Merged
@@ -119,6 +119,12 @@ spec:
{{- if ._rox.env.openshift }}
- name: ROX_OPENSHIFT_API
value: "true"
[<- if and (not .KubectlOutput) .FeatureFlags.ROX_LOCAL_IMAGE_SCANNING >]
- name: ROX_USE_LOCAL_SCANNER
Contributor

The env var does not need to be set unconditionally because false is the default even if it is not set on the pod.
See here: https://github.com/stackrox/stackrox/blob/master/pkg/env/sensor.go#L20-L20

The reason you get the nil pointer errors is this code, which only adds the scanner shape if the feature flag is enabled and not in kubectl output mode:
https://github.com/stackrox/stackrox/blob/master/image/templates/helm/stackrox-secured-cluster/templates/_init.tpl.htpl#L41-L45

Can you add these env variables only:

  • If not in kubectl output AND feature flag enabled in the meta templating stage?
    The check is this: [< if and (not .KubectlOutput) .FeatureFlags.ROX_LOCAL_IMAGE_SCANNING ->]
  • The env variables should be inside the {{- if ._rox.env.openshift }} above.
{{ if ._rox.env.openshift }}
- name: ROX_OPENSHIFT_API
  value: "true"
[<- if and (not .KubectlOutput) .FeatureFlags.ROX_LOCAL_IMAGE_SCANNING >]
- name: ROX_USE_LOCAL_SCANNER
  value: {{ not ._rox.scanner.disable }}
- name: ROX_SCANNER_GRPC_ENDPOINT
  value: {{ printf "%s.%s.svc:8443" ._rox.scanner.name .Release.Namespace }}
[<- end >]
{{ end }}

In case you get an error because {{ not ._rox.scanner.disable }} was not "false", you need to do a hack and change it to {{ not ._rox.scanner.disable | not | not }} to convert it.

Contributor Author

Done. I had to remove the test that checks ROX_SCANNER_GRPC_ENDPOINT is missing, because I cannot manipulate KubectlOutput or FeatureFlags in the test.
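The thread above turns on what the Helm stage of this template actually renders for the two env vars. As an added example that is not part of this PR or of the stackrox chart, the following Go program uses the standard text/template package to render the `{{ ... }}` part of the reviewed snippet for both values of scanner.disable. The Values struct, the function names and the use of printf "%q" as a stand-in for Helm's sprig quote are assumptions made for this example; the chart addresses its values as ._rox.scanner.disable, and the [< ... >] meta-templating markers are resolved in an earlier stage that is not modelled here.

```go
package main

import (
	"bytes"
	"fmt"
	"strconv"
	"text/template"
)

// Values is a stand-in for the subset of chart values the sensor template
// reads. The field names are an assumption for this example; the chart
// itself addresses them as ._rox.scanner.disable and .Release.Namespace.
type Values struct {
	Scanner struct {
		Disable bool
	}
	Release struct {
		Namespace string
	}
}

// sensorEnvTmpl is the Helm-stage part of the snippet under review. The
// [< ... >] meta-templating markers are resolved in an earlier stage and
// are not modelled here.
const sensorEnvTmpl = `- name: ROX_USE_LOCAL_SCANNER
  value: {{ not .Scanner.Disable | not | not }}
- name: ROX_SCANNER_GRPC_ENDPOINT
  value: {{ printf "scanner.%s.svc:8443" .Release.Namespace }}
`

// sensorEnvQuotedTmpl renders the boolean as a quoted string, which is what
// a Kubernetes EnvVar.value has to be. printf "%q" is the text/template
// stand-in for Helm's sprig "quote" (an assumption for this example).
const sensorEnvQuotedTmpl = `- name: ROX_USE_LOCAL_SCANNER
  value: {{ printf "%t" (not .Scanner.Disable) | printf "%q" }}
`

// render parses and executes a template against data.
func render(tmplText string, data interface{}) (string, error) {
	t, err := template.New("sensor").Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func newValues(disable bool, namespace string) Values {
	var v Values
	v.Scanner.Disable = disable
	v.Release.Namespace = namespace
	return v
}

// RenderSensorEnv renders the env entries exactly as the reviewed template does.
func RenderSensorEnv(disable bool, namespace string) (string, error) {
	return render(sensorEnvTmpl, newValues(disable, namespace))
}

// RenderSensorEnvQuoted renders the ROX_USE_LOCAL_SCANNER entry with a string value.
func RenderSensorEnvQuoted(disable bool) (string, error) {
	return render(sensorEnvQuotedTmpl, newValues(disable, "stackrox"))
}

// NotNotNot evaluates `not X | not | not`. A Go template pipeline passes the
// previous result as the last argument of the next command, so this is
// not(not(not X)), i.e. the same boolean as not X.
func NotNotNot(x bool) (bool, error) {
	out, err := render(`{{ not . | not | not }}`, x)
	if err != nil {
		return false, err
	}
	return strconv.ParseBool(out)
}

func main() {
	for _, disable := range []bool{false, true} {
		out, err := RenderSensorEnv(disable, "custom-ns")
		if err != nil {
			panic(err)
		}
		fmt.Printf("scanner.disable=%v (unquoted):\n%s", disable, out)
		quoted, err := RenderSensorEnvQuoted(disable)
		if err != nil {
			panic(err)
		}
		fmt.Printf("scanner.disable=%v (quoted):\n%s", disable, quoted)
	}
}
```

Running it shows the unquoted template emitting a bare `true`/`false` next to a `scanner.<namespace>.svc:8443` endpoint, while the quoted variant emits `"true"`/`"false"`, which is the form the ROX_OPENSHIFT_API entry in the same template already uses.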

value: {{ not ._rox.scanner.disable | not | not }}
- name: ROX_SCANNER_GRPC_ENDPOINT
value: {{ printf "scanner.%s.svc:8443" .Release.Namespace }}
[<- end >]
{{- end}}
[<- if not .KubectlOutput >]
- name: ROX_HELM_CLUSTER_CONFIG_FP
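Review bot: `ROX_USE_LOCAL_SCANNER` is rendered as an unquoted boolean (`value: {{ not ._rox.scanner.disable | not | not }}`) while the neighbouring `ROX_OPENSHIFT_API` entry writes `value: "true"`; Kubernetes `EnvVar.value` is a string, so a bare `true`/`false` in the rendered manifest is rejected when applied. Render it as a string, e.g. `value: {{ not ._rox.scanner.disable | quote }}`, and compare against `"true"`/`"false"` in the chart tests. The trailing `| not | not` negates twice and leaves the boolean unchanged, so it can go once the value is quoted. Separately, the endpoint hard-codes the service name (`printf "scanner.%s.svc:8443"`) whereas the version suggested in the thread derives it from `._rox.scanner.name`; if the scanner service name is configurable, this endpoint will point at the wrong service.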
@@ -96,3 +96,28 @@ tests:
.serviceaccounts["scanner"] | .imagePullSecrets | assertThat(length == 5)
.serviceaccounts["scanner"] | .imagePullSecrets[] | select(.name == "existing-secret1")
.serviceaccounts["scanner"] | .imagePullSecrets[] | select(.name == "existing-secret2")

- name: "sensor only connects to local scanner when it is enabled"
tests:
- name: "local scanner enabled"
set:
scanner.disable: false
expect: |
.deployments["sensor"].spec.template.spec.containers[0].env[] |
select(.name == "ROX_USE_LOCAL_SCANNER") | assertThat(.value)
- name: "local scanner disabled"
set:
scanner.disable: true
expect: |
.deployments["sensor"].spec.template.spec.containers[0].env[] |
select(.name == "ROX_USE_LOCAL_SCANNER") | assertThat(.value == false)

- name: "sensor connects to local scanner using the correct GRPC endpoint"
release:
namespace: custom-ns
set:
allowNonstandardNamespace: true
scanner.disable: false
expect: |
.deployments["sensor"].spec.template.spec.containers[0].env[] |
select(.name == "ROX_SCANNER_GRPC_ENDPOINT") | assertThat(.value == "scanner.custom-ns.svc:8443")
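Review bot: in the "local scanner enabled" case `assertThat(.value)` only checks truthiness, so it would also pass for any non-empty string (a rendered `"false"` included); assert the value explicitly, `assertThat(.value == true)`, symmetric with the disabled case that follows. The endpoint test only covers the enabled path in `custom-ns`; since the thread says the missing-endpoint case was dropped because `KubectlOutput`/`FeatureFlags` cannot be set from these tests, a comment on the test naming that gap would help the next reader. Also, the env entries live inside `{{- if ._rox.env.openshift }}` in the template; unless the suite sets `env.openshift` at a higher level, these tests should set it explicitly so the `select` actually matches a rendered entry.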