automate building k0s images with chainguard

sgalsaleh · sgalsaleh · commit 86a144aa9356 · 2024-07-18T05:32:15.000Z
diff --git a/.github/actions/build-dep-image-with-apko/action.yml b/.github/actions/build-dep-image-with-apko/action.yml
diff --git a/.github/workflows/image-deps-updater.yaml b/.github/workflows/image-deps-updater.yaml
@@ -8,75 +8,41 @@ on:
       k0s-version:
         description: 'K0s version for discovering image versions'
         required: false
-      overwrite:
-        description: 'Overwrite the existing image tags'
-        required: false
-        default: 'true'
   push:
     branches:
-    - emosbaugh/sc-108755/use-chainguard-images-for-embedded-cluster
+    - sgalsaleh/sc-108755/use-chainguard-images-for-embedded-cluster
 
 jobs:
-  define-matrix:
-    runs-on: ubuntu-20.04
-    outputs:
-      matrix: ${{ steps.set-matrix.outputs.matrix }}
-
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Set matrix
-      id: set-matrix
-      run: |
-        set -euo pipefail
-
-        # We're only using the APKINDEX files to get the versions, so it doesn't matter which arch we use
-
-        curl -LO --fail --show-error https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz
-        tar -xzvf APKINDEX.tar.gz
-
-        calico_node_version=$(< APKINDEX grep -A1 "^P:calico-node" | tail -n 1 | sed -n -e 's/V://p' | tr -d '\n')
-
-        if [ -n "${{ github.event.inputs.k0s-version }}" ]; then
-          make pkg/goods/bins/k0s K0S_VERSION="${{ github.event.inputs.k0s-version }}" K0S_BINARY_SOURCE_OVERRIDE=
-        else
-          make pkg/goods/bins/k0s
-        fi
-
-        coredns_version=$(pkg/goods/bins/k0s airgap list-images --all | grep '/coredns:' | awk -F':' '{ print $2 }')
-        kube_proxy_version=$(pkg/goods/bins/k0s airgap list-images --all | grep '/kube-proxy:' | awk -F':v' '{ print $2 }')
-        metrics_server_version=$(pkg/goods/bins/k0s airgap list-images --all | grep '/metrics-server:' | awk -F':v' '{ print $2 }')
-
-        {
-          printf "matrix={\"include\":["
-          printf "{\"component\": \"calico-node\", \"version\": \"$calico_node_version\"},"
-          printf "{\"component\": \"coredns\", \"version\": \"$coredns_version\"},"
-          printf "{\"component\": \"metrics-server\", \"version\": \"$metrics_server_version\"}"
-          printf "]}"
-        } >> "$GITHUB_OUTPUT"
-
-  build-images:
+  update-k0s-images:
     runs-on: ubuntu-20.04
-    needs: define-matrix
-    strategy:
-      fail-fast: false
-      matrix: ${{ fromJSON(needs.define-matrix.outputs.matrix) }}
-
     steps:
     - name: Checkout
       uses: actions/checkout@v4
 
-    - name: Generate apko config
-      run: |
-        set -euo pipefail
-        sed "s/__VERSION__/${{ matrix.version }}/g" deploy/images/${{ matrix.component }}/apko.tmpl.yaml > apko.yaml
+    - name: Update k0s images
+      run: deploy/scripts/k0s-images.sh
 
