fix: support region, product, fingerprint and debug env variables; re…

…factore initK8sMetadata

.vscode/launch.json

@@ -20,8 +20,10 @@
       "args": ["upgrade"],
       "buildFlags": "-tags=staging",
       "env": {
-        "AWS_MP_ENABLE_CHECKOUT_LICENSE": "true",
-        "AWS_MP_PRODUCT_SKU": "ad0ee0c8-f50f-464a-9bc4-d6270592dd36"
+        "AWS_MP_ENABLE_CHECK_ENTITLEMENT": "true",
+        "AWS_MP_PRODUCT_ID": "ad0ee0c8-f50f-464a-9bc4-d6270592dd36",
+        "AWS_MP_KEY_FINGERPRINT": "aws:294406891311:AWS/Marketplace:issuer-fingerprint",
+        "AWS_MP_REGION": "us-east-1"
       }
     }
   ]

charts/awsmp-datree-admission-webhook/templates/deployment.yaml

@@ -49,6 +49,9 @@ spec:
           # caution: don't change the order of the environment variables
           # changing the order will harm resource patching
           env:
+            - name: DEBUG
+              value: "{{ .Values.debug }}"
+            # Datree webhook varaibles
             - name: DATREE_TOKEN
               value: {{.Values.datree.token}}
             - name: DATREE_POLICY
@@ -59,34 +62,39 @@ spec:
               value: {{.Values.datree.output}}
             - name: DATREE_NO_RECORD
               value: {{.Values.datree.noRecord}}
-            - name: AWS_MP_PRODUCT_SKU
-              value: {{.Values.aws.productSku}}
-            - name: AWS_MP_ENABLE_CHECKOUT_LICENSE
-              value: {{.Values.aws.enableCheckoutLicense | quote}}
-            {{- if .Values.aws.mpLicenseSecretName }}
+            # AWS Marketplace varaibles
+            - name: AWS_MP_PRODUCT_ID
+              value: {{ .Values.aws.productId }}
+            - name: AWS_MP_KEY_FINGERPRINT
+              value: {{ .Values.aws.issuerKey }}
+            - name: AWS_MP_ENABLE_CHECK_ENTITLEMENT
+              value: "{{.Values.aws.enableCheckEntitlement}}"
+            - name: AWS_MP_REGION
+              value: {{.Values.aws.region}}
+            {{- if .Values.aws.licenseConfigSecretName }}
             - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
               value: "/var/run/secrets/awsmp-product-license/license_token"
             - name: AWS_ROLE_ARN
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.aws.mpLicenseSecretName }}
+                  name: {{ .Values.aws.licenseConfigSecretName }}
                   key: iam_role
             {{- end}}
           # add aws marketplace license config to the licensed container application env
           volumeMounts:
             - name: webhook-tls-certs
               mountPath: /run/secrets/tls
               readOnly: true
-          {{- if .Values.aws.mpLicenseSecretName }}
+          {{- if .Values.aws.licenseConfigSecretName }}
             - name: awsmp-product-license
               mountPath: "/var/run/secrets/awsmp-product-license"
           {{- end}}
       volumes:
         - name: webhook-tls-certs
           secret:
             secretName: webhook-server-tls
-      {{- if .Values.aws.mpLicenseSecretName }}
+      {{- if .Values.aws.licenseConfigSecretName }}
         - name: awsmp-product-license
           secret:
-            secretName: {{ .Values.aws.mpLicenseSecretName }}
+            secretName: {{ .Values.aws.licenseConfigSecretName }}
       {{- end}}

charts/awsmp-datree-admission-webhook/values.yaml

@@ -12,6 +12,9 @@ customLabels: {}
 # Additional annotations to add to all resources.
 customAnnotations: {}
 
+# Run the webhook-server in debug mode, this will log debug information to the console.
+debug: false
+
 # Create ClusterRoles, ClusterRoleBindings, and ServiceAccount for datree-webhook-server
 rbac:
   serviceAccount:
@@ -25,6 +28,7 @@ rbac:
     # The ClusterRole name
     name: datree-webhook-server-read
 
