DE-11 Release sidecar 4.10.2

.github/workflows/build.yaml

@@ -33,13 +33,10 @@ jobs:
             kv-gitlab-ci/data/node/build/cosign password | COSIGN_PASSWORD ;
             kv-gitlab-ci/data/node/build/cosign private_key | COSIGN_PRIVATE_KEY ;
 
-      - name: Build image
-        run: make build
-
-      - name: Push image
+      - name: Build and push image
         run: |
           echo ${DOCKERHUB_PASSWORD} | docker login -u ${DOCKERHUB_USER} --password-stdin
-          make push
+          make build
 
       - name: Sign image
         id: sign
@@ -55,7 +52,7 @@ jobs:
           syft -o spdx-json ${IMAGE_NAME} > ${SBOM_SPDX}
           cosign attach sbom --sbom ${SBOM_SPDX} ${IMAGE_DIGEST}
           cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_URI}.sbom"
-          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${IMAGE_DIGEST}
+          cosign sign --recursive --yes --key env://COSIGN_PRIVATE_KEY ${IMAGE_DIGEST}
 
           echo "sbom=${SBOM_SPDX}" >> $GITHUB_OUTPUT
 

.github/workflows/ci.yaml

@@ -21,7 +21,15 @@ permissions:
 jobs:
   build:
     name: Build
-    runs-on: self-hosted-amd64-1cpu
+    runs-on: ${{ matrix.RUNNER }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - PLATFORM: amd64
+            RUNNER: self-hosted-amd64-1cpu
+          - PLATFORM: aarch64
+            RUNNER: self-hosted-arm64-1cpu
     outputs:
       helm_args: ${{ steps.compute_helm_args.outputs.helm_args }}
     steps:
@@ -31,15 +39,15 @@ jobs:
       - name: Build
         run: |
           IMAGE="wallarm/sidecar-controller"
-          make build TAG=${GITHUB_SHA} IMAGE=${IMAGE}
+          make build TAG=${GITHUB_SHA} IMAGE=${IMAGE} PLATFORMS=linux/${{ matrix.PLATFORM }} BUILDX_ARGS=--load
           mkdir artifacts
-          docker save -o artifacts/docker-image.tar ${IMAGE}:${GITHUB_SHA}
+          docker save -o artifacts/docker-image-${{ matrix.PLATFORM }}.tar ${IMAGE}:${GITHUB_SHA}
 
       - name: Save artifact
         uses: actions/upload-artifact@v3
         with:
           name: docker-artifact
-          path: artifacts/docker-image.tar
+          path: artifacts/docker-image-${{ matrix.PLATFORM }}.tar
           retention-days: 1
 
       - name: Compute Helm arguments
@@ -51,7 +59,7 @@ jobs:
   test:
     name: Test
     needs: build
-    uses: wallarm/sidecar/.github/workflows/test.yaml@main
+    uses: wallarm/sidecar/.github/workflows/test.yaml@DE-11 # TODO: fix, tmp, no dynamic resolving here
     secrets:
       VAULT_URL: ${{ secrets.VAULT_URL }}
       VAULT_ROLE: ${{ secrets.VAULT_ROLE }}

.github/workflows/helm_publish.yaml

@@ -4,6 +4,7 @@ on:
   push:
     tags:
       - 'helm-chart-[0-9]+.[0-9]+.[0-9]+'
+      - 'helm-chart-[0-9]+.[0-9]+.[0-9]+-rc*'
 
 permissions:
   contents: read
@@ -14,6 +15,7 @@ jobs:
     runs-on: self-hosted-amd64-1cpu
     outputs:
       chart_version: ${{ steps.get_versions.outputs.chart_version }}
+      release_type: ${{ steps.check_release.outputs.type }}
     steps:
       - name: Import secrets
         uses: hashicorp/vault-action@130d1f5f4fe645bb6c83e4225c04d64cfb62de6e # v2.5.0
@@ -30,6 +32,16 @@ jobs:
       - name: Checkout
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
 
+      - name: Check release type
+        id: check_release
+        run: |
+          TYPE="production"
+          if [[ ${GITHUB_REF#refs/*/} =~ "rc" ]]; then
+            TYPE="release-candidate"
+          fi
+          echo -e "Type: ${TYPE}"
+          echo "type=${TYPE}" >> $GITHUB_OUTPUT
+
       - name: Get versions
         id: get_versions
         run: |
@@ -52,6 +64,7 @@ jobs:
 
   update_version:
     name: Update package version
+    if: needs.release.outputs.release_type == 'production'
     runs-on: self-hosted-amd64-1cpu
     needs: release
     steps:

