Lets/go (#21)

* move implementation to go * Go based implementation * dockerfile lints * use 1.22.5 only * go 1.22 * test refactor * dependabot ecosystem go * update lint action * action version bumps * add tests * add env var generation, tests, update readme * go mod 1.22 * build with signalilo * bump gh actions versions * add tests * add proxy doc * update doc
adfinis · Aug 5, 2024 · 3faa1f6 · 3faa1f6
1 parent c599b83
commit 3faa1f6
Show file tree

Hide file tree

Showing 23 changed files with 829 additions and 258 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -13,7 +13,7 @@ updates:
     commit-message:
       prefix: "chore(ci): "
     open-pull-requests-limit: 10
-  - package-ecosystem: "pip"
+  - package-ecosystem: "gomod"
     directory: "/"
     schedule:
       interval: "daily"
diff --git a/...ub/workflows/release-container-image.yaml → ...s/release-container-image-standalone.yaml b/...ub/workflows/release-container-image.yaml → ...s/release-container-image-standalone.yaml
@@ -1,4 +1,4 @@
-name: Release Container Image
+name: Release Container Image - Standalone
 
 on:
   schedule:
@@ -28,7 +28,7 @@ jobs:
         uses: docker/metadata-action@v5
         with:
           images: |
-            quay.io/adfinis/signalilo-scrubbed
+            quay.io/adfinis/scrubbed
           tags: |
             type=schedule,pattern=nightly
             type=edge
@@ -46,7 +46,7 @@ jobs:
         if: ${{ github.event_name != 'pull_request' }}
 
       - name: Build and push
-        id: docker_build_ghcr
+        id: build
         uses: docker/build-push-action@v6
         with:
           context: .

diff --git a/.github/workflows/release-container-image-with-signalilo.yaml b/.github/workflows/release-container-image-with-signalilo.yaml
@@ -0,0 +1,56 @@
+name: Release Container Image - With Signalilo
+
+on:
+  schedule:
+    - cron: '3 3 * * *'
+  pull_request:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*.*.*'
+
+jobs:
+  container:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Configure Image Metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            quay.io/adfinis/scrubbed-signalilo
+          tags: |
+            type=schedule,pattern=nightly
+            type=edge
+            type=semver,pattern=v{{version}}
+            type=semver,pattern=v{{major}}
+            type=semver,pattern=v{{major}}.{{minor}}
+            type=ref,event=pr
+
+      - name: Login to quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME}}
+          password: ${{ secrets.QUAY_ACCESS_TOKEN }}
+        if: ${{ github.event_name != 'pull_request' }}
+
+      - name: Build and push
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile.signalilo
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -0,0 +1,37 @@
+name: Security
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+permissions:
+  contents: read
+jobs:
+  scan:
+    strategy:
+      matrix:
+        go: ["1.22.5"]
+      fail-fast: true
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Setup Go ${{ matrix.go }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go }}
+          cache: false
+
+      - name: Run GoSec
+        uses: securego/gosec@master
+        with:
+          args: -exclude-dir examples ./...
+
+      - name: Run GoVulnCheck
+        uses: golang/govulncheck-action@v1
+        with:
+          go-version-input: ${{ matrix.go }}
+          go-package: ./...
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -1,25 +1,35 @@
 name: Test
-on: pull_request
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+permissions:
+  contents: read
 jobs:
-  ruff:
-    runs-on: ubuntu-latest
+  unit:
+    strategy:
+      matrix:
+        go: ["1.22.5"]
+        os: [ubuntu-latest, macos-latest, windows-latest]
+      fail-fast: true
+    runs-on: ${{ matrix.os }}
     steps:
-      - name: Checkout
+      - name: Checkout Code
         uses: actions/checkout@v4
-      - name: Setup Python
-        uses: actions/setup-python@v5
+
+      - name: Setup Go ${{ matrix.go }}
+        uses: actions/setup-go@v5
         with:
-          python-version: 3.x
-      - name: ruff
-        run: |
-          pip install -r requirements-dev.txt
-          ruff format --check
-          ruff check . --output-format=github
-  shellcheck:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Run shellcheck
-        id: shellcheck
-        uses: ludeeus/[email protected]
+          go-version: ${{ matrix.go }}
+          cache: false
+
+      - name: Run Tests
+        run: go test -race -cover -coverprofile=coverage -covermode=atomic -v ./...
+
+      # - name: Upload coverage to Codecov
+      #   uses: codecov/codecov-action@v4
+      #   with:
+      #     files: ./coverage
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -0,0 +1,32 @@
+name: Verify
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+permissions:
+  contents: read
+jobs:
+  lint:
+    strategy:
+      matrix:
+        go: ["1.22.5"]
+      fail-fast: true
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Setup Go ${{ matrix.go }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go }}
+          cache: false
+
+      - name: Run GolangCI-Lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: v1.59
+          args: --timeout=5m
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,2 @@
-__pycache__/
-venv/
-build/
-dist/
-*.spec
-.venv/
+scrubbed
+coverage.coverprofile
diff --git a/Dockerfile b/Dockerfile
@@ -1,15 +1,21 @@
-FROM docker.io/library/python:3.12 AS scrubbed
+FROM golang:1.22 AS builder
 
 WORKDIR /src
 
-COPY Makefile initenv.sh requirements.txt scrubbed.py .
+COPY go.mod go.sum .
 
