Base entrypoint image on distroless

[imjasonh]

Reopening #2562 which for some reason GitHub/Prow won't let me reopen 🤷‍♂️

With ko gaining multi-arch support, this change is becoming a bit more relevant, since it makes every TaskRun require a cp binary in the base image, which makes it harder to support multi-arch support in Tekton.

---

The only reason it was based on busybox was to have access to cp,
which it used to copy its binary to /tekton/tools for use in later
steps.

Instead of relying on cp, this adds a "cp mode" to the entrypoint
binary itself. When invoked with the positional args cp <src> <dst>,
it copies src to dst using Go's os and io packages.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• [y] Includes tests (if functionality changed/added)
• [n] Includes docs (if user facing)
• [y] Commit messages follow commit message best practices
• [y] Release notes block has been filled in or deleted (only if no user facing changes)

See the contribution guide for more details.

Double check this list of stuff that's easy to miss:

• If you are adding a new binary/image to the cmd dir, please update
  the release Task to build and release this image.

Reviewer Notes

If API changes are included, additive changes must be approved by at least two OWNERS and backwards incompatible changes must be approved by more than 50% of the OWNERS, and they must first be added in a backwards compatible way.

Release Notes

Base entrypoint image on distroless/static:nonroot and give it a mode to copy itself to the destination, instead of relying on cp being present in the base image.

cc @mattmoor @afrittoli @vdemeester

[mattmoor]

/kind feature

[mattmoor]

/lgtm

FWIW :D

[imjasonh]

/kind feature

[dlorenc]

/approve

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlorenc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dlorenc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[imjasonh]

/test pull-tekton-pipeline-integration-tests

[vdemeester]

With ko gaining multi-arch support, this change is becoming a bit more relevant, since it makes every TaskRun require a cp binary in the base image, which makes it harder to support multi-arch support in Tekton.

I am not sure I follow entirely this, before this change, we just need to ensure that entrypoint image is multi-arch (just like busybox is I think), right ? Now it's based on a non-os image so we don't really need to care about multi-arch because there is only binaries in there ?

This just bakes cp in entrypoint as an very lightweight alternative of cp. One thing though, is this be considered as a breaking change as we are removing a some debug (busybox) tooling from the entrypoint image ?

[imjasonh]

I am not sure I follow entirely this, before this change, we just need to ensure that entrypoint image is multi-arch (just like busybox is I think), right ? Now it's based on a non-os image so we don't really need to care about multi-arch because there is only binaries in there ?

Yep, exactly. It was based on distroless/base:debug before as an optimal middle-ground between "as minimal as possible (distroless)" and "contains cp", but now that we're trying to also make it multi-arch, I think it makes sense to base it on distroless/static instead. And we can do that just by moving cp into the binary itself.

Basing on busybox would also be an option, since it's multi-arch, but that moves us a bit further from the "as minimal as possible" goal.

This just bakes cp in entrypoint as an very lightweight alternative of cp. One thing though, is this be considered as a breaking change as we are removing a some debug (busybox) tooling from the entrypoint image ?

I don't think we should consider it a breaking change. The "debug stuff" was only present in the entrypoint image when it runs as an initContainer to copy the entrypoint binary out to the shared volume. I'm not even sure how a user would come to depend on that behavior, but if they did they're definitely doing something weird. 🙃

[vdemeester]

Yep, exactly. It was based on distroless/base:debug before as an optimal middle-ground between "as minimal as possible (distroless)" and "contains cp", but now that we're trying to also make it multi-arch, I think it makes sense to base it on distroless/static instead. And we can do that just by moving cp into the binary itself.

Well, we are not copying cp into the binary itself, we are "coding" cp 😝.

Basing on busybox would also be an option, since it's multi-arch, but that moves us a bit further from the "as minimal as possible" goal.

Isn't distroless/base:debug using busybox ? (I thought so, maybe I am wrong – or maybe it's alpine based).

I don't think we should consider it a breaking change. The "debug stuff" was only present in the entrypoint image when it runs as an initContainer to copy the entrypoint binary out to the shared volume. I'm not even sure how a user would come to depend on that behavior, but if they did they're definitely doing something weird. upside_down_face

We do publish the entrypoint image, so any user could use it as its own, independently of what Tekton does with it. I do agree it would be weird to use it (instead of an alpine or busybox image), but still, some might 😅

[imjasonh]

Well, we are not copying cp into the binary itself, we are "coding" cp 😝.

Right right. Copying it's functionality, is what I meant.

Isn't distroless/base:debug using busybox ? (I thought so, maybe I am wrong – or maybe it's alpine based).

I don't think so:

(from https://viz.kontain.me)

We do publish the entrypoint image, so any user could use it as its own, independently of what Tekton does with it. I do agree it would be weird to use it (instead of an alpine or busybox image), but still, some might 😅

I think I still consider that far enough outside intended use that if it breaks anybody it's because they were doing something we don't expect to support. (Hyrum's Law, of course, aside).

[vdemeester]

https://github.com/GoogleContainerTools/distroless#base-operating-system Interesting, it seems to track debian 🙃 👼