Build envoy image with chainguard (#819)

replicatedhq · Jul 24, 2024 · 14fd302 · 14fd302
1 parent ade8217
commit 14fd302
Show file tree

Hide file tree

Showing 17 changed files with 223 additions and 149 deletions.
diff --git a/Makefile b/Makefile
@@ -2,18 +2,6 @@ VERSION ?= $(shell git describe --tags --dirty)
 UNAME := $(shell uname)
 ARCH := $(shell uname -m)
 APP_NAME = embedded-cluster
-COREDNS_IMAGE = proxy.replicated.com/anonymous/replicated/ec-coredns
-COREDNS_VERSION = 1.11.3-r3@sha256:7996a7ee8e1b7fec9a6dc216b01f0047cafbd551562bde44a2c6615ef8f3dbfc
-CALICO_NODE_IMAGE = proxy.replicated.com/anonymous/replicated/ec-calico-node
-CALICO_NODE_VERSION = 3.26.1-r16@sha256:7212746eda056c0b2833764d065e932fdddee2aced0170fd721197b19d13606e
-CALICO_CNI_IMAGE = proxy.replicated.com/anonymous/replicated/ec-calico-cni
-CALICO_CNI_VERSION = 3.26.1-r16@sha256:11d5bf25611ffc578e632e23e09767ca5a964f81ff311c47d2e98b686c2d0365
-CALICO_KUBE_CONTROLLERS_IMAGE = proxy.replicated.com/anonymous/replicated/ec-calico-kube-controllers
-CALICO_KUBE_CONTROLLERS_VERSION = 3.26.1-r16@sha256:74e845a0dbbd2b9ebd988c03ed53b88f2e2657c5defb2ed7796dda2583601111
-METRICS_SERVER_IMAGE = proxy.replicated.com/anonymous/replicated/ec-metrics-server
-METRICS_SERVER_VERSION = 0.6.4-r9@sha256:bd7d9ada28e299979174b2094d1eec7d653f793730b320dc7e90763c92452268
-KUBE_PROXY_IMAGE = proxy.replicated.com/anonymous/replicated/ec-kube-proxy
-KUBE_PROXY_VERSION = 1.29.5-r0@sha256:a329421a4574823411f4e4f3215a112596407a4bd5a96372b7059feb77258074
 ADMIN_CONSOLE_CHART_REPO_OVERRIDE =
 ADMIN_CONSOLE_IMAGE_OVERRIDE =
 ADMIN_CONSOLE_MIGRATIONS_IMAGE_OVERRIDE =
@@ -42,18 +30,6 @@ LD_FLAGS = \
 	-X github.com/replicatedhq/embedded-cluster/pkg/defaults.TroubleshootVersion=$(TROUBLESHOOT_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/defaults.KubectlVersion=$(KUBECTL_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/defaults.LocalArtifactMirrorImage=$(LOCAL_ARTIFACT_MIRROR_IMAGE_LOCATION) \
-	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CoreDNSImage=$(COREDNS_IMAGE) \
-	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CoreDNSVersion=$(COREDNS_VERSION) \
-	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CalicoNodeImage=$(CALICO_NODE_IMAGE) \
-	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CalicoNodeVersion=$(CALICO_NODE_VERSION) \
-	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CalicoCNIImage=$(CALICO_CNI_IMAGE) \
-	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CalicoCNIVersion=$(CALICO_CNI_VERSION) \
-	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CalicoKubeControllersImage=$(CALICO_KUBE_CONTROLLERS_IMAGE) \
-	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.CalicoKubeControllersVersion=$(CALICO_KUBE_CONTROLLERS_VERSION) \
-	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.MetricsServerImage=$(METRICS_SERVER_IMAGE) \
-	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.MetricsServerVersion=$(METRICS_SERVER_VERSION) \
-	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.KubeProxyImage=$(KUBE_PROXY_IMAGE) \
-	-X github.com/replicatedhq/embedded-cluster/pkg/config/images.KubeProxyVersion=$(KUBE_PROXY_VERSION) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/adminconsole.ChartRepoOverride=$(ADMIN_CONSOLE_CHART_REPO_OVERRIDE) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/adminconsole.KurlProxyImageOverride=$(ADMIN_CONSOLE_KURL_PROXY_IMAGE_OVERRIDE) \
 	-X github.com/replicatedhq/embedded-cluster/pkg/addons/adminconsole.KotsVersion=$(KOTS_VERSION) \

