OCP Update variable filter to consider go_template by Vincent056 · Pull Request #11906 · ComplianceAsCode/content

Vincent056 · 2024-04-26T20:29:34Z

Description:

Update the variable filter to find if a rule is using go-template, if so find any var being used, and add them to the var list for that rule, Compliance Operator use [go template](https://pkg.go.dev/text/template) to do additional processing, sometimes we reference a xccdf variable within templated content.

github-actions · 2024-04-26T20:30:56Z

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

github-actions · 2024-04-26T20:34:14Z

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11906
This image was built from commit: 59162ea

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11906

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11906 make deploy-local

rhmdnd · 2024-04-26T21:04:44Z

/test

openshift-ci · 2024-04-26T21:04:47Z

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

/test 4.13-e2e-aws-ocp4-cis
/test 4.13-e2e-aws-ocp4-cis-node
/test 4.13-e2e-aws-ocp4-e8
/test 4.13-e2e-aws-ocp4-high
/test 4.13-e2e-aws-ocp4-high-node
/test 4.13-e2e-aws-ocp4-moderate
/test 4.13-e2e-aws-ocp4-moderate-node
/test 4.13-e2e-aws-ocp4-pci-dss
/test 4.13-e2e-aws-ocp4-pci-dss-node
/test 4.13-e2e-aws-ocp4-stig
/test 4.13-e2e-aws-ocp4-stig-node
/test 4.13-e2e-aws-rhcos4-e8
/test 4.13-e2e-aws-rhcos4-high
/test 4.13-e2e-aws-rhcos4-moderate
/test 4.13-e2e-aws-rhcos4-stig
/test 4.13-images
/test 4.14-images
/test 4.15-e2e-aws-ocp4-cis
/test 4.15-e2e-aws-ocp4-cis-node
/test 4.15-e2e-aws-ocp4-e8
/test 4.15-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high-node
/test 4.15-e2e-aws-ocp4-moderate
/test 4.15-e2e-aws-ocp4-moderate-node
/test 4.15-e2e-aws-ocp4-pci-dss
/test 4.15-e2e-aws-ocp4-pci-dss-node
/test 4.15-e2e-aws-ocp4-stig
/test 4.15-e2e-aws-ocp4-stig-node
/test 4.15-e2e-aws-rhcos4-e8
/test 4.15-e2e-aws-rhcos4-high
/test 4.15-e2e-aws-rhcos4-moderate
/test 4.15-e2e-aws-rhcos4-stig
/test 4.15-images
/test 4.16-e2e-aws-ocp4-cis
/test 4.16-e2e-aws-ocp4-cis-node
/test 4.16-e2e-aws-ocp4-e8
/test 4.16-e2e-aws-ocp4-high
/test 4.16-e2e-aws-ocp4-high-node
/test 4.16-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate-node
/test 4.16-e2e-aws-ocp4-pci-dss
/test 4.16-e2e-aws-ocp4-pci-dss-node
/test 4.16-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig-node
/test 4.16-e2e-aws-rhcos4-e8
/test 4.16-e2e-aws-rhcos4-high
/test 4.16-e2e-aws-rhcos4-moderate
/test 4.16-e2e-aws-rhcos4-stig
/test 4.16-images
/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-e8
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-high-node
/test e2e-aws-ocp4-moderate
/test e2e-aws-ocp4-moderate-node
/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-node
/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-e8
/test e2e-aws-rhcos4-high
/test e2e-aws-rhcos4-moderate
/test e2e-aws-rhcos4-stig
/test images

Use /test all to run the following jobs that were automatically triggered:

pull-ci-ComplianceAsCode-content-master-4.13-images
pull-ci-ComplianceAsCode-content-master-4.14-images
pull-ci-ComplianceAsCode-content-master-4.15-images
pull-ci-ComplianceAsCode-content-master-4.16-images
pull-ci-ComplianceAsCode-content-master-images

