✨ Use framework images built on new repo (#2074)

* Use framework images built on new repo Signed-off-by: Mauro Morales <[email protected]> * Luet is not in the framework anymore Signed-off-by: Mauro Morales <[email protected]> * Use latest release by default Signed-off-by: Mauro Morales <[email protected]> * remove concept of security profile Generic images don't reflect it anymore so this can be considered part of the version Signed-off-by: Mauro Morales <[email protected]> --------- Signed-off-by: Mauro Morales <[email protected]>
kairos-io · Dec 13, 2023 · 3ee95d7 · 3ee95d7
1 parent 7ad3008
commit 3ee95d7
Show file tree

Hide file tree

Showing 15 changed files with 21 additions and 290 deletions.
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
@@ -81,16 +81,6 @@ jobs:
     strategy:
       fail-fast: false
       matrix: ${{fromJson(needs.get-core-matrix.outputs.matrix)}}
-  framework:
-    uses: ./.github/workflows/reusable-build-framework.yaml
-    secrets: inherit
-    with:
-      security_profile: ${{ matrix.security_profile }}
-    strategy:
-      fail-fast: false
-      matrix:
-        security_profile: [generic, fips]
-        framework_version: [master]
   install:
     uses: ./.github/workflows/reusable-install-test.yaml
     with:
@@ -345,7 +335,6 @@ jobs:
     needs:
       - core
       - standard
-      - framework
       - install
       - zfs
       - acceptance

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -54,54 +54,6 @@ jobs:
           # end of optional handling for multi line json
           echo "::set-output name=matrix::{\"include\": $content }"
 
-  build-framework:
-    runs-on: kvm
-    permissions:
-      id-token: write  # OIDC support
-      contents: write
-    strategy:
-      fail-fast: false
-      matrix:
-        security_profile:
-          - "generic"
-          - "fips"
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@main
-      - name: Install earthly
-        uses: Luet-lab/[email protected]
-        with:
-          repository: quay.io/kairos/packages
-          packages: utils/earthly
-      - name: Login to Quay Registry
-        run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
-      - name: Build  🔧
-        run: |
-          # Configure earthly to use the docker mirror in CI
-          # https://docs.earthly.dev/ci-integration/pull-through-cache#configuring-earthly-to-use-the-cache
-          mkdir -p ~/.earthly/
-          cat << EOF > ~/.earthly/config.yml
-          global:
-            buildkit_additional_config: |
-              [registry."docker.io"]
-                mirrors = ["registry.docker-mirror.svc.cluster.local:5000"]
-              [registry."registry.docker-mirror.svc.cluster.local:5000"]
-                insecure = true
-                http = true
-          EOF
-          earthly +multi-build-framework-image --SECURITY_PROFILE=${{ matrix.security_profile }} --FRAMEWORK_VERSION="git"
-      - name: Push to quay
-        env:
-          COSIGN_YES: true
-        if: startsWith(github.ref, 'refs/tags/')
-        run: |
-          export _IMG="$(cat build/FRAMEWORK_IMAGE)"
-          docker push "$_IMG" # Otherwise .RepoDigests will be empty for some reason
-          cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$_IMG")
-
   build-core:
     runs-on: ubuntu-latest
     needs:

diff --git a/.github/workflows/reusable-build-framework.yaml b/.github/workflows/reusable-build-framework.yaml
diff --git a/Earthfile b/Earthfile
@@ -8,6 +8,8 @@ ARG GITHUB_REPO=kairos-io/kairos
 ARG LUET_VERSION=0.35.0
 # renovate: datasource=docker depName=aquasec/trivy
 ARG TRIVY_VERSION=0.47.0
+# renovate: datasource=github-releases depName=kairos-io/kairos-framework
+ARG KAIROS_FRAMEWORK_VERSION="2.4.4"
 ARG COSIGN_SKIP=".*quay.io/kairos/.*"
 # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name
 
