images: start building an apko-general iptables image (#50545)

* images: start building an apko-general iptables image For #44510 This will need a PR to istio/tools to add `apko`, so putting a hold. Note this doesn't yet change Istio to use it, only to build it. * add libgcc for ztunnel
istio · May 2, 2024 · e123547 · e123547
1 parent 63b9bce
commit e123547
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/docker/iptables.yaml b/docker/iptables.yaml
@@ -0,0 +1,30 @@
+contents:
+  repositories:
+    - https://packages.wolfi.dev/os
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+  packages:
+    - ca-certificates-bundle
+    - wolfi-baselayout
+    - glibc
+    - iptables
+    - ip6tables
+    - libnetfilter_conntrack
+    - libnfnetlink
+    - libmnl
+    - libgcc
+archs:
+  - x86_64
+  - aarch64
+paths:
+- path: /run
+  type: directory
+  permissions: 0o755
+accounts:
+  users:
+    - username: nonroot
+      uid: 65532
+    - username: nobody
+      uid: 65534
+  run-as: 65532
+work-dir: /home/nonroot
diff --git a/tools/build-base-images.sh b/tools/build-base-images.sh
@@ -48,3 +48,15 @@ DOCKER_TARGETS="${DOCKER_TARGETS:-${defaultTargets}}"
 # * export DOCKER_ARCHITECTURES="linux/amd64,linux/arm64"
 # Note: if you already have a container builder before running the qemu setup you will need to restart them
 "${ROOT}/tools/docker" --push --no-cache --no-clobber --targets="${DOCKER_TARGETS}"
+
+APKO_IMAGES=""
+for h in ${HUBS}; do
+  for t in ${TAGS:-$TAG}; do
+    APKO_IMAGES+="${h}/iptables:$t "
+  done
+done
+
+# Build apko base image, which isn't part of our image building tool
+APKO_ARCHES="$(echo "${DOCKER_ARCHITECTURES:-arm64,amd64}" | sed 's/linux\///g')"
+# shellcheck disable=SC2086
+apko publish --arch="${APKO_ARCHES}" docker/iptables.yaml ${APKO_IMAGES}