test chainguard 3rd party images

replicatedhq · Nov 28, 2023 · e52f629 · e52f629
1 parent f698ef1
commit e52f629
Show file tree

Hide file tree

Showing 42 changed files with 281 additions and 151 deletions.
diff --git a/.github/actions/build-push-kotsadm-image/action.yml b/.github/actions/build-push-kotsadm-image/action.yml
@@ -34,33 +34,33 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
-      with:
-        workload_identity_provider: ${{ inputs.chainguard-gcp-wif-pool }}
-        service_account: ${{ inputs.chainguard-gcp-sa }}
-
-    - uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
-      with:
-        project_id: ${{ inputs.chainguard-gcp-project-id }}
-
-    - name: setup packages gcsfuse
-      env:
-        BUCKET: replicated-apk-registry
-      shell: bash
-      run: |
-        # Set up a gcsfuse RO mount to the bucket containing private packages. This is a cheap and
-        # cheerful way to get access to objects we need, without having to fetch all of them.
-        mkdir -p /gcsfuse/apk-repo
-        gcsfuse -o ro --implicit-dirs --only-dir os ${BUCKET} /gcsfuse/apk-repo
-
-        # Symlink the gcsfuse mount to ./packages/$arch/*.apk
-        mkdir -p ./packages/x86_64
-        ln -s /gcsfuse/apk-repo/x86_64/*.apk ./packages/x86_64/
-
-        # Make a copy of the APKINDEX.* since we'll need to write to it on package builds
-        cp /gcsfuse/apk-repo/x86_64/APKINDEX.* ./packages/x86_64/
-
-        ls -lR ./packages/
+    # - uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
+    #   with:
+    #     workload_identity_provider: ${{ inputs.chainguard-gcp-wif-pool }}
+    #     service_account: ${{ inputs.chainguard-gcp-sa }}
+
+    # - uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
+    #   with:
+    #     project_id: ${{ inputs.chainguard-gcp-project-id }}
+
+    # - name: setup packages gcsfuse
+    #   env:
+    #     BUCKET: replicated-apk-registry
+    #   shell: bash
+    #   run: |
+    #     # Set up a gcsfuse RO mount to the bucket containing private packages. This is a cheap and
+    #     # cheerful way to get access to objects we need, without having to fetch all of them.
+    #     mkdir -p /gcsfuse/apk-repo
+    #     gcsfuse -o ro --implicit-dirs --only-dir os ${BUCKET} /gcsfuse/apk-repo
+
+    #     # Symlink the gcsfuse mount to ./packages/$arch/*.apk
+    #     mkdir -p ./packages/x86_64
+    #     ln -s /gcsfuse/apk-repo/x86_64/*.apk ./packages/x86_64/
+
+    #     # Make a copy of the APKINDEX.* since we'll need to write to it on package builds
+    #     cp /gcsfuse/apk-repo/x86_64/APKINDEX.* ./packages/x86_64/
+
+    #     ls -lR ./packages/
 
     - name: template melange and apko configs
       shell: bash

diff --git a/.github/workflows/alpha.yaml b/.github/workflows/alpha.yaml
@@ -210,7 +210,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "rqlite/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}"
+          image-ref: "cgr.dev/chainguard/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'rqlite-scan-output.sarif'
@@ -237,7 +237,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/minio/minio:${{ steps.dotenv.outputs.minio_tag }}"
+          image-ref: "cgr.dev/chainguard/minio:${{ steps.dotenv.outputs.minio_tag }}"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'minio-scan-output.sarif'

diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
@@ -431,8 +431,8 @@ jobs:
 
       - name: push minio for e2e
         run: |
-          docker pull minio/minio:${{ steps.dotenv.outputs.minio_tag }}
-          docker tag minio/minio:${{ steps.dotenv.outputs.minio_tag }} ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.minio_tag }}
+          docker pull cgr.dev/chainguard/minio:${{ steps.dotenv.outputs.minio_tag }}
+          docker tag cgr.dev/chainguard/minio:${{ steps.dotenv.outputs.minio_tag }} ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.minio_tag }}
           docker push ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.minio_tag }}
 
