From aea603df5ebd9cd4590947cc121ddbb7a1786914 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Fri, 2 Feb 2024 13:47:06 -0600
Subject: [PATCH 1/2] :broom: update golang to 1.21
---
 Dockerfile.ci | 4 ++--
 Dockerfile.ocp | 3 ++-
 go.mod | 2 +-
 go.sum | 7 +++++--
 4 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/Dockerfile.ci b/Dockerfile.ci
index 7b65176b7..dd500bd02 100644
--- a/Dockerfile.ci
+++ b/Dockerfile.ci
@@ -1,5 +1,5 @@
 # Step one: build compliance-operator
-FROM registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.20-openshift-4.14 AS builder
+FROM registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.21-openshift-4.16 AS builder
 WORKDIR /go/src/github.com/openshift/compliance-operator
@@ -10,7 +10,7 @@ COPY . .
 RUN make manager
 # Step two: containerize compliance-operator
-FROM registry.access.redhat.com/ubi8/ubi-micro:latest
+FROM registry.access.redhat.com/ubi9/ubi-micro:latest
 ENV OPERATOR=/usr/local/bin/compliance-operator \
 USER_UID=1001 \
diff --git a/Dockerfile.ocp b/Dockerfile.ocp
index 7b65176b7..dfe915998 100644
--- a/Dockerfile.ocp
+++ b/Dockerfile.ocp
@@ -1,5 +1,5 @@
 # Step one: build compliance-operator
-FROM registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.20-openshift-4.14 AS builder
+FROM registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.21-openshift-4.16 AS builder
 WORKDIR /go/src/github.com/openshift/compliance-operator
@@ -21,6 +21,7 @@ COPY --from=builder /go/src/github.com/openshift/compliance-operator/build/_outp
 COPY build/bin /usr/local/bin
 RUN /usr/local/bin/user_setup
+RUN dnf update glibc -y
 ENTRYPOINT ["/usr/local/bin/entrypoint"]
diff --git a/go.mod b/go.mod
index 3885ca0d8..4c8b3afb0 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/ComplianceAsCode/compliance-operator
-go 1.20
+go 1.21
 require (
 github.com/onsi/ginkgo v1.16.5
diff --git a/go.sum b/go.sum
index b8c2a1048..ec1fddd18 100644
--- a/go.sum
+++ b/go.sum
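Review bot: `RUN dnf update glibc -y` in the runtime stage of Dockerfile.ocp is an unpinned, unverifiable patch step: the image contents now depend on whatever the mirror serves at build time, and the package cache stays in the layer because there is no `dnf clean all`. If that stage is based on ubi-micro as Dockerfile.ci is, the step cannot work at all, since ubi-micro ships without a package manager; the stage's FROM line is outside this hunk, so I cannot confirm that here. The safer way to pick up glibc fixes is to rebuild on a newer base image tag, which also keeps the CI and OCP images in step. If the layered update must stay, chain the cleanup so the cache does not ship: `RUN dnf update -y glibc && dnf clean all`.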
@@ -6,6 +6,7 @@ github.com/antchfx/xmlquery v1.3.18/go.mod h1:Afkq4JIeXut75taLSuI31ISJ/zeq+3jG7T github.com/antchfx/xpath v1.2.4 h1:dW1HB/JxKvGtJ9WyVGJ0sIoEcqftV3SqIstujI+B9XY= github.com/antchfx/xpath v1.2.4/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs= github.com/ashcrow/osrelease v0.0.0-20180626175927-9b292693c55c h1:icme0QhxrgZOxTBnT6K8dfGLwbKWSOVwPB95XTbo8Ws= +github.com/ashcrow/osrelease v0.0.0-20180626175927-9b292693c55c/go.mod h1:BRljTyotlu+6N+Qlu5MhjxpdmccCnp9lDvZjNNV8qr4= github.com/aws/aws-sdk-go v1.19.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.50.25 h1:vhiHtLYybv1Nhx3Kv18BBC6L0aPJHaG9aeEsr92W99c= github.com/aws/aws-sdk-go v1.50.25/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= @@ -83,6 +84,7 @@ github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogB github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA= github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs= github.com/godbus/dbus v0.0.0-20181025153459-66d97aec3384/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= 
@@ -115,6 +117,7 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -152,6 +155,7 @@ github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgo github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -233,6 +237,7 @@ github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfm github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs= github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/securego/gosec/v2 v2.17.0 h1:ZpAStTDKY39insEG9OH6kV3IkhQZPTq9a9eGOLOjcdI= github.com/securego/gosec/v2 v2.17.0/go.mod h1:lt+mgC91VSmriVoJLentrMkRCYs+HLTBnUFUBuhV2hc= @@ -415,8 +420,6 @@ k8s.io/pod-security-admission v0.28.4 h1:b9d6zfKNjkawrO2gF7rBr5XoSZqPfE6UjKLNjgX k8s.io/pod-security-admission v0.28.4/go.mod h1:MVYrZx0Q6ewsZ05Ml2+Ox03HQMAVjO60oombQNmJ44E= k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -open-cluster-management.io/api v0.12.0 h1:sNkj4k2XyWA/GLsTiFg82bLIZ7JDZKkLLLyZjJUlJMs= -open-cluster-management.io/api v0.12.0/go.mod h1:/CZhelEH+30/pX7vXGSZOzLMX0zvjthYOkT/5ZTzVTQ= sigs.k8s.io/controller-runtime v0.16.3 h1:2TuvuokmfXvDUamSx1SuAOO3eTyye+47mJCigwG62c4= sigs.k8s.io/controller-runtime v0.16.3/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0= sigs.k8s.io/controller-tools v0.13.0 h1:NfrvuZ4bxyolhDBt/rCZhDnx3M2hzlhgo5n3Iv2RykI= From 2a198beadd5d43eeedd70115c3a8cbabc63cce85 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Thu, 18 Jul 2024 11:56:32 -0500 Subject: [PATCH 2/2] Use Authorization instead of BearerTokenFile for metrics endpoint auth --- cmd/manager/operator.go | 46 ++++++++++++++++++++++++++++++++---- cmd/manager/operator_test.go | 9 +++---- 2 files changed, 46 insertions(+), 9 deletions(-) 
diff --git a/cmd/manager/operator.go b/cmd/manager/operator.go
index 4767d6484..94b15e5a6 100644
--- a/cmd/manager/operator.go
+++ b/cmd/manager/operator.go
@@ -439,7 +439,7 @@ func addMetrics(ctx context.Context, cfg *rest.Config, kClient *kubernetes.Clien
 os.Exit(1)
 }
- if err := handleServiceMonitor(ctx, cfg, mClient, operatorNs, metricsService); err != nil {
+ if err := handleServiceMonitor(ctx, cfg, mClient, kClient, operatorNs, metricsService); err != nil {
 log.Error(err, "Error creating ServiceMonitor")
 os.Exit(1)
 }
@@ -681,13 +681,21 @@ func getDefaultRoles(platform PlatformType) []string {
 return defaultRolesPerPlatform[PlatformGeneric]
 }
-func generateOperatorServiceMonitor(service *v1.Service, namespace string) *monitoring.ServiceMonitor {
+func generateOperatorServiceMonitor(service *v1.Service, namespace, secretName string) *monitoring.ServiceMonitor {
 serviceMonitor := GenerateServiceMonitor(service)
 for i := range serviceMonitor.Spec.Endpoints {
 if serviceMonitor.Spec.Endpoints[i].Port == ctrlMetrics.ControllerMetricsServiceName {
 serviceMonitor.Spec.Endpoints[i].Path = ctrlMetrics.HandlerPath
 serviceMonitor.Spec.Endpoints[i].Scheme = "https"
- serviceMonitor.Spec.Endpoints[i].BearerTokenFile = serviceMonitorBearerTokenFile
+ serviceMonitor.Spec.Endpoints[i].Authorization = &monitoring.SafeAuthorization{
+ Type: "Bearer",
+ Credentials: &v1.SecretKeySelector{
+ LocalObjectReference: v1.LocalObjectReference{
+ Name: secretName,
+ },
+ Key: "token",
+ },
+ }
 serviceMonitor.Spec.Endpoints[i].TLSConfig = &monitoring.TLSConfig{
 SafeTLSConfig: monitoring.SafeTLSConfig{
 ServerName: "metrics." + namespace + ".svc",
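Review bot: generateOperatorServiceMonitor now takes `secretName` but nothing in the function rejects an empty name, so a caller that failed to resolve the token secret still produces an endpoint whose `Authorization.Credentials` names Secret "" and key "token", and Prometheus will fail the scrape with no hint in this code about why. The new parameter also has no doc comment; I would add `// generateOperatorServiceMonitor builds the operator ServiceMonitor; secretName must name a kubernetes.io/service-account-token Secret in namespace whose "token" key holds the bearer token Prometheus presents to the HTTPS controller metrics endpoint.` above the signature. With BearerTokenFile gone from this endpoint, `serviceMonitorBearerTokenFile` may now be unreferenced; its declaration is outside the hunk, so check with staticcheck and drop it if so. The function's remaining TLSConfig lines continue past the end of this hunk.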
@@ -699,6 +707,25 @@ func generateOperatorServiceMonitor(service *v1.Service, namespace string) *moni
 return serviceMonitor
 }
+func getSecretNameForServiceAccount(clientset *kubernetes.Clientset, namespace string, serviceAccountName string) (string, error) {
+ // List all secrets in the specified namespace
+ secrets, err := clientset.CoreV1().Secrets(namespace).List(context.TODO(), metav1.ListOptions{})
+ if err != nil {
+ return "", err
+ }
+
+ // Iterate through the secrets to find the one associated with the service account
+ for _, secret := range secrets.Items {
+ if secret.Annotations != nil {
+ if saName, exists := secret.Annotations["kubernetes.io/service-account.name"]; exists && saName == serviceAccountName {
+ return secret.Name, nil
+ }
+ }
+ }
+
+ return "", errors.New("secret for service account not found")
+}
+
 // createOrUpdateServiceMonitor creates or updates the ServiceMonitor if it already exists.
 func createOrUpdateServiceMonitor(ctx context.Context, mClient *monclientv1.MonitoringV1Client,
 namespace string, serviceMonitor *monitoring.ServiceMonitor) error {
@@ -724,7 +751,7 @@ func createOrUpdateServiceMonitor(ctx context.Context, mClient *monclientv1.Moni
 // handleServiceMonitor attempts to create a ServiceMonitor out of service, and updates it to include the controller
 // metrics paths.
-func handleServiceMonitor(ctx context.Context, cfg *rest.Config, mClient *monclientv1.MonitoringV1Client,
+func handleServiceMonitor(ctx context.Context, cfg *rest.Config, mClient *monclientv1.MonitoringV1Client, kubeClient *kubernetes.Clientset,
 namespace string, service *v1.Service) error {
 ok, err := ResourceExists(discovery.NewDiscoveryClientForConfigOrDie(cfg),
 "monitoring.coreos.com/v1", "ServiceMonitor")
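Review bot: getSecretNameForServiceAccount matches only on the `kubernetes.io/service-account.name` annotation and never checks `secret.Type`, so the first Secret of any type carrying that annotation wins; on OpenShift the generated dockercfg pull secrets carry the same annotation as far as I recall, and they have no `token` key, which would leave the ServiceMonitor pointing at a credential Prometheus cannot read. The unfiltered `List` also pulls every Secret in the namespace, data included, through the client when only token secrets matter, and `context.TODO()` ignores the ctx that the caller handleServiceMonitor already holds. Restricting the list with a field selector on `type` and asserting the type on each candidate narrows both the wrong-pick risk and what the operator's RBAC must expose; `v1.ServiceAccountNameKey` and `v1.SecretTypeServiceAccountToken` are the core/v1 constants for the strings used here. Note also that recent Kubernetes releases (and, I believe, OpenShift 4.16, which the first patch moves to) no longer auto-create token Secrets for service accounts, so this lookup only succeeds if something else in the operator creates one, and that is not visible in this diff.
```go
func getSecretNameForServiceAccount(clientset *kubernetes.Clientset, namespace string, serviceAccountName string) (string, error) {
	// Only token secrets are candidates; the selector keeps every other Secret
	// in the namespace out of the response.
	secrets, err := clientset.CoreV1().Secrets(namespace).List(context.TODO(), metav1.ListOptions{
		FieldSelector: "type=" + string(v1.SecretTypeServiceAccountToken),
	})
	if err != nil {
		return "", err
	}
	for _, secret := range secrets.Items {
		// The selector is a server-side filter; the type is the contract, so check it again.
		if secret.Type != v1.SecretTypeServiceAccountToken {
			continue
		}
		if secret.Annotations[v1.ServiceAccountNameKey] == serviceAccountName {
			return secret.Name, nil
		}
	}
	// … unchanged: not-found error …
}
```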
@@ -736,7 +763,16 @@ func handleServiceMonitor(ctx context.Context, cfg *rest.Config, mClient *moncli
 return nil
 }
- serviceMonitor := generateOperatorServiceMonitor(service, namespace)
+ serviceAccountName := "compliance-operator"
+ secretName, err := getSecretNameForServiceAccount(kubeClient, namespace, serviceAccountName)
+ if err != nil {
+ if kerr.IsNotFound(err) {
+ log.Infof("Unable to find secret associated with %s service account: %s", serviceAccountName, err)
+ } else {
+ log.Errorf("Failed to retrieve secret associated with %s service account for setting up metrics monitor: %s", serviceAccountName, err)
+ }
+ }
+ serviceMonitor := generateOperatorServiceMonitor(service, namespace, secretName)
 return createOrUpdateServiceMonitor(ctx, mClient, namespace, serviceMonitor)
 }
diff --git a/cmd/manager/operator_test.go b/cmd/manager/operator_test.go
index 59806229c..e2c63ea84 100644
--- a/cmd/manager/operator_test.go
+++ b/cmd/manager/operator_test.go
@@ -1,12 +1,13 @@
 package manager
 import (
- "github.com/ComplianceAsCode/compliance-operator/pkg/controller/metrics"
- . "github.com/onsi/ginkgo"
- . "github.com/onsi/gomega"
 "reflect"
 "runtime"
 "strings"
+
+ "github.com/ComplianceAsCode/compliance-operator/pkg/controller/metrics"
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
 )
 var _ = Describe("Operator Startup Function tests", func() {
@@ -23,7 +24,7 @@ var _ = Describe("Operator Startup Function tests", func() {
 When("Installing to non-controlled namespace", func() {
 It("ServiceMonitor is generated with the proper TLSConfig ServerName", func() {
 metricService := operatorMetricService("foobar")
- sm := generateOperatorServiceMonitor(metricService, "foobar")
+ sm := generateOperatorServiceMonitor(metricService, "foobar", "secret")
 controllerMetricServiceFound := false
 for _, ep := range sm.Spec.Endpoints {
 if ep.Port == metrics.ControllerMetricsServiceName && ep.TLSConfig != nil {
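Review bot: the error from getSecretNameForServiceAccount is logged and then dropped, so `secretName` is "" and the ServiceMonitor is still created with an Authorization block naming an empty Secret, where the replaced BearerTokenFile line at least produced a usable endpoint. The `kerr.IsNotFound` branch can never match: the not-found case in getSecretNameForServiceAccount is a plain `errors.New` value, and the only other error source is the List call, whose failures are not a missing-secret signal. Return the failure so the caller's existing `log.Error(err, "Error creating ServiceMonitor")` path handles it, replacing the whole if/else block with `if err != nil { return err }` (wrapped with the service account name and `%w` if fmt is in scope). If leaving the controller metrics unscraped is the intended outcome when no token secret exists, make that explicit with `return nil` after the log line rather than continuing with a selector that cannot resolve. The `log.Infof`/`log.Errorf` forms here also differ from the `log.Error(err, msg)` form used in addMetrics; if both hunks use the same logger, confirm both call shapes exist on it.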
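Review bot: the test now passes "secret" as the new argument but still asserts only the TLSConfig ServerName, so the Authorization block this commit introduces has no coverage and a change that drops it or mis-keys it would still pass. Inside the existing loop, next to the TLSConfig check, add `Expect(ep.Authorization).NotTo(BeNil())`, `Expect(ep.Authorization.Credentials.Name).To(Equal("secret"))` and `Expect(ep.Authorization.Credentials.Key).To(Equal("token"))`. The It block continues past the end of this hunk.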