Details

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

rhmdnd · 2024-04-26T21:05:07Z

/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-node

xiaojiey · 2024-04-28T03:36:47Z

/hold for test

xiaojiey · 2024-04-28T07:14:28Z

Verification pass with 4.16.0-0.nightly-2024-04-26-145258 + ghcr.io/complianceascode/k8scontent:11906:

1. e2e failures on master branch:
$ oc compliance bind -N test-pci-dss profile/ocp4-pci-dss profile/ocp4-pci-dss-node
Creating ScanSettingBinding test-pci-dss
$ oc get suite -w
NAME           PHASE     RESULT
test           RUNNING   NOT-AVAILABLE
test-pci-dss   PENDING
...
test-pci-dss   RUNNING     NOT-AVAILABLE
...
test-pci-dss   RUNNING     NOT-AVAILABLE
^C
$ oc get pod
NAME                                              READY   STATUS       RESTARTS        AGE
compliance-operator-6bf6fbc8c8-v7wtj              1/1     Running      1 (5m17s ago)   5m23s
ocp4-openshift-compliance-pp-7c6d678c7f-m8whd     1/1     Running      0               5m15s
ocp4-pci-dss-api-checks-pod                       0/2     Init:Error   4 (55s ago)     2m
ocp4-pci-dss-rs-665d6b5cb8-bq28d                  1/1     Running      0               2m
rhcos4-openshift-compliance-pp-86665cf945-dfs4x   1/1     Running      0               5m15s
[3:10](https://redhat-internal.slack.com/archives/DNPDDTQA3/p1714288242759759)
$ oc logs pod/ocp4-pci-dss-api-checks-pod --all-containers
...
Fetching URI: '/api/v1/namespaces/-/pods?labelSelector=app%3Dkube-controller-manager'
FATAL:Error fetching resources: couldn't filter '{"kind":"PodList","apiVersion":"v1","metadata":{"resourceVersion":"92523"},"items":[]}
': cannot iterate over: null
Error from server (BadRequest): container "log-collector" in pod "ocp4-pci-dss-api-checks-pod" is waiting to start: PodInitializing
2. Issue get fixed this this PR:
$ oc compliance bind -N test-11906 profile/upstream-ocp4-pci-dss profile/upstream-ocp4-pci-dss-node
Creating ScanSettingBinding test-11906
$ oc get suite -w
NAME           PHASE     RESULT
test           RUNNING   NOT-AVAILABLE
test-11906     PENDING
...
test-11906     DONE          NON-COMPLIANT
test-11906     DONE          NON-COMPLIANT

xiaojiey · 2024-04-28T07:14:37Z

/unhold

xiaojiey · 2024-04-28T07:14:42Z

/lgtm

xiaojiey · 2024-04-28T08:40:33Z

@Vincent056 seems one issue to fix: https://codeclimate.com/github/ComplianceAsCode/content/pull/11906. Could you please take a look? Thanks.

rhmdnd · 2024-04-29T16:04:32Z

/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-node

Vincent056 · 2024-04-29T18:19:47Z

/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-node

rhmdnd · 2024-04-29T21:11:30Z

/test 4.15-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high-node
/test 4.15-e2e-aws-rhcos4-high

openshift-ci · 2024-04-29T22:56:36Z

@Vincent056: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.15-e2e-aws-rhcos4-high	`f2a9860`	link	true	`/test 4.15-e2e-aws-rhcos4-high`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

rhmdnd · 2024-04-30T01:12:18Z

The stig e2e failure is unrelated and being addressed in a separate PR.

rhmdnd

/lgtm

Looks good from a OpenShift content perspective.

rhmdnd · 2024-04-30T01:14:18Z

@Mab879 does this seem reasonable from the build perspective?

rhmdnd · 2024-05-01T13:37:54Z

@Honny1 how do you feel about this approach given the recent refactors to the build system made in #11858 ?

Honny1

I built and compared ocp4 ds from this PR branch and the main branch and found no problem. However, I would like to ask you to create tests for this problem to avoid similar problems in future changes. Also, I would like to ask why you are processing the DS after the build? Wouldn't it be better to extend the macros during the build?

