chore: updating pubsub system #3646

Open
wants to merge 3 commits into
base: master
20 changes: 10 additions & 10 deletions .github/workflows/dapr-pubsub.yaml
@@ -1,18 +1,18 @@
name: dapr-pubsub
name: dapr-export
on:
push:
paths:
- "pkg/pubsub/dapr"
- "test/pubsub/**"
- "pkg/export/dapr"
- "test/export/**"
pull_request:
paths:
- "pkg/pubsub/dapr"
- "test/pubsub/**"
- "pkg/export/dapr"
- "test/export/**"
permissions: read-all

jobs:
dapr_test:
name: "Dapr pubsub test"
name: "Dapr export test"
runs-on: ubuntu-22.04
timeout-minutes: 15
strategy:
Expand Down Expand Up @@ -50,20 +50,20 @@ jobs:
kind load docker-image --name kind gatekeeper-e2e:latest gatekeeper-crds:latest
kubectl create ns gatekeeper-system
make e2e-publisher-deploy
make e2e-helm-deploy HELM_REPO=gatekeeper-e2e HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest ENABLE_PUBSUB=true LOG_LEVEL=DEBUG
make test-e2e ENABLE_PUBSUB_TESTS=1
make e2e-helm-deploy HELM_REPO=gatekeeper-e2e HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest ENABLE_EXPORT=true LOG_LEVEL=DEBUG
make test-e2e ENABLE_EXPORT_TESTS=1

- name: Save logs
if: ${{ always() }}
run: |
kubectl logs -n fake-subscriber -l app=sub --tail=-1 > logs-audit-subscribe.json
kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit-publish.json
kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit-export.json

- name: Upload artifacts
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
if: ${{ always() }}
with:
name: pubsub-logs
name: export-logs
path: |
logs-*.json
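Review bot: The rewritten `paths` entries `- "pkg/export/dapr"` (both under `push` and `pull_request`) name a directory without a glob, and GitHub's path filter matches file paths, so an edit to a file inside `pkg/export/dapr/` would not trigger this workflow; the old `pkg/pubsub/dapr` line had the same gap, but since the line is being rewritten anyway it should become `- "pkg/export/dapr/**"`. The rename is also only partial in this file: the workflow is now `dapr-export` but the file is still `dapr-pubsub.yaml`, and the subscriber log is still written to `logs-audit-subscribe.json` next to the renamed `logs-audit-export.json`. The `test-e2e` recipe that would read `ENABLE_EXPORT_TESTS=1` is not in this diff, so I cannot confirm the variable was renamed on the Makefile side.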

12 changes: 6 additions & 6 deletions Makefile
Expand Up @@ -15,7 +15,7 @@ PUSH_TO_GHCR ?= false
DEV_TAG ?= dev
USE_LOCAL_IMG ?= false
ENABLE_GENERATOR_EXPANSION ?= false
ENABLE_PUBSUB ?= false
ENABLE_EXPORT ?= false
AUDIT_CONNECTION ?= "audit"
AUDIT_CHANNEL ?= "audit"
LOG_LEVEL ?= "INFO"
Expand Down Expand Up @@ -203,7 +203,7 @@ e2e-helm-install:
./.staging/helm/linux-amd64/helm version --client

e2e-helm-deploy: e2e-helm-install
ifeq ($(ENABLE_PUBSUB),true)
ifeq ($(ENABLE_EXPORT),true)
./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name-template=gatekeeper \
--namespace ${GATEKEEPER_NAMESPACE} \
--debug --wait \
Expand All @@ -220,7 +220,7 @@ ifeq ($(ENABLE_PUBSUB),true)
--set auditEventsInvolvedNamespace=true \
--set disabledBuiltins={http.send} \
--set logMutations=true \
--set audit.enablePubsub=${ENABLE_PUBSUB} \
--set audit.exportViolations=${ENABLE_EXPORT} \
--set audit.connection=${AUDIT_CONNECTION} \
--set audit.channel=${AUDIT_CHANNEL} \
--set-string auditPodAnnotations.dapr\\.io/enabled=true \
Expand Down Expand Up @@ -292,17 +292,17 @@ e2e-helm-upgrade:
--set mutationAnnotations=true;\

e2e-subscriber-build-load-image:
docker buildx build --platform="linux/amd64" -t ${FAKE_SUBSCRIBER_IMAGE} --load -f test/pubsub/fake-subscriber/Dockerfile test/pubsub/fake-subscriber
docker buildx build --platform="linux/amd64" -t ${FAKE_SUBSCRIBER_IMAGE} --load -f test/export/fake-subscriber/Dockerfile test/export/fake-subscriber
kind load docker-image --name kind ${FAKE_SUBSCRIBER_IMAGE}

e2e-subscriber-deploy:
kubectl create ns fake-subscriber
kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: fake-subscriber/' | kubectl apply -f -
kubectl apply -f test/pubsub/fake-subscriber/manifest/subscriber.yaml
kubectl apply -f test/export/fake-subscriber/manifest/subscriber.yaml

e2e-publisher-deploy:
kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: gatekeeper-system/' | kubectl apply -f -
kubectl apply -f test/pubsub/publish-components.yaml
kubectl apply -f test/export/publish-components.yaml
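Review bot: None of the three hunks shows the `test-e2e` target, so I cannot confirm it now reads `ENABLE_EXPORT_TESTS`; the workflow in `.github/workflows/dapr-pubsub.yaml` passes `ENABLE_EXPORT_TESTS=1`, and if `test-e2e` still checks `ENABLE_PUBSUB_TESTS` the export e2e tests would be skipped while the job stays green. `ifeq ($(ENABLE_EXPORT),true)` in `e2e-helm-deploy` also falls silently to the non-export install for any value other than the exact string `true` (for example `True` or `1`); a guard next to the `?=` default such as `$(if $(filter-out true false,$(ENABLE_EXPORT)),$(error ENABLE_EXPORT must be true or false))` makes a typo fail loudly. The `e2e-subscriber-*` and `e2e-publisher-deploy` targets keep their pubsub-era names even though their fixtures moved to `test/export/`; if they are renamed, the workflow that calls `make e2e-publisher-deploy` must change in the same commit.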

# Build manager binary
manager: generate
2 changes: 1 addition & 1 deletion cmd/build/helmify/kustomize-for-helm.yaml
Expand Up @@ -183,7 +183,7 @@ spec:
- --operation=audit
- --operation=status
- --operation=generate
- HELMSUBST_DEPLOYMENT_AUDIT_PUBSUB_ARGS
- HELMSUBST_DEPLOYMENT_AUDIT_EXPORT_ARGS
- HELMSUBST_MUTATION_STATUS_ENABLED_ARG
- --logtostderr
- --health-addr=:HELMSUBST_DEPLOYMENT_AUDIT_HEALTH_PORT
4 changes: 2 additions & 2 deletions cmd/build/helmify/replacements.go
Expand Up @@ -118,8 +118,8 @@ var replacements = map[string]string{
- --default-wait-for-vapb-generation={{ .Values.defaultWaitForVAPBGeneration }}
{{- end }}`,

"- HELMSUBST_DEPLOYMENT_AUDIT_PUBSUB_ARGS": `{{ if hasKey .Values.audit "enablePubsub" }}
- --enable-pub-sub={{ .Values.audit.enablePubsub }}
"- HELMSUBST_DEPLOYMENT_AUDIT_EXPORT_ARGS": `{{ if hasKey .Values.audit "exportViolations" }}
- --export-violations={{ .Values.audit.exportViolations }}
{{- end }}
{{ if hasKey .Values.audit "connection" }}
- --audit-connection={{ .Values.audit.connection }}
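Review bot: Replacing the `hasKey .Values.audit "enablePubsub"` branch with `hasKey .Values.audit "exportViolations"` means a values file that still sets `audit.enablePubsub: true` renders no flag at all after the upgrade, so violation export silently stops with no chart error. A loud failure is safer for a setting that controls whether violations leave the cluster, e.g. `{{ if hasKey .Values.audit "enablePubsub" }}{{ fail "audit.enablePubsub was renamed to audit.exportViolations" }}{{ end }}` placed before the new block; the same applies to the duplicated template in the chart's audit deployment (last section of this page). The rendered `--export-violations` flag must also be registered by the audit binary, and that change is not in the diff as shown, so I cannot confirm it. The `replacements` map literal starts and ends outside the hunk.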
6 changes: 3 additions & 3 deletions cmd/build/helmify/static/README.md
Expand Up @@ -221,9 +221,9 @@ information._
| audit.readinessTimeout | Timeout in seconds for audit's readiness probe | `1` |
| audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | `1` |
| audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null` |
| audit.enablePubsub | (alpha) Enabled pubsub to publish messages | `false` |
| audit.connection | (alpha) Connection name for publishing audit violation messages | `audit-connection` |
| audit.channel | (alpha) Channel name for publishing audit violation messages | `audit-channel` |
| audit.exportViolations | (alpha) Enable exporting violations to external systems | `false` |
| audit.connection | (alpha) Connection name for exporting audit violation messages | `audit-connection` |
| audit.channel | (alpha) Channel name for exporting audit violation messages | `audit-channel` |
| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` |
| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` |
| podLabels | The labels to add to the Gatekeeper pods | `{}` |
8 changes: 4 additions & 4 deletions main.go
Expand Up @@ -47,11 +47,11 @@ import (
"github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process"
"github.com/open-policy-agent/gatekeeper/v3/pkg/drivers/k8scel"
"github.com/open-policy-agent/gatekeeper/v3/pkg/expansion"
"github.com/open-policy-agent/gatekeeper/v3/pkg/export"
"github.com/open-policy-agent/gatekeeper/v3/pkg/externaldata"
"github.com/open-policy-agent/gatekeeper/v3/pkg/metrics"
"github.com/open-policy-agent/gatekeeper/v3/pkg/mutation"
"github.com/open-policy-agent/gatekeeper/v3/pkg/operations"
"github.com/open-policy-agent/gatekeeper/v3/pkg/pubsub"
"github.com/open-policy-agent/gatekeeper/v3/pkg/readiness"
"github.com/open-policy-agent/gatekeeper/v3/pkg/readiness/pruner"
"github.com/open-policy-agent/gatekeeper/v3/pkg/syncutil"
Expand Down Expand Up @@ -435,7 +435,7 @@ func setupControllers(ctx context.Context, mgr ctrl.Manager, tracker *readiness.

mutationSystem := mutation.NewSystem(mutationOpts)
expansionSystem := expansion.NewSystem(mutationSystem)
pubsubSystem := pubsub.NewSystem()
exportSystem := export.NewSystem()

c := mgr.GetCache()
dc, ok := c.(watch.RemovableCache)
Expand Down Expand Up @@ -508,7 +508,7 @@ func setupControllers(ctx context.Context, mgr ctrl.Manager, tracker *readiness.
MutationSystem: mutationSystem,
ExpansionSystem: expansionSystem,
ProviderCache: providerCache,
PubsubSystem: pubsubSystem,
ExportSystem: exportSystem,
}

if err := controller.AddToManager(mgr, &opts); err != nil {
Expand Down Expand Up @@ -538,7 +538,7 @@ func setupControllers(ctx context.Context, mgr ctrl.Manager, tracker *readiness.
ProcessExcluder: processExcluder,
CacheLister: auditCache,
ExpansionSystem: expansionSystem,
PubSubSystem: pubsubSystem,
ExportSystem: exportSystem,
}
if err := audit.AddToManager(mgr, &auditDeps); err != nil {
setupLog.Error(err, "unable to register audit with the manager")
6 changes: 3 additions & 3 deletions manifest_staging/charts/gatekeeper/README.md
Expand Up @@ -221,9 +221,9 @@ information._
| audit.readinessTimeout | Timeout in seconds for audit's readiness probe | `1` |
| audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | `1` |
| audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null` |
| audit.enablePubsub | (alpha) Enabled pubsub to publish messages | `false` |
| audit.connection | (alpha) Connection name for publishing audit violation messages | `audit-connection` |
| audit.channel | (alpha) Channel name for publishing audit violation messages | `audit-channel` |
| audit.exportViolations | (alpha) Enable exporting violations to external systems | `false` |
| audit.connection | (alpha) Connection name for exporting audit violation messages | `audit-connection` |
| audit.channel | (alpha) Channel name for exporting audit violation messages | `audit-channel` |
| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` |
| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` |
| podLabels | The labels to add to the Gatekeeper pods | `{}` |
Expand Up @@ -71,8 +71,8 @@ spec:
- --operation=audit
- --operation=status
- --operation=generate
{{ if hasKey .Values.audit "enablePubsub" }}
- --enable-pub-sub={{ .Values.audit.enablePubsub }}
{{ if hasKey .Values.audit "exportViolations" }}
- --export-violations={{ .Values.audit.exportViolations }}
{{- end }}
{{ if hasKey .Values.audit "connection" }}
- --audit-connection={{ .Values.audit.connection }}