ContainerImage.Pinniped/deploy/local-user-authenticator/deployment.yaml

#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0

#@ load("@ytt:data", "data")

---
apiVersion: v1
kind: Namespace
metadata:
  name: local-user-authenticator
  labels:
    name: local-user-authenticator
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: local-user-authenticator
  namespace: local-user-authenticator
---
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
apiVersion: v1
kind: Secret
metadata:
  name: image-pull-secret
  namespace: local-user-authenticator
  labels:
    app: local-user-authenticator
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
#@ end
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: local-user-authenticator
  namespace: local-user-authenticator
  labels:
    app: local-user-authenticator
spec:
  replicas: 1
  selector:
    matchLabels:
      app: local-user-authenticator
  template:
    metadata:
      labels:
        app: local-user-authenticator
    spec:
      securityContext:
        runAsUser: #@ data.values.run_as_user
        runAsGroup: #@ data.values.run_as_group
      serviceAccountName: local-user-authenticator
      #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
      imagePullSecrets:
        - name: image-pull-secret
      #@ end
      containers:
        - name: local-user-authenticator
          #@ if data.values.image_digest:
          image:  #@ data.values.image_repo + "@" + data.values.image_digest
          #@ else:
          image: #@ data.values.image_repo + ":" + data.values.image_tag
          #@ end
          imagePullPolicy: IfNotPresent
          command:
            - local-user-authenticator
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ "ALL" ]
            #! seccompProfile was introduced in Kube v1.19. Using it on an older Kube version will result in a
            #! kubectl validation error when installing via `kubectl apply`, which can be ignored using kubectl's
            #! `--validate=false` flag. Note that installing via `kapp` does not complain about this validation error.
            seccompProfile:
              type: "RuntimeDefault"
---
apiVersion: v1
kind: Service
metadata:
  name: local-user-authenticator
  namespace: local-user-authenticator
  labels:
    app: local-user-authenticator
  #! prevent kapp from altering the selector of our services to match kubectl behavior
  annotations:
    kapp.k14s.io/disable-default-label-scoping-rules: ""
spec:
  type: ClusterIP
  selector:
    app: local-user-authenticator
  ports:
    - protocol: TCP
      port: 443
      targetPort: 8443
Make Pinniped compatible with Kube clusters which have enabled PSAs Where possible, use securityContext settings which will work with the most restrictive Pod Security Admission policy level (as of Kube 1.25). Where privileged containers are needed, use the namespace-level annotation to allow them. Also adjust some integration tests to make similar changes to allow the integration tests to pass on test clusters which use restricted PSAs. 2022-09-15 21:58:15 +00:00			`#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory 2020-09-10 02:06:39 +00:00			`#! SPDX-License-Identifier: Apache-2.0`