-RUN make static
+RUN go mod download
 
-FROM quay.io/vshn/signalilo:v0.14.0 AS signalilo
+COPY *.go Makefile .
 
-FROM docker.io/library/debian:bookworm
+RUN make build
 
-COPY --from=signalilo /usr/local/bin/signalilo /usr/local/bin/
+FROM registry.access.redhat.com/ubi9/ubi-micro:9.4
 
-COPY --from=scrubbed /src/dist/scrubbed /usr/local/bin/
+COPY --from=builder /src/scrubbed /usr/local/bin/
+
+EXPOSE 8080
+
+EXPOSE 8443
+
+ENTRYPOINT ["/usr/local/bin/scrubbed"]
diff --git a/Dockerfile.signalilo b/Dockerfile.signalilo
@@ -0,0 +1,25 @@
+FROM golang:1.22 AS builder
+
+WORKDIR /src
+
+COPY go.mod go.sum .
+
+RUN go mod download
+
+COPY *.go Makefile .
+
+RUN make build
+
+FROM quay.io/vshn/signalilo:v0.14.0 AS signalilo
+
+FROM registry.access.redhat.com/ubi9/ubi-micro:9.4
+
+COPY --from=signalilo /usr/local/bin/signalilo /usr/local/bin/
+
+COPY --from=builder /src/scrubbed /usr/local/bin/
+
+EXPOSE 8080
+
+EXPOSE 8443
+
+ENTRYPOINT ["/usr/local/bin/scrubbed"]
diff --git a/Makefile b/Makefile
@@ -5,22 +5,45 @@
 help:
 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
 
+GO_LINT=$(shell which golangci-lint 2> /dev/null || echo '')
+GO_LINT_URI=github.com/golangci/golangci-lint/cmd/golangci-lint@latest
 
-# -t $(IMAGE_NAME):$(VERSION) .
+GO_SEC=$(shell which gosec 2> /dev/null || echo '')
+GO_SEC_URI=github.com/securego/gosec/v2/cmd/gosec@latest
 
-.PHONY: image
-image: ## Create Docker image
-	podman build .
-	@echo built image $(IMAGE_NAME)
+GO_VULNCHECK=$(shell which govulncheck 2> /dev/null || echo '')
+GO_VULNCHECK_URI=golang.org/x/vuln/cmd/govulncheck@latest
 
-.PHONY: venv
-venv: ## Initialize virtual environment and install dependencies
-	./initenv.sh
+.PHONY: golangci-lint
+golangci-lint: ## Run golangci-lint
+	$(if $(GO_LINT), ,go install $(GO_LINT_URI))
+	@echo "##### Running golangci-lint"
+	golangci-lint run -v
+
+.PHONY: gosec
+gosec: ## Run gosec
+	$(if $(GO_SEC), ,go install $(GO_SEC_URI))
+	@echo "##### Running gosec"
+	gosec ./...
 
-.PHONY: static
-static: venv ## Generate static binary with embedded Python
-	venv/bin/pyinstaller --onefile scrubbed.py
+.PHONY: govulncheck
+govulncheck: ## Run govulncheck
+	$(if $(GO_VULNCHECK), ,go install $(GO_VULNCHECK_URI))
+	@echo "##### Running govulncheck"
+	govulncheck ./...
 
-.PHONY: clean
-clean: ## Clean up
-	rm -rf venv/ build/ dist/ __pycache__/ scrubbed.spec
+.PHONY: verify
+verify: golangci-lint gosec govulncheck ## Run all checks
+
+.PHONY: test
+test: ## Run Go tests
+	@echo "##### Running tests"
+	go test -race -cover -coverprofile=coverage.coverprofile -covermode=atomic -v ./...
+
+.PHONY: tidy
+tidy: ## Tidy go.mod
+	go mod tidy
+
+.PHONY: build
+build: ## Build scrubbed
+	go build
diff --git a/README.md b/README.md
@@ -1,12 +1,10 @@
-# Signalilo With Alert Content Scrubbing
+# Alertmanager Webhook Content Scrubber
 
-This repository creates and publishes Docker image for deployment of upstream Signalilo with Alertmanager filtering proxy added.
-This proxy is useful for preventing sensitive information (e.g. IP addressess, hostnames, alert descriptions, etc.) leaving organisational boundaries when monitoring is outsourced to external entity.
-
-For convenience, filtering proxy is coupled with Signalilo. It can be easily separated if alternative alertmanager webhook receiver is used.
+This repository creates and publishes Docker image for deployment of Alertmanager filtering proxy.
 
-Raise a PR if you have a use case.
+This proxy is useful for preventing sensitive information (e.g. IP addressess, hostnames, alert descriptions, etc.) leaving organisational boundaries when monitoring is outsourced to external entity.
 
+For convenience, Dockerfile to couple filtering proxy with Signalilo is also provided.
 
 ## Installation
 
@@ -23,6 +21,10 @@ SIGNALILO_ALERTMANAGER_BEARER_TOKEN: foo
 SIGNALILO_ICINGA_PASSWORD: bar
 ```
 
+### Proxy
+
+Implicitly uses default HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables
+
 ### Alertmanager
 
 Add receiver to Alertmanager configuration:
@@ -70,4 +72,4 @@ it during the squash and merge operation on the PR.
 ## References
 
 * https://github.com/vshn/signalilo
-* https://prometheus.io/docs/alerting/latest/configuration/#webhook_config
+* https://prometheus.io/docs/alerting/latest/configuration/#webhook_config