feat(registry-scanner): add support for ocp registry (#1711)

Co-authored-by: hayk99 <hayk.kocharyan@sysdig.com>

charts/registry-scanner/Chart.yaml

@@ -4,7 +4,7 @@ description: Sysdig Registry Scanner
 type: application
 home: https://www.sysdig.com/
 icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
-version: 1.1.35
+version: 1.2.0
 appVersion: 0.2.69
 maintainers:
   - name: sysdiglabs

charts/registry-scanner/README.md

@@ -35,6 +35,7 @@ Follow the instructions in [Install Registry Scanner](https://docs.sysdig.com/en
 - Azure ACR
 - Google GAR
 - Google GCR
+- OpenShift Internal Registry
 
 Once installed, you can view the scan results in the [Vulnerabilities UI](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/registry/) of Sysdig Secure.
 
@@ -63,7 +64,7 @@ The following table lists the configurable parameters of the Sysdig Registry Sca
 | config.registryApiUrl                            | The API URL of the registry to scan. This is required if your registry type is Artifactory.                                                                                                                                                | <code>""</code>                              |
 | config.registryUser                              | The username for registry authentication.                                                                                                                                                                                                  | <code>""</code>                              |
 | config.registryPassword                          | The password for registry authentication.                                                                                                                                                                                                  | <code>""</code>                              |
-| config.registryType                              | Mandatory.<br/>The registry Type. Supported types: artifactory, ecr, icr, acr, quay, harbor, gar, gcr, nexus and dockerv2.                                                                                                                 | <code>""</code>                              |
+| config.registryType                              | Mandatory.<br/>The registry Type. Supported types: artifactory, ecr, icr, acr, quay, harbor, gar, gcr, nexus, ocp and dockerv2.                                                                                                            | <code>""</code>                              |
 | config.registryAccountId                         | The account ID. Applicable only for ICR registry type.                                                                                                                                                                                     | <code>""</code>                              |
 | config.icrIamApi                                 | The ICR IAM API. Applicable only for ICR registry type.                                                                                                                                                                                    | <code>""</code>                              |
 | config.icrIamApiSkipTLS                          | Ignore TLS certificate for IAM API. Applicable only for ICR registry type.                                                                                                                                                                 | <code>false</code>                           |
@@ -130,7 +131,7 @@ Use the following command to deploy:
 helm upgrade --install registry-scanner \
    --namespace sysdig-agent \
    --create-namespace \
-   --version=1.1.35 \
+   --version=1.2.0 \
    --set config.secureBaseURL=<SYSDIG_SECURE_URL> \
    --set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
    --set config.secureSkipTLS=true \

charts/registry-scanner/README.tpl

@@ -35,6 +35,7 @@ Follow the instructions in [Install Registry Scanner](https://docs.sysdig.com/en
 - Azure ACR
 - Google GAR
 - Google GCR
+- OpenShift Internal Registry
 
 Once installed, you can view the scan results in the [Vulnerabilities UI](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/registry/) of Sysdig Secure.
 

charts/registry-scanner/templates/_job.tpl

@@ -110,6 +110,7 @@
                 name: {{ .Values.existingSecretName }}
                 {{- end }}
                 key: registryUser
+          {{- if ne .Values.config.registryType "ocp" }}
           - name: REGISTRYSCANNER_REGISTRY_PASSWORD
             valueFrom:
               secretKeyRef:
@@ -120,6 +121,7 @@
                 {{- end }}
                 key: registryPassword
           {{- end }}
+          {{- end }}
           {{ if .Values.config.parallelGoRoutines }}
           - name: GROUP_LIMIT
             value: "{{ .Values.config.parallelGoRoutines }}"

charts/registry-scanner/templates/clusterrole.yaml

@@ -0,0 +1,11 @@
+{{- if eq .Values.config.registryType "ocp" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: token-requestor
+rules:
+- apiGroups: [""]
+  resources: ["serviceaccounts/token"]
+  verbs: ["create"]
+{{- end }}

charts/registry-scanner/templates/clusterrolebinding.yaml

@@ -0,0 +1,28 @@
+{{- if eq .Values.config.registryType "ocp" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "registry-scanner.fullname" . }}-crb-registry-viewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: registry-viewer
+subjects:
+- kind: ServiceAccount
+  name: {{ include "registry-scanner.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "registry-scanner.fullname" . }}-crb-token-requestor
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: token-requestor
+subjects:
+- kind: ServiceAccount
+  name: {{ include "registry-scanner.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/registry-scanner/templates/configmap.yaml

