bugfix: minor fixes #29 #28 #33

devopstales · Sep 29, 2022 · 9526a1c · 9526a1c
1 parent 8e7e840
commit 9526a1c
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 61 deletions.
diff --git a/Makefile b/Makefile
@@ -1,5 +1,5 @@
 codeSHELL=/bin/bash -o pipefail
-export VERSION=2.4
+export VERSION=2.5
 
 .PHONY:	all
 all:	 trivy
@@ -39,7 +39,8 @@ to-devel:
 
 #to-devel-delete:	@ Delete local trivy-operator dev image with nerdctl
 to-devel-delete:
-	nerdctl --namespace k8s.io image ls | grep devopstales | grep trivy-operator | grep $(VERSION)-devel | awk '{print "nerdctl --namespace k8s.io rmi "$$3}' | bash
+	#nerdctl --namespace k8s.io image ls | grep devopstales | grep trivy-operator | grep $(VERSION)-devel | awk '{print "nerdctl --namespace k8s.io rmi "$$3}' | bash
+	nerdctl --namespace k8s.io rmi devopstales/trivy-operator:$(VERSION)-devel
 
 #kbs-devel:	@ Build local kube-bench-scnner devel image with nerdctl
 kbs-devel:
@@ -49,7 +50,8 @@ kbs-devel:
 
 #kbs-devel-delete:	@ Delete local kube-bench-scnner dev image with nerdctl
 kbs-devel-delete:
-	nerdctl --namespace k8s.io image ls | grep devopstales | grep kube-bench-scnner | grep $(VERSION)-devel | awk '{print "nerdctl --namespace k8s.io rmi "$$3}' | bash
+	#nerdctl --namespace k8s.io image ls | grep devopstales | grep kube-bench-scnner | grep $(VERSION)-devel | awk '{print "nerdctl --namespace k8s.io rmi "$$3}' | bash
+	nerdctl --namespace k8s.io rmi devopstales/kube-bench-scnner:$(VERSION)-devel
 
 version:
 	cp trivy-operator.py docker/trivy-operator.py

diff --git a/deploy/helm/templates/1-rbac.yaml b/deploy/helm/templates/1-rbac.yaml
@@ -10,6 +10,17 @@ rules:
     - customresourcedefinitions
   verbs:
     - create
+- apiGroups:
+  - "admissionregistration.k8s.io"
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - create
+  - patch
+  - get
+  - watch
+  - list
 - apiGroups:
    - "wgpolicyk8s.io"
   resources:
@@ -39,11 +50,22 @@ rules:
   resources:
   - namespace-scanners
   - namespace-scanners/status
+  - cluster-scanners
+  - cluster-scanners/status
   verbs:
   - get
+  - list
   - watch
   - list
   - patch
+- apiGroups:
+    - "apps"
+  resources:
+    - daemonsets
+  verbs:
+    - get
+    - create
+    - delete
 - apiGroups:
    - ""
   resources:
@@ -62,17 +84,6 @@ rules:
   - get
   - watch
   - list
-- apiGroups:
-  - "admissionregistration.k8s.io"
-  resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
-  verbs:
-  - create
-  - patch
-  - get
-  - watch
-  - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/deploy/kubernetes/01_rbac.yaml b/deploy/kubernetes/01_rbac.yaml
@@ -15,13 +15,16 @@ rules:
   verbs:
     - create
 - apiGroups:
-    - "apps/v1"
+  - "admissionregistration.k8s.io"
   resources:
-    - DaemonSet
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
   verbs:
-    - get
-    - create
-    - delete
+  - create
+  - patch
+  - get
+  - watch
+  - list
 - apiGroups:
    - "wgpolicyk8s.io"
   resources:
@@ -55,9 +58,18 @@ rules:
   - cluster-scanners/status
   verbs:
   - get
+  - list
   - watch
   - list
   - patch
+- apiGroups:
+    - "apps"
+  resources:
+    - daemonsets
+  verbs:
+    - get
+    - create
+    - delete
 - apiGroups:
    - ""
   resources:
@@ -76,17 +88,6 @@ rules:
   - get
   - watch
   - list
-- apiGroups:
-  - "admissionregistration.k8s.io"
-  resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
-  verbs:
-  - create
-  - patch
-  - get
-  - watch
-  - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/deploy/kubernetes/10_demo.yaml b/deploy/kubernetes/10_demo.yaml
@@ -21,7 +21,7 @@ spec:
     image: ubuntu:latest
     command: ['sh', '-c', 'echo The app is running! && sleep 10']
   containers:
-  - image: docker.rancher-decktop.intra/evopstales/demo:insecure
+  - image: docker.rancher-decktop.intra/devopstales/demo:insecure
     imagePullPolicy: IfNotPresent
     name: nginx
   - image: library/nginx:bad

diff --git a/trivy-operator.py b/trivy-operator.py
@@ -11,11 +11,23 @@
 from OpenSSL import crypto
 import logging, uuid, requests
 
+def var_test(var):
+    if isinstance(var, bool):
+        resp = var
+    elif isinstance(var, six.string_types):
+        if var.lower() in ['true']:
+            resp = True
+        else:
+            resp = False
+    else:
+        resp = False
+    return resp
+
 #############################################################################
 # Logging
 #############################################################################
 
