Enable arm builds for OPA envoy plugin

Signed-off-by: Tyler Schade <tyler.schade@solo.io>

.github/workflows/checks.yaml

@@ -68,7 +68,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Build docker image
-        run: make ci-go-build image-quick tag-latest
+        run: make ci-go-build ci-go-build-linux-static image-quick tag-latest
 
       - name: Setup kind/istio
         run: |
@@ -97,7 +97,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Build docker image
-        run: make ci-go-build image-quick tag-latest
+        run: make ci-go-build ci-go-build-linux-static image-quick tag-latest
 
       - name: Build testsrv docker image
         run: make testsrv-image

.gitignore

@@ -10,6 +10,7 @@ opa_*
 _release
 site.tar.gz
 *.bak
+.go/
 
 # runtime artifacts
 policies

Dockerfile

@@ -6,18 +6,23 @@ ARG BASE
 
 FROM ${BASE}
 
+LABEL org.opencontainers.image.authors="Ashutosh Narkar <anrkar4387@gmail.com>"
+
 # Any non-zero number will do, and unfortunately a named user will not, as k8s
 # pod securityContext runAsNonRoot can't resolve the user ID:
 # https://github.com/kubernetes/kubernetes/issues/40958.
 ARG USER=1000:1000
 USER ${USER}
 
-MAINTAINER Ashutosh Narkar  <anarkar4387@gmail.com>
-
-WORKDIR /app
+# TARGETOS and TARGETARCH are automatic platform args injected by BuildKit
+# https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope
+ARG TARGETOS
+ARG TARGETARCH
+# VARIANT is used to specify the build variant of the image, e.g. static or dynamic
+ARG VARIANT
 
-COPY opa_envoy_linux_GOARCH /app
+COPY opa_envoy_${TARGETOS}_${TARGETARCH}_${VARIANT} /opa
 
-ENTRYPOINT ["./opa_envoy_linux_GOARCH"]
+ENTRYPOINT ["/opa"]
 
 CMD ["run"]

Makefile

@@ -8,21 +8,30 @@ VERSION_ISTIO := $(VERSION_OPA)-istio$(shell ./build/get-plugin-rev.sh)
 
 PACKAGES := $(shell go list ./.../ | grep -v 'vendor')
 
+DOCKER := docker
+
+DOCKER_UID ?= 0
+DOCKER_GID ?= 0
 
 CGO_ENABLED ?= 1
 WASM_ENABLED ?= 1
+GOARCH ?= $(shell go env GOARCH)
 
 # GOPROXY=off: Don't pull anything off the network
 # see https://github.com/thepudds/go-module-knobs/blob/master/README.md
-GO := CGO_ENABLED=$(CGO_ENABLED) GO111MODULE=on GOFLAGS=-mod=vendor GOPROXY=off go
+GO := CGO_ENABLED=$(CGO_ENABLED) GOARCH=$(GOARCH) GO111MODULE=on GOFLAGS=-mod=vendor GOPROXY=off go
 GOVERSION := $(shell cat ./.go-version)
-GOARCH := $(shell go env GOARCH)
 GOOS := $(shell go env GOOS)
 DISABLE_CGO := CGO_ENABLED=0
 
-BIN := opa_envoy_$(GOOS)_$(GOARCH)
+VARIANT := dynamic
+ifeq ($(CGO_ENABLED),0)
+	VARIANT = static
+endif
+
+BIN := opa_envoy_$(GOOS)_$(GOARCH)_$(VARIANT)
 
-REPOSITORY := openpolicyagent
+REPOSITORY ?= openpolicyagent
 IMAGE := $(REPOSITORY)/opa
 
 GO_TAGS := -tags=
@@ -49,164 +58,224 @@ LDFLAGS := "-X github.com/open-policy-agent/opa/version.Version=$(VERSION) \
 	-X github.com/open-policy-agent/opa/version.Timestamp=$(BUILD_TIMESTAMP) \
 	-X github.com/open-policy-agent/opa/version.Hostname=$(BUILD_HOSTNAME)"
 
