[Feature] Provide multi-arch images for apiserver and security proxy (#4131)

* [Feature] Provide multi-arch image build and push for apiserver and security proxy

Signed-off-by: wei-chenglai <[email protected]>

* build on test and push only on master branch

* fix lint

---------

Signed-off-by: wei-chenglai <[email protected]>

Author: seanlaii

.github/workflows/image-release.yaml

@@ -52,27 +52,50 @@ jobs:
       run: go test ./pkg/... ./cmd/... -race -parallel 4
       working-directory: ${{env.working-directory}}
 
-    - name: Set up Docker
-      uses: docker/setup-docker-action@v4
-
-    - name: Build Docker Image - Apiserver
-      run: |
-        docker build -t kuberay/apiserver:${{ steps.vars.outputs.sha_short }} -f apiserver/Dockerfile .
-        docker save -o /tmp/apiserver.tar kuberay/apiserver:${{ steps.vars.outputs.sha_short }}
-
     - name: Log in to Quay.io
       uses: docker/login-action@v2
       with:
         registry: quay.io
         username: ${{ secrets.QUAY_USERNAME }}
         password: ${{ secrets.QUAY_ROBOT_TOKEN }}
 
-    - name: Push Apiserver to Quay.io
+    # Build apiserver binaries inside the gh runner vm directly and then copy the go binaries to docker images using the Dockerfile.buildx
+    - name: Build linux/amd64 apiserver go binary
+      env:
+        CGO_ENABLED: 0
+        GOOS: linux
+        GOARCH: amd64
+      run: |
+        CGO_ENABLED=$CGO_ENABLED GOOS=$GOOS GOARCH=$GOARCH go build -a -o kuberay-apiserver-$GOARCH cmd/main.go
+      working-directory: ${{env.working-directory}}
+
+    - name: Build linux/arm64 apiserver binary
+      env:
+        CGO_ENABLED: 0
+        GOOS: linux
+        GOARCH: arm64
       run: |
-        docker image tag kuberay/apiserver:${{ steps.vars.outputs.sha_short }} quay.io/kuberay/apiserver:${{ steps.vars.outputs.sha_short }};
-        docker push quay.io/kuberay/apiserver:${{ steps.vars.outputs.sha_short }};
-        docker image tag kuberay/apiserver:${{ steps.vars.outputs.sha_short }} quay.io/kuberay/apiserver:${{ env.tag }};
-        docker push quay.io/kuberay/apiserver:${{ env.tag }}
+        CGO_ENABLED=$CGO_ENABLED GOOS=$GOOS GOARCH=$GOARCH go build -a -o kuberay-apiserver-$GOARCH cmd/main.go
+      working-directory: ${{env.working-directory}}
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build MultiArch Image
+      uses: docker/build-push-action@v5
+      env:
+        PUSH: true
+        REPO_ORG: kuberay
+        REPO_NAME: apiserver
+      with:
+        platforms: linux/amd64,linux/arm64
+        context: .
+        file: ./apiserver/Dockerfile.buildx
+        push: ${{env.PUSH}}
+        provenance: false
+        tags: |
+          quay.io/${{env.REPO_ORG}}/${{env.REPO_NAME}}:${{ steps.vars.outputs.sha_short }}
+          quay.io/${{env.REPO_ORG}}/${{env.REPO_NAME}}:${{ env.tag }}
 
   release_operator_image:
     env:
@@ -122,14 +145,6 @@ jobs:
       run: make test
       working-directory: ${{env.working-directory}}
 
-    - name: Set up Docker
-      uses: docker/setup-docker-action@v4
-
-    - name: Build Docker Image - Operator
-      run: |
-        IMG=kuberay/operator:${{ steps.vars.outputs.sha_short }} make docker-image
-      working-directory: ${{env.working-directory}}
-
     - name: Log in to Quay.io
       uses: docker/login-action@v2
       with:
@@ -215,9 +230,6 @@ jobs:
       id: vars
       run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
 
-    - name: Set up Docker
-      uses: docker/setup-docker-action@v4
-
     - name: Log in to Quay.io
       uses: docker/login-action@v2
       with:
@@ -273,14 +285,6 @@ jobs:
       run: go mod download
       working-directory: ${{env.working-directory}}
 
-    - name: Set up Docker
-      uses: docker/setup-docker-action@v4
-
-    - name: Build Docker Image - Submitter
-      run: |
-        IMG=kuberay/submitter:${{ steps.vars.outputs.sha_short }} make docker-image-rayjob-submitter
-      working-directory: ${{env.working-directory}}
-
     - name: Log in to Quay.io
       uses: docker/login-action@v2
       with:

.github/workflows/test-job.yaml

@@ -97,13 +97,42 @@ jobs:
           password: ${{ secrets.QUAY_ROBOT_TOKEN }}
         if: contains(fromJson('["refs/heads/master"]'), github.ref)
 
