From 9a1584345e8442c7d8f30ecac787b445223cba78 Mon Sep 17 00:00:00 2001
From: Renovator Bot
Date: Fri, 8 Dec 2023 02:35:23 +0000
Subject: [PATCH 1/5] chore(deps): update docker.io/alpine docker tag to v3.19
---
 Containerfile.multiarch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Containerfile.multiarch b/Containerfile.multiarch
index 6e4ef8f..17ef125 100644
--- a/Containerfile.multiarch
+++ b/Containerfile.multiarch
@@ -1,4 +1,4 @@
-FROM docker.io/alpine:3.18@sha256:34871e7290500828b39e22294660bee86d966bc0017544e848dd9a255cdf59e0
+FROM docker.io/alpine:3.19@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48
 LABEL maintainer="Robert Kaussow "
 LABEL org.opencontainers.image.authors="Robert Kaussow "
-- 
2.24.4

From cca86a86fb700e41039678d8e2ee8048dc9a5eef Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Thu, 14 Dec 2023 09:15:09 +0100
Subject: [PATCH 2/5] use pipx to isolate python packages
---
 Containerfile.multiarch | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/Containerfile.multiarch b/Containerfile.multiarch
index 17ef125..c8d632f 100644
--- a/Containerfile.multiarch
+++ b/Containerfile.multiarch
@@ -33,9 +33,14 @@ ENV POLARIS_VERSION="${POLARIS_VERSION:-8.5.2}"
 # renovate: datasource=pypi depName=flux-local
 ENV FLUX_LOCAL_VERSION="${FLUX_LOCAL_VERSION:-3.2.0}"
-RUN apk --update add curl tar bash python3 py3-yaml py3-pip findutils git && \
+ENV PIPX_HOME=/opt/pipx
+ENV PIPX_BIN_DIR=/usr/local/bin
+
+RUN apk --update add curl tar bash python3 pipx findutils git && \
 apk --no-cache upgrade libcrypto3 libssl3 && \
- pip install -qq --no-cache-dir flux-local=="$FLUX_LOCAL_VERSION" && \
+ pipx install --include-deps flux-local=="$FLUX_LOCAL_VERSION" && \
+ pipx inject flux-local PyYAML && \
+ $PIPX_HOME/shared/bin/pip install -U pip setuptools && \
 curl -SsfL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl" && \
 curl -SsfL -o /usr/local/bin/kubectl-convert "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl-convert" && \
 curl -SsfL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_${TARGETOS}_${TARGETARCH}" && \
-- 
2.24.4

From 274ccaa90d6dcacb8d0ac620cdb8a3cc428ae3f7 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Thu, 14 Dec 2023 09:35:47 +0100
Subject: [PATCH 3/5] switch to trivy config files
---
 .woodpecker/build-container.yml | 1 -
 Containerfile.multiarch | 3 ++-
 trivy-secret.yaml | 4 ++++
 trivy.yaml | 7 +++++++
 4 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 trivy-secret.yaml
 create mode 100644 trivy.yaml
diff --git a/.woodpecker/build-container.yml b/.woodpecker/build-container.yml
index 41dd9ea..eb43f5c 100644
--- a/.woodpecker/build-container.yml
+++ b/.woodpecker/build-container.yml
@@ -24,7 +24,6 @@ steps:
 TRIVY_NO_PROGRESS: "true"
 TRIVY_SEVERITY: HIGH,CRITICAL
 TRIVY_TIMEOUT: 1m
- TRIVY_SKIP_FILES: /usr/local/bin/gomplate,/usr/local/bin/helm,/usr/local/bin/polaris,/usr/local/bin/yq
 publish-dockerhub:
 group: container
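Review bot: The added `pipx inject flux-local PyYAML` and `$PIPX_HOME/shared/bin/pip install -U pip setuptools` lines pull whatever PyPI serves at build time, so two builds of the same Containerfile can produce different package sets even though `flux-local` itself is pinned through a renovate-tracked `FLUX_LOCAL_VERSION`; the same unpinned upgrade line is restored by the patch 5 hunk. Pin them the way the file already pins flux-local, e.g. `# renovate: datasource=pypi depName=PyYAML` above `ENV PYYAML_VERSION="${PYYAML_VERSION:-<pinned version>}"` and `pipx inject flux-local PyYAML=="$PYYAML_VERSION"`, and give pip and setuptools explicit versions too, so that a scan of the resulting image is reproducible. If PyYAML is already a dependency of flux-local, `--include-deps` installs it and the inject is redundant — worth confirming before pinning it separately. The RUN instruction continues past the end of the hunk.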
diff --git a/Containerfile.multiarch b/Containerfile.multiarch
index c8d632f..f2589ba 100644
--- a/Containerfile.multiarch
+++ b/Containerfile.multiarch
@@ -59,7 +59,8 @@ RUN apk --update add curl tar bash python3 pipx findutils git && \
 chmod 755 /usr/local/bin/kustomize && \
 chmod 755 /usr/local/bin/kubeconform && \
 rm -rf /var/cache/apk/* && \
- rm -rf /tmp/*
+ rm -rf /tmp/* && \
+ rm -rf /root/.cache/
 ADD overlay/ /
diff --git a/trivy-secret.yaml b/trivy-secret.yaml
new file mode 100644
index 0000000..3287627
--- /dev/null
+++ b/trivy-secret.yaml
@@ -0,0 +1,4 @@
+---
+allow-rules:
+ - id: aws-secret-access-key
+ path: .*/flux-local/.*/site-packages/GitPython-.*\.dist-info/METADATA
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..46bfe8e
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,7 @@
+---
+scan:
+ skip-files:
+ - /usr/local/bin/gomplate
+ - /usr/local/bin/helm
+ - /usr/local/bin/polaris
+ - /usr/local/bin/yq
-- 
2.24.4

From 25d1b85c924b70ac284349053716a95bfde51c93 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Thu, 14 Dec 2023 10:34:18 +0100
Subject: [PATCH 4/5] remove setuptools
---
 Containerfile.multiarch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Containerfile.multiarch b/Containerfile.multiarch
index f2589ba..78d6bb9 100644
--- a/Containerfile.multiarch
+++ b/Containerfile.multiarch
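Review bot: The allow-rule in trivy-secret.yaml disables the `aws-secret-access-key` detector for every GitPython dist-info METADATA under a flux-local venv without recording why, so a later reader cannot tell a known false positive from a silenced real finding; the `skip-files` list in the trivy.yaml hunk leaves the same gap for the four excluded binaries. Add a one-line reason above each entry, e.g. `# false positive: <what the matched string in METADATA actually is> — see <issue/link>` for the allow-rule and `# <why these tools are excluded from the scan>` above `skip-files:`, so both suppressions can be re-checked when the packages are bumped. The `.*` segments are presumably meant to survive flux-local and GitPython upgrades; since the pattern only ever reaches GitPython's own METADATA text, that scope looks acceptable, but the comment should say so.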
@@ -40,7 +40,7 @@ RUN apk --update add curl tar bash python3 pipx findutils git && \
 apk --no-cache upgrade libcrypto3 libssl3 && \
 pipx install --include-deps flux-local=="$FLUX_LOCAL_VERSION" && \
 pipx inject flux-local PyYAML && \
- $PIPX_HOME/shared/bin/pip install -U pip setuptools && \
+ $PIPX_HOME/shared/bin/pip install -U pip && \
 curl -SsfL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl" && \
 curl -SsfL -o /usr/local/bin/kubectl-convert "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl-convert" && \
 curl -SsfL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_${TARGETOS}_${TARGETARCH}" && \
-- 
2.24.4

From 25e80a2ca3ee4a6a56570b6ef20a44069c82d829 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Thu, 14 Dec 2023 10:42:48 +0100
Subject: [PATCH 5/5] readd setuptools
---
 Containerfile.multiarch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Containerfile.multiarch b/Containerfile.multiarch
index 78d6bb9..f2589ba 100644
--- a/Containerfile.multiarch
+++ b/Containerfile.multiarch
@@ -40,7 +40,7 @@ RUN apk --update add curl tar bash python3 pipx findutils git && \
 apk --no-cache upgrade libcrypto3 libssl3 && \
 pipx install --include-deps flux-local=="$FLUX_LOCAL_VERSION" && \
 pipx inject flux-local PyYAML && \
- $PIPX_HOME/shared/bin/pip install -U pip && \
+ $PIPX_HOME/shared/bin/pip install -U pip setuptools && \
 curl -SsfL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl" && \
 curl -SsfL -o /usr/local/bin/kubectl-convert "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl-convert" && \
 curl -SsfL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_${TARGETOS}_${TARGETARCH}" && \
-- 
2.24.4
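Review bot: Patch 4 drops `setuptools` from the shared pipx `pip install -U` line and this patch restores it unchanged, so the two hunks cancel out and neither commit title says what failed without it; either squash the pair away or keep one of them and record the reason in the commit message or in a comment line above the RUN instruction, e.g. `# setuptools is upgraded alongside pip because <what breaks without it>`. The restored `-U pip setuptools` line is still unpinned, as already raised on the patch 2 hunk. The RUN instruction this line belongs to starts before and ends after the hunk.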