Remove non-scratch images

.github/workflows/nightly_build.yaml

@@ -30,20 +30,12 @@ jobs:
       - name: Install regctl
         uses: regclient/actions/regctl-installer@main
       - name: Build images
-        run: make images scratch-images load-images load-scratch-images
-      - name: Log in to GCR
-        uses: docker/login-action@v2
-        with:
-          registry: gcr.io
-          username: _json_key
-          password: ${{ secrets.GCR_JSON_KEY }}
-      - name: Push images
-        run: ./.github/workflows/scripts/push-images.sh nightly
+        run: make images load-images
       - name: Log in to GHCR
         uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Push images
-        run: ./.github/workflows/scripts/push-images.sh nightly -scratch
+        run: ./.github/workflows/scripts/push-images.sh nightly

.github/workflows/pr_build.yaml

@@ -218,50 +218,10 @@ jobs:
           name: images-windows
           path: images-windows.tar.gz
 
-  scratch-images:
-    runs-on: ubuntu-20.04
-    needs: [cache-deps]
-
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-      - name: Load cached deps
-        uses: actions/cache@v3
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-      - name: Load cached build tools
-        uses: actions/cache@v3
-        with:
-          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: Build scratch images
-        run: make scratch-images
-      - name: Export scratch images
-        run: tar -czvf scratch-images.tar.gz *-scratch-image.tar
-      - name: Archive scratch images
-        uses: actions/upload-artifact@v3
-        with:
-          name: scratch-images
-          path: scratch-images.tar.gz
-
   integration:
     name: integration (linux)
     runs-on: ubuntu-20.04
-    needs: [cache-deps, images, scratch-images]
+    needs: [cache-deps, images]
 
     permissions:
       contents: read
@@ -303,19 +263,10 @@ jobs:
         with:
           name: images
           path: .
-      - name: Download archived scratch images
-        uses: actions/download-artifact@v3
-        with:
-          name: scratch-images
-          path: .
       - name: Load archived images
         run: |
           tar xvf images.tar.gz
           make load-images
-      - name: Load archived scratch images
-        run: |
-          tar xvf scratch-images.tar.gz
-          make load-scratch-images
       - name: Run integration tests
         env:
           NUM_RUNNERS: ${{ matrix.num_runners }}

.github/workflows/release_build.yaml

@@ -212,46 +212,10 @@ jobs:
           name: images-windows
           path: images-windows.tar.gz
 
-  scratch-images:
-    runs-on: ubuntu-20.04
-    needs: [cache-deps]
-
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-      - name: Load cached deps
-        uses: actions/cache@v3
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-      - name: Load cached build tools
-        uses: actions/cache@v3
-        with:
-          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
-      - name: Build scratch images
-        run: make scratch-images
-      - name: Export scratch images
-        run: tar -czvf scratch-images.tar.gz *-scratch-image.tar
-      - name: Archive scratch images
-        uses: actions/upload-artifact@v3
-        with:
-          name: scratch-images
-          path: scratch-images.tar.gz
-
   integration:
     name: integration (linux)
     runs-on: ubuntu-20.04
-    needs: [cache-deps, images, scratch-images]
+    needs: [cache-deps, images]
 
     permissions:
       contents: read
@@ -302,19 +266,10 @@ jobs:
         with:
           name: images
           path: .
-      - name: Download archived scratch images
-        uses: actions/download-artifact@v3
-        with:
-          name: scratch-images
-          path: .
       - name: Load archived images
         run: |
           tar xvf images.tar.gz
           make load-images
-      - name: Load archived scratch images
-        run: |
-          tar xvf scratch-images.tar.gz
-          make load-scratch-images
       - name: Run integration tests
         env:
           NUM_RUNNERS: ${{ matrix.num_runners }}
@@ -591,27 +546,12 @@ jobs:
         with:
           name: images
           path: .
-      - name: Download archived scratch images
-        uses: actions/download-artifact@v3
-        with:
-          name: scratch-images
-          path: .
       - name: Log in to GHCR
         uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Push images
-        run: |
-          tar xzvf scratch-images.tar.gz
-          ./.github/workflows/scripts/push-images.sh "${GITHUB_REF}" -scratch
-      - name: Log in to GCR
-        uses: docker/login-action@v2
-        with:
-          registry: gcr.io
-          username: _json_key
-          password: ${{ secrets.GCR_JSON_KEY }}
       - name: Push images
         run: |
           tar xzvf images.tar.gz

