From 48bc7fbbf9a3c08aa837b010cbe70b25ca604f73 Mon Sep 17 00:00:00 2001 From: Tim Hockin Date: Thu, 27 May 2021 09:56:29 -0700 Subject: [PATCH 1/6] Dockerfile: use multi-stage for cleaner result --- Dockerfile.in | 39 +++++++++++++++++++++++++-------------- 1 file changed, 25 insertions(+), 14 deletions(-) diff --git a/Dockerfile.in b/Dockerfile.in index 95b28f6..38a61a5 100644 --- a/Dockerfile.in +++ b/Dockerfile.in @@ -44,19 +44,22 @@ # => either add the git-sync GID or else set --root, mount a volume, # and manage volume permissions to access that volume -FROM {ARG_FROM} +############################################################################# +# First we prepare the image that we want, regardless of build layers. +############################################################################# +FROM {ARG_FROM} as prep RUN echo "deb http://deb.debian.org/debian/ buster-backports main contrib" > \ - /etc/apt/sources.list.d/backports.list \ - && apt update \ - && apt -y upgrade \ - && apt -y install \ + /etc/apt/sources.list.d/backports.list +RUN apt update +RUN apt -y upgrade +RUN apt -y install \ ca-certificates \ coreutils \ socat \ - openssh-client \ - && apt -y -t buster-backports install git \ - && rm -rf /var/lib/apt/lists/* + openssh-client +RUN apt -y -t buster-backports install git +RUN rm -rf /var/lib/apt/lists/* # Add the default UID to /etc/passwd so SSH is satisfied. RUN echo "git-sync:x:65533:65533::/tmp:/sbin/nologin" >> /etc/passwd 
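Review bot: Splitting the apt chain into one `RUN` per command leaves `RUN apt update` as its own layer, so a build that reuses the layer cache can install from a stale package index and miss current security updates. The Makefile's `--no-cache` (visible as context in patch 2/6) avoids that today, but nothing in Dockerfile.in says the split depends on it; a comment above the block would do, e.g. `# These RUNs are split for readability; the build must use --no-cache so the index from 'apt update' is never stale.` The same layout carries through the hunks of patches 3/6 and 4/6. As a style point, `FROM {ARG_FROM} as prep` reads better as `FROM {ARG_FROM} AS prep`, matching the uppercase instruction keywords.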
@@ -74,9 +77,20 @@ RUN echo "git-sync:x:65533:git-sync" >> /etc/group # they use our git-sync group. If the user needs a different group or sets # $GIT_SYNC_ROOT or --root, their values will override this, and we assume they # are handling permissions themselves. -ENV GIT_SYNC_ROOT=/git RUN mkdir -m 02775 /git && chown 65533:65533 /git +# Add the platform-specific binary. +COPY bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN} + +# Add third-party licenses. +COPY .licenses/ /LICENSES/ + +############################################################################# +# Now we make a "clean" final image. +############################################################################# +FROM scratch +COPY --from=prep / / + # Run as non-root by default. There's simply no reason to run as root. USER 65533:65533 @@ -85,10 +99,7 @@ USER 65533:65533 ENV HOME=/tmp WORKDIR /tmp -# Add the platform-specific binary. -COPY bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN} - -# Add third-party licenses. -COPY .licenses/ /LICENSES/ +# Default values for flags. +ENV GIT_SYNC_ROOT=/tmp/git ENTRYPOINT ["/{ARG_BIN}"] From 394a4604054c0726b779ba11288c67eb9d932e2f Mon Sep 17 00:00:00 2001 From: Tim Hockin Date: Thu, 27 May 2021 09:57:58 -0700 Subject: [PATCH 2/6] Makefile: plain output when building container --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index f345f6b..b5beec5 100644 --- a/Makefile +++ b/Makefile @@ -138,6 +138,7 @@ container: .container-$(DOTFILE_IMAGE) container-name Dockerfile.in > .dockerfile-$(OS)_$(ARCH) @docker buildx build \ --no-cache \ + --progress=plain \ --load \ --platform "$(OS)/$(ARCH)" \ --build-arg HTTP_PROXY=$(HTTP_PROXY) \ From 8b4f7d5be5b69b0329a2f8f6f52cde22391e8f77 Mon Sep 17 00:00:00 2001 From: Tim Hockin Date: Thu, 27 May 2021 09:59:58 -0700 Subject: [PATCH 3/6] Dockerfile: use apt-get (more stable) --- Dockerfile.in | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
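Review bot: `FROM scratch` followed by `COPY --from=prep / /` carries over only the filesystem of the prep stage; image configuration from `{ARG_FROM}` (any `ENV`, such as a non-default `PATH`, and any labels) is not inherited by the final stage. If the base image sets anything that the binary, git or ssh rely on, it has to be restated after `FROM scratch`; I cannot tell from the hunk whether it does. The banner comment could also say that "clean" means a single flattened layer, since apt, dpkg and the rest of the prep root are still copied, e.g. `# "Clean" here means one flattened layer; the full prep filesystem is still copied.`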
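Review bot: The default `GIT_SYNC_ROOT` changes from `/git` to `/tmp/git` in this hunk, which the commit subject does not mention, while the prep stage still runs `mkdir -m 02775 /git && chown 65533:65533 /git`. The setgid, group-writable directory that the comment block above `mkdir` describes is therefore no longer the default root. `/tmp/git` is not created in the visible lines, so its mode and group would presumably depend on whatever creates it at run time. Either keep `ENV GIT_SYNC_ROOT=/git`, or create `/tmp/git` with the same mode and ownership in the prep stage and update that comment.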
diff --git a/Dockerfile.in b/Dockerfile.in index 38a61a5..9a21c01 100644 --- a/Dockerfile.in +++ b/Dockerfile.in @@ -51,14 +51,14 @@ FROM {ARG_FROM} as prep RUN echo "deb http://deb.debian.org/debian/ buster-backports main contrib" > \ /etc/apt/sources.list.d/backports.list -RUN apt update -RUN apt -y upgrade -RUN apt -y install \ +RUN apt-get update +RUN apt-get -y upgrade +RUN apt-get -y install \ ca-certificates \ coreutils \ socat \ openssh-client -RUN apt -y -t buster-backports install git +RUN apt-get -y -t buster-backports install git RUN rm -rf /var/lib/apt/lists/* # Add the default UID to /etc/passwd so SSH is satisfied. From 79de193be559e67f78a6931fb01a999229726636 Mon Sep 17 00:00:00 2001 From: Tim Hockin Date: Thu, 27 May 2021 10:02:02 -0700 Subject: [PATCH 4/6] Dockerfile: apt install with --no-install-recommends --- Dockerfile.in | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile.in b/Dockerfile.in index 9a21c01..8499346 100644 --- a/Dockerfile.in +++ b/Dockerfile.in @@ -53,12 +53,13 @@ RUN echo "deb http://deb.debian.org/debian/ buster-backports main contrib" > \ /etc/apt/sources.list.d/backports.list RUN apt-get update RUN apt-get -y upgrade -RUN apt-get -y install \ +RUN apt-get -y install --no-install-recommends \ ca-certificates \ coreutils \ socat \ openssh-client -RUN apt-get -y -t buster-backports install git +RUN apt-get -y -t buster-backports install --no-install-recommends \ + git RUN rm -rf /var/lib/apt/lists/* # Add the default UID to /etc/passwd so SSH is satisfied. From 5ecd341782df5487735f28bc540e803bdb9e5c89 Mon Sep 17 00:00:00 2001 From: Tim Hockin Date: Thu, 27 May 2021 10:18:34 -0700 Subject: [PATCH 5/6] Downgrade libcurl to avoid HTTP bug --- Dockerfile.in | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Dockerfile.in b/Dockerfile.in index 8499346..a82ab17 100644 --- a/Dockerfile.in +++ b/Dockerfile.in 
@@ -58,8 +58,15 @@ RUN apt-get -y install --no-install-recommends \ coreutils \ socat \ openssh-client +# We want a newer git than the norm. RUN apt-get -y -t buster-backports install --no-install-recommends \ git +# libcurl3-gnutls=7.74.0-1.2~bpo10+1 is broken. We can downgrade for now until +# the fix reaches upstream. +# https://github.com/kubernetes/git-sync/issues/395 +RUN apt-get -y install --no-install-recommends --allow-downgrades \ + libcurl3-gnutls:amd64=7.64.0-4+deb10u2 +RUN apt-get -y autoremove RUN rm -rf /var/lib/apt/lists/* # Add the default UID to /etc/passwd so SSH is satisfied. From 421fc4e29804d34c601f4c6420136f8fcabf6c32 Mon Sep 17 00:00:00 2001 From: Tim Hockin Date: Fri, 28 May 2021 14:18:58 -0700 Subject: [PATCH 6/6] Add a testcase for github HTTPS --- test_e2e.sh | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/test_e2e.sh b/test_e2e.sh index 5f82c0e..8f78d63 100755 --- a/test_e2e.sh +++ b/test_e2e.sh @@ -1432,6 +1432,23 @@ assert_file_eq "$ROOT"/link/file2 "$TESTCASE" # Wrap up pass +############################################## +# Test github HTTPS +# TODO: it would be better if we set up a local HTTPS server +############################################## +testcase "github-https" +GIT_SYNC \ + --one-time \ + --repo="https://github.com/kubernetes/git-sync" \ + --branch=e2e-branch \ + --rev=HEAD \ + --root="$ROOT" \ + --dest="link" \ + > "$DIR"/log."$TESTCASE" 2>&1 +assert_file_exists "$ROOT"/link/LICENSE +# Wrap up +pass + # Finally... echo echo "all tests passed: cleaning up $DIR"
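Review bot: The pin `libcurl3-gnutls:amd64=7.64.0-4+deb10u2` hard-codes the architecture, while the same file copies `bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN}` and the Makefile builds with `--platform "$(OS)/$(ARCH)"`, so this step will likely fail on any non-amd64 build. Dropping the qualifier, `libcurl3-gnutls=7.64.0-4+deb10u2`, lets apt pick the native architecture. The exact-version downgrade also runs after `apt-get -y upgrade` and holds libcurl at that revision, so later security fixes to the package would not be picked up, or the build may break once that version is superseded. A `# TODO: remove once <fixed version> is in buster-backports` next to the issue link would make the exit condition explicit.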
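Review bot: The `github-https` test case needs outbound access to github.com and depends on the branch `e2e-branch` existing in the upstream repository, so it fails in an offline or sandboxed run, or if that branch is renamed, for reasons unrelated to the code under test. With `--rev=HEAD` the fetched content also moves over time, though the only assertion is that `LICENSE` exists. Until the local HTTPS server from the TODO exists, a comment stating the external dependency would help, e.g. `# Requires network access to github.com and the e2e-branch branch upstream.`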