Add Kerberos libraries to the Docker images (#242)

* Include all binary outputs from the workspace in the images' $PATH * Include MIT kerberos libraries in the build- and runtime environments * Document why the different Nix components are installed * Install krb5 for CI * Also install krb5 headers for CI * Consider all workspace members for udeps * Fix wonky Dockerfile COPY path * Add undo-tree files to the Tilt ignore list --------- Co-authored-by: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>

Author: nightkr

template/.github/workflows/build.yml.j2

@@ -31,10 +31,10 @@ jobs:
  env:
  RUSTC_BOOTSTRAP: 1
  steps:
- - name: Install protoc
+ - name: Install host dependencies
  run: |
  sudo apt-get update
- sudo apt-get install protobuf-compiler
+ sudo apt-get install protobuf-compiler krb5-user libkrb5-dev
  - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
  with:
  submodules: recursive
@@ -43,7 +43,7 @@ jobs:
  with:
  key: udeps
  - run: cargo install cargo-udeps
- - run: cargo udeps
+ - run: cargo udeps --workspace
 
  # This job evaluates the github environment to determine why this action is running and selects the appropriate
  # target repository for published Helm charts based on this.
@@ -125,10 +125,10 @@ jobs:
  name: Run Clippy
  runs-on: ubuntu-latest
  steps:
- - name: Install protoc
+ - name: Install host dependencies
  run: |
  sudo apt-get update
- sudo apt-get install protobuf-compiler
+ sudo apt-get install protobuf-compiler krb5-user libkrb5-dev
  - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
  with:
  submodules: recursive
@@ -156,10 +156,10 @@ jobs:
  name: Run RustDoc
  runs-on: ubuntu-latest
  steps:
- - name: Install protoc
+ - name: Install host dependencies
  run: |
  sudo apt-get update
- sudo apt-get install protobuf-compiler
+ sudo apt-get install protobuf-compiler krb5-user libkrb5-dev
  - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
  with:
  submodules: recursive
@@ -175,10 +175,10 @@ jobs:
  name: Run Cargo Tests
  runs-on: ubuntu-latest
  steps:
- - name: Install protoc
+ - name: Install host dependencies
  run: |
  sudo apt-get update
- sudo apt-get install protobuf-compiler
+ sudo apt-get install protobuf-compiler krb5-user libkrb5-dev
  - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
  with:
  submodules: recursive
@@ -230,10 +230,10 @@ jobs:
  name: Check if committed Helm charts are up to date
  runs-on: ubuntu-latest
  steps:
- - name: Install protoc
+ - name: Install host dependencies
  run: |
  sudo apt-get update
- sudo apt-get install protobuf-compiler
+ sudo apt-get install protobuf-compiler krb5-user libkrb5-dev
  - name: Checkout
  uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
  with:
@@ -288,10 +288,10 @@ jobs:
  outputs:
  IMAGE_TAG: ${{ steps.printtag.outputs.IMAGE_TAG }}
  steps:
- - name: Install protoc
+ - name: Install host dependencies
  run: |
  sudo apt-get update
- sudo apt-get install protobuf-compiler
+ sudo apt-get install protobuf-compiler krb5-user libkrb5-dev
  - name: Checkout
  uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
  with:

template/Tiltfile

@@ -12,6 +12,7 @@ custom_build(
  registry + '/' + operator_name,
  'nix shell -f . crate2nix -c crate2nix generate && nix-build . -A docker --argstr dockerName "${EXPECTED_REGISTRY}/' + operator_name + '" && ./result/load-image | docker load',
  deps=['rust', 'Cargo.toml', 'Cargo.lock', 'default.nix', "nix", 'build.rs', 'vendor'],
+ ignore=['*.~undo-tree~'],
  # ignore=['result*', 'Cargo.nix', 'target', *.yaml],
  outputs_image_ref_to='result/ref',
 )

template/default.nix

@@ -10,6 +10,15 @@
  tonic-reflection = attrs: {
  buildInputs = [ pkgs.rustfmt ];
  };
+ stackable-secret-operator = attrs: {
+ buildInputs = [ pkgs.protobuf pkgs.rustfmt ];
+ };
+ krb5-sys = attrs: {
+ nativeBuildInputs = [ pkgs.pkg-config ];
+ buildInputs = [ (pkgs.enableDebugging pkgs.krb5) ];
+ LIBCLANG_PATH = "${pkgs.libclang.lib}/lib";
+ BINDGEN_EXTRA_CLANG_ARGS = "-I${pkgs.glibc.dev}/include -I${pkgs.clang.cc.lib}/lib/clang/${pkgs.lib.getVersion pkgs.clang.cc}/include";
+ };
  };
  }
 , meta ? pkgs.lib.importJSON ./nix/meta.json
@@ -27,14 +36,21 @@ rec {
  dockerImage = pkgs.dockerTools.streamLayeredImage {
  name = dockerName;
  tag = dockerTag;
- contents = [ pkgs.bashInteractive pkgs.coreutils pkgs.util-linuxMinimal ];
+ contents = [
+ # Common debugging tools
+ pkgs.bashInteractive pkgs.coreutils pkgs.util-linuxMinimal
+ # Kerberos 5 must be installed globally to load plugins correctly
+ pkgs.krb5
+ # Make the whole cargo workspace available on $PATH
+ build
+ ];
  config = {
- Env =
- let
- fileRefVars = {
- PRODUCT_CONFIG = deploy/config-spec/properties.yaml;
- };
- in pkgs.lib.concatLists (pkgs.lib.mapAttrsToList (env: path: pkgs.lib.optional (pkgs.lib.pathExists path) "${env}=${path}") fileRefVars);
+  Env =
+  let
+  fileRefVars = {
+  PRODUCT_CONFIG = deploy/config-spec/properties.yaml;
+  };
+  in pkgs.lib.concatLists (pkgs.lib.mapAttrsToList (env: path: pkgs.lib.optional (pkgs.lib.pathExists path) "${env}=${path}") fileRefVars);
  Entrypoint = [ entrypoint ];
  Cmd = [ "run" ];
  };

template/docker/Dockerfile.j2

@@ -23,9 +23,12 @@ RUN microdnf install -y yum \
  && yum clean all \
  && microdnf clean all
 
+# Install kerberos client libraries
+RUN microdnf install -y krb5-libs libkadm5 && microdnf clean all
+
 COPY LICENSE /licenses/LICENSE
 
-COPY --from=builder /app/stackable-{[ operator.name }] /
+COPY --from=builder /app/* /usr/local/bin/
 {[% if operator.include_productconfig is undefined or operator.include_productconfig == true %}]
 COPY deploy/config-spec/properties.yaml /etc/stackable/{[ operator.name }]/config-spec/properties.yaml
 {[% endif %}]
@@ -34,5 +37,5 @@ RUN groupadd -g 1000 stackable && adduser -u 1000 -g stackable -c 'Stackable Ope
 
 USER stackable:stackable
 
-ENTRYPOINT ["/stackable-{[ operator.name }]"]
+ENTRYPOINT ["stackable-{[ operator.name }]"]
 CMD ["run"]