feat: adding driver to export to disk (#3832)

Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>

Author: JaydipGabani

.github/dependabot.yml

@@ -63,3 +63,17 @@ updates:
       interval: "weekly"
     commit-message:
       prefix: "chore"
+
+  - package-ecosystem: "docker"
+    directory: "/test/export/fake-subscriber"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "docker"
+    directory: "/test/export/fake-reader"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"

.github/workflows/dapr-export.yaml

@@ -50,8 +50,8 @@ jobs:
         kind load docker-image --name kind gatekeeper-e2e:latest gatekeeper-crds:latest
         kubectl create ns gatekeeper-system
         make e2e-publisher-deploy
-        make e2e-helm-deploy HELM_REPO=gatekeeper-e2e HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest ENABLE_EXPORT=true LOG_LEVEL=DEBUG
-        make test-e2e ENABLE_EXPORT_TESTS=1
+        make e2e-helm-deploy HELM_REPO=gatekeeper-e2e HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest ENABLE_EXPORT=true LOG_LEVEL=DEBUG AUDIT_CHANNEL=audit-channel EXPORT_BACKEND=dapr
+        make test-e2e ENABLE_EXPORT_TESTS=1 EXPORT_BACKEND=dapr
 
     - name: Save logs
       if: ${{ always() }}

.github/workflows/disk-export.yaml

@@ -0,0 +1,61 @@
+name: disk-export
+on:
+  push:
+    paths:
+      - "pkg/export/dapr"
+      - "pkg/export/disk"
+      - "test/export/**"
+  pull_request:
+    paths:
+      - "pkg/export/dapr"
+      - "pkg/export/disk"
+      - "test/export/**"
+permissions: read-all
+
+jobs:
+  disk_test:
+    name: "Disk export test"
+    runs-on: ubuntu-22.04
+    timeout-minutes: 15
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+      with:
+        egress-policy: audit
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    - name: Bootstrap e2e
+      run: |
+        mkdir -p $GITHUB_WORKSPACE/bin
+        echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+        make e2e-bootstrap
+
+    - name: Run e2e
+      run: |
+        make docker-buildx IMG=gatekeeper-e2e:latest
+        make e2e-build-load-externaldata-image
+        make e2e-reader-build-image
+        make docker-buildx-crds CRD_IMG=gatekeeper-crds:latest
+        kind load docker-image --name kind gatekeeper-e2e:latest fake-reader:latest gatekeeper-crds:latest
+        kubectl create ns gatekeeper-system
+        
+        make e2e-helm-deploy HELM_REPO=gatekeeper-e2e HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest ENABLE_EXPORT=true LOG_LEVEL=DEBUG EXPORT_BACKEND=disk FAKE_READER_IMAGE_PULL_POLICY=Never AUDIT_CONNECTION=audit-connection AUDIT_CHANNEL=audit-channel EXPORT_DISK_PATH=/tmp/violations MAX_AUDIT_RESULTS=3 FAKE_READER_IMAGE=fake-reader:latest
+        
+        make test-e2e ENABLE_EXPORT_TESTS=1 EXPORT_BACKEND=disk
+
+    - name: Save logs
+      if: ${{ always() }}
+      run: |
+        kubectl logs -n gatekeeper-system -l control-plane=audit-controller -c manager --tail=-1 > logs-audit-manager.json
+        kubectl logs -n gatekeeper-system -l control-plane=audit-controller -c reader --tail=-1 > logs-audit-export.json
+
+    - name: Upload artifacts
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      if: ${{ always() }}
+      with:
+        name: export-logs
+        path: |
+          logs-*.json
+

