fix(ci): publish multi-arch image to multiple registry (#1709)

## Which problem is this PR solving?

- #1708 

`ko` does produce a multi-arch image, but `docker push` doesn't push a
multi-arch image.

## Short description of the changes

This PR uses `crane cp` which has multi-arch support to copy multi-arch
image manifests between registries.

- wire up `crane` as a docker build dependency
- reorganize `build_docker.sh` to use a `PRIMARY_DOCKER_REPO`
environment variable to designate a prime destination for a particular
build
- if left unset, `ko.local` is the default and the image will only be
built and "published" to the local registry
- if set, the image build will be published to the given registry target
along with the appropriate tags as determined by the build script
- `COPY_DOCKER_REPOS` replaces `KO_DOCKER_REPOS`
- a comma-separated list of **additional** registry repos to copy the
image published to `PRIMARY_DOCKER_REPO`
  - same collection of tags will be applied to the copies

---------

Co-authored-by: Robb Kidd <[email protected]>

Author: VinozzZ

.circleci/config.yml

@@ -56,11 +56,12 @@ commands:
       - restore_cache:
           keys:
             - v2-googleko-{{ checksum "Makefile" }}
-      - run: make ko
+      - run: make ko crane
       - save_cache:
           key: v2-googleko-{{ checksum "Makefile" }}
           paths:
             - ./ko
+            - ./crane
 
 jobs:
   test:
@@ -231,7 +232,7 @@ jobs:
       - run:
           name: build and publish to private ECR
           command: |
-            export KO_DOCKER_REPO="${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com"
+            export PRIMARY_DOCKER_REPO="${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com"
             ./build-docker.sh
 
   publish_docker_to_ecr_sippycup:
@@ -255,7 +256,7 @@ jobs:
       - run:
           name: publish docker image to aws ecr
           environment:
-            KO_DOCKER_REPO: 017118846235.dkr.ecr.us-east-1.amazonaws.com
+            PRIMARY_DOCKER_REPO: 017118846235.dkr.ecr.us-east-1.amazonaws.com
           command: ./build-docker.sh
 
   publish_docker_to_all_public_registries:
@@ -280,7 +281,8 @@ jobs:
       - run:
           name: build once and publish to all public registries
           command: |
-            export KO_DOCKER_REPOS="${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com,honeycombio,public.ecr.aws/honeycombio,ghcr.io/honeycombio/refinery"
+            export PRIMARY_DOCKER_REPO="honeycombio"
+            export COPY_DOCKER_REPOS="${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com,public.ecr.aws/honeycombio,ghcr.io/honeycombio/refinery"
             echo "${DOCKER_PASSWORD}" | docker login -u "${DOCKER_USERNAME}" --password-stdin
             echo "${GITHUB_TOKEN}" | docker login ghcr.io -u "${GITHUB_USERNAME}" --password-stdin
             ./build-docker.sh

.gitignore

@@ -30,4 +30,6 @@ dockerize*
 # cache for ko-build/
 ko-cache/
 ko
-ko*.tar.gz
+ko*.tar.gz
+crane
+crane*.tar.gz

Makefile

@@ -27,14 +27,13 @@ test_all: test_results wait_for_redis
 test_results:
 	@mkdir -p test_results
 
-local_image: export KO_DOCKER_REPO=ko.local
+local_image: export PRIMARY_DOCKER_REPO=ko.local
 local_image: export CIRCLE_TAG=$(shell git describe --always --match "v[0-9]*" --tags)
 local_image: export CIRCLE_BRANCH=$(shell git rev-parse --abbrev-ref HEAD)
 local_image: export CIRCLE_SHA1=$(shell git rev-parse HEAD)
-local_image: export CIRCLE_BUILD_NUM=''
 local_image: export SOURCE_DATE_EPOCH=$(call __latest_modification_time)
 #: build the release image locally, available as "ko.local/refinery:<commit>"
-local_image:
+local_image: ko crane
 	./build-docker.sh
 
 .PHONY: wait_for_redis
@@ -51,14 +50,14 @@ HOST_OS := $(shell uname -s | tr A-Z a-z)
 # You can override this version from an environment variable.
 KO_VERSION ?= 0.11.2
 KO_RELEASE_ASSET := ko_${KO_VERSION}_${HOST_OS}_x86_64.tar.gz
-# ensure the dockerize command is available
+# ensure the ko command is available
 ko: ko_${KO_VERSION}.tar.gz
 	tar xzvmf $< ko
 	chmod u+x ./ko
 
 ko_${KO_VERSION}.tar.gz:
 	@echo
-	@echo "+++ Retrieving dockerize tool for Redis readiness check."
+	@echo "+++ Retrieving ko tool for container building."
 	@echo
 # make sure that file is available
 ifeq (, $(shell command -v file))
@@ -71,6 +70,29 @@ endif
 	&& file ko_tmp.tar.gz | grep --silent gzip \
 	&& mv ko_tmp.tar.gz $@ || (echo "Failed to download ko. Got:"; cat ko_tmp.tar.gz ; echo "" ; exit 1)
 
