Merge pull request #139 from mfreeman451/updates/memory_leak_work

Updates/memory leak work
carverauto · Jan 30, 2025 · a082230 · a082230
2 parents 158a194 + e068938
commit a082230
Show file tree

Hide file tree

Showing 25 changed files with 2,240 additions and 449 deletions.
diff --git a/README.md b/README.md
@@ -31,45 +31,45 @@ ServiceRadar can be installed via direct downloads from GitHub releases.
 Install these components on your monitored host:
 ```bash
 # Download and install core components
-curl -LO https://github.com/mfreeman451/serviceradar/releases/download/1.0.3/serviceradar-agent_1.0.10.deb \
-     -O https://github.com/mfreeman451/serviceradar/releases/download/1.0.3/serviceradar-poller_1.0.10.deb
+curl -LO https://github.com/mfreeman451/serviceradar/releases/download/1.0.3/serviceradar-agent_1.0.11.deb \
+     -O https://github.com/mfreeman451/serviceradar/releases/download/1.0.3/serviceradar-poller_1.0.11.deb
 
-sudo dpkg -i serviceradar-agent_1.0.10.deb serviceradar-poller_1.0.10.deb
+sudo dpkg -i serviceradar-agent_1.0.11.deb serviceradar-poller_1.0.11.deb
 ```
 
 On a separate machine (recommended) or the same host:
 ```bash
 # Download and install cloud service
-curl -LO https://github.com/mfreeman451/serviceradar/releases/download/1.0.3/serviceradar-cloud_1.0.10.deb
-sudo dpkg -i serviceradar-cloud_1.0.10.deb
+curl -LO https://github.com/mfreeman451/serviceradar/releases/download/1.0.3/serviceradar-cloud_1.0.11.deb
+sudo dpkg -i serviceradar-cloud_1.0.11.deb
 ```
 
 #### Optional: Dusk Node Monitoring
 If you're running a [Dusk](https://dusk.network/) node and want specialized monitoring:
 ```bash
-curl -LO https://github.com/mfreeman451/serviceradar/releases/download/1.0.10/serviceradar-dusk-checker_1.0.10.deb
-sudo dpkg -i serviceradar-dusk-checker_1.0.10.deb
+curl -LO https://github.com/mfreeman451/serviceradar/releases/download/1.0.11/serviceradar-dusk-checker_1.0.11.deb
+sudo dpkg -i serviceradar-dusk-checker_1.0.11.deb
 ```
 
 #### Distributed Setup
 For larger deployments where components run on different hosts:
 
 1. On monitored hosts:
 ```bash
-curl -LO https://github.com/mfreeman451/serviceradar/releases/download/1.0.10/serviceradar-agent_1.0.10.deb
-sudo dpkg -i serviceradar-agent_1.0.10.deb
+curl -LO https://github.com/mfreeman451/serviceradar/releases/download/1.0.11/serviceradar-agent_1.0.11.deb
+sudo dpkg -i serviceradar-agent_1.0.11.deb
 ```
 
 2. On monitoring host:
 ```bash
-curl -LO https://github.com/mfreeman451/serviceradar/releases/download/1.0.3/serviceradar-poller_1.0.10.deb
-sudo dpkg -i serviceradar-poller_1.0.10.deb
+curl -LO https://github.com/mfreeman451/serviceradar/releases/download/1.0.3/serviceradar-poller_1.0.11.deb
+sudo dpkg -i serviceradar-poller_1.0.11.deb
 ```
 
 3. On cloud host:
 ```bash
-curl -LO https://github.com/mfreeman451/serviceradar/releases/download/1.0.3/serviceradar-cloud_1.0.10.deb
-sudo dpkg -i serviceradar-cloud_1.0.10.deb
+curl -LO https://github.com/mfreeman451/serviceradar/releases/download/1.0.3/serviceradar-cloud_1.0.11.deb
+sudo dpkg -i serviceradar-cloud_1.0.11.deb
 ```
 
 ## Architecture
@@ -171,19 +171,19 @@ cd serviceradar
 
 1. **Agent Installation** (on monitored hosts):
 ```bash
-sudo dpkg -i serviceradar-dusk-checker_1.0.10.deb  # For Dusk nodes
+sudo dpkg -i serviceradar-dusk-checker_1.0.11.deb  # For Dusk nodes
 # or
-sudo dpkg -i serviceradar-agent_1.0.10.deb  # For other hosts
+sudo dpkg -i serviceradar-agent_1.0.11.deb  # For other hosts
 ```
 