diff --git a/cmd/buildtools/addon.go b/cmd/buildtools/addon.go
@@ -7,10 +7,9 @@ import (
 )
 
 type addonComponent struct {
-	getWolfiPackageName              func(k0sVersion *semver.Version, upstreamVersion string) string
-	getWolfiPackageVersionComparison func(k0sVersion *semver.Version, upstreamVersion string) string
+	getWolfiPackageName              func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string
+	getWolfiPackageVersionComparison func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string
 	upstreamVersionInputOverride     string
-	makefileVar                      string
 }
 
 func (c *addonComponent) getPackageNameAndVersion(wolfiAPKIndex []byte, k0sVersion *semver.Version, upstreamVersion string) (string, string, error) {
@@ -20,12 +19,12 @@ func (c *addonComponent) getPackageNameAndVersion(wolfiAPKIndex []byte, k0sVersi
 	}
 
 	if c.getWolfiPackageName != nil {
-		packageName = c.getWolfiPackageName(k0sVersion, upstreamVersion)
+		packageName = c.getWolfiPackageName(k0sVersion, semver.MustParse(upstreamVersion))
 	}
 
 	comparison := "=" + upstreamVersion
 	if c.getWolfiPackageVersionComparison != nil {
-		comparison = c.getWolfiPackageVersionComparison(k0sVersion, upstreamVersion)
+		comparison = c.getWolfiPackageVersionComparison(k0sVersion, semver.MustParse(upstreamVersion))
 	}
 	constraints, err := semver.NewConstraint(comparison)
 	if err != nil {

diff --git a/cmd/buildtools/embeddedclusteroperator.go b/cmd/buildtools/embeddedclusteroperator.go
@@ -50,9 +50,9 @@ var updateOperatorAddonCommand = &cli.Command{
 
 		logrus.Infof("extracting images from chart")
 		withproto := fmt.Sprintf("oci://%s", upstream)
-		images, err := GetImagesFromOCIChart(withproto, "adminconsole", latest, values)
+		images, err := GetImagesFromOCIChart(withproto, "embeddedclusteroperator", latest, values)
 		if err != nil {
-			return fmt.Errorf("failed to get images from admin console chart: %w", err)
+			return fmt.Errorf("failed to get images from embedded cluster operator chart: %w", err)
 		}
 
 		// make sure we include the operator util image as it does not show up

diff --git a/cmd/buildtools/k0s.go b/cmd/buildtools/k0s.go
@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"github.com/Masterminds/semver/v3"
+	"github.com/replicatedhq/embedded-cluster/pkg/release"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
 )
@@ -20,48 +21,48 @@ var k0sImageComponents = map[string]string{
 	"quay.io/k0sproject/calico-kube-controllers":    "calico-kube-controllers",
 	"registry.k8s.io/metrics-server/metrics-server": "metrics-server",
 	"quay.io/k0sproject/kube-proxy":                 "kube-proxy",
+	"quay.io/k0sproject/envoy-distroless":           "envoy-distroless",
 }
 
