Add support for arm64 docker builds

peterbogdan · Jul 7, 2024 · 36e38f5 · 36e38f5
1 parent e0746dc
commit 36e38f5
Show file tree

Hide file tree

Showing 6 changed files with 193 additions and 35 deletions.
diff --git a/.github/actions/build/docker/action.yml b/.github/actions/build/docker/action.yml
@@ -13,9 +13,6 @@ inputs:
   commit_sha:
     required: true
     description: Define the SHA1 git commit hash
-  docker_tag:
-    required: true
-    description: Define the Docker tag
   docker_hub_org:
     required: true
     description: Pass DockerHub org to action
@@ -54,13 +51,29 @@ runs:
         osctrl-${{ inputs.osctrl_component }}-${{ inputs.commit_sha }}-${{ inputs.go_os }}-${{ inputs.go_arch }}.bin \
         osctrl-${{ inputs.osctrl_component }}-${{ inputs.go_os }}-${{ inputs.go_arch }}.bin
 
+    ########################### Add meta data for containers ###########################
+    - name: Docker meta
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ inputs.docker_hub_org }}/osctrl-${{ inputs.osctrl_component }}
+        labels: |
+          org.opencontainers.image.title=osctrl-${{ inputs.osctrl_component }}
+        tags: |
+            type=sha,prefix=,format=short
+            type=match,pattern=v(.*),group=1
+
     ########################### Log into Dockerhub ###########################
     - name: Login to Docker Hub
       uses: docker/[email protected]
       with:
         username: ${{ inputs.docker_hub_username }}
         password: ${{ inputs.docker_hub_access_token }}
 
+    # ########################### Setup QEMU ###########################
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
     ########################### Setup Docker ###########################
     - name: Set up Docker Buildx
       uses: docker/[email protected]
@@ -73,8 +86,27 @@ runs:
         context: .
         file: ./deploy/cicd/docker/Dockerfile-osctrl-${{ inputs.osctrl_component }}
         push: true
-        tags: ${{ inputs.docker_hub_org }}/osctrl-${{ inputs.osctrl_component }}:${{ inputs.docker_tag }}
+        labels: ${{ steps.meta.outputs.labels }}
+        platforms: "${{ inputs.go_os }}/${{ inputs.go_arch  }}"
+        outputs: type=image,name=${{ inputs.docker_hub_org }}/osctrl-${{ inputs.osctrl_component }},push-by-digest=true,name-canonical=true,push=true
         build-args: |
           COMPONENT=${{ inputs.osctrl_component }}
           GOOS=${{ inputs.go_os }}
           GOARCH=${{ inputs.go_arch }}
+
+    ########################### Export image digest to tmp ###########################
+    - name: Export digest
+      shell: bash
+      run: |
+        mkdir -p /tmp/digests
+        digest="${{ steps.docker_build.outputs.digest }}"
+        touch "/tmp/digests/${digest#sha256:}"
+
+    ########################### Upload digest ###########################
+    - name: Upload digest
+      uses: actions/upload-artifact@v3
+      with:
+        name: digests-osctrl-${{ inputs.osctrl_component }}
+        path: /tmp/digests/*
+        if-no-files-found: error
+        retention-days: 1
diff --git a/.github/actions/build/dpkg/action.yml b/.github/actions/build/dpkg/action.yml
@@ -74,7 +74,7 @@ runs:
       if: startsWith(github.ref, 'refs/tags/')
       with:
         name: osctrl-${{ inputs.osctrl_component }}_${{ inputs.release_version_tag }}-${{ inputs.commit_sha }}_${{ inputs.go_arch }}.deb
-        path: osctrl-${{ inputs.osctrl_component }}_${{ inputs.release_version_tag }}-${{ inputs.commit_sha }}_${{ inputs.go_arch }}.deb
+        path: osctrl-${{ inputs.osctrl_component }}_${{ inputs.commit_sha }}_${{ inputs.go_arch }}.deb
         retention-days: 10
 
     - name: Upload osctrl DEBs

diff --git a/.github/actions/tagged_release/docker/codesign/action.yml b/.github/actions/tagged_release/docker/codesign/action.yml
@@ -4,10 +4,10 @@ inputs:
   osctrl_component:
     required: true
     description: Define the osctrl component to compile
-  docker_tag:
+  docker_tags:
     required: true
     description: Define the Docker tag
-  docker_image_digest:
+  docker_image_digests:
     required: true
     description: Dockerhub image digest
   docker_hub_org:
@@ -58,16 +58,28 @@ runs:
       env:
         COSIGN_PASSWORD: "${{ inputs.codesign_password }}"
       run: |
-        IMAGE_NAME="${{ inputs.docker_hub_org }}/osctrl-${{ inputs.osctrl_component }}:${{ inputs.docker_tag }}"
         echo "${{ inputs.codesign_private_key }}" > cosign.key
-        cosign sign --key cosign.key docker.io/$IMAGE_NAME@${{ inputs.docker_image_digest }}
+        for tag in ${{ inputs.docker_tags }}
+        do
+          IMAGE_NAME="${{ inputs.docker_hub_org }}/osctrl-${{ inputs.osctrl_component }}:$tag"
+          for digest in ${{ inputs.docker_image_digest }}
+          do
+            cosign sign --key cosign.key docker.io/$IMAGE_NAME@sha256:$digest
+          done
+        done
         rm -f cosign.key
 
     ########################### Verify signed image using cosign ###########################
     - name: Verify the signed published Docker image
       shell: bash
       run: |
-        IMAGE_NAME="${{ inputs.docker_hub_org }}/osctrl-${{ inputs.osctrl_component }}:${{ inputs.docker_tag }}"
         echo "${{ inputs.codesign_public_cert }}" > cosign.key
-        cosign verify --key cosign.key docker.io/$IMAGE_NAME@${{ inputs.docker_image_digest }}
+        for tag in ${{ inputs.docker_tags }}
+        do
+          IMAGE_NAME="${{ inputs.docker_hub_org }}/osctrl-${{ inputs.osctrl_component }}:$tag"
+          for digest in ${{ inputs.docker_image_digest }}
+          do
+            cosign verify --key cosign.key docker.io/$IMAGE_NAME@sha256:$digest
+          done
+        done
         rm -f cosign.key
diff --git a/.github/actions/tagged_release/github/action.yml b/.github/actions/tagged_release/github/action.yml
@@ -39,15 +39,15 @@ runs:
       shell: bash
       run: |
         cp \
-        osctrl-${{ inputs.osctrl_component }}-${{ inputs.go_os }}-${{ inputs.go_arch }}.bin \
+        osctrl-${{ inputs.osctrl_component }}-${{ inputs.commit_sha }}-${{ inputs.go_os }}-${{ inputs.go_arch }}.bin \
         osctrl-${{ inputs.osctrl_component }}-${{ inputs.release_version_tag }}-${{ inputs.go_os }}-${{ inputs.go_arch }}.bin
 
     - name: Copy windows binary
       if: ${{ inputs.go_os }} == 'windows'
       shell: bash
       run: |
         cp \
-        osctrl-${{ inputs.osctrl_component }}-${{ inputs.go_os }}-${{ inputs.go_arch }}.bin \
+        osctrl-${{ inputs.osctrl_component }}-${{ inputs.commit_sha }}-${{ inputs.go_os }}-${{ inputs.go_arch }}.bin \
         osctrl-${{ inputs.osctrl_component }}-${{ inputs.release_version_tag }}-${{ inputs.go_os }}-${{ inputs.go_arch }}.exe
 
