Add marvin plugin (#213)

* add config/samples/zora_v1alpha1_plugin_marvin.yaml

* implement marvin parse

* unit test for marvin parse

* using marvin parse in worker

* using scan.plugins.popeye.enabled in helm chart

* add marvin plugin in helm chart

* add marvin as default plugin

* remove values-hml.yaml

* 0.5.0-alpha2

* parsing marvin errors

* 0.5.0-alpha3

* using marvin 0.1.3

* get marvin report errors

* add marvin errors to testdata

* add param to build string message for each regex pattern

* marvin 0.1.4

* zora 0.5.0-alpha4

* replacing IDs from marvin testdata

* marvin issues URL

* zora 0.5.0-alpha5

* zora 0.5.0

Makefile

@@ -86,6 +86,7 @@ install: manifests kustomize  ## Install default configuration (RBAC for plugins
 	${KUSTOMIZE} build config/crd | kubectl apply -f -
 	@kubectl apply -f config/rbac/clusterissue_editor_role.yaml
 	@kubectl apply -f config/samples/zora_v1alpha1_plugin_popeye.yaml
+	@kubectl apply -f config/samples/zora_v1alpha1_plugin_marvin.yaml
 	@kubectl create -f config/rbac/plugins_role_binding.yaml || true
 
 uninstall: manifests kustomize  ## Uninstall CRDs from the current cluster.

charts/zora/.helmignore

@@ -23,5 +23,3 @@
 .vscode/
 
 README.md.gotmpl
-
-values-hml.yaml

charts/zora/Chart.yaml

@@ -17,7 +17,7 @@ name: zora
 description: Zora scans multiple Kubernetes clusters and reports potential issues.
 icon: https://zora-docs.undistro.io/assets/logo.png
 type: application
-version: 0.4.5
-appVersion: "v0.4.5"
+version: 0.5.0
+appVersion: "v0.5.0"
 sources:
   - https://github.com/undistro/zora

charts/zora/README.md

@@ -1,6 +1,6 @@
 # Zora Helm Chart
 
-![Version: 0.4.5](https://img.shields.io/badge/Version-0.4.5-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.4.5](https://img.shields.io/badge/AppVersion-v0.4.5-informational?style=flat-square&color=3CA9DD)
+![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.5.0](https://img.shields.io/badge/AppVersion-v0.5.0-informational?style=flat-square&color=3CA9DD)
 
 Zora scans multiple Kubernetes clusters and reports potential issues.
 
@@ -12,7 +12,7 @@ To install the chart with the release name `zora`:
 helm repo add undistro https://charts.undistro.io --force-update
 helm upgrade --install zora undistro/zora \
   -n zora-system \
-  --version 0.4.5 \
+  --version 0.5.0 \
   --create-namespace --wait
 ```
 
@@ -93,8 +93,12 @@ The following table lists the configurable parameters of the Zora chart and thei
 | operator.log.timeEncoding | string | `"rfc3339"` | Log time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano') |
 | scan.worker.image.repository | string | `"ghcr.io/undistro/zora/worker"` | worker image repository |
 | scan.worker.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
-| scan.defaultPlugins | list | `["popeye"]` | Names of the default plugins |
-| scan.plugins.popeye.enabled | bool | `true` |  |
+| scan.defaultPlugins | list | `["popeye","marvin"]` | Names of the default plugins |
+| scan.plugins.marvin.enabled | bool | `true` | Specifies whether the marvin plugin should be created |
+| scan.plugins.marvin.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `marvin` container |
+| scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository |
+| scan.plugins.marvin.image.tag | string | `"v0.1.4"` | marvin plugin image tag |
+| scan.plugins.popeye.enabled | bool | `true` | Specifies whether the popeye plugin should be created |
 | scan.plugins.popeye.skipInternalResources | bool | `false` | Specifies whether the following resources should be skipped by `popeye` scans. 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; 2. kubernetes system reserved RBAC (prefixed with `system:`); 3. `kube-root-ca.crt` configmaps; 4. `default` namespace; 5. `default` serviceaccounts; 6. Helm secrets (prefixed with `sh.helm.release`); 7. Zora components. See `popeye` configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml |
 | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
 | scan.plugins.popeye.image.repository | string | `"ghcr.io/undistro/popeye"` | popeye plugin image repository |

charts/zora/templates/plugins/marvin.yaml

@@ -0,0 +1,45 @@
+# Copyright 2023 Undistro Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ if .Values.scan.plugins.marvin.enabled -}}
+apiVersion: zora.undistro.io/v1alpha1
+kind: Plugin
+metadata:
+  name: marvin
+  labels:
+    {{- include "zora.labels" . | nindent 4 }}
+spec:
+  image: "{{ .Values.scan.plugins.marvin.image.repository }}:{{ .Values.scan.plugins.marvin.image.tag }}"
+  {{- if .Values.scan.plugins.marvin.resources }}
+  resources:
+    {{- toYaml .Values.scan.plugins.marvin.resources | nindent 4 }}
+  {{- end }}
+  command:
+    - /bin/sh
+    - -c
+    - |
+      start=$(date +%s)
+      echo Scanning...
+      /marvin scan --disable-annotation-skip -o json -v 2 --kubeconfig $(KUBECONFIG) > $(DONE_DIR)/results.json
+      exitcode=$(echo $?)
+      if [ $exitcode -ne 0 ]; then
+        echo "ERROR" > $(DONE_DIR)/error
+      else
+        echo $(DONE_DIR)/results.json > $(DONE_DIR)/done
+      fi
+      ls -lh $(DONE_DIR)/
+      end=$(date +%s)
+      echo "Scan has finished in $(($end-$start)) seconds with exit code $exitcode"
+      exit $exitcode
+{{- end }}

charts/zora/templates/plugins/popeye.yaml

@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+{{ if .Values.scan.plugins.popeye.enabled -}}
 apiVersion: zora.undistro.io/v1alpha1
 kind: Plugin
 metadata:
@@ -63,3 +64,4 @@ spec:
       end=$(date +%s)
       echo "Scan has finished in $(($end-$start)) seconds with exit code $exitcode"
       exit $exitcode
+{{- end }}

charts/zora/values.yaml

@@ -140,8 +140,27 @@ scan:
   # -- Names of the default plugins
   defaultPlugins:
     - popeye
+    - marvin
   plugins:
+    marvin:
+      # -- Specifies whether the marvin plugin should be created
+      enabled: true
+      # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `marvin` container
+      resources:
+        requests:
+          cpu: 250m
+          memory: 256Mi
+        limits:
+          cpu: 500m
+          memory: 500Mi
+      image:
+        # -- marvin plugin image repository
+        repository: ghcr.io/undistro/marvin
+        # -- marvin plugin image tag
+        tag: v0.1.4
+
     popeye:
+      # -- Specifies whether the popeye plugin should be created
       enabled: true
       # -- Specifies whether the following resources should be skipped by `popeye` scans.
       # 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces;

config/samples/zora_v1alpha1_plugin_marvin.yaml

@@ -0,0 +1,41 @@
