fix for crds upload

2025-06-28 16:41:02 +03:00 · 2024-07-29 15:53:23 +03:00 · 2024-07-29 15:53:23 +03:00 · 286c017133
commit 286c017133
parent 705a5e6061
7 changed files with 50 additions and 11 deletions
--- a/components/security_apps/local_policy_mgmt_gen/include/ingress_data.h
+++ b/components/security_apps/local_policy_mgmt_gen/include/ingress_data.h
@ -79,6 +79,7 @@ class DefaultBackend
 {
 public:
    void load(cereal::JSONInputArchive &);
+    bool doesExist() const;

 private:
    bool is_exists = false;
@ -90,6 +91,7 @@ public:
    void load(cereal::JSONInputArchive &archive_in);

    const std::vector<IngressDefinedRule> & getRules() const;
+    bool doesDefaultBackendExist() const;

 private:
    std::string ingress_class_name;
--- a/components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h
+++ b/components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h
@ -111,7 +111,7 @@ private:
    SecurityAppsWrapper security_apps;
 };

-class PolicyMakerUtils
+class PolicyMakerUtils : Singleton::Consume<I_EnvDetails>
 {
 public:
    std::string proccesSingleAppsecPolicy(
--- a/components/security_apps/local_policy_mgmt_gen/ingress_data.cc
+++ b/components/security_apps/local_policy_mgmt_gen/ingress_data.cc
@ -86,6 +86,12 @@ DefaultBackend::load(cereal::JSONInputArchive &)
    is_exists = true;
 }

+bool
+DefaultBackend::doesExist() const
+{
+    return is_exists;
+}
+
 void
 IngressSpec::load(cereal::JSONInputArchive &archive_in)
 {
@ -101,6 +107,12 @@ IngressSpec::getRules() const
    return rules;
 }

+bool
+IngressSpec::doesDefaultBackendExist() const
+{
+    return default_backend.doesExist();
+}
+
 void
 SingleIngressData::load(cereal::JSONInputArchive &archive_in)
 {
--- a/components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc
+++ b/components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc
@ -532,6 +532,16 @@ K8sPolicyUtils::createPolicy(
    map<AnnotationKeys, string> &annotations_values,
    const SingleIngressData &item) const
 {
+    if (policies.find(annotations_values[AnnotationKeys::PolicyKey]) == policies.end()) {
+        policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
+    }
+    if (item.getSpec().doesDefaultBackendExist()) {
+        dbgTrace(D_LOCAL_POLICY)
+            << "Inserting Any host rule to the specific asset set";
+        K ingress_rule = K("*");
+        policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
+    }
+
    for (const IngressDefinedRule &rule : item.getSpec().getRules()) {
        string url = rule.getHost();
        for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) {
@ -544,14 +554,12 @@ K8sPolicyUtils::createPolicy(
                    << uri.getPath()
                    << "'";
                K ingress_rule = K(url + uri.getPath());
-                appsec_policy.addSpecificRule(ingress_rule);
+                policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
            }
        }
    }
-    policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
 }

-
 std::tuple<map<string, AppsecLinuxPolicy>, map<string, V1beta2AppsecLinuxPolicy>>
 K8sPolicyUtils::createAppsecPoliciesFromIngresses()
 {
--- a/components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc
+++ b/components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc
@ -126,6 +126,7 @@ NewAppsecPolicySpec::load(cereal::JSONInputArchive &archive_in)
    dbgTrace(D_LOCAL_POLICY) << "Loading AppSec policy spec";
    parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
    parseAppsecJSONKey<NewParsedRule>("default", default_rule, archive_in);
+    default_rule.setHost("*");
    parseAppsecJSONKey<vector<NewParsedRule>>("specificRules", specific_rules, archive_in);
 }

--- a/components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc
+++ b/components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc
@ -1636,7 +1636,9 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy(const string &policy_name, c
    createPolicyElements<T, R>(specific_rules, default_rule, appsec_policy, policy_name);

    // add default rule to policy
-    createPolicyElementsByRule<T, R>(default_rule, default_rule, appsec_policy, policy_name);
+    if (Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S) {
+        createPolicyElementsByRule<T, R>(default_rule, default_rule, appsec_policy, policy_name);
+    }
 }

 // LCOV_EXCL_START Reason: no test exist
@ -1659,11 +1661,13 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy<V1beta2AppsecLinuxPolicy, Ne
    );

    // add default rule to policy
-    createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsedRule>(
-        default_rule,
-        default_rule,
-        appsec_policy,
-        policy_name);
+    if (Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S) {
+        createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsedRule>(
+            default_rule,
+            default_rule,
+            appsec_policy,
+            policy_name);
+    }
 }
 // LCOV_EXCL_STOP

--- a/nodes/orchestration/package/open-appsec-cloud-mgmt-k8s
+++ b/nodes/orchestration/package/open-appsec-cloud-mgmt-k8s
@ -13,6 +13,10 @@ profile_id=
 cluster_id=
 latest_policy_version=1

+if [ -f $POLICY_CRDS_PATH ]; then
+    chmod 644 $POLICY_CRDS_PATH
+fi
+
 load_agent_details()
 {
    tenant_id=$(awk -F\" '/Tenant ID/{print $4}' /etc/cp/conf/agent_details.json)
@ -29,7 +33,7 @@ get_latest_policy_version()
    bucket_list=$(curl -s -w "%{http_code}\n" --request GET \
        -H "user-agent: Infinity Next (a7030abf93a4c13)" -H "Authorization: Bearer ${ra_token}" \
        "$var_fog/agents-core/storage/?list-type=2&prefix=${tenant_id}/${profile_id}")
-    paths_list=$(echo $bucket_list  | /etc/cp/bin/yq -p xml | grep "/policy")
+    paths_list=$(echo $bucket_list  | awk -F'<Key>|</Key>' '/policy-/ {for (i = 1; i <= NF; i++) if ($i ~ /policy/) print $i}')

    prefix="${tenant_id}/${profile_id}"
    paths=$(echo $paths_list | tr " " "\n" | grep / )
@ -257,6 +261,7 @@ usage()
    echo "Options:"
    echo "    --fog       <fog address>          : Namespace with the relevant Helm Chart"
    echo "    --upload_policy_only               : Upload policy to the fog, withput changing agent mode"
+    echo "    --debug                            : Keep the debuging files"
    exit 255
 }

@ -277,6 +282,8 @@ validate_arg_value_exists()
    fi
 }

+debug_mode="false"
+
 while true; do
    if [ "$1" = "--token" ]; then
        validate_arg_value_exists "$1" "$#"
@ -290,6 +297,8 @@ while true; do
        validate_arg_value_exists "$1" "$#"
        shift
        ra_token="$1"
+    elif [ "$1" = "--debug" ]; then
+        debug_mode="true"
    elif [ -z "$1" ]; then
        break
    fi
@ -305,5 +314,8 @@ upload_crds_to_the_cloud
 if [ "$?" = "0" ]; then
    echo "SUCCESS"
 fi
+if [ "$debug_mode" = "false" ]; then
+    rm $POLICY_CRDS_PATH
+fi

 exit 0