Building a local copy of pomerium into the ingest-controller

Drew Perttula

2023-07-15 16:01

As you'd expect, the pomerium ingest-controller (IC) for k8s has some local code, some pomerium interface code, and depends on pomerium. If you want to try something with the pomerium library code, you need to arrange for a local version of it to end up in your IC container image.

Checkouts

% git clone https://git@github.com/pomerium/ingress-controller.git
ingress-controller% grep "pomerium v" go.mod 
    github.com/pomerium/pomerium v0.20.1-0.20230526203421-d315e683357a

ingress-controller% git clone https://git@github.com/pomerium/pomerium.git pomerium-src

I want pomerium source inside the IC directory for ease of docker building, but it needs a separate name from the ingress-controller/pomerium/ that's already there.

The grep call above says that this IC version depends on a pomerium-src revision (not just v0.20.1, which took me a while to figure out!)

ingress-controller/pomerium-src% git checkout d315e683357a

go.mod link

go.mod tells the IC build to use a version of pomerium from github. Insert this in go.mod (before the first require block, but maybe that doesn't matter):

replace github.com/pomerium/pomerium => ./pomerium-src

Incorporate pomerium-src's dependencies

Edit ingress-controller's Dockerfile, so the build can incorporate pomerium-src/go.mod.

diff --git a/Dockerfile b/Dockerfile
index 9805497..3044a97 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,10 +12,15 @@ COPY Makefile Makefile

 RUN mkdir -p pomerium/envoy/bin
 RUN make envoy
+
+COPY pomerium-src/go.mod pomerium-src/go.sum pomerium-src/
 RUN go mod download

 COPY Makefile ./Makefile

This docker (actually podman) build takes me 2m45s. I believe the following is a safe speedup. It does some dependency downloads before the source code copy, which caches better. New rebuild time is 2m0s:

diff --git a/Dockerfile b/Dockerfile
index 9805497..a9212d2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,6 +16,9 @@ RUN go mod download

 COPY Makefile ./Makefile

+# this pulls a bunch of deps that we don't want to repeat in 'make build-go'
+RUN make controller-gen
+
 # download ui dependencies from core module
 RUN mkdir -p internal
 RUN make internal/ui

Build the docker image with all the local edits

So far, this is building to ingress-controller/bin/*, but we want to affect the build in a docker image.

ingress-controller% export TAG=bang5:5000/pomerium_ic_local
ingress-controller% docker build -t ${TAG} . && docker push ${TAG}

Output includes this:

Successfully tagged bang5:5000/pomerium_ic_local:latest
031715bd3fa0da34f7cfdfc26eb020643bf1a9904ad8af228837c2bdcaef39cc

GCR error

You may see this:

       [3/3] STEP 1/5: FROM gcr.io/distroless/base:debug-nonroot@sha256:de8fb012fc630b7cdea6861442a0185213b574c71e246ddc97e9eb1d047048e7
    Trying to pull gcr.io/distroless/base@sha256:de8fb012fc630b7cdea6861442a0185213b574c71e246ddc97e9eb1d047048e7...
        Error: creating build container: initializing source docker://gcr.io/distroless/base@sha256:de8fb012fc630b7cdea6861442a0185213b574c71e246ddc97e9eb1d047048e7: getting username and password: 1 error occurred:
        * error getting credentials - err: docker-credential-gcloud resolves to executable in current directory (./docker-credential-gcloud), out: ``

Something from the user setup is breaking this (how?). I used a different account on another computer to work around it.

Use the local docker image in a k8s setup

I run ingress-controller/deployment.yaml with some kustomize patches, so I deploy the new docker image like this:

My existing deployment configs:

upstream% cp .../ingress-controller/deplyment.yaml pomerium-ingress-controller.yaml

My existing upstream/kustomzation.yaml:

bases:
  - pomerium-ingress-controller.yaml
  - cert-manager-v1.12.0.yaml
patchesStrategicMerge:
  - "patch.yaml"
etc

My upstream/patch.yaml, with the local image:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pomerium
  namespace: pomerium
spec:
  template:
    spec:
      containers:
        - name: pomerium
          image: bang5:5000/pomerium_ic_local:latest
          imagePullPolicy: Always

Apply changes (abridged):

kubectl kustomize upstream | kubectl apply -f -

Test the result

Edit this:

--- a/pomerium/ctrl/run.go
+++ b/pomerium/ctrl/run.go
@@ -75,6 +75,7 @@ func (r *Runner) Run(ctx context.Context) error {
        }

        log.FromContext(ctx).V(1).Info("got bootstrap config, starting pomerium...", "cfg", r.src.GetConfig())
+       log.Log.Error(nil, "hello IC world")

        return pomerium_cmd.Run(ctx, r.src)
 }

And this:

diff --git a/pomerium-src/authorize/internal/store/store.go b/pomerium-src/authorize/internal/store/store.go
index f9f9e08d..3dcac141 100644
--- a/pomerium-src/authorize/internal/store/store.go
+++ b/pomerium-src/authorize/internal/store/store.go
@@ -31,6 +31,8 @@ type Store struct {

 // New creates a new Store.
 func New() *Store {
+       ctx := context.TODO()
+       log.Error(ctx).Err(nil).Msg("hello pom world")
        return &Store{
                Store: inmem.New(),
        }

Rebuild

ingress-controller% docker build -t ${TAG} . && docker push ${TAG}

Also, my docker is podman, so I added "build --network=host" for a speedup.

Redeploy to k8s:

% kubectl rollout restart -n pomerium deploy/pomerium

Use tab-complete (or a app.name selector) to describe the right pod:

% kubectl describe -n pomerium pod/pomerium-79954677c-qzhpj

    Image:         bang5:5000/pomerium_ic_local:latest
    Image ID:      bang5:5000/pomerium_ic_local@sha256:0edbab12576bc68054b4f900f96318c04df4fcb9c1f588f2e4c2454cbe3b8a08

Not sure why this 0edb id doesn't match the 'successfully tagged' 0317 one above.

However, we still have great success!

% kubectl logs -n pomerium deploy/pomerium | grep hello

{"level":"error","ts":"2023-07-17T01:32:27Z","msg":"hello IC world"}
{"level":"error","time":"2023-07-17T01:32:27Z","message":"hello pom world"}