ROX-11826: Disable kernel support package uploads for managed central#3661
Merged
ROX-11826: Disable kernel support package uploads for managed central#3661
Conversation
|
Images are ready for the commit at 78dad7d. To use with deploy scripts, first |
2c6cde4 to
cc4d6af
Compare
cc4d6af to
a3ce7e0
Compare
misberner
approved these changes
Nov 3, 2022
Contributor
misberner
left a comment
There was a problem hiding this comment.
I find the function odd and not worthy of a utility function, if that makes sense (I would propose to move it to somewhere under central/ at least, as we won't need it elsewhere), but I want to remain conscious of the overengineering risk so no strong demands to change the approach
central/main.go
Outdated
| Route: "/db/backup", | ||
| Authorizer: dbAuthz.DBReadAccessAuthorizer(), | ||
| ServerHandler: notImplementedOnManagedServices(globaldbHandlers.BackupDB(nil, nil, globaldb.GetPostgres(), false)), | ||
| ServerHandler: httputil.HandlerNotImplementedIfSettingDisabled(!env.ManagedCentral.BooleanSetting(), globaldbHandlers.BackupDB(nil, nil, globaldb.GetPostgres(), false)), |
Contributor
There was a problem hiding this comment.
I don't have a good solution to that problem, but I find it kind of annoying that using the handler to convey a "not implemented" means the entire rest of the pipeline still runs - authn (probably desired), audit (maybe okay), authz (meh - it's odd to say "not authorized" on an unimplemented API). I wondered if it wouldn't be better to only conditionally append to customRoutes, but then we'd just get a 404 instead of a more meaningful not implemented message..
pkg/httputil/handler.go
Outdated
|
|
||
| // HandlerNotImplementedIfSettingDisabled takes a handler func and returns a handler func that will error out if | ||
| // specified boolean is disabled, otherwise it will return the given handler func | ||
| func HandlerNotImplementedIfSettingDisabled(enabled bool, fn http.Handler) http.Handler { |
Contributor
There was a problem hiding this comment.
This function seems oddly specific for a utility package.
- Why is it relevant that the
boolparameter corresponds to a setting? - What if one wanted to customize the error message?
I think a more elegant way to solve this might be by introducing a general-purpose ITE (if-then-else)/ternary operator function, e.g., in pkg/utils, like:
func ITE[T any](cond bool, a, b T) T {
if cond {
return a
}
return b
}and then also have something like a func NotImplementedHandler(msg string) http.Handler. You can then invoke this as, e.g.,
utils.ITE[http.Handler](env.DisableKernelPackageUpload.BooleanSetting(), httputil.NotImplementedHandler("..."), http.HandlerFunc(s.handleProbeUpload))
Contributor
Author
There was a problem hiding this comment.
I totally forgot we support generics now. Love this idea so I'll switch to this
SimonBaeumer
suggested changes
Nov 3, 2022
| Route: "/api/extensions/probeupload", | ||
| Authorizer: user.With(permissions.Modify(resources.ProbeUpload)), | ||
| ServerHandler: http.HandlerFunc(s.handleProbeUpload), | ||
| ServerHandler: httputil.HandlerNotImplementedIfSettingDisabled(!env.DisableKernelPackageUpload.BooleanSetting(), http.HandlerFunc(s.handleProbeUpload)), |
Contributor
There was a problem hiding this comment.
Three negations here make the code hard to understand.
My suggestion:
- Rename function to
httputil.DisableHandler(bool, func), a true disables the handler. OrEnableHandlerwhich reacts on a positive setting. - Changing the env var to a positive
EnableKernelPackageUpload
Suggested change
| ServerHandler: httputil.HandlerNotImplementedIfSettingDisabled(!env.DisableKernelPackageUpload.BooleanSetting(), http.HandlerFunc(s.handleProbeUpload)), | |
| ServerHandler: httputil.HandlerEnabled(env.EnableKernelPackageUpload.BooleanSetting(), http.HandlerFunc(s.handleProbeUpload)), |
Contributor
Author
There was a problem hiding this comment.
