Status: MVP Complete → hephy-builder Transformation Complete (October 26, 2025)
Documentation: See docs/ for comprehensive guides and specifications
Next Phase: See GitHub Issues for active development tasks
Build multi-architecture container images with Kaniko, supporting both self-hosted Kaniko builds and external project building.
Resurrect the elegant "git push deis main" developer experience using modern, secure, multi-platform container and WebAssembly build tooling.
- ✅ Documentation architecture: Professional docs/ structure with lore/ heritage preservation
- ✅ Vision articulation: Complete hephy-builder roadmap and developer experience design
- ✅ Implementation roadmap: 18 GitHub issues spanning research, design, and implementation
- ✅ Community foundation: Contributor onboarding, examples, and clear project navigation
- ✅ Heritage preservation: Deis Workflow story and lessons documented for posterity
- Original Goal: Build
gcr.io/kaniko-project/executor:debugfor arm64 + amd64 - Actual Achievement: Adopted maintained external Kaniko (
martizih/kaniko:v1.26.0-debug) - Outcome: Zero maintenance overhead, community maintained
- Decision: Deferred self-build (Issue #6) in favor of external dependency strategy
- Original Goal: Support one additional project
- Actual Achievement: Generalized framework supporting GitHub repositories
- Validated Examples: spkane/scratch-helloworld (Go HTTP server), manifest-tool, test-app
- Remote Cloning: GitHub integration with pre-clone artifact system
- Original Goal: Build for linux/amd64 and linux/arm64 with proper manifests
- Actual Achievement: Full multi-arch pipeline with professional tagging and dependency resolution
- Additional Features:
- Professional image tagging (
latest, version tags) - Smart change detection and architecture filtering
- Circular dependency elimination
- Self-contained tool architecture
- Professional image tagging (
- On merge to main: Build all directories with changes (like current minimal-base-image)
- On scheduled runs: Build all directories listed in
rebuild-weekly.txt(future)
.
├── .gitlab-ci.yml
├── hack/
│ ├── prepare_diff.sh (adapted from minimal-base-image)
│ └── README.md
├── README.md
├── rebuild-weekly.txt (for scheduled builds)
├── kaniko/
│ ├── build-config.yaml
│ └── README.md
└── another-tool/
├── build-config.yaml
└── README.md
# Example for Kaniko
upstream_repo: https://github.com/chainguard-dev/kaniko
upstream_ref: v1.25.3 # Can be tag, branch, or commit SHA
# Path to Dockerfile relative to upstream repo root
dockerfile_path: deploy/Dockerfile
# Optional: Dockerfile target (for multi-stage builds)
target: "" # e.g., "executor", "warmer", "debug" for Kaniko
# Optional: Build context path (defaults to repo root)
context_path: .
# Build arguments to pass to Kaniko
build_args:
- ARG1=value1
- ARG2=value2
# Architectures to build
platforms:
- linux/amd64
- linux/arm64
# Tags to apply (in addition to date-commit tag)
# Format: {directory-name}-{tag}
additional_tags:
- v1.25.3
- latestFollowing minimal-base-image pattern:
- Default tag:
{directory-name}-{YYYYMMDD}-{short-sha}- Example:
kaniko-20251014-a1b2c3d
- Example:
- Additional tags: As specified in
build-config.yaml- Example:
kaniko-v1.25.3,kaniko-latest
- Example:
- Use same
ECR_REGISTRYCI/CD variable as minimal-base-image - All images pushed to single ECR repo (like minimal-base-image)
- Multi-arch manifest references individual arch-specific tags
- Run
prepare_diff.sh(adapted from minimal-base-image) - Detect which directories changed
- Validate
build-config.yamlexists in each directory - Output
dirs.txtfor next stage
Each directory spawns parallel jobs for each architecture:
- Clone upstream repo at specified ref
- Build image for specific architecture using Kaniko
- Use
--customPlatformflag for architecture - Use
--cache=false --use-new-run --cleanup(like current pipeline) - Tag with arch-specific suffix:
{image-tag}-{arch}
- Use
- Push arch-specific image to ECR
- Wait for all architecture builds to complete
- Use
manifest-toolor Kaniko's approach to create multi-arch manifest - Apply all tags from
build-config.yaml - Push manifest to ECR
Kaniko's Dockerfile has multiple targets (executor, warmer, debug, etc.):
-
Solution 1 (Preferred): Create separate directories for each target
kaniko-executor/ kaniko-debug/ kaniko-warmer/Each points to same upstream repo but different
targetinbuild-config.yaml -
Solution 2: Support array of targets in one directory (more complex)
- Use existing Kaniko image to build new Kaniko
- Start with
gcr.io/kaniko-project/executor:latestas builder - After first successful build, use our own image for future builds
Goal: Build Kaniko arm64 ASAP, even if not perfect
-
Create minimal
.gitlab-ci.ymlthat:- Clones Kaniko repo
- Builds for arm64 using Kaniko
- Pushes to ECR
- Don't worry about multi-arch manifest yet
-
Validate it works and replaces our EOL Kaniko image
-
Document the process
- Add amd64 build in parallel
- Create multi-arch manifest
- Test auto-pull of correct architecture
- Adapt
prepare_diff.shfrom minimal-base-image - Add
build-config.yamlsupport - Add second test project
- Refactor to handle multiple directories
- Better error handling
- Build caching strategies
- Scheduled rebuild support
- Use
$CICD_TAGvariable (like minimal-base-image) - Ensure arm64 runners are available and tagged appropriately
- Public repos: No auth needed (start here)
- Private GitLab repos: Use runner token (already available)
- Future complex auth: GitLab CI Secrets or K8s External Secrets
- Use ECR credential helper:
{"credsStore":"ecr-login"} - Configure in
/kaniko/.docker/config.json
dirs.txtpassed between stages- Build logs captured for debugging
- Consider caching cloned repos (optional optimization)
- Can build Kaniko v1.25.3 for arm64 (deferred - using external)
- Can build Kaniko v1.25.3 for amd64 (deferred - using external)
- Multi-arch manifest created and pushed
- Can build other projects with Dockerfiles
- Images pushed to ECR with proper tags
- Pipeline triggered on merge to main
- Documentation explains how to add new projects
- Reusable GitLab CI component for other repos
- Scheduled rebuilds via
rebuild-weekly.txt - Build caching for faster iterations
- Parallel builds of multiple projects
- Support for private repos with complex auth
- Current minimal-base-image pipeline: [provided above]
- GitLab Kaniko component: https://gitlab.com/explore/catalog/guided-explorations/ci-components/kaniko
- Kaniko multi-arch docs: https://github.com/chainguard-dev/kaniko?tab=readme-ov-file#creating-multi-arch-container-manifests-using-kaniko-and-manifest-tool
- Upstream Kaniko: https://github.com/chainguard-dev/kaniko
- Timeline: ~10 hours for implementation
- Pragmatism: Working > Perfect. Iterate after Phase 1.
- Compliance: Must not use EOL/unsupported Kaniko version
- Efficiency: Don't sacrifice obvious efficiencies (parallel builds, etc.)
- Shortcut encouraged: If you find a faster way to get arm64 Kaniko working, take it. We can iterate.
- Don't reinvent wheels: Use existing GitLab examples and patterns
- Ask questions: If something is ambiguous, surface it quickly
- Incremental commits: Get Phase 1 working, commit, then move to Phase 2