Merge pull request #3 from panubo/k8s_nonroot_upgrade
Upgrade to support a Kubernetes nginx deployment and run as non-root
Showing
20 changed files
with
239 additions
and
60 deletions.
@@ -0,0 +1,6 @@ | ||
[submodule "tests/test_helpers/bats-support"] | ||
path = tests/test_helpers/bats-support | ||
url = https://github.com/bats-core/bats-support.git | ||
[submodule "tests/test_helpers/bats-assert"] | ||
path = tests/test_helpers/bats-assert | ||
url = https://github.com/bats-core/bats-assert.git |
@@ -0,0 +1,27 @@ | ||
#!/usr/bin/env bash | ||
|
||
# This script will copy the nginx config and html content to /volume then run | ||
# the normal renderers. This is used in an initContainer in a Kubernetes pod. | ||
# The /volume mount should then be mounted into the main container as | ||
# readOnly mounts and using `k8s-nginx` as the command. | ||
|
||
K8S_VOLUME_PATH="${K8S_VOLUME_PATH:=/volume}" | ||
|
||
source /panubo-functions.sh | ||
|
||
set -euo pipefail | ||
IFS=$'\n\t' | ||
|
||
[[ "${DEBUG:-}" == 'true' ]] && set -x | ||
|
||
mkdir "${K8S_VOLUME_PATH}/config" | ||
mkdir "${K8S_VOLUME_PATH}/content" | ||
|
||
cp -a /etc/nginx/http.d "${K8S_VOLUME_PATH}/config" | ||
cp -a "${NGINX_SERVER_ROOT}" "${K8S_VOLUME_PATH}/content" | ||
|
||
export OLD_NGINX_SERVER_ROOT="${NGINX_SERVER_ROOT}" | ||
export NGINX_SERVER_ROOT=${K8S_VOLUME_PATH}/content/html | ||
/templater.sh | ||
|
||
render_templates "${K8S_VOLUME_PATH}/config/http.d/default.conf.tmpl" |
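Review bot: The two `mkdir` calls are not idempotent, and under `set -e` a second run against a volume that already holds `config` and `content` aborts the script before anything is copied. Kubernetes may re-run an init container while the pod's volume persists, so `mkdir -p "${K8S_VOLUME_PATH}/config" "${K8S_VOLUME_PATH}/content"` is the safer form. Separately, the new `NGINX_SERVER_ROOT` hard-codes `content/html`, which matches what `cp -a` produced only when the last path component of the original root is `html`. Using `export NGINX_SERVER_ROOT="${K8S_VOLUME_PATH}/content/$(basename "${OLD_NGINX_SERVER_ROOT}")"` would follow the copied directory and also quote the expansion.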
@@ -0,0 +1,3 @@ | ||
window._env_ = { | ||
"hostname": "{{ env.Getenv "HOSTNAME" }}", | ||
} |
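Review bot: The environment value is written straight into a JavaScript string literal, so a value containing `"`, `\` or a newline yields broken or unintended script in the served file. `HOSTNAME` is normally set by the platform, but this template is the pattern that gets copied for other variables, so it should encode the value rather than wrap it in hand-written quotes. If the renderer is gomplate (which `env.Getenv` suggests), `"hostname": {{ env.Getenv "HOSTNAME" | data.ToJSON }},` emits an escaped, already-quoted string. The same applies to the identical template in the next file section.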
@@ -0,0 +1,3 @@ | ||
window._env_ = { | ||
"hostname": "{{ env.Getenv "HOSTNAME" }}", | ||
} |
@@ -0,0 +1,56 @@ | ||
load test_helpers/bats-support/load | ||
load test_helpers/bats-assert/load | ||
load functions.bash | ||
# load setup.bash | ||
|
||
setup_file() { | ||
# Disable parallel execution in this file | ||
export BATS_NO_PARALLELIZE_WITHIN_FILE=true | ||
|
||
docker_volume="$(docker volume create)" | ||
|
||
export docker_volume | ||
} | ||
|
||
teardown_file() { | ||
docker volume rm -f "${docker_volume}" || true | ||
} | ||
|
||
@test "k8s-init" { | ||
# Fix volume permissions to match K8s behaviour | ||
docker run --rm -v "${docker_volume}:/volume" busybox install -d -o root -g 2000 -m 2775 /volume | ||
|
||
# Run k8s-init - content and config should be copied to the volume | ||
docker run --rm -v "${docker_volume}:/volume" --group-add 2000 panubo/staticsite-testsite:1 k8s-init | ||
|
||
# Print the content of the volume | ||
run docker run --rm -v "${docker_volume}:/volume" busybox sh -c 'find /volume | sort' | ||
|
||
# diag "${output}" | ||
assert_line '/volume/config/http.d/default.conf' | ||
assert_line '/volume/content/html/env-config.js' | ||
assert_line '/volume/content/html/env-config2.js' | ||
|
||
# assert_output --regexp '/volume/config/http\.d/default\.conf[^.]' | ||
# assert_output --regexp '/volume/content/html/env-config\.js[^.]' | ||
# assert_output --regexp '/volume/content/html/env-config2\.js[^.]' | ||
} | ||
|
||
@test "k8s-nginx" { | ||
# This test isn't possible with docker since your cannot mount a subPath | ||
# from a docker volume. eg `-v "$ | ||
# {docker_volume}/config/http.d:/etc/nginx/http.d:ro` (or whatever the | ||
# syntax will be if implemented in docker). | ||
skip "Unable to implement with docker, missing subPath support" | ||
|
||
container="$(docker run -d -v "${docker_volume}:/volume:ro" --group-add 2000 -p 8080 panubo/staticsite-testsite:1 k8s-nginx)" | ||
container_ip="$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' ${container})" | ||
container_http_port="$(docker inspect --format '{{(index (index .NetworkSettings.Ports "8080/tcp") 0).HostPort}}' ${container} || { docker logs ${container} >&3 2>&3; return 1; })" | ||
( wait_http "http://127.0.0.1:${container_http_port}"; ) | ||
|
||
run curl -sSf http://127.0.0.1:${container_http_port} | ||
|
||
docker rm -f "${container}" || true | ||
|
||
assert_success | ||
} |
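Review bot: Neither `docker run` of `k8s-init` or `k8s-nginx` pins a user, so these tests exercise the non-root path only if the image itself declares a non-root `USER`, which is not visible here. Since the commit's stated goal is running as non-root, passing an explicit `--user <non-root-uid>` alongside `--group-add 2000` (and `--read-only` if the deployment uses a read-only root filesystem) would make the test fail as soon as an entrypoint starts needing root. In the skipped `k8s-nginx` test, `${container}` on the two `docker inspect` lines and the `curl` URL are unquoted. There, `docker rm -f "${container}"` is also never reached when an earlier command fails, so the cleanup belongs in a `teardown` function.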