From 20fe7a8533c56525d3be2ce1bb979a825bb68491 Mon Sep 17 00:00:00 2001
From: Richard87
Date: Tue, 12 Mar 2024 17:39:04 +0100
Subject: [PATCH] Add Workload Identity feature

---
 go.mod | 13 ++++++++++---
 go.sum | 13 ++++++++-----
 main.go | 2 ++
 pkg/server/load.go | 1 +
 pkg/server/options.go | 9 +++++----
 pkg/server/server.go | 21 ++++++++++++++++-----
 6 files changed, 42 insertions(+), 17 deletions(-)

diff --git a/go.mod b/go.mod
index ffb86e1..6c8078d 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ toolchain go1.21.0
 
 require (
 github.com/containerd/containerd v1.7.11
- github.com/equinor/radix-common v1.7.1
+ github.com/equinor/radix-common v1.9.2
 github.com/equinor/radix-operator v1.48.0
 github.com/golang/mock v1.6.0
 github.com/microsoft/go-mssqldb v1.6.0
@@ -17,7 +17,7 @@ require (
 github.com/spf13/viper v1.18.2
 github.com/stretchr/testify v1.8.4
 gorm.io/driver/sqlserver v1.5.2
- gorm.io/gorm v1.25.5
+ gorm.io/gorm v1.25.7
 k8s.io/api v0.29.0
 k8s.io/apimachinery v0.29.0
 k8s.io/client-go v0.29.0
@@ -26,15 +26,20 @@ require (
 
 require (
 dario.cat/mergo v1.0.0 // indirect
+ github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 // indirect
+ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 // indirect
+ github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
+ github.com/AzureAD/microsoft-authentication-library-for-go v1.1.0 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 github.com/evanphx/json-patch v5.7.0+incompatible // indirect
 github.com/fsnotify/fsnotify v1.7.0 // indirect
- github.com/go-logr/logr v1.3.0 // indirect
+ github.com/go-logr/logr v1.4.1 // indirect
 github.com/go-openapi/jsonpointer v0.20.0 // indirect
 github.com/go-openapi/jsonreference v0.20.2 // indirect
 github.com/go-openapi/swag v0.22.4 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
+ github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 github.com/golang-sql/sqlexp v0.1.0 // indirect
 github.com/golang/protobuf v1.5.3 // indirect
@@ -48,6 +53,7 @@ require (
 github.com/jinzhu/now v1.1.5 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
+ github.com/kylelemons/godebug v1.1.0 // indirect
 github.com/magiconair/properties v1.8.7 // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
 github.com/mattn/go-colorable v0.1.13 // indirect
@@ -57,6 +63,7 @@ require (
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+ github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 github.com/pkg/errors v0.9.1 // indirect
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 github.com/sagikazarmark/locafero v0.4.0 // indirect
diff --git a/go.sum b/go.sum
index 90870f1..f774679 100644
--- a/go.sum
+++ b/go.sum
@@ -27,11 +27,12 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko=
+github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/equinor/radix-common v1.7.1 h1:kl7Tuo2VEo2WHGm/vkvktrZ9t9S3Nht7Mob3CSIzcJI=
-github.com/equinor/radix-common v1.7.1/go.mod h1:M6mhgHtFQ3rnjJnyOuECXiZOh7XQ5xVeHMyCAU+YPzQ=
+github.com/equinor/radix-common v1.9.2 h1:pOYN/mSAoPe6KO/Nvudfd5DUETbLv4nLTLzFPr62ADw=
+github.com/equinor/radix-common v1.9.2/go.mod h1:ekn86U68NT4ccSdt3GT+ukpiclzfuhr96a7zBJKv/jw=
 github.com/equinor/radix-operator v1.48.0 h1:10ABXtD7SJAJ2FcYOTJrWjW8h9nbsCsxQQ5LwC9qqYs=
 github.com/equinor/radix-operator v1.48.0/go.mod h1:kwwnvyW1WKCKiXVSKNhkG7zAe1sFC2XW9IbNZsCCgRw=
 github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI=
@@ -40,8 +41,9 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
 github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.20.0 h1:ESKJdU9ASRfaPNOPRx12IUyA1vn3R9GiE3KYD14BXdQ=
 github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA=
@@ -56,6 +58,7 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
 github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
@@ -312,8 +315,8 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/sqlserver v1.5.2 h1:+o4RQ8w1ohPbADhFqDxeeZnSWjwOcBnxBckjTbcP4wk=
 gorm.io/driver/sqlserver v1.5.2/go.mod h1:gaKF0MO0cfTq9Q3/XhkowSw4g6nIwHPGAs4hzKCmvBo=
 gorm.io/gorm v1.25.2-0.20230610234218-206613868439/go.mod h1:L4uxeKpfBml98NYqVqwAdmV1a2nBtAec/cf3fpucW/k=
-gorm.io/gorm v1.25.5 h1:zR9lOiiYf09VNh5Q1gphfyia1JpiClIWG9hQaxB/mls=
-gorm.io/gorm v1.25.5/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
+gorm.io/gorm v1.25.7 h1:VsD6acwRjz2zFxGO50gPO6AkNs7KKnvfzUjHQhZDz/A=
+gorm.io/gorm v1.25.7/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
 k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A=
 k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA=
 k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o=
diff --git a/main.go b/main.go
index 4178237..3f7b1ac 100644
--- a/main.go
+++ b/main.go
@@ -52,6 +52,7 @@ func setupLogger(opts *server.Options, ctx context.Context) (context.Context, er
 log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.TimeOnly})
 }
 ctx = log.Logger.WithContext(ctx)
+ zerolog.DefaultContextLogger = &log.Logger
 return ctx, nil
 }
 
@@ -64,6 +65,7 @@ func logOptions(opts *server.Options) {
 log.Info().Msgf(" db-database: %v", opts.DB.Database)
 log.Info().Msgf(" db-username: %v", opts.DB.UserName)
 log.Info().Msgf(" db-password set: %v", len(opts.DB.Password) > 0)
+ log.Info().Msgf(" db-use-federated-token set: %v", opts.DB.UseFederatedToken)
 log.Info().Msgf(" vulnerability-scan-timeout: %s", opts.VulnerabilityScan.ScanTimeout)
 log.Info().Msgf(" vulnerability-rescan-age: %s", opts.VulnerabilityScan.RescanAge)
 log.Info().Msgf(" docker-config-file: %s", opts.Docker.AuthsFile)
diff --git a/pkg/server/load.go b/pkg/server/load.go
index d05480c..fb661f1 100644
--- a/pkg/server/load.go
+++ b/pkg/server/load.go
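Review bot: The new `log.Info().Msgf(" db-use-federated-token set: %v", opts.DB.UseFederatedToken)` line in logOptions copies the "set" wording from the password line, but that line prints presence because the value is a secret, whereas here the bool's own value is printed, so `set: false` reads as a contradiction. Label it like the other non-secret options: `log.Info().Msgf(" db-use-federated-token: %v", opts.DB.UseFederatedToken)`. logOptions continues past the end of the hunk.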
@@ -58,6 +58,7 @@ func dbFlagset() *pflag.FlagSet {
 flagset.String("db-database", "", "SQL Server database name")
 flagset.String("db-username", "", "SQL Server user name")
 flagset.String("db-password", "", "SQL Server password")
+ flagset.String("db-use-federated-token", "", "SQL Use federated token")
 return flagset
 }
 
diff --git a/pkg/server/options.go b/pkg/server/options.go
index 6759f30..9236f2c 100644
--- a/pkg/server/options.go
+++ b/pkg/server/options.go
@@ -24,10 +24,11 @@ type (
 
 // DBOptions contains configuration for database connection
 DBOptions struct {
- Server string `flag:"db-server" cfg:"db_server"`
- Database string `flag:"db-database" cfg:"db_database"`
- UserName string `flag:"db-username" cfg:"db_username"`
- Password string `flag:"db-password" cfg:"db_password"`
+ Server string `flag:"db-server" cfg:"db_server"`
+ Database string `flag:"db-database" cfg:"db_database"`
+ UserName string `flag:"db-username" cfg:"db_username"`
+ Password string `flag:"db-password" cfg:"db_password"`
+ UseFederatedToken bool `flag:"db-use-federated-token" cfg:"db_use_federated_token" default:"false"`
 }
 
 // DockerOptions contains configuration for accessing docker images
diff --git a/pkg/server/server.go b/pkg/server/server.go
index fc44dd3..34d2785 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -4,6 +4,7 @@ import (
 "fmt"
 "sync"
 
+ commongorm "github.com/equinor/radix-common/pkg/gorm"
 v1 "github.com/equinor/radix-operator/pkg/apis/radix/v1"
 radix "github.com/equinor/radix-operator/pkg/client/clientset/versioned"
 radixinformer "github.com/equinor/radix-operator/pkg/client/informers/externalversions"
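Review bot: The new `flagset.String("db-use-federated-token", "", "SQL Use federated token")` registers a string flag with an empty default, while the field it is tagged for in the pkg/server/options.go hunk (`UseFederatedToken bool ... default:"false"`) is a bool; if the loader binds flags to fields by the matching `flag` tag, as the identical tag names suggest, an empty string does not parse as a bool and a bare `--db-use-federated-token` will not enable the feature. Register it with the field's type and a usage string that says what it replaces: `flagset.Bool("db-use-federated-token", false, "Authenticate to SQL Server with a federated (workload identity) token instead of db-username/db-password")`. The `default:"false"` tag is the only one in DBOptions, so either it is dead or the other fields are missing theirs; a short comment on the field, `// UseFederatedToken selects fedauth (ActiveDirectoryDefault) in getRepository; UserName/Password are then ignored`, would also document the coupling. dbFlagset begins before the hunk.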
@@ -14,9 +15,9 @@ import (
 "github.com/equinor/radix-vulnerability-scanner/pkg/observe"
 "github.com/equinor/radix-vulnerability-scanner/pkg/scan"
 "github.com/equinor/radix-vulnerability-scanner/pkg/utils"
+ "github.com/microsoft/go-mssqldb/azuread"
 "gorm.io/driver/sqlserver"
 "gorm.io/gorm"
- gormlogger "gorm.io/gorm/logger"
 "gorm.io/gorm/schema"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/client-go/kubernetes"
@@ -149,12 +150,22 @@ func (s *Server) run(stopCh <-chan struct{}) error {
 }
 
 func getRepository(opts *DBOptions) (db.Repository, error) {
- dsn := fmt.Sprintf("server=%s;database=%s;user id=%s;password=%s", opts.Server, opts.Database, opts.UserName, opts.Password)
+ var dsn string
+ if opts.UseFederatedToken {
+ dsn = fmt.Sprintf("server=%s;database=%s;fedauth=ActiveDirectoryDefault", opts.Server, opts.Database)
+ } else {
+ dsn = fmt.Sprintf("server=%s;database=%s;user id=%s;password=%s", opts.Server, opts.Database, opts.UserName, opts.Password)
+ }
+
+ dialector := sqlserver.New(sqlserver.Config{
+ DriverName: azuread.DriverName,
+ DSN: dsn,
+ })
 
- gormdb, err := gorm.Open(sqlserver.Open(dsn), &gorm.Config{
+ gormdb, err := gorm.Open(dialector, &gorm.Config{
 NamingStrategy: schema.NamingStrategy{NoLowerCase: true},
- Logger: gormlogger.Default.LogMode(gormlogger.Silent),
- DisableAutomaticPing: true,
+ Logger: commongorm.NewLogger(),
+ DisableAutomaticPing: false,
 })
 if err != nil {
 return nil, err
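Review bot: The password branch of the new `dsn` assignment in getRepository still splices `opts.Password` verbatim into a `;`-delimited connection string, so a password containing `;` (or braces) is read as extra keys instead of being escaped; building the DSN with `url.URL` and `url.UserPassword` (sketch below, `net/url` must be imported, and it assumes `opts.Server` is `host[:port]`) escapes the credentials and carries `fedauth` the same way for the federated branch. The switch to `DisableAutomaticPing: false` and to `commongorm.NewLogger()` are behaviour changes the commit subject does not mention: the former presumably makes `gorm.Open` fail at startup when the database is unreachable, and what the new logger emits (in particular whether it echoes SQL with bound values) is not visible here, so a one-line comment on each, e.g. `// Ping on open so a bad DSN or token fails fast at startup`, would record the intent. When `UseFederatedToken` is set, a configured `UserName`/`Password` is silently ignored and `fedauth=ActiveDirectoryDefault` walks the whole default credential chain, so which identity is actually used depends on the pod environment; warning on the ignored credentials and naming the expected credential source in a comment would help operators. getRepository continues past the end of the hunk.
```go
func getRepository(opts *DBOptions) (db.Repository, error) {
	// URL form: url.UserPassword escapes ';', '{', '}' and '@' in the credentials,
	// which the ado-style "key=value;" string would treat as delimiters.
	u := url.URL{Scheme: "sqlserver", Host: opts.Server}
	q := url.Values{}
	q.Set("database", opts.Database)
	if opts.UseFederatedToken {
		// No user id/password: azuread.DriverName obtains the token for this fedauth mode.
		q.Set("fedauth", "ActiveDirectoryDefault")
	} else {
		u.User = url.UserPassword(opts.UserName, opts.Password)
	}
	u.RawQuery = q.Encode()
	dsn := u.String()

	// … unchanged: dialector and gorm.Open …
```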