Update build and release process for envoy embedding (#699)

.dockerignore

@@ -0,0 +1,2 @@
+dist/
+bin/

.github/goreleaser.yaml

@@ -9,6 +9,7 @@ release:
 before:
   hooks:
     - go mod download
+    - make build-deps
 
 builds:
   - id: pomerium
@@ -18,21 +19,9 @@ builds:
       - CGO_ENABLED=0
     goarch:
       - amd64
-      - arm
-      - arm64
     goos:
       - linux
       - darwin
-      - windows
-      - freebsd
-    goarm:
-      - 6
-      - 7
-    ignore:
-      - goos: freebsd
-        goarch: arm64
-      - goos: freebsd
-        goarch: arm
 
     ldflags:
       - -s -w
@@ -42,6 +31,9 @@ builds:
       - -X github.com/pomerium/pomerium/internal/version.ProjectName=pomerium
       - -X github.com/pomerium/pomerium/internal/version.ProjectURL=https://wwww.pomerium.io
 
+    hooks:
+      post: ./scripts/embed-envoy.bash {{ .Path }}
+
   - id: pomerium-cli
     main: cmd/pomerium-cli/cli.go
     binary: pomerium-cli
@@ -106,57 +98,3 @@ dockers:
       - "--label=org.opencontainers.image.source={{.GitURL}}"
       - "--label=repository=http://github.com/pomerium/pomerium"
       - "--label=homepage=http://www.pomerium.io"
-
-  - goarch: arm64
-    image_templates:
-      - "pomerium/pomerium:arm64v8-{{ .Tag }}"
-    dockerfile: .github/Dockerfile-release.arm64v8
-    binaries:
-      - pomerium
-      - pomerium-cli
-    build_flag_templates:
-      - "--pull"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.name={{.ProjectName}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.source={{.GitURL}}"
-      - "--label=repository=http://github.com/pomerium/pomerium"
-      - "--label=homepage=http://www.pomerium.io"
-
-  - goarch: arm
-    goarm: 7
-    image_templates:
-      - "pomerium/pomerium:arm32v7-{{ .Tag }}"
-    dockerfile: .github/Dockerfile-release.arm32v7
-    binaries:
-      - pomerium
-      - pomerium-cli
-
-    build_flag_templates:
-      - "--pull"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.name={{.ProjectName}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.source={{.GitURL}}"
-      - "--label=repository=http://github.com/pomerium/pomerium"
-      - "--label=homepage=http://www.pomerium.io"
-
-  - goarch: arm
-    goarm: 6
-    image_templates:
-      - "pomerium/pomerium:arm32v6-{{ .Tag }}"
-    dockerfile: .github/Dockerfile-release.arm32v6
-    binaries:
-      - pomerium
-      - pomerium-cli
-    build_flag_templates:
-      - "--pull"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.name={{.ProjectName}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.source={{.GitURL}}"
-      - "--label=repository=http://github.com/pomerium/pomerium"
-      - "--label=homepage=http://www.pomerium.io"

.github/workflows/test.yaml

@@ -76,7 +76,9 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v2
       - name: build
-        run: make build
+        run: |
+          make build-deps
+          make build
 
   build-docker:
     runs-on: ubuntu-latest

Dockerfile

@@ -1,13 +1,17 @@
 FROM golang:latest as build
 WORKDIR /go/src/github.com/pomerium/pomerium
 
+RUN apt update \
+    && apt -y install zip
+
 # cache depedency downloads
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
 
 # build
-RUN make
+RUN make build-deps
+RUN make build
 RUN touch /config.yaml
 
 FROM gcr.io/distroless/base:debug

Makefile

@@ -27,9 +27,12 @@ CTIMEVAR=-X $(PKG)/internal/version.GitCommit=$(GITCOMMIT) \
 	-X $(PKG)/internal/version.ProjectURL=$(PKG)
 GO_LDFLAGS=-ldflags "-s -w $(CTIMEVAR)"
 GOOSARCHES = linux/amd64 darwin/amd64 windows/amd64
+GOOS = $(shell go env GOOS)
+GOARCH= $(shell go env GOARCH)
 MISSPELL_VERSION = v0.3.4
 GOLANGCI_VERSION = v1.21.0
 OPA_VERSION = v0.19.1
+GETENVOY_VERSION = v0.1.8
 
