Commit Graph

60 Commits

Author SHA1 Message Date
Monis Khan
a042f74a88
Dockerfile: build all files and trim file system paths
Use "..." instead of "main.go" as the build target since we may have
extra files in the future.

https://pkg.go.dev/cmd/go#hdr-Compile_packages_and_dependencies

-trimpath
	remove all file system paths from the resulting executable.
	Instead of absolute file system paths, the recorded file names
	will begin with either "go" (for the standard library),
	or a module path@version (when using modules),
	or a plain import path (when using GOPATH).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-03 10:26:13 -04:00
dependabot[bot]
1c3545e234
Bump distroless/static from 07869ab to bca3c20
Bumps distroless/static from `07869ab` to `bca3c20`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-10-28 01:02:33 +00:00
Monis Khan
7921a58988
Use 65532 instead of 1001 as non-root user
Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-25 16:21:54 -04:00
dependabot[bot]
d1d954bb3b
Bump golang from 1.17.1 to 1.17.2
Bumps golang from 1.17.1 to 1.17.2.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-10-08 01:03:52 +00:00
dependabot[bot]
19cecc3235
Bump distroless/static from be5d77c to 7cb5539
Bumps distroless/static from `be5d77c` to `7cb5539`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-30 17:09:57 +00:00
dependabot[bot]
92ccc0ec84
Bump golang from 1.17.0 to 1.17.1
Bumps golang from 1.17.0 to 1.17.1.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-13 01:13:32 +00:00
dependabot[bot]
1bb8a43e04
Bump distroless/static from c9f9b04 to be5d77c
Bumps distroless/static from `c9f9b04` to `be5d77c`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-02 03:00:24 +00:00
Monis Khan
44f03af4b9
Bump to Go 1.17.0
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-27 09:00:49 -04:00
Monis Khan
25b4d82d87
Bump to Go 1.16.7 and Kube v0.22.0
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-09 15:32:13 -04:00
Matt Moyer
58bbffded4
Switch to a slimmer distroless base image.
At a high level, it switches us to a distroless base container image, but that also includes several related bits:

- Add a writable /tmp but make the rest of our filesystems read-only at runtime.

- Condense our main server binaries into a single pinniped-server binary. This saves a bunch of space in
  the image due to duplicated library code. The correct behavior is dispatched based on `os.Args[0]`, and
  the `pinniped-server` binary is symlinked to `pinniped-concierge` and `pinniped-supervisor`.

- Strip debug symbols from our binaries. These aren't really useful in a distroless image anyway and all the
  normal stuff you'd expect to work, such as stack traces, still does.

- Add a separate `pinniped-concierge-kube-cert-agent` binary with "sleep" and "print" functionality instead of
  using builtin /bin/sleep and /bin/cat for the kube-cert-agent. This is split from the main server binary
  because the loading/init time of the main server binary was too large for the tiny resource footprint we
  established in our kube-cert-agent PodSpec. Using a separate binary eliminates this issue and the extra
  binary adds only around 1.5MiB of image size.

- Switch the kube-cert-agent code to use a JSON `{"tls.crt": "<b64 cert>", "tls.key": "<b64 key>"}` format.
  This is more robust to unexpected input formatting than the old code, which simply concatenated the files
  with some extra newlines and split on whitespace.

- Update integration tests that made now-invalid assumptions about the `pinniped-server` image.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-08-09 15:05:13 -04:00
Monis Khan
32c9aa5087
Bump to Go 1.16.6 and Kube v0.21.3
Signed-off-by: Monis Khan <mok@vmware.com>
2021-07-27 14:18:08 -04:00
dependabot[bot]
125d891cd5
Bump debian from 10.9-slim to 10.10-slim
Bumps debian from 10.9-slim to 10.10-slim.

---
updated-dependencies:
- dependency-name: debian
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-23 01:02:44 +00:00
dependabot[bot]
f417f706b9
Bump golang from 1.16.4 to 1.16.5
Bumps golang from 1.16.4 to 1.16.5.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-04 06:00:24 +00:00
dependabot[bot]
2634c9f04a
Bump golang from 1.16.3 to 1.16.4
Bumps golang from 1.16.3 to 1.16.4.

Signed-off-by: dependabot[bot] <support@github.com>
2021-05-07 05:49:58 +00:00
dependabot[bot]
30f476e1ac
Bump golang from 1.16.2 to 1.16.3
Bumps golang from 1.16.2 to 1.16.3.

Signed-off-by: dependabot[bot] <support@github.com>
2021-04-02 05:56:43 +00:00
dependabot[bot]
469f864de3
Bump debian from 10.8-slim to 10.9-slim
Bumps debian from 10.8-slim to 10.9-slim.

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-31 05:41:15 +00:00
dependabot[bot]
e64f2fe7fb
Bump golang from 1.16.1 to 1.16.2
Bumps golang from 1.16.1 to 1.16.2.

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-15 19:55:44 +00:00
dependabot[bot]
ad3f04a982
Bump golang from 1.16.0 to 1.16.1
Bumps golang from 1.16.0 to 1.16.1.

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-11 22:25:17 +00:00
dependabot[bot]
2637dc00da
Bump golang from 1.15.8 to 1.16.0
Bumps golang from 1.15.8 to 1.16.0.

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-01 11:44:26 -06:00
Matt Moyer
45f4a0528c
Upgrade Debian base images from 10.7 to 10.8.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-10 15:57:16 -06:00
Matt Moyer
d06c935c2c
Upgrade Go from 1.15.7 to 1.15.8.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-08 10:58:51 -06:00
Matt Moyer
8a41419b94
Optimize image build using .dockerignore and BuildKit features.
This optimizes our image in a few different ways:

- It adds a bunch of files and directories to the `.dockerignore` file.
  This lets us have a single `COPY . .` but still be very aggressive about pruning what files end up in the build context.

