From 7cbfde8080c42735a6dcad29b745ba042986e404 Mon Sep 17 00:00:00 2001
From: Anish Ramasekar
Date: Tue, 20 Jul 2021 12:44:01 -0700
Subject: [PATCH] chore: switch to using distroless base image for driver-crds
Switches to using scratch base image for the driver-crds. The entrypoint is set to kubectl to prevent shell access. Enabled image scan for the driver-crds image.
Signed-off-by: Anish Ramasekar
---
Makefile | 13 +++++++++----
docker/crd.Dockerfile | 12 +++++++++++-
.../templates/crds-upgrade-hook.yaml | 9 ++++-----
3 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/Makefile b/Makefile
index 0eaf14c2b..a260cf938 100644
--- a/Makefile
+++ b/Makefile
@@ -145,8 +145,10 @@ sanity-test:
image-scan: $(TRIVY)
# show all vulnerabilities
$(TRIVY) --severity MEDIUM,HIGH,CRITICAL $(IMAGE_TAG)
+ $(TRIVY) --severity MEDIUM,HIGH,CRITICAL $(CRD_IMAGE_TAG)
# show vulnerabilities that have been fixed
$(TRIVY) --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL $(IMAGE_TAG)
+ $(TRIVY) --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL $(CRD_IMAGE_TAG)
## --------------------------------------
## Tooling Binaries
@@ -263,11 +265,11 @@ endif
.PHONY: container
container: crd-container
- docker build --no-cache --build-arg IMAGE_VERSION=$(IMAGE_VERSION) -t $(IMAGE_TAG) -f docker/Dockerfile .
+ docker build --platform="linux/$(ARCH)" --no-cache --build-arg IMAGE_VERSION=$(IMAGE_VERSION) -t $(IMAGE_TAG) -f docker/Dockerfile .
.PHONY: crd-container
crd-container: build-crds
- docker build --no-cache -t $(CRD_IMAGE_TAG) -f docker/crd.Dockerfile _output/crds/
+ docker build --platform="linux/$(ARCH)" --no-cache -t $(CRD_IMAGE_TAG) -f docker/crd.Dockerfile _output/crds/
.PHONY: crd-container-linux
crd-container-linux: build-crds docker-buildx-builder 
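Review bot: The severity list `MEDIUM,HIGH,CRITICAL` is now repeated on four recipe lines of `image-scan`; a single knob keeps both images scanned at the same threshold when it is next tuned, e.g. `TRIVY_SEVERITY := MEDIUM,HIGH,CRITICAL` near the top of the file and `$(TRIVY) --exit-code 1 --ignore-unfixed --severity $(TRIVY_SEVERITY) $(CRD_IMAGE_TAG)` in the recipe. Because each recipe line runs in its own shell and a non-zero `--exit-code 1` stops the recipe, a finding in `$(IMAGE_TAG)` ends the target before `$(CRD_IMAGE_TAG)` is checked, so a CI failure on the first line says nothing about the CRD image; worth a comment on the second `--exit-code 1` line, e.g. `# only reached when the driver image scan above passed`.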
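Review bot: `--platform="linux/$(ARCH)"` on both `docker build` lines yields the invalid platform `linux/` when `ARCH` is empty, and the variable's definition is not in this hunk; unless it is defaulted earlier in the Makefile, guard it before the `container` rule, e.g. `ARCH ?= amd64` or `$(if $(strip $(ARCH)),,$(error ARCH is empty))`. For `crd-container` the flag also does not change which kubectl the image carries, because `docker/crd.Dockerfile` in this same commit downloads the `linux/amd64` build regardless of `TARGETARCH` (raised on that hunk).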
@@ -364,7 +366,7 @@ e2e-teardown: $(HELM)
.PHONY: e2e-helm-deploy
e2e-helm-deploy:
- helm install csi-secrets-store manifest_staging/charts/secrets-store-csi-driver --namespace kube-system --wait --timeout=15m -v=5 --debug \
+ helm install csi-secrets-store manifest_staging/charts/secrets-store-csi-driver --namespace kube-system --timeout=2m -v=5 --debug \
--set linux.image.pullPolicy="IfNotPresent" \
--set windows.image.pullPolicy="IfNotPresent" \
--set linux.image.repository=$(REGISTRY)/$(IMAGE_NAME) \
@@ -377,7 +379,10 @@ e2e-helm-deploy:
--set linux.enabled=true \
--set syncSecret.enabled=true \
--set enableSecretRotation=true \
- --set rotationPollInterval=30s
+ --set rotationPollInterval=30s || true
+ kubectl get pods -n kube-system
+ kubectl logs csi-secrets-store-secrets-store-csi-driver-upgrade-crds -n kube-system
+ kubectl describe pod csi-secrets-store-secrets-store-csi-driver-upgrade-crds -n kube-system
.PHONY: e2e-helm-upgrade
e2e-helm-upgrade:
diff --git a/docker/crd.Dockerfile b/docker/crd.Dockerfile
index 3e0fc2d4a..f59664d56 100644
--- a/docker/crd.Dockerfile
+++ b/docker/crd.Dockerfile
@@ -1,2 +1,12 @@
-FROM bitnami/kubectl:1.21.2
+FROM alpine as builder
+ARG KUBE_VERSION=v1.21.2
+ARG TARGETARCH
+
+RUN apk add --no-cache curl && \
+ curl -LO https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/amd64/kubectl && \
+ chmod +x kubectl
+
+FROM gcr.io/distroless/static
COPY * /crds/
+COPY --from=builder /kubectl /kubectl
+ENTRYPOINT ["/kubectl"]
diff --git a/manifest_staging/charts/secrets-store-csi-driver/templates/crds-upgrade-hook.yaml b/manifest_staging/charts/secrets-store-csi-driver/templates/crds-upgrade-hook.yaml
index bf5f4088d..ef4e24b80 100644
--- a/manifest_staging/charts/secrets-store-csi-driver/templates/crds-upgrade-hook.yaml
+++ b/manifest_staging/charts/secrets-store-csi-driver/templates/crds-upgrade-hook.yaml
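Review bot: Dropping `--wait` (and cutting `--timeout` from 15m to 2m) makes `e2e-helm-deploy` return as soon as the release is submitted, before the driver pods are ready, so any later e2e step that assumes a running driver now races the rollout. Neither change is described in the commit message, which only covers the image switch, so this reads as leftover debugging; if the goal was to stop waiting on the CRD hook, keep `--wait` and adjust only the timeout, e.g. `--namespace kube-system --wait --timeout=5m -v=5 --debug \`. The recipe continues in the next hunk, where the added `|| true` compounds the problem.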
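Review bot: `|| true` on the `--set rotationPollInterval=30s` line swallows a failing `helm install`, so `e2e-helm-deploy` exits 0 and the e2e run proceeds against a cluster where the release may not exist. The three `kubectl` lines after it then either print diagnostics or, if the `csi-secrets-store-secrets-store-csi-driver-upgrade-crds` pod is already gone (a hook pod may have been removed by its delete policy), fail the target from `kubectl logs` rather than from the real error, and the hard-coded name ties the recipe to one release name and chart full-name. This looks like debugging scaffolding for the new hook image that should not merge: restore `--set rotationPollInterval=30s` without the `|| true`, and move the `kubectl get/logs/describe` lines into a separate phony `e2e-debug` target that `e2e-helm-deploy` does not depend on.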
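Review bot: The `RUN` step declares `ARG TARGETARCH` but then fetches `.../bin/linux/amd64/kubectl`, so an arm64 build (the Makefile now passes `--platform="linux/$(ARCH)"`) ships an amd64 binary on an image with no shell to notice it. The download is also unverified and `curl -LO` without `-f` will happily save an HTTP error body as `kubectl`; the release bucket publishes `kubectl.sha256` next to each binary, and checking it turns a tampered or truncated download into a build failure instead of a silently wrong `/kubectl`. `FROM alpine` and `FROM gcr.io/distroless/static` are both untagged, so rebuilding the same commit is not reproducible — pin both to a tag or digest. Rewritten fetch below; note that `TARGETARCH` is populated automatically by BuildKit, so if the classic builder is in use the Makefile must pass `--build-arg TARGETARCH=$(ARCH)`.
```dockerfile
ARG TARGETARCH

# Fetch the kubectl build for the image's target architecture and verify it against
# the published SHA-256 before it is copied into the distroless stage.
RUN apk add --no-cache curl && \
    curl -fsSLO "https://storage.googleapis.com/kubernetes-release/release/${KUBE_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \
    curl -fsSLO "https://storage.googleapis.com/kubernetes-release/release/${KUBE_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256" && \
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c - && \
    chmod +x kubectl

# … unchanged: distroless stage, COPY lines, ENTRYPOINT …
```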
@@ -53,11 +53,10 @@ spec:
containers:
- name: crds-upgrade
image: "{{ .Values.linux.crds.image.repository }}:{{ .Values.linux.crds.image.tag }}"
- command:
- - sh
- - -c
- - >
- kubectl apply -f /crds;
+ args:
+ - apply
+ - -f
+ - crds/
imagePullPolicy: {{ .Values.linux.crds.image.pullPolicy }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
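Review bot: The new `args` pass `crds/` as a relative path where the removed command used the absolute `/crds`; it presumably resolves only because the distroless image's working directory is `/`, so a later `WORKDIR` in `docker/crd.Dockerfile` would silently make the hook apply nothing. Use the same absolute path the Dockerfile's `COPY * /crds/` writes to: `- /crds/`. Now that the container runs `/kubectl` directly with no shell, this is also the moment to set `securityContext` with `runAsNonRoot: true` (or switch the base to `gcr.io/distroless/static:nonroot`) unless the pod spec outside this hunk already does; the enclosing `spec` starts before the hunk.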