Migrate CI to docker buildx and other improvements (#4765)

* Migrate CI to docker buildx and other improvements

## Motivation
- Improve build times in forks. Specially when rerunning builds because of some flaky test.
- Start using `docker buildx` to pave the way for multiplatform builds.

## Performance improvements
These timings were taken for the `kind_integration.yml` workflow when we merged and rerun the lodash bump PR (#4762)

Before these improvements:
- when merging: `24:18`
- when rerunning after merge (docker cache warm): `19:00`
- when running the same changes in a fork (no docker cache): `32:15`

After these improvements:
- when merging: `25:38`
- when rerunning after merge (docker cache warm): `19:25`
- when running the same changes in a fork (docker cache warm): `19:25`

As explained below, non-forks and forks now use the same cache, so the important take is that forks will always start with a warm cache and we'll no longer see long build times like the `32:15` above.
The downside is a slight increase in the build times for non-forks (up to a little more than a minute, depending on the case).

## Build containers in parallel
The `docker_build` job in the `kind_integration.yml`, `cloud_integration.yml` and `release.yml` workflows relied on running `bin/docker-build` which builds all the containers in sequence. Now each container is built in parallel using a matrix strategy.

## New caching strategy
CI now uses `docker buildx` for building the container images, which allows using an external cache source for builds, a location in the filesystem in this case. That location gets cached using actions/cache, using the key `{{ runner.os }}-buildx-${{ matrix.target }}-${{ env.TAG }}` and the restore key `${{ runner.os }}-buildx-${{ matrix.target }}-`.

For example when building the `web` container, its image and all the intermediary layers get cached under the key `Linux-buildx-web-git-abc0123`. When that has been cached in the `main` branch, that cache will be available to all the child branches, including forks. If a new branch in a fork asks for a key like `Linux-buildx-web-git-def456`, the key won't be found during the first CI run, but the system falls back to the key `Linux-buildx-web-git-abc0123` from `main` and so the build will start with a warm cache (more info about how keys are matched in the [actions/cache docs](https://docs.github.com/en/actions/configuring-and-managing-workflows/caching-dependencies-to-speed-up-workflows#matching-a-cache-key)).

## Packet host no longer needed
To benefit from the warm caches both in non-forks and forks like just explained, we're required to ditch doing the builds in Packet and now everything runs in the github runners VMs.
As a result there's no longer separate logic for non-forks and forks in the workflow files; `kind_integration.yml` was greatly simplified but `cloud_integration.yml` and `release.yml` got a little bigger in order to use the actions artifacts as a repository for the images built. This bloat will be fixed when support for [composite actions](https://github.com/actions/runner/blob/users/ethanchewy/compositeADR/docs/adrs/0549-composite-run-steps.md) lands in github.

## Local builds
You still are able to run `bin/docker-build` or any of the `docker-build.*` scripts. And to make use of buildx, run those same scripts after having set the env var `DOCKER_BUILDKIT=1`. Using buildx supposes you have installed it, as instructed [here](https://github.com/docker/buildx).

## Other
- A new script `bin/docker-cache-prune` is used to remove unused images from the cache. Without that the cache grows constantly and we can rapidly hit the 5GB limit (when the limit is attained the oldest entries get evicted).
- The `go-deps` dockerfile base image was changed from `golang:1.14.2` (ubuntu based) to `golang-1:14.2-alpine` also to conserve cache space.

# Addressed separately in #4875:

Got rid of the `go-deps` image and instead added something similar on top of all the Dockerfiles dealing with `go`, as a first stage for those Dockerfiles. That continues to serve as a way to pre-populate go's build cache, which speeds up the builds in the subsequent stages. That build should in theory be rebuilt automatically only when `go.mod` or `go.sum` change, and now we don't require running `bin/update-go-deps-shas`. That script was removed along with all the logic elsewhere that used it, including the `go_dependencies` job in the `static_checks.yml` github workflow.

The list of modules preinstalled was moved from `Dockerfile-go-deps` to a new script `bin/install-deps`. I couldn't find a way to generate that list dynamically, so whenever a slow-to-compile dependency is found, we have to make sure it's included in that list.

Although this simplifies the dev workflow, note that the real motivation behind this was a limitation in buildx's `docker-container` driver that forbids us from depending on images that haven't been pushed to a registry, so we have to resort to building the dependencies as a first stage in the Dockerfiles.

