A binary for building and scanning (with Trivy) a Kubernetes image using the kubernetes-sigs/image-builder repo or the drew-viles-image-builder repo where new functionality is required but not yet merged upstream.
Baski also supports signing images and will tag the image with a digest so that a verification can be done against images.
The scanning and signing functionality are separate from the build meaning these can be used on none Kubernetes images.
✅ Stable
However, no responsibility is held for anything that may go wrong with your images - it's been tested to the best of my ability, but you know, hidden bugs exist in all projects
| Cloud Provider |
|---|
| OpenStack |
| Kubevirt |
More clouds could be supported but may not be maintained directly by Drewbernetes.
Run the binary with a config file or see the help for a list of flags.
In the example config, not all fields are required and any fields that are not required are left
blank - unless the fields are enabled by a bool, for example in the Nvidia options where none are required
if enable-nvidia-support is set to false,
The following are valid locations for the baski.yaml config file are:
/tmp/
/etc/baski/
$HOME/.baski/For more flags and info, run baski --help
If you wish to run it locally then you can either build the binary and run it, or you can run it in docker by doing the following example for OpenStack:
docker build -t baski:v0.0.0 -f docker/baski/Dockerfile .
docker run --name baski -it --rm --env OS_CLOUD=some-cloud -v /path/to/openstack/clouds.yaml:/home/baski/.config/openstack/clouds.yaml -v /path/to/baski.yaml:/tmp/baski.yaml baski:v0.0.0
#Then from in here
baski build / scan / signThe prebuilt images are stored in Dockerhub at drewviles/baski
Get yourself a GitHub access token with permissions to read the repository, if you don't already have one.
gh auth login
gh auth tokenRun git cliff
export GITHUB_TOKEN=<token> # You can also add this to your ~/.bashrc or ~/.zshrc etc
git cliff -o
It's worth noting that --bump will update the changelog with what it thinks will be the next release. Make sure to check this and ensure your next tag matches this value.
The rules are:
- The default is
patch. Generally speaking this would beafix,docs,choreetc. (see conventional commits) - If
feat:exists in the commit, then a minor version increase will happen. - If
BREAKING CHANGE:exists in the commit, then it will be a major version bump. - If
--bumpis not added, it will result in an[unreleased]changelog entry instead of a tagged one.
Once tested and validated using your branch, get the next available tag by running the following command, and incrementing by one. e.g if this output v0.1.31, you should use v0.1.32.
git tag | sort -V | tail -n1- Automatically clear up resources when ctrl-c is pressed.
- Make this work for more than just Openstack so that it's more useful to the community around the Kubernetes Image Builder?
- Add metrics/telemetry to the process.
- Create all option to allow whole process?
The scripts and documentation in this project are released under the Apache v2 License.