From 7f08498952fd0240dd5f4c678be4582febbfaa3d Mon Sep 17 00:00:00 2001 From: Bryce Thuilot Date: Mon, 29 Jun 2026 13:50:04 -0400 Subject: [PATCH 1/6] fix(scheduler): consider pending pipelines as active for reject threshold Signed-off-by: Bryce Thuilot --- internal/reports/pipelines.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/reports/pipelines.go b/internal/reports/pipelines.go index 378ff2c..4adba73 100644 --- a/internal/reports/pipelines.go +++ b/internal/reports/pipelines.go @@ -154,7 +154,7 @@ func (s *Scheduler) isDownloaderValid(ctx context.Context, reportPolicy *chalkul func isPipelineActiveIndexer(o client.Object) []string { p := o.(*ocularv1beta1.Pipeline) - if p.Status.StartTime != nil && p.Status.CompletionTime == nil { + if p.Status.CompletionTime == nil { return []string{"true"} } return []string{"false"} From f579115c04fe32b1715ed44fc3039d4aa63e42dc Mon Sep 17 00:00:00 2001 From: Bryce Thuilot Date: Mon, 29 Jun 2026 14:09:30 -0400 Subject: [PATCH 2/6] chore: improve scheduler metrics Signed-off-by: Bryce Thuilot --- internal/reports/scheduler.go | 42 +++++++++++++++++++++++++++-------- 1 file changed, 33 insertions(+), 9 deletions(-) diff --git a/internal/reports/scheduler.go b/internal/reports/scheduler.go index e64e188..d40c8fa 100644 --- a/internal/reports/scheduler.go +++ b/internal/reports/scheduler.go @@ -33,6 +33,13 @@ const ( ) var ( + schedulerPipelinesGenerated = prometheus.NewCounterVec( + prometheus.CounterOpts{ + Name: "scheduler_pipelines_genereated", + Help: "Total number of pipelines generated from all reports in event", + }, + []string{"profile", "policy", "namespace"}, + ) schedulerPipelinesCreated = prometheus.NewCounterVec( prometheus.CounterOpts{ Name: "scheduler_pipelines_created", @@ -40,22 +47,29 @@ var ( }, []string{"profile", "policy", "namespace"}, ) - schedulerReportErrors = prometheus.NewCounter( + schedulerPipelineErrors = prometheus.NewCounterVec( prometheus.CounterOpts{ - Name: "scheduler_reports_errors", - Help: "Total number of pipelines created", + Name: "scheduler_pipeline_errors", + Help: "Total number of errors when creating pipelines", }, + []string{"profile", "policy", "namespace"}, ) schedulerReportsRecieved = prometheus.NewCounter( prometheus.CounterOpts{ Name: "scheduler_reports_received", - Help: "Total number of pipelines created", + Help: "Total number of reports receieved. (one event can contain multiple reports)", }, ) schedulerEventsRecieved = prometheus.NewCounter( prometheus.CounterOpts{ Name: "scheduler_events_received", - Help: "Total number of pipelines created", + Help: "Total number of events received (i.e. SQS message, HTTP request, etc.)", + }, + ) + schedulerEventErrors = prometheus.NewCounter( + prometheus.CounterOpts{ + Name: "scheduler_event_errors", + Help: "Total number of errors reported for event", }, ) schedulerEventProcessingDurationSeconds = prometheus.NewHistogram( @@ -71,9 +85,11 @@ func init() { metrics.Registry.MustRegister( schedulerEventProcessingDurationSeconds, schedulerEventsRecieved, - schedulerPipelinesCreated, - schedulerReportErrors, + schedulerEventErrors, schedulerReportsRecieved, + schedulerPipelinesGenerated, + schedulerPipelinesCreated, + schedulerPipelineErrors, ) } @@ -141,7 +157,8 @@ func (s *Scheduler) Start(ctx context.Context) error { duration := time.Since(start) schedulerEventProcessingDurationSeconds.Observe(duration.Seconds()) if