mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-09-19 15:56:03 +00:00
473001be55
* vpn: ship our own container image The container image used in the VPN chart should be reproducible and stable. We're sticking close to the original nixery.dev version by building the image with nix ourselves, and then publishing the single layer from the result with Bazel OCI rules. The resulting image should be handled similar to s3proxy: it's built as a part of the Constellation release process and then consumed from a Helm chart in our registry. Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
335 lines
7.9 KiB
Plaintext
335 lines
7.9 KiB
Plaintext
workspace(name = "constellation")
|
|
|
|
load("//bazel/toolchains:skylib_deps.bzl", "skylib_deps")
|
|
|
|
skylib_deps()
|
|
|
|
# nixpkgs deps
|
|
load("//bazel/toolchains:nixpkgs_deps.bzl", "nixpkgs_deps")
|
|
|
|
nixpkgs_deps()
|
|
|
|
load("@io_tweag_rules_nixpkgs//nixpkgs:repositories.bzl", "rules_nixpkgs_dependencies")
|
|
|
|
rules_nixpkgs_dependencies()
|
|
|
|
load("@io_tweag_rules_nixpkgs//nixpkgs:nixpkgs.bzl", "nixpkgs_cc_configure", "nixpkgs_flake_package", "nixpkgs_git_repository", "nixpkgs_package", "nixpkgs_python_configure")
|
|
|
|
nixpkgs_git_repository(
|
|
name = "nixpkgs",
|
|
revision = "85306ef2470ba705c97ce72741d56e42d0264015",
|
|
sha256 = "adbbcfd49b5180e51e2971626cafb14123e3ec06c18fa143b1f386b029081f12",
|
|
)
|
|
|
|
nixpkgs_flake_package(
|
|
name = "awscli",
|
|
nix_flake_file = "//:flake.nix",
|
|
nix_flake_lock_file = "//:flake.lock",
|
|
package = "awscli2",
|
|
)
|
|
|
|
nixpkgs_flake_package(
|
|
name = "bazel",
|
|
nix_flake_file = "//:flake.nix",
|
|
nix_flake_lock_file = "//:flake.lock",
|
|
package = "bazel_6",
|
|
)
|
|
|
|
nixpkgs_flake_package(
|
|
name = "createrepo_c",
|
|
nix_flake_file = "//:flake.nix",
|
|
nix_flake_lock_file = "//:flake.lock",
|
|
package = "createrepo_c",
|
|
)
|
|
|
|
nixpkgs_flake_package(
|
|
name = "dnf5",
|
|
nix_flake_file = "//:flake.nix",
|
|
nix_flake_lock_file = "//:flake.lock",
|
|
package = "dnf5",
|
|
)
|
|
|
|
nixpkgs_flake_package(
|
|
name = "mkosi",
|
|
nix_flake_file = "//:flake.nix",
|
|
nix_flake_lock_file = "//:flake.lock",
|
|
package = "mkosi",
|
|
)
|
|
|
|
nixpkgs_flake_package(
|
|
name = "uplosi",
|
|
nix_flake_file = "//:flake.nix",
|
|
nix_flake_lock_file = "//:flake.lock",
|
|
package = "uplosi",
|
|
)
|
|
|
|
nixpkgs_flake_package(
|
|
name = "vpn_oci_image",
|
|
build_file_content = """exports_files(["layer.tar"])""",
|
|
nix_flake_file = "//:flake.nix",
|
|
nix_flake_lock_file = "//:flake.lock",
|
|
package = "vpn",
|
|
)
|
|
|
|
nixpkgs_package(
|
|
name = "diffutils",
|
|
repository = "@nixpkgs",
|
|
)
|
|
|
|
nixpkgs_package(
|
|
name = "terraform-plugin-docs",
|
|
repository = "@nixpkgs",
|
|
)
|
|
|
|
nixpkgs_package(
|
|
name = "patchelf",
|
|
repository = "@nixpkgs",
|
|
)
|
|
|
|
nixpkgs_package(
|
|
name = "systemd",
|
|
repository = "@nixpkgs",
|
|
)
|
|
|
|
nixpkgs_package(
|
|
name = "util-linux",
|
|
repository = "@nixpkgs",
|
|
)
|
|
|
|
nixpkgs_package(
|
|
name = "coreutils",
|
|
repository = "@nixpkgs",
