Skip to content

Commit

Permalink
Have optional result server
Browse files Browse the repository at this point in the history 
Adding a Disabled filed in ScanSetting.Spec.RawResultStorage.Disabled, defaulting to false, if setting to true we will not create result server to store arf report.
  • Loading branch information
@Vincent056
Vincent056 committed Aug 15, 2024
1 parent 2120915 commit 6b9593b
Show file tree
Hide file tree
Showing 13 changed files with 174 additions and 53 deletions.
6 changes: 6 additions & 0 deletions bundle/manifests/compliance.openshift.io_compliancescans.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,12 @@ spec:
rawResultStorage:
description: Specifies settings that pertain to raw result storage.
properties:
disabled:
default: false
description: Specifies if the raw result storage is disabled.
This is useful in case the raw results are not needed. Defaults
to false.
type: boolean
nodeSelector:
additionalProperties:
type: string
Expand Down
6 changes: 6 additions & 0 deletions bundle/manifests/compliance.openshift.io_compliancesuites.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,12 @@ spec:
rawResultStorage:
description: Specifies settings that pertain to raw result storage.
properties:
disabled:
default: false
description: Specifies if the raw result storage is disabled.
This is useful in case the raw results are not needed.
Defaults to false.
type: boolean
nodeSelector:
additionalProperties:
type: string
Expand Down
5 changes: 5 additions & 0 deletions bundle/manifests/compliance.openshift.io_scansettings.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,11 @@ spec:
rawResultStorage:
description: Specifies settings that pertain to raw result storage.
properties:
disabled:
default: false
description: Specifies if the raw result storage is disabled. This
is useful in case the raw results are not needed. Defaults to false.
type: boolean
nodeSelector:
additionalProperties:
type: string
Expand Down
5 changes: 3 additions & 2 deletions cmd/manager/common.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,12 @@ package manager

import (
"fmt"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/discovery"
"os"
"path/filepath"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/discovery"

ocpcfgv1 "github.com/openshift/api/config/v1"
mcfgv1 "github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io/v1"
"github.com/spf13/cobra"
Expand Down
67 changes: 37 additions & 30 deletions cmd/manager/resultcollector.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -64,20 +64,21 @@ func init() {
}

type scapresultsConfig struct {
ArfFile string
XccdfFile string
ExitCodeFile string
CmdOutputFile string
WarningsOutputFile string
ScanName string
ConfigMapName string
NodeName string
Namespace string
ResultServerURI string
Timeout int64
Cert string
Key string
CA string
ArfFile string
XccdfFile string
ExitCodeFile string
CmdOutputFile string
WarningsOutputFile string
ScanName string
ConfigMapName string
NodeName string
Namespace string
ResultServerURI string
Timeout int64
Cert string
Key string
CA string
DisableRawResultUpload bool
}

func defineResultcollectorFlags(cmd *cobra.Command) {
Expand Down Expand Up @@ -117,6 +118,7 @@ func parseConfig(cmd *cobra.Command) *scapresultsConfig {
conf.CA = getValidStringArg(cmd, "tls-ca")
conf.Timeout, _ = cmd.Flags().GetInt64("timeout")
conf.ResultServerURI, _ = cmd.Flags().GetString("resultserveruri")
conf.DisableRawResultUpload, _ = cmd.Flags().GetBool("disable-raw-upload")
// Set default if needed
if conf.ResultServerURI == "" {
conf.ResultServerURI = "http://" + conf.ScanName + "-rs:8080/"
Expand Down Expand Up @@ -370,31 +372,36 @@ func uploadErrorConfigMap(errorMsg *resultFileContents, exitcode string,
}

func handleCompleteSCAPResults(exitcode string, scapresultsconf *scapresultsConfig, client *complianceCrClient) {
arfContents, err := readResultsFile(scapresultsconf.ArfFile, scapresultsconf.Timeout)
if err != nil {
cmdLog.Error(err, "Failed to read ARF file")
os.Exit(1)
}
defer arfContents.close()

xccdfContents, err := readResultsFile(scapresultsconf.XccdfFile, scapresultsconf.Timeout)
if err != nil {
cmdLog.Error(err, "Failed to read XCCDF file")
os.Exit(1)
}
defer xccdfContents.close()

var wg sync.WaitGroup
wg.Add(2)
go func() {
serverUploadErr := uploadToResultServer(arfContents, scapresultsconf)
if serverUploadErr != nil {
cmdLog.Error(serverUploadErr, "Failed to upload results to server")
numWG := 1
if !scapresultsconf.DisableRawResultUpload {
numWG++
}
wg.Add(numWG)

if !scapresultsconf.DisableRawResultUpload {
arfContents, err := readResultsFile(scapresultsconf.ArfFile, scapresultsconf.Timeout)
if err != nil {
cmdLog.Error(err, "Failed to read ARF file")
os.Exit(1)
}
cmdLog.Info("Uploaded to resultserver")
wg.Done()
}()
defer arfContents.close()
go func() {
serverUploadErr := uploadToResultServer(arfContents, scapresultsconf)
if serverUploadErr != nil {
cmdLog.Error(serverUploadErr, "Failed to upload results to server")
os.Exit(1)
}
cmdLog.Info("Uploaded to resultserver")
wg.Done()
}()
}

go func() {
cmUploadErr := uploadResultConfigMap(xccdfContents, exitcode, scapresultsconf, client)
Expand Down
6 changes: 6 additions & 0 deletions config/crd/bases/compliance.openshift.io_compliancescans.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,12 @@ spec:
rawResultStorage:
description: Specifies settings that pertain to raw result storage.
properties:
disabled:
default: false
description: Specifies if the raw result storage is disabled.
This is useful in case the raw results are not needed. Defaults
to false.
type: boolean
nodeSelector:
additionalProperties:
type: string
Expand Down
6 changes: 6 additions & 0 deletions config/crd/bases/compliance.openshift.io_compliancesuites.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,12 @@ spec:
rawResultStorage:
description: Specifies settings that pertain to raw result storage.
properties:
disabled:
default: false
description: Specifies if the raw result storage is disabled.
This is useful in case the raw results are not needed.
Defaults to false.
type: boolean
nodeSelector:
additionalProperties:
type: string
Expand Down
5 changes: 5 additions & 0 deletions config/crd/bases/compliance.openshift.io_scansettings.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,11 @@ spec:
rawResultStorage:
description: Specifies settings that pertain to raw result storage.
properties:
disabled:
default: false
description: Specifies if the raw result storage is disabled. This
is useful in case the raw results are not needed. Defaults to false.
type: boolean
nodeSelector:
additionalProperties:
type: string
Expand Down
5 changes: 5 additions & 0 deletions pkg/apis/compliance/v1alpha1/compliancescan_types.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -132,6 +132,11 @@ type ComplianceScanType string
// When changing the defaults, remember to change also the DefaultRawStorageSize and
// DefaultStorageRotation constants
type RawResultStorageSettings struct {
// Specifies if the raw result storage is disabled. This is useful in case
// the raw results are not needed. Defaults to false.
// +kubebuilder:validation:Default=false
// +kubebuilder:default=false
Disabled bool `json:"disabled,omitempty"`
// Specifies the amount of storage to ask for storing the raw results. Note that
// if re-scans happen, the new results will also need to be stored. Defaults to 1Gi.
// +kubebuilder:validation:Default=1Gi
Expand Down
46 changes: 25 additions & 21 deletions pkg/controller/compliancescan/compliancescan_controller.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -335,26 +335,29 @@ func (r *ReconcileComplianceScan) phaseLaunchingHandler(h scanTypeHandler, logge
return reconcile.Result{}, err
}

if err = r.handleResultServerSecret(scan, logger); err != nil {
logger.Error(err, "Cannot create result server cert secret")
return reconcile.Result{}, err
}
if !scan.Spec.RawResultStorage.Disabled {
if err = r.handleResultServerSecret(scan, logger); err != nil {
logger.Error(err, "Cannot create result server cert secret")
return reconcile.Result{}, err
}

if err = r.handleResultClientSecret(scan, logger); err != nil {
logger.Error(err, "Cannot create result Client cert secret")
return reconcile.Result{}, err
}
if err = r.handleResultClientSecret(scan, logger); err != nil {
logger.Error(err, "Cannot create result Client cert secret")
return reconcile.Result{}, err
}

if resume, err := r.handleRawResultsForScan(scan, logger); err != nil || !resume {
if err != nil {
logger.Error(err, "Cannot create the PersistentVolumeClaims")
if resume, err := r.handleRawResultsForScan(scan, logger); err != nil || !resume {
if err != nil {
logger.Error(err, "Cannot create the PersistentVolumeClaims")
}
return reconcile.Result{}, err
}

if err = r.createResultServer(scan, logger); err != nil {
logger.Error(err, "Cannot create result server")
return reconcile.Result{}, err
}
return reconcile.Result{}, err
}

if err = r.createResultServer(scan, logger); err != nil {
logger.Error(err, "Cannot create result server")
return reconcile.Result{}, err
}

if err = r.handleRuntimeKubeletConfig(scan, logger); err != nil {
Expand Down Expand Up @@ -745,11 +748,12 @@ func (r *ReconcileComplianceScan) phaseDoneHandler(h scanTypeHandler, instance *
}
} else {
// If we're done with the scan but we're not cleaning up just yet.

// scale down resultserver so it's not still listening for requests.
if err := r.scaleDownResultServer(instance, logger); err != nil {
logger.Error(err, "Cannot scale down result server")
return reconcile.Result{}, err
if !instance.Spec.RawResultStorage.Disabled {
// scale down resultserver so it's not still listening for requests.
if err := r.scaleDownResultServer(instance, logger); err != nil {
logger.Error(err, "Cannot scale down result server")
return reconcile.Result{}, err
}
}
}

Expand Down
8 changes: 8 additions & 0 deletions pkg/controller/compliancescan/resultserver.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -282,3 +282,11 @@ func getResultServerName(instance *compv1alpha1.ComplianceScan) string {
func getResultServerURI(instance *compv1alpha1.ComplianceScan) string {
return "https://" + getResultServerName(instance) + fmt.Sprintf(":%d/", ResultServerPort)
}

func getDisableRawResultUploadValue(instance *compv1alpha1.ComplianceScan) string {
if instance.Spec.RawResultStorage.Disabled {
return "true"
} else {
return "false"
}
}
2 changes: 2 additions & 0 deletions pkg/controller/compliancescan/scan.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -182,6 +182,7 @@ func newScanPodForNode(scanInstance *compv1alpha1.ComplianceScan, node *corev1.N
"--tls-client-cert=/etc/pki/tls/tls.crt",
"--tls-client-key=/etc/pki/tls/tls.key",
"--tls-ca=/etc/pki/tls/ca.crt",
"--disable-raw-upload=" + getDisableRawResultUploadValue(scanInstance),
},
ImagePullPolicy: corev1.PullAlways,
SecurityContext: &corev1.SecurityContext{
Expand Down Expand Up @@ -508,6 +509,7 @@ func (r *ReconcileComplianceScan) newPlatformScanPod(scanInstance *compv1alpha1.
"--tls-client-cert=/etc/pki/tls/tls.crt",
"--tls-client-key=/etc/pki/tls/tls.key",
"--tls-ca=/etc/pki/tls/ca.crt",
"--disable-raw-upload=" + getDisableRawResultUploadValue(scanInstance),
},
ImagePullPolicy: corev1.PullAlways,
SecurityContext: &corev1.SecurityContext{
Expand Down
60 changes: 60 additions & 0 deletions tests/e2e/parallel/main_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1833,6 +1833,66 @@ func TestScheduledSuitePriorityClass(t *testing.T) {
}
}

func TestScheduledSuiteNoStorage(t *testing.T) {
t.Parallel()
f := framework.Global
suiteName := "test-scheduled-suite-no-storage"
workerScanName := fmt.Sprintf("%s-workers-scan", suiteName)
selectWorkers := map[string]string{
"node-role.kubernetes.io/worker": "",
}

testSuite := &compv1alpha1.ComplianceSuite{
ObjectMeta: metav1.ObjectMeta{
Name: suiteName,
Namespace: f.OperatorNamespace,
},
Spec: compv1alpha1.ComplianceSuiteSpec{
ComplianceSuiteSettings: compv1alpha1.ComplianceSuiteSettings{
AutoApplyRemediations: false,
},
Scans: []compv1alpha1.ComplianceScanSpecWrapper{
{
Name: workerScanName,
ComplianceScanSpec: compv1alpha1.ComplianceScanSpec{
ContentImage: contentImagePath,
Profile: "xccdf_org.ssgproject.content_profile_moderate",
Content: framework.RhcosContentFile,
Rule: "xccdf_org.ssgproject.content_rule_no_netrc_files",
NodeSelector: selectWorkers,
ComplianceScanSettings: compv1alpha1.ComplianceScanSettings{
RawResultStorage: compv1alpha1.RawResultStorageSettings{
Disabled: true,
},
Debug: true,
},
},
},
},
},
}

err := f.Client.Create(context.TODO(), testSuite, nil)
if err != nil {
t.Fatal(err)
}
defer f.Client.Delete(context.TODO(), testSuite)

pvcList := &corev1.PersistentVolumeClaimList{}
err = f.Client.List(context.TODO(), pvcList, client.InNamespace(f.OperatorNamespace), client.MatchingLabels(map[string]string{
compv1alpha1.ComplianceScanLabel: workerScanName,
}))
if err != nil {
t.Fatal(err)
}

// Ensure that all the scans in the suite have finished and are marked as Done
err = f.WaitForSuiteScansStatus(f.OperatorNamespace, suiteName, compv1alpha1.PhaseDone, compv1alpha1.ResultCompliant)
if err != nil {
t.Fatal(err)
}
}

func TestScheduledSuiteInvalidPriorityClass(t *testing.T) {
t.Parallel()
f := framework.Global
Expand Down

0 comments on commit 6b9593b

Please sign in to comment.