Skip to content

Commit

Permalink
build: configuration for building "release" docker images
Browse files Browse the repository at this point in the history
These are different than our "full" images because they include a binary
already released to releases.hashicorp.com, whereas the root Dockerfile
directly builds from the current work tree.

This particular Dockerfile is not intended to be run manually, but rather
exists only to drive the dockerhub automated build.
  • Loading branch information
apparentlymart committed Jul 19, 2017
1 parent 909c454 commit 0f9af4d
Show file tree
Hide file tree
Showing 4 changed files with 109 additions and 0 deletions.
37 changes: 37 additions & 0 deletions scripts/docker-release/Dockerfile-release
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
# This Dockerfile is not intended for general use, but is rather used to
# package up official Terraform releases (from releases.hashicorp.com) to
# release on Dockerhub as the "light" release images.
#
# The main Dockerfile in the root of the repository is more generally-useful,
# since it is able to build a docker image of the current state of the work
# tree, without any dependency on there being an existing release on
# releases.hashicorp.com.

FROM alpine:latest
MAINTAINER "HashiCorp Terraform Team <[email protected]>"

# This is intended to be run from the hooks/build script, which sets this
# appropriately based on git tags.
ARG TERRAFORM_VERSION=UNSPECIFIED

COPY releases_public_key .

# What's going on here?
# - Download the indicated release along with its checksums and signature for the checksums
# - Verify that the checksums file is signed by the Hashicorp releases key
# - Verify that the zip file matches the expected checksum
# - Extract the zip file so it can be run

RUN echo Building image for Terraform ${TERRAFORM_VERSION} && \
apk add --update git curl openssh gnupg && \
curl https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip > terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
curl https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig > terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig && \
curl https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS > terraform_${TERRAFORM_VERSION}_SHA256SUMS && \
gpg --import releases_public_key && \
gpg --verify terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig terraform_${TERRAFORM_VERSION}_SHA256SUMS && \
grep linux_amd64 terraform_${TERRAFORM_VERSION}_SHA256SUMS >terraform_${TERRAFORM_VERSION}_SHA256SUMS_linux_amd64 && \
sha256sum -cs terraform_${TERRAFORM_VERSION}_SHA256SUMS_linux_amd64 && \
unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /bin && \
rm -f terraform_${TERRAFORM_VERSION}_linux_amd64.zip terraform_${TERRAFORM_VERSION}_SHA256SUMS*

ENTRYPOINT ["/bin/terraform"]
24 changes: 24 additions & 0 deletions scripts/docker-release/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# Terraform Docker Release Build

This directory contains configuration to drive the Dockerhub automated build
for Terraform. This is different than the root Dockerfile (which produces
the "full" image on Dockerhub) because it uses the release archives from
releases.hashicorp.com. It is therefore not possible to use this configuration
to build an image for a commit that hasn't been released.

## How it works

Dockerhub runs the `hooks/build` script to trigger the build. That uses
`git describe` to identify the tag corresponding to the current `HEAD`. If
the current commit _isn't_ tagged with a version number corresponding to
a Terraform release already on releases.hashicorp.com, the build will fail.

## What it produces

This configuration is used to produce the "latest", "light" and "beta" tags
in Dockerhub, as well as specific version tags.

"latest" and "light" are synonyms, and are built from a branch in this
repository called "stable". "beta" is built from a branch called "beta". Both
of these branches should be updated only to _tagged_ commits, and only when
it is desirable to create a new release image.
18 changes: 18 additions & 0 deletions scripts/docker-release/hooks/build
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
#!/bin/bash

# This script assumes that its working directory is the parent directory,
# where the Dockerfile-release file is located, since that's how Dockerhub
# runs hooks.

set -eu

# We assume that this is always running while git HEAD is pointed at a release
# tag or a branch that is pointed at the same commit as a release tag. If not,
# this will fail since we can't build a release image for a commit that hasn't
# actually been released.
VERSION="$(git describe)"

echo "Building release docker images for version $VERSION"
VERSION_SLUG="${VERSION#v}"

docker build "--build-arg=TERRAFORM_VERSION=${VERSION_SLUG}" -t ${IMAGE_NAME} -f "Dockerfile-release" .
30 changes: 30 additions & 0 deletions scripts/docker-release/releases_public_key
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f
W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq
fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA
3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca
KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k
SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1
cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JATgEEwECACIFAlMORM0CGwMG
CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFGFLYc0j/xMyWIIAIPhcVqiQ59n
Jc07gjUX0SWBJAxEG1lKxfzS4Xp+57h2xxTpdotGQ1fZwsihaIqow337YHQI3q0i
SqV534Ms+j/tU7X8sq11xFJIeEVG8PASRCwmryUwghFKPlHETQ8jJ+Y8+1asRydi
psP3B/5Mjhqv/uOK+Vy3zAyIpyDOMtIpOVfjSpCplVRdtSTFWBu9Em7j5I2HMn1w
sJZnJgXKpybpibGiiTtmnFLOwibmprSu04rsnP4ncdC2XRD4wIjoyA+4PKgX3sCO
klEzKryWYBmLkJOMDdo52LttP3279s7XrkLEE7ia0fXa2c12EQ0f0DQ1tGUvyVEW
WmJVccm5bq25AQ0EUw5EzQEIANaPUY04/g7AmYkOMjaCZ6iTp9hB5Rsj/4ee/ln9
wArzRO9+3eejLWh53FoN1rO+su7tiXJA5YAzVy6tuolrqjM8DBztPxdLBbEi4V+j
2tK0dATdBQBHEh3OJApO2UBtcjaZBT31zrG9K55D+CrcgIVEHAKY8Cb4kLBkb5wM
skn+DrASKU0BNIV1qRsxfiUdQHZfSqtp004nrql1lbFMLFEuiY8FZrkkQ9qduixo
mTT6f34/oiY+Jam3zCK7RDN/OjuWheIPGj/Qbx9JuNiwgX6yRj7OE1tjUx6d8g9y
0H1fmLJbb3WZZbuuGFnK6qrE3bGeY8+AWaJAZ37wpWh1p0cAEQEAAYkBHwQYAQIA
CQUCUw5EzQIbDAAKCRBRhS2HNI/8TJntCAClU7TOO/X053eKF1jqNW4A1qpxctVc
z8eTcY8Om5O4f6a/rfxfNFKn9Qyja/OG1xWNobETy7MiMXYjaa8uUx5iFy6kMVaP
0BXJ59NLZjMARGw6lVTYDTIvzqqqwLxgliSDfSnqUhubGwvykANPO+93BBx89MRG
unNoYGXtPlhNFrAsB1VR8+EyKLv2HQtGCPSFBhrjuzH3gxGibNDDdFQLxxuJWepJ
EK1UbTS4ms0NgZ2Uknqn1WRU1Ki7rE4sTy68iZtWpKQXZEJa0IGnuI2sSINGcXCJ
oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C
=LYpS
-----END PGP PUBLIC KEY BLOCK-----

0 comments on commit 0f9af4d

Please sign in to comment.