fix for crds upload

Jul 23rd update

attachments/nginx/nginx_attachment_util/nginx_attachment_util.cc

@@ -155,6 +155,24 @@ getWaitingForVerdictThreadTimeout()
     return conf_data.getNumericalValue("waiting_for_verdict_thread_timeout_msec");
 }
 
+unsigned int
+getMinRetriesForVerdict()
+{
+    return conf_data.getNumericalValue("min_retries_for_verdict");
+}
+
+unsigned int
+getMaxRetriesForVerdict()
+{
+    return conf_data.getNumericalValue("max_retries_for_verdict");
+}
+
+unsigned int
+getReqBodySizeTrigger()
+{
+    return conf_data.getNumericalValue("body_size_trigger");
+}
+
 int
 isIPAddress(c_str ip_str)
 {

attachments/nginx/nginx_attachment_util/nginx_attachment_util_ut/nginx_attachment_util_ut.cc

@@ -63,7 +63,10 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
             "\"waiting_for_verdict_thread_timeout_msec\": 75,\n"
             "\"req_header_thread_timeout_msec\": 10,\n"
             "\"ip_ranges\": " + createIPRangesString(ip_ranges) + ",\n"
-            "\"static_resources_path\": \"" + static_resources_path + "\""
+            "\"static_resources_path\": \"" + static_resources_path + "\",\n"
+            "\"min_retries_for_verdict\": 1,\n"
+            "\"max_retries_for_verdict\": 3,\n"
+            "\"body_size_trigger\": 777\n"
         "}\n";
     ofstream valid_configuration_file(attachment_configuration_file_name);
     valid_configuration_file << valid_configuration;
@@ -87,6 +90,9 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
     EXPECT_EQ(getReqBodyThreadTimeout(), 155);
     EXPECT_EQ(getResHeaderThreadTimeout(), 1);
     EXPECT_EQ(getResBodyThreadTimeout(), 0);
+    EXPECT_EQ(getMinRetriesForVerdict(), 1);
+    EXPECT_EQ(getMaxRetriesForVerdict(), 3);
+    EXPECT_EQ(getReqBodySizeTrigger(), 777);
     EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75);
     EXPECT_EQ(getInspectionMode(), ngx_http_inspection_mode::BLOCKING_THREAD);
 

components/attachment-intakers/nginx_attachment/nginx_attachment_config.cc

@@ -42,6 +42,7 @@ HttpAttachmentConfig::init()
     setNumOfNginxIpcElements();
     setDebugByContextValues();
     setKeepAliveIntervalMsec();
+    setRetriesForVerdict();
 }
 
 bool
@@ -215,6 +216,31 @@ HttpAttachmentConfig::setFailOpenTimeout()
     conf_data.setNumericalValue("nginx_inspection_mode", inspection_mode);
 }
 
+void
+HttpAttachmentConfig::setRetriesForVerdict()
+{
+    conf_data.setNumericalValue("min_retries_for_verdict", getAttachmentConf<uint>(
+        3,
+        "agent.minRetriesForVerdict.nginxModule",
+        "HTTP manager",
+        "Min retries for verdict"
+    ));
+
+    conf_data.setNumericalValue("max_retries_for_verdict", getAttachmentConf<uint>(
+        15,
+        "agent.maxRetriesForVerdict.nginxModule",
+        "HTTP manager",
+        "Max retries for verdict"
+    ));
+
+    conf_data.setNumericalValue("body_size_trigger", getAttachmentConf<uint>(
+        200000,
+        "agent.reqBodySizeTrigger.nginxModule",
+        "HTTP manager",
+        "Request body size trigger"
+    ));
+}
+
 void
 HttpAttachmentConfig::setFailOpenWaitMode()
 {

components/attachment-intakers/nginx_attachment/nginx_attachment_config.h

@@ -70,6 +70,8 @@ private:
 
     void setDebugByContextValues();
 