.github/workflows/scripts/load-oci-archives.sh

@@ -7,11 +7,10 @@
 ##
 ## Usage example(s):
 ##   ./__PROG__
-##   ./__PROG__ -scratch
-##   PLATFORM=linux/arm64 ./__PROG__ -scratch
+##   PLATFORM=linux/arm64 ./__PROG__
 ##
 ## Commands
-## - ./__PROG__ <image-variant>    loads the oci tarball for the optional variant into Docker.
+## - ./__PROG__ loads the oci tarball into Docker.
 
 function usage {
   grep '^##' "$0" | sed -e 's/^##//' -e "s/__PROG__/$me/" >&2
@@ -38,14 +37,6 @@ ROOTDIR="$(normalize_path "$BASEDIR/../../../")"
 command -v regctl >/dev/null 2>&1 || { usage; echo -e "\n * The regctl cli is required to run this script." >&2 ; exit 1; }
 command -v docker >/dev/null 2>&1 || { usage; echo -e "\n * The docker cli is required to run this script." >&2 ; exit 1; }
 
-variant="$1"
-
-if [ -n "$variant" ] && [ "$variant" != "-scratch" ] ; then
-    usage
-    echo -e "The only supported variants are '-scratch'." >&2
-    exit 1
-fi
-
 # Takes the current platform architecture or plaftorm as defined externally in a platform variable.
 # e.g.:
 # linux/amd64
@@ -58,17 +49,16 @@ OCI_IMAGES=(
 
 echo "Importing ${OCI_IMAGES[*]} into docker".
 for img in "${OCI_IMAGES[@]}"; do
-    image_variant="${img}${variant}"
-    oci_dir="ocidir://${ROOTDIR}oci/${image_variant}"
-    platform_tar="${image_variant}-${PLATFORM}-image.tar"
+    oci_dir="ocidir://${ROOTDIR}oci/${img}"
+    platform_tar="${img}-${PLATFORM}-image.tar"
 
     # regclient works with directories rather than tars, so import the OCI tar to a directory
-    regctl image import "$oci_dir" "${image_variant}-image.tar"
+    regctl image import "$oci_dir" "${img}-image.tar"
     dig="$(regctl image digest --platform "$PLATFORM" "$oci_dir")"
     # export the single platform image using the digest
     regctl image export "$oci_dir@${dig}" "${platform_tar}"
 
     docker load < "${platform_tar}"
-    docker image tag "localhost/oci/${image_variant}:latest" "${image_variant}:latest-local"
-    docker image rm "localhost/oci/${image_variant}:latest"
+    docker image tag "localhost/oci/${img}:latest" "${img}:latest-local"
+    docker image rm "localhost/oci/${img}:latest"
 done

.github/workflows/scripts/push-images.sh

@@ -8,12 +8,10 @@
 ## Usage example(s):
 ##   ./__PROG__ 1.5.2
 ##   ./__PROG__ v1.5.2
-##   ./__PROG__ v1.5.2 -scratch
 ##   ./__PROG__ refs/tags/v1.5.2
-##   ./__PROG__ refs/tags/v1.5.2 -scratch
 ##
 ## Commands
-## - ./__PROG__ <version> [image-variant]   pushes images to the registry using given version.
+## - ./__PROG__ <version> pushes images to the registry using given version.
 
 set -e
 
@@ -52,37 +50,23 @@ fi
 version="${version#refs/tags/v}"
 version="${version#v}"
 
-variant="$2"
-if [ -n "${variant}" ] && [ "${variant}" != "-scratch" ] ; then
-  usage
-  echo -e "\n Errors:\n * The only supported variant is '-scratch'." >&2
-  exit 1
-fi
-
 OCI_IMAGES=(
   spire-server spire-agent oidc-discovery-provider
 )
 
-registry=gcr.io/spiffe-io
-if [ "${variant}" = "-scratch" ] ; then
-  org_name=$(echo "$GITHUB_REPOSITORY" | tr '/' "\n" | head -1 | tr -d "\n")
-  org_name="${org_name:-spiffe}" # default to spiffe in case ran on local
-  registry=ghcr.io/${org_name}
-else
-  # Continue publishing the non-scratch k8s-workload-registrar to GCR
-  OCI_IMAGES+=( k8s-workload-registrar )
-fi
+org_name=$(echo "$GITHUB_REPOSITORY" | tr '/' "\n" | head -1 | tr -d "\n")
+org_name="${org_name:-spiffe}" # default to spiffe in case ran on local
+registry=ghcr.io/${org_name}
 
 echo "Pushing images ${OCI_IMAGES[*]} to ${registry} with tag ${version}".
 for img in "${OCI_IMAGES[@]}"; do
-  image_variant="${img}${variant}"
-  oci_dir="ocidir://${ROOTDIR}oci/${image_variant}"
+  oci_dir="ocidir://${ROOTDIR}oci/${img}"
   image_to_push="${registry}/${img}:${version}"
 
