feat: Added Server

* Added a server for Baski so that trivy results can be served up to unikorn * Updated pipeline to build a server binary and image * Updated the pipeline to use latest golang
eschercloudai · Sep 20, 2023 · dfac30f · dfac30f
1 parent 8f2a099
commit dfac30f
Show file tree

Hide file tree

Showing 31 changed files with 1,471 additions and 86 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug.md b/.github/ISSUE_TEMPLATE/bug.md
diff --git a/.github/ISSUE_TEMPLATE/feature.md b/.github/ISSUE_TEMPLATE/feature.md
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
@@ -13,7 +13,7 @@ jobs:
  - uses: actions/checkout@v3
  - uses: actions/setup-go@v3
  with:
- go-version: '1.19.2'
+ go-version: '1.21.1'
  - name: golangci-lint
  uses: golangci/golangci-lint-action@v3
  with:
@@ -27,7 +27,7 @@ jobs:
  - uses: actions/checkout@v3
  - uses: actions/setup-go@v3
  with:
- go-version: '1.19.2'
+ go-version: '1.21.1'
  - run: go test -v -cover ./...
 
  security-checks:
@@ -38,10 +38,10 @@ jobs:
  packages: write
  id-token: write
  steps:
- - name: Build Local Image
+ - name: Build Local Baski Image
  uses: eschercloudai/container-security-action@v0.0.1-beta.3
  if: github.event_name != 'pull_request'
- id: build-and-scan
+ id: build-and-scan-baski
  with:
  image-repo: ghcr.io
  repo-username: ${{ github.repository_owner }}
@@ -54,4 +54,21 @@ jobs:
  cosign-private-key: ${{secrets.COSIGN_KEY}}
  cosign-password: ${{secrets.COSIGN_PASSWORD}}
  cosign-tlog: false
- dockerfile-path: docker
+ dockerfile-path: docker/baski
+ - name: Build Local Baski Server Image
+ uses: eschercloudai/container-security-action@v0.0.1-beta.3
+ if: github.event_name != 'pull_request'
+ id: build-and-scan-server
+ with:
+ image-repo: ghcr.io
+ repo-username: ${{ github.repository_owner }}
+ repo-password: ${{ secrets.GITHUB_TOKEN }}
+ image-name: baski-server
+ image-tag: ${{ github.ref_name }}
+ min-severity: critical
+ add-latest-tag: false
+ publish-image: false
+ cosign-private-key: ${{secrets.COSIGN_KEY}}
+ cosign-password: ${{secrets.COSIGN_PASSWORD}}
+ cosign-tlog: false
+ dockerfile-path: docker/server
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
@@ -16,7 +16,7 @@ jobs:
  - uses: actions/checkout@v3
  - uses: actions/setup-go@v3
  with:
- go-version: '1.19'
+ go-version: '1.21.1'
  - name: golangci-lint
  uses: golangci/golangci-lint-action@v3
  with:
@@ -30,7 +30,7 @@ jobs:
  - uses: actions/checkout@v3
  - uses: actions/setup-go@v3
  with:
- go-version: '1.19.2'
+ go-version: '1.21.1'
  - run: go test -v -cover ./...
 
  security-checks:
@@ -41,10 +41,10 @@ jobs:
  packages: write
  id-token: write
  steps:
- - name: Build Local Image
+ - name: Build Local Baski Image
  uses: eschercloudai/container-security-action@v0.0.1-beta.3
  if: github.event_name != 'pull_request'
- id: build-and-scan
+ id: build-and-scan-baski
  with:
  image-repo: ghcr.io
  repo-username: ${{ github.repository_owner }}
@@ -57,4 +57,21 @@ jobs:
  cosign-private-key: ${{secrets.COSIGN_KEY}}
  cosign-password: ${{secrets.COSIGN_PASSWORD}}
  cosign-tlog: false
- dockerfile-path: docker
+ dockerfile-path: docker/baski
+ - name: Build Local Baski Server Image
+ uses: eschercloudai/container-security-action@v0.0.1-beta.3
+ if: github.event_name != 'pull_request'
+ id: build-and-scan-server
+ with:
+ image-repo: ghcr.io
+ repo-username: ${{ github.repository_owner }}
+ repo-password: ${{ secrets.GITHUB_TOKEN }}
+ image-name: baski-server
+ image-tag: ${{ github.ref_name }}
+ min-severity: critical
+ add-latest-tag: false
+ publish-image: false
+ cosign-private-key: ${{secrets.COSIGN_KEY}}
+ cosign-password: ${{secrets.COSIGN_PASSWORD}}
+ cosign-tlog: false
+ dockerfile-path: docker/server
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
@@ -14,7 +14,7 @@ jobs:
  - uses: actions/checkout@v3
  - uses: actions/setup-go@v3
  with:
- go-version: '1.19'
+ go-version: '1.21.1'
  - name: golangci-lint
  uses: golangci/golangci-lint-action@v3
  with:
@@ -29,7 +29,7 @@ jobs:
  - uses: actions/checkout@v3
  - uses: actions/setup-go@v3
  with:
- go-version: '1.19.2'
+ go-version: '1.21.1'
  - run: go test -v -cover ./...
 