+# Datree webhook configuration, checkout more details at htttps://hub.datree.com
 datree:
   # The token used to link the CLI to your dashboard.
   token: <DATREE_TOKEN>
@@ -73,16 +77,14 @@ hooks:
     pullPolicy: IfNotPresent
 
 # AWS Marketplace configuration
-# awsmp:
-#   # The name of the secret that contains the license configuration.
-#   licenseConfigSecretName: "aws-marketplace-license-config"
-#   # The license identity token in the secret.
-#   licenseToken: <LICENSE_TOKEN>
-#   # The AWS Identity and Access Management role.
-#   iamRole: <IAM_ROLE>
-
-# add aws marketplace license config for on-prem deployments
 aws:
-  mpLicenseSecretName: ""
-  productSku: "ad0ee0c8-f50f-464a-9bc4-d6270592dd36"
-  enableCheckoutLicense: "true"
+  # The name of the secret that contains the license configuration.
+  licenseConfigSecretName: ""
+  # The AWS Region
+  region: "us-east-1"
+  # Enable AWS Marketplace license checkout, this is relevant for paid products only.
+  enableCheckAccountEntitlement: true
+  # The application’s Product SKU (Product ID)
+  productId: "ad0ee0c8-f50f-464a-9bc4-d6270592dd36"
+  # The trusted issuer of the license (AWS Marketplace)
+  issuerKey: "aws:294406891311:AWS/Marketplace:issuer-fingerprint"

pkg/enums/enums.go

@@ -1,13 +1,16 @@
 package enums
 
 const (
-	Token                               = "DATREE_TOKEN"
-	ClientId                            = "DATREE_CLIENT_ID"
-	Policy                              = "DATREE_POLICY"
-	Verbose                             = "DATREE_VERBOSE"
-	NoRecord                            = "DATREE_NO_RECORD"
-	Output                              = "DATREE_OUTPUT"
-	Enforce                             = "DATREE_ENFORCE"
-	AWSMarketplaceProductSKU            = "AWS_MP_PRODUCT_SKU"
-	AWSMarketplaceEnableCheckoutLicense = "AWS_MP_ENABLE_CHECKOUT_LICENSE"
+	Token                                = "DATREE_TOKEN"
+	ClientId                             = "DATREE_CLIENT_ID"
+	Policy                               = "DATREE_POLICY"
+	Verbose                              = "DATREE_VERBOSE"
+	NoRecord                             = "DATREE_NO_RECORD"
+	Output                               = "DATREE_OUTPUT"
+	Enforce                              = "DATREE_ENFORCE"
+	AWSMarketplaceProductID              = "AWS_MP_PRODUCT_ID"
+	AWSMarketplaceEnableCheckEntitlement = "AWS_MP_ENABLE_CHECK_ENTITLEMENT"
+	AWSMarketplaceRegion                 = "AWS_MP_REGION"
+	AWSMarketplaceKeyFingerprint         = "AWS_MP_KEY_FINGERPRINT"
+	Debug                                = "DEBUG"
 )

pkg/k8sMetadataUtil/k8sMetadataUtil.go

@@ -6,7 +6,7 @@ import (
 	"os"
 	"time"
 
-	cliClient "github.com/datreeio/admission-webhook-datree/pkg/clients"
+	cliclient "github.com/datreeio/admission-webhook-datree/pkg/clients"
 	"github.com/datreeio/admission-webhook-datree/pkg/enums"
 	licensemanagerclient "github.com/datreeio/admission-webhook-datree/pkg/licenseManagerClient"
 	"github.com/datreeio/admission-webhook-datree/pkg/loggerUtil"
@@ -20,34 +20,50 @@ import (
 )
 
 func InitK8sMetadataUtil() {
-
 	validator := networkValidator.NewNetworkValidator()
-	cliClient := cliClient.NewCliServiceClient(deploymentConfig.URL, validator)
-	k8sClient, err := getClientSet()
+	cliClient := cliclient.NewCliServiceClient(deploymentConfig.URL, validator)
 
