generated from ministryofjustice/analytical-platform-image-build-template
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Migrate kubectl image from data platform (#2)
* migrate image build * fixed container-structure-test pt.1 * Update Makefile * update README * Fixed linting pt.1 * Update README.md Co-authored-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk> --------- Co-authored-by: Gary H <26419401+Gary-H9@users.noreply.github.com> Co-authored-by: Emterry <123941245+Emterry@users.noreply.github.com> Co-authored-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk>
- Loading branch information
4 people
authored
Apr 18, 2024
1 parent
060d825
commit 885591a
Showing
6 changed files
with
99 additions
and
148 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,49 +1,38 @@ | ||
| # checkov:skip=CKV_DOCKER_2:Healthcheck instructions have not been added to container images | ||
| # This image is an example base image for this template and can be replaced to fit user needs | ||
| FROM public.ecr.aws/ubuntu/ubuntu@sha256:12fb86d81bc4504d8261a91c83c54b9e5dcdf1d833ba0fe42ec9e0ee09a2b0ba | ||
| FROM docker.io/alpine:3.19.1 | ||
|
|
||
| LABEL org.opencontainers.image.vendor="Ministry of Justice" \ | ||
| org.opencontainers.image.authors="Analytical Platform (analytical-platform@digital.justice.gov.uk)"\ | ||
| org.opencontainers.image.title="{image title}" \ | ||
| org.opencontainers.image.description="{decription}" \ | ||
| org.opencontainers.image.url="{your repo url}" | ||
|
|
||
| ENV CONTAINER_USER="analyticalplatform" \ | ||
| CONTAINER_UID="1000" \ | ||
| CONTAINER_GROUP="analyticalplatform" \ | ||
| CONTAINER_GID="1000" \ | ||
| DEBIAN_FRONTEND="noninteractive" | ||
|
|
||
| SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"] | ||
|
|
||
| # User | ||
| RUN <<EOF | ||
| groupadd \ | ||
| --gid ${CONTAINER_GID} \ | ||
| ${CONTAINER_GROUP} | ||
|
|
||
| useradd \ | ||
| --uid ${CONTAINER_UID} \ | ||
| --gid ${CONTAINER_GROUP} \ | ||
| --create-home \ | ||
| --shell /bin/bash \ | ||
| ${CONTAINER_USER} | ||
| EOF | ||
|
|
||
| # Base | ||
| RUN <<EOF | ||
| apt-get update --yes | ||
|
|
||
| apt-get install --yes \ | ||
| "apt-transport-https=2.4.12" \ | ||
| "curl=7.81.0-1ubuntu1.16" | ||
|
|
||
| apt-get clean --yes | ||
|
|
||
| rm --force --recursive /var/lib/apt/lists/* | ||
| EOF | ||
| org.opencontainers.image.authors="Analytical Platform" \ | ||
| org.opencontainers.image.title="kubectl Image" \ | ||
| org.opencontainers.image.description="kubectl image for Analytical Platform" \ | ||
| org.opencontainers.image.url="https://github.com/ministryofjustice/analytical-platform-kubectl" | ||
|
|
||
| ARG KUBECTL_VERSION="v1.28.4" | ||
|
|
||
| ENV CONTAINER_GID="10000" \ | ||
| CONTAINER_GROUP="nonroot" \ | ||
| CONTAINER_UID="10000" \ | ||
| CONTAINER_USER="nonroot" \ | ||
| CONTAINER_HOME="/app" | ||
|
|
||
| RUN addgroup \ | ||
| --gid ${CONTAINER_GID} \ | ||
| --system \ | ||
| ${CONTAINER_GROUP} \ | ||
| && adduser \ | ||
| --uid ${CONTAINER_UID} \ | ||
| --ingroup ${CONTAINER_GROUP} \ | ||
| --disabled-password \ | ||
| ${CONTAINER_USER} \ | ||
| && mkdir --parents ${CONTAINER_HOME} \ | ||
| && chown --recursive ${CONTAINER_USER}:${CONTAINER_GROUP} ${CONTAINER_HOME} \ | ||
| && apk add --no-cache --virtual build \ | ||
| curl==8.5.0-r0 \ | ||
| && curl --location "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \ | ||
| --output /usr/local/bin/kubectl \ | ||
| && chmod +x /usr/local/bin/kubectl \ | ||
| && apk del build | ||
|
|
||
| USER ${CONTAINER_USER} | ||
|
|
||
| WORKDIR /home/${CONTAINER_USER} | ||
|
|
||
| WORKDIR ${CONTAINER_HOME} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,18 +1,29 @@ | ||
| IMAGE_NAME = ghcr.io/ministryofjustice/analytical-platform-image-build-template:latest | ||
| IMAGE_NAME = ghcr.io/ministryofjustice/analytical-platform-kubectl:latest | ||
| ARCH = $(shell uname --machine) | ||
|
|
||
| test: build | ||
| container-structure-test test --config test/container-structure-test.yml --image $(IMAGE_NAME) | ||
