Merge pull request #94 from xrstf/go1241

update build image for Go 1.24.1, kind 0.27, Docker 27.3

Author: kcp-ci-bot

.gitignore

@@ -19,3 +19,5 @@
 
 # Go workspace file
 go.work
+
+kindest.tar

.prow.yaml

@@ -0,0 +1,46 @@
+presubmits:
+  - name: pull-infra-images-1.23-build
+    decorate: true
+    clone_uri: "ssh://git@github.com/kcp-dev/infra.git"
+    run_if_changed: '^images/build/go-1.23'
+    labels:
+      preset-goproxy: "true"
+    spec:
+      containers:
+        - image: quay.io/containers/buildah:v1.39.2
+          command:
+            - images/build/hack/build-image.sh
+            - go-1.23
+          # docker-in-docker needs privileged mode
+          securityContext:
+            privileged: true
+          env:
+            - name: DRY_RUN
+              value: '1'
+          resources:
+            requests:
+              memory: 1Gi
+              cpu: 1
+
+  - name: pull-infra-images-1.24-build
+    decorate: true
+    clone_uri: "ssh://git@github.com/kcp-dev/infra.git"
+    run_if_changed: '^images/build/go-1.24'
+    labels:
+      preset-goproxy: "true"
+    spec:
+      containers:
+        - image: quay.io/containers/buildah:v1.39.2
+          command:
+            - images/build/hack/build-image.sh
+            - go-1.24
+          # docker-in-docker needs privileged mode
+          securityContext:
+            privileged: true
+          env:
+            - name: DRY_RUN
+              value: '1'
+          resources:
+            requests:
+              memory: 1Gi
+              cpu: 1

images/build/Dockerfile images/build/go-1.23/Dockerfile

@@ -0,0 +1,67 @@
+ARG GO_VERSION
+
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:${GO_VERSION} as download
+
+    # the Kubernetes version that is used to determine which kubectl to install.
+ENV KUBECTL_VERSION=1.32.3 \
+    # the kind version installed into this image.
+    # https://github.com/kubernetes-sigs/kind/releases
+    KIND_VERSION=0.27.0 \
+    # the Helm version installed into this image.
+    # https://github.com/helm/helm/releases
+    HELM_VERSION=3.17.2 \
+    # the kubeconform version installed into this image.
+    # https://github.com/yannh/kubeconform/releases
+    KUBECONFORM_VERSION=0.6.7
+
+WORKDIR /tmp
+
+RUN curl --fail -L https://get.helm.sh/helm-v${HELM_VERSION}-linux-$(dpkg --print-architecture).tar.gz | tar -xzO linux-$(dpkg --print-architecture)/helm > helm && \
+    chmod +x helm && \
+    ./helm version --short
+
+RUN curl --fail -Lo kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/$(dpkg --print-architecture)/kubectl && \
+    chmod +x kubectl && \
+    ./kubectl version --client
+
+RUN curl --fail -Lo kind https://github.com/kubernetes-sigs/kind/releases/download/v${KIND_VERSION}/kind-linux-$(dpkg --print-architecture) && \
+    chmod +x kind && \
+    ./kind version
+
+RUN curl --fail -L https://github.com/yannh/kubeconform/releases/download/v${KUBECONFORM_VERSION}/kubeconform-linux-$(dpkg --print-architecture).tar.gz | tar -xzO kubeconform > kubeconform && \
+    chmod +x kubeconform && \
+    ./kubeconform -v
+
+FROM docker.io/library/golang:${GO_VERSION}
+
+# this is used by docker as data root
+VOLUME /docker-graph
+
+COPY --from=download /tmp/kubectl /usr/local/bin/
+COPY --from=download /tmp/kind /usr/local/bin/
+COPY --from=download /tmp/helm /usr/local/bin/
+COPY --from=download /tmp/kubeconform /usr/local/bin/
+
+COPY start-docker.sh /usr/local/bin/
+# this pre-loads the kindest/node image so it can be loaded via docker
+# when starting a container based on this image
+COPY kindest.tar /kindest.tar
+
+RUN apt-get update && \
+    apt-get install -y \
+        git \
+        curl \
+        jq \
+        buildah \
+    && rm -rf /var/lib/apt/lists/*
+
+# install Docker (and socat for tunneling the docker registry later)
+RUN curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | gpg --dearmor > /usr/share/keyrings/docker.com.gpg && \
+    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker.com.gpg] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends docker-ce=5:27.3.* socat && \
+    sed -i 's/cgroupfs_mount$/#cgroupfs_mount\n/' /etc/init.d/docker && \
+    sed -i 's/ulimit -Hn/#ulimit -Hn/g' /etc/init.d/docker && \
+    mkdir -p /etc/docker && \
+    echo '{"data-root":"/docker-graph"}' | jq '.' > /etc/docker/daemon.json && \
+    rm -rf /var/lib/apt/lists/*

images/build/env images/build/go-1.23/env

@@ -0,0 +1,7 @@
+# the tag used for the final image. Update the suffix when you want
+# a new version of the image to be built.
+BUILD_IMAGE_TAG=1.24.1-0
+# the Go version used for the images.
+GO_VERSION=1.24.1
+# the kindest image that matches the kind version above
+KINDEST_IMAGE=kindest/node:v1.32.2@sha256:f226345927d7e348497136874b6d207e0b32cc52154ad8323129352923a3142f

