[Backport release/3.4.x] feat(cd): enable arm64 for rhel-9 and aws-2023

.github/matrix-full.yml

@@ -1,6 +1,5 @@
 build-packages:
 # label: used to distinguish artifacts for later use
-# os: the github actions runner label to pick from
 # image: docker image name if the build is running in side a container
 # package: package type
 # package-type: the nfpm packaging target, //:kong_{package} target; only used when package is rpm
@@ -9,65 +8,66 @@ build-packages:
 
 # Ubuntu
 - label: ubuntu-20.04
-  os: ubuntu-22.04
   image: ubuntu:20.04
   package: deb
   check-manifest-suite: ubuntu-20.04-amd64
 - label: ubuntu-22.04
-  os: ubuntu-22.04
   package: deb
   check-manifest-suite: ubuntu-22.04-amd64
 - label: ubuntu-22.04-arm64
-  os: ubuntu-22.04
   package: deb
   bazel-args: --platforms=//:generic-crossbuild-aarch64
   check-manifest-suite: ubuntu-22.04-arm64
 
 # Debian
 - label: debian-10
-  os: ubuntu-22.04
   image: debian:10
   package: deb
   check-manifest-suite: debian-10-amd64
 - label: debian-11
-  os: ubuntu-22.04
   image: debian:11
   package: deb
   check-manifest-suite: debian-11-amd64
 
 # RHEL
 - label: rhel-7
-  os: ubuntu-22.04
   image: centos:7
   package: rpm
   package-type: el7
+  bazel-args: --//:wasmx_el7_workaround=true
   check-manifest-suite: el7-amd64
 - label: rhel-8
-  os: ubuntu-22.04
   image: rockylinux:8
   package: rpm
   package-type: el8
   check-manifest-suite: el8-amd64
 - label: rhel-9
-  os: ubuntu-22.04
   image: rockylinux:9
   package: rpm
   package-type: el9
   check-manifest-suite: el9-amd64
+- label: rhel-9-arm64
+  package: rpm
+  package-type: el9
+  bazel-args: --platforms=//:rhel9-crossbuild-aarch64
+  check-manifest-suite: el9-arm64
 
-# Amazon Linux
+  # Amazon Linux
 - label: amazonlinux-2
-  os: ubuntu-22.04
   image: amazonlinux:2
   package: rpm
   package-type: aws2
   check-manifest-suite: amazonlinux-2-amd64
 - label: amazonlinux-2023
-  os: ubuntu-22.04
   image: amazonlinux:2023
   package: rpm
   package-type: aws2023
   check-manifest-suite: amazonlinux-2023-amd64
+- label: amazonlinux-2023-arm64
+  package: rpm
+  package-type: aws2023
+  bazel-args: --platforms=//:aws2023-crossbuild-aarch64
+  check-manifest-suite: amazonlinux-2023-arm64
 
 build-images:
 # Only build images for the latest version of each major release.
@@ -99,6 +99,8 @@ build-images:
   package: rpm
   rpm_platform: el9
   artifact-from: rhel-9
+  artifact-from-alt: rhel-9-arm64
+  docker-platforms: linux/amd64, linux/arm64
 
 smoke-tests:
 - label: ubuntu
@@ -164,6 +166,12 @@ release-packages:
   artifact-version: 9
   artifact-type: rhel
   artifact: kong.el9.amd64.rpm
+- label: rhel-9-arm64
+  package: rpm
+  artifact-from: rhel-9-arm64
+  artifact-version: 9
+  artifact-type: rhel
+  artifact: kong.el9.arm64.rpm
 
 # Amazon Linux
 - label: amazonlinux-2
@@ -178,6 +186,12 @@ release-packages:
   artifact-version: 2023
   artifact-type: amazonlinux
   artifact: kong.aws2023.amd64.rpm
+- label: amazonlinux-2023-arm64
+  package: rpm
+  artifact-from: amazonlinux-2023-arm64
+  artifact-version: 2023
+  artifact-type: amazonlinux
+  artifact: kong.aws2023.arm64.rpm
 
 release-images:
 - label: ubuntu

.github/workflows/release.yml

@@ -102,14 +102,14 @@ jobs:
       matrix:
         include: "${{ fromJSON(needs.metadata.outputs.matrix)['build-packages'] }}"
 
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-22.04
     container:
       image: ${{ matrix.image }}
       options: --privileged
 
     steps:
     - name: Early Rpm Setup
-      if: matrix.package == 'rpm'
+      if: matrix.package == 'rpm' && matrix.image != ''
       run: |
         # tar/gzip is needed to restore git cache (if available)
         yum install -y tar gzip which file zlib-devel
@@ -123,15 +123,15 @@ jobs:
 
     - name: Cache Git
       id: cache-git
-      if: matrix.package == 'rpm' || matrix.image == 'debian:10'
+      if: (matrix.package == 'rpm' || matrix.image == 'debian:10') && matrix.image != ''
       uses: actions/cache@v3
       with:
         path: /usr/local/git
-        key: ${{ matrix.label }}-git-2.30.0
+        key: ${{ matrix.label }}-git-2.41.0
 