- It adds build-time cache mounts to the `go build` commands using BuildKit's `--mount=type=cache` flag.
  This requires BuildKit-capable Docker, but means that our Go builds can all be incremental builds.
  This replaces the previous flow we had where we needed to split out `go mod download`.

- Instead of letting the full `apt-get install ca-certificates` layer end up in our final image, we copy just the single file we need.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-27 10:42:56 -06:00
dependabot[bot]
79fa96cfbc
Bump golang from 1.15.6 to 1.15.7
Bumps golang from 1.15.6 to 1.15.7.

Signed-off-by: dependabot[bot] <support@github.com>
2021-01-21 13:56:04 +00:00
Margo Crawford
b8f56bd10b 1.20 Changes to the update script and Dockerfile 2021-01-07 13:20:25 -08:00
Matt Moyer
c7931bc6d5
Remove our main module dependency on golangci-lint.
We will still pin this in CI via an image dependency.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 17:01:32 -06:00
Matt Moyer
111f6513ac
Upgrade base images to Debian 10.7-slim.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 15:16:31 -06:00
Aram Price
a33dace80b
Upgrade golang (1.15.5 -> 1.15.6)
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-16 13:31:54 -05:00
dependabot[bot]
901242c1e1
Bump golang from 1.15.3 to 1.15.5
Bumps golang from 1.15.3 to 1.15.5.

Signed-off-by: dependabot[bot] <support@github.com>
2020-11-20 20:19:51 +00:00
Matt Moyer
e0a9bef6ce
Move ./internal/oidcclient to ./pkg/oidcclient.
This will allow it to be imported by Go code outside of our repository, which was something we have planned for since this code was written.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 14:53:32 -06:00
Matt Moyer
cbd71df574
Add "upstream-watcher" controller to supervisor.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 12:30:38 -06:00
Ryan Richard
5a0e7fd358 Upgrade golang patch release to 1.15.3 and debian 10.5-slim -> 10.6-slim 2020-11-02 16:17:15 -08:00
Andrew Keesler
fcea48c8f9
Run as non-root
I tried to follow a principle of encapsulation here - we can still default to
peeps making connections to 80/443 on a Service object, but internally we will
use 8080/8443.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 12:51:15 -05:00
Andrew Keesler
8fe031e73d Do not copy pkg directory in Dockerfile
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 13:31:16 -07:00
Ryan Richard
5b3dd5fc7d
Rename pinniped-server -> pinniped-concierge
Do we like this? We don't know yet.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 14:59:03 -04:00
Ryan Richard
76bd462cf8 Implement very rough skeleton of the start of a supervisor server
- This is just stab at a starting place because it felt easier to
  put something down on paper than to keep staring at a blank page
2020-10-05 17:28:19 -07:00
dependabot[bot]
29305777bb
Bump golang from 1.15.1 to 1.15.2
Bumps golang from 1.15.1 to 1.15.2.

Signed-off-by: dependabot[bot] <support@github.com>
2020-09-16 14:59:35 +00:00
Andrew Keesler
e7b389ae6c
Update copyright to reference Pinniped contributors
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-16 10:05:51 -04:00
Ryan Richard
b7bdb7f3b1 Rename test-webhook to local-user-authenticator
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 15:20:02 -07:00
Ryan Richard
2565f67824 Create a deployment for test-webhook
- For now, build the test-webhook binary in the same container image as
  the pinniped-server binary, to make it easier to distribute
- Also fix lots of bugs from the first draft of the test-webhook's
  `/authenticate` implementation from the previous commit
- Add a detailed README for the new deploy-test-webhook directory
2020-09-09 19:06:39 -07:00
dependabot[bot]
a2e8b2aa0c
Bump golang from 1.15.0 to 1.15.1
Bumps golang from 1.15.0 to 1.15.1.

Signed-off-by: dependabot[bot] <support@github.com>
2020-09-02 06:03:19 +00:00
Matt Moyer
7848332d47 Remove .netrc trick from Dockerfile.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-28 13:07:47 -05:00
Matt Moyer
8f93fbb87b Make ./pkg/client into an internal package using the native k8s client.
This should simplify our build/test setup quite a bit, since it means we have only a single module (at the top level) with all hand-written code. I'll leave `module.sh` alone for now but we may be able to simplify that a bit more.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-27 11:48:18 -05:00
Matt Moyer
8b36f2e8ae Convert code to use the new generated packages.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 14:42:27 -05:00
Ryan Richard
3929fa672e Rename project 2020-08-20 10:54:15 -07:00
Matt Moyer
ae0b97d807
Revert "Pin images to exact hashes (Dependabot can handle this, it seems)." 2020-08-14 10:52:29 -05:00
Matt Moyer
0d034cd18e Pin images to exact hashes (Dependabot can handle this, it seems).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-14 10:04:43 -05:00
Matt Moyer
c02b6fee8f Switch to Debian base images.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-13 13:35:42 -05:00
dependabot[bot]
d2f6eebc66
Bump golang from 1.14.7-alpine to 1.15.0-alpine
Bumps golang from 1.14.7-alpine to 1.15.0-alpine.

Signed-off-by: dependabot[bot] <support@github.com>
2020-08-12 05:50:33 +00:00
Ryan Richard
626fc6aa8d Merge branch 'main' into cert_controllers 2020-08-10 19:01:36 -07:00
dependabot[bot]
b3df59ca13
Bump golang from 1.14.6-alpine to 1.14.7-alpine
Bumps golang from 1.14.6-alpine to 1.14.7-alpine.

Signed-off-by: dependabot[bot] <support@github.com>
2020-08-10 16:46:08 +00:00