-.PHONY: all build build-darwin build-linux build-linux-static build-windows clean check check-fmt check-vet check-lint \
-    deploy-ci docker-login generate image image-quick image-static image-quick-static \
-    push push-static push-latest push-latest-static tag-latest \
-    tag-latest-static test test-cluster test-e2e version
+# BuildKit is required for automatic platform arg injection (see Dockerfile)
+export DOCKER_BUILDKIT := 1
+
+# Supported platforms to include in image manifest lists
+DOCKER_PLATFORMS := linux/amd64
+DOCKER_PLATFORMS_STATIC := linux/amd64,linux/arm64
 
 ######################################################
 #
 # Development targets
 #
 ######################################################
 
+.PHONY: all
 all: build test check
 
+.PHONY: version
 version:
 	@echo $(VERSION)
 
+.PHONY: generate
 generate:
 	$(GO) generate ./...
 
+.PHONY: build
 build: generate
 	$(GO) build $(GO_TAGS) -o $(BIN) -ldflags $(LDFLAGS) ./cmd/opa-envoy-plugin/...
 
+.PHONY: build-darwin
 build-darwin:
 	@$(MAKE) build GOOS=darwin
 
-build-linux:
+.PHONY: build-linux
+build-linux: ensure-release-dir ensure-linux-toolchain
 	@$(MAKE) build GOOS=linux
 
-build-linux-static:
+.PHONY: build-linux-static
+build-linux-static: ensure-release-dir ensure-linux-toolchain
 	@$(MAKE) build GOOS=linux WASM_ENABLED=0 CGO_ENABLED=0
 
+.PHONY: ci-build-linux
+ci-build-linux:
+	$(MAKE) ci-go-build-linux GOARCH=arm64
+	$(MAKE) ci-go-build-linux GOARCH=amd64
+
+.PHONY: ci-build-linux-static
+ci-build-linux-static:
+	$(MAKE) ci-go-build-linux-static GOARCH=arm64
+	$(MAKE) ci-go-build-linux-static GOARCH=amd64
+
+.PHONY: build-windows
 build-windows:
 	@$(MAKE) build GOOS=windows
 
