feat: Build Docker images

* Use goreleaser to build and push Docker images * Platforms: linux/amd64 and arm64 * Single-platform images: latest, major, minor, patch * Multi-platform images: latest, major, minor, patch * CI-friendly: COPY --from=helm/helm --chown=1000:1000 --chmod=0555 /bin/helm /usr/local/bin/ * Security-friendly: Distroless, rootless, read-only * Requires 2 new secrets: DOCKERHUB_USERNAME and DOCKERHUB_TOKEN Signed-off-by: Rene Leonhardt <65483435+reneleonhardt@users.noreply.github.com>
2 years ago · 4718bbccb4
parent 8219565249
commit 4718bbccb4
7 changed files with 158 additions and 0 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,30 @@
+# .gitignore
+*.exe
+*.swp
+.DS_Store
+.coverage/
+.idea/
+.vimrc
+.vscode/
+_dist/
+bin/
+vendor/
+# Ignores charts pulled for dependency build tests
+cmd/helm/testdata/testcharts/issue-7233/charts/*
+
+# .dockerignore
+.git/
+.circleci/
+.github/
+scripts/
+testdata/
+dist/
+.dockerignore
+.gitignore
+.goreleaser.yaml
+*.md
+KEYS
+LICENSE
+OWNERS
+Dockerfile
+Makefile
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -51,6 +51,17 @@ jobs:
          connection_string: ${{ secrets.AZURE_STORAGE_CONNECTION_STRING }}
          extra_args: '--pattern helm-*'

+      - name: Login to Docker Hub
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # pin@3.0.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build Docker images
+        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # pin@5.0.0
+        with:
+          args: release --clean
+
  canary-release:
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
--- a/.gitignore
+++ b/.gitignore
@ -6,6 +6,7 @@
 .vimrc
 .vscode/
 _dist/
+dist/
 bin/
 vendor/
 # Ignores charts pulled for dependency build tests
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -0,0 +1,79 @@
+archives:   # goreleaser should only build Docker images
+  - format: binary # https://goreleaser.com/customization/archive/#disable-archiving
+builds:
+  - env:
+      - CGO_ENABLED=0
+      - GOFLAGS=-trimpath
+      - GO111MODULE=on
+    binary: helm
+    main: ./cmd/helm
+    ldflags:
+      - -s -w -X main.build={{.Version}} -extldflags "-static"
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+dockers:
+  - image_templates:
+      - "helm/helm:{{ .Version }}-amd64"
+      - "helm/helm:{{ .Major }}.{{ .Minor }}-amd64"
+      - "helm/helm:{{ .Major }}-amd64"
+      - "helm/helm:latest-amd64"
+    use: buildx
+    skip_push: false
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.description=The Kubernetes Package Manager"
+      - "--label=org.opencontainers.image.licenses=Apache-2.0"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--build-arg=BUILDKIT_MULTI_PLATFORM=1"
+  - image_templates:
+      - "helm/helm:{{ .Version }}-arm64"
+      - "helm/helm:{{ .Major }}.{{ .Minor }}-arm64"
+      - "helm/helm:{{ .Major }}-arm64"
+      - "helm/helm:latest-arm64"
+    use: buildx
+    skip_push: false
+    goarch: arm64
+    build_flag_templates:
+      - "--platform=linux/arm64/v8"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.description=The Kubernetes Package Manager"
+      - "--label=org.opencontainers.image.licenses=Apache-2.0"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--build-arg=BUILDKIT_MULTI_PLATFORM=1"
+docker_manifests:
+  - id: patch
+    name_template: "helm/helm:{{ .Version }}"
+    image_templates:
+      - "helm/helm:{{ .Version }}-amd64"
+      - "helm/helm:{{ .Version }}-arm64"
+    skip_push: false
+    use: docker
+  - id: minor
+    name_template: "helm/helm:{{ .Major }}.{{ .Minor }}"
+    image_templates:
+      - "helm/helm:{{ .Version }}-amd64"
+      - "helm/helm:{{ .Version }}-arm64"
+    skip_push: false
+    use: docker
+  - id: major
+    name_template: "helm/helm:{{ .Major }}"
+    image_templates:
+      - "helm/helm:{{ .Version }}-amd64"
+      - "helm/helm:{{ .Version }}-arm64"
+    skip_push: false
+    use: docker
+  - id: latest
+    name_template: "helm/helm:latest"
+    image_templates:
+      - "helm/helm:{{ .Version }}-amd64"
+      - "helm/helm:{{ .Version }}-arm64"
+    skip_push: false
+    use: docker
--- a/17
+++ b/17
@ -0,0 +1,17 @@
+FROM alpine:3.18.4 AS base
+
+RUN addgroup -g 1000 -S helm && adduser -u 1000 -S helm -G helm
+
+#NOSONAR docker:S6596 Sonar bug: virtual scratch image doesn't have any tags, not even :latest
+# And Sonar doesn't process "trailing" comments in multi-stage Dockerfiles or parser directives like "# syntax=docker/dockerfile:1":
+# https://docs.sonarsource.com/sonarcloud/advanced-setup/languages/docker/#no-nosonar-support
+FROM scratch
+
+COPY --chmod=0444 --from=base /etc/passwd /etc/group /etc/
+COPY --chmod=0555 --chown=1000:1000 helm /bin/helm
+
+USER helm
+WORKDIR /in
+WORKDIR /out
+
+ENTRYPOINT ["/bin/helm"]
--- a/6
+++ b/6
@ -26,6 +26,8 @@ LDFLAGS     := -w -s
 GOFLAGS     :=
 CGO_ENABLED ?= 0

+GORELEASER_FLAGS ?= --clean
+
 # Rebuild the binary if any of these files change
 SRC := $(shell find . -type f -name '*.go' -print) go.mod go.sum

@ -178,6 +180,10 @@ dist:
 		$(DIST_DIRS) zip -r helm-${VERSION}-{}.zip {} \; \
 	)

+.PHONY: goreleaser
+goreleaser:
+	goreleaser release $(GORELEASER_FLAGS)
+
 .PHONY: fetch-dist
 fetch-dist:
 	mkdir -p _dist
--- a/README.md
+++ b/README.md
@ -46,6 +46,20 @@ To rapidly get Helm up and running, start with the [Quick Start Guide](https://h
 See the [installation guide](https://helm.sh/docs/intro/install/) for more options,
 including installing pre-releases.

+## Docker
+Package subdirectory mychart:
+```shell
+docker run --rm -v $PWD:/out helm/helm package mychart
+```
+Package /tmp/mychart (outside of working directory):
+```shell
+docker run --rm -v /tmp:/in -v $PWD:/out helm/helm package /in/mychart
+```
+Integrate helm binary into own Dockerfile for CI workflow:
+```dockerfile
+COPY --from=helm/helm --chown=1000:1000 --chmod=0555 /bin/helm /usr/local/bin/
+```
+
 ## Docs

 Get started with the [Quick Start guide](https://helm.sh/docs/intro/quickstart/) or plunge into the [complete documentation](https://helm.sh/docs)