pkg,images: use openshift style user init and entrypoint (#969)

* pkg,images: use openshift style user init and entrypoint

This updates the scaffolds for the go operator and the scorecard
proxy to use openshift style user init and entrypoints (similar
to the ansible and helm operators)

Author: AlexNPavel

commands/operator-sdk/cmd/new.go

@@ -131,6 +131,8 @@ func doScaffold() {
 	err := s.Execute(cfg,
 		&scaffold.Cmd{},
 		&scaffold.Dockerfile{},
+		&scaffold.Entrypoint{},
+		&scaffold.UserSetup{},
 		&scaffold.ServiceAccount{},
 		&scaffold.Role{
 			IsClusterScoped: isClusterScoped,

images/scorecard-proxy/Dockerfile

@@ -1,7 +1,16 @@
 # Base image
 FROM alpine:3.8
 
-RUN apk upgrade --update --no-cache
-USER nobody
+ENV PROXY=/usr/local/bin/scorecard-proxy \
+    USER_UID=1001 \
+    USER_NAME=proxy
 
-COPY scorecard-proxy /usr/local/bin/scorecard-proxy
+# install operator binary
+COPY scorecard-proxy ${PROXY}
+
+COPY bin /usr/local/bin
+RUN  /usr/local/bin/user_setup
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
+
+USER ${USER_UID}

images/scorecard-proxy/bin/entrypoint

@@ -0,0 +1,12 @@
+#!/bin/sh -e
+
+# This is documented here:
+# https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines
+
+if ! whoami &>/dev/null; then
+  if [ -w /etc/passwd ]; then
+    echo "${USER_NAME:-proxy}:x:$(id -u):$(id -g):${USER_NAME:-proxy} user:${HOME}:/sbin/nologin" >> /etc/passwd
+  fi
+fi
+
+exec ${PROXY} $@

images/scorecard-proxy/bin/user_setup

@@ -0,0 +1,13 @@
+#!/bin/sh
+set -x
+
+# ensure $HOME exists and is accessible by group 0 (we don't know what the runtime UID will be)
+mkdir -p ${HOME}
+chown ${USER_UID}:0 ${HOME}
+chmod ug+rwx ${HOME}
+
+# runtime user will need to be able to self-insert in /etc/passwd
+chmod g+rw /etc/passwd
+
+# no need for this script to remain in the image after running
+rm $0

pkg/scaffold/build_dockerfile.go

@@ -36,9 +36,17 @@ func (s *Dockerfile) GetInput() (input.Input, error) {
 
 const dockerfileTmpl = `FROM alpine:3.8
 
-RUN apk upgrade --update --no-cache
+ENV OPERATOR=/usr/local/bin/{{.ProjectName}} \
+    USER_UID=1001 \
+    USER_NAME={{.ProjectName}}
 
-USER nobody
+# install operator binary
+COPY build/_output/bin/{{.ProjectName}} ${OPERATOR}
 
-ADD build/_output/bin/{{.ProjectName}} /usr/local/bin/{{.ProjectName}}
+COPY build/bin /usr/local/bin
+RUN  /usr/local/bin/user_setup
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
+
+USER ${USER_UID}
 `

pkg/scaffold/build_dockerfile_test.go

@@ -35,9 +35,17 @@ func TestDockerfile(t *testing.T) {
 
 const dockerfileExp = `FROM alpine:3.8
 
-RUN apk upgrade --update --no-cache
+ENV OPERATOR=/usr/local/bin/app-operator \
+    USER_UID=1001 \
+    USER_NAME=app-operator
 
-USER nobody
+# install operator binary
+COPY build/_output/bin/app-operator ${OPERATOR}
 
-ADD build/_output/bin/app-operator /usr/local/bin/app-operator
+COPY build/bin /usr/local/bin
+RUN  /usr/local/bin/user_setup
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
+
+USER ${USER_UID}
 `

pkg/scaffold/constants.go

@@ -23,16 +23,17 @@ const (
 	filePathSep = string(filepath.Separator)
 
 	// dirs
-	CmdDir        = "cmd"
-	ManagerDir    = CmdDir + filePathSep + "manager"
-	PkgDir        = "pkg"
-	ApisDir       = PkgDir + filePathSep + "apis"
-	ControllerDir = PkgDir + filePathSep + "controller"
-	BuildDir      = "build"
-	BuildTestDir  = BuildDir + filePathSep + "test-framework"
-	BuildBinDir   = BuildDir + filePathSep + "_output" + filePathSep + "bin"
-	DeployDir     = "deploy"
-	OlmCatalogDir = DeployDir + filePathSep + "olm-catalog"
-	CrdsDir       = DeployDir + filePathSep + "crds"
-	VersionDir    = "version"
+	CmdDir         = "cmd"
+	ManagerDir     = CmdDir + filePathSep + "manager"
+	PkgDir         = "pkg"
+	ApisDir        = PkgDir + filePathSep + "apis"
+	ControllerDir  = PkgDir + filePathSep + "controller"
+	BuildDir       = "build"
+	BuildTestDir   = BuildDir + filePathSep + "test-framework"
+	BuildBinDir    = BuildDir + filePathSep + "_output" + filePathSep + "bin"
+	BuildScriptDir = BuildDir + filePathSep + "bin"
+	DeployDir      = "deploy"
+	OlmCatalogDir  = DeployDir + filePathSep + "olm-catalog"
+	CrdsDir        = DeployDir + filePathSep + "crds"
+	VersionDir     = "version"
 )