@@ -230,83 +232,6 @@ luet:
 ### Image Build targets
 ###
 
-# This generates the framework base by installing luet packages generated with
-# the profile-build + framework-profile.yaml file.
-# Installs everything under the /framework dir and saves that as an artifact
-framework:
-    FROM golang:alpine
-
-    ARG SECURITY_PROFILE
-    IF [ "$SECURITY_PROFILE" = "fips" ]
-        ARG _SECURITY_PROFILE=fips
-    ELSE
-        ARG _SECURITY_PROFILE=generic
-    END
-
-    WORKDIR /build
-
-    COPY ./profile-build /build
-    COPY +luet/luet /usr/bin/luet
-
-    RUN go mod download
-    COPY framework-profile.yaml /build
-    RUN go run main.go ${_SECURITY_PROFILE} framework-profile.yaml /framework
-
-    RUN mkdir -p /framework/etc/kairos/
-    RUN luet database --system-target /framework get-all-installed --output /framework/etc/kairos/versions.yaml
-
-    # luet cleanup
-    RUN luet cleanup --system-target /framework
-    RUN rm -rf /var/luet
-    RUN rm -rf /var/cache
-
-    # COPY luet into the final framework
-    # TODO: Understand why?
-    COPY +luet/luet /framework/usr/bin/luet
-    COPY framework-profile.yaml /framework/etc/luet/luet.yaml
-
-    SAVE ARTIFACT --keep-own /framework/ framework
-
-multi-build-framework-image:
-    ARG --required SECURITY_PROFILE
-
-    BUILD --platform=linux/amd64 --platform=linux/arm64 +build-framework-image
-
-build-framework-image:
-    FROM alpine
-    ARG SECURITY_PROFILE
-    ARG FRAMEWORK_VERSION
-
-    IF [ "$SECURITY_PROFILE" = "fips" ]
-        ARG _SECURITY_PROFILE=fips
-    ELSE
-        ARG _SECURITY_PROFILE=generic
-    END
-
-    COPY +version/VERSION ./
-    DO +GIT_VERSION
-
-    ARG VERSION=$(cat ./GIT_VERSION)
-
-    IF [ "$FRAMEWORK_VERSION" = "" ]
-        ARG _FRAMEWORK_VERSION=master
-    ELSE IF [ "$FRAMEWORK_VERSION" = "git" ]
-        ARG _FRAMEWORK_VERSION=$VERSION
-    ELSE
-        ARG _FRAMEWORK_VERSION=$FRAMEWORK_VERSION
-    END
-
-    ARG _IMG="$IMAGE_REPOSITORY_ORG/framework:${_FRAMEWORK_VERSION}_${_SECURITY_PROFILE}"
-    RUN echo $_IMG > FRAMEWORK_IMAGE
-
-    SAVE ARTIFACT FRAMEWORK_IMAGE AS LOCAL build/FRAMEWORK_IMAGE
-
-    FROM scratch
-
-    COPY (+framework/framework --SECURITY_PROFILE=$_SECURITY_PROFILE) /
-
-    SAVE IMAGE --push $IMAGE_REPOSITORY_ORG/framework:${_FRAMEWORK_VERSION}_${_SECURITY_PROFILE}
-
 kairos-dockerfile:
     ARG --required FAMILY
     COPY ./images .
@@ -333,12 +258,10 @@ base-image:
 
     ARG KAIROS_VERSION=$(cat ./GIT_VERSION)
 
-    IF [ "$FRAMEWORK_VERSION" = "" ]
-        ARG _FRAMEWORK_VERSION=master
-    ELSE IF [ "$FRAMEWORK_VERSION" = "git" ]
-        ARG _FRAMEWORK_VERSION=$VERSION
-    ELSE
+    IF [ "$FRAMEWORK_VERSION" != "" ]
         ARG _FRAMEWORK_VERSION=$FRAMEWORK_VERSION
+    ELSE
+        ARG _FRAMEWORK_VERSION=$KAIROS_FRAMEWORK_VERSION
     END
     RUN cat +kairos-dockerfile/Dockerfile
 

diff --git a/images/Dockerfile.alpine b/images/Dockerfile.alpine
@@ -10,9 +10,7 @@ ARG MODEL=generic
 ARG BASE_IMAGE=alpine
 ARG VARIANT
 ARG VERSION
-ARG FRAMEWORK_VERSION=master
-# Not to be confused with the concept of MODEL, this is either fips or generic
-ARG SECURITY_PROFILE=generic
+ARG FRAMEWORK_VERSION=main
 
