diff --git a/Dockerfile b/Dockerfile index f9fa3626a61b..54010c96e3c0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,7 +6,7 @@ ARG XX_VERSION=1.2.1 ARG DOCKER_VERSION=24.0.2 ARG GOTESTSUM_VERSION=v1.9.0 ARG REGISTRY_VERSION=2.8.0 -ARG BUILDKIT_VERSION=master@sha256:58b3d496584c7a33dd129fb4f6dec7828c4f31aa7808a5be1c9835f0fbc33bfe +ARG BUILDKIT_VERSION=v0.11.6 # xx is a helper for cross-compilation FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx diff --git a/go.mod b/go.mod index db07a75fbb6a..f3ae88a44889 100644 --- a/go.mod +++ b/go.mod @@ -95,6 +95,7 @@ require ( github.com/gorilla/mux v1.8.0 // indirect github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 // indirect + github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/in-toto/in-toto-golang v0.5.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect @@ -160,3 +161,5 @@ require ( sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect ) + +replace github.com/moby/buildkit => github.com/crazy-max/buildkit v0.7.1-0.20230926171716-d7819a7b6773 diff --git a/go.sum b/go.sum index 4137cc9f9397..00269fbc2298 100644 --- a/go.sum +++ b/go.sum 
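Review bot: The new `ARG BUILDKIT_VERSION=v0.11.6` drops the `@sha256:` digest that the removed line carried, so whatever this value selects (presumably the BuildKit image referenced further down the file, outside the hunk) is now resolved through a mutable tag instead of a content pin. Keeping the release tag together with a digest, e.g. `ARG BUILDKIT_VERSION=v0.11.6@sha256:<digest-of-the-v0.11.6-image>`, preserves the pin. A one-line comment above the ARG saying why the build moves from a master snapshot to v0.11.6 would also help, since the same commit moves the vendored Go module to what appears to be a later BuildKit snapshot.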
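Review bot: The added `replace github.com/moby/buildkit => github.com/crazy-max/buildkit v0.7.1-0.20230926171716-d7819a7b6773` points a core dependency at a personal fork and an unreleased pseudo-version with no comment explaining why or for how long. go.sum fixes the content hash, but every vendored buildkit change in this commit (the TLS handling in authprovider, the containerd runtime config, the new exporter key) now comes from that fork rather than from a commit reviewed in moby/buildkit. I would add a comment above the directive such as `// TODO: remove once <upstream PR> is merged and vendored from moby/buildkit`, and hold the merge until the upstream commit exists. Replace directives are also ignored when this module is consumed as a dependency, so importers would build against a different buildkit than the one vendored here.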
@@ -144,6 +144,8 @@ github.com/containerd/ttrpc v1.2.2/go.mod h1:sIT6l32Ph/H9cvnJsfXM5drIVzTr5A2flTf github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4= github.com/containerd/typeurl/v2 v2.1.1/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/crazy-max/buildkit v0.7.1-0.20230926171716-d7819a7b6773 h1:oNontG2WgW2cMk7eTaTmKmSwUjFp5g1TW4bjYaR9Sm8= +github.com/crazy-max/buildkit v0.7.1-0.20230926171716-d7819a7b6773/go.mod h1:oSHnUZH7sNtAFLyeN1syf46SuzMThKsCQaioNEqJVUk= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= @@ -317,6 +319,8 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 h1:lLT7ZLSzGLI08vc9cpd+tYmNWjd github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w= github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8= github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4= +github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840 h1:kgvybwEeu0SXktbB2y3uLHX9lklLo+nzUwh59A3jzQc= github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840/go.mod h1:Abjk0jbRkDaNCzsRhOv2iDCofYpX1eVsjozoiK63qLA= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 
@@ -387,8 +391,6 @@ github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZX github.com/mitchellh/mapstructure v0.0.0-20150613213606-2caf8efc9366/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/moby/buildkit v0.12.1-0.20230907220514-cbfd4023383d h1:MvJmhRRk24vVVabMmvVLeHpeeprSBmq/ApjXo7A3MS4= -github.com/moby/buildkit v0.12.1-0.20230907220514-cbfd4023383d/go.mod h1:7/l0VKIyp1hBcGZF2hRpfBgvc0beQ9/hBWw7S+1JM0s= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk= diff --git a/vendor/github.com/hashicorp/go-cleanhttp/LICENSE b/vendor/github.com/hashicorp/go-cleanhttp/LICENSE new file mode 100644 index 000000000000..e87a115e462e --- /dev/null +++ b/vendor/github.com/hashicorp/go-cleanhttp/LICENSE 
@@ -0,0 +1,363 @@ +Mozilla Public License, version 2.0 + +1. Definitions + +1.1. "Contributor" + + means each individual or legal entity that creates, contributes to the + creation of, or owns Covered Software. + +1.2. "Contributor Version" + + means the combination of the Contributions of others (if any) used by a + Contributor and that particular Contributor's Contribution. + +1.3. "Contribution" + + means Covered Software of a particular Contributor. + +1.4. "Covered Software" + + means Source Code Form to which the initial Contributor has attached the + notice in Exhibit A, the Executable Form of such Source Code Form, and + Modifications of such Source Code Form, in each case including portions + thereof. + +1.5. "Incompatible With Secondary Licenses" + means + + a. that the initial Contributor has attached the notice described in + Exhibit B to the Covered Software; or + + b. that the Covered Software was made available under the terms of + version 1.1 or earlier of the License, but not also under the terms of + a Secondary License. + +1.6. "Executable Form" + + means any form of the work other than Source Code Form. + +1.7. "Larger Work" + + means a work that combines Covered Software with other material, in a + separate file or files, that is not Covered Software. + +1.8. "License" + + means this document. + +1.9. "Licensable" + + means having the right to grant, to the maximum extent possible, whether + at the time of the initial grant or subsequently, any and all of the + rights conveyed by this License. + +1.10. "Modifications" + + means any of the following: + + a. any file in Source Code Form that results from an addition to, + deletion from, or modification of the contents of Covered Software; or + + b. any new file in Source Code Form that contains any Covered Software. + +1.11. 
"Patent Claims" of a Contributor + + means any patent claim(s), including without limitation, method, + process, and apparatus claims, in any patent Licensable by such + Contributor that would be infringed, but for the grant of the License, + by the making, using, selling, offering for sale, having made, import, + or transfer of either its Contributions or its Contributor Version. + +1.12. "Secondary License" + + means either the GNU General Public License, Version 2.0, the GNU Lesser + General Public License, Version 2.1, the GNU Affero General Public + License, Version 3.0, or any later versions of those licenses. + +1.13. "Source Code Form" + + means the form of the work preferred for making modifications. + +1.14. "You" (or "Your") + + means an individual or a legal entity exercising rights under this + License. For legal entities, "You" includes any entity that controls, is + controlled by, or is under common control with You. For purposes of this + definition, "control" means (a) the power, direct or indirect, to cause + the direction or management of such entity, whether by contract or + otherwise, or (b) ownership of more than fifty percent (50%) of the + outstanding shares or beneficial ownership of such entity. + + +2. License Grants and Conditions + +2.1. Grants + + Each Contributor hereby grants You a world-wide, royalty-free, + non-exclusive license: + + a. under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or + as part of a Larger Work; and + + b. under Patent Claims of such Contributor to make, use, sell, offer for + sale, have made, import, and otherwise transfer either its + Contributions or its Contributor Version. + +2.2. 
Effective Date + + The licenses granted in Section 2.1 with respect to any Contribution + become effective for each Contribution on the date the Contributor first + distributes such Contribution. + +2.3. Limitations on Grant Scope + + The licenses granted in this Section 2 are the only rights granted under + this License. No additional rights or licenses will be implied from the + distribution or licensing of Covered Software under this License. + Notwithstanding Section 2.1(b) above, no patent license is granted by a + Contributor: + + a. for any code that a Contributor has removed from Covered Software; or + + b. for infringements caused by: (i) Your and any other third party's + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + + c. under Patent Claims infringed by Covered Software in the absence of + its Contributions. + + This License does not grant any rights in the trademarks, service marks, + or logos of any Contributor (except as may be necessary to comply with + the notice requirements in Section 3.4). + +2.4. Subsequent Licenses + + No Contributor makes additional grants as a result of Your choice to + distribute the Covered Software under a subsequent version of this + License (see Section 10.2) or under the terms of a Secondary License (if + permitted under the terms of Section 3.3). + +2.5. Representation + + Each Contributor represents that the Contributor believes its + Contributions are its original creation(s) or it has sufficient rights to + grant the rights to its Contributions conveyed by this License. + +2.6. Fair Use + + This License is not intended to limit any rights You have under + applicable copyright doctrines of fair use, fair dealing, or other + equivalents. + +2.7. Conditions + + Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in + Section 2.1. + + +3. Responsibilities + +3.1. 
Distribution of Source Form + + All distribution of Covered Software in Source Code Form, including any + Modifications that You create or to which You contribute, must be under + the terms of this License. You must inform recipients that the Source + Code Form of the Covered Software is governed by the terms of this + License, and how they can obtain a copy of this License. You may not + attempt to alter or restrict the recipients' rights in the Source Code + Form. + +3.2. Distribution of Executable Form + + If You distribute Covered Software in Executable Form then: + + a. such Covered Software must also be made available in Source Code Form, + as described in Section 3.1, and You must inform recipients of the + Executable Form how they can obtain a copy of such Source Code Form by + reasonable means in a timely manner, at a charge no more than the cost + of distribution to the recipient; and + + b. You may distribute such Executable Form under the terms of this + License, or sublicense it under different terms, provided that the + license for the Executable Form does not attempt to limit or alter the + recipients' rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + + You may create and distribute a Larger Work under terms of Your choice, + provided that You also comply with the requirements of this License for + the Covered Software. If the Larger Work is a combination of Covered + Software with a work governed by one or more Secondary Licenses, and the + Covered Software is not Incompatible With Secondary Licenses, this + License permits You to additionally distribute such Covered Software + under the terms of such Secondary License(s), so that the recipient of + the Larger Work may, at their option, further distribute the Covered + Software under the terms of either this License or such Secondary + License(s). + +3.4. 
Notices + + You may not remove or alter the substance of any license notices + (including copyright notices, patent notices, disclaimers of warranty, or + limitations of liability) contained within the Source Code Form of the + Covered Software, except that You may alter any license notices to the + extent required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + + You may choose to offer, and to charge a fee for, warranty, support, + indemnity or liability obligations to one or more recipients of Covered + Software. However, You may do so only on Your own behalf, and not on + behalf of any Contributor. You must make it absolutely clear that any + such warranty, support, indemnity, or liability obligation is offered by + You alone, and You hereby agree to indemnify every Contributor for any + liability incurred by such Contributor as a result of warranty, support, + indemnity or liability terms You offer. You may include additional + disclaimers of warranty and limitations of liability specific to any + jurisdiction. + +4. Inability to Comply Due to Statute or Regulation + + If it is impossible for You to comply with any of the terms of this License + with respect to some or all of the Covered Software due to statute, + judicial order, or regulation then You must: (a) comply with the terms of + this License to the maximum extent possible; and (b) describe the + limitations and the code they affect. Such description must be placed in a + text file included with all distributions of the Covered Software under + this License. Except to the extent prohibited by statute or regulation, + such description must be sufficiently detailed for a recipient of ordinary + skill to be able to understand it. + +5. Termination + +5.1. The rights granted under this License will terminate automatically if You + fail to comply with any of its terms. 
However, if You become compliant, + then the rights granted under this License from a particular Contributor + are reinstated (a) provisionally, unless and until such Contributor + explicitly and finally terminates Your grants, and (b) on an ongoing + basis, if such Contributor fails to notify You of the non-compliance by + some reasonable means prior to 60 days after You have come back into + compliance. Moreover, Your grants from a particular Contributor are + reinstated on an ongoing basis if such Contributor notifies You of the + non-compliance by some reasonable means, this is the first time You have + received notice of non-compliance with this License from such + Contributor, and You become compliant prior to 30 days after Your receipt + of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent + infringement claim (excluding declaratory judgment actions, + counter-claims, and cross-claims) alleging that a Contributor Version + directly or indirectly infringes any patent, then the rights granted to + You by any and all Contributors for the Covered Software under Section + 2.1 of this License shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user + license agreements (excluding distributors and resellers) which have been + validly granted by You or Your distributors under this License prior to + termination shall survive termination. + +6. Disclaimer of Warranty + + Covered Software is provided under this License on an "as is" basis, + without warranty of any kind, either expressed, implied, or statutory, + including, without limitation, warranties that the Covered Software is free + of defects, merchantable, fit for a particular purpose or non-infringing. + The entire risk as to the quality and performance of the Covered Software + is with You. 
Should any Covered Software prove defective in any respect, + You (not any Contributor) assume the cost of any necessary servicing, + repair, or correction. This disclaimer of warranty constitutes an essential + part of this License. No use of any Covered Software is authorized under + this License except under this disclaimer. + +7. Limitation of Liability + + Under no circumstances and under no legal theory, whether tort (including + negligence), contract, or otherwise, shall any Contributor, or anyone who + distributes Covered Software as permitted above, be liable to You for any + direct, indirect, special, incidental, or consequential damages of any + character including, without limitation, damages for lost profits, loss of + goodwill, work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses, even if such party shall have been + informed of the possibility of such damages. This limitation of liability + shall not apply to liability for death or personal injury resulting from + such party's negligence to the extent applicable law prohibits such + limitation. Some jurisdictions do not allow the exclusion or limitation of + incidental or consequential damages, so this exclusion and limitation may + not apply to You. + +8. Litigation + + Any litigation relating to this License may be brought only in the courts + of a jurisdiction where the defendant maintains its principal place of + business and such litigation shall be governed by laws of that + jurisdiction, without reference to its conflict-of-law provisions. Nothing + in this Section shall prevent a party's ability to bring cross-claims or + counter-claims. + +9. Miscellaneous + + This License represents the complete agreement concerning the subject + matter hereof. If any provision of this License is held to be + unenforceable, such provision shall be reformed only to the extent + necessary to make it enforceable. 
Any law or regulation which provides that + the language of a contract shall be construed against the drafter shall not + be used to construe this License against a Contributor. + + +10. Versions of the License + +10.1. New Versions + + Mozilla Foundation is the license steward. Except as provided in Section + 10.3, no one other than the license steward has the right to modify or + publish new versions of this License. Each version will be given a + distinguishing version number. + +10.2. Effect of New Versions + + You may distribute the Covered Software under the terms of the version + of the License under which You originally received the Covered Software, + or under the terms of any subsequent version published by the license + steward. + +10.3. Modified Versions + + If you create software not governed by this License, and you want to + create a new license for such software, you may create and use a + modified version of this License if you rename the license and remove + any references to the name of the license steward (except to note that + such modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary + Licenses If You choose to distribute Source Code Form that is + Incompatible With Secondary Licenses under the terms of this version of + the License, the notice described in Exhibit B of this License must be + attached. + +Exhibit A - Source Code Form License Notice + + This Source Code Form is subject to the + terms of the Mozilla Public License, v. + 2.0. If a copy of the MPL was not + distributed with this file, You can + obtain one at + http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular file, +then You may include the notice in a location (such as a LICENSE file in a +relevant directory) where a recipient would be likely to look for such a +notice. + +You may add additional accurate notices of copyright ownership. 
+ +Exhibit B - "Incompatible With Secondary Licenses" Notice + + This Source Code Form is "Incompatible + With Secondary Licenses", as defined by + the Mozilla Public License, v. 2.0. + diff --git a/vendor/github.com/hashicorp/go-cleanhttp/README.md b/vendor/github.com/hashicorp/go-cleanhttp/README.md new file mode 100644 index 000000000000..036e5313fc8f --- /dev/null +++ b/vendor/github.com/hashicorp/go-cleanhttp/README.md @@ -0,0 +1,30 @@ +# cleanhttp + +Functions for accessing "clean" Go http.Client values + +------------- + +The Go standard library contains a default `http.Client` called +`http.DefaultClient`. It is a common idiom in Go code to start with +`http.DefaultClient` and tweak it as necessary, and in fact, this is +encouraged; from the `http` package documentation: + +> The Client's Transport typically has internal state (cached TCP connections), +so Clients should be reused instead of created as needed. Clients are safe for +concurrent use by multiple goroutines. + +Unfortunately, this is a shared value, and it is not uncommon for libraries to +assume that they are free to modify it at will. With enough dependencies, it +can be very easy to encounter strange problems and race conditions due to +manipulation of this shared value across libraries and goroutines (clients are +safe for concurrent use, but writing values to the client struct itself is not +protected). + +Making things worse is the fact that a bare `http.Client` will use a default +`http.Transport` called `http.DefaultTransport`, which is another global value +that behaves the same way. So it is not simply enough to replace +`http.DefaultClient` with `&http.Client{}`. + +This repository provides some simple functions to get a "clean" `http.Client` +-- one that uses the same default values as the Go standard library, but +returns a client that does not share any state with other clients. 
diff --git a/vendor/github.com/hashicorp/go-cleanhttp/cleanhttp.go b/vendor/github.com/hashicorp/go-cleanhttp/cleanhttp.go new file mode 100644 index 000000000000..fe28d15b6f93 --- /dev/null +++ b/vendor/github.com/hashicorp/go-cleanhttp/cleanhttp.go 
@@ -0,0 +1,58 @@ +package cleanhttp + +import ( + "net" + "net/http" + "runtime" + "time" +) + +// DefaultTransport returns a new http.Transport with similar default values to +// http.DefaultTransport, but with idle connections and keepalives disabled. +func DefaultTransport() *http.Transport { + transport := DefaultPooledTransport() + transport.DisableKeepAlives = true + transport.MaxIdleConnsPerHost = -1 + return transport +} + +// DefaultPooledTransport returns a new http.Transport with similar default +// values to http.DefaultTransport. Do not use this for transient transports as +// it can leak file descriptors over time. Only use this for transports that +// will be re-used for the same host(s). +func DefaultPooledTransport() *http.Transport { + transport := &http.Transport{ + Proxy: http.ProxyFromEnvironment, + DialContext: (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + DualStack: true, + }).DialContext, + MaxIdleConns: 100, + IdleConnTimeout: 90 * time.Second, + TLSHandshakeTimeout: 10 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + ForceAttemptHTTP2: true, + MaxIdleConnsPerHost: runtime.GOMAXPROCS(0) + 1, + } + return transport +} + +// DefaultClient returns a new http.Client with similar default values to +// http.Client, but with a non-shared Transport, idle connections disabled, and +// keepalives disabled. +func DefaultClient() *http.Client { + return &http.Client{ + Transport: DefaultTransport(), + } +} + +// DefaultPooledClient returns a new http.Client with similar default values to +// http.Client, but with a shared Transport. Do not use this function for +// transient clients as it can leak file descriptors over time. Only use this +// for clients that will be re-used for the same host(s). +func DefaultPooledClient() *http.Client { + return &http.Client{ + Transport: DefaultPooledTransport(), + } +} 
diff --git a/vendor/github.com/hashicorp/go-cleanhttp/doc.go b/vendor/github.com/hashicorp/go-cleanhttp/doc.go new file mode 100644 index 000000000000..05841092a7b3 --- /dev/null +++ b/vendor/github.com/hashicorp/go-cleanhttp/doc.go @@ -0,0 +1,20 @@ +// Package cleanhttp offers convenience utilities for acquiring "clean" +// http.Transport and http.Client structs. +// +// Values set on http.DefaultClient and http.DefaultTransport affect all +// callers. This can have detrimental effects, esepcially in TLS contexts, +// where client or root certificates set to talk to multiple endpoints can end +// up displacing each other, leading to hard-to-debug issues. This package +// provides non-shared http.Client and http.Transport structs to ensure that +// the configuration will not be overwritten by other parts of the application +// or dependencies. +// +// The DefaultClient and DefaultTransport functions disable idle connections +// and keepalives. Without ensuring that idle connections are closed before +// garbage collection, short-term clients/transports can leak file descriptors, +// eventually leading to "too many open files" errors. If you will be +// connecting to the same hosts repeatedly from the same client, you can use +// DefaultPooledClient to receive a client that has connection pooling +// semantics similar to http.DefaultClient. +// +package cleanhttp diff --git a/vendor/github.com/hashicorp/go-cleanhttp/handlers.go b/vendor/github.com/hashicorp/go-cleanhttp/handlers.go new file mode 100644 index 000000000000..3c845dc0dc6f --- /dev/null +++ b/vendor/github.com/hashicorp/go-cleanhttp/handlers.go 
@@ -0,0 +1,48 @@ +package cleanhttp + +import ( + "net/http" + "strings" + "unicode" +) + +// HandlerInput provides input options to cleanhttp's handlers +type HandlerInput struct { + ErrStatus int +} + +// PrintablePathCheckHandler is a middleware that ensures the request path +// contains only printable runes. +func PrintablePathCheckHandler(next http.Handler, input *HandlerInput) http.Handler { + // Nil-check on input to make it optional + if input == nil { + input = &HandlerInput{ + ErrStatus: http.StatusBadRequest, + } + } + + // Default to http.StatusBadRequest on error + if input.ErrStatus == 0 { + input.ErrStatus = http.StatusBadRequest + } + + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if r != nil { + // Check URL path for non-printable characters + idx := strings.IndexFunc(r.URL.Path, func(c rune) bool { + return !unicode.IsPrint(c) + }) + + if idx != -1 { + w.WriteHeader(input.ErrStatus) + return + } + + if next != nil { + next.ServeHTTP(w, r) + } + } + + return + }) +} diff --git a/vendor/github.com/moby/buildkit/client/llb/source.go b/vendor/github.com/moby/buildkit/client/llb/source.go index 3dd83e6799c1..5ffc3a0f2f77 100644 --- a/vendor/github.com/moby/buildkit/client/llb/source.go +++ b/vendor/github.com/moby/buildkit/client/llb/source.go @@ -9,7 +9,7 @@ import ( "strconv" "strings" - "github.com/docker/distribution/reference" + "github.com/distribution/reference" "github.com/moby/buildkit/solver/pb" "github.com/moby/buildkit/util/apicaps" "github.com/moby/buildkit/util/gitutil" diff --git a/vendor/github.com/moby/buildkit/cmd/buildkitd/config/config.go b/vendor/github.com/moby/buildkit/cmd/buildkitd/config/config.go index f33b132f2105..6f7393e0effc 100644 --- a/vendor/github.com/moby/buildkit/cmd/buildkitd/config/config.go +++ b/vendor/github.com/moby/buildkit/cmd/buildkitd/config/config.go 
@@ -112,6 +112,7 @@ type ContainerdConfig struct { Labels map[string]string `toml:"labels"` Platforms []string `toml:"platforms"` Namespace string `toml:"namespace"` + Runtime ContainerdRuntime `toml:"runtime"` GCConfig NetworkConfig Snapshotter string `toml:"snapshotter"` @@ -128,6 +129,11 @@ type ContainerdConfig struct { Rootless bool `toml:"rootless"` } +type ContainerdRuntime struct { + Name string `toml:"name"` + Options map[string]interface{} `toml:"options"` +} + type GCPolicy struct { All bool `toml:"all"` KeepBytes DiskSpace `toml:"keepBytes"` diff --git a/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/keys.go b/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/keys.go index c43221849911..722f099cf0ce 100644 --- a/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/keys.go +++ b/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/keys.go @@ -72,4 +72,8 @@ var ( // Value: int (0-9) for gzip and estargz // Value: int (0-22) for zstd OptKeyCompressionLevel ImageExporterOptKey = "compression-level" + + // Rewrite timestamps in layers to match SOURCE_DATE_EPOCH + // Value: bool + OptKeyRewriteTimestamp ImageExporterOptKey = "rewrite-timestamp" ) diff --git a/vendor/github.com/moby/buildkit/frontend/dockerui/config.go b/vendor/github.com/moby/buildkit/frontend/dockerui/config.go index 0ae30245ed64..79faecd3a20e 100644 --- a/vendor/github.com/moby/buildkit/frontend/dockerui/config.go +++ b/vendor/github.com/moby/buildkit/frontend/dockerui/config.go @@ -10,7 +10,7 @@ import ( "time" "github.com/containerd/containerd/platforms" - "github.com/docker/distribution/reference" + "github.com/distribution/reference" controlapi "github.com/moby/buildkit/api/services/control" "github.com/moby/buildkit/client/llb" "github.com/moby/buildkit/exporter/containerimage/image" 
@@ -494,6 +494,15 @@ func (bc *Client) IsNoCache(name string) bool { return false } +func DefaultMainContext(opts ...llb.LocalOption) *llb.State { + opts = append([]llb.LocalOption{ + llb.SharedKeyHint(DefaultLocalNameContext), + WithInternalName("load build context"), + }, opts...) + st := llb.Local(DefaultLocalNameContext, opts...) + return &st +} + func WithInternalName(name string) llb.ConstraintsOpt { return llb.WithCustomName("[internal] " + name) } diff --git a/vendor/github.com/moby/buildkit/frontend/dockerui/namedcontext.go b/vendor/github.com/moby/buildkit/frontend/dockerui/namedcontext.go index dd44b7d8fe89..7e4123fffea1 100644 --- a/vendor/github.com/moby/buildkit/frontend/dockerui/namedcontext.go +++ b/vendor/github.com/moby/buildkit/frontend/dockerui/namedcontext.go @@ -7,7 +7,7 @@ import ( "fmt" "strings" - "github.com/docker/distribution/reference" + "github.com/distribution/reference" "github.com/moby/buildkit/client/llb" "github.com/moby/buildkit/exporter/containerimage/exptypes" "github.com/moby/buildkit/exporter/containerimage/image" diff --git a/vendor/github.com/moby/buildkit/session/auth/authprovider/authconfig.go b/vendor/github.com/moby/buildkit/session/auth/authprovider/authconfig.go new file mode 100644 index 000000000000..911e134836f7 --- /dev/null +++ b/vendor/github.com/moby/buildkit/session/auth/authprovider/authconfig.go @@ -0,0 +1,11 @@ +package authprovider + +type AuthTLSConfig struct { + RootCAs []string + KeyPairs []TLSKeyPair +} + +type TLSKeyPair struct { + Key string + Certificate string +} diff --git a/vendor/github.com/moby/buildkit/session/auth/authprovider/authprovider.go b/vendor/github.com/moby/buildkit/session/auth/authprovider/authprovider.go index 045185d6b674..87618caa3421 100644 --- a/vendor/github.com/moby/buildkit/session/auth/authprovider/authprovider.go +++ b/vendor/github.com/moby/buildkit/session/auth/authprovider/authprovider.go 
@@ -5,9 +5,11 @@ import ( "crypto/ed25519" "crypto/hmac" "crypto/sha256" + "crypto/tls" + "crypto/x509" "fmt" - "net/http" "os" + "runtime" "strconv" "strings" "sync" @@ -18,6 +20,7 @@ import ( "github.com/docker/cli/cli/config" "github.com/docker/cli/cli/config/configfile" "github.com/docker/cli/cli/config/types" + http "github.com/hashicorp/go-cleanhttp" "github.com/moby/buildkit/session" "github.com/moby/buildkit/session/auth" "github.com/moby/buildkit/util/progress/progresswriter" @@ -32,12 +35,13 @@ const defaultExpiration = 60 const dockerHubConfigfileKey = "https://index.docker.io/v1/" const dockerHubRegistryHost = "registry-1.docker.io" -func NewDockerAuthProvider(cfg *configfile.ConfigFile) session.Attachable { +func NewDockerAuthProvider(cfg *configfile.ConfigFile, tlsConfigs map[string]*AuthTLSConfig) session.Attachable { return &authProvider{ authConfigCache: map[string]*types.AuthConfig{}, config: cfg, seeds: &tokenSeeds{dir: config.Dir()}, loggerCache: map[string]struct{}{}, + tlsConfigs: tlsConfigs, } } @@ -47,6 +51,7 @@ type authProvider struct { seeds *tokenSeeds logger progresswriter.Logger loggerCache map[string]struct{} + tlsConfigs map[string]*AuthTLSConfig // The need for this mutex is not well understood. // Without it, the docker cli on OS X hangs when @@ -89,6 +94,13 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ Secret: creds.Secret, } + var httpClient = http.DefaultClient() + if tc, err := ap.tlsConfig(req.Host); err == nil && tc != nil { + transport := http.DefaultTransport() + transport.TLSClientConfig = tc + httpClient.Transport = transport + } + if creds.Secret != "" { done := func(progresswriter.SubLogger) error { return err 
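Review bot: A failure to build the per-host TLS configuration is dropped in the FetchToken hunk: `if tc, err := ap.tlsConfig(req.Host); err == nil && tc != nil` falls through to the plain client when tlsConfig returns an error, so an unreadable CA file or key pair configured for the registry host surfaces later as an unrelated handshake or authentication failure. Returning the error instead, `tc, err := ap.tlsConfig(req.Host)` followed by `if err != nil { return nil, err }`, keeps the misconfiguration visible at its source. The tlsConfig hunk further down has the same silent-failure shape: the bool result of `tc.RootCAs.AppendCertsFromPEM(dt)` is ignored, so a configured CA file that contains no parsable certificate is accepted without any error. The file is vendored from the replaced buildkit module, so the change belongs in that source, and FetchToken's body starts and ends outside the hunk.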
@@ -103,7 +115,7 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ
 }
 ap.mu.Unlock()
 // credential information is provided, use oauth POST endpoint
- resp, err := authutil.FetchTokenWithOAuth(ctx, http.DefaultClient, nil, "buildkit-client", to)
+ resp, err := authutil.FetchTokenWithOAuth(ctx, httpClient, nil, "buildkit-client", to)
 if err != nil {
 var errStatus remoteserrors.ErrUnexpectedStatus
 if errors.As(err, &errStatus) {
@@ -111,7 +123,7 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ
 // As of September 2017, GCR is known to return 404.
 // As of February 2018, JFrog Artifactory is known to return 401.
 if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 {
- resp, err := authutil.FetchToken(ctx, http.DefaultClient, nil, to)
+ resp, err := authutil.FetchToken(ctx, httpClient, nil, to)
 if err != nil {
 return nil, err
 }
@@ -123,13 +135,52 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ return toTokenResponse(resp.AccessToken, resp.IssuedAt, resp.ExpiresIn), nil } // do request anonymously - resp, err := authutil.FetchToken(ctx, http.DefaultClient, nil, to) + resp, err := authutil.FetchToken(ctx, httpClient, nil, to) if err != nil { return nil, errors.Wrap(err, "failed to fetch anonymous token") } return toTokenResponse(resp.Token, resp.IssuedAt, resp.ExpiresIn), nil } +func (ap *authProvider) tlsConfig(host string) (*tls.Config, error) { + if ap.tlsConfigs == nil { + return nil, nil + } + c, ok := ap.tlsConfigs[host] + if !ok { + return nil, nil + } + tc := &tls.Config{} + if len(c.RootCAs) > 0 { + systemPool, err := x509.SystemCertPool() + if err != nil { + if runtime.GOOS == "windows" { + systemPool = x509.NewCertPool() + } else { + return nil, errors.Wrapf(err, "unable to get system cert pool") + } + } + tc.RootCAs = systemPool + } + + for _, p := range c.RootCAs { + dt, err := os.ReadFile(p) + if err != nil { + return nil, errors.Wrapf(err, "failed to read %s", p) + } + tc.RootCAs.AppendCertsFromPEM(dt) + } + + for _, kp := range c.KeyPairs { + cert, err := tls.LoadX509KeyPair(kp.Certificate, kp.Key) + if err != nil { + return nil, errors.Wrapf(err, "failed to load keypair for %s", kp.Certificate) + } + tc.Certificates = append(tc.Certificates, cert) + } + return tc, nil +} + func (ap *authProvider) credentials(host string) (*auth.CredentialsResponse, error) { ac, err := ap.getAuthConfig(host) if err != nil { @@ -152,7 +203,7 @@ func (ap *authProvider) Credentials(ctx context.Context, req *auth.CredentialsRe defer ap.mu.Unlock() _, ok := ap.loggerCache[req.Host] ap.loggerCache[req.Host] = struct{}{} - if !ok { + if !ok && ap.logger != nil { return resp, progresswriter.Wrap(fmt.Sprintf("[auth] sharing credentials for %s", req.Host), ap.logger, func(progresswriter.SubLogger) error { return err }) 
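Review bot: In the added `tlsConfig`, the boolean returned by `tc.RootCAs.AppendCertsFromPEM(dt)` is ignored, so a configured root CA file that holds no parseable certificate is accepted silently and the pool ends up without that CA. Checking it with the file's existing errors package, e.g. `if !tc.RootCAs.AppendCertsFromPEM(dt) { return nil, errors.Errorf("no certificates found in %s", p) }`, reports the misconfiguration where it occurs. A nil `*AuthTLSConfig` stored in the map would also panic at `c.RootCAs`; widening the lookup guard to `if !ok || c == nil` covers that. The function has no doc comment; one stating that the `RootCAs`, `Key` and `Certificate` values are file paths, and that they are re-read on each FetchToken call, would help callers.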
diff --git a/vendor/github.com/moby/buildkit/util/contentutil/storewithprovider.go b/vendor/github.com/moby/buildkit/util/contentutil/storewithprovider.go
new file mode 100644
index 000000000000..0b5df244f15a
--- /dev/null
+++ b/vendor/github.com/moby/buildkit/util/contentutil/storewithprovider.go
@@ -0,0 +1,24 @@
+package contentutil
+
+import (
+ "context"
+
+ "github.com/containerd/containerd/content"
+ ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+func NewStoreWithProvider(cs content.Store, p content.Provider) content.Store {
+ return &storeWithProvider{Store: cs, p: p}
+}
+
+type storeWithProvider struct {
+ content.Store
+ p content.Provider
+}
+
+func (cs *storeWithProvider) ReaderAt(ctx context.Context, desc ocispecs.Descriptor) (content.ReaderAt, error) {
+ if ra, err := cs.p.ReaderAt(ctx, desc); err == nil {
+ return ra, nil
+ }
+ return cs.Store.ReaderAt(ctx, desc)
+}
diff --git a/vendor/github.com/moby/buildkit/util/progress/progressui/display.go b/vendor/github.com/moby/buildkit/util/progress/progressui/display.go
index dc669d8e90d0..b606d31a238c 100644
--- a/vendor/github.com/moby/buildkit/util/progress/progressui/display.go
+++ b/vendor/github.com/moby/buildkit/util/progress/progressui/display.go
@@ -137,14 +137,16 @@ const ( RawJSONMode DisplayMode = "rawjson" ) -// NewDisplay constructs a Display that outputs to the given console.File with the given DisplayMode. +// NewDisplay constructs a Display that outputs to the given io.Writer with the given DisplayMode. // -// This method will return an error when the DisplayMode is invalid or if TtyMode is used but the console.File +// This method will return an error when the DisplayMode is invalid or if TtyMode is used but the io.Writer // does not refer to a tty. AutoMode will choose TtyMode or PlainMode depending on if the output is a tty or not. -func NewDisplay(out console.File, mode DisplayMode, opts ...DisplayOpt) (Display, error) { +// +// For TtyMode to work, the io.Writer should also implement console.File. +func NewDisplay(out io.Writer, mode DisplayMode, opts ...DisplayOpt) (Display, error) { switch mode { case AutoMode, TtyMode, DefaultMode: - if c, err := console.ConsoleFromFile(out); err == nil { + if c, err := consoleFromWriter(out); err == nil { return newConsoleDisplay(c, opts...), nil } else if mode == "tty" { return Display{}, errors.Wrap(err, "failed to get console") @@ -161,6 +163,15 @@ func NewDisplay(out console.File, mode DisplayMode, opts ...DisplayOpt) (Display } } +// consoleFromWriter retrieves a console.Console from an io.Writer. +func consoleFromWriter(out io.Writer) (console.Console, error) { + f, ok := out.(console.File) + if !ok { + return nil, errors.New("output is not a file") + } + return console.ConsoleFromFile(f) +} + type discardDisplay struct{} func newDiscardDisplay() Display { diff --git a/vendor/github.com/moby/buildkit/util/resolver/limited/group.go b/vendor/github.com/moby/buildkit/util/resolver/limited/group.go index 934bd4f4eb17..2ab325ec561e 100644 --- a/vendor/github.com/moby/buildkit/util/resolver/limited/group.go +++ b/vendor/github.com/moby/buildkit/util/resolver/limited/group.go 
@@ -10,7 +10,7 @@ import ( "github.com/containerd/containerd/content" "github.com/containerd/containerd/images" "github.com/containerd/containerd/remotes" - "github.com/docker/distribution/reference" + "github.com/distribution/reference" "github.com/moby/buildkit/util/bklog" ocispecs "github.com/opencontainers/image-spec/specs-go/v1" "golang.org/x/sync/semaphore" diff --git a/vendor/github.com/moby/buildkit/util/testutil/integration/run.go b/vendor/github.com/moby/buildkit/util/testutil/integration/run.go index 3b009558bbda..ae473df32e07 100644 --- a/vendor/github.com/moby/buildkit/util/testutil/integration/run.go +++ b/vendor/github.com/moby/buildkit/util/testutil/integration/run.go @@ -57,8 +57,8 @@ type Sandbox interface { // BackendConfig is used to configure backends created by a worker. type BackendConfig struct { - Logs map[string]*bytes.Buffer - ConfigFile string + Logs map[string]*bytes.Buffer + DaemonConfig []ConfigUpdater } type Worker interface { @@ -303,7 +303,21 @@ mirrors=["%s"] `, in, mc) } -func writeConfig(updaters []ConfigUpdater) (string, error) { +func WithOTELSocketPath(socketPath string) ConfigUpdater { + return otelSocketPath(socketPath) +} + +type otelSocketPath string + +func (osp otelSocketPath) UpdateConfigFile(in string) string { + return fmt.Sprintf(`%s + +[otel] + socketPath = %q +`, in, osp) +} + +func WriteConfig(updaters []ConfigUpdater) (string, error) { tmpdir, err := os.MkdirTemp("", "bktest_config") if err != nil { return "", err @@ -320,7 +334,7 @@ func writeConfig(updaters []ConfigUpdater) (string, error) { if err := os.WriteFile(filepath.Join(tmpdir, buildkitdConfigFile), []byte(s), 0644); err != nil { return "", err } - return tmpdir, nil + return filepath.Join(tmpdir, buildkitdConfigFile), nil } func runMirror(t *testing.T, mirroredImages map[string]string) (host string, _ func() error, err error) { 
diff --git a/vendor/github.com/moby/buildkit/util/testutil/integration/sandbox.go b/vendor/github.com/moby/buildkit/util/testutil/integration/sandbox.go index 593b52e8ef05..d7f1dfff2734 100644 --- a/vendor/github.com/moby/buildkit/util/testutil/integration/sandbox.go +++ b/vendor/github.com/moby/buildkit/util/testutil/integration/sandbox.go @@ -7,7 +7,6 @@ import ( "fmt" "os" "os/exec" - "path/filepath" "strings" "testing" @@ -78,15 +77,14 @@ func newSandbox(ctx context.Context, w Worker, mirror string, mv matrixValue) (s Logs: make(map[string]*bytes.Buffer), } - var upt []ConfigUpdater for _, v := range mv.values { if u, ok := v.value.(ConfigUpdater); ok { - upt = append(upt, u) + cfg.DaemonConfig = append(cfg.DaemonConfig, u) } } if mirror != "" { - upt = append(upt, withMirrorConfig(mirror)) + cfg.DaemonConfig = append(cfg.DaemonConfig, withMirrorConfig(mirror)) } deferF := &MultiCloser{} @@ -99,17 +97,6 @@ func newSandbox(ctx context.Context, w Worker, mirror string, mv matrixValue) (s } }() - if len(upt) > 0 { - dir, err := writeConfig(upt) - if err != nil { - return nil, nil, err - } - deferF.Append(func() error { - return os.RemoveAll(dir) - }) - cfg.ConfigFile = filepath.Join(dir, buildkitdConfigFile) - } - b, closer, err := w.New(ctx, cfg) if err != nil { return nil, nil, err diff --git a/vendor/github.com/moby/buildkit/util/testutil/workers/dockerd.go b/vendor/github.com/moby/buildkit/util/testutil/workers/dockerd.go index 7ed0d6f36e06..5c2158b20fd5 100644 --- a/vendor/github.com/moby/buildkit/util/testutil/workers/dockerd.go +++ b/vendor/github.com/moby/buildkit/util/testutil/workers/dockerd.go 
@@ -76,9 +76,29 @@ func (c Moby) New(ctx context.Context, cfg *integration.BackendConfig) (b integr return nil, nil, err } - bkcfg, err := config.LoadFile(cfg.ConfigFile) + c.Close() + + deferF := &integration.MultiCloser{} + cl = deferF.F() + + defer func() { + if err != nil { + deferF.F()() + cl = nil + } + }() + + cfgFile, err := integration.WriteConfig(cfg.DaemonConfig) + if err != nil { + return nil, nil, err + } + deferF.Append(func() error { + return os.RemoveAll(filepath.Dir(cfgFile)) + }) + + bkcfg, err := config.LoadFile(cfgFile) if err != nil { - return nil, nil, errors.Wrapf(err, "failed to load buildkit config file %s", cfg.ConfigFile) + return nil, nil, errors.Wrapf(err, "failed to load buildkit config file %s", cfgFile) } dcfg := dockerd.Config{ @@ -107,16 +127,6 @@ func (c Moby) New(ctx context.Context, cfg *integration.BackendConfig) (b integr return nil, nil, errors.Wrapf(err, "failed to marshal dockerd config") } - deferF := &integration.MultiCloser{} - cl = deferF.F() - - defer func() { - if err != nil { - deferF.F()() - cl = nil - } - }() - var proxyGroup errgroup.Group deferF.Append(proxyGroup.Wait) diff --git a/vendor/github.com/moby/buildkit/util/testutil/workers/util.go b/vendor/github.com/moby/buildkit/util/testutil/workers/util.go index f01bdca670be..c7611c7f59d3 100644 --- a/vendor/github.com/moby/buildkit/util/testutil/workers/util.go +++ b/vendor/github.com/moby/buildkit/util/testutil/workers/util.go @@ -32,10 +32,6 @@ func runBuildkitd(ctx context.Context, conf *integration.BackendConfig, args []s } }() - if conf.ConfigFile != "" { - args = append(args, "--config="+conf.ConfigFile) - } - tmpdir, err := os.MkdirTemp("", "bktest_buildkitd") if err != nil { return "", nil, err 
@@ -49,12 +45,20 @@ func runBuildkitd(ctx context.Context, conf *integration.BackendConfig, args []s if err := os.Chown(filepath.Join(tmpdir, "tmp"), uid, gid); err != nil { return "", nil, err } - deferF.Append(func() error { return os.RemoveAll(tmpdir) }) + cfgfile, err := integration.WriteConfig(append(conf.DaemonConfig, integration.WithOTELSocketPath(getTraceSocketPath(tmpdir)))) + if err != nil { + return "", nil, err + } + deferF.Append(func() error { + return os.RemoveAll(filepath.Dir(cfgfile)) + }) + args = append(args, "--config="+cfgfile) + address = getBuildkitdAddr(tmpdir) - args = append(args, "--root", tmpdir, "--addr", address, "--otel-socket-path", getTraceSocketPath(tmpdir), "--debug") + args = append(args, "--root", tmpdir, "--addr", address, "--debug") cmd := exec.Command(args[0], args[1:]...) //nolint:gosec // test utility cmd.Env = append(os.Environ(), "BUILDKIT_DEBUG_EXEC_OUTPUT=1", "BUILDKIT_DEBUG_PANIC_ON_ERROR=1", "TMPDIR="+filepath.Join(tmpdir, "tmp")) cmd.Env = append(cmd.Env, extraEnv...) diff --git a/vendor/modules.txt b/vendor/modules.txt index 904683bc5551..7de6597c53da 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -407,6 +407,9 @@ github.com/grpc-ecosystem/go-grpc-middleware github.com/grpc-ecosystem/grpc-gateway/v2/internal/httprule github.com/grpc-ecosystem/grpc-gateway/v2/runtime github.com/grpc-ecosystem/grpc-gateway/v2/utilities +# github.com/hashicorp/go-cleanhttp v0.5.2 +## explicit; go 1.13 +github.com/hashicorp/go-cleanhttp # github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840 ## explicit; go 1.14 github.com/hashicorp/go-cty-funcs/cidr 
@@ -471,7 +474,7 @@ github.com/mitchellh/go-wordwrap
 # github.com/mitchellh/mapstructure v1.5.0
 ## explicit; go 1.14
 github.com/mitchellh/mapstructure
-# github.com/moby/buildkit v0.12.1-0.20230907220514-cbfd4023383d
+# github.com/moby/buildkit v0.12.1-0.20230907220514-cbfd4023383d => github.com/crazy-max/buildkit v0.7.1-0.20230926171716-d7819a7b6773
 ## explicit; go 1.20
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types
@@ -1224,3 +1227,4 @@ sigs.k8s.io/structured-merge-diff/v4/value
 # sigs.k8s.io/yaml v1.3.0
 ## explicit; go 1.12
 sigs.k8s.io/yaml
+# github.com/moby/buildkit => github.com/crazy-max/buildkit v0.7.1-0.20230926171716-d7819a7b6773