Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(container.provider): added container instances enforcement allowlist #5197

Merged
merged 27 commits into from
Apr 4, 2024
Merged

feat(container.provider): added container instances enforcement allowlist #5197

merged 27 commits into from
Apr 4, 2024

Conversation

sfiorani
Copy link
Contributor

@sfiorani sfiorani commented Apr 2, 2024

This PR adds an option to the Container Instances to be compliant with the Enforcement feature added to the Container Orchestration Service in #5162 and it's the second step of building the Container Authenticity feature.

This option allows the user to provide an Enforcement Digest for a specific Container Instance: when a container is enabled with the given option filled, the provided digest is added to the Container Orchestration Service enforcement allowlist. In this way the Container Instance is allowed to run even if in the Orchestration Service allowlist the digest is not included, because is the container instance to provide it.

Related docs is present in #5184 .

Related Issue:

Description of the solution adopted:

Screenshots:

Manual Tests:

Any side note on the changes made:

sfiorani and others added 22 commits March 1, 2024 15:27
@sfiorani
feat(container.orchestration.provider): added first implementation of…
dbd0697 
… enforcement allowlist

Signed-off-by: SimoneFiorani <[email protected]>
@sfiorani
feat(container.orchestration.provider): enforcement allowlist impleme…
16deb27 
…nted

Signed-off-by: SimoneFiorani <[email protected]>
@sfiorani
feat(container.orchestration.provider): updated copyright and method …
c6f3ca5 
…signature

Signed-off-by: SimoneFiorani <[email protected]>
@sfiorani
feat(container.orchestration.provider): improved implementation, test…
7fb3e51 
…s added

Signed-off-by: SimoneFiorani <[email protected]>
@sfiorani
feat(container.orchestration.provider): corrected typo in option desc…
f5a7b0e 
…ription

Signed-off-by: SimoneFiorani <[email protected]>
@sfiorani @mattdibi
feat(container.orchestration.provider): fixed indendation
3ec5287 
Co-authored-by: Mattia Dal Ben <[email protected]>
@sfiorani
feat(container.orchestration.provider): implemented suggestion and va…
5d7aed2 
…lidation of already running containers

Signed-off-by: SimoneFiorani <[email protected]>
@sfiorani
feat(container.orchestration.provider): added tests for monitor-start…
91b521d 
…ing phase

Signed-off-by: SimoneFiorani <[email protected]>
@sfiorani
feat(container.orchestration.provider): refactored allowlist monitor …
990eead 
…class

Signed-off-by: SimoneFiorani <[email protected]>
@mattdibi
fix: typo in log
b9e3260
@mattdibi
style: fix copyright header
f67926e
@mattdibi
fix: copyright header year
57499d3
@sfiorani
feat(container.provider): added container instance digest enforcement
701312b 
Signed-off-by: SimoneFiorani <[email protected]>
@sfiorani
feat: added tests and some updates on orchestration service
f0051a1 
Signed-off-by: SimoneFiorani <[email protected]>
@sfiorani
feat: added running containers check after instance digest removing
940e029 
Signed-off-by: SimoneFiorani <[email protected]>
@sfiorani
feat: running container check after stopping added
5e7e511 
Signed-off-by: SimoneFiorani <[email protected]>
@sfiorani
refactor: refactor with suggestions
ab61d1d 
Signed-off-by: SimoneFiorani <[email protected]>
@sfiorani
Merge branch 'allowlist_enforcement_adding' into container-instances-…
90c7c50 
…allowlist
@sfiorani
refactor: moved enforceAlreadyRunningContainer method
ec5d9b9
@sfiorani
refactor: refactored some methods
0b327ad
@sfiorani
refactor: refactored hashcode and equals methods
486309d
@sfiorani
Merge branch 'develop' into container-instances-allowlist
081a23c
@mattdibi mattdibi self-requested a review April 2, 2024 10:34
@sfiorani sfiorani marked this pull request as ready for review April 3, 2024 13:18
@sfiorani sfiorani marked this pull request as draft April 3, 2024 13:19
@sfiorani sfiorani marked this pull request as ready for review April 4, 2024 09:21
mattdibi
mattdibi requested changes Apr 4, 2024
View reviewed changes
Copy link
Contributor

@mattdibi mattdibi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A reeeeeaaaaaaally small thing. Let me know what you think...

...ntainer.provider/OSGI-INF/metatype/org.eclipse.kura.container.provider.ContainerInstance.xml Outdated Show resolved Hide resolved
@sfiorani @mattdibi
Update kura/org.eclipse.kura.container.provider/OSGI-INF/metatype/org…
19ca6ef 
….eclipse.kura.container.provider.ContainerInstance.xml

Co-authored-by: Mattia Dal Ben <[email protected]>
@sfiorani sfiorani requested a review from mattdibi April 4, 2024 09:55
@mattdibi
Copy link
Contributor

mattdibi commented Apr 4, 2024

As per our offline discussion, among other smaller things, we decided to move the ContainerInstance digest allowlist from the Container Orchestrator to the Allowlist Enforcement Monitor for a better logic separation of the concerns.

@sfiorani @mattdibi
Update kura/org.eclipse.kura.container.orchestration.provider/src/mai…
50cbc4c 
…n/java/org/eclipse/kura/container/orchestration/provider/impl/enforcement/AllowlistEnforcementMonitor.java

Co-authored-by: Mattia Dal Ben <[email protected]>
mattdibi
mattdibi approved these changes Apr 4, 2024
View reviewed changes
Copy link
Contributor

@mattdibi mattdibi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mattdibi
Copy link
Contributor

mattdibi commented Apr 4, 2024

As per our offline discussion, among other smaller things, we decided to move the ContainerInstance digest allowlist from the Container Orchestrator to the Allowlist Enforcement Monitor for a better logic separation of the concerns.

We discarded this since the only object that knows the digest associated with the Container Instances is the Container Orchestrator... it is natural to have it have the list of the digests.

@mattdibi
Copy link
Contributor

mattdibi commented Apr 4, 2024

The build succeeds locally but we are facing an issue in the CI connection to Sonar. An issue has been raised few weeks ago to the Eclipse Team: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/4422

Merging as-is for now.

@mattdibi mattdibi merged commit 024e264 into eclipse-kura:develop Apr 4, 2024
2 of 3 checks passed
@sfiorani sfiorani mentioned this pull request Apr 8, 2024
Merged
@mattdibi mattdibi mentioned this pull request Jul 15, 2024
Merged
This was referenced Aug 28, 2024
Merged
Closed
@mattdibi mattdibi mentioned this pull request Sep 17, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattdibi mattdibi mattdibi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sfiorani @mattdibi