Modify Dockerfile and manifests

cybozu-go · Apr 8, 2021 · 1519164 · 1519164
1 parent 1200741
commit 1519164
Show file tree

Hide file tree

Showing 24 changed files with 289 additions and 112 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -28,3 +28,9 @@ jobs:
         if: steps.cache-tools.outputs.cache-hit != 'true'
       - run: make lint
       - run: make test
+  build-image:
+    name: Build Container Image
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v2
+      - run: docker build -t quay.io/cybozu/pod-security-admission:latest .
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,40 @@
+name: Release
+on:
+  push:
+    tags:
+    - 'v*'
+env:
+  go-version: 1.16
+  tag: ${GITHUB_REF#refs/tags/v}
+  prerelease: ${{ contains(github.ref, '-') }}
+jobs:
+  image:
+    name: Push Container Image
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v2
+      - run: docker build -t quay.io/cybozu/pod-security-admission:latest .
+      - name: Push docker image to Quay.io
+        run: |
+          echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USER }} --password-stdin quay.io
+          echo "pushing image ..."
+          docker tag quay.io/cybozu/pod-security-admission:latest quay.io/cybozu/pod-security-admission:${{ env.tag }}
+          docker push quay.io/cybozu/pod-security-admission:${{ env.tag }}
+          BRANCH=$(echo ${{ env.tag }} | cut -d "." -f 1-2)
+          docker tag quay.io/cybozu/pod-security-admission:latest quay.io/cybozu/pod-security-admission:$BRANCH
+          docker push quay.io/cybozu/pod-security-admission:$BRANCH
+  release:
+    name: Release on GitHub
+    needs: image
+    runs-on: ubuntu-20.04
+    container:
+      image: quay.io/cybozu/golang:1.16-focal
+    steps:
+      - uses: actions/checkout@v2
+      - run: make build/install.yaml
+      - name: Create release
+        run: |
+          if ${{ env.prerelease }}; then
+            PRERELEASE="-prerelease"
+          fi
+          ghr -t ${{ secrets.GITHUB_TOKEN }} -u cybozu-go -r pod-security-admission -n v${{ env.tag }} ${PRERELEASE} -b "See [CHANGELOG.md](./CHANGELOG.md) for details." v${{ env.tag }} ./build/
diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,4 @@
 /.vscode
 /.idea
 cover.out
+/build
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,4 +9,4 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 ### Changed
 ### Removed
 
-[Unreleased]: https://github.com/cybozu-go/neco-template/compare/4b825dc642cb6eb9a060e54bf8d69288fbee4904...HEAD
+[Unreleased]: https://github.com/cybozu-go/pod-security-admission/compare/1468d8fc5862faccd4c0444b1d7721798ffe6080...HEAD
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.15 as builder
+FROM quay.io/cybozu/golang:1.16-focal as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -10,18 +10,16 @@ COPY go.sum go.sum
 RUN go mod download
 
 # Copy the go source
-COPY main.go main.go
-COPY api/ api/
-COPY controllers/ controllers/
+COPY version.go version.go
+COPY cmd/ cmd/
+COPY hooks/ hooks/
 
 # Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o pod-security-admission cmd/main.go
 
-# Use distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot
+FROM scratch
 WORKDIR /
-COPY --from=builder /workspace/manager .
-USER 65532:65532
+COPY --from=builder /workspace/pod-security-admission .
+USER 10000:10000
 
-ENTRYPOINT ["/manager"]
+ENTRYPOINT ["/pod-security-admission"]
diff --git a/Makefile b/Makefile
@@ -5,7 +5,13 @@ KUSTOMIZE_VERSION = 3.8.7
 # Set the shell used to bash for better error handling.
 SHELL = /bin/bash
 .SHELLFLAGS = -e -o pipefail -c
-BIN_DIR = $(shell pwd)/bin
+BIN_DIR = ./bin
+INSTALL_YAML = build/install.yaml
+
+KUSTOMIZE = $(BIN_DIR)/kustomize
+CONTROLLER_GEN = $(BIN_DIR)/controller-gen
+STATICCHECK = $(BIN_DIR)/staticcheck
+NILERR = $(BIN_DIR)/nilerr
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -36,11 +42,11 @@ help: ## Display this help.
 ##@ Development
 
 .PHONY: manifests
-manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
+manifests: $(CONTROLLER_GEN) ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 	$(CONTROLLER_GEN) rbac:roleName=pod-security-admission webhook paths="./..."
 
