diff --git a/scripts/docker-release/Dockerfile-release b/scripts/docker-release/Dockerfile-release
new file mode 100644
index 000000000..f1600df77
--- /dev/null
+++ b/scripts/docker-release/Dockerfile-release
@@ -0,0 +1,37 @@
+# This Dockerfile is not intended for general use, but is rather used to
+# package up official Terraform releases (from releases.hashicorp.com) to
+# release on Dockerhub as the "light" release images.
+#
+# The main Dockerfile in the root of the repository is more generally-useful,
+# since it is able to build a docker image of the current state of the work
+# tree, without any dependency on there being an existing release on
+# releases.hashicorp.com.
+
+FROM alpine:latest
+MAINTAINER "HashiCorp Terraform Team "
+
+# This is intended to be run from the hooks/build script, which sets this
+# appropriately based on git tags.
+ARG TERRAFORM_VERSION=UNSPECIFIED
+
+COPY releases_public_key .
+
+# What's going on here?
+# - Download the indicated release along with its checksums and signature for the checksums
+# - Verify that the checksums file is signed by the Hashicorp releases key
+# - Verify that the zip file matches the expected checksum
+# - Extract the zip file so it can be run
+
+RUN echo Building image for Terraform ${TERRAFORM_VERSION} && \
+ apk add --update git curl openssh gnupg && \
+ curl https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip > terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
+ curl https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig > terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig && \
+ curl https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS > terraform_${TERRAFORM_VERSION}_SHA256SUMS && \
+ gpg --import releases_public_key && \
+ gpg --verify terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig terraform_${TERRAFORM_VERSION}_SHA256SUMS && \
+ grep linux_amd64 terraform_${TERRAFORM_VERSION}_SHA256SUMS >terraform_${TERRAFORM_VERSION}_SHA256SUMS_linux_amd64 && \
+ sha256sum -cs terraform_${TERRAFORM_VERSION}_SHA256SUMS_linux_amd64 && \
+ unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /bin && \
+ rm -f terraform_${TERRAFORM_VERSION}_linux_amd64.zip terraform_${TERRAFORM_VERSION}_SHA256SUMS*
+
+ENTRYPOINT ["/bin/terraform"]
diff --git a/scripts/docker-release/README.md b/scripts/docker-release/README.md
new file mode 100644
index 000000000..6073e852f
--- /dev/null
+++ b/scripts/docker-release/README.md
@@ -0,0 +1,24 @@
+# Terraform Docker Release Build
+
+This directory contains configuration to drive the Dockerhub automated build
+for Terraform. This is different than the root Dockerfile (which produces
+the "full" image on Dockerhub) because it uses the release archives from
+releases.hashicorp.com. It is therefore not possible to use this configuration
+to build an image for a commit that hasn't been released.
+
+## How it works
+
+Dockerhub runs the `hooks/build` script to trigger the build. That uses
+`git describe` to identify the tag corresponding to the current `HEAD`. If
+the current commit _isn't_ tagged with a version number corresponding to
+a Terraform release already on releases.hashicorp.com, the build will fail.
+
+## What it produces
+
+This configuration is used to produce the "latest", "light" and "beta" tags
+in Dockerhub, as well as specific version tags.
+
+"latest" and "light" are synonyms, and are built from a branch in this
+repository called "stable". "beta" is built from a branch called "beta". Both
+of these branches should be updated only to _tagged_ commits, and only when
+it is desirable to create a new release image.
diff --git a/scripts/docker-release/hooks/build b/scripts/docker-release/hooks/build
new file mode 100755
index 000000000..faed92fb2
--- /dev/null
+++ b/scripts/docker-release/hooks/build
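Review bot: `FROM alpine:latest` together with the unpinned `apk add --update git curl openssh gnupg` makes the release image non-reproducible: rebuilding the same TERRAFORM_VERSION on a later date pulls a different base and different package versions, so the published "light" image for a given release is not a fixed artifact. Pin the base to a specific tag, e.g. `FROM alpine:<pinned-tag>`, and use `apk add --no-cache git curl openssh gnupg` so the package index is not left in the layer. The three `curl` downloads run without `--fail`, so an HTTP error body is written into the target file; the gpg and sha256sum steps would still reject it, but `curl -fsSL <url> > <file>` fails at the download step with a clear message instead of a confusing signature error. `MAINTAINER` is deprecated in favour of `LABEL`, and the final image has no `USER` directive, so `terraform` runs as root inside the container.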
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# This script assumes that its working directory is the parent directory,
+# where the Dockerfile-release file is located, since that's how Dockerhub
+# runs hooks.
+
+set -eu
+
+# We assume that this is always running while git HEAD is pointed at a release
+# tag or a branch that is pointed at the same commit as a release tag. If not,
+# this will fail since we can't build a release image for a commit that hasn't
+# actually been released.
+VERSION="$(git describe)"
+
+echo "Building release docker images for version $VERSION"
+VERSION_SLUG="${VERSION#v}"
+
+docker build "--build-arg=TERRAFORM_VERSION=${VERSION_SLUG}" -t ${IMAGE_NAME} -f "Dockerfile-release" .
diff --git a/scripts/docker-release/releases_public_key b/scripts/docker-release/releases_public_key
new file mode 100644
index 000000000..010c9271c
--- /dev/null
+++ b/scripts/docker-release/releases_public_key
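Review bot: `VERSION="$(git describe)"` does not fail on an untagged HEAD the way the comment above it says it will: on a commit past a tag, `git describe` succeeds and yields a `<tag>-<n>-g<sha>` string, so the script proceeds and the build only fails later inside the Dockerfile when the download for that non-existent version is rejected. Use `VERSION="$(git describe --exact-match --tags)"` so the script stops here, at the point the comment describes, with an explicit error. The image name in the final line should also be quoted, `-t "${IMAGE_NAME}"`, matching the other quoted arguments on that line.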
@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f
+W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq
+fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA
+3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca
+KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k
+SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1
+cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JATgEEwECACIFAlMORM0CGwMG
+CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFGFLYc0j/xMyWIIAIPhcVqiQ59n
+Jc07gjUX0SWBJAxEG1lKxfzS4Xp+57h2xxTpdotGQ1fZwsihaIqow337YHQI3q0i
+SqV534Ms+j/tU7X8sq11xFJIeEVG8PASRCwmryUwghFKPlHETQ8jJ+Y8+1asRydi
+psP3B/5Mjhqv/uOK+Vy3zAyIpyDOMtIpOVfjSpCplVRdtSTFWBu9Em7j5I2HMn1w
+sJZnJgXKpybpibGiiTtmnFLOwibmprSu04rsnP4ncdC2XRD4wIjoyA+4PKgX3sCO
+klEzKryWYBmLkJOMDdo52LttP3279s7XrkLEE7ia0fXa2c12EQ0f0DQ1tGUvyVEW
+WmJVccm5bq25AQ0EUw5EzQEIANaPUY04/g7AmYkOMjaCZ6iTp9hB5Rsj/4ee/ln9
+wArzRO9+3eejLWh53FoN1rO+su7tiXJA5YAzVy6tuolrqjM8DBztPxdLBbEi4V+j
+2tK0dATdBQBHEh3OJApO2UBtcjaZBT31zrG9K55D+CrcgIVEHAKY8Cb4kLBkb5wM
+skn+DrASKU0BNIV1qRsxfiUdQHZfSqtp004nrql1lbFMLFEuiY8FZrkkQ9qduixo
+mTT6f34/oiY+Jam3zCK7RDN/OjuWheIPGj/Qbx9JuNiwgX6yRj7OE1tjUx6d8g9y
+0H1fmLJbb3WZZbuuGFnK6qrE3bGeY8+AWaJAZ37wpWh1p0cAEQEAAYkBHwQYAQIA
+CQUCUw5EzQIbDAAKCRBRhS2HNI/8TJntCAClU7TOO/X053eKF1jqNW4A1qpxctVc
+z8eTcY8Om5O4f6a/rfxfNFKn9Qyja/OG1xWNobETy7MiMXYjaa8uUx5iFy6kMVaP
+0BXJ59NLZjMARGw6lVTYDTIvzqqqwLxgliSDfSnqUhubGwvykANPO+93BBx89MRG
+unNoYGXtPlhNFrAsB1VR8+EyKLv2HQtGCPSFBhrjuzH3gxGibNDDdFQLxxuJWepJ
+EK1UbTS4ms0NgZ2Uknqn1WRU1Ki7rE4sTy68iZtWpKQXZEJa0IGnuI2sSINGcXCJ
+oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C
+=LYpS
+-----END PGP PUBLIC KEY BLOCK-----