github_mirrors/attachment
3
0
Fork 1
mirror of https://github.com/openappsec/attachment.git synced 2025-08-13 13:25:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

remove the comments

Browse Source
This commit is contained in:
wiaamm 2025-07-02 13:21:06 +03:00
parent 88f9aedf10
commit f30b187d97
1 changed files with 6 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
docker/openappsec-waf-webhook/webhook_server.py
View File

@ -50,7 +50,6 @@ def configure_logging():
formatter = logging.Formatter('%(asctime)s - %(levelname)s - %(message)s')
handler.setFormatter(formatter)
# Remove any existing handlers
if app.logger.hasHandlers():
app.logger.handlers.clear()
@ -69,14 +68,12 @@ def get_sidecar_container():
secret_ref = os.getenv("SECRET_REF")
persistence_enabled = os.getenv("APPSEC_PERSISTENCE_ENABLED", "false").lower() == "true"
# Prepare the volumeMounts list based on PROXY_KIND
if is_istio_agent():
volume_mounts = [
{"name": "envoy-attachment-shared", "mountPath": "/envoy/attachment/shared/"},
{"name": "advanced-model", "mountPath": "/advanced-model"}
]
else:
# For non-istio agents, only mount advanced-model
volume_mounts = [
{"name": "advanced-model", "mountPath": "/advanced-model"}
]
@ -111,14 +108,12 @@ def get_sidecar_container():
"CRDS_SCOPE": os.getenv("CRDS_SCOPE"),
}
# Base environment variables
env = [
{"name": "registered_server", "value": registered_server}
]
# Add optional environment variables if they are set
for var_name, var_value in optional_env_vars.items():
if var_value is not None: # Only add if the variable is set
if var_value is not None:
env.append({"name": var_name, "value": var_value})
sidecar = {
@ -161,7 +156,7 @@ def get_istio_version():
url = f"http://istiod.istio-system:{ISTIOD_PORT}/version"
response = requests.get(url)
if response.status_code == 200:
return response.text.strip().split('-')[0] # Extracting version
return response.text.strip().split('-')[0]
else:
raise Exception(f"Failed to get Istio version: {response.status_code}")
@ -221,7 +216,6 @@ def get_init_container():
app.logger.debug("Exiting get_init_container()")
return init_container
# The volume mount configuration for both the original and sidecar containers
def get_volume_mount():
app.logger.debug("Entering get_volume_mount()")
volume_mount = {
@ -232,14 +226,11 @@ def get_volume_mount():
app.logger.debug("Exiting get_volume_mount()")
return volume_mount
# Volume definition for the pod
def get_volume_definition():
app.logger.debug("Entering get_volume_definition()")
persistence_enabled = os.getenv("APPSEC_PERSISTENCE_ENABLED", "false").lower() == "true"
# Base volumes - only add envoy-attachment-shared for Istio
# wiaam instead of this add the advanced-model volume all the time and the env
if is_istio_agent():
volume_def = [
{
@ -255,7 +246,6 @@ def get_volume_definition():
}
]
else:
# For non-istio agents, only add advanced-model volume
volume_def = [
{
"name": "advanced-model",
@ -411,7 +401,6 @@ def remove_env_variable(containers, container_name, env_var_name, patches):
def create_or_update_envoy_filter(name, namespace, selector_label_name, selector_label_value):
api = client.CustomObjectsApi()
# Define the EnvoyFilter specification
envoy_filter_spec = {
"apiVersion": "networking.istio.io/v1alpha3",
"kind": "EnvoyFilter",
@ -465,7 +454,6 @@ def create_or_update_envoy_filter(name, namespace, selector_label_name, selector
}
}
# Check if the EnvoyFilter exists
try:
existing_envoy_filter = api.get_namespaced_custom_object(
group="networking.istio.io",
@ -604,14 +592,12 @@ def mutate():
if REMOVE_WAF:
app.logger.debug("Removing injected sidecar and associated resources.")
# Only handle Istio-specific removal if PROXY_KIND is "istio"
if is_istio_agent():
app.logger.debug("PROXY_KIND is istio, removing Istio-specific components.")
if DEPLOY_FILTER and SELECTOR_LABEL_NAME and SELECTOR_LABEL_VALUE:
remove_envoy_filter_by_selector(namespace, SELECTOR_LABEL_NAME, SELECTOR_LABEL_VALUE)
# Remove ld library path env variable
if ISTIO_CONTAINER_NAME:
if CONCURRENCY_NUMBER_VALUE:
remove_env_variable(containers, ISTIO_CONTAINER_NAME, 'CONCURRENCY_NUMBER', patches)
@ -631,7 +617,6 @@ def mutate():
else:
app.logger.debug("shareProcessNamespace not found; no patch to remove it")
# Remove the init container if it exists (Istio only)
if init_container_exist:
for idx, init_container in enumerate(init_containers):
if init_container['name'] == 'prepare-attachment':
@ -640,7 +625,7 @@ def mutate():
"path": f"/spec/initContainers/{idx}"
})
app.logger.debug(f"Removed init container patch: {patches[-1]}")
break # Stop once we find and remove the target container
break
else:
app.logger.debug(f"PROXY_KIND is {PROXY_KIND}, skipping Istio-specific removal.")
@ -653,11 +638,9 @@ def mutate():
})
