vpn: ship our own container image (#2909)

* vpn: ship our own container image The container image used in the VPN chart should be reproducible and stable. We're sticking close to the original nixery.dev version by building the image with nix ourselves, and then publishing the single layer from the result with Bazel OCI rules. The resulting image should be handled similar to s3proxy: it's built as a part of the Constellation release process and then consumed from a Helm chart in our registry. Co-authored-by: Malte Poll <[email protected]>
edgelesssys · Feb 15, 2024 · 473001b · 473001b
1 parent 896f68c
commit 473001b
Show file tree

Hide file tree

Showing 12 changed files with 123 additions and 40 deletions.
diff --git a/WORKSPACE.bazel b/WORKSPACE.bazel
@@ -63,6 +63,14 @@ nixpkgs_flake_package(
     package = "uplosi",
 )
 
+nixpkgs_flake_package(
+    name = "vpn_oci_image",
+    build_file_content = """exports_files(["layer.tar"])""",
+    nix_flake_file = "//:flake.nix",
+    nix_flake_lock_file = "//:flake.lock",
+    package = "vpn",
+)
+
 nixpkgs_package(
     name = "diffutils",
     repository = "@nixpkgs",

diff --git a/bazel/oci/containers.bzl b/bazel/oci/containers.bzl
@@ -63,6 +63,14 @@ def containers():
             "repotag_file": "//bazel/release:s3proxy_tag.txt",
             "used_by": ["config"],
         },
+        {
+            "identifier": "vpn",
+            "image_name": "vpn",
+            "name": "vpn",
+            "oci": "//nix/container/vpn",
+            "repotag_file": "//bazel/release:vpn_tag.txt",
+            "used_by": ["config"],
+        },
     ]
 
 def helm_containers():

diff --git a/dev-docs/howto/vpn/helm/files/strongswan/charon-logging.conf b/dev-docs/howto/vpn/helm/files/strongswan/charon-logging.conf
diff --git a/dev-docs/howto/vpn/helm/templates/operator-deployment.yaml b/dev-docs/howto/vpn/helm/templates/operator-deployment.yaml
@@ -20,13 +20,5 @@ spec:
       containers:
       - name: operator
         image: {{ .Values.image | quote }}
-        command: ["sh", "/scripts/entrypoint.sh"]
+        command: ["/bin/operator.sh"]
         env: {{- include "..commonEnv" . | nindent 10 }}
-        volumeMounts:
-        - name: scripts
-          mountPath: "/scripts"
-          readOnly: true
-      volumes:
-      - name: scripts
-        configMap:
-          name: {{ include "..fullname" . }}-operator
diff --git a/dev-docs/howto/vpn/helm/templates/strongswan-statefulset.yaml b/dev-docs/howto/vpn/helm/templates/strongswan-statefulset.yaml
@@ -18,37 +18,22 @@ spec:
       containers:
       - name: strongswan
         image: {{ .Values.image | quote }}
-        command: ["sh", "-x", "/entrypoint.sh"]
+        command: ["/bin/strongswan.sh"]
         securityContext:
           capabilities:
             add: ["NET_ADMIN"]
         volumeMounts:
-        - name: files
-          mountPath: "/entrypoint.sh"
-          subPath: "entrypoint.sh"
-          readOnly: true
-        - name: files
-          mountPath: "/etc/strongswan.d/charon-logging.conf"
-          subPath: "charon-logging.conf"
-          readOnly: true
         - name: config
           mountPath: "/etc/swanctl/swanctl.conf"
           subPath: "swanctl.conf"
           readOnly: true
       - name: cilium-setup
         image: {{ .Values.image | quote }}
-        command: ["sh", "/scripts/sidecar.sh"]
+        command: ["/bin/sidecar.sh"]
         env: {{- include "..commonEnv" . | nindent 10 }}
         securityContext:
           privileged: true
-        volumeMounts:
-        - name: files
-          mountPath: "/scripts"
-          readOnly: true
       volumes:
-      - name: files
-        configMap:
-          name: {{ include "..fullname" . }}-strongswan
       - name: config
         secret:
           secretName: {{ include "..fullname" . }}-strongswan
diff --git a/dev-docs/howto/vpn/helm/values.yaml b/dev-docs/howto/vpn/helm/values.yaml
@@ -15,5 +15,4 @@ ipsec:
   # Address of the peer's gateway router.
   peer: ""
 
