v0.2.2

add JWT secret reference
refer to the session secret using the application name prefix
2025-05-10 18:14:39 -05:00 · 2025-05-10 18:13:02 -05:00 · 2025-05-10 18:12:37 -05:00 · 2025-05-10 18:10:50 -05:00 · 2025-05-10 17:46:46 -05:00 · 2025-05-10 17:46:46 -05:00
20 changed files with 333 additions and 199 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -6,7 +6,7 @@
        "vscode": {
            "extensions": [
                "Shopify.ruby-lsp",
-                "ms-azuretools.vscode-docker"
+                "docker.docker"
            ]
        }
    },
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,7 @@
+**/.git
+**/.gitignore
+/.devcontainer
+/.gitea
+/.github
+/.vscode
+/charts
--- a/.gitea/workflows/lint.yaml
+++ b/.gitea/workflows/lint.yaml
@ -0,0 +1,23 @@
+---
+name: Ruby Lint
+on:
+  push:
+    branches:
+      - "**"
+  pull_request:
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Ruby Setup
+        uses: ruby/setup-ruby@dffc446db9ba5a0c4446edb5bca1c5c473a806c5 # v1.235.0
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+
+      - name: Standard Ruby
+        run: bundle exec standardrb
+
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@ -1,74 +1,27 @@
 ---
-name: Gitea Actions Demo
-run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀
-
+name: Release
 on:
  schedule: 
-    - cron: "0 10 * * *"
+    - cron: "0 0 * * *"
  push:
    branches:
-      - "**"
+      - main
    tags:
      - "v*.*.*"
-  pull_request:
-
 jobs:
-  lint:
-    runs-on: ubuntu-latest
-    permissions:
-      checks: write
-      contents: write
-    steps:
-      - name: Login to Docker
-        uses: docker/login-action@v3
-        with:
-          username: ${{ vars.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Ruby Setup
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '3.4'
-          bundler-cache: true
-
-      - run: bundle install
-
-      - name: Standard Ruby
-        run: bundle exec standardrb
-
-
-  test:
-    needs: lint
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Test
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '3.4'
-          bundler-cache: true
-
-      - run: bundle exec rake
-
  docker:
-    needs: test
    runs-on: ubuntu-latest
-    container:
-      image: catthehacker/ubuntu:act-latest
    env:
      DOCKER_ORG: ryanc
      DOCKER_LATEST: latest
    defaults:
      run:
        shell: bash
+    outputs:
+      metadata: ${{ steps.output.outputs.metadata }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0 # all history for all branches and tags

@ -83,14 +36,31 @@ jobs:
          printf "GITHUB_SHA=%s\n" "$GITHUB_SHA"
          printf "VERSION=%s\n" "$VERSION" | tee -a "$GITHUB_OUTPUT"

-      - name: Docker meta
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Login to Gitea registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: git.kill0.net
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Docker meta (debian)
        id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
        with:
          images: |
            git.kill0.net/ryanc/kubernaut
+          flavor: |
+            latest=auto
+          bake-target: docker-metadata-action
          tags: |
-            type=schedule
+            type=schedule,pattern=nightly
+            type=edge
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
@ -98,25 +68,37 @@ jobs:
            type=semver,pattern={{major}}
            type=sha

-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to Gitea registry
-        uses: docker/login-action@v3
+      - name: Docker meta (alpine)
+        id: meta-alpine
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
        with:
-          registry: git.kill0.net
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          images: |
+            git.kill0.net/ryanc/kubernaut
+          bake-target: docker-metadata-action-alpine
+          flavor: |
+            latest=auto
+            suffix=-alpine,onlatest=true
+          tags: |
+            type=schedule,pattern=nightly
+            type=edge
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha

      - name: Docker build and push
-        uses: docker/build-push-action@v5
+        uses: docker/bake-action@76f9fa3a758507623da19f6092dc4089a7e61592 # v6.6.0
        with:
          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          files: |
+            ./docker-bake.hcl
+            cwd://${{ steps.meta.outputs.bake-file }}
+            cwd://${{ steps.meta-alpine.outputs.bake-file }}

      - name: Setup Helm
-        uses: azure/setup-helm@v4.3.0
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0

