feat(evaluator): unleash flag cves_without_errata_evaluator

Utilize Unleash feature flags for cves_without_errata_evaluator. Flag name: vulnerability.cves_without_errata_evaluator RHINENG-1700
RedHatInsights · Aug 31, 2023 · 926450b · 926450b
1 parent d2802bb
commit 926450b
Show file tree

Hide file tree

Showing 9 changed files with 29 additions and 10 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -65,6 +65,7 @@ USER insights
 EXPOSE 8000
 
 ADD entrypoint.sh                          /engine/
+ADD develfeatureflags.json                 /engine/
 ADD manager.healthz.spec.yaml              /engine/
 ADD manager.admin.spec.yaml                /engine/
 ADD /database/upgrade/dbupgrade.sh         /engine/

diff --git a/common/config.py b/common/config.py
@@ -69,7 +69,6 @@ def __init__(self):
 
         self.vmaas_vulnerabilities_api = os.getenv("VMAAS_VULNERABILITIES_API", "/api/vmaas/v3/vulnerabilities")
         self.cves_without_errata = strtobool(os.getenv("CVES_WITHOUT_ERRATA", "FALSE"))
-        self.cves_without_errata_evaluator = strtobool(os.getenv("CVES_WITHOUT_ERRATA_EVALUATOR", "FALSE"))
 
         self.evaluator_prometheus_port = 8085
         self.taskomatic_prometheus_port = 8085

diff --git a/conf/common.env b/conf/common.env
@@ -37,4 +37,4 @@ CVES_WITHOUT_ERRATA=true
 UNLEASH_CACHE_DIR=/tmp/unleash_cache
 UNLEASH_TOKEN=
 UNLEASH_URL=
-UNLEASH_BOOTSTRAP_FILE=
+UNLEASH_BOOTSTRAP_FILE=develfeatureflags.json
diff --git a/conf/evaluator.env b/conf/evaluator.env
@@ -6,4 +6,3 @@ DB_MIN_POOL_SIZE=10
 DB_MAX_POOL_SIZE=30
 MAX_LOADED_EVALUATOR_MSGS=30
 USE_VMAAS_GO=true
-CVES_WITHOUT_ERRATA_EVALUATOR=true
diff --git a/deploy/clowdapp.yaml b/deploy/clowdapp.yaml
@@ -10,6 +10,7 @@ objects:
     name: vulnerability-engine
   spec:
     envName: ${ENV_NAME}
+    featureFlags: true
     deployments:
     - name: manager-service
       minReplicas: ${{REPLICAS_MANAGER}}
@@ -393,8 +394,6 @@ objects:
           value: ${MAX_LOADED_EVALUATOR_MSGS}
         - name: USE_VMAAS_GO
           value: ${USE_VMAAS_GO}
-        - name: CVES_WITHOUT_ERRATA_EVALUATOR
-          value: ${CVES_WITHOUT_ERRATA_EVALUATOR}
         resources:
           limits:
             cpu: ${{CPU_LIMIT_EVALUATOR_RECALC}}
@@ -446,8 +445,6 @@ objects:
           value: ${MAX_LOADED_EVALUATOR_MSGS}
         - name: USE_VMAAS_GO
           value: ${USE_VMAAS_GO}
-        - name: CVES_WITHOUT_ERRATA_EVALUATOR
-          value: ${CVES_WITHOUT_ERRATA_EVALUATOR}
         resources:
           limits:
             cpu: ${{CPU_LIMIT_EVALUATOR_UPLOAD}}
@@ -985,8 +982,6 @@ parameters:
   value: '10'
 - name: CVES_WITHOUT_ERRATA
   value: "FALSE"
-- name: CVES_WITHOUT_ERRATA_EVALUATOR
-  value: "FALSE"
 - name: GRANULAR_RBAC
   value: "TRUE"
 - name: MAX_LOADED_EVALUATOR_MSGS

diff --git a/develfeatureflags.json b/develfeatureflags.json
@@ -0,0 +1,19 @@
+{
+  "version": 1,
+  "features": [
+    {
+      "name": "vulnerability.cves_without_errata_evaluator",
+      "type": "release",
+      "enabled": false,
+      "stale": false,
+      "strategies": [
+        {
+          "name": "default",
+          "parameters": {}
+        }
+      ],
+      "strategy": "default",
+      "parameters": {}
+    }
+  ]
+}
diff --git a/evaluator/README.md b/evaluator/README.md
@@ -16,6 +16,9 @@ System CVEs returned from VMaaS are processed by a given logic:
 System-CVE links are represented in `system_vulnerabilities` table. Evaluator is caching the number of current CVEs to which system is vulnerable to the database, which is later used in some endpoints.
 After given evaluation, the new changes are sent to the Notificator service, `vulnerability.evaluator.results`.
 
+To enable evaluation of CVEs without errata set `vulnerability.cves_without_errata_evaluator` feature flag on.
+This can be done in an Unleash instance or bootsrapped in a JSON file via `UNLEASH_BOOTSTRAP_FILE` environment variable.
+
 ### Incoming message
 ```
 {

diff --git a/evaluator/evaluator.py b/evaluator/evaluator.py
@@ -14,6 +14,7 @@
 from .common import PROMETHEUS_PORT
 from .processor import EvaluatorProcessor
 from common.database_handler import setup_async_db_pool
+from common.feature_flags import initialize_unleash
 from common.logging import get_logger
 from common.logging import init_logging
 from common.mqueue import MQReader
@@ -112,6 +113,7 @@ async def stop(self):
 def main():
     """Main"""
     init_logging()
+    initialize_unleash()
     loop = asyncio.get_event_loop()
 
     status_app = create_status_app(LOGGER)

diff --git a/evaluator/logic.py b/evaluator/logic.py
@@ -28,6 +28,7 @@
 from .common import VmaasErrorException
 from .common import VulnerablePackageCache
 from common.constants import format_vmaas_cve_endpoint
+from common.feature_flags import UNLEASH
 from common.logging import get_logger
 from common.peewee_model import VulnerabilityState
 from common.vmaas_client import vmaas_request
@@ -467,7 +468,7 @@ async def _evaluate_vmaas_res(
             )
 
         # don't look on unfixed cves if the feature flag is off
-        if not CFG.cves_without_errata_evaluator:
+        if not UNLEASH.is_enabled("vulnerability.cves_without_errata_evaluator"):
             return sys_vuln_rows
 
         # aggregate unfixed cves, get (package name, cpe) pairs and list of cves for these pairs