 .PHONY: generate
-generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
+generate: $(CONTROLLER_GEN) ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
 .PHONY: check-generate
@@ -50,7 +56,7 @@ check-generate:
 	git diff --exit-code --name-only
 
 .PHONY: lint
-lint: staticcheck nilerr
+lint: $(STATICCHECK) $(NILERR)
 	test -z "$$(gofmt -s -l . | tee /dev/stderr)"
 	$(STATICCHECK) ./...
 	go vet ./...
@@ -71,29 +77,25 @@ test: manifests generate ## Run tests.
 build: ## Build binary.
 	CGO_ENABLED=0 go build -o bin/pod-security-admission -ldflags="-w -s" main.go
 
-CONTROLLER_GEN = $(BIN_DIR)/controller-gen
-.PHONY: controller-gen
-controller-gen: ## Download controller-gen locally if necessary.
+$(INSTALL_YAML): $(KUSTOMIZE)
+	mkdir -p build
+	$(KUSTOMIZE) build ./config/default > $@
+
+$(CONTROLLER_GEN): ## Download controller-gen locally if necessary.
 	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v$(CONTROLLER_TOOLS_VERSION))
 
-KUSTOMIZE = $(BIN_DIR)/kustomize
-.PHONY: kustomize
-kustomize: ## Download kustomize locally if necessary.
+$(KUSTOMIZE): ## Download kustomize locally if necessary.
 	mkdir -p $(BIN_DIR)
 	curl -sSLf https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv$(KUSTOMIZE_VERSION)/kustomize_v$(KUSTOMIZE_VERSION)_linux_amd64.tar.gz | tar -xz -C $(BIN_DIR)
 
-STATICCHECK = $(BIN_DIR)/staticcheck
-.PHONY: staticcheck
-staticcheck:
+$(STATICCHECK):
 	$(call go-install-tool,$(STATICCHECK),honnef.co/go/tools/cmd/staticcheck@latest)
 
-NILERR = $(BIN_DIR)/nilerr
-.PHONY: nilerr
-nilerr:
+$(NILERR):
 	$(call go-install-tool,$(NILERR),github.com/gostaticanalysis/nilerr/cmd/nilerr@latest)
 
 .PHONY: setup
-setup: staticcheck nilerr kustomize controller-gen
+setup: $(STATICCHECK) $(NILERR) $(KUSTOMIZE) $(CONTROLLER_GEN)
 	mkdir -p ${ENVTEST_ASSETS_DIR}
 	curl -sSLo ${ENVTEST_ASSETS_DIR}/setup-envtest.sh https://raw.githubusercontent.com/kubernetes-sigs/controller-runtime/v$(CONTROLLER_RUNTIME_VERSION)/hack/setup-envtest.sh
 

diff --git a/PROJECT b/PROJECT
@@ -1,5 +1,5 @@
 domain: cybozu.com
 layout: go.kubebuilder.io/v3
-projectName: tmp
+projectName: pod-security-admission
 repo: github.com/cybozu-go/pod-security-admission
 version: "3"
diff --git a/RELEASE.md b/RELEASE.md
@@ -1,7 +1,7 @@
 Release procedure
 =================
 
-This document describes how to release a new version of neco-template.
+This document describes how to release a new version of pod-security-admission.
 
 Versioning
 ----------
@@ -37,6 +37,8 @@ Bump version
 1. Checkout `main` branch.
 1. Make a branch to release, for example by `git neco dev "$VERSION"`
 1. Edit `CHANGELOG.md` for the new version ([example][]).
+1. Edit `version.go` for the new version.
+1. Edit `config/manager/kustomization.yaml` and update newTag value for the new version.
 1. Commit the change and push it.
 
     ```console
@@ -51,12 +53,12 @@ Bump version
     $ git tag "v$VERSION"
     $ git push origin "v$VERSION"
 
-Now the version is bumped up and the latest container image is uploaded to [quay.io](https://quay.io/cybozu/neco-template).
+Now the version is bumped up and the latest container image is uploaded to [quay.io](https://quay.io/cybozu/pod-security-admission).
 
