initial aks and ci configurations (#1)

* initial aks and ci configurations * updating chart and make sure publish-manifest depends on build-multiarch * quote the registry * fixing cache values * adding setup-buildx for cache support * separate artifacts * update tag for native build * ensure runner sets are scheduled on appropriate architecture * adding packages: write privilege * add nodeselector to runner container spec * login to ghcr for publishing the muti-arch manifest * update README * update README * removing unecessary comment
siimpl · Jul 11, 2024 · cbf42e9 · cbf42e9
1 parent 4f86436
commit cbf42e9
Show file tree

Hide file tree

Showing 10 changed files with 541 additions and 1 deletion.
diff --git a/.github/workflows/emulated-build.yml b/.github/workflows/emulated-build.yml
@@ -0,0 +1,45 @@
+name: "CI"
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  build-multiarch:
+    permissions:
+      contents: read
+      pull-requests: read
+      packages: write
+    env:
+      REGISTRY: ghcr.io/siimpl
+      IMAGE_NAME: cicd-tooling-emulated
+      IMAGE_VERSION: 1.0
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_VERSION }}
diff --git a/.github/workflows/native-build.yml b/.github/workflows/native-build.yml
@@ -0,0 +1,62 @@
+name: "CI"
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+env:
+  REGISTRY: ghcr.io/siimpl
+  IMAGE_NAME: cicd-tooling-native
+  IMAGE_VERSION: 1.0
+
+jobs:
+  build-multiarch:
+    permissions:
+      contents: read
+      pull-requests: read
+      packages: write
+    runs-on: arc-runner-set-${{ matrix.architecture }}
+    strategy:
+      matrix:
+        architecture: [amd64, arm64]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/${{ matrix.architecture }}
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_VERSION }}-${{ matrix.architecture }}
+          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:builder-cache-${{ matrix.architecture }}
+          cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:builder-cache-${{ matrix.architecture }},mode=max
+  publish-manifest:
+    runs-on: arc-runner-set-arm64
+    needs: build-multiarch
+    permissions:
+      id-token: write
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Publish Manifest
+        run: |
+          docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_VERSION }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_VERSION }}-amd64 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_VERSION }}-arm64
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+.terraform*
+terraform.*
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,27 @@
+# Use the official Golang Image
+FROM golang:bookworm
+
+RUN apt-get update && \
+    apt-get install -y \
+                    jq \
+                    yq
+
+# Install Azure CLI
+RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+
+RUN az aks install-cli
+
+# Install Helm
+RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && \
+    chmod +x get_helm.sh && \
+    ./get_helm.sh
+
+RUN rm get_helm.sh
+
+# Install kubectl
+RUN curl -LO "https://dl.k8s.io/release/v1.30.2/bin/linux/amd64/kubectl" \
+    && chmod +x kubectl \
+    && mv kubectl /usr/local/bin/
+
+# Install docker
+RUN curl -fsSL https://get.docker.com -o get-docker.sh && sh ./get-docker.sh
diff --git a/README.md b/README.md
@@ -1 +1,69 @@
-# multi-architecture-cicd
+# multi-architecture-cicd
+
+This project deploys self-hosted GitHub runners to be used for multi-architecture builds and offers up to **90% faster builds**.
+The implementation is reflective of a CI/CD solution we built for a mid-size security startup.
+
+Typically, multi-architecture builds leverage an emulation tool like [QEMU](https://docs.docker.com/build/building/multi-platform/#qemu) to enable cross-platforms builds from a single machine.
+This offers a simpler configuration, but delivers a significant perfomance hit when emulating another architecture.
+
+Our solution uses the [native node strategy](https://docs.docker.com/build/building/multi-platform/#multiple-native-nodes) to give us the performance gains of native architecture builds, but still supporting multi-architecture manifests.
+
+Going through the guide, you will notice how the `native-build` action runs roughly 90% faster than the `emulated-build` action using the self-hosted runners.
+
+## Pre-requisuites
+
+- [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
+- [Helm](https://helm.sh/docs/intro/install/)
+- [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli)
+
+## Guide
+
+1. **Generate GitHub PAT**
+
+    Follow these [docs](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) to generate a PAT that the self-hosted runners will use to register with the target repository/organization.
