add logging
Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>
commit
061a816416
10 changed files with 187 additions and 131 deletions
21
go.mod
21
go.mod
|
@ -4,7 +4,13 @@ go 1.21
|
|||
|
||||
require (
|
||||
cloud.google.com/go/storage v1.33.0
|
||||
github.com/aws/aws-sdk-go v1.45.28
|
||||
github.com/aws/aws-sdk-go-v2 v1.21.2
|
||||
github.com/aws/aws-sdk-go-v2/config v1.19.0
|
||||
github.com/aws/aws-sdk-go-v2/credentials v1.13.43
|
||||
github.com/aws/aws-sdk-go-v2/service/kinesis v1.20.0
|
||||
github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2
|
||||
github.com/aws/aws-sdk-go-v2/service/securityhub v1.37.2
|
||||
github.com/aws/aws-sdk-go-v2/service/sts v1.23.2
|
||||
github.com/go-redis/redis/v8 v8.11.5
|
||||
github.com/go-sql-driver/mysql v1.7.1
|
||||
github.com/kyverno/go-wildcard v1.0.5
|
||||
|
@ -33,6 +39,19 @@ require (
|
|||
cloud.google.com/go/compute v1.23.1 // indirect
|
||||
cloud.google.com/go/compute/metadata v0.2.3 // indirect
|
||||
cloud.google.com/go/iam v1.1.3 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 // indirect
|
||||
github.com/aws/smithy-go v1.15.0 // indirect
|
||||
github.com/beorn7/perks v1.0.1 // indirect
|
||||
github.com/cespare/xxhash/v2 v2.2.0 // indirect
|
||||
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
|
||||
|
|
47
go.sum
47
go.sum
|
@ -48,8 +48,46 @@ cloud.google.com/go/storage v1.33.0/go.mod h1:Hhh/dogNRGca7IWv1RC2YqEn0c0G77ctA/
|
|||
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
|
||||
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
|
||||
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
|
||||
github.com/aws/aws-sdk-go v1.45.28 h1:p2ATcaK6ffSw4yZ2UAGzgRyRXwKyOJY6ZCiKqj5miJE=
|
||||
github.com/aws/aws-sdk-go v1.45.28/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
|
||||
github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE7GA=
|
||||
github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM=
|
||||
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 h1:Sc82v7tDQ/vdU1WtuSyzZ1I7y/68j//HJ6uozND1IDs=
|
||||
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14/go.mod h1:9NCTOURS8OpxvoAVHq79LK81/zC78hfRWFn+aL0SPcY=
|
||||
github.com/aws/aws-sdk-go-v2/config v1.19.0 h1:AdzDvwH6dWuVARCl3RTLGRc4Ogy+N7yLFxVxXe1ClQ0=
|
||||
github.com/aws/aws-sdk-go-v2/config v1.19.0/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE=
|
||||
github.com/aws/aws-sdk-go-v2/credentials v1.13.43 h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8=
|
||||
github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg=
|
||||
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 h1:PIktER+hwIG286DqXyvVENjgLTAwGgoeriLDD5C+YlQ=
|
||||
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13/go.mod h1:f/Ib/qYjhV2/qdsf79H3QP/eRE4AkVyEf6sk7XfZ1tg=
|
||||
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 h1:nFBQlGtkbPzp/NjZLuFxRqmT91rLJkgvsEQs68h962Y=
|
||||
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ=
|
||||
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 h1:JRVhO25+r3ar2mKGP7E0LDl8K9/G36gjlqca5iQbaqc=
|
||||
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8=
|
||||
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 h1:hze8YsjSh8Wl1rYa1CJpRmXP21BvOBuc76YhW0HsuQ4=
|
||||
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45/go.mod h1:lD5M20o09/LCuQ2mE62Mb/iSdSlCNuj6H5ci7tW7OsE=
|
||||
github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6 h1:wmGLw2i8ZTlHLw7a9ULGfQbuccw8uIiNr6sol5bFzc8=
|
||||
github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6/go.mod h1:Q0Hq2X/NuL7z8b1Dww8rmOFl+jzusKEcyvkKspwdpyc=
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15 h1:7R8uRYyXzdD71KWVCL78lJZltah6VVznXBazvKjfH58=
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15/go.mod h1:26SQUPcTNgV1Tapwdt4a1rOsYRsnBsJHLMPoxK2b0d8=
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38 h1:skaFGzv+3kA+v2BPKhuekeb1Hbb105+44r8ASC+q5SE=
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38/go.mod h1:epIZoRSSbRIwLPJU5F+OldHhwZPBdpDeQkRdCeY3+00=
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 h1:WWZA/I2K4ptBS1kg0kV1JbBtG/umed0vwHRrmcr9z7k=
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37/go.mod h1:vBmDnwWXWxNPFRMmG2m/3MKOe+xEcMDo1tanpaWCcck=
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6 h1:9ulSU5ClouoPIYhDQdg9tpl83d5Yb91PXTKK+17q+ow=
|
||||
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6/go.mod h1:lnc2taBsR9nTlz9meD+lhFZZ9EWY712QHrRflWpTcOA=
|
||||
github.com/aws/aws-sdk-go-v2/service/kinesis v1.20.0 h1:OCYjSomi2Q8ttimk0DB4nNSAvoVOXfpSAwB0ZM4g1K0=
|
||||
github.com/aws/aws-sdk-go-v2/service/kinesis v1.20.0/go.mod h1:IKAdoalibJPPhb+riPJyKh9z/6V8n4J2X1yUto/W90Q=
|
||||
github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2 h1:Ll5/YVCOzRB+gxPqs2uD0R7/MyATC0w85626glSKmp4=
|
||||
github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2/go.mod h1:Zjfqt7KhQK+PO1bbOsFNzKgaq7TcxzmEoDWN8lM0qzQ=
|
||||
github.com/aws/aws-sdk-go-v2/service/securityhub v1.37.2 h1:F/ApqSnIeQl+1oiBxEmnJ4Xza3lzC/58tbtuHN5ZiCs=
|
||||
github.com/aws/aws-sdk-go-v2/service/securityhub v1.37.2/go.mod h1:T1iphqNYdWF50nRQ++jMxIYe5Gw63/eeP0as72YtzwI=
|
||||
github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 h1:JuPGc7IkOP4AaqcZSIcyqLpFSqBWK32rM9+a1g6u73k=
|
||||
github.com/aws/aws-sdk-go-v2/service/sso v1.15.2/go.mod h1:gsL4keucRCgW+xA85ALBpRFfdSLH4kHOVSnLMSuBECo=
|
||||
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 h1:HFiiRkf1SdaAmV3/BHOFZ9DjFynPHj8G/UIO1lQS+fk=
|
||||
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3/go.mod h1:a7bHA82fyUXOm+ZSWKU6PIoBxrjSprdLoM8xPYvzYVg=
|
||||
github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 h1:0BkLfgeDjfZnZ+MhB3ONb01u9pwFYTCZVhlsSSBvlbU=
|
||||
github.com/aws/aws-sdk-go-v2/service/sts v1.23.2/go.mod h1:Eows6e1uQEsc4ZaHANmsPRzAKcVDrcmjjWiih2+HUUQ=
|
||||
github.com/aws/smithy-go v1.15.0 h1:PS/durmlzvAFpQHDs4wi4sNNP9ExsqZh6IlfdHXgKK8=
|
||||
github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
|
||||
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
|
||||
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
|
||||
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
|
||||
|
@ -154,6 +192,7 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
|
|||
github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
|
||||
github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
|
||||
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
|
||||
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
|
||||
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
|
@ -427,7 +466,6 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v
|
|||
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
|
||||
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
|
||||
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
|
||||
golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
|
||||
golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
|
||||
golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
|
||||
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
||||
|
@ -492,12 +530,10 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc
|
|||
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
|
||||
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||
golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||
golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
|
||||
golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
|
||||
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
|
@ -509,7 +545,6 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
|||
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
|
||||
golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
|
||||
golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
|
||||
golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
|
||||
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
|
||||
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
|
|
|
@ -3,9 +3,10 @@ package config_test
|
|||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/uptrace/bun/dialect"
|
||||
|
||||
"github.com/kyverno/policy-reporter/pkg/config"
|
||||
"github.com/kyverno/policy-reporter/pkg/kubernetes/secrets"
|
||||
"github.com/uptrace/bun/dialect"
|
||||
)
|
||||
|
||||
func Test_ResolveDatabase(t *testing.T) {
|
||||
|
|
|
@ -616,6 +616,7 @@ func (f *TargetFactory) createS3Client(config, parent *S3) target.Client {
|
|||
return nil
|
||||
}
|
||||
|
||||
setFallback(&config.Region, os.Getenv("AWS_REGION"))
|
||||
setFallback(&config.Prefix, parent.Prefix, "policy-reporter")
|
||||
setFallback(&config.KmsKeyID, parent.KmsKeyID)
|
||||
setFallback(&config.ServerSideEncryption, parent.ServerSideEncryption)
|
||||
|
@ -630,7 +631,7 @@ func (f *TargetFactory) createS3Client(config, parent *S3) target.Client {
|
|||
config.Endpoint,
|
||||
config.Bucket,
|
||||
config.PathStyle,
|
||||
helper.WithKMS(&config.BucketKeyEnabled, &config.KmsKeyID, &config.ServerSideEncryption),
|
||||
helper.WithKMS(config.BucketKeyEnabled, &config.KmsKeyID, &config.ServerSideEncryption),
|
||||
)
|
||||
|
||||
sugar.Infof("%s configured", config.Name)
|
||||
|
|
|
@ -2,19 +2,20 @@ package helper
|
|||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"io"
|
||||
"os"
|
||||
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/aws/credentials"
|
||||
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
|
||||
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
|
||||
"github.com/aws/aws-sdk-go/aws/ec2metadata"
|
||||
"github.com/aws/aws-sdk-go/aws/session"
|
||||
"github.com/aws/aws-sdk-go/service/kinesis"
|
||||
"github.com/aws/aws-sdk-go/service/s3/s3manager"
|
||||
"github.com/aws/aws-sdk-go/service/securityhub"
|
||||
"github.com/aws/aws-sdk-go/service/sts"
|
||||
"github.com/aws/aws-sdk-go-v2/aws"
|
||||
"github.com/aws/aws-sdk-go-v2/config"
|
||||
"github.com/aws/aws-sdk-go-v2/credentials"
|
||||
"github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds"
|
||||
"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
|
||||
"github.com/aws/aws-sdk-go-v2/service/kinesis"
|
||||
"github.com/aws/aws-sdk-go-v2/service/s3"
|
||||
"github.com/aws/aws-sdk-go-v2/service/s3/types"
|
||||
"github.com/aws/aws-sdk-go-v2/service/securityhub"
|
||||
"github.com/aws/aws-sdk-go-v2/service/sts"
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
|
||||
|
@ -27,15 +28,15 @@ type AWSClient interface {
|
|||
|
||||
type s3Client struct {
|
||||
bucket string
|
||||
uploader *s3manager.Uploader
|
||||
bucketKeyEnabled *bool
|
||||
client *s3.Client
|
||||
bucketKeyEnabled bool
|
||||
kmsKeyID *string
|
||||
serverSideEncryption *string
|
||||
serverSideEncryption types.ServerSideEncryption
|
||||
}
|
||||
|
||||
type Options func(s *s3Client)
|
||||
|
||||
func WithKMS(bucketKeyEnabled *bool, kmsKeyID, serverSideEncryption *string) Options {
|
||||
func WithKMS(bucketKeyEnabled bool, kmsKeyID, serverSideEncryption *string) Options {
|
||||
return func(s *s3Client) {
|
||||
s.bucketKeyEnabled = bucketKeyEnabled
|
||||
if *kmsKeyID != "" {
|
||||
|
@ -43,13 +44,13 @@ func WithKMS(bucketKeyEnabled *bool, kmsKeyID, serverSideEncryption *string) Opt
|
|||
}
|
||||
|
||||
if *serverSideEncryption != "" {
|
||||
s.serverSideEncryption = serverSideEncryption
|
||||
s.serverSideEncryption = types.ServerSideEncryption(s.serverSideEncryption)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (s *s3Client) Upload(body *bytes.Buffer, key string) error {
|
||||
_, err := s.uploader.Upload(&s3manager.UploadInput{
|
||||
_, err := s.client.PutObject(context.TODO(), &s3.PutObjectInput{
|
||||
Bucket: aws.String(s.bucket),
|
||||
Key: aws.String(key),
|
||||
Body: body,
|
||||
|
@ -62,20 +63,25 @@ func (s *s3Client) Upload(body *bytes.Buffer, key string) error {
|
|||
|
||||
// NewS3Client creates a new S3.client to send Results to S3
|
||||
func NewS3Client(accessKeyID, secretAccessKey, region, endpoint, bucket string, pathStyle bool, opts ...Options) AWSClient {
|
||||
config := createConfig(accessKeyID, secretAccessKey, region, endpoint)
|
||||
if pathStyle {
|
||||
config.S3ForcePathStyle = &pathStyle
|
||||
}
|
||||
|
||||
sess, err := session.NewSession(config)
|
||||
config, err := createConfig(accessKeyID, secretAccessKey, region)
|
||||
if err != nil {
|
||||
zap.L().Error("error while creating S3 session")
|
||||
zap.L().Error("error while creating config", zap.Error(err))
|
||||
return nil
|
||||
}
|
||||
|
||||
client := s3.NewFromConfig(config, func(o *s3.Options) {
|
||||
o.UsePathStyle = pathStyle
|
||||
|
||||
if endpoint != "" {
|
||||
o.BaseEndpoint = &endpoint
|
||||
}
|
||||
})
|
||||
|
||||
zap.L().Debug("S3 Client created", zap.String("Region", region), zap.String("Endpoint", endpoint), zap.Bool("PathStyle", pathStyle))
|
||||
|
||||
s3Client := &s3Client{
|
||||
bucket: bucket,
|
||||
uploader: s3manager.NewUploader(sess),
|
||||
bucket: bucket,
|
||||
client: client,
|
||||
}
|
||||
|
||||
for _, opt := range opts {
|
||||
|
@ -87,7 +93,7 @@ func NewS3Client(accessKeyID, secretAccessKey, region, endpoint, bucket string,
|
|||
|
||||
type kinesisClient struct {
|
||||
streamName string
|
||||
kinesis *kinesis.Kinesis
|
||||
kinesis *kinesis.Client
|
||||
}
|
||||
|
||||
func (k *kinesisClient) Upload(body *bytes.Buffer, key string) error {
|
||||
|
@ -96,7 +102,7 @@ func (k *kinesisClient) Upload(body *bytes.Buffer, key string) error {
|
|||
return err
|
||||
}
|
||||
|
||||
_, err = k.kinesis.PutRecord(&kinesis.PutRecordInput{
|
||||
_, err = k.kinesis.PutRecord(context.TODO(), &kinesis.PutRecordInput{
|
||||
StreamName: aws.String(k.streamName),
|
||||
PartitionKey: aws.String(key),
|
||||
Data: data,
|
||||
|
@ -106,75 +112,64 @@ func (k *kinesisClient) Upload(body *bytes.Buffer, key string) error {
|
|||
|
||||
// NewKinesisClient creates a new S3.client to send Results to S3
|
||||
func NewKinesisClient(accessKeyID, secretAccessKey, region, endpoint, streamName string) AWSClient {
|
||||
config := createConfig(accessKeyID, secretAccessKey, region, endpoint)
|
||||
|
||||
sess, err := session.NewSession(config)
|
||||
config, err := createConfig(accessKeyID, secretAccessKey, region)
|
||||
if err != nil {
|
||||
zap.L().Error("error while creating Kinesis session")
|
||||
zap.L().Error("error while creating config", zap.Error(err))
|
||||
return nil
|
||||
}
|
||||
|
||||
return &kinesisClient{
|
||||
streamName,
|
||||
kinesis.New(sess),
|
||||
kinesis.NewFromConfig(config, func(o *kinesis.Options) {
|
||||
if endpoint != "" {
|
||||
o.BaseEndpoint = &endpoint
|
||||
}
|
||||
}),
|
||||
}
|
||||
}
|
||||
|
||||
// NewHubClient creates a new SecurityHub client to send finding events
|
||||
func NewHubClient(accessKeyID, secretAccessKey, region, endpoint string) *securityhub.SecurityHub {
|
||||
config := createConfig(accessKeyID, secretAccessKey, region, endpoint)
|
||||
|
||||
sess, err := session.NewSession(config)
|
||||
func NewHubClient(accessKeyID, secretAccessKey, region, endpoint string) *securityhub.Client {
|
||||
config, err := createConfig(accessKeyID, secretAccessKey, region)
|
||||
if err != nil {
|
||||
zap.L().Error("error while creating SecurityHub session")
|
||||
zap.L().Error("error while creating config", zap.Error(err))
|
||||
return nil
|
||||
}
|
||||
|
||||
optional := make([]*aws.Config, 0)
|
||||
if endpoint != "" {
|
||||
optional = append(optional, aws.NewConfig().WithEndpoint(endpoint))
|
||||
}
|
||||
|
||||
return securityhub.New(sess, optional...)
|
||||
return securityhub.NewFromConfig(config, func(o *securityhub.Options) {
|
||||
if endpoint != "" {
|
||||
o.BaseEndpoint = &endpoint
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
func createConfig(accessKeyID, secretAccessKey, region, endpoint string) *aws.Config {
|
||||
baseConfig := &aws.Config{}
|
||||
if endpoint != "" {
|
||||
baseConfig.Endpoint = aws.String(endpoint)
|
||||
}
|
||||
if region != "" {
|
||||
baseConfig.Region = aws.String(region)
|
||||
}
|
||||
func createConfig(accessKeyID, secretAccessKey, region string) (aws.Config, error) {
|
||||
roleARN := os.Getenv("AWS_ROLE_ARN")
|
||||
webIdentity := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
|
||||
|
||||
sess := session.Must(session.NewSession(baseConfig))
|
||||
cfg, err := config.LoadDefaultConfig(context.TODO(), func(o *config.LoadOptions) error {
|
||||
if region != "" {
|
||||
o.Region = region
|
||||
}
|
||||
|
||||
var provider credentials.Provider
|
||||
return nil
|
||||
})
|
||||
if err != nil {
|
||||
return aws.Config{}, err
|
||||
}
|
||||
|
||||
if accessKeyID != "" && secretAccessKey != "" {
|
||||
provider = &credentials.StaticProvider{
|
||||
Value: credentials.Value{
|
||||
AccessKeyID: accessKeyID,
|
||||
SecretAccessKey: secretAccessKey,
|
||||
},
|
||||
}
|
||||
} else if os.Getenv("AWS_ROLE_ARN") != "" && os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE") != "" {
|
||||
provider = stscreds.NewWebIdentityRoleProvider(
|
||||
sts.New(sess),
|
||||
os.Getenv("AWS_ROLE_ARN"),
|
||||
"",
|
||||
os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"),
|
||||
)
|
||||
zap.L().Debug("configure AWS credentals provider", zap.String("provider", "StaticCredentialsProvider"))
|
||||
cfg.Credentials = credentials.NewStaticCredentialsProvider(accessKeyID, secretAccessKey, "")
|
||||
} else if webIdentity != "" && roleARN != "" {
|
||||
zap.L().Debug("configure AWS credentals provider", zap.String("provider", "WebIdentityRoleProvider"), zap.String("WebIdentidyFile", webIdentity))
|
||||
cfg.Credentials = stscreds.NewWebIdentityRoleProvider(sts.NewFromConfig(cfg), roleARN, stscreds.IdentityTokenFile(webIdentity))
|
||||
} else if roleARN != "" {
|
||||
zap.L().Debug("configure AWS credentals provider", zap.String("provider", "AssumeRoleProvider"))
|
||||
cfg.Credentials = stscreds.NewAssumeRoleProvider(sts.NewFromConfig(cfg), roleARN)
|
||||
} else {
|
||||
provider = &ec2rolecreds.EC2RoleProvider{
|
||||
Client: ec2metadata.New(sess),
|
||||
}
|
||||
cfg.Credentials = ec2rolecreds.New()
|
||||
}
|
||||
|
||||
return &aws.Config{
|
||||
Region: baseConfig.Region,
|
||||
Endpoint: baseConfig.Endpoint,
|
||||
CredentialsChainVerboseErrors: aws.Bool(true),
|
||||
Credentials: credentials.NewCredentials(provider),
|
||||
}
|
||||
return cfg, nil
|
||||
}
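Review bot: In the WithKMS hunk, `s.serverSideEncryption = types.ServerSideEncryption(s.serverSideEncryption)` converts the field's own zero value instead of the option argument, so the configured server-side encryption is silently never applied to the client and objects go out without the requested SSE setting; it should read `s.serverSideEncryption = types.ServerSideEncryption(*serverSideEncryption)` (the Upload body that consumes the field continues outside the hunk, so I cannot confirm how it is used there). In createConfig, the providers assigned to `cfg.Credentials` from stscreds and ec2rolecreds are not wrapped in `aws.NewCredentialsCache`, unlike the chain LoadDefaultConfig resolves, so each SDK call can trigger a fresh STS assume-role or IMDS retrieval instead of reusing cached temporary credentials; wrap each one, e.g. `cfg.Credentials = aws.NewCredentialsCache(stscreds.NewAssumeRoleProvider(sts.NewFromConfig(cfg), roleARN))`. The default branch also replaces the chain LoadDefaultConfig already resolved with `ec2rolecreds.New()`, which as far as I can tell drops container and pod-identity credential sources the default chain covers; if narrowing to the instance role is intentional, a short comment stating so would help the next reader. The debug messages spell "credentals" and "WebIdentidyFile".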
|
||||
|
|
|
@ -4,12 +4,13 @@ import (
|
|||
"testing"
|
||||
"time"
|
||||
|
||||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
||||
"github.com/kyverno/policy-reporter/pkg/cache"
|
||||
"github.com/kyverno/policy-reporter/pkg/crd/api/policyreport/v1alpha2"
|
||||
"github.com/kyverno/policy-reporter/pkg/fixtures"
|
||||
"github.com/kyverno/policy-reporter/pkg/listener"
|
||||
"github.com/kyverno/policy-reporter/pkg/report"
|
||||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
func Test_ResultListener(t *testing.T) {
|
||||
|
|
|
@ -5,15 +5,18 @@ import (
|
|||
"text/template"
|
||||
"time"
|
||||
|
||||
"go.uber.org/zap"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
|
||||
"github.com/kyverno/policy-reporter/pkg/crd/api/policyreport/v1alpha2"
|
||||
"github.com/kyverno/policy-reporter/pkg/target"
|
||||
"github.com/kyverno/policy-reporter/pkg/target/http"
|
||||
"go.uber.org/zap"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
)
|
||||
|
||||
const messageTempl string = `[{{ .Priority }}] {{ or .Result.Policy .Result.Rule }}`
|
||||
const resourceTempl string = `{{ if .Namespace }}[{{ .Namespace }}] {{ end }} {{ .APIVersion }}/{{ .Kind }} {{ .Name }}`
|
||||
const (
|
||||
messageTempl string = `[{{ .Priority }}] {{ or .Result.Policy .Result.Rule }}`
|
||||
resourceTempl string = `{{ if .Namespace }}[{{ .Namespace }}] {{ end }} {{ .APIVersion }}/{{ .Kind }} {{ .Name }}`
|
||||
)
|
||||
|
||||
type values struct {
|
||||
Result v1alpha2.PolicyReportResult
|
||||
|
@ -94,7 +97,7 @@ func mapPayload(result v1alpha2.PolicyReportResult) (*Payload, error) {
|
|||
return nil, err
|
||||
}
|
||||
|
||||
var prio = result.Priority.String()
|
||||
prio := result.Priority.String()
|
||||
if prio == "" {
|
||||
prio = v1alpha2.DebugPriority.String()
|
||||
}
|
||||
|
|
|
@ -2,9 +2,10 @@ package http
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"go.uber.org/zap"
|
||||
"net/http"
|
||||
"net/http/httputil"
|
||||
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
|
||||
func NewLoggingRoundTripper(roundTripper http.RoundTripper) http.RoundTripper {
|
||||
|
|
|
@ -1,10 +1,12 @@
|
|||
package securityhub
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
hub "github.com/aws/aws-sdk-go/service/securityhub"
|
||||
hub "github.com/aws/aws-sdk-go-v2/service/securityhub"
|
||||
"github.com/aws/aws-sdk-go-v2/service/securityhub/types"
|
||||
"go.uber.org/zap"
|
||||
|
||||
"github.com/kyverno/policy-reporter/pkg/crd/api/policyreport/v1alpha2"
|
||||
|
@ -15,7 +17,7 @@ import (
|
|||
type Options struct {
|
||||
target.ClientOptions
|
||||
CustomFields map[string]string
|
||||
Client *hub.SecurityHub
|
||||
Client *hub.Client
|
||||
AccountID string
|
||||
Region string
|
||||
}
|
||||
|
@ -23,7 +25,7 @@ type Options struct {
|
|||
type client struct {
|
||||
target.BaseClient
|
||||
customFields map[string]string
|
||||
hub *hub.SecurityHub
|
||||
hub *hub.Client
|
||||
accountID string
|
||||
region string
|
||||
}
|
||||
|
@ -41,37 +43,37 @@ func (c *client) Send(result v1alpha2.PolicyReportResult) {
|
|||
|
||||
t := time.Unix(result.Timestamp.Seconds, int64(result.Timestamp.Nanos))
|
||||
|
||||
res, err := c.hub.BatchImportFindings(&hub.BatchImportFindingsInput{
|
||||
Findings: []*hub.AwsSecurityFinding{
|
||||
res, err := c.hub.BatchImportFindings(context.TODO(), &hub.BatchImportFindingsInput{
|
||||
Findings: []types.AwsSecurityFinding{
|
||||
{
|
||||
Id: &result.ID,
|
||||
AwsAccountId: &c.accountID,
|
||||
SchemaVersion: toPointer("2018-10-08"),
|
||||
ProductArn: toPointer("arn:aws:securityhub:" + c.region + ":" + c.accountID + ":product/" + c.accountID + "/default"),
|
||||
GeneratorId: toPointer(fmt.Sprintf("%s/%s", result.Source, generator)),
|
||||
Types: []*string{toPointer("Software and Configuration Checks")},
|
||||
Types: []string{"Software and Configuration Checks"},
|
||||
CreatedAt: toPointer(t.Format("2006-01-02T15:04:05.999999999Z07:00")),
|
||||
UpdatedAt: toPointer(t.Format("2006-01-02T15:04:05.999999999Z07:00")),
|
||||
Severity: &hub.Severity{
|
||||
Severity: &types.Severity{
|
||||
Label: mapSeverity(result.Severity),
|
||||
},
|
||||
Title: &title,
|
||||
Description: &result.Message,
|
||||
ProductFields: map[string]*string{
|
||||
"Product Name": toPointer("Policy Reporter"),
|
||||
ProductFields: map[string]string{
|
||||
"Product Name": "Policy Reporter",
|
||||
},
|
||||
Resources: []*hub.Resource{
|
||||
Resources: []types.Resource{
|
||||
{
|
||||
Type: toPointer("Other"),
|
||||
Region: &c.region,
|
||||
Partition: toPointer("aws"),
|
||||
Partition: types.PartitionAws,
|
||||
Id: mapResourceID(result),
|
||||
Details: &hub.ResourceDetails{
|
||||
Details: &types.ResourceDetails{
|
||||
Other: c.mapOtherDetails(result),
|
||||
},
|
||||
},
|
||||
},
|
||||
RecordState: toPointer(hub.RecordStateActive),
|
||||
RecordState: types.RecordStateActive,
|
||||
},
|
||||
},
|
||||
})
|
||||
|
@ -80,26 +82,26 @@ func (c *client) Send(result v1alpha2.PolicyReportResult) {
|
|||
return
|
||||
}
|
||||
|
||||
zap.L().Info(c.Name()+": PUSH OK", zap.Int64("successCount", *res.SuccessCount), zap.Int64("failedCount", *res.FailedCount))
|
||||
zap.L().Info(c.Name()+": PUSH OK", zap.Int32("successCount", res.SuccessCount), zap.Int32("failedCount", res.FailedCount))
|
||||
}
|
||||
|
||||
func (c *client) mapOtherDetails(result v1alpha2.PolicyReportResult) map[string]*string {
|
||||
details := map[string]*string{
|
||||
"Source": &result.Source,
|
||||
"Category": &result.Category,
|
||||
"Policy": &result.Policy,
|
||||
"Rule": &result.Rule,
|
||||
"Result": toPointer(string(result.Result)),
|
||||
"Priority": toPointer(result.Priority.String()),
|
||||
func (c *client) mapOtherDetails(result v1alpha2.PolicyReportResult) map[string]string {
|
||||
details := map[string]string{
|
||||
"Source": result.Source,
|
||||
"Category": result.Category,
|
||||
"Policy": result.Policy,
|
||||
"Rule": result.Rule,
|
||||
"Result": string(result.Result),
|
||||
"Priority": result.Priority.String(),
|
||||
}
|
||||
|
||||
if len(c.customFields) > 0 {
|
||||
for property, value := range c.customFields {
|
||||
details[property] = &value
|
||||
details[property] = value
|
||||
}
|
||||
|
||||
for property, value := range result.Properties {
|
||||
details[property] = &value
|
||||
details[property] = value
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -107,19 +109,19 @@ func (c *client) mapOtherDetails(result v1alpha2.PolicyReportResult) map[string]
|
|||
res := result.GetResource()
|
||||
|
||||
if res.APIVersion != "" {
|
||||
details["Resource APIVersion"] = &res.APIVersion
|
||||
details["Resource APIVersion"] = res.APIVersion
|
||||
}
|
||||
if res.Kind != "" {
|
||||
details["Resource Kind"] = &res.Kind
|
||||
details["Resource Kind"] = res.Kind
|
||||
}
|
||||
if res.Namespace != "" {
|
||||
details["Resource Namespace"] = &res.Namespace
|
||||
details["Resource Namespace"] = res.Namespace
|
||||
}
|
||||
if res.Name != "" {
|
||||
details["Resource Name"] = &res.Name
|
||||
details["Resource Name"] = res.Name
|
||||
}
|
||||
if res.UID != "" {
|
||||
details["Resource UID"] = toPointer(string(res.UID))
|
||||
details["Resource UID"] = string(res.UID)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -141,20 +143,20 @@ func toPointer[T any](value T) *T {
|
|||
return &value
|
||||
}
|
||||
|
||||
func mapSeverity(s v1alpha2.PolicySeverity) *string {
|
||||
func mapSeverity(s v1alpha2.PolicySeverity) types.SeverityLabel {
|
||||
switch s {
|
||||
case v1alpha2.SeverityInfo:
|
||||
return toPointer(hub.SeverityLabelInformational)
|
||||
return types.SeverityLabelInformational
|
||||
case v1alpha2.SeverityLow:
|
||||
return toPointer(hub.SeverityLabelLow)
|
||||
return types.SeverityLabelLow
|
||||
case v1alpha2.SeverityMedium:
|
||||
return toPointer(hub.SeverityLabelMedium)
|
||||
return types.SeverityLabelMedium
|
||||
case v1alpha2.SeverityHigh:
|
||||
return toPointer(hub.SeverityLabelHigh)
|
||||
return types.SeverityLabelHigh
|
||||
case v1alpha2.SeverityCritical:
|
||||
return toPointer(hub.SeverityLabelCritical)
|
||||
return types.SeverityLabelCritical
|
||||
default:
|
||||
return toPointer(hub.SeverityLabelInformational)
|
||||
return types.SeverityLabelInformational
|
||||
}
|
||||
}
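Review bot: The new log line `zap.L().Info(c.Name()+": PUSH OK", zap.Int32("successCount", res.SuccessCount), zap.Int32("failedCount", res.FailedCount))` in the `@ -80,26 +82,26 @@` hunk still reports success when `res.FailedCount` is non-zero, and the per-finding reasons the API returns in `res.FailedFindings` are dropped, so a rejected finding leaves no trace beyond a counter. Branch on the count before the Info line, e.g. `if res.FailedCount > 0 { zap.L().Warn(c.Name()+": PUSH partially failed", zap.Int32("failedCount", res.FailedCount), zap.Any("failedFindings", res.FailedFindings)); return }`. The `context.TODO()` passed to BatchImportFindings also leaves the import call without a deadline, so a stalled Security Hub endpoint blocks Send indefinitely; a `context.WithTimeout` derived from a caller-supplied or background context would bound it. The Send method starts and ends outside this hunk.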
|
||||
|
||||
|
|
|
@ -26,8 +26,7 @@ func escape(text interface{}) string {
|
|||
return replacer.Replace(fmt.Sprintf("%v", text))
|
||||
}
|
||||
|
||||
var (
|
||||
notificationTempl = `*\[Policy Reporter\] \[{{ .Priority }}\] {{ escape (or .Result.Policy .Result.Rule) }}*
|
||||
var notificationTempl = `*\[Policy Reporter\] \[{{ .Priority }}\] {{ escape (or .Result.Policy .Result.Rule) }}*
|
||||
{{- if .Resource }}
|
||||
|
||||
*Resource*: {{ .Resource.Kind }} {{ if .Resource.Namespace }}{{ escape .Resource.Namespace }}/{{ end }}{{ escape .Resource.Name }}
|
||||
|
@ -49,7 +48,6 @@ var (
|
|||
{{ range $key, $value := .Result.Properties }}• *{{ escape $key }}*: {{ escape $value }}
|
||||
{{ end }}
|
||||
`
|
||||
)
|
||||
|
||||
type Payload struct {
|
||||
Text string `json:"text,omitempty"`
|
||||
|
@ -119,7 +117,7 @@ func (e *client) Send(result v1alpha2.PolicyReportResult) {
|
|||
res = result.GetResource()
|
||||
}
|
||||
|
||||
var prio = result.Priority.String()
|
||||
prio := result.Priority.String()
|
||||
if prio == "" {
|
||||
prio = v1alpha2.DebugPriority.String()
|
||||
}
|
||||
|
|