do not verify the agent during debugging

go.sum

@@ -298,13 +298,8 @@ golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-<<<<<<< HEAD
 golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-=======
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
->>>>>>> main
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=

internal/agent/agent.go

@@ -120,7 +120,11 @@ func NewAgent(
 		stopCh:                 stopCh,
 		log:                    log,
 	}
-	varmorutils.InitAndStartTokenRotation(5*time.Minute, log)
+
+	if !debug {
+		varmorutils.InitAndStartTokenRotation(5*time.Minute, log)
+	}
+
 	// Pre-checks
 	agent.appArmorSupported, err = isLSMSupported("AppArmor")
 	if err != nil {

internal/status/status.go

@@ -18,22 +18,22 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	varmortls "github.com/bytedance/vArmor/internal/tls"
-	authv1 "k8s.io/api/authentication/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"net/http"
 	"os"
 	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/go-logr/logr"
+	authv1 "k8s.io/api/authentication/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	appsv1 "k8s.io/client-go/kubernetes/typed/apps/v1"
+	authclientv1 "k8s.io/client-go/kubernetes/typed/authentication/v1"
+	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 
 	varmorconfig "github.com/bytedance/vArmor/internal/config"
 	statusmanager "github.com/bytedance/vArmor/internal/status/api/v1"
+	varmortls "github.com/bytedance/vArmor/internal/tls"
 	varmorinterface "github.com/bytedance/vArmor/pkg/client/clientset/versioned/typed/varmor/v1beta1"
-	appsv1 "k8s.io/client-go/kubernetes/typed/apps/v1"
-	authclientv1 "k8s.io/client-go/kubernetes/typed/authentication/v1"
-	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 )
 
 const managerAudience = "varmor-manager"
@@ -48,7 +48,13 @@ type StatusService struct {
 	log           logr.Logger
 }
 
-func CheckAgentToken(authInterface authclientv1.AuthenticationV1Interface) gin.HandlerFunc {
+func CheckAgentToken(authInterface authclientv1.AuthenticationV1Interface, debug bool) gin.HandlerFunc {
+	if debug {
+		return func(c *gin.Context) {
+			c.Next()
+		}
+	}
+
 	return func(c *gin.Context) {
 		token := c.GetHeader("Token")
 		if token == "" {
@@ -113,8 +119,8 @@ func NewStatusService(
 	}
 	s.router.SetTrustedProxies(nil)
 
-	s.router.POST(varmorconfig.StatusSyncPath, CheckAgentToken(authInterface), statusManager.Status)
-	s.router.POST(varmorconfig.DataSyncPath, CheckAgentToken(authInterface), statusManager.Data)
+	s.router.POST(varmorconfig.StatusSyncPath, CheckAgentToken(authInterface, debug), statusManager.Status)
+	s.router.POST(varmorconfig.DataSyncPath, CheckAgentToken(authInterface, debug), statusManager.Data)
 	s.router.GET("/healthz", health)
 
 	cert, err := tls.X509KeyPair(tlsPair.Certificate, tlsPair.PrivateKey)

internal/utils/token.go

@@ -15,10 +15,11 @@
 package utils
 
 import (
-	"github.com/go-logr/logr"
 	"os"
 	"sync"
 	"time"
+
+	"github.com/go-logr/logr"
 )
 
 const BindTokenPath = "/var/run/secrets/tokens"

internal/utils/utils.go

@@ -76,12 +76,15 @@ func httpsPostWithRetryAndToken(reqBody []byte, debug bool, service string, name
 		httpRsp, err = client.Do(httpReq)
 		if err == nil {
 			defer httpRsp.Body.Close()
-			if httpRsp.StatusCode == http.StatusOK {
+			switch httpRsp.StatusCode {
+			case http.StatusOK:
 				return nil
-			} else if httpRsp.StatusCode == http.StatusUnauthorized {
-				// try update token
-				updateChan <- true
-			} else {
+			case http.StatusUnauthorized:
+				if !debug {
+					// try update token
+					updateChan <- true
+				}
+			default:
 				err = fmt.Errorf(fmt.Sprintf("http error code %d", httpRsp.StatusCode))
 			}
 		}