onboarding and ci

.github/workflows/companion.yml

@@ -0,0 +1,47 @@
+---
+name: Build heap-dump-companion
+
+on:
+  push:
+    branches:
+      - feature/tt/onboarding
+    paths-ignore:
+      - 'heap-dump-service/**'
+      - 'notify-sidecar/**'
+
+env:
+  PROJECT_PATH: heap-dump-companion
+
+jobs:
+  build-companion:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.22'
+
+      - name: Go Test
+        run: |
+          cd ${{ env.PROJECT_PATH }}
+          go test -v ./...
+
+      - name: Trivy Scan
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          scan-type: 'fs'
+          path: ${{ env.PROJECT_PATH }}
+
+      - name: Run GoReleaser (snapshot)
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          workdir: ${{ env.PROJECT_PATH }}
+          version: latest
+          args: build --snapshot --clean

.github/workflows/container-build.yml

@@ -0,0 +1,74 @@
+---
+name: Build, Test, Scan, and Push OCI Images
+
+on:
+  push:
+    branches:
+      - feature/tt/onboarding
+    paths-ignore:
+      - 'heap-dump-companion/**'
+
+jobs:
+  build-and-push-images:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        include:
+          - image: heap-dump-service
+            dockerfile: heap-dump-service/Dockerfile
+            gopath: heap-dump-service
+            ghcr-image: ghcr.io/${{ github.repository }}/heap-dump-service
+          - image: notify-sidecar
+            dockerfile: notify-sidecar/Dockerfile
+            gopath: notify-sidecar
+            ghcr-image: ghcr.io/${{ github.repository }}/notify-sidecar
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ matrix.ghcr-image }}
+
+      - name: Go Test
+        run: |
+          cd ${{ matrix.gopath }}
+          go test -v ./...
+
+      - name: Build
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ matrix.image }}
+          file: ${{ matrix.dockerfile }}
+          push: false
+          tags: ${{ matrix.ghcr-image }}:latest
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Trivy Scan
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: ${{ matrix.ghcr-image }}:latest
+          format: table
+          severity: CRITICAL,HIGH
+
+      - name: Push
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ matrix.image }}
+          file: ${{ matrix.dockerfile }}
+          push: true
+          tags: ${{ matrix.ghcr-image }}:latest
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/release-companion.yml

@@ -0,0 +1,43 @@
+---
+name: Release heap-dump-companion
+
+on:
+  release:
+    types: [created]
+
+env:
+  PROJECT_PATH: heap-dump-companion
+
+jobs:
+  release-companion:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.22'
+
+      - name: Go Test
+        run: |
+          cd ${{ env.PROJECT_PATH }}
+          go test -v ./...
+
+      - name: Trivy Scan
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          scan-type: 'fs'
+          path: ${{ env.PROJECT_PATH }}
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          workdir: ${{ env.PROJECT_PATH }}
+          version: latest
+          args: release --clean

.github/workflows/release-container.yml

@@ -0,0 +1,70 @@
+---
+name: Release OCI images
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  release-images:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        include:
+          - image: heap-dump-service
+            dockerfile: heap-dump-service/Dockerfile
+            gopath: heap-dump-service
+            ghcr-image: ghcr.io/${{ github.repository }}/heap-dump-service
+          - image: notify-sidecar
+            dockerfile: notify-sidecar/Dockerfile
+            gopath: notify-sidecar
+            ghcr-image: ghcr.io/${{ github.repository }}/notify-sidecar
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ matrix.ghcr-image }}
+
+      - name: Go Test
+        run: |
+          cd ${{ matrix.gopath }}
+          go test -v ./...
+
+      - name: Build
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ matrix.image }}
+          file: ${{ matrix.dockerfile }}
+          push: false
+          tags: ${{ matrix.ghcr-image }}:${{ github.event.release.name }}"
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Trivy Scan
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: ${{ matrix.ghcr-image }}:${{ github.event.release.name }}"
+          format: table
+          severity: CRITICAL,HIGH
+
+      - name: Push
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ matrix.image }}
+          file: ${{ matrix.dockerfile }}
+          push: true
+          tags: ${{ matrix.ghcr-image }}:${{ github.event.release.name }}"
+          labels: ${{ steps.meta.outputs.labels }}

