Use Chainguard's minio, rqlite, and dex images (#4191)

* Use Chainguard's minio, rqlite, and dex images * fix needs field * explicitly expose 4001 port for rqlite integration test * build alpha tag via chainguard as well * fix minio command * fix needs field * remove /bin/sh from minio command * remove /bin/sh from minio import script * use -dev chainguard minio image because it includes a shell * no /usr/bin/docker-entrypoint.sh in chainguard's -dev image * test with latest-dev minio tag temporarily * test latest-dev * update sts command on upgrade * use 0.20231101-dev
replicatedhq · Dec 4, 2023 · ad7d0ea · ad7d0ea
1 parent fa8e0ac
commit ad7d0ea
Show file tree

Hide file tree

Showing 43 changed files with 296 additions and 168 deletions.
diff --git a/.github/workflows/alpha.yaml b/.github/workflows/alpha.yaml
@@ -96,7 +96,7 @@ jobs:
         path: ./kurl_proxy/bin
 
 
-  build_go_api:
+  build-kots:
     runs-on: ubuntu-20.04
     needs: [build_web, build_kurl_proxy, generate-tag]
     steps:
@@ -133,39 +133,26 @@ jobs:
     - name: Upload Go API artifact
       uses: actions/upload-artifact@v3
       with:
-        name: go_api
+        name: kots
         path: ./bin
 
 
-  release_go_api_alpha:
+  build-kotsadm:
     runs-on: ubuntu-20.04
-    needs: [build_web, build_go_api, generate-tag]
+    needs: [generate-tag]
+    permissions:
+      id-token: write # required to be able to assume the GCP SA identity to pull Chainguard packages.
     steps:
-
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Download go_api artifact
-      uses: actions/download-artifact@v3
-      with:
-        name: go_api
-        path: ./bin
-
-    - name: Add executable permissions
-      run: |
-        chmod a+x ./bin/kotsadm
-        chmod a+x ./bin/kots
-
-    - uses: azure/docker-login@v1
-      with:
-        username: ${{ secrets.DOCKERHUB_USER }}
-        password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
-    - name: Build alpha release
-      env:
-        GIT_TAG: ${{ needs.generate-tag.outputs.tag }}
-      run: |
-        mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make build-alpha
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/build-push-kotsadm-image
+        with:
+          chainguard-gcp-wif-pool: ${{ secrets.CHAINGUARD_GCP_WIF_POOL }}
+          chainguard-gcp-sa: ${{ secrets.CHAINGUARD_GCP_SA }}
+          chainguard-gcp-project-id: ${{ secrets.CHAINGUARD_GCP_PROJECT_ID }}
+          image-name: index.docker.io/kotsadm/kotsadm:alpha
+          git-tag: ${{ needs.generate-tag.outputs.tag }}
+          registry-username: ${{ secrets.DOCKERHUB_USER }}
+          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
 
   build_kurl_proxy_alpha:
@@ -210,7 +197,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "rqlite/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}"
+          image-ref: "cgr.dev/chainguard/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'rqlite-scan-output.sarif'
@@ -237,7 +224,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/minio/minio:${{ steps.dotenv.outputs.minio_tag }}"
+          image-ref: "cgr.dev/chainguard/minio:${{ steps.dotenv.outputs.minio_tag }}"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'minio-scan-output.sarif'
@@ -265,7 +252,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "ghcr.io/dexidp/dex:${{ steps.dotenv.outputs.dex_tag }}"
+          image-ref: "cgr.dev/chainguard/dex:${{ steps.dotenv.outputs.dex_tag }}"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'dex-scan-output.sarif'
@@ -330,7 +317,7 @@ jobs:
 
   scan_kotsadm:
     runs-on: ubuntu-20.04
-    needs: [release_go_api_alpha]
+    needs: [build-kotsadm]
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
@@ -431,8 +431,8 @@ jobs:
 
       - name: push minio for e2e
         run: |
-          docker pull minio/minio:${{ steps.dotenv.outputs.minio_tag }}
-          docker tag minio/minio:${{ steps.dotenv.outputs.minio_tag }} ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.minio_tag }}
+          docker pull cgr.dev/chainguard/minio:${{ steps.dotenv.outputs.minio_tag }}
+          docker tag cgr.dev/chainguard/minio:${{ steps.dotenv.outputs.minio_tag }} ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.minio_tag }}
           docker push ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.minio_tag }}
 