-      - name: Push Apiserver to Quay.io
+      # Build apiserver binaries inside the gh runner vm directly and then copy the go binaries to docker images using the Dockerfile.buildx
+      - name: Build linux/amd64 apiserver go binary
+        env:
+          CGO_ENABLED: 0
+          GOOS: linux
+          GOARCH: amd64
         run: |
-          docker image tag kuberay/apiserver:${{ steps.vars.outputs.sha_short }} quay.io/kuberay/apiserver:${{ steps.vars.outputs.sha_short }};
-          docker push quay.io/kuberay/apiserver:${{ steps.vars.outputs.sha_short }};
-          docker image tag kuberay/apiserver:${{ steps.vars.outputs.sha_short }} quay.io/kuberay/apiserver:nightly;
-          docker push quay.io/kuberay/apiserver:nightly
-        if: contains(fromJson('["refs/heads/master"]'), github.ref)
+          CGO_ENABLED=$CGO_ENABLED GOOS=$GOOS GOARCH=$GOARCH go build -a -o kuberay-apiserver-$GOARCH cmd/main.go
+        working-directory: ${{env.working-directory}}
+
+      - name: Build linux/arm64 apiserver binary
+        env:
+          CGO_ENABLED: 0
+          GOOS: linux
+          GOARCH: arm64
+        run: |
+          CGO_ENABLED=$CGO_ENABLED GOOS=$GOOS GOARCH=$GOARCH go build -a -o kuberay-apiserver-$GOARCH cmd/main.go
+        working-directory: ${{env.working-directory}}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build MultiArch Docker Image and Push on Merge
+        uses: docker/build-push-action@v5
+        env:
+          REPO_ORG: kuberay
+          REPO_NAME: apiserver
+        with:
+          platforms: linux/amd64,linux/arm64
+          context: .
+          file: ./apiserver/Dockerfile.buildx
+          push: ${{ contains(fromJson('["refs/heads/master"]'), github.ref) }}
+          provenance: false
+          tags: |
+            quay.io/${{env.REPO_ORG}}/${{env.REPO_NAME}}:${{ steps.vars.outputs.sha_short }}
+            quay.io/${{env.REPO_ORG}}/${{env.REPO_NAME}}:nightly
 
   build_apiserversdk:
     env:
@@ -199,13 +228,42 @@ jobs:
           password: ${{ secrets.QUAY_ROBOT_TOKEN }}
         if: contains(fromJson('["refs/heads/master"]'), github.ref)
 
-      - name: Push security proxy to Quay.io
+      # Build security proxy binaries inside the gh runner vm directly and then copy the go binaries to docker images using the Dockerfile.buildx
+      - name: Build linux/amd64 security proxy go binary
+        env:
+          CGO_ENABLED: 0
+          GOOS: linux
+          GOARCH: amd64
         run: |
-          docker image tag kuberay/security-proxy:${{ steps.vars.outputs.sha_short }} quay.io/kuberay/security-proxy:${{ steps.vars.outputs.sha_short }};
-          docker push quay.io/kuberay/security-proxy:${{ steps.vars.outputs.sha_short }};
-          docker image tag kuberay/security-proxy:${{ steps.vars.outputs.sha_short }} quay.io/kuberay/security-proxy:nightly;
-          docker push quay.io/kuberay/security-proxy:nightly
-        if: contains(fromJson('["refs/heads/master"]'), github.ref)
+          CGO_ENABLED=$CGO_ENABLED GOOS=$GOOS GOARCH=$GOARCH go build -a -o security_proxy-$GOARCH cmd/main.go
+        working-directory: ${{env.working-directory}}
+
+      - name: Build linux/arm64 security proxy binary
+        env:
+          CGO_ENABLED: 0
+          GOOS: linux
+          GOARCH: arm64
+        run: |
+          CGO_ENABLED=$CGO_ENABLED GOOS=$GOOS GOARCH=$GOARCH go build -a -o security_proxy-$GOARCH cmd/main.go
+        working-directory: ${{env.working-directory}}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build MultiArch Docker Image and Push on Merge
+        uses: docker/build-push-action@v5
+        env:
+          REPO_ORG: kuberay
+          REPO_NAME: security-proxy
+        with:
+          platforms: linux/amd64,linux/arm64
+          context: .
+          file: ./experimental/Dockerfile.buildx
+          push: ${{ contains(fromJson('["refs/heads/master"]'), github.ref) }}
+          provenance: false
+          tags: |
+            quay.io/${{env.REPO_ORG}}/${{env.REPO_NAME}}:${{ steps.vars.outputs.sha_short }}
+            quay.io/${{env.REPO_ORG}}/${{env.REPO_NAME}}:nightly
 
   build_operator:
     env:

