Collection of opinionated container images

Find a file

Tommy Skaug de734d2fc0 All checks were successful Build and Push Image / build-and-push (push) Successful in 1m55s Details feat(home-assistant): add pyeasee and pyelectroluxgroup to image		2025-01-05 12:18:19 +01:00
.forgejo	chore(forgejo): add push logic to image builds workflow and enforce only one Dockerfile at a time since the runner doesn't support fromJSON -_-	2025-01-05 12:17:26 +01:00
.taskfiles	misc	2024-12-30 21:50:06 +01:00
apps	feat(home-assistant): add pyeasee and pyelectroluxgroup to image	2025-01-05 12:18:19 +01:00
assets	chore: update readme	2024-11-10 10:56:27 +01:00
.gitignore	chore: more restructuring of the repo. Most significant change is rename from flakes-action to ci-os	2024-11-12 10:12:42 +01:00
LICENSE	testing: initial commit with port from buroa and significant changes	2024-10-12 10:01:23 +02:00
metadata.rules.cue	testing: initial commit with port from buroa and significant changes	2024-10-12 10:01:23 +02:00
README.org	Update README.org	2025-01-02 07:08:16 +00:00
renovate.json5	chore(renovate): move renovate file into place and customize for repo	2024-11-27 18:13:49 +01:00
Taskfile.yaml	chore: cleanup taskfiles	2024-11-15 07:24:10 +01:00

README.org

Container Collection

Containers for Kubernetes deployment_

Available Images

Container	Version	Status	Description
ci-os	latest	🚧	Image to streamline the code.252.no CI/CD workflows
kaniko	v24.10.01	🚧	A more secure image builder

Container Rules

Containers in this project should be useful in Kubernetes. They will be:

semantically versioned
rootless
logging to stdout in JSON format if possible
using one process per container
having no s6-overlay
built on Alpine
immutable
do no monkey business after deployed

Additionally I may in the future support:

multiple architecture. For now containers are generated for amd64

Tag immutability

Instead of using immutable version tags as seen on e.g. linuxserver.io we use calver and sha256-digests.

If pinning an image to the sha256 digest, tools like [Renovate](https://github.com/renovatebot/renovate) support updating the container on a digest or application version change.

The schema used is: YYYY.MM.Minor@sha256:digest. This is not as pretty, but functional and immutable. Examples:

Container	Immutable
`code.252.no/tommy/containers/flakes-action:v24.10.1`	❌
`code.252.no/tommy/containers/flakes-action:v24.10.1@sha256:1234...`	✅

Kubernetes Pod Security Standard

In Kubernetes we assume that you have pod-security.kubernetes.io/enforce set to restricted. There may be some exceptions to this if the container actually requires more privileges.

E.g. for the flakes-action, which runs as user ID 1000, this means that the following settings should be used for the pod (all containers in a pod):

spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000

For a container this means:

spec:
  [...]
  containers:
  - name: flakes-action
    [...]
    securityContext:
      runAsUser: 1001
      capabilities:
        drop: ["ALL"]
      privileged: false
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault

Configuration volume

For applications that need to have persistent configuration data the config volume is hardcoded to `/config` inside the container.

Deprecations

Containers here can be deprecated at any point, this could be for any reason described below.

The upstream application is no longer actively developed
The upstream application has an official upstream container that follows closely to the mission statement described here
The upstream application has been replaced with a better alternative
The maintenance burden of keeping the container here is too bothersome

Credits

A big thanks goes to Buroa@github for the inspiration to the repo structure and concept.