Init

Dockerfile

@@ -0,0 +1,128 @@
+# syntax=docker/dockerfile:1.7
+
+# Build an OCI image that provides:
+#  - talosctl
+#  - talhelper
+#  - sops
+#
+# Versions are controlled by build ARGs below. Renovate is configured to bump
+# these ARGs automatically. The CI workflow builds the image and tags it with a
+# composite version tag reflecting all three component versions.
+
+# renovate: datasource=github-releases depName=siderolabs/talos versioning=semver
+ARG TALOSCTL_VERSION=1.9.2
+# renovate: datasource=github-releases depName=budimanjojo/talhelper versioning=semver
+ARG TALHELPER_VERSION=3.0.39
+# renovate: datasource=github-releases depName=getsops/sops versioning=semver
+ARG SOPS_VERSION=3.11.0
+
+# renovate: datasource=docker depName=cgr.dev/chainguard/wolfi-base
+FROM cgr.dev/chainguard/wolfi-base:latest AS downloader
+
+ARG TALOSCTL_VERSION
+ARG TALHELPER_VERSION
+ARG SOPS_VERSION
+
+RUN set -eux; \
+    apk add --no-cache curl ca-certificates-bundle
+
+# Map Docker TARGETARCH to upstream asset architecture naming where needed.
+ARG TARGETARCH
+RUN set -eux; \
+    case "${TARGETARCH}" in \
+      amd64)  TALOS_ARCH=amd64;  TALHELPER_ARCH=amd64;  SOPS_ARCH=amd64 ;; \
+      arm64)  TALOS_ARCH=arm64;  TALHELPER_ARCH=arm64;  SOPS_ARCH=arm64 ;; \
+      *) echo "Unsupported TARGETARCH=${TARGETARCH}"; exit 1 ;; \
+    esac; \
+    echo "TALOS_ARCH=${TALOS_ARCH}" > /tmp/arches.env; \
+    echo "TALHELPER_ARCH=${TALHELPER_ARCH}" >> /tmp/arches.env; \
+    echo "SOPS_ARCH=${SOPS_ARCH}" >> /tmp/arches.env
+
+SHELL ["/bin/sh", "-c"]
+
+# Download talosctl and verify checksum
+RUN . /tmp/arches.env; \
+    set -eux; \
+    TALOS_URL="https://github.com/siderolabs/talos/releases/download/v${TALOSCTL_VERSION}/talosctl-linux-${TALOS_ARCH}"; \
+    curl -fsSL -o /tmp/talosctl "${TALOS_URL}"; \
+    chmod +x /tmp/talosctl; \
+    if curl -fsSL -o /tmp/talosctl.sha256 "${TALOS_URL}.sha256"; then \
+      TALOS_SHA=$(tr -d ' \n\r' < /tmp/talosctl.sha256); \
+    else \
+      curl -fsSL -o /tmp/talos_checksums.txt "https://github.com/siderolabs/talos/releases/download/v${TALOSCTL_VERSION}/sha256sum.txt"; \
+      TALOS_SHA=$(grep "$(basename ${TALOS_URL})" /tmp/talos_checksums.txt | awk '{print $1}' | tr -d ' \n\r'); \
+    fi; \
+    echo "${TALOS_SHA}  /tmp/talosctl" | sha256sum -c -; \
+    echo "${TALOS_URL}" > /tmp/talosctl.src; \
+    echo "${TALOS_SHA}" > /tmp/talosctl.sha
+
+# Download talhelper (tar.gz containing the binary) and verify checksum
+RUN . /tmp/arches.env; \
+    set -eux; \
+    TALHELPER_TGZ_URL="https://github.com/budimanjojo/talhelper/releases/download/v${TALHELPER_VERSION}/talhelper_linux_${TALHELPER_ARCH}.tar.gz"; \
+    curl -fsSL -o /tmp/talhelper.tgz "${TALHELPER_TGZ_URL}"; \
+    if curl -fsSL -o /tmp/talhelper.tgz.sha256 "${TALHELPER_TGZ_URL}.sha256"; then \
+      TALHELPER_TGZ_SHA=$(tr -d ' \n\r' < /tmp/talhelper.tgz.sha256); \
+    else \
