Merge branch 'main' into fix-argocd-rbac-kubelink

Author: Ash-exp

CHANGELOG/release-notes-v0.6.17.md

@@ -0,0 +1,14 @@
+## v0.6.17
+
+## Bugs
+- fix: app metrics dynamically enabled based on support (#3369)
+- fix: 404 not found in devtron without cicd app list page (#3439)
+- fix: Build context backward compatability (#3408)
+- fix: updated audit info for cd pipeline delete req (#3404)
+## Enhancements
+- feat: Rotate pods feature (#3420)
+## Documentation
+- docs: how to refresh the argocd certificate (#3364)
+
+
+

Wire.go

@@ -585,6 +585,8 @@ func InitializeApp() (*App, error) {
 		wire.Bind(new(security2.CveStoreRepository), new(*security2.CveStoreRepositoryImpl)),
 		security2.NewImageScanDeployInfoRepositoryImpl,
 		wire.Bind(new(security2.ImageScanDeployInfoRepository), new(*security2.ImageScanDeployInfoRepositoryImpl)),
+		security2.NewScanToolMetadataRepositoryImpl,
+		wire.Bind(new(security2.ScanToolMetadataRepository), new(*security2.ScanToolMetadataRepositoryImpl)),
 		router.NewPolicyRouterImpl,
 		wire.Bind(new(router.PolicyRouter), new(*router.PolicyRouterImpl)),
 		restHandler.NewPolicyRestHandlerImpl,
@@ -593,6 +595,8 @@ func InitializeApp() (*App, error) {
 		wire.Bind(new(security.PolicyService), new(*security.PolicyServiceImpl)),
 		security2.NewPolicyRepositoryImpl,
 		wire.Bind(new(security2.CvePolicyRepository), new(*security2.CvePolicyRepositoryImpl)),
+		security2.NewScanToolExecutionHistoryMappingRepositoryImpl,
+		wire.Bind(new(security2.ScanToolExecutionHistoryMappingRepository), new(*security2.ScanToolExecutionHistoryMappingRepositoryImpl)),
 
 		argocdServer.NewArgoK8sClientImpl,
 		wire.Bind(new(argocdServer.ArgoK8sClient), new(*argocdServer.ArgoK8sClientImpl)),

api/bean/ClusterInfo.go

@@ -1,8 +1,12 @@
 package bean
 
 type ClusterInfo struct {
-	ClusterId   int    `json:"clusterId"`
-	ClusterName string `json:"clusterName"`
-	BearerToken string `json:"bearerToken"`
-	ServerUrl   string `json:"serverUrl"`
+	ClusterId             int    `json:"clusterId"`
+	ClusterName           string `json:"clusterName"`
+	BearerToken           string `json:"bearerToken"`
+	ServerUrl             string `json:"serverUrl"`
+	InsecureSkipTLSVerify bool   `json:"insecureSkipTLSVerify"`
+	KeyData               string `json:"keyData"`
+	CertData              string `json:"certData"`
+	CAData                string `json:"CAData"`
 }

api/cluster/ClusterRestHandler.go

@@ -43,6 +43,8 @@ const CLUSTER_DELETE_SUCCESS_RESP = "Cluster deleted successfully."
 
 type ClusterRestHandler interface {
 	Save(w http.ResponseWriter, r *http.Request)
+	SaveClusters(w http.ResponseWriter, r *http.Request)
+	ValidateKubeconfig(w http.ResponseWriter, r *http.Request)
 	FindAll(w http.ResponseWriter, r *http.Request)
 	FindById(w http.ResponseWriter, r *http.Request)
 	FindNoteByClusterId(w http.ResponseWriter, r *http.Request)
@@ -92,6 +94,81 @@ func NewClusterRestHandlerImpl(clusterService cluster.ClusterService,
 	}
 }
 
