From 43e89aee00b635bc1525dab75280665f11c0e19e Mon Sep 17 00:00:00 2001
From: humanoid2050 <humanoid2050@monolith>
Date: Mon, 13 Feb 2023 21:09:18 -0500
Subject: [PATCH] generate multiarch images for non-architecture tags

---
 .../templates/stages/deploy-stage.yml         | 10 ++++-
 tools/docker/deploy.sh                        | 38 +++++++------------
 tools/docker/deploy_multiarch.sh              | 36 ++++++++++++++++++
 3 files changed, 58 insertions(+), 26 deletions(-)
 create mode 100755 tools/docker/deploy_multiarch.sh

diff --git a/.azure-pipelines/templates/stages/deploy-stage.yml b/.azure-pipelines/templates/stages/deploy-stage.yml
index cb8b24e28..bf9a9ef95 100644
--- a/.azure-pipelines/templates/stages/deploy-stage.yml
+++ b/.azure-pipelines/templates/stages/deploy-stage.yml
@@ -11,7 +11,7 @@ stages:
       - template: ../jobs/snap-deploy-job.yml
         parameters:
           snapReleaseChannel: ${{ parameters.snapReleaseChannel }}
-      - job: publish_docker
+      - job: publish_docker_by_arch
         pool:
           vmImage: ubuntu-22.04
         strategy:
@@ -51,4 +51,10 @@ stages:
               containerRegistry: docker-hub
             displayName: Login to Docker Hub
           - bash: set -e && tools/docker/deploy.sh $(dockerTag) $DOCKER_ARCH
-            displayName: Deploy the Docker images
+            displayName: Deploy the Docker images by architecture
+      - job: publish_docker_multiarch
+        pool:
+          vmImage: ubuntu-22.04
+        steps:
+          - bash: set -e && tools/docker/deploy_multiarch.sh $(dockerTag)
+            displayName: Deploy the Docker multiarch manifests
\ No newline at end of file
diff --git a/tools/docker/deploy.sh b/tools/docker/deploy.sh
index f9446a991..3513d73a8 100755
--- a/tools/docker/deploy.sh
+++ b/tools/docker/deploy.sh
@@ -21,25 +21,25 @@ fi
 source "$WORK_DIR/lib/common"
 ParseRequestedArch "${2}"
 
+
+
+
 # Creates and pushes all Docker images aliases for the requested architectures
 # set in the environment variable ALL_REQUESTED_ARCH.  If the value of the
 # global variable TAG_BASE is a 2.0.0 or greater version tag such as v2.1.0,
-# the "latest" tag is also updated. Tags without the architecture part are also
-# created for the default architecture.
-# As an example, for amd64 (the default architecture) and the tag v0.35.0, the
-# following tags would be created:
-#  - certbot/certbot:v0.35.0
-#  - certbot/certbot:latest
-#  - certbot/certbot:amd64-latest
-# For the architecture arm32v6 and the tag v0.35.0, only the following tag
-# would be created:
-#  - certbot/certbot:arm32v6-latest
-# For other tags such as "nightly", aliases are only created for the default
-# architecture where the tag "nightly" would be used without an architecture
-# part.
+# tags for "latest" are also created. Tags such as "nightly" do not recieve 
+# "latest" tags.
+# As an example, for the tag v2.2.0 and the default set of all target 
+# architectures, the following tags would be created:
+#  - certbot/certbot:amd64-v2.2.0       <- image
+#  - certbot/certbot:arm32v6-v2.2.0     <- image
+#  - certbot/certbot:arm64v8-v2.2.0     <- image
+#  - certbot/certbot:amd64-latest       <- image
+#  - certbot/certbot:arm32v6-latest     <- image
+#  - certbot/certbot:arm64v8-latest     <- image
 # Usage: TagAndPushForAllRequestedArch [IMAGE NAME]
 #   where [IMAGE NAME] is the name of the Docker image in the Docker repository
-#   such as "certbot" or "dns-cloudflare".
+#   such as "certbot" or "dns-cloudflare". 
 # Read globals:
 # * TAG_BASE
 # * ALL_REQUESTED_ARCH
@@ -51,19 +51,9 @@ TagAndPushForAllRequestedArch() {
         # added them, we haven't had another timeout, so until we experience
         # another timeout & can get the deubg logs, we're leaving them in.
         docker --debug push "${DOCKER_REPO}:${TARGET_ARCH}-${TAG_BASE}"
-
-        # If TAG_BASE is a valid tag for version 2.0.0 or greater
         if [[ "${TAG_BASE}" =~ ^v([2-9]|[1-9][0-9]+)\.[0-9]+\.[0-9]+$ ]]; then
             docker tag "${DOCKER_REPO}:${TARGET_ARCH}-${TAG_BASE}" "${DOCKER_REPO}:${TARGET_ARCH}-latest"
             docker --debug push "${DOCKER_REPO}:${TARGET_ARCH}-latest"
-            if [ "${TARGET_ARCH}" == "${DEFAULT_ARCH}" ]; then
-                docker tag "${DOCKER_REPO}:${TARGET_ARCH}-${TAG_BASE}" "${DOCKER_REPO}:latest"
-                docker --debug push "${DOCKER_REPO}:latest"
-            fi
-        fi
-        if [ "${TARGET_ARCH}" == "${DEFAULT_ARCH}" ]; then
-            docker tag "${DOCKER_REPO}:${TARGET_ARCH}-${TAG_BASE}" "${DOCKER_REPO}:${TAG_BASE}"
-            docker --debug push "${DOCKER_REPO}:${TAG_BASE}"
         fi
     done
 }
diff --git a/tools/docker/deploy_multiarch.sh b/tools/docker/deploy_multiarch.sh
new file mode 100755
index 000000000..893da8fa6
--- /dev/null
+++ b/tools/docker/deploy_multiarch.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+set -euxo pipefail
+
+WORK_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+
+TAG_BASE="$1"  # Eg. v0.35.0 or nightly
+if [ -z "$TAG_BASE" ]; then
+    echo "We cannot tag Docker images with an empty string!" >&2
+    exit 1
+fi
+source "$WORK_DIR/lib/common"
+
+# Creates multiarch manifests for TAG_BASE, and 'latest' if TAG_BASE > 2.0.0
+#  - certbot/certbot:v2.2.0             <- multiarch manifest 
+#  - certbot/certbot:latest             <- multiarch manifest
+MakeMultiarchManifestForAllTargetArch() {
+    DOCKER_REPO="${DOCKER_HUB_ORG}/${1}"
+    SRC_IMAGES=""
+    for TARGET_ARCH in "${ALL_TARGET_ARCH[@]}"; do
+        SRC_IMAGES+=" ${DOCKER_REPO}:${TARGET_ARCH}-${TAG_BASE}"
+    done
+    echo ${SRC_IMAGES}
+    docker buildx imagetools create -t ${DOCKER_REPO}:${TAG_BASE}${SRC_IMAGES}
+    if [[ "${TAG_BASE}" =~ ^v([2-9]|[1-9][0-9]+)\.[0-9]+\.[0-9]+$ ]]; then
+        docker buildx imagetools create -t "${DOCKER_REPO}:latest" "${SRC_IMAGES}"
+    fi
+}
+
+
+# Step 1: Certbot core Docker
+MakeMultiarchManifestForAllTargetArch "certbot"
+
+# Step 2: Certbot DNS plugins Docker images
+for plugin in "${CERTBOT_PLUGINS[@]}"; do
+    MakeMultiarchManifestForAllTargetArch "${plugin}"
+done