Enable starting containers in the varnish/haproxy Pod as nonroot.

Initially for kubectl/yaml deployments.

While here, ensure that /etc/varnish is world-readable, since it's
been reported that it might not be. Evidently not always, but setting
the permissions is never wrong.

Addresses #38

container/Dockerfile.haproxy

@@ -36,7 +36,9 @@ COPY haproxy.cfg /etc/haproxy/
 # GID 998 is the varnish group in the varnish container.
 RUN /bin/mkdir /run/haproxy/ && \
     /usr/sbin/groupadd -g 998 varnish && \
-    /usr/sbin/usermod -G varnish haproxy
+    /usr/sbin/usermod -G varnish -g varnish -u 102 haproxy && \
+    /bin/chgrp varnish /run/haproxy && \
+    /bin/chmod 775 /run/haproxy
 
 COPY haproxy_exec.sh /
 RUN /bin/chmod 755 /haproxy_exec.sh /usr/bin/k8s-crt-dnldr

container/Dockerfile.varnish

@@ -23,7 +23,9 @@ COPY boot.vcl /etc/varnish
 COPY start.cli /etc/varnish
 
 COPY varnishd_exec.sh /
-RUN /bin/chmod 755 /varnishd_exec.sh
+RUN /usr/sbin/useradd -r -g varnish -d /var/lib/varnish -s /sbin/nologin \
+	-u 102 vcache
+RUN /bin/chmod 755 /varnishd_exec.sh /etc/varnish
 
 ENV HTTP_PORT=80 PROTO=HTTP READY_PORT=8080 SECRET_PATH=/var/run/varnish \
     SECRET_FILE=_.secret ADMIN_PORT=6081 GROUP=varnish \

container/haproxy_exec.sh

@@ -5,4 +5,8 @@ set -u
 
 /bin/sed -e "s/%%SECRET_DATAPLANEAPI%%/${SECRET_DATAPLANEAPI}/g" -e "s/%%POD_NAMESPACE%%/${POD_NAMESPACE}/g" /etc/haproxy/haproxy.cfg > /run/haproxy/haproxy.cfg
 
+if [[ ${EUID} > 0 ]]; then
+    /bin/sed -i -e '\:chroot /run/offload:d' /run/haproxy/haproxy.cfg
+fi
+
 exec /usr/sbin/haproxy -f /run/haproxy/haproxy.cfg "$@"

examples/varnish_pod_template/Makefile

@@ -118,21 +118,22 @@ deploy-env-helm:
 	@helm install viking-ingress-env $(CHARTDIR)/viking-test-app \
 		--values values.yaml
 
-deploy-cli-args-kubectl:
+deploy-cafe-kubectl:
 	@kubectl apply -f ../hello/cafe.yaml
 	@kubectl apply -f cafe-ingress.yaml
+
+deploy-cli-args-kubectl: deploy-cafe-kubectl
 	@kubectl apply -f cli-args.yaml
 
-deploy-proxy-kubectl:
-	@kubectl apply -f ../hello/cafe.yaml
-	@kubectl apply -f cafe-ingress.yaml
+deploy-proxy-kubectl: deploy-cafe-kubectl
 	@kubectl apply -f proxy.yaml
 
-deploy-env-kubectl:
-	@kubectl apply -f ../hello/cafe.yaml
-	@kubectl apply -f cafe-ingress.yaml
+deploy-env-kubectl: deploy-cafe-kubectl
 	@kubectl apply -f env.yaml
 
+deploy-nonroot-kubectl: deploy-cafe-kubectl
+	@kubectl apply -f nonroot.yaml
+
 # TESTOPTS are passed to varnishtest, e.g.: make TESTOPTS=-v verify
 verify-cli-args:
 	$(mkdir)/verify_cli-args.sh
@@ -143,24 +144,33 @@ verify-proxy:
 verify-env:
 	$(mkdir)/verify_env.sh
 
