Change monitoring workflow configuration argument to optional #543
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #543 +/- ##
==========================================
- Coverage 64.02% 62.90% -1.13%
==========================================
Files 4 17 +13
Lines 303 1267 +964
==========================================
+ Hits 194 797 +603
- Misses 78 399 +321
- Partials 31 71 +40 ☔ View full report in Codecov by Sentry. 🚨 Try these New Features:
|
cmd/rekor_monitor/main.go
Outdated
| @@ -76,12 +69,16 @@ func main() { | |||
| if err := yaml.Unmarshal([]byte(configString), &config); err != nil { | |||
| log.Fatalf("error parsing identities: %v", err) | |||
| } | |||
|
|
|||
| configProvided = true | |||
There was a problem hiding this comment.
Do we need this? An uninitalized config should be sufficient for the checks below like config.EndIndex == nil
There was a problem hiding this comment.
I believe that in the event that an uninitialized config is currently passed in, the workflow will still attempt to set StartIndex and EndIndex using the latest checkpoint and log checkpoint file and then attempt to run the identity monitor using the uninitialized config's values resulting in an error- if we would prefer to have checking for the config's indices stop the identity monitor from running I can refactor that in another PR after this one
There was a problem hiding this comment.
https://github.com/sigstore/rekor-monitor/blob/114befbd5a9ab2639b80d592f7c777791495c192/cmd/rekor_monitor/main.go#L148C3-L175C4 As of right now I believe this check is only looking for nil values to set the start and end indices, not checking if the identity monitor is runnable- an uninitialized config will have the start and end indices set and then the identity monitor will run with nil arguments
There was a problem hiding this comment.
an uninitialized config will have the start and end indices set and then the identity monitor will run with nil arguments
I thought the defaults for start and end were nil. So if the config is not initialized, then the default values of nil will be read in the code you linked, and then the monitor will initialize them with defaults.
There was a problem hiding this comment.
Yes - I guess what I'm thinking is that in the event that a config is not initialized, there are also no identities provided to monitor; is the identity monitor portion of the workflow then still necessary to run?
There was a problem hiding this comment.
Ah I see your question. What about if we gated calling IdentitySearch on if MonitoredValues is set? That was like the original implementation, where it would only run if a user configured a value to monitor for.
cmd/rekor_monitor/main.go
Outdated
| } | ||
|
|
||
| if *configYamlInput != "" { | ||
| if err := yaml.Unmarshal([]byte(*configYamlInput), &config); err != nil { | ||
| log.Fatalf("error parsing identities: %v", err) | ||
| } | ||
|
|
||
| configProvided = true | ||
| } | ||
|
|
||
| if config.OutputIdentitiesFile == "" { |
There was a problem hiding this comment.
Below for VerifyConsistencyCheckInputs, given we provide defaults, do we need this check anymore? Just need to update config.LogINfoFile based on the default if it's not provided.
There was a problem hiding this comment.
updating logInfoFile and removing this part of the check
linus-sun
force-pushed
the
linussun/fix-config-required
branch
from
938437a to
50330a1
Compare
linus-sun
force-pushed
the
linussun/fix-config-required
branch
from
50330a1 to
6c2def6
Compare
cmd/rekor_monitor/main.go
Outdated
| @@ -88,7 +81,7 @@ func main() { | |||
| config.OutputIdentitiesFile = outputIdentitiesFileName | |||
| } | |||
|
|
|||
| err := rekor.VerifyConsistencyCheckInputs(interval, &config.LogInfoFile, once) | |||
| err := rekor.VerifyConsistencyCheckInputs(interval, logInfoFile, once) | |||
There was a problem hiding this comment.
Can we delete this check now, since all these variables have default values so this check will always pass?
There was a problem hiding this comment.
deleting this from main.go and removing the function in a follow-up PR
| @@ -163,7 +162,6 @@ func main() { | |||
| } | |||
There was a problem hiding this comment.
Can we remove the default of 0? Scrapping the entire log is hard to do without careful rate limiting on the client side. If no start index is provided and no checkpoint is provided, then just throw an error.
| @@ -145,10 +138,16 @@ func main() { | |||
| } | |||
| } | |||
|
|
|||
| err = rekor.RunConsistencyCheck(rekorClient, verifier, *logInfoFile) | |||
There was a problem hiding this comment.
For a follow up - I noticed RunConsistencyCheck calls GetLogInfo, so we could reduce duplication by having RunConsistencyCheck return the log info struct.
There was a problem hiding this comment.
will work on this in a follow-up PR now
Signed-off-by: linus-sun <[email protected]>
linus-sun
force-pushed
the
linussun/fix-config-required
branch
from
6c2def6 to
3769ea8
Compare
Summary
This PR changes the
configargument in the GitHub Actions reusable monitoring workflow to no longer be required, and sets the identity monitor portion of the workflow to only run if aconfigcontaining a desired set of identities to monitor has been passed in.Release Note
Workflow
configargument has been changed to optionalDocumentation
N/A