+      curl -fsSL -o /tmp/talhelper_checksums.txt "https://github.com/budimanjojo/talhelper/releases/download/v${TALHELPER_VERSION}/checksums.txt"; \
+      TALHELPER_TGZ_SHA=$(grep "$(basename ${TALHELPER_TGZ_URL})" /tmp/talhelper_checksums.txt | awk '{print $1}' | tr -d ' \n\r'); \
+    fi; \
+    echo "${TALHELPER_TGZ_SHA}  /tmp/talhelper.tgz" | sha256sum -c -; \
+    mkdir -p /tmp/talhelper && tar -xzf /tmp/talhelper.tgz -C /tmp/talhelper; \
+    mv /tmp/talhelper/talhelper /tmp/talhelper.bin; \
+    chmod +x /tmp/talhelper.bin; \
+    echo "${TALHELPER_TGZ_URL}" > /tmp/talhelper.src; \
+    echo "${TALHELPER_TGZ_SHA}" > /tmp/talhelper.sha
+
+# Download sops and verify checksum
+RUN . /tmp/arches.env; \
+    set -eux; \
+    SOPS_URL="https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.${SOPS_ARCH}"; \
+    curl -fsSL -o /tmp/sops "${SOPS_URL}"; \
+    chmod +x /tmp/sops; \
+    if curl -fsSL -o /tmp/sops.sha256 "${SOPS_URL}.sha256"; then \
+      SOPS_SHA=$(tr -d ' \n\r' < /tmp/sops.sha256); \
+    else \
+      curl -fsSL -o /tmp/sops_checksums.txt "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.checksums.txt"; \
+      SOPS_SHA=$(grep "$(basename ${SOPS_URL})" /tmp/sops_checksums.txt | awk '{print $1}' | tr -d ' \n\r'); \
+    fi; \
+    echo "${SOPS_SHA}  /tmp/sops" | sha256sum -c -; \
+    echo "${SOPS_URL}" > /tmp/sops.src; \
+    echo "${SOPS_SHA}" > /tmp/sops.sha
+
+
+# renovate: datasource=docker depName=cgr.dev/chainguard/wolfi-base
+FROM cgr.dev/chainguard/wolfi-base:latest
+
+ARG TALOSCTL_VERSION
+ARG TALHELPER_VERSION
+ARG SOPS_VERSION
+
+LABEL org.opencontainers.image.title="talosctl + talhelper + sops"
+LABEL org.opencontainers.image.description="Utility image containing talosctl, talhelper, and sops"
+LABEL org.opencontainers.image.source="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY"
+LABEL org.opencontainers.image.licenses="MIT"
+LABEL org.opencontainers.image.version.talosctl="${TALOSCTL_VERSION}"
+LABEL org.opencontainers.image.version.talhelper="${TALHELPER_VERSION}"
+LABEL org.opencontainers.image.version.sops="${SOPS_VERSION}"
+LABEL org.opencontainers.image.url.talosctl="https://github.com/siderolabs/talos"
+LABEL org.opencontainers.image.url.talhelper="https://github.com/budimanjojo/talhelper"
+LABEL org.opencontainers.image.url.sops="https://github.com/getsops/sops"
+
+RUN set -eux; \
+    apk add --no-cache ca-certificates-bundle bash git openssh-client; \
+    mkdir -p /usr/local/share/checksums
+
+COPY --from=downloader /tmp/talosctl /usr/local/bin/talosctl
+COPY --from=downloader /tmp/talhelper.bin /usr/local/bin/talhelper
+COPY --from=downloader /tmp/sops /usr/local/bin/sops
+COPY --from=downloader /tmp/*.sha /usr/local/share/checksums/
+COPY --from=downloader /tmp/*.src /usr/local/share/checksums/
+
+RUN set -eux; \
+    chmod +x /usr/local/bin/talosctl /usr/local/bin/talhelper /usr/local/bin/sops
+
+ENV PAGER=cat
+
+# Print versions by default so users can see what's inside quickly.
+CMD talosctl version --client && talhelper --version && sops --version