feat: Install ClusterConfigAuditReport CRD (#675)

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
aquasecurity · Aug 21, 2021 · 396301c · 396301c
1 parent 6f580c6
commit 396301c
Show file tree

Hide file tree

Showing 9 changed files with 57 additions and 12 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -72,7 +72,7 @@ jobs:
       - name: Release snapshot
         uses: goreleaser/goreleaser-action@v2
         with:
-          version: v0.164.0
+          version: v0.175.0
           args: release --snapshot --skip-publish --rm-dist
   itest-starboard:
     name: Run integration tests / Starboard CLI
@@ -144,6 +144,7 @@ jobs:
         run: |
           kubectl apply -f deploy/crd/vulnerabilityreports.crd.yaml \
                  -f deploy/crd/configauditreports.crd.yaml \
+                 -f deploy/crd/clusterconfigauditreports.crd.yaml \
                  -f deploy/crd/ciskubebenchreports.crd.yaml
           kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
             -f deploy/static/02-starboard-operator.sa.yaml \
@@ -187,6 +188,7 @@ jobs:
         run: |
           kubectl apply -f deploy/crd/vulnerabilityreports.crd.yaml \
                  -f deploy/crd/configauditreports.crd.yaml \
+                 -f deploy/crd/clusterconfigauditreports.crd.yaml \
                  -f deploy/crd/ciskubebenchreports.crd.yaml
           kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
             -f deploy/static/02-starboard-operator.sa.yaml \