I'm using the IfThenElse and with the switch to EnableKernelPackageUpload it'll become true enables it and false returns not implemented.
md2119
approved these changes
Nov 3, 2022
central/main.go
Outdated
| Route: "/db/backup", | ||
| Authorizer: dbAuthz.DBReadAccessAuthorizer(), | ||
| ServerHandler: notImplementedOnManagedServices(globaldbHandlers.BackupDB(nil, nil, globaldb.GetPostgres(), false)), | ||
| ServerHandler: httputil.HandlerNotImplementedIfSettingDisabled(!env.ManagedCentral.BooleanSetting(), globaldbHandlers.BackupDB(nil, nil, globaldb.GetPostgres(), false)), |
Contributor
There was a problem hiding this comment.
It would be nice if the func reads in one or more settings and resolves the settings within instead of receiving a bool.
Contributor
Author
There was a problem hiding this comment.
I switched to a If-Then-Else construct which won't support this, but does it make it easy to read for this (more common) use case
a3ce7e0 to
550cad2
Compare
theencee
commented
Nov 4, 2022
Contributor
Author
theencee
left a comment
There was a problem hiding this comment.
had to rebase to fix conflicts
pkg/httputil/handler.go
Outdated
|
|
||
| // HandlerNotImplementedIfSettingDisabled takes a handler func and returns a handler func that will error out if | ||
| // specified boolean is disabled, otherwise it will return the given handler func | ||
| func HandlerNotImplementedIfSettingDisabled(enabled bool, fn http.Handler) http.Handler { |
Contributor
Author
There was a problem hiding this comment.
I totally forgot we support generics now. Love this idea so I'll switch to this
| Route: "/api/extensions/probeupload", | ||
| Authorizer: user.With(permissions.Modify(resources.ProbeUpload)), | ||
| ServerHandler: http.HandlerFunc(s.handleProbeUpload), | ||
| ServerHandler: httputil.HandlerNotImplementedIfSettingDisabled(!env.DisableKernelPackageUpload.BooleanSetting(), http.HandlerFunc(s.handleProbeUpload)), |
Contributor
Author
There was a problem hiding this comment.
I'm using the IfThenElse and with the switch to EnableKernelPackageUpload it'll become true enables it and false returns not implemented.
central/main.go
Outdated
| Route: "/db/backup", | ||
| Authorizer: dbAuthz.DBReadAccessAuthorizer(), | ||
| ServerHandler: notImplementedOnManagedServices(globaldbHandlers.BackupDB(nil, nil, globaldb.GetPostgres(), false)), | ||
| ServerHandler: httputil.HandlerNotImplementedIfSettingDisabled(!env.ManagedCentral.BooleanSetting(), globaldbHandlers.BackupDB(nil, nil, globaldb.GetPostgres(), false)), |
Contributor
Author
There was a problem hiding this comment.
I switched to a If-Then-Else construct which won't support this, but does it make it easy to read for this (more common) use case
|
@theencee: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
SimonBaeumer
approved these changes
Nov 7, 2022
vikin91
added a commit
that referenced
this pull request
Nov 25, 2022
7ffc6be ROX-13368: Skip failing nongroovy tests on PG (#3721) bbdd7a0 Bump github.com/gofrs/uuid from 4.3.0+incompatible to 4.3.1+incompatible (#3642) 1f253f2 Bump github.com/google/certificate-transparency-go from 1.1.3 to 1.1.4 (#3543) d434c8d [ROX-13030] : Add delete collection API endpoint and service implementation (#3648) f062c21 Dashrews/ROX-13253 wait for central-db to come back after bounce and allow FATAL connection lost error (#3537) edc1174 CI: Fill the gaps for https://testgrid.k8s.io/ (#3715) 86d7c54 ROX-13231: use passed context when non-postgres (#3540) 9093195 Add less specific type for BE collection response string (#3728) 5abb652 Only enable ROX_OBJECT_COLLECTIONS feature flag during gke-postgres-ui-e2e job (#3727) 4f64cd1 Add centralDBOnly mode in render (#3707) d67bbe5 Dashrews/ROX-13082 UUID searcher and common updates to set allow use of postgres UUID PR 1 of 4 (#3679) 6f829d5 ROX-13259: graphInit called during init time (#3705) f3bc50d ROX-13380: Conditional rendering edges for deployments and namespaces (#3641) 3764476 ROX-12319: implement smoke test step with groovy test filter (#3220) f202fd4 ROX-11826: Disable kernel support package uploads for managed central (#3661) 61f03dc ROX-11101: Remove deprecated resources from central (#3115) e6aa6d7 ROX-11101: Restore Role permission in UI (#3428) 3203e04 ROX-11101: Remove deprecated resources (#3036) a35f41e Bump golang.org/x/sys from 0.1.0 to 0.2.0 (#3733) 4120524 Bump snakeyaml from 1.29 to 1.33 in /qa-tests-backend (#3732) e1785c0 Bump github.com/coreos/go-systemd/v22 from 22.4.0 to 22.5.0 (#3724) 870df4a Bump google.golang.org/api from 0.101.0 to 0.102.0 (#3723) 721454c Generalize User-Agent setup (#3672) 6a11bf0 Bumps collector version to 3.11.x-145-gc345f72f5e (#3736) ec5d343 [ROX-12923] Walk retries - remainder work (#3729) 40f3d43 ROX-13440: Replace ambiguous central with sensor in networkGraph integration test (#3730) 281ed22 Bump groovy-xml from 2.5.18 to 2.5.19 in /qa-tests-backend (#3741) 49d1651 Bump github.com/prometheus/client_golang from 1.13.1 to 1.14.0 (#3742) b5544aa Bump cloud.google.com/go/storage from 1.27.0 to 1.28.0 (#3743) 9c61e53 ensure CVSS is present for istio vulns (#3706) ae29d52 ROX-13452: don't always clobber scoped ctx when non-postgres (#3748) 517bf05 ROX-13261: DryRunUpdate on collection datastore (#3687) baf7654 ROX-13378: Group new resources with deprecated in UI (#3690) 569922f ROX-13421: Enable roxctl netpol generate and add tech-preview messages (#3740) 2465fc5 Dashrews/ROX-13082 UUID generator templates PR 2 of 4 (#3681) c093c68 Bump slack-api-client from 1.20.2 to 1.27.0 in /qa-tests-backend (#3752) 2c860bb Bump ubi8-micro from 8.6 to 8.7 in /operator (#3751) 80eb04c Make deploy.sh and deploy-local.sh pass shellcheck (#3582) 2182b43 Dashrews/ROX-13082 UUID test updates PR 3 of 4 (#3694) 6dc6ca5 [ROX-13403] : Fix node -> topVuln sub resolver bug when node cves is empty (#3689) 1b21361 Move integration tests for page title from general to specific containers (#3675) e1a9f31 Bump google.golang.org/api from 0.102.0 to 0.103.0 (#3773) a05ea31 Bump golang.org/x/crypto from 0.1.0 to 0.2.0 (#3772) 65ddf4f ROX-12824: Add roxctl commands to generate Central DB bundle (#3602) c3f1e2f Remove obsolete authProviders request for Integrations page (#3759) 7ccd54d Dashrews/ROX-13082 UUID protos generated PR 4 of 4 (#3698) 9ab5c8f cleanup image digest utilities (#3764) 187ed44 ROX-11931: Convert junit failure artifacts to Slack attachments (#3438) b5d8790 ROX-13432: leaning up unused code copied/pasted from topology demo (#3750) ab05bfc Refactor collection form page for better composition (#3744) c5562f7 Remove babel devDependencies in ui-components (#3761) 2b90b3a Extract collection form from drawer wrapper layout (#3745) a779fc9 [ROX-12625 + ROX-13032] : Add GetCollectionCount and UpdateCollection endpoints and services (#3749) e77f0da Upgrade cypress 11.0.0 devDependencies in ui (#3760) a3fba94 ROX-13068: Use real data for deployment details (#3688) 4c7d90e ROX-12617: Collection to search query converter (#3683) 3e98aec ROX-13067: fill out port configurations section of deployment details (#3714) a48de36 ROX-12835: Add support for NodeScanV2 to Sensor (#3533) 30c5dc7 ROX-13466: Fix deletion of groups with empty properties (#3756) 5cb2470 Add autocomplete for name selector dropdowns (#3676) b9a75ad ROX-13464 adding flows dropdown in NG (#3763) 3217a67 [ROX-13500] Perform type check for V1 CronJob (#3787) af3790d Remove bulk delete from collections table (#3776) dda123b Add more info in migration log (#3788) 179f0c9 ROX-13502: Remove the circular dependency between cluster datastore init and cscc notifier init (#3790) 029d584 Update SCANNER_VERSION (#3774) cbca57c Bump github.com/ckaznocha/protoc-gen-lint from 0.2.4 to 0.3.0 (#3783) 3613b56 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (#3782) 5fc0a6a Bump github.com/google/go-containerregistry from 0.12.0 to 0.12.1 (#3781) 1d1c687 Bump controller-gen