diff --git a/.github/actions/build-push-kotsadm-image/action.yml b/.github/actions/build-push-kotsadm-image/action.yml
index 88942908fa..ae4e46a347 100644
--- a/.github/actions/build-push-kotsadm-image/action.yml
+++ b/.github/actions/build-push-kotsadm-image/action.yml
@@ -34,33 +34,33 @@ inputs: runs: using: "composite" steps: - - uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1 - with: - workload_identity_provider: ${{ inputs.chainguard-gcp-wif-pool }} - service_account: ${{ inputs.chainguard-gcp-sa }} - - - uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1 - with: - project_id: ${{ inputs.chainguard-gcp-project-id }} - - - name: setup packages gcsfuse - env: - BUCKET: replicated-apk-registry - shell: bash - run: | - # Set up a gcsfuse RO mount to the bucket containing private packages. This is a cheap and - # cheerful way to get access to objects we need, without having to fetch all of them. - mkdir -p /gcsfuse/apk-repo - gcsfuse -o ro --implicit-dirs --only-dir os ${BUCKET} /gcsfuse/apk-repo - - # Symlink the gcsfuse mount to ./packages/$arch/*.apk - mkdir -p ./packages/x86_64 - ln -s /gcsfuse/apk-repo/x86_64/*.apk ./packages/x86_64/ - - # Make a copy of the APKINDEX.* since we'll need to write to it on package builds - cp /gcsfuse/apk-repo/x86_64/APKINDEX.* ./packages/x86_64/ - - ls -lR ./packages/ + # - uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1 + # with: + # workload_identity_provider: ${{ inputs.chainguard-gcp-wif-pool }} + # service_account: ${{ inputs.chainguard-gcp-sa }} + + # - uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1 + # with: + # project_id: ${{ inputs.chainguard-gcp-project-id }} + + # - name: setup packages gcsfuse + # env: + # BUCKET: replicated-apk-registry + # shell: bash + # run: | + # # Set up a gcsfuse RO mount to the bucket containing private packages. This is a cheap and + # # cheerful way to get access to objects we need, without having to fetch all of them. 
+ # mkdir -p /gcsfuse/apk-repo + # gcsfuse -o ro --implicit-dirs --only-dir os ${BUCKET} /gcsfuse/apk-repo + + # # Symlink the gcsfuse mount to ./packages/$arch/*.apk + # mkdir -p ./packages/x86_64 + # ln -s /gcsfuse/apk-repo/x86_64/*.apk ./packages/x86_64/ + + # # Make a copy of the APKINDEX.* since we'll need to write to it on package builds + # cp /gcsfuse/apk-repo/x86_64/APKINDEX.* ./packages/x86_64/ + + # ls -lR ./packages/ - name: template melange and apko configs shell: bash diff --git a/.github/workflows/alpha.yaml b/.github/workflows/alpha.yaml index 98a02d9b1f..99394a5e37 100644 --- a/.github/workflows/alpha.yaml +++ b/.github/workflows/alpha.yaml @@ -210,7 +210,7 @@ jobs: id: scan uses: aquasecurity/trivy-action@master with: - image-ref: "rqlite/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}" + image-ref: "cgr.dev/chainguard/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}" format: 'template' template: '@/contrib/sarif.tpl' output: 'rqlite-scan-output.sarif' @@ -237,7 +237,7 @@ jobs: id: scan uses: aquasecurity/trivy-action@master with: - image-ref: "docker.io/minio/minio:${{ steps.dotenv.outputs.minio_tag }}" + image-ref: "cgr.dev/chainguard/minio:${{ steps.dotenv.outputs.minio_tag }}" format: 'template' template: '@/contrib/sarif.tpl' output: 'minio-scan-output.sarif' diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml index 42acbfac93..de5c8a098c 100644 --- a/.github/workflows/build-test.yaml +++ b/.github/workflows/build-test.yaml 
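Review bot: The GCP auth, setup-gcloud and gcsfuse steps are commented out rather than deleted, which leaves about thirty lines of dead configuration in the composite action. If the private APK bucket is no longer needed, delete the steps and, assuming the `chainguard-gcp-wif-pool`, `chainguard-gcp-sa` and `chainguard-gcp-project-id` inputs are still declared in the `inputs:` block above the hunk, remove those too so callers stop passing workload-identity details the action does not use. If the removal is temporary, a single comment such as `# TODO: restore once private packages are required again` would say so. The following step, `template melange and apko configs`, continues outside the hunk, so whether it still expects `./packages/x86_64` to exist cannot be confirmed from here.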
@@ -431,8 +431,8 @@ jobs: - name: push minio for e2e run: | - docker pull minio/minio:${{ steps.dotenv.outputs.minio_tag }} - docker tag minio/minio:${{ steps.dotenv.outputs.minio_tag }} ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.minio_tag }} + docker pull cgr.dev/chainguard/minio:${{ steps.dotenv.outputs.minio_tag }} + docker tag cgr.dev/chainguard/minio:${{ steps.dotenv.outputs.minio_tag }} ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.minio_tag }} docker push ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.minio_tag }} @@ -450,8 +450,8 @@ jobs: - name: push rqlite for CI run: | - docker pull rqlite/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }} - docker tag rqlite/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }} ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }} + docker pull cgr.dev/chainguard/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }} + docker tag cgr.dev/chainguard/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }} ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }} docker push ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }} @@ -469,7 +469,8 @@ jobs: - name: push dex for CI run: | - docker build --pull -f deploy/dex.Dockerfile -t ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }} --build-arg TAG=${{ steps.dotenv.outputs.DEX_TAG }} . + docker pull cgr.dev/chainguard/dex:${{ steps.dotenv.outputs.DEX_TAG }} + docker tag cgr.dev/chainguard/dex:${{ steps.dotenv.outputs.DEX_TAG }} ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }} docker push ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }} diff --git a/.image.env b/.image.env index cb5fd3bde3..9fc46832f8 100644 --- a/.image.env +++ b/.image.env 
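Review bot: The three `docker pull cgr.dev/chainguard/...` steps fetch by tag only and re-push the result to ttl.sh, so the job ships whatever the tag resolves to at run time. The tag lists added in cmd/imagedeps/main_test.go show one version published as `0.20231025`, `0.20231025.063325` and `0.20231025.063325-r0`, which suggests the short tag is a moving alias that is re-pointed on rebuilds. Consider recording the digest next to the tag in .image.env and pulling `cgr.dev/chainguard/minio@sha256:<digest>`, or verifying the image signature (for example with cosign) before the `docker tag`. The same applies to the `all-ttl.sh` and `build-release` targets in Makefile, the `skopeo copy` in migrations/Makefile and the `image:` fields in the rqlite manifests.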
@@ -1,8 +1,8 @@ # Generated file, do not modify. This file is generated from a text file containing a list of images. The # most recent tag is interpolated from the source repository and used to generate a fully qualified image # name. -MINIO_TAG='RELEASE.2023-11-11T08-14-41Z' +MINIO_TAG='0.20231025' RQLITE_TAG='7.21.4' -DEX_TAG='v2.37.0' +DEX_TAG='2.37.0' SCHEMAHERO_TAG='0.16.0' LVP_TAG='v0.5.5' \ No newline at end of file diff --git a/Makefile b/Makefile index b2c6216431..996d5f858f 100644 --- a/Makefile +++ b/Makefile @@ -1,8 +1,8 @@ include Makefile.build.mk CURRENT_USER := $(shell id -u -n) -MINIO_TAG ?= RELEASE.2023-11-11T08-14-41Z +MINIO_TAG ?= 0.20231025 RQLITE_TAG ?= 7.21.4 -DEX_TAG ?= v2.37.0 +DEX_TAG ?= 2.37.0 LVP_TAG ?= v0.5.5 define sendMetrics @@ -118,12 +118,12 @@ build-ttl.sh: build all-ttl.sh: build-ttl.sh source .image.env && IMAGE=ttl.sh/${CURRENT_USER}/kotsadm-migrations:24h make -C migrations build_schema - docker pull minio/minio:${MINIO_TAG} - docker tag minio/minio:${MINIO_TAG} ttl.sh/${CURRENT_USER}/minio:${MINIO_TAG} + docker pull cgr.dev/chainguard/minio:${MINIO_TAG} + docker tag cgr.dev/chainguard/minio:${MINIO_TAG} ttl.sh/${CURRENT_USER}/minio:${MINIO_TAG} docker push ttl.sh/${CURRENT_USER}/minio:${MINIO_TAG} - docker pull rqlite/rqlite:${RQLITE_TAG} - docker tag rqlite/rqlite:${RQLITE_TAG} ttl.sh/${CURRENT_USER}/rqlite:${RQLITE_TAG} + docker pull cgr.dev/chainguard/rqlite:${RQLITE_TAG} + docker tag cgr.dev/chainguard/rqlite:${RQLITE_TAG} ttl.sh/${CURRENT_USER}/rqlite:${RQLITE_TAG} docker push ttl.sh/${CURRENT_USER}/rqlite:${RQLITE_TAG} .PHONY: build-alpha 
@@ -136,13 +136,11 @@ build-release: mkdir -p bin/docker-archive/kotsadm skopeo copy docker://kotsadm/kotsadm:${GIT_TAG} docker-archive:bin/docker-archive/kotsadm/${GIT_TAG} - docker build --pull -f deploy/dex.Dockerfile -t kotsadm/dex:${DEX_TAG} --build-arg TAG=${DEX_TAG} . - docker push kotsadm/dex:${DEX_TAG} mkdir -p bin/docker-archive/dex - skopeo copy docker://kotsadm/dex:${DEX_TAG} docker-archive:bin/docker-archive/dex/${DEX_TAG} + skopeo copy docker://cgr.dev/chainguard/dex:${DEX_TAG} docker-archive:bin/docker-archive/dex/${DEX_TAG} mkdir -p bin/docker-archive/minio - skopeo copy docker://minio/minio:${MINIO_TAG} docker-archive:bin/docker-archive/minio/${MINIO_TAG} + skopeo copy docker://cgr.dev/chainguard/minio:${MINIO_TAG} docker-archive:bin/docker-archive/minio/${MINIO_TAG} mkdir -p bin/docker-archive/local-volume-provider skopeo copy docker://replicated/local-volume-provider:${LVP_TAG} docker-archive:bin/docker-archive/local-volume-provider/${LVP_TAG} diff --git a/cmd/imagedeps/README.md b/cmd/imagedeps/README.md index 8962ea024d..33a292f66e 100644 --- a/cmd/imagedeps/README.md +++ b/cmd/imagedeps/README.md 
@@ -20,27 +20,27 @@ is useful to restrict release tags to a major version, or to filter out garbage | Name | Image URI | Matcher Regexp (Optional) | |------|--------------------|----------| -| Name of the image for example **minio** | Untagged image reference **ghcr.io/dexidp/dex**| An optional regular expression, only matching tags will be included. | +| Name of the image for example **minio** | Untagged image reference **cgr.dev/chainguard/minio**| An optional regular expression, only matching tags will be included. | ### Sample image-spec ```text -minio minio/minio -rqlite rqlite/rqlite -dex ghcr.io/dexidp/dex +minio cgr.dev/chainguard/minio +rqlite cgr.dev/chainguard/rqlite +dex cgr.dev/chainguard/dex ``` The preceding image spec will produce the following environment and Go files. ```shell -MINIO_TAG='RELEASE.2021-09-15T04-54-25Z' -RQLITE_TAG='7.7.0' +MINIO_TAG='0.20231025' +RQLITE_TAG='7.21.4' DEX_TAG='v2.30.0' ``` ```go package image const ( - Minio = "minio/minio:RELEASE.2021-09-15T04-54-25Z" - Rqlite = "rqlite/rqlite:7.7.0" - Dex = "ghcr.io/dexidp/dex:v2.30.0" + Minio = "cgr.dev/chainguard/minio:0.20231025" + Rqlite = "cgr.dev/chainguard/rqlite:7.21.4" + Dex = "cgr.dev/chainguard/dex:2.30.0" ) ``` diff --git a/cmd/imagedeps/image-spec b/cmd/imagedeps/image-spec index 66a0ae252a..010f9209c7 100644 --- a/cmd/imagedeps/image-spec +++ b/cmd/imagedeps/image-spec @@ -1,5 +1,5 @@ -minio minio/minio -rqlite rqlite/rqlite ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$ -dex ghcr.io/dexidp/dex +minio cgr.dev/chainguard/minio ^\b0\.\d+\b$ +rqlite cgr.dev/chainguard/rqlite ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$ +dex cgr.dev/chainguard/dex ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$ schemahero schemahero/schemahero ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$ lvp replicated/local-volume-provider ^v([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$ \ No newline at end of file 
diff --git a/cmd/imagedeps/main_test.go b/cmd/imagedeps/main_test.go index e1ac5eb665..713addb013 100644 --- a/cmd/imagedeps/main_test.go +++ b/cmd/imagedeps/main_test.go @@ -12,16 +12,72 @@ import ( "github.com/stretchr/testify/require" ) -var releaseTags = []string{ - "RELEASE.2022-06-11T19-55-32Z.fips", - "RELEASE.2021-09-09T21-37-06Z.xxx", - "RELEASE.2021-09-09T21-37-05Z", - "RELEASE.2021-09-09T21-37-04Z", -} -var semVerTags = []string{ - "0.12.7", "0.12.6", "0.12.5", - "0.12.4", "0.12.3", "0.12.2", -} +var ( + minioTags = []string{ + "sha256-00428f99c05677c91ad393c3017376e800d601708baa36e51091df3b9a67b324.att", + "latest-dev", + "latest", + "0.20231025.063325-r0-dev", + "0.20231025.063325-r0", + "0.20231025.063325-dev", + "0.20231025.063325", + "0.20231025-dev", + "0.20231025", + "0.20230904.195737-r1-dev", + "0.20230904.195737-r1", + "0.20230904.195737-dev", + "0.20230904.195737", + "0.20230904-dev", + "0.20230904", + "0-dev", + "0", + } + + schemaheroTags = []string{ + "0.13.2", + "0.13.1", + "0.12.7", + "0.12.2", + } + + rqliteTags = []string{ + "sha256-00122e405b3fa3b5105b0468f1fb72dcb32474968a971c45906a702120d55b58.att", + "latest-dev", + "latest", + "7", + "7-dev", + "7.7.0", + "7.7.0-dev", + "7.7.0-r2", + "7.7.0-r2-dev", + "7.6.2", + "7.6.1", + "7.6.0", + "6.10.2", + "6.10.1", + "6.8.2", + } + + dexTags = []string{ + "sha256-002adc734b3d83bb6be291b49eb8f3f95b905c411d404c2f4b52a759140739c9.att", + "latest-dev", + "latest", + "2.37.0", + "2.37.0-r3-dev", + "2.37.0-r3", + "2.37.0-dev", + "2.36.0", + "2.35.3", + "2.35.2", + "2.35.1", + } + + lvpTags = []string{ + "v0.3.3", + "v0.3.2", + "v0.3.1", + } +) func makeReleases(tags []string) []*github.RepositoryRelease { var releases []*github.RepositoryRelease 
@@ -46,29 +102,21 @@ func TestFunctional(t *testing.T) { expectError bool }{ { - name: "basic", + name: "minio", fn: getTagFinder( - withGithubReleaseTagFinder( - func(_ string, _ string) ([]*github.RepositoryRelease, error) { - return makeReleases(releaseTags), nil + withRepoGetTags( + func(_ string) ([]string, error) { + return minioTags, nil }, ), ), }, { - name: "with-overrides", + name: "schemahero", fn: getTagFinder( withRepoGetTags( func(_ string) ([]string, error) { - return []string{ - "0.13.2", "0.13.1", - "0.12.7", "0.12.2", - }, nil - }, - ), - withGithubReleaseTagFinder( - func(_ string, _ string) ([]*github.RepositoryRelease, error) { - return makeReleases(releaseTags), nil + return schemaheroTags, nil }, ), ), @@ -82,30 +130,17 @@ func TestFunctional(t *testing.T) { fn: getTagFinder( withRepoGetTags( func(_ string) ([]string, error) { - return []string{ - "7.7.0", "7.6.1", "7.6.0", - "6.10.2", "6.10.1", "6.8.2", - }, nil - }, - ), - ), - }, - { - name: "filter-github", - fn: getTagFinder( - withGithubReleaseTagFinder( - func(_ string, _ string) ([]*github.RepositoryRelease, error) { - return makeReleases(releaseTags), nil + return rqliteTags, nil }, ), ), }, { - name: "schemahero", + name: "dex", fn: getTagFinder( withRepoGetTags( func(_ string) ([]string, error) { - return semVerTags, nil + return dexTags, nil }, ), ), @@ -115,9 +150,7 @@ func TestFunctional(t *testing.T) { fn: getTagFinder( withRepoGetTags( func(_ string) ([]string, error) { - return []string{ - "v0.3.3", - }, nil + return lvpTags, nil }, ), ), diff --git a/cmd/imagedeps/tag-finder.go b/cmd/imagedeps/tag-finder.go index eac106a303..1d97be31ea 100644 --- a/cmd/imagedeps/tag-finder.go +++ b/cmd/imagedeps/tag-finder.go @@ -2,7 +2,9 @@ package main import ( "context" + "encoding/json" "fmt" + "io" "net/http" "os" "path" 
@@ -13,6 +15,7 @@ import ( semver "github.com/Masterminds/semver/v3" "github.com/google/go-github/v39/github" "github.com/heroku/docker-registry-client/registry" + "github.com/pkg/errors" "golang.org/x/oauth2" ) @@ -119,17 +122,17 @@ func getTagFinder(opts ...func(c *configuration)) tagFinderFn { switch imageName { case minioReference: - latestReleaseTag, err = getLatestTagFromGithub(config.releaseFinder, "minio", "minio", matcherFn) + latestReleaseTag, err = getLatestTagFromRegistry("cgr.dev/chainguard/minio", config.repositoryTagsFinder, matcherFn) if err != nil { - return nil, fmt.Errorf("failed to get release tag for minio/minio %w", err) + return nil, fmt.Errorf("failed to get release tag for %s %w", imageName, err) } case dexReference: - latestReleaseTag, err = getLatestTagFromGithub(config.releaseFinder, "dexidp", "dex", matcherFn) + latestReleaseTag, err = getLatestTagFromRegistry("cgr.dev/chainguard/dex", config.repositoryTagsFinder, matcherFn) if err != nil { - return nil, fmt.Errorf("failed to get release tag for dexidp/dex %w", err) + return nil, fmt.Errorf("failed to get release tag for %s %w", imageName, err) } case rqliteReference: - latestReleaseTag, err = getLatestTagFromRegistry("rqlite/rqlite", config.repositoryTagsFinder, matcherFn) + latestReleaseTag, err = getLatestTagFromRegistry("cgr.dev/chainguard/rqlite", config.repositoryTagsFinder, matcherFn) if err != nil { return nil, fmt.Errorf("failed to get release tag for %s %w", imageName, err) } 
@@ -256,21 +259,120 @@ func getReleases(owner, repo string) ([]*github.RepositoryRelease, error) { // getRegistryTags queries a Docker Registry HTTP API V2 compliant registry to get the tags for an image. func getRegistryTags(untaggedRef string) ([]string, error) { + parts := strings.Split(untaggedRef, "/") + + if len(parts) > 0 && parts[0] == "cgr.dev" { + // this is chainguard's registry and it only accepts a token (not username/password) + token, err := getCGRToken(untaggedRef) + if err != nil { + return nil, fmt.Errorf("could not get cgr token %w", err) + } + tags, err := getCGRImageTags(untaggedRef, token) + if err != nil { + return nil, fmt.Errorf("could not get tags from cgr %w", err) + } + return tags, nil + } + registryUri := dockerRegistryUrl imageRef := untaggedRef userName, password := "", "" - parts := strings.Split(untaggedRef, "/") + if len(parts) > 2 { registryUri = fmt.Sprintf("https://%s", parts[0]) imageRef = path.Join(parts[1:]...) } + hub, err := registry.New(registryUri, userName, password) if err != nil { return nil, fmt.Errorf("could not connect to registry %q %w", registryUri, err) } + tags, err := hub.Tags(imageRef) if err != nil { return nil, fmt.Errorf("could not fetch tags for image %q %w", imageRef, err) } + return tags, nil } + +func getCGRToken(untaggedRef string) (string, error) { + parts := strings.Split(untaggedRef, "/") + if len(parts) < 2 { + return "", fmt.Errorf("invalid ref %q", untaggedRef) + } + + repo := strings.Join(parts[1:], "/") + scope := fmt.Sprintf("repository:%s:pull", repo) + url := fmt.Sprintf("https://cgr.dev/token?scope=%s", scope) + + resp, err := http.Get(url) + if err != nil { + return "", errors.Wrap(err, "failed to get token") + } + defer resp.Body.Close() + + body, err := io.ReadAll(resp.Body) + if err != nil { + return "", fmt.Errorf("failed to read body %w", err) + } + + if resp.StatusCode != http.StatusOK { + return "", fmt.Errorf("failed to get token: %s", body) + } + + var token struct { + Token 
string `json:"token"` + } + if err := json.Unmarshal(body, &token); err != nil { + return "", fmt.Errorf("failed to unmarshal body %w", err) + } + + return token.Token, nil +} + +func getCGRImageTags(untaggedRef string, token string) ([]string, error) { + parts := strings.Split(untaggedRef, "/") + if len(parts) < 2 { + return nil, fmt.Errorf("invalid ref %q", untaggedRef) + } + + repo := strings.Join(parts[1:], "/") + url := fmt.Sprintf("https://cgr.dev/v2/%s/tags/list", repo) + + req, err := http.NewRequest("GET", url, nil) + if err != nil { + return nil, fmt.Errorf("failed to create request %w", err) + } + + req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token)) + + resp, err := http.DefaultClient.Do(req) + if err != nil { + return nil, errors.Wrap(err, "failed to get tags") + } + + body, err := io.ReadAll(resp.Body) + if err != nil { + return nil, fmt.Errorf("failed to read body %w", err) + } + + if resp.StatusCode != http.StatusOK { + return nil, fmt.Errorf("failed to get tags: %s", body) + } + + var tags struct { + Tags []string `json:"tags"` + } + if err := json.Unmarshal(body, &tags); err != nil { + return nil, fmt.Errorf("failed to unmarshal body %w", err) + } + + // reverse array order so that most recent is first + for i := len(tags.Tags)/2 - 1; i >= 0; i-- { + opp := len(tags.Tags) - 1 - i + tags.Tags[i], tags.Tags[opp] = tags.Tags[opp], tags.Tags[i] + } + + return tags.Tags, nil +} diff --git a/cmd/imagedeps/testdata/basic/input-spec b/cmd/imagedeps/testdata/basic/input-spec deleted file mode 100644 index 7c0313fd1f..0000000000 --- a/cmd/imagedeps/testdata/basic/input-spec +++ /dev/null @@ -1 +0,0 @@ -minio minio/minio \ No newline at end of file diff --git a/cmd/imagedeps/testdata/filter-github/.image.env b/cmd/imagedeps/testdata/dex/.image.env similarity index 83% rename from cmd/imagedeps/testdata/filter-github/.image.env rename to cmd/imagedeps/testdata/dex/.image.env index 1055c8ca12..3077a28796 100644 
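Review bot: `getCGRImageTags` never closes `resp.Body`; `getCGRToken` has `defer resp.Body.Close()` after its error check and the same line is needed after `http.DefaultClient.Do(req)` succeeds. Both helpers also go through `http.Get` / `http.DefaultClient`, which have no timeout, so a stalled registry hangs the generator; a shared `&http.Client{Timeout: 30 * time.Second}` would bound that (`time` may need importing, the import block is only partly visible). The whole response is read with `io.ReadAll` and echoed into the error on a non-200 status, so wrapping the body in `io.LimitReader` would keep an unexpected response from filling memory or logs. The hunk mixes `errors.Wrap` with `fmt.Errorf("... %w", err)`; using the latter throughout would make the new `github.com/pkg/errors` import unnecessary.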
--- a/cmd/imagedeps/testdata/filter-github/.image.env +++ b/cmd/imagedeps/testdata/dex/.image.env @@ -1,4 +1,4 @@ # Generated file, do not modify. This file is generated from a text file containing a list of images. The # most recent tag is interpolated from the source repository and used to generate a fully qualified image # name. -MINIO_TAG='RELEASE.2021-09-09T21-37-06Z.xxx' \ No newline at end of file +DEX_TAG='2.37.0' \ No newline at end of file diff --git a/cmd/imagedeps/testdata/filter-github/constants.go b/cmd/imagedeps/testdata/dex/constants.go similarity index 81% rename from cmd/imagedeps/testdata/filter-github/constants.go rename to cmd/imagedeps/testdata/dex/constants.go index 4c28919a57..4537788f47 100644 --- a/cmd/imagedeps/testdata/filter-github/constants.go +++ b/cmd/imagedeps/testdata/dex/constants.go @@ -5,5 +5,5 @@ package image // image name. const ( - Minio = "minio/minio:RELEASE.2021-09-09T21-37-06Z.xxx" + Dex = "cgr.dev/chainguard/dex:2.37.0" ) diff --git a/cmd/imagedeps/testdata/dex/input-spec b/cmd/imagedeps/testdata/dex/input-spec new file mode 100644 index 0000000000..5a572f7155 --- /dev/null +++ b/cmd/imagedeps/testdata/dex/input-spec @@ -0,0 +1 @@ +dex cgr.dev/chainguard/dex ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$ \ No newline at end of file diff --git a/cmd/imagedeps/testdata/filter-github/input-spec b/cmd/imagedeps/testdata/filter-github/input-spec deleted file mode 100644 index 80c831f8a5..0000000000 --- a/cmd/imagedeps/testdata/filter-github/input-spec +++ /dev/null @@ -1 +0,0 @@ -minio minio/minio xxx$ \ No newline at end of file diff --git a/cmd/imagedeps/testdata/basic/.image.env b/cmd/imagedeps/testdata/minio/.image.env similarity index 83% rename from cmd/imagedeps/testdata/basic/.image.env rename to cmd/imagedeps/testdata/minio/.image.env index 2999afe7b5..f6889ebf78 100644 --- a/cmd/imagedeps/testdata/basic/.image.env +++ b/cmd/imagedeps/testdata/minio/.image.env 
@@ -1,4 +1,4 @@ # Generated file, do not modify. This file is generated from a text file containing a list of images. The # most recent tag is interpolated from the source repository and used to generate a fully qualified image # name. -MINIO_TAG='RELEASE.2022-06-11T19-55-32Z.fips' \ No newline at end of file +MINIO_TAG='0.20231025' \ No newline at end of file diff --git a/cmd/imagedeps/testdata/basic/constants.go b/cmd/imagedeps/testdata/minio/constants.go similarity index 81% rename from cmd/imagedeps/testdata/basic/constants.go rename to cmd/imagedeps/testdata/minio/constants.go index 240e8c0597..84cab60909 100644 --- a/cmd/imagedeps/testdata/basic/constants.go +++ b/cmd/imagedeps/testdata/minio/constants.go @@ -5,5 +5,5 @@ package image // image name. const ( - Minio = "minio/minio:RELEASE.2022-06-11T19-55-32Z.fips" + Minio = "cgr.dev/chainguard/minio:0.20231025" ) diff --git a/cmd/imagedeps/testdata/minio/input-spec b/cmd/imagedeps/testdata/minio/input-spec new file mode 100644 index 0000000000..a400f05af7 --- /dev/null +++ b/cmd/imagedeps/testdata/minio/input-spec @@ -0,0 +1 @@ +minio cgr.dev/chainguard/minio ^\b0\.\d+\b$ \ No newline at end of file diff --git a/cmd/imagedeps/testdata/rqlite/constants.go b/cmd/imagedeps/testdata/rqlite/constants.go index ab99db1066..872adeba02 100644 --- a/cmd/imagedeps/testdata/rqlite/constants.go +++ b/cmd/imagedeps/testdata/rqlite/constants.go @@ -5,5 +5,5 @@ package image // image name. const ( - Rqlite = "rqlite/rqlite:7.7.0" + Rqlite = "cgr.dev/chainguard/rqlite:7.7.0" ) diff --git a/cmd/imagedeps/testdata/rqlite/input-spec b/cmd/imagedeps/testdata/rqlite/input-spec index c4772a98f3..fc65a896c9 100644 --- a/cmd/imagedeps/testdata/rqlite/input-spec +++ b/cmd/imagedeps/testdata/rqlite/input-spec @@ -1 +1 @@ -rqlite rqlite/rqlite ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$ +rqlite cgr.dev/chainguard/rqlite ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$ 
diff --git a/cmd/imagedeps/testdata/schemahero/.image.env b/cmd/imagedeps/testdata/schemahero/.image.env index 931c6000ca..4615bd4e65 100644 --- a/cmd/imagedeps/testdata/schemahero/.image.env +++ b/cmd/imagedeps/testdata/schemahero/.image.env @@ -1,4 +1,4 @@ # Generated file, do not modify. This file is generated from a text file containing a list of images. The # most recent tag is interpolated from the source repository and used to generate a fully qualified image # name. -SCHEMAHERO_TAG='0.12.7' \ No newline at end of file +SCHEMAHERO_TAG='0.13.2' \ No newline at end of file diff --git a/cmd/imagedeps/testdata/schemahero/constants.go b/cmd/imagedeps/testdata/schemahero/constants.go index 50a8eca1f2..3b8bc02ce8 100644 --- a/cmd/imagedeps/testdata/schemahero/constants.go +++ b/cmd/imagedeps/testdata/schemahero/constants.go @@ -5,5 +5,5 @@ package image // image name. const ( - Schemahero = "schemahero/schemahero:0.12.7" + Schemahero = "schemahero/schemahero:0.13.2" ) diff --git a/cmd/imagedeps/testdata/with-overrides/replacers/expected/test.Dockerfile b/cmd/imagedeps/testdata/schemahero/replacers/expected/test.Dockerfile similarity index 100% rename from cmd/imagedeps/testdata/with-overrides/replacers/expected/test.Dockerfile rename to cmd/imagedeps/testdata/schemahero/replacers/expected/test.Dockerfile diff --git a/cmd/imagedeps/testdata/with-overrides/replacers/expected/test.mk b/cmd/imagedeps/testdata/schemahero/replacers/expected/test.mk similarity index 100% rename from cmd/imagedeps/testdata/with-overrides/replacers/expected/test.mk rename to cmd/imagedeps/testdata/schemahero/replacers/expected/test.mk diff --git a/cmd/imagedeps/testdata/with-overrides/replacers/input/test.Dockerfile b/cmd/imagedeps/testdata/schemahero/replacers/input/test.Dockerfile similarity index 100% rename from cmd/imagedeps/testdata/with-overrides/replacers/input/test.Dockerfile rename to cmd/imagedeps/testdata/schemahero/replacers/input/test.Dockerfile 
diff --git a/cmd/imagedeps/testdata/with-overrides/replacers/input/test.mk b/cmd/imagedeps/testdata/schemahero/replacers/input/test.mk similarity index 100% rename from cmd/imagedeps/testdata/with-overrides/replacers/input/test.mk rename to cmd/imagedeps/testdata/schemahero/replacers/input/test.mk diff --git a/cmd/imagedeps/testdata/with-overrides/.image.env b/cmd/imagedeps/testdata/with-overrides/.image.env deleted file mode 100644 index f8ab2a50cc..0000000000 --- a/cmd/imagedeps/testdata/with-overrides/.image.env +++ /dev/null @@ -1,5 +0,0 @@ -# Generated file, do not modify. This file is generated from a text file containing a list of images. The -# most recent tag is interpolated from the source repository and used to generate a fully qualified image -# name. -MINIO_TAG='RELEASE.2022-06-11T19-55-32Z.fips' -SCHEMAHERO_TAG='0.13.2' \ No newline at end of file diff --git a/cmd/imagedeps/testdata/with-overrides/constants.go b/cmd/imagedeps/testdata/with-overrides/constants.go deleted file mode 100644 index 99df410f88..0000000000 --- a/cmd/imagedeps/testdata/with-overrides/constants.go +++ /dev/null @@ -1,10 +0,0 @@ -package image - -// Generated file, do not modify. This file is generated from a text file containing a list of images. The -// most recent tag is interpolated from the source repository and used to generate a fully qualified -// image name. - -const ( - Minio = "minio/minio:RELEASE.2022-06-11T19-55-32Z.fips" - Schemahero = "schemahero/schemahero:0.13.2" -) diff --git a/cmd/imagedeps/testdata/with-overrides/input-spec b/cmd/imagedeps/testdata/with-overrides/input-spec deleted file mode 100644 index b2a4505a31..0000000000 --- a/cmd/imagedeps/testdata/with-overrides/input-spec +++ /dev/null @@ -1,2 +0,0 @@ -minio minio/minio -schemahero schemahero/schemahero ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$ diff --git a/deploy/dex.Dockerfile b/deploy/dex.Dockerfile deleted file mode 100644 index 7db7f0ff67..0000000000 
--- a/deploy/dex.Dockerfile +++ /dev/null @@ -1,2 +0,0 @@ -ARG TAG=v2.32.0 -FROM ghcr.io/dexidp/dex:$TAG diff --git a/deploy/kurl/kotsadm/template/base/Manifest b/deploy/kurl/kotsadm/template/base/Manifest index 0e57a590cf..96288a8624 100644 --- a/deploy/kurl/kotsadm/template/base/Manifest +++ b/deploy/kurl/kotsadm/template/base/Manifest @@ -1,7 +1,7 @@ image kotsadm-migrations __KOTSADM_MIGRATIONS_IMAGE__ image kotsadm __KOTSADM_IMAGE__ image kurl-proxy __KURL_PROXY_IMAGE__ -image rqlite rqlite/rqlite:__RQLITE_TAG__ +image rqlite cgr.dev/chainguard/rqlite:__RQLITE_TAG__ image dex __DEX_IMAGE__ asset kots.tar.gz __KOTSADM_BINARY__ diff --git a/deploy/kurl/kotsadm/template/base/rqlite.yaml b/deploy/kurl/kotsadm/template/base/rqlite.yaml index 2a78dd37b1..fda73ceae3 100644 --- a/deploy/kurl/kotsadm/template/base/rqlite.yaml +++ b/deploy/kurl/kotsadm/template/base/rqlite.yaml @@ -50,7 +50,7 @@ spec: - kotsadm-rqlite topologyKey: "kubernetes.io/hostname" containers: - - image: rqlite/rqlite:__RQLITE_TAG__ + - image: cgr.dev/chainguard/rqlite:__RQLITE_TAG__ name: rqlite args: - -disco-mode=dns diff --git a/integration/database/rqlite_migration_test.go b/integration/database/rqlite_migration_test.go index 78765e0032..f8ba823e71 100644 --- a/integration/database/rqlite_migration_test.go +++ b/integration/database/rqlite_migration_test.go @@ -71,7 +71,7 @@ func TestMigrateFromPostgresToRqlite(t *testing.T) { rqliteTag, _ := image.GetTag(image.Rqlite) rqliteRunOptions := &dockertest.RunOptions{ Name: "rqlite", - Repository: "rqlite/rqlite", + Repository: "cgr.dev/chainguard/rqlite", Tag: rqliteTag, Mounts: []string{ fmt.Sprintf("%s:/auth/config.json", rqliteAuthConfigPath), diff --git a/migrations/Makefile b/migrations/Makefile index 011acb5480..ebdfc43d85 100644 --- a/migrations/Makefile +++ b/migrations/Makefile 
@@ -13,7 +13,7 @@ schema-release: build_schema mkdir -p bin/docker-archive/${PROJECT_NAME} skopeo copy docker-daemon:kotsadm/${PROJECT_NAME}:${GIT_TAG} docker-archive:bin/docker-archive/${PROJECT_NAME}/${GIT_TAG} mkdir -p bin/docker-archive/rqlite - skopeo copy docker://rqlite/rqlite:${RQLITE_TAG} docker-archive:bin/docker-archive/rqlite/${RQLITE_TAG} + skopeo copy docker://cgr.dev/chainguard/rqlite:${RQLITE_TAG} docker-archive:bin/docker-archive/rqlite/${RQLITE_TAG} build_schema: docker build --pull --build-arg SCHEMAHERO_TAG=${SCHEMAHERO_TAG} -f deploy/Dockerfile -t ${IMAGE} . diff --git a/migrations/kustomize/overlays/dev/rqlite.yaml b/migrations/kustomize/overlays/dev/rqlite.yaml index 3014cb5c0c..bb2a830557 100644 --- a/migrations/kustomize/overlays/dev/rqlite.yaml +++ b/migrations/kustomize/overlays/dev/rqlite.yaml @@ -59,7 +59,7 @@ spec: spec: containers: - name: rqlite - image: rqlite/rqlite:7.9.2 + image: cgr.dev/chainguard/rqlite:7.21.4 imagePullPolicy: IfNotPresent args: - -disco-mode=dns diff --git a/migrations/kustomize/overlays/okteto/rqlite.yaml b/migrations/kustomize/overlays/okteto/rqlite.yaml index 3014cb5c0c..bb2a830557 100644 --- a/migrations/kustomize/overlays/okteto/rqlite.yaml +++ b/migrations/kustomize/overlays/okteto/rqlite.yaml @@ -59,7 +59,7 @@ spec: spec: containers: - name: rqlite - image: rqlite/rqlite:7.9.2 + image: cgr.dev/chainguard/rqlite:7.21.4 imagePullPolicy: IfNotPresent args: - -disco-mode=dns diff --git a/pkg/identity/deploy/deploy.go b/pkg/identity/deploy/deploy.go index b7b050a2b8..6a9cf2f853 100644 --- a/pkg/identity/deploy/deploy.go +++ b/pkg/identity/deploy/deploy.go @@ -376,7 +376,7 @@ func deploymentResource(issuerURL, configChecksum string, options Options) (*app if err != nil { return nil, err } - image := fmt.Sprintf("kotsadm/dex:%s", dexVersion) + image := fmt.Sprintf("cgr.dev/chainguard/dex:%s", dexVersion) imagePullSecrets := []corev1.LocalObjectReference{} if options.ImageRewriteFn != nil { var err error 
diff --git a/pkg/image/constants.go b/pkg/image/constants.go index f1b491f53d..fa48efe0c2 100644 --- a/pkg/image/constants.go +++ b/pkg/image/constants.go @@ -5,9 +5,9 @@ package image // image name. const ( - Minio = "minio/minio:RELEASE.2023-11-11T08-14-41Z" - Rqlite = "rqlite/rqlite:7.21.4" - Dex = "ghcr.io/dexidp/dex:v2.37.0" + Minio = "cgr.dev/chainguard/minio:0.20231025" + Rqlite = "cgr.dev/chainguard/rqlite:7.21.4" + Dex = "cgr.dev/chainguard/dex:2.37.0" Schemahero = "schemahero/schemahero:0.16.0" Lvp = "replicated/local-volume-provider:v0.5.5" ) diff --git a/pkg/image/minio.go b/pkg/image/minio.go index 2db1eb774f..d7519265f9 100644 --- a/pkg/image/minio.go +++ b/pkg/image/minio.go @@ -36,6 +36,9 @@ func GetMinioImage(clientset kubernetes.Interface, kotsadmNamespace string) (str if strings.Contains(container.Image, "minio/minio:RELEASE.") { return container.Image, nil } + if strings.Contains(container.Image, "cgr.dev/chainguard/minio:0.") { + return container.Image, nil + } } return "", nil diff --git a/pkg/kotsadm/minio.go b/pkg/kotsadm/minio.go index 7385b989e9..86f21f957e 100644 --- a/pkg/kotsadm/minio.go +++ b/pkg/kotsadm/minio.go @@ -25,6 +25,7 @@ import ( ) var ( + MinioCGRImageTagRegexp = regexp.MustCompile(`:0\.\d+`) MinioImageTagDateRegexp = regexp.MustCompile(`RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)`) // MigrateToMinioXlBeforeTime is the time that the minio version was released that removed the legacy backend // that we need to migrate from: https://github.com/minio/minio/releases/tag/RELEASE.2022-10-29T06-21-33Z 
@@ -393,6 +394,12 @@ func IsMinioXlMigrationNeeded(clientset kubernetes.Interface, namespace string)
 // imageNeedsMinioXlMigration returns true if the minio image is older than the migrate before time (2022-10-29T06-21-33Z).
 func imageNeedsMinioXlMigration(minioImage string) (bool, error) {
+ isCGRImage := len(MinioCGRImageTagRegexp.FindStringSubmatch(minioImage)) > 0
+ if isCGRImage {
+ // chainguard minio images are all new and don't need to be migrated
+ return false, nil
+ }
+
 existingImageTagDateMatch := MinioImageTagDateRegexp.FindStringSubmatch(minioImage)
 if len(existingImageTagDateMatch) != 2 {
 return false, errors.New("failed to parse existing image tag date")
diff --git a/pkg/kotsadm/minio_test.go b/pkg/kotsadm/minio_test.go
index f10fec56b1..c678b81d9c 100644
--- a/pkg/kotsadm/minio_test.go
+++ b/pkg/kotsadm/minio_test.go
@@ -91,6 +91,13 @@ func Test_IsMinioXlMigrationNeeded(t *testing.T) {
 wantMinioImage: "minio/minio:RELEASE.2023-02-10T18-48-39Z",
 wantErr: false,
 },
+ {
+ name: "should not migrate cgr image",
+ clientset: fake.NewSimpleClientset(minioStsWithImage("cgr.dev/chainguard/minio:0.20231025")),
+ wantMigration: false,
+ wantMinioImage: "cgr.dev/chainguard/minio:0.20231025",
+ wantErr: false,
+ },
 {
 name: "should not migrate if no minio",
 clientset: fake.NewSimpleClientset(),
diff --git a/pkg/kotsadm/objects/images.go b/pkg/kotsadm/objects/images.go
index 1d097d2611..2093624157 100644
--- a/pkg/kotsadm/objects/images.go
+++ b/pkg/kotsadm/objects/images.go
@@ -18,9 +18,9 @@ func GetAdminConsoleImages(deployOptions types.DeployOptions) map[string]string
 rqliteTag, _ := image.GetTag(image.Rqlite)
 dexTag, _ := image.GetTag(image.Dex)
- minioImage := fmt.Sprintf("minio/minio:%s", minioTag)
- rqliteImage := fmt.Sprintf("rqlite/rqlite:%s", rqliteTag)
- dexImage := fmt.Sprintf("kotsadm/dex:%s", dexTag)
+ minioImage := fmt.Sprintf("cgr.dev/chainguard/minio:%s", minioTag)
+ rqliteImage := fmt.Sprintf("cgr.dev/chainguard/rqlite:%s", rqliteTag)
+ dexImage := fmt.Sprintf("cgr.dev/chainguard/dex:%s", dexTag)
 if s := kotsadmversion.KotsadmPullSecret(deployOptions.Namespace, deployOptions.RegistryConfig); s != nil {
 minioImage = fmt.Sprintf("%s/minio:%s", kotsadmversion.KotsadmRegistry(deployOptions.RegistryConfig), minioTag)
@@ -43,12 +43,11 @@ func GetAdminConsoleImages(deployOptions types.DeployOptions) map[string]string
 }
 func GetOriginalAdminConsoleImages(deployOptions types.DeployOptions) map[string]string {
- dexTag, _ := image.GetTag(image.Dex) // dex image is special; we host a copy
 return map[string]string{
 "kotsadm-migrations": fmt.Sprintf("kotsadm/kotsadm-migrations:%s", kotsadmversion.KotsadmTag(deployOptions.RegistryConfig)),
 "kotsadm": fmt.Sprintf("kotsadm/kotsadm:%s", kotsadmversion.KotsadmTag(deployOptions.RegistryConfig)),
 "minio": image.Minio,
 "rqlite": image.Rqlite,
- "dex": fmt.Sprintf("kotsadm/dex:%s", dexTag),
+ "dex": image.Dex,
 }
 }
diff --git a/pkg/snapshot/filesystem_minio.go b/pkg/snapshot/filesystem_minio.go
index cfebe071bd..04ce36b074 100644
--- a/pkg/snapshot/filesystem_minio.go
+++ b/pkg/snapshot/filesystem_minio.go
@@ -269,7 +269,7 @@ func fileSystemMinioDeploymentResource(clientset kubernetes.Interface, secretChe
 if err != nil {
 return nil, errors.Wrap(err, "failed to get minio image tag")
 }
- minioImage := fmt.Sprintf("minio/minio:%s", minioTag)
+ minioImage := fmt.Sprintf("cgr.dev/chainguard/minio:%s", minioTag)
 imagePullSecrets := []corev1.LocalObjectReference{}
 isKurl, err := kurl.IsKurl(clientset)