feat(helm): Configure scanner pods tolerations and annotations (#605)

Signed-off-by: Daniel Pacak <[email protected]>
aquasecurity · May 26, 2021 · 72b99f1 · 72b99f1
1 parent 8815f5f
commit 72b99f1
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 16 deletions.
diff --git a/deploy/helm/templates/config.yaml b/deploy/helm/templates/config.yaml
@@ -6,9 +6,11 @@ metadata:
   labels:
     {{- include "starboard-operator.labels" . | nindent 4 }}
 data:
+  scanJob.tolerations: {{ .Values.starboard.scanJobTolerations | toJson | quote }}
+  scanJob.annotations: {{ .Values.starboard.scanJobAnnotations | quote }}
   {{- if .Values.operator.vulnerabilityScannerEnabled }}
-  vulnerabilityReports.scanner: {{ .Values.operator.vulnerabilityReportsPlugin | quote }}
-  {{- if eq .Values.operator.vulnerabilityReportsPlugin "Trivy" }}
+  vulnerabilityReports.scanner: {{ .Values.starboard.vulnerabilityReportsPlugin | quote }}
+  {{- if eq .Values.starboard.vulnerabilityReportsPlugin "Trivy" }}
   trivy.imageRef: "{{ .Values.trivy.imageRef }}"
   trivy.mode: "{{ .Values.trivy.mode }}"
   {{- if eq .Values.trivy.mode "ClientServer" }}
@@ -24,9 +26,9 @@ data:
   kube-bench.imageRef: "{{ .Values.kubeBench.imageRef }}"
   {{- end }}
   {{- if .Values.operator.configAuditScannerEnabled }}
-  configAuditReports.scanner: {{ .Values.operator.configAuditReportsPlugin | quote }}
+  configAuditReports.scanner: {{ .Values.starboard.configAuditReportsPlugin | quote }}
   {{- end }}
-{{- if eq .Values.operator.configAuditReportsPlugin "Conftest" }}
+{{- if eq .Values.starboard.configAuditReportsPlugin "Conftest" }}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -37,7 +39,7 @@ metadata:
 data:
   conftest.imageRef: {{ .Values.conftest.imageRef | quote }}
 {{- end }}
-{{- if eq .Values.operator.configAuditReportsPlugin "Polaris" }}
+{{- if eq .Values.starboard.configAuditReportsPlugin "Polaris" }}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -50,7 +52,7 @@ data:
   polaris.config.yaml: |
   {{- toYaml .Values.polaris.config | nindent 4 }}
 {{- end }}
-{{- if eq .Values.operator.vulnerabilityReportsPlugin "Aqua" }}
+{{- if eq .Values.starboard.vulnerabilityReportsPlugin "Aqua" }}
 ---
 apiVersion: v1
 kind: ConfigMap

diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -21,10 +21,6 @@ operator:
   configAuditScannerEnabled: true
   # kubernetesBenchmarkEnabled the flag to enable CIS Kubernetes Benchmark scanner
   kubernetesBenchmarkEnabled: true
-  # vulnerabilityReportsPlugin the name of the plugin that generates vulnerability reports. Either `Trivy` or `Aqua`.
-  vulnerabilityReportsPlugin: "Trivy"
-  # configAuditReportsPlugin the name of the plugin that generates config audit reports. Either `Polaris` or `Conftest`.
-  configAuditReportsPlugin: "Polaris"
   # batchDeleteLimit the maximum number of config audit reports deleted by the operator when the plugin's config has changed.
   batchDeleteLimit: 10
   # batchDeleteDelay the duration to wait before deleting another batch of config audit reports.
@@ -70,6 +66,24 @@ envSecret:
   stringData:
     OPERATOR_LOG_DEV_MODE: "false"
 
+starboard:
+  # vulnerabilityReportsPlugin the name of the plugin that generates vulnerability reports. Either `Trivy` or `Aqua`.
+  vulnerabilityReportsPlugin: "Trivy"
+  # configAuditReportsPlugin the name of the plugin that generates config audit reports. Either `Polaris` or `Conftest`.
+  configAuditReportsPlugin: "Polaris"
+
+  # scanJobTolerations tolerations to be applied to the scanner pods so that they can run on nodes with matching taints
+  scanJobTolerations: []
+  # If you do want to specify tolerations, uncomment the following lines, adjust them as necessary, and remove the
+  # square brackets after 'scanJobTolerations:'.
+  # - key: "key1"
+  #   operator: "Equal"
+  #   value: "value1"
+  #   effect: "NoSchedule"
+
+  # scanJobAnnotations comma-separated representation of the annotations which the user wants the scanner pods to be
+  # annotated with. Example: `foo=bar,env=stage` will annotate the scanner pods with the annotations `foo: bar` and `env: stage`
+  scanJobAnnotations: ""
 trivy:
   imageRef: docker.io/aquasec/trivy:0.16.0
   mode: Standalone
@@ -274,13 +288,14 @@ conftest:
   imageRef: docker.io/openpolicyagent/conftest:v0.25.0
 
 aqua:
-  # imageRef Aqua scanner image reference. The tag determines the version of the scanner binary executable and it must be compatible with version of Aqua server.
+  # imageRef Aqua scanner image reference. The tag determines the version of the scanner binary executable and it must
+  # be compatible with version of Aqua server.
   imageRef: docker.io/aquasec/scanner:5.3
-  # serverURL The endpoint URL of Aqua management console
+  # serverURL the endpoint URL of Aqua management console
   serverURL:
-  # username Aqua management console username
+  # username the Aqua management console username
   username:
-  # password Aqua management console password
+  # password the Aqua management console password
   password:
 
 rbac:

diff --git a/docs/settings.md b/docs/settings.md
@@ -82,7 +82,7 @@ The following tables list available configuration settings with their default va
 | `polaris.config.yaml`           | [Check the default value here][default-polaris-config] | Polaris configuration file |
 | `conftest.imageRef`             | `docker.io/openpolicyagent/conftest:v0.25.0`           | Conftest image reference |
 | `scanJob.tolerations`           | N/A                                                    | JSON representation of the [tolerations] to be applied to the scanner pods so that they can run on nodes with matching taints. Example: `'[{"key":"key1", "operator":"Equal", "value":"value1", "effect":"NoSchedule"}]'` |
-| `scanJob.annotations`           | N/A                                                    | One-line comma-separated representation of the annotations which the user wants the scan job's pods to be annotated with. Example: `foo=bar,env=stage` will annotate the scan job's pods with the annotations `foo: bar` and `env: stage` |
+| `scanJob.annotations`           | N/A                                                    | One-line comma-separated representation of the annotations which the user wants the scanner pods to be annotated with. Example: `foo=bar,env=stage` will annotate the scanner pods with the annotations `foo: bar` and `env: stage` |
 
 | SECRET KEY                  | DESCRIPTION |
 | --------------------------- | ----------- |

diff --git a/pkg/configauditreport/builder.go b/pkg/configauditreport/builder.go
@@ -71,7 +71,7 @@ func (s *ScanJobBuilder) Get() (*batchv1.Job, []*corev1.Secret, error) {
 		return nil, nil, err
 	}
 
-	podSpec.Tolerations = append(podSpec.Tolerations, s.tolerations...)
+	jobSpec.Tolerations = append(jobSpec.Tolerations, s.tolerations...)
 
 	podSpecHash := kube.ComputeHash(podSpec)