diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5b64d1b8..d3fbae8d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -21,3 +21,12 @@ repos:
 args: ["lint"]
 types: ["go"]
 pass_filenames: false
+ fail_fast: true
+ - id: deployment
+ name: deployment
+ fail_fast: true
+ language: system
+ entry: make
+ args: ["deployment"]
+ types: ["yaml"]
+ pass_filenames: false
diff --git a/Dockerfile.release b/Dockerfile.release
index 2160cc85..f6ca0c77 100644
--- a/Dockerfile.release
+++ b/Dockerfile.release
@@ -3,4 +3,4 @@ ARG ARCH
 FROM gcr.io/distroless/base:nonroot-${TARGETARCH:-amd64}
 WORKDIR /pomerium
 COPY pomerium* /bin/
-ENTRYPOINT [ "/bin/pomerium-ingress" ]
\ No newline at end of file
+ENTRYPOINT [ "/bin/pomerium-ingress" ]
diff --git a/Makefile b/Makefile
index a7cc504a..bb2985fb 100644
--- a/Makefile
+++ b/Makefile
@@ -212,7 +212,7 @@ dev-install:
 @echo "==> $@"
 @echo "deleting pods..."
 @kubectl delete --force --selector app.kubernetes.io/name=pomerium pods || true
- @$(KUSTOMIZE) build config/dev | kubectl apply --filename -
+ @$(KUSTOMIZE) build config/dev/local | kubectl apply --filename -
 @stern -n pomerium --selector app.kubernetes.io/name=pomerium
 .PHONY: dev-gen-secrets
diff --git a/apis/ingress/v1/zz_generated.deepcopy.go b/apis/ingress/v1/zz_generated.deepcopy.go
index 78f93b50..4909bd1b 100644
--- a/apis/ingress/v1/zz_generated.deepcopy.go
+++ b/apis/ingress/v1/zz_generated.deepcopy.go
@@ -1,22 +1,6 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
-/*
-Copyright 2021.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
 // Code generated by controller-gen. DO NOT EDIT.
 package v1
diff --git a/cmd/all_in_one.go b/cmd/all_in_one.go
index 2fc35e16..c57a24e6 100644
--- a/cmd/all_in_one.go
+++ b/cmd/all_in_one.go
@@ -30,8 +30,10 @@ import (
 type allCmdOptions struct {
 ingressControllerOpts
 debug bool
- // MetricsBindAddress must be externally accessible host:port
- MetricsBindAddress string `validate:"required,hostname_port"`
+ // metricsBindAddress must be externally accessible host:port
+ metricsBindAddress string `validate:"required,hostname_port"`
+ serverAddr string `validate:"required,hostname_port"`
+ httpRedirectAddr string `validate:"required,hostname_port"`
 }
 type allCmdParam struct {
@@ -40,9 +42,10 @@ type allCmdParam struct {
 updateStatusFromService string
 dumpConfigDiff bool
- metricsBindAddress string
+ // bootstrapMetricsAddr for bootstrap configuration controller metrics
 bootstrapMetricsAddr string
- ingressMetricsAddr string
+ // ingressMetricsAddr for ingress+settings reconciliation controller metrics
+ ingressMetricsAddr string
 cfg config.Config
 }
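Review bot: The `validate:"required,hostname_port"` tags on the renamed `metricsBindAddress` and the new `serverAddr`/`httpRedirectAddr` fields are very likely dead now that the fields are unexported: that tag syntax is go-playground/validator's, and as far as I know it skips unexported struct fields, so the `required` check that the exported `MetricsBindAddress` used to get is silently lost and an empty `--metrics-bind-address` or a malformed `--server-addr` would pass. The call that runs validation on `allCmdOptions` is outside this hunk, so confirm which validator is used; if it is go-playground, either keep the three fields exported or check each explicitly before use, e.g. `if _, _, err := net.SplitHostPort(s.serverAddr); err != nil { return nil, fmt.Errorf("server-addr: %w", err) }`. The `allCmdParam` struct continues past the end of the hunk.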
@@ -72,7 +75,10 @@ func (s *allCmd) setupFlags() error {
 if err := flags.MarkHidden("debug"); err != nil {
 return err
 }
- flags.StringVar(&s.MetricsBindAddress, metricsBindAddress, "", "host:port for aggregate metrics")
+ flags.StringVar(&s.metricsBindAddress, metricsBindAddress, "", "host:port for aggregate metrics. host is mandatory")
+ flags.StringVar(&s.serverAddr, "server-addr", ":8443", "the address the HTTPS server would bind to")
+ flags.StringVar(&s.httpRedirectAddr, "http-redirect-addr", ":8080", "the address HTTP redirect would bind to")
+
 s.ingressControllerOpts.setupFlags(flags)
 return viperWalk(flags)
 }
@@ -117,9 +123,8 @@ func (s *allCmdOptions) getParam() (*allCmdParam, error) {
 ingressOpts: opts,
 updateStatusFromService: s.UpdateStatusFromService,
 dumpConfigDiff: s.debug,
- metricsBindAddress: s.MetricsBindAddress,
 }
- if err := p.makeBootstrapConfig(); err != nil {
+ if err := p.makeBootstrapConfig(*s); err != nil {
 return nil, fmt.Errorf("bootstrap: %w", err)
 }
@@ -144,9 +149,12 @@ func (s *allCmdParam) run(ctx context.Context) error {
 return eg.Wait()
 }
-func (s *allCmdParam) makeBootstrapConfig() error {
+func (s *allCmdParam) makeBootstrapConfig(opt allCmdOptions) error {
 s.cfg.Options = config.NewDefaultOptions()
+ s.cfg.Options.Addr = opt.serverAddr
+ s.cfg.Options.HTTPRedirectAddr = opt.httpRedirectAddr
+
 ports, err := netutil.AllocatePorts(7)
 if err != nil {
 return fmt.Errorf("allocating ports: %w", err)
@@ -157,6 +165,8 @@ func (s *allCmdParam) makeBootstrapConfig() error {
 s.bootstrapMetricsAddr = fmt.Sprintf("localhost:%s", ports[5])
 s.ingressMetricsAddr = fmt.Sprintf("localhost:%s", ports[6])
+ s.cfg.Options.MetricsAddr = opt.metricsBindAddress
+
 s.cfg.MetricsScrapeEndpoints = []config.MetricsScrapeEndpoint{
 {
 Name: "bootstrap",
@@ -182,8 +192,6 @@ func (s *allCmdParam) makeBootstrapConfig() error {
 },
 }
- s.cfg.Options.MetricsAddr = ":9090"
-
 return nil
 }
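Review bot: makeBootstrapConfig copies `opt.metricsBindAddress` straight into `s.cfg.Options.MetricsAddr` and drops the old `":9090"` fallback, but nothing here enforces the "host is mandatory" promise the flag help in setupFlags now makes; `hostname_port` (as far as I recall of go-playground/validator) accepts a host-less value such as `:9090`, and the field is unexported in any case, so an empty or host-less address reaches pomerium unchecked. Reject it at the point of use: `host, _, err := net.SplitHostPort(opt.metricsBindAddress)` followed by `if err != nil || host == "" { return fmt.Errorf("metrics-bind-address %q: host:port with a non-empty host is required", opt.metricsBindAddress) }` (this needs `net` imported, which is not visible in this hunk). The `:8443`/`:8080` defaults for the HTTPS and redirect listeners bind every interface, which matches the container ports this commit declares in ports.yaml but is worth stating in the flag help. makeBootstrapConfig's body runs past the end of the hunk.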
diff --git a/config/pomerium/deployment.yaml b/config/pomerium/deployment.yaml
deleted file mode 100644
index ec7e8300..00000000
--- a/config/pomerium/deployment.yaml
+++ /dev/null
@@ -1,54 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: pomerium
-spec:
- selector: {}
- replicas: 1
- template:
- spec:
- nodeSelector:
- kubernetes.io/os: linux
- securityContext:
- runAsNonRoot: true
- fsGroup: 1000
- runAsUser: 1000
- containers:
- - name: pomerium
- args:
- - all-in-one
- - --global-settings=$(POMERIUM_NAMESPACE)/settings
- - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
- - --metrics-bind-address=$(POD_IP):9090
- image: pomerium/ingress-controller:main
- ports:
- - containerPort: 443
- name: https
- protocol: TCP
- - name: http
- containerPort: 80
- protocol: TCP
- - name: metrics
- containerPort: 9090
- protocol: TCP
- env:
- - name: POMERIUM_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: POD_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- securityContext:
- allowPrivilegeEscalation: false
- resources:
- limits:
- cpu: 5000m
- memory: 1Gi
- requests:
- cpu: 300m
- memory: 200Mi
- serviceAccountName: pomerium-controller
- terminationGracePeriodSeconds: 10
diff --git a/config/pomerium/deployment/args.yaml b/config/pomerium/deployment/args.yaml
new file mode 100644
index 00000000..96ef688a
--- /dev/null
+++ b/config/pomerium/deployment/args.yaml
@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pomerium
+spec:
+ template:
+ spec:
+ containers:
+ - name: pomerium
+ args:
+ - all-in-one
+ - --global-settings=$(POMERIUM_NAMESPACE)/settings
+ - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
+ - --metrics-bind-address=$(POD_IP):9090
+ env:
+ - name: POMERIUM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
diff --git a/config/pomerium/deployment/base.yaml b/config/pomerium/deployment/base.yaml
new file mode 100644
index 00000000..b1ac96f0
--- /dev/null
+++ b/config/pomerium/deployment/base.yaml
@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pomerium
+spec:
+ replicas: 1
+ template:
+ spec:
+ containers:
+ - name: pomerium
+ serviceAccountName: pomerium-controller
+ terminationGracePeriodSeconds: 10
diff --git a/config/pomerium/healthcheck.yaml b/config/pomerium/deployment/healthcheck.yaml
similarity index 100%
rename from config/pomerium/healthcheck.yaml
rename to config/pomerium/deployment/healthcheck.yaml
diff --git a/config/pomerium/deployment/image.yaml b/config/pomerium/deployment/image.yaml
new file mode 100644
index 00000000..cdbc800e
--- /dev/null
+++ b/config/pomerium/deployment/image.yaml
@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pomerium
+spec:
+ replicas: 1
+ template:
+ spec:
+ containers:
+ - name: pomerium
+ image: pomerium/ingress-controller:main
+ imagePullPolicy: IfNotPresent
diff --git a/config/pomerium/deployment/kustomization.yaml b/config/pomerium/deployment/kustomization.yaml
new file mode 100644
index 00000000..b17a1f07
--- /dev/null
+++ b/config/pomerium/deployment/kustomization.yaml
@@ -0,0 +1,10 @@
+resources:
+ - base.yaml
+patchesStrategicMerge:
+ - args.yaml
+ - image.yaml
+ - ports.yaml
+ - resources.yaml
+ - no-root.yaml
+ - readonly-root-fs.yaml
+ #- healthchecks.yaml
diff --git a/config/pomerium/deployment/no-root.yaml b/config/pomerium/deployment/no-root.yaml
new file mode 100644
index 00000000..79e9924e
--- /dev/null
+++ b/config/pomerium/deployment/no-root.yaml
@@ -0,0 +1,16 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pomerium
+spec:
+ template:
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - name: pomerium
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsGroup: 1000
+ runAsUser: 1000
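Review bot: image.yaml pairs the mutable `pomerium/ingress-controller:main` tag with `imagePullPolicy: IfNotPresent`, so a node that already has any `main` image cached keeps running it across redeploys and never pulls a rebuilt one, including a rebuild that carries a security fix; the two settings work against each other. For a floating tag use `imagePullPolicy: Always`, or keep `IfNotPresent` and pin an immutable tag or an `@sha256:` digest, which is the better choice for anything that is not a dev overlay. The same pairing is baked into the regenerated deployment.yaml in this commit.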
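Review bot: The commented-out patch in kustomization.yaml, `#- healthchecks.yaml`, does not match the file this commit moves into the same directory, `healthcheck.yaml`, so un-commenting it as written fails the kustomize build; meanwhile the Deployment is rendered without liveness or readiness probes (none appear on the container in the regenerated deployment.yaml hunks visible in this diff). Either fix the name and enable it, `- healthcheck.yaml`, or replace the dead line with a comment that says why probes are off, e.g. `# healthcheck.yaml is intentionally not applied: <reason>`.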
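Review bot: no-root.yaml sets runAsNonRoot, runAsUser/runAsGroup and `allowPrivilegeEscalation: false`, but the container securityContext still carries the runtime's default capability set and no seccomp profile, so the pod does not meet the Pod Security Standards `restricted` profile even though everything else here is pointed that way. Add under the container's `securityContext`: `capabilities: { drop: ["ALL"] }` and `seccompProfile: { type: RuntimeDefault }` (both are safe for a static binary that only needs to bind 8443/8080 as uid 1000). Note also that `fsGroup: 1000` from the deleted deployment.yaml is not carried over; that is fine as long as the only volume is the world-writable `/tmp` emptyDir added in readonly-root-fs.yaml, which appears to be the case here.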
diff --git a/config/pomerium/deployment/ports.yaml b/config/pomerium/deployment/ports.yaml
new file mode 100644
index 00000000..cc194812
--- /dev/null
+++ b/config/pomerium/deployment/ports.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pomerium
+spec:
+ template:
+ spec:
+ containers:
+ - name: pomerium
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ - name: metrics
+ containerPort: 9090
+ protocol: TCP
diff --git a/config/pomerium/deployment/readonly-root-fs.yaml b/config/pomerium/deployment/readonly-root-fs.yaml
new file mode 100644
index 00000000..eed1cf56
--- /dev/null
+++ b/config/pomerium/deployment/readonly-root-fs.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pomerium
+spec:
+ template:
+ spec:
+ nodeSelector:
+ kubernetes.io/os: linux
+ containers:
+ - name: pomerium
+ securityContext:
+ readOnlyRootFilesystem: true
+ env:
+ - name: TMPDIR
+ value: "/tmp"
+ volumeMounts:
+ - mountPath: "/tmp"
+ name: tmp
+ volumes:
+ - name: tmp
+ emptyDir: {}
diff --git a/config/pomerium/deployment/resources.yaml b/config/pomerium/deployment/resources.yaml
new file mode 100644
index 00000000..21a6ee65
--- /dev/null
+++ b/config/pomerium/deployment/resources.yaml
@@ -0,0 +1,16 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pomerium
+spec:
+ template:
+ spec:
+ containers:
+ - name: pomerium
+ resources:
+ limits:
+ cpu: 5000m
+ memory: 1Gi
+ requests:
+ cpu: 300m
+ memory: 200Mi
diff --git a/config/pomerium/kustomization.yaml b/config/pomerium/kustomization.yaml
index c1457f9e..5bb1e171 100644
--- a/config/pomerium/kustomization.yaml
+++ b/config/pomerium/kustomization.yaml
@@ -3,10 +3,6 @@ #
 resources:
 - namespace.yaml
- - deployment.yaml
- - service_proxy.yaml
- - service_metrics.yaml
- - service_account.yaml
- - role.yaml
- - role_binding.yaml
- - ingressclass.yaml
+ - ./ingressclass.yaml
+ - ./deployment
+ - ./service
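Review bot: The new resources list in config/pomerium/kustomization.yaml pulls in `./deployment` and `./service` but not `./rbac`, while the Deployment in `./deployment/base.yaml` still sets `serviceAccountName: pomerium-controller`; unless `config/pomerium/rbac` is referenced from a kustomization outside this diff, the rendered manifest no longer creates that ServiceAccount or the controller's ClusterRole and ClusterRoleBinding, and the regenerated deployment.yaml in this same commit does in fact lose all three `pomerium-controller` RBAC objects. On a fresh install the pod then fails to be created for lack of the service account; on an upgrade it keeps running on stale, now-unmanaged RBAC. Add `- ./rbac` to the resources list and regenerate deployment.yaml.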
diff --git a/config/pomerium/rbac/kustomization.yaml b/config/pomerium/rbac/kustomization.yaml
new file mode 100644
index 00000000..25a37bf7
--- /dev/null
+++ b/config/pomerium/rbac/kustomization.yaml
@@ -0,0 +1,4 @@
+resources:
+ - role.yaml
+ - role_binding.yaml
+ - service_account.yaml
diff --git a/config/pomerium/role.yaml b/config/pomerium/rbac/role.yaml
similarity index 100%
rename from config/pomerium/role.yaml
rename to config/pomerium/rbac/role.yaml
diff --git a/config/pomerium/role_binding.yaml b/config/pomerium/rbac/role_binding.yaml
similarity index 100%
rename from config/pomerium/role_binding.yaml
rename to config/pomerium/rbac/role_binding.yaml
diff --git a/config/pomerium/service_account.yaml b/config/pomerium/rbac/service_account.yaml
similarity index 100%
rename from config/pomerium/service_account.yaml
rename to config/pomerium/rbac/service_account.yaml
diff --git a/config/pomerium/service/kustomization.yaml b/config/pomerium/service/kustomization.yaml
new file mode 100644
index 00000000..4bf3311c
--- /dev/null
+++ b/config/pomerium/service/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+ - proxy.yaml
+ - metrics.yaml
diff --git a/config/pomerium/service_metrics.yaml b/config/pomerium/service/metrics.yaml
similarity index 100%
rename from config/pomerium/service_metrics.yaml
rename to config/pomerium/service/metrics.yaml
diff --git a/config/pomerium/service_proxy.yaml b/config/pomerium/service/proxy.yaml
similarity index 90%
rename from config/pomerium/service_proxy.yaml
rename to config/pomerium/service/proxy.yaml
index 3a345126..3e1df1f5 100644
--- a/config/pomerium/service_proxy.yaml
+++ b/config/pomerium/service/proxy.yaml
@@ -10,6 +10,6 @@ spec:
 protocol: TCP
 name: https
 - name: http
- targetPort: 80
+ targetPort: http
 protocol: TCP
 port: 80
diff --git a/deployment.yaml b/deployment.yaml
index 07c81ce2..01c460c8 100644
--- a/deployment.yaml
+++ b/deployment.yaml
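Review bot: Only the `http` entry of the proxy Service is switched to the named container port; the `https` entry's targetPort line sits just above this hunk and is not visible here. Since ports.yaml in this commit moves the container's HTTPS listener from 443 to 8443, confirm that line now reads `targetPort: https` (or 8443); a stale `targetPort: 443` would leave the LoadBalancer's port 443 pointing at nothing while the HTTP redirect still works, which is easy to miss.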
@@ -243,14 +243,6 @@ spec: --- apiVersion: v1 kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/name: pomerium - name: pomerium-controller - namespace: pomerium ---- -apiVersion: v1 -kind: ServiceAccount metadata: labels: app.kubernetes.io/name: pomerium @@ -259,72 +251,6 @@ metadata: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: pomerium - name: pomerium-controller -rules: -- apiGroups: - - "" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - services/status - - secrets/status - - endpoints/status - verbs: - - get -- apiGroups: - - networking.k8s.io - resources: - - ingresses - - ingressclasses - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - get - - patch - - update -- apiGroups: - - ingress.pomerium.io - resources: - - settings - verbs: - - get - - list - - watch -- apiGroups: - - ingress.pomerium.io - resources: - - settings/status - verbs: - - get - - update - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole metadata: labels: app.kubernetes.io/name: pomerium @@ -339,21 +265,6 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: pomerium - name: pomerium-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: pomerium-controller -subjects: -- kind: ServiceAccount - name: pomerium-controller - namespace: pomerium ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/name: pomerium @@ -400,7 +311,7 @@ spec: - name: http port: 80 protocol: TCP - targetPort: 80 + targetPort: http selector: app.kubernetes.io/name: pomerium type: LoadBalancer 
@@ -429,6 +340,8 @@ spec: - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy - --metrics-bind-address=$(POD_IP):9090 env: + - name: TMPDIR + value: /tmp - name: POMERIUM_NAMESPACE valueFrom: fieldRef: @@ -439,12 +352,13 @@ spec: fieldRef: fieldPath: status.podIP image: pomerium/ingress-controller:main + imagePullPolicy: IfNotPresent name: pomerium ports: - - containerPort: 443 + - containerPort: 8443 name: https protocol: TCP - - containerPort: 80 + - containerPort: 8080 name: http protocol: TCP - containerPort: 9090 @@ -459,14 +373,22 @@ spec: memory: 200Mi securityContext: allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + volumeMounts: + - mountPath: /tmp + name: tmp nodeSelector: kubernetes.io/os: linux securityContext: - fsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 serviceAccountName: pomerium-controller terminationGracePeriodSeconds: 10 + volumes: + - emptyDir: {} + name: tmp --- apiVersion: batch/v1 kind: Job diff --git a/go.mod b/go.mod index f987eeb8..9fdb0abe 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/iancoleman/strcase v0.2.0 github.com/open-policy-agent/opa v0.41.0 github.com/pomerium/csrf v1.7.0 - github.com/pomerium/pomerium v0.17.1-0.20220629143207-2ddd3953cd7a + github.com/pomerium/pomerium v0.17.1-0.20220630145245-f67b33484bcb github.com/sergi/go-diff v1.2.0 github.com/spf13/cobra v1.5.0 github.com/spf13/pflag v1.0.5 diff --git a/go.sum b/go.sum index 288b5f11..773be4d0 100644 --- a/go.sum +++ b/go.sum 
@@ -1379,8 +1379,8 @@ github.com/polyfloyd/go-errorlint v1.0.0 h1:pDrQG0lrh68e602Wfp68BlUTRFoHn8PZYAjL github.com/polyfloyd/go-errorlint v1.0.0/go.mod h1:KZy4xxPJyy88/gldCe5OdW6OQRtNO3EZE7hXzmnebgA= github.com/pomerium/csrf v1.7.0 h1:Qp4t6oyEod3svQtKfJZs589mdUTWKVf7q0PgCKYCshY= github.com/pomerium/csrf v1.7.0/go.mod h1:hAPZV47mEj2T9xFs+ysbum4l7SF1IdrryYaY6PdoIqw= -github.com/pomerium/pomerium v0.17.1-0.20220629143207-2ddd3953cd7a h1:j8d1J8LEfRNIsTVdnp4en5FvJ+LKm2g9R8XwgG5+HaA= -github.com/pomerium/pomerium v0.17.1-0.20220629143207-2ddd3953cd7a/go.mod h1:M90ORT7OpOUInd1w0skRXyPZ9Ygh324lSdHOPb/oz3Q= +github.com/pomerium/pomerium v0.17.1-0.20220630145245-f67b33484bcb h1:vN2xH+bxyJfuXZiJTSIvw5XRzp+OxamlbKihQ4EBr6o= +github.com/pomerium/pomerium v0.17.1-0.20220630145245-f67b33484bcb/go.mod h1:M90ORT7OpOUInd1w0skRXyPZ9Ygh324lSdHOPb/oz3Q= github.com/pomerium/webauthn v0.0.0-20211014213840-422c7ce1077f h1:442shkoI4Oh4RHdzFaGma1t9Ji/T+8pfCxQQzmY5kj8= github.com/pomerium/webauthn v0.0.0-20211014213840-422c7ce1077f/go.mod h1:wgH3ualWdXu/qwbhOoSQedXzco+38Iz7qKKGCJcKPXg= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= diff --git a/goreleaser.yaml b/goreleaser.yaml index 63b158e3..a335a5e5 100644 --- a/goreleaser.yaml +++ b/goreleaser.yaml @@ -89,4 +89,3 @@ docker_manifests: image_templates: - pomerium/ingress-controller:{{ .Tag }}-arm64 - pomerium/ingress-controller:{{ .Tag }}-amd64 - diff --git a/hack/boilerplate.go.txt b/hack/boilerplate.go.txt index 45dbbbbc..e69de29b 100644 --- a/hack/boilerplate.go.txt +++ b/hack/boilerplate.go.txt 
@@ -1,15 +0,0 @@
-/*
-Copyright 2021.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
\ No newline at end of file