Feature/build scripts update

helm/values.yaml

@@ -6,7 +6,7 @@ awsNitroEnclavesK8SDaemonset:
         drop:
         - ALL
     env:
-      enclaveCpuAdvertisement: "true"
+      enclaveCpuAdvertisement: "false"
       maxEnclavesPerNode: "4"
     image:
       repository: public.ecr.aws/aws-nitro-enclaves/aws-nitro-enclaves-k8s-device-plugin

scripts/build_docker.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+source "$(dirname $(realpath $0))/common.sh"
+
+build_docker_image() {
+    local arch=$1
+    docker build --target device_plugin --platform linux/$arch -t $IMAGE-$arch $TOP_DIR -f $TOP_DIR/container/Dockerfile
+}
+
+docker build --target builder -t $BUILDER_IMAGE $TOP_DIR -f $TOP_DIR/container/Dockerfile ||
+    die "Failed to build generic builder image"
+arch=x86_64 && build_docker_image ${arch} || die "Failed to build ${arch} image"
+arch=aarch64 && build_docker_image ${arch} || die "Failed to build ${arch} image"

scripts/common.sh

@@ -13,8 +13,9 @@ readonly RELEASE_FILE="RELEASE"
 readonly BUILDER_IMAGE=ne-k8s-device-plugin-build:latest
 readonly REPOSITORY_NAME=aws-nitro-enclaves-k8s-device-plugin
 readonly RELEASE=$(cat $TOP_DIR/$RELEASE_FILE)
-readonly TAG=$RELEASE-$(arch)
-readonly IMAGE=$REPOSITORY_NAME:$TAG
+readonly VERSION="$(echo $RELEASE | cut -c 2-).0"
+readonly IMAGE=$REPOSITORY_NAME:$RELEASE
+readonly HELM_CHART="aws-nitro-enclaves-k8s-device-plugin-chart-$VERSION.tgz"
 
 say() {
   echo "$@"
@@ -25,74 +26,100 @@ die() {
   exit $FAILURE
 }
 
-[[ -f $TOP_DIR/$RELEASE_FILE ]] || \
+[[ -f $TOP_DIR/$RELEASE_FILE ]] ||
   die "Cannot find $RELEASE_FILE file in $TOP_DIR directory."
 
 _set_config_item() {
   local var=$1; shift
   local prompt="$@"
 
   local value=""
-  while [[ $value = "" ]];
-  do
-      printf "$prompt"
-      read value
+  while [[ $value = "" ]]; do
+    printf "$prompt"
+    read value
   done
 
-  echo "$var=$value" >> "$ECR_CONFIG_FILE_PATH"
+  echo "$var=$value" >>"$ECR_CONFIG_FILE_PATH"
 }
 
 _load_ecr_config() {
   [[ -f $ECR_CONFIG_FILE_PATH ]] || {
-      printf "No configuration found!\n"
-      _set_config_item ECR_URL "Please enter an ECR URL:"
-      _set_config_item ECR_REGION "Please enter AWS region of the ECR repository:"
+    printf "No configuration found!\n"
+    _set_config_item ECR_URL "Please enter an ECR URL:"
+    _set_config_item ECR_HELM_URL "Please enter an ECR Helm URL:"
+    _set_config_item ECR_REGION "Please enter AWS region of the ECR repository:"
   }
 
   source "$ECR_CONFIG_FILE_PATH"
   [[ -z "$ECR_URL" || -z "$ECR_REGION" ]] && {
-      say "$(basename $ECR_CONFIG_FILE_PATH) seems corrupted. Try using" \
+    say "$(basename $ECR_CONFIG_FILE_PATH) seems corrupted. Try using" \
       "'rm -f $ECR_CONFIG_FILE_PATH' to remove this configuration."
-      exit 1
+    exit 1
   }
 