err != nil { - schedulerReportErrors.Add(1) + l.Error(err, "error when processing reports") + schedulerEventErrors.Inc() } time.Sleep(time.Second) } @@ -197,6 +214,12 @@ func (s *Scheduler) processReports(ctx context.Context, reports []chalk.Report) for _, g := range generatedPipelines { var policyPipelines []*ocularv1beta1.Pipeline for i, pipeline := range g.pipelines { + metricLabels := prometheus.Labels{ + "profile": pipeline.Spec.ProfileRef.Name, + "policy": g.policy.Name, + "namespace": pipeline.Namespace, + } + schedulerPipelinesGenerated.With(metricLabels).Inc() err := s.mgrClient.Create(ctx, pipeline) if err != nil { l.Error(err, "unable to create pipeline for policy", @@ -206,8 +229,9 @@ func (s *Scheduler) processReports(ctx context.Context, reports []chalk.Report) "FailedToCreatePipeline", "CreatePipelineFromReport", "failed to generate pipeline (%d/%d) for report '%s': %s", i, len(g.pipelines), g.actionID, err) + schedulerPipelineErrors.With(metricLabels).Inc() } else { - schedulerPipelinesCreated.With(prometheus.Labels{"profile": pipeline.Spec.ProfileRef.Name, "policy": g.policy.Name, "namespace": pipeline.Namespace}) + schedulerPipelinesCreated.With(metricLabels).Inc() policyPipelines = append(policyPipelines, pipeline) } } From 5a891c71ca9ec5cbb08d8bdcc87c55abb0aa97d2 Mon Sep 17 00:00:00 2001 From: Bryce Thuilot Date: Wed, 1 Jul 2026 17:15:14 -0400 Subject: [PATCH 3/6] fix: set resource requirements for ocular resources Signed-off-by: Bryce Thuilot --- config/ocular/downloader.yaml | 7 +++++++ config/ocular/uploader.yaml | 7 +++++++ go.mod | 2 +- go.sum | 2 ++ 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/config/ocular/downloader.yaml b/config/ocular/downloader.yaml index c49a63c..6a2e5ad 100644 --- a/config/ocular/downloader.yaml +++ b/config/ocular/downloader.yaml @@ -9,6 +9,13 @@ spec: imagePullPolicy: IfNotPresent env: [] volumeMounts: [] + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi metadataFiles: - chalk.json parameters: diff --git a/config/ocular/uploader.yaml b/config/ocular/uploader.yaml index 361911a..080bd8a 100644 --- a/config/ocular/uploader.yaml +++ b/config/ocular/uploader.yaml @@ -15,6 +15,13 @@ spec: name: chalkular-secrets optional: true volumeMounts: [] + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi parameters: - name: S3_BUCKET description: "The S3 bucket to upload to" diff --git a/go.mod b/go.mod index 612fd19..fa5dbc6 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/s3 v1.100.0 github.com/aws/aws-sdk-go-v2/service/sqs v1.42.21 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.12.0 - github.com/crashappsec/ocular v0.3.3 + github.com/crashappsec/ocular v0.3.4-beta.1 github.com/gin-gonic/gin v1.11.0 github.com/google/cel-go v0.28.1 github.com/google/go-containerregistry v0.21.5 diff --git a/go.sum b/go.sum index 1cc518a..3bddb0f 100644 --- a/go.sum +++ b/go.sum @@ -89,6 +89,8 @@ github.com/crashappsec/ocular v0.3.3-beta.2 h1:N1OaZeXBaVxbiCDossgagWnvUFGJqdMCk github.com/crashappsec/ocular v0.3.3-beta.2/go.mod h1:lg7VzhAjqT9NeRQMWhrtZsBdKgfhJ0snPkNXyNIpNC8= github.com/crashappsec/ocular v0.3.3 h1:sm4SqHznQZirvnflj8ppLjaMLOiQI5NK01OdlEA2qVQ= github.com/crashappsec/ocular v0.3.3/go.mod h1:lg7VzhAjqT9NeRQMWhrtZsBdKgfhJ0snPkNXyNIpNC8= +github.com/crashappsec/ocular v0.3.4-beta.1 h1:XM5w3Z4mZ2YizGf2+p/ZgptBxscFvhucwTC6KNjs+Kk= +github.com/crashappsec/ocular