-undeploy-cli-args-kubectl:
-	@kubectl delete -f cli-args.yaml
+verify-nonroot:
+	$(mkdir)/verify_nonroot.sh
+
+undeploy-cafe-kubectl:
 	@kubectl delete -f cafe-ingress.yaml
 	@kubectl delete -f ../hello/cafe.yaml
+
+undeploy-cli-args-kubectl:
+	@kubectl delete -f cli-args.yaml
+	$(MAKE) undeploy-cafe-kubectl
 	$(TESTDIR)/wait_delete.sh app=varnish-ingress,example=cli-args
 
 undeploy-proxy-kubectl:
 	@kubectl delete -f proxy.yaml
-	@kubectl delete -f cafe-ingress.yaml
-	@kubectl delete -f ../hello/cafe.yaml
+	$(MAKE) undeploy-cafe-kubectl
 	$(TESTDIR)/wait_delete.sh app=varnish-ingress,example=proxy
 
 undeploy-env-kubectl:
 	@kubectl delete -f env.yaml
-	@kubectl delete -f cafe-ingress.yaml
-	@kubectl delete -f ../hello/cafe.yaml
+	$(MAKE) undeploy-cafe-kubectl
 	$(TESTDIR)/wait_delete.sh app=varnish-ingress,example=env
 
+undeploy-nonroot-kubectl:
+	@kubectl delete -f nonroot.yaml
+	$(MAKE) undeploy-cafe-kubectl
+	$(TESTDIR)/wait_delete.sh app=varnish-ingress,example=nonroot
+
 undeploy-cli-args-helm:
 	@helm uninstall viking-ingress-cli-args
 	@helm uninstall viking-service-cli-args
@@ -180,9 +190,11 @@ ifeq ($(DEPLOY),kubectl)
 deploy-cli-args: deploy-cli-args-kubectl
 deploy-proxy: deploy-proxy-kubectl
 deploy-env: deploy-env-kubectl
+deploy-nonroot: deploy-nonroot-kubectl
 undeploy-cli-args: undeploy-cli-args-kubectl
 undeploy-proxy: undeploy-proxy-kubectl
 undeploy-env: undeploy-env-kubectl
+undeploy-nonroot: undeploy-nonroot-kubectl
 else
 deploy-cli-args: deploy-cli-args-helm
 deploy-proxy: deploy-proxy-helm
@@ -194,7 +206,7 @@ endif
 
 deploy verify undeploy:
 ifndef EXAMPLE
-	$(error EXAMPLE must be set to cli-args, proxy, or env)
+	$(error EXAMPLE must be set to cli-args, proxy, env, or nonroot)
 endif
 
 ifeq ($(EXAMPLE),cli-args)
@@ -209,6 +221,10 @@ else ifeq ($(EXAMPLE),env)
 deploy: deploy-env
 verify: verify-env
 undeploy: undeploy-env
+else ifeq ($(EXAMPLE),nonroot)
+deploy: deploy-nonroot
+verify: verify-nonroot
+undeploy: undeploy-nonroot
 endif
 
 .PHONY: all $(MAKECMDGOALS)

