Merge pull request #2 from d-velop/main

Updated tools and expanded Helm chart
hpi-schul-cloud · Aug 12, 2024 · 539feee · 539feee
2 parents d1890f4 + a647861
commit 539feee
Show file tree

Hide file tree

Showing 12 changed files with 454 additions and 878 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.16-alpine AS build_deps
+FROM golang:1.22-alpine AS build_deps
 
 RUN apk add --no-cache git
 
@@ -15,10 +15,14 @@ COPY . .
 
 RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
 
-FROM alpine:3.9
+FROM alpine:3.20
 
 RUN apk add --no-cache ca-certificates
 
 COPY --from=build /workspace/webhook /usr/local/bin/webhook
 
+RUN addgroup runtime -g 10001
+RUN adduser runtime -u 10000 -G runtime -D -h /workspace -s /bin/bash
+USER 10000
+
 ENTRYPOINT ["webhook"]
diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@ infra-otc-cert-manager-webhook](https://github.com/hpi-schul-cloud/infra-otc-cer
 ## Requirements
 
 - [kubernetes](https://kubernetes.io/) >= v1.18.0
-- [cert-manager](https://cert-manager.io/) >= 1.3.1
+- [cert-manager](https://cert-manager.io/) >= 1.14.5
 - [helm](https://helm.sh/) >= v3.0.0
 
 ## Configuration
@@ -26,6 +26,7 @@ The following table lists the configurable parameters of the infra-otc-cert-mana
 | `image.repository` | Image repository | `schulcloud/infra-otc-cert-manager-webhook` |
 | `image.tag` | Image tag | `sha-6e4a13b` |
 | `image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `image.pullSecrets` | Image pull secrets | `[]` |
 | `nameOverride` | Override for the chartname | `` |
 | `fullnameOverride` | Override for the fullname of the chart | `` |
 | `loglevel` | Number for the log level verbosity of webhook. | 2 |
@@ -35,6 +36,11 @@ The following table lists the configurable parameters of the infra-otc-cert-mana
 | `nodeSelector` | Node labels for pod assignment | `{}` |
 | `affinity` | Node affinity for pod assignment | `{}` |
 | `tolerations` | Node tolerations for pod assignment | `[]` |
+| `properties.disableSecurityContext` | Disable security context for container | `false` |
+| `properties.runAsUser` | UID of user with which to run the container | `10000` |
+| `properties.runAsGroup` | GID of group with which to run the container | `10001` |
+| `properties.fsGroup` | GID of group which will own the mounted volumes | `10001` |
+| `properties.readOnlyRootFilesystem` | Sets filesystem to read-only | `false` |
 
 ## Installation
 
@@ -173,7 +179,7 @@ The cert-manager will detect it and start the issuing process. See [Troubleshoot
 
 ### Requirements
 
-- [go](https://golang.org/) >= 1.13.0
+- [go](https://golang.org/) >= 1.22.3
 
 ### Configure the tests
 

diff --git a/deploy/infra-otc-cert-manager-webhook/Chart.yaml b/deploy/infra-otc-cert-manager-webhook/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
-appVersion: "1.0.1"
+appVersion: "1.0.2"
 description: A Helm chart for the infra-otc-cert-manager-webhook
 name: infra-otc-cert-manager-webhook
-version: 1.0.1
+version: 1.0.2
 maintainers:
   - name: Markus Bartels
     url: https://github.com/hpi-schul-cloud/infra-otc-cert-manager-webhook

diff --git a/deploy/infra-otc-cert-manager-webhook/templates/deployment.yaml b/deploy/infra-otc-cert-manager-webhook/templates/deployment.yaml
@@ -22,6 +22,19 @@ spec:
         release: {{ .Release.Name }}
     spec:
       serviceAccountName: {{ include "infra-otc-cert-manager-webhook.fullname" . }}
+      {{- if not .Values.properties.disableSecurityContext }}
+      securityContext:
+        runAsUser: {{ default 10000 .Values.properties.runAsUser }}
+        runAsGroup: {{ default 10001 .Values.properties.runAsGroup }}
+        fsGroup: {{ default 10001 .Values.properties.fsGroup }}
+        fsGroupChangePolicy: "OnRootMismatch"
+        seccompProfile:
+          type: RuntimeDefault
+      {{- end }}
+      {{- if hasKey .Values.image "imagePullSecrets" }}
+      imagePullSecrets:
+{{ toYaml .Values.image.imagePullSecrets | indent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -30,14 +43,15 @@ spec:
             {{- if .Values.logLevel }}
             - --v={{ .Values.logLevel }}
             {{- end }}
+            - --secure-port=8443
             - --tls-cert-file=/tls/tls.crt
             - --tls-private-key-file=/tls/tls.key
           env:
             - name: GROUP_NAME
               value: {{ .Values.groupName | quote }}
           ports:
             - name: https
-              containerPort: 443
+              containerPort: 8443
               protocol: TCP
           livenessProbe:
             httpGet:
@@ -53,6 +67,24 @@ spec:
             - name: certs
               mountPath: /tls
               readOnly: true
+          {{- if not .Values.properties.disableSecurityContext }}
+          securityContext:
+            runAsNonRoot: true
+            privileged: false
+            runAsUser: {{ default 10000 .Values.properties.runAsUser }}
+            runAsGroup: {{ default 10001 .Values.properties.runAsGroup }}
+            {{- if hasKey .Values.properties "readOnlyRootFilesystem" }}
+            readOnlyRootFilesystem: {{ .Values.properties.readOnlyRootFilesystem }}
+            {{- else }}
+            readOnlyRootFilesystem: true
+            {{- end }}
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          {{- end }}
           resources:
 {{ toYaml .Values.resources | indent 12 }}
       volumes:

