build: compress SDK with zstd

Rather than implicitly using BuildKit underneath `docker build`,
switch to explicitly using it via `docker buildx build` with a custom
builder.

The default builder loads builds into Docker after they finish, which
causes certain options - like zstd compression - to be ignored when
pushing to a registry.

`docker buildx build` doesn't really distinguish between "build" and
"push" steps; a "push" is just a build where the output is sent to a
registry rather than written to a tar archive or loaded into Docker.
This breaks one of the main assumptions of the `publish-sdk` script,
which expects the build to be done already.

Rather than wiring up the build arguments as additional arguments to
`publish-sdk`, replace it with `docker buildx imagetools create` as
the tool for creating and replacing remote manifests.

Signed-off-by: Ben Cressey <[email protected]>

Author: bcressey

Makefile

@@ -2,25 +2,69 @@ TOP := $(dir $(abspath $(firstword $(MAKEFILE_LIST))))
 
 HOST_ARCH ?= $(shell uname -m)
 DOCKER_ARCH ?= $(lastword $(subst :, ,$(filter $(HOST_ARCH):%,x86_64:amd64 aarch64:arm64)))
+DOCKER_ALT_ARCH ?= $(lastword $(subst :, ,$(filter $(HOST_ARCH):%,x86_64:arm64 aarch64:amd64)))
 UPSTREAM_SOURCE_FALLBACK ?= false
 
 VERSION := $(shell cat $(TOP)VERSION)
 SHORT_SHA := $(shell git rev-parse --short=8 HEAD)
 
-IMAGE_NAME ?= bottlerocket-sdk:$(VERSION)-$(SHORT_SHA)-$(DOCKER_ARCH)
+REGISTRY ?=
+REPOSITORY ?= bottlerocket-sdk
+IMAGE_NAME ?= $(REPOSITORY):$(VERSION)-$(SHORT_SHA)-$(DOCKER_ARCH)
+IMAGE_ALT_NAME ?= $(REPOSITORY):$(VERSION)-$(SHORT_SHA)-$(DOCKER_ALT_ARCH)
+MANIFEST ?= $(REPOSITORY):$(VERSION)
 
-all: sdk
+BUILDX_BUILDER ?= sdk-builder
 
-sdk:
-	@DOCKER_BUILDKIT=1 docker build . \
-		--tag $(IMAGE_NAME) \
-		--target sdk-golden \
-		--build-arg HOST_ARCH=$(HOST_ARCH) \
-		--build-arg UPSTREAM_SOURCE_FALLBACK=$(UPSTREAM_SOURCE_FALLBACK)
+BUILDX_BUILD_ARGS = $\
+	--build-arg HOST_ARCH=$(HOST_ARCH) $\
+	--build-arg UPSTREAM_SOURCE_FALLBACK=$(UPSTREAM_SOURCE_FALLBACK) $\
+	--target sdk-golden $\
+	--provenance=false $\
+	--sbom=false $\
+	--builder $(BUILDX_BUILDER)
 
-publish:
+BUILDX_LOAD_ARGS = $\
+	--tag $(IMAGE_NAME) \
+	--load
+
+BUILDX_PUSH_ARGS = $\
+	--output $\
+	type=registry,name=$(REGISTRY)/$(IMAGE_NAME),$\
+	compression=zstd,compression-level=22,force-compression=true,$\
+	oci-mediatypes=true,platform=linux/$(DOCKER_ARCH)
+
+all: build
+
+builder:
+	@docker buildx create \
+		--name $(BUILDX_BUILDER) \
+		--driver docker-container \
+		--driver-opt env.BUILDKIT_STEP_LOG_MAX_SIZE=-1 \
+		--driver-opt env.BUILDKIT_STEP_LOG_MAX_SPEED=-1 \
+		--node $(BUILDX_BUILDER)0
+
+build: builder
+	@docker buildx build . \
+		$(BUILDX_BUILD_ARGS) \
+		$(BUILDX_LOAD_ARGS)
+
+build-push: builder
 	@test $${REGISTRY?not set!}
-	@test $${REPOSITORY?not set!}
-	$(TOP)publish-sdk --registry=$(REGISTRY) --repository=$(REPOSITORY) --tag=$(VERSION) --short-sha=$(SHORT_SHA)
+	@docker buildx build . \
+		$(BUILDX_BUILD_ARGS) \
+		$(BUILDX_PUSH_ARGS)
+
+publish: build-push
+	@if docker buildx imagetools inspect $(REGISTRY)/$(IMAGE_ALT_NAME) >/dev/null 2>&1 ; then \
+		docker buildx imagetools create \
+			--tag $(REGISTRY)/$(MANIFEST) \
+			$(REGISTRY)/$(IMAGE_NAME) \
+			$(REGISTRY)/$(IMAGE_ALT_NAME) ; \
+	else \
+		docker buildx imagetools create \
+			--tag $(REGISTRY)/$(MANIFEST) \
+			$(REGISTRY)/$(IMAGE_NAME) ; \
+	fi
 
-.PHONY: all sdk publish
+.PHONY: all builder build build-push publish