latchset / tang-operator Goto Github PK

View Code? Open in Web Editor NEW

8.0 6.0 9.0 639 KB

An Openshift/K8S operator to manage NBDE Tang Servers

License: Apache License 2.0

Shell 19.84% Dockerfile 2.41% Makefile 8.74% Go 69.00%

nbde tang network-disk encryption-decryption security kubernetes openshift operator

tang-operator's People

Contributors

Stargazers

Watchers

Forkers

ekmixon sarroutbi yuvalk gauravpbankar ethicalsecurity-agency bawaler prb112 koncpa

tang-operator's Issues

Rename Verify to verify Github action job name for coherency

Cluster tests are broken with latest versions of Go. This needs to be reviewed

shellcheck tools/cluster_tools/add_cluster.sh

tools/cluster_tools/add_cluster.sh has issues reported by shellcheck. If possible, they should be fixed

Advertise key thumbprints

In order to ease key management in tang servers deploy via tang-operators, a new feature should be added to provide active and hidden key thumbprints in status field via K8S native API.

An example of the provided data could be as follows:

apiVersion: tangoperator.openshift.io/v1
kind: TangServer
metadata:
  name: exampleServer01
spec:
  port: 7500
  replicas: 3
  hiddenKeys:
  - sha1: shortthumbprint
status:
  running: 3
  ready: 3
  url: http://tang.cluster.fqdn:7500
  activeKeys:
  - sha1: NEWshorthumbprint
    sha256: NEWlongthumbprintismuchlonger
    generated: 2021-10-01T16:32:18Z
  hiddenKeys:
  - sha1: shorthumbprint
    sha256: longthumbprintismuchlonger
    generated: 2021-09-01T15:00:32Z
    hidden: 2021-10-01T16:32:18Z

tools/api_tools/api_explore.sh seems to be not working

tools/api_tools/api_explore.sh seems to be not working. It gets stuck trying to extract information from the client with latest versions of OpenShift

Release v0.0.28

Release v0.0.28 sould be created to include latest changes related to code refactor (see issue #27 and PR #106)

tang operator service: cannot use service port different to 8080

When port different to 8080 is defined in Tang Server as port to export, traffic is not correctly redirected.

shellcheck tools/test_memleak.sh

tools/tests_memleak.sh has issues reported by shellcheck. If possible, they should be fixed

Do not make public unnecessary function HandleHiddenKeys

Do not make public unnecessary function HandleHiddenKeys. It is not used outside.

.yaml should be preferred format for YAML rather than .yml for Github actions

A justification here:
https://stackoverflow.com/questions/22268952/what-is-the-difference-between-yaml-and-yml-extension#:~:text=The%20(rather%20sparse)%20YAML%20FAQ,yml%20instead.

Tang Operator Failed in Multiarch image

Hi,
I tried the with multi-arch image but this time it is not progressing at all.

I am using the following operator sdk version.

operator-sdk version
operator-sdk version: "v1.21.0", commit: "89d21a133750aee994476736fa9523656c793588", kubernetes version: "1.23", go version: "go1.17.10", GOOS: "linux", GOARCH: "s390x"

# operator-sdk run bundle quay.io/sec-eng-special/tang-operator:multi-arch --index-image quay.io/operator-framework/opm:v1.23.0
FATA[0002] Failed to run bundle: load bundle metadata: metadata not found in bundle-2257575074

operator-sdk run bundle quay.io/sec-eng-special/tang-operator:multi-arch
FATA[0002] Failed to run bundle: load bundle metadata: metadata not found in bundle-341866069

Reduce timer time on "Deploy and Scorecard" step

Right now, this seems to be using a 10 minutes timeout. For deployment and scorecard evaluation, 5 minutes should be enough.

shellcheck ./test_containers/fedora_tang_server/tangd-entrypoint

shellcheck is reporting issues for ./test_containers/fedora_tang_server/tangd-entrypoint.sh:

function finish() {
^-- SC2112 (warning): 'function' keyword is non-standard. Delete it.


