Add CI for provider images (#19)

.github/workflows/release.yaml

@@ -0,0 +1,72 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+'
+
+jobs:
+  release:
+    permissions:
+      contents: write  # for release
+      packages: write # for publishing docker images
+    name: Release
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - name: Retrieve build information
+        id: build
+        run: |
+          VERSION="${GITHUB_REF#refs/tags/}"
+          echo "Releasing ${VERSION}"
+          echo "VERSION=${VERSION}" >> $GITHUB_ENV
+
+      - name: Log in to the Container registry
+        uses: docker/[email protected]
+        with:
+          registry: https://ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Build bootstrap provider image
+        run: make BOOTSTRAP_IMG_TAG=${{ env.VERSION }} docker-build-bootstrap
+
+      - name: Build controlplane provider image
+        run: make CONTROLPLANE_IMG_TAG=${{ env.VERSION }} docker-build-controlplane
+
+      - name: Publish bootstrap provider image
+        run: |
+          make BOOTSTRAP_IMG_TAG=${{ env.VERSION }} docker-push-bootstrap
+          make BOOTSTRAP_IMG_TAG=${{ env.VERSION }} docker-manifest-bootstrap
+
+      - name: Publish controlplane provider image
+        run: |
+          make CONTROLPLANE_IMG_TAG=${{ env.VERSION }} docker-push-controlplane
+          make CONTROLPLANE_IMG_TAG=${{ env.VERSION }} docker-manifest-controlplane
+
+      - name: Build manifests
+        run: |
+          make release
+          sed -i "s,ghcr.io/canonical/cluster-api-k8s/bootstrap-controller:latest,ghcr.io/canonical/cluster-api-k8s/bootstrap-controller:${{ env.VERSION }}," out/bootstrap-components.yaml
+          sed -i "s,ghcr.io/canonical/cluster-api-k8s/controlplane-controller:latest,ghcr.io/canonical/cluster-api-k8s/controlplane-controller:${{ env.VERSION }}," out/control-plane-components.yaml
+
+      - name: Create GitHub Release
+        uses: softprops/[email protected]
+        with:
+          name: 'Release ${{ env.VERSION }}'
+          tag_name: ${{ env.VERSION }}
+          files: |
+            out/bootstrap-components.yaml
+            out/control-plane-components.yaml
+            out/metadata.yaml
+          generate_release_notes: true
+          draft: ${{ contains(env.VERSION, 'rc') }}
+          prerelease: ${{ contains(env.VERSION, 'rc') }}

Dockerfile

@@ -0,0 +1,66 @@
+# syntax=docker/dockerfile:1.4
+
+# Copyright 2018 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Build the manager binary
+# Run this with docker build --build-arg builder_image=<golang:x.y.z>
+ARG builder_image
+
+# Build architecture
+ARG ARCH
+
+# Ignore Hadolint rule "Always tag the version of an image explicitly."
+# It's an invalid finding since the image is explicitly set in the Makefile.
+# https://github.com/hadolint/hadolint/wiki/DL3006
+# hadolint ignore=DL3006
+FROM ${builder_image} as builder
+WORKDIR /workspace
+
+# Run this with docker build --build-arg goproxy=$(go env GOPROXY) to override the goproxy
+ARG goproxy=off
+# Run this with docker build --build-arg package=./controlplane/kubeadm or --build-arg package=./bootstrap/kubeadm
+ENV GOPROXY=$goproxy
+
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+# Cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN --mount=type=cache,target=/go/pkg/mod \
+    go mod download
+
+# Copy the sources
+COPY ./ ./
+
+# Build
+ARG package=.
+ARG ARCH
+ARG ldflags
+
+# Do not force rebuild of up-to-date packages (do not use -a) and use the compiler cache folder
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} \
+    go build -trimpath -ldflags "${ldflags} -extldflags '-static'" \
+    -o manager ${package}
+
+# Production image
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/manager .
+# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
+USER 65532
+ENTRYPOINT ["/manager"]

Makefile

@@ -148,7 +148,8 @@ dev-controlplane:
 ##@ release:
 
 ## latest git tag for the commit, e.g., v0.3.10
-RELEASE_TAG ?= $(shell git describe --abbrev=0 --tags 2>/dev/null)
+## set to v0.0.0 if no tag is found
+RELEASE_TAG ?= $(shell git describe --abbrev=0 --tags 2>/dev/null || echo v0.0.0)
 ifneq (,$(findstring -,$(RELEASE_TAG)))
     PRE_RELEASE=true
 endif
@@ -236,13 +237,24 @@ generate-bootstrap-conversions: $(CONVERSION_GEN)
 		--output-base=./ \
 		--go-header-file=./hack/boilerplate.go.txt
 
