From 00732a8fe00ebfc9d01db73794cb88ae0a51426a Mon Sep 17 00:00:00 2001
From: Julien Potrel
Date: Mon, 25 May 2020 10:56:11 +0200
Subject: [PATCH] Added K8S support and improved security
---
 Dockerfile | 11 +++++----
 README.md | 14 ++++++++++++
 k8s_manifest.yml | 58 ++++++++++++++++++++++++++++++++++++++++++++++++
 requirements.txt | 2 +-
 4 files changed, 80 insertions(+), 5 deletions(-)
 create mode 100644 k8s_manifest.yml
diff --git a/Dockerfile b/Dockerfile
index 85c28e9..6a710a8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,9 +4,12 @@ WORKDIR /usr/src/app ENV PYTHONPATH=/usr/src/app COPY ./requirements.txt ./requirements.txt
+COPY app.py .
-RUN pip install --no-cache-dir -r requirements.txt
+RUN pip install --no-cache-dir -r requirements.txt && \
+ chown 65534:65534 app.py && \
+ chmod 400 app.py
-COPY . .
-
-CMD ["python", "app.py"]
+EXPOSE 5000
+USER nobody
+ENTRYPOINT ["python", "app.py"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 5fb8498..0bec016 100644
--- a/README.md
+++ b/README.md
@@ -31,3 +31,17 @@ Now, if you make a `GET` request to `http://localhost:5000/__last_request__` you
 "url": "http://localhost:5000/foo-bar"
 }
 ```
+
+## Kubernetes support
+
+This project also supports Kubernetes deployments (tested on k8s 1.17). It might allow you to debug your ingress configuration. As prerequisite, you need a Kubernetes cluster with a Ingress controller configured.
+
+To deploy, update the values of $YOUR_IMAGE and $YOUR_URL in the k8s_manifest.yml.
+
+Then deploy through
+
+```sh
+kubectl apply -f k8s_manifest.yml
+```
+
+Once deployed, make your POST API calls to `$YOUR_URL/foo-bar` and your GET API calls to `$YOUR_URL/__last_request`
\ No newline at end of file
diff --git a/k8s_manifest.yml b/k8s_manifest.yml
new file mode 100644
index 0000000..24570bb
--- /dev/null
+++ b/k8s_manifest.yml
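Review bot: In the Dockerfile hunk, `chown 65534:65534 app.py` hands the script to the same account the container runs as, so `chmod 400` does not protect it: the owner can change the mode back and rewrite the file. Leaving app.py owned by root and readable by others keeps it immutable for the runtime user, e.g. replace the two commands with `chmod 444 app.py`. `USER nobody` is also a name rather than a UID, which Kubernetes cannot verify under `runAsNonRoot: true`; `USER 65534:65534` matches the chown and is checkable. The base image line is outside the hunk, so the mapping of `nobody` to 65534 there is assumed, not confirmed.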
@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: http-request-catcher
+spec:
+ type: ClusterIP
+ ports:
+ - name: python
+ port: 5000
+ targetPort: 5000
+ selector:
+ app: http-request-catcher
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: http-request-catcher
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: http-request-catcher
+ template:
+ metadata:
+ labels:
+ app: http-request-catcher
+ spec:
+ containers:
+ - image: $YOUR_IMAGE
+ name: http-request-catcher
+ imagePullPolicy: Always
+ ports:
+ - name: python
+ containerPort: 5000
+ protocol: TCP
+ resources:
+ limits:
+ memory: "128Mi"
+ cpu: "100m"
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+ name: http-request-catcher
+spec:
+ rules:
+ - host: $YOUR_URL
+ http:
+ paths:
+ - backend:
+ serviceName: http-request-catcher
+ servicePort: 5000
+ tls:
+ - hosts:
+ - $YOUR_URL
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
index 4a5cb4c..46a48dd 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1 +1 @@
-Flask==0.12
+Flask==1.1.2
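Review bot: The Deployment's container spec in k8s_manifest.yml sets no `securityContext`, so the non-root user chosen in the image is not enforced by the cluster, and privilege escalation, Linux capabilities and a writable root filesystem stay at their defaults. Adding a container-level `securityContext` as below would make the hardening explicit; `readOnlyRootFilesystem` assumes the app writes nothing to disk, which is not visible here. The Ingress `tls` entry lists `$YOUR_URL` without a `secretName`, so which certificate is served depends on the controller's default and deserves a comment in the manifest. Since the README says `__last_request__` returns the last captured request, a comment noting that the Ingress exposes captured headers and bodies to anyone who can reach the host would also help.

```yaml
      containers:
      - image: $YOUR_IMAGE
        # … unchanged: name, imagePullPolicy, ports, resources …
        securityContext:
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
```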