Merge branch 'main' into feat/trivy-plugin

# Conflicts:
#	charts/zora/README.md
#	charts/zora/templates/plugins/rbac.yaml
#	charts/zora/values.yaml
#	config/rbac/zora_plugins_role.yaml
#	pkg/plugins/cronjob.go

README.md

@@ -1,5 +1,3 @@
-# Zora (Alpha Release)
-
 <div align="center">
 
 <a href="https://zora-docs.undistro.io/" target="_blank">

charts/zora/README.md

@@ -54,8 +54,7 @@ The following table lists the configurable parameters of the Zora chart and thei
 |-----|------|---------|-------------|
 | nameOverride | string | `""` | String to partially override fullname template with a string (will prepend the release name) |
 | fullnameOverride | string | `""` | String to fully override fullname template with a string |
-| agent | bool | `false` | Specifies whether Zora should be installed in `agent` mode |
-| clusterName | string | `""` | Cluster name. Required if `agent` is `true`. Should be set by `kubectl config current-context`. |
+| clusterName | string | `""` | Cluster name. Should be set by `kubectl config current-context`. |
 | scanSchedule | string | Cron expression for every hour at the current minute + 5 minutes | Cluster scan schedule in Cron format |
 | saas.workspaceID | string | `""` | Your SaaS workspace ID |
 | saas.server | string | `"https://zora-dashboard.undistro.io"` | SaaS server URL |

charts/zora/templates/NOTES.txt

@@ -1,9 +1,16 @@
-1. Connect clusters with `kubectl`:
+Thank you for installing {{ .Chart.Name | title }} version {{ .Chart.Version }}.
 
-  For in-depth information about how to connect a cluster, visit
-    https://zora-docs.undistro.io/
+{{ if .Values.clusterName -}}
+Cluster `{{ .Values.clusterName }}` is scheduled to be scanned. Check it by running:
+    kubectl get cluster,clusterscan -o wide -n {{ .Release.Namespace }}
 
-{{- if .Values.saas.workspaceID }}
-2. Now you can see your clusters and issues in the SaaS:
-     {{ .Values.saas.server }}
+Once a cluster is successfully scanned, you can check issues by running:
+    kubectl get clusterissues -n {{ .Release.Namespace }}
+
+{{ end -}}
+
+Visit our documentation for in-depth information: https://zora-docs.undistro.io
+
+{{ if .Values.saas.workspaceID -}}
+You can see your clusters and issues in SaaS: {{ .Values.saas.server }}
 {{- end }}

charts/zora/templates/cluster/cluster.yaml

@@ -0,0 +1,33 @@
+# Copyright 2023 Undistro Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{ if .Values.clusterName }}
+apiVersion: zora.undistro.io/v1alpha1
+kind: Cluster
+metadata:
+  labels:
+    {{- include "zora.labels" . | nindent 4 }}
+  name: {{ include "clusterName" . }}
+spec: {}
+---
+apiVersion: zora.undistro.io/v1alpha1
+kind: ClusterScan
+metadata:
+  labels:
+    {{- include "zora.labels" . | nindent 4 }}
+  name: {{ include "clusterName" . }}
+spec:
+  clusterRef:
+    name: {{ include "clusterName" . }}
+  schedule: {{ include "scanSchedule" . | quote }}
+{{- end }}

charts/zora/templates/plugins/rbac.yaml

@@ -38,8 +38,6 @@ rules:
       - secrets
       - serviceaccounts
       - services
-      - replicationcontrollers
-      - resourcequotas
     verbs: [ "get", "list" ]
   - apiGroups: [ "apps" ]
     resources:

charts/zora/values.yaml

@@ -17,10 +17,7 @@ nameOverride: ""
 # -- String to fully override fullname template with a string
 fullnameOverride: ""
 
-# -- Specifies whether Zora should be installed in `agent` mode
-agent: false
-
-# -- Cluster name. Required if `agent` is `true`. Should be set by `kubectl config current-context`.
+# -- Cluster name. Should be set by `kubectl config current-context`.
 clusterName: ""
 
 # -- Cluster scan schedule in Cron format

cmd/worker/main.go

@@ -15,30 +15,32 @@
 package main
 
 import (
+	"context"
+	"flag"
+	"os"
 	"time"
 
+	"github.com/go-logr/logr"
 	"go.uber.org/zap/zapcore"
 
-	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
 	"github.com/undistro/zora/pkg/worker"
 )
 