   return 0
 }
 
 _ecr_login() {
-  is_a_public_ecr_registry
 
+  # check if docker client can login to specified registry again without prompting for a password
+  # indicating that it still has a valid access token
+  if timeout -f 10 docker login $ECR_URL &>/dev/null; then
+    say "Using existing ECR credentials"
+    return 0
+  fi
+
+  is_a_public_ecr_registry
   if [[ $? -eq $SUCCESS ]]; then
-      aws ecr-public get-login-password --region "$ECR_REGION" | docker login --username AWS --password-stdin $ECR_URL
+    aws ecr-public get-login-password --region "$ECR_REGION" | docker login --username AWS --password-stdin $ECR_URL
   else
-      aws ecr get-login-password --region "$ECR_REGION" | docker login --username AWS --password-stdin $ECR_URL
+    aws ecr get-login-password --region "$ECR_REGION" | docker login --username AWS --password-stdin $ECR_URL
   fi
 }
 
 # Loads configuration and logs in to a registry.
 #
 ecr_login() {
-    _load_ecr_config || die "Error while loading configuration file!"
-    say "Using ECR registry url: $ECR_URL. (region: $ECR_REGION)."
-    _ecr_login || die "Failed to log in to the ECR registry."
+  _load_ecr_config || die "Error while loading configuration file!"
+  say "Using ECR registry url: $ECR_URL. (region: $ECR_REGION)."
+  _ecr_login || die "Failed to log in to the ECR registry."
+}
+
+_helm_login() {
+  is_a_public_ecr_registry
+
+  if [[ $? -eq $SUCCESS ]]; then
+    aws ecr-public get-login-password --region "$ECR_REGION" | helm registry login --username AWS --password-stdin $ECR_URL
+  else
+    aws ecr get-login-password --region "$ECR_REGION" | helm registry login --username AWS --password-stdin $ECR_URL
+  fi
+}
+
+# Loads configuration and logs in to a Helm registry.
+#
+helm_login() {
+  _load_ecr_config || die "Error while loading configuration file!"
+  say "Using ECR registry url: $ECR_URL. (region: $ECR_REGION)."
+  _helm_login || die "Failed to log in to the ECR registry."
 }
 
 # Check if the current ECR URL is a public one or not.
-# 
+#
 is_a_public_ecr_registry() {
   [[ "$ECR_URL" =~ ^public.ecr.aws* ]] && { return $SUCCESS; }
   return $FAILURE
 }
 
 # Generic user confirmation function
-# 
+#
 confirm() {
-  read -p "$@ (yes/no)" yn
-  case yn in
-    yes) ;;
-    *)
-      say "Aborting..."
-      exit $FAILURE
-      ;;
+  echo -n "$@ (yes/no): "
+  read yn
+  case $yn in
+  yes) ;;
+  *)
+    say "Aborting..."
+    exit $FAILURE
+    ;;
   esac
 }

scripts/create_manifest_docker.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+source "$(dirname $(realpath $0))/common.sh"
+
+main() {
+  ecr_login
+
+  docker manifest create --amend $ECR_URL/$IMAGE \
+    $ECR_URL/$REPOSITORY_NAME:$RELEASE-x86_64 \
+    $ECR_URL/$REPOSITORY_NAME:$RELEASE-aarch64 ||
+    die "Cannot create manifest for multiarch image." \
+      " Please ensure that both x86_64 and aarch64 images" \
+      " already exist in the repository."
+
+  docker manifest inspect $ECR_URL/$IMAGE ||
+    die "Cannot inspect manifest for multiarch image."
+
+  is_a_public_ecr_registry && {
+    confirm "You are about to push a $RELEASE multiarch manifest to a public repository." \
+      "Are you sure you want to continue? (yes/no)"
+  }
+
+  docker manifest push $ECR_URL/$REPOSITORY_NAME:$RELEASE ||
+    die "Cannot push manifest for multiarch image."
+}
+
+main

