
✨ allow setting custom env vars for container and node scans (#1098)
* ✨ allow setting custom env vars for container and node scans

Signed-off-by: Ivan Milchev <[email protected]>

* fix unit tests

Signed-off-by: Ivan Milchev <[email protected]>

* always sort env vars

Signed-off-by: Ivan Milchev <[email protected]>

---------

Signed-off-by: Ivan Milchev <[email protected]>
imilchev authored Apr 30, 2024
1 parent 5f5dba2 commit 9d391d3
Showing 9 changed files with 367 additions and 4 deletions.
6 changes: 6 additions & 0 deletions api/v1alpha2/mondooauditconfig_types.go
Expand Up @@ -114,6 +114,9 @@ type Nodes struct {
Style NodeScanStyle `json:"style,omitempty"`
// PriorityClassName specifies the name of the PriorityClass for the node scanning workloads.
PriorityClassName string `json:"priorityClassName,omitempty"`
// Env allows setting extra environment variables for the node scanner. If the operator sets already an env
// variable with the same name, the value specified here will override it.
Env []corev1.EnvVar `json:"envVar,omitempty"`
}

type Admission struct {
Expand Down Expand Up @@ -143,6 +146,9 @@ type Containers struct {
Resources corev1.ResourceRequirements `json:"resources,omitempty"`
// Specify a custom crontab schedule for the container image scanning job. If not specified, the default schedule is used.
Schedule string `json:"schedule,omitempty"`
// Env allows setting extra environment variables for the node scanner. If the operator sets already an env
// variable with the same name, the value specified here will override it.
Env []corev1.EnvVar `json:"envVar,omitempty"`
}

type Image struct {
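Review bot: The doc comment on Containers.Env in the second hunk still says "node scanner" — a copy-paste of the Nodes.Env comment — so the generated CRD description for the containers block will be wrong; change the first line to `// Env allows setting extra environment variables for the container image scanner. If the operator already sets an env` and keep the second line. The json tag is `envVar` while the field is `Env`, and the Kubernetes convention for this exact shape (PodSpec, Container) is `env`; once this ships the tag cannot be renamed without a breaking API change, so settle it before merge. Both comments should also say that the override applies to operator-controlled variables and that `valueFrom` references (secretKeyRef, configMapKeyRef) are resolved in the namespace the scanner workload runs in, since the CRD schema accepts them and write access to a MondooAuditConfig therefore lets a user surface that namespace's Secrets into the scanner environment.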
15 changes: 14 additions & 1 deletion api/v1alpha2/zz_generated.deepcopy.go


232 changes: 232 additions & 0 deletions config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml
Expand Up @@ -99,6 +99,122 @@ spec:
properties:
enable:
type: boolean
envVar:
description: |-
Env allows setting extra environment variables for the node scanner. If the operator sets already an env
variable with the same name, the value specified here will override it.
items:
description: EnvVar represents an environment variable present
in a Container.
properties:
name:
description: Name of the environment variable. Must be a
C_IDENTIFIER.
type: string
value:
description: |-
Variable references $(VAR_NAME) are expanded
using the previously defined environment variables in the container and
any service environment variables. If a variable cannot be resolved,
the reference in the input string will be unchanged. Double $$ are reduced
to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
"$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
Escaped references will never be expanded, regardless of whether the variable
exists or not.
Defaults to "".
type: string
valueFrom:
description: Source for the environment variable's value.
Cannot be used if value is not empty.
properties:
configMapKeyRef:
description: Selects a key of a ConfigMap.
properties:
key:
description: The key to select.
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the ConfigMap or its
key must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
fieldRef:
description: |-
Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,
spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
properties:
apiVersion:
description: Version of the schema the FieldPath
is written in terms of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to select in the
specified API version.
type: string
required:
- fieldPath
type: object
x-kubernetes-map-type: atomic
resourceFieldRef:
description: |-
Selects a resource of the container: only resources limits and requests
(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
properties:
containerName:
description: 'Container name: required for volumes,
optional for env vars'
type: string
divisor:
anyOf:
- type: integer
- type: string
description: Specifies the output format of the
exposed resources, defaults to "1"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
resource:
description: 'Required: resource to select'
type: string
required:
- resource
type: object
x-kubernetes-map-type: atomic
secretKeyRef:
description: Selects a key of a secret in the pod's
namespace
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the Secret or its key
must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
required:
- name
type: object
type: array
resources:
description: ResourceRequirements describes the compute resource
requirements.
Expand Down Expand Up @@ -227,6 +343,122 @@ spec:
properties:
enable:
type: boolean
envVar:
description: |-
Env allows setting extra environment variables for the node scanner. If the operator sets already an env
variable with the same name, the value specified here will override it.
items:
description: EnvVar represents an environment variable present
in a Container.
properties:
name:
description: Name of the environment variable. Must be a
C_IDENTIFIER.
type: string
value:
description: |-
Variable references $(VAR_NAME) are expanded
using the previously defined environment variables in the container and
any service environment variables. If a variable cannot be resolved,
the reference in the input string will be unchanged. Double $$ are reduced
to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
"$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
Escaped references will never be expanded, regardless of whether the variable
exists or not.
Defaults to "".
type: string
valueFrom:
description: Source for the environment variable's value.
Cannot be used if value is not empty.
properties:
configMapKeyRef:
description: Selects a key of a ConfigMap.
properties:
key:
description: The key to select.
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the ConfigMap or its
key must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
fieldRef:
description: |-
Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,
spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
properties:
apiVersion:
description: Version of the schema the FieldPath
is written in terms of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to select in the
specified API version.
type: string
required:
- fieldPath
type: object
x-kubernetes-map-type: atomic
resourceFieldRef:
description: |-
Selects a resource of the container: only resources limits and requests
(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
properties:
containerName:
description: 'Container name: required for volumes,
optional for env vars'
type: string
divisor:
anyOf:
- type: integer
- type: string
description: Specifies the output format of the
exposed resources, defaults to "1"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
resource:
description: 'Required: resource to select'
type: string
required:
- resource
type: object
x-kubernetes-map-type: atomic
secretKeyRef:
description: Selects a key of a secret in the pod's
namespace
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the Secret or its key
must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
required:
- name
type: object
type: array
intervalTimer:
default: 60
description: |-
31 changes: 31 additions & 0 deletions controllers/container_image/deployment_handler_test.go
Expand Up @@ -77,6 +77,37 @@ func (s *DeploymentHandlerSuite) TestReconcile_Create() {
s.Equal(expected, created)
}

func (s *DeploymentHandlerSuite) TestReconcile_Create_CustomEnvVars() {
d := s.createDeploymentHandler()
mondooAuditConfig := &s.auditConfig
mondooAuditConfig.Spec.Containers.Env = []corev1.EnvVar{{Name: "TEST_ENV", Value: "TEST_VALUE"}}
s.NoError(d.KubeClient.Create(s.ctx, mondooAuditConfig))

result, err := d.Reconcile(s.ctx)
s.NoError(err)
s.True(result.IsZero())

image, err := s.containerImageResolver.CnspecImage("", "", false)
s.NoError(err)

expected := CronJob(image, "", test.KubeSystemNamespaceUid, "", &s.auditConfig, mondoov1alpha2.MondooOperatorConfig{})
s.NoError(ctrl.SetControllerReference(&s.auditConfig, expected, d.KubeClient.Scheme()))

// Set some fields that the kube client sets
expected.ResourceVersion = "1"

created := &batchv1.CronJob{}
created.Name = expected.Name
created.Namespace = expected.Namespace
s.NoError(d.KubeClient.Get(s.ctx, client.ObjectKeyFromObject(created), created))

// Make sure the env vars for both are sorted
utils.SortEnvVars(expected.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env)
utils.SortEnvVars(created.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env)

s.Equal(expected, created)
}

func (s *DeploymentHandlerSuite) TestReconcile_CreateWithCustomImage() {
d := s.createDeploymentHandler()
mondooAuditConfig := &s.auditConfig
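Review bot: TestReconcile_Create_CustomEnvVars only adds TEST_ENV, which collides with nothing the operator sets, so the override behaviour the field comment promises is untested and a MergeEnv that appended a duplicate instead of replacing would still pass. Extend the test (or add a sibling) that sets `{Name: "MONDOO_AUTO_UPDATE", Value: "true"}` and asserts the created CronJob's container env holds exactly one MONDOO_AUTO_UPDATE entry with Value "true". As written, expected is built by the same CronJob() helper and both slices are sorted before comparison, so the assertion mostly proves the helper round-trips through the fake client rather than what the merge does.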
1 change: 1 addition & 0 deletions controllers/container_image/resources.go
Expand Up @@ -45,6 +45,7 @@ func CronJob(image, integrationMrn, clusterUid, privateImageScanningSecretName s

envVars := feature_flags.AllFeatureFlagsAsEnv()
envVars = append(envVars, corev1.EnvVar{Name: "MONDOO_AUTO_UPDATE", Value: "false"})
envVars = k8s.MergeEnv(envVars, m.Spec.Containers.Env)

cronjob := &batchv1.CronJob{
ObjectMeta: metav1.ObjectMeta{
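Review bot: The `k8s.MergeEnv` call runs after `MONDOO_AUTO_UPDATE=false` and the feature-flag env are assembled, so a MondooAuditConfig author can flip auto-update back on or toggle feature flags for the scan job; that matches the field comment, but nothing at the call site says it is intentional, and MergeEnv's precedence and nil handling are defined outside this hunk. Add `// Merged last on purpose: user-supplied vars override MONDOO_AUTO_UPDATE and the feature-flag vars (see Spec.Containers.Env).` above the call. Because the CRD accepts valueFrom.secretKeyRef and configMapKeyRef, the resulting CronJob can also read any Secret or ConfigMap in its own namespace, which is worth stating in the operator docs as a consequence of granting write access to MondooAuditConfig. CronJob's body continues past the end of the hunk.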
