updates

.github/actions/build-push-dex-image/action.yml

@@ -0,0 +1,28 @@
+name: 'Build and push dex image'
+description: 'Composite action for building and pushing dex image'
+inputs:
+  image-name:
+    description: 'Full destination dex image name'
+    required: true
+
+  registry-username:
+    description: 'Username to login to registry'
+    default: ''
+    required: false
+
+  registry-password:
+    description: 'Password to login to registry'
+    default: ''
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - uses: chainguard-images/actions/apko-publish@main
+      with:
+        config: deploy/dex/apko.yaml
+        archs: x86_64
+        tag: ${{ inputs.image-name }}
+        vcs-url: true
+        generic-user: ${{ inputs.registry-username }}
+        generic-pass: ${{ inputs.registry-password }}

.github/workflows/alpha.yaml

@@ -71,6 +71,22 @@ jobs:
           registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
 
+  build-dex:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Read image tags from env file
+        uses: falti/dotenv-action@v1
+        id: dotenv
+        with:
+          path: .image.env
+      - uses: ./.github/actions/build-push-dex-image
+        with:
+          image-name: index.docker.io/kotsadm/dex:${{ steps.dotenv.outputs.DEX_TAG }}
+          registry-username: ${{ secrets.DOCKERHUB_USER }}
+          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+
   build-kotsadm:
     runs-on: ubuntu-20.04
     needs: [generate-tag]
@@ -171,7 +187,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "ghcr.io/dexidp/dex:${{ steps.dotenv.outputs.dex_tag }}"
+          image-ref: "docker.io/kotsadm/dex:${{ steps.dotenv.outputs.dex_tag }}"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'dex-scan-output.sarif'

.github/workflows/build-test.yaml

@@ -429,7 +429,7 @@ jobs:
 
       - uses: ./.github/actions/build-push-minio-image
         with:
-          image-name: ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.minio_tag }}
+          image-name: ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.MINIO_TAG }}
 
 
   push-rqlite:
@@ -461,10 +461,9 @@ jobs:
         with:
           path: .image.env
 
-      - name: push dex for CI
-        run: |
-          docker build --pull -f deploy/dex.Dockerfile -t ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }} --build-arg TAG=${{ steps.dotenv.outputs.DEX_TAG }} .
-          docker push ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }}
+      - uses: ./.github/actions/build-push-dex-image
+        with:
+          image-name: ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }}
 
 
   # only run validate-kurl-addon if changes to "deploy/kurl/kotsadm/template/**"

.github/workflows/release.yaml

@@ -6,6 +6,7 @@ on:
       - "v*.*.*"
     branches:
       - main
+      - build-rqlite-with-apko
 
 jobs:
   generate-tag:
@@ -164,6 +165,13 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/checkout@v4
+
+    - name: Read image tags from env file
+      uses: falti/dotenv-action@v1
+      id: dotenv
+      with:
+        path: .image.env
+
     - uses: ./.github/actions/build-push-kotsadm-image
       with:
         chainguard-gcp-wif-pool: ${{ secrets.CHAINGUARD_GCP_WIF_POOL }}
@@ -173,17 +181,31 @@ jobs:
         git-tag: ${{ needs.generate-tag.outputs.tag }}
         registry-username: ${{ secrets.DOCKERHUB_USER }}
         registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
-    - uses: azure/docker-login@v1
-      env:
-        DOCKER_CONFIG: ./.docker
+
+    - uses: ./.github/actions/build-push-minio-image
       with:
-        username: ${{ secrets.DOCKERHUB_USER }}
-        password: ${{ secrets.DOCKERHUB_PASSWORD }}
+        image-name: index.docker.io/kotsadm/minio:${{ steps.dotenv.outputs.MINIO_TAG }}
+        registry-username: ${{ secrets.DOCKERHUB_USER }}
+        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+    - uses: ./.github/actions/build-push-rqlite-image
+      with:
+        image-name: index.docker.io/kotsadm/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
+        registry-username: ${{ secrets.DOCKERHUB_USER }}
+        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+    - uses: ./.github/actions/build-push-dex-image
+      with:
+        image-name: index.docker.io/kotsadm/dex:${{ steps.dotenv.outputs.DEX_TAG }}
+        registry-username: ${{ secrets.DOCKERHUB_USER }}
+        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
     - name: Build tagged release
       env:
         GIT_TAG: ${{ needs.generate-tag.outputs.tag }}
         DOCKER_CONFIG: ./.docker
       run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make build-release
+
     - name: Upload airgap image
       uses: actions/upload-artifact@v3
       with:

