Refactor consistency check workflow #513
Conversation
linus-sun
force-pushed
the
linussun/refactor-verifier
branch
3 times, most recently
from
8390178 to
cfce3f4
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #513 +/- ##
==========================================
- Coverage 64.02% 62.12% -1.91%
==========================================
Files 4 18 +14
Lines 303 1299 +996
==========================================
+ Hits 194 807 +613
- Misses 78 413 +335
- Partials 31 79 +48 ☔ View full report in Codecov by Sentry. |
linus-sun
force-pushed
the
linussun/refactor-verifier
branch
2 times, most recently
from
b9e07db to
8599c52
Compare
cmd/consistency/main.go
Outdated
| // 3. Write latest checkpoint to file | ||
|
|
||
| // To get an immediate first tick | ||
| for ; ; <-ticker.C { |
There was a problem hiding this comment.
Did you want to include a loop here? RunConsistencyCheck includes a loop.
I would suggest renaming the file with git mv and then making changes, which I believe will properly show the diff in github.
There was a problem hiding this comment.
Removing loop from within RunConsistencyCheck tried renaming via git mv, but diff doesn't still seem to be tracked- might be because I already renamed without using git mv
linus-sun
force-pushed
the
linussun/refactor-verifier
branch
6 times, most recently
from
de2807b to
9491b69
Compare
pkg/rekor/verifier.go
Outdated
| return fmt.Errorf("failed to get log info: %v", err) | ||
| } | ||
| checkpoint, err := verifyLatestCheckpointSignature(logInfo, verifier) | ||
| func RunConsistencyCheck(rekorClient *client.Rekor, verifier signature.Verifier, logInfoFile string, mvs identity.MonitoredValues, outputIdentitiesFile string, once bool) error { |
There was a problem hiding this comment.
Can we remove once as a parameter?
cmd/rekor_consistency/config.go
Outdated
| "github.com/sigstore/rekor-monitor/pkg/identity" | ||
| ) | ||
|
|
||
| type ConsistencyCheckConfiguration struct { |
There was a problem hiding this comment.
What do you think about omitting this and sticking to CLI flags? I think that yaml is great for complex input or for server configuration, but since we expect this to be run as a tool, these can be flags.
Given we also have other flags already, I don't think we need a configuration too.
If we remove this, then we can have a monitored-values flag as a string and a monitored-value-file flag as a path to a file.
There was a problem hiding this comment.
Do we want to address the last part of this:
If we remove this, then we can have a monitored-values flag as a string and a monitored-value-file flag as a path to a file.
Adding a flag for passing by file as well?
cmd/rekor_consistency/main.go
Outdated
| configFilePath := flag.String("config-file", "", "Name of the file containing the consistency check workflow configuration settings") | ||
| configString := flag.String("config-string", "", "Consistency check workflow configuration settings input as a string") | ||
| once := flag.Bool("once", false, "Perform consistency check once and exit") | ||
| logInfoFile := flag.String("file", "", "path to log info file") |
There was a problem hiding this comment.
You can specify default values instead of an empty string, and if --file is set, it'll override the value.
| @@ -76,7 +76,7 @@ jobs: | |||
| run: cat ${{ env.LOG_FILE }} | |||
| # Skip on first run | |||
| continue-on-error: true | |||
| - run: go run ./cmd/verifier --file ${{ env.LOG_FILE }} --once --monitored-values "${{ inputs.identities }}" --user-agent "${{ format('{0}/{1}/{2}', needs.detect-workflow.outputs.repository, needs.detect-workflow.outputs.ref, github.run_id) }}" | |||
| - run: go run ./cmd/consistency --file ${{ env.LOG_FILE }} --once --config-string "${{ inputs.config }}" --user-agent "${{ format('{0}/{1}/{2}', needs.detect-workflow.outputs.repository, needs.detect-workflow.outputs.ref, github.run_id) }}" | |||
There was a problem hiding this comment.
rekor_consistency?
linus-sun
force-pushed
the
linussun/refactor-verifier
branch
6 times, most recently
from
3662a5b to
c554e93
Compare
cmd/rekor_consistency/main.go
Outdated
| "runtime" | ||
| "strings" | ||
| "time" | ||
|
|
||
| "github.com/sigstore/rekor-monitor/pkg/identity" | ||
| "github.com/sigstore/rekor-monitor/pkg/rekor" | ||
| "github.com/sigstore/rekor/pkg/client" | ||
| "gopkg.in/yaml.v3" |
There was a problem hiding this comment.
Is this necessary? v2 is a few years older than v3.
| if err := yaml.Unmarshal([]byte(*monitoredValsInput), &monitoredVals); err != nil { | ||
| log.Fatalf("error parsing identities: %v", err) | ||
| } | ||
| for _, certID := range monitoredVals.CertificateIdentities { |
There was a problem hiding this comment.
Can we keep the output? I think it's helpful to verify that you're monitoring the correct values.
linus-sun
force-pushed
the
linussun/refactor-verifier
branch
from
c554e93 to
15d9ce3
Compare
linus-sun
force-pushed
the
linussun/refactor-verifier
branch
3 times, most recently
from
5305cb3 to
350346d
Compare
|
LGTM, can you rebase and run |
Signed-off-by: linus-sun <[email protected]>
linus-sun
force-pushed
the
linussun/refactor-verifier
branch
from
350346d to
642da2a
Compare
Signed-off-by: Linus Sun <[email protected]>
Summary
This PR does the following:
verifiertask torekor_consistencyto more accurately reflect its functionalityRunConsistencyCheckto take the looping functionality out of the check itself and moves it into the workflowRunConsistencyCheckto move its identity monitor functionality into a separate function,writeIdentitiesBetweenCheckpointsThis PR has been tested remotely via a GitHub reusable workflow: https://github.com/linus-sun/rekor-log-monitor/actions/runs/11582060548/job/32244210000
Release Note
Documentation
Readme has been updated to reflect new configuration input