 
@@ -450,8 +450,8 @@ jobs:
 
       - name: push rqlite for CI
         run: |
-          docker pull rqlite/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
-          docker tag rqlite/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }} ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
+          docker pull cgr.dev/chainguard/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
+          docker tag cgr.dev/chainguard/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }} ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
           docker push ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
 
 

diff --git a/.image.env b/.image.env
@@ -1,8 +1,8 @@
 # Generated file, do not modify.  This file is generated from a text file containing a list of images. The
 # most recent tag is interpolated from the source repository and used to generate a fully qualified image
 # name.
-MINIO_TAG='RELEASE.2023-11-11T08-14-41Z'
+MINIO_TAG='0.20231025'
 RQLITE_TAG='7.21.4'
-DEX_TAG='v2.37.0'
+DEX_TAG='2.37.0'
 SCHEMAHERO_TAG='0.16.0'
 LVP_TAG='v0.5.5'
diff --git a/Makefile b/Makefile
@@ -1,8 +1,8 @@
 include Makefile.build.mk
 CURRENT_USER := $(shell id -u -n)
-MINIO_TAG ?= RELEASE.2023-11-11T08-14-41Z
+MINIO_TAG ?= 0.20231025
 RQLITE_TAG ?= 7.21.4
-DEX_TAG ?= v2.37.0
+DEX_TAG ?= 2.37.0
 LVP_TAG ?= v0.5.5
 
 define sendMetrics
@@ -118,12 +118,12 @@ build-ttl.sh: build
 all-ttl.sh: build-ttl.sh
 	source .image.env && IMAGE=ttl.sh/${CURRENT_USER}/kotsadm-migrations:24h make -C migrations build_schema
 
-	docker pull minio/minio:${MINIO_TAG}
-	docker tag minio/minio:${MINIO_TAG} ttl.sh/${CURRENT_USER}/minio:${MINIO_TAG}
+	docker pull cgr.dev/chainguard/minio:${MINIO_TAG}
+	docker tag cgr.dev/chainguard/minio:${MINIO_TAG} ttl.sh/${CURRENT_USER}/minio:${MINIO_TAG}
 	docker push ttl.sh/${CURRENT_USER}/minio:${MINIO_TAG}
 
-	docker pull rqlite/rqlite:${RQLITE_TAG}
-	docker tag rqlite/rqlite:${RQLITE_TAG} ttl.sh/${CURRENT_USER}/rqlite:${RQLITE_TAG}
+	docker pull cgr.dev/chainguard/rqlite:${RQLITE_TAG}
+	docker tag cgr.dev/chainguard/rqlite:${RQLITE_TAG} ttl.sh/${CURRENT_USER}/rqlite:${RQLITE_TAG}
 	docker push ttl.sh/${CURRENT_USER}/rqlite:${RQLITE_TAG}
 
 .PHONY: build-alpha
@@ -136,13 +136,11 @@ build-release:
 	mkdir -p bin/docker-archive/kotsadm
 	skopeo copy docker://kotsadm/kotsadm:${GIT_TAG} docker-archive:bin/docker-archive/kotsadm/${GIT_TAG}
 
-	docker build --pull -f deploy/dex.Dockerfile -t kotsadm/dex:${DEX_TAG} --build-arg TAG=${DEX_TAG} .
-	docker push kotsadm/dex:${DEX_TAG}
 	mkdir -p bin/docker-archive/dex
-	skopeo copy docker://kotsadm/dex:${DEX_TAG} docker-archive:bin/docker-archive/dex/${DEX_TAG}
+	skopeo copy docker://cgr.dev/chainguard/dex:${DEX_TAG} docker-archive:bin/docker-archive/dex/${DEX_TAG}
 