     ########################### Download osctrl DEB package ###########################

diff --git a/.github/workflows/build_and_test_main_merge.yml b/.github/workflows/build_and_test_main_merge.yml
@@ -103,7 +103,7 @@ jobs:
       matrix:
         components: ['tls', 'admin', 'api', 'cli']
         goos: ['linux']
-        goarch: ['amd64']
+        goarch: ['amd64', 'arm64']
     steps:
       ########################### Checkout code ###########################
       - name: Checkout code
@@ -131,8 +131,58 @@ jobs:
           #### Build vars ####
           osctrl_component: ${{ matrix.components }}
           commit_sha: ${{ steps.vars.outputs.sha_short }}
-          docker_tag: ${{ steps.vars.outputs.sha_short }}
           #### Dockerhub creds ####
           docker_hub_org: ${{ secrets.DOCKER_HUB_ORG }}
           docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }}
           docker_hub_access_token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+
+  push_docker_images:
+      needs: [create_docker_images]
+      runs-on: ubuntu-22.04
+      strategy:
+        matrix:
+          components: ['tls', 'admin', 'api', 'cli']
+      steps:
+        ########################### Get digests from build ###########################
+        - name: Download digests
+          uses: actions/download-artifact@v3
+          with:
+            name: digests-osctrl-${{ matrix.components }}
+            path: /tmp/digests
+
+        ########################### Setup Docker ###########################
+        - name: Set up Docker Buildx
+          uses: docker/[email protected]
+
+        ########################### Add meta data for containers ###########################
+        - name: Docker meta
+          id: meta
+          uses: docker/metadata-action@v5
+          with:
+            images: ${{ secrets.DOCKER_HUB_ORG }}/osctrl-${{ matrix.components }}
+            labels: |
+              org.opencontainers.image.title=osctrl-${{ matrix.components }}
+            tags: |
+                type=sha,prefix=,format=short
+                type=match,pattern=v(.*),group=1
+
+
+        ########################### Log into Dockerhub ###########################
+        - name: Login to Docker Hub
+          uses: docker/[email protected]
+          with:
+            username: ${{ secrets.DOCKER_HUB_USERNAME }}
+            password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+        ########################### Create and push images ###########################
+        - name: Create manifest list and push
+          working-directory: /tmp/digests
+          run: |
+            docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+              $(printf '${{ secrets.DOCKER_HUB_ORG }}/osctrl-${{ matrix.components }}@sha256:%s ' *)
+
+        ########################### Inspect new image ###########################
+        - name: Inspect image
+          run: |
+            docker buildx imagetools inspect ${{ secrets.DOCKER_HUB_ORG }}/osctrl-${{ matrix.components }}:${{ steps.meta.outputs.version }}
diff --git a/.github/workflows/create_tagged_releases.yml b/.github/workflows/create_tagged_releases.yml
@@ -96,6 +96,7 @@ jobs:
           osctrl_component: ${{ matrix.components }}
           commit_sha: ${{ steps.vars.outputs.sha_short }}
           osquery_version: ${{ env.OSQUERY_VERSION }}
+          release_version_tag:  ${{ steps.vars.outputs.branch }}
 
