cluster list fetchers

[tmishina]

• Tick to sign-off your agreement to the Developer Certificate of Origin (DCO) 1.1

PR #15 is split into two PRs; cluster list fetchers are included in this PR, and cluster resource fetchers will be included in another PR.

What

This pull request provides a feature to fetch list of kubernetes clusters per account (see #9 in details).
For vanilla kubernetes clusters, a BOM (Bill of Materials) described in a config file will be stored into an evidence locker. For other types of clusters, a list of clusters is fetched by invoking API of each cloud service provider. This PR includes a fetcher for IBM Cloud.

Why

The resources in a kubernetes cluster contain various types of evidences; for example, spec of Pods represents configuration of applications, ConfigMap contains the configuration for the kubernetes cluster itself, and therefore fetching the resources of a kubernetes cluster is important capability for compliance evidence validation of kubernetes clusters.

To fetch resources from a kubernetes cluster, a list of the target clusters is required. This PR includes cluster list fetchers, and its output will be used by cluster resource fetchers (will be provided in another future PR).

How

• cluster list fetcher: store the list of clusters
  • kube/fetchers/fetch_cluster_list.py: copy BOM (Bill of Materials) specified in an auditree config file into an evidence locker
  • ibm_cloud/fetchers/fetch_cluster_list.py: fetch the list of clusters managed by IBM Cloud (IBM Kubernetes Service or IKS, and Red Hat Openshift Kubernetes Services or ROKS) by invoking IBM Cloud API.

Test

• tests of cluster list fetcher (kubernetes and ibm_cloud) against the IBM Cloud clusters (both IKS and ROKS)
  were passed

Context

• issue: new feature: cluster list/resource fetcher #9
• previous PR: feat: cluster list fetchers and cluster resource fetcher #15

[alfinkel]

• I didn't review the READMEs. Saving that for later.
• You need to add unit tests for the iam_ibm module.

[tmishina]

@alfinkel I added a unit test for iam_ibm.py, but it always fails when it is executed on github because required credential (API key) is not stored in the repo. Setting up a test-purpose cluster and generating an API key for the cluster is not an easy way...

Test in a local environment is passed as follows.

 $ python -m unittest test.test_iam_ibm
..
----------------------------------------------------------------------
Ran 2 tests in 1.119s

OK

Is there any solution for this issue?

[drsm79]

@alfinkel I added a unit test for iam_ibm.py, but it always fails when it is executed on github because required credential (API key) is not stored in the repo. Setting up a test-purpose cluster and generating an API key for the cluster is not an easy way...

Test in a local environment is passed as follows.

 $ python -m unittest test.test_iam_ibm
..
----------------------------------------------------------------------
Ran 2 tests in 1.119s

OK

Is there any solution for this issue?

Could that be mocked @tmishina ?

[tmishina]

@drsm79

Could that be mocked @tmishina ?

Does "mock" mean an http server process which returns as below?

• correct tokens when get_tokens() send an http get request with API-key-like string in its header
• some error (e.g., 404) when get_tokens() send wrong request (such as empty-string API key)

[drsm79]

Does "mock" mean an http server process which returns as below?

* correct tokens when `get_tokens()` send an http get request with API-key-like string in its header

* some error (e.g., 404) when `get_tokens()` send wrong request (such as empty-string API key)

https://docs.python.org/3/library/unittest.mock.html you know the good/bad conditions, so should be able to mock the behviour.Not perfect, but gets around needing a live IAM to talk to, and can be extended in the future if responses change.

[tmishina]

@drsm79 thank you, I realized that my knowledge about Python should be update to Python3...l will update the code with unittest.mock.

[tmishina]

updated with using unittest.mock
https://github.com/ComplianceAsCode/auditree-arboretum/pull/25/files#diff-2de61972d474998cd443ad1de046a017

Now the test successfully finishes in the status checks.

[alfinkel]

We're getting closer @tmishina...

A few code tweaks, a rewrite of the unit tests, and you still need to remove the BOM fetcher and docs. See: https://github.com/ComplianceAsCode/auditree-arboretum/pull/25/files#r481124180

[tmishina]

@alfinkel update the usage of mock; does this usage of mock make sense for you?

Other changes include applyin your suggestions and deleting kubernetes/fetch_cluster_list.py which can be substituted by ComplianceConfigFetcher. Updating README.md would be required in addition to the deletion, but it has not been done yet.

[alfinkel]

I copied this iam_ibm.py and changed it to iam_ibm_utils.py with a few small modifications and submitted it for PR #26. I also added tests for get_tokens. Once #26 is merged you can refresh your branch and retest the fetcher to make sure it still works and just delete your iam_ibm.py and test_iam_ibm.py.

[alfinkel]

Move 'https://containers.cloud.ibm.com' to ibm_constants.py (in #26) and use the constant value here instead. Suggest:

# IBM Cloud containers API base URL
IC_CONTAINERS_BASE_URL = 'https://containers.cloud.ibm.com'

after IAM_API_KEY_GRANT_TYPE in constants.py.

[alfinkel]

Should return this to original Fetchers coming soon...

[alfinkel]

Replace this with iam_ibm_utils.py from #26 once it is merged.

[alfinkel]

Delete this file and just use what's in #26

[alfinkel]

@tmishina #26 is merged into main so you're good to go with applying changes from the above review.

[tmishina]

@alfinkel applied your comments and perform git rebase -i. Please tell me if further tasks that I need to do remain.

[tmishina]

@alfinkel Thank you, I applied your suggestion with additional import statements. Also, I performed git rebase -i again and fixup commits into single commit.

[alfinkel]

+1 - I'll merge and then add a follow up PR to update the missing CHANGES.md entry and version bump and then make a release.