diff --git a/go.mod b/go.mod index 1a4d6ffb..4faa76e2 100644 --- a/go.mod +++ b/go.mod @@ -16,7 +16,7 @@ require ( github.com/spectrocloud-labs/prompts-tui v0.1.0 github.com/spf13/cobra v1.8.1 github.com/spf13/viper v1.19.0 - github.com/validator-labs/validator v0.0.50 + github.com/validator-labs/validator v0.1.0 github.com/validator-labs/validator-plugin-aws v0.1.2 github.com/validator-labs/validator-plugin-azure v0.0.14 github.com/validator-labs/validator-plugin-network v0.0.22-0.20240801153219-c280e896939b diff --git a/go.sum b/go.sum index 8fc108ba..9b2064ae 100644 --- a/go.sum +++ b/go.sum @@ -698,8 +698,8 @@ github.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho= github.com/tjfoc/gmsm v1.4.1/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= -github.com/validator-labs/validator v0.0.50 h1:8h0Dy1Hl0818WuTF8hgZ3HaNxUtGSm130Zrp7f7vjGw= -github.com/validator-labs/validator v0.0.50/go.mod h1:YxUKAXuSR6fIAi7WCQV/Wbrzf9szf8aCTeYWEA+JyIY= +github.com/validator-labs/validator v0.1.0 h1:GVekIT5sG+kcyUbT04qb/pURmd9eE6NNKnSR9yJ1sQk= +github.com/validator-labs/validator v0.1.0/go.mod h1:OeJMHGKW3pWGkvKxHLN7HzjelSILJg2k8w3Z9SdML1g= github.com/validator-labs/validator-plugin-aws v0.1.2 h1:wonvgg9DICxu2fPO3HCTZzC4wJEJBLdS26pt+s50JhI= github.com/validator-labs/validator-plugin-aws v0.1.2/go.mod h1:oh1xveiGhOgAtlI/okU/sHsOmr4mBbHSLCIoD5essLs= github.com/validator-labs/validator-plugin-azure v0.0.14 h1:/PVhAw3Ug4oJz5iRy+Qw8vKYYHd+gOBbXI5AH6GyYHg= diff --git a/hack/validator.tmpl b/hack/validator.tmpl index 2a0ae09f..6492b166 100644 --- a/hack/validator.tmpl +++ b/hack/validator.tmpl 
@@ -1,21 +1,36 @@ +helmConfig: + registry: https://validator-labs.github.io + insecureSkipVerify: false helmRelease: chart: name: validator - repository: https://validator-labs.github.io/validator + repository: validator version: v${VALIDATOR_VERSION} - insecureSkipVerify: true values: "" helmReleaseSecret: - name: "" - caCertFile: "" + name: validator-helm-release-validator + basicAuth: + username: "" + password: "" exists: false -imageRegistry: quay.io/validator-labs -useFixedVersion: false -registryConfig: - enabled: false kindConfig: useKindCluster: true kindClusterName: "" +registryConfig: + enabled: false + registry: + host: "" + port: 0 + basicAuth: + username: "" + password: "" + insecureSkipTLSVerify: false + caCert: + data: "" + name: "" + path: "" + baseContentPath: "" + isAirgapped: false sinkConfig: enabled: true createSecret: true @@ -30,25 +45,22 @@ sinkConfig: proxyConfig: enabled: false env: + podCIDR: 172.16.0.0/20 proxyCaCert: data: "" name: "" path: "" - podCIDR: 172.16.0.0/20 serviceIPRange: 10.155.0.0/24 +imageRegistry: quay.io/validator-labs +useFixedVersions: false awsPlugin: enabled: true helmRelease: chart: name: validator-plugin-aws - repository: https://validator-labs.github.io/validator-plugin-aws + repository: validator-plugin-aws version: v${AWS_VERSION} - insecureSkipVerify: true values: "" - helmReleaseSecret: - name: "" - caCertFile: "" - exists: false accessKeyId: a0XCQd+Emx7/bwAaTyY13ipTRychb4MiQw== secretAccessKey: IrGIW8FPVuOxVDRWQUdTa22SDf1MQ2PBw0kdngVq+w== validator: @@ -160,14 +172,9 @@ networkPlugin: helmRelease: chart: name: validator-plugin-network - repository: https://validator-labs.github.io/validator-plugin-network + repository: validator-plugin-network version: v${NETWORK_VERSION} - insecureSkipVerify: true values: "" - helmReleaseSecret: - name: "" - caCertFile: "" - exists: false validator: dnsRules: - name: resolve foo 
@@ -193,14 +200,9 @@ ociPlugin: helmRelease: chart: name: validator-plugin-oci - repository: https://validator-labs.github.io/validator-plugin-oci + repository: validator-plugin-oci version: v${OCI_VERSION} - insecureSkipVerify: true values: "" - helmReleaseSecret: - name: "" - caCertFile: "" - exists: false secrets: - name: oci-creds username: user1 @@ -228,14 +230,9 @@ vspherePlugin: helmRelease: chart: name: validator-plugin-vsphere - repository: https://validator-labs.github.io/validator-plugin-vsphere + repository: validator-plugin-vsphere version: v${VSPHERE_VERSION} - insecureSkipVerify: true values: "" - helmReleaseSecret: - name: "" - caCertFile: "" - exists: false account: insecure: true password: vn0cCP3U08iqDUwwCgBFWBbfekA+4TTe @@ -526,14 +523,10 @@ azurePlugin: helmRelease: chart: name: validator-plugin-azure - repository: https://validator-labs.github.io/validator-plugin-azure + repository: validator-plugin-azure version: v${AZURE_VERSION} insecureSkipVerify: true values: "" - helmReleaseSecret: - name: "" - caCertFile: "" - exists: false tenantId: d551b7b1-78ae-43df-9d61-4935c843a454 clientId: d551b7b1-78ae-43df-9d61-4935c843a454 clientSecret: qC9aFbiDg/O2Ef31aqEBrbYXb/I+t+qXA4swfguuEBRRAQ== diff --git a/pkg/cmd/validator/validator.go b/pkg/cmd/validator/validator.go index 56842b23..899f49e1 100644 --- a/pkg/cmd/validator/validator.go +++ b/pkg/cmd/validator/validator.go @@ -385,7 +385,12 @@ func applyValidator(c *cfg.Config, vc *components.ValidatorConfig) error { // build validator plugin spec validatorSpec := vapi.ValidatorConfigSpec{ - Plugins: make([]vapi.HelmRelease, 0), + HelmConfig: *vc.HelmConfig, + Plugins: make([]vapi.HelmRelease, 0), + } + + if vc.ReleaseSecret != nil && vc.ReleaseSecret.ShouldCreate() { + kubecommandsPre = append(kubecommandsPre, createReleaseSecretCmd(vc.ReleaseSecret)) } if vc.AWSPlugin.Enabled { 
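Review bot: `insecureSkipVerify: true` survives as a context line under azurePlugin.helmRelease.chart, while the same key was removed from the validator, aws, network, oci and vsphere chart blocks in this file and TLS verification is now driven by the new top-level `helmConfig.insecureSkipVerify: false`. Whether the chart type still reads the per-chart key cannot be told from this diff, but leaving it in the template reads as if Azure chart pulls skip verification when the rest of the file says they do not. Dropping the line makes the azure block agree with the other plugins.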
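Review bot: `HelmConfig: *vc.HelmConfig` dereferences the new pointer field without a nil check, and the hunk at -541 does the same through `vc.HelmConfig.Registry`, `CAFile` and `InsecureSkipTLSVerify`. NewValidatorConfig allocates the field, but a validator.yaml written before helmConfig existed may leave it nil depending on how the loader treats absent keys, and the result would be a panic rather than an error. A guard at the top of this block, `if vc.HelmConfig == nil { return fmt.Errorf("helm configuration is required") }`, keeps the failure on the same error path as the rest of applyValidator. The enclosing function starts and ends outside the hunk.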
@@ -401,9 +406,6 @@ func applyValidator(c *cfg.Config, vc *components.ValidatorConfig) error { Chart: vc.AWSPlugin.Release.Chart, Values: string(values), }) - if vc.AWSPlugin.ReleaseSecret != nil && vc.AWSPlugin.ReleaseSecret.ShouldCreate() { - kubecommandsPre = append(kubecommandsPre, createReleaseSecretCmd(vc.AWSPlugin.ReleaseSecret)) - } pluginCount++ } @@ -420,9 +422,6 @@ func applyValidator(c *cfg.Config, vc *components.ValidatorConfig) error { Chart: vc.AzurePlugin.Release.Chart, Values: string(values), }) - if vc.AzurePlugin.ReleaseSecret != nil && vc.AzurePlugin.ReleaseSecret.ShouldCreate() { - kubecommandsPre = append(kubecommandsPre, createReleaseSecretCmd(vc.AzurePlugin.ReleaseSecret)) - } pluginCount++ } @@ -439,9 +438,6 @@ func applyValidator(c *cfg.Config, vc *components.ValidatorConfig) error { Chart: vc.NetworkPlugin.Release.Chart, Values: string(values), }) - if vc.NetworkPlugin.ReleaseSecret != nil && vc.NetworkPlugin.ReleaseSecret.ShouldCreate() { - kubecommandsPre = append(kubecommandsPre, createReleaseSecretCmd(vc.NetworkPlugin.ReleaseSecret)) - } pluginCount++ } @@ -458,9 +454,6 @@ func applyValidator(c *cfg.Config, vc *components.ValidatorConfig) error { Chart: vc.OCIPlugin.Release.Chart, Values: string(values), }) - if vc.OCIPlugin.ReleaseSecret != nil && vc.OCIPlugin.ReleaseSecret.ShouldCreate() { - kubecommandsPre = append(kubecommandsPre, createReleaseSecretCmd(vc.OCIPlugin.ReleaseSecret)) - } pluginCount++ } @@ -477,9 +470,6 @@ func applyValidator(c *cfg.Config, vc *components.ValidatorConfig) error { Chart: vc.VspherePlugin.Release.Chart, Values: string(values), }) - if vc.VspherePlugin.ReleaseSecret != nil && vc.VspherePlugin.ReleaseSecret.ShouldCreate() { - kubecommandsPre = append(kubecommandsPre, createReleaseSecretCmd(vc.VspherePlugin.ReleaseSecret)) - } pluginCount++ } 
@@ -541,8 +531,9 @@ func applyValidator(c *cfg.Config, vc *components.ValidatorConfig) error { opts := helm.Options{ Chart: vc.Release.Chart.Name, Repo: vc.Release.Chart.Repository, - CaFile: vc.Release.Chart.CAFile, - InsecureSkipTLSVerify: vc.Release.Chart.InsecureSkipTLSVerify, + Registry: vc.HelmConfig.Registry, + CaFile: vc.HelmConfig.CAFile, + InsecureSkipTLSVerify: vc.HelmConfig.InsecureSkipTLSVerify, Version: vc.Release.Chart.Version, Values: finalValues, CreateNamespace: true, @@ -553,8 +544,8 @@ func applyValidator(c *cfg.Config, vc *components.ValidatorConfig) error { } var cleanupLocalChart bool - if strings.HasPrefix(opts.Repo, oci.Scheme) { - log.InfoCLI("\n==== Pulling validator Helm chart from OCI repository %s ====", opts.Repo) + if strings.HasPrefix(opts.Registry, oci.Scheme) { + log.InfoCLI("\n==== Pulling validator Helm chart from OCI registry %s ====", opts.Registry) opts.Path = fmt.Sprintf("%s/%s", c.RunLoc, opts.Chart) opts.Version = strings.TrimPrefix(opts.Version, "v") @@ -567,7 +558,7 @@ func applyValidator(c *cfg.Config, vc *components.ValidatorConfig) error { return fmt.Errorf("failed to create OCI client: %w", err) } ociOpts := oci.ImageOptions{ - Ref: fmt.Sprintf("%s/%s:%s", strings.TrimPrefix(opts.Repo, oci.Scheme), opts.Chart, opts.Version), + Ref: fmt.Sprintf("%s/%s:%s", strings.TrimPrefix(opts.Registry, oci.Scheme), opts.Chart, opts.Version), OutDir: opts.Path, OutFile: opts.Chart, } diff --git a/pkg/components/network.go b/pkg/components/network.go index 0fd02678..abebb480 100644 --- a/pkg/components/network.go +++ b/pkg/components/network.go @@ -1,8 +1,6 @@ package components import ( - "fmt" - network_api "github.com/validator-labs/validator-plugin-network/api/v1alpha1" vapi "github.com/validator-labs/validator/api/v1alpha1" 
@@ -18,21 +16,16 @@ type NetworkConfig struct { // ConfigureNetworkPlugin configures the network plugin. func ConfigureNetworkPlugin(vc *ValidatorConfig, config NetworkConfig) { - // TODO: properly handle TLS, helm, and air-gap config + // TODO: prompt for chart version if !vc.UseFixedVersions vc.NetworkPlugin = &NetworkPluginConfig{ Enabled: true, Release: &vapi.HelmRelease{ Chart: vapi.HelmChart{ - Name: cfg.ValidatorPluginNetwork, - Repository: fmt.Sprintf("%s/%s", cfg.ValidatorHelmRepository, cfg.ValidatorPluginNetwork), - Version: cfg.ValidatorChartVersions[cfg.ValidatorPluginNetwork], - InsecureSkipTLSVerify: true, + Name: cfg.ValidatorPluginNetwork, + Repository: cfg.ValidatorPluginNetwork, + Version: cfg.ValidatorChartVersions[cfg.ValidatorPluginNetwork], }, }, - ReleaseSecret: &Secret{ - Name: fmt.Sprintf("validator-helm-release-%s", cfg.ValidatorPluginNetwork), - BasicAuth: &BasicAuth{}, - }, Validator: &network_api.NetworkValidatorSpec{ IPRangeRules: config.IPRangeRules, TCPConnRules: config.TCPConnRules, diff --git a/pkg/components/oci.go b/pkg/components/oci.go index 7531daf1..4c548e03 100644 --- a/pkg/components/oci.go +++ b/pkg/components/oci.go 
@@ -17,21 +17,16 @@ type OciConfig struct { // ConfigureOciPlugin configures the OCI plugin. func ConfigureOciPlugin(vc *ValidatorConfig, config OciConfig) { - // TODO: properly handle TLS, helm, and air-gap config + // TODO: prompt for chart version if !vc.UseFixedVersions vc.OCIPlugin = &OCIPluginConfig{ Enabled: true, Release: &vapi.HelmRelease{ Chart: vapi.HelmChart{ - Name: cfg.ValidatorPluginOci, - Repository: fmt.Sprintf("%s/%s", cfg.ValidatorHelmRepository, cfg.ValidatorPluginOci), - Version: cfg.ValidatorChartVersions[cfg.ValidatorPluginOci], - InsecureSkipTLSVerify: true, + Name: cfg.ValidatorPluginOci, + Repository: cfg.ValidatorPluginOci, + Version: cfg.ValidatorChartVersions[cfg.ValidatorPluginOci], }, }, - ReleaseSecret: &Secret{ - Name: fmt.Sprintf("validator-helm-release-%s", cfg.ValidatorPluginOci), - BasicAuth: &BasicAuth{}, - }, Validator: &oci_api.OciValidatorSpec{ OciRegistryRules: generateOciRegistryRules(config.HostRefs), }, diff --git a/pkg/components/validator.go b/pkg/components/validator.go index bc8fd695..23803ba6 100644 --- a/pkg/components/validator.go +++ b/pkg/components/validator.go @@ -23,6 +23,7 @@ import ( // ValidatorConfig represents the validator configuration. type ValidatorConfig struct { + HelmConfig *validator.HelmConfig `yaml:"helmConfig"` Release *validator.HelmRelease `yaml:"helmRelease"` ReleaseSecret *Secret `yaml:"helmReleaseSecret"` KindConfig KindConfig `yaml:"kindConfig"` @@ -44,7 +45,8 @@ type ValidatorConfig struct { func NewValidatorConfig() *ValidatorConfig { return &ValidatorConfig{ // Base config - Release: &validator.HelmRelease{}, + HelmConfig: &validator.HelmConfig{}, + Release: &validator.HelmRelease{}, ReleaseSecret: &Secret{ BasicAuth: &BasicAuth{}, Data: make(map[string]string), 
@@ -66,19 +68,11 @@ func NewValidatorConfig() *ValidatorConfig { }, // Plugin config AWSPlugin: &AWSPluginConfig{ - Release: &validator.HelmRelease{}, - ReleaseSecret: &Secret{ - BasicAuth: &BasicAuth{}, - Data: make(map[string]string), - }, + Release: &validator.HelmRelease{}, Validator: &aws.AwsValidatorSpec{}, }, AzurePlugin: &AzurePluginConfig{ - Release: &validator.HelmRelease{}, - ReleaseSecret: &Secret{ - BasicAuth: &BasicAuth{}, - Data: make(map[string]string), - }, + Release: &validator.HelmRelease{}, Validator: &azure.AzureValidatorSpec{}, RuleTypes: make(map[int]string), PlacementTypes: make(map[int]string), @@ -87,29 +81,17 @@ func NewValidatorConfig() *ValidatorConfig { }, NetworkPlugin: &NetworkPluginConfig{ Release: &validator.HelmRelease{}, - ReleaseSecret: &Secret{ - BasicAuth: &BasicAuth{}, - Data: make(map[string]string), - }, Validator: &network.NetworkValidatorSpec{ CACerts: network.CACertificates{}, }, }, OCIPlugin: &OCIPluginConfig{ - Release: &validator.HelmRelease{}, - ReleaseSecret: &Secret{ - BasicAuth: &BasicAuth{}, - Data: make(map[string]string), - }, + Release: &validator.HelmRelease{}, Validator: &oci.OciValidatorSpec{}, CaCertPaths: make(map[int]string), }, VspherePlugin: &VspherePluginConfig{ - Release: &validator.HelmRelease{}, - ReleaseSecret: &Secret{ - BasicAuth: &BasicAuth{}, - Data: make(map[string]string), - }, + Release: &validator.HelmRelease{}, Validator: &vsphereapi.VsphereValidatorSpec{}, Account: &vsphere.CloudAccount{}, }, 
@@ -207,6 +189,30 @@ type RegistryConfig struct { Registry *Registry `yaml:"registry"` } +// ToHelmConfig converts the RegistryConfig to a HelmConfig. +func (c *RegistryConfig) ToHelmConfig() *validator.HelmConfig { + hc := &validator.HelmConfig{ + Registry: c.Registry.ChartEndpoint(), + InsecureSkipTLSVerify: c.Registry.InsecureSkipTLSVerify, + } + + if c.Registry.CACert != nil { + hc.CAFile = c.Registry.CACert.Path + } + + if c.BasicAuthEnabled() { + hc.AuthSecretName = cfg.ValidatorHelmReleaseName + } + + return hc +} + +// BasicAuthEnabled returns true if basic auth is enabled on the RegistryConfig. +func (c *RegistryConfig) BasicAuthEnabled() bool { + return c.Registry.BasicAuth != nil && + (c.Registry.BasicAuth.Username != "" || c.Registry.BasicAuth.Password != "") +} + // KindConfig represents the kind configuration. type KindConfig struct { UseKindCluster bool `yaml:"useKindCluster"` @@ -266,7 +272,6 @@ func (c *SinkConfig) decrypt() error { type AWSPluginConfig struct { Enabled bool `yaml:"enabled"` Release *validator.HelmRelease `yaml:"helmRelease"` - ReleaseSecret *Secret `yaml:"helmReleaseSecret"` AccessKeyID string `yaml:"accessKeyId,omitempty"` SecretAccessKey string `yaml:"secretAccessKey,omitempty"` SessionToken string `yaml:"sessionToken,omitempty"` @@ -275,12 +280,6 @@ type AWSPluginConfig struct { } func (c *AWSPluginConfig) encrypt() error { - if c.ReleaseSecret != nil { - if err := c.ReleaseSecret.encrypt(); err != nil { - return errors.Wrap(err, "failed to encrypt release secret configuration") - } - } - accessKey, err := crypto.EncryptB64([]byte(c.AccessKeyID)) if err != nil { return errors.Wrap(err, "failed to encrypt access key id") 
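Review bot: `ToHelmConfig` and `BasicAuthEnabled` dereference `c.Registry` on every path, but `Registry` is declared as `*Registry` two lines above and nothing in the hunk establishes that it is set; readHelmConfig calls both as soon as `registryConfig.enabled` is true, so a config with `enabled: true` and no registry block panics instead of reporting a bad configuration. Either validate the field where the config is loaded or make the helpers nil-safe, e.g. `return c.Registry != nil && c.Registry.BasicAuth != nil && (...)` in BasicAuthEnabled and an early `if c.Registry == nil { return &validator.HelmConfig{} }` in ToHelmConfig. The doc comment on BasicAuthEnabled is also slightly off, since the method reports whether a username or password is set rather than whether auth is enabled; `// BasicAuthEnabled reports whether a basic-auth username or password is configured for the registry.` matches the body.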
@@ -303,12 +302,6 @@ func (c *AWSPluginConfig) encrypt() error { } func (c *AWSPluginConfig) decrypt() error { - if c.ReleaseSecret != nil { - if err := c.ReleaseSecret.decrypt(); err != nil { - return errors.Wrap(err, "failed to decrypt release secret configuration") - } - } - bytes, err := crypto.DecryptB64(c.AccessKeyID) if err != nil { return errors.Wrap(err, "failed to decrypt access key id") @@ -334,7 +327,6 @@ func (c *AWSPluginConfig) decrypt() error { type AzurePluginConfig struct { Enabled bool `yaml:"enabled"` Release *validator.HelmRelease `yaml:"helmRelease"` - ReleaseSecret *Secret `yaml:"helmReleaseSecret"` ServiceAccountName string `yaml:"serviceAccountName,omitempty"` TenantID string `yaml:"tenantId"` ClientID string `yaml:"clientId"` @@ -347,12 +339,6 @@ type AzurePluginConfig struct { } func (c *AzurePluginConfig) encrypt() error { - if c.ReleaseSecret != nil { - if err := c.ReleaseSecret.encrypt(); err != nil { - return errors.Wrap(err, "failed to encrypt release secret configuration") - } - } - clientSecret, err := crypto.EncryptB64([]byte(c.ClientSecret)) if err != nil { return errors.Wrap(err, "failed to encrypt Azure Client Secret") @@ -363,12 +349,6 @@ func (c *AzurePluginConfig) encrypt() error { } func (c *AzurePluginConfig) decrypt() error { - if c.ReleaseSecret != nil { - if err := c.ReleaseSecret.decrypt(); err != nil { - return errors.Wrap(err, "failed to decrypt release secret configuration") - } - } - bytes, err := crypto.DecryptB64(c.ClientSecret) if err != nil { return errors.Wrap(err, "failed to decrypt Azure Client Secret") 
@@ -389,27 +369,16 @@ type AzureStaticDeploymentValues struct { // NetworkPluginConfig represents the network plugin configuration. type NetworkPluginConfig struct { - Enabled bool `yaml:"enabled"` - Release *validator.HelmRelease `yaml:"helmRelease"` - ReleaseSecret *Secret `yaml:"helmReleaseSecret"` - Validator *network.NetworkValidatorSpec `yaml:"validator"` + Enabled bool `yaml:"enabled"` + Release *validator.HelmRelease `yaml:"helmRelease"` + Validator *network.NetworkValidatorSpec `yaml:"validator"` } func (c *NetworkPluginConfig) encrypt() error { - if c.ReleaseSecret != nil { - if err := c.ReleaseSecret.encrypt(); err != nil { - return errors.Wrap(err, "failed to encrypt release secret configuration") - } - } return nil } func (c *NetworkPluginConfig) decrypt() error { - if c.ReleaseSecret != nil { - if err := c.ReleaseSecret.decrypt(); err != nil { - return errors.Wrap(err, "failed to decrypt release secret configuration") - } - } return nil } @@ -417,7 +386,6 @@ func (c *NetworkPluginConfig) decrypt() error { type OCIPluginConfig struct { Enabled bool `yaml:"enabled"` Release *validator.HelmRelease `yaml:"helmRelease"` - ReleaseSecret *Secret `yaml:"helmReleaseSecret"` Secrets []*Secret `yaml:"secrets,omitempty"` PublicKeySecrets []*PublicKeySecret `yaml:"publicKeySecrets,omitempty"` CaCertPaths map[int]string `yaml:"caCertPaths,omitempty"` @@ -425,11 +393,6 @@ type OCIPluginConfig struct { } func (c *OCIPluginConfig) encrypt() error { - if c.ReleaseSecret != nil { - if err := c.ReleaseSecret.encrypt(); err != nil { - return errors.Wrap(err, "failed to encrypt release secret configuration") - } - } for _, s := range c.Secrets { if s != nil { if err := s.encrypt(); err != nil { 
@@ -441,11 +404,6 @@ func (c *OCIPluginConfig) encrypt() error { } func (c *OCIPluginConfig) decrypt() error { - if c.ReleaseSecret != nil { - if err := c.ReleaseSecret.decrypt(); err != nil { - return errors.Wrap(err, "failed to decrypt release secret configuration") - } - } for _, s := range c.Secrets { if s != nil { if err := s.decrypt(); err != nil { @@ -460,7 +418,6 @@ func (c *OCIPluginConfig) decrypt() error { type VspherePluginConfig struct { Enabled bool `yaml:"enabled"` Release *validator.HelmRelease `yaml:"helmRelease"` - ReleaseSecret *Secret `yaml:"helmReleaseSecret"` Account *vsphere.CloudAccount `yaml:"account"` Validator *vsphereapi.VsphereValidatorSpec `yaml:"validator"` VsphereEntityPrivilegeRules []VsphereEntityPrivilegeRule `yaml:"vsphereEntityPrivilegeRules"` @@ -469,11 +426,6 @@ type VspherePluginConfig struct { } func (c *VspherePluginConfig) encrypt() error { - if c.ReleaseSecret != nil { - if err := c.ReleaseSecret.encrypt(); err != nil { - return errors.Wrap(err, "failed to encrypt release secret configuration") - } - } if c.Account != nil { password, err := crypto.EncryptB64([]byte(c.Account.Password)) if err != nil { @@ -485,11 +437,6 @@ func (c *VspherePluginConfig) encrypt() error { } func (c *VspherePluginConfig) decrypt() error { - if c.ReleaseSecret != nil { - if err := c.ReleaseSecret.decrypt(); err != nil { - return errors.Wrap(err, "failed to decrypt release secret configuration") - } - } if c.Account != nil { bytes, err := crypto.DecryptB64(c.Account.Password) if err != nil { 
@@ -649,10 +596,9 @@ func ConfigureBaseValidator(vc *ValidatorConfig, kubeconfig string) { // TODO: properly handle TLS, helm, and air-gap config vc.Release = &validator.HelmRelease{ Chart: validator.HelmChart{ - Name: cfg.Validator, - Repository: fmt.Sprintf("%s/%s", cfg.ValidatorHelmRepository, cfg.Validator), - Version: cfg.ValidatorChartVersions[cfg.Validator], - InsecureSkipTLSVerify: true, + Name: cfg.Validator, + Repository: cfg.Validator, + Version: cfg.ValidatorChartVersions[cfg.Validator], }, } vc.ReleaseSecret = &Secret{ diff --git a/pkg/components/vsphere.go b/pkg/components/vsphere.go index 7dc03fe8..fbf3b8d6 100644 --- a/pkg/components/vsphere.go +++ b/pkg/components/vsphere.go @@ -1,8 +1,6 @@ package components import ( - "fmt" - vsphereapi "github.com/validator-labs/validator-plugin-vsphere/api/v1alpha1" "github.com/validator-labs/validator-plugin-vsphere/pkg/vsphere" vapi "github.com/validator-labs/validator/api/v1alpha1" 
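Review bot: ConfigureBaseValidator still carries `// TODO: properly handle TLS, helm, and air-gap config` while the matching plugin constructors in this commit replaced it with `// TODO: prompt for chart version if !vc.UseFixedVersions`, and nothing visible here populates `vc.HelmConfig`. With the chart repository now reduced to `cfg.Validator`, the registry has to come from HelmConfig, otherwise applyValidator and readHelmRelease build a repository URL of `/validator` from an empty registry. If the function sets it further down (it continues past the hunk) the comment should say so; otherwise `vc.HelmConfig = &validator.HelmConfig{Registry: cfg.ValidatorHelmRegistry}` next to the Release assignment would mirror what readHelmConfig does interactively.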
@@ -25,23 +23,18 @@ type VsphereConfig struct { // ConfigureVspherePlugin configures the vSphere plugin. func ConfigureVspherePlugin(vc *ValidatorConfig, config VsphereConfig) { - // TODO: properly handle TLS, helm, and air-gap config + // TODO: prompt for chart version if !vc.UseFixedVersions vc.VspherePlugin = &VspherePluginConfig{ Enabled: true, Release: &vapi.HelmRelease{ Chart: vapi.HelmChart{ - Name: cfg.ValidatorPluginVsphere, - Repository: fmt.Sprintf("%s/%s", cfg.ValidatorHelmRepository, cfg.ValidatorPluginVsphere), - Version: cfg.ValidatorChartVersions[cfg.ValidatorPluginVsphere], - InsecureSkipTLSVerify: true, + Name: cfg.ValidatorPluginVsphere, + Repository: cfg.ValidatorPluginVsphere, + Version: cfg.ValidatorChartVersions[cfg.ValidatorPluginVsphere], }, }, - ReleaseSecret: &Secret{ - Name: fmt.Sprintf("validator-helm-release-%s", cfg.ValidatorPluginVsphere), - BasicAuth: &BasicAuth{}, - }, Account: &vsphere.CloudAccount{ - Insecure: true, + Insecure: true, // TODO: get this from VsphereConfig Username: config.Username, Password: config.Password, VcenterServer: config.VcenterServer, diff --git a/pkg/config/constants.go b/pkg/config/constants.go index 2d72c342..95aa0cfe 100644 --- a/pkg/config/constants.go +++ b/pkg/config/constants.go @@ -21,9 +21,10 @@ const ( // Validator constants ValidatorConfigFile = "validator.yaml" ValidatorKindClusterName = "validator-kind-cluster" - ValidatorHelmRepository = "https://validator-labs.github.io" + ValidatorHelmRegistry = "https://validator-labs.github.io" ValidatorImageRegistry = "quay.io" ValidatorImageRepository = "validator-labs" + ValidatorHelmReleaseName = "validator-helm-release" ValidatorPluginAws = "validator-plugin-aws" ValidatorPluginAzure = "validator-plugin-azure" diff --git a/pkg/config/versions.go b/pkg/config/versions.go index aa118b47..de63ce08 100644 --- a/pkg/config/versions.go +++ b/pkg/config/versions.go 
@@ -2,7 +2,7 @@ package config // ValidatorChartVersions is a map of validator component names to their respective versions var ValidatorChartVersions = map[string]string{ - Validator: "v0.0.50", + Validator: "v0.1.0", ValidatorPluginAws: "v0.1.2", ValidatorPluginAzure: "v0.0.14", ValidatorPluginNetwork: "v0.0.21", diff --git a/pkg/services/validator/aws.go b/pkg/services/validator/aws.go index 5e35dbe1..df46002b 100644 --- a/pkg/services/validator/aws.go +++ b/pkg/services/validator/aws.go @@ -34,7 +34,7 @@ func readAwsPlugin(vc *components.ValidatorConfig, k8sClient kubernetes.Interfac var err error c := vc.AWSPlugin - if err := readHelmRelease(cfg.ValidatorPluginAws, k8sClient, vc, c.Release, c.ReleaseSecret); err != nil { + if err := readHelmRelease(cfg.ValidatorPluginAws, vc, c.Release); err != nil { return err } diff --git a/pkg/services/validator/aws_test.go b/pkg/services/validator/aws_test.go index e4856711..23fcd167 100644 --- a/pkg/services/validator/aws_test.go +++ b/pkg/services/validator/aws_test.go @@ -16,6 +16,7 @@ import ( ) var awsDummyConfig = &components.ValidatorConfig{ + HelmConfig: &v1alpha1.HelmConfig{}, RegistryConfig: &components.RegistryConfig{ Enabled: false, }, @@ -23,7 +24,6 @@ var awsDummyConfig = &components.ValidatorConfig{ Release: &v1alpha1.HelmRelease{ Chart: v1alpha1.HelmChart{}, }, - ReleaseSecret: &components.Secret{}, Validator: &aws.AwsValidatorSpec{ Auth: aws.AwsAuth{}, }, @@ -47,9 +47,7 @@ func Test_readAwsPlugin(t *testing.T) { name: "Fail - no rules", vc: deepcopy.Copy(awsDummyConfig).(*components.ValidatorConfig), returnVals: []string{ - cfg.ValidatorHelmRepository, // validator-plugin-aws helm chart repo cfg.ValidatorChartVersions[cfg.ValidatorPluginAws], // validator-plugin-aws helm chart version - "y", // Re-use validator chart security configuration "y", // use implicit auth "", // service account name "us-east-1", // region 
diff --git a/pkg/services/validator/azure.go b/pkg/services/validator/azure.go index 326649f8..2ca2235e 100644 --- a/pkg/services/validator/azure.go +++ b/pkg/services/validator/azure.go @@ -32,7 +32,7 @@ var ( func readAzurePlugin(vc *components.ValidatorConfig, k8sClient kubernetes.Interface) error { c := vc.AzurePlugin - if err := readHelmRelease(cfg.ValidatorPluginAzure, k8sClient, vc, c.Release, c.ReleaseSecret); err != nil { + if err := readHelmRelease(cfg.ValidatorPluginAzure, vc, c.Release); err != nil { return fmt.Errorf("failed to read Helm release: %w", err) } diff --git a/pkg/services/validator/common.go b/pkg/services/validator/common.go index bed8fbf9..3c74611c 100644 --- a/pkg/services/validator/common.go +++ b/pkg/services/validator/common.go @@ -9,7 +9,6 @@ import ( "strings" "emperror.dev/errors" - "github.com/mohae/deepcopy" "k8s.io/client-go/kubernetes" "k8s.io/helm/pkg/repo" "sigs.k8s.io/yaml" 
@@ -25,92 +24,39 @@ import ( var errNoRulesEnabled = errors.New("no validation rules enabled") -func readHelmRelease(name string, k8sClient kubernetes.Interface, vc *components.ValidatorConfig, r *vapi.HelmRelease, rs *components.Secret) error { - log.Header(fmt.Sprintf("%s Helm Chart Configuration", name)) +func readHelmConfig(name string, k8sClient kubernetes.Interface, vc *components.ValidatorConfig, rs *components.Secret) error { var err error - defaultRepo := fmt.Sprintf("%s/%s", cfg.ValidatorHelmRepository, name) - defaultVersion := "" - if r != nil && r.Chart.Repository != "" { - defaultRepo = r.Chart.Repository - defaultVersion = r.Chart.Version - } - - r.Chart.Name = name rs.Name = fmt.Sprintf("validator-helm-release-%s", name) - if vc.RegistryConfig.Enabled { - r.Chart.Repository = vc.RegistryConfig.Registry.ChartEndpoint() - log.InfoCLI("Using helm repository: %s", vc.RegistryConfig.Registry.ChartEndpoint()) - } else { - r.Chart.Repository, err = prompts.ReadText(fmt.Sprintf("%s Helm repository", name), defaultRepo, false, -1) - if err != nil { - return err - } - } - - if vc.UseFixedVersions { - r.Chart.Version = cfg.ValidatorChartVersions[name] - log.InfoCLI("Using fixed version: %s for %s chart", r.Chart.Version, r.Chart.Name) - } else { - versionPrompt := fmt.Sprintf("%s version", name) - availableVersions, err := getReleasesFromHelmRepo(r.Chart.Repository) - // Ignore error and fall back to reading version from the command line. - // Errors may occur in air-gapped environments or misconfigured helm repos. - if err != nil { - log.InfoCLI("Failed to fetch chart versions from Helm repo due to error: %v. 
Falling back to manual input.", err) - } - if availableVersions != nil { - r.Chart.Version, err = prompts.Select(versionPrompt, availableVersions) - if err != nil { - return err - } - } else { - r.Chart.Version, err = prompts.ReadSemVer(versionPrompt, defaultVersion, "invalid Helm version") - if err != nil { - return err - } - } - } - - return readHelmCredentials(r, rs, k8sClient, vc) -} - -func readHelmCredentials(r *vapi.HelmRelease, rs *components.Secret, k8sClient kubernetes.Interface, vc *components.ValidatorConfig) error { - copyChart := false - var err error - - if vc.Release != nil && r.Chart.Name != cfg.Validator { - copyChart, err = prompts.ReadBool("Re-use security configuration from validator chart", true) - if err != nil { - return err + rc := vc.RegistryConfig + vc.HelmConfig = rc.ToHelmConfig() + + log.InfoCLI("Using helm registry: %s", vc.HelmConfig.Registry) + if rc.BasicAuthEnabled() { + rs.Name = cfg.ValidatorHelmReleaseName + rs.BasicAuth.Username = rc.Registry.BasicAuth.Username + rs.BasicAuth.Password = rc.Registry.BasicAuth.Password } - } - if copyChart { - rsCp := deepcopy.Copy(vc.ReleaseSecret).(*components.Secret) - *rs = *rsCp - r.Chart.AuthSecretName = vc.Release.Chart.AuthSecretName - r.Chart.CAFile = vc.Release.Chart.CAFile - r.Chart.InsecureSkipTLSVerify = vc.Release.Chart.InsecureSkipTLSVerify return nil } - if rs.BasicAuth == nil { - rs.BasicAuth = &components.BasicAuth{} + vc.HelmConfig.Registry, err = prompts.ReadText("Helm registry", cfg.ValidatorHelmRegistry, false, -1) + if err != nil { + return err } - insecure, err := prompts.ReadBool("Allow Insecure Connection (Bypass x509 Verification)", true) + vc.HelmConfig.InsecureSkipTLSVerify, err = prompts.ReadBool("Allow Insecure Connection (Bypass x509 Verification)", true) if err != nil { return err } - if !insecure { - rs.CaCertFile, _, _, err = prompts.ReadCACert("Helm repository CA certificate filepath", rs.CaCertFile, "") + + if !vc.HelmConfig.InsecureSkipTLSVerify { + 
vc.HelmConfig.CAFile, _, _, err = prompts.ReadCACert("Helm repository CA certificate filepath", vc.HelmConfig.CAFile, "") if err != nil { return err } - r.Chart.CAFile = rs.CaCertFile } - r.Chart.InsecureSkipTLSVerify = insecure useBasicAuth, err := prompts.ReadBool("Configure Helm basic authentication", false) if err != nil { @@ -151,7 +97,41 @@ func readHelmCredentials(r *vapi.HelmRelease, rs *components.Secret, k8sClient k // Helm credentials and/or CA cert provided if rs.BasicAuth.Username != "" || rs.BasicAuth.Password != "" || rs.CaCertFile != "" { - r.Chart.AuthSecretName = rs.Name + vc.HelmConfig.AuthSecretName = rs.Name + } + + return nil +} + +func readHelmRelease(name string, vc *components.ValidatorConfig, c *vapi.HelmRelease) error { + log.Header(fmt.Sprintf("%s Helm Chart Configuration", name)) + + c.Chart.Name = name + c.Chart.Repository = name + repoURL := fmt.Sprintf("%s/%s", vc.HelmConfig.Registry, c.Chart.Repository) + + if vc.UseFixedVersions { + c.Chart.Version = cfg.ValidatorChartVersions[name] + log.InfoCLI("Using fixed version: %s for %s chart", c.Chart.Version, repoURL) + } else { + versionPrompt := fmt.Sprintf("%s version", name) + availableVersions, err := getReleasesFromHelmRepo(repoURL) + // Ignore error and fall back to reading version from the command line. + // Errors may occur in air-gapped environments or misconfigured helm repos. + if err != nil { + log.InfoCLI("Failed to fetch chart versions from Helm repo due to error: %v. Falling back to manual input.", err) + } + if availableVersions != nil { + c.Chart.Version, err = prompts.Select(versionPrompt, availableVersions) + if err != nil { + return err + } + } else { + c.Chart.Version, err = prompts.ReadSemVer(versionPrompt, c.Chart.Version, "invalid Helm version") + if err != nil { + return err + } + } } return nil diff --git a/pkg/services/validator/network.go b/pkg/services/validator/network.go index 7bd2913e..2db335e3 100644 --- a/pkg/services/validator/network.go 
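Review bot: The `if rs.BasicAuth == nil { rs.BasicAuth = &components.BasicAuth{} }` guard is removed from the prompt path, but the registry path writes `rs.BasicAuth.Username`/`Password` directly and the -151 hunk still reads `rs.BasicAuth.Username != ""`, so a ReleaseSecret whose basicAuth block is nil now panics; restoring the guard right after `rs.Name = fmt.Sprintf(...)` covers both paths. The CA path has also moved: `prompts.ReadCACert` now writes `vc.HelmConfig.CAFile` and nothing visible sets `rs.CaCertFile`, neither here nor from `rc.Registry.CACert` in the registry path, while the -151 hunk still keys `AuthSecretName` on `rs.CaCertFile != ""`; unless the lines between the two hunks copy it, a CA-only configuration no longer reaches the release secret, and `rs.CaCertFile = vc.HelmConfig.CAFile` after the ReadCACert call would close that gap. The "Allow Insecure Connection" prompt keeps its `true` default, which the old code shared, but its answer now becomes the TLS setting for every chart fetch rather than one release, so `false` would be the safer default. readHelmConfig continues between this hunk and the next.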
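Review bot: `repoURL := fmt.Sprintf("%s/%s", vc.HelmConfig.Registry, c.Chart.Repository)` joins the user-entered registry and the chart name with a bare "/", and the ReadText prompt in readHelmConfig does not normalise its input, so a registry typed with a trailing slash yields `https://host//validator` for getReleasesFromHelmRepo (applyValidator's OCI ref does the same join). `strings.TrimSuffix(vc.HelmConfig.Registry, "/")` at the join, or once where the registry is read, avoids that. readHelmRelease also dereferences `vc.HelmConfig` unconditionally; if that field can be nil for callers that skip readHelmConfig, a nil check belongs here too. The function's closing brace lies outside the hunk.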
+++ b/pkg/services/validator/network.go @@ -4,10 +4,10 @@ import ( "reflect" "strings" - network "github.com/validator-labs/validator-plugin-network/api/v1alpha1" "k8s.io/client-go/kubernetes" "github.com/spectrocloud-labs/prompts-tui/prompts" + network "github.com/validator-labs/validator-plugin-network/api/v1alpha1" "github.com/validator-labs/validatorctl/pkg/components" cfg "github.com/validator-labs/validatorctl/pkg/config" @@ -18,10 +18,10 @@ type networkRule interface { *network.DNSRule | *network.ICMPRule | *network.IPRangeRule | *network.MTURule | *network.TCPConnRule | *network.HTTPFileRule } -func readNetworkPlugin(vc *components.ValidatorConfig, k8sClient kubernetes.Interface) error { +func readNetworkPlugin(vc *components.ValidatorConfig, _ kubernetes.Interface) error { c := vc.NetworkPlugin - if err := readHelmRelease(cfg.ValidatorPluginNetwork, k8sClient, vc, c.Release, c.ReleaseSecret); err != nil { + if err := readHelmRelease(cfg.ValidatorPluginNetwork, vc, c.Release); err != nil { return err } diff --git a/pkg/services/validator/network_test.go b/pkg/services/validator/network_test.go index 2e651e41..59233825 100644 --- a/pkg/services/validator/network_test.go +++ b/pkg/services/validator/network_test.go @@ -16,6 +16,7 @@ import ( ) var networkDummyConfig = &components.ValidatorConfig{ + HelmConfig: &v1alpha1.HelmConfig{}, RegistryConfig: &components.RegistryConfig{ Enabled: false, }, @@ -23,8 +24,7 @@ var networkDummyConfig = &components.ValidatorConfig{ Release: &v1alpha1.HelmRelease{ Chart: v1alpha1.HelmChart{}, }, - ReleaseSecret: &components.Secret{}, - Validator: &network.NetworkValidatorSpec{}, + Validator: &network.NetworkValidatorSpec{}, }, Release: &v1alpha1.HelmRelease{ Chart: v1alpha1.HelmChart{}, 
@@ -45,9 +45,7 @@ func Test_readNetworkPlugin(t *testing.T) { name: "Fail - no rules", vc: deepcopy.Copy(networkDummyConfig).(*components.ValidatorConfig), returnVals: []string{ - cfg.ValidatorHelmRepository, // validator-plugin-network helm chart repo cfg.ValidatorChartVersions[cfg.ValidatorPluginNetwork], // validator-plugin-network helm chart version - "y", // Re-use validator chart security configuration "n", // enable DNS validation "n", // enable ICMP validation "n", // enable IP range validation diff --git a/pkg/services/validator/oci.go b/pkg/services/validator/oci.go index 22f56612..942682fa 100644 --- a/pkg/services/validator/oci.go +++ b/pkg/services/validator/oci.go @@ -21,7 +21,7 @@ const notApplicable = "N/A" func readOciPlugin(vc *components.ValidatorConfig, k8sClient kubernetes.Interface) error { c := vc.OCIPlugin - if err := readHelmRelease(cfg.ValidatorPluginOci, k8sClient, vc, c.Release, c.ReleaseSecret); err != nil { + if err := readHelmRelease(cfg.ValidatorPluginOci, vc, c.Release); err != nil { return err } diff --git a/pkg/services/validator/validator_service.go b/pkg/services/validator/validator_service.go index 9b2b6fb7..0e0fa49b 100644 --- a/pkg/services/validator/validator_service.go +++ b/pkg/services/validator/validator_service.go @@ -74,12 +74,18 @@ func ReadValidatorConfig(c *cfg.Config, tc *cfg.TaskConfig, vc *components.Valid return err } + log.Header("Helm Configuration") + if err := readHelmConfig(cfg.Validator, k8sClient, vc, vc.ReleaseSecret); err != nil { + return err + } + log.Header("Sink Configuration") if err := readSinkConfig(vc, k8sClient); err != nil { return err } - if err := readHelmRelease(cfg.Validator, k8sClient, vc, vc.Release, vc.ReleaseSecret); err != nil { + // Configure validator HelmRelease + if err := readHelmRelease(cfg.Validator, vc, vc.Release); err != nil { return err } 
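Review bot: The new `readHelmConfig` call in `ReadValidatorConfig` collects the registry, CA file, insecure flag and basic-auth secret once, and `readHelmRelease` then derives every plugin chart's repository from `vc.HelmConfig.Registry`, so a single "allow insecure connection" answer now disables certificate verification for all chart pulls rather than one; nothing at this call site says that. A comment above the call, `// Helm registry, TLS and auth settings are shared by the validator chart and every plugin chart`, would make the blast radius of the insecure prompt explicit to the next maintainer, and the same wording belongs in the prompt text if it is not already there. The function continues outside the hunk.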
@@ -183,30 +189,21 @@ func UpdateValidatorCredentials(c *components.ValidatorConfig) error { } } - if err := readHelmCredentials(c.Release, c.ReleaseSecret, k8sClient, c); err != nil { + if err := readHelmConfig(cfg.Validator, k8sClient, c, c.ReleaseSecret); err != nil { return err } if c.AWSPlugin != nil && c.AWSPlugin.Enabled { - if err := readHelmCredentials(c.AWSPlugin.Release, c.AWSPlugin.ReleaseSecret, k8sClient, c); err != nil { - return err - } if err := readAwsCredentials(c.AWSPlugin, k8sClient); err != nil { return err } } if c.AzurePlugin != nil && c.AzurePlugin.Enabled { - if err := readHelmCredentials(c.AzurePlugin.Release, c.AzurePlugin.ReleaseSecret, k8sClient, c); err != nil { - return err - } if err := readAzureCredentials(c.AzurePlugin, k8sClient); err != nil { return err } } if c.OCIPlugin != nil && c.OCIPlugin.Enabled { - if err := readHelmCredentials(c.OCIPlugin.Release, c.OCIPlugin.ReleaseSecret, k8sClient, c); err != nil { - return err - } for _, secret := range c.OCIPlugin.Secrets { if err := readOciSecret(secret); err != nil { return err @@ -214,9 +211,6 @@ func UpdateValidatorCredentials(c *components.ValidatorConfig) error { } } if c.VspherePlugin != nil && c.VspherePlugin.Enabled { - if err = readHelmCredentials(c.VspherePlugin.Release, c.VspherePlugin.ReleaseSecret, k8sClient, c); err != nil { - return err - } if err := readVsphereCredentials(c.VspherePlugin, k8sClient); err != nil { return err } diff --git a/pkg/services/validator/vmware.go b/pkg/services/validator/vmware.go index 69e0c6b7..23b9f254 100644 --- a/pkg/services/validator/vmware.go +++ b/pkg/services/validator/vmware.go 
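Review bot: With the per-plugin `readHelmCredentials` calls removed, the single `readHelmConfig(cfg.Validator, k8sClient, c, c.ReleaseSecret)` call now rotates the Helm basic-auth credentials for every plugin chart at once, a behaviour change from the previous per-release secrets that the code does not announce; a comment such as `// Helm credentials are shared by all charts; updating them here rotates them for every plugin` above the call would record that. Existing config files that still carry a per-plugin `helmReleaseSecret` block (the test fixture did before this change) will presumably have those values silently ignored on load, so a one-time warning when such a block is encountered would let operators notice that a plugin-specific credential is no longer in effect. The function starts outside the hunk.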
@@ -49,7 +49,7 @@ func readVspherePlugin(vc *components.ValidatorConfig, k8sClient kubernetes.Inte ctx, cancel := context.WithCancel(context.Background()) defer cancel() - if err := readHelmRelease(cfg.ValidatorPluginVsphere, k8sClient, vc, c.Release, c.ReleaseSecret); err != nil { + if err := readHelmRelease(cfg.ValidatorPluginVsphere, vc, c.Release); err != nil { return err } diff --git a/pkg/services/validator/vmware_test.go b/pkg/services/validator/vmware_test.go index 2cf9f76d..8b6e9e1c 100644 --- a/pkg/services/validator/vmware_test.go +++ b/pkg/services/validator/vmware_test.go @@ -18,6 +18,7 @@ import ( ) var vSphereDummyConfig = &components.ValidatorConfig{ + HelmConfig: &v1alpha1.HelmConfig{}, RegistryConfig: &components.RegistryConfig{ Enabled: false, }, @@ -25,9 +26,8 @@ var vSphereDummyConfig = &components.ValidatorConfig{ Release: &v1alpha1.HelmRelease{ Chart: v1alpha1.HelmChart{}, }, - ReleaseSecret: &components.Secret{}, - Account: &vsphere.CloudAccount{}, - Validator: &vsphereapi.VsphereValidatorSpec{}, + Account: &vsphere.CloudAccount{}, + Validator: &vsphereapi.VsphereValidatorSpec{}, }, Release: &v1alpha1.HelmRelease{ Chart: v1alpha1.HelmChart{}, @@ -68,9 +68,7 @@ func Test_readVspherePlugin(t *testing.T) { name: "Fail - no rules", vc: deepcopy.Copy(vSphereDummyConfig).(*components.ValidatorConfig), returnVals: []string{ - cfg.ValidatorHelmRepository, // validator-plugin-vsphere helm chart repo cfg.ValidatorChartVersions[cfg.ValidatorPluginVsphere], // validator-plugin-vsphere helm chart version - "y", // Re-use validator chart security configuration "vsphere-creds", // vSphere secret name "fake.vsphere.com", // vSphere domain "bob@vsphere.com", // vSphere username diff --git a/tests/integration/_validator/testcases/data/validator.yaml b/tests/integration/_validator/testcases/data/validator.yaml index 367ee4cb..4bd49c5a 100644 --- a/tests/integration/_validator/testcases/data/validator.yaml 
+++ b/tests/integration/_validator/testcases/data/validator.yaml @@ -1,21 +1,36 @@ +helmConfig: + registry: https://validator-labs.github.io + insecureSkipVerify: false helmRelease: chart: name: validator - repository: https://validator-labs.github.io/validator - version: v0.0.50 - insecureSkipVerify: true + repository: validator + version: v0.1.0 values: "" helmReleaseSecret: - name: "" - caCertFile: "" + name: validator-helm-release-validator + basicAuth: + username: "" + password: "" exists: false -imageRegistry: quay.io/validator-labs -useFixedVersion: false -registryConfig: - enabled: false kindConfig: useKindCluster: true kindClusterName: "" +registryConfig: + enabled: false + registry: + host: "" + port: 0 + basicAuth: + username: "" + password: "" + insecureSkipTLSVerify: false + caCert: + data: "" + name: "" + path: "" + baseContentPath: "" + isAirgapped: false sinkConfig: enabled: true createSecret: true @@ -30,25 +45,22 @@ sinkConfig: proxyConfig: enabled: false env: + podCIDR: 172.16.0.0/20 proxyCaCert: data: "" name: "" path: "" - podCIDR: 172.16.0.0/20 serviceIPRange: 10.155.0.0/24 +imageRegistry: quay.io/validator-labs +useFixedVersions: false awsPlugin: enabled: true helmRelease: chart: name: validator-plugin-aws - repository: https://validator-labs.github.io/validator-plugin-aws + repository: validator-plugin-aws version: v0.1.2 - insecureSkipVerify: true values: "" - helmReleaseSecret: - name: "" - caCertFile: "" - exists: false accessKeyId: a0XCQd+Emx7/bwAaTyY13ipTRychb4MiQw== secretAccessKey: IrGIW8FPVuOxVDRWQUdTa22SDf1MQ2PBw0kdngVq+w== validator: @@ -160,14 +172,9 @@ networkPlugin: helmRelease: chart: name: validator-plugin-network - repository: https://validator-labs.github.io/validator-plugin-network + repository: validator-plugin-network version: v0.0.21 - insecureSkipVerify: true values: "" - helmReleaseSecret: - name: "" - caCertFile: "" - exists: false validator: dnsRules: - name: resolve foo 
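Review bot: `helmReleaseSecret.basicAuth.password` and `registryConfig.registry.basicAuth.password` are added as plain string fields in the on-disk config, whereas the plugin credentials further down (`secretAccessKey`, `clientSecret`, the vSphere `password`) appear in an encoded form; if those go through an at-rest protection path, the two new Helm and registry passwords should use the same path, otherwise the config file holds registry credentials in clear text. The two TLS-bypass keys are also spelled differently, `helmConfig.insecureSkipVerify` versus `registryConfig.registry.insecureSkipTLSVerify`, which makes one easy to miss when auditing a config; aligning the names (or documenting both next to each other) would help. This is an integration-test fixture, so the concern is with the schema it reflects rather than these particular values.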
@@ -193,14 +200,9 @@ ociPlugin: helmRelease: chart: name: validator-plugin-oci - repository: https://validator-labs.github.io/validator-plugin-oci + repository: validator-plugin-oci version: v0.0.12 - insecureSkipVerify: true values: "" - helmReleaseSecret: - name: "" - caCertFile: "" - exists: false secrets: - name: oci-creds username: user1 @@ -228,14 +230,9 @@ vspherePlugin: helmRelease: chart: name: validator-plugin-vsphere - repository: https://validator-labs.github.io/validator-plugin-vsphere + repository: validator-plugin-vsphere version: v0.0.28 - insecureSkipVerify: true values: "" - helmReleaseSecret: - name: "" - caCertFile: "" - exists: false account: insecure: true password: vn0cCP3U08iqDUwwCgBFWBbfekA+4TTe @@ -526,14 +523,10 @@ azurePlugin: helmRelease: chart: name: validator-plugin-azure - repository: https://validator-labs.github.io/validator-plugin-azure + repository: validator-plugin-azure version: v0.0.14 insecureSkipVerify: true values: "" - helmReleaseSecret: - name: "" - caCertFile: "" - exists: false tenantId: d551b7b1-78ae-43df-9d61-4935c843a454 clientId: d551b7b1-78ae-43df-9d61-4935c843a454 clientSecret: qC9aFbiDg/O2Ef31aqEBrbYXb/I+t+qXA4swfguuEBRRAQ== diff --git a/tests/integration/_validator/testcases/test_validator.go b/tests/integration/_validator/testcases/test_validator.go index d10243af..a8b40b6f 100644 --- a/tests/integration/_validator/testcases/test_validator.go +++ b/tests/integration/_validator/testcases/test_validator.go @@ -113,6 +113,11 @@ func (t *ValidatorTest) testDeployInteractive(ctx *test.TestContext) (tr *test.T // Image registry "quay.io/validator-labs", // validator image registry + // Helm registry + cfg.ValidatorHelmRegistry, // validator helm registry + "y", // allow insecure connection + "n", // configure basic auth + // Sink "y", // Configure a sink "Alertmanager", // Sink type 
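Review bot: The `azurePlugin` chart block keeps `insecureSkipVerify: true` as a context line, while the same key was deleted from the validator, aws, network, oci and vsphere chart blocks in this change and TLS skipping moved to `helmConfig.insecureSkipVerify: false`. If the per-chart field is still honoured, this fixture disables certificate verification for the Azure plugin chart alone; if it is no longer read, it is a stale key that contradicts the new layout. Either way the line should go so the fixture matches the other plugins: drop `insecureSkipVerify: true` under `azurePlugin.helmRelease.chart`.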
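Review bot: The new Helm-registry answers in `testDeployInteractive` reply `"y", // allow insecure connection`, so the interactive deploy test only ever exercises the TLS-bypass path for chart downloads, while the fixture and template default is `insecureSkipVerify: false`. Since `cfg.ValidatorHelmRegistry` points at a public HTTPS endpoint, answering `"n"` here would make CI cover the default, verifying path and catch a regression in CA handling; the insecure path is already covered by `testUpdatePasswords`. The enclosing function continues outside the hunk.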
@@ -121,10 +126,11 @@ func (t *ValidatorTest) testDeployInteractive(ctx *test.TestContext) (tr *test.T "y", // Alertmanager insecureSkipVerify "foo", // Alertmanager username "bar", // Alertmanager password + } tuiSliceVals := [][]string{} - tuiVals = t.baseHelmValues(ctx, tuiVals) + tuiVals = t.validatorValues(ctx, tuiVals) tuiVals, tuiSliceVals = t.awsPluginValues(ctx, tuiVals, tuiSliceVals) tuiVals = t.azurePluginValues(ctx, tuiVals) tuiVals, tuiSliceVals = t.networkPluginValues(ctx, tuiVals, tuiSliceVals) 
@@ -145,57 +151,46 @@ func (t *ValidatorTest) testDeployInteractive(ctx *test.TestContext) (tr *test.T return common.ExecCLI(interactiveCmd, buffer, t.log) } -func (t *ValidatorTest) baseHelmValues(ctx *test.TestContext, tuiVals []string) []string { - baseVals := []string{ - cfg.ValidatorHelmRepository, // validator helm chart repo - "y", // insecure skip verify - "y", // use basic auth - "bob", // release secret username - "dog", // release secret password - } +func (t *ValidatorTest) validatorValues(ctx *test.TestContext, tuiVals []string) []string { if string_utils.IsDevVersion(ctx.Get("version")) { - baseVals = slices.Insert(baseVals, 1, - cfg.ValidatorChartVersions[cfg.Validator], // validator helm chart version - ) + tuiVals = append(tuiVals, cfg.ValidatorChartVersions[cfg.Validator]) // validator helm chart version } - tuiVals = append(tuiVals, baseVals...) + return tuiVals } func (t *ValidatorTest) awsPluginValues(ctx *test.TestContext, vals []string, sliceVals [][]string) ([]string, [][]string) { awsVals := []any{ - "y", // enable AWS plugin - cfg.ValidatorHelmRepository, // validator-plugin-aws helm chart repo - "y", // Re-use validator chart security configuration - "n", // use implicit auth - "aws-creds", // AWS secret name - "secretkey", // AWS Secret Key ID - "secretaccesskey", // AWS Secret Access Key - "", // AWS Session Token - "y", // Configure STS - "arn", // AWS STS Role Arn - "abc", // AWS STS Session Name - "3600", // AWS STS Duration Seconds - "us-west-2", // default region - "y", // enable IAM role validation - "SpectroCloudRole", // IAM role name - "Local Filepath", // Policy Document Source - t.filePath("policy.json"), // Policy Document File - "n", // add another policy document - "n", // add another IAM role rule - "y", // enable IAM user validation - "SpectroCloudUser", // IAM user name - "Local Filepath", // Policy Document Source - t.filePath("policy.json"), // Policy Document File - "n", // add another policy document - "n", // add 
another IAM user rule - "y", // enable IAM group validation - "SpectroCloudGroup", // IAM group name - "Local Filepath", // Policy Document Source - t.filePath("policy.json"), // Policy Document File - "n", // add another policy document - "n", // add another IAM group rule - "y", // enable IAM policy validation + "y", // enable AWS plugin + "n", // use implicit auth + "aws-creds", // AWS secret name + "secretkey", // AWS Secret Key ID + "secretaccesskey", // AWS Secret Access Key + "", // AWS Session Token + "y", // Configure STS + "arn", // AWS STS Role Arn + "abc", // AWS STS Session Name + "3600", // AWS STS Duration Seconds + "us-west-2", // default region + "y", // enable IAM role validation + "SpectroCloudRole", // IAM role name + "Local Filepath", // Policy Document Source + t.filePath("policy.json"), // Policy Document File + "n", // add another policy document + "n", // add another IAM role rule + "y", // enable IAM user validation + "SpectroCloudUser", // IAM user name + "Local Filepath", // Policy Document Source + t.filePath("policy.json"), // Policy Document File + "n", // add another policy document + "n", // add another IAM user rule + "y", // enable IAM group validation + "SpectroCloudGroup", // IAM group name + "Local Filepath", // Policy Document Source + t.filePath("policy.json"), // Policy Document File + "n", // add another policy document + "n", // add another IAM group rule + "y", // enable IAM policy validation "arn:aws:iam::account-num:policy/some-policy", // IAM policy ARN "Local Filepath", // Policy Document Source t.filePath("policy.json"), // Policy Document File 
@@ -229,8 +224,8 @@ func (t *ValidatorTest) awsPluginValues(ctx *test.TestContext, vals []string, sl "n", // add another AMI rule } if string_utils.IsDevVersion(ctx.Get("version")) { - awsVals = append(awsVals[:3], awsVals[2:]...) - awsVals[2] = cfg.ValidatorChartVersions[cfg.ValidatorPluginAws] // validator-plugin-aws helm chart version + awsVals = append(awsVals[:2], awsVals[1:]...) + awsVals[1] = cfg.ValidatorChartVersions[cfg.ValidatorPluginAws] // validator-plugin-aws helm chart version } return interleave(vals, sliceVals, awsVals) } @@ -238,10 +233,6 @@ func (t *ValidatorTest) awsPluginValues(ctx *test.TestContext, vals []string, sl func (t *ValidatorTest) azurePluginValues(ctx *test.TestContext, tuiVals []string) []string { azureVals := []string{ "y", // enable plugin - cfg.ValidatorHelmRepository, // helm chart repo - "n", // Re-use validator chart security configuration - "y", // insecure skip verify - "n", // use basic auth "n", // implicit plugin auth "azure-creds", // k8s secret name "d551b7b1-78ae-43df-9d61-4935c843a454", // tenant id @@ -254,7 +245,7 @@ func (t *ValidatorTest) azurePluginValues(ctx *test.TestContext, tuiVals []strin "n", // add RBAC rule } if string_utils.IsDevVersion(ctx.Get("version")) { - azureVals = slices.Insert(azureVals, 2, + azureVals = slices.Insert(azureVals, 1, cfg.ValidatorChartVersions[cfg.ValidatorPluginAzure], // validator-plugin-azure helm chart version ) } @@ -265,8 +256,6 @@ func (t *ValidatorTest) azurePluginValues(ctx *test.TestContext, tuiVals []strin func (t *ValidatorTest) networkPluginValues(ctx *test.TestContext, vals []string, sliceVals [][]string) ([]string, [][]string) { networkVals := []any{ "y", // enable Network plugin - cfg.ValidatorHelmRepository, // validator-plugin-network helm chart repo - "y", // Re-use validator chart security configuration "y", // enable DNS validation "resolve foo", // DNS rule name "foo", // DNS host 
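Review bot: The dev-version branch of `awsPluginValues` inserts the chart version with `awsVals = append(awsVals[:2], awsVals[1:]...)` followed by an overwrite of index 1, a shift-and-overwrite idiom that relies on `append` copying overlapping slices and is easy to get off by one when the prompt order changes again (this hunk had to move it from index 2 to 1). The sibling azure, oci and vsphere branches already use `slices.Insert(vals, 1, ...)`, which works just as well for `[]any`: `awsVals = slices.Insert(awsVals, 1, any(cfg.ValidatorChartVersions[cfg.ValidatorPluginAws]))`. The network branch further down uses the same append idiom and could be changed the same way.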
@@ -308,41 +297,39 @@ func (t *ValidatorTest) networkPluginValues(ctx *test.TestContext, vals []string "n", // add another CA cert secret ref } if string_utils.IsDevVersion(ctx.Get("version")) { - networkVals = append(networkVals[:3], networkVals[2:]...) - networkVals[2] = cfg.ValidatorChartVersions[cfg.ValidatorPluginNetwork] // validator-plugin-network helm chart version + networkVals = append(networkVals[:2], networkVals[1:]...) + networkVals[1] = cfg.ValidatorChartVersions[cfg.ValidatorPluginNetwork] // validator-plugin-network helm chart version } return interleave(vals, sliceVals, networkVals) } func (t *ValidatorTest) ociPluginValues(ctx *test.TestContext, tuiVals []string) []string { ociVals := []string{ - "y", // enable OCI plugin - cfg.ValidatorHelmRepository, // validator-plugin-oci helm chart repo - "y", // Re-use validator chart security configuration - "y", // add registry credentials - "oci-creds", // secret name - "y", // configure basic auth - "user1", // username - "pa$$w0rd", // password - "n", // skip adding env vars - "n", // add another registry credential - "y", // add signature verification secret - "cosign-pubkeys", // secret name - t.filePath("cosign.pub"), // public key file - "n", // add another public key to this secret - "n", // add another signature verification secret - "public ecr registry", // rule name - "public.ecr.aws", // registry host - "N/A", // registry auth secret name - "u5n5j0b4/oci-test-public", // artifact ref - "n", // enable full layer validation - "n", // add another artifact - "N/A", // signature verification secret name - "", // ca certificate - "n", // add another registry rule + "y", // enable OCI plugin + "y", // add registry credentials + "oci-creds", // secret name + "y", // configure basic auth + "user1", // username + "pa$$w0rd", // password + "n", // skip adding env vars + "n", // add another registry credential + "y", // add signature verification secret + "cosign-pubkeys", // secret name + 
t.filePath("cosign.pub"), // public key file + "n", // add another public key to this secret + "n", // add another signature verification secret + "public ecr registry", // rule name + "public.ecr.aws", // registry host + "N/A", // registry auth secret name + "u5n5j0b4/oci-test-public", // artifact ref + "n", // enable full layer validation + "n", // add another artifact + "N/A", // signature verification secret name + "", // ca certificate + "n", // add another registry rule } if string_utils.IsDevVersion(ctx.Get("version")) { - ociVals = slices.Insert(ociVals, 2, + ociVals = slices.Insert(ociVals, 1, cfg.ValidatorChartVersions[cfg.ValidatorPluginOci], // validator-plugin-oci helm chart version ) } @@ -353,8 +340,6 @@ func (t *ValidatorTest) ociPluginValues(ctx *test.TestContext, tuiVals []string) func (t *ValidatorTest) vspherePluginValues(ctx *test.TestContext, tuiVals []string) []string { vsphereVals := []string{ "y", // enable vsphere plugin - cfg.ValidatorHelmRepository, // validator-plugin-vsphere helm chart repo - "y", // Re-use validator chart security configuration "vsphere-creds", // vSphere secret name "fake.vsphere.com", // vSphere domain "bob@vsphere.com", // vSphere username @@ -416,7 +401,7 @@ func (t *ValidatorTest) vspherePluginValues(ctx *test.TestContext, tuiVals []str "n", // add another tag rule } if string_utils.IsDevVersion(ctx.Get("version")) { - vsphereVals = slices.Insert(vsphereVals, 2, + vsphereVals = slices.Insert(vsphereVals, 1, cfg.ValidatorChartVersions[cfg.ValidatorPluginVsphere], // validator-plugin-vsphere helm chart version ) } 
@@ -471,17 +456,14 @@ func (t *ValidatorTest) testUpdatePasswords() (tr *test.TestResult) { prompts.Tui = &tuimocks.MockTUI{ Values: []string{ - // Validator - "y", // Allow Insecure Connection (Bypass x509 Verification) - "y", // Use Helm basic auth - "validator-secret", // Helm secret name - "admin", // Helm username - "welcome", // Helm password + // Helm config + cfg.ValidatorHelmRegistry, // Helm registry + "y", // Allow Insecure Connection (Bypass x509 Verification) + "y", // Use Helm basic auth + "admin", // Helm username + "welcome", // Helm password // AWS validator - "n", // Re-use validator chart security configuration - "y", // Allow Insecure Connection (Bypass x509 Verification) - "n", // Use Helm basic auth "n", // Use implicit AWS auth "aws-creds", // AWS credentials secret name "abc", // AWS Access Key @@ -490,7 +472,6 @@ func (t *ValidatorTest) testUpdatePasswords() (tr *test.TestResult) { "n", // Use STS // Azure validator - "y", // Re-use validator chart security configuration "n", // Use implicit Azure auth "azure-creds", // Azure credentials secret name "d551b7b1-78ae-43df-9d61-4935c843a454", // Azure Tenant ID @@ -498,9 +479,6 @@ func (t *ValidatorTest) testUpdatePasswords() (tr *test.TestResult) { "test_azure_client_secret", // Azure Client Secret // OCI validator - "n", // Re-use validator chart security configuration - "y", // Allow Insecure Connection (Bypass x509 Verification) - "n", // Use Helm basic auth "y", // Add basic auth credentials "user2", // Registry username "password2", // Registry password @@ -510,7 +488,6 @@ func (t *ValidatorTest) testUpdatePasswords() (tr *test.TestResult) { "n", // Add another environment variable // vSphere validator - "y", // Re-use validator chart security configuration "vsphere-creds", // vSphere credentials secret name "vcenter.test.dev", // vSphere endpoint "bob@vsphere.com", // vSphere username