From 70d3b7854d69930291807fbefff752f7610819ce Mon Sep 17 00:00:00 2001
From: Marcin Owsiany
Date: Fri, 4 Feb 2022 10:08:22 +0100
Subject: [PATCH 1/2] Parameterize ALL scanner-related resource names.
---
 .../config-templates/scanner/config.yaml.tpl | 2 +-
 .../02-scanner-00-serviceaccount.yaml | 6 +-
 .../templates/02-scanner-01-security.yaml | 50 ++++++++---------
 .../02-scanner-02-db-password-secret.yaml | 6 +-
 .../templates/02-scanner-03-tls-secret.yaml | 12 ++--
 .../02-scanner-04-scanner-config.yaml | 6 +-
 .../02-scanner-05-network-policy.yaml | 18 +++---
 .../02-scanner-06-deployment.yaml.htpl | 56 +++++++++----------
 .../templates/02-scanner-07-service.yaml | 32 +++++------
 .../shared/templates/02-scanner-08-hpa.yaml | 8 +--
 .../shared/templates/_scanner_init.tpl.htpl | 4 ++
 11 files changed, 102 insertions(+), 98 deletions(-)
diff --git a/image/templates/helm/shared/config-templates/scanner/config.yaml.tpl b/image/templates/helm/shared/config-templates/scanner/config.yaml.tpl
index cc821180103d8..cb2fba0a4220e 100644
--- a/image/templates/helm/shared/config-templates/scanner/config.yaml.tpl
+++ b/image/templates/helm/shared/config-templates/scanner/config.yaml.tpl
@@ -15,7 +15,7 @@ scanner:
 options:
 # PostgreSQL Connection string
 # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
- source: host=scanner-db.{{ .Release.Namespace }}.svc port=5432 user=postgres sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} statement_timeout=60000
+ source: host={{ ._rox.scanner.name }}-db.{{ .Release.Namespace }}.svc port=5432 user=postgres sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} statement_timeout=60000
 # Number of elements kept in the cache
 # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
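Review bot: The added `source:` line derives the PostgreSQL host from `._rox.scanner.name`, but the `sslmode=verify-full` branch on the same line makes libpq check that exact host (`scanner-slim-db.<ns>.svc` in slim mode) against the server certificate's SANs, and nothing in this hunk ties the renamed host to the certificate. The chart does not render the db TLS Secret in slim mode (patch 2 asserts `scanner-slim-db-tls` is null), so the certificate presumably comes from elsewhere; unless its issuer also puts the `<name>-db.<namespace>.svc` name in the SANs, connections in the `stackrox` namespace will fail verification. I would state the contract next to the line: `# NOTE: with verify-full, libpq checks the host name below against the scanner-db certificate SANs; a renamed scanner needs a certificate issued for the new name.`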
diff --git a/image/templates/helm/shared/templates/02-scanner-00-serviceaccount.yaml b/image/templates/helm/shared/templates/02-scanner-00-serviceaccount.yaml
index a27c602723a43..73d47ba949b95 100644
--- a/image/templates/helm/shared/templates/02-scanner-00-serviceaccount.yaml
+++ b/image/templates/helm/shared/templates/02-scanner-00-serviceaccount.yaml
@@ -5,12 +5,12 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: scanner
+ name: {{ ._rox.scanner.name }}
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "srox.labels" (list . "serviceaccount" "scanner") | nindent 4 }}
+ {{- include "srox.labels" (list . "serviceaccount" ._rox.scanner.name) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "serviceaccount" "scanner") | nindent 4 }}
+ {{- include "srox.annotations" (list . "serviceaccount" ._rox.scanner.name) | nindent 4 }}
 imagePullSecrets:
 {{- range $secretName := ._rox.imagePullSecrets._names }}
 - name: {{ quote $secretName }}
diff --git a/image/templates/helm/shared/templates/02-scanner-01-security.yaml b/image/templates/helm/shared/templates/02-scanner-01-security.yaml
index 72bd6fe15e9f2..eaf256d89c7c6 100644
--- a/image/templates/helm/shared/templates/02-scanner-01-security.yaml
+++ b/image/templates/helm/shared/templates/02-scanner-01-security.yaml
@@ -5,18 +5,18 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }}
+ name: {{ include "srox.globalResourceName" (list . (print "stackrox-" ._rox.scanner.name "-psp")) }}
 labels:
- {{- include "srox.labels" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }}
+ {{- include "srox.labels" (list . "clusterrole" (print "stackrox-" ._rox.scanner.name "-psp")) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }}
+ {{- include "srox.annotations" (list . "clusterrole" (print "stackrox-" ._rox.scanner.name "-psp")) | nindent 4 }}
 rules:
 - apiGroups:
 - policy
 resources:
 - podsecuritypolicies
 resourceNames:
- - {{ include "srox.globalResourceName" (list . "stackrox-scanner") }}
+ - {{ include "srox.globalResourceName" (list . (print "stackrox-" ._rox.scanner.name)) }}
 verbs:
 - use
@@ -25,19 +25,19 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: stackrox-scanner-psp
+ name: stackrox-{{ ._rox.scanner.name }}-psp
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "srox.labels" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }}
+ {{- include "srox.labels" (list . "rolebinding" (print "stackrox-" ._rox.scanner.name "-psp")) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }}
+ {{- include "srox.annotations" (list . "rolebinding" (print "stackrox-" ._rox.scanner.name "-psp")) | nindent 4 }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }}
+ name: {{ include "srox.globalResourceName" (list . (print "stackrox-" ._rox.scanner.name "-psp")) }}
 subjects:
 - kind: ServiceAccount
- name: scanner
+ name: {{ ._rox.scanner.name }}
 namespace: {{ .Release.Namespace }}
 ---
@@ -45,11 +45,11 @@ subjects:
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
- name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }}
+ name: {{ include "srox.globalResourceName" (list . (print "stackrox-" ._rox.scanner.name)) }}
 labels:
- {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }}
+ {{- include "srox.labels" (list . "podsecuritypolicy" (print "stackrox-" ._rox.scanner.name)) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }}
+ {{- include "srox.annotations" (list . "podsecuritypolicy" (print "stackrox-" ._rox.scanner.name)) | nindent 4 }}
 spec:
 privileged: false
 allowPrivilegeEscalation: false
@@ -78,12 +78,12 @@ spec:
 kind: SecurityContextConstraints
 apiVersion: security.openshift.io/v1
 metadata:
- name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }}
+ name: {{ include "srox.globalResourceName" (list . (print "stackrox-" ._rox.scanner.name)) }}
 labels:
- {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-scanner") | nindent 4 }}
+ {{- include "srox.labels" (list . "securitycontextconstraints" (print "stackrox-" ._rox.scanner.name)) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-scanner") | nindent 4 }}
- kubernetes.io/description: stackrox-scanner is the security constraint for the Scanner container
+ {{- include "srox.annotations" (list . "securitycontextconstraints" (print "stackrox-" ._rox.scanner.name)) | nindent 4 }}
+ kubernetes.io/description: stackrox-{{ ._rox.scanner.name }} is the security constraint for the Scanner container
 priority: 0
 runAsUser:
 type: RunAsAny
@@ -92,7 +92,7 @@ seLinuxContext:
 seccompProfiles:
 - '*'
 users:
- - system:serviceaccount:{{ .Release.Namespace }}:scanner
+ - system:serviceaccount:{{ .Release.Namespace }}:{{ ._rox.scanner.name }}
 volumes:
 - '*'
 allowHostDirVolumePlugin: false
@@ -114,12 +114,12 @@ requiredDropCapabilities: []
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: use-scanner-scc
+ name: use-{{ ._rox.scanner.name }}-scc
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "srox.labels" (list . "role" "use-scanner-scc") | nindent 4 }}
+ {{- include "srox.labels" (list . "role" (print "use-" ._rox.scanner.name "-scc")) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "role" "use-scanner-scc") | nindent 4 }}
+ {{- include "srox.annotations" (list . "role" (print "use-" ._rox.scanner.name "-scc")) | nindent 4 }}
 rules:
 - apiGroups:
 - security.openshift.io
@@ -133,19 +133,19 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: scanner-use-scc
+ name: {{ ._rox.scanner.name }}-use-scc
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "srox.labels" (list . "rolebinding" "scanner-use-scc") | nindent 4 }}
+ {{- include "srox.labels" (list . "rolebinding" (print ._rox.scanner.name "-use-scc")) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "rolebinding" "scanner-use-scc") | nindent 4 }}
+ {{- include "srox.annotations" (list . "rolebinding" (print ._rox.scanner.name "-use-scc")) | nindent 4 }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: use-scanner-scc
+ name: use-{{ ._rox.scanner.name }}-scc
 subjects:
 - kind: ServiceAccount
- name: scanner
+ name: {{ ._rox.scanner.name }}
 namespace: {{ .Release.Namespace }}
 {{ end -}}
diff --git a/image/templates/helm/shared/templates/02-scanner-02-db-password-secret.yaml b/image/templates/helm/shared/templates/02-scanner-02-db-password-secret.yaml
index c6c0bc176c023..eb6586b4b6212 100644
--- a/image/templates/helm/shared/templates/02-scanner-02-db-password-secret.yaml
+++ b/image/templates/helm/shared/templates/02-scanner-02-db-password-secret.yaml
@@ -8,12 +8,12 @@
 apiVersion: v1
 kind: Secret
 metadata:
- name: scanner-db-password
+ name: {{ ._rox.scanner.name }}-db-password
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "srox.labels" (list . "secret" "scanner-db-password") | nindent 4 }}
+ {{- include "srox.labels" (list . "secret" (print ._rox.scanner.name "-db-password")) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "secret" "scanner-db-password") | nindent 4 }}
+ {{- include "srox.annotations" (list . "secret" (print ._rox.scanner.name "-db-password")) | nindent 4 }}
 "helm.sh/hook": "pre-install,pre-upgrade"
 "helm.sh/resource-policy": keep
 type: Opaque
diff --git a/image/templates/helm/shared/templates/02-scanner-03-tls-secret.yaml b/image/templates/helm/shared/templates/02-scanner-03-tls-secret.yaml
index 7c590fffe59f9..983c6365bc458 100644
--- a/image/templates/helm/shared/templates/02-scanner-03-tls-secret.yaml
+++ b/image/templates/helm/shared/templates/02-scanner-03-tls-secret.yaml
@@ -7,12 +7,12 @@
 apiVersion: v1
 kind: Secret
 metadata:
- name: scanner-tls
+ name: {{ ._rox.scanner.name }}-tls
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "srox.labels" (list . "secret" "scanner-tls") | nindent 4 }}
+ {{- include "srox.labels" (list . "secret" (print ._rox.scanner.name "-tls")) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "secret" "scanner-tls") | nindent 4 }}
+ {{- include "srox.annotations" (list . "secret" (print ._rox.scanner.name "-tls")) | nindent 4 }}
 "helm.sh/hook": "pre-install,pre-upgrade"
 "helm.sh/resource-policy": keep
 type: Opaque
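Review bot: Renaming this Secret while it keeps `"helm.sh/resource-policy": keep` means a release that switches scanner mode leaves the old `scanner-db-password` object (and `scanner-tls` in the next hunk) in the namespace indefinitely while a fresh `scanner-slim-db-password` is generated by the pre-install/pre-upgrade hook, so a live credential ends up orphaned with nothing referencing it. Helm will not delete kept resources on upgrade or uninstall, so the leftover has to be removed by an explicit migration step outside the chart. I would record that next to the annotations: `# resource-policy keep: the name depends on scanner mode, so a previously named Secret survives a mode switch and must be deleted manually.`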
@@ -33,12 +33,12 @@ stringData:
 apiVersion: v1
 kind: Secret
 metadata:
- name: scanner-db-tls
+ name: {{ ._rox.scanner.name }}-db-tls
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "srox.labels" (list . "secret" "scanner-db-tls") | nindent 4 }}
+ {{- include "srox.labels" (list . "secret" (print ._rox.scanner.name "-db-tls")) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "secret" "scanner-db-tls") | nindent 4 }}
+ {{- include "srox.annotations" (list . "secret" (print ._rox.scanner.name "-db-tls")) | nindent 4 }}
 "helm.sh/hook": "pre-install,pre-upgrade"
 "helm.sh/resource-policy": "keep"
 type: Opaque
diff --git a/image/templates/helm/shared/templates/02-scanner-04-scanner-config.yaml b/image/templates/helm/shared/templates/02-scanner-04-scanner-config.yaml
index 4ed16c779e60b..9b1fa7036f894 100644
--- a/image/templates/helm/shared/templates/02-scanner-04-scanner-config.yaml
+++ b/image/templates/helm/shared/templates/02-scanner-04-scanner-config.yaml
@@ -5,12 +5,12 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: scanner-config
+ name: {{ ._rox.scanner.name }}-config
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "srox.labels" (list . "configmap" "scanner-config") | nindent 4 }}
+ {{- include "srox.labels" (list . "configmap" (print ._rox.scanner.name "-config")) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "configmap" "scanner-config") | nindent 4 }}
+ {{- include "srox.annotations" (list . "configmap" (print ._rox.scanner.name "-config")) | nindent 4 }}
 data:
 config.yaml: |
 {{- tpl (.Files.Get "config-templates/scanner/config.yaml.tpl") . | nindent 4 }}
diff --git a/image/templates/helm/shared/templates/02-scanner-05-network-policy.yaml b/image/templates/helm/shared/templates/02-scanner-05-network-policy.yaml
index 824c63ec4a8a5..d5881e0c3b95a 100644
--- a/image/templates/helm/shared/templates/02-scanner-05-network-policy.yaml
+++ b/image/templates/helm/shared/templates/02-scanner-05-network-policy.yaml
@@ -5,16 +5,16 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: scanner
+ name: {{ ._rox.scanner.name }}
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "srox.labels" (list . "networkpolicy" "scanner") | nindent 4 }}
+ {{- include "srox.labels" (list . "networkpolicy" ._rox.scanner.name) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "networkpolicy" "scanner") | nindent 4 }}
+ {{- include "srox.annotations" (list . "networkpolicy" ._rox.scanner.name) | nindent 4 }}
 spec:
 podSelector:
 matchLabels:
- app: scanner
+ app: {{ ._rox.scanner.name }}
 ingress:
 - from:
 - podSelector:
@@ -33,21 +33,21 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: scanner-db
+ name: {{ ._rox.scanner.name }}-db
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "srox.labels" (list . "networkpolicy" "scanner-db") | nindent 4 }}
+ {{- include "srox.labels" (list . "networkpolicy" (print ._rox.scanner.name "-db")) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "networkpolicy" "scanner-db") | nindent 4 }}
+ {{- include "srox.annotations" (list . "networkpolicy" (print ._rox.scanner.name "-db")) | nindent 4 }}
 spec:
 podSelector:
 matchLabels:
- app: scanner-db
+ app: {{ ._rox.scanner.name }}-db
 ingress:
 - from:
 - podSelector:
 matchLabels:
- app: scanner
+ app: {{ ._rox.scanner.name }}
 ports:
 - port: 5432
 protocol: TCP
diff --git a/image/templates/helm/shared/templates/02-scanner-06-deployment.yaml.htpl b/image/templates/helm/shared/templates/02-scanner-06-deployment.yaml.htpl
index e07745f9cc4b5..c399af5c2267f 100644
--- a/image/templates/helm/shared/templates/02-scanner-06-deployment.yaml.htpl
+++ b/image/templates/helm/shared/templates/02-scanner-06-deployment.yaml.htpl
@@ -5,30 +5,30 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: scanner
+ name: {{ ._rox.scanner.name }}
 namespace: {{ .Release.Namespace }}
 labels:
- app: scanner
- {{- include "srox.labels" (list . "deployment" "scanner") | nindent 4 }}
+ app: {{ ._rox.scanner.name }}
+ {{- include "srox.labels" (list . "deployment" ._rox.scanner.name) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "deployment" "scanner") | nindent 4 }}
+ {{- include "srox.annotations" (list . "deployment" ._rox.scanner.name) | nindent 4 }}
 spec:
 replicas: {{ ._rox.scanner.replicas }}
 minReadySeconds: 15
 selector:
 matchLabels:
- app: scanner
+ app: {{ ._rox.scanner.name }}
 strategy:
 type: Recreate
 template:
 metadata:
 namespace: {{ .Release.Namespace }}
 labels:
- app: scanner
- {{- include "srox.podLabels" (list . "deployment" "scanner") | nindent 8 }}
+ app: {{ ._rox.scanner.name }}
+ {{- include "srox.podLabels" (list . "deployment" ._rox.scanner.name) | nindent 8 }}
 annotations:
 traffic.sidecar.istio.io/excludeInboundPorts: "8080,8443"
- {{- include "srox.podAnnotations" (list . "deployment" "scanner") | nindent 8 }}
+ {{- include "srox.podAnnotations" (list . "deployment" ._rox.scanner.name) | nindent 8 }}
 spec:
 {{- if ._rox.scanner._nodeSelector }}
 nodeSelector:
@@ -45,7 +45,7 @@ spec:
 podAffinityTerm:
 labelSelector:
 matchLabels:
- app: scanner
+ app: {{ ._rox.scanner.name }}
 topologyKey: kubernetes.io/hostname
 {{- if ._rox.env.openshift }}
 nodeAffinity:
@@ -92,7 +92,7 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
- {{- include "srox.envVars" (list . "deployment" "scanner" "scanner") | nindent 8 }}
+ {{- include "srox.envVars" (list . "deployment" ._rox.scanner.name ._rox.scanner.name) | nindent 8 }}
 resources:
 {{- ._rox.scanner._resources | nindent 10 }}
 command:
@@ -136,7 +136,7 @@ spec:
 readOnly: true
 - name: scanner-db-password
 mountPath: /run/secrets/stackrox.io/secrets
- serviceAccountName: scanner
+ serviceAccountName: {{ ._rox.scanner.name }}
 volumes:
 - name: additional-ca-volume
 secret:
@@ -149,10 +149,10 @@ spec:
 name: scanner-etc-pki-volume
 - name: scanner-config-volume
 configMap:
- name: scanner-config
+ name: {{ ._rox.scanner.name }}-config
 - name: scanner-tls-volume
 secret:
- secretName: scanner-tls
+ secretName: {{ ._rox.scanner.name }}-tls
 - name: vuln-temp-db
 emptyDir: {}
 - name: proxy-config-volume
@@ -161,37 +161,37 @@ spec:
 optional: true
 - name: scanner-db-password
 secret:
- secretName: scanner-db-password
+ secretName: {{ ._rox.scanner.name }}-db-password
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: scanner-db
+ name: {{ ._rox.scanner.name }}-db
 namespace: {{ .Release.Namespace }}
 labels:
- app: scanner-db
- {{- include "srox.labels" (list . "deployment" "scanner-db") | nindent 4 }}
+ app: {{ ._rox.scanner.name }}-db
+ {{- include "srox.labels" (list . "deployment" (print ._rox.scanner.name "-db")) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "deployment" "scanner-db") | nindent 4 }}
+ {{- include "srox.annotations" (list . "deployment" (print ._rox.scanner.name "-db")) | nindent 4 }}
 spec:
 replicas: 1
 minReadySeconds: 15
 selector:
 matchLabels:
- app: scanner-db
+ app: {{ ._rox.scanner.name }}-db
 strategy:
 type: Recreate
 template:
 metadata:
 namespace: {{ .Release.Namespace }}
 labels:
- app: scanner-db
- {{- include "srox.podLabels" (list . "deployment" "scanner-db") | nindent 8 }}
+ app: {{ ._rox.scanner.name }}-db
+ {{- include "srox.podLabels" (list . "deployment" (print ._rox.scanner.name "-db")) | nindent 8 }}
 annotations:
 traffic.sidecar.istio.io/excludeInboundPorts: "5432"
- {{- include "srox.podAnnotations" (list . "deployment" "scanner-db") | nindent 8 }}
+ {{- include "srox.podAnnotations" (list . "deployment" (print ._rox.scanner.name "-db")) | nindent 8 }}
 spec:
 {{- if ._rox.scanner._dbNodeSelector }}
 nodeSelector:
@@ -276,7 +276,7 @@ spec:
 resources:
 {{- ._rox.scanner._dbResources | nindent 10 }}
 env:
- {{- include "srox.envVars" (list . "deployment" "scanner-db" "db") | nindent 10 }}
+ {{- include "srox.envVars" (list . "deployment" (print ._rox.scanner.name "-db") "db") | nindent 10 }}
 securityContext:
 runAsUser: 70
 runAsGroup: 70
@@ -287,19 +287,19 @@ spec:
 mountPath: /run/secrets/stackrox.io/certs
 - name: scanner-db-password
 mountPath: /run/secrets/stackrox.io/secrets
- serviceAccountName: scanner
+ serviceAccountName: {{ ._rox.scanner.name }}
 securityContext:
 fsGroup: 70
 volumes:
 - name: scanner-config-volume
 configMap:
- name: scanner-config
+ name: {{ ._rox.scanner.name }}-config
 - name: scanner-tls-volume
 secret:
- secretName: scanner-tls
+ secretName: {{ ._rox.scanner.name }}-tls
 - name: scanner-db-tls-volume
 secret:
- secretName: scanner-db-tls
+ secretName: {{ ._rox.scanner.name }}-db-tls
 defaultMode: 0640
 items:
 - key: cert.pem
@@ -312,6 +312,6 @@ spec:
 emptyDir: {}
 - name: scanner-db-password
 secret:
- secretName: scanner-db-password
+ secretName: {{ ._rox.scanner.name }}-db-password
 {{ end -}}
diff --git a/image/templates/helm/shared/templates/02-scanner-07-service.yaml b/image/templates/helm/shared/templates/02-scanner-07-service.yaml
index 6c6ad04bcdc63..55b5bf25250d4 100644
--- a/image/templates/helm/shared/templates/02-scanner-07-service.yaml
+++ b/image/templates/helm/shared/templates/02-scanner-07-service.yaml
@@ -5,12 +5,12 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: scanner
+ name: {{ ._rox.scanner.name }}
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "srox.labels" (list . "service" "scanner") | nindent 4 }}
+ {{- include "srox.labels" (list . "service" ._rox.scanner.name) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "service" "scanner") | nindent 4 }}
+ {{- include "srox.annotations" (list . "service" ._rox.scanner.name) | nindent 4 }}
 spec:
 ports:
 - name: https-scanner
@@ -20,7 +20,7 @@ spec:
 port: 8443
 targetPort: 8443
 selector:
- app: scanner
+ app: {{ ._rox.scanner.name }}
 type: ClusterIP
 ---
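Review bot: The scanner-db pod's `scanner-tls-volume` and `scanner-db-tls-volume` now reference `{{ ._rox.scanner.name }}-tls` and `{{ ._rox.scanner.name }}-db-tls` as non-optional Secret volumes, yet in slim mode the chart does not render those Secrets (patch 2 asserts `scanner-slim-tls` and `scanner-slim-db-tls` are null), so the pod cannot start until something outside this diff creates objects with exactly the new names. Whatever issues those certificates has to be updated in lockstep with this rename; I cannot see it from here. Failing hard is the right behaviour for TLS material (unlike the scanner Deployment's `proxy-config-volume` in the previous hunk, which is `optional: true`), so I would only document the dependency above the volume: `# Not rendered by the chart in slim mode; the certificate issuer must create {{ ._rox.scanner.name }}-tls and {{ ._rox.scanner.name }}-db-tls under these exact names.` The scanner-db Deployment starts in the previous hunk.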
@@ -28,19 +28,19 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
- name: scanner-db
+ name: {{ ._rox.scanner.name }}-db
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "srox.labels" (list . "service" "scanner-db") | nindent 4 }}
+ {{- include "srox.labels" (list . "service" (print ._rox.scanner.name "-db")) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "service" "scanner-db") | nindent 4 }}
+ {{- include "srox.annotations" (list . "service" (print ._rox.scanner.name "-db")) | nindent 4 }}
 spec:
 ports:
 - name: tcp-db
 port: 5432
 targetPort: 5432
 selector:
- app: scanner-db
+ app: {{ ._rox.scanner.name }}-db
 type: ClusterIP
 {{ if ._rox.env.istio }}
@@ -49,15 +49,15 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
- name: scanner-internal-no-istio-mtls
+ name: {{ ._rox.scanner.name }}-internal-no-istio-mtls
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "srox.labels" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }}
+ {{- include "srox.labels" (list . "destinationrule" (print ._rox.scanner.name "-internal-no-istio-mtls")) | nindent 4 }}
 annotations:
 stackrox.io/description: "Disable Istio mTLS for ports 8080 and 8443, since StackRox services use built-in mTLS."
- {{- include "srox.annotations" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }}
+ {{- include "srox.annotations" (list . "destinationrule" (print ._rox.scanner.name "-internal-no-istio-mtls")) | nindent 4 }}
 spec:
- host: scanner.{{ .Release.Namespace }}.svc.cluster.local
+ host: {{ ._rox.scanner.name }}.{{ .Release.Namespace }}.svc.cluster.local
 trafficPolicy:
 portLevelSettings:
 - port:
@@ -74,15 +74,15 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
- name: scanner-db-internal-no-istio-mtls
+ name: {{ ._rox.scanner.name }}-db-internal-no-istio-mtls
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "srox.labels" (list . "destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }}
+ {{- include "srox.labels" (list . "destinationrule" (print ._rox.scanner.name "-db-internal-no-istio-mtls")) | nindent 4 }}
 annotations:
 stackrox.io/description: "Disable Istio mTLS for port 5432, since StackRox services use built-in mTLS."
- {{- include "srox.annotations" (list . "destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }}
+ {{- include "srox.annotations" (list . "destinationrule" (print ._rox.scanner.name "-db-internal-no-istio-mtls")) | nindent 4 }}
 spec:
- host: scanner-db.{{ .Release.Namespace }}.svc.cluster.local
+ host: {{ ._rox.scanner.name }}-db.{{ .Release.Namespace }}.svc.cluster.local
 trafficPolicy:
 portLevelSettings:
 - port:
diff --git a/image/templates/helm/shared/templates/02-scanner-08-hpa.yaml b/image/templates/helm/shared/templates/02-scanner-08-hpa.yaml
index c7af476a189f9..148d6ac46e061 100644
--- a/image/templates/helm/shared/templates/02-scanner-08-hpa.yaml
+++ b/image/templates/helm/shared/templates/02-scanner-08-hpa.yaml
@@ -6,19 +6,19 @@
 apiVersion: autoscaling/v1
 kind: HorizontalPodAutoscaler
 metadata:
- name: scanner
+ name: {{ ._rox.scanner.name }}
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "srox.labels" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }}
+ {{- include "srox.labels" (list . "horizontalpodautoscaler" ._rox.scanner.name) | nindent 4 }}
 annotations:
- {{- include "srox.annotations" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }}
+ {{- include "srox.annotations" (list . "horizontalpodautoscaler" ._rox.scanner.name) | nindent 4 }}
 spec:
 minReplicas: {{ ._rox.scanner.autoscaling.minReplicas }}
 maxReplicas: {{ ._rox.scanner.autoscaling.maxReplicas }}
 scaleTargetRef:
 apiVersion: apps/v1
 kind: Deployment
- name: scanner
+ name: {{ ._rox.scanner.name }}
 targetCPUUtilizationPercentage: 150
 {{ end -}}
diff --git a/image/templates/helm/shared/templates/_scanner_init.tpl.htpl b/image/templates/helm/shared/templates/_scanner_init.tpl.htpl
index 24db504268348..025298c2698b4 100644
--- a/image/templates/helm/shared/templates/_scanner_init.tpl.htpl
+++ b/image/templates/helm/shared/templates/_scanner_init.tpl.htpl
@@ -24,6 +24,8 @@
 [< end >]
 {{ if or (eq $scannerCfg.mode "") (eq $scannerCfg.mode "full") }}
+ {{ $_ := set $scannerCfg "name" "scanner" }}
+
 {{ include "srox.configureImage" (list $ $scannerCfg.image) }}
 {{ include "srox.configureImage" (list $ $scannerCfg.dbImage) }}
@@ -36,6 +38,8 @@
 [< if not .FeatureFlags.ROX_LOCAL_IMAGE_SCANNING >]
 {{ include "srox.fail" "Scanner's slim mode currently not supported" }}
 [< end >]
+ {{ $_ := set $scannerCfg "name" "scanner-slim" }}
+
 {{ include "srox.configureImage" (list $ $scannerCfg.slimImage) }}
 {{ include "srox.configureImage" (list $ $scannerCfg.slimDBImage) }}
 {{ else }}
From 963a1bde3aa820dbf56b8668fe643da8ad1a7a19 Mon Sep 17 00:00:00 2001
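Review bot: Both added `set $scannerCfg "name" ...` lines overwrite the key unconditionally, so a value a user places under `scanner.name` is silently discarded rather than rejected, and the `{{ else }}` branch that the second hunk ends on (its body is outside this diff) never sets `name` at all. If any template guarded only by the scanner being enabled renders in that branch, every `name: {{ ._rox.scanner.name }}` introduced by this commit expands to an empty scalar and the manifests fail to apply with an unhelpful error. I would make the derivation explicit right after the mode switch, `{{ if not $scannerCfg.name }}{{ include "srox.fail" "internal error: scanner.name was not derived from scanner.mode" }}{{ end }}`, and reject a user-supplied `scanner.name` with `srox.fail` the same way the slim branch already fails on the feature flag. This assumes `$scannerCfg` is the same map the templates read as `._rox.scanner`, which the hunk does not show.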
From: Marcin Owsiany
Date: Fri, 4 Feb 2022 11:19:19 +0100
Subject: [PATCH 2/2] adjust slim helm test
---
 .../tests/shared/scanner-slim/scanner-slim.test.yaml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/pkg/helm/charts/tests/shared/scanner-slim/scanner-slim.test.yaml b/pkg/helm/charts/tests/shared/scanner-slim/scanner-slim.test.yaml
index c972727eaf3ce..afcd6d7b0999e 100644
--- a/pkg/helm/charts/tests/shared/scanner-slim/scanner-slim.test.yaml
+++ b/pkg/helm/charts/tests/shared/scanner-slim/scanner-slim.test.yaml
@@ -15,7 +15,9 @@ tests:
 scanner:
 mode: slim
 expect: |
- .deployments["scanner"].spec.template.spec.containers[0].image | contains("slim")
- .deployments["scanner-db"].spec.template.spec.containers[0].image | contains("slim")
- .secrets["scanner-tls"] | assertThat(. == null)
- .secrets["scanner-db-tls"] | assertThat(. == null)
+ .deployments["scanner-slim"].spec.template.spec.containers[0].image | contains("slim")
+ .deployments["scanner-slim-db"].spec.template.spec.containers[0].image | contains("slim")
+ .deployments["scanner"] | assertThat(. == null)
+ .deployments["scanner-db"] | assertThat(. == null)
+ .secrets["scanner-slim-tls"] | assertThat(. == null)
+ .secrets["scanner-slim-db-tls"] | assertThat(. == null)
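Review bot: The rewritten expectations verify the two Deployments exist and the TLS Secrets are absent, but not that the pods bind to the renamed identity, which is where a partial rename bites because the SCC `users:` entry and the RBAC subjects in patch 1 match the ServiceAccount by exact name. One line per Deployment pins that: `.deployments["scanner-slim"].spec.template.spec.serviceAccountName | assertThat(. == "scanner-slim")` and the same for `scanner-slim-db`. Asserting `.secrets["scanner-tls"]` and `.secrets["scanner-db-tls"]` are also null would catch a template that the rename missed, mirroring the checks already added for the old Deployment names.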