chore(*) scripts for build, publish and fetch Envoy binaries (#3110)

Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
(cherry picked from commit 6f2071e)

Makefile

@@ -25,3 +25,4 @@ include mk/k3d.mk
 include mk/e2e.mk
 include mk/e2e.new.mk
 include mk/docs.mk
+include mk/envoy.mk

mk/build.mk

@@ -31,7 +31,7 @@ COREDNS_TMP_DIRECTORY ?= $(BUILD_DIR)/coredns
 COREDNS_PLUGIN_CFG_PATH ?= $(TOP)/tools/builds/coredns/templates/plugin.cfg
 
 # List of binaries that we have release build rules for.
-BUILD_RELEASE_BINARIES := kuma-cp kuma-dp kumactl kuma-prometheus-sd coredns
+BUILD_RELEASE_BINARIES := kuma-cp kuma-dp kumactl kuma-prometheus-sd coredns envoy
 
 # List of binaries that we have test build roles for.
 BUILD_TEST_BINARIES := test-server

mk/docker.mk

@@ -66,7 +66,7 @@ docker/build/kuma-universal: build/artifacts-linux-amd64/kuma-cp/kuma-cp build/a
 image/kuma-cp: build/kuma-cp/linux-amd64 docker/build/kuma-cp ## Dev: Rebuild `kuma-cp` Docker image
 
 .PHONY: image/kuma-dp
-image/kuma-dp: build/kuma-dp/linux-amd64 build/coredns/linux-amd64 docker/build/kuma-dp ## Dev: Rebuild `kuma-dp` Docker image
+image/kuma-dp: build/kuma-dp/linux-amd64 build/coredns/linux-amd64 build/artifacts-linux-amd64/envoy/envoy docker/build/kuma-dp ## Dev: Rebuild `kuma-dp` Docker image
 
 .PHONY: image/kumactl
 image/kumactl: build/kumactl/linux-amd64 docker/build/kumactl ## Dev: Rebuild `kumactl` Docker image

mk/envoy.mk

@@ -0,0 +1,32 @@
+ENVOY_TAG ?= v1.18.4
+ENVOY_COMMIT_HASH ?=
+
+SOURCE_DIR ?= ${TMPDIR}envoy-sources
+ifndef TMPDIR
+	SOURCE_DIR ?= /tmp/envoy-sources
+endif
+
+BUILD_ENVOY_FROM_SOURCES ?= false
+KUMA_DIR ?= .
+# Target 'build/envoy' allows to put Envoy binary under the build/artifacts-$GOOS-$GOARCH directory.
+# Depending on the flag BUILD_ENVOY_FROM_SOURCES this target either fetches Envoy from binary registry or
+# builds from sources. It's possible to build binaries for darwin, linux and centos7 by specifying GOOS variable.
+# Envoy version could be specified either by ENVOY_TAG or ENVOY_COMMIT_HASH, the latter takes precedence.
+.PHONY: build/envoy
+build/envoy: ## Envoy: build or fetch envoy binaries
+	$(MAKE) build/artifacts-${GOOS}-${GOARCH}/envoy/envoy
+
+build/artifacts-%-amd64/envoy/envoy:
+ifeq ($(BUILD_ENVOY_FROM_SOURCES),true)
+	ENVOY_TAG=${ENVOY_TAG} \
+	ENVOY_COMMIT_HASH=${ENVOY_COMMIT_HASH} \
+	SOURCE_DIR=${SOURCE_DIR} \
+	KUMA_DIR=${KUMA_DIR} \
+	BAZEL_BUILD_EXTRA_OPTIONS=${BAZEL_BUILD_EXTRA_OPTIONS} \
+	BINARY_PATH=$@ ${KUMA_DIR}/tools/envoy/build_$*.sh
+else
+	ENVOY_TAG=${ENVOY_TAG} \
+	ENVOY_COMMIT_HASH=${ENVOY_COMMIT_HASH} \
+	BINARY_PATH=$@ \
+	ENVOY_DISTRO=$* ${KUMA_DIR}/tools/envoy/fetch.sh
+endif

