refactor(core): cdi-controller replaces bash usage with static binaries

base-images/image_versions.yml

@@ -2,7 +2,7 @@
 REGISTRY_PATH: "docker.io/"
 
 # Virtualization images
-BASE_DEBIAN_BOOKWORM_SLIM: "debian:bookworm-slim@sha256:a629e796d77a7b2ff82186ed15d01a493801c020eed5ce6adaa2704356f15a1c"
+BASE_DEBIAN_BOOKWORM_SLIM: "debian:bookworm-slim@sha256:e9ac68ffde903b241342267a51cd74c5417414af652cb2e380c6ddcf522589bc"
 BASE_CONTAINER_REGISTRY: "registry:2.8.3@sha256:ac0192b549007e22998eb74e8d8488dcfe70f1489520c3b144a6047ac5efbe90"
 BASE_GOLANG_22_BOOKWORM: "golang:1.22.8-bookworm@sha256:3f0457a0a56a926d93c2baf4cf0057a645e8ff69ff31314080fcc62389643b8e"
 BASE_GOLANG_23_BOOKWORM: "golang:1.23.6-bookworm@sha256:441f59f8a2104b99320e1f5aaf59a81baabbc36c81f4e792d5715ef09dd29355"

images/cdi-artifact/patches/024-cdi-controller-change-bash-utils-to-binary.patch

@@ -0,0 +1,37 @@
+diff --git a/pkg/controller/clone/prep-claim.go b/pkg/controller/clone/prep-claim.go
+index 68a249b77..5e96feee0 100644
+--- a/pkg/controller/clone/prep-claim.go
++++ b/pkg/controller/clone/prep-claim.go
+@@ -162,8 +162,8 @@ func (p *PrepClaimPhase) createPod(ctx context.Context, name string, pvc *corev1
+ 					Name:            "dummy",
+ 					Image:           p.Image,
+ 					ImagePullPolicy: p.PullPolicy,
+-					Command:         []string{"/bin/bash"},
+-					Args:            []string{"-c", "echo", "'hello cdi'"},
++					Command:         []string{"/bin/hello"},
++					// Args:            []string{"-c", "echo", "'hello cdi'"},
+ 				},
+ 			},
+ 			ImagePullSecrets: imagePullSecrets,
+diff --git a/pkg/operator/resources/namespaced/controller.go b/pkg/operator/resources/namespaced/controller.go
+index 665a4517b..36054391c 100644
+--- a/pkg/operator/resources/namespaced/controller.go
++++ b/pkg/operator/resources/namespaced/controller.go
+@@ -190,7 +190,7 @@ func createControllerDeployment(controllerImage, importerImage, clonerImage, ovi
+ 		},
+ 	}
+ 	labels := util.MergeLabels(deployment.Spec.Template.GetLabels(), map[string]string{common.PrometheusLabelKey: common.PrometheusLabelValue})
+-	//Add label for pod affinity
++	// Add label for pod affinity
+ 	deployment.SetLabels(labels)
+ 	deployment.Spec.Template.SetLabels(labels)
+ 	container.Env = []corev1.EnvVar{
+@@ -240,7 +240,7 @@ func createControllerDeployment(controllerImage, importerImage, clonerImage, ovi
+ 	container.ReadinessProbe = &corev1.Probe{
+ 		ProbeHandler: corev1.ProbeHandler{
+ 			Exec: &corev1.ExecAction{
+-				Command: []string{"cat", "/tmp/ready"},
++				Command: []string{"printFile", "/tmp/ready"},
+ 			},
+ 		},
+ 		InitialDelaySeconds: 2,

images/cdi-artifact/patches/README.md

@@ -100,4 +100,10 @@ This patch includes an architectural assumption where the condition of the DataV
 
 #### `023-remove-upload-proxy-server-variables.patch`
 
-The CDI uploadproxy and serverproxy functionality is not used. Deployment of these images and deployments has been removed.
+The CDI uploadproxy and serverproxy functionality is not used. Deployment of these images and deployments has been removed.
+
+#### `024-cdi-controller-change-bash-utils-to-binary.patch`
+
+We want fully reproducible distroless images (without bash). This patch replaces bash usage with static binaries:
+- `bash -c "echo 'hello cdi'"` is replaced with "hello" binary.
+- `cat /tmp/ready` is replaced with "printFile /tmp/ready"

images/cdi-controller/hello.c

@@ -0,0 +1,6 @@
+#include <stdio.h>
+
+int main() {
+    printf("hello cdi\n");
+    return 0;
+}

images/cdi-controller/print_file_context.c

@@ -0,0 +1,29 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(int argc, char *argv[]) {
+    FILE *fptr;
+    char myContent[100];
+    // Check for correct command-line arguments
+    if (argc != 2) {
+        printf("Usage: %s <filename>\n", argv[0]);
+        return 1;
+    }
+
+    fptr = fopen(argv[1], "r"); // Open in read mode
+
+    if(fptr != NULL) {
+        // Read the content and print it
+        while (fgets(myContent,100,fptr)) {
+            printf("%s", myContent);
+        }
+    } else {
+        perror("Not able to open the file");
+        fclose(fptr);
+        return 1;
+    }
+
+
+    fclose(fptr); // Close the file
+    return 0;
+}

images/cdi-controller/werf.inc.yaml

@@ -13,9 +13,6 @@ imageSpec:
 ---
 {{- define "cdi-controller-deps" -}}
 binaries:
-  - /usr/bin/cat
-  - /usr/bin/bash
-  - /usr/bin/echo
   - /usr/bin/cdi-controller
   - /usr/sbin/blockdev
 packages:
@@ -28,13 +25,17 @@ image: {{ $.ImageName }}-bins
 final: false
 fromImage: base-alt-p11-binaries
 import:
+- image: {{ $.ImageName }}-cbuilder
+  add: /bins
+  to: /relocate/usr/bin
+  after: setup
 - image: cdi-artifact
   add: /cdi-binaries
   to: /usr/bin
   includePaths:
   - cdi-controller
   before: setup
-# Source https://github.com/kubevirt/containerized-data-importer/blob/v1.58.0/cmd/cdi-controller/BUILD.bazel
+# Source https://github.com/kubevirt/containerized-data-importer/blob/v1.60.3/cmd/cdi-controller/BUILD.bazel
 shell:
   install:
   - |
@@ -50,3 +51,26 @@ shell:
   - |
     mkdir -p /relocate/{tmp,var/run/certs/cdi-uploadserver-signer,var/run/certs/cdi-uploadserver-client-signer}
     chown -R 64535:64535 /relocate/
+
+---
+image: {{ $.ImageName }}-cbuilder
+final: false
+from: {{ .Images.BASE_DEBIAN_BOOKWORM_SLIM }}
+git:
+  - add: /images/{{ $.ImageName }}
+    to: /
+    stageDependencies:
+      install:
+        - '*.c'
+shell:
+  install:
+  - |
+    apt-get update && apt-get install --yes gcc musl-dev musl-tools
+    apt-get clean
+
+    echo "Building simple app that prints hello cdi"
+    mkdir -p /bins
+    musl-gcc -static -Os -o /bins/hello hello.c
+    musl-gcc -static -Os -o /bins/printFile print_file_context.c
+    strip /bins/hello
+    strip /bins/printFile