Base ECK docker image on distroless instead of UBI by default #5580
Update makefile to add new section for building ubi image. Make spacing consistent in makefile. Include '-ubi' suffix in image* when building CSV files for redhat. Ensure UBI build references the ubi dockerfile.
The additional ubi image build adds about 30 seconds to the full release.
I think we should adopt the same naming convention as Elasticsearch and the rest of the Elastic Stack:
Dockerfile (outdated):
# Copy the operator binary into a lighter image
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.5
FROM scratch
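Review bot: replacing the ubi-minimal base with FROM scratch drops the CA bundle and /tmp that the previous base provided, so any outbound TLS from the operator to an endpoint with a publicly signed certificate (the external Elastic Stack version lookup mentioned in this thread) would fail verification unless a CA bundle is copied into the image explicitly; scratch also has no non-root user, so a USER instruction or a base that already runs unprivileged is needed. A distroless base with its nonroot variant covers both without reintroducing a shell or package manager.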
Should this be distroless instead? We used to use that in the past. AFAIK one of the advantages is that it comes with CA certificates and supports tmp (not sure if we need the latter).
I can move this to distroless. I had run through all e2e tests using scratch and -ubi builds and hadn't hit a single failure.
I am trying to think of scenarios where the operator actually makes HTTP requests that would require root CA certs. The only one I can think of now is the external secrets feature we added recently. The operator makes a request to the linked Elastic Stack applications to determine their version, which would require those certs. We don't test this setup in e2e tests (we only approximate it with another Elasticsearch cluster in the same k8s cluster). @thbkrkr may have more insights here.
But I guess distroless puts us on the safe side wrt that.
Yes, we are in a better place using distroless for the reasons you outlined.
After fighting with
…'s already non-root.
Almost good to go. We already have some UBI logic in the generator for the OLM versions of ECK. I would tie the image onto that so that we use it only for the certified operator.
Dockerfile (outdated):
@@ -39,16 +39,11 @@ LABEL name="Elastic Cloud on Kubernetes" \
description="Elastic Cloud on Kubernetes automates the deployment, provisioning, management, and orchestration of Elasticsearch, Kibana, APM Server, Beats, and Enterprise Search on Kubernetes" \
io.k8s.description="Elastic Cloud on Kubernetes automates the deployment, provisioning, management, and orchestration of Elasticsearch, Kibana, APM Server, Beats, and Enterprise Search on Kubernetes"
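Review bot: the description and io.k8s.description labels in this LABEL block carry the identical string, and once the base image is distroless there are no inherited UBI labels left to override, so the duplicated name/summary/description set could be collapsed into the standard OCI annotation keys (org.opencontainers.image.title and org.opencontainers.image.description), keeping the override set only in the UBI Dockerfile where it is still needed.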
Sorry I missed this initially. These label choices were motivated by the need to override existing labels in the UBI base image. I think now that we are moving back to distroless there is no need for these often redundant (description and io.k8s.description, summary, io.k8s.display-name and name) labels.
I wonder if we should use OCI standardised labels on this docker image instead (for the UBI one we have to stick with the current set of labels to keep the overrides)
https://github.com/opencontainers/image-spec/blob/main/annotations.md
This is a good point. I've removed the overrides, added OCI annotations as described in the link, and grouped the k8s labels together alphabetically. lmk if I've covered them all.
Also verified that the golang:1.x image we base things from does not have any preexisting labels:
"Labels": {}
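A build that puts the points from this thread together (distroless instead of scratch or UBI, the nonroot variant so no USER line is needed, OCI annotations in place of the UBI override labels), written as an added example and not the project's own Dockerfile; the Go version, the ./cmd/operator path, the binary name and the source URL are assumptions.

```dockerfile
# Added example, not the ECK project's Dockerfile. Two-stage build: compile a
# static Go binary, then copy only that binary into distroless. The Go version,
# module layout (./cmd/operator) and binary name are placeholders.
ARG GO_VERSION=1.18
FROM golang:${GO_VERSION} AS builder

WORKDIR /src
# Cache module downloads separately from the source tree.
COPY go.mod go.sum ./
RUN go mod download
COPY . .

ARG VERSION=dev
# CGO_ENABLED=0 yields a fully static binary, which is what distroless/static
# (no libc, no shell, no package manager) expects.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath \
      -ldflags="-s -w -X main.version=${VERSION}" \
      -o /out/operator ./cmd/operator

# Unlike 'scratch', distroless/static ships /etc/ssl/certs/ca-certificates.crt,
# tzdata and a writable /tmp; the ':nonroot' tag runs as uid 65532, so no
# USER instruction is needed. With 'scratch' the CA bundle would have to be
# copied in by hand, e.g.
#   COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# or outbound TLS to an external Elastic Stack version endpoint fails to verify.
FROM gcr.io/distroless/static:nonroot

# Build args do not carry across stages; re-declare to use it in a label.
ARG VERSION
# OCI annotation keys from the image-spec replace the ad-hoc
# name/summary/description labels that only existed to override UBI's.
LABEL org.opencontainers.image.title="Elastic Cloud on Kubernetes" \
      org.opencontainers.image.description="Elastic Cloud on Kubernetes automates the deployment, provisioning, management, and orchestration of Elasticsearch, Kibana, APM Server, Beats, and Enterprise Search on Kubernetes" \
      org.opencontainers.image.source="https://github.com/elastic/cloud-on-k8s" \
      org.opencontainers.image.version="${VERSION}" \
      org.opencontainers.image.vendor="Elastic"

COPY --from=builder /out/operator /operator
ENTRYPOINT ["/operator"]
```

The UBI variant would keep the same builder stage and swap only the final FROM and the label set, which is the split the thread settles on.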
LGTM
…c#5580)
* Update default dockerfile to add scratch. Update makefile to add new section for building ubi image. Make spacing consistent in makefile. Include '-ubi' suffix in image* when building CSV files for redhat. Ensure UBI build references the ubi dockerfile
* move from scratch to distroless
* Update image name to include ubi suffix, not tag
* Move template to have suffix on image name, not tag
* Add without integration check to apmserver sample test builders
* Add newline to generate new git hash
* Attempt to use different machine type
* Remove user specification in dockerfile for distroless:nonroot, as it's already non-root.
* revert change to machine type
* Only use ubi image when certified-operator.
* removing WithoutIntegrationCheck() from this PR
* use UbiOnly instead of string comparison.
* Add OCI annotations to dockerfile, and remove legacy labels.
* Update Dockerfile label to correct base name
  Co-authored-by: Thibault Richard <thbkrkr@users.noreply.github.com>
* Update Dockerfile.ubi for updated golang version
  Co-authored-by: Thibault Richard <thbkrkr@users.noreply.github.com>
* Convert to ubi8 in Makefile
  Co-authored-by: Thibault Richard <thbkrkr@users.noreply.github.com>
* Convert to ubi8 in hack/operatorhub/templates/csv.tpl
  Co-authored-by: Thibault Richard <thbkrkr@users.noreply.github.com>
* Convert to ubi8 again in hack/operatorhub/templates/csv.tpl
  Co-authored-by: Thibault Richard <thbkrkr@users.noreply.github.com>
* Convert to ubi8 once more in hack/operatorhub/templates/csv.tpl
  Co-authored-by: Thibault Richard <thbkrkr@users.noreply.github.com>
* Update license Label
  Co-authored-by: Peter Brachwitz <peter.brachwitz@gmail.com>

Co-authored-by: Thibault Richard <thbkrkr@users.noreply.github.com>
Co-authored-by: Peter Brachwitz <peter.brachwitz@gmail.com>
Closes #4561
This will update the default Dockerfile for the ECK operator to use a scratch image instead of UBI. An additional UBI dockerfile has been added, which is leveraged in CI tooling to build/push an additional image to both:
So, a total of 4 images (not including different platforms) will be built when building a new release (non-SNAPSHOT).
This will be paired with an additional PR for the internal redhat tooling leveraged during release.
Reason for Draft:
Additional testing is being done now to ensure: