refactor: Update helm registry initialization

This commit updates the helm registry initialization by separating out
the image used for copying the charts to the PVC and using the released
mindthegap image directly for serving the bundles. This is a small
security enhancement by using the minimal image that mindthegap already
provides.

This commit also copies a statically compiled version of `cp` to a scratch
container in order to us a minimal container with no package manager or
shell, again this is a minor security enhancement. This change means
that the bundles are copied to a subdirectory on the PVC as globbing
cannot be used without a shell present, whereas recursive copying works
correctly. This is a breaking change but should not affect any users at
this point (e.g. not yet included in any downstream releases).

Finally, this commit updates the helm values to use a more structured
approach. While this is a breaking change, the Helm chart is only used
to generate the clusterctl provider components YAML and as such does not
have any impact on existing users.

Author: jimmidyson

.envrc

@@ -7,8 +7,8 @@ export DEVBOX_NO_ENVRC_UPDATE=1
 
 eval "$(devbox generate direnv --print-envrc --env-file .dev-envrc)"
 
-dotenv_if_exists '.envrc.local'
-dotenv_if_exists '.envrc.e2e'
+source_env_if_exists '.envrc.local'
+source_env_if_exists '.envrc.e2e'
 
 # check out https://www.jetpack.io/devbox/docs/ide_configuration/direnv/
 # for more details

.goreleaser.yml

@@ -44,7 +44,7 @@ before:
       $(helm template {{ .ProjectName }} ./charts/{{ .ProjectName }} \
         --namespace caren-system \
         --set-string image.tag=v{{ trimprefix .Version "v" }}{{ if .IsSnapshot }}-{{ .Runtime.Goarch }}{{ end }} \
-        --set-string helmRepositoryImage.tag=v{{ trimprefix .Version "v" }}{{ if .IsSnapshot }}-{{ .Runtime.Goarch }} \
+        --set-string helmRepository.images.bundleInitializer.tag=v{{ trimprefix .Version "v" }}{{ if .IsSnapshot }}-{{ .Runtime.Goarch }} \
         --set-string image.repository=ko.local/{{ .ProjectName }}{{ end }} \
       )
       EOF'

charts/cluster-api-runtime-extensions-nutanix/README.md

@@ -32,12 +32,14 @@ A Helm chart for cluster-api-runtime-extensions-nutanix
 | deployment.replicas | int | `1` |  |
 | env | object | `{}` |  |
 | helmAddonsConfigMap | string | `"default-helm-addons-config"` |  |
-| helmRepositoryImage.pullPolicy | string | `"IfNotPresent"` |  |
-| helmRepositoryImage.repository | string | `"ghcr.io/nutanix-cloud-native/caren-helm-reg"` |  |
-| helmRepositoryImage.tag | string | `""` |  |
-| helmRepositorySecurityContext.fsGroup | int | `65534` |  |
-| helmRepositorySecurityContext.runAsGroup | int | `65534` |  |
-| helmRepositorySecurityContext.runAsUser | int | `65534` |  |
+| helmRepository.images.bundleInitializer.pullPolicy | string | `"IfNotPresent"` |  |
+| helmRepository.images.bundleInitializer.repository | string | `"ghcr.io/nutanix-cloud-native/caren-helm-reg"` |  |
+| helmRepository.images.bundleInitializer.tag | string | `""` |  |
+| helmRepository.images.mindthegap.pullPolicy | string | `"IfNotPresent"` |  |
+| helmRepository.images.mindthegap.repository | string | `"ghcr.io/mesosphere/mindthegap"` |  |
+| helmRepository.images.mindthegap.tag | string | `"v1.16.0"` |  |
+| helmRepository.securityContext.fsGroup | int | `65534` |  |
+| helmRepository.securityContext.runAsUser | int | `65534` |  |
 | hooks.ccm.aws.helmAddonStrategy.defaultValueTemplateConfigMap.create | bool | `true` |  |
 | hooks.ccm.aws.helmAddonStrategy.defaultValueTemplateConfigMap.name | string | `"default-aws-ccm-helm-values-template"` |  |
 | hooks.ccm.aws.k8sMinorVersionToCCMVersion."1.27" | string | `"v1.27.9"` |  |