 .PHONY: all
 all: clean build-deps test lint spellcheck build ## Runs a clean, build, fmt, lint, test, and vet.
@@ -41,6 +44,7 @@ build-deps: ## Install build dependencies
 	@cd /tmp; GO111MODULE=on go get github.com/client9/misspell/cmd/misspell@${MISSPELL_VERSION}
 	@cd /tmp; GO111MODULE=on go get github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_VERSION}
 	@cd /tmp; GO111MODULE=on go get github.com/open-policy-agent/opa@${OPA_VERSION}
+	@cd /tmp; GO111MODULE=on go get github.com/tetratelabs/getenvoy/cmd/getenvoy@${GETENVOY_VERSION}
 
 .PHONY: docs
 docs: ## Start the vuepress docs development server
@@ -61,6 +65,7 @@ frontend: ## Runs go generate on the static assets package.
 build: ## Builds dynamic executables and/or packages.
 	@echo "==> $@"
 	@CGO_ENABLED=0 GO111MODULE=on go build -tags "$(BUILDTAGS)" ${GO_LDFLAGS} -o $(BINDIR)/$(NAME) ./cmd/"$(NAME)"
+	./scripts/embed-envoy.bash $(BINDIR)/$(NAME)
 
 .PHONY: lint
 lint: ## Verifies `golint` passes.
@@ -96,33 +101,11 @@ clean: ## Cleanup any build binaries or packages.
 	$(RM) -r $(BINDIR)
 	$(RM) -r $(BUILDDIR)
 
-define buildpretty
-mkdir -p $(BUILDDIR)/$(1)/$(2);
-GOOS=$(1) GOARCH=$(2) CGO_ENABLED=0 GO111MODULE=on go build \
-	 -o $(BUILDDIR)/$(1)/$(2)/$(NAME) \
-	 ${GO_LDFLAGS_STATIC} ./cmd/$(NAME);
-md5sum $(BUILDDIR)/$(1)/$(2)/$(NAME) > $(BUILDDIR)/$(1)/$(2)/$(NAME).md5;
-sha256sum $(BUILDDIR)/$(1)/$(2)/$(NAME) > $(BUILDDIR)/$(1)/$(2)/$(NAME).sha256;
-endef
-
-.PHONY: cross
-cross: ## Builds the cross-compiled binaries, creating a clean directory structure (eg. GOOS/GOARCH/binary)
-	@echo "+ $@"
-	$(foreach GOOSARCH,$(GOOSARCHES), $(call buildpretty,$(subst /,,$(dir $(GOOSARCH))),$(notdir $(GOOSARCH))))
-
-define buildrelease
-GOOS=$(1) GOARCH=$(2) CGO_ENABLED=0 GO111MODULE=on go build ${GO_LDFLAGS} \
-	 -o $(BUILDDIR)/$(NAME)-$(1)-$(2) \
-	 ${GO_LDFLAGS_STATIC} ./cmd/$(NAME);
-GOOS=$(1) GOARCH=$(2) ./scripts/embed-envoy.bash "$(BUILDDIR)/$(NAME)-$(1)-$(2)" || true;
-md5sum $(BUILDDIR)/$(NAME)-$(1)-$(2) > $(BUILDDIR)/$(NAME)-$(1)-$(2).md5;
-sha256sum $(BUILDDIR)/$(NAME)-$(1)-$(2) > $(BUILDDIR)/$(NAME)-$(1)-$(2).sha256;
-endef
-
 .PHONY: release
-release: ## Builds the cross-compiled binaries, naming them in such a way for release (eg. binary-GOOS-GOARCH)
+snapshot: ## Builds the cross-compiled binaries, naming them in such a way for release (eg. binary-GOOS-GOARCH)
 	@echo "+ $@"
-	$(foreach GOOSARCH,$(GOOSARCHES), $(call buildrelease,$(subst /,,$(dir $(GOOSARCH))),$(notdir $(GOOSARCH))))
+	@cd /tmp; GO111MODULE=on go get github.com/goreleaser/goreleaser
+	goreleaser release --rm-dist -f .github/goreleaser.yaml --snapshot 
 
 .PHONY: help
 help:

scripts/build-dev-docker.bash

@@ -1,28 +1,12 @@
 #!/bin/bash
 set -euxo pipefail
 
-_script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
 _dir=/tmp/pomerium-dev-docker
 mkdir -p "$_dir"
 
