automated commit

Signed-off-by: Public copy <41898282+github-actions[bot]@users.noreply.github.com>

images/aspnet-runtime/config/main.tf

@@ -1,3 +1,23 @@
+terraform {
+  required_providers {
+    apko = { source = "chainguard-dev/apko" }
+  }
+}
+
+data "apko_config" "package-info" {
+  config_contents = jsonencode({
+    contents = {
+      packages = var.extra_packages
+    }
+  })
+}
+
+locals {
+  package_conf                  = [for p in data.apko_config.package-info.config.contents.packages : p if startswith(p, "aspnet")][0]
+  full_package_version          = split("=", local.package_conf)[1]
+  package_version_without_epoch = split("-", local.full_package_version)[0] // This extracts the version without the epoch
+}
+
 variable "extra_packages" {
   description = "Additional packages to install."
   type        = list(string)
@@ -16,5 +36,13 @@ output "config" {
       command = "/usr/bin/dotnet"
     }
     cmd = "--help"
+    # copied from crane config mcr.microsoft.com/dotnet/aspnet:9.0 |jq .config
+    environment = {
+      APP_UID                     = module.accts.uid,
+      ASPNETCORE_HTTP_PORTS       = 8080,
+      DOTNET_RUNNING_IN_CONTAINER = true,
+      DOTNET_VERSION              = local.package_version_without_epoch,
+      ASPNET_VERSION              = local.package_version_without_epoch,
+    }
   })
 }

images/dotnet/configs/runtime/main.tf

@@ -1,28 +1,49 @@
-module "accts" {
-  source = "../../../../tflib/accts"
-}
-
 terraform {
   required_providers {
     apko = { source = "chainguard-dev/apko" }
   }
 }
 
+data "apko_config" "package-info" {
+  config_contents = jsonencode({
+    contents = {
+      packages = var.extra_packages
+    }
+  })
+}
+
+locals {
+  package_conf                  = [for p in data.apko_config.package-info.config.contents.packages : p if startswith(p, "dotnet")][0]
+  full_package_version          = split("=", local.package_conf)[1]
+  package_version_without_epoch = split("-", local.full_package_version)[0] // This extracts the version without the epoch
+}
+
+module "accts" {
+  source = "../../../../tflib/accts"
+}
+
 variable "extra_packages" {
   default     = ["dotnet-runtime"]
   description = "The additional packages to install (e.g. dotnet-runtime)."
 }
 
 output "config" {
   value = jsonencode({
-    "contents" : {
-      "packages" : var.extra_packages
+    contents = {
+      packages = var.extra_packages
     },
-    "entrypoint" : {
-      "command" : "/usr/bin/dotnet"
+    entrypoint = {
+      command = "/usr/bin/dotnet"
     },
-    "cmd" : "--help",
-    "accounts" : module.accts.block
+    cmd      = "--help",
+    accounts = module.accts.block
+    # copied from crane config mcr.microsoft.com/dotnet/runtime:9.0 |jq .config
+    environment = {
+      APP_UID                     = module.accts.uid
+      ASPNETCORE_HTTP_PORTS       = 8080
+      DOTNET_RUNNING_IN_CONTAINER = true,
+      DOTNET_VERSION              = local.package_version_without_epoch,
+    }
   })
 }
 

images/dotnet/configs/sdk/main.tf

@@ -1,32 +1,53 @@
+terraform {
+  required_providers {
+    apko = { source = "chainguard-dev/apko" }
+  }
+}
+
+data "apko_config" "package-info" {
+  config_contents = jsonencode({
+    contents = {
+      packages = var.extra_packages
+    }
+  })
+}
+
 locals {
-  baseline_packages = ["busybox"]
+  package_conf                  = [for p in data.apko_config.package-info.config.contents.packages : p if startswith(p, "dotnet")][0]
+  full_package_version          = split("=", local.package_conf)[1]
+  package_version_without_epoch = split("-", local.full_package_version)[0] // This extracts the version without the epoch
 }
 
 module "accts" {
   source = "../../../../tflib/accts"
 }
 
-terraform {
-  required_providers {
-    apko = { source = "chainguard-dev/apko" }
-  }
-}
-
 variable "extra_packages" {
   default     = ["dotnet-sdk"]
   description = "The additional packages to install (e.g. dotnet-sdk)."
 }
 
