feat: migrate image building to buildx

.github/workflows/nightly-chart-and-image-publish.yaml

@@ -32,9 +32,7 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
     - name: Build docker image
-      run: make docker-build-all TAG=${{ env.TAG }} ORG=${{ env.PROD_ORG }}
-    - name: Push docker image
-      run: make docker-push-all TAG=${{ env.TAG }} ORG=${{ env.PROD_ORG }}
+      run: make docker-build-and-push TAG=${{ env.TAG }} ORG=${{ env.PROD_ORG }}
 
   publish-helm-chart-ghcr:
     name: Publish Helm chart to GHCR

.github/workflows/nightly-test-release.yaml

@@ -39,7 +39,6 @@ jobs:
     strategy:
       matrix:
         destination: [ghcr]
-        arch: [amd64, arm64]
         include:
         - destination: ghcr
           registry: ghcr.io
@@ -53,43 +52,10 @@ jobs:
       username: ${{ matrix.username }}
       registry: ${{ matrix.registry }}
       tag: t9.9.9-fake
-      arch: ${{ matrix.arch }}
       image: ${{ matrix.image }}
       secret_registry: ${{ matrix.secret_registry }}
     secrets: inherit
 
-  multiarch:
-    name: Publish multiarch image
-    needs: [build-push-services]
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      contents: read
-    strategy:
-      matrix:
-        destination: [ghcr]
-        include:
-        - destination: ghcr
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: GITHUB_TOKEN
-          image: GHCR_IMAGE
-          secret_registry: false
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4.1.7
-        with:
-          ref: ${{ env.RELEASE_TAG }}
-          fetch-depth: 0
-      - name: Docker login
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ matrix.secret_registry && secrets[matrix.registry] || matrix.registry }}
-          username: ${{ matrix.secret_registry && secrets[matrix.username] || matrix.username }}
-          password: ${{ secrets[matrix.password] }}
-      - name: Publish multiarch
-        run: CONTROLLER_IMG=${{ vars[matrix.image] }} TAG=${{ env.RELEASE_TAG }} make docker-push-manifest-rancher-turtles
-
   release:
     name: Create helm release
     needs: [build-push-services]

.github/workflows/release-workflow.yml

@@ -25,17 +25,11 @@ on:
         description: Destination registry for image push
         required: true
 
-
       tag:
         type: string
         description: Tag for the built image
         required: true
 
-      arch:
-        type: string
-        description: Architecture for the image
-        required: true
-
       org:
         type: string
         description: Organization part of the image name
@@ -62,7 +56,6 @@ jobs:
         id: image
         uses: ./.github/workflows/release_build
         with:
-          arch: ${{ inputs.arch }}
           tag: ${{ inputs.tag }}
           org: ${{ inputs.org }}
           registry: ${{ inputs.secret_registry && secrets[inputs.registry] || inputs.registry }}
@@ -85,24 +78,10 @@ jobs:
       - name: Sign image with cosign
         uses: ./.github/workflows/release_sign
         with:
-          image: ${{ format('{0}-{1}', vars[inputs.image], inputs.arch) }}
+          image: ${{ vars[inputs.image] }}
           digest: ${{ needs.build.outputs.digest }}
           identity: https://github.com/${{ inputs.org }}/turtles/.github/workflows/release-workflow.yml@${{ github.ref }}
           oids-issuer: https://token.actions.githubusercontent.com
           registry: ${{ inputs.secret_registry && secrets[inputs.registry] || inputs.registry }}
           username: ${{ inputs.secret_registry && secrets[inputs.username] || inputs.username }}
           password: ${{ secrets[inputs.password] }}
-
-  provenance:
-    needs: [sign, build]
-    permissions:
-      actions: read
-      id-token: write
-      packages: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
-    with:
-      digest: ${{ needs.build.outputs.digest }}
-      image: ${{ format('{0}-{1}', vars[inputs.image], inputs.arch) }}
-    secrets:
-      registry-username: ${{ inputs.secret_registry && secrets[inputs.username] || inputs.username }}
-      registry-password: ${{ secrets[inputs.password] }}