+    void setRetriesForVerdict();
+
     WebTriggerConf web_trigger_conf;
     HttpAttachmentConfiguration conf_data;
 };

components/security_apps/local_policy_mgmt_gen/include/ingress_data.h

@@ -79,6 +79,7 @@ class DefaultBackend
 {
 public:
     void load(cereal::JSONInputArchive &);
+    bool doesExist() const;
 
 private:
     bool is_exists = false;
@@ -90,6 +91,7 @@ public:
     void load(cereal::JSONInputArchive &archive_in);
 
     const std::vector<IngressDefinedRule> & getRules() const;
+    bool doesDefaultBackendExist() const;
 
 private:
     std::string ingress_class_name;

components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h

@@ -111,7 +111,7 @@ private:
     SecurityAppsWrapper security_apps;
 };
 
-class PolicyMakerUtils
+class PolicyMakerUtils : Singleton::Consume<I_EnvDetails>
 {
 public:
     std::string proccesSingleAppsecPolicy(

components/security_apps/local_policy_mgmt_gen/ingress_data.cc

@@ -86,6 +86,12 @@ DefaultBackend::load(cereal::JSONInputArchive &)
     is_exists = true;
 }
 
+bool
+DefaultBackend::doesExist() const
+{
+    return is_exists;
+}
+
 void
 IngressSpec::load(cereal::JSONInputArchive &archive_in)
 {
@@ -101,6 +107,12 @@ IngressSpec::getRules() const
     return rules;
 }
 
+bool
+IngressSpec::doesDefaultBackendExist() const
+{
+    return default_backend.doesExist();
+}
+
 void
 SingleIngressData::load(cereal::JSONInputArchive &archive_in)
 {

components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc

@@ -532,6 +532,16 @@ K8sPolicyUtils::createPolicy(
     map<AnnotationKeys, string> &annotations_values,
     const SingleIngressData &item) const
 {
+    if (policies.find(annotations_values[AnnotationKeys::PolicyKey]) == policies.end()) {
+        policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
+    }
+    if (item.getSpec().doesDefaultBackendExist()) {
+        dbgTrace(D_LOCAL_POLICY)
+            << "Inserting Any host rule to the specific asset set";
+        K ingress_rule = K("*");
+        policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
+    }
+
     for (const IngressDefinedRule &rule : item.getSpec().getRules()) {
         string url = rule.getHost();
         for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) {
@@ -544,14 +554,12 @@ K8sPolicyUtils::createPolicy(
                     << uri.getPath()
                     << "'";
                 K ingress_rule = K(url + uri.getPath());
-                appsec_policy.addSpecificRule(ingress_rule);
+                policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
             }
         }
     }
-    policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
 }
 
-
 std::tuple<map<string, AppsecLinuxPolicy>, map<string, V1beta2AppsecLinuxPolicy>>
 K8sPolicyUtils::createAppsecPoliciesFromIngresses()
 {

components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc

@@ -126,6 +126,7 @@ NewAppsecPolicySpec::load(cereal::JSONInputArchive &archive_in)
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec policy spec";
     parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
     parseAppsecJSONKey<NewParsedRule>("default", default_rule, archive_in);
+    default_rule.setHost("*");
     parseAppsecJSONKey<vector<NewParsedRule>>("specificRules", specific_rules, archive_in);
 }
 

components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc

@@ -1636,7 +1636,9 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy(const string &policy_name, c
     createPolicyElements<T, R>(specific_rules, default_rule, appsec_policy, policy_name);
 
     // add default rule to policy
-    createPolicyElementsByRule<T, R>(default_rule, default_rule, appsec_policy, policy_name);
+    if (Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S) {
+        createPolicyElementsByRule<T, R>(default_rule, default_rule, appsec_policy, policy_name);
+    }
 }
 
 // LCOV_EXCL_START Reason: no test exist
@@ -1659,11 +1661,13 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy<V1beta2AppsecLinuxPolicy, Ne
     );
 
     // add default rule to policy
-    createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsedRule>(
-        default_rule,
-        default_rule,
-        appsec_policy,
-        policy_name);
+    if (Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S) {
+        createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsedRule>(
+            default_rule,
+            default_rule,
+            appsec_policy,
+            policy_name);
+    }
 }
 // LCOV_EXCL_STOP
 

components/security_apps/local_policy_mgmt_gen/triggers_section.cc

@@ -96,8 +96,8 @@ LogTriggerSection::save(cereal::JSONOutputArchive &out_ar) const
         cereal::make_nvp("acDrop",                   acDrop),
         cereal::make_nvp("complianceViolations",     false),
         cereal::make_nvp("complianceWarnings",       false),
-        cereal::make_nvp("extendloggingMinSeverity", extendloggingMinSeverity),
-        cereal::make_nvp("extendlogging",            extendlogging),
+        cereal::make_nvp("extendLoggingMinSeverity", extendloggingMinSeverity),
+        cereal::make_nvp("extendLogging",            extendlogging),
         cereal::make_nvp("logToAgent",               logToAgent),
         cereal::make_nvp("logToCef",                 logToCef),
         cereal::make_nvp("logToCloud",               logToCloud),

components/security_apps/orchestration/details_resolver/details_resolving_handler.cc

