make: speed up 'docker build' with separate dir contexts

Previously, we had one .dockerignore that would do its best to only have
the binaries and licenses copied into the Docker (or nerdctl, or
buildah). Unfortunately, that meant it had to copy all of bin/server and
bin/cmctl, which could become quite large (I measured 1.6 GB).

Instead of relying on a single .dockerignore file, we copy the licenses
and binaries into a "scratch context" directory. The downside is that
all the binaries are in two different places (bin/server and
bin/scratch/containers). Note that we can't use symlinks because Docker
won't dereference them.

Signed-off-by: Maël Valais <mael@vls.dev>

.dockerignore

@@ -1,7 +0,0 @@
-bin/*
-bazel*
-
-!bin/server/**
-!bin/cmctl/cmctl-linux-*
-!bin/scratch/cert-manager.license
-!bin/scratch/cert-manager.licenses_notice

hack/containers/Containerfile.acmesolver

@@ -4,14 +4,9 @@ FROM $BASE_IMAGE
 
 USER 1000
 
-ARG BINARY_PATH
-ARG LICENSE_PATH
-ARG LICENSES_PATH
-
-COPY $BINARY_PATH /app/cmd/acmesolver/acmesolver
-
-COPY $LICENSE_PATH /licenses/LICENSE
-COPY $LICENSES_PATH /licenses/LICENSES
+COPY acmesolver /app/cmd/acmesolver/acmesolver
+COPY cert-manager.license /licenses/LICENSE
+COPY cert-manager.licenses_notice /licenses/LICENSES
 
 ENTRYPOINT ["/app/cmd/acmesolver/acmesolver"]
 

hack/containers/Containerfile.cainjector

@@ -4,14 +4,9 @@ FROM $BASE_IMAGE
 
 USER 1000
 
-ARG BINARY_PATH
-ARG LICENSE_PATH
-ARG LICENSES_PATH
-
-COPY $BINARY_PATH /app/cmd/cainjector/cainjector
-
-COPY $LICENSE_PATH /licenses/LICENSE
-COPY $LICENSES_PATH /licenses/LICENSES
+COPY cainjector /app/cmd/cainjector/cainjector
+COPY cert-manager.license /licenses/LICENSE
+COPY cert-manager.licenses_notice /licenses/LICENSES
 
 ENTRYPOINT ["/app/cmd/cainjector/cainjector"]
 

hack/containers/Containerfile.controller

@@ -4,14 +4,9 @@ FROM $BASE_IMAGE
 
 USER 1000
 
-ARG BINARY_PATH
-ARG LICENSE_PATH
-ARG LICENSES_PATH
-
-COPY $BINARY_PATH /app/cmd/controller/controller
-
-COPY $LICENSE_PATH /licenses/LICENSE
-COPY $LICENSES_PATH /licenses/LICENSES
+COPY controller /app/cmd/controller/controller
+COPY cert-manager.license /licenses/LICENSE
+COPY cert-manager.licenses_notice /licenses/LICENSES
 
 ENTRYPOINT ["/app/cmd/controller/controller"]
 

hack/containers/Containerfile.ctl

@@ -4,14 +4,9 @@ FROM $BASE_IMAGE
 
 USER 1000
 
-ARG BINARY_PATH
-ARG LICENSE_PATH
-ARG LICENSES_PATH
-
-COPY $BINARY_PATH /app/cmd/ctl/ctl
-
-COPY $LICENSE_PATH /licenses/LICENSE
-COPY $LICENSES_PATH /licenses/LICENSES
+COPY ctl /app/cmd/ctl/ctl
+COPY cert-manager.license /licenses/LICENSE
+COPY cert-manager.licenses_notice /licenses/LICENSES
 
 ENTRYPOINT ["/app/cmd/ctl/ctl"]
 

hack/containers/Containerfile.webhook

@@ -4,14 +4,9 @@ FROM $BASE_IMAGE
 
 USER 1000
 
-ARG BINARY_PATH
-ARG LICENSE_PATH
-ARG LICENSES_PATH
-
-COPY $BINARY_PATH /app/cmd/webhook/webhook
-
-COPY $LICENSE_PATH /licenses/LICENSE
-COPY $LICENSES_PATH /licenses/LICENSES
+COPY webhook /app/cmd/webhook/webhook
+COPY cert-manager.license /licenses/LICENSE
+COPY cert-manager.licenses_notice /licenses/LICENSES
 
