Merge pull request #95 from luxas/distroless-etcd

Don't make use of /bin/sh in etcd images & update etcd version
kcp-dev · Aug 14, 2024 · d71f723 · d71f723
2 parents a8454bb + 1f23fa0
commit d71f723
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 55 deletions.
diff --git a/charts/kcp/templates/etcd-statefulset.yaml b/charts/kcp/templates/etcd-statefulset.yaml
@@ -42,33 +42,37 @@ spec:
         - name: etcd
           image: {{ .Values.etcd.image }}:{{ .Values.etcd.tag }}
           command:
-            - /bin/sh
-            - -c
-            - |
-              PEERS="{{ include "etcd.fullname" . }}-0=https://{{ include "etcd.fullname" . }}-0.{{ include "etcd.fullname" . }}:2380,{{ include "etcd.fullname" . }}-1=https://{{ include "etcd.fullname" . }}-1.{{ include "etcd.fullname" . }}:2380,{{ include "etcd.fullname" . }}-2=https://{{ include "etcd.fullname" . }}-2.{{ include "etcd.fullname" . }}:2380"
-              exec etcd --name ${HOSTNAME} \
-                --listen-peer-urls https://0.0.0.0:2380 \
-                --initial-advertise-peer-urls https://${HOSTNAME}:2380 \
-                --listen-client-urls https://0.0.0.0:2379 \
-                --advertise-client-urls https://${HOSTNAME}:2379 \
-                --initial-cluster-token etcd-cluster-1 \
-                --initial-cluster ${PEERS} \
-                --initial-cluster-state new \
-                --auto-compaction-mode=periodic \
-                --auto-compaction-retention=5m \
-                --data-dir /var/run/etcd/default.etcd \
-                --peer-client-cert-auth=true \
-                --peer-cert-file=/etc/etcd/tls/peer/tls.crt \
-                --peer-key-file=/etc/etcd/tls/peer/tls.key \
-                --peer-trusted-ca-file=/etc/etcd/tls/peer-ca/tls.crt \
-                --client-cert-auth=true \
-                --cert-file=/etc/etcd/tls/server/tls.crt \
-                --key-file=/etc/etcd/tls/server/tls.key \
-                --trusted-ca-file=/etc/etcd/tls/client-ca/tls.crt \
-                {{- if .Values.etcd.profiling.enabled }}
-                --enable-pprof=true \
-                {{- end }}
-                --snapshot-count=5000
+          - etcd
+          - --name=$(HOSTNAME)
+          - --listen-peer-urls=https://0.0.0.0:2380
+          - --initial-advertise-peer-urls=https://$(HOSTNAME):2380
+          - --listen-client-urls=https://0.0.0.0:2379
+          - --advertise-client-urls=https://$(HOSTNAME):2379
+          - --initial-cluster-token=etcd-cluster-1
+          - --initial-cluster=$(PEERS)
+          - --initial-cluster-state=new
+          - --auto-compaction-mode=periodic
+          - --auto-compaction-retention=5m
+          - --data-dir=/var/run/etcd/default.etcd
+          - --peer-client-cert-auth=true
+          - --peer-cert-file=/etc/etcd/tls/peer/tls.crt
+          - --peer-key-file=/etc/etcd/tls/peer/tls.key
+          - --peer-trusted-ca-file=/etc/etcd/tls/peer-ca/tls.crt
+          - --client-cert-auth=true
+          - --cert-file=/etc/etcd/tls/server/tls.crt
+          - --key-file=/etc/etcd/tls/server/tls.key
+          - --trusted-ca-file=/etc/etcd/tls/client-ca/tls.crt
+          {{- if .Values.etcd.profiling.enabled }}
+          - --enable-pprof=true
+          {{- end }}
+          - --snapshot-count=5000
+          env:
+          - name: PEERS
+            value: "{{ include "etcd.fullname" . }}-0=https://{{ include "etcd.fullname" . }}-0.{{ include "etcd.fullname" . }}:2380,{{ include "etcd.fullname" . }}-1=https://{{ include "etcd.fullname" . }}-1.{{ include "etcd.fullname" . }}:2380,{{ include "etcd.fullname" . }}-2=https://{{ include "etcd.fullname" . }}-2.{{ include "etcd.fullname" . }}:2380"
+          - name: HOSTNAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
           ports:
             - containerPort: 2379
               name: client

diff --git a/charts/kcp/values.yaml b/charts/kcp/values.yaml
@@ -3,7 +3,7 @@ externalPort: "" # defaults to 8443 for .Values.kcpFrontProxy.service.type "Load
 etcd:
   enabled: true
   image: quay.io/coreos/etcd
-  tag: v3.5.4
+  tag: v3.5.15
   resources:
     requests:
       cpu: 500m

diff --git a/charts/shard/templates/etcd-statefulset.yaml b/charts/shard/templates/etcd-statefulset.yaml
@@ -42,33 +42,37 @@ spec:
         - name: etcd
           image: {{ .Values.etcd.image }}:{{ .Values.etcd.tag }}
           command:
-            - /bin/sh
-            - -c
-            - |
-              PEERS="{{ include "etcd.fullname" . }}-0=https://{{ include "etcd.fullname" . }}-0.{{ include "etcd.fullname" . }}:2380,{{ include "etcd.fullname" . }}-1=https://{{ include "etcd.fullname" . }}-1.{{ include "etcd.fullname" . }}:2380,{{ include "etcd.fullname" . }}-2=https://{{ include "etcd.fullname" . }}-2.{{ include "etcd.fullname" . }}:2380"
-              exec etcd --name ${HOSTNAME} \
-                --listen-peer-urls https://0.0.0.0:2380 \
-                --initial-advertise-peer-urls https://${HOSTNAME}:2380 \
-                --listen-client-urls https://0.0.0.0:2379 \
-                --advertise-client-urls https://${HOSTNAME}:2379 \
-                --initial-cluster-token etcd-cluster-1 \
-                --initial-cluster ${PEERS} \
-                --initial-cluster-state new \
-                --auto-compaction-mode=periodic \
-                --auto-compaction-retention=5m \
-                --data-dir /var/run/etcd/default.etcd \
-                --peer-client-cert-auth=true \
-                --peer-cert-file=/etc/etcd/tls/peer/tls.crt \
-                --peer-key-file=/etc/etcd/tls/peer/tls.key \
-                --peer-trusted-ca-file=/etc/etcd/tls/peer-ca/tls.crt \
-                --client-cert-auth=true \
-                --cert-file=/etc/etcd/tls/server/tls.crt \
-                --key-file=/etc/etcd/tls/server/tls.key \
-                --trusted-ca-file=/etc/etcd/tls/client-ca/tls.crt \
-                {{- if .Values.etcd.profiling.enabled }}
-                --enable-pprof=true \
-                {{- end }}
-                --snapshot-count=5000
+          - etcd
+          - --name=$(HOSTNAME)
+          - --listen-peer-urls=https://0.0.0.0:2380
+          - --initial-advertise-peer-urls=https://$(HOSTNAME):2380
+          - --listen-client-urls=https://0.0.0.0:2379
+          - --advertise-client-urls=https://$(HOSTNAME):2379
+          - --initial-cluster-token=etcd-cluster-1
+          - --initial-cluster=$(PEERS)
+          - --initial-cluster-state=new
+          - --auto-compaction-mode=periodic
+          - --auto-compaction-retention=5m
+          - --data-dir=/var/run/etcd/default.etcd
+          - --peer-client-cert-auth=true
+          - --peer-cert-file=/etc/etcd/tls/peer/tls.crt
+          - --peer-key-file=/etc/etcd/tls/peer/tls.key
+          - --peer-trusted-ca-file=/etc/etcd/tls/peer-ca/tls.crt
+          - --client-cert-auth=true
+          - --cert-file=/etc/etcd/tls/server/tls.crt
+          - --key-file=/etc/etcd/tls/server/tls.key
+          - --trusted-ca-file=/etc/etcd/tls/client-ca/tls.crt
+          {{- if .Values.etcd.profiling.enabled }}
+          - --enable-pprof=true
+          {{- end }}
+          - --snapshot-count=5000
+          env:
+          - name: PEERS
+            value: "{{ include "etcd.fullname" . }}-0=https://{{ include "etcd.fullname" . }}-0.{{ include "etcd.fullname" . }}:2380,{{ include "etcd.fullname" . }}-1=https://{{ include "etcd.fullname" . }}-1.{{ include "etcd.fullname" . }}:2380,{{ include "etcd.fullname" . }}-2=https://{{ include "etcd.fullname" . }}-2.{{ include "etcd.fullname" . }}:2380"
+          - name: HOSTNAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
           ports:
             - containerPort: 2379
               name: client