Merge pull request #22 from IBM/webhook-mount

Introduce functions to prevent containers from mounting to host socket file and to modify the image name of the sidecar

.travis.yml

@@ -1,8 +1,8 @@
 # .travis.yml
 language: go
 go:
-- "1.12"
-  
+- "1.14"
+
 branches:
   - master
 
@@ -15,7 +15,7 @@ env:
 
 # avoid issues in travis with ssh / https acccess
 before_script:
-  - git config --global url."git@github.ibm.com:".insteadOf "https://github.ibm.com/"
+  - git config --global url."git@github.com:".insteadOf "https://github.com/"
 
 after_success:
 # docker login is required if you want to push docker images.

build

@@ -1,6 +1,6 @@
 dep ensure
 CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o ti-webhook .
 if [ $? -ne 0 ]; then exit 1 ; fi
-docker build --no-cache -t trustedseriviceidentity/ti-webhook:v1.2 .
+docker build --no-cache -t trustedseriviceidentity/ti-webhook:v1.3 .
 
-docker push trustedseriviceidentity/ti-webhook:v1.2
+docker push trustedseriviceidentity/ti-webhook:v1.3

charts/ti-key-release-1/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 description: A Helm chart for deployment of TI-KeyRelease
 name: ti-key-release-1
-version: 1.2.0
+version: 1.3.0
 home: https://github.com/IBM/trusted-service-identity
 maintainers:
   - name: Brandon Lum

charts/ti-key-release-1/templates/configmap/mutatingwebhook.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     app: tsi-mutate
 webhooks:
-  - name: tsi-mutate.morven.me
+  - name: tsi-mutate.trusted-service-identity.ibm
     clientConfig:
       service:
         name: tsi-mutate-webhook-svc

charts/ti-key-release-1/templates/configmap/tsi-mutate-configmap.yaml

@@ -30,8 +30,8 @@ data:
           - name: pod-metadata
             mountPath: /pod-metadata
             readOnly: true
-          - name: host-etc
-            mountPath: /host/etc
+          - name: host-machineid
+            mountPath: /host/machineid
             readOnly: true
       volumes:
         - name: tsi-secrets
@@ -42,11 +42,11 @@ data:
              path: /tsi-secure/sockets
              # directory must exist
              type: Directory
-        - name: host-etc
+        - name: host-machineid
           hostPath:
             # directory location on host
-             path: /etc
-             type: Directory
+             path: /etc/machine-id
+             type: File
         - name: pod-metadata
           downwardAPI:
             items:

charts/ti-key-release-1/values.yaml

@@ -6,7 +6,7 @@
 namespace: trusted-identity
 
 # version of ti-components
-tiVersion: v1.2
+tiVersion: v1.3
 
 # target docker repo
 tiRepo: trustedseriviceidentity

charts/ti-key-release-2/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 description: A Helm chart for deployment of TI-KeyRelease
 name: ti-key-release-2
-version: 1.2.0
+version: 1.3.0
 home: https://github.com/IBM/trusted-service-identity
 maintainers:
   - name: Brandon Lum

charts/ti-key-release-2/requirements.yaml

@@ -1,4 +1,4 @@
 dependencies:
   - name: ti-key-release-1
-    version: 1.2.0
+    version: 1.3.0
     repository: "file://../ti-key-release-1"

charts/ti-key-release-2/values.yaml

@@ -6,7 +6,7 @@
 # cannot use the value from `ti-key-release-1`
 # parsing problem:
 #    `error converting YAML to JSON`
-tiVersion: v1.2
+tiVersion: v1.3
 
 # target docker repo
 tiRepo: trustedseriviceidentity

charts/ti-setup/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 description: A Helm chart for deployment of TI-KeyRelease
 name: ti-setup
-version: 1.2.0
+version: 1.3.0
 home: https://github.com/IBM/trusted-service-identity
 maintainers:
   - name: Brandon Lum

charts/tsi-node-setup/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for setting up TSI nodes
 name: tsi-node-setup
-version: 1.2.0
+version: 1.3.0
 home: https://github.com/IBM/trusted-service-identity
 maintainers:
   - name: Brandon Lum

charts/tsi-node-setup/values.yaml

@@ -6,7 +6,7 @@
 namespace: trusted-identity
 
 # version of TSI components
-tsiVersion: v1.2
+tsiVersion: v1.3
 
 # target docker repo
 tsiRepo: trustedseriviceidentity

components/jss/Makefile

@@ -5,9 +5,9 @@ BINARY_NAME_PUB="jss-server-pub"
 BINARY_NAME_PRIV="jss-server-priv"
 REPO ?= trustedseriviceidentity
 IMAGE_PUB := $(REPO)/$(BINARY_NAME_PUB):$(GIT_COMMIT_SHA)
-MUTABLE_IMAGE_PUB := $(REPO)/$(BINARY_NAME_PUB):v1.2
+MUTABLE_IMAGE_PUB := $(REPO)/$(BINARY_NAME_PUB):v1.3
 IMAGE_PRIV := $(REPO)/$(BINARY_NAME_PRIV):$(GIT_COMMIT_SHA)
-MUTABLE_IMAGE_PRIV := $(REPO)/$(BINARY_NAME_PRIV):v1.2
+MUTABLE_IMAGE_PRIV := $(REPO)/$(BINARY_NAME_PRIV):v1.3
 
