Skip to content

Add multi-platform container builds for amd64 and arm64#985

Open
pditommaso wants to merge 18 commits intomasterfrom
refactor/child-entries
Open

Add multi-platform container builds for amd64 and arm64#985
pditommaso wants to merge 18 commits intomasterfrom
refactor/child-entries

Conversation

@pditommaso
Copy link
Collaborator

@pditommaso pditommaso commented Mar 3, 2026
edited
Loading

Summary

  • Add support for multi-platform container builds targeting both linux/amd64 and linux/arm64 architectures
  • Multi-platform builds are triggered by specifying a multi-arch containerPlatform value (e.g. linux/amd64,linux/arm64) — the previous multiPlatform boolean flag has been removed
  • Introduce ContainerPlatform.Platform inner class to properly model per-platform {os, arch, variant} tuples instead of a shared OS with a list of bare arch names
  • Introduce ChildRefs value type to track per-platform child build and scan IDs with proper Moshi serialization
  • Per-architecture security scanning: each platform gets its own scan ID and independent scan execution
  • MultiPlatformBuildService orchestrates parallel per-arch builds and assembles an OCI image index (manifest list)

Test plan

  • ContainerPlatformTest — single/multi-arch parsing, round-trip, equality, matching
  • ContainerControllerTest — multi-platform validation and request handling
  • ChildEntriesTest — encoding, round-trip, Jackson serialization, template binding
  • BuildRequestTest — Jackson serialization with child entries
  • ContainerScanServiceImplTest — multi-platform scan fan-out

🤖 Generated with Claude Code

pditommaso and others added 5 commits March 2, 2026 21:04
@pditommaso
POC 1
5201d27 
Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
@pditommaso
POC 2
6a415c4 
Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
@pditommaso
POC 3
390e1f5 
Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
@pditommaso @claude
Add multi-platform container builds with per-architecture scanning
8adb8ac 
Refactor ContainerPlatform to support multi-arch builds natively,
replacing MultiContainerPlatform with a unified model. Fan out security
scans per architecture since Trivy only accepts a single --platform flag.

Key changes:
- Consolidate ContainerPlatform to handle both single and multi-arch
- Add ScanIds helper for encoding/decoding per-platform scan IDs
- Fan out scans in ContainerScanServiceImpl per architecture
- Add BuildRequest.withScanId() for propagating multi-scan IDs
- Update views and email templates for per-arch scan links
- Poll all per-arch scans in ContainerStatusServiceImpl
- Extract ScanIds.populateScanBinding() to DRY scan binding logic

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@pditommaso @claude
Replace ScanIds with ChildEntries value type and add dedicated scanCh…
8fa40ae 
…ildIds field

- Create ChildEntries as a shared value type for encoding/decoding per-platform
  child IDs (builds and scans), with Jackson serialization support
- Stop overloading scanId with multi-platform encoded IDs; add dedicated
  scanChildIds field to BuildRequest, ContainerRequest, WaveBuildRecord,
  and WaveContainerRecord
- Change buildChildIds from String to ChildEntries type across all data classes
- Remove scan/build child entries and scan info from mail notifications
- Delete ScanIds utility class and its tests, replaced by ChildEntries

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@pditommaso pditommaso changed the base branch from multi-platform to master March 3, 2026 17:48
@pditommaso pditommaso mentioned this pull request Mar 3, 2026
Closed
5 tasks
pditommaso and others added 4 commits March 3, 2026 19:31
@pditommaso @claude
Address code review feedback
6747ea8 
- Remove dead `withScanId()` method from BuildRequest
- Add explicit `= null` initialization for scanChildIds in ContainerController
- Fix pre-existing bug: `this.mirror == that.mirror` → `=` in WaveContainerRecord copy constructor
- Rename mismatched getter `getChildScanIds()` → `getScanChildIds()` in ContainerRequest
- Add Jackson round-trip serialization tests for ChildEntries

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@pditommaso @claude
Fix failing tests: ContainerPlatform Jackson support and scan mock stubs
ca0ec8c 
- Add @JsonCreator/@jsonvalue to ContainerPlatform for proper serialization
  in persistence records (fixes mirror record tests)
- Add missing getScanId() stubs to ScanEntry mocks in ContainerStatusServiceTest
  (scanResult uses scan.scanId not request.scanId for URL)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@pditommaso @claude
Refactor ContainerPlatform: introduce inner Platform class
1beb69b 
Replace separate os/arch/variant/archs fields with a List<Platform> to
properly model multi-platform combinations where each platform can have
its own OS. Move parsing logic into Platform.of() static factory method.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@pditommaso @claude
Replace multiPlatform flag with multi-arch containerPlatform detection
059e5d5 
Remove the boolean multiPlatform field from SubmitContainerTokenRequest.
Multi-platform builds are now triggered by specifying a multi-arch
containerPlatform value (e.g. "linux/amd64,linux/arm64"). Add validation
that only the linux/amd64+arm64 pair is currently allowed. Add
@JsonPropertyOrder to BuildRequest to fix CI field ordering.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@pditommaso pditommaso changed the title Replace ScanIds with ChildEntries value type Add multi-platform container builds for amd64 and arm64 Mar 3, 2026
pditommaso and others added 2 commits March 3, 2026 22:13
@pditommaso @claude
Rewrite ChildEntries as plain POJO for Moshi serialization
8ae134f 
ChildEntries no longer extends ArrayList — it wraps a List<Entry>
field that Moshi can serialize/deserialize correctly through
BuildStateStore. Replace Jackson-based tests with Moshi roundtrip
tests using the same MoshiEncodeStrategy as production. Remove
unused @JsonPropertyOrder from BuildRequest.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@pditommaso @claude
Rename ChildEntries to ChildRefs with Entry→Ref and platform→value
9a0318e 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@pditommaso pditommaso requested a review from munishchouhan March 3, 2026 21:36
@pditommaso
Copy link
Collaborator Author

