feat: switch to distroless base image

Author: aramase

.gitignore

@@ -25,3 +25,5 @@ azure.json
 .DS_Store
 
 .idea/
+
+_output/

.pipelines/pr.yml

@@ -1,4 +1,7 @@
-trigger: none
+trigger:
+  branches:
+    include:
+    - master
 
 pr:
   branches:

.pipelines/scan-images.yml

@@ -0,0 +1,13 @@
+steps:
+  - script: |
+      export REGISTRY="e2e"
+      export IMAGE_VERSION="test"
+      make build-image
+      wget https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
+      tar zxvf trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
+
+      # show all vulnerabilities in the logs
+      ./trivy "${REGISTRY}/keyvault:${IMAGE_VERSION}"
+      
+      ./trivy --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL "${REGISTRY}/keyvault:${IMAGE_VERSION}" || exit 1
+    displayName: "Scan images for vulnerability"

.pipelines/unit-tests-template.yml

@@ -1,6 +1,6 @@
 jobs:
   - job: unit_tests
-    timeoutInMinutes: 20
+    timeoutInMinutes: 10
     cancelTimeoutInMinutes: 5
     workspace:
       clean: all
@@ -23,8 +23,9 @@ jobs:
           CLIENT_ID: $(AZURE_CLIENT_ID)
           CLIENT_SECRET: $(AZURE_CLIENT_SECRET)
       - script: |
-          sudo ./kubernetes-kms > /dev/null &
+          sudo ./_output/kubernetes-kms > /dev/null &
           echo Waiting 2 seconds for the server to start
           sleep 2
           make integration-test
-        displayName: Run intergration tests
+        displayName: Run integration tests
+      - template: scan-images.yml

Dockerfile

@@ -1,6 +1,8 @@
-FROM alpine:3.12
-WORKDIR /bin
+FROM us.gcr.io/k8s-artifacts-prod/build-image/debian-base-amd64:buster-v1.2.0
+COPY ./_output/kubernetes-kms /bin/
+# upgrading apt &libapt-pkg5.0 due to CVE-2020-27350
+# upgrading libp11-kit0 due to CVE-2020-29362, CVE-2020-29363 and CVE-2020-29361
+RUN apt-mark unhold apt && \
+    clean-install ca-certificates apt libapt-pkg5.0 libp11-kit0 wget
 
-ADD ./kubernetes-kms /bin/k8s-azure-kms
-
-CMD ["./k8s-azure-kms"]
+ENTRYPOINT [ "/bin/kubernetes-kms" ]

Makefile

@@ -1,11 +1,15 @@
-binary := kubernetes-kms
 REGISTRY_NAME ?= upstreamk8sci
-REGISTRY ?= $(REGISTRY_NAME).azurecr.io
 REPO_PREFIX ?= k8s/kms
-DOCKER_IMAGE := $(REGISTRY)/$(REPO_PREFIX)/keyvault
-VERSION ?= v0.0.9
+REGISTRY ?= $(REGISTRY_NAME).azurecr.io/$(REPO_PREFIX)
+IMAGE_NAME ?= keyvault
+IMAGE_VERSION ?= v0.0.9
+IMAGE_TAG ?= $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_VERSION)
 CGO_ENABLED_FLAG := 0
 
+# docker env var
+DOCKER_BUILDKIT = 1
+export DOCKER_BUILDKIT
+
 ifeq ($(OS),Windows_NT)
 	GOOS_FLAG = windows
 else
@@ -21,26 +25,20 @@ endif
 .PHONY: build
 build: authors
 	@echo "Building..."
-	$Q GOOS=${GOOS_FLAG} CGO_ENABLED=${CGO_ENABLED_FLAG} go build .
+	$Q GOOS=$(GOOS_FLAG) CGO_ENABLED=$(CGO_ENABLED_FLAG) go build -o _output/kubernetes-kms .
 
-build-image: authors deps
-	@echo "Building..."
-	$Q GOOS=linux CGO_ENABLED=${CGO_ENABLED_FLAG} go build .
+build-image: authors clean build
 	@echo "Building docker image..."
-	$Q docker build -t $(DOCKER_IMAGE):$(VERSION) .
+	$Q docker build -t $(IMAGE_TAG) .
 
-push: build-image
-	$Q docker push $(DOCKER_IMAGE):$(VERSION)
+push-image: build-image
+	$Q docker push $(IMAGE_TAG)
 
-.PHONY: clean deps unit-test integration-test
+.PHONY: clean unit-test integration-test
 
 clean:
 	@echo "Clean..."
-	$Q rm -rf $(binary)
-
-setup: clean
-	@echo "Setup..."
-	go get -u github.com/golang/dep/cmd/dep
+	$Q rm -rf _output/
 
 authors:
 	$Q git log --all --format='%aN <%cE>' | sort -u  | sed -n '/github/!p' > GITAUTHORS