 2. **Poller Installation** (on any host in your network):
 ```bash
-sudo dpkg -i serviceradar-poller_1.0.10.deb
+sudo dpkg -i serviceradar-poller_1.0.11.deb
 ```
 
 3. **Cloud Installation** (on a reliable host):
 ```bash
-sudo dpkg -i serviceradar-cloud_1.0.10.deb
+sudo dpkg -i serviceradar-cloud_1.0.11.deb
 ```
 
 ## Configuration

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,214 @@
+# Security Configuration
+
+ServiceRadar supports multiple security modes for gRPC communication between components. Choose the mode that best fits your environment and security requirements.
+
+## Quick Start
+
+The simplest secure configuration uses basic TLS:
+
+```json
+{
+  "security": {
+    "mode": "tls",
+    "cert_dir": "/etc/serviceradar/certs"
+  }
+}
+```
+
+## Security Modes
+
+### Development Mode (No Security)
+⚠️ **Not recommended for production use**
+
+```json
+{
+  "security": {
+    "mode": "none"
+  }
+}
+```
+
+### Basic TLS
+Provides encryption and server authentication:
+
+```json
+{
+  "security": {
+    "mode": "tls",
+    "cert_dir": "/etc/serviceradar/certs"
+  }
+}
+```
+
+Required files in cert_dir:
+- `ca.crt`: Certificate Authority certificate
+- `server.crt`: Server certificate
+- `server.key`: Server private key
+
+### Mutual TLS (mTLS)
+Provides encryption with both server and client authentication:
+
+```json
+{
+  "security": {
+    "mode": "mtls",
+    "cert_dir": "/etc/serviceradar/certs"
+  }
+}
+```
+
+Required files in cert_dir:
+- `ca.crt`: Certificate Authority certificate
+- `server.crt`: Server certificate
+- `server.key`: Server private key
+- `client.crt`: Client certificate
+- `client.key`: Client private key
+
+### SPIFFE/SPIRE Integration
+Zero-trust workload identity using SPIFFE:
+
+```json
+{
+  "security": {
+    "mode": "spiffe",
+    "trust_domain": "example.org",
+    "workload_socket": "unix:/run/spire/sockets/agent.sock"
+  }
+}
+```
+
+## Kubernetes Deployment
+
+### With SPIFFE/SPIRE
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: serviceradar
+spec:
+  containers:
+  - name: serviceradar
+    image: serviceradar:latest
+    env:
+    - name: SR_SECURITY_MODE
+      value: "spiffe"
+    - name: SR_TRUST_DOMAIN
+      value: "example.org"
+    volumeMounts:
+    - name: spire-socket
+      mountPath: /run/spire/sockets
+      readOnly: true
+  volumes:
+  - name: spire-socket
+    hostPath:
+      path: /run/spire/sockets
+      type: Directory
+```
+
+### With mTLS
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: serviceradar
+spec:
+  containers:
+  - name: serviceradar
+    image: serviceradar:latest
+    env:
+    - name: SR_SECURITY_MODE
+      value: "mtls"
+    - name: SR_CERT_DIR
+      value: "/etc/serviceradar/certs"
+    volumeMounts:
+    - name: certs
+      mountPath: /etc/serviceradar/certs
+      readOnly: true
+  volumes:
+  - name: certs
+    secret:
+      secretName: serviceradar-certs
+```
+
+## Certificate Management
+
+### Generating Self-Signed Certificates
+
+For testing or development environments, you can generate self-signed certificates using the provided tool:
+
+```bash
+# Generate basic TLS certificates
+serviceradar cert generate --dir /etc/serviceradar/certs
+
+# Generate mTLS certificates (includes client certs)
+serviceradar cert generate --dir /etc/serviceradar/certs --mtls
+
+# View certificate information
+serviceradar cert info --dir /etc/serviceradar/certs
+```
+
+### Using Existing PKI
+
+If you have an existing PKI infrastructure, place your certificates in the configured certificate directory:
+
+```bash
+# Example directory structure
+/etc/serviceradar/certs/
+├── ca.crt
+├── server.crt
+├── server.key
+├── client.crt  # Only needed for mTLS
+└── client.key  # Only needed for mTLS
+```
+
+### Certificate Rotation
+
+ServiceRadar automatically detects and reloads certificates when they change. For SPIFFE mode, certificate rotation is handled automatically by the SPIFFE Workload API.
+
+## Environment Variables
+
+All security settings can be configured via environment variables:
+
+```bash
+# Security mode
+export SR_SECURITY_MODE=mtls
+
+# Certificate directory for TLS/mTLS modes
+export SR_CERT_DIR=/etc/serviceradar/certs
+
+# SPIFFE configuration
+export SR_TRUST_DOMAIN=example.org
+export SR_WORKLOAD_SOCKET=unix:/run/spire/sockets/agent.sock
+```
+
+## Security Best Practices
+
+1. Always use a secure mode in production environments
+2. Regularly rotate certificates
+3. Use mTLS or SPIFFE for zero-trust environments
+4. Keep private keys protected (0600 permissions)
+5. Monitor certificate expiration
+6. Use separate certificates for different components
+
+## Troubleshooting
+
+Common issues and solutions:
+
+1. **Certificate not found errors**
+    - Verify certificate paths
+    - Check file permissions
+    - Ensure certificates are in PEM format
+
+2. **SPIFFE Workload API connection issues**
+    - Check SPIFFE agent is running
+    - Verify socket path and permissions
+    - Confirm trust domain configuration
+
+3. **mTLS authentication failures**
+    - Verify client and server certificates are signed by the same CA
+    - Check certificate expiration dates
+    - Confirm trust domain matches (SPIFFE mode)
+
+For more detailed security configuration and best practices, see the [full documentation](https://docs.serviceradar.example.com/security).
diff --git a/buildAll.sh b/buildAll.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-VERSION=${VERSION:-1.0.10}
+VERSION=${VERSION:-1.0.11}
 
