ory / oathkeeper-maester

Kubernetes CRD Controller for Ory Oathkeeper. :warning: Maintained by the community, not an official Ory project!
Apache License 2.0

Build multiplatform docker #77

Closed meysam81 closed 1 week ago

meysam81 commented 3 weeks ago

Preflight checklist

Ory Network Project

No response

Describe your problem

With the current release scripts, the final docker image ends up having the following tags [1]:

There is a lack of flexibility in the way these images are being distributed since it is not uncommon for people to have non-uniform workloads (a combination of ARM64 & AMD64 machines).

With the way things are at the moment, we have to explicitly specify the architecture in the image tag.

However, if you build one oryd/oathkeeper-maester:v0.1.10 for both platforms, then we can specify the version number and let the underlying OCI implementation take care of the rest.

These are the offending lines (trimmed for brevity):

https://github.com/ory/oathkeeper-maester/blob/293ae228dc87659f41487956a162918ebd3f511f/.goreleaser.yml#L67-L86

Describe your ideal solution

It would be awesome to build one docker image for multiple platforms [1].

Workarounds or alternatives

None at the moment. We have to explicitly set the taints and tolerations to make it work across different node types.

Version

v0.1.10

Additional Context

I would be more than happy to contribute if you confirm that this is a desired outcome. I know where to modify to make the change and I only need your approval.

Cheers and thanks for the awesome products. 🥂

meysam81 commented 3 weeks ago

cc @aeneasr @Demonsthere

Demonsthere commented 1 week ago

Hello there! As much as I understand your point, this is a design pattern that we have designed in the whole Ory ecosystem. I don't feel confident in letting the OCI decide on the platform, as we have seen issues with it ourselves. Especially when combined with different base images like distroless vs alpine, which comes with a glibc vs musl discussion.

If you find some targets missing, we can add them to our process, but I would prefer to follow our patterns, and add them explicitly :)

meysam81 commented 1 week ago

@Demonsthere

I understand that you would like to keep the compatibility of your upstream images.

However, your other images are multiplatform, example:

I wonder how this oathkeeper-maester is any different in terms of design and implementation when it comes to providing official multiplatform docker images!?

Demonsthere commented 1 week ago

Huh, to be honest I was not aware of those changes 😅. In that case, I think it should be rather straightforward, as if I understand the goreleaser structure, we can keep specific image_templates, but add a docker_manifest object that would join them 🤔
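The approach described in the comment above, sketched as a GoReleaser configuration. This is an added example, not the project's own `.goreleaser.yml` and not part of the original thread; the `-amd64`/`-arm64` tag suffixes and the `Dockerfile` path are assumptions.

```yaml
# Added illustration: per-architecture images stay explicit,
# and a manifest list joins them under one version tag.
dockers:
  - image_templates:
      - "oryd/oathkeeper-maester:{{ .Tag }}-amd64"   # assumed suffix
    use: buildx
    goos: linux
    goarch: amd64
    dockerfile: Dockerfile                           # assumed path
    build_flag_templates:
      - "--platform=linux/amd64"
  - image_templates:
      - "oryd/oathkeeper-maester:{{ .Tag }}-arm64"   # assumed suffix
    use: buildx
    goos: linux
    goarch: arm64
    dockerfile: Dockerfile                           # assumed path
    build_flag_templates:
      - "--platform=linux/arm64"

docker_manifests:
  # One tag for consumers; the container runtime picks the entry
  # matching the node's architecture from the manifest list.
  - name_template: "oryd/oathkeeper-maester:{{ .Tag }}"
    image_templates:
      - "oryd/oathkeeper-maester:{{ .Tag }}-amd64"
      - "oryd/oathkeeper-maester:{{ .Tag }}-arm64"
  - name_template: "oryd/oathkeeper-maester:latest"
    image_templates:
      - "oryd/oathkeeper-maester:{{ .Tag }}-amd64"
      - "oryd/oathkeeper-maester:{{ .Tag }}-arm64"
```

Because the architecture-specific tags are still published, deployments that do not want the runtime to choose the platform can keep referencing them directly.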

meysam81 commented 1 week ago

@Demonsthere

Appreciate your prompt action.

I believe there is a typo on latests (the trailing s is extra).