      - name: Publish Helm chart
        if: ${{ contains(github.ref, 'refs/tags/') }}
--- a/.gitea/workflows/test.yaml
+++ b/.gitea/workflows/test.yaml
@ -0,0 +1,22 @@
+---
+name: Ruby Test
+on:
+  push:
+    branches:
+      - "**"
+  pull_request:
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Test
+        uses: ruby/setup-ruby@dffc446db9ba5a0c4446edb5bca1c5c473a806c5 # v1.235.0
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+
+      - run: bundle exec rake
+
--- a/40
+++ b/40
@ -1,40 +0,0 @@
-FROM ruby:alpine AS base
-
-WORKDIR /app
-
-RUN <<EOT
-  gem update --system --no-document
-  gem install -N bundler
-  apk update
-  apk upgrade --no-cache
-EOT
-
-
-FROM base AS build
-
-RUN <<EOT
-  apk add gcc musl-dev ruby-dev make
-EOT
-
-COPY Gemfile* .
-
-RUN <<EOT
-  bundle config set --local without development
-  bundle install
-EOT
-
-
-FROM base
-
-# RUN useradd ruby --home /app --shell /bin/sh
-RUN adduser ruby -h /app -D
-
-USER ruby:ruby
-
-COPY --from=build /usr/local/bundle /usr/local/bundle
-COPY --from=build --chown=ruby:ruby /app /app
-
-COPY --chown=ruby:ruby . .
-
-EXPOSE 4567
-CMD [ "bundle", "exec", "rackup", "--host", "0.0.0.0", "--port", "4567" ]
--- a/1
+++ b/1
@ -3,7 +3,6 @@ source "https://rubygems.org"
 gem "sinatra"
 gem "sinatra-contrib"
 gem "puma"
-gem "rackup"

 gem "anyflake"
 gem "ksuid"
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -4,22 +4,22 @@ GEM
    anyflake (0.0.1)
    ast (2.4.3)
    base64 (0.2.0)
-    bigdecimal (3.1.8)
-    csv (3.3.0)
-    diff-lcs (1.6.0)
-    httparty (0.22.0)
+    bigdecimal (3.1.9)
+    csv (3.3.4)
+    diff-lcs (1.6.1)
+    httparty (0.23.1)
      csv
      mini_mime (>= 1.0.0)
      multi_xml (>= 0.5.2)
-    json (2.10.2)
+    json (2.11.3)
    jwt (2.10.1)
      base64
    ksuid (1.0.0)
    language_server-protocol (3.17.0.4)
    lint_roller (1.1.0)
-    logger (1.6.6)
+    logger (1.7.0)
    mini_mime (1.1.5)
-    minitest (5.25.4)
+    minitest (5.25.5)
    multi_json (1.15.0)
    multi_xml (0.7.1)
      bigdecimal (~> 3.1)
@ -27,15 +27,15 @@ GEM
      ruby2_keywords (~> 0.0.1)
    nanoid (2.0.0)
    nio4r (2.7.4)
-    parallel (1.26.3)
-    parser (3.3.7.2)
+    parallel (1.27.0)
+    parser (3.3.8.0)
      ast (~> 2.4.1)
      racc
-    prism (1.3.0)
+    prism (1.4.0)
    puma (6.6.0)
      nio4r (~> 2.0)
    racc (1.8.1)
-    rack (3.1.11)
+    rack (3.1.13)
    rack-protection (4.1.1)
      base64 (>= 0.1.0)
      logger (>= 1.6.0)
@ -45,11 +45,9 @@ GEM
      rack (>= 3.0.0)
    rack-test (2.2.0)
      rack (>= 1.3)
-    rackup (2.2.1)
-      rack (>= 3)
    rainbow (3.1.1)
    rake (13.2.1)
-    rbs (3.8.1)
+    rbs (3.9.2)
      logger
    regexp_parser (2.10.0)
    rspec (3.13.0)
@ -65,7 +63,7 @@ GEM
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
    rspec-support (3.13.2)
-    rubocop (1.73.2)
+    rubocop (1.75.4)
      json (~> 2.3)
      language_server-protocol (~> 3.17.0.2)
      lint_roller (~> 1.1.0)
@ -73,16 +71,17 @@ GEM
      parser (>= 3.3.0.2)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.38.0, < 2.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.41.0)
+    rubocop-ast (1.44.1)
      parser (>= 3.3.7.2)
-    rubocop-performance (1.24.0)
+      prism (~> 1.4)
+    rubocop-performance (1.25.0)
      lint_roller (~> 1.1)
-      rubocop (>= 1.72.1, < 2.0)
+      rubocop (>= 1.75.0, < 2.0)
      rubocop-ast (>= 1.38.0, < 2.0)
-    ruby-lsp (0.23.11)
+    ruby-lsp (0.23.15)
      language_server-protocol (~> 3.17.0)
      prism (>= 1.2, < 2.0)
      rbs (>= 3, < 4)
@ -102,19 +101,19 @@ GEM
      rack-protection (= 4.1.1)
      sinatra (= 4.1.1)
      tilt (~> 2.0)
-    sorbet-runtime (0.5.11911)
-    standard (1.47.0)
+    sorbet-runtime (0.5.12043)
+    standard (1.49.0)
      language_server-protocol (~> 3.17.0.2)
      lint_roller (~> 1.0)
-      rubocop (~> 1.73.0)
+      rubocop (~> 1.75.2)
      standard-custom (~> 1.0.0)
-      standard-performance (~> 1.7)
+      standard-performance (~> 1.8)
    standard-custom (1.0.2)
      lint_roller (~> 1.0)
      rubocop (~> 1.50)
-    standard-performance (1.7.0)
+    standard-performance (1.8.0)
      lint_roller (~> 1.1)
-      rubocop-performance (~> 1.24.0)
+      rubocop-performance (~> 1.25.0)
    tilt (2.6.0)
    ulid (1.4.0)
    unicode-display_width (3.1.4)
@ -137,7 +136,6 @@ DEPENDENCIES
  nanoid
  puma
  rack-test
-  rackup
  rake
  rspec
  ruby-lsp
@ -148,4 +146,4 @@ DEPENDENCIES
  uuid7