 
@@ -450,8 +450,8 @@ jobs:
 
       - name: push rqlite for CI
         run: |
-          docker pull rqlite/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
-          docker tag rqlite/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }} ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
+          docker pull cgr.dev/chainguard/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
+          docker tag cgr.dev/chainguard/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }} ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
           docker push ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
 
 
@@ -469,7 +469,8 @@ jobs:
 
       - name: push dex for CI
         run: |
-          docker build --pull -f deploy/dex.Dockerfile -t ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }} --build-arg TAG=${{ steps.dotenv.outputs.DEX_TAG }} .
+          docker pull cgr.dev/chainguard/dex:${{ steps.dotenv.outputs.DEX_TAG }}
+          docker tag cgr.dev/chainguard/dex:${{ steps.dotenv.outputs.DEX_TAG }} ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }}
           docker push ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }}
 
 

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -186,7 +186,7 @@ jobs:
       id-token: write # required to be able to assume the GCP SA identity to pull Chainguard packages.
     steps:
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - uses: ./.github/actions/build-push-kotsadm-image
       with:
         chainguard-gcp-wif-pool: ${{ secrets.CHAINGUARD_GCP_WIF_POOL }}

diff --git a/.image.env b/.image.env
@@ -1,8 +1,8 @@
 # Generated file, do not modify.  This file is generated from a text file containing a list of images. The
 # most recent tag is interpolated from the source repository and used to generate a fully qualified image
 # name.
-MINIO_TAG='RELEASE.2023-11-11T08-14-41Z'
+MINIO_TAG='0.20231101-dev'
 RQLITE_TAG='7.21.4'
-DEX_TAG='v2.37.0'
+DEX_TAG='2.37.0'
 SCHEMAHERO_TAG='0.16.0'
 LVP_TAG='v0.5.5'
diff --git a/Makefile b/Makefile
@@ -1,8 +1,8 @@
 include Makefile.build.mk
 CURRENT_USER := $(shell id -u -n)
-MINIO_TAG ?= RELEASE.2023-11-11T08-14-41Z
+MINIO_TAG ?= 0.20231101-dev
 RQLITE_TAG ?= 7.21.4
-DEX_TAG ?= v2.37.0
+DEX_TAG ?= 2.37.0
 LVP_TAG ?= v0.5.5
 
 define sendMetrics
@@ -118,31 +118,36 @@ build-ttl.sh: build
 all-ttl.sh: build-ttl.sh
 	source .image.env && IMAGE=ttl.sh/${CURRENT_USER}/kotsadm-migrations:24h make -C migrations build_schema
 
-	docker pull minio/minio:${MINIO_TAG}
-	docker tag minio/minio:${MINIO_TAG} ttl.sh/${CURRENT_USER}/minio:${MINIO_TAG}
+	docker pull cgr.dev/chainguard/minio:${MINIO_TAG}
+	docker tag cgr.dev/chainguard/minio:${MINIO_TAG} ttl.sh/${CURRENT_USER}/minio:${MINIO_TAG}
 	docker push ttl.sh/${CURRENT_USER}/minio:${MINIO_TAG}
 
-	docker pull rqlite/rqlite:${RQLITE_TAG}
-	docker tag rqlite/rqlite:${RQLITE_TAG} ttl.sh/${CURRENT_USER}/rqlite:${RQLITE_TAG}
+	docker pull cgr.dev/chainguard/rqlite:${RQLITE_TAG}
+	docker tag cgr.dev/chainguard/rqlite:${RQLITE_TAG} ttl.sh/${CURRENT_USER}/rqlite:${RQLITE_TAG}
 	docker push ttl.sh/${CURRENT_USER}/rqlite:${RQLITE_TAG}
 
-.PHONY: build-alpha
-build-alpha:
-	docker build --pull -f deploy/Dockerfile --build-arg version=${GIT_TAG} -t kotsadm/kotsadm:alpha .
-	docker push kotsadm/kotsadm:alpha
-
 .PHONY: build-release
 build-release:
 	mkdir -p bin/docker-archive/kotsadm
 	skopeo copy docker://kotsadm/kotsadm:${GIT_TAG} docker-archive:bin/docker-archive/kotsadm/${GIT_TAG}
 