Honny1 · 2024-05-02T09:41:25Z

+def get_variables_from_go_templating(rule, var_ids):
+    go_templating_pattern = re.compile(r"{{(.*?)}}")
+    go_templating_var_pattern = re.compile(r"\.([a-zA-Z0-9_]+)")
+    for ele in rule.itertext():


Can go_template be used only in the text part of a rule or can it be present in an XML element attribute?

they will present in the text part of the rule as well as in the remediations

I think fix is also part of the rule

Okay, I was curious. Yes, the fix element is a sub-element of the Rule element.

Update the variable filter to find if a rule is using go-template, if so find any var being used, add them to var list for that rule

Vincent056 · 2024-05-02T15:41:15Z

I built and compared ocp4 ds from this PR branch and the main branch and found no problem. However, I would like to ask you to create tests for this problem to avoid similar problems in future changes. Also, I would like to ask why you are processing the DS after the build? Wouldn't it be better to extend the macros during the build?

Thanks for the review, we have e2e test, but we don't run that in every PR, for example you could run /test 4.15-e2e-aws-ocp4-high for one of the test, I can add the unit test in another PR since this is blocking our CI and release.

The go_template is use to in our operator when consuming the datastream file, so that we can process the remediation to use xccdf variables as well as other part of rule to be more dynamic. @Honny1

qlty-cloud-legacy · 2024-05-02T15:48:50Z

Code Climate has analyzed commit 59162ea and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

Honny1 · 2024-05-02T16:07:40Z

@Vincent056
Okay, please add a unit test in another PR.

Well, I think the sub element would do the same magic. See rule: xccdf_org.ssgproject.content_rule_enable_fips_mode
Or is there some other reason for this approach?

Vincent056 · 2024-05-02T17:18:40Z

xccdf_org.ssgproject.content_rule_enable_fips_mode

@Honny1 great, I will do that, we were also depending on go_templating to be able to fetch different kube API, which is defined in warning part of the rule in the compliance operator dynamically based on value of the xccdf variables, among other things such as render value of referenced variables in rule description

Honny1 · 2024-05-02T20:17:28Z

@Vincent056 Okay

yuumasato

Thank you for the review @Honny1

/lgtm

yuumasato · 2024-05-03T07:57:18Z

/packit help

yuumasato · 2024-05-03T08:00:36Z

/packit retest-failed

theboringstuff · 2024-05-03T09:51:23Z

This will not be included in v0.1.73? Is there WA for this issue? I encounter similar problem for openshift cluster

Fetching URI: '/api/v1/namespaces/-/pods?labelSelector=app%3Dkube-controller-manager'
debug: Applying filter '[[.items[0].spec.containers[0].args[] | select(. | match("--port=[1-9]*[1-9]+") )] | length | if . == 0 then true else false end]' to path '/api/v1/namespaces/-/pods?labelSelector=app%3Dkube-controller-manager'
debug: Error while filtering: cannot iterate over: null
debug: Persisting warnings to output file
FATAL:Error fetching resources: couldn't filter '{"kind":"PodList","apiVersion":"v1","metadata":{"resourceVersion":"190509111"},"items":[]}
': cannot iterate over: null

Are there older content/CO versions where this issue is not present (to use as a WA)?

yuumasato · 2024-05-03T14:04:17Z

As #11858 is going into 0.1.73, I think it makes sense to backport this fix there.
@ComplianceAsCode/red-hatters do you guys concur?

