chainguard-dev / apko

Build OCI images from APK packages directly without Dockerfile

Home Page: https://apko.dev

Using pull-through cache for longer alpine package retention

kolloch opened this issue

Context:

  1. Alpine main/community: We are using Alpine (not Wolfi).
  2. Checked-in lockfiles: In our repository, we check in the lock files to get reproducible lock files.

Sample apko.yaml:

contents:
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/v3.19/main
    - https://dl-cdn.alpinelinux.org/alpine/v3.19/community
  packages:
    - alpine-base
    - java-cacerts

archs:
  - amd64
  - arm64

This works well, BUT in Alpine, old package files are apparently quickly deleted when they are not referenced by the index anymore. That often makes our builds fail only a few hours/days after the last update.

To work around this, we tried to use a pull-through cache:

https://jfrog.com/help/r/jfrog-artifactory-documentation/alpine-linux-repositories

In our first tries, we hard-coded our credentials into the repository URLs in the apko.yaml file.

We got this error:

Error: failed to get package list for image: error getting package dependencies: error getting repository indexes: no key found to verify signature for keyfile alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub; tried all other keys as well
2024/05/28 14:25:08 error during command execution: failed to get package list for image: error getting package dependencies: error getting repository indexes: no key found to verify signature for keyfile alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub; tried all other keys as well

I assume the logic that automagically loads the correct keys for the standard URLs doesn't trigger here?

Anyways, we can then add the keyring files individually:

  keyring:
    - https://alpinelinux.org/keys/alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub
    - https://alpinelinux.org/keys/alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub
    - https://alpinelinux.org/keys/alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub

But it doesn't work for all keys?

Error: failed to get package list for image: error getting package dependencies: error getting repository indexes: no key found to verify signature for keyfile alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub; tried all other keys as well
2024/05/28 14:26:58 error during command execution: failed to get package list for image: error getting package dependencies: error getting repository indexes: no key found to verify signature for keyfile alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub; tried all other keys as well
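
Added example, not part of the original issue and not apko's own code: an APK v2 `APKINDEX.tar.gz` is a concatenation of gzip streams whose first tar entry is named `.SIGN.RSA.<key file name>`, so the key an index asks for can be read from the file itself and compared with the `keyring:` entries. The helper names, the comparison by file name, and the sample index (built in memory with a dummy signature) are assumptions made for illustration.

```python
import gzip
import io
import posixpath
import tarfile
from urllib.parse import urlparse

# Signature entry prefixes used by APK v2 archives.
SIG_PREFIXES = (".SIGN.RSA256.", ".SIGN.RSA.")


def _tar_member(name, data):
    """One raw tar entry (header + padded data), without end-of-archive blocks."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    padding = b"\0" * ((-len(data)) % 512)
    return info.tobuf(format=tarfile.USTAR_FORMAT) + data + padding


def build_sample_index(key_name):
    """Constructed sample: signature stream + index stream, as in APKINDEX.tar.gz."""
    sig = gzip.compress(_tar_member(".SIGN.RSA." + key_name, b"\0" * 256))
    body = _tar_member("APKINDEX", b"P:alpine-base\nV:0\n\n") + b"\0" * 1024
    return sig + gzip.compress(body)


def index_signing_keys(blob):
    """Return the key file names named by the index's signature entries."""
    keys = []
    # Python's gzip reader walks all concatenated streams, so the tar
    # reader sees the signature entry followed by the index entries.
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        for member in tf:
            for prefix in SIG_PREFIXES:
                if member.name.startswith(prefix):
                    keys.append(member.name[len(prefix):])
    return keys


def missing_keys(blob, keyring_urls):
    """Key names the index requires that no keyring URL provides by file name."""
    configured = {posixpath.basename(urlparse(u).path) for u in keyring_urls}
    return [k for k in index_signing_keys(blob) if k not in configured]
```

Running `index_signing_keys` on the `APKINDEX.tar.gz` fetched from each architecture's repository URL (directly and through the cache) shows which key file name each one expects.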