experiment: Add Wolfi based images #1735

Draft: wants to merge 1 commit into base: main
9 changes: 9 additions & 0 deletions .github/dependabot.yml
@@ -360,3 +360,12 @@ updates:
all:
patterns:
- "*"
- package-ecosystem: "terraform"
directory: "/tekton/images"
schedule:
interval: "weekly"
labels:
- "ok-to-test"
- "dependencies"
- "release-note-none"
- "kind/misc"
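Review bot: The new `terraform` entry only points Dependabot at `/tekton/images`, but the exact pin `version = "0.0.9"` on the `chainguard-dev/apko/publisher` module lives in the `ko/` and `ko-gcloud/` subdirectories; unless Dependabot follows the local `source = "./ko"` references, those pins will never be bumped, so either add those directories as well or confirm that local modules are picked up. Note also that the `ok-to-test` label means provider and module bumps will run CI before a human has looked at what changed in the bumped dependency.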
3 changes: 3 additions & 0 deletions .gitignore
@@ -13,3 +13,6 @@

**/.bin
**/.DS_Store

.terraform**
terraform.tfstate**
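Review bot: `.terraform**` also matches `.terraform.lock.hcl`, since `**` that is not delimited by slashes behaves like `*`; the lock file records the selected provider versions and their hashes and is what makes `terraform init` reproducible, so it should be committed, not ignored. Prefer `.terraform/` for the plugin directory and `terraform.tfstate*` for local state.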
35 changes: 33 additions & 2 deletions tekton/images/README.md
@@ -1,4 +1,35 @@
# Container Images for Tekton infrastructure

This folder contains various container images used by Tekton infrastructure
to run Tekton's own CI/CD.
This folder contains various container images used by Tekton infrastructure to
run Tekton's own CI/CD.

## Wolfi images (experimental)

Some directories include experimental support for
[Wolfi](https://github.com/wolfi-dev/) images built via
[apko](https://github.com/chainguard-dev/apko) + terraform.

These images are built declaratively from Wolfi packages and are automatically
signed + attested during publishing.

To build these images, run:

```sh
TF_VAR_target_repository=ttl.sh/path/to/registry terraform apply
```

To build a single image (for example, `ko-gcloud`):

```sh
TF_VAR_target_repository=ttl.sh/path/to/registry terraform apply -target=module.ko-gcloud
```

### Signing and attestations

If you wish to sign/attest the image locally (optional for development, but
terraform will output a warning), you can enable it by setting
`TF_COSIGN_LOCAL=1`:

```sh
TF_COSIGN_LOCAL=1 TF_VAR_target_repository=ttl.sh/path/to/registry terraform apply -target=module.ko-gcloud
```
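Review bot: The build steps omit `terraform init`, which has to run once before `terraform apply` so that the apko and oci providers declared in `main.tf` are installed; add it as the first command. It would also help to name the directories that currently have Wolfi configs (`ko` and `ko-gcloud`) instead of "some directories", and to say that the commands are run from `tekton/images`, where the provider configuration lives.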
27 changes: 27 additions & 0 deletions tekton/images/ko-gcloud/apko.yaml
@@ -0,0 +1,27 @@
contents:
packages:
- bash
- busybox
- git
- go
- google-cloud-sdk
- ko
- kubectl
- kustomize
# Pin to python 3.11 until issues with 3.12 are resolved.
# ref: https://issuetracker.google.com/issues/303737178
- python3~3.11
- yq

entrypoint:
command: /bin/bash

accounts:
groups:
- groupname: nonroot
gid: 65532
users:
- username: nonroot
uid: 65532
gid: 65532
run-as: 65532
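Review bot: The `entrypoint` and `accounts` blocks here are byte-for-byte the same as in `tekton/images/ko/apko.yaml`; if more Wolfi images follow, a shared base config (apko's `include` key) would keep the nonroot uid/gid in one place. The `python3~3.11` pin is well justified by the comment and link; adding a TODO to revisit it once the referenced issue closes would stop the constraint from outliving its reason.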
34 changes: 34 additions & 0 deletions tekton/images/ko-gcloud/main.tf
@@ -0,0 +1,34 @@
terraform {
required_providers {
apko = {
source = "chainguard-dev/apko"
}
oci = {
source = "chainguard-dev/oci"
}
}
}

variable "target_repository" {
description = "The docker repo into which the image and attestations should be published."
}

module "image" {
source = "chainguard-dev/apko/publisher"
version = "0.0.9"

target_repository = var.target_repository
config = file("${path.module}/apko.yaml")
default_annotations = {
"org.opencontainers.image.url": "https://github.com/tektoncd/plumbing/tree/main/tekton/images/ko-gcloud"
}
}

resource "oci_tag" "latest" {
digest_ref = module.image.image_ref
tag = "latest-wolfi"
}

output "image_ref" {
value = oci_tag.latest.tagged_ref
}
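Review bot: `output "image_ref"` returns `oci_tag.latest.tagged_ref`, i.e. the mutable `latest-wolfi` tag, while `module.image.image_ref` is the digest reference that the signatures and attestations are attached to; expose the digest ref (as a second output or instead) so that consumers can pin and verify by digest rather than by a tag that can be moved. Separately, `required_providers` here carries no version constraints; the `~>` ranges exist only in the parent `tekton/images/main.tf`.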
20 changes: 20 additions & 0 deletions tekton/images/ko/apko.yaml
@@ -0,0 +1,20 @@
contents:
packages:
- bash
- busybox
- git
- ko
- kustomize

entrypoint:
command: /bin/bash

accounts:
groups:
- groupname: nonroot
gid: 65532
users:
- username: nonroot
uid: 65532
gid: 65532
run-as: 65532
34 changes: 34 additions & 0 deletions tekton/images/ko/main.tf
@@ -0,0 +1,34 @@
terraform {
required_providers {
apko = {
source = "chainguard-dev/apko"
}
oci = {
source = "chainguard-dev/oci"
}
}
}

variable "target_repository" {
description = "The docker repo into which the image and attestations should be published."
}

module "image" {
source = "chainguard-dev/apko/publisher"
version = "0.0.9"

target_repository = var.target_repository
config = file("${path.module}/apko.yaml")
default_annotations = {
"org.opencontainers.image.url": "https://github.com/tektoncd/plumbing/tree/main/tekton/images/ko"
}
}

resource "oci_tag" "latest" {
digest_ref = module.image.image_ref
tag = "latest-wolfi"
}

output "image_ref" {
value = oci_tag.latest.tagged_ref
}
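Review bot: This file is identical to `ko-gcloud/main.tf` except for the path in `org.opencontainers.image.url`; a single shared module taking an image-name variable (and deriving the URL and the `config` path from it) would keep the publisher module version and the tag naming in one place as more Wolfi images are added.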
36 changes: 36 additions & 0 deletions tekton/images/main.tf
@@ -0,0 +1,36 @@
terraform {
required_providers {
oci = {
source = "chainguard-dev/oci"
version = "~> 0.0.10"
}
apko = {
source = "chainguard-dev/apko"
version = "~> 0.10.7"
}
}
}

provider "apko" {
extra_repositories = ["https://packages.wolfi.dev/os"]
extra_keyring = ["https://packages.wolfi.dev/os/wolfi-signing.rsa.pub"]
extra_packages = ["wolfi-baselayout"]
default_archs = ["x86_64", "aarch64"]
default_annotations = {
"org.opencontainers.image.authors" = "Tekton Authors <[email protected]>"
}
}

variable "target_repository" {
description = "The docker repo into which the image and attestations should be published."
}

module "ko" {
source = "./ko"
target_repository = "${var.target_repository}/ko"
}

module "ko-gcloud" {
source = "./ko-gcloud"
target_repository = "${var.target_repository}/ko-gcloud"
}
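Review bot: `extra_repositories` and `extra_keyring` pin the Wolfi repository and its signing key, which is the right place for them, but nothing here pins the packages themselves: each apply resolves the newest matching Wolfi packages, so two applies can produce different images. Committing the `.terraform.lock.hcl` from `init` pins the providers, and recording the resolved package list from each build would make a given image reproducible.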