feat(executor): Switch to alpine base image. Close #5720

Signed-off-by: Alex Collins <[email protected]>
argoproj · May 25, 2021 · 8bf528f · 8bf528f
1 parent d7517cf
commit 8bf528f
Show file tree

Hide file tree

Showing 10 changed files with 59 additions and 18 deletions.
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
@@ -115,9 +115,9 @@ jobs:
       - name: make/pull argoexec-image
         run: |
           if [ ${{matrix.test}} == test-executor ]; then
-            make argoexec-image STATIC_FILES=false
+            make argoexec-alpine-image STATIC_FILES=false
           else
-            docker pull argoproj/argoexec:latest
+            docker pull argoproj/argoexec-alpine:latest || make argoexec-alpine-image STATIC_FILES=false
           fi
       - run: make wait
         timeout-minutes: 4

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -19,7 +19,7 @@ jobs:
     strategy:
       matrix:
         platform: [ linux/amd64 ]
-        target: [ workflow-controller, argocli, argoexec ]
+        target: [ workflow-controller, argocli, argoexec, argoexec-alpine ]
     steps:
       - uses: actions/checkout@v2
 
@@ -84,7 +84,7 @@ jobs:
     strategy:
       matrix:
         platform: [ linux/arm64 ]
-        target: [ workflow-controller, argocli, argoexec ]
+        target: [ workflow-controller, argocli, argoexec, argoexec-alpine ]
     steps:
       - uses: actions/checkout@v2
 
@@ -177,7 +177,7 @@ jobs:
             tag="latest"
           fi
 
-          targets="argoexec"
+          targets="argoexec argoexec-alpine"
           for target in $targets; do
             image_name="${docker_org}/${target}:${tag}-windows"
             docker build --target $target -t $image_name -f Dockerfile.windows .
@@ -219,7 +219,7 @@ jobs:
             tag="latest"
           fi
 
-          targets="workflow-controller argoexec argocli"
+          targets="workflow-controller argoexec argoexec-alpine argocli"
           for target in $targets; do
             image_name="${docker_org}/${target}:${tag}"
 
@@ -262,11 +262,11 @@ jobs:
             tag="latest"
           fi
 
-          targets="workflow-controller argoexec argocli"
+          targets="workflow-controller argoexec argoexec-alpine argocli"
           for target in $targets; do
             image_name="${docker_org}/${target}:${tag}"
 
-            if [ $target = "argoexec" ]; then
+            if [ $target = "argoexec" ] || [ $target = "argoexec-image" ]; then
               docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64 ${image_name}-windows
               docker manifest create quay.io/$image_name quay.io/${image_name}-linux-arm64 quay.io/${image_name}-linux-amd64 quay.io/${image_name}-windows
             else
@@ -284,7 +284,7 @@ jobs:
     strategy:
       matrix:
         platform: [ linux/amd64 ]
-        target: [ workflow-controller, argocli, argoexec ]
+        target: [ workflow-controller, argocli, argoexec, argoexec-alpine  ]
     steps:
       - name: Docker Login
         uses: Azure/docker-login@v1
@@ -341,7 +341,7 @@ jobs:
             tag="latest"
           fi
 
-          targets="argoexec"
+          targets="argoexec argoexec-alpine"
           for target in $targets; do
             image_name="${docker_org}/${target}:${tag}"
             docker pull $image_name

diff --git a/Dockerfile b/Dockerfile
@@ -68,6 +68,28 @@ RUN ./recurl.sh /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes
 RUN ./recurl.sh /usr/local/bin/jq https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64
 RUN rm recurl.sh arch.sh os.sh
 
+####################################################################################################
+
+FROM alpine:3 as argoexec-alpine-base
+
+ARG DOCKER_CHANNEL
+ARG DOCKER_VERSION
+ARG KUBECTL_VERSION
+
+RUN apk --no-cache add curl procps git tar libcap jq
+
+COPY hack/arch.sh hack/os.sh /bin/
+
+RUN if [ $(arch.sh) = ppc64le ] || [ $(arch.sh) = s390x ]; then \
+        curl -o docker.tgz https://download.docker.com/$(os.sh)/static/${DOCKER_CHANNEL}/$(uname -m)/docker-18.06.3-ce.tgz; \
+    else \
+        curl -o docker.tgz https://download.docker.com/$(os.sh)/static/${DOCKER_CHANNEL}/$(uname -m)/docker-${DOCKER_VERSION}.tgz; \
+    fi && \
+    tar --extract --file docker.tgz --strip-components 1 --directory /usr/local/bin/ && \
+    rm docker.tgz
+RUN curl -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/$(os.sh)/$(arch.sh)/kubectl
+RUN rm /bin/arch.sh /bin/os.sh
+
 COPY hack/ssh_known_hosts /etc/ssh/
 COPY hack/nsswitch.conf /etc/
 
