wip

Author: joshiste

Dockerfile

@@ -12,18 +12,33 @@ ARG BUILD_SNAPSHOT=true
 ARG SKIP_LICENSES_REPORT=false
 ARG VERSION=unknown
 ARG REVISION=unknown
+ARG RUNC_VERSION=v1.1.15
+ARG CRUN_VERSION=1.21
 
 WORKDIR /app
 
 RUN echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' > /etc/apt/sources.list.d/goreleaser.list \
     && apt-get -qq update \
-    && apt-get -qq install -y --no-install-recommends build-essential libcap2-bin goreleaser
+    && apt-get -qq install -y --no-install-recommends build-essential libcap2-bin goreleaser gpg curl
 
 COPY . .
 
+#Ambient set of capabilities are not really working, therefore we set the capabilities on the binary directly. More on this: https://github.com/kubernetes/kubernetes/issues/56374
 RUN GOOS=$TARGETOS GOARCH=$TARGETARCH goreleaser build --snapshot="${BUILD_SNAPSHOT}" --single-target -o extension \
     && setcap "cap_setuid,cap_setgid,cap_sys_admin,cap_dac_override,cap_sys_ptrace+eip" ./extension
 
+# As of today the runc binary from debian is built using golang 1.19.8 and will be flagged by CVE scanners as vulnerable to several CVEs.
+# We are dowonloading the runc binary from the official github release page and will use it instead of the one from the debian package.
+RUN curl --proto "=https" -sfL https://github.com/opencontainers/runc/releases/download/$RUNC_VERSION/runc.$TARGETARCH -o ./runc \
+    && curl --proto "=https" -sfL -o - https://raw.githubusercontent.com/opencontainers/runc/refs/heads/main/runc.keyring | gpg --import \
+    && curl --proto "=https" -sfL -o - https://github.com/opencontainers/runc/releases/download/$RUNC_VERSION/runc.$TARGETARCH.asc | gpg --verify - ./runc \
+    && chmod a+x ./runc
+
+RUN curl --proto "=https" -sfL https://github.com/containers/crun/releases/download/$CRUN_VERSION/crun-$CRUN_VERSION-linux-$TARGETARCH -o ./crun \
+    && curl --proto "=https" -sfL -o - https://github.com/giuseppe.gpg | gpg --import \
+    && curl --proto "=https" -sfL -o - https://github.com/containers/crun/releases/download/$CRUN_VERSION/crun-$CRUN_VERSION-linux-$TARGETARCH.asc | gpg --verify - ./crun \
+    && chmod a+x ./crun
+
 ##
 ## Runtime
 ##
@@ -50,10 +65,13 @@ RUN groupadd --gid $USER_GID $USERNAME \
 RUN apt-get -qq update \
     && apt-get -qq upgrade -y \
     && apt-get -y autoremove \
-    && apt-get -qq install -y --no-install-recommends runc procps \
+    && apt-get -qq install -y --no-install-recommends procps \
     && apt-get -y autoremove \
     && rm -rf /var/lib/apt/lists/*
 
+COPY --from=build /app/runc /usr/sbin/runc
+COPY --from=build /app/crun /usr/bin/crun
+
 USER $USER_UID
 
 WORKDIR /

charts/steadybit-extension-jvm/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: steadybit-extension-jvm
 description: Steadybit jvm extension Helm chart for Kubernetes.
-version: 1.1.21
+version: 1.2.0
 appVersion: v1.2.4
 home: https://www.steadybit.com/
 icon: https://steadybit-website-assets.s3.amazonaws.com/logo-symbol-transparent.png

charts/steadybit-extension-jvm/templates/_helpers.tpl

@@ -2,43 +2,26 @@
 {{/*
 checks the .Values.containerRuntime for valid values
 */}}
-{{- define "containerRuntime.valid" -}}
-{{- $valid := keys .Values.containerRuntimes | sortAlpha -}}
-{{- $runtime := .Values.container.runtime -}}
-{{- if has $runtime $valid -}}
-{{- $runtime  -}}
+{{- define "containerEngine.valid" -}}
+{{- $valid := keys .Values.containerEngines | sortAlpha -}}
+{{- if has .Values.container.runtime $valid -}}
+{{- .Values.container.runtime  -}}
+{{- else if has .Values.container.engine $valid -}}
+{{- .Values.container.engine  -}}
 {{- else -}}
-{{- fail (printf "unknown container runtime: %v (must be one of %s)" $runtime (join ", " $valid)) -}}
+{{- fail (printf "unknown container.engine: %v (must be one of %s)" .Values.container.engine (join ", " $valid)) -}}
 {{- end -}}
 {{- end -}}
 