 output "config" {
   value = jsonencode({
-    "contents" : {
-      // TODO: remove the need for using hardcoded local.baseline_packages by plumbing
-      // these packages through var.extra_packages in all callers of this config module
-      "packages" : distinct(concat(local.baseline_packages, var.extra_packages))
+    contents = {
+      packages = var.extra_packages
     },
-    "entrypoint" : {},
-    "cmd" : "/bin/sh -l",
-    "accounts" : module.accts.block
+    entrypoint = {},
+    cmd        = "/bin/sh -l",
+    accounts   = module.accts.block
+    environment = {
+      # copied from crane config mcr.microsoft.com/dotnet/sdk:9.0 |jq .config
+      APP_UID                            = module.accts.uid
+      ASPNETCORE_HTTP_PORTS              = 8080
+      DOTNET_RUNNING_IN_CONTAINER        = true,
+      DOTNET_VERSION                     = local.package_version_without_epoch,
+      ASPNET_VERSION                     = local.package_version_without_epoch
+      DOTNET_GENERATE_ASPNET_CERTIFICATE = false,
+      DOTNET_NOLOGO                      = true,
+      DOTNET_SDK_VERSION                 = local.package_version_without_epoch,
+      DOTNET_USE_POLLING_FILE_WATCHER    = true,
+      NUGET_XMLDOC_MODE                  = "skip",
+    }
   })
 }
 

images/kubectl/README.md

@@ -32,6 +32,169 @@ Be sure to replace the `ORGANIZATION` placeholder with the name used for your or
 <!--getting:end-->
 
