First release

.github/dependabot.yml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  # Update Dockerfile
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "feat: "
+
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "chore(ci): "
+    open-pull-requests-limit: 10

.github/workflows/release-container-image.yaml

@@ -0,0 +1,73 @@
+name: Release Container Image
+
+on:
+  schedule:
+    - cron: '3 3 * * *'
+  pull_request:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*.*.*'
+
+jobs:
+  container:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Configure Image Metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            docker.io/adfinissygroup/signalilo-scrubbed
+            ghcr.io/adfinis/signalilo-scrubbed
+            quay.io/adfinis/signalilo-scrubbed
+          tags: |
+            type=schedule,pattern=nightly
+            type=edge
+            type=semver,pattern=v{{version}}
+            type=semver,pattern=v{{major}}
+            type=semver,pattern=v{{major}}.{{minor}}
+            type=ref,event=pr
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+        if: ${{ github.event_name != 'pull_request' }}
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
+        if: ${{ github.event_name != 'pull_request' }}
+
+      - name: Login to quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME}}
+          password: ${{ secrets.QUAY_ACCESS_TOKEN }}
+        if: ${{ github.event_name != 'pull_request' }}
+
+      - name: Build and push
+        id: docker_build_ghcr
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Containerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/semantic-release.yaml

@@ -0,0 +1,22 @@
+# runs on each push to main and is responsible for creating new tags/releases
+name: Create Semantic Release
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  semantic-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run go-semantic-release
+        id: semrel
+        uses: go-semantic-release/[email protected]
+        with:
+          github-token: ${{ secrets.PAT }}
+          allow-initial-development-versions: true

.github/workflows/shellcheck.yaml

@@ -0,0 +1,11 @@
+name: Shellcheck
+on: pull_request
+jobs:
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Run shellcheck
+        id: shellcheck
+        uses: ludeeus/[email protected]

.gitignore

@@ -0,0 +1,5 @@
+__pycache__/
+venv/
+build/
+dist/
+*.spec

Containerfile

@@ -0,0 +1,18 @@
+FROM docker.io/library/python:3.11 as scrubbed
+
+WORKDIR /src
+
+COPY Makefile initenv.sh requirements.txt scrubbed.py .
+
+RUN make static
+
+FROM quay.io/vshn/signalilo:v0.14.0 as signalilo
+
+FROM debian
+#FROM registry.access.redhat.com/ubi9/ubi-micro:9.4
+
+COPY --from=signalilo /usr/local/bin/signalilo /usr/local/bin/
+
+COPY --from=scrubbed /src/dist/scrubbed /usr/local/bin/
+
+EXPOSE 8080

Makefile

@@ -0,0 +1,26 @@
+.DEFAULT_GOAL := help
+
+.PHONY: help
+# Self documenting Makefile
+help:
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+
+# -t $(IMAGE_NAME):$(VERSION) .
+
+.PHONY: image
+image: ## Create Docker image
+	podman build .
+	@echo built image $(IMAGE_NAME)
+
+.PHONY: venv
+venv: ## Initialize virtual environment and install dependencies
+	./initenv.sh
+
+.PHONY: static
+static: venv ## Generate static binary with embedded Python
+	venv/bin/pyinstaller --onefile scrubbed.py
+
+.PHONY: clean
+clean: ## Clean up
+	rm -rf venv/ build/ dist/ __pycache__/ scrubbed.spec

initenv.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+
+python3 -m venv $(dirname "$0")/venv/
+
+PIP=$(dirname "$0")/venv/bin/pip
+
+$PIP install -r requirements.txt

requirements.txt

@@ -0,0 +1,4 @@
+Flask==3.0.3
+requests==2.32.3
+pyinstaller==6.8.0
+waitress==3.0.0

