From 7a27d47f74b69f8f06f87bf3ba3d0c743b94876f Mon Sep 17 00:00:00 2001 From: root Date: Fri, 8 Nov 2024 18:54:19 +0000 Subject: [PATCH] fix linting --- .github/workflows/actions.yaml | 2 +- cmd/sidecar-proxy/main_test.go | 2 +- deploy/deployment.yaml | 322 ++++++++++++++-------------- deploy/ingress-traefik.yaml | 22 +- deploy/self-cert.yaml | 6 +- deploy/tls-option.yaml | 2 +- deploy/tls-store.yaml | 2 +- policies/karavi-storage-secret.yaml | 2 +- 8 files changed, 180 insertions(+), 180 deletions(-) diff --git a/.github/workflows/actions.yaml b/.github/workflows/actions.yaml index a878d5e6..0794be5c 100644 --- a/.github/workflows/actions.yaml +++ b/.github/workflows/actions.yaml @@ -30,7 +30,7 @@ jobs: - name: Install Mockgen run: go get github.com/golang/mock/mockgen@v1.6.0 - name: Get dependencies - run: go mod download + run: go mod download - name: Build karavi-authorization Docker Images run: make builder - name: Get podman image tags for image scans diff --git a/cmd/sidecar-proxy/main_test.go b/cmd/sidecar-proxy/main_test.go index eff22da1..7026c49a 100644 --- a/cmd/sidecar-proxy/main_test.go +++ b/cmd/sidecar-proxy/main_test.go @@ -40,7 +40,7 @@ func TestProxyInstanceHandler(t *testing.T) { rp := httputil.NewSingleHostReverseProxy(u) rp.Transport = &http.Transport{ TLSClientConfig: &tls.Config{ - InsecureSkipVerify: true, + InsecureSkipVerify: true, // #nosec G402 }, } diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml index 87ebea63..9d216138 100644 --- a/deploy/deployment.yaml +++ b/deploy/deployment.yaml @@ -14,9 +14,9 @@ roleRef: name: view apiGroup: rbac.authorization.k8s.io subjects: -- kind: Group - name: system:serviceaccounts:karavi - apiGroup: rbac.authorization.k8s.io + - kind: Group + name: system:serviceaccounts:karavi + apiGroup: rbac.authorization.k8s.io --- # Define role for OPA/kube-mgmt to update configmaps with policy status. kind: Role 
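Review bot: The `// #nosec G402` added on `InsecureSkipVerify: true` in cmd/sidecar-proxy/main_test.go silences gosec without recording why skipping certificate verification is acceptable at this spot. gosec accepts a justification after the rule id, so I would write `InsecureSkipVerify: true, // #nosec G402 -- test-only transport to a local test server`, with the reason adjusted to whatever `u` actually points to, which the hunk does not show. A stated reason next to the suppression makes it easier to notice if the same transport setup is later copied into non-test proxy code, where verification must stay on. TestProxyInstanceHandler begins and ends outside the hunk, so the rest of the test was not reviewed.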
@@ -25,9 +25,9 @@ metadata: namespace: karavi name: configmap-modifier rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["update", "patch"] --- # Grant OPA/kube-mgmt role defined above. kind: RoleBinding @@ -40,9 +40,9 @@ roleRef: name: configmap-modifier apiGroup: rbac.authorization.k8s.io subjects: -- kind: Group - name: system:serviceaccounts:karavi - apiGroup: rbac.authorization.k8s.io + - kind: Group + name: system:serviceaccounts:karavi + apiGroup: rbac.authorization.k8s.io --- apiVersion: apps/v1 kind: Deployment 
@@ -62,46 +62,46 @@ spec: app: proxy-server spec: containers: - - name: proxy-server - image: localhost/proxy-server:${BUILDER_TAG} - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8080 - volumeMounts: + - name: proxy-server + image: localhost/proxy-server:${BUILDER_TAG} + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8080 + volumeMounts: + - name: config-volume + mountPath: /etc/karavi-authorization/config + - name: storage-volume + mountPath: /etc/karavi-authorization/storage + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + - name: opa + image: docker.io/openpolicyagent/opa + imagePullPolicy: IfNotPresent + args: + - "run" + - "--ignore=." + - "--server" + - "--log-level=debug" + ports: + - name: http + containerPort: 8181 + - name: kube-mgmt + image: docker.io/openpolicyagent/kube-mgmt:0.11 + imagePullPolicy: IfNotPresent + args: + - "--policies=karavi" + - "--enable-data" + - "--opa-url=http://127.0.0.1:8181/v1" + volumes: - name: config-volume - mountPath: /etc/karavi-authorization/config + secret: + secretName: karavi-config-secret - name: storage-volume - mountPath: /etc/karavi-authorization/storage + secret: + secretName: karavi-storage-secret - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - - name: opa - image: docker.io/openpolicyagent/opa - imagePullPolicy: IfNotPresent - args: - - "run" - - "--ignore=." 
- - "--server" - - "--log-level=debug" - ports: - - name: http - containerPort: 8181 - - name: kube-mgmt - image: docker.io/openpolicyagent/kube-mgmt:0.11 - imagePullPolicy: IfNotPresent - args: - - "--policies=karavi" - - "--enable-data" - - "--opa-url=http://127.0.0.1:8181/v1" - volumes: - - name: config-volume - secret: - secretName: karavi-config-secret - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: csm-config-params - configMap: - name: csm-config-params + configMap: + name: csm-config-params --- apiVersion: apps/v1 kind: Deployment @@ -121,24 +121,24 @@ spec: app: tenant-service spec: containers: - - name: tenant-service - image: localhost/tenant-service:${BUILDER_TAG} - imagePullPolicy: IfNotPresent - ports: - - containerPort: 50051 - name: grpc - volumeMounts: + - name: tenant-service + image: localhost/tenant-service:${BUILDER_TAG} + imagePullPolicy: IfNotPresent + ports: + - containerPort: 50051 + name: grpc + volumeMounts: + - name: config-volume + mountPath: /etc/karavi-authorization/config + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + volumes: - name: config-volume - mountPath: /etc/karavi-authorization/config + secret: + secretName: karavi-config-secret - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: config-volume - secret: - secretName: karavi-config-secret - - name: csm-config-params - configMap: - name: csm-config-params + configMap: + name: csm-config-params --- apiVersion: v1 kind: ServiceAccount @@ -153,7 +153,7 @@ metadata: rules: - apiGroups: [""] resources: ["secrets"] - verbs: ["get","patch","post"] + verbs: ["get", "patch", "post"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 
@@ -187,32 +187,32 @@ spec: spec: serviceAccountName: storage-service containers: - - name: storage-service - image: localhost/storage-service:${BUILDER_TAG} - imagePullPolicy: IfNotPresent - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: karavi - volumeMounts: + - name: storage-service + image: localhost/storage-service:${BUILDER_TAG} + imagePullPolicy: IfNotPresent + ports: + - containerPort: 50051 + name: grpc + env: + - name: NAMESPACE + value: karavi + volumeMounts: + - name: storage-volume + mountPath: /etc/karavi-authorization/storage + - name: config-volume + mountPath: /etc/karavi-authorization/config + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + volumes: - name: storage-volume - mountPath: /etc/karavi-authorization/storage + secret: + secretName: karavi-storage-secret - name: config-volume - mountPath: /etc/karavi-authorization/config + secret: + secretName: karavi-config-secret - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: config-volume - secret: - secretName: karavi-config-secret - - name: csm-config-params - configMap: - name: csm-config-params + configMap: + name: csm-config-params --- apiVersion: v1 kind: ServiceAccount 
@@ -264,24 +264,24 @@ spec: spec: serviceAccountName: role-service containers: - - name: role-service - image: localhost/role-service:${BUILDER_TAG} - imagePullPolicy: IfNotPresent - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: karavi - volumeMounts: - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params + - name: role-service + image: localhost/role-service:${BUILDER_TAG} + imagePullPolicy: IfNotPresent + ports: + - containerPort: 50051 + name: grpc + env: + - name: NAMESPACE + value: karavi + volumeMounts: + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params volumes: - - name: csm-config-params - configMap: - name: csm-config-params + - name: csm-config-params + configMap: + name: csm-config-params --- -apiVersion: apps/v1 +apiVersion: apps/v1 kind: Deployment metadata: name: redis-primary @@ -303,19 +303,19 @@ spec: tier: backend spec: containers: - - name: primary - image: docker.io/redis:6.0.8-alpine - imagePullPolicy: IfNotPresent - args: ["--appendonly", "yes", "--appendfsync", "always"] - resources: - requests: - cpu: 100m - memory: 100Mi - ports: - - containerPort: 6379 - volumeMounts: - - name: redis-primary-volume - mountPath: /data + - name: primary + image: docker.io/redis:6.0.8-alpine + imagePullPolicy: IfNotPresent + args: ["--appendonly", "yes", "--appendfsync", "always"] + resources: + requests: + cpu: 100m + memory: 100Mi + ports: + - containerPort: 6379 + volumeMounts: + - name: redis-primary-volume + mountPath: /data volumes: - name: redis-primary-volume persistentVolumeClaim: 
@@ -353,34 +353,34 @@ spec: tier: backend spec: containers: - - name: redis-commander - image: docker.io/rediscommander/redis-commander:latest - imagePullPolicy: IfNotPresent - env: - - name: REDIS_HOSTS - value: "rbac:redis.karavi.svc.cluster.local:6379" - - name: K8S_SIGTERM - value: "1" - ports: - name: redis-commander - containerPort: 8081 - livenessProbe: - httpGet: - path: /favicon.png - port: 8081 - initialDelaySeconds: 10 - timeoutSeconds: 5 - resources: - limits: - cpu: "500m" - memory: "512M" - securityContext: - runAsNonRoot: true - readOnlyRootFilesystem: false - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL + image: docker.io/rediscommander/redis-commander:latest + imagePullPolicy: IfNotPresent + env: + - name: REDIS_HOSTS + value: "rbac:redis.karavi.svc.cluster.local:6379" + - name: K8S_SIGTERM + value: "1" + ports: + - name: redis-commander + containerPort: 8081 + livenessProbe: + httpGet: + path: /favicon.png + port: 8081 + initialDelaySeconds: 10 + timeoutSeconds: 5 + resources: + limits: + cpu: "500m" + memory: "512M" + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL --- apiVersion: v1 kind: Service @@ -391,9 +391,9 @@ spec: selector: app: tenant-service ports: - - port: 50051 - targetPort: 50051 - name: grpc + - port: 50051 + targetPort: 50051 + name: grpc --- apiVersion: v1 kind: Service @@ -404,9 +404,9 @@ spec: selector: app: storage-service ports: - - port: 50051 - targetPort: 50051 - name: grpc + - port: 50051 + targetPort: 50051 + name: grpc --- apiVersion: v1 kind: Service @@ -417,9 +417,9 @@ spec: selector: app: role-service ports: - - port: 50051 - targetPort: 50051 - name: grpc + - port: 50051 + targetPort: 50051 + name: grpc --- apiVersion: v1 kind: Service 
@@ -430,10 +430,10 @@ spec: selector: app: proxy-server ports: - - name: http - protocol: TCP - port: 8080 - targetPort: 8080 + - name: http + protocol: TCP + port: 8080 + targetPort: 8080 --- apiVersion: v1 kind: Service @@ -444,9 +444,9 @@ spec: selector: app: redis ports: - - protocol: TCP - port: 6379 - targetPort: 6379 + - protocol: TCP + port: 6379 + targetPort: 6379 --- apiVersion: v1 kind: Service @@ -457,6 +457,6 @@ spec: selector: app: redis-commander ports: - - protocol: TCP - port: 8081 - targetPort: 8081 + - protocol: TCP + port: 8081 + targetPort: 8081 diff --git a/deploy/ingress-traefik.yaml b/deploy/ingress-traefik.yaml index cd63d404..d2caf8b9 100644 --- a/deploy/ingress-traefik.yaml +++ b/deploy/ingress-traefik.yaml @@ -8,17 +8,17 @@ metadata: namespace: karavi spec: entryPoints: - - web - - websecure + - web + - websecure routes: - - kind: Rule - match: Host(`temporary.Host.Name`) && PathPrefix(`/`) - middlewares: [] - priority: 0 - services: - - kind: Service - name: proxy-server - namespace: karavi - port: 8080 + - kind: Rule + match: Host(`temporary.Host.Name`) && PathPrefix(`/`) + middlewares: [] + priority: 0 + services: + - kind: Service + name: proxy-server + namespace: karavi + port: 8080 tls: secretName: karavi-auth-tls diff --git a/deploy/self-cert.yaml b/deploy/self-cert.yaml index dc6aa67d..f14f9292 100644 --- a/deploy/self-cert.yaml +++ b/deploy/self-cert.yaml @@ -18,7 +18,7 @@ spec: renewBefore: 360h # 15d subject: organizations: - - dellemc + - dellemc isCA: false privateKey: algorithm: RSA @@ -28,8 +28,8 @@ spec: - server auth - client auth dnsNames: - - karavi-auth - - karavi-auth.karavi.svc.kubernetes.local + - karavi-auth + - karavi-auth.karavi.svc.kubernetes.local issuerRef: name: selfsigned-issuer kind: Issuer diff --git a/deploy/tls-option.yaml b/deploy/tls-option.yaml index 51646b32..918af724 100644 --- a/deploy/tls-option.yaml +++ b/deploy/tls-option.yaml 
@@ -14,4 +14,4 @@ spec: - TLS_RSA_WITH_AES_128_CBC_SHA - TLS_RSA_WITH_AES_128_GCM_SHA256 - TLS_RSA_WITH_AES_256_CBC_SHA - - TLS_RSA_WITH_AES_256_GCM_SHA384 \ No newline at end of file + - TLS_RSA_WITH_AES_256_GCM_SHA384 diff --git a/deploy/tls-store.yaml b/deploy/tls-store.yaml index 6d1631a1..8bb083fe 100644 --- a/deploy/tls-store.yaml +++ b/deploy/tls-store.yaml @@ -6,4 +6,4 @@ metadata: spec: defaultCertificate: - secretName: karavi-auth-tls \ No newline at end of file + secretName: karavi-auth-tls diff --git a/policies/karavi-storage-secret.yaml b/policies/karavi-storage-secret.yaml index 4a7b240a..125bc903 100644 --- a/policies/karavi-storage-secret.yaml +++ b/policies/karavi-storage-secret.yaml @@ -5,4 +5,4 @@ kind: Secret metadata: creationTimestamp: null name: karavi-storage-secret - namespace: karavi \ No newline at end of file + namespace: karavi