elastic / elastic-agent

Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.

Ensure wolfi-based agent images work with ECK #5210

Open pebrc opened 1 month ago

pebrc commented 1 month ago

Describe the enhancement: ECK is the Kubernetes operator for the Elastic stack and targets self-hosted Kubernetes deployments (i.e. not Hosted ESS or Serverless). It uses the regular stack images to deploy Elastic Agent.

If we want to support the wolfi based version of the Agent image docker.elastic.co/beats/elastic-agent-wolfi we need to ensure that:

Describe a specific use case for the enhancement or feature:

  1. establishing CA trust between the Agents and Elasticsearch. ECK uses by default self-signed certificates. It establishes trust by amending the OS trust store in the image currently using the Debian style /usr/sbin/update-ca-certificates tool with the self-signed ECK-managed Elasticsearch CA. (source)
  2. extracting diagnostics data. The eck-diagnostics tool creates an agent diagnostic by kubectl executing the diagnostics collect subcommand in the container. It then uses the equivalent of kubectl cp to extract the resulting file from the container. This requires the presence of the tar utility in the image. (source)

What is the definition of done?

A successful run of the ECK e2e tests with a wolfi image or workarounds for the two use cases.

cc @rdner

pebrc commented 1 month ago

Update: it seems both use cases are already covered: I built a snapshot with SNAPSHOT=true PLATFORMS=linux/arm64 PACKAGES=docker mage package and was able to run /usr/sbin/update-ca-certificates as root.

tar was also present, it seems to be coming out of /bin/busybox. So unless there are plans to trim down this image further, I think we are good to close this issue.

(Should have waited for the build to finish before writing the original issue here)
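
The two image requirements discussed in this issue can be checked against an unpacked image root filesystem before running the e2e suite. The script below is an added example, not part of the thread or of the ECK or elastic-agent code; it assumes the root filesystem has been unpacked to a local directory (for example from `docker export`), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check an unpacked image rootfs for the two tools ECK relies on.
# Assumption: the rootfs directory was produced by unpacking the image locally.

# resolve_tool ROOTFS NAME: print the in-image path that provides NAME, or fail.
resolve_tool() {
    rootfs=$1
    name=$2
    for dir in usr/local/sbin usr/local/bin usr/sbin usr/bin sbin bin; do
        candidate="$rootfs/$dir/$name"
        # -L also accepts symlinks whose absolute target only resolves in the image
        if [ -x "$candidate" ] || [ -L "$candidate" ]; then
            printf '/%s/%s\n' "$dir" "$name"
            return 0
        fi
    done
    return 1
}

# provider ROOTFS PATH: "busybox" if PATH is a busybox applet link, else "standalone".
provider() {
    target=$(readlink "$1$2" 2>/dev/null || true)
    case "$target" in
        *busybox) echo busybox ;;
        *) echo standalone ;;
    esac
}

# check_image ROOTFS: succeed only if CA trust update and tar are both available.
check_image() {
    rootfs=$1
    status=0
    for tool in update-ca-certificates tar; do
        if path=$(resolve_tool "$rootfs" "$tool"); then
            echo "ok: $tool at $path ($(provider "$rootfs" "$path"))"
        else
            echo "missing: $tool"
            status=1
        fi
    done
    return $status
}

# Run against a rootfs directory when one is given on the command line.
if [ $# -gt 0 ]; then check_image "$1"; fi
```

Reporting the provider makes it visible when `tar` exists only as a busybox applet, which is the case that would break if the image were trimmed further.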