Remove MUSL and enable threadless libgit2 support

Use of MUSL was a temporary solution to mitigate cross-platform
issues while building openssl and libssh2. Since Unmanaged transport has
been deprecated, openssl and libssh2 dependencies are no longer required
and by extension MUSL.

Enables libgit2 threadless support and provides a regression assurance
for fluxcd/image-automation-controller#339.

Signed-off-by: Paulo Gomes <[email protected]>

Author: Paulo Gomes

Dockerfile

@@ -3,7 +3,7 @@ ARG GO_VERSION=1.18
 ARG XX_VERSION=1.1.2
 
 ARG LIBGIT2_IMG=ghcr.io/fluxcd/golang-with-libgit2-only
-ARG LIBGIT2_TAG=v0.1.4
+ARG LIBGIT2_TAG=v0.2.0
 
 FROM ${LIBGIT2_IMG}:${LIBGIT2_TAG} AS libgit2-libs
 
@@ -37,22 +37,6 @@ COPY go.sum go.sum
 # Cache modules
 RUN go mod download
 
-# The musl-tool-chain layer is an adhoc solution
-# for the problem in which xx gets confused during compilation
-# and a) looks for gold linker and then b) cannot find musl's dynamic linker.
-FROM --platform=$BUILDPLATFORM alpine as musl-tool-chain
-
-COPY --from=xx / /
-
-RUN apk add bash curl tar
-
-WORKDIR /workspace
-COPY hack/download-musl.sh .
-
-ARG TARGETPLATFORM
-ARG TARGETARCH
-RUN ROOT_DIR="$(pwd)" TARGET_ARCH="$(xx-info alpine-arch)" ENV_FILE=true \
-        ./download-musl.sh
 
 # Build stage install per target platform
 # dependency and effectively cross compile the application.
@@ -64,7 +48,7 @@ COPY --from=libgit2-libs /usr/local/ /usr/local/
 
 # Some dependencies have to installed 
 # for the target platform: https://github.com/tonistiigi/xx#go--cgo
-RUN xx-apk add musl-dev gcc lld
+RUN xx-apk add musl-dev gcc clang lld
 
 WORKDIR /workspace
 
@@ -74,17 +58,14 @@ COPY controllers/ controllers/
 COPY pkg/ pkg/
 COPY internal/ internal/
 
-COPY --from=musl-tool-chain /workspace/build /workspace/build
-
 ARG TARGETPLATFORM
 ARG TARGETARCH
 ENV CGO_ENABLED=1
 
 # Instead of using xx-go, (cross) compile with vanilla go leveraging musl tool chain.
-RUN export $(cat build/musl/$(xx-info alpine-arch).env | xargs) && \
-    export PKG_CONFIG_PATH="/usr/local/$(xx-info triple)/lib/pkgconfig" && \
-    export CGO_LDFLAGS="$(pkg-config --static --libs --cflags libgit2) -static" && \
-    GOARCH=$TARGETARCH go build  \
+RUN export PKG_CONFIG_PATH="/usr/local/$(xx-info triple)/lib/pkgconfig" && \
+    export CGO_LDFLAGS="$(pkg-config --static --libs --cflags libgit2) -static -fuse-ld=lld" && \
+    xx-go build \
         -ldflags "-s -w" \
         -tags 'netgo,osusergo,static_build' \
         -o /source-controller -trimpath main.go;

Makefile

@@ -4,7 +4,7 @@ TAG ?= latest
 
 # Base image used to build the Go binary
 LIBGIT2_IMG ?= ghcr.io/fluxcd/golang-with-libgit2-only
-LIBGIT2_TAG ?= v0.1.4
+LIBGIT2_TAG ?= v0.2.0
 
 # Allows for defining additional Go test args, e.g. '-tags integration'.
 GO_TEST_ARGS ?= -race
@@ -33,24 +33,12 @@ ENVTEST_BIN_VERSION ?= 1.19.2
 LIBGIT2_PATH := $(BUILD_DIR)/libgit2/$(LIBGIT2_TAG)
 LIBGIT2_LIB_PATH := $(LIBGIT2_PATH)/lib
 LIBGIT2 := $(LIBGIT2_LIB_PATH)/libgit2.a
-MUSL-CC =
 
 export CGO_ENABLED=1
 export PKG_CONFIG_PATH=$(LIBGIT2_LIB_PATH)/pkgconfig
 export CGO_LDFLAGS=$(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) pkg-config --libs --static --cflags libgit2 2>/dev/null)
 GO_STATIC_FLAGS=-ldflags "-s -w" -tags 'netgo,osusergo,static_build$(addprefix ,,$(GO_TAGS))'
 
-ifeq ($(shell uname -s),Linux)
-ifneq ($(shell uname -m),x86_64)
-	MUSL-PREFIX=$(BUILD_DIR)/musl/$(shell uname -m)-linux-musl-native/bin/$(shell uname -m)-linux-musl
-	MUSL-CC=$(MUSL-PREFIX)-gcc
-	export CC=$(MUSL-PREFIX)-gcc
-	export CXX=$(MUSL-PREFIX)-g++
-	export AR=$(MUSL-PREFIX)-ar
-	GO_STATIC_FLAGS=-ldflags "-s -w -extldflags \"-static\"" -tags 'netgo,osusergo,static_build$(addprefix ,,$(GO_TAGS))'
-endif
-endif
-
 # API (doc) generation utilities
 CONTROLLER_GEN_VERSION ?= v0.7.0
 GEN_API_REF_DOCS_VERSION ?= v0.3.0
@@ -179,15 +167,11 @@ install-envtest: setup-envtest ## Download envtest binaries locally.
 libgit2: $(LIBGIT2)  ## Detect or download libgit2 library
 