 var k0sComponents = map[string]addonComponent{
 	"coredns": {
-		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion string) string {
+		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
 			return "coredns"
 		},
-		makefileVar: "COREDNS_VERSION",
 	},
 	"calico-node": {
-		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion string) string {
+		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
 			return "calico-node"
 		},
-		makefileVar: "CALICO_NODE_VERSION",
 	},
 	"calico-cni": {
-		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion string) string {
+		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
 			return "calico-cni"
 		},
-		makefileVar: "CALICO_CNI_VERSION",
 	},
 	"calico-kube-controllers": {
-		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion string) string {
+		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
 			return "calico-kube-controllers"
 		},
-		makefileVar: "CALICO_KUBE_CONTROLLERS_VERSION",
 	},
 	"metrics-server": {
-		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion string) string {
+		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
 			return "metrics-server"
 		},
-		makefileVar: "METRICS_SERVER_VERSION",
 	},
 	"kube-proxy": {
-		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion string) string {
+		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
 			return fmt.Sprintf("kube-proxy-%d.%d-default", k0sVersion.Major(), k0sVersion.Minor())
 		},
-		getWolfiPackageVersionComparison: func(k0sVersion *semver.Version, upstreamVersion string) string {
+		getWolfiPackageVersionComparison: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
 			// match the greatest patch version of the same minor version
 			return fmt.Sprintf(">=%d.%d, <%d.%d", k0sVersion.Major(), k0sVersion.Minor(), k0sVersion.Major(), k0sVersion.Minor()+1)
 		},
-		makefileVar: "KUBE_PROXY_VERSION",
+	},
+	"envoy-distroless": {
+		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
+			return fmt.Sprintf("envoy-%d.%d", upstreamVersion.Major(), upstreamVersion.Minor())
+		},
 	},
 }
 
@@ -72,23 +73,23 @@ var updateK0sImagesCommand = &cli.Command{
 	Action: func(c *cli.Context) error {
 		logrus.Infof("updating k0s images")
 
-		rawK0sVersion := os.Getenv("INPUT_K0S_VERSION")
-		if rawK0sVersion != "" {
-			logrus.Infof("using input override from INPUT_K0S_VERSION: %s", rawK0sVersion)
-		} else {
-			rawver, err := GetMakefileVariable("K0S_VERSION")
-			if err != nil {
-				return fmt.Errorf("failed to get k0s version: %w", err)
-			}
-			rawK0sVersion = rawver
+		newmeta := release.K0sMetadata{
+			Images: make(map[string]string),
 		}
 
-		images, err := listK0sImages(rawK0sVersion)
-		if err != nil {
+		if err := makeK0s(); err != nil {
 			return fmt.Errorf("failed to make k0s: %w", err)
 		}
 
-		k0sVersion := semver.MustParse(rawK0sVersion)
+		images, err := listK0sImages()
+		if err != nil {
+			return fmt.Errorf("failed to list k0s images: %w", err)
+		}
+
+		k0sVersion, err := getK0sVersion()
+		if err != nil {
+			return fmt.Errorf("failed to get k0s version: %w", err)
+		}
 
 		if err := ApkoLogin(); err != nil {
 			return fmt.Errorf("failed to apko login: %w", err)
@@ -134,26 +135,51 @@ var updateK0sImagesCommand = &cli.Command{
 				return fmt.Errorf("failed to get digest from build file: %w", err)
 			}
 
-			if err := SetMakefileVariable(component.makefileVar, fmt.Sprintf("%s@%s", packageVersion, digest)); err != nil {
-				return fmt.Errorf("failed to set %s version: %w", componentName, err)
-			}
+			newmeta.Images[componentName] = fmt.Sprintf("%s@%s", packageVersion, digest)
+		}
+
+		logrus.Infof("saving k0s metadata")
+		if err := newmeta.Save(); err != nil {
+			return fmt.Errorf("failed to save k0s metadata: %w", err)
 		}
 
 		return nil
 	},
 }
 
-func listK0sImages(k0sVersion string) ([]string, error) {
-	cmd := exec.Command("make", "pkg/goods/bins/k0s", fmt.Sprintf("K0S_VERSION=%s", k0sVersion))
-	if err := RunCommand(cmd); err != nil {
-		return nil, fmt.Errorf("make k0s: %w", err)
+func getK0sVersion() (*semver.Version, error) {
+	if v := os.Getenv("INPUT_K0S_VERSION"); v != "" {
+		logrus.Infof("using input override from INPUT_K0S_VERSION: %s", v)
+		return semver.MustParse(v), nil
+	}
+	v, err := GetMakefileVariable("K0S_VERSION")
+	if err != nil {
+		return nil, fmt.Errorf("failed to get k0s version: %w", err)
 	}
+	return semver.MustParse(v), nil
+}
 
