IBM
diff --git a/‎.gitignore
Lines changed: 6 additions & 1 deletion b/‎.gitignore
Lines changed: 6 additions & 1 deletion
diff --git a/‎.pre-commit-config.yaml
Lines changed: 14 additions & 4 deletions b/‎.pre-commit-config.yaml
Lines changed: 14 additions & 4 deletions
diff --git a/‎Dockerfile
Lines changed: 17 additions & 22 deletions b/‎Dockerfile
Lines changed: 17 additions & 22 deletions
diff --git a/‎README.md
Lines changed: 56 additions & 17 deletions b/‎README.md
Lines changed: 56 additions & 17 deletions
diff --git a/‎exporter.go
Lines changed: 22 additions & 13 deletions b/‎exporter.go
Lines changed: 22 additions & 13 deletions
diff --git a/‎go.mod
Lines changed: 5 additions & 2 deletions b/‎go.mod
Lines changed: 5 additions & 2 deletions
diff --git a/‎go.sum
Lines changed: 4 additions & 4 deletions b/‎go.sum
Lines changed: 4 additions & 4 deletions
diff --git a/‎go.work
Lines changed: 3 additions & 1 deletion b/‎go.work
Lines changed: 3 additions & 1 deletion
@@ -1,7 +1,12 @@
+cover.out
+exporter
+*/coverage.html
 coverage.xml
 .coverage
 .pytest_cache/
 __pycache__/
 local/
 *.pyc
-secrets/
+secrets/
+.vscode/settings.json
+config.yaml
@@ -1,8 +1,18 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
--   repo: https://gitlab.com/pycqa/flake8
-    rev: 'master'  # Use the sha / tag you want to point at
+- repo: https://github.com/ibm/detect-secrets
+  rev: 0.13.1+ibm.61.dss
     hooks:
-    -   id: flake8
-        args: []
+      - id: detect-secrets
+        args: [--baseline, .secrets.baseline, --use-all-plugins]
+- repo: https://github.com/dnephin/pre-commit-golang
+  rev: v0.5.1
+  hooks:
+    - id: go-fmt
+    - id: validate-toml
+    - id: no-go-testing
+    - id: go-unit-tests
+    - id: go-build
+    - id: go-mod-tidy
+
@@ -1,37 +1,32 @@
-FROM registry.access.redhat.com/ubi9/ubi-minimal AS build
-RUN microdnf update -y --refresh --best --nodocs --noplugins --setopt=install_weak_deps=0 && \
-    microdnf install -y --refresh --best --nodocs --noplugins --setopt=install_weak_deps=0 zip unzip make git gcc && \
-    microdnf install -y --refresh --best --nodocs --noplugins --setopt=install_weak_deps=0 go-toolset ca-certificates && \
-    microdnf clean all && \
-    rm -rf /var/cache/yum
+FROM registry.access.redhat.com/ubi9/ubi:latest AS build
+
 WORKDIR /app/
 
-ENV GOPATH /tmp/go
-ENV PATH $PATH:$GOPATH/bin
+RUN dnf upgrade --assumeyes
+RUN dnf install -y curl jq tar --allowerasing
+ 
+# Set the Go version dynamically by fetching the latest version
+RUN GOVERSION=$(curl -s 'https://go.dev/dl/?mode=json' | jq -r '.[0].version' | sed 's/^go//') && \
+    echo "Installing Go version: $GOVERSION" && \
+    curl -sSL "https://golang.org/dl/go$GOVERSION.linux-amd64.tar.gz" | tar -C /usr/local -xzf - && \
+    ln -s /usr/local/go/bin/go /usr/bin/go
 
 COPY . .
 RUN go mod download 
 
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o ./out/trawler .
+RUN dnf install ca-certificates --assumeyes
+RUN groupadd -r app && useradd -r -g app app
 
-FROM registry.access.redhat.com/ubi9/ubi-minimal
-
-ARG USER_UID
-ARG USER_NAME
-
-ENV USER_UID ${USER_UID:-1001}
-ENV USER_NAME ${USER_NAME:-apic}
-RUN mkdir -p ${HOME} && chown ${USER_UID}:0 ${HOME} && chmod ug+rwx ${HOME}
+FROM scratch
 
 COPY --from=build /app/out/trawler /app/trawler
 COPY base-config.yaml /app/config/config.yaml
+COPY --from=build /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=build /etc/passwd /etc/passwd
 
-USER root
-RUN microdnf upgrade -y --refresh --best --nodocs --noplugins --setopt=install_weak_deps=0 \
-  && microdnf clean all
-USER 1001:0
+USER app
 