-  regctl image import "${oci_dir}" "${image_variant}-image.tar"
+  regctl image import "${oci_dir}" "${img}-image.tar"
   regctl image copy "${oci_dir}" "${image_to_push}"
 
-  image_digest="$(jq -r '.manifests[0].digest' "${ROOTDIR}oci/${image_variant}/index.json")"
+  image_digest="$(jq -r '.manifests[0].digest' "${ROOTDIR}oci/${img}/index.json")"
 
   cosign sign "${registry}/${img}@${image_digest}"
 done

Dockerfile

@@ -3,42 +3,52 @@
 ARG goversion
 FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine as base
 WORKDIR /spire
+RUN apk --no-cache --update add file bash clang lld pkgconfig git make
 COPY go.* ./
 # https://go.dev/ref/mod#module-cache
 RUN --mount=type=cache,target=/go/pkg/mod go mod download
 COPY . .
 
-FROM base as builder
-ARG TARGETOS TARGETARCH
-RUN apk --no-cache --update add build-base git mercurial
+# xx is a helper for cross-compilation
+# when bumping to a new version analyze the new version for security issues
+# then use crane to lookup the digest of that version so we are immutable
+# crane digest tonistiigi/xx:1.1.2
+FROM --platform=$BUILDPLATFORM tonistiigi/xx@sha256:9dde7edeb9e4a957ce78be9f8c0fbabe0129bf5126933cd3574888f443731cda AS xx
+
+FROM --platform=${BUILDPLATFORM} base as builder
+ARG TARGETPLATFORM
+ARG TARGETARCH
+COPY --link --from=xx / /
+RUN install -d -o root -g root -m 1777 /newtmp
+RUN xx-go --wrap
+RUN set -e ; xx-apk --no-cache --update add build-base musl-dev libseccomp-dev
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
-    GOOS=$TARGETOS GOARCH=$TARGETARCH \
-    make build
+    if [ "$TARGETARCH" = "arm64" ]; then CC=aarch64-alpine-linux-musl; fi && \
+    make build-static && \
+    for f in $(find bin -executable -type f); do xx-verify $f; done
 
-# Common base
-FROM --platform=${BUILDPLATFORM} alpine AS spire-base
+FROM --platform=${BUILDPLATFORM} scratch AS spire-base
 WORKDIR /opt/spire
 CMD []
-RUN apk --no-cache --update add dumb-init
-RUN apk --no-cache --update add ca-certificates
+COPY --link --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --link --from=builder /newtmp /tmp
 
 # SPIRE Server
 FROM spire-base AS spire-server
-ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/spire-server", "run"]
-COPY --link --from=builder /spire/bin/spire-server bin/spire-server
+ENTRYPOINT ["/opt/spire/bin/spire-server", "run"]
+COPY --link --from=builder /spire/bin/static/spire-server bin/
 
-# SPIRE Agent
 FROM spire-base AS spire-agent
-ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/spire-agent", "run"]
-COPY --link --from=builder /spire/bin/spire-agent bin/spire-agent
+ENTRYPOINT ["/opt/spire/bin/spire-agent", "run"]
+COPY --link --from=builder /spire/bin/static/spire-agent bin/
 
 # K8S Workload Registrar
 FROM spire-base AS k8s-workload-registrar
-ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/k8s-workload-registrar"]
-COPY --link --from=builder /spire/bin/k8s-workload-registrar bin/k8s-workload-registrar
+ENTRYPOINT ["/opt/spire/bin/k8s-workload-registrar"]
+COPY --link --from=builder /spire/bin/static/k8s-workload-registrar bin/
 
 # OIDC Discovery Provider
 FROM spire-base AS oidc-discovery-provider
-ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/oidc-discovery-provider"]
-COPY --link --from=builder /spire/bin/oidc-discovery-provider bin/oidc-discovery-provider
+ENTRYPOINT ["/opt/spire/bin/oidc-discovery-provider"]
+COPY --link --from=builder /spire/bin/static/oidc-discovery-provider bin/