.github/workflows/release.yaml

@@ -17,7 +17,6 @@ jobs:
     strategy:
       matrix:
         destination: [ghcr, prod]
-        arch: [amd64, arm64]
         include:
         - destination: ghcr
           registry: ghcr.io
@@ -38,51 +37,13 @@ jobs:
       username: ${{ matrix.username }}
       registry: ${{ matrix.registry }}
       tag: ${{ github.ref_name }}
-      arch: ${{ matrix.arch }}
       image: ${{ matrix.image }}
       secret_registry: ${{ matrix.secret_registry }}
     secrets: inherit
 
-  multiarch:
-    name: Publish multiarch image
-    needs: [build-push-services]
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      contents: read
-    strategy:
-      matrix:
-        destination: [ghcr, prod]
-        include:
-        - destination: ghcr
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: GITHUB_TOKEN
-          image: GHCR_IMAGE
-          secret_registry: false
-        - destination: prod
-          registry: REGISTRY_ENDPOINT
-          username: REGISTRY_USERNAME
-          password: REGISTRY_PASSWORD
-          image: REGISTRY_IMAGE
-          secret_registry: true
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4.1.7
-        with:
-          fetch-depth: 0
-      - name: Docker login
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ matrix.secret_registry && secrets[matrix.registry] || matrix.registry }}
-          username: ${{ matrix.secret_registry && secrets[matrix.username] || matrix.username }}
-          password: ${{ secrets[matrix.password] }}
-      - name: Publish multiarch
-        run: CONTROLLER_IMG=${{ vars[matrix.image] }} TAG=${{ github.ref_name }} make docker-push-manifest-rancher-turtles
-
   release:
     name: Create helm release
-    needs: [multiarch]
+    needs: [build-push-services]
     runs-on: ubuntu-latest
     env:
       TAG: ${{ github.ref_name }}

.github/workflows/release_build/action.yaml

@@ -1,10 +1,6 @@
 name: "Build release"
 description: "Builds release image and pushes to the registry"
 inputs:
-  arch:
-    description: "Architecture of the built image"
-    required: true
-    type: string
   tag:
     description: "Image tag"
     type: string
@@ -47,12 +43,9 @@ runs:
         registry: ${{ inputs.registry }}
         username: ${{ inputs.username }}
         password: ${{ inputs.password }}
-    - name: Build docker image
-      shell: bash
-      run: make docker-build-${{ inputs.arch }} TAG=${{ inputs.tag }} REGISTRY=${{ inputs.registry }} ORG=${{ inputs.org }}
-    - name: Push docker image to registry
+    - name: Build & Push docker image
       shell: bash
-      run: make docker-push-${{ inputs.arch }} TAG=${{ inputs.tag }} REGISTRY=${{ inputs.registry }} ORG=${{ inputs.org }}
+      run: make docker-build-and-push TAG=${{ inputs.tag }} REGISTRY=${{ inputs.registry }} ORG=${{ inputs.org }}
     - name: Store image and digest
       shell: bash
       id: image_info

Dockerfile

@@ -17,9 +17,6 @@
 # Build the manager binary
 ARG builder_image
 
-# Build architecture
-ARG ARCH
-
 FROM ${builder_image} as builder
 WORKDIR /workspace
 
@@ -41,19 +38,18 @@ COPY ./ ./
 
 # Build
 ARG package=.
-ARG ARCH
 ARG ldflags
 
 # Do not force rebuild of up-to-date packages (do not use -a) and use the compiler cache folder
 RUN --mount=type=cache,target=/go/pkg/mod \
-    CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} \
+    CGO_ENABLED=0 GOOS=linux \
     go build -trimpath -ldflags "${ldflags} -extldflags '-static'" \
     -o manager ${package}
 
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot-${ARCH}
+FROM gcr.io/distroless/static:nonroot
 LABEL org.opencontainers.image.source=https://github.com/rancher/turtles
 WORKDIR /
 COPY --from=builder /workspace/manager .