@@ -99,6 +99,7 @@ map<string, string>
 DetailsResolvingHanlder::Impl::getResolvedDetails() const
 {
     I_ShellCmd *shell = Singleton::Consume<I_ShellCmd>::by<DetailsResolvingHanlder>();
+    I_AgentDetailsReporter *reporter = Singleton::Consume<I_AgentDetailsReporter>::by<DetailsResolvingHanlder>();
     uint32_t timeout = getConfigurationWithDefault<uint32_t>(5000, "orchestration", "Details resolver time out");
 
     for (auto &shell_pre_command : shell_pre_commands) {
@@ -122,7 +123,15 @@ DetailsResolvingHanlder::Impl::getResolvedDetails() const
         Maybe<string> shell_command_output = getCommandOutput(command);
         if (!shell_command_output.ok()) continue;
         Maybe<string> handler_ret = handler(*shell_command_output);
-        if (handler_ret.ok()) resolved_details[attr] = *handler_ret;
+
+        if (handler_ret.ok()) {
+            resolved_details[attr] = *handler_ret;
+        } else {
+            if (reporter->isPersistantAttr(attr)) {
+                dbgTrace(D_AGENT_DETAILS)<< "Persistent attribute changed, removing old value";
+                reporter->deleteAttr(attr);
+            }
+        }
     }
 
     for (auto file_handler : file_content_handlers) {
@@ -157,7 +166,6 @@ DetailsResolvingHanlder::Impl::getResolvedDetails() const
         }
     }
 
-    I_AgentDetailsReporter *reporter = Singleton::Consume<I_AgentDetailsReporter>::by<DetailsResolvingHanlder>();
     reporter->addAttr(resolved_details, true);
 
     return resolved_details;

components/utils/generic_rulebase/evaluators/parameter_eval.cc

@@ -22,6 +22,8 @@
 
 using namespace std;
 
+USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
+
 string ParameterMatcher::ctx_key = "parameters";
 
 ParameterMatcher::ParameterMatcher(const vector<string> &params)
@@ -33,6 +35,17 @@ ParameterMatcher::ParameterMatcher(const vector<string> &params)
 Maybe<bool, Context::Error>
 ParameterMatcher::evalVariable() const
 {
+    I_Environment *env = Singleton::Consume<I_Environment>::by<ParameterMatcher>();
+    auto bc_param_id_ctx = env->get<set<GenericConfigId>>(ParameterMatcher::ctx_key);
+    dbgTrace(D_RULEBASE_CONFIG)
+        << "Trying to match parameter. ID: "
+        << parameter_id << ", Current set IDs: "
+        << makeSeparatedStr(bc_param_id_ctx.ok() ? *bc_param_id_ctx : set<GenericConfigId>(), ", ");
+    if (bc_param_id_ctx.ok()) return bc_param_id_ctx.unpack().count(parameter_id) > 0;
+
+    dbgTrace(D_RULEBASE_CONFIG)
+        << "Did not find current parameter in context."
+        << " Match parameter from current rule";
     auto rule = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
     return rule.ok() && rule.unpack().isParameterActive(parameter_id);
 }

core/agent_details_reporter/agent_details_reporter.cc

@@ -71,6 +71,7 @@ public:
     bool addAttr(const string &key, const string &val, bool allow_override = false) override;
     bool addAttr(const map<string, string> &attr, bool allow_override = false) override;
     void deleteAttr(const string &key) override;
+    bool isPersistantAttr(const string &key) override;
 
     bool sendAttributes() override;
 
@@ -130,6 +131,7 @@ private:
     map<string, string> persistant_attributes;
     map<string, string> new_attributes;
     map<string, string> attributes;
+    bool is_attr_deleted = false;
 
