feat: pod hardening (#207)

* chore: prepare release v0.2.0-beta.5

Signed-off-by: Lin Yang <reaver@flomesh.io>

* feat: pod hardening

Signed-off-by: Lin Yang <reaver@flomesh.io>

* ci: build both nonroot and debug-nonroot image for pipy

Signed-off-by: Lin Yang <reaver@flomesh.io>

* fix: pipy crash while codebase reloading

Signed-off-by: Lin Yang <reaver@flomesh.io>

* build: change base image of pipy

Signed-off-by: Lin Yang <reaver@flomesh.io>

* build: add env for GIN

Signed-off-by: Lin Yang <reaver@flomesh.io>

* fix: use timestamp as codebase version

Signed-off-by: Lin Yang <reaver@flomesh.io>

* fix: codebase version

Signed-off-by: Lin Yang <reaver@flomesh.io>

* Revert "fix: codebase version"

This reverts commit cd2f596.

* Revert "fix: use timestamp as codebase version"

This reverts commit 91eb4ac.

* fix: a typo

Signed-off-by: Lin Yang <reaver@flomesh.io>

* WIP: try to disable concurrent modify repo

Signed-off-by: Lin Yang <reaver@flomesh.io>

* Revert "WIP: try to disable concurrent modify repo"

This reverts commit be486c3.

* WIP: try to revert session sticky change

Signed-off-by: Lin Yang <reaver@flomesh.io>

* fix: exclude .DS_Store

Signed-off-by: Lin Yang <reaver@flomesh.io>

* refactor: adjust pod command and args

Signed-off-by: Lin Yang <reaver@flomesh.io>

* test: add samples

Signed-off-by: Lin Yang <reaver@flomesh.io>

* build: exclude .DS_Store when package scripts

Signed-off-by: Lin Yang <reaver@flomesh.io>

* Revert "WIP: try to revert session sticky change"

This reverts commit 3b68de4.

Signed-off-by: Lin Yang <reaver@flomesh.io>

# Conflicts:
#	charts/fsm/components/scripts.tar.gz
#	deploy/fsm-dev.yaml
#	deploy/fsm.yaml

* build: refine building pipy nonroot image

Signed-off-by: Lin Yang <reaver@flomesh.io>

* style: format code

Signed-off-by: Lin Yang <reaver@flomesh.io>

* build: change base image of pipy

Signed-off-by: Lin Yang <reaver@flomesh.io>

* feat: health checking port of ingress

Signed-off-by: Lin Yang <reaver@flomesh.io>

* chore: bump pipy to 0.90.0-rc1

Signed-off-by: Lin Yang <reaver@flomesh.io>

chore: bump pipy to 0.90.0-rc1

Signed-off-by: Lin Yang <reaver@flomesh.io>

chore: bump pipy to 0.90.0-rc1

Signed-off-by: Lin Yang <reaver@flomesh.io>

* fix: handle empty endpoints

Signed-off-by: Lin Yang <reaver@flomesh.io>

* test: testcases

Signed-off-by: Lin Yang <reaver@flomesh.io>

Signed-off-by: Lin Yang <reaver@flomesh.io>

.github/workflows/build-pipy.yml

@@ -12,6 +12,9 @@ jobs:
   build-pipy:
     name: Build pipy image
     runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        id: [ "nonroot", "debug-nonroot" ]
     steps:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2.1.0
@@ -36,7 +39,7 @@ jobs:
         with:
           images: flomesh/pipy
           tags: |
-            type=raw,${{ inputs.tag }}-nonroot
+            type=raw,${{ inputs.tag }}-${{ matrix.id }}
 
       - name: Build and Push
         uses: docker/build-push-action@v3.3.0
@@ -48,6 +51,6 @@ jobs:
           tags: ${{ steps.docker_meta.outputs.tags }}
           labels: ${{ steps.docker_meta.outputs.labels }}
           build-args: |
-            DISTROLESS_TAG=nonroot
+            DISTROLESS_TAG=${{ matrix.id }}
             PIPY_VERSION=${{ inputs.tag }}
           

Makefile

@@ -120,7 +120,7 @@ codegen: ## Generate ClientSet, Informer, Lister and Deepcopy code for Flomesh C
 
 .PHONY: package-scripts
 package-scripts: ## Tar all repo initializing scripts
-	tar -C $(CHART_COMPONENTS_DIR)/ -zcvf $(SCRIPTS_TAR) scripts/
+	tar -C $(CHART_COMPONENTS_DIR)/ --exclude='.DS_Store' -zcvf $(SCRIPTS_TAR) scripts/
 
