feat: Ensure default config should not create ConfigMap for Polaris w…

…hen it is not chosen as plugin (#530) Resolves: #524 Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
aquasecurity · Apr 23, 2021 · f7d8d46 · f7d8d46
1 parent ca59eb2
commit f7d8d46
Show file tree

Hide file tree

Showing 3 changed files with 214 additions and 56 deletions.
diff --git a/deploy/static/05-starboard-operator.config.yaml b/deploy/static/05-starboard-operator.config.yaml
@@ -211,9 +211,3 @@ kind: Secret
 metadata:
   name: starboard
   namespace: starboard-operator
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: starboard-conftest-config
-  namespace: starboard-operator
diff --git a/pkg/starboard/config.go b/pkg/starboard/config.go
@@ -284,12 +284,17 @@ func GetDefaultConfig() ConfigData {
 }
 
 // GetDefaultPolarisConfig returns the default Polaris configuration.
-func GetDefaultPolarisConfig() ConfigData {
+func GetDefaultPolarisConfig() map[string]string {
 	return map[string]string{
 		"polaris.config.yaml": polarisConfigYAML,
 	}
 }
 
+// GetDefaultConftestConfig return the defautl Conftest configuration.
+func GetDefaultConftestConfig() map[string]string {
+	return map[string]string{}
+}
+
 func (c ConfigData) GetVulnerabilityReportsScanner() (Scanner, error) {
 	var ok bool
 	var value string
@@ -424,49 +429,70 @@ type configManager struct {
 }
 
 func (c *configManager) EnsureDefault(ctx context.Context) error {
-	cm := &corev1.ConfigMap{
-		ObjectMeta: metav1.ObjectMeta{
-			Namespace: c.namespace,
-			Name:      ConfigMapName,
-			Labels: labels.Set{
-				"app.kubernetes.io/managed-by": "starboard",
+	cm, err := c.client.CoreV1().ConfigMaps(c.namespace).Get(ctx, ConfigMapName, metav1.GetOptions{})
+	if err != nil {
+		if !apierrors.IsNotFound(err) {
+			return fmt.Errorf("getting config: %w", err)
+		}
+
+		cm, err = c.client.CoreV1().ConfigMaps(c.namespace).Create(ctx, &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: c.namespace,
+				Name:      ConfigMapName,
+				Labels: labels.Set{
+					LabelK8SAppManagedBy: "starboard",
+				},
 			},
-		},
-		Data: GetDefaultConfig(),
-	}
-	_, err := c.client.CoreV1().ConfigMaps(c.namespace).Create(ctx, cm, metav1.CreateOptions{})
-	if err != nil && !apierrors.IsAlreadyExists(err) {
-		return err
+			Data: GetDefaultConfig(),
+		}, metav1.CreateOptions{})
+
+		if err != nil {
+			return fmt.Errorf("creating config: %w", err)
+		}
 	}
 
-	polarisCm := &corev1.ConfigMap{
+	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: c.namespace,
-			Name:      GetPluginConfigMapName(string(Polaris)),
+			Name:      SecretName,
 			Labels: labels.Set{
-				"app.kubernetes.io/managed-by": "starboard",
+				LabelK8SAppManagedBy: "starboard",
 			},
 		},
-		Data: GetDefaultPolarisConfig(),
 	}
-	_, err = c.client.CoreV1().ConfigMaps(c.namespace).Create(ctx, polarisCm, metav1.CreateOptions{})
+	_, err = c.client.CoreV1().Secrets(c.namespace).Create(ctx, secret, metav1.CreateOptions{})
 	if err != nil && !apierrors.IsAlreadyExists(err) {
 		return err
 	}
 
-	secret := &corev1.Secret{
+	scanner, err := ConfigData(cm.Data).GetConfigAuditReportsScanner()
+	if err != nil {
+		return fmt.Errorf("getting scanner: %w", err)
+	}
+
+	var pluginConfigData map[string]string
+	switch scanner {
+	case Polaris:
+		pluginConfigData = GetDefaultPolarisConfig()
+	case Conftest:
+		pluginConfigData = GetDefaultConftestConfig()
+	}
+
+	pluginConfig := &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: c.namespace,
-			Name:      SecretName,
+			Name:      GetPluginConfigMapName(string(scanner)),
 			Labels: labels.Set{
-				"app.kubernetes.io/managed-by": "starboard",
+				LabelK8SAppManagedBy: "starboard",
 			},
 		},
+		Data: pluginConfigData,
 	}
-	_, err = c.client.CoreV1().Secrets(c.namespace).Create(ctx, secret, metav1.CreateOptions{})
+	_, err = c.client.CoreV1().ConfigMaps(c.namespace).Create(ctx, pluginConfig, metav1.CreateOptions{})
 	if err != nil && !apierrors.IsAlreadyExists(err) {
 		return err
 	}
+
 	return nil
 }
 

diff --git a/pkg/starboard/config_test.go b/pkg/starboard/config_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/aquasecurity/starboard/pkg/starboard"
+	"github.com/onsi/gomega"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
@@ -324,67 +325,204 @@ func TestConfigManager_Read(t *testing.T) {
 
 func TestConfigManager_EnsureDefault(t *testing.T) {
 
-	t.Run("Should create ConfigMap with default values, and empty secret", func(t *testing.T) {
+	t.Run("Should create ConfigMaps and Secret", func(t *testing.T) {
+		g := gomega.NewGomegaWithT(t)
+
+		namespace := "starboard-ns"
 		clientset := fake.NewSimpleClientset()
 