     I_Messaging *messaging = nullptr;
     bool is_server;
@@ -207,6 +209,13 @@ AgentDetailsReporter::Impl::deleteAttr(const string &key)
     attributes.erase(key);
     new_attributes.erase(key);
     persistant_attributes.erase(key);
+    is_attr_deleted = true;
+}
+
+bool
+AgentDetailsReporter::Impl::isPersistantAttr(const std::string &key)
+{
+    return persistant_attributes.count(key) > 0;
 }
 
 bool
@@ -214,7 +223,7 @@ AgentDetailsReporter::Impl::sendAttributes()
 {
     dbgDebug(D_AGENT_DETAILS) << "Trying to send attributes";
 
-    if (new_attributes.empty()) {
+    if (new_attributes.empty() && !is_attr_deleted) {
         dbgDebug(D_AGENT_DETAILS) << "Skipping current attempt since no new attributes were added";
         return true;
     }
@@ -261,6 +270,7 @@ AgentDetailsReporter::Impl::sendAttributes()
         if (add_agent_details_status.ok()) {
             dbgDebug(D_AGENT_DETAILS) << "Successfully sent attributes to the Orchestrator";
             new_attributes.clear();
+            is_attr_deleted = false;
             return true;
         }
 

core/agent_details_reporter/agent_details_reporter_ut/agent_details_reporter_ut.cc

@@ -213,6 +213,7 @@ TEST_F(AgentReporterTest, basicAttrTest)
     EXPECT_TRUE(report->addAttr({{"c", "d"}, {"1", "2"}, {"delete", "me"}}));
     EXPECT_FALSE(report->addAttr("a", "d"));
     EXPECT_TRUE(report->addAttr("a", "1", true));
+    EXPECT_TRUE(report->isPersistantAttr("a"));
     report->deleteAttr("delete");
     {
         AgentDataReport agent_data;

core/attachments/http_configuration/http_configuration.cc

@@ -108,7 +108,10 @@ HttpAttachmentConfiguration::save(cereal::JSONOutputArchive &archive) const
         ),
         cereal::make_nvp("nginx_inspection_mode", getNumericalValue("inspection_mode")),
         cereal::make_nvp("num_of_nginx_ipc_elements", getNumericalValue("num_of_nginx_ipc_elements")),
-        cereal::make_nvp("keep_alive_interval_msec", getNumericalValue("keep_alive_interval_msec"))
+        cereal::make_nvp("keep_alive_interval_msec", getNumericalValue("keep_alive_interval_msec")),
+        cereal::make_nvp("min_retries_for_verdict", getNumericalValue("min_retries_for_verdict")),
+        cereal::make_nvp("max_retries_for_verdict", getNumericalValue("max_retries_for_verdict")),
+        cereal::make_nvp("body_size_trigger", getNumericalValue("body_size_trigger"))
     );
 }
 
@@ -161,6 +164,9 @@ HttpAttachmentConfiguration::load(cereal::JSONInputArchive &archive)
     loadNumericalValue(archive, "nginx_inspection_mode", 0);
     loadNumericalValue(archive, "num_of_nginx_ipc_elements", 200);
     loadNumericalValue(archive, "keep_alive_interval_msec", DEFAULT_KEEP_ALIVE_INTERVAL_MSEC);
+    loadNumericalValue(archive, "min_retries_for_verdict", 3);
+    loadNumericalValue(archive, "max_retries_for_verdict", 15);
+    loadNumericalValue(archive, "body_size_trigger", 200000);
 }
 
 bool

core/include/attachments/nginx_attachment_util.h

@@ -54,6 +54,9 @@ unsigned int getReqBodyThreadTimeout();
 unsigned int getResProccessingTimeout();
 unsigned int getResHeaderThreadTimeout();
 unsigned int getResBodyThreadTimeout();
+unsigned int getMinRetriesForVerdict();
+unsigned int getMaxRetriesForVerdict();
+unsigned int getReqBodySizeTrigger();
 
 unsigned int getWaitingForVerdictThreadTimeout();
 