Makefile

@@ -37,6 +37,38 @@ NODE_VERSION ?= 16-bullseye-slim
 YQ_VERSION ?= 4.30.6
 
 HELM_ARGS ?=
+HELM_DAPR_EXPORT_ARGS := --set-string auditPodAnnotations.dapr\\.io/enabled=true \
+	--set-string auditPodAnnotations.dapr\\.io/app-id=audit \
+	--set-string auditPodAnnotations.dapr\\.io/metrics-port=9999 \
+
+HELM_DISK_EXPORT_ARGS := --set audit.exportVolumeMount.path=${EXPORT_DISK_PATH} \
+	--set audit.exportConfig.maxAuditResults=${MAX_AUDIT_RESULTS} \
+	--set audit.exportSidecar.image=${FAKE_READER_IMAGE} \
+	--set audit.exportSidecar.imagePullPolicy=${FAKE_READER_IMAGE_PULL_POLICY} \
+
+HELM_EXPORT_ARGS := --set enableViolationExport=${ENABLE_EXPORT} \
+	--set audit.connection=${AUDIT_CONNECTION} \
+	--set audit.channel=${AUDIT_CHANNEL} \
+	--set exportBackend=${EXPORT_BACKEND} \
+
+HELM_EXTRA_ARGS := --set image.repository=${HELM_REPO} \
+	--set image.crdRepository=${HELM_CRD_REPO} \
+	--set image.release=${HELM_RELEASE} \
+	--set postInstall.labelNamespace.image.repository=${HELM_CRD_REPO} \
+	--set postInstall.labelNamespace.image.tag=${HELM_RELEASE} \
+	--set postInstall.labelNamespace.enabled=true \
+	--set postInstall.probeWebhook.enabled=true \
+	--set emitAdmissionEvents=true \
+	--set emitAuditEvents=true \
+	--set admissionEventsInvolvedNamespace=true \
+	--set auditEventsInvolvedNamespace=true \
+	--set disabledBuiltins={http.send} \
+	--set logMutations=true \
+	--set logLevel=${LOG_LEVEL} \
+	--set defaultCreateVAPForTemplates=${GENERATE_VAP} \
+	--set defaultCreateVAPBindingForConstraints=${GENERATE_VAPBINDING} \
+	--set mutationAnnotations=true;\
+
 GATEKEEPER_NAMESPACE ?= gatekeeper-system
 
 # When updating this, make sure to update the corresponding action in
@@ -48,6 +80,8 @@ GOLANGCI_LINT_CACHE := $(shell pwd)/.tmp/golangci-lint
 
 BENCHMARK_FILE_NAME ?= benchmarks.txt
 FAKE_SUBSCRIBER_IMAGE ?= fake-subscriber:latest
+FAKE_READER_IMAGE ?= fake-reader:latest
+FAKE_READER_IMAGE_PULL_POLICY ?= IfNotPresent
 
 ROOT_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 BIN_DIR := $(abspath $(ROOT_DIR)/bin)
@@ -106,6 +140,29 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
 \n        - --log-level=${LOG_LEVEL}\
 \n"
 
+HELM_EXPORT_VARIABLES := "audit:\
+\n  exportVolume:\
+\n    name: tmp-violations\
+\n    emptyDir: {}\
+\n  exportSidecar:\
+\n    name: go-sub\
+\n    image: ${FAKE_READER_IMAGE}\
+\n    imagePullPolicy: ${FAKE_READER_IMAGE_PULL_POLICY}\
+\n    securityContext:\
+\n      allowPrivilegeEscalation: false\
+\n      capabilities:\
+\n        drop:\
+\n        - ALL\
+\n      readOnlyRootFilesystem: true\
+\n      runAsGroup: 999\
+\n      runAsNonRoot: true\
+\n      runAsUser: 1000\
+\n      seccompProfile:\
+\n        type: RuntimeDefault\
+\n    volumeMounts:\
+\n    - mountPath: /tmp/violations\
+\n      name: tmp-violations"
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -202,53 +259,20 @@ e2e-helm-install:
 	cd .staging/helm && tar -xvf helmbin.tar.gz
 	./.staging/helm/linux-amd64/helm version --client
 
