Merge pull request #54 from ContainerSolutions/fix/demonstration

Adding several fixes

infrastructure/main.tf

@@ -49,7 +49,7 @@ resource "google_container_node_pool" "primary_preemptible_nodes" {
   node_count = 3
 
   node_config {
-    machine_type = "e2-medium"
+    machine_type = "e2-standard-4"
 
     service_account = google_service_account.default.email
     oauth_scopes    = [

operator/api/v1alpha1/componentattestation_types.go

@@ -32,11 +32,14 @@ type ComponentAttestationStatus struct {
 }
 
 type AttestationResult struct {
-	Logs   string                `json:"logs"`
+	//+optional
+	Logs   string                `json:"logs,omitempty"`
 	Result AttestationResultType `json:"result"`
-	Reason string                `json:"reason"`
 	//+optional
-	Err   string      `json:"err,omitempty"`
+	Reason string `json:"reason"`
+	//+optional
+	Err string `json:"err,omitempty"`
+	//+optional
 	RunAt metav1.Time `json:"runAt"`
 }
 type AttestationResultType string

operator/config/crd/bases/argus.io_componentattestations.yaml

@@ -74,10 +74,7 @@ spec:
                     format: date-time
                     type: string
                 required:
-                - logs
-                - reason
                 - result
-                - runAt
                 type: object
               status:
                 type: string

operator/config/manager/kustomization.yaml

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: controller
+  newName: us-central1-docker.pkg.dev/gfc-personal-use/argus/controller
   newTag: latest

operator/config/manager/manager.yaml

@@ -72,7 +72,7 @@ spec:
         - --leader-elect
         image: controller:latest
         name: manager
-        imagePullPolicy: IfNotPresent
+        imagePullPolicy: Always
         ports:
         - containerPort: 8080
           name: metrics
@@ -97,10 +97,10 @@ spec:
         # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
         resources:
           limits:
-            cpu: 500m
-            memory: 128Mi
+            cpu: 2000m
+            memory: 2Gi
           requests:
-            cpu: 10m
-            memory: 64Mi
+            cpu: 1000m
+            memory: 1Gi
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10

operator/config/samples/terraform/main.tf

@@ -2,19 +2,9 @@ provider "kubernetes" {
   config_path    = "~/.kube/config"
 }
 
-resource "kubernetes_manifest" "resource_type1" {
-  count=10
-  manifest = yamldecode(templatefile("resource.yaml", {name="app-${count.index+1}",class="Application",parent="app-platform"}))
-}
-
-resource "kubernetes_manifest" "resource_type2" {
-  count=10
-  manifest = yamldecode(templatefile("resource.yaml", {name="vm-${count.index+1}",class="VirtualMachine",parent="vm-platform"}))
-}
-
 resource "kubernetes_manifest" "resource_type3" {
   count=10
-  manifest = yamldecode(templatefile("resource.yaml", {name="rt-${count.index+1}",class="NetworkElement",parent="rt-platform"}))
+  manifest = yamldecode(templatefile("resource.yaml", {name="router-${count.index+1}",class="NetworkElement",parent="rt-platform"}))
 }
 
