latchset / tang-operator
An Openshift/K8S operator to manage NBDE Tang Servers
License: Apache License 2.0
Rename the "Verify" Github action job to "verify" for coherency
Cluster tests are broken with the latest versions of Go. This needs to be reviewed
tools/cluster_tools/add_cluster.sh has issues reported by shellcheck. If possible, they should be fixed
In order to ease key management in tang servers deployed via tang-operator, a new feature should be added to provide active and hidden key thumbprints in the status field via the K8S native API.
An example of the provided data could be as follows:
apiVersion: tangoperator.openshift.io/v1
kind: TangServer
metadata:
  name: exampleServer01
spec:
  port: 7500
  replicas: 3
  hiddenKeys:
  - sha1: shortthumbprint
status:
  running: 3
  ready: 3
  url: http://tang.cluster.fqdn:7500
  activeKeys:
  - sha1: NEWshorthumbprint
    sha256: NEWlongthumbprintismuchlonger
    generated: 2021-10-01T16:32:18Z
  hiddenKeys:
  - sha1: shorthumbprint
    sha256: longthumbprintismuchlonger
    generated: 2021-09-01T15:00:32Z
    hidden: 2021-10-01T16:32:18Z
tools/api_tools/api_explore.sh seems not to be working. It gets stuck trying to extract information from the client with the latest versions of OpenShift
When a port different from 8080 is defined in Tang Server as the port to export, traffic is not correctly redirected.
tools/tests_memleak.sh has issues reported by shellcheck. If possible, they should be fixed
Do not make the function HandleHiddenKeys public unnecessarily. It is not used outside.
Hi,
I tried with the multi-arch image, but this time it is not progressing at all.
I am using the following operator sdk version.
operator-sdk version
operator-sdk version: "v1.21.0", commit: "89d21a133750aee994476736fa9523656c793588", kubernetes version: "1.23", go version: "go1.17.10", GOOS: "linux", GOARCH: "s390x"
# operator-sdk run bundle quay.io/sec-eng-special/tang-operator:multi-arch --index-image quay.io/operator-framework/opm:v1.23.0
FATA[0002] Failed to run bundle: load bundle metadata: metadata not found in bundle-2257575074
operator-sdk run bundle quay.io/sec-eng-special/tang-operator:multi-arch
FATA[0002] Failed to run bundle: load bundle metadata: metadata not found in bundle-341866069
Right now, this seems to be using a 10-minute timeout. For deployment and scorecard evaluation, 5 minutes should be enough.
shellcheck is reporting issues for ./test_containers/fedora_tang_server/tangd-entrypoint.sh:
function finish() {
^-- SC2112 (warning): 'function' keyword is non-standard. Delete it.
In test_containers/fedora_tang_server/tangd-entrypoint line 26:
trap finish SIGINT SIGTERM SIGKILL
^----^ SC3048 (warning): In POSIX sh, prefixing signal names with 'SIG' is undefined.
^-----^ SC3048 (warning): In POSIX sh, prefixing signal names with 'SIG' is undefined.
^-----^ SC2173 (error): SIGKILL/SIGSTOP can not be trapped.
^-----^ SC3048 (warning): In POSIX sh, prefixing signal names with 'SIG' is undefined.
In test_containers/fedora_tang_server/tangd-entrypoint line 40:
kill -9 $(ps aux | grep [s]ocat | awk {'print $2'}) 2>/dev/null
^-- SC2046 (warning): Quote this to prevent word splitting.
^----^ SC2009 (info): Consider using pgrep instead of grepping ps output.
^-----^ SC2062 (warning): Quote the grep pattern so the shell won't interpret it.
^-- SC1083 (warning): This { is literal. Check expression (missing ;/\n?) or quote it.
^-- SC1083 (warning): This } is literal. Check expression (missing ;/\n?) or quote it.
In test_containers/fedora_tang_server/tangd-entrypoint line 41:
kill -9 $(ps aux | grep [t]angd-entrypoint | awk {'print $2'}) 2>/dev/null
^-- SC2046 (warning): Quote this to prevent word splitting.
^----^ SC2009 (info): Consider using pgrep instead of grepping ps output.
^----------------^ SC2062 (warning): Quote the grep pattern so the shell won't interpret it.
^-- SC1083 (warning): This { is literal. Check expression (missing ;/\n?) or quote it.
^-- SC1083 (warning): This } is literal. Check expression (missing ;/\n?) or quote it.
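A POSIX-sh cleanup pattern that clears all of the findings listed above, as an added example rather than the project's own tangd-entrypoint script; the helper names (register_child, stop_children, is_alive) and the use of a placeholder daemon instead of socat/tangd are assumptions.

```sh
#!/bin/sh
# Added example, not the project's tangd-entrypoint: a POSIX-sh cleanup
# pattern that clears the shellcheck findings reported above.
#   SC2112: plain name() syntax instead of the 'function' keyword.
#   SC3048: signal names without the SIG prefix.
#   SC2173: KILL is not trapped, because it cannot be.
#   SC2046/SC2062/SC1083/SC2009: no "kill -9 $(ps aux | grep ... | awk ...)";
#           the entrypoint records the PIDs of the children it starts
#           with $! and stops exactly those.
# The helper names (register_child, stop_children, is_alive) are
# assumptions; in the real entrypoint the children would be socat and tangd.

CHILD_PIDS=""

# Record a background child's PID (pass "$!" right after starting it).
register_child() {
    CHILD_PIDS="$CHILD_PIDS $1"
}

# Succeed if the PID still exists; kill -0 sends no signal.
is_alive() {
    kill -0 "$1" 2>/dev/null
}

# Stop every recorded child with TERM (not KILL, so it can clean up) and
# reap it, so no zombies are left behind. wait blocks until the child
# exits, which assumes the child honours TERM.
stop_children() {
    for pid in $CHILD_PIDS; do
        is_alive "$pid" || continue
        kill -TERM "$pid" 2>/dev/null || true
        wait "$pid" 2>/dev/null || true
    done
    CHILD_PIDS=""
}

# Trap handler for INT and TERM; KILL is deliberately absent (SC2173).
finish() {
    stop_children
    exit 0
}

trap finish INT TERM

# Usage in an entrypoint (stand-in for "socat ... &" and "tangd ... &"):
#   some_daemon & register_child "$!"
```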
A new version (v0.0.27) should be released, generated with newer versions of operator-sdk and Go
Function tests can be executed through another repository containing all the infrastructure required, placed here:
https://github.com/RedHat-SP-Security/tests
Information on steps to execute function tests should be included in README.md
Once all scripts have been improved so that they no longer produce shellcheck issues, a shellcheck Github action should be introduced to prevent shellcheck issues in bash script changes
The Log object is passed everywhere in the code. Think of a mechanism (singleton, association) to have it ready in the code without passing it as a parameter
./tools/api_tools/show_keys.sh should indicate the k8s client being used by default in its usage message. Right now, it shows:
Usage:
./tools/api_tools/show_keys.sh -n namespace [-c k8s_client] [-m (using minikube)] [-v (verbose)]
It should show something like:
./tools/api_tools/show_keys.sh [-n namespace (otherwise will use default)] [-c k8s_client (oc by default)] [-m (using minikube)] [-v (verbose)]
The article about Tang-Operator hosted on the Red Hat Hybrid Cloud blog should be included in README.md as a reference:
https://cloud.redhat.com/blog/tang-operator-providing-nbde-in-openshift
tools/api_tools/api_explore.sh has issues reported by shellcheck. If possible, they should be fixed
It seems the verify Github action is timing out. In particular, it is happening in the step "Deploy and Scorecard". An example:
https://github.com/latchset/tang-operator/actions/runs/4988381171/jobs/8931047595?pr=32
I guess it could be fixed by using a newer version of the operator-sdk, but this needs to be verified
A minimal change in README.md should be introduced to check whether only the shellcheck Github action is executed, as introduced in #84, so that it can be verified that only the spellcheck Github action is executed.
Coverage information in the README.md file should be updated for both normal and cluster execution
tools/api_tools/key_rotate.sh has issues reported by shellcheck. If possible, they should be fixed
Fix issues detected by shellcheck for ./tools/step_by_step/step_by_step_00.sh script
Fix issues detected by shellcheck for tools/api_tools/show_keys.sh script
Add badges to README.md to collect status of Github actions
Update the setup-go action to v4, so that the Node.js warning is no longer shown
The spellcheck Github action should also be executed on the main branch; right now it is only executed on PRs
In the Github action that downloads operator-sdk, the checksum should be fixed, or at least a warning should be issued if the md5sum is not retrievable or fails
Homogenize the names of jobs in tang-operator Github actions
Include a rule to avoid running the verify/shellcheck/staticcheck Github actions for README.md-only changes. We should verify that, if the PR or merge to main contains other files, they still run as they do now.
Include a Github action to cross-compile for ppc and arm
It would be nice to have a Github action to detect Golang code issues statically. A possible option is "staticcheck":
https://staticcheck.io/docs/getting-started/
A Github action is already available, as described here:
https://staticcheck.io/docs/running-staticcheck/ci/github-actions/
As part of the security worker on OCP Compliance Operator we do need to get Tang Operator working on Power for volume encryption task.
So we are trying to install the operator on ppc64le, and since there is currently no support for ppc64le, we are trying to build images for Power using a source code change.
There is a change in the Dockerfile related to arch that we have added, and we built images for the operator, bundle and catalogs etc.
Now, trying to deploy tang operator using the bundle images:
Getting an error for the operator-sdk run command:
operator-sdk run bundle quay.io/gauravbankar/tang-operator-bundle:v0.0.24
INFO[0008] Successfully created registry pod: quay-io-gauravbankar-tang-operator-bundle-v0-0-24
INFO[0008] Created CatalogSource: tang-operator-catalog
INFO[0008] Created Subscription: tang-operator-v0-0-24-sub
FATA[0120] Failed to run bundle: install plan is not available for the subscription tang-operator-v0-0-24-sub: timed out waiting for the condition
Description for subscription:
Message: constraints not satisfiable: @existing/default//tang-operator.v0.0.24 and tang-operator-catalog/default/alpha/tang-operator.v0.0.24 originate from package tang-operator, subscription tang-operator-v0-0-24-sub requires tang-operator-catalog/default/alpha/tang-operator.v0.0.24, subscription tang-operator-v0-0-24-sub exists, clusterserviceversion tang-operator.v0.0.24 exists and is not referenced by a subscription
Reason: ConstraintsNotSatisfiable
Can you please help to resolve this issue?
Use secrets instead of PVCs for the key database. This way, the keys will be accessible to the different replicas, without having to care whether the PVC is multi-attachable.
More information here: Create a POD that has access to the secret data through a volume
It seems the staticcheck application is reporting several issues for tang-operator code:
$ staticcheck ./...
controllers/suite_test.go:40:5: var cfg is unused (U1000)
controllers/tangserver_controller.go:363:47: unnecessary use of fmt.Sprintf (S1039)
controllers/tangserver_controller.go:429:58: unnecessary use of fmt.Sprintf (S1039)
controllers/tangserver_controller.go:431:57: unnecessary use of fmt.Sprintf (S1039)
controllers/tangserver_controller.go:449:43: unnecessary use of fmt.Sprintf (S1039)
controllers/tangserver_controller.go:488:45: unnecessary use of fmt.Sprintf (S1039)
controllers/tangserver_controller.go:513:44: unnecessary use of fmt.Sprintf (S1039)
controllers/tangserver_controller.go:522:44: unnecessary use of fmt.Sprintf (S1039)
controllers/tangserver_controller_deployment.go:42:5: don't use Yoda conditions (ST1017)
controllers/tangserver_controller_keyhandler.go:290:6: func dumpKeyStatusFileWithHereDoc is unused (U1000)
controllers/tangserver_controller_keyhandler.go:303:6: func dumpKeyStatusFileWithBashEchoRedirection is unused (U1000)
controllers/tangserver_controller_keyhandler.go:327:6: func dumpKeyStatusFileWithTee is unused (U1000)
controllers/tangserver_controller_keyhandler.go:347:6: func dumpKeyStatusFileWithAwk is unused (U1000)
controllers/tangserver_controller_keystatus.go:49:6: func keyStatusLockFile is unused (U1000)
controllers/tangserver_controller_keystatus.go:57:6: func keyStatusLockFilePathWithTangServer is unused (U1000)
controllers/tangserver_controller_keystatus.go:150:2: this value of err is never used (SA4006)
controllers/tangserver_controller_service.go:45:5: don't use Yoda conditions (ST1017)
As there are not too many errors, a single fix can be uploaded to address all of them
shellcheck is returning errors for the ./test_containers/fedora_tang_server/tangd-health-check script:
./test_containers/fedora_tang_server/tangd-health-check:48:22: error: This printf format string has no variables. Other arguments are ignored. [SC2182]
./test_containers/fedora_tang_server/tangd-health-check:48:22: warning: This { is literal. Check expression (missing ;/\n?) or quote it. [SC1083]
./test_containers/fedora_tang_server/tangd-health-check:48:33: warning: This } is literal. Check expression (missing ;/\n?) or quote it. [SC1083]
Remove references to CLUSTER unit tests from README.md until they are fixed
While installing tang operator on s390x, the pod fails to run the operator commands due to a permission issue.
INFO[0017] Successfully created registry pod: quay-io-sec-eng-special-tang-operator-bundle-v0-0-25
INFO[0017] Created CatalogSource: tang-operator-catalog
INFO[0017] OperatorGroup "operator-sdk-og" created
INFO[0017] Created Subscription: tang-operator-v0-0-25-sub
FATA[0120] Failed to run bundle: install plan is not available for the subscription tang-operator-v0-0-25-sub: timed out waiting for the condition
#oc logs quay-io-sec-eng-special-tang-operator-bundle-v0-0-25
mkdir: can't create directory '/database': Permission denied
staticcheck Github action execution should be limited to .go files. More information on how to do this:
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
Check the paths option, as it can be used to specify wildcards:
on:
  push:
    paths:
    - '**.go'
Include a Github action to check spelling errors in markdown files
Normally, configuration of a cluster is done through a cluster-bot....txt file. These files should be added to .gitignore
The Operator SDK version used in Github actions should be updated to v1.28.1.
This version seems to be failing on scorecard execution, so upgrading it could be a double check to prove it is purely an issue of v1.28.1 (the current v1.28.0 seems to be working)
The tang operator hard-codes the tang server's pod's SecurityContext to require RunAsUser: 0
- This should not be required for the tang server container and should be removed.
Fix the index of README.md to include the cross-compilation section (it has not been updated)
Adapt to use the latest versions of the Go programming language. Right now, versions newer than Golang 1.17.X seem to fail
Installing via operatorsdk results in the following in the logs:
time="2022-05-20T14:43:45Z" level=warning msg="\x1b[1;33mDEPRECATION NOTICE:\nSqlite-based catalogs and their related subcommands are deprecated. Support for\nthem will be removed in a future release. Please migrate your catalog workflows\nto the new file-based catalog format.\x1b[0m"
time="2022-05-20T14:43:45Z" level=info msg="adding to the registry" bundles="[quay.io/sec-eng-special/tang-operator-bundle:v0.0.24]"
time="2022-05-20T14:44:15Z" level=info msg="trying next host" error="failed to do request: Head \"https://quay.io/v2/sec-eng-special/tang-operator-bundle/manifests/v0.0.24\": dial tcp: i/o timeout" host=quay.io
time="2022-05-20T14:44:15Z" level=error msg="permissive mode disabled" bundles="[quay.io/sec-eng-special/tang-operator-bundle:v0.0.24]" error="[error resolving name : failed to do request: Head \"https://quay.io/v2/sec-eng-special/tang-operator-bundle/manifests/v0.0.24\": dial tcp: i/o timeout, image \"quay.io/sec-eng-special/tang-operator-bundle:v0.0.24\": not found]"
Error: [error resolving name : failed to do request: Head "https://quay.io/v2/sec-eng-special/tang-operator-bundle/manifests/v0.0.24": dial tcp: i/o timeout, image "quay.io/sec-eng-special/tang-operator-bundle:v0.0.24": not found]
Likewise, I cannot find this image on quay.io. Is this image public?