app.logger.debug("Set automountServiceAccountToken=false for kong agent removal")
# Remove the sidecar container if it exists (common for all agent kinds)
if sidecar_exists:
for idx, container in enumerate(containers):
volume_mounts = container.get('volumeMounts', [])
# Only remove envoy-attachment-shared volume mount for Istio
if is_istio_agent():
for idx_v, volume_mount in enumerate(volume_mounts):
if volume_mount['name'] == 'envoy-attachment-shared':
@ -673,35 +656,28 @@ def mutate():
})
app.logger.debug(f"Removed sidecar container patch: {patches[-1]}")
# Remove volumes based on agent kind
if volume_exist:
for idx, volume in enumerate(volumes):
# For Istio, remove envoy-attachment-shared volume
if is_istio_agent() and volume['name'] == 'envoy-attachment-shared':
patches.append({
"op": "remove",
"path": f"/spec/volumes/{idx}"
})
app.logger.debug(f"Removed volume patch: {patches[-1]}")
break # Stop once we find and remove the target volume
break
else:
app.logger.debug("Before if: Sidecar 'open-appsec-nano-agent' does not exist. Preparing to add it.")
# Define the sidecar container
sidecar = get_sidecar_container()
# Define the volume
volume_def = get_volume_definition()
# Only handle Istio-specific components if PROXY_KIND is "istio"
if is_istio_agent():
app.logger.debug("PROXY_KIND is istio, adding Istio-specific components.")
# Define the init container()
init_container = get_init_container()
# Define the volume mount for istio-proxy
volume_mount = get_volume_mount()
if ISTIO_CONTAINER_NAME:
@ -718,7 +694,6 @@ def mutate():
else:
app.logger.debug("ISTIO_CONTAINER_NAME skipping environment variable addition")
# Add shareProcessNamespace for Istio
patches.append({
"op": "add",
"path": "/spec/shareProcessNamespace",
@ -726,7 +701,6 @@ def mutate():
})
app.logger.debug("Added shareProcessNamespace patch")
# Add the volume mount to istio-proxy container (assumes istio-proxy is first container)
patches.append({
"op": "add",
"path": "/spec/containers/0/volumeMounts/-",
@ -734,9 +708,7 @@ def mutate():
})
app.logger.debug("Added volume mount patch to istio-proxy: %s", patches[-1])
# Add init container for Istio
if not init_container_exist:
# Add the initContainer to the pod spec in the deployment
if 'initContainers' in obj['spec']:
obj['spec']['initContainers'].append(init_container)
else:
@ -748,7 +720,6 @@ def mutate():
"value": obj['spec']['initContainers']
})
# Deploy EnvoyFilter for Istio
if DEPLOY_FILTER and SELECTOR_LABEL_NAME and SELECTOR_LABEL_VALUE:
RELEASE_NAME = os.getenv('RELEASE_NAME', 'openappsec-waf-injected')
envoy_filter_name = RELEASE_NAME + "-waf-filter"
@ -756,10 +727,8 @@ def mutate():
else:
app.logger.debug(f"PROXY_KIND is {PROXY_KIND}, skipping Istio-specific components.")
# For kong agents (like Kong), set automountServiceAccountToken to true
current_spec = obj.get('spec', {})
if 'automountServiceAccountToken' in current_spec:
# Field exists, replace it
patches.append({
"op": "replace",
"path": "/spec/automountServiceAccountToken",
@ -767,7 +736,6 @@ def mutate():
})
app.logger.debug("Replaced existing automountServiceAccountToken=true for kong agent")
else:
# Field doesn't exist, add it
patches.append({
"op": "add",
"path": "/spec/automountServiceAccountToken",
@ -775,7 +743,6 @@ def mutate():
})
app.logger.debug("Added automountServiceAccountToken=true for kong agent")
# Add the sidecar container (common for all agent kinds)
if not sidecar_exists:
patches.append({
"op": "add",
@ -784,7 +751,6 @@ def mutate():
})
app.logger.debug("Added sidecar container patch: %s", patches[-1])
# Add the new volume definition
for volume in volume_def:
patches.append({
"op": "add",
@ -795,7 +761,6 @@ def mutate():
else:
app.logger.debug("Before else: Sidecar 'open-appsec-nano-agent' already exists. Checking for image updates.")
# Optionally, update the sidecar image and tag if necessary
for idx, container in enumerate(containers):
if container['name'] == 'open-appsec-nano-agent':
current_image = container.get('image', '')
@ -808,13 +773,11 @@ def mutate():
"value": FULL_AGENT_IMAGE
})
app.logger.debug(f"Updated sidecar image patch: {patches[-1]}")
break # Sidecar found and handled
break
# Handle init container updates for Istio only
if is_istio_agent() and init_container_exist:
app.logger.debug("Before else: init-container 'prepare-attachment' already exists. Checking for image updates.")
# Optionally, update the init container image and tag if necessary
for idx, container in enumerate(init_containers):
if container['name'] == 'prepare-attachment':
current_image = container.get('image', '')
@ -827,7 +790,7 @@ def mutate():
"value": FULL_INIT_CONTAINER_IMAGE
})
app.logger.debug(f"Updated init container image patch: {patches[-1]}")
break # Init container found and handled
break
app.logger.info("Total patches: %s", json.dumps(patches, indent=2))