From b9c1f7242e4fa8b35acda95ff4cc46f43d7af158 Mon Sep 17 00:00:00 2001
From: Juan Rodriguez Hortala
Date: Thu, 3 Mar 2022 17:13:48 +0100
Subject: [PATCH 1/5] Add ROX_SCANNER_GRPC_ENDPOINT and ROX_USE_LOCAL_SCANNER env vars to Sensor
---
 .../templates/sensor.yaml.htpl | 6 ++++
 .../scanner-slim/scanner-slim.test.yaml | 32 +++++++++++++++++++
 2 files changed, 38 insertions(+)
diff --git a/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl b/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl
index 77b4003811b5b..41e369fe19835 100644
--- a/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl
+++ b/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl
@@ -120,6 +120,12 @@ spec:
 - name: ROX_OPENSHIFT_API
 value: "true"
 {{- end}}
+ - name: ROX_USE_LOCAL_SCANNER
+ value: {{ not ._rox.scanner.disable }}
+ {{- if not ._rox.scanner.disable }}
+ - name: ROX_SCANNER_GRPC_ENDPOINT
+ value: {{ printf "%s.%s.svc:8443" ._rox.scanner.name .Release.Namespace }}
+ {{- end}}
 [<- if not .KubectlOutput >]
 - name: ROX_HELM_CLUSTER_CONFIG_FP
 value: {{ quote ._rox._configFP }}
diff --git a/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml b/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml
index a5ff94bdca6f0..0b3fb50ef2a62 100644
--- a/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml
+++ b/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml
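Review bot: `value: {{ not ._rox.scanner.disable }}` renders an unquoted `true`/`false`, which YAML parses as a boolean, whereas a Kubernetes `EnvVar.value` is a string field and the API server rejects a bool there; the neighbouring `ROX_OPENSHIFT_API` entry in the same hunk writes `value: "true"` and `ROX_HELM_CLUSTER_CONFIG_FP` goes through `quote`, so the new entry should match: `value: {{ not ._rox.scanner.disable | quote }}`. The chart test added in this series asserts `.value == false`, which confirms the rendered value is a boolean rather than a string. The same unquoted value survives the rewrites in [PATCH 2/5] and [PATCH 5/5]; only the `else` branch was later quoted in [PATCH 3/5]. The env-var list continues outside the hunk.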
@@ -96,3 +96,35 @@ tests:
 .serviceaccounts["scanner"] | .imagePullSecrets | assertThat(length == 5)
 .serviceaccounts["scanner"] | .imagePullSecrets[] | select(.name == "existing-secret1")
 .serviceaccounts["scanner"] | .imagePullSecrets[] | select(.name == "existing-secret2")
+
+- name: "sensor only connects to local scanner when it is enabled"
+ tests:
+ - name: "local scanner enabled"
+ set:
+ scanner.disable: false
+ expect: |
+ .deployments["sensor"].spec.template.spec.containers[0].env[] |
+ select(.name == "ROX_USE_LOCAL_SCANNER") | assertThat(.value)
+ - name: "local scanner disabled"
+ set:
+ scanner.disable: true
+ expect: |
+ .deployments["sensor"].spec.template.spec.containers[0].env[] |
+ select(.name == "ROX_USE_LOCAL_SCANNER") | assertThat(.value == false)
+
+- name: "sensor connects to local scanner using the correct GRPC endpoint"
+ tests:
+ - name: "env var is missing when scanner is disabled"
+ set:
+ scanner.disable: true
+ expect: |
+ [.deployments["sensor"].spec.template.spec.containers[0].env[] | select(.name == "ROX_SCANNER_GRPC_ENDPOINT")] | assertThat(length == 0)
+ - name: "when scanner is enabled"
+ release:
+ namespace: custom-ns
+ set:
+ allowNonstandardNamespace: true
+ scanner.disable: false
+ expect: |
+ .deployments["sensor"].spec.template.spec.containers[0].env[] |
+ select(.name == "ROX_SCANNER_GRPC_ENDPOINT") | assertThat(.value == "scanner-slim.custom-ns.svc:8443")
From 94a07127551729a58aff39815ae2330534dd0a57 Mon Sep 17 00:00:00 2001
From: Juan Rodriguez Hortala
Date: Thu, 3 Mar 2022 18:44:57 +0100
Subject: [PATCH 2/5] git null pointer error when ._rox.scanner is not defined
---
 .../stackrox-secured-cluster/templates/sensor.yaml.htpl | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl b/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl
index 41e369fe19835..eca5de17a3caf 100644
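Review bot: In the `local scanner enabled` case, `assertThat(.value)` only checks jq truthiness, and any non-empty string (including the string `"false"`) is truthy in jq, so the assertion would still pass if the template ever emitted a quoted `"false"`; pin the exact value instead, `select(.name == "ROX_USE_LOCAL_SCANNER") | assertThat(.value == true)` (or `== "true"` once the template quotes the value). The sibling `local scanner disabled` case already compares against an exact value, so the two cases would then be symmetric and a regression in either direction would be caught.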
--- a/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl
+++ b/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl
@@ -121,11 +121,15 @@ spec:
 value: "true"
 {{- end}}
 - name: ROX_USE_LOCAL_SCANNER
+ {{- if ._rox.scanner }}
 value: {{ not ._rox.scanner.disable }}
- {{- if not ._rox.scanner.disable }}
+ {{- if not ._rox.scanner.disable }}
 - name: ROX_SCANNER_GRPC_ENDPOINT
 value: {{ printf "%s.%s.svc:8443" ._rox.scanner.name .Release.Namespace }}
- {{- end}}
+ {{- end }}
+ {{- else }}
+ value: false
+ {{- end }}
 [<- if not .KubectlOutput >]
 - name: ROX_HELM_CLUSTER_CONFIG_FP
 value: {{ quote ._rox._configFP }}
From a0591c9fadf1e4a8f09f781df71c449e7db6e5ea Mon Sep 17 00:00:00 2001
From: Juan Rodriguez Hortala
Date: Thu, 3 Mar 2022 19:52:46 +0100
Subject: [PATCH 3/5] quote env var value when ._rox.scanner is not defined
---
 .../helm/stackrox-secured-cluster/templates/sensor.yaml.htpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl b/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl
index eca5de17a3caf..5ab63dca1dd5f 100644
--- a/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl
+++ b/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl
@@ -128,7 +128,7 @@ spec:
 value: {{ printf "%s.%s.svc:8443" ._rox.scanner.name .Release.Namespace }}
 {{- end }}
 {{- else }}
- value: false
+ value: "false"
 {{- end }}
 [<- if not .KubectlOutput >]
 - name: ROX_HELM_CLUSTER_CONFIG_FP
From adc5da5088912ff4488f4195a0c30935feecfa6d Mon Sep 17 00:00:00 2001
From: Juan Rodriguez Hortala
Date: Mon, 7 Mar 2022 14:49:41 +0100
Subject: [PATCH 4/5] adapt to removing scanner slim prefixes in ROX-9589
---
 .../helm/stackrox-secured-cluster/templates/sensor.yaml.htpl | 2 +-
 .../testdata/scanner-slim/scanner-slim.test.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
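Review bot: The hunk rewrites `{{- end}}` as `{{- end }}` and adds `{{- else }}`/`{{- end }}` with an inner space, while the adjacent context in the same template (`{{- end}}` two lines above, and the `{{- end}}` that [PATCH 5/5] later keeps) uses no space; pick one form for the file so the closers stay greppable. Separately, the `- name: ROX_USE_LOCAL_SCANNER` item now receives its `value:` from one of two template branches, so a reader has to follow both to confirm the item always ends up with a value; a template comment above the guard, `{{- /* both branches below emit the value: key for ROX_USE_LOCAL_SCANNER */}}`, would make that explicit. The env-var list continues outside the hunk.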
diff --git a/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl b/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl
index 5ab63dca1dd5f..dce43b8f6d75e 100644
--- a/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl
+++ b/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl
@@ -125,7 +125,7 @@ spec:
 value: {{ not ._rox.scanner.disable }}
 {{- if not ._rox.scanner.disable }}
 - name: ROX_SCANNER_GRPC_ENDPOINT
- value: {{ printf "%s.%s.svc:8443" ._rox.scanner.name .Release.Namespace }}
+ value: {{ printf "scanner.%s.svc:8443" .Release.Namespace }}
 {{- end }}
 {{- else }}
 value: "false"
diff --git a/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml b/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml
index 0b3fb50ef2a62..58dbd88941e00 100644
--- a/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml
+++ b/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml
@@ -127,4 +127,4 @@ tests:
 scanner.disable: false
 expect: |
 .deployments["sensor"].spec.template.spec.containers[0].env[] |
- select(.name == "ROX_SCANNER_GRPC_ENDPOINT") | assertThat(.value == "scanner-slim.custom-ns.svc:8443")
+ select(.name == "ROX_SCANNER_GRPC_ENDPOINT") | assertThat(.value == "scanner.custom-ns.svc:8443")
From 84f5a95bd6717c8a1591f7c6a798b7dc40ab362a Mon Sep 17 00:00:00 2001
From: Juan Rodriguez Hortala
Date: Mon, 7 Mar 2022 16:00:44 +0100
Subject: [PATCH 5/5] simplify logic
---
 .../templates/sensor.yaml.htpl | 12 ++++------
 .../scanner-slim/scanner-slim.test.yaml | 23 +++++++------------
 2 files changed, 12 insertions(+), 23 deletions(-)
diff --git a/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl b/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl
index dce43b8f6d75e..546f7df2effe1 100644
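Review bot: `printf "scanner.%s.svc:8443" .Release.Namespace` hard-codes the Service name, so the endpoint no longer follows `._rox.scanner.name` as the removed line did; if the Service fronting the local scanner is still rendered from that value anywhere else in the chart, the two can drift silently and Sensor would be handed a name that does not resolve, which is worth a check against the scanner templates. If ROX-9589 made the Service name fixed, a template comment next to the line recording that, `{{- /* local scanner Service name is fixed to "scanner" since ROX-9589 */}}`, would explain why the value is no longer taken from values. The `- name: ROX_USE_LOCAL_SCANNER` item and the outer `{{- if ._rox.scanner }}` guard start outside the hunk.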
--- a/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl
+++ b/image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl
@@ -119,17 +119,13 @@ spec:
 {{- if ._rox.env.openshift }}
 - name: ROX_OPENSHIFT_API
 value: "true"
- {{- end}}
+ [<- if and (not .KubectlOutput) .FeatureFlags.ROX_LOCAL_IMAGE_SCANNING >]
 - name: ROX_USE_LOCAL_SCANNER
- {{- if ._rox.scanner }}
- value: {{ not ._rox.scanner.disable }}
- {{- if not ._rox.scanner.disable }}
+ value: {{ not ._rox.scanner.disable | not | not }}
 - name: ROX_SCANNER_GRPC_ENDPOINT
 value: {{ printf "scanner.%s.svc:8443" .Release.Namespace }}
- {{- end }}
- {{- else }}
- value: "false"
- {{- end }}
+ [<- end >]
+ {{- end}}
 [<- if not .KubectlOutput >]
 - name: ROX_HELM_CLUSTER_CONFIG_FP
 value: {{ quote ._rox._configFP }}
diff --git a/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml b/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml
index 58dbd88941e00..ce3624039380e 100644
--- a/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml
+++ b/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml
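Review bot: Removing `{{- end}}` after `value: "true"` and re-adding it after `[<- end >]` moves the `ROX_USE_LOCAL_SCANNER` and `ROX_SCANNER_GRPC_ENDPOINT` entries inside the `{{- if ._rox.env.openshift }}` block, so on the new side they are rendered only when the OpenShift flag is set; the commit message says only "simplify logic", so if that restriction is intended it needs a template comment such as `{{- /* local scanner env vars are only emitted on OpenShift */}}`, and if it is not, the original `{{- end}}` should stay ahead of the new `[<- if ... >]` line. `value: {{ not ._rox.scanner.disable | not | not }}` is also hard to read, since `not x | not | not` evaluates to the same as `not x`; write it as `value: {{ not ._rox.scanner.disable | quote }}`, which both drops the double negation and makes the env value a string. The nil guard on `._rox.scanner` from [PATCH 2/5] is dropped here as well, so a values file without a `scanner` section would presumably hit the same template error that commit fixed unless the chart defaults always define it — worth confirming.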
@@ -113,18 +113,11 @@ tests:
 select(.name == "ROX_USE_LOCAL_SCANNER") | assertThat(.value == false)

 - name: "sensor connects to local scanner using the correct GRPC endpoint"
- tests:
- - name: "env var is missing when scanner is disabled"
- set:
- scanner.disable: true
- expect: |
- [.deployments["sensor"].spec.template.spec.containers[0].env[] | select(.name == "ROX_SCANNER_GRPC_ENDPOINT")] | assertThat(length == 0)
- - name: "when scanner is enabled"
- release:
- namespace: custom-ns
- set:
- allowNonstandardNamespace: true
- scanner.disable: false
- expect: |
- .deployments["sensor"].spec.template.spec.containers[0].env[] |
- select(.name == "ROX_SCANNER_GRPC_ENDPOINT") | assertThat(.value == "scanner.custom-ns.svc:8443")
+ release:
+ namespace: custom-ns
+ set:
+ allowNonstandardNamespace: true
+ scanner.disable: false
+ expect: |
+ .deployments["sensor"].spec.template.spec.containers[0].env[] |
+ select(.name == "ROX_SCANNER_GRPC_ENDPOINT") | assertThat(.value == "scanner.custom-ns.svc:8443")
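Review bot: Dropping the `env var is missing when scanner is disabled` case leaves `ROX_SCANNER_GRPC_ENDPOINT` with no test for the disabled path, and after [PATCH 5/5] the template emits the endpoint regardless of `scanner.disable`, so the contract Sensor now relies on — the endpoint is present but must be ignored when `ROX_USE_LOCAL_SCANNER` is false — is not pinned anywhere in the chart tests; a replacement case with `scanner.disable: true` that asserts `ROX_USE_LOCAL_SCANNER` is false and the endpoint still equals `scanner.custom-ns.svc:8443` would document it. The retained context line `assertThat(.value == false)` two lines up also compares against a YAML boolean, which only holds as long as the template keeps emitting an unquoted value.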