From 0aafb892028db83504a18a027014926a71d38cec Mon Sep 17 00:00:00 2001 From: Mike Splain Date: Tue, 20 Feb 2018 14:50:59 -0500 Subject: [PATCH 1/5] Update bazel_rules_docker --- WORKSPACE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WORKSPACE b/WORKSPACE index 3dd3e1e61b..96007d379a 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -40,7 +40,7 @@ go_register_toolchains( git_repository( name = "io_bazel_rules_docker", remote = "https://github.com/bazelbuild/rules_docker.git", - tag = "v0.3.0", + tag = "v0.4.0", ) load( From 43d58e50844e1909f2170d18d56f7463a683b4fa Mon Sep 17 00:00:00 2001 From: Mike Splain Date: Tue, 20 Feb 2018 15:03:12 -0500 Subject: [PATCH 2/5] Bazel docker images --- Makefile | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index b429ef5c9e..8448578f2a 100644 --- a/Makefile +++ b/Makefile @@ -34,7 +34,7 @@ PROTOKUBE=$(LOCAL)/protokube UPLOAD=$(BUILD)/upload UID:=$(shell id -u) GID:=$(shell id -g) -TESTABLE_PACKAGES:=$(shell egrep -v "k8s.io/kops/cloudmock|k8s.io/kops/vendor" hack/.packages) +TESTABLE_PACKAGES:=$(shell egrep -v "k8s.io/kops/cloudmock|k8s.io/kops/vendor" hack/.packages) BAZEL_OPTIONS?= # See http://stackoverflow.com/questions/18136918/how-to-get-current-relative-directory-of-your-makefile @@ -143,7 +143,7 @@ help: # Show this help .PHONY: clean clean: # Remove build directory and bindata-generated files - for t in ${BINDATA_TARGETS}; do if test -e $$t; then rm -fv $$t; fi; done + for t in ${BINDATA_TARGETS}; do if test -e $$t; then rm -fv $$t; fi; done if test -e ${BUILD}; then rm -rfv ${BUILD}; fi .PHONY: kops 
@@ -623,6 +623,18 @@ bazel-build-cli: #bazel-crossbuild-dns-controller: # bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //dns-controller/... +.PHONY: bazel-crossbuild-dns-controller-image +bazel-crossbuild-dns-controller-image: + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //images:dns-controller.tar + +.PHONY: bazel-crossbuild-protokube-image +bazel-crossbuild-protokube-image: + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //images:protokube.tar + +.PHONY: bazel-crossbuild-kube-discovery-image +bazel-crossbuild-kube-discovery-image: + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //images:kube-discovery.tar + .PHONY: bazel-push # Will always push a linux-based build up to the server bazel-push: bazel-crossbuild-nodeup From f0ad5ed914bb1daf2569e799e482c027598507eb Mon Sep 17 00:00:00 2001 From: Mike Splain Date: Wed, 21 Feb 2018 17:11:03 -0500 Subject: [PATCH 3/5] Update rules go --- WORKSPACE | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/WORKSPACE b/WORKSPACE index 96007d379a..4811aa8b54 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -3,8 +3,8 @@ http_archive( name = "io_bazel_rules_go", - sha256 = "4d8d6244320dd751590f9100cf39fd7a4b75cd901e1f3ffdfd6f048328883695", - url = "https://github.com/bazelbuild/rules_go/releases/download/0.9.0/rules_go-0.9.0.tar.gz", + url = "https://github.com/bazelbuild/rules_go/releases/download/0.10.0/rules_go-0.10.0.tar.gz", + sha256 = "53c8222c6eab05dd49c40184c361493705d4234e60c42c4cd13ab4898da4c6be", ) load("@io_bazel_rules_go//go:def.bzl", "go_rules_dependencies", "go_register_toolchains", "go_download_sdk") From 1eb8e6da90054dff2bb9c1257c063200e615d8b4 Mon Sep 17 00:00:00 2001 
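Review bot: The three new `bazel-crossbuild-*-image` targets have no description, while other targets in this Makefile carry one inline (`help: # Show this help`, `clean: # Remove build directory and bindata-generated files`). A trailing comment such as `bazel-crossbuild-protokube-image: # Build the linux/amd64 protokube image tarball with bazel` on each would document them. The recipes also repeat the same `--experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64` flag and do not pass `${BAZEL_OPTIONS}`, which is declared near the top of the file. Whether other bazel recipes honour that variable is not visible here, so treat the second point as a consistency check.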
From: Mike Splain Date: Thu, 22 Feb 2018 20:30:32 -0500 Subject: [PATCH 4/5] Crossbuilds seem to work now. Tested all of these on each of their systems Need more real testing to ensure all issues are fixed but worked better than not for me --- Makefile | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/Makefile b/Makefile index 8448578f2a..2cbad53430 100644 --- a/Makefile +++ b/Makefile 
@@ -605,23 +605,23 @@ bazel-build-cli: bazel build //cmd/kops/... # Not working yet, but we can hope -#.PHONY: bazel-crossbuild-kops -#bazel-crossbuild-kops: -# bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:darwin_amd64 //cmd/kops/... -# bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //cmd/kops/... -# bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:windows_amd64 //cmd/kops/... -# -#.PHONY: bazel-crossbuild-nodeup -#bazel-crossbuild-nodeup: -# bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //cmd/nodeup/... +.PHONY: bazel-crossbuild-kops +bazel-crossbuild-kops: + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:darwin_amd64 //cmd/kops/... + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //cmd/kops/... + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:windows_amd64 //cmd/kops/... -#.PHONY: bazel-crossbuild-protokube -#bazel-crossbuild-protokube: -# bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //protokube/... +.PHONY: bazel-crossbuild-nodeup +bazel-crossbuild-nodeup: + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //cmd/nodeup/... -#.PHONY: bazel-crossbuild-dns-controller -#bazel-crossbuild-dns-controller: -# bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //dns-controller/... +.PHONY: bazel-crossbuild-protokube +bazel-crossbuild-protokube: + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //protokube/... + +.PHONY: bazel-crossbuild-dns-controller +bazel-crossbuild-dns-controller: + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //dns-controller/... .PHONY: bazel-crossbuild-dns-controller-image bazel-crossbuild-dns-controller-image: From 7f139caed20e020c7e8b8e1c5b480b24e6475182 Mon Sep 17 00:00:00 2001 
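Review bot: The context comment `# Not working yet, but we can hope` is left directly above `bazel-crossbuild-kops` even though this hunk enables the targets it described. The comment now contradicts the code and will mislead anyone deciding whether these builds can feed a release. Replace it with the current status, for example `# Cross builds via --experimental_platforms; verified manually only, see commit message`. The commit description itself says more testing is needed, so the caveat belongs next to the targets rather than only in history.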
From: Mike Splain Date: Fri, 23 Feb 2018 15:52:00 -0500 Subject: [PATCH 5/5] Add packages to protokube and make bazel-upload --- .gitignore | 1 + Makefile | 35 ++++++++++++++++++++++++++++++++++ WORKSPACE | 47 ++++++++++++++++++++++++++++++++++++++++++++++ images/BUILD.bazel | 27 ++++++++++++++++++++++++-- 4 files changed, 108 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index eaa26afd25..6b95720998 100644 --- a/.gitignore +++ b/.gitignore @@ -56,6 +56,7 @@ network_closure.sh # build stuff .build +.bazelbuild # autogenerated code we don't want to check in go-bindata diff --git a/Makefile b/Makefile index 2cbad53430..45bdaf1fe7 100644 --- a/Makefile +++ b/Makefile @@ -32,6 +32,10 @@ CHANNELS=$(LOCAL)/channels NODEUP=$(LOCAL)/nodeup PROTOKUBE=$(LOCAL)/protokube UPLOAD=$(BUILD)/upload +BAZELBUILD=$(GOPATH_1ST)/src/k8s.io/kops/.bazelbuild +BAZELDIST=$(BAZELBUILD)/dist +BAZELIMAGES=$(BAZELDIST)/images +BAZELUPLOAD=$(BAZELBUILD)/upload UID:=$(shell id -u) GID:=$(shell id -g) TESTABLE_PACKAGES:=$(shell egrep -v "k8s.io/kops/cloudmock|k8s.io/kops/vendor" hack/.packages) 
@@ -671,3 +675,34 @@ push-kube-discovery: bazel run //kube-discovery/images:kube-discovery docker tag bazel/kube-discovery/images:kube-discovery ${DOCKER_REGISTRY}/kube-discovery:${DOCKER_TAG} docker push ${DOCKER_REGISTRY}/kube-discovery:${DOCKER_TAG} + +.PHONY: bazel-protokube-export +bazel-protokube-export: + mkdir -p ${BAZELIMAGES} + bazel run --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //images:protokube + docker tag bazel/images:protokube protokube:${PROTOKUBE_TAG} + docker save protokube:${PROTOKUBE_TAG} > ${BAZELIMAGES}/protokube.tar + gzip --force --best ${BAZELIMAGES}/protokube.tar + (${SHASUMCMD} ${BAZELIMAGES}/protokube.tar.gz | cut -d' ' -f1) > ${BAZELIMAGES}/protokube.tar.gz.sha1 + +.PHONY: bazel-version-dist +bazel-version-dist: bazel-crossbuild-nodeup bazel-crossbuild-kops bazel-protokube-export utils-dist + rm -rf ${BAZELUPLOAD} + mkdir -p ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/ + mkdir -p ${BAZELUPLOAD}/kops/${VERSION}/darwin/amd64/ + mkdir -p ${BAZELUPLOAD}/kops/${VERSION}/images/ + mkdir -p ${BAZELUPLOAD}/utils/${VERSION}/linux/amd64/ + cp bazel-bin/cmd/nodeup/linux_amd64_pure_stripped/nodeup ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/nodeup + (${SHASUMCMD} ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/nodeup | cut -d' ' -f1) > ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/nodeup.sha1 + cp ${BAZELIMAGES}/protokube.tar.gz ${BAZELUPLOAD}/kops/${VERSION}/images/protokube.tar.gz + cp ${BAZELIMAGES}/protokube.tar.gz.sha1 ${BAZELUPLOAD}/kops/${VERSION}/images/protokube.tar.gz.sha1 + cp bazel-bin/cmd/kops/linux_amd64_pure_stripped/kops ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/kops + (${SHASUMCMD} ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/kops | cut -d' ' -f1) > ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/kops.sha1 + cp bazel-bin/cmd/kops/darwin_amd64_stripped/kops ${BAZELUPLOAD}/kops/${VERSION}/darwin/amd64/kops + (${SHASUMCMD} ${BAZELUPLOAD}/kops/${VERSION}/darwin/amd64/kops | cut -d' ' -f1) > 
${BAZELUPLOAD}/kops/${VERSION}/darwin/amd64/kops.sha1 + cp ${DIST}/linux/amd64/utils.tar.gz ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/utils.tar.gz + cp ${DIST}/linux/amd64/utils.tar.gz.sha1 ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/utils.tar.gz.sha1 + +.PHONY: bazel-upload +bazel-upload: bazel-version-dist # Upload kops to S3 + aws s3 sync --acl public-read ${BAZELUPLOAD}/ ${S3_BUCKET} \ No newline at end of file diff --git a/WORKSPACE b/WORKSPACE index 4811aa8b54..89795f4bb3 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -59,3 +59,50 @@ container_pull( repository = "debian-hyperkube-base-amd64", tag = "0.8", ) + +git_repository( + name = "distroless_rules", + remote = "https://github.com/googlecloudplatform/distroless.git", + commit = "886114394dfed219001ec3b068b139a3456e49d4" +) + +load( + "@distroless_rules//package_manager:package_manager.bzl", + "package_manager_repositories", + "dpkg_src", + "dpkg_list", +) + +package_manager_repositories() + +dpkg_src( + name = "debian_stretch", + arch = "amd64", + distro = "stretch", + sha256 = "9aea0e4c9ce210991c6edcb5370cb9b11e9e554a0f563e7754a4028a8fd0cb73", + snapshot = "20171101T160520Z", + url = "http://snapshot.debian.org/archive", +) + +dpkg_list( + name = "package_bundle", + packages = [ + "cgmanager", + "dbus", + "libapparmor1", + "libcgmanager0", + "libcryptsetup4", + "libdbus-1-3", + "libnih-dbus1", + "libnih1", + "libpam-systemd", + "libprocps6", + "libseccomp2", + "procps", + "systemd-shim", + "systemd", + ], + sources = [ + "@debian_stretch//file:Packages.json", + ], +) diff --git a/images/BUILD.bazel b/images/BUILD.bazel index 78eaaed7a9..f2bb5ebf5a 100644 --- a/images/BUILD.bazel +++ b/images/BUILD.bazel @@ -15,6 +15,8 @@ container_image( ], ) +load("@package_bundle//file:packages.bzl", "packages") + container_image( name = "protokube", base = "@debian_hyperkube_base_amd64//image", 
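Review bot: Each checksum recipe of the form `(${SHASUMCMD} FILE | cut -d' ' -f1) > FILE.sha1` takes its exit status from `cut`, so a failing or missing hash command still succeeds and leaves an empty `.sha1`. `bazel-upload` then publishes that file with `--acl public-read`. This applies to the protokube, nodeup and both kops lines. Capturing the hash first makes the failure stop the build, e.g. `h=$$(${SHASUMCMD} ${BAZELIMAGES}/protokube.tar.gz) && echo "$${h%% *}" > ${BAZELIMAGES}/protokube.tar.gz.sha1`. `SHASUMCMD`, `PROTOKUBE_TAG`, `VERSION` and `S3_BUCKET` are not defined in the visible lines, so the recipes should fail early when any of them is empty. A digest stored in the same public bucket as the artifact detects corruption but not replacement of both files, and the `.sha1` suffix suggests SHA-1, so a SHA-256 sidecar is worth adding if consumers can accept one.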
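Review bot: `dpkg_src` fetches the Debian package index over plain HTTP (`url = "http://snapshot.debian.org/archive"`), so the `sha256` pin on the index is the only integrity control on that download. Changing it to `url = "https://snapshot.debian.org/archive",` costs nothing. It is also worth confirming that the pinned distroless commit verifies every downloaded `.deb` against the hashes in that index, which this hunk does not show. The snapshot `20171101T160520Z` freezes systemd, dbus and procps at that date, which keeps builds reproducible but means later Debian security updates are not picked up. A comment next to `snapshot` saying who bumps it and when would make that trade-off explicit.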
@@ -25,9 +27,30 @@ container_image( # systemd: needed to start kubelet # TODO: Replace systemd with direct calls, or chroot into rootfs debs = [ - "@systemd//file", + packages["cgmanager"], + packages["dbus"], + packages["libapparmor1"], + packages["libcgmanager0"], + packages["libcryptsetup4"], + packages["libdbus-1-3"], + packages["libnih-dbus1"], + packages["libnih1"], + packages["libpam-systemd"], + packages["libprocps6"], + packages["libseccomp2"], + packages["procps"], + packages["systemd-shim"], + packages["systemd"], ], - directory = "/usr/bin/", + # Cannot use directory with packages or they get installed with + # directory as the root. + # directory = "/usr/bin/", + # TODO: figure out if there's a way to add files + # to actual /usr/bin while using debs above. + symlinks = { + "/usr/bin/channels": "/channels", + "/usr/bin/protokube": "/protokube", + }, files = [ "//channels/cmd/channels", # TODO "//kubectl",
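Review bot: The fourteen `packages[...]` entries in `debs` duplicate the `packages` list of `dpkg_list(name = "package_bundle")` in WORKSPACE by hand, and nothing in this hunk records that the two lists must change together. The existing comment above `debs` explains only systemd, although the image now also ships dbus, cgmanager, systemd-shim and their libraries. Extend it with something like `# Dependency closure of systemd; keep in sync with package_bundle in WORKSPACE`, and note which entries are direct requirements and which are transitive. That lets the list be trimmed once the TODO about replacing systemd is done, since each extra package adds to what must be patched in the image. The `container_image` rule starts before and continues past this hunk, so any entrypoint or cmd that still refers to `/usr/bin/` paths should be checked against the new `symlinks`.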