 <!--body:start-->
+## Compatibility Notes
+
+The `kubectl` Chainguard Image provides a low-to-zero CVE environment for [`kubectl`](https://kubernetes.io/docs/reference/kubectl/) suitable for integrating into Kubernetes CI or testing workflows.
+
+## Configuration
+
+To load your own global configuration file, you can set the `KUBECONFIG` environment variable and mount a configuration file on your host machine to the specified location on the container using a volume.
+
+The command below sets the `KUBECONFIG` environment variable to `.kube/config` within the `nonroot` home folder, initializes a volume at that location, and runs the container with a command that prints the current configuration. Make sure to replace $ORGANIZATION with the name of your organization.
+
+```sh
+docker run \
+ -e KUBECONFIG=/home/nonroot/.kube/config \
+ -v $PWD/config:/home/nonroot/.kube/config \
+ cgr.dev/$ORGANIZATION/kubectl:latest-dev config view
+```
+
+If you would prefer to test this command without using your own configuration file, you can create a default `config` file in your current working directory as below:
+
+```sh
+cat << 'EOF' > config
+apiVersion: v1
+clusters: null
+contexts: null
+current-context: ""
+kind: Config
+preferences: {output=json}
+users: null
+EOF
+```
+
+## Getting Started
+
+### Adding to a Kubernetes Cluster
+
+In this example, we'll add the Kubectl Chainguard Image to a Kubernetes cluster. To follow this example, you'll need to install the following software to your host machine:
+
+
+- [`kind`](https://kind.sigs.k8s.io/docs/user/quick-start#installation). 
+- [`chainctl`](https://edu.chainguard.dev/chainguard/administration/how-to-install-chainctl)
+- [`kubectl`]( https://kubernetes.io/docs/tasks/tools/)
+
+Once the `kind` utility for creating local Kubernetes clusters is installed and on your path, create a new cluster with the following command:
+
+```sh
+kind create cluster
+```
+
+This will create a cluster with the default name `kind`.
+
+Next, we'll need to download a pull token using Chainguard's [`chainctl`](https://edu.chainguard.dev/chainguard/administration/how-to-install-chainctl) utility. This will allow us to access your organization's Chainguard Images in environments that do not support OIDC, such as a Kubernetes cluster.
+
+Run the following to generate a pull token:
+
+```
+chainctl auth configure-docker --pull-token --save
+```
+
+You will need to select your organization name from the menu and confirm the creation of the pull token. This will save your pull token to your Docker configuration, typically at `~/.docker/config.json`.
+
+Now use [kubectl](https://kubernetes.io/docs/tasks/tools/) on your host machine to load the pull token as a secret. The following assumes your current working directory is your home directory, and depending on your system and configuration you may need to update the path to the `config.json`.
+
+
+```
+kubectl create secret generic cgsecret \
+ --from-file=.dockerconfigjson=./.docker/config.json \
+ --type=kubernetes.io/dockerconfigjson
+```
+
+Next, we'll run a shell command to create a configuration for the pod for our `kubectl ` Chainguard Image container. First, set your organization name as an environment variable:
+
+```sh
+ORGANIZATION=my-organization
+```
+
+Then run the following command to create the pod configuration file:
+
+
+```sh
+cat << EOF > kubectl.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: kube-pod
+spec:
+  containers:
+  - name: kubectl-container
+    image: cgr.dev/$ORGANIZATION/kubectl
+    command: ["/usr/bin/kubectl", "version"]
+  imagePullSecrets:
+  - name: cgsecret
+EOF
+```
+
+The above provides configuration for a pod that will pull the `kubectl` Chainguard Image from your organization, then run a container with a command that outputs the current `kubectl` version.
+
+Run the following to create the pod using the configuration file:
+
+```sh
+kubectl create -f kubectl.yaml
+```
+
+The pod should now be created. Run the following command to see information on the pod and associated container:
+
+```sh
+kubectl describe pod kube-pod
+```
+
+```
+Name:             kube-pod
+Namespace:        default
+Priority:         0
+Service Account:  default
+Node:             kind-control-plane/172.19.0.2
+Start Time:       Tue, 26 Nov 2024 16:30:24 -0500
+Labels:           <none>
+Annotations:      <none>
+Status:           Running
+IP:               10.244.0.4
+IPs:
+  IP:  10.244.0.4
+Containers:
+  kubectl-container:
+    Container ID:  containerd://e9bc0e28ae161ff9ce84842f560478728c5986ff2dc2a41f02e90b49a3919211
+    Image:         cgr.dev/$ORGANIZATION/kubectl
+    Image ID:      cgr.dev/$ORGANIZATION/kubectl@sha256:034d5e90723d49a31e6e98ad9ad787946143e9ea7a3728bfb38645d99305dc52
+    Port:          <none>
+    Host Port:     <none>
+    Command:
+      /usr/bin/kubectl
+      version
+    State:          Waiting
+      Reason:       CrashLoopBackOff
+    Last State:     Terminated
+      Reason:       Completed
+      Exit Code:    0
+...
+```
+
+In the configuration file, we provided the `/usr/bin/kubectl version` command. The above output shows this command completed. We can view the output of the command:
+
+```sh
+kubectl logs kube-pod
+```
+
+```
+Client Version: v1.31.3
+Kustomize Version: v5.4.2
+Server Version: v1.30.0
+```
+
+The `kubectl` Chainguard Image has now been loaded into the cluster and used to run a command. To access cluster information from the container, you will need to [configure a security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the pod or container.
+
+Once you're finished testing, you can shut down and delete the example `kind` cluster with the following command:
+
+```sh
+kind delete cluster
+```
+
+## Documentation and Resources
+
+- [Chainguard Academy: Authenticating to Chainguard Registry with a Pull Token](https://edu.chainguard.dev/chainguard/chainguard-registry/authenticating/#authenticating-with-the-chainctl-credential-helper)
+- [Kubernetes Reference: Kubectl Documentation](https://kubernetes.io/docs/reference/kubectl/)
 <!--body:end-->
 
 ## Contact Support
@@ -62,4 +225,4 @@ That being said, it’s worth noting that `-dev` variants of Chainguard Images a
 
 ## Learn More
 
-To better understand how to work with Chainguard Images, we encourage you to visit [Chainguard Academy](https://edu.chainguard.dev/), our documentation and education platform.
+To better understand how to work with Chainguard Images, we encourage you to visit [Chainguard Academy](https://edu.chainguard.dev/), our documentation and education platform.

images/kubectl/config/main.tf

@@ -8,7 +8,7 @@ variable "entrypoint" {
 }
 
 variable "command" {
-  default     = "/usr/bin/kubectl"
+  default     = "--help"
   description = "Image command"
 }