-e2e-helm-deploy: e2e-helm-install
+e2e-helm-deploy: e2e-helm-install $(LOCALBIN)
 ifeq ($(ENABLE_EXPORT),true)
 	./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name-template=gatekeeper \
 		--namespace ${GATEKEEPER_NAMESPACE} \
 		--debug --wait \
-		--set image.repository=${HELM_REPO} \
-		--set image.crdRepository=${HELM_CRD_REPO} \
-		--set image.release=${HELM_RELEASE} \
-		--set postInstall.labelNamespace.image.repository=${HELM_CRD_REPO} \
-		--set postInstall.labelNamespace.image.tag=${HELM_RELEASE} \
-		--set postInstall.labelNamespace.enabled=true \
-		--set postInstall.probeWebhook.enabled=true \
-		--set emitAdmissionEvents=true \
-		--set emitAuditEvents=true \
-		--set admissionEventsInvolvedNamespace=true \
-		--set auditEventsInvolvedNamespace=true \
-		--set disabledBuiltins={http.send} \
-		--set logMutations=true \
-		--set enableViolationExport=${ENABLE_EXPORT} \
-		--set audit.connection=${AUDIT_CONNECTION} \
-		--set audit.channel=${AUDIT_CHANNEL} \
-		--set-string auditPodAnnotations.dapr\\.io/enabled=true \
-		--set-string auditPodAnnotations.dapr\\.io/app-id=audit \
-		--set-string auditPodAnnotations.dapr\\.io/metrics-port=9999 \
-		--set logLevel=${LOG_LEVEL} \
-		--set mutationAnnotations=true;
+		$(HELM_EXPORT_ARGS) \
+		$(if $(filter disk,$(EXPORT_BACKEND)),$(HELM_DISK_EXPORT_ARGS)) \
+		$(if $(filter dapr,$(EXPORT_BACKEND)),$(HELM_DAPR_EXPORT_ARGS)) \
+		$(HELM_EXTRA_ARGS)
 else
 	./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name-template=gatekeeper \
 		--namespace ${GATEKEEPER_NAMESPACE} --create-namespace \
 		--debug --wait \
-		--set image.repository=${HELM_REPO} \
-		--set image.crdRepository=${HELM_CRD_REPO} \
-		--set image.release=${HELM_RELEASE} \
-		--set postInstall.labelNamespace.image.repository=${HELM_CRD_REPO} \
-		--set postInstall.labelNamespace.image.tag=${HELM_RELEASE} \
-		--set postInstall.labelNamespace.enabled=true \
-		--set postInstall.probeWebhook.enabled=true \
-		--set emitAdmissionEvents=true \
-		--set emitAuditEvents=true \
-		--set admissionEventsInvolvedNamespace=true \
-		--set auditEventsInvolvedNamespace=true \
-		--set disabledBuiltins={http.send} \
-		--set logMutations=true \
-		--set logLevel=${LOG_LEVEL} \
-		--set defaultCreateVAPForTemplates=${GENERATE_VAP} \
-		--set defaultCreateVAPBindingForConstraints=${GENERATE_VAPBINDING} \
-		--set mutationAnnotations=true;
+		$(HELM_EXTRA_ARGS)
 endif
 