-var log = ctrl.Log.WithName("worker")
-
 func main() {
 	opts := zap.Options{
 		Development: true,
 		TimeEncoder: zapcore.TimeEncoderOfLayout(time.RFC3339),
 	}
-	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
-
-	log.Info("Starting worker")
-	if err := worker.Run(log); err != nil {
-		log.Info("Worker crashed")
-		panic(err)
+	opts.BindFlags(flag.CommandLine)
+	log := zap.New(zap.UseFlagOptions(&opts)).WithName("worker")
+	ctx := logr.NewContext(context.Background(), log)
+
+	log.Info("starting worker")
+	if err := worker.Run(ctx); err != nil {
+		log.Error(err, "failed to run worker")
+		os.Exit(1)
 	}
-	log.Info("Worker finished successfully")
-	log.Info("Stopping worker")
+	log.Info("worker finished successfully")
 }

config/rbac/zora_plugins_role.yaml

@@ -45,8 +45,6 @@ rules:
       - secrets
       - serviceaccounts
       - services
-      - replicationcontrollers
-      - resourcequotas
     verbs: [ "get", "list" ]
   - apiGroups: [ "apps" ]
     resources:

go.mod

@@ -3,6 +3,7 @@ module github.com/undistro/zora
 go 1.20
 
 require (
+	github.com/caarlos0/env/v9 v9.0.0
 	github.com/go-logr/logr v1.2.4
 	github.com/google/go-cmp v0.5.9
 	github.com/onsi/ginkgo/v2 v2.9.5

go.sum

@@ -6,6 +6,8 @@ github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLj
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/caarlos0/env/v9 v9.0.0 h1:SI6JNsOA+y5gj9njpgybykATIylrRMklbs5ch6wO6pc=
+github.com/caarlos0/env/v9 v9.0.0/go.mod h1:ye5mlCVMYh6tZ+vCgrs/B95sj88cg5Tlnc0XIzgZ020=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=

mkdocs.yml

@@ -69,6 +69,9 @@ extra:
       link: https://join.slack.com/t/undistrocommunity/shared_invite/zt-1h5i4earm-IjOpQeKNby09YzoOcvXqQQ
     - icon: fontawesome/brands/github
       link: https://github.com/undistro/zora
+  analytics:
+    provider: google
+    property: G-D6NENTNM1P
 
 copyright: Copyright © 2022 - 2023 Undistro Authors
 

pkg/plugins/cronjob.go

@@ -48,6 +48,14 @@ var (
 			Name:  "DONE_DIR",
 			Value: resultsDir,
 		},
+		{
+			Name:  "DONE_FILE",
+			Value: filepath.Join(resultsDir, "done"),
+		},
+		{
+			Name:  "ERROR_FILE",
+			Value: filepath.Join(resultsDir, "error"),
+		},
 	}
 	// commonVolumeMounts represents the volume mounts to be used in worker and plugin containers
 	commonVolumeMounts = []corev1.VolumeMount{
@@ -131,6 +139,9 @@ func (r *CronJobMutator) Mutate() error {
 			},
 		})
 	}
+	r.Existing.Spec.JobTemplate.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{
+		RunAsNonRoot: pointer.Bool(true),
+	}
 
 	if pointer.BoolDeref(r.Plugin.Spec.MountCustomChecksVolume, false) {
 		initContainer := r.initContainer()
@@ -264,8 +275,10 @@ func (r *CronJobMutator) workerEnv() []corev1.EnvVar {
 			Value: r.ClusterScan.Spec.ClusterRef.Name,
 		},
 		corev1.EnvVar{
-			Name:  "CLUSTER_ISSUES_NAMESPACE",
-			Value: r.ClusterScan.Namespace,
+			Name: "NAMESPACE",
+			ValueFrom: &corev1.EnvVarSource{
+				FieldRef: &corev1.ObjectFieldSelector{FieldPath: "metadata.namespace", APIVersion: "v1"},
+			},
 		},
 		corev1.EnvVar{
 			Name:  "PLUGIN_NAME",

pkg/worker/config.go

@@ -0,0 +1,49 @@
+// Copyright 2023 Undistro Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package worker
+
+import (
+	"strings"
+	"time"
+
+	"github.com/caarlos0/env/v9"
+)
+
+// config represents worker configuration
+type config struct {
+	DoneFile     string        `env:"DONE_FILE" envDefault:"/tmp/zora/results/done"`
+	ErrorFile    string        `env:"ERROR_FILE" envDefault:"/tmp/zora/results/error"`
+	PluginName   string        `env:"PLUGIN_NAME,required"`
+	ClusterName  string        `env:"CLUSTER_NAME,required"`
+	Namespace    string        `env:"NAMESPACE,required"`
+	JobName      string        `env:"JOB_NAME,required"`
+	JobUID       string        `env:"JOB_UID,required"`
+	PodName      string        `env:"POD_NAME,required"`
+	WaitInterval time.Duration `env:"WAIT_INTERVAL" envDefault:"1s"`
+
+	suffix string
+}
+
+// configFromEnv returns a config from environment variables
+func configFromEnv() (*config, error) {
+	cfg := &config{}
+	if err := env.Parse(cfg); err != nil {
+		return nil, err
+	}
+	if i := strings.LastIndex(cfg.PodName, "-"); i > 0 && len(cfg.PodName) > i+1 {
+		cfg.suffix = cfg.PodName[i+1:]
+	}
+	return cfg, nil
+}