 BUNDLED WITH
-   2.6.6
+   2.6.8
--- a/app.rb
+++ b/app.rb
@ -2,6 +2,7 @@ require "bundler/setup"
 require "sinatra"
 require "sinatra/cookies"
 require "sinatra/multi_route"
+require "sinatra/quiet_logger"
 require "time"
 require "fileutils"
 require "json"
@ -20,11 +21,9 @@ $LOAD_PATH.unshift File.dirname(__FILE__) + "/lib"

 require "config"

-VERSION = "0.1.1"
+VERSION = "0.2.2"

 CHUNK_SIZE = 1024**2
-SESSION_SECRET_HEX_LENGTH = 64
-JWT_SECRET_HEX_LENGTH = 64
 DEFAULT_FLAKEY = 50

 NAME = "kubernaut".freeze
@ -52,9 +51,12 @@ DURATION_PARTS = [

 config = Config.new

+set :quiet_logger_prefixes, %w[livez readyz]
 set :session_secret, config.session_secret.unwrap
 set :public_folder, __dir__ + "/static"

+register Sinatra::QuietLogger
+
 module Sinatra
  module RequestHeadersHelper
    def req_headers
@ -113,7 +115,6 @@ class TickTock
  def initialize
    @pid = ppid
    @procfs_f = format "/proc/%s/stat", @pid
-    puts @pid
  end

  def uptime
@ -164,7 +165,7 @@ class Sleep
  include State

  def initialize
-    @file = "/dev/shm/sleep"
+    @file = "/dev/shm/sleepy"
  end

  def asleep?
@ -181,20 +182,11 @@ class Sleep
 end

 def ppid
-  pid = Process.pid
-  # self
-  ps = File.open "/proc/#{pid}/stat", &:readline
-  ps = ps.split(" ")
-  ppid = Integer(ps[3])
-
-  # ppid
-  ps = File.open "/proc/#{ppid}/stat", &:readline
-  ps = ps.split(" ")
-
-  if ps[1].include? "ruby"
-    ppid
-  else
-    pid
+  pid = ENV.fetch "PUMA_PID", Process.pid
+  begin
+    Integer pid
+  rescue ArgumentError
+    -1
  end
 end

@ -232,9 +224,7 @@ end

 enable :sessions

-on_start do
-  puts "#{NAME} #{VERSION} staring, per aspera ad astra"
-end
+puts "#{NAME} #{VERSION} staring, per aspera ad astra"

 configure do
  mime_type :json, "application/json"
@ -309,31 +299,31 @@ get "/headers", provides: "json" do
  jsonify h, pretty:
 end

-get "/livez" do
-  error 503 unless Health.instance.healthy?
-
-  return Health.instance.to_json if request.env["HTTP_ACCEPT"] == "application/json"
-
-  Health.instance.to_s
-end
-
-get "/livez/uptime" do
+get "/uptime", provides: "json" do
  tt = TickTock.new
  x = {started_at: tt.started_at, seconds: tt.uptime.to_i, human: human_time(tt.uptime.to_i)}

  jsonify x
 end

-post "/livez/toggle" do
+post "/api/livez/toggle" do
  Health.instance.toggle
  "ok\n"
 end

-post "/livez/sleep" do
+post "/api/livez/sleep" do
  Sleep.instance.toggle
  "ok\n"
 end

+get "/livez" do
+  error 503 unless Health.instance.healthy?
+
+  return Health.instance.to_json if request.env["HTTP_ACCEPT"] == "application/json"
+
+  Health.instance.to_s
+end
+
 get "/readyz" do
  error 503 unless Ready.instance.ready?

