- Split the Dockerfile into a release build and a test image build - Implement a test registry to support the split build - Fully support non-default namespace
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,63 +1,89 @@ | ||
NAME:=dsv-injector | ||
VERSION?=latest | ||
|
||
NAME=dsv-injector | ||
VERSION?=0.0.1 | ||
IMAGE_TAG=$(NAME):$(VERSION) | ||
|
||
# The Kubernetes cluster Namespace in which to deploy the Webhook and/or POD | ||
NAMESPACE?=default | ||
image: | ||
docker build . -t $(IMAGE_TAG) -f build/Dockerfile | ||
|
||
# The JSON file containing a mapping of DSV role names to tenant/credential pairs | ||
ROLES_FILE?=configs/roles.json | ||
### The recipes below build and deploy a test injector-svc 🥼🧪 | ||
|
||
# The TCP port on which the service should listen | ||
SERVICE_PORT?=8543 | ||
# The CA certificate of the Kubernetes cluster 🔐 | ||
CA_CRT?=${HOME}/.minikube/ca.crt | ||
|
||
CA_CRT=${HOME}/.minikube/ca.crt | ||
|
||
# The IP address of the host of the dsv-injector service | ||
HOST_IP?=$(shell ip -o -4 -br addr show dev eth0 | awk '{print $$3}' | sed -e 's|/.*$$||') | ||
# The TCP port on which the service should listen 🌐 | ||
SERVICE_PORT?=8543 | ||
|
||
BUILD_DIR?=.build | ||
IMAGE_TAG?=$(NAME):v$(VERSION) | ||
# The Kubernetes cluster Namespace in which to deploy the Webhook and/or POD | ||
NAMESPACE?=default | ||
|
||
all: image deploy_host | ||
# The JSON file containing a mapping of DSV role names to tenant/credentials 🔑 | ||
ROLES_FILE?=configs/roles.json | ||
|
||
build: | ||
mkdir -p $(BUILD_DIR) | ||
# The IP address of the host running the dsv-injector service 🖥️ | ||
HOST_IP?=$(shell ip -o -4 -br addr | sed -n 2p | awk '{print $$3}' | sed -e 's|/.*$$||') | ||
|
||
clean: | ||
rm -rf $(BUILD_DIR) | ||
kubectl delete --ignore-not-found deployments $(NAME) | ||
kubectl delete --ignore-not-found service $(NAME) | ||
kubectl delete --ignore-not-found mutatingwebhookconfigurations.admissionregistration.k8s.io $(NAME) | ||
TEST_IMAGE_TAG?=$(NAME)-test:$(VERSION) | ||
|
||
cert=$(BUILD_DIR)/$(NAME).pem | ||
BUILD_DIR=target | ||
|
||
$(cert): build | ||
sh scripts/get_cert.sh -n "$(NAME)" -N "$(NAMESPACE)" -d "$(BUILD_DIR)" | ||
$(BUILD_DIR): | ||
mkdir -p $(BUILD_DIR) | ||
|
||
ca_bundle=$(shell base64 -w0 $(CA_CRT)) | ||
|
||
deploy_webhook: $(cert) image | ||
sed -e "s| port: [0-9]*.*$$| port: $(SERVICE_PORT)|" \ | ||
deploy_webhook: $(BUILD_DIR) | ||
sed -e "s| namespace: .*$$| namespace: $(NAMESPACE)|" \ | ||
-e "s| port: [0-9]*.*$$| port: $(SERVICE_PORT)|" \ | ||
-e "s|caBundle:.*$$|caBundle: $(ca_bundle)|" \ | ||
deployments/webhook.yml >| $(BUILD_DIR)/webhook.yml | ||
kubectl apply -f $(BUILD_DIR)/webhook.yml | ||
|
||
deploy_host: deploy_webhook | ||
sed -e "s|- port: [0-9]*.*$$|- port: $(SERVICE_PORT)|" \ | ||
sed -e "s| namespace: .*$$| namespace: $(NAMESPACE)|" \ | ||
-e "s|- port: [0-9]*.*$$|- port: $(SERVICE_PORT)|" \ | ||
-e "s|- ip: *\"[0-9].*$$|- ip: \"$(HOST_IP)\"|" \ | ||
deployments/host.yml >| $(BUILD_DIR)/host.yml | ||
kubectl apply -f $(BUILD_DIR)/host.yml | ||
|
||
deploy_pod: deploy_webhook | ||
sed -e "s|- port: [0-9]*.*$$|- port: $(SERVICE_PORT)|" \ | ||
-e "s|image:.*$$|image: $(IMAGE_TAG)|" \ | ||
deployments/pod.yml >| $(BUILD_DIR)/pod.yml | ||
kubectl apply -f $(BUILD_DIR)/pod.yml | ||
# Create a test image that includes the certficate and roles.json 🔓😧 | ||
|
||
image: $(cert) | ||
docker build -t $(IMAGE_TAG) . \ | ||
$(BUILD_DIR)/$(NAME).key $(BUILD_DIR)/$(NAME).pem: $(BUILD_DIR) | ||
sh scripts/get_cert.sh -n "$(NAME)" -N "$(NAMESPACE)" -d "$(BUILD_DIR)" | ||
|
||
# The registry can be supplied; spin up a test registry when it is not 🏗️ | ||
registry: | ||
ifndef REGISTRY | ||
kubectl apply -f test/registry.yml | ||
@echo "Waiting for the test registry to spin up..." && sleep 6 | ||
REGISTRY=$(shell kubectl get service -n kube-system kube-registry -o json |\ | ||
jq -r ".spec.clusterIP,.spec.ports[0].port" | sed -e "N;s|\n|:|") | ||
endif | ||
|
||
$(BUILD_DIR)/Dockerfile: registry test/Dockerfile $(BUILD_DIR) | ||
sed -e "s|^FROM $(NAME):.*|FROM $(REGISTRY)/$(IMAGE_TAG)|" \ | ||
test/Dockerfile >| $(BUILD_DIR)/Dockerfile | ||
|
||
test_image: image $(BUILD_DIR)/$(NAME).key $(BUILD_DIR)/$(NAME).pem $(BUILD_DIR)/Dockerfile | ||
docker tag $(IMAGE_TAG) $(REGISTRY)/$(IMAGE_TAG) | ||
docker push $(REGISTRY)/$(IMAGE_TAG) | ||
docker build . -t $(TEST_IMAGE_TAG) -f $(BUILD_DIR)/Dockerfile \ | ||
--build-arg cert_file="$(BUILD_DIR)/$(NAME).pem" \ | ||
--build-arg key_file="$(BUILD_DIR)/$(NAME).key" \ | ||
--build-arg roles_file="$(ROLES_FILE)" \ | ||
--build-arg roles_file="$(ROLES_FILE)" | ||
|
||
deploy: deploy_webhook test_image | ||
sed -e "s| namespace: .*$$| namespace: $(NAMESPACE)|" \ | ||
-e "s|- port: [0-9]*.*$$|- port: $(SERVICE_PORT)|" \ | ||
-e "s|image:.*$$|image: $(TEST_IMAGE_TAG)|" \ | ||
deployments/pod.yml >| $(BUILD_DIR)/pod.yml | ||
kubectl apply -f $(BUILD_DIR)/pod.yml | ||
|
||
deploy_clean: | ||
docker rmi -f $(IMAGE_TAG) | ||
kubectl delete --ignore-not-found deployments $(NAME) | ||
kubectl delete --ignore-not-found service $(NAME) | ||
kubectl delete --ignore-not-found mutatingwebhookconfigurations.admissionregistration.k8s.io $(NAME) | ||
|
||
clean: deploy_clean | ||
rm -rf $(BUILD_DIR) $(NAME) |
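Review bot: The `REGISTRY=$(shell kubectl get service … )` line inside the `registry` rule cannot supply the `$(REGISTRY)` that `$(BUILD_DIR)/Dockerfile` and `test_image` expand: as a recipe line it assigns a shell variable in a throw-away shell, and as a Make assignment (indentation is lost in this rendering, so either reading is possible) it runs at parse time, before `kubectl apply -f test/registry.yml` has created the service — either way `docker push $(REGISTRY)/$(IMAGE_TAG)` degrades to `docker push /dsv-injector:0.0.1`. A lazy default outside the rule is evaluated only when a consumer recipe expands it, i.e. after the `registry` prerequisite has run: `REGISTRY ?= $(shell kubectl get service -n kube-system kube-registry -o jsonpath='{.spec.clusterIP}:{.spec.ports[0].port}')`, leaving the `ifndef` block with just the `kubectl apply`. The fixed `sleep 6` is a race; `kubectl -n kube-system wait --for=condition=Ready pod -l k8s-app=kube-registry --timeout=60s` waits for the registry to actually be serving. Pushing to a plaintext ClusterIP registry also requires the Docker daemon to list that address under `insecure-registries`, which is worth a comment next to the `registry` target so the first `docker push` failure is explained.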
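--- /dev/null
+++ b/build/Dockerfile
@@ -0,0 +1,18 @@
+FROM alpine:latest AS build
+RUN apk update && apk upgrade
+RUN apk add go
+
+WORKDIR /b
+COPY cmd/ ./cmd
+COPY pkg/ ./pkg
+COPY go.mod go.sum ./
+RUN go build cmd/injector-svc.go
+
+FROM alpine:latest
+RUN apk update && apk upgrade
+RUN addgroup dsv && adduser -S -G dsv dsv
+
+WORKDIR /home/dsv
+COPY --chown=dsv:dsv --from=build /b/injector-svc .
+
+USER dsv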
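Review bot: Both stages start from the floating `alpine:latest` and `apk add go` installs whatever Go the Alpine repository serves on build day, so the release image is not reproducible and a base-image or toolchain change lands silently in the webhook; pin both stages to a specific tag and digest, in the form `FROM alpine:<tag>@sha256:<digest> AS build`, and pin the Go package version or build from an official Go image. `COPY go.mod go.sum ./` after the `cmd/` and `pkg/` copies means the module download is redone on every source change; copying the module files first and running `RUN go mod download` before the source copies keeps that layer cached. In the runtime stage `apk update && apk upgrade` leaves the package index in the layer; `RUN apk --no-cache upgrade` does the same work without it. The non-root `USER dsv` and the two-stage split (no Go toolchain in the final image) are the right shape.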
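--- /dev/null
+++ b/test/Dockerfile
@@ -0,0 +1,13 @@
+FROM dsv-injector:latest
+
+ARG cert_file
+ARG key_file
+ARG roles_file
+
+WORKDIR /home/dsv
+
+COPY --chown=dsv:dsv ${cert_file} ./dsv.pem
+COPY --chown=dsv:dsv ${key_file} ./dsv.key
+COPY --chown=dsv:dsv ${roles_file} ./roles.json
+
+ENTRYPOINT ["./injector-svc", "-cert", "dsv.pem", "-key", "dsv.key", "-roles", "roles.json" ]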
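Review bot: The three `COPY` lines bake the webhook's TLS private key and `roles.json` (which the Makefile describes as the DSV role-to-tenant/credentials mapping) into image layers, where they survive in every pull, `docker save` and `docker history` of the `dsv-injector-test` image, and `COPY` keeps the source file's mode, so `dsv.key` is as readable inside the image as it was in the build directory. The only warning today is an emoji in the Makefile; put one at the top of this file: `# TEST ONLY: embeds a TLS private key and DSV credentials in image layers; never push or share this image`. For anything beyond a throw-away minikube run the release image should receive these files as a mounted Secret — the `-cert`/`-key`/`-roles` flags already take paths — and `COPY --chmod=0400` (BuildKit) would at least tighten the key's mode in the meantime.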
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
--- | ||
apiVersion: v1 | ||
kind: ReplicationController | ||
metadata: | ||
name: kube-registry-v0 | ||
namespace: kube-system | ||
labels: | ||
k8s-app: kube-registry | ||
version: v0 | ||
spec: | ||
replicas: 1 | ||
selector: | ||
k8s-app: kube-registry | ||
version: v0 | ||
template: | ||
metadata: | ||
labels: | ||
k8s-app: kube-registry | ||
version: v0 | ||
spec: | ||
containers: | ||
- name: registry | ||
image: registry:2.5.1 | ||
resources: | ||
requests: | ||
memory: "512Mi" | ||
cpu: "250m" | ||
limits: | ||
memory: "2048Mi" | ||
cpu: "1000m" | ||
env: | ||
- name: REGISTRY_HTTP_ADDR | ||
value: :5000 | ||
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY | ||
value: /var/lib/registry | ||
volumeMounts: | ||
- name: image-store | ||
mountPath: /var/lib/registry | ||
ports: | ||
- containerPort: 5000 | ||
name: registry | ||
protocol: TCP | ||
volumes: | ||
- name: image-store | ||
hostPath: | ||
path: /data/registry/ | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: kube-registry | ||
namespace: kube-system | ||
labels: | ||
k8s-app: kube-registry | ||
spec: | ||
type: ClusterIP | ||
selector: | ||
k8s-app: kube-registry | ||
ports: | ||
- name: registry | ||
port: 5000 | ||
protocol: TCP |
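Review bot: The registry listens on plaintext HTTP (`REGISTRY_HTTP_ADDR: :5000`) with no TLS and no authentication behind a ClusterIP in `kube-system`, so any pod in the cluster can push a replacement `dsv-injector` tag that `test/Dockerfile` then builds the test image on, and with a `hostPath` store under `/data/registry/` the pushed layers persist on the node after the pod is gone. That is tolerable for a disposable minikube test only if it is labelled as such; add `# TEST ONLY: unauthenticated, plaintext registry; do not apply to a shared cluster` at the top, and consider a NetworkPolicy restricting ingress to the workloads that build and pull. `registry:2.5.1` is a 2016 release; pin a current 2.x tag by digest instead. `ReplicationController` is the legacy controller; a `Deployment` gives the same single replica with `kubectl rollout status` support, which the Makefile could use in place of its fixed `sleep`.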