Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build kots with apko+melange in presubmit #3959

Closed
wants to merge 3 commits into from
Closed

build kots with apko+melange in presubmit #3959

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3ddce6d
build kots with apko+melange in presubmit
imjasonh Jun 26, 2023
6ec019c
add language about non-production-readiness
imjasonh Jun 28, 2023
d064244
include all currently supported kubectl versions
imjasonh Jun 29, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions .github/workflows/presubmit-image.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
on:
pull_request:

jobs:
presubmit-image:
runs-on: ubuntu-latest
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we pin to a specific ubuntu major version (preferably 22.04)?

permissions:
contents: read
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's get on actions/setup-go@v4 since this is a new workflow.

with:
go-version: '1.20.x'
- uses: chainguard-dev/actions/melange-build@main
with:
config: melange.yaml
archs: x86_64
sign-with-temporary-key: true
- uses: chainguard-images/actions/apko-publish@main
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that this action pushes the image with a digest instead of a tag. Our tests currently leverages a --kotsadm-tag flag to override the image used during the install. For example: https://github.com/replicatedhq/kots/blob/v1.100.3/.github/workflows/build-test.yaml#L988-L990

with:
config: apko.yaml
archs: x86_64
tag: ttl.sh/kots
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would probably make integration easier if we match the chainguard image name to our current image name kotsadm

Copy link
Contributor Author

@cbodonnell cbodonnell Jul 14, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Additionally, we will usually push the image with a namespace to avoid conflicts on ttl.sh. For example ttl.sh/<some-identifier>/kotsadm:24h

vcs-url: true
4 changes: 4 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,3 +34,7 @@ kotsdata/
sbom/
cosign.key
pkg/tests/pull/cases/*/results

melange.rsa
melange.rsa.pub
packages/*
52 changes: 52 additions & 0 deletions apko.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
contents:
repositories:
- https://packages.wolfi.dev/os
- ./packages/
keyring:
- https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
- ./melange.rsa.pub
packages:
- kots-head # This is expected to be built locally by `melange`.

# All currently supported kubectl versions.
# TODO: this requires manual intervention whenever there are new kubectl releases.
- kubectl-1.24
- kubectl-1.25
- kubectl-1.26
- kubectl-1.27

- bash
- busybox
- curl
- git
- helm
- kustomize
- py3-dateutil
- py3-magic
- s3cmd
- wolfi-baselayout

accounts:
groups:
- groupname: kotsadm
gid: 1001
users:
- username: kotsadm
uid: 1001
gid: 1001
run-as: kotsadm

environment:
VERSION: v1.98.3
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm assuming this refers to the KOTS version? I feel like this should be a variable assuming the file format supports them, else we need to envsubst and pipe into apko.

KOTS_KUBECTL_BIN_DIR: /usr/local/bin
KOTS_HELM_BIN_DIR: /usr/local/bin
KOTS_KUSTOMIZE_BIN_DIR: /usr/local/bin

entrypoint:
command: /kotsadm

cmd: api

archs:
- x86_64
- aarch64
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have we started supporting KOTS on arm64? If not, should we remove this? I don't feel like we're doing a lot of local dev on KOTS.

54 changes: 54 additions & 0 deletions apko_melange_build.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
# Building KOTS with apko + melange

## What?

This doc describes a non-production-ready process for building a minimal `kots` image using `melange` and `apko`:

- [`melange`](https://github.com/chainguard-dev/melange) is a tool for reproducibly building APK packages from source
- [`apko`](https://github.com/chainguard-dev/apko) is a tool for reproducibly building container images from APK packages

## Why?

Building with `melange` and `apko` produces smaller, more reproducible images, which can be easier to operate and easier to keep free of vulnerabilities.

## How?

First, build the package from source, using `melange`.

To start, if there isn't already a signing key for the package, we need to generate one:

```sh
melange keygen
```

We only need to build for x86_64, which is faster than building for arm64 since it doesn't require qemu.

```sh
melange build melange.yaml --arch=x86_64
```

> 💡 Only building for your local platform makes builds faster, since it doesn't have to emulate with qemu.
> If you're on an arm64 machine (e.g., Apple Silicon), use `--arch=aarch64` here and below.

