Docker Push Github Action

[arkodg]

• Use the buildx based GHA https://github.com/docker/buildx
• Add make targets for docker build and push

Relates to #75

Signed-off-by: Arko Dasgupta arko@tetrate.io

[arkodg]

Testing out the make target

🐳 $ REGISTRY=arkodg make docker-build
?   	github.com/envoyproxy/gateway/cmd/envoy-gateway	[no test files]
ok  	github.com/envoyproxy/gateway/internal/cmd	(cached)
docker build -t arkodg/gateway-dev:f08f90b -f Dockerfile . 
[+] Building 1.4s (16/16) FINISHED                                                                                                                           
 => [internal] load build definition from Dockerfile                                                                                                    0.0s
 => => transferring dockerfile: 37B                                                                                                                     0.0s
 => [internal] load .dockerignore                                                                                                                       0.0s
 => => transferring context: 2B                                                                                                                         0.0s
 => [internal] load metadata for gcr.io/distroless/static:nonroot                                                                                       0.2s
 => [internal] load metadata for docker.io/library/golang:1.18                                                                                          1.3s
 => [auth] library/golang:pull token for registry-1.docker.io                                                                                           0.0s
 => [builder 1/7] FROM docker.io/library/golang:1.18@sha256:04fab5aaf4fc18c40379924674491d988af3d9e97487472e674d0b5fd837dfac                            0.0s
 => [internal] load build context                                                                                                                       0.0s
 => => transferring context: 6.31kB                                                                                                                     0.0s
 => [stage-1 1/3] FROM gcr.io/distroless/static:nonroot@sha256:2556293984c5738fc75208cce52cf0a4762c709cf38e4bf8def65a61992da0ad                         0.0s
 => CACHED [builder 2/7] WORKDIR /workspace                                                                                                             0.0s
 => CACHED [builder 3/7] COPY go.mod go.mod                                                                                                             0.0s
 => CACHED [builder 4/7] COPY go.sum go.sum                                                                                                             0.0s
 => CACHED [builder 5/7] RUN go mod download                                                                                                            0.0s
 => CACHED [builder 6/7] COPY . /workspace                                                                                                              0.0s
 => CACHED [builder 7/7] RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o envoy-gateway cmd/envoy-gateway/main.go                               0.0s
 => CACHED [stage-1 2/3] COPY --from=builder /workspace/envoy-gateway .                                                                                 0.0s
 => exporting to image                                                                                                                                  0.0s
 => => exporting layers                                                                                                                                 0.0s
 => => writing image sha256:85654f15252eea65077722536c56a165a4fe69c5cde59979e904ebb0538b5e6f                                                            0.0s
 => => naming to docker.io/arkodg/gateway-dev:f08f90b                                                                                                   0.0s
🐳 $ REGISTRY=arkodg make docker-push
docker push arkodg/gateway-dev:f08f90b
The push refers to repository [docker.io/arkodg/gateway-dev]
3488f8e5adf9: Layer already exists 
0b031aac6569: Layer already exists 
f08f90b: digest: sha256:ee08e64800438702fb183b8016a0ce49efce29c8352003ee06a62784dc9bdb0a size: 738

[lizan]

Why build here again but not use artifact from build and test?

[arkodg]

keeping the Dockerfile mutually exclusive from the CI flow so a

• dev can run make docker-build or docker build . to build images and test them quickly
• above flow eliminates volume mounts to share artifacts etc

[lizan]

I feel this is a bad practice: we are releasing a build which is not tested in the same environment.

buildx doesn't need volume mounts anyway, it is just ADD file?

[arkodg]

I disagree here, the workflow for pushing docker images would also run some form of e2e (which doesn't exist today) using the same image before pushing the image

[lizan]

The other disadvantage of this is we are going to use QEMU for future arm64 (and other) build which is way slower and hard to workaround. It is better to split the build and docker packaging.

[arkodg]

prefer if we first tried the simpler way of building linux/arm64 using QEMU, quantified the slowness in CI, and then deleted the QEMU step in favor of a self hosted ARM runner

[arkodg]

I have moved over the job as a step into the main workflow, we could further optimize this logic by retagging instead of relying on the build cache layers

[lizan]

You don't need even a self hosted ARM runner, Go cross compile works great without hassle, just need to copy the binary from local machine (or downloaded artifacts), instead of force docker build run Go build.

[arkodg]

cool, lets consider adding that as a follow up PR

[arkodg]

raised #93 so this conversation can continue there and can unblock this PR

[LukeShu]

See also: #89

[skriss]

One question but otherwise LGTM; re: the open threads, IMO we can always tackle later if we want, but this gets us started.

[skriss]

I think we can drop this since we're only building a single arch now and when we add support for multi-arch images we can use Go's native cross-compilation

[arkodg]

based on the comments, added linux/arm64 to enable envoy-gateway images to run on arm64 as well (e.g. M1 Macbooks)

[codecov-commenter]

Codecov Report

Merging #83 (2fa3a1a) into main (bc2c27f) will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##              main       #83   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines            5         5           
=========================================
  Hits             5         5           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bc2c27f...2fa3a1a. Read the comment docs.

[skriss]

Suggest defaulting this arg to linux/amd64 so it just works for a regular docker build invocation:

Suggested change

	ARG TARGETPLATFORM
	ARG TARGETPLATFORM=linux/amd64

[arkodg]

it will never work for a docker build . invocation now :)

=> ERROR [2/2] COPY linux/amd64/envoy-gateway /usr/local/bin/ 

since the Dockerfile is only a means for packaging the binary and the binary is built on the host , relates to http://github.com/envoyproxy/gateway/issues/93

Instead we need to rely on make docker-build now

As for TARGETPLATFORM=linux/amd64, we dont need this, by default it picks the right value

[skriss]

If I run make docker-build as is, then docker run the image, I get exec /usr/local/bin/envoy-gateway: no such file or directory. If I add the default I suggested, then do the same, I get Manages Envoy Proxy as a standalone or Kubernetes-based application gateway as expected.

[lizan]

It is environment dependent, if you did docker buildx install then your docker build is buildx otherwise it's not. Though defaults to linux/amd64 doesn't do right thing for M1 mac users whose docker is linux/arm64.

[lizan]

Actually, set environment DOCKER_BUILDKIT=1 in the Makefile should make thing work? @skriss

[skriss]

Yep, understood, was just trying to have this work OOTB for the most environments. Since you're against the default, let's document the buildx requirement in https://github.com/envoyproxy/gateway/blob/main/CONTRIBUTING.md.

[danehans]

xref #63