|
|
)
|
|
|
|
nixpkgs_package(
|
|
name = "e2fsprogs",
|
|
repository = "@nixpkgs",
|
|
)
|
|
|
|
nixpkgs_package(
|
|
name = "gnused",
|
|
repository = "@nixpkgs",
|
|
)
|
|
|
|
nixpkgs_package(
|
|
name = "parallel",
|
|
repository = "@nixpkgs",
|
|
)
|
|
|
|
nixpkgs_package(
|
|
name = "cosign",
|
|
repository = "@nixpkgs",
|
|
)
|
|
|
|
nixpkgs_package(
|
|
name = "rekor-cli",
|
|
repository = "@nixpkgs",
|
|
)
|
|
|
|
load("//nix/cc:nixpkgs_cc_libraries.bzl", "nixpkgs_cc_library_deps")
|
|
|
|
nixpkgs_cc_library_deps()
|
|
|
|
load("//bazel/mkosi:mkosi_configure.bzl", "register_mkosi")
|
|
|
|
register_mkosi(
|
|
name = "mkosi_nix_toolchain",
|
|
)
|
|
|
|
# Python toolchain
|
|
load("//bazel/toolchains:python_deps.bzl", "python_deps")
|
|
|
|
python_deps()
|
|
|
|
load("@rules_python//python:repositories.bzl", "py_repositories")
|
|
|
|
py_repositories()
|
|
|
|
nixpkgs_python_configure(
|
|
fail_not_supported = False,
|
|
python3_attribute_path = "python311",
|
|
repository = "@nixpkgs",
|
|
)
|
|
|
|
# Go toolchain
|
|
load("//bazel/toolchains:go_rules_deps.bzl", "go_deps")
|
|
|
|
go_deps()
|
|
|
|
load("//bazel/toolchains:go_module_deps.bzl", "go_dependencies")
|
|
|
|
# gazelle:repository_macro bazel/toolchains/go_module_deps.bzl%go_dependencies
|
|
go_dependencies()
|
|
|
|
load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_dependencies")
|
|
|
|
go_rules_dependencies()
|
|
|
|
go_register_toolchains(version = "1.21.6")
|
|
|
|
load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies")
|
|
|
|
gazelle_dependencies(go_repository_default_config = "//:WORKSPACE.bazel")
|
|
|
|
# gazelle:repo bazel_gazelle
|
|
|
|
# proto toolchain
|
|
load("//bazel/toolchains:proto_deps.bzl", "proto_deps")
|
|
|
|
proto_deps()
|
|
|
|
load("@rules_proto//proto:repositories.bzl", "rules_proto_dependencies", "rules_proto_toolchains")
|
|
|
|
rules_proto_dependencies()
|
|
|
|
rules_proto_toolchains()
|
|
|
|
# Buildifier
|
|
load("//bazel/toolchains:buildifier_deps.bzl", "buildifier_deps")
|
|
|
|
buildifier_deps()
|
|
|
|
# C / C++ toolchains
|
|
|
|
load("//bazel/toolchains:hermetic_cc_deps.bzl", "hermetic_cc_deps")
|
|
|
|
hermetic_cc_deps()
|
|
|
|
load("@hermetic_cc_toolchain//toolchain:defs.bzl", zig_toolchains = "toolchains")
|
|
|
|
# If needed, we can specify a specific version of the Zig toolchain to use.
|
|
# If not specified, hermetic_cc_toolchain will use a known good version of Zig.
|
|
# See https://ziglang.org/download/ for the latest releases
|
|
|
|
# zig_toolchains(
|
|
# host_platform_sha256 = {
|
|
# "linux-aarch64": "b759a11993949531c692ccfc3d1a004b14df714a7a3515fe0b5c90c9a7631d61",
|
|
# "linux-x86_64": "028dad5189e02b2058679b64df16e854a1c1ca0e6044b334d4f3be6e35544f07",
|
|
# "macos-aarch64": "5709c27d581988f50f5e6fd5b69d92707787e803a1d04992e290b764617664e6",
|
|
# "macos-x86_64": "88d194adb2f3c1a9edbb4a24d018007d5f827a57d1d26b2d9f3459236da1b7b6",
|
|
# "windows-x86_64": "75e510bda108e4d78b89d5d1d09e70ea8595fac7c43b5611f280668881adb09d",
|
|
# },
|
|
# version = "0.11.0-dev.1638+7199d7c77",
|
|
# )
|
|
|
|
zig_toolchains()
