Merge pull request #234 from adishaull/SLK-78181-update-kube-enforcer…

…-opnshift-deploymen-with-the-latest-changes Slk 78181 update kube-enforcer openshift deployment with the latest changes
aquasecurity · Feb 20, 2024 · 61cf816 · 61cf816
2 parents 4a068c6 + d5752c8
commit 61cf816
Show file tree

Hide file tree

Showing 26 changed files with 512 additions and 1,159 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.19 as builder
+FROM golang:1.21 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -21,7 +21,7 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 #FROM gcr.io/distroless/static:nonroot
-FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 
 ENV OPERATOR=/usr/local/bin/aqua-operator \
     USER_UID=1001 \

diff --git a/Dockerfile.debug b/Dockerfile.debug
@@ -0,0 +1,52 @@
+# Build the manager binary
+FROM golang:1.21 as builder
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY main.go main.go
+COPY apis/ apis/
+COPY controllers/ controllers/
+COPY pkg/ pkg/
+
+# Install dlv
+RUN go install -mod=readonly github.com/go-delve/delve/cmd/dlv@latest
+ENV GCFLAGS "all=-N -l"
+
+# Build the Go binary
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -gcflags "all=-N -l" -a -o manager main.go
+
+# Use a separate stage for the final image
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+RUN microdnf install -y  wget tar yum findutils gzip && microdnf clean all
+RUN yum install -y glibc golang \
+                     && yum update -y glibc golang
+
+ENV OPERATOR=/usr/local/bin/aqua-operator \
+    USER_UID=1001 \
+    USER_NAME=aqua-operator
+
+LABEL name="Aqua Operator" \
+      vendor="Aqua Security Software Ltd." \
+      version="v1.0.2" \
+      release="1" \
+      summary="Aqua Security Operator." \
+      description="The Aqua Security Operator runs within a Openshift (or Kubernetes) cluster, and provides a means to deploy and manage the Aqua Security cluster and components"
+
+WORKDIR /
+
+COPY licenses /licenses
+COPY --from=builder /workspace/manager .
+COPY --from=builder /go/bin/dlv /usr/bin/
+
+USER ${USER_UID}
+ENTRYPOINT ["/manager"]
+
+## Set the entrypoint for the container
+ENTRYPOINT ["/usr/bin/dlv", "--listen=:40000", "--headless=true", "--api-version=2", "--accept-multiclient", "exec", "/manager"]
diff --git a/DockerfileForJenkinsBuild b/DockerfileForJenkinsBuild
@@ -1,4 +1,4 @@
-FROM golang:1.19.6-alpine
+FROM golang:1.21-alpine
 
 RUN apk update && apk add git docker sudo make bash gcc musl-dev
 

diff --git a/apis/aquasecurity/v1alpha1/aquastarboard_types.go b/apis/aquasecurity/v1alpha1/aquastarboard_types.go
@@ -30,25 +30,26 @@ type AquaStarboardSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 
-	Infrastructure                   *v1alpha1.AquaInfrastructure `json:"infra,omitempty"`
-	AllowAnyVersion                  bool                         `json:"allowAnyVersion,omitempty"`
-	StarboardService                 *v1alpha1.AquaService        `json:"deploy,required"`
-	Config                           v1alpha1.AquaStarboardConfig `json:"config"`
-	RegistryData                     *v1alpha1.AquaDockerRegistry `json:"registry,omitempty"`
-	ImageData                        *v1alpha1.AquaImage          `json:"image,omitempty"`
-	Envs                             []corev1.EnvVar              `json:"env,omitempty"`
-	KubeEnforcerVersion              string                       `json:"kube_enforcer_version,omitempty"`
-	LogDevMode                       bool                         `json:"logDevMode,omitempty"`
-	ConcurrentScanJobsLimit          string                       `json:"concurrentScanJobsLimit,omitempty"`
-	ScanJobRetryAfter                string                       `json:"scanJobRetryAfter,omitempty"`
-	MetricsBindAddress               string                       `json:"metricsBindAddress,omitempty"`
-	HealthProbeBindAddress           string                       `json:"healthProbeBindAddress,omitempty"`
-	CisKubernetesBenchmarkEnabled    string                       `json:"cisKubernetesBenchmarkEnabled,omitempty"`
-	VulnerabilityScannerEnabled      string                       `json:"vulnerabilityScannerEnabled,omitempty"`
-	BatchDeleteLimit                 string                       `json:"batchDeleteLimit,omitempty"`
-	BatchDeleteDelay                 string                       `json:"batchDeleteDelay,omitempty"`
-	OperatorClusterComplianceEnabled string                       `json:"operator_cluster_compliance_enabled"`
-	ConfigMapChecksum                string                       `json:"config_map_checksum,omitempty"`
+	Infrastructure                                     *v1alpha1.AquaInfrastructure `json:"infra,omitempty"`
+	AllowAnyVersion                                    bool                         `json:"allowAnyVersion,omitempty"`
+	StarboardService                                   *v1alpha1.AquaService        `json:"deploy,required"`
+	Config                                             v1alpha1.AquaStarboardConfig `json:"config"`
+	RegistryData                                       *v1alpha1.AquaDockerRegistry `json:"registry,omitempty"`
+	ImageData                                          *v1alpha1.AquaImage          `json:"image,omitempty"`
+	Envs                                               []corev1.EnvVar              `json:"env,omitempty"`
+	KubeEnforcerVersion                                string                       `json:"kube_enforcer_version,omitempty"`
+	LogDevMode                                         bool                         `json:"logDevMode,omitempty"`
+	ConcurrentScanJobsLimit                            string                       `json:"concurrentScanJobsLimit,omitempty"`
+	ScanJobRetryAfter                                  string                       `json:"scanJobRetryAfter,omitempty"`
+	MetricsBindAddress                                 string                       `json:"metricsBindAddress,omitempty"`
+	HealthProbeBindAddress                             string                       `json:"healthProbeBindAddress,omitempty"`
+	CisKubernetesBenchmarkEnabled                      string                       `json:"cisKubernetesBenchmarkEnabled,omitempty"`
+	VulnerabilityScannerEnabled                        string                       `json:"vulnerabilityScannerEnabled,omitempty"`
+	BatchDeleteLimit                                   string                       `json:"batchDeleteLimit,omitempty"`
+	BatchDeleteDelay                                   string                       `json:"batchDeleteDelay,omitempty"`
+	OperatorClusterComplianceEnabled                   string                       `json:"operator_cluster_compliance_enabled"`
+	OperatorConfigAuditScannerScanOnlyCurrentRevisions string                       `json:"operator_config_audit_scanner_scan_only_current_revisions"`
+	ConfigMapChecksum                                  string                       `json:"config_map_checksum,omitempty"`
 }
 
 // AquaStarboardStatus defines the observed state of AquaStarboard

diff --git a/config/crd/bases/aquasecurity.github.io_aquastarboards.yaml b/config/crd/bases/aquasecurity.github.io_aquastarboards.yaml
@@ -3097,6 +3097,8 @@ spec:
                 type: string
               operator_cluster_compliance_enabled:
                 type: string
+              operator_config_audit_scanner_scan_only_current_revisions:
+                type: string
               registry:
                 properties:
                   email:

diff --git a/controllers/aquasecurity/aquastarboard/aquaStarboardHelper.go b/controllers/aquasecurity/aquastarboard/aquaStarboardHelper.go
@@ -687,10 +687,24 @@ func (ebf *AquaStarboardHelper) getStarboardEnvVars(cr *aquasecurityv1alpha1.Aqu
 
 	if cr.Spec.OperatorClusterComplianceEnabled != "" {
 		operatorClusterComplianceEnabled = corev1.EnvVar{
-			Name:  "OPERATOR_BATCH_DELETE_DELAY",
-			Value: cr.Spec.BatchDeleteDelay}
+			Name:  "OPERATOR_CLUSTER_COMPLIANCE_ENABLED",
+			Value: cr.Spec.OperatorClusterComplianceEnabled}
 	}
 
 	result = append(result, operatorClusterComplianceEnabled)
+
+	operatorConfigAuditScannerScanOnlyCurrentRevisions := corev1.EnvVar{
+		Name:  "OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS",
+		Value: consts.OperatorConfigAuditScannerScanOnlyCurrentRevisions,
+	}
+
+	if cr.Spec.OperatorConfigAuditScannerScanOnlyCurrentRevisions != "" {
+		operatorConfigAuditScannerScanOnlyCurrentRevisions = corev1.EnvVar{
+			Name:  "OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS",
+			Value: cr.Spec.OperatorConfigAuditScannerScanOnlyCurrentRevisions}
+	}
+
+	result = append(result, operatorConfigAuditScannerScanOnlyCurrentRevisions)
+
 	return result
 }
diff --git a/controllers/aquasecurity/aquastarboard/aquastarboard_controller.go b/controllers/aquasecurity/aquastarboard/aquastarboard_controller.go
@@ -35,7 +35,6 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
 	"reflect"
-	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"strings"
@@ -56,17 +55,6 @@ type AquaStarboardReconciler struct {
 	Scheme *runtime.Scheme
 }
 