 ###############################################################
 ####                          Common                       ####

diff --git a/images/Dockerfile.debian b/images/Dockerfile.debian
@@ -10,9 +10,7 @@ ARG MODEL=generic
 ARG BASE_IMAGE=debian:testing
 ARG VARIANT
 ARG VERSION
-ARG FRAMEWORK_VERSION=master
-# Not to be confused with the concept of MODEL, this is either fips or generic
-ARG SECURITY_PROFILE=generic
+ARG FRAMEWORK_VERSION=main
 # TARGETARCH is used to determine the architecture of the image
 # it is already set by Docker so it doesn't need to be defined here
 

diff --git a/images/Dockerfile.kairos b/images/Dockerfile.kairos
@@ -1,5 +1,5 @@
 # WARNING: Do not build this image on its own, use the different Dockerfile.kairos-* instead
-FROM --platform="linux/${TARGETARCH}" quay.io/kairos/framework:${FRAMEWORK_VERSION}_${SECURITY_PROFILE} AS framework
+FROM --platform="linux/${TARGETARCH}" quay.io/kairos/framework:${FRAMEWORK_VERSION} AS framework
 
 FROM all AS base-kairos
 
@@ -52,7 +52,6 @@ ARG FLAVOR_RELEASE
 ARG MODEL
 ARG VERSION
 ARG FRAMEWORK_VERSION
-ARG SECURITY_PROFILE
 LABEL org.opencontainers.image.authors="Kairos Maintainers <[email protected]>"
 LABEL org.opencontainers.image.licenses="Apache-2.0"
 LABEL org.opencontainers.image.url="https://github.com/kairos-io/kairos"
@@ -65,7 +64,6 @@ LABEL io.kairos.flavor_release="${FLAVOR_RELEASE}"
 LABEL io.kairos.model="${MODEL}"
 LABEL io.kairos.version="${VERSION}"
 LABEL io.kairos.framework-version="${FRAMEWORK_VERSION}"
-LABEL io.kairos.security-profile="${SECURITY_PROFILE}"
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN luet database get-all-installed --output /etc/kairos/versions.yaml

diff --git a/images/Dockerfile.kairos-alpine b/images/Dockerfile.kairos-alpine
@@ -9,9 +9,7 @@ ARG MODEL=generic
 ARG BASE_IMAGE=alpine
 ARG VARIANT
 ARG VERSION
-ARG FRAMEWORK_VERSION=master
-# Not to be confused with the concept of MODEL, this is either fips or generic
-ARG SECURITY_PROFILE=generic
+ARG FRAMEWORK_VERSION=main
 
 ###############################################################
 ####                          Common                       ####
@@ -151,7 +149,7 @@ RUN rc-update add sshd boot && \
     rc-update add crond && \
     rc-update add fail2ban
 
-FROM --platform="linux/${TARGETARCH}" quay.io/kairos/framework:${FRAMEWORK_VERSION}_${SECURITY_PROFILE} AS framework
+FROM --platform="linux/${TARGETARCH}" quay.io/kairos/framework:${FRAMEWORK_VERSION} AS framework
 
 FROM all AS base-kairos
 
@@ -184,15 +182,6 @@ ARG MODEL
 ARG REGISTRY_AND_ORG="quay.io/kairos"
 ARG K3S_VERSION
 ARG TARGETARCH
-ARG OS_NAME=kairos-${VARIANT}-${FLAVOR}-${FLAVOR_RELEASE}
-ENV KAIROS_VERSION="${VERSION}${K3S_VERSION:+-k3s$K3S_VERSION}"
-ENV OS_VERSION=${KAIROS_VERSION}
-ENV OS_LABEL=${KAIROS_VERSION}
-RUN OS_LABEL=$(naming.sh container_artifact_label) \
-    OS_REPO=$(naming.sh container_artifact_repo) \
-    ARTIFACT=$(naming.sh bootable_artifact_name) \
-    envsubst >>/etc/os-release </usr/lib/os-release.tmpl
-RUN naming.sh container_artifact_name > /IMAGE
 