apiserver/DEVELOPMENT.md

@@ -156,6 +156,46 @@ Access the service at `localhost:8888` for http, and `localhost:8887` for the RP
 make docker-image
 ```
 
+#### Build Multi-Architecture Image
+
+The API server supports building multi-architecture images for `linux/amd64` and `linux/arm64` platforms. This is useful for deploying on ARM-based systems like Apple Silicon.
+
+**Prerequisites:**
+
+* Docker Buildx installed and configured
+
+**Build Process:**
+
+The multi-arch build follows a similar pattern to the ray-operator:
+
+**Build binaries for each architecture:**
+
+```bash
+# Build for amd64
+cd apiserver
+CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o kuberay-apiserver-amd64 cmd/main.go
+
+# Build for arm64
+CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -a -o kuberay-apiserver-arm64 cmd/main.go
+```
+
+**Build and push multi-arch image using Dockerfile.buildx:**
+
+```bash
+# From the project root directory
+docker buildx build --platform linux/amd64,linux/arm64 \
+  -t your-registry/apiserver:your-tag \
+  -f apiserver/Dockerfile.buildx \
+  --push .
+```
+
+**Note:**
+
+* The multi-arch image uses `apiserver/Dockerfile.buildx` which is optimized for copying pre-built binaries.
+* Since the API server is built with `CGO_ENABLED=0`, no cross-compilation tools (like gcc-aarch64-linux-gnu) are needed, making the build process simpler than the operator.
+* The build context must be the project root directory (`.`) because the `proto/` directory needs to be copied for serving swagger files at runtime.
+* Multi-arch images are automatically built and pushed to `quay.io/kuberay/apiserver:nightly` on merges to the `master` branch via the GitHub Actions workflow.
+
 #### Start Kubernetes Deployment
 
 Note that you should make your KubeRay API server image available by either pushing it to an image registry, such as DockerHub or Quay, or by loading the image into the Kubernetes cluster. If you are using a Kind cluster for development, you can run `make load-image` to load the newly built API server image into the Kind cluster.  The operator image will also be needed to be loaded on your cluster. If you want run secure API server, you can build security proxy using `make security-proxy-image` and load it to the cluster using `make load-security-proxy-image`

apiserver/Dockerfile.buildx

@@ -0,0 +1,8 @@
+FROM scratch
+ARG TARGETARCH
+WORKDIR /workspace
+COPY ./apiserver/kuberay-apiserver-${TARGETARCH} apiserver/kuberay-apiserver
+COPY proto/ proto/
+USER 65532:65532
+
+ENTRYPOINT ["/workspace/apiserver/kuberay-apiserver"]

apiserver/Makefile

@@ -188,6 +188,12 @@ docker-image: test ## Build image for the api server.
 docker-push: ## Push image for the api server.
 	$(ENGINE) push ${IMG}
 
+docker-multi-arch-build: test ## Build multi arch image, amd64 and arm64 currently.
+	$(ENGINE) buildx build --platform linux/amd64,linux/arm64 -t ${IMG} -f Dockerfile.buildx ..
+
+docker-multi-arch-push: test ## Build and Push multi arch image, amd64 and arm64 currently.
+	$(ENGINE) buildx build --push --platform linux/amd64,linux/arm64 -t ${IMG} -f Dockerfile.buildx ..
+
 ##@ Deployment
 .PHONY: install
 install: kustomize docker-image load-image  ## Install the kuberay api server without security to the K8s cluster specified in ~/.kube/config.

experimental/Dockerfile.buildx

@@ -0,0 +1,7 @@
+FROM scratch
+ARG TARGETARCH
+WORKDIR /workspace
+COPY ./experimental/security_proxy-${TARGETARCH} /usr/local/bin/security_proxy
+USER 65532:65532
+
+ENTRYPOINT ["/usr/local/bin/security_proxy"]

experimental/Makefile

@@ -70,6 +70,12 @@ docker-image: ## Build image for the security proxy.
 docker-push: ## Push image for the api server.
 	$(ENGINE) push ${IMG}
 
+docker-multi-arch-build: ## Build multi arch image, amd64 and arm64 currently.
+	$(ENGINE) buildx build --platform linux/amd64,linux/arm64 -t ${IMG} -f Dockerfile.buildx ..
+
+docker-multi-arch-push: ## Build and Push multi arch image, amd64 and arm64 currently.
+	$(ENGINE) buildx build --push --platform linux/amd64,linux/arm64 -t ${IMG} -f Dockerfile.buildx ..
+
 ##@ Development Tools Setup
 
 ## Location to install dependencies to

ray-operator/Makefile

@@ -125,8 +125,11 @@ docker-build: build docker-image ## Build image with the manager.
 docker-push: ## Push image with the manager.
 	${ENGINE} push ${IMG}
 
-docker-multi-arch-image: # Build and push multi arch image, amd64 and arm64 currently
-	${ENGINE} buildx build --push --platform linux/amd64,linux/arm64/v8 -t ${IMG} .
+docker-multi-arch-build: # Build multi arch image, amd64 and arm64 currently
+	${ENGINE} buildx build --platform linux/amd64,linux/arm64 -t ${IMG} .
+
+docker-multi-arch-push: ## Build and Push multi arch image, amd64 and arm64 currently
+	${ENGINE} buildx build --push --platform linux/amd64,linux/arm64 -t ${IMG} .
 
 docker-image-rayjob-submitter:
 	${ENGINE} build -t ${IMG} --target submitter .