Merge pull request #6 from JupiterOne/k8s-infra-improvements

Various Kubernetes improvements
JupiterOne-Archives · Jun 29, 2021 · 7f67d6f · 7f67d6f
2 parents e793a13 + 0d436f4
commit 7f67d6f
Show file tree

Hide file tree

Showing 19 changed files with 176 additions and 87 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -3,3 +3,18 @@ node_modules/
 dist/
 .env
 .eslintcache
+.git/
+.github/
+configs/
+docs/
+terraform/
+test/
+CHANGELOG.md
+husky.config.js
+jest.config.js
+lint-staged-config.js
+prettier.config.js
+.eslintignore
+.eslintrc
+.gitleaks.yml
+.prettierignore
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,7 +7,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [12.x]
+        node-version: [14.x]
         os: [ubuntu-latest, macos-latest]
 
     steps:
@@ -38,13 +38,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node: [12]
+        node: [14]
 
     steps:
       - name: Setup Node
         uses: actions/setup-node@v1
         with:
-          node-version: 12.x
+          node-version: 14.x
 
       - name: Check out repo
         uses: actions/checkout@v2

diff --git a/Dockerfile b/Dockerfile
@@ -1,14 +1,15 @@
-FROM node:12-alpine
+FROM node:14-alpine
 
-WORKDIR .
+ENV JUPITERONE_INTEGRATION_DIR=/opt/jupiterone/integration
 
 # node-gyp/python3 requirement
 RUN apk add g++ make python
 
-COPY package.json yarn.lock ./
+COPY package.json yarn.lock LICENSE ${JUPITERONE_INTEGRATION_DIR}/
+COPY src/ ${JUPITERONE_INTEGRATION_DIR}/src
+COPY scripts/ ${JUPITERONE_INTEGRATION_DIR}/scripts
 
+WORKDIR  ${JUPITERONE_INTEGRATION_DIR}
 RUN yarn install --production
 
-COPY . .
-
 CMD ["yarn", "collect"]
diff --git a/configs/clusterRole.yml b/configs/clusterRole.yml
@@ -4,7 +4,7 @@ metadata:
   annotations:
     rbac.authorization.kubernetes.io/autoupdate: 'true'
   labels:
-  name: test-read-only
+  name: jupiterone-integration-cluster-readonly
   namespace: default
 rules:
   - apiGroups:

