-
Notifications
You must be signed in to change notification settings - Fork 311
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] Get rid of kubectl depepdency in container image #1137
base: main
Are you sure you want to change the base?
Conversation
0b72b10
to
ee56413
Compare
// DROP BEFORE MERGE! | ||
// Implements https://github.com/NVIDIA/k8s-operator-libs/pull/58 | ||
// This is only for testing. | ||
replace github.com/NVIDIA/k8s-operator-libs => github.com/tobiasgiese/k8s-operator-libs v0.0.0-20241125092837-e8a080621717 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
must be dropped before merging, just as a reminder
ee56413
to
3887841
Compare
We should not use the kubectl binary inside our containers because of potential CVEs. To get rid of the binary we can use the crdutil from the k8s-operator-libs. Signed-off-by: Tobias Giese <[email protected]>
3887841
to
92ad2af
Compare
@@ -77,6 +77,7 @@ operator: | |||
use_ocp_driver_toolkit: false | |||
# cleanup CRD on chart un-install | |||
cleanupCRD: false | |||
imageCleanupCRD: bitnami/kubectl:1.31 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can use the upstream bitnami/kubectl
image here as we don't need the CRDs in the container for the cleanup task.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The cleanest approach would be to add a DeleteCRD
method to the k8s-operator-libs. I think we can revisit this PR after that. Thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good call, was also thinking about this. Let me add a command to delete CRDs to the cmdutil
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There may be other requirements in terms of using a thirdparty image. Implementing the required logic in code may be simpler in the long run.
# Build apply-crds binary | ||
apply-crds: | ||
CGO_ENABLED=0 GOOS=$(GOOS) \ | ||
go build -ldflags "-s -w -X $(VERSION_PKG).gitCommit=$(GIT_COMMIT) -X $(VERSION_PKG).version=$(VERSION)" -o apply-crds ./cmd/apply-crds/... | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In other projects we using the following:
CMDS := $(patsubst ./cmd/%/,%,$(sort $(dir $(wildcard ./cmd/*/))))
CMD_TARGETS := $(patsubst %,cmd-%,$(CMDS))
ifneq ($(PREFIX),)
cmd-%: COMMAND_BUILD_OPTIONS = -o $(PREFIX)/$(*)
endif
ifneq ($(shell uname),Darwin)
EXTLDFLAGS = -Wl,--export-dynamic -Wl,--unresolved-symbols=ignore-in-object-files
else
EXTLDFLAGS = -Wl,-undefined,dynamic_lookup
endif
BUILDFLAGS = -ldflags "-s -w '-extldflags=$(EXTLDFLAGS)' -X $(CLI_VERSION_PACKAGE).gitCommit=$(GIT_COMMIT) -X $(CLI_VERSION_PACKAGE).version=$(CLI_VERSION)"
build:
go build $(BUILDFLAGS) ./...
cmds: $(CMD_TARGETS)
$(CMD_TARGETS): cmd-%:
go build $(BUILDFLAGS) $(COMMAND_BUILD_OPTIONS) $(MODULE)/cmd/$(*)
to auto-generate make cmd-*
targets for any binary that we place in cmd
. Would that be a useful addition here?
We should not use the kubectl binary inside our containers because of potential CVEs.
To get rid of the binary we can use the crdutil from the k8s-operator-libs.
Depends on NVIDIA/k8s-operator-libs#58