-VERBOSE_LOG = os.getenv("VERBOSE_LOG", False) in ('true', '1', 'True', 't', 'yes', 'Yes')
+VERBOSE_LOG = var_test(os.getenv("VERBOSE_LOG", False))
 FORMAT = '[%(asctime)s] %(name)s         [VERBOSE_LOG] %(message)s'
 
 logging.basicConfig(format=FORMAT)
@@ -53,11 +65,12 @@ def configure(settings: kopf.OperatorSettings, **_):
     'Admission Controller vulnerabilities',
     ['exported_namespace', 'image', 'severity']
 )
-IN_CLUSTER = os.getenv("IN_CLUSTER", False) in ('true', '1', 'True', 't', 'yes', 'Yes')
-IS_GLOBAL = os.getenv("IS_GLOBAL", False) in ('true', '1', 'True', 't', 'yes', 'Yes')
-AC_ENABLED = os.getenv("ADMISSION_CONTROLLER", False) in ('true', '1', 'True', 't', 'yes', 'Yes')
-REDIS_ENABLED = os.getenv("REDIS_ENABLED", False) in ('true', '1', 'True', 't', 'yes', 'Yes')
-OFFLINE_ENABLED = os.getenv("SKIP_DB_UPDATE", False) in ('true', '1', 'True', 't', 'yes', 'Yes')
+IN_CLUSTER = var_test(os.getenv("IN_CLUSTER", False))
+IS_GLOBAL = var_test(os.getenv("IS_GLOBAL", False))
+AC_ENABLED = var_test(os.getenv("ADMISSION_CONTROLLER", False))
+REDIS_ENABLED = var_test(os.getenv("REDIS_ENABLED", False))
+OFFLINE_ENABLED = var_test(os.getenv("SKIP_DB_UPDATE", False))
+DB_REPOSITORY_INSECURE = var_test(os.getenv("DB_REPOSITORY_INSECURE", False))
 
 if REDIS_ENABLED:
     REDIS_BACKEND = os.getenv("REDIS_BACKEND")
@@ -74,7 +87,9 @@ def configure(settings: kopf.OperatorSettings, **_):
     if not DB_REPOSITORY:
         TRIVY_OFFLINE = ["--skip-db-update", "--offline-scan"]
     else:
-        TRIVY_OFFLINE = ["--skip-db-update", "--offline-scan", "--db-repository", DB_REPOSITORY]
+        TRIVY_OFFLINE = ["--db-repository", DB_REPOSITORY]
+        if DB_REPOSITORY_INSECURE:
+            os.environ['TRIVY_INSECURE'] = "true"
 
 #############################################################################
 # Pretasks
@@ -101,31 +116,27 @@ def getCurretnTime():
   now = datetime.now().time() # time object
   return now
 
-def var_test(var):
-    if isinstance(var, bool):
-        resp = var
-    elif isinstance(var, six.string_types):
-        if var.lower() in ['true']:
-            resp = True
-        else:
-            resp = False
-    else:
-        resp = False
-    return resp
-
 """Download trivy cache """
 @kopf.on.startup()
 async def startup_fn_trivy_cache(logger, **kwargs):
     if OFFLINE_ENABLED:
-        logger.info("Offline mode enabled, skipping cache update")
-        return
-    TRIVY_CACHE = ["trivy", "-q", "image", "--download-db-only"]
-    if REDIS_ENABLED:
-      TRIVY_CACHE = TRIVY_CACHE + TRIVY_REDIS
-    trivy_cache_result = (
-        subprocess.check_output(TRIVY_CACHE).decode("UTF-8")
-    )
-    logger.info("trivy cache created...")
+        if DB_REPOSITORY:
+            TRIVY_CACHE = ["trivy", "-q", "image", "--download-db-only"]
+            TRIVY_CACHE = TRIVY_CACHE + ["--db-repository", DB_REPOSITORY]
+            trivy_cache_result = (
+                subprocess.check_output(TRIVY_CACHE).decode("UTF-8")
+            )
+            logger.info("Offline mode enabled, trivy cache created...")
+        else:
+            logger.info("Offline mode enabled, skipping cache update")
+    else:
+        TRIVY_CACHE = ["trivy", "-q", "image", "--download-db-only"]
+        if REDIS_ENABLED:
+            TRIVY_CACHE = TRIVY_CACHE + TRIVY_REDIS
+        trivy_cache_result = (
+            subprocess.check_output(TRIVY_CACHE).decode("UTF-8")
+        )
+        logger.info("trivy cache created...")
 
 """Start Prometheus Exporter"""
 @kopf.on.startup()
@@ -534,7 +545,7 @@ def delete_policyreports(namespace, name):
                     """DefectDojo Integration"""
                     if defectdojo_host is not None and defectdojo_api_key is not None:
                         DEFECTDOJO_AUTH_TOKEN = "Token " + defectdojo_api_key
-                        image_tag = image.split(':')[1]
+                        image_tag = image_name.split(':')[1]
 
                         headers = dict()
                         headers['Authorization'] = DEFECTDOJO_AUTH_TOKEN
@@ -547,7 +558,7 @@ def delete_policyreports(namespace, name):
                             'verified': False,
                             'scan_type': "Trivy Scan",
                             'product_type_name': "Container Image",
-                            'product_name': image_name,
+                            'product_name': image_name.split(':')[0],
                             'engagement_name': "trivy-operator",
                             'version': image_tag,
                             'auto_create_context': True,