 EXPOSE 63512
-ENV CONFIG_PATH=/app/config/config.yaml
 
-CMD ["/app/trawler"]
+CMD ["/app/trawler", "-c", "/app/config/config.yaml"]
@@ -67,36 +67,75 @@ Feature requests and issue reports are welcome as [github issues](https://github
 
 ## Development tips
 
-### Setting up your development environment
+## Running locally for development 
+
+### Secret set up
+
+    secrets/
+      datapower/  <-- datapower login credentials (DP_CREDS)
+        password
+      management/  <-- client credentials for accessing APIC platform api (MGMT_CREDS)
+        client_id
+        client_secret
+      analytics/   <-- client certificate to connect to analytics (ANALYTICS_CERTS)
+        ca.crt
+        tls.crt
+        tls.key
+      cert/  <-- server certificates for trawler (CERT_PATH if using SECURE)
+        ca.crt
+        tls.crt
+        tls.key
+
+Then ensure the following environment variables are set:
 
-Install the pre-reqs for trawler from requirements.txt and development and testing requirements from requirements-dev.txt
+```
+export MGMT_CREDS=secrets/management
+export DP_CREDS=secrets/datapower
+export ANALYTICS_CERTS=secrets/analytics
+# if testing using https and mtls
+export SECURE=true
+export CERT_PATH=secrets/cert
+```
+
+
+### DataPower
+
+ - Log into your cluster. 
+ - Ensure you have the password available in the secrets directory and the username set in your config
+
+```
+kubectl get secret gateway-admin-secret -o yaml | grep " password" | awk '{print $2}' | base64 -d > secrets/datapower/password
+```
 
-    pip install -r requirements.txt
-    pip install -r requirements-dev.txt
+ - Open port-forward to both ports 5554 (for REST Management) and 9443 (for API Invoke)
+  
+```
+kubectl port-forward $(kubectl get pods -l app.kubernetes.io/name=datapower -o name | head -1) 9443 5554
+```
 
-Initialise the pre-commit checks for Trawler using [pre-commit](https://pre-commit.com/)
+By default trawler will look for all the gateway pods in the cluster by label - this can also be restricted by namespace through the config.  Typically running in the cluster, trawler will communicate directly with each pod to retrieve metrics.  For local testing or running outside of the cluster you may wish to override the host it uses to retrieve metrics in the config (nets.datapower.host) - this will then be used instead of each pods individual IP address - getting metrics from a single place but reporting as if it spoke to each in turn.
 
-    pre-commit install
 
-### Running test cases locally
 
-Trawler uses py.test for test cases and the test suite is intended to be run with the test-assets directory as the secrets path.
 
-    SECRETS=test-assets coverage run --source . -m py.test
 
 
-### Running locally
 
-To run locally point the config parameter to a local config file
+### Analytics
 
-    python3 trawler.py --config local/config.yaml
+ - Log into your cluster. 
+ - Ensure you have the certificates available in the secrets directory
 
-You can view the data that is being exposed to prometheus at [localhost:63512](http://localhost:63512) (or the custom port value if it's been changed)
+```
+kubectl get secret analytics-client -o yaml > /tmp/analytics-client
+cat /tmp/analytics-client | grep " tls.crt" | awk '{print $2}' | base64 -d > secrets/analytics/tls.crt
+cat /tmp/analytics-client | grep " tls.key" | awk '{print $2}' | base64 -d > secrets/analytics/tls.key
+```
 
+ - Open port-forward to port 3009 on one of the analytics director pods
 
+```
+kubectl port-forward $(kubectl get deployment -l app.kubernetes.io/name=director -o name) 3009
+```
 
-Notes on developing with a running k8s pod:
 
-    kubectl cp datapower_trawl.py {trawler_pod}:/app/datapower_trawl.py
-    kubectl cp newconfig.yaml {trawler_pod}:/app/newconfig.yaml
-    kubectl exec {trawler_pod} -- sh -c 'cd /app;python3 trawler.py -c newconfig.yaml'
 
@@ -8,10 +8,12 @@ import (
 	"nets"
 	"nets/analytics"
 	"nets/apiconnect"
+	"nets/certs"
 	"nets/consumption"
 	"nets/datapower"
 	"nets/manager"
 	"os"
+	"path/filepath"
 	"time"
 
 	"github.com/IBM/alchemy-logging/src/go/alog"
@@ -41,6 +43,7 @@ type Config struct {
 		APIConnect  apiconnect.APIConnectNetConfig   `yaml:"apiconnect"`
 		Analytics   analytics.AnalyticsNetConfig     `yaml:"analytics"`
 		Consumption consumption.ConsumptionNetConfig `yaml:"consumption"`
+		Certs       certs.CertsNetConfig             `yaml:"certificates"`
 		DataPower   datapower.DataPowerNetConfig     `yaml:"datapower"`
 		Manager     manager.ManagerNetConfig         `yaml:"manager"`
 	} `yaml:"nets"`
@@ -64,7 +67,7 @@ func ReadConfig() Config {
 	log.Log(alog.INFO, "Loading config from %s ", config_path)
 
