feat: public blob rule (PAD-272) #198

Closed
wants to merge 3 commits into from

Conversation

mattwelke
Contributor

This is another rule that can be used to check that VM images are publicly available. In this case, it's when an image is a VHD file exposed publicly via public Azure Blob Storage.

The rule is implemented by performing a HEAD request against a URL formed from the rule input. If the request succeeds, the file is deemed available. If an HTTP response comes back with any status code except 200 OK, the file is deemed inaccessible. If any error occurs while creating or sending the request, this is treated as an error that causes the rule to fail, just like how we handle errors in all rules in all plugins.

Because at the end of the day this is just testing whether a URL is publicly accessible by all HTTP clients, if we want to, this could be moved later into a new plugin for non-cloud specific use cases. At that point, Azure users could be instructed to use the new "public HTTP file" rule for their VHD image use case.

Example of rule:

apiVersion: validation.spectrocloud.labs/v1alpha1
kind: AzureValidator
metadata:
  name: azurevalidator-public-blob-one-blob
spec:
  auth:
    implicit: false
    secretName: azure-creds
  publicBlobRules:
  - name: rule-1
    storageAccount: spectroimageprod
    container: system
    paths:
    - "Microsoft.Compute/Images/spectroimages/c-77-0-k-11611-0-osDisk.8ed00fe6-11e0-42e9-8da9-28ea8bbf2046.vhd"

Succeeded example:

status:
  state: Succeeded
  validationConditions:
  - details:
    - Blob 'Microsoft.Compute/Images/spectroimages/c-77-0-k-11611-0-osDisk.8ed00fe6-11e0-42e9-8da9-28ea8bbf2046.vhd'
      in container 'system' in storage account 'spectroimageprod' is publicly accessible.
    lastValidationTime: "2024-07-11T19:48:38Z"
    message: All blobs present in container and publicly accessible.
    status: "True"
    validationRule: validation-rule-1
    validationType: azure-public-blob

Failed example (no error, but blob not accessible because path in rule doesn't match a public blob):

status:
  state: Failed
  validationConditions:
  - failures:
    - blob 'Microsoft.Compute/Images/spectroimages/c-77-0-k-11611-0-osDisk.8ed00fe6-11e0-42e9-8da9-28ea8bbf2046.vhs'
      in container 'system' in storage account 'spectroimageprod' is not publicly
      accessible; '404' status code in response to HEAD request
    lastValidationTime: "2024-07-11T19:46:53Z"
    message: One or more blobs not publicly accessible. See failures for details.
    status: "False"
    validationRule: validation-rule-1
    validationType: azure-public-blob

Failed example (error during request because Azure storage account in rule doesn't exist):

status:
  state: Failed
  validationConditions:
  - failures:
    - 'failed to check blob ''Microsoft.Compute/Images/spectroimages/c-77-0-k-11611-0-osDisk.8ed00fe6-11e0-42e9-8da9-28ea8bbf2046.vhd''
      in container ''system'' in storage account ''spectroimageproddd'': failed to
      send HTTP request: Head "https://spectroimageproddd.blob.core.windows.net/system/Microsoft.Compute/Images/spectroimages/c-77-0-k-11611-0-osDisk.8ed00fe6-11e0-42e9-8da9-28ea8bbf2046.vhd":
      dial tcp: lookup spectroimageproddd.blob.core.windows.net on 10.96.0.10:53:
      no such host'
    lastValidationTime: "2024-07-11T19:49:38Z"
    message: Validation failed with an unexpected error
    status: "False"
    validationRule: validation-rule-1
    validationType: azure-public-blob

Signed-off-by: Matt Welke <matt.welke@spectrocloud.com>
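The check the description above outlines, written out in Go as an added worked example (this is not the plugin code from the PR). It forms https://<account>.blob.core.windows.net/<container>/<path>, the host shape visible in the DNS error above, sends an unauthenticated HEAD request, and maps the three outcomes the description names: 200 is accessible, any other status is not accessible with the status code kept for the failure message, and a request that cannot be built or sent is a rule error. The type and function names (BlobRef, AzureBlobURL, NewClient, CheckPublicURL, CheckPublicBlob) are this example's, as are two choices the PR text does not mention: each path segment is percent-escaped separately, and redirects are not followed, so a 3xx is reported as a non-200 status rather than silently followed to another location.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// BlobRef is the rule input described above: storage account, container and
// blob path. The type and field names are this example's, not the plugin's.
type BlobRef struct {
	StorageAccount string
	Container      string
	Path           string
}

// CheckResult carries the two non-error outcomes: Accessible is true only for
// 200 OK; StatusCode is kept for the failure message ("'404' status code in
// response to HEAD request").
type CheckResult struct {
	Accessible bool
	StatusCode int
}

// AzureBlobURL forms the anonymous endpoint
// https://<account>.blob.core.windows.net/<container>/<path>. Path segments are
// escaped one at a time so the slashes in "Microsoft.Compute/Images/..." stay
// separators while characters such as spaces or '#' cannot alter the target.
func AzureBlobURL(ref BlobRef) string {
	segs := strings.Split(ref.Path, "/")
	for i, s := range segs {
		segs[i] = url.PathEscape(s)
	}
	return fmt.Sprintf("https://%s.blob.core.windows.net/%s/%s",
		ref.StorageAccount, url.PathEscape(ref.Container), strings.Join(segs, "/"))
}

// NewClient returns a client with a timeout and with redirects disabled (this
// example's choice): a 3xx means the rule's URL is not itself the public
// location of the blob, so it is reported as a non-200 status instead of being
// followed to wherever it points.
func NewClient(timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout: timeout,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// CheckPublicURL sends an unauthenticated HEAD request (no credentials, no SAS
// token) and classifies the outcome as the description above does: a returned
// error means the request could not be built or sent and the rule should fail
// with an unexpected error; otherwise only 200 counts as publicly accessible.
func CheckPublicURL(ctx context.Context, client *http.Client, blobURL string) (CheckResult, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodHead, blobURL, nil)
	if err != nil {
		return CheckResult{}, fmt.Errorf("failed to create HTTP request: %w", err)
	}
	resp, err := client.Do(req)
	if err != nil {
		return CheckResult{}, fmt.Errorf("failed to send HTTP request: %w", err)
	}
	resp.Body.Close()
	return CheckResult{Accessible: resp.StatusCode == http.StatusOK, StatusCode: resp.StatusCode}, nil
}

// CheckPublicBlob wires URL construction and the HEAD check together for one
// blob listed in a rule.
func CheckPublicBlob(ctx context.Context, client *http.Client, ref BlobRef) (CheckResult, error) {
	return CheckPublicURL(ctx, client, AzureBlobURL(ref))
}

func main() {
	// The blob from the PR's example rule; running this needs network access.
	ref := BlobRef{
		StorageAccount: "spectroimageprod",
		Container:      "system",
		Path:           "Microsoft.Compute/Images/spectroimages/c-77-0-k-11611-0-osDisk.8ed00fe6-11e0-42e9-8da9-28ea8bbf2046.vhd",
	}
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	res, err := CheckPublicBlob(ctx, NewClient(10*time.Second), ref)
	switch {
	case err != nil:
		fmt.Printf("failed to check blob %q: %v\n", ref.Path, err) // rule error
	case res.Accessible:
		fmt.Printf("blob %q is publicly accessible\n", ref.Path)
	default:
		fmt.Printf("blob %q is not publicly accessible; '%d' status code in response to HEAD request\n",
			ref.Path, res.StatusCode)
	}
}
```

Because the request carries no credentials, the check measures exactly what the rule claims to measure: whether any anonymous HTTP client can reach the blob. Note that it cannot tell a blob that does not exist from one that exists but is not public; both surface as a non-200 status, which is why the PR's second example reports a 404 for a mistyped path.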
@mattwelke mattwelke requested a review from a team as a code owner July 11, 2024 20:02
@mattwelke mattwelke requested a review from arturshadnik July 11, 2024 20:02
@dosubot dosubot bot added size:XL This PR changes 500-999 lines, ignoring generated files. enhancement Enhancement to an existing feature labels Jul 11, 2024
Signed-off-by: Matt Welke <matt.welke@spectrocloud.com>
@mattwelke mattwelke requested a review from TylerGillson July 11, 2024 20:29
codecov bot commented Jul 11, 2024

Codecov Report

Attention: Patch coverage is 64.70588% with 24 lines in your changes missing coverage. Please review.

@@            Coverage Diff             @@
##             main     #198      +/-   ##
==========================================
+ Coverage   61.38%   61.63%   +0.25%     
==========================================
  Files          10       11       +1     
  Lines         681      748      +67     
==========================================
+ Hits          418      461      +43     
- Misses        245      266      +21     
- Partials       18       21       +3     
Files                                              Coverage   Δ
api/v1alpha1/azurevalidator_types.go               100.00%    <100.00%> (ø)
internal/validators/public_blob.go                 95.45%     <95.45%> (ø)
internal/controller/azurevalidator_controller.go   73.33%     <16.66%> (-3.44%) ⬇️
api/v1alpha1/zz_generated.deepcopy.go              32.84%     <0.00%> (-4.66%) ⬇️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update dd1e5e6...e667fd8. Read the comment docs.

Member

@TylerGillson TylerGillson left a comment


I think this should be moved to validator-plugin-network. The PublicBlobRule struct could just have Name and Path.

@mattwelke
Contributor Author

Moving to network plugin.

@mattwelke mattwelke closed this Jul 12, 2024