-    - name: Build and push image
-      uses: ./.github/actions/build-dep-image-with-apko
+    - name: Create Pull Request # creates a PR if there are differences
+      uses: peter-evans/create-pull-request@v6
+      id: cpr
       with:
-        apko-config: apko.yaml
-        image-name: ttl.sh/ec/${{ matrix.component }}:${{ matrix.version }}
-        # registry-username: ${{ secrets.REGISTRY_USERNAME_STAGING }}
-        # registry-password: ${{ secrets.REGISTRY_PASSWORD_STAGING }}
-        overwrite: true # ${{ github.event.inputs.overwrite }}
+        token: ${{ secrets.AUTOMATED_PR_GH_PAT }}
+        commit-message: 'Update image versions'
+        title: 'Automated image updates'
+        branch: automation/image-dependencies
+        delete-branch: true
+        labels: |
+          automated-pr
+          images
+          type::security
+        # draft: false
+        draft: true
+        # base: "main"
+        base: "sgalsaleh/sc-108755/use-chainguard-images-for-embedded-cluster"
+        body: "Automated changes by the [image-deps-updater](https://github.com/replicatedhq/embedded-cluster/blob/main/.github/workflows/image-deps-updater.yaml) GitHub action"
+
+    - name: Check outputs
+      if: ${{ steps.cpr.outputs.pull-request-number }}
+      run: |
+        echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+        echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
diff --git a/.gitignore b/.gitignore
@@ -7,3 +7,5 @@ pkg/goods/images
 .pre-commit-config.yaml
 vendor
 e2e/kots-release-install/license.yaml
+/build/
+/bin/
diff --git a/Makefile b/Makefile
@@ -64,6 +64,8 @@ LD_FLAGS = -X github.com/replicatedhq/embedded-cluster/pkg/defaults.K0sVersion=$
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/velero.VeleroTag=$(VELERO_IMAGE_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/velero.AwsPluginTag=$(VELERO_AWS_PLUGIN_IMAGE_VERSION)
 
+export PATH := $(shell pwd)/bin:$(PATH)
+
 .DEFAULT_GOAL := default
 default: embedded-cluster-linux-amd64
 
@@ -170,6 +172,8 @@ clean:
 	rm -rf output
 	rm -rf pkg/goods/bins
 	rm -rf pkg/goods/internal/bins
+	rm -rf build
+	rm -rf bin
 
 .PHONY: lint
 lint:
@@ -188,9 +192,6 @@ scan:
 		--ignore-unfixed \
 		./
 
-print-%:
-	@echo -n $($*)
-
 .PHONY: build-local-artifact-mirror-image
 build-local-artifact-mirror-image:
 	docker build -t $(LOCAL_ARTIFACT_MIRROR_IMAGE_LOCATION) -f Dockerfile .
@@ -202,6 +203,97 @@ push-local-artifact-mirror-image:
 .PHONY: build-and-push-local-artifact-mirror-image
 build-and-push-local-artifact-mirror-image: build-local-artifact-mirror-image push-local-artifact-mirror-image
 
+CHAINGUARD_TOOLS_USE_DOCKER = 0
+ifeq ($(CHAINGUARD_TOOLS_USE_DOCKER),"1")
+MELANGE_CACHE_DIR = /go/pkg/mod
+APKO_CMD = docker run -v "${PWD}":/work -w /work -v "${PWD}"/build/.docker:/root/.docker cgr.dev/chainguard/apko
+MELANGE_CMD = docker run --privileged --rm -v "${PWD}":/work -w /work -v "$(shell go env GOMODCACHE)":${MELANGE_CACHE_DIR} cgr.dev/chainguard/melange
+else
+MELANGE_CACHE_DIR = $(shell go env GOMODCACHE)
+APKO_CMD = apko
+MELANGE_CMD = melange
+endif
+
+.PHONY: apko-build
+apko-build: export ARCHS ?= amd64
+apko-build: check-env-IMAGE apko-template
+	cd build && ${APKO_CMD} \
+		build apko.yaml ${IMAGE} apko.tar \
+		--arch ${ARCHS}
+
+.PHONY: apko-build-and-publish
+apko-build-and-publish: export ARCHS ?= amd64
+apko-build-and-publish: check-env-IMAGE apko-template
+	cd build && ${APKO_CMD} \
+		publish apko.yaml ${IMAGE} \
+		--arch ${ARCHS} | tee digest
+
+.PHONY: apko-login
+apko-login:
+	rm -f build/.docker/config.json
+	@ { [ "${PASSWORD}" = "" ] || [ "${USERNAME}" = "" ] ; } || \
+	${APKO_CMD} \
+		login -u "${USERNAME}" \
+		--password "${PASSWORD}" "${REGISTRY}"
+
+.PHONY: melange-build
+melange-build: export ARCHS ?= amd64
+melange-build: melange-template
+	mkdir -p build
+	for f in pkg cmd go.mod go.sum Makefile ; do \
+		rm -rf "build/$$f" && cp -r $$f build/ ; \
+	done
+	${MELANGE_CMD} \
+		keygen build/melange.rsa
+	${MELANGE_CMD} \
+		build build/melange.yaml \
+		--arch ${ARCHS} \
+		--signing-key build/melange.rsa \
+		--cache-dir=$(MELANGE_CACHE_DIR) \
+		--out-dir build/packages/
+
+.PHONY: melange-template
+melange-template: check-env-MELANGE_CONFIG check-env-VERSION
+	mkdir -p build
+	envsubst '$${VERSION}' < ${MELANGE_CONFIG} > build/melange.yaml
+
+.PHONY: apko-template
+apko-template: check-env-APKO_CONFIG check-env-VERSION
+	mkdir -p build
+	envsubst '$${VERSION}' < ${APKO_CONFIG} > build/apko.yaml
+
 .PHONY: buildtools
 buildtools:
 	go build -o ./output/bin/buildtools ./cmd/buildtools
+
+.PHONY: cache-files
+cache-files: export EMBEDDED_OPERATOR_BINARY_URL_OVERRIDE
+cache-files:
+	./scripts/cache-files.sh
+
+ifeq (,$(shell go env GOBIN))
+GOBIN=$(shell go env GOPATH)/bin
+else
+GOBIN=$(shell go env GOBIN)
+endif
+
+bin/apko:
+	mkdir -p bin
+	go install chainguard.dev/apko@latest && \
+		test -s $(GOBIN)/apko && \
+		ln -sf $(GOBIN)/apko bin/apko
+
+bin/melange:
+	mkdir -p bin
+	go install chainguard.dev/melange@latest && \
+		test -s $(GOBIN)/melange && \
+		ln -sf $(GOBIN)/melange bin/melange
+
+print-%:
+	@echo -n $($*)
+
+check-env-%:
+	@ if [ "${${*}}" = "" ]; then \
+		echo "Environment variable $* not set"; \
+		exit 1; \
+	fi
diff --git a/deploy/scripts/k0s-images.sh b/deploy/scripts/k0s-images.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+set -euox pipefail
+
+# we're only using the APKINDEX files to get the versions, so it doesn't matter which arch we use
+
+mkdir -p output/tmp
+curl -L -o output/tmp/APKINDEX.tar.gz https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz
+tar -xzvf output/tmp/APKINDEX.tar.gz -C output/tmp
+
+k0s_version=${1-}
+if [ -n "$k0s_version" ]; then
+  make pkg/goods/bins/k0s K0S_VERSION="$k0s_version" K0S_BINARY_SOURCE_OVERRIDE=
+else
+  make pkg/goods/bins/k0s
+fi
+
+function get_package_version() {
+  pinned_version=$(pkg/goods/bins/k0s airgap list-images --all | grep "/$1:" | awk -F':' '{ print $2 }' | sed 's/^v//' | sed 's/-[0-9]*$//')
+  < output/tmp/APKINDEX grep -A1 "^P:$1" | grep "V:$pinned_version" | awk -F '-r' '{print $1, $2}' | sort -k2,2n | tail -1 | awk '{print $1 "-r" $2}' | sed -n -e 's/V://p' | tr -d '\n'
+}
+
+components='[
+  {
+    "name": "coredns",
+    "version": "'$(get_package_version coredns)'",
+    "makefile_var": "COREDNS_VERSION"
+  },
+  {
+    "name": "calico-node",
+    "version": "'$(get_package_version calico-node)'",
+    "makefile_var": "CALICO_NODE_VERSION"
+  },
+  {
+    "name": "metrics-server",
+    "version": "'$(get_package_version metrics-server)'",
+    "makefile_var": "METRICS_SERVER_VERSION"
+  }
+]'
+
+make bin/apko
+
+for component in $(echo "${components}" | jq -c '.[]'); do
+  name=$(echo "$component" | jq -r '.name')
+  version=$(echo "$component" | jq -r '.version')
+  makefile_var=$(echo "$component" | jq -r '.makefile_var')
+
+  sed "s/__VERSION__/$version/g" deploy/images/"$name"/apko.tmpl.yaml > output/tmp/apko.yaml
+
+  make apko-build-and-publish \
+    IMAGE=ttl.sh/ec/"$name":"$version" \
+    APKO_CONFIG=output/tmp/apko.yaml \
+    VERSION="$version"
+
+  digest=$(awk -F'@' '{print $2}' build/digest)
+  sed -i "s/^$makefile_var.*/$makefile_var = $version@$digest/" Makefile
+done