+func makeK0s() error {
+	if v := os.Getenv("INPUT_K0S_VERSION"); v != "" {
+		logrus.Infof("using input override from INPUT_K0S_VERSION: %s", v)
+		cmd := exec.Command("make", "pkg/goods/bins/k0s", fmt.Sprintf("K0S_VERSION=%s", v), "K0S_BINARY_SOURCE_OVERRIDE=")
+		if err := RunCommand(cmd); err != nil {
+			return fmt.Errorf("make k0s: %w", err)
+		}
+	} else {
+		cmd := exec.Command("make", "pkg/goods/bins/k0s")
+		if err := RunCommand(cmd); err != nil {
+			return fmt.Errorf("make k0s: %w", err)
+		}
+	}
+	return nil
+}
+
+func listK0sImages() ([]string, error) {
 	output, err := exec.Command("pkg/goods/bins/k0s", "airgap", "list-images", "--all").Output()
 	if err != nil {
 		return nil, fmt.Errorf("list k0s images: %w", err)
 	}
-
 	images := []string{}
 	scanner := bufio.NewScanner(bytes.NewReader(output))
 	for scanner.Scan() {
@@ -164,6 +190,5 @@ func listK0sImages(k0sVersion string) ([]string, error) {
 		}
 		images = append(images, image)
 	}
-
 	return images, nil
 }
diff --git a/cmd/buildtools/openebs.go b/cmd/buildtools/openebs.go
@@ -21,7 +21,7 @@ var openebsImageComponents = map[string]string{
 
 var openebsComponents = map[string]addonComponent{
 	"openebs-provisioner-localpv": {
-		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion string) string {
+		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
 			// package name is not the same as the component name
 			return "dynamic-localpv-provisioner"
 		},
@@ -31,10 +31,10 @@ var openebsComponents = map[string]addonComponent{
 		upstreamVersionInputOverride: "INPUT_OPENEBS_VERSION",
 	},
 	"kubectl": {
-		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion string) string {
+		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
 			return fmt.Sprintf("kubectl-%d.%d-default", k0sVersion.Major(), k0sVersion.Minor())
 		},
-		getWolfiPackageVersionComparison: func(k0sVersion *semver.Version, upstreamVersion string) string {
+		getWolfiPackageVersionComparison: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
 			// match the greatest patch version of the same minor version
 			return fmt.Sprintf(">=%d.%d, <%d.%d", k0sVersion.Major(), k0sVersion.Minor(), k0sVersion.Major(), k0sVersion.Minor()+1)
 		},
@@ -116,15 +116,10 @@ func updateOpenEBSAddonImages(ctx context.Context, chartURL string, chartVersion
 		Images:   make(map[string]string),
 	}
 
-	rawver := os.Getenv("INPUT_K0S_VERSION")
-	if rawver == "" {
-		v, err := GetMakefileVariable("K0S_VERSION")
-		if err != nil {
-			return fmt.Errorf("failed to get k0s version: %w", err)
-		}
-		rawver = v
+	k0sVersion, err := getK0sVersion()
+	if err != nil {
+		return fmt.Errorf("failed to get k0s version: %w", err)
 	}
-	k0sVersion := semver.MustParse(rawver)
 
 	logrus.Infof("fetching wolfi apk index")
 	wolfiAPKIndex, err := GetWolfiAPKIndex()
@@ -140,7 +135,7 @@ func updateOpenEBSAddonImages(ctx context.Context, chartURL string, chartVersion
 	logrus.Infof("extracting images from chart version %s", chartVersion)
 	images, err := GetImagesFromOCIChart(chartURL, "openebs", chartVersion, values)
 	if err != nil {
-		return fmt.Errorf("failed to get images from admin console chart: %w", err)
+		return fmt.Errorf("failed to get images from openebs chart: %w", err)
 	}
 
 	// make sure we include the linux-utils image.