.github/workflows/test.yaml

@@ -119,9 +119,9 @@ jobs:
 
   test:
     name: Integration test
+    runs-on: ${{ matrix.RUNNER }}
     if: ${{ inputs.run_test }}
     needs: check
-    runs-on: self-hosted-amd64-1cpu
     strategy:
       matrix:
         kubeVersion:
@@ -132,6 +132,11 @@ jobs:
           - 1.23.13
           - 1.24.7
           - 1.25.3
+        PLATFORM: [ amd64 ]
+        RUNNER: [ self-hosted-amd64-1cpu ]
+        include:
+          - { kubeVersion: 1.19.16, PLATFORM: aarch64, RUNNER: self-hosted-arm64-1cpu }
+          - { kubeVersion: 1.25.3,  PLATFORM: aarch64, RUNNER: self-hosted-arm64-1cpu }
     steps:
       - name: Import secrets
         uses: hashicorp/vault-action@130d1f5f4fe645bb6c83e4225c04d64cfb62de6e # v2.5.0
@@ -169,7 +174,7 @@ jobs:
 
       - name: Load image
         if: ${{ inputs.load_artifact }}
-        run: kind load image-archive artifacts/docker-image.tar
+        run: kind load image-archive artifacts/docker-image-${{ matrix.PLATFORM }}.tar
 
       - name: Install Helm chart
         run: |
@@ -234,7 +239,7 @@ jobs:
 
       - name: Load image
         if: ${{ inputs.load_artifact }}
-        run: kind load image-archive artifacts/docker-image.tar
+        run: kind load image-archive artifacts/docker-image-amd64.tar
 
       - name: Run test
         env:

.github/workflows/update_versions.yaml

@@ -85,13 +85,7 @@ jobs:
           export TAG="${{ inputs.upstream_tag }}"
           export VERSION=$(echo "${TAG}" | cut -d "-" -f 1)    
           yq e -i '.appVersion = env(VERSION)' helm/Chart.yaml
-          yq e -i \
-          '(.postanalytics.init.image.tag = env(TAG)) |
-           (.postanalytics.cron.image.tag = env(TAG)) |
-           (.postanalytics.tarantool.image.tag = env(TAG)) |
-           (.postanalytics.heartbeat.image.tag = env(TAG)) |
-           (.postanalytics.antibot.image.tag = env(TAG)) |
-           (.postanalytics.appstructure.image.tag = env(TAG))' helm/values.yaml
+          yq e -i '.helper.image.tag = env(TAG)' helm/values.yaml
           echo "next-version=${VERSION}" >> $GITHUB_OUTPUT
 
       - name: Update sidecar version

.github/workflows/upstream_update.yaml

@@ -55,11 +55,7 @@ jobs:
           if [ ${{ github.event.client_payload.upstream_update }} = true ]; then
             UPSTREAM_TAG=${{ github.event.client_payload.upstream_tag }}
             HELM_ARGS+="\
-              --set postanalytics.init.image.tag=${UPSTREAM_TAG} \
-              --set postanalytics.cron.image.tag=${UPSTREAM_TAG} \
-              --set postanalytics.tarantool.image.tag=${UPSTREAM_TAG} \
-              --set postanalytics.heartbeat.image.tag=${UPSTREAM_TAG} \
-              --set postanalytics.appstructure.image.tag=${UPSTREAM_TAG}"
+              --set helper.image.tag=${UPSTREAM_TAG}"
             echo "HELM_ARGS: ${HELM_ARGS}"
           fi
           

Dockerfile

@@ -1,4 +1,15 @@
-FROM golang:1.21.1-alpine3.18 as builder
+ARG ALPINE_VERSION
+FROM golang:1.21.1-alpine${ALPINE_VERSION} as builder
+
+MAINTAINER Wallarm Support Team <[email protected]>
+
+LABEL org.opencontainers.image.title="Docker official image for Wallarm Node. API security platform agent"
+LABEL org.opencontainers.image.title="Kubernetes Sidecar schema of Wallarm API Security deployment"
+LABEL org.opencontainers.image.documentation="https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/deployment/"
+LABEL org.opencontainers.image.source="https://github.com/wallarm/sidecar"
+LABEL org.opencontainers.image.vendor="Wallarm"
+LABEL org.opencontainers.image.revision="${COMMIT_SHA}"
+LABEL com.wallarm.sidecar-controller.versions.alpine="${ALPINE_VERSION}"
 
