images: Use crane for pushing release images instead of docker

Currently, we're loading the images into docker, retagging them, and then push them onto the registry. This workflow is incompatible with Windows images, as docker load does not work for them, resulting in the following error: cannot load windows image on linux However, crane does not load the image, it just pushes it directly with the given tag. This will allow us to push any Windows image we might have (e.g.: Windows kube-proxy image).
kubernetes · Mar 26, 2024 · 19e3234 · 19e3234
1 parent 5cdeee7
commit 19e3234
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 9 deletions.
diff --git a/dependencies.yaml b/dependencies.yaml
@@ -527,3 +527,9 @@ dependencies:
     refPaths:
     - path: images/releng/k8s-ci-builder/Dockerfile
       match: DOCKER_BUILDX_VERSION
+
+  - name: Crane
+    version: v0.19.1
+    refPaths:
+    - path: push-build.sh
+      match: CRANE_VERSION
diff --git a/push-build.sh b/push-build.sh
@@ -1348,6 +1348,29 @@ release::gcs::publish () {
   fi
 }
 
+ensure_crane_exists () {
+  if ! command -v crane &> /dev/null; then
+    echo "Installing crane..."
+    CRANE_VERSION="v0.19.1"
+    BASE_URL="https://github.com/google/go-containerregistry/releases/download"
+    TAR_NAME="go-containerregistry_Linux_x86_64.tar.gz"
+
+    curl --fail --retry 10 -sL "${BASE_URL}/${CRANE_VERSION}/${TAR_NAME}" -o "${TMPDIR}/go-containerregistry.tar.gz"
+
+    # Fetch the checksum and verify it.
+    expected="$(curl --fail --retry 10 -sL ${BASE_URL}/${CRANE_VERSION}/checksums.txt -o - | grep ${TAR_NAME} | cut -d ' ' -f 1)"
+    actual="$(shasum -a256 ${TMPDIR}/go-containerregistry.tar.gz | cut -d ' ' -f 1)"
+    if [[ "${expected}" != "${actual}" ]]; then
+      logecho "Crane checksums do not match. Expected: ${expected}, actual: ${actual}"
+      return 1
+    fi
+
+    # Add crane.
+    sudo tar -zxvf "${TMPDIR}/go-containerregistry.tar.gz" -C /usr/local/bin/ crane
+    rm "${TMPDIR}/go-containerregistry.tar.gz"
+  fi
+}
+
 ###############################################################################
 # Releases all docker images to a docker registry using the docker tarfiles.
 #
@@ -1370,6 +1393,8 @@ release::docker::release () {
 
   common::argc_validate 3
 
+  ensure_crane_exists
+
   logecho "Send docker containers from release-images to $push_registry..."
 
   mapfile -t arches < <(find "${release_images}" -maxdepth 1 -mindepth 1 -type d -exec basename {} \;)
@@ -1388,16 +1413,10 @@ release::docker::release () {
       new_tag_with_arch=("$new_tag-$arch:$version")
       manifest_images["${new_tag}"]+=" $arch"
 
-      logrun docker load -qi $tarfile
-      logrun docker tag $orig_tag ${new_tag_with_arch}
       logecho -n "Pushing ${new_tag_with_arch}: "
-      # TODO: Use docker direct when fixed later
-      #logrun -r 5 -s docker push "${new_tag_with_arch}" || return 1
-      logrun -r 5 -s $GCLOUD docker -- push "${new_tag_with_arch}" || return 1
-      if [[ "${PURGE_IMAGES:-yes}" == "yes" ]] ; then
-        logrun docker rmi $orig_tag ${new_tag_with_arch} || true
-      fi
-
+      # We don't need to load the image when pushing it with crane.
+      # This will also allow us to push any Windows images we might have.
+      logrun -r 5 -s crane push $tarfile "${new_tag_with_arch}" || return 1
     done
   done