			`#@ load("@ytt:data", "data")`

			`---`
			`apiVersion: v1`
			`kind: Namespace`
			`metadata:`
Rename `test-webhook` to `local-user-authenticator` Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-10 22:20:02 +00:00			`name: local-user-authenticator`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory 2020-09-10 02:06:39 +00:00			`labels:`
Rename `test-webhook` to `local-user-authenticator` Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-10 22:20:02 +00:00			`name: local-user-authenticator`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory 2020-09-10 02:06:39 +00:00			`---`
			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
Rename many of resources that are created in Kubernetes by Pinniped New resource naming conventions: - Do not repeat the Kind in the name, e.g. do not call it foo-cluster-role-binding, just call it foo - Names will generally start with a prefix to identify our component, so when a user lists all objects of that kind, they can tell to which component it is related, e.g. `kubectl get configmaps` would list one named "pinniped-config" - It should be possible for an operator to make the word "pinniped" mostly disappear if they choose, by specifying the app_name in values.yaml, to the extent that is practical (but not from APIService names because those are hardcoded in golang) - Each role/clusterrole and its corresponding binding have the same name - Pinniped resource names that must be known by the server golang code are passed to the code at run time via ConfigMap, rather than hardcoded in the golang code. This also allows them to be prepended with the app_name from values.yaml while creating the ConfigMap. - Since the CLI `get-kubeconfig` command cannot guess the name of the CredentialIssuerConfig resource in advance anymore, it lists all CredentialIssuerConfig in the app's namespace and returns an error if there is not exactly one found, and then uses that one regardless of its name 2020-09-18 22:56:50 +00:00			`name: local-user-authenticator`
Rename `test-webhook` to `local-user-authenticator` Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-10 22:20:02 +00:00			`namespace: local-user-authenticator`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory 2020-09-10 02:06:39 +00:00			`---`
local-user-authenticator can be deployed from a private registry image - Also add more comment to the values.yaml files to make the options more clear 2020-09-17 23:07:31 +00:00			`#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: image-pull-secret`
			`namespace: local-user-authenticator`
			`labels:`
			`app: local-user-authenticator`
			`type: kubernetes.io/dockerconfigjson`
			`data:`
			`.dockerconfigjson: #@ data.values.image_pull_dockerconfigjson`
			`#@ end`
			`---`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory 2020-09-10 02:06:39 +00:00			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
Rename `test-webhook` to `local-user-authenticator` Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-10 22:20:02 +00:00			`name: local-user-authenticator`
			`namespace: local-user-authenticator`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory 2020-09-10 02:06:39 +00:00			`labels:`
Rename `test-webhook` to `local-user-authenticator` Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-10 22:20:02 +00:00			`app: local-user-authenticator`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory 2020-09-10 02:06:39 +00:00			`spec:`
			`replicas: 1`
			`selector:`
			`matchLabels:`
Rename `test-webhook` to `local-user-authenticator` Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-10 22:20:02 +00:00			`app: local-user-authenticator`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory 2020-09-10 02:06:39 +00:00			`template:`
			`metadata:`
			`labels:`
Rename `test-webhook` to `local-user-authenticator` Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-10 22:20:02 +00:00			`app: local-user-authenticator`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory 2020-09-10 02:06:39 +00:00			`spec:`
Run as non-root I tried to follow a principle of encapsulation here - we can still default to peeps making connections to 80/443 on a Service object, but internally we will use 8080/8443. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-02 16:57:05 +00:00			`securityContext:`
Run Tilt images as root for faster reload Previously, when triggering a Tilt reload via a *.go file change, a reload would take ~13 seconds and we would see this error message in the Tilt logs for each component. Live Update failed with unexpected error: command terminated with exit code 2 Falling back to a full image build + deploy Now, Tilt should reload images a lot faster (~3 seconds) since we are running the images as root. Note! Reloading the Concierge component still takes ~13 seconds because there are 2 containers running in the Concierge namespace that use the Concierge image: the main Concierge app and the kube cert agent pod. Tilt can't live reload both of these at once, so the reload takes longer and we see this error message. Will not perform Live Update because: Error retrieving container info: can only get container info for a single pod; image target image:image/concierge has 2 pods Falling back to a full image build + deploy Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-01-13 14:47:39 +00:00			`runAsUser: #@ data.values.run_as_user`
			`runAsGroup: #@ data.values.run_as_group`
