complianceeventsapi


Overview

Copyright Contributors to the Open Cluster Management project

Index

Constants

// ControllerName is the name this controller goes by.
const ControllerName = "compliance-events-api"

// DBSecretName is the name of the Kubernetes Secret that holds the compliance events
// database connection information. ComplianceDBSecretReconciler.Reconcile watches it in
// the controller namespace, and ParseDBSecret presumably turns its contents into the
// connection URL.
const DBSecretName = "governance-policy-database"

// WatchNamespaceEnvVar is the name of the environment variable that selects the namespace
// to watch for the compliance events store; how and where it is read is not shown here.
const WatchNamespaceEnvVar = "WATCH_NAMESPACE_COMPLIANCE_EVENTS_STORE"

Variables

// ErrInvalidDBSecret is returned by ParseDBSecret when the governance-policy-database
// secret does not contain valid connection information.
var ErrInvalidDBSecret = errors.New("the governance-policy-database secret is invalid")

// ErrInvalidConnectionURL is returned by NewComplianceServerCtx when the database
// connection URL is missing or does not parse.
var ErrInvalidConnectionURL = errors.New("the database connection URL is invalid")

// ErrDBConnectionFailed is returned by MigrateDB when the compliance events database
// cannot be reached.
var ErrDBConnectionFailed = errors.New("the compliance events database could not be connected to")

// ErrRetryable marks an operation that should be requeued and attempted again later
// (see RecordLocalClusterComplianceEvent). Its message is empty, presumably so it can be
// combined with the underlying cause via %w without adding text; detect it with
// errors.Is, never by inspecting the message.
var ErrRetryable = errors.New("")
// ErrInvalidSortOption is declared without a value here and is presumably assigned
// during package initialization elsewhere (not shown); by its name it is returned for an
// unrecognized sort option.
var ErrInvalidSortOption error

// ErrInvalidQueryArgValue is returned when a query argument carries an invalid value.
var ErrInvalidQueryArgValue = errors.New("invalid query argument")

// ErrInvalidQueryArg is declared without a value here and is presumably assigned during
// package initialization elsewhere (not shown); by its name it is returned for an
// unrecognized query argument.
var ErrInvalidQueryArg error

// ErrUnauthorized is returned when the caller is not authorized.
var ErrUnauthorized = errors.New("not authorized")

// ErrForbidden is returned when the request is not allowed. Which HTTP status
// ErrUnauthorized and ErrForbidden map to is not shown here.
var ErrForbidden = errors.New("the request is not allowed")

// ErrNoAccess is returned when the user has no access to any managed cluster.
var ErrNoAccess = errors.New("the user has no access")

Functions

func GetClusterForeignKey added in v0.13.0

func GetClusterForeignKey(ctx context.Context, db *sql.DB, cluster Cluster) (int32, error)

GetClusterForeignKey returns the database row ID (the `id` column, Cluster.KeyID) of the cluster whose `cluster_id` column matches cluster.ClusterID. It is a lookup only; (*Cluster).GetOrCreate is the create-if-missing counterpart.

func MonitorDatabaseConnection added in v0.13.0

func MonitorDatabaseConnection(
	ctx context.Context,
	complianceServerCtx *ComplianceServerCtx,
	client *kubernetes.Clientset,
	controllerNamespace string,
	reconcileRequests chan<- event.GenericEvent,
)

MonitorDatabaseConnection checks the health of the database connection every 20 seconds. While the connection is healthy it runs any pending database migration and forwards the reconcile requests queued in complianceServerCtx.Queue to reconcileRequests, which feeds the replicated policy controller. To stop MonitorDatabaseConnection, cancel the input context.

func ParseDBSecret added in v0.13.0

func ParseDBSecret(dbSecret *corev1.Secret, tempDirPath string) (string, error)

ParseDBSecret parses dbSecret and returns a database connection URL built from it. tempDirPath is a directory where any file-based connection material from the secret is written — for example a custom CA used to verify the Postgres TLS connection (see ComplianceDBSecretReconciler.TempDir); the caller is responsible for cleaning that directory up. If the secret contains invalid connection information, ErrInvalidDBSecret is returned. The returned URL is derived from the secret's contents and will normally embed the database credentials, so treat it as a secret: do not log it or copy it into Kubernetes events or error messages.

func RecordLocalClusterComplianceEvent added in v0.13.0

func RecordLocalClusterComplianceEvent(
	ctx context.Context, complianceServerCtx *ComplianceServerCtx, complianceEvent *EventDetails,
) error

RecordLocalClusterComplianceEvent records complianceEvent for the local cluster through the shared complianceServerCtx. It returns an error matching ErrRetryable (test with errors.Is rather than ==, since ErrRetryable carries no message of its own and may be wrapped) when the event could not be stored now and should be requeued and recorded again later.

