Allow for the injector to be built in docker (#1917)

## Description This PR allows building the injector on more systems and migrates its release to GHCR to avoid issues with Docker Hub. ## Related Issue Fixes #N/A ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [X] Other (security config, docs update, etc) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed
zarf-dev · Aug 3, 2023 · f2fc551 · f2fc551
1 parent a4848f9
commit f2fc551
Show file tree

Hide file tree

Showing 9 changed files with 88 additions and 52 deletions.
diff --git a/.github/workflows/build-rust-injector.yml b/.github/workflows/build-rust-injector.yml
@@ -25,46 +25,24 @@ jobs:
       - name: Install tools
         uses: ./.github/actions/install-tools
 
-      - name: "Dependency: Setup rust toolchain"
+      - name: "Build Rust Binary for x86_64 and arm64"
         run: |
-          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --no-modify-path
-          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
-          sudo apt install build-essential -y
-
-      - name: "Build Rust Binary for x86_64"
-        working-directory: src/injector
-        run: |
-          rustup target add x86_64-unknown-linux-musl
-          cargo build --target x86_64-unknown-linux-musl --release
-          strip target/x86_64-unknown-linux-musl/release/zarf-injector
-
-      - name: "Build Rust Binary for aarch64"
-        working-directory: src/injector
-        run: |
-          rustup target add aarch64-unknown-linux-musl
-          curl https://zarf-public.s3-us-gov-west-1.amazonaws.com/pipelines/aarch64-linux-musl-cross.tgz | tar -xz
-          export PATH="$PWD/aarch64-linux-musl-cross/bin:$PATH"
-          cargo build --target aarch64-unknown-linux-musl --release
-          aarch64-linux-musl-strip target/aarch64-unknown-linux-musl/release/zarf-injector
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+          make build-injector-linux
+          cd src/injector/target
+          mkdir -p ../dist
+          cp x86_64-unknown-linux-musl/release/zarf-injector ../dist/zarf-injector-amd64
+          cp aarch64-unknown-linux-musl/release/zarf-injector ../dist/zarf-injector-arm64
+          cd ../dist
+          shasum zarf-injector-amd64 >> checksums.txt
+          shasum zarf-injector-arm64 >> checksums.txt
+
+      - name: Set AWS Credentials
+        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: "Upload Binaries To DockerHub"
-        working-directory: src/injector/target
-        run: |
-          cosign upload blob -f x86_64-unknown-linux-musl/release/zarf-injector defenseunicorns/zarf-injector:amd64-${{ github.event.inputs.versionTag }}
-          cosign upload blob -f aarch64-unknown-linux-musl/release/zarf-injector defenseunicorns/zarf-injector:arm64-${{ github.event.inputs.versionTag }}
+          aws-access-key-id: ${{ secrets.AWS_GOV_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_GOV_SECRET_ACCESS_KEY }}
+          aws-region: us-gov-west-1
 
-      - name: "Sign the binaries"
+      - name: Sync Artifacts to S3
         run: |
-          cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=${{ github.event.inputs.versionTag }} defenseunicorns/zarf-injector:amd64-${{ github.event.inputs.versionTag }}
-          cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=${{ github.event.inputs.versionTag }} defenseunicorns/zarf-injector:arm64-${{ github.event.inputs.versionTag }}
-        env:
-          COSIGN_EXPERIMENTAL: 1
-          AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
+          aws s3 sync src/injector/dist/ s3://zarf-public/injector/${{ github.event.inputs.versionTag }}/
diff --git a/Makefile b/Makefile
@@ -151,6 +151,9 @@ build-examples: ## Build all of the example packages
 
 	@test -s ./build/zarf-package-yolo-$(ARCH).tar.zst || $(ZARF_BIN) package create examples/yolo -o build -a $(ARCH) --confirm
 
+build-injector-linux: ## Build the Zarf injector for AMD64 and ARM64
+	docker run --rm --user "$(id -u)":"$(id -g)" -v $$PWD/src/injector:/usr/src/zarf-injector -w /usr/src/zarf-injector rust:1.71.0-bookworm make build-injector-linux
+
 ## NOTE: Requires an existing cluster or the env var APPLIANCE_MODE=true
 .PHONY: test-e2e
 test-e2e: build-examples ## Run all of the core Zarf CLI E2E tests (builds any deps that aren't present)

