Use new images for shell image and the git-init base.

This swaps out the use of `gcr.io/distroless/base:debug` for the new `ghcr.io/distroless/busybox` image (since the former was being used exclusively for it having busybox). This also swaps our the `Dockerfile` based `git-init` base image in favor of `ghcr.io/distroless/git` since it is now possible to produce a `distroless` Git image without losing one's sanity. This does NOT remove the `Dockerfile` or any logic to build it just yet, in case we want to roll this back, but that should follow in a subsequent change (tracked by the issue below). Related: tektoncd#4752
mattmoor · Apr 13, 2022 · a75e4a5 · a75e4a5
1 parent cb23f45
commit a75e4a5
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/.ko.yaml b/.ko.yaml
@@ -2,4 +2,4 @@ defaultBaseImage: gcr.io/distroless/static:nonroot
 baseImageOverrides:
   # git-init uses a base image that includes Git, and supports running either
   # as root or as user nonroot with UID 65532.
-  github.com/tektoncd/pipeline/cmd/git-init: gcr.io/tekton-nightly/github.com/tektoncd/pipeline/git-init-build-base:latest
+  github.com/tektoncd/pipeline/cmd/git-init: ghcr.io/distroless/git
diff --git a/config/controller.yaml b/config/controller.yaml
@@ -75,10 +75,10 @@ spec:
 
           # This is gcr.io/google.com/cloudsdktool/cloud-sdk:302.0.0-slim
           "-gsutil-image", "gcr.io/google.com/cloudsdktool/cloud-sdk@sha256:27b2c22bf259d9bc1a291e99c63791ba0c27a04d2db0a43241ba0f1f20f4067f",
-          # The shell image must be root in order to create directories and copy files to PVCs.
-          # gcr.io/distroless/base:debug as of February 17, 2022
+          # The shell image must allow root in order to create directories and copy files to PVCs.
+          # ghcr.io/distroless/busybox as of April 13, 2022
           # image shall not contains tag, so it will be supported on a runtime like cri-o
-          "-shell-image", "gcr.io/distroless/base@sha256:3cebc059e7e52a4f5a389aa6788ac2b582227d7953933194764ea434f4d70d64",
+          "-shell-image", "ghcr.io/distroless/busybox@sha256:a49009a6824586192cfa370edcb05daf96b949bc7c44f1c800025b6df39a8811",
           # for script mode to work with windows we need a powershell image
           # pinning to nanoserver tag as of July 15 2021
           "-shell-image-win", "mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6",

diff --git a/tekton/publish.yaml b/tekton/publish.yaml
@@ -95,7 +95,7 @@ spec:
 
       # Combine Distroless with a Windows base image, used for the entrypoint image.
       COMBINED_BASE_IMAGE=$(go run ./vendor/github.com/tektoncd/plumbing/cmd/combine/main.go \
-        gcr.io/distroless/base:debug-nonroot \
+        ghcr.io/distroless/busybox \
         mcr.microsoft.com/windows/nanoserver:1809 \
         ${CONTAINER_REGISTRY}/$(params.package)/combined-base-image:latest)
 
@@ -109,7 +109,7 @@ spec:
         $(params.package)/cmd/workingdirinit: ${COMBINED_BASE_IMAGE}
 
         # This matches values configured in .ko.yaml
-        $(params.package)/cmd/git-init: ${CONTAINER_REGISTRY}/$(params.package)/git-init-build-base:latest
+        $(params.package)/cmd/git-init: ghcr.io/distroless/git
       EOF
 
       cat ${PROJECT_ROOT}/.ko.yaml