Merge pull request #109 from doitintl/feature/goEmbed

ref: Replace statik with Go embed

Dockerfile

@@ -16,6 +16,8 @@ RUN make all
 
 FROM scratch
 
+USER 1000
+
 COPY --from=builder /src/bin/kubent-linux-amd64 /app/kubent
 
 WORKDIR /app

Makefile

@@ -27,7 +27,6 @@ CGO_ENABLED ?= 0
 GOOS ?= $(shell go env GOOS)
 GOARCH ?= $(shell go env GOARCH)
 
-GENERATE_DIR ?= generated
 BIN_DIR ?= bin
 CMD_DIR ?= cmd
 RELEASE_DIR ?= release-artifacts
@@ -44,7 +43,6 @@ SRC ?= $(shell find . -iname '*.go')
 
 GOCMD ?= go
 GOBUILD ?= $(GOCMD) build
-GOGENERATE ?= $(GOCMD) generate
 UPXCMD ?= upx
 
 REQ_BINS = upx go opa
@@ -66,21 +64,12 @@ help:
 build: $(BINS)
 .PHONY: build
 
-$(BIN_DIR)/%-$(BIN_ARCH): generated/* $(SRC) go.mod go.sum
+$(BIN_DIR)/%-$(BIN_ARCH): $(SRC) go.mod go.sum
 	mkdir -p $(BIN_DIR)
 	$(GOBUILD) -ldflags="-s -w -X main.version=$(GIT_REF) -X main.gitSha=$(GIT_SHA)" \
 	-o "$@" \
 	"./$(CMD_DIR)/$(*)"
 
-## Go generate
-generate: generated/*
-	mkdir -p $(GENERATE_DIR)
-.PHONY: generate
-
-generated/*: rules/*
-	$(GOGENERATE)
-	go fmt "./generated/..."
-
 ## Pack binaries with upx
 pack: $(PACKED_BINS)
 .PHONY: pack
@@ -99,12 +88,12 @@ $(RELEASE_DIR)/%-$(RELEASE_SUFFIX): $(PACKED_DIR)/%-$(BIN_ARCH)
 	$(TAR) -cvz --transform 's,$(PACKED_DIR)/$(*)-$(BIN_ARCH),$(*),gi' -f "$@" "$<"
 
 ## Run Go tests
-test: generate test-fmt test-git
+test: test-fmt test-git
 	go test -v -coverprofile fmtcoverage.html ./...
 .PHONY: test
 
 ## Run go and opt fmt checks
-test-fmt: generate
+test-fmt:
 	test -z "$$(opa fmt -l rules/*)"
 	test -z "$$(go fmt ./...)"
 .PHONY: test-fmt
@@ -116,7 +105,6 @@ test-git:
 
