From aa9ae98d6414045628d17b5c43a3f17cdb7f799b Mon Sep 17 00:00:00 2001
From: Alex Szczuczko
Date: Mon, 15 Jun 2020 12:28:21 -0600
Subject: [PATCH] Issue-609 Port over Gatekeeper's Dockerfile and kube YAMLs (#638)

I ended up rewriting a good portion of the Dockerfile. It now uses a multi-stage build. It can accept source code to build, or unpack a premade binary. I also updated the Makefile

Fixes #609
Fixes #541
---
 .dockerignore | 1 +
 Dockerfile | 41 ++++++++++++++++++++++++++++++++++++
 Makefile | 47 ++++++++++++++++++++++++-----------------
 kube/forward.yml | 36 ++++++++++++++++++++++++++++++++
 kube/reverse.yml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 160 insertions(+), 19 deletions(-)
 create mode 100644 .dockerignore
 create mode 100644 Dockerfile
 create mode 100644 kube/forward.yml
 create mode 100644 kube/reverse.yml

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 000000000..ae3c17260
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1 @@
+/bin/
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 000000000..d6eab82d5
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,41 @@
+#
+# Builder image
+#
+
+FROM golang:1.14.4 AS build-env
+ARG SOURCE=*
+
+ADD $SOURCE /src/
+WORKDIR /src/
+
+# Unpack any tars, then try to execute a Makefile, but if the SOURCE url is
+# just a tar of binaries, then there probably won't be one. Using multiple RUN
+# commands to ensure any errors are caught.
+RUN find . -name '*.tar.gz' -type f | xargs -rn1 tar -xzf
+RUN if [ -f Makefile ]; then make; fi
+RUN cp "$(find . -name 'louketo-proxy' -type f -print -quit)" /louketo-proxy
+
+#
+# Actual image
+#
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.2
+
+LABEL Name=louketo-proxy \
+      Release=https://github.com/louketo/louketo-proxy \
+      Url=https://github.com/louketo/louketo-proxy \
+      Help=https://github.com/louketo/louketo-proxy/issues
+
+WORKDIR "/opt/louketo"
+
+RUN echo "louketo:x:1000:louketo" >> /etc/group && \
+    echo "louketo:x:1000:1000:louketo user:/opt/louketo:/sbin/nologin" >> /etc/passwd && \
+    chown -R louketo:louketo /opt/louketo && \
+    chmod -R g+rw /opt/louketo
+
+COPY templates ./templates
+COPY --from=build-env /louketo-proxy ./
+RUN chmod +x louketo-proxy
+
+USER 1000
+ENTRYPOINT [ "/opt/louketo/louketo-proxy" ]
diff --git a/Makefile b/Makefile
index e2e5e2455..f64251cde 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 NAME=louketo-proxy
 AUTHOR=louketo
 REGISTRY=docker.io
-GOVERSION ?= 1.10.2
+CONTAINER_TOOL=$(shell command -v podman 2>/dev/null || command -v docker)
 ROOT_DIR=${PWD}
 HARDWARE=$(shell uname -m)
 GIT_SHA=$(shell git --no-pager describe --always --dirty)
@@ -14,10 +14,10 @@ VETARGS ?= -asmdecl -atomic -bool -buildtags -copylocks -methods -nilfunc -print
 PLATFORMS=darwin linux windows
 ARCHITECTURES=amd64
 
-.PHONY: test authors changelog build docker static release lint cover vet
 
 default: build
 
+.PHONY: golang build static
 golang:
 	@echo "--> Go Version"
 	@go version
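Review bot: `ADD $SOURCE /src/` takes whatever the build-arg names — a local path or a remote URL — with no integrity check, and the following `RUN … make` then compiles it, so a tarball fetched over the network is built without its digest ever being verified. Carry an expected hash next to it, e.g. a constructed `ARG SOURCE_SHA256=` (placeholder name), and have the unpack step run `echo "$SOURCE_SHA256  <archive>" | sha256sum -c` before `tar -xzf`, or use `ADD --checksum=sha256:…` on a Dockerfile frontend that supports it for the URL case. The default `*` also copies the entire build context into the build-env stage while `.dockerignore` excludes only `/bin/`, so `.git/` and any `tests/*-key.pem` produced by `make certs` end up in the builder layers (and in the uuid-tagged image the Makefile's `docker-build` creates from that stage); adding those paths to `.dockerignore` keeps them out. The `find … | xargs … tar -xzf` line runs under plain `/bin/sh`, so a failing `find` is masked by the pipe; `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` ahead of it makes that RUN fail loudly as the comment intends.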
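Review bot: `CONTAINER_TOOL=$(shell command -v podman 2>/dev/null || command -v docker)` silently expands to the empty string when neither tool is on PATH, and the recipes that use it (in a later hunk) then execute `build --target build-env …` as a bare command with a confusing "command not found". A guard right after the assignment makes the failure explicit: `ifeq ($(CONTAINER_TOOL),)` / `$(error neither podman nor docker found in PATH)` / `endif`.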
@@ -28,35 +28,42 @@ build: golang
 	go build -ldflags "${LFLAGS}" -o bin/${NAME}
 
 static: golang
-	@echo "--> Compiling the static binary"
+	@echo "--> Compiling the project statically"
 	@mkdir -p bin
 	CGO_ENABLED=0 GOOS=linux go build -a -tags netgo -ldflags "-w ${LFLAGS}" -o bin/${NAME}
 
+.PHONY: container-build docker-build
+container-build: docker-build
 docker-build:
-	@echo "--> Compiling the project"
-	docker run --rm \
-	  -v ${ROOT_DIR}:/go/src/github.com/${AUTHOR}/${NAME} \
-	  -w /go/src/github.com/${AUTHOR}/${NAME} \
-	  -e GOOS=linux golang:${GOVERSION} \
-	  make static
-
+	@echo "--> Compiling the project, inside a temporary container"
+	$(eval IMAGE=$(shell uuidgen))
+	${CONTAINER_TOOL} build --target build-env -t ${IMAGE} .
+	${CONTAINER_TOOL} run --rm ${IMAGE} /bin/cat /louketo-proxy > bin/louketo-proxy
+	${CONTAINER_TOOL} rmi ${IMAGE}
+	chmod +x bin/louketo-proxy
+
+.PHONY: container-test docker-test
+container-test: docker-test
 docker-test:
-	@echo "--> Running the docker test"
-	docker run --rm -ti -p 3000:3000 \
+	@echo "--> Running the container image tests"
+	${CONTAINER_TOOL} run --rm -ti -p 3000:3000 \
 	  -v ${ROOT_DIR}/config.yml:/etc/louketo/config.yml:ro \
 	  -v ${ROOT_DIR}/tests:/opt/tests:ro \
 	  ${REGISTRY}/${AUTHOR}/${NAME}:${VERSION} --config /etc/louketo/config.yml
 
-docker-release:
-	@echo "--> Building a release image"
-	@$(MAKE) static
-	@$(MAKE) docker
-	@docker push ${REGISTRY}/${AUTHOR}/${NAME}:${VERSION}
+.PHONY: container-release docker-release
+container-release: docker-release
+docker-release: docker
+	@echo "--> Releasing the container image"
+	${CONTAINER_TOOL} push ${REGISTRY}/${AUTHOR}/${NAME}:${VERSION}
 
+.PHONY: container docker
+container: docker
 docker:
-	@echo "--> Building the docker image"
-	docker build -t ${REGISTRY}/${AUTHOR}/${NAME}:${VERSION} .
+	@echo "--> Building the container image"
+	${CONTAINER_TOOL} build -t ${REGISTRY}/${AUTHOR}/${NAME}:${VERSION} .
 
+.PHONY: certs
 certs:
 	@echo "--> Generating the root CA"
 	@cfssl gencert -initca tests/ca-csr.json | cfssljson -bare tests/ca
@@ -68,6 +75,7 @@ certs:
 	  -profile=server \
 	  tests/proxy-csr.json | cfssljson -bare tests/proxy
 
+.PHONY: clean authors vet lint gofmt verify format bench coverage cover spelling
 clean:
 	rm -rf ./bin/* 2>/dev/null
 	rm -rf ./release/* 2>/dev/null
@@ -134,6 +142,7 @@ spelling:
 	@misspell -error *.go
 	@misspell -error *.md
 
+.PHONY: test all changelog
 test:
 	@echo "--> Running the tests"
 	@go test -v
diff --git a/kube/forward.yml b/kube/forward.yml
new file mode 100644
index 000000000..8336ed4c9
--- /dev/null
+++ b/kube/forward.yml
@@ -0,0 +1,36 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: proxy
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        name: proxy
+      annotations:
+        repository: https://github.com/louketo/louketo-proxy
+    spec:
+      containers:
+      - name: proxy
+        image: docker.io/jboss/louketo/louketo-proxy:latest
+        imagePullPolicy: Always
+        args:
+        - --config /etc/secrets/forwarding.yml
+        - --discovery-url https://sso.example.com/auth/realms/hod-test
+        - --client-id broker
+        - --client-secret
+        - --listen 127.0.0.1:3000
+        - --enable-forwarding=true
+        - --forwarding-username=username
+        - --forwarding-password=password
+        - --enable-logging=true
+        - --enable-json-logging true
+        - --verbose true
+        volumeMounts:
+        - name: secrets
+          mountPath: /etc/secrets
+      volumes:
+      - name: secrets
+        secret:
+          secretName: config
diff --git a/kube/reverse.yml b/kube/reverse.yml
new file mode 100644
index 000000000..99ecddb9a
--- /dev/null
+++ b/kube/reverse.yml
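Review bot: the new `docker-build` recipe redirects `/bin/cat /louketo-proxy` into `bin/louketo-proxy` but never creates `bin/`; on a fresh checkout (`bin/` is ignored by the new `.dockerignore` and is only emptied, not created, by `clean`) the shell fails with "No such file or directory" before the container even runs, whereas the old recipe got the directory from `make static`'s `@mkdir -p bin`. Add `@mkdir -p bin` before the `${CONTAINER_TOOL} run` line. When `build` or `run` fails, the uuid-tagged `${IMAGE}` is also left in the local image store because `rmi` is only reached on success; running the `rmi` on the failure path as well (or tagging a fixed name like `${NAME}-build-env` that the next build overwrites) avoids accumulating throw-away images. `$(eval IMAGE=$(shell uuidgen))` presumes `uuidgen` is installed — worth a comment, or a fallback, since it is not part of make or the container tools. This hunk's `docker-build` starts on the previous physical line.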
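Review bot: several `args` items put the flag and its value in one list element (`--config /etc/secrets/forwarding.yml`, `--discovery-url …`, `--client-id broker`, `--listen 127.0.0.1:3000`, `--enable-json-logging true`, `--verbose true`); each YAML item is a single argv element, and a Go `flag`-based parser sees `--config /etc/secrets/forwarding.yml` as one unknown flag name, so the proxy would most likely refuse to start. Use the `--config=/etc/secrets/forwarding.yml` form for all of them, as reverse.yml already does. `--client-secret` has no value at all, so the next item would presumably be consumed as the secret, and `--forwarding-password=password` places a credential in the pod spec where anyone with pod read access can see it; reverse.yml's `PROXY_CLIENT_SECRET` injected from a `secretKeyRef` is the pattern to copy for both values. `apiVersion: extensions/v1beta1` Deployments are removed on Kubernetes 1.16+ (`apps/v1` additionally needs `spec.selector.matchLabels` matching the template labels), and this applies to reverse.yml too.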
@@ -0,0 +1,54 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: proxy
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        name: proxy
+      annotations:
+        repository: https://github.com/louketo/louketo-proxy
+    spec:
+      securityContext:
+        fsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+      volumes:
+      - name: certs
+        secret:
+          secretName: tls
+      containers:
+      - name: proxy
+        image: docker.io/jboss/louketo/louketo-proxy:latest
+        imagePullPolicy: Always
+        args:
+        - --client-id=broker
+        - --discovery-url=https://sso.example.com/auth/realms/hod-test
+        - --enable-default-deny=false
+        - --enable-json-logging=true
+        - --enable-logging=true
+        - --enable-request-id=true
+        - --enable-security-filter=true
+        - --http-only-cookie=true
+        - --listen=127.0.0.1:3000
+        - --preserve-host=true
+        - --redirection-url=https://www.example.com
+        - --resources=uri=/admin/*|roles=admin
+        - --skip-client-id=true
+        - --tls-cert=/certs/tls.pem
+        - --tls-private-key=/certs/tls-key.pem
+        - --upstream-url=http://127.0.0.1:8080
+        env:
+        - name: PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: openid
+              key: client.secret
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - name: certs
+          mountPath: /certs
+          readOnly: true
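Review bot: the image is referenced as `docker.io/jboss/louketo/louketo-proxy:latest` with `imagePullPolicy: Always`, so every pod restart may pull a different build; pin a version tag or a digest, which matters all the more for a manifest that already takes care over `runAsNonRoot` and `readOnlyRootFilesystem`. The three-segment repository path looks like a leftover from the Gatekeeper manifests — the Makefile tags the image as `${REGISTRY}/${AUTHOR}/${NAME}`, i.e. `docker.io/louketo/louketo-proxy`, so the published name should be verified. `--enable-default-deny=false` with the single `--resources=uri=/admin/*|roles=admin` rule means every other path is proxied to the upstream without any authentication; if that is intentional for a sample, a comment saying so stops it being copied into real deployments unchanged, otherwise `true` is the safer default. `--listen=127.0.0.1:3000` binds to loopback inside a single-container pod, which presumably only works when a sidecar is added — a comment would make that expectation explicit.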