Merge pull request #234 from IBM/fix/log-report

add dyanmic log level & improve RSP report

Makefile

@@ -302,7 +302,7 @@ setup-test-resources:
 	@echo
 	@echo prepare cr for updating test
 	cp $(TMP_CR_FILE) $(TMP_CR_UPDATED_FILE)
-	yq write -i $(TMP_CR_UPDATED_FILE) spec.signPolicy.signers[1].subjects[1].email $(TEST_SAMPLE_SIGNER_SUBJECT_EMAIL)
+	yq write -i $(TMP_CR_UPDATED_FILE) spec.signerConfig.signers[1].subjects[1].email $(TEST_SAMPLE_SIGNER_SUBJECT_EMAIL)
 
 e2e-test:
 	@echo
@@ -383,15 +383,15 @@ setup-tmp-cr:
 	yq write -i $(TMP_CR_FILE) spec.server.imagePullPolicy Always
 	@echo setup keyring configs
 	yq write -i $(TMP_CR_FILE) spec.keyRingConfigs[1].name $(TEST_SECRET2)
-	@echo setup signer policy
-	yq write -i $(TMP_CR_FILE) spec.signPolicy.policies[2].namespaces[0] $(TEST_NS)
-	yq write -i $(TMP_CR_FILE) spec.signPolicy.policies[2].signers[0] $(TEST_SIGNERS)
-	yq write -i $(TMP_CR_FILE) spec.signPolicy.signers[1].name $(TEST_SIGNERS)
-	yq write -i $(TMP_CR_FILE) spec.signPolicy.signers[1].secret $(TEST_SECRET)
-	yq write -i $(TMP_CR_FILE) spec.signPolicy.signers[1].subjects[0].email $(TEST_SIGNER_SUBJECT_EMAIL)
-	yq write -i $(TMP_CR_FILE) spec.signPolicy.signers[2].name $(TEST_SIGNERS2)
-	yq write -i $(TMP_CR_FILE) spec.signPolicy.signers[2].secret $(TEST_SECRET2)
-	yq write -i $(TMP_CR_FILE) spec.signPolicy.signers[2].subjects[0].email $(TEST_SIGNER_SUBJECT_EMAIL2)
+	@echo setup signer config
+	yq write -i $(TMP_CR_FILE) spec.signerConfig.policies[2].namespaces[0] $(TEST_NS)
+	yq write -i $(TMP_CR_FILE) spec.signerConfig.policies[2].signers[0] $(TEST_SIGNERS)
+	yq write -i $(TMP_CR_FILE) spec.signerConfig.signers[1].name $(TEST_SIGNERS)
+	yq write -i $(TMP_CR_FILE) spec.signerConfig.signers[1].secret $(TEST_SECRET)
+	yq write -i $(TMP_CR_FILE) spec.signerConfig.signers[1].subjects[0].email $(TEST_SIGNER_SUBJECT_EMAIL)
+	yq write -i $(TMP_CR_FILE) spec.signerConfig.signers[2].name $(TEST_SIGNERS2)
+	yq write -i $(TMP_CR_FILE) spec.signerConfig.signers[2].secret $(TEST_SECRET2)
+	yq write -i $(TMP_CR_FILE) spec.signerConfig.signers[2].subjects[0].email $(TEST_SIGNER_SUBJECT_EMAIL2)
 	@if [ "$(TEST_LOCAL)" ]; then \
 		echo enable logAllResponse ; \
 		yq write -i $(TMP_CR_FILE) spec.shieldConfig.log.logLevel trace ;\

integrity-shield-operator/api/v1alpha1/integrityshield_types.go

@@ -35,17 +35,17 @@ import (
 	extv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 
 	ec "github.com/IBM/integrity-enforcer/shield/pkg/apis/shieldconfig/v1alpha1"
-	spol "github.com/IBM/integrity-enforcer/shield/pkg/apis/signpolicy/v1alpha1"
+	sigconf "github.com/IBM/integrity-enforcer/shield/pkg/apis/signerconfig/v1alpha1"
 )
 