-	var clusterUuid k8sTypes.UID
+	k8sClient, err := getClientSet()
 	if err != nil {
-		sendK8sMetadata(-1, err, clusterUuid, cliClient)
-		loggerUtil.Log(fmt.Sprint("failed getting k8s client set", err))
+		cliClient.ReportK8sMetadata(&cliclient.ReportK8sMetadataRequest{
+			ClusterUuid:   "",
+			Token:         os.Getenv(enums.Token),
+			NodesCount:    -1,
+			NodesCountErr: err.Error(),
+		})
 		return
 	}
 
-	clusterUuid, err = getClusterUuid(k8sClient)
+	clusterUuid, err := getClusterUuid(k8sClient)
 	if err != nil {
-		sendK8sMetadata(-1, err, clusterUuid, cliClient)
+		cliClient.ReportK8sMetadata(&cliclient.ReportK8sMetadataRequest{
+			ClusterUuid:   clusterUuid,
+			Token:         os.Getenv(enums.Token),
+			NodesCount:    -1,
+			NodesCountErr: err.Error(),
+		})
 	}
 
+	runHourlyNodesCountCronJob(k8sClient, cliClient, clusterUuid)
+
+	if os.Getenv(enums.AWSMarketplaceEnableCheckEntitlement) == "true" {
+		runDailyAWSCheckoutLicenseCronJob(k8sClient, cliClient, clusterUuid)
+	}
+
+}
+
+func runHourlyNodesCountCronJob(k8sClient *kubernetes.Clientset, cliClient *cliclient.CliClient, clusterUuid k8sTypes.UID) {
 	cornJob := cron.New(cron.WithLocation(time.UTC))
 	cornJob.AddFunc("@hourly", func() {
 		nodesCount, nodesCountErr := getNodesCount(k8sClient)
-		sendK8sMetadata(nodesCount, nodesCountErr, clusterUuid, cliClient)
+		cliClient.ReportK8sMetadata(&cliclient.ReportK8sMetadataRequest{
+			ClusterUuid:   clusterUuid,
+			Token:         os.Getenv(enums.Token),
+			NodesCount:    nodesCount,
+			NodesCountErr: nodesCountErr.Error(),
+		})
 	})
 	cornJob.Start()
-
-	if os.Getenv(enums.AWSMarketplaceEnableCheckoutLicense) == "true" {
-		runDailyAWSCheckoutLicenseCronJob(k8sClient)
-	}
-
 }
 
 func getNodesCount(clientset *kubernetes.Clientset) (int, error) {
@@ -84,38 +100,35 @@ func getClusterUuid(clientset *kubernetes.Clientset) (k8sTypes.UID, error) {
 	return clusterMetadata.UID, nil
 }
 
-func sendK8sMetadata(nodesCount int, nodesCountErr error, clusterUuid k8sTypes.UID, client *cliClient.CliClient) {
-	token := os.Getenv(enums.Token)
-
-	var nodesCountErrString string
-	if nodesCountErr != nil {
-		nodesCountErrString = nodesCountErr.Error()
-	}
-
-	client.ReportK8sMetadata(&cliClient.ReportK8sMetadataRequest{
-		ClusterUuid:   clusterUuid,
-		Token:         token,
-		NodesCount:    nodesCount,
-		NodesCountErr: nodesCountErrString,
-	})
-}
-
 // run chckout license cron job daily to check if aws marketplace license is valid with the nodes number
-func runDailyAWSCheckoutLicenseCronJob(k8sClient *kubernetes.Clientset) {
+func runDailyAWSCheckoutLicenseCronJob(k8sClient *kubernetes.Clientset, cliClient *cliclient.CliClient, clusterUuid k8sTypes.UID) {
 	licenseManagerClient := licensemanagerclient.NewLicenseManagerClient()
 