+# You can override this version from an environment variable.
+CRANE_VERSION ?= 0.19.1
+CRANE_RELEASE_ASSET := go-containerregistry_${HOST_OS}_x86_64.tar.gz
+# ensure the crane command is available
+crane: crane_${CRANE_VERSION}.tar.gz
+	tar xzvmf $< crane
+	chmod u+x ./crane
+
+crane_${CRANE_VERSION}.tar.gz:
+	@echo
+	@echo "+++ Retrieving crane tool for container registry operations."
+	@echo
+# make sure that file is available
+ifeq (, $(shell command -v file))
+	sudo apt-get update
+	sudo apt-get -y install file
+endif
+	curl --location --silent --show-error \
+	    --output crane_tmp.tar.gz \
+	    https://github.com/google/go-containerregistry/releases/download/v${CRANE_VERSION}/${CRANE_RELEASE_ASSET} \
+	&& file crane_tmp.tar.gz | grep --silent gzip \
+	&& mv crane_tmp.tar.gz $@ || (echo "Failed to download crane. Got:"; cat crane_tmp.tar.gz ; echo "" ; exit 1)
+
 __latest_modification_time := $(strip $(if $(shell git diff --quiet && echo $$?), \
 $(shell git log --max-count=1 --pretty=format:"%ct"), \
 $(shell git status --short --untracked-files=no --no-column | cut -w -f 3 | xargs ls -ltr -D "%s" | tail -n 1 | cut -w -f 6)))
@@ -105,6 +127,10 @@ endif
 clean:
 	rm -f dockerize.tar.gz
 	rm -f dockerize
+	rm -f ko_*.tar.gz
+	rm -f ko
+	rm -f crane_*.tar.gz
+	rm -f crane
 	rm -rf test_results
 
 

build-docker.sh

@@ -63,54 +63,41 @@ unset GOARCH
 export GOFLAGS="-ldflags=-X=main.BuildID=$VERSION"
 export SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-$(make latest_modification_time)}
 
-# If KO_DOCKER_REPOS is set (comma-separated list), build once and push to multiple registries
-if [[ -n "${KO_DOCKER_REPOS:-}" ]]; then
-  # Build the image once to a local registry first
-  LOCAL_REPO="ko.local"
-  ORIGINAL_REPO="${KO_DOCKER_REPO:-ko.local}"
-  export KO_DOCKER_REPO="$LOCAL_REPO"
-
-  echo "Building image locally with ko for multi-registry push..."
-  # shellcheck disable=SC2086
-  IMAGE_REF=$(./ko publish \
-    --tags "${TAGS}" \
-    --base-import-paths \
-    --platform "linux/amd64,linux/arm64" \
-    --image-label org.opencontainers.image.source=https://github.com/honeycombio/refinery \
-    --image-label org.opencontainers.image.licenses=Apache-2.0 \
-    --image-label org.opencontainers.image.revision=${GIT_COMMIT} \
-    ./cmd/refinery)
-
-  echo "Built image: $IMAGE_REF"
-  echo "Pushing to multiple registries: $KO_DOCKER_REPOS"
-  
-  IFS=',' read -ra REPOS <<< "$KO_DOCKER_REPOS"
+# Build the image once, either to a remote registry designated by PRIMARY_DOCKER_REPO
+# or to the local repository as "ko.local/refinery:<tags>" if PRIMARY_DOCKER_REPO is not set.
+export KO_DOCKER_REPO="${PRIMARY_DOCKER_REPO:-ko.local}"
+
+echo "Building image locally with ko for multi-registry push..."
+# shellcheck disable=SC2086
+IMAGE_REF=$(./ko publish \
+  --tags "${TAGS}" \
+  --base-import-paths \
+  --platform "linux/amd64,linux/arm64" \
+  --image-label org.opencontainers.image.source=https://github.com/honeycombio/refinery \
+  --image-label org.opencontainers.image.licenses=Apache-2.0 \
+  --image-label org.opencontainers.image.revision=${GIT_COMMIT} \
+  ./cmd/refinery)
+
+echo "Built image: ${IMAGE_REF}"
+
+# If COPY_DOCKER_REPOS is set, copy the built image to each of the listed registries.
+# This is a comma-separated list of registry/repo names, e.g.
+#   "public.ecr.aws/honeycombio,ghcr.io/honeycombio/refinery"
+if [[ -n "${COPY_DOCKER_REPOS:-}" ]]; then
+  echo "Pushing to multiple registries: ${COPY_DOCKER_REPOS}"
+
+  IFS=',' read -ra REPOS <<< "$COPY_DOCKER_REPOS"
   for REPO in "${REPOS[@]}"; do
     REPO=$(echo "$REPO" | xargs) # trim whitespace
     echo "Tagging and pushing to: $REPO"
-    
+
     # Tag for each tag in the TAGS list
     IFS=',' read -ra TAG_LIST <<< "$TAGS"
     for TAG in "${TAG_LIST[@]}"; do
       TAG=$(echo "$TAG" | xargs) # trim whitespace
       TARGET_IMAGE="$REPO/refinery:$TAG"
-      echo "Tagging $IMAGE_REF as $TARGET_IMAGE"
-      docker tag "$IMAGE_REF" "$TARGET_IMAGE"
-      echo "Pushing $TARGET_IMAGE"
-      docker push "$TARGET_IMAGE"
+      echo "Copying $IMAGE_REF to $TARGET_IMAGE"
+      ./crane copy "$IMAGE_REF" "$TARGET_IMAGE"
     done
   done
-else
-  # Single registry mode - use ko publish directly
-  export KO_DOCKER_REPO=${KO_DOCKER_REPO:-ko.local}
-  echo "Publishing to single registry: $KO_DOCKER_REPO"
-  # shellcheck disable=SC2086
-  ./ko publish \
-    --tags "${TAGS}" \
-    --base-import-paths \
-    --platform "linux/amd64,linux/arm64" \
-    --image-label org.opencontainers.image.source=https://github.com/honeycombio/refinery \
-    --image-label org.opencontainers.image.licenses=Apache-2.0 \
-    --image-label org.opencontainers.image.revision=${GIT_COMMIT} \
-    ./cmd/refinery
 fi