使用AWS CodeBuild和GitHub操作构建多架结构容器图像

随着计算的景观不断发展，越来越强调支持各种计算体系结构。

This blog was authored by Zakiya Randall, Technical Account Manager and co-written with Muru Bhaskaran, Sr. Specialist Solutions Architect.

该博客是由技术客户经理Zakiya Randall撰写的，并与Sr.专业解决方案建筑师Muru Bhaskaran共同撰写。

As the landscape of computing continues to evolve, there is a growing emphasis on supporting a diverse range of computing architectures. This shift is driven by the need for flexibility, efficiency, and performance optimization across different hardware platforms. Consequently, it has become increasingly important for developers and organizations to build container images that are compatible with multiple architectures (multi-arch).

随着计算的景观不断发展，越来越强调支持各种计算体系结构。这种转变是由于对不同硬件平台的灵活性，效率和性能优化的需求所驱动的。因此，对于开发人员和组织而言，构建与多个体系结构（多核管）兼容的容器图像变得越来越重要。

AWS CodeBuild is a fully managed continuous integration service that now supports managed GitHub Actions runners, which are self-hosted runners that allow users to configure their CodeBuild projects to receive GitHub Actions workflow job events. In this post, we demonstrate a solution that uses GitHub, GitHub Actions workflows, and CodeBuild to build native container images for both x86 and AWS Graviton-based compute on AWS. Upon completion of our GitHub Actions workflow, we will proceed to push our multi-arch images to Amazon Elastic Container Registry (Amazon ECR).

AWS CodeBuild是一项完全托管的连续集成服务，现在支持托管的GitHub Actions跑步者，它们是自托管跑步者，允许用户配置其CodeBuild项目以接收GitHub Actions Workflow工作Flow工作事件。在这篇文章中，我们演示了一种使用GitHub，GitHub Action工作流程和CodeBuild的解决方案，以构建X86和AWS GRAVITON基于AWS的AWS COMPETE的本机容器图像。完成GitHub Action工作流程后，我们将继续将多ARCH图像推向Amazon弹性容器注册表（Amazon ECR）。

Solution overview

解决方案概述

The architecture diagram illustrates the workflow that occurs upon committing a change to the GitHub repository, detailing the subsequent steps involved in pushing the container image to Amazon ECR.

该架构图说明了对GitHub存储库进行更改后发生的工作流程，详细介绍了将容器图像推向Amazon ECR所涉及的后续步骤。

Figure 1: Solution architecture diagram

图1：解决方案架构图

Prerequisites

先决条件

The following prerequisites are necessary to complete this solution:

以下先决条件是完成此解决方案的必要条件：

Walkthrough

演练

The following steps walk you through this solution.

以下步骤可以使您完成此解决方案。

Creating GitHub repository files

创建GitHub存储库文件

To begin creating the solution, you need a GitHub repository to store the Dockerfile, index.html file, and GitHub Actions workflow YAML file. Refer to Creating a new GitHub repository for step by step instructions. For this example, the following files should be committed to the root of the GitHub repository.

要开始创建解决方案，您需要一个GitHub存储库来存储Dockerfile，index.html文件和GitHub Actions WorkFlow yaml文件。请参阅创建一个新的GitHub存储库，以逐步说明。在此示例中，应将以下文件定为GitHub存储库的根。

Create two CodeBuild projects for the x86 and arm64 compute architectures

为X86和ARM64计算体系结构创建两个代码建筑项目

You must create two CodeBuild projects to run your GitHub Actions jobs. Your CodeBuild projects should follow the following naming structure for -x86 and -arm64. Refer to the following tutorial to set up two CodeBuild projects for the x86 and arm64 compute environments. You should use the OAuth app authentication method to connect with your GitHub repository. For the x86 and arm64 CodeBuild projects, choose a supported environment image that matches each compute architecture. Your Buildspec build specifications are ignored. Instead, CodeBuild overrides it to use commands that setup the compute runner.