diff --git a/packages/zarf-registry/zarf.yaml b/packages/zarf-registry/zarf.yaml
@@ -56,11 +56,29 @@ components:
       Bootstraps a Kubernetes cluster by cloning a running pod in the cluster and hosting the registry image.
       Removed and destroyed after the Zarf Registry is self-hosting the registry image.
     required: true
-    cosignKeyPath: ../../cosign.pub
+    only:
+      cluster:
+        architecture: amd64
     files:
       # Rust Injector Binary
-      - source: sget://defenseunicorns/zarf-injector:###ZARF_PKG_ARCH###-###ZARF_PKG_TMPL_INJECTOR_VERSION###
+      - source: https://zarf-public.s3-us-gov-west-1.amazonaws.com/injector/###ZARF_PKG_TMPL_INJECTOR_VERSION###/zarf-injector-amd64
         target: "###ZARF_TEMP###/zarf-injector"
+        shasum: "###ZARF_PKG_TMPL_INJECTOR_AMD64_SHASUM###"
+        executable: true
+
+  - name: zarf-injector
+    description: |
+      Bootstraps a Kubernetes cluster by cloning a running pod in the cluster and hosting the registry image.
+      Removed and destroyed after the Zarf Registry is self-hosting the registry image.
+    required: true
+    only:
+      cluster:
+        architecture: arm64
+    files:
+      # Rust Injector Binary
+      - source: https://zarf-public.s3-us-gov-west-1.amazonaws.com/injector/###ZARF_PKG_TMPL_INJECTOR_VERSION###/zarf-injector-arm64
+        target: "###ZARF_TEMP###/zarf-injector"
+        shasum: "###ZARF_PKG_TMPL_INJECTOR_ARM64_SHASUM###"
         executable: true
 
   - name: zarf-seed-registry

diff --git a/src/injector/.cargo/config b/src/injector/.cargo/config
diff --git a/src/injector/.gitignore b/src/injector/.gitignore
@@ -1 +1,3 @@
 target/
+aarch64-linux-musl-cross/
+x86_64-linux-musl-cross/
diff --git a/src/injector/Cargo.lock b/src/injector/Cargo.lock
diff --git a/src/injector/Cargo.toml b/src/injector/Cargo.toml
@@ -10,7 +10,7 @@ strip = true
 
 [package]
 name = "zarf-injector"
-version = "0.4.3"
+version = "0.5.0"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

diff --git a/src/injector/Makefile b/src/injector/Makefile
@@ -0,0 +1,41 @@
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2021-Present The Zarf Authors
+
+.PHONY: help
+help: ## Display this help information
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) \
+	  | sort | awk 'BEGIN {FS = ":.*?## "}; \
+	  {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+clean: ## Clean the build directory
+	rm -rf target
+
+build-injector-linux: build-injector-linux-amd build-injector-linux-arm ## Build the Zarf injector for AMD64 and ARM64
+
+build-injector-linux-amd: ## Build the Zarf injector for AMD64
+	rustup target add x86_64-unknown-linux-musl
+
+	if [ "$(shell uname -m)" = "arm64" ] || [ "$(shell uname -m)" = "aarch64" ]; then \
+		test -s x86_64-linux-musl-cross || curl https://zarf-public.s3-us-gov-west-1.amazonaws.com/pipelines/x86_64-linux-musl-cross.tgz | tar -xz; \
+		export PATH="$$PWD/x86_64-linux-musl-cross/bin:$$PATH"; \
+		export CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=x86_64-linux-musl-cc; \
+		cargo build --target x86_64-unknown-linux-musl --release; \
+	elif [ "$(shell uname -m)" = "x86_64" ]; then \
+		cargo build --target x86_64-unknown-linux-musl --release; \
+	fi
+
+	du --si target/x86_64-unknown-linux-musl/release/zarf-injector
+
+build-injector-linux-arm: ## Build the Zarf injector for ARM64
+	rustup target add aarch64-unknown-linux-musl
+
+	if [ "$(shell uname -m)" = "arm64" ] || [ "$(shell uname -m)" = "aarch64" ]; then \
+		cargo build --target aarch64-unknown-linux-musl --release; \
+	elif [ "$(shell uname -m)" = "x86_64" ]; then \
+		test -s aarch64-linux-musl-cross || curl https://zarf-public.s3-us-gov-west-1.amazonaws.com/pipelines/aarch64-linux-musl-cross.tgz | tar -xz; \
+		export PATH="$$PWD/aarch64-linux-musl-cross/bin:$$PATH"; \
+		export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER=aarch64-linux-musl-cc; \
+		cargo build --target aarch64-unknown-linux-musl --release; \
+	fi
+
+	du --si target/aarch64-unknown-linux-musl/release/zarf-injector
diff --git a/zarf-config.toml b/zarf-config.toml
@@ -5,7 +5,9 @@ agent_image = 'defenseunicorns/zarf/agent'
 agent_image_tag = 'local'
 
 # Tag for the zarf injector binary to use
-injector_version = '2023-07-19'
+injector_version = '2023-08-02'
+injector_amd64_shasum = '91de0768855ee2606a4f85a92bb480ff3a14ca205fd8d05eb397c18e15aa0247'
+injector_arm64_shasum = '663df681deea957b0ec53538eab221691a83de8e95d86b8a29008af711934bee'
 
 # The image reference to use for the registry that Zarf deploys into the cluster
 registry_image_domain = ''