Then, build the image from the newly built `kots` package, and the other packages needed by the image, using `apko`:

```sh
apko publish apko.yaml ttl.sh/kots --arch=x86_64
```

This will print the image to stdout, so you can run it:

```sh
docker run $(apko publish ...)
```

### Presubmit GitHub Actions

The above steps are automated in [GitHub Actions](./.github/workflows/presubmit-image.yaml) as a presubmit check for PRs.

The image this workflow produces is only meant for validation, and not meant for production use cases at this time.

## Further Reading

- https://edu.chainguard.dev/open-source/melange/overview/
- https://edu.chainguard.dev/open-source/apko/overview/
72 changes: 72 additions & 0 deletions melange.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
package:
name: kots-head
version: 0.0.1
epoch: 0
description: Kubernetes Off-The-Shelf (KOTS) Software
copyright:
- license: Apache-2.0

environment:
contents:
repositories:
- https://packages.wolfi.dev/os
keyring:
- https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
packages:
- ca-certificates-bundle
- busybox
- git
- go
- nodejs
- yarn

pipeline:
- runs: |
set -x
export DESTDIR="${{targets.destdir}}"
mkdir -p "${DESTDIR}"

# Scripts etc.
mv deploy/assets/backup.sh "${DESTDIR}/backup.sh"
mv deploy/assets/restore-db.sh "${DESTDIR}/restore-db.sh"
mv deploy/assets/restore-s3.sh "${DESTDIR}/restore-s3.sh"
mv deploy/assets/restore.sh "${DESTDIR}/restore.sh"
mv deploy/assets/migrate-s3.sh "${DESTDIR}/migrate-s3.sh"
mv deploy/assets/fs-minio-check.sh "${DESTDIR}/fs-minio-check.sh"
mv deploy/assets/fs-minio-reset.sh "${DESTDIR}/fs-minio-reset.sh"
mv deploy/assets/fs-minio-keys-sha.sh "${DESTDIR}/fs-minio-keys-sha.sh"
mv deploy/assets/s3-bucket-create.sh "${DESTDIR}/s3-bucket-create.sh"
mv deploy/assets/s3-bucket-head.sh "${DESTDIR}/s3-bucket-head.sh"
mv deploy/assets/kots-upgrade.sh "${DESTDIR}/kots-upgrade.sh"
mv deploy/assets/postgres "${DESTDIR}/postgres"

# kotsadm and kots binaries
export VERSION=${{package.version}}
export GIT_TAG=${{package.version}}

# Set environment variables from repository
source .image.env

KOTS_KUSTOMIZE_BIN_DIR=/usr/local/bin

# TODO: fix pact build error on arm https://github.com/pact-foundation/pact-js-core/issues/264
export PACT_SKIP_BINARY_INSTALL=true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should no longer be necessary as we should be on the latest version of pact-js which bundles the multi-arch Rust core.

I'll submit a PR for kotsadm today to address that.


# Configure Yarn
yarn install --pure-lockfile --network-concurrency 1

make -C web deps lint build-kotsadm
make vet kots build
Comment on lines +58 to +59
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we move the static analysis steps into jobs outside of the package build, and just do the build here? That will allow us to parallelize those items and save some CI time.


mv bin/kotsadm "${DESTDIR}/kotsadm"
mv bin/kots "${DESTDIR}/kots"

# TODO: this requires manual intervention whenever helm bumps its major version
ln -s /usr/bin/helm ${{targets.destdir}}/usr/local/bin/helm
ln -s /usr/bin/helm ${{targets.destdir}}/usr/local/bin/helm3

# TODO: this requires manual intervention whenever kustomize bumps its major version
ln -s /usr/bin/kustomize ${{targets.destdir}}/usr/local/bin/kustomize
ln -s /usr/bin/kustomize ${{targets.destdir}}/usr/local/bin/kustomize5

ln -s /usr/bin/kubectl ${{targets.destdir}}/usr/local/bin/kubectl