-		err := starboard.NewConfigManager(clientset, starboard.NamespaceName).EnsureDefault(context.TODO())
-		require.NoError(t, err)
+		err := starboard.NewConfigManager(clientset, namespace).EnsureDefault(context.TODO())
+		g.Expect(err).ToNot(gomega.HaveOccurred())
 
-		cm, err := clientset.CoreV1().
-			ConfigMaps(starboard.NamespaceName).
+		cm, err := clientset.CoreV1().ConfigMaps(namespace).
 			Get(context.TODO(), starboard.ConfigMapName, metav1.GetOptions{})
-		require.NoError(t, err)
-		assert.Equal(t, starboard.GetDefaultConfig(), starboard.ConfigData(cm.Data))
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+		g.Expect(cm.Data).To(gomega.BeEquivalentTo(starboard.GetDefaultConfig()))
 
-		secret, err := clientset.CoreV1().
-			Secrets(starboard.NamespaceName).
+		secret, err := clientset.CoreV1().Secrets(namespace).
 			Get(context.TODO(), starboard.SecretName, metav1.GetOptions{})
-		require.NoError(t, err)
-		assert.Equal(t, map[string][]byte(nil), secret.Data)
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+		g.Expect(secret.Data).To(gomega.BeEmpty())
+
+		pluginConfig, err := clientset.CoreV1().ConfigMaps(namespace).
+			Get(context.TODO(), starboard.GetPluginConfigMapName(string(starboard.Polaris)), metav1.GetOptions{})
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+		g.Expect(pluginConfig.Data).To(gomega.Equal(starboard.GetDefaultPolarisConfig()))
+
+		_, err = clientset.CoreV1().ConfigMaps(namespace).
+			Get(context.TODO(), starboard.GetPluginConfigMapName(string(starboard.Conftest)), metav1.GetOptions{})
+		g.Expect(err).To(gomega.MatchError(`configmaps "starboard-conftest-config" not found`))
 	})
 
-	t.Run("Should not modify ConfigMap nor secret if they already exist", func(t *testing.T) {
+	t.Run("Should not modify ConfigMaps nor Secret", func(t *testing.T) {
+		g := gomega.NewGomegaWithT(t)
+		namespace := "starboard-ns"
 		clientset := fake.NewSimpleClientset(
 			&corev1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{
-					Namespace: starboard.NamespaceName,
+					Namespace: namespace,
 					Name:      starboard.ConfigMapName,
 				},
 				Data: map[string]string{
-					"foo": "bar",
+					"foo":                        "bar",
+					"configAuditReports.scanner": string(starboard.Conftest),
 				},
 			},
 			&corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
-					Namespace: starboard.NamespaceName,
+					Namespace: namespace,
 					Name:      starboard.SecretName,
 				},
 				Data: map[string][]byte{
 					"baz": []byte("s3cret"),
 				},
 			},
+			&corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: namespace,
+					Name:      starboard.GetPluginConfigMapName(string(starboard.Conftest)),
+				},
+				Data: map[string]string{
+					"conftest.policy.my-check.rego": "<REGO>",
+				},
+			},
 		)
 
-		err := starboard.NewConfigManager(clientset, starboard.NamespaceName).EnsureDefault(context.TODO())
-		require.NoError(t, err)
+		err := starboard.NewConfigManager(clientset, namespace).EnsureDefault(context.TODO())
+		g.Expect(err).ToNot(gomega.HaveOccurred())
 
-		cm, err := clientset.CoreV1().
-			ConfigMaps(starboard.NamespaceName).
+		cm, err := clientset.CoreV1().ConfigMaps(namespace).
 			Get(context.TODO(), starboard.ConfigMapName, metav1.GetOptions{})
-		require.NoError(t, err)
-		assert.Equal(t, map[string]string{
-			"foo": "bar",
-		}, cm.Data)
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+		g.Expect(cm.Data).To(gomega.Equal(map[string]string{
+			"foo":                        "bar",
+			"configAuditReports.scanner": "Conftest",
+		}))
 
