From 59c0340f20561c8923b5b5f1fbc8b3712a6ec6ab Mon Sep 17 00:00:00 2001
From: Gabriel Bernal
Date: Thu, 19 Dec 2024 13:57:31 +0100
Subject: [PATCH] fix local development documentation and setup
Signed-off-by: Gabriel Bernal
---
Dockerfile.dev | 35 +++++++++++++++++++++++++++++++++++
Makefile | 6 +++---
README.md | 8 +++++++-
config/manager/manager.yaml | 8 +-------
4 files changed, 46 insertions(+), 11 deletions(-)
create mode 100644 Dockerfile.dev
diff --git a/Dockerfile.dev b/Dockerfile.dev
new file mode 100644
index 0000000..bd217d3
--- /dev/null
+++ b/Dockerfile.dev
@@ -0,0 +1,35 @@
+# Build the manager binary
+FROM golang:1.23 as builder
+ARG TARGETOS
+ARG TARGETARCH
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY main.go main.go
+COPY api/ api/
+COPY controllers/ controllers/
+COPY internal/ internal/
+
+# Build
+# the GOARCH has not a default value to allow the binary be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager main.go
+
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+
+COPY --from=builder /workspace/manager .
+COPY --chown=nobody:nobody LICENSE /LICENSE
+
+USER 65532:65532
+
+ENTRYPOINT ["/manager"]
diff --git a/Makefile b/Makefile
index 819387d..0b8faf6 100644
--- a/Makefile
+++ b/Makefile
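Review bot: Both `FROM` lines in Dockerfile.dev reference mutable tags (`golang:1.23` and `gcr.io/distroless/static:nonroot`), so the image that `make image-build` now produces, and that the README tells users to push, can change between builds without any change in this repository. Pinning each base by digest, for example `FROM golang:1.23@sha256:<digest-placeholder> AS builder`, makes the build reproducible and makes a base-image change visible in review. The stage keyword is also written in lowercase (`as builder`), which BuildKit's build checks flag; `AS` matches the casing of `FROM`.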
@@ -150,8 +150,8 @@ run: manifests generate fmt vet ## Run a controller from your host. # (i.e. docker build --platform linux/arm64 ). However, you must enable docker buildKit for it. # More info: https://docs.docker.com/develop/develop-images/build_enhancements/ .PHONY: image-build -image-build: test ## Build docker image with the manager. - ${CONTAINER_RUNTIME} build -t ${IMG} . +image-build: build test ## Build docker image with the manager. + ${CONTAINER_RUNTIME} build -f Dockerfile.dev -t ${IMG} . .PHONY: image-push image-push: ## Push docker image with the manager. @@ -326,7 +326,7 @@ endef generate-goreleaser: go run ./scripts/generate-goreleaser/generate-goreleaser.go -## Cross build binaries for all platforms (Use "make build" in development) +## Cross build binaries for all platforms (Use "make image-build" in development) .PHONY: cross-build cross-build: generate-goreleaser manifests generate fmt vet ## Cross build binaries for all platforms (Use "make build" in development) goreleaser release --snapshot --clean diff --git a/README.md b/README.md index c932c89..162ff1f 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ kubectl apply -k config/samples 3. Build and push your image to the location specified by `IMG`: ```sh -make docker-build docker-push IMG=/perses-operator:tag +make image-build image-push IMG=/perses-operator:tag ``` 4. Deploy the controller to the cluster with the image specified by `IMG`: @@ -32,6 +32,12 @@ make docker-build docker-push IMG=/perses-operator:tag make deploy IMG=/perses-operator:tag ``` +6. Access the Perses UI at `http://localhost:8080` + +```sh +kubectl port-forward svc/perses-sample 8080:8080 +``` + ### Uninstall CRDs To delete the CRDs from the cluster: diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index a9c33a7..79a5874 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml 
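Review bot: In the Makefile `image-build` target, the new `build` prerequisite looks redundant with `-f Dockerfile.dev`, because that Dockerfile compiles `manager` inside its builder stage from the copied sources and never copies a host-built binary. Unless `build` is needed for a side effect such as code generation (its recipe is not visible in this hunk), keeping the rule as `image-build: test` would avoid requiring a host Go toolchain and a second compile before every image build. If the prerequisite is intentional, a short comment such as `# build: regenerates code that Dockerfile.dev copies` would record why.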
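Review bot: In the second Makefile hunk the `##` text on the `cross-build:` target line still reads `(Use "make build" in development)`, while the comment directly above it now says `make image-build`. If the `##` text is what the help target prints (an assumption, since the help rule is outside this hunk), users will still see the old advice. Changing the target line to end in `## Cross build binaries for all platforms (Use "make image-build" in development)` keeps the two in step.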
@@ -58,19 +58,13 @@ spec: # - linux securityContext: runAsNonRoot: true - # TODO(user): For common cases that do not require escalating privileges - # it is recommended to ensure that all your Pods/Containers are restrictive. - # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - # Please uncomment the following code if your project does NOT have to work on old Kubernetes - # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). - # seccompProfile: - # type: RuntimeDefault containers: - command: - /manager args: - --leader-elect image: controller:latest + imagePullPolicy: Always name: manager securityContext: allowPrivilegeEscalation: false
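Review bot: The pod-level `securityContext` ends up with only `runAsNonRoot: true`, because the hunk deletes the commented-out `seccompProfile` block and its pointer to the restricted Pod Security Standard instead of enabling it. I would add `seccompProfile:` with `type: RuntimeDefault` under that `securityContext`, which the restricted profile requires, unless clusters older than the versions named in the removed comment must still be supported. Separately, `imagePullPolicy: Always` is added next to `image: controller:latest` in the shared manager manifest rather than in a development-only overlay, so, unless the deploy step rewrites the image reference, every deployment built from this base re-resolves a mutable tag on each pod start; referencing the image by digest for non-development installs would avoid that. The surrounding `spec` begins and ends outside the hunk.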