

Have optional result server
Add a `Disabled` field at ScanSetting.Spec.RawResultStorage.Disabled, defaulting to false. When it is set to true, the operator does not create a result server to store the ARF report.
Vincent056 committed Aug 15, 2024
1 parent 2120915 commit 2163edc
Showing 13 changed files with 182 additions and 54 deletions.
6 changes: 6 additions & 0 deletions bundle/manifests/compliance.openshift.io_compliancescans.yaml
Expand Up @@ -95,6 +95,12 @@ spec:
rawResultStorage:
description: Specifies settings that pertain to raw result storage.
properties:
disabled:
default: false
description: Specifies if the raw result storage is disabled.
This is useful in case the raw results are not needed. Defaults
to false.
type: boolean
nodeSelector:
additionalProperties:
type: string
Expand Up @@ -116,6 +116,12 @@ spec:
rawResultStorage:
description: Specifies settings that pertain to raw result storage.
properties:
disabled:
default: false
description: Specifies if the raw result storage is disabled.
This is useful in case the raw results are not needed.
Defaults to false.
type: boolean
nodeSelector:
additionalProperties:
type: string
5 changes: 5 additions & 0 deletions bundle/manifests/compliance.openshift.io_scansettings.yaml
Expand Up @@ -69,6 +69,11 @@ spec:
rawResultStorage:
description: Specifies settings that pertain to raw result storage.
properties:
disabled:
default: false
description: Specifies if the raw result storage is disabled. This
is useful in case the raw results are not needed. Defaults to false.
type: boolean
nodeSelector:
additionalProperties:
type: string
5 changes: 3 additions & 2 deletions cmd/manager/common.go
Expand Up @@ -2,11 +2,12 @@ package manager

import (
"fmt"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/discovery"
"os"
"path/filepath"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/discovery"

ocpcfgv1 "github.com/openshift/api/config/v1"
mcfgv1 "github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io/v1"
"github.com/spf13/cobra"
69 changes: 38 additions & 31 deletions cmd/manager/resultcollector.go
Expand Up @@ -64,20 +64,21 @@ func init() {
}

type scapresultsConfig struct {
ArfFile string
XccdfFile string
ExitCodeFile string
CmdOutputFile string
WarningsOutputFile string
ScanName string
ConfigMapName string
NodeName string
Namespace string
ResultServerURI string
Timeout int64
Cert string
Key string
CA string
ArfFile string
XccdfFile string
ExitCodeFile string
CmdOutputFile string
WarningsOutputFile string
ScanName string
ConfigMapName string
NodeName string
Namespace string
ResultServerURI string
Timeout int64
Cert string
Key string
CA string
DisableRawResultUpload bool
}

func defineResultcollectorFlags(cmd *cobra.Command) {
Expand All @@ -95,7 +96,7 @@ func defineResultcollectorFlags(cmd *cobra.Command) {
cmd.Flags().String("tls-client-cert", "", "The path to the client and CA PEM cert bundle.")
cmd.Flags().String("tls-client-key", "", "The path to the client PEM key.")
cmd.Flags().String("tls-ca", "", "The path to the CA certificate.")

cmd.Flags().Bool("disable-raw-upload", false, "Setting to true to disable upload raw arf result")
flags := cmd.Flags()

// Add flags registered by imported packages (e.g. glog and
Expand All @@ -117,6 +118,7 @@ func parseConfig(cmd *cobra.Command) *scapresultsConfig {
conf.CA = getValidStringArg(cmd, "tls-ca")
conf.Timeout, _ = cmd.Flags().GetInt64("timeout")
conf.ResultServerURI, _ = cmd.Flags().GetString("resultserveruri")
conf.DisableRawResultUpload, _ = cmd.Flags().GetBool("disable-raw-upload")
// Set default if needed
if conf.ResultServerURI == "" {
conf.ResultServerURI = "http://" + conf.ScanName + "-rs:8080/"
Expand Down Expand Up @@ -370,31 +372,36 @@ func uploadErrorConfigMap(errorMsg *resultFileContents, exitcode string,
}

func handleCompleteSCAPResults(exitcode string, scapresultsconf *scapresultsConfig, client *complianceCrClient) {
arfContents, err := readResultsFile(scapresultsconf.ArfFile, scapresultsconf.Timeout)
if err != nil {
cmdLog.Error(err, "Failed to read ARF file")
os.Exit(1)
}
defer arfContents.close()

xccdfContents, err := readResultsFile(scapresultsconf.XccdfFile, scapresultsconf.Timeout)
if err != nil {
cmdLog.Error(err, "Failed to read XCCDF file")
os.Exit(1)
}
defer xccdfContents.close()

var wg sync.WaitGroup
wg.Add(2)
go func() {
serverUploadErr := uploadToResultServer(arfContents, scapresultsconf)
if serverUploadErr != nil {
cmdLog.Error(serverUploadErr, "Failed to upload results to server")
numWG := 1
if !scapresultsconf.DisableRawResultUpload {
numWG++
}
wg.Add(numWG)

if !scapresultsconf.DisableRawResultUpload {
arfContents, err := readResultsFile(scapresultsconf.ArfFile, scapresultsconf.Timeout)
if err != nil {
cmdLog.Error(err, "Failed to read ARF file")
os.Exit(1)
}
cmdLog.Info("Uploaded to resultserver")
wg.Done()
}()
defer arfContents.close()
go func() {
serverUploadErr := uploadToResultServer(arfContents, scapresultsconf)
if serverUploadErr != nil {
cmdLog.Error(serverUploadErr, "Failed to upload results to server")
os.Exit(1)
}
cmdLog.Info("Uploaded to resultserver")
wg.Done()
}()
}

go func() {
cmUploadErr := uploadResultConfigMap(xccdfContents, exitcode, scapresultsconf, client)
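Review bot: The disable check in handleCompleteSCAPResults is evaluated twice, once to compute `numWG` and again to guard the ARF upload block, so the WaitGroup count and the goroutine that it accounts for can drift apart the next time either branch is edited. Dropping the counter and calling `wg.Add(1)` directly before each `go func()` (one inside the `if !scapresultsconf.DisableRawResultUpload {` block, one before the ConfigMap goroutine) keeps the count next to the goroutine it covers and removes `numWG` entirely. The new flag's help text also reads awkwardly; `cmd.Flags().Bool("disable-raw-upload", false, "Set to true to skip uploading the raw ARF result to the result server.")` says the same thing clearly. The function body continues past the hunk (the ConfigMap goroutine and, presumably, the wg.Wait() follow), and the struct and flag definitions earlier in the section are not affected by this suggestion.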
6 changes: 6 additions & 0 deletions config/crd/bases/compliance.openshift.io_compliancescans.yaml
Expand Up @@ -95,6 +95,12 @@ spec:
rawResultStorage:
description: Specifies settings that pertain to raw result storage.
properties:
disabled:
default: false
description: Specifies if the raw result storage is disabled.
This is useful in case the raw results are not needed. Defaults
to false.
type: boolean
nodeSelector:
additionalProperties:
type: string
Expand Up @@ -116,6 +116,12 @@ spec:
rawResultStorage:
description: Specifies settings that pertain to raw result storage.
properties:
disabled:
default: false
description: Specifies if the raw result storage is disabled.
This is useful in case the raw results are not needed.
Defaults to false.
type: boolean
nodeSelector:
additionalProperties:
type: string
5 changes: 5 additions & 0 deletions config/crd/bases/compliance.openshift.io_scansettings.yaml
Expand Up @@ -69,6 +69,11 @@ spec:
rawResultStorage:
description: Specifies settings that pertain to raw result storage.
properties:
disabled:
default: false
description: Specifies if the raw result storage is disabled. This
is useful in case the raw results are not needed. Defaults to false.
type: boolean
nodeSelector:
additionalProperties:
type: string
5 changes: 5 additions & 0 deletions pkg/apis/compliance/v1alpha1/compliancescan_types.go
Expand Up @@ -132,6 +132,11 @@ type ComplianceScanType string
// When changing the defaults, remember to change also the DefaultRawStorageSize and
// DefaultStorageRotation constants
type RawResultStorageSettings struct {
// Specifies if the raw result storage is disabled. This is useful in case
// the raw results are not needed. Defaults to false.
// +kubebuilder:validation:Default=false
// +kubebuilder:default=false
Disabled bool `json:"disabled,omitempty"`
// Specifies the amount of storage to ask for storing the raw results. Note that
// if re-scans happen, the new results will also need to be stored. Defaults to 1Gi.
// +kubebuilder:validation:Default=1Gi
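Review bot: The doc comment on the new `Disabled` field says only that it is "useful in case the raw results are not needed", which does not tell an operator what they give up or what still happens; since the raw ARF report is the audit evidence for a scan, that matters. Based on the controller and result-collector changes in this commit, a fuller comment would read: `// When true, no result server, PVC or result-server TLS secrets are created for the scan and the scan pods skip uploading the raw ARF report, so the ARF evidence is not retained; the XCCDF results are still uploaded to ConfigMaps. Defaults to false.` The `+kubebuilder:validation:Default=false` marker mirrors the `+kubebuilder:validation:Default=1Gi` marker on the neighbouring field, so it is consistent with the file even though only `+kubebuilder:default` is the marker controller-gen acts on. The RawResultStorageSettings struct continues past the end of the hunk.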
46 changes: 25 additions & 21 deletions pkg/controller/compliancescan/compliancescan_controller.go
Expand Up @@ -335,26 +335,29 @@ func (r *ReconcileComplianceScan) phaseLaunchingHandler(h scanTypeHandler, logge
return reconcile.Result{}, err
}

if err = r.handleResultServerSecret(scan, logger); err != nil {
logger.Error(err, "Cannot create result server cert secret")
return reconcile.Result{}, err
}
if !scan.Spec.RawResultStorage.Disabled {
if err = r.handleResultServerSecret(scan, logger); err != nil {
logger.Error(err, "Cannot create result server cert secret")
return reconcile.Result{}, err
}

if err = r.handleResultClientSecret(scan, logger); err != nil {
logger.Error(err, "Cannot create result Client cert secret")
return reconcile.Result{}, err
}
if err = r.handleResultClientSecret(scan, logger); err != nil {
logger.Error(err, "Cannot create result Client cert secret")
return reconcile.Result{}, err
}

if resume, err := r.handleRawResultsForScan(scan, logger); err != nil || !resume {
if err != nil {
logger.Error(err, "Cannot create the PersistentVolumeClaims")
if resume, err := r.handleRawResultsForScan(scan, logger); err != nil || !resume {
if err != nil {
logger.Error(err, "Cannot create the PersistentVolumeClaims")
}
return reconcile.Result{}, err
}

if err = r.createResultServer(scan, logger); err != nil {
logger.Error(err, "Cannot create result server")
return reconcile.Result{}, err
}
return reconcile.Result{}, err
}

if err = r.createResultServer(scan, logger); err != nil {
logger.Error(err, "Cannot create result server")
return reconcile.Result{}, err
}

if err = r.handleRuntimeKubeletConfig(scan, logger); err != nil {
Expand Down Expand Up @@ -745,11 +748,12 @@ func (r *ReconcileComplianceScan) phaseDoneHandler(h scanTypeHandler, instance *
}
} else {
// If we're done with the scan but we're not cleaning up just yet.

// scale down resultserver so it's not still listening for requests.
if err := r.scaleDownResultServer(instance, logger); err != nil {
logger.Error(err, "Cannot scale down result server")
return reconcile.Result{}, err
if !instance.Spec.RawResultStorage.Disabled {
// scale down resultserver so it's not still listening for requests.
if err := r.scaleDownResultServer(instance, logger); err != nil {
logger.Error(err, "Cannot scale down result server")
return reconcile.Result{}, err
}
}
}

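Review bot: With storage disabled, phaseLaunchingHandler now skips the server and client certificate secrets, the PVC and the result server, but the cleanup arm of phaseDoneHandler (the `if` branch that precedes the `} else {` at the top of the second hunk, outside this view) is not shown to be guarded the same way; if it deletes the result server or its secrets unconditionally, those deletes must tolerate NotFound for disabled scans, which is worth confirming. A short comment at the top of the new block would also spare the next reader from reconstructing the reasoning, for example `// Raw result storage disabled: no TLS secrets, PVC or result server are needed; the scan pods skip the ARF upload.` Both phaseLaunchingHandler and phaseDoneHandler start and end outside the hunks shown.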
8 changes: 8 additions & 0 deletions pkg/controller/compliancescan/resultserver.go
Expand Up @@ -282,3 +282,11 @@ func getResultServerName(instance *compv1alpha1.ComplianceScan) string {
func getResultServerURI(instance *compv1alpha1.ComplianceScan) string {
return "https://" + getResultServerName(instance) + fmt.Sprintf(":%d/", ResultServerPort)
}

func getDisableRawResultUploadValue(instance *compv1alpha1.ComplianceScan) string {
if instance.Spec.RawResultStorage.Disabled {
return "true"
} else {
return "false"
}
}
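Review bot: getDisableRawResultUploadValue hand-rolls a bool-to-string conversion as an `if`/`else` around two returns, which the standard library already provides: `return strconv.FormatBool(instance.Spec.RawResultStorage.Disabled)` replaces the whole body (with `"strconv"` added to the file's import block, which is outside the hunk). The explicit `else` after a `return` is also the shape Go style guides discourage. A one-line doc comment would help the callers in scan.go, e.g. `// getDisableRawResultUploadValue renders the scan's RawResultStorage.Disabled flag as the string value passed to the scan pod's --disable-raw-upload argument.`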
2 changes: 2 additions & 0 deletions pkg/controller/compliancescan/scan.go
Expand Up @@ -182,6 +182,7 @@ func newScanPodForNode(scanInstance *compv1alpha1.ComplianceScan, node *corev1.N
"--tls-client-cert=/etc/pki/tls/tls.crt",
"--tls-client-key=/etc/pki/tls/tls.key",
"--tls-ca=/etc/pki/tls/ca.crt",
"--disable-raw-upload=" + getDisableRawResultUploadValue(scanInstance),
},
ImagePullPolicy: corev1.PullAlways,
SecurityContext: &corev1.SecurityContext{
Expand Down Expand Up @@ -508,6 +509,7 @@ func (r *ReconcileComplianceScan) newPlatformScanPod(scanInstance *compv1alpha1.
"--tls-client-cert=/etc/pki/tls/tls.crt",
"--tls-client-key=/etc/pki/tls/tls.key",
"--tls-ca=/etc/pki/tls/ca.crt",
"--disable-raw-upload=" + getDisableRawResultUploadValue(scanInstance),
},
ImagePullPolicy: corev1.PullAlways,
SecurityContext: &corev1.SecurityContext{
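Review bot: Both pod templates still pass `--tls-client-cert=/etc/pki/tls/tls.crt`, `--tls-client-key` and `--tls-ca` even when `--disable-raw-upload=true`, while the controller change in this commit stops creating the result-client certificate secret for disabled scans. If the volume backing `/etc/pki/tls` (defined outside this hunk) is a secret volume for that client certificate and is not marked optional, a disabled scan pod cannot start; the e2e test added here expects such a scan to reach Done, so either the secret is created elsewhere or the volume is optional, and that should be confirmed rather than assumed. If it is neither, either keep creating the client secret, set `Optional: true` on the volume when storage is disabled, or omit the TLS arguments and the volume for disabled scans. Both enclosing functions, newScanPodForNode and newPlatformScanPod, start and end outside the hunks shown.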
67 changes: 67 additions & 0 deletions tests/e2e/parallel/main_test.go
Expand Up @@ -19,6 +19,7 @@ import (
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/wait"

"sigs.k8s.io/controller-runtime/pkg/client"
)

Expand Down Expand Up @@ -1833,6 +1834,72 @@ func TestScheduledSuitePriorityClass(t *testing.T) {
}
}

func TestScheduledSuiteNoStorage(t *testing.T) {
t.Parallel()
f := framework.Global
suiteName := "test-scheduled-suite-no-storage"
workerScanName := fmt.Sprintf("%s-workers-scan", suiteName)
selectWorkers := map[string]string{
"node-role.kubernetes.io/worker": "",
}

testSuite := &compv1alpha1.ComplianceSuite{
ObjectMeta: metav1.ObjectMeta{
Name: suiteName,
Namespace: f.OperatorNamespace,
},
Spec: compv1alpha1.ComplianceSuiteSpec{
ComplianceSuiteSettings: compv1alpha1.ComplianceSuiteSettings{
AutoApplyRemediations: false,
},
Scans: []compv1alpha1.ComplianceScanSpecWrapper{
{
Name: workerScanName,
ComplianceScanSpec: compv1alpha1.ComplianceScanSpec{
ContentImage: contentImagePath,
Profile: "xccdf_org.ssgproject.content_profile_moderate",
Content: framework.RhcosContentFile,
Rule: "xccdf_org.ssgproject.content_rule_no_netrc_files",
NodeSelector: selectWorkers,
ComplianceScanSettings: compv1alpha1.ComplianceScanSettings{
RawResultStorage: compv1alpha1.RawResultStorageSettings{
Disabled: true,
},
Debug: true,
},
},
},
},
},
}

err := f.Client.Create(context.TODO(), testSuite, nil)
if err != nil {
t.Fatal(err)
}
defer f.Client.Delete(context.TODO(), testSuite)

pvcList := &corev1.PersistentVolumeClaimList{}
err = f.Client.List(context.TODO(), pvcList, client.InNamespace(f.OperatorNamespace), client.MatchingLabels(map[string]string{
compv1alpha1.ComplianceScanLabel: workerScanName,
}))
if err != nil {
t.Fatal(err)
}
if len(pvcList.Items) > 0 {
for _, pvc := range pvcList.Items {
t.Fatalf("Found unexpected PVC %s", pvc.Name)
}
t.Fatal("Expected not to find PVC associated with the scan.")
}

// Ensure that all the scans in the suite have finished and are marked as Done
err = f.WaitForSuiteScansStatus(f.OperatorNamespace, suiteName, compv1alpha1.PhaseDone, compv1alpha1.ResultCompliant)
if err != nil {
t.Fatal(err)
}
}

func TestScheduledSuiteInvalidPriorityClass(t *testing.T) {
t.Parallel()
f := framework.Global
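Review bot: The PVC check in TestScheduledSuiteNoStorage runs immediately after `f.Client.Create`, before the suite can have reached any phase, so it passes even if the feature is broken: the controller creates PVCs in the Launching phase, which cannot have happened yet at that point. Move the `pvcList` listing and its assertion below the `f.WaitForSuiteScansStatus(... PhaseDone ...)` call so the test inspects the state after the scan has actually run. The `for` loop that calls `t.Fatalf` on the first item also makes the `t.Fatal` after it unreachable; a single `t.Fatalf("expected no PVC for scan %s, found %d", workerScanName, len(pvcList.Items))` is enough. If the framework offers a way to list the result-server Deployment or its TLS secrets, asserting their absence after the wait would cover the rest of what the controller change skips.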
