
Commit 605291d

fix(Dockerfile): Allow non-priviledged docker. (#294)
This fixes #289. The HTTP and HTTPS ports can be configured via the operator settings. This configuration only affects the YAML generator; it has no impact on the running operator, whose ports are provided by Kestrel.
1 parent 58ea7d9 commit 605291d


5 files changed

+65
-50
lines changed


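--- a/src/KubeOps/Operator/Commands/Generators/DockerGenerator.cs
+++ b/src/KubeOps/Operator/Commands/Generators/DockerGenerator.cs
@@ -1,13 +1,26 @@
 using System.IO;
+using System.Linq;
 using System.Text;
 using System.Threading.Tasks;
+using KubeOps.Operator.Builder;
 using McMaster.Extensions.CommandLineUtils;
 
 namespace KubeOps.Operator.Commands.Generators
 {
 [Command("docker", Description = "Generates the docker file for building.")]
 internal class DockerGenerator : GeneratorBase
 {
+private readonly OperatorSettings _settings;
+private readonly bool _hasWebhooks;
+
+public DockerGenerator(IComponentRegistrar componentRegistrar, OperatorSettings settings)
+{
+_settings = settings;
+_hasWebhooks =
+componentRegistrar.ValidatorRegistrations.Any() ||
+componentRegistrar.MutatorRegistrations.Any();
+}
+
 [Option(
 "--dotnet-tag",
 Description = @"Defines the used dotnet docker image tag for the dockerfile (default: ""latest"").")]
@@ -50,9 +63,14 @@ RUN dotnet publish -c Release -o out {ProjectToBuild}
 
 # The runner for the application
 FROM mcr.microsoft.com/dotnet/aspnet:{DotnetImageTag} as final
-WORKDIR /operator
 
+RUN addgroup k8s-operator && useradd -G k8s-operator operator-user
+
+WORKDIR /operator
 COPY --from=build /operator/out/ ./
+RUN chown operator-user:k8s-operator -R .
+
+USER operator-user
 
 ENTRYPOINT [ ""dotnet"", ""{TargetFile}"" ]
 ";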
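Review bot: In the second hunk, `RUN chown operator-user:k8s-operator -R .` runs after the COPY, which duplicates the published output in a second image layer and, more importantly, leaves the application files writable by the very account the container runs as, so switching to a non-root user gains no protection against the process modifying its own binaries. Prefer leaving the files root-owned (they are already readable) so the runtime user cannot alter them, or, if the operator genuinely writes to its working directory, use `COPY --from=build --chown=operator-user:k8s-operator /operator/out/ ./` to avoid the extra layer. `useradd -G k8s-operator operator-user` makes `k8s-operator` only a supplementary group; `useradd -r -g k8s-operator operator-user` would make a system account with that primary group and state the intent explicitly. The constructor in the first hunk stores `_settings` and `_hasWebhooks`, but neither is read in the visible hunks; if the rest of the file does not use them they should be dropped. The string template that hunk two belongs to begins outside the hunk.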

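--- a/src/KubeOps/Operator/Commands/Generators/OperatorGenerator.cs
+++ b/src/KubeOps/Operator/Commands/Generators/OperatorGenerator.cs
@@ -47,39 +47,35 @@ public async Task<int> OnExecuteAsync(CommandLineApplication app)
 _serializer.Serialize(
 new KustomizationConfig
 {
-Resources = new List<string>
-{
-$"deployment.{Format.ToString().ToLower()}",
-},
-CommonLabels = new Dictionary<string, string>
-{
-{ "operator-element", "operator-instance" },
-},
+Resources = new List<string> { $"deployment.{Format.ToString().ToLower()}", },
+CommonLabels = new Dictionary<string, string> { { "operator-element", "operator-instance" }, },
 ConfigMapGenerator = _hasWebhooks
 ? new List<KustomizationConfigMapGenerator>
 {
+new() { Name = "webhook-ca", Files = new List<string> { "ca.pem", "ca-key.pem", }, },
 new()
 {
-Name = "webhook-ca",
-Files = new List<string>
+Name = "webhook-config",
+Literals = new List<string>
 {
-"ca.pem",
-"ca-key.pem",
+$"KESTREL__ENDPOINTS__HTTP__URL=http://0.0.0.0:{_settings.HttpPort}",
+$"KESTREL__ENDPOINTS__HTTPS__URL=https://0.0.0.0:{_settings.HttpsPort}",
+"KESTREL__ENDPOINTS__HTTPS__CERTIFICATE__PATH=/certs/server.pem",
+"KESTREL__ENDPOINTS__HTTPS__CERTIFICATE__KEYPATH=/certs/server-key.pem",
 },
 },
+}
+: new List<KustomizationConfigMapGenerator>
+{
 new()
 {
 Name = "webhook-config",
 Literals = new List<string>
 {
-"KESTREL__ENDPOINTS__HTTP__URL=http://0.0.0.0:80",
-"KESTREL__ENDPOINTS__HTTPS__URL=https://0.0.0.0:443",
-"KESTREL__ENDPOINTS__HTTPS__CERTIFICATE__PATH=/certs/server.pem",
-"KESTREL__ENDPOINTS__HTTPS__CERTIFICATE__KEYPATH=/certs/server-key.pem",
+$"KESTREL__ENDPOINTS__HTTP__URL=http://0.0.0.0:{_settings.HttpPort}",
 },
 },
-}
-: null,
+},
 },
 Format));
 
@@ -109,11 +105,7 @@ public async Task<int> OnExecuteAsync(CommandLineApplication app)
 ? null
 : new List<V1Volume>
 {
-new()
-{
-Name = "certificates",
-EmptyDir = new(),
-},
+new() { Name = "certificates", EmptyDir = new(), },
 new()
 {
 Name = "ca-certificates",
@@ -128,11 +120,7 @@ public async Task<int> OnExecuteAsync(CommandLineApplication app)
 {
 Image = "operator",
 Name = "webhook-installer",
-Args = new[]
-{
-"webhooks",
-"install",
-},
+Args = new[] { "webhooks", "install", },
 Env = new List<V1EnvVar>
 {
 new()
@@ -149,11 +137,7 @@ public async Task<int> OnExecuteAsync(CommandLineApplication app)
 },
 VolumeMounts = new List<V1VolumeMount>
 {
-new()
-{
-Name = "certificates",
-MountPath = "/certs",
-},
+new() { Name = "certificates", MountPath = "/certs", },
 new()
 {
 Name = "ca-certificates",
@@ -183,15 +167,10 @@ public async Task<int> OnExecuteAsync(CommandLineApplication app)
 },
 },
 },
-EnvFrom = !_hasWebhooks
-? null
-: new List<V1EnvFromSource>
-{
-new()
-{
-ConfigMapRef = new() { Name = "webhook-config" },
-},
-},
+EnvFrom = new List<V1EnvFromSource>
+{
+new() { ConfigMapRef = new() { Name = "webhook-config" } },
+},
 VolumeMounts = !_hasWebhooks
 ? null
 : new List<V1VolumeMount>
@@ -203,11 +182,13 @@ public async Task<int> OnExecuteAsync(CommandLineApplication app)
 ReadOnlyProperty = true,
 },
 },
-Ports = new List<V1ContainerPort>
-{
-new(80, name: "http"),
-new(443, name: "https"),
-},
+Ports = _hasWebhooks
+? new List<V1ContainerPort>
+{
+new(_settings.HttpPort, name: "http"),
+new(_settings.HttpsPort, name: "https"),
+}
+: new List<V1ContainerPort> { new(_settings.HttpPort, name: "http"), },
 LivenessProbe = new V1Probe(
 timeoutSeconds: 1,
 initialDelaySeconds: 30,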
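Review bot: In the first hunk (@@ -47,39 +47,35) the `webhook-config` ConfigMap generator is written out twice, once per branch of the `_hasWebhooks` ternary, and the two copies will drift — the EnvFrom in the fifth hunk now references `webhook-config` unconditionally, so both copies have to stay in step with it and with each other. Build the literal list once, append the HTTPS and certificate entries only when `_hasWebhooks`, and add `webhook-ca` to the generator list under the same condition, as sketched below. `_settings` is read in these hunks but declared in none of them, so the field and its constructor injection presumably live elsewhere in the file. The `LivenessProbe` that starts at the end of the last hunk is cut off; if it still probes a fixed port it should follow `_settings.HttpPort` as well. OnExecuteAsync begins and ends outside these hunks.
```csharp
var webhookConfigLiterals = new List<string>
{
    $"KESTREL__ENDPOINTS__HTTP__URL=http://0.0.0.0:{_settings.HttpPort}",
};
var configMapGenerators = new List<KustomizationConfigMapGenerator>();
if (_hasWebhooks)
{
    webhookConfigLiterals.Add($"KESTREL__ENDPOINTS__HTTPS__URL=https://0.0.0.0:{_settings.HttpsPort}");
    webhookConfigLiterals.Add("KESTREL__ENDPOINTS__HTTPS__CERTIFICATE__PATH=/certs/server.pem");
    webhookConfigLiterals.Add("KESTREL__ENDPOINTS__HTTPS__CERTIFICATE__KEYPATH=/certs/server-key.pem");
    configMapGenerators.Add(new() { Name = "webhook-ca", Files = new List<string> { "ca.pem", "ca-key.pem", }, });
}
configMapGenerators.Add(new() { Name = "webhook-config", Literals = webhookConfigLiterals, });

_serializer.Serialize(
    new KustomizationConfig
    {
        // … unchanged: Resources, CommonLabels …
        ConfigMapGenerator = configMapGenerators,
    },
    Format);
```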

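--- a/src/KubeOps/Operator/OperatorSettings.cs
+++ b/src/KubeOps/Operator/OperatorSettings.cs
@@ -142,6 +142,22 @@ public sealed class OperatorSettings
 /// </summary>
 public bool EnableAssemblyScanning { get; set; } = true;
 
+/// <summary>
+/// The configured http port that the operator should run
+/// on Kubernetes. This has no direct impact on the startup call in `Program.cs`,
+/// but on the generated yaml files of the operator. This setting modifies
+/// the environment variable "KESTREL__ENDPOINTS__HTTP__URL" in the yaml file.
+/// </summary>
+public short HttpPort { get; set; } = 5000;
+
+/// <summary>
+/// The configured https port that the operator should run
+/// on Kubernetes. This has no direct impact on the startup call in `Program.cs`,
+/// but on the generated yaml files of the operator. This setting modifies
+/// the environment variable "KESTREL__ENDPOINTS__HTTPS__URL" in the yaml file.
+/// </summary>
+public short HttpsPort { get; set; } = 5001;
+
 internal JsonSerializerSettings SerializerSettings { get; } = new()
 {
 DateFormatHandling = DateFormatHandling.IsoDateFormat,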
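Review bot: `HttpPort` and `HttpsPort` are declared as `short`, which cannot represent ports 32768–65535 even though a container port may use that range and the `V1ContainerPort` constructor they feed in OperatorGenerator takes an `int`; declare them as `public int HttpPort { get; set; } = 5000;` and `public int HttpsPort { get; set; } = 5001;` (or `ushort`) and reject values outside 1–65535 where the settings are consumed. The two summaries should also state the constraint the new defaults were chosen for, e.g. `/// Values below 1024 typically cannot be bound by the non-root user the generated Dockerfile runs as.`, since the ports are otherwise free to be set back to 80/443 and the pod will then fail at bind time. The hunk sits inside `OperatorSettings`, whose class body begins and ends outside it.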

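--- a/tests/KubeOps.TestOperator/KubeOps.TestOperator.csproj
+++ b/tests/KubeOps.TestOperator/KubeOps.TestOperator.csproj
@@ -9,7 +9,7 @@
 <IsPackable>false</IsPackable>
 </PropertyGroup>
 
-<!--<Import Project="..\..\src\KubeOps\Build\KubeOps.targets"/>-->
+<!-- <Import Project="..\..\src\KubeOps\Build\KubeOps.targets"/>-->
 
 <ItemGroup>
 <ProjectReference Include="..\..\src\KubeOps\KubeOps.csproj" />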

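--- a/tests/KubeOps.TestOperator/Startup.cs
+++ b/tests/KubeOps.TestOperator/Startup.cs
@@ -9,7 +9,7 @@ public class Startup
 {
 public void ConfigureServices(IServiceCollection services)
 {
-services.AddKubernetesOperator(s => s.EnableLeaderElection = false).AddWebhookLocaltunnel();
+services.AddKubernetesOperator(s => s.EnableLeaderElection = false);//.AddWebhookLocaltunnel();
 services.AddTransient<IManager, TestManager.TestManager>();
 }
 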
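Review bot: The changed line in ConfigureServices leaves `//.AddWebhookLocaltunnel();` as trailing commented-out code; delete it so the line reads `services.AddKubernetesOperator(s => s.EnableLeaderElection = false);`, since version control already records the previous registration. If the localtunnel hookup is meant to be re-enabled for local development, a comment is easy to forget and silently changes what the test operator exercises; a configuration flag or a short `// NOTE:` stating why it is disabled would make the intent visible. The commit description does not mention this change, so it is worth a sentence there as well.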