Enable multi-arch build for cilium-cli image

[marcofranssen]

This PR builds on top of #2842

It also includes the cilium-cli target to the build using multi-arch.

In the PR we levarage some buildx features like --cache and --link to improve the speed of builds for multi-arch.

Resolves #2780

[maintainer-s-little-helper]

Commits 42d8aa8, ed8ea68 do not match "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[aanm]

@michi-covalent @tklauser with the merge of cilium-cli into cilium/cilium it's becoming confusing to where contributors can submit their changes for cilium-cli.

[aanm]

Is this really necessary? It shouldn't be since we cross compile cilium without tonistiigi/xx as an example.

[marcofranssen]

This is required within Docker, to compile with CGO_ENABLED=0. Don't recall the exact reason, I think it was related to alpine based builds (muslc, vs glibc).

I also use some buildx features that allow caching and parallel builds for all the supported platforms to have a speedy and optimized build.

I contributed similar to the Spire project couple of years ago.

[marcofranssen]

In essence the tool does following and is basically a small little wrapper.

https://github.com/tonistiigi/xx?tab=readme-ov-file#go--cgo

It wraps the go command by setting some variables accordingly based on the buildx args.

Saves a lot of plumbing.

[michi-covalent]

re-requested review from andre. let's see what he says 🙏

[aanm]

We can still use the caches without using this dependency. Personally, I would prefer to not have any wrappers on official builds.

[marcofranssen]

this isn't related to the caching only. It is also to set the go flags accordingly for crosscompile based on the TARGETPLATFORM and TARGETARCH which is a buildx feature.

It is used here https://github.com/cilium/cilium-cli/pull/2782/files#diff-dd2c0eb6ea5cfc6c4bd4eac30934e2d5746747af48fef6da689e85b752f39557R19

Without that we would have to do all the plumbing for that in the RUN statement. I'm not a fan of reinventing the wheel :)

[marcofranssen]

@michi-covalent @tklauser with the merge of cilium-cli into cilium/cilium it's becoming confusing to where contributors can submit their changes for cilium-cli.

Yes, now I'm confused 😕

Should I create such PR on the cilium repo?

Maybe this repo has to be archived?

Let me know how to proceed.

[michi-covalent]

with the merge of cilium-cli into cilium/cilium it's becoming confusing to where contributors can submit their changes for cilium-cli.

sorry for the delay, we build release artifacts from this repo. assuming we want to build this docker image for each release tag, this is the right repo for this pull request.

@marcofranssen let's limit this pull request to Dockerfile changes only. once it gets approved & merged, i'll make necessary changes to github workflows.

[marcofranssen]

Did another rebase to get branch fully in sync with upstream

[michi-covalent]

LGTM overall, only one feedback regarding when to push to the non-CI repo.

pinging @aanm for re-review 🏓

[michi-covalent]

let's run step only on tag push, not branch push. https://quay.io/repository/cilium/cilium-cli?tab=tags should only contain released images 🙏

Suggested change

	if: ${{ github.event_name != 'pull_request_target' }}
	if: ${{ github.ref_type == 'tag' }}

[aanm]

@michi-covalent maybe github.ref_type == 'tag' && github.event_name == 'tag'?

[marcofranssen]

This was never changed. Happy to change it, but didn't want to modify the current pipeline behavior.

Let me know and I can perform the update.

[marcofranssen]

I'm not even sure if you want to change it, because this would allow the release of the image on merges to main using the commit hash.

See https://github.com/cilium/cilium-cli/pull/2782/files#diff-d0a3d6684c78a148cbf0725d5fe8b5aab6431da05b698a82c9e015516f3020baR48-R57

So changing this would change the existing behavior as that step output is used during the Build here https://github.com/cilium/cilium-cli/pull/2782/files#diff-d0a3d6684c78a148cbf0725d5fe8b5aab6431da05b698a82c9e015516f3020baR99

[michi-covalent]

the latest workflow file looks good to me. just wanted to make sure we don't push to quay.io/cilium/cilium-cli on push to main branch 🚀🙏

[michi-covalent]

hmm don't we still end up pushing to quay.io/cilium/cilium-cli repo on push to main?

cilium-cli/.github/workflows/images.yaml

Lines 64 to 77 in f996cce

	# main branch or tag pushes
	- name: Build ${{ matrix.name }}
	if: ${{ github.event_name != 'pull_request_target' }}
	uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
	id: docker_build_main
	with:
	context: .
	file: ${{ matrix.dockerfile }}
	target: ${{ matrix.name }}
	platforms: ${{ matrix.platforms }}
	push: true
	tags: |
	quay.io/${{ github.repository_owner }}/${{ matrix.name }}:latest
	quay.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}

💭

i suggest keeping this pull request for changing Dockerfile only. let's forcus on getting Dockerfile change merged in this PR. @tklauser and i will set up a release image workflow. we need to create a separate github environment anyways.