+.PHONY: image
 image:
 	@$(MAKE) ci-go-build-linux
 	@$(MAKE) image-quick
 
-image-static:
-	CGO_ENABLED=0 WASM_ENABLED=0 $(MAKE) ci-go-build-linux-static
-	@$(MAKE) image-quick-static
-
-image-quick:
-	sed -e 's/GOARCH/$(GOARCH)/g' Dockerfile > .Dockerfile_$(GOARCH)
-	docker build -t $(IMAGE):$(VERSION) --build-arg BASE=chainguard/glibc-dynamic -f .Dockerfile_$(GOARCH) .
-	docker tag $(IMAGE):$(VERSION) $(IMAGE):$(VERSION_ISTIO)
-
-image-quick-static:
-	sed -e 's/GOARCH/$(GOARCH)/g' Dockerfile > .Dockerfile_$(GOARCH)
-	docker build -t $(IMAGE):$(VERSION)-static --build-arg BASE=chainguard/static:latest -f .Dockerfile_$(GOARCH) .
-	docker tag $(IMAGE):$(VERSION)-static $(IMAGE):$(VERSION_ISTIO)-static
-
-push:
-	docker push $(IMAGE):$(VERSION)
-	docker push $(IMAGE):$(VERSION_ISTIO)
-
-push-static:
-	docker push $(IMAGE):$(VERSION)-static
-	docker push $(IMAGE):$(VERSION_ISTIO)-static
-
-tag-latest:
-	docker tag $(IMAGE):$(VERSION) $(IMAGE):latest-envoy
-	docker tag $(IMAGE):$(VERSION) $(IMAGE):latest-istio
-
-tag-latest-static:
-	docker tag $(IMAGE):$(VERSION)-static $(IMAGE):latest-envoy-static
-	docker tag $(IMAGE):$(VERSION)-static $(IMAGE):latest-istio-static
-
-push-latest:
-	docker push $(IMAGE):latest-envoy
-	docker push $(IMAGE):latest-istio
-
-push-latest-static:
-	docker push $(IMAGE):latest-envoy-static
-	docker push $(IMAGE):latest-istio-static
-
+.PHONY: start-builder
+start-builder:
+	@./build/buildx_workaround.sh
+
+.PHONY: image-quick
+image-quick: image-quick-$(GOARCH)
+
+.PHONY: image-quick-%
+image-quick-%:
+ifneq ($(GOARCH),arm64) # build only static images for arm64
+	$(DOCKER) build \
+		--platform=linux/$(GOARCH) \
+		-t $(IMAGE):$(VERSION) \
+		--build-arg BASE=chainguard/glibc-dynamic:latest \
+		--build-arg VARIANT=dynamic \
+		-f Dockerfile \
+		.
+endif
+	$(DOCKER) build \
+		--platform=linux/$(GOARCH) \
+		-t $(IMAGE):$(VERSION)-static \
+		--build-arg BASE=chainguard/static:latest \
+		--build-arg VARIANT=static \
+		-f Dockerfile \
+		.
+
+.PHONY: push-manifest-list-%
+push-manifest-list-%:
+	$(DOCKER) buildx build \
+		--platform=$(DOCKER_PLATFORMS) \
+		--push \
+		-t $(IMAGE):$* \
+		--build-arg BASE=chainguard/glibc-dynamic:latest \
+		--build-arg VARIANT=dynamic \
+		-f Dockerfile \
+		.
+
+	$(DOCKER) buildx build \
+		--platform=$(DOCKER_PLATFORMS_STATIC) \
+		--push \
+		-t $(IMAGE):$*-static \
+		--build-arg BASE=chainguard/static:latest \
+		--build-arg VARIANT=static \
+		-f Dockerfile \
+		.
+
+.PHONY: docker-login
 docker-login:
 	@echo "Docker Login..."
-	@echo ${DOCKER_PASSWORD} | docker login -u ${DOCKER_USER} --password-stdin
+	@echo ${DOCKER_PASSWORD} | $(DOCKER) login -u ${DOCKER_USER} --password-stdin
+
+.PHONY: push-image
+push-image: docker-login push-manifest-list-$(VERSION)
 
-deploy-ci: docker-login image image-static push tag-latest push-latest \
-	push-static tag-latest-static push-latest-static
+.PHONY: deploy-ci
+deploy-ci: ensure-release-dir start-builder ci-build-linux ci-build-linux-static push-manifest-list-latest push-manifest-list-latest-istio push-manifest-list-latest-envoy push-manifest-list-$(VERSION) push-manifest-list-$(VERSION_ISTIO)
 
+.PHONY: test
 test: generate
 	$(DISABLE_CGO) $(GO) test -v -bench=. $(PACKAGES)
 
+.PHONY: test-e2e
 test-e2e:
 	bats -t test/bats/test.bats
 
+.PHONY: test-cluster
 test-cluster:
 	@./build/install-istio-with-kind.sh
 
+.PHONY: clean
 clean:
 	rm -f .Dockerfile_*
 	rm -f opa_*_*
 	rm -f *.so
 
+.PHONY: check
 check: check-fmt check-vet check-lint
 
+.PHONY: check-fmt
 check-fmt:
 	./build/check-fmt.sh
 
+.PHONY: check-vet
 check-vet:
 	./build/check-vet.sh
 
+.PHONY: check-lint
 check-lint:
 	./build/check-lint.sh
 
+.PHONY: generatepb
 generatepb:
 	protoc --proto_path=test/files \
 	  --descriptor_set_out=test/files/combined.pb \
 	  --include_imports \
 	  test/files/example/Example.proto \
 	  test/files/book/Book.proto
 
