Images: Rework. (1/3) (#13014)

Co-authored-by: Marco Ebert <marco_ebert@icloud.com>

images/nginx/Makefile

@@ -1,4 +1,4 @@
-# Copyright 2024 The Kubernetes Authors. All rights reserved.
+# Copyright 2025 The Kubernetes Authors. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,48 +12,37 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-.DEFAULT_GOAL:=build
-
-# set default shell
-SHELL=/bin/bash -o pipefail -o errexit
-
-DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))))
-INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh
-
-# 0.0.0 shouldn't clobber any released builds
-SHORT_SHA ?=$(shell git rev-parse --short HEAD)
-TAG ?=$(shell cat TAG)
-
+BUILDER ?= ingress-nginx
+PLATFORMS ?= linux/amd64,linux/arm,linux/arm64
 REGISTRY ?= us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx
+IMAGE ?= $(REGISTRY)/nginx
+TAG ?= $(shell cat TAG)
 
-IMAGE = $(REGISTRY)/nginx
+.PHONY: builder
+builder:
+	docker buildx create --name $(BUILDER) --bootstrap || :
+	docker buildx inspect $(BUILDER)
 
-# required to enable buildx
-export DOCKER_CLI_EXPERIMENTAL=enabled
-
-# build with buildx
-PLATFORMS?=linux/amd64,linux/arm,linux/arm64
-OUTPUT=
-PROGRESS=plain
-build: ensure-buildx
+.PHONY: build
+build: builder
 	docker buildx build \
-		--platform=${PLATFORMS} $(OUTPUT) \
-		--progress=$(PROGRESS) \
-		--pull \
-		--tag $(IMAGE):$(TAG) rootfs
+		--builder $(BUILDER) \
+		--platform $(PLATFORMS) \
+		rootfs \
+		--tag $(IMAGE):$(TAG)
 
-# push the cross built image
-push: OUTPUT=--push
+# Pushing in the `build` target does not work as authentication times out after one hour.
+#
+# Therefore we need to build and push in separate commands.
+.PHONY: push
 push: build
+	docker buildx build \
+		--builder $(BUILDER) \
+		--platform $(PLATFORMS) \
+		rootfs \
+		--tag $(IMAGE):$(TAG) \
+		--push
 
-# enable buildx
-ensure-buildx:
-# this is required for cloudbuild
-ifeq ("$(wildcard $(INIT_BUILDX))","")
-	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash
-else
-	@exec $(INIT_BUILDX)
-endif
-	@echo "done"
-
-.PHONY: build push ensure-buildx
+.PHONY: clean
+clean:
+	docker buildx rm $(BUILDER) || :

images/nginx/cloudbuild.yaml

@@ -4,11 +4,9 @@ options:
   # Ignore Prow provided substitutions.
   substitution_option: ALLOW_LOOSE
 steps:
-  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d
-    env:
-      - REGISTRY=us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx
-    entrypoint: bash
-    args:
-      - -c
-      - gcloud auth configure-docker && cd images/nginx && make push
+- name: gcr.io/cloud-builders/docker
+  dir: images/nginx
+  entrypoint: make
+  args:
+  - push
 timeout: 7200s

images/nginx/rootfs/Dockerfile

@@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM alpine:3.21 as builder
+FROM alpine:3.21 AS builder
 
 COPY . /
 

images/nginx/rootfs/build.sh

@@ -183,10 +183,6 @@ apk add \
 
 # apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing opentelemetry-cpp-dev
 
-# There is some bug with some platforms and git, so force HTTP/1.1
-git config --global http.version HTTP/1.1
-git config --global http.postBuffer 157286400
-
 mkdir -p /etc/nginx
 
 mkdir --verbose -p "$BUILD_PATH"