From b070b3cc78e1f0db965a15a363a92039bee67016 Mon Sep 17 00:00:00 2001
From: Victor Martinez
Date: Fri, 24 May 2024 15:03:27 +0200
Subject: [PATCH] build and push Docker image based on Chainguard base image (#13137)
---
 .github/workflows/ci.yml | 25 ++++++++++++++++++++
 packaging.mk | 32 +++++++++++++++++++++++---
 packaging/docker/Dockerfile | 13 ++++++++---
 packaging/docker/Dockerfile.chainguard | 2 ++
 4 files changed, 66 insertions(+), 6 deletions(-)
 create mode 100644 packaging/docker/Dockerfile.chainguard
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6dcf4965a2f..a541e057e6a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -87,3 +87,28 @@ jobs:
 go-version-file: go.mod
 cache: false
 - run: make package-snapshot
+ env:
+ GH_TOKEN: ${{ github.token }}
+
+ test-package-and-push:
+ runs-on: ubuntu-latest
+ if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false)
+ env:
+ GENERATE_CHAINGUARD_IMAGES: true
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version-file: go.mod
+ cache: false
+ - uses: elastic/apm-pipeline-library/.github/actions/docker-login@current
+ with:
+ registry: docker.elastic.co
+ secret: secret/observability-team/ci/docker-registry/prod
+ url: ${{ secrets.VAULT_ADDR }}
+ roleId: ${{ secrets.VAULT_ROLE_ID }}
+ secretId: ${{ secrets.VAULT_SECRET_ID }}
+ - run: make package-snapshot
+ env:
+ GH_TOKEN: ${{ github.token }}
+ - run: make publish-docker-images
diff --git a/packaging.mk b/packaging.mk
index 0492993d131..91c2f987b4b 100644
--- a/packaging.mk
+++ b/packaging.mk
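Review bot: The new `test-package-and-push` job obtains docker.elastic.co push credentials from Vault and hands `GH_TOKEN: ${{ github.token }}` to `make package-snapshot`, but declares no `permissions:` block, so the GitHub token keeps whatever default the repository grants; unless a workflow-level `permissions:` exists above this hunk (the `jobs:` map starts outside it), add `permissions:` / `contents: read` under the job so the token is read-only while registry credentials are in scope. The `if:` expression can be reduced to `github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false`, which is what it already evaluates to. Because the job pushes images built from any non-fork pull-request branch into the internal registry via `make publish-docker-images`, a one-line comment on the `if:` stating that intent would help the next reader.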
@@ -31,19 +31,39 @@ DOCKER_IMAGES := \
 build/docker/apm-server-ubi-$(APM_SERVER_VERSION).txt \
 build/docker/apm-server-ubi-$(APM_SERVER_VERSION)-SNAPSHOT.txt
+# If GENERATE_CHAINGUARD_IMAGES is set then generate chainguard docker images.
+ifdef GENERATE_CHAINGUARD_IMAGES
+DOCKER_IMAGES := $(DOCKER_IMAGES) \
+ build/docker/apm-server-chainguard-$(APM_SERVER_VERSION).txt \
+ build/docker/apm-server-chainguard-$(APM_SERVER_VERSION)-SNAPSHOT.txt
+endif
+
 build/docker/%.txt: DOCKER_IMAGE_TAG := docker.elastic.co/apm/apm-server:%
 build/docker/%.txt: VERSION := $(APM_SERVER_VERSION)
+build/docker/%.txt: DOCKER_FILE_ARGS := -f packaging/docker/Dockerfile
 build/docker/%-SNAPSHOT.txt: VERSION := $(APM_SERVER_VERSION)-SNAPSHOT
 build/docker/apm-server-ubi-%.txt: DOCKER_BUILD_ARGS+=--build-arg BASE_IMAGE=docker.elastic.co/ubi9/ubi-minimal
+build/docker/apm-server-chainguard-%.txt: DOCKER_FILE_ARGS := -f packaging/docker/Dockerfile.chainguard
+
+INTERNAL_DOCKER_IMAGE := docker.elastic.co/observability-ci/apm-server-internal
 .PHONY: $(DOCKER_IMAGES)
 $(DOCKER_IMAGES):
 @mkdir -p $(@D)
- docker build --iidfile="$(@)" --build-arg GOLANG_VERSION=$(GOLANG_VERSION) --build-arg VERSION=$(VERSION) $(DOCKER_BUILD_ARGS) -f packaging/docker/Dockerfile .
-
-# Docker image tarballs. We distribute UBI8 Docker images only for AMD64.
+ docker build --iidfile="$(@)" \
+ --build-arg GOLANG_VERSION=$(GOLANG_VERSION) \
+ --build-arg VERSION=$(VERSION) \
+ $(DOCKER_BUILD_ARGS) \
+ --tag $(INTERNAL_DOCKER_IMAGE):$(VERSION)$(if $(findstring arm64,$(GOARCH)),-arm64)$(if $(findstring chainguard,$(@)),-chainguard) \
+ $(DOCKER_FILE_ARGS) .
+
+# Docker image tarballs. We distribute UBI Docker images only for AMD64.
 DOCKER_IMAGE_SUFFIX := docker-image$(if $(findstring arm64,$(GOARCH)),-arm64).tar.gz
 DOCKER_IMAGE_PREFIXES := apm-server $(if $(findstring amd64,$(GOARCH)), apm-server-ubi)
+# If GENERATE_CHAINGUARD_IMAGES is set then generate chainguard docker images.
+ifdef GENERATE_CHAINGUARD_IMAGES
+DOCKER_IMAGE_PREFIXES := $(DOCKER_IMAGE_PREFIXES) apm-server-chainguard
+endif
 DOCKER_IMAGE_RELEASE_TARBALLS := $(patsubst %, $(DISTDIR)/%-$(APM_SERVER_VERSION)-$(DOCKER_IMAGE_SUFFIX), $(DOCKER_IMAGE_PREFIXES))
 DOCKER_IMAGE_SNAPSHOT_TARBALLS := $(patsubst %, $(DISTDIR)/%-$(APM_SERVER_VERSION)-SNAPSHOT-$(DOCKER_IMAGE_SUFFIX), $(DOCKER_IMAGE_PREFIXES))
@@ -186,7 +206,10 @@ build/dependencies-$(APM_SERVER_VERSION)-SNAPSHOT.csv: build/dependencies-$(APM_
 cp $< $@
 package-docker: $(DOCKER_IMAGE_RELEASE_TARBALLS)
+ @echo ">> $(DOCKER_IMAGE_RELEASE_TARBALLS)"
+
 package-docker-snapshot: $(DOCKER_IMAGE_SNAPSHOT_TARBALLS)
+ @echo ">> $(DOCKER_IMAGE_SNAPSHOT_TARBALLS)"
 package: \
 package-docker \
@@ -200,3 +223,6 @@ package-snapshot: \
 $(DOCKER_IMAGE_SNAPSHOT_TARBALLS) \
 $(DISTDIR)/apm-server-ironbank-$(APM_SERVER_VERSION)-SNAPSHOT-docker-build-context.tar.gz \
 build/dependencies-$(APM_SERVER_VERSION)-SNAPSHOT.csv
+
+publish-docker-images:
+ docker push --all-tags $(INTERNAL_DOCKER_IMAGE)
diff --git a/packaging/docker/Dockerfile b/packaging/docker/Dockerfile
index f66bf8ef006..22b6c48db74 100644
--- a/packaging/docker/Dockerfile
+++ b/packaging/docker/Dockerfile
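Review bot: The `--tag` added to the `$(DOCKER_IMAGES)` recipe distinguishes arm64 and chainguard builds but not the UBI ones, so `build/docker/apm-server-ubi-$(APM_SERVER_VERSION).txt` and the plain `apm-server-$(APM_SERVER_VERSION).txt` target (presumably listed at the top of `DOCKER_IMAGES :=`, which begins above this hunk) both tag `$(INTERNAL_DOCKER_IMAGE):$(VERSION)`, and whichever build finishes last is what `publish-docker-images` later pushes under that tag — nondeterministic under `make -j`. Add a matching suffix: `--tag $(INTERNAL_DOCKER_IMAGE):$(VERSION)$(if $(findstring arm64,$(GOARCH)),-arm64)$(if $(findstring ubi,$(@)),-ubi)$(if $(findstring chainguard,$(@)),-chainguard) \`. Separately, both new `ifdef GENERATE_CHAINGUARD_IMAGES` guards are true for any non-empty value, including `false`; `ifeq ($(strip $(GENERATE_CHAINGUARD_IMAGES)),true)` would match how ci.yml sets the variable and make an explicit opt-out possible.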
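Review bot: `publish-docker-images` is a command target with no `.PHONY` declaration, unlike `$(DOCKER_IMAGES)` earlier in this file, so a file of that name in the working directory would turn it into a silent no-op; add `.PHONY: publish-docker-images` above the rule. `docker push --all-tags $(INTERNAL_DOCKER_IMAGE)` also pushes every tag of that repository present in the local daemon, not only the ones this build produced; on an ephemeral runner the two sets coincide, but on a reused builder it can republish stale images, so pushing the explicit tag computed in the `$(DOCKER_IMAGES)` recipe is the safer form. At minimum a comment such as `# Assumes a fresh Docker daemon: every local tag of INTERNAL_DOCKER_IMAGE is pushed.` should make that assumption visible.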
@@ -1,24 +1,31 @@
 ARG BASE_IMAGE=ubuntu:22.04
 ARG GOLANG_VERSION
+################################################################################
+# Build stage 0
 # Build the apm-server binary. The golang image version is kept
 # up to date with go.mod by Makefile.
+################################################################################
 FROM golang:${GOLANG_VERSION} as builder
 WORKDIR /src
-COPY go.mod go.sum /src/
+COPY go.mod go.sum .go-version /src/
 COPY internal/glog/go.mod /src/internal/glog/go.mod
 RUN --mount=type=cache,target=/go/pkg/mod go mod download
-COPY Makefile *.mk /src
+COPY Makefile *.mk /src/
 COPY cmd /src/cmd
 COPY internal /src/internal
 COPY x-pack /src/x-pack
 COPY .git /src/.git
+COPY script /src/script
-ENV GOROOT /usr/local/go
 RUN --mount=type=cache,target=/go/pkg/mod \
 --mount=type=cache,target=/root/.cache/go-build \
 make apm-server
+################################################################################
+# Build stage 1
+# Copy prepared files from the previous stage and complete the image.
+################################################################################
 FROM ${BASE_IMAGE}
 ARG TARGETARCH
 ARG BUILD_DATE
diff --git a/packaging/docker/Dockerfile.chainguard b/packaging/docker/Dockerfile.chainguard
new file mode 100644
index 00000000000..ddd0b22ff68
--- /dev/null
+++ b/packaging/docker/Dockerfile.chainguard
@@ -0,0 +1,2 @@
+FROM docker.elastic.co/wolfi/chainguard-base:20230214
+RUN echo 'TBC'
\ No newline at end of file
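Review bot: The new `# Build stage 1` banner says the stage completes the image but not how its base is chosen: `FROM ${BASE_IMAGE}` falls back to `ubuntu:22.04` from the first line, is overridden per variant by packaging.mk in this same patch (`docker.elastic.co/ubi9/ubi-minimal` for the ubi images), and the chainguard variant does not go through this Dockerfile at all. Extend the banner with `# BASE_IMAGE is selected per image variant by packaging.mk; the chainguard` / `# variant is built from Dockerfile.chainguard instead.` so a reader of this file alone knows which bases the final stage can end up on. The stage 1 body continues past the end of this hunk.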
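Review bot: The new Dockerfile is a placeholder (`RUN echo 'TBC'`) that contains no apm-server binary, yet with `GENERATE_CHAINGUARD_IMAGES: true` set in ci.yml this patch builds it, tags it `$(INTERNAL_DOCKER_IMAGE):<version>-chainguard` and pushes it to the internal registry on every non-fork run, so consumers can pull an image under a release-looking tag that does nothing. Until the stage is implemented, either leave `GENERATE_CHAINGUARD_IMAGES` unset in the workflow or make this file fail explicitly, e.g. `RUN echo 'chainguard image not implemented yet' && exit 1`, with a comment saying so. The base image is pinned by date tag only; pinning to a digest (`docker.elastic.co/wolfi/chainguard-base:20230214@sha256:<digest placeholder>`) makes the build reproducible and verifiable. The `GOLANG_VERSION` and `VERSION` build args passed by packaging.mk are not declared with `ARG` here, and the file lacks a trailing newline.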