 	licenseCheckerCornJob := cron.New(cron.WithLocation(time.UTC))
 	// @daily means run once a day, midnight
-	licenseCheckerCornJob.AddFunc("@daily", func() {
+	licenseCheckerCornJob.AddFunc("@every 1m", func() {
 		nodesCount, err := getNodesCount(k8sClient)
 		if err != nil {
-			loggerUtil.Log(fmt.Sprint("failed counting nodes for checkout", err))
+			loggerUtil.Debug(fmt.Sprint("failed counting nodes for checkout", err))
+			cliClient.ReportK8sMetadata(&cliclient.ReportK8sMetadataRequest{
+				ClusterUuid:   clusterUuid,
+				Token:         os.Getenv(enums.Token),
+				NodesCount:    -1,
+				NodesCountErr: err.Error(),
+			})
+			return
 		}
 
-		fmt.Println("checking aws marketplace license with nodes count", nodesCount)
+		loggerUtil.Debug(fmt.Sprint("checking aws marketplace license with nodes count", nodesCount))
 		err = licenseManagerClient.CheckoutLicense(nodesCount)
 		if err != nil {
-			loggerUtil.Log(fmt.Sprint("checkout license failed: ", err))
+			loggerUtil.Debug(fmt.Sprint("checkout license failed: ", err))
+			cliClient.ReportK8sMetadata(&cliclient.ReportK8sMetadataRequest{
+				ClusterUuid:   clusterUuid,
+				Token:         os.Getenv(enums.Token),
+				NodesCount:    -1,
+				NodesCountErr: err.Error(),
+			})
 		}
 	})
 	licenseCheckerCornJob.Start()

pkg/licenseManagerClient/client.go

@@ -11,8 +11,6 @@ import (
 	"github.com/google/uuid"
 )
 
-const awsMarketplaceIssuer = "aws:294406891311:AWS/Marketplace:issuer-fingerprint"
-
 type LicenseManager struct {
 	client                    *licensemanager.LicenseManager
 	awsMarketplaceProductID   string
@@ -21,24 +19,27 @@ type LicenseManager struct {
 
 func NewLicenseManagerClient() *LicenseManager {
 	clientSession := session.Must(session.NewSession())
-	awsClient := licensemanager.New(clientSession, aws.NewConfig().WithRegion("us-east-1"))
+	awsClient := licensemanager.New(clientSession, aws.NewConfig().WithRegion(os.Getenv(enums.AWSMarketplaceRegion)))
 	return &LicenseManager{
 		client:                    awsClient,
-		awsMarketplaceProductID:   os.Getenv(enums.AWSMarketplaceProductSKU),
-		awsMarketplaceFingerprint: awsMarketplaceIssuer,
+		awsMarketplaceProductID:   os.Getenv(enums.AWSMarketplaceProductID),
+		awsMarketplaceFingerprint: os.Getenv(enums.AWSMarketplaceKeyFingerprint),
 	}
 }
 
-// Checkout the account license according to number of nodes, if everything goes well, the license will be checked out,
-// otherwise an error will returned.
-func (l *LicenseManager) CheckoutLicense(entititlementValue int) error {
+// Checkout the account license according to quantity of units the account consumes.
+// If everything goes well, the license will be checked out, otherwise an error will returned.
+func (l *LicenseManager) CheckoutLicense(consumedUnitsCount int) error {
 	_, err := l.client.CheckoutLicense(&licensemanager.CheckoutLicenseInput{
-		ClientToken:  aws.String(uuid.New().String()),
+		ClientToken: aws.String(uuid.New().String()),
+		// "PROVISIONAL" checkout type enables to temporarily draw a unit and return it back to the license pool when the application is stopped.
 		CheckoutType: aws.String("PROVISIONAL"),
 		Entitlements: []*licensemanager.EntitlementData{
 			{
+				// The entitilement name is the contract API name defined in the product.
+				// The contract API name is defined in the product "load form" in the AWS Marketplace management protal
 				Name:  aws.String("Datree"),
-				Value: aws.String(fmt.Sprint(entititlementValue)),
+				Value: aws.String(fmt.Sprint(consumedUnitsCount)),
 				Unit:  aws.String("Count"),
 			},
 		},