Skip to content

Splitting arm/amd tags for operator and target allocator #304

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 28, 2025
Merged

Splitting arm/amd tags for operator and target allocator #304

merged 2 commits into from
Apr 28, 2025

Conversation

Paramadon
Copy link
Contributor

@Paramadon Paramadon commented Apr 25, 2025
edited
Loading

Split Multi-Architecture Image Builds for Better Security Scanning

Problem

Currently, our operator and target allocator images are built as multi-architecture images, making it difficult to scan individual architecture images

Solution

Split the build process into three parts:

  1. Build individual architecture images
  2. Create manifest lists
  3. Clean up old images

Passing run: https://github.com/aws/amazon-cloudwatch-agent-operator/actions/runs/14673842807/job/41186231945

Flow Change

Before:

graph TD
    A[Build Multi-Arch Image] --> B[Push to ECR]
    B --> C[Release]
Loading

After:

graph TD
    A1[Build AMD64 Image] --> B1[Push AMD64 to ECR]
    A2[Build ARM64 Image] --> B2[Push ARM64 to ECR]
    B1 --> C1[Security Scan AMD64]
    B2 --> C2[Security Scan ARM64]
    C1 --> D[Create Manifest List]
    C2 --> D
    D --> E[Release]
Loading

Changes

  1. Split image builds:
    • staging-linux-amd64 for AMD64 architecture
    • staging-linux-arm64 for ARM64 architecture
    • Manifest list pointing to both architectures

Testing

  • Built and verified AMD64 images
  • Built and verified ARM64 images
  • Created and verified manifest lists
  • Tested image pulls for both architectures
  • Verified security scanning works for individual architectures

Verification

Screenshot 2025-04-25 at 4 14 56 PM (1)

@Paramadon Paramadon force-pushed the siprmp/splitTags branch 2 times, most recently from b9a5f5a to 388bdc5 Compare April 25, 2025 20:19
lisguo
lisguo reviewed Apr 25, 2025
View reviewed changes
@Paramadon Paramadon force-pushed the siprmp/splitTags branch 2 times, most recently from b5d464b to e429256 Compare April 25, 2025 20:46
@Paramadon Paramadon requested a review from lisguo April 25, 2025 20:53
@Paramadon Paramadon force-pushed the siprmp/splitTags branch 2 times, most recently from 0a6d0e9 to 73d2785 Compare April 25, 2025 21:05
lisguo
lisguo reviewed Apr 28, 2025
View reviewed changes
.github/workflows/operator-build-args.yml Outdated
@@ -0,0 +1,30 @@
name: 'Operator Build Args'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of having a separate workflow just to obtain build args...I was thinking of a workflow to build the operator and it takes in an input for arch or tag.

I'd prefer the previous iteration over this

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahh I see, I reverted it to the previous iteration.

agarakan
agarakan reviewed Apr 28, 2025
View reviewed changes
.github/workflows/build-and-upload.yml
uses: aws-actions/amazon-ecr-login@v2

- name: Create manifests
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Docker has a multi-tag feature thats also useful to prevent need for re-building a new image just to add the new tag. Not blocking comment

docker manifest create \
  ${{ env.ECR_TARGET_ALLOCATOR_STAGING_REPO }}:${{ inputs.tag }} \
  ${{ env.ECR_TARGET_ALLOCATOR_STAGING_REPO }}:${{ github.sha }} \
  --amend ${{ env.ECR_TARGET_ALLOCATOR_STAGING_REPO }}:${{ inputs.tag }}-linux-amd64 \
  --amend ${{ env.ECR_TARGET_ALLOCATOR_STAGING_REPO }}:${{ inputs.tag }}-linux-arm64

docker manifest push ${{ env.ECR_TARGET_ALLOCATOR_STAGING_REPO }}:${{ inputs.tag }}
docker manifest push ${{ env.ECR_TARGET_ALLOCATOR_STAGING_REPO }}:${{ github.sha }}

lisguo
lisguo reviewed Apr 28, 2025
View reviewed changes
.github/workflows/build-and-upload.yml
@@ -157,20 +184,38 @@ jobs:
run: |
go mod download
go mod tidy
export GOARCH=arm64 && make targetallocator
export GOARCH=amd64 && make targetallocator
mkdir -p cmd/amazon-cloudwatch-agent-target-allocator/bin
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why are we making a /bin directory here?

@Paramadon Paramadon merged commit 9687c7b into main Apr 28, 2025
21 of 27 checks passed
@Paramadon Paramadon deleted the siprmp/splitTags branch April 28, 2025 20:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lisguo lisguo lisguo approved these changes

@agarakan agarakan agarakan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Paramadon @lisguo @agarakan