 COSIGN = $(GOBIN)/cosign
-$(LIBGIT2): $(MUSL-CC)
+$(LIBGIT2):
 	$(call go-install-tool,$(COSIGN),github.com/sigstore/cosign/cmd/cosign@latest)
 
 	IMG=$(LIBGIT2_IMG) TAG=$(LIBGIT2_TAG) PATH=$(PATH):$(GOBIN) ./hack/install-libraries.sh
 
-$(MUSL-CC):
-ifneq ($(shell uname -s),Darwin)
-	./hack/download-musl.sh
-endif
 
 .PHONY: help
 help:  ## Display this help menu

controllers/suite_test.go

@@ -45,6 +45,7 @@ import (
 	dockerRegistry "github.com/distribution/distribution/v3/registry"
 	_ "github.com/distribution/distribution/v3/registry/auth/htpasswd"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/inmemory"
+	git2go "github.com/libgit2/git2go/v33"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/source-controller/internal/cache"
@@ -179,6 +180,8 @@ func setupRegistryServer(ctx context.Context) (*registryClientTestServer, error)
 }
 
 func TestMain(m *testing.M) {
+	mustHaveNoThreadSupport()
+
 	initTestTLS()
 
 	utilruntime.Must(sourcev1.AddToScheme(scheme.Scheme))
@@ -333,3 +336,22 @@ func randStringRunes(n int) string {
 func int64p(i int64) *int64 {
 	return &i
 }
+
+// This provides a regression assurance for image-automation-controller/#339.
+// Validates that:
+// - libgit2 was built with no support for threads.
+// - git2go accepts libgit2 built with no support for threads.
+//
+// The logic below does the validation of the former, whilst
+// referring to git2go forces its init() execution, which is
+// where any validation to that effect resides.
+//
+// git2go does not support threadless libgit2 by default,
+// hence a fork is being used which disables such validation.
+//
+// TODO: extract logic into pkg.
+func mustHaveNoThreadSupport() {
+	if git2go.Features()&git2go.FeatureThreads != 0 {
+		panic("libgit2 must not be build with thread support")
+	}
+}

go.mod

@@ -4,6 +4,16 @@ go 1.18
 
 replace github.com/fluxcd/source-controller/api => ./api
 
+// A temporary fork of git2go was created to enable use
+// of libgit2 without thread support to fix:
+// fluxcd/image-automation-controller/#339.
+//
+// This can be removed once libgit2/git2go#918 is merged.
+//
+// The fork automatically releases new patches based on upstream:
+// https://github.com/pjbgf/git2go/commit/d72e39cdc20f7fe014ba73072b01ba7b569e9253
+replace github.com/libgit2/git2go/v33 => github.com/pjbgf/git2go/v33 v33.0.9-nothread-check
+
 require (
 	cloud.google.com/go/storage v1.23.0
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v0.22.0

go.sum

@@ -593,8 +593,6 @@ github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.10.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.6 h1:jbk+ZieJ0D7EVGJYpL9QTz7/YW6UHbmdnZWYyK5cdBs=
 github.com/lib/pq v1.10.6/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/libgit2/git2go/v33 v33.0.9 h1:4ch2DJed6IhJO28BEohkUoGvxLsRzUjxljoNFJ6/O78=
-github.com/libgit2/git2go/v33 v33.0.9/go.mod h1:KdpqkU+6+++4oHna/MIOgx4GCQ92IPCdpVRMRI80J+4=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc=
@@ -719,6 +717,8 @@ github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+v
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI=
 github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
+github.com/pjbgf/git2go/v33 v33.0.9-nothread-check h1:gSK7FaLECIM3VSuBOAsVZQtWd+51iTB5lv9RyxhOYMk=
+github.com/pjbgf/git2go/v33 v33.0.9-nothread-check/go.mod h1:KdpqkU+6+++4oHna/MIOgx4GCQ92IPCdpVRMRI80J+4=
 github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 h1:Qj1ukM4GlMWXNdMBuXcXfz/Kw9s1qm0CLY32QxuSImI=
 github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=

hack/download-musl.sh

@@ -79,7 +79,7 @@ fix_pkgconfigs(){
     # Update the prefix paths included in the .pc files.
     if [[ $OSTYPE == 'darwin'* ]]; then
         # https://github.com/fluxcd/golang-with-libgit2/blob/v0.1.4/.github/workflows/release.yaml#L158
-        INSTALLED_DIR="/Users/runner/work/golang-with-libgit2/golang-with-libgit2/build/libgit2-darwin-amd64"
+        INSTALLED_DIR="/Users/runner/work/golang-with-libgit2/golang-with-libgit2/build/darwin-libgit2-only"
 
         # This will make it easier to update to the location in which they will be used.
         # sed has a sight different behaviour in MacOS
@@ -137,7 +137,7 @@ install_libraries(){
         fi
     fi
 
-    FILE_NAME="linux-x86_64-libgit2-only.tar.gz"
+    FILE_NAME="linux-$(uname -m)-libgit2-only.tar.gz"
     DIR="linux-libgit2-only"
     if [[ $OSTYPE == 'darwin'* ]]; then
         FILE_NAME="darwin-libgit2-only.tar.gz"

hack/install-libraries.sh

@@ -16,7 +16,7 @@
 
 set -euxo pipefail
 
-LIBGIT2_TAG="${LIBGIT2_TAG:-v0.1.4}"
+LIBGIT2_TAG="${LIBGIT2_TAG:-v0.2.0}"
 GOPATH="${GOPATH:-/root/go}"
 GO_SRC="${GOPATH}/src"
 PROJECT_PATH="github.com/fluxcd/source-controller"