-# Build the docker image
-docker-build-bootstrap: manager-bootstrap ## Build bootstrap
-	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg TARGETARCH=$(ARCH) --build-arg package=./bootstrap/main.go --build-arg ldflags="$(LDFLAGS)" . -t ${BOOTSTRAP_IMG}:${BOOTSTRAP_IMG_TAG}
-
-# Push the docker image
-docker-push-bootstrap: ## Push bootstrap
-	docker push ${BOOTSTRAP_IMG}:${BOOTSTRAP_IMG_TAG}
+.PHONY: docker-build-bootstrap
+docker-build-bootstrap-%:
+	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$* --build-arg package=./bootstrap/main.go --build-arg ldflags="$(LDFLAGS)" . -t ${BOOTSTRAP_IMG}:${BOOTSTRAP_IMG_TAG}-$*
+docker-build-bootstrap: manager-bootstrap docker-build-bootstrap-amd64 docker-build-bootstrap-arm64
+
+# Push the bootstrap multiarch image
+.PHONY: docker-push-bootstrap
+docker-push-bootstrap-%: docker-build-bootstrap-%
+	docker push ${BOOTSTRAP_IMG}:$(BOOTSTRAP_IMG_TAG)-$*
+docker-push-bootstrap: docker-push-bootstrap-amd64 docker-push-bootstrap-arm64
+
+.PHONY: docker-manifest-bootstrap
+docker-manifest-bootstrap: docker-push-bootstrap
+	docker manifest rm ${BOOTSTRAP_IMG}:$(BOOTSTRAP_IMG_TAG) || true
+	docker manifest create ${BOOTSTRAP_IMG}:$(BOOTSTRAP_IMG_TAG) --amend ${BOOTSTRAP_IMG}:$(BOOTSTRAP_IMG_TAG)-amd64 --amend ${BOOTSTRAP_IMG}:$(BOOTSTRAP_IMG_TAG)-arm64
+	docker manifest annotate ${BOOTSTRAP_IMG}:$(BOOTSTRAP_IMG_TAG) ${BOOTSTRAP_IMG}:$(BOOTSTRAP_IMG_TAG)-amd64 --arch=amd64
+	docker manifest annotate ${BOOTSTRAP_IMG}:$(BOOTSTRAP_IMG_TAG) ${BOOTSTRAP_IMG}:$(BOOTSTRAP_IMG_TAG)-arm64 --arch=arm64
+	docker manifest push ${BOOTSTRAP_IMG}:$(BOOTSTRAP_IMG_TAG)
 
 all-controlplane: manager-controlplane
 
@@ -309,11 +321,24 @@ generate-controlplane-conversions: $(CONVERSION_GEN)
 		--output-base=./ \
 		--go-header-file=./hack/boilerplate.go.txt
 
-docker-build-controlplane: manager-controlplane ## Build control-plane
-	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg TARGETARCH=$(ARCH) --build-arg package=./controlplane/main.go --build-arg ldflags="$(LDFLAGS)" . -t ${CONTROLPLANE_IMG}:$(CONTROLPLANE_IMG_TAG)
-
-docker-push-controlplane: ## Push control-plane
-	docker push ${CONTROLPLANE_IMG}:$(CONTROLPLANE_IMG_TAG)
+.PHONY: docker-build-controlplane
+docker-build-controlplane-%:
+	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$* --build-arg package=./controlplane/main.go --build-arg ldflags="$(LDFLAGS)" . -t ${CONTROLPLANE_IMG}:${CONTROLPLANE_IMG_TAG}-$*
+docker-build-controlplane: manager-controlplane docker-build-controlplane-amd64 docker-build-controlplane-arm64
+
+# Push the controlplane multiarch image
+.PHONY: docker-push-controlplane
+docker-push-controlplane-%: docker-build-controlplane-%
+	docker push ${CONTROLPLANE_IMG}:$(CONTROLPLANE_IMG_TAG)-$*
+docker-push-controlplane: docker-push-controlplane-amd64 docker-push-controlplane-arm64
+
+.PHONY: docker-manifest-controlplane
+docker-manifest-controlplane: docker-push-controlplane
+	docker manifest rm ${CONTROLPLANE_IMG}:$(CONTROLPLANE_IMG_TAG) || true
+	docker manifest create ${CONTROLPLANE_IMG}:$(CONTROLPLANE_IMG_TAG) --amend ${CONTROLPLANE_IMG}:$(CONTROLPLANE_IMG_TAG)-amd64 --amend ${CONTROLPLANE_IMG}:$(CONTROLPLANE_IMG_TAG)-arm64
+	docker manifest annotate ${CONTROLPLANE_IMG}:$(CONTROLPLANE_IMG_TAG) ${CONTROLPLANE_IMG}:$(CONTROLPLANE_IMG_TAG)-amd64 --arch=amd64
+	docker manifest annotate ${CONTROLPLANE_IMG}:$(CONTROLPLANE_IMG_TAG) ${CONTROLPLANE_IMG}:$(CONTROLPLANE_IMG_TAG)-arm64 --arch=arm64
+	docker manifest push ${CONTROLPLANE_IMG}:$(CONTROLPLANE_IMG_TAG)
 
 release: release-bootstrap release-controlplane
 	cp metadata.yaml $(RELEASE_DIR)/metadata.yaml