Merge pull request #52 from CrowdStrike/add-multi-arch-builds

fix: add support for multi arch builds

.github/workflows/build.yml

@@ -0,0 +1,55 @@
+name: Multi-arch build
+
+on:
+  push:
+    paths-ignore:
+      - '**.md'
+
+env:
+  IMAGE_TAG: latest
+  IMAGE_REGISTRY: quay.io
+  IMAGE_REPOSITORY: crowdstrike/cloud-tools-image
+
+jobs:
+  build-multiarch-image:
+    name: Build multi-architecture image
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Install qemu dependency
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y qemu-user-static
+
+      - name: Checkout project
+        uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          platforms: linux/arm64,linux/amd64
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.IMAGE_REGISTRY }}
+          username: ${{ secrets.REGISTRY_LOGIN }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build and push
+        id: build_image_multiarch
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/arm64,linux/amd64
+          push: true
+          tags: |
+            ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPOSITORY }}:${{ env.IMAGE_TAG }}
+
+      - name: Check manifest
+        run: |
+          docker buildx imagetools inspect ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPOSITORY }}:${{ env.IMAGE_TAG }}

Dockerfile

@@ -1,9 +1,16 @@
-FROM quay.io/centos/centos:stream8 as builder
+FROM registry.access.redhat.com/ubi9/ubi as builder
+
+# Get target architecture
+ARG TARGETARCH
 
 RUN dnf install -y unzip golang-bin git
 
 # eksctl cli
-RUN curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp
+RUN PLATFORM="Linux_${TARGETARCH}" && \
+    curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz" && \
+    curl -sL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep $PLATFORM | sha256sum --check && \
+    tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && \
+    rm eksctl_$PLATFORM.tar.gz
 
 # helm
 RUN curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
@@ -17,26 +24,27 @@ RUN curl -sS https://webinstall.dev/k9s | bash
 RUN curl -sSfL https://raw.githubusercontent.com/crowdstrike/gofalcon/main/examples/install | sh -s
 
 
-FROM quay.io/centos/centos:stream8
+FROM registry.access.redhat.com/ubi9/ubi
 
 COPY --from=builder /tmp/eksctl /usr/local/bin/helm /bin/
 COPY --from=builder /root/go/bin/docker-credential-ecr-login /usr/bin/falcon_sensor_download /usr/bin/falcon_registry_token /usr/bin/falcon_get_cid /bin/
 COPY --from=builder /root/.local/bin/k9s /bin/
 COPY .docker /root/.docker
 COPY demo-yamls /root/demo-yamls
-COPY kubernetes.repo google-cloud-sdk.repo azure-cli.repo /etc/yum.repos.d/
+COPY kubernetes.repo google-cloud-sdk.repo /etc/yum.repos.d/
 COPY falcon-node-sensor-build falcon-node-sensor-push falcon-container-sensor-push falcon-image-pull-token /bin/
 
 RUN : \
     && dnf update -y \
-    && dnf install -y kubectl groff-base bash-completion google-cloud-sdk tmux git \
-    && curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
+    && dnf install -y kubectl groff-base bash-completion google-cloud-sdk git \
+    && curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "awscliv2.zip" \
     && dnf install -y zip \
     && unzip awscliv2.zip \
     && dnf history undo last -y \
     && ./aws/install \
     && curl  https://download.docker.com/linux/centos/docker-ce.repo > /etc/yum.repos.d/docker-ce.repo \
     && rpm --import https://packages.microsoft.com/keys/microsoft.asc \
+    && dnf install -y https://packages.microsoft.com/config/rhel/9.0/packages-microsoft-prod.rpm \
     && dnf install -y docker-ce docker-ce-cli containerd.io azure-cli \
     && dnf install -y skopeo --nobest --allowerasing jq \
     && dnf clean all \

