Add EFS-backed Fargate build cache support #3796

Open
ntner wants to merge 2 commits into master from fargate-build-cache-kaniko

ntner commented May 23, 2026

Summary

  • Upgrade Fargate build image from archived Google Kaniko v1.23.2 to osscontainertools/kaniko v1.27.5, supporting RUN --mount=type=cache directives
  • Add unified BuildCache parameter that enables persistent layer caching for both EC2 and Fargate builds
  • EC2: registry-based layer cache via ECR (--cache-from/--cache-to type=registry,mode=max) with estargz, image-manifest, ignore-error
  • Fargate: EFS filesystem for --mount=type=cache persistence + Kaniko ECR layer caching (--cache=true --cache-repo)
  • Pin Fargate platform version to 1.4.0 (required for EFS, already the default since 2020)

New parameter

| Parameter | Type | Default | Effect |
| --- | --- | --- | --- |
| BuildCache | Yes/No | No | Enables persistent build layer caching. EC2: registry cache via ECR (all layers including intermediate multi-stage). Fargate: EFS mount cache + Kaniko ECR layer cache. |

Changes

| File | Change |
| --- | --- |
| cmd/build/Dockerfile | Kaniko base image v1.27.5 + FF_KANIKO_OCI_STAGES=0 |
| cmd/build/Dockerfile.arm | Same |
| pkg/build/kaniko.go | --tarPath to --tar-path + conditional --cache=true/--cache-repo |
| pkg/build/docker.go | Host version detection + --cache-from/--cache-to flags + --progress=plain + service-aware cache refs |
| provider/aws/builds.go | BUILD_CACHE + BUILD_CACHE_REPO env vars, PlatformVersion: "1.4.0" on Fargate |
| cmd/build/main.go | Read BUILD_CACHE + BUILD_CACHE_REPO via flag+env override pattern |
| provider/aws/formation/rack.json | 1 param, 3 conditions, 5 resources (EFS), unconditional DOCKER_BUILDKIT=1 in EC2 task def, volumes/mounts in Fargate task def |
| pkg/cli/rack.go | Register BuildCache in build param group |

EC2 registry cache design

Cache flags (pkg/build/buildkit.go imageManifestCacheProvider branch):

  • Export: --cache-to type=registry,ref={repo}:{service}.buildcache,mode=max,image-manifest=true,oci-mediatypes=true,ignore-error=true,compression=estargz
  • Import: --cache-from type=registry,ref={repo}:{service}.buildcache,ignore-error=true
  • Host Docker daemon version detected; cache flags skipped gracefully on Docker < 23.0
  • --no-cache skips --cache-from but still exports --cache-to (refreshes cache for future builds)

Fargate EFS design

  • Dedicated BuildCacheFilesystem (always encrypted, CMK when configured)
  • Security group with three-way SG ingress matching fetchSecurityGroups()
  • Mount targets in AZ 0, AZ 1, and AZ 2 (HA only)
  • Kaniko layer cache tags (sha256-{hash}) accumulate in ECR; lifecycle policy recommended for cleanup

Backward compatibility

  • BuildCache defaults to No. Disabled racks behave identically to today.
  • Kaniko upgrade applies to all Fargate builds regardless of BuildCache. --mount=type=cache directives previously ignored are now honored (cache ephemeral per task without EFS).
  • EC2 builds get unconditional DOCKER_BUILDKIT=1 in the task definition (redundant with image-level ENV, but explicit). New task definition revision created on upgrade.
  • PlatformVersion: "1.4.0" is a no-op (already the Fargate default).
  • Gen1 apps are unaffected (use manifest1.Build(), not docker.go).
  • Custom BuildImage users: DOCKER_BUILDKIT=1 is now forced via task definition. If the custom image ships Docker CLI, BuildKit mode is active.
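
The EC2 cache flag rules listed under "EC2 registry cache design" (version gate, per-service ref, `--no-cache` behaviour), written out as an added Go example that is not code from this pull request or the project. The names `cacheFlags` and `supportsRegistryCache`, the choice to treat an unparseable daemon version as unsupported, and the sample repository are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// cacheFlags is a hypothetical helper (not the PR's code). It returns the
// registry cache arguments for one service, following the rules stated in
// the PR description. The caller passes --no-cache itself when requested.
func cacheFlags(repo, service, daemonVersion string, noCache bool) []string {
	if !supportsRegistryCache(daemonVersion) {
		return nil // Docker < 23.0: no cache flags, the build runs uncached
	}
	ref := fmt.Sprintf("%s:%s.buildcache", repo, service) // one cache tag per service
	args := []string{}
	if !noCache {
		// Import is skipped on --no-cache so stale layers are not reused.
		args = append(args, "--cache-from", "type=registry,ref="+ref+",ignore-error=true")
	}
	// Export always runs, so a --no-cache build refreshes the cache.
	args = append(args, "--cache-to", "type=registry,ref="+ref+
		",mode=max,image-manifest=true,oci-mediatypes=true,ignore-error=true,compression=estargz")
	return args
}

// supportsRegistryCache reports whether the daemon major version is >= 23.
// Assumption: a version string that does not parse counts as unsupported.
func supportsRegistryCache(v string) bool {
	major, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), ".")
	n, err := strconv.Atoi(major)
	return err == nil && n >= 23
}

func main() {
	// Constructed sample repository, not a real account.
	repo := "123456789012.dkr.ecr.us-east-1.amazonaws.com/app"
	fmt.Println(cacheFlags(repo, "web", "24.0.7", false))
	fmt.Println(cacheFlags(repo, "web", "24.0.7", true))
	fmt.Println(cacheFlags(repo, "web", "20.10.24", false))
}
```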
