Allow Trivy-dojo-report-operator fetch vulnerabilities from remote cl…

…uster
telekom-mms · Nov 26, 2024 · 07ee332 · 07ee332
1 parent 5e7b172
commit 07ee332
Show file tree

Hide file tree

Showing 7 changed files with 49 additions and 4 deletions.
diff --git a/charts/templates/deployment.yaml b/charts/templates/deployment.yaml
@@ -97,6 +97,10 @@ spec:
           value: {{ quote .Values.operator.trivyDojoReportOperator.env.reports }}
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: {{ quote .Values.kubernetesClusterDomain }}
+        {{- if .Values.remoteClusterKubeconfig }}
+        - name: KUBECONFIG
+          value: "/app/.kube/config"
+        {{- end }}
         image: {{ .Values.operator.trivyDojoReportOperator.image.repository }}:{{ .Values.operator.trivyDojoReportOperator.image.tag | default .Chart.AppVersion }}
         livenessProbe:
           httpGet:
@@ -110,7 +114,22 @@ spec:
         {{- end }}
         securityContext: {{- toYaml .Values.operator.trivyDojoReportOperator.containerSecurityContext
           | nindent 10 }}
+        {{- if .Values.remoteClusterKubeconfig }}
+        volumeMounts:
+        - name: kubeconfig
+          mountPath: /app/.kube
+        {{- end }}
+      {{- if .Values.remoteClusterKubeconfig }}
+      volumes:
+      - name: kubeconfig
+        secret:
+          secretName: {{ include "charts.fullname" . }}-defect-dojo-api-credentials
+          items:
+          - key: kubeconfig
+            path: config
+      {{- end }}
       securityContext: {{- toYaml .Values.operator.podSecurityContext | nindent 8 }}
+      {{- if .Values.createRBAC }}
       serviceAccountName: {{ include "charts.fullname" . }}-account
       {{- with .Values.operator.trivyDojoReportOperator.nodeSelector }}
       nodeSelector:

diff --git a/charts/templates/rbac.yaml b/charts/templates/rbac.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.createRBAC }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -62,3 +63,4 @@ subjects:
 - kind: ServiceAccount
   name: '{{ include "charts.fullname" . }}-account'
   namespace: '{{ .Release.Namespace }}'
+{{- end }}
diff --git a/charts/templates/secret.yaml b/charts/templates/secret.yaml
@@ -4,9 +4,12 @@ metadata:
   name: {{ include "charts.fullname" . }}-defect-dojo-api-credentials
   labels:
   {{- include "charts.labels" . | nindent 4 }}
-stringData:
+data:
   apiKey: {{ required "defectDojoApiCredentials.apiKey is required" .Values.defectDojoApiCredentials.apiKey
-    | quote }}
+    | b64enc | quote }}
   url: {{ required "defectDojoApiCredentials.url is required" .Values.defectDojoApiCredentials.url
-    | quote }}
-type: Opaque
+    | b64enc | quote }}
+  {{- if .Values.remoteClusterKubeconfig }}
+  kubeconfig: {{ .Values.remoteClusterKubeconfig | quote }}
+  {{- end }}
+type: Opaque
diff --git a/charts/values.yaml b/charts/values.yaml
@@ -1,6 +1,8 @@
 defectDojoApiCredentials:
   apiKey: "YOUR_DEFECTDOJO_API_KEY"
   url: "YOUR_DEFECTDOJO_URL"
+# -- Kubeconfig remote cluster already in base64
+remoteClusterKubeconfig: ""
 kubernetesClusterDomain: cluster.local
 account:
   serviceAccount:
@@ -57,3 +59,4 @@ operator:
     runAsNonRoot: true
     fsGroupChangePolicy: Always
     fsGroup: 1000
+createRBAC: true
diff --git a/deploy/trivy-dojo-report-operator.yaml b/deploy/trivy-dojo-report-operator.yaml
@@ -27,6 +27,7 @@ metadata:
 stringData:
   apiKey: "YOUR_DEFECTDOJO_API_KEY"
   url: "YOUR_DEFECTDOJO_URL"
+  kubeconfig: ""
 type: Opaque
 ---
 # Source: trivy-dojo-report-operator/templates/rbac.yaml
@@ -221,6 +222,16 @@ spec:
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
+        volumeMounts:
+        - name: kubeconfig
+          mountPath: /app/.kube
+      volumes:
+      - name: kubeconfig
+        secret:
+          secretName: telekom-mms-trivy-dojo-report-operator-defect-dojo-api-credentials
+          items:
+          - key: kubeconfig
+            path: config
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: Always

diff --git a/src/handlers.py b/src/handlers.py
@@ -32,6 +32,12 @@ def check_allowed_reports(report: str):
         )
         exit(1)
 
+@kopf.on.login()
+def login_fn(**kwargs):
+    if settings.KUBECONFIG:
+        return kopf.login_with_kubeconfig(**kwargs)
+    else:
+        return kopf.login_via_client(**kwargs)
 
 @kopf.on.startup()
 def configure(settings: kopf.OperatorSettings, **_):

diff --git a/src/settings.py b/src/settings.py
@@ -74,3 +74,4 @@
 LOG_LEVEL: str = os.getenv("LOG_LEVEL", "INFO").upper()
 
 REPORTS: list = os.getenv("REPORTS", "vulnerabilityreports").split(",")
+KUBECONFIG: str = os.getenv("KUBECONFIG", "")
Original file line number	Diff line number	Diff line change
Expand Up		@@ -74,3 +74,4 @@
		LOG_LEVEL: str = os.getenv("LOG_LEVEL", "INFO").upper()

		REPORTS: list = os.getenv("REPORTS", "vulnerabilityreports").split(",")
		KUBECONFIG: str = os.getenv("KUBECONFIG", "")