feat: Use deterministic names for Secrets created by Conftest plugin (#…

…536) Resolves: #527 Signed-off-by: Daniel Pacak <[email protected]>
aquasecurity · Apr 26, 2021 · 9fd1bfa · 9fd1bfa
1 parent 858ba0d
commit 9fd1bfa
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 11 deletions.
diff --git a/pkg/configauditreport/builder.go b/pkg/configauditreport/builder.go
@@ -76,6 +76,15 @@ func (s *ScanJobBuilder) Get() (*batchv1.Job, []*corev1.Secret, error) {
 		starboard.LabelK8SAppManagedBy:          starboard.AppStarboard,
 	}
 
+	for _, secret := range secrets {
+		if secret.Labels == nil {
+			secret.Labels = make(map[string]string)
+		}
+		for k, v := range labels {
+			secret.Labels[k] = v
+		}
+	}
+
 	return &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      GetScanJobName(s.object),

diff --git a/pkg/operator/controller/configauditreport.go b/pkg/operator/controller/configauditreport.go
@@ -1,14 +1,15 @@
 package controller
 
 import (
+	. "github.com/aquasecurity/starboard/pkg/operator/predicate"
+
 	"context"
 	"fmt"
 
 	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
 	"github.com/aquasecurity/starboard/pkg/configauditreport"
 	"github.com/aquasecurity/starboard/pkg/kube"
 	"github.com/aquasecurity/starboard/pkg/operator/etc"
-	. "github.com/aquasecurity/starboard/pkg/operator/predicate"
 	"github.com/aquasecurity/starboard/pkg/starboard"
 	"github.com/go-logr/logr"
 	appsv1 "k8s.io/api/apps/v1"
@@ -170,9 +171,12 @@ func (r *ConfigAuditReportReconciler) reconcileWorkload(workloadKind kube.Kind)
 		}
 
 		for _, secret := range secrets {
-			secret.Namespace = r.Config.Namespace
 			err := r.Client.Create(ctx, secret)
 			if err != nil {
+				if !errors.IsAlreadyExists(err) {
+					log.V(1).Info("Secret already exists", "secretName", secret.Name)
+					return ctrl.Result{}, nil
+				}
 				return ctrl.Result{}, fmt.Errorf("creating secret: %w", err)
 			}
 		}
@@ -182,6 +186,7 @@ func (r *ConfigAuditReportReconciler) reconcileWorkload(workloadKind kube.Kind)
 		if err != nil {
 			if errors.IsAlreadyExists(err) {
 				// TODO Delete secrets that were created in the previous step. Alternatively we can delete them on schedule.
+				log.V(1).Info("Job already exists", "jobName", job.Name)
 				return ctrl.Result{}, nil
 			}
 			return ctrl.Result{}, fmt.Errorf("creating job: %w", err)

diff --git a/pkg/plugin/conftest/plugin.go b/pkg/plugin/conftest/plugin.go
@@ -70,7 +70,7 @@ func (p *plugin) GetScanJobSpec(ctx starboard.PluginContext, obj client.Object)
 	var volumeMounts []corev1.VolumeMount
 	var volumeItems []corev1.KeyToPath
 
-	secretName := p.idGenerator.GenerateID()
+	secretName := configauditreport.GetScanJobName(obj) + "-volume"
 	secretData := make(map[string]string)
 
 	for policy, script := range policies {

diff --git a/pkg/plugin/conftest/plugin_test.go b/pkg/plugin/conftest/plugin_test.go
@@ -75,7 +75,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 		"Affinity":                     Equal(starboard.LinuxNodeAffinity()),
 		"Volumes": ConsistOf(
 			MatchFields(IgnoreExtras, Fields{
-				"Name": Equal("00000000-0000-0000-0000-000000000001"),
+				"Name": Equal("scan-configauditreport-5d4445db4f-volume"),
 				// We cannot inline assert here on other properties with the MatchFields matcher
 				// because the value of the Secret field is the pointer to v1.SecretVolumeSource.
 				// The MatchFields matcher only works with structs :-(
@@ -99,31 +99,31 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 				}),
 				"VolumeMounts": ConsistOf(
 					corev1.VolumeMount{
-						Name:      "00000000-0000-0000-0000-000000000001",
+						Name:      "scan-configauditreport-5d4445db4f-volume",
 						MountPath: "/project/policy/libkubernetes.rego",
 						SubPath:   "libkubernetes.rego",
 						ReadOnly:  true,
 					},
 					corev1.VolumeMount{
-						Name:      "00000000-0000-0000-0000-000000000001",
+						Name:      "scan-configauditreport-5d4445db4f-volume",
 						MountPath: "/project/policy/libutil.rego",
 						SubPath:   "libutil.rego",
 						ReadOnly:  true,
 					},
 					corev1.VolumeMount{
-						Name:      "00000000-0000-0000-0000-000000000001",
+						Name:      "scan-configauditreport-5d4445db4f-volume",
 						MountPath: "/project/policy/access_to_host_pid.rego",
 						SubPath:   "access_to_host_pid.rego",
 						ReadOnly:  true,
 					},
 					corev1.VolumeMount{
-						Name:      "00000000-0000-0000-0000-000000000001",
+						Name:      "scan-configauditreport-5d4445db4f-volume",
 						MountPath: "/project/policy/cpu_not_limited.rego",
 						SubPath:   "cpu_not_limited.rego",
 						ReadOnly:  true,
 					},
 					corev1.VolumeMount{
-						Name:      "00000000-0000-0000-0000-000000000001",
+						Name:      "scan-configauditreport-5d4445db4f-volume",
 						MountPath: "/project/workload.yaml",
 						SubPath:   "workload.yaml",
 						ReadOnly:  true,
@@ -149,7 +149,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 		"SecurityContext": Equal(&corev1.PodSecurityContext{}),
 	}))
 	g.Expect(*jobSpec.Volumes[0].VolumeSource.Secret).To(MatchFields(IgnoreExtras, Fields{
-		"SecretName": Equal("00000000-0000-0000-0000-000000000001"),
+		"SecretName": Equal("scan-configauditreport-5d4445db4f-volume"),
 		"Items": ConsistOf(
 			corev1.KeyToPath{
 				Key:  "conftest.policy.libkubernetes.rego",
@@ -176,7 +176,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 	g.Expect(secrets).To(ConsistOf(
 		&corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      "00000000-0000-0000-0000-000000000001",
+				Name:      "scan-configauditreport-5d4445db4f-volume",
 				Namespace: "starboard-ns",
 			},
 			StringData: map[string]string{