In test_containers/fedora_tang_server/tangd-entrypoint line 26:
trap finish SIGINT SIGTERM SIGKILL
            ^----^ SC3048 (warning): In POSIX sh, prefixing signal names with 'SIG' is undefined.
                   ^-----^ SC3048 (warning): In POSIX sh, prefixing signal names with 'SIG' is undefined.
                           ^-----^ SC2173 (error): SIGKILL/SIGSTOP can not be trapped.
                           ^-----^ SC3048 (warning): In POSIX sh, prefixing signal names with 'SIG' is undefined.


In test_containers/fedora_tang_server/tangd-entrypoint line 40:
kill -9 $(ps aux | grep [s]ocat | awk {'print $2'}) 2>/dev/null
        ^-- SC2046 (warning): Quote this to prevent word splitting.
          ^----^ SC2009 (info): Consider using pgrep instead of grepping ps output.
                        ^-----^ SC2062 (warning): Quote the grep pattern so the shell won't interpret it.
                                      ^-- SC1083 (warning): This { is literal. Check expression (missing ;/\n?) or quote it.
                                                 ^-- SC1083 (warning): This } is literal. Check expression (missing ;/\n?) or quote it.


In test_containers/fedora_tang_server/tangd-entrypoint line 41:
kill -9 $(ps aux | grep [t]angd-entrypoint | awk {'print $2'}) 2>/dev/null
        ^-- SC2046 (warning): Quote this to prevent word splitting.
          ^----^ SC2009 (info): Consider using pgrep instead of grepping ps output.
                        ^----------------^ SC2062 (warning): Quote the grep pattern so the shell won't interpret it.
                                                 ^-- SC1083 (warning): This { is literal. Check expression (missing ;/\n?) or quote it.
                                                            ^-- SC1083 (warning): This } is literal. Check expression (missing ;/\n?) or quote it.

Release new version (v0.0.27)

New version (v0.0.27) should be released, generated with newer versions of operator-sdk and go

README.md: include instructions on how to execute Function Tests

Function tests can be executed through other repository containing all the infrastructure required, placed here:
https://github.com/RedHat-SP-Security/tests

Information on steps to execute function tests should be included in README.md

shellcheck Github action should be introduced as part of the CI steps

Once all scripts have been improved to not dump shellcheck issues, shellcheck Gtihub action should be introduced to prevent shellcheck issues in bash script changes

Code refactor: avoid having to pass log object everywhere in the code

Log object is passed everywhere in the code. Think of a mechanism (singleton, association) to have this ready in the code without passing it as parameter

./tools/api_tools/show_keys.sh should indicate k8s client being used by default (oc) and namespace by default (default)

./tools/api_tools/show_keys.sh should indicate k8s client being used by default in usage. Right now, it shows:

Usage:

./tools/api_tools/show_keys.sh -n namespace [-c k8s_client] [-m (using minikube)] [-v (verbose)]

It should show something like:
./tools/api_tools/show_keys.sh [-n namespace (otherwise will use default)] [-c k8s_client (oc by default)] [-m (using minikube)] [-v (verbose)]

Include article about Tang-Operator in Red Hat Hybrid Cloud blog as reference

Article about Tang-Operator hosted in Red Hat Hybrid Cloud blog should be included in README.md as reference:
https://cloud.redhat.com/blog/tang-operator-providing-nbde-in-openshift

shellcheck tools/api_tools/api_explore.sh

tools/api_tools/api_explore.sh has issues reported by shellcheck. If possible, they should be fixed

"verify" Github action is timing out

It seems verify Github action is timing out. In particular, it is happening in the Step "Deploy and Scorecard". An example:
https://github.com/latchset/tang-operator/actions/runs/4988381171/jobs/8931047595?pr=32

I guess it could be fixed by using a newer version of the operator-sdk, but it needs to be verified

Create minimum change in README.md to check if only shellcheck Github action is executed

A minimum change in README.md should be introduced to check if only shellcheck Github action is executed, as introduced in #84, so that it can be verified that only spellcheck Github action is executed.

