refactor(main): wip (#134)

* refactor(main): wip

* simplify
* refactor unused code and features

* fix(workkflows): go version

* fix(workkflows): go version

* fix(workkflows): check latest

* fix(workflows): cache false

* fix(workflows): use single

* fix(picante): remove vipers

* fix netpol
* fix github orgs

* fix(picante): config github orgs

* update(picante): charts yml

* add(attestation): rekor index

* fix(charts): config type for github orgs should be string

Author: ybelMekk

.env.sample

@@ -4,14 +4,11 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-    open-pull-requests-limit: 5
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
-    open-pull-requests-limit: 5
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 5
+      interval: "weekly"

.github/dependabot.yml

@@ -18,7 +18,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: ">=1.22.1"
+          go-version: '>=1.22.1'
           cache-dependency-path: ./go.sum
       - run: make test
 

.github/workflows/main.yaml

@@ -19,7 +19,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: ">=1.22.1"
+          go-version: '>=1.22.1'
           cache-dependency-path: ./go.sum
       - run: make test
 
@@ -30,7 +30,7 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: dependabot-metadata
-        uses: dependabot/fetch-metadata@v1.6.0
+        uses: dependabot/fetch-metadata@v1
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
       - name: Approve a PR

.github/workflows/pr.yml

@@ -17,4 +17,3 @@ COPY --from=builder /bin/picante /app/picante
 RUN apk add --no-cache git
 
 ENTRYPOINT ["/app/picante"]
-

Dockerfile

@@ -29,6 +29,7 @@ generate-mocks:
 	go run github.com/vektra/mockery/v2 --inpackage --case snake --srcpkg ./internal/attestation --name Verifier
 
 check:
+	go version
 	go run honnef.co/go/tools/cmd/staticcheck@latest ./...
 	go run golang.org/x/vuln/cmd/govulncheck@latest ./...
 	go run golang.org/x/tools/cmd/deadcode@latest -filter "internal/test/client.go" -filter "internal/test/test.go" -test ./...

Makefile

@@ -4,10 +4,13 @@
 
 ### Setup
 
-To run in a local k8s cluster
+Pre-requisites:
 
-* Add a [picante config](hack/picante-config-example.yaml) in root of project starting with
-  name `picante`
+Copy the `.env.example` file from [here](hack/.env.sample)
+to the root of the project and rename it to `.env` and fill in the required environment variables.
+Example is listed in the `.env.example` file.
+
+To start the development environment, run the following command;
 
 ```bash
 make dtrack-up
@@ -18,3 +21,12 @@ wait for dp to be ready and run;
 ```bash
 make local
 ```
+
+Navigate to the cluster you are interested to work with, Picante will now start to fetch data from the cluster.
+And fill the local database with the data.
+
+You can now access the instance of Dependant Track by navigating to `http://localhost:9010` in your browser.
+If it is fresh start, you will need to create a user to be able to login. Navigate to `http://localhost:9010`
+Login with admin user and password `admin` and create a new password matching the password in your `.env` file.
+Navigate to Administration -> Access Management -> Teams -> Administrators and click the plus sign to add api_key to the team.
+Picante will now be able to fetch data from the cluster.

README.md

@@ -2,6 +2,6 @@ apiVersion: v2
 name: picante
 sources:
   - https://github.com/nais/picante/tree/main/charts
-description: Informer to update salsa storage with attestation data
+description: Informer to update salsa storage (dependency-track) with attestation metadata (sbom)
 type: application
 version: 0.2.5

charts/Chart.yaml

@@ -21,30 +21,22 @@ values:
     computed:
       template: '"{{.Env.name}}"'
   config.github.organizations:
-    description: Required GitHub organizations to verify image attestations
+    description: Required GitHub organizations to verify image attestations, a comma seperated list
     displayName: GitHub organization(s)
     computed:
       template: |
         {{ if or (eq .Tenant.Name "nav") (eq .Tenant.Name "dev-nais") }}
-          - navikt
-          - nais
+          "nais,navikt"
         {{ else }}
-          - nais
-          - "{{.Tenant.Name}}"
+          "nais,{{.Tenant.Name}}"
         {{ end }}
     config:
-      type: string_array
-  config.identities:
-    displayName: Preconfigured signature sa Identities
-    computed:
-      template: |
-        - issuer: "https://accounts.google.com"
-          subjectRegExp: ".*@nais-io.iam.gserviceaccount.com"
-  config.storage.password:
+      type: string
+  config.dependencytrack.password:
     displayName: dependencytrack API password
     computed:
       template: '"{{.Management.picante_dependencytrack_password}}"'
-  config.storage.api:
+  config.dependencytrack.api:
     displayName: dependencytrack API endpoint
     computed:
       template: |
@@ -53,17 +45,6 @@ values:
         {{ else }}
           "https://dependencytrack-backend.{{.Tenant.Name}}.cloud.nais.io"
         {{ end }}
-  config.teamIdentity:
-    displayName: Preconfigured team identity
-    computed:
-      template: |
-        {{ if eq .Tenant.Name "nav" }}
-          issuer: "https://accounts.google.com"
-          domain: "nais-management-233d.iam.gserviceaccount.com"
-        {{ else }}
-          issuer: "https://accounts.google.com"
-          domain: "{{.Management.project_id}}.iam.gserviceaccount.com"
-        {{ end }}
   dockerconfigjson:
     displayName: Docker config json
     required: true

charts/Feature.yaml

@@ -30,7 +30,7 @@ spec:
           env:
             - name: DOCKER_CONFIG
               value: /etc/docker-credentials
-          {{- if .Values.webproxy }}
+            {{- if .Values.webproxy }}
             - name: HTTP_PROXY
               value: http://webproxy.nais:8088
             - name: http_proxy
@@ -43,7 +43,33 @@ spec:
               value: localhost,127.0.0.1,10.254.0.1,.local,.adeo.no,.nav.no,.aetat.no,.devillo.no,.oera.no,.nais.io,.aivencloud.com,.intern.dev.nav.no
             - name: no_proxy
               value: localhost,127.0.0.1,10.254.0.1,.local,.adeo.no,.nav.no,.aetat.no,.devillo.no,.oera.no,.nais.io,.aivencloud.com,.intern.dev.nav.no
-          {{- end }}
+              {{- end }}
+            - name: CLUSTER
+              value: {{ .Values.config.cluster }}
+            - name: LOG_LEVEL
+              value: {{ .Values.config.logLevel }}
+            - name: GITHUB_ORGANIZATIONS
+              value: {{ .Values.config.github.organizations }}
+            - name: DEPENDENCYTRACK_TEAM
+              value: {{ .Values.config.dependencytrack.team }}
+            - name: DEPENDENCYTRACK_API
+              value: {{ .Values.config.dependencytrack.api }}
+            - name: DEPENDENCYTRACK_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "picante.fullname" . }}
+                  key: dependencytrack_username
+            - name: DEPENDENCYTRACK_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "picante.fullname" . }}
+                  key: dependencytrack_password
+            - name: COSIGN_KEY_REF
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "picante.fullname" . }}
+                  key: cosign_key_ref
+
           securityContext:
             runAsNonRoot: true
             runAsUser: 1000
@@ -70,7 +96,7 @@ spec:
             {{- toYaml .Values.resources | nindent 12 }}
       volumes:
         - name: writable-tmp
-          emptyDir: {}
+          emptyDir: { }
         - name: config-volume
           configMap:
             name: {{ include "picante.fullname" . }}

charts/templates/deployment.yaml

@@ -42,8 +42,8 @@ spec:
           {{- range $key, $value := .Values.fqdns }}
             - {{ $value }}
           {{- end }}
-          {{- if hasPrefix  "https" .Values.config.storage.api }}
-            - {{ get (urlParse .Values.config.storage.api) "host" }}
+          {{- if hasPrefix  "https" .Values.config.dependencytrack.api }}
+            - {{ get (urlParse .Values.config.dependencytrack.api) "host" }}
           {{- end }}
   podSelector:
     matchLabels:

charts/templates/netpol.yaml

@@ -6,21 +6,6 @@ metadata:
   labels:
     {{- include "picante.labels" . | nindent 4 }}
 stringData:
-  picante.yaml: |
-    features:
-      {{- if .Values.config.features.enabled }}
-      label-selectors:
-        {{- .Values.config.features.labelSelectors | toYaml | nindent 8 }}
-      {{- end }}
-    cosign:
-      {{- .Values.config.cosign | toYaml | nindent 6 }}
-    storage:
-    {{- .Values.config.storage | toYaml | nindent 6 }}
-    identities:
-    {{- .Values.config.identities | toYaml | nindent 6 }}
-    github:
-    {{- .Values.config.github | toYaml | nindent 6 }}
-    teamIdentity:
-    {{- .Values.config.teamIdentity | toYaml | nindent 6 }}
-    cluster: {{ .Values.config.cluster }}
-    log-level: {{ .Values.logLevel }}
+  dependencytrack_username: "{{ .Values.config.dependencytrack.username }}"
+  dependencytrack_password: "{{ .Values.config.dependencytrack.password }}"
+  cosign_key_ref: "{{ .Values.config.cosign.keyRef }}"

charts/templates/secrets.yaml

@@ -5,8 +5,6 @@ image:
   name: picante
   tag: 20230414-090558-6aaa3f2
 
-logLevel: info
-
 team: nais
 
 webproxy: false
@@ -27,25 +25,17 @@ fqdns:
   - europe-north1-docker.pkg.dev
 
 config:
-  features:
-    enabled: false
-    labelSelectors:
-      name: nais.io/salsa-verify-attestation
-      value: "true"
+  logLevel: info
   cluster: test
   cosign:
     keyRef:
-  storage:
+  dependencytrack:
     api: http://dependencytrack-backend:8080
     username: picante
     password:
     team: Administrators
-  identities: [ ]
-  teamIdentity:
-    issuer:
-    domain:
   github:
-    organizations: [ ]
+    organizations:
 
 kms:
   pubKey: |