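# syntax=docker/dockerfile:1.20@sha256:26147acbda4f14c5add9946e2fd2ed543fc402884fd75146bd342a7f6271dc1d
# Build an OCI image that provides:
# - talosctl
# - talhelper
# - sops
#
# Versions are controlled by build ARGs below. Renovate is configured to bump
# these ARGs automatically. The CI workflow builds the image and tags it with a
# composite version tag reflecting all three component versions.
#
# Every binary is downloaded in a throwaway `downloader` stage and verified
# against the upstream SHA-256 before it is copied into the final image; the
# source URL and digest of each artifact are kept under
# /usr/local/share/checksums/ for provenance.

# renovate: datasource=github-releases depName=siderolabs/talos versioning=semver
ARG TALOSCTL_VERSION=1.9.2
# renovate: datasource=github-releases depName=budimanjojo/talhelper versioning=semver
ARG TALHELPER_VERSION=3.0.39
# renovate: datasource=github-releases depName=getsops/sops versioning=semver
ARG SOPS_VERSION=3.11.0

# ---------------------------------------------------------------------------
# Stage 1: download and verify release artifacts
# ---------------------------------------------------------------------------
# renovate: datasource=docker depName=cgr.dev/chainguard/wolfi-base
FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0d8efc73b806c780206b69d62e1b8cb10e9e2eefa0e4452db81b9fa00b1a5175 AS downloader

ARG TALOSCTL_VERSION
ARG TALHELPER_VERSION
ARG SOPS_VERSION

# NOTE: apk packages are unpinned (hadolint DL3018); the base image digest above
# is the reproducibility anchor for this stage.
RUN set -eux; \
    apk add --no-cache ca-certificates-bundle curl

# Map Docker TARGETARCH to upstream asset architecture naming where needed.
# All three projects currently use the Docker names, but the indirection keeps
# a single place to adjust if an upstream renames its assets.
ARG TARGETARCH
RUN set -eux; \
    case "${TARGETARCH}" in \
      amd64) TALOS_ARCH=amd64; TALHELPER_ARCH=amd64; SOPS_ARCH=amd64 ;; \
      arm64) TALOS_ARCH=arm64; TALHELPER_ARCH=arm64; SOPS_ARCH=arm64 ;; \
      *) echo "Unsupported TARGETARCH=${TARGETARCH}" >&2; exit 1 ;; \
    esac; \
    echo "TALOS_ARCH=${TALOS_ARCH}" > /tmp/arches.env; \
    echo "TALHELPER_ARCH=${TALHELPER_ARCH}" >> /tmp/arches.env; \
    echo "SOPS_ARCH=${SOPS_ARCH}" >> /tmp/arches.env

# Shared download-and-verify helper used by the three RUNs below.
#
#   fetch-verified <asset-url> <dest> <checksums-url> <name>
#
# Downloads <asset-url> to <dest> and obtains its SHA-256 from
# "<asset-url>.sha256" if upstream publishes per-asset digests, otherwise from
# the release-wide <checksums-url> (matched on the exact asset file name, so a
# sibling asset with a longer name cannot be picked up). Fails the build if no
# digest is found or the digest does not match. Records the source URL and the
# digest in /tmp/<name>.src and /tmp/<name>.sha.
# The quoted heredoc delimiter keeps BuildKit from expanding "$1" etc.
COPY --chmod=0755 <<'EOF' /usr/local/bin/fetch-verified
#!/bin/sh
set -eu
set -o pipefail
url=$1; dest=$2; sums_url=$3; name=$4
asset=$(basename "$url")
curl -fsSL -o "$dest" "$url"
if curl -fsSL -o "$dest.sha256" "$url.sha256"; then
  # Per-asset file may be "<hash>" or "<hash>  <file>"; take the first field.
  sha=$(awk '{ print $1; exit }' "$dest.sha256")
else
  curl -fsSL -o "$dest.sums" "$sums_url"
  # sha256sum-style lines are "<hash>  <file>" or "<hash> *<file>".
  sha=$(awk -v n="$asset" '$2 == n || $2 == "*" n { print $1; exit }' "$dest.sums")
fi
if [ -z "$sha" ]; then
  echo "fetch-verified: no SHA-256 found for ${asset}" >&2
  exit 1
fi
echo "${sha}  ${dest}" | sha256sum -c -
echo "$url" > "/tmp/${name}.src"
echo "$sha" > "/tmp/${name}.sha"
EOF

# Download talosctl and verify checksum
RUN set -eux; \
    . /tmp/arches.env; \
    TALOS_BASE="https://github.com/siderolabs/talos/releases/download/v${TALOSCTL_VERSION}"; \
    fetch-verified "${TALOS_BASE}/talosctl-linux-${TALOS_ARCH}" /tmp/talosctl "${TALOS_BASE}/sha256sum.txt" talosctl; \
    chmod +x /tmp/talosctl

# Download talhelper (tar.gz containing the binary) and verify checksum
RUN set -eux; \
    . /tmp/arches.env; \
    TALHELPER_BASE="https://github.com/budimanjojo/talhelper/releases/download/v${TALHELPER_VERSION}"; \
    fetch-verified "${TALHELPER_BASE}/talhelper_linux_${TALHELPER_ARCH}.tar.gz" /tmp/talhelper.tgz "${TALHELPER_BASE}/checksums.txt" talhelper; \
    mkdir -p /tmp/talhelper; \
    tar -xzf /tmp/talhelper.tgz -C /tmp/talhelper; \
    mv /tmp/talhelper/talhelper /tmp/talhelper.bin; \
    chmod +x /tmp/talhelper.bin

# Download sops and verify checksum
RUN set -eux; \
    . /tmp/arches.env; \
    SOPS_BASE="https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}"; \
    fetch-verified "${SOPS_BASE}/sops-v${SOPS_VERSION}.linux.${SOPS_ARCH}" /tmp/sops "${SOPS_BASE}/sops-v${SOPS_VERSION}.checksums.txt" sops; \
    chmod +x /tmp/sops

# ---------------------------------------------------------------------------
# Stage 2: runtime image
# ---------------------------------------------------------------------------
# renovate: datasource=docker depName=cgr.dev/chainguard/wolfi-base
FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0d8efc73b806c780206b69d62e1b8cb10e9e2eefa0e4452db81b9fa00b1a5175

# Runtime tooling commonly needed alongside talosctl/talhelper/sops in CI
# (git/ssh for repo access, node/npm and yq for pipeline glue).
# NOTE: apk packages are unpinned (hadolint DL3018); see stage 1.
RUN set -eux; \
    apk add --no-cache \
      bash \
      ca-certificates-bundle \
      curl \
      git \
      nodejs \
      npm \
      openssh-client \
      yq

# Binaries were already made executable in the downloader stage; --chmod makes
# the mode explicit without a second RUN layer that would duplicate the files.
COPY --from=downloader --chmod=0755 /tmp/talosctl /usr/local/bin/talosctl
COPY --from=downloader --chmod=0755 /tmp/talhelper.bin /usr/local/bin/talhelper
COPY --from=downloader --chmod=0755 /tmp/sops /usr/local/bin/sops
# Provenance: upstream URL and verified SHA-256 of each shipped binary.
COPY --from=downloader /tmp/*.sha /tmp/*.src /usr/local/share/checksums/

# Build ARGs that change per build go last so they do not invalidate the
# package and binary layers above. GITHUB_SERVER_URL / GITHUB_REPOSITORY are
# not set by the Dockerfile itself: CI must pass them with --build-arg for the
# source label to be populated (they used to expand to an empty string).
ARG TALOSCTL_VERSION
ARG TALHELPER_VERSION
ARG SOPS_VERSION
ARG GITHUB_SERVER_URL=https://github.com
ARG GITHUB_REPOSITORY

LABEL org.opencontainers.image.title="talosctl + talhelper + sops" \
      org.opencontainers.image.description="Utility image containing talosctl, talhelper, and sops" \
      org.opencontainers.image.source="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}" \
      org.opencontainers.image.licenses="MIT" \
      org.opencontainers.image.version.talosctl="${TALOSCTL_VERSION}" \
      org.opencontainers.image.version.talhelper="${TALHELPER_VERSION}" \
      org.opencontainers.image.version.sops="${SOPS_VERSION}" \
      org.opencontainers.image.url.talosctl="https://github.com/siderolabs/talos" \
      org.opencontainers.image.url.talhelper="https://github.com/budimanjojo/talhelper" \
      org.opencontainers.image.url.sops="https://github.com/getsops/sops"

ENV PAGER=cat

# NOTE(review): the image runs as root (no USER directive). That matches how
# CI runners typically consume a utility image, but operators running it in a
# cluster with runAsNonRoot should add a USER or override it at run time.

# Print versions by default so users can see what's inside quickly.
# Exec form with an explicit shell: the commands need "&&", and this is a
# one-shot CLI image so PID-1 signal handling is not a concern.
CMD ["/bin/sh", "-c", "talosctl version --client && talhelper --version && sops --version"]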