From 2021b8ee2c79a8bc2f15cbcbe611647fcc578329 Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Tue, 5 Mar 2024 09:53:28 +0000
Subject: [PATCH 1/2] build: Add image-test target to Makefile

Signed-off-by: Paulo Gomes
---
 .github/workflows/tests.yml | 17 ++++++++++++++++-
 Makefile                    |  8 +++++++-
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 8162aa3c..516284b5 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -59,8 +59,23 @@ jobs:
         uses: docker/setup-buildx-action@v3
       - name: Checkout code
         uses: actions/checkout@v4
-
+
       - name: E2E Tests
         env:
           KUBERNETES_VERSION: ${{ matrix.k8s-version }}
         run: make e2e
+
+  image-build:
+    runs-on: ubuntu-latest
+    needs: [ validate ]
+
+    steps:
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Image build
+        run: make image-test
diff --git a/Makefile b/Makefile
index 531a429b..94d3285d 100644
--- a/Makefile
+++ b/Makefile
@@ -13,6 +13,7 @@ REPO ?= rancher
 IMAGE = $(REPO)/security-scan:$(TAG)
 TARGET_BIN ?= build/bin/kb-summarizer
 ARCH ?= $(shell docker info --format '{{.ClientInfo.Arch}}')
+BUILD_ACTION = --load
 .DEFAULT_GOAL := ci
 
 ci: build test validate e2e ## run the targets needed to validate a PR in CI.
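Review bot: The new job is named `image-build` but its only build step runs `make image-test`, so the Actions UI reports "image-build" for a job that neither loads nor pushes an image; naming the job `image-test` (or the step `Image build (all target platforms)`) keeps the workflow and the Makefile target aligned. The three actions it uses are referenced by mutable major tags (`@v3`, `@v4`), copied from the e2e job above; pinning them to a full commit SHA with the tag kept in a trailing comment is the usual defence against a moved tag changing what runs in CI, and is cheapest to do while the steps are being added. `needs: [ validate ]` only orders this job after validate; whether it is also a required status check is decided outside this file.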
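Review bot: `BUILD_ACTION = --load` is the only knob in this block that is not overridable with `?=`; the neighbouring `REPO`, `TARGET_BIN` and `ARCH` all use `?=`, and the `image-test` target in the next hunk overrides the value on the `$(MAKE)` command line, which works with either flavour. Writing `BUILD_ACTION ?= --load` keeps the style consistent and lets a caller set it from the environment as well, and a trailing comment such as `# buildx output action: --load for the local platform, or --platform=... to only build` documents what values the variable is meant to hold.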
@@ -30,11 +31,16 @@ build: # build project and output binary to TARGET_BIN.
 	$(TARGET_BIN) --version
 	md5sum $(TARGET_BIN)
 
+image-test: buildx-machine ## build the container image for all target architecures.
+	# Instead of loading image, target all platforms, effectivelly testing
+	# the build for the target architectures.
+	$(MAKE) image-build BUILD_ACTION="--platform=$(TARGET_PLATFORMS)"
+
 .PHONY: image-build
 image-build: buildx-machine ## build (and load) the container image targeting the current platform.
 	$(IMAGE_BUILDER) build -f package/Dockerfile \
 		--builder $(MACHINE) $(IMAGE_ARGS) \
-		--build-arg VERSION=$(VERSION) -t "$(IMAGE)" --load .
+		--build-arg VERSION=$(VERSION) -t "$(IMAGE)" $(BUILD_ACTION) .
 	@echo "Built $(IMAGE)"
 
 .PHONY: image-push

From dc7919b1c286dcc46a184ba4e3810824b74eee82 Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Tue, 5 Mar 2024 09:57:39 +0000
Subject: [PATCH 2/2] build: Run zypper on target arch

xx currently does not support xx-zypper, which means that zypper cannot be executed at the host arch while targeting a different architecture. To fix this all the zypper operations will take place on the target arch, until support is added upstream.

Signed-off-by: Paulo Gomes
---
 package/Dockerfile | 36 +++++++++++++++++++++---------------
 1 file changed, 21 insertions(+), 15 deletions(-)

diff --git a/package/Dockerfile b/package/Dockerfile
index ba441480..42a0507a 100644
--- a/package/Dockerfile
+++ b/package/Dockerfile
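Review bot: `image-test` is not declared `.PHONY`, while the sibling `image-build` and `image-push` targets visible right below it are; a file named `image-test` in the repository root would make the target silently "up to date" and skip the multi-platform build this commit adds. Extend the existing declaration: `.PHONY: image-build image-test`. The two tab-indented `#` lines inside the recipe are handed to the shell (one shell per line, doing nothing) rather than read by make; moving them above the target line keeps them as make comments, and the same edit can fix `architecures` and `effectivelly` in the help text. `$(TARGET_PLATFORMS)` is not defined in this hunk and is presumably set near `buildx-machine` elsewhere in the Makefile; if it can be empty, a bare `--platform=` reaches buildx, so a guard such as `$(if $(strip $(TARGET_PLATFORMS)),,$(error TARGET_PLATFORMS is empty))` in the recipe fails earlier with a clearer message.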
@@ -4,15 +4,8 @@ FROM registry.suse.com/bci/bci-micro:15.5 AS micro
 # Image that provides cross compilation tooling.
 FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.3.0 as xx
 
-# Temporary build stage
-FROM --platform=$BUILDPLATFORM registry.suse.com/bci/golang:1.22 AS builder
-
-# Define build arguments
-ARG KUBE_BENCH_VERSION KUBE_BENCH_SUM_arm64 KUBE_BENCH_SUM_amd64 \
-    SONOBUOY_VERSION SONOBUOY_SUM_arm64 SONOBUOY_SUM_amd64 \
-    KUBECTL_VERSION KUBECTL_SUM_arm64 KUBECTL_SUM_amd64
-
-ARG TARGETARCH
+# Arch-specific temporary build stage for zypper deps that will be copied into the final image.
+FROM registry.suse.com/bci/golang:1.22 AS zypper
 
 # Install system packages using builder image that has zypper
 COPY --from=micro / /chroot/
@@ -25,6 +18,17 @@ RUN zypper --non-interactive refresh && \
     zypper --installroot /chroot clean -a && \
     rm -rf /chroot/var/cache/zypp/* /chroot/var/log/zypp/*
 
+# Arch-agnostic temporary build stage for things that can be done at build platform arch.
+FROM --platform=$BUILDPLATFORM registry.suse.com/bci/golang:1.22 AS builder
+
+# Define build arguments
+ARG KUBE_BENCH_VERSION KUBE_BENCH_SUM_arm64 KUBE_BENCH_SUM_amd64 \
+    SONOBUOY_VERSION SONOBUOY_SUM_arm64 SONOBUOY_SUM_amd64 \
+    KUBECTL_VERSION KUBECTL_SUM_arm64 KUBECTL_SUM_amd64
+
+ARG TARGETARCH
+
+RUN mkdir -p /chroot/usr/bin
 # Stage Sonobuoy into builder
 ENV SONOBUOY_SUM="SONOBUOY_SUM_${TARGETARCH}"
 
@@ -62,6 +66,12 @@ COPY pkg /src/pkg
 COPY hack /src/hack
 COPY cmd /src/cmd
 
+# Copy xx supporting tools to throw-away layer, not to /chroot.
+COPY --from=xx / /
+
+ARG TARGETPLATFORM
+RUN xx-go --wrap && mkdir -p /run/lock
+
 # By setting the version as an argument, we can avoid running the version logic
 # a second time (inside the Docker build process). Therefore, removing the need
 # to access the .git dir.
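Review bot: The new `zypper` stage drops `--platform=$BUILDPLATFORM`, so everything in it, including the `zypper` and `rm -rf` lines kept as context, now runs under emulation once per target architecture; that is the stated intent, but the stage still starts from the full `registry.suse.com/bci/golang:1.22` image although no Go tooling is used in it. A smaller base that ships zypper (for example `registry.suse.com/bci/bci-base`) would cut what has to be pulled and emulated, provided it resolves the same package set — worth confirming before switching. The tag is also the only pin on the base for both this stage and `builder`; a digest (`registry.suse.com/bci/golang:1.22@sha256:<digest>`) is the stronger pin for a stage whose `/chroot` is copied verbatim into the final image.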
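Review bot: `RUN mkdir -p /chroot/usr/bin` is new and unexplained; in the old layout this stage got `/chroot` seeded by `COPY --from=micro / /chroot/`, and nothing now says why the directory has to be created by hand. A comment above the line such as `# /chroot in this stage holds only the binaries staged below; the micro rootfs and zypper packages come from the zypper stage and are overlaid in the final image.` would let the next reader understand the split without diffing history. The staging steps that write into `/chroot/usr/bin` (Sonobuoy per the following context line, `kb-summarizer` per the `make build` line in the last hunk) are outside this hunk, so whether they all tolerate a missing parent directory cannot be checked here.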
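Review bot: `COPY --from=xx / /` overlays the whole root of the xx image onto the builder stage, where the code removed in the last hunk copied only `/usr/bin/xx-verify` and `/usr/bin/xx-info`; any file the xx image ships outside `/usr/bin` would silently overwrite builder files, and the blanket copy hides what the build actually depends on. `xx-go --wrap` relies on sibling `xx-*` scripts, so the narrower `COPY --from=xx /usr/bin/xx-* /usr/bin/` keeps the new capability without the root overlay — confirm the xx image has nothing else the wrapper reads. `mkdir -p /run/lock` is folded into the same `RUN` as the unrelated `xx-go --wrap`; it was a separate step before and a short comment naming what needs the lock directory (presumably something invoked during the cross-build, which this hunk does not show) would save the next reader a search.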
@@ -70,18 +80,14 @@ RUN VERSION=${VERSION} TARGET_BIN=/chroot/usr/bin/kb-summarizer make build
 
 # Ensures that the binary that was built was cross-compiled correctly
 # and is valid on the target platform.
-COPY --from=xx \
-    /usr/bin/xx-verify \
-    /usr/bin/xx-info \
-    /usr/bin
-RUN mkdir -p /run/lock
 RUN xx-verify --static /chroot/usr/bin/kb-summarizer
 
 # Main stage using bci-micro as the base image
 FROM micro
 
-# Copy binaries and configuration files from builder to micro
+# Copy binaries and configuration files from builder and zypper to micro.
 COPY --from=builder /chroot/ /
+COPY --from=zypper /chroot/ /
 
 # Copy binaries and configuration files from the local repository to micro
 COPY package/cfg/ /etc/kube-bench/cfg/
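Review bot: The final stage copies `/chroot/` from `builder` and then from `zypper`, so any path present in both trees is taken from the zypper stage; the binaries this repository stages under `/chroot/usr/bin` (`kb-summarizer` per the hunk header, plus the tools staged in the builder stage) would be replaced by a package-provided file of the same name, and the zypper tree is the full micro rootfs copy plus packages, so its footprint is large. Swapping the order makes the project's own binaries win on collision: `COPY --from=zypper /chroot/ /` followed by `COPY --from=builder /chroot/ /`. No collision is visible for the current package set, which is outside this hunk, but the ordering is the cheaper guarantee and costs nothing.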