 Publish GitHub release page
 ---------------------------
 
-Go to https://github.com/cybozu-go/neco-template/releases and edit the tag.
+Go to https://github.com/cybozu-go/pod-security-admission/releases and edit the tag.
 Finally, press `Publish release` button.
 
 

diff --git a/cmd/main.go b/cmd/main.go
@@ -0,0 +1,9 @@
+package main
+
+import (
+	"github.com/cybozu-go/pod-security-admission/cmd/sub"
+)
+
+func main() {
+	sub.Execute()
+}
diff --git a/cmd/root.go → cmd/sub/root.go b/cmd/root.go → cmd/sub/root.go
@@ -1,4 +1,4 @@
-package cmd
+package sub
 
 import (
 	"flag"
@@ -7,6 +7,7 @@ import (
 	"os"
 	"strconv"
 
+	psa "github.com/cybozu-go/pod-security-admission"
 	"github.com/cybozu-go/pod-security-admission/hooks"
 	"github.com/spf13/cobra"
 	"k8s.io/klog"
@@ -24,9 +25,10 @@ var config struct {
 }
 
 var rootCmd = &cobra.Command{
-	Use:   "pod-security-admission",
-	Short: "admission webhooks to ensure pod security standards",
-	Long:  `Admission webhooks to ensure pod security standards.`,
+	Use:     "pod-security-admission",
+	Short:   "admission webhooks to ensure pod security standards",
+	Long:    `Admission webhooks to ensure pod security standards.`,
+	Version: psa.Version(),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		cmd.SilenceUsage = true
 		h, p, err := net.SplitHostPort(config.webhookAddr)

diff --git a/cmd/run.go → cmd/sub/run.go b/cmd/run.go → cmd/sub/run.go
@@ -1,4 +1,4 @@
-package cmd
+package sub
 
 import (
 	"github.com/cybozu-go/pod-security-admission/hooks"

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -1,74 +1,74 @@
 # Adds namespace to all resources.
-namespace: tmp-system
+namespace: psa-system
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: tmp-
+namePrefix: psa-
 
 # Labels to add to all resources and selectors.
 #commonLabels:
 #  someName: someValue
 
 bases:
-- ../crd
-- ../rbac
+#- ../crd
+#- ../rbac
 - ../manager
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
-#- ../webhook
+- ../webhook
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
-#- ../certmanager
+- ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
 
 patchesStrategicMerge:
 # Protect the /metrics endpoint by putting it behind auth.
 # If you want your controller-manager to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
+#- manager_auth_proxy_patch.yaml
 
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type
 #- manager_config_patch.yaml
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
-#- manager_webhook_patch.yaml
+- manager_webhook_patch.yaml
 
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
 # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
 # 'CERTMANAGER' needs to be enabled to use ca injection
-#- webhookcainjection_patch.yaml
+- webhookcainjection_patch.yaml
 
 # the following config is for teaching kustomize how to do var substitution
 vars:
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-#  objref:
-#    kind: Certificate
-#    group: cert-manager.io
-#    version: v1
-#    name: serving-cert # this name should match the one in certificate.yaml
-#  fieldref:
-#    fieldpath: metadata.namespace
-#- name: CERTIFICATE_NAME
-#  objref:
-#    kind: Certificate
-#    group: cert-manager.io
-#    version: v1
-#    name: serving-cert # this name should match the one in certificate.yaml
-#- name: SERVICE_NAMESPACE # namespace of the service
-#  objref:
-#    kind: Service
-#    version: v1
-#    name: webhook-service
-#  fieldref:
-#    fieldpath: metadata.namespace
-#- name: SERVICE_NAME
-#  objref:
-#    kind: Service
-#    version: v1
-#    name: webhook-service
+- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml
+  fieldref:
+    fieldpath: metadata.namespace
+- name: CERTIFICATE_NAME
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml
+- name: SERVICE_NAMESPACE # namespace of the service
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+  fieldref:
+    fieldpath: metadata.namespace
+- name: SERVICE_NAME
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /certs
+          name: cert
+          readOnly: true
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: webhook-server-cert
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,3 +4,4 @@ @@
     /.vscode
     /.idea
     cover.out
+    /build