   create_docker_images:
     needs: [build_and_test]
@@ -104,7 +105,7 @@ jobs:
       matrix:
         components: ['tls', 'admin', 'api', 'cli']
         goos: ['linux']
-        goarch: ['amd64']
+        goarch: ['amd64', 'arm64']
     steps:
       ########################### Checkout code ###########################
       - name: Checkout code
@@ -133,31 +134,95 @@ jobs:
           #### Build vars ####
           osctrl_component: ${{ matrix.components }}
           commit_sha: ${{ steps.vars.outputs.sha_short }}
-          docker_tag: ${{ steps.vars.outputs.RELEASE_VERSION }}
           #### Dockerhub creds ####
           docker_hub_org: ${{ secrets.DOCKER_HUB_ORG }}
           docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }}
           docker_hub_access_token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
-      ########################### Sign Docker images ###########################
-      - name: Sign osctrl Docker containers
-        uses: ./.github/actions/tagged_release/docker/codesign
-        with:
-          #### Docker vars ####
-          osctrl_component: ${{ matrix.components }}
-          docker_tag: ${{ steps.vars.outputs.RELEASE_VERSION }}
-          docker_image_digest: ${{ steps.build_docker_containers.outputs.docker_image_digest }}
-          #### Dockerhub creds ####
-          docker_hub_org: ${{ secrets.DOCKER_HUB_ORG }}
-          docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          docker_hub_access_token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
-          #### Codesign secrets ####
-          codesign_password: ${{ secrets.COSIGN_PASSWORD }}
-          codesign_private_key: ${{ secrets.COSIGN_PRIVATE }}
-          codesign_public_cert: ${{ secrets.COSIGN_PUBLIC }}
+
+  push_docker_images:
+      needs: [create_docker_images]
+      runs-on: ubuntu-22.04
+      strategy:
+        matrix:
+          components: ['tls', 'admin', 'api', 'cli']
+      steps:
+        ########################### Checkout code ###########################
+        - name: Checkout code
+          uses: actions/[email protected]
+          with:
+            fetch-depth: 2
+
+        ########################### Get digests from build ###########################
+        - name: Download digests
+          uses: actions/download-artifact@v3
+          with:
+            name: digests-osctrl-${{ matrix.components }}
+            path: /tmp/digests
+
+        ########################### Setup Docker ###########################
+        - name: Set up Docker Buildx
+          uses: docker/[email protected]
+
+        ########################### Add meta data for containers ###########################
+        - name: Docker meta
+          id: meta
+          uses: docker/metadata-action@v5
+          with:
+            images: ${{ secrets.DOCKER_HUB_ORG }}/osctrl-${{ matrix.components }}
+            labels: |
+              org.opencontainers.image.title=osctrl-${{ matrix.components }}
+            tags: |
+                type=sha,prefix=,format=short
+                type=match,pattern=v(.*),group=1
+
+
+        ########################### Log into Dockerhub ###########################
+        - name: Login to Docker Hub
+          uses: docker/[email protected]
+          with:
+            username: ${{ secrets.DOCKER_HUB_USERNAME }}
+            password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+        ########################### Create and push images ###########################
+        - name: Create manifest list and push
+          working-directory: /tmp/digests
+          run: |
+            docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+              $(printf '${{ secrets.DOCKER_HUB_ORG }}/osctrl-${{ matrix.components }}@sha256:%s ' *)
+
+        ########################### Generate image tags and digests ###########################
+        - name: Export digests and tags for cosign
+          id: docker_vars
+          working-directory: /tmp/digests
+          run: |
+              echo "digests=$(printf '%s ' *)" >> $GITHUB_OUTPUT
+              echo "tags=$(jq -cr '.tags | map(\"-t \" + .) | join(\" \")' <<< \"$DOCKER_METADATA_OUTPUT_JSON\")" >> $GITHUB_OUTPUT
+
+        ########################### Sign Docker images ###########################
+        - name: Sign osctrl Docker containers
+          uses: ./.github/actions/tagged_release/docker/codesign
+          with:
+            #### Docker vars ####
+            osctrl_component: ${{ matrix.components }}
+            docker_tags: ${{ steps.docker_vars.outputs.tags }}
+            docker_image_digests: ${{ steps.digests.outputs.digests }}
+            #### Dockerhub creds ####
+            docker_hub_org: ${{ secrets.DOCKER_HUB_ORG }}
+            docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }}
+            docker_hub_access_token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+            #### Codesign secrets ####
+            codesign_password: ${{ secrets.COSIGN_PASSWORD }}
+            codesign_private_key: ${{ secrets.COSIGN_PRIVATE }}
+            codesign_public_cert: ${{ secrets.COSIGN_PUBLIC }}
+
+        ########################### Inspect new image ###########################
+        - name: Inspect image
+          run: |
+            docker buildx imagetools inspect ${{ secrets.DOCKER_HUB_ORG }}/osctrl-${{ matrix.components }}:${{ steps.meta.outputs.version }}
 
   create_release:
-    needs: [build_and_test,create_deb_packages,create_docker_images]
+    needs: [build_and_test,create_deb_packages,push_docker_images]
     runs-on: ubuntu-22.04
     strategy:
       matrix:
@@ -184,7 +249,6 @@ jobs:
       ########################### Create release ###########################
       - name: Create a new release with binaries and packages
         uses: ./.github/actions/tagged_release/github
-        id: build_docker_containers
         with:
           go_os: "${{ matrix.goos }}"
           go_arch: "${{ matrix.goarch }}"