From b9c5ee56f1f25f03b21d9c91198163b23b8bd4df Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Thu, 29 Aug 2024 15:52:16 +0200
Subject: [PATCH] Enable multi-arch Docker build
Signed-off-by: Marco Franssen
---
 .github/workflows/images.yaml | 33 ++++++++++++----------
 Dockerfile | 52 +++++++++++++++++------------------
 2 files changed, 45 insertions(+), 40 deletions(-)
diff --git a/.github/workflows/images.yaml b/.github/workflows/images.yaml
index 1c6163fe53..9d338708af 100644
--- a/.github/workflows/images.yaml
+++ b/.github/workflows/images.yaml
@@ -27,6 +27,11 @@ jobs:
 include:
 - name: cilium-cli
 dockerfile: ./Dockerfile
+ platforms: linux/amd64,linux/arm64
+ - name: cilium-cli-ci
+ dockerfile: ./Dockerfile
+ platforms: linux/amd64
+
 steps:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
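Review bot: The two entries under `include:` differ only in `name` and `platforms`, so nothing in the matrix selects which Dockerfile stage each image is built from. The Dockerfile ends in `FROM ${FINAL_CONTAINER}` with the default `cilium-cli-ci`, and the `with:` blocks of the build steps later in this file pass neither `build-args` nor `target`. Unless that is set outside the visible hunks, the `cilium-cli` image would be built from the Ubuntu-based CI stage rather than the scratch stage. Since the matrix names match the stage names, adding `build-args: FINAL_CONTAINER=${{ matrix.name }}` to both build steps would tie each image to its stage.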
@@ -55,46 +60,46 @@ jobs:
 ref: ${{ steps.tag.outputs.tag }}
 # main branch or tag pushes
- - name: CI Build ${{ matrix.name }}
+ - name: Build ${{ matrix.name }}
 if: ${{ github.event_name != 'pull_request_target' }}
 uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
- id: docker_build_ci_main
+ id: docker_build_main
 with:
 context: .
 file: ${{ matrix.dockerfile }}
 push: true
- platforms: linux/amd64
+ platforms: ${{ matrix.platforms }}
 tags: |
- quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:latest
- quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
+ quay.io/${{ github.repository_owner }}/${{ matrix.name }}:latest
+ quay.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}
- - name: CI Image Releases digests
+ - name: Image Releases digests
 if: ${{ github.event_name != 'pull_request_target' }}
 shell: bash
 run: |
 mkdir -p image-digest/
- echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:latest@${{ steps.docker_build_ci_main.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
- echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_main.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
+ echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}:latest@${{ steps.docker_build_main.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
+ echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_main.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
 # PR updates
- - name: CI Build ${{ matrix.name }}
+ - name: Build ${{ matrix.name }}
 if: ${{ github.event_name == 'pull_request_target' }}
 uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
- id: docker_build_ci_pr
+ id: docker_build_pr
 with:
 context: .
 file: ${{ matrix.dockerfile }}
 push: true
- platforms: linux/amd64
+ platforms: ${{ env.DOCKER_PLATFORMS }}
 tags: |
- quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
+ quay.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}
- - name: CI Image Releases digests
+ - name: Image Releases digests
 if: ${{ github.event_name == 'pull_request_target' }}
 shell: bash
 run: |
 mkdir -p image-digest/
- echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
+ echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_pr.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
 # Upload artifact digests
 - name: Upload artifact digests
diff --git a/Dockerfile b/Dockerfile
index e0ff2b74b7..63c28449da 100644
--- a/Dockerfile
+++ b/Dockerfile
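Review bot: In `.github/workflows/images.yaml`, dropping the `-ci` suffix from the `tags:` of the `pull_request_target` build step means images built for pull requests are now pushed into the same `quay.io/${{ github.repository_owner }}/cilium-cli` repository that the main-branch step tags `latest`. That event runs with the base repository's credentials, and judging by `ref: ${{ steps.tag.outputs.tag }}` at the top of the hunk it appears to build the PR's checkout (the checkout step itself is outside the hunk). PR artifacts are better kept in a repository that consumers never pull release images from. The same step also sets `platforms: ${{ env.DOCKER_PLATFORMS }}`, which is not defined in the visible workflow and would expand to an empty string; `platforms: ${{ matrix.platforms }}` would match the main-branch step.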
@@ -8,38 +8,38 @@
 # cilium-cli is from scratch only including cilium binaries
 ARG FINAL_CONTAINER="cilium-cli-ci"
-FROM docker.io/library/golang:1.23.2-alpine3.19@sha256:f6392ffebb028fed5ffe743ddb9716e38402c978779edd66474bb5d05f5e65e4 AS builder
+FROM --platform=${BUILDPLATFORM} golang:1.23.0-alpine3.20@sha256:d0b31558e6b3e4cc59f6011d79905835108c919143ebecc58f35965bf79948f4 AS base
+RUN apk add --no-cache --update ca-certificates git make
 WORKDIR /go/src/github.com/cilium/cilium-cli
-RUN apk add --no-cache curl git make ca-certificates
+COPY go.* .
+RUN --mount=type=cache,target=/go/pkg/mod go mod download
 COPY . .
-RUN make
-FROM scratch AS cilium-cli
-ENTRYPOINT ["cilium"]
-COPY --from=builder --chown=root:root --chmod=755 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=builder /go/src/github.com/cilium/cilium-cli/cilium /usr/local/bin/cilium
+# xx is a helper for cross-compilation
+# when bumping to a new version analyze the new version for security issues
+# then use crane to lookup the digest of that version so we are immutable
+# crane digest tonistiigi/xx:1.5.0
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.5.0@sha256:0c6a569797744e45955f39d4f7538ac344bfb7ebf0a54006a0a4297b153ccf0f AS xx
+
+FROM --platform=${BUILDPLATFORM} base AS builder
+ARG TARGETPLATFORM
+ARG TARGETARCH
+COPY --link --from=xx / /
+RUN --mount=type=cache,target=/root/.cache/go-build \
+ --mount=type=cache,target=/go/pkg/mod \
+ xx-go --wrap && \
+ make && \
+ xx-verify --static /go/src/github.com/cilium/cilium-cli/cilium
+
+FROM --platform=${BUILDPLATFORM} scratch AS cilium-cli
+ENTRYPOINT [""]
+COPY --link --from=builder --chmod=755 /go/src/github.com/cilium/cilium-cli/cilium /usr/local/bin/cilium
+COPY --link --from=builder --chown=root:root --chmod=755 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 FROM ubuntu:24.04@sha256:99c35190e22d294cdace2783ac55effc69d32896daaa265f0bbedbcde4fbe3e5 AS cilium-cli-ci
-ENTRYPOINT []
 COPY --from=builder /go/src/github.com/cilium/cilium-cli/cilium /usr/local/bin/cilium
+ENTRYPOINT []
-# Install cloud CLIs. Based on these instructions:
-# - https://cloud.google.com/sdk/docs/install#deb
-# - https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
-# - https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt#install-azure-cli
-RUN apt-get update -y \
- && apt-get install -y curl gnupg unzip \
- && curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg \
- && curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - \
- && echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list \
- && apt-get update -y \
- && apt-get install -y google-cloud-cli google-cloud-sdk-gke-gcloud-auth-plugin kubectl \
- && curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
- && unzip awscliv2.zip \
- && ./aws/install \
- && rm -r ./aws awscliv2.zip \
- && curl -sL https://aka.ms/InstallAzureCLIDeb | bash
-
-FROM ${FINAL_CONTAINER}
+FROM ${FINAL_CONTAINER}
 LABEL maintainer="maintainer@cilium.io"
 WORKDIR /root/app
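Review bot: `FROM --platform=${BUILDPLATFORM} scratch AS cilium-cli` pins the final stage to the builder's platform, so the arm64 variant would be published with the build host's platform metadata while carrying an arm64 binary. Only the `base`, `xx` and `builder` stages should carry `--platform`; the final stage should stay `FROM scratch AS cilium-cli`. In the same stage `ENTRYPOINT [""]` replaces `ENTRYPOINT ["cilium"]` with an empty executable name, which leaves the scratch image with nothing to run by default; restoring `ENTRYPOINT ["cilium"]` keeps the image usable. The builder image also moves from `golang:1.23.2-alpine3.19` back to `golang:1.23.0-alpine3.20` and loses its `docker.io/library/` prefix, so any fixes in the two later Go patch releases are dropped from the toolchain; worth confirming that downgrade is intended.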