diff --git a/configs/clusterRoleBinding.yml b/configs/clusterRoleBinding.yml
@@ -1,12 +1,12 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: test-binding
+  name: jupiterone-integration-cluster
 subjects:
   - kind: ServiceAccount
-    name: cluster-sa
+    name: jupiterone-integration-cluster
     namespace: default
 roleRef:
   kind: ClusterRole
-  name: test-read-only
+  name: jupiterone-integration-cluster-readonly
   apiGroup: rbac.authorization.k8s.io
diff --git a/configs/createSecret.yml b/configs/createSecret.yml
@@ -4,8 +4,6 @@ metadata:
   name: jupiterone-integration-secret
 type: Opaque
 data:
-  # base64 encoded values
-  # could use better key-names I'm just unsure of guidelines on that at the moment
-  jaccountid: <base64encoded jupiterone account id>
-  japikey: <base64encoded jupiterone api key>
-  integrationid: <base64encoded integration id>
+  jupiteroneAccountId: <base64encoded jupiterone account id>
+  jupiteroneApiKey: <base64encoded jupiterone api key>
+  jupiteroneIntegrationInstanceId: <base64encoded integration id>
diff --git a/configs/cronjobCluster.yaml → configs/cronjobCluster.yml b/configs/cronjobCluster.yaml → configs/cronjobCluster.yml
@@ -5,15 +5,15 @@ metadata:
   labels:
     app: integration-cron
 spec:
-  schedule: "*/60 * * * *" # Schedule to run every 10 minutes
+  schedule: "*/60 * * * *" # Schedule to run every hour
   jobTemplate:
     spec:
       template:
         spec:
-          serviceAccountName: cluster-sa
+          serviceAccountName: jupiterone-integration-cluster
           containers:
           - name: integration
-            image: my-new-image
+            image: jupiterone-graph-kubernetes
             imagePullPolicy: IfNotPresent
             env:
               # could use better name, but for now:
@@ -28,15 +28,17 @@ spec:
                 valueFrom:
                   secretKeyRef:
                     name: jupiterone-integration-secret
-                    key: jaccountid
+                    key: jupiteroneAccountId
               - name: JUPITERONE_API_KEY
                 valueFrom:
-                  secretKeyRef:jone-secret
+                  secretKeyRef:
                     name: jupiterone-integration-secret
-                    key: japikey
+                    key: jupiteroneApiKey
               - name: INTEGRATION_INSTANCE_ID
                 valueFrom:
                   secretKeyRef:
                     name: jupiterone-integration-secret
-                    key: integrationid
+                    key: jupiteroneIntegrationInstanceId
+              - name: IS_RUNNING_TEST
+                value: 'false'
           restartPolicy: Never
diff --git a/configs/cronjobNamespace.yaml → configs/cronjobNamespace.yml b/configs/cronjobNamespace.yaml → configs/cronjobNamespace.yml
@@ -10,10 +10,10 @@ spec:
     spec:
       template:
         spec:
-          serviceAccountName: namespace-sa
+          serviceAccountName: jupiterone-integration
           containers:
           - name: integration
-            image: my-new-image
+            image: jupiterone-graph-kubernetes
             imagePullPolicy: IfNotPresent
             env:
               # could use better name, but for now:
@@ -28,15 +28,17 @@ spec:
                 valueFrom:
                   secretKeyRef:
                     name: jupiterone-integration-secret
-                    key: jaccountid
+                    key: jupiteroneAccountId
               - name: JUPITERONE_API_KEY
                 valueFrom:
                   secretKeyRef:
                     name: jupiterone-integration-secret
-                    key: japikey
+                    key: jupiteroneApiKey
               - name: INTEGRATION_INSTANCE_ID
                 valueFrom:
                   secretKeyRef:
                     name: jupiterone-integration-secret
-                    key: integrationid
+                    key: jupiteroneIntegrationInstanceId
+              - name: IS_RUNNING_TEST
+                value: 'false'
           restartPolicy: Never
diff --git a/configs/deploymentCluster.yml b/configs/deploymentCluster.yml
@@ -14,10 +14,10 @@ spec:
       labels:
         app: integration
     spec:
-      serviceAccountName: cluster-sa
+      serviceAccountName: jupiterone-integration-cluster
       containers:
         - name: integration
-          image: my-new-image
+          image: jupiterone-graph-kubernetes
           imagePullPolicy: IfNotPresent
           env:
             # could use better name, but for now:
@@ -32,14 +32,16 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: jupiterone-integration-secret
-                  key: jaccountid
+                  key: jupiteroneAccountId
             - name: JUPITERONE_API_KEY
               valueFrom:
                 secretKeyRef:
                   name: jupiterone-integration-secret
-                  key: japikey
+                  key: jupiteroneApiKey
             - name: INTEGRATION_INSTANCE_ID
               valueFrom:
                 secretKeyRef:
                   name: jupiterone-integration-secret
-                  key: integrationid
+                  key: jupiteroneIntegrationInstanceId
+            - name: IS_RUNNING_TEST
+              value: 'false'
diff --git a/configs/deploymentNamespace.yml b/configs/deploymentNamespace.yml
@@ -14,10 +14,10 @@ spec:
       labels:
         app: integration
     spec:
-      serviceAccountName: namespace-sa
+      serviceAccountName: jupiterone-integration
       containers:
         - name: integration
-          image: my-new-image
+          image: jupiterone-graph-kubernetes
           imagePullPolicy: IfNotPresent
           env:
             # could use better name, but for now:
@@ -32,14 +32,16 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: jupiterone-integration-secret
-                  key: jaccountid
+                  key: jupiteroneAccountId
             - name: JUPITERONE_API_KEY
               valueFrom:
                 secretKeyRef:
                   name: jupiterone-integration-secret
-                  key: japikey
+                  key: jupiteroneApiKey
             - name: INTEGRATION_INSTANCE_ID
               valueFrom:
                 secretKeyRef:
                   name: jupiterone-integration-secret
-                  key: integrationid
+                  key: jupiteroneIntegrationInstanceId
+            - name: IS_RUNNING_TEST
+              value: 'false'
diff --git a/configs/exampleJob.yml b/configs/exampleJob.yml
@@ -5,10 +5,10 @@ metadata:
 spec:
   template:
     spec:
-      serviceAccountName: cluster-sa
+      serviceAccountName: jupiterone-integration-cluster
       containers:
         - name: integration
-          image: my-new-image
+          image: jupiterone-graph-kubernetes
           imagePullPolicy: IfNotPresent
           env:
             # could use better name, but for now:
@@ -25,16 +25,16 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: jupiterone-integration-secret
-                  key: jaccountid
+                  key: jupiteroneAccountId
             - name: JUPITERONE_API_KEY
               valueFrom:
                 secretKeyRef:
                   name: jupiterone-integration-secret
-                  key: japikey
+                  key: jupiteroneApiKey
             - name: INTEGRATION_INSTANCE_ID
               valueFrom:
                 secretKeyRef:
                   name: jupiterone-integration-secret
-                  key: integrationid
+                  key: jupiteroneIntegrationInstanceId
       restartPolicy: Never
   backoffLimit: 4
diff --git a/docs/development.md b/docs/development.md
@@ -31,17 +31,17 @@ read-only access or cluster-wide read-only access.
 