 	mkdir -p bin/docker-archive/minio
-	skopeo copy docker://minio/minio:${MINIO_TAG} docker-archive:bin/docker-archive/minio/${MINIO_TAG}
+	skopeo copy docker://cgr.dev/chainguard/minio:${MINIO_TAG} docker-archive:bin/docker-archive/minio/${MINIO_TAG}
 
 	mkdir -p bin/docker-archive/local-volume-provider
 	skopeo copy docker://replicated/local-volume-provider:${LVP_TAG} docker-archive:bin/docker-archive/local-volume-provider/${LVP_TAG}

diff --git a/cmd/imagedeps/README.md b/cmd/imagedeps/README.md
@@ -20,27 +20,27 @@ is useful to restrict release tags to a major version, or to filter out garbage
 
 | Name | Image URI | Matcher Regexp (Optional) |
 |------|--------------------|----------|
-| Name of the image for example **minio** | Untagged image reference **ghcr.io/dexidp/dex**| An optional regular expression, only matching tags will be included.  |
+| Name of the image for example **minio** | Untagged image reference **cgr.dev/chainguard/minio**| An optional regular expression, only matching tags will be included.  |
 
 ### Sample image-spec
 ```text
-minio minio/minio
-rqlite rqlite/rqlite
-dex ghcr.io/dexidp/dex
+minio cgr.dev/chainguard/minio
+rqlite cgr.dev/chainguard/rqlite
+dex cgr.dev/chainguard/dex
 ```
 The preceding image spec will produce the following environment and Go files.
 ```shell
-MINIO_TAG='RELEASE.2021-09-15T04-54-25Z'
-RQLITE_TAG='7.7.0'
+MINIO_TAG='0.20231025'
+RQLITE_TAG='7.21.4'
 DEX_TAG='v2.30.0'
 ```
 ```go
 package image
 
 const (
-	Minio = "minio/minio:RELEASE.2021-09-15T04-54-25Z"
-	Rqlite = "rqlite/rqlite:7.7.0"
-	Dex = "ghcr.io/dexidp/dex:v2.30.0"
+	Minio = "cgr.dev/chainguard/minio:0.20231025"
+	Rqlite = "cgr.dev/chainguard/rqlite:7.21.4"
+	Dex = "cgr.dev/chainguard/dex:2.30.0"
 )
 ```
 

diff --git a/cmd/imagedeps/image-spec b/cmd/imagedeps/image-spec
@@ -1,5 +1,5 @@
-minio minio/minio
-rqlite rqlite/rqlite ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$
-dex ghcr.io/dexidp/dex
+minio cgr.dev/chainguard/minio ^\b0\.\d+\b$
+rqlite cgr.dev/chainguard/rqlite ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$
+dex cgr.dev/chainguard/dex ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$
 schemahero schemahero/schemahero ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$
 lvp replicated/local-volume-provider ^v([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$
diff --git a/cmd/imagedeps/main_test.go b/cmd/imagedeps/main_test.go
@@ -12,16 +12,72 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-var releaseTags = []string{
-	"RELEASE.2022-06-11T19-55-32Z.fips",
-	"RELEASE.2021-09-09T21-37-06Z.xxx",
-	"RELEASE.2021-09-09T21-37-05Z",
-	"RELEASE.2021-09-09T21-37-04Z",
-}
-var semVerTags = []string{
-	"0.12.7", "0.12.6", "0.12.5",
-	"0.12.4", "0.12.3", "0.12.2",
-}
+var (
+	minioTags = []string{
+		"sha256-00428f99c05677c91ad393c3017376e800d601708baa36e51091df3b9a67b324.att",
+		"latest-dev",
+		"latest",
+		"0.20231025.063325-r0-dev",
+		"0.20231025.063325-r0",
+		"0.20231025.063325-dev",
+		"0.20231025.063325",
+		"0.20231025-dev",
+		"0.20231025",
+		"0.20230904.195737-r1-dev",
+		"0.20230904.195737-r1",
+		"0.20230904.195737-dev",
+		"0.20230904.195737",
+		"0.20230904-dev",
+		"0.20230904",
+		"0-dev",
+		"0",
+	}
+
+	schemaheroTags = []string{
+		"0.13.2",
+		"0.13.1",
+		"0.12.7",
+		"0.12.2",
+	}
+
+	rqliteTags = []string{
+		"sha256-00122e405b3fa3b5105b0468f1fb72dcb32474968a971c45906a702120d55b58.att",
+		"latest-dev",
+		"latest",
+		"7",
+		"7-dev",
+		"7.7.0",
+		"7.7.0-dev",
+		"7.7.0-r2",
+		"7.7.0-r2-dev",
+		"7.6.2",
+		"7.6.1",
+		"7.6.0",
+		"6.10.2",
+		"6.10.1",
+		"6.8.2",
+	}
+
+	dexTags = []string{
+		"sha256-002adc734b3d83bb6be291b49eb8f3f95b905c411d404c2f4b52a759140739c9.att",
+		"latest-dev",
+		"latest",
+		"2.37.0",
+		"2.37.0-r3-dev",
+		"2.37.0-r3",
+		"2.37.0-dev",
+		"2.36.0",
+		"2.35.3",
+		"2.35.2",
+		"2.35.1",
+	}
+
+	lvpTags = []string{
+		"v0.3.3",
+		"v0.3.2",
+		"v0.3.1",
+	}
+)
 
