Add -dev variant to static image #368

Closed

charlieegan3
Contributor

Plan is to replace gcr.io/distroless/static:debug here https://github.com/open-policy-agent/opa/blob/main/Makefile#L363

Fixes:

Related:

Pre-review Checklist

  • IMPORTANT: 'image-request' tag has been applied if this PR is adding any images, including new versions or variants

For new image PRs only

If you have an apko.yaml file in this PR you need to follow this checklist, otherwise feel free to remove.

  • Image is marked experimental or stable as appropriate
  • The last two minor versions are available
  • The latest tag points to the newest stable version
  • There is a dev tag available that includes a shell and apk tools (by depending on 'wolfi-base')
  • The image runs as nonroot and GID/UID are set to 65532
    • Alternatively the username and GID/UID may be a commonly used one from the ecosystem e.g: postgres
    • See above for exceptions to nonroot rule
  • ENTRYPOINT
    • For applications/servers/utilities call main program with no arguments e.g. [redis-server]
    • For base images leave empty
    • For dev variants set to entrypoint script that falls back to system
  • CMD:
    • For server applications give arguments to start in daemon mode (may be empty)
    • For utilities/tooling bring up help e.g. --help
    • For base images with a shell, call it e.g. [/bin/sh]
  • Consider where and how the image deviates from popular alternatives. Is there a good reason and is it documented?
  • Add annotations e.g:
annotations:
  "org.opencontainers.image.authors": "Chainguard Team https://www.chainguard.dev/"
  "org.opencontainers.image.url": https://edu.chainguard.dev/chainguard/chainguard-images/reference/busybox/ # use the academy site here
  "org.opencontainers.image.source": https://github.com/chainguard-images/images/tree/main/images/bazel # use github here
  • Check if environment variables are needed e.g. to set data locations
  • Ensure the image responds to SIGTERM
    • docker kill $(docker run -d --rm cgr.dev/chainguard/nginx)
  • Documentation. Let's make this excellent. Include usage example.
  • Error logs write to stderr and normal logs to stdout. DO NOT write to file.
  • Include tests, at the very least a basic smoke test.
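
The checklist items above that can be checked mechanically (nonroot UID/GID 65532, ENTRYPOINT/CMD by image type, `wolfi-base` in dev variants, OCI annotations) can be linted before review. This is an added example, not code from the PR or the chainguard-images repository; key names follow apko's YAML layout, and the `kind` labels and sample configs are constructed for illustration.

```python
# Added example: lint an apko-style image config against the checklist above.
# Key names follow apko's YAML layout; the "kind" labels are hypothetical.
NONROOT_ID = 65532
OCI_KEYS = ("authors", "url", "source")

def audit(cfg, kind, dev=False):
    """Return checklist findings; kind is "application", "base" or "base-with-shell".

    The checklist's documented exceptions (e.g. a postgres user) are not
    modelled, so a finding means "review this", not "reject".
    """
    findings = []
    accounts = cfg.get("accounts", {})
    if str(accounts.get("run-as", "")) != str(NONROOT_ID):
        findings.append("run-as is not 65532")
    uids = {u.get("uid") for u in accounts.get("users", [])}
    gids = {g.get("gid") for g in accounts.get("groups", [])}
    if NONROOT_ID not in uids or NONROOT_ID not in gids:
        findings.append("no user and group with ID 65532")
    entrypoint = cfg.get("entrypoint", {}).get("command", "")
    if kind == "application" and not entrypoint:
        findings.append("application image has no ENTRYPOINT")
    if kind.startswith("base") and not dev and entrypoint:
        findings.append("base image should leave ENTRYPOINT empty")
    if kind == "base-with-shell" and not cfg.get("cmd"):
        findings.append("base image with a shell should set CMD to it")
    if dev and "wolfi-base" not in cfg.get("contents", {}).get("packages", []):
        findings.append("dev variant does not depend on wolfi-base")
    annotations = cfg.get("annotations", {})
    for key in OCI_KEYS:
        if f"org.opencontainers.image.{key}" not in annotations:
            findings.append(f"missing annotation org.opencontainers.image.{key}")
    return findings

# Constructed sample configs (parsed YAML as dicts), not files from the repo.
NONROOT = {"run-as": 65532,
           "users": [{"username": "nonroot", "uid": 65532}],
           "groups": [{"groupname": "nonroot", "gid": 65532}]}
LABELS = {f"org.opencontainers.image.{k}": "https://example.invalid/" for k in OCI_KEYS}
STATIC = {"contents": {"packages": ["tzdata"]}, "accounts": NONROOT, "annotations": LABELS}
ROOT_APP = {"contents": {"packages": ["busybox"]}, "accounts": {"run-as": 0},
            "cmd": "--help"}

if __name__ == "__main__":
    print(audit(STATIC, "base"))            # stable base image
    print(audit(STATIC, "base", dev=True))  # same config offered as a dev variant
    print(audit(ROOT_APP, "application"))   # runs as root, no entrypoint
```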

Plan is to replace `gcr.io/distroless/static:debug` here
https://github.com/open-policy-agent/opa/blob/main/Makefile#L363

Signed-off-by: Charlie Egan <charlieegan3@users.noreply.github.com>
@charlieegan3 charlieegan3 requested a review from a team as a code owner March 21, 2023 14:55
@charlieegan3 charlieegan3 requested review from cpanato and removed request for a team March 21, 2023 14:55
@charlieegan3
Contributor Author

IMPORTANT: 'image-request' tag has been applied if this PR is adding any images, including new versions or variants

I don't think that I can set the labels, so might need some help there.

Comment on lines 8 to 9
- apko:
config: configs/latest-glibc.apko.yaml
Contributor

If we could, it would be great to have this on the glibc version too.

@imjasonh
Member

imjasonh commented Mar 21, 2023

I might be missing some context, but what is a dev variant of static supposed to achieve? As I understand it, static:latest-dev would be identical to static:latest with the PR in its current state. Typically dev variants have other stuff in them to make them useful to developers. edit: I was wrong! But keep reading anyway. :)

The nearest equivalent to gcr.io/distroless/static:debug would probably be something like cgr.dev/chainguard/busybox, which has no package manager, only a shell. If you want a package manager, you can use wolfi-base, which has busybox and apk.

So :static-dev being "static but with a shell and apk" is basically exactly what we have today in wolfi-base. I'd prefer to just recommend that image instead of having a separate "static-but-not-exactly" image that's ~equivalent to an existing image.

@patflynn patflynn added the image-request tag for new chainguard image requests label Mar 21, 2023
@charlieegan3
Contributor Author

Thanks for those details Jason, much appreciated. I think that we can use busybox in that case. I'll close this for now!

@charlieegan3 charlieegan3 deleted the static-dev branch March 22, 2023 10:28
charlieegan3 added a commit to open-policy-agent/opa that referenced this pull request Mar 23, 2023
This completes the work started in #5540

Fixes #5544

We can't use distroless since they don't have a nossl cc image: GoogleContainerTools/distroless#1210

Chainguard have added this (-dev rather than :debug) to their image collection: chainguard-images/images#187

Following advice here, using their busybox is the best replacement for `gcr.io/distroless/static:debug` chainguard-images/images#368 (comment)

Signed-off-by: Charlie Egan <charlie@styra.com>
developer-guy pushed a commit to Dentrax/images that referenced this pull request Feb 12, 2024
Co-authored-by: imjasonh <imjasonh@users.noreply.github.com>