 const (
 	DefaultIntegrityShieldCRDName             = "integrityshields.apis.integrityshield.io"
 	DefaultShieldConfigCRDName                = "shieldconfigs.apis.integrityshield.io"
-	DefaultSignPolicyCRDName                  = "signpolicies.apis.integrityshield.io"
+	DefaultSignerConfigCRDName                = "signerconfigs.apis.integrityshield.io"
 	DefaultResourceSignatureCRDName           = "resourcesignatures.apis.integrityshield.io"
 	DefaultResourceSigningProfileCRDName      = "resourcesigningprofiles.apis.integrityshield.io"
 	DefaultHelmReleaseMetadataCRDName         = "helmreleasemetadatas.apis.integrityshield.io"
-	DefaultSignPolicyCRName                   = "sign-policy"
+	DefaultSignerConfigCRName                 = "signer-config"
 	DefaultIShieldAdminClusterRoleName        = "ishield-admin-clusterrole"
 	DefaultIShieldAdminClusterRoleBindingName = "ishield-admin-clusterrolebinding"
 	DefaultIShieldAdminRoleName               = "ishield-admin-role"
@@ -82,10 +82,10 @@ type IntegrityShieldSpec struct {
 	Logger                 LoggerContainer `json:"logger,omitempty"`
 	RegKeySecret           RegKeySecret    `json:"regKeySecret,omitempty"`
 
-	ShieldConfigCrName      string             `json:"shieldConfigCrName,omitempty"`
-	ShieldConfig            *iec.ShieldConfig  `json:"shieldConfig,omitempty"`
-	SignPolicy              *common.SignPolicy `json:"signPolicy,omitempty"`
-	ResourceSigningProfiles []*ProfileConfig   `json:"resourceSigningProfiles,omitempty"`
+	ShieldConfigCrName      string               `json:"shieldConfigCrName,omitempty"`
+	ShieldConfig            *iec.ShieldConfig    `json:"shieldConfig,omitempty"`
+	SignerConfig            *common.SignerConfig `json:"signerConfig,omitempty"`
+	ResourceSigningProfiles []*ProfileConfig     `json:"resourceSigningProfiles,omitempty"`
 
 	WebhookServerTlsSecretName string     `json:"webhookServerTlsSecretName,omitempty"`
 	WebhookServiceName         string     `json:"webhookServiceName,omitempty"`
@@ -136,7 +136,7 @@ type ServerContainer struct {
 }
 
 type LoggerContainer struct {
-	Enabled         bool                    `json:"enabled,omitempty"`
+	Enabled         *bool                   `json:"enabled,omitempty"`
 	Name            string                  `json:"name,omitempty"`
 	SecurityContext *v1.SecurityContext     `json:"securityContext,omitempty"`
 	ImagePullPolicy v1.PullPolicy           `json:"imagePullPolicy,omitempty"`
@@ -221,8 +221,8 @@ func (self *IntegrityShield) GetShieldConfigCRDName() string {
 	return DefaultShieldConfigCRDName
 }
 
-func (self *IntegrityShield) GetSignPolicyCRDName() string {
-	return DefaultSignPolicyCRDName
+func (self *IntegrityShield) GetSignerConfigCRDName() string {
+	return DefaultSignerConfigCRDName
 }
 
 func (self *IntegrityShield) GetResourceSignatureCRDName() string {
@@ -241,8 +241,8 @@ func (self *IntegrityShield) GetShieldConfigCRName() string {
 	return self.Spec.ShieldConfigCrName
 }
 
-func (self *IntegrityShield) GetSignPolicyCRName() string {
-	return DefaultSignPolicyCRName
+func (self *IntegrityShield) GetSignerConfigCRName() string {
+	return DefaultSignerConfigCRName
 }
 
 func (self *IntegrityShield) GetRegKeySecretName() string {
@@ -325,7 +325,7 @@ func (self *IntegrityShield) GetIShieldResourceList(scheme *runtime.Scheme) ([]*
 	_deployType := getTypeFromObj(&appsv1.Deployment{}, scheme)
 	_crdType := getTypeFromObj(&extv1.CustomResourceDefinition{}, scheme)
 	_ecType := getTypeFromObj(&ec.ShieldConfig{}, scheme)
-	_spolType := getTypeFromObj(&spol.SignPolicy{}, scheme)
+	_sigconfType := getTypeFromObj(&sigconf.SignerConfig{}, scheme)
 	_rspType := getTypeFromObj(&rsp.ResourceSigningProfile{}, scheme)
 	_secretType := getTypeFromObj(&v1.Secret{}, scheme)
 	_saType := getTypeFromObj(&v1.ServiceAccount{}, scheme)
@@ -359,7 +359,7 @@ func (self *IntegrityShield) GetIShieldResourceList(scheme *runtime.Scheme) ([]*
 		},
 		{
 			Kind: _crdType.Kind,
-			Name: self.GetSignPolicyCRDName(),
+			Name: self.GetSignerConfigCRDName(),
 		},
 		{
 			Kind: _crdType.Kind,
@@ -379,8 +379,8 @@ func (self *IntegrityShield) GetIShieldResourceList(scheme *runtime.Scheme) ([]*
 			Namespace: self.Namespace,
 		},
 		{
-			Kind:      _spolType.Kind,
-			Name:      self.GetSignPolicyCRName(),
+			Kind:      _sigconfType.Kind,
+			Name:      self.GetSignerConfigCRName(),
 			Namespace: self.Namespace,
 		},
 		{

integrity-shield-operator/bundle/manifests/apis.integrityshield.io_integrityshields.yaml

@@ -1114,7 +1114,7 @@ spec:
                   format: int32
                   type: integer
               type: object
-            signPolicy:
+            signerConfig:
               properties:
                 breakGlass:
                   items:

integrity-shield-operator/bundle/manifests/integrity-shield-operator.clusterserviceversion.yaml

@@ -17,7 +17,7 @@ metadata:
               }
             ],
             "namespace": "integrity-shield-operator-system",
-            "signPolicy": {
+            "signerConfig": {
               "policies": [
                 {
                   "namespaces": [
@@ -104,7 +104,7 @@ spec:
                 - integrityshields/finalizers
                 - resourcesignatures
                 - resourcesigningprofiles
-                - signpolicies
+                - signerconfigs
                 - shieldconfigs
               verbs:
                 - create

integrity-shield-operator/config/crd/bases/apis.integrityshield.io_integrityshields.yaml

@@ -1543,7 +1543,7 @@ spec:
                   format: int32
                   type: integer
               type: object
-            signPolicy:
+            signerConfig:
               properties:
                 breakGlass:
                   items:

integrity-shield-operator/config/rbac/role.yaml

@@ -26,8 +26,8 @@ rules:
   - integrityshields/finalizers
   - resourcesignatures
   - resourcesigningprofiles
-  - signpolicies
   - shieldconfigs
+  - signerconfigs
   verbs:
   - create
   - delete

integrity-shield-operator/config/samples/apis_v1alpha1_integrityshield.yaml

@@ -12,7 +12,7 @@ spec:
       exclude:
       - "kube-*"
       - "openshift-*"
-  signPolicy:
+  signerConfig:
     policies:
     - namespaces:
       - "*"

integrity-shield-operator/config/samples/apis_v1alpha1_integrityshield_local.yaml

@@ -12,7 +12,7 @@ spec:
       exclude:
       - "kube-*"
       - "openshift-*"
-  signPolicy:
+  signerConfig:
     policies:
     - namespaces:
       - "*"

integrity-shield-operator/controllers/integrityshield.go

@@ -38,7 +38,7 @@ import (
 	cert "github.com/IBM/integrity-enforcer/integrity-shield-operator/cert"
 
 	ec "github.com/IBM/integrity-enforcer/shield/pkg/apis/shieldconfig/v1alpha1"
-	spol "github.com/IBM/integrity-enforcer/shield/pkg/apis/signpolicy/v1alpha1"
+	sigconf "github.com/IBM/integrity-enforcer/shield/pkg/apis/signerconfig/v1alpha1"
 
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -111,9 +111,9 @@ func (r *IntegrityShieldReconciler) createOrUpdateShieldConfigCRD(
 	return r.createOrUpdateCRD(instance, expected)
 }
 