core/include/services_sdk/interfaces/i_agent_details_reporter.h

@@ -48,6 +48,7 @@ public:
     virtual bool addAttr(const std::map<std::string, std::string> &attr, bool allow_override = false) = 0;
     virtual void deleteAttr(const std::string &key) = 0;
     virtual bool sendAttributes() = 0;
+    virtual bool isPersistantAttr(const std::string &key) = 0;
 
 protected:
     ~I_AgentDetailsReporter() = default;

core/include/services_sdk/interfaces/mock/mock_agent_details_reporter.h

@@ -26,6 +26,7 @@ public:
     MOCK_METHOD3(addAttr, bool(const std::string &key, const std::string &val, bool allow_override));
     MOCK_METHOD2(addAttr, bool(const std::map<std::string, std::string> &attr, bool allow_override));
     MOCK_METHOD1(deleteAttr, void(const std::string &key));
+    MOCK_METHOD1(isPersistantAttr, bool(const std::string &key));
     MOCK_METHOD0(sendAttributes, bool());
 };
 

nodes/orchestration/package/k8s-check-update-listener.sh

@@ -69,7 +69,7 @@ while true; do
         exception_pid=$!
         saveRuningPids
     fi
-        if [ ! -d /proc/${exception_pid} ]; then
+    if [ ! -d /proc/${policy_pid} ]; then
         runGetResourceListener policies
         policy_pid=$!
         saveRuningPids

nodes/orchestration/package/open-appsec-cloud-mgmt-k8s

@@ -13,13 +13,19 @@ profile_id=
 cluster_id=
 latest_policy_version=1
 
+if [ -f $POLICY_CRDS_PATH ]; then
+    chmod 644 $POLICY_CRDS_PATH
+fi
+
 load_agent_details()
 {
-    tenant_id=$(cat /etc/cp/conf/agent_details.json | sed "s|Tenant ID|TenantID|g" | /etc/cp/bin/yq -P '.TenantID')
-    agent_id=$(cat /etc/cp/conf/agent_details.json | sed "s|Agent ID|AgentID|g" | /etc/cp/bin/yq -P '.AgentID')
-    profile_id=$(cat /etc/cp/conf/agent_details.json | sed "s|Profile ID|ProfileID|g" | /etc/cp/bin/yq -P '.ProfileID')
+    tenant_id=$(awk -F\" '/Tenant ID/{print $4}' /etc/cp/conf/agent_details.json)
+    agent_id=$(awk -F\" '/Agent ID/{print $4}' /etc/cp/conf/agent_details.json)
+    profile_id=$(awk -F\" '/Profile ID/{print $4}' /etc/cp/conf/agent_details.json)
     cluster_id=$(echo $(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/ ) \
-        | /etc/cp/bin/yq .items | /etc/cp/bin/yq  '.[] | select(.metadata.name  | contains("kube-system"))' | /etc/cp/bin/yq .metadata.uid)
+        | /etc/cp/bin/yq eval '.items' - \
+        | /etc/cp/bin/yq eval '.[] | select(.metadata.name | contains("kube-system"))' - \
+        | /etc/cp/bin/yq eval '.metadata.uid' -)
 }
 
 get_latest_policy_version()
@@ -27,7 +33,7 @@ get_latest_policy_version()
     bucket_list=$(curl -s -w "%{http_code}\n" --request GET \
         -H "user-agent: Infinity Next (a7030abf93a4c13)" -H "Authorization: Bearer ${ra_token}" \
         "$var_fog/agents-core/storage/?list-type=2&prefix=${tenant_id}/${profile_id}")
-    paths_list=$(echo $bucket_list  | /etc/cp/bin/yq -p xml | grep "/policy")
+    paths_list=$(echo $bucket_list  | awk -F'<Key>|</Key>' '/policy-/ {for (i = 1; i <= NF; i++) if ($i ~ /policy/) print $i}')
 
     prefix="${tenant_id}/${profile_id}"
     paths=$(echo $paths_list | tr " " "\n" | grep / )
@@ -44,15 +50,16 @@ get_latest_policy_version()
 
 concat_to_policy()
 {
-    crd_to_concat="$1"
-    is_first=$2
+    api_version="$1"
+    crd_to_concat="$2"
+    is_first=$3
     if [ ! -z $is_first ]; then
-        POLICY="$POLICY \"$1\": "
+        POLICY="$POLICY \"$crd_to_concat\": "
     else
-        POLICY="$POLICY, \"$1\": "
+        POLICY="$POLICY, \"$crd_to_concat\": "
     fi
     CRD=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
-        -X GET ${APISERVER}/apis/openappsec.io/v1beta1/$crd_to_concat)
+        -X GET ${APISERVER}/apis/openappsec.io/$api_version/$crd_to_concat)
     CRD=$(echo $CRD|tr -d '\n')
     if [ -z "$CRD" ]; then
         CRD="{}"
@@ -60,28 +67,49 @@ concat_to_policy()
     POLICY="$POLICY $CRD"
 }
 
