Merge pull request #233 from undistro/feat/push-vuln-reports

Send vulnerability reports to SaaS when enabled

api/zora/v1alpha1/vulnerabilityreport_types.go

@@ -67,7 +67,23 @@ type VulnerabilitySummary struct {
 }
 
 // VulnerabilityReportStatus defines the observed state of VulnerabilityReport
-type VulnerabilityReportStatus struct{}
+type VulnerabilityReportStatus struct {
+	Status `json:",inline"`
+}
+
+func (in *VulnerabilityReport) SetSaaSStatus(status metav1.ConditionStatus, reason, msg string) {
+	in.Status.SetCondition(metav1.Condition{
+		Type:               "SaaS",
+		Status:             status,
+		ObservedGeneration: in.Generation,
+		Reason:             reason,
+		Message:            msg,
+	})
+}
+
+func (in *VulnerabilityReport) SaaSStatusIsTrue() bool {
+	return in.Status.ConditionIsTrue("SaaS")
+}
 
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status

charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml

@@ -185,6 +185,82 @@ spec:
             type: object
           status:
             description: VulnerabilityReportStatus defines the observed state of VulnerabilityReport
+            properties:
+              conditions:
+                description: Conditions the latest available observations of a resource's
+                  current state.
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              observedGeneration:
+                description: ObservedGeneration is the 'Generation' of the resource
+                  that was last processed by the controller.
+                format: int64
+                type: integer
             type: object
         type: object
     served: true

charts/zora/templates/operator/rbac.yaml

@@ -265,6 +265,26 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+    - zora.undistro.io
+  resources:
+    - vulnerabilityreports
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - zora.undistro.io
+  resources:
+    - vulnerabilityreports/status
+  verbs:
+    - get
+    - patch
+    - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

config/crd/bases/zora.undistro.io_vulnerabilityreports.yaml

@@ -171,6 +171,82 @@ spec:
             type: object
           status:
             description: VulnerabilityReportStatus defines the observed state of VulnerabilityReport
+            properties:
+              conditions:
+                description: Conditions the latest available observations of a resource's
+                  current state.
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              observedGeneration:
+                description: ObservedGeneration is the 'Generation' of the resource
+                  that was last processed by the controller.
+                format: int64
+                type: integer
             type: object
         type: object
     served: true

config/rbac/role.yaml

@@ -219,3 +219,5 @@ rules:
   - vulnerabilityreports/status
   verbs:
   - get
+  - patch
+  - update

internal/controller/zora/clusterscan_controller.go

@@ -74,7 +74,7 @@ type ClusterScanReconciler struct {
 //+kubebuilder:rbac:groups=zora.undistro.io,resources=clusterissues,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=zora.undistro.io,resources=clusterissues/status,verbs=get
 //+kubebuilder:rbac:groups=zora.undistro.io,resources=vulnerabilityreports,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=zora.undistro.io,resources=vulnerabilityreports/status,verbs=get
+//+kubebuilder:rbac:groups=zora.undistro.io,resources=vulnerabilityreports/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=batch,resources=cronjobs/status,verbs=get
 //+kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch

internal/saas/client.go

@@ -22,6 +22,8 @@ import (
 	"net/http"
 	"net/url"
 	"path"
+
+	"github.com/undistro/zora/api/zora/v1alpha1"
 )
 
 const (
@@ -42,6 +44,7 @@ type Client interface {
 	DeleteCluster(ctx context.Context, namespace, name string) error
 	PutClusterScan(ctx context.Context, namespace, name string, pluginStatus map[string]*PluginStatus) error
 	DeleteClusterScan(ctx context.Context, namespace, name string) error
+	PutVulnerabilityReport(ctx context.Context, namespace, name string, vulnReport v1alpha1.VulnerabilityReport) error
 }
 
 type client struct {
@@ -120,6 +123,26 @@ func (r *client) PutClusterScan(ctx context.Context, namespace, name string, plu
 	return validateStatus(res)
 }
 
+func (r *client) PutVulnerabilityReport(ctx context.Context, namespace, name string, vulnReport v1alpha1.VulnerabilityReport) error {
+	u := r.clusterURL(namespace, name, "vulnerabilityreports")
+	b, err := json.Marshal(vulnReport)
+	if err != nil {
+		return err
+	}
+	req, err := http.NewRequestWithContext(ctx, http.MethodPut, u, bytes.NewReader(b))
+	if err != nil {
+		return err
+	}
+	req.Header.Set("content-type", "application/json")
+	req.Header.Set(versionHeader, r.version)
+	res, err := r.client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	return validateStatus(res)
+}
+
 func (r *client) DeleteClusterScan(ctx context.Context, namespace, name string) error {
 	u := r.clusterURL(namespace, name, "scan")
 	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, u, nil)

internal/saas/clusters.go

@@ -80,6 +80,7 @@ type ScanStatus struct {
 	Status  ScanStatusType `json:"status"`
 	Message string         `json:"message"`
 	Suspend bool           `json:"suspend"`
+	ID      string         `json:"id"`
 }
 
 type ConnectionStatus struct {
@@ -156,6 +157,7 @@ func NewScanStatus(scans []v1alpha1.ClusterScan) (map[string]*PluginStatus, *int
 			}
 			pluginStatus[p].Scan.Suspend = pointer.BoolDeref(cs.Spec.Suspend, false)
 			pluginStatus[p].Schedule = cs.Spec.Schedule
+			pluginStatus[p].Scan.ID = s.LastScanID
 
 			if s.TotalIssues != nil {
 				if pluginStatus[p].IssueCount == nil {