+func (impl ClusterRestHandlerImpl) SaveClusters(w http.ResponseWriter, r *http.Request) {
+	token := r.Header.Get("token")
+	decoder := json.NewDecoder(r.Body)
+	userId, err := impl.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+	beans := []*cluster.ClusterBean{}
+	err = decoder.Decode(&beans)
+	if err != nil {
+		impl.logger.Errorw("request err, Save", "error", err, "payload", beans)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+	// not logging bean object as it contains sensitive data
+	impl.logger.Infow("request payload received for save clusters")
+
+	// RBAC enforcer applying
+	isSuperAdmin, err := impl.userService.IsSuperAdmin(int(userId))
+	if !isSuperAdmin || err != nil {
+		if err != nil {
+			impl.logger.Errorw("request err, CheckSuperAdmin", "err", err, "isSuperAdmin", isSuperAdmin)
+		}
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusForbidden)
+		return
+	}
+	//RBAC enforcer Ends
+	ctx, cancel := context.WithCancel(r.Context())
+	if cn, ok := w.(http.CloseNotifier); ok {
+		go func(done <-chan struct{}, closed <-chan bool) {
+			select {
+			case <-done:
+			case <-closed:
+				cancel()
+			}
+		}(ctx.Done(), cn.CloseNotify())
+	}
+	if util2.IsBaseStack() {
+		ctx = context.WithValue(ctx, "token", token)
+	} else {
+		acdToken, err := impl.argoUserService.GetLatestDevtronArgoCdUserToken()
+		if err != nil {
+			impl.logger.Errorw("error in getting acd token", "err", err)
+			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+			return
+		}
+		ctx = context.WithValue(ctx, "token", acdToken)
+	}
+
+	for _, bean := range beans {
+		l := len(bean.ServerUrl)
+		if l > 1 && bean.ServerUrl[l-1:] == "/" {
+			bean.ServerUrl = bean.ServerUrl[0 : l-1]
+		}
+		if bean.Id != 0 {
+			_, err1 := impl.clusterService.Update(ctx, bean, userId)
+			if err1 != nil {
+				bean.ErrorInConnecting = err1.Error()
+			} else {
+				bean.ClusterUpdated = true
+			}
+		} else {
+			_, err1 := impl.clusterService.Save(ctx, bean, userId)
+			if err1 != nil {
+				bean.ErrorInConnecting = err1.Error()
+			}
+		}
+	}
+
+	res := beans
+
+	common.WriteJsonResp(w, err, res, http.StatusOK)
+}
+
 func (impl ClusterRestHandlerImpl) Save(w http.ResponseWriter, r *http.Request) {
 	token := r.Header.Get("token")
 	decoder := json.NewDecoder(r.Body)
@@ -161,6 +238,66 @@ func (impl ClusterRestHandlerImpl) Save(w http.ResponseWriter, r *http.Request)
 	common.WriteJsonResp(w, err, bean, http.StatusOK)
 }
 
+func (impl ClusterRestHandlerImpl) ValidateKubeconfig(w http.ResponseWriter, r *http.Request) {
+	token := r.Header.Get("token")
+	decoder := json.NewDecoder(r.Body)
+	userId, err := impl.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+	bean := &cluster.Kubeconfig{}
+	err = decoder.Decode(bean)
+	if err != nil {
+		impl.logger.Errorw("request err, Validate", "error", err, "payload", bean)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+
+	err = impl.validator.Struct(bean)
+	if err != nil {
+		impl.logger.Errorw("validation err, Validate", "err", err, "payload", bean)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+
+	// RBAC enforcer applying
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceCluster, casbin.ActionCreate, "*"); !ok {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+	//RBAC enforcer Ends
+	ctx, cancel := context.WithCancel(r.Context())
+	if cn, ok := w.(http.CloseNotifier); ok {
+		go func(done <-chan struct{}, closed <-chan bool) {
+			select {
+			case <-done:
+			case <-closed:
+				cancel()
+			}
+		}(ctx.Done(), cn.CloseNotify())
+	}
+	if util2.IsBaseStack() {
+		ctx = context.WithValue(ctx, "token", token)
+	} else {
+		acdToken, err := impl.argoUserService.GetLatestDevtronArgoCdUserToken()
+		if err != nil {
+			impl.logger.Errorw("error in getting acd token", "err", err)
+			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+			return
+		}
+		ctx = context.WithValue(ctx, "token", acdToken)
+	}
+	res, err := impl.clusterService.ValidateKubeconfig(bean.Config)
+	if err != nil {
+		impl.logger.Errorw("error in validating kubeconfig")
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+
+	common.WriteJsonResp(w, err, res, http.StatusOK)
+}
+
 func (impl ClusterRestHandlerImpl) FindAll(w http.ResponseWriter, r *http.Request) {
 	token := r.Header.Get("token")
 	clusterList, err := impl.clusterService.FindAllWithoutConfig()

api/cluster/ClusterRouter.go

@@ -40,6 +40,14 @@ func (impl ClusterRouterImpl) InitClusterRouter(clusterRouter *mux.Router) {
 		Methods("POST").
 		HandlerFunc(impl.clusterRestHandler.Save)
 
+	clusterRouter.Path("/saveClusters").
+		Methods("POST").
+		HandlerFunc(impl.clusterRestHandler.SaveClusters)
+
+	clusterRouter.Path("/validate").
+		Methods("POST").
+		HandlerFunc(impl.clusterRestHandler.ValidateKubeconfig)
+
 	clusterRouter.Path("").
 		Methods("GET").
 		Queries("id", "{id}").

