refactor: Remove Aqua settings from generic starboard ConfigMap (#604)

Signed-off-by: Daniel Pacak <[email protected]>
aquasecurity · May 26, 2021 · 8815f5f · 8815f5f
1 parent ddf6f58
commit 8815f5f
Show file tree

Hide file tree

Showing 7 changed files with 90 additions and 46 deletions.
diff --git a/deploy/helm/templates/config.yaml b/deploy/helm/templates/config.yaml
@@ -44,9 +44,31 @@ kind: ConfigMap
 metadata:
   name: starboard-polaris-config
   labels:
-  {{- include "starboard-operator.labels" . | nindent 4 }}
+    {{- include "starboard-operator.labels" . | nindent 4 }}
 data:
   polaris.imageRef: "{{ .Values.polaris.imageRef }}"
   polaris.config.yaml: |
   {{- toYaml .Values.polaris.config | nindent 4 }}
 {{- end }}
+{{- if eq .Values.operator.vulnerabilityReportsPlugin "Aqua" }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: starboard-aqua-config
+  labels:
+     {{- include "starboard-operator.labels" . | nindent 4 }}
+data:
+  aqua.imageRef: {{ required ".Values.aqua.imageRef is required!" .Values.aqua.imageRef | quote }}
+  aqua.serverURL: {{ required ".Values.aqua.serverURL is required!" .Values.aqua.serverURL | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: starboard-aqua-config
+  labels:
+    {{- include "starboard-operator.labels" . | nindent 4 }}
+data:
+  aqua.username: {{ required ".Values.aqua.username is required!" .Values.aqua.username | b64enc | quote }}
+  aqua.password: {{ required ".Values.aqua.password is required!" .Values.aqua.password | b64enc | quote }}
+{{- end}}
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -273,6 +273,16 @@ conftest:
   # imageRef the image reference
   imageRef: docker.io/openpolicyagent/conftest:v0.25.0
 
+aqua:
+  # imageRef Aqua scanner image reference. The tag determines the version of the scanner binary executable and it must be compatible with version of Aqua server.
+  imageRef: docker.io/aquasec/scanner:5.3
+  # serverURL The endpoint URL of Aqua management console
+  serverURL:
+  # username Aqua management console username
+  username:
+  # password Aqua management console password
+  password:
+
 rbac:
   create: true
 serviceAccount:

diff --git a/docs/integrations/vulnerability-scanners/aqua-enterprise.md b/docs/integrations/vulnerability-scanners/aqua-enterprise.md
@@ -5,44 +5,60 @@ connector for Aqua attempts to fetch the vulnerability report for the specified
 If the report is not found, it spins up an ad-hoc scan by executing the `scannercli` command.
 
 The value of `aqua.imageRef` determines the version of the actual `scannercli` binary executable and must be
-compatible with the version of your Aqua deployment. By default, `scannercli` 5.3 is used, but if you are running,
+compatible with the version of your Aqua server. By default, `scannercli` 5.3 is used, but if you are running,
 for example, Aqua 5.2, change the value to `docker.io/aquasec/scanner:5.2`.
 
-To integrate Aqua scanner change the value of the `vulnerabilityReports.scanner` property to `Aqua` and specify
-the `aqua.serverURL`:
+To integrate Aqua scanner change the value of the `vulnerabilityReports.scanner` property to `Aqua`:
 
 ```
-AQUA_SERVER_URL=<your console URL>
-
 kubectl patch cm starboard -n <starboard_namespace> \
   --type merge \
   -p "$(cat <<EOF
 {
   "data": {
-    "vulnerabilityReports.scanner": "Aqua",
-    "aqua.serverURL":               "$AQUA_SERVER_URL"
+    "vulnerabilityReports.scanner": "Aqua"
   }
 }
 EOF
 )"
 ```
 