Vincent056 force-pushed the filter branch from e53e8a1 to aea581c Compare April 26, 2024 20:32

Vincent056 force-pushed the filter branch 3 times, most recently from 8fed1ef to e1bdec0 Compare April 26, 2024 20:53

openshift-ci Bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Apr 28, 2024

openshift-ci Bot removed the do-not-merge/hold Used by openshift-ci-robot bot. label Apr 28, 2024

xiaojiey mentioned this pull request Apr 28, 2024

OCPBUGS-33067: Don't fatal error when filter cannot iterate ComplianceAsCode/compliance-operator#509

Merged

marcusburghardt added the Infrastructure Our content build system label Apr 29, 2024

marcusburghardt requested a review from jan-cerny April 29, 2024 09:27

Vincent056 force-pushed the filter branch 7 times, most recently from b636d2b to b6ef6c2 Compare April 29, 2024 16:03

Vincent056 force-pushed the filter branch 3 times, most recently from b0124e3 to f2a9860 Compare April 29, 2024 17:58

rhmdnd mentioned this pull request Apr 29, 2024

Update periodic compliance jobs to use job-release label openshift/release#51476

Merged

rhmdnd approved these changes Apr 30, 2024

View reviewed changes

Honny1 suggested changes May 2, 2024

View reviewed changes

OCP Update variable filter to consider go_template

59162ea

Update the variable filter to find if a rule is using go-template, if so find any var being used, add them to var list for that rule

Vincent056 force-pushed the filter branch from f2a9860 to 59162ea Compare May 2, 2024 15:33

Honny1 approved these changes May 2, 2024

View reviewed changes

yuumasato approved these changes May 3, 2024

View reviewed changes

yuumasato merged commit bd9ef20 into ComplianceAsCode:master May 3, 2024

yuumasato added this to the 0.1.74 milestone May 3, 2024

yuumasato self-assigned this May 3, 2024

yuumasato mentioned this pull request May 7, 2024

[Stabilization] OCP Update variable filter to consider go_template #11955

Merged

Conversation

Vincent056 commented Apr 26, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description:

Uh oh!

github-actions Bot commented Apr 26, 2024

Uh oh!

github-actions Bot commented Apr 26, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

rhmdnd commented Apr 26, 2024

Uh oh!

openshift-ci Bot commented Apr 26, 2024

Uh oh!

rhmdnd commented Apr 26, 2024

Uh oh!

xiaojiey commented Apr 28, 2024

Uh oh!

xiaojiey commented Apr 28, 2024

Uh oh!

xiaojiey commented Apr 28, 2024

Uh oh!

xiaojiey commented Apr 28, 2024

Uh oh!

xiaojiey commented Apr 28, 2024

Uh oh!

rhmdnd commented Apr 29, 2024

Uh oh!

Vincent056 commented Apr 29, 2024

Uh oh!

rhmdnd commented Apr 29, 2024

Uh oh!

openshift-ci Bot commented Apr 29, 2024

Uh oh!

rhmdnd commented Apr 30, 2024

Uh oh!

rhmdnd left a comment

Choose a reason for hiding this comment

Uh oh!

rhmdnd commented Apr 30, 2024

Uh oh!

rhmdnd commented May 1, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Honny1 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Honny1 May 2, 2024

Choose a reason for hiding this comment

Uh oh!

Vincent056 May 2, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Vincent056 May 2, 2024

Choose a reason for hiding this comment

Uh oh!

Honny1 May 2, 2024

Choose a reason for hiding this comment

Uh oh!

Vincent056 commented May 2, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

qlty-cloud-legacy Bot commented May 2, 2024

Uh oh!

Honny1 commented May 2, 2024

Uh oh!

Vincent056 commented May 2, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Honny1 commented May 2, 2024

Uh oh!

yuumasato left a comment

Choose a reason for hiding this comment

Uh oh!

yuumasato commented May 3, 2024

Uh oh!

yuumasato commented May 3, 2024

Uh oh!

Vincent056 commented Apr 26, 2024 •

edited

Loading

github-actions Bot commented Apr 26, 2024 •

edited

Loading

rhmdnd commented May 1, 2024 •

edited

Loading

Vincent056 May 2, 2024 •

edited

Loading

Vincent056 commented May 2, 2024 •

edited

Loading

Vincent056 commented May 2, 2024 •

edited

Loading

theboringstuff commented May 3, 2024 •

edited

Loading