-
 {{- /*
-containerRuntime.volumeMounts will render pod volume mounts(without indentation) for the selected container runtime
+ociRuntime.root will render the root for the selected container runtime
 */}}
-{{- define "containerRuntime.volumeMounts" -}}
-{{- $runtime := (include "containerRuntime.valid" . )  -}}
-{{- $runtimeValues := get .Values.containerRuntimes $runtime  -}}
-- name: "runtime-socket"
-  mountPath: "{{ $runtimeValues.socket }}"
-- name: "runtime-runc-root"
-  mountPath: "{{ $runtimeValues.runcRoot }}"
-{{- end -}}
-
-{{- /*
-containerRuntime.volumes will render pod volumes (without indentation) for the selected container runtime
-*/}}
-{{- define "containerRuntime.volumes" -}}
-{{- $runtime := (include "containerRuntime.valid" . )  -}}
-{{- $runtimeValues := get .Values.containerRuntimes $runtime  -}}
-- name: "runtime-socket"
-  hostPath:
-    path: "{{ $runtimeValues.socket }}"
-    type: Socket
-- name: "runtime-runc-root"
-  hostPath:
-    path: "{{ $runtimeValues.runcRoot }}"
-    type: Directory
+{{- define "ociRuntime.get" -}}
+{{- $top := index . 0 -}}
+{{- $field := index . 1 -}}
+{{- $engine := (include "containerEngine.valid" $top )  -}}
+{{- $engineValues := get $top.Values.containerEngines $engine  -}}
+{{- index $engineValues.ociRuntime $field -}}
 {{- end -}}
 
 {{- /*
@@ -54,3 +37,4 @@ will omit attribute from the passed in object depending on the KubeVersion
 {{- end -}}
 {{- $dict | toYaml -}}
 {{- end -}}
+

charts/steadybit-extension-jvm/templates/daemonset.yaml

@@ -4,21 +4,21 @@ metadata:
   name: {{ include "extensionlib.names.fullname" . }}
   namespace: {{ .Release.Namespace }}
   labels:
+  {{- include "extensionlib.labels" (list .) | nindent 4 }}
   {{- range $key, $value := .Values.extraLabels }}
     {{ $key }}: {{ $value }}
   {{- end }}
-  {{- include "extensionlib.labels" (list .) | nindent 4 }}
 spec:
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ include "extensionlib.names.name" . }}
       app: {{ include "extensionlib.names.name" . }}
   updateStrategy:
-    # updateStrategy.type -- Specifies the strategy used to replace old Pods by new ones.
-    type: RollingUpdate
+    type: {{ .Values.updateStrategy.type }}
+    {{- if eq .Values.updateStrategy.type "RollingUpdate" }}
     rollingUpdate:
-      # updateStrategy.rollingUpdate.maxSurge -- The maximum number of DaemonSet pods that can be unavailable during the update.
-      maxUnavailable: 1
+      maxUnavailable: {{ .Values.updateStrategy.rollingUpdate.maxUnavailable }}
+    {{- end }}
   template:
     metadata:
       labels:
@@ -33,7 +33,7 @@ spec:
         {{- end }}
       annotations:
         {{- if semverCompare "<1.30-0" .Capabilities.KubeVersion.Version}}
-        "container.apparmor.security.beta.kubernetes.io/{{ include "extensionlib.names.name" . }}": unconfined
+        "container.apparmor.security.beta.kubernetes.io/steadybit-extension-jvm": unconfined
         {{- end }}
         {{- include "extensionlib.annotation" (list . .Values.containerPorts.http (.Values.daemonSet.extensionlib.list) ) | nindent 8 }}
         oneagent.dynatrace.com/injection: "false"
@@ -61,7 +61,7 @@ spec:
             limits:
               memory: {{ .Values.resources.limits.memory }}
               cpu: {{ .Values.resources.limits.cpu }}
-          name: {{ include "extensionlib.names.name" . }}
+          name: steadybit-extension-jvm
           ports:
             - name: http
               containerPort: {{ .Values.containerPorts.http }}
@@ -82,6 +82,10 @@ spec:
             - name: STEADYBIT_EXTENSION_DISCOVERY_ATTRIBUTES_EXCLUDES_JVM
               value: {{ join "," .Values.discovery.attributes.excludes.jvm | quote }}
             {{- end }}
+            - name: STEADYBIT_EXTENSION_OCIRUNTIME_ROOT
+              value: {{ include "ociRuntime.get" (list . "root") | quote }}
+            - name: STEADYBIT_EXTENSION_OCIRUNTIME_PATH
+              value: {{ include "ociRuntime.get" (list . "path") | quote }}
             {{- include "extensionlib.deployment.env" (list .) | nindent 12 }}
             {{- with .Values.extraEnv }}
               {{- toYaml . | nindent 12 }}
@@ -95,7 +99,8 @@ spec:
               mountPath: /tmp
             - name: cgroup-root
               mountPath: /sys/fs/cgroup
-                  {{- include "containerRuntime.volumeMounts" . | nindent 12 }}
+            - name: "ociruntime-root"
+              mountPath: {{ include "ociRuntime.get" (list . "root") | quote }}
                   {{- include "extensionlib.deployment.volumeMounts" (list .) | nindent 12 }}
           livenessProbe:
             initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
@@ -126,7 +131,10 @@ spec:
           hostPath:
             path: /sys/fs/cgroup
             type: Directory
-            {{- include "containerRuntime.volumes" . | nindent 8 }}
+        - name: "ociruntime-root"
+          hostPath:
+            path: {{ include "ociRuntime.get" (list . "root") | quote }}
+            type: Directory
             {{- include "extensionlib.deployment.volumes" (list .) | nindent 8 }}
       serviceAccountName: {{ .Values.serviceAccount.name }}
           {{- with .Values.nodeSelector }}