Use init process (#367)
* Use tini as PID 1

The operator runs as PID 1, which is expected to reap zombie processes;
since it doesn't, they get left around to take up room. This commit
installs `tini` and uses it as PID 1, instead.

This removes the use of ssh-agent in the `build/bin/entrypoint` script,
which serves only to prevent go-git from complaining about not finding
an ssh-agent socket -- and doesn't help with authentication (if no SSH
key is supplied, it will simply fail the SSH handshake).

* Remove build/bin scripts

These are relics of old operator-sdk boilerplate. In particular,

 - the entrypoint script is not needed because the entrypoint can be
   given in the Dockerfile (and doesn't need to do anything fancy)

 - the user_setup script isn't needed when `useradd` is run. `useradd`
   would not normally be available, since the base image used for
   controllers is often some variation of minimal, distro-less image;
   but, this image uses the maximalist pulumi/pulumi base image.

* Fail if SSH is used but no private key given

When using SSH, a key must be obtained from somewhere. On the command
line, git would either use the ssh-agent socket, or try to use a key in
~/.ssh. go-git mirrors this, by resorting to ssh-agent if it is not
given any other choices. But in the operator container, it doesn't make
sense to try to use ssh-agent, because there's no chance to add keys to
it -- its only purpose would be to stop go-git from complaining.

So: treat it as an error if someone uses an SSH git URL, but doesn't
supply a private SSH key.

Signed-off-by: Michael Bridgen <[email protected]>
squaremo authored Nov 8, 2022
1 parent 362e6b0 commit 36e3249
Showing 6 changed files with 15 additions and 24 deletions.
3 changes: 0 additions & 3 deletions .goreleaser.yml
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,3 @@ dockers:
- "--label=org.label-schema.name={{ .ProjectName }}"
- "--label=org.label-schema.vcs-ref={{ .ShortCommit }}"
- "--label=org.label-schema.vcs-url='{{ .GitURL }}'"

extra_files:
- "build/bin"
2 changes: 2 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ CHANGELOG
[#365](https://github.com/pulumi/pulumi-kubernetes-operator/pull/365)
- Rewrite test case to confirm to Pulumi YAML 1.0 (breaking) changes
[#369](https://github.com/pulumi/pulumi-kubernetes-operator/pull/369)
- Use an init process so processes spawned by `pulumi` are reaped
[#367](https://github.com/pulumi/pulumi-kubernetes-operator/pull/367)

## 1.10.1 (2022-10-25)

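Review bot: the new CHANGELOG entry only records the init-process change, but this commit also makes `SetupGitAuth` return an error when an SSH git URL is used without `sshAuth.sshPrivateKey`; a Stack that previously got as far as a failed SSH handshake now fails validation with a different message. Add a second bullet under the same PR link so operators reading the changelog know to expect the new error.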
Expand Down
9 changes: 3 additions & 6 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@
FROM pulumi/pulumi:3.46.0

ENV OPERATOR=/usr/local/bin/pulumi-kubernetes-operator
RUN apt-get install tini
ENTRYPOINT ["tini", "--", "/usr/local/bin/pulumi-kubernetes-operator"]

# install operator binary
COPY pulumi-kubernetes-operator ${OPERATOR}

COPY build/bin/* /usr/local/bin/
RUN /usr/local/bin/user_setup
COPY pulumi-kubernetes-operator /usr/local/bin/pulumi-kubernetes-operator

RUN useradd -m pulumi-kubernetes-operator
RUN mkdir -p /home/pulumi-kubernetes-operator/.ssh \
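Review bot: `RUN apt-get install tini` runs without a preceding `apt-get update` and without `-y`, so the build depends on whatever package index the `pulumi/pulumi:3.46.0` base image happens to ship and stops if apt prompts for confirmation. Use `RUN apt-get update && apt-get install -y --no-install-recommends tini && rm -rf /var/lib/apt/lists/*`; pinning the tini package version would also keep the image reproducible. As a style point, the `ENTRYPOINT` now sits above the `COPY` of the binary it launches; keeping it at the bottom of the file, where the deleted `ENTRYPOINT` lived, reads more clearly.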
Expand All @@ -22,4 +20,3 @@ ENV XDG_CONFIG_CACHE=/tmp/.cache
ENV GOCACHE=/tmp/.cache/go-build
ENV GOPATH=/tmp/.cache/go

ENTRYPOINT ["/usr/local/bin/entrypoint"]
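Review bot: with `/usr/local/bin/entrypoint` removed, the only init is the `tini` ENTRYPOINT added at the top of this file, and tini only reaps processes that are re-parented to it, which happens when it is PID 1 or a registered child subreaper. If the container ends up not being PID 1 (for example a pod with `shareProcessNamespace: true`, or a runtime that injects its own init), tini warns that it is not PID 1 and nothing is re-parented to it. Using `ENTRYPOINT ["tini", "-s", "--", "/usr/local/bin/pulumi-kubernetes-operator"]` (or `ENV TINI_SUBREAPER=1`) makes it register as a subreaper so reaping of the operator's `pulumi` children works in either case.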
4 changes: 0 additions & 4 deletions build/bin/entrypoint

This file was deleted.

11 changes: 0 additions & 11 deletions build/bin/user_setup

This file was deleted.

10 changes: 10 additions & 0 deletions pkg/controller/stack/stack_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -1433,6 +1433,12 @@ func (sess *reconcileStackSession) DestroyStack(ctx context.Context) error {
func (sess *reconcileStackSession) SetupGitAuth(ctx context.Context) (*auto.GitAuth, error) {
gitAuth := &auto.GitAuth{}

// check that the URL is valid (and we'll use it later to check we got appropriate auth)
u, err := giturls.Parse(sess.stack.ProjectRepo)
if err != nil {
return gitAuth, err
}

if sess.stack.GitAuth != nil {
if sess.stack.GitAuth.SSHAuth != nil {
privateKey, err := sess.resolveResourceRef(ctx, &sess.stack.GitAuth.SSHAuth.SSHPrivateKey)
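Review bot: `return gitAuth, err` after `giturls.Parse` hands back the bare parse error together with a non-nil `gitAuth`; the message that lands in the Stack status will not say which field was rejected. Wrap it with the offending value, `fmt.Errorf("invalid projectRepo %q: %w", sess.stack.ProjectRepo, err)`, and return `nil` for the auth on the error path, as the function's other callers would expect from Go convention.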
Expand Down Expand Up @@ -1516,6 +1522,10 @@ func (sess *reconcileStackSession) SetupGitAuth(ctx context.Context) (*auto.GitA
}
}

if u.Scheme == "ssh" && gitAuth.SSHPrivateKey == "" {
return gitAuth, fmt.Errorf("a private key must be provided for SSH")
}

return gitAuth, nil
}

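Review bot: the `u.Scheme == "ssh"` check misses the other SSH transports git accepts: `git+ssh://` and `ssh+git://` URLs parse with those schemes, so a Stack using one of them with no key still reaches go-git and fails later in the handshake, which is exactly what this check is meant to prevent. Compare against a small set (`ssh`, `git+ssh`, `ssh+git`) instead. The error string should also carry the repo URL so the status is actionable, and the inverse case, an HTTPS URL with `sshPrivateKey` supplied, is silently ignored here; at least logging that the key is unused would help users spot a misconfigured Stack.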
Expand Down