images/build/start-docker.sh images/build/go-1.23/start-docker.sh

@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+## This script should be called by all containers that
+## want to use docker-in-docker. This ensures a consistent
+## setup instead of homegrown custom hacks in each
+## repository.
+## It is safe to call this multiple times, only the first
+## invocation will start the daemon.
+
+set -euo pipefail
+
+retry() {
+  # Works only with bash but doesn't fail on other shells
+  set +e
+  actual_retry $@
+  rc=$?
+  set -e
+  return $rc
+}
+
+# We use an extra wrapping to write junit and have a timer
+actual_retry() {
+  retries=$1
+  shift
+
+  count=0
+  delay=1
+  until "$@"; do
+    rc=$?
+    count=$((count + 1))
+    if [ $count -lt "$retries" ]; then
+      echo "Retry $count/$retries exited $rc, retrying in $delay seconds..." > /dev/stderr
+      sleep $delay
+    else
+      echo "Retry $count/$retries exited $rc, no more retries left." > /dev/stderr
+      return $rc
+    fi
+    delay=$((delay + 1))
+  done
+  return 0
+}
+
+echodate() {
+  # do not use -Is to keep this compatible with macOS
+  echo "[$(date +%Y-%m-%dT%H:%M:%S%:z)]" "$@"
+}
+
+# does Docker already run?
+if docker stats --no-stream > /dev/null 2>&1; then
+  exit 0
+fi
+
+echodate "Starting Docker"
+
+# This is needed so Docker-In-Docker still works when the peer doesn't allow ICMP packages and hence path mtu discovery cant work
+# Most notably, pmtud doesn't work with the hoster of the Alpine package mirror, fastly, causing dind builds of alpine to hang
+# forever. Upstream issue: See https://github.com/gliderlabs/docker-alpine/issues/307#issuecomment-427246497
+echodate "Configuring iptables"
+iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+# Configure a registry mirror. This will help only the `docker build` commands during
+# regular Prow job, but will not affect any kind clusters that are started from within
+# Prow jobs.
+registryMirror="${DOCKER_REGISTRY_MIRROR:-}"
+if [ -n "$registryMirror" ]; then
+  echodate "Configuring registry mirror"
+  jq --arg mirror "$registryMirror" '."registry-mirrors" = [$mirror]' /etc/docker/daemon.json > /etc/docker/daemon.new.json
+  mv /etc/docker/daemon.new.json /etc/docker/daemon.json
+fi
+
+mtu=${DOCKER_MTU:-0}
+if [[ $mtu -gt 0 ]]; then
+  echodate "Configuring MTU"
+  jq --argjson mtu $mtu '.mtu = $mtu' /etc/docker/daemon.json > /etc/docker/daemon.new.json
+  mv /etc/docker/daemon.new.json /etc/docker/daemon.json
+fi
+
+# start Docker daemon
+service docker start
+
+# wait for Docker to start
+retry 5 docker stats --no-stream
+echodate "Docker became ready"

images/build/go-1.24/Dockerfile

@@ -34,7 +34,8 @@ fi
 repository=ghcr.io/kcp-dev/infra/build
 architectures="amd64 arm64"
 
-cd images/build
+# cd into the desired go-* Docker image
+cd "$(dirname "$0")/../$1"
 
 # read configuration file for build image
 source ./env

images/build/go-1.24/env

@@ -42,22 +42,44 @@ postsubmits:
               - name: KUBE_CONTEXT
                 value: default
 
-    - name: post-infra-publish-images-build
+    - name: post-infra-publish-images-1.23-build
       decorate: true
       clone_uri: "ssh://git@github.com/kcp-dev/infra.git"
       cluster: prow # GHCR credentials are only available here
       labels:
         preset-ghcr-credentials: "true"
       branches:
         - ^main$
-      # this forces to bump the image tag in this file to get a
-      # new image build
-      run_if_changed: '^images/build/env$'
+      run_if_changed: '^images/build/go-1.23'
       spec:
         containers:
-          - image: quay.io/containers/buildah:v1.30.0
+          - image: quay.io/containers/buildah:v1.39.2
             command:
               - images/build/hack/build-image.sh
+              - go-1.23
+            # docker-in-docker needs privileged mode
+            securityContext:
+              privileged: true
+            resources:
+              requests:
+                cpu: 2
+                memory: 3Gi
+
+    - name: post-infra-publish-images-1.24-build
+      decorate: true
+      clone_uri: "ssh://git@github.com/kcp-dev/infra.git"
+      cluster: prow # GHCR credentials are only available here
+      labels:
+        preset-ghcr-credentials: "true"
+      branches:
+        - ^main$
+      run_if_changed: '^images/build/go-1.24'
+      spec:
+        containers:
+          - image: quay.io/containers/buildah:v1.39.2
+            command:
+              - images/build/hack/build-image.sh
+              - go-1.24
             # docker-in-docker needs privileged mode
             securityContext:
               privileged: true

images/build/go-1.24/start-docker.sh

@@ -59,27 +59,3 @@ presubmits:
         - name: oauth-token
           secret:
             secretName: github-token
-
-    - name: pull-infra-images-build
-      decorate: true
-      clone_uri: "ssh://git@github.com/kcp-dev/infra.git"
-      # this forces to bump the image tag in this file to get a
-      # new image build
-      run_if_changed: '^images/build/env$'
-      labels:
-        preset-goproxy: "true"
-      spec:
-        containers:
-          - image: quay.io/containers/buildah:v1.30.0
-            command:
-              - images/build/hack/build-image.sh
-            # docker-in-docker needs privileged mode
-            securityContext:
-              privileged: true
-            env:
-              - name: DRY_RUN
-                value: '1'
-            resources:
-              requests:
-                memory: 1Gi
-                cpu: 1