Tutorials use potentially vulnerable container image gcr.io/spiffe-io/wait-for-it

[elinesterov]

From slack:

Erik Godding Boye
Yesterday at 9:12 AM
Does anyone know where the image gcr.io/spiffe-io/wait-for-it is mastered? It desperately need some security updates:

D:~ $ trivy image gcr.io/spiffe-io/wait-for-it --security-checks vuln --severity CRITICAL,HIGH --quiet

gcr.io/spiffe-io/wait-for-it (alpine 3.14.2)

Total: 27 (HIGH: 26, CRITICAL: 1)

We use wait-for-it container basically to make sure that the SPIRE server is up before running agents. That helps to reduce the number of false errors in the logs etc. There is no other practical need for it as far as I understand.

I see the following options to fix this issue (with the different efforts for it, from lower to higher):

1. Change the current image to something that can perform the same functionality but is supported/maintained by another credible source (e.g., Google)
2. Bake the functionality into our spire-agent release images (we use scratch as a base, so we will need to change the CI process)
3. Implement the server-healthcheck feature in an agent, so we just have one binary, and the init container in the k8s config is the same as an app container.

[evan2645]

@developer-guy and @dlorenc have graciously offered to publish a maintained image of wait-for-it. This issue was discussed in SPIRE maintainer sync today, and consensus was we should take them up on the offer and switch to using that.

Option 2 was seen as a good (but smelly) short term solution ... a k8s operator was seen as the correct long term solution.

When changing the container reference to pick up Chainguard's image, we should also add comments in the README and/or in the YAML stating that the use of this image is for cosmetic purposes in our tutorials e.g.

// The use of wait-for-it in these tutorials is for cosmetic purposes only. Production deployments
// should deploy the server in advance of the agent, particularly during upgrades. Please see
// https://github.com/spiffe/spire/blob/main/doc/upgrading.md for more information.

[marcofranssen]

Awesome, we where also planning switching there.

• Replace wait-for-it image to get rid of vulnerabilities philips-labs/helm-charts#80

[developer-guy]

Hello, folx; I've good news: the wait-for-it image is now available on Chainguard's registry. 🥳

cgr.dev/chainguard/wait-for-it:latest

It has been built for amd64 architectures only, but hoping to make it more suitable with other architectures and already created a PR for that 🙈

/cc @dlorenc @rawlingsj

[marcofranssen]

See philips-labs/helm-charts#80

Now waiting for the Arm64 support.