How to take a rules_oci base image and add an apko package?

[njlr]

I am trying to achieve the following in Bazel, in order to migrate away from rules_docker:

• Base image pulled using rules_oci
• An Alpine package installed using apko (git)
• Final application image containing the Alpine package, plus my code, based on the image from rules_oci

So far I have been unable to figure out how to combine these things.

Is there an example?

My attempt:

oci.pull(
  name = "dotnet_runtime_deps_alpine_3_16",
  image = "mcr.microsoft.com/dotnet/runtime-deps",
  digest = "sha256:3a4197e1da3bb5e5a97bdfa062ae0e4a55150cfe023d101a2e8cf107a6ac2be3",
  platforms = [ "linux/amd64" ],
)

load("@rules_apko//apko:defs.bzl", "apko_image")
load("@rules_dotnet//dotnet:defs.bzl", "fsharp_binary", "publish_binary")
load("@rules_oci//oci:defs.bzl", "oci_image", "oci_tarball")
load("@rules_pkg//:pkg.bzl", "pkg_tar")

fsharp_binary(
  name = "app",
  srcs = [
    "Program.fs",
  ],
  target_frameworks = [
    "net6.0",
  ],
  deps = [
    "@paket.main//fsharp.core",
  ],
  visibility = [
    "//visibility:public",
  ],
)

publish_binary(
  name = "app_alpine_x64",
  binary = ":app",
  target_framework = "net6.0",
  self_contained = True,
  runtime_identifier = "alpine-x64",
)

pkg_tar(
  name = "app_alpine_x64_archive",
  srcs = [
    ":app_alpine_x64",
  ],
  strip_prefix = "app_alpine_x64/publish/linux-musl-x64",
  include_runfiles = True,
)

apko_image(
  name = "git",
  architecture = select({
    "@platforms//cpu:arm64": "arm64",
    "@platforms//cpu:x86_64": "amd64",
  }),
  config = "git.yaml",
  contents = "@git_lock//:contents",
  tag = "git:latest",
)

oci_tarball(
  name = "git_tarball",
  image = ":git",
  repo_tags = ["test:test"],
)

oci_image(
  name = "image_alpine",
  base = "@dotnet_runtime_deps_alpine_3_16",
  tars = [
    ":git_tarball",
    ":app_alpine_x64_archive",
  ],
  entrypoint = [ "/app" ],
  tags = [ "manual" ],
)

oci_tarball(
  name = "image_alpine_tarball",
  image = ":image_alpine",
  repo_tags = [ "image_alpine:latest" ],
)

This does not put git (plus dependencies) into the image.

Related:

• https://github.com/bazel-contrib/rules_oci/issues/35
• https://github.com/bazel-contrib/rules_oci/issues/309
• https://github.com/bazel-contrib/rules_oci/issues/375

[sfc-gh-mhazy]

You might be interested in https://github.com/chainguard-dev/rules_apko/pull/64 and the linked issue in apko. This is still in progress but there will be support for exactly your usecase.