fix(cluster-scanner): corrected the syntax of mirrors configuration a…
…s PR comments
michele-mangili committed Oct 4, 2023
1 parent 973bbb2 commit d49facf
Showing 8 changed files with 143 additions and 41 deletions.
2 changes: 1 addition & 1 deletion charts/cluster-scanner/README.md
Expand Up @@ -134,7 +134,7 @@ The following table lists the configurable parameters of the `cluster-scanner` c
| imageSbomExtractor.cache.local.maxSizeBytes | The maximum size in bytes of the local cache. By default it is set to 35MB | <code>"36700160"</code> |
| imageSbomExtractor.cache.local.maxElementSizeBytes | When using `local` as cache type, restrict the maximum size of elements to be cached. By default it is set to 100KB | <code>"102400"</code> |
| imageSbomExtractor.cache.local.ttl | The TTL for items in the local cache. By default it is set to 7 days. | <code>"168h"</code> |
| imageSbomExtractor.registryMirrorsConfig | Provide optional mirrors configuration to be used by Image SBOM Extractor to pull images. [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from the provided mirrors. When provided, the parameter must be a string in docker-daemon configuration file format (see: https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon). <br> Example: <br> `registryMirrorsConfig: \|-` <br> `{` <br> `"registry-mirrors": [` <br> `"insecure.mirror.acme.com",` <br> `"secure.mirror.acme.com"` <br> `],` <br> `"insecure-registries": [` <br> `"insecure.mirror.acme.com"` <br> `]` <br> `}` | <code></code> |
| imageSbomExtractor.mirrors | Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images. [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from the provided mirrors. The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors (potentially insecure), can be specified. See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ . <br> Example: <br> `mirrors:` <br> `registryMirrors:` <br> `- insecure.mirror.acme.com` <br> `- secure.mirror.acme.com` <br> `insecureRegistries:` <br> `- insecure.mirror.acme.com` | <code></code> |
| nameOverride | Chart name override | <code>""</code> |
| fullnameOverride | Chart full name override | <code>""</code> |
| serviceAccount.create | Specifies whether a service account should be created | <code>true</code> |
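Review bot: the example in the new `imageSbomExtractor.mirrors` row is flattened into `<br>`-separated inline code, so `registryMirrors:` and `insecureRegistries:` render at the same level as `mirrors:` and the YAML nesting is lost. Anyone copying it from the table will not get the nested structure the chart expects. Consider pointing the row at the commented example in values.yaml, or rendering the example so that the indentation survives.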
4 changes: 2 additions & 2 deletions charts/cluster-scanner/templates/deployment.yaml
Expand Up @@ -48,7 +48,7 @@ spec:
configMap:
name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl) }}
{{- end }}
{{- if .Values.imageSbomExtractor.registryMirrorsConfig }}
{{- if .Values.imageSbomExtractor.mirrors }}
- name: registry-mirrors-config
configMap:
name: {{ include "cluster-scanner.fullname" . }}-registry-mirrors
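Review bot: with the guard now on `.Values.imageSbomExtractor.mirrors`, a release that still sets the old `imageSbomExtractor.registryMirrorsConfig` key renders without the `registry-mirrors-config` volume and, as far as these hunks show, without any error, so the mirrors silently stop being used after an upgrade. Consider a `fail` in the template when the old key is set, or an explicit upgrade note telling users to move to `mirrors`.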
Expand Down Expand Up @@ -320,7 +320,7 @@ spec:
mountPath: /ca-certs
readOnly: true
{{- end }}
{{- if .Values.imageSbomExtractor.registryMirrorsConfig }}
{{- if .Values.imageSbomExtractor.mirrors }}
- name: registry-mirrors-config
mountPath: /etc/docker/daemon.json
subPath: daemon.json
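Review bot: the `registry-mirrors-config` mount uses `subPath: daemon.json`, and Kubernetes does not propagate ConfigMap updates into subPath mounts, so a change to `mirrors` on upgrade will not reach a running pod unless something else restarts it. If the pod template does not already carry one, add a checksum annotation computed from the registry-mirrors ConfigMap so that editing the mirrors rolls the deployment.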
8 changes: 6 additions & 2 deletions charts/cluster-scanner/templates/registrymirror.yaml
@@ -1,4 +1,4 @@
{{- if .Values.imageSbomExtractor.registryMirrorsConfig -}}
{{- if .Values.imageSbomExtractor.mirrors -}}
apiVersion: v1
kind: ConfigMap
metadata:
Expand All @@ -7,5 +7,9 @@ metadata:
labels:
{{- include "cluster-scanner.labels" . | nindent 4 }}
data:
daemon.json: {{ .Values.imageSbomExtractor.registryMirrorsConfig | toJson | nindent 6 }}
daemon.json: |-
{
"registry-mirrors": {{ .Values.imageSbomExtractor.mirrors.registryMirrors | default list | toJson }},
"insecure-registries": {{ .Values.imageSbomExtractor.mirrors.insecureRegistries | default list | toJson }}
}
{{- end -}}
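Review bot: in `daemon.json` the JSON document is assembled by hand around two `toJson` calls, so the braces, the key names and the comma between the two entries live in template text. Building a `dict` with the `registry-mirrors` and `insecure-registries` keys and piping the whole value through `toJson` would make the output valid JSON by construction (the expected strings in registrymirror_test.yaml would need updating to match). Separately, `insecureRegistries` is rendered independently of `registryMirrors`, so any host can be listed there, not only a configured mirror; if that is intended, say so in the docs, otherwise check that each insecure entry also appears in the mirrors list.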
9 changes: 5 additions & 4 deletions charts/cluster-scanner/tests/deployment_test.yaml
Expand Up @@ -493,7 +493,7 @@ tests:
name: ENV_VAR_BOOL
value: "true"

- it: "does not have registry volume nor volumeMounts if registryMirrorsConfig is empty"
- it: "does not have registry volume nor volumeMounts if mirrors is empty"
templates:
- ../templates/deployment.yaml
asserts:
Expand All @@ -502,10 +502,11 @@ tests:
- isEmpty:
path: spec.template.spec.containers[1].volumeMounts

- it: "has registry volume mount if registryMirrorsConfig is configured"
- it: "has registry volume mount if mirrors are configured"
set:
imageSbomExtractor.registryMirrorsConfig: |-
testdata
imageSbomExtractor.mirrors:
registryMirrors:
- "foobar"
templates:
- ../templates/deployment.yaml
asserts:
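Review bot: the "has registry volume mount if mirrors are configured" case only sets `registryMirrors`. The template condition is on `mirrors` as a whole, so add a case with only `insecureRegistries` set to confirm the volume and the mount are rendered for that shape as well.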
2 changes: 2 additions & 0 deletions charts/cluster-scanner/tests/notes_test.yaml
@@ -1,6 +1,8 @@
suite: Test links in the notes section for regions
templates:
- templates/NOTES.txt
values:
- ../values.yaml
tests:
- it: Checking default value no region specified (us1)
asserts:
109 changes: 91 additions & 18 deletions charts/cluster-scanner/tests/registrymirror_test.yaml
Expand Up @@ -9,22 +9,41 @@ release:

tests:
- it: "does not have mirrors, if they are not provided"
set:
imageSbomExtractor.mirrors:
asserts:
- hasDocuments:
count: 0

- it: "has mirrors ConfigMap, when registryMirrorsConfig is set"
- it: "has mirrors ConfigMap, when mirrors are set"
set:
imageSbomExtractor.mirrors:
registryMirrors:
- "insecure.mirror.acme.com"
- "secure.mirror.acme.com"
insecureRegistries:
- "insecure.mirror.acme.com"
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ConfigMap
apiVersion: v1
name: test-release-cluster-scanner-registry-mirrors
namespace: test-ns
- equal:
path: data["daemon.json"]
value: |-
{
"registry-mirrors": ["insecure.mirror.acme.com","secure.mirror.acme.com"],
"insecure-registries": ["insecure.mirror.acme.com"]
}
- it: "has correct empty registry mirrors"
set:
imageSbomExtractor.registryMirrorsConfig: |-
{
"registry-mirrors": [
"insecure.mirror.acme.com",
"secure.mirror.acme.com"
],
"insecure-registries": [
"insecure.mirror.acme.com"
]
}
imageSbomExtractor.mirrors:
insecureRegistries:
- "insecure.mirror.acme.com"
asserts:
- hasDocuments:
count: 1
Expand All @@ -37,11 +56,65 @@ tests:
path: data["daemon.json"]
value: |-
{
"registry-mirrors": [
"insecure.mirror.acme.com",
"secure.mirror.acme.com"
],
"insecure-registries": [
"insecure.mirror.acme.com"
]
"registry-mirrors": [],
"insecure-registries": ["insecure.mirror.acme.com"]
}
- it: "has correct empty insecure registries mirrors"
set:
imageSbomExtractor.mirrors:
registryMirrors:
- "insecure.mirror.acme.com"
- "secure.mirror.acme.com"
- "one more mirror"
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ConfigMap
apiVersion: v1
name: test-release-cluster-scanner-registry-mirrors
namespace: test-ns
- equal:
path: data["daemon.json"]
value: |-
{
"registry-mirrors": ["insecure.mirror.acme.com","secure.mirror.acme.com","one more mirror"],
"insecure-registries": []
}
- it: "fails if format of registry mirrors is wrong"
set:
imageSbomExtractor.mirrors:
registryMirrors:
nested: "object"
asserts:
- failedTemplate:
errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors.registryMirrors: Invalid type. Expected: array, given: object\n"

- it: "fails if format of insecure registries is wrong"
set:
imageSbomExtractor.mirrors:
insecureRegistries: 18
asserts:
- failedTemplate:
errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors.insecureRegistries: Invalid type. Expected: array, given: integer\n"

- it: "fails if format of mirrors is wrong"
set:
imageSbomExtractor.mirrors: 18
asserts:
- failedTemplate:
errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors: Invalid type. Expected: object, given: integer\n"

- it: "fails if mirrors contains unexpeceted property"
set:
imageSbomExtractor.mirrors:
gigi:
- "insecure.mirror.acme.com"
- "secure.mirror.acme.com"
insecureRegistries:
- "insecure.mirror.acme.com"
asserts:
- failedTemplate:
errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors: Additional property gigi is not allowed\n"
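Review bot: the last test name has a typo, "fails if mirrors contains unexpeceted property" should read "unexpected". The "has correct empty insecure registries mirrors" case passes `"one more mirror"`, a value with spaces that cannot be a registry host, and it renders into daemon.json unchanged; that shows the schema accepts any string. Either use a realistic host name in the fixture or, better, tighten the schema and add a failing case for a malformed entry. The four `failedTemplate` assertions compare the full error string including the "values don't meet the specifications" preamble, which ties the tests to the exact wording of the validator; matching only the distinguishing fragment would be less brittle.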
24 changes: 24 additions & 0 deletions charts/cluster-scanner/values.schema.json
Expand Up @@ -43,6 +43,30 @@
}
}
}
},
"imageSbomExtractor": {
"type": "object",
"properties": {
"mirrors": {
"type": "object",
"type": ["object", "null"],
"additionalProperties": false,
"properties": {
"registryMirrors": {
"type": "array",
"items": {
"type": "string"
}
},
"insecureRegistries": {
"type": "array",
"items": {
"type": "string"
}
}
}
}
}
}
}
}
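Review bot: the `mirrors` schema declares `"type"` twice, `"type": "object",` immediately followed by `"type": ["object", "null"],`. Duplicate keys in a JSON object are handled differently by different parsers (commonly the last one wins), so which constraint applies depends on the parser; remove the first line and keep the nullable form, which the empty `mirrors:` default in values.yaml needs. The `items` of both arrays are only `"type": "string"`, so empty or malformed entries pass validation; a `minLength` or a host `pattern` would reject them before they are written to daemon.json.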
26 changes: 12 additions & 14 deletions charts/cluster-scanner/values.yaml
Expand Up @@ -218,26 +218,24 @@ imageSbomExtractor:
# sentinelAddress: ""
# ttl: "168h" # Default ttl is 7 days

# Provide optional mirrors configuration to be used by Image SBOM Extractor to pull images.
# Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images.
# [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from
# the provided mirrors.
#
# When provided, the parameter must be a string in docker-daemon configuration file format
# (see: https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon).
# The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors
# (potentially insecure), can be specified.
#
# See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ .
#
# Example:
#
# registryMirrorsConfig: \|-
# {
# "registry-mirrors": [
# "insecure.mirror.acme.com",
# "secure.mirror.acme.com"
# ],
# "insecure-registries": [
# "insecure.mirror.acme.com"
# ]
# }
registryMirrorsConfig:
# mirrors:
# registryMirrors:
# - insecure.mirror.acme.com
# - secure.mirror.acme.com
# insecureRegistries:
# - insecure.mirror.acme.com
mirrors:

# Chart name override
nameOverride: ""
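Review bot: the comment block above `mirrors:` describes the mirrors as "(potentially insecure)" and links to the Docker docs, but never says what listing a host under `insecureRegistries` changes. For the docker daemon, hosts in insecure-registries are contacted without certificate verification and may fall back to plain HTTP; state the equivalent for Image SBOM Extractor in the comment so operators know that images pulled from those hosts are not protected in transit. A one-line comment that `mirrors` replaces `registryMirrorsConfig` would also help people diffing their own values file.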
