Skip to content

Commit 4d45a27

Browse files
committed
feat: copilot suggestions
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
1 parent 5d3d916 commit 4d45a27

5 files changed

Lines changed: 38 additions & 12 deletions

File tree

Makefile

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,7 @@ CONTAINER_TOOL ?= docker
1919

2020
# Helm chart and Conftest policy directory for manifest linting
2121
HELM_CHART_DIR ?= deploy/charts/command-cert-manager-issuer
22+
HELM_RELEASE_NAME ?= command-cert-manager-issuer
2223
POLICY_DIR ?= policy
2324

2425
# Setting SHELL to bash allows bash commands to be executed by recipes.
@@ -84,14 +85,14 @@ lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes
8485

8586
.PHONY: helm-template
8687
helm-template: ## Render Helm chart templates to stdout (includes CRDs).
87-
helm template ejbca-cert-manager-issuer $(HELM_CHART_DIR) --include-crds
88+
helm template $(HELM_RELEASE_NAME) $(HELM_CHART_DIR) --include-crds
8889

8990
.PHONY: lint-manifests
9091
lint-manifests: conftest ## Run Conftest policy checks against every CI values file in $(HELM_CHART_DIR)/ci/.
9192
@failed=0; \
9293
for f in $(HELM_CHART_DIR)/ci/*-values.yaml; do \
9394
echo "==> $$(basename $$f)"; \
94-
helm template ejbca-cert-manager-issuer $(HELM_CHART_DIR) --include-crds -f "$$f" \
95+
helm template $(HELM_RELEASE_NAME) $(HELM_CHART_DIR) --include-crds -f "$$f" \
9596
| $(CONFTEST) test --policy $(POLICY_DIR) - || failed=1; \
9697
done; \
9798
exit $$failed

internal/command/client.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -266,7 +266,7 @@ func printClaims(log logr.Logger, token string, claimsToPrint []string) {
266266
}
267267
}
268268

269-
if issuer, err := claims.GetIssuer(); err != nil {
269+
if issuer, err := claims.GetIssuer(); err == nil && issuer != "" {
270270
log.Info(fmt.Sprintf("\nNOTE: If you are receiving a HTTP 401 on requests to Command, make sure an identity provider in Command is configured with '%s' as the authority.\nThe discovery endpoint for your issuer can be found at %s/.well-known/openid-configuration.", issuer, issuer))
271271
}
272272
}

internal/command/command.go

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -658,12 +658,14 @@ func getEnrollmentPatternByName(log logr.Logger, s *signer, enrollmentPatternNam
658658

659659
queryString := fmt.Sprintf("Name -eq \"%s\"", enrollmentPatternName)
660660
patterns, httpResp, err := s.client.GetEnrollmentPatterns(v1.ApiGetEnrollmentPatternsRequest{}.QueryString(queryString))
661+
if httpResp != nil && httpResp.Body != nil {
662+
defer httpResp.Body.Close()
663+
}
661664

662665
if err != nil {
663666
// Capture the error message which should indicate the failure reason
664667
msg := ""
665668
if httpResp != nil && httpResp.Body != nil {
666-
defer httpResp.Body.Close()
667669
bodyBytes, _ := io.ReadAll(httpResp.Body)
668670
msg += string(bodyBytes)
669671
}

policy/deployments.rego

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
package main
2+
3+
import rego.v1
4+
5+
# Validate that every Deployment container and initContainer effectively runs
6+
# as non-root, either by setting securityContext.runAsNonRoot=true itself or
7+
# by inheriting a pod-level default.
8+
pod_run_as_non_root_default if {
9+
object.get(object.get(input.spec.template.spec, "securityContext", {}), "runAsNonRoot", false) == true
10+
}
11+
container_run_as_non_root(container) if {
12+
object.get(object.get(container, "securityContext", {}), "runAsNonRoot", null) == true
13+
}
14+
container_run_as_non_root(container) if {
15+
object.get(object.get(container, "securityContext", {}), "runAsNonRoot", null) == null
16+
pod_run_as_non_root_default
17+
}
18+
19+
deny contains msg if {
20+
input.kind == "Deployment"
21+
container := input.spec.template.spec.containers[_]
22+
not container_run_as_non_root(container)
23+
msg := sprintf("Deployment %v container %v must set securityContext.runAsNonRoot to true or inherit it from the pod securityContext", [input.metadata.name, container.name])
24+
}
25+
26+
deny contains msg if {
27+
input.kind == "Deployment"
28+
container := input.spec.template.spec.initContainers[_]
29+
not container_run_as_non_root(container)
30+
msg := sprintf("Deployment %v initContainer %v must set securityContext.runAsNonRoot to true or inherit it from the pod securityContext", [input.metadata.name, container.name])
31+
}

policy/roles.rego

Lines changed: 0 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -19,14 +19,6 @@ deny contains msg if {
1919
msg := sprintf("RoleBinding %v must have a namespace set", [input.metadata.name])
2020
}
2121

22-
# Validate that Deployments do not run as root
23-
deny contains msg if {
24-
input.kind == "Deployment"
25-
not input.spec.template.spec.securityContext.runAsNonRoot
26-
27-
msg := "Containers must not run as root"
28-
}
29-
3022
# ClusterRole resources must not have a namespace applied. This is typically ignored, but good hygiene
3123
# to omit to avoid confusion.
3224
deny contains msg if {

0 commit comments

Comments
 (0)