 all: docker docker-push timestamp
 

components/jwt-sidecar/Makefile

@@ -4,7 +4,7 @@ BUILD_DATE="$(shell date -u +"%Y-%m-%dT%H:%M:%SZ")"
 BINARY_NAME="ti-jwt-sidecar"
 REPO ?= trustedseriviceidentity
 IMAGE := $(REPO)/$(BINARY_NAME):$(GIT_COMMIT_SHA)
-MUTABLE_IMAGE := $(REPO)/$(BINARY_NAME):v1.2
+MUTABLE_IMAGE := $(REPO)/$(BINARY_NAME):v1.3
 
 all: docker docker-push timestamp
 

components/jwt-sidecar/execute-get-token.sh

@@ -15,7 +15,7 @@ while true
   echo -n "images=$(cat /pod-metadata/ti-images | sha256sum | awk '{print $1}')&" >> /tmp/claims
   echo -n "cluster-name=$(cat /pod-metadata/ti-cluster-name)&" >> /tmp/claims
   echo -n "cluster-region=$(cat /pod-metadata/ti-cluster-region)&" >> /tmp/claims
-  echo -n "machineid=$(cat /host/etc/machine-id)" >> /tmp/claims
+  echo -n "machineid=$(cat /host/machineid)" >> /tmp/claims
 
   curl --unix-socket ${SOCKETFILE} http://localhost/getJWT?"$(cat /tmp/claims)" > /jwt/token
   # make the wait 5 seconds shorter than JWT TTL

components/node-setup/Makefile

@@ -4,7 +4,7 @@ BUILD_DATE="$(shell date -u +"%Y-%m-%dT%H:%M:%SZ")"
 BINARY_NAME="node-setup"
 REPO ?= trustedseriviceidentity
 IMAGE := $(REPO)/$(BINARY_NAME):$(GIT_COMMIT_SHA)
-MUTABLE_IMAGE := $(REPO)/$(BINARY_NAME):v1.2
+MUTABLE_IMAGE := $(REPO)/$(BINARY_NAME):v1.3
 
 all: docker docker-push timestamp
 

components/vtpm2-server/Makefile

@@ -4,7 +4,7 @@ BUILD_DATE="$(shell date -u +"%Y-%m-%dT%H:%M:%SZ")"
 BINARY_NAME="vtpm2-server"
 REPO ?= trustedseriviceidentity
 IMAGE := $(REPO)/$(BINARY_NAME):$(GIT_COMMIT_SHA)
-MUTABLE_IMAGE := $(REPO)/$(BINARY_NAME):v1.2
+MUTABLE_IMAGE := $(REPO)/$(BINARY_NAME):v1.3
 
 all: docker docker-push timestamp
 

components/vtpm2-server/vtpm2-server.yaml

@@ -15,7 +15,7 @@ spec:
       containers:
         - name: vtpm2-server-pub
           #image: {{ .Values.tiRepo }}/{{ index .Values "ti-key-release-1" "jssService" "type" }}:{{ .Values.tiVersion }}
-          image: trustedseriviceidentity/vtpm2-server:v1.2
+          image: trustedseriviceidentity/vtpm2-server:v1.3
           imagePullPolicy: Always
           env:
             - name: ISS

deployment/configmap.yaml

@@ -6,7 +6,7 @@ data:
   tsiMutateConfig.yaml: |
       initContainers:
       - name: gen-vault-cert
-        image: trustedseriviceidentity/ti-gen-vault-cert:v1.2
+        image: trustedseriviceidentity/ti-gen-vault-cert:v1.3
         imagePullSecrets:
         - name: regcred
         imagePullPolicy: Always

deployment/deployment.yaml

@@ -17,7 +17,7 @@ spec:
       serviceAccountName: ti-sa
       containers:
         - name: tsi-mutate
-          image: trustedseriviceidentity/ti-webhook:v1.2
+          image: trustedseriviceidentity/ti-webhook:v1.3
           imagePullPolicy: Always
           args:
             - -tsiMutateConfigFile=/etc/webhook/config/tsiMutateConfig.yaml

deployment/mutatingwebhook.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     app: tsi-mutate
 webhooks:
-  - name: tsi-mutate.morven.me
+  - name: tsi-mutate.trusted-service-identity.ibm
     clientConfig:
       service:
         name: tsi-mutate-webhook-svc