v0.3.4-beta.1/go.mod h1:lg7VzhAjqT9NeRQMWhrtZsBdKgfhJ0snPkNXyNIpNC8= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= From bafeda66afa7b348104b952a8d6e2cfb22dbccb7 Mon Sep 17 00:00:00 2001 From: Bryce Thuilot Date: Tue, 7 Jul 2026 13:38:13 -0400 Subject: [PATCH 4/6] chore(deps): bump ocular dependency Signed-off-by: Bryce Thuilot --- ...crashoverride.run_chalkreportpolicies.yaml | 9 ++--- go.mod | 32 ++++++++--------- go.sum | 34 +++++++++++++++++++ 3 files changed, 52 insertions(+), 23 deletions(-) diff --git a/config/crd/bases/chalk.ocular.crashoverride.run_chalkreportpolicies.yaml b/config/crd/bases/chalk.ocular.crashoverride.run_chalkreportpolicies.yaml index e58d461..4525ea6 100644 --- a/config/crd/bases/chalk.ocular.crashoverride.run_chalkreportpolicies.yaml +++ b/config/crd/bases/chalk.ocular.crashoverride.run_chalkreportpolicies.yaml @@ -313,9 +313,9 @@ spec: RuntimeClassName is the name of the RuntimeClass that will be used to run the scan and upload pods. If not set, the cluster's default runtime handler will be used. type: string - scanServiceAccountName: + serviceAccountName: description: |- - ScanServiceAccountName is the name of the service account that will be used to run the scan job. + ServiceAccountName is the name of the service account that will be used to run the pipeline job. If not set, the default service account of the namespace will be used. type: string target: @@ -355,11 +355,6 @@ spec: format: int32 minimum: 1 type: integer - uploadServiceAccountName: - description: |- - UploadServiceAccountName is the name of the service account that will be used to run the upload job. - If not set, the default service account of the namespace will be used. - type: string required: - downloaderRef - profileRef diff --git a/go.mod b/go.mod index fa5dbc6..66e8079 100644 --- a/go.mod +++ b/go.mod @@ -8,21 +8,21 @@ require ( github.com/aws/aws-sdk-go-v2/service/s3 v1.100.0 github.com/aws/aws-sdk-go-v2/service/sqs v1.42.21 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.12.0 - github.com/crashappsec/ocular v0.3.4-beta.1 + github.com/crashappsec/ocular v0.4.0 github.com/gin-gonic/gin v1.11.0 github.com/google/cel-go v0.28.1 github.com/google/go-containerregistry v0.21.5 github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20260421225946-d4f10504a3c9 github.com/hashicorp/go-multierror v1.1.1 - github.com/onsi/ginkgo/v2 v2.29.0 - github.com/onsi/gomega v1.41.0 - k8s.io/api v0.36.1 - k8s.io/apimachinery v0.36.1 + github.com/onsi/ginkgo/v2 v2.32.0 + github.com/onsi/gomega v1.42.1 + k8s.io/api v0.36.2 + k8s.io/apimachinery v0.36.2 k8s.io/apiserver v0.36.1 - k8s.io/client-go v0.36.1 + k8s.io/client-go v0.36.2 k8s.io/utils v0.0.0-20260507154919-ff6756f316d2 sigs.k8s.io/controller-runtime v0.24.1 - sigs.k8s.io/kubebuilder/v4 v4.14.0 + sigs.k8s.io/kubebuilder/v4 v4.15.0 ) require ( @@ -149,17 +149,17 @@ require ( go.yaml.in/yaml/v2 v2.4.4 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/arch v0.20.0 // indirect - golang.org/x/crypto v0.51.0 // indirect + golang.org/x/crypto v0.53.0 // indirect golang.org/x/exp v0.0.0-20260508232706-74f9aab9d74a // indirect - golang.org/x/mod v0.36.0 // indirect - golang.org/x/net v0.54.0 // indirect + golang.org/x/mod v0.37.0 // indirect + golang.org/x/net v0.56.0 // indirect golang.org/x/oauth2 v0.36.0 // indirect - golang.org/x/sync v0.20.0 // indirect - golang.org/x/sys v0.44.0 // indirect - golang.org/x/term v0.43.0 // indirect - golang.org/x/text v0.37.0 // indirect + golang.org/x/sync v0.21.0 // indirect + golang.org/x/sys v0.46.0 // indirect + golang.org/x/term v0.44.0 // indirect + golang.org/x/text v0.38.0 // indirect golang.org/x/time v0.15.0 // indirect - golang.org/x/tools v0.45.0 // indirect + golang.org/x/tools v0.46.0 // indirect gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20260511170946-3700d4141b60 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20260511170946-3700d4141b60 // indirect @@ -171,7 +171,7 @@ require ( k8s.io/component-base v0.36.1 // indirect k8s.io/klog/v2 v2.140.0 // indirect k8s.io/kube-openapi v0.0.0-20260512234627-ef417d054102 // indirect - k8s.io/streaming v0.36.1 // indirect + k8s.io/streaming v0.36.2 // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 // indirect sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect sigs.k8s.io/randfill v1.0.0 // indirect diff --git a/go.sum b/go.sum index 3bddb0f..d43e3fe 100644 --- a/go.sum +++ b/go.sum @@ -91,6 +91,10 @@ github.com/crashappsec/ocular v0.3.3 h1:sm4SqHznQZirvnflj8ppLjaMLOiQI5NK01OdlEA2 github.com/crashappsec/ocular v0.3.3/go.mod h1:lg7VzhAjqT9NeRQMWhrtZsBdKgfhJ0snPkNXyNIpNC8= github.com/crashappsec/ocular v0.3.4-beta.1 h1:XM5w3Z4mZ2YizGf2+p/ZgptBxscFvhucwTC6KNjs+Kk= github.com/crashappsec/ocular v0.3.4-beta.1/go.mod h1:lg7VzhAjqT9NeRQMWhrtZsBdKgfhJ0snPkNXyNIpNC8= +github.com/crashappsec/ocular v0.4.0-beta.1 h1:gg4b+8tg1kUtWnYj7NG9GBNmsIEO6tJIVVFCZAAbrgA= +github.com/crashappsec/ocular v0.4.0-beta.1/go.mod h1:lg7VzhAjqT9NeRQMWhrtZsBdKgfhJ0snPkNXyNIpNC8= +github.com/crashappsec/ocular v0.4.0 h1:bDf68x/betAd6JdmlNk94p7LxlZsJ3sncQQOc6S488g= +github.com/crashappsec/ocular v0.4.0/go.mod h1:5H4AS2c/ffTVlIv9DKPJwipwR5SFtoVjICWZPGTPu8c= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= @@ -250,8 +254,12 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo/v2 v2.29.0 h1:rfh+ZFjgJhYWRoIqVf3Uwx/W20yLrcrE2h2GmYVRaag= github.com/onsi/ginkgo/v2 v2.29.0/go.mod h1:+aXOY+vzZ5mu2iI2HpTZUPmM//oQfsNFX6gU9kNcA44= +github.com/onsi/ginkgo/v2 v2.32.0 h1:Hw7s2pVrQo/8Yz5N77qdnpHaoc+c6cC9WIV1Jce+J6E= +github.com/onsi/ginkgo/v2 v2.32.0/go.mod h1:+aXOY+vzZ5mu2iI2HpTZUPmM//oQfsNFX6gU9kNcA44= github.com/onsi/gomega v1.41.0 h1:OwKp4pXNgVxf6sCplzYo794OFNuoL2q2SBMU5NSWOjA= github.com/onsi/gomega v1.41.0/go.mod h1:M/Uqpu/8qTjtzCLUA2zJHX9Iilrau25x1PdoSRbWh5A= +github.com/onsi/gomega v1.42.1 h1:iN1rCUX+44NZ1Dc97MPoeFYbFR0vh8zxoxMFwKdyZ6I= +github.com/onsi/gomega v1.42.1/go.mod h1:REff/hsDsodHoKlWsP2mAPhu1+5/6hVYNf9rIEBpeSg= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= @@ -352,28 +360,44 @@ golang.org/x/arch v0.20.0 h1:dx1zTU0MAE98U+TQ8BLl7XsJbgze2WnNKF/8tGp/Q6c= golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk= golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI= golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8= +golang.org/x/crypto v0.53.0 h1:QZ4Muo8THX6CizN2vPPd5fBGHyogrdK9fG4wLPFUsto= +golang.org/x/crypto v0.53.0/go.mod h1:DNLU434OwVakk9PzuwV8w62mAJpRJL3vsgcfp4Qnsio= golang.org/x/exp v0.0.0-20260508232706-74f9aab9d74a h1:+3jdDGGB8NGb1Zktc737jlt3/A5f6UlwSzmvqUuufxw= golang.org/x/exp v0.0.0-20260508232706-74f9aab9d74a/go.mod h1:d2fgXJLVs4dYDHUk5lwMIfzRzSrWCfGZb0ZqeLa/Vcw= golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4= golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ= +golang.org/x/mod