.image.env

@@ -1,8 +1,8 @@
 # Generated file, do not modify.  This file is generated from a text file containing a list of images. The
 # most recent tag is interpolated from the source repository and used to generate a fully qualified image
 # name.
-MINIO_TAG='RELEASE.2023-11-11T08-14-41Z'
-RQLITE_TAG='7.21.4'
-DEX_TAG='v2.37.0'
-SCHEMAHERO_TAG='0.16.0'
+MINIO_TAG='0.20231101.183725'
+RQLITE_TAG='8.0.1'
+DEX_TAG='2.37.0'
+SCHEMAHERO_TAG='0.17.0'
 LVP_TAG='v0.5.5'

Makefile

@@ -1,8 +1,8 @@
 include Makefile.build.mk
 CURRENT_USER := $(shell id -u -n)
-MINIO_TAG ?= RELEASE.2023-11-11T08-14-41Z
-RQLITE_TAG ?= 7.21.4
-DEX_TAG ?= v2.37.0
+MINIO_TAG ?= 0.20231101.183725
+RQLITE_TAG ?= 8.0.1
+DEX_TAG ?= 2.37.0
 LVP_TAG ?= v0.5.5
 
 define sendMetrics
@@ -118,31 +118,27 @@ build-ttl.sh: build
 all-ttl.sh: build-ttl.sh
 	source .image.env && IMAGE=ttl.sh/${CURRENT_USER}/kotsadm-migrations:24h make -C migrations build_schema
 
-	docker pull minio/minio:${MINIO_TAG}
-	docker tag minio/minio:${MINIO_TAG} ttl.sh/${CURRENT_USER}/minio:${MINIO_TAG}
+	docker pull kotsadm/minio:${MINIO_TAG}
+	docker tag kotsadm/minio:${MINIO_TAG} ttl.sh/${CURRENT_USER}/minio:${MINIO_TAG}
 	docker push ttl.sh/${CURRENT_USER}/minio:${MINIO_TAG}
 
-	docker pull rqlite/rqlite:${RQLITE_TAG}
-	docker tag rqlite/rqlite:${RQLITE_TAG} ttl.sh/${CURRENT_USER}/rqlite:${RQLITE_TAG}
+	docker pull kotsadm/rqlite:${RQLITE_TAG}
+	docker tag kotsadm/rqlite:${RQLITE_TAG} ttl.sh/${CURRENT_USER}/rqlite:${RQLITE_TAG}
 	docker push ttl.sh/${CURRENT_USER}/rqlite:${RQLITE_TAG}
 
-.PHONY: build-alpha
-build-alpha:
-	docker build --pull -f deploy/Dockerfile --build-arg version=${GIT_TAG} -t kotsadm/kotsadm:alpha .
-	docker push kotsadm/kotsadm:alpha
-
 .PHONY: build-release
 build-release:
 	mkdir -p bin/docker-archive/kotsadm
 	skopeo copy docker://kotsadm/kotsadm:${GIT_TAG} docker-archive:bin/docker-archive/kotsadm/${GIT_TAG}
 
-	docker build --pull -f deploy/dex.Dockerfile -t kotsadm/dex:${DEX_TAG} --build-arg TAG=${DEX_TAG} .
-	docker push kotsadm/dex:${DEX_TAG}
 	mkdir -p bin/docker-archive/dex
 	skopeo copy docker://kotsadm/dex:${DEX_TAG} docker-archive:bin/docker-archive/dex/${DEX_TAG}
 
 	mkdir -p bin/docker-archive/minio
-	skopeo copy docker://minio/minio:${MINIO_TAG} docker-archive:bin/docker-archive/minio/${MINIO_TAG}
+	skopeo copy docker://kotsadm/minio:${MINIO_TAG} docker-archive:bin/docker-archive/minio/${MINIO_TAG}
+
+	mkdir -p bin/docker-archive/rqlite
+	skopeo copy docker://kotsadm/rqlite:${RQLITE_TAG} docker-archive:bin/docker-archive/rqlite/${RQLITE_TAG}
 
 	mkdir -p bin/docker-archive/local-volume-provider
 	skopeo copy docker://replicated/local-volume-provider:${LVP_TAG} docker-archive:bin/docker-archive/local-volume-provider/${LVP_TAG}

cmd/imagedeps/README.md

@@ -20,27 +20,27 @@ is useful to restrict release tags to a major version, or to filter out garbage
 
 | Name | Image URI | Matcher Regexp (Optional) |
 |------|--------------------|----------|
-| Name of the image for example **minio** | Untagged image reference **ghcr.io/dexidp/dex**| An optional regular expression, only matching tags will be included.  |
+| Name of the image for example **minio** | Untagged image reference **kotsadm/minio**| An optional regular expression, only matching tags will be included.  |
 
