Build our own caddy image

[willdollman]

We currently just retag the upstream Caddy image where we use it in deploy-sourcegraph-docker. The upstream is slow to patch go module vulns, and the update process is different to the rest of our images.

Build a caddy container from scratch here to avoid having a separate update process, and to make use of the latest patched version of caddy from the wolfi repo.

Example of creating a new container image

This PR is also a good example of creating a new container image that uses a customised base image. The steps to create this PR were:

• Create wolfi-images/caddy.yaml
  • This was based on the upstream Caddy image Dockerfile
• Run sg wolfi lock caddy to generate the wolfi-images/caddy.lock.json lockfile
• Add Bazel configuration (docker-images/caddy/BUILD.bazel) to build the full Caddy image using the base image configuration
  • Optionally test image build locally with sg wolfi image caddy or bazel run //docker-images/caddy:base_tarball
• Add container structure tests (docker-images/caddy/image_test.yaml)
  • Optionally run tests locally with bazel run //docker-images/caddy:image_test

Test plan

• Added container structure test
• CI

[willdollman]

@Strum355 this works in some basic testing but not sure if there's a cleaner way to handle this. The issue I ran into was after adding the caddy image's yaml and lock.json files, the new lockfile wasn't in the dependency list -> repo wasn't invalidated -> repo isn't added to list -> GOTO 1.

[Strum355]

You can use rctx.watch("wolfi-images") for this now that we're on bazel 7.1

[Strum355]

Actually, youll want rctx.watch_tree given this is a directory

[willdollman]

Tested the rctx.watch_tree() change by creating a new yaml + lockfile and running bazel build @mynewfile_apko_lock//:contents. It works, and without the change it fails.

[Strum355]

love a streamlined process