

feat(dtrack): expose mTLS configuration (#427)
Signed-off-by: Lucas Pape <[email protected]>
lpape-ionos authored Jun 20, 2023
1 parent 29c135e commit c3ce966
Showing 4 changed files with 58 additions and 6 deletions.
3 changes: 3 additions & 0 deletions README.md
Expand Up @@ -137,6 +137,9 @@ not present in the cluster anymore are removed from the configured targets (exce
| `dtrack-base-url` | `true` when `dtrack` target is used | `""` | Dependency-Track base URL, e.g. 'https://dtrack.example.com' |
| `dtrack-api-key` | `true` when `dtrack` target is used | `""` | Dependency-Track API key |
| `dtrack-label-tag-matcher` | `false` | `""` | Dependency-Track Pod-Label-Tag matcher regex |
| `dtrack-ca-cert-file` | `false` | `""` | CA-Certificate filepath when using mTLS to connect to dtrack |
| `dtrack-client-cert-file` | `true` when `dtrack-ca-cert-file` is provided | `""` | Client-Certificate filepath when using mTLS to connect to dtrack |
| `dtrack-client-key-file` | `true` when `dtrack-ca-cert-file` is provided | `""` | Client-Key filepath when using mTLS to connect to dtrack |
| `kubernetes-cluster-id` | `false` | `"default"` | Kubernetes Cluster ID (to be used in Dependency-Track or Job-Images) |

Each image in the cluster is created as project with the full-image name (registry and image-path without tag) and the image-tag as project-version.
6 changes: 6 additions & 0 deletions internal/config.go
Expand Up @@ -22,6 +22,9 @@ type Config struct {
DtrackBaseUrl string `yaml:"dtrackBaseUrl" env:"SBOM_DTRACK_BASE_URL" flag:"dtrack-base-url"`
DtrackApiKey string `yaml:"dtrackApiKey" env:"SBOM_DTRACK_API_KEY" flag:"dtrack-api-key"`
DtrackLabelTagMatcher string `yaml:"dtrackLabelTagMatcher" env:"SBOM_DTRACK_LABEL_TAG_MATCHER" flag:"dtrack-label-tag-matcher"`
DtrackCaCertFile string `yaml:"dtrackCaCertFile" env:"SBOM_DTRACK_CA_CERT_FILE" flag:"dtrack-ca-cert-file"`
DtrackClientCertFile string `yaml:"dtrackClientCertFile" env:"SBOM_DTRACK_CLIENT_CERT_FILE" flag:"dtrack-client-cert-file"`
DtrackClientKeyFile string `yaml:"dtrackClientKeyFile" env:"SBOM_DTRACK_CLIENT_KEY_FILE" flag:"dtrack-client-key-file"`
KubernetesClusterId string `yaml:"kubernetesClusterId" env:"SBOM_KUBERNETES_CLUSTER_ID" flag:"kubernetes-cluster-id"`
JobImage string `yaml:"jobImage" env:"SBOM_JOB_IMAGE" flag:"job-image"`
JobImagePullSecret string `yaml:"jobImagePullSecret" env:"SBOM_JOB_IMAGE_PULL_SECRET" flag:"job-image-pull-secret"`
Expand Down Expand Up @@ -56,6 +59,9 @@ var (
/* #nosec */
ConfigKeyDependencyTrackApiKey = "dtrack-api-key"
ConfigKeyDependencyTrackLabelTagMatcher = "dtrack-label-tag-matcher"
ConfigKeyDependencyTrackCaCertFile = "dtrack-ca-cert-file"
ConfigKeyDependencyTrackClientCertFile = "dtrack-client-cert-file"
ConfigKeyDependencyTrackClientKeyFile = "dtrack-client-key-file"
ConfigKeyKubernetesClusterId = "kubernetes-cluster-id"
ConfigKeyJobImage = "job-image"
/* #nosec */
5 changes: 4 additions & 1 deletion internal/processor/processor.go
Expand Up @@ -135,8 +135,11 @@ func initTargets(k8s *kubernetes.KubeClient) []target.Target {
baseUrl := internal.OperatorConfig.DtrackBaseUrl
apiKey := internal.OperatorConfig.DtrackApiKey
podLabelTagMatcher := internal.OperatorConfig.DtrackLabelTagMatcher
caCertFile := internal.OperatorConfig.DtrackCaCertFile
clientCertFile := internal.OperatorConfig.DtrackClientCertFile
clientKeyFile := internal.OperatorConfig.DtrackClientKeyFile
k8sClusterId := internal.OperatorConfig.KubernetesClusterId
t := dtrack.NewDependencyTrackTarget(baseUrl, apiKey, podLabelTagMatcher, k8sClusterId)
t := dtrack.NewDependencyTrackTarget(baseUrl, apiKey, podLabelTagMatcher, caCertFile, clientCertFile, clientKeyFile, k8sClusterId)
err = t.ValidateConfig()
targets = append(targets, t)
} else if ta == "oci" {
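Review bot: The new `NewDependencyTrackTarget` call on the replaced line passes seven positional `string` arguments, three of them file paths, so an accidental swap of `clientCertFile` and `clientKeyFile` compiles cleanly and only fails at TLS handshake time; grouping the three TLS paths into a small struct (or a single options value) would make the call site self-describing. `initTargets` begins before the hunk, and whether the `err` assigned from `t.ValidateConfig()` is checked lies outside the visible lines.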
50 changes: 45 additions & 5 deletions internal/target/dtrack/dtrack_target.go
Expand Up @@ -18,9 +18,14 @@ import (
)

type DependencyTrackTarget struct {
clientOptions []dtrack.ClientOption

baseUrl string
apiKey string
podLabelTagMatcher string
caCertFile string
clientCertFile string
clientKeyFile string
k8sClusterId string
imageProjectMap map[string]uuid.UUID
}
Expand All @@ -32,12 +37,15 @@ const (
podNamespaceTagKey = "namespace"
)

func NewDependencyTrackTarget(baseUrl, apiKey, podLabelTagMatcher, k8sClusterId string) *DependencyTrackTarget {
func NewDependencyTrackTarget(baseUrl, apiKey, podLabelTagMatcher, caCertFile, clientCertFile, clientKeyFile, k8sClusterId string) *DependencyTrackTarget {
return &DependencyTrackTarget{
baseUrl: baseUrl,
apiKey: apiKey,
k8sClusterId: k8sClusterId,
podLabelTagMatcher: podLabelTagMatcher,
caCertFile: caCertFile,
clientCertFile: clientCertFile,
clientKeyFile: clientKeyFile,
k8sClusterId: k8sClusterId,
}
}

Expand All @@ -48,10 +56,36 @@ func (g *DependencyTrackTarget) ValidateConfig() error {
if g.apiKey == "" {
return fmt.Errorf("%s is empty", internal.ConfigKeyDependencyTrackApiKey)
}
if g.caCertFile != "" {
if g.clientCertFile == "" {
return fmt.Errorf(
"%s provided but %s is empty",
internal.ConfigKeyDependencyTrackCaCertFile,
internal.ConfigKeyDependencyTrackClientCertFile,
)
}

if g.clientKeyFile == "" {
return fmt.Errorf(
"%s provided but %s is empty",
internal.ConfigKeyDependencyTrackCaCertFile,
internal.ConfigKeyDependencyTrackClientKeyFile,
)
}
}

return nil
}

func (g *DependencyTrackTarget) Initialize() error {
g.clientOptions = []dtrack.ClientOption{}

g.clientOptions = append(g.clientOptions, dtrack.WithAPIKey(g.apiKey))

if len(g.caCertFile) > 0 {
g.clientOptions = append(g.clientOptions, dtrack.WithMTLS(g.caCertFile, g.clientCertFile, g.clientKeyFile))
}

return nil
}

Expand All @@ -63,7 +97,7 @@ func (g *DependencyTrackTarget) ProcessSbom(ctx *target.TargetContext) error {
return nil
}

client, err := dtrack.NewClient(g.baseUrl, dtrack.WithAPIKey(g.apiKey))
client, err := dtrack.NewClient(g.baseUrl, g.clientOptions...)
if err != nil {
logrus.WithError(err).Errorf("failed to init dtrack client")
return err
Expand Down Expand Up @@ -135,7 +169,10 @@ func (g *DependencyTrackTarget) ProcessSbom(ctx *target.TargetContext) error {
}

func (g *DependencyTrackTarget) LoadImages() []*libk8s.RegistryImage {
client, _ := dtrack.NewClient(g.baseUrl, dtrack.WithAPIKey(g.apiKey))
client, err := dtrack.NewClient(g.baseUrl, g.clientOptions...)
if err != nil {
logrus.WithError(err).Errorf("failed to init dtrack client")
}

if g.imageProjectMap == nil {
g.imageProjectMap = make(map[string]uuid.UUID)
Expand Down Expand Up @@ -200,7 +237,10 @@ func (g *DependencyTrackTarget) Remove(images []*libk8s.RegistryImage) {
g.LoadImages()
}

client, _ := dtrack.NewClient(g.baseUrl, dtrack.WithAPIKey(g.apiKey))
client, err := dtrack.NewClient(g.baseUrl, g.clientOptions...)
if err != nil {
logrus.WithError(err).Errorf("failed to init dtrack client")
}

for _, img := range images {
uuid := g.imageProjectMap[img.ImageID]
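Review bot: In `LoadImages` and `Remove`, the `dtrack.NewClient` error is now logged but execution continues with a nil `client`, so a bad mTLS setup (an unreadable certificate path, for instance) would surface as a nil-pointer panic on the first use of `client` rather than as the logged error; both sites should bail out after logging, `return nil` in `LoadImages` and a bare `return` in `Remove`. `ValidateConfig` only checks that the three paths are non-empty, so the first point at which an unreadable file can fail is presumably this `NewClient` call, which is why the early return matters. Related, `Initialize` appends `WithMTLS` only when `caCertFile` is set, so a client certificate and key supplied without a CA file are silently ignored; `ValidateConfig` could reject that combination with an error in the same `%s provided but %s is empty` style. Both `LoadImages` and `Remove` continue beyond their hunks.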

