diff --git a/CLAUDE.md b/CLAUDE.md index 289725a..f1d640e 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -121,6 +121,18 @@ from upstream. Ask user to mirror on forge first, then clone to `~/code/3rd//`. +### Sporked Projects + +Some mirrored projects are "sporked" — a floating-branch soft-fork strategy +where local patches are continuously rebased on top of upstream. See +[[spork-strategy]] and [[create-a-spork]] for the full methodology. + +Sporked projects live in `~/code/3rd//` with three remotes: +`origin` (eblume/ fork on forge), `mirror` (mirrors/ on forge), `upstream` +(canonical). The `blumeops` branch is the default; `deploy` merges everything. + +Create a new spork: `mise run spork-create ` + ## Task Discovery ```fish diff --git a/argocd/manifests/kingfisher/cronjob.yaml b/argocd/manifests/kingfisher/cronjob.yaml index 0efd7ab..e895b59 100644 --- a/argocd/manifests/kingfisher/cronjob.yaml +++ b/argocd/manifests/kingfisher/cronjob.yaml @@ -17,7 +17,7 @@ spec: type: RuntimeDefault containers: - name: kingfisher - image: ghcr.io/mongodb/kingfisher:kustomized + image: registry.ops.eblu.me/blumeops/kingfisher:kustomized command: ["/bin/sh", "-c"] args: - | diff --git a/argocd/manifests/kingfisher/kustomization.yaml b/argocd/manifests/kingfisher/kustomization.yaml index 97d951c..be57aba 100644 --- a/argocd/manifests/kingfisher/kustomization.yaml +++ b/argocd/manifests/kingfisher/kustomization.yaml @@ -11,5 +11,5 @@ resources: - cronjob.yaml images: - - name: ghcr.io/mongodb/kingfisher - newTag: "1.91.0" + - name: registry.ops.eblu.me/blumeops/kingfisher + newTag: kustomized diff --git a/containers/kingfisher/Dockerfile b/containers/kingfisher/Dockerfile new file mode 100644 index 0000000..13eb25f --- /dev/null +++ b/containers/kingfisher/Dockerfile 
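Review bot: In argocd/manifests/kingfisher/kustomization.yaml the `images` entry now sets `newTag: kustomized`, which is the same placeholder tag the CronJob in cronjob.yaml already carries, so the override no longer pins anything; the entry it replaces pinned `1.91.0`. The job will run whatever image currently sits behind a mutable tag in registry.ops.eblu.me, and a re-push changes what the secret scanner executes without any change in git. Pin the built image instead, for example `newTag: "<built-version-tag>"` or `digest: sha256:<digest-of-built-image>` (placeholders; use the value the build publishes). The rest of the CronJob spec lies outside both hunks, so its pull policy is not visible here.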
@@ -0,0 +1,42 @@
+# Kingfisher — built from sporked deploy branch
+# Multi-stage: Rust build with vectorscan/Boost, then minimal Alpine runtime
+ARG CONTAINER_APP_VERSION=latest
+
+# --- Build stage ---
+FROM rust:1.92-bookworm AS build
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ cmake pkg-config libboost-dev git ca-certificates \
+ && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /build
+
+ARG CONTAINER_APP_VERSION
+RUN git clone --branch deploy \
+ https://forge.ops.eblu.me/eblume/kingfisher.git . \
+ && git checkout "${CONTAINER_APP_VERSION}"
+
+RUN cargo build --release \
+ && install -m 0755 target/release/kingfisher /usr/local/bin/kingfisher
+
+# Quick smoke-test
+RUN kingfisher --version
+
+# --- Runtime stage ---
+FROM debian:bookworm-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ git ca-certificates \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY --from=build /usr/local/bin/kingfisher /usr/local/bin/kingfisher
+
+RUN groupadd -r app && useradd -r -g app -d /app app \
+ && mkdir -p /app && chown app:app /app
+
+USER app
+WORKDIR /app
+
+RUN kingfisher --version
+
+ENTRYPOINT ["kingfisher"]
diff --git a/docs/changelog.d/feature-kingfisher-container.feature.md b/docs/changelog.d/feature-kingfisher-container.feature.md
new file mode 100644
index 0000000..9054e81
--- /dev/null
+++ b/docs/changelog.d/feature-kingfisher-container.feature.md
@@ -0,0 +1 @@
+Build custom Kingfisher container from sporked deploy branch, replacing upstream image with locally-built version including --clone-url-base patch.
diff --git a/service-versions.yaml b/service-versions.yaml
index bca2528..57586f1 100644
--- a/service-versions.yaml
+++ b/service-versions.yaml
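Review bot: The build stage of containers/kingfisher/Dockerfile does not pin what it compiles: `ARG CONTAINER_APP_VERSION=latest` feeds `git checkout "${CONTAINER_APP_VERSION}"`, so a build without the argument either fails or, if the fork has a ref named `latest`, builds a moving target, and `cargo build --release` is free to re-resolve dependencies. Drop the default and require a full commit SHA, e.g. `git checkout --detach "${CONTAINER_APP_VERSION:?set to a full commit SHA}"`, and build with `cargo build --release --locked` so the lockfile committed in the fork is what gets compiled (this assumes the fork commits a Cargo.lock). The header comment says "minimal Alpine runtime" while the runtime stage is `debian:bookworm-slim`; it should read `# Multi-stage: Rust build with vectorscan/Boost, then slim Debian runtime`. Both `FROM` lines use tags only, so pinning them by digest would make the image reproducible.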
@@ -285,6 +285,13 @@ services:
 upstream-source: https://github.com/prowler-cloud/prowler/releases
 notes: CIS Kubernetes Benchmark scanner; weekly CronJob on minikube-indri
 
+ - name: kingfisher
+ type: argocd
+ last-reviewed: 2026-03-29
+ current-version: "1d37d29"
+ upstream-source: https://github.com/mongodb/kingfisher/releases
+ notes: Secret scanner; sporked from upstream with --clone-url-base patch. Version is upstream main SHA.
+
 - name: forgejo
 type: ansible
 last-reviewed: 2026-03-28
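Review bot: `current-version: "1d37d29"` records an abbreviated upstream main SHA, but the image is built from the fork's `deploy` branch, so this entry does not identify the commit that actually ships. If the build passes this value as `CONTAINER_APP_VERSION`, the Dockerfile's `git checkout` would land on the upstream commit without the spork patch (inferred; the build wiring is not in this diff). Record the fork commit that was built, as a full SHA, and keep the upstream base in `notes`, e.g. `current-version: "<full-deploy-commit-sha>"`.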