init

.dockerignore

@@ -0,0 +1,2 @@
+*.env
+*.kube-config

.github/workflows/docker.yml

@@ -0,0 +1,68 @@
+name: docker
+
+on:
+  push:
+    tags:
+      - "*"
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: datadog/kubehound
+
+permissions:
+  contents: read
+
+jobs:
+  docker-build-push:
+    runs-on: ubuntu-latest
+    strategy:
+        # https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs
+        matrix:
+          include:
+            - dockerfile: ./Dockerfile
+              component: core
+            - dockerfile: deployments/kubehound/janusgraph/Dockerfile
+              image: janusgraph
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            auth.docker.io:443
+            dl-cdn.alpinelinux.org:443
+            ghcr.io:443
+            github.com:443
+            pipelines.actions.githubusercontent.com:443
+            pkg-containers.githubusercontent.com:443
+            production.cloudflare.docker.com:443
+            proxy.golang.org:443
+            registry-1.docker.io:443
+            storage.googleapis.com:443
+
+      - name: Checkout
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        with:
+          fetch-depth: 0
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
+        with:
+          context: .
+          file: ${{ matrix.dockerfile }}
+          push: true
+          build-args: |
+            VERSION=${{ github.ref_name }}
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.image }}:${{ github.ref_name }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.image }}:latest

.github/workflows/system-test.yml

@@ -17,20 +17,15 @@ jobs:
           config: test/setup/test-cluster/cluster.yaml
           wait: 5m
         env:
-          KUBECONFIG: ./test/setup/.kube/config
+          KUBECONFIG: ./test/setup/.kube-config
 
       - name: Create K8s resources
-        working-directory: test/setup/
-        run: bash create-cluster-resources.sh
-        env:
-          KUBECONFIG: .kube/config
+        run: make local-cluster-config-deploy
 
       - name: Setup Golang
         uses: actions/setup-go@v4
         with:
           go-version: "1.20"
 
       - name: Run integration Tests
-        run: make system-test
-        env:
-          KUBECONFIG: .kube/config
+        run: make system-test

.gitignore

@@ -39,3 +39,4 @@ test/setup/.kube
 # binary for the autogen of fixtures
 test/system/generator/generator
 *.env
+*.kube-config

Dockerfile

@@ -0,0 +1,26 @@
+FROM golang:1.20-alpine  AS build
+
+RUN apk update && \
+    apk add make && \
+    rm -rf /var/cache/apt/* && \
+    go install github.com/vektra/mockery/v2@v2.30.1
+
+WORKDIR /app
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY Makefile ./
+COPY cmd ./cmd/
+COPY pkg ./pkg/
+
+RUN make build BUILD_VERSION=${VERSION}
+
+FROM scratch
+LABEL org.opencontainers.image.source="https://github.com/DataDog/kubehound/"
+
+WORKDIR /
+COPY --from=build /app/bin/kubehound /kubehound
+COPY deployments/kubehound/kubehound.yaml /etc/kubehound.yaml
+
+ENTRYPOINT [ "/kubehound" ]

Makefile

@@ -3,30 +3,47 @@ BUILD_VERSION=dev-snapshot
 MAKEFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
 ROOT_DIR := $(dir $(MAKEFILE_PATH))
 
-DOCKER_COMPOSE_FILE_PATH := -f test/system/docker-compose.yaml -f test/system/docker-compose.local.yaml
-DOCKER_COMPOSE_ENV_FILE_PATH := test/system/.env
-
-# https://docs.github.com/en/actions/learn-github-actions/variables
-ifeq (${CI},true)
-    DOCKER_COMPOSE_FILE_PATH := -f test/system/docker-compose.yaml
-endif
+DOCKER_COMPOSE_FILE_PATH := -f deployments/kubehound/docker-compose.yaml
+DOCKER_COMPOSE_ENV_FILE_PATH := deployments/kubehound/.env
+DEV_ENV_FILE_PATH := test/setup/.env.local
 