  security-checks:
@@ -40,10 +40,10 @@ jobs:
  packages: write
  id-token: write
  steps:
- - name: Build Image
+ - name: Build Baski Image
  uses: eschercloudai/container-security-action@v0.0.1-beta.3
  if: github.event_name != 'pull_request'
- id: build-and-scan
+ id: build-and-scan-baski
  with:
  image-repo: ghcr.io
  repo-username: ${{ github.repository_owner }}
@@ -56,7 +56,24 @@ jobs:
  cosign-private-key: ${{secrets.COSIGN_KEY}}
  cosign-password: ${{secrets.COSIGN_PASSWORD}}
  cosign-tlog: true
- dockerfile-path: docker
+ dockerfile-path: docker/baski
+ - name: Build Baski Server Image
+ uses: eschercloudai/container-security-action@v0.0.1-beta.3
+ if: github.event_name != 'pull_request'
+ id: build-and-scan-server
+ with:
+ image-repo: ghcr.io
+ repo-username: ${{ github.repository_owner }}
+ repo-password: ${{ secrets.GITHUB_TOKEN }}
+ image-name: baski-server
+ image-tag: ${{ github.ref_name }}
+ min-severity: critical
+ add-latest-tag: true
+ publish-image: true
+ cosign-private-key: ${{secrets.COSIGN_KEY}}
+ cosign-password: ${{secrets.COSIGN_PASSWORD}}
+ cosign-tlog: true
+ dockerfile-path: docker/server
 
  release:
  name: Create Release
@@ -68,18 +85,22 @@ jobs:
  fetch-depth: 0
  - uses: actions/setup-go@v3
  with:
- go-version: '1.19.2'
+ go-version: '1.21.1'
  - name: Get OS and arch info
  run: |
  GOARCH=amd64
  GOOS=linux
  BINARY_NAME=${{github.repository}}-$GOOS-$GOARCH
+ SERVER_BINARY_NAME=${{github.repository}}-server-$GOOS-$GOARCH
  echo "BINARY_NAME=$BINARY_NAME" >> $GITHUB_ENV
  echo "GOOS=$GOOS" >> $GITHUB_ENV
  echo "GOARCH=$GOARCH" >> $GITHUB_ENV
- - name: Build
+ - name: Build Baski
  run: |
  CGO_ENABLED=0 go build -o "$BINARY_NAME" cmd/baski/main.go
+ - name: Build Baski-Server
+ run: |
+ CGO_ENABLED=0 go build -o "$SERVER_BINARY_NAME" cmd/baski/main.go
  - name: Release Notes
  run: |
  git log $(git describe HEAD~ --tags --abbrev=0)..HEAD --pretty='format:* %h %s%n * %an <%ae>' --no-merges >> ".github/RELEASE-TEMPLATE.md"
@@ -88,6 +109,8 @@ jobs:
  with:
  body_path: ".github/RELEASE-TEMPLATE.md"
  draft: false
- files: ${{env.BINARY_NAME}}
+ files: |
+ ${{env.BINARY_NAME}}
+ ${{env.SERVER_BINARY_NAME}}
  env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,12 @@
 # Changelog
 
-## [ Upcoming Release ]
+## [ Upcoming Release - v0.1.0-beta.9 ]
 
 ### Changed/Added
+* Added a server so baski can serve up scans via an API
+* Added initial tests
+* Updated builds to include server as a separate binary and docker image
+* Updated golang version in pipeline
 
 ### Fixed
 

diff --git a/baski-example.yaml b/baski-example.yaml
@@ -112,7 +112,9 @@ scan:
  # Minimum severity to check for during the scan.
  max-severity-type: MEDIUM
  # The bucket name in which the trivyignore file can be located.
- trivyignore-bucket: "trivy"
+ scan-bucket: "baski"
+ # The file path in the bucket to the trivyignore file.
+ trivyignore-path: ""
  # The name of the trivyignore file in the bucket.
  trivyignore-filename: ".trivyignore"
  # A list of CVEs to add to the ignore list. If a file is also provided, this list will be appended to the list within the file.

