Migrate golang-crossbuild pipeline (#326)

Co-authored-by: Julien Lind <[email protected]>

Author: oakrizan

.buildkite/hooks/pre-command

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -euo pipefail
+
+source .buildkite/scripts/common.sh
+
+DOCKER_REGISTRY_SECRET_PATH="kv/ci-shared/platform-ingest/docker_registry_prod"
+PRIVATE_CI_GCS_CREDENTIALS_PATH="kv/ci-shared/platform-ingest/private_ci_artifacts_gcs_credentials"
+GITHUB_TOKEN_VAULT_PATH="kv/ci-shared/platform-ingest/github_token"
+
+# Secrets must be redacted
+# https://buildkite.com/docs/pipelines/managing-log-output#redacted-environment-variables
+
+if [[ "$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" && "$BUILDKITE_STEP_KEY" =~ ^build ]]; then
+    export PRIVATE_CI_GCS_CREDENTIALS_SECRET=$(retry 5 vault kv get -field plaintext ${PRIVATE_CI_GCS_CREDENTIALS_PATH})
+fi
+
+if [[ "$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" && ("$BUILDKITE_STEP_KEY" =~ ^build || "$BUILDKITE_STEP_KEY" =~ ^publish)]]; then
+    export DOCKER_USERNAME_SECRET=$(retry 5 vault kv get -field user "${DOCKER_REGISTRY_SECRET_PATH}")
+    export DOCKER_PASSWORD_SECRET=$(retry 5 vault kv get -field password "${DOCKER_REGISTRY_SECRET_PATH}")
+    docker login -u "${DOCKER_USERNAME_SECRET}" -p "${DOCKER_PASSWORD_SECRET}" "${DOCKER_REGISTRY}" 2>/dev/null
+fi
+
+if [[ "$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" && "$BUILDKITE_STEP_KEY" == "post-release" ]]; then
+    export GITHUB_TOKEN_SECRET=$(retry 5 vault kv get -field token ${GITHUB_TOKEN_VAULT_PATH})
+    export GITHUB_USERNAME_SECRET=$(retry 5 vault kv get -field username ${GITHUB_TOKEN_VAULT_PATH})
+    export GITHUB_EMAIL_SECRET=$(retry 5 vault kv get -field email ${GITHUB_TOKEN_VAULT_PATH})
+fi

.buildkite/hooks/pre-exit

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -euo pipefail
+
+source .buildkite/scripts/common.sh
+
+unset_secrets
+
+if [[ "$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" && "$BUILDKITE_STEP_KEY" =~ ^build ]]; then
+    google_cloud_logout_active_account
+fi
+
+if [[ "$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" && ("$BUILDKITE_STEP_KEY" =~ ^build || "$BUILDKITE_STEP_KEY" =~ ^publish) ]]; then
+    docker logout "${DOCKER_REGISTRY}"
+fi
+
+# Ensure that any temporal files created during any step are removed
+cleanup

