Skip to content

Commit

Permalink
switch to distroless java and upgrade kubernetes resources for deprec…
Browse files Browse the repository at this point in the history 
…ated api versions
  • Loading branch information
Björn Wenzel committed Jun 20, 2020
1 parent 71f51c0 commit 8edb94c
Show file tree
Hide file tree
Showing 2 changed files with 69 additions and 67 deletions.
14 changes: 8 additions & 6 deletions Dockerfile
View file
Original file line number Diff line number Diff line change
@@ -1,15 +1,17 @@
FROM openjdk:8-alpine AS BUILD
FROM openjdk:8 AS BUILD

COPY . /opt
WORKDIR /opt
RUN ./mvnw clean install -DskipTests

ENV JAVA_RANDOM="file:/dev/./urandom"
RUN echo "networkaddress.cache.ttl=60" >> /usr/local/openjdk-8/jre/lib/security/java.security
RUN sed -i -e "s@^securerandom.source=.*@securerandom.source=${JAVA_RANDOM}@" /usr/local/openjdk-8/jre/lib/security/java.security

FROM openjdk:8-alpine
FROM gcr.io/distroless/java:8

COPY --from=BUILD /opt/target/vault-crd.jar /opt/vault-crd.jar
WORKDIR /opt

ENV JAVA_OPTS="-Xms256m -Xmx512m"
COPY --from=BUILD /usr/local/openjdk-8/jre/lib/security/java.security /etc/java-8-openjdk/security/java.security

ENTRYPOINT java $JAVA_OPTS -Djava.security.egd=file:/dev/./urandom -jar vault-crd.jar
ENTRYPOINT ["/usr/bin/java", "-XX:+UnlockExperimentalVMOptions", "-XX:+UseCGroupMemoryLimitForHeap", "-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts", "-Djavax.net.ssl.trustStorePassword=changeit", "-Djavax.net.ssl.trustStoreType=jks"]
CMD ["-jar", "/opt/vault-crd.jar"]
122 changes: 61 additions & 61 deletions deploy/rbac.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ metadata:

---

apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: vault-crd-clusterrole
Expand Down Expand Up @@ -45,7 +45,7 @@ rules:

---

apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: vault-crd-clusterrole-binding
Expand All @@ -60,7 +60,7 @@ subjects:

---

apiVersion: apiextensions.k8s.io/v1beta1
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: vault.koudingspawn.de
Expand All @@ -77,72 +77,72 @@ spec:
- name: v1
served: true
storage: true
validation:
openAPIV3Schema:
properties:
spec:
schema:
openAPIV3Schema:
properties:
path:
type: string
pattern: '^.*?\/.*?(\/.*?)?$'
type:
type: string
enum:
- PKI
- PKIJKS
- CERT
- CERTJKS
- DOCKERCFG
- KEYVALUE
- KEYVALUEV2
- PROPERTIES
pkiConfiguration:
type: object
spec:
properties:
commonName:
path:
type: string
altNames:
type: string
ipSans:
type: string
ttl:
type: string
pattern: '^[0-9]{1,}[hm]$'
jksConfiguration:
type: object
properties:
password:
type: string
alias:
type: string
keyName:
type: string
caAlias:
type: string
versionConfiguration:
type: object
properties:
version:
type: integer
propertiesConfiguration:
type: object
properties:
context:
type: object
files:
type: object
dockerCfgConfiguration:
type: object
properties:
pattern: '^.*?\/.*?(\/.*?)?$'
type:
type: string
enum:
- PKI
- PKIJKS
- CERT
- CERTJKS
- DOCKERCFG
- KEYVALUE
- KEYVALUEV2
version:
type: integer
required:
- type
- PROPERTIES
pkiConfiguration:
type: object
properties:
commonName:
type: string
altNames:
type: string
ipSans:
type: string
ttl:
type: string
pattern: '^[0-9]{1,}[hm]$'
jksConfiguration:
type: object
properties:
password:
type: string
alias:
type: string
keyName:
type: string
caAlias:
type: string
versionConfiguration:
type: object
properties:
version:
type: integer
propertiesConfiguration:
type: object
properties:
context:
type: object
files:
type: object
dockerCfgConfiguration:
type: object
properties:
type:
type: string
enum:
- KEYVALUE
- KEYVALUEV2
version:
type: integer
required:
- type

---

Expand Down

0 comments on commit 8edb94c

Please sign in to comment.