charts/cluster-api-runtime-extensions-nutanix/templates/helm-repository.yaml

@@ -62,8 +62,8 @@ spec:
     spec:
       initContainers:
       - name: copy-charts
-        image: "{{ .Values.helmRepositoryImage.repository }}:{{ default $.Chart.AppVersion .Values.helmRepositoryImage.tag }}"
-        command: ["/bin/sh", "-c", "cp /charts/*.tar /helm-charts"]
+        image: "{{ .Values.helmRepository.images.bundleInitializer.repository }}:{{ default $.Chart.AppVersion .Values.helmRepository.images.bundleInitializer.tag }}"
+        command: ["/bin/cp", "-r", "/charts/",  "/helm-charts/bundles/"]
         imagePullPolicy: "{{ .Values.image.pullPolicy }}"
         volumeMounts:
         - name: charts-volume
@@ -74,13 +74,12 @@ spec:
           - name: serve
             protocol: TCP
             containerPort: 5000
-        image: "{{ .Values.helmRepositoryImage.repository }}:{{ default $.Chart.AppVersion .Values.helmRepositoryImage.tag }}"
+        image: "{{ .Values.helmRepository.images.mindthegap.repository }}:{{ .Values.helmRepository.images.mindthegap.tag }}"
         imagePullPolicy: "{{ .Values.image.pullPolicy }}"
-        command: ["/usr/bin/mindthegap"]
         args:
           - serve
           - bundle
-          - --bundle=/helm-charts/helm-charts-*.tar
+          - --bundle=/helm-charts/bundles/helm-charts-*.tar
           - --listen-port=5000
           - --listen-address=0.0.0.0
           - --tls-private-key-file=/certs/tls.key
@@ -101,7 +100,7 @@ spec:
           periodSeconds: 1
       priorityClassName: {{ .Values.priorityClassName }}
       securityContext:
-        {{ with .Values.helmRepositorySecurityContext }}
+        {{ with .Values.helmRepository.securityContext }}
         {{- toYaml . | nindent 8}}
         {{- end }}
       volumes:

charts/cluster-api-runtime-extensions-nutanix/values.schema.json

@@ -38,30 +38,51 @@
         "helmAddonsConfigMap": {
             "type": "string"
         },
-        "helmRepositoryImage": {
+        "helmRepository": {
             "properties": {
-                "pullPolicy": {
-                    "type": "string"
-                },
-                "repository": {
-                    "type": "string"
-                },
-                "tag": {
-                    "type": "string"
-                }
-            },
-            "type": "object"
-        },
-        "helmRepositorySecurityContext": {
-            "properties": {
-                "fsGroup": {
-                    "type": "integer"
-                },
-                "runAsGroup": {
-                    "type": "integer"
+                "images": {
+                    "properties": {
+                        "bundleInitializer": {
+                            "properties": {
+                                "pullPolicy": {
+                                    "type": "string"
+                                },
+                                "repository": {
+                                    "type": "string"
+                                },
+                                "tag": {
+                                    "type": "string"
+                                }
+                            },
+                            "type": "object"
+                        },
+                        "mindthegap": {
+                            "properties": {
+                                "pullPolicy": {
+                                    "type": "string"
+                                },
+                                "repository": {
+                                    "type": "string"
+                                },
+                                "tag": {
+                                    "type": "string"
+                                }
+                            },
+                            "type": "object"
+                        }
+                    },
+                    "type": "object"
                 },
-                "runAsUser": {
-                    "type": "integer"
+                "securityContext": {
+                    "properties": {
+                        "fsGroup": {
+                            "type": "integer"
+                        },
+                        "runAsUser": {
+                            "type": "integer"
+                        }
+                    },
+                    "type": "object"
                 }
             },
             "type": "object"

