k3s.yaml

package:
  name: k3s
  version: 1.29.0
  epoch: 1
  description:
  copyright:
    - license: Apache-2.0
  dependencies:
    runtime:
      - busybox
      - conntrack-tools
      - containerd-shim-runc-v2
      - ip6tables # this pulls in iptables as well
      - libseccomp
      - runc

environment:
  contents:
    packages:
      - build-base
      - busybox
      - ca-certificates-bundle
      - crane
      - curl
      - go
      - libseccomp-dev
      - sqlite-dev
      - yq
      - zstd

var-transforms:
  # TODO: This transforms the version into the real k3s version. It's needed
  # because the wolfictl update bot doesn't yet support the k3s version format
  # (+k3s#). This is a hack, and means if upstream ships a >k3s1 revision, we
  # won't automatically pick it up. However, this is rare, and this solution
  # buys us enough time to add support for the k3s version scheme.
  - from: ${{package.version}}
    match: ^(.+)$
    replace: $1+k3s1 # NOTE: Update k3s# if upstream ships a >k3s# revision
    to: full-package-version

# Upstream uses `dapper` to initialize build environments, but since melange
# already provides a consistent build environment, we adopt upstreams ./scripts
# as much as possible.
pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/k3s-io/k3s
      tag: v${{vars.full-package-version}}
      expected-commit: 3190a5faa28d7a0d428c756d67adcab7eb11e6a5
  - uses: go/bump
    with:
      deps: github.com/opencontainers/runc@v1.1.12
  # Build things (almost) identical to upstream, with the k3s components
  # embedded in the "outer" multicall binary.
  - runs: |
      # Don't include the k3s-root since it conflicts with wolfi variants (ie: busybox and ip6tables)
      sed -e '/curl --compressed/d' -i scripts/download
      mkdir -p build/static bin/aux etc
      ./scripts/download

      # Patch things that need patching

      # CVE-2023-47108
      go mod edit -dropreplace=go.opentelemetry.io/otel/exporters/otlp/otlpmetric
      go mod edit -dropreplace=go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc
      go mod edit -dropreplace=go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
      go mod edit -dropreplace=go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful
      go mod edit -dropreplace=go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
      go mod edit -dropreplace=go.opentelemetry.io/otel
      go mod edit -dropreplace=go.opentelemetry.io/otel/sdk
      go mod edit -dropreplace=go.opentelemetry.io/otel/trace
      go mod edit -dropreplace=go.opentelemetry.io/proto/otlp
      go mod edit -dropreplace=go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
      go mod edit -dropreplace=go.opentelemetry.io/otel/exporters/otlp/otlptrace
      go mod edit -dropreplace=go.opentelemetry.io/otel/metric
      go mod edit -dropreplace=go.opentelemetry.io/otel/exporters/otlp/internal/retry

      go get go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful@v0.46.1
      go get go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.46.1
      go get go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.46.1
      go get go.opentelemetry.io/otel@v1.21.0
      go get go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc@v0.44.0
      go get go.opentelemetry.io/otel/exporters/otlp/otlptrace@v1.21.0
      go get go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@v1.21.0
      go get go.opentelemetry.io/otel/metric@v1.21.0
      go get go.opentelemetry.io/otel/sdk@v1.21.0
      go get go.opentelemetry.io/otel/trace@v1.21.0
      go get go.opentelemetry.io/proto/otlp@v1.0.0

      # GHSA-jq35-85cj-fj4
      go mod edit -dropreplace=github.com/docker/docker

      go get github.com/docker/docker@v24.0.7

      # CVE-2023-46129
      go get github.com/nats-io/nkeys@v0.4.6

      # GHSA-6xv5-86q9-7xr8
      go get github.com/cyphar/filepath-securejoin@v0.2.4

      # CVE-2023-48795
      go mod edit -dropreplace=golang.org/x/crypto
      go get golang.org/x/crypto@v0.17.0

      go mod tidy

      ./scripts/build
  # k3s embedds a lot of useful components (containerd, kubectl, etc...) in a
  # very efficient manner that can't be replicated with external runtime
  # components. To ensure we have an optimally packaged k3s, we try to mimic
  # as much of the upstream k3s space savings while still building all the
  # components from source. We use some light sed surgery instead of
  # maintaining patches for every version. Ultimately this means Wolfi's
  # version of k3s should feel identical to upstream (with containerd,
  # kubectl, crictl, etc...) all embedded, but with Wolfi variants where
  # applicable (runc).
  - runs: |
      # Remove non-embedded components and replace with Wolfi variants at runtime
      rm -rf bin/runc
      rm -rf bin/containerd-shim-runc-v2