test/dockerfiles/Dockerfile.universal

@@ -37,6 +37,7 @@ COPY --from=envoy /usr/local/bin/envoy /usr/local/bin/envoy
 
 ADD $KUMA_ROOT/build/artifacts-linux-amd64/kuma-cp/kuma-cp /usr/bin
 ADD $KUMA_ROOT/build/artifacts-linux-amd64/kuma-dp/kuma-dp /usr/bin
+ADD $KUMA_ROOT/build/artifacts-linux-amd64/envoy/envoy /usr/bin
 ADD $KUMA_ROOT/build/artifacts-linux-amd64/coredns/coredns /usr/bin
 ADD $KUMA_ROOT/build/artifacts-linux-amd64/kumactl/kumactl /usr/bin
 ADD $KUMA_ROOT/build/artifacts-linux-amd64/test-server/test-server /usr/bin

test/dockerfiles/Dockerfile.universal.dockerignore

@@ -1,6 +1,7 @@
 *
 !build/artifacts-linux-amd64/kuma-cp/kuma-cp
 !build/artifacts-linux-amd64/kuma-dp/kuma-dp
+!build/artifacts-linux-amd64/envoy/envoy
 !build/artifacts-linux-amd64/kumactl/kumactl
 !build/artifacts-linux-amd64/coredns/coredns
 !build/artifacts-linux-amd64/test-server/test-server

tools/common.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+function msg_green() {
+  builtin echo -en "\033[1;32m"
+  echo "$@"
+  builtin echo -en "\033[0m"
+}
+
+function msg_red() {
+  builtin echo -en "\033[1;31m" >&2
+  echo "$@" >&2
+  builtin echo -en "\033[0m" >&2
+}
+
+function msg_yellow() {
+  builtin echo -en "\033[1;33m"
+  echo "$@"
+  builtin echo -en "\033[0m"
+}
+
+function msg() {
+  builtin echo -en "\033[1m"
+  echo "$@"
+  builtin echo -en "\033[0m"
+}
+
+function msg_err() {
+  msg_red $@
+  exit 1
+}

tools/envoy/Dockerfile.build-centos7

@@ -0,0 +1,18 @@
+ARG ENVOY_BUILD_IMAGE
+FROM $ENVOY_BUILD_IMAGE
+
+ARG BUILD_CMD
+
+# based on the fix https://github.com/envoyproxy/envoy/pull/18426, could be deleted as soon as it'll be merged
+RUN git clone https://gn.googlesource.com/gn && \
+    pushd gn && \
+    git checkout 45aa842fb41d79e149b46fac8ad71728856e15b9 && \
+    python build/gen.py && \
+    ninja -C out && \
+    mv -f out/gn /usr/local/bin/gn && \
+    chmod +x /usr/local/bin/gn && \
+    popd
+
+RUN mkdir /build /source
+COPY . /envoy-sources/
+RUN bash -c "pushd /envoy-sources && $BUILD_CMD"

tools/envoy/Dockerfile.build-centos7.dockerignore

@@ -0,0 +1,3 @@
+# Overrides standard .dockerignore file from the project's root directory.
+# It's important to have it empty because we're running 'docker build' with envoy's
+# source directory as a workspace and by default it's $TMPDIR/envoy-sources.

tools/envoy/Dockerfile.build-ubuntu

@@ -0,0 +1,13 @@
+ARG ENVOY_BUILD_IMAGE
+FROM $ENVOY_BUILD_IMAGE
+
+ARG BUILD_CMD
+
+RUN groupadd --gid $(id -g) -f envoygroup \
+  && useradd -o --uid $(id -u) --gid $(id -g) --no-create-home --home-dir /build envoybuild \
+  && usermod -a -G pcap envoybuild \
+  && mkdir /build /source \
+  && chown envoybuild:envoygroup /build /source
+
+COPY . /envoy-sources/
+RUN sudo -EHs -u envoybuild bash -c "pushd /envoy-sources && $BUILD_CMD"

tools/envoy/Dockerfile.build-ubuntu.dockerignore

@@ -0,0 +1,3 @@
+# Overrides standard .dockerignore file from the project's root directory.
+# It's important to have it empty because we're running 'docker build' with envoy's
+# source directory as a workspace and by default it's $TMPDIR/envoy-sources.

