alpha0.1

.gitignore

@@ -23,3 +23,11 @@ Dockerfile.cross
 *.swp
 *.swo
 *~
+
+# macOS paraphernalia
+.DS_Store
+
+bin/*
+
+# macOS paraphernalia
+.DS_Store

Dockerfile

@@ -1,9 +1,8 @@
-# Build the manager binary
 FROM golang:1.19 as builder
 ARG TARGETOS
 ARG TARGETARCH
 
-WORKDIR /workspace
+WORKDIR /go/src/github.com/traas-stack/altershield-operator
 
 # Copy the Go Modules manifests
 COPY go.mod go.mod
@@ -13,27 +12,28 @@ COPY go.sum go.sum
 RUN go mod download
 
 # Copy the go source
-COPY main.go main.go
-COPY apis/ apis/
-COPY controllers/ controllers/
-COPY routers/ routers/
-COPY runnable/ runnable/
+COPY . /go/src/github.com/traas-stack/altershield-operator
+
+RUN cd /go/src/github.com/traas-stack/altershield-operator/certs && \
+    sh generate-tls-certificates.sh
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
 #RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager main.go
-RUN CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -a -o manager main.go
+RUN GO111MODULE=on CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -a -o manager main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 #FROM gcr.io/distroless/static:nonroot
 FROM alpine:3.16 AS final
 RUN apk update && apk add curl
 WORKDIR /
-COPY --from=builder /workspace/manager .
+COPY --from=builder /go/src/github.com/traas-stack/altershield-operator/manager .
+COPY --from=builder /go/src/github.com/traas-stack/altershield-operator/certs/tls.crt /tmp/k8s-webhook-server/serving-certs/tls.crt
+COPY --from=builder /go/src/github.com/traas-stack/altershield-operator/certs/tls.key /tmp/k8s-webhook-server/serving-certs/tls.key
 USER 65532:65532
 #USER root
 

PROJECT

@@ -5,7 +5,7 @@ plugins:
   manifests.sdk.operatorframework.io/v2: {}
   scorecard.sdk.operatorframework.io/v2: {}
 projectName: altershieldoperator
-repo: gitlab.alipay-inc.com/common_release/altershieldoperator
+repo: github.com/traas-stack/altershield-operator
 resources:
 - api:
     crdVersion: v1
@@ -14,7 +14,7 @@ resources:
   domain: ops.cloud.alipay.com
   group: app
   kind: OpsCheckRecord
-  path: gitlab.alipay-inc.com/common_release/altershieldoperator/api/v1alpha1
+  path: github.com/traas-stack/altershield-operator/api/v1alpha1
   version: v1alpha1
 - api:
     crdVersion: v1
@@ -23,7 +23,7 @@ resources:
   domain: ops.cloud.alipay.com
   group: app
   kind: OpsConfigInfo
-  path: gitlab.alipay-inc.com/common_release/altershieldoperator/api/v1alpha1
+  path: github.com/traas-stack/altershield-operator/api/v1alpha1
   version: v1alpha1
 - api:
     crdVersion: v1
@@ -32,7 +32,7 @@ resources:
   domain: ops.cloud.alipay.com
   group: app
   kind: OpsCheckOrder
-  path: gitlab.alipay-inc.com/common_release/altershieldoperator/api/v1alpha1
+  path: github.com/traas-stack/altershield-operator/api/v1alpha1
   version: v1alpha1
 - api:
     crdVersion: v1
@@ -41,7 +41,7 @@ resources:
   domain: ops.cloud.alipay.com
   group: app
   kind: ExeOrder
-  path: gitlab.alipay-inc.com/common_release/altershieldoperator/api/v1alpha1
+  path: github.com/traas-stack/altershield-operator/api/v1alpha1
   version: v1alpha1
 - api:
     crdVersion: v1
@@ -50,7 +50,7 @@ resources:
   domain: ops.cloud.alipay.com
   group: app
   kind: ExeNode
-  path: gitlab.alipay-inc.com/common_release/altershieldoperator/api/v1alpha1
+  path: github.com/traas-stack/altershield-operator/api/v1alpha1
   version: v1alpha1
 - api:
     crdVersion: v1
@@ -59,7 +59,7 @@ resources:
   domain: ops.cloud.alipay.com
   group: app
   kind: ChangeWorkload
-  path: gitlab.alipay-inc.com/common_release/altershieldoperator/api/v1alpha1
+  path: github.com/traas-stack/altershield-operator/api/v1alpha1
   version: v1alpha1
 - api:
     crdVersion: v1
@@ -68,17 +68,33 @@ resources:
   domain: ops.cloud.alipay.com
   group: app
   kind: ChangePod
-  path: gitlab.alipay-inc.com/common_release/altershieldoperator/api/v1alpha1
+  path: github.com/traas-stack/altershield-operator/api/v1alpha1
   version: v1alpha1
 - api:
     crdVersion: v1
     namespaced: true
   group: apps
   kind: Deployment
-  path: gitlab.alipay-inc.com/common_release/altershieldoperator/apis/apps/v1
+  path: github.com/traas-stack/altershield-operator/apis/apps/v1
   version: v1
   webhooks:
     defaulting: true
     validation: true
     webhookVersion: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  group: app.ops.cloud.alipay.com
+  kind: ChangeDefense
+  path: github.com/traas-stack/altershield-operator/apis/app.ops.cloud.alipay.com/v1alpha1
+  version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  group: app.ops.cloud.alipay.com
+  kind: ChangeDefenseExecution
+  path: github.com/traas-stack/altershield-operator/apis/app.ops.cloud.alipay.com/v1alpha1
+  version: v1alpha1
 version: "3"

