new plugin: img

TODO: figure out how to support persistent cache

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>

Dockerfile.cbi-img

@@ -0,0 +1,7 @@
+FROM golang:1.10-alpine AS compile
+COPY . /go/src/github.com/containerbuilding/cbi
+RUN go build -ldflags="-s -w" -o /cbi-img github.com/containerbuilding/cbi/cmd/cbi-img
+
+FROM alpine:3.7
+COPY --from=compile /cbi-img /cbi-img
+ENTRYPOINT ["/cbi-img"]

README.md

@@ -22,8 +22,9 @@ Plugin | Support Dockerfile | Support `cloudbuild.yaml` | Support LLB
 [BuildKit](https://github.com/moby/buildkit) | Yes ✅| Planned? (TBD) | Planned
 [Buildah](https://github.com/projectatomic/buildah) | Yes ✅ | |
 [kaniko](https://github.com/GoogleCloudPlatform/kaniko) | Yes ✅ | |
+[img](https://github.com/genuinetools/img) | Yes ✅ | |
 
-* Planned: [img](https://github.com/genuinetools/img), [Google Cloud Container Builder](https://cloud.google.com/container-builder/), [OpenShift Image Builder](https://github.com/openshift/imagebuilder), [Orca](https://github.com/cyphar/orca-build), ...
+* Planned: [Google Cloud Container Builder](https://cloud.google.com/container-builder/), [OpenShift Image Builder](https://github.com/openshift/imagebuilder), [Orca](https://github.com/cyphar/orca-build), ...
 
 <!-- TODO: figure out possibility for supporting Bazel, OpenShift S2I, Singularity... -->
 
@@ -54,6 +55,7 @@ Docker (highest priority)   | Docker needs to be installed on the hosts
 Buildah  | Privileged containers needs to be enabled
 BuildKit | Privileged containers needs to be enabled
 kaniko   | N/A
+img      | Privileged containers needs to be enabled (See [`kubernetes/community#1934`](https://github.com/kubernetes/community/pull/1934) and [Jess's blog](https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/) for the ongoing work to remove this requirement)
 
 You may edit the YAML file to remove unneeded plugins or change the priorities.
 

cbi-latest.yaml

@@ -1,6 +1,6 @@
-# Autogenerated at Thu Apr 26 15:01:44 JST 2018.
-# Command: [/tmp/go-build321429061/b001/exe/generate_manifests generate-manifests containerbuilding latest]
-# Contains 14 manifests.
+# Autogenerated at Thu Apr 26 18:00:26 JST 2018.
+# Command: [/tmp/go-build515519228/b001/exe/generate_manifests generate-manifests containerbuilding latest]
+# Contains 16 manifests.
 #  0. CustomResourceDefinition [CRD (BuildJob)]
 #  1. ServiceAccount [ServiceAccount used by CBI controller daemon]
 #  2. ClusterRoleBinding [ClusterRoleBinding for binding a role to the service account. (FIXME: cluster-admin)]
@@ -14,7 +14,9 @@
 # 10. Service [Service for deployment cbi-buildah]
 # 11. Deployment [Plugin: kaniko]
 # 12. Service [Service for deployment cbi-kaniko]
-# 13. Deployment [CBI controller daemon. Plugin addresses=[cbi-docker cbi-buildkit cbi-buildah cbi-kaniko]]
+# 13. Deployment [Plugin: img]
+# 14. Service [Service for deployment cbi-img]
+# 15. Deployment [CBI controller daemon. Plugin addresses=[cbi-docker cbi-buildkit cbi-buildah cbi-kaniko cbi-img]]
 ---
 # 0. CRD (BuildJob)
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -322,7 +324,59 @@ status:
   loadBalancer: {}
 
