diff --git a/.github/workflows/actions.yaml b/.github/workflows/actions.yaml index b5204f1c..0794be5c 100644 --- a/.github/workflows/actions.yaml +++ b/.github/workflows/actions.yaml @@ -1,20 +1,10 @@ name: Workflow -on: +on: # yamllint disable-line rule:truthy push: branches: [ main ] pull_request: branches: [ main ] jobs: - code-check: - name: Check Go formatting, linting, vetting - runs-on: ubuntu-latest - steps: - - name: Checkout the code - uses: actions/checkout@v4 - - name: Run the formatter, linter, and vetter - uses: dell/common-github-actions/go-code-formatter-linter-vetter@main - with: - directories: ./... sanitize: name: Check for forbidden words runs-on: ubuntu-latest 
@@ -25,57 +15,7 @@ jobs: uses: dell/common-github-actions/code-sanitizer@main with: args: /github/workspace - test: - name: Run Go unit tests and check package coverage - runs-on: ubuntu-latest - container: node:20 - services: - # Label used to access the service container - redis: - # Docker Hub image - image: redis - # Set health checks to wait until redis has started - options: >- - --health-cmd "redis-cli ping" - --health-interval 10s - --health-timeout 5s - --health-retries 5 - steps: - - name: Checkout the code - uses: actions/checkout@v4 - - name: Run unit tests and check package coverage - uses: dell/common-github-actions/go-code-tester@main - with: - threshold: 90 - skip-list: "karavi-authorization/deploy,karavi-authorization/internal/web,karavi-authorization/internal/tenantsvc,karavi-authorization/cmd/karavictl/cmd,karavi-authorization/cmd/proxy-server,karavi-authorization/cmd/tenant-service,karavi-authorization/internal/proxy,karavi-authorization/internal/tenantsvc,karavi-authorization/internal/token/jwx,karavi-authorization/internal/k8s,karavi-authorization/internal/role-service,karavi-authorization/internal/role-service/validate,karavi-authorization/cmd/sidecar-proxy" - env: - # The hostname used to communicate with the Redis service container - REDIS_HOST: redis - # The default Redis port - REDIS_PORT: 6379 - - go_security_scan: - name: Go security - runs-on: ubuntu-latest - steps: - - name: Checkout the code - uses: actions/checkout@v4 - - name: Run Go Security - uses: securego/gosec@master - with: - args: -exclude=G108,G402,G307 ./... - malware_security_scan: - name: Malware Scanner - runs-on: ubuntu-latest - steps: - - name: Checkout the code - uses: actions/checkout@v4 - - name: Run malware scan - uses: dell/common-github-actions/malware-scanner@main - with: - directories: . - options: -ri image_security_scan: name: Image Scanner runs-on: ubuntu-latest 
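Review bot: The `go_security_scan` (gosec) and `malware_security_scan` jobs are dropped here with no replacement visible in this diff; the commit adds `go-static-analysis.yaml@main` and `go-common.yml@main` in common-workflows.yaml, but whether those reusable workflows run gosec and a malware scan cannot be confirmed from the diff and should be verified (or stated in the PR description) before merge. The removed gosec step also carried `-exclude=G108,G402,G307`, and only G402 is re-suppressed inline (in cmd/sidecar-proxy/main_test.go), so if the reusable workflow runs gosec with default rules, G108/G307 findings may surface as new failures. The removed unit-test job's `threshold: 90` and `skip-list` likewise have no visible equivalent in the replacement.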
@@ -90,7 +30,7 @@ jobs: - name: Install Mockgen run: go get github.com/golang/mock/mockgen@v1.6.0 - name: Get dependencies - run: go mod download + run: go mod download - name: Build karavi-authorization Docker Images run: make builder - name: Get podman image tags for image scans diff --git a/.github/workflows/common-workflows.yaml b/.github/workflows/common-workflows.yaml new file mode 100644 index 00000000..4b2dd073 --- /dev/null +++ b/.github/workflows/common-workflows.yaml @@ -0,0 +1,40 @@ +name: Common Workflows +on: # yamllint disable-line rule:truthy + push: + branches: [main] + pull_request: + branches: ["**"] + +env: + # The hostname used to communicate with the Redis service container + REDIS_HOST: redis + # The default Redis port + REDIS_PORT: 6379 + +jobs: + + # golang static analysis checks + go-static-analysis: + uses: dell/common-github-actions/.github/workflows/go-static-analysis.yaml@main + name: Golang Validation + + redis: + name: Set up Redis + runs-on: ubuntu-latest + container: node:20 + services: + # Label used to access the service container + redis: + # Docker Hub image + image: redis + # Set health checks to wait until redis has started + options: >- + --health-cmd "redis-cli ping" + --health-interval 10s + --health-timeout 5s + --health-retries 5 + + common: + name: Quality Checks + needs: redis + uses: dell/common-github-actions/.github/workflows/go-common.yml@main diff --git a/.github/workflows/go-version.yaml b/.github/workflows/go-version.yaml index 1ba387ea..51df53be 100644 --- a/.github/workflows/go-version.yaml +++ b/.github/workflows/go-version.yaml @@ -9,7 +9,7 @@ # Reusable workflow to perform go version update on Golang based projects name: Go Version Update -on: +on: # yamllint disable-line rule:truthy workflow_dispatch: repository_dispatch: types: [go-update-workflow] diff --git a/.github/workflows/linters.yaml b/.github/workflows/linters.yaml deleted file mode 100644 index cbeb2c49..00000000 
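Review bot: The Redis service declared in the new `redis` job is not reachable from the `common` job: `services:` containers exist only for the job that declares them and `needs: redis` only orders the jobs, and the workflow-level `env` (`REDIS_HOST`/`REDIS_PORT`) is not propagated into a called reusable workflow, so `go-common.yml@main` will see neither unless it starts Redis itself or receives the values via `inputs:`/`with:`. The `redis` job also declares `runs-on` and `services` but no `steps:`, which GitHub Actions is likely to reject at workflow parse time. The new file sets no `permissions:` block, whereas the deleted linters.yaml pinned `contents: read`; adding `permissions:` / `  contents: read` at the top level keeps the GITHUB_TOKEN least-privileged for both called workflows. Both `uses:` references float on `@main`, so the workflow content actually executed can change without a commit here; pinning to a release tag or commit SHA makes it reviewable.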
--- a/.github/workflows/linters.yaml +++ /dev/null @@ -1,31 +0,0 @@ -name: linters - -on: - push: - branches: [main] - pull_request: - branches: ["**"] - -permissions: - contents: read - -jobs: - golangci-lint: - name: golangci-lint - runs-on: ubuntu-latest - steps: - - uses: actions/setup-go@v5 - with: - go-version: "1.23" - cache: false - - name: Checkout the code - uses: actions/checkout@v4 - - name: Vendor packages - run: | - go mod vendor - - name: golangci-lint - uses: golangci/golangci-lint-action@v6 - with: - version: latest - skip-cache: true - args: --out-format=colored-line-number diff --git a/cmd/sidecar-proxy/main_test.go b/cmd/sidecar-proxy/main_test.go index eff22da1..7026c49a 100644 --- a/cmd/sidecar-proxy/main_test.go +++ b/cmd/sidecar-proxy/main_test.go @@ -40,7 +40,7 @@ func TestProxyInstanceHandler(t *testing.T) { rp := httputil.NewSingleHostReverseProxy(u) rp.Transport = &http.Transport{ TLSClientConfig: &tls.Config{ - InsecureSkipVerify: true, + InsecureSkipVerify: true, // #nosec G402 }, } diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml index 87ebea63..9d216138 100644 --- a/deploy/deployment.yaml +++ b/deploy/deployment.yaml @@ -14,9 +14,9 @@ roleRef: name: view apiGroup: rbac.authorization.k8s.io subjects: -- kind: Group - name: system:serviceaccounts:karavi - apiGroup: rbac.authorization.k8s.io + - kind: Group + name: system:serviceaccounts:karavi + apiGroup: rbac.authorization.k8s.io --- # Define role for OPA/kube-mgmt to update configmaps with policy status. kind: Role @@ -25,9 +25,9 @@ metadata: namespace: karavi name: configmap-modifier rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["update", "patch"] --- # Grant OPA/kube-mgmt role defined above. kind: RoleBinding 
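Review bot: The added `// #nosec G402` suppresses the finding without recording why it is acceptable; gosec accepts a justification after a double dash, e.g. `InsecureSkipVerify: true, // #nosec G402 -- test-only client transport`, which is worth adding since this commit also removes the old `go_security_scan` job whose `-exclude=...,G402,...` previously hid the finding globally. The surrounding `TestProxyInstanceHandler` starts before the hunk, so whether the proxied target is a local test server cannot be confirmed here; the justification should state it.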
@@ -40,9 +40,9 @@ roleRef: name: configmap-modifier apiGroup: rbac.authorization.k8s.io subjects: -- kind: Group - name: system:serviceaccounts:karavi - apiGroup: rbac.authorization.k8s.io + - kind: Group + name: system:serviceaccounts:karavi + apiGroup: rbac.authorization.k8s.io --- apiVersion: apps/v1 kind: Deployment 
@@ -62,46 +62,46 @@ spec: app: proxy-server spec: containers: - - name: proxy-server - image: localhost/proxy-server:${BUILDER_TAG} - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8080 - volumeMounts: + - name: proxy-server + image: localhost/proxy-server:${BUILDER_TAG} + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8080 + volumeMounts: + - name: config-volume + mountPath: /etc/karavi-authorization/config + - name: storage-volume + mountPath: /etc/karavi-authorization/storage + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + - name: opa + image: docker.io/openpolicyagent/opa + imagePullPolicy: IfNotPresent + args: + - "run" + - "--ignore=." + - "--server" + - "--log-level=debug" + ports: + - name: http + containerPort: 8181 + - name: kube-mgmt + image: docker.io/openpolicyagent/kube-mgmt:0.11 + imagePullPolicy: IfNotPresent + args: + - "--policies=karavi" + - "--enable-data" + - "--opa-url=http://127.0.0.1:8181/v1" + volumes: - name: config-volume - mountPath: /etc/karavi-authorization/config + secret: + secretName: karavi-config-secret - name: storage-volume - mountPath: /etc/karavi-authorization/storage + secret: + secretName: karavi-storage-secret - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - - name: opa - image: docker.io/openpolicyagent/opa - imagePullPolicy: IfNotPresent - args: - - "run" - - "--ignore=." 
- - "--server" - - "--log-level=debug" - ports: - - name: http - containerPort: 8181 - - name: kube-mgmt - image: docker.io/openpolicyagent/kube-mgmt:0.11 - imagePullPolicy: IfNotPresent - args: - - "--policies=karavi" - - "--enable-data" - - "--opa-url=http://127.0.0.1:8181/v1" - volumes: - - name: config-volume - secret: - secretName: karavi-config-secret - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: csm-config-params - configMap: - name: csm-config-params + configMap: + name: csm-config-params --- apiVersion: apps/v1 kind: Deployment @@ -121,24 +121,24 @@ spec: app: tenant-service spec: containers: - - name: tenant-service - image: localhost/tenant-service:${BUILDER_TAG} - imagePullPolicy: IfNotPresent - ports: - - containerPort: 50051 - name: grpc - volumeMounts: + - name: tenant-service + image: localhost/tenant-service:${BUILDER_TAG} + imagePullPolicy: IfNotPresent + ports: + - containerPort: 50051 + name: grpc + volumeMounts: + - name: config-volume + mountPath: /etc/karavi-authorization/config + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + volumes: - name: config-volume - mountPath: /etc/karavi-authorization/config + secret: + secretName: karavi-config-secret - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: config-volume - secret: - secretName: karavi-config-secret - - name: csm-config-params - configMap: - name: csm-config-params + configMap: + name: csm-config-params --- apiVersion: v1 kind: ServiceAccount @@ -153,7 +153,7 @@ metadata: rules: - apiGroups: [""] resources: ["secrets"] - verbs: ["get","patch","post"] + verbs: ["get", "patch", "post"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 
@@ -187,32 +187,32 @@ spec: spec: serviceAccountName: storage-service containers: - - name: storage-service - image: localhost/storage-service:${BUILDER_TAG} - imagePullPolicy: IfNotPresent - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: karavi - volumeMounts: + - name: storage-service + image: localhost/storage-service:${BUILDER_TAG} + imagePullPolicy: IfNotPresent + ports: + - containerPort: 50051 + name: grpc + env: + - name: NAMESPACE + value: karavi + volumeMounts: + - name: storage-volume + mountPath: /etc/karavi-authorization/storage + - name: config-volume + mountPath: /etc/karavi-authorization/config + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + volumes: - name: storage-volume - mountPath: /etc/karavi-authorization/storage + secret: + secretName: karavi-storage-secret - name: config-volume - mountPath: /etc/karavi-authorization/config + secret: + secretName: karavi-config-secret - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: config-volume - secret: - secretName: karavi-config-secret - - name: csm-config-params - configMap: - name: csm-config-params + configMap: + name: csm-config-params --- apiVersion: v1 kind: ServiceAccount 
@@ -264,24 +264,24 @@ spec: spec: serviceAccountName: role-service containers: - - name: role-service - image: localhost/role-service:${BUILDER_TAG} - imagePullPolicy: IfNotPresent - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: karavi - volumeMounts: - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params + - name: role-service + image: localhost/role-service:${BUILDER_TAG} + imagePullPolicy: IfNotPresent + ports: + - containerPort: 50051 + name: grpc + env: + - name: NAMESPACE + value: karavi + volumeMounts: + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params volumes: - - name: csm-config-params - configMap: - name: csm-config-params + - name: csm-config-params + configMap: + name: csm-config-params --- -apiVersion: apps/v1 +apiVersion: apps/v1 kind: Deployment metadata: name: redis-primary @@ -303,19 +303,19 @@ spec: tier: backend spec: containers: - - name: primary - image: docker.io/redis:6.0.8-alpine - imagePullPolicy: IfNotPresent - args: ["--appendonly", "yes", "--appendfsync", "always"] - resources: - requests: - cpu: 100m - memory: 100Mi - ports: - - containerPort: 6379 - volumeMounts: - - name: redis-primary-volume - mountPath: /data + - name: primary + image: docker.io/redis:6.0.8-alpine + imagePullPolicy: IfNotPresent + args: ["--appendonly", "yes", "--appendfsync", "always"] + resources: + requests: + cpu: 100m + memory: 100Mi + ports: + - containerPort: 6379 + volumeMounts: + - name: redis-primary-volume + mountPath: /data volumes: - name: redis-primary-volume persistentVolumeClaim: 
@@ -353,34 +353,34 @@ spec: tier: backend spec: containers: - - name: redis-commander - image: docker.io/rediscommander/redis-commander:latest - imagePullPolicy: IfNotPresent - env: - - name: REDIS_HOSTS - value: "rbac:redis.karavi.svc.cluster.local:6379" - - name: K8S_SIGTERM - value: "1" - ports: - name: redis-commander - containerPort: 8081 - livenessProbe: - httpGet: - path: /favicon.png - port: 8081 - initialDelaySeconds: 10 - timeoutSeconds: 5 - resources: - limits: - cpu: "500m" - memory: "512M" - securityContext: - runAsNonRoot: true - readOnlyRootFilesystem: false - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL + image: docker.io/rediscommander/redis-commander:latest + imagePullPolicy: IfNotPresent + env: + - name: REDIS_HOSTS + value: "rbac:redis.karavi.svc.cluster.local:6379" + - name: K8S_SIGTERM + value: "1" + ports: + - name: redis-commander + containerPort: 8081 + livenessProbe: + httpGet: + path: /favicon.png + port: 8081 + initialDelaySeconds: 10 + timeoutSeconds: 5 + resources: + limits: + cpu: "500m" + memory: "512M" + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL --- apiVersion: v1 kind: Service @@ -391,9 +391,9 @@ spec: selector: app: tenant-service ports: - - port: 50051 - targetPort: 50051 - name: grpc + - port: 50051 + targetPort: 50051 + name: grpc --- apiVersion: v1 kind: Service @@ -404,9 +404,9 @@ spec: selector: app: storage-service ports: - - port: 50051 - targetPort: 50051 - name: grpc + - port: 50051 + targetPort: 50051 + name: grpc --- apiVersion: v1 kind: Service @@ -417,9 +417,9 @@ spec: selector: app: role-service ports: - - port: 50051 - targetPort: 50051 - name: grpc + - port: 50051 + targetPort: 50051 + name: grpc --- apiVersion: v1 kind: Service 
@@ -430,10 +430,10 @@ spec: selector: app: proxy-server ports: - - name: http - protocol: TCP - port: 8080 - targetPort: 8080 + - name: http + protocol: TCP + port: 8080 + targetPort: 8080 --- apiVersion: v1 kind: Service @@ -444,9 +444,9 @@ spec: selector: app: redis ports: - - protocol: TCP - port: 6379 - targetPort: 6379 + - protocol: TCP + port: 6379 + targetPort: 6379 --- apiVersion: v1 kind: Service @@ -457,6 +457,6 @@ spec: selector: app: redis-commander ports: - - protocol: TCP - port: 8081 - targetPort: 8081 + - protocol: TCP + port: 8081 + targetPort: 8081 diff --git a/deploy/ingress-traefik.yaml b/deploy/ingress-traefik.yaml index cd63d404..d2caf8b9 100644 --- a/deploy/ingress-traefik.yaml +++ b/deploy/ingress-traefik.yaml @@ -8,17 +8,17 @@ metadata: namespace: karavi spec: entryPoints: - - web - - websecure + - web + - websecure routes: - - kind: Rule - match: Host(`temporary.Host.Name`) && PathPrefix(`/`) - middlewares: [] - priority: 0 - services: - - kind: Service - name: proxy-server - namespace: karavi - port: 8080 + - kind: Rule + match: Host(`temporary.Host.Name`) && PathPrefix(`/`) + middlewares: [] + priority: 0 + services: + - kind: Service + name: proxy-server + namespace: karavi + port: 8080 tls: secretName: karavi-auth-tls diff --git a/deploy/self-cert.yaml b/deploy/self-cert.yaml index 2df5fda1..f14f9292 100644 --- a/deploy/self-cert.yaml +++ b/deploy/self-cert.yaml @@ -7,7 +7,6 @@ spec: selfSigned: {} --- - apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -15,11 +14,11 @@ metadata: namespace: karavi spec: secretName: karavi-auth-tls - duration: 2160h # 90d - renewBefore: 360h # 15d + duration: 2160h # 90d + renewBefore: 360h # 15d subject: organizations: - - dellemc + - dellemc isCA: false privateKey: algorithm: RSA 
@@ -29,8 +28,8 @@ spec: - server auth - client auth dnsNames: - - karavi-auth - - karavi-auth.karavi.svc.kubernetes.local + - karavi-auth + - karavi-auth.karavi.svc.kubernetes.local issuerRef: name: selfsigned-issuer kind: Issuer diff --git a/deploy/tls-option.yaml b/deploy/tls-option.yaml index 51646b32..918af724 100644 --- a/deploy/tls-option.yaml +++ b/deploy/tls-option.yaml @@ -14,4 +14,4 @@ spec: - TLS_RSA_WITH_AES_128_CBC_SHA - TLS_RSA_WITH_AES_128_GCM_SHA256 - TLS_RSA_WITH_AES_256_CBC_SHA - - TLS_RSA_WITH_AES_256_GCM_SHA384 \ No newline at end of file + - TLS_RSA_WITH_AES_256_GCM_SHA384 diff --git a/deploy/tls-store.yaml b/deploy/tls-store.yaml index 6d1631a1..8bb083fe 100644 --- a/deploy/tls-store.yaml +++ b/deploy/tls-store.yaml @@ -6,4 +6,4 @@ metadata: spec: defaultCertificate: - secretName: karavi-auth-tls \ No newline at end of file + secretName: karavi-auth-tls diff --git a/policies/karavi-storage-secret.yaml b/policies/karavi-storage-secret.yaml index 4a7b240a..125bc903 100644 --- a/policies/karavi-storage-secret.yaml +++ b/policies/karavi-storage-secret.yaml @@ -5,4 +5,4 @@ kind: Secret metadata: creationTimestamp: null name: karavi-storage-secret - namespace: karavi \ No newline at end of file + namespace: karavi diff --git a/tokens.yaml b/tokens.yaml index 521e7209..0db0c68b 100644 --- a/tokens.yaml +++ b/tokens.yaml 
@@ -2,4 +2,4 @@ tokenString: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" AccessToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJrYXJhdmkiLCJleHAiOjExMTQ0ODQ4ODMsImlzcyI6ImNvbS5kZWxsLmthcmF2aSIsInN1YiI6ImthcmF2aS10ZW5hbnQiLCJyb2xlcyI6IkNBLW1lZGl1bSIsImdyb3VwIjoiUGFuY2FrZUdyb3VwIn0.IE4yX53JaGwHZigD299ROtt0OH6DhUWGqejcLQ9N-xU" RefreshToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJrYXJhdmkiLCJleHAiOjE5MTU1ODU4ODMsImlzcyI6ImNvbS5kZWxsLmthcmF2aSIsInN1YiI6ImthcmF2aS10ZW5hbnQiLCJyb2xlcyI6IkNBLW1lZGl1bSIsImdyb3VwIjoiUGFuY2FrZUdyb3VwIn0.7fljbEr3ylTGO7MeeEk-jv4-QzxhcQaXjDAXXvmo9zI" secondToken: "YWRtaW46MTYxMDU3OTI1NjMyMjo2MGFiNTIyYTcxYjEwMGM3ZTdlYzRhMDU3MDA1MjNhMw" -firstToken: "YWRtaW46MTYxMDUxNzk5NDQxODpjYzBkMGEwMmUwYzNiODUxOTM1NWMxZThkNTcwZWEwNA" \ No newline at end of file +firstToken: "YWRtaW46MTYxMDUxNzk5NDQxODpjYzBkMGEwMmUwYzNiODUxOTM1NWMxZThkNTcwZWEwNA"