@ -382,25 +372,27 @@ post "/halt" do
  nil
 end

-get "/pid" do
+get "/pid", provides: "json" do
  pretty = params.key? :pretty

  jsonify({ppid: ppid, pid: Process.pid}, pretty:)
 end

-get "/token" do
+get "/token", provides: "json" do
+  pretty = params.key? :pretty
+
  exp = Time.now.to_i + SECONDS_PER_MINUTE * 2
  payload = {name: "anonymous", exp: exp, jti: Random.uuid}
  expires_at = Time.at(exp).to_datetime
-  token = JWT.encode payload, JWT_SECRET, "HS256"
+  token = JWT.encode payload, config.jwt_secret.unwrap, "HS256"
  x = {token: token, expires_at: expires_at}

-  jsonify x
+  jsonify x, pretty:
 end

 get "/token/validate" do
  token = req_headers["authorization"].split[1]
-  payload = JWT.decode token, JWT_SECRET, true, algorithm: "HS256"
+  payload = JWT.decode token, config.jwt_secret.unwrap, true, algorithm: "HS256"

  jsonify payload
 end
--- a/charts/kubernaut/Chart.yaml
+++ b/charts/kubernaut/Chart.yaml
@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.1
+version: 0.2.2

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.1"
+appVersion: "0.2.2"
--- a/charts/kubernaut/values.yaml
+++ b/charts/kubernaut/values.yaml
@ -97,7 +97,7 @@ readinessProbe:

