feat: build third party images with chainguard

Author: emosbaugh

.github/workflows/image-deps-updater.yaml

@@ -0,0 +1,55 @@
+name: Update image deps
+
+on:
+  schedule:
+    - cron: '0 4 * * *'
+  workflow_dispatch:
+    inputs:
+      k0s-version:
+        description: 'K0s version for discovering image versions'
+        required: false
+  push:
+    branches:
+    - sgalsaleh/sc-108755/use-chainguard-images-for-embedded-cluster
+
+jobs:
+  update-k0s-images:
+    runs-on: ubuntu-20.04
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Compile buildtools
+      run: |
+        make buildtools
+
+    - name: Update k0s images
+      env:
+        REGISTRY_SERVER: docker.io
+        REGISTRY_USER: ${{ secrets.DOCKERHUB_USER }}
+        REGISTRY_PASS: ${{ secrets.DOCKERHUB_PASSWORD }}
+      run: output/bin/buildtools update images k0s
+
+    - name: Create Pull Request # creates a PR if there are differences
+      uses: peter-evans/create-pull-request@v6
+      id: cpr
+      with:
+        token: ${{ secrets.AUTOMATED_PR_GH_PAT }}
+        commit-message: 'Update image versions'
+        title: 'Automated image updates'
+        branch: automation/image-dependencies
+        delete-branch: true
+        labels: |
+          automated-pr
+          images
+          type::security
+        draft: false
+        # base: "main"
+        base: "sgalsaleh/sc-108755/use-chainguard-images-for-embedded-cluster"
+        body: "Automated changes by the [image-deps-updater](https://github.com/replicatedhq/embedded-cluster/blob/main/.github/workflows/image-deps-updater.yaml) GitHub action"
+
+    - name: Check outputs
+      if: ${{ steps.cpr.outputs.pull-request-number }}
+      run: |
+        echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+        echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"

.gitignore

@@ -7,3 +7,5 @@ pkg/goods/images
 .pre-commit-config.yaml
 vendor
 e2e/kots-release-install/license.yaml
+/build/
+/bin/