 ---
-# 13. CBI controller daemon. Plugin addresses=[cbi-docker cbi-buildkit cbi-buildah cbi-kaniko]
+# 13. Plugin: img
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  creationTimestamp: null
+  labels:
+    app: cbi-img
+  name: cbi-img
+spec:
+  selector:
+    matchLabels:
+      app: cbi-img
+  strategy: {}
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: cbi-img
+    spec:
+      containers:
+      - args:
+        - -logtostderr
+        - -v=4
+        - -helper-image=containerbuilding/cbipluginhelper:latest
+        - -img-image=r.j3ss.co/img:latest
+        image: containerbuilding/cbi-img:latest
+        imagePullPolicy: Always
+        name: cbi-img
+        ports:
+        - containerPort: 12111
+        resources: {}
+status: {}
+
+---
+# 14. Service for deployment cbi-img
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  labels:
+    app: cbi-img
+  name: cbi-img
+spec:
+  ports:
+  - port: 12111
+    targetPort: 0
+  selector:
+    app: cbi-img
+status:
+  loadBalancer: {}
+
+---
+# 15. CBI controller daemon. Plugin addresses=[cbi-docker cbi-buildkit cbi-buildah cbi-kaniko cbi-img]
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -345,7 +399,7 @@ spec:
       - args:
         - -logtostderr
         - -v=4
-        - -cbi-plugins=cbi-docker,cbi-buildkit,cbi-buildah,cbi-kaniko
+        - -cbi-plugins=cbi-docker,cbi-buildkit,cbi-buildah,cbi-kaniko,cbi-img
         image: containerbuilding/cbid:latest
         imagePullPolicy: Always
         name: cbid

cmd/cbi-img/main.go

@@ -0,0 +1,63 @@
+/*
+Copyright The CBI Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"flag"
+	"os"
+
+	"github.com/golang/glog"
+
+	"github.com/containerbuilding/cbi/pkg/plugin/backends/img"
+	"github.com/containerbuilding/cbi/pkg/plugin/base"
+	"github.com/containerbuilding/cbi/pkg/plugin/base/cbipluginhelper"
+	"github.com/containerbuilding/cbi/pkg/plugin/base/cmd"
+)
+
+func main() {
+	o := cmd.Opts{
+		// glog installs itself to flag.CommandLine via init().
+		// flag.CommandLine is associated with flag.ExitOnError.
+		FlagSet: flag.CommandLine,
+		Args:    os.Args[1:],
+	}
+	var (
+		helperImage string
+		image       string
+	)
+	o.FlagSet.StringVar(&helperImage, "helper-image", "", "cbipluginhelper image")
+	o.FlagSet.StringVar(&image, "img-image", "", "image with /docker-build-push.sh, used for running img job")
+	o.CreateBackend = func() (base.Backend, error) {
+		if helperImage == "" {
+			glog.Fatal("no helper-image provided")
+		}
+		if image == "" {
+			glog.Fatal("no img-image provided")
+		}
+		b := &img.Img{
+			Helper: cbipluginhelper.Helper{
+				Image:   helperImage,
+				HomeDir: "/root",
+			},
+			Image: image,
+		}
+		return b, nil
+	}
+	if err := cmd.Main(o); err != nil {
+		glog.Fatal(err)
+	}
+}

cmd/cbihack/generate_manifests.go

@@ -46,7 +46,7 @@ var generateManifests = &cli.Command{
 		&cli.StringSliceFlag{
 			Name:  "plugin",
 			Usage: "Plugin names (first=highest priority, last=lowest priority)",
-			Value: cli.NewStringSlice("docker", "buildkit", "buildah", "kaniko"),
+			Value: cli.NewStringSlice("docker", "buildkit", "buildah", "kaniko", "img"),
 		},
 	},
 	Action: generateManifestsAction,
@@ -130,6 +130,10 @@ func generateManifestsAction(clicontext *cli.Context) error {
 			args = func() []string {
 				return []string{"-kaniko-image=gcr.io/kaniko-project/executor:latest"}
 			}
+		case "img":
+			args = func() []string {
+				return []string{"-img-image=r.j3ss.co/img:latest"}
+			}
 		default:
 			return fmt.Errorf("unknown plugin: %s", p)
 		}

hack/test/e2e.sh

@@ -66,7 +66,7 @@ function e2e(){
 }
 
 # NOTE: no test for kaniko, because it always requires pushing at the moment.
-for f in docker buildkit buildah; do
+for f in docker buildkit buildah img; do
     e2e ex-git-nopush $f
     e2e ex-http-nopush $f
     e2e ex-configmap-nopush $f