-func (r *IntegrityShieldReconciler) createOrUpdateSignPolicyCRD(
+func (r *IntegrityShieldReconciler) createOrUpdateSignerConfigCRD(
 	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
-	expected := res.BuildSignPolicyCRD(instance)
+	expected := res.BuildSignerConfigCRD(instance)
 	return r.createOrUpdateCRD(instance, expected)
 }
 func (r *IntegrityShieldReconciler) createOrUpdateResourceSignatureCRD(
@@ -213,14 +213,14 @@ func (r *IntegrityShieldReconciler) createOrUpdateShieldConfigCR(instance *apiv1
 
 }
 
-func (r *IntegrityShieldReconciler) createOrUpdateSignPolicyCR(instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
+func (r *IntegrityShieldReconciler) createOrUpdateSignerConfigCR(instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
 	ctx := context.Background()
-	found := &spol.SignPolicy{}
-	expected := res.BuildSignPolicyForIShield(instance)
+	found := &sigconf.SignerConfig{}
+	expected := res.BuildSignerConfigForIShield(instance)
 
 	reqLogger := r.Log.WithValues(
 		"Instance.Name", instance.Name,
-		"SignPolicy.Name", expected.Name)
+		"SignerConfig.Name", expected.Name)
 
 	// Set CR instance as the owner and controller
 	err := controllerutil.SetControllerReference(instance, expected, r.Scheme)

integrity-shield-operator/controllers/integrityshield_controller.go

@@ -48,7 +48,7 @@ type IntegrityShieldReconciler struct {
 // +kubebuilder:rbac:groups=apps,resources=deployments/finalizers,resourceNames=integrity-shield-operator,verbs=update
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get
 // +kubebuilder:rbac:groups=apps,resources=deployments;replicasets,verbs=get
-// +kubebuilder:rbac:groups=apis.integrityshield.io,resources=integrityshields;integrityshields/finalizers;shieldconfigs;signpolicies;resourcesigningprofiles;resourcesignatures;helmreleasemetadatas,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apis.integrityshield.io,resources=integrityshields;integrityshields/finalizers;shieldconfigs;signerconfigs;resourcesigningprofiles;resourcesignatures;helmreleasemetadatas,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=*
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=*
 // +kubebuilder:rbac:groups=policy,resources=podsecuritypolicies,verbs=get;list;watch;create;update;patch;delete
@@ -91,7 +91,7 @@ func (r *IntegrityShieldReconciler) Reconcile(req ctrl.Request) (ctrl.Result, er
 		return recResult, recErr
 	}
 
-	recResult, recErr = r.createOrUpdateSignPolicyCRD(instance)
+	recResult, recErr = r.createOrUpdateSignerConfigCRD(instance)
 	if recErr != nil || recResult.Requeue {
 		return recResult, recErr
 	}
@@ -120,7 +120,7 @@ func (r *IntegrityShieldReconciler) Reconcile(req ctrl.Request) (ctrl.Result, er
 		return recResult, recErr
 	}
 
-	recResult, recErr = r.createOrUpdateSignPolicyCR(instance)
+	recResult, recErr = r.createOrUpdateSignerConfigCR(instance)
 	if recErr != nil || recResult.Requeue {
 		return recResult, recErr
 	}

integrity-shield-operator/controllers/suite_test.go

@@ -50,7 +50,7 @@ import (
 	rs "github.com/IBM/integrity-enforcer/shield/pkg/apis/resourcesignature/v1alpha1"
 	rsp "github.com/IBM/integrity-enforcer/shield/pkg/apis/resourcesigningprofile/v1alpha1"
 	ec "github.com/IBM/integrity-enforcer/shield/pkg/apis/shieldconfig/v1alpha1"
-	spol "github.com/IBM/integrity-enforcer/shield/pkg/apis/signpolicy/v1alpha1"
+	sigconf "github.com/IBM/integrity-enforcer/shield/pkg/apis/signerconfig/v1alpha1"
 	"github.com/IBM/integrity-enforcer/shield/pkg/common"
 	scc "github.com/openshift/api/security/v1"
 
@@ -148,7 +148,7 @@ var _ = BeforeSuite(func(done Done) {
 	err = ec.AddToScheme(scheme)
 	err = rsp.AddToScheme(scheme)
 	err = rs.AddToScheme(scheme)
-	err = spol.AddToScheme(scheme)
+	err = sigconf.AddToScheme(scheme)
 
 	Expect(err).NotTo(HaveOccurred())