[michi-covalent]

we'll do something like this for the release image workflow once the Dockerfile change gets merged => c6cfc8b

[marcofranssen]

@michi-covalent the separete github env is already created based on earlier feedback.

https://github.com/cilium/cilium-cli/pull/2782/files#diff-d0a3d6684c78a148cbf0725d5fe8b5aab6431da05b698a82c9e015516f3020baR23

[michi-covalent]

i didn't mean to update the workflow file to refer to a release environment. i need to configure a github environment for this repo and make sure that it works.

let's limit the scope of this pull request to the Dockerfile change 🙏

[marcofranssen]

Without the workflow it won't work right. Hence #2782 (comment)

The Github environment you have to configure basically needs to match the name here https://github.com/cilium/cilium-cli/pull/2782/files#diff-d0a3d6684c78a148cbf0725d5fe8b5aab6431da05b698a82c9e015516f3020baR31

Guess the only thing you need to do is configure the secrets for publishing the image int there.

Why don't you add the environment, (give it a different name to your desires) and then we update it here in the workflow.

I'm not fully getting the problem with the workflow here. Basically all required to use a different gh-env is in place. You only need to add the secret to it.

[aanm]

@michi-covalent We recently changed the cilium-cli Dockerfile in cilium/cilium to add support for multi-arch. Can't we replace cilium/cilium-cli Dockerfile with the on we have in cilium/cilium?

@marcofranssen sorry for taking so much time to review the PR. I needed some time to think about it.

[aanm]

@michi-covalent maybe github.ref_type == 'tag' && github.event_name == 'tag'?

[aanm]

We can still use the caches without using this dependency. Personally, I would prefer to not have any wrappers on official builds.

[aanm]

Similar to https://github.com/cilium/cilium/blob/78b2e1a189bccd7c863715d3f7708f8fdab1cf59/cilium-cli/Dockerfile, I don't think this will work because, for example, awscli, downloaded on line 53, is for x86_64 only.

[marcofranssen]

I can tell you it does work.

https://github.com/cilium/cilium-cli/pull/2782/files#diff-d0a3d6684c78a148cbf0725d5fe8b5aab6431da05b698a82c9e015516f3020baR33

The ci image is only build for amd64. If you want to add arm64 support for that image I'm happy to another PR for that.

[aanm]

What I meant was that it will not work for arm64 because of the binary downloaded on line 53. The build will work but the resulting image will not work for arm64.

[marcofranssen]

Let me state it differently, because we are not building this image for arm64 in the workflow, it won't be a problem until we change that in the workflow.

For now this PR only focusses on building the cilium image in both architectures, the ci image will stay with amd64 support only.

[marcofranssen]

Rebased PR again to resolve the merge conflict.

[maintainer-s-little-helper]

Commit b9d0135 does not match "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[maintainer-s-little-helper]

Commit 553f2d9 does not match "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[maintainer-s-little-helper]

Commit 553f2d9 does not match "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[marcofranssen]

Rebased once more and signed off the one commit I forgot about.

[michi-covalent]

reminder for @tklauser and myself: set up release environment before the next release 🚀

[michi-covalent]

ping @cilium/ci-structure for review 🚀🙏

edit: never mind, i requested to update this PR to only modify Dockerfile 👍 #2782 (comment)

[aanm]

Also, can't we replace cilium/cilium-cli Dockerfile with the on we have in cilium/cilium? It seems this remains unanswered.

[aanm]

What I meant was that it will not work for arm64 because of the binary downloaded on line 53. The build will work but the resulting image will not work for arm64.

[marcofranssen]

What should I do to get this merged? I adjusted the workflow to use a separate GH environment for the release image? Went trough the open conversations but not sure how to progress now.

I feel all required changes are in.

[tklauser]

What should I do to get this merged? I adjusted the workflow to use a separate GH environment for the release image? Went trough the open conversations but not sure how to progress now.

There are still two open questions from @aanm which AFAICT haven't been addressed or answered:
#2782 (review) and #2782 (comment)

[marcofranssen]

Also, can't we replace cilium/cilium-cli Dockerfile with the on we have in cilium/cilium? It seems this remains unanswered.

In a previous PR I contributed this was also already the question. It seems that is something to be figured out within the cilium repo owners.

In my previous PR it was decided to continue using this repo until a decision is made. Would be great if we can unblock this PR and move forward and figure out the other part in a follow-up.

[marcofranssen]

What should I do to get this merged? I adjusted the workflow to use a separate GH environment for the release image? Went trough the open conversations but not sure how to progress now.

There are still two open questions from @aanm which AFAICT haven't been addressed or answered: #2782 (review) and #2782 (comment)

I feel one was already answered, but gave it another shot with different wording.

The other one seems to be unrelated to this PR. It was already a discussion on a previous PR and there it was decided to not hold back community contribution while the cilium team figures it out internally on how and when to make that change.