 # This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
 autoscaling:
-  enabled: false
+  enabled: true
  minReplicas: 2
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
--- a/config/puma.rb
+++ b/config/puma.rb
@ -0,0 +1,5 @@
+ENV["PUMA_PID"] = Process.pid.to_s
+
+port ENV.fetch("PORT", 4567)
+
+pidfile ENV["PIDFILE"] if ENV["PIDFILE"]
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@ -0,0 +1,22 @@
+group "default" {
+    targets = [ "bookworm", "alpine" ]
+}
+
+target "docker-metadata-action" {}
+target "docker-metadata-action-alpine" {}
+
+target "_common" {
+    args = {
+        RUBY_VERSION = "3.4.3"
+    }
+}
+
+target "bookworm" {
+    dockerfile = "./dockerfiles/bookworm.Dockerfile"
+    inherits = [ "_common", "docker-metadata-action" ]
+}
+
+target "alpine" {
+    dockerfile = "./dockerfiles/alpine.Dockerfile"
+    inherits = [ "_common", "docker-metadata-action-alpine" ]
+}
--- a/dockerfiles/alpine.Dockerfile
+++ b/dockerfiles/alpine.Dockerfile
@ -0,0 +1,54 @@
+ARG RUBY_VERSION="3.4.3"
+ARG BASE_REGISTRY="docker.io"
+FROM ${BASE_REGISTRY}/ruby:${RUBY_VERSION}-alpine AS base
+
+ENV RACK_ENV="production" \
+  BUNDLE_DEPLOYMENT=true \
+  BUNDLE_PATH="/usr/local/bundle" \
+  BUNDLE_WITHOUT="development test" \
+  RUBY_YJIT_ENABLE=true
+
+WORKDIR /kubernaut
+
+RUN \
+  --mount=type=cache,id=var-cache-apk,target=/var/cache/apk,sharing=locked \
+  apk update -q; \
+  apk add bash jemalloc
+
+RUN \
+  --mount=type=cache,id=usr-local-bundle-cache,target=${BUNDLE_PATH},sharing=locked \
+  gem update --system --no-document; \
+  gem install -N bundler
+
+FROM base AS build
+
+RUN \
+  --mount=type=cache,id=var-cache-apk,target=/var/cache/apk,sharing=locked \
+  apk update -q; \
+  apk add musl-dev gcc make; \
+  apk add bash jemalloc
+
+COPY Gemfile Gemfile.lock ./
+
+RUN \
+  --mount=type=cache,id=usr-local-bundle-ruby-cache,target=${BUNDLE_PATH}/ruby/3.4.0/cache,sharing=locked \
+  bundle install
+
+COPY . .
+
+FROM base
+
+ENV PORT=4567
+
+RUN \
+  addgroup --system --gid 666 kubernaut; \
+  adduser --system --uid 666 --ingroup kubernaut --shell /bin/bash --disabled-password kubernaut
+
+COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
+COPY --from=build /kubernaut /kubernaut
+
+USER kubernaut:kubernaut
+
+EXPOSE $PORT
+ENTRYPOINT [ "/kubernaut/dockerfiles/entrypoint.sh" ]
+CMD [ "bundle", "exec", "puma" ]
--- a/dockerfiles/bookworm.Dockerfile
+++ b/dockerfiles/bookworm.Dockerfile
@ -0,0 +1,62 @@
+ARG RUBY_VERSION="3.4.3"
+ARG BASE_REGISTRY="docker.io"
+ARG DEBIAN_VERSION="bookworm"
+FROM ${BASE_REGISTRY}/ruby:${RUBY_VERSION}-slim-${DEBIAN_VERSION} AS base
+
+ENV RACK_ENV="production" \
+  BUNDLE_DEPLOYMENT=true \
+  BUNDLE_PATH="/usr/local/bundle" \
+  BUNDLE_WITHOUT="development test" \
+  RUBY_YJIT_ENABLE=true
+
+WORKDIR /kubernaut
+
+RUN rm -f /etc/apt/apt.conf.d/docker-clean
+
+RUN \
+  --mount=type=cache,id=var-cache-apt,target=/var/cache/apt,sharing=locked \
+  --mount=type=cache,id=var-lib-apt,target=/var/lib/apt,sharing=locked \
+  apt-get update -qq; \
+  apt-get install --yes --no-install-recommends \
+  libjemalloc2
+
+RUN \
+  --mount=type=cache,id=usr-local-bundle-cache,target=${BUNDLE_PATH},sharing=locked \
+  gem update --system --no-document; \
+  gem install -N bundler
+
+ENV DEBIAN_FRONTEND="noninteractive"
+
+FROM base AS build
+
+RUN \
+  --mount=type=cache,id=var-cache-apt,target=/var/cache/apt,sharing=locked \
+  --mount=type=cache,id=var-lib-apt,target=/var/lib/apt,sharing=locked \
