From 07ee3325fcf4453b99fbab8e112618577b9a8494 Mon Sep 17 00:00:00 2001
From: Tidusete <>
Date: Wed, 13 Nov 2024 18:14:03 +0100
Subject: [PATCH 1/2] Allow Trivy-dojo-report-operator fetch vulnerabilities from remote cluster
---
charts/templates/deployment.yaml | 19 +++++++++++++++++++
charts/templates/rbac.yaml | 2 ++
charts/templates/secret.yaml | 11 +++++++----
charts/values.yaml | 3 +++
deploy/trivy-dojo-report-operator.yaml | 11 +++++++++++
src/handlers.py | 6 ++++++
src/settings.py | 1 +
7 files changed, 49 insertions(+), 4 deletions(-)
diff --git a/charts/templates/deployment.yaml b/charts/templates/deployment.yaml
index 61c038f..0a1663f 100644
--- a/charts/templates/deployment.yaml
+++ b/charts/templates/deployment.yaml
@@ -97,6 +97,10 @@ spec: value: {{ quote .Values.operator.trivyDojoReportOperator.env.reports }} - name: KUBERNETES_CLUSTER_DOMAIN value: {{ quote .Values.kubernetesClusterDomain }} + {{- if .Values.remoteClusterKubeconfig }} + - name: KUBECONFIG + value: "/app/.kube/config" + {{- end }} image: {{ .Values.operator.trivyDojoReportOperator.image.repository }}:{{ .Values.operator.trivyDojoReportOperator.image.tag | default .Chart.AppVersion }} livenessProbe: httpGet:
@@ -110,7 +114,22 @@ spec: {{- end }} securityContext: {{- toYaml .Values.operator.trivyDojoReportOperator.containerSecurityContext | nindent 10 }} + {{- if .Values.remoteClusterKubeconfig }} + volumeMounts: + - name: kubeconfig + mountPath: /app/.kube + {{- end }} + {{- if .Values.remoteClusterKubeconfig }} + volumes: + - name: kubeconfig + secret: + secretName: {{ include "charts.fullname" . }}-defect-dojo-api-credentials + items: + - key: kubeconfig + path: config + {{- end }} securityContext: {{- toYaml .Values.operator.podSecurityContext | nindent 8 }} + {{- if .Values.createRBAC }} serviceAccountName: {{ include "charts.fullname" . }}-account {{- with .Values.operator.trivyDojoReportOperator.nodeSelector }} nodeSelector: 
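Review bot: The kubeconfig Secret volume in the second hunk is mounted with Kubernetes' default file mode, which for Secret volumes is world-readable inside the container; this file carries credentials for another cluster, so it deserves a restrictive mode, e.g. `secret:` / `secretName: {{ include "charts.fullname" . }}-defect-dojo-api-credentials` / `defaultMode: 0440` (group access suits the `fsGroup: 1000` pod context set in values.yaml). The path `/app/.kube/config` is also spelled out twice — once as the `KUBECONFIG` value in the first hunk and once as `mountPath` plus `path: config` here — with nothing tying them together; a comment on the env var, `# must match the kubeconfig volumeMount below`, or a single values entry would keep them from drifting apart. Because the hunk's indentation was lost in this rendering, I cannot confirm that `volumes:` sits at pod-spec level rather than inside the container; worth a `helm template` check.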
diff --git a/charts/templates/rbac.yaml b/charts/templates/rbac.yaml
index 957e932..93dce15 100644
--- a/charts/templates/rbac.yaml
+++ b/charts/templates/rbac.yaml
@@ -1,3 +1,4 @@ +{{- if .Values.createRBAC }} apiVersion: v1 kind: ServiceAccount metadata:
@@ -62,3 +63,4 @@ subjects: - kind: ServiceAccount name: '{{ include "charts.fullname" . }}-account' namespace: '{{ .Release.Namespace }}' +{{- end }}
diff --git a/charts/templates/secret.yaml b/charts/templates/secret.yaml
index 25b590b..d2a1333 100644
--- a/charts/templates/secret.yaml
+++ b/charts/templates/secret.yaml
@@ -4,9 +4,12 @@ metadata: name: {{ include "charts.fullname" . }}-defect-dojo-api-credentials labels: {{- include "charts.labels" . | nindent 4 }} -stringData: +data: apiKey: {{ required "defectDojoApiCredentials.apiKey is required" .Values.defectDojoApiCredentials.apiKey - | quote }} + | b64enc | quote }} url: {{ required "defectDojoApiCredentials.url is required" .Values.defectDojoApiCredentials.url - | quote }} -type: Opaque \ No newline at end of file + | b64enc | quote }} + {{- if .Values.remoteClusterKubeconfig }} + kubeconfig: {{ .Values.remoteClusterKubeconfig | quote }} + {{- end }} +type: Opaque
diff --git a/charts/values.yaml b/charts/values.yaml
index e4497c3..1db6d4c 100644
--- a/charts/values.yaml
+++ b/charts/values.yaml
@@ -1,6 +1,8 @@ defectDojoApiCredentials: apiKey: "YOUR_DEFECTDOJO_API_KEY" url: "YOUR_DEFECTDOJO_URL" +# -- Kubeconfig remote cluster already in base64 +remoteClusterKubeconfig: "" kubernetesClusterDomain: cluster.local account: serviceAccount:
@@ -57,3 +59,4 @@ operator: runAsNonRoot: true fsGroupChangePolicy: Always fsGroup: 1000 +createRBAC: true
diff --git a/deploy/trivy-dojo-report-operator.yaml b/deploy/trivy-dojo-report-operator.yaml
index 459f63a..02be9c1 100644
--- a/deploy/trivy-dojo-report-operator.yaml
+++ b/deploy/trivy-dojo-report-operator.yaml
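Review bot: In the secret.yaml hunk `kubeconfig` goes under `data:` without `| b64enc`, while `apiKey` and `url` in the same hunk are encoded by the template, so the chart expects one value pre-encoded and the other two plain; a user who pastes a raw kubeconfig gets a Secret the API server rejects at apply time rather than a `required`-style message at render time. Treating all three keys the same, `kubeconfig: {{ .Values.remoteClusterKubeconfig | b64enc | quote }}`, and documenting the value as plain text removes that trap (the values.yaml comment would need the matching change). Separately, a credential for another cluster now lives in the object named `-defect-dojo-api-credentials`, so any RBAC that grants read on the DefectDojo API key also hands out the remote-cluster kubeconfig; a dedicated Secret, ideally with an existing-secret reference so the kubeconfig never has to travel through chart values, keeps the two blast radii apart.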
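Review bot: The values.yaml comment on `remoteClusterKubeconfig` says only that the value is base64, not what permissions the embedded identity should have or where the value ends up, and the new `createRBAC` key has no comment at all. Suggest `# -- Base64-encoded kubeconfig of the cluster whose reports are read; written verbatim into the operator's Secret. Use an identity with read-only access to the report resources.` for the first, and `# -- Create the operator's ServiceAccount and RBAC objects; when false the Deployment renders no serviceAccountName.` for the second. Values supplied this way are also retained in Helm's release record, which is one more reason to mention an existing-secret alternative in the comment if one is added.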
@@ -27,6 +27,7 @@ metadata: stringData: apiKey: "YOUR_DEFECTDOJO_API_KEY" url: "YOUR_DEFECTDOJO_URL" + kubeconfig: "" type: Opaque --- # Source: trivy-dojo-report-operator/templates/rbac.yaml
@@ -221,6 +222,16 @@ spec: runAsUser: 1000 seccompProfile: type: RuntimeDefault + volumeMounts: + - name: kubeconfig + mountPath: /app/.kube + volumes: + - name: kubeconfig + secret: + secretName: telekom-mms-trivy-dojo-report-operator-defect-dojo-api-credentials + items: + - key: kubeconfig + path: config securityContext: fsGroup: 1000 fsGroupChangePolicy: Always
diff --git a/src/handlers.py b/src/handlers.py
index 024f3d5..8be4ec6 100644
--- a/src/handlers.py
+++ b/src/handlers.py
@@ -32,6 +32,12 @@ def check_allowed_reports(report: str): ) exit(1) +@kopf.on.login() +def login_fn(**kwargs): + if settings.KUBECONFIG: + return kopf.login_with_kubeconfig(**kwargs) + else: + return kopf.login_via_client(**kwargs) @kopf.on.startup() def configure(settings: kopf.OperatorSettings, **_):
diff --git a/src/settings.py b/src/settings.py
index 16578d2..b59b600 100644
--- a/src/settings.py
+++ b/src/settings.py
@@ -74,3 +74,4 @@ LOG_LEVEL: str = os.getenv("LOG_LEVEL", "INFO").upper() REPORTS: list = os.getenv("REPORTS", "vulnerabilityreports").split(",") +KUBECONFIG: str = os.getenv("KUBECONFIG", "")
From 27d1ff821db9714b464495911e88c4b7b59d9ff8 Mon Sep 17 00:00:00 2001
From: Tidusete <>
Date: Tue, 26 Nov 2024 12:01:12 +0100
Subject: [PATCH 2/2] Fix: close conditional block for createRBAC in template
---
charts/templates/deployment.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/charts/templates/deployment.yaml b/charts/templates/deployment.yaml
index 0a1663f..325863f 100644
--- a/charts/templates/deployment.yaml
+++ b/charts/templates/deployment.yaml
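Review bot: The second hunk of the static manifest mounts the `kubeconfig` Secret key at `/app/.kube` unconditionally but never adds the `KUBECONFIG` environment variable that the chart's deployment.yaml sets in the same patch, so `settings.KUBECONFIG` stays empty and `login_fn` in handlers.py never reads the mounted file — the manifest keeps scanning the local cluster while looking like it supports a remote one. With `kubeconfig: ""` from the first hunk, the mount also materialises an empty `config` file in the container. Note too that this manifest keeps the key under `stringData:` (plain text) whereas the chart expects it pre-encoded under `data:`, so the same key means different things in the two deployment paths. Either add the env var alongside the mount and state that `kubeconfig` must be filled, or leave the mount out of the static manifest until it is wired up.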
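Review bot: `login_fn` in handlers.py falls back to `kopf.login_via_client` silently when `settings.KUBECONFIG` is empty, so a deployment that mounts a kubeconfig but misses the environment variable (the static manifest in this patch does exactly that) would quietly operate on the local cluster instead of the intended remote one. Log which path was taken at startup — if I read kopf's activity-handler kwargs right, a `logger` is passed in, so `kwargs["logger"].info("KUBECONFIG set, authenticating with kubeconfig")` and the mirror message in the else branch would do — without ever logging the file's contents. The function also has no docstring; `"""Authenticate with the kubeconfig named by KUBECONFIG when set, otherwise via the default client login."""` states the contract. Whether an empty or unreadable file at that path fails the login or is ignored is not visible here; a note on the chosen behaviour would help whoever debugs a misconfigured mount.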
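Review bot: The new `KUBECONFIG` setting in settings.py carries no comment, unlike a reader would need to know that a non-empty value switches `login_fn` in handlers.py to kubeconfig-based authentication and that the chart points it at the mounted Secret. Suggest `# Path to a kubeconfig for the cluster whose reports are read; empty selects the default client login.` above the assignment, so the relationship between the env var, the volume mount and the login handler is recorded next to the knob itself.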
@@ -131,6 +131,7 @@ spec: securityContext: {{- toYaml .Values.operator.podSecurityContext | nindent 8 }} {{- if .Values.createRBAC }} serviceAccountName: {{ include "charts.fullname" . }}-account + {{- end }} {{- with .Values.operator.trivyDojoReportOperator.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }}
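Review bot: With the conditional now closed, a release with `createRBAC: false` renders no `serviceAccountName`, so the pod runs under the namespace's `default` ServiceAccount and, unless that account disables automount, still receives its token even though the chart created no RBAC for it. If disabling RBAC is intended for the remote-kubeconfig mode, an `{{- else }}` branch with `automountServiceAccountToken: false` before the `{{- end }}` keeps an unneeded local credential out of the container; if it is meant to let users bring their own account, a `serviceAccountName` override value expresses that more clearly than leaving the pod unnamed. A one-line comment on the block stating which of the two is intended would settle it either way.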