| define DOCKER_BUILD | ||
| @echo "Building on $(ARCH) architecture"; | ||
| @if [ "$(ARCH)" = "aarch64" ] || [ "$(ARCH)" = "arm64" ]; then \ | ||
| docker build --platform linux/amd64 --file Dockerfile --tag $(IMAGE_NAME) .; \ | ||
| else \ | ||
| docker build --file Dockerfile --tag $(IMAGE_NAME) .; \ | ||
| fi | ||
| endef | ||
|
|
||
| scan: build | ||
| trivy image --vuln-type os,library --severity CRITICAL --exit-code 1 $(IMAGE_NAME) | ||
| define CONTAINER_TEST | ||
| @echo "Testing on $(ARCH) architecture"; | ||
| @if [ "$(ARCH)" = "aarch64" ] || [ "$(ARCH)" = "arm64" ]; then \ | ||
| container-structure-test test --platform linux/amd64 --config test/container-structure-test.yml --image $(IMAGE_NAME); \ | ||
| else \ | ||
| container-structure-test test --config test/container-structure-test.yml --image $(IMAGE_NAME); \ | ||
| fi | ||
| endef | ||
|
|
||
| build: | ||
| @ARCH=`uname -m`; \ | ||
| case $$ARCH in \ | ||
| aarch64 | arm64) \ | ||
| echo "Building on $$ARCH architecture"; \ | ||
| docker build --platform linux/amd64 --file Dockerfile --tag $(IMAGE_NAME) . ;; \ | ||
| *) \ | ||
| echo "Building on $$ARCH architecture"; \ | ||
| docker build --file Dockerfile --tag $(IMAGE_NAME) . ;; \ | ||
| esac | ||
| $(DOCKER_BUILD) | ||
|
|
||
| test: build | ||
| $(CONTAINER_TEST) | ||
|
|
||
| scan: build | ||
| trivy image --vuln-type os,library --severity CRITICAL --exit-code 1 $(IMAGE_NAME) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,96 +1,47 @@ | ||
| # Analytical Platform Image Build Template | ||
| # Analytical Platform Kubectl | ||
|
|
||
| [](https://operations-engineering-reports.cloud-platform.service.justice.gov.uk/public-report/analytical-platform-image-build-template) | ||
|
|
||
| This template repository equips you with the default initial files for building a container used in Analytical Platform. | ||
| [](https://operations-engineering-reports.cloud-platform.service.justice.gov.uk/public-report/analytical-platform-kubectl) | ||
|
|
||
| This repository is managed in Terraform [here](https://github.com/ministryofjustice/data-platform-github-access/blob/main/terraform/github/analytical-platform-repositories.tf). | ||
|
|
||
| ## Included Files | ||
|
|
||
| The repository comes with the following preset files: | ||
|
|
||
| <!-- generated with `tree -a -I '.git'` --> | ||
| ```text | ||
| ├── .devcontainer | ||
| │ ├── devcontainer.json | ||
| │ └── devcontainer-lock.json | ||
| ├── Dockerfile | ||
| ├── .editorconfig | ||
| ├── .github | ||
| │ ├── CODEOWNERS | ||
| │ ├── dependabot.yml | ||
| │ └── workflows | ||
| │ ├── build-and-test.yml | ||
| │ ├── dependency-review.yml | ||
| │ ├── release.yml | ||
| │ ├── scan-image.yml | ||
| │ └── super-linter.yml | ||
| ├── .gitignore | ||
| ├── LICENSE | ||
| ├── Makefile | ||
| ├── README.md | ||
| └── test | ||
| └── container-structure-test.yml | ||
| ``` | ||
|
|
||
| ## Setup Instructions | ||
|
|
||
| Once you've created your repository using this template, perform the following steps: | ||
|
|
||
| ### Update README | ||
|
|
||
| Edit this README.md file to document your project accurately. Take the time to create a clear, engaging, and informative README.md file. Include information like what your project does, how to install and run it, how to contribute, and any other pertinent details. | ||
|
|
||
| ### Update repository description | ||
|
|
||
| After you've created your repository, GitHub provides a brief description field that appears on the top of your repository's main page. This is a summary that gives visitors quick insight into the project. Using this field to provide a succinct overview of your repository is highly recommended. | ||
|
|
||
| This description and your README.md will be one of the first things people see when they visit your repository. It's a good place to make a strong, concise first impression. Remember, this is often visible in search results on GitHub and search engines, so it's also an opportunity to help people discover your project. | ||
