diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
new file mode 100644
index 0000000..b4dc73b
--- /dev/null
+++ b/.github/workflows/docker.yaml
@@ -0,0 +1,55 @@
+---
+name: Docker Build Action
+on:
+ pull_request:
+ branches:
+ - main
+ release:
+ types:
+ - published
+ push:
+ branches:
+ - main
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ build:
+ name: Docker Build
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Log in to the container registry
+ uses: docker/login-action@v2
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ secrets.DOCKER_REGISTRY_USER }}
+ password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
+
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Set up Go 1.20
+ uses: actions/setup-go@v4
+ with:
+ go-version: '1.20.x'
+
+ - name: Lint
+ uses: golangci/golangci-lint-action@v3
+ with:
+ args: --build-tags integration -p bugs -p unused --timeout=3m
+
+ - name: Make tag
+ run: |
+ [ "${GITHUB_EVENT_NAME}" == 'pull_request' ] && echo "tag=${GITHUB_HEAD_REF##*/}" >> $GITHUB_ENV || true
+ [ "${GITHUB_EVENT_NAME}" == 'release' ] && echo "tag=${GITHUB_REF##*/}" >> $GITHUB_ENV || true
+ [ "${GITHUB_EVENT_NAME}" == 'push' ] && echo "tag=latest" >> $GITHUB_ENV || true
+
+ - name: Build and push image
+ uses: docker/build-push-action@v3
+ with:
+ context: .
+ push: true
+ tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.tag }}
diff --git a/.github/workflows/latest.yaml b/.github/workflows/latest.yaml
deleted file mode 100644
index 0b88e3e..0000000
--- a/.github/workflows/latest.yaml
+++ /dev/null
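Review bot: The pull_request branch of the "Make tag" step pushes a PR image under the bare head-branch name, so a PR branch called `latest`, or named like a release tag, overwrites the image that the push and release events publish; the deleted pull_request.yaml prefixed these tags with `pr-` for exactly that reason. Suggested line: `[ "${GITHUB_EVENT_NAME}" == 'pull_request' ] && echo "tag=pr-${GITHUB_HEAD_REF##*/}" >> $GITHUB_ENV || true`. The login step also runs unconditionally on pull_request, and for PRs from forks the `secrets.*` values are empty, so those jobs will most likely fail at login where the old workflow skipped login and push via its fork check; guarding the login and push steps with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` restores that behaviour. Since the push uses the registry PAT secrets rather than GITHUB_TOKEN, a top-level `permissions: contents: read` would additionally keep the default token at the minimum this job needs.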
@@ -1,39 +0,0 @@
-name: Build latest image
-
-on:
- push:
- branches:
- - main
-
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v3
-
- - name: Docker Login
- uses: docker/login-action@v2
- with:
- registry: ${{ secrets.DOCKER_REGISTRY }}
- username: ${{ secrets.DOCKER_REGISTRY_USER }}
- password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
-
- - name: Setup go
- uses: actions/setup-go@v3
- with:
- go-version: '1.20'
-
- - name: Lint
- uses: golangci/golangci-lint-action@v3
- with:
- args: -p bugs --timeout=3m
-
- - name: Build and push Docker image
- run: |
- docker build -t ghcr.io/metal-stack/audit-forwarder .
- docker push ghcr.io/metal-stack/audit-forwarder
-
- - uses: release-drafter/release-drafter@v5
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
deleted file mode 100644
index 6cfabf2..0000000
--- a/.github/workflows/pull_request.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-name: Build image from pull request
-
-on:
- pull_request:
- branches:
- - main
-
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v3
-
- - name: Figure out if running fork PR
- id: fork
- run: '["${{ secrets.DOCKER_REGISTRY_TOKEN }}" == ""] && echo "::set-output name=is_fork_pr::true" || echo "::set-output name=is_fork_pr::false"'
-
- - name: Docker Login
- uses: docker/login-action@v2
- with:
- registry: ${{ secrets.DOCKER_REGISTRY }}
- username: ${{ secrets.DOCKER_REGISTRY_USER }}
- password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
- if: steps.fork.outputs.is_fork_pr == 'false'
-
- - name: Setup go
- uses: actions/setup-go@v3
- with:
- go-version: '1.20'
-
- - name: Lint
- uses: golangci/golangci-lint-action@v3
- with:
- args: -p bugs --timeout=3m
-
- - name: Build Docker image
- run: |
- docker build -t ghcr.io/metal-stack/audit-forwarder:pr-${GITHUB_HEAD_REF##*/} .
-
- - name: Push Docker image
- run: |
- # pull request images are prefixed with 'pr' to prevent them from overriding released images
- docker push ghcr.io/metal-stack/audit-forwarder:pr-${GITHUB_HEAD_REF##*/}
- if: steps.fork.outputs.is_fork_pr == 'false'
diff --git a/.github/workflows/release-drafter.yaml b/.github/workflows/release-drafter.yaml
new file mode 100644
index 0000000..0a81725
--- /dev/null
+++ b/.github/workflows/release-drafter.yaml
@@ -0,0 +1,15 @@
+---
+name: Release Drafter Action
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: release-drafter/release-drafter@v5
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
deleted file mode 100644
index fa78a7f..0000000
--- a/.github/workflows/release.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: Build image from release tag
-
-on:
- release:
- types:
- - published
-
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v3
-
- - name: Docker Login
- uses: docker/login-action@v2
- with:
- registry: ${{ secrets.DOCKER_REGISTRY }}
- username: ${{ secrets.DOCKER_REGISTRY_USER }}
- password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
-
- - name: Setup go
- uses: actions/setup-go@v3
- with:
- go-version: '1.20'
-
- - name: Lint
- uses: golangci/golangci-lint-action@v3
- with:
- args: -p bugs --timeout=3m
-
- - name: Build and push Docker image
- run: |
- docker build -t ghcr.io/metal-stack/audit-forwarder:${GITHUB_REF##*/} .
- docker push ghcr.io/metal-stack/audit-forwarder:${GITHUB_REF##*/}
diff --git a/Dockerfile b/Dockerfile
index 4b313e2..e80745b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,11 +6,12 @@ COPY .git Makefile go.* *.go /work/
 COPY pkg/ /work/pkg/
 RUN make bin/audit-forwarder
-FROM fluent/fluent-bit:1.9.3-debug
+FROM fluent/fluent-bit:1.9.10
 COPY --from=builder /work/bin/audit-forwarder /fluent-bit/bin/
 COPY fluent-bit.conf /fluent-bit/etc/
 COPY parsers.conf /fluent-bit/etc/
 COPY null.conf /fluent-bit/etc/add/
+ENTRYPOINT ["/fluent-bit/bin/audit-forwarder"]
 CMD ["/fluent-bit/bin/audit-forwarder"]
diff --git a/Makefile b/Makefile
index 538a2af..e4edfbe 100644
--- a/Makefile
+++ b/Makefile
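Review bot: The new exec-form `ENTRYPOINT ["/fluent-bit/bin/audit-forwarder"]` is immediately followed by the unchanged `CMD ["/fluent-bit/bin/audit-forwarder"]`, and when both are in exec form Docker appends CMD to ENTRYPOINT, so the container starts audit-forwarder with its own path as the first positional argument. Either delete the CMD line or replace it with `CMD []` so no stray argument is passed. Whether the binary ignores or rejects that extra argument depends on its command-line parsing (go.mod pulls in spf13/cobra), which is not visible here, so it is worth starting the rebuilt image once to confirm.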
@@ -1,10 +1,15 @@
 .ONESHELL:
 SHA := $(shell git rev-parse --short=8 HEAD)
 GITVERSION := $(shell git describe --long --all)
-BUILDDATE := $(shell date -Iseconds)
-VERSION := $(or ${VERSION},devel)
+BUILDDATE := $(shell GO111MODULE=off go run ${COMMONDIR}/time.go)
+VERSION := $(or ${VERSION},$(shell git describe --tags --exact-match 2> /dev/null || git symbolic-ref -q --short HEAD || git rev-parse --short HEAD))
 BINARY := audit-forwarder
+LINKMODE := -extldflags '-static -s -w' \
+ -X 'github.com/metal-stack/v.Version=$(VERSION)' \
+ -X 'github.com/metal-stack/v.Revision=$(GITVERSION)' \
+ -X 'github.com/metal-stack/v.GitSHA1=$(SHA)' \
+ -X 'github.com/metal-stack/v.BuildDate=$(BUILDDATE)'
 .PHONY: test
 test:
@@ -12,16 +17,13 @@ test:
 .PHONY: all
 bin/$(BINARY): test
- GGO_ENABLED=0 \
+ GGO_ENABLED=1 \
 GO111MODULE=on \
 go build \
 -trimpath \
 -tags netgo \
 -o bin/$(BINARY) \
- -ldflags "-X 'github.com/metal-stack/v.Version=$(VERSION)' \
- -X 'github.com/metal-stack/v.Revision=$(GITVERSION)' \
- -X 'github.com/metal-stack/v.GitSHA1=$(SHA)' \
- -X 'github.com/metal-stack/v.BuildDate=$(BUILDDATE)'" . && strip bin/$(BINARY)
+ -ldflags "$(LINKMODE)" -tags 'osusergo netgo static_build' . && strip bin/$(BINARY)
 strip bin/$(BINARY)
 .PHONY: release
@@ -35,7 +37,7 @@ release: bin/$(BINARY)
 && cd -
 dockerimage:
- docker build -t metal-stack/audit-forwarder .
+ docker build -t ghcr.io/metal-stack/audit-forwarder .
 .PHONY: all
 all:: release;
diff --git a/go.mod b/go.mod
index e0c6031..046f5b4 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,6 @@ go 1.20
 require (
 github.com/go-playground/validator/v10 v10.12.0
- github.com/metal-stack/gardener-extension-provider-metal v0.20.3
 github.com/metal-stack/v v1.0.3
 github.com/robfig/cron/v3 v3.0.1
 github.com/spf13/cobra v1.7.0
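Review bot: BUILDDATE now shells out to `go run ${COMMONDIR}/time.go`, but COMMONDIR is not assigned anywhere in this hunk, so unless it arrives from the environment or an included file the command becomes `go run /time.go`, fails, and BUILDDATE is silently empty in the linked-in version information. If the value is meant to come from outside, add an `ifndef COMMONDIR` guard with `$(error COMMONDIR must be set)` next to the other variable definitions so the failure is loud rather than an empty string in the binary. The previous `date -Iseconds` form had no such dependency.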
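Review bot: `GGO_ENABLED=1` in the bin/$(BINARY) recipe is a misspelling of `CGO_ENABLED` (the removed line carried the same typo), so flipping it to 1 has no effect on go build and the cgo setting stays at the environment's default, which matters now that the link passes `-extldflags '-static'`; the line should read `CGO_ENABLED=1 \`. The same command still passes `-tags netgo` before the new `-tags 'osusergo netgo static_build'`, and go build keeps only the last `-tags` value, so the earlier one is dead and should be removed to avoid misleading readers. The recipe also runs `strip bin/$(BINARY)` twice, once after `&&` and once on its own line, which predates this change but could be tidied while here.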
@@ -31,6 +30,7 @@ require (
 github.com/google/gnostic v0.6.9 // indirect
 github.com/google/go-cmp v0.5.9 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
+ github.com/google/pprof v0.0.0-20230323073829-e72429f035bd // indirect
 github.com/google/uuid v1.3.0 // indirect
 github.com/hashicorp/hcl v1.0.0 // indirect
 github.com/imdario/mergo v0.3.15 // indirect
@@ -44,6 +44,8 @@ require (
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+ github.com/onsi/ginkgo/v2 v2.9.2 // indirect
+ github.com/onsi/gomega v1.27.6 // indirect
 github.com/pelletier/go-toml/v2 v2.0.7 // indirect
 github.com/spf13/afero v1.9.5 // indirect
 github.com/spf13/cast v1.5.0 // indirect
diff --git a/go.sum b/go.sum
index 168ff9d..a672edf 100644
--- a/go.sum
+++ b/go.sum
@@ -156,6 +156,7 @@ github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20230323073829-e72429f035bd h1:r8yyd+DJDmsUhGrRBxH5Pj7KeFK5l+Y3FsgT8keqKtk=
+github.com/google/pprof v0.0.0-20230323073829-e72429f035bd/go.mod h1:79YE0hCXdHag9sBkw2o+N/YnZtTkXi0UT9Nnixa5eYk=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
@@ -197,8 +198,6 @@ github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0V
 github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/metal-stack/gardener-extension-provider-metal v0.20.3 h1:hhNLjACU2vYbZJFx7XuFXEAZXgXKElq6Bb5FFFUJEiQ=
-github.com/metal-stack/gardener-extension-provider-metal v0.20.3/go.mod h1:r0SgbEF3au3pJCMmriA3PNaawUd9h3v8msrMt43rGxI=
 github.com/metal-stack/v v1.0.3 h1:Sh2oBlnxrCUD+mVpzfC8HiqL045YWkxs0gpTvkjppqs=
 github.com/metal-stack/v v1.0.3/go.mod h1:YTahEu7/ishwpYKnp/VaW/7nf8+PInogkfGwLcGPdXg=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
@@ -210,9 +209,10 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo/v2 v2.9.2 h1:BA2GMJOtfGAfagzYtrAlufIP0lq6QERkFmHLMLPwFSU=
+github.com/onsi/ginkgo/v2 v2.9.2/go.mod h1:WHcJJG2dIlcCqVfBAwUCrJxSPFb6v4azBwgxeMeDuts=
 github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
+github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg=
 github.com/pelletier/go-toml/v2 v2.0.7 h1:muncTPStnKRos5dpVKULv2FVd4bMOhNePj9CjgDb8Us=
 github.com/pelletier/go-toml/v2 v2.0.7/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha2N+QD+EUNTek=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
diff --git a/main.go b/main.go
index ade6411..94acf3a 100644
--- a/main.go
+++ b/main.go
@@ -23,7 +23,6 @@ import (
 "strings"
 "github.com/metal-stack/audit-forwarder/pkg/proxy"
- "github.com/metal-stack/gardener-extension-provider-metal/pkg/secret"
 "github.com/metal-stack/v"
 "github.com/go-playground/validator/v10"
@@ -517,15 +516,10 @@ func checkSecret(opts *Opts, client *k8s.Clientset) error {
 kubectx, kubecancel := context.WithTimeout(context.Background(), time.Duration(10*time.Second))
 defer kubecancel()
- secret, err := getLatestSecret(kubectx, client, opts.NameSpace, opts.SecretName)
- // TODO: backward compability, remove in the future
- if err != nil { // That means no matching secret provided by secretsmanager found, try old way
- secret, err = client.CoreV1().Secrets(opts.NameSpace).Get(kubectx, opts.SecretName, metav1.GetOptions{})
- }
-
- if err != nil { // That means no matching secret found. No need to do anything - we write a new secret when one becomes available.
- return err
+ secret, err := client.CoreV1().Secrets(opts.NameSpace).Get(kubectx, opts.SecretName, metav1.GetOptions{})
+ if err != nil {
+ return fmt.Errorf("did not find client secret %q in namespace %s: %w", opts.SecretName, opts.NameSpace, err)
 }
 logger.Debugw("Got secret", opts.SecretName, secret.Name)
@@ -563,14 +557,3 @@ func checkSecret(opts *Opts, client *k8s.Clientset) error {
 return nil
 }
-
-func getLatestSecret(ctx context.Context, c *k8s.Clientset, namespace string, name string) (*corev1.Secret, error) {
- secretList, err := c.CoreV1().Secrets(namespace).List(ctx, metav1.ListOptions{
- LabelSelector: fmt.Sprintf("%s=%s", "name", name),
- })
- if err != nil {
- return nil, err
- }
-
- return secret.GetLatestIssuedSecret(secretList.Items)
-}
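Review bot: The new error in checkSecret formats the secret name with `%q` but the namespace with `%s`; use `%q` for both so an empty or odd namespace value is visible: `return fmt.Errorf("did not find client secret %q in namespace %q: %w", opts.SecretName, opts.NameSpace, err)`. The message also labels every Get failure, including an RBAC forbidden response or the 10 s context timeout, as "did not find", whereas the removed comment treated the error as the expected no-secret-yet case; if any caller acts on that distinction, check the `IsNotFound` helper from k8s.io/apimachinery/pkg/api/errors before wording the error as a missing secret. checkSecret begins before the first of its hunks and the body between the two hunks is not shown, so I cannot see how the returned error is consumed. Removing getLatestSecret may also leave the `corev1` import unused unless something else in main.go still references it, which the compiler will report.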