+  apt-get update -qq; \
+  apt-get install --yes --no-install-recommends \
+  build-essential
+
+COPY Gemfile Gemfile.lock ./
+
+RUN \
+  --mount=type=cache,id=usr-local-bundle-ruby-cache,target=${BUNDLE_PATH}/ruby/3.4.0/cache,sharing=locked \
+  bundle install
+
+COPY . .
+
+FROM base
+
+ENV PORT=4567
+
+RUN \
+  groupadd --system --gid 666 kubernaut; \
+  useradd --system --uid 666 --gid kubernaut --create-home --shell /bin/bash kubernaut
+
+COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
+COPY --from=build /kubernaut /kubernaut
+
+USER kubernaut:kubernaut
+
+EXPOSE $PORT
+ENTRYPOINT [ "/kubernaut/dockerfiles/entrypoint.sh" ]
+CMD [ "bundle", "exec", "puma" ]
--- a/dockerfiles/entrypoint.sh
+++ b/dockerfiles/entrypoint.sh
@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# output debugging info
+ruby --version
+printf "rubygems %s\n" "$(gem --version)"
+bundle version
+
+if [ -z "${LD_PRELOAD+x}" ]; then
+    LD_PRELOAD="$(find /usr/lib -name libjemalloc.so.2 -print -quit)"
+    export LD_PRELOAD
+fi
+
+exec "${@}"
--- a/kustomize/app/deployment.yaml
+++ b/kustomize/app/deployment.yaml
@ -16,18 +16,24 @@ spec:
    spec:
      containers:
        - name: kubernaut
-          image: git.kill0.net/ryanc/kubernaut:0.1.1
+          image: git.kill0.net/ryanc/kubernaut:0.2.2
          imagePullPolicy: Always
          ports:
            - name: sinatra-web
              containerPort: 4567
          env:
-            - name: SESSION_SECRET
+            - name: KUBERNAUT_SESSION_SECRET
              valueFrom:
                secretKeyRef:
-                  name: kubernaut-session-secret
+                  name: kubernaut
                  key: session_secret
                  optional: true
+            - name: KUBERNAUT_JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: kubernaut
+                  key: jwt_secret
+                  optional: true
          envFrom:
            - configMapRef:
                name: kubernaut-configmap
--- a/kustomize/app/kustomization.yaml
+++ b/kustomize/app/kustomization.yaml
@ -3,7 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kubernaut
 resources:
-  - secret.yaml
  - configmap.yaml
  - deployment.yaml
  - hpa.yaml
--- a/kustomize/app/secret.yaml
+++ b/kustomize/app/secret.yaml
@ -1,15 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: kubernaut-session-secret
-  namespace: kubernaut
-spec:
-  encryptedData:
-    session_secret: AgCY08t0AU418znEZt5d252J+lH+fwYki2g6jdJpfdRfVQjnA+b52P0KWrs/x5pB0PKab6Z3JY/Tz0SQCaoIsCR4IzUO3a095aulRqb6Qr1Lz8udBVta4JJMZLmo26tuUfVHlpD1d6J8rkBSm8vzckFLkOA1Wfl/9rS3K4qwiDogA5pI0ULghFkeEx1yKdRwPq0k8PuvOvLUJ6oNq3e5n+B/BrVWdQ+7XQxUq/AMANJrDbe+RD33f99LArHYA7bFMbY8YRazXSTAkeunpTlxTjuGZKYvJKupo29LHz2OVbZVX/hI0nZkdVpcgqvbxF6Vw9CuCeAmtKYl7A3qsAWqDLUdP3hRLsk2P9RDNhEzYWh4ml8APzziWzihdJbGEjwLy7HsHgKslM0XbBnRQDlxp/JtvcWdjQp33A+QOON32zOKHi+qJjDYyGebS1+xkPbnyb1MPSJVAtFpj7dlLbFekLFDZEbXuJYUl1wKdFOIjJHmNK/MTEV2kOhtiVj/aeKgSXwor9hR7Uxzs5ZSawp9uWw+hpr58EX6I+RtfO4yjFC6FjnagiU6SlI1Q2F7/nv82g1UWTYMpNN5bduS1YFWmsnXvK+W7YQHpSForr5ndtCSHmclbXb5Fc33sywC5u6Bi2Gu5/MW6d73BOog5BC3QtOuEQ044Q+cuU3RIlKADBqKLzZmHlmukyyGuZfXJnGjlWGKp3J1KecucTo6XC9QHpUkjXEKdlE63mOI1VuOGyBIHl60v4bnWiBg+aDZVHipz4JLKsVB0HOgBBK7+tOX6tr1GDG/F7Nz/i9ebzUV6i8Ec1jHf+2ZcTtBkNXBIkHc84+4Qd33/gOuP+lizLfIhfQ3DFWbwyfYumpVbeapyYhB0CE=
-  template:
-    metadata:
-      creationTimestamp: null
-      name: kubernaut-session-secret
-      namespace: kubernaut
--- a/lib/config.rb
+++ b/lib/config.rb
@ -1,5 +1,8 @@
 require "sensitive"

