Move CentOS 7 assets to GitHub repo (#21435)

Moving our CentOS build assets, aka Clang-10 is the first step to enabling our full Teleport to build on ARM64. This change should also save us some $$ as getting the assets from S3 sounds expensive.

.github/workflows/build-centos7-assets.yaml

@@ -0,0 +1,44 @@
+name: Build CentOS 7 Buildbox Assets Images
+run-name: Build CentOS 7 Buildbox Assets Images
+on:
+  # Only allow manual triggers
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  BUILDBOX_BASE_NAME: ghcr.io/gravitational/teleport-buildbox
+
+jobs:
+  buildbox-centos7-assets:
+    name: Build CentOS 7 Asset Buildbox
+    strategy:
+      matrix:
+        # Build assets on x86. TODO(jakule) Add ARM64 build.
+        runner: [ ubuntu-22.04-32core ]
+    # Use bigger worker. Clang takes a while to build.
+    runs-on: ${{ matrix.runner }}
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout Teleport
+        uses: actions/checkout@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # We need to keep env vars in sync, so, we can't use standard build actions
+      - name: Build buildbox assets image
+        run: cd build.assets && make build-centos7-assets
+
+      - name: Docker push the latest built image
+        run: docker push $(docker images -a --format '{{.Repository}}:{{.Tag}}'| head -1)

build.assets/Dockerfile-centos7

@@ -1,5 +1,9 @@
 ARG RUST_VERSION
 
+# Create an alias to the assets image. Ref: https://github.com/docker/for-mac/issues/2155
+ARG BUILDARCH
+FROM ghcr.io/gravitational/teleport-buildbox-centos7-assets:teleport13-${BUILDARCH} AS teleport-buildbox-centos7-assets
+
 ## LIBFIDO2 ###################################################################
 
 # Build libfido2 separately for isolation, speed and flexibility.
@@ -246,11 +250,12 @@ COPY --from=libpcsclite \
     /usr/local/lib/libpcsclite.a \
     /usr/local/lib/
 
-# Download pre-built CentOS 7 assets with clang needed to build BPF tools.
-RUN cd / && curl -L https://s3.amazonaws.com/clientbuilds.gravitational.io/go/centos7-assets.tar.gz | tar -xz
-
 # Copy libbpf into the final image.
 COPY --from=libbpf /opt/libbpf/usr /usr
 
+# Download pre-built CentOS 7 assets with clang needed to build BPF tools.
+ARG BUILDARCH
+COPY --from=teleport-buildbox-centos7-assets /opt/llvm /opt/llvm
+
 VOLUME ["/go/src/github.com/gravitational/teleport"]
 EXPOSE 6600 2379 2380

build.assets/Dockerfile-centos7-assets

@@ -54,16 +54,14 @@ RUN git clone --branch llvmorg-10.0.1 --depth=1 https://github.com/llvm/llvm-pro
     -DLLVM_INCLUDE_TESTS=OFF \
     -DLLVM_TOOL_LLI_BUILD=OFF \
     -G \"Unix Makefiles\" ../llvm && \
-    make -j6 &&  \
+    make -j$(grep -c processor /proc/cpuinfo) &&  \
     make install"' && \
     cd ../.. && \
     rm -rf llvm-project
 
-FROM centos:7 AS assetbox
+# Create the final image with Clang only. We're using this Docker image as a tar.gz mainly
+# because we want to keep our artifacts on GitHub, and GH doesn't support blobs, only Docker images.
+FROM scratch AS buildbox-centos7-assets
 
 # Copy Clang into the final image.
 COPY --from=clang10 /opt/llvm /opt/llvm/
-ENV PATH=/opt/llvm/bin:${PATH}
-
-# Create the archive and copy it to the host.
-RUN tar -czvf centos7-assets.tar.gz /opt

build.assets/Dockerfile-centos7-fips

@@ -1,3 +1,7 @@
+# Create an alias to the assets image. Ref: https://github.com/docker/for-mac/issues/2155
+ARG BUILDARCH
+FROM ghcr.io/gravitational/teleport-buildbox-centos7-assets:teleport13-${BUILDARCH} AS teleport-buildbox-centos7-assets
+
 FROM centos:7 AS libbpf
 
 # Install required dependencies.
@@ -151,9 +155,6 @@ RUN make -C /opt/pam_teleport install
 
 RUN chmod a-w /
 
-# Download pre-built CentOS 7 assets with clang needed to build BPF tools.
-RUN cd / && curl -L https://s3.amazonaws.com/clientbuilds.gravitational.io/go/centos7-assets.tar.gz | tar -xz
-
 # Copy libbpf into the final image.
 COPY --from=libbpf /opt/libbpf/usr /usr
 
@@ -185,5 +186,9 @@ COPY --from=boringssl /opt/boringssl /opt/boringssl
 ENV BORING_BSSL_PATH=/opt/boringssl
 ENV BORING_BSSL_INCLUDE_PATH=/opt/boringssl/include
 
+# Download pre-built CentOS 7 assets with clang needed to build BPF tools.
+ARG BUILDARCH
+COPY --from=teleport-buildbox-centos7-assets /opt/llvm /opt/llvm
+
 VOLUME ["/go/src/github.com/gravitational/teleport"]
 EXPOSE 6600 2379 2380

build.assets/Makefile

@@ -178,6 +178,7 @@ buildbox-centos7-fips:
 	docker build \
 		--build-arg UID=$(UID) \
 		--build-arg GID=$(GID) \
+		--build-arg BUILDARCH=$(RUNTIME_ARCH) \
 		--build-arg GOLANG_VERSION=$(GOLANG_VERSION) \
 		--build-arg NODE_VERSION=$(NODE_VERSION) \
 		--build-arg RUST_VERSION=$(RUST_VERSION) \
@@ -530,9 +531,10 @@ print-buildbox-version:
 	@echo $(BUILDBOX_VERSION)
 
 #
-# Build CentOS 7 assets such as clang.
+# Build CentOS 7 assets - clang.
 #
 .PHONY:build-centos7-assets
 build-centos7-assets:
-	docker build --build-arg LIBBPF_VERSION=$(LIBBPF_VERSION) -t buildbox-centos7-assets -f Dockerfile-centos7-assets .
-	docker run -v $$(pwd):/centos7.assets -it buildbox-centos7-assets cp /centos7-assets.tar.gz /centos7.assets
+	docker build \
+		--tag $(BUILDBOX_CENTOS7_ASSETS)-$(RUNTIME_ARCH) \
+		-f Dockerfile-centos7-assets .

build.assets/images.mk

@@ -12,3 +12,4 @@ BUILDBOX_CENTOS7_FIPS=$(BUILDBOX_BASE_NAME)-centos7-fips:$(BUILDBOX_VERSION)
 BUILDBOX_ARM=$(BUILDBOX_BASE_NAME)-arm:$(BUILDBOX_VERSION)
 BUILDBOX_ARM_FIPS=$(BUILDBOX_BASE_NAME)-arm-fips:$(BUILDBOX_VERSION)
 BUILDBOX_UI=$(BUILDBOX_BASE_NAME)-ui:$(BUILDBOX_VERSION)
+BUILDBOX_CENTOS7_ASSETS=$(BUILDBOX_BASE_NAME)-centos7-assets:$(BUILDBOX_VERSION)