Makefile

@@ -2,14 +2,22 @@ VERSION ?= $(shell git describe --tags --dirty)
 UNAME := $(shell uname)
 ARCH := $(shell uname -m)
 APP_NAME = embedded-cluster
+COREDNS_IMAGE =
+COREDNS_VERSION =
+CALICO_NODE_IMAGE =
+CALICO_NODE_VERSION =
+METRICS_SERVER_IMAGE =
+METRICS_SERVER_VERSION =
 ADMIN_CONSOLE_CHART_REPO_OVERRIDE =
-ADMIN_CONSOLE_CHART_VERSION = 1.111.0
+ADMIN_CONSOLE_CHART_VERSION = 1.112.1-build.1
 ADMIN_CONSOLE_IMAGE_OVERRIDE =
 ADMIN_CONSOLE_MIGRATIONS_IMAGE_OVERRIDE =
-EMBEDDED_OPERATOR_CHART_URL = oci://registry.replicated.com/library
-EMBEDDED_OPERATOR_CHART_NAME = embedded-cluster-operator
-EMBEDDED_OPERATOR_CHART_VERSION = 0.36.5
-EMBEDDED_OPERATOR_UTILS_IMAGE = busybox:1.36.1
+ADMIN_CONSOLE_KURL_PROXY_IMAGE_OVERRIDE =
+EMBEDDED_OPERATOR_CHART_VERSION = 0.40.2
+EMBEDDED_OPERATOR_BINARY_URL_OVERRIDE =
+EMBEDDED_OPERATOR_UTILS_IMAGE ?= replicated/embedded-cluster-utils
+EMBEDDED_OPERATOR_UTILS_IMAGE_VERSION ?= $(subst +,-,$(VERSION))
+EMBEDDED_OPERATOR_UTILS_IMAGE_LOCATION = proxy.replicated.com/anonymous/$(EMBEDDED_OPERATOR_UTILS_IMAGE):$(EMBEDDED_OPERATOR_UTILS_IMAGE_VERSION)
 EMBEDDED_CLUSTER_OPERATOR_IMAGE_OVERRIDE =
 OPENEBS_CHART_VERSION = 4.1.0
 OPENEBS_UTILS_VERSION = 4.1.0
@@ -20,28 +28,36 @@ VELERO_CHART_VERSION = 6.3.0
 VELERO_IMAGE_VERSION = v1.13.2
 VELERO_AWS_PLUGIN_IMAGE_VERSION = v1.9.2
 KUBECTL_VERSION = v1.30.1
-K0S_VERSION = v1.29.5+k0s.0-ec.0
-K0S_GO_VERSION = v1.29.5+k0s.0
-PREVIOUS_K0S_VERSION ?= v1.28.8+k0s.0
-K0S_BINARY_SOURCE_OVERRIDE = https://ec-k0s-binaries.s3.amazonaws.com/k0s-v1.29.5%2Bk0s.0-ec.0
+K0S_VERSION = v1.29.6+k0s.0
+K0S_GO_VERSION = v1.29.6+k0s.0
+PREVIOUS_K0S_VERSION ?= v1.28.10+k0s.0
+K0S_BINARY_SOURCE_OVERRIDE =
 PREVIOUS_K0S_BINARY_SOURCE_OVERRIDE =
 TROUBLESHOOT_VERSION = v0.93.1
 KOTS_VERSION = v$(shell echo $(ADMIN_CONSOLE_CHART_VERSION) | sed 's/\([0-9]\+\.[0-9]\+\.[0-9]\+\).*/\1/')
 KOTS_BINARY_URL_OVERRIDE =
-LOCAL_ARTIFACT_MIRROR_IMAGE ?= registry.replicated.com/library/embedded-cluster-local-artifact-mirror
-LOCAL_ARTIFACT_MIRROR_IMAGE_LOCATION = ${LOCAL_ARTIFACT_MIRROR_IMAGE}:$(subst +,-,$(VERSION))
+LOCAL_ARTIFACT_MIRROR_IMAGE ?= replicated/embedded-cluster-local-artifact-mirror
+LOCAL_ARTIFACT_MIRROR_IMAGE_VERSION ?= $(subst +,-,$(VERSION))
+LOCAL_ARTIFACT_MIRROR_IMAGE_LOCATION = proxy.replicated.com/anonymous/$(LOCAL_ARTIFACT_MIRROR_IMAGE):$(LOCAL_ARTIFACT_MIRROR_IMAGE_VERSION)
 LD_FLAGS = -X github.com/replicatedhq/embedded-cluster/pkg/defaults.K0sVersion=$(K0S_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/defaults.Version=$(VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/defaults.TroubleshootVersion=$(TROUBLESHOOT_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/defaults.KubectlVersion=$(KUBECTL_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/defaults.LocalArtifactMirrorImage=$(LOCAL_ARTIFACT_MIRROR_IMAGE_LOCATION) \
+	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CoreDNSImage=$(COREDNS_IMAGE) \
+	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CoreDNSVersion=$(COREDNS_VERSION) \
+	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CalicoNodeImage=$(CALICO_NODE_IMAGE) \
+	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CalicoNodeVersion=$(CALICO_NODE_VERSION) \
+	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.MetricsServerImage=$(METRICS_SERVER_IMAGE) \
+	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.MetricsServerVersion=$(METRICS_SERVER_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/adminconsole.ChartRepoOverride=$(ADMIN_CONSOLE_CHART_REPO_OVERRIDE) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/adminconsole.Version=$(ADMIN_CONSOLE_CHART_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/adminconsole.ImageOverride=$(ADMIN_CONSOLE_IMAGE_OVERRIDE) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/adminconsole.MigrationsImageOverride=$(ADMIN_CONSOLE_MIGRATIONS_IMAGE_OVERRIDE) \
+	-X github.com/replicatedhq/embedded-cluster/pkg/addons/adminconsole.KurlProxyImageOverride=$(ADMIN_CONSOLE_KURL_PROXY_IMAGE_OVERRIDE) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/adminconsole.KotsVersion=$(KOTS_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/embeddedclusteroperator.Version=$(EMBEDDED_OPERATOR_CHART_VERSION) \
-	-X github.com/replicatedhq/embedded-cluster/pkg/addons/embeddedclusteroperator.UtilsImage=$(EMBEDDED_OPERATOR_UTILS_IMAGE) \
+	-X github.com/replicatedhq/embedded-cluster/pkg/addons/embeddedclusteroperator.UtilsImage=$(EMBEDDED_OPERATOR_UTILS_IMAGE_LOCATION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/embeddedclusteroperator.ImageOverride=$(EMBEDDED_CLUSTER_OPERATOR_IMAGE_OVERRIDE) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/openebs.Version=$(OPENEBS_CHART_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/openebs.UtilsVersion=$(OPENEBS_UTILS_VERSION) \
@@ -52,6 +68,8 @@ LD_FLAGS = -X github.com/replicatedhq/embedded-cluster/pkg/defaults.K0sVersion=$
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/velero.VeleroTag=$(VELERO_IMAGE_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/velero.AwsPluginTag=$(VELERO_AWS_PLUGIN_IMAGE_VERSION)
 
