Tier changes, part 2/3 (#1779)
## Type of change
<!-- Please be sure to add the appropriate label to your PR. -->
This PR implements a number of changes outlined in my Tier audit:
https://docs.google.com/document/d/1Go2vRf40PlVWka41dG_jmNZY_xkhhBbclf28duWwZ1E/edit?usp=sharing

Specifically, this PR updates any resources that use an affected image
in an example to use one that will remain available after the change.
It also fixes the vulnerability comparisons template to point readers
to the image's readme in the Image's Directory.

Part 1/3 is Erika's initial work to improve/clarify language around our
pricing tiers
Part 3/3 will be implementing a short code note and adding it to
resources that will not be updated and instead continue to use images.

### What should this PR do?
<!-- Does this PR resolve an issue? Please include a reference to it.
-->
Resolves chainguard-dev/internal#4126

### Why are we making this change?
<!-- What larger problem does this PR address? -->
Clarity around products and pricing

### What are the acceptance criteria? 
<!-- What should be happening for this PR to be accepted? Please list
criteria. -->
<!-- Do any stakeholders need to be tagged in this review? If so, please
add them. -->
Changes should make sense. They're generally very small / trivial to the
bulk of the respective guide.

### How should this PR be tested?
<!-- What should your reviewer do to test this PR? Please list steps.
-->
Give changes a close look please!

---------

Signed-off-by: Mark Drake <[email protected]>
SharpRake authored Aug 21, 2024
1 parent 7eb6715 commit c662972
Showing 12 changed files with 58 additions and 59 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ type: "article"
date: 2023-04-17T08:48:45+00:00
lastmod: 2024-08-15T15:22:20+01:00
draft: false
tags: ["Chainguard Images", "Overview"]
tags: ["CHAINGUARD IMAGES", "OVERVIEW"]
images: []
weight: 005
---
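Review bot: The `tags:` line is rewritten to upper case (`["CHAINGUARD IMAGES", "OVERVIEW"]`), but the commit message only describes swapping example images and fixing the vulnerability comparisons template, so this front-matter change is undocumented. Mention the tag normalization in the description or split it into its own commit. Note also that `lastmod` stays at 2024-08-15 in this file while several other files in this commit bump theirs to 2024-08-19, so pick one rule for metadata-only edits.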
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,9 @@ type: "article"
description: "A primer on how to migrate to Chainguard Images"
lead: "A primer on how to migrate to Chainguard Images"
date: 2022-09-01T08:49:31+00:00
lastmod: 2024-03-29T19:42:31+00:00
lastmod: 2024-08-19T15:56:52-07:00
draft: false
tags: ["Chainguard Images", "Procedural", "Product"]
tags: ["CHAINGUARD IMAGES", "PROCEDURAL", "PRODUCT"]
images: []
menu:
docs:
Expand Down Expand Up @@ -41,10 +41,10 @@ Chainguard Developer Images are also available on Docker Hub. Check out [Chaingu

### Pulling by Tag

You can also add a relevant tag that you have access to. In the case of the Git image, you can pull the `:latest-glibc` tag for the Git image. [Note that not all tags are available for public images](/chainguard/chainguard-images/faq/#do-i-need-to-authenticate-into-chainguard-to-use-chainguard-images).
You can also add a relevant tag that you have access to. In the case of the public Git image, you can always pull the `:latest` tag. [Note that not all tags are available for public images](/chainguard/chainguard-images/faq/#do-i-need-to-authenticate-into-chainguard-to-use-chainguard-images).

```sh
docker pull cgr.dev/chainguard/git:latest-glibc
docker pull cgr.dev/chainguard/git:latest
```

You may use tags to pull a specific version of a software like Git, or programming language version in a catalog you have access to. The Chainguard Images Directory has tag history pages for each image, for example, the [Git Image Tags History](https://images.chainguard.dev/directory/image/git/versions), [PHP Image Tags History](https://images.chainguard.dev/directory/image/php/versions), and [JDK Image Tags History](https://images.chainguard.dev/directory/image/jdk/versions).
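Review bot: The rewritten sentence under "Pulling by Tag" says readers can "always pull the `:latest` tag" of the public Git image but leaves out `latest-dev`, which the prerequisites paragraph added to the Security Advisories guide in this same commit names as the other tag public Developer Images are limited to. Listing both tags here keeps the two guides consistent and makes it clear that the following paragraph about pulling specific versions applies only to catalogs the reader has access to.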
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ description: "A walkthrough of the Chainguard Images directory."
date: 2024-02-23T11:07:52+02:00
lastmod: 2024-08-05T11:07:52+02:00
draft: false
tags: ["Conceptual", "Chainguard Images", "Product"]
tags: ["CONCEPTUAL", "CHAINGUARD IMAGES", "PRODUCT"]
images: []
menu:
docs:
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,9 @@ aliases:
type: "article"
description: "A brief tutorial on how to use Cosign to retrieve Chainguard Image SBOMs."
date: 2023-11-17T11:07:52+02:00
lastmod: 2024-08-01T11:07:52+02:00
lastmod: 2024-08-19T11:07:52+02:00
draft: false
tags: ["Conceptual", "Chainguard Images", "SBOM"]
tags: ["CONCEPTUAL", "CHAINGUARD IMAGES", "SBOM"]
images: []
menu:
docs:
Expand Down Expand Up @@ -48,13 +48,13 @@ Notice that this example syntax includes `download attestation` rather than `dow

This attestation data is encoded in base64, making it unreadable without further processing. This is why the output from the first part of the command is piped into `jq` in order to filter out the payload section of the output containing the SBOM. This filtered output is then passed into the `base64` command to be decoded before that output is piped into another `jq` command. The final `jq` command extracts the attestation predicate from the `base64` output and returns it to your terminal.

As an example, to retrieve the `argocd` image's attestation you would run a command like this.
As an example, to retrieve the `apko` image's attestation you would run a command like this.

```shell
cosign download attestation \
--platform=linux/amd64 \
--predicate-type=https://spdx.dev/Document \
cgr.dev/chainguard/argocd | jq -r .payload | base64 -d | jq .predicate
cgr.dev/chainguard/apko | jq -r .payload | base64 -d | jq .predicate
```

This example includes two extra arguments not included in the example syntax outlined previously. First, it includes the `--platform` flag which allows you to download the attestation for a specific platform image. This example specifies the `linux/amd64` platform, but you could also use `linux/arm64`. Be aware, though, that in order to use the `--platform` option you'll need to have Cosign version 2.2.1 or newer installed.
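Review bot: The new reference `cgr.dev/chainguard/apko` in the `cosign download attestation` command carries no tag, so it resolves to `latest` implicitly while the other examples changed in this commit spell out `:latest`. Writing `cgr.dev/chainguard/apko:latest` makes it explicit which image the SBOM attestation is fetched for and matches the rest of the change.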
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,9 @@ aliases:
type: "article"
description: "Article outlining how one can explore and use the Security Advisories found on the Chainguard Image Directory."
date: 2023-12-27T11:07:52+02:00
lastmod: 2023-12-27T11:07:52+02:00
lastmod: 2024-08-19T15:56:52-07:00
draft: false
tags: ["Overview", "Product", "Chainguard Images", "CVE"]
tags: ["OVERVIEW", "PRODUCT", "CHAINGUARD IMAGES", "CVE"]
images: []
menu:
docs:
Expand All @@ -36,6 +36,8 @@ To follow along with these examples, you'll need the following tools installed.
* [`chainctl`](/chainguard/chainctl/) — Chainguard's command-line interface tool. To install `chainctl`, follow our [installation guide](/chainguard/administration/how-to-install-chainctl/).
* [`jq`](https://jqlang.github.io/jq/)`jq` is a command-line JSON processor that allows you to filter and manipulate streaming JSON data. Although it isn’t strictly necessary for the purposes of this guide, this tutorial includes commands that use `jq` to filter command output that would otherwise be difficult to read. You can install `jq` by following the instructions on [the project’s Download jq page](https://jqlang.github.io/jq/download/).

Lastly, note that this guide includes examples involving an example organization with a private Chainguard Registry named `example.com`. If you would like to follow along with your own private Chainguard Images, be sure to change this where relevant to reflect your own setup. If you don't have access to a private Chainguard Registry, you can also follow along using Chainguard's public Developer Images but be aware that these are limited to only the `latest` or `latest-dev` tags. You can download public Developer Images from the `cgr.dev/chainguard` registry, as in `cgr.dev/chainguard/go:latest`.


## So you've encountered a CVE in a Chainguard Image
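Review bot: The added paragraph tells readers without a private registry to follow along with public Developer Images, yet the walkthrough that follows is built on `go:1.21.2` and `go:1.21.5`, which the same paragraph says are not available publicly (only `latest` or `latest-dev`). Add a sentence stating that the scanner output shown in the guide will not match what readers get when they substitute `cgr.dev/chainguard/go:latest`.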

Expand All @@ -44,7 +46,7 @@ Say you use a vulnerability scanner like Grype or Docker Scout to inspect a cert
As of this writing, the `go:1.21.2` image points to the image digest `sha256:04ab6905552b54a6977bed40a4105e9c95f78033e1cde67806259efc4beb959d`. Be aware that this tag will be withdrawn in the future, but the digest will remain available.

```sh
docker scout cves cgr.dev/chainguard-private/go:1.21.2
docker scout cves cgr.dev/example.com/go:1.21.2
```

Because this is the digest for an older version of Chainguard's Go Image, this command's output will show a number of vulnerabilities that have been found to exist within this specific version of the Image.
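Review bot: The changed command still pulls by the `go:1.21.2` tag even though the unchanged sentence directly above it says this tag will be withdrawn while the digest stays available. Since the line is being edited anyway, reference the image by the digest quoted in that sentence (`cgr.dev/example.com/go@sha256:<digest>`) so the example keeps working and always scans the same image.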
Expand Down Expand Up @@ -115,14 +117,14 @@ Chainguard's Security Advisories have told us that the CVE-2023-44487 was fixed
If you inspect a later version of the Image with Docker Scout, you'll find that this time it reports no CVEs. This example inspects version `1.21.5` of the Image.

```shell
docker scout cves cgr.dev/chainguard-private/go:1.21.5
docker scout cves cgr.dev/example.com/go:1.21.5
```
```
## Overview
│ Analyzed Image
────────────────────┼─────────────────────────────────────────
Target │ cgr.dev/chainguard-private/go:1.21.5
Target │ cgr.dev/example.com/go:1.21.5
digest │ 65008b35ef40
platform │ linux/amd64
vulnerabilities │ 0C 0H 0M 0L
Expand All @@ -141,8 +143,8 @@ You can go a step further by comparing these two images directly with the `chain

```sh
chainctl images diff \
cgr.dev/chainguard-private/go:1.21.2 \
cgr.dev/chainguard-private/go:1.21.5 | jq .
cgr.dev/example.com/go:1.21.2 \
cgr.dev/example.com/go:1.21.5 | jq .
```

This example will return a lot of output, as there are significant differences from version `1.21.2` to `1.21.5` of the Go Image. If you scroll down to the `vulnerabilities` section of this output, you'll find a list of vulnerabilities that are present in version `1.21.2` but have been removed by version `1.21.5`.
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,9 @@ aliases:
type: "article"
description: "Tutorial outlining how to set up a Google Artifact Registry repository to pull Images through from the Chainguard Registry."
date: 2024-07-08T15:56:52-07:00
lastmod: 2024-07-17T15:56:52-07:00
lastmod: 2024-08-19T15:56:52-07:00
draft: false
tags: ["Product", "Procedural", "Chainguard Images"]
tags: ["PRODUCT", "PROCEDURAL", "CHAINGUARD IMAGES"]
images: []
menu:
docs:
Expand Down Expand Up @@ -59,13 +59,13 @@ gcloud auth configure-docker us-central1-docker.pkg.dev
Be sure to change `us-central1` to reflect the location of your Artifact Registry repository.
Also, after running this command you may be prompted to log in to your Google Cloud account.

After running the command, you will be able to pull a Chainguard Developer Image through Google Artifact Registry. The following example pulls the `wolfi-base` Image:
After running the command, you will be able to pull a Chainguard Developer Image through Google Artifact Registry. The following example pulls the `go` Image:

```sh
docker pull us-central1-docker.pkg.dev/<your-project-id>/chainguard-pull-through/chainguard/wolfi-base:latest
docker pull us-central1-docker.pkg.dev/<your-project-id>/chainguard-pull-through/chainguard/go:latest
```

This command first specifies the location of the Artifact Registry repository we just created (`us-central1-docker.pkg.dev/<your-project-id>/chainguard-pull-through/`). It then follows that with the name of the Chainguard Developer Image and the remote repository we want to pull it from (`chainguard/wolfi-base:latest`).
This command first specifies the location of the Artifact Registry repository we just created (`us-central1-docker.pkg.dev/<your-project-id>/chainguard-pull-through/`). It then follows that with the name of the Chainguard Developer Image and the remote repository we want to pull it from (`chainguard/go:latest`).

If you run into issues with this command, be sure that it contains the correct Google Artifact Registry URL for your repository, including the location and project ID.

Expand Down Expand Up @@ -124,7 +124,7 @@ Back in the Google Artifact Registry, click on the repository you want to config

Enter the pull token `username` value in the **Username** field. In the **Password** field, select the secret you created in Google Secret Manager.

![Screenshot of the Google Artifact Registry screen, showing the username and secret password configuration. The "Authenticated" option is selected, the "Username for the upstream repository" field points to a username generated byt he pull-token command, and the "Secret" drop-down menu has "chainguard-pull-token" selected.](Google-Artifact-Registry-2.png)
![Screenshot of the Google Artifact Registry screen, showing the username and secret password configuration. The "Authenticated" option is selected, the "Username for the upstream repository" field points to a username generated by the pull-token command, and the "Secret" drop-down menu has "chainguard-pull-token" selected.](Google-Artifact-Registry-2.png)

Click the **Save** button to apply the changes.

Expand All @@ -139,10 +139,10 @@ gcloud auth configure-docker us-central1-docker.pkg.dev
Be sure to change `us-central1` to reflect the location of your Artifact Registry repository.


After running the command, you will be able to pull any Production Images that your organization has access to through Google Artifact Registry. For example, the following command will pull the `argo-cli-fips` Image if your organization has access to it:
After running the command, you will be able to pull any Production Images that your organization has access to through Google Artifact Registry. For example, the following command will pull the `chainguard-base` Image if your organization has access to it:

```sh
docker pull us-central1-docker.pkg.dev/<your-project-id>/chainguard-pull-through/<your-chainguard-org-name>/argo-cli-fips:latest
docker pull us-central1-docker.pkg.dev/<your-project-id>/chainguard-pull-through/<example.com>/chainguard-base:latest
```

Be sure the `docker pull` command you run includes the name of your Chainguard organization's registry.
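Review bot: The placeholder `<example.com>` in the changed `docker pull` path mixes two conventions: angle brackets mark a value the reader must replace (as in `<your-project-id>` on the same line), while `example.com` is used as a literal sample organization elsewhere in this commit (`cgr.dev/example.com/go:1.21.5`). Use either the descriptive `<your-chainguard-org-name>` that was there before, or plain `example.com` with a sentence telling readers to substitute their own organization, so nobody pastes the brackets or the sample name into a registry path.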
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,9 @@ aliases:
type: "article"
description: "Tutorial outlining how to set up a remote Artifactory repository to pull Images through from the Chainguard Registry."
date: 2024-02-13T15:56:52-07:00
lastmod: 2024-07-09T15:56:52-07:00
lastmod: 2024-08-19T15:56:52-07:00
draft: false
tags: ["Product", "Procedural", "Chainguard Images"]
tags: ["PRODUCT", "PROCEDURAL", "CHAINGUARD IMAGES"]
images: []
menu:
docs:
Expand Down Expand Up @@ -62,18 +62,18 @@ Following that, click the **Create Remote Repository** button. If everything wor

After clicking the **Set Up Docker Client** button, a modal window will appear from the right side of the page. Click the **Generate Token & Create Instructions** button, which will generate two code blocks whose contents you can copy.

The first will be a `docker login` command similar to the following example. Copy this command and run it in your terminal.
The first will be a `docker login` command similar to the following example. Run the following command in your terminal:

```sh
docker login -u<[email protected]> <myproject>.jfrog.io
```

After running this command, you'll be prompted to enter a password. Copy the token from the second code block and paste it into your terminal.

After running the `docker login` command, you will be able to pull a Chainguard Developer Image through Artifactory. The following example pulls the `wolfi-base` Image.
After running the `docker login` command, you will be able to pull a Chainguard Developer Image through Artifactory. The following example pulls the `go` Image:

```sh
docker pull <myproject>.jfrog.io/cgr-public/chainguard/wolfi-base
docker pull <myproject>.jfrog.io/cgr-public/chainguard/go
```

Be sure the `docker pull` command you run includes the name of your project as well as your own repository key in place of `cgr-public`.
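Review bot: The first changed sentence now reads "similar to the following example. Run the following command in your terminal:", which tells readers to run the placeholder example rather than the command Artifactory generated for them. The matching sentence in the Production Images section of this file still says "Copy this command and run it in your terminal:", so keep the copy-the-generated-command wording in both places. The new `docker pull <myproject>.jfrog.io/cgr-public/chainguard/go` line also lacks the `:latest` tag that the Production example in this file now carries.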
Expand All @@ -85,7 +85,7 @@ Production Chainguard Images are enterprise-ready images that come with patch SL

To get started, you will need to create [a pull token](/chainguard/chainguard-registry/authenticating/#authenticating-with-a-pull-token) for your organization's Chainguard Registry. Pull tokens are longer-lived tokens that can be used to pull Images from other environments that don't support OIDC, such as some CI environments, Kubernetes clusters, or with registry mirroring tools like Artifactory.

To create a pull token with `chainctl`, run the following command.
To create a pull token with `chainctl`, run the following command:

```sh
chainctl auth configure-docker --pull-token --parent <organization>
Expand All @@ -95,7 +95,7 @@ Be sure to replace `<organization>` with your organization's name or ID.

> **Note**: You can find your organization's name or ID by running `chainctl iam groups list -o table`.
This command will return a `docker login` command like the following.
This command will return a `docker login` command like the following:

```
. . .
Expand Down Expand Up @@ -127,7 +127,7 @@ Following that, click the **Create Remote Repository** button. If everything wor

After clicking the **Set Up Docker Client** button, a modal window will appear from the right side of the page. Click the **Generate Token & Create Instructions** button, which will generate two code blocks.

The first will be a `docker login` command similar to the following example. Copy this command and run it in your terminal.
The first will be a `docker login` command similar to the following example. Copy this command and run it in your terminal:

```sh
docker login -u<[email protected]> <myproject>.jfrog.io
Expand All @@ -137,13 +137,13 @@ Be sure to include your own username and Artifactory instance.

After running this command, you'll be prompted to enter a password. Copy the token from the second code block, paste it into your terminal, and press `ENTER`.

After running the `docker login` command, you will be able to pull a Chainguard Production Image through Artifactory. The following example pulls the `wolfi-base` Image.
After running the `docker login` command, you will be able to pull a Chainguard Production Image through Artifactory. The following example will pull the `chainguard-base` Image if your organization has access to it:

```sh
docker pull <myproject>.jfrog.io/cgr-private/<organization-name>/wolfi-base
docker pull <myproject>.jfrog.io/cgr-private/<example.com>/chainguard-base:latest
```

Be sure the `docker pull` command you run includes the name of your artifactory project and the proper name of your organization's registry. Additionally, if you entered a different repository key in the setup section, use it in place of `cgr-private`.
Be sure the `docker pull` command you run includes the name of your artifactory project and the name of your organization's registry. Additionally, if you entered a different repository key in the setup section, use it in place of `cgr-private`.


## Debugging pull through from Chainguard’s registry to Artifactory
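Review bot: The last changed sentence still writes "your artifactory project" in lower case while the other mentions in this file capitalize Artifactory; since the line is already being edited to drop "proper", capitalize it here too. In the command above it, `<example.com>` sits next to `<myproject>`, where angle brackets mark a value to replace, so the earlier `<organization-name>` reads more clearly than a bracketed sample value.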
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,9 @@ aliases:
type: "article"
description: "Tutorial outlining how to set up a Cloudsmith repository to pull Images through from the Chainguard Registry."
date: 2024-07-16T15:56:52-07:00
lastmod: 2024-07-16T15:56:52-07:00
lastmod: 2024-08-19T15:56:52-07:00
draft: false
tags: ["Product", "Procedural", "Chainguard Images"]
tags: ["PRODUCT", "PROCEDURAL", "CHAINGUARD IMAGES"]
images: []
menu:
docs:
Expand Down Expand Up @@ -157,7 +157,7 @@ If you run into issues when trying to pull Images from Chainguard's Registry to

* Ensure that all Images [network requirements](https://edu.chainguard.dev/chainguard/administration/network-requirements/) are met.
* When configuring a remote Cloudsmith repository, ensure that the **URL** field is set correctly. For Developer Images, this should be `https://cgr.dev/chainguard`; for Production Images this should be `https://cgr.dev/`. This field **must not** contain any additional components.
* You can troubleshoot by running `docker login` from another node (using the Cloudsmith pull token credentials) and try pulling an Image from `cgr.dev/chainguard/<image name>` or `cgr.dev/<company domain>/<image name>`.
* You can troubleshoot by running `docker login` from another node (using the Cloudsmith pull token credentials) and try pulling an Image from `cgr.dev/chainguard/<image name>` or `cgr.dev/<example.com>/<image name>`, using your own organization's registry name in place of `<example.com>`.
* It could be that your Cloudsmith repository was misconfigured. In this case, create and configure a new Cloudsmith repository to test with.

## Learn More
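Review bot: In the changed troubleshooting bullet, "by running `docker login` ... and try pulling an Image" is not parallel; since the line is being rewritten, make it "and then trying to pull an Image". The added clause explaining that `<example.com>` stands for the reader's own registry name is the right call and is worth keeping.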