Move to KO + Chainguard for building KLT components

[thisthat]

Goal

Move to using cgr.dev/chainguard/static as base images for Keptn.

Details

In https://github.com/keptn/lifecycle-toolkit/issues/1094, we analyzed different possibilities to reduce the image size and improve the security of the container images. We agreed to move to chainguard static images for our base images used in the Dockerfiles. ~~Furthermore, the whole build should be moved to ko to simplify SBOM and multi-platform generation. Dockerfiles will be preserved to give users still a well-established way of building containers.~~

DoD

• [ ] Dockerfiles should use chainguard images - [ ] CI pipeline should use ko for building containers

[thisthat]

FYI @vedsmand - please let me know if everything is clear :)

[vedsmand]

thank you @thisthat :) I would like to work on this

can you elaborate on why you would like to keep a Dockerfile in parallel with ko ? 🤔 would it be a valid usecase that users would build their own version via the Dockerfile ?

downside of keeping it (as I see it) is that we now need to maintain 2 different CI approaches going forward, which might create an unwanted overhead for the project.

[mowies]

I agree with @vedsmand . If we move to ko we don't need the Dockerfiles anymore

[thisthat]

I planned to keep Dockerfiles to give devs time to adapt to the ko workflow - but I also see your point @mowies @vedsmand and I am happy to only use ko

[mowies]

We can always dig the files back up from the git history if we really need to

[mowies]

I want to re-discuss this in the next community meeting. Maybe it's good enough to leave the images as they are right now...

[thisthat]

We rescoped the ticket to only change the base image used in the production step in our Dockerfiles. A poc for KO would be nice to have to see the real benefits of the tool in our CI pipeline

[mowies]

@vedsmand do you still wanna work on this? (see the above reduction in scope)

[vedsmand]

@mowies sry for slow activity on my part on this I have currently very limited time to contribute, so feel free to reassign it :)

[mowies]

Ok then I will un-assign you for now

[Bharadwajshivam28]

Hey @mowies I want to work on this. Could you please assign this to me?

also please share some steps/resources to get started on this issue

[mowies]

It would be great if you could finish your other ticket first :) But then I'll gladly assign this to you

[Bharadwajshivam28]

It would be great if you could finish your other ticket first :) But then I'll gladly assign this to you

Okay thanks

[mowies]

Chainguard only supports latest container image tags in the free version. That is unfortunately not an option for us in this project, so I think we should close this issue. @Bharadwajshivam28 sorry that you already invested time into this and we only found out now..

[Bharadwajshivam28]

Chainguard only supports latest container image tags in the free version. That is unfortunately not an option for us in this project, so I think we should close this issue. @Bharadwajshivam28 sorry that you already invested time into this and we only found out now..

No worries..

Thanks @mowies