build: configuration for building "release" docker images

These are different than our "full" images because they include a binary
already released to releases.hashicorp.com, whereas the root Dockerfile
directly builds from the current work tree.

This particular Dockerfile is not intended to be run manually, but rather
exists only to drive the dockerhub automated build.

scripts/docker-release/Dockerfile-release

@@ -0,0 +1,37 @@
+# This Dockerfile is not intended for general use, but is rather used to
+# package up official Terraform releases (from releases.hashicorp.com) to
+# release on Dockerhub as the "light" release images.
+#
+# The main Dockerfile in the root of the repository is more generally-useful,
+# since it is able to build a docker image of the current state of the work
+# tree, without any dependency on there being an existing release on
+# releases.hashicorp.com.
+
+FROM alpine:latest
+MAINTAINER "HashiCorp Terraform Team <terraform@hashicorp.com>"
+
+# This is intended to be run from the hooks/build script, which sets this
+# appropriately based on git tags.
+ARG TERRAFORM_VERSION=UNSPECIFIED
+
+COPY releases_public_key .
+
+# What's going on here?
+# - Download the indicated release along with its checksums and signature for the checksums
+# - Verify that the checksums file is signed by the Hashicorp releases key
+# - Verify that the zip file matches the expected checksum
+# - Extract the zip file so it can be run
+
+RUN echo Building image for Terraform ${TERRAFORM_VERSION} && \
+    apk add --update git curl openssh gnupg && \
+    curl https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip > terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
+    curl https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig > terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig && \
+    curl https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS > terraform_${TERRAFORM_VERSION}_SHA256SUMS && \
+    gpg --import releases_public_key && \
+    gpg --verify terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig terraform_${TERRAFORM_VERSION}_SHA256SUMS && \
+    grep linux_amd64 terraform_${TERRAFORM_VERSION}_SHA256SUMS >terraform_${TERRAFORM_VERSION}_SHA256SUMS_linux_amd64 && \
+    sha256sum -cs terraform_${TERRAFORM_VERSION}_SHA256SUMS_linux_amd64 && \
+    unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /bin && \
+    rm -f terraform_${TERRAFORM_VERSION}_linux_amd64.zip terraform_${TERRAFORM_VERSION}_SHA256SUMS*
+
+ENTRYPOINT ["/bin/terraform"]

scripts/docker-release/README.md

@@ -0,0 +1,24 @@
+# Terraform Docker Release Build
+
+This directory contains configuration to drive the Dockerhub automated build
+for Terraform. This is different than the root Dockerfile (which produces
+the "full" image on Dockerhub) because it uses the release archives from
+releases.hashicorp.com. It is therefore not possible to use this configuration
+to build an image for a commit that hasn't been released.
+
+## How it works
+
+Dockerhub runs the `hooks/build` script to trigger the build. That uses
+`git describe` to identify the tag corresponding to the current `HEAD`. If
+the current commit _isn't_ tagged with a version number corresponding to
+a Terraform release already on releases.hashicorp.com, the build will fail.
+
+## What it produces
+
+This configuration is used to produce the "latest", "light" and "beta" tags
+in Dockerhub, as well as specific version tags.
+
+"latest" and "light" are synonyms, and are built from a branch in this
+repository called "stable". "beta" is built from a branch called "beta". Both
+of these branches should be updated only to _tagged_ commits, and only when
+it is desirable to create a new release image.

scripts/docker-release/hooks/build

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# This script assumes that its working directory is the parent directory,
+# where the Dockerfile-release file is located, since that's how Dockerhub
+# runs hooks.
+
+set -eu
+
+# We assume that this is always running while git HEAD is pointed at a release
+# tag or a branch that is pointed at the same commit as a release tag. If not,
+# this will fail since we can't build a release image for a commit that hasn't
+# actually been released.
+VERSION="$(git describe)"
+
+echo "Building release docker images for version $VERSION"
+VERSION_SLUG="${VERSION#v}"
+
+docker build "--build-arg=TERRAFORM_VERSION=${VERSION_SLUG}" -t ${IMAGE_NAME} -f "Dockerfile-release" .

scripts/docker-release/releases_public_key

@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f
+W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq
+fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA
+3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca
+KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k
+SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1
+cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JATgEEwECACIFAlMORM0CGwMG
+CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFGFLYc0j/xMyWIIAIPhcVqiQ59n
+Jc07gjUX0SWBJAxEG1lKxfzS4Xp+57h2xxTpdotGQ1fZwsihaIqow337YHQI3q0i
+SqV534Ms+j/tU7X8sq11xFJIeEVG8PASRCwmryUwghFKPlHETQ8jJ+Y8+1asRydi
+psP3B/5Mjhqv/uOK+Vy3zAyIpyDOMtIpOVfjSpCplVRdtSTFWBu9Em7j5I2HMn1w
+sJZnJgXKpybpibGiiTtmnFLOwibmprSu04rsnP4ncdC2XRD4wIjoyA+4PKgX3sCO
+klEzKryWYBmLkJOMDdo52LttP3279s7XrkLEE7ia0fXa2c12EQ0f0DQ1tGUvyVEW
+WmJVccm5bq25AQ0EUw5EzQEIANaPUY04/g7AmYkOMjaCZ6iTp9hB5Rsj/4ee/ln9
+wArzRO9+3eejLWh53FoN1rO+su7tiXJA5YAzVy6tuolrqjM8DBztPxdLBbEi4V+j
+2tK0dATdBQBHEh3OJApO2UBtcjaZBT31zrG9K55D+CrcgIVEHAKY8Cb4kLBkb5wM
+skn+DrASKU0BNIV1qRsxfiUdQHZfSqtp004nrql1lbFMLFEuiY8FZrkkQ9qduixo
+mTT6f34/oiY+Jam3zCK7RDN/OjuWheIPGj/Qbx9JuNiwgX6yRj7OE1tjUx6d8g9y
+0H1fmLJbb3WZZbuuGFnK6qrE3bGeY8+AWaJAZ37wpWh1p0cAEQEAAYkBHwQYAQIA
+CQUCUw5EzQIbDAAKCRBRhS2HNI/8TJntCAClU7TOO/X053eKF1jqNW4A1qpxctVc
+z8eTcY8Om5O4f6a/rfxfNFKn9Qyja/OG1xWNobETy7MiMXYjaa8uUx5iFy6kMVaP
+0BXJ59NLZjMARGw6lVTYDTIvzqqqwLxgliSDfSnqUhubGwvykANPO+93BBx89MRG
+unNoYGXtPlhNFrAsB1VR8+EyKLv2HQtGCPSFBhrjuzH3gxGibNDDdFQLxxuJWepJ
+EK1UbTS4ms0NgZ2Uknqn1WRU1Ki7rE4sTy68iZtWpKQXZEJa0IGnuI2sSINGcXCJ
+oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C
+=LYpS
+-----END PGP PUBLIC KEY BLOCK-----