+SESSION_SECRET_HEX_LENGTH = 64
+JWT_SECRET_HEX_LENGTH = 64
+
 class Config
  attr_accessor :cat

@ -9,7 +12,7 @@ class Config
    @prefix = prefix
    @cat = cat

-    session_secret ||= ENV.fetch "SESSION_SECRET" do
+    session_secret ||= fetch_env "SESSION_SECRET" do
      SecureRandom.hex SESSION_SECRET_HEX_LENGTH
    end
Author	SHA1	Message	Date
Ryan Cavicchioni	40ede07ab0	v0.2.2 All checks were successful Ruby Lint / lint (push) Successful in 27s Details Ruby Test / test (push) Successful in 23s Details Release / docker (push) Successful in 3m9s Details	2025-05-10 18:14:39 -05:00
Ryan Cavicchioni	5165759558	add JWT secret reference Some checks failed Ruby Lint / lint (push) Successful in 20s Details Ruby Test / test (push) Successful in 24s Details Release / docker (push) Has been cancelled Details	2025-05-10 18:13:02 -05:00
Ryan Cavicchioni	10f73b96ec	refer to the session secret using the application name prefix	2025-05-10 18:12:37 -05:00
Ryan Cavicchioni	5097e551e2	just call the Kubernetes secret "kubernaut"	2025-05-10 18:10:50 -05:00
Ryan Cavicchioni	820d2d8c51	move secret related contstants to Config class Some checks failed Ruby Lint / lint (push) Failing after 13s Details Ruby Test / test (push) Successful in 16s Details	2025-05-10 17:46:46 -05:00
Ryan Cavicchioni	eb5c12ca91	remove secret from Kustomize	2025-05-10 17:46:46 -05:00
Ryan Cavicchioni	2d1c9f7418	/token should provide pretty-printing All checks were successful Ruby Test / test (push) Successful in 18s Details Ruby Lint / lint (push) Successful in 24s Details	2025-05-09 10:50:26 -05:00
Ryan Cavicchioni	3c2e0cdcb8	/token should provide JSON	2025-05-09 10:49:24 -05:00
Ryan Cavicchioni	66c2c3b6a2	fix undefined references to JWT_SECRET	2025-05-09 10:47:10 -05:00
Ryan Cavicchioni	b92f6688c7	add .dockerignore	2025-05-06 17:38:23 -05:00
Ryan Cavicchioni	85d00a53f6	make RUN stanza formatting consistent	2025-05-06 17:13:36 -05:00
Ryan Cavicchioni	529abe67b1	break Gitea actions up into separate files All checks were successful Ruby Lint / lint (push) Successful in 25s Details Ruby Test / test (push) Successful in 32s Details Release / docker (push) Successful in 4m3s Details	2025-05-06 00:58:37 -05:00
Ryan Cavicchioni	2bef46ea1b	use Docker cache mount for apk All checks were successful Gitea Actions Demo / lint (push) Successful in 25s Details Gitea Actions Demo / test (push) Successful in 13s Details Gitea Actions Demo / docker (push) Successful in 3m23s Details	2025-05-05 22:51:18 -05:00
Ryan Cavicchioni	19d1e60d2f	use Docker cache mount for Ruby bundler	2025-05-05 22:47:24 -05:00
Ryan Cavicchioni	2da770623f	use Docker cache mount for Ruby gems	2025-05-05 22:46:42 -05:00
Ryan Cavicchioni	e90966970a	move main ENV section in Dockerfiles	2025-05-05 22:45:52 -05:00
Ryan Cavicchioni	a54a46b0a6	use Docker cache mount for apt	2025-05-05 22:18:04 -05:00
Ryan Cavicchioni	a719e5f820	add Docker DX	2025-05-05 22:06:27 -05:00
Ryan Cavicchioni	3c4f656ec8	add Docker ARG for DEBIAN_VERSION	2025-05-02 15:37:41 -05:00
Ryan Cavicchioni	e0e6bf2507	add Docker ARG for BASE_REGISTRY	2025-05-02 15:32:26 -05:00
Ryan Cavicchioni	84908c0a24	set Debian frontend to noninteractive	2025-05-02 15:28:56 -05:00
Ryan Cavicchioni	762169f563	enable Ruby's YJIT	2025-05-02 15:27:33 -05:00
Ryan Cavicchioni	066078f23c	v0.2.1 All checks were successful Gitea Actions Demo / lint (push) Successful in 17s Details Gitea Actions Demo / test (push) Successful in 11s Details Gitea Actions Demo / docker (push) Successful in 2m54s Details	2025-04-30 22:48:09 -05:00
Ryan Cavicchioni	f201287a9b	remove rackup gem Some checks failed Gitea Actions Demo / lint (push) Successful in 21s Details Gitea Actions Demo / test (push) Successful in 13s Details Gitea Actions Demo / docker (push) Has been cancelled Details	2025-04-30 22:44:35 -05:00
Ryan Cavicchioni	4fd8dd78ef	use jemalloc Some checks failed Gitea Actions Demo / lint (push) Successful in 24s Details Gitea Actions Demo / test (push) Successful in 15s Details Gitea Actions Demo / docker (push) Has been cancelled Details	2025-04-30 21:51:49 -05:00
Ryan Cavicchioni	16139755e5	remove old Dockerfile	2025-04-30 21:04:19 -05:00
Ryan Cavicchioni	8e960419b4	use docker/setup-qemu-action All checks were successful Gitea Actions Demo / lint (push) Successful in 22s Details Gitea Actions Demo / test (push) Successful in 16s Details Gitea Actions Demo / docker (push) Successful in 2m59s Details	2025-04-30 17:01:57 -05:00
Ryan Cavicchioni	e23ece0d76	v0.2.0 All checks were successful Gitea Actions Demo / lint (push) Successful in 24s Details Gitea Actions Demo / test (push) Successful in 16s Details Gitea Actions Demo / docker (push) Successful in 2m41s Details	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	499724ba76	use BUNDLE_PATH in COPY	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	2fd3c801de	ensure that the application is not writable by kubernaut	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	da9a06dc24	create system user and group for kubernaut	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	57e913d4e9	remove commented out line	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	623a5904f3	whitespace fix	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	adb6cdcdbc	change the application user to be kubernaut	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	ab31f56380	make WORKDIR /kubernaut	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	28b65a160b	tidy up after bundler	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	5c6845a914	explicitly copy Gemfile and Gemfile.lock	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	c63aa3490d	fix bundler environment variables	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	9ab21f0e18	clean up apk/apt caches	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	4506628803	make apk/apt update quiter	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	795889afad	use full registry path in Dockerfile	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	27f10e0671	add basic Docker entrypoint script	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	249d067c0e	add bash to Alpine Docker image	2025-04-30 16:48:14 -05:00