Makefile

@@ -161,6 +161,8 @@ NOTES := $(abspath $(TOOLS_BIN_DIR)/$(NOTES_BIN))
 TAG ?= dev
 ARCH ?= $(shell go env GOARCH)
 ALL_ARCH = amd64 arm64
+TARGET_PLATFORMS := linux/amd64,linux/arm64
+MACHINE := rancher-turtles
 REGISTRY ?= ghcr.io
 ORG ?= rancher
 CONTROLLER_IMAGE_NAME ?= turtles
@@ -324,43 +326,40 @@ build: generate fmt vet ## Build manager binary.
 run: generate fmt vet ## Run a controller from your host.
 	go run ./main.go
 
+buildx-machine:
+	@docker buildx inspect $(MACHINE) || \
+		docker buildx create --name=$(MACHINE) --platform=$(TARGET_PLATFORMS)
+
 ## --------------------------------------
 ## Docker
 ## --------------------------------------
 
-.PHONY: docker-push
-docker-push: ## Push the docker images
-	docker push $(MANIFEST_IMG):$(TAG)
-
-.PHONY: docker-push-all
-docker-push-all: $(addprefix docker-push-,$(ALL_ARCH))  ## Push all the architecture docker images
-	$(MAKE) docker-push-manifest-rancher-turtles
-
-docker-push-%:
-	$(MAKE) ARCH=$* docker-push
-
-.PHONY: docker-push-manifest-rancher-turtles
-docker-push-manifest-rancher-turtles: ## Push the multiarch manifest for the rancher turtles docker images
-	## Minimum docker version 18.06.0 is required for creating and pushing manifest images.
-	docker manifest create --amend $(CONTROLLER_IMG):$(TAG) $(shell echo $(ALL_ARCH) | sed -e "s~[^ ]*~$(CONTROLLER_IMG)\-&:$(TAG)~g")
-	@for arch in $(ALL_ARCH); do docker manifest annotate --arch $${arch} ${CONTROLLER_IMG}:${TAG} ${CONTROLLER_IMG}-$${arch}:${TAG}; done
-	docker manifest push --purge $(CONTROLLER_IMG):$(TAG)
-
 .PHONY: docker-pull-prerequisites
 docker-pull-prerequisites:
 	docker pull docker.io/docker/dockerfile:1.4
 	docker pull $(GO_CONTAINER_IMAGE)
 	docker pull gcr.io/distroless/static:latest
 
-.PHONY: docker-build-all
-docker-build-all: $(addprefix docker-build-,$(ALL_ARCH)) ## Build docker images for all architectures
-
-docker-build-%:
-	$(MAKE) ARCH=$* docker-build
-
-.PHONY: docker-build
-docker-build: docker-pull-prerequisites ## Run docker-build-* targets for all providers
-	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=. --build-arg ldflags="$(LDFLAGS)" . -t $(MANIFEST_IMG):$(TAG)
+docker-build: buildx-machine docker-pull-prerequisites ## Build docker image for a specific architecture
+	# buildx does not support using local registry for multi-architecture images
+	DOCKER_BUILDKIT=1 BUILDX_BUILDER=$(MACHINE) docker buildx build \
+			--platform $(ARCH) \
+			--load \
+			--build-arg builder_image=$(GO_CONTAINER_IMAGE) \
+			--build-arg goproxy=$(GOPROXY) \
+			--build-arg package=. \
+			--build-arg ldflags="$(LDFLAGS)" . -t $(MANIFEST_IMG):$(TAG)
+
+.PHONY: docker-build-and-push
+docker-build-and-push: buildx-machine docker-pull-prerequisites ## Run docker-build-and-push targets for all architectures
+	DOCKER_BUILDKIT=1 BUILDX_BUILDER=$(MACHINE) docker buildx build \
+			--platform $(TARGET_PLATFORMS) \
+			--push \
+			--attest type=provenance \
+			--build-arg builder_image=$(GO_CONTAINER_IMAGE) \
+			--build-arg goproxy=$(GOPROXY) \
+			--build-arg package=. \
+			--build-arg ldflags="$(LDFLAGS)" . -t $(MANIFEST_IMG):$(TAG)
 
 docker-list-all:
 	@echo $(CONTROLLER_IMG):${TAG}