Author: alpeb

.dockerignore

@@ -7,6 +7,7 @@
 **/node_modules
 bin
 !bin/fetch-proxy
+!bin/install-deps
 !bin/web
 **/Dockerfile*
 Dockerfile*

.github/workflows/cloud_integration.yml

@@ -8,72 +8,62 @@ on:
     - main
 env:
   GH_ANNOTATION: true
+  DOCKER_BUILDKIT: 1
 jobs:
-  # todo: Keep in sync with `release.yml`
   docker_build:
-    name: Docker build
     runs-on: ubuntu-18.04
+    strategy:
+      matrix:
+        target: [proxy, controller, web, cni-plugin, debug, cli-bin, grafana]
+    name: Docker build (${{ matrix.target }})
     steps:
     - name: Checkout code
       # actions/checkout@v2
       uses: actions/checkout@722adc6
-    - name: Setup SSH config for Packet
+    - name: Set environment variables from scripts
       run: |
-        mkdir -p ~/.ssh/
-        touch ~/.ssh/id && chmod 600 ~/.ssh/id
-        echo "${{ secrets.DOCKER_SSH_CONFIG }}"  > ~/.ssh/config
-        echo "${{ secrets.DOCKER_PRIVATE_KEY }}" > ~/.ssh/id
-        echo "${{ secrets.DOCKER_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
-        ssh linkerd-docker docker version
+        . bin/_tag.sh
+        echo ::set-env name=TAG::$(CI_FORCE_CLEAN=1 bin/root-tag)
+
+        . bin/_docker.sh
+        echo ::set-env name=DOCKER_REGISTRY::$DOCKER_REGISTRY
+        echo ::set-env name=DOCKER_BUILDKIT_CACHE::${{ runner.temp }}/.buildx-cache
+    - name: Cache docker layers
+      # actions/[email protected]
+      uses: actions/cache@b820478
+      with:
+        path: ${{ env.DOCKER_BUILDKIT_CACHE }}
+        key: ${{ runner.os }}-buildx-${{ matrix.target }}-${{ env.TAG }}
+        restore-keys: |
+          ${{ runner.os }}-buildx-${{ matrix.target }}-
     - name: Build docker images
       env:
-        DOCKER_HOST: ssh://linkerd-docker
         DOCKER_TRACE: 1
       run: |
-        export PATH="`pwd`/bin:$PATH"
-        bin/docker-build
-  # todo: Keep in sync with `release.yml`
-  docker_push:
-    name: Docker push
-    runs-on: ubuntu-18.04
-    needs: [docker_build]
-    steps:
-    - name: Checkout code
-      # actions/checkout@v2
-      uses: actions/checkout@722adc6
-    - name: Set environment variables from scripts
-      run: |
-        . bin/_tag.sh
-        echo ::set-env name=TAG::$(CI_FORCE_CLEAN=1 bin/root-tag)
+        docker buildx create --driver docker-container --use
+        bin/docker-build-${{ matrix.target }}
     - name: Configure gcloud
       # linkerd/[email protected]
       uses: linkerd/linkerd2-action-gcloud@308c4df
       with:
         cloud_sdk_service_account_key: ${{ secrets.CLOUD_SDK_SERVICE_ACCOUNT_KEY }}
         gcp_project: ${{ secrets.GCP_PROJECT }}
         gcp_zone: ${{ secrets.GCP_ZONE }}
-    - name: Docker SSH setup
-      run: |
-        mkdir -p ~/.ssh/
-        touch ~/.ssh/id && chmod 600 ~/.ssh/id
-        echo "${{ secrets.DOCKER_SSH_CONFIG }}"  > ~/.ssh/config
-        echo "${{ secrets.DOCKER_PRIVATE_KEY }}" > ~/.ssh/id