-Finally, edit the `starboard` secret to configure `aqua.username` and `aqua.password` credentials, which are used
-to connect to the Aqua's management console:
+Specify the container image of Aqua scanner and server URL:
+
+```
+AQUA_SERVER_URL=<your console URL>
+
+kubectl create configmap starboard-aqua-config -n <starboard_namespace> \
+  --from-literal=aqua.imageRef=docker.io/aquasec/scanner:5.3 \
+  --from-literal=aqua.serverURL=$AQUA_SERVER_URL
+```
+
+Finally, create or edit the `starboard-aqua-config` secret to configure `aqua.username` and `aqua.password` credentials,
+which are used to connect to the Aqua's management console:
 
 ```
 AQUA_CONSOLE_USERNAME=<your username>
 AQUA_CONSOLE_PASSWORD=<your password>
 
-kubectl patch secret starboard -n <starboard_namespace> \
-  --type merge \
-  -p "$(cat <<EOF
-{
-  "data": {
-    "aqua.username": "$(echo -n $AQUA_CONSOLE_USERNAME | base64)",
-    "aqua.password": "$(echo -n $AQUA_CONSOLE_PASSWORD | base64)"
-  }
-}
-EOF
-)"
+kubectl create secret generic starboard-aqua-config -n <starboard_namespace> \
+  --from-literal=aqua.username=$AQUA_CONSOLE_USERNAME \
+  --from-literal=aqua.password=$AQUA_CONSOLE_PASSWORD
 ```
+
+!!! tip
+
+    You can use Helm installer to enable Aqua Enterprise scanner as follows:
+    ```
+    AQUA_SERVER_URL=<your console URL>
+    AQUA_CONSOLE_USERNAME=<your username>
+    AQUA_CONSOLE_PASSWORD=<your password>
+
+    helm install starboard-operator ./deploy/helm \
+      -n starboard-operator --create-namespace \
+      --set="targetNamespaces=default" \
+      --set="operator.vulnerabilityReportsPlugin=Aqua" \
+      --set="aqua.imageRef=docker.io/aquasec/scanner:5.3" \
+      --set="aqua.serverURL=$AQUA_SERVER_URL" \
+      --set="aqua.username=$AQUA_CONSOLE_USERNAME" \
+      --set="aqua.password=$AQUA_CONSOLE_PASSWORD"
+    ```
diff --git a/pkg/plugin/aqua/plugin.go b/pkg/plugin/aqua/plugin.go
@@ -15,43 +15,35 @@ import (
 	"k8s.io/utils/pointer"
 )
 
-// Config defines configuration settings for the Aqua vulnerabilityreport.Plugin.
-type Config interface {
-	GetAquaImageRef() (string, error)
-}
-
-type scanner struct {
+type plugin struct {
 	idGenerator ext.IDGenerator
 	buildInfo   starboard.BuildInfo
-	config      Config
 }
 
 // NewPlugin constructs a new vulnerabilityreport.Plugin, which is using
 // the Aqua Enterprise to scan container images of Kubernetes workloads.
 func NewPlugin(
 	idGenerator ext.IDGenerator,
 	buildInfo starboard.BuildInfo,
-	config Config,
 ) vulnerabilityreport.Plugin {
-	return &scanner{
+	return &plugin{
 		idGenerator: idGenerator,
 		buildInfo:   buildInfo,
-		config:      config,
 	}
 }
 
-func (s *scanner) GetScanJobSpec(_ starboard.PluginContext, spec corev1.PodSpec, _ map[string]docker.Auth) (corev1.PodSpec, []*corev1.Secret, error) {
+func (s *plugin) GetScanJobSpec(ctx starboard.PluginContext, spec corev1.PodSpec, _ map[string]docker.Auth) (corev1.PodSpec, []*corev1.Secret, error) {
 	initContainerName := s.idGenerator.GenerateID()
 
-	aquaImageRef, err := s.config.GetAquaImageRef()
+	aquaImageRef, err := s.getImageRef(ctx)
 	if err != nil {
 		return corev1.PodSpec{}, nil, err
 	}
 
 	scanJobContainers := make([]corev1.Container, len(spec.Containers))
 	for i, container := range spec.Containers {
 		var err error
-		scanJobContainers[i], err = s.newScanJobContainer(container)
+		scanJobContainers[i], err = s.newScanJobContainer(ctx, container)
 		if err != nil {
 			return corev1.PodSpec{}, nil, err
 		}
@@ -98,8 +90,8 @@ func (s *scanner) GetScanJobSpec(_ starboard.PluginContext, spec corev1.PodSpec,
 	}, nil, nil
 }
 
-func (s *scanner) newScanJobContainer(podContainer corev1.Container) (corev1.Container, error) {
-	aquaImageRef, err := s.config.GetAquaImageRef()
+func (s *plugin) newScanJobContainer(ctx starboard.PluginContext, podContainer corev1.Container) (corev1.Container, error) {
+	aquaImageRef, err := s.getImageRef(ctx)
 	if err != nil {
 		return corev1.Container{}, err
 	}
@@ -130,7 +122,7 @@ func (s *scanner) newScanJobContainer(podContainer corev1.Container) (corev1.Con
 				ValueFrom: &corev1.EnvVarSource{
 					ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
 						LocalObjectReference: corev1.LocalObjectReference{
-							Name: starboard.SecretName,
+							Name: starboard.GetPluginConfigMapName("Aqua"),
 						},
 						Key: "aqua.serverURL",
 					},
@@ -141,7 +133,7 @@ func (s *scanner) newScanJobContainer(podContainer corev1.Container) (corev1.Con
 				ValueFrom: &corev1.EnvVarSource{
 					SecretKeyRef: &corev1.SecretKeySelector{
 						LocalObjectReference: corev1.LocalObjectReference{
-							Name: starboard.SecretName,
+							Name: starboard.GetPluginConfigMapName("Aqua"),
 						},
 						Key: "aqua.username",
 					},
@@ -152,7 +144,7 @@ func (s *scanner) newScanJobContainer(podContainer corev1.Container) (corev1.Con
 				ValueFrom: &corev1.EnvVarSource{
 					SecretKeyRef: &corev1.SecretKeySelector{
 						LocalObjectReference: corev1.LocalObjectReference{
-							Name: starboard.SecretName,
+							Name: starboard.GetPluginConfigMapName("Aqua"),
 						},
 						Key: "aqua.password",
 					},
@@ -183,8 +175,16 @@ func (s *scanner) newScanJobContainer(podContainer corev1.Container) (corev1.Con
 	}, nil
 }
 
-func (s *scanner) ParseVulnerabilityReportData(_ string, logsReader io.ReadCloser) (v1alpha1.VulnerabilityScanResult, error) {
+func (s *plugin) ParseVulnerabilityReportData(_ string, logsReader io.ReadCloser) (v1alpha1.VulnerabilityScanResult, error) {
 	var report v1alpha1.VulnerabilityScanResult
 	err := json.NewDecoder(logsReader).Decode(&report)
 	return report, err
 }
+
+func (s *plugin) getImageRef(ctx starboard.PluginContext) (string, error) {
+	config, err := ctx.GetConfig()
+	if err != nil {
+		return "", err
+	}
+	return config.GetRequiredData("aqua.imageRef")
+}
diff --git a/pkg/plugin/aqua/plugin_test.go b/pkg/plugin/aqua/plugin_test.go
@@ -0,0 +1 @@
+package aqua_test
diff --git a/pkg/plugin/factory.go b/pkg/plugin/factory.go
@@ -74,7 +74,7 @@ func (r *Resolver) GetVulnerabilityPlugin() (vulnerabilityreport.Plugin, starboa
 	case starboard.Trivy:
 		return trivy.NewPlugin(ext.NewSystemClock(), ext.NewGoogleUUIDGenerator(), r.config), pluginContext, nil
 	case starboard.Aqua:
-		return aqua.NewPlugin(ext.NewGoogleUUIDGenerator(), r.buildInfo, r.config), pluginContext, nil
+		return aqua.NewPlugin(ext.NewGoogleUUIDGenerator(), r.buildInfo), pluginContext, nil
 	}
 	return nil, nil, fmt.Errorf("unsupported vulnerability scanner plugin: %s", scanner)
 }

diff --git a/pkg/starboard/config.go b/pkg/starboard/config.go
@@ -273,7 +273,6 @@ func GetDefaultConfig() ConfigData {
 		"trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 		"trivy.imageRef": "docker.io/aquasec/trivy:0.16.0",
 		keyTrivyMode:     string(Standalone),
-		"aqua.imageRef":  "docker.io/aquasec/scanner:5.3",
 
 		"kube-bench.imageRef":  "docker.io/aquasec/kube-bench:0.5.0",
 		"kube-hunter.imageRef": "docker.io/aquasec/kube-hunter:0.4.1",
@@ -403,10 +402,6 @@ func (c ConfigData) GetTrivyInsecureRegistries() map[string]bool {
 	return insecureRegistries
 }
 
-func (c ConfigData) GetAquaImageRef() (string, error) {
-	return c.getRequiredProperty("aqua.imageRef")
-}
-
 func (c ConfigData) GetKubeBenchImageRef() (string, error) {
 	return c.getRequiredProperty("kube-bench.imageRef")
 }