diff --git a/Dockerfile b/Dockerfile
index b7ec330..dc6baeb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,14 +6,14 @@ WORKDIR /app
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
-RUN CGO_ENABLED=0 go build -o /bin/ino
+RUN CGO_ENABLED=0 go build -o /bin/opa-nginx
 RUN echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/nope" > passwd
 FROM scratch
-COPY --from=builder /bin/ino /bin/ino
+COPY --from=builder /bin/opa-nginx /bin/opa-nginx
 COPY --from=builder /app/passwd /etc/passwd
 USER nobody
 ENV OPA_URL=https://127.0.0.1:8181
-ENTRYPOINT ["/bin/ino"]
+ENTRYPOINT ["/bin/opa-nginx"]
 CMD ["serve"]
\ No newline at end of file
diff --git a/charts/opa-nginx/Chart.yaml b/charts/opa-nginx/Chart.yaml
index 31c6d14..28880f9 100644
--- a/charts/opa-nginx/Chart.yaml
+++ b/charts/opa-nginx/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: opa-nginx
 description: OPA Nginx Auth Request Integration
 type: application
-version: 0.0.2
-appVersion: 0.0.2
\ No newline at end of file
+version: 0.0.3
+appVersion: 0.0.3
\ No newline at end of file
diff --git a/charts/opa-nginx/templates/deployment.yaml b/charts/opa-nginx/templates/deployment.yaml
index 9219ea4..2ddb4cd 100644
--- a/charts/opa-nginx/templates/deployment.yaml
+++ b/charts/opa-nginx/templates/deployment.yaml
@@ -30,7 +30,7 @@ spec:
 - --tls-private-key-file=/certs/tls.key
 - --addr=localhost:8181
 - --log-level={{ .Values.opa.logLevel }}
- - --diagnostic-addr=localhost:8080
+ - --diagnostic-addr=0.0.0.0:8080
 - --disable-telemetry
 - --log-format=json
 - /policy
@@ -39,8 +39,19 @@ spec:
 scheme: HTTPS
 path: /health
 port: 8080
- initialDelaySeconds: 3
- periodSeconds: 30
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 6
+ readinessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /health
+ port: 8080
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 1
 volumeMounts:
 - mountPath: /certs
 name: certs
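Review bot: `--diagnostic-addr=0.0.0.0:8080` makes OPA's diagnostic listener reachable from every peer that can route to the pod IP, not only from the kubelet that runs the probes; OPA serves `/health` and `/metrics` on that listener, so metrics become readable from anywhere in the cluster unless a NetworkPolicy limits ingress on 8080. Keeping the policy API on `--addr=localhost:8181` is the right split, since nothing outside the pod needs it. I would record the reason next to the arg, `# 0.0.0.0: the kubelet must reach /health for the probes; /metrics is exposed on the same port, restrict 8080 with a NetworkPolicy if it must stay private`, and, if the chart has no NetworkPolicy template, consider adding one scoped to this port.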
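Review bot: `failureThreshold: 1` on the new readinessProbe lets a single missed probe, including one that merely exceeds the default 1s `timeoutSeconds`, drop the pod from the Service endpoints; with a 10s period and no explicit timeout that makes endpoint flapping under load likely, and the same value recurs in the hunk at -78 for the opa-nginx container. The Kubernetes default of 3 is the safer starting point, e.g. `failureThreshold: 3` together with an explicit `timeoutSeconds: 2`, keeping the liveness threshold of 6 as it is so restarts stay rarer than endpoint removal.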
@@ -78,6 +89,24 @@ spec:
 - name: http
 containerPort: 8282
 protocol: TCP
+ livenessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /healthz
+ port: 8282
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 6
+ readinessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /healthz
+ port: 8282
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 1
 volumeMounts:
 - mountPath: /certs
 name: certs
diff --git a/charts/opa-nginx/values.yaml b/charts/opa-nginx/values.yaml
index e3132e2..f91a6d4 100644
--- a/charts/opa-nginx/values.yaml
+++ b/charts/opa-nginx/values.yaml
@@ -2,7 +2,7 @@ nameOverride: ""
 replicaCount: 3
 opaNginx:
- image: richardjennings/opa-nginx:0.0.2
+ image: richardjennings/opa-nginx:0.0.3
 imagePullPolicy: IfNotPresent
 #authenticatedKey: "verified"
 #authenticatedValue: "true"
diff --git a/cmd/serve.go b/cmd/serve.go
index 84d0b24..6e97f91 100644
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -34,12 +34,19 @@ var serveCmd = &cobra.Command{
 if err != nil {
 log.Fatalln(err)
 }
+
+ mux := http.NewServeMux()
+ mux.HandleFunc("/", internal.NewHandler(&internal.OpaProxy{Config: config}))
+ mux.HandleFunc("/healthz", func(writer http.ResponseWriter, request *http.Request) {
+ writer.WriteHeader(200)
+ })
 server := &http.Server{
 Addr: defaultAddr,
- Handler: internal.NewHandler(&internal.OpaProxy{Config: config}),
+ Handler: mux,
 ReadTimeout: 5 * time.Second,
 WriteTimeout: 10 * time.Second,
 }
+
 if tlsCertFile != "" && tlsPrivateKeyFile != "" {
 log.Fatalln(server.ListenAndServeTLS(tlsCertFile, tlsPrivateKeyFile))
 }
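Review bot: The `/healthz` handler answers 200 unconditionally from the same listener and mux as the authorization handler mounted at `/`, so the health path is now an unauthenticated exception inside the surface that nginx's `auth_request` subrequests hit; whether a client can steer a subrequest onto `/healthz` depends on the nginx location config, which is not in this diff, but a fixed-path `proxy_pass` on the nginx side or a dedicated health listener/port here removes the question entirely, and the probes added in deployment.yaml (hunk at -78) would then target that port. The handler also reports healthy without checking that OPA at the configured URL is reachable, so the readiness probe cannot tell a working deployment from one where every auth request fails. Minor: `writer.WriteHeader(http.StatusOK)` instead of the bare `200`, and the unused `request` parameter can be `_`. The surrounding function literal in serveCmd starts before and ends after this hunk.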