Skip to content

ROX-8825 - Add Local Scanner Operator API to SecuredCluster CRD#691

Merged
porridge merged 7 commits intomasterfrom
sb/rox-8825-operator-api
Mar 9, 2022
Merged

ROX-8825 - Add Local Scanner Operator API to SecuredCluster CRD#691
porridge merged 7 commits intomasterfrom
sb/rox-8825-operator-api

Conversation

@SimonBaeumer
Copy link
Contributor

@SimonBaeumer SimonBaeumer commented Feb 19, 2022
edited
Loading

Description

  • Scanner Deployments
  • Operator UI
  • Scanner Password DB Reconciler
  • Image Overrides with RELATED_ env variables

Depended PRs

Specification

The reconciler should be able to:

  • Custom resource API: extend schema of SecuredCluster CRD spec with fields for local scanner.
  • Install scanner.
  • By default scanner should be installed in a namespace without central.
  • Scanner should not be deployed in the same namespace as Central
  • If central is already installed in the same namespace, do not install scanner.
  • The operator should be able to generate a secret that contains the scanner database password.

Checklist

  • Investigated and inspected CI test results
  • Unit test and regression tests added
  • Evaluated and added CHANGELOG entry if required
  • Determined and documented upgrade steps

If any of these don't apply, please comment below.

TODO

  • Check CRD documentation
  • Add Scanner DB password reconciler
  • Test OpenShift Operator UI
  • Remove Enabled scanenrComponent option in favour of AutoSense
  • Protect translation logic by feature flag

Testing Performed

  • Test installation

  • Test upgrades

  • Test uninstall

  • Operator reconciles scanner-db-password if scanner is enabled

  • Operator does not install Scanner when

    • in Kubernetes clusters
    • in same namespace with Central

  • Deployment in different namespace than Central works

Scanner spec

apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  namespace: openshift-operators
  name: stackrox-secured-cluster-services
spec:
  clusterName: my-cluster
  auditLogs:
    collection: Auto
  admissionControl:
    [...]
  scanner:
    analyzer:
      scaling:
        autoScaling: AutoSense
        maxReplicas: 5
        minReplicas: 2
        replicas: 3
        resources: [...]
        nodeSelector: [...]
        tolerations: [...]
    scannerComponent: AutoSense
    db:
      resources: [...]
      nodeSelector: [...]
      tolerations: [...]

@ghost
Copy link

ghost commented Feb 19, 2022
edited by ghost
Loading

Tag for build #287400 is 3.69.x-55-gaf9511040c.

💻 For deploying this image using the dev scripts, run the following first:

export MAIN_IMAGE_TAG='3.69.x-55-gaf9511040c'

📦 You can also generate an installation bundle with:

docker run -i --rm stackrox/main:3.69.x-55-gaf9511040c central generate interactive > bundle.zip

🕹️ A roxctl binary artifact can be downloaded from CircleCI.

@SimonBaeumer SimonBaeumer force-pushed the sb/rox-8825-operator-api branch 3 times, most recently from f1fbca3 to 4d26253 Compare March 1, 2022 08:16
@SimonBaeumer SimonBaeumer force-pushed the sb/rox-8825-operator-api branch 2 times, most recently from d304bd4 to b6dd799 Compare March 4, 2022 14:19
@SimonBaeumer SimonBaeumer changed the base branch from master to sb/rox-9589-remove-scanner-slim-prefixes March 4, 2022 15:30
@SimonBaeumer SimonBaeumer changed the title ROX-8825 - Operator API ROX-8825 - Local Scanner Operator API Mar 7, 2022
@SimonBaeumer SimonBaeumer marked this pull request as ready for review March 7, 2022 10:10
@SimonBaeumer SimonBaeumer changed the title ROX-8825 - Local Scanner Operator API ROX-8825 - Add Local Scanner Operator API to SecuredCluster CRD Mar 7, 2022
Base automatically changed from sb/rox-9589-remove-scanner-slim-prefixes to master March 7, 2022 10:24
@SimonBaeumer SimonBaeumer force-pushed the sb/rox-8825-operator-api branch 2 times, most recently from 11568a0 to d9f3d01 Compare March 7, 2022 10:25
@SimonBaeumer SimonBaeumer added this to the 69.0-rc.2 milestone Mar 7, 2022
@SimonBaeumer SimonBaeumer force-pushed the sb/rox-8825-operator-api branch from c5543ae to fe488b3 Compare March 7, 2022 14:58
juanrh
juanrh reviewed Mar 7, 2022
View reviewed changes
RTann
RTann reviewed Mar 7, 2022
View reviewed changes
juanrh
juanrh suggested changes Mar 7, 2022
View reviewed changes
operator/pkg/securedcluster/values/translation/image_overrides.go Outdated
Comment on lines +10 to +11
images.Scanner: "image.scanner.fullRef",
images.ScannerDB: "image.scannerDb.fullRef",
Copy link
Contributor