-		secret, err := clientset.CoreV1().
-			Secrets(starboard.NamespaceName).
+		secret, err := clientset.CoreV1().Secrets(namespace).
 			Get(context.TODO(), starboard.SecretName, metav1.GetOptions{})
-		require.NoError(t, err)
-		assert.Equal(t, map[string][]byte{
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+		g.Expect(secret.Data).To(gomega.Equal(map[string][]byte{
 			"baz": []byte("s3cret"),
-		}, secret.Data)
+		}))
+
+		pluginConfig, err := clientset.CoreV1().ConfigMaps(namespace).
+			Get(context.TODO(), starboard.GetPluginConfigMapName(string(starboard.Conftest)), metav1.GetOptions{})
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+		g.Expect(pluginConfig.Data).To(gomega.Equal(map[string]string{
+			"conftest.policy.my-check.rego": "<REGO>",
+		}))
+
+		_, err = clientset.CoreV1().ConfigMaps(namespace).
+			Get(context.TODO(), starboard.GetPluginConfigMapName(string(starboard.Polaris)), metav1.GetOptions{})
+		g.Expect(err).To(gomega.MatchError(`configmaps "starboard-polaris-config" not found`))
 	})
 
+	t.Run("Should create ConfigMap for Polaris", func(t *testing.T) {
+		g := gomega.NewGomegaWithT(t)
+		namespace := "starboard-ns"
+		clientset := fake.NewSimpleClientset(
+			&corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: namespace,
+					Name:      starboard.ConfigMapName,
+				},
+				Data: map[string]string{
+					"foo":                        "bar",
+					"configAuditReports.scanner": string(starboard.Polaris),
+				},
+			},
+			&corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: namespace,
+					Name:      starboard.SecretName,
+				},
+				Data: map[string][]byte{
+					"baz": []byte("s3cret"),
+				},
+			},
+		)
+
+		err := starboard.NewConfigManager(clientset, namespace).EnsureDefault(context.TODO())
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+
+		cm, err := clientset.CoreV1().ConfigMaps(namespace).
+			Get(context.TODO(), starboard.ConfigMapName, metav1.GetOptions{})
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+		g.Expect(cm.Data).To(gomega.Equal(map[string]string{
+			"foo":                        "bar",
+			"configAuditReports.scanner": "Polaris",
+		}))
+
+		secret, err := clientset.CoreV1().Secrets(namespace).
+			Get(context.TODO(), starboard.SecretName, metav1.GetOptions{})
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+		g.Expect(secret.Data).To(gomega.Equal(map[string][]byte{
+			"baz": []byte("s3cret"),
+		}))
+
+		pluginConfig, err := clientset.CoreV1().ConfigMaps(namespace).
+			Get(context.TODO(), starboard.GetPluginConfigMapName(string(starboard.Polaris)), metav1.GetOptions{})
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+		g.Expect(pluginConfig.Data).To(gomega.Equal(starboard.GetDefaultPolarisConfig()))
+
+		_, err = clientset.CoreV1().ConfigMaps(namespace).
+			Get(context.TODO(), starboard.GetPluginConfigMapName(string(starboard.Conftest)), metav1.GetOptions{})
+		g.Expect(err).To(gomega.MatchError(`configmaps "starboard-conftest-config" not found`))
+	})
+
+	t.Run("Should create ConfigMap for Conftest", func(t *testing.T) {
+		g := gomega.NewGomegaWithT(t)
+		namespace := "starboard-ns"
+		clientset := fake.NewSimpleClientset(
+			&corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: namespace,
+					Name:      starboard.ConfigMapName,
+				},
+				Data: map[string]string{
+					"foo":                        "bar",
+					"configAuditReports.scanner": string(starboard.Conftest),
+				},
+			},
+			&corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: namespace,
+					Name:      starboard.SecretName,
+				},
+				Data: map[string][]byte{
+					"baz": []byte("s3cret"),
+				},
+			},
+		)
+
+		err := starboard.NewConfigManager(clientset, namespace).EnsureDefault(context.TODO())
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+
+		cm, err := clientset.CoreV1().ConfigMaps(namespace).
+			Get(context.TODO(), starboard.ConfigMapName, metav1.GetOptions{})
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+		g.Expect(cm.Data).To(gomega.Equal(map[string]string{
+			"foo":                        "bar",
+			"configAuditReports.scanner": "Conftest",
+		}))
+
+		secret, err := clientset.CoreV1().Secrets(namespace).
+			Get(context.TODO(), starboard.SecretName, metav1.GetOptions{})
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+		g.Expect(secret.Data).To(gomega.Equal(map[string][]byte{
+			"baz": []byte("s3cret"),
+		}))
+
+		pluginConfig, err := clientset.CoreV1().ConfigMaps(namespace).
+			Get(context.TODO(), starboard.GetPluginConfigMapName(string(starboard.Conftest)), metav1.GetOptions{})
+		g.Expect(err).ToNot(gomega.HaveOccurred())
+		g.Expect(pluginConfig.Data).To(gomega.BeEmpty())
+
+		_, err = clientset.CoreV1().ConfigMaps(namespace).
+			Get(context.TODO(), starboard.GetPluginConfigMapName(string(starboard.Polaris)), metav1.GetOptions{})
+		g.Expect(err).To(gomega.MatchError(`configmaps "starboard-polaris-config" not found`))
+	})
 }
 
 func TestConfigManager_Delete(t *testing.T) {