 ### Sample image-spec
 ```text
-minio minio/minio
-rqlite rqlite/rqlite
-dex ghcr.io/dexidp/dex
+minio kotsadm/minio
+rqlite kotsadm/rqlite
+dex kotsadm/dex
 ```
 The preceding image spec will produce the following environment and Go files.
 ```shell
-MINIO_TAG='RELEASE.2021-09-15T04-54-25Z'
-RQLITE_TAG='7.7.0'
-DEX_TAG='v2.30.0'
+MINIO_TAG='0.20231101.183725'
+RQLITE_TAG='8.0.1'
+DEX_TAG='2.37.0'
 ```
 ```go
 package image
 
 const (
-	Minio = "minio/minio:RELEASE.2021-09-15T04-54-25Z"
-	Rqlite = "rqlite/rqlite:7.7.0"
-	Dex = "ghcr.io/dexidp/dex:v2.30.0"
+	Minio = "kotsadm/minio:0.20231101.183725"
+	Rqlite = "kotsadm/rqlite:8.0.1"
+	Dex = "kotsadm/dex:2.37.0"
 )
 ```
 

cmd/imagedeps/image-spec

@@ -1,5 +1,5 @@
-minio minio/minio
-rqlite rqlite/rqlite ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$
-dex ghcr.io/dexidp/dex
+minio kotsadm/minio
+rqlite kotsadm/rqlite
+dex kotsadm/dex
 schemahero schemahero/schemahero ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$
 lvp replicated/local-volume-provider ^v([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$

cmd/imagedeps/main.go

@@ -5,7 +5,6 @@ import (
 	"bytes"
 	"fmt"
 	"go/format"
-	"io/ioutil"
 	"log"
 	"os"
 	"regexp"
@@ -56,6 +55,9 @@ var (
 	replacers = []*replacer{
 		getMakefileReplacer("Makefile"),
 		getMakefileReplacer("migrations/Makefile"),
+		getApkoFileReplacer("deploy/minio/apko.yaml", "minio"),
+		getApkoFileReplacer("deploy/rqlite/apko.yaml", "rqlite"),
+		getApkoFileReplacer("deploy/dex/apko.yaml", "dex"),
 	}
 )
 
@@ -146,15 +148,15 @@ func generateOutput(filename, fileTemplate string, refs []*ImageRef, fn template
 		return err
 	}
 
-	if err := ioutil.WriteFile(filename, buff, 0644); err != nil {
+	if err := os.WriteFile(filename, buff, 0644); err != nil {
 		return err
 	}
 
 	return nil
 }
 
 func (r *replacer) replace(refs []*ImageRef) error {
-	b, err := ioutil.ReadFile(r.path)
+	b, err := os.ReadFile(r.path)
 	if err != nil {
 		return errors.Wrap(err, "failed to read file")
 	}
@@ -168,7 +170,7 @@ func (r *replacer) replace(refs []*ImageRef) error {
 		content = reg.ReplaceAllString(content, r.valueFn(ref))
 	}
 
-	if err := ioutil.WriteFile(r.path, []byte(content), 0644); err != nil {
+	if err := os.WriteFile(r.path, []byte(content), 0644); err != nil {
 		return errors.Wrap(err, "failed to write file")
 	}
 
@@ -198,7 +200,7 @@ func getMakefileVarName(s string) string {
 	return strings.ToUpper(strings.ReplaceAll(s, "-", "_")) + "_TAG"
 }
 
-// converts a name from the input string into an a makefile variable name
+// converts a name from the input string into an a dockerfile variable name
 // for example: foo_bar_baz -> FOO_BAR_BAZ
 func getDockerfileVarName(s string) string {
 	return strings.ToUpper(strings.ReplaceAll(s, "-", "_")) + "_TAG"
@@ -227,3 +229,15 @@ func getDockerfileReplacer(path string) *replacer {
 		},
 	}
 }
+
+func getApkoFileReplacer(path string, pkg string) *replacer {
+	return &replacer{
+		path: path,
+		regexFn: func(ir *ImageRef) string {
+			return fmt.Sprintf(`- %s~\d+\.\d+\.\d+`, ir.name)
+		},
+		valueFn: func(ir *ImageRef) string {
+			return ir.GetApkoFileLine(ir.name)
+		},
+	}
+}