Plumb through the notion of build-time repositories. #1169
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There are three interesting use cases enabled by this change: 1. Silence `./packages` warnings with our private images. Currently for our private images, we pull private packages via GCS fuse mounted to `./packages/`. This results in warnings from `apk` when the indices are updated today because this path does not exist. By making `./packages` a build-time only thing, this goes away. 2. Stop leaking auth in build repository URLs into the final image Currently it is impossible to use `https://user:pass@repo` style repositories without the credential leaking into the image's `/etc/apk/repositories`. With this change, credentialed URLs may be passed to `--build-repository-append` and the credentials will only be used for the initial image construction and not be present in the final image. 3. Enable using private APK registries with `HTTP_AUTH` without breaking `apk update` We uncovered an unfortunate side-effect of switching from `./packages` to `apk.cgr.dev/chainguard-private` for our packages: `apk update` breaks. With the former, we get a `WARNING` that `./packages` is not found (see `1.` above). With the latter, we get a `WARNING` that the caller isn't authorized, but unlike `./packages` it returns a non-zero exit code breaking `Dockerfile` builds. Armed with this change, we can move `apk.cgr.dev/chainguard-private` into our `build_repositories`, specify auth at build-time via `HTTP_AUTH` and avoid the private repository URL leaking into the final image causing `apk update` to break. Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
jonjohnsonjr
approved these changes
Jun 15, 2024
imjasonh
approved these changes
Jun 15, 2024
imjasonh
added a commit
to chainguard-dev/terraform-provider-apko
that referenced
this pull request
Jun 17, 2024
Picks up chainguard-dev/apko#1169 This lets us define repos to pull packages from at apko-build-time, which won't be available or visible via `apk update` or `apk add`. --------- Signed-off-by: Jason Hall <jason@chainguard.dev>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There are three interesting use cases enabled by this change:
./packageswarnings with our private images.Currently for our private images, we pull private packages via GCS fuse mounted to
./packages/. This results in warnings fromapkwhen the indices are updated today because this path does not exist.By making
./packagesa build-time only thing, this goes away.Currently it is impossible to use
https://user:pass@repostyle repositories without the credential leaking into the image's/etc/apk/repositories.With this change, credentialed URLs may be passed to
--build-repository-appendand the credentials will only be used for the initial image construction and not be present in the final image.HTTP_AUTHwithout breakingapk updateWe uncovered an unfortunate side-effect of switching from
./packagestoapk.cgr.dev/chainguard-privatefor our packages:apk updatebreaks.With the former, we get a
WARNINGthat./packagesis not found (see1.above).With the latter, we get a
WARNINGthat the caller isn't authorized, but unlike./packagesit returns a non-zero exit code breakingDockerfilebuilds.Armed with this change, we can move
apk.cgr.dev/chainguard-privateinto ourbuild_repositories, specify auth at build-time viaHTTP_AUTHand avoid the private repository URL leaking into the final image causingapk updateto break.