tools/envoy/README.md

@@ -0,0 +1,40 @@
+# Tools for Envoy
+
+The current directory contains tools for building, publishing and fetching Envoy binaries.
+
+There is a new Makefile target `build/envoy` that places an `envoy` binary in `build/artifacts-$GOOS-$GOARCH/` directory.
+The default behaviour of that target – fetching binaries from [download.konghq.com](download.konghq.com) since it makes more sense for
+overwhelming majority of users. However, there is a variable `BUILD_ENVOY_FROM_SOURCES` that allows to build Envoy from 
+source code. 
+
+### Usage
+
+Download the latest supported Envoy binary for your host OS: 
+```shell
+$ make build/envoy
+```
+
+Download the latest supported Envoy binary for specified system:
+```shell
+$ GOOS=linux make build/envoy # supported OS: linux, centos7 and darwin
+```
+
+Download the specific Envoy tag:
+```shell
+$ ENVOY_TAG=v1.18.4 make build/envoy
+```
+
+Download the specific Envoy commit hash (if it exists in [download.konghq.com](download.konghq.com)):
+```shell
+$ ENVOY_COMMIT_HASH=bef18019d8fc33a4ed6aca3679aff2100241ac5e make build/envoy
+```
+
+If desired commit hash doesn't exist, it could be built from sources:
+```shell
+$ ENVOY_COMMIT_HASH=bef18019d8fc33a4ed6aca3679aff2100241ac5e BUILD_ENVOY_FROM_SOURCES=true make build/envoy
+```
+
+When building from sources its still possible to specify OS:
+```shell
+$ GOOS=linux ENVOY_COMMIT_HASH=bef18019d8fc33a4ed6aca3679aff2100241ac5e BUILD_ENVOY_FROM_SOURCES=true make build/envoy
+```

tools/envoy/build_centos7.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+echo "Building Envoy for CentOS 7"
+
+mkdir -p "$(dirname ${BINARY_PATH})"
+
+SOURCE_DIR="${SOURCE_DIR}" "${KUMA_DIR:-.}/tools/envoy/fetch_sources.sh"
+
+BUILD_CMD=${BUILD_CMD:-"BAZEL_BUILD_EXTRA_OPTIONS=\"${BAZEL_BUILD_EXTRA_OPTIONS:-}\" ./ci/do_ci.sh bazel.release.server_only"}
+
+ENVOY_BUILD_SHA=$(curl --fail --location --silent https://raw.githubusercontent.com/envoyproxy/envoy/"${ENVOY_TAG}"/.bazelrc | grep envoyproxy/envoy-build-ubuntu | sed -e 's#.*envoyproxy/envoy-build-ubuntu:\(.*\)#\1#'| uniq)
+ENVOY_BUILD_IMAGE="envoyproxy/envoy-build-centos:${ENVOY_BUILD_SHA}"
+LOCAL_BUILD_IMAGE="envoy-builder:${ENVOY_TAG}"
+
+docker build -t "${LOCAL_BUILD_IMAGE}" --progress=plain \
+  --build-arg ENVOY_BUILD_IMAGE="${ENVOY_BUILD_IMAGE}" \
+  --build-arg BUILD_CMD="${BUILD_CMD}" \
+  -f tools/envoy/Dockerfile.build-centos7 "${SOURCE_DIR}"
+
+# copy out the binary
+id=$(docker create "${LOCAL_BUILD_IMAGE}")
+docker cp "$id":/envoy-sources/linux/amd64/build_envoy_release_stripped/envoy "${BINARY_PATH}"
+docker rm -v "$id"

