deploy using terraform

- remove some apps (cowsay, transparency, estargz)
- start to move DNS zone management into TF too (optional)
- update GH workflow to deploy using TF

TODO:
- store state in GCS
- define one-time setup to grant GHA SA permissions it needs to deploy
- documentation for Future Jason
- cosign_verify base images
- cosign_sign images and cosign_verify before deploy

.github/workflows/deploy.yaml

@@ -14,16 +14,15 @@ jobs:
     permissions:
       id-token: write
       contents: read
+    env:
+      KO_DOCKER_REPO=gcr.io/kontaindotme
     steps:
     - uses: actions/checkout@v3
 
-    # Install tools.
     - uses: actions/setup-go@v2
       with:
-        go-version: 1.18
-    - uses: imjasonh/setup-ko@v0.6
-      env:
-        KO_DOCKER_REPO: gcr.io/kontaindotme
+        go-version: 1.20.x
+    - uses: hashicorp/setup-terraform@v2
     - uses: imjasonh/setup-crane@v0.1
 
     # Setup OIDC->SA auth
@@ -35,11 +34,20 @@ jobs:
     - uses: google-github-actions/setup-gcloud@v0.6.0
       with:
         project_id: kontaindotme
-        install_components: beta
 
-    # Deploy and test.
-    - run: ./deploy.sh
-      env:
-        KOCACHE: ~/ko
+    - name: Terraform Plan
+      run: |
+        cat > terraform.tfvars <<EOF
+        project_id = "${{ env.PROJECT_ID }}"
+        EOF
+
+        terraform init
+        terraform plan -input=false -lock=false -out=plan.tmp
+        terraform show -no-color plan.tmp
+
+    - name: Terraform Apply
+      if: ${{ github.event_name == 'push' }}
+      run: terraform apply -auto-approve -input=false plan.tmp
+
     - run: ./test.sh
-    
+

.gitignore

@@ -4,15 +4,20 @@
 # Local .terraform directories
 **/.terraform/*
 
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
 # Crash log files
 crash.log
+crash.*.log
 
-# Exclude all .tfvars files, which are likely to contain sentitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
-#
 *.tfvars
+*.tfvars.json
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
@@ -21,32 +26,9 @@ override.tf.json
 *_override.tf
 *_override.tf.json
 
-# Include override files you do wish to add to version control using negated pattern
-#
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
 
-###
-# https://github.com/github/gitignore/blob/master/Go.gitignore
-
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-
-# Test binary, built with `go test -c`
-*.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
-*.out
 
-# Dependency directories (remove the comment below to include it)
-# vendor/
+plan.tmp

README.md

@@ -19,9 +19,6 @@ These include:
   APK packages, using [`apko`](https://apko.dev).
 * [`buildpack.kontain.me`](./cmd/buildpack), which builds a GitHub repo using [CNCF
   Buildpacks](https://buildpacks.io).
-* [`estargz.kontain.me`](./cmd/estargz), which optimizes an image's layers for
-  partial image pulls using
-  [estargz](https://github.com/containerd/stargz-snapshotter).
 * [`wait.kontain.me`](./cmd/wait), which enqueues a background task to serve a
   random image after some amount of time.
 

cmd/apko/main.go

@@ -166,7 +166,6 @@ func (s *server) build(ctx context.Context, ic types.ImageConfiguration) (v1.Ima
 
 	bc, err := build.New(wd,
 		build.WithImageConfiguration(ic),
-		build.WithProot(true),
 		build.WithArch(amd64), // TODO: multiarch
 		build.WithBuildDate(time.Time{}.Format(time.RFC3339)),
 		build.WithAssertions(build.RequireGroupFile(true), build.RequirePasswdFile(true)))