|
|
|
|
nixpkgs_cc_configure(
|
|
name = "nixpkgs_cc_toolchain",
|
|
# TODO(malt3): Use clang once cc-wrapper path reset bug is fixed upstream.
|
|
# attribute_path = "clang_11",
|
|
repository = "@nixpkgs",
|
|
)
|
|
|
|
nixpkgs_cc_configure(
|
|
name = "nixpkgs_cc_aarch64_darwin_x86_64_linux",
|
|
cross_cpu = "k8",
|
|
exec_constraints = [
|
|
"@platforms//os:osx",
|
|
"@platforms//cpu:arm64",
|
|
],
|
|
nix_file = "//nix/toolchains:cc_cross_darwin_x86_64_linux.nix",
|
|
nixopts = [
|
|
"--arg",
|
|
"ccPkgs",
|
|
"import <nixpkgs> { crossSystem = \"x86_64-linux\";}",
|
|
"--show-trace",
|
|
],
|
|
repository = "@nixpkgs",
|
|
target_constraints = [
|
|
"@platforms//cpu:x86_64",
|
|
"@platforms//os:linux",
|
|
"@rules_nixpkgs_core//constraints:support_nix",
|
|
],
|
|
)
|
|
|
|
register_toolchains(
|
|
"@zig_sdk//libc_aware/toolchain:linux_amd64_gnu.2.23",
|
|
"@zig_sdk//libc_aware/toolchain:linux_arm64_gnu.2.23",
|
|
"@zig_sdk//libc_aware/toolchain:linux_amd64_musl",
|
|
"@zig_sdk//libc_aware/toolchain:linux_arm64_musl",
|
|
"@zig_sdk//toolchain:linux_amd64_gnu.2.23",
|
|
"@zig_sdk//toolchain:linux_arm64_gnu.2.23",
|
|
"@zig_sdk//toolchain:linux_amd64_musl",
|
|
"@zig_sdk//toolchain:linux_arm64_musl",
|
|
"@zig_sdk//toolchain:darwin_amd64",
|
|
"@zig_sdk//toolchain:darwin_arm64",
|
|
"@zig_sdk//toolchain:windows_amd64",
|
|
)
|
|
|
|
# Packaging rules (tar)
|
|
load("//bazel/toolchains:pkg_deps.bzl", "pkg_deps")
|
|
|
|
pkg_deps()
|
|
|
|
load("@rules_pkg//:deps.bzl", "rules_pkg_dependencies")
|
|
|
|
rules_pkg_dependencies()
|
|
|
|
# Aspect Bazel Lib
|
|
load("//bazel/toolchains:aspect_bazel_lib.bzl", "aspect_bazel_lib")
|
|
|
|
aspect_bazel_lib()
|
|
|
|
load("@aspect_bazel_lib//lib:repositories.bzl", "aspect_bazel_lib_dependencies", "aspect_bazel_lib_register_toolchains", "register_coreutils_toolchains", "register_yq_toolchains")
|
|
|
|
aspect_bazel_lib_dependencies()
|
|
|
|
aspect_bazel_lib_register_toolchains()
|
|
|
|
register_coreutils_toolchains()
|
|
|
|
# OCI rules
|
|
load("//bazel/toolchains:oci_deps.bzl", "oci_deps")
|
|
|
|
oci_deps()
|
|
|
|
load("@rules_oci//oci:dependencies.bzl", "rules_oci_dependencies")
|
|
|
|
rules_oci_dependencies()
|
|
|
|
load("@rules_oci//oci:repositories.bzl", "LATEST_CRANE_VERSION", "oci_register_toolchains")
|
|
|
|
oci_register_toolchains(
|
|
name = "oci",
|
|
crane_version = LATEST_CRANE_VERSION,
|
|
)
|
|
|
|
load("//bazel/toolchains:container_images.bzl", "containter_image_deps")
|
|
|
|
containter_image_deps()
|
|
|
|
register_yq_toolchains()
|
|
|
|
# Multirun
|
|
load("//bazel/toolchains:multirun_deps.bzl", "multirun_deps")
|
|
|
|
multirun_deps()
|
|
|
|
load("//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:source.bzl", "node_maintainance_operator_deps")
|
|
|
|
node_maintainance_operator_deps()
|
|
|
|
# CI deps
|
|
load("//bazel/toolchains:ci_deps.bzl", "ci_deps")
|
|
|
|
ci_deps()
|
|
|
|
# k8s deps
|
|
load("//bazel/toolchains:k8s.bzl", "k8s_deps")
|
|
|
|
k8s_deps()
|
|
|
|
# kernel rpms
|
|
load("//bazel/toolchains:linux_kernel.bzl", "kernel_rpms")
|
|
|
|
kernel_rpms()
|
|
|
|
# mkosi rpms
|
|
load("//bazel/rpm:package_manifest.bzl", "rpm_repository")
|
|
|
|
rpm_repository(
|
|
name = "mkosi_rpms",
|
|
lockfile = "//image/mirror:SHA256SUMS",
|
|
)
|