|
| 1 | +# Custom Assembly: Infrastructure as Code Example |
| 2 | + |
| 3 | +This is an example of how you could manage Custom Assembly images |
| 4 | +declaratively with an IaC/GitOps approach. |
| 5 | + |
| 6 | +## How it Works |
| 7 | + |
| 8 | +Each YAML file under [`images/`](images/) represents a Chainguard image |
| 9 | +repository with the naming convention `images/{name}.yaml`. |
| 10 | + |
| 11 | +This example does not recommend a specific CI/CD solution. Instead it provides |
| 12 | +generic scripts that could be ran in response to GitHub repository events in |
| 13 | +any given workflow engine. |
| 14 | + |
| 15 | +### Pre Submit |
| 16 | + |
| 17 | +The `presubmit.sh` script is designed to run as part of the checks on a Pull |
| 18 | +Request. It validates that the yaml files are valid. |
| 19 | + |
| 20 | +It performs the following checks. |
| 21 | + |
| 22 | +1. Ensures that the image described by the file exists and is enabled for |
| 23 | + Custom Assembly. |
| 24 | +2. Validates that each package described by the configuration exists in the |
| 25 | + private APK repository that Custom Assembly uses. |
| 26 | + |
| 27 | +### Post Submit |
| 28 | + |
| 29 | +The `postsubmit.sh` script is designed to run when changes are merged to the |
| 30 | +`main` branch. It applies each of the yaml files with `chainctl image repo build |
| 31 | +apply`. |
| 32 | + |
| 33 | +## Usage |
| 34 | + |
| 35 | +### IAM |
| 36 | + |
| 37 | +Before running the scripts, you must login to Chainguard with `chainctl auth |
| 38 | +login`. |
| 39 | + |
| 40 | +You must be an `owner` in the organization. Or, you can construct a [custom |
| 41 | +role](https://edu.chainguard.dev/chainguard/administration/iam-organizations/roles-role-bindings/roles-role-bindings/) |
| 42 | +with the `repo.update` permission. |
| 43 | + |
| 44 | +For your automation, create an [Assumable |
| 45 | +Identity](https://edu.chainguard.dev/chainguard/administration/assumable-ids/assumable-ids/) |
| 46 | +to run the scripts with. The kind of identity will depend on the platform your |
| 47 | +pipelines are hosted in. |
| 48 | + |
| 49 | +### Checking Available Packages |
| 50 | + |
| 51 | +Not all packages are available via Custom Assembly. Before adding a package to |
| 52 | +an image, you can check if it's available by querying the index of the private |
| 53 | +APK repository used by Custom Assembly. |
| 54 | + |
| 55 | +You must have the `apk (list)` capability in your organization to do this. This |
| 56 | +is provided by the `apk.pull` role or other more privileged roles like `viewer` |
| 57 | +or `owner`. |
| 58 | + |
| 59 | +```shell |
| 60 | +export ORGANIZATION=your.org |
| 61 | + |
| 62 | +curl \ |
| 63 | + -sSf \ |
| 64 | + -u "_token:$(chainctl auth token --audience apk.cgr.dev)" \ |
| 65 | + "https://apk.cgr.dev/${ORGANIZATION}/x86_64/APKINDEX.tar.gz" \ |
| 66 | + | tar -xOz APKINDEX \ |
| 67 | + | grep '^P:curl$' |
| 68 | +``` |
0 commit comments