+get_api_version()
+{
+    CRD=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
+        -X GET ${APISERVER}/apis/openappsec.io/v1beta2/policies)
+    CRD=$(echo $CRD|tr -d '\n')
+    # if CRD is not empty and does not contain "page not found" then it is v1beta2
+    if [ ! -z "$CRD" ] && ! echo "$CRD" | grep -q "page not found"; then
+        echo "v1beta2"
+    else
+        echo "v1beta1"
+    fi
+}
+
 generate_policy()
 {
     POLICY="{ \"Policy\": {"
-    concat_to_policy policies true
-    concat_to_policy practices
-    concat_to_policy logtriggers
-    concat_to_policy customresponses
-    concat_to_policy exceptions
-    concat_to_policy sourcesidentifiers
-    concat_to_policy trustedsources
+
+    api_version=$(get_api_version)
+
+    concat_to_policy $api_version "policies" true
+    if [ "$api_version" = "v1beta2" ]; then
+        concat_to_policy $api_version "threatpreventionpractices"
+        concat_to_policy $api_version "accesscontrolpractices"
+    else
+        concat_to_policy $api_version "practices"
+    fi
+    concat_to_policy $api_version "logtriggers"
+    concat_to_policy $api_version "customresponses"
+    concat_to_policy $api_version "exceptions"
+    concat_to_policy $api_version "sourcesidentifiers"
+    concat_to_policy $api_version "trustedsources"
 
     POLICY="$POLICY, \"assets\": { \"items\":[ "
 
     FIRST="1"
     all_ingresses=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
         -X GET ${APISERVER}/apis/networking.k8s.io/v1/ingresses)
-    namespaces=$(echo $all_ingresses | /etc/cp/bin/yq -P '.items[].metadata.namespace')
+    namespaces=$(echo $all_ingresses | /etc/cp/bin/yq eval '.items[].metadata.namespace' -)
 
     for ns in ${namespaces}; do
         ingress_in_ns=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
             -X GET ${APISERVER}/apis/networking.k8s.io/v1/namespaces/${ns}/ingresses)
-        ingress_list=$(echo $ingress_in_ns | /etc/cp/bin/yq -P '.items[].metadata.name')
+        ingress_list=$(echo $ingress_in_ns | /etc/cp/bin/yq eval '.items[].metadata.name' -)
         for ingress_name in ${ingress_list}; do
             ingress_crd=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
                 -X GET ${APISERVER}/apis/networking.k8s.io/v1/namespaces/${ns}/ingresses/${ingress_name})
@@ -233,6 +261,7 @@ usage()
     echo "Options:"
     echo "    --fog       <fog address>          : Namespace with the relevant Helm Chart"
     echo "    --upload_policy_only               : Upload policy to the fog, withput changing agent mode"
+    echo "    --debug                            : Keep the debuging files"
     exit 255
 }
 
@@ -253,6 +282,8 @@ validate_arg_value_exists()
     fi
 }
 
+debug_mode="false"
+
 while true; do
     if [ "$1" = "--token" ]; then
         validate_arg_value_exists "$1" "$#"
@@ -266,6 +297,8 @@ while true; do
         validate_arg_value_exists "$1" "$#"
         shift
         ra_token="$1"
+    elif [ "$1" = "--debug" ]; then
+        debug_mode="true"
     elif [ -z "$1" ]; then
         break
     fi
@@ -273,7 +306,7 @@ while true; do
 done
 
 if [ -z "$var_fog" ]; then
-    var_fog=$(cat /etc/cp/conf/agent_details.json | sed "s|Fog domain|Fogdomain|g" | /etc/cp/bin/yq -P '.Fogdomain')
+    var_fog=$(awk -F\" '/Fog domain/{print $4}' /etc/cp/conf/agent_details.json)
     var_fog="https://$var_fog"
 fi
 
