diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..eba37b2 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,56 @@ +name: Release + +on: + push: + tags: + - "[0-9]+.[0-9]+.[0-9]+" + +env: + IMAGE: zappi/image-builder + +jobs: + github-release: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v6 + - name: Create Release + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: gh release create "${{ github.ref_name }}" --title "Version ${{ github.ref_name }}" + docker-hub-release: + needs: github-release + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v6 + - name: Prepare image metadata + id: metadata + uses: docker/metadata-action@v6 + with: + images: ${{ env.IMAGE }} + - name: Set up QEMU + uses: docker/setup-qemu-action@v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v4 + - name: Login to Docker Hub + uses: docker/login-action@v4 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_TOKEN }} + - name: Build, tag, and push image to Docker Hub + uses: docker/build-push-action@v7 + with: + cache-from: type=gha + cache-to: type=gha,mode=max + context: . + labels: ${{ steps.metadata.outputs.labels }} + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.metadata.outputs.tags }} + - name: Update description on Docker Hub + uses: peter-evans/dockerhub-description@v5 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_TOKEN }} + repository: ${{ env.IMAGE }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 0000000..b4afcfc --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,35 @@ +name: Test + +on: + pull_request: + branches: + - "main" + +env: + IMAGE: zappi/image-builder + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v6 + - name: Prepare image metadata + id: metadata + uses: docker/metadata-action@v6 + with: + images: ${{ env.IMAGE }} + - name: Set up QEMU + uses: docker/setup-qemu-action@v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v4 + - name: Test multi-arch building of image + uses: docker/build-push-action@v7 + with: + cache-from: type=gha + cache-to: type=gha,mode=max + context: . + labels: ${{ steps.metadata.outputs.labels }} + platforms: linux/amd64,linux/arm64 + push: false + tags: ${{ steps.metadata.outputs.tags }} diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..85dc6c2 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,10 @@ +# Changelog + +## 1.0.0 + +* Use Ubuntu 24.04 (LTS) as upstream base image. +* Set up `builder` user and group with UID and GID of `1001`. +* Install `ca-certificates` and `curl`. +* Install Docker CLI v`29.3.0`. +* Install Docker Buildx Plugin v`0.31.1`. +* Install Amazon ECR Credential Helper v`0.12.0`. diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..f83760b --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ +* @Intellection/SRE diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..7901467 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,44 @@ +FROM ubuntu:24.04 + +SHELL ["/bin/bash", "-c"] + +ARG DEBIAN_FRONTEND=noninteractive +ARG TARGETARCH + +RUN apt-get update -y && \ + apt-get install --no-install-recommends -y \ + ca-certificates \ + curl && \ + rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + +# Docker +ARG DOCKER_BUILDX_PLUGIN_VERSION="0.31.1-1" +ARG DOCKER_CLI_VERSION="5:29.3.0-1" +RUN mkdir -p /etc/apt/keyrings && \ + curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc && \ + chmod a+r /etc/apt/keyrings/docker.asc && \ + echo "deb [arch=${TARGETARCH} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu noble stable" > /etc/apt/sources.list.d/docker.list && \ + apt-get update -y && \ + apt-get install --no-install-recommends -y \ + docker-buildx-plugin=${DOCKER_BUILDX_PLUGIN_VERSION}~ubuntu.24.04~noble \ + docker-ce-cli=${DOCKER_CLI_VERSION}~ubuntu.24.04~noble && \ + rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + +# AECH (Amazon ECR Credential Helper) +ARG AECH_VERSION="0.12.0" +RUN cd /tmp && \ + curl -fSL -o "docker-credential-ecr-login" "https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${AECH_VERSION}/linux-${TARGETARCH}/docker-credential-ecr-login" && \ + curl -fSL -o "docker-credential-ecr-login.sha256" "https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${AECH_VERSION}/linux-${TARGETARCH}/docker-credential-ecr-login.sha256" && \ + cat "docker-credential-ecr-login.sha256" | sha256sum -c - && \ + chmod +x "./docker-credential-ecr-login" && \ + mv "./docker-credential-ecr-login" "/usr/local/bin/docker-credential-ecr-login" && \ + rm -rf /tmp/* + +# Create user +ARG APP_USER="builder" +RUN groupadd -g 1001 ${APP_USER} && \ + useradd --create-home -u 1001 -g 1001 ${APP_USER} + +WORKDIR /home/${APP_USER} +USER ${APP_USER}:${APP_USER} +CMD ["/bin/bash"] diff --git a/LICENSE.md b/LICENSE.md new file mode 100644 index 0000000..69b3895 --- /dev/null +++ b/LICENSE.md @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2026 Zappi + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index 30e8f65..7612a75 100644 --- a/README.md +++ b/README.md @@ -1 +1,45 @@ # Docker Image Builder + +A purpose-built image for building and pushing container images via remote [BuildKit](https://github.com/moby/buildkit) daemons. It carries only what is needed for this role — no Docker Engine daemon, no `git`, no build toolchains. + +Published to Docker Hub as [`zappi/image-builder`](https://hub.docker.com/r/zappi/image-builder). Built for `linux/amd64` and `linux/arm64`. + +## Contents + +| Component | Version | +|-----------|---------| +| Base image | Ubuntu 24.04 LTS | +| [Docker CLI](https://github.com/docker/cli) | 29.3.0 | +| [Docker Buildx plugin](https://github.com/docker/buildx) | 0.31.1 | +| [Amazon ECR Credential Helper](https://github.com/awslabs/amazon-ecr-credential-helper) | 0.12.0 | + +The image runs as a non-root `builder` user (UID/GID `1001`). + +## Docker CLI Configuration + +No `~/.docker/config.json` is baked into the image. It is expected to be provided at runtime — for example, mounted via a Kubernetes ConfigMap. + +### AWS ECR Credential Helper Configuration + +The config should wire the ECR credential helper for the registries the builder needs to authenticate with: + +```json +{ + "credHelpers": { + "public.ecr.aws": "ecr-login", + ".dkr.ecr..amazonaws.com": "ecr-login" + } +} +``` + +The ECR credential helper (`docker-credential-ecr-login`) is already present in the image. It follows the standard [AWS credential chain](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html#credentialProviders), so no static credentials need to be baked into the image. + +## Releases + +Images are tagged and pushed to Docker Hub on every [GitHub Release](https://github.com/Intellection/docker-image-builder/releases). Tags follow the version in the release (e.g. `zappi/image-builder:1.0.0`). + +## References + +- [docker/cli](https://github.com/docker/cli) +- [docker/buildx](https://github.com/docker/buildx) +- [awslabs/amazon-ecr-credential-helper](https://github.com/awslabs/amazon-ecr-credential-helper)