diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 2805d095b..971f20932 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -68,7 +68,7 @@ jobs: uses: actions/checkout@v4 - name: Build docker image - run: make ci-go-build image-quick tag-latest + run: make ci-go-build ci-go-build-linux-static image-quick tag-latest - name: Setup kind/istio run: | @@ -97,7 +97,7 @@ jobs: uses: actions/checkout@v4 - name: Build docker image - run: make ci-go-build image-quick tag-latest + run: make ci-go-build ci-go-build-linux-static image-quick tag-latest - name: Build testsrv docker image run: make testsrv-image diff --git a/.gitignore b/.gitignore index 714c1e2d7..89280165e 100644 --- a/.gitignore +++ b/.gitignore @@ -10,6 +10,7 @@ opa_* _release site.tar.gz *.bak +.go/ # runtime artifacts policies diff --git a/Dockerfile b/Dockerfile index c8bb0ae96..fb6cdca41 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,18 +6,23 @@ ARG BASE FROM ${BASE} +LABEL org.opencontainers.image.authors="Ashutosh Narkar " + # Any non-zero number will do, and unfortunately a named user will not, as k8s # pod securityContext runAsNonRoot can't resolve the user ID: # https://github.com/kubernetes/kubernetes/issues/40958. ARG USER=1000:1000 USER ${USER} -MAINTAINER Ashutosh Narkar - -WORKDIR /app +# TARGETOS and TARGETARCH are automatic platform args injected by BuildKit +# https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope +ARG TARGETOS +ARG TARGETARCH +# VARIANT is used to specify the build variant of the image, e.g. static or dynamic +ARG VARIANT -COPY opa_envoy_linux_GOARCH /app +COPY opa_envoy_${TARGETOS}_${TARGETARCH}_${VARIANT} /opa -ENTRYPOINT ["./opa_envoy_linux_GOARCH"] +ENTRYPOINT ["/opa"] CMD ["run"] diff --git a/Makefile b/Makefile index 3bb9405d0..e4324ca4e 100644 --- a/Makefile +++ b/Makefile @@ -8,21 +8,30 @@ VERSION_ISTIO := $(VERSION_OPA)-istio$(shell ./build/get-plugin-rev.sh) PACKAGES := $(shell go list ./.../ | grep -v 'vendor') +DOCKER := docker + +DOCKER_UID ?= 0 +DOCKER_GID ?= 0 CGO_ENABLED ?= 1 WASM_ENABLED ?= 1 +GOARCH ?= $(shell go env GOARCH) # GOPROXY=off: Don't pull anything off the network # see https://github.com/thepudds/go-module-knobs/blob/master/README.md -GO := CGO_ENABLED=$(CGO_ENABLED) GO111MODULE=on GOFLAGS=-mod=vendor GOPROXY=off go +GO := CGO_ENABLED=$(CGO_ENABLED) GOARCH=$(GOARCH) GO111MODULE=on GOFLAGS=-mod=vendor GOPROXY=off go GOVERSION := $(shell cat ./.go-version) -GOARCH := $(shell go env GOARCH) GOOS := $(shell go env GOOS) DISABLE_CGO := CGO_ENABLED=0 -BIN := opa_envoy_$(GOOS)_$(GOARCH) +VARIANT := dynamic +ifeq ($(CGO_ENABLED),0) + VARIANT = static +endif + +BIN := opa_envoy_$(GOOS)_$(GOARCH)_$(VARIANT) -REPOSITORY := openpolicyagent +REPOSITORY ?= openpolicyagent IMAGE := $(REPOSITORY)/opa GO_TAGS := -tags= @@ -49,10 +58,12 @@ LDFLAGS := "-X github.com/open-policy-agent/opa/version.Version=$(VERSION) \ -X github.com/open-policy-agent/opa/version.Timestamp=$(BUILD_TIMESTAMP) \ -X github.com/open-policy-agent/opa/version.Hostname=$(BUILD_HOSTNAME)" -.PHONY: all build build-darwin build-linux build-linux-static build-windows clean check check-fmt check-vet check-lint \ - deploy-ci docker-login generate image image-quick image-static image-quick-static \ - push push-static push-latest push-latest-static tag-latest \ - tag-latest-static test test-cluster test-e2e version +# BuildKit is required for automatic platform arg injection (see Dockerfile) +export DOCKER_BUILDKIT := 1 + +# Supported platforms to include in image manifest lists +DOCKER_PLATFORMS := linux/amd64 +DOCKER_PLATFORMS_STATIC := linux/amd64,linux/arm64 ###################################################### # @@ -60,103 +71,143 @@ LDFLAGS := "-X github.com/open-policy-agent/opa/version.Version=$(VERSION) \ # ###################################################### +.PHONY: all all: build test check +.PHONY: version version: @echo $(VERSION) +.PHONY: generate generate: $(GO) generate ./... +.PHONY: build build: generate $(GO) build $(GO_TAGS) -o $(BIN) -ldflags $(LDFLAGS) ./cmd/opa-envoy-plugin/... +.PHONY: build-darwin build-darwin: @$(MAKE) build GOOS=darwin -build-linux: +.PHONY: build-linux +build-linux: ensure-release-dir ensure-linux-toolchain @$(MAKE) build GOOS=linux -build-linux-static: +.PHONY: build-linux-static +build-linux-static: ensure-release-dir ensure-linux-toolchain @$(MAKE) build GOOS=linux WASM_ENABLED=0 CGO_ENABLED=0 +.PHONY: ci-build-linux +ci-build-linux: + $(MAKE) ci-go-build-linux GOARCH=arm64 + $(MAKE) ci-go-build-linux GOARCH=amd64 + +.PHONY: ci-build-linux-static +ci-build-linux-static: + $(MAKE) ci-go-build-linux-static GOARCH=arm64 + $(MAKE) ci-go-build-linux-static GOARCH=amd64 + +.PHONY: build-windows build-windows: @$(MAKE) build GOOS=windows +.PHONY: image image: @$(MAKE) ci-go-build-linux @$(MAKE) image-quick -image-static: - CGO_ENABLED=0 WASM_ENABLED=0 $(MAKE) ci-go-build-linux-static - @$(MAKE) image-quick-static - -image-quick: - sed -e 's/GOARCH/$(GOARCH)/g' Dockerfile > .Dockerfile_$(GOARCH) - docker build -t $(IMAGE):$(VERSION) --build-arg BASE=chainguard/glibc-dynamic -f .Dockerfile_$(GOARCH) . - docker tag $(IMAGE):$(VERSION) $(IMAGE):$(VERSION_ISTIO) - -image-quick-static: - sed -e 's/GOARCH/$(GOARCH)/g' Dockerfile > .Dockerfile_$(GOARCH) - docker build -t $(IMAGE):$(VERSION)-static --build-arg BASE=chainguard/static:latest -f .Dockerfile_$(GOARCH) . - docker tag $(IMAGE):$(VERSION)-static $(IMAGE):$(VERSION_ISTIO)-static - -push: - docker push $(IMAGE):$(VERSION) - docker push $(IMAGE):$(VERSION_ISTIO) - -push-static: - docker push $(IMAGE):$(VERSION)-static - docker push $(IMAGE):$(VERSION_ISTIO)-static - -tag-latest: - docker tag $(IMAGE):$(VERSION) $(IMAGE):latest-envoy - docker tag $(IMAGE):$(VERSION) $(IMAGE):latest-istio - -tag-latest-static: - docker tag $(IMAGE):$(VERSION)-static $(IMAGE):latest-envoy-static - docker tag $(IMAGE):$(VERSION)-static $(IMAGE):latest-istio-static - -push-latest: - docker push $(IMAGE):latest-envoy - docker push $(IMAGE):latest-istio - -push-latest-static: - docker push $(IMAGE):latest-envoy-static - docker push $(IMAGE):latest-istio-static - +.PHONY: start-builder +start-builder: + @./build/buildx_workaround.sh + +.PHONY: image-quick +image-quick: image-quick-$(GOARCH) + +.PHONY: image-quick-% +image-quick-%: +ifneq ($(GOARCH),arm64) # build only static images for arm64 + $(DOCKER) build \ + --platform=linux/$(GOARCH) \ + -t $(IMAGE):$(VERSION) \ + --build-arg BASE=chainguard/glibc-dynamic:latest \ + --build-arg VARIANT=dynamic \ + -f Dockerfile \ + . +endif + $(DOCKER) build \ + --platform=linux/$(GOARCH) \ + -t $(IMAGE):$(VERSION)-static \ + --build-arg BASE=chainguard/static:latest \ + --build-arg VARIANT=static \ + -f Dockerfile \ + . + +.PHONY: push-manifest-list-% +push-manifest-list-%: + $(DOCKER) buildx build \ + --platform=$(DOCKER_PLATFORMS) \ + --push \ + -t $(IMAGE):$* \ + --build-arg BASE=chainguard/glibc-dynamic:latest \ + --build-arg VARIANT=dynamic \ + -f Dockerfile \ + . + + $(DOCKER) buildx build \ + --platform=$(DOCKER_PLATFORMS_STATIC) \ + --push \ + -t $(IMAGE):$*-static \ + --build-arg BASE=chainguard/static:latest \ + --build-arg VARIANT=static \ + -f Dockerfile \ + . + +.PHONY: docker-login docker-login: @echo "Docker Login..." - @echo ${DOCKER_PASSWORD} | docker login -u ${DOCKER_USER} --password-stdin + @echo ${DOCKER_PASSWORD} | $(DOCKER) login -u ${DOCKER_USER} --password-stdin + +.PHONY: push-image +push-image: docker-login push-manifest-list-$(VERSION) -deploy-ci: docker-login image image-static push tag-latest push-latest \ - push-static tag-latest-static push-latest-static +.PHONY: deploy-ci +deploy-ci: ensure-release-dir start-builder ci-build-linux ci-build-linux-static push-manifest-list-latest push-manifest-list-latest-istio push-manifest-list-latest-envoy push-manifest-list-$(VERSION) push-manifest-list-$(VERSION_ISTIO) +.PHONY: test test: generate $(DISABLE_CGO) $(GO) test -v -bench=. $(PACKAGES) +.PHONY: test-e2e test-e2e: bats -t test/bats/test.bats +.PHONY: test-cluster test-cluster: @./build/install-istio-with-kind.sh +.PHONY: clean clean: rm -f .Dockerfile_* rm -f opa_*_* rm -f *.so +.PHONY: check check: check-fmt check-vet check-lint +.PHONY: check-fmt check-fmt: ./build/check-fmt.sh +.PHONY: check-vet check-vet: ./build/check-vet.sh +.PHONY: check-lint check-lint: ./build/check-lint.sh +.PHONY: generatepb generatepb: protoc --proto_path=test/files \ --descriptor_set_out=test/files/combined.pb \ @@ -164,49 +215,67 @@ generatepb: test/files/example/Example.proto \ test/files/book/Book.proto -CI_GOLANG_DOCKER_MAKE := docker run \ +CI_GOLANG_DOCKER_MAKE := $(DOCKER) run \ $(DOCKER_FLAGS) \ - -u $(shell id -u):$(shell id -g) \ + -u $(DOCKER_UID):$(DOCKER_GID) \ -v $(PWD):/src \ -w /src \ -e GOCACHE=/src/.go/cache \ -e CGO_ENABLED=$(CGO_ENABLED) \ -e WASM_ENABLED=$(WASM_ENABLED) \ -e TELEMETRY_URL=$(TELEMETRY_URL) \ + -e GOARCH=$(GOARCH) \ golang:$(GOVERSION) \ - make + make + +.PHONY: ensure-linux-toolchain +ensure-linux-toolchain: +ifeq ($(CGO_ENABLED),1) + $(eval export CC = $(shell GOARCH=$(GOARCH) build/ensure-linux-toolchain.sh)) +else + @echo "CGO_ENABLED=$(CGO_ENABLED). No need to check gcc toolchain." +endif .PHONY: ci-go-% ci-go-%: $(CI_GOLANG_DOCKER_MAKE) "$*" +.PHONY: tag-latest +tag-latest: + docker tag $(IMAGE):$(VERSION) $(IMAGE):latest-envoy + docker tag $(IMAGE):$(VERSION) $(IMAGE):latest-istio + +.PHONY: tag-latest-static +tag-latest-static: + docker tag $(IMAGE):$(VERSION)-static $(IMAGE):latest-envoy-static + docker tag $(IMAGE):$(VERSION)-static $(IMAGE):latest-istio-static + .PHONY: release release: - docker run $(DOCKER_FLAGS) \ + $(DOCKER) run $(DOCKER_FLAGS) \ -v $(PWD)/$(RELEASE_DIR):/$(RELEASE_DIR) \ -v $(PWD):/_src \ $(RELEASE_BUILD_IMAGE) \ /_src/build/build-release.sh --version=$(VERSION) --output-dir=/$(RELEASE_DIR) --source-url=/_src +.PHONY: release-build-linux-% +release-build-linux-%: ensure-release-dir + @$(MAKE) build GOOS=linux CGO_ENABLED=0 WASM_ENABLED=0 GOARCH=$* + mv opa_envoy_linux_$*_static $(RELEASE_DIR)/opa_envoy_linux_$* -.PHONY: release-build-linux -release-build-linux: ensure-release-dir - @$(MAKE) build GOOS=linux CGO_ENABLED=0 WASM_ENABLED=0 - mv opa_envoy_linux_$(GOARCH) $(RELEASE_DIR)/ - -.PHONY: release-build-darwin -release-build-darwin: ensure-release-dir - @$(MAKE) build GOOS=darwin CGO_ENABLED=0 WASM_ENABLED=0 - mv opa_envoy_darwin_$(GOARCH) $(RELEASE_DIR)/ +.PHONY: release-build-darwin-% +release-build-darwin-%: ensure-release-dir + @$(MAKE) build GOOS=darwin CGO_ENABLED=0 WASM_ENABLED=0 GOARCH=$* + mv opa_envoy_darwin_$*_static $(RELEASE_DIR)/opa_envoy_darwin_$* .PHONY: release-build-windows release-build-windows: ensure-release-dir @$(MAKE) build GOOS=windows CGO_ENABLED=0 WASM_ENABLED=0 - mv opa_envoy_windows_$(GOARCH) $(RELEASE_DIR)/opa_envoy_windows_$(GOARCH).exe + mv opa_envoy_windows_$(GOARCH)_static $(RELEASE_DIR)/opa_envoy_windows_$(GOARCH).exe .PHONY: ensure-release-dir ensure-release-dir: mkdir -p $(RELEASE_DIR) .PHONY: build-all-platforms -build-all-platforms: release-build-linux release-build-darwin release-build-windows +build-all-platforms: release-build-linux-amd64 release-build-darwin-amd64 release-build-windows release-build-linux-arm64 release-build-darwin-arm64 diff --git a/build/ensure-linux-toolchain.sh b/build/ensure-linux-toolchain.sh new file mode 100755 index 000000000..9f1c2ad47 --- /dev/null +++ b/build/ensure-linux-toolchain.sh @@ -0,0 +1,52 @@ +#!/usr/bin/env bash +set -eo pipefail + +case "$(uname -m | tr '[:upper:]' '[:lower:]')" in + amd64 | x86_64 | x64) + HOST_ARCH=amd64 + ;; + arm64 | aarch64) + HOST_ARCH=arm64 + ;; + *) + echo "Error: Host architecture not supported." >&2 + exit 1 + ;; +esac + +# Native build +if [ "${GOARCH}" = "${HOST_ARCH}" ]; then + if ! [ -x "$(command -v gcc)" ]; then + echo "Error: gcc not found." >&2 + exit 1 + fi + exit 0 +fi + +# Cross-compile +case "${GOARCH}" in + amd64) + PKG=gcc-x86-64-linux-gnu + CC=x86_64-linux-gnu-gcc + ;; + arm64) + PKG=gcc-aarch64-linux-gnu + CC=aarch64-linux-gnu-gcc + ;; + *) + echo "Error: Target architecture ${GOARCH} not supported." >&2 + exit 1 + ;; +esac + +type -f ${CC} 2>/dev/null && exit 0 + +if ! [ -x "$(command -v apt-get)" ]; then + echo "Error: apt-get not found. Could not install missing toolchain." >&2 + exit 1 +fi + +apt-get update >/dev/null && \ + apt-get install -y ${PKG} >/dev/null + +echo ${CC} \ No newline at end of file diff --git a/build/get-plugin-rev.sh b/build/get-plugin-rev.sh index f02499c7e..95c989603 100755 --- a/build/get-plugin-rev.sh +++ b/build/get-plugin-rev.sh @@ -1,6 +1,9 @@ #!/usr/bin/env bash # Script to get number of commits from the last OPA revendoring +# trust our mounted directory +git config --global --add safe.directory /src + LINE=$(git grep -n "github.com/open-policy-agent/opa " go.mod | awk -F: '{ print $2 }') GIT_SHA=$(git log -n 1 --pretty=format:%H -L $LINE,$LINE:go.mod | head -1) COMMITS=$(git rev-list $GIT_SHA..HEAD --count)