From 6a0fbbac1541c7dd39274b67e5db969a7641d13b Mon Sep 17 00:00:00 2001
From: Udit Gaurav <35391335+uditgaurav@users.noreply.github.com>
Date: Thu, 30 Sep 2021 15:34:55 +0530
Subject: [PATCH] Chore(security): Add litmus hardened alpine as base image in chaos-scheduler (#29)
Signed-off-by: udit
---
 .github/workflows/build.yml | 22 ++++++++++++++++++++++
 Makefile | 9 ++++++++-
 build/Dockerfile | 16 +++++----------
 build/bin/entrypoint | 12 ------------
 build/bin/user_setup | 13 -------------
 go.mod | 5 +++--
 go.sum | 5 ++++-
 7 files changed, 42 insertions(+), 40 deletions(-)
 delete mode 100755 build/bin/entrypoint
 delete mode 100755 build/bin/user_setup
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8f1b54c5..2017264a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,6 +24,28 @@ jobs:
 - name: unused-package check
 run: make unused-package-check
+ trivy:
+ needs: pre-checks
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Build an image from Dockerfile
+ run: |
+ docker build -f build/Dockerfile -t docker.io/litmuschaos/chaos-scheduler:${{ github.sha }} . --build-arg TARGETPLATFORM=linux/amd64
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'docker.io/litmuschaos/chaos-scheduler:${{ github.sha }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
 image-build:
 runs-on: ubuntu-latest
 needs: pre-checks
diff --git a/Makefile b/Makefile
index a46077b1..871a4875 100644
--- a/Makefile
+++ b/Makefile
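Review bot: The new trivy job pins its scanner to a mutable branch, `uses: aquasecurity/trivy-action@master`, so the gate that is supposed to fail the build on CRITICAL/HIGH findings can change behaviour, or be replaced upstream, without any change in this repository; pin it to a release tag or full commit SHA, `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`, and treat `actions/checkout@v2` the same way. The build step here passes `--build-arg TARGETPLATFORM=linux/amd64` while the Makefile's build-amd64 target in this same commit passes `--build-arg TARGETARCH=amd64`; the builder stage that consumes the argument is outside this diff, so presumably one of the two is ignored, and the two invocations should be aligned so CI scans the image the Makefile actually produces. `ignore-unfixed: true` is a sensible default for a blocking gate, but it means base-image CRITICALs with no fix yet pass silently; a one-line comment next to it saying that this is deliberate would stop the next reader from treating the green job as "no critical CVEs".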
@@ -84,4 +84,11 @@ build-amd64:
 @echo "--------------------------------------------"
 @echo "--> Build chaos-scheduler amd-64 docker image"
 @echo "--------------------------------------------"
- @sudo docker build --file build/Dockerfile --tag $(DOCKER_REPO)/$(DOCKER_IMAGE):$(DOCKER_TAG) . --build-arg TARGETARCH=amd64
\ No newline at end of file
+ @sudo docker build --file build/Dockerfile --tag $(DOCKER_REPO)/$(DOCKER_IMAGE):$(DOCKER_TAG) . --build-arg TARGETARCH=amd64
+
+.PHONY: push-amd64
+push-amd64:
+ @echo "--------------------------------------------"
+ @echo "--> Push chaos-scheduler amd-64 docker image"
+ @echo "--------------------------------------------"
+ @sudo docker push $(DOCKER_REPO)/$(DOCKER_IMAGE):$(DOCKER_TAG)
diff --git a/build/Dockerfile b/build/Dockerfile
index 71f2c28a..8e59c752 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -17,19 +17,13 @@ RUN go env
 RUN CGO_ENABLED=0 go build -o /output/chaos-scheduler -v ./cmd/manager/
 # Packaging stage
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.4
+# Image source: https://github.com/litmuschaos/test-tools/blob/master/custom/hardened-alpine/infra/Dockerfile
+# The base image is non-root (have litmus user) with default litmus directory.
+FROM litmuschaos/infra-alpine
 LABEL maintainer="LitmusChaos"
-ENV SCHEDULER=/usr/local/bin/chaos-scheduler \
- USER_UID=1001 \
- USER_NAME=chaos-scheduler
-
+ENV SCHEDULER=/usr/local/bin/chaos-scheduler
 COPY --from=builder /output/chaos-scheduler ${SCHEDULER}
-COPY build/bin /usr/local/bin
-RUN /usr/local/bin/user_setup
-
-ENTRYPOINT ["/usr/local/bin/entrypoint"]
-
-USER ${USER_UID}
+ENTRYPOINT ["/usr/local/bin/chaos-scheduler"]
diff --git a/build/bin/entrypoint b/build/bin/entrypoint
deleted file mode 100755
index faad5573..00000000
--- a/build/bin/entrypoint
+++ /dev/null
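Review bot: `FROM litmuschaos/infra-alpine` carries neither a tag nor a digest, so every build pulls whatever the registry's default tag resolves to at that moment, and the Trivy job added in this same commit certifies an image that a later `make build-amd64` may not reproduce; the old `ubi-minimal:8.4` line at least pinned a version. Pin the base, `FROM litmuschaos/infra-alpine:<tag>@sha256:<digest>` (placeholder values), and bump it deliberately when the hardened image is rebuilt. The hunk also drops `USER ${USER_UID}` and relies on the comment that the base image is non-root, so nothing in this Dockerfile asserts the runtime identity any more and a base-image change would silently start the scheduler as root; keep an explicit `USER <non-root user defined by the base image>` after the COPY so the intent survives a base swap and is visible to image linters.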
@@ -1,12 +0,0 @@
-#!/bin/sh -e
-
-# This is documented here:
-# https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines
-
-if ! whoami &>/dev/null; then
- if [ -w /etc/passwd ]; then
- echo "${USER_NAME:-chaos-scheduler}:x:$(id -u):$(id -g):${USER_NAME:-chaos-scheduler} user:${HOME}:/sbin/nologin" >> /etc/passwd
- fi
-fi
-
-exec ${OPERATOR} $@
diff --git a/build/bin/user_setup b/build/bin/user_setup
deleted file mode 100755
index 1e36064c..00000000
--- a/build/bin/user_setup
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-set -x
-
-# ensure $HOME exists and is accessible by group 0 (we don't know what the runtime UID will be)
-mkdir -p ${HOME}
-chown ${USER_UID}:0 ${HOME}
-chmod ug+rwx ${HOME}
-
-# runtime user will need to be able to self-insert in /etc/passwd
-chmod g+rw /etc/passwd
-
-# no need for this script to remain in the image after running
-rm $0
diff --git a/go.mod b/go.mod
index 2e083ec9..099dd235 100644
--- a/go.mod
+++ b/go.mod
@@ -10,8 +10,9 @@ require (
 github.com/operator-framework/operator-sdk v0.15.2
 github.com/robfig/cron/v3 v3.0.1
 github.com/spf13/pflag v1.0.5
- k8s.io/api v0.17.3
- k8s.io/apimachinery v0.17.3
+ golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f // indirect
+ k8s.io/api v0.22.2
+ k8s.io/apimachinery v0.22.2
 k8s.io/client-go v12.0.0+incompatible
 k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c
 sigs.k8s.io/controller-runtime v0.4.0
diff --git a/go.sum b/go.sum
index d21216d1..f2b752e5 100644
--- a/go.sum
+++ b/go.sum
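Review bot: The go.mod hunk moves `k8s.io/api` and `k8s.io/apimachinery` to v0.22.2 while the same require block keeps `sigs.k8s.io/controller-runtime v0.4.0` and `k8s.io/client-go v12.0.0+incompatible`, both of which were built against a much older apimachinery; unless a `replace` block outside this hunk pins client-go to a matching version, the build resolves a mixed set of Kubernetes modules and the operator-sdk v0.15.2 scaffolding may stop compiling or behave differently at runtime. Bumping the four k8s modules together, or recording in the commit message why only two of them moved, would make the intent checkable. The added `golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f // indirect` line was evidently hand-placed inside the direct require block; running `go mod tidy` after the bump keeps go.mod and the go.sum additions in this commit consistent.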
@@ -879,8 +879,9 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191028145041-f83a4685e152/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f h1:aZp0e2vLN4MToVqnjNEYEtrEA8RH8U8FN1CU7JgqsPU=
+golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -992,6 +993,8 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c h1:VwygUrnw9jn88c4u8GD3rZQbqrP/tgas88tPUbBxQrk=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915090833-1cbadb444a80/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=