Rebase GLBC on alpine:3.5

[timstclair]

For kubernetes/kubernetes#40248

Rebasing on busybox greatly reduces the size of the image. More importantly, it greatly reduces the management burden of keeping the image up-to-date in as all the packages within are updated.

@csbell @nicksardo

[k8s-reviewable]

This change is 

[coveralls]

Coverage decreased (-0.02%) to 46.418% when pulling 1b0a8c18f06b9df49ce4a94ff73e460653dd2909 on timstclair:busybox into a6e3822 on kubernetes:master.

[coveralls]

Coverage decreased (-0.04%) to 46.4% when pulling 2215e3b on timstclair:busybox into a6e3822 on kubernetes:master.

[csbell]

Review status: 0 of 8 files reviewed at latest revision, 2 unresolved discussions.

---

controllers/gce/Dockerfile, line 15 at r1 (raw file):

# limitations under the License.

FROM busybox

Should we leave a MAINTAINER here?

---

controllers/gce/README.md, line 343 at r1 (raw file):

$ kubectl exec -it glbc-6m6b6 -- wget -q -O- http://localhost:8081/delete-all-and-quit

Just curious why wget is preferred.

---

Comments from Reviewable

[gianrubio]

@timstclair why not use alpine instead busybox?

[nicksardo]

@timstclair Slipped my mind - we need the ca certs because the GLBC is calling out to the GCP api.

[glerchundi]

@nicksardo How is this usually solved? always include ca-certs in each image or just mount from the host through hostPath? CoreOS for example when it comes to launching kube-proxy or any k8s component, it mounts the hostPath for the ca-certs using host machine as the unique source of truth.

[timstclair]

Review status: 0 of 8 files reviewed at latest revision, 2 unresolved discussions.

---

controllers/gce/Dockerfile, line 15 at r1 (raw file):

Previously, csbell (Christian Bell) wrote…

Should we leave a MAINTAINER here?

No, the MAINTAINER line is deprecated. We're gradually removing it from all our images.

---

controllers/gce/README.md, line 343 at r1 (raw file):

Previously, csbell (Christian Bell) wrote…

Just curious why wget is preferred.

busybox (and alpine) ship with wget, but not curl.

---

Comments from Reviewable

[timstclair]

Rebased on alpine & installed ca-certs. I think we should probably prefer alpine for this type of image anyway, since we get better CVE notifications. Since there are no binary dependencies, I don't anticipate any of the alpine issues we've run into in the past (e.g. DNS problems).

@glerchundi I think this approach is preferable to mounting the host ca-certificates, since it keeps the environment contained, and doesn't add any host dependencies.

[coveralls]

Coverage decreased (-0.3%) to 46.129% when pulling b2a1f4b2d0d5875f7cb4cd9e6c8b26bf1e46df24 on timstclair:busybox into a6e3822 on kubernetes:master.

[timstclair]

Squashed & rebased.

[coveralls]

Coverage increased (+0.05%) to 46.321% when pulling 1023056 on timstclair:busybox into e1d1445 on kubernetes:master.

[nicksardo]

All unit tests, e2e ingress tests, and several manual tests (with and without pre-shared certs) were successful. Merging and generating 0.9.2 image.

[nicksardo]

/lgtm