refactor: vulnerabilityreport.ReadWriter to use controller-runtime Cl…

…ient (#403)

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>

go.sum

@@ -443,6 +443,7 @@ github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerX
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E=
 github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=

pkg/cmd/get_report.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"io"
 
-	"github.com/aquasecurity/starboard/pkg/generated/clientset/versioned"
 	"github.com/aquasecurity/starboard/pkg/report"
 	"github.com/aquasecurity/starboard/pkg/starboard"
 	"github.com/spf13/cobra"
@@ -29,10 +28,6 @@ NAME is the name of a particular Kubernetes workload.
 			if err != nil {
 				return err
 			}
-			starboardClientset, err := versioned.NewForConfig(kubeConfig)
-			if err != nil {
-				return err
-			}
 			kubeClientset, err := kubernetes.NewForConfig(kubeConfig)
 			if err != nil {
 				return err
@@ -51,7 +46,7 @@ NAME is the name of a particular Kubernetes workload.
 				return err
 			}
 
-			reporter := report.NewHTMLReporter(starboardClientset, kubeClientset, kubeClient)
+			reporter := report.NewHTMLReporter(kubeClientset, kubeClient)
 			return reporter.GenerateReport(workload, outWriter)
 		},
 	}

pkg/cmd/get_vulnerabilities.go

@@ -5,15 +5,13 @@ import (
 	"fmt"
 	"io"
 
-	"github.com/aquasecurity/starboard/pkg/starboard"
-
 	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
+	"github.com/aquasecurity/starboard/pkg/starboard"
 	"github.com/aquasecurity/starboard/pkg/vulnerabilityreport"
-
-	clientset "github.com/aquasecurity/starboard/pkg/generated/clientset/versioned"
 	"github.com/spf13/cobra"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/client-go/kubernetes"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 func NewGetVulnerabilitiesCmd(executable string, cf *genericclioptions.ConfigFlags, outWriter io.Writer) *cobra.Command {
@@ -40,15 +38,16 @@ NAME is the name of a particular Kubernetes workload.
 		RunE: func(cmd *cobra.Command, args []string) error {
 			ctx := context.Background()
 
-			config, err := cf.ToRESTConfig()
+			kubeConfig, err := cf.ToRESTConfig()
 			if err != nil {
 				return err
 			}
-			starboardClientset, err := clientset.NewForConfig(config)
+			kubeClientset, err := kubernetes.NewForConfig(kubeConfig)
 			if err != nil {
 				return err
 			}
-			kubernetesClientset, err := kubernetes.NewForConfig(config)
+			scheme := starboard.NewScheme()
+			kubeClient, err := client.New(kubeConfig, client.Options{Scheme: scheme})
 			if err != nil {
 				return err
 			}
@@ -65,7 +64,8 @@ NAME is the name of a particular Kubernetes workload.
 				return err
 			}
 
-			items, err := vulnerabilityreport.NewReadWriter(starboardClientset, kubernetesClientset).FindByOwner(ctx, workload)
+			reader := vulnerabilityreport.NewReadWriter(kubeClient, kubeClientset)
+			items, err := reader.FindByOwnerInHierarchy(ctx, workload)
 			if err != nil {
 				return fmt.Errorf("list vulnerability reports: %v", err)
 			}

pkg/cmd/scan_vulnerabilities.go

@@ -5,12 +5,12 @@ import (
 	"fmt"
 
 	"github.com/aquasecurity/starboard/pkg/config"
-	apis "github.com/aquasecurity/starboard/pkg/generated/clientset/versioned"
 	"github.com/aquasecurity/starboard/pkg/starboard"
 	"github.com/aquasecurity/starboard/pkg/vulnerabilityreport"
 	"github.com/spf13/cobra"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/client-go/kubernetes"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 const (
@@ -77,15 +77,20 @@ func ScanVulnerabilityReports(buildInfo starboard.BuildInfo, cf *genericclioptio
 		if err != nil {
 			return err
 		}
-		kubernetesConfig, err := cf.ToRESTConfig()
+		kubeConfig, err := cf.ToRESTConfig()
 		if err != nil {
 			return err
 		}
-		kubernetesClientset, err := kubernetes.NewForConfig(kubernetesConfig)
+		kubeClientset, err := kubernetes.NewForConfig(kubeConfig)
 		if err != nil {
 			return err
 		}
-		starboardConfig, err := starboard.NewConfigManager(kubernetesClientset, starboard.NamespaceName).Read(ctx)
+		scheme := starboard.NewScheme()
+		kubeClient, err := client.New(kubeConfig, client.Options{Scheme: scheme})
+		if err != nil {
+			return err
+		}
+		starboardConfig, err := starboard.NewConfigManager(kubeClientset, starboard.NamespaceName).Read(ctx)
 		if err != nil {
 			return err
 		}
@@ -98,18 +103,14 @@ func ScanVulnerabilityReports(buildInfo starboard.BuildInfo, cf *genericclioptio
 			return err
 		}
 		reports, err := vulnerabilityreport.NewScanner(
-			starboard.NewScheme(),
-			kubernetesClientset,
+			scheme,
+			kubeClientset,
 			opts,
 			plugin).Scan(ctx, workload)
 		if err != nil {
 			return err
 		}
 
