helm: default to distroless images (gravitational#24706)

Somith11 · Apr 18, 2023 · e1f3fb8 · e1f3fb8
1 parent d011255
commit e1f3fb8
Show file tree

Hide file tree

Showing 15 changed files with 126 additions and 105 deletions.
diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap
@@ -34,7 +34,7 @@ should add an operator side-car when operator is enabled:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport:13.0.0-dev
+      image: public.ecr.aws/gravitational/teleport-distroless:13.0.0-dev
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -157,7 +157,7 @@ should set nodeSelector when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport:13.0.0-dev
+      image: public.ecr.aws/gravitational/teleport-distroless:13.0.0-dev
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -244,7 +244,7 @@ should set resources when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport:13.0.0-dev
+      image: public.ecr.aws/gravitational/teleport-distroless:13.0.0-dev
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -320,7 +320,7 @@ should set securityContext when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport:13.0.0-dev
+      image: public.ecr.aws/gravitational/teleport-distroless:13.0.0-dev
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -406,7 +406,7 @@ should use OSS image and not mount license when enterprise is not set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport:8.3.4
+      image: public.ecr.aws/gravitational/teleport-distroless:12.2.1
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:

diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
@@ -5,7 +5,7 @@ should provision initContainer correctly when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport:13.0.0-dev
+      image: public.ecr.aws/gravitational/teleport-distroless:13.0.0-dev
       name: wait-auth-update
     - args:
       - echo test
@@ -62,7 +62,7 @@ should set nodeSelector when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport:13.0.0-dev
+      image: public.ecr.aws/gravitational/teleport-distroless:13.0.0-dev
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -123,7 +123,7 @@ should set nodeSelector when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport:13.0.0-dev
+      image: public.ecr.aws/gravitational/teleport-distroless:13.0.0-dev
       name: wait-auth-update
     nodeSelector:
       environment: security
@@ -164,7 +164,7 @@ should set resources when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport:13.0.0-dev
+      image: public.ecr.aws/gravitational/teleport-distroless:13.0.0-dev
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -232,7 +232,7 @@ should set resources when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport:13.0.0-dev
+      image: public.ecr.aws/gravitational/teleport-distroless:13.0.0-dev
       name: wait-auth-update
     serviceAccountName: RELEASE-NAME-proxy
     terminationGracePeriodSeconds: 60
@@ -255,7 +255,7 @@ should set securityContext for initContainers when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport:13.0.0-dev
+      image: public.ecr.aws/gravitational/teleport-distroless:13.0.0-dev
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -323,7 +323,7 @@ should set securityContext for initContainers when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport:13.0.0-dev
+      image: public.ecr.aws/gravitational/teleport-distroless:13.0.0-dev
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false
@@ -353,7 +353,7 @@ should set securityContext when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport:13.0.0-dev
+      image: public.ecr.aws/gravitational/teleport-distroless:13.0.0-dev
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -421,7 +421,7 @@ should set securityContext when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport:13.0.0-dev
+      image: public.ecr.aws/gravitational/teleport-distroless:13.0.0-dev
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false

diff --git a/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml b/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml
@@ -168,11 +168,11 @@ tests:
     set:
       clusterName: helm-lint.example.com
       enterprise: true
-      teleportVersionOverride: 8.3.4
+      teleportVersionOverride: 12.2.1
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: public.ecr.aws/gravitational/teleport-ent:8.3.4
+          value: public.ecr.aws/gravitational/teleport-ent-distroless:12.2.1
       - contains:
           path: spec.template.spec.containers[0].volumeMounts
           content:
@@ -190,11 +190,11 @@ tests:
     template: auth/deployment.yaml
     set:
       clusterName: helm-lint
-      teleportVersionOverride: 8.3.4
+      teleportVersionOverride: 12.2.1
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: public.ecr.aws/gravitational/teleport:8.3.4
+          value: public.ecr.aws/gravitational/teleport-distroless:12.2.1
       - notContains:
           path: spec.template.spec.containers[0].volumeMounts
           content:

diff --git a/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml b/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml
@@ -229,21 +229,21 @@ tests:
     set:
       clusterName: helm-lint.example.com
       enterprise: true
-      teleportVersionOverride: 8.3.4
+      teleportVersionOverride: 12.2.1
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: public.ecr.aws/gravitational/teleport-ent:8.3.4
+          value: public.ecr.aws/gravitational/teleport-ent-distroless:12.2.1
 
   - it: should use OSS image when enterprise is not set in values
     template: proxy/deployment.yaml
     set:
       clusterName: helm-lint
-      teleportVersionOverride: 8.3.4
+      teleportVersionOverride: 12.2.1
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: public.ecr.aws/gravitational/teleport:8.3.4
+          value: public.ecr.aws/gravitational/teleport-distroless:12.2.1
 
   - it: should mount TLS certs when cert-manager is enabled
     template: proxy/deployment.yaml

diff --git a/examples/chart/teleport-cluster/values.schema.json b/examples/chart/teleport-cluster/values.schema.json
@@ -607,12 +607,12 @@
         "image": {
             "$id": "#/properties/image",
             "type": "string",
-            "default": "public.ecr.aws/gravitational/teleport"
+            "default": "public.ecr.aws/gravitational/teleport-distroless"
         },
         "enterpriseImage": {
             "$id": "#/properties/enterpriseImage",
             "type": "string",
-            "default": "public.ecr.aws/gravitational/teleport-ent"
+            "default": "public.ecr.aws/gravitational/teleport-ent-distroless"
         },
         "imagePullSecrets": {
             "$id": "#/properties/imagePullSecrets",

diff --git a/examples/chart/teleport-cluster/values.yaml b/examples/chart/teleport-cluster/values.yaml
@@ -431,9 +431,17 @@ tls:
 ##################################################
 
 # Container image for the cluster.
-image: public.ecr.aws/gravitational/teleport
+# Since version 13, hardened distroless images are used by default.
+# You can use the deprecated debian-based images by setting the value to
+# `public.ecr.aws/gravitational/teleport`. Those images will be
+# removed with teleport 14.
+image: public.ecr.aws/gravitational/teleport-distroless
 # Enterprise version of the image
-enterpriseImage: public.ecr.aws/gravitational/teleport-ent
+# Since version 13, hardened distroless images are used by default.
+# You can use the deprecated debian-based images by setting the value to
+# `public.ecr.aws/gravitational/teleport-ent`. Those images will be
+# removed with teleport 14.
+enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
 # Optional array of imagePullSecrets, to use when pulling from a private registry
 imagePullSecrets: []
 # Teleport logging configuration