Build pause image with chainguard (#833)
sgalsaleh authored Jul 25, 2024
1 parent 3a0f78b commit e8d30a1
Showing 8 changed files with 60 additions and 53 deletions.
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -252,7 +252,7 @@ melange-template: check-env-MELANGE_CONFIG check-env-PACKAGE_VERSION
.PHONY: apko-template
apko-template: check-env-APKO_CONFIG check-env-PACKAGE_VERSION
mkdir -p build
envsubst '$${PACKAGE_NAME} $${PACKAGE_VERSION}' < ${APKO_CONFIG} > build/apko.yaml
envsubst '$${PACKAGE_NAME} $${PACKAGE_VERSION} $${UPSTREAM_VERSION}' < ${APKO_CONFIG} > build/apko.yaml

.PHONY: buildtools
buildtools:
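Review bot: The `apko-template` prerequisites check only `APKO_CONFIG` and `PACKAGE_VERSION`, so nothing stops the recipe from running with `UPSTREAM_VERSION` unset, in which case envsubst writes an empty string into build/apko.yaml. For the pause template added in this commit that renders the entrypoint as `/usr/bin/pause-`, and as far as this recipe is concerned the build still goes through. If every caller is expected to pass the variable, adding `check-env-UPSTREAM_VERSION` to the prerequisite list (assuming `check-env-%` is a pattern rule, as the two existing prerequisites suggest) would fail early instead; whether other callers of this target set it is not visible here.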
67 changes: 19 additions & 48 deletions cmd/buildtools/k0s.go
@@ -1,14 +1,13 @@
package main

import (
"bufio"
"bytes"
"fmt"
"os"
"os/exec"
"strings"

"github.com/Masterminds/semver/v3"
k0sconfig "github.com/k0sproject/k0s/pkg/apis/k0s/v1beta1"
"github.com/replicatedhq/embedded-cluster/pkg/config"
"github.com/replicatedhq/embedded-cluster/pkg/release"
"github.com/sirupsen/logrus"
"github.com/urfave/cli/v2"
Expand All @@ -22,6 +21,7 @@ var k0sImageComponents = map[string]string{
"registry.k8s.io/metrics-server/metrics-server": "metrics-server",
"quay.io/k0sproject/kube-proxy": "kube-proxy",
"quay.io/k0sproject/envoy-distroless": "envoy-distroless",
"registry.k8s.io/pause": "pause",
}

var k0sComponents = map[string]addonComponent{
Expand Down Expand Up @@ -55,7 +55,8 @@ var k0sComponents = map[string]addonComponent{
return fmt.Sprintf("kube-proxy-%d.%d-default", k0sVersion.Major(), k0sVersion.Minor())
},
getWolfiPackageVersionComparison: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
// match the greatest patch version of the same minor version
// current k0s version is 1.29.6, which isn't available in wolfi packages, latest for that minor is 1.29.5
// to workaround this, match the greatest patch version of the same minor version
return fmt.Sprintf(">=%d.%d, <%d.%d", k0sVersion.Major(), k0sVersion.Minor(), k0sVersion.Major(), k0sVersion.Minor()+1)
},
},
Expand All @@ -64,6 +65,17 @@ var k0sComponents = map[string]addonComponent{
return fmt.Sprintf("envoy-%d.%d", upstreamVersion.Major(), upstreamVersion.Minor())
},
},
"pause": {
getWolfiPackageName: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
return fmt.Sprintf("kubernetes-pause-%d.%d", upstreamVersion.Major(), upstreamVersion.Minor())
},
getWolfiPackageVersionComparison: func(k0sVersion *semver.Version, upstreamVersion *semver.Version) string {
// pause package version follows the k8s version
// current k0s version is 1.29.6, which isn't available in wolfi packages, latest for that minor is 1.29.5
// to workaround this, match the greatest patch version of the same minor version
return fmt.Sprintf(">=%d.%d, <%d.%d", k0sVersion.Major(), k0sVersion.Minor(), k0sVersion.Major(), k0sVersion.Minor()+1)
},
},
}

var updateK0sImagesCommand = &cli.Command{
Expand All @@ -77,14 +89,7 @@ var updateK0sImagesCommand = &cli.Command{
Images: make(map[string]string),
}

if err := makeK0s(); err != nil {
return fmt.Errorf("failed to make k0s: %w", err)
}

images, err := listK0sImages()
if err != nil {
return fmt.Errorf("failed to list k0s images: %w", err)
}
k0sImages := config.ListK0sImages(k0sconfig.DefaultClusterConfig())

k0sVersion, err := getK0sVersion()
if err != nil {
Expand All @@ -100,7 +105,7 @@ var updateK0sImagesCommand = &cli.Command{
return fmt.Errorf("failed to get APK index: %w", err)
}

for _, image := range images {
for _, image := range k0sImages {
logrus.Infof("updating image %s", image)

upstreamVersion := TagFromImage(image)
Expand All @@ -126,7 +131,7 @@ var updateK0sImagesCommand = &cli.Command{

logrus.Infof("building and publishing %s, %s=%s", componentName, packageName, packageVersion)

if err := ApkoBuildAndPublish(componentName, packageName, packageVersion); err != nil {
if err := ApkoBuildAndPublish(componentName, packageName, packageVersion, upstreamVersion); err != nil {
return fmt.Errorf("failed to apko build and publish for %s: %w", componentName, err)
}

Expand Down Expand Up @@ -158,37 +163,3 @@ func getK0sVersion() (*semver.Version, error) {
}
return semver.MustParse(v), nil
}

func makeK0s() error {
if v := os.Getenv("INPUT_K0S_VERSION"); v != "" {
logrus.Infof("using input override from INPUT_K0S_VERSION: %s", v)
cmd := exec.Command("make", "pkg/goods/bins/k0s", fmt.Sprintf("K0S_VERSION=%s", v), "K0S_BINARY_SOURCE_OVERRIDE=")
if err := RunCommand(cmd); err != nil {
return fmt.Errorf("make k0s: %w", err)
}
} else {
cmd := exec.Command("make", "pkg/goods/bins/k0s")
if err := RunCommand(cmd); err != nil {
return fmt.Errorf("make k0s: %w", err)
}
}
return nil
}

func listK0sImages() ([]string, error) {
output, err := exec.Command("pkg/goods/bins/k0s", "airgap", "list-images", "--all").Output()
if err != nil {
return nil, fmt.Errorf("list k0s images: %w", err)
}
images := []string{}
scanner := bufio.NewScanner(bytes.NewReader(output))
for scanner.Scan() {
image := scanner.Text()
if _, ok := k0sImageComponents[RemoveTagFromImage(image)]; !ok {
logrus.Warnf("skipping image %q as it is not in the list", image)
continue
}
images = append(images, image)
}
return images, nil
}
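Review bot: With an `INPUT_K0S_VERSION` override, the image tags and the package version constraints in `updateK0sImagesCommand` can now come from two different k0s releases: `k0sImages` is read from the k0s module compiled into buildtools, while the removed `makeK0s` built the binary for the overridden version before listing. Only the tail of `getK0sVersion` is visible, so this applies if it still honours the override. The removed `listK0sImages` also skipped, with a warning, any image missing from `k0sImageComponents`; the loop body between the hunks is not shown, so it is worth confirming that an unknown image is still skipped or rejected there rather than built under an empty component name. At minimum a comment on the new call would record the source, e.g. `// image list comes from the vendored k0s module defaults, not from INPUT_K0S_VERSION`.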
2 changes: 1 addition & 1 deletion cmd/buildtools/openebs.go
Expand Up @@ -176,7 +176,7 @@ func updateOpenEBSAddonImages(ctx context.Context, chartURL string, chartVersion

logrus.Infof("building and publishing %s, %s=%s", componentName, packageName, packageVersion)

if err := ApkoBuildAndPublish(componentName, packageName, packageVersion); err != nil {
if err := ApkoBuildAndPublish(componentName, packageName, packageVersion, upstreamVersion); err != nil {
return fmt.Errorf("failed to apko build and publish for %s: %w", componentName, err)
}

3 changes: 2 additions & 1 deletion cmd/buildtools/utils.go
Expand Up @@ -188,13 +188,14 @@ func ApkoLogin() error {
return nil
}

func ApkoBuildAndPublish(componentName string, packageName string, packageVersion string) error {
func ApkoBuildAndPublish(componentName string, packageName string, packageVersion string, upstreamVersion string) error {
args := []string{
"apko-build-and-publish",
fmt.Sprintf("IMAGE=%s/replicated/ec-%s:%s", os.Getenv("IMAGES_REGISTRY_SERVER"), componentName, packageVersion),
fmt.Sprintf("APKO_CONFIG=%s", filepath.Join("deploy", "images", componentName, "apko.tmpl.yaml")),
fmt.Sprintf("PACKAGE_NAME=%s", packageName),
fmt.Sprintf("PACKAGE_VERSION=%s", packageVersion),
fmt.Sprintf("UPSTREAM_VERSION=%s", upstreamVersion),
}
cmd := exec.Command("make", args...)
if err := RunCommand(cmd); err != nil {
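Review bot: `upstreamVersion` reaches the `UPSTREAM_VERSION=` make variable, and from there the rendered apko.yaml, without any format check in `ApkoBuildAndPublish`. In k0s.go it is taken straight from an image tag (`TagFromImage(image)`), and the openebs.go and velero.go call sites pass it as well, though where their value comes from is not shown. A tag is free-form text, so the function should reject an empty value and anything that is not a plain version string before building `args`, starting with `if upstreamVersion == "" { return fmt.Errorf("upstream version is required for %s", componentName) }`. The exported function also has no doc comment; one line saying that `upstreamVersion` is the upstream image tag used by templates such as the pause entrypoint would help callers. The function body continues past the end of the hunk.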
2 changes: 1 addition & 1 deletion cmd/buildtools/velero.go
Expand Up @@ -247,7 +247,7 @@ func updateVeleroAddonImages(ctx context.Context, chartURL string, chartVersion

logrus.Infof("building and publishing %s, %s=%s", componentName, packageName, packageVersion)

if err := ApkoBuildAndPublish(componentName, packageName, packageVersion); err != nil {
if err := ApkoBuildAndPublish(componentName, packageName, packageVersion, upstreamVersion); err != nil {
return fmt.Errorf("failed to apko build and publish for %s: %w", componentName, err)
}

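--- a/deploy/images/pause/apko.tmpl.yaml
+++ b/deploy/images/pause/apko.tmpl.yaml
@@ -0,0 +1,20 @@
+contents:
+repositories:
+- https://packages.wolfi.dev/os
+keyring:
+- https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+packages:
+- ${PACKAGE_NAME}=${PACKAGE_VERSION}
+
+accounts:
+groups:
+- groupname: nonroot
+gid: 65532
+users:
+- username: nonroot
+uid: 65532
+gid: 65532
+run-as: 65532
+
+entrypoint:
+command: /usr/bin/pause-${UPSTREAM_VERSION}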
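Review bot: The entrypoint path is assembled from `${UPSTREAM_VERSION}` (the upstream image tag), while the package that has to ship that binary is selected separately through `${PACKAGE_NAME}=${PACKAGE_VERSION}`, and nothing in this template or the visible build code checks that the two agree. If they drift, the image would presumably still build and publish, and only fail when a pod sandbox tries to start it. A comment above `command:` such as `# pause-<tag> must be shipped by the package pinned above; UPSTREAM_VERSION is the upstream image tag` would record the coupling, and a post-build check that the file exists in the image would catch drift before publishing.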
13 changes: 12 additions & 1 deletion pkg/config/images.go
Expand Up @@ -3,10 +3,12 @@ package config
import (
_ "embed"
"fmt"
"strings"

"github.com/k0sproject/k0s/pkg/airgap"
k0sconfig "github.com/k0sproject/k0s/pkg/apis/k0s/v1beta1"
k0sv1beta1 "github.com/k0sproject/k0s/pkg/apis/k0s/v1beta1"
"github.com/k0sproject/k0s/pkg/constant"
"github.com/replicatedhq/embedded-cluster/pkg/release"
"gopkg.in/yaml.v2"
)
Expand All @@ -33,7 +35,13 @@ func ListK0sImages(cfg *k0sconfig.ClusterConfig) []string {
cfg.Spec.Images.KubeRouter.CNIInstaller.URI(),
cfg.Spec.Images.Konnectivity.URI():
default:
images = append(images, image)
if strings.Contains(image, constant.KubePauseContainerImage) {
// there's a bug in GetImageURIs where it always returns the original pause image
// instead of the one in the config, make sure to use the one in the config.
images = append(images, cfg.Spec.Images.Pause.URI())
} else {
images = append(images, image)
}
}
}
return images
Expand Down Expand Up @@ -62,6 +70,9 @@ func overrideK0sImages(cfg *k0sv1beta1.ClusterConfig) {
cfg.Spec.Images.KubeProxy.Image = "proxy.replicated.com/anonymous/replicated/ec-kube-proxy"
cfg.Spec.Images.KubeProxy.Version = Metadata.Images["kube-proxy"]

cfg.Spec.Images.Pause.Image = "proxy.replicated.com/anonymous/replicated/ec-pause"
cfg.Spec.Images.Pause.Version = Metadata.Images["pause"]

// TODO (salah): uncomment when upstream PR for digest support is released: https://github.com/k0sproject/k0s/pull/4792
// if cfg.Spec.Network == nil {
// cfg.Spec.Network = &k0sv1beta1.Network{}
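Review bot: `Metadata.Images["pause"]` is assigned to `cfg.Spec.Images.Pause.Version` in `overrideK0sImages` without checking that the key is present, so metadata that lacks a pause entry would leave the overridden image reference with an empty version; the kube-proxy lines just above have the same shape. Since the TODO below says digest pinning is not available yet, the tag is the only thing fixing which image is pulled, so an explicit check is worth having, e.g. `if v := Metadata.Images["pause"]; v != "" { ... }` around both pause assignments so the override is applied only when a version is known. Separately, in `ListK0sImages` the test `strings.Contains(image, constant.KubePauseContainerImage)` is a substring match; comparing the repository part exactly would avoid rewriting an unrelated image whose name merely contains that string. Both functions start outside the hunks shown.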
4 changes: 4 additions & 0 deletions pkg/config/images_test.go
Expand Up @@ -5,6 +5,7 @@ import (
"testing"

"github.com/k0sproject/k0s/pkg/airgap"
"github.com/k0sproject/k0s/pkg/constant"
)

func TestListK0sImages(t *testing.T) {
Expand Down Expand Up @@ -48,5 +49,8 @@ func TestListK0sImages(t *testing.T) {
if strings.Contains(image, "apiserver-network-proxy-agent") {
t.Errorf("ListK0sImages() = %v, want not to contain apiserver-network-proxy-agent", filtered)
}
if strings.Contains(image, constant.KubePauseContainerImage) {
t.Errorf("ListK0sImages() = %v, want the ec pause image", filtered)
}
}
}
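Review bot: The added check in `TestListK0sImages` only asserts that no listed image contains `constant.KubePauseContainerImage`, so it would also pass if the pause image were dropped from the list altogether, even though the failure message says the ec pause image is wanted. A positive assertion that the result contains the configured pause URI (something like `cfg.Spec.Images.Pause.URI()`, using whatever config value the test builds above the hunk) would pin the behaviour `ListK0sImages` is meant to have. The test body starts outside the hunk, so the variable name used here is an assumption.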
