Issue-609 Port over Gatekeeper's Dockerfile and kube YAMLs
I ended up rewriting a good portion of the Dockerfile. It now uses a
multi-stage build. It can accept source code to build, or unpack a premade
binary.

I also updated the Makefile
ASzc committed Jun 11, 2020
1 parent 48c72c0 commit a2b8f46
Showing 5 changed files with 160 additions and 19 deletions.
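--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1 @@
+/bin/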
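--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,41 @@
+#
+# Builder image
+#
+
+FROM golang:1.14.4 AS build-env
+ARG SOURCE=*
+
+ADD $SOURCE /src/
+WORKDIR /src/
+
+# Unpack any tars, then try to execute a Makefile, but if the SOURCE url is
+# just a tar of binaries, then there probably won't be one. Using multiple RUN
+# commands to ensure any errors are caught.
+RUN find . -name '*.tar.gz' -type f | xargs -rn1 tar -xzf
+RUN if [ -f Makefile ]; then make; fi
+RUN cp "$(find . -name 'louketo-proxy' -type f -print -quit)" /louketo-proxy
+
+#
+# Actual image
+#
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.2
+
+LABEL Name=louketo-proxy \
+Release=https://github.com/louketo/louketo-proxy \
+Url=https://github.com/louketo/louketo-proxy \
+Help=https://github.com/louketo/louketo-proxy/issues
+
+WORKDIR "/opt/louketo"
+
+RUN echo "louketo:x:1000:louketo" >> /etc/group && \
+echo "louketo:x:1000:1000:louketo user:/opt/louketo:/sbin/nologin" >> /etc/passwd && \
+chown -R louketo:louketo /opt/louketo && \
+chmod -R g+rw /opt/louketo
+
+COPY templates ./templates
+COPY --from=build-env /louketo-proxy ./
+RUN chmod +x louketo-proxy
+
+USER 1000
+ENTRYPOINT [ "/opt/louketo/louketo-proxy" ]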
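Review bot: `ADD $SOURCE /src/` in the builder stage accepts a remote URL through the `SOURCE` build arg and fetches it with no integrity check before the `find | xargs tar -xzf` line unpacks it and `make` runs whatever it contained, so the binary that lands in the final image is only as trustworthy as that download. When `SOURCE` is a URL, record the expected digest next to it and verify before extracting, e.g. `RUN echo "<expected-sha256>  <archive>" | sha256sum -c` ahead of the tar step (placeholders shown). The two base images are pinned by tag only (`golang:1.14.4`, `ubi-minimal:8.2`), and tags are mutable; `FROM golang:1.14.4@sha256:<digest>` pins the exact layer set if reproducible builds matter. Separately, `chown -R louketo:louketo /opt/louketo && chmod -R g+rw /opt/louketo` hands the directory that later receives the binary and templates to the runtime user (`USER 1000`), so the process can replace its own executable; keeping `/opt/louketo` root-owned and read-only and giving the user a separate writable path would be tighter.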
47 changes: 28 additions & 19 deletions Makefile
@@ -1,7 +1,7 @@
NAME=louketo-proxy
AUTHOR=louketo
REGISTRY=docker.io
GOVERSION ?= 1.10.2
CONTAINER_TOOL=$(shell command -v podman 2>/dev/null || command -v docker)
ROOT_DIR=${PWD}
HARDWARE=$(shell uname -m)
GIT_SHA=$(shell git --no-pager describe --always --dirty)
Expand All @@ -14,10 +14,10 @@ VETARGS ?= -asmdecl -atomic -bool -buildtags -copylocks -methods -nilfunc -print
PLATFORMS=darwin linux windows
ARCHITECTURES=amd64

.PHONY: test authors changelog build docker static release lint cover vet

default: build

.PHONY: golang build static
golang:
@echo "--> Go Version"
@go version
Expand All @@ -28,35 +28,42 @@ build: golang
go build -ldflags "${LFLAGS}" -o bin/${NAME}

static: golang
@echo "--> Compiling the static binary"
@echo "--> Compiling the project statically"
@mkdir -p bin
CGO_ENABLED=0 GOOS=linux go build -a -tags netgo -ldflags "-w ${LFLAGS}" -o bin/${NAME}

.PHONY: container-build docker-build
container-build: docker-build
docker-build:
@echo "--> Compiling the project"
docker run --rm \
-v ${ROOT_DIR}:/go/src/github.com/${AUTHOR}/${NAME} \
-w /go/src/github.com/${AUTHOR}/${NAME} \
-e GOOS=linux golang:${GOVERSION} \
make static

@echo "--> Compiling the project, inside a temporary container"
$(eval IMAGE=$(shell uuidgen))
${CONTAINER_TOOL} build --target build-env -t ${IMAGE} .
${CONTAINER_TOOL} run --rm ${IMAGE} /bin/cat /louketo-proxy > bin/louketo-proxy
${CONTAINER_TOOL} rmi ${IMAGE}
chmod +x bin/louketo-proxy

.PHONY: container-test docker-test
container-test: docker-test
docker-test:
@echo "--> Running the docker test"
docker run --rm -ti -p 3000:3000 \
@echo "--> Running the container image tests"
${CONTAINER_TOOL} run --rm -ti -p 3000:3000 \
-v ${ROOT_DIR}/config.yml:/etc/louketo/config.yml:ro \
-v ${ROOT_DIR}/tests:/opt/tests:ro \
${REGISTRY}/${AUTHOR}/${NAME}:${VERSION} --config /etc/louketo/config.yml

docker-release:
@echo "--> Building a release image"
@$(MAKE) static
@$(MAKE) docker
@docker push ${REGISTRY}/${AUTHOR}/${NAME}:${VERSION}
.PHONY: container-release docker-release
container-release: docker-release
docker-release: docker
@echo "--> Releasing the container image"
${CONTAINER_TOOL} push ${REGISTRY}/${AUTHOR}/${NAME}:${VERSION}

.PHONY: container docker
container: docker
docker:
@echo "--> Building the docker image"
docker build -t ${REGISTRY}/${AUTHOR}/${NAME}:${VERSION} .
@echo "--> Building the container image"
${CONTAINER_TOOL} build -t ${REGISTRY}/${AUTHOR}/${NAME}:${VERSION} .

.PHONY: certs
certs:
@echo "--> Generating the root CA"
@cfssl gencert -initca tests/ca-csr.json | cfssljson -bare tests/ca
Expand All @@ -68,6 +75,7 @@ certs:
-profile=server \
tests/proxy-csr.json | cfssljson -bare tests/proxy

.PHONY: clean authors vet lint gofmt verify format bench coverage cover spelling
clean:
rm -rf ./bin/* 2>/dev/null
rm -rf ./release/* 2>/dev/null
Expand Down Expand Up @@ -134,6 +142,7 @@ spelling:
@misspell -error *.go
@misspell -error *.md

.PHONY: test all changelog
test:
@echo "--> Running the tests"
@go test -v
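Review bot: In the `docker-build` recipe, `${CONTAINER_TOOL} run --rm ${IMAGE} /bin/cat /louketo-proxy > bin/louketo-proxy` redirects into `bin/` without creating it, so on a fresh checkout the shell fails on the redirection before the binary is copied out; the `static` target does `@mkdir -p bin` first and this recipe should too. The throwaway tag comes from `$(eval IMAGE=$(shell uuidgen))`, and the `rmi` two lines later only runs if the build and run both succeed, so a failed build leaves an anonymous image behind; a fixed tag such as `${NAME}-build-env` would be cleanable, drop the uuidgen dependency, and avoid uppercase output on platforms whose uuidgen emits it (a bare UUID is used as the repository name here, which must be lowercase). In the first hunk, the new `CONTAINER_TOOL=$(shell command -v podman 2>/dev/null || command -v docker)` is recursively assigned, so the lookup re-runs on every expansion and silently expands to empty when neither tool is installed, turning `${CONTAINER_TOOL} build …` into a bare `build …`; `CONTAINER_TOOL := $(shell …)` followed by `ifeq ($(strip $(CONTAINER_TOOL)),)` / `$(error podman or docker is required)` / `endif` fails early with a clear message.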
36 changes: 36 additions & 0 deletions kube/forward.yml
@@ -0,0 +1,36 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: proxy
spec:
replicas: 1
template:
metadata:
labels:
name: proxy
annotations:
repository: https://github.com/louketo/louketo-proxy
spec:
containers:
- name: proxy
image: docker.io/jboss/louketo/louketo-proxy:latest
imagePullPolicy: Always
args:
- --config /etc/secrets/forwarding.yml
- --discovery-url https://sso.example.com/auth/realms/hod-test
- --client-id broker
- --client-secret
- --listen 127.0.0.1:3000
- --enable-forwarding=true
- --forwarding-username=username
- --forwarding-password=password
- --enable-logging=true
- --enable-json-logging true
- --verbose true
volumeMounts:
- name: secrets
mountPath: /etc/secrets
volumes:
- name: secrets
secret:
secretName: config
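Review bot: The sample passes credentials as plain container args — `--client-secret` (left empty on the line after `--client-id broker`) and `--forwarding-username=username` / `--forwarding-password=password` — which end up in the Deployment spec and the process command line, visible to anyone who can read the pod spec or list processes; kube/reverse.yml already shows the better pattern of an `env` entry with `secretKeyRef`, and the forwarding credentials belong in the mounted `/etc/secrets/forwarding.yml` rather than duplicated on the command line. `apiVersion: extensions/v1beta1` for a Deployment is a deprecated API that current clusters no longer serve; both this file and kube/reverse.yml should declare `apiVersion: apps/v1`, which also requires a `spec.selector`. This manifest also omits the pod `securityContext` (`runAsNonRoot: true`, `runAsUser: 1000`) and the container `readOnlyRootFilesystem: true` that reverse.yml sets, even though the image itself runs as uid 1000. The image reference `docker.io/jboss/louketo/louketo-proxy:latest` carries an extra `jboss/` segment compared with the Makefile's `${REGISTRY}/${AUTHOR}/${NAME}` and tracks a mutable `latest` tag with `imagePullPolicy: Always`; presumably a leftover, worth confirming.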
54 changes: 54 additions & 0 deletions kube/reverse.yml
@@ -0,0 +1,54 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: proxy
spec:
replicas: 1
template:
metadata:
labels:
name: proxy
annotations:
repository: https://github.com/louketo/louketo-proxy
spec:
securityContext:
fsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumes:
- name: certs
secret:
secretName: tls
containers:
- name: proxy
image: docker.io/jboss/louketo/louketo-proxy:latest
imagePullPolicy: Always
args:
- --client-id=broker
- --discovery-url=https://sso.example.com/auth/realms/hod-test
- --enable-default-deny=false
- --enable-json-logging=true
- --enable-logging=true
- --enable-request-id=true
- --enable-security-filter=true
- --http-only-cookie=true
- --listen=127.0.0.1:3000
- --preserve-host=true
- --redirection-url=https://www.example.com
- --resources=uri=/admin/*|roles=admin
- --skip-client-id=true
- --tls-cert=/certs/tls.pem
- --tls-private-key=/certs/tls-key.pem
- --upstream-url=http://127.0.0.1:8080
env:
- name: PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: openid
key: client.secret
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- name: certs
mountPath: /certs
readOnly: true
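Review bot: `--enable-default-deny=false` together with `--resources=uri=/admin/*|roles=admin` means every path other than `/admin/*` is proxied to `--upstream-url=http://127.0.0.1:8080` without authentication, which reads as deliberate but is undocumented in a reference manifest; either drop the flag so the default applies, or add `# default-deny disabled on purpose: only /admin/* requires the admin role` above it so readers do not copy it by accident. `--listen=127.0.0.1:3000` binds loopback only, so the proxy is reachable solely from other containers in the same pod, yet the pod declares just the `proxy` container; presumably the upstream application is expected to run as a sidecar here, and a comment saying so would save confusion. The container `securityContext` sets `readOnlyRootFilesystem: true`; adding `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` would complete the usual hardening set, and the image is tracked by the mutable `latest` tag as in kube/forward.yml.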
