From 2edb89c1920719b03797b3ad2bdc062dff7160de Mon Sep 17 00:00:00 2001 From: Waleed Hammam Date: Wed, 31 Aug 2022 14:49:04 +0200 Subject: [PATCH 01/17] disable v1 policies to be served to prioritize v2beta1 (#78) * disable v1 policies to be served to prioritize v2beta1 * make manifests * make manifests --- api/v1/policy_types.go | 1 + config/crd/bases/pac.weave.works_policies.yaml | 2 +- helm/crds/pac.weave.works_policies.yaml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/api/v1/policy_types.go b/api/v1/policy_types.go index 6c097af2..ab6f7657 100644 --- a/api/v1/policy_types.go +++ b/api/v1/policy_types.go @@ -91,6 +91,7 @@ type PolicySpec struct { Controls []string `json:"controls,omitempty"` } +// +kubebuilder:unservedversion //+kubebuilder:object:root=true // +kubebuilder:resource:scope=Cluster diff --git a/config/crd/bases/pac.weave.works_policies.yaml b/config/crd/bases/pac.weave.works_policies.yaml index 1fe54c10..972c5a3f 100644 --- a/config/crd/bases/pac.weave.works_policies.yaml +++ b/config/crd/bases/pac.weave.works_policies.yaml @@ -143,7 +143,7 @@ spec: - severity type: object type: object - served: true + served: false storage: false - name: v2beta1 schema: diff --git a/helm/crds/pac.weave.works_policies.yaml b/helm/crds/pac.weave.works_policies.yaml index 1fe54c10..972c5a3f 100644 --- a/helm/crds/pac.weave.works_policies.yaml +++ b/helm/crds/pac.weave.works_policies.yaml @@ -143,7 +143,7 @@ spec: - severity type: object type: object - served: true + served: false storage: false - name: v2beta1 schema: From 26850e9dfa12d6314e5530806566bd0399db57cc Mon Sep 17 00:00:00 2001 
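Review bot: The new `// +kubebuilder:unservedversion` marker above the v1 Policy type carries no explanation; the reason (v2beta1 is the version to serve) lives only in the commit subject, and the next maintainer who sees v1 still in the tree has nothing telling them not to re-enable it. A one-line comment such as `// v1 is retained for conversion/compatibility only; it is not served, v2beta1 is the active version` would fix that. The marker is written `// +` while the neighbouring `//+kubebuilder:object:root=true` has no space; controller-gen accepts both, but one spelling is easier to grep for. The type this marker annotates continues outside the hunk.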
From: Waleed Hammam Date: Wed, 31 Aug 2022 16:47:53 +0200 Subject: [PATCH 02/17] replace circleCI with github actions (#54) * replace circleCI with github actions * remove unnecessary step * make workflow need build to be success * add elasticsearch * add docker secrets * seprate build and push * remove unnecessary check --- .circleci/config.yml | 180 ------------------------------ .github/workflows/build.yml | 77 +++++++++++++ .github/workflows/push_docker.yml | 34 ++++++ .github/workflows/release.yml | 9 +- go.sum | 7 +- 5 files changed, 121 insertions(+), 186 deletions(-) delete mode 100644 .circleci/config.yml create mode 100644 .github/workflows/build.yml create mode 100644 .github/workflows/push_docker.yml diff --git a/.circleci/config.yml b/.circleci/config.yml deleted file mode 100644 index 3667a4aa..00000000 --- a/.circleci/config.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -version: 2 -jobs: - build-push: - docker: - - image: magalixcorp/circleci-golang-lite:1.17 - - steps: - - run: - name: Set up source path directory - command: | - echo 'export SOURCE_PATH=/home/$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME' >> $BASH_ENV - echo 'export GO111MODULE=on' >> $BASH_ENV - echo 'export GOPRIVATE=github.com/MagalixTechnologies' >> $BASH_ENV - - run: - name: Checkout code - command: | - mkdir -p ~/.ssh - echo 'StrictHostKeyChecking no' >> ~/.ssh/config - - git config --global \ - url."ssh://git@github.com".insteadOf "https://github.com" - - git clone -q --recursive "$CIRCLE_REPOSITORY_URL" "$SOURCE_PATH" - - cd $SOURCE_PATH - - if [[ "$CIRCLE_TAG" ]]; then - git checkout -q "$CIRCLE_TAG" - fi - - if [[ "$CIRCLE_BRANCH" ]]; then - git checkout -q "$CIRCLE_BRANCH" - fi - - - run: - name: Should push? - command: | - if [[ "$CIRCLE_BRANCH" == "dev" || "$CIRCLE_BRANCH" == "master" ]] - then - echo 'export SHOULD_PUSH=true' >> $BASH_ENV - else - echo :: will not push - fi - - - restore_cache: - keys: - - go-src-pkg-cache-v2 - - - run: - name: Build binary - command: | - - apk add build-base - - export GOCACHE=/go/cache/ - - cd $SOURCE_PATH - make build - - - save_cache: - key: go-src-pkg-cache-v2 - paths: - - /go/src/k8s.io/ - - /go/pkg/ - - /go/cache/ - - - setup_remote_docker: - reusable: true - exclusive: true - - - run: - name: Build docker image - command: | - cd $SOURCE_PATH - - COMMIT_COUNT=$(git rev-list --count HEAD) - SHORT_HASH=$(git rev-parse --short HEAD) - VERSION=${CIRCLE_BRANCH}-${COMMIT_COUNT}-${SHORT_HASH} - - if [[ "$CIRCLE_BRANCH" == "master" ]]; then - export VERSION=$( /tmp/report.txt #--fail-on high to fail on sev high - - - store_artifacts: - path: /tmp/report.txt - - - deploy: - name: Release and push to Docker Registry - command: | - if [[ ! 
"$SHOULD_PUSH" ]]; then - echo :: no push - - exit 0 - fi - - cd $SOURCE_PATH - - docker login -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_PASSWORD" - - if [[ "$CIRCLE_BRANCH" == "master" ]]; then - export VERSION=$(> $BASH_ENV - echo 'export GOPRIVATE=github.com/MagalixTechnologies' >> $BASH_ENV - - - run: - name: install dockerize - command: wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz && sudo tar -C /usr/local/bin -xzvf dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz && sudo rm dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz - environment: - DOCKERIZE_VERSION: v0.3.0 - - - run: - name: Running ElasticSearch - command: | - docker run -itd --name elasticsearch -p 9200:9200 -e "discovery.type=single-node" -e "xpack.security.enabled=false" docker.elastic.co/elasticsearch/elasticsearch:8.3.3 - docker_layer_caching: true - - - run: - name: Wait for elasticsearch docker image - command: dockerize -wait http://localhost:9200 -timeout 2m - - - checkout - - run: - name: run test - command: | - go test -v -cover -covermode=atomic -coverprofile=coverage.txt ./... - bash <(curl -s https://codecov.io/bash) -F unit - -workflows: - version: 2 - test_build: - jobs: - - tests - - build-push: - requires: - - tests diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 00000000..fe1e5c1c --- /dev/null +++ b/.github/workflows/build.yml 
@@ -0,0 +1,77 @@ +name: build + +on: + push: + branches: [ master, dev ] + pull_request: + branches: [ master, dev ] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: setup go + uses: actions/setup-go@v3 + with: + go-version: '1.17' + cache: true + + - name: Get branch name (merge) + if: github.event_name != 'pull_request' + run: echo "BRANCH_NAME=$(echo ${{ github.ref }} | tr / -)" >> $GITHUB_ENV + + - name: Get branch name (pull request) + if: github.event_name == 'pull_request' + run: | + git fetch -a + echo "BRANCH_NAME=$(echo ${{ github.head_ref }} | tr / -)" >> $GITHUB_ENV + + - name: Build binary + run: | + make build + + - name: Running ElasticSearch + run: | + docker run -itd --name elasticsearch -p 9200:9200 -e "discovery.type=single-node" -e "xpack.security.enabled=false" docker.elastic.co/elasticsearch/elasticsearch:8.3.3 + sleep 20 + timeout 120 sh -c 'until nc -z $0 $1; do echo "waiting for elasticsearch to start on port 9200"; sleep 5; done' localhost 9200 + + - name: run test + run: | + go test -v -cover -covermode=atomic -coverprofile=coverage.txt ./... + bash <(curl -s https://codecov.io/bash) -F unit + + - name: Build docker image + run: | + COMMIT_COUNT=$(git rev-list --count HEAD) + SHORT_HASH=$(git rev-parse --short HEAD) + VERSION=${{ env.BRANCH_NAME }}-${COMMIT_COUNT}-${SHORT_HASH} + + if [[ ${{ env.BRANCH_NAME }} == "master" ]]; then + export VERSION=$( /tmp/report.txt #--fail-on high to fail on sev high diff --git a/.github/workflows/push_docker.yml b/.github/workflows/push_docker.yml new file mode 100644 index 00000000..89337409 --- /dev/null +++ b/.github/workflows/push_docker.yml 
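Review bot: Two steps in the new `build` job fetch scripts at run time and pipe them straight into a shell — `bash <(curl -s https://codecov.io/bash) -F unit` in `run test` and `curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin` in `Build docker image` — with no version pin or checksum, so whatever those URLs serve on a given day runs inside the job with its credentials. Prefer the maintained actions pinned to a full commit SHA, or download a tagged release and verify its checksum before executing it; the grype installer takes a version argument after `-b /usr/local/bin`, which at least pins what is installed. `actions/checkout@v3` and `actions/setup-go@v3` likewise float on a mutable tag. Separately, `${{ github.head_ref }}` interpolated into `run:` in the pull-request branch step is attacker-controlled text for pull requests from forks and is a shell-injection vector; PATCH 05 in this series replaces it with the `GITHUB_HEAD_REF` environment variable, which is the right fix.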
@@ -0,0 +1,34 @@ +name: push_docker + +on: + workflow_run: + workflows: ["build"] + branches: [master, dev] + types: + - completed +jobs: + push: + runs-on: ubuntu-latest + steps: + - name: Login to Docker Hub + uses: docker/login-action@v1 + with: + registry: docker.io + username: ${{ secrets.DOCKER_USER }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Release and push to Docker Registry + run: | + if [[ ${{ env.BRANCH_NAME }} == "master" ]]; then + export VERSION=$( Date: Wed, 31 Aug 2022 17:00:55 +0200 Subject: [PATCH 03/17] add branch to github env (#81) --- .github/workflows/push_docker.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/push_docker.yml b/.github/workflows/push_docker.yml index 89337409..1ff051c4 100644 --- a/.github/workflows/push_docker.yml +++ b/.github/workflows/push_docker.yml @@ -19,6 +19,7 @@ jobs: - name: Release and push to Docker Registry run: | + echo "BRANCH_NAME=$(echo ${{ github.ref }} | tr / -)" >> $GITHUB_ENV if [[ ${{ env.BRANCH_NAME }} == "master" ]]; then export VERSION=$( Date: Wed, 31 Aug 2022 17:49:31 +0200 Subject: [PATCH 04/17] fix github actions branch (#83) --- .github/workflows/push_docker.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/push_docker.yml b/.github/workflows/push_docker.yml index 1ff051c4..88f67762 100644 --- a/.github/workflows/push_docker.yml +++ b/.github/workflows/push_docker.yml 
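Review bot: The `push` job is triggered by `workflow_run` with `types: [completed]`, which fires whether the `build` workflow succeeded or failed, so an image can be pushed after failed tests; despite the commit message ("make workflow need build to be success") no conclusion check is visible in the hunk. Guard the job with `if: ${{ github.event.workflow_run.conclusion == 'success' }}`. The push step also reads `${{ env.BRANCH_NAME }}`, but nothing in this workflow sets it — `env` values do not carry over from the triggering workflow, so the comparison with `"master"` is always false here; PATCH 03 and PATCH 04 in this series address that, and PATCH 07 removes the file altogether. `docker/login-action@v1` floats on a major tag; an action that receives registry credentials is worth pinning to a commit SHA.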
@@ -19,8 +19,8 @@ jobs: - name: Release and push to Docker Registry run: | - echo "BRANCH_NAME=$(echo ${{ github.ref }} | tr / -)" >> $GITHUB_ENV - if [[ ${{ env.BRANCH_NAME }} == "master" ]]; then + BRANCH_NAME=$(echo ${{ github.ref }} | tr / -) + if [[ ${BRANCH_NAME} == "master" ]]; then export VERSION=$( Date: Wed, 31 Aug 2022 18:36:04 +0200 Subject: [PATCH 05/17] fix github actions branch and docker push (#84) --- .github/workflows/build.yml | 29 +++++++++++++++++++++++++++-- .github/workflows/release.yml | 2 +- 2 files changed, 28 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fe1e5c1c..c3c2d8e3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -19,13 +19,13 @@ jobs: - name: Get branch name (merge) if: github.event_name != 'pull_request' - run: echo "BRANCH_NAME=$(echo ${{ github.ref }} | tr / -)" >> $GITHUB_ENV + run: echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | tr / -)" >> $GITHUB_ENV - name: Get branch name (pull request) if: github.event_name == 'pull_request' run: | git fetch -a - echo "BRANCH_NAME=$(echo ${{ github.head_ref }} | tr / -)" >> $GITHUB_ENV + echo "BRANCH_NAME=$(echo ${GITHUB_HEAD_REF} | tr / -)" >> $GITHUB_ENV - name: Build binary run: | 
@@ -75,3 +75,28 @@ jobs: echo scanning ${REPO}:${VERSION} curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin grype "${REPO}:${VERSION}" --scope all-layers > /tmp/report.txt #--fail-on high to fail on sev high + + - name: Login to Docker Hub + if: github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/master' + uses: docker/login-action@v1 + with: + registry: docker.io + username: ${{ secrets.DOCKER_USER }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Release and push to Docker Registry + if: github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/master' + run: | + if [[ ${{ env.BRANCH_NAME }} == "master" ]]; then + export VERSION=$( Date: Wed, 31 Aug 2022 19:00:26 +0200 Subject: [PATCH 06/17] Init container with change owner for validation results directory --- helm/templates/agent.yaml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/helm/templates/agent.yaml b/helm/templates/agent.yaml index 7450833f..6a1e6131 100644 --- a/helm/templates/agent.yaml +++ b/helm/templates/agent.yaml @@ -136,6 +136,13 @@ spec: restartPolicy: Always securityContext: fsGroup: 1000 + initContainers: + - name: file-permission + image: busybox + command: ["sh", "-c", "chown -R 1000:1000 {{ .Values.persistence.sinkDir }}"] + volumeMounts: + - name: validation-results + mountPath: {{ .Values.persistence.sinkDir }} containers: - image: {{ .Values.image }}:{{ .Chart.AppVersion }} imagePullPolicy: Always @@ -183,10 +190,8 @@ spec: readOnly: true - name: agent-config-volume mountPath: /config - {{- if eq .Values.persistence.enabled true }} - name: validation-results - mountPath: {{.Values.persistence.sinkDir}} - {{- end}} + mountPath: {{ .Values.persistence.sinkDir }} volumes: - name: cert secret: 
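Review bot: The login and push steps added at the end of the job run regardless of the grype result: the scan line above them still redirects to `/tmp/report.txt` with `--fail-on` left in a trailing comment, and unlike the old CircleCI `store_artifacts` step nothing uploads the report, so a high-severity finding neither blocks the push nor is recorded anywhere. Either enable `grype "${REPO}:${VERSION}" --scope all-layers --fail-on high` ahead of the login step, or upload the report with `actions/upload-artifact` so the result is at least visible. `docker/login-action@v1` is pinned only to a major tag; pin the action that receives `DOCKER_PASSWORD` to a commit SHA. The `if:` guards on `github.ref` correctly exclude `refs/pull/*/merge` refs, so fork pull requests cannot reach the push step.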
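Review bot: The new `file-permission` init container uses `image: busybox` with no tag, so it floats on `latest`, and runs as root with the pod's default capability set only to `chown -R` one directory. Pin the image (`image: busybox:<pinned tag or digest>`) and add a container `securityContext` that keeps just what chown needs, e.g. `capabilities: {drop: ["ALL"], add: ["CHOWN"]}` with `readOnlyRootFilesystem: true`. Since the pod already sets `fsGroup: 1000`, the kubelet applies group ownership on mount for most volume types, so this container may be redundant for emptyDir and many PVC drivers — confirm which volume type actually needs it. `{{ .Values.persistence.sinkDir }}` is spliced unquoted into the `sh -c` string; the value is operator-supplied, but quoting it as `'{{ .Values.persistence.sinkDir }}'` avoids word splitting on unusual paths.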
@@ -198,7 +203,11 @@ spec: - name: validation-results persistentVolumeClaim: claimName: policy-agent + {{ else }} + - emptyDir: {} + name: validation-results {{- end}} + --- apiVersion: v1 kind: Service From 4b8458d750982ec93118a4633fbf66e2cfb03e6a Mon Sep 17 00:00:00 2001 From: Waleed Hammam Date: Wed, 31 Aug 2022 19:05:17 +0200 Subject: [PATCH 07/17] remove unused workflow (#85) --- .github/workflows/push_docker.yml | 35 ------------------------------- 1 file changed, 35 deletions(-) delete mode 100644 .github/workflows/push_docker.yml diff --git a/.github/workflows/push_docker.yml b/.github/workflows/push_docker.yml deleted file mode 100644 index 88f67762..00000000 --- a/.github/workflows/push_docker.yml +++ /dev/null @@ -1,35 +0,0 @@ -name: push_docker - -on: - workflow_run: - workflows: ["build"] - branches: [master, dev] - types: - - completed -jobs: - push: - runs-on: ubuntu-latest - steps: - - name: Login to Docker Hub - uses: docker/login-action@v1 - with: - registry: docker.io - username: ${{ secrets.DOCKER_USER }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Release and push to Docker Registry - run: | - BRANCH_NAME=$(echo ${{ github.ref }} | tr / -) - if [[ ${BRANCH_NAME} == "master" ]]; then - export VERSION=$( Date: Thu, 1 Sep 2022 17:20:09 +0200 Subject: [PATCH 08/17] Create different volumes for admission and audit files --- helm/templates/agent.yaml | 44 ++++++++++++++++++++++++++++++++------- helm/values.yaml | 1 - 2 files changed, 36 insertions(+), 9 deletions(-) diff --git a/helm/templates/agent.yaml b/helm/templates/agent.yaml index 6a1e6131..91249aaa 100644 --- a/helm/templates/agent.yaml +++ b/helm/templates/agent.yaml 
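Review bot: `{{ else }}` in the new volumes branch is the only action in this block that does not trim whitespace, so the rendered manifest carries a blank indented line before `- emptyDir: {}`; harmless to the YAML parser but inconsistent with `{{- end}}` two lines below. Use `{{- else }}`. The emptyDir entry also lists `emptyDir: {}` before `name:`, whereas the PVC entry above it puts `name:` first; ordering the two entries alike (`- name: validation-results` then `emptyDir: {}`) reads better. The enclosing volumes list starts outside the hunk.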
@@ -137,12 +137,22 @@ spec: securityContext: fsGroup: 1000 initContainers: - - name: file-permission + {{- if .Values.config.audit.sinks.fileSystemSink.filePath }} + - name: audit-file-permission image: busybox - command: ["sh", "-c", "chown -R 1000:1000 {{ .Values.persistence.sinkDir }}"] + command: ["sh", "-c", "chown -R 1000:1000 $(dirname {{ .Values.config.audit.sinks.fileSystemSink.filePath }})"] volumeMounts: - - name: validation-results - mountPath: {{ .Values.persistence.sinkDir }} + - name: audit-validation-results + mountPath: {{ dir .Values.config.audit.sinks.fileSystemSink.filePath }} + {{- end}} + {{- if .Values.config.admission.sinks.fileSystemSink.filePath }} + - name: admission-file-permission + image: busybox + command: ["sh", "-c", "chown -R 1000:1000 $(dirname {{ .Values.config.admission.sinks.fileSystemSink.filePath }})"] + volumeMounts: + - name: admission-validation-results + mountPath: {{ dir .Values.config.admission.sinks.fileSystemSink.filePath }} + {{- end}} containers: - image: {{ .Values.image }}:{{ .Chart.AppVersion }} imagePullPolicy: Always @@ -190,8 +200,14 @@ spec: readOnly: true - name: agent-config-volume mountPath: /config - - name: validation-results - mountPath: {{ .Values.persistence.sinkDir }} + {{- if .Values.config.audit.sinks.fileSystemSink.filePath }} + - name: audit-validation-results + mountPath: {{ dir .Values.config.audit.sinks.fileSystemSink.filePath }} + {{- end}} + {{- if .Values.config.admission.sinks.fileSystemSink.filePath }} + - name: admission-validation-results + mountPath: {{ dir .Values.config.admission.sinks.fileSystemSink.filePath }} + {{- end}} volumes: - name: cert secret: 
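Review bot: Each file-system sink now gets its own volume mounted at `{{ dir ...filePath }}`, so when the audit and admission files are configured in the same directory — the likely layout, two files under one log directory — the container renders two volumeMounts with the same `mountPath`, which the API server rejects as a duplicate mount. Either mount one shared volume once, or derive a distinct mount point per sink. PATCH 09 in this series moves to a single `validation-results` volume with `subPath`, but that still produces two mounts at one path when the directories coincide. The init containers compute the chown target with `$(dirname {{ ... }})` in the shell from an unquoted template value while the mountPath uses `{{ dir ... }}`; using the same `{{ dir ... }}` expression in both places keeps the two paths identical by construction.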
@@ -199,13 +215,25 @@ spec: - name: agent-config-volume configMap: name: policy-agent-config + {{- if dir .Values.config.audit.sinks.fileSystemSink.filePath }} + {{- if eq .Values.persistence.enabled true }} + - name: audit-validation-results + persistentVolumeClaim: + claimName: policy-agent + {{ else }} + - emptyDir: {} + name: audit-validation-results + {{- end}} + {{- end}} + {{- if dir .Values.config.admission.sinks.fileSystemSink.filePath }} {{- if eq .Values.persistence.enabled true }} - - name: validation-results + - name: admission-validation-results persistentVolumeClaim: claimName: policy-agent {{ else }} - emptyDir: {} - name: validation-results + name: admission-validation-results + {{- end}} {{- end}} --- diff --git a/helm/values.yaml b/helm/values.yaml index 0806c038..dc96913e 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -11,7 +11,6 @@ caCertificate: "" persistence: enabled: false # claimStorage: 1Gi - # sinkDir: /var/log # storageClassName: standard config: From 7846a83db0b10c34f37f281483a96d9107fb8427 Mon Sep 17 00:00:00 2001 From: Noha Sayed Date: Thu, 1 Sep 2022 19:22:10 +0200 Subject: [PATCH 09/17] Define helper function for audit and admission sinks conditions --- helm/templates/agent.yaml | 49 ++++++++++++++++++-------------------- helm/templates/helpers.tpl | 27 +++++++++++++++++++++ 2 files changed, 50 insertions(+), 26 deletions(-) create mode 100644 helm/templates/helpers.tpl diff --git a/helm/templates/agent.yaml b/helm/templates/agent.yaml index 91249aaa..68e0541e 100644 --- a/helm/templates/agent.yaml +++ b/helm/templates/agent.yaml 
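Review bot: The guard `{{- if dir .Values.config.audit.sinks.fileSystemSink.filePath }}` is always true — `dir` of an empty string yields `.`, a non-empty and therefore truthy string — so the volume is rendered even when no file path is configured, while the matching volumeMounts earlier in the template test `filePath` directly; the admission block below has the same problem. Test the raw value here as well, `{{- if .Values.config.audit.sinks.fileSystemSink.filePath }}`. Both guards also dereference `.Values.config.audit.sinks.fileSystemSink` without checking that `sinks` or `fileSystemSink` exist, so a values file that omits the sink fails to render; the nil-safe helper introduced in PATCH 09 addresses that. The volumes list this hunk sits in starts outside the hunk.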
@@ -136,23 +136,27 @@ spec: restartPolicy: Always securityContext: fsGroup: 1000 + {{- if eq .Values.persistence.enabled false }} + {{- if or (eq (include "isAuditFileSystemSinkEnabled" .) "true") (eq (include "isAdmissionFileSystemSinkEnabled" .) "true") }} initContainers: - {{- if .Values.config.audit.sinks.fileSystemSink.filePath }} + {{- if eq (include "isAuditFileSystemSinkEnabled" .) "true" }} - name: audit-file-permission image: busybox command: ["sh", "-c", "chown -R 1000:1000 $(dirname {{ .Values.config.audit.sinks.fileSystemSink.filePath }})"] volumeMounts: - name: audit-validation-results mountPath: {{ dir .Values.config.audit.sinks.fileSystemSink.filePath }} - {{- end}} - {{- if .Values.config.admission.sinks.fileSystemSink.filePath }} + {{- end }} + {{- if eq (include "isAdmissionFileSystemSinkEnabled" .) "true" }} - name: admission-file-permission image: busybox command: ["sh", "-c", "chown -R 1000:1000 $(dirname {{ .Values.config.admission.sinks.fileSystemSink.filePath }})"] volumeMounts: - name: admission-validation-results mountPath: {{ dir .Values.config.admission.sinks.fileSystemSink.filePath }} - {{- end}} + {{- end }} + {{- end }} + {{- end }} containers: - image: {{ .Values.image }}:{{ .Chart.AppVersion }} imagePullPolicy: Always 
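Review bot: The init containers are now rendered only when `persistence.enabled` is false, i.e. only for the emptyDir case, where `fsGroup: 1000` already makes the fresh volume group-writable on mount; the persistent-volume case, where pre-existing data or a storage driver that ignores fsGroup is what would actually need a chown, gets no init container at all. This looks inverted — confirm the intent and, if the chown is meant to cover the PVC, drop the outer `{{- if eq .Values.persistence.enabled false }}` or invert it. The `busybox` images remain untagged and the chown containers still run with the default capability set; pinning the image and dropping capabilities other than `CHOWN` applies here as before.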
@@ -200,14 +204,18 @@ spec: readOnly: true - name: agent-config-volume mountPath: /config - {{- if .Values.config.audit.sinks.fileSystemSink.filePath }} - - name: audit-validation-results + {{- if eq .Values.persistence.enabled true }} + {{- if eq (include "isAuditFileSystemSinkEnabled" .) "true" }} + - name: validation-results mountPath: {{ dir .Values.config.audit.sinks.fileSystemSink.filePath }} - {{- end}} - {{- if .Values.config.admission.sinks.fileSystemSink.filePath }} - - name: admission-validation-results + subPath: audit + {{- end }} + {{- if eq (include "isAdmissionFileSystemSinkEnabled" .) "true" }} + - name: validation-results mountPath: {{ dir .Values.config.admission.sinks.fileSystemSink.filePath }} - {{- end}} + subPath: admission + {{- end }} + {{- end }} volumes: - name: cert secret: @@ -215,27 +223,16 @@ spec: - name: agent-config-volume configMap: name: policy-agent-config - {{- if dir .Values.config.audit.sinks.fileSystemSink.filePath }} {{- if eq .Values.persistence.enabled true }} - - name: audit-validation-results + - name: validation-results persistentVolumeClaim: claimName: policy-agent {{ else }} + {{- if or (eq (include "isAuditFileSystemSinkEnabled" .) "true") (eq (include "isAdmissionFileSystemSinkEnabled" .) "true") }} - emptyDir: {} - name: audit-validation-results - {{- end}} - {{- end}} - {{- if dir .Values.config.admission.sinks.fileSystemSink.filePath }} - {{- if eq .Values.persistence.enabled true }} - - name: admission-validation-results - persistentVolumeClaim: - claimName: policy-agent - {{ else }} - - emptyDir: {} - name: admission-validation-results - {{- end}} - {{- end}} - + name: validation-results + {{- end }} + {{- end }} --- apiVersion: v1 kind: Service diff --git a/helm/templates/helpers.tpl b/helm/templates/helpers.tpl new file mode 100644 index 00000000..a681ab13 --- /dev/null +++ b/helm/templates/helpers.tpl 
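Review bot: The volumeMounts are now wrapped in `{{- if eq .Values.persistence.enabled true }}`, but the volumes block still renders an `emptyDir` named `validation-results` when persistence is false, so in the non-persistent case the volume exists and nothing mounts it, the sinks write into the container's own filesystem, and the init containers earlier in the template still mount `audit-validation-results` and `admission-validation-results`, volume names that no longer exist, which fails pod validation. PATCH 11 fixes the init-container names; the mount/volume mismatch is not addressed there. Either remove the `persistence.enabled` guard around the mounts so they exist in both modes, or remove the emptyDir branch. The two `subPath` mounts also share a `mountPath` whenever both sinks' directories are equal, which is rejected as a duplicate mount.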
@@ -0,0 +1,27 @@ +{{- define "isAuditFileSystemSinkEnabled" -}} +{{- if .Values.config.audit }} +{{- if eq .Values.config.audit.enabled true }} +{{- if .Values.config.audit.sinks }} +{{- if .Values.config.audit.sinks.fileSystemSink }} +{{- if .Values.config.audit.sinks.fileSystemSink.filePath }} +{{- printf "true"}} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} + +{{- define "isAdmissionFileSystemSinkEnabled" -}} +{{- if .Values.config.admission }} +{{- if eq .Values.config.admission.enabled true }} +{{- if .Values.config.admission.sinks }} +{{- if .Values.config.admission.sinks.fileSystemSink }} +{{- if .Values.config.admission.sinks.fileSystemSink.filePath }} +{{- printf "true"}} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} From a8c0eb801ad22dd3d56d5ebc0ac566811fd05ace Mon Sep 17 00:00:00 2001 From: Waleed Hammam Date: Sun, 4 Sep 2022 11:18:10 +0200 Subject: [PATCH 10/17] add codecov secret to env (#87) --- .github/workflows/build.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c3c2d8e3..65a44f71 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -37,7 +37,9 @@ jobs: sleep 20 timeout 120 sh -c 'until nc -z $0 $1; do echo "waiting for elasticsearch to start on port 9200"; sleep 5; done' localhost 9200 - - name: run test + - name: run test + env: + CODECOV_TOKEN: ${{secrets.CODECOV_TOKEN}} run: | go test -v -cover -covermode=atomic -coverprofile=coverage.txt ./... bash <(curl -s https://codecov.io/bash) -F unit From 7d6be4991e0ea6de02db3f75221178a3d4f3711b Mon Sep 17 00:00:00 2001 From: Noha Sayed Date: Sun, 4 Sep 2022 11:32:19 +0200 Subject: [PATCH 11/17] Fix volumes names --- helm/templates/agent.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/helm/templates/agent.yaml b/helm/templates/agent.yaml index 68e0541e..dc717b6a 100644 --- a/helm/templates/agent.yaml 
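Review bot: `CODECOV_TOKEN` is added as a step-level `env:`, so it is now in the environment of `bash <(curl -s https://codecov.io/bash)` — a script fetched unpinned at run time — and of the preceding `go test` run; if the served script is ever altered, the repository's upload token leaves with it. Use the `codecov/codecov-action` pinned to a commit SHA with `token: ${{ secrets.CODECOV_TOKEN }}`, or download a tagged uploader release and verify its checksum or signature before executing it. Failing that, scope the variable to the upload command alone (`CODECOV_TOKEN="$CODECOV_TOKEN" bash ...` with the `env:` moved off the step) so the test binaries do not see it.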
+++ b/helm/templates/agent.yaml @@ -144,7 +144,7 @@ spec: image: busybox command: ["sh", "-c", "chown -R 1000:1000 $(dirname {{ .Values.config.audit.sinks.fileSystemSink.filePath }})"] volumeMounts: - - name: audit-validation-results + - name: validation-results mountPath: {{ dir .Values.config.audit.sinks.fileSystemSink.filePath }} {{- end }} {{- if eq (include "isAdmissionFileSystemSinkEnabled" .) "true" }} @@ -152,7 +152,7 @@ spec: image: busybox command: ["sh", "-c", "chown -R 1000:1000 $(dirname {{ .Values.config.admission.sinks.fileSystemSink.filePath }})"] volumeMounts: - - name: admission-validation-results + - name: validation-results mountPath: {{ dir .Values.config.admission.sinks.fileSystemSink.filePath }} {{- end }} {{- end }} From bf65cc4d0deb696c18d39a2124dcff5f3bb26c01 Mon Sep 17 00:00:00 2001 From: Ahmed El-Sayed Date: Sun, 4 Sep 2022 13:53:37 +0200 Subject: [PATCH 12/17] user logs dir for audit and admission logs --- Dockerfile | 2 ++ helm/templates/agent.yaml | 63 ++++++++++++++++----------------------- main.go | 4 ++- 3 files changed, 30 insertions(+), 39 deletions(-) diff --git a/Dockerfile b/Dockerfile index 1d1b3bb3..8e0755c3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,7 @@ FROM alpine:3.15 COPY bin/agent / +RUN mkdir -p logs && chmod -R 777 /logs + ENTRYPOINT ["/agent"] diff --git a/helm/templates/agent.yaml b/helm/templates/agent.yaml index dc717b6a..9e8fc081 100644 --- a/helm/templates/agent.yaml +++ b/helm/templates/agent.yaml @@ -34,6 +34,27 @@ rules: - create - patch - update +- apiGroups: + - "" + - apps + - batch + - rbac.authorization.k8s.io + resources: + - pods + - deployments + - replicationcontrollers + - statefulsets + - daemonsets + - replicasets + - jobs + - cronjobs + - clusterrolebindings + - serviceaccounts + - nodes + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
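Review bot: `RUN mkdir -p logs && chmod -R 777 /logs` creates a relative `logs` directory, resolved against the image's current WORKDIR (which only happens to be `/` here), and then makes `/logs` world-writable, so any process in the container, whatever its uid, can write to or truncate the audit and admission logs. Create it with an absolute path and hand it to the uid the agent runs as instead of 777, e.g. `RUN mkdir -p /logs && chown 1000:1000 /logs && chmod 750 /logs`, matching the `fsGroup: 1000` the chart sets. PATCH 13 later fixes the relative path but keeps the 777 mode. No `USER` directive is visible in the hunk, so confirm which uid the agent actually runs under before choosing the owner.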
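Review bot: The new ClusterRole rule grants cluster-wide `get`, `list` and `watch` on pods, every workload kind, jobs, nodes, serviceaccounts and clusterrolebindings in a single block with no note on which policy checks need each resource. Read-only access is reasonable for an agent that audits cluster state, but the list is broad — it includes RBAC objects and service accounts — so a comment above the rule naming the policies that depend on each entry, or one rule per API group with its own justification, keeps it reviewable and makes later pruning possible. If the agent only needs some of these in the namespaces it watches, a Role plus RoleBinding expresses that more tightly than a ClusterRole.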
@@ -136,30 +157,9 @@ spec: restartPolicy: Always securityContext: fsGroup: 1000 - {{- if eq .Values.persistence.enabled false }} - {{- if or (eq (include "isAuditFileSystemSinkEnabled" .) "true") (eq (include "isAdmissionFileSystemSinkEnabled" .) "true") }} - initContainers: - {{- if eq (include "isAuditFileSystemSinkEnabled" .) "true" }} - - name: audit-file-permission - image: busybox - command: ["sh", "-c", "chown -R 1000:1000 $(dirname {{ .Values.config.audit.sinks.fileSystemSink.filePath }})"] - volumeMounts: - - name: validation-results - mountPath: {{ dir .Values.config.audit.sinks.fileSystemSink.filePath }} - {{- end }} - {{- if eq (include "isAdmissionFileSystemSinkEnabled" .) "true" }} - - name: admission-file-permission - image: busybox - command: ["sh", "-c", "chown -R 1000:1000 $(dirname {{ .Values.config.admission.sinks.fileSystemSink.filePath }})"] - volumeMounts: - - name: validation-results - mountPath: {{ dir .Values.config.admission.sinks.fileSystemSink.filePath }} - {{- end }} - {{- end }} - {{- end }} containers: - - image: {{ .Values.image }}:{{ .Chart.AppVersion }} - imagePullPolicy: Always + - image: {{ .Values.image }} + imagePullPolicy: Never name: policy-agent args: [ "--config-file", @@ -205,16 +205,8 @@ spec: - name: agent-config-volume mountPath: /config {{- if eq .Values.persistence.enabled true }} - {{- if eq (include "isAuditFileSystemSinkEnabled" .) "true" }} - name: validation-results - mountPath: {{ dir .Values.config.audit.sinks.fileSystemSink.filePath }} - subPath: audit - {{- end }} - {{- if eq (include "isAdmissionFileSystemSinkEnabled" .) "true" }} - - name: validation-results - mountPath: {{ dir .Values.config.admission.sinks.fileSystemSink.filePath }} - subPath: admission - {{- end }} + mountPath: /logs {{- end }} volumes: - name: cert 
@@ -227,12 +219,7 @@ spec: - name: validation-results persistentVolumeClaim: claimName: policy-agent - {{ else }} - {{- if or (eq (include "isAuditFileSystemSinkEnabled" .) "true") (eq (include "isAdmissionFileSystemSinkEnabled" .) "true") }} - - emptyDir: {} - name: validation-results - {{- end }} - {{- end }} + {{ end }} --- apiVersion: v1 kind: Service diff --git a/main.go b/main.go index 1ccff50c..a1af5dc9 100644 --- a/main.go +++ b/main.go @@ -9,6 +9,7 @@ import ( "net/http" "net/url" "os" + "path/filepath" "time" "github.com/MagalixTechnologies/core/logger" @@ -354,7 +355,8 @@ func main() { } } -func initFileSystemSink(mgr manager.Manager, filePath string) (*filesystem.FileSystemSink, error) { +func initFileSystemSink(mgr manager.Manager, filename string) (*filesystem.FileSystemSink, error) { + filePath := filepath.Join("/logs", filename) sink, err := filesystem.NewFileSystemSink(filePath) if err != nil { return nil, fmt.Errorf("failed to initialize filesystem sink: %w", err) From 011ad19a6e99141716cb6d51c6488ea40b247e05 Mon Sep 17 00:00:00 2001 From: Ahmed El-Sayed Date: Sun, 4 Sep 2022 14:08:55 +0200 Subject: [PATCH 13/17] fix template --- Dockerfile | 2 +- helm/templates/agent.yaml | 4 ++-- helm/templates/helpers.tpl | 27 --------------------------- 3 files changed, 3 insertions(+), 30 deletions(-) delete mode 100644 helm/templates/helpers.tpl diff --git a/Dockerfile b/Dockerfile index 8e0755c3..353b1147 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM alpine:3.15 COPY bin/agent / -RUN mkdir -p logs && chmod -R 777 /logs +RUN mkdir /logs && chmod -R 777 /logs ENTRYPOINT ["/agent"] diff --git a/helm/templates/agent.yaml b/helm/templates/agent.yaml index 9e8fc081..13fb5684 100644 --- a/helm/templates/agent.yaml +++ b/helm/templates/agent.yaml 
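Review bot: `initFileSystemSink` now builds the sink path as `filepath.Join("/logs", filename)` but never checks that `filename` is a bare name, so a configured value such as `../etc/something` or an absolute path resolves outside `/logs` — `Join` cleans the result but does not confine it. The value comes from the operator's config file, so exposure is limited, but the function's new contract is "a file name under the logs directory" and it should enforce it: `if filename == "" || filepath.Base(filename) != filename { return nil, fmt.Errorf("invalid filesystem sink file name %q", filename) }` before the Join. The `"/logs"` literal is the same path hard-coded in the Dockerfile and in the chart's `mountPath`; a named constant with a comment tying the three together would keep them from drifting. The function's body continues outside the hunk.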
@@ -158,8 +158,8 @@ spec: securityContext: fsGroup: 1000 containers: - - image: {{ .Values.image }} - imagePullPolicy: Never + - image: {{ .Values.image }}:{{ .Chart.AppVersion }} + imagePullPolicy: Always name: policy-agent args: [ "--config-file", diff --git a/helm/templates/helpers.tpl b/helm/templates/helpers.tpl deleted file mode 100644 index a681ab13..00000000 --- a/helm/templates/helpers.tpl +++ /dev/null @@ -1,27 +0,0 @@ -{{- define "isAuditFileSystemSinkEnabled" -}} -{{- if .Values.config.audit }} -{{- if eq .Values.config.audit.enabled true }} -{{- if .Values.config.audit.sinks }} -{{- if .Values.config.audit.sinks.fileSystemSink }} -{{- if .Values.config.audit.sinks.fileSystemSink.filePath }} -{{- printf "true"}} -{{- end }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} -{{- end -}} - -{{- define "isAdmissionFileSystemSinkEnabled" -}} -{{- if .Values.config.admission }} -{{- if eq .Values.config.admission.enabled true }} -{{- if .Values.config.admission.sinks }} -{{- if .Values.config.admission.sinks.fileSystemSink }} -{{- if .Values.config.admission.sinks.fileSystemSink.filePath }} -{{- printf "true"}} -{{- end }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} -{{- end -}} From 1a0730d42c115a4550d6302fa166c3677e73c87b Mon Sep 17 00:00:00 2001 From: Noha Sayed Date: Sun, 4 Sep 2022 14:14:41 +0200 Subject: [PATCH 14/17] Rename file configuration --- README.md | 4 ++-- configuration/config.go | 2 +- go.sum | 7 +++---- main.go | 12 ++++++------ 4 files changed, 12 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index ed883cb3..562d58d9 100644 --- a/README.md +++ b/README.md @@ -74,7 +74,7 @@ admission: enabled: true sinks: filesystemSink: - filePath: "" + fileName: "" fluxNotificationSink: address: "" k8sEventsSink: @@ -86,7 +86,7 @@ audit: writeCompliance: true sinks: filesystemSink: - filePath: "" + fileName: "" fluxNotificationSink: address: "" k8sEventsSink: 
diff --git a/configuration/config.go b/configuration/config.go index ee550bda..2e47ed6a 100644 --- a/configuration/config.go +++ b/configuration/config.go @@ -26,7 +26,7 @@ type K8sEventsSink struct { } type FileSystemSink struct { - FilePath string + FileName string } type FluxNotificationSink struct { diff --git a/go.sum b/go.sum index 1bea811f..f3ce8632 100644 --- a/go.sum +++ b/go.sum @@ -59,8 +59,8 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= -github.com/MagalixTechnologies/channel v1.1.0 h1:5JbU+f2Gu7ZQwXk+wCHp0fbHRm98sSa9oM76szRAVT8= -github.com/MagalixTechnologies/channel v1.1.0/go.mod h1:wTJeQYo0exPHns6lzsLa7jqKmCc5JpjyJ4+wYpQwKu4= +github.com/MagalixTechnologies/channel v1.1.0 h1:qsVt/QiTr1crOgJiwxhgNWDWbRC2/vsJ0YFr9/dYwok= +github.com/MagalixTechnologies/channel v1.1.0/go.mod h1:RPmBuLy/nk8lDIDKucBb6YxCaSM4PJeUkD5Cuynna3s= github.com/MagalixTechnologies/core/logger v1.0.4 h1:qnlUUMYSZMKPwxV9MQC+Cg3Rkh/84v7xW5SBQttTFMU= github.com/MagalixTechnologies/core/logger v1.0.4/go.mod h1:HUb6GF/FKiBWkVCiRNCpxo3btqIxp8Ek4HZNt4Ga0KA= github.com/MagalixTechnologies/core/packet v1.0.1 h1:1OGTRcrKKPP23LOq6QEqPOLXw6A7amVZLAGwT1FPXWg= 
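Review bot: `FileName` replaces `FilePath` in `FileSystemSink` with no doc comment, yet the rename changes the field's meaning, not just its spelling — it is now a bare file name that the agent places under its fixed logs directory — and any existing values file that still sets a full path will silently stop doing what it did. Add `// FileName is the name of the log file; it is created under the agent's logs directory and is not expected to contain path separators.` above the field. Consider keeping a deprecated `FilePath` field for one release whose presence makes config loading fail with a clear error, so the break is reported rather than ignored. The struct's surrounding types are outside the hunk.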
@@ -70,7 +70,7 @@ github.com/MagalixTechnologies/opa-core v1.0.12/go.mod h1:OOvF4AcJEQ1fAcelaC10CC github.com/MagalixTechnologies/policy-core v1.0.8/go.mod h1:gM6cocm6aDq7c1DW+JbQlzv1RMM6iwiJojBufSXPUfU= github.com/MagalixTechnologies/policy-core v1.1.1 h1:/RLewnJyyaulCk7SmxPlknB6Fwc+P6AlRBqxkF7Imy4= github.com/MagalixTechnologies/policy-core v1.1.1/go.mod h1:gM6cocm6aDq7c1DW+JbQlzv1RMM6iwiJojBufSXPUfU= -github.com/MagalixTechnologies/uuid-go v0.0.0-20200102125057-aa0bb55c403a/go.mod h1:O74c5ywMyRjVPErmn6fQ8Z3narXcQE+0Qf5vzWQ9HLU= +github.com/MagalixTechnologies/uuid-go v0.0.0-20191003092420-742176f3bcb7/go.mod h1:vQb1eXhfh+tMJjQQ0Xv9zx8M9qLYpqEDtWrTD89g8Ko= github.com/MagalixTechnologies/uuid-go v0.0.0-20210127133914-f8f07f7ab96e h1:l/ci+0/7XVCFdnLSIvgTM9femU75hXpoCBgVX+w1XTA= github.com/MagalixTechnologies/uuid-go v0.0.0-20210127133914-f8f07f7ab96e/go.mod h1:/ZuJrsOm2BFLXkKN6zBuQ5L35llSU1x40U5eo4Aa6Dg= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= @@ -243,7 +243,6 @@ github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg78 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= diff --git a/main.go b/main.go index a1af5dc9..9f3e5953 100644 --- a/main.go +++ b/main.go 
@@ -165,9 +165,9 @@ func main() { if config.Audit.Enabled { auditSinksConfig := config.Audit.Sinks if auditSinksConfig.FilesystemSink != nil { - filePath := auditSinksConfig.FilesystemSink.FilePath - logger.Infow("initializing filesystem audit sink ...", "file", filePath) - fileSystemSink, err := initFileSystemSink(mgr, filePath) + fileName := auditSinksConfig.FilesystemSink.FileName + logger.Infow("initializing filesystem audit sink ...", "file", fileName) + fileSystemSink, err := initFileSystemSink(mgr, fileName) if err != nil { return err } @@ -209,9 +209,9 @@ func main() { if config.Admission.Enabled { admissionSinksConfig := config.Admission.Sinks if admissionSinksConfig.FilesystemSink != nil { - filePath := admissionSinksConfig.FilesystemSink.FilePath - logger.Infow("initializing filesystem admission sink ...", "file", filePath) - fileSystemSink, err := initFileSystemSink(mgr, filePath) + fileName := admissionSinksConfig.FilesystemSink.FileName + logger.Infow("initializing filesystem admission sink ...", "file", fileName) + fileSystemSink, err := initFileSystemSink(mgr, fileName) if err != nil { return err } From 6a9d3cb59d1b82c6a5529df7a990889d3a447c71 Mon Sep 17 00:00:00 2001 From: Ahmed El-Sayed Date: Tue, 6 Sep 2022 03:29:34 +0200 Subject: [PATCH 15/17] fix go mod --- go.mod | 2 +- go.sum | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index c2a77089..214996d9 100644 --- a/go.mod +++ b/go.mod @@ -51,7 +51,7 @@ require ( github.com/google/gofuzz v1.2.0 // indirect github.com/google/uuid v1.2.0 // indirect github.com/googleapis/gnostic v0.5.5 // indirect - github.com/gorilla/websocket v1.4.2 // indirect + github.com/gorilla/websocket v1.5.0 // indirect github.com/hashicorp/errwrap v1.0.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect diff --git a/go.sum b/go.sum index f3ce8632..69bd4745 100644 --- a/go.sum +++ b/go.sum 
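Review bot: Nothing in the new code checks that `fileName` is a bare file name before it is handed to `initFileSystemSink(mgr, fileName)`; the rename from FilePath says the value is now a name, but the later main.go hunk on this page shows `initFileSystemSink` only does `filepath.Join("/logs", filename)`, which cleans the path but does not confine it, so a configured value containing a separator or `..` still places the sink file outside `/logs`. A guard before the call, `if fileName != filepath.Base(fileName) { return fmt.Errorf("filesystem sink file name %q must not contain path separators", fileName) }`, rejects such values at startup, and since `filepath.Base("")` returns `.` it rejects an empty name too; both `filepath` and `fmt` are already used in main.go. The same applies to the admission branch in the `@@ -209,9 +209,9 @@` hunk, and the check would sit better once inside `initFileSystemSink`, whose hunk on this page is cut off before its closing brace. The enclosing function starts and continues outside both hunks.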
@@ -59,8 +59,8 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= -github.com/MagalixTechnologies/channel v1.1.0 h1:qsVt/QiTr1crOgJiwxhgNWDWbRC2/vsJ0YFr9/dYwok= -github.com/MagalixTechnologies/channel v1.1.0/go.mod h1:RPmBuLy/nk8lDIDKucBb6YxCaSM4PJeUkD5Cuynna3s= +github.com/MagalixTechnologies/channel v1.1.0 h1:5JbU+f2Gu7ZQwXk+wCHp0fbHRm98sSa9oM76szRAVT8= +github.com/MagalixTechnologies/channel v1.1.0/go.mod h1:wTJeQYo0exPHns6lzsLa7jqKmCc5JpjyJ4+wYpQwKu4= github.com/MagalixTechnologies/core/logger v1.0.4 h1:qnlUUMYSZMKPwxV9MQC+Cg3Rkh/84v7xW5SBQttTFMU= github.com/MagalixTechnologies/core/logger v1.0.4/go.mod h1:HUb6GF/FKiBWkVCiRNCpxo3btqIxp8Ek4HZNt4Ga0KA= github.com/MagalixTechnologies/core/packet v1.0.1 h1:1OGTRcrKKPP23LOq6QEqPOLXw6A7amVZLAGwT1FPXWg= 
@@ -70,7 +70,7 @@ github.com/MagalixTechnologies/opa-core v1.0.12/go.mod h1:OOvF4AcJEQ1fAcelaC10CC github.com/MagalixTechnologies/policy-core v1.0.8/go.mod h1:gM6cocm6aDq7c1DW+JbQlzv1RMM6iwiJojBufSXPUfU= github.com/MagalixTechnologies/policy-core v1.1.1 h1:/RLewnJyyaulCk7SmxPlknB6Fwc+P6AlRBqxkF7Imy4= github.com/MagalixTechnologies/policy-core v1.1.1/go.mod h1:gM6cocm6aDq7c1DW+JbQlzv1RMM6iwiJojBufSXPUfU= -github.com/MagalixTechnologies/uuid-go v0.0.0-20191003092420-742176f3bcb7/go.mod h1:vQb1eXhfh+tMJjQQ0Xv9zx8M9qLYpqEDtWrTD89g8Ko= +github.com/MagalixTechnologies/uuid-go v0.0.0-20200102125057-aa0bb55c403a/go.mod h1:O74c5ywMyRjVPErmn6fQ8Z3narXcQE+0Qf5vzWQ9HLU= github.com/MagalixTechnologies/uuid-go v0.0.0-20210127133914-f8f07f7ab96e h1:l/ci+0/7XVCFdnLSIvgTM9femU75hXpoCBgVX+w1XTA= github.com/MagalixTechnologies/uuid-go v0.0.0-20210127133914-f8f07f7ab96e/go.mod h1:/ZuJrsOm2BFLXkKN6zBuQ5L35llSU1x40U5eo4Aa6Dg= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= @@ -243,6 +243,7 @@ github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg78 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= 
@@ -346,6 +347,8 @@ github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB7 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc= +github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y= From 3e0bc9043ffc5fd49bd4303ded6c39c97733bda4 Mon Sep 17 00:00:00 2001 From: Ahmed El-Sayed Date: Tue, 6 Sep 2022 11:22:03 +0200 Subject: [PATCH 16/17] update image registry --- helm/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/values.yaml b/helm/values.yaml index dc96913e..7b94adf5 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -1,5 +1,5 @@ -image: magalixcorp/policy-agent +image: weaveworks/policy-agent failurePolicy: Ignore # If you don't want to use cert-manager, set useCertManager to false and provide your own certs From bf5673711be9232162e7c7bb78ac56255ed785bc Mon Sep 17 00:00:00 2001 From: Ahmed El-Sayed Date: Tue, 6 Sep 2022 11:39:49 +0200 Subject: [PATCH 17/17] move filesystem sink logging to its init func --- helm/templates/agent.yaml | 2 +- main.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/helm/templates/agent.yaml b/helm/templates/agent.yaml index 13fb5684..fefbd7a2 100644 --- a/helm/templates/agent.yaml +++ b/helm/templates/agent.yaml 
@@ -219,7 +219,7 @@ spec: - name: validation-results persistentVolumeClaim: claimName: policy-agent - {{ end }} + {{- end }} --- apiVersion: v1 kind: Service diff --git a/main.go b/main.go index 9f3e5953..151e3c83 100644 --- a/main.go +++ b/main.go @@ -166,7 +166,6 @@ func main() { auditSinksConfig := config.Audit.Sinks if auditSinksConfig.FilesystemSink != nil { fileName := auditSinksConfig.FilesystemSink.FileName - logger.Infow("initializing filesystem audit sink ...", "file", fileName) fileSystemSink, err := initFileSystemSink(mgr, fileName) if err != nil { return err @@ -210,7 +209,6 @@ func main() { admissionSinksConfig := config.Admission.Sinks if admissionSinksConfig.FilesystemSink != nil { fileName := admissionSinksConfig.FilesystemSink.FileName - logger.Infow("initializing filesystem admission sink ...", "file", fileName) fileSystemSink, err := initFileSystemSink(mgr, fileName) if err != nil { return err @@ -357,6 +355,8 @@ func main() { func initFileSystemSink(mgr manager.Manager, filename string) (*filesystem.FileSystemSink, error) { filePath := filepath.Join("/logs", filename) + logger.Infow("initializing filesystem sink ...", "file", filePath) + sink, err := filesystem.NewFileSystemSink(filePath) if err != nil { return nil, fmt.Errorf("failed to initialize filesystem sink: %w", err)