From d6de4f7c3ca25d73b047cd9df6b5fad82f352657 Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Mon, 14 Sep 2020 07:26:29 +0100 Subject: [PATCH] Multi-arch build (#690) * multi-arch build and other makefile tidies * docker login in travis --- .travis.yml | 12 +++++++++--- Dockerfile | 4 +++- makefile | 43 ++++++++++++++++++++++++++++++++++--------- 3 files changed, 46 insertions(+), 13 deletions(-) diff --git a/.travis.yml b/.travis.yml index 7a5b2bb..81daddb 100644 --- a/.travis.yml +++ b/.travis.yml @@ -13,16 +13,22 @@ before_install: - pip install --user yamllint==1.18.0 - gem install --no-document fpm - go get -t -v ./... + - echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin script: - yamllint -c ./.yamllint.yaml . - - GO111MODULE=on go test ./... + + # Run unit and integration tests + - make tests + - make integration-tests + + # Build a local container image to test that the install sub-command works - IMAGE_NAME=kube-bench make build-docker - docker run -v `pwd`:/host kube-bench install - test -d cfg - test -f kube-bench - - make tests - - make integration-tests + # Build and push the multi-arch Docker image + - make docker after_success: - bash <(curl -s https://codecov.io/bash) diff --git a/Dockerfile b/Dockerfile index ccf672f..1ce9da2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,7 +5,9 @@ COPY main.go . COPY check/ check/ COPY cmd/ cmd/ ARG KUBEBENCH_VERSION -RUN GO111MODULE=on CGO_ENABLED=0 go install -a -ldflags "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion=${KUBEBENCH_VERSION} -w" +ARG GOOS=linux +ARG GOARCH=amd64 +RUN GO111MODULE=on CGO_ENABLED=0 GOOS=$GOOS GOARCH=$GOARCH go build -a -ldflags "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion=${KUBEBENCH_VERSION} -w" -o /go/bin/kube-bench FROM alpine:3.12 AS run WORKDIR /opt/kube-bench/ diff --git a/makefile b/makefile index 290f527..ed60813 100644 --- a/makefile +++ b/makefile 
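Review bot: The `docker login` added to `before_install` and the `make docker` step at the end of `script` run on every build, so registry credentials sit in the Docker client config while `go get`, `make tests` and the `after_success` step (`bash <(curl -s https://codecov.io/bash)`) execute, and every branch build pushes an image. Pull-request builds from forks do not receive secure variables on Travis, so the login would presumably fail there and break those builds. Log in only immediately before publishing and only on non-PR builds, e.g. `- if [ "$TRAVIS_PULL_REQUEST" = "false" ]; then echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin && make docker && docker logout; fi`; a branch or tag condition on top would keep feature branches from publishing. A registry token scoped to push on this one repository limits the impact if the value leaks.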
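Review bot: Only the Go binary is cross-compiled in this hunk; the final stage still starts from `FROM alpine:3.12 AS run`, which without a platform selector resolves to the build host's architecture. An image built with `GOARCH=arm64` on an amd64 builder would then carry an arm64 `kube-bench` on an amd64 Alpine userland, and the makefile's `docker manifest annotate --arch` only relabels it, so any shell or tool taken from the base image would presumably fail on an arm64 node. Where the builder supports it, select the base per target: declare `ARG GOARCH=amd64` before the first `FROM` and use `FROM --platform=linux/${GOARCH} alpine:3.12 AS run`, or build with `docker buildx build --platform`. The two new `ARG` lines also deserve a comment such as `# target platform for the cross-compiled binary; set by the makefile's per-arch targets`.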
@@ -1,12 +1,14 @@ SOURCES := $(shell find . -name '*.go') BINARY := kube-bench -DOCKER_REGISTRY ?= aquasec +DOCKER_ORG ?= aquasec VERSION ?= $(shell git rev-parse --short=7 HEAD) KUBEBENCH_VERSION ?= $(shell git describe --tags --abbrev=0) -IMAGE_NAME ?= $(DOCKER_REGISTRY)/$(BINARY):$(VERSION) -TARGET_OS ?= linux +IMAGE_NAME ?= $(DOCKER_ORG)/$(BINARY):$(VERSION) +GOOS ?= linux BUILD_OS := linux uname := $(shell uname -s) +ARCHS ?= amd64 arm64 +GOARCH ?= $@ ifneq ($(findstring Microsoft,$(shell uname -r)),) BUILD_OS := windows 
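Review bot: `GOARCH ?= $@` makes a global variable depend on whichever target's recipe happens to expand it, which is correct only inside the `$(ARCHS)` recipes, and because `?=` yields to the environment, a caller with `GOARCH` already exported would build the same architecture for both the `amd64` and `arm64` targets and push it under one tag. A target-specific assignment states the intent and is not shadowed by the environment: `$(ARCHS): GOARCH = $@`. The renames of `DOCKER_REGISTRY` to `DOCKER_ORG` and `TARGET_OS` to `GOOS` also mean an existing `make DOCKER_REGISTRY=...` invocation is now silently ignored and falls back to `aquasec`; a short comment above the variables listing the user-tunable knobs would make that visible.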
@@ -20,21 +22,44 @@ endif KIND_PROFILE ?= kube-bench KIND_CONTAINER_NAME=$(KIND_PROFILE)-control-plane -build: kube-bench +# build a multi-arch image and push to Docker hub +.PHONY: docker +docker: publish manifests + +# build and push an arch-specific image +.PHONY: $(ARCHS) manifests publish +publish: $(ARCHS) +$(ARCHS): + @echo "Building Docker image for $@" + docker build -t ${DOCKER_ORG}/${BINARY}:$(GOOS)-$(GOARCH)-${VERSION} \ + --build-arg GOOS=$(GOOS) --build-arg GOARCH=$(GOARCH) ./ + @echo "Push $@ Docker image to ${DOCKER_ORG}/${BINARY}" + docker push ${DOCKER_ORG}/${BINARY}:$(GOOS)-$(GOARCH)-${VERSION} + docker manifest create --amend "${DOCKER_ORG}/${BINARY}:${VERSION}" "${DOCKER_ORG}/${BINARY}:$(GOOS)-$(GOARCH)-${VERSION}" + docker manifest annotate "${DOCKER_ORG}/${BINARY}:${VERSION}" "${DOCKER_ORG}/${BINARY}:$(GOOS)-$(GOARCH)-${VERSION}" --os=$(GOOS) --arch=$(GOARCH) + +# push the multi-arch manifest +manifests: + @echo "Push manifest for ${DOCKER_ORG}/${BINARY}:${VERSION}" + docker manifest push "${DOCKER_ORG}/${BINARY}:${VERSION}" + +build: $(BINARY) $(BINARY): $(SOURCES) - GOOS=$(TARGET_OS) go build -ldflags "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion=$(KUBEBENCH_VERSION)" -o $(BINARY) . + GOOS=$(GOOS) go build -ldflags "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion=$(KUBEBENCH_VERSION)" -o $(BINARY) . # builds the current dev docker version build-docker: docker build --build-arg BUILD_DATE=$(shell date -u +"%Y-%m-%dT%H:%M:%SZ") \ - --build-arg VCS_REF=$(shell git rev-parse --short HEAD) \ + --build-arg VCS_REF=$(VERSION) \ --build-arg KUBEBENCH_VERSION=$(KUBEBENCH_VERSION) \ -t $(IMAGE_NAME) . +# unit tests tests: GO111MODULE=on go test -short -race -timeout 30s -coverprofile=coverage.txt -covermode=atomic ./... +# integration tests using kind integration-tests: build-docker GO111MODULE=on go test ./integration/... -v -tags integration -timeout 1200s -args -kubebenchImg=$(IMAGE_NAME) 
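Review bot: The per-arch `docker build` in the `$(ARCHS)` recipe passes only `GOOS` and `GOARCH`, so the Dockerfile's `ARG KUBEBENCH_VERSION` is empty and the pushed images are linked with a blank `KubeBenchVersion`, unlike `build-docker` further down, which passes it. Add `--build-arg KUBEBENCH_VERSION=$(KUBEBENCH_VERSION) \` to that command so a published binary can be traced back to a release. Separately, `docker: publish manifests` does not order its two prerequisites under `make -j`, and both per-arch recipes amend the same local manifest list; `manifests: publish`, with the manifest list created in the `manifests` recipe, would make the push depend on the images it references. `docker manifest` was an experimental CLI command around the date of this commit, so the recipe likely needs `DOCKER_CLI_EXPERIMENTAL=enabled` on the build host.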
@@ -49,13 +74,13 @@ endif kind create cluster --name $(KIND_PROFILE) --image kindest/node:v1.15.3 --wait 5m;\ fi -# pushses the current dev version to the kind cluster. -kind-push: +# pushes the current dev version to the kind cluster. +kind-push: build-docker kind load docker-image $(IMAGE_NAME) --name $(KIND_PROFILE) # runs the current version on kind using a job and follow logs kind-run: KUBECONFIG = "./kubeconfig.kube-bench" -kind-run: ensure-stern +kind-run: ensure-stern kind-push sed "s/\$${VERSION}/$(VERSION)/" ./hack/kind.yaml > ./hack/kind.test.yaml kind get kubeconfig --name="$(KIND_PROFILE)" > $(KUBECONFIG) -KUBECONFIG=$(KUBECONFIG) \