Use ko to build the container image

[imjasonh]

This PR proposes using ko to build the container image, instead of docker build.

• ko generates an SBOM and attaches it to the image, see cosign download sbom ghcr.io/imjasonh/golink
• ko doesn't require you to maintain a Dockerfile, just ko build and get an image.
• ko doesn't require any container runtime to build. Since go build is assumed not to have deleterious side effects, there's no real benefit to running it in a container; you can stop running Docker on your development machine.
• ko supports multi-platform builds easily. Add --platform=linux/amd64,linux/arm64, or just --platform=all, to build for all platforms supported by your base image (currently 8 platforms).
• ko builds images more reproducibly than docker build, which can lead to faster rebuilds and less registry storage.

This also changes the image to not set the --sqlitedb or --verbose flags by default anymore, and instead only recommend them at (production-)runtime.

I've built this in my fork, see the Action run here: https://github.com/imjasonh/golink/actions/runs/3462861488, and the image it produced at ghcr.io/imjasonh/golink.

[DentonGentry]

We're intending to make it use https://github.com/tailscale/mkctr, which we use for other services.

[bradfitz]

Aren't we only using mkctr because ko didn't do something @maisem? Maybe ko does now?

[imjasonh]

We're intending to make it use https://github.com/tailscale/mkctr, which we use for other services.

Oh awesome! The repo says:

This is inspired by ko which is awesome but doesn't support multiple binaries in a single container.

which, it's true, ko doesn't plan to support. It can be hacked around by doing successive ko builds on top of previously ko-built images, but that's uhhhh not a great experience.

I'd be curious to learn more about that use case though, I've truly never really needed multiple binaries in the same image, vs multiple single-binary containers in a Pod.

[maisem]

I'd be curious to learn more about that use case though, I've truly never really needed multiple binaries in the same image, vs multiple single-binary containers in a Pod.

The official tailscale container requires multiple binaries, tailscale, tailscaled and the recently added containerboot.
https://github.com/tailscale/tailscale/blob/fe81ee62d7cabcf3b9c5dc8107f2ff85372fe836/build_docker.sh#L35

If ko were to support multiple binaries we would be able to deprecate mkctr.
I have been meaning to add SBOM support for mkctr but haven't got around to it yet, would be great if we would just deprecate it instead 😄