refactor: change how the container image is built

Prior to this commit, building the container image was done performing a complex cross-compilation build of the policy-server binary. That required a special environment to be setup inside of the GitHub action. This environment was a bit scary to maintain, it required a specific set of repositories and workarounds in place, all of them done inside of our GitHub action. Because of that, performing a local build of the container image was not doable. This change allows to build the container image doing a simple "docker build". Moreover, the complex build environment is no longer needed. Signed-off-by: Flavio Castelli <[email protected]>
kubewarden · Jul 18, 2023 · 6be2466 · 6be2466
1 parent dd02489
commit 6be2466
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 26 deletions.
diff --git a/.cargo/config b/.cargo/config
diff --git a/Dockerfile b/Dockerfile
@@ -1,21 +1,27 @@
-FROM alpine AS common
-RUN echo "policy-server:x:65533:65533::/tmp:/sbin/nologin" >> /etc/passwd
-RUN echo "policy-server:x:65533:policy-server" >> /etc/group
+FROM rust:1.70 AS build
+WORKDIR /usr/src
+
+# Download the target for static linking.
+RUN rustup target add $(arch)-unknown-linux-musl
 
-# amd64-specific
-FROM scratch AS build-amd64
-COPY --from=common /etc/passwd /etc/passwd
-COPY --from=common /etc/group /etc/group
-COPY --chmod=0755 policy-server-x86_64 /policy-server
+# Fix ring building using musl - see https://github.com/briansmith/ring/issues/1414#issuecomment-1055177218
+RUN apt-get update && apt-get install musl-tools clang llvm -y
+ENV RUSTFLAGS="-Clink-self-contained=yes -Clinker=rust-lld"
 
-# arm64-specific
-FROM scratch AS build-arm64
-COPY --from=common /etc/passwd /etc/passwd
-COPY --from=common /etc/group /etc/group
-COPY --chmod=0755 policy-server-aarch64 /policy-server
+RUN mkdir /usr/src/policy-server
+WORKDIR /usr/src/policy-server
+COPY ./ ./
+RUN cargo install --target $(arch)-unknown-linux-musl --path .
+
+FROM alpine AS cfg
+RUN echo "policy-server:x:65533:65533::/tmp:/sbin/nologin" >> /etc/passwd
+RUN echo "policy-server:x:65533:policy-server" >> /etc/group
 
-# common final steps
-FROM build-${TARGETARCH}
+# Copy the statically-linked binary into a scratch container.
+FROM scratch
+COPY --from=cfg /etc/passwd /etc/passwd
+COPY --from=cfg /etc/group /etc/group
+COPY --from=build --chmod=0755 /usr/local/cargo/bin/policy-server /policy-server
 USER 65533:65533
 EXPOSE 3000
 ENTRYPOINT ["/policy-server"]