pkg/scaffold/entrypoint.go

@@ -0,0 +1,51 @@
+// Copyright 2019 The Operator-SDK Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package scaffold
+
+import (
+	"path/filepath"
+
+	"github.com/operator-framework/operator-sdk/pkg/scaffold/input"
+)
+
+const EntrypointFile = "entrypoint"
+
+// Entrypoint - entrypoint script
+type Entrypoint struct {
+	input.Input
+}
+
+func (e *Entrypoint) GetInput() (input.Input, error) {
+	if e.Path == "" {
+		e.Path = filepath.Join(BuildScriptDir, EntrypointFile)
+	}
+	e.TemplateBody = entrypointTmpl
+	e.IsExec = true
+	return e.Input, nil
+}
+
+const entrypointTmpl = `#!/bin/sh -e
+
+# This is documented here:
+# https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines
+
+if ! whoami &>/dev/null; then
+  if [ -w /etc/passwd ]; then
+    echo "${USER_NAME:-{{.ProjectName}}}:x:$(id -u):$(id -g):${USER_NAME:-{{.ProjectName}}} user:${HOME}:/sbin/nologin" >> /etc/passwd
+  fi
+fi
+
+exec ${OPERATOR} $@
+`

pkg/scaffold/entrypoint_test.go

@@ -0,0 +1,49 @@
+// Copyright 2019 The Operator-SDK Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package scaffold
+
+import (
+	"testing"
+
+	"github.com/operator-framework/operator-sdk/internal/util/diffutil"
+)
+
+func EntrypointTest(t *testing.T) {
+	s, buf := setupScaffoldAndWriter()
+	err := s.Execute(appConfig, &Entrypoint{})
+	if err != nil {
+		t.Fatalf("Failed to execute the scaffold: (%v)", err)
+	}
+
+	if entrypointExp != buf.String() {
+		diffs := diffutil.Diff(entrypointExp, buf.String())
+		t.Fatalf("Expected vs actual differs.\n%v", diffs)
+	}
+}
+
+const entrypointExp = `#!/bin/sh -e
+
+# This is documented here:
+# https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines
+
+if ! whoami &>/dev/null; then
+  if [ -w /etc/passwd ]; then
+    echo "${USER_NAME:-app-operator}:x:$(id -u):$(id -g):${USER_NAME:-app-operator} user:${HOME}:/sbin/nologin" >> /etc/passwd
+  fi
+fi
+
+exec ${OPERATOR} $@
+
+`

pkg/scaffold/usersetup.go

@@ -0,0 +1,52 @@
+// Copyright 2019 The Operator-SDK Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package scaffold
+
+import (
+	"path/filepath"
+
+	"github.com/operator-framework/operator-sdk/pkg/scaffold/input"
+)
+
+const UserSetupFile = "user_setup"
+
+// UserSetup - userSetup script
+type UserSetup struct {
+	input.Input
+}
+
+func (u *UserSetup) GetInput() (input.Input, error) {
+	if u.Path == "" {
+		u.Path = filepath.Join(BuildScriptDir, UserSetupFile)
+	}
+	u.TemplateBody = userSetupTmpl
+	u.IsExec = true
+	return u.Input, nil
+}
+
+const userSetupTmpl = `#!/bin/sh
+set -x
+
+# ensure $HOME exists and is accessible by group 0 (we don't know what the runtime UID will be)
+mkdir -p ${HOME}
+chown ${USER_UID}:0 ${HOME}
+chmod ug+rwx ${HOME}
+
+# runtime user will need to be able to self-insert in /etc/passwd
+chmod g+rw /etc/passwd
+
+# no need for this script to remain in the image after running
+rm $0
+`

pkg/scaffold/usersetup_test.go

@@ -0,0 +1,49 @@
+// Copyright 2019 The Operator-SDK Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package scaffold
+
+import (
+	"testing"
+
+	"github.com/operator-framework/operator-sdk/internal/util/diffutil"
+)
+
+func UserSetupTest(t *testing.T) {
+	s, buf := setupScaffoldAndWriter()
+	err := s.Execute(appConfig, &UserSetup{})
+	if err != nil {
+		t.Fatalf("Failed to execute the scaffold: (%v)", err)
+	}
+
+	if userSetupExp != buf.String() {
+		diffs := diffutil.Diff(userSetupExp, buf.String())
+		t.Fatalf("Expected vs actual differs.\n%v", diffs)
+	}
+}
+
+const userSetupExp = `#!/bin/sh
+set -x
+
+# ensure $HOME exists and is accessible by group 0 (we don't know what the runtime UID will be)
+mkdir -p ${HOME}
+chown ${USER_UID}:0 ${HOME}
+chmod ug+rwx ${HOME}
+
+# runtime user will need to be able to self-insert in /etc/passwd
+chmod g+rw /etc/passwd
+
+# no need for this script to remain in the image after running
+rm $0
+`