v0.37.0 h1:vF1DjpVEshcIqoEaauuHebaLk1O1forxjxBaVn884JQ= +golang.org/x/mod v0.37.0/go.mod h1:m8S8VeM9r4dzDwjrKO0a1sZP3YjeMamRRlD+fmR2Q/0= golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w= golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ= +golang.org/x/net v0.56.0 h1:Rw8j/hFzGvJUZwNBXnAtf5sVDVt+65SK2C7IxCxZt5o= +golang.org/x/net v0.56.0/go.mod h1:D3Ku6r+V6JROoZK144D2XfMHFcMq/0zSfLelVTCFKec= golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs= golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q= golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4= golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0= +golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM= +golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ= golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= +golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw= +golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4= golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk= +golang.org/x/term v0.44.0 h1:0rLvDRCtNj0gZkyIXhCyOb2OAzEhLVqc4B+hrsBhrmc= +golang.org/x/term v0.44.0/go.mod h1:7ze4MdzUzLXpSAoFP1H0bOI9aXDqveSvatT5vKcFh2Y= golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc= golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38= +golang.org/x/text v0.38.0 h1:sXmwo9DwP3OK9EZ7PqAdaooSGozfl/3a6/xJcbzPRhE= +golang.org/x/text v0.38.0/go.mod h1:YXZt3QhHUKYT53r2lLKFIVi6Ao1jdzrTR/KQ09qyxF4= golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U= golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno= golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8= golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0= +golang.org/x/tools v0.46.0 h1:7jTurBkPZu4moS/Uy4OQT1M+QBlsj3wejyZwsT8Z7rk= +golang.org/x/tools v0.46.0/go.mod h1:FrD85F8l+NWL+9XWBSyVSHO6Ne4jutsfIFba7AWQ5Ys= gomodules.xyz/jsonpatch/v2 v2.5.0 h1:JELs8RLM12qJGXU4u/TO3V25KW8GreMKl9pdkk14RM0= gomodules.xyz/jsonpatch/v2 v2.5.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4= @@ -400,14 +424,20 @@ gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q= gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA= k8s.io/api v0.36.1 h1:XbL/EMj8K2aJpJtePmqUyQMsM0D4QI2pvl7YKJ20FTY= k8s.io/api v0.36.1/go.mod h1:KOWo4ey3TINlXjeHVuwB3i+tXXnu+UcwFBHlI/9dvEo= +k8s.io/api v0.36.2 h1:TF6YDLIzKfccK7cq9YpTcGX8TJmEkHVRv78DM51fRYY= +k8s.io/api v0.36.2/go.mod h1:F4LbMO4brjZYh7yFkXWhynSvtB7YauxV4c+HHkNRGNg= k8s.io/apiextensions-apiserver v0.36.1 h1:6JfYmPUsuUIHuN+3QxutXYWj492RqF5fBSx67GYK5Ks= k8s.io/apiextensions-apiserver v0.36.1/go.mod h1:pLzZin90riwisdzKwv/GoTwENooytoIx5zWJb4Hkby8= k8s.io/apimachinery v0.36.1 h1:G63Gjx2W+q0YD+72Vo8oY0nDnePVwnuzTmmy5ENrVSA= k8s.io/apimachinery v0.36.1/go.mod h1:ibYOR00vW/I1kzvi5SF0dRuJ52BvKtfvRdOn35GPQ+8= +k8s.io/apimachinery v0.36.2 h1:0PE/W/WNy1UX61NLbXY5TMbJ6UwLL6E6lAPkYrKFxbQ= +k8s.io/apimachinery v0.36.2/go.mod h1:fvf/HOLXq9RId0rnDIbN1OEBvHXdQbLMM8nu0LcBUf4= k8s.io/apiserver v0.36.1 h1:iMS5V+rPUertv5P9RaqJgmHHTuh4quWpoxchvMUY+JY= k8s.io/apiserver v0.36.1/go.mod h1:Cby1PbLWztu0GDOxoO6iFOyyqIsziHNEW+w9zVQ22Kw= k8s.io/client-go v0.36.1 h1:FN/K8QIT2CEDt+2WB2HnWrUANZ50AP5GII43/SP2JR0= k8s.io/client-go v0.36.1/go.mod h1:s6rAnCtTGYDQnpNjEhSaISV+2O8jwruZ6m3QOYBFbtU= +k8s.io/client-go v0.36.2 h1:bfgxmFKc9CgqsgX4xKLAAdmTQlWee7Ob/HlDOrJ5TBI= +k8s.io/client-go v0.36.2/go.mod