      # Move the "inner" k3s binary out of the bundle dir to avoid packaging it
      # twice. Give it a weird but semi-descriptive name to discourage users from
      # calling it directly
      mkdir -p "${{targets.destdir}}"/bin/
      mv bin/k3s "${{targets.destdir}}"/bin/_k3s-inner

      # Modify the packaging script to exclusively use symlinks to our moved "inner" binary
      sed -i 's|ln -s k3s${BINARY_POSTFIX} bin/$i${BINARY_POSTFIX}|ln -s /bin/_k3s-inner${BINARY_POSTFIX} bin/$i${BINARY_POSTFIX}|g' ./scripts/package-cli

      # Remove the upload portion from the upstream package-cli script
      sed -e '/scripts\/build-upload/d' -i scripts/package-cli

      # Upstream handles the ctr link at install time, since we don't have an "install" phase, we do it here
      rm -rf bin/ctr && ln -s /bin/_k3s-inner bin/ctr

      ./scripts/package-cli

      # Check that the multicall symlinks were created
      [ "$(readlink ./bin/k3s-server)" = "/bin/_k3s-inner" ] || { echo "Error: the multicall symlinks are not set up appropriately" >&2; exit 1; }
      [ "$(readlink ./bin/loopback)" = "cni" ] || { echo "Error: the multicall symlinks are not set up appropriately" >&2; exit 1; }

      # Finally, install the "outer" k3s multicall binary. This should only
      # contain the go runtime plus the self extracting multicall logic, and
      # should be a relatively small binary (~<15Mb).
      install -Dm755 dist/artifacts/k3s* "${{targets.destdir}}"/bin/k3s

      # Assert a max multicall size since it's a good sign that packaging happened correctly.
      [ $(stat -c%s "${{targets.destdir}}"/bin/k3s) -le $((15 * 1024 * 1024)) ] || { echo "Error: multicall k3s exceeds 15MB" >&2; exit 1; }
  - uses: strip

subpackages:
  - name: k3s-images
    description: "pre-packaged k3s core runtime images"
    pipeline:
      - runs: |
          set -e -u -x

          _arch=$(go env GOARCH)

          images=""
          while read -r line
          do
            repo=$(echo $line | cut -d ':' -f 1)
            tag=$(echo $line | cut -d ':' -f 2)

            # Replace upstream images with cgr.dev equivalents only if they exist
            case $repo in
              docker.io/rancher/klipper-helm|docker.io/rancher/klipper-lb|docker.io/rancher/local-path-provisioner|docker.io/rancher/mirrored-pause)
                # TODO: Replace these known gaps with cgr variants
                image="$repo:$tag@$(crane digest $repo:$tag)"
                ;;
              docker.io/rancher/mirrored-metrics-server)
                image=$(crane digest --full-ref cgr.dev/chainguard/metrics-server:latest)
                ;;
              docker.io/rancher/mirrored-coredns-coredns)
                image=$(crane digest --full-ref cgr.dev/chainguard/coredns:latest)
                ;;
              docker.io/rancher/mirrored-library-busybox)
                image=$(crane digest --full-ref cgr.dev/chainguard/busybox:latest)
                ;;
              docker.io/rancher/mirrored-library-traefik)
                image=$(crane digest --full-ref cgr.dev/chainguard/traefik:latest)
                ;;
              *)
                echo "unaccounted for image: $repo:$tag"
                exit 1
                ;;
            esac

            images="$images $image"
          done < ./scripts/airgap/image-list.txt

          echo "Pulling images locally..."
          echo $images

          _images_path="${{targets.subpkgdir}}"/var/lib/rancher/k3s/agent/images
          mkdir -p $_images_path

          crane pull $images $_images_path/k3s-airgap-images-$_arch.tar

update:
  enabled: true
  github:
    identifier: k3s-io/k3s
    strip-prefix: v
    strip-suffix: "+k3s1" # NOTE: Update k3s# if upstream ships a >k3s1 revision