 
 ./setup-deb-poller.sh

diff --git a/go.mod b/go.mod
@@ -6,6 +6,7 @@ require (
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.3
 	github.com/mattn/go-sqlite3 v1.14.24
+	github.com/spiffe/go-spiffe/v2 v2.4.0
 	github.com/stretchr/testify v1.9.0
 	go.uber.org/mock v0.5.0
 	golang.org/x/net v0.34.0
@@ -14,8 +15,13 @@ require (
 )
 
 require (
+	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
 	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250127172529-29210b9bc287 // indirect

diff --git a/go.sum b/go.sum
@@ -1,5 +1,10 @@
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
+github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -14,12 +19,20 @@ github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
 github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/spiffe/go-spiffe/v2 v2.4.0 h1:j/FynG7hi2azrBG5cvjRcnQ4sux/VNj8FAVc99Fl66c=
+github.com/spiffe/go-spiffe/v2 v2.4.0/go.mod h1:m5qJ1hGzjxjtrkGHZupoXHo/FDWwCB1MdSyBzfHugx0=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
+github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
 go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U=
 go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg=
 go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M=
@@ -32,6 +45,8 @@ go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQD
 go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8=
 go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
 go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
 golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
@@ -44,7 +59,8 @@ google.golang.org/grpc v1.70.0 h1:pWFv03aZoHzlRKHWicjsZytKAiYCtNS0dHbXnIdq7jQ=
 google.golang.org/grpc v1.70.0/go.mod h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw=
 google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
 google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/pkg/agent/sweep_service.go b/pkg/agent/sweep_service.go
@@ -57,7 +57,7 @@ func NewSweepService(config *models.Config) (Service, error) {
 	)
 
 	// Create processor instance
-	processor := sweeper.NewBaseProcessor()
+	processor := sweeper.NewBaseProcessor(config)
 
 	// Create an in-memory store
 	store := sweeper.NewInMemoryStore(processor)
@@ -467,9 +467,6 @@ func (s *SweepService) GetStatus(ctx context.Context) (*proto.StatusResponse, er
 		return nil, fmt.Errorf("failed to marshal sweep status: %w", err)
 	}
 
-	// Log the response data for debugging
-	log.Printf("Sweep status response: %s", string(statusJSON))
-
 	return &proto.StatusResponse{
 		Available:    true,
 		Message:      string(statusJSON),