version to 0.10.0 (#3754) c3a5290 Untie documentation link from the product version (#3799) ed822aa use correct package for migration (#3784) 397a0b4 Validate that label keys are valid k8s labels and ensure correct key splitting (#3777) edd1050 Rename variable ScannerGRPCEndpoint to ScannerSlimGRPCEndpoint (#3657) 6662c9f ROX-13378: Access Control page permissions (#3720) b0e73c5 fix Operator reconciliation for external Central DB (#3796) b83bc1f ROX-13505: Fix error log scanning the postgres stat collection (#3795) ca660cb Prevent the collection being edited from displaying in its own embedded list (#3778) 3f7b3fc [ROX-13441][POSTGRES] Propagate context correctly in retries (#3793) e0cbc6f ROX-12839: Update changelog to announce removal of in-product docs (#3805) 696e8bc [ROX-12358] Follow up on vulnerability request proto change (#2851) c4b46d8 Change getCollectionCount endpoint and updateCollection request type 5f2efbc remove make proto-fmt (#3804) 0c75540 Remove os.Std* from roxctl/central (#3758) 25a90de Add ability to view embedded collections in a pop up modal (#3747) 5c1bf81 ROX-13240: fix scanner-slim updates when WebSockets are used (#3704) 1d98577 Add more context to jira notifier logging (#3812) da2fd28 ROX-13031: DryRun Collection API (#3766) 1c418d5 Test data migration code in postgres tests (#3803) ed95b37 Update UI Collection requests for BE compatibiltiy (#3762) 09cc188 ROX-11931: Fix junit-parse install in CI (#3811) d2b01e3 ROX-12814: Disable PolicyFieldsTest on openshift. (#3797) d10ce27 ROX-13345: disable 'missing required registry' aspect on openshift (#3798) 3d22396 Update collector to 3.12 (#3809) 1eb33fb ROX-13347: Modify scope queries to included quoted cluster and nameace names, to allow exact matches instead of erroneous and unintended prefix matches. (#3767) 3811a69 ROX-12621: list collection selectors api (#3806) f6d3f9d Add migration for groups with invalid values (#3789) cc21125 Bugfixes for collection autocomplete (#3816) 7623dec ROX-9350 Use fine-grained host paths for compliance mounts (#2479) b4bf5c2 Fix collector volumeMounts (#3826) 0e9be05 ROX-12953: figure out last 4 versions of sensor automatically (#3611) 459c7ae ROX-12814: Add proper todo for reenabling the test (#3817) 9ee40ff ROX-13523: add isEnabled enum to central db spec (#3815) 535bc72 Replace requestConfig with routeMatcherMap in helper functions for integration tests (#3686) 2b75b61 `gosec` G104: Add `ShouldErr(err)` that returns `err` (#3830) fb1b82f WIP: Introduce nodescan call 35f8a8f WIP: Prepare converter 716144b Moved and renamed fake nodescan tests 4748de7 Introduce real node scanner with conversion functions 5e6d9a8 wip: real scanner 0169868 wip: log results 1438d2c wip: Debug Analyze call b09894c wip: Debug Analyze call 3ceed72 wip: Update and improve debug logs d1669fd Remove copied lib, bump scanner version, add debug 14a3f73 Merge branch 'master' into mm/ROX-12967-real-nodescan fbd0450 Fix style issues 17ccb31 Debug: let both scans finish to see what they return
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This is only used for those running in offline mode and thus is unnecessary in managed central. Uses a new env var,
ROX_DISABLE_KERNEL_PACKAGE_UPLOAD, which is enabled by default for managed central (via helm).Checklist
[ ] Evaluated and added CHANGELOG entry if required[ ] Determined and documented upgrade steps[ ] Documented user facing changes (create PR based on openshift/openshift-docs and merge into rhacs-docs)If any of these don't apply, please comment below.
Testing Performed
TODO(replace-me)
Use this space to explain how you tested your PR, or, if you didn't test it, why
you did not do so. Valid reasons include, for example, "CI is sufficient",
"No testable changes". Feel free to attach JSON snippets, curl commands,
screenshots.
In addition to reviewing your code, reviewers must also review your testing
instructions and make sure they are sufficient.