Skip to content

Commit

Permalink
Lets/go (#21)
Browse files Browse the repository at this point in the history
* move implementation to go

* Go based implementation

* dockerfile lints

* use 1.22.5 only

* go 1.22

* test refactor

* dependabot ecosystem go

* update lint action

* action version bumps

* add tests

* add env var generation, tests, update readme

* go mod 1.22

* build with signalilo

* bump gh actions versions

* add tests

* add proxy doc

* update doc
  • Loading branch information
alesz authored Aug 5, 2024
1 parent c599b83 commit 3faa1f6
Show file tree
Hide file tree
Showing 23 changed files with 829 additions and 258 deletions.
2 changes: 1 addition & 1 deletion .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ updates:
commit-message:
prefix: "chore(ci): "
open-pull-requests-limit: 10
- package-ecosystem: "pip"
- package-ecosystem: "gomod"
directory: "/"
schedule:
interval: "daily"
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
name: Release Container Image
name: Release Container Image - Standalone

on:
schedule:
Expand Down Expand Up @@ -28,7 +28,7 @@ jobs:
uses: docker/metadata-action@v5
with:
images: |
quay.io/adfinis/signalilo-scrubbed
quay.io/adfinis/scrubbed
tags: |
type=schedule,pattern=nightly
type=edge
Expand All @@ -46,7 +46,7 @@ jobs:
if: ${{ github.event_name != 'pull_request' }}

- name: Build and push
id: docker_build_ghcr
id: build
uses: docker/build-push-action@v6
with:
context: .
Expand Down
56 changes: 56 additions & 0 deletions .github/workflows/release-container-image-with-signalilo.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
name: Release Container Image - With Signalilo

on:
schedule:
- cron: '3 3 * * *'
pull_request:
push:
branches:
- main
tags:
- 'v*.*.*'

jobs:
container:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Configure Image Metadata
id: meta
uses: docker/metadata-action@v5
with:
images: |
quay.io/adfinis/scrubbed-signalilo
tags: |
type=schedule,pattern=nightly
type=edge
type=semver,pattern=v{{version}}
type=semver,pattern=v{{major}}
type=semver,pattern=v{{major}}.{{minor}}
type=ref,event=pr
- name: Login to quay.io
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME}}
password: ${{ secrets.QUAY_ACCESS_TOKEN }}
if: ${{ github.event_name != 'pull_request' }}

- name: Build and push
id: build
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile.signalilo
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
37 changes: 37 additions & 0 deletions .github/workflows/security.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
name: Security
on:
push:
branches:
- main
pull_request:
branches:
- main
permissions:
contents: read
jobs:
scan:
strategy:
matrix:
go: ["1.22.5"]
fail-fast: true
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4

- name: Setup Go ${{ matrix.go }}
uses: actions/setup-go@v5
with:
go-version: ${{ matrix.go }}
cache: false

- name: Run GoSec
uses: securego/gosec@master
with:
args: -exclude-dir examples ./...

- name: Run GoVulnCheck
uses: golang/govulncheck-action@v1
with:
go-version-input: ${{ matrix.go }}
go-package: ./...
50 changes: 30 additions & 20 deletions .github/workflows/test.yaml
Original file line number Diff line number Diff line change
@@ -1,25 +1,35 @@
name: Test
on: pull_request
on:
push:
branches:
- main
pull_request:
branches:
- main
permissions:
contents: read
jobs:
ruff:
runs-on: ubuntu-latest
unit:
strategy:
matrix:
go: ["1.22.5"]
os: [ubuntu-latest, macos-latest, windows-latest]
fail-fast: true
runs-on: ${{ matrix.os }}
steps:
- name: Checkout
- name: Checkout Code
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v5

- name: Setup Go ${{ matrix.go }}
uses: actions/setup-go@v5
with:
python-version: 3.x
- name: ruff
run: |
pip install -r requirements-dev.txt
ruff format --check
ruff check . --output-format=github
shellcheck:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run shellcheck
id: shellcheck
uses: ludeeus/[email protected]
go-version: ${{ matrix.go }}
cache: false

- name: Run Tests
run: go test -race -cover -coverprofile=coverage -covermode=atomic -v ./...

# - name: Upload coverage to Codecov
# uses: codecov/codecov-action@v4
# with:
# files: ./coverage
32 changes: 32 additions & 0 deletions .github/workflows/verify.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
name: Verify
on:
push:
branches:
- main
pull_request:
branches:
- main
permissions:
contents: read
jobs:
lint:
strategy:
matrix:
go: ["1.22.5"]
fail-fast: true
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4

- name: Setup Go ${{ matrix.go }}
uses: actions/setup-go@v5
with:
go-version: ${{ matrix.go }}
cache: false

- name: Run GolangCI-Lint
uses: golangci/golangci-lint-action@v6
with:
version: v1.59
args: --timeout=5m
8 changes: 2 additions & 6 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,6 +1,2 @@
__pycache__/
venv/
build/
dist/
*.spec
.venv/
scrubbed
coverage.coverprofile
20 changes: 13 additions & 7 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,15 +1,21 @@
FROM docker.io/library/python:3.12 AS scrubbed
FROM golang:1.22 AS builder

WORKDIR /src

COPY Makefile initenv.sh requirements.txt scrubbed.py .
COPY go.mod go.sum .