Update test execution coverage information on README.md file

Information of coverage information on README.md file should be updated for both normal and cluster execution

shellcheck tools/api_tools/key_rotate.sh

shellcheck tools/api_tools/key_rotate.sh has issues reported by shellcheck. If possible, they should be fixed

shellcheck ./tools/step_by_step/step_by_step_00.sh

Fix issues detected by shellcheck for ./tools/step_by_step/step_by_step_00.sh script

shellcheck tools/api_tools/show_keys.sh

Fix issues detected by shellcheck for tools/api_tools/show_keys.sh script

Add badges to README.md to collect status of Github actions

Avoid warnings on Github actions

Such as this:

It seems it is just a matter of updating the checkout Github action version

Update setup-go action to v4, so that Node.js warning is not shown any more

spellcheck Github action should be also executed on main branch

spellcheck Github action should be also executed on main branch, as it is not being executed, it is only being executed on PRs

On Github action that is doing operator-sdk download, the checksum of it should be checked

On Github action that is doing operator-sdk download, the checksum of it should be fixed, or, at least, warned if m5sum not retrievable or failing

Reduce timer time on "Deploy and Scorecard

Homogeneize name of jobs

Homogeneize name of jobs in tang-operator Github actions

Include rule to avoid running verify/shellcheck Github actions for documentation changes

Include rule to avoid running verify/shellcheck/staticcheck Github actions for README.md change. We should verify that, if the PR or merge to main contains other files, they should run similarly as how they are doing now.

Include Github action to cross compile in ppc and arm

staticcheck: try to detect and fix Golang code issues statically

It would be nice to have a Github action to detect Golang code issues statically. A possible option is "staticcheck":
https://staticcheck.io/docs/getting-started/

A Github action is already available, as described here:
https://staticcheck.io/docs/running-staticcheck/ci/github-actions/

Support Need for ppc64le arch

As part of the security worker on OCP Compliance Operator we do need to get Tang Operator working on Power for volume encryption task.
So we are trying to install operator on ppc64le and currently we dont have support for ppc64le so we are trying to build images for power using source code change.
There is change in Docker file related to arch we have added and build images for operator, bundle and catalogs etc.
Now trying to deploy tang operator using bundle images,:
Getting error for operator-sdk run command:

operator-sdk run bundle quay.io/gauravbankar/tang-operator-bundle:v0.0.24
INFO[0008] Successfully created registry pod: quay-io-gauravbankar-tang-operator-bundle-v0-0-24
INFO[0008] Created CatalogSource: tang-operator-catalog
INFO[0008] Created Subscription: tang-operator-v0-0-24-sub
FATA[0120] Failed to run bundle: install plan is not available for the subscription tang-operator-v0-0-24-sub: timed out waiting for the condition```

Description for subscription:

   Message:               constraints not satisfiable: @existing/default//tang-operator.v0.0.24 and tang-operator-catalog/default/alpha/tang-operator.v0.0.24 originate from package tang-operator, subscription tang-operator-v0-0-24-sub requires tang-operator-catalog/default/alpha/tang-operator.v0.0.24, subscription tang-operator-v0-0-24-sub exists, clusterserviceversion tang-operator.v0.0.24 exists and is not referenced by a subscription
    Reason:                ConstraintsNotSatisfiable

can you please help to get resolve this issue?

Use secrets instead of PVCs for key database

Use secrets instead of PVCs for key database. This way, access to the keys will be accessible to the different replicas, without having to care that PVCs is multi-attachable.
More information here: Create a POD that has access to the secret data through a volume

staticcheck reports several issues

It seems staticcheck application is reporting several issues for tang-operator code:

$ staticcheck ./...                                                                                
controllers/suite_test.go:40:5: var cfg is unused (U1000)                                                                                                                            
controllers/tangserver_controller.go:363:47: unnecessary use of fmt.Sprintf (S1039)                                                                                                  
controllers/tangserver_controller.go:429:58: unnecessary use of fmt.Sprintf (S1039)                                                                                                  
controllers/tangserver_controller.go:431:57: unnecessary use of fmt.Sprintf (S1039)                                                                                                  
controllers/tangserver_controller.go:449:43: unnecessary use of fmt.Sprintf (S1039)                                                                                                  
controllers/tangserver_controller.go:488:45: unnecessary use of fmt.Sprintf (S1039)                                                                                                  
controllers/tangserver_controller.go:513:44: unnecessary use of fmt.Sprintf (S1039)                                                                                                  
controllers/tangserver_controller.go:522:44: unnecessary use of fmt.Sprintf (S1039)                                                                                                  
controllers/tangserver_controller_deployment.go:42:5: don't use Yoda conditions (ST1017)                                                                                             
controllers/tangserver_controller_keyhandler.go:290:6: func dumpKeyStatusFileWithHereDoc is unused (U1000)                                                                           
controllers/tangserver_controller_keyhandler.go:303:6: func dumpKeyStatusFileWithBashEchoRedirection is unused (U1000)                                                               
controllers/tangserver_controller_keyhandler.go:327:6: func dumpKeyStatusFileWithTee is unused (U1000)                                                                               
controllers/tangserver_controller_keyhandler.go:347:6: func dumpKeyStatusFileWithAwk is unused (U1000)                                                                               
controllers/tangserver_controller_keystatus.go:49:6: func keyStatusLockFile is unused (U1000)                                                                                        
controllers/tangserver_controller_keystatus.go:57:6: func keyStatusLockFilePathWithTangServer is unused (U1000)                                                                      
controllers/tangserver_controller_keystatus.go:150:2: this value of err is never used (SA4006)                                                                                       
controllers/tangserver_controller_service.go:45:5: don't use Yoda conditions (ST1017)