 ENTRYPOINT ["/app/cmd/webhook/webhook"]
 

make/containers.mk

@@ -40,79 +40,83 @@ all-containers: cert-manager-controller-linux cert-manager-webhook-linux cert-ma
 .PHONY: cert-manager-controller-linux
 cert-manager-controller-linux: bin/containers/cert-manager-controller-linux-amd64.tar.gz bin/containers/cert-manager-controller-linux-arm64.tar.gz bin/containers/cert-manager-controller-linux-s390x.tar.gz bin/containers/cert-manager-controller-linux-ppc64le.tar.gz bin/containers/cert-manager-controller-linux-arm.tar.gz
 
-bin/containers/cert-manager-controller-linux-amd64.tar.gz bin/containers/cert-manager-controller-linux-arm64.tar.gz bin/containers/cert-manager-controller-linux-s390x.tar.gz bin/containers/cert-manager-controller-linux-ppc64le.tar.gz bin/containers/cert-manager-controller-linux-arm.tar.gz: bin/containers/cert-manager-controller-linux-%.tar.gz: bin/server/controller-linux-% hack/containers/Containerfile.controller bin/scratch/cert-manager.license bin/scratch/cert-manager.licenses_notice bin/release-version | bin/containers
+bin/containers/cert-manager-controller-linux-amd64.tar.gz bin/containers/cert-manager-controller-linux-arm64.tar.gz bin/containers/cert-manager-controller-linux-s390x.tar.gz bin/containers/cert-manager-controller-linux-ppc64le.tar.gz bin/containers/cert-manager-controller-linux-arm.tar.gz: bin/containers/cert-manager-controller-linux-%.tar.gz: bin/server/controller-linux-% hack/containers/Containerfile.controller bin/scratch/cert-manager.license bin/scratch/cert-manager.licenses_notice bin/release-version | bin/containers bin/scratch/containers/cert-manager-controller-linux-%
 	$(eval TAG := cert-manager-controller-$*:$(RELEASE_VERSION))
-	$(eval BASE := $(BASE_IMAGE_$(notdir $<)))
+	$(eval BASE := BASE_IMAGE_$(notdir $<))
+	$(eval CONTEXT_DIR := bin/scratch/containers/$(notdir $(@:%.tar.gz=%)))
+	@cp $< $(CONTEXT_DIR)/controller
+	@cp bin/scratch/cert-manager.license bin/scratch/cert-manager.licenses_notice $(CONTEXT_DIR)
 	$(CTR) build --quiet \
 		-f hack/containers/Containerfile.controller \
-		--build-arg BASE_IMAGE=$(BASE) \
-		--build-arg BINARY_PATH=$< \
-		--build-arg LICENSE_PATH=bin/scratch/cert-manager.license \
-		--build-arg LICENSES_PATH=bin/scratch/cert-manager.licenses_notice \
+		--build-arg BASE_IMAGE=$($(BASE)) \
 		-t $(TAG) \
-		.
+		$(CONTEXT_DIR)
 	$(CTR) save $(TAG) | gzip > $@
 
 .PHONY: cert-manager-webhook-linux
 cert-manager-webhook-linux: bin/containers/cert-manager-webhook-linux-amd64.tar.gz bin/containers/cert-manager-webhook-linux-arm64.tar.gz bin/containers/cert-manager-webhook-linux-s390x.tar.gz bin/containers/cert-manager-webhook-linux-ppc64le.tar.gz bin/containers/cert-manager-webhook-linux-arm.tar.gz
 
-bin/containers/cert-manager-webhook-linux-amd64.tar.gz bin/containers/cert-manager-webhook-linux-arm64.tar.gz bin/containers/cert-manager-webhook-linux-s390x.tar.gz bin/containers/cert-manager-webhook-linux-ppc64le.tar.gz bin/containers/cert-manager-webhook-linux-arm.tar.gz: bin/containers/cert-manager-webhook-linux-%.tar.gz: bin/server/webhook-linux-% hack/containers/Containerfile.webhook bin/scratch/cert-manager.license bin/scratch/cert-manager.licenses_notice bin/release-version | bin/containers
+bin/containers/cert-manager-webhook-linux-amd64.tar.gz bin/containers/cert-manager-webhook-linux-arm64.tar.gz bin/containers/cert-manager-webhook-linux-s390x.tar.gz bin/containers/cert-manager-webhook-linux-ppc64le.tar.gz bin/containers/cert-manager-webhook-linux-arm.tar.gz: bin/containers/cert-manager-webhook-linux-%.tar.gz: bin/server/webhook-linux-% hack/containers/Containerfile.webhook bin/scratch/cert-manager.license bin/scratch/cert-manager.licenses_notice bin/release-version | bin/containers bin/scratch/containers/cert-manager-webhook-linux-%
 	$(eval TAG := cert-manager-webhook-$*:$(RELEASE_VERSION))
 	$(eval BASE := BASE_IMAGE_$(notdir $<))
+	$(eval CONTEXT_DIR := bin/scratch/containers/$(notdir $(@:%.tar.gz=%)))
+	@cp $< $(CONTEXT_DIR)/webhook
+	@cp bin/scratch/cert-manager.license bin/scratch/cert-manager.licenses_notice $(CONTEXT_DIR)
 	$(CTR) build --quiet \
 		-f hack/containers/Containerfile.webhook \
 		--build-arg BASE_IMAGE=$($(BASE)) \
-		--build-arg BINARY_PATH=$< \
-		--build-arg LICENSE_PATH=bin/scratch/cert-manager.license \
-		--build-arg LICENSES_PATH=bin/scratch/cert-manager.licenses_notice \
 		-t $(TAG) \
-		.
+		$(CONTEXT_DIR)
 	$(CTR) save $(TAG) | gzip > $@
 