.buildkite/pipeline.yml

@@ -1,5 +1,114 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
 
+env:
+  SETUP_GVM_VERSION: "v0.5.1"
+  GOLANG_VERSION: "1.21.3"
+  IMAGE_UBUNTU_X86_64: "family/core-ubuntu-2204"
+  IMAGE_UBUNTU_ARM_64: "core-ubuntu-2004-aarch64"
+  DOCKER_REGISTRY: "docker.elastic.co"
+  STAGING_IMAGE: "${DOCKER_REGISTRY}/observability-ci"
+  DOCKER_REGISTRY_SECRET_PATH: "secret/observability-team/ci/docker-registry/prod"
+  BUILDX: 1
+
 steps:
-  - label: "Example test"
-    command: echo "Hello!"
+  - group: "Staging"
+    key: "staging"
+
+    steps:
+      - label: ":linux: Staging / Ubuntu X86_64 - {{matrix.makefile}}"
+        key: "build-ubuntu-x86"
+        command:
+          - ".buildkite/scripts/build.sh {{matrix.makefile}}"
+          - ".buildkite/scripts/publish.sh {{matrix.makefile}}"
+        if: build.env("BUILDKITE_PULL_REQUEST") != "false"
+        notify:
+          - github_commit_status:
+              context: "Staging / Ubuntu X86_64"
+        agents:
+          provider: "gcp"
+          image: "${IMAGE_UBUNTU_X86_64}"
+        matrix:
+          setup:
+            makefile:
+              - "Makefile"
+              - "Makefile.debian7"
+              - "Makefile.debian8"
+              - "Makefile.debian9"
+              - "Makefile.debian10"
+              - "Makefile.debian11"
+              - "Makefile.debian12"
+
+      - label: ":linux: Staging / Ubuntu ARM - Makefile.debian9"
+        key: "build-ubuntu-arm"
+        command:
+          - ".buildkite/scripts/build.sh Makefile.debian9"
+          - ".buildkite/scripts/publish.sh Makefile.debian9"
+        env:
+          REPOSITORY: "${STAGING_IMAGE}"
+        if: build.env("BUILDKITE_PULL_REQUEST") != "false"
+        notify:
+          - github_commit_status:
+              context: "Staging / Ubuntu ARM"
+        agents:
+          provider: "aws"
+          imagePrefix: "${IMAGE_UBUNTU_ARM_64}"
+          instanceType: "t4g.large"
+
+  - group: "Release"
+    key: "release"
+    notify:
+      - github_commit_status:
+          context: "Release / Ubuntu X86_64 && ARM"
+
+    steps:
+      - label: ":linux: Release / Ubuntu X86_64 - {{matrix.makefile}}"
+        key: "release-ubuntu-x86"
+        command:
+          - ".buildkite/scripts/build.sh {{matrix.makefile}}"
+          - ".buildkite/scripts/publish.sh {{matrix.makefile}}"
+        branches: "^(main|\\d+\\.\\d+)$"
+        agents:
+          provider: "gcp"
+          image: "${IMAGE_UBUNTU_X86_64}"
+        matrix:
+          setup:
+            makefile:
+              - "Makefile"
+              - "Makefile.debian7"
+              - "Makefile.debian8"
+              - "Makefile.debian9"
+              - "Makefile.debian10"
+              - "Makefile.debian11"
+              - "Makefile.debian12"
+
+      - label: ":linux: Release / Ubuntu ARM - {{matrix.makefile}}"
+        key: "release-ubuntu-arm"
+        command:
+          - ".buildkite/scripts/build.sh {{matrix.makefile}}"
+          - ".buildkite/scripts/publish.sh {{matrix.makefile}}"
+        branches: "^(main|\\d+\\.\\d+)$"
+        agents:
+          provider: "aws"
+          imagePrefix: "${IMAGE_UBUNTU_ARM_64}"
+          instanceType: "t4g.large"
+        matrix:
+          setup:
+            makefile:
+              - "Makefile"
+              - "Makefile.debian7"
+              - "Makefile.debian8"
+              - "Makefile.debian9"
+              - "Makefile.debian10"
+              - "Makefile.debian11"
+              - "Makefile.debian12"
+
+      - label: "Post-Release"
+        key: "post-release"
+        command: ".buildkite/scripts/post-release.sh ${GOLANG_VERSION}"
+        branches: "^(main|\\d+\\.\\d+)$"
+        notify:
+          - github_commit_status:
+              context: "Post-release"
+        agents:
+          provider: "gcp"
+          image: "${IMAGE_UBUNTU_X86_64}"

.buildkite/scripts/build.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source .buildkite/scripts/common.sh
+
+MAKEFILE=${1}
+
+check_is_arm
+
+add_bin_path
+with_go "${GOLANG_VERSION}"
+with_mage
+google_cloud_auth
+
+make -C go -f "${MAKEFILE}" build"${is_arm}" GS_BUCKET_PATH=ingest-buildkite-ci
+docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}" --filter=reference="${STAGING_IMAGE}/golang-crossbuild"
+docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}" --filter=reference="${DOCKER_REGISTRY}/beats-dev/golang-crossbuild"
+
+

.buildkite/scripts/buildx.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -e
+set +x
+
+BUILDPLATFORM=${BUILDPLATFORM:-"linux/amd64,linux/arm64"}
+
+#docker run --privileged --rm tonistiigi/binfmt --install all
+docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+BUILDER_NAME="multibuilder${RANDOM}"
+echo "Add support for multiarch"
+docker run --privileged --rm tonistiigi/binfmt --install all
+
+docker buildx ls
+echo 'Create builder'
+docker buildx create --name "${BUILDER_NAME}"
+docker buildx use "${BUILDER_NAME}"
+docker buildx inspect --bootstrap
+echo 'Build Docker image'
+docker buildx build --platform "${BUILDPLATFORM}" --push $*