examples/myubuntuErr1.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: myubuntu
+  name: myubuntu
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: myubuntu
+  template:
+    metadata:
+      annotations:
+        admission.trusted.identity/inject: "false"
+        tsi.secrets: |
+             - tsi.secret/name: "mysecret1"
+               tsi.secret/role: "demo"
+               tsi.secret/vault-path: "secret/ti-demo-all"
+               tsi.secret/local-name: "mysecrets/myubuntu-mysecret1"
+      labels:
+        app: myubuntu
+      name: myubuntu
+    spec:
+      containers:
+        - name: myubuntu
+          image: ubuntu@sha256:250cc6f3f3ffc5cdaa9d8f4946ac79821aafb4d3afc93928f0de9336eba21aa4
+          imagePullPolicy: Always
+          command: [ "/bin/bash", "-c", "--" ]
+          args: [ "while true; do cat /mydata; sleep 5; done;" ]
+          volumeMounts:
+          - mountPath: /host/etc
+            name: host-etc
+          - mountPath: /host/sockets
+            name: tsi-sockets
+          - mountPath: /host/secrets
+            name: tsi-secrets
+      volumes:
+      - emptyDir: {}
+        name: tsi-secrets
+      - hostPath:
+          path: /tsi-secure/sockets
+          type: Directory
+        name: tsi-sockets
+      - hostPath:
+          path: /etc
+          type: Directory
+        name: host-etc

makefile

@@ -7,13 +7,15 @@ BUILD_DATE=$(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
 BINARY_NAME=ti-webhook
 REPO ?= trustedseriviceidentity
 IMAGE := $(REPO)/$(BINARY_NAME):$(GIT_COMMIT_SHA)
-MUTABLE_IMAGE := $(REPO)/$(BINARY_NAME):v1.2
+MUTABLE_IMAGE := $(REPO)/$(BINARY_NAME):v1.3
 GOARCH=$(shell go env GOARCH)
 
-.PHONY: all test-deps build-deps fmt vet lint get-deps test build docker docker-push dep
+.PHONY: all fast test-deps build-deps fmt vet lint get-deps test build docker docker-push dep
 
 all: dep get-deps fmt test build docker timestamp
 
+fast: test build docker docker-push timestamp
+
 dep:
 	go mod tidy
 
@@ -46,7 +48,7 @@ build-deps: dep
 	go mod vendor
 
 fmt:
-	@if [ -n "$$(gofmt -l ${GOFILES})" ]; then echo 'Please run gofmt -l -w $GOFILES on your code.' && exit 1; fi
+	@if [ -n "$$(gofmt -l ${GOFILES})" ]; then echo 'Please run gofmt -l -w ${GOFILES} on your code.' && exit 1; fi
 
 vet:
 	@set -e; for LINE in ${GOPACKAGES}; do go vet $${LINE} ; done

tests/ConfigFile.yaml

@@ -1,6 +1,6 @@
 sidecarContainers:
 - name: jwt-sidecar
-  image: trustedseriviceidentity/ti-jwt-sidecar:v1.2
+  image: trustedseriviceidentity/ti-jwt-sidecar:v1.3
   imagePullPolicy: Always
   env:
   - name: HOST_IP

tests/ExpectAddContainer.json

@@ -0,0 +1,57 @@
+[
+  {
+    "op": "add",
+    "path": "/spec/containers/-",
+    "value": {
+      "name": "jwt-sidecar",
+      "image": "trustedseriviceidentity/ti-jwt-sidecar:v1.3",
+      "env": [
+        {
+          "name": "HOST_IP",
+          "valueFrom": {
+            "fieldRef": {
+              "fieldPath": "status.hostIP"
+            }
+          }
+        },
+        {
+          "name": "JWT_TTL_SEC",
+          "value": "30"
+        },
+        {
+          "name": "VAULT_ADDR",
+          "value": "http://ti-test1.eu-de.containers.appdomain.cloud"
+        },
+        {
+          "name": "SECRET_REFRESH_SEC",
+          "value": "45"
+        }
+      ],
+      "resources": {},
+      "volumeMounts": [
+        {
+          "name": "tsi-secrets",
+          "mountPath": "/usr/share/secrets"
+        },
+        {
+          "name": "tsi-sockets",
+          "mountPath": "/host/sockets"
+        },
+        {
+          "name": "pod-metadata",
+          "readOnly": true,
+          "mountPath": "/pod-metadata"
+        },
+        {
+          "name": "host-etc",
+          "readOnly": true,
+          "mountPath": "/host/etc"
+        }
+      ],
+      "imagePullPolicy": "Always",
+      "securityContext": {
+        "runAsUser": 0
+      }
+    }
+  }
+]