Support runtime changes of target secretRefs (#465)

* Support runtime changes of target secretRefs Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>
kyverno · Sep 28, 2024 · 85c48f9 · 85c48f9
1 parent 8c64e0f
commit 85c48f9
Show file tree

Hide file tree

Showing 30 changed files with 1,717 additions and 774 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -14,12 +14,13 @@ on:
   pull_request:
     branches:
       - main
+      - 3.x
 
 jobs:
   coverage:
     runs-on: ubuntu-latest
     steps:
-      - name: Set up Go 1.21
+      - name: Set up Go
         uses: actions/setup-go@v2
         with:
           go-version-file: go.mod

diff --git a/cmd/run.go b/cmd/run.go
@@ -55,6 +55,11 @@ func newRunCMD(version string) *cobra.Command {
 				return err
 			}
 
+			secretInformer, err := resolver.SecretInformer()
+			if err != nil {
+				return err
+			}
+
 			g := &errgroup.Group{}
 
 			var store *database.Store
@@ -170,6 +175,7 @@ func newRunCMD(version string) *cobra.Command {
 			g.Go(server.Start)
 
 			g.Go(func() error {
+				logger.Info("wait policy informer")
 				readinessProbe.Wait()
 
 				logger.Info("start client", zap.Int("worker", c.WorkerCount))
@@ -184,6 +190,26 @@ func newRunCMD(version string) *cobra.Command {
 				}
 			})
 
+			g.Go(func() error {
+				collection := resolver.TargetClients()
+				if !collection.UsesSecrets() {
+					return nil
+				}
+
+				readinessProbe.Wait()
+
+				stop := make(chan struct{})
+				if err := secretInformer.Sync(collection, stop); err != nil {
+					zap.L().Error("secret informer error", zap.Error(err))
+
+					return err
+				}
+
+				<-stop
+
+				return nil
+			})
+
 			return g.Wait()
 		},
 	}

diff --git a/pkg/api/v1/api.go b/pkg/api/v1/api.go
@@ -18,7 +18,7 @@ var defaultOrder = []string{"resource_namespace", "resource_name", "resource_uid
 
 type APIHandler struct {
 	store    *db.Store
-	targets  []Target
+	targets  *target.Collection
 	reporter *violations.Reporter
 }
 
@@ -52,7 +52,7 @@ func (h *APIHandler) Register(engine *gin.RouterGroup) error {
 }
 
 func (h *APIHandler) ListTargets(ctx *gin.Context) {
-	ctx.JSON(http.StatusOK, h.targets)
+	ctx.JSON(http.StatusOK, helper.Map(h.targets.Clients(), mapTarget))
 }
 
 func (h *APIHandler) ListPolicyReports(ctx *gin.Context) {
@@ -256,11 +256,11 @@ func (h *APIHandler) HTMLViolationsReport(ctx *gin.Context) {
 	ctx.Data(http.StatusOK, "text/html; charset=utf-8", []byte(data.Message))
 }
 
-func NewAPIHandler(store *db.Store, targets []target.Client, reporter *violations.Reporter) *APIHandler {
-	return &APIHandler{store, helper.Map(targets, mapTarget), reporter}
+func NewAPIHandler(store *db.Store, targets *target.Collection, reporter *violations.Reporter) *APIHandler {
+	return &APIHandler{store, targets, reporter}
 }
 
-func WithAPI(store *db.Store, targets []target.Client, reporter *violations.Reporter) api.ServerOption {
+func WithAPI(store *db.Store, targets *target.Collection, reporter *violations.Reporter) api.ServerOption {
 	return func(s *api.Server) error {
 		return s.Register("v1", NewAPIHandler(store, targets, reporter))
 	}

diff --git a/pkg/api/v1/api_test.go b/pkg/api/v1/api_test.go
@@ -44,8 +44,8 @@ func TestV1(t *testing.T) {
 
 	gin.SetMode(gin.ReleaseMode)
 
-	server := api.NewServer(gin.New(), v1.WithAPI(store, []target.Client{
-		webhook.NewClient(webhook.Options{
+	server := api.NewServer(gin.New(), v1.WithAPI(store, target.NewCollection(&target.Target{
+		Client: webhook.NewClient(webhook.Options{
 			ClientOptions: target.ClientOptions{
 				Name:                  "Webhook",
 				SkipExistingOnStartup: true,
@@ -56,7 +56,7 @@ func TestV1(t *testing.T) {
 			},
 			Host: "http://localhost:8080",
 		}),
-	}, violations.NewReporter("../../../templates", "Cluster", "Report")))
+	}), violations.NewReporter("../../../templates", "Cluster", "Report")))
 
 	t.Run("TargetResponse", func(t *testing.T) {
 		req, _ := http.NewRequest("GET", "/v1/targets", nil)

diff --git a/pkg/api/v2/api.go b/pkg/api/v2/api.go
@@ -8,9 +8,9 @@ import (
 	"go.uber.org/zap"
 