api/helm-app/HelmAppService.go

@@ -140,7 +140,7 @@ func (impl *HelmAppServiceImpl) listApplications(ctx context.Context, clusterIds
 	for _, clusterDetail := range clusters {
 		config := &ClusterConfig{
 			ApiServerUrl: clusterDetail.ServerUrl,
-			Token:        clusterDetail.Config["bearer_token"],
+			Token:        clusterDetail.Config[util.BearerToken],
 			ClusterId:    int32(clusterDetail.Id),
 			ClusterName:  clusterDetail.ClusterName,
 		}
@@ -265,7 +265,7 @@ func (impl *HelmAppServiceImpl) GetClusterConf(clusterId int) (*ClusterConfig, e
 	}
 	config := &ClusterConfig{
 		ApiServerUrl: cluster.ServerUrl,
-		Token:        cluster.Config["bearer_token"],
+		Token:        cluster.Config[util.BearerToken],
 		ClusterId:    int32(cluster.Id),
 		ClusterName:  cluster.ClusterName,
 	}

api/module/ModuleRestHandler.go

@@ -34,6 +34,7 @@ type ModuleRestHandler interface {
 	GetModuleInfo(w http.ResponseWriter, r *http.Request)
 	GetModuleConfig(w http.ResponseWriter, r *http.Request)
 	HandleModuleAction(w http.ResponseWriter, r *http.Request)
+	EnableModule(w http.ResponseWriter, r *http.Request)
 }
 
 type ModuleRestHandlerImpl struct {
@@ -164,3 +165,46 @@ func (impl ModuleRestHandlerImpl) HandleModuleAction(w http.ResponseWriter, r *h
 	}
 	common.WriteJsonResp(w, err, res, http.StatusOK)
 }
+
+func (impl ModuleRestHandlerImpl) EnableModule(w http.ResponseWriter, r *http.Request) {
+	// check if user is logged in or not
+	userId, err := impl.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+
+	// check query param
+	params := mux.Vars(r)
+	moduleName := params["name"]
+	if len(moduleName) == 0 {
+		impl.logger.Error("module name is not supplied")
+		common.WriteJsonResp(w, errors.New("module name is not supplied"), nil, http.StatusBadRequest)
+		return
+	}
+	// decode request
+	decoder := json.NewDecoder(r.Body)
+	var moduleEnableRequestDto module.ModuleEnableRequestDto
+	err = decoder.Decode(&moduleEnableRequestDto)
+	if err != nil {
+		impl.logger.Errorw("error in decoding request in ModuleEnableRequestDto", "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+
+	// handle super-admin RBAC
+	token := r.Header.Get("token")
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionUpdate, "*"); !ok {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+
+	// service call
+	res, err := impl.moduleService.EnableModule(moduleName, moduleEnableRequestDto.Version)
+	if err != nil {
+		impl.logger.Errorw("service err, Enabling Module", "err", err, "moduleName", moduleName, "toolVersion", moduleEnableRequestDto.Version)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	common.WriteJsonResp(w, err, res, http.StatusOK)
+}

api/module/ModuleRouter.go

@@ -21,4 +21,5 @@ func (impl ModuleRouterImpl) Init(configRouter *mux.Router) {
 	configRouter.Path("").HandlerFunc(impl.moduleRestHandler.GetModuleInfo).Methods("GET")
 	configRouter.Path("/config").HandlerFunc(impl.moduleRestHandler.GetModuleConfig).Queries("name", "{name}").Methods("GET")
 	configRouter.Path("").HandlerFunc(impl.moduleRestHandler.HandleModuleAction).Queries("name", "{name}").Methods("POST")
+	configRouter.Path("/enable").HandlerFunc(impl.moduleRestHandler.EnableModule).Queries("name", "{name}").Methods("POST")
 }

api/restHandler/PipelineTriggerRestHandler.go

@@ -128,7 +128,7 @@ func (handler PipelineTriggerRestHandlerImpl) OverrideConfig(w http.ResponseWrit
 	}
 	ctx := context.WithValue(r.Context(), "token", acdToken)
 	_, span := otel.Tracer("orchestrator").Start(ctx, "workflowDagExecutor.ManualCdTrigger")
-	mergeResp, _, err := handler.workflowDagExecutor.ManualCdTrigger(&overrideRequest, ctx)
+	mergeResp, err := handler.workflowDagExecutor.ManualCdTrigger(&overrideRequest, ctx)
 	span.End()
 	if err != nil {
 		handler.logger.Errorw("request err, OverrideConfig", "err", err, "payload", overrideRequest)

charts/devtron/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: devtron-operator
-appVersion: 0.6.16
+appVersion: 0.6.18-rc.0
 description: Chart to configure and install Devtron. Devtron is a Kubernetes Orchestration system.
 keywords:
   - Devtron
@@ -11,7 +11,7 @@ keywords:
   - argocd
   - Hyperion
 engine: gotpl
-version: 0.22.55
+version: 0.22.56
 sources:
   - https://github.com/devtron-labs/charts
 dependencies: