spiffe · MarcosDY · Jan 9, 2023 · Nov 13, 2022 · Dec 1, 2022 · Dec 1, 2022
@@ -3,3 +3,9 @@
 .cache
 releases/
 artifacts/
+.githooks/
+script/
+doc/
+examples/
+oci/
+*-image.tar
@@ -19,8 +19,10 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@main
       - name: Build images
-        run: make images scratch-images
+        run: make images scratch-images load-images load-scratch-images
       - name: Log in to GCR
         uses: docker/login-action@v2
         with:

@@ -176,10 +176,14 @@ jobs:
           key: ${{ runner.os }}-tools-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-tools-
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
       - name: Build images
         run: make images
       - name: Export images
-        run: docker save spire-server:latest-local spire-agent:latest-local k8s-workload-registrar:latest-local oidc-discovery-provider:latest-local | gzip > images.tar.gz
+        run: tar -czvf images.tar.gz *-image.tar
       - name: Archive images
         uses: actions/upload-artifact@v3
         with:
@@ -240,10 +244,14 @@ jobs:
           key: ${{ runner.os }}-tools-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-tools-
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
       - name: Build scratch images
         run: make scratch-images
       - name: Export scratch images
-        run: docker save spire-server-scratch:latest-local spire-agent-scratch:latest-local k8s-workload-registrar-scratch:latest-local oidc-discovery-provider-scratch:latest-local | gzip > scratch-images.tar.gz
+        run: tar -czvf scratch-images.tar.gz *-scratch-image.tar
       - name: Archive scratch images
         uses: actions/upload-artifact@v3
         with:
@@ -276,6 +284,8 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GO_VERSION }}
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@main
       - name: Load cached deps
         uses: actions/cache@v3
         with:
@@ -299,9 +309,13 @@ jobs:
           name: scratch-images
           path: .
       - name: Load archived images
-        run: zcat images.tar.gz | docker load
+        run: |
+          tar xvf images.tar.gz
+          make load-images
       - name: Load archived scratch images
-        run: zcat scratch-images.tar.gz | docker load
+        run: |
+          tar xvf scratch-images.tar.gz
+          make load-scratch-images
       - name: Run integration tests
         env:
           NUM_RUNNERS: ${{ matrix.num_runners }}

@@ -177,7 +177,7 @@ jobs:
       - name: Build images
         run: make images
       - name: Export images
-        run: docker save spire-server:latest-local spire-agent:latest-local k8s-workload-registrar:latest-local oidc-discovery-provider:latest-local | gzip > images.tar.gz
+        run: tar -czvf images.tar.gz *-image.tar
       - name: Archive images
         uses: actions/upload-artifact@v3
         with:
@@ -241,7 +241,7 @@ jobs:
       - name: Build scratch images
         run: make scratch-images
       - name: Export scratch images
-        run: docker save spire-server-scratch:latest-local spire-agent-scratch:latest-local k8s-workload-registrar-scratch:latest-local oidc-discovery-provider-scratch:latest-local | gzip > scratch-images.tar.gz
+        run: tar -czvf scratch-images.tar.gz *-scratch-image.tar
       - name: Archive scratch images
         uses: actions/upload-artifact@v3
         with:
@@ -283,6 +283,8 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GO_VERSION }}
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@main
       - name: Load cached deps
         uses: actions/cache@v3
         with:
@@ -306,9 +308,13 @@ jobs:
           name: scratch-images
           path: .
       - name: Load archived images
-        run: zcat images.tar.gz | docker load
+        run: |
+          tar xvf images.tar.gz
+          make load-images
       - name: Load archived scratch images
-        run: zcat scratch-images.tar.gz | docker load
+        run: |
+          tar xvf scratch-images.tar.gz
+          make load-scratch-images
       - name: Run integration tests
         env:
           NUM_RUNNERS: ${{ matrix.num_runners }}
@@ -574,28 +580,30 @@ jobs:
         with:
           name: images
           path: .
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@main
       - name: Download archived scratch images
         uses: actions/download-artifact@v3
         with:
           name: scratch-images
           path: .
-      - name: Load archived images
-        run: zcat images.tar.gz | docker load
-      - name: Load archived scratch images
-        run: zcat scratch-images.tar.gz | docker load
       - name: Log in to GCR
         uses: docker/login-action@v2
         with:
           registry: gcr.io
           username: _json_key
           password: ${{ secrets.GCR_JSON_KEY }}
       - name: Push images
-        run: ./.github/workflows/scripts/push-images.sh "${GITHUB_REF}"
+        run: |
+          tar xzvf images.tar.gz
+          ./.github/workflows/scripts/push-images.sh "${GITHUB_REF}"
       - name: Log in to GHCR
         uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Push images
-        run: ./.github/workflows/scripts/push-images.sh "${GITHUB_REF}" -scratch
+        run: |
+          tar xzvf scratch-images.tar.gz
+          ./.github/workflows/scripts/push-images.sh "${GITHUB_REF}" -scratch
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+# shellcheck shell=bash
+##
+## USAGE: __PROG__
+##
+## "__PROG__" loads oci tarballs created with xbuild into docker.
+##
+## Usage example(s):
+##   ./__PROG__
+##   ./__PROG__ -scratch
+##   PLATFORM=linux/arm64 ./__PROG__ -scratch
+##
+## Commands
+## - ./__PROG__ <image-variant>    loads the oci tarball for the optional variant into Docker.
+
+function usage {
+  grep '^##' "$0" | sed -e 's/^##//' -e "s/__PROG__/$me/" >&2
+}
+
+function normalize_path {
+    # Remove all /./ sequences.
+    local path=${1//\/.\//\/}
+    local npath
+    # Remove first dir/.. sequence.
+    npath="${path//[^\/][^\/]*\/\.\.\//}"
+    # Remove remaining dir/.. sequence.
+    while [[ $npath != "$path" ]] ; do
+        path=$npath
+        npath="${path//[^\/][^\/]*\/\.\.\//}"
+    done
+    echo "$path"
+}
+
+me=$(basename "$0")
+BASEDIR=$(dirname "$0")
+ROOTDIR="$(normalize_path "$BASEDIR/../../../")"
+
+command -v regctl >/dev/null 2>&1 || { usage; echo -e "\n * The regctl cli is required to run this script." >&2 ; exit 1; }
+command -v docker >/dev/null 2>&1 || { usage; echo -e "\n * The docker cli is required to run this script." >&2 ; exit 1; }
+
+variant="$1"
+
+if [ -n "$variant" ] && [ "$variant" != "-scratch" ] ; then
+    usage
+    echo -e "The only supported variants are '-scratch'." >&2
+    exit 1
+fi
+
+# Takes the current platform architecture or plaftorm as defined externally in a platform variable.
+# e.g.:
+# linux/amd64
+# linux/arm64
+# linux/arm64/v7
+PLATFORM="${PLATFORM:-local}"
+OCI_IMAGES=(
+    spire-server spire-agent k8s-workload-registrar oidc-discovery-provider
+)
+
+echo "Importing ${OCI_IMAGES[*]} into docker".
+for img in "${OCI_IMAGES[@]}"; do
+    image_variant="${img}${variant}"
+    oci_dir="ocidir://${ROOTDIR}oci/${image_variant}"
+    platform_tar="${image_variant}-${PLATFORM}-image.tar"
+
+    # regclient works with directories rather than tars, so import the OCI tar to a directory
+    regctl image import "$oci_dir" "${image_variant}-image.tar"
+    dig="$(regctl image digest --platform "$PLATFORM" "$oci_dir")"
+    # export the single platform image using the digest
+    regctl image export "$oci_dir@${dig}" "${platform_tar}"
+
+    docker load < "${platform_tar}"
+    docker image tag "localhost/oci/${image_variant}:latest" "${image_variant}:latest-local"
+    docker image rm "localhost/oci/${image_variant}:latest"
+done
@@ -21,7 +21,23 @@ function usage {
   grep '^##' "$0" | sed -e 's/^##//' -e "s/__PROG__/$me/" >&2
 }
 
+function normalize_path {
+  # Remove all /./ sequences.
+  local path=${1//\/.\//\/}
+  local npath
+  # Remove first dir/.. sequence.
+  npath="${path//[^\/][^\/]*\/\.\.\//}"
+  # Remove remaining dir/.. sequence.
+  while [[ $npath != "$path" ]] ; do
+    path=$npath
+    npath="${path//[^\/][^\/]*\/\.\.\//}"
+  done
+  echo "$path"
+}
+
 me=$(basename "$0")
+BASEDIR=$(dirname "$0")
+ROOTDIR="$(normalize_path "$BASEDIR/../../../")"
 
 version="$1"
 if [ -z "${version}" ]; then
@@ -37,7 +53,7 @@ version="${version#refs/tags/v}"
 version="${version#v}"
 
 variant="$2"
-if [ -n "${variant}" ] && [ "${variant}" != "-scratch" ]; then
+if [ -n "${variant}" ] && [ "${variant}" != "-scratch" ] ; then
   usage
   echo -e "\n Errors:\n * The only supported variant is '-scratch'." >&2
   exit 1
@@ -60,7 +76,9 @@ fi
 echo "Pushing images ${OCI_IMAGES[*]} to ${registry} with tag ${version}".
 for img in "${OCI_IMAGES[@]}"; do
   image_variant="${img}${variant}"
+  oci_dir="ocidir://${ROOTDIR}oci/${image_variant}"
   image_to_push="${registry}/${img}:${version}"
-  docker tag "${image_variant}:latest-local" "${image_to_push}"
-  docker push "${image_to_push}"
+
+  regctl image import "${oci_dir}" "${image_variant}-image.tar"
+  regctl image copy "${oci_dir}" "${image_to_push}"
 done
@@ -34,3 +34,7 @@ tools/spire-plugingen/spire-plugingen
 # Runtime version manager specific configuration
 # asdf config file
 .tool-versions
+
+# oci artifacts
+*-image.tar
+oci/
@@ -1,37 +1,44 @@
 # Build stage
+# syntax = docker/dockerfile:1.4.2@sha256:443aab4ca21183e069e7d8b2dc68006594f40bddf1b15bbd83f5137bd93e80e2
 ARG goversion
-FROM golang:${goversion}-alpine as builder
+FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine as base
 WORKDIR /spire
+COPY go.* ./
+# https://go.dev/ref/mod#module-cache
+RUN --mount=type=cache,target=/go/pkg/mod go mod download
+COPY . .
+
+FROM base as builder
+ARG TARGETOS TARGETARCH
 RUN apk --no-cache --update add build-base git mercurial
-ADD go.* ./
-RUN go mod download
-ADD . .
-RUN make build
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    GOOS=$TARGETOS GOARCH=$TARGETARCH \
+    make build
 
 # Common base
-FROM alpine AS spire-base
+FROM --platform=${BUILDPLATFORM} alpine AS spire-base
 WORKDIR /opt/spire
-RUN mkdir -p /opt/spire/bin
 CMD []
 RUN apk --no-cache --update add dumb-init
 RUN apk --no-cache --update add ca-certificates
 
 # SPIRE Server
 FROM spire-base AS spire-server
 ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/spire-server", "run"]
-COPY --from=builder /spire/bin/spire-server bin/spire-server
+COPY --link --from=builder /spire/bin/spire-server bin/spire-server
 
 # SPIRE Agent
 FROM spire-base AS spire-agent
 ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/spire-agent", "run"]
-COPY --from=builder /spire/bin/spire-agent bin/spire-agent
+COPY --link --from=builder /spire/bin/spire-agent bin/spire-agent
 
 # K8S Workload Registrar
 FROM spire-base AS k8s-workload-registrar
 ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/k8s-workload-registrar"]
-COPY --from=builder /spire/bin/k8s-workload-registrar bin/k8s-workload-registrar
+COPY --link --from=builder /spire/bin/k8s-workload-registrar bin/k8s-workload-registrar
 
 # OIDC Discovery Provider
 FROM spire-base AS oidc-discovery-provider
 ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/oidc-discovery-provider"]
-COPY --from=builder /spire/bin/oidc-discovery-provider bin/oidc-discovery-provider
+COPY --link --from=builder /spire/bin/oidc-discovery-provider bin/oidc-discovery-provider