Replace curlimages/curl with extension-init (#108)

* Replace `curlimages/curl` with `extension-init` Replaced curlimages/curl docker image in the namespace-metadata Job with linkerd's extension-init image, to avoid all the OS luggage included in the former, which generates CVE alerts.
linkerd · Sep 25, 2023 · 364ca6e · sdickhoven · Feb 4, 2024 · alpeb
1 parent ef8986a
commit 364ca6e
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 23 deletions.
diff --git a/README.md b/README.md
@@ -29,15 +29,15 @@ Alternatively, you can download the CLI directly via the
 To install the linkerd-smi Helm chart, run:
 
     helm repo add l5d-smi https://linkerd.github.io/linkerd-smi
-    helm install linkers-smi -n --create-namespace l5d-smi/linkerd-smi
+    helm install linkerd-smi -n --create-namespace l5d-smi/linkerd-smi
 
 ## Compatibility matrix
 
-| linkerd-smi | linkerd stable    | linkerd edge              |
-| ----------- | ----------------- | ------------------------- |
-| v0.1.0      | 2.11 and previous | edge-21.12.1 and previous |
-| v0.2.0      | 2.12.0 and later  | edge-21.12.2 and later    |
-| v0.2.1      | 2.12.0 and later  | edge-21.12.2 and later    |
+| linkerd-smi      | linkerd stable    | linkerd edge              |
+| ---------------- | ----------------- | ------------------------- |
+| v0.1.0           | 2.11 and previous | edge-21.12.1 and previous |
+| v0.2.0           | 2.12.0 and later  | edge-21.12.2 and later    |
+| v0.2.1 and later | 2.12.0 and later  | edge-21.12.2 and later    |
 
 ## License
 

diff --git a/charts/linkerd-smi/README.md b/charts/linkerd-smi/README.md
@@ -72,6 +72,11 @@ Kubernetes: `>=1.16.0-0`
 | adaptor.nodeSelector | object | `{}` | Node selector for the adaptor instance |
 | adaptor.tolerations | list | `[]` | Tolerations for the adaptor instance |
 | clusterDomain | string | `"cluster.local"` | Kubernetes DNS Domain name to use |
+| linkerdNamespace | string | `"linkerd"` | Namespace of the Linkerd core control-plane install |
+| namespaceMetadata.image.name | string | `"extension-init"` | Docker image name for the namespace-metadata instance |
+| namespaceMetadata.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the namespace-metadata instance |
+| namespaceMetadata.image.registry | string | `"cr.l5d.io/linkerd"` | Docker registry for the namespace-metadata instance |
+| namespaceMetadata.image.tag | string | `"v0.1.0"` | Docker image tag for the namespace-metadata instance |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0)
diff --git a/charts/linkerd-smi/templates/namespace-metadata-rbac.yaml b/charts/linkerd-smi/templates/namespace-metadata-rbac.yaml
@@ -37,4 +37,23 @@ subjects:
 - kind: ServiceAccount
   name: namespace-metadata
   namespace: {{.Release.Namespace}}
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  namespace: {{ .Values.linkerdNamespace }}
+  labels:
+    linkerd.io/extension: smi
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  name: smi-namespace-metadata-linkerd-config
+roleRef:
+  kind: Role
+  name: ext-namespace-metadata-linkerd-config
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: namespace-metadata
+  namespace: {{.Release.Namespace}}
diff --git a/charts/linkerd-smi/templates/namespace-metadata.yaml b/charts/linkerd-smi/templates/namespace-metadata.yaml
@@ -3,7 +3,7 @@ kind: Job
 metadata:
   annotations:
     "helm.sh/hook": post-install
-    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-weight": "1"
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/name: namespace-metadata
@@ -22,19 +22,12 @@ spec:
       serviceAccountName: namespace-metadata
       containers:
       - name: namespace-metadata
-        image: curlimages/curl:7.78.0
-        command: ["/bin/sh"]
+        image: {{.Values.namespaceMetadata.image.registry}}/{{.Values.namespaceMetadata.image.name}}:{{.Values.namespaceMetadata.image.tag}}
+        imagePullPolicy: {{.Values.namespaceMetadata.image.pullPolicy }}
         args:
-        - -c
-        - |
-          ops=''
-          token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
-          ns=$(curl -kfv -H "Authorization: Bearer $token" \
-            "https://kubernetes.default.svc/api/v1/namespaces/{{.Release.Namespace}}")
-          if echo "$ns" | grep -vq 'labels'; then
-            ops="$ops{\"op\": \"add\",\"path\": \"/metadata/labels\",\"value\": {}},"
-          fi
-          ops="$ops{\"op\": \"add\", \"path\": \"/metadata/labels/linkerd.io~1extension\", \"value\": \"smi\"}"
-          curl -kfv -XPATCH -H "Content-Type: application/json-patch+json" -H "Authorization: Bearer $token" \
-            -d "[$ops]" \
-            "https://kubernetes.default.svc/api/v1/namespaces/{{.Release.Namespace}}?fieldManager=kubectl-label"
+        - --extension
+        - smi
+        - --namespace
+        - {{.Release.Namespace}}
+        - --linkerd-namespace
+        - {{.Values.linkerdNamespace}}
diff --git a/charts/linkerd-smi/values.yaml b/charts/linkerd-smi/values.yaml
@@ -1,6 +1,9 @@
 # -- Kubernetes DNS Domain name to use
 clusterDomain: cluster.local
 
+# -- Namespace of the Linkerd core control-plane install
+linkerdNamespace: linkerd
+
 # SMI Adaptor configuration
 adaptor:
   image:
@@ -19,3 +22,14 @@ adaptor:
   nodeSelector: {}
   # -- Tolerations for the adaptor instance
   tolerations: []
+
+namespaceMetadata:
+  image:
+    # -- Docker registry for the namespace-metadata instance
+    registry: cr.l5d.io/linkerd
+    # -- Docker image name for the namespace-metadata instance
+    name: extension-init
+    # -- Docker image tag for the namespace-metadata instance
+    tag: v0.1.0
+    # -- Pull policy for the namespace-metadata instance
+    pullPolicy: IfNotPresent