 .PHONY: charts-tgz-rel
 charts-tgz-rel: helm

VERSION

@@ -1,4 +1,4 @@
-APP_VERSION=0.2.0-beta.4
-HELM_CHART_VERSION=0.2.0-beta.4
+APP_VERSION=0.2.0-beta.5
+HELM_CHART_VERSION=0.2.0-beta.5
 K8S_VERSION=1.25.5
 ENVTEST_K8S_VERSION=1.25

charts/fsm/Chart.yaml

@@ -18,13 +18,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0-beta.4
+version: 0.2.0-beta.5
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.2.0-beta.4"
+appVersion: "0.2.0-beta.5"
 
 keywords:
   - kubernetes

charts/fsm/components/scripts/ingress/plugins/balancer.js

@@ -44,7 +44,7 @@
         Object.entries(ingress.services).map(
           ([k, v]) =>(
             ((targets, balancer, balancerInst) => (
-              targets = v?.upstream?.endpoints?.map(ep => `${ep.ip}:${ep.port}`),
+              targets = v?.upstream?.endpoints?.map?.(ep => `${ep.ip}:${ep.port}`),
               v?.upstream?.sslCert?.ca && (
                 addUpstreamIssuingCA(v.upstream.sslCert.ca)
               ),

charts/fsm/components/scripts/ingress/plugins/default.js

@@ -24,11 +24,11 @@
 
 pipy()
   .pipeline()
-  .replaceMessage(
-    new Message({
-      "status": 404,
-      "headers": {
-        "Server": "pipy/0.70.0"
-      }
-    }, 'Service Not Found')
-  )
+    .replaceMessage(
+      new Message({
+        "status": 404,
+        "headers": {
+          "Server": "pipy/0.70.0"
+        }
+      }, 'Service Not Found')
+    )

charts/fsm/components/scripts/ingress/plugins/reject-http.js

@@ -38,38 +38,38 @@
   })
 
   .pipeline()
-  .handleMessageStart(
-    msg => (
-      ((host, hostname)  => (
-        host = msg.head.headers['host'],
-        hostname = host ? host.split(":")[0] : '',
+    .handleMessageStart(
+      msg => (
+        ((host, hostname)  => (
+          host = msg.head.headers['host'],
+          hostname = host ? host.split(":")[0] : '',
 
-        console.log("[reject-http] hostname", hostname),
-        console.log("[reject-http] __isTLS", __isTLS),
+          console.log("[reject-http] hostname", hostname),
+          console.log("[reject-http] __isTLS", __isTLS),
 
-        !__isTLS && (
-          _reject = (
-            Boolean(tlsDomains.find(domain => domain === hostname)) ||
-            Boolean(tlsWildcardDomains.find(domain => domain.test(hostname)))
-          )
-        ),
-        console.log("[reject-http] _reject", _reject)
-      ))()
+          !__isTLS && (
+            _reject = (
+              Boolean(tlsDomains.find(domain => domain === hostname)) ||
+              Boolean(tlsWildcardDomains.find(domain => domain.test(hostname)))
+            )
+          ),
+          console.log("[reject-http] _reject", _reject)
+        ))()
+      )
     )
-  )
-  .branch(
-    () => (_reject), (
-      $ => $
-        .replaceMessage(
-          new Message({
-            "status": 403,
-            "headers": {
-              "Server": "pipy/0.70.0"
-            }
-          }, 'Forbidden')
-        )
-    ), (
-      $=>$.chain()
+    .branch(
+      () => (_reject), (
+        $ => $
+          .replaceMessage(
+            new Message({
+              "status": 403,
+              "headers": {
+                "Server": "pipy/0.70.0"
+              }
+            }, 'Forbidden')
+          )
+      ), (
+        $=>$.chain()
+      )
     )
-  )
 )()

charts/fsm/components/scripts/ingress/plugins/router.js

@@ -35,28 +35,28 @@
 
   ) => pipy()
 
-    .import({
-      __route: 'main',
-    })
+  .import({
+    __route: 'main',
+  })
 
-    .pipeline()
-      .handleMessageStart(
-        msg => (
-          ((
-            r = router.find(
-              msg.head.headers.host,
-              msg.head.path,
-            )
-          ) => (
-            __route = r?.service,
-            r?.rewrite && (
-              msg.head.path = msg.head.path.replace(r.rewrite[0], r.rewrite[1])
-            ),
-            console.log('[router] Request Host: ', msg.head.headers['host']),
-            console.log('[router] Request Path: ', msg.head.path)
-          ))()
-        )
+  .pipeline()
+    .handleMessageStart(
+      msg => (
+        ((
+          r = router.find(
+            msg.head.headers.host,
+            msg.head.path,
+          )
+        ) => (
+          __route = r?.service,
+          r?.rewrite && (
+            msg.head.path = msg.head.path.replace(r.rewrite[0], r.rewrite[1])
+          ),
+          console.log('[router] Request Host: ', msg.head.headers['host']),
+          console.log('[router] Request Path: ', msg.head.path)
+        ))()
       )
-      .chain()
+    )
+    .chain()
 