-	docker build --pull -f deploy/dex.Dockerfile -t kotsadm/dex:${DEX_TAG} --build-arg TAG=${DEX_TAG} .
-	docker push kotsadm/dex:${DEX_TAG}
-	mkdir -p bin/docker-archive/dex
-	skopeo copy docker://kotsadm/dex:${DEX_TAG} docker-archive:bin/docker-archive/dex/${DEX_TAG}
-
 	mkdir -p bin/docker-archive/minio
-	skopeo copy docker://minio/minio:${MINIO_TAG} docker-archive:bin/docker-archive/minio/${MINIO_TAG}
+	docker pull cgr.dev/chainguard/minio:${MINIO_TAG}
+	docker tag cgr.dev/chainguard/minio:${MINIO_TAG} kotsadm/minio:${MINIO_TAG}
+	docker push kotsadm/minio:${MINIO_TAG}
+	skopeo copy docker-daemon:kotsadm/minio:${MINIO_TAG} docker-archive:bin/docker-archive/minio/${MINIO_TAG}
+
+	mkdir -p bin/docker-archive/rqlite
+	docker pull cgr.dev/chainguard/rqlite:${RQLITE_TAG}
+	docker tag cgr.dev/chainguard/rqlite:${RQLITE_TAG} kotsadm/rqlite:${RQLITE_TAG}
+	docker push kotsadm/rqlite:${RQLITE_TAG}
+	skopeo copy docker-daemon:kotsadm/rqlite:${RQLITE_TAG} docker-archive:bin/docker-archive/rqlite/${RQLITE_TAG}
+
+	mkdir -p bin/docker-archive/dex
+	docker pull cgr.dev/chainguard/dex:${DEX_TAG}
+	docker tag cgr.dev/chainguard/dex:${DEX_TAG} kotsadm/dex:${DEX_TAG}
+	docker push kotsadm/dex:${DEX_TAG}
+	skopeo copy docker-daemon:kotsadm/dex:${DEX_TAG} docker-archive:bin/docker-archive/dex/${DEX_TAG}
 
 	mkdir -p bin/docker-archive/local-volume-provider
 	skopeo copy docker://replicated/local-volume-provider:${LVP_TAG} docker-archive:bin/docker-archive/local-volume-provider/${LVP_TAG}

diff --git a/cmd/imagedeps/README.md b/cmd/imagedeps/README.md
@@ -20,27 +20,27 @@ is useful to restrict release tags to a major version, or to filter out garbage
 
 | Name | Image URI | Matcher Regexp (Optional) |
 |------|--------------------|----------|
-| Name of the image for example **minio** | Untagged image reference **ghcr.io/dexidp/dex**| An optional regular expression, only matching tags will be included.  |
+| Name of the image for example **minio** | Untagged image reference **cgr.dev/chainguard/minio**| An optional regular expression, only matching tags will be included.  |
 
 ### Sample image-spec
 ```text
-minio minio/minio
-rqlite rqlite/rqlite
-dex ghcr.io/dexidp/dex
+minio cgr.dev/chainguard/minio
+rqlite cgr.dev/chainguard/rqlite
+dex cgr.dev/chainguard/dex
 ```
 The preceding image spec will produce the following environment and Go files.
 ```shell
-MINIO_TAG='RELEASE.2021-09-15T04-54-25Z'
-RQLITE_TAG='7.7.0'
+MINIO_TAG='0.20231025-dev'
+RQLITE_TAG='7.21.4'
 DEX_TAG='v2.30.0'
 ```
 ```go
 package image
 
 const (
-	Minio = "minio/minio:RELEASE.2021-09-15T04-54-25Z"
-	Rqlite = "rqlite/rqlite:7.7.0"
-	Dex = "ghcr.io/dexidp/dex:v2.30.0"
+	Minio = "cgr.dev/chainguard/minio:0.20231025-dev"
+	Rqlite = "cgr.dev/chainguard/rqlite:7.21.4"
+	Dex = "cgr.dev/chainguard/dex:2.30.0"
 )
 ```
 

diff --git a/cmd/imagedeps/image-spec b/cmd/imagedeps/image-spec
@@ -1,5 +1,5 @@
-minio minio/minio
-rqlite rqlite/rqlite ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$
-dex ghcr.io/dexidp/dex
+minio cgr.dev/chainguard/minio ^\b0\.\d+\b-dev$
+rqlite cgr.dev/chainguard/rqlite ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$
+dex cgr.dev/chainguard/dex ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$
 schemahero schemahero/schemahero ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$
 lvp replicated/local-volume-provider ^v([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$