deployment: enable multi-arch release images (#1643)

.github/Dockerfile-release

@@ -1,7 +1,9 @@
+ARG ARCH
+
 FROM busybox:latest as build
 RUN touch /config.yaml
 
-FROM gcr.io/distroless/base
+FROM gcr.io/distroless/base-debian10:latest-${ARCH}
 ENV AUTOCERT_DIR /data/autocert
 WORKDIR /pomerium
 COPY pomerium* /bin/

.github/Dockerfile-release.arm32v6

@@ -1,12 +0,0 @@
-FROM busybox:latest as build
-RUN touch /config.yaml
-
-FROM arm32v7/alpine
-ENV AUTOCERT_DIR /data/autocert
-WORKDIR /pomerium
-COPY --from=multiarch/qemu-user-static /usr/bin/qemu-aarch64-static /usr/bin/
-RUN apk --no-cache add ca-certificates
-COPY pomerium* /bin/
-COPY --from=build /config.yaml /pomerium/config.yaml
-ENTRYPOINT [ "/bin/pomerium" ]
-CMD ["-config","/pomerium/config.yaml"]

.github/Dockerfile-release.arm32v7

@@ -1,12 +0,0 @@
-FROM busybox:latest as build
-RUN touch /config.yaml
-
-FROM arm32v7/alpine
-ENV AUTOCERT_DIR /data/autocert
-WORKDIR /pomerium
-COPY --from=multiarch/qemu-user-static /usr/bin/qemu-aarch64-static /usr/bin/
-RUN apk --no-cache add ca-certificates
-COPY pomerium* /bin/
-COPY --from=build /config.yaml /pomerium/config.yaml
-ENTRYPOINT [ "/bin/pomerium" ]
-CMD ["-config","/pomerium/config.yaml"]

.github/Dockerfile-release.arm64v8

@@ -1,12 +0,0 @@
-FROM busybox:latest as build
-RUN touch /config.yaml
-
-FROM arm64v8/alpine
-ENV AUTOCERT_DIR /data/autocert
-WORKDIR /pomerium
-COPY --from=multiarch/qemu-user-static /usr/bin/qemu-aarch64-static /usr/bin/
-RUN apk --no-cache add ca-certificates
-COPY pomerium* /bin/
-COPY --from=build /config.yaml /pomerium/config.yaml
-ENTRYPOINT [ "/bin/pomerium" ]
-CMD ["-config","/pomerium/config.yaml"]

.github/goreleaser.yaml

@@ -101,13 +101,14 @@ snapshot:
 
 dockers:
   - image_templates:
-      - "pomerium/pomerium:{{ .Tag }}"
+      - "pomerium/pomerium:amd64-{{ .Tag }}"
     dockerfile: .github/Dockerfile-release
     binaries:
       - pomerium
       - pomerium-cli
     build_flag_templates:
       - "--pull"
+      - "--build-arg=ARCH=amd64"
       - "--label=org.opencontainers.image.created={{.Date}}"
       - "--label=org.opencontainers.image.name={{.ProjectName}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
@@ -134,12 +135,13 @@ dockers:
   - goarch: arm64
     image_templates:
       - "pomerium/pomerium:arm64v8-{{ .Tag }}"
-    dockerfile: .github/Dockerfile-release.arm64v8
+    dockerfile: .github/Dockerfile-release
     binaries:
       - pomerium
       - pomerium-cli
     build_flag_templates:
       - "--pull"
+      - "--build-arg=ARCH=arm64"
       - "--label=org.opencontainers.image.created={{.Date}}"
       - "--label=org.opencontainers.image.name={{.ProjectName}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
@@ -148,6 +150,12 @@ dockers:
       - "--label=repository=http://github.com/pomerium/pomerium"
       - "--label=homepage=http://www.pomerium.io"
 
+docker_manifests:
+  - name_template: "pomerium/pomerium:{{ .Tag }}"
+    image_templates:
+      - pomerium/pomerium:arm64v8-{{ .Tag }}
+      - pomerium/pomerium:amd64-{{ .Tag }}
+
 brews:
   - # Name template of the recipe
     name: pomerium-cli

.github/workflows/release.yaml

@@ -8,11 +8,15 @@ on:
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
     steps:
       - name: Checkout
         uses: actions/checkout@v2
+
       - name: Unshallow
         run: git fetch --prune --unshallow
+
       - name: Set up Go
         uses: actions/setup-go@v2
         with:

docs/docs/upgrading.md

@@ -18,6 +18,12 @@ With the v0.11.0 release, user impersonation by administrators is now disabled b
 
 The `cache_service_url` parameter has been deprecated since v0.10.0 and is now removed.  Please replace it with `databroker_service_url` in your yaml configuration, or `DATABROKER_SERVICE_URL` as an environment variable.
 
+## New
+
+### Docker Multi-Arch Images
+
+With the v0.11.0 release, Pomerium docker images are multi-arch for `arm64` and `amd64`.  Individual images for each architecture will continue to be published.
+
 # Since 0.9.0
 
 ## Breaking