-        echo "${{ secrets.DOCKER_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
-        ssh linkerd-docker docker version
     - name: Push docker images to registry
-      env:
-        DOCKER_HOST: ssh://linkerd-docker
       run: |
-        export PATH="`pwd`/bin:$PATH"
-        bin/docker-push-deps
-        bin/docker-push $TAG
-        bin/docker-retag-all $TAG main
-        bin/docker-push main
+        . bin/_docker.sh
+        docker_push "${{ matrix.target }}" "$TAG"
+        docker_retag "${{ matrix.target }}" "$TAG" main
+        docker_push "${{ matrix.target }}" main
+    - name: Prune docker layers cache
+      # changes generate new images while the existing ones don't get removed
+      # so we manually do that to avoid bloating the cache
+      run: bin/docker-cache-prune
   # todo: Keep in sync with `release.yml`
   cloud_integration_tests:
     name: Cloud integration tests
     runs-on: ubuntu-18.04
-    needs: [docker_push]
+    needs: [docker_build]
     steps:
     - name: Checkout code
       # actions/checkout@v2
@@ -90,14 +80,14 @@ jobs:
       id: install_cli
       run: |
         TAG="$(CI_FORCE_CLEAN=1 bin/root-tag)"
-        image="gcr.io/linkerd-io/cli-bin:$TAG"
-        id=$(bin/docker create $image)
-        bin/docker cp "$id:/out/linkerd-linux" "$HOME/.linkerd"
-        "$HOME/.linkerd" version --client
+        CMD="$PWD/target/release/linkerd2-cli-$TAG-linux"
+        bin/docker-pull-binaries $TAG
+        $CMD version --client
         # validate CLI version matches the repo
-        [[ "$TAG" == "$($HOME/.linkerd version --short --client)" ]]
+        [[ "$TAG" == "$($CMD version --short --client)" ]]
         echo "Installed Linkerd CLI version: $TAG"
-        echo "::set-output name=tag::$TAG"
+        echo "::set-env name=CMD::$CMD"
+        echo "::set-env name=TAG::$TAG"
     - name: Create GKE cluster
       # linkerd/[email protected]
       uses: linkerd/linkerd2-action-gcloud@308c4df
@@ -107,17 +97,15 @@ jobs:
         gcp_zone: ${{ secrets.GCP_ZONE }}
         preemptible: false
         create: true
-        name: testing-${{ steps.install_cli.outputs.tag }}-${{ github.run_id }}
+        name: testing-${{ env.TAG }}-${{ github.run_id }}
         num_nodes: 2
     - name: Run integration tests
       env:
         GITCOOKIE_SH: ${{ secrets.GITCOOKIE_SH }}
       run: |
-        export PATH="`pwd`/bin:$PATH"
         echo "$GITCOOKIE_SH" | bash
-        version="$($HOME/.linkerd version --client --short | tr -cd '[:alnum:]-')"
-        bin/tests --skip-kind-create "$HOME/.linkerd"
+        bin/tests --skip-kind-create "$CMD"
     - name: CNI tests
       run: |
-        export TAG="$($HOME/.linkerd version --client --short)"
+        export TAG="$($CMD version --client --short)"
         go test -cover -race -v -mod=readonly ./cni-plugin/test -integration-tests