@@ -13,9 +13,7 @@ data:
       url: {{ .Values.config.registryURL }}
       user: from-secret
       pass: from-secret
-      {{- if .Values.config.registryType }}
       type: {{ .Values.config.registryType }}
-      {{- end }}
       {{- if .Values.config.registryAccountId }}
       accountId: {{ .Values.config.registryAccountId }}
       {{- end }}
@@ -25,7 +23,11 @@ data:
       {{- if .Values.config.icrIamApiSkipTLS }}
       icrIamApiSkipTLS: {{ .Values.config.icrIamApiSkipTLS }}
       {{- end }}
+      {{- if eq .Values.config.registryType "ocp" }}
+      skipTLS: true
+      {{- else }}
       skipTLS: {{ .Values.config.registrySkipTLS }}
+      {{- end }}
       {{- if .Values.config.registryApiUrl }}
       api: {{ .Values.config.registryApiUrl }}
       {{- end }}

charts/registry-scanner/templates/secret.yaml

@@ -18,6 +18,8 @@ data:
   {{- else if eq .Values.config.registryType "gcr" }}
   registryUser: {{ "_json_key" | b64enc | quote }}
   registryPassword: {{ required "A valid .Values.config.registryPassword is required" .Values.config.registryPassword | b64enc | quote }}
+  {{- else if eq .Values.config.registryType "ocp" }}
+  registryUser: {{ "serviceaccount"| b64enc | quote }}
   {{- else }}
   registryUser: {{ required "A valid .Values.config.registryUser is required" .Values.config.registryUser | b64enc | quote }}
   registryPassword: {{ required "A valid .Values.config.registryPassword is required" .Values.config.registryPassword | b64enc | quote }}

charts/registry-scanner/tests/ocp_test.yaml

@@ -0,0 +1,59 @@
+suite: Registry Scanner - OCP Internal Registry
+
+release:
+  name: my-release
+  namespace: my-namespace
+
+values:
+  - ocp_test_values.yaml
+
+tests:
+  - it: service account has registry-viewer role
+    documentIndex: 0
+    asserts:
+      - containsDocument:
+          kind: ClusterRoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+      - equal:
+          path: metadata.name
+          value: my-release-registry-scanner-crb-registry-viewer
+      - equal:
+          path: subjects[0].name
+          value: my-release-registry-scanner
+      - equal:
+          path: subjects[0].namespace
+          value: my-namespace
+      - equal:
+          path: roleRef.name
+          value: registry-viewer
+    template: templates/clusterrolebinding.yaml
+
+  - it: service account has token-requestor role
+    documentIndex: 1
+    asserts:
+      - containsDocument:
+          kind: ClusterRoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+      - equal:
+          path: metadata.name
+          value: my-release-registry-scanner-crb-token-requestor
+      - equal:
+          path: subjects[0].name
+          value: my-release-registry-scanner
+      - equal:
+          path: subjects[0].namespace
+          value: my-namespace
+      - equal:
+          path: roleRef.name
+          value: token-requestor
+    template: templates/clusterrolebinding.yaml
+
+  - it: checks configmap
+    asserts:
+      - matchRegex:
+          path: data['config.yaml']
+          pattern: "type: ocp"
+      - matchRegex:
+          path: data['config.yaml']
+          pattern: "skipTLS: true"
+    template: templates/configmap.yaml

charts/registry-scanner/tests/ocp_test_values.yaml

@@ -0,0 +1,3 @@
+config:
+  secureAPIToken: 11111111-2222-3333-4444-555555555555
+  registryType: ocp

charts/registry-scanner/values.yaml

@@ -28,7 +28,7 @@ config:
   registryUser: ""
   # The password for registry authentication.
   registryPassword: ""
-  # Mandatory.<br/>The registry Type. Supported types: artifactory, ecr, icr, acr, quay, harbor, gar, gcr, nexus and dockerv2.
+  # Mandatory.<br/>The registry Type. Supported types: artifactory, ecr, icr, acr, quay, harbor, gar, gcr, nexus, ocp and dockerv2.
   registryType: ""
   # The account ID. Applicable only for ICR registry type.
   registryAccountId: ""