diff --git a/.github/dependabot.yml b/.github/dependabot.yml index b3d0f6861..0a4c66b74 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -360,3 +360,12 @@ updates: all: patterns: - "*" + - package-ecosystem: "terraform" + directory: "/tekton/images" + schedule: + interval: "weekly" + labels: + - "ok-to-test" + - "dependencies" + - "release-note-none" + - "kind/misc" diff --git a/.gitignore b/.gitignore index 38f8cb40f..35c7709b6 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,6 @@ **/.bin **/.DS_Store + +.terraform** +terraform.tfstate** \ No newline at end of file diff --git a/tekton/images/README.md b/tekton/images/README.md index 27dc62c62..0d205ebd6 100644 --- a/tekton/images/README.md +++ b/tekton/images/README.md @@ -1,4 +1,35 @@ # Container Images for Tekton infrastructure -This folder contains various container images used by Tekton infrastructure -to run Tekton's own CI/CD. +This folder contains various container images used by Tekton infrastructure to +run Tekton's own CI/CD. + +## Wolfi images (experimental) + +Some directories include experimental support for +[Wolfi](https://github.com/wolfi-dev/) images built via +[apko](https://github.com/chainguard-dev/apko) + terraform. + +These images are built declaratively from Wolfi packages and are automatically +signed + attested during publishing. + +To build these images, run: + +```sh +TF_VAR_target_repository=ttl.sh/path/to/registry terraform apply +``` + +To build a single image (for example, `ko-gcloud`): + +```sh +TF_VAR_target_repository=ttl.sh/path/to/registry terraform apply -target=module.ko-gcloud +``` + +### Signing and attestations + +If you wish to sign/attest the image locally (optional for development, but +terraform will output a warning), you can enable it by setting +`TF_COSIGN_LOCAL=1`: + +```sh +TF_COSIGN_LOCAL=1 TF_VAR_target_repository=ttl.sh/path/to/registry terraform apply -target=module.ko-gcloud +``` 
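Review bot: The new terraform entry points Dependabot only at `directory: "/tekton/images"`, but the pins that actually need bumping — `version = "0.0.9"` on the `chainguard-dev/apko/publisher` module — live in the subdirectories `/tekton/images/ko` and `/tekton/images/ko-gcloud`, which the terraform updater does not, as far as I know, scan recursively. Only the `~>` provider constraints in the root `main.tf` would be kept fresh by this entry. Consider one entry per module directory, e.g. `directory: "/tekton/images/ko"` and `directory: "/tekton/images/ko-gcloud"`, with the same schedule and labels. The enclosing `updates:` list starts outside the hunk.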
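Review bot: `.terraform**` behaves as `.terraform*` in gitignore syntax (consecutive asterisks outside a `/**/`-style form collapse to one), so it also ignores `.terraform.lock.hcl`, the provider lock file that pins provider versions and their hashes across `terraform init`. Without a committed lock file every init re-resolves the newest providers the `~>` constraints allow and accepts whatever hashes it sees, which works against the reproducible, attested build the README describes. Prefer ignoring only the plugin cache directory, `.terraform/`, and commit `.terraform.lock.hcl`. `terraform.tfstate**` should stay ignored; state may hold values you do not want in the repo.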
diff --git a/tekton/images/ko-gcloud/apko.yaml b/tekton/images/ko-gcloud/apko.yaml
new file mode 100644
index 000000000..bdd43c081
--- /dev/null
+++ b/tekton/images/ko-gcloud/apko.yaml
@@ -0,0 +1,27 @@
+contents:
+ packages:
+ - bash
+ - busybox
+ - git
+ - go
+ - google-cloud-sdk
+ - ko
+ - kubectl
+ - kustomize
+ # Pin to python 3.11 until issues with 3.12 are resolved.
+ # ref: https://issuetracker.google.com/issues/303737178
+ - python3~3.11
+ - yq
+
+entrypoint:
+ command: /bin/bash
+
+accounts:
+ groups:
+ - groupname: nonroot
+ gid: 65532
+ users:
+ - username: nonroot
+ uid: 65532
+ gid: 65532
+ run-as: 65532
\ No newline at end of file
diff --git a/tekton/images/ko-gcloud/main.tf b/tekton/images/ko-gcloud/main.tf
new file mode 100644
index 000000000..ea22dcf26
--- /dev/null
+++ b/tekton/images/ko-gcloud/main.tf
@@ -0,0 +1,34 @@
+terraform {
+ required_providers {
+ apko = {
+ source = "chainguard-dev/apko"
+ }
+ oci = {
+ source = "chainguard-dev/oci"
+ }
+ }
+}
+
+variable "target_repository" {
+ description = "The docker repo into which the image and attestations should be published."
+}
+
+module "image" {
+ source = "chainguard-dev/apko/publisher"
+ version = "0.0.9"
+
+ target_repository = var.target_repository
+ config = file("${path.module}/apko.yaml")
+ default_annotations = {
+ "org.opencontainers.image.url": "https://github.com/tektoncd/plumbing/tree/main/tekton/images/ko-gcloud"
+ }
+}
+
+resource "oci_tag" "latest" {
+ digest_ref = module.image.image_ref
+ tag = "latest-wolfi"
+}
+
+output "image_ref" {
+ value = oci_tag.latest.tagged_ref
+}
\ No newline at end of file
diff --git a/tekton/images/ko/apko.yaml b/tekton/images/ko/apko.yaml
new file mode 100644
index 000000000..fbf73b01d
--- /dev/null
+++ b/tekton/images/ko/apko.yaml
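Review bot: Apart from `python3~3.11`, every entry in `contents.packages` is unpinned, so each `terraform apply` resolves whatever Wolfi currently ships and the published image changes with no change in this repo; that looks intentional for a rolling base, but the file does not say so and the next maintainer may "fix" it. A comment above `packages:` would settle it: `# Versions are deliberately unpinned: apko resolves the newest Wolfi build at apply time.` / `# Pin an individual package only to work around a known-bad release (see python3 below).` Presumably the attestation the README says is produced at publish time is the record of what was actually resolved; if so, say that in the same comment.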
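Review bot: `output "image_ref"` exposes `oci_tag.latest.tagged_ref`, the mutable `latest-wolfi` tag, while the immutable digest reference `module.image.image_ref` that `oci_tag.latest` is built from is not surfaced at all. Anything that wires this output into a Tekton task will pull by tag and silently pick up the next apply's image, which undercuts the signing and attestation the README advertises. Add a digest output so callers can pin: `output "image_digest" { value = module.image.image_ref }`. Separately, `variable "target_repository"` has no `type = string`, so a non-string value is coerced rather than rejected at plan time.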
@@ -0,0 +1,20 @@
+contents:
+ packages:
+ - bash
+ - busybox
+ - git
+ - ko
+ - kustomize
+
+entrypoint:
+ command: /bin/bash
+
+accounts:
+ groups:
+ - groupname: nonroot
+ gid: 65532
+ users:
+ - username: nonroot
+ uid: 65532
+ gid: 65532
+ run-as: 65532
\ No newline at end of file
diff --git a/tekton/images/ko/main.tf b/tekton/images/ko/main.tf
new file mode 100644
index 000000000..e900e541e
--- /dev/null
+++ b/tekton/images/ko/main.tf
@@ -0,0 +1,34 @@
+terraform {
+ required_providers {
+ apko = {
+ source = "chainguard-dev/apko"
+ }
+ oci = {
+ source = "chainguard-dev/oci"
+ }
+ }
+}
+
+variable "target_repository" {
+ description = "The docker repo into which the image and attestations should be published."
+}
+
+module "image" {
+ source = "chainguard-dev/apko/publisher"
+ version = "0.0.9"
+
+ target_repository = var.target_repository
+ config = file("${path.module}/apko.yaml")
+ default_annotations = {
+ "org.opencontainers.image.url": "https://github.com/tektoncd/plumbing/tree/main/tekton/images/ko"
+ }
+}
+
+resource "oci_tag" "latest" {
+ digest_ref = module.image.image_ref
+ tag = "latest-wolfi"
+}
+
+output "image_ref" {
+ value = oci_tag.latest.tagged_ref
+}
\ No newline at end of file
diff --git a/tekton/images/main.tf b/tekton/images/main.tf
new file mode 100644
index 000000000..deb2bcd59
--- /dev/null
+++ b/tekton/images/main.tf
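Review bot: This file repeats the `bash`/`busybox`/`git`/`ko`/`kustomize` list and the entire `accounts` block of `ko-gcloud/apko.yaml` with nothing tying the two together, so a fix applied to one (a version pin, a uid change) can silently miss the other. At minimum add a header comment: `# Base of tekton/images/ko-gcloud/apko.yaml: keep the package list and accounts block in sync.` If the apko version in use supports config `include:`, factoring the shared part into one base file would remove the drift risk altogether. The file also lacks a trailing newline.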
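Review bot: The only output, `image_ref`, is the tagged reference `latest-wolfi`, which is rewritten on every apply; the digest reference that `digest_ref = module.image.image_ref` feeds into `oci_tag.latest` is never exported. Consumers that want the signed, attested artifact rather than "whatever was published last" need that digest, so expose it next to the tag: `output "image_digest" { value = module.image.image_ref }`. Consider also giving `variable "target_repository"` an explicit `type = string`.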
@@ -0,0 +1,36 @@
+terraform {
+ required_providers {
+ oci = {
+ source = "chainguard-dev/oci"
+ version = "~> 0.0.10"
+ }
+ apko = {
+ source = "chainguard-dev/apko"
+ version = "~> 0.10.7"
+ }
+ }
+}
+
+provider "apko" {
+ extra_repositories = ["https://packages.wolfi.dev/os"]
+ extra_keyring = ["https://packages.wolfi.dev/os/wolfi-signing.rsa.pub"]
+ extra_packages = ["wolfi-baselayout"]
+ default_archs = ["x86_64", "aarch64"]
+ default_annotations = {
+ "org.opencontainers.image.authors" = "Tekton Authors "
+ }
+}
+
+variable "target_repository" {
+ description = "The docker repo into which the image and attestations should be published."
+}
+
+module "ko" {
+ source = "./ko"
+ target_repository = "${var.target_repository}/ko"
+}
+
+module "ko-gcloud" {
+ source = "./ko-gcloud"
+ target_repository = "${var.target_repository}/ko-gcloud"
+}
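Review bot: `extra_keyring` fetches the Wolfi signing public key from `https://packages.wolfi.dev/os/wolfi-signing.rsa.pub`, the same origin as the `extra_repositories` package index, so apk signature verification is only as strong as TLS to that host at apply time — whoever can serve both files controls both the packages and the key they are checked against. Since this is the trust anchor for every image built here, vendor the key into the repo and reference it locally (apko keyring entries accept file paths as well as URLs, as far as I recall): `extra_keyring = ["${path.module}/wolfi-signing.rsa.pub"]`, with changes to that file treated as reviewed events. Also, `org.opencontainers.image.authors` is `"Tekton Authors "` with a trailing space, which looks like a contact address was lost somewhere; confirm the intended value. The `~>` provider constraints are good, but only meaningful if `.terraform.lock.hcl` is committed.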