From 60f1538447048d1943ac62785a801e6d9aca2c0b Mon Sep 17 00:00:00 2001
From: Tidusete <>
Date: Wed, 13 Nov 2024 18:14:03 +0100
Subject: [PATCH] Allow Trivy-dojo-report-operator fetch vulnerabilities from remote cluster

---
 charts/templates/deployment.yaml | 20 ++++++++++++++++++++
 charts/templates/rbac.yaml | 2 ++
 charts/templates/secret.yaml | 11 +++++++----
 charts/values.yaml | 3 +++
 deploy/trivy-dojo-report-operator.yaml | 11 +++++++++++
 src/handlers.py | 6 ++++++
 src/settings.py | 1 +
 7 files changed, 50 insertions(+), 4 deletions(-)

diff --git a/charts/templates/deployment.yaml b/charts/templates/deployment.yaml
index e0ecc85..bd0edce 100644
--- a/charts/templates/deployment.yaml
+++ b/charts/templates/deployment.yaml
@@ -91,6 +91,10 @@ spec:
 value: {{ quote .Values.operator.trivyDojoReportOperator.env.reports }}
 - name: KUBERNETES_CLUSTER_DOMAIN
 value: {{ quote .Values.kubernetesClusterDomain }}
+ {{- if .Values.remoteClusterKubeconfig }}
+ - name: KUBECONFIG
+ value: "/app/.kube/config"
+ {{- end }}
 image: {{ .Values.operator.trivyDojoReportOperator.image.repository }}:{{ .Values.operator.trivyDojoReportOperator.image.tag | default .Chart.AppVersion }}
 livenessProbe:
 httpGet:
@@ -104,5 +108,21 @@ spec:
 {{- end }}
 securityContext: {{- toYaml .Values.operator.trivyDojoReportOperator.containerSecurityContext | nindent 10 }}
+ {{- if .Values.remoteClusterKubeconfig }}
+ volumeMounts:
+ - name: kubeconfig
+ mountPath: /app/.kube
+ {{- end }}
+ {{- if .Values.remoteClusterKubeconfig }}
+ volumes:
+ - name: kubeconfig
+ secret:
+ secretName: {{ include "charts.fullname" . }}-defect-dojo-api-credentials
+ items:
+ - key: kubeconfig
+ path: config
+ {{- end }}
 securityContext: {{- toYaml .Values.operator.podSecurityContext | nindent 8 }}
+ {{- if .Values.createRBAC }}
 serviceAccountName: {{ include "charts.fullname" . }}-account
+ {{- end }}
diff --git a/charts/templates/rbac.yaml b/charts/templates/rbac.yaml
index 957e932..93dce15 100644
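Review bot: With `createRBAC: false` and an empty `remoteClusterKubeconfig`, the `serviceAccountName` line in the second hunk is dropped and the pod runs under the namespace's `default` ServiceAccount, which is not the subject rbac.yaml binds, so the operator will presumably fail only at runtime when it first lists reports. The two values are only meaningful in combination, so reject the bad pairing at render time, e.g. `{{- if and (not .Values.createRBAC) (not .Values.remoteClusterKubeconfig) }}{{ fail "createRBAC=false requires remoteClusterKubeconfig" }}{{- end }}`. The kubeconfig is mounted from the DefectDojo API credentials Secret, so the remote-cluster credential and the DefectDojo key can only be granted, mounted or rotated together; a dedicated Secret for the kubeconfig keeps those two scopes separate. Whether the `volumes:` block ends up at pod level next to `securityContext`/`serviceAccountName` rather than inside the container cannot be checked here because indentation was lost in rendering, so please verify the rendered manifest. The path `/app/.kube/config` is also repeated between the env value in the first hunk and `mountPath`/`path` here; deriving both from one value would keep them from drifting.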
--- a/charts/templates/rbac.yaml
+++ b/charts/templates/rbac.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.createRBAC }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -62,3 +63,4 @@ subjects:
 - kind: ServiceAccount
 name: '{{ include "charts.fullname" . }}-account'
 namespace: '{{ .Release.Namespace }}'
+{{- end }}
diff --git a/charts/templates/secret.yaml b/charts/templates/secret.yaml
index 25b590b..d2a1333 100644
--- a/charts/templates/secret.yaml
+++ b/charts/templates/secret.yaml
@@ -4,9 +4,12 @@ metadata:
 name: {{ include "charts.fullname" . }}-defect-dojo-api-credentials
 labels:
 {{- include "charts.labels" . | nindent 4 }}
-stringData:
+data:
 apiKey: {{ required "defectDojoApiCredentials.apiKey is required" .Values.defectDojoApiCredentials.apiKey
- | quote }}
+ | b64enc | quote }}
 url: {{ required "defectDojoApiCredentials.url is required" .Values.defectDojoApiCredentials.url
- | quote }}
-type: Opaque
\ No newline at end of file
+ | b64enc | quote }}
+ {{- if .Values.remoteClusterKubeconfig }}
+ kubeconfig: {{ .Values.remoteClusterKubeconfig | quote }}
+ {{- end }}
+type: Opaque
diff --git a/charts/values.yaml b/charts/values.yaml
index fdefd12..7483866 100644
--- a/charts/values.yaml
+++ b/charts/values.yaml
@@ -1,6 +1,8 @@
 defectDojoApiCredentials:
 apiKey: "YOUR_DEFECTDOJO_API_KEY"
 url: "YOUR_DEFECTDOJO_URL"
+# -- Kubeconfig remote cluster already in base64
+remoteClusterKubeconfig: ""
 kubernetesClusterDomain: cluster.local
 account:
 serviceAccount:
@@ -54,3 +56,4 @@ operator:
 runAsNonRoot: true
 fsGroupChangePolicy: Always
 fsGroup: 1000
+createRBAC: true
diff --git a/deploy/trivy-dojo-report-operator.yaml b/deploy/trivy-dojo-report-operator.yaml
index bb4a6f5..ffa4365 100644
--- a/deploy/trivy-dojo-report-operator.yaml
+++ b/deploy/trivy-dojo-report-operator.yaml
@@ -27,6 +27,7 @@ metadata:
 stringData:
 apiKey: "YOUR_DEFECTDOJO_API_KEY"
 url: "YOUR_DEFECTDOJO_URL"
+ kubeconfig: ""
 type: Opaque
 ---
 # Source: trivy-dojo-report-operator/templates/rbac.yaml
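Review bot: `kubeconfig:` is written under `data:` without `b64enc`, unlike `apiKey` and `url` two lines above which the template now encodes itself, so the chart depends on the user pre-encoding one value but not the others; a plaintext kubeconfig makes the API server reject the Secret as invalid base64, and a value that is accidentally encoded twice decodes to garbage inside the pod. Encode it in the template like its siblings, `kubeconfig: {{ .Values.remoteClusterKubeconfig | b64enc | quote }}`, and adjust the values.yaml comment to say the value is plaintext. Keeping a remote cluster credential in the same Secret as the DefectDojo API key also means every principal and every mount that needs one of them can read both; a separate Secret (e.g. `<fullname>-remote-kubeconfig`, name constructed here) lets RBAC and rotation treat them independently. Whatever identity the kubeconfig carries should be limited to what the chart's own rbac.yaml grants the operator's ServiceAccount, not an admin user.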
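Review bot: The comment on `remoteClusterKubeconfig` documents the encoding but not that anything placed in this value is persisted in the Helm release Secret and shown by `helm get values`, so a kubeconfig holding a long-lived token should be passed at install time with `--set-file remoteClusterKubeconfig=<path>` or referenced from a pre-existing Secret rather than committed to a values file. Suggest extending the comment to `# -- Kubeconfig for the remote cluster whose reports are ingested. Stored with the Helm release values: supply via --set-file or an existing Secret, never commit it. Empty uses the operator's own ServiceAccount.`. `createRBAC` in the second hunk has no comment at all; `# -- Create the ServiceAccount and RBAC for in-cluster operation; set to false only together with remoteClusterKubeconfig` would document the dependency between the two values.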
@@ -217,6 +218,16 @@ spec:
 runAsUser: 1000
 seccompProfile:
 type: RuntimeDefault
+ volumeMounts:
+ - name: kubeconfig
+ mountPath: /app/.kube
+ volumes:
+ - name: kubeconfig
+ secret:
+ secretName: telekom-mms-trivy-dojo-report-operator-defect-dojo-api-credentials
+ items:
+ - key: kubeconfig
+ path: config
 securityContext:
 fsGroup: 1000
 fsGroupChangePolicy: Always
diff --git a/src/handlers.py b/src/handlers.py
index 2e76825..619a948 100644
--- a/src/handlers.py
+++ b/src/handlers.py
@@ -32,6 +32,12 @@ def check_allowed_reports(report: str):
 )
 exit(1)
+@kopf.on.login()
+def login_fn(**kwargs):
+ if settings.KUBECONFIG:
+ return kopf.login_with_kubeconfig(**kwargs)
+ else:
+ return kopf.login_via_client(**kwargs)
 @kopf.on.startup()
 def configure(settings: kopf.OperatorSettings, **_):
diff --git a/src/settings.py b/src/settings.py
index 0ea5187..eb26c46 100644
--- a/src/settings.py
+++ b/src/settings.py
@@ -67,3 +67,4 @@ LOG_LEVEL: str = os.getenv("LOG_LEVEL", "INFO").upper()
 REPORTS: list = os.getenv("REPORTS", "vulnerabilityreports").split(",")
+KUBECONFIG: str = os.getenv("KUBECONFIG", "")
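Review bot: `login_fn` chooses which identity the operator runs as, which is its most security-relevant decision, yet it has no docstring; add `"""Authenticate against a remote cluster via the mounted kubeconfig when KUBECONFIG is set, otherwise with the in-cluster client credentials."""`. The branch only checks that `settings.KUBECONFIG` is non-empty, not that the file exists and has content, and the rendered manifest in this patch mounts an empty `kubeconfig` key, so such a deployment would fail somewhere inside kopf's login rather than with an actionable message; a guard at the top like `if settings.KUBECONFIG and not os.path.getsize(settings.KUBECONFIG): raise kopf.PermanentError(f"KUBECONFIG {settings.KUBECONFIG} is empty")` (importing `os` if the module does not already) names the misconfiguration. The `else:` after a `return` is redundant; `return kopf.login_via_client(**kwargs)` can follow the `if` block directly. `settings` here presumably resolves to the imported settings module while `configure` just below shadows that name with its `settings: kopf.OperatorSettings` parameter, which is worth renaming on one side to avoid confusion. The two blank lines PEP 8 expects before `@kopf.on.startup()` appear to be missing, though that may be an artifact of how the patch was rendered here.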
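Review bot: `KUBECONFIG` is added without a comment, and an empty string here silently switches which identity the operator authenticates with (see `login_fn` in handlers.py), so the setting deserves a one-line explanation: `# Path of a kubeconfig for a remote cluster; empty means authenticate via kopf.login_via_client (the operator's own ServiceAccount in-cluster).`. The value is only used as a boolean switch in handlers.py, so consider noting there that the path itself is consumed by the Kubernetes client through the same environment variable.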