build: update Dockerfiles, Makefile, and CI for Cilium v1.19

- Update Go base images and build toolchain in Dockerfiles
- Add ARG BUILDPLATFORM before first FROM in Windows Dockerfiles
- Fix CGO_ENABLED handling and use -run bpf2go in test image Dockerfile
- Add _cprog to golangci-lint excluded paths
- Update Makefile, CI workflows, devcontainer, and .gitignore

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>

Author: nddq

.devcontainer/devcontainer.json

@@ -7,7 +7,6 @@
     "ghcr.io/devcontainers/features/github-cli:1": {},
     "ghcr.io/devcontainers/features/go:1": {},
     "ghcr.io/devcontainers/features/kubectl-helm-minikube:1": {},
-    "ghcr.io/devcontainers-contrib/features/kind:1": {},
     "ghcr.io/devcontainers/features/azure-cli:1": {}
   },
   "postCreateCommand": "bash .devcontainer/installMoreTools.sh && kind create cluster",
@@ -22,4 +21,4 @@
       ]
     }
   }
-}
+}

.github/workflows/golangci-lint.yaml

@@ -28,6 +28,9 @@ jobs:
         if: env.IS_NOT_MERGE_GROUP
         with:
           go-version-file: go.mod
+      - name: Check BPF object stubs
+        if: env.IS_NOT_MERGE_GROUP
+        run: make lint-bpf-objects
       - name: golangci-lint
         if: env.IS_NOT_MERGE_GROUP
         uses: golangci/golangci-lint-action@v9

.github/workflows/images.yaml

@@ -14,7 +14,7 @@ permissions:
 jobs:
   retina-images:
     name: Build Agent Images - Linux
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
 
     strategy:
       matrix:
@@ -30,9 +30,6 @@ jobs:
           go-version-file: go.mod
       - run: go version
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
       - name: Az CLI login
         uses: azure/login@v2
         if: ${{ github.event_name == 'merge_group' }}
@@ -65,7 +62,7 @@ jobs:
   build-windows-binaries:
     name: Build Windows Binaries
     runs-on: ubuntu-latest
-    
+
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -131,7 +128,7 @@ jobs:
           TAG=$(make version)
           echo "TAG=$TAG" >> "$GITHUB_ENV"
           if [ "$IS_MERGE_GROUP" == "true" ]; then
-            az acr login -n ${{ vars.ACR_NAME }} 
+            az acr login -n ${{ vars.ACR_NAME }}
             make retina-image-win \
               IMAGE_NAMESPACE=${{ github.repository }} \
               PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \
@@ -154,7 +151,7 @@ jobs:
 
   operator-images:
     name: Build Operator Images
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
 
     strategy:
       matrix:
@@ -170,9 +167,6 @@ jobs:
           go-version-file: go.mod
       - run: go version
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
       - name: Az CLI login
         uses: azure/login@v2
         if: ${{ github.event_name == 'merge_group' }}
@@ -203,18 +197,13 @@ jobs:
           IS_MERGE_GROUP: ${{ github.event_name == 'merge_group' }}
 
   retina-shell-images:
-    name: Build Retina Shell Images (${{ matrix.platform }}, ${{ matrix.arch }})
-    runs-on: ${{ matrix.runner }}
+    name: Build Retina Shell Images
+    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
 
     strategy:
       matrix:
-        include:
-          - platform: linux
-            arch: amd64
-            runner: ubuntu-latest
-          - platform: linux
-            arch: arm64
-            runner: ubuntu-24.04-arm
+        platform: ["linux"]
+        arch: ["amd64", "arm64"]
 
     steps:
       - name: Checkout code
@@ -255,7 +244,7 @@ jobs:
 
   kubectl-retina-images:
     name: Build Kubectl Retina Images
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
 
     strategy:
       matrix:
@@ -271,9 +260,6 @@ jobs:
           go-version-file: go.mod
       - run: go version
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
       - name: Az CLI login
         uses: azure/login@v2
         if: ${{ github.event_name == 'merge_group' }}
@@ -337,7 +323,7 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
-          az acr login -n ${{ vars.ACR_NAME }}  
+          az acr login -n ${{ vars.ACR_NAME }}
           make manifest COMPONENT=${{ matrix.components }} \
           IMAGE_REGISTRY=${{ vars.ACR_NAME }}  \
 
@@ -389,7 +375,7 @@ jobs:
       azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
       azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
       azure-app-insights-key: ${{ secrets.AZURE_APP_INSIGHTS_KEY }}
-  
+
   perf-test-advanced:
     if: ${{ github.event_name == 'merge_group'}}
     needs: [manifests]