-//+kubebuilder:rbac:groups=aquasecurity.aquasec.com,resources=aquastarboards,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=aquasecurity.aquasec.com,resources=aquastarboards/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=aquasecurity.aquasec.com,resources=aquastarboards/finalizers,verbs=update
-//+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
-//+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
-
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
 // the AquaStarboard object against the actual cluster state, and then
@@ -76,6 +64,7 @@ type AquaStarboardReconciler struct {
 // For more details, check Reconcile and its Result here:
 // - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/reconcile
 func (r *AquaStarboardReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	req.NamespacedName.Namespace = extra.GetCurrentNameSpace()
 	reqLogger := log.WithValues("Request.Namespace", req.Namespace, "req.Name", req.Name)
 	reqLogger.Info("Reconciling AquaStarboard")
 
@@ -159,7 +148,6 @@ func (r *AquaStarboardReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 func (r *AquaStarboardReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		Named("AquaStarboard-controller").
-		WithOptions(controller.Options{Reconciler: r}).
 		Owns(&corev1.Secret{}).
 		Owns(&corev1.ServiceAccount{}).
 		Owns(&appsv1.Deployment{}).
@@ -359,14 +347,13 @@ func (r *AquaStarboardReconciler) addStarboardRole(ro *aquasecurityv1alpha1.Aqua
 
 	// Check if this Role already exists
 	found := &rbacv1.Role{}
-	err := r.Client.Get(context.TODO(), types.NamespacedName{Name: role.Name}, found)
+	err := r.Client.Get(context.TODO(), types.NamespacedName{Name: role.Name, Namespace: ro.Namespace}, found)
 	if err != nil && errors.IsNotFound(err) {
 		reqLogger.Info("Aqua Starboard: Creating a New Role", "Role.Namespace", role.Namespace, "Role.Name", role.Name)
 		err = r.Client.Create(context.TODO(), role)
 		if err != nil {
-			return reconcile.Result{Requeue: true}, nil
+			return reconcile.Result{Requeue: true}, err
 		}
-
 		return reconcile.Result{}, nil
 	} else if err != nil {
 		return reconcile.Result{}, err
@@ -380,20 +367,19 @@ func (r *AquaStarboardReconciler) addStarboardRole(ro *aquasecurityv1alpha1.Aqua
 	}
 
 	if !equal {
-		found = role
-		log.Info("Aqua Starboard: Updating Role", "Role.Namespace", found.Namespace, "Role.Name", found.Name)
+		found.Rules = role.Rules // Update the existing Role's rules
+		reqLogger.Info("Aqua Starboard: Updating Role", "Role.Namespace", found.Namespace, "Role.Name", found.Name)
 		err := r.Client.Update(context.TODO(), found)
 		if err != nil {
-			log.Error(err, "Failed to update Role", "Role.Namespace", found.Namespace, "Role.Name", found.Name)
+			reqLogger.Error(err, "Failed to update Role", "Role.Namespace", found.Namespace, "Role.Name", found.Name)
 			return reconcile.Result{}, err
 		}
-
 		return reconcile.Result{Requeue: true}, nil
 	}
 
-	// Role already exists - don't requeue
+	// Role already exists and is up-to-date - don't requeue
 	reqLogger.Info("Skip reconcile: Aqua Role Exists", "Role.Namespace", found.Namespace, "Role.Name", found.Name)
-	return reconcile.Result{Requeue: true}, nil
+	return reconcile.Result{}, nil
 }
 
 func (r *AquaStarboardReconciler) createAquaStarboardServiceAccount(cr *aquasecurityv1alpha1.AquaStarboard) (reconcile.Result, error) {

diff --git a/controllers/operator/aquacloudconnector/aquacloudconnector_controller.go b/controllers/operator/aquacloudconnector/aquacloudconnector_controller.go
@@ -31,7 +31,6 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
 	"reflect"
-	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
@@ -121,7 +120,6 @@ func (r *AquaCloudConnectorReconciler) Reconcile(ctx context.Context, req ctrl.R
 func (r *AquaCloudConnectorReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		Named("aquacloudconnector-controller").
-		WithOptions(controller.Options{Reconciler: r}).
 		Owns(&corev1.Secret{}).
 		Owns(&appsv1.Deployment{}).
 		Owns(&corev1.ConfigMap{}).