diff --git a/cmd/buildtools/velero.go b/cmd/buildtools/velero.go
@@ -37,10 +37,10 @@ var veleroComponents = map[string]addonComponent{
 		upstreamVersionInputOverride: "INPUT_VELERO_VERSION",
 	},
 	"kubectl": {
-		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion string) string {
+		getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
 			return fmt.Sprintf("kubectl-%d.%d-default", k0sVersion.Major(), k0sVersion.Minor())
 		},
-		getWolfiPackageVersionComparison: func(k0sVersion *semver.Version, upstreamVersion string) string {
+		getWolfiPackageVersionComparison: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
 			// match the greatest patch version of the same minor version
 			return fmt.Sprintf(">=%d.%d, <%d.%d", k0sVersion.Major(), k0sVersion.Minor(), k0sVersion.Major(), k0sVersion.Minor()+1)
 		},
@@ -149,7 +149,7 @@ func findVeleroVersionFromChart(ctx context.Context, chartURL string, chartVersi
 	}
 	images, err := GetImagesFromOCIChart(chartURL, "velero", chartVersion, values)
 	if err != nil {
-		return "", fmt.Errorf("failed to get images from admin console chart: %w", err)
+		return "", fmt.Errorf("failed to get images from velero chart: %w", err)
 	}
 
 	for _, image := range images {
@@ -186,15 +186,10 @@ func updateVeleroAddonImages(ctx context.Context, chartURL string, chartVersion
 		Images:   make(map[string]string),
 	}
 
-	rawver := os.Getenv("INPUT_K0S_VERSION")
-	if rawver == "" {
-		v, err := GetMakefileVariable("K0S_VERSION")
-		if err != nil {
-			return fmt.Errorf("failed to get k0s version: %w", err)
-		}
-		rawver = v
+	k0sVersion, err := getK0sVersion()
+	if err != nil {
+		return fmt.Errorf("failed to get k0s version: %w", err)
 	}
-	k0sVersion := semver.MustParse(rawver)
 
 	logrus.Infof("fetching wolfi apk index")
 	wolfiAPKIndex, err := GetWolfiAPKIndex()
@@ -210,7 +205,7 @@ func updateVeleroAddonImages(ctx context.Context, chartURL string, chartVersion
 	logrus.Infof("extracting images from chart version %s", chartVersion)
 	images, err := GetImagesFromOCIChart(chartURL, "velero", chartVersion, values)
 	if err != nil {
-		return fmt.Errorf("failed to get images from admin console chart: %w", err)
+		return fmt.Errorf("failed to get images from velero chart: %w", err)
 	}
 
 	// make sure we include additional images

diff --git a/deploy/images/envoy-distroless/apko.tmpl.yaml b/deploy/images/envoy-distroless/apko.tmpl.yaml
@@ -0,0 +1,31 @@
+# source: https://github.com/chainguard-images/images/blob/ff274276f4f9a96753ea89fa916b7a9396f2d59a/images/envoy/config/main.tf
+contents:
+  repositories:
+    - https://packages.wolfi.dev/os
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+  packages:
+    - envoy=${PACKAGE_VERSION}
+    - envoy-config=${PACKAGE_VERSION}
+    - envoy-oci-entrypoint=${PACKAGE_VERSION}
+    - su-exec
+
+accounts:
+  groups:
+    - groupname: nonroot
+      gid: 65532
+  users:
+    - username: nonroot
+      uid: 65532
+      gid: 65532
+  run-as: 65532
+
+paths:
+  - path: /etc/envoy
+    type: directory
+    uid: 65532
+    gid: 65532
+    permissions: 0o755
+
+entrypoint:
+  command: /var/lib/envoy/init/envoy-entrypoint.sh
diff --git a/pkg/addons/adminconsole/adminconsole.go b/pkg/addons/adminconsole/adminconsole.go
@@ -42,7 +42,7 @@ var (
 	helmValues map[string]interface{}
 	//go:embed static/metadata.yaml
 	rawmetadata []byte
-	// Metadata is the unmarchal version of rawmetadata.
+	// Metadata is the unmarshal version of rawmetadata.
 	Metadata release.AddonMetadata
 	// protectedFields are helm values that are not overwritten when upgrading the addon.
 	protectedFields = []string{"automation", "embeddedClusterID", "isAirgap"}