charts/cluster-api-runtime-extensions-nutanix/values.yaml

@@ -132,10 +132,19 @@ image:
   tag: ""
   pullPolicy: IfNotPresent
 
-helmRepositoryImage:
-  repository: ghcr.io/nutanix-cloud-native/caren-helm-reg
-  tag: ""
-  pullPolicy: IfNotPresent
+helmRepository:
+  images:
+    bundleInitializer:
+      repository: ghcr.io/nutanix-cloud-native/caren-helm-reg
+      tag: ""
+      pullPolicy: IfNotPresent
+    mindthegap:
+      repository: ghcr.io/mesosphere/mindthegap
+      tag: "v1.16.0"
+      pullPolicy: IfNotPresent
+  securityContext:
+    runAsUser: 65534
+    fsGroup: 65534
 
 # -- Optional secrets used for pulling the container image
 imagePullSecrets: []
@@ -160,12 +169,6 @@ resources:
 securityContext:
   runAsUser: 65532
 
-# The helm-repository containers are based on an Alpine image with a different nonroot user
-helmRepositorySecurityContext:
-  runAsUser: 65534
-  runAsGroup: 65534
-  fsGroup: 65534
-
 service:
   annotations: {}
   type: ClusterIP

hack/addons/mindthegap-helm-registry/Dockerfile

@@ -1,19 +1,19 @@
-ARG MINDTHEGAP_VERSION=v1.14.4
+ARG MINDTHEGAP_VERSION=v1.16.0
+
 FROM --platform=${BUILDPLATFORM} ghcr.io/mesosphere/mindthegap:${MINDTHEGAP_VERSION} as bundle_builder
-# this gets called by goreleaser so the copy source has to be the path relative to the repo root.
+# This gets called by goreleaser so the copy source has to be the path relative to the repo root.
 RUN --mount=source=./hack/addons/mindthegap-helm-registry/repos.yaml,target=/repos.yaml \
     ["/ko-app/mindthegap", "create", "bundle", "--helm-charts-file=/repos.yaml", "--output-file=/tmp/helm-charts.tar"]
 
-FROM --platform=${TARGETPLATFORM} ghcr.io/mesosphere/mindthegap:${MINDTHEGAP_VERSION} as mindthegap
+FROM --platform=${TARGETPLATFORM} busybox:1.37.0-musl as static-busybox
 
-FROM --platform=${TARGETPLATFORM} alpine:3.20.3
-# Add mindthegap binary that matches TARGETPLATFORM
-COPY --from=mindthegap /ko-app/mindthegap /usr/bin/mindthegap
+FROM --platform=${TARGETPLATFORM} scratch
 # Add helm charts for the current version
 ARG VERSION
 COPY --from=bundle_builder /tmp/helm-charts.tar /charts/helm-charts-${VERSION}.tar
 # TODO remove me as soon as its not needed to hold multiple versions of helm charts
 COPY --from=ghcr.io/nutanix-cloud-native/caren-helm-reg:v0.14.6 /tmp/helm-charts.tar /charts/helm-charts-v0.14.6.tar
 COPY --from=ghcr.io/nutanix-cloud-native/caren-helm-reg:v0.14.9 /tmp/helm-charts.tar /charts/helm-charts-v0.14.9.tar
-VOLUME /certs
-ENTRYPOINT /usr/bin/mindthegap
+
+# Add statically compiled cp to the image used to copy bundles to the mounted PVC at runtime.
+COPY --from=static-busybox /bin/cp /bin/cp

make/dev.mk

@@ -15,7 +15,7 @@ dev.run-on-kind:
 	helm upgrade --install cluster-api-runtime-extensions-nutanix ./charts/cluster-api-runtime-extensions-nutanix \
 		--set-string image.repository=ko.local/cluster-api-runtime-extensions-nutanix \
 		--set-string image.tag=$(SNAPSHOT_VERSION) \
-		--set-string helmRepositoryImage.tag=$(SNAPSHOT_VERSION) \
+		--set-string helmRepository.images.bundleInitializer.tag=$(SNAPSHOT_VERSION) \
 		--wait --wait-for-jobs
 	kubectl rollout restart deployment cluster-api-runtime-extensions-nutanix
 	kubectl rollout restart deployment helm-repository