scripts/package_helm.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+source "$(dirname $(realpath $0))/common.sh"
+
+helm lint $TOP_DIR/helm && helm package $TOP_DIR/helm ||
+    die "Helm package lint failed"
+
+# assert that packaged file is located in directory
+# its best practice to manage helm version and app relase version independent from each other
+# VERSION is sourced from packed RELEASE veriable and HELM versions are based on Chart.yaml values
+if [[ ! -f $TOP_DIR/aws-nitro-enclaves-k8s-device-plugin-$VERSION.tgz ]]; then
+    die "Packaged file not found in $TOP_DIR directory"
+fi
+
+# change name of standard HELM archive to explicitly state that it is a packaged chart
+mv aws-nitro-enclaves-k8s-device-plugin-$VERSION.tgz $HELM_CHART

scripts/pipeline.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+set -e
+source "$(dirname $(realpath $0))/common.sh"
+current_folder="$(dirname $(realpath $0))"
+
+# version of helm charts are based on /helm/Chart.yaml
+# before packaging and publishing validate that the RELEASE version, manifest.yaml
+# and helm chart version are in sync and pointig to the new multich arch docker manifest
+$current_folder/validate_artifacts_versions.sh
+
+# build and upload docker artifacts
+# version for docker artifacts are based on RELEASE file
+$current_folder/build_docker.sh
+$current_folder/push_docker.sh
+$current_folder/create_manifest_docker.sh
+
+# build and upload helm artifacts
+$current_folder/package_helm.sh
+$current_folder/push_helm.sh

scripts/push_docker.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+source "$(dirname $(realpath $0))/common.sh"
+
+tag_and_push_docker_image() {
+  local arch=$1
+
+  docker tag $IMAGE-$arch $ECR_URL/$IMAGE-$arch
+  say "Pushing $IMAGE-$arch to $ECR_URL..."
+  docker push $ECR_URL/$IMAGE-$arch
+}
+
+main() {
+  ecr_login
+
+  aws ecr-public --region $ECR_REGION describe-repositories \
+    --repository-names "$REPOSITORY_NAME" >/dev/null ||
+    die "There is no repository named $REPOSITORY_NAME in" \
+      "$ECR_REGION region."
+
+  is_a_public_ecr_registry && {
+    confirm "You are about to push $RELEASE docker images on a public repository." \
+      "Are you sure you want to continue?"
+  }
+
+  arch=x86_64 && tag_and_push_docker_image ${arch} || die "Failed to push $arch docker image"
+  arch=aarch64 && tag_and_push_docker_image ${arch} || die "Failed to push $arch docker image"
+}
+
+main

scripts/push_helm.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+source "$(dirname $(realpath $0))/common.sh"
+
+main() {
+  helm_login
+
+  aws ecr-public --region $ECR_REGION describe-repositories \
+    --repository-names "charts/$REPOSITORY_NAME" >/dev/null ||
+    die "There is no repository named $REPOSITORY_NAME in" \
+      "$ECR_REGION region."
+
+  is_a_public_ecr_registry && {
+    confirm "You are about to push a $RELEASE Helm chart on a public repository." \
+      "Are you sure you want to continue?"
+  }
+  say "Pushing $HELM_CHART to $ECR_HELM_URL..."
+  helm push aws-nitro-enclaves-k8s-device-plugin-chart-$VERSION.tgz oci://$ECR_HELM_URL ||
+    die "Failed to push $HELM_CHART to $ECR_HELM_URL."
+}
+
+main

scripts/validate_artifacts_versions.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+source "$(dirname $(realpath $0))/common.sh"
+
+# extract version of kubernetes manifest
+k8s_manifest=$TOP_DIR/aws-nitro-enclaves-k8s-ds.yaml
+k8s_version=$(yq '.spec.template.spec.containers[]?.image' "$k8s_manifest" | grep -o '[^:]*$')
+
+# extract version of helm chart, should be based on k8s manifest
+helm_chart=$TOP_DIR/helm/values.yaml
+helm_version=$(yq '.awsNitroEnclavesK8SDaemonset.awsNitroEnclavesK8SDp.image.tag' $helm_chart)
+
+echo "Release: $RELEASE"
+echo "Kubernetes Manifest: $k8s_version"
+echo "Helm Chart: $helm_version"
+
+if [ $RELEASE != $k8s_version ] || [ $k8s_version != $helm_version ]; then
+    die "Versions in release $RELEASE are not in sync"
+fi