Types

type Cluster added in v0.13.0

// Cluster is the stored and API representation of a managed cluster that compliance
// events are recorded against. InsertQuery and SelectQuery build the SQL for this
// record, and GetClusterForeignKey resolves KeyID from ClusterID.
type Cluster struct {
	KeyID     int32  `db:"id" json:"-"`                  // database row ID; never serialized to JSON
	Name      string `db:"name" json:"name"`             // cluster name
	ClusterID string `db:"cluster_id" json:"cluster_id"` //nolint:tagliatelle // cluster identifier; the lookup key used by GetClusterForeignKey
}

func (*Cluster) GetOrCreate added in v0.13.0

func (c *Cluster) GetOrCreate(ctx context.Context, db *sql.DB) error

func (*Cluster) InsertQuery added in v0.13.0

func (c *Cluster) InsertQuery() (string, []any)

func (*Cluster) SelectQuery added in v0.13.0

// SelectQuery returns a SELECT statement for this cluster together with its bind
// arguments. returnedColumns names the columns to return; SQL cannot bind identifiers
// as parameters, so these are presumably spliced into the statement text — pass only
// constant column names from code, never strings taken from a request.
func (c *Cluster) SelectQuery(returnedColumns ...string) (string, []any)

func (Cluster) Validate added in v0.13.0

func (c Cluster) Validate() error

type ComplianceAPIServer added in v0.13.0

// ComplianceAPIServer is the HTTP server for the compliance events API. Create it with
// NewComplianceAPIServer (listen address, Kubernetes REST config and a *tls.Certificate)
// and run it with Start, which blocks until the context is cancelled.
type ComplianceAPIServer struct {
	// contains filtered or unexported fields
}

func NewComplianceAPIServer added in v0.13.0

// NewComplianceAPIServer builds a server that will listen on listenAddress, uses cfg to
// reach the Kubernetes API (presumably for authorizing callers, given ErrUnauthorized,
// ErrForbidden and ErrNoAccess in this package) and serves TLS with cert. How a nil
// cert is handled is not shown here. Nothing listens until Start is called.
func NewComplianceAPIServer(listenAddress string, cfg *rest.Config, cert *tls.Certificate) *ComplianceAPIServer

func (*ComplianceAPIServer) Start added in v0.13.0

func (s *ComplianceAPIServer) Start(ctx context.Context, serverContext *ComplianceServerCtx) error

Start starts the HTTP server and blocks until ctx is cancelled or the server fails to start; in the latter case the startup error is returned.

type ComplianceDBSecretReconciler added in v0.13.0

type ComplianceDBSecretReconciler struct {
	// DynamicWatcher and Client are the Kubernetes watcher and client available to Reconcile, which watches
	// the governance-policy-database secret (DBSecretName) in the controller namespace.
	DynamicWatcher k8sdepwatches.DynamicWatcher
	Client         *kubernetes.Clientset
	// TempDir is used for temporary files such as a custom CA to use to verify the Postgres TLS connection. The
	// caller is responsible for cleaning it up after the controller stops.
	TempDir             string
	ConnectionURL       string               // presumably the URL from ParseDBSecret; it carries the DB credentials, never log it
	ComplianceServerCtx *ComplianceServerCtx // shared context whose DB field this reconciler replaces on changes
}

ComplianceDBSecretReconciler manages the compliance events history database: it runs the database migrations and keeps the shared database connection (ComplianceServerCtx.DB) up to date with the connection information in the governance-policy-database secret.

func (*ComplianceDBSecretReconciler) Reconcile added in v0.13.0

Reconcile watches the governance-policy-database secret (DBSecretName) in the controller namespace. On an update it triggers a database migration and replaces the shared database connection in ComplianceServerCtx; that replacement must be done under the ComplianceServerCtx write lock, as documented on its Lock field.

type ComplianceEvent added in v0.13.0

// ComplianceEvent is the API representation of one compliance event together with the
// cluster it belongs to, the policy it concerns and, when present, the parent policy
// (ParentPolicy is a pointer and may be nil). Validate checks a POST body of this shape
// and Create inserts it into the database.
type ComplianceEvent struct {
	EventID      int32         `json:"id"`
	Cluster      Cluster       `json:"cluster"`
	Event        EventDetails  `json:"event"`
	ParentPolicy *ParentPolicy `json:"parent_policy"` //nolint:tagliatelle
	Policy       Policy        `json:"policy"`
}

func (*ComplianceEvent) Create added in v0.13.0

func (ce *ComplianceEvent) Create(ctx context.Context, db *sql.DB) error

func (ComplianceEvent) Validate added in v0.13.0

func (ce ComplianceEvent) Validate(ctx context.Context, serverContext *ComplianceServerCtx) error

Validate ensures that a POST request for a compliance event is well-formed. In particular, when the shorthand of supplying only parent_policy.id and/or policy.id is used, the remaining ParentPolicy and Policy fields must not be present.