Ryan Cavicchioni	2c71dfac86	don't install apt-get recommendations	2025-04-29 15:07:36 -05:00
Ryan Cavicchioni	f0f439fb6d	set PORT and PIDFILE via environment variables	2025-04-29 15:07:36 -05:00
Ryan Cavicchioni	b8737c2583	enable bundler deployment mode All checks were successful Gitea Actions Demo / lint (push) Successful in 34s Details Gitea Actions Demo / test (push) Successful in 18s Details Gitea Actions Demo / docker (push) Successful in 3m17s Details	2025-04-28 13:19:43 -05:00
Ryan Cavicchioni	8baed7389c	bundle update	2025-04-28 13:00:16 -05:00
Ryan Cavicchioni	f61eb8acb7	docker/bake-action v6.6.0 All checks were successful Gitea Actions Demo / lint (push) Successful in 22s Details Gitea Actions Demo / test (push) Successful in 13s Details Gitea Actions Demo / docker (push) Successful in 3m7s Details Use bake-action instead of build-and-push action.	2025-04-27 21:29:06 -05:00
Ryan Cavicchioni	c153a0af33	azure/setup-helm v4.3.0 All checks were successful Gitea Actions Demo / lint (push) Successful in 2m45s Details Gitea Actions Demo / test (push) Successful in 14s Details Gitea Actions Demo / docker (push) Successful in 4m35s Details	2025-04-26 17:26:40 -05:00
Ryan Cavicchioni	d6d129bb69	docker/build-push-action v6.16.0	2025-04-26 17:21:59 -05:00
Ryan Cavicchioni	71d7685549	docker/setup-buildx-action v3.10.0	2025-04-26 17:21:59 -05:00
Ryan Cavicchioni	a0fc202e86	docker/metadata-action v5.7.0	2025-04-26 17:21:59 -05:00
Ryan Cavicchioni	4af74c77b2	ruby/setup-ruby v1.235.0	2025-04-26 17:21:59 -05:00
Ryan Cavicchioni	bee86998bd	actions/checkout v4.2.2	2025-04-26 17:21:59 -05:00
Ryan Cavicchioni	26d615632a	docker/login-action v3.4.0	2025-04-26 17:21:51 -05:00
Ryan Cavicchioni	69c6b30255	use puma directly in Dockerfile All checks were successful Gitea Actions Demo / lint (push) Successful in 22s Details Gitea Actions Demo / test (push) Successful in 11s Details Gitea Actions Demo / docker (push) Successful in 2m3s Details	2025-04-20 12:45:26 -05:00
Ryan Cavicchioni	c068eacf58	use environment variable $PORT to set the port All checks were successful Gitea Actions Demo / lint (push) Successful in 26s Details Gitea Actions Demo / test (push) Successful in 16s Details Gitea Actions Demo / docker (push) Successful in 3m16s Details	2025-04-20 12:34:43 -05:00
Ryan Cavicchioni	89367e3169	switch to Debian bookworn Ruby image All checks were successful Gitea Actions Demo / lint (push) Successful in 21s Details Gitea Actions Demo / test (push) Successful in 12s Details Gitea Actions Demo / docker (push) Successful in 2m7s Details	2025-04-20 12:23:00 -05:00
Ryan Cavicchioni	42e6830cca	bundle update All checks were successful Gitea Actions Demo / lint (push) Successful in 21s Details Gitea Actions Demo / test (push) Successful in 12s Details Gitea Actions Demo / docker (push) Successful in 1m32s Details	2025-04-19 11:25:37 -05:00
Ryan Cavicchioni	8e9a37b477	v0.1.4 All checks were successful Gitea Actions Demo / lint (push) Successful in 23s Details Gitea Actions Demo / test (push) Successful in 14s Details Gitea Actions Demo / docker (push) Successful in 1m41s Details	2025-04-03 22:59:31 -05:00
Ryan Cavicchioni	7831c5da16	/pid route should return JSON All checks were successful Gitea Actions Demo / lint (push) Successful in 50s Details Gitea Actions Demo / test (push) Successful in 17s Details Gitea Actions Demo / docker (push) Successful in 2m6s Details	2025-04-03 20:52:32 -05:00
Ryan Cavicchioni	8667d0571f	have Puma set the PID of the master process	2025-04-03 20:52:32 -05:00
Ryan Cavicchioni	bb7f309b34	v0.1.3 All checks were successful Gitea Actions Demo / lint (push) Successful in 22s Details Gitea Actions Demo / test (push) Successful in 14s Details Gitea Actions Demo / docker (push) Successful in 2m8s Details	2025-04-02 21:07:52 -05:00
Ryan Cavicchioni	9b2d2f9522	enable Kubernetes HPA in Helm chart	2025-04-02 21:06:11 -05:00
Ryan Cavicchioni	a30c6d7cb8	reorder routes	2025-04-02 21:01:45 -05:00
Ryan Cavicchioni	20c34f3c76	move uptime route to root, /uptime	2025-04-02 21:01:18 -05:00
Ryan Cavicchioni	dc9b8b7cc7	move /livez control routes under /api	2025-04-02 21:00:16 -05:00
Ryan Cavicchioni	149b42825f	log kubernaut version number that is compatible with Puma	2025-04-02 20:59:10 -05:00
Ryan Cavicchioni	2285def168	s/sleep/sleepy/g	2025-04-02 20:58:20 -05:00
Ryan Cavicchioni	a83fa30cd4	quiet logger for /livez and /readyz	2025-04-02 20:57:13 -05:00
Ryan Cavicchioni	37694a38d7	v0.1.2 All checks were successful Gitea Actions Demo / lint (push) Successful in 25s Details Gitea Actions Demo / test (push) Successful in 20s Details Gitea Actions Demo / docker (push) Successful in 1m54s Details	2025-04-01 21:23:05 -05:00
Ryan Cavicchioni	3505820213	bundle update All checks were successful Gitea Actions Demo / lint (push) Successful in 26s Details Gitea Actions Demo / test (push) Successful in 16s Details Gitea Actions Demo / docker (push) Successful in 2m34s Details	2025-04-01 21:05:57 -05:00