Dev/refactor update (#336)

* resolve conflict

* fix image decision result

* fix image verification condition

* fix logger to enable session trace

* fix check_functions.go functions and test cases

Author: hirokuni-kitahara

build/build_images.sh

@@ -57,10 +57,10 @@ if [ -z "$ISHIELD_OBSERVER_IMAGE_NAME_AND_VERSION" ]; then
     exit 1
 fi
 
-if [ -z "$ISHIELD_INSPECTOR_IMAGE_NAME_AND_VERSION" ]; then
-    echo "ISHIELD_INSPECTOR_IMAGE_NAME_AND_VERSION is empty. Please set IShield build env settings."
-    exit 1
-fi
+# if [ -z "$ISHIELD_INSPECTOR_IMAGE_NAME_AND_VERSION" ]; then
+#     echo "ISHIELD_INSPECTOR_IMAGE_NAME_AND_VERSION is empty. Please set IShield build env settings."
+#     exit 1
+# fi
 
 if [ -z "$ISHIELD_OPERATOR_IMAGE_NAME_AND_VERSION" ]; then
     echo "ISHIELD_OPERATOR_IMAGE_NAME_AND_VERSION is empty. Please set IShield build env settings."

cmd/pkg/yamlsign/audit/audityaml.go

@@ -31,15 +31,7 @@ func AuditYaml(ctx context.Context, apiVersion, kind, namespace, name string) (*
 	_ = config.InitShieldConfig()
 
 	metaLogger := logger.NewLogger(config.ShieldConfig.LoggerConfig())
-	reqLog := metaLogger.WithFields(
-		log.Fields{
-			"namespace":  namespace,
-			"name":       name,
-			"apiVersion": apiVersion,
-			"kind":       kind,
-		},
-	)
-	resourceHandler := shield.NewResourceHandler(config.ShieldConfig, metaLogger, reqLog)
+	resourceHandler := shield.NewResourceCheckHandler(config.ShieldConfig, metaLogger)
 
 	var obj *unstructured.Unstructured
 	obj, err := kubeutil.GetResource(apiVersion, kind, namespace, name)

integrity-shield-operator/api/v1alpha1/integrityshield_types.go

@@ -39,13 +39,13 @@ import (
 )
 
 const (
-	DefaultIntegrityShieldCRDName             = "integrityshields.apis.integrityshield.io"
-	DefaultShieldConfigCRDName                = "shieldconfigs.apis.integrityshield.io"
-	DefaultSignerConfigCRDName                = "signerconfigs.apis.integrityshield.io"
-	DefaultResourceSignatureCRDName           = "resourcesignatures.apis.integrityshield.io"
-	DefaultResourceSigningProfileCRDName      = "resourcesigningprofiles.apis.integrityshield.io"
-	DefaultHelmReleaseMetadataCRDName         = "helmreleasemetadatas.apis.integrityshield.io"
-	DefaultProtectedResourceIntegrityCRDName  = "protectedresourceintegrities.apis.integrityshield.io"
+	DefaultIntegrityShieldCRDName        = "integrityshields.apis.integrityshield.io"
+	DefaultShieldConfigCRDName           = "shieldconfigs.apis.integrityshield.io"
+	DefaultSignerConfigCRDName           = "signerconfigs.apis.integrityshield.io"
+	DefaultResourceSignatureCRDName      = "resourcesignatures.apis.integrityshield.io"
+	DefaultResourceSigningProfileCRDName = "resourcesigningprofiles.apis.integrityshield.io"
+	DefaultHelmReleaseMetadataCRDName    = "helmreleasemetadatas.apis.integrityshield.io"
+	// DefaultProtectedResourceIntegrityCRDName  = "protectedresourceintegrities.apis.integrityshield.io"
 	DefaultSignerConfigCRName                 = "signer-config"
 	DefaultIShieldAdminClusterRoleName        = "ishield-admin-clusterrole"
 	DefaultIShieldAdminClusterRoleBindingName = "ishield-admin-clusterrolebinding"
@@ -282,9 +282,9 @@ func (self *IntegrityShield) GetResourceSigningProfileCRDName() string {
 	return DefaultResourceSigningProfileCRDName
 }
 
-func (self *IntegrityShield) GetProtectedResourceIntegrityCRDName() string {
-	return DefaultProtectedResourceIntegrityCRDName
-}
+// func (self *IntegrityShield) GetProtectedResourceIntegrityCRDName() string {
+// 	return DefaultProtectedResourceIntegrityCRDName
+// }
 
 func (self *IntegrityShield) GetHelmReleaseMetadataCRDName() string {
 	return DefaultHelmReleaseMetadataCRDName

integrity-shield-operator/config/samples/apis_v1alpha1_integrityshield_sigstore.yaml

@@ -18,8 +18,6 @@ spec:
       useDefaultRootCert: true
     imageVerificationConfig:
       enabled: true
-      verificationURL: "<COSIGN VERIFIER API URL>"
-      options: {}
   signerConfig:
     policies:
     - namespaces:

integrity-shield-operator/controllers/integrityshield.go

@@ -163,11 +163,11 @@ func (r *IntegrityShieldReconciler) createOrUpdateResourceSigningProfileCRD(
 	return r.createOrUpdateCRD(instance, expected)
 }
 
-func (r *IntegrityShieldReconciler) createOrUpdateProtectedResourceIntegrityCRD(
-	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
-	expected := res.BuildProtectedResourceIntegrityCRD(instance)
-	return r.createOrUpdateCRD(instance, expected)
-}
+// func (r *IntegrityShieldReconciler) createOrUpdateProtectedResourceIntegrityCRD(
+// 	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
+// 	expected := res.BuildProtectedResourceIntegrityCRD(instance)
+// 	return r.createOrUpdateCRD(instance, expected)
+// }
 
 func (r *IntegrityShieldReconciler) deleteShieldConfigCRD(
 	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
@@ -198,11 +198,11 @@ func (r *IntegrityShieldReconciler) deleteResourceSigningProfileCRD(
 	return r.deleteCRD(instance, expected)
 }
 
-func (r *IntegrityShieldReconciler) deleteProtectedResourceIntegrityCRD(
-	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
-	expected := res.BuildProtectedResourceIntegrityCRD(instance)
-	return r.deleteCRD(instance, expected)
-}
+// func (r *IntegrityShieldReconciler) deleteProtectedResourceIntegrityCRD(
+// 	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
+// 	expected := res.BuildProtectedResourceIntegrityCRD(instance)
+// 	return r.deleteCRD(instance, expected)
+// }
 
 /**********************************************
 

integrity-shield-operator/go.mod

@@ -25,12 +25,12 @@ replace (
 	github.com/IBM/integrity-enforcer/cmd => ../cmd
 	github.com/IBM/integrity-enforcer/integrity-shield-operator => ./
 	github.com/IBM/integrity-enforcer/shield => ../shield
-	k8s.io/api => k8s.io/api v0.20.2
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.20.2
-	k8s.io/apimachinery => k8s.io/apimachinery v0.20.2
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.20.2
-	k8s.io/client-go => k8s.io/client-go v0.20.2
-	k8s.io/kubectl => k8s.io/kubectl v0.20.2
+	k8s.io/api => k8s.io/api v0.19.0
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.19.0
+	k8s.io/apimachinery => k8s.io/apimachinery v0.19.0
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.19.0
+	k8s.io/client-go => k8s.io/client-go v0.19.0
+	k8s.io/kubectl => k8s.io/kubectl v0.19.0
 	sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.8.3
 )