-# required tools:  sh    nsenter    ip       pidof  jq kubectl    charon
-image: "nixery.dev/shell/util-linux/iproute2/procps/jq/kubernetes/strongswan"
+image: "ghcr.io/edgelesssys/constellation/vpn@sha256:34e28ced172d04dfdadaadbefb1a53b5857cb24fb24e275fbbc537f3639a789e"
diff --git a/flake.nix b/flake.nix
@@ -69,6 +69,8 @@
 
       packages.libvirtd_base = callPackage ./nix/container/libvirtd_base.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
 
+      packages.vpn = callPackage ./nix/container/vpn/vpn.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+
       packages.awscli2 = pkgsUnstable.awscli2;
 
       packages.bazel_6 = pkgsUnstable.bazel_6;

diff --git a/nix/container/vpn/BUILD.bazel b/nix/container/vpn/BUILD.bazel
@@ -0,0 +1,11 @@
+load("@rules_oci//oci:defs.bzl", "oci_image")
+
+oci_image(
+    name = "vpn",
+    base = "@distroless_static_linux_amd64",
+    entrypoint = ["/bin/sh"],
+    tars = [
+        "@vpn_oci_image//:layer.tar",
+    ],
+    visibility = ["//visibility:public"],
+)
diff --git a/...wto/vpn/helm/files/operator/entrypoint.sh → nix/container/vpn/operator.sh b/...wto/vpn/helm/files/operator/entrypoint.sh → nix/container/vpn/operator.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+set -u
+
 signaled() {
   exit 143
 }

diff --git a/...owto/vpn/helm/files/strongswan/sidecar.sh → nix/container/vpn/sidecar.sh b/...owto/vpn/helm/files/strongswan/sidecar.sh → nix/container/vpn/sidecar.sh
diff --git a/...o/vpn/helm/files/strongswan/entrypoint.sh → nix/container/vpn/strongswan.sh b/...o/vpn/helm/files/strongswan/entrypoint.sh → nix/container/vpn/strongswan.sh
@@ -1,6 +1,11 @@
 #!/bin/sh
 
-# The charon binary is not included in the PATH generated by nixery.dev, find it manually.
+set -eux
+
+mkdir -p /var/run
+export SWANCTL_DIR=/etc/swanctl
+
+# The charon binary is not included in the PATH generated by writeShellCommand, find it manually.
 charon="$(dirname "$(readlink -f "$(command -v charon-systemd)")")/../libexec/ipsec/charon"
 
 "${charon}" &

diff --git a/nix/container/vpn/vpn.nix b/nix/container/vpn/vpn.nix
@@ -0,0 +1,82 @@
+{ pkgs
+, pkgsLinux
+, stdenv
+}:
+let
+  passwd = pkgs.writeTextDir "etc/passwd" ''
+    root:x:0:0:root:/root:/bin/sh
+    nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
+  '';
+  group = pkgs.writeTextDir "etc/group" ''
+    root:x:0:
+    nobody:x:65534:
+  '';
+
+  strongswanScript = pkgsLinux.writeShellApplication {
+    name = "strongswan.sh";
+    runtimeInputs = with pkgsLinux; [
+      coreutils
+      strongswan
+    ];
+    text = ./strongswan.sh;
+  };
+
+  sidecarScript = pkgsLinux.writeShellApplication {
+    name = "sidecar.sh";
+    runtimeInputs = with pkgsLinux; [
+      coreutils
+      iproute2
+      jq
+      util-linux
+      procps
+    ];
+    text = ./sidecar.sh;
+  };
+
+  operatorScript = pkgsLinux.writeShellApplication {
+    name = "operator.sh";
+    runtimeInputs = with pkgsLinux; [
+      coreutils
+      kubernetes
+      jq
+    ];
+    text = ./operator.sh;
+  };
+
+  image = pkgs.dockerTools.buildImage {
+    name = "ghcr.io/edgelesssys/constellation/vpn";
+    copyToRoot = with pkgsLinux.dockerTools; [
+      passwd
+      group
+      strongswanScript
+      sidecarScript
+      operatorScript
+      binSh
+    ];
+    config = {
+      Cmd = [ "/bin/entrypoint.sh" ];
+    };
+  };
+
+in
+
+stdenv.mkDerivation {
+  name = "image";
+
+  src = image;
+
+  buildInputs = with pkgs; [ gnutar jq ];
+
+
+  installPhase = ''
+    mkdir -p "$out/tmp"
+    pushd "$out/tmp"
+    tar -xf ${image}
+    layer="$(jq -r '.[0].Layers[0]' <manifest.json)"
+    chmod -R u+w "."
+    mv "$layer" "$out/layer.tar"
+    popd
+    rm -rf -- "$out/tmp"
+  '';
+
+}