
Setup VulnerabilityReport webhook conversion #283

Merged

Conversation

matheusfm
Contributor

@matheusfm matheusfm commented May 7, 2024

Description

This PR sets up a webhook conversion for the VulnerabilityReport CRD.
Now the operator is able to inject a webhook conversion into CRDs annotated with zora.undistro.io/inject-conversion: "true".
The spec.conversion.webhook.clientConfig.caBundle field in the CRD is set from a ca.crt file, generated by Helm and mounted as a volume in the operator.

A self-signed certificate is generated by Helm if it doesn't exist.
A Secret is also created with three files: tls.crt, tls.key, and ca.crt. This Secret is mounted as a volume in the webhook server (operator), where the tls.crt and tls.key files are used as the server certificate and ca.crt is set in the CRD's caBundle field on initialization.

Most of the files in the config/ directory are generated by kubebuilder. Documentation: https://book.kubebuilder.io/multiversion-tutorial/conversion

Linked Issues

How has this been tested?

This is a script that I've used for testing:

#!/bin/bash
# Start from a fresh kind cluster and load the locally built operator image into it.
#kind delete cluster
kind create cluster
#IMG="ghcr.io/undistro/zora/operator:v0.8.5-rc3" make docker-build
kind load docker-image ghcr.io/undistro/zora/operator:v0.8.5-rc3

# Install the previous (v0.8.4) CRD and create a "stale" report under the old
# schema before the new chart is installed, so it must be served via conversion.
kubectl apply -f https://raw.githubusercontent.com/undistro/zora/v0.8.4/charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml
cat config/samples/zora_v1alpha1_vulnerabilityreport.yaml | yq '.metadata.name = "stale"' | kubectl apply -f -

# Install the chart (generates the certificate Secret and mounts it in the
# operator), then create one v1alpha1 and one v1alpha2 sample report.
helm upgrade --install zora charts/zora/ --set clusterName=kind-kind -n zora-system --create-namespace --wait
kubectl apply -f config/samples/zora_v1alpha1_vulnerabilityreport.yaml
kubectl apply -f config/samples/zora_v1alpha2_vulnerabilityreport.yaml

Checklist

  • I have labeled this PR with the relevant Type labels
  • I have documented my code (if applicable)
  • My changes are covered by tests
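
The injection the description explains, as an added example that is not the PR's or the operator's own code: the CRD struct, injectConversion, validateCABundle and selfSignedPEM are assumed names, the CRD type is a hypothetical minimal stand-in for the apiextensions v1 fields rather than the real Kubernetes type, and the check that the mounted ca.crt really is a CA certificate (not a mis-mounted tls.crt leaf or a pre-base64-encoded file) is an addition the description does not mention.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// Annotation from the PR; CRD is a hypothetical minimal stand-in for the apiextensions v1 fields the operator touches.
const injectAnnotation = "zora.undistro.io/inject-conversion"
type CRD struct {
	Annotations map[string]string
	Strategy    string // "None" (default) or "Webhook"
	CABundle    []byte // raw PEM from ca.crt; the API server base64-encodes it on output, so do not pre-encode
}
// validateCABundle rejects a ca.crt that is not a PEM-encoded CA certificate (a mis-mounted tls.crt leaf, or a double-encoded file).
func validateCABundle(caPEM []byte) error {
	block, _ := pem.Decode(caPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("ca.crt: no PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil || !cert.IsCA {
		return errors.New("ca.crt: not a parsable CA certificate")
	}
	return nil
}
// injectConversion switches only annotated CRDs to Webhook conversion and reports whether anything changed.
func injectConversion(crd *CRD, caPEM []byte) (bool, error) {
	if crd.Annotations[injectAnnotation] != "true" {
		return false, nil
	}
	if err := validateCABundle(caPEM); err != nil {
		return false, err
	}
	crd.Strategy, crd.CABundle = "Webhook", caPEM
	return true, nil
}
// selfSignedPEM is a constructed fixture standing in for Helm's generated ca.crt; isCA=false yields a leaf like tls.crt.
func selfSignedPEM(isCA bool) []byte {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

An unannotated CRD is left untouched and a leaf certificate is refused before the object is mutated, which is the behaviour a controller reconcile loop wants so it never persists a broken caBundle.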

@matheusfm matheusfm added the enhancement New feature or request label May 7, 2024
@matheusfm matheusfm requested a review from knrc May 7, 2024 19:39
@matheusfm matheusfm self-assigned this May 7, 2024
@matheusfm matheusfm merged commit 5ad148c into UD-1378-vulnreport-v1alpha2 May 8, 2024
3 checks passed
@matheusfm matheusfm deleted the UD-1378-vulnreport-v1alpha2-conversion branch May 8, 2024 13:25
matheusfm added a commit that referenced this pull request Jun 3, 2024
…sion (#277)

* create resource VulnerabilityReport v1alpha2

* add VulnerabilityReport v1alpha2 fields

* generating clientset for vulnerabilityreport v1alpha2

* fix custom checks paths in Makefile

* parse trivy results to v1alpha2 vulnerability reports

* send v1alpha2 vulnerability reports to SaaS

* update vulnerabilityreport samples

* preserve unknown fields in .spec.vulnerabilities objects of v1alpha2 VulnerabilityReports

* deprecate VulnerabilityReport v1alpha1

* Setup VulnerabilityReport webhook conversion (#283)

* implement conversion.Hub in VulnerabilityReport v1alpha1

* move summarize function to v1alpha2 VulnerabilityReport

* implement conversion.Convertible in VulnerabilityReport v1alpha2

* set imagePullPolicy to IfNotPresent in config/manager/manager.yaml

* split install and install-crds targets in Makefile

* logging vulnerability reports conversions

* remove x-kubernetes-preserve-unknown-fields from v1alpha2 vulnerability report

* setup webhook with cert-manager

* setting TLSOpts in webhook server

* generating CRDs with kustomize for applying webhook patch

* installing yq in local binaries directory

* fix CRD generation

* updating CRD annotations

* annotate CRD for injecting conversion

* inject webhook conversion in annotated CRDs

* add flag for enabling/disabling conversion

* update helm chart for generating and mounting certificates if webhook is enabled

* set annotation with jq instead of kustomize

* remove unnecessary base64 encoding

* bump chart version to 0.8.5-rc3

* move NAMESPACE var in Makefile

* delete unused cert-manager files in config/ directory

* remove logs from vulnerabilityreport_conversion.go

* using certificates from existing secret if it already exists (#284)

* Add fields `totalPackages` and `totalUniquePackages` in VulnerabilityReport (#285)

* add fields `totalPackages` and `totalUniquePackages` in v1alpha2 VulnerabilityReport

* bump chart version to 0.8.5-rc4

* remove TODO