 RUN apk add --no-cache                         \
         bash                                   \
@@ -10,15 +21,16 @@ WORKDIR /build
 COPY cmd/ go.mod go.sum ./
 RUN go mod download
 
+ARG TARGETARCH
 ARG CGO_ENABLED=0
 ARG GOOS=linux
-ARG GOARCH=amd64
+ARG GOARCH=$TARGETARCH
 RUN go test -v .                            && \
     go build -a -ldflags="-s -w"               \
         -o sidecar-controller .             && \
     upx -9 sidecar-controller
 
-FROM alpine:3.18
+FROM alpine:${ALPINE_VERSION}
 
 ARG UID=65222
 ARG GID=65222

Makefile

@@ -1,19 +1,23 @@
 # https://makefiletutorial.com/
 
 -include env.ini
+
+ifndef CI
+	PLATFORMS?=linux/amd64
+	BUILDX_ARGS?=--load
+else
+	PLATFORMS?=linux/amd64,linux/aarch64
+	BUILDX_ARGS?=--push
+endif
+
 .EXPORT_ALL_VARIABLES:
 
 DOCKERFILE       := ./Dockerfile
 TAG   	 		 ?= $(shell cat TAG)
 IMAGE 	  		 ?= wallarm/sidecar-controller
 CONTROLLER_IMAGE = $(IMAGE):$(TAG)
-
-### For embedding into the chart
-###
-SIDECAR_IMAGE    := wallarm/sidecar:4.8.0-1
-TARANTOOL_IMAGE  := wallarm/ingress-tarantool:4.8.1-1
-RUBY_IMAGE       := wallarm/ingress-ruby:4.8.1-1
-PYTHON_IMAGE     := wallarm/ingress-python:4.8.1-1
+COMMIT_SHA ?= git-$(shell git rev-parse --short HEAD)
+ALPINE_VERSION   = 3.18
 
 ### Contribution routines
 ###
@@ -68,13 +72,7 @@ clean-all:
 ### Helm routines
 ###
 HELMARGS := --set "config.wallarm.api.token=$(WALLARM_API_TOKEN)" \
-			--set "config.wallarm.api.host=$(WALLARM_API_HOST)" \
-			--set "config.sidecar.image.fullname=$(SIDECAR_IMAGE)" \
-			--set "postanalytics.init.image.fullname=$(RUBY_IMAGE)" \
-			--set "postanalytics.cron.image.fullname=$(RUBY_IMAGE)" \
-			--set "postanalytics.tarantool.image.fullname=$(TARANTOOL_IMAGE)" \
-			--set "postanalytics.appstructure.image.fullname=$(PYTHON_IMAGE)" \
-			--set "postanalytics.antibot.image.fullname=$(PYTHON_IMAGE)"
+			--set "config.wallarm.api.host=$(WALLARM_API_HOST)"
 
 helm-template:
 	@$(HELM) template wallarm-sidecar ./helm -f ./helm/values.dev.yaml $(HELMARGS) --debug
@@ -108,8 +106,23 @@ test: fmt vet
 
 ### Build
 ###
-build:
-	@docker build -t $(CONTROLLER_IMAGE) . --force-rm --no-cache --progress=plain
+
+setup_buildx:
+	docker buildx rm multi-arch || true
+	docker buildx create \
+		--name multi-arch \
+		--platform linux/amd64,linux/arm64 \
+		--driver docker-container \
+		--use
+
+build: setup_buildx
+	@docker buildx build \
+		--file Dockerfile \
+		--platform=$(PLATFORMS) \
+		--build-arg ALPINE_VERSION="$(ALPINE_VERSION)" \
+		--build-arg COMMIT_SHA="$(COMMIT_SHA)" \
+		--force-rm --no-cache --progress=plain \
+		--tag $(CONTROLLER_IMAGE) $(BUILDX_ARGS) .
 
 push rmi:
 	@docker $@ $(CONTROLLER_IMAGE)

TAG

@@ -1 +1 @@
-1.3.4
+1.3.5