feat: AWS marketplace & EKS add on integration (WIP) #86

Open: wants to merge 81 commits into base: main

81 commits
5842bac
feat: new chart for aws marketplace product. The product supports lic…
Sep 6, 2022
fbc595c
fix: quote productSKU value; add logs for checkout license
Sep 6, 2022
20852b4
refactor: upgrade values.yaml with updated image pushed to aws mp pro…
Sep 6, 2022
ed91e2a
fix: support region, product, fingerprint and debug env variables; re…
Sep 7, 2022
44b1b82
fix: run license cron job on @daily. fix values naming bug
Sep 7, 2022
4012723
fix: upgrade image in aws mp helm chart values
Sep 7, 2022
0ae52ee
fix: remove awsmp-... chart. datree-admission-webhook chart should ho…
Sep 12, 2022
f61c9c7
fix: add * to ignore launch.json file
Sep 12, 2022
32e1e4e
fix: remove ** to ignore launch.json file
Sep 12, 2022
754366a
feat: added validation for value.yaml file
Sep 12, 2022
2beb9fa
fix: combine charts and added values.yaml for each option
Sep 19, 2022
cd9ef82
feat: script for packaging
Sep 19, 2022
17d8e07
fix: added script package for free-datree
Sep 19, 2022
3b5fa6d
feat: added chart
Sep 20, 2022
5ca2d41
fix: accidentally deleted gh-pages values file with awsmp values file. …
Sep 21, 2022
be37723
fix: added aws.values
Sep 21, 2022
916151b
feat: added validation for value.yaml file
Sep 12, 2022
7dcfbbe
fix: combine charts and added values.yaml for each option
Sep 19, 2022
80c87f7
feat: script for packaging
Sep 19, 2022
8cc5a94
fix: added script package for free-datree
Sep 19, 2022
33758ae
feat: added chart
Sep 20, 2022
2eb9637
feat: charts file structure
Sep 20, 2022
7e86a32
fix: move templates to lib template
shmu3l Sep 28, 2022
538ff06
Merge branch 'datree-lib-chart' into DAT-feat-datree-lib-chart
shmu3l Sep 28, 2022
ebab8d6
fix: remove templates use include from lib
shmu3l Sep 28, 2022
9002818
fix: remove templates use include from lib
shmu3l Sep 28, 2022
25ced28
fix: add dynamic webhook server alt name to cert
shmu3l Oct 2, 2022
c7eb9ae
fix: clear datree webhook values and update schema
shmu3l Oct 2, 2022
3a92aac
feat: awsmp datree use datree lib
shmu3l Oct 2, 2022
dc2b784
Merge pull request #99 from datreeio/DAT-awsmp-datree-use-lib
shmu3l Oct 2, 2022
31214ab
fix: awsmp file structure
shmu3l Oct 2, 2022
91ff33e
feat: add release admission webhook script
shmu3l Oct 3, 2022
a3f36c9
fix: release admission webhook
shmu3l Oct 3, 2022
3fa719e
fix: bump chart version
shmu3l Oct 3, 2022
68d2b7f
release chart 0.1.3
shmu3l Oct 3, 2022
9d53630
fix: release admission webhook helm script update
shmu3l Oct 6, 2022
4e8ef26
fix: update .gitignore
Oct 6, 2022
a7c79e8
fix: change messages
Oct 6, 2022
5f2fe54
fix: release admission webhook path scripts
shmu3l Oct 6, 2022
4a16912
fix: release admission webhook path scripts
shmu3l Oct 6, 2022
0aefb7b
fix: release admission webhook path scripts
shmu3l Oct 6, 2022
eb6f8e5
fix: rename script
Oct 6, 2022
ffbccfb
fix: change the order of helm file creations
Oct 6, 2022
6b7605e
fix: remove files
Oct 6, 2022
121fc8c
fix: release file index yaml
Oct 6, 2022
e775214
fix: don't stash pop
Oct 6, 2022
27c833d
feat: certificate alternative names use datree.namespace template.
Oct 18, 2022
5c19e06
fix: bump lib chart version
Oct 18, 2022
3c9e662
Merge pull request #142 from datreeio/DAT-support-certificate-release…
noaabarki Oct 18, 2022
d9dd178
fix: added dynamic namespace installation. Rename chart according to …
Oct 24, 2022
890d179
fix: aligned charts with aws-marketplace ECR repositories.
Nov 3, 2022
19585b5
feat: pull bitnami-kubectl from private ecr registry
Nov 3, 2022
4e04618
fix: updated bitnami in free offer chart
Nov 3, 2022
49aff40
feat: added new binary in cmd folder for init container
Nov 7, 2022
6930693
wip
Nov 8, 2022
c08df99
wip: poc of webhook race condition
Nov 9, 2022
6055484
fix: working product on minikube. NOTE: very slow
Nov 10, 2022
8d1eb85
fix: working version
Nov 13, 2022
976d208
fix: working production version on minikube
Nov 13, 2022
89e7bda
fix: working production version. Minikube. 3minutes sleep time
Nov 13, 2022
674558d
fix: working version ECR repositories on Fargate.
Nov 13, 2022
b986d9b
feat: support uninstall Datree product
Nov 13, 2022
8fd5105
fix: working version in AWS Marketplace. Datree product
Nov 13, 2022
790d488
feat: working version. Datree Free product. version 1.0.1-rc.1
Nov 13, 2022
332ecbd
feat: check for webhook existence, wait for running pods. Refactor
Nov 15, 2022
14277c3
fix: wait for all deployment replicas to be ready. updated ecr images
Nov 15, 2022
811dd1b
fix: update aws mp Chart
Nov 16, 2022
5e6d6d7
fix: remove .vscode launch.json
Nov 16, 2022
acc7591
fix: update Dockerfiles
Nov 16, 2022
64eb1c5
fix: remove comments
Nov 16, 2022
04ace8c
Merge pull request #179 from datreeio/DAT-custom-validation-webhook
noaabarki Nov 16, 2022
b2999c6
test: added tests for cert-generator
Nov 16, 2022
1c47849
test: wip
Nov 20, 2022
74e9c60
test: fixed table testing for k8sClient
Nov 20, 2022
feb8e8d
test: cert-generator tests
Nov 21, 2022
c766a92
fix: structure packages in webhook-init to not use one another, only …
Nov 21, 2022
43a6ea2
fix: updated makefile
Nov 21, 2022
3c0a416
test: ensure empty env variables have defaults
Nov 21, 2022
ddeddfd
fix: bump images versions, working product on minikube.
Nov 21, 2022
0c9ca9d
Merge pull request #92 from datreeio/DAT-feat-datree-lib-chart
noaabarki Nov 21, 2022
08bef3a
Merge pull request #91 from datreeio/DAT-chart-values-validation
noaabarki Nov 21, 2022
fix: support region, product, fingerprint and debug env variables; refactor initK8sMetadata
Noaa Barki authored and Noaa Barki committed Sep 7, 2022
commit ed91e2afaa6ede59bd4c0b896378b7be88139e64
6 changes: 4 additions & 2 deletions .vscode/launch.json
@@ -20,8 +20,10 @@
"args": ["upgrade"],
"buildFlags": "-tags=staging",
"env": {
"AWS_MP_ENABLE_CHECKOUT_LICENSE": "true",
"AWS_MP_PRODUCT_SKU": "ad0ee0c8-f50f-464a-9bc4-d6270592dd36"
"AWS_MP_ENABLE_CHECK_ENTITLEMENT": "true",
"AWS_MP_PRODUCT_ID": "ad0ee0c8-f50f-464a-9bc4-d6270592dd36",
"AWS_MP_KEY_FINGERPRINT": "aws:294406891311:AWS/Marketplace:issuer-fingerprint",
"AWS_MP_REGION": "us-east-1"
}
}
]
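Review bot: this committed editor config carries live environment values (the product ID in `AWS_MP_PRODUCT_ID` and the Marketplace issuer fingerprint in `AWS_MP_KEY_FINGERPRINT`); debugging settings like `.vscode/launch.json` belong outside the repo or should hold placeholders, and the later commits in this PR ("add * to ignore launch.json", "remove .vscode launch.json") suggest that is where it ends up anyway, so consider dropping the file from this change rather than updating it.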
26 changes: 17 additions & 9 deletions charts/awsmp-datree-admission-webhook/templates/deployment.yaml
@@ -49,6 +49,9 @@ spec:
# caution: don't change the order of the environment variables
# changing the order will harm resource patching
env:
- name: DEBUG
value: "{{ .Values.debug }}"
# Datree webhook varaibles
- name: DATREE_TOKEN
value: {{.Values.datree.token}}
- name: DATREE_POLICY
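Review bot: the comment just above (`# caution: don't change the order of the environment variables` / `# changing the order will harm resource patching`) says the env list is positional, yet `DEBUG` is inserted at index 0 and shifts every existing variable by one; either confirm the patching code tolerates this or append `DEBUG` at the end of the list. Minor: "varaibles" in the added `# Datree webhook varaibles` comment.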
@@ -59,34 +62,39 @@ spec:
value: {{.Values.datree.output}}
- name: DATREE_NO_RECORD
value: {{.Values.datree.noRecord}}
- name: AWS_MP_PRODUCT_SKU
value: {{.Values.aws.productSku}}
- name: AWS_MP_ENABLE_CHECKOUT_LICENSE
value: {{.Values.aws.enableCheckoutLicense | quote}}
{{- if .Values.aws.mpLicenseSecretName }}
# AWS Marketplace varaibles
- name: AWS_MP_PRODUCT_ID
value: {{ .Values.aws.productId }}
- name: AWS_MP_KEY_FINGERPRINT
value: {{ .Values.aws.issuerKey }}
- name: AWS_MP_ENABLE_CHECK_ENTITLEMENT
value: "{{.Values.aws.enableCheckEntitlement}}"
- name: AWS_MP_REGION
value: {{.Values.aws.region}}
{{- if .Values.aws.licenseConfigSecretName }}
- name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
value: "/var/run/secrets/awsmp-product-license/license_token"
- name: AWS_ROLE_ARN
valueFrom:
secretKeyRef:
name: {{ .Values.aws.mpLicenseSecretName }}
name: {{ .Values.aws.licenseConfigSecretName }}
key: iam_role
{{- end}}
# add aws marketplace license config to the licensed container application env
volumeMounts:
- name: webhook-tls-certs
mountPath: /run/secrets/tls
readOnly: true
{{- if .Values.aws.mpLicenseSecretName }}
{{- if .Values.aws.licenseConfigSecretName }}
- name: awsmp-product-license
mountPath: "/var/run/secrets/awsmp-product-license"
{{- end}}
volumes:
- name: webhook-tls-certs
secret:
secretName: webhook-server-tls
{{- if .Values.aws.mpLicenseSecretName }}
{{- if .Values.aws.licenseConfigSecretName }}
- name: awsmp-product-license
secret:
secretName: {{ .Values.aws.mpLicenseSecretName }}
secretName: {{ .Values.aws.licenseConfigSecretName }}
{{- end}}
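Review bot: `AWS_MP_ENABLE_CHECK_ENTITLEMENT` reads `.Values.aws.enableCheckEntitlement`, but the values.yaml change in this same commit defines the key as `enableCheckAccountEntitlement`, so the env var renders as an empty string and the `== "true"` check in `InitK8sMetadataUtil` never enables the license checkout job; pick one name for both files. Also `AWS_MP_PRODUCT_ID`, `AWS_MP_KEY_FINGERPRINT` and `AWS_MP_REGION` are emitted unquoted; follow the `| quote` pattern the removed `AWS_MP_ENABLE_CHECKOUT_LICENSE` line used so the values are always strings in the rendered manifest.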
26 changes: 14 additions & 12 deletions charts/awsmp-datree-admission-webhook/values.yaml
@@ -12,6 +12,9 @@ customLabels: {}
# Additional annotations to add to all resources.
customAnnotations: {}

# Run the webhook-server in debug mode, this will log debug information to the console.
debug: false

# Create ClusterRoles, ClusterRoleBindings, and ServiceAccount for datree-webhook-server
rbac:
serviceAccount:
@@ -25,6 +28,7 @@ rbac:
# The ClusterRole name
name: datree-webhook-server-read

# Datree webhook configuration, checkout more details at htttps://hub.datree.com
datree:
# The token used to link the CLI to your dashboard.
token: <DATREE_TOKEN>
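Review bot: typo in the added comment: `htttps://hub.datree.com` should read `https://hub.datree.com`.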
@@ -73,16 +77,14 @@ hooks:
pullPolicy: IfNotPresent

# AWS Marketplace configuration
# awsmp:
# # The name of the secret that contains the license configuration.
# licenseConfigSecretName: "aws-marketplace-license-config"
# # The license identity token in the secret.
# licenseToken: <LICENSE_TOKEN>
# # The AWS Identity and Access Management role.
# iamRole: <IAM_ROLE>

# add aws marketplace license config for on-prem deployments
aws:
mpLicenseSecretName: ""
productSku: "ad0ee0c8-f50f-464a-9bc4-d6270592dd36"
enableCheckoutLicense: "true"
# The name of the secret that contains the license configuration.
licenseConfigSecretName: ""
# The AWS Region
region: "us-east-1"
# Enable AWS Marketplace license checkout, this is relevant for paid products only.
enableCheckAccountEntitlement: true
# The application’s Product SKU (Product ID)
productId: "ad0ee0c8-f50f-464a-9bc4-d6270592dd36"
# The trusted issuer of the license (AWS Marketplace)
issuerKey: "aws:294406891311:AWS/Marketplace:issuer-fingerprint"
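Review bot: `enableCheckAccountEntitlement` does not match the `.Values.aws.enableCheckEntitlement` key the deployment template reads, so this default has no effect; rename one side. Its comment says "Enable AWS Marketplace license checkout" while the key (and the `AWS_MP_ENABLE_CHECK_ENTITLEMENT` env var it feeds) is about the entitlement check, so align the wording. The commented-out `# awsmp:` block above is now dead configuration duplicating the live `aws:` section and can go.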
19 changes: 11 additions & 8 deletions pkg/enums/enums.go
@@ -1,12 +1,15 @@
package enums

const (
Token = "DATREE_TOKEN"
ClientId = "DATREE_CLIENT_ID"
Policy = "DATREE_POLICY"
Verbose = "DATREE_VERBOSE"
NoRecord = "DATREE_NO_RECORD"
Output = "DATREE_OUTPUT"
AWSMarketplaceProductSKU = "AWS_MP_PRODUCT_SKU"
AWSMarketplaceEnableCheckoutLicense = "AWS_MP_ENABLE_CHECKOUT_LICENSE"
Token = "DATREE_TOKEN"
ClientId = "DATREE_CLIENT_ID"
Policy = "DATREE_POLICY"
Verbose = "DATREE_VERBOSE"
NoRecord = "DATREE_NO_RECORD"
Output = "DATREE_OUTPUT"
AWSMarketplaceProductID = "AWS_MP_PRODUCT_ID"
AWSMarketplaceEnableCheckEntitlement = "AWS_MP_ENABLE_CHECK_ENTITLEMENT"
AWSMarketplaceRegion = "AWS_MP_REGION"
AWSMarketplaceKeyFingerprint = "AWS_MP_KEY_FINGERPRINT"
Debug = "DEBUG"
)
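Review bot: the new `Debug = "DEBUG"` constant is the only key without a product prefix; a bare `DEBUG` is a common variable name that other tooling in the container may also interpret, so `DATREE_DEBUG` would be safer and consistent with the rest of the list.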
85 changes: 49 additions & 36 deletions pkg/k8sMetadataUtil/k8sMetadataUtil.go
@@ -6,7 +6,7 @@ import (
"os"
"time"

cliClient "github.com/datreeio/admission-webhook-datree/pkg/clients"
cliclient "github.com/datreeio/admission-webhook-datree/pkg/clients"
"github.com/datreeio/admission-webhook-datree/pkg/enums"
licensemanagerclient "github.com/datreeio/admission-webhook-datree/pkg/licenseManagerClient"
"github.com/datreeio/admission-webhook-datree/pkg/loggerUtil"
@@ -20,34 +20,50 @@ import (
)

func InitK8sMetadataUtil() {

validator := networkValidator.NewNetworkValidator()
cliClient := cliClient.NewCliServiceClient(deploymentConfig.URL, validator)
k8sClient, err := getClientSet()
cliClient := cliclient.NewCliServiceClient(deploymentConfig.URL, validator)

var clusterUuid k8sTypes.UID
k8sClient, err := getClientSet()
if err != nil {
sendK8sMetadata(-1, err, clusterUuid, cliClient)
loggerUtil.Log(fmt.Sprint("failed getting k8s client set", err))
cliClient.ReportK8sMetadata(&cliclient.ReportK8sMetadataRequest{
ClusterUuid: "",
Token: os.Getenv(enums.Token),
NodesCount: -1,
NodesCountErr: err.Error(),
})
return
}

clusterUuid, err = getClusterUuid(k8sClient)
clusterUuid, err := getClusterUuid(k8sClient)
if err != nil {
sendK8sMetadata(-1, err, clusterUuid, cliClient)
cliClient.ReportK8sMetadata(&cliclient.ReportK8sMetadataRequest{
ClusterUuid: clusterUuid,
Token: os.Getenv(enums.Token),
NodesCount: -1,
NodesCountErr: err.Error(),
})
}

runHourlyNodesCountCronJob(k8sClient, cliClient, clusterUuid)

if os.Getenv(enums.AWSMarketplaceEnableCheckEntitlement) == "true" {
runDailyAWSCheckoutLicenseCronJob(k8sClient, cliClient, clusterUuid)
}

}

func runHourlyNodesCountCronJob(k8sClient *kubernetes.Clientset, cliClient *cliclient.CliClient, clusterUuid k8sTypes.UID) {
cornJob := cron.New(cron.WithLocation(time.UTC))
cornJob.AddFunc("@hourly", func() {
nodesCount, nodesCountErr := getNodesCount(k8sClient)
sendK8sMetadata(nodesCount, nodesCountErr, clusterUuid, cliClient)
cliClient.ReportK8sMetadata(&cliclient.ReportK8sMetadataRequest{
ClusterUuid: clusterUuid,
Token: os.Getenv(enums.Token),
NodesCount: nodesCount,
NodesCountErr: nodesCountErr.Error(),
})
})
cornJob.Start()

if os.Getenv(enums.AWSMarketplaceEnableCheckoutLicense) == "true" {
runDailyAWSCheckoutLicenseCronJob(k8sClient)
}

}
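Review bot: nil-pointer panic in the hourly cron closure: `NodesCountErr: nodesCountErr.Error()` is evaluated unconditionally, and on the success path `getNodesCount` returns a nil error, so the first successful hourly run panics inside the cron goroutine. The removed `sendK8sMetadata` helper guarded this with `if nodesCountErr != nil`; keep that helper (it also removes the four near-identical `ReportK8sMetadata` blocks) or add the nil check here. Separately, the `getClusterUuid` error branch reports and then falls through with an empty `clusterUuid`; if that is intended, a short comment would help the next reader.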

func getNodesCount(clientset *kubernetes.Clientset) (int, error) {
@@ -81,38 +97,35 @@ func getClusterUuid(clientset *kubernetes.Clientset) (k8sTypes.UID, error) {
return clusterMetadata.UID, nil
}

func sendK8sMetadata(nodesCount int, nodesCountErr error, clusterUuid k8sTypes.UID, client *cliClient.CliClient) {
token := os.Getenv(enums.Token)

var nodesCountErrString string
if nodesCountErr != nil {
nodesCountErrString = nodesCountErr.Error()
}

client.ReportK8sMetadata(&cliClient.ReportK8sMetadataRequest{
ClusterUuid: clusterUuid,
Token: token,
NodesCount: nodesCount,
NodesCountErr: nodesCountErrString,
})
}

// run chckout license cron job daily to check if aws marketplace license is valid with the nodes number
func runDailyAWSCheckoutLicenseCronJob(k8sClient *kubernetes.Clientset) {
func runDailyAWSCheckoutLicenseCronJob(k8sClient *kubernetes.Clientset, cliClient *cliclient.CliClient, clusterUuid k8sTypes.UID) {
licenseManagerClient := licensemanagerclient.NewLicenseManagerClient()

licenseCheckerCornJob := cron.New(cron.WithLocation(time.UTC))
// @daily means run once a day, midnight
licenseCheckerCornJob.AddFunc("@daily", func() {
licenseCheckerCornJob.AddFunc("@every 1m", func() {
nodesCount, err := getNodesCount(k8sClient)
if err != nil {
loggerUtil.Log(fmt.Sprint("failed counting nodes for checkout", err))
loggerUtil.Debug(fmt.Sprint("failed counting nodes for checkout", err))
cliClient.ReportK8sMetadata(&cliclient.ReportK8sMetadataRequest{
ClusterUuid: clusterUuid,
Token: os.Getenv(enums.Token),
NodesCount: -1,
NodesCountErr: err.Error(),
})
return
}

fmt.Println("checking aws marketplace license with nodes count", nodesCount)
loggerUtil.Debug(fmt.Sprint("checking aws marketplace license with nodes count", nodesCount))
err = licenseManagerClient.CheckoutLicense(nodesCount)
if err != nil {
loggerUtil.Log(fmt.Sprint("checkout license failed: ", err))
loggerUtil.Debug(fmt.Sprint("checkout license failed: ", err))
cliClient.ReportK8sMetadata(&cliclient.ReportK8sMetadataRequest{
ClusterUuid: clusterUuid,
Token: os.Getenv(enums.Token),
NodesCount: -1,
NodesCountErr: err.Error(),
})
}
})
licenseCheckerCornJob.Start()
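Review bot: the schedule changed from `@daily` to `@every 1m` while the comment `// @daily means run once a day, midnight` was left in place, and the earlier commit "run license cron job on @daily" suggests the minute interval is a local debugging value; revert it or make the interval configurable before merge. Downgrading the failure paths from `loggerUtil.Log` to `loggerUtil.Debug` also means a failed `CheckoutLicense` call is invisible unless `DEBUG=true`; a license checkout failure is an operational event worth logging unconditionally, with `Debug` kept for the per-run "checking aws marketplace license" message.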
21 changes: 11 additions & 10 deletions pkg/licenseManagerClient/client.go
@@ -11,8 +11,6 @@ import (
"github.com/google/uuid"
)

const awsMarketplaceIssuer = "aws:294406891311:AWS/Marketplace:issuer-fingerprint"

type LicenseManager struct {
client *licensemanager.LicenseManager
awsMarketplaceProductID string
@@ -21,24 +19,27 @@ type LicenseManager struct {

func NewLicenseManagerClient() *LicenseManager {
clientSession := session.Must(session.NewSession())
awsClient := licensemanager.New(clientSession, aws.NewConfig().WithRegion("us-east-1"))
awsClient := licensemanager.New(clientSession, aws.NewConfig().WithRegion(os.Getenv(enums.AWSMarketplaceRegion)))
return &LicenseManager{
client: awsClient,
awsMarketplaceProductID: os.Getenv(enums.AWSMarketplaceProductSKU),
awsMarketplaceFingerprint: awsMarketplaceIssuer,
awsMarketplaceProductID: os.Getenv(enums.AWSMarketplaceProductID),
awsMarketplaceFingerprint: os.Getenv(enums.AWSMarketplaceKeyFingerprint),
}
}

// Checkout the account license according to number of nodes, if everything goes well, the license will be checked out,
// otherwise an error will returned.
func (l *LicenseManager) CheckoutLicense(entititlementValue int) error {
// Checkout the account license according to quantity of units the account consumes.
// If everything goes well, the license will be checked out, otherwise an error will returned.
func (l *LicenseManager) CheckoutLicense(consumedUnitsCount int) error {
_, err := l.client.CheckoutLicense(&licensemanager.CheckoutLicenseInput{
ClientToken: aws.String(uuid.New().String()),
ClientToken: aws.String(uuid.New().String()),
// "PROVISIONAL" checkout type enables to temporarily draw a unit and return it back to the license pool when the application is stopped.
CheckoutType: aws.String("PROVISIONAL"),
Entitlements: []*licensemanager.EntitlementData{
{
// The entitilement name is the contract API name defined in the product.
// The contract API name is defined in the product "load form" in the AWS Marketplace management protal
Name: aws.String("Datree"),
Value: aws.String(fmt.Sprint(entititlementValue)),
Value: aws.String(fmt.Sprint(consumedUnitsCount)),
Unit: aws.String("Count"),
},
},
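Review bot: `NewLicenseManagerClient` now takes region, product ID and issuer fingerprint from the environment without checking them; an unset `AWS_MP_REGION` becomes `WithRegion("")`, and an empty product ID or fingerprint only surfaces as a confusing failure from `CheckoutLicense` at the first cron run. Validate the three values here and return an error (or log and skip) so a misconfigured chart fails fast at startup. The visible hunk starts at the `uuid` import, so also confirm `os` and the `enums` package were added to the import block. Grammar nit in the doc comment: "an error will returned" should be "an error will be returned".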
13 changes: 12 additions & 1 deletion pkg/loggerUtil/loggerUtil.go
@@ -1,7 +1,18 @@
package loggerUtil

import "fmt"
import (
"fmt"
"os"

"github.com/datreeio/admission-webhook-datree/pkg/enums"
)

func Log(msg string) {
fmt.Println(msg)
}

func Debug(msg string) {
if os.Getenv(enums.Debug) == "true" {
fmt.Println(msg)
}
}
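Review bot: `Debug` re-reads `os.Getenv(enums.Debug)` and compares it to the literal `"true"` on every call; resolving it once at package init (or parsing it with `strconv.ParseBool`, which also accepts `1`/`True`) keeps the flag cheap and consistent with the other `== "true"` checks in this PR.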