
Kubernetes Fury Distribution Container Image Sync


This is a simple mechanism that pulls and pushes, or builds, container images based on a YAML configuration file.

The goal of this repository is twofold: to build custom images and to sync the upstream images used by all the Fury modules to our public SIGHUP registry, from a single central location.

Features:

  • Configurable via YAML files
  • Build custom images
  • Skips an image when skopeo reports that the layers in the source and destination are already the same
  • Everything is executed by the bash script single_sync_v3.sh, which by default syncs all image architectures
  • Runs vulnerability detection and patching on the synced images for the amd64 and arm64 architectures

Inside the folder modules/ there is a subfolder for each KFD module with an images.yml file.

Each images.yml file must have a root attribute named images, whose value is an array of objects:

  - name: # Simple description of the image
    source: # Source image. Where to pull the image from
    tag: # Tags to sync
      - "xxx"
    destinations:
      - # Destination registry (one entry per destination)

or (when building):

  - name: # Simple description of the image
    source: # Local name used by the newly built image
    build: # Build parameters
      context: # Path where the Dockerfile is stored (relative to the images.yml file)
      args: # Build arguments
        - name: # Build argument name
          value: # Build argument value
    tag: # New image tag
      - "xxx"
    destinations:
      - # Destination registry (one entry per destination)

Example images.yml (tags are quoted so that values such as "3" and "3.12" are read as strings, not numbers):

  images:
    - name: Alpine
      source: docker.io/library/alpine
      tag:
        - "3"
        - "3.12"
        - "3.13"
        - "3.14"
      destinations:
        - registry.sighup.io/fury/alpine

    - name: Grafana
      source: grafana
      build:
        context: custom/grafana
        args:
          - name: GF_INSTALL_PLUGINS
            value: grafana-piechart-panel
      tag:
        - "8.5.5"
      destinations:
        - registry.sighup.io/fury/grafana/grafana
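To show how the format above expands into work, here is an added example (not the project's single_sync_v3.sh) that validates an images.yml structure and turns it into the build and skopeo copy commands a sync would issue; the config is the example file above as a dict literal so it runs without PyYAML, and the same_digest hook stands in for the skopeo layer comparison.

```python
# Added example, not the project's single_sync_v3.sh: it validates the images.yml
# format and expands it into the build/copy commands a sync would run.
# Constructed input: the example images.yml above, as PyYAML would load it.
CONFIG = {"images": [
    {"name": "Alpine", "source": "docker.io/library/alpine",
     "tag": ["3", "3.12", "3.13", "3.14"],
     "destinations": ["registry.sighup.io/fury/alpine"]},
    {"name": "Grafana", "source": "grafana",
     "build": {"context": "custom/grafana",
               "args": [{"name": "GF_INSTALL_PLUGINS", "value": "grafana-piechart-panel"}]},
     "tag": ["8.5.5"],
     "destinations": ["registry.sighup.io/fury/grafana/grafana"]},
]}

def validate(config):
    """Return the problems found; an empty list means the file follows the format."""
    errors = []
    for i, img in enumerate(config.get("images") or []):
        where = f"images[{i}]"
        for key in ("name", "source", "tag", "destinations"):
            if key not in img:
                errors.append(f"{where}: missing '{key}'")
        # Unquoted tags load as numbers (3.10 becomes 3.1), so non-strings are rejected.
        for t in img.get("tag") or []:
            if not isinstance(t, str):
                errors.append(f"{where}: tag {t!r} must be a quoted string")
        if "build" in img and "context" not in img["build"]:
            errors.append(f"{where}: build entry needs a 'context'")
    return errors

def plan(config, same_digest=lambda src, dst: False):
    """Expand entries into commands; same_digest(src, dst) stands in for the
    skopeo inspect comparison that lets already-synced images be skipped."""
    cmds = []
    for img in config["images"]:
        built = "build" in img
        for tag in img["tag"]:
            local = f"{img['source']}:{tag}"
            if built:
                args = [f"--build-arg {a['name']}={a['value']}"
                        for a in img["build"].get("args", [])]
                cmds.append(" ".join(["docker build", *args, "-t", local, img["build"]["context"]]))
            # Built images are read from the local daemon (single arch); pulled
            # ones are copied registry to registry with every architecture.
            src, flags = (f"docker-daemon:{local}", "") if built else (f"docker://{local}", "--all ")
            for dst in img["destinations"]:
                ref = f"docker://{dst}:{tag}"
                if not same_digest(src, ref):
                    cmds.append(f"skopeo copy {flags}{src} {ref}")
    return cmds
```

Running validate before plan is what catches a tag written as 3.10 instead of "3.10", which would otherwise be pushed as 3.1.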

This automation runs once a day (cron schedule "0 2 * * *") and on every push to the main branch.

The vulnerability scanning and patching reports are available on the dedicated workflow run page.

On each workflow run, navigate to the Artefacts section where you can find:

  • the cve-reports-vX.Y.Z artefact (zip file), which includes the pre-patching and post-patching vulnerability reports for KFD version X.Y.Z.
  • the cve-patch-reports-by-image artefact (zip file), which includes the per-image patching report for all the images used in all the supported KFD versions.