User/eg ayoub/poc/test wolfi

.github/workflows/build.yaml

@@ -42,6 +42,10 @@ jobs:
         with:
           username: ${{ secrets.DOCKERHUB_LOGIN }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Login to Chainguard
+        uses: chainguard-dev/setup-chainctl@main
+        with:
+          identity: ${{ secrets.CGR_DEV_TEST_IDENTITY }}
       - name: Checkout
         uses: actions/checkout@v4
         with:

.github/workflows/pre-merge.yaml

@@ -24,6 +24,10 @@ on:
       - "w/**"
       - "q/*/**"
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   changed-files:
     runs-on: ubuntu-24.04

buildchain/buildchain/constants.py

@@ -32,6 +32,7 @@
 PROMETHEUS_REPOSITORY: str = "quay.io/prometheus"
 THANOS_REPOSITORY: str = "quay.io/thanos"
 CERT_MANAGER_REPOSITORY: str = "quay.io/jetstack"
+CGR_CHAINGUARD_REPOSITORY: str = "cgr.dev/chainguard"
 
 # Paths {{{
 

buildchain/buildchain/image.py

@@ -217,6 +217,9 @@ def _local_image(name: str, **kwargs: Any) -> targets.LocalImage:
         "cert-manager-cainjector",
         "cert-manager-acmesolver",
     ],
+    constants.CGR_CHAINGUARD_REPOSITORY: [
+        "wolfi-base",
+    ],
 }
 
 REMOTE_NAMES: Dict[str, str] = {
@@ -241,13 +244,13 @@ def _local_image(name: str, **kwargs: Any) -> targets.LocalImage:
     _local_image(
         name="metalk8s-alert-logger",
         build_args={
-            "BASE_IMAGE": TO_PULL["alpine"].remote_fullname_digest,
+            "BASE_IMAGE": TO_PULL["wolfi-base"].remote_fullname_digest,
         },
     ),
     _local_image(
         name="metalk8s-keepalived",
         build_args={
-            "BASE_IMAGE": TO_PULL["alpine"].remote_fullname_digest,
+            "BASE_IMAGE": TO_PULL["wolfi-base"].remote_fullname_digest,
             "BUILD_DATE": datetime.datetime.now(datetime.timezone.utc)
             .astimezone()
             .isoformat(),

buildchain/buildchain/versions.py

@@ -103,6 +103,11 @@ def _version_prefix(version: str, prefix: str = "v") -> str:
 # pylint:disable=line-too-long
 CONTAINER_IMAGES: Tuple[Image, ...] = (
     # Remote images
+    Image(
+        name="wolfi-base",
+        version="latest",
+        digest="sha256:2148be123cd047f10c93e2bc88010d4abba1fc56a367d6287a251099ed5f006a",
+    ),
     Image(
         name="alpine",
         version="3.20.3",

images/metalk8s-alert-logger/Dockerfile

@@ -1,7 +1,7 @@
-ARG BASE_IMAGE=docker.io/alpine
+ARG BASE_IMAGE=cgr.dev/chainguard/wolfi-base
 
 ARG BUILD_IMAGE_NAME=golang
-ARG BUILD_IMAGE_TAG=1.17.0-alpine
+ARG BUILD_IMAGE_TAG=1.23.3-alpine
 FROM ${BUILD_IMAGE_NAME}:${BUILD_IMAGE_TAG} AS builder
 
 ENV CGO_ENABLED=0
@@ -16,7 +16,7 @@ COPY main.go go.mod "$PKG_PATH"
 WORKDIR "$PKG_PATH"
 
 RUN sed -i "s/@@ALERTMANAGER_VERSION@@/$ALERTMANAGER_VERSION/g" go.mod \
-  && go mod tidy -go=1.16 && go mod tidy -go=1.17 \
+  && go mod tidy -go=1.23 \
   && go install
 
 FROM ${BASE_IMAGE}

images/metalk8s-alert-logger/go.mod

@@ -1,5 +1,5 @@
 module metalk8s-alert-logger
 
-go 1.17
+go 1.23
 
 require github.com/prometheus/alertmanager @@ALERTMANAGER_VERSION@@

images/metalk8s-keepalived/Dockerfile

@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=docker.io/alpine
+ARG BASE_IMAGE=cgr.dev/chainguard/wolfi-base
 
 # NOTE: We need to build keepalived ourself to enable JSON, so that we can
 # use the JSON signal to get the current keepalived status in JSON format
@@ -10,7 +10,7 @@ ARG KEEPALIVED_VERSION
 
 WORKDIR /home/keepalived
 
-RUN apk add --no-cache make gcc curl autoconf automake musl-dev libnl3-dev libnftnl-dev openssl-dev \
+RUN apk add --no-cache make gcc curl autoconf automake glibc-dev libnl3-dev libnftnl-dev openssl-dev \
   && curl --fail -Lo keepalived.tar.gz https://github.com/acassen/keepalived/archive/refs/tags/v${KEEPALIVED_VERSION}.tar.gz \
   && tar xvf keepalived.tar.gz && cd "keepalived-${KEEPALIVED_VERSION}" \
   && ./autogen.sh \
@@ -44,12 +44,14 @@ COPY --chown=keepalived:keepalived entrypoint.sh /
 
 COPY --chown=keepalived:keepalived --from=build-step /keepalived /usr/sbin/
 
-RUN apk add --no-cache libcap \
+RUN apk add --no-cache libcap-utils \
   && setcap     cap_net_admin,cap_net_bind_service,cap_net_raw,cap_setuid,cap_setgid=+ep /usr/sbin/keepalived \
   && setcap -v  cap_net_admin,cap_net_bind_service,cap_net_raw,cap_setuid,cap_setgid=+ep /usr/sbin/keepalived \
-  && apk del libcap
+  && apk del libcap-utils
 
-RUN apk add --no-cache libnl3 libnftnl bash curl py3-jinja2 py3-yaml py3-netifaces
+RUN apk add --no-cache iproute2 libnl3 libnftnl bash curl python-3.12 py3.12-pip py3-yaml py3-jinja2
+RUN pip install netifaces-plus
+RUN apk del py3.12-pip
 
 USER keepalived