From b6c05cc3aa3c7c7dbdb86697eb84b211e0faf8f8 Mon Sep 17 00:00:00 2001
From: Gabe Alford
Date: Fri, 6 Oct 2023 14:32:30 -0600
Subject: [PATCH] feat: update service asset to pass service name - remove duplicate files
---
 controllers/falcon_container/ecr.go | 23 ---
 .../falcon_container/image_refresher.go | 132 ------------------
 controllers/falcon_container/service.go | 2 +-
 internal/controller/assets/service.go | 4 +-
 internal/controller/assets/service_test.go | 4 +-
 5 files changed, 5 insertions(+), 160 deletions(-)
 delete mode 100644 controllers/falcon_container/ecr.go
 delete mode 100644 controllers/falcon_container/image_refresher.go
diff --git a/controllers/falcon_container/ecr.go b/controllers/falcon_container/ecr.go
deleted file mode 100644
index 6a13a634..00000000
--- a/controllers/falcon_container/ecr.go
+++ /dev/null
@@ -1,23 +0,0 @@
-package falcon
-
-import (
- "context"
- "fmt"
-
- "github.com/aws/aws-sdk-go-v2/service/ecr/types"
- "github.com/crowdstrike/falcon-operator/pkg/aws"
-)
-
-func (r *FalconContainerReconciler) UpsertECRRepo(ctx context.Context) (*types.Repository, error) {
- cfg, err := aws.NewConfig()
- if err != nil {
- return nil, fmt.Errorf("Failed to initialise connection to AWS. Please make sure that kubernetes service account falcon-operator has access to AWS IAM role and OIDC Identity provider is running on the cluster. Error was: %v", err)
- }
-
- data, err := cfg.UpsertRepository(ctx, "falcon-container")
- if err != nil {
- return nil, fmt.Errorf("Failed to upsert ECR repository: %v", err)
- }
-
- return data, nil
-}
diff --git a/controllers/falcon_container/image_refresher.go b/controllers/falcon_container/image_refresher.go
deleted file mode 100644
index 02f4278f..00000000
--- a/controllers/falcon_container/image_refresher.go
+++ /dev/null
@@ -1,132 +0,0 @@
-package falcon
-
-import (
- "context"
- "fmt"
- "os"
- "strings"
-
- "github.com/go-logr/logr"
-
- "github.com/containers/image/v5/copy"
- "github.com/containers/image/v5/signature"
- "github.com/containers/image/v5/transports/alltransports"
- "github.com/containers/image/v5/types"
-
- "github.com/crowdstrike/falcon-operator/pkg/registry/auth"
- "github.com/crowdstrike/falcon-operator/pkg/registry/falcon_registry"
- "github.com/crowdstrike/gofalcon/falcon"
-)
-
-type ImageRefresher struct {
- ctx context.Context
- log logr.Logger
- falconConfig *falcon.ApiConfig
- insecureSkipTLSVerify bool
- pushCredentials auth.Credentials
-}
-
-func NewImageRefresher(ctx context.Context, log logr.Logger, falconConfig *falcon.ApiConfig, pushAuth auth.Credentials, insecureSkipTLSVerify bool) *ImageRefresher {
- return &ImageRefresher{
- ctx: ctx,
- log: log,
- falconConfig: falconConfig,
- insecureSkipTLSVerify: insecureSkipTLSVerify,
- pushCredentials: pushAuth,
- }
-}
-
-func (r *ImageRefresher) Refresh(imageDestination string, versionRequested *string) (string, error) {
- falconTag, srcRef, sourceCtx, err := r.source(versionRequested)
- if err != nil {
- return "", err
- }
-
- r.log.Info("Identified the latest Falcon Container image", "reference", srcRef.DockerReference().String())
-
- policy := &signature.Policy{Default: []signature.PolicyRequirement{signature.NewPRInsecureAcceptAnything()}}
- policyContext, err := signature.NewPolicyContext(policy)
- if err != nil {
- return "", fmt.Errorf("Error loading trust policy: %v", err)
- }
- defer func() { _ = policyContext.Destroy() }()
-
- destinationCtx, err := r.destinationContext(r.insecureSkipTLSVerify)
- if err != nil {
- return "", err
- }
-
- // Push to the registry with the falconTag
- dest := fmt.Sprintf("docker://%s:%s", imageDestination, falconTag)
- destRef, err := alltransports.ParseImageName(dest)
-
- if err != nil {
- return "", fmt.Errorf("Invalid destination name %s: %v", dest, err)
- }
-
- r.log.Info("Identified the target location for image push", "reference", destRef.DockerReference().String())
- _, err = copy.Image(r.ctx, policyContext, destRef, srcRef,
- ©.Options{
- ReportWriter: os.Stdout,
- SourceCtx: sourceCtx,
- DestinationCtx: destinationCtx,
- },
- )
- if err != nil {
- return "", wrapWithHint(err)
- }
-
- // Push to the registry with the latest tag
- dest = fmt.Sprintf("docker://%s", imageDestination)
- destRef, err = alltransports.ParseImageName(dest)
- if err != nil {
- return "", fmt.Errorf("Invalid destination name %s: %v", dest, err)
- }
-
- r.log.Info("Identified the target location for image push", "reference", destRef.DockerReference().String())
- _, err = copy.Image(r.ctx, policyContext, destRef, srcRef,
- ©.Options{
- ReportWriter: os.Stdout,
- SourceCtx: sourceCtx,
- DestinationCtx: destinationCtx,
- },
- )
-
- return falconTag, wrapWithHint(err)
-}
-
-func (r *ImageRefresher) source(versionRequested *string) (falconTag string, falconImage types.ImageReference, systemContext *types.SystemContext, err error) {
- registry, err := falcon_registry.NewFalconRegistry(r.ctx, r.falconConfig)
- if err != nil {
- return
- }
-
- return registry.PullInfo(r.ctx, versionRequested)
-}
-
-func (r *ImageRefresher) destinationContext(insecureSkipTLSVerify bool) (*types.SystemContext, error) {
- ctx, err := r.pushCredentials.DestinationContext()
- if err != nil {
- return nil, err
- }
-
- if insecureSkipTLSVerify {
- ctx.DockerInsecureSkipTLSVerify = 1
- }
-
- return ctx, nil
-}
-
-func wrapWithHint(in error) error {
- // Use of credentials store outside of docker command is somewhat limited
- // See https://github.com/moby/moby/issues/39377
- // https://github.com/containers/image/pull/656
- if in == nil {
- return in
- }
-
- if strings.Contains(in.Error(), "authentication required") {
- return fmt.Errorf("Could not authenticate to the registry: %w", in)
- }
- return in
-}
diff --git a/controllers/falcon_container/service.go b/controllers/falcon_container/service.go
index 9dfbc887..2286f0bd 100644
--- a/controllers/falcon_container/service.go
+++ b/controllers/falcon_container/service.go
@@ -17,7 +17,7 @@ import (
 func (r *FalconContainerReconciler) reconcileService(ctx context.Context, log logr.Logger, falconContainer *falconv1alpha1.FalconContainer) (*corev1.Service, error) {
 selector := map[string]string{common.FalconComponentKey: common.FalconSidecarSensor}
- service := assets.Service(injectorName, r.Namespace(), common.FalconSidecarSensor, selector, *falconContainer.Spec.Injector.ListenPort)
+ service := assets.Service(injectorName, r.Namespace(), common.FalconSidecarSensor, selector, common.FalconServiceHTTPSName, *falconContainer.Spec.Injector.ListenPort)
 updated := false
 existingService := &corev1.Service{}
diff --git a/internal/controller/assets/service.go b/internal/controller/assets/service.go
index 97174f20..f5040ceb 100644
--- a/internal/controller/assets/service.go
+++ b/internal/controller/assets/service.go
@@ -8,7 +8,7 @@ import (
 )
 // Service returns a Kubernetes Service object
-func Service(name string, namespace string, component string, selector map[string]string, port int32) *corev1.Service {
+func Service(name string, namespace string, component string, selector map[string]string, portName string, port int32) *corev1.Service {
 labels := common.CRLabels("service", name, component)
 return &corev1.Service{
 TypeMeta: metav1.TypeMeta{
@@ -24,7 +24,7 @@ func Service(name string, namespace string, component string, selector map[strin
 Selector: selector,
 Ports: []corev1.ServicePort{
 {
- Name: common.FalconServiceHTTPSName,
+ Name: portName,
 Port: port,
 Protocol: corev1.ProtocolTCP,
 TargetPort: intstr.FromString(common.FalconServiceHTTPSName),
diff --git a/internal/controller/assets/service_test.go b/internal/controller/assets/service_test.go
index 80761a57..4aa28d51 100644
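Review bot: In the `@@ -24,7` hunk of internal/controller/assets/service.go, `Name` now comes from the new `portName` parameter but `TargetPort` three lines below is still `intstr.FromString(common.FalconServiceHTTPSName)`, so any caller passing a name other than the HTTPS one gets a Service whose port name and named targetPort disagree, and nothing in either hunk says that is intended. If the container port the Service fronts is always named common.FalconServiceHTTPSName, the doc comment in the `@@ -8,7` hunk should say so, e.g. replace `// Service returns a Kubernetes Service object` with `// Service returns a Kubernetes Service object exposing one TCP port named portName on port; the targetPort is always the container port named common.FalconServiceHTTPSName.`; otherwise `TargetPort: intstr.FromString(portName),` keeps the two names in step. The one in-tree caller touched by this commit (controllers/falcon_container/service.go) passes common.FalconServiceHTTPSName, so behaviour is unchanged today, but the half-parameterised signature invites a mismatch later. Service's body begins in the first hunk and ends outside both.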
--- a/internal/controller/assets/service_test.go
+++ b/internal/controller/assets/service_test.go
@@ -27,7 +27,7 @@ func TestService(t *testing.T) {
 Selector: selector,
 Ports: []corev1.ServicePort{
 {
- Name: common.FalconServiceHTTPSName,
+ Name: "portName",
 Port: 123,
 Protocol: corev1.ProtocolTCP,
 TargetPort: intstr.FromString(common.FalconServiceHTTPSName),
@@ -36,7 +36,7 @@ func TestService(t *testing.T) {
 },
 }
- got := Service("test", "test", "test", selector, 123)
+ got := Service("test", "test", "test", selector, "portName", 123)
 if diff := cmp.Diff(want, got); diff != "" {
 t.Errorf("Service() mismatch (-want +got): %s", diff)
 }
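Review bot: The expected object in the `@@ -27,7` hunk now pins a Service whose port name (`"portName"`) differs from its targetPort (`common.FalconServiceHTTPSName`); if that asymmetry is intentional the test should say so, e.g. `// targetPort stays the container's HTTPS port name regardless of portName` above the `Name:` line, otherwise the test will silently lock in a mismatch. The literal "portName" is also repeated here and in the `Service(...)` call of the `@@ -36,7` hunk; a local `portName := "portName"` used in both places would stop them drifting apart. TestService's body begins and ends outside these hunks.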