tools/envoy/build_darwin.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+echo "Building Envoy for Darwin"
+
+mkdir -p "$(dirname ${BINARY_PATH})"
+
+SOURCE_DIR="${SOURCE_DIR}" "${KUMA_DIR:-.}/tools/envoy/fetch_sources.sh"
+
+pushd "${SOURCE_DIR}"
+
+BAZEL_BUILD_EXTRA_OPTIONS=${BAZEL_BUILD_EXTRA_OPTIONS:-""}
+read -ra BAZEL_BUILD_EXTRA_OPTIONS <<< "${BAZEL_BUILD_EXTRA_OPTIONS}"
+BAZEL_BUILD_OPTIONS=(
+    "--curses=no"
+    --show_task_finish
+    --verbose_failures
+    "--action_env=PATH=/usr/local/bin:/opt/local/bin:/usr/bin:/bin"
+    "--define" "wasm=disabled"
+    "${BAZEL_BUILD_EXTRA_OPTIONS[@]+"${BAZEL_BUILD_EXTRA_OPTIONS[@]}"}")
+bazel build "${BAZEL_BUILD_OPTIONS[@]}" -c opt //source/exe:envoy-static
+
+popd
+
+cp ${SOURCE_DIR}/bazel-bin/source/exe/envoy-static ${BINARY_PATH}
+

tools/envoy/build_linux.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+echo "Building Envoy for Linux"
+
+mkdir -p "$(dirname ${BINARY_PATH})"
+
+SOURCE_DIR="${SOURCE_DIR}" "${KUMA_DIR:-.}/tools/envoy/fetch_sources.sh"
+
+BUILD_CMD=${BUILD_CMD:-"BAZEL_BUILD_EXTRA_OPTIONS=\"${BAZEL_BUILD_EXTRA_OPTIONS:-}\" ./ci/do_ci.sh bazel.release.server_only"}
+
+ENVOY_BUILD_SHA=$(curl --fail --location --silent https://raw.githubusercontent.com/envoyproxy/envoy/"${ENVOY_TAG}"/.bazelrc | grep envoyproxy/envoy-build-ubuntu | sed -e 's#.*envoyproxy/envoy-build-ubuntu:\(.*\)#\1#'| uniq)
+ENVOY_BUILD_IMAGE="envoyproxy/envoy-build-ubuntu:${ENVOY_BUILD_SHA}"
+LOCAL_BUILD_IMAGE="envoy-builder:${ENVOY_TAG}"
+
+echo "BUILD_CMD=${BUILD_CMD}"
+
+docker build -t "${LOCAL_BUILD_IMAGE}" --progress=plain \
+  --build-arg ENVOY_BUILD_IMAGE="${ENVOY_BUILD_IMAGE}" \
+  --build-arg BUILD_CMD="${BUILD_CMD}" \
+  -f tools/envoy/Dockerfile.build-ubuntu "${SOURCE_DIR}"
+
+# copy out the binary
+id=$(docker create "${LOCAL_BUILD_IMAGE}")
+docker cp "$id":/envoy-sources/linux/amd64/build_envoy_release_stripped/envoy "${BINARY_PATH}"
+docker rm -v "$id"

