kiwigrid / k8s-sidecar

This is a docker container intended to run inside a kubernetes cluster to collect config maps with a specified label and store the included files in a local folder.
MIT License

Additional binaries for the Sidecar Script #271

Closed hinrichd closed 1 year ago

hinrichd commented 1 year ago

Hi,

is it possible to add additional binaries to the sidecar container like curl or jq?

The Node-RED Helm chart is using this sidecar container to store config maps in the container and running a shell script afterwards which will reload the stored config maps in the main container. Unfortunately the script fails in the sidecar container, as it is using curl (API request) and jq (JSON parser), which are not present in the container image.

I also have opened a ticket in the node-red issues.

What do you think is the best way to solve this? Is it possible to add curl and jq to the requirements.txt?

hinrichd commented 1 year ago

Here is the script which will be used from the env variable SCRIPT inside the sidecar container.

```sh
#!/bin/sh
echo "node-red flow refresh api"
sleep "$SLEEP_TIME_SIDECAR"

# Step 1: password grant against the Node-RED admin API, keep only the JSON line and pull out the token
token=$(curl -X POST -sSk --connect-timeout 30 --retry 50 --retry-delay 10 --data "client_id=node-red-admin&grant_type=password&scope=*&username=$USERNAME&password=$PASSWORD" "$URL/auth/token" | grep "^{" | jq -r .access_token)

# Step 2: ask Node-RED to reload its flows using the bearer token
curl -k -X POST --connect-timeout 30 --retry 50 --retry-delay 10 -H "Authorization: Bearer $token" -H "content-type: application/json; charset=utf-8" -H "Node-RED-Deployment-Type: reload" -H "Node-RED-API-Version: v2" --data '{"flows": [{"type": "tab"}]}' "$URL/flows"
```

I have read the readme again and found the REQ_* labels and thought this could be a solution. But it looks like the token-based auth would not fit into it and I have to use a custom script. Therefore it would be nice to see additional common shell binaries which could be used in the script.

jekkel commented 1 year ago

Hi @hinrichd , thanks for reaching out to us. Adding more binaries to the image does not really match the philosophy of the project having a minimal image and hence minimal attack surface.

But we're building upon a generic python image and already do have the python requests package installed. So I think it should be possible to use python instead of separate binaries to perform the requests and parse JSON responses.

Let us know if that works :crossed_fingers:

hinrichd commented 1 year ago

Hi @jekkel, thank you for your reply. I totally understand your answer and thank you for pointing us in the right direction. This little API request will indeed be possible with python requests. However, I have never scripted with python before. Many thanks

hinrichd commented 1 year ago

Hi @jekkel, I have rewritten the shell script with curl/jq to python using requests and json. The script actually works in the k8s-sidecar container when run manually inside the container. So, no need for extra binaries or packages, so far.

Obviously the SCRIPT configuration environment variable will only run sh scripts after configmaps or secrets have changed. So, how can I run my python script?

jekkel commented 1 year ago

If you mount both the python file AND a small shell script only invoking the python file...? I can imagine that we could change the execution of scripts to work with shebangs so that the python file itself could be referred to by SCRIPT...

hinrichd commented 1 year ago

`sh /app/my-py-script.py` will not work even with the python shebang `#!/usr/bin/env python`. Actually I found a workaround and am now calling python inside the shell script:

```sh
#!/bin/sh
python - << EOF

import time
import os
import requests
.
.
.
EOF
```

I am not sure yet if this is a good idea. Maybe this has some downsides with std logging or environment variables. If this container image is Python based, it should run python by default to match the dependencies like json and requests. Or there could even be SCRIPT-SH and SCRIPT-PY configuration environment variables, which can run the script in the desired script language directly.

Happy Weekend ✌️
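A Python version of the curl/jq refresh script from this thread, written as an added example (not code posted by hinrichd or shipped by k8s-sidecar), using the requests package already in the image as jekkel suggested; it can be invoked from a one-line sh wrapper instead of the heredoc above. The env names URL, USERNAME, PASSWORD and SLEEP_TIME_SIDECAR come from the posted script; VERIFY_TLS is an assumed addition so that certificate verification is only switched off deliberately rather than always, as `curl -k` does.

```python
import json
import os
import time

TOKEN_FORM = {"client_id": "node-red-admin", "grant_type": "password", "scope": "*"}
RELOAD_HEADERS = {"content-type": "application/json; charset=utf-8",
                  "Node-RED-Deployment-Type": "reload", "Node-RED-API-Version": "v2"}
RELOAD_BODY = json.dumps({"flows": [{"type": "tab"}]})

def extract_token(body_text):
    # Same as `grep "^{" | jq -r .access_token`: take the line that is a JSON object.
    for line in body_text.splitlines():
        if line.startswith("{"):
            token = json.loads(line).get("access_token")
            if token:
                return token
    raise ValueError("no access_token in token response")

def post_with_retry(session, url, retries=50, delay=10, **kwargs):
    # Mirrors curl --retry/--retry-delay: retry on connection errors and 5xx replies.
    last = None
    for _ in range(retries + 1):
        try:
            resp = session.post(url, timeout=30, **kwargs)
            if resp.status_code < 500:
                return resp
            last = RuntimeError("HTTP %d from %s" % (resp.status_code, url))
        except Exception as exc:  # e.g. requests.ConnectionError
            last = exc
        time.sleep(delay)
    raise last

def refresh_flows(session, base_url, username, password, verify=True, retries=50, delay=10):
    # Step 1: password grant; step 2: reload with the bearer token. Returns the reload status code.
    form = dict(TOKEN_FORM, username=username, password=password)
    tok = post_with_retry(session, base_url + "/auth/token", retries, delay, data=form, verify=verify)
    headers = dict(RELOAD_HEADERS, Authorization="Bearer " + extract_token(tok.text))
    done = post_with_retry(session, base_url + "/flows", retries, delay,
                           headers=headers, data=RELOAD_BODY, verify=verify)
    return done.status_code

if __name__ == "__main__":
    import requests  # present in the k8s-sidecar image, so no extra package is needed
    time.sleep(float(os.environ.get("SLEEP_TIME_SIDECAR", "0")))
    verify = os.environ.get("VERIFY_TLS", "true").lower() != "false"  # assumed var; curl -k equivalent
    status = refresh_flows(requests.Session(), os.environ["URL"].rstrip("/"),
                           os.environ["USERNAME"], os.environ["PASSWORD"], verify=verify)
    print("reload returned HTTP", status)
    raise SystemExit(0 if status < 400 else 1)
```

The sh wrapper referenced by SCRIPT then only needs `python /app/my-py-script.py`, and the non-zero exit on a failed reload shows up in the sidecar's log the same way a failed curl would.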

jekkel commented 1 year ago

> `sh /app/my-py-script.py` will not work even with the python shebang `#!/usr/bin/env python`

I know, and that's what I meant by saying that we can probably change the invocation strategy to support shebangs. This would be an enhancement; it is not yet supported.

Glad that you made it work in a shell script through stdin though!

Would you mind closing this issue in favor of a new one requesting support for python scripts having a valid shebang line?

onedr0p commented 7 months ago

It would be nice if this would be revisited; having jq and curl would mean we do not need to write python to have a simple script do something when the SCRIPT env is used. I get the need to have a minimal attack surface, but having python included is already stretching it pretty wide anyways 🤷🏼‍♂️

ChristianGeie commented 7 months ago

@onedr0p I would like to understand what exactly is the reason for putting more binaries into the image. The use case of the sidecar is clearly described and it should fulfill this. If there are understandable reasons to extend this use case, then this should be done in Python.

onedr0p commented 7 months ago

> I would like to understand what exactly is the reason for putting more binaries into the image.

I get that Python is there and pretty much all use-cases could be solved by writing a Python script; however, a script in bash with curl/jq is so much easier to write and maintain than writing a Python script just to call an HTTP endpoint when a configmap or secret is changed. I really don't get why having more options available to cluster operators by including these two tools can be controversial. 🤷🏼‍♂️

Anyways, I digress. I will just build an image off ghcr.io/kiwigrid/k8s-sidecar and apk add the tools I need. This project is awesome, so keep up the good work 👍🏼