Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

figure out containarization #16

Open
v0lkan opened this issue Nov 10, 2024 · 2 comments
Open

figure out containarization #16

v0lkan opened this issue Nov 10, 2024 · 2 comments
Assignees

Comments

@v0lkan
Copy link
Contributor

v0lkan commented Nov 10, 2024

No description provided.

@v0lkan v0lkan converted this from a draft issue Nov 10, 2024
@strideynet
Copy link
Contributor

I'm happy to pick this up.

The way we've handled this on https://github.com/spiffe/aws-spiffe-workload-helper is:

  • Using Ko to build the OCI images. This produces effectively a very simple distroless image with the Go binary. This only works with CGO_ENABLED=0 though - so if BoringCrypto is a hard requirement, we'll have to take a different route here and create a Dockerfile.
  • Pushing the built images to the GitHub Container Registry. This seems like the most natural place.

Given how sensitive the data SPIKE handles is, we probably ought to investigate SigStore signing of the release images. This should be fairly trivial in GHA.

@v0lkan
Copy link
Contributor Author

v0lkan commented Jan 3, 2025

Assigned.

Not boringcrypto, but CGO is a requirement (for sqlite at least)

We can discuss the details.

Also, @abhishek44sharma did the majority of helm charts work in VMware Secrets Manager; he might have ideas too.

Actually, we can even discuss that in our first contributor sync sometime :D

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: No status
Development

No branches or pull requests

2 participants