feat: build k0s images with chainguard (#793)

* feat: build k0s images with chainguard

---------

Co-authored-by: Ethan Mosbaugh <[email protected]>

Author: sgalsaleh

.github/workflows/image-deps-updater.yaml

@@ -0,0 +1,55 @@
+name: Update image deps
+
+on:
+  schedule:
+    - cron: '0 4 * * *'
+  workflow_dispatch:
+    inputs:
+      k0s-version:
+        description: 'K0s version for discovering image versions'
+        required: false
+
+jobs:
+  update-k0s-images:
+    runs-on: ubuntu-20.04
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Setup Go
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: go.mod
+
+    - name: Compile buildtools
+      run: make buildtools
+
+    - name: Update k0s images
+      env:
+        REGISTRY_SERVER: docker.io
+        REGISTRY_USER: ${{ secrets.DOCKERHUB_USER }}
+        REGISTRY_PASS: ${{ secrets.DOCKERHUB_PASSWORD }}
+      run: ./output/bin/buildtools update images k0s
+
+    - name: Create Pull Request # creates a PR if there are differences
+      uses: peter-evans/create-pull-request@v6
+      id: cpr
+      with:
+        token: ${{ secrets.AUTOMATED_PR_GH_PAT }}
+        commit-message: 'Update image versions'
+        title: 'Automated image updates'
+        branch: automation/image-dependencies
+        delete-branch: true
+        labels: |
+          automated-pr
+          images
+          type::security
+        draft: false
+        base: "main"
+        body: "Automated changes by the [image-deps-updater](https://github.com/replicatedhq/embedded-cluster/blob/main/.github/workflows/image-deps-updater.yaml) GitHub action"
+
+    - name: Check outputs
+      if: ${{ steps.cpr.outputs.pull-request-number }}
+      run: |
+        echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+        echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"

Makefile

@@ -2,6 +2,12 @@ VERSION ?= $(shell git describe --tags --dirty)
 UNAME := $(shell uname)
 ARCH := $(shell uname -m)
 APP_NAME = embedded-cluster
+COREDNS_IMAGE = proxy.replicated.com/anonymous/replicated/ec-coredns
+COREDNS_VERSION = 1.11.3-r3@sha256:7996a7ee8e1b7fec9a6dc216b01f0047cafbd551562bde44a2c6615ef8f3dbfc
+CALICO_NODE_IMAGE = proxy.replicated.com/anonymous/replicated/ec-calico-node
+CALICO_NODE_VERSION = 3.26.1-r16@sha256:f2d58c94a900bf33174d81cb270dfdf070350954fd2e4e7edeccc2dad2f855b6
+METRICS_SERVER_IMAGE = proxy.replicated.com/anonymous/replicated/ec-metrics-server
+METRICS_SERVER_VERSION = 0.6.4-r9@sha256:bd7d9ada28e299979174b2094d1eec7d653f793730b320dc7e90763c92452268
 ADMIN_CONSOLE_CHART_REPO_OVERRIDE =
 ADMIN_CONSOLE_CHART_VERSION = 1.112.1-build.1
 ADMIN_CONSOLE_IMAGE_OVERRIDE =
@@ -38,6 +44,12 @@ LD_FLAGS = -X github.com/replicatedhq/embedded-cluster/pkg/defaults.K0sVersion=$
 	-X github.com/replicatedhq/embedded-cluster/pkg/defaults.TroubleshootVersion=$(TROUBLESHOOT_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/defaults.KubectlVersion=$(KUBECTL_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/defaults.LocalArtifactMirrorImage=$(LOCAL_ARTIFACT_MIRROR_IMAGE_LOCATION) \
+	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CoreDNSImage=$(COREDNS_IMAGE) \
+	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CoreDNSVersion=$(COREDNS_VERSION) \
+	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CalicoNodeImage=$(CALICO_NODE_IMAGE) \
+	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CalicoNodeVersion=$(CALICO_NODE_VERSION) \
+	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.MetricsServerImage=$(METRICS_SERVER_IMAGE) \
+	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.MetricsServerVersion=$(METRICS_SERVER_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/adminconsole.ChartRepoOverride=$(ADMIN_CONSOLE_CHART_REPO_OVERRIDE) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/adminconsole.Version=$(ADMIN_CONSOLE_CHART_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/adminconsole.ImageOverride=$(ADMIN_CONSOLE_IMAGE_OVERRIDE) \

