telekom-mms / trivy-dojo-report-operator

This Kubernetes operator listens for vulnerability reports generated by the Trivy Operator and forwards them to Defect Dojo for further analysis and tracking.
GNU General Public License v3.0

Update service.yaml #68

Closed rits1902 closed 6 months ago

rits1902 commented 6 months ago

Hello!

The fields in the selector within the services are getting duplicated when generated, and this is causing issues in FluxCD v2.

I'm implementing your chart in my FluxCD setup. However, while conducting tests, I encountered the mentioned error. I noticed a related issue on https://github.com/fluxcd/helm-controller/issues/283. I tried the suggested test at the end of the thread using a shell script to generate the Helm template, and that's when I observed the issue of duplicated selectors.

Error:

Helm install failed for release trivy-report-operator/trivy-dojo-operator with chart trivy-dojo-report-operator@0.6.1: error while running post render on files: map[string]interface {}(nil): yaml: unmarshal errors: line 20: mapping key "app.kubernetes.io/instance" already defined at line 17 line 19: mapping key "app.kubernetes.io/name" already defined at line 18

rits1902 commented 6 months ago

The example below was after I executed the helm template using the shell mentioned on GitHub. As you can see in the service, it ended up with duplicate labels in the selector section.

trivy-dojo-report-operator % helm template trivy-dojo-report-operator . --dry-run=trivy-dojo-report-operator -n trivy-report-operator --post-renderer ./kustomize.sh

---
# Source: trivy-dojo-report-operator/templates/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: trivy-dojo-report-operator-account
  labels:
    helm.sh/chart: trivy-dojo-report-operator-0.6.1
    app.kubernetes.io/name: trivy-dojo-report-operator
    app.kubernetes.io/instance: trivy-dojo-report-operator
    app.kubernetes.io/version: "0.6.1"
    app.kubernetes.io/managed-by: Helm
  annotations:
    {}
---
# Source: trivy-dojo-report-operator/templates/secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: trivy-dojo-report-operator-defect-dojo-api-credentials
  labels:
    helm.sh/chart: trivy-dojo-report-operator-0.6.1
    app.kubernetes.io/name: trivy-dojo-report-operator
    app.kubernetes.io/instance: trivy-dojo-report-operator
    app.kubernetes.io/version: "0.6.1"
    app.kubernetes.io/managed-by: Helm
stringData:
  apiKey: "xxxxxxxxx"
  url: "xxxxxxxxxx"
type: Opaque
---
# Source: trivy-dojo-report-operator/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: trivy-dojo-report-operator-role-cluster
  labels:
    helm.sh/chart: trivy-dojo-report-operator-0.6.1
    app.kubernetes.io/name: trivy-dojo-report-operator
    app.kubernetes.io/instance: trivy-dojo-report-operator
    app.kubernetes.io/version: "0.6.1"
    app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
  - aquasecurity.github.io
  resources:
  - vulnerabilityreports
  - rbacassessmentreports
  - configauditreports
  - infraassessmentreports
  - exposedsecretreports
  verbs:
  - list
  - watch
  - patch
  - get
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
---
# Source: trivy-dojo-report-operator/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: trivy-dojo-report-operator-rolebinding-cluster
  labels:
    helm.sh/chart: trivy-dojo-report-operator-0.6.1
    app.kubernetes.io/name: trivy-dojo-report-operator
    app.kubernetes.io/instance: trivy-dojo-report-operator
    app.kubernetes.io/version: "0.6.1"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'trivy-dojo-report-operator-role-cluster'
subjects:
- kind: ServiceAccount
  name: 'trivy-dojo-report-operator-account'
  namespace: 'trivy-report-operator'
---
# Source: trivy-dojo-report-operator/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: trivy-dojo-report-operator-operator
  labels:
    helm.sh/chart: trivy-dojo-report-operator-0.6.1
    app.kubernetes.io/name: trivy-dojo-report-operator
    app.kubernetes.io/instance: trivy-dojo-report-operator
    app.kubernetes.io/version: "0.6.1"
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/instance: trivy-dojo-report-operator
    app.kubernetes.io/name: trivy-dojo-report-operator
    app.kubernetes.io/name: trivy-dojo-report-operator
    app.kubernetes.io/instance: trivy-dojo-report-operator
  ports:
  - name: metrics
    port: 80
    protocol: TCP
    targetPort: metrics
---
# Source: trivy-dojo-report-operator/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trivy-dojo-report-operator-operator
  labels:
    helm.sh/chart: trivy-dojo-report-operator-0.6.1
    app.kubernetes.io/name: trivy-dojo-report-operator
    app.kubernetes.io/instance: trivy-dojo-report-operator
    app.kubernetes.io/version: "0.6.1"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  selector:
    matchLabels:
      application: trivy-dojo-report-operator
      app.kubernetes.io/name: trivy-dojo-report-operator
      app.kubernetes.io/instance: trivy-dojo-report-operator
  template:
    metadata:
      labels:
        application: trivy-dojo-report-operator
        app.kubernetes.io/name: trivy-dojo-report-operator
        app.kubernetes.io/instance: trivy-dojo-report-operator
    spec:
      containers:
      - env:
        - name: DEFECT_DOJO_API_KEY
          valueFrom:
            secretKeyRef:
              key: apiKey
              name: trivy-dojo-report-operator-defect-dojo-api-credentials
              optional: false
        - name: DEFECT_DOJO_URL
          valueFrom:
            secretKeyRef:
              key: url
              name: trivy-dojo-report-operator-defect-dojo-api-credentials
              optional: false
        - name: DEFECT_DOJO_ACTIVE
          value: "true"
        - name: DEFECT_DOJO_VERIFIED
          value: "false"
        - name: DEFECT_DOJO_CLOSE_OLD_FINDINGS
          value: "false"
        - name: DEFECT_DOJO_CLOSE_OLD_FINDINGS_PRODUCT_SCOPE
          value: "false"
        - name: DEFECT_DOJO_PUSH_TO_JIRA
          value: "false"
        - name: DEFECT_DOJO_MINIMUM_SEVERITY
          value: "Info"
        - name: DEFECT_DOJO_AUTO_CREATE_CONTEXT
          value: "true"
        - name: DEFECT_DOJO_DEDUPLICATION_ON_ENGAGEMENT
          value: "true"
        - name: DEFECT_DOJO_PRODUCT_TYPE_NAME
          value: "Infraestrutura"
        - name: DEFECT_DOJO_EVAL_PRODUCT_TYPE_NAME
          value: "false"
        - name: DEFECT_DOJO_ENV_NAME
          value: "Development"
        - name: DEFECT_DOJO_EVAL_ENV_NAME
          value: "false"
        - name: DEFECT_DOJO_TEST_TITLE
          value: "Kubernetes"
        - name: DEFECT_DOJO_EVAL_TEST_TITLE
          value: "false"
        - name: DEFECT_DOJO_ENGAGEMENT_NAME
          value: "engagement"
        - name: DEFECT_DOJO_EVAL_ENGAGEMENT_NAME
          value: "false"
        - name: DEFECT_DOJO_PRODUCT_NAME
          value: "Recursos compartilhados Nonprod"
        - name: DEFECT_DOJO_EVAL_PRODUCT_NAME
          value: "false"
        - name: DEFECT_DOJO_DO_NOT_REACTIVATE
          value: "true"
        - name: REPORTS
          value: "vulnerabilityreports"
        - name: KUBERNETES_CLUSTER_DOMAIN
          value: "cluster.local"
        image: ghcr.io/telekom-mms/docker-trivy-dojo-operator:0.6.1
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 30
        name: trivy-dojo-report-operator
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 1000
          runAsUser: 1000
          seccompProfile:
            type: RuntimeDefault
      securityContext:
        fsGroup: 1000
        fsGroupChangePolicy: Always
        runAsNonRoot: true
      serviceAccountName: trivy-dojo-report-operator-account
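
A stdlib-only check for the failure described above, added here as an illustration and not part of the chart or of this PR: it walks a rendered manifest and reports every key repeated inside one block mapping, so a duplicated selector can be caught in CI before a strict post-renderer such as kustomize rejects it. The sample manifest is constructed from the Service shown in the thread; the regex handles plain block-style keys only, not quoted or flow-style keys.

```python
import re

# Constructed sample (not the chart's own file): the Service rendered in the thread, duplicates included.
RENDERED_SERVICE = """\
kind: Service
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/instance: trivy-dojo-report-operator
    app.kubernetes.io/name: trivy-dojo-report-operator
    app.kubernetes.io/name: trivy-dojo-report-operator
    app.kubernetes.io/instance: trivy-dojo-report-operator
  ports:
  - name: metrics
    port: 80
"""
# "  key:" or "  - key:" in block-style YAML (quoted and flow-style keys are not handled).
KEY_RE = re.compile(r"^(\s*)(- )?([A-Za-z0-9_./-]+):(\s|$)")


def find_duplicate_keys(manifest):
    """Return (line, first_line, key) for every key repeated inside one block mapping.
    Open mappings are tracked by indentation and reset at each '---' document marker."""
    findings = []
    stack = []  # one (indent, {key: line first seen}) entry per open mapping
    for lineno, line in enumerate(manifest.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.strip() == "---":  # new document: nothing carries over
            stack.clear()
            continue
        m = KEY_RE.match(line)
        if not m:
            continue  # scalar list item, flow value, continuation line
        indent, is_item, key = len(m.group(1)), bool(m.group(2)), m.group(3)
        if is_item:  # "- key:" opens a fresh mapping two columns in
            indent += 2
            while stack and stack[-1][0] >= indent:
                stack.pop()
            stack.append((indent, {}))
        else:
            while stack and stack[-1][0] > indent:
                stack.pop()  # a dedent closes the nested mappings
            if not stack or stack[-1][0] < indent:
                stack.append((indent, {}))
        seen = stack[-1][1]
        if key in seen:
            findings.append((lineno, seen[key], key))
        seen.setdefault(key, lineno)
    return findings
```

Running it over `helm template ... | python check.py` style input reproduces the two "already defined" errors FluxCD reported, with the same line pairs.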

szEvEz commented 6 months ago

Hi @rits1902,

you are absolutely right. Thanks for pointing this out and fixing the issue with this PR!

rits1902 commented 6 months ago

Good morning everyone, thank you very much for approving my pull requests. I just tested the chart deployment on FluxCD again, and it worked perfectly.

Thank you very much, and have a great day at work, everyone.