58bbffded4
At a high level, it switches us to a distroless base container image, but that also includes several related bits:
- Add a writable /tmp but make the rest of our filesystems read-only at runtime.
- Condense our main server binaries into a single pinniped-server binary. This saves a bunch of space in
the image due to duplicated library code. The correct behavior is dispatched based on `os.Args[0]`, and
the `pinniped-server` binary is symlinked to `pinniped-concierge` and `pinniped-supervisor`.
- Strip debug symbols from our binaries. These aren't really useful in a distroless image anyway and all the
normal stuff you'd expect to work, such as stack traces, still does.
- Add a separate `pinniped-concierge-kube-cert-agent` binary with "sleep" and "print" functionality instead of
using builtin /bin/sleep and /bin/cat for the kube-cert-agent. This is split from the main server binary
because the loading/init time of the main server binary was too large for the tiny resource footprint we
established in our kube-cert-agent PodSpec. Using a separate binary eliminates this issue and the extra
binary adds only around 1.5MiB of image size.
- Switch the kube-cert-agent code to use a JSON `{"tls.crt": "<b64 cert>", "tls.key": "<b64 key>"}` format.
This is more robust to unexpected input formatting than the old code, which simply concatenated the files
with some extra newlines and split on whitespace.
- Update integration tests that made now-invalid assumptions about the `pinniped-server` image.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
73 lines
1.6 KiB
Go
73 lines
1.6 KiB
Go
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package main
|
|
|
|
import (
|
|
"bytes"
|
|
"log"
|
|
"os"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestEntrypoint(t *testing.T) {
|
|
for _, tt := range []struct {
|
|
name string
|
|
args []string
|
|
wantOutput string
|
|
wantFail bool
|
|
wantArgs []string
|
|
}{
|
|
{
|
|
name: "missing args",
|
|
args: []string{},
|
|
wantOutput: "missing os.Args\n",
|
|
wantFail: true,
|
|
},
|
|
{
|
|
name: "invalid subcommand",
|
|
args: []string{"/path/to/invalid", "some", "args"},
|
|
wantOutput: "must be invoked as one of [another-test-binary valid-test-binary], not \"invalid\"\n",
|
|
wantFail: true,
|
|
},
|
|
{
|
|
name: "valid",
|
|
args: []string{"/path/to/valid-test-binary", "foo", "bar"},
|
|
wantArgs: []string{"/path/to/valid-test-binary", "foo", "bar"},
|
|
},
|
|
} {
|
|
tt := tt
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
var logBuf bytes.Buffer
|
|
testLog := log.New(&logBuf, "", 0)
|
|
exited := "exiting via fatal"
|
|
fail = func(format string, v ...interface{}) {
|
|
testLog.Printf(format, v...)
|
|
panic(exited)
|
|
}
|
|
|
|
// Make a test command that records os.Args when it's invoked.
|
|
var gotArgs []string
|
|
subcommands = map[string]func(){
|
|
"valid-test-binary": func() { gotArgs = os.Args },
|
|
"another-test-binary": func() {},
|
|
}
|
|
|
|
os.Args = tt.args
|
|
if tt.wantFail {
|
|
require.PanicsWithValue(t, exited, main)
|
|
} else {
|
|
require.NotPanics(t, main)
|
|
}
|
|
if tt.wantArgs != nil {
|
|
require.Equal(t, tt.wantArgs, gotArgs)
|
|
}
|
|
if tt.wantOutput != "" {
|
|
require.Equal(t, tt.wantOutput, logBuf.String())
|
|
}
|
|
})
|
|
}
|
|
}
|