diff --git a/controllers/operator/aquacsp/aquacsp_controller.go b/controllers/operator/aquacsp/aquacsp_controller.go
@@ -32,7 +32,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
@@ -293,7 +292,6 @@ func (r *AquaCspReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	builder := ctrl.NewControllerManagedBy(mgr).
 		For(&operatorv1alpha1.AquaCsp{}).
 		Named("aquacsp-controller").
-		WithOptions(controller.Options{Reconciler: r}).
 		Owns(&corev1.Secret{}).
 		Owns(&corev1.ServiceAccount{}).
 		Owns(&operatorv1alpha1.AquaDatabase{}).
@@ -302,10 +300,6 @@ func (r *AquaCspReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Owns(&operatorv1alpha1.AquaEnforcer{}).
 		Owns(&operatorv1alpha1.AquaKubeEnforcer{})
 
-	//isOpenshift, _ := ocp.VerifyRouteAPI()
-	//if isOpenshift {
-	//	builder.Owns(&routev1.Route{})
-	//}
 	return builder.Complete(r)
 }
 
@@ -678,16 +672,36 @@ func (r *AquaCspReconciler) InstallAquaKubeEnforcer(cr *v1alpha1.AquaCsp) (recon
 
 		reqLogger.Info("Checking for AquaKubeEnforcer Upgrade", "kube-enforcer", enforcer.Spec, "found", found.Spec, "update bool", update)
 		if update {
-			found.Spec = *(enforcer.Spec.DeepCopy())
-			err = r.Client.Update(context.Background(), found)
-			if err != nil {
-				reqLogger.Error(err, "Aqua CSP: Failed to update AquaKubeEnforcer.", "Deployment.Namespace", found.Namespace, "Deployment.Name", found.Name)
-				return reconcile.Result{}, err
+			// Retry loop with backoff
+			retryCount := 0
+			maxRetries := 3
+			retryDelay := time.Second * 5
+
+			for {
+				// Increment retry count
+				retryCount++
+
+				// Attempt to update AquaKubeEnforcer
+				err = r.Client.Update(context.Background(), found)
+				if err == nil {
+					// Update successful, break out of the loop
+					break
+				}
+
+				// Check if maximum retries reached
+				if retryCount >= maxRetries {
+					reqLogger.Error(err, "Max retries reached. Failed to update AquaKubeEnforcer.")
+					return reconcile.Result{}, err
+				}
+
+				// Log the error and retry after delay
+				reqLogger.Info("Error updating AquaKubeEnforcer. Retrying...", "RetryCount", retryCount, "MaxRetries", maxRetries)
+				time.Sleep(retryDelay)
 			}
+
 			// Spec updated - return and requeue
 			return reconcile.Result{Requeue: true}, nil
 		}
-
 	}
 
 	reqLogger.Info("Skip reconcile: Aqua KubeEnforcer Exists", "AquaKubeEnforcer.Namespace", found.Namespace, "AquaKubeEnforcer.Name", found.Name)

diff --git a/controllers/operator/aquadatabase/aquadatabase_controller.go b/controllers/operator/aquadatabase/aquadatabase_controller.go
@@ -34,7 +34,6 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
 	"reflect"
-	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
@@ -225,7 +224,6 @@ func (r *AquaDatabaseReconciler) Reconcile(ctx context.Context, req ctrl.Request
 func (r *AquaDatabaseReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		Named("aquadatabase-controller").
-		WithOptions(controller.Options{Reconciler: r}).
 		For(&operatorv1alpha1.AquaDatabase{}).
 		Owns(&corev1.Secret{}).
 		Owns(&corev1.ServiceAccount{}).

diff --git a/controllers/operator/aquaenforcer/aquaenforcer_controller.go b/controllers/operator/aquaenforcer/aquaenforcer_controller.go
@@ -32,7 +32,6 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	"reflect"
-	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
@@ -153,7 +152,6 @@ func (r *AquaEnforcerReconciler) Reconcile(ctx context.Context, req ctrl.Request
 func (r *AquaEnforcerReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		Named("aquaenforcer-controller").
-		WithOptions(controller.Options{Reconciler: r}).
 		Owns(&corev1.Secret{}).
 		Owns(&corev1.ServiceAccount{}).
 		Owns(&corev1.ConfigMap{}).

diff --git a/controllers/operator/aquagateway/aquagateway_controller.go b/controllers/operator/aquagateway/aquagateway_controller.go
@@ -33,7 +33,6 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
 	"reflect"
-	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"strings"
@@ -151,7 +150,6 @@ func (r *AquaGatewayReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 func (r *AquaGatewayReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	builder := ctrl.NewControllerManagedBy(mgr).
 		Named("aquagateway-controller").
-		WithOptions(controller.Options{Reconciler: r}).
 		Owns(&corev1.Secret{}).
 		Owns(&appsv1.Deployment{}).
 		Owns(&corev1.Service{}).