metal-toolbox / auditevent Goto Github PK

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

• fix(deps): update module github.com/go-logr/logr to v1.4.2
• fix(deps): update module github.com/gin-gonic/gin to v1.10.0
• 🔐 Create all rate-limited PRs at once 🔐

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update anothrnick/github-tag-action action to v1.69.0
• chore(deps): update docker.io/library/golang docker tag to v1.22
• chore(deps): update golangci/golangci-lint docker tag to v1.59.0
• chore(deps): update helm/kind-action action to v1.10.0
• fix(deps): update module github.com/labstack/echo/v4 to v4.12.0
• fix(deps): update module github.com/prometheus/client_golang to v1.19.1
• fix(deps): update module github.com/prometheus/common to v0.54.0
• fix(deps): update module golang.org/x/sync to v0.7.0
• chore(deps): update codecov/codecov-action action to v4
• chore(deps): update softprops/action-gh-release action to v2
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

The OpenAuditLogFileUntilSuccess helper silently blocks until the named pipe is available. While the wait was intentional, this is not user-friendly and causes confusion. Let's at least print an message that the wait is happening.

The Go Doc for NewDefaultAuditEventWriter says:

// AuditEventEncoderJSON is an encoder that encodes audit events
// using a default JSON encoder.

Is AuditEventEncoderJSON a typo in the documentation, or should that be the function's name? Is the function supposed to use a JSON encoder?

some metal-toolbox/infratographer projects are adopting echo, we should cater for them and provide audit middleware for them to use.

The audittail container uses stdout to flush the audit logs it's tailing. This is useful for containers as they'll get immediately picked up by a log forwarder. However, we don't necessarily want to pollute these logs.

However, we still want to know if the audittail container had an error. Having a dedicated error file (that is not necessarily stderr) would be ideal for this. In cases where audittail is deployed in Kubernetes, it could be /dev/termination-log.

While working on a project that uses this library, I implemented an Encoder that (accidentally) produced a deadlock. While write operations are usually considered non-blocking operations, there are exceptions such as writing to a FIFO pipe (by default the write blocks until a read occurs).

In discussing the issue with @JAORMX, Ozz felt we should either support cancellation or document such a cases in the auditevent library.

By distributing a helm chart that provides values for the init container and the main sidecar, we could allow helm chart users to get automated dependency updates while making the adoption barrier even lower. The helm chart should allow for inserting a template for the init container and the sidecar, set the name of the mounted volume for audit logs, as well as a custom path for the logs.