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -92,6 +92,7 @@ jobs:
         run: |
           kubectl apply -f deploy/crd/vulnerabilityreports.crd.yaml \
                  -f deploy/crd/configauditreports.crd.yaml \
+                 -f deploy/crd/clusterconfigauditreports.crd.yaml \
                  -f deploy/crd/ciskubebenchreports.crd.yaml
           kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
             -f deploy/static/02-starboard-operator.sa.yaml \
@@ -130,6 +131,7 @@ jobs:
         run: |
           kubectl apply -f deploy/crd/vulnerabilityreports.crd.yaml \
                  -f deploy/crd/configauditreports.crd.yaml \
+                 -f deploy/crd/clusterconfigauditreports.crd.yaml \
                  -f deploy/crd/ciskubebenchreports.crd.yaml
           kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
             -f deploy/static/02-starboard-operator.sa.yaml \
@@ -177,7 +179,7 @@ jobs:
       - name: Release
         uses: goreleaser/goreleaser-action@v2
         with:
-          version: v0.164.0
+          version: v0.175.0
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -189,6 +189,7 @@ started with a basic development workflow. For other install modes see [Operator
    ```
    $ kubectl apply -f deploy/crd/vulnerabilityreports.crd.yaml \
        -f deploy/crd/configauditreports.crd.yaml \
+       -f deploy/crd/clusterconfigauditreports.crd.yaml \
        -f deploy/crd/ciskubebenchreports.crd.yaml
    ```
 2. Send the following Kubernetes objects definitions to the Kubernetes API:
@@ -254,6 +255,7 @@ $ kubectl delete -f deploy/static/01-starboard-operator.ns.yaml \
     -f deploy/static/04-starboard-operator.clusterrolebinding.yaml
 $ kubectl delete -f deploy/crd/vulnerabilityreports.crd.yaml \
     -f deploy/crd/configauditreports.crd.yaml \
+    -f deploy/crd/clusterconfigauditreports.crd.yaml \
     -f deploy/crd/ciskubebenchreports.crd.yaml
 ```
 

diff --git a/docs/operator/installation/kubectl.md b/docs/operator/installation/kubectl.md
@@ -11,6 +11,7 @@ watch the `default` namespace:
    ```
    kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/vulnerabilityreports.crd.yaml \
      -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/configauditreports.crd.yaml \
+     -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/clusterconfigauditreports.crd.yaml \
      -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/ciskubebenchreports.crd.yaml
    ```
 2. Send the following Kubernetes objects definitions to the Kubernetes API:
@@ -72,6 +73,7 @@ Delete custom resources definitions:
     ```
     kubectl delete -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/vulnerabilityreports.crd.yaml \
       -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/configauditreports.crd.yaml \
+      -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/clusterconfigauditreports.crd.yaml \
       -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/ciskubebenchreports.crd.yaml
     ```
 

diff --git a/docs/operator/installation/olm.md b/docs/operator/installation/olm.md
@@ -109,6 +109,7 @@ You have to manually delete custom resource definitions created by the OLM opera
     ```
     kubectl delete crd vulnerabilityreports.aquasecurity.github.io
     kubectl delete crd configauditreports.aquasecurity.github.io
+    kubectl delete crd clusterconfigauditreports.aquasecurity.github.io
     kubectl delete crd ciskubebenchreports.aquasecurity.github.io
     ```
 

diff --git a/embedded.go b/embedded.go
@@ -12,6 +12,8 @@ var (
 	vulnerabilityReportsCRD []byte
 	//go:embed deploy/crd/configauditreports.crd.yaml
 	configAuditReportsCRD []byte
+	//go:embed deploy/crd/clusterconfigauditreports.crd.yaml
+	clusterConfigAuditReportsCRD []byte
 	//go:embed deploy/crd/ciskubebenchreports.crd.yaml
 	kubeBenchReportsCRD []byte
 	//go:embed deploy/crd/kubehunterreports.crd.yaml
@@ -26,6 +28,10 @@ func GetConfigAuditReportsCRD() (apiextensionsv1.CustomResourceDefinition, error
 	return getCRDFromBytes(configAuditReportsCRD)
 }
 
+func GetClusterConfigAuditReportsCRD() (apiextensionsv1.CustomResourceDefinition, error) {
+	return getCRDFromBytes(clusterConfigAuditReportsCRD)
+}
+
 func GetCISKubeBenchReportsCRD() (apiextensionsv1.CustomResourceDefinition, error) {
 	return getCRDFromBytes(kubeBenchReportsCRD)
 }

diff --git a/itest/starboard/starboard_cli_test.go b/itest/starboard/starboard_cli_test.go
@@ -83,6 +83,21 @@ var _ = Describe("Starboard CLI", func() {
 						}),
 					}),
 				}),
+				"clusterconfigauditreports.aquasecurity.github.io": MatchFields(IgnoreExtras, Fields{
+					"Spec": MatchFields(IgnoreExtras, Fields{
+						"Group":   Equal("aquasecurity.github.io"),
+						"Version": Equal("v1alpha1"),
+						"Scope":   Equal(apiextensionsv1beta1.ClusterScoped),
+						"Names": Equal(apiextensionsv1beta1.CustomResourceDefinitionNames{
+							Plural:     "clusterconfigauditreports",
+							Singular:   "clusterconfigauditreport",
+							ShortNames: []string{"clusterconfigaudit"},
+							Kind:       "ClusterConfigAuditReport",
+							ListKind:   "ClusterConfigAuditReportList",
+							Categories: []string{"all"},
+						}),
+					}),
+				}),
 				"ciskubebenchreports.aquasecurity.github.io": MatchFields(IgnoreExtras, Fields{
 					"Spec": MatchFields(IgnoreExtras, Fields{
 						"Group":   Equal("aquasecurity.github.io"),

diff --git a/pkg/apis/aquasecurity/v1alpha1/config_audit_types.go b/pkg/apis/aquasecurity/v1alpha1/config_audit_types.go
@@ -9,6 +9,8 @@ const (
 	ConfigAuditReportCRVersion = "v1alpha1"
 	ConfigAuditReportKind      = "ConfigAuditReport"
 	ConfigAuditReportListKind  = "ConfigAuditReportList"
+
+	ClusterConfigAuditReportCRName = "clusterconfigauditreports.aquasecurity.github.io"
 )
 
 const (

diff --git a/pkg/cmd/installer.go b/pkg/cmd/installer.go
@@ -182,6 +182,15 @@ func (m *Installer) Install(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
+	clusterConfigAuditReportsCRD, err := embedded.GetClusterConfigAuditReportsCRD()
+	if err != nil {
+		return err
+	}
+	err = m.createOrUpdateCRD(ctx, &clusterConfigAuditReportsCRD)
+	if err != nil {
+		return err
+	}
+
 	// TODO We should wait for CRD statuses and make sure that the names were accepted
 
 	err = m.createNamespaceIfNotFound(ctx, namespace)
@@ -381,36 +390,40 @@ func (m *Installer) deleteCRD(ctx context.Context, name string) (err error) {
 	return
 }
 
-func (m *Installer) Uninstall(ctx context.Context) (err error) {
-	err = m.deleteCRD(ctx, v1alpha1.VulnerabilityReportsCRName)
+func (m *Installer) Uninstall(ctx context.Context) error {
+	err := m.deleteCRD(ctx, v1alpha1.VulnerabilityReportsCRName)
 	if err != nil {
-		return
+		return err
 	}
 	err = m.deleteCRD(ctx, v1alpha1.CISKubeBenchReportCRName)
 	if err != nil {
-		return
+		return err
 	}
 	err = m.deleteCRD(ctx, v1alpha1.KubeHunterReportCRName)
 	if err != nil {
-		return
+		return err
 	}
 	err = m.deleteCRD(ctx, v1alpha1.ConfigAuditReportCRName)
 	if err != nil {
-		return
+		return err
+	}
+	err = m.deleteCRD(ctx, v1alpha1.ClusterConfigAuditReportCRName)
+	if err != nil {
+		return err
 	}
 	err = m.cleanupRBAC(ctx)
 	if err != nil {
-		return
+		return err
 	}
 
 	err = m.configManager.Delete(ctx)
 	if err != nil {
-		return
+		return err
 	}
 
 	err = m.cleanupNamespace(ctx)
 	if err != nil {
-		return
+		return err
 	}
-	return
+	return nil
 }