[gitlab] Add initial v1.15 config

.gitlab-ci.yml

@@ -0,0 +1,89 @@
+variables:
+  CI_DOCKER_IMAGE: registry.ddbuild.io/images/docker:24.0.4-gbi-focal
+  DOCKER_CTX: "."
+  DOCKER_BUILD_ARGS: ""
+
+# Force git to remove any reference to the local disk copy of the repository
+before_script:
+  - git repack -a -d && rm -f .git/objects/info/alternates
+
+.build-docker-image: &build-docker-image
+  stage: build
+  image: $CI_DOCKER_IMAGE
+  tags: ["arch:arm64"]
+  rules:
+    # Run the pipeline for all pushed tags + schedules
+    - if: $CI_COMMIT_TAG
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+  id_tokens:
+    DDSIGN_ID_TOKEN:
+      aud: image-integrity
+  script:
+    - .gitlab/build-image.sh
+
+build-docker-image-operator:
+  <<: *build-docker-image
+  variables:
+    IMAGE_NAME: cilium-operator
+    DOCKERFILE_PATH: images/operator/Dockerfile
+    DOCKER_BUILD_ARGS: |
+      OPERATOR_VARIANT=operator
+      BASE_IMAGE=registry.ddbuild.io/images/base/gbi-distroless:release
+      GOLANG_IMAGE=registry.ddbuild.io/images/mirror/golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8
+      ALPINE_IMAGE=registry.ddbuild.io/images/mirror/library/alpine:3.19.2@sha256:af4785ccdbcd5cde71bfd5b93eabd34250b98651f19fe218c91de6c8d10e21c5
+      CILIUM_BUILDER_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-builder:5d119d3345a09e13d6b8cc8d5486853a88c03511@sha256:664161d2ac7d52478e755efa12c2a8fe578073fe517f6f725258915b2faafd52
+    TARGET: release
+
+build-docker-image-runtime:
+  <<: *build-docker-image
+  variables:
+    IMAGE_NAME: cilium-runtime
+    DOCKERFILE_PATH: images/runtime/Dockerfile
+    DOCKER_BUILD_ARGS: |
+      TESTER_IMAGE=registry.ddbuild.io/images/mirror/cilium/image-tester:dd09c8d3ef349a909fbcdc99279516baef153f22@sha256:c056d064cb47c97acd607343db5457e1d49d9338d6d8a87e93e23cc93f052c73
+      GOLANG_IMAGE=registry.ddbuild.io/images/mirror/golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8
+      UBUNTU_IMAGE=registry.ddbuild.io/images/base/gbi-ubuntu_2204:release
+      CILIUM_LLVM_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-llvm:a8c542efc076b62ba683e7699c0013adb6955f0f@sha256:38e8941107bd19eb30bdde6e478760a22325f38d1f2771dfd1b9af81d74235e7
+      CILIUM_BPFTOOL_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-bpftool:0db3a73729ceb42e947d826bb96a655be79e5317@sha256:de23c9546c4eafab33f75d6f5d129947bbbafc132dbd113c0cecc9a61929e6b0
+      CILIUM_IPTABLES_IMAGE=registry.ddbuild.io/images/mirror/cilium/iptables:67f517af50e18f64cd12625021f1c39246bb4f92@sha256:d075f03e89aacf51908346ec8ed5d251b8d3ad528ce30a710fcd074cdf91f11d
+    DOCKER_CTX: "./images/runtime"
+
+# Caveats:
+# * The build image is single-arch amd64 and we're doing cross-compilation, so the dlv copy is only valid on amd64. In
+#   other words, the arm64 image does not work.
+build-docker-image-cilium:
+  <<: *build-docker-image
+  needs:
+    # The cilium image depends on the runtime image
+    - build-docker-image-runtime
+  variables:
+    IMAGE_NAME: cilium
+    DOCKERFILE_PATH: images/cilium/Dockerfile
+    DOCKER_BUILD_ARGS: |
+      CILIUM_BUILDER_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-builder:5d119d3345a09e13d6b8cc8d5486853a88c03511@sha256:664161d2ac7d52478e755efa12c2a8fe578073fe517f6f725258915b2faafd52
+      CILIUM_ENVOY_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-envoy:v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51@sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b
+    TARGET: release
+    NOSTRIP: 0
+  script:
+    - .gitlab/build-image.sh
+
+build-docker-image-hubble-relay:
+  <<: *build-docker-image
+  variables:
+    IMAGE_NAME: hubble-relay
+    DOCKERFILE_PATH: images/hubble-relay/Dockerfile
+    DOCKER_BUILD_ARGS: |
+      BASE_IMAGE=registry.ddbuild.io/images/base/gbi-distroless:release
+      GOLANG_IMAGE=registry.ddbuild.io/images/mirror/golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8
+      CILIUM_BUILDER_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-builder:5d119d3345a09e13d6b8cc8d5486853a88c03511@sha256:664161d2ac7d52478e755efa12c2a8fe578073fe517f6f725258915b2faafd52
+    TARGET: release
+
+build-docker-image-clustermesh-apiserver:
+  <<: *build-docker-image
+  variables:
+    IMAGE_NAME: kvstoremesh
+    DOCKERFILE_PATH: images/clustermesh-apiserver/Dockerfile
+    DOCKER_BUILD_ARGS: |
+      BASE_IMAGE=registry.ddbuild.io/images/base/gbi-distroless:release
+      GOLANG_IMAGE=registry.ddbuild.io/images/mirror/golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8
+    TARGET: release