tools/envoy/fetch.sh

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+
+# This script fetches Envoy binary from download.konghq.com
+#
+# Requires:
+# - $BINARY_PATH, path where binary will be fetched, for example 'out/envoy'
+# - $ENVOY_DISTRO, name of the distributive (i.e darwin, linux)
+#
+# Optional:
+# - $ENVOY_TAG, git tag to reference specific revision
+# - $ENVOY_COMMIT_HASH, hash of the git commit. If specified, then $ENVOY_TAG will be ignored
+#
+# at least one of $ENVOY_TAG or $ENVOY_COMMIT_HASH should be specified
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+source "$(dirname -- "${BASH_SOURCE[0]}")/../common.sh"
+
+function download_envoy() {
+    local binary_name=$1
+    echo "Downloading ${binary_name}"
+
+    if [ ! -d "$(dirname "${BINARY_PATH}")" ]; then
+      mkdir -p "$(dirname "${BINARY_PATH}")"
+    fi
+
+    local status=$(curl -# --location --output "${BINARY_PATH}" --write-out %{http_code} \
+    "https://download.konghq.com/mesh-alpine/${binary_name}")
+
+  [ -f "${BINARY_PATH}" ] && chmod +x "${BINARY_PATH}"
+  [ "$status" -ne "200" ] && msg_err "Error: failed downloading Envoy" || true
+}
+
+ENVOY_TAG=${ENVOY_TAG:-}
+ENVOY_COMMIT_HASH=${ENVOY_COMMIT_HASH:-}
+[[ -z "${ENVOY_TAG}" ]] && [[ -z "${ENVOY_COMMIT_HASH}" ]] && msg_err "Error: either ENVOY_TAG or ENVOY_COMMIT_HASH should be specified"
+
+if [ "${ENVOY_DISTRO}" == "linux" ]; then
+  ENVOY_DISTRO="alpine"
+fi
+
+if [ "${ENVOY_DISTRO}" == "centos7" ]; then
+  ENVOY_DISTRO="centos"
+fi
+
+if [[ -n "${ENVOY_COMMIT_HASH}" ]]; then
+  ENVOY_SHORT_HASH=${ENVOY_COMMIT_HASH:0:8}
+
+  BINARY_NAME=$(curl --silent https://download.konghq.com/mesh-alpine/ \
+    | { grep "${ENVOY_SHORT_HASH}" || true; } \
+    | { grep "${ENVOY_DISTRO}" || true; } \
+    | sed -e 's#.*<li><a href=".*">\(.*\)</a></li>#\1#')
+
+  [[ -z "${BINARY_NAME}" ]] && msg_err "failed to resolve binary name by ENVOY_COMMIT_HASH=${ENVOY_COMMIT_HASH}"
+
+  download_envoy "${BINARY_NAME}"
+  exit 0
+fi
+
+if [[ -n "${ENVOY_TAG}" ]]; then
+  ENVOY_VERSION=${ENVOY_TAG:1}
+  BINARY_NAME="envoy-${ENVOY_VERSION}-${ENVOY_DISTRO}"
+
+  download_envoy "${BINARY_NAME}"
+  exit 0
+fi

tools/envoy/fetch_sources.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# This script fetches Envoy source code to $SOURCE_DIR
+#
+# Requires:
+# - $SOURCE_DIR, a directory where sources will be placed
+#
+# Optional:
+# - $ENVOY_TAG, git tag to reference specific revision
+# - $ENVOY_COMMIT_HASH, hash of the git commit. If specified, then $ENVOY_TAG will be ignored
+#
+# at least one of $ENVOY_TAG or $ENVOY_COMMIT_HASH should be specified
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+source "$(dirname -- "${BASH_SOURCE[0]}")/../common.sh"
+
+ENVOY_TAG=${ENVOY_TAG:-}
+ENVOY_COMMIT_HASH=${ENVOY_COMMIT_HASH:-}
+[[ -z "${ENVOY_TAG}" ]] && [[ -z "${ENVOY_COMMIT_HASH}" ]] && msg_err "Error: either ENVOY_TAG or ENVOY_COMMIT_HASH should be specified"
+
+# clone Envoy repo if not exists
+if [[ ! -d "${SOURCE_DIR}" ]]; then
+  mkdir -p "${SOURCE_DIR}"
+  (
+    cd "${SOURCE_DIR}"
+    git init .
+    git remote add origin https://github.com/envoyproxy/envoy.git
+  )
+else
+  echo "Envoy source directory already exists, just fetching"
+  pushd ${SOURCE_DIR} && git fetch --all && popd
+fi
+
+pushd ${SOURCE_DIR}
+
+git fetch origin --depth=1 "${ENVOY_COMMIT_HASH:-${ENVOY_TAG}}"
+git reset --hard FETCH_HEAD
+
+echo "ENVOY_TAG=${ENVOY_TAG}"
+echo "ENVOY_COMMIT_HASH=${ENVOY_COMMIT_HASH}"
+
+popd