cmd/buildtools/k0s.go

@@ -0,0 +1,164 @@
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli/v2"
+)
+
+var k0sComponents = []struct {
+	name        string
+	makefileVar string
+}{
+	{
+		name:        "coredns",
+		makefileVar: "COREDNS_VERSION",
+	},
+	{
+		name:        "calico-node",
+		makefileVar: "CALICO_NODE_VERSION",
+	},
+	{
+		name:        "metrics-server",
+		makefileVar: "METRICS_SERVER_VERSION",
+	},
+}
+
+var updateK0sImagesCommand = &cli.Command{
+	Name:      "k0s",
+	Usage:     "Updates the k0s images",
+	UsageText: environmentUsageText,
+	Flags: []cli.Flag{
+		&cli.StringFlag{
+			Name:  "k0s-version",
+			Usage: "The version of k0s to use to determine image versions",
+		},
+	},
+	Action: func(c *cli.Context) error {
+		logrus.Infof("updating k0s images")
+
+		k0sVersion := c.String("k0s-version")
+		if k0sVersion != "" {
+			if err := runCommand("make", "pkg/goods/bins/k0s", fmt.Sprintf("K0S_VERSION=%s", k0sVersion), "K0S_BINARY_SOURCE_OVERRIDE="); err != nil {
+				return fmt.Errorf("failed to make k0s: %w", err)
+			}
+		} else {
+			if err := runCommand("make", "pkg/goods/bins/k0s"); err != nil {
+				return fmt.Errorf("failed to make k0s: %w", err)
+			}
+		}
+
+		if err := runCommand("make", "apko"); err != nil {
+			return fmt.Errorf("failed to make apko: %w", err)
+		}
+
+		if os.Getenv("REGISTRY_PASS") != "" {
+			if err := runCommand(
+				"make",
+				"apko-login",
+				fmt.Sprintf("REGISTRY=%s", os.Getenv("REGISTRY_SERVER")),
+				fmt.Sprintf("USERNAME=%s", os.Getenv("REGISTRY_USER")),
+				fmt.Sprintf("PASSWORD=%s", os.Getenv("REGISTRY_PASS")),
+			); err != nil {
+				return fmt.Errorf("failed to apko login: %w", err)
+			}
+		}
+
+		wolfiAPKIndex, err := GetWolfiAPKIndex()
+		if err != nil {
+			return fmt.Errorf("failed to get APK index: %w", err)
+		}
+
+		for _, component := range k0sComponents {
+			upstreamVersion, err := getUpstreamVersion(component.name)
+			if err != nil {
+				return fmt.Errorf("failed to get upstream version for %s: %w", component.name, err)
+			}
+
+			packageVersion, err := GetWolfiPackageVersion(wolfiAPKIndex, component.name, upstreamVersion)
+			if err != nil {
+				return fmt.Errorf("failed to get package version for %s: %w", component.name, err)
+			}
+
+			if err := runCommand(
+				"make",
+				"apko-build-and-publish",
+				fmt.Sprintf("IMAGE=%s/replicated/ec-%s:%s", os.Getenv("REGISTRY_SERVER"), component.name, packageVersion),
+				fmt.Sprintf("APKO_CONFIG=%s", filepath.Join("deploy", "images", component.name, "apko.tmpl.yaml")),
+				fmt.Sprintf("PACKAGE_VERSION=%s", packageVersion),
+			); err != nil {
+				return fmt.Errorf("failed to build and publish apko for %s: %w", component.name, err)
+			}
+
+			digest, err := getDigestFromBuildFile()
+			if err != nil {
+				return fmt.Errorf("failed to get digest from build file: %w", err)
+			}
+
+			if err := SetMakefileVariable(component.makefileVar, fmt.Sprintf("%s@%s", packageVersion, digest)); err != nil {
+				return fmt.Errorf("failed to set %s version: %w", component.name, err)
+			}
+		}
+
+		return nil
+	},
+}
+
+func getUpstreamVersion(name string) (string, error) {
+	output, err := exec.Command("pkg/goods/bins/k0s", "airgap", "list-images", "--all").Output()
+	if err != nil {
+		return "", fmt.Errorf("list k0s images: %w", err)
+	}
+
+	// example output:
+	// quay.io/k0sproject/calico-node:v3.26.1-1
+	// quay.io/k0sproject/coredns:1.11.3
+	// quay.io/k0sproject/apiserver-network-proxy-agent:v0.1.4
+
+	version := ""
+	scanner := bufio.NewScanner(bytes.NewReader(output))
+	for scanner.Scan() {
+		line := scanner.Text()
+		if !strings.Contains(line, "/"+name+":") {
+			continue
+		}
+		parts := strings.Split(line, ":")
+		if len(parts) != 2 {
+			return "", fmt.Errorf("incorrect number of parts in image line: %s", line)
+		}
+		version = strings.TrimPrefix(parts[1], "v")
+		version = strings.Split(version, "-")[0]
+		break
+	}
+
+	if version == "" {
+		return "", fmt.Errorf("%q image not found", name)
+	}
+	return version, nil
+}
+
+func getDigestFromBuildFile() (string, error) {
+	contents, err := os.ReadFile("build/digest")
+	if err != nil {
+		return "", fmt.Errorf("read build file: %w", err)
+	}
+	parts := strings.Split(string(contents), "@")
+	if len(parts) != 2 {
+		return "", fmt.Errorf("incorrect number of parts in build file")
+	}
+	return strings.TrimSpace(parts[1]), nil
+}
+
+func runCommand(name string, args ...string) error {
+	cmd := exec.Command(name, args...)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
+}

