cross-compile container images

Create multi-arch container images by first cross compiling the
binaries for the different platforms, and then creating the container
images by copying the binaries.

.cargo/config

@@ -0,0 +1,7 @@
+[target.x86_64-unknown-linux-musl]
+linker = "x86_64-linux-musl-ld"
+ar = "x86_64-linux-musl-ar"
+
+[target.aarch64-unknown-linux-musl]
+linker = "aarch64-linux-musl-ld"
+ar = "aarch64-linux-musl-ar"

.github/workflows/container-image.yml

@@ -4,54 +4,106 @@ on:
     - main
     tags:
     - 'v*'
-
 name: build container image
-
 jobs:
-  build:
+  build-x86_64:
+    name: Build x86_64 binary
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup rust toolchain
+        uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+      - run: rustup target add x86_64-unknown-linux-musl
+      - name: Setup musl for x86_64
+        run: |
+          curl -O https://musl.cc/x86_64-linux-musl-cross.tgz
+          tar -xzf x86_64-linux-musl-cross.tgz -C $HOME
+          echo "$HOME/x86_64-linux-musl-cross/bin" >> $GITHUB_PATH
+      - name: Build policy-server
+        env:
+          CC: x86_64-linux-musl-gcc
+        run: |
+          cargo build --target=x86_64-unknown-linux-musl --release
+      - name: Upload policy-server
+        uses: actions/upload-artifact@v2
+        with:
+          name: policy-server-x86_64
+          path: target/x86_64-unknown-linux-musl/release/policy-server
+  build-aarch64:
+    name: Build aarch64 binary
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup rust toolchain
+        uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+      - run: rustup target add aarch64-unknown-linux-musl
+      - name: Setup musl for aarch64
+        run: |
+          curl -O https://musl.cc/aarch64-linux-musl-cross.tgz
+          tar -xzf aarch64-linux-musl-cross.tgz -C $HOME
+          echo "$HOME/aarch64-linux-musl-cross/bin" >> $GITHUB_PATH
+      - name: Build policy-server
+        env:
+          CC: aarch64-linux-musl-gcc
+        run: |
+          cargo build --target=aarch64-unknown-linux-musl --release
+      - name: Upload policy-server
+        uses: actions/upload-artifact@v2
+        with:
+          name: policy-server-aarch64
+          path: target/aarch64-unknown-linux-musl/release/policy-server
+  build-container-image:
     name: Build container image
     runs-on: ubuntu-latest
+    needs:
+     - build-x86_64
+     - build-aarch64
     steps:
-      -
-        name: Checkout code
+      - name: Checkout code
         uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
+      - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
-      -
-        name: Login to GitHub Container Registry
+      - uses: actions/download-artifact@v2
+        with:
+          name: policy-server-x86_64
+          path: target/x86_64-unknown-linux-musl/release/policy-server
+      - uses: actions/download-artifact@v2
+        with:
+          name: policy-server-aarch64
+          path: target/aarch64-unknown-linux-musl/release/policy-server
+      - name: Login to GitHub Container Registry
         uses: docker/login-action@v1
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Build and push development container image
+      - name: Build and push development container image
         if: ${{ startsWith(github.ref, 'refs/heads/') }}
         uses: docker/build-push-action@v2
         with:
-          context: .
+          context: target
           file: ./Dockerfile
           platforms: linux/amd64, linux/arm64
           push: true
           tags: |
-            ghcr.io/kubewarden/policy-server:latest
-      -
-        name: Retrieve tag name
+            ghcr.io/${{ github.repository_owner }}/policy-server:latest
+      - name: Retrieve tag name
         if: ${{ startsWith(github.ref, 'refs/tags/') }}
         run: |
           echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV
-      -
-        name: Build and push tagged container image
+      - name: Build and push tagged container image
         if: ${{ startsWith(github.ref, 'refs/tags/') }}
         uses: docker/build-push-action@v2
         with:
-          context: .
+          context: target
           file: ./Dockerfile
           platforms: linux/amd64, linux/arm64
           push: true
           tags: |
-            ghcr.io/kubewarden/policy-server:${{ env.TAG_NAME }}
+            ghcr.io/${{ github.repository_owner }}/policy-server:${{ env.TAG_NAME }}

Dockerfile

@@ -1,32 +1,21 @@
-# build image
-FROM registry.opensuse.org/opensuse/leap:15.3 as builder
-
-RUN zypper in -y curl && \
-    sh -c 'curl https://download.opensuse.org/repositories/devel:/languages:/rust/openSUSE_Leap_15.3/repodata/repomd.xml.key > gpg.key' && \
-    gpg --import gpg.key && \
-    rpm --import gpg.key && \
-    # Now add the repository and install cargo
-    zypper ar -f obs://devel:languages:rust/openSUSE_Leap_15.3 devel:languages:rust && \
-    zypper ref && \
-    zypper in -y gcc cargo
-
-WORKDIR /usr/src/policy-server
-COPY . .
-RUN cargo install --root /usr/local/cargo --path .
-
-# final image
-FROM registry.suse.com/bci/minimal
-LABEL org.opencontainers.image.source https://github.com/kubewarden/policy-server
-
-# By default we will run as this user...
+FROM alpine AS common
 RUN echo "policy-server:x:65533:65533::/tmp:/sbin/nologin" >> /etc/passwd
-# Add the default GID to /etc/group for completeness.
 RUN echo "policy-server:x:65533:policy-server" >> /etc/group
 
-COPY --from=builder /usr/local/cargo/bin/policy-server /usr/local/bin/policy-server
+# amd64-specific
+FROM scratch AS build-amd64
+COPY --from=common /etc/passwd /etc/passwd
+COPY --from=common /etc/group /etc/group
+COPY --chmod=0755 x86_64-unknown-linux-musl/release/policy-server /
 
-USER 65533:65533
+# arm64-specific
+FROM scratch AS build-arm64
+COPY --from=common /etc/passwd /etc/passwd
+COPY --from=common /etc/group /etc/group
+COPY --chmod=0755 aarch64-unknown-linux-musl/release/policy-server /
 
+# common final steps
+FROM build-${TARGETARCH}
+USER 65533:65533
 EXPOSE 3000
-
-ENTRYPOINT ["/usr/local/bin/policy-server"]
+ENTRYPOINT ["/policy-server"]