diff --git a/cmd/server/main.go b/cmd/server/main.go
@@ -0,0 +1,122 @@
+/*
+Copyright 2023 EscherCloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+ "context"
+ "errors"
+ "github.com/eschercloudai/baski/pkg/cmd/util/flags"
+ "github.com/eschercloudai/baski/pkg/server/server"
+ "github.com/spf13/cobra"
+ "log"
+ "net/http"
+ "os"
+ "os/signal"
+ "syscall"
+ "time"
+)
+
+type Options struct {
+ ip string
+ port int32
+ dev bool
+ flags.S3Flags
+ bucket string
+}
+
+func (o *Options) AddFlags(cmd *cobra.Command) {
+ cmd.Flags().StringVarP(&o.ip, "bind-address", "a", "127.0.0.1", "The ip to bind to")
+ cmd.Flags().Int32VarP(&o.port, "bind-port", "p", 8080, "The port to bind to")
+ cmd.Flags().BoolVarP(&o.dev, "dev", "d", false, "Set to true to allow all in cors world")
+ o.S3Flags.AddFlags(cmd)
+ cmd.Flags().StringVar(&o.bucket, "bucket", "baski", "The S3 bucket")
+
+ for _, flag := range []string{"endpoint", "access-key", "secret-key", "bucket"} {
+ requireFlag(cmd, flag)
+ }
+}
+
+func requireFlag(cmd *cobra.Command, name string) {
+ err := cmd.MarkFlagRequired(name)
+ if err != nil {
+ log.Fatalln(err)
+ }
+}
+
+func start() *cobra.Command {
+ o := &Options{}
+
+ cmd := &cobra.Command{
+ Use: "run",
+ Short: "Runs the api server",
+ Long: "Runs the api server to which the front end will connect",
+ Run: func(cmd *cobra.Command, args []string) {
+
+ s := &server.Server{
+ Options: server.Options{
+ ListenAddress: o.ip,
+ ListenPort: o.port,
+ Endpoint: o.Endpoint,
+ AccessKey: o.AccessKey,
+ SecretKey: o.SecretKey,
+ Bucket: o.bucket,
+ },
+ }
+
+ server, err := s.NewServer(o.dev)
+ if err != nil {
+ log.Fatalln(err)
+ }
+
+ stop := make(chan os.Signal, 1)
+
+ signal.Notify(stop, syscall.SIGTERM)
+
+ go func() {
+ <-stop
+
+ // Shutdown the server, Kubernetes gives us 30 seconds before a SIGKILL.
+ ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+ defer cancel()
+
+ if err := server.Shutdown(ctx); err != nil {
+ log.Fatalln(err, "server shutdown error")
+ }
+ }()
+
+ if err := server.ListenAndServe(); err != nil {
+ if errors.Is(err, http.ErrServerClosed) {
+ return
+ }
+
+ log.Fatalln(err, "unexpected server error")
+
+ return
+ }
+ },
+ }
+ o.AddFlags(cmd)
+
+ return cmd
+}
+
+// Execute runs the execute command for the Cobra library allowing commands & flags to be utilised.
+func main() {
+ if err := start().Execute(); err != nil {
+ os.Exit(1)
+ }
+}
diff --git a/docker/Dockerfile → docker/baski/Dockerfile b/docker/Dockerfile → docker/baski/Dockerfile
diff --git a/docker/server/Dockerfile b/docker/server/Dockerfile
@@ -0,0 +1,34 @@
+# syntax=docker/dockerfile:1
+FROM golang as go-builder
+
+WORKDIR /app
+
+COPY go.mod ./
+COPY go.sum ./
+COPY cmd ./cmd/
+COPY pkg ./pkg/
+
+RUN go mod download
+
+RUN CGO_ENABLED=0 go build -o /tmp/baski-server /app/cmd/server/main.go
+
+
+FROM alpine:3.17
+
+RUN apk update --no-cache
+RUN apk add bash build-base jq curl git python3 py3-pip openssh-client
+
+RUN echo "ServerAliveInterval 120" >> /etc/ssh/ssh_config
+
+RUN echo "baski:x:1000:1000:Baski Non Root,,,:/home/baski:" >> /etc/passwd
+RUN mkdir -p /home/baski/.config/openstack/
+RUN chown baski: -R /home/baski
+
+COPY --from=go-builder /tmp/baski /usr/bin/
+
+RUN chmod 755 /usr/bin/baski
+ENV PATH=${PATH}:/home/baski/.local/bin/
+
+USER 1000
+
+ENTRYPOINT ["bash"]