 1. Create a new service account
 
-`kubectl create sa namespace-sa`
+`kubectl create sa jupiterone-integration`
 
 2. Assign namespace read-only access
 
-`kubectl create rolebinding namespace-sa-view --clusterrole=view --serviceaccount=default:namespace-sa --namespace=default`
+`kubectl create rolebinding jupiterone-integration-view --clusterrole=view --serviceaccount=default:jupiterone-integration --namespace=default`
 
 ### Creating service account with cluster-wide read-only access
 
 1. Create a new service account
 
-`kubectl create sa cluster-sa`
+`kubectl create sa jupiterone-integration-cluster`
 
 2. Assign cluster-wide read-only access
 
@@ -58,7 +58,8 @@ The integration requires you to store `jupiterone account id`,
 `jupiterone api key` and `integration id` as secrets that will be read by the
 pod.
 
-Update the `./configs/createSecret.yml` with base64 encoded values.
+1. Update the `./configs/createSecret.yml` with base64 encoded values.
+2. `kubectl apply -f ./configs/createSecret.yml `
 
 ### Building the image and running the integration
 
@@ -68,8 +69,9 @@ If you want to build a docker image locally that's also visible to the
 minikube/kubernetes, do the following:
 
 1. `eval $(minikube docker-env)`
-2. `docker build -t my-new-image .` (will be replaced later with a better name
-   if we're sure we want to proceed with this authentication method)
+2. `docker build -t jupiterone-graph-kubernetes .` (will be replaced later with
+   a better name if we're sure we want to proceed with this authentication
+   method)
 
 To deploy the built image as a pod:
 

diff --git a/package.json b/package.json
@@ -12,7 +12,7 @@
     "access": "public"
   },
   "scripts": {
-    "start": "j1-integration collect",
+    "start": "IS_RUNNING_TEST=true j1-integration collect",
     "collect": "./scripts/collect.sh",
     "graph": "j1-integration visualize",
     "graph:types": "j1-integration visualize-types",
@@ -26,11 +26,11 @@
     "prepack": "yarn build"
   },
   "devDependencies": {
-    "@jupiterone/integration-sdk-testing": "^6.0.0"
+    "@jupiterone/integration-sdk-testing": "^6.7.1"
   },
   "dependencies": {
-    "@jupiterone/integration-sdk-core": "^6.0.0",
-    "@jupiterone/integration-sdk-dev-tools": "^6.0.0",
+    "@jupiterone/integration-sdk-core": "^6.7.1",
+    "@jupiterone/integration-sdk-dev-tools": "^6.7.1",
     "@kubernetes/client-node": "^0.14.3"
   }
 }
diff --git a/scripts/collect.sh b/scripts/collect.sh
@@ -1,2 +1,3 @@
 #!/usr/bin/env sh
-JUPITERONE_API_KEY=$JUPITERONE_API_KEY JUPITERONE_ACCOUNT=$JUPITERONE_ACCOUNT_ID yarn j1-integration run -i $INTEGRATION_INSTANCE_ID
+
+JUPITERONE_API_KEY=$JUPITERONE_API_KEY JUPITERONE_ACCOUNT=$JUPITERONE_ACCOUNT_ID yarn j1-integration run -i $INTEGRATION_INSTANCE_ID
diff --git a/src/kubernetes/clients/core.ts b/src/kubernetes/clients/core.ts
@@ -24,7 +24,12 @@ export class CoreClient extends Client {
     try {
       await this.client.listNamespace();
     } catch (err) {
-      throw new IntegrationProviderAuthenticationError(err.message);
+      throw new IntegrationProviderAuthenticationError({
+        cause: err,
+        endpoint: '/apis/apps/v1/namespaces',
+        status: 400,
+        statusText: err.message,
+      });
     }
   }
 

diff --git a/src/steps/services/__snapshots__/converters.test.ts.snap b/src/steps/services/__snapshots__/converters.test.ts.snap
@@ -67,6 +67,9 @@ Object {
   "externalIPs": undefined,
   "externalName": undefined,
   "externalTrafficPolicy": undefined,
+  "function": Array [
+    "compute",
+  ],
   "generation": undefined,
   "healthCheckNodePort": undefined,
   "ipFamilies": undefined,