Support flavored Docker images i.e. awscli v2, tfsec, or alpine, debian #2523

Closed
1 task
nitrocode opened this issue Sep 14, 2022 · 16 comments
Labels
build Relating to how we build Atlantis feature New functionality/enhancement

Comments

@nitrocode
Member

nitrocode commented Sep 14, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Describe the user story

I'd like to use the kubernetes provider using exec with the latest and greatest awscli version.

The pip version is awscli v1 and the awscli v2 is not simple to install from a custom image.

For the record, we do install both terraform and conftest in the Dockerfile.

ENV DEFAULT_TERRAFORM_VERSION=1.2.9

ENV DEFAULT_CONFTEST_VERSION=0.34.0

Describe the solution you'd like

Bake the awscli v2 in the base image

Describe the drawbacks of your solution

Slightly larger image

Describe alternatives you've considered

Installing my own image (which I do) but I'd prefer if it was baked in the official image

references

@nitrocode nitrocode added the feature New functionality/enhancement label Sep 14, 2022
@jamengual
Contributor

jamengual commented Sep 14, 2022 via email

@marceloboeira
Contributor

It feels like something you could/should do on your own. Otherwise, we'll install a bunch of things in the image just for the few that might use it.

@SudoSpartanDan
Contributor

Agreed with the above, Atlantis is built to be cloud provider agnostic; adding CLIs in there bloats the image for others. Also, you’re giving up the ability to adjust the version of the cli. Say you need to up the cli version, are you also forcing yourself to update Atlantis at the same time?

@marceloboeira
Contributor

Maybe at some point individual projects could send their Dockerfile so that everything required is included "per-project" and not on atlantis server level.

@krzysztof-magosa

maybe let's leave base image as is, and incorporate images with aws cli (and others) separately?

@nitrocode
Member Author

nitrocode commented Sep 19, 2022

@krzysztof-magosa

Yes, I like that approach.

Perhaps a directory or documentation of common Dockerfile flavors of the atlantis image?

  • awscli v2
  • awscli v1
  • tflint
  • tfsec
  • tf-summarize
  • checkov
  • infracost
  • etc

@nitrocode nitrocode changed the title Install awscli v2 in base image Support flavored Docker images i.e. awscli v2, tfsec, tflint, etc Sep 19, 2022
@SudoSpartanDan
Contributor

I’m not sure how valuable this is; wouldn’t it be easier for you to just make your own Dockerfile and install what you need on it? That way you can maintain your versions the way you want.

@macropin

It's not hard to roll your own image and bake in the provider deps that you require and the official image; just start your image with FROM ghcr.io/runatlantis/atlantis:v0.19.8.

@nitrocode
Member Author

Yes, creating custom images is what is currently being done and mentioned above but it is challenging when it comes to the awscli v2.

Perhaps it might be better to roll out an atlantis image for multiple distributions i.e. alpine and debian. Reason for debian would be because it's much easier to install packages like the awscli v2 since it's a first class citizen unlike in alpine.

For examples of apps doing this, see python docker images.

@nitrocode nitrocode changed the title Support flavored Docker images i.e. awscli v2, tfsec, tflint, etc Support flavored Docker images i.e. awscli v2, tfsec, or alpine, debian Oct 4, 2022
@jamengual
Contributor

jamengual commented Oct 4, 2022 via email

@nikolaik
Contributor

With a debian/debian-slim base image we could work around installation of relevant tools that are not compiled for musl libc, like checkov. bridgecrewio/checkov#3649 (comment)

@nitrocode nitrocode added the build Relating to how we build Atlantis label Nov 20, 2022
@llamahunter
Contributor

if atlantis updates its base image to alpine 3.17, it will then have a version of aws-cli available from the alpine package manager that is compatible with v1beta1 k8s authorization.

@nitrocode
Member Author

That's good to know and helpful for people who do not want to go through the pain of installing awscli v2 in alpine. I already did so I'm stuck on it lol.

However, the above was simply an example of how difficult it is to use alpine. I'm not suggesting to get rid of alpine, but simply to offer at least a debian-slim release so it has access to a larger package ecosystem.

@llamahunter
Contributor

> However, the above was simply an example of how difficult it is to use alpine. I'm not suggesting to get rid of alpine, but simply to offer at least a debian-slim release so it has access to a larger package ecosystem.

Agreed... the debian and redhat distributions have gone on some serious diets now that containerization is a thing, and alpine is not quite the 'clear win' it used to be as a base image, especially given the glibc headaches.

@nitrocode
Member Author

There is now a debian bullseye image available as a dev release. When the next release is available, the flavor will be suffixed to the version.

Current images released

docker pull ghcr.io/runatlantis/atlantis:dev-alpine
docker pull ghcr.io/runatlantis/atlantis:dev-debian

Here is an example of how to install awscli v2 on the debian image using the official instructions.

docker run -it \
  ghcr.io/runatlantis/atlantis:dev-debian \
  sh -c 'curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o "awscliv2.zip" && unzip awscliv2.zip && ./aws/install && rm -rf ./aws awscliv2.zip && aws --version'

Returns

You can now run: /usr/local/bin/aws --version
aws-cli/2.9.6 Python/3.9.11 Linux/5.15.49-linuxkit exe/x86_64.debian.11 prompt/off

Future versions when v0.21.0 is released

docker pull ghcr.io/runatlantis/atlantis:v0.21.0-alpine
docker pull ghcr.io/runatlantis/atlantis:v0.21.0-debian
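
An added example, not part of the original thread or the Atlantis project: the "roll your own image" approach discussed above, written as a Dockerfile on the Debian flavor with the awscli v2 download pinned to a version and checked against a SHA-256 before it is installed. The `AWSCLI_SHA256` value is a placeholder you must supply, the versioned zip URL follows AWS's documented naming for specific releases, and `USER root` assumes the install step needs root in the base image.

```dockerfile
# Added example: custom "flavor" image built on the official Debian variant.
# The tag is the one announced in the comment above.
FROM ghcr.io/runatlantis/atlantis:v0.21.0-debian

# Pin the CLI version so it only changes when this file changes,
# independently of Atlantis upgrades.
ARG AWSCLI_VERSION=2.9.6

# Placeholder (assumption): the SHA-256 you recorded for this exact zip after
# verifying it once out of band, e.g. against AWS's published PGP signature.
ARG AWSCLI_SHA256=REPLACE_WITH_VERIFIED_SHA256

# Assumption: installing under /usr/local needs root. If the base image sets a
# non-root USER, switch back to it after this step.
USER root

# -f makes curl fail on HTTP errors instead of saving an error page;
# sha256sum -c aborts the build if the archive does not match the pinned hash.
RUN set -eu; \
    curl -fsSL \
      "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${AWSCLI_VERSION}.zip" \
      -o /tmp/awscliv2.zip; \
    echo "${AWSCLI_SHA256}  /tmp/awscliv2.zip" | sha256sum -c -; \
    unzip -q /tmp/awscliv2.zip -d /tmp; \
    /tmp/aws/install; \
    rm -rf /tmp/aws /tmp/awscliv2.zip; \
    aws --version
```

Build it with `docker build --build-arg AWSCLI_SHA256=<your verified hash> .`; the build fails at the `sha256sum -c` step if the downloaded archive differs from the one you verified.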

@nitrocode
Member Author

FYI

The alpine awscliv2 installation has gotten much simpler using the "Update 2022-08-01" section of https://stackoverflow.com/a/61268529

This advancement also led to native aws-cli-v2 testing package support soon in alpine.

https://gitlab.alpinelinux.org/alpine/aports/-/commit/aa039cf358500ac471ba9f82529dba0c0fdc2887

So if you're using alpine or haven't shifted to the debian image, the awscli v2 native support is almost available in alpine.


8 participants