58bbffded4
At a high level, it switches us to a distroless base container image, but that also includes several related bits:
- Add a writable /tmp but make the rest of our filesystems read-only at runtime.
- Condense our main server binaries into a single pinniped-server binary. This saves a bunch of space in
the image due to duplicated library code. The correct behavior is dispatched based on `os.Args[0]`, and
the `pinniped-server` binary is symlinked to `pinniped-concierge` and `pinniped-supervisor`.
- Strip debug symbols from our binaries. These aren't really useful in a distroless image anyway and all the
normal stuff you'd expect to work, such as stack traces, still does.
- Add a separate `pinniped-concierge-kube-cert-agent` binary with "sleep" and "print" functionality instead of
using builtin /bin/sleep and /bin/cat for the kube-cert-agent. This is split from the main server binary
because the loading/init time of the main server binary was too large for the tiny resource footprint we
established in our kube-cert-agent PodSpec. Using a separate binary eliminates this issue and the extra
binary adds only around 1.5MiB of image size.
- Switch the kube-cert-agent code to use a JSON `{"tls.crt": "<b64 cert>", "tls.key": "<b64 key>"}` format.
This is more robust to unexpected input formatting than the old code, which simply concatenated the files
with some extra newlines and split on whitespace.
- Update integration tests that made now-invalid assumptions about the `pinniped-server` image.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
42 lines
1.2 KiB
Go
42 lines
1.2 KiB
Go
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
// Package main is the combined entrypoint for all Pinniped server components.
|
|
//
|
|
// It dispatches to the appropriate Main() entrypoint based the name it is invoked as (os.Args[0]). In our server
|
|
// container image, this binary is symlinked to several names such as `/usr/local/bin/pinniped-concierge`.
|
|
package main
|
|
|
|
import (
|
|
"os"
|
|
"path/filepath"
|
|
|
|
"k8s.io/apimachinery/pkg/util/sets"
|
|
"k8s.io/klog/v2"
|
|
|
|
concierge "go.pinniped.dev/internal/concierge/server"
|
|
lua "go.pinniped.dev/internal/localuserauthenticator"
|
|
supervisor "go.pinniped.dev/internal/supervisor/server"
|
|
)
|
|
|
|
//nolint: gochecknoglobals // these are swapped during unit tests.
|
|
var (
|
|
fail = klog.Fatalf
|
|
subcommands = map[string]func(){
|
|
"pinniped-concierge": concierge.Main,
|
|
"pinniped-supervisor": supervisor.Main,
|
|
"local-user-authenticator": lua.Main,
|
|
}
|
|
)
|
|
|
|
func main() {
|
|
if len(os.Args) == 0 {
|
|
fail("missing os.Args")
|
|
}
|
|
binary := filepath.Base(os.Args[0])
|
|
if subcommands[binary] == nil {
|
|
fail("must be invoked as one of %v, not %q", sets.StringKeySet(subcommands).List(), binary)
|
|
}
|
|
subcommands[binary]()
|
|
}
|