fix(ci): Fix publish step to publish multi-arch images for public use (#3287)

* Remove `--pull-tags`
* Correctly build and push multi-arch images for public use
* re-revert Fix POSIX shell issue
* re-revert Fix Gateways masquerading for wireless interfaces

.github/workflows/publish.yml

@@ -156,16 +156,14 @@ jobs:
 
           for image in "${IMAGES[@]}"; do
             SOURCE_TAG=${{ steps.login.outputs.registry }}/firezone/${image}:${{ inputs.tag || github.sha }}
-            docker pull --all-tags ${SOURCE_TAG}
 
-            echo "Retagging ${image} from ${SOURCE_TAG}"
-
-            docker tag ${SOURCE_TAG} ghcr.io/firezone/${image}:${{ inputs.tag || github.sha }}
-            docker tag ${SOURCE_TAG} ghcr.io/firezone/${image}:${{ env.VERSION }}
-            docker tag ${SOURCE_TAG} ghcr.io/firezone/${image}:${{ env.VERSION }}-${{ inputs.tag || github.sha }}
-            docker tag ${SOURCE_TAG} ghcr.io/firezone/${image}:latest
-            docker tag ${SOURCE_TAG} ghcr.io/firezone/${image}:${MAJOR_VERSION}
-            docker tag ${SOURCE_TAG} ghcr.io/firezone/${image}:${MAJOR_MINOR_VERSION}
-
-            docker push --all-tags ghcr.io/firezone/${image}
+            docker buildx imagetools create \
+              -t ghcr.io/firezone/${image}:${{ inputs.tag || github.sha }} \
+              -t ghcr.io/firezone/${image}:${{ env.VERSION }} \
+              -t ghcr.io/firezone/${image}:${{ env.VERSION }} \
+              -t ghcr.io/firezone/${image}:${{ env.VERSION }}-${{ inputs.tag || github.sha }} \
+              -t ghcr.io/firezone/${image}:latest \
+              -t ghcr.io/firezone/${image}:${MAJOR_VERSION} \
+              -t ghcr.io/firezone/${image}:${MAJOR_MINOR_VERSION} \
+              $SOURCE_TAG
           done

rust/Dockerfile

@@ -87,7 +87,7 @@ COPY . .
 
 ARG TARGET
 ARG PACKAGE
-RUN cargo build -p ${PACKAGE} $([ -v "${TARGET}" ] && "--target ${TARGET}")
+RUN cargo build -p ${PACKAGE} $([ -n "${TARGET}" ] && "--target ${TARGET}")
 
 # Image which is used to run the application binary
 FROM alpine:${ALPINE_VERSION} AS runtime

rust/docker-init.sh

@@ -3,12 +3,14 @@
 if [ "${FIREZONE_ENABLE_MASQUERADE}" = "1" ]; then
   IFACE="tun-firezone"
   # Enable masquerading for ethernet and wireless interfaces
-  iptables-nft -A FORWARD -i $IFACE -j ACCEPT
-  iptables-nft -A FORWARD -o $IFACE -j ACCEPT
-  iptables-nft -t nat -A POSTROUTING -o eth+ -j MASQUERADE
-  ip6tables-nft -A FORWARD -i $IFACE -j ACCEPT
-  ip6tables-nft -A FORWARD -o $IFACE -j ACCEPT
-  ip6tables-nft -t nat -A POSTROUTING -o eth+ -j MASQUERADE
+  iptables -C FORWARD -i $IFACE -j ACCEPT > /dev/null 2>&1 || iptables -A FORWARD -i $IFACE -j ACCEPT
+  iptables -C FORWARD -o $IFACE -j ACCEPT > /dev/null 2>&1 || iptables -A FORWARD -o $IFACE -j ACCEPT
+  iptables -t nat -C POSTROUTING -o e+ -j MASQUERADE > /dev/null 2>&1 || iptables -t nat -A POSTROUTING -o e+ -j MASQUERADE
+  iptables -t nat -C POSTROUTING -o w+ -j MASQUERADE > /dev/null 2>&1 || iptables -t nat -A POSTROUTING -o w+ -j MASQUERADE
+  ip6tables -C FORWARD -i $IFACE -j ACCEPT > /dev/null 2>&1 || ip6tables -A FORWARD -i $IFACE -j ACCEPT
+  ip6tables -C FORWARD -o $IFACE -j ACCEPT > /dev/null 2>&1 || ip6tables -A FORWARD -o $IFACE -j ACCEPT
+  ip6tables -t nat -C POSTROUTING -o e+ -j MASQUERADE > /dev/null 2>&1 || ip6tables -t nat -A POSTROUTING -o e+ -j MASQUERADE
+  ip6tables -t nat -C POSTROUTING -o w+ -j MASQUERADE > /dev/null 2>&1 || ip6tables -t nat -A POSTROUTING -o w+ -j MASQUERADE
 fi
 
 if [ "${LISTEN_ADDRESS_DISCOVERY_METHOD}" = "gce_metadata" ]; then