diff --git a/deploy/infra-otc-cert-manager-webhook/values.yaml b/deploy/infra-otc-cert-manager-webhook/values.yaml
@@ -18,6 +18,8 @@ image:
   repository: schulcloud/infra-otc-cert-manager-webhook
   tag: 1.0.1
   pullPolicy: IfNotPresent
+  # pullSecrets:
+  # - name: my-pullsecret
 
 nameOverride: ""
 fullnameOverride: ""
@@ -45,3 +47,4 @@ tolerations: []
 
 affinity: {}
 
+properties: {}
diff --git a/go.mod b/go.mod
@@ -5,17 +5,10 @@ module github.com/hpi-schul-cloud/infra-otc-cert-manager-webhook
 // https://golang.org/doc/devel/release.html
 // https://golang.org/doc/go1.13 >> 03.09.2019
 // https://golang.org/doc/go1.16 >> 16.02.2021
-go 1.13
+go 1.22.3
 
 require (
-	// https://github.com/jetstack/cert-manager
-	// The Jetstack Cert-Manager.
-	// v1.2.0 >> 11.02.2021, https://github.com/jetstack/cert-manager/releases/tag/v1.2.0
-	// v1.3.0 >> 07.04.2021, https://github.com/jetstack/cert-manager/releases/tag/v1.3.0
-	// v1.3.1 >> 14.04.2021, https://github.com/jetstack/cert-manager/releases/tag/v1.3.1
-	// See also: terraform/modules/sc-ionos-certificate-issuer/main.tf. Version must match.
-	// The cert-manager uses Kubernetes API 0.19 since 26 Aug 2020. https://github.com/jetstack/cert-manager/commit/14ea7c3f653e07a7a326bef2c3689b0596d706bc#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6
-	github.com/jetstack/cert-manager v1.3.1
+	github.com/cert-manager/cert-manager v1.14.5
 
 	// https://github.com/opentelekomcloud/gophertelekomcloud
 	// The Open Telekom Cloud API
@@ -25,21 +18,121 @@ require (
 	// github.com/miekg/dns v1.1.31
 
 	// A test library.
-	github.com/stretchr/testify v1.6.1
+	github.com/stretchr/testify v1.8.4
 
 	// https://github.com/kubernetes/apiextensions-apiserver
 	// This API server provides the implementation for CustomResourceDefinitions which is included as delegate server inside of kube-apiserver.
 	// apiextensions-apiserver v0.18.0 >>> Kubernetes 1.18
-	k8s.io/apiextensions-apiserver v0.19.0
-
-	k8s.io/apimachinery v0.19.0
+	k8s.io/apiextensions-apiserver v0.29.0
+	k8s.io/apimachinery v0.29.0
 
 	// https://github.com/kubernetes/client-go
 	// Client library to talk to Kubernetes. client-go v0.18.0 >>> Kubernetes 1.18
-	k8s.io/client-go v0.19.0
+	k8s.io/client-go v0.29.0
 
 	// https://github.com/kubernetes/klog/tree/v2.9.0
 	k8s.io/klog v1.0.0
 )
 
+require (
+	github.com/NYTimes/gziphandler v1.1.1 // indirect
+	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/coreos/go-semver v0.3.1 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
+	github.com/evanphx/json-patch/v5 v5.7.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
+	github.com/go-openapi/jsonpointer v0.20.2 // indirect
+	github.com/go-openapi/jsonreference v0.20.4 // indirect
+	github.com/go-openapi/swag v0.22.7 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/cel-go v0.17.7 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/uuid v1.5.0 // indirect
+	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.1 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
+	github.com/miekg/dns v1.1.57 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_golang v1.18.0 // indirect
+	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/common v0.45.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/spf13/cobra v1.8.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
+	go.etcd.io/etcd/api/v3 v3.5.11 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.11 // indirect
+	go.etcd.io/etcd/client/v3 v3.5.11 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
+	go.opentelemetry.io/otel v1.21.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 // indirect
+	go.opentelemetry.io/otel/metric v1.21.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.21.0 // indirect
+	go.opentelemetry.io/otel/trace v1.21.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.26.0 // indirect
+	golang.org/x/crypto v0.22.0 // indirect
+	golang.org/x/exp v0.0.0-20231226003508-02704c960a9b // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/net v0.24.0 // indirect
+	golang.org/x/oauth2 v0.15.0 // indirect
+	golang.org/x/sync v0.5.0 // indirect
+	golang.org/x/sys v0.19.0 // indirect
+	golang.org/x/term v0.19.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/tools v0.16.1 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto v0.0.0-20240102182953-50ed04b92917 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 // indirect
+	google.golang.org/grpc v1.60.1 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/api v0.29.0 // indirect
+	k8s.io/apiserver v0.29.0 // indirect
+	k8s.io/component-base v0.29.0 // indirect
+	k8s.io/klog/v2 v2.110.1 // indirect
+	k8s.io/kms v0.29.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20240103051144-eec4567ac022 // indirect
+	k8s.io/utils v0.0.0-20240102154912-e7106e64919e // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 // indirect
+	sigs.k8s.io/controller-runtime v0.16.3 // indirect
+	sigs.k8s.io/gateway-api v1.0.0 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)
+
 // replace github.com/hpi-schul-cloud/infra-otc-cert-manager-webhook/otcdns => ../otcdns