.gitlab/build-image.sh

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+set -exuo pipefail
+
+TARGET="${TARGET:-}"
+
+# Construct valid --build-args arguments from the DOCKER_BUILD_ARGS variable
+BUILD_ARGS=""
+IFS=$'\n'
+for arg in $DOCKER_BUILD_ARGS; do
+  BUILD_ARGS+=" $(echo "--build-arg $arg")"
+done
+IFS=$' '
+
+# Build 3 latest git tags when the pipeline is triggered by a schedule, otherwise build the latest tag
+N_GIT_TAGS_TO_BUILD=1
+if [ "$CI_PIPELINE_SOURCE" == "schedule" ]; then
+  N_GIT_TAGS_TO_BUILD=3
+fi
+
+# Get the N_GIT_TAGS_TO_BUILD latest git tags containing the dd suffix
+GIT_TAGS_TO_BUILD=$(git --no-pager tag --sort=-creatordate --merged HEAD --list \*-dd\* | head -n $N_GIT_TAGS_TO_BUILD)
+
+while IFS= read -r GIT_TAG; do
+  git checkout "$GIT_TAG"
+
+  # Construct the image tag
+  IMAGE_TAG="$GIT_TAG"
+  if [ "$TARGET" = "debug" ]; then
+    IMAGE_TAG="${IMAGE_TAG}-debug"
+  fi
+  if [ "$CI_PIPELINE_SOURCE" == "schedule" ]; then
+    TIMESTAMP=${CI_PIPELINE_CREATED_AT//:/-}
+    TIMESTAMP=${TIMESTAMP,,}
+    IMAGE_TAG="${IMAGE_TAG}-${TIMESTAMP}"
+  fi
+  IMAGE_REF="registry.ddbuild.io/$IMAGE_NAME:$IMAGE_TAG"
+
+  # Find the right Cilium Runtime image to use for the main Cilium image build
+  if [ "$IMAGE_NAME" == "cilium" ]; then
+    CILIUM_RUNTIME_IMAGE="registry.ddbuild.io/cilium-runtime:$IMAGE_TAG"
+    BUILD_ARGS+=" --build-arg CILIUM_RUNTIME_IMAGE=$CILIUM_RUNTIME_IMAGE"
+  fi
+
+  METADATA_FILE=$(mktemp)
+  docker buildx build --platform linux/amd64,linux/arm64 \
+    --tag "$IMAGE_REF" \
+    --file "$DOCKERFILE_PATH" \
+    $BUILD_ARGS \
+    --label CILIUM_VERSION="$(cat VERSION)" \
+    --label target=prod \
+    --label CI_PIPELINE_ID="$CI_PIPELINE_ID" \
+    --label CI_JOB_ID="$CI_JOB_ID" \
+    --target "$TARGET" \
+    --push \
+    --metadata-file "$METADATA_FILE" \
+    "$DOCKER_CTX"
+
+  ddsign sign "$IMAGE_REF" --docker-metadata-file "$METADATA_FILE"
+
+  # Always build the debug version of the Cilium image
+  if [ "$IMAGE_NAME" == "cilium" ]; then
+    METADATA_FILE_DEBUG=$(mktemp)
+    docker buildx build --platform linux/amd64,linux/arm64 \
+      --tag "$IMAGE_REF"-debug \
+      --file "$DOCKERFILE_PATH" \
+      $BUILD_ARGS \
+      --label CILIUM_VERSION="$(cat VERSION)" \
+      --label target=debug \
+      --label CI_PIPELINE_ID="$CI_PIPELINE_ID" \
+      --label CI_JOB_ID="$CI_JOB_ID" \
+      --target debug \
+      --push \
+      --metadata-file "$METADATA_FILE_DEBUG" \
+      "$DOCKER_CTX"
+    ddsign sign "$IMAGE_REF"-debug --docker-metadata-file "$METADATA_FILE_DEBUG"
+  fi
+done <<< "$GIT_TAGS_TO_BUILD"

images/operator/Dockerfile

@@ -55,6 +55,10 @@ RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium \
     ./build-gops.sh
 
 FROM ${BASE_IMAGE} as release
+
+# Datadog Modification: operator has to run as root
+USER root
+
 # TARGETOS is an automatic platform ARG enabled by Docker BuildKit.
 ARG TARGETOS
 # TARGETARCH is an automatic platform ARG enabled by Docker BuildKit.

images/runtime/Dockerfile

@@ -27,6 +27,9 @@ RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium/images/r
 
 FROM ${UBUNTU_IMAGE} as rootfs
 
+# Datadog modification: to be able to run APT we need to be root, Cilium also need to run as root
+USER root
+
 # Change the number to force the generation of a new git-tree SHA. Useful when
 # we want to re-run 'apt-get upgrade' for stale images.
 ENV FORCE_BUILD=5
@@ -60,6 +63,5 @@ COPY --from=bpftool-dist /test /test
 RUN /test/bin/cst -C /test/llvm
 RUN /test/bin/cst -C /test/bpftool
 
-FROM scratch
-LABEL maintainer="[email protected]"
-COPY --from=rootfs / /
+# Datadog modification: do not squash the layers to not lose GBI labels
+FROM rootfs