Update trust manager

.github/workflows/main.yaml

@@ -194,6 +194,7 @@ jobs:
             container-image: "trust-manager"
           - dir: "./trust-packages"
             container-image: "trust-packages"
+            make-targets: "download-certificates"
           - dir: "./ttypdb"
             container-image: "ttypdb-controller"
             target: "controller"

maintenance.md

@@ -882,24 +882,20 @@ Only the base image and module dependency should be updated.
 ![Regular Update](./regular_update.svg)
 
 1. Check the [release page](https://github.com/cert-manager/trust-manager/releases).
-2. Check the upstream Dockerfile. If there are any updates, update our `Dockerfile`.
-   - https://github.com/cert-manager/trust-manager/blob/vX.Y.Z/Dockerfile
-3. Update `BRANCH` and `TAG` files.
+2. Update `BRANCH` and `TAG` files.
 
 ## trust-packages
 
 ![Regular Update](./regular_update.svg)
 
 1. Check the [release page](https://github.com/cert-manager/trust-manager/releases).
-2. Check the upstream Containerfile. If there are any updates, update our `Dockerfile`.
-   - https://github.com/cert-manager/trust-manager/blob/vX.Y.Z/trust-packages/debian/Containerfile
-3. Update `TRUST_MANAGER_VERSION` in `Dockerfile`.
-4. Update `EXPECTED_VERSION` in `Dockerfile` as needed. You can check it to run docker command as follows.
+2. Update `TRUST_MANAGER_VERSION` in `Dockerfile`.
+3. Update `EXPECTED_VERSION` in `Dockerfile` as needed. You can check it to run docker command as follows.
    ```bash
    $ docker run --rm ghcr.io/cybozu/ubuntu:22.04 dpkg-query --show  ca-certificates
    ```
-5. Check the [tini release page](https://github.com/krallin/tini/releases) and update `TINI_VERSION` in `Dockerfile` as needed.
-6. Update `TAG` file. The TAG format is `<ca-certificates version>.<patch version>`.
+4. Check the [tini release page](https://github.com/krallin/tini/releases) and update `TINI_VERSION` in `Dockerfile` as needed.
+5. Update `TAG` file. The TAG format is `<ca-certificates version>.<patch version>`.
 
 ## ttypdb
 

trust-manager/BRANCH

@@ -1 +1 @@
-0.9
+0.11

trust-manager/Dockerfile

@@ -10,7 +10,10 @@ RUN VERSION=$(cut -d \. -f 1,2,3 < /TAG ) \
     && curl -fsSL https://github.com/cert-manager/trust-manager/archive/v${VERSION}.tar.gz | \
     tar --strip-components=1 -xzf -
 
-RUN make build
+# Parameters retrieved from:
+# $ make ko-config-manager
+# $ cat _bin/scratch/image/oci-layout-manager.v0.11.1.ko_config.yaml
+RUN CGO_ENABLED=0 GO_EXPERIMENT= go build -ldflags '-w -s' -o bin/trust-manager ./cmd/trust-manager 
 
 # Stage2: setup runtime container
 FROM scratch

trust-manager/TAG

@@ -1 +1 @@
-0.9.2.1
+0.11.1.1

trust-packages/.dockerignore

@@ -1 +1,2 @@
 *
+!trust-manager-source

trust-packages/.gitignore

@@ -0,0 +1 @@
+/trust-manager-source

trust-packages/Dockerfile

@@ -3,41 +3,24 @@
 # Stage1: build from source
 FROM ghcr.io/cybozu/golang:1.22-jammy AS build
 
-ARG TRUST_MANAGER_VERSION=0.9.2
+ARG TRUST_MANAGER_VERSION=0.11.1
+ARG TINI_VERSION=0.19.0
 WORKDIR /work
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN curl -fsSL https://github.com/cert-manager/trust-manager/archive/v${TRUST_MANAGER_VERSION}.tar.gz | \
     tar --strip-components=1 -xzf -
+RUN CGO_ENABLED=0 go build -o debian-bundle-static ./trust-packages/debian/main.go
 
