diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index c364636f5d..1cd5fd7fcb 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -42,6 +42,10 @@ jobs:
 with:
 username: ${{ secrets.DOCKERHUB_LOGIN }}
 password: ${{ secrets.DOCKERHUB_PASSWORD }}
+ - name: Login to Chainguard
+ uses: chainguard-dev/setup-chainctl@main
+ with:
+ identity: ${{ secrets.CGR_DEV_TEST_IDENTITY }}
 - name: Checkout
 uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/pre-merge.yaml b/.github/workflows/pre-merge.yaml
index 2324266437..8168c1f1c7 100644
--- a/.github/workflows/pre-merge.yaml
+++ b/.github/workflows/pre-merge.yaml
@@ -24,6 +24,10 @@ on:
 - "w/**"
 - "q/*/**"
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 changed-files:
 runs-on: ubuntu-24.04
diff --git a/buildchain/buildchain/constants.py b/buildchain/buildchain/constants.py
index 945105f988..a20f4d77f5 100644
--- a/buildchain/buildchain/constants.py
+++ b/buildchain/buildchain/constants.py
@@ -32,6 +32,7 @@ PROMETHEUS_REPOSITORY: str = "quay.io/prometheus"
 THANOS_REPOSITORY: str = "quay.io/thanos"
 CERT_MANAGER_REPOSITORY: str = "quay.io/jetstack"
+CGR_CHAINGUARD_REPOSITORY: str = "cgr.dev/chainguard"
 # Paths {{{
diff --git a/buildchain/buildchain/image.py b/buildchain/buildchain/image.py
index 858e473e53..40c2f68075 100644
--- a/buildchain/buildchain/image.py
+++ b/buildchain/buildchain/image.py
@@ -217,6 +217,9 @@ def _local_image(name: str, **kwargs: Any) -> targets.LocalImage:
 "cert-manager-cainjector",
 "cert-manager-acmesolver",
 ],
+ constants.CGR_CHAINGUARD_REPOSITORY: [
+ "wolfi-base",
+ ],
 }
 REMOTE_NAMES: Dict[str, str] = {
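Review bot: `uses: chainguard-dev/setup-chainctl@main` pins the login step to a mutable branch, and this is the step that exchanges the job's OIDC token for Chainguard registry credentials, so whoever can push to that branch can run code with this workflow's token and secrets; the `actions/checkout@v4` step below it is at least tag-pinned, and this one should be pinned harder, e.g. `uses: chainguard-dev/setup-chainctl@<full-commit-sha> # vX.Y.Z`. The hunk does not show a `permissions:` block for build.yaml, and setup-chainctl needs `id-token: write` on the job that runs it; whether that arrives from a calling workflow or has to be declared here cannot be told from this hunk, so it is worth confirming before merge. The secret name `CGR_DEV_TEST_IDENTITY` reads as a test identity; if this is the production build path, a comment naming which assumed identity it maps to would save the next reader a trip to the Chainguard console.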
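Review bot: The new top-level `permissions:` block hands `id-token: write` to every job in pre-merge.yaml, including `changed-files`, which from its name has no reason to mint an OIDC token; any third-party action or script running in those jobs could exchange that token for cloud or registry credentials wherever this repository's identity is trusted. Keep `contents: read` at the workflow level and move `id-token: write` down to the job (or the reusable-workflow call) that actually performs the Chainguard login, e.g. a job-level `permissions:` with `contents: read` and `id-token: write`. Introducing a workflow-level block also replaces the default token permissions for all jobs, which is a good hardening step but can break a job that relied on a default such as `pull-requests: write`; confirm with a full run.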
@@ -241,13 +244,13 @@ def _local_image(name: str, **kwargs: Any) -> targets.LocalImage:
 _local_image(
 name="metalk8s-alert-logger",
 build_args={
- "BASE_IMAGE": TO_PULL["alpine"].remote_fullname_digest,
+ "BASE_IMAGE": TO_PULL["wolfi-base"].remote_fullname_digest,
 },
 ),
 _local_image(
 name="metalk8s-keepalived",
 build_args={
- "BASE_IMAGE": TO_PULL["alpine"].remote_fullname_digest,
+ "BASE_IMAGE": TO_PULL["wolfi-base"].remote_fullname_digest,
 "BUILD_DATE": datetime.datetime.now(datetime.timezone.utc)
 .astimezone()
 .isoformat(),
diff --git a/buildchain/buildchain/versions.py b/buildchain/buildchain/versions.py
index afe8b9d564..214c6725de 100644
--- a/buildchain/buildchain/versions.py
+++ b/buildchain/buildchain/versions.py
@@ -103,6 +103,11 @@ def _version_prefix(version: str, prefix: str = "v") -> str:
 # pylint:disable=line-too-long
 CONTAINER_IMAGES: Tuple[Image, ...] = (
 # Remote images
+ Image(
+ name="wolfi-base",
+ version="latest",
+ digest="sha256:2148be123cd047f10c93e2bc88010d4abba1fc56a367d6287a251099ed5f006a",
+ ),
 Image(
 name="alpine",
 version="3.20.3",
diff --git a/images/metalk8s-alert-logger/Dockerfile b/images/metalk8s-alert-logger/Dockerfile
index 9cd6c7a4db..193695d2db 100644
--- a/images/metalk8s-alert-logger/Dockerfile
+++ b/images/metalk8s-alert-logger/Dockerfile
@@ -1,7 +1,7 @@
-ARG BASE_IMAGE=docker.io/alpine
+ARG BASE_IMAGE=cgr.dev/chainguard/wolfi-base
 ARG BUILD_IMAGE_NAME=golang
-ARG BUILD_IMAGE_TAG=1.17.0-alpine
+ARG BUILD_IMAGE_TAG=1.23.3-alpine
 FROM ${BUILD_IMAGE_NAME}:${BUILD_IMAGE_TAG} AS builder
 ENV CGO_ENABLED=0
@@ -16,7 +16,7 @@ COPY main.go go.mod "$PKG_PATH"
 WORKDIR "$PKG_PATH"
 RUN sed -i "s/@@ALERTMANAGER_VERSION@@/$ALERTMANAGER_VERSION/g" go.mod \
- && go mod tidy -go=1.16 && go mod tidy -go=1.17 \
+ && go mod tidy -go=1.23 \
 && go install
 FROM ${BASE_IMAGE}
diff --git a/images/metalk8s-alert-logger/go.mod b/images/metalk8s-alert-logger/go.mod
index 124016f5e7..a04df99ff3 100644
--- a/images/metalk8s-alert-logger/go.mod
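Review bot: `version="latest"` on the new `wolfi-base` entry records nothing about what was actually pinned; the digest on the following line is what the build consumes (the image.py hunk in this diff reads `remote_fullname_digest`), so the tag is documentation only, and `latest` cannot tell a reader when the digest was taken or let tooling detect drift the way `alpine`'s `3.20.3` does. Add a comment above the entry such as `# cgr.dev/chainguard/wolfi-base is tracked by digest only; digest taken <date>, refresh when rebuilding keepalived/alert-logger`, and record how the digest was obtained (e.g. the `cosign verify` or `crane digest` invocation) so the next bump is reviewable. Whether anything in the buildchain ever falls back to the tag without the digest is outside this hunk; if it does, `latest` would float.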
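Review bot: `ARG BUILD_IMAGE_TAG=1.23.3-alpine` still selects the Go builder by tag alone, while the runtime base is now handed in by digest from the buildchain; the builder is where `go mod tidy` and `go install` run, so an upstream re-push of that tag changes the compiled binary without anything in this repository changing. Pin it the same way, e.g. `ARG BUILD_IMAGE_DIGEST=sha256:<digest>` and `FROM ${BUILD_IMAGE_NAME}:${BUILD_IMAGE_TAG}@${BUILD_IMAGE_DIGEST} AS builder`, or add the golang image to `versions.py` and pass it through `build_args` like `BASE_IMAGE`. The new default `ARG BASE_IMAGE=cgr.dev/chainguard/wolfi-base` floats to the registry's `latest` when the Dockerfile is built outside the buildchain, as the old alpine default did; a one-line comment that the buildchain overrides it with a digest would make that intentional.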
+++ b/images/metalk8s-alert-logger/go.mod
@@ -1,5 +1,5 @@
 module metalk8s-alert-logger
-go 1.17
+go 1.23
 require github.com/prometheus/alertmanager @@ALERTMANAGER_VERSION@@
diff --git a/images/metalk8s-keepalived/Dockerfile b/images/metalk8s-keepalived/Dockerfile
index f2ff63cb54..f7f73e2544 100644
--- a/images/metalk8s-keepalived/Dockerfile
+++ b/images/metalk8s-keepalived/Dockerfile
@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=docker.io/alpine
+ARG BASE_IMAGE=cgr.dev/chainguard/wolfi-base
 # NOTE: We need to build keepalived ourself to enable JSON, so that we can
 # use the JSON signal to get the current keepalived status in JSON format
@@ -10,7 +10,7 @@ ARG KEEPALIVED_VERSION
 WORKDIR /home/keepalived
-RUN apk add --no-cache make gcc curl autoconf automake musl-dev libnl3-dev libnftnl-dev openssl-dev \
+RUN apk add --no-cache make gcc curl autoconf automake glibc-dev libnl3-dev libnftnl-dev openssl-dev \
 && curl --fail -Lo keepalived.tar.gz https://github.com/acassen/keepalived/archive/refs/tags/v${KEEPALIVED_VERSION}.tar.gz \
 && tar xvf keepalived.tar.gz && cd "keepalived-${KEEPALIVED_VERSION}" \
 && ./autogen.sh \
@@ -44,12 +44,14 @@ COPY --chown=keepalived:keepalived entrypoint.sh /
 COPY --chown=keepalived:keepalived --from=build-step /keepalived /usr/sbin/
-RUN apk add --no-cache libcap \
+RUN apk add --no-cache libcap-utils \
 && setcap cap_net_admin,cap_net_bind_service,cap_net_raw,cap_setuid,cap_setgid=+ep /usr/sbin/keepalived \
 && setcap -v cap_net_admin,cap_net_bind_service,cap_net_raw,cap_setuid,cap_setgid=+ep /usr/sbin/keepalived \
- && apk del libcap
+ && apk del libcap-utils
-RUN apk add --no-cache libnl3 libnftnl bash curl py3-jinja2 py3-yaml py3-netifaces
+RUN apk add --no-cache iproute2 libnl3 libnftnl bash curl python-3.12 py3.12-pip py3-yaml py3-jinja2
+RUN pip install netifaces-plus
+RUN apk del py3.12-pip
 USER keepalived
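Review bot: `RUN pip install netifaces-plus` fetches an unpinned package from PyPI at build time, where the removed line got `py3-netifaces` from apk, which verifies packages against its signed index; the build is no longer reproducible and a yanked or malicious release of `netifaces-plus` would be picked up silently. Pin version and hashes (`pip install --no-cache-dir --require-hashes -r requirements.txt` with `netifaces-plus==<version> --hash=sha256:<hash>` in that file), and note that `--no-cache-dir` matters because `apk del py3.12-pip` removes pip but not the wheel cache it wrote. Splitting the apk install, the pip install and the removal across three `RUN` instructions also keeps pip and that cache in the final image's earlier layers, so the `apk del` only hides them; one `RUN` chain, as below, makes the removal real. The hunk's line counts suggest one or two context lines after `USER keepalived` that are not visible here.
```dockerfile
# … unchanged: setcap RUN block …
COPY requirements.txt /tmp/requirements.txt
RUN apk add --no-cache iproute2 libnl3 libnftnl bash curl python-3.12 py3.12-pip py3-yaml py3-jinja2 \
    && pip install --no-cache-dir --require-hashes -r /tmp/requirements.txt \
    && apk del py3.12-pip \
    && rm -f /tmp/requirements.txt

USER keepalived
```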