Build latest image with conformance tests

.github/actions/install-dependencies/action.yaml

@@ -17,3 +17,7 @@ runs:
       run: |
         curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
         sudo mv /tmp/eksctl /usr/local/bin/
+    - name: Set up Docker QEMU
+      uses: docker/setup-qemu-action@v2
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v2

Makefile

@@ -198,6 +198,20 @@ docker-buildx: setup-ebpf-sdk-override ## Build and push docker image for the ma
 	- docker buildx rm project-v3-builder
 	rm Dockerfile.cross
 
+
+.PHONY: multi-arch-build-and-push
+multi-arch-build-and-push: setup-ebpf-sdk-override ## Build and push docker image for the manager for cross-platform support
+
+	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
+	docker buildx build $(DOCKER_BUILD_FLAGS_NP_AGENT) \
+		-f Dockerfile.cross \
+		--platform "$(PLATFORMS)"\
+		--cache-from=type=gha \
+		--cache-to=type=gha,mode=max \
+		-t $(IMAGE):$(VERSION) \
+		--push \
+		.
+
 ##@ Deployment
 
 ifndef ignore-not-found
@@ -289,7 +303,7 @@ endif
 
 ./PHONY: update-node-agent-image
 update-node-agent-image: ## Updates node agent image on an existing cluster. Optionally call with AWS_EKS_NODEAGENT=<Image URI>
-	./scripts/update-node-agent-image.sh AWS_EKS_NODEAGENT=$(AWS_EKS_NODEAGENT)
+	./scripts/update-node-agent-image.sh AWS_EKS_NODEAGENT=$(AWS_EKS_NODEAGENT) IP_FAMILY=$(IP_FAMILY)
 
 ./PHONY: update-image-and-test
 update-image-and-test: ## Updates node agent image on existing cluster and runs cyclonus tests. Call with CLUSTER_NAME=<name of the cluster> and AWS_EKS_NODEAGENT=<Image URI> 

scripts/lib/cluster.sh

@@ -15,6 +15,10 @@ function load_default_values(){
     : "${ENDPOINT_FLAG:=""}"
     : "${HELM_EXTRA_ARGS:=""}"
 
+    IMAGE_VERSION=$(git rev-parse HEAD)
+    AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+    AWS_ECR_REGISTRY="$AWS_ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com"
+    AWS_ECR_REPO_NAME="amazon/aws-network-policy-agent"
 }
 
 function create_cluster(){

scripts/lib/network-policy.sh

@@ -4,7 +4,7 @@ function load_addon_details() {
   ADDON_NAME="vpc-cni"
   echo "loading $ADDON_NAME addon details"
   LATEST_ADDON_VERSION=$(aws eks describe-addon-versions $ENDPOINT_FLAG --addon-name $ADDON_NAME --kubernetes-version $K8S_VERSION | jq '.addons[0].addonVersions[0].addonVersion' -r)
-  EXISTING_SERVICE_ACCOUNT_ROLE_ARN=$(kubectl get serviceaccount -n kube-system aws-node -o json | jq '.metadata.annotations."eks.amazonaws.com/role-arn"' -r)
+  get_service_account_role_arn
 }
 
 function wait_for_addon_status() {
@@ -73,6 +73,10 @@ function install_network_policy_mao() {
   wait_for_addon_status "ACTIVE"
 }
 
+function get_service_account_role_arn(){
+  EXISTING_SERVICE_ACCOUNT_ROLE_ARN=$(kubectl get serviceaccount -n kube-system aws-node -o json | jq '.metadata.annotations."eks.amazonaws.com/role-arn"' -r)
+}
+
 function install_network_policy_helm(){
 
     helm repo add eks https://aws.github.io/eks-charts
@@ -87,15 +91,21 @@ function install_network_policy_helm(){
         ENABLE_PREFIX_DELEGATION=true
     fi
 
