Merge pull request #1000 from flanksource/minimal-image

feat: generate minimal and elevated base images

.github/workflows/lint.yml

@@ -26,8 +26,6 @@ jobs:
         env:
           CI: false
         run: |
-          mkdir -p ui/build
-          touch ui/build/noop
           make resources
           git diff
           changed_files=$(git status -s)

.gitignore

@@ -5,7 +5,6 @@ bin/
 .env
 .certs
 .kube
-build/
 docs/cli/
 .DS_Store
 cover.out
@@ -18,4 +17,4 @@ chart/templates/crd.yaml
 postgres-db/
 ui/scripts/
 Chart.lock
-chart/charts/
+chart/charts/

Makefile

@@ -13,6 +13,7 @@ else
 endif
 
 # Image URL to use all building/pushing image targets
+IMG_F ?= docker.io/flanksource/canary-checker-full:${VERSION_TAG}
 IMG ?= docker.io/flanksource/canary-checker:${VERSION_TAG}
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
@@ -83,21 +84,26 @@ generate: .bin/controller-gen
 
 # Build the docker image
 docker:
-	docker build . -t ${IMG}
+	docker build . -f build/full/Dockerfile -t ${IMG_F}
+	docker build . -f build/minimal/Dockerfile -t ${IMG}
 
 # Build the docker image
 docker-dev: linux
-	docker build ./ -f ./Dockerfile.dev -t ${IMG}
+	docker build ./ -f build/dev/Dockerfile -t ${IMG}
 
 
 docker-push-%:
-	docker build ./ -f ./Dockerfile.dev -t ${IMG}
+	docker build . -f build/full/Dockerfile -t ${IMG_F}
+	docker build . -f build/minimal/Dockerfile -t ${IMG}
+	docker tag $(IMG_F) $*/$(IMG_F)
 	docker tag $(IMG) $*/$(IMG)
+	docker push  $*/$(IMG_F)
 	docker push  $*/$(IMG)
-	kubectl set image deployment/$(NAME) $(NAME)=$*/$(IMG)
+	kubectl set image deployment/$(NAME) $(NAME)=$*/$(IMG_F)
 
 # Push the docker image
 docker-push:
+	docker push ${IMG_F}
 	docker push ${IMG}
 
 .PHONY: compress

Dockerfile → build/full/Dockerfile

@@ -3,6 +3,7 @@ WORKDIR /app
 
 ARG NAME
 ARG VERSION
+ENV IMAGE_TYPE=full
 COPY go.mod /app/go.mod
 COPY go.sum /app/go.sum
 RUN go mod download

build/minimal/Dockerfile

@@ -0,0 +1,32 @@
+FROM golang:1.20 AS builder
+WORKDIR /app
+
+ARG NAME
+ARG VERSION
+ENV IMAGE_TYPE=minimal
+COPY go.mod /app/go.mod
+COPY go.sum /app/go.sum
+RUN go mod download
+COPY ./ ./
+RUN go version
+RUN make build
+
+FROM ubuntu 
+WORKDIR /app
+RUN apt-get update && \
+  apt-get install -y curl unzip ca-certificates jq wget gnupg2 bzip2 --no-install-recommends && \
+  rm -Rf /var/lib/apt/lists/*  && \
+  rm -Rf /usr/share/doc && rm -Rf /usr/share/man  && \
+  apt-get clean
+
+COPY --from=builder /app/.bin/canary-checker /app
+
+RUN /app/canary-checker go-offline
+
+RUN mkdir /opt/database
+RUN groupadd --gid 1000 canary
+RUN useradd canary --uid 1000 -g canary -m -d /var/lib/canary
+RUN chown -R 1000:1000 /opt/database
+USER canary:canary
+
+ENTRYPOINT ["/app/canary-checker"]

chart/templates/_helpers.tpl

@@ -50,3 +50,10 @@ app.kubernetes.io/name: {{ include "canary-checker.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 control-plane: canary-checker
 {{- end }}
+
+{{/*
+Image Name
+*/}}
+{{- define "canary-checker.imageString" -}}
+{{ .Values.image.repository }}{{- if eq (lower .Values.image.type) "full" }}-full{{- end }}:{{ .Values.image.tag }} 
+{{- end }}

chart/templates/deployment.yaml

@@ -67,7 +67,7 @@ spec:
             capabilities:
               add:
                 - CAP_NET_RAW
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          image: {{ include "canary-checker.imageString" . }}
           imagePullPolicy: "{{ .Values.image.pullPolicy }}"
           env:
             {{- if eq .Values.debug true }}

chart/values.yaml

@@ -6,6 +6,9 @@ replicas: 1
 
 image:
   repository: docker.io/flanksource/canary-checker
+  ## Options: minimal | full
+  ## full image is larger and requires more permissions to run, but is required to execute 3rd party checks (jmeter, restic, k6 etc)
+  type: minimal
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
   tag: "latest"