type ComplianceServerCtx added in v0.13.0

type ComplianceServerCtx struct {
	// A write lock is used when the database connection changes and the DB object needs to be replaced.
	// A read lock should be used when the DB is accessed. Hold the write lock across MigrateDB as well when
	// the instance is shared between goroutines (see its documentation).
	Lock  sync.RWMutex
	DB    *sql.DB             // shared connection, replaced by ComplianceDBSecretReconciler; read under a read lock
	Queue workqueue.Interface // pending work drained by MonitorDatabaseConnection (presumably EventDetailsQueued items)

	// These caches get reset after a database migration due to a connection drop and reconnect.
	ParentPolicyToID sync.Map
	PolicyToID       sync.Map
	ClusterID        string // presumably the local cluster's ID, as passed to NewComplianceServerCtx
	// contains filtered or unexported fields
}

ComplianceServerCtx acts as a "global" database handle that all controllers needing the database share. The ComplianceDBSecretReconciler is responsible for updating the DB field when the connection information is added or changes, and MonitorDatabaseConnection periodically checks the health of the connection and drains the Queue. Access DB under Lock as described on that field. See MonitorDatabaseConnection for more information.

func NewComplianceServerCtx added in v0.13.0

func NewComplianceServerCtx(dbConnectionURL string, clusterID string) (*ComplianceServerCtx, error)

NewComplianceServerCtx returns a ComplianceServerCtx with initialized values. It does not open a database connection, but it does validate the syntax of dbConnectionURL; if the URL is missing or malformed, ErrInvalidConnectionURL is returned.

func (*ComplianceServerCtx) MigrateDB added in v0.13.0

func (c *ComplianceServerCtx) MigrateDB(
	ctx context.Context, client *kubernetes.Clientset, controllerNamespace string,
) error

MigrateDB performs a database migration if one is required and sends Kubernetes events if the migration fails. ErrDBConnectionFailed is returned if the database connection failed. Because a migration can involve dropping and re-establishing the connection (see the note on the caches in ComplianceServerCtx), obtain the write lock on ComplianceServerCtx.Lock before calling this method whenever multiple goroutines share the instance.

type EventDetails added in v0.13.0

// EventDetails is the stored representation of a single compliance event. KeyID,
// ClusterID, PolicyID and ParentPolicyID are database row IDs (ParentPolicyID is a
// pointer, presumably nil when there is no parent policy) and are excluded from JSON;
// the API exposes the related records through ComplianceEvent instead. Compliance,
// Message and Metadata arrive from the caller when an event is POSTed (see
// ComplianceEvent.Validate), so treat them as untrusted input when rendering or
// querying; Metadata is free-form JSON.
type EventDetails struct {
	KeyID          int32     `db:"id" json:"-"`
	ClusterID      int32     `db:"cluster_id" json:"-"`
	PolicyID       int32     `db:"policy_id" json:"-"`
	ParentPolicyID *int32    `db:"parent_policy_id" json:"-"`
	Compliance     string    `db:"compliance" json:"compliance"`
	Message        string    `db:"message" json:"message"`
	Timestamp      time.Time `db:"timestamp" json:"timestamp"`
	Metadata       JSONMap   `db:"metadata" json:"metadata"`
	ReportedBy     *string   `db:"reported_by" json:"reported_by"` //nolint:tagliatelle
}

func (*EventDetails) InsertQuery added in v0.13.0

func (e *EventDetails) InsertQuery() (string, []any)

func (EventDetails) Validate added in v0.13.0

func (e EventDetails) Validate() error

type EventDetailsQueued added in v0.13.0

type EventDetailsQueued struct {
	ClusterID      int32
	PolicyID       int32
	ParentPolicyID int32 // a plain value, unlike EventDetails.ParentPolicyID (*int32); presumably 0 means no parent
	Compliance     string
	Message        string
	Timestamp      time.Time
	ReportedBy     string // a plain value, unlike EventDetails.ReportedBy (*string)
}

EventDetailsQueued is a slimmed-down EventDetails that can be placed in a client-go work queue. EventDetails itself is rejected by the work queue because it is not hashable: its Metadata field is a map (JSONMap), and Go map values are not comparable. ParentPolicyID and ReportedBy are plain values here rather than the pointers used in EventDetails; the EventDetails method converts back.

func (*EventDetailsQueued) EventDetails added in v0.13.0

func (e *EventDetailsQueued) EventDetails() *EventDetails

func (*EventDetailsQueued) InsertQuery added in v0.13.0

func (e *EventDetailsQueued) InsertQuery() (string, []any)

type JSONMap added in v0.13.0

// JSONMap is a free-form JSON object (the EventDetails.Metadata and Policy.Spec column
// type). Its Scan and Value methods let database/sql read and write it as a single column.
type JSONMap map[string]any

func (*JSONMap) Scan added in v0.13.0

func (j *JSONMap) Scan(src interface{}) error

Scan implements sql.Scanner so that a JSONMap column can be read from the database.

func (JSONMap) Value added in v0.13.0

func (j JSONMap) Value() (driver.Value, error)

Value implements driver.Valuer, returning a value the database driver can store, or an error.

type ListResponse added in v0.13.0

// ListResponse is the JSON body returned for a list request: the matching compliance
// events plus a metadata object (the unexported metadata type, not shown here).
type ListResponse struct {
	Data     []ComplianceEvent `json:"data"`
	Metadata metadata          `json:"metadata"`
}

type ParentPolicy added in v0.13.0

// ParentPolicy is the stored and API representation of a policiesv1.Policy object
// (build one with ParentPolicyFromPolicyObj). Unlike Cluster.KeyID, KeyID is serialized
// as "id" so that a POSTed ComplianceEvent can reference an existing parent by
// parent_policy.id alone (see ComplianceEvent.Validate). Categories, Controls and
// Standards are Postgres text arrays (lib/pq StringArray).
type ParentPolicy struct {
	KeyID      int32          `db:"id" json:"id"`
	Name       string         `db:"name" json:"name"`
	Namespace  string         `db:"namespace" json:"namespace"`
	Categories pq.StringArray `db:"categories" json:"categories"`
	Controls   pq.StringArray `db:"controls" json:"controls"`
	Standards  pq.StringArray `db:"standards" json:"standards"`
}

func ParentPolicyFromPolicyObj added in v0.13.0

func ParentPolicyFromPolicyObj(plc *policiesv1.Policy) ParentPolicy

func (*ParentPolicy) GetOrCreate added in v0.13.0

func (p *ParentPolicy) GetOrCreate(ctx context.Context, db *sql.DB) error

func (*ParentPolicy) InsertQuery added in v0.13.0

func (p *ParentPolicy) InsertQuery() (string, []any)

func (ParentPolicy) Key added in v0.13.0

func (p ParentPolicy) Key() string

func (*ParentPolicy) SelectQuery added in v0.13.0

// SelectQuery returns a SELECT statement for this parent policy together with its bind
// arguments. returnedColumns names the columns to return; SQL cannot bind identifiers
// as parameters, so these are presumably spliced into the statement text — pass only
// constant column names from code, never strings taken from a request.
func (p *ParentPolicy) SelectQuery(returnedColumns ...string) (string, []any)

func (ParentPolicy) Validate added in v0.13.0

func (p ParentPolicy) Validate() error

type Policy added in v0.13.0

// Policy is the stored and API representation of the policy object a compliance event
// concerns, identified by Kind, APIGroup, Name and Namespace (Namespace is a pointer and
// may be nil; build one with PolicyFromUnstructured). KeyID is serialized as "id" so a
// POSTed ComplianceEvent can reference an existing policy by policy.id (see
// ComplianceEvent.Validate). Spec is the object's spec as free-form JSON and is omitted
// from JSON output when empty; Severity may be nil. Note the JSON key for APIGroup is
// camelCase ("apiGroup") while the rest of the API uses snake_case; changing it would
// break existing clients.
type Policy struct {
	KeyID     int32   `db:"id" json:"id"`
	Kind      string  `db:"kind" json:"kind"`
	APIGroup  string  `db:"api_group" json:"apiGroup"`
	Name      string  `db:"name" json:"name"`
	Namespace *string `db:"namespace" json:"namespace"`
	Spec      JSONMap `db:"spec" json:"spec,omitempty"`
	Severity  *string `db:"severity" json:"severity"`
}

func PolicyFromUnstructured added in v0.13.0

func PolicyFromUnstructured(obj unstructured.Unstructured) *Policy

func (*Policy) GetOrCreate added in v0.13.0

func (p *Policy) GetOrCreate(ctx context.Context, db *sql.DB) error

func (*Policy) InsertQuery added in v0.13.0

func (p *Policy) InsertQuery() (string, []any)

func (*Policy) Key added in v0.13.0

func (p *Policy) Key() string

func (*Policy) SelectQuery added in v0.13.0

// SelectQuery returns a SELECT statement for this policy together with its bind
// arguments. returnedColumns names the columns to return; SQL cannot bind identifiers
// as parameters, so these are presumably spliced into the statement text — pass only
// constant column names from code, never strings taken from a request.
func (p *Policy) SelectQuery(returnedColumns ...string) (string, []any)

func (*Policy) Validate added in v0.13.0

func (p *Policy) Validate() error

type Scannable added in v0.13.0

// Scannable is the subset of *sql.Row and *sql.Rows needed to read one result row into
// destination values, presumably so the same scanning code can serve both.
type Scannable interface {
	Scan(dest ...any) error
}