pkg/plugin/backends/img/img.go

@@ -0,0 +1,127 @@
+/*
+Copyright The CBI Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package img
+
+import (
+	"context"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+
+	crd "github.com/containerbuilding/cbi/pkg/apis/cbi/v1alpha1"
+	pluginapi "github.com/containerbuilding/cbi/pkg/plugin/api"
+	"github.com/containerbuilding/cbi/pkg/plugin/base"
+	"github.com/containerbuilding/cbi/pkg/plugin/base/cbipluginhelper"
+	"github.com/containerbuilding/cbi/pkg/plugin/base/registryutil"
+)
+
+type Img struct {
+	Image  string
+	Helper cbipluginhelper.Helper
+}
+
+var _ base.Backend = &Img{}
+
+func (b *Img) Info(ctx context.Context, req *pluginapi.InfoRequest) (*pluginapi.InfoResponse, error) {
+	res := &pluginapi.InfoResponse{
+		Labels: map[string]string{
+			pluginapi.LPluginName:         "img",
+			pluginapi.LLanguageDockerfile: "",
+		},
+	}
+	for k, v := range cbipluginhelper.Labels {
+		res.Labels[k] = v
+	}
+	return res, nil
+}
+
+func (b *Img) commonPodSpec(buildJob crd.BuildJob) corev1.PodSpec {
+	push := "0"
+	if buildJob.Spec.Registry.Push {
+		push = "1"
+	}
+	// TODO(AkihiroSuda): support non-privileged
+	privileged := true
+	podSpec := corev1.PodSpec{
+		RestartPolicy: corev1.RestartPolicyNever,
+		Containers: []corev1.Container{
+			{
+				Name:    "img-job",
+				Image:   b.Image,
+				Command: []string{
+					// needs to be "docker-build-push.sh", not img itself.
+				},
+				Env: []corev1.EnvVar{
+					{
+						Name:  "DBP_DOCKER_BINARY",
+						Value: "img",
+					},
+					{
+						Name:  "DBP_IMAGE_NAME",
+						Value: buildJob.Spec.Registry.Target,
+					},
+					{
+						Name:  "DBP_DIALECT",
+						Value: "docker",
+					},
+					{
+						Name:  "DBP_PUSH",
+						Value: push,
+					},
+				},
+				SecurityContext: &corev1.SecurityContext{
+					Privileged: &privileged,
+				},
+			},
+		},
+	}
+	return podSpec
+}
+
+func (b *Img) CreatePodTemplateSpec(ctx context.Context, buildJob crd.BuildJob) (*corev1.PodTemplateSpec, error) {
+	if buildJob.Spec.Language.Kind != crd.LanguageKindDockerfile {
+		return nil, fmt.Errorf("unsupported Spec.Language: %v", buildJob.Spec.Language)
+	}
+	podSpec := b.commonPodSpec(buildJob)
+	if buildJob.Spec.Registry.Push && buildJob.Spec.Registry.SecretRef.Name != "" {
+		if err := registryutil.InjectRegistrySecret(&podSpec, 0, "/root", buildJob.Spec.Registry.SecretRef); err != nil {
+			return nil, err
+		}
+	}
+	injector := cbipluginhelper.Injector{
+		Helper:        b.Helper,
+		TargetPodSpec: &podSpec,
+	}
+	dbpPath, err := injector.InjectFile("/docker-build-push.sh")
+	if err != nil {
+		return nil, err
+	}
+	podSpec.Containers[0].Command = []string{dbpPath}
+	ctxInjector := cbipluginhelper.ContextInjector{
+		Injector: injector,
+	}
+	ctxPath, err := ctxInjector.Inject(buildJob.Spec.Context)
+	if err != nil {
+		return nil, err
+	}
+	podSpec.Containers[0].Command = append(podSpec.Containers[0].Command, []string{
+		ctxPath,
+	}...)
+	return &corev1.PodTemplateSpec{
+		Spec: podSpec,
+	}, nil
+}