README.md

@@ -0,0 +1,19 @@
+# Heap Dump Management
+
+As the filesystem in Kubernetes pods is not directly accessable we developed a sidecar approach where written heap dumps are collected and stored in an encrypted format on a central S3 Bucket per cluster.
+
+This approach consists of 3 parts: 
+
+* [heap dump service](heap-dump-service/README.md)
+* [notify sidecar](notify-sidecar/README.md)
+* [heap dump companion](heap-dump-companion/README.md)
+
+Please read the individual documentation to understand the individual parts.  
+This architectual overview should help to understand the interactions in between the components
+
+![](notify-sidecar/docs/Architecture.svg)
+
+## Maintainers
+
+This project is maintained by: 
+* Tobias Trabelsi (tobias.trabelsi+github@dbschenker.com)

heap-dump-companion/.gitignore

@@ -0,0 +1,3 @@
+bin/*
+test
+dist

heap-dump-companion/.goreleaser.yaml

@@ -0,0 +1,42 @@
+version: 2
+project_name: heap-dump-companion
+before:
+  hooks:
+    - go mod tidy
+builds:
+  - env:
+      - CGO_ENABLED=0
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    flags:
+      - -trimpath
+    ldflags:
+      - '-s -w'
+    goos:
+      - windows
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - '386'
+      - arm
+      - arm64
+    ignore:
+      - goos: darwin
+        goarch: '386'
+    dir: cmd/heap-dump-companion
+archives:
+- format: zip
+  name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
+checksum:
+  name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'
+  algorithm: sha256
+snapshot:
+  version_template: "snapshot"
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
+sboms:
+  - artifacts: binary

heap-dump-companion/Makefile

@@ -0,0 +1,35 @@
+GOFMT ?= gofmt -s
+GOFMT_FILES?=$$(find . -name '*.go'|grep -v .cache)
+
+build: test
+	goreleaser build --snapshot --clean
+
+package: build
+	goreleaser release --skip-publish --snapshot --clean
+
+test: fmt-check
+	go generate ./...; \
+    go test ./... -coverprofile=coverage.out; \
+    go test ./... -json > report.json; 
+
+fmt-check:
+	@diff=$$($(GOFMT) -d $(GOFMT_FILES)); \
+	if [ -n "$$diff" ]; then \
+		echo "Please run 'make fmt' and commit the result:"; \
+		echo "$${diff}"; \
+		exit 1; \
+	fi;
+
+fmt:
+	go fmt ./...
+
+clean:
+	rm -rf dist; \
+	rm coverage.out; \
+	rm report.json;
+
+.PHONY: build
+
+all:
+	$(MAKE) build
+	$(MAKE) package

heap-dump-companion/README.md

@@ -0,0 +1,49 @@
+# Heap Dump Companion
+
+Helper binary to seemlesly work with encrypted heap dumps.
+
+![](docs/Architecture.svg)
+
+## What it does
+
+As all heap dumps are AES encrypted and the AES Key itself is encrypted with Hashicorp Vault's transit encryption, we offer a small companion CLI application to decrypt the heap dump and the AES key in one go.  
+
+### MacOS prerequisites
+
+Maybe OSX is blocking you from execution of downloaded tool.\
+Go to directory with extracted tool and execute in shell:
+```bash
+xattr -d com.apple.quarantine heap-dump-companion
+```
+
+The tool should now be executable.
+
+### Usage of heap-dump-companion
+
+Make sure that you are signed into Vault and export your vault token via the environment variable `VAULT_TOKEN`.
+
+```
+Companion implementation intended to work with the general heap dump service.
+
+This command takes a encrypted heap dump, the encrypted AES Key of the heap dump and decrypts both
+using the transit engine of hashicorp Vault. 
+
+Examples:
+
+heap-dump-companion decrypt --input-file test/test.dump.crypted --output-file test/test.dump --key test/test.key -t some-tenant
+
+Usage:
+  heap-dump-companion decrypt [flags]
+
+Flags:
+  -h, --help                         help for decrypt
+  -i, --input-file string            Path to the encrypted heap dump
+  -k, --key string                   Path to the encrypted key that should be used for dectyption
+  -o, --output-file string           Desired output file after decryption
+  -t, --topic string                 Topic/Tenant owner of the heap dump to be decrypted
+  -T, --transit-mount-point string   Transit engine mount point in vault (default "eaas-heap-dump-service")
+
+Global Flags:
+  -c, --config string   config file (default is $HOME/.heap-dump-companion.yaml)
+```
+