+
+2. **Update the variables.tf**
+
+   You can update the variables.tf with the config url and pat or create a .tfvars file
+
+    ```hcl
+      variable "github_config" {
+        type = object({
+          config_url = string
+          pat = string
+        })
+        default = {
+        config_url = "https://github.com/${organization}/${repo}"
+        pat = "${github_pat}"
+      }
+    }
+    ```
+3. **Initialize AZ CLI**
+
+run the following commands to initialize your az cli
+
+```sh
+az cloud set --name AzureCloud
+az login
+az account set --subscription ${subscription}
+```
+
+4. **Deploy Cluster**
+
+```sh
+terraform init
+terraform plan
+terraform apply -auto-approve
+```
+
+5. **Create a PR to validate pipelines**
+
+Update the `REGISTRY` value to match your ghcr repository, push your changes, and create a Pull Request.
+This will trigger the `emulated-build` and `native-build` to kickoff.
+
+## Tooling Docs
+
+* [AKS](https://learn.microsoft.com/en-us/azure/aks/)
+* [Terraform](https://github.com/stretchr/testify)
+* [GitHub Runners](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller)
+* [GitHub Actions](https://docs.github.com/en/actions)
diff --git a/aks.tf b/aks.tf
@@ -0,0 +1,50 @@
+resource "azurerm_resource_group" "cicd" {
+  name     = "multi-arch-cicd"
+  location = "East US 2"
+}
+
+resource "azurerm_kubernetes_cluster" "cicd" {
+  name                = "multi-arch-cicd"
+  location            = azurerm_resource_group.cicd.location
+  resource_group_name = azurerm_resource_group.cicd.name
+  dns_prefix          = "multiarchcicd"
+
+  default_node_pool {
+    name       = "default"
+    node_count = 1
+    vm_size    = "Standard_DS2_v2"
+    tags = {
+      environment = "dev"
+    }
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  tags = {
+    environment = "dev"
+  }
+}
+
+resource "azurerm_kubernetes_cluster_node_pool" "amd64" {
+  name                  = "amd64pool"
+  kubernetes_cluster_id = azurerm_kubernetes_cluster.cicd.id
+  vm_size               = "Standard_DS2_v2" # AMD-based instance
+  node_count            = 1
+  os_type               = "Linux"
+  tags = {
+    environment = "dev"
+  }
+}
+
+resource "azurerm_kubernetes_cluster_node_pool" "arm64" {
+  name                  = "arm64pool"
+  kubernetes_cluster_id = azurerm_kubernetes_cluster.cicd.id
+  vm_size               = "Standard_D4ps_v5" # ARM-based instance
+  node_count            = 1
+  os_type               = "Linux"
+  tags = {
+    environment = "dev"
+  }
+}
diff --git a/providers.tf b/providers.tf
@@ -0,0 +1,28 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.111.0"
+    }
+    helm = {
+      source = "hashicorp/helm"
+      version = "2.14.0"
+    }
+  }
+}
+
+provider "azurerm" {
+    skip_provider_registration = true
+    features {}
+}
+
+provider "helm" {
+  kubernetes {
+    host                   = azurerm_kubernetes_cluster.cicd.kube_config[0].host
+    username               = azurerm_kubernetes_cluster.cicd.kube_config[0].username
+    password               = azurerm_kubernetes_cluster.cicd.kube_config[0].password
+    client_certificate     = base64decode(azurerm_kubernetes_cluster.cicd.kube_config[0].client_certificate)
+    client_key             = base64decode(azurerm_kubernetes_cluster.cicd.kube_config[0].client_key)
+    cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.cicd.kube_config[0].cluster_ca_certificate)
+  }
+}
diff --git a/runners.tf b/runners.tf
@@ -0,0 +1,45 @@
+resource "helm_release" "arc" {
+  name      = "arc"
+  chart     = "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller"
+  namespace = "arc-systems"
+  create_namespace = true
+  timeout   = 120
+
+  depends_on = [azurerm_kubernetes_cluster.cicd]
+}
+
+resource "helm_release" "arc_runner_set_amd64" {
+  name      = "arc-runner-set-amd64"
+  chart     = "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set"
+  namespace = "arc-runners"
+  create_namespace = true
+  timeout   = 120
+
+  values = [
+    templatefile("./templatefiles/arc_runner_values.yaml", {
+      github_config_url = var.github_config.config_url
+      github_pat = var.github_config.pat
+      architecture = "amd64"
+    })
+  ]
+
+  depends_on = [helm_release.arc]
+}
+
+resource "helm_release" "arc_runner_set_arm64" {
+  name      = "arc-runner-set-arm64"
+  chart     = "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set"
+  namespace = "arc-runners"
+  create_namespace = true
+  timeout   = 120
+
+  values = [
+    templatefile("./templatefiles/arc_runner_values.yaml", {
+      github_config_url = var.github_config.config_url
+      github_pat = var.github_config.pat
+      architecture = "arm64"
+    })
+  ]
+
+  depends_on = [helm_release.arc]
+}