Distroless #8849

Closed
nfuden opened this issue Oct 30, 2023 · 7 comments
Labels: Committed: 1.18; Prioritized (Indicating issue prioritized to be worked on in RFE stream); Priority: Blocker (Blocking users now); Type: Enhancement (New feature or request)

Comments

nfuden commented Oct 30, 2023

Gloo Edge Product

Open Source

Gloo Edge Version

1.15.x

Is your feature request related to a problem? Please describe.

Alpine is no longer supported for our purposes, so we moved to Ubuntu to mimic upstream and decided to hold off at the time on adding a distroless build. Turns out some of the libraries in the image used by upstream include some packages we don't want to have around.

Describe the solution you'd like

Get a distroless option for those who don't want full Ubuntu shenanigans

  • This SHOULD be an opt-in version for both non-fips and fips. This does NOT need the debug images to be supported.
  • This MUST be toggleable as part of the top-level Helm configuration rather than a per-deployment flag.
  • Our distroless SHOULD use most of the same workflow as our Ubuntu versions.
  • This MAY include our apiserver components but it MAY leave that to a future issue.
  • Distroless MUST be supported for gloo, discovery, envoy-gloo-ee-wrapper, extauth, and rate limit servers.
  • Distroless images MUST NOT include any problematic licenses such as those found but not used in Ubuntu images.

Describe alternatives you've considered

No response

Additional Context

No response

@nfuden nfuden added Type: Enhancement New feature or request Priority: Blocker Blocking users now labels Oct 30, 2023
@nfuden nfuden self-assigned this Oct 30, 2023
@sam-heilbron

We no longer consider this a release blocker for 1.16. This is intended to be released in a subsequent patch release. Confirmed with @SantoDE

@sam-heilbron

sam-heilbron commented Dec 12, 2023

#6084 is a duplicate issue. I am closing that one, in favor of this more recently created issue, but I wanted to keep the context

@sam-heilbron

Definition of done:

  • For 1.17, we will publish distroless variants of our images, in addition to our existing images.
  • We will make it possible in the Helm chart to define that distroless variants should be used
  • We will provide user facing documentation around this functionality
  • We will work with the field to enable adoption

@DuncanDoyle DuncanDoyle added RFE and removed RFE labels Mar 4, 2024
@htpvu htpvu added the Prioritized Indicating issue prioritized to be worked on in RFE stream label Mar 6, 2024
@davidjumani

List of problematic libraries that should not be included:

  • berkeleydb

@davidjumani

The following images now have a distroless variant:

  • caching-ee
  • discovery-ee
  • discovery-ee-fips
  • ext-auth-plugins
  • extauth-ee
  • extauth-ee-fips
  • gloo-ee
  • gloo-ee-envoy-wrapper
  • gloo-ee-envoy-wrapper-fips
  • gloo-ee-fips
  • observability-ee
  • rate-limit-ee
  • rate-limit-ee-fips
  • sds-ee
  • sds-ee-fips

Having discussed on Slack, have decided to:

  • Add support for fed images

@davidjumani

Adding distroless variants to all images created by Gloo Edge in #9278

@davidjumani

This will be in v1.17.0.
Distroless images can be specified by setting the Helm value global.image.variant to distroless or fips-distroless.