 e2e-helm-upgrade-init: e2e-helm-install
@@ -273,23 +297,7 @@ e2e-helm-upgrade:
 	./.staging/helm/linux-amd64/helm upgrade gatekeeper manifest_staging/charts/gatekeeper \
 		--namespace ${GATEKEEPER_NAMESPACE} \
 		--debug --wait \
-		--set image.repository=${HELM_REPO} \
-		--set image.crdRepository=${HELM_CRD_REPO} \
-		--set image.release=${HELM_RELEASE} \
-		--set postInstall.labelNamespace.image.repository=${HELM_CRD_REPO} \
-		--set postInstall.labelNamespace.image.tag=${HELM_RELEASE} \
-		--set postInstall.labelNamespace.enabled=true \
-		--set postInstall.probeWebhook.enabled=true \
-		--set emitAdmissionEvents=true \
-		--set emitAuditEvents=true \
-		--set admissionEventsInvolvedNamespace=true \
-		--set auditEventsInvolvedNamespace=true \
-		--set disabledBuiltins={http.send} \
-		--set logMutations=true \
-		--set logLevel=${LOG_LEVEL} \
-		--set defaultCreateVAPForTemplates=${GENERATE_VAP} \
-		--set defaultCreateVAPBindingForConstraints=${GENERATE_VAPBINDING} \
-		--set mutationAnnotations=true;\
+		$(HELM_EXTRA_ARGS)
 
 e2e-subscriber-build-load-image:
 	docker buildx build --platform="linux/amd64" -t ${FAKE_SUBSCRIBER_IMAGE} --load -f test/export/fake-subscriber/Dockerfile test/export/fake-subscriber
@@ -302,7 +310,10 @@ e2e-subscriber-deploy:
 
 e2e-publisher-deploy:
 	kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: gatekeeper-system/' | kubectl apply -f -
-	kubectl apply -f test/export/publish-components.yaml
+	kubectl apply -f test/export/fake-subscriber/manifest/publish-components.yaml
+
+e2e-reader-build-image:
+	docker buildx build --platform="$(PLATFORM)" -t ${FAKE_READER_IMAGE} --load -f test/export/fake-reader/Dockerfile test/export/fake-reader
 
 # Build manager binary
 manager: generate

cmd/build/helmify/main.go

@@ -141,7 +141,8 @@ func (ks *kindSet) Write() error {
 				obj = "{{- if not .Values.disableAudit }}\n" + obj + "{{- end }}\n"
 				obj = strings.Replace(obj, "      labels:", "      labels:\n        {{- include \"gatekeeper.podLabels\" . | nindent 8 }}\n        {{- include \"audit.podLabels\" . | nindent 8 }}\n        {{- include \"gatekeeper.commonLabels\" . | nindent 8 }}", 1)
 				obj = strings.Replace(obj, "      priorityClassName: system-cluster-critical", "      {{- if .Values.audit.priorityClassName }}\n      priorityClassName:  {{ .Values.audit.priorityClassName }}\n      {{- end }}", 1)
-				obj = strings.Replace(obj, "      - emptyDir: {}", "      {{- if .Values.audit.writeToRAMDisk }}\n      - emptyDir:\n          medium: Memory\n      {{ else }}\n      - emptyDir: {}\n      {{- end }}", 1)
+				obj = strings.Replace(obj, "          name: tmp-volume", "          name: tmp-volume\n        {{- if and (.Values.enableViolationExport) (eq (.Values.exportBackend | default \"\" | lower) \"disk\") }}\n        - mountPath: {{ .Values.audit.exportVolumeMount.path }}\n          name: {{ .Values.audit.exportVolume.name }}\n        {{- end }}\n      {{ if and (.Values.enableViolationExport) (eq (.Values.exportBackend | default \"\" | lower) \"disk\") }}\n      - {{ toYaml .Values.audit.exportSidecar | nindent 8 }}\n      {{- end }}", 1)
+				obj = strings.Replace(obj, "      - emptyDir: {}", "      {{- if and (.Values.enableViolationExport) (eq (.Values.exportBackend | default \"\" | lower) \"disk\") }}\n      - {{- toYaml .Values.audit.exportVolume | nindent 8 }}\n      {{- end }}\n      {{- if .Values.audit.writeToRAMDisk }}\n      - emptyDir:\n          medium: Memory\n      {{ else }}\n      - emptyDir: {}\n      {{- end }}", 1)
 			}
 
 			if name == "gatekeeper-manager-role" && kind == "Role" {