As there are not too many errors, a unique fix can be uploaded to fix them

shellcheck ./test_containers/fedora_tang_server/tangd-health-check

shellcheck is returning errors for ./test_containers/fedora_tang_server/tangd-health-check script:

./test_containers/fedora_tang_server/tangd-health-check:48:22: error: This printf format string has no variables. Other arguments are ignored. [SC2182]
./test_containers/fedora_tang_server/tangd-health-check:48:22: warning: This { is literal. Check expression (missing ;/\n?) or quote it. [SC1083]
./test_containers/fedora_tang_server/tangd-health-check:48:33: warning: This } is literal. Check expression (missing ;/\n?) or quote it. [SC1083]

Remove references to CLUSTER unit tests from README.md until they are fixed

TangOperator Install fails on S390x.

While installing tang operator in s390x the pod fails to run the operator commands due to permission issue.

operator-sdk run bundle quay.io/sec-eng-special/tang-operator-bundle:v0.0.25

INFO[0017] Successfully created registry pod: quay-io-sec-eng-special-tang-operator-bundle-v0-0-25
INFO[0017] Created CatalogSource: tang-operator-catalog
INFO[0017] OperatorGroup "operator-sdk-og" created
INFO[0017] Created Subscription: tang-operator-v0-0-25-sub
FATA[0120] Failed to run bundle: install plan is not available for the subscription tang-operator-v0-0-25-sub: timed out waiting for the condition

#oc logs quay-io-sec-eng-special-tang-operator-bundle-v0-0-25
mkdir: can't create directory '/database': Permission denied

Limit statticcheck Github action to .go files

statticcheck Github action execution should be limited to .go files. More information on how to do this on:
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions

Check the paths option, as it can be used to specify wildcards:

on:
  push:
    paths:
      - '**.go'

time="2022-05-20T14:43:45Z" level=warning msg="\x1b[1;33mDEPRECATION NOTICE:\nSqlite-based catalogs and their related subcommands are deprecated. Support for\nthem will be removed in a future release. Please migrate your catalog workflows\nto the new file-based catalog format.\x1b[0m"
time="2022-05-20T14:43:45Z" level=info msg="adding to the registry" bundles="[quay.io/sec-eng-special/tang-operator-bundle:v0.0.24]"
time="2022-05-20T14:44:15Z" level=info msg="trying next host" error="failed to do request: Head \"https://quay.io/v2/sec-eng-special/tang-operator-bundle/manifests/v0.0.24\": dial tcp: i/o timeout" host=quay.io
time="2022-05-20T14:44:15Z" level=error msg="permissive mode disabled" bundles="[quay.io/sec-eng-special/tang-operator-bundle:v0.0.24]" error="[error resolving name : failed to do request: Head \"https://quay.io/v2/sec-eng-special/tang-operator-bundle/manifests/v0.0.24\": dial tcp: i/o timeout, image \"quay.io/sec-eng-special/tang-operator-bundle:v0.0.24\": not found]"
Error: [error resolving name : failed to do request: Head "https://quay.io/v2/sec-eng-special/tang-operator-bundle/manifests/v0.0.24": dial tcp: i/o timeout, image "quay.io/sec-eng-special/tang-operator-bundle:v0.0.24": not found]

Likewise, I cannot find this image quay.io. Is this image public?