containers.openssl: reduce size by 85%
Signed-off-by: Paul Meyer <[email protected]>
katexochen committed Aug 30, 2024
1 parent ade730b commit e936d50
Showing 3 changed files with 12 additions and 17 deletions.
16 changes: 8 additions & 8 deletions e2e/openssl/openssl_test.go
Expand Up @@ -85,7 +85,7 @@ func TestOpenSSL(t *testing.T) {
require.NoError(err)
require.NotEmpty(coordinatorPods, "pod not found: %s/%s", ct.Namespace, "coordinator")

argv := []string{"/bin/bash", "-c", "curl --fail " + net.JoinHostPort(coordinatorPods[0].Status.PodIP, "9102") + "/metrics"}
argv := []string{"/bin/sh", "-c", "curl --fail " + net.JoinHostPort(coordinatorPods[0].Status.PodIP, "9102") + "/metrics"}
_, stderr, err := ct.Kubeclient.Exec(ctx, ct.Namespace, frontendPods[0].Name, argv)
require.NoError(err, "stderr: %q", stderr)
})
Expand Down Expand Up @@ -129,7 +129,7 @@ func TestOpenSSL(t *testing.T) {
// - the certificate in the backend pod can be used as a server certificate
// - the backend's CA configuration accepted the frontend certificate
// - the frontend's CA configuration accepted the backend certificate
stdout, stderr, err := c.ExecDeployment(ctx, ct.Namespace, opensslFrontend, []string{"/bin/bash", "-c", opensslConnectCmd("openssl-backend:443", meshCAFile)})
stdout, stderr, err := c.ExecDeployment(ctx, ct.Namespace, opensslFrontend, []string{"/bin/sh", "-c", opensslConnectCmd("openssl-backend:443", meshCAFile)})
t.Log(stdout)
require.NoError(err, "stderr: %q", stderr)
})
Expand Down Expand Up @@ -168,14 +168,14 @@ func TestOpenSSL(t *testing.T) {
require.NoError(c.WaitFor(ctx, kubeclient.Deployment{}, ct.Namespace, deploymentToRestart))

// This should not succeed because the certificates have changed.
stdout, stderr, err := c.ExecDeployment(ctx, ct.Namespace, opensslFrontend, []string{"/bin/bash", "-c", opensslConnectCmd("openssl-backend:443", meshCAFile)})
stdout, stderr, err := c.ExecDeployment(ctx, ct.Namespace, opensslFrontend, []string{"/bin/sh", "-c", opensslConnectCmd("openssl-backend:443", meshCAFile)})
t.Log("openssl with wrong certificates:", stdout)
require.Error(err)
require.Contains(stderr, "self-signed certificate in certificate chain")

// Connect from backend to fronted, because the frontend does not require client certs.
// This should succeed because the root cert did not change.
stdout, stderr, err = c.ExecDeployment(ctx, ct.Namespace, opensslBackend, []string{"/bin/bash", "-c", opensslConnectCmd("openssl-frontend:443", rootCAFile)})
stdout, stderr, err = c.ExecDeployment(ctx, ct.Namespace, opensslBackend, []string{"/bin/sh", "-c", opensslConnectCmd("openssl-frontend:443", rootCAFile)})
t.Log("openssl with root certificate:", stdout)
require.NoError(err, "stderr: %q", stderr)

Expand All @@ -188,7 +188,7 @@ func TestOpenSSL(t *testing.T) {
require.NoError(c.WaitFor(ctx, kubeclient.Deployment{}, ct.Namespace, d))

// This should succeed since both workloads now have updated certificates.
stdout, stderr, err = c.ExecDeployment(ctx, ct.Namespace, opensslFrontend, []string{"/bin/bash", "-c", opensslConnectCmd("openssl-backend:443", meshCAFile)})
stdout, stderr, err = c.ExecDeployment(ctx, ct.Namespace, opensslFrontend, []string{"/bin/sh", "-c", opensslConnectCmd("openssl-backend:443", meshCAFile)})
t.Log("openssl with correct certificates:", stdout)
require.NoError(err, "stderr: %q", stderr)
})
Expand Down Expand Up @@ -220,23 +220,23 @@ func TestOpenSSL(t *testing.T) {
require.NoError(c.WaitFor(ctx, kubeclient.Deployment{}, ct.Namespace, opensslFrontend))

t.Run("root CA is still accepted after coordinator recovery", func(t *testing.T) {
stdout, stderr, err := c.ExecDeployment(ctx, ct.Namespace, opensslBackend, []string{"/bin/bash", "-c", opensslConnectCmd("openssl-frontend:443", rootCAFile)})
stdout, stderr, err := c.ExecDeployment(ctx, ct.Namespace, opensslBackend, []string{"/bin/sh", "-c", opensslConnectCmd("openssl-frontend:443", rootCAFile)})
if err != nil {
t.Logf("openssl with %q after recovery:\n%s", rootCAFile, stdout)
}
assert.NoError(t, err, "stderr: %q", stderr)
})

t.Run("coordinator can't recover mesh CA key", func(t *testing.T) {
_, _, err := c.ExecDeployment(ctx, ct.Namespace, opensslBackend, []string{"/bin/bash", "-c", opensslConnectCmd("openssl-frontend:443", meshCAFile)})
_, _, err := c.ExecDeployment(ctx, ct.Namespace, opensslBackend, []string{"/bin/sh", "-c", opensslConnectCmd("openssl-frontend:443", meshCAFile)})
assert.Error(t, err)
})

require.NoError(c.Restart(ctx, kubeclient.Deployment{}, ct.Namespace, opensslBackend))
require.NoError(c.WaitFor(ctx, kubeclient.Deployment{}, ct.Namespace, opensslBackend))

t.Run("mesh CA after coordinator recovery is accepted when workloads are restarted", func(t *testing.T) {
stdout, stderr, err := c.ExecDeployment(ctx, ct.Namespace, opensslBackend, []string{"/bin/bash", "-c", opensslConnectCmd("openssl-frontend:443", meshCAFile)})
stdout, stderr, err := c.ExecDeployment(ctx, ct.Namespace, opensslBackend, []string{"/bin/sh", "-c", opensslConnectCmd("openssl-frontend:443", meshCAFile)})
if err != nil {
t.Logf("openssl with %q after recovery:\n%s", meshCAFile, stdout)
}
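Review bot: Every exec in this section now runs under `/bin/sh`, which in the new image is busybox sh rather than bash (the same commit drops `bash` from `copyToRoot` in packages/containers.nix), so the command text built by `opensslConnectCmd` — defined outside these hunks — must be POSIX-sh compatible; if it relies on a bash-only construct such as `set -o pipefail` or `[[ ]]`, these tests would start failing at the shell rather than in openssl. Worth confirming, and worth recording at the helper with a comment such as `// Must stay POSIX-sh compatible: the openssl image ships busybox sh, not bash.`. The literal `[]string{"/bin/sh", "-c", ...}` is repeated eight times across the hunks of this file; a small helper such as `func shCmd(cmd string) []string { return []string{"/bin/sh", "-c", cmd} }` would keep the shell choice in one place. TestOpenSSL starts and ends outside these hunks.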
4 changes: 2 additions & 2 deletions internal/kuberesource/sets.go
Expand Up @@ -64,7 +64,7 @@ func OpenSSL() []any {
Container().
WithName("openssl-backend").
WithImage("ghcr.io/edgelesssys/contrast/openssl:latest").
WithCommand("/bin/bash", "-c", "openssl s_server -port 443 -Verify 2 -CAfile /contrast/tls-config/mesh-ca.pem -cert /contrast/tls-config/certChain.pem -key /contrast/tls-config/key.pem").
WithCommand("/bin/sh", "-c", "openssl s_server -port 443 -Verify 2 -CAfile /contrast/tls-config/mesh-ca.pem -cert /contrast/tls-config/certChain.pem -key /contrast/tls-config/key.pem").
WithPorts(
ContainerPort().
WithName("https").
Expand Down Expand Up @@ -99,7 +99,7 @@ func OpenSSL() []any {
Container().
WithName("openssl-frontend").
WithImage("ghcr.io/edgelesssys/contrast/openssl:latest").
WithCommand("/bin/bash", "-c", "openssl s_server -www -port 443 -cert /contrast/tls-config/certChain.pem -key /contrast/tls-config/key.pem -cert_chain /contrast/tls-config/certChain.pem").
WithCommand("/bin/sh", "-c", "openssl s_server -www -port 443 -cert /contrast/tls-config/certChain.pem -key /contrast/tls-config/key.pem -cert_chain /contrast/tls-config/certChain.pem").
WithPorts(
ContainerPort().
WithName("https").
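Review bot: Both container commands (the backend in the first hunk and the frontend in the second) still wrap a plain `openssl s_server ...` invocation in `/bin/sh -c`, yet the command string uses no shell feature — no variable expansion, quoting, pipe or redirection — so the shell layer adds nothing except an extra process in front of openssl. Passing the argument vector directly, e.g. `WithCommand("openssl", "s_server", "-port", "443", "-Verify", "2", "-CAfile", "/contrast/tls-config/mesh-ca.pem", "-cert", "/contrast/tls-config/certChain.pem", "-key", "/contrast/tls-config/key.pem").`, makes openssl the container's main process, so pod termination signals reach it without depending on the shell forwarding or exec'ing them (whether busybox sh execs the last simple command of a `-c` string is not visible here), and keeps the shell out of the workload's process tree. The same applies to the frontend's `-www` variant. OpenSSL() begins and ends outside the hunks.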
9 changes: 2 additions & 7 deletions packages/containers.nix
Expand Up @@ -68,14 +68,9 @@ let
name = "openssl";
tag = "v${pkgs.contrast.version}";
copyToRoot = with pkgs; [
bash
bashInteractive
coreutils
ncurses
busybox
openssl
procps
vim
curl
curlMinimal
];
config = {
Cmd = [ "bash" ];
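Review bot: `Cmd = [ "bash" ];` on the last context line of the hunk still names bash, but the hunk removes `bash` and `bashInteractive` from `copyToRoot` and adds `busybox` in their place, so the image's default command now points at a binary that is absent unless the busybox build in use installs a `bash` applet symlink (not visible here). Changing it to `Cmd = [ "sh" ];` matches the `/bin/sh` that the e2e test and the pod specs in this commit use. The enclosing `let` binding starts and ends outside the hunk.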