+    get_service_account_role_arn
+
+    if [[ ! -z $EXISTING_SERVICE_ACCOUNT_ROLE_ARN ]]; then
+      HELM_EXTRA_ARGS+=" --set serviceAccount.annotations.\eks\.amazonaws\.com/role-arn=$EXISTING_SERVICE_ACCOUNT_ROLE_ARN"
+    fi
+
     echo "Updating annotations and labels on existing resources"
-    for kind in daemonSet clusterRole clusterRoleBinding serviceAccount; do
-      echo "setting annotations and labels on $kind/aws-node"
-      kubectl -n kube-system annotate --overwrite $kind aws-node meta.helm.sh/release-name=aws-vpc-cni || echo "Unable to annotate $kind/aws-node"
-      kubectl -n kube-system annotate --overwrite $kind aws-node meta.helm.sh/release-namespace=kube-system || echo "Unable to annotate $kind/aws-node"
-      kubectl -n kube-system label --overwrite $kind aws-node app.kubernetes.io/managed-by=Helm || echo "Unable to label $kind/aws-node"
+    resources=("daemonSet/aws-node" "clusterRole/aws-node" "clusterRoleBinding/aws-node" "serviceAccount/aws-node" "configmap/amazon-vpc-cni") 
+    for kind in ${resources[@]}; do
+      echo "setting annotations and labels on $kind"
+      kubectl -n kube-system annotate --overwrite $kind meta.helm.sh/release-name=aws-vpc-cni meta.helm.sh/release-namespace=kube-system || echo "Unable to annotate $kind"
+      kubectl -n kube-system label --overwrite $kind app.kubernetes.io/managed-by=Helm || echo "Unable to label $kind"
     done
 
-    echo "Installing/Updating the aws-vpc-cni helm chart with `enableNetworkPolicy=true`"
+    echo "Installing/Updating the aws-vpc-cni helm chart with enableNetworkPolicy=true"
     helm upgrade --install aws-vpc-cni eks/aws-vpc-cni --wait --timeout 300s \
         --namespace kube-system \
         --set enableNetworkPolicy=true \
@@ -107,3 +117,29 @@ function install_network_policy_helm(){
         --set image.env.ENABLE_IPv4=$ENABLE_IPv4 $HELM_EXTRA_ARGS
 
 }
+
+function build_and_push_image(){
+
+  # Get ECR credentials
+  aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin ${AWS_ECR_REGISTRY}
+
+  # Create repository if doesn't exist
+  if ! `aws ecr describe-repositories --registry-id $AWS_ACCOUNT_ID --repository-names $AWS_ECR_REPO_NAME >/dev/null 2>&1`; then
+      echo "creating ECR repo with name $AWS_ECR_REPO_NAME"
+      aws ecr create-repository --repository-name $AWS_ECR_REPO_NAME
+  fi
+
+  if [[ $(aws ecr batch-get-image --repository-name=$AWS_ECR_REPO_NAME --image-ids imageTag=$IMAGE_VERSION \
+      --query 'images[].imageId.imageTag' --region $REGION) != "[]" ]]; then
+    echo "Image $AWS_ECR_REPO_NAME:$IMAGE_VERSION already exists. Skipping image build."
+  else
+    START=$SECONDS
+    echo "Building AWS Network Policy Agent latest image"
+
+    docker buildx create --name="network-policy-agent-builder" --buildkitd-flags '--allow-insecure-entitlement network.host' --use >/dev/null
+    make multi-arch-build-and-push VERSION=$IMAGE_VERSION IMAGE=$AWS_ECR_REGISTRY/$AWS_ECR_REPO_NAME
+
+    echo "TIMELINE: Docker build took $(($SECONDS - $START)) seconds."
+    docker buildx rm network-policy-agent-builder
+  fi
+}

scripts/run-tests.sh

@@ -1,5 +1,4 @@
 #! /bin/bash
-
 set -Eeuox pipefail
 
 DIR=$(cd "$(dirname "$0")"; pwd)
@@ -28,8 +27,8 @@ trap cleanup EXIT
 load_default_values
 create_cluster
 
-load_addon_details
-install_network_policy_mao $LATEST_ADDON_VERSION
+build_and_push_image
+make update-node-agent-image AWS_EKS_NODEAGENT=$AWS_ECR_REGISTRY/$AWS_ECR_REPO_NAME:$IMAGE_VERSION IP_FAMILY=$IP_FAMILY
 
 if [[ $RUN_PERFORMANCE_TESTS == "true" ]]; then
   echo "Runnning Performance tests"