containers/apps/lix-builder/manifest.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: builds
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: privileged
    pod-security.kubernetes.io/warn-version: latest
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/audit-version: latest
---
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
  namespace: builds
spec:
  securityContext:
    runAsUser: 1001
    runAsGroup: 1001
    fsGroup: 1001
    seccompProfile:
      type: Unconfined
  containers:
  - name: kaniko
    image: code.252.no/tommy/kaniko:v24.10.01@sha256:d51c3b5c468bb070108d9e27884072f8527f20c9e41e2133621c56f62f89afc0
    resources:
      limits:
        cpu: 1000m
        memory: 2Gi
    command: ["/opt/kaniko/kaniko"]
    args:
    - --dockerfile=Dockerfile
    #- --reproducible
    - --context=/kaniko
    - --custom-platform=linux/amd64
    - --destination=code.252.no/tommy/lix-builder:v24.10.01
    #- --dockerfile=Dockerfile
    #- --reproducible
    #- --kaniko-dir=/workspace/kaniko
    #- --context=/workspace
    #- --custom-platform=linux/amd64
    #- --destination=code.252.no/tommy/lix-builder:v24.10.01
    #- --cache=true
    #- --compressed-caching=false
    #- --use-new-run
    #- --cleanup
    volumeMounts:
    # - name: workspace-dir
    #   mountPath: /workspace
    - name: docker-config
      mountPath: /opt/kaniko/.docker/config.json
      subPath: config.json
    - name: dockerfile
      mountPath: /kaniko/Dockerfile
      subPath: Dockerfile
    securityContext:
      runAsUser: 1001
      privileged: false
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      capabilities:
        drop:
        - ALL
        add:
        - CHOWN
        - FOWNER
        - DAC_OVERRIDE
        - SYS_ADMIN
  restartPolicy: Never
  volumes:
  # - name: workspace-dir
  #   emptyDir: {}
  - name: docker-config
    secret:
      secretName: tommy-pushsecret-rw
      items:
      - key: .dockerconfigjson
        path: config.json
  - name: dockerfile
    configMap:
      name: dockerfile
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: dockerfile
  namespace: builds
data:
  Dockerfile: |
    FROM ghcr.io/lix-project/lix:2.91

    WORKDIR /tmp/working-dir

    RUN nix-env -iA nixpkgs.go nixpkgs.vim nixpkgs.sops nixpkgs.nix-direnv \
                nixpkgs.attic-client nixpkgs.nh nixpkgs.deploy-rs nixpkgs.statix \
                nixpkgs.deadnix nixpkgs.alejandra nixpkgs.home-manager \
                nixpkgs.ssh-to-age nixpkgs.gnupg nixpkgs.age nixpkgs.linux \
                nixpkgs.go-task nixpkgs.curl nixpkgs.fish nixpkgs.nixos-anywhere

    ENTRYPOINT ["fish"]
chore: adding backlog of additions 2024-11-03 20:28:20 +00:00			`apiVersion: v1`
			`kind: Namespace`
			`metadata:`
			`name: builds`
			`labels:`
			`pod-security.kubernetes.io/enforce: privileged`
			`pod-security.kubernetes.io/enforce-version: latest`
			`pod-security.kubernetes.io/warn: privileged`
			`pod-security.kubernetes.io/warn-version: latest`
			`pod-security.kubernetes.io/audit: privileged`
			`pod-security.kubernetes.io/audit-version: latest`
			`---`
			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: kaniko`
			`namespace: builds`
			`spec:`
			`securityContext:`
			`runAsUser: 1001`
			`runAsGroup: 1001`
			`fsGroup: 1001`
			`seccompProfile:`
			`type: Unconfined`
			`containers:`
			`- name: kaniko`
			`image: code.252.no/tommy/kaniko:v24.10.01@sha256:d51c3b5c468bb070108d9e27884072f8527f20c9e41e2133621c56f62f89afc0`
			`resources:`
			`limits:`
			`cpu: 1000m`
			`memory: 2Gi`
			`command: ["/opt/kaniko/kaniko"]`
			`args:`
			`- --dockerfile=Dockerfile`
			`#- --reproducible`
			`- --context=/kaniko`
			`- --custom-platform=linux/amd64`
			`- --destination=code.252.no/tommy/lix-builder:v24.10.01`
			`#- --dockerfile=Dockerfile`
			`#- --reproducible`
			`#- --kaniko-dir=/workspace/kaniko`
			`#- --context=/workspace`
			`#- --custom-platform=linux/amd64`
			`#- --destination=code.252.no/tommy/lix-builder:v24.10.01`
			`#- --cache=true`
			`#- --compressed-caching=false`
			`#- --use-new-run`
			`#- --cleanup`
			`volumeMounts:`
			`# - name: workspace-dir`
			`# mountPath: /workspace`
			`- name: docker-config`
			`mountPath: /opt/kaniko/.docker/config.json`
			`subPath: config.json`
			`- name: dockerfile`
			`mountPath: /kaniko/Dockerfile`
			`subPath: Dockerfile`
			`securityContext:`
			`runAsUser: 1001`
			`privileged: false`
			`allowPrivilegeEscalation: false`
			`runAsNonRoot: true`
			`capabilities:`
			`drop:`
			`- ALL`
			`add:`
			`- CHOWN`
			`- FOWNER`
			`- DAC_OVERRIDE`
			`- SYS_ADMIN`
			`restartPolicy: Never`
			`volumes:`
			`# - name: workspace-dir`
			`# emptyDir: {}`
			`- name: docker-config`
			`secret:`
			`secretName: tommy-pushsecret-rw`
			`items:`
			`- key: .dockerconfigjson`
			`path: config.json`
			`- name: dockerfile`
			`configMap:`
			`name: dockerfile`
			`---`
			`apiVersion: v1`
			`kind: ConfigMap`
			`metadata:`
			`name: dockerfile`
			`namespace: builds`
			`data:`
			`Dockerfile: \|`
			`FROM ghcr.io/lix-project/lix:2.91`

			`WORKDIR /tmp/working-dir`

			`RUN nix-env -iA nixpkgs.go nixpkgs.vim nixpkgs.sops nixpkgs.nix-direnv \`
			`nixpkgs.attic-client nixpkgs.nh nixpkgs.deploy-rs nixpkgs.statix \`
			`nixpkgs.deadnix nixpkgs.alejandra nixpkgs.home-manager \`
			`nixpkgs.ssh-to-age nixpkgs.gnupg nixpkgs.age nixpkgs.linux \`
			`nixpkgs.go-task nixpkgs.curl nixpkgs.fish nixpkgs.nixos-anywhere`

			`ENTRYPOINT ["fish"]`