RUN make static
RUN go mod download

FROM quay.io/vshn/signalilo:v0.14.0 AS signalilo
COPY *.go Makefile .

FROM docker.io/library/debian:bookworm
RUN make build

COPY --from=signalilo /usr/local/bin/signalilo /usr/local/bin/
FROM registry.access.redhat.com/ubi9/ubi-micro:9.4

COPY --from=scrubbed /src/dist/scrubbed /usr/local/bin/
COPY --from=builder /src/scrubbed /usr/local/bin/

EXPOSE 8080

EXPOSE 8443

ENTRYPOINT ["/usr/local/bin/scrubbed"]
25 changes: 25 additions & 0 deletions Dockerfile.signalilo
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
FROM golang:1.22 AS builder

WORKDIR /src

COPY go.mod go.sum .

RUN go mod download

COPY *.go Makefile .

RUN make build

FROM quay.io/vshn/signalilo:v0.14.0 AS signalilo

FROM registry.access.redhat.com/ubi9/ubi-micro:9.4

COPY --from=signalilo /usr/local/bin/signalilo /usr/local/bin/

COPY --from=builder /src/scrubbed /usr/local/bin/

EXPOSE 8080

EXPOSE 8443

ENTRYPOINT ["/usr/local/bin/scrubbed"]
51 changes: 37 additions & 14 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -5,22 +5,45 @@
help:
@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

GO_LINT=$(shell which golangci-lint 2> /dev/null || echo '')
GO_LINT_URI=github.com/golangci/golangci-lint/cmd/golangci-lint@latest

# -t $(IMAGE_NAME):$(VERSION) .
GO_SEC=$(shell which gosec 2> /dev/null || echo '')
GO_SEC_URI=github.com/securego/gosec/v2/cmd/gosec@latest

.PHONY: image
image: ## Create Docker image
podman build .
@echo built image $(IMAGE_NAME)
GO_VULNCHECK=$(shell which govulncheck 2> /dev/null || echo '')
GO_VULNCHECK_URI=golang.org/x/vuln/cmd/govulncheck@latest

.PHONY: venv
venv: ## Initialize virtual environment and install dependencies
./initenv.sh
.PHONY: golangci-lint
golangci-lint: ## Run golangci-lint
$(if $(GO_LINT), ,go install $(GO_LINT_URI))
@echo "##### Running golangci-lint"
golangci-lint run -v

.PHONY: gosec
gosec: ## Run gosec
$(if $(GO_SEC), ,go install $(GO_SEC_URI))
@echo "##### Running gosec"
gosec ./...

.PHONY: static
static: venv ## Generate static binary with embedded Python
venv/bin/pyinstaller --onefile scrubbed.py
.PHONY: govulncheck
govulncheck: ## Run govulncheck
$(if $(GO_VULNCHECK), ,go install $(GO_VULNCHECK_URI))
@echo "##### Running govulncheck"
govulncheck ./...

.PHONY: clean
clean: ## Clean up
rm -rf venv/ build/ dist/ __pycache__/ scrubbed.spec
.PHONY: verify
verify: golangci-lint gosec govulncheck ## Run all checks

.PHONY: test
test: ## Run Go tests
@echo "##### Running tests"
go test -race -cover -coverprofile=coverage.coverprofile -covermode=atomic -v ./...

.PHONY: tidy
tidy: ## Tidy go.mod
go mod tidy

.PHONY: build
build: ## Build scrubbed
go build
16 changes: 9 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@
# Signalilo With Alert Content Scrubbing
# Alertmanager Webhook Content Scrubber

This repository creates and publishes Docker image for deployment of upstream Signalilo with Alertmanager filtering proxy added.
This proxy is useful for preventing sensitive information (e.g. IP addressess, hostnames, alert descriptions, etc.) leaving organisational boundaries when monitoring is outsourced to external entity.

For convenience, filtering proxy is coupled with Signalilo. It can be easily separated if alternative alertmanager webhook receiver is used.
This repository creates and publishes Docker image for deployment of Alertmanager filtering proxy.

Raise a PR if you have a use case.
This proxy is useful for preventing sensitive information (e.g. IP addressess, hostnames, alert descriptions, etc.) leaving organisational boundaries when monitoring is outsourced to external entity.

For convenience, Dockerfile to couple filtering proxy with Signalilo is also provided.

## Installation

Expand All @@ -23,6 +21,10 @@ SIGNALILO_ALERTMANAGER_BEARER_TOKEN: foo
SIGNALILO_ICINGA_PASSWORD: bar
```

### Proxy

Implicitly uses default HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables

### Alertmanager

Add receiver to Alertmanager configuration:
Expand Down Expand Up @@ -70,4 +72,4 @@ it during the squash and merge operation on the PR.
## References

* https://github.com/vshn/signalilo
* https://prometheus.io/docs/alerting/latest/configuration/#webhook_config
* https://prometheus.io/docs/alerting/latest/configuration/#webhook_config
Loading

0 comments on commit 3faa1f6

Please sign in to comment.