Issue-609 Port over Gatekeeper's Dockerfile and kube YAMLs (#638)

ASzc · web-flow · commit aa9ae98d6414 · 2020-06-15T15:28:21.000-03:00
I ended up rewriting a good portion of the Dockerfile. It now uses a multi-stage build. It can accept source code to build, or unpack a premade binary. I also updated the Makefile Fixes #609 Fixes #541
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1 @@
+/bin/
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,41 @@
+#
+# Builder image
+#
+
+FROM golang:1.14.4 AS build-env
+ARG SOURCE=*
+
+ADD $SOURCE /src/
+WORKDIR /src/
+
+# Unpack any tars, then try to execute a Makefile, but if the SOURCE url is
+# just a tar of binaries, then there probably won't be one. Using multiple RUN
+# commands to ensure any errors are caught.
+RUN find . -name '*.tar.gz' -type f | xargs -rn1 tar -xzf
+RUN if [ -f Makefile ]; then make; fi
+RUN cp "$(find . -name 'louketo-proxy' -type f -print -quit)" /louketo-proxy
+
+#
+# Actual image
+#
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.2
+
+LABEL Name=louketo-proxy \
+      Release=https://github.com/louketo/louketo-proxy \
+      Url=https://github.com/louketo/louketo-proxy \
+      Help=https://github.com/louketo/louketo-proxy/issues
+
+WORKDIR "/opt/louketo"
+
+RUN echo "louketo:x:1000:louketo" >> /etc/group && \
+    echo "louketo:x:1000:1000:louketo user:/opt/louketo:/sbin/nologin" >> /etc/passwd && \
+    chown -R louketo:louketo /opt/louketo && \
+    chmod -R g+rw /opt/louketo
+
+COPY templates ./templates
+COPY --from=build-env /louketo-proxy ./
+RUN chmod +x louketo-proxy
+
+USER 1000
+ENTRYPOINT [ "/opt/louketo/louketo-proxy" ]
diff --git a/Makefile b/Makefile
@@ -1,7 +1,7 @@
 NAME=louketo-proxy
 AUTHOR=louketo
 REGISTRY=docker.io
-GOVERSION ?= 1.10.2
+CONTAINER_TOOL=$(shell command -v podman 2>/dev/null || command -v docker)
 ROOT_DIR=${PWD}
 HARDWARE=$(shell uname -m)
 GIT_SHA=$(shell git --no-pager describe --always --dirty)
@@ -14,10 +14,10 @@ VETARGS ?= -asmdecl -atomic -bool -buildtags -copylocks -methods -nilfunc -print
 PLATFORMS=darwin linux windows
 ARCHITECTURES=amd64
 
-.PHONY: test authors changelog build docker static release lint cover vet
 
 default: build
 
+.PHONY: golang build static
 golang:
 	@echo "--> Go Version"
 	@go version
@@ -28,35 +28,42 @@ build: golang
 	go build -ldflags "${LFLAGS}" -o bin/${NAME}
 
 static: golang
-	@echo "--> Compiling the static binary"
+	@echo "--> Compiling the project statically"
 	@mkdir -p bin
 	CGO_ENABLED=0 GOOS=linux go build -a -tags netgo -ldflags "-w ${LFLAGS}" -o bin/${NAME}
 
+.PHONY: container-build docker-build
+container-build: docker-build
 docker-build:
-	@echo "--> Compiling the project"
-	docker run --rm \
-		-v ${ROOT_DIR}:/go/src/github.com/${AUTHOR}/${NAME} \
-		-w /go/src/github.com/${AUTHOR}/${NAME} \
-		-e GOOS=linux golang:${GOVERSION} \
-		make static
-
+	@echo "--> Compiling the project, inside a temporary container"
+	$(eval IMAGE=$(shell uuidgen))
+	${CONTAINER_TOOL} build --target build-env -t ${IMAGE} .
+	${CONTAINER_TOOL} run --rm ${IMAGE} /bin/cat /louketo-proxy > bin/louketo-proxy
+	${CONTAINER_TOOL} rmi ${IMAGE}
+	chmod +x bin/louketo-proxy
+
+.PHONY: container-test docker-test
+container-test: docker-test
 docker-test:
-	@echo "--> Running the docker test"
-	docker run --rm -ti -p 3000:3000 \
+	@echo "--> Running the container image tests"
+	${CONTAINER_TOOL} run --rm -ti -p 3000:3000 \
     -v ${ROOT_DIR}/config.yml:/etc/louketo/config.yml:ro \
     -v ${ROOT_DIR}/tests:/opt/tests:ro \
     ${REGISTRY}/${AUTHOR}/${NAME}:${VERSION} --config /etc/louketo/config.yml
 
