From 3535dd292a3f20b67b63db33bb8eba9fcbffe34d Mon Sep 17 00:00:00 2001
From: Thomas Ferrandiz
Date: Thu, 22 Aug 2024 13:11:45 +0000
Subject: [PATCH] Add multus thick plugin image build and release
This allows us to support both operating mode of multus.
---
 .github/workflows/build.yml | 30 +++++++++++++++++++++++++++++-
 .github/workflows/image-push.yml | 15 ++++++++++++++-
 Dockerfile | 21 +++++++++++++++------
 Makefile | 19 ++++++++++++++++---
 4 files changed, 74 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7eb205f..a4f1287 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -21,13 +21,26 @@ jobs:
 id: get-TAG
 run: |
 echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
- - name: Build container image
+
+ - name: Build thin plugin image
 uses: docker/build-push-action@v6
 with:
 context: .
 push: false
 tags: rancher/hardened-multus-cni:${{ env.TAG }}-amd64
 file: Dockerfile
+ target: multus-thin
+ build-args: |
+ TAG=${{ env.TAG }}
+
+ - name: Build thick plugin image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: false
+ tags: rancher/hardened-multus-thick:${{ env.TAG }}-amd64
+ file: Dockerfile
+ target: multus-thick
 build-args: |
 TAG=${{ env.TAG }}
@@ -40,6 +53,7 @@ jobs:
 severity: 'CRITICAL,HIGH'
 format: 'sarif'
 output: 'trivy-results.sarif'
+
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
 if: always()
@@ -69,6 +83,20 @@ jobs:
 push: false
 tags: rancher/hardened-multus-cni:${{ env.TAG }}-arm64
 file: Dockerfile
+ target: multus-thin
+ outputs: type=docker
+ platforms: linux/arm64
+ build-args: |
+ TAG=${{ env.TAG }}
+
+ - name: Build thick plugin image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: false
+ tags: rancher/hardened-multus-thick:${{ env.TAG }}-arm64
+ file: Dockerfile
+ target: multus-thick
 outputs: type=docker
 platforms: linux/arm64
 build-args: |
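Review bot: The new `Build thick plugin image` steps (amd64 in the first hunk, arm64 in the third) produce `rancher/hardened-multus-thick:${{ env.TAG }}-<arch>`, but the Trivy step in the middle hunk changes only by a blank line and its image reference lies outside the hunk, so as far as this diff shows the thick image is never scanned for CRITICAL/HIGH findings before the release workflow pushes it. Either add a second scan step for the thick tag with its own `output:` file (two scans writing `trivy-results.sarif` would clobber each other) and a distinct `category` on the `upload-sarif` step, or restructure the job as a matrix over `[thin, thick]` so each build stays paired with its scan. The two build steps are otherwise copy-pasted and will drift the next time `build-args` or `platforms` changes; the matrix also solves that.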
diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml
index 9124a9e..1060886 100644
--- a/.github/workflows/image-push.yml
+++ b/.github/workflows/image-push.yml
@@ -42,13 +42,26 @@ jobs:
 username: ${{ env.DOCKER_USERNAME }}
 password: ${{ env.DOCKER_PASSWORD }}
- - name: Build container image
+ - name: Build thin plugin image
 uses: docker/build-push-action@v6
 with:
 context: .
 push: true
 tags: rancher/hardened-multus-cni:${{ github.event.release.tag_name }}
 file: Dockerfile
+ target: multus-thin
+ platforms: linux/amd64, linux/arm64
+ build-args: |
+ TAG=${{ env.TAG }}
+
+ - name: Build thick plugin image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: true
+ tags: rancher/hardened-multus-thick:${{ github.event.release.tag_name }}
+ file: Dockerfile
+ target: multus-thick
 platforms: linux/amd64, linux/arm64
 build-args: |
 TAG=${{ env.TAG }}
diff --git a/Dockerfile b/Dockerfile
index ddcc52d..e917a8e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,9 @@
 ARG GO_IMAGE=rancher/hardened-build-base:v1.21.11b3
 # Image that provides cross compilation tooling.
-FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.3.0 as xx
+FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.3.0 AS xx
-FROM --platform=$BUILDPLATFORM ${GO_IMAGE} as base-builder
+FROM --platform=$BUILDPLATFORM ${GO_IMAGE} AS base-builder
 # copy xx scripts to your build stage
 COPY --from=xx / /
 RUN apk add file make git clang lld patch
@@ -12,7 +12,7 @@ RUN set -x && \
 xx-apk --no-cache add musl-dev gcc lld
 # Build the multus project
-FROM base-builder as multus-builder
+FROM base-builder AS multus-builder
 ARG TAG=v4.1.0
 ARG SRC=github.com/k8snetworkplumbingwg/multus-cni
 ARG PKG=github.com/k8snetworkplumbingwg/multus-cni
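Review bot: The added thick step is a verbatim copy of the thin step with only `target` and `tags` changed, so the two will drift the next time someone edits `platforms` or `build-args`; a `strategy.matrix` over `{target: multus-thin, image: hardened-multus-cni}` / `{target: multus-thick, image: hardened-multus-thick}` feeding one build step would keep them in lockstep. Since this is the step that publishes the new image to the registry, it is also the natural place to set `provenance: true` and `sbom: true` on `docker/build-push-action@v6` so consumers of `hardened-multus-thick` can attest what was built from which source; the same applies to the existing thin step. The enclosing job starts before the hunk.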
@@ -28,17 +28,19 @@ RUN xx-go --wrap && \
 ./hack/build-go.sh
 RUN xx-verify --static bin/thin_entrypoint bin/multus
-FROM ${GO_IMAGE} as strip_binary
+FROM ${GO_IMAGE} AS strip_binary
 #strip needs to run on TARGETPLATFORM, not BUILDPLATFORM
 COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/bin/thin_entrypoint /thin_entrypoint
 COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/bin/multus /multus
 COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/bin/kubeconfig_generator /kubeconfig_generator
 COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/bin/cert-approver /cert-approver
 COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/bin/install_multus /install_multus
-RUN strip /thin_entrypoint /multus /kubeconfig_generator /cert-approver /install_multus
+COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/bin/multus-daemon /multus-daemon
+COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/bin/multus-shim /multus-shim
+RUN strip /thin_entrypoint /multus /kubeconfig_generator /cert-approver /install_multus /multus-daemon /multus-shim
 # Create the multus image
-FROM scratch as multus-cni
+FROM scratch AS multus-thin
 COPY --from=strip_binary /multus /usr/src/multus-cni/bin/multus
 COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/LICENSE /usr/src/multus-cni/LICENSE
 COPY --from=strip_binary /thin_entrypoint /
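Review bot: `multus-daemon` and `multus-shim` are copied out of `multus-builder` and stripped, but the context line `RUN xx-verify --static bin/thin_entrypoint bin/multus` at the top of the hunk still verifies only the two thin binaries, so a dynamically linked daemon or shim would pass the build and fail only when the `FROM scratch` thick stage in the next hunk tries to execute it. Extend the check to the new artefacts: `RUN xx-verify --static bin/thin_entrypoint bin/multus bin/multus-daemon bin/multus-shim`. The `RUN xx-go --wrap && \` recipe named in the hunk header begins before the hunk.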
@@ -46,3 +48,10 @@ COPY --from=strip_binary /kubeconfig_generator /
 COPY --from=strip_binary /cert-approver /
 COPY --from=strip_binary /install_multus /
 ENTRYPOINT ["/thin_entrypoint"]
+
+# Create the thick plugin image
+FROM scratch AS multus-thick
+COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/LICENSE /usr/src/multus-cni/LICENSE
+COPY --from=strip_binary /multus-daemon /usr/src/multus-cni/bin/multus-daemon
+COPY --from=strip_binary /multus-shim /usr/src/multus-cni/bin/multus-shim
+ENTRYPOINT [ "/usr/src/multus-cni/bin/multus-daemon" ]
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 0b4cd36..37e2272 100644
--- a/Makefile
+++ b/Makefile
@@ -24,19 +24,32 @@ ifeq (,$(filter %$(BUILD_META),$(TAG)))
 $(error TAG $(TAG) needs to end with build metadata: $(BUILD_META))
 endif
-.PHONY: image-build
-image-build:
+.PHONY: image-build-thin
+image-build-thin:
 docker buildx build \
 --platform=$(ARCH) \
 --build-arg PKG=$(PKG) \
 --build-arg SRC=$(SRC) \
 --build-arg TAG=$(TAG:$(BUILD_META)=) \
- --target multus-cni \
+ --target multus-thin \
 --tag $(ORG)/hardened-multus-cni:$(TAG) \
 --tag $(ORG)/hardened-multus-cni:$(TAG)-$(ARCH) \
 --load \
 .
+.PHONY: image-build-thick
+image-build-thick:
+ docker buildx build \
+ --platform=$(ARCH) \
+ --build-arg PKG=$(PKG) \
+ --build-arg SRC=$(SRC) \
+ --build-arg TAG=$(TAG:$(BUILD_META)=) \
+ --target multus-thick \
+ --tag $(ORG)/hardened-multus-thick:$(TAG) \
+ --tag $(ORG)/hardened-multus-thick:$(TAG)-$(ARCH) \
+ --load \
+ .
+
 .PHONY: image-push
 image-push:
 docker push $(ORG)/hardened-multus-cni:$(TAG)-$(ARCH)
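Review bot: The new `multus-thick` stage writes `ENTRYPOINT [ "/usr/src/multus-cni/bin/multus-daemon" ]` while the thin stage three lines up uses `ENTRYPOINT ["/thin_entrypoint"]`; the spacing is harmless but inconsistent, and the file now ends without a trailing newline (`\ No newline at end of file`). Suggest `ENTRYPOINT ["/usr/src/multus-cni/bin/multus-daemon"]` followed by a final newline. The stage carries only the daemon, the shim and the LICENSE, whereas the thin stage also ships `install_multus`, `kubeconfig_generator` and `cert-approver`; a one-line comment above `FROM scratch AS multus-thick` stating that this omission is intended for thick mode would stop the next reader from assuming the copies were forgotten.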
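Review bot: Renaming `image-build` to `image-build-thin` drops a target that anything scripted against this Makefile (CI, release tooling) may still invoke, and the `image-push` target visible at the end of the hunk still pushes only `$(ORG)/hardened-multus-cni:$(TAG)-$(ARCH)`, so `image-build-thick` produces an image that no make target publishes. Keep a compatibility alias and push both images: `.PHONY: image-build` / `image-build: image-build-thin image-build-thick`, and append `docker push $(ORG)/hardened-multus-thick:$(TAG)-$(ARCH)` to `image-push`. The two `docker buildx build` recipes differ only in `--target` and the image name; a `define`/`$(call …)` template taking those two values would stop them drifting apart. `image-push`'s recipe may continue past the end of the hunk.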