feat: Serve data instead of using the nginx container

.github/workflows/chart.yaml

@@ -60,25 +60,6 @@ jobs:
       - name: Run audit
         run: |
           polaris audit --helm-chart ./charts/well-known --helm-values ./charts/well-known/values.yaml --format pretty --set-exit-code-on-danger --set-exit-code-below-score 90
-
-  kubescape-scan:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-
-      - name: Install Kubescape
-        run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
-
-      - name: Set up Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.7.1
-
-      - name: Scan helm 
-        run: helm template ./charts/well-known --namespace fake -f ./charts/well-known/ci/pluto-values.yaml | ~/.kubescape/bin/kubescape scan --controls-config .github/kubescape-controls-inputs.json -v --fail-threshold 15 -
 
   pluto-scan:
     runs-on: ubuntu-latest

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.20 AS build-server
+FROM golang:1.22 AS build-server
 
 WORKDIR /workspace/server
 # Copy the Go Modules manifests
@@ -19,16 +19,21 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -o well-known ./
 
 FROM alpine AS downloader
 
-RUN wget -O /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64
-RUN chmod +x /usr/local/bin/dumb-init
+ARG TARGETPLATFORM
+ARG TINI_VERSION=v0.19.0
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then ARCHITECTURE=amd64; elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then ARCHITECTURE=arm; elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then ARCHITECTURE=arm64; else ARCHITECTURE=amd64; fi \
+    && wget -O /usr/local/bin/tini https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-static-${ARCHITECTURE}
+RUN chmod +x /usr/local/bin/tini
+
+#
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /app
 
-COPY --from=downloader /usr/local/bin/dumb-init /app/dumb-init
+COPY --from=downloader /usr/local/bin/tini /app/tini
 COPY --from=build-server /workspace/server/well-known /app/well-known
 USER 65532:65532
 
-ENTRYPOINT ["/app/dumb-init", "--", "/app/well-known"]
+ENTRYPOINT ["/app/tini", "--", "/app/well-known"]

charts/well-known/ci/pluto-values.yaml

@@ -6,4 +6,4 @@ autoscaling:
 
 networkpolicies:
   enabled: true
-  kubeApiServerCIDR: 1.2.3.4/32
+  kubeApiServerCIDR: 1.2.3.4/32

charts/well-known/templates/deployment.yaml

@@ -30,36 +30,6 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
-        - name: webserver
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.webserver.image.repository }}:{{ .Values.webserver.image.tag }}"
-          imagePullPolicy: {{ .Values.webserver.image.pullPolicy }}
-          ports:
-            - name: http
-              containerPort: 8080
-              protocol: TCP
-            - name: probe
-              containerPort: 8082
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: probe
-          readinessProbe:
-            httpGet:
-              path: /healthz
-              port: probe
-          volumeMounts:
-            - name: config
-              mountPath: /etc/nginx/conf.d/default.conf
-              subPath: default.conf
-            - name: data
-              mountPath: /usr/share/nginx/html/.well-known
-            - mountPath: /tmp
-              name: tmp-volume
-          resources:
-            {{- toYaml .Values.webserver.resources | nindent 12 }}
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
@@ -76,6 +46,9 @@ spec:
                   apiVersion: v1
                   fieldPath: metadata.name
           ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
             - name: probe
               containerPort: 8081
               protocol: TCP
@@ -101,13 +74,3 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      volumes:
-        - name: config
-          configMap:
-            name: {{ include "well-known.fullname" . }}
-        - name: data
-          configMap:
-            name: {{ include "well-known.fullname" . }}-data
-            optional: true
-        - name: tmp-volume
-          emptyDir: {}

charts/well-known/values.yaml

@@ -18,22 +18,7 @@ resources:
     cpu: 20m
     memory: 32Mi
 
-webserver:
-  image:
-    repository: nginxinc/nginx-unprivileged
-    pullPolicy: Always
-    tag: "1.25"
-  resources:
-    limits:
-      cpu: 50m
-      memory: 24Mi
-    requests:
-      cpu: 10m
-      memory: 10Mi
-  config:
-    accessLogEnabled: false
-
-podDisruptionBudget: 
+podDisruptionBudget:
   maxUnavailable: 1
 
 imagePullSecrets: []
@@ -93,8 +78,9 @@ autoscaling:
 
 networkpolicies:
   enabled: false
-  kubeApi: [] # kubectl get svc -n default kubernetes -oyaml
-    # - addresses: 
+  kubeApi: []
+    # kubectl get svc -n default kubernetes -oyaml
+    # - addresses:
     #     - 10.0.0.153
     #     - 10.0.0.90
     #   ports:

go.mod

@@ -1,6 +1,6 @@
 module well-known
 
-go 1.20
+go 1.22
 
 require (
 	k8s.io/api v0.28.3