Create a Golang wrapper around Restler

.github/workflows/docker-publish.yml

@@ -19,7 +19,8 @@ env:
   # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
   # github.repository as <account>/<repo>
-  IMAGE_NAME: ${{ github.repository }}
+  CNFUZZ_IMAGE_NAME: ${{ github.repository }}
+  RESTLERWRAPPER_IMAGE_NAME: ${{ github.repository }}-restlerwrapper
 
 jobs:
   build:
@@ -59,33 +60,60 @@ jobs:
 
       # Extract metadata (tags, labels) for Docker
       # https://github.com/docker/metadata-action
-      - name: Extract Docker metadata
-        id: meta
+      - name: Extract Docker cnfuzz metadata
+        id: cnfuzz_meta
         uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: ${{ env.REGISTRY }}/${{ env.CNFUZZ_IMAGE_NAME }}
 
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
-      - name: Build and push Docker image
-        id: build-and-push
+      - name: Build and push cnfuzz Docker image
+        id: build-and-push-cnfuzz
         uses: docker/build-push-action@v3
         with:
           context: .
           file: src/cmd/cnfuzz/Dockerfile
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.cnfuzz_meta.outputs.tags }}
+          labels: ${{ steps.cnfuzz_meta.outputs.labels }}
+
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker restlerwrapper metadata
+        id: restlerwrapper_meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.RESTLERWRAPPER_IMAGE_NAME }}
+
+      # https://github.com/docker/build-push-action
+      - name: Build and push restlerwrapper Docker image
+        id: build-and-push-restlerwrapper
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          file: src/cmd/restlerwrapper/Dockerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.restlerwrapper_meta.outputs.tags }}
+          labels: ${{ steps.restlerwrapper_meta.outputs.labels }}
 
       # Sign the resulting Docker image digest except on PRs.
       # This will only write to the public Rekor transparency log when the Docker
       # repository is public to avoid leaking data.  If you would like to publish
       # transparency data even for private images, pass --force to cosign below.
       # https://github.com/sigstore/cosign
-      - name: Sign the published Docker image
+      - name: Sign the published cnfuzz Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: cosign sign ${{ env.REGISTRY }}/${{ env.CNFUZZ_IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+
+      # https://github.com/sigstore/cosign
+      - name: Sign the published restlerwrapper Docker image
         if: ${{ github.event_name != 'pull_request' }}
         env:
           COSIGN_EXPERIMENTAL: "true"
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
-        run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+        run: cosign sign ${{ env.REGISTRY }}/${{ env.RESTLERWRAPPER_IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}

Makefile

@@ -1,21 +1,25 @@
 SRCS = $(shell git ls-files '*.go' | grep -v '^vendor/')
 
-APP_NAME := ghcr.io/suecodelabs/cnfuzz
+CNFUZZ_EXT_IMG := ghcr.io/suecodelabs/cnfuzz
+WRAPPER_EXT_IMG := ghcr.io/suecodelabs/cnfuzz-restlerwrapper
+
 TAG_NAME := $(shell git tag -l --contains HEAD)
 SHA := $(shell git rev-parse HEAD)
 VERSION_GIT := $(if $(TAG_NAME),$(TAG_NAME),$(SHA))
 VERSION := $(if $(VERSION),$(VERSION),$(VERSION_GIT))
 
-BIN_NAME ?= cnfuzz
+GO_ENV_VARS ?= CGO_ENABLED=0 GOOS=linux GOARCH=amd64
+
 BIN_DIR ?= dist
+CNFUZZ_DOCKERFILE ?= "src/cmd/cnfuzz/Dockerfile"
+CNFUZZ_LOCAL_DOCKERFILE ?= "src/cmd/cnfuzz/local.Dockerfile"
+CNFUZZ_IMAGE ?= "cnfuzz"
+RESTLERWRAPPER_IMAGE ?= "restlerwrapper"
+RESTLERWRAPPER_DOCKERFILE ?= "src/cmd/restlerwrapper/Dockerfile"
+RESTLERWRAPPER_LOCAL_DOCKERFILE ?= "src/cmd/restlerwrapper/local.Dockerfile"
+EXAMPLE_API_IMAGE := cnfuzz-todo-api
 
-GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
-GIT_COMMIT := $(subst heads/,,$(shell git rev-parse --short HEAD 2>/dev/null))
-DEV_IMAGE := cnfuzz-debug$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))
-CNFUZZ_IMAGE := $(APP_NAME)$(if $(GIT_COMMIT),:$(subst /,-,$(GIT_COMMIT)))
-DEFAULT_HELM_DEV_ARGS := --set minio.persistence.size=1Gi,minio.resources.requests.memory=1Gi,minio.replicas=1,minio.mode=standalone --set redis.architecture=standalone,redis.replica.replicaCount=1 --set restler.timeBudget=0.001
-KIND_EXAMPLE_IMAGE := $(APP_NAME)$(if $(GIT_COMMIT),-todo-api:$(subst /,-,$(GIT_COMMIT)))
-IMAGE ?= "cnfuzz"
+DEFAULT_HELM_DEV_ARGS := --set controllerImage.repository=$(CNFUZZ_IMAGE),controllerImage.tag=latest,restlerwrapper.image.image=$(RESTLERWRAPPER_IMAGE),restlerwrapper.image.tag=latest --set minio.persistence.size=1Gi,minio.resources.requests.memory=1Gi,minio.replicas=1,minio.mode=standalone --set redis.architecture=standalone,redis.replica.replicaCount=1 --set restler.timeBudget=0.001 --set debugMode=true
 
 init:
 	mkdir -p $(BIN_DIR)
@@ -25,16 +29,9 @@ helm-init:
 	helm repo add minio https://charts.min.io/
 	helm dependency build chart/cnfuzz
 
-
 run:
 	go run src/cmd/cnfuzz/main.go $(RUN_ARGS)
 
-build: init
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o $(BIN_DIR)/$(BIN_NAME) src/cmd/cnfuzz/main.go
-
-build-debug: init
-	GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -gcflags "all=-N -l" -o dist/cnfuzz-debug src/cmd/cnfuzz/main.go
-
 test:
 	go test ./...
 
@@ -46,51 +43,78 @@ fmt: format
 format:
 	gofmt -s -l -w $(SRCS)
 
-image:
-	docker build -t $(IMAGE) -f src/cmd/cnfuzz/Dockerfile .
+all: cnfuzz restlerwrapper
+
+cnfuzz: init
+	$(GO_ENV_VARS) go build -o $(BIN_DIR)/cnfuzz src/cmd/cnfuzz/main.go
+
+cnfuzz-debug: init
+	$(GO_ENV_VARS) go build -gcflags "all=-N -l" -o $(BIN_DIR)/cnfuzz-debug src/main.go
 
-image.local: build
-	docker build -t $(IMAGE) -f src/cmd/cnfuzz/local.Dockerfile .
+restlerwrapper: init
+	$(GO_ENV_VARS) go build -o $(BIN_DIR)/restlerwrapper src/cmd/restlerwrapper/main.go
 
-image-debug:
-	docker build -t $(DEV_IMAGE) -f src/cmd/cnfuzz/Dockerfile .
+cnfuzz-image:
+	docker build -t $(CNFUZZ_IMAGE) -f $(CNFUZZ_DOCKERFILE) --no-cache .
 
-kind-init: build
-	cd example && docker build -t $(KIND_EXAMPLE_IMAGE) . && cd ..
-	docker build -t $(CNFUZZ_IMAGE) -f src/cmd/cnfuzz/local.Dockerfile .
-	kind load docker-image $(CNFUZZ_IMAGE) && kind load docker-image $(KIND_EXAMPLE_IMAGE)
-	helm install --wait --timeout 10m0s dev chart/cnfuzz $(DEFAULT_HELM_DEV_ARGS) $(if $(GIT_COMMIT),--set image.tag=$(subst /,-,$(GIT_COMMIT)))
+cnfuzz-image.local: cnfuzz
+	docker build -t $(CNFUZZ_IMAGE) -f $(CNFUZZ_LOCAL_DOCKERFILE) .
+
+restlerwrapper-image:
+	docker build -t $(RESTLERWRAPPER_IMAGE) -f $(RESTLERWRAPPER_DOCKERFILE) .
+
+restlerwrapper-image.local: restlerwrapper
+	docker build -t $(RESTLERWRAPPER_IMAGE) -f $(RESTLERWRAPPER_LOCAL_DOCKERFILE) .
+
+kind-init: kind-load-images kind-fuzz-test
+
+kind-load-images: all
+	cd example && docker build -t $(EXAMPLE_API_IMAGE) -f Dockerfile . && cd ..
+	docker build -t $(CNFUZZ_IMAGE) -f $(CNFUZZ_LOCAL_DOCKERFILE) .
+	docker build -t $(RESTLERWRAPPER_IMAGE) -f $(RESTLERWRAPPER_LOCAL_DOCKERFILE) .
+	kind load docker-image $(CNFUZZ_IMAGE) && kind load docker-image $(RESTLERWRAPPER_IMAGE) && kind load docker-image $(EXAMPLE_API_IMAGE)
+
+kind-fuzz-test:
+	helm install --wait --timeout 10m0s dev chart/cnfuzz $(DEFAULT_HELM_DEV_ARGS) # $(if $(GIT_COMMIT),--set image.tag=$(subst /,-,$(GIT_COMMIT)))
 	kubectl apply -f example/deployment.yaml
-	kubectl set image deployment/todo-api todoapi=$(KIND_EXAMPLE_IMAGE)
+	kubectl set image deployment/todo-api todoapi=$(EXAMPLE_API_IMAGE)
 	kubectl scale deployment --replicas=1 todo-api
 