-		starboardClientset, err := apis.NewForConfig(kubernetesConfig)
-		if err != nil {
-			return err
-		}
-		return vulnerabilityreport.NewReadWriter(starboardClientset, kubernetesClientset).Write(ctx, reports)
+		return vulnerabilityreport.NewReadWriter(kubeClient, kubeClientset).Write(ctx, reports)
 	}
 }

pkg/configauditreport/io.go

@@ -3,6 +3,7 @@ package configauditreport
 import (
 	"context"
 	"fmt"
+
 	"k8s.io/client-go/kubernetes"
 
 	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
@@ -26,9 +27,9 @@ type Writer interface {
 // kube.Object or nil if the report is not found.
 //
 // FindByOwnerInHierarchy is similar to FindByOwner except that it tries to lookup
-// the v1alpha1.ConfigAuditReport objects owned by related Kubernetes objects.
-// For example, if the given owner is a Deployment, but a report is owned
-// by the active ReplicaSet (current revision) this method will return the report.
+// a v1alpha1.ConfigAuditReport object owned by related Kubernetes objects.
+// For example, if the given owner is a Deployment, but a report is owned by the
+// active ReplicaSet (current revision) this method will return the report.
 type Reader interface {
 	FindByOwner(ctx context.Context, owner kube.Object) (*v1alpha1.ConfigAuditReport, error)
 	FindByOwnerInHierarchy(ctx context.Context, owner kube.Object) (*v1alpha1.ConfigAuditReport, error)

pkg/kubebench/converter_test.go

@@ -3,20 +3,17 @@ package kubebench_test
 import (
 	"encoding/json"
 	"errors"
-	"github.com/aquasecurity/starboard/pkg/ext"
 	"os"
 	"testing"
 	"time"
 
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
+	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
+	"github.com/aquasecurity/starboard/pkg/ext"
 	"github.com/aquasecurity/starboard/pkg/kubebench"
-
 	"github.com/aquasecurity/starboard/pkg/starboard"
-
-	starboardv1alpha1 "github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 var (
@@ -76,14 +73,14 @@ func TestConverter_Convert(t *testing.T) {
 	}
 }
 
-func expectedOutputFrom(t *testing.T, fileName string) starboardv1alpha1.CISKubeBenchOutput {
+func expectedOutputFrom(t *testing.T, fileName string) v1alpha1.CISKubeBenchOutput {
 	t.Helper()
 
 	file, err := os.Open(fileName)
 	require.NoError(t, err)
 	defer file.Close()
 
-	var expectedOutput starboardv1alpha1.CISKubeBenchOutput
+	var expectedOutput v1alpha1.CISKubeBenchOutput
 	err = json.NewDecoder(file).Decode(&expectedOutput)
 	require.NoError(t, err)
 

pkg/operator/operator.go

@@ -129,7 +129,7 @@ func Run(buildInfo starboard.BuildInfo, operatorConfig etc.Config) error {
 		LogsReader:    logsReader,
 		SecretsReader: secretsReader,
 		Plugin:        vulnerabilityReportPlugin,
-		ReadWriter:    vulnerabilityreport.NewControllerRuntimeReadWriter(mgr.GetClient()),
+		ReadWriter:    vulnerabilityreport.NewReadWriter(mgr.GetClient(), kubeClientset),
 	}).SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to setup vulnerabilityreport reconciler: %w", err)
 	}

pkg/report/html.go

@@ -8,7 +8,6 @@ import (
 
 	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
 	"github.com/aquasecurity/starboard/pkg/configauditreport"
-	"github.com/aquasecurity/starboard/pkg/generated/clientset/versioned"
 	"github.com/aquasecurity/starboard/pkg/kube"
 	"github.com/aquasecurity/starboard/pkg/report/templates"
 	"github.com/aquasecurity/starboard/pkg/vulnerabilityreport"
@@ -21,9 +20,9 @@ type htmlReporter struct {
 	configAuditReportsReader   configauditreport.ReadWriter
 }
 
-func NewHTMLReporter(starboardClientset versioned.Interface, kubeClientset kubernetes.Interface, client client.Client) Reporter {
+func NewHTMLReporter(kubeClientset kubernetes.Interface, client client.Client) Reporter {
 	return &htmlReporter{
-		vulnerabilityReportsReader: vulnerabilityreport.NewReadWriter(starboardClientset, kubeClientset),
+		vulnerabilityReportsReader: vulnerabilityreport.NewReadWriter(client, kubeClientset),
 		configAuditReportsReader:   configauditreport.NewReadWriter(client, kubeClientset),
 	}
 }
@@ -34,7 +33,7 @@ func (h *htmlReporter) GenerateReport(workload kube.Object, writer io.Writer) er
 	if err != nil {
 		return err
 	}
-	vulnerabilityReports, err := h.vulnerabilityReportsReader.FindByOwner(ctx, workload)
+	vulnerabilityReports, err := h.vulnerabilityReportsReader.FindByOwnerInHierarchy(ctx, workload)
 	if err != nil {
 		return err
 	}