Merge pull request #1924 from kubearmor/fix-operator-bug-dec-24

achrefbensaad · web-flow · commit 3dee887ff00a · 2024-12-21T15:54:07.000+01:00
Fix operator bug dec 24
diff --git a/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml b/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.5
   name: kubearmorconfigs.operator.kubearmor.com
 spec:
   group: operator.kubearmor.com
@@ -43,6 +43,33 @@ spec:
           spec:
             description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig
             properties:
+              adapters:
+                properties:
+                  elasticsearch:
+                    properties:
+                      alertsIndex:
+                        type: string
+                      auth:
+                        properties:
+                          allowInsecureTLS:
+                            type: boolean
+                          caCertKey:
+                            type: string
+                          caCertSecretName:
+                            type: string
+                          passwordKey:
+                            type: string
+                          secretName:
+                            type: string
+                          usernameKey:
+                            type: string
+                        type: object
+                      enabled:
+                        type: boolean
+                      url:
+                        type: string
+                    type: object
+                type: object
               alertThrottling:
                 type: boolean
               defaultCapabilitiesPosture:
diff --git a/deployments/operator/operator.yaml b/deployments/operator/operator.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.5
   name: kubearmorconfigs.operator.kubearmor.com
 spec:
   group: operator.kubearmor.com
@@ -42,6 +42,33 @@ spec:
           spec:
             description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig
             properties:
+              adapters:
+                properties:
+                  elasticsearch:
+                    properties:
+                      alertsIndex:
+                        type: string
+                      auth:
+                        properties:
+                          allowInsecureTLS:
+                            type: boolean
+                          caCertKey:
+                            type: string
+                          caCertSecretName:
+                            type: string
+                          passwordKey:
+                            type: string
+                          secretName:
+                            type: string
+                          usernameKey:
+                            type: string
+                        type: object
+                      enabled:
+                        type: boolean
+                      url:
+                        type: string
+                    type: object
+                type: object
               alertThrottling:
                 type: boolean
               defaultCapabilitiesPosture:
diff --git a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go
@@ -39,6 +39,26 @@ type RecommendedPolicies struct {
 	ExcludePolicy []string `json:"excludePolicy,omitempty"`
 }
 
+type ElasticSearchAuth struct {
+	SecretName       string `json:"secretName,omitempty"`
+	UserNameKey      string `json:"usernameKey,omitempty"`
+	PasswordKey      string `json:"passwordKey,omitempty"`
+	AllowTlsInsecure bool   `json:"allowInsecureTLS,omitempty"`
+	CAcertSecretName string `json:"caCertSecretName,omitempty"`
+	CaCertKey        string `json:"caCertKey,omitempty"`
+}
+
+type ElasticSearchAdapter struct {
+	Enabled         bool              `json:"enabled,omitempty"`
+	Url             string            `json:"url,omitempty"`
+	AlertsIndexName string            `json:"alertsIndex,omitempty"`
+	Auth            ElasticSearchAuth `json:"auth,omitempty"`
+}
+
+type Adapters struct {
+	ElasticSearch ElasticSearchAdapter `json:"elasticsearch,omitempty"`
+}
+
 // KubeArmorConfigSpec defines the desired state of KubeArmorConfig
 type KubeArmorConfigSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
@@ -80,6 +100,8 @@ type KubeArmorConfigSpec struct {
 	MaxAlertPerSec int `json:"maxAlertPerSec,omitempty"`
 	// +kubebuilder:validation:Optional
 	ThrottleSec int `json:"throttleSec,omitempty"`
+	// +kubebuilder:validation:Optional
+	Adapters Adapters `json:"adapters,omitempty"`
 }
 
