chore: build annotated OCI images (#8301)

* refactor: isolate docker build to script * chore: add labels to docker image * chore: export image as OCI * chore: print image digest * fix: convert to OCI BEFORE calculating digest * fix: use digest of uploaded image, not of the local archive --------- Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
2023-07-24 15:28:04 +02:00 · 2023-07-24 15:28:04 +02:00 · e822374270
parent 6aaa7edcbe
commit e822374270
2 changed files with 51 additions and 19 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -387,25 +387,15 @@ jobs:
          command: |
            COMMIT_SHA="$(git rev-parse HEAD)"

-            RUST_VERSION="$(sed -E -ne 's/channel = "(.*)"/\1/p' rust-toolchain.toml)"
+            .circleci/docker_build_release.bash \
+              "influxdb_iox" \
+              "aws,gcp,azure,jemalloc_replacing_malloc,tokio_console,pprof" \
+              "quay.io/influxdb/iox:$COMMIT_SHA"

-            docker buildx build \
-              --build-arg CARGO_INCREMENTAL="no" \
-              --build-arg CARGO_NET_GIT_FETCH_WITH_CLI="true" \
-              --build-arg FEATURES="aws,gcp,azure,jemalloc_replacing_malloc,tokio_console,pprof" \
-              --build-arg RUST_VERSION="$RUST_VERSION" \
-              --progress plain \
-              --tag quay.io/influxdb/iox:"$COMMIT_SHA" \
-              .
-            docker buildx build \
-              --build-arg CARGO_INCREMENTAL="no" \
-              --build-arg CARGO_NET_GIT_FETCH_WITH_CLI="true" \
-              --build-arg FEATURES="" \
-              --build-arg PACKAGE="iox_data_generator" \
-              --build-arg RUST_VERSION="$RUST_VERSION" \
-              --progress plain \
-              --tag quay.io/influxdb/iox_data_generator:"$COMMIT_SHA" \
-              .
+            .circleci/docker_build_release.bash \
+              "iox_data_generator" \
+              "" \
+              "quay.io/influxdb/iox_data_generator:$COMMIT_SHA"

            docker run -it --rm quay.io/influxdb/iox:$COMMIT_SHA debug print-cpu

@ -452,14 +442,25 @@ jobs:

            for image in "${images[@]}"; do
              echo "Image: $image"
+              oci_path="oci-archive:///tmp/images/$image.oci.tar"
+
+              # convert the gzipped docker image into OCI
              gzip -d "/tmp/images/$image.tar.gz"
+              skopeo copy --format oci --quiet "docker-archive:///tmp/images/$image.tar" "$oci_path"

              for registry in "${registries[@]}"; do
                echo "  Registry: $registry"

+                # upload all tags
+                # Note: Uploading the 2nd tag for the same image (to the same registry) is very cheap since all layers
+                #       exist already (from the previous tag).
                for tag in "${tags[@]}"; do
                  echo "    Upload: tag=$tag"
-                  skopeo copy "docker-archive:///tmp/images/$image.tar" "docker://$registry/$image:$tag" --quiet
+                  docker_url="docker://$registry/$image:$tag"
+                  skopeo copy --quiet "$oci_path" "$docker_url"
+
+                  # print out digest AFTER upload, see https://github.com/containers/skopeo/issues/469
+                  echo "      Digest: $(skopeo inspect "$docker_url" | jq ".Digest")"
                done
              done
            done
--- a/.circleci/docker_build_release.bash
+++ b/.circleci/docker_build_release.bash
@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+readonly PACKAGE="$1"
+readonly FEATURES="$2"
+readonly TAG="$3"
+
+RUST_VERSION="$(sed -E -ne 's/channel = "(.*)"/\1/p' rust-toolchain.toml)"
+COMMIT_SHA="$(git rev-parse HEAD)"
+COMMIT_TS="$(env TZ=UTC0 git show --quiet --date='format-local:%Y-%m-%dT%H:%M:%SZ' --format="%cd" HEAD)"
+NOW="$(date --utc --iso-8601=seconds)"
+REPO_URL="https://github.com/influxdata/influxdb_iox"
+
+exec docker buildx build \
+  --build-arg CARGO_INCREMENTAL="no" \
+  --build-arg CARGO_NET_GIT_FETCH_WITH_CLI="true" \
+  --build-arg FEATURES="$FEATURES" \
+  --build-arg RUST_VERSION="$RUST_VERSION" \
+  --build-arg PACKAGE="$PACKAGE" \
+  --label org.opencontainers.image.created="$NOW" \
+  --label org.opencontainers.image.url="$REPO_URL" \
+  --label org.opencontainers.image.revision="$COMMIT_SHA" \
+  --label org.opencontainers.image.vendor="InfluxData Inc." \
+  --label org.opencontainers.image.title="InfluxDB IOx, '$PACKAGE'" \
+  --label org.opencontainers.image.description="InfluxDB IOx production image for package '$PACKAGE'" \
+  --label com.influxdata.image.commit-date="$COMMIT_TS" \
+  --label com.influxdata.image.package="$PACKAGE" \
+  --progress plain \
+  --tag "$TAG" \
+  .