@@ -134,6 +156,14 @@ ENTRYPOINT [ "argoexec" ]
 
 ####################################################################################################
 
+FROM argoexec-alpine-base as argoexec-alpine
+
+COPY --from=argoexec-build /go/src/github.com/argoproj/argo-workflows/dist/argoexec /usr/local/bin/
+RUN setcap CAP_SYS_PTRACE,CAP_SYS_CHROOT+ei /usr/local/bin/argoexec
+ENTRYPOINT [ "argoexec" ]
+
+####################################################################################################
+
 FROM scratch as workflow-controller
 
 USER 8737

diff --git a/Makefile b/Makefile
@@ -137,7 +137,7 @@ endif
 build: clis images
 
 .PHONY: images
-images: argocli-image argoexec-image workflow-controller-image
+images: argocli-image argoexec-image argoexec-alpine-image workflow-controller-image
 
 # cli
 
@@ -219,6 +219,7 @@ else
 endif
 
 argoexec-image:
+argoexec-alpine-image:
 
 %-image:
 	[ ! -e dist/$* ] || mv dist/$* .
@@ -228,7 +229,7 @@ argoexec-image:
 	if [ $(K3D) = true ]; then k3d image import $(IMAGE_NAMESPACE)/$*:$(VERSION); fi
 	if [ $(DOCKER_PUSH) = true ] && [ $(IMAGE_NAMESPACE) != argoproj ] ; then docker push $(IMAGE_NAMESPACE)/$*:$(VERSION) ; fi
 
-scan-images: scan-workflow-controller scan-argoexec scan-argocli
+scan-images: scan-workflow-controller scan-argoexec scan-argoexec-alpine scan-argocli
 
 scan-%:
 	docker scan --severity=high $(IMAGE_NAMESPACE)/$*:$(VERSION)

diff --git a/manifests/base/workflow-controller/workflow-controller-deployment.yaml b/manifests/base/workflow-controller/workflow-controller-deployment.yaml
@@ -28,7 +28,7 @@ spec:
             - --configmap
             - workflow-controller-configmap
             - --executor-image
-            - argoproj/argoexec:latest
+            - argoproj/argoexec-alpine:latest
           env:
             - name: LEADER_ELECTION_IDENTITY
               valueFrom:

diff --git a/manifests/install.yaml b/manifests/install.yaml
@@ -197,16 +197,19 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: argo
+  namespace: argo
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: argo-server
+  namespace: argo
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: argo-role
+  namespace: argo
 rules:
 - apiGroups:
   - coordination.k8s.io
@@ -470,13 +473,15 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: argo-binding
+  namespace: argo
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: argo-role
 subjects:
 - kind: ServiceAccount
   name: argo
+  namespace: argo
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -508,11 +513,13 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: workflow-controller-configmap
+  namespace: argo
 ---
 apiVersion: v1
 kind: Service
 metadata:
   name: argo-server
+  namespace: argo
 spec:
   ports:
   - name: web
@@ -525,6 +532,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: workflow-controller-metrics
+  namespace: argo
 spec:
   ports:
   - name: metrics
@@ -538,6 +546,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: argo-server
+  namespace: argo
 spec:
   selector:
     matchLabels:
@@ -582,6 +591,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: workflow-controller
+  namespace: argo
 spec:
   selector:
     matchLabels:
@@ -596,7 +606,7 @@ spec:
         - --configmap
         - workflow-controller-configmap
         - --executor-image
-        - argoproj/argoexec:latest
+        - argoproj/argoexec-alpine:latest
         command:
         - workflow-controller
         env:

diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml
@@ -490,7 +490,7 @@ spec:
         - --configmap
         - workflow-controller-configmap
         - --executor-image
-        - argoproj/argoexec:latest
+        - argoproj/argoexec-alpine:latest
         - --namespaced
         command:
         - workflow-controller

diff --git a/manifests/quick-start-minimal.yaml b/manifests/quick-start-minimal.yaml
@@ -863,7 +863,7 @@ spec:
         - --configmap
         - workflow-controller-configmap
         - --executor-image
-        - argoproj/argoexec:latest
+        - argoproj/argoexec-alpine:latest
         - --namespaced
         command:
         - workflow-controller

diff --git a/manifests/quick-start-mysql.yaml b/manifests/quick-start-mysql.yaml
@@ -952,7 +952,7 @@ spec:
         - --configmap
         - workflow-controller-configmap
         - --executor-image
-        - argoproj/argoexec:latest
+        - argoproj/argoexec-alpine:latest
         - --namespaced
         command:
         - workflow-controller

diff --git a/manifests/quick-start-postgres.yaml b/manifests/quick-start-postgres.yaml
@@ -944,7 +944,7 @@ spec:
         - --configmap
         - workflow-controller-configmap
         - --executor-image
-        - argoproj/argoexec:latest
+        - argoproj/argoexec-alpine:latest
         - --namespaced
         command:
         - workflow-controller