Makefile

@@ -0,0 +1,19 @@
+# Image URL to use all building/pushing image targets
+IMG ?= cloud-tools-image:latest
+
+# PLATFORMS defines the target platforms for  the manager image be build to provide support to multiple
+# architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to:
+# - able to use docker buildx . More info: https://docs.docker.com/build/buildx/
+# - have enable BuildKit, More info: https://docs.docker.com/develop/develop-images/build_enhancements/
+# - be able to push the image for your registry (i.e. if you do not inform a valid value via IMG=<myregistry/image:<tag>> than the export will fail)
+# To properly provided solutions that supports more than one platform you should use this option.
+PLATFORMS ?= linux/arm64,linux/amd64
+.PHONY: docker-buildx
+docker-buildx: ## Build and push docker image for the manager for cross-platform support
+	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
+	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
+	- docker buildx create --name project-v3-builder
+	docker buildx use project-v3-builder
+	- docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross .
+	- docker buildx rm project-v3-builder
+	rm Dockerfile.cross

README.md

@@ -1,6 +1,50 @@
 # cloud-tools-image [![Docker Repository on Quay](https://quay.io/repository/crowdstrike/cloud-tools-image/status "Docker Repository on Quay")](https://quay.io/repository/crowdstrike/cloud-tools-image)
 
+## Downloading & Usage
+
+### Download via Quay.io
+
+Container images hosted at [https://quay.io/repository/crowdstrike/cloud-tools-image](https://quay.io/repository/crowdstrike/cloud-tools-image) are automatically rebuilt as mult-architecture images with every merged pull request. Pull this container with the following Docker (or podman!) command:
+
+Using Docker CLI:
+
+```shell
+docker pull quay.io/crowdstrike/cloud-tools-image
+```
+
+Using Podman CLI:
+
+```shell
+podman pull quay.io/crowdstrike/cloud-tools-image
 ```
+
+If a specific architecture is desired to be used, add the `--platform` flag with the desired architecture(s): `linux/arm64,linux/amd64,linux/s390x,linux/ppc64le`
+
+### Build from Source
+
+Clone this repository and build the container using ``docker build`` or ``podman build``:
+
+With Docker CLI:
+
+```shell
+docker build -t <your_repository>/cloud-tools-image .
+```
+
+Podman CLI:
+
+```shell
+podman build -t <your_repository>/cloud-tools-image .
+```
+
+Multi-architecture Build (requires Docker with BuildKit):
+
+```shell
+make docker-buildx
+```
+
+### Usage
+
+```shell
 docker run --privileged=true \
     -v /var/run/docker.sock:/var/run/docker.sock \
     -v ~/.aws:/root/.aws:ro -it --rm \
@@ -18,19 +62,20 @@ Cloud-tools-image is a collection of command-line tools for remote communication
 Cloud-tools-image is an open source project, not a CrowdStrike product. As such it carries no formal support, expressed or implied.
 
 This container contains following command-line tools:
- * falcon-image-pull-token command
- * falcon-container-sensor-push command
- * falcon-node-sensor-push command
- * falcon-node-sensor-build command (deprecated)
- * aws command
- * eksctl command
- * kubectl command
- * docker command
- * docker-credential-ecr-login helper (configured)
- * gcloud command
- * az command
- * helm command
- * k9s command
+
+- falcon-image-pull-token command
+- falcon-container-sensor-push command
+- falcon-node-sensor-push command
+- falcon-node-sensor-build command (deprecated)
+- aws command
+- eksctl command
+- kubectl command
+- docker command
+- docker-credential-ecr-login helper (configured)
+- gcloud command
+- az command
+- helm command
+- k9s command
 
 ## Demo Yamls
 
@@ -39,4 +84,4 @@ The demo-yamls folder is a collection of threats in containers that can be deplo
 This command can be used to list all resources deployed:
 ```
 kubectl get all --selector=app.kubernetes.io/part-of=crowdstrike-demo
-```
+```

google-cloud-sdk.repo

@@ -1,8 +1,8 @@
 [google-cloud-sdk]
 name=Google Cloud SDK
-baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el7-x86_64
+baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el9-$basearch
 enabled=1
 gpgcheck=1
 repo_gpgcheck=1
 gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
-       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
+       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg

kubernetes.repo

@@ -1,7 +1,7 @@
 [kubernetes]
 name=Kubernetes
-baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
+baseurl=https://pkgs.k8s.io/core:/stable:/v1.28/rpm/
 enabled=1
 gpgcheck=1
 repo_gpgcheck=1
-gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
+gpgkey=https://pkgs.k8s.io/core:/stable:/v1.28/rpm/repodata/repomd.xml.key