cmd/buildtools/main.go

@@ -12,7 +12,7 @@ import (
 
 const environmentUsageText = `
 This script uses the following environment variables:
-- REGISTRY_SERVER: the registry server to push the chart to (used for authentication, e.g. index.docker.io)
+- REGISTRY_SERVER: the registry server to push the chart/image to (only used for authentication in the case of charts, e.g. index.docker.io)
 - REGISTRY_USER: the username to authenticate with.
 - REGISTRY_PASS: the password to authenticate with.
 - DESTINATION: the destination repository to push the chart to (e.g. oci://ttl.sh/embedded-cluster-charts)
@@ -29,7 +29,7 @@ func main() {
 		Name:  "buildtools",
 		Usage: "Provide a set of tools for building embedded cluster binarires",
 		Commands: []*cli.Command{
-			addonCommand,
+			updateCommand,
 		},
 	}
 	if err := app.RunContext(ctx, os.Args); err != nil {

cmd/buildtools/addon.go renamed to cmd/buildtools/update.go

@@ -4,27 +4,36 @@ import (
 	"github.com/urfave/cli/v2"
 )
 
-var addonCommand = &cli.Command{
+var updateCommand = &cli.Command{
 	Name:  "update",
-	Usage: "Manage the embedded cluster addons",
-	Flags: []cli.Flag{
-		&cli.BoolFlag{
-			Name:  "force",
-			Usage: "Pushes the addon chart even if no new version was found",
-		},
-	},
+	Usage: "Manage the embedded cluster components",
 	Subcommands: []*cli.Command{
 		updateAddonCommand,
+		updateImagesCommand,
 	},
 }
 
 var updateAddonCommand = &cli.Command{
 	Name:  "addon",
 	Usage: "Update an embedded cluster addon by copying the chart to the Replicated registry and setting the version in the Makefile",
+	Flags: []cli.Flag{
+		&cli.BoolFlag{
+			Name:  "force",
+			Usage: "Pushes the addon chart even if no new version was found",
+		},
+	},
 	Subcommands: []*cli.Command{
 		updateOpenEBSAddonCommand,
 		updateSeaweedFSAddonCommand,
 		updateRegistryAddonCommand,
 		updateVeleroAddonCommand,
 	},
 }
+
+var updateImagesCommand = &cli.Command{
+	Name:  "images",
+	Usage: "Update embedded cluster images",
+	Subcommands: []*cli.Command{
+		updateK0sImagesCommand,
+	},
+}