scrubbed.py

@@ -0,0 +1,105 @@
+#!/bin/env python3
+
+from flask import Flask, request, jsonify
+import requests
+import logging
+import os
+
+app = Flask(__name__)
+
+# Map the string level to a logging level
+log_level_map = {
+    "DEBUG": logging.DEBUG,
+    "INFO": logging.INFO,
+    "WARNING": logging.WARNING,
+    "ERROR": logging.ERROR,
+    "CRITICAL": logging.CRITICAL,
+}
+
+log_level = os.getenv("SCRUBBED_LOG_LEVEL", "INFO").upper()
+logging.basicConfig(level=log_level_map.get(log_level, logging.WARNING))
+
+logger = logging.getLogger("scrubbed")
+logger.info("hello")
+
+# Replace non whitelisted values with REDACTED_STRING
+REDACTED_STRING = os.environ.get("SCRUBBED_REDACTED_STRING", "REDACTED")
+
+# Whitelist filtering configuration
+ALERT_LABELS = os.environ.get("SCRUBBED_ALERT_LABELS", "alertname severity").split()
+ALERT_ANNOTATIONS = os.environ.get("SCRUBBED_ALERT_ANNOTATIONS", "").split()
+GROUP_LABELS = os.environ.get("SCRUBBED_GROUP_LABELS", "").split()
+COMMON_LABELS = os.environ.get("SCRUBBED_COMMON_LABELS", "alertname severity").split()
+COMMON_ANNOTATIONS = os.environ.get("SCRUBBED_COMMON_ANNOTATIONS", "").split()
+
+# Service configuration
+PORT = os.environ.get("SCRUBBED_LISTEN_PORT", 8080)
+URL = os.environ.get("SCRUBBED_DESTINATION_URL", "http://localhost:6725")
+
+
+def redact_fields(fields, keys_to_keep):
+    return {
+        key: (fields[key] if key in keys_to_keep else REDACTED_STRING) for key in fields
+    }
+
+
+def scrub(alert):
+    for a in alert["alerts"]:
+        a["labels"] = redact_fields(a["labels"], ALERT_LABELS)
+        a["annotations"] = redact_fields(a["annotations"], ALERT_ANNOTATIONS)
+        a["generatorURL"] = REDACTED_STRING
+    alert["groupLabels"] = redact_fields(alert["groupLabels"], GROUP_LABELS)
+    alert["commonLabels"] = redact_fields(alert["commonLabels"], COMMON_LABELS)
+    alert["commonAnnotations"] = redact_fields(
+        alert["commonAnnotations"], COMMON_ANNOTATIONS
+    )
+    alert["externalURL"] = REDACTED_STRING
+    alert["groupKey"] = REDACTED_STRING
+
+
+@app.post("/webhook")
+def webhook():
+    if request.is_json:
+        try:
+            alert = request.get_json()
+
+            scrub(alert)
+
+            logger.debug(f"sending:\n{alert}")
+
+            session = requests.Session()
+
+            # Copy headers
+            session.headers.clear()
+            for h in request.headers.keys():
+                session.headers[h] = request.headers.get(h)
+
+            r = session.post(URL, json=alert)
+            msg = "alert received and processed"
+            response = {
+                "status": "success",
+                "message": f"{msg}, status code {r.status_code}",
+            }
+            logger.info(f"{msg} with code {r.status_code}")
+            return jsonify(response), r.status_code
+        except Exception as e:
+            response = {
+                "status": "error",
+                "message": str(e),
+            }
+            logger.error(str(e))
+            return jsonify(response), 500
+    else:
+        msg = "request must be in JSON format"
+        response = {
+            "status": "error",
+            "message": msg,
+        }
+        logger.error(msg)
+        return jsonify(response), 400
+
+
+if __name__ == "__main__":
+    from waitress import serve
+
+    serve(app, host="0.0.0.0", port=PORT)

test.hurl

@@ -0,0 +1,45 @@
+POST http://localhost:8080/webhook
+User-Agent: Alertmanager/0.25.0
+Accept:
+{
+  "receiver": "default",
+  "status": "firing",
+  "alerts": [
+    {
+      "status": "firing",
+      "labels": {
+        "alertname": "ProbeFailure",
+        "cluster": "pia2",
+        "namespace": "openshift-monitoring",
+        "node": "node.foo.ch",
+        "openshift_io_alert_source": "platform",
+        "prometheus": "openshift-monitoring/k8s",
+        "severity": "critical"
+      },
+      "annotations": {
+        "description": "Instance https://server.example.org has been down for over 5m. Job: http_checks",
+        "summary": "BlackBox Probe Failure: https://server.example.org"
+      },
+      "startsAt": "2023-02-06T13:08:45.828Z",
+      "endsAt": "0001-01-01T00:00:00Z",
+      "generatorURL": "https://console.apps.ioipioipo/monitoring....",
+      "fingerprint": "1a30ba71cca2921f"
+    }
+  ],
+  "groupLabels": {
+    "namespace": "openshift-monitoring"
+  },
+  "commonLabels": {
+    "alertname": "ProbeFailure",
+    "cluster": "pta2",
+    "namespace": "openshift-monitoring",
+    "openshift_io_alert_source": "platform",
+    "prometheus": "openshift-monitoring/k8s",
+    "severity": "critical"
+  },
+  "commonAnnotations": {},
+  "externalURL": "https://console.apps.joihjoijiooij/monitoring",
+  "version": "4",
+  "groupKey": "{}/{severity=\"critical\"}:{alertname=\"ProbeFailure\"}",
+  "truncatedAlerts": 0
+}