.github/workflows/kind_integration.yml

@@ -9,10 +9,14 @@ on:
     - main
 env:
   GH_ANNOTATION: true
+  DOCKER_BUILDKIT: 1
 jobs:
   docker_build:
-    name: Docker build
     runs-on: ubuntu-18.04
+    strategy:
+      matrix:
+        target: [proxy, controller, web, cni-plugin, debug, cli-bin, grafana]
+    name: Docker build (${{ matrix.target }})
     steps:
     - name: Checkout code
       # actions/checkout@v2
@@ -24,39 +28,35 @@ jobs:
 
         . bin/_docker.sh
         echo ::set-env name=DOCKER_REGISTRY::$DOCKER_REGISTRY
-    - name: Setup SSH config for Packet
-      if: github.event_name == 'push' || !github.event.pull_request.head.repo.fork
-      run: |
-        mkdir -p ~/.ssh/
-        touch ~/.ssh/id && chmod 600 ~/.ssh/id
-        echo "${{ secrets.DOCKER_SSH_CONFIG }}"  > ~/.ssh/config
-        echo "${{ secrets.DOCKER_PRIVATE_KEY }}" > ~/.ssh/id
-        echo "${{ secrets.DOCKER_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
-        ssh linkerd-docker docker version
-        echo ::set-env name=DOCKER_HOST::ssh://linkerd-docker
+        echo ::set-env name=DOCKER_BUILDKIT_CACHE::${{ runner.temp }}/.buildx-cache
+    - name: Cache docker layers
+      # actions/[email protected]
+      uses: actions/cache@b820478
+      with:
+        path: ${{ env.DOCKER_BUILDKIT_CACHE }}
+        key: ${{ runner.os }}-buildx-${{ matrix.target }}-${{ env.TAG }}
+        restore-keys: |
+          ${{ runner.os }}-buildx-${{ matrix.target }}-
     - name: Build docker images
       env:
         DOCKER_TRACE: 1
       run: |
-        export PATH="`pwd`/bin:$PATH"
-        bin/docker-build
+        docker buildx create --driver docker-container --use
+        bin/docker-build-${{ matrix.target }}
+    - name: Prune docker layers cache
+      # changes generate new images while the existing ones don't get removed
+      # so we manually do that to avoid bloating the cache
+      run: bin/docker-cache-prune
     - name: Create artifact with CLI and image archives
       env:
         ARCHIVES: /home/runner/archives
       run: |
         mkdir -p $ARCHIVES
-
-        for image in proxy controller web cni-plugin debug cli-bin grafana; do
-          docker save "$DOCKER_REGISTRY/$image:$TAG" > $ARCHIVES/$image.tar || tee save_fail &
-        done
-
+        docker save "$DOCKER_REGISTRY/${{ matrix.target }}:$TAG" > $ARCHIVES/${{ matrix.target }}.tar
         # save windows cli into artifacts
-        cp -r ./target/cli/windows/linkerd $ARCHIVES/linkerd-windows.exe
-
-        # Wait for `docker save` background processes to complete. Exit early
-        # if any job failed.
-        wait < <(jobs -p)
-        test -f save_fail && exit 1 || true
+        if [ '${{ matrix.target }}' == 'cli-bin' ]; then
+          cp -r ./target/cli/windows/linkerd $ARCHIVES/linkerd-windows.exe
+        fi
     # `with.path` values do not support environment variables yet, so an
     # absolute path is used here.
     #
@@ -92,7 +92,6 @@ jobs:
     - name: Run CLI Integration tests
       run: |
         go test --failfast --mod=readonly ".\test\cli" --linkerd=$PWD\image-archives\linkerd-windows.exe --cli-tests -v
-  # todo: Keep in sync with `release.yml`
   kind_integration_tests:
     strategy:
       matrix:
@@ -127,31 +126,12 @@ jobs:
 
         . bin/_docker.sh
         echo ::set-env name=DOCKER_REGISTRY::$DOCKER_REGISTRY
-    - name: Setup SSH config for Packet
-      if: github.event_name == 'push' || !github.event.pull_request.head.repo.fork
-      run: |
-        mkdir -p ~/.ssh/
-        touch ~/.ssh/id && chmod 600 ~/.ssh/id
-        echo "${{ secrets.DOCKER_SSH_CONFIG }}"  > ~/.ssh/config
-        echo "${{ secrets.DOCKER_PRIVATE_KEY }}" > ~/.ssh/id
-        echo "${{ secrets.DOCKER_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
-    - name: Download image archives (Forked repositories)
-      if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork
+    - name: Download image archives
       # actions/download-artifact@v1
       uses: actions/download-artifact@18f0f59
       with:
         name: image-archives
     - name: Load cli-bin image into local docker images
-      if: github.event_name == 'push' || !github.event.pull_request.head.repo.fork
-      run: |
-        # `docker load` only accepts input from STDIN, so pipe the image
-        # archive into the command.
-        #
-        # In order to pipe the image archive, set `DOCKER_HOST` for a single
-        # command and `docker save` the CLI image from the Packet host.
-        DOCKER_HOST=ssh://linkerd-docker docker save "$DOCKER_REGISTRY/cli-bin:$TAG" | docker load
-    - name: Load cli-bin image into local docker images (Forked repositories)
-      if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork
       run: docker load < image-archives/cli-bin.tar
     - name: Install CLI
       run: |
@@ -162,10 +142,5 @@ jobs:
         # Validate the CLI version matches the current build tag.
         [[ "$TAG" == "$($HOME/.linkerd version --short --client)" ]]
     - name: Run integration tests
-      if: github.event_name == 'push' || !github.event.pull_request.head.repo.fork
-      run: |
-        bin/tests --images --images-host ssh://linkerd-docker --name ${{ matrix.integration_test }} "$HOME/.linkerd"
-    - name: Run integration tests (Forked repositories)
-      if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork
       run: |
         bin/tests --images --name ${{ matrix.integration_test }} "$HOME/.linkerd"