.gitignore

@@ -1,55 +1,43 @@
-# If you prefer the allow list template instead of the deny list, see community template:
-# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
-#
-# Binaries for programs and plugins
+# Binaries
 *.exe
 *.exe~
 *.dll
 *.so
 *.dylib
-
-# Avoid checking in keys
-*.pem
-
-# Test binary, built with `go test -c`
 *.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
-*.out
-
-# logs
-*.log
-
-# Dependency directories (remove the comment below to include it)
-# vendor/
-
-# Go workspace file
-go.work
-
-# Object files
 *.o
+bin/
+dist/
 
-# docusaurus
-site/yarn.lock
-site/.docusaurus/
-site/node_modules/
+# Go
+go.work
 
-output
-#vscode 
-.vscode/
+# Keys and certificates
+*.pem
+.certs/
 
-dist/
-bin/
+# Logs and output
+*.log
+*.out
+.output/
 
-image-metadata-*.json
-*packetmonitorsupport*/
-*.pem
+# Test artifacts
 *results*.json
 netperf-*.json
 netperf-*.csv
+image-metadata-*.json
+*packetmonitorsupport*/
+test-summary
 
-.certs/
+# Build artifacts
+.artifacts/
 
-artifacts/
+# Documentation site
+site/yarn.lock
+site/.docusaurus/
+site/node_modules/
 
-test-summary
+# IDE and editor
+.vscode/
+.clangd
+.clang-format

.golangci.yaml

@@ -78,6 +78,7 @@ linters:
       - third_party$
       - builtin$
       - examples$
+      - _cprog$
 issues:
   max-issues-per-linter: 0
   max-same-issues: 0

Makefile

@@ -146,6 +146,20 @@ lint: ## Fast lint vs default branch showing only new issues.
 lint-existing: ## Lint the current branch in entirety.
 	$(GOLANGCI_LINT) run -v $(LINT_PKG)/...
 
+lint-bpf-objects: ## Check that committed .o files are empty stubs (build generates real ones).
+	@echo "Checking for non-empty .o files..."
+	@non_empty=$$(git ls-files '*.o' | xargs -I{} sh -c 'test -s "{}" && echo "{}"'); \
+	if [ -n "$$non_empty" ]; then \
+		echo "ERROR: The following .o files must be empty stubs:"; \
+		echo "$$non_empty"; \
+		echo "Run 'make empty-bpf-objects' to fix."; \
+		exit 1; \
+	fi
+	@echo "All .o files are empty stubs. OK."
+
+empty-bpf-objects: ## Empty all tracked .o files (they are stubs for the linter).
+	git ls-files '*.o' | xargs -I{} truncate -s 0 {}
+
 clean: ## clean build artifacts
 	$(RMDIR) $(OUTPUT_DIR)
 

cli/Dockerfile

@@ -1,5 +1,5 @@
 # skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.24.11-azurelinux3.0 --format "{{.Name}}@{{.Digest}}"
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/oss/go/microsoft/golang@sha256:531bd02db17b0c2ec919f10fc203a6a8c825e8ca01f40c3a1e32e1cf7119c6d8 AS builder
+FROM mcr.microsoft.com/oss/go/microsoft/golang@sha256:a1a9699ff2ee1c3a2b5a23e6226ea431b6c876c84b52f78b2f514edcb9816340 AS builder
 
 ARG VERSION
 ARG APP_INSIGHTS_ID
@@ -16,21 +16,21 @@ ARG GOARCH=amd64
 ENV GOARCH=${GOARCH}
 
 RUN --mount=type=cache,target="/root/.cache/go-build" \
-    CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
+    GOOS=$GOOS GOARCH=$GOARCH go build \
     -ldflags "-X github.com/microsoft/retina/internal/buildinfo.Version="$VERSION" \
     -X "github.com/microsoft/retina/internal/buildinfo.ApplicationInsightsID"="$APP_INSIGHTS_ID" \
     -X "github.com/microsoft/retina/internal/buildinfo.RetinaAgentImageName"="$AGENT_IMAGE_NAME"" \
     -a -o kubectl-retina cli/main.go
 
 # Target 1: Distroless (secure, minimal)
 # skopeo inspect docker://mcr.microsoft.com/azurelinux/distroless/minimal:3.0 --format "{{.Name}}@{{.Digest}}"
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/azurelinux/distroless/minimal@sha256:0801b80a0927309572b9adc99bd1813bc680473175f6e8175cd4124d95dbd50c AS distroless-target
+FROM mcr.microsoft.com/azurelinux/distroless/minimal@sha256:0801b80a0927309572b9adc99bd1813bc680473175f6e8175cd4124d95dbd50c AS distroless-target
 WORKDIR /
 COPY --from=builder /workspace/kubectl-retina .
 