 RUN rm -rf /etc/machine-id
 
@@ -213,7 +202,6 @@ ARG FLAVOR_RELEASE
 ARG MODEL
 ARG VERSION
 ARG FRAMEWORK_VERSION
-ARG SECURITY_PROFILE
 LABEL org.opencontainers.image.authors="Kairos Maintainers <[email protected]>"
 LABEL org.opencontainers.image.licenses="Apache-2.0"
 LABEL org.opencontainers.image.url="https://github.com/kairos-io/kairos"
@@ -226,7 +214,6 @@ LABEL io.kairos.flavor_release="${FLAVOR_RELEASE}"
 LABEL io.kairos.model="${MODEL}"
 LABEL io.kairos.version="${VERSION}"
 LABEL io.kairos.framework-version="${FRAMEWORK_VERSION}"
-LABEL io.kairos.security-profile="${SECURITY_PROFILE}"
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN luet database get-all-installed --output /etc/kairos/versions.yaml

diff --git a/images/Dockerfile.kairos-debian b/images/Dockerfile.kairos-debian
@@ -9,9 +9,7 @@ ARG MODEL=generic
 ARG BASE_IMAGE=debian:testing
 ARG VARIANT
 ARG VERSION
-ARG FRAMEWORK_VERSION=master
-# Not to be confused with the concept of MODEL, this is either fips or generic
-ARG SECURITY_PROFILE=generic
+ARG FRAMEWORK_VERSION=main
 # TARGETARCH is used to determine the architecture of the image
 # it is already set by Docker so it doesn't need to be defined here
 
@@ -156,7 +154,7 @@ RUN chown root:root /usr/bin/sudo && chmod 4755 /usr/bin/sudo
 # Clear cache
 RUN rm -rf /var/cache/* && journalctl --vacuum-size=1K && rm /etc/machine-id && rm /var/lib/dbus/machine-id && rm /etc/hostname
 
-FROM --platform="linux/${TARGETARCH}" quay.io/kairos/framework:${FRAMEWORK_VERSION}_${SECURITY_PROFILE} AS framework
+FROM --platform="linux/${TARGETARCH}" quay.io/kairos/framework:${FRAMEWORK_VERSION} AS framework
 
 FROM all AS base-kairos
 
@@ -189,15 +187,6 @@ ARG MODEL
 ARG REGISTRY_AND_ORG="quay.io/kairos"
 ARG K3S_VERSION
 ARG TARGETARCH
-ARG OS_NAME=kairos-${VARIANT}-${FLAVOR}-${FLAVOR_RELEASE}
-ENV KAIROS_VERSION="${VERSION}${K3S_VERSION:+-k3s$K3S_VERSION}"
-ENV OS_VERSION=${KAIROS_VERSION}
-ENV OS_LABEL=${KAIROS_VERSION}
-RUN OS_LABEL=$(naming.sh container_artifact_label) \
-    OS_REPO=$(naming.sh container_artifact_repo) \
-    ARTIFACT=$(naming.sh bootable_artifact_name) \
-    envsubst >>/etc/os-release </usr/lib/os-release.tmpl
-RUN naming.sh container_artifact_name > /IMAGE
 
 RUN rm -rf /etc/machine-id
 
@@ -218,7 +207,6 @@ ARG FLAVOR_RELEASE
 ARG MODEL
 ARG VERSION
 ARG FRAMEWORK_VERSION
-ARG SECURITY_PROFILE
 LABEL org.opencontainers.image.authors="Kairos Maintainers <[email protected]>"
 LABEL org.opencontainers.image.licenses="Apache-2.0"
 LABEL org.opencontainers.image.url="https://github.com/kairos-io/kairos"
@@ -231,7 +219,6 @@ LABEL io.kairos.flavor_release="${FLAVOR_RELEASE}"
 LABEL io.kairos.model="${MODEL}"
 LABEL io.kairos.version="${VERSION}"
 LABEL io.kairos.framework-version="${FRAMEWORK_VERSION}"
-LABEL io.kairos.security-profile="${SECURITY_PROFILE}"
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN luet database get-all-installed --output /etc/kairos/versions.yaml