Reduce the number of images we maintain here

Open vdemeester opened this issue 1 year ago • 2 comments

I wonder if we could reduce the number of images we maintain here to the minimum and rely more on upstream images instead. A few examples:

  • [x] skopeo has upstream images, and I am not even sure where it is used in our infrastructure
  • [ ] tkn could be managed directly on tektoncd/cli, published at release time (and thus, having a tagged version aligned with the release)
  • [ ] hub is very similar to this
  • [ ] ko has an upstream image we could use as well I think (same, it would be tagged per version I think, cc @imjasonh)
    • ko-gcloud is a bit trickier
  • [ ] kubectl I am not sure, but it feels like there might be some official or semi-official / maintained image already
  • [x] openssh-server is.. a wonder to me, not sure where / how we use that one even

I don't think it has a huge impact on cost (registry side), but, less things to maintain is less work 🙃 .

test-runner is not really concerned as it is the image used by prow, so it has everything in it. If we manage to get out of prow in the future, this image would become deprecated.

cc @wlynch @afrittoli @tektoncd/plumbing-maintainers

(Sidenote: we could also migrate the ones we can to apko maybe?)

vdemeester, Feb 21 '24 12:02

If the cli and hub teams are interested in maintaining their own images, that'd be great. Fine to use upstream images where available, they weren't at the time but things have improved :)

afrittoli, Feb 21 '24 12:02

💯

I ran a grype scan on images we reference in plumbing a few weeks ago and the results were not great 😅 https://gist.github.com/wlynch/117da1f0e102e699ac13bc33d9f5cf40

For simple images upstream SGTM, and https://images.chainguard.dev/ also exists with a bunch of available images that we can use - most latest versions are free, with latest-dev including shells + common tools for scripting (if there's anything missing we want lmk).

If there's interest, I can revive https://github.com/tektoncd/plumbing/pull/1735 to build images with apko that would allow us to mix-and-match apk packages as we want - Wolfi packages are maintained by Chainguard, but we can also source from Alpine repositories directly if we need to.

wlynch, Feb 21 '24 14:02