 # Loading docker .env file if present
 ifneq (,$(wildcard $(DOCKER_COMPOSE_ENV_FILE_PATH)))
 	include $(DOCKER_COMPOSE_ENV_FILE_PATH)
     export
 endif
 
-# No API key is being set
-ifeq (${DD_API_KEY},)
-    DOCKER_COMPOSE_FILE_PATH := -f test/system/docker-compose.yaml
+# Loading docker .env file if present
+ifneq (,$(wildcard $(DEV_ENV_FILE_PATH)))
+	include $(DEV_ENV_FILE_PATH)
+    export
 endif
 
+ifeq (${KUBEHOUND_ENV}, prod)
+	DOCKER_COMPOSE_FILE_PATH += -f deployments/kubehound/docker-compose.prod.yaml
+else ifeq (${KUBEHOUND_ENV}, dev)
+	DOCKER_COMPOSE_FILE_PATH += -f deployments/kubehound/docker-compose.dev.yaml
+endif
+
+
+# No API key is being set
+# ifeq (${DD_API_KEY},)
+ifneq (${DD_API_KEY},)
+    DOCKER_COMPOSE_FILE_PATH += -f deployments/kubehound/docker-compose.datadog.yaml
+endif
 
-DOCKER_CMD = docker
 UNAME_S := $(shell uname -s)
-ifeq ($(UNAME_S),Linux)
-	DOCKER_CMD = sudo docker
+ifndef DOCKER_CMD
+	ifeq ($(UNAME_S),Linux)
+		# https://docs.github.com/en/actions/learn-github-actions/variables
+		ifneq (${CI},true)
+			DOCKER_CMD := sudo docker
+		endif
+	else
+		DOCKER_CMD := docker
+	endif
+else
+	DOCKER_CMD := ${DOCKER_CMD}
 endif
 
 all: build
@@ -57,9 +74,7 @@ test: ## Run the full suite of unit tests
 system-test: ## Run the system tests
 	$(MAKE) infra-rm
 	$(MAKE) infra-up
-	# we print the KUBECONFIG envvar here to make it easier to see what is actively used
-	sleep 10
-	cd test/system && export KUBECONFIG=$(ROOT_DIR)/test/setup/.kube/config && bash -c "printenv KUBECONFIG" && go test -v -timeout "60s" -count=1 ./...
+	cd test/system && export KUBECONFIG=$(ROOT_DIR)/test/setup/${KIND_KUBECONFIG} && go test -v -timeout "60s" -count=1 ./...
 
 .PHONY: local-cluster-reset
 local-cluster-reset: ## Destroy the current kind cluster and creates a new one

deployments/kubehound/.env.tpl

@@ -0,0 +1,4 @@
+DD_API_KEY=
+DD_SITE=api.datadoghq.com
+KUBEHOUND_ENV=prod
+BUILDKIT_PROGRESS=auto # (default) auto, plain, tty

deployments/kubehound/docker-compose.datadog.yaml

@@ -0,0 +1,17 @@
+version: "3.8"
+
+services:
+  datadog:
+    image: gcr.io/datadoghq/agent:7
+    restart: unless-stopped
+    container_name: datadog-agent
+    ports:
+      - "127.0.0.1:8125:8125"
+    environment:
+     - DD_API_KEY="${DD_API_KEY:?error}"
+     - DD_SITE=datadoghq.com
+    networks:
+      - kubenet
+
+networks:
+  kubenet:

deployments/kubehound/docker-compose.dev.yaml

@@ -0,0 +1,42 @@
+version: "3.8"
+name: kubehound-dev
+services:
+  mongodb:
+    volumes:
+      - mongodb_data:/data/db
+
+  janusgraph:
+    volumes:
+      - janusgraph_data:/data
+
+  mongo-express:
+    image: mongo-express:0.54.0
+    restart: unless-stopped
+    depends_on:
+      - mongodb
+    ports:
+      - "127.0.0.1:8081:8081"
+    environment:
+      ME_CONFIG_MONGODB_URL: mongodb://mongodb:27017/
+
+  kubehound:
+    container_name: ${COMPOSE_PROJECT_NAME}-core
+    restart: unless-stopped
+    build:
+      context: ../../
+      dockerfile: Dockerfile
+    environment:
+      - KUBECONFIG=/tmp/.kube/config
+    volumes:
+      - ./.kube-config:/tmp/.kube/config
+    networks:
+      - kubenet
+      - kind
+
+volumes:
+  mongodb_data:
+  janusgraph_data:
+
+networks:
+  kind:
+    external: true

