Deploy a multiarch image (#706)

Previously, the "main" image was always an amd64 image, and there was
a secondary arm64 image that could be used with an explicit tag. This
makes the amd64 image also have an explicit tag, and replaces the normal
tagged image with a manifest file that will correctly route to the appropriate
architecture.

Co-authored-by: Bennett Sala <[email protected]>

Author: BennettJames

.github/actions/integration-test/action.yaml

@@ -56,7 +56,7 @@ runs:
         make test
 
     - name: Configure AWS Credentials (build)
-      uses: aws-actions/configure-aws-credentials@v1-node16
+      uses: aws-actions/configure-aws-credentials@v2
       with:
         aws-region: us-west-2
         role-to-assume: ${{ inputs.aws_role }}

.github/actions/push-image/action.yaml

@@ -0,0 +1,63 @@
+name: "Push Image"
+description: "Deploys the controller image into a given region"
+
+inputs:
+  src_host:
+    description: "URL of the source ECR repository to pull images from"
+    required: true
+  src_image_name:
+    description: "Name of the source image"
+    default: "amazon/appmesh-controller"
+    required: false
+  image_tag:
+    description: "Root tag of the image to pull and push"
+    required: true
+  region:
+    description: "AWS region to push images to"
+    required: true
+  dst_host:
+    description: "URL of the target ECR repository to push images to"
+    required: true
+  dst_image_name:
+    description: "Name of the destination image"
+    default: "amazon/appmesh-controller"
+    required: false
+  role:
+    description: "IAM role to assume to perform the deploys"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Configure AWS Credentials For Region
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        aws-region: "${{ inputs.region }}"
+        role-to-assume: "${{ inputs.role }}"
+        role-session-name: RegionalImageDeploy
+      env:
+        AWS_DEFAULT_REGION: ""
+        AWS_REGION: ""
+        AWS_ACCESS_KEY_ID: ""
+        AWS_SECRET_ACCESS_KEY: ""
+        AWS_SESSION_TOKEN: ""
+
+    - name: Push Images To Region
+      shell: bash
+      env:
+        SRC: "${{ inputs.src_host }}/${{ inputs.src_image_name }}:${{ inputs.image_tag }}"
+        DST: "${{ inputs.dst_host }}/${{ inputs.dst_image_name }}:${{ inputs.image_tag }}"
+      run: |
+        if [[ "${{ inputs.dst_host }}" =~ "public.ecr.aws" ]]; then
+          aws ecr-public get-login-password --region "us-east-1" | \
+            docker login --username AWS --password-stdin "public.ecr.aws"
+        else  
+          aws ecr get-login-password --region "${{ inputs.region }}" | \
+            docker login --username AWS --password-stdin "${{ inputs.dst_host }}"
+        fi
+        docker tag "${SRC}-linux_amd64" "${DST}-linux_amd64"
+        docker push "${DST}-linux_amd64"
+        docker tag "${SRC}-linux_arm64" "${DST}-linux_arm64"
+        docker push "${DST}-linux_arm64"
+        docker manifest create "$DST" "${DST}-linux_amd64" "${DST}-linux_arm64"
+        docker manifest push "$DST"

.github/workflows/beta-release.yaml

@@ -10,14 +10,8 @@ permissions:
   id-token: write
   contents: read
 
-env:
-  IMAGE_HOST: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
-  IMAGE: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller"
-  IMAGE_TAG: "${{ github.event.inputs.tag }}"
-  IMAGE_TAG_AMD: "${{ github.event.inputs.tag }}-linux_amd64"
-  IMAGE_TAG_ARM: "${{ github.event.inputs.tag }}-linux_arm64"
-
 jobs:
+
   integration-test:
     name: Integration Test
     runs-on: ubuntu-22.04
@@ -47,17 +41,19 @@ jobs:
           ref: refs/tags/${{ github.event.inputs.tag }}
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@v2
         with:
           aws-region: us-west-2
           role-to-assume: ${{ secrets.BETA_AWS_ROLE }}
           role-session-name: ImagePusher
 
       - name: Build Images
+        env:
+          IMAGE: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller:${{ github.event.inputs.tag }}"
         run: |
           aws ecr get-login-password --region us-west-2 | \
-            docker login --username AWS --password-stdin $IMAGE_HOST
-          # Note: right now, this pushes the amd image under the default. This
-          # behavior should be changed to supporting multiarch shortly.
-          docker buildx build --platform linux/amd64 -t "${IMAGE}:${IMAGE_TAG}" . --push
-          docker buildx build --platform linux/arm64 -t "${IMAGE}:${IMAGE_TAG_ARM}" . --push
+            docker login --username AWS --password-stdin "${IMAGE}"
+          docker buildx build --platform linux/amd64 -t "${IMAGE}-linux_amd64" . --push
+          docker buildx build --platform linux/arm64 -t "${IMAGE}-linux_arm64" . --push
+          docker manifest create "${IMAGE}" "${IMAGE}-linux_amd64" "${IMAGE}-linux_arm64"
+          docker manifest push "${IMAGE}"