refactor: review and cleanup starboard config package (#904)
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
danielpacak committed Jan 18, 2022
1 parent b2a8c0d commit 3708c8f
Showing 6 changed files with 315 additions and 264 deletions.
4 changes: 2 additions & 2 deletions deploy/helm/templates/deployment.yaml
Expand Up @@ -75,12 +75,12 @@ spec:
value: {{ .Values.operator.kubernetesBenchmarkEnabled | quote }}
- name: OPERATOR_VULNERABILITY_SCANNER_ENABLED
value: {{ .Values.operator.vulnerabilityScannerEnabled | quote }}
- name: OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
value: {{ .Values.operator.vulnerabilityScannerScanOnlyCurrentRevisions | quote }}
- name: OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL
value: {{ .Values.operator.vulnerabilityScannerReportTTL | quote }}
- name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED
value: {{ .Values.operator.configAuditScannerEnabled | quote }}
- name: OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
value: {{ .Values.operator.vulnerabilityScannerScanOnlyCurrentRevisions | quote }}
{{- if gt (int .Values.operator.replicas) 1 }}
- name: OPERATOR_LEADER_ELECTION_ENABLED
value: "true"
4 changes: 2 additions & 2 deletions deploy/static/04-starboard-operator.deployment.yaml
Expand Up @@ -79,12 +79,12 @@ spec:
value: "true"
- name: OPERATOR_VULNERABILITY_SCANNER_ENABLED
value: "true"
- name: OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
value: "false"
- name: OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL
value: ""
- name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED
value: "true"
- name: OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
value: "false"
ports:
- name: metrics
containerPort: 8080
34 changes: 17 additions & 17 deletions pkg/operator/etc/config.go
Expand Up @@ -10,24 +10,24 @@ import (

// Config defines parameters for running the operator.
type Config struct {
Namespace string `env:"OPERATOR_NAMESPACE"`
TargetNamespaces string `env:"OPERATOR_TARGET_NAMESPACES"`
ServiceAccount string `env:"OPERATOR_SERVICE_ACCOUNT" envDefault:"starboard-operator"`
LogDevMode bool `env:"OPERATOR_LOG_DEV_MODE" envDefault:"false"`
ScanJobTimeout time.Duration `env:"OPERATOR_SCAN_JOB_TIMEOUT" envDefault:"5m"`
ConcurrentScanJobsLimit int `env:"OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT" envDefault:"10"`
ScanJobRetryAfter time.Duration `env:"OPERATOR_SCAN_JOB_RETRY_AFTER" envDefault:"30s"`
BatchDeleteLimit int `env:"OPERATOR_BATCH_DELETE_LIMIT" envDefault:"10"`
BatchDeleteDelay time.Duration `env:"OPERATOR_BATCH_DELETE_DELAY" envDefault:"10s"`
MetricsBindAddress string `env:"OPERATOR_METRICS_BIND_ADDRESS" envDefault:":8080"`
HealthProbeBindAddress string `env:"OPERATOR_HEALTH_PROBE_BIND_ADDRESS" envDefault:":9090"`
CISKubernetesBenchmarkEnabled bool `env:"OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED" envDefault:"true"`
VulnerabilityScannerEnabled bool `env:"OPERATOR_VULNERABILITY_SCANNER_ENABLED" envDefault:"true"`
ConfigAuditScannerEnabled bool `env:"OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED" envDefault:"true"`
LeaderElectionEnabled bool `env:"OPERATOR_LEADER_ELECTION_ENABLED" envDefault:"false"`
LeaderElectionID string `env:"OPERATOR_LEADER_ELECTION_ID" envDefault:"starboard-lock"`
VulnerabilityScannerScanOnlyCurrentRevisions bool `env:"OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS" envDefault:"false"`
Namespace string `env:"OPERATOR_NAMESPACE"`
TargetNamespaces string `env:"OPERATOR_TARGET_NAMESPACES"`
ServiceAccount string `env:"OPERATOR_SERVICE_ACCOUNT" envDefault:"starboard-operator"`
LogDevMode bool `env:"OPERATOR_LOG_DEV_MODE" envDefault:"false"`
ScanJobTimeout time.Duration `env:"OPERATOR_SCAN_JOB_TIMEOUT" envDefault:"5m"`
ConcurrentScanJobsLimit int `env:"OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT" envDefault:"10"`
ScanJobRetryAfter time.Duration `env:"OPERATOR_SCAN_JOB_RETRY_AFTER" envDefault:"30s"`
BatchDeleteLimit int `env:"OPERATOR_BATCH_DELETE_LIMIT" envDefault:"10"`
BatchDeleteDelay time.Duration `env:"OPERATOR_BATCH_DELETE_DELAY" envDefault:"10s"`
MetricsBindAddress string `env:"OPERATOR_METRICS_BIND_ADDRESS" envDefault:":8080"`
HealthProbeBindAddress string `env:"OPERATOR_HEALTH_PROBE_BIND_ADDRESS" envDefault:":9090"`
CISKubernetesBenchmarkEnabled bool `env:"OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED" envDefault:"true"`
VulnerabilityScannerEnabled bool `env:"OPERATOR_VULNERABILITY_SCANNER_ENABLED" envDefault:"true"`
VulnerabilityScannerScanOnlyCurrentRevisions bool `env:"OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS" envDefault:"false"`
VulnerabilityScannerReportTTL *time.Duration `env:"OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL"`
ConfigAuditScannerEnabled bool `env:"OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED" envDefault:"true"`
LeaderElectionEnabled bool `env:"OPERATOR_LEADER_ELECTION_ENABLED" envDefault:"false"`
LeaderElectionID string `env:"OPERATOR_LEADER_ELECTION_ID" envDefault:"starboard-lock"`
}

// GetOperatorConfig loads Config from environment variables.
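Review bot: The new VulnerabilityScannerReportTTL field is the only pointer-typed setting in Config and carries no envDefault, so it is presumably left nil whenever OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL is unset, yet nothing on the struct says what nil means to the code that consumes it. A field comment along the lines of `// VulnerabilityScannerReportTTL bounds how long vulnerability reports are retained; nil (variable unset) disables expiry.` — adjusted to whatever the consumer actually does — would give readers, and the nil checks they must write before dereferencing, a stated contract instead of an inferred one. The static manifest in this commit sets the variable to an empty string; whether the env library treats "" as unset or as a parse error for a *time.Duration is not visible here and is worth pinning with a test. The struct's imports and GetOperatorConfig lie outside the hunk.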
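--- a/pkg/starboard/config.go
+++ b/pkg/starboard/config.go
@@ -44,7 +44,7 @@ type BuildInfo struct {
 Executable string
 }
 
-// Scanner represents unique, human readable identifier of a security scanner.
+// Scanner represents unique, human-readable identifier of a security scanner.
 type Scanner string
 
 const (
@@ -57,6 +57,12 @@ const (
 const (
 keyVulnerabilityReportsScanner = "vulnerabilityReports.scanner"
 keyConfigAuditReportsScanner = "configAuditReports.scanner"
+keyKubeBenchImageRef = "kube-bench.imageRef"
+keyKubeHunterImageRef = "kube-hunter.imageRef"
+keyKubeHunterQuick = "kube-hunter.quick"
+keyScanJobTolerations = "scanJob.tolerations"
+keyScanJobAnnotations = "scanJob.annotations"
+keyScanJobPodTemplateLabels = "scanJob.podTemplateLabels"
 )
 
 // ConfigData holds Starboard configuration settings as a set
@@ -82,16 +88,6 @@ func GetDefaultConfig() ConfigData {
 }
 }
 
-func (c ConfigData) GetScanJobTolerations() ([]corev1.Toleration, error) {
-scanJobTolerations := []corev1.Toleration{}
-if c["scanJob.tolerations"] == "" {
-return scanJobTolerations, nil
-}
-err := json.Unmarshal([]byte(c["scanJob.tolerations"]), &scanJobTolerations)
-
-return scanJobTolerations, err
-}
-
 func (c ConfigData) GetVulnerabilityReportsScanner() (Scanner, error) {
 var ok bool
 var value string
@@ -127,8 +123,18 @@ func (c ConfigData) GetConfigAuditReportsScanner() (Scanner, error) {
 value, keyConfigAuditReportsScanner, Polaris, Conftest)
 }
 
+func (c ConfigData) GetScanJobTolerations() ([]corev1.Toleration, error) {
+var scanJobTolerations []corev1.Toleration
+if c[keyScanJobTolerations] == "" {
+return scanJobTolerations, nil
+}
+err := json.Unmarshal([]byte(c[keyScanJobTolerations]), &scanJobTolerations)
+
+return scanJobTolerations, err
+}
+
 func (c ConfigData) GetScanJobAnnotations() (map[string]string, error) {
-scanJobAnnotationsStr, found := c[AnnotationScanJobAnnotations]
+scanJobAnnotationsStr, found := c[keyScanJobAnnotations]
 if !found || strings.TrimSpace(scanJobAnnotationsStr) == "" {
 return map[string]string{}, nil
 }
@@ -137,7 +143,7 @@ func (c ConfigData) GetScanJobAnnotations() (map[string]string, error) {
 for _, annotation := range strings.Split(scanJobAnnotationsStr, ",") {
 sepByEqual := strings.Split(annotation, "=")
 if len(sepByEqual) != 2 {
-return map[string]string{}, fmt.Errorf("custom annotations found to be wrongfully provided: %s", scanJobAnnotationsStr)
+return map[string]string{}, fmt.Errorf("failed parsing incorrectly formatted custom scan job annotations: %s", scanJobAnnotationsStr)
 }
 key, value := sepByEqual[0], sepByEqual[1]
 scanJobAnnotationsMap[key] = value
@@ -147,7 +153,7 @@ func (c ConfigData) GetScanJobAnnotations() (map[string]string, error) {
 }
 
 func (c ConfigData) GetScanJobPodTemplateLabels() (labels.Set, error) {
-scanJobPodTemplateLabelsStr, found := c[AnnotationScanJobPodTemplateLabels]
+scanJobPodTemplateLabelsStr, found := c[keyScanJobPodTemplateLabels]
 if !found || strings.TrimSpace(scanJobPodTemplateLabelsStr) == "" {
 return labels.Set{}, nil
 }
@@ -156,7 +162,7 @@ func (c ConfigData) GetScanJobPodTemplateLabels() (labels.Set, error) {
 for _, annotation := range strings.Split(scanJobPodTemplateLabelsStr, ",") {
 sepByEqual := strings.Split(annotation, "=")
 if len(sepByEqual) != 2 {
-return labels.Set{}, fmt.Errorf("custom template labels found to be wrongfully provided: %s", scanJobPodTemplateLabelsStr)
+return labels.Set{}, fmt.Errorf("failed parsing incorrectly formatted custom scan pod template labels: %s", scanJobPodTemplateLabelsStr)
 }
 key, value := sepByEqual[0], sepByEqual[1]
 scanJobPodTemplateLabelsMap[key] = value
@@ -166,15 +172,15 @@ func (c ConfigData) GetScanJobPodTemplateLabels() (labels.Set, error) {
 }
 
 func (c ConfigData) GetKubeBenchImageRef() (string, error) {
-return c.GetRequiredData("kube-bench.imageRef")
+return c.GetRequiredData(keyKubeBenchImageRef)
 }
 
 func (c ConfigData) GetKubeHunterImageRef() (string, error) {
-return c.GetRequiredData("kube-hunter.imageRef")
+return c.GetRequiredData(keyKubeHunterImageRef)
 }
 
 func (c ConfigData) GetKubeHunterQuick() (bool, error) {
-val, ok := c["kube-hunter.quick"]
+val, ok := c[keyKubeHunterQuick]
 if !ok {
 return false, nil
 }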
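Review bot: GetScanJobAnnotations and GetScanJobPodTemplateLabels still split each pair with `strings.Split(annotation, "=")` and reject anything that does not yield exactly two parts, so a value that itself contains `=` is refused with the new error message instead of parsed; `sepByEqual := strings.SplitN(annotation, "=", 2)` keeps the `len(sepByEqual) != 2` check meaningful for a missing separator while accepting such values. Neither function trims whitespace around individual keys or values (only the whole string is trimmed), so `a=b, c=d` produces a key of ` c`, which will be rejected as a label key later. In the relocated GetScanJobTolerations the json.Unmarshal error is returned bare; wrapping it as `return nil, fmt.Errorf("parsing %s: %w", keyScanJobTolerations, err)` would tell the cluster operator which config entry is malformed. None of the exported getters in this file carry a doc comment; a one-liner such as `// GetScanJobTolerations decodes the scanJob.tolerations entry, a JSON array of corev1.Toleration, and returns nil when the entry is empty.` on each would make the config contract readable without opening the parser.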