 .PHONY: cert-manager-cainjector-linux
 cert-manager-cainjector-linux: bin/containers/cert-manager-cainjector-linux-amd64.tar.gz bin/containers/cert-manager-cainjector-linux-arm64.tar.gz bin/containers/cert-manager-cainjector-linux-s390x.tar.gz bin/containers/cert-manager-cainjector-linux-ppc64le.tar.gz bin/containers/cert-manager-cainjector-linux-arm.tar.gz
 
-bin/containers/cert-manager-cainjector-linux-amd64.tar.gz bin/containers/cert-manager-cainjector-linux-arm64.tar.gz bin/containers/cert-manager-cainjector-linux-s390x.tar.gz bin/containers/cert-manager-cainjector-linux-ppc64le.tar.gz bin/containers/cert-manager-cainjector-linux-arm.tar.gz: bin/containers/cert-manager-cainjector-linux-%.tar.gz: bin/server/cainjector-linux-% hack/containers/Containerfile.cainjector bin/scratch/cert-manager.license bin/scratch/cert-manager.licenses_notice bin/release-version | bin/containers
+bin/containers/cert-manager-cainjector-linux-amd64.tar.gz bin/containers/cert-manager-cainjector-linux-arm64.tar.gz bin/containers/cert-manager-cainjector-linux-s390x.tar.gz bin/containers/cert-manager-cainjector-linux-ppc64le.tar.gz bin/containers/cert-manager-cainjector-linux-arm.tar.gz: bin/containers/cert-manager-cainjector-linux-%.tar.gz: bin/server/cainjector-linux-% hack/containers/Containerfile.cainjector bin/scratch/cert-manager.license bin/scratch/cert-manager.licenses_notice bin/release-version | bin/containers bin/scratch/containers/cert-manager-cainjector-linux-%
 	$(eval TAG := cert-manager-cainjector-$*:$(RELEASE_VERSION))
 	$(eval BASE := BASE_IMAGE_$(notdir $<))
+	$(eval CONTEXT_DIR := bin/scratch/containers/$(notdir $(@:%.tar.gz=%)))
+	@cp $< $(CONTEXT_DIR)/cainjector
+	@cp bin/scratch/cert-manager.license bin/scratch/cert-manager.licenses_notice $(CONTEXT_DIR)
 	$(CTR) build --quiet \
 		-f hack/containers/Containerfile.cainjector \
 		--build-arg BASE_IMAGE=$($(BASE)) \
-		--build-arg BINARY_PATH=$< \
-		--build-arg LICENSE_PATH=bin/scratch/cert-manager.license \
-		--build-arg LICENSES_PATH=bin/scratch/cert-manager.licenses_notice \
 		-t $(TAG) \
-		.
+		$(CONTEXT_DIR)
 	$(CTR) save $(TAG) | gzip > $@
 
 .PHONY: cert-manager-acmesolver-linux
 cert-manager-acmesolver-linux: bin/containers/cert-manager-acmesolver-linux-amd64.tar.gz bin/containers/cert-manager-acmesolver-linux-arm64.tar.gz bin/containers/cert-manager-acmesolver-linux-s390x.tar.gz bin/containers/cert-manager-acmesolver-linux-ppc64le.tar.gz bin/containers/cert-manager-acmesolver-linux-arm.tar.gz
 