Rename many of resources that are created in Kubernetes by Pinniped New resource naming conventions: - Do not repeat the Kind in the name, e.g. do not call it foo-cluster-role-binding, just call it foo - Names will generally start with a prefix to identify our component, so when a user lists all objects of that kind, they can tell to which component it is related, e.g. `kubectl get configmaps` would list one named "pinniped-config" - It should be possible for an operator to make the word "pinniped" mostly disappear if they choose, by specifying the app_name in values.yaml, to the extent that is practical (but not from APIService names because those are hardcoded in golang) - Each role/clusterrole and its corresponding binding have the same name - Pinniped resource names that must be known by the server golang code are passed to the code at run time via ConfigMap, rather than hardcoded in the golang code. This also allows them to be prepended with the app_name from values.yaml while creating the ConfigMap. - Since the CLI `get-kubeconfig` command cannot guess the name of the CredentialIssuerConfig resource in advance anymore, it lists all CredentialIssuerConfig in the app's namespace and returns an error if there is not exactly one found, and then uses that one regardless of its name 2020-09-18 22:56:50 +00:00			`serviceAccountName: local-user-authenticator`
local-user-authenticator can be deployed from a private registry image - Also add more comment to the values.yaml files to make the options more clear 2020-09-17 23:07:31 +00:00			`#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":`
			`imagePullSecrets:`
			`- name: image-pull-secret`
			`#@ end`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory 2020-09-10 02:06:39 +00:00			`containers:`
Rename `test-webhook` to `local-user-authenticator` Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-10 22:20:02 +00:00			`- name: local-user-authenticator`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory 2020-09-10 02:06:39 +00:00			`#@ if data.values.image_digest:`
			`image: #@ data.values.image_repo + "@" + data.values.image_digest`
			`#@ else:`
			`image: #@ data.values.image_repo + ":" + data.values.image_tag`
			`#@ end`
			`imagePullPolicy: IfNotPresent`
Switch to a slimmer distroless base image. At a high level, it switches us to a distroless base container image, but that also includes several related bits: - Add a writable /tmp but make the rest of our filesystems read-only at runtime. - Condense our main server binaries into a single pinniped-server binary. This saves a bunch of space in the image due to duplicated library code. The correct behavior is dispatched based on `os.Args[0]`, and the `pinniped-server` binary is symlinked to `pinniped-concierge` and `pinniped-supervisor`. - Strip debug symbols from our binaries. These aren't really useful in a distroless image anyway and all the normal stuff you'd expect to work, such as stack traces, still does. - Add a separate `pinniped-concierge-kube-cert-agent` binary with "sleep" and "print" functionality instead of using builtin /bin/sleep and /bin/cat for the kube-cert-agent. This is split from the main server binary because the loading/init time of the main server binary was too large for the tiny resource footprint we established in our kube-cert-agent PodSpec. Using a separate binary eliminates this issue and the extra binary adds only around 1.5MiB of image size. - Switch the kube-cert-agent code to use a JSON `{"tls.crt": "<b64 cert>", "tls.key": "<b64 key>"}` format. This is more robust to unexpected input formatting than the old code, which simply concatenated the files with some extra newlines and split on whitespace. - Update integration tests that made now-invalid assumptions about the `pinniped-server` image. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-07-26 16:18:43 +00:00			`command:`
			`- local-user-authenticator`
Make Pinniped compatible with Kube clusters which have enabled PSAs Where possible, use securityContext settings which will work with the most restrictive Pod Security Admission policy level (as of Kube 1.25). Where privileged containers are needed, use the namespace-level annotation to allow them. Also adjust some integration tests to make similar changes to allow the integration tests to pass on test clusters which use restricted PSAs. 2022-09-15 21:58:15 +00:00			`securityContext:`
			`readOnlyRootFilesystem: true`
			`runAsNonRoot: true`
			`allowPrivilegeEscalation: false`
			`capabilities:`
			`drop: [ "ALL" ]`
			`#! seccompProfile was introduced in Kube v1.19. Using it on an older Kube version will result in a`
			#! kubectl validation error when installing via `kubectl apply`, which can be ignored using kubectl's
			#! `--validate=false` flag. Note that installing via `kapp` does not complain about this validation error.
			`seccompProfile:`
			`type: "RuntimeDefault"`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory 2020-09-10 02:06:39 +00:00			`---`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
Rename `test-webhook` to `local-user-authenticator` Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-10 22:20:02 +00:00			`name: local-user-authenticator`
			`namespace: local-user-authenticator`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory 2020-09-10 02:06:39 +00:00			`labels:`
Rename `test-webhook` to `local-user-authenticator` Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-10 22:20:02 +00:00			`app: local-user-authenticator`
prevent kapp from altering the selector of our services This makes it so that our service selector will match exactly the YAML we specify instead of including an extra "kapp.k14s.io/app" key. This will take us closer to the standard kubectl behavior which is desirable since we want to avoid future bugs that only manifest when kapp is not used. Signed-off-by: Monis Khan <mok@vmware.com> 2021-09-15 20:08:49 +00:00			`#! prevent kapp from altering the selector of our services to match kubectl behavior`
			`annotations:`
			`kapp.k14s.io/disable-default-label-scoping-rules: ""`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory 2020-09-10 02:06:39 +00:00			`spec:`
			`type: ClusterIP`
			`selector:`
Rename `test-webhook` to `local-user-authenticator` Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-10 22:20:02 +00:00			`app: local-user-authenticator`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory 2020-09-10 02:06:39 +00:00			`ports:`
			`- protocol: TCP`
			`port: 443`
Run as non-root I tried to follow a principle of encapsulation here - we can still default to peeps making connections to 80/443 on a Service object, but internally we will use 8080/8443. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-02 16:57:05 +00:00			`targetPort: 8443`