+# Copyright 2023 Undistro Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: zora.undistro.io/v1alpha1
+kind: Plugin
+metadata:
+  name: marvin
+spec:
+  image: ghcr.io/undistro/marvin:v0.1.4
+  resources:
+    limits:
+      cpu: 500m
+      memory: 100Mi
+  command:
+    - /bin/sh
+    - -c
+    - |
+      start=$(date +%s)
+      echo Scanning...
+      /marvin scan --disable-annotation-skip -o json -v 2 --kubeconfig $(KUBECONFIG) > $(DONE_DIR)/results.json
+      exitcode=$(echo $?)
+      if [ $exitcode -ne 0 ]; then
+        echo "ERROR" > $(DONE_DIR)/error
+      else
+        echo $(DONE_DIR)/results.json > $(DONE_DIR)/done
+      fi
+      ls -lh $(DONE_DIR)/
+      end=$(date +%s)
+      echo "Scan has finished in $(($end-$start)) seconds with exit code $exitcode"
+      exit $exitcode

main.go

@@ -70,13 +70,13 @@ func main() {
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
 	flag.StringVar(&defaultPluginsNamespace, "default-plugins-namespace", "zora-system", "The namespace of default plugins")
-	flag.StringVar(&defaultPluginsNames, "default-plugins-names", "popeye", "Comma separated list of default plugins")
-	flag.StringVar(&workerImage, "worker-image", "ghcr.io/undistro/zora/worker:v0.4.5", "Docker image name of Worker container")
+	flag.StringVar(&defaultPluginsNames, "default-plugins-names", "marvin,popeye", "Comma separated list of default plugins")
+	flag.StringVar(&workerImage, "worker-image", "ghcr.io/undistro/zora/worker:latest", "Docker image name of Worker container")
 	flag.StringVar(&cronJobClusterRoleBinding, "cronjob-clusterrolebinding-name", "zora-plugins", "Name of ClusterRoleBinding to append CronJob ServiceAccounts")
 	flag.StringVar(&cronJobServiceAccount, "cronjob-serviceaccount-name", "zora-plugins", "Name of ServiceAccount to be configured, appended to ClusterRoleBinding and used by CronJobs")
 	flag.StringVar(&saasWorkspaceID, "saas-workspace-id", "", "Your workspace ID in Zora SaaS")
 	flag.StringVar(&saasServer, "saas-server", "http://localhost:3003", "Address for Zora's saas server")
-	flag.StringVar(&version, "version", "v0.4.5", "Zora version")
+	flag.StringVar(&version, "version", "0.5.0", "Zora version")
 
 	opts := zap.Options{
 		Development: true,

pkg/plugins/errparse/parse.go

@@ -20,30 +20,55 @@ import (
 	"regexp"
 )
 
+type pluginPattern struct {
+	regexp regexp.Regexp
+	msgf   func([][]byte) string
+}
+
 // The message patterns are ordered by priority.
-var patterns = map[string][]*regexp.Regexp{
+var patterns = map[string][]pluginPattern{
 	"popeye": {
-		regexp.MustCompile(`panic:\s+.{3}\[38;5;196m(.*).\[0m\n`),
-		regexp.MustCompile(`Boom!\s+.{3}\[38;5;196m(.*).\[0m\n`),
+		{regexp: *regexp.MustCompile(`(?m)^panic:\s+.{3}\[38;5;196m(.*).\[0m\n`), msgf: firstGroup},
+		{regexp: *regexp.MustCompile(`(?m)^Boom!\s+.{3}\[38;5;196m(.*).\[0m\n`), msgf: firstGroup},
+	},
+	"marvin": {
+		{regexp: *regexp.MustCompile(`(?m)^Error:\s(.*)\n`), msgf: firstGroup},
+		{
+			regexp: *regexp.MustCompile(`(?m)^E.*]\s*"msg"="(.*)"\s*"error"="(.*?)"`),
+			msgf: func(matches [][]byte) string {
+				var err string
+				if len(matches) >= 3 {
+					err = ": " + string(matches[2])
+				}
+				return string(matches[1]) + err
+			},
+		},
 	},
 }
 
 // Parse extracts an error message from a given <io.Reader> pointing to a Zora
 // plugin error output. It uses regular expressions as heuristics to find the
 // message, whereby the first match is returned.
-func Parse(r io.Reader, plug string) (string, error) {
-	if _, ok := patterns[plug]; !ok {
-		return "", fmt.Errorf("Invalid plugin: <%s>", plug)
+func Parse(r io.Reader, plugin string) (string, error) {
+	if _, ok := patterns[plugin]; !ok {
+		return "", fmt.Errorf("invalid plugin: <%s>", plugin)
 	}
-	fc, err := io.ReadAll(r)
+	if r == nil {
+		return "", fmt.Errorf("invalid reader")
+	}
+	b, err := io.ReadAll(r)
 	if err != nil {
-		return "", fmt.Errorf("Unable to read <%s> error data: %w", plug, err)
+		return "", fmt.Errorf("unable to read <%s> error data: %w", plugin, err)
 	}
-	for _, p := range patterns[plug] {
-		mats := p.FindSubmatch(fc)
-		if len(mats) >= 2 {
-			return string(mats[1]), nil
+	for _, p := range patterns[plugin] {
+		matches := p.regexp.FindSubmatch(b)
+		if len(matches) >= 2 {
+			return p.msgf(matches), nil
 		}
 	}
-	return "", fmt.Errorf("Unable to match on <%s> error output", plug)
+	return "", fmt.Errorf("unable to match on <%s> error output", plugin)
+}
+
+func firstGroup(matches [][]byte) string {
+	return string(matches[1])
 }