Build multiarch images on native GitHub runners

This commit makes the following changes:

1. Builds multiarch images for non-release commits/PRs, in addition
   to released versions.
2. Runs the docker build for an arch on the respective GitHub runner
   (e.g. a linux/amd64 docker image will be built on a linux/amd64
   runner). This native build reduces build times due to not requiring
   emulation.
3. Removes explicit use of buildx for docker build. Buildx is now the
   default builder in Docker. Also removes the related QEMU setup.

Signed-off-by: Rajath Agasthya <[email protected]>

Author: rajathagasthya

.github/workflows/image.yaml

@@ -24,26 +24,21 @@ on:
 
 jobs:
   build-image:
-    runs-on: linux-amd64-cpu4
+    strategy:
+      matrix:
+        arch:
+          - amd64
+          - arm64
+        dist: [distroless]
+    runs-on: linux-${{ matrix.arch }}-cpu4
     permissions:
       contents: read
       id-token: write
       packages: write
-    strategy:
-      matrix:
-        dist: [ubi9]
     steps:
       - uses: actions/checkout@v5
         name: Check out code
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-        with:
-          image: tonistiigi/binfmt:master
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -56,10 +51,32 @@ jobs:
       - name: Build image
         env:
           IMAGE_NAME: ghcr.io/nvidia/k8s-driver-manager
-          VERSION: ${{ inputs.version }}
+          VERSION: ${{ inputs.version }}-${{ matrix.arch }}
           PUSH_ON_BUILD: "true"
-          BUILD_MULTI_ARCH_IMAGES: "true"
           GOPROXY: ${{ steps.setup-go-proxy.outputs.goproxy-url }}
+          DOCKER_BUILD_PLATFORM_OPTIONS: "--platform=linux/${{ matrix.arch }}"
         run: |
           echo "${VERSION}"
           make -f deployments/container/Makefile build-${{ matrix.dist }}
+
+  create-manifest:
+    needs: build-image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        name: Check out code
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build Manifest
+        env:
+          MULTIARCH_IMAGE: ghcr.io/nvidia/k8s-driver-manager:${{ inputs.version }}
+        run: |
+          docker manifest create \
+            ${MULTIARCH_IMAGE} \
+            ghcr.io/nvidia/k8s-driver-manager:${{ inputs.version }}-amd64 \
+            ghcr.io/nvidia/k8s-driver-manager:${{ inputs.version }}-arm64
+          docker manifest push ${MULTIARCH_IMAGE}

deployments/container/Makefile

@@ -14,10 +14,6 @@
 
 BUILD_MULTI_ARCH_IMAGES ?= no
 DOCKER ?= docker
-BUILDX =
-ifeq ($(BUILD_MULTI_ARCH_IMAGES),true)
-BUILDX = buildx
-endif
 
 ##### Global variables #####
 include $(CURDIR)/versions.mk
@@ -38,8 +34,8 @@ OUT_IMAGE_VERSION ?= $(IMAGE_VERSION)
 OUT_IMAGE = $(OUT_IMAGE_NAME):$(OUT_IMAGE_VERSION)
 
 ##### Public rules #####
-DISTRIBUTIONS := ubi9
-DEFAULT_PUSH_TARGET := ubi9
+DISTRIBUTIONS := distroless
+DEFAULT_PUSH_TARGET := distroless
 
 PUSH_TARGETS := $(patsubst %, push-%, $(DISTRIBUTIONS))
 BUILD_TARGETS := $(patsubst %, build-%, $(DISTRIBUTIONS))
@@ -53,24 +49,30 @@ else
 include $(CURDIR)/deployments/container/multi-arch.mk
 endif
 
+# Both distroless and build-distroless trigger a build of the relevant image
+$(DISTRIBUTIONS): %: build-%
+
 build-%: DOCKERFILE_SUFFIX = $(*)
 build-%: DOCKERFILE = $(CURDIR)/deployments/container/Dockerfile.$(DOCKERFILE_SUFFIX)
-
-# Both ubi9 and build-ubi9 trigger a build of the relevant image
-$(DISTRIBUTIONS): %: build-%
 $(BUILD_TARGETS): build-%:
-	DOCKER_BUILDKIT=1 \
-		$(DOCKER) $(BUILDX) build --pull \
-			$(DOCKER_BUILD_OPTIONS) \
-			$(DOCKER_BUILD_PLATFORM_OPTIONS) \
-			--tag $(IMAGE) \
-			--build-arg GOLANG_VERSION="$(GOLANG_VERSION)" \
-			--build-arg VERSION="$(VERSION)" \
-			--build-arg GIT_COMMIT="$(GIT_COMMIT)" \
-			--build-arg CVE_UPDATES="$(CVE_UPDATES)" \
-			--build-arg GOPROXY="$(GOPROXY)" \
-			--file $(DOCKERFILE) \
-			$(CURDIR)
+	$(DOCKER) build --pull \
+		$(DOCKER_BUILD_OPTIONS) \
+		$(DOCKER_BUILD_PLATFORM_OPTIONS) \
+		--tag $(IMAGE) \
+		--build-arg GOLANG_VERSION="$(GOLANG_VERSION)" \
+		--build-arg VERSION="$(VERSION)" \
+		--build-arg GIT_COMMIT="$(GIT_COMMIT)" \
+		--build-arg CVE_UPDATES="$(CVE_UPDATES)" \
+		--build-arg GOPROXY="$(GOPROXY)" \
+		--file $(DOCKERFILE) \
+		$(CURDIR)
+ifeq ($(PUSH_ON_BUILD),true)
+	$(DOCKER) push "$(IMAGE)"
+endif
+
+# Handle the default build target.
+.PHONY: build
+build: $(DEFAULT_PUSH_TARGET)
 
 .PHONY: bump-commit
 BUMP_COMMIT := Bump to version $(VERSION)

deployments/container/multi-arch.mk

@@ -15,7 +15,7 @@
 PUSH_ON_BUILD ?= false
 ATTACH_ATTESTATIONS ?= false
 DOCKER_BUILD_OPTIONS = --output=type=image,push=$(PUSH_ON_BUILD) --provenance=$(ATTACH_ATTESTATIONS) --sbom=$(ATTACH_ATTESTATIONS)
-DOCKER_BUILD_PLATFORM_OPTIONS = --platform=linux/amd64,linux/arm64
+DOCKER_BUILD_PLATFORM_OPTIONS ?= --platform=linux/amd64,linux/arm64
 
 REGCTL ?= regctl
 $(PUSH_TARGETS): push-%:

deployments/container/native-only.mk

@@ -12,7 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-DOCKER_BUILD_PLATFORM_OPTIONS = --platform=linux/amd64
+PUSH_ON_BUILD ?= false
+DOCKER_BUILD_PLATFORM_OPTIONS ?= --platform=linux/amd64
 
 $(PUSH_TARGETS): push-%:
 	$(DOCKER) tag "$(IMAGE)" "$(OUT_IMAGE)"