 	"github.com/kyverno/policy-reporter/pkg/api"
-	"github.com/kyverno/policy-reporter/pkg/config"
 	db "github.com/kyverno/policy-reporter/pkg/database"
 	"github.com/kyverno/policy-reporter/pkg/kubernetes/namespaces"
+	"github.com/kyverno/policy-reporter/pkg/target"
 )
 
 var defaultOrder = []string{"resource_namespace", "resource_name", "resource_uid", "policy", "rule", "message"}
@@ -237,7 +237,7 @@ func NewAPIHandler(store *db.Store, client namespaces.Client, targets map[string
 	}
 }
 
-func WithAPI(store *db.Store, client namespaces.Client, targets config.Targets) api.ServerOption {
+func WithAPI(store *db.Store, client namespaces.Client, targets target.Targets) api.ServerOption {
 	return func(s *api.Server) error {
 		return s.Register("v2", NewAPIHandler(store, client, MapConfigTagrgets(targets)))
 	}

diff --git a/pkg/api/v2/api_test.go b/pkg/api/v2/api_test.go
@@ -19,11 +19,11 @@ import (
 
 	"github.com/kyverno/policy-reporter/pkg/api"
 	v2 "github.com/kyverno/policy-reporter/pkg/api/v2"
-	"github.com/kyverno/policy-reporter/pkg/config"
 	"github.com/kyverno/policy-reporter/pkg/database"
 	"github.com/kyverno/policy-reporter/pkg/fixtures"
 	"github.com/kyverno/policy-reporter/pkg/kubernetes/namespaces"
 	"github.com/kyverno/policy-reporter/pkg/report/result"
+	"github.com/kyverno/policy-reporter/pkg/target"
 )
 
 const (
@@ -79,11 +79,11 @@ func TestV2(t *testing.T) {
 
 	gin.SetMode(gin.ReleaseMode)
 
-	server := api.NewServer(gin.New(), v2.WithAPI(store, client, config.Targets{
-		Webhook: &config.Target[config.WebhookOptions]{
+	server := api.NewServer(gin.New(), v2.WithAPI(store, client, target.Targets{
+		Webhook: &target.Config[target.WebhookOptions]{
 			Name:            "Webhook",
 			MinimumPriority: "warn",
-			Config: &config.WebhookOptions{
+			Config: &target.WebhookOptions{
 				Webhook: "http://localhost:8080",
 			},
 		},

diff --git a/pkg/api/v2/views.go b/pkg/api/v2/views.go
@@ -4,10 +4,10 @@ import (
 	"fmt"
 	"net/url"
 
-	"github.com/kyverno/policy-reporter/pkg/config"
 	"github.com/kyverno/policy-reporter/pkg/crd/api/policyreport/v1alpha2"
 	db "github.com/kyverno/policy-reporter/pkg/database"
 	"github.com/kyverno/policy-reporter/pkg/helper"
+	"github.com/kyverno/policy-reporter/pkg/target"
 )
 
 type Category struct {
@@ -374,7 +374,7 @@ type Target struct {
 	Auth            bool              `json:"auth"`
 }
 
-func MapValueFilter(f config.ValueFilter) *ValueFilter {
+func MapValueFilter(f target.ValueFilter) *ValueFilter {
 	if len(f.Exclude)+len(f.Include) == 0+len(f.Selector) {
 		return nil
 	}
@@ -386,7 +386,7 @@ func MapValueFilter(f config.ValueFilter) *ValueFilter {
 	}
 }
 
-func MapBaseToTarget[T any](t *config.Target[T]) *Target {
+func MapBaseToTarget[T any](t *target.Config[T]) *Target {
 	fields := t.CustomFields
 	if fields == nil {
 		fields = make(map[string]string, 0)
@@ -404,22 +404,22 @@ func MapBaseToTarget[T any](t *config.Target[T]) *Target {
 			Priorities:   MapValueFilter(t.Filter.Priorities),
 			Policies:     MapValueFilter(t.Filter.Policies),
 			ReportLabels: MapValueFilter(t.Filter.ReportLabels),
-			Sources: MapValueFilter(config.ValueFilter{
+			Sources: MapValueFilter(target.ValueFilter{
 				Include: t.Sources,
 			}),
 		},
 	}
 }
 
-func MapSlackToTarget(ta *config.Target[config.SlackOptions]) *Target {
+func MapSlackToTarget(ta *target.Config[target.SlackOptions]) *Target {
 	t := MapBaseToTarget(ta)
 	t.Type = "Slack"
 	t.Properties["channel"] = ta.Config.Channel
 
 	return t
 }
 
-func MapLokiToTarget(ta *config.Target[config.LokiOptions]) *Target {
+func MapLokiToTarget(ta *target.Config[target.LokiOptions]) *Target {
 	t := MapBaseToTarget(ta)
 	t.Type = "Loki"
 	t.Host = ta.Config.Host
@@ -436,7 +436,7 @@ func MapLokiToTarget(ta *config.Target[config.LokiOptions]) *Target {
 	return t
 }
 
-func MapElasticsearchToTarget(ta *config.Target[config.ElasticsearchOptions]) *Target {
+func MapElasticsearchToTarget(ta *target.Config[target.ElasticsearchOptions]) *Target {
 	t := MapBaseToTarget(ta)
 	t.Type = "Elasticsearch"
 	t.Host = ta.Config.Host
@@ -453,8 +453,8 @@ func MapElasticsearchToTarget(ta *config.Target[config.ElasticsearchOptions]) *T
 	return t
 }
 
-func MapWebhhokToTarget(typeName string) func(ta *config.Target[config.WebhookOptions]) *Target {
-	return func(ta *config.Target[config.WebhookOptions]) *Target {
+func MapWebhhokToTarget(typeName string) func(ta *target.Config[target.WebhookOptions]) *Target {
+	return func(ta *target.Config[target.WebhookOptions]) *Target {
 		t := MapBaseToTarget(ta)
 		t.Type = typeName
 		t.SkipTLS = ta.Config.SkipTLS
@@ -473,7 +473,7 @@ func MapWebhhokToTarget(typeName string) func(ta *config.Target[config.WebhookOp
 	}
 }
 
-func MapTelegramToTarget(ta *config.Target[config.TelegramOptions]) *Target {
+func MapTelegramToTarget(ta *target.Config[target.TelegramOptions]) *Target {
 	t := MapBaseToTarget(ta)
 	t.Type = "Telegram"
 	t.Host = ta.Config.Webhook
@@ -484,7 +484,7 @@ func MapTelegramToTarget(ta *config.Target[config.TelegramOptions]) *Target {
 	return t
 }
 
-func MapS3ToTarget(ta *config.Target[config.S3Options]) *Target {
+func MapS3ToTarget(ta *target.Config[target.S3Options]) *Target {
 	t := MapBaseToTarget(ta)
 	t.Type = "S3"
 	t.Host = ta.Config.Endpoint
@@ -496,7 +496,7 @@ func MapS3ToTarget(ta *config.Target[config.S3Options]) *Target {
 	return t
 }
 
-func MapKinesisToTarget(ta *config.Target[config.KinesisOptions]) *Target {
+func MapKinesisToTarget(ta *target.Config[target.KinesisOptions]) *Target {
 	t := MapBaseToTarget(ta)
 	t.Type = "Kinesis"
 	t.Host = ta.Config.Endpoint
@@ -507,7 +507,7 @@ func MapKinesisToTarget(ta *config.Target[config.KinesisOptions]) *Target {
 	return t
 }
 
-func MapSecurityHubToTarget(ta *config.Target[config.SecurityHubOptions]) *Target {
+func MapSecurityHubToTarget(ta *target.Config[target.SecurityHubOptions]) *Target {
 	t := MapBaseToTarget(ta)
 	t.Type = "SecurityHub"
 	t.Host = ta.Config.Endpoint
@@ -518,7 +518,7 @@ func MapSecurityHubToTarget(ta *config.Target[config.SecurityHubOptions]) *Targe
 	return t
 }
 
-func MapGCSToTarget(ta *config.Target[config.GCSOptions]) *Target {
+func MapGCSToTarget(ta *target.Config[target.GCSOptions]) *Target {
 	t := MapBaseToTarget(ta)
 	t.Type = "GoogleCloudStore"
 	t.Properties["prefix"] = ta.Config.Prefix
@@ -528,7 +528,7 @@ func MapGCSToTarget(ta *config.Target[config.GCSOptions]) *Target {
 	return t
 }
 
-func MapTargets[T any](c *config.Target[T], mapper func(*config.Target[T]) *Target) []*Target {
+func MapTargets[T any](c *target.Config[T], mapper func(*target.Config[T]) *Target) []*Target {
 	targets := make([]*Target, 0)
 
 	if c == nil {
@@ -548,7 +548,7 @@ func MapTargets[T any](c *config.Target[T], mapper func(*config.Target[T]) *Targ
 	return targets
 }
 
-func MapConfigTagrgets(c config.Targets) map[string][]*Target {
+func MapConfigTagrgets(c target.Targets) map[string][]*Target {
 	targets := make(map[string][]*Target)
 
 	targets["loki"] = MapTargets(c.Loki, MapLokiToTarget)