-kind-build: build
-	docker build -t $(CNFUZZ_IMAGE) -f src/cmd/cnfuzz/local.Dockerfile .
-	kind load docker-image $(CNFUZZ_IMAGE)
-	helm upgrade --install dev chart/cnfuzz $(DEFAULT_HELM_DEV_ARGS) $(if $(GIT_COMMIT),--set image.tag=$(subst /,-,$(GIT_COMMIT)))
+kind-build: all
+	docker build -t $(CNFUZZ_IMAGE) -f $(CNFUZZ_LOCAL_DOCKERFILE) .
+	docker build -t $(RESTLERWRAPPER_IMAGE) -f $(RESTLERWRAPPER_LOCAL_DOCKERFILE) .
+	kind load docker-image $(CNFUZZ_IMAGE) && kind load docker-image $(RESTLERWRAPPER_IMAGE)
+	helm upgrade --install dev chart/cnfuzz $(DEFAULT_HELM_DEV_ARGS) # $(if $(GIT_COMMIT),--set image.tag=$(subst /,-,$(GIT_COMMIT)))
+
+kind-setup-dev: kind-load-images
+	echo build example api image
+	echo deploy example api
+	@kubectl apply -f example/deployment.yaml
+	@kubectl set image deployment/todo-api todoapi=$(EXAMPLE_API_IMAGE)
+	@kubectl scale deployment --replicas=1 todo-api
+
+# kind-load-ext-images:
+# 	docker pull
 
 k8s-clean:
 	helm delete dev
 	kubectl delete pvc redis-data-dev-redis-master-0
 	kubectl delete deployment todo-api
 
-rancher-init: build
-	cd example && nerdctl -n k8s.io build -t $(KIND_EXAMPLE_IMAGE) -f src/cmd/cnfuzz/Dockerfile . && cd ..
-	nerdctl -n k8s.io build -t $(CNFUZZ_IMAGE) -f src/cmd/cnfuzz/local.Dockerfile .
-	helm install --wait --timeout 10m0s dev chart/cnfuzz $(DEFAULT_HELM_DEV_ARGS) $(if $(GIT_COMMIT),--set image.tag=$(subst /,-,$(GIT_COMMIT)))
+rancher-init: rancher-load-images
+	helm install --wait --timeout 10m0s dev chart/cnfuzz $(DEFAULT_HELM_DEV_ARGS) # $(if $(GIT_COMMIT),--set image.tag=$(subst /,-,$(GIT_COMMIT)))
 	kubectl apply -f example/deployment.yaml
-	kubectl set image deployment/todo-api todoapi=$(KIND_EXAMPLE_IMAGE)
+	kubectl set image deployment/todo-api todoapi=$(EXAMPLE_API_IMAGE)
 	kubectl scale deployment --replicas=1 todo-api
 
-rancher-build: build
-	nerdctl -n k8s.io build -t $(CNFUZZ_IMAGE) -f src/cmd/cnfuzz/local.Dockerfile .
-	helm upgrade --install dev chart/cnfuzz $(DEFAULT_HELM_DEV_ARGS) $(if $(GIT_COMMIT),--set image.tag=$(subst /,-,$(GIT_COMMIT)))
+rancher-build: all
+	nerdctl -n k8s.io build -t $(CNFUZZ_IMAGE) -f $(CNFUZZ_LOCAL_DOCKERFILE) .
+	nerdctl -n k8s.io build -t $(RESTLERWRAPPER_IMAGE) -f $(RESTLERWRAPPER_LOCAL_DOCKERFILE) .
+	helm upgrade --install dev chart/cnfuzz $(DEFAULT_HELM_DEV_ARGS) # $(if $(GIT_COMMIT),--set image.tag=$(subst /,-,$(GIT_COMMIT)))
 
-kill-jobs:
-	# Kill running jobs
-	JOBS=$(shell kubectl get jobs.batch --all-namespaces --no-headers | awk '{if ($$2 ~ "cnfuzz-") print $$2}')
-	@if [ $(JOBS) ]; then\
-        kubectl delete jobs.batch $$($(JOBS));\
-    fi
+rancher-load-images: all
+	cd example && nerdctl -n k8s.io build -t $(EXAMPLE_API_IMAGE) -f Dockerfile . && cd ..
+	nerdctl -n k8s.io build -t $(CNFUZZ_IMAGE) -f $(CNFUZZ_LOCAL_DOCKERFILE) .
+	nerctl -n k8s.io build -t $(RESTLERWRAPPER_IMAGE) -f $(RESTLERWRAPPER_LOCAL_DOCKERFILE) .
 
