Add dropgz module for CNI installer #1335
wedaly
left a comment
overall looks good! had a few small comments/questions
One other thing to think about is testing. I'd suggest validating that all the expected files have been embedded, can be written out, and have the correct checksums (better to catch problems before this gets deployed to a cluster)
timraymond
left a comment
Looks pretty good--no showstoppers that I can see. I have a couple of suggestions and questions though.
| skipVerify bool | ||
| outs []string |
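Review bot: `skipVerify` is declared as a bare package-level bool next to `outs`, with nothing stating what it skips or what its default is. Because the tool writes files out to the host, add a comment saying it is a CLI flag and that verification stays on unless it is set, and consider logging whenever it is set.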
Might be helpful to document that these are flags... it took me a second or two to figure out why they were globals
Signed-off-by: Evan Baker <rbtr@users.noreply.github.com>
tamilmani1989
left a comment
unit tests are missing for this new package.
| ARG VERSION | ||
| WORKDIR /azure-container-networking | ||
| COPY . . | ||
| RUN CGO_ENABLED=0 go build -a -o bin/azure-vnet -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" cni/network/plugin/main.go |
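Review bot: in the `go build` line, `-ldflags "-X main.version="$VERSION""` closes the double quote before `$VERSION`, so the variable is expanded unquoted and the trailing `""` is an empty string. `-ldflags "-X main.version=$VERSION"` keeps the whole flag value inside one quoted word. Separately, `COPY . .` brings the entire build context into this stage, so it is worth confirming that a `.dockerignore` excludes anything that should not be in it.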
build with aimetadata?
tamilmani1989
left a comment
lgtm.. please add work item to cover unit tests in separate PR as discussed offline
Reason for Change:
Adds a CLI tool ("dropgz") for reliably deploying arbitrary files via a single self-contained binary/image.
Initial use case: to install the CNI binaries at runtime via an init container in the CNS daemonset.
Issue Fixed:
Requirements:
Notes:
`dropgz` is effectively a CLI wrapper around Go's `embed.FS`, allowing us to pack the contents of a directory into a binary and deploy the contents back out to the filesystem on-demand. The contents of the binary are determined at build-time, and SHA checksums are computed and stored with the files in the embed FS to allow us to verify integrity of the deployed files (bonus, we can skip re-deploying if the existing file-on-disk has the correct SHA).

Q: Why not just do this by copying the bins to deploy into a busybox container (or other base image with a shell that can `cp`)?

A: Packing the files into a Go bin lets us build in a scratch container with no shell, reducing the potential attack surface for a privileged container that is writing files out to the host disk (in our use-case, writing the CNI bins which are invoked by CRI on all Pod create/delete events on a K8s Node).
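The verify-then-write flow the Notes describe, as an added example that is not dropgz's own code: `deploy`, `sum`, `sampleFS` and the sample payload are hypothetical names, `fstest.MapFS` stands in for the `embed.FS`, and the expected checksum is assumed to be SHA-256 and passed in as a parameter rather than read from the embedded FS.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"testing/fstest"
)

// Constructed sample; fstest.MapFS stands in for the embed.FS in the binary.
var sample = []byte("constructed sample payload\n")
var sampleFS = fstest.MapFS{"azure-vnet": {Data: sample}}

func sum(b []byte) string { h := sha256.Sum256(b); return hex.EncodeToString(h[:]) }

// deploy writes name from src to dest only if it hashes to wantSHA; false means dest was already correct.
func deploy(src fs.FS, name, wantSHA, dest string) (bool, error) {
	if cur, err := os.ReadFile(dest); err == nil && sum(cur) == wantSHA {
		return false, nil // file on disk already has the expected SHA: skip
	}
	data, err := fs.ReadFile(src, name)
	if err != nil {
		return false, err
	}
	if got := sum(data); got != wantSHA {
		return false, fmt.Errorf("%s: checksum mismatch: got %s, want %s", name, got, wantSHA)
	}
	// Temp file in the target directory plus rename: dest is never seen half-written.
	tmp, err := os.CreateTemp(filepath.Dir(dest), ".deploy-*")
	if err != nil {
		return false, err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename has succeeded
	if _, err = tmp.Write(data); err == nil {
		err = tmp.Chmod(0o755)
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err == nil {
		err = os.Rename(tmp.Name(), dest)
	}
	return err == nil, err
}

func main() {
	fmt.Println(deploy(sampleFS, "azure-vnet", sum(sample), filepath.Join(os.TempDir(), "azure-vnet.example")))
}
```

A file on disk that no longer matches the expected checksum is rewritten on the next run, while an embedded payload that does not match is refused before anything touches the destination.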