 )()

charts/fsm/templates/egress-gateway-deployment.yaml

@@ -19,10 +19,16 @@ spec:
       labels:
         {{- include "fsm.egress-gateway.labels" . | nindent 8 }}
         {{- include "fsm.egress-gateway.selectorLabels" . | nindent 8 }}
+        {{- with .Values.fsm.egressGateway.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       annotations:
         prometheus.io/path: '/stats/prometheus'
         prometheus.io/port: '15010'
         prometheus.io/scrape: 'true'
+        {{- with .Values.fsm.egressGateway.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       containers:
       - name: pipy

charts/fsm/templates/ingress-class.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     {{- include "fsm.labels" . | nindent 4 }}
   annotations:
-    meta.flomesh.io/fsm-namespace: {{ include "fsm.namespace" . }}
+    meta.flomesh.io/namespace: {{ include "fsm.namespace" . }}
     meta.flomesh.io/ingress-pipy-svc: {{ .Values.fsm.ingress.service.name }}
 spec:
   controller: flomesh.io/ingress-pipy

charts/fsm/templates/ingress-pipy-deployment.yaml

@@ -1,5 +1,5 @@
 {{- if and .Values.fsm.ingress.enabled (semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion) }}
-{{- if not .Values.fsm.ingress.namespaced }}
+{{- if and (not .Values.fsm.ingress.namespaced) (or .Values.fsm.ingress.http.enabled .Values.fsm.ingress.tls.enabled) }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -20,10 +20,17 @@ spec:
     type: RollingUpdate
   template:
     metadata:
+      {{- with .Values.fsm.ingress.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       labels:
         {{- include "fsm.ingress-pipy.labels" . | nindent 8 }}
         {{- include "fsm.ingress-pipy.selectorLabels" . | nindent 8 }}
         ingress.flomesh.io/namespaced: {{ .Values.fsm.ingress.namespaced | quote }}
+        {{- with .Values.fsm.ingress.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       initContainers:
       - name: wait-manager
@@ -75,12 +82,12 @@ spec:
           initialDelaySeconds: 5
           timeoutSeconds: 5
           tcpSocket:
-            port: {{ .Values.fsm.ingress.http.containerPort }}
+            port: {{ include "fsm.ingress-pipy.heath.port" . }}
         readinessProbe:
           initialDelaySeconds: 5
           timeoutSeconds: 5
           tcpSocket:
-            port: {{ .Values.fsm.ingress.http.containerPort }}
+            port: {{ include "fsm.ingress-pipy.heath.port" . }}
       terminationGracePeriodSeconds: 60
       {{- with .Values.fsm.ingress.podSecurityContext }}
       securityContext:

charts/fsm/templates/ingress-pipy-service.yaml

@@ -1,5 +1,5 @@
 {{- if and .Values.fsm.ingress.enabled (semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion) }}
-{{- if not .Values.fsm.ingress.namespaced }}
+{{- if and (not .Values.fsm.ingress.namespaced) (or .Values.fsm.ingress.http.enabled .Values.fsm.ingress.tls.enabled) }}
 apiVersion: v1
 kind: Service
 metadata:

charts/fsm/templates/manager-deployment.yaml

@@ -12,9 +12,16 @@ spec:
       {{- include "fsm.manager.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      {{- with .Values.fsm.manager.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       labels:
         {{- include "fsm.manager.labels" . | nindent 8 }}
         {{- include "fsm.manager.selectorLabels" . | nindent 8 }}
+        {{- with .Values.fsm.manager.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       initContainers:
       - name: init

charts/fsm/templates/mesh-config-configmap.yaml

@@ -53,7 +53,7 @@ data:
         {{- else }}
         "manager": "archon",
         {{- end }}
-        "caBundleName": "{{ .Values.certManager.caBundleName }}",
+        "caBundleName": "{{ .Values.fsm.certificate.caBundleName }}",
         "caBundleNamespace": ""
       },
 

charts/fsm/templates/repo-deployment.yaml

@@ -13,9 +13,16 @@ spec:
       {{- include "fsm.repo.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      {{- with .Values.fsm.repo.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       labels:
         {{- include "fsm.repo.labels" . | nindent 8 }}
         {{- include "fsm.repo.selectorLabels" . | nindent 8 }}
+        {{- with .Values.fsm.repo.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       containers:
       - name: repo
@@ -25,10 +32,9 @@ spec:
         - name: repo
           containerPort: {{ .Values.fsm.services.repo.containerPort }}
         command:
-        - sh
-        - -c
-        - |
-          /usr/local/bin/pipy --admin-port={{ .Values.fsm.services.repo.port }}
+        - pipy
+        args:
+        - --admin-port={{ .Values.fsm.services.repo.containerPort }}
         resources:
           {{- toYaml .Values.fsm.repo.resources | nindent 10 }}
         env:

charts/fsm/values.schema.json

@@ -166,7 +166,7 @@
             },
             "tag": {
               "type": "string",
-              "default": "0.70.0-46",
+              "default": "0.90.0-rc1",
               "title": "The tag Schema"
             }
           }