@@ -281,5 +314,8 @@ upload_crds_to_the_cloud
 if [ "$?" = "0" ]; then
     echo "SUCCESS"
 fi
+if [ "$debug_mode" = "false" ]; then
+    rm $POLICY_CRDS_PATH
+fi
 
 exit 0

nodes/orchestration/package/open-appsec-ctl.sh

@@ -1363,9 +1363,12 @@ run_ai() # Initials - ra
         exit 1
     fi
     if [ "$ra_upload_to_fog" = "true" ]; then
-        ra_token_data=$(curl_to_orchestration "show-access-token")
-        ra_token_hex=$(echo "$ra_token_data" | grep "token" | cut -d '"' -f4 | base64 -d | od -t x1 -An)
-        ra_token_hex_formatted=$(echo $ra_token_hex | tr -d ' ')
+        ra_token_data=$(curl_to_orchestration "show-access-token" | grep "token" | cut -d '"' -f4)
+        if [ -z "${ra_token_data}" ]; then
+            echo "Failed to get crediantials to upload the file to the cloud."
+            exit 1;
+        fi
+        ra_token_hex_formatted=$(echo $ra_token_data | base64 -d | od -t x1 -An | tr -d '[:space:]')
         ra_token="$(xor_decrypt "${ra_token_hex_formatted}")"
 
         ra_proxy_val=""

nodes/orchestration/package/orchestration_package.sh

@@ -302,13 +302,15 @@ while true; do
         echo "Filesystem paths: ${FILESYSTEM_PATH}"
     elif [ "$1" = "--vs_id" ]; then
         shift
-        VS_ID=$1
-        export FILESYSTEM_PATH="/etc/cp/vs${VS_ID}"
-        NANO_AGENT_SERVICE_NAME="nano_agent_${VS_ID}"
-        NANO_AGENT_SERVICE_FILE="${NANO_AGENT_SERVICE_NAME}.service"
-        VS_LIB_SUB_FOLDER="/vs${VS_ID}"
-        LOG_FILE_PATH="${LOG_FILE_PATH}/vs${VS_ID}"
-        TMP_FOLDER="${TMP_FOLDER}/vs${VS_ID}"
+        if [ "$1" != "0" ]; then
+            VS_ID=$1
+            export FILESYSTEM_PATH="/etc/cp/vs${VS_ID}"
+            NANO_AGENT_SERVICE_NAME="nano_agent_${VS_ID}"
+            NANO_AGENT_SERVICE_FILE="${NANO_AGENT_SERVICE_NAME}.service"
+            VS_LIB_SUB_FOLDER="/vs${VS_ID}"
+            LOG_FILE_PATH="${LOG_FILE_PATH}/vs${VS_ID}"
+            TMP_FOLDER="${TMP_FOLDER}/vs${VS_ID}"
+        fi
     elif [ "$1" = "--log_files_path" ]; then
         shift
         var=$1
@@ -360,6 +362,16 @@ if [ -z "$VS_ID" ]; then
     fi
 fi
 
+if [ -n "${VS_ID}" ]; then
+    if [ "$VS_ID" != "$INSTANCE_VSID" ]; then
+        echo "Error: Incorrect context, switch to VS${VS_ID} context first."
+        exit 1
+    fi
+elif [ -n "$INSTANCE_VSID" ] && [ "$INSTANCE_VSID" != "0" ]; then
+    echo "Error: Incorrect context, exit vs${INSTANCE_VSID} first."
+    exit 1
+fi
+
 if [ "$RUN_MODE" = "install" ] && [ $var_offline_mode = false ]; then
     if [ -n "$OTP_TOKEN" ] && [ -z "$var_token" ] && [ "$var_no_otp" = "false" ]; then
         var_token=$OTP_TOKEN
@@ -846,7 +858,7 @@ install_public_key()
 
     fog_address=${var_fog_address}
     if [ -n "${var_upgrade_mode}" ]; then
-        # Upgradde - look in policy.json
+        # Upgrade - look in policy.json
         fog_address=$(cat ${FILESYSTEM_PATH}/${CONF_PATH}/${SERVICE_PATH}/orchestration.policy)
     fi