From d65d8856b5212ac9b34a9d135fdd01e2c3864f3d Mon Sep 17 00:00:00 2001 
From: Billy Lynch Date: Thu, 12 Oct 2023 13:51:48 -0400 Subject: [PATCH] experiment: Add Wolfi based images MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds some initial images (ko, ko-gcloud) based on Wolfi packages using apko. (tl;dr apko = ko for apks). These images are smaller and are kept up to date with upstream with a focus on minimal CVEs. (computed using `crane manifest $IMG | jq '.config.size + ([.layers[].size] | add)' | numfmt --to=iec`) Image | Size ----- | ---- gcr.io/tekton-releases/dogfooding/ko:latest | 277M us-docker.pkg.dev/wlynch-chainguard/public/ko@latest-wolfi | 31M gcr.io/tekton-releases/dogfooding/ko-gcloud:latest | 606M us-docker.pkg.dev/wlynch-chainguard/public/ko-gcloud@latest-wolfi | 304M CVE Scans: ``` $ grype gcr.io/tekton-releases/dogfooding/ko:latest ✔ Vulnerability DB [no update available] ✔ Parsed image sha256:a41f5ae73e4a3aa0652d8653d22cd8dcf499f1ad2e78c3c1433127fe3ee6d61f ✔ Cataloged packages [231 packages] ✔ Scanned for vulnerabilities [23 vulnerability matches] ├── by severity: 1 critical, 7 high, 13 medium, 0 low, 0 negligible (2 unknown) └── by status: 12 fixed, 11 not-fixed, 0 ignored (4 dropped) ``` ``` $ grype us-docker.pkg.dev/wlynch-chainguard/public/ko:latest-wolfi ✔ Vulnerability DB [no update available] ✔ Parsed image sha256:e5b9decd9f30c3500f7e289c7abd7d054e122b128877215b47b78b769e915329 ✔ Cataloged packages [191 packages] ✔ Scanned for vulnerabilities [0 vulnerability matches] ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible └── by status: 0 fixed, 0 not-fixed, 0 ignored (4 dropped) ``` These aren't wired up to CI yet. 
---
.github/dependabot.yml | 9 ++++++++
.gitignore | 3 +++
tekton/images/README.md | 35 ++++++++++++++++++++++++++++--
tekton/images/ko-gcloud/apko.yaml | 27 +++++++++++++++++++++++
tekton/images/ko-gcloud/main.tf | 34 +++++++++++++++++++++++++++++
tekton/images/ko/apko.yaml | 20 +++++++++++++++++
tekton/images/ko/main.tf | 34 +++++++++++++++++++++++++++++
tekton/images/main.tf | 36 +++++++++++++++++++++++++++++++
8 files changed, 196 insertions(+), 2 deletions(-)
create mode 100644 tekton/images/ko-gcloud/apko.yaml
create mode 100644 tekton/images/ko-gcloud/main.tf
create mode 100644 tekton/images/ko/apko.yaml
create mode 100644 tekton/images/ko/main.tf
create mode 100644 tekton/images/main.tf
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b3d0f6861..0a4c66b74 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -360,3 +360,12 @@ updates: all: patterns: - "*"
+ - package-ecosystem: "terraform"
+ directory: "/tekton/images"
+ schedule:
+ interval: "weekly"
+ labels:
+ - "ok-to-test"
+ - "dependencies"
+ - "release-note-none"
+ - "kind/misc"
diff --git a/.gitignore b/.gitignore
index 38f8cb40f..35c7709b6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,6 @@ **/.bin **/.DS_Store
+
+.terraform**
+terraform.tfstate**
\ No newline at end of file
diff --git a/tekton/images/README.md b/tekton/images/README.md
index 27dc62c62..0d205ebd6 100644
--- a/tekton/images/README.md
+++ b/tekton/images/README.md
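Review bot: The new `terraform` entry is scoped to `directory: "/tekton/images"`, but the only versioned registry module in this patch — `chainguard-dev/apko/publisher` pinned at `0.0.9` — lives in `tekton/images/ko/main.tf` and `tekton/images/ko-gcloud/main.tf`. Unless Dependabot follows the local `./ko` and `./ko-gcloud` module sources (I would not rely on it; worth confirming), those pins will never receive update PRs. Adding entries for `directory: "/tekton/images/ko"` and `directory: "/tekton/images/ko-gcloud"`, or moving the publisher version into the root module, closes that gap. The `updates:` list this entry joins starts outside the hunk.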
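Review bot: `.terraform**` on the second added line also matches `.terraform.lock.hcl`, because consecutive asterisks that are not a `/`-delimited path segment behave like a single `*` in gitignore syntax, so the provider lock file — the only place the resolved versions and hashes of `chainguard-dev/oci` and `chainguard-dev/apko` are recorded — can never be committed, and every `terraform init` re-resolves them within their `~>` ranges. If the intent is to ignore only the working directory and state, `.terraform/` and `terraform.tfstate*` are the narrower patterns; committing the lock file also gives the new Dependabot entry something to keep current. State files should stay ignored since they can carry sensitive values.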
@@ -1,4 +1,35 @@ # Container Images for Tekton infrastructure
-This folder contains various container images used by Tekton infrastructure
-to run Tekton's own CI/CD.
+This folder contains various container images used by Tekton infrastructure to
+run Tekton's own CI/CD.
+
+## Wolfi images (experimental)
+
+Some directories include experimental support for
+[Wolfi](https://github.com/wolfi-dev/) images built via
+[apko](https://github.com/chainguard-dev/apko) + terraform.
+
+These images are built declaratively from Wolfi packages and are automatically
+signed + attested during publishing.
+
+To build these images, run:
+
+```sh
+TF_VAR_target_repository=ttl.sh/path/to/registry terraform apply
+```
+
+To build a single image (for example, `ko-gcloud`):
+
+```sh
+TF_VAR_target_repository=ttl.sh/path/to/registry terraform apply -target=module.ko-gcloud
+```
+
+### Signing and attestations
+
+If you wish to sign/attest the image locally (optional for development, but
+terraform will output a warning), you can enable it by setting
+`TF_COSIGN_LOCAL=1`:
+
+```sh
+TF_COSIGN_LOCAL=1 TF_VAR_target_repository=ttl.sh/path/to/registry terraform apply -target=module.ko-gcloud
+```
diff --git a/tekton/images/ko-gcloud/apko.yaml b/tekton/images/ko-gcloud/apko.yaml
new file mode 100644
index 000000000..bdd43c081
--- /dev/null
+++ b/tekton/images/ko-gcloud/apko.yaml
@@ -0,0 +1,27 @@
+contents:
+ packages:
+ - bash
+ - busybox
+ - git
+ - go
+ - google-cloud-sdk
+ - ko
+ - kubectl
+ - kustomize
+ # Pin to python 3.11 until issues with 3.12 are resolved.
+ # ref: https://issuetracker.google.com/issues/303737178
+ - python3~3.11
+ - yq
+
+entrypoint:
+ command: /bin/bash
+
+accounts:
+ groups:
+ - groupname: nonroot
+ gid: 65532
+ users:
+ - username: nonroot
+ uid: 65532
+ gid: 65532
+ run-as: 65532
\ No newline at end of file
diff --git a/tekton/images/ko-gcloud/main.tf b/tekton/images/ko-gcloud/main.tf
new file mode 100644
index 000000000..ea22dcf26
--- /dev/null
+++ b/tekton/images/ko-gcloud/main.tf
@@ -0,0 +1,34 @@
+terraform {
+ required_providers {
+ apko = {
+ source = "chainguard-dev/apko"
+ }
+ oci = {
+ source = "chainguard-dev/oci"
+ }
+ }
+}
+
+variable "target_repository" {
+ description = "The docker repo into which the image and attestations should be published."
+}
+
+module "image" {
+ source = "chainguard-dev/apko/publisher"
+ version = "0.0.9"
+
+ target_repository = var.target_repository
+ config = file("${path.module}/apko.yaml")
+ default_annotations = {
+ "org.opencontainers.image.url": "https://github.com/tektoncd/plumbing/tree/main/tekton/images/ko-gcloud"
+ }
+}
+
+resource "oci_tag" "latest" {
+ digest_ref = module.image.image_ref
+ tag = "latest-wolfi"
+}
+
+output "image_ref" {
+ value = oci_tag.latest.tagged_ref
+}
\ No newline at end of file
diff --git a/tekton/images/ko/apko.yaml b/tekton/images/ko/apko.yaml
new file mode 100644
index 000000000..fbf73b01d
--- /dev/null
+++ b/tekton/images/ko/apko.yaml
@@ -0,0 +1,20 @@
+contents:
+ packages:
+ - bash
+ - busybox
+ - git
+ - ko
+ - kustomize
+
+entrypoint:
+ command: /bin/bash
+
+accounts:
+ groups:
+ - groupname: nonroot
+ gid: 65532
+ users:
+ - username: nonroot
+ uid: 65532
+ gid: 65532
+ run-as: 65532
\ No newline at end of file
diff --git a/tekton/images/ko/main.tf b/tekton/images/ko/main.tf
new file mode 100644
index 000000000..e900e541e
--- /dev/null
+++ b/tekton/images/ko/main.tf
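Review bot: `ko-gcloud/main.tf` and `ko/main.tf` (the next file in this patch) are identical apart from the `org.opencontainers.image.url` annotation, so the publisher pin `version = "0.0.9"`, the `latest-wolfi` tag and the provider list now have to be kept in sync by hand in two places. A single shared image module taking the image name and config path as inputs, or a `for_each` over the image directories in the root `main.tf`, would remove the duplication. Separately, the child `required_providers` blocks carry no `version`; today the root module pins both providers, but anyone initializing this directory on its own resolves the newest `chainguard-dev/apko` and `chainguard-dev/oci` releases, so either drop the child blocks or give them the same `~>` constraints as the root.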
@@ -0,0 +1,34 @@
+terraform {
+ required_providers {
+ apko = {
+ source = "chainguard-dev/apko"
+ }
+ oci = {
+ source = "chainguard-dev/oci"
+ }
+ }
+}
+
+variable "target_repository" {
+ description = "The docker repo into which the image and attestations should be published."
+}
+
+module "image" {
+ source = "chainguard-dev/apko/publisher"
+ version = "0.0.9"
+
+ target_repository = var.target_repository
+ config = file("${path.module}/apko.yaml")
+ default_annotations = {
+ "org.opencontainers.image.url": "https://github.com/tektoncd/plumbing/tree/main/tekton/images/ko"
+ }
+}
+
+resource "oci_tag" "latest" {
+ digest_ref = module.image.image_ref
+ tag = "latest-wolfi"
+}
+
+output "image_ref" {
+ value = oci_tag.latest.tagged_ref
+}
\ No newline at end of file
diff --git a/tekton/images/main.tf b/tekton/images/main.tf
new file mode 100644
index 000000000..deb2bcd59
--- /dev/null
+++ b/tekton/images/main.tf
@@ -0,0 +1,36 @@
+terraform {
+ required_providers {
+ oci = {
+ source = "chainguard-dev/oci"
+ version = "~> 0.0.10"
+ }
+ apko = {
+ source = "chainguard-dev/apko"
+ version = "~> 0.10.7"
+ }
+ }
+}
+
+provider "apko" {
+ extra_repositories = ["https://packages.wolfi.dev/os"]
+ extra_keyring = ["https://packages.wolfi.dev/os/wolfi-signing.rsa.pub"]
+ extra_packages = ["wolfi-baselayout"]
+ default_archs = ["x86_64", "aarch64"]
+ default_annotations = {
+ "org.opencontainers.image.authors" = "Tekton Authors "
+ }
+}
+
+variable "target_repository" {
+ description = "The docker repo into which the image and attestations should be published."
+}
+
+module "ko" {
+ source = "./ko"
+ target_repository = "${var.target_repository}/ko"
+}
+
+module "ko-gcloud" {
+ source = "./ko-gcloud"
+ target_repository = "${var.target_repository}/ko-gcloud"
+}
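Review bot: In the `provider "apko"` block the signing key in `extra_keyring` is downloaded at build time from `https://packages.wolfi.dev/os/wolfi-signing.rsa.pub`, the same origin as the `extra_repositories` packages it is meant to verify, so the signature check only establishes that packages and key came from one host at that moment rather than from a key this repository has reviewed. If the provider accepts a local keyring path (apko itself does — worth confirming for the provider), vendoring the public key and referencing it as `extra_keyring = ["${path.module}/wolfi-signing.rsa.pub"]` ties verification to a committed key and makes any rotation an explicit, reviewable change. The `"Tekton Authors "` annotation value ends in a trailing space; presumably a bracketed e-mail address was stripped when this patch was rendered, but the committed file is worth checking.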