-WORKDIR /work/trust-packages/debian
-RUN CGO_ENABLED=0 go build -o copyandmaybepause main.go
-RUN CGO_ENABLED=0 go install github.com/cert-manager/trust-manager/cmd/validate-trust-package@main
-
-# Stage2: copy ca-certificates from ubuntu
-FROM quay.io/cybozu/ubuntu:22.04 as debbase
-
-ARG EXPECTED_VERSION=20230311ubuntu0.22.04.1
-ARG VERSION_SUFFIX=.0
-ARG TINI_VERSION=0.19.0
-WORKDIR /work
-
-COPY --from=build /work/trust-packages/debian/build.sh /work/build.sh
-COPY --from=build /go/bin/validate-trust-package /usr/bin/validate-trust-package
-
-RUN /work/build.sh $EXPECTED_VERSION $VERSION_SUFFIX /work/package.json
-RUN curl -fsSL -o /usr/bin/tini-static https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-static
-
-# Stage3: setup runtime container
+# Stage2: setup runtime container
 FROM scratch
 LABEL org.opencontainers.image.source="https://github.com/cybozu/neco-containers"
 LABEL description="cert-manager trust package based on Debian"
 
-COPY --from=debbase /usr/bin/tini-static /tini
-COPY --from=debbase /work/package.json /debian-package/cert-manager-package-debian.json
-COPY --from=build /work/trust-packages/debian/copyandmaybepause /copyandmaybepause
+COPY --from=build /work/debian-bundle-static /debian-bundle-static
 COPY --from=build /work/LICENSE /LICENSE
-
-ENTRYPOINT ["/tini", "--"]
+COPY trust-manager-source/package.json /debian-package/cert-manager-package-debian.json
 
 USER 10000:10000
-CMD ["/copyandmaybepause", "/debian-package", "/packages"]
+
+ENTRYPOINT ["/debian-bundle-static"]
+CMD ["/debian-package", "/packages"]

trust-packages/Makefile

@@ -0,0 +1,23 @@
+TRUST_MANAGER_VERSION := $(shell cat ../trust-manager/TAG | cut -d'.' -f1-3)
+TRUST_MANAGER_SOURCE := trust-manager-source
+
+.PHONY: clean
+clean:
+	rm -rf ./$(TRUST_MANAGER_SOURCE)
+
+$(TRUST_MANAGER_SOURCE):
+	mkdir $@
+	cd $@; \
+	curl -fsSL https://github.com/cert-manager/trust-manager/archive/v$(TRUST_MANAGER_VERSION).tar.gz | \
+    tar --strip-components=1 -xzf -
+
+$(TRUST_MANAGER_SOURCE)/validate-trust-package: | $(TRUST_MANAGER_SOURCE)
+	cd $(TRUST_MANAGER_SOURCE); go build -o validate-trust-package ./cmd/validate-trust-package/main.go
+
+$(TRUST_MANAGER_SOURCE)/package.json: | $(TRUST_MANAGER_SOURCE) $(TRUST_MANAGER_SOURCE)/validate-trust-package
+	BIN_VALIDATE_TRUST_PACKAGE=$(TRUST_MANAGER_SOURCE)/validate-trust-package \
+	$(TRUST_MANAGER_SOURCE)/make/debian-trust-package-fetch.sh latest ghcr.io/cybozu/ubuntu:22.04 \
+	$(TRUST_MANAGER_SOURCE)/package.json latest
+
+.PHONY: download-certificates
+download-certificates: | $(TRUST_MANAGER_SOURCE)/package.json

trust-packages/TAG

@@ -1 +1 @@
-20230311ubuntu0.22.04.1.2
+20230311ubuntu0.22.04.1.3