Merge pull request #1924 from kubearmor/fix-operator-bug-dec-24
Fix operator bug dec 24
achrefbensaad authored Dec 21, 2024
2 parents 96b0ad7 + 13213a5 commit 3dee887
Showing 8 changed files with 357 additions and 4 deletions.
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.16.5
name: kubearmorconfigs.operator.kubearmor.com
spec:
group: operator.kubearmor.com
Expand Down Expand Up @@ -43,6 +43,33 @@ spec:
spec:
description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig
properties:
adapters:
properties:
elasticsearch:
properties:
alertsIndex:
type: string
auth:
properties:
allowInsecureTLS:
type: boolean
caCertKey:
type: string
caCertSecretName:
type: string
passwordKey:
type: string
secretName:
type: string
usernameKey:
type: string
type: object
enabled:
type: boolean
url:
type: string
type: object
type: object
alertThrottling:
type: boolean
defaultCapabilitiesPosture:
29 changes: 28 additions & 1 deletion deployments/operator/operator.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.16.5
name: kubearmorconfigs.operator.kubearmor.com
spec:
group: operator.kubearmor.com
Expand Down Expand Up @@ -42,6 +42,33 @@ spec:
spec:
description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig
properties:
adapters:
properties:
elasticsearch:
properties:
alertsIndex:
type: string
auth:
properties:
allowInsecureTLS:
type: boolean
caCertKey:
type: string
caCertSecretName:
type: string
passwordKey:
type: string
secretName:
type: string
usernameKey:
type: string
type: object
enabled:
type: boolean
url:
type: string
type: object
type: object
alertThrottling:
type: boolean
defaultCapabilitiesPosture:
Expand Up @@ -39,6 +39,26 @@ type RecommendedPolicies struct {
ExcludePolicy []string `json:"excludePolicy,omitempty"`
}

type ElasticSearchAuth struct {
SecretName string `json:"secretName,omitempty"`
UserNameKey string `json:"usernameKey,omitempty"`
PasswordKey string `json:"passwordKey,omitempty"`
AllowTlsInsecure bool `json:"allowInsecureTLS,omitempty"`
CAcertSecretName string `json:"caCertSecretName,omitempty"`
CaCertKey string `json:"caCertKey,omitempty"`
}

type ElasticSearchAdapter struct {
Enabled bool `json:"enabled,omitempty"`
Url string `json:"url,omitempty"`
AlertsIndexName string `json:"alertsIndex,omitempty"`
Auth ElasticSearchAuth `json:"auth,omitempty"`
}

type Adapters struct {
ElasticSearch ElasticSearchAdapter `json:"elasticsearch,omitempty"`
}

// KubeArmorConfigSpec defines the desired state of KubeArmorConfig
type KubeArmorConfigSpec struct {
// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
Expand Down Expand Up @@ -80,6 +100,8 @@ type KubeArmorConfigSpec struct {
MaxAlertPerSec int `json:"maxAlertPerSec,omitempty"`
// +kubebuilder:validation:Optional
ThrottleSec int `json:"throttleSec,omitempty"`
// +kubebuilder:validation:Optional
Adapters Adapters `json:"adapters,omitempty"`
}

// KubeArmorConfigStatus defines the observed state of KubeArmorConfig
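Review bot: `AllowTlsInsecure` and the other new fields in `ElasticSearchAuth` and `ElasticSearchAdapter` carry no doc comments, so the generated CRD gives an operator no hint that `allowInsecureTLS` presumably turns off server-certificate verification on the relay's Elasticsearch client; I'd add `// AllowTlsInsecure skips TLS certificate verification for the Elasticsearch connection. Testing only; prefer CAcertSecretName/CaCertKey.` above that field and a one-liner on each of the others (the secret names are resolved in the namespace the relay runs in, judging from the LocalObjectReference use in cluster.go in this same commit). `omitempty` on the struct-valued fields `Auth`, `ElasticSearch` and `Adapters` has no effect with encoding/json, since a struct is never "empty"; either drop the option or make those fields pointers if absence must be distinguishable from the zero value. The exported names `Url`, `AllowTlsInsecure` and `CAcertSecretName` break Go initialism casing (`URL`, `AllowTLSInsecure`, `CACertSecretName`); the JSON tags pin the wire format, so the rename only touches Go callers. The second hunk starts inside `KubeArmorConfigSpec`, whose beginning lies outside the hunk.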


19 changes: 19 additions & 0 deletions pkg/KubeArmorOperator/common/defaults.go
Expand Up @@ -139,7 +139,26 @@ var (
},
},
}

Adapter opv1.Adapters = opv1.Adapters{
ElasticSearch: opv1.ElasticSearchAdapter{
Enabled: false,
Url: "",
AlertsIndexName: "kubearmor-alerts",
Auth: opv1.ElasticSearchAuth{
SecretName: "elastic-secret",
UserNameKey: "username",
PasswordKey: "password",
AllowTlsInsecure: false,
CAcertSecretName: "",
CaCertKey: "ca.crt",
},
},
}

ElasticSearchAdapterCaCertPath = "/cert"
)
var Pointer2True bool = true

var ConfigMapData = map[string]string{
ConfigGRPC: "32767",
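Review bot: `var Pointer2True bool = true` at the end of the hunk is a mutable package-level variable whose address is handed to Kubernetes objects as the `Optional` flag of the secret references added in cluster.go in this commit, so a single stray `common.Pointer2True = false` anywhere in the package would silently make every such reference mandatory and break relay rollouts. A helper that returns a fresh pointer avoids the shared state: `func BoolPtr(b bool) *bool { return &b }`, used as `Optional: common.BoolPtr(true)` at the call sites. The `Adapter` defaults also hard-code `SecretName: "elastic-secret"` with an empty `CAcertSecretName`; since the relay only references these through same-namespace LocalObjectReferences, a comment such as `// Secrets are looked up in the namespace the relay deployment runs in.` would save operators a debugging round. The enclosing `var (` block begins before this hunk.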
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.16.5
name: kubearmorconfigs.operator.kubearmor.com
spec:
group: operator.kubearmor.com
Expand Down Expand Up @@ -43,6 +43,33 @@ spec:
spec:
description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig
properties:
adapters:
properties:
elasticsearch:
properties:
alertsIndex:
type: string
auth:
properties:
allowInsecureTLS:
type: boolean
caCertKey:
type: string
caCertSecretName:
type: string
passwordKey:
type: string
secretName:
type: string
usernameKey:
type: string
type: object
enabled:
type: boolean
url:
type: string
type: object
type: object
alertThrottling:
type: boolean
defaultCapabilitiesPosture:
110 changes: 110 additions & 0 deletions pkg/KubeArmorOperator/internal/controller/cluster.go
Expand Up @@ -472,7 +472,81 @@ func (clusterWatcher *ClusterWatcher) UpdateKubearmorRelayEnv(cfg *opv1.KubeArmo
Name: "ENABLE_STDOUT_MSGS",
Value: common.KubearmorRelayEnvMap[common.EnableStdOutMsgs],
},
{
Name: "ENABLE_DASHBOARDS",
Value: strconv.FormatBool(common.Adapter.ElasticSearch.Enabled),
},
{
Name: "ES_URL",
Value: common.Adapter.ElasticSearch.Url,
},
{
Name: "ES_ALERTS_INDEX",
Value: common.Adapter.ElasticSearch.AlertsIndexName,
},
{
Name: "ES_USERNAME",
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: common.Adapter.ElasticSearch.Auth.SecretName,
},
Key: common.Adapter.ElasticSearch.Auth.UserNameKey,
Optional: &common.Pointer2True,
},
},
},
{
Name: "ES_PASSWORD",
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: common.Adapter.ElasticSearch.Auth.SecretName,
},
Key: common.Adapter.ElasticSearch.Auth.PasswordKey,
Optional: &common.Pointer2True,
},
},
},
}

ElasticSearchAdapterCaVolume := []corev1.Volume{
{
Name: "elastic-ca",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: common.Adapter.ElasticSearch.Auth.CAcertSecretName,
},
},
},
}

ElasticSearchAdapterCaVolumeMount := []corev1.VolumeMount{
{
Name: "elastic-ca",
MountPath: common.ElasticSearchAdapterCaCertPath,
},
}
if common.Adapter.ElasticSearch.Auth.CAcertSecretName != "" {
relay.Spec.Template.Spec.Containers[0].Env = append(relay.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
Name: "ES_CA_CERT_PATH",
Value: common.ElasticSearchAdapterCaCertPath + "/" + common.Adapter.ElasticSearch.Auth.CaCertKey,
})

common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relay.Spec.Template.Spec.Volumes, common.AddAction)
common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relay.Spec.Template.Spec.Containers[0].VolumeMounts, common.AddAction)
} else {
common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relay.Spec.Template.Spec.Volumes, common.DeleteAction)
common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relay.Spec.Template.Spec.Containers[0].VolumeMounts, common.DeleteAction)
}

if common.Adapter.ElasticSearch.Auth.AllowTlsInsecure {
relay.Spec.Template.Spec.Containers[0].Env = append(relay.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
Name: "ES_ALLOW_INSECURE_TLS",
Value: "true",
})
}

_, err = clusterWatcher.Client.AppsV1().Deployments(common.Namespace).Update(context.Background(), relay, v1.UpdateOptions{})
if err != nil {
clusterWatcher.Log.Warnf("Cannot update deployment=%s error=%s", deployments.RelayDeploymentName, err.Error())
Expand Down Expand Up @@ -955,6 +1029,42 @@ func UpdatedKubearmorRelayEnv(config *opv1.KubeArmorConfigSpec) bool {
updated = true
}
}

stringEnableElasticAdapter := strconv.FormatBool(config.Adapters.ElasticSearch.Enabled)
if stringEnableElasticAdapter != "" {
if common.Adapter.ElasticSearch.Enabled != config.Adapters.ElasticSearch.Enabled {
updated = true
common.Adapter.ElasticSearch.Enabled = config.Adapters.ElasticSearch.Enabled
}
if common.Adapter.ElasticSearch.Auth.AllowTlsInsecure != config.Adapters.ElasticSearch.Auth.AllowTlsInsecure {
updated = true
common.Adapter.ElasticSearch.Auth.AllowTlsInsecure = config.Adapters.ElasticSearch.Auth.AllowTlsInsecure
}
if common.Adapter.ElasticSearch.AlertsIndexName != config.Adapters.ElasticSearch.AlertsIndexName {
updated = true
common.Adapter.ElasticSearch.AlertsIndexName = config.Adapters.ElasticSearch.AlertsIndexName
}
if common.Adapter.ElasticSearch.Url != config.Adapters.ElasticSearch.Url {
updated = true
common.Adapter.ElasticSearch.Url = config.Adapters.ElasticSearch.Url
}
if config.Adapters.ElasticSearch.Auth.SecretName != "" && common.Adapter.ElasticSearch.Auth.SecretName != config.Adapters.ElasticSearch.Auth.SecretName {
updated = true
common.Adapter.ElasticSearch.Auth.SecretName = config.Adapters.ElasticSearch.Auth.SecretName
}
if config.Adapters.ElasticSearch.Auth.UserNameKey != "" && common.Adapter.ElasticSearch.Auth.UserNameKey != config.Adapters.ElasticSearch.Auth.UserNameKey {
updated = true
common.Adapter.ElasticSearch.Auth.UserNameKey = config.Adapters.ElasticSearch.Auth.UserNameKey
}
if config.Adapters.ElasticSearch.Auth.PasswordKey != "" && common.Adapter.ElasticSearch.Auth.PasswordKey != config.Adapters.ElasticSearch.Auth.PasswordKey {
updated = true
common.Adapter.ElasticSearch.Auth.PasswordKey = config.Adapters.ElasticSearch.Auth.PasswordKey
}
if config.Adapters.ElasticSearch.Auth.CAcertSecretName != "" && common.Adapter.ElasticSearch.Auth.CAcertSecretName != config.Adapters.ElasticSearch.Auth.CAcertSecretName {
updated = true
common.Adapter.ElasticSearch.Auth.CAcertSecretName = config.Adapters.ElasticSearch.Auth.CAcertSecretName
}
}
return updated
}

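Review bot: `UpdatedKubearmorRelayEnv` in the second hunk never copies `config.Adapters.ElasticSearch.Auth.CaCertKey` into `common.Adapter`, so the new `caCertKey` CRD field is silently ignored and the `ES_CA_CERT_PATH` built in the first hunk always ends in the `ca.crt` default from defaults.go. In the same function `AlertsIndexName` is compared without the `!= ""` guard the secret-key fields use, so a KubeArmorConfig that simply omits `alertsIndex` overwrites the `kubearmor-alerts` default with an empty string and the relay gets `ES_ALERTS_INDEX=""`. The wrapper `if stringEnableElasticAdapter != ""` is always true because `strconv.FormatBool` only ever returns `"true"` or `"false"`; drop the variable and the `if` and let the guards sit at function level. In the first hunk I would also log a `clusterWatcher.Log.Warnf("Elasticsearch adapter: TLS certificate verification disabled")` next to the `ES_ALLOW_INSECURE_TLS` injection so the weakened TLS posture is visible in operator logs. Both hunks are cut from functions whose signatures and endings lie outside the hunk.
```go
	// … unchanged: Enabled and AllowTlsInsecure comparisons …
	if config.Adapters.ElasticSearch.AlertsIndexName != "" && common.Adapter.ElasticSearch.AlertsIndexName != config.Adapters.ElasticSearch.AlertsIndexName {
		updated = true
		common.Adapter.ElasticSearch.AlertsIndexName = config.Adapters.ElasticSearch.AlertsIndexName
	}
	// … unchanged: Url, SecretName, UserNameKey, PasswordKey, CAcertSecretName guards …
	if config.Adapters.ElasticSearch.Auth.CaCertKey != "" && common.Adapter.ElasticSearch.Auth.CaCertKey != config.Adapters.ElasticSearch.Auth.CaCertKey {
		updated = true
		common.Adapter.ElasticSearch.Auth.CaCertKey = config.Adapters.ElasticSearch.Auth.CaCertKey
	}
	return updated
```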