 ## Clean build artifacts
 clean:
-	rm -rf $(GENERATE_DIR)
 	rm -rf $(BIN_DIR)
 .PHONY: clean
 

README.md

@@ -127,10 +127,6 @@ The simplest way to build `kubent` is:
 # Clone the repository
 git clone https://github.com/doitintl/kube-no-trouble.git
 cd kube-no-trouble/
-# We require statik for generating static embedded files
-go get github.com/rakyll/statik
-# Generate
-go generate
 # Build
 go build -o bin/kubent cmd/kubent/main.go
 ```

cmd/kubent/main.go

@@ -8,6 +8,7 @@ import (
 	"github.com/doitintl/kube-no-trouble/pkg/config"
 	"github.com/doitintl/kube-no-trouble/pkg/judge"
 	"github.com/doitintl/kube-no-trouble/pkg/printer"
+	"github.com/doitintl/kube-no-trouble/pkg/rules"
 
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
@@ -96,7 +97,12 @@ func main() {
 	initCollectors := initCollectors(config)
 	collectors := getCollectors(initCollectors)
 
-	judge, err := judge.NewRegoJudge(&judge.RegoOpts{})
+	loadedRules, err := rules.FetchRegoRules()
+	if err != nil {
+		log.Fatal().Err(err).Str("name", "Rules").Msg("Failed to load rules")
+	}
+
+	judge, err := judge.NewRegoJudge(&judge.RegoOpts{}, loadedRules)
 	if err != nil {
 		log.Fatal().Err(err).Str("name", "Rego").Msg("Failed to initialize decision engine")
 	}

go.mod

@@ -10,7 +10,6 @@ require (
 	github.com/jmoiron/sqlx v1.2.0 // indirect
 	github.com/lib/pq v1.3.0 // indirect
 	github.com/open-policy-agent/opa v0.26.0
-	github.com/rakyll/statik v0.1.7
 	github.com/rs/zerolog v1.20.0
 	github.com/rubenv/sql-migrate v0.0.0-20200402132117-435005d389bc // indirect
 	github.com/spf13/pflag v1.0.5

go.sum

@@ -528,8 +528,6 @@ github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDa
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
-github.com/rakyll/statik v0.1.7 h1:OF3QCZUuyPxuGEP7B4ypUa7sB/iHtqOTDYZXGM8KOdQ=
-github.com/rakyll/statik v0.1.7/go.mod h1:AlZONWzMtEnMs7W4e/1LURLiI49pIMmp6V9Unghqrcc=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a h1:9ZKAASQSHhDYGoxY8uLVpewe1GDZ2vu2Tr/vTdVAkFQ=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ=

pkg/judge/rego.go

@@ -2,14 +2,10 @@ package judge
 
 import (
 	"context"
-	"io/ioutil"
-	"os"
 
+	"github.com/doitintl/kube-no-trouble/pkg/rules"
 	"github.com/open-policy-agent/opa/rego"
-	"github.com/rakyll/statik/fs"
 	"github.com/rs/zerolog/log"
-
-	_ "github.com/doitintl/kube-no-trouble/generated/statik"
 )
 
 type RegoJudge struct {
@@ -19,34 +15,17 @@ type RegoJudge struct {
 type RegoOpts struct {
 }
 
-func NewRegoJudge(opts *RegoOpts) (*RegoJudge, error) {
+func NewRegoJudge(opts *RegoOpts, rules []rules.Rule) (*RegoJudge, error) {
 	ctx := context.Background()
 
 	r := rego.New(
 		rego.Query("data[_].main"),
 	)
 
-	statikFS, err := fs.New()
-
-	fs.Walk(statikFS, "/",
-		func(path string, info os.FileInfo, err error) error {
-			if !info.IsDir() {
-				if err != nil {
-					return err
-				}
-				f, err := statikFS.Open(path)
-				if err != nil {
-					return err
-				}
-				c, err := ioutil.ReadAll(f)
-				if err != nil {
-					return err
-				}
-				rego.Module(info.Name(), string(c))(r)
-				log.Info().Str("name", info.Name()).Msg("Loaded ruleset")
-			}
-			return nil
-		})
+	for _, info := range rules {
+		rego.Module(info.Name, info.Rule)(r)
+		log.Info().Str("name", info.Name).Msg("Loaded ruleset")
+	}
 
 	pq, err := r.PrepareForEval(ctx)
 	if err != nil {

pkg/judge/rego_test.go

@@ -1,13 +1,14 @@
 package judge
 
 import (
+	"github.com/doitintl/kube-no-trouble/pkg/rules"
 	"github.com/ghodss/yaml"
 	"io/ioutil"
 	"testing"
 )
 
 func TestNewRegoJudge(t *testing.T) {
-	_, err := NewRegoJudge(&RegoOpts{})
+	_, err := NewRegoJudge(&RegoOpts{}, []rules.Rule{})
 	if err != nil {
 		t.Errorf("failed to create judge instance: %s", err)
 	}
@@ -16,7 +17,7 @@ func TestNewRegoJudge(t *testing.T) {
 func TestEvalEmpty(t *testing.T) {
 	inputs := []map[string]interface{}{}
 
-	judge, err := NewRegoJudge(&RegoOpts{})
+	judge, err := NewRegoJudge(&RegoOpts{}, []rules.Rule{})
 	if err != nil {
 		t.Errorf("failed to create judge instance: %s", err)
 	}
@@ -64,7 +65,12 @@ func TestEvalRules(t *testing.T) {
 				manifests = append(manifests, manifest)
 			}
 
-			judge, err := NewRegoJudge(&RegoOpts{})
+			loadedRules, err := rules.FetchRegoRules()
+			if err != nil {
+				t.Errorf("Failed to load rules")
+			}
+
+			judge, err := NewRegoJudge(&RegoOpts{}, loadedRules)
 			if err != nil {
 				t.Errorf("failed to create judge instance: %s", err)
 			}

pkg/rules/rules.go

@@ -0,0 +1,35 @@
+package rules
+
+import (
+	"embed"
+	"path"
+)
+
+//go:embed rego
+var local embed.FS
+
+type Rule struct {
+	Name string
+	Rule string
+}
+
+func FetchRegoRules() ([]Rule, error) {
+	fis, err := local.ReadDir("rego")
+	if err != nil {
+		return nil, err
+	}
+
+	rules := []Rule{}
+	for _, info := range fis {
+		data, err := local.ReadFile(path.Join("rego", info.Name()))
+		if err != nil {
+			return nil, err
+		}
+		rules = append(rules, Rule{
+			Name: info.Name(),
+			Rule: string(data),
+		})
+	}
+
+	return rules, nil
+}

pkg/rules/rules_test.go

@@ -0,0 +1,28 @@
+package rules
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestFetchRules(t *testing.T) {
+	var expected []string
+	root := "rego/"
+	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
+		if info.Name() != "rego" {
+			expected = append(expected, info.Name())
+		}
+		return nil
+	})
+
+	rules, err := FetchRegoRules()
+	if err != nil {
+		t.Errorf("Failed to load rules with: %s", err)
+	}
+	for i, rule := range rules {
+		if rule.Name != expected[i] {
+			t.Errorf("expected to get %s finding, instead got: %s", expected[i], rule.Name)
+		}
+	}
+}

scripts/alpine-setup.sh

@@ -21,5 +21,4 @@ wget -qO- "https://github.com/upx/upx/releases/download/v${UPX_VERSION}/upx-${UP
 wget -q -O "/usr/local/bin/opa" "https://github.com/open-policy-agent/opa/releases/download/v${OPA_VERSION}/opa_linux_amd64"
 chmod +x "/usr/local/bin/opa"
 
-go get github.com/rakyll/statik
 go get github.com/paultyng/changelog-gen