Issue-609 Port over Gatekeeper's Dockerfile and kube YAMLs

I ended up rewriting a good portion of the Dockerfile. It now uses a
multi-stage build. It can accept source code to build, or unpack a premade
binary.

Author: ASzc

.dockerignore

@@ -0,0 +1 @@
+/bin/

Dockerfile

@@ -0,0 +1,45 @@
+#
+# Builder image
+#
+
+FROM registry.svc.ci.openshift.org/openshift/release:golang-1.13 AS build-env
+ARG SOURCE=*
+
+ADD $SOURCE /src/
+WORKDIR /src/
+
+ENV GOFLAGS=''
+
+# Try to execute a Makefile, but if the SOURCE url is just a tar of binaries,
+# then there probably won't be one. `|| true` makes us tolerant of that case.
+RUN find . -name '*.tar.gz' -type f | xargs -rn1 tar -xzf; \
+    make || true; \
+    cp "$(find . -name 'louketo-proxy' -type f -print -quit)" /louketo-proxy
+
+#
+# Actual image
+#
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.1
+
+LABEL Name=louketo-proxy \
+      Release=https://github.com/louketo/louketo-proxy \
+      Url=https://github.com/louketo/louketo-proxy \
+      Help=https://github.com/louketo/louketo-proxy/issues
+
+WORKDIR "/opt/louketo"
+
+RUN echo "louketo:x:1000:louketo" >> /etc/group && \
+    echo "louketo:x:1000:1000:louketo user:/opt/louketo:/sbin/nologin" >> /etc/passwd && \
+    chown -R louketo:louketo /opt/louketo && \
+    chmod -R g+rw /opt/louketo
+
+COPY --from=build-env /louketo-proxy ./
+
+RUN microdnf update && \
+    microdnf clean all && \
+    chmod +x /opt/louketo/louketo-proxy
+
+USER 1000
+
+ENTRYPOINT [ "/opt/louketo/louketo-proxy" ]

kube/forward.yml

@@ -0,0 +1,36 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: proxy
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        name: proxy
+      annotations:
+        repository: https://github.com/louketo/louketo-proxy
+    spec:
+      containers:
+      - name: proxy
+        image: docker.io/jboss/louketo/louketo-proxy:latest
+        imagePullPolicy: Always
+        args:
+          - --config /etc/secrets/forwarding.yml
+          - --discovery-url https://sso.example.com/auth/realms/hod-test
+          - --client-id broker
+          - --client-secret
+          - --listen 127.0.0.1:3000
+          - --enable-forwarding=true
+          - --forwarding-username=username
+          - --forwarding-password=password
+          - --enable-logging=true
+          - --enable-json-logging true
+          - --verbose true
+        volumeMounts:
+        - name: secrets
+          mountPath: /etc/secrets
+      volumes:
+      - name: secrets
+        secret:
+          secretName: config

kube/reverse.yml

@@ -0,0 +1,54 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: proxy
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        name: proxy
+      annotations:
+        repository: https://github.com/louketo/louketo-proxy
+    spec:
+      securityContext:
+        fsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+      volumes:
+      - name: certs
+        secret:
+          secretName: tls
+      containers:
+        - name: proxy
+          image: docker.io/jboss/louketo/louketo-proxy:latest
+          imagePullPolicy: Always
+          args:
+            - --client-id=broker
+            - --discovery-url=https://sso.example.com/auth/realms/hod-test
+            - --enable-default-deny=false
+            - --enable-json-logging=true
+            - --enable-logging=true
+            - --enable-request-id=true
+            - --enable-security-filter=true
+            - --http-only-cookie=true
+            - --listen=127.0.0.1:3000
+            - --preserve-host=true
+            - --redirection-url=https://www.example.com
+            - --resources=uri=/admin/*|roles=admin
+            - --skip-client-id=true
+            - --tls-cert=/certs/tls.pem
+            - --tls-private-key=/certs/tls-key.pem
+            - --upstream-url=http://127.0.0.1:8080
+          env:
+            - name: PROXY_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: openid
+                  key: client.secret
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+          - name: certs
+            mountPath: /certs
+            readOnly: true