您必须创建两个代码建筑项目来运行您的GitHub操作作业。您的CodeBuild项目应遵循-X86和-ARM64的以下命名结构。请参阅以下教程，以为X86和ARM64计算环境设置两个代码构建项目。您应该使用OAuth应用程序身份验证方法与GitHub存储库连接。对于X86和ARM64 CodeBuild项目，请选择与每个计算体系结构相匹配的支持的环境图像。您的buildSpec构建规格将被忽略。相反，CodeBuild将其覆盖以使用设置Compute Runner的命令。

Figure 2: CodeBuild Projects for x86 and arm64

图2：X86和ARM64的CodeBuild项目

Create an Amazon ECR repository

创建一个亚马逊ECR存储库

You also need to create an Amazon ECR repository to store the x86 and arm64 container images. Run the following AWS CLI command to create an Amazon ECR repository.

您还需要创建一个Amazon ECR存储库来存储X86和ARM64容器图像。运行以下AWS CLI命令来创建Amazon ECR存储库。

After creating and defining your Amazon ECR repository, you must define a role so that the CodeBuild runners can have permission to access and push your images to your Amazon ECR repository. The following role that you create allows you to push images to your Amazon ECR repository.

在创建和定义亚马逊ECR存储库后，您必须定义角色，以便CodeBuild跑步者可以允许访问并将图像推向亚马逊ECR存储库。您创建的以下角色使您可以将图像推向亚马逊ECR存储库。

After creating the policy, go to the AWS Identity and Access Management (IAM) console to create an Identity Provider and choose OpenID Connect. For the Provider URL, choose https://token.actions.githubusercontent.com. For the Audience, choose sts.amazonaws.com.

创建策略后，转到AWS Identity and Access Management（IAM）控制台创建身份提供商并选择OpenID Connect。对于提供商URL，选择https://token.actions.githubusercontent.com。对于观众，选择sts.amazonaws.com。

2. After you create the provider, create a role and choose Web Identity. In the drop-down box, you should see the Provider URL for https://token.actions.githubusercontent.com. Choose this option and specify sts.amazonaws.com for your Audience. In the GitHub organization, specify your GitHub Organization and add the repository that you created in the initial setup. Choose Next.

2。创建提供商后，创建角色并选择Web身份。在下拉框中，您应该看到https://token.actions.githubusercontent.com的提供商URL。选择此选项并为您的听众指定sts.amazonaws.com。在GitHub组织中，指定您的GitHub组织，并添加您在初始设置中创建的存储库。选择下一步。

Figure 3: Example of creating the role

图3：创建角色的示例

3. On the Add Permissions page, choose the policy that you created in Step 1 so that you can push images to Amazon ECR. Choose Next. On the next screen, name the role and choose Create role.

3。在“添加权限”页面上，选择您在步骤1中创建的策略，以便可以将图像推向Amazon ECR。选择下一步。在下一个屏幕上，命名角色并选择创建角色。

Figure 4: Example of adding policy permissions

图4：添加策略权限的示例

4. Go to Settings within your GitHub repository, and under Security in the left pane, choose Secrets and Variables. Choose the Actions tab within Secrets and Variables. Choose New repository secret. For the name, enter AWS_ROLE_ARN, enter the AWS Role ARN of the role that you created in Step 3, and choose Add secret.

4。转到GitHub存储库中的设置，并在左窗格中的安全性下选择秘密和变量。在秘密和变量中选择“动作”选项卡。选择新的存储库秘密。对于该名称，输入AWS_ROLE_ARN，请输入您在步骤3中创建的角色的AWS角色，然后选择“添加秘密”。

Figure 5: Example of creating GitHub Actions secret for the AWS Role

图5：为AWS角色创建GitHub动作的示例

5. Create another New repository secret for AWS_REGION. Specify the Region in which you created your resources and choose Add secret.

5。为AWS_Region创建另一个新的存储库秘密。指定创建资源的区域并选择添加秘密。

Figure 6: Example of GitHub Actions secret for the AWS Region

图6：GitHub动作的示例AWS区域的秘密

Prepare GitHub Actions workflow

准备github操作工作流程

A GitHub Actions workflow is a configurable automated process made up of one or more jobs and you can define these jobs in a YAML file. You are going to create a YAML file in the .github/workflows directory within your GitHub repository that defines the workflow for the solution. The YAML file for your GitHub Actions workflow contains the build

GitHub操作工作流程是由一个或多个作业组成的可配置的自动化过程，您可以在YAML文件中定义这些作业。您将在GitHub存储库中的.github/Workflows目录中创建一个YAML文件，以定义解决方案的工作流程。 github操作工作流的yaml文件包含构建