apis/app.ops.cloud.alipay.com/v1alpha1/changedefense_types.go

@@ -0,0 +1,134 @@
+/*
+Copyright 2023.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+type TargetType string
+
+const (
+	TargetTypeWorkload TargetType = "workload"
+)
+
+// ChangeDefenseSpec defines the desired state of ChangeDefense
+type ChangeDefenseSpec struct {
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	// Target indicates the resource that needs change defense
+	Target *TargetRef `json:"target"`
+	// DefenseStrategy indicates the defense strategy on targeted resource changes
+	DefenseStrategy *DefenseStrategy `json:"defenseStrategy"`
+	// RiskPolicy indicates what to do on risks discovered by defense strategy
+	// +kubebuilder:validation:Optional
+	RiskPolicy *RiskPolicy `json:"riskPolicy"`
+}
+
+// TargetRef defines the object that needs change defense
+type TargetRef struct {
+	// Type of change resource target
+	Type TargetType `json:"type"`
+	// ObjectRef references the targeted kubernetes object
+	ObjectRef *ObjectRef `json:"objectRef"`
+}
+
+// DefenseStrategy defines the defense strategy on resource changes
+type DefenseStrategy struct {
+	// Workload indicates the defense strategy on targeted workload changes
+	// +kubebuilder:validation:Optional
+	Workload WorkloadDefenseStrategy `json:"workload"`
+}
+
+// Workload defines the defense strategy on workload changes
+type WorkloadDefenseStrategy struct {
+	// Steps define the order of phases to execute defense in batches(e.g. 20%, 40%, 60%, 80%, 100%)
+	Steps []WorkloadDefenseStep `json:"steps"`
+}
+
+type WorkloadDefenseStep struct {
+	Partition intstr.IntOrString `json:"partition"`
+	// +kubebuilder:validation:Optional
+	CheckAfterComplete *int32 `json:"checkAfterComplete"`
+}
+
+// RiskPolicy defines what to do on risks discovered by defense strategy
+type RiskPolicy struct {
+}
+
+type ObjectRef struct {
+	// API Version of the referent
+	APIVersion string `json:"apiVersion"`
+	// Kind of the referent
+	Kind string `json:"kind"`
+	// Name of the referent
+	Name string `json:"name"`
+}
+
+type DefensePhase string
+const (
+	DefensePhaseInitial     DefensePhase = "Initial"
+	DefensePhasePreCheck    DefensePhase = "PreCheck"
+	DefensePhaseProgressing DefensePhase = "Progressing"
+	DefensePhaseObserving 	DefensePhase = "Observing"
+	DefensePhasePostCheck   DefensePhase = "PostCheck"
+	DefensePhasePassed      DefensePhase = "Passed"
+	DefensePhaseFailed      DefensePhase = "Failed"
+	DefensePhaseSkipped     DefensePhase = "Skipped"
+)
+
+// ChangeDefenseStatus defines the observed state of ChangeDefense
+type ChangeDefenseStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+	// +kubebuilder:validation:Optional
+	CurrentExecutionID string `json:"currentExecutionID"`
+	// +kubebuilder:validation:Optional
+	Verdict string `json:"verdict"`
+	// +kubebuilder:validation:Optional
+	Phase DefensePhase `json:"phase"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// ChangeDefense is the Schema for the changedefenses API
+type ChangeDefense struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ChangeDefenseSpec   `json:"spec,omitempty"`
+	Status ChangeDefenseStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// ChangeDefenseList contains a list of ChangeDefense
+type ChangeDefenseList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ChangeDefense `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ChangeDefense{}, &ChangeDefenseList{})
+}