devopstales / trivy-operator

Kubernetes Operator based on the open-source container vulnerability scanner Trivy.
https://devopstales.github.io/trivy-operator/
Apache License 2.0

UnboundLocalError: local variable 'registry_list' referenced before assignment on Openshift. #41

Closed kmotojim closed 1 year ago

kmotojim commented 1 year ago

Describe the bug
I got the following error.

[2023-01-24 14:54:58,548] kopf.objects         [ERROR   ] [my-namespace/trivy-operator-main-config] Handler 'create_fn' failed with an exception. Will retry.
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/kopf/_core/actions/execution.py", line 279, in execute_handler_once
    result = await invoke_handler(
  File "/usr/local/lib/python3.8/site-packages/kopf/_core/actions/execution.py", line 374, in invoke_handler
    result = await invocation.invoke(
  File "/usr/local/lib/python3.8/site-packages/kopf/_core/actions/invocation.py", line 116, in invoke
    result = await fn(**kwargs)  # type: ignore
  File "/trivy-operator.py", line 416, in create_fn
    pull_secret_decoder(tmp3, tagged_ns)
  File "/trivy-operator.py", line 240, in pull_secret_decoder
    registry_list.append(data['auths'])
UnboundLocalError: local variable 'registry_list' referenced before assignment

The error I encountered is related to the registry_list = spec['registry'] line of code, because I got the DEBUG message [2023-01-24 14:54:58,541] kopf.objects [DEBUG ] [my-namespace/trivy-operator-main-config] No registry auth config is defined.

Expected behavior
I set registryAuth > registry in the Helm Values file, but it looks like the trivy-operator pod can't get the value from it. The value of registry should be configured in the trivy-operator pod, so registry_list = spec['registry'] would succeed and the local variable registry_list would be assigned before registry_list.append(data['auths']).

https://github.com/devopstales/trivy-operator/blob/main/trivy-operator.py#L229-L233 https://github.com/devopstales/trivy-operator/blob/main/trivy-operator.py#L240

Configuration file
Due to the above error, the NamespaceScanner is not created.

Helm Values file

image:
  # -- The docker image repository to use
  repository: devopstales/trivy-operator
  # -- The docker image pull policy
  pullPolicy: Always
  # -- The docker image tag to use
  tag: "2.5"

# -- Time Zone in container
TimeZone: UTC

# -- Log level
log_level: "DEBUG"
# INFO, HIGH, DEBUG

# -- list of secrets to use for image pull
imagePullSecrets: []
# -- security options for the pod
podSecurityContext:
  fsGroup: 10001
  fsGroupChangePolicy: "OnRootMismatch"

serviceAccount:
  # -- Enable serviceAccount creation
  create: true
  # -- serviceAccount annotations
  annotations: {}
  # -- Name of the serviceAccount
  name: "trivy-operator"

# Don't try to download the trivy db, run in an air-gapped env:
offline:
  # -- enable air-gapped mode
  enabled: false
  # -- repository to use for download trivy vuln db
  db_repository: localhost:5000/trivy-db
  # -- insecure repository
  db_repository_insecure: False

cache:
  # -- enable redis cache
  enabled: false

monitoring:
  # -- configure prometheus monitoring port
  port: "9115"

# deploy service monitor
serviceMonitor:
  # -- allow to override the namespace for serviceMonitor
  enabled: false
  # -- Name of the namespace for serviceMonitor
  namespace: {}
  labels:
    # -- labels to match the serviceMonitorSelector of the Prometheus Resource
    release: prometheus
  # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
  # -- relabel config for serviceMonitor
  relabelings: []
  # see serviceMonitor.relabelings
  # -- metricRelabeling config for serviceMonitor
  metricRelabelings: []

grafana:
  # -- namespace for configMap of grafana dashboards
  namespace:
  dashboards:
    # -- Enable the deployment of grafana dashboards
    enabled: true
    # -- Label to find dashboards using the k8s sidecar
    label: grafana_dashboard
    # -- Label value to find dashboards using the k8s sidecar
    value: "1"
  folder:
    # -- Annotation to enable folder storage using the k8s sidecar
    annotation: grafana_folder
    # -- Grafana folder in which to store the dashboards
    name: Policy Reporter

persistence:
  # -- Volumes for the pod
  enabled: true
  # -- Volumes mode
  accessMode: "ReadWriteOnce"
  # -- Volumes size
  size: "3Gi"
  # -- Volumes annotations
  annotations: {}
  ## database data Persistent Volume Storage Class
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
  ##   GKE, AWS & OpenStack)
  ##
  # storageClass: "-"

# content for the ns-scan CRD
namespaceScanner:
  crontab: "*/1 * * * *"
  namespaceSelector: "trivy-scan"
  clusterWide: false
  integrations:
    policyreport: false
#    defectdojo:
#      host: "https://defectdojo.k8s.intra"
#      api_key: "xyz456ucdssd67sd67dsg"
#      k8s-cluster-name: "eks-prod"

kube_bench_scnner:
  image:
    # -- The docker image repository to use
    repository: devopstales/kube-bench-scnner
    # -- The docker image pull policy
    pullPolicy: Always
    # -- The docker image tag to use
    tag: "2.5"

clusterScanner:
  # -- enable clusterScanner cr creation
  enabled: false
  # -- crontab for scheduled scan
  crontab: "*/1 * * * *"
  # -- kube-hunter scan profile
  scanProfileName: "cis-1.23"
  # -- configure defectdojo integration
  integrations: {}
#    defectdojo:
#      host: "https://defectdojo.k8s.intra"
#      api_key: "xyz456ucdssd67sd67dsg"
#      k8s-cluster-name: "eks-prod"

admissionController:
  # -- enable admission controller
  enabled: false

# authentication information for trivy to use when scanning an image
registryAuth:
  # -- enable registry authentication
  enabled: false
  # -- list of image pull secrets for authentication
  image_pull_secrets:
    - regcred
  registry:
    - name: image-registry.openshift-image-registry.svc\:5000
      username: "serviceaccount"
      password: "******"

# github authentication token for trivy database download
githubToken:
  # -- enable github authentication token
  enabled: false
  # -- github authentication token value
  token: ""

## Define which Nodes the Pods are scheduled on.
## ref: https://kubernetes.io/docs/user-guide/node-selection/
# -- Set the node selector for the pod.
nodeSelector: {}

## Tolerations for use with node taints
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
# -- Set the tolerations for the pod.
tolerations: []
# - key: "key"
#   operator: "Equal"
#   value: "value"
#   effect: "NoSchedule"

## Assign custom affinity rules to the trivy operator
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
# -- Set the affinity for the pod.
affinity: {}
# nodeAffinity:
#   requiredDuringSchedulingIgnoredDuringExecution:
#     nodeSelectorTerms:
#     - matchExpressions:
#       - key: kubernetes.io/e2e-az-name
#         operator: In
#         values:
#         - e2e-az1
#         - e2e-az2

Environment:

Additional context
I got the same error on Kubernetes Deploy.
https://github.com/devopstales/trivy-operator/tree/main/deploy/kubernetes

This is 05_namespace-scanner.yaml I applied for openshift.

# cat 05_namespace-scanner.yaml
apiVersion: trivy-operator.devopstales.io/v1
kind: NamespaceScanner
metadata:
  name: main-config
spec:
  crontab: "*/1 * * * *"
  namespace_selector: "trivy-scan"
  clusterWide: False
  integrations:
    policyreport: True
#    defectdojo:
#      host: "https://defectdojo.k8s.intra"
#      api_key: "xyz456ucdssd67sd67dsg"
  image_pull_secrets:
    - trivy-operator-dockercfg-cw8lh
  registry:
  - name: image-registry.openshift-image-registry.svc\:5000
    username: "serviceaccount"
    password: "******"
    insecure: True
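
The failure pattern behind the traceback above, next to a hardened form, as an added example (not the project's code): the list must be bound before any branch that can skip its assignment, and only then is the pull secret's auths map merged into it. The secret bodies and credentials are constructed placeholders; HOST, buggy_registry_list, buggy_raises and fixed_registry_list are names chosen here.

```python
import base64
import json

def _dockerconfig(auths):
    """Base64 body of a kubernetes.io/dockerconfigjson secret
    (constructed sample data; credentials are placeholders)."""
    return base64.b64encode(json.dumps({"auths": auths}).encode()).decode()

HOST = "image-registry.openshift-image-registry.svc:5000"
SAMPLE_FULL = _dockerconfig({HOST: {"username": "serviceaccount",
                                    "password": "example-token"}})
# Some pull secrets carry only the base64 "user:password" 'auth' field.
SAMPLE_AUTH_ONLY = _dockerconfig(
    {HOST: {"auth": base64.b64encode(b"serviceaccount:example-token").decode()}})

def buggy_registry_list(spec, secret_b64):
    """Reconstruction of the failing pattern: the list is only bound when
    spec['registry'] exists, so the append raises UnboundLocalError whenever
    the CR has no 'registry' key (the "No registry auth config" path)."""
    try:
        registry_list = spec['registry']
    except KeyError:
        print("No registry auth config is defined.")
    data = json.loads(base64.b64decode(secret_b64))
    registry_list.append(data['auths'])
    return registry_list

def buggy_raises(spec, secret_b64):
    """True when the buggy path hits UnboundLocalError."""
    try:
        buggy_registry_list(spec, secret_b64)
    except UnboundLocalError:
        return True
    return False

def fixed_registry_list(spec, secret_b64):
    """Hardened form: bind the list before any branch, then merge the secret's
    'auths' entries into the {name, username, password} shape the CR uses."""
    registry_list = list(spec.get('registry') or [])
    data = json.loads(base64.b64decode(secret_b64))
    for host, creds in data.get('auths', {}).items():
        if 'username' not in creds and 'auth' in creds:
            user, _, pw = base64.b64decode(creds['auth']).decode().partition(':')
            creds = {'username': user, 'password': pw}
        registry_list.append({'name': host, 'username': creds.get('username'),
                              'password': creds.get('password')})
    return registry_list
```
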

devopstales commented 1 year ago

Hi @kmotojim

I didn't test it but the source of the problem could be this line: name: image-registry.openshift-image-registry.svc\:5000 I think you should try like this: name: "image-registry.openshift-image-registry.svc:5000"

And yes, there is a problem in the code too because of this https://github.com/devopstales/trivy-operator/blob/main/trivy-operator.py#L230-L233 part.

kmotojim commented 1 year ago

I tried setting image-registry.openshift-image-registry.svc:5000 (without the slash before the colon) as the name in the registry object, but the pod still can't get the value from it.

  registry:
  - name: image-registry.openshift-image-registry.svc:5000
    username: "serviceaccount"
    password: "******"
    insecure: True

Thank you for fixing. It seems UnboundLocalError: local variable 'registry_list' referenced before assignment doesn't happen.