From 8edb94c771e1cdda18421fea73471cf8dbd8c566 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Wenzel?=
Date: Sat, 20 Jun 2020 22:59:42 +0200
Subject: [PATCH] switch to distroless java and upgrade kubernetes resources for deprecated api versions
---
 Dockerfile | 14 +++---
 deploy/rbac.yaml | 122 +++++++++++++++++++++++------------------------
 2 files changed, 69 insertions(+), 67 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 8fc3cde..0b6ae2b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,17 @@
-FROM openjdk:8-alpine AS BUILD
+FROM openjdk:8 AS BUILD
 COPY . /opt
 WORKDIR /opt
 RUN ./mvnw clean install -DskipTests
+ENV JAVA_RANDOM="file:/dev/./urandom"
+RUN echo "networkaddress.cache.ttl=60" >> /usr/local/openjdk-8/jre/lib/security/java.security
+RUN sed -i -e "s@^securerandom.source=.*@securerandom.source=${JAVA_RANDOM}@" /usr/local/openjdk-8/jre/lib/security/java.security
-FROM openjdk:8-alpine
+FROM gcr.io/distroless/java:8
 COPY --from=BUILD /opt/target/vault-crd.jar /opt/vault-crd.jar
-WORKDIR /opt
-
-ENV JAVA_OPTS="-Xms256m -Xmx512m"
+COPY --from=BUILD /usr/local/openjdk-8/jre/lib/security/java.security /etc/java-8-openjdk/security/java.security
-ENTRYPOINT java $JAVA_OPTS -Djava.security.egd=file:/dev/./urandom -jar vault-crd.jar
+ENTRYPOINT ["/usr/bin/java", "-XX:+UnlockExperimentalVMOptions", "-XX:+UseCGroupMemoryLimitForHeap", "-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts", "-Djavax.net.ssl.trustStorePassword=changeit", "-Djavax.net.ssl.trustStoreType=jks"]
+CMD ["-jar", "/opt/vault-crd.jar"]
diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml
index c5e8f61..3d7a150 100644
--- a/deploy/rbac.yaml
+++ b/deploy/rbac.yaml
@@ -13,7 +13,7 @@ metadata:
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: vault-crd-clusterrole
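Review bot: The runtime stage still runs as root: nothing in the hunk sets `USER`, and `gcr.io/distroless/java:8` (as opposed to a `:nonroot` tag) does not switch away from root on its own, so add `USER nonroot` (or a numeric uid such as `USER 65532:65532`) after the two `COPY --from=BUILD` lines and before `ENTRYPOINT`. Copying the builder's whole `java.security` over `/etc/java-8-openjdk/security/java.security` replaces every setting of the Debian-based runtime JRE, not only the two keys the BUILD stage edits; a narrower approach is to write just `networkaddress.cache.ttl=60` and `securerandom.source=file:/dev/./urandom` into a small overlay file, copy that into the image, and pass `-Djava.security.properties=/opt/java.security.overrides` in the `ENTRYPOINT`, which leaves the runtime's own defaults intact. `-XX:+UseCGroupMemoryLimitForHeap` is the experimental pre-8u191 flag; if the distroless tag ships a newer 8u, `-XX:+UseContainerSupport` is already on by default and the experimental pair can be dropped, so the JRE update level is worth confirming. The stage name `BUILD` should be lowercase per BuildKit's StageNameCasing check.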
@@ -45,7 +45,7 @@ rules:
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: vault-crd-clusterrole-binding
@@ -60,7 +60,7 @@ subjects:
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: vault.koudingspawn.de
@@ -77,72 +77,72 @@ spec: - name: v1 served: true storage: true - validation: - openAPIV3Schema: - properties: - spec: + schema: + openAPIV3Schema: properties: - path: - type: string - pattern: '^.*?\/.*?(\/.*?)?$' - type: - type: string - enum: - - PKI - - PKIJKS - - CERT - - CERTJKS - - DOCKERCFG - - KEYVALUE - - KEYVALUEV2 - - PROPERTIES - pkiConfiguration: - type: object + spec: properties: - commonName: + path: type: string - altNames: - type: string - ipSans: - type: string - ttl: - type: string - pattern: '^[0-9]{1,}[hm]$' - jksConfiguration: - type: object - properties: - password: - type: string - alias: - type: string - keyName: - type: string - caAlias: - type: string - versionConfiguration: - type: object - properties: - version: - type: integer - propertiesConfiguration: - type: object - properties: - context: - type: object - files: - type: object - dockerCfgConfiguration: - type: object - properties: + pattern: '^.*?\/.*?(\/.*?)?$' type: type: string enum: + - PKI + - PKIJKS + - CERT + - CERTJKS + - DOCKERCFG - KEYVALUE - KEYVALUEV2 - version: - type: integer - required: - - type + - PROPERTIES + pkiConfiguration: + type: object + properties: + commonName: + type: string + altNames: + type: string + ipSans: + type: string + ttl: + type: string + pattern: '^[0-9]{1,}[hm]$' + jksConfiguration: + type: object + properties: + password: + type: string + alias: + type: string + keyName: + type: string + caAlias: + type: string + versionConfiguration: + type: object + properties: + version: + type: integer + propertiesConfiguration: + type: object + properties: + context: + type: object + files: + type: object + dockerCfgConfiguration: + type: object + properties: + type: + type: string + enum: + - KEYVALUE + - KEYVALUEV2 + version: + type: integer + required: + - type ---
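Review bot: The new `openAPIV3Schema` and its `spec` property carry no `type: object`, and `apiextensions.k8s.io/v1` requires a structural schema with a type on the root and on every declared field, so as far as the hunk shows the API server will reject this CRD on apply; add `type: object` directly under the added `openAPIV3Schema:` line and under the added `spec:` line next to the re-indented `properties:`. Under v1, pruning is also enabled by default, so `context` and `files` in `propertiesConfiguration`, which are `type: object` with no `properties`, will have every user-supplied key dropped on admission; if they are free-form maps, each needs `x-kubernetes-preserve-unknown-fields: true` (or an `additionalProperties` schema if the values are uniform). Indentation was lost when this hunk was collapsed, so the exact nesting should be checked against the file.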