 // KubeArmorConfigStatus defines the observed state of KubeArmorConfig
diff --git a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/zz_generated.deepcopy.go b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/zz_generated.deepcopy.go
diff --git a/pkg/KubeArmorOperator/common/defaults.go b/pkg/KubeArmorOperator/common/defaults.go
@@ -139,7 +139,26 @@ var (
 			},
 		},
 	}
+
+	Adapter opv1.Adapters = opv1.Adapters{
+		ElasticSearch: opv1.ElasticSearchAdapter{
+			Enabled:         false,
+			Url:             "",
+			AlertsIndexName: "kubearmor-alerts",
+			Auth: opv1.ElasticSearchAuth{
+				SecretName:       "elastic-secret",
+				UserNameKey:      "username",
+				PasswordKey:      "password",
+				AllowTlsInsecure: false,
+				CAcertSecretName: "",
+				CaCertKey:        "ca.crt",
+			},
+		},
+	}
+
+	ElasticSearchAdapterCaCertPath = "/cert"
 )
+var Pointer2True bool = true
 
 var ConfigMapData = map[string]string{
 	ConfigGRPC:                       "32767",
diff --git a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.5
   name: kubearmorconfigs.operator.kubearmor.com
 spec:
   group: operator.kubearmor.com
@@ -43,6 +43,33 @@ spec:
           spec:
             description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig
             properties:
+              adapters:
+                properties:
+                  elasticsearch:
+                    properties:
+                      alertsIndex:
+                        type: string
+                      auth:
+                        properties:
+                          allowInsecureTLS:
+                            type: boolean
+                          caCertKey:
+                            type: string
+                          caCertSecretName:
+                            type: string
+                          passwordKey:
+                            type: string
+                          secretName:
+                            type: string
+                          usernameKey:
+                            type: string
+                        type: object
+                      enabled:
+                        type: boolean
+                      url:
+                        type: string
+                    type: object
+                type: object
               alertThrottling:
                 type: boolean
               defaultCapabilitiesPosture:
diff --git a/pkg/KubeArmorOperator/internal/controller/cluster.go b/pkg/KubeArmorOperator/internal/controller/cluster.go
@@ -472,7 +472,81 @@ func (clusterWatcher *ClusterWatcher) UpdateKubearmorRelayEnv(cfg *opv1.KubeArmo
 				Name:  "ENABLE_STDOUT_MSGS",
 				Value: common.KubearmorRelayEnvMap[common.EnableStdOutMsgs],
 			},
+			{
+				Name:  "ENABLE_DASHBOARDS",
+				Value: strconv.FormatBool(common.Adapter.ElasticSearch.Enabled),
+			},
+			{
+				Name:  "ES_URL",
+				Value: common.Adapter.ElasticSearch.Url,
+			},
+			{
+				Name:  "ES_ALERTS_INDEX",
+				Value: common.Adapter.ElasticSearch.AlertsIndexName,
+			},
+			{
+				Name: "ES_USERNAME",
+				ValueFrom: &corev1.EnvVarSource{
+					SecretKeyRef: &corev1.SecretKeySelector{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: common.Adapter.ElasticSearch.Auth.SecretName,
+						},
+						Key:      common.Adapter.ElasticSearch.Auth.UserNameKey,
+						Optional: &common.Pointer2True,
+					},
+				},
+			},
+			{
+				Name: "ES_PASSWORD",
+				ValueFrom: &corev1.EnvVarSource{
+					SecretKeyRef: &corev1.SecretKeySelector{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: common.Adapter.ElasticSearch.Auth.SecretName,
+						},
+						Key:      common.Adapter.ElasticSearch.Auth.PasswordKey,
+						Optional: &common.Pointer2True,
+					},
+				},
+			},
+		}
+
+		ElasticSearchAdapterCaVolume := []corev1.Volume{
+			{
+				Name: "elastic-ca",
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName: common.Adapter.ElasticSearch.Auth.CAcertSecretName,
+					},
