feat(vulnerabilityreports): use deterministic names for secrets assoc…

…iated with scan jobs (#1069)

Signed-off-by: Daniel Pacak <[email protected]>

overrides/main.html

@@ -2,7 +2,7 @@
 
 {% block outdated %}
 You're not viewing the latest version.
-<a href="{{ config.site_url | url }}">
-    Click here to go to latest.
+<a href="{{ '../' ~ base_url }}">
+    <strong>Click here to go to latest.</strong>
 </a>
-{% endblock %}
+{% endblock %}

pkg/plugin/trivy/plugin.go

@@ -254,11 +254,6 @@ func (p *plugin) Init(ctx starboard.PluginContext) error {
 }
 
 func (p *plugin) GetScanJobSpec(ctx starboard.PluginContext, workload client.Object, credentials map[string]docker.Auth) (corev1.PodSpec, []*corev1.Secret, error) {
-	spec, err := kube.GetPodSpec(workload)
-	if err != nil {
-		return corev1.PodSpec{}, nil, err
-	}
-
 	config, err := p.newConfigFrom(ctx)
 	if err != nil {
 		return corev1.PodSpec{}, nil, err
@@ -274,9 +269,9 @@ func (p *plugin) GetScanJobSpec(ctx starboard.PluginContext, workload client.Obj
 	if command == Image {
 		switch mode {
 		case Standalone:
-			return p.getPodSpecForStandaloneMode(ctx, config, spec, credentials)
+			return p.getPodSpecForStandaloneMode(ctx, config, workload, credentials)
 		case ClientServer:
-			return p.getPodSpecForClientServerMode(ctx, config, spec, credentials)
+			return p.getPodSpecForClientServerMode(ctx, config, workload, credentials)
 		default:
 			return corev1.PodSpec{}, nil, fmt.Errorf("unrecognized trivy mode %q for command %q", mode, command)
 		}
@@ -294,14 +289,13 @@ func (p *plugin) GetScanJobSpec(ctx starboard.PluginContext, workload client.Obj
 	return corev1.PodSpec{}, nil, fmt.Errorf("unrecognized trivy command %q", command)
 }
 
-func (p *plugin) newSecretWithAggregateImagePullCredentials(spec corev1.PodSpec, credentials map[string]docker.Auth) *corev1.Secret {
+func (p *plugin) newSecretWithAggregateImagePullCredentials(obj client.Object, spec corev1.PodSpec, credentials map[string]docker.Auth) *corev1.Secret {
 	containerImages := kube.GetContainerImagesFromPodSpec(spec)
 	secretData := kube.AggregateImagePullSecretsData(containerImages, credentials)
 
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			// TODO Use deterministic names for secrets that hold image pull credentials, e.g. scan-vulnerabilityreport-<workload hash>-registry-creds
-			Name: p.idGenerator.GenerateID(),
+			Name: vulnerabilityreport.RegistryCredentialsSecretName(obj),
 		},
 		Data: secretData,
 	}
@@ -327,12 +321,17 @@ const (
 //
 //     trivy --cache-dir /tmp/trivy/.cache image --skip-update \
 //       --format json <container image>
-func (p *plugin) getPodSpecForStandaloneMode(ctx starboard.PluginContext, config Config, spec corev1.PodSpec, credentials map[string]docker.Auth) (corev1.PodSpec, []*corev1.Secret, error) {
+func (p *plugin) getPodSpecForStandaloneMode(ctx starboard.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth) (corev1.PodSpec, []*corev1.Secret, error) {
 	var secret *corev1.Secret
 	var secrets []*corev1.Secret
 
+	spec, err := kube.GetPodSpec(workload)
+	if err != nil {
+		return corev1.PodSpec{}, nil, err
+	}
+
 	if len(credentials) > 0 {
-		secret = p.newSecretWithAggregateImagePullCredentials(spec, credentials)
+		secret = p.newSecretWithAggregateImagePullCredentials(workload, spec, credentials)
 		secrets = append(secrets, secret)
 	}
 
@@ -673,12 +672,17 @@ func (p *plugin) getPodSpecForStandaloneMode(ctx starboard.PluginContext, config
 //
 //     trivy client --remote <server URL> \
 //       --format json <container image>
-func (p *plugin) getPodSpecForClientServerMode(ctx starboard.PluginContext, config Config, spec corev1.PodSpec, credentials map[string]docker.Auth) (corev1.PodSpec, []*corev1.Secret, error) {
+func (p *plugin) getPodSpecForClientServerMode(ctx starboard.PluginContext, config Config, workload client.Object, credentials map[string]docker.Auth) (corev1.PodSpec, []*corev1.Secret, error) {
 	var secret *corev1.Secret
 	var secrets []*corev1.Secret
 	var volumeMounts []corev1.VolumeMount
 	var volumes []corev1.Volume
 
+	spec, err := kube.GetPodSpec(workload)
+	if err != nil {
+		return corev1.PodSpec{}, nil, err
+	}
+
 	trivyImageRef, err := config.GetImageRef()
 	if err != nil {
 		return corev1.PodSpec{}, nil, err
@@ -690,7 +694,7 @@ func (p *plugin) getPodSpecForClientServerMode(ctx starboard.PluginContext, conf
 	}
 
 	if len(credentials) > 0 {
-		secret = p.newSecretWithAggregateImagePullCredentials(spec, credentials)
+		secret = p.newSecretWithAggregateImagePullCredentials(workload, spec, credentials)
 		secrets = append(secrets, secret)
 	}
 
@@ -1346,15 +1350,15 @@ func GetMirroredImage(image string, mirrors map[string]string) (string, error) {
 	return image, nil
 }
 
-func constructEnvVarSourceFromConfigMap(envName, trivyConfigName, trivyConfikey string) (res corev1.EnvVar) {
+func constructEnvVarSourceFromConfigMap(envName, configName, configKey string) (res corev1.EnvVar) {
 	res = corev1.EnvVar{
 		Name: envName,
 		ValueFrom: &corev1.EnvVarSource{
 			ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
 				LocalObjectReference: corev1.LocalObjectReference{
-					Name: trivyConfigName,
+					Name: configName,
 				},
-				Key:      trivyConfikey,
+				Key:      configKey,
 				Optional: pointer.BoolPtr(true),
 			},
 		},

pkg/vulnerabilityreport/builder.go

@@ -173,6 +173,10 @@ func GetScanJobName(obj client.Object) string {
 	}))
 }
 
+func RegistryCredentialsSecretName(obj client.Object) string {
+	return fmt.Sprintf("%s-regcred", GetScanJobName(obj))
+}
+
 type ReportBuilder struct {
 	scheme     *runtime.Scheme
 	controller client.Object