 # Target 2: Shell-enabled (operational, init container support)
 # skopeo inspect docker://mcr.microsoft.com/cbl-mariner/base/core:2.0 --format "{{.Name}}@{{.Digest}}"
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/cbl-mariner/base/core@sha256:4d97d662d71c1fda938ed9df36d8f490d9107cff37e89c0efa932d073285ad85 AS shell-target
+FROM mcr.microsoft.com/cbl-mariner/base/core@sha256:4d97d662d71c1fda938ed9df36d8f490d9107cff37e89c0efa932d073285ad85 AS shell-target
 WORKDIR /
 COPY --from=builder /workspace/kubectl-retina /bin/kubectl-retina
 RUN chmod +x /bin/kubectl-retina

controller/Dockerfile

@@ -1,7 +1,7 @@
 # pinned base images
 
 # skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.24.11-azurelinux3.0 --format "{{.Name}}@{{.Digest}}"
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/oss/go/microsoft/golang@sha256:531bd02db17b0c2ec919f10fc203a6a8c825e8ca01f40c3a1e32e1cf7119c6d8 AS golang
+FROM mcr.microsoft.com/oss/go/microsoft/golang@sha256:a1a9699ff2ee1c3a2b5a23e6226ea431b6c876c84b52f78b2f514edcb9816340 AS golang
 
 # skopeo inspect docker://mcr.microsoft.com/azurelinux/base/core:3.0 --format "{{.Name}}@{{.Digest}}"
 FROM mcr.microsoft.com/azurelinux/base/core@sha256:9948138108a3d69f1dae62104599ac03132225c3b7a5ac57b85a214629c8567d AS azurelinux-core
@@ -19,21 +19,23 @@ ARG GOOS=linux # default to linux
 ENV GOARCH=${GOARCH}
 ENV GOOS=${GOOS}
 RUN if [ "$GOOS" = "linux" ] ; then \
-      tdnf install -y clang lld bpftool libbpf-devel; \
+    tdnf install -y clang lld bpftool libbpf-devel; \
     fi
 COPY ./pkg/plugin /go/src/github.com/microsoft/retina/pkg/plugin
 WORKDIR /go/src/github.com/microsoft/retina
 RUN if [ "$GOOS" = "linux" ] ; then \
-      go mod init github.com/microsoft/retina; \
-      go generate -skip "mockgen" -x /go/src/github.com/microsoft/retina/pkg/plugin/...; \
-      tar czf /gen.tar.gz ./pkg/plugin; \
-      rm go.mod; \
+    go mod init github.com/microsoft/retina; \
+    go generate -skip "mockgen" -x /go/src/github.com/microsoft/retina/pkg/plugin/...; \
+    tar czf /gen.tar.gz ./pkg/plugin; \
+    rm go.mod; \
     fi
 COPY ./go.mod ./go.sum ./
 RUN go mod download
 COPY . .
 RUN if [ "$GOOS" = "linux" ] ; then \
-      rm -rf ./pkg/plugin && tar xvf /gen.tar.gz ./pkg/plugin; \
+    rm -rf ./pkg/plugin && tar xvf /gen.tar.gz ./pkg/plugin; \
+    find ./pkg/plugin -path "*/_cprog/*.go" -delete; \
+    find ./pkg/plugin -name "*.go" -exec sed -i '/^[[:space:]]*_[[:space:]]*".*\/_cprog"/d' {} \;; \
     fi
 
 # capture binary

controller/Dockerfile.gogen

@@ -1,5 +1,5 @@
 # skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.24.11-azurelinux3.0 --format "{{.Name}}@{{.Digest}}"
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/oss/go/microsoft/golang@sha256:531bd02db17b0c2ec919f10fc203a6a8c825e8ca01f40c3a1e32e1cf7119c6d8
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/oss/go/microsoft/golang@sha256:a1a9699ff2ee1c3a2b5a23e6226ea431b6c876c84b52f78b2f514edcb9816340
 
 # Default linux/architecture.
 ARG GOOS=linux

controller/Dockerfile.proto

@@ -1,5 +1,5 @@
 # skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.24.11-azurelinux3.0 --format "{{.Name}}@{{.Digest}}"
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/oss/go/microsoft/golang@sha256:531bd02db17b0c2ec919f10fc203a6a8c825e8ca01f40c3a1e32e1cf7119c6d8
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/oss/go/microsoft/golang@sha256:a1a9699ff2ee1c3a2b5a23e6226ea431b6c876c84b52f78b2f514edcb9816340
 
 LABEL Name=retina-builder Version=0.0.1