diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000000000..523f1ff08afd7
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,89 @@
+variables:
+ CI_DOCKER_IMAGE: registry.ddbuild.io/images/docker:24.0.4-gbi-focal
+ DOCKER_CTX: "."
+ DOCKER_BUILD_ARGS: ""
+
+# Force git to remove any reference to the local disk copy of the repository
+before_script:
+ - git repack -a -d && rm -f .git/objects/info/alternates
+
+.build-docker-image: &build-docker-image
+ stage: build
+ image: $CI_DOCKER_IMAGE
+ tags: ["arch:arm64"]
+ rules:
+ # Run the pipeline for all pushed tags + schedules
+ - if: $CI_COMMIT_TAG
+ - if: $CI_PIPELINE_SOURCE == "schedule"
+ id_tokens:
+ DDSIGN_ID_TOKEN:
+ aud: image-integrity
+ script:
+ - .gitlab/build-image.sh
+
+build-docker-image-operator:
+ <<: *build-docker-image
+ variables:
+ IMAGE_NAME: cilium-operator
+ DOCKERFILE_PATH: images/operator/Dockerfile
+ DOCKER_BUILD_ARGS: |
+ OPERATOR_VARIANT=operator
+ BASE_IMAGE=registry.ddbuild.io/images/base/gbi-distroless:release
+ GOLANG_IMAGE=registry.ddbuild.io/images/mirror/golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8
+ ALPINE_IMAGE=registry.ddbuild.io/images/mirror/library/alpine:3.19.2@sha256:af4785ccdbcd5cde71bfd5b93eabd34250b98651f19fe218c91de6c8d10e21c5
+ CILIUM_BUILDER_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-builder:5d119d3345a09e13d6b8cc8d5486853a88c03511@sha256:664161d2ac7d52478e755efa12c2a8fe578073fe517f6f725258915b2faafd52
+ TARGET: release
+
+build-docker-image-runtime:
+ <<: *build-docker-image
+ variables:
+ IMAGE_NAME: cilium-runtime
+ DOCKERFILE_PATH: images/runtime/Dockerfile
+ DOCKER_BUILD_ARGS: |
+ TESTER_IMAGE=registry.ddbuild.io/images/mirror/cilium/image-tester:dd09c8d3ef349a909fbcdc99279516baef153f22@sha256:c056d064cb47c97acd607343db5457e1d49d9338d6d8a87e93e23cc93f052c73
+ GOLANG_IMAGE=registry.ddbuild.io/images/mirror/golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8
+ UBUNTU_IMAGE=registry.ddbuild.io/images/base/gbi-ubuntu_2204:release
+ CILIUM_LLVM_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-llvm:a8c542efc076b62ba683e7699c0013adb6955f0f@sha256:38e8941107bd19eb30bdde6e478760a22325f38d1f2771dfd1b9af81d74235e7
+ CILIUM_BPFTOOL_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-bpftool:0db3a73729ceb42e947d826bb96a655be79e5317@sha256:de23c9546c4eafab33f75d6f5d129947bbbafc132dbd113c0cecc9a61929e6b0
+ CILIUM_IPTABLES_IMAGE=registry.ddbuild.io/images/mirror/cilium/iptables:67f517af50e18f64cd12625021f1c39246bb4f92@sha256:d075f03e89aacf51908346ec8ed5d251b8d3ad528ce30a710fcd074cdf91f11d
+ DOCKER_CTX: "./images/runtime"
+
+# Caveats:
+# * The build image is single-arch amd64 and we're doing cross-compilation, so the dlv copy is only valid on amd64. In
+# other words, the arm64 image does not work.
+build-docker-image-cilium:
+ <<: *build-docker-image
+ needs:
+ # The cilium image depends on the runtime image
+ - build-docker-image-runtime
+ variables:
+ IMAGE_NAME: cilium
+ DOCKERFILE_PATH: images/cilium/Dockerfile
+ DOCKER_BUILD_ARGS: |
+ CILIUM_BUILDER_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-builder:5d119d3345a09e13d6b8cc8d5486853a88c03511@sha256:664161d2ac7d52478e755efa12c2a8fe578073fe517f6f725258915b2faafd52
+ CILIUM_ENVOY_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-envoy:v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51@sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b
+ TARGET: release
+ NOSTRIP: 0
+ script:
+ - .gitlab/build-image.sh
+
+build-docker-image-hubble-relay:
+ <<: *build-docker-image
+ variables:
+ IMAGE_NAME: hubble-relay
+ DOCKERFILE_PATH: images/hubble-relay/Dockerfile
+ DOCKER_BUILD_ARGS: |
+ BASE_IMAGE=registry.ddbuild.io/images/base/gbi-distroless:release
+ GOLANG_IMAGE=registry.ddbuild.io/images/mirror/golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8
+ CILIUM_BUILDER_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-builder:5d119d3345a09e13d6b8cc8d5486853a88c03511@sha256:664161d2ac7d52478e755efa12c2a8fe578073fe517f6f725258915b2faafd52
+ TARGET: release
+
+build-docker-image-clustermesh-apiserver:
+ <<: *build-docker-image
+ variables:
+ IMAGE_NAME: kvstoremesh
+ DOCKERFILE_PATH: images/clustermesh-apiserver/Dockerfile
+ DOCKER_BUILD_ARGS: |
+ BASE_IMAGE=registry.ddbuild.io/images/base/gbi-distroless:release
+ GOLANG_IMAGE=registry.ddbuild.io/images/mirror/golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8
+ TARGET: release
diff --git a/.gitlab/build-image.sh b/.gitlab/build-image.sh
new file mode 100755
index 0000000000000..40a4a361522f9
--- /dev/null
+++ b/.gitlab/build-image.sh
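Review bot: The base images `BASE_IMAGE=registry.ddbuild.io/images/base/gbi-distroless:release` and `UBUNTU_IMAGE=registry.ddbuild.io/images/base/gbi-ubuntu_2204:release`, plus the job image `CI_DOCKER_IMAGE: registry.ddbuild.io/images/docker:24.0.4-gbi-focal`, are referenced by mutable tag while every mirror image in the same `DOCKER_BUILD_ARGS` blocks is pinned with `@sha256:`, so two runs of the same git tag can produce, and ddsign can attest, different contents with no change in this repository. If floating to the latest GBI rebuild is intentional for patch pickup, say so in a comment above `variables:` and make sure the build records the resolved base digest; otherwise pin these the same way as the mirrors. The `Caveats` comment also states that the arm64 image does not work, yet the jobs run on `tags: ["arch:arm64"]` and `.gitlab/build-image.sh` pushes and signs a two-platform manifest; if the caveat is still accurate it should say that the arm64 half of the signed manifest is expected to be unusable, or the platform list should be reduced.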
@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+set -exuo pipefail
+
+TARGET="${TARGET:-}"
+
+# Construct valid --build-args arguments from the DOCKER_BUILD_ARGS variable
+BUILD_ARGS=""
+IFS=$'\n'
+for arg in $DOCKER_BUILD_ARGS; do
+ BUILD_ARGS+=" $(echo "--build-arg $arg")"
+done
+IFS=$' '
+
+# Build 3 latest git tags when the pipeline is triggered by a schedule, otherwise build the latest tag
+N_GIT_TAGS_TO_BUILD=1
+if [ "$CI_PIPELINE_SOURCE" == "schedule" ]; then
+ N_GIT_TAGS_TO_BUILD=3
+fi
+
+# Get the N_GIT_TAGS_TO_BUILD latest git tags containing the dd suffix
+GIT_TAGS_TO_BUILD=$(git --no-pager tag --sort=-creatordate --merged HEAD --list \*-dd\* | head -n $N_GIT_TAGS_TO_BUILD)
+
+while IFS= read -r GIT_TAG; do
+ git checkout "$GIT_TAG"
+
+ # Construct the image tag
+ IMAGE_TAG="$GIT_TAG"
+ if [ "$TARGET" = "debug" ]; then
+ IMAGE_TAG="${IMAGE_TAG}-debug"
+ fi
+ if [ "$CI_PIPELINE_SOURCE" == "schedule" ]; then
+ TIMESTAMP=${CI_PIPELINE_CREATED_AT//:/-}
+ TIMESTAMP=${TIMESTAMP,,}
+ IMAGE_TAG="${IMAGE_TAG}-${TIMESTAMP}"
+ fi
+ IMAGE_REF="registry.ddbuild.io/$IMAGE_NAME:$IMAGE_TAG"
+
+ # Find the right Cilium Runtime image to use for the main Cilium image build
+ if [ "$IMAGE_NAME" == "cilium" ]; then
+ CILIUM_RUNTIME_IMAGE="registry.ddbuild.io/cilium-runtime:$IMAGE_TAG"
+ BUILD_ARGS+=" --build-arg CILIUM_RUNTIME_IMAGE=$CILIUM_RUNTIME_IMAGE"
+ fi
+
+ METADATA_FILE=$(mktemp)
+ docker buildx build --platform linux/amd64,linux/arm64 \
+ --tag "$IMAGE_REF" \
+ --file "$DOCKERFILE_PATH" \
+ $BUILD_ARGS \
+ --label CILIUM_VERSION="$(cat VERSION)" \
+ --label target=prod \
+ --label CI_PIPELINE_ID="$CI_PIPELINE_ID" \
+ --label CI_JOB_ID="$CI_JOB_ID" \
+ --target "$TARGET" \
+ --push \
+ --metadata-file "$METADATA_FILE" \
+ "$DOCKER_CTX"
+
+ ddsign sign "$IMAGE_REF" --docker-metadata-file "$METADATA_FILE"
+
+ # Always build the debug version of the Cilium image
+ if [ "$IMAGE_NAME" == "cilium" ]; then
+ METADATA_FILE_DEBUG=$(mktemp)
+ docker buildx build --platform linux/amd64,linux/arm64 \
+ --tag "$IMAGE_REF"-debug \
+ --file "$DOCKERFILE_PATH" \
+ $BUILD_ARGS \
+ --label CILIUM_VERSION="$(cat VERSION)" \
+ --label target=debug \
+ --label CI_PIPELINE_ID="$CI_PIPELINE_ID" \
+ --label CI_JOB_ID="$CI_JOB_ID" \
+ --target debug \
+ --push \
+ --metadata-file "$METADATA_FILE_DEBUG" \
+ "$DOCKER_CTX"
+ ddsign sign "$IMAGE_REF"-debug --docker-metadata-file "$METADATA_FILE_DEBUG"
+ fi
+done <<< "$GIT_TAGS_TO_BUILD"
diff --git a/images/operator/Dockerfile b/images/operator/Dockerfile
index d43fb8b6d188a..bfbd665c7949e 100644
--- a/images/operator/Dockerfile
+++ b/images/operator/Dockerfile
@@ -55,6 +55,10 @@ RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium \
 ./build-gops.sh
 FROM ${BASE_IMAGE} as release
+
+# Datadog Modification: operator has to run as root
+USER root
+
 # TARGETOS is an automatic platform ARG enabled by Docker BuildKit.
 ARG TARGETOS
 # TARGETARCH is an automatic platform ARG enabled by Docker BuildKit.
diff --git a/images/runtime/Dockerfile b/images/runtime/Dockerfile
index 1f9ffcd4e7009..021dbbcf64351 100644
--- a/images/runtime/Dockerfile
+++ b/images/runtime/Dockerfile
@@ -27,6 +27,9 @@ RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium/images/r
 FROM ${UBUNTU_IMAGE} as rootfs
+# Datadog modification: to be able to run APT we need to be root, Cilium also need to run as root
+USER root
+
 # Change the number to force the generation of a new git-tree SHA. Useful when
 # we want to re-run 'apt-get upgrade' for stale images.
 ENV FORCE_BUILD=5
@@ -60,6 +63,5 @@ COPY --from=bpftool-dist /test /test
 RUN /test/bin/cst -C /test/llvm
 RUN /test/bin/cst -C /test/bpftool
-FROM scratch
-LABEL maintainer="maintainer@cilium.io"
-COPY --from=rootfs / /
+# Datadog modification: do not squash the layers to not lose GBI labels
+FROM rootfs
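Review bot: `git checkout "$GIT_TAG"` followed by `ddsign sign` means the CI signing identity attests whatever the newest `*-dd*` tags reachable from HEAD happen to be, with no check that the tag itself is trusted; unless protected tags are enforced on the forge (not visible here), anyone who can push a tag can get a signed image. A `git verify-tag "$GIT_TAG"` before the checkout, or at least a check that `$GIT_TAG` equals `$CI_COMMIT_TAG` on tag pipelines, would make that trust boundary explicit in the script. Separately, `BUILD_ARGS+=" --build-arg CILIUM_RUNTIME_IMAGE=$CILIUM_RUNTIME_IMAGE"` is appended inside the `while` loop, so on the schedule path the second and third builds pass two and three `CILIUM_RUNTIME_IMAGE` build args and rely on buildx presumably taking the last one; use a per-iteration copy such as `ITER_BUILD_ARGS="$BUILD_ARGS --build-arg CILIUM_RUNTIME_IMAGE=$CILIUM_RUNTIME_IMAGE"` and pass `$ITER_BUILD_ARGS` to both `docker buildx build` calls. The runtime image is also consumed by mutable tag (`registry.ddbuild.io/cilium-runtime:$IMAGE_TAG`) rather than by the digest the runtime job wrote to its `--metadata-file`, so the signed cilium image does not pin which runtime layer it was built on; exporting that metadata file as an artifact and passing the digest would close that gap.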
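Review bot: `USER root` in the `release` stage discards whatever non-root default the GBI distroless base provides, and the comment `operator has to run as root` gives no reason, so a later maintainer cannot tell whether a pod `securityContext` or a `COPY --chown` would have done instead. As far as I recall upstream ships the operator as a non-root distroless image, so if the GBI base also defaults to non-root this is a real privilege increase for a control-plane component and deserves a recorded justification, e.g. `# Datadog modification: the GBI distroless base defaults to a non-root user; the operator needs root because <reason>; revisit when <condition>`. If the reason is only ownership of the copied binary, `COPY --chown` on the copy lines later in this stage (outside this hunk) keeps the non-root user.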
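Review bot: The comment `to be able to run APT we need to be root, Cilium also need to run as root` bundles a build-time need (apt in this `rootfs` stage) with a runtime decision, and because the final stage in this same diff becomes `FROM rootfs`, this single `USER root` silently becomes the user of the shipped image. Suggest keeping only the build-time reason here, `# Datadog modification: the GBI base defaults to a non-root user; the apt-get steps below require root`, and declaring the runtime user with its own `USER root` and comment next to the final stage at the end of the file, so the runtime choice survives if the stage layout changes again.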
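Review bot: Replacing `FROM scratch` plus `COPY --from=rootfs / /` with `FROM rootfs` keeps every intermediate layer of the `rootfs` stage in the published image, so anything deleted in a later `RUN` of that stage (apt lists, the `/test` harness if it is removed after the `cst` checks, other build-time tooling) remains recoverable from earlier layers and the image grows accordingly; whether that stage deletes anything is outside this hunk, so this is worth checking before relying on the squash being gone. The change also drops `LABEL maintainer="maintainer@cilium.io"` without a replacement. If the only goal is to keep the GBI labels, copying them onto the squashed stage with explicit `LABEL` instructions (or `--label` from the build script) preserves the squash; if the layer history is acceptable, say so, e.g. `# Datadog modification: no squash, so GBI base labels and layer provenance survive; contents of earlier layers remain in the image`.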