Use ko to build images everywhere

.github/workflows/verify-build.yaml

@@ -30,73 +30,60 @@ jobs:
     - uses: actions/checkout@v3
       with:
         path: go/src/github.com/timebertt/kubernetes-controller-sharding
-    - name: Setup Go
-      uses: actions/setup-go@v4
+    - uses: actions/setup-go@v4
       with:
         go-version-file: go/src/github.com/timebertt/kubernetes-controller-sharding/webhosting-operator/go.mod
         cache-dependency-path: go/src/github.com/timebertt/kubernetes-controller-sharding/webhosting-operator/go.sum
     - name: Verify
       run: make -C webhosting-operator verify
 
-  buildAndPush:
+  images:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        include:
-        - name: webhosting-operator
-          context: webhosting-operator
     steps:
     - uses: actions/checkout@v3
-    - name: Cache Docker layers
-      uses: actions/cache@v3
+    - uses: actions/setup-go@v4
       with:
-        path: /tmp/.buildx-cache
-        key: ${{ runner.os }}-buildx-${{ github.sha }}
-        restore-keys: |
-          ${{ runner.os }}-buildx-
-    - name: Setup Docker buildx
-      uses: docker/setup-buildx-action@v2
+        go-version-file: webhosting-operator/go.mod
+        cache-dependency-path: webhosting-operator/go.sum
+    - uses: ko-build/[email protected]
       with:
-        install: true
-    - name: Login to GHCR
-      if: github.event_name != 'pull_request'
-      uses: docker/login-action@v2
-      with:
-        registry: ghcr.io
-        username: ${{ github.repository_owner }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-
-    - uses: docker/metadata-action@v4
+        version: v0.14.1
+    - name: Prepare image metadata
       id: meta
-      with:
-        images: |
-          ghcr.io/${{ github.repository }}/${{ matrix.name }}
-        tags: |
-          type=ref,event=branch
-          type=ref,event=tag
-          type=ref,event=pr
-          type=sha
-        flavor: |
-          latest=${{ endsWith(github.ref, github.event.repository.default_branch) }}
+      # generate comma-separated tags and labels for image build (similar to docker/metadata-action)
+      run: |
+        short_ref=${{ github.ref_name }}
+        if ${{ github.event_name == 'pull_request' }} ; then
+          # for PR events, ref_name is '<pr-number>/merge' but tags may not contain /
+          short_ref=pr-${{ github.event.pull_request.number }}
+        fi
 
-    - name: Build and push
-      uses: docker/build-push-action@v4
-      with:
-        context: ${{ matrix.context }}
-        target: ${{ matrix.name }}
-        platforms: linux/amd64
-        push: ${{ github.event_name != 'pull_request' }}
-        tags: ${{ steps.meta.outputs.tags }}
-        labels: ${{ steps.meta.outputs.labels }}
-        cache-from: type=local,src=/tmp/.buildx-cache
-        cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
-        secrets: |
-          GIT_AUTH_TOKEN=${{ secrets.GITHUB_TOKEN }}
+        tags=(
+          $short_ref
+          sha-$( echo ${{ github.sha }} | head -c7 )
+        )
 
-    - name: Move cache
-      # Temp fix
-      # https://github.com/docker/build-push-action/issues/252
-      # https://github.com/moby/buildkit/issues/1896
+        if ${{ github.ref_name == 'master' }} ; then
+          tags+=( latest )
+        fi
+
+        echo "tags=$(IFS=, ; echo "${tags[*]}")" >> $GITHUB_OUTPUT
+
+        labels=(
+          org.opencontainers.image.created=$( date -u +%Y-%m-%dT%H:%M:%SZ )
+          org.opencontainers.image.licenses=Apache-2.0
+          org.opencontainers.image.revision=${{ github.sha }}
+          org.opencontainers.image.source=https://github.com/${{ github.repository }}
+          org.opencontainers.image.url=https://github.com/${{ github.repository }}
+          org.opencontainers.image.version=$short_ref
+        )
+
+        echo "labels=$(IFS=, ; echo "${labels[*]}")" >> $GITHUB_OUTPUT
+    - name: ko build
       run: |
-        rm -rf /tmp/.buildx-cache
-        mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+        set -ex
+
+        cd ./webhosting-operator
+        ko build --push=${{ github.event_name != 'pull_request' }} --sbom none --base-import-paths --platform linux/amd64,linux/arm64 \
+          --tags "${{ steps.meta.outputs.tags }}" --image-label "${{ steps.meta.outputs.labels }}" \
+          ./cmd/webhosting-operator

webhosting-operator/Makefile

@@ -2,7 +2,9 @@ PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 
 # Image URL to use all building/pushing image targets
 TAG ?= latest
-CONTROLLER_IMG ?= ghcr.io/timebertt/kubernetes-controller-sharding/webhosting-operator:$(TAG)
+GHCR_REPO ?= ghcr.io/timebertt/kubernetes-controller-sharding
+OPERATOR_IMG ?= $(GHCR_REPO)/webhosting-operator:$(TAG)
+
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.24
 # set OVERLAY to shoot to configure ingress-nginx with public dns and a TLS certificate
@@ -101,13 +103,12 @@ build: generate fmt vet ## Build manager binary.
 run: manifests generate fmt vet ## Run the webhosting-operator from your host.
 	go run ./cmd/webhosting-operator
 
-.PHONY: docker-build
-docker-build: test ## Build docker image with the manager.
-	docker build -t $(CONTROLLER_IMG) --target webhosting-operator .
+PUSH ?= false
+images: export KO_DOCKER_REPO = $(GHCR_REPO)
 
-.PHONY: docker-push
-docker-push: ## Push docker image with the manager.
-	docker push $(CONTROLLER_IMG)
+.PHONY: images
+images: $(KO) ## Build and push container images using ko.
+	$(KO) build --push=$(PUSH) --sbom none --base-import-paths -t $(TAG) --platform linux/amd64,linux/arm64 ./cmd/webhosting-operator
 
 ##@ Deployment
 
@@ -136,7 +137,7 @@ up dev down: export SKAFFOLD_LABEL = skaffold.dev/run-id=webhosting-operator
 
 .PHONY: deploy
 deploy: $(SKAFFOLD) ## Build all images and deploy everything to K8s cluster specified in $KUBECONFIG.
-	$(SKAFFOLD) deploy --port-forward=user --tail -i $(CONTROLLER_IMG)
+	$(SKAFFOLD) deploy --port-forward=user --tail -i $(OPERATOR_IMG)
 
 .PHONY: up
 up: $(SKAFFOLD) ## Build all images, deploy everything to K8s cluster specified in $KUBECONFIG, start port-forward and tail logs.

webhosting-operator/tools.mk

@@ -28,6 +28,11 @@ $(KIND): $(call tool_version_file,$(KIND),$(KIND_VERSION))
 	curl -L -o $(KIND) https://kind.sigs.k8s.io/dl/$(KIND_VERSION)/kind-$(shell uname -s | tr '[:upper:]' '[:lower:]')-$(shell uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
 	chmod +x $(KIND)
 
+KO := $(TOOLS_BIN_DIR)/ko
+KO_VERSION ?= v0.14.1
+$(KO): $(call tool_version_file,$(KO),$(KO_VERSION))
+	GOBIN=$(abspath $(TOOLS_BIN_DIR)) go install github.com/google/ko@$(KO_VERSION)
+
 KUBECTL := $(TOOLS_BIN_DIR)/kubectl
 KUBECTL_VERSION ?= v1.27.3
 $(KUBECTL): $(call tool_version_file,$(KUBECTL),$(KUBECTL_VERSION))