+				},
+			},
+		}
+
+		ElasticSearchAdapterCaVolumeMount := []corev1.VolumeMount{
+			{
+				Name:      "elastic-ca",
+				MountPath: common.ElasticSearchAdapterCaCertPath,
+			},
+		}
+		if common.Adapter.ElasticSearch.Auth.CAcertSecretName != "" {
+			relay.Spec.Template.Spec.Containers[0].Env = append(relay.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+				Name:  "ES_CA_CERT_PATH",
+				Value: common.ElasticSearchAdapterCaCertPath + "/" + common.Adapter.ElasticSearch.Auth.CaCertKey,
+			})
+
+			common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relay.Spec.Template.Spec.Volumes, common.AddAction)
+			common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relay.Spec.Template.Spec.Containers[0].VolumeMounts, common.AddAction)
+		} else {
+			common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relay.Spec.Template.Spec.Volumes, common.DeleteAction)
+			common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relay.Spec.Template.Spec.Containers[0].VolumeMounts, common.DeleteAction)
 		}
+
+		if common.Adapter.ElasticSearch.Auth.AllowTlsInsecure {
+			relay.Spec.Template.Spec.Containers[0].Env = append(relay.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+				Name:  "ES_ALLOW_INSECURE_TLS",
+				Value: "true",
+			})
+		}
+
 		_, err = clusterWatcher.Client.AppsV1().Deployments(common.Namespace).Update(context.Background(), relay, v1.UpdateOptions{})
 		if err != nil {
 			clusterWatcher.Log.Warnf("Cannot update deployment=%s error=%s", deployments.RelayDeploymentName, err.Error())
@@ -955,6 +1029,42 @@ func UpdatedKubearmorRelayEnv(config *opv1.KubeArmorConfigSpec) bool {
 			updated = true
 		}
 	}
+
+	stringEnableElasticAdapter := strconv.FormatBool(config.Adapters.ElasticSearch.Enabled)
+	if stringEnableElasticAdapter != "" {
+		if common.Adapter.ElasticSearch.Enabled != config.Adapters.ElasticSearch.Enabled {
+			updated = true
+			common.Adapter.ElasticSearch.Enabled = config.Adapters.ElasticSearch.Enabled
+		}
+		if common.Adapter.ElasticSearch.Auth.AllowTlsInsecure != config.Adapters.ElasticSearch.Auth.AllowTlsInsecure {
+			updated = true
+			common.Adapter.ElasticSearch.Auth.AllowTlsInsecure = config.Adapters.ElasticSearch.Auth.AllowTlsInsecure
+		}
+		if common.Adapter.ElasticSearch.AlertsIndexName != config.Adapters.ElasticSearch.AlertsIndexName {
+			updated = true
+			common.Adapter.ElasticSearch.AlertsIndexName = config.Adapters.ElasticSearch.AlertsIndexName
+		}
+		if common.Adapter.ElasticSearch.Url != config.Adapters.ElasticSearch.Url {
+			updated = true
+			common.Adapter.ElasticSearch.Url = config.Adapters.ElasticSearch.Url
+		}
+		if config.Adapters.ElasticSearch.Auth.SecretName != "" && common.Adapter.ElasticSearch.Auth.SecretName != config.Adapters.ElasticSearch.Auth.SecretName {
+			updated = true
+			common.Adapter.ElasticSearch.Auth.SecretName = config.Adapters.ElasticSearch.Auth.SecretName
+		}
+		if config.Adapters.ElasticSearch.Auth.UserNameKey != "" && common.Adapter.ElasticSearch.Auth.UserNameKey != config.Adapters.ElasticSearch.Auth.UserNameKey {
+			updated = true
+			common.Adapter.ElasticSearch.Auth.UserNameKey = config.Adapters.ElasticSearch.Auth.UserNameKey
+		}
+		if config.Adapters.ElasticSearch.Auth.PasswordKey != "" && common.Adapter.ElasticSearch.Auth.PasswordKey != config.Adapters.ElasticSearch.Auth.PasswordKey {
+			updated = true
+			common.Adapter.ElasticSearch.Auth.PasswordKey = config.Adapters.ElasticSearch.Auth.PasswordKey
+		}
+		if config.Adapters.ElasticSearch.Auth.CAcertSecretName != "" && common.Adapter.ElasticSearch.Auth.CAcertSecretName != config.Adapters.ElasticSearch.Auth.CAcertSecretName {
+			updated = true
+			common.Adapter.ElasticSearch.Auth.CAcertSecretName = config.Adapters.ElasticSearch.Auth.CAcertSecretName
+		}
+	}
 	return updated
 }
 
diff --git a/pkg/KubeArmorOperator/internal/controller/resources.go b/pkg/KubeArmorOperator/internal/controller/resources.go
