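#!/usr/bin/env bash
#
# Build FIPS-mode Istio images (proxyv2 and pilot) from source.
#
# Envoy is compiled against the BoringSSL FIPS module and the Go binaries
# (pilot-agent, pilot-discovery) with GOEXPERIMENT=boringcrypto.  Three
# repositories are cloned into the current directory, so run this from an
# empty working directory.
#
# Host prerequisites (RHEL-family example):
#   yum install -y docker git patch jq
#   systemctl start docker
#   docker info
#
# Environment:
#   ISTIO_VERSION   git tag to build in istio/tools, istio/proxy and
#                   istio/istio (default: 1.19.3)
#
# Options go in `set`, not the shebang: `#!/bin/bash -ex` is silently
# dropped when the file is run as `bash script.sh`.
set -euxo pipefail

ISTIO_VERSION="${ISTIO_VERSION:-1.19.3}"
# "1.19.3" -> "1.19"; selects the build-tools-proxy image tag below.
MAJOR_ISTIO_VERSION="$(cut -f1-2 -d. <<< "${ISTIO_VERSION}")"

#######################################
# Shallow-clone a repository and check out the ${ISTIO_VERSION} tag.
# Globals:   ISTIO_VERSION (read)
# Arguments: $1 - repository URL, $2 - destination directory
#######################################
clone_at_tag() {
  local url="$1" dir="$2"
  git clone "${url}" "${dir}" --depth 1
  git -C "${dir}" fetch --tags
  # NOTE(review): the tag is taken on trust from GitHub; pin a commit SHA or
  # add `git verify-tag` here if your supply-chain policy requires it.
  git -C "${dir}" checkout "${ISTIO_VERSION}"
}

# ---- istio/tools: build-tools-proxy image -----------------------------------
# A custom build-tools-proxy image is needed for 1.18.3+:
# https://istio.slack.com/archives/C6FCV6WN4/p1696463622534729
# https://github.com/istio/tools/pull/2566
clone_at_tag https://github.com/istio/tools.git tools
# Move the proxy build environment from xenial to jammy, bump the matching
# docker/containerd package versions and comment out the python install.
# (GNU sed: in-place edit with no backup suffix.)
sed -i \
  -e 's/FROM ubuntu:xenial AS clang_context_amd64/FROM ubuntu:jammy AS clang_context_amd64/' \
  -e 's/FROM ubuntu:xenial AS build_env_proxy_amd64/FROM ubuntu:jammy AS build_env_proxy_amd64/' \
  -e 's/ENV UBUNTU_RELEASE_CODE_NAME=xenial/ENV UBUNTU_RELEASE_CODE_NAME=jammy/' \
  -e 's/ENV DOCKER_VERSION=5:20.10.7~3-0~ubuntu/ENV DOCKER_VERSION=5:20.10.14~3-0~ubuntu/' \
  -e 's/ENV CONTAINERD_VERSION=1.4.6-1/ENV CONTAINERD_VERSION=1.6.12-1/' \
  -e 's/python \\/#python \\/' \
  tools/docker/build-tools/Dockerfile
# DRY_RUN builds the images locally without pushing them.
( cd tools/docker/build-tools && DRY_RUN=true ./build-and-push.sh )

# ---- istio/proxy: Envoy with BoringSSL FIPS ---------------------------------
clone_at_tag https://github.com/istio/proxy.git proxy
export GOOS=linux
pushd proxy
# Makefile fix for BAZEL_BIN_PATH in 1.19.3: https://github.com/istio/proxy/pull/5087
sed -i '/exportcache:/i \
exportcache: BAZEL_BIN_PATH ?= $(shell bazel info $(BAZEL_BUILD_ARGS) $(BAZEL_CONFIG_CURRENT) bazel-bin)' \
  Makefile.core.mk
# Compile Envoy against the BoringSSL FIPS module:
# https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2
echo "build --define boringssl=fips" >> .bazelrc
# NOTE(review): this assumes the DRY_RUN build above tagged the image locally
# under this name; if it did not, docker pulls the upstream image from gcr.io
# and the tools patch is silently unused -- confirm with `docker images`.
IMG="gcr.io/istio-testing/build-tools-proxy:release-${MAJOR_ISTIO_VERSION}-latest-amd64" \
  BUILD_WITH_CONTAINER=1 BAZEL_BUILD_ARGS=--config=release TARGET_OS=linux \
  make build_wasm build build_envoy exportcache
popd

# ---- istio/istio: pilot and proxyv2 images ----------------------------------
clone_at_tag https://github.com/istio/istio.git istio
pushd istio
# bin/init.sh only skips downloading Envoy from the GCS bucket when a binary
# named envoy-<PROXY_REPO_SHA> is already in place, so the locally built Envoy
# has to be copied in under that exact name:
# https://github.com/istio/istio/blob/1.18.1/bin/init.sh#L106
PROXY_REPO_SHA="$(jq -r '.[] | select(.name == "PROXY_REPO_SHA").lastStableSHA' istio.deps)"
# Stop here if the SHA could not be read: with an empty or "null" SHA the copy
# lands under the wrong name and init.sh would quietly fetch the upstream,
# non-FIPS Envoy instead -- the build would "succeed" without FIPS.
if [[ -z "${PROXY_REPO_SHA}" || "${PROXY_REPO_SHA}" == "null" ]]; then
  printf 'error: could not read PROXY_REPO_SHA from istio.deps\n' >&2
  exit 1
fi
mkdir -p out/linux_amd64/release
cp -f ../proxy/out/linux_amd64/envoy "out/linux_amd64/release/envoy-${PROXY_REPO_SHA}"
cp -f "out/linux_amd64/release/envoy-${PROXY_REPO_SHA}" out/linux_amd64/release/envoy
# Build the Go binaries with BoringCrypto (cgo is required for it):
# https://github.com/tetratelabs/istio/blob/tetrate-workflow/tetrateci/docs/fips.md
sed -i -e 's%GOOS=linux%CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GOOS=linux%' Makefile.core.mk
# Copy the glibc runtime libraries from the `debug` stage into the distroless
# images.  The original note attributes this to the BoringSSL-built Envoy
# needing libc++; the same patch is applied to Dockerfile.pilot, presumably
# because the cgo-linked Go binaries need them too -- TODO confirm.
for dockerfile in pilot/docker/Dockerfile.proxyv2 pilot/docker/Dockerfile.pilot; do
  cat >> "${dockerfile}" <<'EOF'
COPY --from=debug /lib/x86_64-linux-gnu/libm.so.6 /lib/x86_64-linux-gnu/libm.so.6
COPY --from=debug /lib/x86_64-linux-gnu/librt.so.1 /lib/x86_64-linux-gnu/librt.so.1
COPY --from=debug /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
COPY --from=debug /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/libdl.so.2
COPY --from=debug /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/libpthread.so.0
COPY --from=debug /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6
EOF
done
# Build pilot and proxyv2, distroless variant only.  The image references used
# below are what this build produced in the author's environment
# (localhost:5000, tag latest-distroless); adjust if your hub/tag differ.
DOCKER_BUILD_VARIANTS="distroless" TARGET_OS=linux make docker.pilot docker.proxyv2
popd

# ---- Verify ------------------------------------------------------------------
# Envoy reports its TLS library in the version string; a FIPS build shows
# "BoringSSL-FIPS".  Fail the script if it does not, so a build that silently
# fell back to the upstream Envoy is not mistaken for a FIPS build.
envoy_version="$(docker run --rm --entrypoint="" localhost:5000/proxyv2:latest-distroless envoy --version)"
printf '%s\n' "${envoy_version}"
if ! grep -q 'BoringSSL-FIPS' <<< "${envoy_version}"; then
  printf 'error: envoy in the proxyv2 image was not built with BoringSSL-FIPS\n' >&2
  exit 1
fi
# The Go binaries only print their Istio version here; BoringCrypto use is not
# asserted by this script (inspect the binaries on the host, e.g. for
# goboringcrypto symbols, if you need that evidence).
docker run --rm --entrypoint="" localhost:5000/proxyv2:latest-distroless pilot-agent version
docker run --rm --entrypoint="" localhost:5000/pilot:latest-distroless pilot-discovery version

# Publish (optional):
# docker tag localhost:5000/proxyv2:latest-distroless "quay.io/jeesmon/proxyv2:${ISTIO_VERSION}-distroless"
# docker tag localhost:5000/pilot:latest-distroless "quay.io/jeesmon/pilot:${ISTIO_VERSION}-distroless"
# docker login quay.io
# docker push "quay.io/jeesmon/proxyv2:${ISTIO_VERSION}-distroless"
# docker push "quay.io/jeesmon/pilot:${ISTIO_VERSION}-distroless"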
Pre-built images produced by this script are available at:
quay.io/jeesmon/proxyv2:1.19.3-distroless
quay.io/jeesmon/pilot:1.19.3-distroless
These are third-party builds; verify them yourself (at minimum the `envoy --version` check from the script) before relying on them for FIPS compliance.
Experimental: not well tested beyond the version check at the end of the script.