     # el-7,8, amazonlinux-2,2023, debian-10 doesn't have git 2.18+, so we need to install it manually
     - name: Install newer Git
-      if: (matrix.package == 'rpm' || matrix.image == 'debian:10') && steps.cache-git.outputs.cache-hit != 'true'
+      if: (matrix.package == 'rpm' || matrix.image == 'debian:10') && matrix.image != '' && steps.cache-git.outputs.cache-hit != 'true'
       run: |
         if which apt 2>/dev/null; then
           apt update
@@ -141,16 +141,22 @@ jobs:
           yum groupinstall -y 'Development Tools'
           yum install -y wget zlib-devel openssl-devel curl-devel expat-devel gettext-devel perl-CPAN perl-devel
         fi
-        wget https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.30.0.tar.gz
-        tar xf git-2.30.0.tar.gz
-        cd git-2.30.0
+        wget https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.41.0.tar.gz
+        tar xf git-2.41.0.tar.gz
+        cd git-2.41.0
+
+        # https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/5948/diffs
+        if [[ ${{ matrix.image }} == "centos:7" ]]; then
+          echo 'CFLAGS=-std=gnu99' >> config.mak
+        fi
+
         make configure
         ./configure --prefix=/usr/local/git
         make -j$(nproc)
         make install
 
     - name: Add Git to PATH
-      if: matrix.package == 'rpm' || matrix.image == 'debian:10'
+      if: (matrix.package == 'rpm' || matrix.image == 'debian:10') && matrix.image != ''
       run: |
         echo "/usr/local/git/bin" >> $GITHUB_PATH
 
@@ -210,7 +216,7 @@ jobs:
         sudo apt-get install crossbuild-essential-arm64 -y
 
     - name: Install Rpm Dependencies
-      if: matrix.package == 'rpm'
+      if: matrix.package == 'rpm' && matrix.image != ''
       run: |
         yum groupinstall -y 'Development Tools'
         dnf config-manager --set-enabled powertools || true # enable devel packages on rockylinux:8
@@ -260,9 +266,9 @@ jobs:
         path: bazel-bin/pkg
         retention-days: 3
 
-  build-packages-verify-manifest:
+  verify-manifest-packages:
     needs: [metadata, build-packages]
-    name: Verify Manifest - ${{ matrix.label }}
+    name: Verify Manifest - Package ${{ matrix.label }}
     runs-on: ubuntu-22.04
 
     strategy:
@@ -389,8 +395,41 @@ jobs:
           Docker image available `${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}`
           Artifacts available https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
-  scan:
-    name: Scan - ${{ matrix.label }}
+  verify-manifest-images:
+    needs: [metadata, build-images]
+    name: Verify Manifest - Image ${{ matrix.label }}
+    runs-on: ubuntu-22.04
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include: "${{ fromJSON(needs.metadata.outputs.matrix)['build-images'] }}"
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Install Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.11'
+        cache: 'pip' # caching pip dependencies
+
+    - name: Verify
+      run: |
+        cd scripts/explain_manifest
+        # docker image verify requires sudo to set correct permissions, so we
+        # also install deps for root
+        sudo -E pip install -r requirements.txt
+        IMAGE=${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ github.sha }}-${{ matrix.label }}
+
+        sudo -E python ./main.py --image $IMAGE -f docker_image_filelist.txt -s docker-image
+
+        if [[ ! -z "${{ matrix.docker-platforms }}" ]]; then
+          DOCKER_DEFAULT_PLATFORM=linux/arm64 sudo -E python ./main.py --image $IMAGE -f docker_image_filelist.txt -s docker-image
+        fi
+
+  scan-images:
+    name: Scan Images - ${{ matrix.label }}
     needs: [metadata, build-images]
     runs-on: ubuntu-22.04
     if: |-
@@ -443,15 +482,15 @@ jobs:
       uses: Kong/public-shared-actions/security-actions/scan-docker-image@v1
       with:
         asset_prefix: kong-${{ github.sha }}-${{ matrix.label }}-linux-amd64
-        image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.amd64_sha }}
+        image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}-${{ matrix.label }}
 
     - name: Scan ARM64 Image digest
       if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
       id: sbom_action_arm64
       uses: Kong/public-shared-actions/security-actions/scan-docker-image@v1
       with:
         asset_prefix: kong-${{ github.sha }}-${{ matrix.label }}-linux-arm64
-        image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }}
+        image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}-${{ matrix.label }}
 
   smoke-tests:
     name: Smoke Tests - ${{ matrix.label }}

.requirements

@@ -12,7 +12,7 @@ LUA_RESTY_WEBSOCKET=60eafc3d7153bceb16e6327074e0afc3d94b1316 # 0.4.0
 ATC_ROUTER=b0d5e7e2a2ca59bb051959385d3e42d96c93bb98 # 1.2.0
 
 KONG_MANAGER=v3.4.0.0
-NGX_WASM_MODULE=prerelease-0.1.0
+NGX_WASM_MODULE=abd6a40790e019495de0f1532a8f2312bbdbc820 # prerelease-0.1.0
 WASMER=3.1.1
 WASMTIME=8.0.1
 V8=10.5.18