From f69ad640700f499821296a055044c7f4558eb2a4 Mon Sep 17 00:00:00 2001 From: Michele Mangili Date: Fri, 22 Sep 2023 15:34:03 +0200 Subject: [PATCH 1/4] feat(cluster-scanner): added configuration for docker registry mirrors --- charts/cluster-scanner/README.md | 1 + .../cluster-scanner/templates/deployment.yaml | 11 +++++ .../templates/registrymirror.yaml | 11 +++++ .../tests/deployment_test.yaml | 30 ++++++++++++ .../tests/registrymirror_test.yaml | 47 +++++++++++++++++++ charts/cluster-scanner/values.yaml | 21 +++++++++ 6 files changed, 121 insertions(+) create mode 100644 charts/cluster-scanner/templates/registrymirror.yaml create mode 100644 charts/cluster-scanner/tests/registrymirror_test.yaml diff --git a/charts/cluster-scanner/README.md b/charts/cluster-scanner/README.md index 8f8315d8b..2e870eb49 100644 --- a/charts/cluster-scanner/README.md +++ b/charts/cluster-scanner/README.md @@ -134,6 +134,7 @@ The following table lists the configurable parameters of the `cluster-scanner` c | imageSbomExtractor.cache.local.maxSizeBytes | The maximum size in bytes of the local cache. By default it is set to 35MB | "36700160" | | imageSbomExtractor.cache.local.maxElementSizeBytes | When using `local` as cache type, restrict the maximum size of elements to be cached. By default it is set to 100KB | "102400" | | imageSbomExtractor.cache.local.ttl | The TTL for items in the local cache. By default it is set to 7 days. | "168h" | +| imageSbomExtractor.registryMirrorsConfig | Provide optional mirrors configuration to be used by Image SBOM Extractor to pull images. [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from the provided mirrors. When provided, the parameter must be a string in docker-daemon configuration file format (see: https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon).
Example:
`registryMirrorsConfig: \|-`
`{`
`"registry-mirrors": [`
`"insecure.mirror.acme.com",`
`"secure.mirror.acme.com"`
`],`
`"insecure-registries": [`
`"insecure.mirror.acme.com"`
`]`
`}` | | | nameOverride | Chart name override | "" | | fullnameOverride | Chart full name override | "" | | serviceAccount.create | Specifies whether a service account should be created | true | diff --git a/charts/cluster-scanner/templates/deployment.yaml b/charts/cluster-scanner/templates/deployment.yaml index f7c907d1e..16d46ec36 100644 --- a/charts/cluster-scanner/templates/deployment.yaml +++ b/charts/cluster-scanner/templates/deployment.yaml @@ -48,6 +48,11 @@ spec: configMap: name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl) }} {{- end }} + {{- if .Values.imageSbomExtractor.registryMirrorsConfig }} + - name: registry-mirrors-config + configMap: + name: {{ include "cluster-scanner.fullname" . }}-registry-mirrors + {{- end }} containers: - name: rsi securityContext: @@ -315,6 +320,12 @@ spec: mountPath: /ca-certs readOnly: true {{- end }} + {{- if .Values.imageSbomExtractor.registryMirrorsConfig }} + - name: registry-mirrors-config + mountPath: /etc/docker/daemon.json + subPath: daemon.json + readOnly: true + {{- end }} {{- with .Values.imageSbomExtractor }} ports: - name: metrics diff --git a/charts/cluster-scanner/templates/registrymirror.yaml b/charts/cluster-scanner/templates/registrymirror.yaml new file mode 100644 index 000000000..fa93346e0 --- /dev/null +++ b/charts/cluster-scanner/templates/registrymirror.yaml @@ -0,0 +1,11 @@ +{{- if .Values.imageSbomExtractor.registryMirrorsConfig -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "cluster-scanner.fullname" . }}-registry-mirrors + namespace: {{ include "cluster-scanner.namespace" . }} + labels: + {{- include "cluster-scanner.labels" . | nindent 4 }} +data: + daemon.json: {{ .Values.imageSbomExtractor.registryMirrorsConfig | toJson | nindent 6 }} +{{- end -}} diff --git a/charts/cluster-scanner/tests/deployment_test.yaml b/charts/cluster-scanner/tests/deployment_test.yaml index fc3d07c58..2ff2e36ee 100644 
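Review bot: The `registry-mirrors-config` volumeMount added in the `@@ -315,6 +320,12 @@` hunk of templates/deployment.yaml uses `subPath: daemon.json`, and Kubernetes does not refresh subPath mounts when the backing ConfigMap changes, so an edit to the mirror or insecure-registry list leaves the old file in the running pod until it is restarted. The pod template metadata is outside the hunk, so I cannot tell whether a checksum annotation already exists. If it does not, adding `checksum/registry-mirrors: {{ include (print $.Template.BasePath "/registrymirror.yaml") . | sha256sum }}` to the pod annotations would roll the Deployment on every change. The same mount is kept unchanged by the `mirrors` rename in PATCH 3/4, so the point applies there too.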
--- a/charts/cluster-scanner/tests/deployment_test.yaml +++ b/charts/cluster-scanner/tests/deployment_test.yaml @@ -492,3 +492,33 @@ tests: content: name: ENV_VAR_BOOL value: "true" + + - it: "does not have registry volume nor volumeMounts if registryMirrorsConfig is empty" + templates: + - ../templates/deployment.yaml + asserts: + - isEmpty: + path: spec.template.spec.volumes + - isEmpty: + path: spec.template.spec.containers[1].volumeMounts + + - it: "has registry volume mount if registryMirrorsConfig is configured" + set: + imageSbomExtractor.registryMirrorsConfig: |- + testdata + templates: + - ../templates/deployment.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: registry-mirrors-config + configMap: + name: test-release-cluster-scanner-registry-mirrors + - contains: + path: spec.template.spec.containers[1].volumeMounts + content: + name: registry-mirrors-config + mountPath: /etc/docker/daemon.json + subPath: daemon.json + readOnly: true diff --git a/charts/cluster-scanner/tests/registrymirror_test.yaml b/charts/cluster-scanner/tests/registrymirror_test.yaml new file mode 100644 index 000000000..9e14e8c46 --- /dev/null +++ b/charts/cluster-scanner/tests/registrymirror_test.yaml 
@@ -0,0 +1,47 @@ +suite: registrymirror +templates: + - ../templates/registrymirror.yaml +values: + - ../values.yaml +release: + name: test-release + namespace: test-ns + +tests: + - it: "does not have mirrors, if they are not provided" + asserts: + - hasDocuments: + count: 0 + + - it: "has mirrors ConfigMap, when registryMirrorsConfig is set" + set: + imageSbomExtractor.registryMirrorsConfig: |- + { + "registry-mirrors": [ + "insecure.mirror.acme.com", + "secure.mirror.acme.com" + ], + "insecure-registries": [ + "insecure.mirror.acme.com" + ] + } + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: test-release-cluster-scanner-registry-mirrors + namespace: test-ns + - equal: + path: data["daemon.json"] + value: |- + { + "registry-mirrors": [ + "insecure.mirror.acme.com", + "secure.mirror.acme.com" + ], + "insecure-registries": [ + "insecure.mirror.acme.com" + ] + } diff --git a/charts/cluster-scanner/values.yaml b/charts/cluster-scanner/values.yaml index 714d6c220..3cbeaad01 100644 --- a/charts/cluster-scanner/values.yaml +++ b/charts/cluster-scanner/values.yaml @@ -218,6 +218,27 @@ imageSbomExtractor: # sentinelAddress: "" # ttl: "168h" # Default ttl is 7 days + # Provide optional mirrors configuration to be used by Image SBOM Extractor to pull images. + # [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from + # the provided mirrors. + # + # When provided, the parameter must be a string in docker-daemon configuration file format + # (see: https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon). + # + # Example: + # + # registryMirrorsConfig: \|- + # { + # "registry-mirrors": [ + # "insecure.mirror.acme.com", + # "secure.mirror.acme.com" + # ], + # "insecure-registries": [ + # "insecure.mirror.acme.com" + # ] + # } + registryMirrorsConfig: + # Chart name override nameOverride: "" # Chart full name override 
From 973bbb2901e06b242dc200ff4a9ef994d64effc8 Mon Sep 17 00:00:00 2001 From: Michele Mangili Date: Tue, 26 Sep 2023 16:03:28 +0200 Subject: [PATCH 2/4] fix(cluster-scanner): bumped minor cluster-scanner and sysdig-deploy chart versions --- charts/cluster-scanner/Chart.yaml | 2 +- charts/cluster-scanner/README.md | 8 ++++---- charts/sysdig-deploy/Chart.yaml | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/cluster-scanner/Chart.yaml b/charts/cluster-scanner/Chart.yaml index 32b2d7cab..7a106f005 100644 --- a/charts/cluster-scanner/Chart.yaml +++ b/charts/cluster-scanner/Chart.yaml @@ -4,7 +4,7 @@ description: Sysdig Cluster Scanner type: application -version: 0.6.1 +version: 0.7.0 appVersion: "0.1.0" home: https://www.sysdig.com/ diff --git a/charts/cluster-scanner/README.md b/charts/cluster-scanner/README.md index 2e870eb49..57c493e6a 100644 --- a/charts/cluster-scanner/README.md +++ b/charts/cluster-scanner/README.md @@ -25,7 +25,7 @@ $ pre-commit run -a $ helm repo add sysdig https://charts.sysdig.com $ helm repo update $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.6.1 \ + --create-namespace -n sysdig --version=0.7.0 \ --set global.clusterConfig.name=CLUSTER_NAME \ --set global.sysdig.region=SYSDIG_REGION \ --set global.sysdig.accessKey=YOUR-KEY-HERE @@ -55,7 +55,7 @@ To install the chart with the release name `cluster-scanner`, run: ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.6.1 \ + --create-namespace -n sysdig --version=0.7.0 \ --set global.clusterConfig.name=CLUSTER_NAME \ --set global.sysdig.region=SYSDIG_REGION \ --set global.sysdig.accessKey=YOUR-KEY-HERE 
@@ -161,7 +161,7 @@ Specify each parameter using the **`--set key=value[,key=value]`** argument to ` ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.6.1 \ + --create-namespace -n sysdig --version=0.7.0 \ --set global.sysdig.region="us1" ``` @@ -170,7 +170,7 @@ installing the chart. For example: ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.6.1 \ + --create-namespace -n sysdig --version=0.7.0 \ --values values.yaml ``` diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml index d709c170c..4489603c2 100644 --- a/charts/sysdig-deploy/Chart.yaml +++ b/charts/sysdig-deploy/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: sysdig-deploy description: A chart with various Sysdig components for Kubernetes type: application -version: 1.23.10 +version: 1.24.0 maintainers: - name: AlbertoBarba email: alberto.barba@sysdig.com @@ -42,7 +42,7 @@ dependencies: - name: cluster-scanner # repository: https://charts.sysdig.com repository: file://../cluster-scanner - version: ~0.6.1 + version: ~0.7.0 alias: clusterScanner condition: clusterScanner.enabled - name: kspm-collector From 876435c1b4bb8a6859e4c6309522ba0c009b6f3d Mon Sep 17 00:00:00 2001 From: Michele Mangili Date: Wed, 4 Oct 2023 11:44:28 +0200 Subject: [PATCH 3/4] fix(cluster-scanner): corrected the syntax of mirrors configuration as PR comments --- charts/cluster-scanner/README.md | 2 +- .../cluster-scanner/templates/deployment.yaml | 4 +- .../templates/registrymirror.yaml | 8 +- .../tests/deployment_test.yaml | 9 +- charts/cluster-scanner/tests/notes_test.yaml | 2 + .../tests/registrymirror_test.yaml | 109 +++++++++++++++--- charts/cluster-scanner/values.schema.json | 23 ++++ charts/cluster-scanner/values.yaml | 26 ++--- 8 files changed, 142 insertions(+), 41 deletions(-) 
diff --git a/charts/cluster-scanner/README.md b/charts/cluster-scanner/README.md index 57c493e6a..13982b413 100644 --- a/charts/cluster-scanner/README.md +++ b/charts/cluster-scanner/README.md @@ -134,7 +134,7 @@ The following table lists the configurable parameters of the `cluster-scanner` c | imageSbomExtractor.cache.local.maxSizeBytes | The maximum size in bytes of the local cache. By default it is set to 35MB | "36700160" | | imageSbomExtractor.cache.local.maxElementSizeBytes | When using `local` as cache type, restrict the maximum size of elements to be cached. By default it is set to 100KB | "102400" | | imageSbomExtractor.cache.local.ttl | The TTL for items in the local cache. By default it is set to 7 days. | "168h" | -| imageSbomExtractor.registryMirrorsConfig | Provide optional mirrors configuration to be used by Image SBOM Extractor to pull images. [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from the provided mirrors. When provided, the parameter must be a string in docker-daemon configuration file format (see: https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon).
Example:
`registryMirrorsConfig: \|-`
`{`
`"registry-mirrors": [`
`"insecure.mirror.acme.com",`
`"secure.mirror.acme.com"`
`],`
`"insecure-registries": [`
`"insecure.mirror.acme.com"`
`]`
`}` | | +| imageSbomExtractor.mirrors | Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images. [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from the provided mirrors. The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors (potentially insecure), can be specified. See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ .
Example:
`mirrors:`
`registryMirrors:`
`- insecure.mirror.acme.com`
`- secure.mirror.acme.com`
`insecureRegistries:`
`- insecure.mirror.acme.com` | | | nameOverride | Chart name override | "" | | fullnameOverride | Chart full name override | "" | | serviceAccount.create | Specifies whether a service account should be created | true | diff --git a/charts/cluster-scanner/templates/deployment.yaml b/charts/cluster-scanner/templates/deployment.yaml index 16d46ec36..2c3806913 100644 --- a/charts/cluster-scanner/templates/deployment.yaml +++ b/charts/cluster-scanner/templates/deployment.yaml @@ -48,7 +48,7 @@ spec: configMap: name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl) }} {{- end }} - {{- if .Values.imageSbomExtractor.registryMirrorsConfig }} + {{- if .Values.imageSbomExtractor.mirrors }} - name: registry-mirrors-config configMap: name: {{ include "cluster-scanner.fullname" . }}-registry-mirrors @@ -320,7 +320,7 @@ spec: mountPath: /ca-certs readOnly: true {{- end }} - {{- if .Values.imageSbomExtractor.registryMirrorsConfig }} + {{- if .Values.imageSbomExtractor.mirrors }} - name: registry-mirrors-config mountPath: /etc/docker/daemon.json subPath: daemon.json diff --git a/charts/cluster-scanner/templates/registrymirror.yaml b/charts/cluster-scanner/templates/registrymirror.yaml index fa93346e0..f28af3423 100644 --- a/charts/cluster-scanner/templates/registrymirror.yaml +++ b/charts/cluster-scanner/templates/registrymirror.yaml @@ -1,4 +1,4 @@ -{{- if .Values.imageSbomExtractor.registryMirrorsConfig -}} +{{- if .Values.imageSbomExtractor.mirrors -}} apiVersion: v1 kind: ConfigMap metadata: @@ -7,5 +7,9 @@ metadata: labels: {{- include "cluster-scanner.labels" . | nindent 4 }} data: - daemon.json: {{ .Values.imageSbomExtractor.registryMirrorsConfig | toJson | nindent 6 }} + daemon.json: |- + { + "registry-mirrors": {{ .Values.imageSbomExtractor.mirrors.registryMirrors | default list | toJson }}, + "insecure-registries": {{ .Values.imageSbomExtractor.mirrors.insecureRegistries | default list | toJson }} + } {{- end -}} 
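Review bot: In templates/registrymirror.yaml the `insecure-registries` array is rendered whenever `mirrors` is non-empty, including when `registryMirrors` is unset, and neither the template nor the values.yaml comment says what listing a host there implies. In the docker-daemon format this file follows, such hosts are contacted over plain HTTP or with TLS certificate verification skipped, so image content pulled from them for SBOM extraction is not authenticated in transit. I would document that next to the key, e.g. `{{- /* insecure-registries: hosts reached over HTTP or without TLS certificate verification; keep minimal, prefer the custom CA settings */}}` above `daemon.json`, and repeat the sentence in the values.yaml comment. How the Image SBOM Extractor itself consumes the file is not visible here, so this rests on the Docker semantics the README links to.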
diff --git a/charts/cluster-scanner/tests/deployment_test.yaml b/charts/cluster-scanner/tests/deployment_test.yaml index 2ff2e36ee..2eab8b338 100644 --- a/charts/cluster-scanner/tests/deployment_test.yaml +++ b/charts/cluster-scanner/tests/deployment_test.yaml @@ -493,7 +493,7 @@ tests: name: ENV_VAR_BOOL value: "true" - - it: "does not have registry volume nor volumeMounts if registryMirrorsConfig is empty" + - it: "does not have registry volume nor volumeMounts if mirrors is empty" templates: - ../templates/deployment.yaml asserts: @@ -502,10 +502,11 @@ tests: - isEmpty: path: spec.template.spec.containers[1].volumeMounts - - it: "has registry volume mount if registryMirrorsConfig is configured" + - it: "has registry volume mount if mirrors are configured" set: - imageSbomExtractor.registryMirrorsConfig: |- - testdata + imageSbomExtractor.mirrors: + registryMirrors: + - "foobar" templates: - ../templates/deployment.yaml asserts: diff --git a/charts/cluster-scanner/tests/notes_test.yaml b/charts/cluster-scanner/tests/notes_test.yaml index 6983ef5e8..0461c01cc 100644 --- a/charts/cluster-scanner/tests/notes_test.yaml +++ b/charts/cluster-scanner/tests/notes_test.yaml @@ -1,6 +1,8 @@ suite: Test links in the notes section for regions templates: - templates/NOTES.txt +values: + - ../values.yaml tests: - it: Checking default value no region specified (us1) asserts: diff --git a/charts/cluster-scanner/tests/registrymirror_test.yaml b/charts/cluster-scanner/tests/registrymirror_test.yaml index 9e14e8c46..c6d6fe02a 100644 --- a/charts/cluster-scanner/tests/registrymirror_test.yaml +++ b/charts/cluster-scanner/tests/registrymirror_test.yaml 
@@ -9,22 +9,41 @@ release: tests: - it: "does not have mirrors, if they are not provided" + set: + imageSbomExtractor.mirrors: asserts: - hasDocuments: count: 0 - - it: "has mirrors ConfigMap, when registryMirrorsConfig is set" + - it: "has mirrors ConfigMap, when mirrors are set" + set: + imageSbomExtractor.mirrors: + registryMirrors: + - "insecure.mirror.acme.com" + - "secure.mirror.acme.com" + insecureRegistries: + - "insecure.mirror.acme.com" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: test-release-cluster-scanner-registry-mirrors + namespace: test-ns + - equal: + path: data["daemon.json"] + value: |- + { + "registry-mirrors": ["insecure.mirror.acme.com","secure.mirror.acme.com"], + "insecure-registries": ["insecure.mirror.acme.com"] + } + + - it: "has correct empty registry mirrors" set: - imageSbomExtractor.registryMirrorsConfig: |- - { - "registry-mirrors": [ - "insecure.mirror.acme.com", - "secure.mirror.acme.com" - ], - "insecure-registries": [ - "insecure.mirror.acme.com" - ] - } + imageSbomExtractor.mirrors: + insecureRegistries: + - "insecure.mirror.acme.com" asserts: - hasDocuments: count: 1 
@@ -37,11 +56,65 @@ tests: path: data["daemon.json"] value: |- { - "registry-mirrors": [ - "insecure.mirror.acme.com", - "secure.mirror.acme.com" - ], - "insecure-registries": [ - "insecure.mirror.acme.com" - ] + "registry-mirrors": [], + "insecure-registries": ["insecure.mirror.acme.com"] } + + - it: "has correct empty insecure registries mirrors" + set: + imageSbomExtractor.mirrors: + registryMirrors: + - "insecure.mirror.acme.com" + - "secure.mirror.acme.com" + - "one more mirror" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: test-release-cluster-scanner-registry-mirrors + namespace: test-ns + - equal: + path: data["daemon.json"] + value: |- + { + "registry-mirrors": ["insecure.mirror.acme.com","secure.mirror.acme.com","one more mirror"], + "insecure-registries": [] + } + + - it: "fails if format of registry mirrors is wrong" + set: + imageSbomExtractor.mirrors: + registryMirrors: + nested: "object" + asserts: + - failedTemplate: + errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors.registryMirrors: Invalid type. Expected: array, given: object\n" + + - it: "fails if format of insecure registries is wrong" + set: + imageSbomExtractor.mirrors: + insecureRegistries: 18 + asserts: + - failedTemplate: + errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors.insecureRegistries: Invalid type. Expected: array, given: integer\n" + + - it: "fails if format of mirrors is wrong" + set: + imageSbomExtractor.mirrors: 18 + asserts: + - failedTemplate: + errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors: Invalid type. 
Expected: [object,null], given: integer\n" + + - it: "fails if mirrors contains unexpeceted property" + set: + imageSbomExtractor.mirrors: + gigi: + - "insecure.mirror.acme.com" + - "secure.mirror.acme.com" + insecureRegistries: + - "insecure.mirror.acme.com" + asserts: + - failedTemplate: + errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors: Additional property gigi is not allowed\n" diff --git a/charts/cluster-scanner/values.schema.json b/charts/cluster-scanner/values.schema.json index 528627434..00b3f6705 100644 --- a/charts/cluster-scanner/values.schema.json +++ b/charts/cluster-scanner/values.schema.json @@ -43,6 +43,29 @@ } } } + }, + "imageSbomExtractor": { + "type": "object", + "properties": { + "mirrors": { + "type": ["object", "null"], + "additionalProperties": false, + "properties": { + "registryMirrors": { + "type": "array", + "items": { + "type": "string" + } + }, + "insecureRegistries": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } } } } diff --git a/charts/cluster-scanner/values.yaml b/charts/cluster-scanner/values.yaml index 3cbeaad01..7ce3011fd 100644 --- a/charts/cluster-scanner/values.yaml +++ b/charts/cluster-scanner/values.yaml 
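Review bot: The `items` schemas for `registryMirrors` and `insecureRegistries` in values.schema.json accept any string, so an empty entry or a value such as the `"one more mirror"` used in registrymirror_test.yaml passes validation and is written to daemon.json unchanged. Since `insecureRegistries` relaxes transport security for whatever it lists, I would tighten both arrays with `"items": { "type": "string", "minLength": 1 }` and `"uniqueItems": true`, and consider a `pattern` limiting entries to host[:port] form once the format the extractor expects is confirmed. The enclosing `properties` object of the schema starts outside the hunk.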
@@ -218,26 +218,24 @@ imageSbomExtractor: # sentinelAddress: "" # ttl: "168h" # Default ttl is 7 days - # Provide optional mirrors configuration to be used by Image SBOM Extractor to pull images. + # Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images. # [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from # the provided mirrors. # - # When provided, the parameter must be a string in docker-daemon configuration file format - # (see: https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon). + # The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors + # (potentially insecure), can be specified. + # + # See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ . # # Example: # - # registryMirrorsConfig: \|- - # { - # "registry-mirrors": [ - # "insecure.mirror.acme.com", - # "secure.mirror.acme.com" - # ], - # "insecure-registries": [ - # "insecure.mirror.acme.com" - # ] - # } - registryMirrorsConfig: + # mirrors: + # registryMirrors: + # - insecure.mirror.acme.com + # - secure.mirror.acme.com + # insecureRegistries: + # - insecure.mirror.acme.com + mirrors: # Chart name override nameOverride: "" From f7f09b21fad733057813df93eff562964ccd16c7 Mon Sep 17 00:00:00 2001 From: Michele Mangili Date: Thu, 5 Oct 2023 12:55:29 +0200 Subject: [PATCH 4/4] chore(cluster-scanner): mirrors shall always be an object --- charts/cluster-scanner/README.md | 2 +- charts/cluster-scanner/tests/registrymirror_test.yaml | 4 ++-- charts/cluster-scanner/values.schema.json | 2 +- charts/cluster-scanner/values.yaml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/cluster-scanner/README.md b/charts/cluster-scanner/README.md index 13982b413..6373702b6 100644 --- a/charts/cluster-scanner/README.md 
+++ b/charts/cluster-scanner/README.md @@ -134,7 +134,7 @@ The following table lists the configurable parameters of the `cluster-scanner` c | imageSbomExtractor.cache.local.maxSizeBytes | The maximum size in bytes of the local cache. By default it is set to 35MB | "36700160" | | imageSbomExtractor.cache.local.maxElementSizeBytes | When using `local` as cache type, restrict the maximum size of elements to be cached. By default it is set to 100KB | "102400" | | imageSbomExtractor.cache.local.ttl | The TTL for items in the local cache. By default it is set to 7 days. | "168h" | -| imageSbomExtractor.mirrors | Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images. [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from the provided mirrors. The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors (potentially insecure), can be specified. See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ .
Example:
`mirrors:`
`registryMirrors:`
`- insecure.mirror.acme.com`
`- secure.mirror.acme.com`
`insecureRegistries:`
`- insecure.mirror.acme.com` | | +| imageSbomExtractor.mirrors | Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images. [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from the provided mirrors. The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors (potentially insecure), can be specified. See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ .
Example:
`mirrors:`
`registryMirrors:`
`- insecure.mirror.acme.com`
`- secure.mirror.acme.com`
`insecureRegistries:`
`- insecure.mirror.acme.com` | {} | | nameOverride | Chart name override | "" | | fullnameOverride | Chart full name override | "" | | serviceAccount.create | Specifies whether a service account should be created | true | diff --git a/charts/cluster-scanner/tests/registrymirror_test.yaml b/charts/cluster-scanner/tests/registrymirror_test.yaml index c6d6fe02a..496f81c11 100644 --- a/charts/cluster-scanner/tests/registrymirror_test.yaml +++ b/charts/cluster-scanner/tests/registrymirror_test.yaml @@ -10,7 +10,7 @@ release: tests: - it: "does not have mirrors, if they are not provided" set: - imageSbomExtractor.mirrors: + imageSbomExtractor.mirrors: {} asserts: - hasDocuments: count: 0 @@ -105,7 +105,7 @@ tests: imageSbomExtractor.mirrors: 18 asserts: - failedTemplate: - errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors: Invalid type. Expected: [object,null], given: integer\n" + errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors: Invalid type. Expected: object, given: integer\n" - it: "fails if mirrors contains unexpeceted property" set: diff --git a/charts/cluster-scanner/values.schema.json b/charts/cluster-scanner/values.schema.json index 00b3f6705..b27e18f49 100644 --- a/charts/cluster-scanner/values.schema.json +++ b/charts/cluster-scanner/values.schema.json @@ -48,7 +48,7 @@ "type": "object", "properties": { "mirrors": { - "type": ["object", "null"], + "type": "object", "additionalProperties": false, "properties": { "registryMirrors": { diff --git a/charts/cluster-scanner/values.yaml b/charts/cluster-scanner/values.yaml index 7ce3011fd..14b520bf9 100644 --- a/charts/cluster-scanner/values.yaml +++ b/charts/cluster-scanner/values.yaml 
@@ -235,7 +235,7 @@ imageSbomExtractor: # - secure.mirror.acme.com # insecureRegistries: # - insecure.mirror.acme.com - mirrors: + mirrors: {} # Chart name override nameOverride: ""