+export PATH := $(shell pwd)/bin:$(PATH)
+
 .DEFAULT_GOAL := default
 default: embedded-cluster-linux-amd64
 
@@ -89,7 +107,10 @@ pkg/goods/bins/kubectl-preflight: Makefile
 
 pkg/goods/bins/local-artifact-mirror: Makefile
 	mkdir -p pkg/goods/bins
-	CGO_ENABLED=0 go build -o pkg/goods/bins/local-artifact-mirror ./cmd/local-artifact-mirror
+	go build \
+		-tags osusergo,netgo \
+		-ldflags="-s -w -extldflags=-static" \
+		-o pkg/goods/bins/local-artifact-mirror ./cmd/local-artifact-mirror
 
 pkg/goods/internal/bins/kubectl-kots: Makefile
 	mkdir -p pkg/goods/internal/bins
@@ -158,6 +179,8 @@ clean:
 	rm -rf output
 	rm -rf pkg/goods/bins
 	rm -rf pkg/goods/internal/bins
+	rm -rf build
+	rm -rf bin
 
 .PHONY: lint
 lint:
@@ -176,20 +199,134 @@ scan:
 		--ignore-unfixed \
 		./
 
-print-%:
-	@echo -n $($*)
+.PHONY: build-utils-image
+build-utils-image: export IMAGE ?= $(EMBEDDED_OPERATOR_UTILS_IMAGE):$(EMBEDDED_OPERATOR_UTILS_IMAGE_VERSION)
+build-utils-image: export VERSION ?= $(EMBEDDED_OPERATOR_UTILS_IMAGE_VERSION)
+build-utils-image: export MELANGE_CONFIG = deploy/packages/utils/melange.tmpl.yaml
+build-utils-image: export APKO_CONFIG = deploy/images/utils/apko.tmpl.yaml
+build-utils-image: apko-build
 
-.PHONY: build-local-artifact-mirror-image
-build-local-artifact-mirror-image:
-	docker build -t $(LOCAL_ARTIFACT_MIRROR_IMAGE_LOCATION) -f Dockerfile .
+.PHONY: build-and-push-utils-image
+build-and-push-utils-image: export IMAGE ?= $(EMBEDDED_OPERATOR_UTILS_IMAGE):$(EMBEDDED_OPERATOR_UTILS_IMAGE_VERSION)
+build-and-push-utils-image: export VERSION ?= $(EMBEDDED_OPERATOR_UTILS_IMAGE_VERSION)
+build-and-push-utils-image: export APKO_CONFIG = deploy/images/utils/apko.tmpl.yaml
+build-and-push-utils-image: apko-login apko-build-and-publish
 
-.PHONY: push-local-artifact-mirror-image
-push-local-artifact-mirror-image:
-	docker push $(LOCAL_ARTIFACT_MIRROR_IMAGE_LOCATION)
+.PHONY: build-local-artifact-mirror-image
+build-local-artifact-mirror-image: export IMAGE ?= $(LOCAL_ARTIFACT_MIRROR_IMAGE):$(LOCAL_ARTIFACT_MIRROR_IMAGE_VERSION)
+build-local-artifact-mirror-image: export VERSION ?= $(LOCAL_ARTIFACT_MIRROR_IMAGE_VERSION)
+build-local-artifact-mirror-image: export MELANGE_CONFIG = deploy/packages/local-artifact-mirror/melange.tmpl.yaml
+build-local-artifact-mirror-image: export APKO_CONFIG = deploy/images/local-artifact-mirror/apko.tmpl.yaml
+build-local-artifact-mirror-image: melange-build apko-build
 