pditommaso commented Mar 4, 2026

@munishchouhan when you have some capacity, it would be useful to stress this a bit to make sure there no regression.

containerPlatform allow linux/amd64,linux/arm64 in the build request. For all others it should remain the same

pditommaso and others added 6 commits March 4, 2026 09:19
@pditommaso
Merge branch 'master' into refactor/child-entries
c7e3812 
# Conflicts:
#	src/test/groovy/io/seqera/wave/service/persistence/impl/SurrealPersistenceServiceTest.groovy
@pditommaso @claude
Add validation to reject multi-platform values in non-build endpoints
bd32c39 
Add ContainerPlatform.validateSinglePlatform() helper and use it in
InspectController to prevent comma-separated platform values (e.g.
linux/amd64,linux/arm64) which should only be allowed for container
build requests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@pditommaso
Merge branch 'master' into refactor/child-entries
5ef0c36
@pditommaso
[release] bump version
971eb5f 
Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
@pditommaso @claude
Augment all matching platform manifests for multi-arch containers
aa971fa 
When containerPlatform is multi-arch, the resolution process now
augments each matching platform manifest in the image index with
correctly filtered arch-specific fusion layers (amd64 gets
fusion-amd64.tar.gz, arm64 gets fusion-arm64.tar.gz).

Key changes:
- Add resolveImageIndex() and augmentManifest() to handle per-platform
  augmentation with arch-specific layer filtering
- Add AugmentedManifest class replacing Tuple2<String, Integer>
- Move matches() from ContainerPlatform to Platform inner class
- Guard ContainerPlatform.os/arch/variant with exception on multi-arch
- Move skip-cache setting from debug flag to BuildConfig (default false)
- Fix body.bytes double computation in ManifestAssembler

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@pditommaso
[release] bump version 1.33.0-B1
9af8edd 
Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
@pditommaso
Copy link
Collaborator Author

pditommaso commented Mar 6, 2026

Multi-arch augmentation and Fusion layer filtering

Problem

When containerPlatform is multi-arch (e.g. linux/amd64,linux/arm64), the container resolution process in ContainerAugmenter only augmented one platform manifest from the image index. This meant the other architecture was left unaugmented, resulting in incorrect multi-platform images.

Additionally, fusion layers were not filtered by architecture — both fusion-amd64.tar.gz and fusion-arm64.tar.gz would be injected into every platform manifest, regardless of its target architecture.

Solution

Multi-arch augmentation (ContainerAugmenter)

  • Added resolveImageIndex() — a unified handler that iterates over all matching platform entries in a manifest index (both single-arch and multi-arch)
  • Added augmentManifest() — shared logic to fetch config, filter layers by architecture, and update the config + manifest for a single platform
  • Added matchesPlatformEntry() to check if an index entry matches any of the target platforms
  • updateImageIndex() now accepts a Map<String, AugmentedManifest> to batch-update all augmented entries in one pass
  • Introduced AugmentedManifest inner class (digest + size) replacing the previous Tuple2<String, Integer>

Fusion layer filtering (MultiPlatformBuildService)

  • Added filterLayersForPlatform() — filters fusion layers by matching the architecture suffix in the layer URL (e.g. fusion-amd64.tar.gz → keeps only for amd64)
  • Non-fusion layers (no arch suffix) pass through unfiltered
  • Used at build time in createPlatformRequest() and at augmentation time in augmentManifest()

Platform matching (ContainerPlatform)

  • Moved matches(), sameOs(), sameArch(), sameVariant() into the Platform inner class where they belong
  • Guarded getOs()/getArch()/getVariant() on ContainerPlatform to throw IllegalStateException when called on a multi-arch instance (marked @Deprecated)
  • Fixed PullMetricsRequestsFilter to handle multi-arch platforms safely

Other improvements

  • Moved skip-build-cache from wave.debug to BuildConfig (wave.build.skip-cache, default false)
  • Fixed body.bytes double computation in ManifestAssembler
  • Fixed double JSON parsing in parseManifest overloads

Result

Each platform in a multi-arch image index now gets augmented with the correct arch-specific fusion layers: amd64 manifests receive fusion-amd64.tar.gz, arm64 manifests receive fusion-arm64.tar.gz.

@pditommaso pditommaso mentioned this pull request Mar 6, 2026
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@munishchouhan munishchouhan Awaiting requested review from munishchouhan

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pditommaso @munishchouhan