 	// Open YAML file
-	file, err := os.Open(config_path)
+	file, err := os.Open(filepath.Clean(config_path))
 	if err != nil {
 		log.Log(alog.ERROR, err.Error())
 	}
@@ -105,10 +108,12 @@ func main() {
 	// Set up logging
 
 	alog.Config(alog.INFO, alog.ChannelMap{
-		"trawler": alog.DEBUG,
+		"trawler": alog.INFO,
 		"apim":    alog.INFO,
+		"nets":    alog.INFO,
 		"apic":    alog.INFO,
 		"a7s":     alog.INFO,
+		"cert":    alog.DEBUG,
 		"dp":      alog.INFO,
 	})
 	// Read config file...
@@ -131,7 +136,6 @@ func main() {
 		log.Log(alog.INFO, "Enabled analytics net with %s frequency", a7s.Frequency)
 		go a7s.BackgroundFishing()
 	}
-
 	// Consumption health net
 	if config.Nets.Consumption.Enabled {
 		c := consumption.Consumption{}
@@ -141,6 +145,15 @@ func main() {
 		c.Fish()
 		go c.BackgroundFishing()
 	}
+	// Certs net
+	if config.Nets.Certs.Enabled {
+		cert_net := certs.Certs{}
+		cert_net.Config = config.Nets.Certs
+		cert_net.Frequency = frequency(config.Nets.Consumption.Frequency)
+		log.Log(alog.INFO, "Enabled certificate net with %s frequency", cert_net.Frequency)
+		cert_net.Fish()
+		go cert_net.BackgroundFishing()
+	}
 	// Manager net
 	if config.Nets.Manager.Enabled {
 		apim := manager.Manager{}
@@ -178,12 +191,12 @@ func main() {
 }
 
 func ListenAndServe(mux *http.ServeMux, listenPort string) (*http.Server, error) {
-	srv := &http.Server{}
+	srv := &http.Server{
+		Addr:              ":" + listenPort,
+		Handler:           mux,
+		ReadHeaderTimeout: 5 * time.Second, // for gosec G112 (CWE-400)
+	}
 	if os.Getenv("SECURE") != "true" {
-		srv := &http.Server{
-			Addr:    ":" + listenPort,
-			Handler: mux,
-		}
 		log.Log(alog.INFO, "Listening insecurely on http://0.0.0.0:%s/metrics", listenPort)
 		err := srv.ListenAndServe()
 		if err != nil {
@@ -193,10 +206,6 @@ func ListenAndServe(mux *http.ServeMux, listenPort string) (*http.Server, error)
 
 	} else {
 
-		srv := &http.Server{
-			Addr:    ":" + listenPort,
-			Handler: mux,
-		}
 		certPath := os.Getenv("CERT_PATH")
 		certReloader := CertReloader{
 			CertFile: certPath + "/tls.crt",
@@ -206,7 +215,7 @@ func ListenAndServe(mux *http.ServeMux, listenPort string) (*http.Server, error)
 		caFile := certPath + "/ca.crt"
 
 		var certPool *x509.CertPool = x509.NewCertPool()
-		caBytes, err := os.ReadFile(caFile)
+		caBytes, err := os.ReadFile(filepath.Clean(caFile))
 		if err != nil {
 			log.Log(alog.FATAL, "failed loading caFile: %v", err)
 			return nil, err
 
@@ -1,6 +1,8 @@
 module rickymoorhouse/exporter
 
-go 1.21
+go 1.23.0
+
+toolchain go1.23.5
 
 require (
 	github.com/IBM/alchemy-logging/src/go v1.0.3
@@ -12,12 +14,13 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/prometheus/client_model v0.4.0 // indirect
 	github.com/prometheus/common v0.43.0 // indirect
 	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/stretchr/testify v1.8.1 // indirect
-	golang.org/x/sys v0.8.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 )
@@ -13,8 +13,8 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -42,8 +42,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 
@@ -1,4 +1,6 @@
-go 1.21
+go 1.23.0
+
+toolchain go1.23.5
 
 use (
 	.
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,6 @@`
`1`		`-go 1.21`
	`1`	`+go 1.23.0`
	`2`	`+`
	`3`	`+toolchain go1.23.5`
`2`	`4`
`3`	`5`	`use (`
`4`	`6`	`.`