@juanrh juanrh Mar 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please check that this is on sync with https://github.com/stackrox/stackrox/blob/porridge/ROX-9524/operator/pkg/securedcluster/values/translation/image_overrides.go

Copy link
Contributor Author

@SimonBaeumer SimonBaeumer Mar 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rebased after @porridge's PR was merged

Copy link
Contributor Author

@SimonBaeumer SimonBaeumer Mar 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Revert the changes the merged PR was broken, it should not be scanner slim because these are implementation details.
The Secured Cluster chart does not differentiate from the outside for them, thus we can add the overrides directly.

@porridge porridge mentioned this pull request Mar 8, 2022
Closed
4 tasks
@SimonBaeumer SimonBaeumer force-pushed the sb/rox-8825-operator-api branch from da101bd to fa70404 Compare March 8, 2022 09:16
porridge
porridge requested changes Mar 8, 2022
View reviewed changes
Copy link
Contributor

@porridge porridge left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly nitpicks but there's also one or two more important things.

@juanrh
Copy link
Contributor

juanrh commented Mar 8, 2022

To answer your first question, @juanrh this is a separate comment block in order to prevent tools from copying it into any user-facing documentation.

Thanks for the clarification @porridge !

@porridge porridge force-pushed the sb/rox-8825-operator-api branch from afed0b5 to a82fbda Compare March 9, 2022 08:46
@porridge
Copy link
Contributor

porridge commented Mar 9, 2022

I just:

  • squashed all changes so far into one commit (to make the next step easier)
  • rebased on tip of master, noting the warning from Connor about required postgres tests
  • added a few changes to address remaining review comments and fix the build/tests, most notably:
  • removed the mention from changelog, since this is still feature-gated and thus not user visible (and IMO not really changelog-worthy according to our definition of what the changelog should contain)
  • restored separate env var for scanner-slim images (I don't see how a single var could work for two different images 🤔 )
  • stripped remaining mentions of "local" in user-visible places
  • guarded against a nil pointer panic in autosense function and extracted the now-common code
  • updated autogenerated code and manifests

@juanrh PTAL

juanrh
juanrh suggested changes Mar 9, 2022
View reviewed changes
Copy link
Contributor

@juanrh juanrh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me in general, but I'd like to clarify something about the image overrides

@msugakov
Copy link
Contributor

msugakov commented Mar 9, 2022

What makes me confused is that this PR #691 is targeted for 3.69.1 patch-release but PR #836 is targeted for 3.69.0 release. Would 3.69.0 still function ok without this change or is it a mistake and the milestone should be 69.0-rc.*?
Related Slack thread https://srox.slack.com/archives/C02TWBJ63DX/p1646825532918719

@porridge porridge merged commit bfcbf99 into master Mar 9, 2022
@porridge porridge deleted the sb/rox-8825-operator-api branch March 9, 2022 15:48
@porridge
Copy link
Contributor

porridge commented Mar 9, 2022

What makes me confused is that this PR #691 is targeted for 3.69.1 patch-release but PR #836 is targeted for 3.69.0 release. Would 3.69.0 still function ok without this change or is it a mistake and the milestone should be 69.0-rc.*?

I think #836 by itself is a no-op, @msugakov

@parametalol parametalol modified the milestones: 69.1-rc.1, 69.0-rc.2 Mar 9, 2022
RTann pushed a commit that referenced this pull request Mar 9, 2022
@SimonBaeumer @porridge @RTann
ROX-8825 - Add Operator support for Local Scanner in SecuredCluster CR (
a565227 
#691)

Co-authored-by: Marcin Owsiany <porridge@redhat.com>
(cherry picked from commit bfcbf99)
RTann pushed a commit that referenced this pull request Apr 6, 2022
@SimonBaeumer @porridge
ROX-8825 - Add Operator support for Local Scanner in SecuredCluster CR (
b2f3ee1 
#691)

Co-authored-by: Marcin Owsiany <porridge@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@msugakov msugakov msugakov left review comments

@porridge porridge porridge approved these changes

@RTann RTann Awaiting requested review from RTann

+2 more reviewers

@mtesseract mtesseract mtesseract left review comments

@juanrh juanrh juanrh approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area/helm area/operator

Projects

None yet

Milestone

69.0-rc.2

Development

Successfully merging this pull request may close these issues.

7 participants

@SimonBaeumer @juanrh @porridge @msugakov @RTann @mtesseract @parametalol