Libyaml and cfssl install from apt

This PS installs libyaml and cfssl from apt
instead of building them from source. It also
upgrades the Helm version to 3.17.3 because of a CVE.

In order to decrease the image size *-dev libs are
installed only when needed to build/install Python
packages.

Change-Id: Ia83805799f46f5b20008f0a9393ab508078926e4
Sergiy Markin
2025-04-24 19:58:44 +00:00
parent 4f719460e6
commit e96713115f
13 changed files with 46 additions and 39 deletions


@@ -10,4 +10,5 @@ libpq-dev [platform:dpkg]
libsasl2-dev [platform:dpkg] libsasl2-dev [platform:dpkg]
libssl-dev [platform:dpkg] libssl-dev [platform:dpkg]
libre2-dev [platform:dpkg] libre2-dev [platform:dpkg]
libyaml-dev [platform:dpkg]
apt-utils [platform:dpkg] apt-utils [platform:dpkg]


@@ -22,7 +22,7 @@ Sample Document to run containers in Docker runtime
images: images:
haproxy: haproxy:2.4 haproxy: haproxy:2.4
helm: helm:
helm: lachlanevenson/k8s-helm:v3.16.4 helm: lachlanevenson/k8s-helm:v3.17.3
monitoring_image: busybox:1.28.3 monitoring_image: busybox:1.28.3
packages: packages:
repositories: repositories:
@@ -121,7 +121,7 @@ Sample Document to run containers in Containerd runtime
images: images:
haproxy: haproxy:2.4 haproxy: haproxy:2.4
helm: helm:
helm: lachlanevenson/k8s-helm:v3.16.4 helm: lachlanevenson/k8s-helm:v3.17.3
monitoring_image: busybox:1.28.3 monitoring_image: busybox:1.28.3
packages: packages:
additional: additional:


@@ -85,7 +85,7 @@ data:
monitoring_image: &busybox busybox:1.28.3 monitoring_image: &busybox busybox:1.28.3
haproxy: haproxy:2.4 haproxy: haproxy:2.4
helm: helm:
helm: lachlanevenson/k8s-helm:v3.16.4 helm: lachlanevenson/k8s-helm:v3.17.3
packages: packages:
common: common:
repositories: repositories:


@@ -85,7 +85,7 @@ data:
monitoring_image: busybox:1.28.3 monitoring_image: busybox:1.28.3
haproxy: haproxy:2.4 haproxy: haproxy:2.4
helm: helm:
helm: lachlanevenson/k8s-helm:v3.16.4 helm: lachlanevenson/k8s-helm:v3.17.3
packages: packages:
common: common:
repositories: repositories:


@@ -85,7 +85,7 @@ data:
monitoring_image: &busybox busybox:1.28.3 monitoring_image: &busybox busybox:1.28.3
haproxy: haproxy:2.4 haproxy: haproxy:2.4
helm: helm:
helm: lachlanevenson/k8s-helm:v3.16.4 helm: lachlanevenson/k8s-helm:v3.17.3
packages: packages:
common: common:
additional: additional:


@@ -85,7 +85,7 @@ data:
monitoring_image: &busybox busybox:1.28.3 monitoring_image: &busybox busybox:1.28.3
haproxy: haproxy:2.4 haproxy: haproxy:2.4
helm: helm:
helm: lachlanevenson/k8s-helm:v3.16.4 helm: lachlanevenson/k8s-helm:v3.17.3
packages: packages:
common: common:
repositories: repositories:


@@ -49,48 +49,54 @@ RUN set -ex \
&& apt update -qq \ && apt update -qq \
&& apt upgrade -y \ && apt upgrade -y \
&& apt-get install --no-install-recommends -y \ && apt-get install --no-install-recommends -y \
automake \
ca-certificates \ ca-certificates \
curl \ curl \
dnsutils \ dnsutils \
gcc \
git \
gpg \ gpg \
gpg-agent \ gpg-agent \
libpcre3-dev \
libtool \
libpq-dev \
make \
python3-dev \ python3-dev \
python3-pip \
python3-setuptools \ python3-setuptools \
rsync \ rsync \
# this will install golang-cfssl 1.2.0 in Jammy
golang-cfssl \
&& ln -s /usr/bin/python3 /usr/bin/python \ && ln -s /usr/bin/python3 /usr/bin/python \
&& curl -Lo /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \
&& chmod 555 /usr/local/bin/cfssl \
&& python3 -m pip install -U pip \
&& apt-get autoremove -yqq --purge \ && apt-get autoremove -yqq --purge \
&& apt-get clean \ && apt-get clean \
&& useradd -u 1000 -g users -d /opt/promenade promenade \ && useradd -u 1000 -g users -d /opt/promenade promenade \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
# Install LibYAML
ENV LD_LIBRARY_PATH=/usr/local/lib
ARG LIBYAML_VERSION=0.2.5
RUN set -ex \
&& git clone https://github.com/yaml/libyaml.git \
&& cd libyaml \
&& git checkout $LIBYAML_VERSION \
&& ./bootstrap \
&& ./configure \
&& make \
&& make install \
&& cd .. \
&& rm -fr libyaml
COPY requirements-frozen.txt /opt/promenade COPY requirements-frozen.txt /opt/promenade
RUN pip3 install --no-cache-dir -r requirements-frozen.txt
RUN set -ex \
&& buildDeps=' \
automake \
gcc \
libpcre3-dev \
libffi-dev \
libpq-dev \
libssl-dev \
libtool \
libyaml-dev \
libvirt-dev \
make \
python3-pip \
pkg-config \
' \
&& apt-get -qq update \
# Keep git separate so it's not removed below
&& apt-get install -y $buildDeps git --no-install-recommends \
&& python3 -m pip install -U pip \
&& pip3 install --no-cache-dir -r requirements-frozen.txt \
&& apt-get purge -y --auto-remove $buildDeps \
&& apt-get autoremove -yqq --purge \
&& apt-get clean \
&& rm -rf \
/var/lib/apt/lists/* \
/tmp/* \
/var/tmp/* \
/usr/share/man \
/usr/share/doc \
/usr/share/doc-base
# Setting promenade version for BPR # Setting promenade version for BPR
ENV PBR_VERSION 0.9.0 ENV PBR_VERSION 0.9.0
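Review bot: In the new build-deps RUN step, `apt-get purge -y --auto-remove $buildDeps` can also remove runtime shared libraries that were installed only as dependencies of the -dev packages, for example libpq5 via libpq-dev, libyaml-0-2 via libyaml-dev and libvirt0 via libvirt-dev. If any package in requirements-frozen.txt is compiled against them rather than installed from a self-contained wheel (not visible from this page), its extension modules would fail to load at runtime. Listing the runtime libraries in the first `apt-get install`, e.g. `libpq5 \` and `libyaml-0-2 \`, marks them as manually installed so they survive the purge. An import smoke test at the end of the build, outside this hunk, would catch a regression.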


@@ -153,7 +153,7 @@ VALID_DOCS = [
'images': { 'images': {
'haproxy': 'haproxy:2.4', 'haproxy': 'haproxy:2.4',
'helm': { 'helm': {
'helm': 'lachlanevenson/k8s-helm:v3.16.4' 'helm': 'lachlanevenson/k8s-helm:v3.17.3'
} }
}, },
'packages': { 'packages': {


@@ -38,7 +38,7 @@ data:
monitoring_image: &busybox busybox:1.28.3 monitoring_image: &busybox busybox:1.28.3
haproxy: haproxy:2.4 haproxy: haproxy:2.4
helm: helm:
helm: lachlanevenson/k8s-helm:v3.16.4 helm: lachlanevenson/k8s-helm:v3.17.3
packages: packages:
common: common:
repositories: repositories:


@@ -9,7 +9,7 @@ IMAGE_DEP_CHECK=quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
IMAGE_ETCD=quay.io/coreos/etcd:v3.5.12 IMAGE_ETCD=quay.io/coreos/etcd:v3.5.12
IMAGE_ETCDCTL=quay.io/airshipit/porthole-etcdctl-utility:latest-ubuntu_focal IMAGE_ETCDCTL=quay.io/airshipit/porthole-etcdctl-utility:latest-ubuntu_focal
IMAGE_HAPROXY=haproxy:2.4 IMAGE_HAPROXY=haproxy:2.4
IMAGE_HELM=lachlanevenson/k8s-helm:v3.16.4 IMAGE_HELM=lachlanevenson/k8s-helm:v3.17.3
IMAGE_APISERVER=registry.k8s.io/kube-apiserver-amd64:v1.32.1 IMAGE_APISERVER=registry.k8s.io/kube-apiserver-amd64:v1.32.1
IMAGE_CONTROLLER_MANAGER=registry.k8s.io/kube-controller-manager-amd64:v1.32.1 IMAGE_CONTROLLER_MANAGER=registry.k8s.io/kube-controller-manager-amd64:v1.32.1
IMAGE_SCHEDULER=registry.k8s.io/kube-scheduler-amd64:v1.32.1 IMAGE_SCHEDULER=registry.k8s.io/kube-scheduler-amd64:v1.32.1


@@ -17,7 +17,7 @@
set -x set -x
HELM=$1 HELM=$1
HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.16.4-linux-amd64.tar.gz"} HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.17.3-linux-amd64.tar.gz"}
function install_helm_binary { function install_helm_binary {


@@ -1,4 +1,4 @@
#!/bin/python #!/bin/python3
import json import json
import logging import logging
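Review bot: The new shebang `#!/bin/python3` resolves only where `/bin` contains or links to the interpreter, which holds on usr-merged distributions but not everywhere. Pointing at the path the image's own Dockerfile symlinks from, `#!/usr/bin/python3`, or using `#!/usr/bin/env python3`, is the more portable form.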


@@ -6,7 +6,7 @@ registry.k8s.io/kube-apiserver-amd64,v1.32.1,apiserver
registry.k8s.io/kube-controller-manager-amd64,v1.32.1,controller-manager registry.k8s.io/kube-controller-manager-amd64,v1.32.1,controller-manager
registry.k8s.io/kube-scheduler-amd64,v1.32.1,scheduler registry.k8s.io/kube-scheduler-amd64,v1.32.1,scheduler
registry.k8s.io/kube-proxy-amd64,v1.32.1,proxy registry.k8s.io/kube-proxy-amd64,v1.32.1,proxy
lachlanevenson/k8s-helm,v3.16.4,helm lachlanevenson/k8s-helm,v3.17.3,helm
quay.io/airshipit/armada,master,armada quay.io/airshipit/armada,master,armada
quay.io/airshipit/armada-operator,latest,armada-operator quay.io/airshipit/armada-operator,latest,armada-operator
quay.io/calico/cni,v3.4.0,calico-cni quay.io/calico/cni,v3.4.0,calico-cni