From 5083bbc8e9d5aef265d2c842a91f4ae6ec93a2a2 Mon Sep 17 00:00:00 2001 From: Alexey Yakubov Date: Wed, 15 Jan 2025 17:47:05 +0300 Subject: [PATCH] [internal] CSI Distroless (#99) Signed-off-by: Alexey Yakubov Signed-off-by: v.oleynikov Signed-off-by: Aleksandr Zimin Co-authored-by: v.oleynikov Co-authored-by: Aleksandr Zimin Co-authored-by: Alexey Yakubov --- images/sds-local-volume-controller/src/go.mod | 4 +- images/sds-local-volume-controller/src/go.sum | 4 +- images/sds-local-volume-csi/src/go.mod | 4 +- images/sds-local-volume-csi/src/go.sum | 4 +- images/sds-local-volume-csi/werf.inc.yaml | 76 +++++++++++++++---- .../src/go.mod | 4 +- .../src/go.sum | 4 +- images/webhooks/src/go.mod | 4 +- images/webhooks/src/go.sum | 8 +- 9 files changed, 80 insertions(+), 32 deletions(-) diff --git a/images/sds-local-volume-controller/src/go.mod b/images/sds-local-volume-controller/src/go.mod index 79d1ad78..c28fc843 100644 --- a/images/sds-local-volume-controller/src/go.mod +++ b/images/sds-local-volume-controller/src/go.mod @@ -3,8 +3,8 @@ module sds-local-volume-controller go 1.23.4 require ( - github.com/deckhouse/sds-local-volume/api v0.0.0-20241030133552-b9f48131ef9f - github.com/deckhouse/sds-node-configurator/api v0.0.0-20241205120718-db6ffba1689b + github.com/deckhouse/sds-local-volume/api v0.0.0-20250114155747-5d75d401a787 + github.com/deckhouse/sds-node-configurator/api v0.0.0-20250114161813-c1a8b09cd47d github.com/go-logr/logr v1.4.2 github.com/onsi/ginkgo/v2 v2.20.0 github.com/onsi/gomega v1.34.1 diff --git a/images/sds-local-volume-controller/src/go.sum b/images/sds-local-volume-controller/src/go.sum index 092c15d6..5faf975c 100644 --- a/images/sds-local-volume-controller/src/go.sum +++ b/images/sds-local-volume-controller/src/go.sum 
@@ -6,8 +6,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/deckhouse/sds-node-configurator/api v0.0.0-20241205120718-db6ffba1689b h1:7/31qbj61tdToVqc1P5seXHT2xNbx0gO1Ifza4nsxgk= -github.com/deckhouse/sds-node-configurator/api v0.0.0-20241205120718-db6ffba1689b/go.mod h1:ROmrnlcAdtYX8HPb0pe1qsnmISpy5FSW5fn2n67JOoE= +github.com/deckhouse/sds-node-configurator/api v0.0.0-20250114161813-c1a8b09cd47d h1:I5Bv75VPlH9AdBIOF4a1RIVRAr+zas8CMjeZ6pzJ7eE= +github.com/deckhouse/sds-node-configurator/api v0.0.0-20250114161813-c1a8b09cd47d/go.mod h1:ro/TIWC/cbDPgjaCzJkbrekzp1CqPzgAzGdNUnww+Ps= github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU= github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= diff --git a/images/sds-local-volume-csi/src/go.mod b/images/sds-local-volume-csi/src/go.mod index e8c81f86..57679425 100644 --- a/images/sds-local-volume-csi/src/go.mod +++ b/images/sds-local-volume-csi/src/go.mod @@ -4,8 +4,8 @@ go 1.23.4 require ( github.com/container-storage-interface/spec v1.10.0 - github.com/deckhouse/sds-local-volume/api v0.0.0-20241030133552-b9f48131ef9f - github.com/deckhouse/sds-node-configurator/api v0.0.0-20241205120718-db6ffba1689b + github.com/deckhouse/sds-local-volume/api v0.0.0-20250114155747-5d75d401a787 + github.com/deckhouse/sds-node-configurator/api v0.0.0-20250114161813-c1a8b09cd47d github.com/go-logr/logr v1.4.2 github.com/golang/protobuf v1.5.4 github.com/google/uuid v1.6.0 
diff --git a/images/sds-local-volume-csi/src/go.sum b/images/sds-local-volume-csi/src/go.sum index 3382f538..9e7941bf 100644 --- a/images/sds-local-volume-csi/src/go.sum +++ b/images/sds-local-volume-csi/src/go.sum @@ -6,8 +6,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/deckhouse/sds-node-configurator/api v0.0.0-20241205120718-db6ffba1689b h1:7/31qbj61tdToVqc1P5seXHT2xNbx0gO1Ifza4nsxgk= -github.com/deckhouse/sds-node-configurator/api v0.0.0-20241205120718-db6ffba1689b/go.mod h1:ROmrnlcAdtYX8HPb0pe1qsnmISpy5FSW5fn2n67JOoE= +github.com/deckhouse/sds-node-configurator/api v0.0.0-20250114161813-c1a8b09cd47d h1:I5Bv75VPlH9AdBIOF4a1RIVRAr+zas8CMjeZ6pzJ7eE= +github.com/deckhouse/sds-node-configurator/api v0.0.0-20250114161813-c1a8b09cd47d/go.mod h1:ro/TIWC/cbDPgjaCzJkbrekzp1CqPzgAzGdNUnww+Ps= github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU= github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= diff --git a/images/sds-local-volume-csi/werf.inc.yaml b/images/sds-local-volume-csi/werf.inc.yaml index 439eb9a3..6e92f477 100644 --- a/images/sds-local-volume-csi/werf.inc.yaml +++ b/images/sds-local-volume-csi/werf.inc.yaml 
@@ -1,3 +1,5 @@ +{{- $csiBinaries := "/usr/sbin/blkid /usr/sbin/blockdev /usr/bin/curl /lib64/libnss_files.so.2 /lib64/libnss_dns.so.2 /usr/sbin/mkfs.xfs /usr/sbin/xfs_admin /usr/sbin/xfs_bmap /usr/sbin/xfs_copy /usr/sbin/xfs_db /usr/sbin/xfs_estimate /usr/sbin/xfs_freeze /usr/sbin/xfs_fsr /usr/sbin/xfs_growfs /usr/sbin/xfs_info /usr/sbin/xfs_io /usr/sbin/xfs_logprint /usr/sbin/xfs_mdrestore /usr/sbin/xfs_metadump /usr/sbin/xfs_mkfile /usr/sbin/xfs_ncheck /usr/sbin/xfs_property /usr/sbin/xfs_quota /usr/sbin/xfs_repair /usr/sbin/xfs_rtcp /usr/sbin/xfs_scrub /usr/sbin/xfs_scrub_all /usr/sbin/xfs_spaceman /sbin/badblocks /sbin/debugfs /sbin/dumpe2fs /sbin/e2freefrag /sbin/e2fsck /sbin/e2image /sbin/e2initrd_helper /sbin/e2label /sbin/e2mmpstatus /sbin/e2scrub /sbin/e2scrub_all /sbin/e2undo /sbin/e4crypt /sbin/e4defrag /sbin/filefrag /sbin/fsck.ext2 /sbin/fsck.ext3 /sbin/fsck.ext4 /sbin/fsck.ext4dev /sbin/logsave /sbin/mke2fs /sbin/mkfs.ext2 /sbin/mkfs.ext3 /sbin/mkfs.ext4 /sbin/mkfs.ext4dev /sbin/mklost+found /sbin/resize2fs /sbin/tune2fs /usr/bin/chattr /usr/bin/lsattr /usr/sbin/dmfilemapd /usr/sbin/fsadm /usr/sbin/lvchange /usr/sbin/lvconvert /usr/sbin/lvcreate /usr/sbin/lvdisplay /usr/sbin/lvextend /usr/sbin/lvm /usr/sbin/lvm_import_vdo /usr/sbin/lvmconfig /usr/sbin/lvmdevices /usr/sbin/lvmdiskscan /usr/sbin/lvmdump /usr/sbin/lvmpolld /usr/sbin/lvmsadc /usr/sbin/lvmsar /usr/sbin/lvreduce /usr/sbin/lvremove /usr/sbin/lvrename /usr/sbin/lvresize /usr/sbin/lvs /usr/sbin/lvscan /usr/sbin/pvchange /usr/sbin/pvck /usr/sbin/pvcreate /usr/sbin/pvdisplay /usr/sbin/pvmove /usr/sbin/pvremove /usr/sbin/pvresize /usr/sbin/pvs /usr/sbin/pvscan /usr/sbin/vgcfgbackup /usr/sbin/vgcfgrestore /usr/sbin/vgchange /usr/sbin/vgck /usr/sbin/vgconvert /usr/sbin/vgcreate /usr/sbin/vgdisplay /usr/sbin/vgexport /usr/sbin/vgextend /usr/sbin/vgimport /usr/sbin/vgimportclone /usr/sbin/vgimportdevices /usr/sbin/vgmerge /usr/sbin/vgmknodes /usr/sbin/vgreduce /usr/sbin/vgremove /usr/sbin/vgrename 
/usr/sbin/vgs /usr/sbin/vgscan /usr/sbin/vgsplit /bin/mount /bin/umount /sbin/swapoff /sbin/swapon" }} +# "/usr/bin/mount" "/usr/sbin/mkfs /usr/sbin/mkfs.xfs /usr/sbin/mkfs.ext4 /usr/sbin/resize2fs /usr/sbin/lvm" # Required for external analytics. Do not remove! --- image: {{ $.ImageName }}-src-artifact 
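Review bot: The `$csiBinaries` list added at the top of werf.inc.yaml relocates far more into the runtime image than a distroless build suggests: `/usr/bin/curl`, `/sbin/debugfs`, `/usr/sbin/xfs_db`, `/sbin/e4crypt`, `/sbin/swapon` and `/sbin/swapoff` ship next to the mkfs, resize and lvm tools. The driver source is not part of this patch, so which of these it actually executes cannot be confirmed here, but the commented line directly below the variable names a much shorter set (mount, mkfs, mkfs.xfs, mkfs.ext4, resize2fs, lvm). Consider trimming the list to the binaries the driver invokes and dropping curl unless a probe depends on it, since every extra tool stays available to whatever runs inside a container that works on block devices. A comment above the variable, for example `# Binaries executed by the CSI driver; keep in sync with the driver's exec calls`, would record the intent and make later additions reviewable.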
@@ -40,28 +42,74 @@ shell: - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" -o /{{ $.ImageName }} - chmod +x /{{ $.ImageName }} + --- -image: {{ $.ImageName }} +image: {{ $.ImageName }}-binaries-artifact +from: {{ $.Root.BASE_ALT_P11 }} +final: false + +git: + - add: /tools/dev_images/additional_tools/binary_replace.sh + to: /binary_replace.sh + stageDependencies: + install: + - '**/*' + +shell: + install: + - apt-get update + - apt-get -y install glibc-utils glibc-core glibc-nss mount nfs-utils curl curl lvm2 e2fsprogs xfsprogs + - rm -rf /var/lib/apt/lists/* /var/cache/apt/* && mkdir -p /var/lib/apt/lists/partial /var/cache/apt/archives/partial + - chmod +x /binary_replace.sh + - /binary_replace.sh -i "{{ $csiBinaries }}" -o /relocate + +--- +image: {{ $.ImageName }}-distroless-artifact from: {{ $.Root.BASE_ALT_P11 }} +final: false + +shell: + install: + - apt-get update + - apt-get -y install ca-certificates tzdata + - mkdir -p /relocate/bin /relocate/sbin /relocate/etc /relocate/etc/ssl /relocate/usr/bin /relocate/usr/sbin /relocate/usr/share + - cp -pr /tmp /relocate + - cp -pr /etc/passwd /etc/group /etc/hostname /etc/hosts /etc/shadow /etc/protocols /etc/services /etc/nsswitch.conf /relocate/etc + - cp -pr /usr/share/ca-certificates /relocate/usr/share + - cp -pr /usr/share/zoneinfo /relocate/usr/share + # changed from /etc/ssl/* to ALTLinux specific + - cp -pr /etc/pki/tls/cert.pem /relocate/etc/ssl + - cp -pr /etc/pki/tls/certs /relocate/etc/ssl + - echo "deckhouse:x:64535:64535:deckhouse:/:/sbin/nologin" >> /relocate/etc/passwd + - echo "deckhouse:x:64535:" >> /relocate/etc/group + - echo "deckhouse:!::0:::::" >> /relocate/etc/shadow + +--- +image: {{ $.ImageName }}-distroless +from: {{ $.Root.BASE_SCRATCH }} +final: false + +import: + - image: {{ $.ImageName }}-distroless-artifact + add: /relocate + to: / + before: install + +--- +image: {{ $.ImageName }} +fromImage: {{ $.ImageName }}-distroless import: - image: {{ $.ImageName 
}}-golang-artifact add: /{{ $.ImageName }} to: /{{ $.ImageName }} before: install - -shell: - beforeInstall: - - export DEBIAN_FRONTEND=noninteractive - - apt-get update - - apt-get install -y curl - - | - apt-get -y install lvm2 e2fsprogs xfsprogs \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - - echo "deckhouse:x:64535:64535:deckhouse:/:/sbin/nologin" >> /etc/passwd - - echo "deckhouse:x:64535:" >> /etc/group - - echo "deckhouse:!::0:::::" >> /etc/shadow + - image: {{ $.ImageName }}-binaries-artifact + add: /relocate + to: / + before: install + includePaths: + - '**/*' docker: ENTRYPOINT: ["/{{ $.ImageName }}"] diff --git a/images/sds-local-volume-scheduler-extender/src/go.mod b/images/sds-local-volume-scheduler-extender/src/go.mod index 0a646e64..1f66653e 100644 --- a/images/sds-local-volume-scheduler-extender/src/go.mod +++ b/images/sds-local-volume-scheduler-extender/src/go.mod @@ -3,8 +3,8 @@ module sds-local-volume-scheduler-extender go 1.23.4 require ( - github.com/deckhouse/sds-local-volume/api v0.0.0-20241030133552-b9f48131ef9f - github.com/deckhouse/sds-node-configurator/api v0.0.0-20241205120718-db6ffba1689b + github.com/deckhouse/sds-local-volume/api v0.0.0-20250114155747-5d75d401a787 + github.com/deckhouse/sds-node-configurator/api v0.0.0-20250114161813-c1a8b09cd47d github.com/go-logr/logr v1.4.2 github.com/go-logr/zapr v1.3.0 github.com/spf13/cobra v1.8.1 diff --git a/images/sds-local-volume-scheduler-extender/src/go.sum b/images/sds-local-volume-scheduler-extender/src/go.sum index cc430b1c..42ca4f40 100644 --- a/images/sds-local-volume-scheduler-extender/src/go.sum +++ b/images/sds-local-volume-scheduler-extender/src/go.sum 
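Review bot: In the `-distroless-artifact` stage, `cp -pr /etc/passwd /etc/group /etc/hostname /etc/hosts /etc/shadow ...` carries the base image's whole account database, including `/etc/shadow`, into the scratch-based final image before the `deckhouse` entries are appended. Nothing visible in the hunk needs the base image's shadow entries, so consider dropping `/etc/shadow` from that `cp` list and letting the later `echo "deckhouse:!::0:::::" >> /relocate/etc/shadow` create the file with only the locked entry. In the `-binaries-artifact` stage, `apt-get -y install` names `curl` twice and installs `nfs-utils` although no NFS binary appears in `$csiBinaries`; removing both keeps the package list in step with what is actually relocated. The `docker:` block may continue past the hunk's last line, so whether a `USER` is set for the final image cannot be seen here.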
@@ -7,8 +7,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/deckhouse/sds-node-configurator/api v0.0.0-20241205120718-db6ffba1689b h1:7/31qbj61tdToVqc1P5seXHT2xNbx0gO1Ifza4nsxgk= -github.com/deckhouse/sds-node-configurator/api v0.0.0-20241205120718-db6ffba1689b/go.mod h1:ROmrnlcAdtYX8HPb0pe1qsnmISpy5FSW5fn2n67JOoE= +github.com/deckhouse/sds-node-configurator/api v0.0.0-20250114161813-c1a8b09cd47d h1:I5Bv75VPlH9AdBIOF4a1RIVRAr+zas8CMjeZ6pzJ7eE= +github.com/deckhouse/sds-node-configurator/api v0.0.0-20250114161813-c1a8b09cd47d/go.mod h1:ro/TIWC/cbDPgjaCzJkbrekzp1CqPzgAzGdNUnww+Ps= github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU= github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch v0.5.2 h1:xVCHIVMUu1wtM/VkR9jVZ45N3FhZfYMMYGorLCR8P3k= diff --git a/images/webhooks/src/go.mod b/images/webhooks/src/go.mod index 9fc49b9c..af958340 100644 --- a/images/webhooks/src/go.mod +++ b/images/webhooks/src/go.mod @@ -3,8 +3,8 @@ module webhooks go 1.23.4 require ( - github.com/deckhouse/sds-local-volume/api v0.0.0-20241030133552-b9f48131ef9f - github.com/deckhouse/sds-node-configurator/api v0.0.0-20241205120718-db6ffba1689b + github.com/deckhouse/sds-local-volume/api v0.0.0-20250114155747-5d75d401a787 + github.com/deckhouse/sds-node-configurator/api v0.0.0-20250114161813-c1a8b09cd47d github.com/sirupsen/logrus v1.9.3 github.com/slok/kubewebhook/v2 v2.6.0 k8s.io/api v0.30.3 diff --git a/images/webhooks/src/go.sum b/images/webhooks/src/go.sum index f883f6bd..ce5396b2 100644 --- a/images/webhooks/src/go.sum 
+++ b/images/webhooks/src/go.sum @@ -2,10 +2,10 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/deckhouse/sds-local-volume/api v0.0.0-20241030133552-b9f48131ef9f h1:7jnAEWU8u4D2LdJV3NjRF8sSBfDvy19886tFykt0fP0= -github.com/deckhouse/sds-local-volume/api v0.0.0-20241030133552-b9f48131ef9f/go.mod h1:cYxHYJmIl6g9lXb1etqmLeQL/vsPMgscmact/FObd+U= -github.com/deckhouse/sds-node-configurator/api v0.0.0-20241205120718-db6ffba1689b h1:7/31qbj61tdToVqc1P5seXHT2xNbx0gO1Ifza4nsxgk= -github.com/deckhouse/sds-node-configurator/api v0.0.0-20241205120718-db6ffba1689b/go.mod h1:ROmrnlcAdtYX8HPb0pe1qsnmISpy5FSW5fn2n67JOoE= +github.com/deckhouse/sds-local-volume/api v0.0.0-20250114155747-5d75d401a787 h1:YYeoWACJsEOqNcQ/RWDsF82hihNYZKlYZAJopvdeKrQ= +github.com/deckhouse/sds-local-volume/api v0.0.0-20250114155747-5d75d401a787/go.mod h1:LBLI26oEmeAMYTSRFFFljP8AOk4kqJEwHcf4fYnyzME= +github.com/deckhouse/sds-node-configurator/api v0.0.0-20250114161813-c1a8b09cd47d h1:I5Bv75VPlH9AdBIOF4a1RIVRAr+zas8CMjeZ6pzJ7eE= +github.com/deckhouse/sds-node-configurator/api v0.0.0-20250114161813-c1a8b09cd47d/go.mod h1:ro/TIWC/cbDPgjaCzJkbrekzp1CqPzgAzGdNUnww+Ps= github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=