examples/varnish_pod_template/nonroot.yaml

+apiVersion: v1
+kind: Service
+metadata:
+  name: pod-template-examples
+  labels:
+    app: varnish-ingress
+spec:
+  type: NodePort
+  ports:
+  - port: 80
+    targetPort: 8888
+    protocol: TCP
+    name: http
+  - port: 443
+    targetPort: 443
+    protocol: TCP
+    name: tls
+  selector:
+    app: varnish-ingress
+    example: nonroot
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pod-template-examples-admin
+  labels:
+    app: varnish-ingress
+  annotations:
+    viking.uplex.de/admSecret: adm-secret
+spec:
+  clusterIP: None
+  ports:
+  - port: 6081
+    targetPort: 6081
+    protocol: TCP
+    name: varnishadm
+  - port: 8000
+    targetPort: 8000
+    protocol: TCP
+    name: configured
+  - port: 5555
+    targetPort: 5555
+    protocol: TCP
+    name: dataplane
+  - port: 5556
+    targetPort: 5556
+    protocol: TCP
+    name: crt-dnldr
+  - port: 9443
+    targetPort: 9443
+    protocol: TCP
+    name: stats
+  selector:
+    app: varnish-ingress
+    example: nonroot
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nonroot-example
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: varnish-ingress
+  template:
+    metadata:
+      labels:
+        app: varnish-ingress
+        example: nonroot
+    spec:
+      serviceAccountName: varnish-ingress
+      securityContext:
+        runAsUser: 102
+        fsGroup: 998
+      containers:
+      - image: varnish-ingress/varnish
+        imagePullPolicy: IfNotPresent
+        name: varnish-ingress
+        ports:
+        - name: http
+          containerPort: 8888
+        - name: k8s
+          containerPort: 8080
+        volumeMounts:
+        - name: adm-secret
+          mountPath: "/var/run/varnish"
+          readOnly: true
+        - name: varnish-home
+          mountPath: "/var/run/varnish-home"
+        - name: offload
+          mountPath: "/var/run/offload"
+        livenessProbe:
+          exec:
+            command:
+            - /usr/bin/pgrep
+            - -P
+            - "0"
+            - varnishd
+        readinessProbe:
+          httpGet:
+            path: /ready
+            port: k8s
+        args:
+          - -n
+          - /var/run/varnish-home
+        env:
+        # Container port for the HTTP listener.
+        # MUST match the value set for the http containerPort above, and
+        # the http targetPort in the Service.
+        - name: HTTP_PORT
+          value: "8888"
+      - image: varnish-ingress/haproxy
+        imagePullPolicy: IfNotPresent
+        name: varnish-ingress-offloader
+        ports:
+        - name: tls
+          containerPort: 443
+        - name: k8s
+          containerPort: 8443
+        volumeMounts:
+        - name: tls-cert
+          mountPath: "/etc/ssl/private"
+        - name: offload
+          mountPath: "/var/run/offload"
+        env:
+          - name: SECRET_DATAPLANEAPI
+            valueFrom:
+              secretKeyRef:
+                name: adm-secret
+                key: dataplaneapi
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        livenessProbe:
+          exec:
+            command:
+            - /usr/bin/pgrep
+            - -P
+            - "0"
+            - haproxy
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: k8s
+      volumes:
+      - name: adm-secret
+        secret:
+          secretName: adm-secret
+          items:
+          - key: admin
+            path: _.secret
+      - name: tls-cert
+        emptyDir: {}
+      - name: varnish-home
+        emptyDir:
+          medium: "Memory"
+      - name: offload
+        emptyDir: {}

examples/varnish_pod_template/verify_cli-args.sh

@@ -13,4 +13,4 @@ kubectl port-forward svc/pod-template-examples ${LOCALPORT}:80 >/dev/null &
 trap 'kill $(jobs -p)' EXIT
 wait_for_port ${LOCALPORT}
 
-varnishtest ${TESTOPTS} -Dlocalport=${LOCALPORT} cafe_cli-args.vtc
+varnishtest ${TESTOPTS} -Dlocalport=${LOCALPORT} cafe.vtc

examples/varnish_pod_template/verify_nonroot.sh

+#! /bin/bash -x
+
+MYDIR=$(dirname ${BASH_SOURCE[0]})
+source ${MYDIR}/../../test/utils.sh
+
+LOCALPORT=${LOCALPORT:-8888}
+
+set -e
+wait_until_ready example=nonroot
+wait_until_configured example=nonroot
+
+kubectl port-forward svc/pod-template-examples ${LOCALPORT}:80 >/dev/null &
+trap 'kill $(jobs -p)' EXIT
+wait_for_port ${LOCALPORT}
+
+varnishtest ${TESTOPTS} -Dlocalport=${LOCALPORT} cafe.vtc

test/e2e.sh

@@ -41,6 +41,9 @@ make EXAMPLE=proxy deploy verify undeploy
 echo Varnish Pod template with env settings example
 make EXAMPLE=env deploy verify undeploy
 
+echo Varnish Pod template with containers running as nonroot example
+make EXAMPLE=nonroot deploy verify undeploy
+
 echo Cluster-wide Ingress example
 cd ${MYPATH}/../examples/architectures/clusterwide/
 make deploy verify undeploy