|
|
||
| ### Grant Team Permissions | ||
|
|
||
| Assign permissions to the appropriate Ministry of Justice teams. Ensure at least one team is granted Admin permissions. Whenever possible, assign permissions to teams rather than individual users. | ||
| This repository contains the GitHub Kubectl container image for use in the Analytical Platform. | ||
|
|
||
| ### Read about the GitHub Repository Standards | ||
| ## Running Locally | ||
|
|
||
| Familiarise yourself with the Ministry of Justice GitHub Repository Standards. These standards ensure consistency, maintainability, and best practices across all our repositories. | ||
| ### Build | ||
|
|
||
| You can find the standards [here](https://operations-engineering.service.justice.gov.uk/documentation/services/repository-standards.html). | ||
|
|
||
| Please read and understand these standards thoroughly and enable them when you feel comfortable. | ||
|
|
||
| ### Modify the GitHub Repository Standards Badge | ||
|
|
||
| Once you've ensured that all the [GitHub Repository Standards](https://operations-engineering.service.justice.gov.uk/documentation/services/repository-standards.html) have been applied to your repository, it's time to update the Ministry of Justice (MoJ) Compliance Badge located in the README file. | ||
|
|
||
| The badge demonstrates that your repository is compliant with MoJ's standards. Please follow these [instructions](https://operations-engineering.service.justice.gov.uk/documentation/runbooks/services/add-repo-badge.html) to modify the badge URL to reflect the status of your repository correctly. | ||
|
|
||
| **Please note** the badge will not function correctly if your repository is internal or private. In this case, you may remove the badge from your README. | ||
|
|
||
| ### Manage Outside Collaborators | ||
|
|
||
| To add an Outside Collaborator to the repository, follow the guidelines detailed [here](https://github.com/ministryofjustice/github-collaborators). | ||
| ```bash | ||
| docker build --platform linux/amd64 --file Dockerfile --tag analytical-platform.service.justice.gov.uk/kubectl:local . | ||
| ``` | ||
|
|
||
| ### Update CODEOWNERS | ||
| ### Run | ||
|
|
||
| (Optional) Modify the CODEOWNERS file to specify the teams or users authorized to approve pull requests. | ||
| ```bash | ||
| docker run -it --rm \ | ||
| --platform linux/amd64 \ | ||
| --name analytical-platform-actions-runner \ | ||
| analytical-platform.service.justice.gov.uk/actions-runner:local | ||
| ``` | ||
| ## Versions | ||
|
|
||
| ### Configure Dependabot | ||
| ### Alpine | ||
|
|
||
| Adapt the dependabot.yml file to match your project's [dependency manager](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) and to enable [automated pull requests for package updates](https://docs.github.com/en/code-security/supply-chain-security). | ||
| Generally Dependabot does this, but the following command will return the digest: | ||
|
|
||
| ### Dependency Review | ||
| ```bash | ||
| docker pull --platform linux/amd64 docker.io/alpine:3.19.1 | ||
|
|
||
| If your repository is private with no GitHub Advanced Security license, remove the `.github/workflows/dependency-review.yml` file. | ||
| docker image inspect --format='{{index .RepoDigests 0}}' docker.io/alpine:3.19.1 | ||
| ``` | ||
|
|
||
| ### Dockerfile | ||
| ### APT Packages | ||
|
|
||
| Make sure to add your own build logic to the bottom of the `Dockerfile`. | ||
| To find latest APT package versions, you can run the following: | ||
|
|
||
| ### Tests | ||
| ```bash | ||
| docker run -it --rm --platform linux/amd64 docker.io/alpine:3.19.1 | ||
|
|
||
| > [!NOTE] | ||
| > No application testing has been added to this template, this is to be implemented by the developer as required. | ||
| apk update | ||
|
|
||
| Please make sure to add any additional container structure tests needed to the `container-structure-test.yml`. | ||
| apk policy ${PACKAGE} # for example curl, git or gpg | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters