refactor: Remove redundant args passed to configauditreport.Plugin (#432

)

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>

CONTRIBUTING.md

@@ -198,6 +198,11 @@ started with a basic development workflow. For other install modes see [Operator
    This will create the `starboard-operator` namespace, and the `starboard-operator` service account. Beyond that,
    it will create the `starboard-operator` ClusterRole and bind it to the `starboard-operator` service account in the
    `starboard-operator` namespace via the `starboard-operator` ClusterRoleBinding.
+3. (Optional) Create configuration objects:
+
+   ```
+   $ kubectl create -f deploy/static/05-starboard-operator.config.yaml
+   ```
 
 ### In cluster
 

pkg/configauditreport/plugin.go

@@ -4,9 +4,7 @@ import (
 	"io"
 
 	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
-	"github.com/aquasecurity/starboard/pkg/kube"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -15,9 +13,18 @@ import (
 // first step to separate generic workloads discovery code and Polaris
 // implementation details.
 type Plugin interface {
-	GetScanJobSpec(workload kube.Object, obj client.Object, gvk schema.GroupVersionKind) (corev1.PodSpec, []*corev1.Secret, error)
 
-	GetContainerName() string
+	// GetScanJobSpec describes the pod that will be created by Starboard when
+	// it schedules a Kubernetes job to scan the specified workload client.Object.
+	// The plugin might return zero to many v1.Secret objects which will be
+	// created by Starboard and associated with the scan job.
+	GetScanJobSpec(obj client.Object) (corev1.PodSpec, []*corev1.Secret, error)
+
+	// ParseConfigAuditReportData is a callback to parse and convert logs of
+	// the container in a pod controlled by the scan job to v1alpha1.ConfigAuditResult.
+	ParseConfigAuditReportData(logsReader io.ReadCloser) (v1alpha1.ConfigAuditResult, error)
 
-	ParseConfigAuditResult(logsReader io.ReadCloser) (v1alpha1.ConfigAuditResult, error)
+	// GetContainerName returns the name of the container in a pod created by a scan job
+	// to read logs from.
+	GetContainerName() string
 }

pkg/configauditreport/scanner.go

@@ -56,7 +56,7 @@ func (s *Scanner) Scan(ctx context.Context, workload kube.Object, gvk schema.Gro
 	}
 
 	klog.V(3).Infof("Scanning with options: %+v", s.opts)
-	job, secrets, err := s.getScanJob(workload, owner, gvk)
+	job, secrets, err := s.getScanJob(workload, owner)
 	if err != nil {
 		return v1alpha1.ConfigAuditReport{}, err
 	}
@@ -87,7 +87,7 @@ func (s *Scanner) Scan(ctx context.Context, workload kube.Object, gvk schema.Gro
 		return v1alpha1.ConfigAuditReport{}, fmt.Errorf("getting logs: %w", err)
 	}
 
-	result, err := s.plugin.ParseConfigAuditResult(logsStream)
+	result, err := s.plugin.ParseConfigAuditReportData(logsStream)
 	defer func() {
 		_ = logsStream.Close()
 	}()
@@ -98,8 +98,8 @@ func (s *Scanner) Scan(ctx context.Context, workload kube.Object, gvk schema.Gro
 		Get()
 }
 
-func (s *Scanner) getScanJob(workload kube.Object, obj client.Object, gvk schema.GroupVersionKind) (*batchv1.Job, []*corev1.Secret, error) {
-	jobSpec, secrets, err := s.plugin.GetScanJobSpec(workload, obj, gvk)
+func (s *Scanner) getScanJob(workload kube.Object, obj client.Object) (*batchv1.Job, []*corev1.Secret, error) {
+	jobSpec, secrets, err := s.plugin.GetScanJobSpec(obj)
 	if err != nil {
 		return nil, nil, err
 	}

pkg/kube/object.go

@@ -172,6 +172,11 @@ func (o *ObjectResolver) GetObjectFromPartialObject(ctx context.Context, workloa
 	if err != nil {
 		return nil, err
 	}
+	gvk, err := apiutil.GVKForObject(obj, o.Client.Scheme())
+	if err != nil {
+		return nil, err
+	}
+	obj.GetObjectKind().SetGroupVersionKind(gvk)
 	return obj, nil
 }
 

pkg/operator/controller/configauditreport.go

@@ -20,7 +20,6 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
@@ -222,12 +221,7 @@ func (r *ConfigAuditReportReconciler) getScanJobName(workload kube.Object) strin
 }
 
 func (r *ConfigAuditReportReconciler) getScanJob(workload kube.Object, obj client.Object, hash string) (*batchv1.Job, []*corev1.Secret, error) {
-	gvk, err := apiutil.GVKForObject(obj, r.Client.Scheme())
-	if err != nil {
-		return nil, nil, err
-	}
-
-	jobSpec, secrets, err := r.Plugin.GetScanJobSpec(workload, obj, gvk)
+	jobSpec, secrets, err := r.Plugin.GetScanJobSpec(obj)
 
 	if err != nil {
 		return nil, nil, err
@@ -341,7 +335,7 @@ func (r *ConfigAuditReportReconciler) processCompleteScanJob(ctx context.Context
 		return fmt.Errorf("getting logs: %w", err)
 	}
 
-	result, err := r.Plugin.ParseConfigAuditResult(logsStream)
+	result, err := r.Plugin.ParseConfigAuditReportData(logsStream)
 	defer func() {
 		_ = logsStream.Close()
 	}()

pkg/plugin/polaris/plugin.go

@@ -8,12 +8,10 @@ import (
 	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
 	"github.com/aquasecurity/starboard/pkg/configauditreport"
 	"github.com/aquasecurity/starboard/pkg/ext"
-	"github.com/aquasecurity/starboard/pkg/kube"
 	"github.com/aquasecurity/starboard/pkg/starboard"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -41,12 +39,12 @@ func NewPlugin(clock ext.Clock, config Config) configauditreport.Plugin {
 	}
 }
 
-func (p *plugin) GetScanJobSpec(workload kube.Object, obj client.Object, gvk schema.GroupVersionKind) (corev1.PodSpec, []*corev1.Secret, error) {
+func (p *plugin) GetScanJobSpec(obj client.Object) (corev1.PodSpec, []*corev1.Secret, error) {
 	imageRef, err := p.config.GetPolarisImageRef()
 	if err != nil {
 		return corev1.PodSpec{}, nil, err
 	}
-	sourceName := p.sourceNameFrom(workload, gvk)
+	sourceName := p.sourceNameFrom(obj)
 
 	return corev1.PodSpec{
 		ServiceAccountName:           starboard.ServiceAccountName,
@@ -118,7 +116,7 @@ func (p *plugin) GetContainerName() string {
 	return polarisContainerName
 }
 
-func (p *plugin) ParseConfigAuditResult(logsReader io.ReadCloser) (v1alpha1.ConfigAuditResult, error) {
+func (p *plugin) ParseConfigAuditReportData(logsReader io.ReadCloser) (v1alpha1.ConfigAuditResult, error) {
 	var report Report
 	err := json.NewDecoder(logsReader).Decode(&report)
 	if err != nil {
@@ -127,17 +125,18 @@ func (p *plugin) ParseConfigAuditResult(logsReader io.ReadCloser) (v1alpha1.Conf
 	return p.configAuditResultFrom(report.Results[0])
 }
 
-func (p *plugin) sourceNameFrom(workload kube.Object, gvk schema.GroupVersionKind) string {
+func (p *plugin) sourceNameFrom(obj client.Object) string {
+	gvk := obj.GetObjectKind().GroupVersionKind()
 	group := gvk.Group
 	if len(group) > 0 {
 		group = "." + group
 	}
 	return fmt.Sprintf("%s/%s%s/%s/%s",
-		workload.Namespace,
+		obj.GetNamespace(),
 		gvk.Kind,
 		group,
 		gvk.Version,
-		workload.Name,
+		obj.GetName(),
 	)
 }
 

pkg/plugin/polaris/plugin_test.go

@@ -1,21 +1,21 @@
 package polaris_test
 
 import (
+	appsv1 "k8s.io/api/apps/v1"
 	"os"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"testing"
 	"time"
 
 	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
 	"github.com/aquasecurity/starboard/pkg/ext"
-	"github.com/aquasecurity/starboard/pkg/kube"
 	"github.com/aquasecurity/starboard/pkg/plugin/polaris"
 	"github.com/aquasecurity/starboard/pkg/starboard"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/utils/pointer"
 )
 
@@ -28,9 +28,8 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 	testCases := []struct {
 		name string
 
-		config   starboard.ConfigData
-		workload kube.Object
-		gvk      schema.GroupVersionKind
+		config starboard.ConfigData
+		obj    client.Object
 
 		expectedJobSpec corev1.PodSpec
 	}{
@@ -39,15 +38,15 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 			config: starboard.ConfigData{
 				"polaris.imageRef": "quay.io/fairwinds/polaris:3.0",
 			},
-			workload: kube.Object{
-				Name:      "nginx",
-				Namespace: corev1.NamespaceDefault,
-				Kind:      kube.KindDeployment,
-			},
-			gvk: schema.GroupVersionKind{
-				Group:   "apps",
-				Version: "v1",
-				Kind:    "Deployment",
+			obj: &appsv1.Deployment{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: "apps/v1",
+					Kind:       "Deployment",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "nginx",
+					Namespace: metav1.NamespaceDefault,
+				},
 			},
 			expectedJobSpec: corev1.PodSpec{
 				ServiceAccountName:           starboard.ServiceAccountName,
@@ -119,7 +118,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			plugin := polaris.NewPlugin(fixedClock, tc.config)
-			jobSpec, secrets, err := plugin.GetScanJobSpec(tc.workload, &corev1.Pod{}, tc.gvk)
+			jobSpec, secrets, err := plugin.GetScanJobSpec(tc.obj)
 			require.NoError(t, err, tc.name)
 			assert.Nil(t, secrets)
 			assert.Equal(t, tc.expectedJobSpec, jobSpec, tc.name)
@@ -144,7 +143,7 @@ func TestPlugin_ParseConfigAuditResult(t *testing.T) {
 		"polaris.imageRef": "quay.io/fairwinds/polaris:3.0",
 	}
 	plugin := polaris.NewPlugin(fixedClock, config)
-	result, err := plugin.ParseConfigAuditResult(testReport)
+	result, err := plugin.ParseConfigAuditReportData(testReport)
 	require.NoError(t, err)
 	assert.Equal(t, metav1.NewTime(fixedTime), result.UpdateTimestamp)
 	assert.Equal(t, v1alpha1.Scanner{