deployments/kubehound/docker-compose.prod.yaml

@@ -0,0 +1,26 @@
+version: "3.8"
+name: kubehound-prod
+services:
+  mongodb:
+    volumes:
+      - mongodb_data:/data/db
+
+  janusgraph:
+    image: ghcr.io/datadog/kubehound/kubehound-janusgraph:latest
+    volumes:
+      - janusgraph_data:/data
+
+  kubehound:
+    container_name: ${COMPOSE_PROJECT_NAME}-core
+    restart: unless-stopped
+    image: ghcr.io/datadog/kubehound/kubehound-core:latest
+    environment:
+      - KUBECONFIG=/tmp/.kube/config
+    volumes:
+      - ./.kube-config:/tmp/.kube/config
+    networks:
+      - kubenet
+
+volumes:
+  mongodb_data:
+  janusgraph_data:

deployments/kubehound/docker-compose.yaml

@@ -0,0 +1,36 @@
+version: "3.7"
+name: kubehound-testing
+services:
+  mongodb:
+    image: mongo:6.0.6
+    restart: unless-stopped
+    container_name: ${COMPOSE_PROJECT_NAME}-storedb
+    ports:
+      - "127.0.0.1:27017:27017"
+    networks:
+      - kubenet
+    depends_on:
+      janusgraph:
+        condition: service_healthy
+
+  janusgraph:
+    build: ./janusgraph/
+    restart: unless-stopped
+    container_name: ${COMPOSE_PROJECT_NAME}-graphdb
+    ports:
+      - "127.0.0.1:8182:8182"
+    networks:
+      - kubenet
+    environment:
+      # Enforce strict schema constrains as per https://docs.janusgraph.org/configs/configuration-reference/#schema
+      - janusgraph.schema.constraints=true
+      - janusgraph.schema.default=none
+    healthcheck:
+      test: ["CMD", "/opt/janusgraph/bin/gremlin.sh", "-e", "/opt/janusgraph/scripts/health-check.groovy"]
+      interval: 60s
+      timeout: 30s
+      retries: 1
+      start_period: 15s
+
+networks:
+  kubenet:

deployments/kubehound/janusgraph/Dockerfile

@@ -1,4 +1,5 @@
-FROM janusgraph/janusgraph:latest
+FROM janusgraph/janusgraph:0.6.3
+LABEL org.opencontainers.image.source="https://github.com/DataDog/kubehound/"
 
 # Add our initialization script for the database schema to the startup directory
 # See https://github.com/JanusGraph/janusgraph-docker#initialization

deployments/kubehound/kubehound.yaml

@@ -0,0 +1,18 @@
+storage:
+  retry_delay: 10s
+  retry: 5
+collector:
+  type: live-k8s-api-collector
+  live:
+    page_size: 500
+    page_buffer_size: 10
+    rate_limit_per_second: 100
+mongodb:
+  url: "mongodb://mongodb:27017"
+  connection_timeout: 5s
+janusgraph:
+  url: "ws://janusgraph:8182/gremlin"
+  connection_timeout: 5s
+telemetry:
+  statsd:
+    url: "datadog:8125"

test/setup/.env.local

@@ -1,3 +1,5 @@
 CLUSTER_NAME=kubehound.test.local
 CONFIG_DIR=./test-cluster
-KUBECONFIG=./test/setup/.kube/config
+KIND_KUBECONFIG=./.kube-config
+KIND_KUBECONFIG_INTERNAL=./../../deployments/kubehound/.kube-config
+DOCKER_CMD=docker