 # build linux binary
-env GOOS=linux \
+env GOOS=linux make build-deps build
-  GOARCH=amd64 \
+cp bin/pomerium $_dir/
-  CGO_ENABLED=0 \
-  GO111MODULE=on \
-  go build \
-  -ldflags "-s -w" \
-  -o "$_dir/pomerium" \
-  ./cmd/pomerium
-
-# embed envoy
-(
-  cd "$_script_dir"
-  env GOOS=linux \
-    GOARCH=amd64 \
-    ./embed-envoy.bash \
-    "$_dir/pomerium"
-)
 
 # build docker image
 (

scripts/embed-envoy.bash

@@ -1,50 +1,37 @@
 #!/bin/bash
 set -euo pipefail
 
-_pomerium_binary_path="${1?"pomerium binary path is required"}"
+BINARY=$1
-_go_os="$(go env GOOS)"
-_go_arch="$(go env GOARCH)"
 
-is_musl() {
+ENVOY_VERSION=1.14.1
-  ldd /bin/ls | grep musl >/dev/null 2>&1
+DIR=$(dirname "${BINARY}")
-}
+GOOS=$(go env GOOS)
 
-# URLs from: https://tetrate.bintray.com/getenvoy/manifest.json
+if [ "${GOOS}" == "darwin" ]; then
-_envoy_version="1.14.1"
+  ENVOY_PLATFORM="darwin"
-_envoy_build=""
+elif [ "${GOOS}" == "linux" ]; then
-if [ "$_go_os" == linux ] && ! is_musl && [ "$_go_arch" == "amd64" ]; then
+  ENVOY_PLATFORM="linux_glibc"
-  _envoy_build="LINUX_GLIBC"
+else
-elif [ "$_go_os" == darwin ] && [ "$_go_arch" == "amd64" ]; then
+  echo "unsupported"
-  _envoy_build="DARWIN"
-fi
-if [ -z "$_envoy_build" ]; then
-  echo "this platform is not supported for embedded envoy"
   exit 1
 fi
-_envoy_url="$(
-  curl --silent "https://tetrate.bintray.com/getenvoy/manifest.json" |
-    jq -r '.flavors.standard.versions["'"$_envoy_version"'"].builds["'"$_envoy_build"'"].downloadLocationUrl'
-)"
 
-_abs_pomerium_binary_path="$(realpath "$_pomerium_binary_path")"
+## TODO we should be able to replace this with a utility that consumes
+## https://godoc.org/github.com/tetratelabs/getenvoy/pkg/binary/envoy
+## https://golang.org/pkg/archive/zip/#Writer.SetOffset
+export PATH=$PATH:$(go env GOPATH)/bin
+HOME=${DIR} getenvoy fetch standard:${ENVOY_VERSION}/${ENVOY_PLATFORM}
+ENVOY_PATH=${DIR}/.getenvoy/builds/standard/${ENVOY_VERSION}/${ENVOY_PLATFORM}/bin
+ARCHIVE=${ENVOY_PATH}/envoy.zip
 
-_wd="/tmp/pomerium-embedded-files"
-mkdir -p "$_wd"
 (
-  cd "$_wd"
+  cd "${ENVOY_PATH}"
-  if [ ! -f "envoy-$_envoy_version.tar.xz" ]; then
+  zip envoy.zip envoy
-    echo "downloading $_envoy_url"
-    curl --silent --location --output "envoy-$_envoy_version.tar.xz" "$_envoy_url"
-  fi
-  echo "extracting"
-  tar --extract --xz --strip-components=3 --file "envoy-$_envoy_version.tar.xz"
-  echo "appending to $_abs_pomerium_binary_path"
-  # if this binary already has a zip file appended to it
-  if [ -z "$(unzip -z -qq "$_abs_pomerium_binary_path" 2>&1)" ]; then
-    zip -A "$_abs_pomerium_binary_path" envoy
-  else
-    zip envoy.zip envoy
-    cat envoy.zip >>"$_abs_pomerium_binary_path"
-  fi
-  zip -A "$_abs_pomerium_binary_path"
 )
+
+echo "appending ${ARCHIVE} to ${BINARY}"
+
+if [ "$(unzip -z -qq "$BINARY" 2>&1)" != "" ]; then
+  cat "${ARCHIVE}" >>"${BINARY}"
+fi
+zip -A "${BINARY}"