 resource "kubernetes_manifest" "random_provider" {

operator/config/samples/terraform/network.tf

@@ -1,11 +1,10 @@
 resource "kubernetes_manifest" "network_control_1" {
   manifest = yamldecode(templatefile("requirement.yaml", 
   {
-#    name="Auto routing should be disabled",
+    description="Auto routing should be disabled",
     name="net-req-01"
     code="NET-REQ-01",
     version="1.0.0",
-    description="Auto routing can be used to propagate information",
     componentclass="NetworkElement",
     }
     ))
@@ -14,11 +13,10 @@ resource "kubernetes_manifest" "network_control_1" {
 resource "kubernetes_manifest" "network_control_2" {
   manifest = yamldecode(templatefile("requirement.yaml",
     {
-#    name="Outbound traffic should be sent to NSEC device",
+    description="Outbound traffic should be sent to NSEC device",
     name="net-req-02"
     code="NET-REQ-02",
     version="1.0.0",
-    description="",
     componentclass="NetworkElement",
     }
 ))
@@ -27,11 +25,10 @@ resource "kubernetes_manifest" "network_control_2" {
 resource "kubernetes_manifest" "network_control_3" {
   manifest = yamldecode(templatefile("requirement.yaml",
     {
-#    name="Public IP Addresses must not be used",
+    description="Public IP Addresses must not be used",
     name="net-req-03"
     code="NET-REQ-03",
     version="1.0.0",
-    description="",
     componentclass="NetworkElement",
     }
 ))
@@ -40,11 +37,10 @@ resource "kubernetes_manifest" "network_control_3" {
 resource "kubernetes_manifest" "network_control_4" {
   manifest = yamldecode(templatefile("requirement.yaml",
     {
-#    name="Inbound internet facing communication must be behind central firewall",
+    description="Inbound internet facing communication must be behind central firewall",
     name="net-req-04"
     code="NET-REQ-04",
     version="1.0.0",
-    description="",
     componentclass="NetworkElement",
     }
 ))
@@ -53,11 +49,10 @@ resource "kubernetes_manifest" "network_control_4" {
 resource "kubernetes_manifest" "network_control_5" {
   manifest = yamldecode(templatefile("requirement.yaml",
     {
-#    name="DNS requests must be microsegmented between network environments",
+    description="DNS requests must be microsegmented between network environments",
     name="net-req-05"
     code="NET-REQ-05",
     version="1.0.0",
-    description="",
     componentclass="NetworkElement",
     }
 ))
@@ -66,11 +61,10 @@ resource "kubernetes_manifest" "network_control_5" {
 resource "kubernetes_manifest" "network_control_6" {
   manifest = yamldecode(templatefile("requirement.yaml",
     {
-#    name="Any Inbound traffic needs to be properly managed behind firewall rules",
     name="net-req-06"
     code="NET-REQ-06",
     version="1.0.0",
-    description="",
+    description="Any Inbound traffic needs to be properly managed behind firewall rules",
     componentclass="NetworkElement",
     }
 ))
@@ -79,11 +73,10 @@ resource "kubernetes_manifest" "network_control_6" {
 resource "kubernetes_manifest" "network_control_7" {
   manifest = yamldecode(templatefile("requirement.yaml",
     {
-#    name="Networking design needs to ensure network isolation between different applications",
+    description="Networking design needs to ensure network isolation between different applications",
     name="net-req-07"
     code="NET-REQ-07",
     version="1.0.0",
-    description="",
     componentclass="NetworkElement",
     }
 ))
@@ -92,11 +85,10 @@ resource "kubernetes_manifest" "network_control_7" {
 resource "kubernetes_manifest" "network_control_8" {
   manifest = yamldecode(templatefile("requirement.yaml",
     {
-#    name="Network traffic cannot leave the same bounded region/datacenter",
+    description="Network traffic cannot leave the same bounded region/datacenter",
     name="net-req-08"
     code="NET-REQ-08",
     version="1.0.0",
-    description="",
     componentclass="NetworkElement",
     }
 ))
@@ -110,7 +102,7 @@ resource "kubernetes_manifest" "preventative_control" {
     class= "PreventativeControl",
     code= "NET-REQ-0${count.index+1}",
     version="1.0.0",
-    type="rt"
+    type="router"
     }
   ))
 }
@@ -123,7 +115,7 @@ resource "kubernetes_manifest" "detective_control" {
     class= "DetectiveControl",
     code= "NET-REQ-0${count.index+1}",
     version="1.0.0",
-    type="rt"
+    type="router"
     }
   ))
 }
@@ -136,7 +128,7 @@ resource "kubernetes_manifest" "reactive_control" {
     class= "ReactiveControl",
     code= "NET-REQ-0${count.index+1}",
     version="1.0.0",
-    type="rt"
+    type="router"
     }
   ))
 }
@@ -145,8 +137,8 @@ resource "kubernetes_manifest" "reasoning_attestation" {
     count = 8
   manifest = yamldecode(templatefile("attestation.yaml",
     {
-    name="req${count.index+1}-reasoning",
-    implementation = "req${count.index+1}-preventative",
+    name="req${count.index+1}-detective",
+    implementation = "req${count.index+1}-detective",
     }
   ))
 }
@@ -155,7 +147,7 @@ resource "kubernetes_manifest" "deployed_attestation" {
     count = 8
   manifest = yamldecode(templatefile("attestation.yaml",
     {
-    name="req${count.index+1}-prev-deployed",
+    name="req${count.index+1}-preventative",
     implementation = "req${count.index+1}-preventative",
     }
   ))

operator/config/samples/terraform/requirement.yaml

@@ -15,6 +15,7 @@ spec:
     code: ${code}
     class: "Security"
     category: "Internal"
+    description: ${description}
   applicableComponentClasses:
   - ${componentclass}
   requiredAssessmentClasses:

operator/internal/provider/checkov/checkov.go

@@ -22,9 +22,10 @@ type Client struct {
 
 func (c *Client) Attest() (argusiov1alpha1.AttestationResult, error) {
 	mu.Lock()
-	// ToDo: generate unique file names for clone_location and output_file_path
-	defer os.RemoveAll("/tmp/location")
-	defer mu.Unlock()
+	defer func() {
+		os.RemoveAll("/tmp/location")
+		mu.Unlock()
+	}()
 	clone_location := "/tmp/location"
 	cmd := exec.Command("git", "clone", c.RepoUrl, clone_location)
 	out, err := cmd.CombinedOutput()
@@ -33,7 +34,7 @@ func (c *Client) Attest() (argusiov1alpha1.AttestationResult, error) {
 		res := argusiov1alpha1.AttestationResult{
 			Result: argusiov1alpha1.AttestationResultTypeUnknown,
 			Logs:   string(out),
-			Err:    err.Error(), // Logs has to be type string
+			Err:    err.Error(),
 			RunAt:  v1.Now(),
 			Reason: fmt.Sprintf("could not get source repo for '%v'", c.RepoUrl),
 		}
@@ -44,7 +45,6 @@ func (c *Client) Attest() (argusiov1alpha1.AttestationResult, error) {
 
 	out, err = checkov_cmd.CombinedOutput()
 
-	// Distinguish between execution and validation failure
 	res := argusiov1alpha1.AttestationResult{
 		Result: argusiov1alpha1.AttestationResultTypePass,
 		Logs:   string(out),
@@ -55,6 +55,7 @@ func (c *Client) Attest() (argusiov1alpha1.AttestationResult, error) {
 		res.Result = argusiov1alpha1.AttestationResultTypeUnknown
 		res.Err = err.Error()
 		res.Reason = "checkov execution returned error"
+		return res, err
 	}
 	if checkov_cmd.ProcessState.ExitCode() != 0 {
 		res.Result = argusiov1alpha1.AttestationResultTypeFail
@@ -69,7 +70,8 @@ func (c *Client) Close() error {
 
 type Provider struct{}
 
-func (p *Provider) New(_ string, spec *argusiov1alpha1.AttestationProviderSpec) (provider.AttestationClient, error) {
+func (p *Provider) New(name string, spec *argusiov1alpha1.AttestationProviderSpec) (provider.AttestationClient, error) {
+
 	c := &Client{}
 	repourl_value, ok := spec.ProviderConfig["repo"]