From 2b1b5715f3cf491e395b795b029ee8ab2986af37 Mon Sep 17 00:00:00 2001
From: Stephan Renatus
Date: Mon, 30 Nov 2020 11:44:44 +0100
Subject: [PATCH] workflow: use docker-env for building image
Before, the `image` would invoke `build-linux`, and that wouldn't guarantee the version of golang used for building. Now, we're following the schema used by OPA to build the binary into a release dir, and have the image build pick it up. Also, the built image now includes everything needed to use wasm: $ docker run -it docker.io/openpolicyagent/opa:0.25.1-envoy-2 version Version: 0.25.1-envoy-2 Build Commit: 20832273 Build Timestamp: 2020-12-08T13:34:55Z Build Hostname: ce578c1a1309 Go Version: go1.15.2 WebAssembly: available $ docker run --entrypoint busybox -it docker.io/openpolicyagent/opa:0.25.1-envoy-2 sh / # ls /usr/lib/opa libwasmer.so / # We do this by building off of the openpolicyagent/opa package, which has the library in place. Fixes https://github.com/open-policy-agent/opa/issues/2942.
Signed-off-by: Stephan Renatus
---
 .github/workflows/checks.yaml | 2 +-
 Dockerfile | 22 ++++++++++++++++------
 Makefile | 28 +++++++++++++++++++++-------
 3 files changed, 38 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index 1c9fd4f0b..2d4d9f874 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -68,7 +68,7 @@ jobs: uses: actions/checkout@v2 - name: Build docker image - run: make image tag-latest + run: make release-local image-quick tag-latest - name: Setup kind/istio run: |
diff --git a/Dockerfile b/Dockerfile
index ab52d0d69..a5760bb4a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,25 @@
-# Copyright 2018 The OPA Authors. All rights reserved.
+# Copyright 2019 The OPA Authors. All rights reserved.
 # Use of this source code is governed by an Apache2
 # license that can be found in the LICENSE file.
-FROM gcr.io/distroless/base
+ARG BASE
-MAINTAINER Ashutosh Narkar
+FROM ${BASE}
+
+# Any non-zero number will do, and unfortunately a named user will not, as k8s
+# pod securityContext runAsNonRoot can't resolve the user ID:
+# https://github.com/kubernetes/kubernetes/issues/40958. Make root (uid 0) when
+# not specified.
+ARG USER=0
-WORKDIR /app
+MAINTAINER Ashutosh Narkar
-COPY opa_envoy_linux_GOARCH /app
+# Hack.. https://github.com/moby/moby/issues/37965
+# _Something_ needs to be between the two COPY steps.
+USER ${USER}
-ENTRYPOINT ["./opa_envoy_linux_GOARCH"]
+ARG BIN_DIR=.
+COPY ${BIN_DIR}/opa_envoy_linux_amd64 /opa
+ENTRYPOINT ["/opa"]
 CMD ["run"]
diff --git a/Makefile b/Makefile
index 2ae23a8a8..496754566 100644
--- a/Makefile
+++ b/Makefile
@@ -9,6 +9,7 @@ VERSION_ISTIO := $(VERSION_OPA)-istio$(shell ./build/get-plugin-rev.sh)
 PACKAGES := $(shell go list ./.../ | grep -v 'vendor')
 GO := go
+GO_TAGS := -tags=opa_wasm
 GOVERSION := $(shell cat ./.go-version)
 GOARCH := $(shell go env GOARCH)
 GOOS := $(shell go env GOOS)
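Review bot: `COPY ${BIN_DIR}/opa_envoy_linux_amd64 /opa` hard-codes the architecture, whereas the replaced Dockerfile was templated on GOARCH and `release-build-linux` still moves `opa_envoy_linux_$(GOARCH)` into the release dir, so `image-quick` on a non-amd64 host fails at this COPY (the release container presumably always produces amd64, so CI is unaffected). Parameterizing it keeps the old behaviour: `ARG GOARCH=amd64` and `COPY ${BIN_DIR}/opa_envoy_linux_${GOARCH} /opa`, with `--build-arg GOARCH=$(GOARCH)` passed from image-quick. The comment `# _Something_ needs to be between the two COPY steps.` does not match this file, which has a single COPY; reword it to say why `USER` is placed before `COPY`, or drop it. `ARG BASE` has no default, so a plain `docker build .` fails at `FROM ${BASE}` with an empty image reference; a default, or a comment pointing at `make image-quick`, would make that failure self-explanatory.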
@@ -41,9 +42,10 @@ LDFLAGS := "-X github.com/open-policy-agent/opa/version.Version=$(VERSION) \
 GO15VENDOREXPERIMENT := 1
 export GO15VENDOREXPERIMENT
-.PHONY: all build build-darwin build-linux build-windows clean check check-fmt check-vet check-lint \
- deploy-ci docker-login generate image image-quick push push-latest tag-latest \
- test test-cluster test-e2e update-opa update-istio-quickstart-version version
+.PHONY: all build build-darwin build-linux build-windows clean check \
+ check-fmt check-vet check-lint deploy-ci docker-login generate image image-quick \
+ push push-latest tag-latest test test-cluster test-e2e update-opa \
+ update-istio-quickstart-version version
 ######################################################
 #
@@ -60,7 +62,8 @@ generate:
 $(GO) generate ./...
 build: generate
- $(GO) build -o $(BIN) -ldflags $(LDFLAGS) ./cmd/opa-envoy-plugin/...
+ CGO_LDFLAGS="-Wl,-rpath,/usr/lib/opa" $(GO) build $(GO_TAGS) -o $(BIN) \
+ -ldflags $(LDFLAGS) ./cmd/opa-envoy-plugin
 build-darwin:
 @$(MAKE) build GOOS=darwin
@@ -76,8 +79,11 @@ image:
 @$(MAKE) image-quick
 image-quick:
- sed -e 's/GOARCH/$(GOARCH)/g' Dockerfile > .Dockerfile_$(GOARCH)
- docker build -t $(IMAGE):$(VERSION) -f .Dockerfile_$(GOARCH) .
+ docker build \
+ -t $(IMAGE):$(VERSION) \
+ --build-arg BASE=openpolicyagent/opa:$(VERSION_OPA)-debug \
+ --build-arg BIN_DIR=$(RELEASE_DIR) \
+ .
 docker tag $(IMAGE):$(VERSION) $(IMAGE):$(VERSION_ISTIO)
 push:
@@ -96,7 +102,7 @@ docker-login:
 @echo "Docker Login..."
 @echo ${DOCKER_PASSWORD} | docker login -u ${DOCKER_USER} --password-stdin
-deploy-ci: docker-login image push tag-latest push-latest
+deploy-ci: release docker-login image-quick push tag-latest push-latest
 update-opa:
 @./build/update-opa-version.sh $(TAG)
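Review bot: The rpath literal `/usr/lib/opa` in the new `build` recipe is unexplained in the Makefile; the reason (the `opa_wasm` tag links against libwasmer.so, which the openpolicyagent/opa base image ships under /usr/lib/opa) lives only in the commit message. Hoist it next to `GO_TAGS` as `WASM_LIB_DIR := /usr/lib/opa` with that sentence as a comment, and use `CGO_LDFLAGS="-Wl,-rpath,$(WASM_LIB_DIR)"` in the recipe. Note also that `build-darwin` (visible below) and presumably `build-windows` still go through this recipe, so they now need cgo and the wasm tag as well; whether those builds still succeed is not visible here and deserves a check or a comment.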
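Review bot: The base image passed as `BASE=openpolicyagent/opa:$(VERSION_OPA)-debug` ships busybox (the commit message demonstrates `--entrypoint busybox ... sh`), whereas the previous base was `gcr.io/distroless/base`; the published image now carries a shell, which widens the attack surface available to anyone who obtains code execution inside the container. If the non-debug `openpolicyagent/opa:$(VERSION_OPA)` tag also contains `/usr/lib/opa/libwasmer.so` (not visible here), `deploy-ci` should build on that one and reserve `-debug` for local use. The tag is also mutable, so a rebuild can silently pick up different base content; pinning by digest, e.g. `--build-arg BASE=openpolicyagent/opa:$(VERSION_OPA)@sha256:<DIGEST>` (placeholder), keeps the release reproducible. Whichever variant is kept, a one-line comment above the `docker build` stating why it was chosen would help the next reader.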
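Review bot: `deploy-ci: release docker-login image-quick push tag-latest push-latest` relies on prerequisites being built left to right, which GNU make only guarantees without `-j`; under a parallel build `image-quick` can run before `release` has populated `$(RELEASE_DIR)`, and `push` before the image exists, because none of these edges is declared. Since the individual targets are phony and meant to stay usable on their own, the least invasive fix is to sequence the steps in the recipe with one recursive `$(MAKE)` call per line, so each waits for the previous one; the `+` prefix keeps them running under `make -n`.
```make
deploy-ci:
	+$(MAKE) release
	+$(MAKE) docker-login
	+$(MAKE) image-quick
	+$(MAKE) push
	+$(MAKE) tag-latest
	+$(MAKE) push-latest
```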
@@ -144,7 +150,15 @@ release:
 $(RELEASE_BUILD_IMAGE) \
 /_src/build/build-release.sh --version=$(VERSION) --output-dir=/$(RELEASE_DIR) --source-url=/_src
+.PHONY: release-local
+release-local:
+ docker run $(DOCKER_FLAGS) \
+ -v $(PWD)/$(RELEASE_DIR):/$(RELEASE_DIR) \
+ -v $(PWD):/_src \
+ $(RELEASE_BUILD_IMAGE) \
+ /_src/build/build-release.sh --output-dir=/$(RELEASE_DIR) --source-url=/_src
+# The remaining targets are invoked by build/build-release.sh (`make release` above)
 .PHONY: release-build-linux
 release-build-linux: ensure-release-dir build-linux
 mv opa_envoy_linux_$(GOARCH) $(RELEASE_DIR)/
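Review bot: `release-local` expands `$(PWD)`, which is the shell's environment variable rather than make's own `$(CURDIR)`; it is stale under `make -C dir` and absent in some non-interactive invocations, and then the two bind mounts point at the wrong host directory. `$(CURDIR)` is always the directory make runs in: `-v $(CURDIR)/$(RELEASE_DIR):/$(RELEASE_DIR) \` and `-v $(CURDIR):/_src \`. The existing `release` target (only partly visible above) presumably has the same form, so fixing both keeps them consistent. Separately, if `$(RELEASE_DIR)` does not exist on the host, Docker creates the bind-mount directory as root, so `release-local` should probably depend on `ensure-release-dir`, which `release-build-linux` below already uses; the comment `# The remaining targets are invoked by build/build-release.sh (\`make release\` above)` should also name `release-local` now that it calls the same script.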