-CI_GOLANG_DOCKER_MAKE := docker run \
+CI_GOLANG_DOCKER_MAKE := $(DOCKER) run \
         $(DOCKER_FLAGS) \
-        -u $(shell id -u):$(shell id -g) \
+        -u $(DOCKER_UID):$(DOCKER_GID) \
         -v $(PWD):/src \
         -w /src \
         -e GOCACHE=/src/.go/cache \
         -e CGO_ENABLED=$(CGO_ENABLED) \
         -e WASM_ENABLED=$(WASM_ENABLED) \
         -e TELEMETRY_URL=$(TELEMETRY_URL) \
+		-e GOARCH=$(GOARCH) \
         golang:$(GOVERSION) \
-        make
+		make
+
+.PHONY: ensure-linux-toolchain
+ensure-linux-toolchain:
+ifeq ($(CGO_ENABLED),1)
+	$(eval export CC = $(shell GOARCH=$(GOARCH) build/ensure-linux-toolchain.sh))
+else
+	@echo "CGO_ENABLED=$(CGO_ENABLED). No need to check gcc toolchain."
+endif
 
 .PHONY: ci-go-%
 ci-go-%:
 	$(CI_GOLANG_DOCKER_MAKE) "$*"
 
+.PHONY: tag-latest
+tag-latest:
+	docker tag $(IMAGE):$(VERSION) $(IMAGE):latest-envoy
+	docker tag $(IMAGE):$(VERSION) $(IMAGE):latest-istio
+
+.PHONY: tag-latest-static
+tag-latest-static:
+	docker tag $(IMAGE):$(VERSION)-static $(IMAGE):latest-envoy-static
+	docker tag $(IMAGE):$(VERSION)-static $(IMAGE):latest-istio-static
+
 .PHONY: release
 release:
-	docker run $(DOCKER_FLAGS) \
+	$(DOCKER) run $(DOCKER_FLAGS) \
 		-v $(PWD)/$(RELEASE_DIR):/$(RELEASE_DIR) \
 		-v $(PWD):/_src \
 		$(RELEASE_BUILD_IMAGE) \
 		/_src/build/build-release.sh --version=$(VERSION) --output-dir=/$(RELEASE_DIR) --source-url=/_src
 
+.PHONY: release-build-linux-%
+release-build-linux-%: ensure-release-dir
+	@$(MAKE) build GOOS=linux CGO_ENABLED=0 WASM_ENABLED=0 GOARCH=$*
+	mv opa_envoy_linux_$*_static $(RELEASE_DIR)/opa_envoy_linux_$*
 
-.PHONY: release-build-linux
-release-build-linux: ensure-release-dir
-	@$(MAKE) build GOOS=linux CGO_ENABLED=0 WASM_ENABLED=0
-	mv opa_envoy_linux_$(GOARCH) $(RELEASE_DIR)/
-
-.PHONY: release-build-darwin
-release-build-darwin: ensure-release-dir
-	@$(MAKE) build GOOS=darwin CGO_ENABLED=0 WASM_ENABLED=0
-	mv opa_envoy_darwin_$(GOARCH) $(RELEASE_DIR)/
+.PHONY: release-build-darwin-%
+release-build-darwin-%: ensure-release-dir
+	@$(MAKE) build GOOS=darwin CGO_ENABLED=0 WASM_ENABLED=0 GOARCH=$*
+	mv opa_envoy_darwin_$*_static $(RELEASE_DIR)/opa_envoy_darwin_$*
 
 .PHONY: release-build-windows
 release-build-windows: ensure-release-dir
 	@$(MAKE) build GOOS=windows CGO_ENABLED=0 WASM_ENABLED=0
-	mv opa_envoy_windows_$(GOARCH) $(RELEASE_DIR)/opa_envoy_windows_$(GOARCH).exe
+	mv opa_envoy_windows_$(GOARCH)_static $(RELEASE_DIR)/opa_envoy_windows_$(GOARCH).exe
 
 .PHONY: ensure-release-dir
 ensure-release-dir:
 	mkdir -p $(RELEASE_DIR)
 
 .PHONY: build-all-platforms
-build-all-platforms: release-build-linux release-build-darwin release-build-windows
+build-all-platforms: release-build-linux-amd64 release-build-darwin-amd64 release-build-windows release-build-linux-arm64 release-build-darwin-arm64