h1:1vgO4OAlfPnoLcb+Rze2GF5rAr14w8qjrYMoyXJzQj0= k8s.io/component-base v0.36.1 h1:iG6GsELftXqTNG9HG6kiVjatSgAw1sf5pJ6R5a6N0kA= k8s.io/component-base v0.36.1/go.mod h1:nf9XPlntRdqO6WMeEWAA5F93Y4ICZQdeT9GeqLDB3JI= k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc= @@ -416,6 +446,8 @@ k8s.io/kube-openapi v0.0.0-20260512234627-ef417d054102 h1:xs2ux1MvyrOdfKwS3vuFWr k8s.io/kube-openapi v0.0.0-20260512234627-ef417d054102/go.mod h1:V/QaCUYDa+0QpcHhVVc5l99Uz56wEMEXBSj9oCDkNDY= k8s.io/streaming v0.36.1 h1:L+K68n4Gg940BGNNYtUBvL1WTLL0YnKT3s+P1MNAmR4= k8s.io/streaming v0.36.1/go.mod h1:z6fV3D+NVkoeqRMtWwlUZK6U17SY/LqNzOxWL6GyR/s= +k8s.io/streaming v0.36.2 h1:NSKthPPg9UFSKsRauVJUVGH2Dvn8fhKmY4qrMkw/p98= +k8s.io/streaming v0.36.2/go.mod h1:z6fV3D+NVkoeqRMtWwlUZK6U17SY/LqNzOxWL6GyR/s= k8s.io/utils v0.0.0-20260507154919-ff6756f316d2 h1:wU4tMEhLGgIbLvXQb1cfN+EcM0wf7zC6CPF+C79jroc= k8s.io/utils v0.0.0-20260507154919-ff6756f316d2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 h1:hSfpvjjTQXQY2Fol2CS0QHMNs/WI1MOSGzCm1KhM5ec= @@ -426,6 +458,8 @@ sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5E sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/kubebuilder/v4 v4.14.0 h1:db0bzdZUCr2n5DCgczYvovC+Xzt4NxlXM59Rsa6aAhM= sigs.k8s.io/kubebuilder/v4 v4.14.0/go.mod h1:wqL+ZD1Et4RBj1PDsSBdSVLt1RVO4bX59vxNBW1rKjk= +sigs.k8s.io/kubebuilder/v4 v4.15.0 h1:LiTS6XCCmhxS0P7OXwpVqcoywlvbF3yK8G+tZjZF62A= +sigs.k8s.io/kubebuilder/v4 v4.15.0/go.mod h1:3Q0bwaT7zJg9V1wSqYOCClA29iAYkR9CVe+iqMuBg1w= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= sigs.k8s.io/structured-merge-diff/v6 v6.4.0 h1:qmp2e3ZfFi1/jJbDGpD4mt3wyp6PE1NfKHCYLqgNQJo= From aac8a4758a14760ef8b77fd2b217fed15f07e92a Mon Sep 17 00:00:00 2001 From: Bryce Thuilot Date: Tue, 7 Jul 2026 21:19:46 -0400 Subject: [PATCH 5/6] fix: specify entrypoint for containers Signed-off-by: Bryce Thuilot --- config/ocular/downloader.yaml | 1 + config/ocular/uploader.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/config/ocular/downloader.yaml b/config/ocular/downloader.yaml index 6a2e5ad..1cd841b 100644 --- a/config/ocular/downloader.yaml +++ b/config/ocular/downloader.yaml @@ -7,6 +7,7 @@ spec: name: chalkmark-extract image: chalkular-downloader:latest imagePullPolicy: IfNotPresent + command: ["/entrypoint"] env: [] volumeMounts: [] resources: diff --git a/config/ocular/uploader.yaml b/config/ocular/uploader.yaml index 080bd8a..8ffb8fe 100644 --- a/config/ocular/uploader.yaml +++ b/config/ocular/uploader.yaml @@ -7,6 +7,7 @@ spec: name: results-extract image: chalkular-uploader:latest imagePullPolicy: IfNotPresent + command: ["/entrypoint"] env: - name: CHALKULAR_INGEST_TOKEN valueFrom: From e39e44906045e9ec15c4ee3ab1d4065a143adfb3 Mon Sep 17 00:00:00 2001 From: Bryce Thuilot Date: Wed, 8 Jul 2026 08:43:50 -0400 Subject: [PATCH 6/6] docs: update CHANGELOG Signed-off-by: Bryce Thuilot --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dbb2c7f..4f3cb75 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Chalkular Release Notes +# [v0.0.7](https://github.com/crashappsec/chalkular/releases/tag/v0.0.7) - **July 8th, 2026** + +### Changed +- Add resource requirements to downloader and uploader +- Upgrade to ocular v0.4.0 +- Consider pending pipelines as active for reject threshold + # [v0.0.6](https://github.com/crashappsec/chalkular/releases/tag/v0.0.6) - **June 26th, 2026** ### Added