-docker-release:
-	@echo "--> Building a release image"
-	@$(MAKE) static
-	@$(MAKE) docker
-	@docker push ${REGISTRY}/${AUTHOR}/${NAME}:${VERSION}
+.PHONY: container-release docker-release
+container-release: docker-release
+docker-release: docker
+	@echo "--> Releasing the container image"
+	${CONTAINER_TOOL} push ${REGISTRY}/${AUTHOR}/${NAME}:${VERSION}
 
+.PHONY: container docker
+container: docker
 docker:
-	@echo "--> Building the docker image"
-	docker build -t ${REGISTRY}/${AUTHOR}/${NAME}:${VERSION} .
+	@echo "--> Building the container image"
+	${CONTAINER_TOOL} build -t ${REGISTRY}/${AUTHOR}/${NAME}:${VERSION} .
 
+.PHONY: certs
 certs:
 	@echo "--> Generating the root CA"
 	@cfssl gencert -initca tests/ca-csr.json | cfssljson -bare tests/ca
@@ -68,6 +75,7 @@ certs:
 		-profile=server \
 		tests/proxy-csr.json | cfssljson -bare tests/proxy
 
+.PHONY: clean authors vet lint gofmt verify format bench coverage cover spelling
 clean:
 	rm -rf ./bin/* 2>/dev/null
 	rm -rf ./release/* 2>/dev/null
@@ -134,6 +142,7 @@ spelling:
 	@misspell -error *.go
 	@misspell -error *.md
 
+.PHONY: test all changelog
 test:
 	@echo "--> Running the tests"
 	@go test -v
diff --git a/kube/forward.yml b/kube/forward.yml
@@ -0,0 +1,36 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: proxy
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        name: proxy
+      annotations:
+        repository: https://github.com/louketo/louketo-proxy
+    spec:
+      containers:
+      - name: proxy
+        image: docker.io/jboss/louketo/louketo-proxy:latest
+        imagePullPolicy: Always
+        args:
+          - --config /etc/secrets/forwarding.yml
+          - --discovery-url https://sso.example.com/auth/realms/hod-test
+          - --client-id broker
+          - --client-secret
+          - --listen 127.0.0.1:3000
+          - --enable-forwarding=true
+          - --forwarding-username=username
+          - --forwarding-password=password
+          - --enable-logging=true
+          - --enable-json-logging true
+          - --verbose true
+        volumeMounts:
+        - name: secrets
+          mountPath: /etc/secrets
+      volumes:
+      - name: secrets
+        secret:
+          secretName: config
diff --git a/kube/reverse.yml b/kube/reverse.yml
@@ -0,0 +1,54 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: proxy
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        name: proxy
+      annotations:
+        repository: https://github.com/louketo/louketo-proxy
+    spec:
+      securityContext:
+        fsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+      volumes:
+      - name: certs
+        secret:
+          secretName: tls
+      containers:
+        - name: proxy
+          image: docker.io/jboss/louketo/louketo-proxy:latest
+          imagePullPolicy: Always
+          args:
+            - --client-id=broker
+            - --discovery-url=https://sso.example.com/auth/realms/hod-test
+            - --enable-default-deny=false
+            - --enable-json-logging=true
+            - --enable-logging=true
+            - --enable-request-id=true
+            - --enable-security-filter=true
+            - --http-only-cookie=true
+            - --listen=127.0.0.1:3000
+            - --preserve-host=true
+            - --redirection-url=https://www.example.com
+            - --resources=uri=/admin/*|roles=admin
+            - --skip-client-id=true
+            - --tls-cert=/certs/tls.pem
+            - --tls-private-key=/certs/tls-key.pem
+            - --upstream-url=http://127.0.0.1:8080
+          env:
+            - name: PROXY_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: openid
+                  key: client.secret
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+          - name: certs
+            mountPath: /certs
+            readOnly: true