-bin/containers/cert-manager-acmesolver-linux-amd64.tar.gz bin/containers/cert-manager-acmesolver-linux-arm64.tar.gz bin/containers/cert-manager-acmesolver-linux-s390x.tar.gz bin/containers/cert-manager-acmesolver-linux-ppc64le.tar.gz bin/containers/cert-manager-acmesolver-linux-arm.tar.gz: bin/containers/cert-manager-acmesolver-linux-%.tar.gz: bin/server/acmesolver-linux-% hack/containers/Containerfile.acmesolver bin/scratch/cert-manager.license bin/scratch/cert-manager.licenses_notice bin/release-version | bin/containers
+bin/containers/cert-manager-acmesolver-linux-amd64.tar.gz bin/containers/cert-manager-acmesolver-linux-arm64.tar.gz bin/containers/cert-manager-acmesolver-linux-s390x.tar.gz bin/containers/cert-manager-acmesolver-linux-ppc64le.tar.gz bin/containers/cert-manager-acmesolver-linux-arm.tar.gz: bin/containers/cert-manager-acmesolver-linux-%.tar.gz: bin/server/acmesolver-linux-% hack/containers/Containerfile.acmesolver bin/scratch/cert-manager.license bin/scratch/cert-manager.licenses_notice bin/release-version | bin/containers bin/scratch/containers/cert-manager-acmesolver-linux-%
 	$(eval TAG := cert-manager-acmesolver-$*:$(RELEASE_VERSION))
 	$(eval BASE := BASE_IMAGE_$(notdir $<))
+	$(eval CONTEXT_DIR := bin/scratch/containers/$(notdir $(@:%.tar.gz=%)))
+	@cp $< $(CONTEXT_DIR)/acmesolver
+	@cp bin/scratch/cert-manager.license bin/scratch/cert-manager.licenses_notice $(CONTEXT_DIR)
 	$(CTR) build --quiet \
 		-f hack/containers/Containerfile.acmesolver \
 		--build-arg BASE_IMAGE=$($(BASE)) \
-		--build-arg BINARY_PATH=$< \
-		--build-arg LICENSE_PATH=bin/scratch/cert-manager.license \
-		--build-arg LICENSES_PATH=bin/scratch/cert-manager.licenses_notice \
 		-t $(TAG) \
-		.
+		$(CONTEXT_DIR)
 	$(CTR) save $(TAG) | gzip > $@
 
 .PHONY: cert-manager-ctl-linux
 cert-manager-ctl-linux: bin/containers/cert-manager-ctl-linux-amd64.tar.gz bin/containers/cert-manager-ctl-linux-arm64.tar.gz bin/containers/cert-manager-ctl-linux-s390x.tar.gz bin/containers/cert-manager-ctl-linux-ppc64le.tar.gz bin/containers/cert-manager-ctl-linux-arm.tar.gz
 
-bin/containers/cert-manager-ctl-linux-amd64.tar.gz bin/containers/cert-manager-ctl-linux-arm64.tar.gz bin/containers/cert-manager-ctl-linux-s390x.tar.gz bin/containers/cert-manager-ctl-linux-ppc64le.tar.gz bin/containers/cert-manager-ctl-linux-arm.tar.gz: bin/containers/cert-manager-ctl-linux-%.tar.gz: bin/cmctl/cmctl-linux-% hack/containers/Containerfile.ctl bin/scratch/cert-manager.license bin/scratch/cert-manager.licenses_notice bin/release-version | bin/containers
+bin/containers/cert-manager-ctl-linux-amd64.tar.gz bin/containers/cert-manager-ctl-linux-arm64.tar.gz bin/containers/cert-manager-ctl-linux-s390x.tar.gz bin/containers/cert-manager-ctl-linux-ppc64le.tar.gz bin/containers/cert-manager-ctl-linux-arm.tar.gz: bin/containers/cert-manager-ctl-linux-%.tar.gz: bin/cmctl/cmctl-linux-% hack/containers/Containerfile.ctl bin/scratch/cert-manager.license bin/scratch/cert-manager.licenses_notice bin/release-version | bin/containers bin/scratch/containers/cert-manager-ctl-linux-%
 	$(eval TAG := cert-manager-ctl-$*:$(RELEASE_VERSION))
 	$(eval BASE := BASE_IMAGE_$(notdir $<))
+	$(eval CONTEXT_DIR := bin/scratch/containers/$(notdir $(@:%.tar.gz=%)))
+	@cp $< $(CONTEXT_DIR)/ctl
+	@cp bin/scratch/cert-manager.license bin/scratch/cert-manager.licenses_notice $(CONTEXT_DIR)
 	$(CTR) build --quiet \
 		-f hack/containers/Containerfile.ctl \
 		--build-arg BASE_IMAGE=$($(BASE)) \
-		--build-arg BINARY_PATH=$< \
-		--build-arg LICENSE_PATH=bin/scratch/cert-manager.license \
-		--build-arg LICENSES_PATH=bin/scratch/cert-manager.licenses_notice \
 		-t $(TAG) \
-		.
+		$(CONTEXT_DIR)
 	$(CTR) save $(TAG) | gzip > $@
+
+
+$(foreach arch,amd64 arm64 s390x ppc64le arm,$(foreach bin,controller acmesolver cainjector webhook ctl, bin/scratch/containers/cert-manager-$(bin)-linux-$(arch))):
+	@mkdir -p $@