Bind trow to IPv6 and IPv4 by default (#436)

* chart: better securitycontext

* UID and GID in the 0-10_000 range
* readonly filesystem
* disable privilege escalation

* rename fn

* improve CLI args

* bind "::" which maps to both ipv4 and ipv6

* add emptydir /data for webhooks

Author: awoimbee

charts/trow/templates/statefulset.yaml

@@ -28,7 +28,7 @@ spec:
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         args:
-          - "-n"
+          - "--hostname"
           - {{ .Values.trow.domain | quote }}
           {{- if and (.Values.trow.user) (.Values.trow.password) }}
           - "--user"

charts/trow/templates/webhooks/deployment.yaml

@@ -48,7 +48,7 @@ spec:
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         args:
           - "--tls=/etc/trow/webhook-cert/cert,/etc/trow/webhook-cert/key"
-          - "-n"
+          - "--hostname"
           - {{ .Values.trow.domain | quote }}
           {{- if include "trow.hasConfigFile" . }}
           - "--config-file=/etc/trow/config.yaml"
@@ -58,7 +58,7 @@ spec:
           value: {{ .Values.trow.logLevel }}
         ports:
         - name: webhook
-          containerPort: 8443
+          containerPort: 8000
         {{- with .Values.containerSecurityContext }}
         securityContext:
           {{- toYaml . | nindent 10 }}
@@ -67,6 +67,8 @@ spec:
         - name: webhook-cert-translated
           mountPath: /etc/trow/webhook-cert
           readOnly: true
+        - name: data-emptydir
+          mountPath: /data
       {{- if include "trow.hasConfigFile" . }}
         - name: trow-cfg
           mountPath: /etc/trow/config.yaml
@@ -89,6 +91,8 @@ spec:
           {{- end }}
         - name: webhook-cert-translated
           emptyDir: {}
+        - name: data-emptydir
+          emptyDir: {}
       {{- if include "trow.hasConfigFile" . }}
         - name: trow-cfg
           secret:

charts/trow/values.yaml

@@ -8,14 +8,14 @@ image:
   repository: ghcr.io/trow-registry/trow
   tag:
   pullPolicy: IfNotPresent
-
-## Applies to the Trow Statefulset and the webhooks Deployment
 podSecurityContext:
-  runAsUser: 333333
-  runAsGroup: 333333
-  fsGroup: 333333
-
-containerSecurityContext: {}
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 3000
+  fsGroup: 3000
+containerSecurityContext:
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
 
 trow:
   ## if using NodePort, this can be set to 127.0.0.1:XXXX

src/main.rs

@@ -1,6 +1,6 @@
 use std::fs::File;
 use std::io::prelude::*;
-use std::net::{IpAddr, SocketAddr};
+use std::net::{IpAddr, SocketAddr, TcpListener, ToSocketAddrs};
 use std::path::{Path, PathBuf};
 use std::str::FromStr;
 
@@ -15,18 +15,9 @@ use trow::{TlsConfig, TrowConfig};
 #[command(about = "The Cluster Registry")]
 #[command(author, version, long_about = None)]
 struct Args {
-    /// Name of the host or interface to start Trow on
-    #[arg(long, default_value = "0.0.0.0")]
-    host: IpAddr,
-
-    /// Port that trow will listen on
-    #[arg(
-        short,
-        long,
-        default_value_if("tls", ArgPredicate::IsPresent, "8443"),
-        default_value("8000")
-    )]
-    port: u16,
+    /// Interface to bind Trow on
+    #[arg(long, default_value = "[::]:8000")]
+    bind: SocketAddr,
 
     /// Path to TLS certificate and key, separated by ','
     #[arg(
@@ -44,10 +35,10 @@ struct Args {
 
     /// Host name for registry.
     ///
-    /// Used in AdmissionMutation webhook.
+    /// Used in AdmissionMutation webhook and token issuer.
     /// Defaults to `host`.
-    #[arg(short, long)]
-    name: Option<String>,
+    #[arg(short = 'n', long)]
+    hostname: Option<String>,
 
     /// Don't actually run Trow, just validate arguments.
     ///
@@ -81,8 +72,13 @@ async fn main() {
     tracing_subscriber::fmt::init();
 
     let args = Args::parse();
-    let addr = SocketAddr::new(args.host, args.port);
-    let host_name = args.name.unwrap_or(addr.to_string());
+    let addr = args
+        .bind
+        .to_socket_addrs()
+        .expect("Could not resolve bind address")
+        .next()
+        .expect("Bound address did not resolve to anything");
+    let host_name = args.hostname.unwrap_or(addr.to_string());
 
     let mut builder = TrowConfig::new();
     builder.data_dir = PathBuf::from_str(args.data_dir.as_str()).expect("Invalid data path");

src/routes/mod.rs

@@ -176,7 +176,7 @@ async fn login(
     auth_user: ValidBasicToken,
     State(state): State<Arc<TrowServerState>>,
 ) -> Result<TrowToken, Error> {
-    let tok = trow_token::new(auth_user, &state.config);
+    let tok = trow_token::create_token(auth_user, &state.config);
     match tok {
         Ok(t) => Ok(t),
         Err(e) => {

src/routes/response/trow_token.rs

@@ -137,7 +137,7 @@ struct TokenClaim {
  * Create new jsonwebtoken.
  * Token consists of a string with 3 comma separated fields header, payload, signature
  */
-pub fn new(
+pub fn create_token(
     vbt: ValidBasicToken,
     config: &TrowConfig,
 ) -> Result<TrowToken, jsonwebtoken::errors::Error> {

tests/cli.rs

@@ -46,13 +46,13 @@ mod cli {
     #[test]
     fn host_name_parsing() {
         get_command()
-            .args(["-n", "myhost.com"])
+            .args(["--hostname", "myhost.com"])
             .assert()
             .success()
             .stdout(predicate::str::contains(": \"myhost.com\""));
 
         get_command()
-            .args(["--name", "trow.test"])
+            .args(["--hostname", "trow.test"])
             .assert()
             .success()
             .stdout(predicate::str::contains(": \"trow.test\""));

tests/smoke_test.rs

@@ -33,8 +33,10 @@ mod smoke_test {
         drop(listener);
 
         let mut child = Command::new("./target/debug/trow")
-            .arg(format!("--host={}", if ipv6 { "::" } else { "0.0.0.0" }))
-            .arg(format!("--port={port}"))
+            .arg(format!(
+                "--bind={}",
+                format!("{}:{port}", if ipv6 { "[::]" } else { "0.0.0.0" })
+            ))
             .arg(format!("--data-dir={}", temp_dir.display()))
             .env_clear()
             .envs(Environment::inherit().compile())