chore: switch to using scratch base image for driver-crds

Switches to using scratch base image for the driver-crds. The entrypoint is set to kubectl to prevent shell access. Enabled image scan for the driver-crds image. Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
kubernetes-sigs · Jul 20, 2021 · a8cd172 · a8cd172
1 parent 651990f
commit a8cd172
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 7 deletions.
diff --git a/Makefile b/Makefile
@@ -145,8 +145,10 @@ sanity-test:
 image-scan: $(TRIVY)
 	# show all vulnerabilities
 	$(TRIVY) --severity MEDIUM,HIGH,CRITICAL $(IMAGE_TAG)
+	$(TRIVY) --severity MEDIUM,HIGH,CRITICAL $(CRD_IMAGE_TAG)
 	# show vulnerabilities that have been fixed
 	$(TRIVY) --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL $(IMAGE_TAG)
+	$(TRIVY) --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL $(CRD_IMAGE_TAG)
 
 ## --------------------------------------
 ## Tooling Binaries
@@ -364,7 +366,7 @@ e2e-teardown: $(HELM)
 
 .PHONY: e2e-helm-deploy
 e2e-helm-deploy:
-	helm install csi-secrets-store manifest_staging/charts/secrets-store-csi-driver --namespace kube-system --wait --timeout=15m -v=5 --debug \
+	helm install csi-secrets-store manifest_staging/charts/secrets-store-csi-driver --namespace kube-system --wait --timeout=3m -v=5 --debug \
 		--set linux.image.pullPolicy="IfNotPresent" \
 		--set windows.image.pullPolicy="IfNotPresent" \
 		--set linux.image.repository=$(REGISTRY)/$(IMAGE_NAME) \
@@ -378,6 +380,8 @@ e2e-helm-deploy:
 		--set syncSecret.enabled=true \
 		--set enableSecretRotation=true \
 		--set rotationPollInterval=30s
+	kubectl get pods -n kube-system
+	kubectl logs csi-secrets-store-secrets-store-csi-driver-upgrade-crds -n kube-system
 
 .PHONY: e2e-helm-upgrade
 e2e-helm-upgrade:

diff --git a/docker/crd.Dockerfile b/docker/crd.Dockerfile
@@ -1,2 +1,14 @@
-FROM bitnami/kubectl:1.21.2
+FROM alpine as builder
+ARG KUBE_VERSION=v1.21.2
+ARG TARGETARCH
+ARG TARGETPLATFORM
+ARG TARGETOS
+
+RUN apk add --no-cache curl && \
+    curl -LO https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/$TARGETARCH/kubectl && \
+    chmod +x kubectl
+
+FROM scratch
 COPY * /crds/
+COPY --from=builder /kubectl /kubectl
+ENTRYPOINT ["/kubectl"]
diff --git a/manifest_staging/charts/secrets-store-csi-driver/templates/crds-upgrade-hook.yaml b/manifest_staging/charts/secrets-store-csi-driver/templates/crds-upgrade-hook.yaml
@@ -53,11 +53,10 @@ spec:
   containers:
     - name: crds-upgrade
       image: "{{ .Values.linux.crds.image.repository }}:{{ .Values.linux.crds.image.tag }}"
-      command:
-      - sh
-      - -c
-      - >
-       kubectl apply -f /crds;
+      args:
+      - apply
+      - -f
+      - crds/
       imagePullPolicy: {{ .Values.linux.crds.image.pullPolicy }}
   {{- if .Values.imagePullSecrets }}
   imagePullSecrets: