From ef0fcc85d9689baf8f67d0759b73aefbe3ad7df1 Mon Sep 17 00:00:00 2001 From: Jay Deokar Date: Tue, 3 Oct 2023 11:44:16 -0700 Subject: [PATCH] Build latest image with conformance tests --- .../actions/install-dependencies/action.yaml | 4 ++ Makefile | 16 +++++- scripts/lib/cluster.sh | 4 ++ scripts/lib/network-policy.sh | 50 ++++++++++++++++--- scripts/run-tests.sh | 5 +- 5 files changed, 68 insertions(+), 11 deletions(-) diff --git a/.github/actions/install-dependencies/action.yaml b/.github/actions/install-dependencies/action.yaml index e9cb95a..5d376cb 100644 --- a/.github/actions/install-dependencies/action.yaml +++ b/.github/actions/install-dependencies/action.yaml @@ -17,3 +17,7 @@ runs: run: | curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp sudo mv /tmp/eksctl /usr/local/bin/ + - name: Set up Docker QEMU + uses: docker/setup-qemu-action@v2 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 diff --git a/Makefile b/Makefile index 8cd39d6..9d04ff4 100644 --- a/Makefile +++ b/Makefile @@ -198,6 +198,20 @@ docker-buildx: setup-ebpf-sdk-override ## Build and push docker image for the ma - docker buildx rm project-v3-builder rm Dockerfile.cross + +.PHONY: multi-arch-build-and-push +multi-arch-build-and-push: setup-ebpf-sdk-override ## Build and push docker image for the manager for cross-platform support + + sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross + docker buildx build $(DOCKER_BUILD_FLAGS_NP_AGENT) \ + -f Dockerfile.cross \ + --platform "$(PLATFORMS)"\ + --cache-from=type=gha \ + --cache-to=type=gha,mode=max \ + -t $(IMAGE):$(VERSION) \ + --push \ + . + ##@ Deployment ifndef ignore-not-found 
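Review bot: The two new steps reference `docker/setup-qemu-action@v2` and `docker/setup-buildx-action@v2` by mutable major-version tag, so the code that runs in this job can change upstream without any change to this repository. Pin each action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: docker/setup-qemu-action@<commit-sha>  # v2`, and the same for `docker/setup-buildx-action`; Dependabot still tracks SHA-pinned actions. The eksctl step shown as context just above is pre-existing and not part of this change, but it has the same shape (`releases/latest`, no checksum), so the job's inputs are unpinned end to end.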
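Review bot: `multi-arch-build-and-push` leaves `Dockerfile.cross` behind: the `sed` line writes it, but nothing removes it, whereas the neighbouring `docker-buildx` target ends with `rm Dockerfile.cross` (visible as context at the top of the hunk); add `rm Dockerfile.cross` after the `docker buildx build` command. The `--cache-from=type=gha` / `--cache-to=type=gha,mode=max` options presume the GitHub Actions cache service, yet `build_and_push_image` in scripts/lib/network-policy.sh invokes this same target from a shell script, so a run outside Actions may fail or warn on the cache exporter — worth verifying, and if so the cache flags belong in a variable that is empty by default. Minor: `--platform "$(PLATFORMS)"\` lacks the space before the backslash that the other continuation lines have, and the `sed` expression is a verbatim copy of the one in `docker-buildx`, so the two will drift unless it is hoisted into a shared variable.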
@@ -289,7 +303,7 @@ endif ./PHONY: update-node-agent-image update-node-agent-image: ## Updates node agent image on an existing cluster. Optionally call with AWS_EKS_NODEAGENT= - ./scripts/update-node-agent-image.sh AWS_EKS_NODEAGENT=$(AWS_EKS_NODEAGENT) + ./scripts/update-node-agent-image.sh AWS_EKS_NODEAGENT=$(AWS_EKS_NODEAGENT) IP_FAMILY=$(IP_FAMILY) ./PHONY: update-image-and-test update-image-and-test: ## Updates node agent image on existing cluster and runs cyclonus tests. Call with CLUSTER_NAME= and AWS_EKS_NODEAGENT= diff --git a/scripts/lib/cluster.sh b/scripts/lib/cluster.sh index 1e9932f..43db2c1 100644 --- a/scripts/lib/cluster.sh +++ b/scripts/lib/cluster.sh @@ -15,6 +15,10 @@ function load_default_values(){ : "${ENDPOINT_FLAG:=""}" : "${HELM_EXTRA_ARGS:=""}" + IMAGE_VERSION=$(git rev-parse HEAD) + AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) + AWS_ECR_REGISTRY="$AWS_ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com" + AWS_ECR_REPO_NAME="amazon/aws-network-policy-agent" } function create_cluster(){ diff --git a/scripts/lib/network-policy.sh b/scripts/lib/network-policy.sh index 9dc71e2..8e0b6e9 100644 --- a/scripts/lib/network-policy.sh +++ b/scripts/lib/network-policy.sh @@ -4,7 +4,7 @@ function load_addon_details() { ADDON_NAME="vpc-cni" echo "loading $ADDON_NAME addon details" LATEST_ADDON_VERSION=$(aws eks describe-addon-versions $ENDPOINT_FLAG --addon-name $ADDON_NAME --kubernetes-version $K8S_VERSION | jq '.addons[0].addonVersions[0].addonVersion' -r) - EXISTING_SERVICE_ACCOUNT_ROLE_ARN=$(kubectl get serviceaccount -n kube-system aws-node -o json | jq '.metadata.annotations."eks.amazonaws.com/role-arn"' -r) + get_service_account_role_arn } function wait_for_addon_status() { 
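Review bot: The four new assignments in `load_default_values` unconditionally overwrite their variables, while every other default in this function uses the `: "${VAR:=default}"` form that lets a caller pre-set a value; as written a CI job cannot supply its own `IMAGE_VERSION` or `AWS_ECR_REPO_NAME`, and `git rev-parse HEAD` plus `aws sts get-caller-identity` run on every invocation. Use the same pattern, e.g. `: "${IMAGE_VERSION:=$(git rev-parse HEAD)}"` and `: "${AWS_ACCOUNT_ID:=$(aws sts get-caller-identity --query Account --output text)}"`, and since a failing substitution inside `:` does not trip `set -e`, follow it with `[[ -n $AWS_ACCOUNT_ID ]] || return 1`. `AWS_ECR_REGISTRY` also expands `$REGION`, which this hunk does not define; if it is defaulted earlier in the function that is fine, otherwise a `: "${REGION:?REGION must be set}"` guard would stop an empty segment ending up in the registry hostname. `load_default_values` starts above this hunk.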
@@ -73,6 +73,10 @@ function install_network_policy_mao() { wait_for_addon_status "ACTIVE" } +function get_service_account_role_arn(){ + EXISTING_SERVICE_ACCOUNT_ROLE_ARN=$(kubectl get serviceaccount -n kube-system aws-node -o json | jq '.metadata.annotations."eks.amazonaws.com/role-arn"' -r) +} + function install_network_policy_helm(){ helm repo add eks https://aws.github.io/eks-charts 
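Review bot: `get_service_account_role_arn` yields the literal string `null` rather than an empty value when the `aws-node` service account has no `eks.amazonaws.com/role-arn` annotation, because `jq -r` prints JSON null as `null`; the `[[ ! -z $EXISTING_SERVICE_ACCOUNT_ROLE_ARN ]]` test in the next hunk then succeeds and helm is asked to set the annotation to `null`. Use `jq -r '.metadata.annotations."eks.amazonaws.com/role-arn" // empty'` so a missing annotation produces an empty string. The function also hands its result back through a global instead of stdout; a header comment such as `# Sets EXISTING_SERVICE_ACCOUNT_ROLE_ARN from the aws-node service account (empty when the annotation is absent).` would make that contract explicit for callers.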
@@ -87,15 +91,21 @@ function install_network_policy_helm(){ ENABLE_PREFIX_DELEGATION=true fi + get_service_account_role_arn + + if [[ ! -z $EXISTING_SERVICE_ACCOUNT_ROLE_ARN ]]; then + HELM_EXTRA_ARGS+=" --set serviceAccount.annotations.\eks\.amazonaws\.com/role-arn=$EXISTING_SERVICE_ACCOUNT_ROLE_ARN" + fi + echo "Updating annotations and labels on existing resources" - for kind in daemonSet clusterRole clusterRoleBinding serviceAccount; do - echo "setting annotations and labels on $kind/aws-node" - kubectl -n kube-system annotate --overwrite $kind aws-node meta.helm.sh/release-name=aws-vpc-cni || echo "Unable to annotate $kind/aws-node" - kubectl -n kube-system annotate --overwrite $kind aws-node meta.helm.sh/release-namespace=kube-system || echo "Unable to annotate $kind/aws-node" - kubectl -n kube-system label --overwrite $kind aws-node app.kubernetes.io/managed-by=Helm || echo "Unable to label $kind/aws-node" + resources=("daemonSet/aws-node" "clusterRole/aws-node" "clusterRoleBinding/aws-node" "serviceAccount/aws-node" "configmap/amazon-vpc-cni") + for kind in ${resources[@]}; do + echo "setting annotations and labels on $kind" + kubectl -n kube-system annotate --overwrite $kind meta.helm.sh/release-name=aws-vpc-cni meta.helm.sh/release-namespace=kube-system || echo "Unable to annotate $kind" + kubectl -n kube-system label --overwrite $kind app.kubernetes.io/managed-by=Helm || echo "Unable to label $kind" done - echo "Installing/Updating the aws-vpc-cni helm chart with `enableNetworkPolicy=true`" + echo "Installing/Updating the aws-vpc-cni helm chart with enableNetworkPolicy=true" helm upgrade --install aws-vpc-cni eks/aws-vpc-cni --wait --timeout 300s \ --namespace kube-system \ --set enableNetworkPolicy=true \ 
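Review bot: The `--set` key appended to `HELM_EXTRA_ARGS` is `serviceAccount.annotations.\eks\.amazonaws\.com/role-arn`; inside double quotes bash keeps the backslash before `e`, so helm receives `\eks\.amazonaws\.com`, and while helm's `--set` parser appears to treat `\e` as a plain `e`, the escape is misleading — it belongs only on the dots: `serviceAccount.annotations.eks\.amazonaws\.com/role-arn=$EXISTING_SERVICE_ACCOUNT_ROLE_ARN`. The loop `for kind in ${resources[@]}` expands the array unquoted; none of the current entries contain whitespace, but the idiomatic form is `for kind in "${resources[@]}"; do`. `[[ ! -z ... ]]` reads more directly as `[[ -n ... ]]`. Because `$HELM_EXTRA_ARGS` is expanded unquoted in the helm command further down, the appended argument is whitespace-split; that is fine for an ARN, but an array would remove the quoting hazard altogether. `install_network_policy_helm` starts above this hunk and continues below it.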
@@ -107,3 +117,29 @@ function install_network_policy_helm(){ --set image.env.ENABLE_IPv4=$ENABLE_IPv4 $HELM_EXTRA_ARGS } + +function build_and_push_image(){ + + # Get ECR credentials + aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin ${AWS_ECR_REGISTRY} + + # Create repository if doesn't exist + if ! `aws ecr describe-repositories --registry-id $AWS_ACCOUNT_ID --repository-names $AWS_ECR_REPO_NAME >/dev/null 2>&1`; then + echo "creating ECR repo with name $AWS_ECR_REPO_NAME" + aws ecr create-repository --repository-name $AWS_ECR_REPO_NAME + fi + + if [[ $(aws ecr batch-get-image --repository-name=$AWS_ECR_REPO_NAME --image-ids imageTag=$IMAGE_VERSION \ + --query 'images[].imageId.imageTag' --region $REGION) != "[]" ]]; then + echo "Image $AWS_ECR_REPO_NAME:$IMAGE_VERSION already exists. Skipping image build." + else + START=$SECONDS + echo "Building AWS Network Policy Agent latest image" + + docker buildx create --name="network-policy-agent-builder" --buildkitd-flags '--allow-insecure-entitlement network.host' --use >/dev/null + make multi-arch-build-and-push VERSION=$IMAGE_VERSION IMAGE=$AWS_ECR_REGISTRY/$AWS_ECR_REPO_NAME + + echo "TIMELINE: Docker build took $(($SECONDS - $START)) seconds." + docker buildx rm network-policy-agent-builder + fi +} \ No newline at end of file diff --git a/scripts/run-tests.sh b/scripts/run-tests.sh index 0722f91..0899fa0 100755 --- a/scripts/run-tests.sh +++ b/scripts/run-tests.sh @@ -1,5 +1,4 @@ #! /bin/bash - set -Eeuox pipefail DIR=$(cd "$(dirname "$0")"; pwd) @@ -28,8 +27,8 @@ trap cleanup EXIT load_default_values create_cluster -load_addon_details -install_network_policy_mao $LATEST_ADDON_VERSION +build_and_push_image +make update-node-agent-image AWS_EKS_NODEAGENT=$AWS_ECR_REGISTRY/$AWS_ECR_REPO_NAME:$IMAGE_VERSION IP_FAMILY=$IP_FAMILY if [[ $RUN_PERFORMANCE_TESTS == "true" ]]; then echo "Runnning Performance tests"
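Review bot: The repository-existence check `if ! \`aws ecr describe-repositories ... >/dev/null 2>&1\`; then` runs the command inside backticks and then tries to execute its (redirected, therefore empty) output; it only works because bash gives an empty command the status of the last command substitution, and ShellCheck flags it — write the test directly, `if ! aws ecr describe-repositories --registry-id "$AWS_ACCOUNT_ID" --repository-names "$AWS_ECR_REPO_NAME" >/dev/null 2>&1; then`. The builder is created with `--buildkitd-flags '--allow-insecure-entitlement network.host'`, but the `multi-arch-build-and-push` target never passes `--allow network.host`, so the entitlement widens what this buildkitd instance permits without being used; drop it, or add a comment naming the build step that needs host networking. If `make` fails, `set -e` in the caller exits before `docker buildx rm`, leaving the named builder behind; capture the status and remove the builder on both paths, as below. Since tags are git commit hashes, creating the repository with `--image-tag-mutability IMMUTABLE` and `--image-scanning-configuration scanOnPush=true` prevents a pushed tag from being silently replaced, and the `batch-get-image` comparison against `"[]"` assumes JSON output, so pass `--output json` explicitly in case the CLI default is text.
```shell
function build_and_push_image(){
  # … unchanged: docker login via --password-stdin …

  if ! aws ecr describe-repositories --registry-id "$AWS_ACCOUNT_ID" --repository-names "$AWS_ECR_REPO_NAME" >/dev/null 2>&1; then
    echo "creating ECR repo with name $AWS_ECR_REPO_NAME"
    # tags are commit hashes, so they should never be re-pointed; scan on push for free findings
    aws ecr create-repository --repository-name "$AWS_ECR_REPO_NAME" \
      --image-tag-mutability IMMUTABLE \
      --image-scanning-configuration scanOnPush=true
  fi

  # … unchanged: existing-image check (add --output json) and "Skipping image build" branch …
    docker buildx create --name="network-policy-agent-builder" --use >/dev/null
    local rv=0
    make multi-arch-build-and-push VERSION="$IMAGE_VERSION" IMAGE="$AWS_ECR_REGISTRY/$AWS_ECR_REPO_NAME" || rv=$?
    # always remove the builder, even when the build failed
    docker buildx rm network-policy-agent-builder
    (( rv == 0 )) || return "$rv"
    echo "TIMELINE: Docker build took $(($SECONDS - $START)) seconds."
  fi
}
```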