.buildkite/scripts/common.sh

@@ -0,0 +1,143 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+REPO="golang-crossbuild"
+WORKSPACE="$(pwd)/bin"
+HW_TYPE="$(uname -m)"
+PLATFORM_TYPE="$(uname)"
+TMP_FOLDER="tmp.${REPO}"
+GOOGLE_CREDENTIALS_FILENAME="google-cloud-credentials.json"
+
+add_bin_path() {
+    echo "Adding PATH to the environment variables..."
+    create_workspace
+    export PATH="${PATH}:${WORKSPACE}"
+}
+
+with_go() {
+    local go_version="${1}"
+    echo "Setting up the Go environment..."
+    create_workspace
+    check_platform_architecture
+    retry 5 curl -sL -o ${WORKSPACE}/gvm "https://github.com/andrewkroh/gvm/releases/download/${SETUP_GVM_VERSION}/gvm-${PLATFORM_TYPE}-${arch_type}"
+    export PATH="${PATH}:${WORKSPACE}"
+    chmod +x ${WORKSPACE}/gvm
+    eval "$(gvm "$go_version")"
+    go version
+    which go
+    export PATH="${PATH}:$(go env GOPATH):$(go env GOPATH)/bin"
+}
+
+with_mage() {
+    local install_packages=(
+            "github.com/magefile/mage"
+            "github.com/elastic/go-licenser"
+            "golang.org/x/tools/cmd/goimports"
+            "github.com/jstemmer/go-junit-report"
+            "gotest.tools/gotestsum"
+    )
+    create_workspace
+    for pkg in "${install_packages[@]}"; do
+        go install "${pkg}@latest"
+    done
+}
+
+create_workspace() {
+    if [[ ! -d "${WORKSPACE}" ]]; then
+    mkdir -p ${WORKSPACE}
+    fi
+}
+
+check_platform_architecture() {
+# for downloading the GVM and Terraform packages
+  case "${HW_TYPE}" in
+   "x86_64")
+        arch_type="amd64"
+        ;;
+    "aarch64")
+        arch_type="arm64"
+        ;;
+    "arm64")
+        arch_type="arm64"
+        ;;
+    *)
+    echo "The current platform/OS type is unsupported yet"
+    ;;
+  esac
+}
+
+retry() {
+    local retries=$1
+    shift
+    local count=0
+    until "$@"; do
+        exit=$?
+        wait=$((2 ** count))
+        count=$((count + 1))
+        if [ $count -lt "$retries" ]; then
+            >&2 echo "Retry $count/$retries exited $exit, retrying in $wait seconds..."
+            sleep $wait
+        else
+            >&2 echo "Retry $count/$retries exited $exit, no more retries left."
+            return $exit
+        fi
+    done
+    return 0
+}
+
+google_cloud_auth() {
+    local gsUtilLocation=$(mktemp -d -p ${WORKSPACE} -t "${TMP_FOLDER}.XXXXXXXXX")
+    local secretFileLocation=${gsUtilLocation}/${GOOGLE_CREDENTIALS_FILENAME}
+    echo "${PRIVATE_CI_GCS_CREDENTIALS_SECRET}" > ${secretFileLocation}
+    gcloud auth activate-service-account --key-file ${secretFileLocation} 2> /dev/null
+    export GOOGLE_APPLICATION_CREDENTIALS=${secretFileLocation}
+}
+
+unset_secrets () {
+  for var in $(printenv | sed 's;=.*;;' | sort); do
+    if [[ "$var" == *_SECRET || "$var" == *_TOKEN ]]; then
+      unset "$var"
+    fi
+  done
+}
+
+google_cloud_logout_active_account() {
+  local active_account=$(gcloud auth list --filter=status:ACTIVE --format="value(account)" 2>/dev/null)
+  if [[ -n "$active_account" && -n "${GOOGLE_APPLICATION_CREDENTIALS+x}" ]]; then
+    echo "Logging out from GCP for active account"
+    gcloud auth revoke $active_account > /dev/null 2>&1
+  else
+    echo "No active GCP accounts found."
+  fi
+  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS+x}" ]; then
+    unset GOOGLE_APPLICATION_CREDENTIALS
+    cleanup
+  fi
+}
+
+cleanup() {
+  echo "Deleting temporary files..."
+  rm -rf ${WORKSPACE}/${TMP_FOLDER}.*
+  echo "Done."
+}
+
+tag_Exists() {
+  local tag=$1
+  local url=https://api.github.com/repos/elastic/${REPO}/releases/tags/${tag}
+  local status=$(retry 3 curl -s -o /dev/null -w "%{http_code}" -u ${GITHUB_TOKEN_SECRET}:x-oauth-basic ${url})
+
+  if [ "${status}" == "200" ]; then
+    echo true
+  else
+    echo false
+  fi
+}
+
+check_is_arm() {
+  if [[ ${HW_TYPE} == "aarch64" || ${HW_TYPE} == "arm64" ]]; then
+    is_arm="-arm"
+  else
+    is_arm=""
+  fi
+}

.buildkite/scripts/post-release.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source .buildkite/scripts/common.sh
+
+TAG="v{$1}"
+TAG_EXISTS=$(tag_Exists ${TAG})
+
+set_git_config() {
+    git config user.name "${GITHUB_USERNAME_SECRET}"
+    git config user.email "${GITHUB_EMAIL_SECRET}"
+}
+
+tag_commit() {
+  echo "Tagging commit ${BUILDKITE_COMMIT}"
+  git tag -a -m "${BUILDKITE_COMMIT}" "${TAG}"
+}
+
+git_push_with_auth() {
+  echo "Pushing tag ${TAG}"
+  retry 3 git push https://${GITHUB_USERNAME_SECRET}:${GITHUB_TOKEN_SECRET}@github.com/elastic/golang-crossbuild.git ${TAG}
+}
+
+if [[ "${TAG_EXISTS}" == true ]]; then
+  echo "Tag already exists! Exiting Post-release stage."
+  exit 1
+fi
+
+set_git_config
+tag_commit
+git_push_with_auth
+
+

.buildkite/scripts/publish.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source .buildkite/scripts/common.sh
+
+MAKEFILE=${1}
+
+check_is_arm
+add_bin_path
+retry 3 make -C go -f "${MAKEFILE}" push"${is_arm}"