-.PHONY : clean
+.PHONY : clean cnfuzz restlerwrapper

README.md

@@ -164,7 +164,7 @@ But you can also attach a debugger to a running pod inside a cluster using [DevS
 
 ```sh
 cd docs
-helm package ../charts/cnfuzz
+helm package ../chart/cnfuzz
 helm repo index --url https://suecodelabs.github.io/cnfuzz/ .
 ```
 </details>

chart/cnfuzz/templates/_helpers.tpl

@@ -60,3 +60,14 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the name of the service account to use for restlerwrapper jobs
+*/}}
+{{- define "restlerwrapper.serviceAccountName" -}}
+{{- if .Values.restlerwrapper.serviceAccount.create }}
+{{- default (printf "%s-job" (include "cnfuzz.fullname" .)) .Values.restlerwrapper.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.restlerwrapper.serviceAccount.name }}
+{{- end }}
+{{- end }}

chart/cnfuzz/templates/configmap.yaml

@@ -1,7 +1,11 @@
+{{- define "cnfuzz.configmapName" -}}
+{{ include "cnfuzz.name" . }}-config
+{{- end }}
+
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: cnfuzz-config
+  name: {{ include "cnfuzz.configmapName" . }}
 data:
   "auth.py": |
     #!/usr/bin/env python3
@@ -11,6 +15,20 @@ data:
   "config.yaml": |
     namespace: {{ $.Values.namespace }}
     only_fuzz_marked: {{ $.Values.onlyMarked }}
+    configmap_name: {{ include "cnfuzz.configmapName" . }}
+    restlerwrapper:
+      service_account: {{ include "restlerwrapper.serviceAccountName" . }}
+      image:
+        image: {{ $.Values.restlerwrapper.image.image }}
+        pullPolicy: {{ $.Values.restlerwrapper.image.pullPolicy }}
+        tag: {{ $.Values.restlerwrapper.image.tag }}
+      restler:
+        time_budget: {{ $.Values.restler.timeBudget }}
+        cpu_limit: {{ $.Values.restler.resources.limits.cpu }} 
+        memory_limit: {{ $.Values.restler.resources.limits.memory }}
+        cpu_request: {{ $.Values.restler.resources.requests.cpu }}
+        memory_request:  {{ $.Values.restler.resources.requests.memory }}
+        telemetry_opt_out: "{{ $.Values.restler.telemetryOptOut }}"
     {{- if $.Values.redis.enabled }}
     cache_solution: redis
     redis:
@@ -19,15 +37,6 @@ data:
     {{ else }}
     cache_solution: in_memory
     {{- end }}
-    restler:
-      image: "{{ $.Values.restler.image.repository }}:{{ $.Values.restler.image.tag }}"
-      init_image: "{{ $.Values.restler.initImage.repository }}:{{ $.Values.restler.initImage.tag }}"
-      time_budget: {{ $.Values.restler.timeBudget }}
-      cpu_limit: {{ $.Values.restler.resources.limits.cpu }} 
-      memory_limit: {{ $.Values.restler.resources.limits.memory }}
-      cpu_request: {{ $.Values.restler.resources.requests.cpu }}
-      memory_request:  {{ $.Values.restler.resources.requests.memory }}
-      telemetry_opt_out: "{{ $.Values.restler.telemetryOptOut }}"
     auth:
       username: "{{ $.Values.auth.userName }}"
       secret: "{{ $.Values.auth.secret }}"
@@ -49,6 +58,3 @@ data:
       access_key: "{{ $.Values.s3.accessKey }}"
       secret_key: "{{ $.Values.s3.secretKey }}"
       {{- end }}
-      sidecar: 
-        image: "{{ $.Values.s3.sidecar.image.repository }}:{{ $.Values.s3.sidecar.image.tag }}"
-        container_name: "{{ $.Values.s3.sidecar.name }}"

chart/cnfuzz/templates/deployment.yaml

@@ -29,11 +29,14 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.controllerImage.repository }}:{{ .Values.controllerImage.tag | default .Chart.AppVersion }}"
           args:
+            {{- if .Values.debugMode }}
+            - "--debug"
+            {{- end }}
             - "--config"
             - {{ $.Values.configFile | default "/config/config.yaml" }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          imagePullPolicy: {{ .Values.controllerImage.pullPolicy }}
           ports:
             - name: http
               containerPort: 8080