 .PHONY: build-and-push-local-artifact-mirror-image
-build-and-push-local-artifact-mirror-image: build-local-artifact-mirror-image push-local-artifact-mirror-image
+build-and-push-local-artifact-mirror-image: export IMAGE ?= $(LOCAL_ARTIFACT_MIRROR_IMAGE):$(LOCAL_ARTIFACT_MIRROR_IMAGE_VERSION)
+build-and-push-local-artifact-mirror-image: export VERSION ?= $(LOCAL_ARTIFACT_MIRROR_IMAGE_VERSION)
+build-and-push-local-artifact-mirror-image: export MELANGE_CONFIG = deploy/packages/local-artifact-mirror/melange.tmpl.yaml
+build-and-push-local-artifact-mirror-image: export APKO_CONFIG = deploy/images/local-artifact-mirror/apko.tmpl.yaml
+build-and-push-local-artifact-mirror-image: melange-build apko-login apko-build-and-publish
+
+CHAINGUARD_TOOLS_USE_DOCKER = 0
+ifeq ($(CHAINGUARD_TOOLS_USE_DOCKER),"1")
+MELANGE_CACHE_DIR ?= /go/pkg/mod
+APKO_CMD = docker run -v $(shell pwd):/work -w /work -v $(shell pwd)/build/.docker:/root/.docker cgr.dev/chainguard/apko
+MELANGE_CMD = docker run --privileged --rm -v $(shell pwd):/work -w /work -v "$(shell go env GOMODCACHE)":${MELANGE_CACHE_DIR} cgr.dev/chainguard/melange
+else
+MELANGE_CACHE_DIR ?= build/.melange-cache
+APKO_CMD = apko
+MELANGE_CMD = melange
+endif
+
+$(MELANGE_CACHE_DIR):
+	mkdir -p $(MELANGE_CACHE_DIR)
+
+.PHONY: apko-build
+apko-build: export ARCHS ?= amd64
+apko-build: check-env-IMAGE apko-template
+	cd build && ${APKO_CMD} \
+		build apko.yaml ${IMAGE} apko.tar \
+		--arch ${ARCHS}
+
+.PHONY: apko-build-and-publish
+apko-build-and-publish: export ARCHS ?= amd64
+apko-build-and-publish: check-env-IMAGE apko-template
+	cd build && ${APKO_CMD} \
+		publish apko.yaml ${IMAGE} \
+		--arch ${ARCHS} | tee digest
+
+.PHONY: apko-login
+apko-login:
+	rm -f build/.docker/config.json
+	@ { [ "${PASSWORD}" = "" ] || [ "${USERNAME}" = "" ] ; } || \
+	${APKO_CMD} \
+		login -u "${USERNAME}" \
+		--password "${PASSWORD}" "${REGISTRY}"
+
+.PHONY: melange-build
+melange-build: export ARCHS ?= amd64
+melange-build: $(MELANGE_CACHE_DIR) melange-template
+	${MELANGE_CMD} \
+		keygen build/melange.rsa
+	${MELANGE_CMD} \
+		build build/melange.yaml \
+		--arch ${ARCHS} \
+		--signing-key build/melange.rsa \
+		--cache-dir=$(MELANGE_CACHE_DIR) \
+		--source-dir . \
+		--out-dir build/packages/
+
+.PHONY: melange-template
+melange-template: check-env-MELANGE_CONFIG check-env-VERSION
+	mkdir -p build
+	envsubst '$${VERSION}' < ${MELANGE_CONFIG} > build/melange.yaml
+
+.PHONY: apko-template
+apko-template: check-env-APKO_CONFIG check-env-VERSION
+	mkdir -p build
+	envsubst '$${VERSION}' < ${APKO_CONFIG} > build/apko.yaml
 
 .PHONY: buildtools
 buildtools:
 	go build -o ./output/bin/buildtools ./cmd/buildtools
+
+.PHONY: cache-files
+cache-files: export EMBEDDED_OPERATOR_BINARY_URL_OVERRIDE
+cache-files:
+	./scripts/cache-files.sh
+
+## Location to install dependencies to
+LOCALBIN ?= $(shell pwd)/bin
+$(LOCALBIN):
+	mkdir -p $(LOCALBIN)
+
+## Tool Binaries
+MELANGE ?= $(LOCALBIN)/melange
+APKO ?= $(LOCALBIN)/apko
+
+# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
+ifeq (,$(shell go env GOBIN))
+GOBIN=$(shell go env GOPATH)/bin
+else
+GOBIN=$(shell go env GOBIN)
+endif
+
+melange: $(MELANGE)
+$(MELANGE): $(LOCALBIN)
+	go install chainguard.dev/melange@latest && \
+		test -s $(GOBIN)/melange && \
+		ln -sf $(GOBIN)/melange $(LOCALBIN)/melange
+
+apko: $(APKO)
+$(APKO): $(LOCALBIN)
+	go install chainguard.dev/apko@latest && \
+		test -s $(GOBIN)/apko && \
+		ln -sf $(GOBIN)/apko $(LOCALBIN)/apko
+
+print-%:
+	@echo -n $($*)
+
+check-env-%:
+	@ if [ "${${*}}" = "" ]; then \
+		echo "Environment variable $* not set"; \
+		exit 1; \
+	fi