 func makeReleases(tags []string) []*github.RepositoryRelease {
 	var releases []*github.RepositoryRelease
@@ -46,29 +102,21 @@ func TestFunctional(t *testing.T) {
 		expectError bool
 	}{
 		{
-			name: "basic",
+			name: "minio",
 			fn: getTagFinder(
-				withGithubReleaseTagFinder(
-					func(_ string, _ string) ([]*github.RepositoryRelease, error) {
-						return makeReleases(releaseTags), nil
+				withRepoGetTags(
+					func(_ string) ([]string, error) {
+						return minioTags, nil
 					},
 				),
 			),
 		},
 		{
-			name: "with-overrides",
+			name: "schemahero",
 			fn: getTagFinder(
 				withRepoGetTags(
 					func(_ string) ([]string, error) {
-						return []string{
-							"0.13.2", "0.13.1",
-							"0.12.7", "0.12.2",
-						}, nil
-					},
-				),
-				withGithubReleaseTagFinder(
-					func(_ string, _ string) ([]*github.RepositoryRelease, error) {
-						return makeReleases(releaseTags), nil
+						return schemaheroTags, nil
 					},
 				),
 			),
@@ -82,30 +130,17 @@ func TestFunctional(t *testing.T) {
 			fn: getTagFinder(
 				withRepoGetTags(
 					func(_ string) ([]string, error) {
-						return []string{
-							"7.7.0", "7.6.1", "7.6.0",
-							"6.10.2", "6.10.1", "6.8.2",
-						}, nil
-					},
-				),
-			),
-		},
-		{
-			name: "filter-github",
-			fn: getTagFinder(
-				withGithubReleaseTagFinder(
-					func(_ string, _ string) ([]*github.RepositoryRelease, error) {
-						return makeReleases(releaseTags), nil
+						return rqliteTags, nil
 					},
 				),
 			),
 		},
 		{
-			name: "schemahero",
+			name: "dex",
 			fn: getTagFinder(
 				withRepoGetTags(
 					func(_ string) ([]string, error) {
-						return semVerTags, nil
+						return dexTags, nil
 					},
 				),
 			),
@@ -115,9 +150,7 @@ func TestFunctional(t *testing.T) {
 			fn: getTagFinder(
 				withRepoGetTags(
 					func(_ string) ([]string, error) {
-						return []string{
-							"v0.3.3",
-						}, nil
+						return lvpTags, nil
 					},
 				),
 			),