From 1354c6a2585af1d9d41e54ba0d1cb486875dbfea Mon Sep 17 00:00:00 2001
From: Federico Mengozzi <19249682+fedemengo@users.noreply.github.com>
Date: Mon, 27 Nov 2023 15:43:21 +0100
Subject: [PATCH 1/5] feat(registry-scanner): ovveride platform scanning logic

---
 charts/registry-scanner/README.md | 1 +
 charts/registry-scanner/templates/configmap.yaml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/charts/registry-scanner/README.md b/charts/registry-scanner/README.md
index bcd194828..8bb99f7e2 100644
--- a/charts/registry-scanner/README.md
+++ b/charts/registry-scanner/README.md
@@ -93,6 +93,7 @@ The following table lists the configurable parameters of the Sysdig Registry Sca
 | config.scan.jobs.resources.requests.cpu | The CPU request for the scanner job. | 500m |
 | config.scan.jobs.resources.limits.memory | The memory limit for the scanner job. | 2Gi |
 | config.scan.jobs.temporaryVolumeSizeLimit | The size limit for the emptyDir volume used by the scanner job.
This volume is used to store both the vulnerability database and the image to scan. | 2Gi |
+| config.scan.disablePlatformScanning | Force the scan to happen on the client component rather than relying on backend scanning | false |
 | config.parallelGoRoutines | Number of goroutines running in parallel in metadata phase for ECR Org setup. | 100 |
 | ssl.ca.certs | For outbound connections.
List of PEM-encoded x509 certificate authority. | [] |
 | customLabels | The additional labels to add to CronJob and Scanning Jobs. The custom labels to be added to kubernetes manifests of all the resources created. | {} |
diff --git a/charts/registry-scanner/templates/configmap.yaml b/charts/registry-scanner/templates/configmap.yaml
index 7d460aa25..11d12a82f 100644
--- a/charts/registry-scanner/templates/configmap.yaml
+++ b/charts/registry-scanner/templates/configmap.yaml
@@ -54,6 +54,7 @@ data:
 k8sInCluster: true
 namespace: {{ .Release.Namespace }}
 workers: {{ .Values.config.maxWorkers }}
+ disablePlatformScanning: {{ default false .Values.config.scan.disablePlatformScanning }}
 jobs:
 ttlSecondsAfterFinished: {{ .Values.config.scan.jobs.ttlSecondsAfterFinished }}
 serviceAccountName: {{ include "registry-scanner.serviceAccountName" . }}

From 21791f7bb8e693175f62902659e43b1599deca9a Mon Sep 17 00:00:00 2001
From: Federico Mengozzi <19249682+fedemengo@users.noreply.github.com>
Date: Fri, 1 Dec 2023 18:05:27 +0100
Subject: [PATCH 2/5] feat(registry-scanner): propagate schedule as env var

---
 charts/registry-scanner/templates/_job.tpl | 2 ++
 charts/registry-scanner/templates/configmap.yaml | 1 +
 2 files changed, 3 insertions(+)

diff --git a/charts/registry-scanner/templates/_job.tpl b/charts/registry-scanner/templates/_job.tpl
index 92cde2b68..157b305a8 100644
--- a/charts/registry-scanner/templates/_job.tpl
+++ b/charts/registry-scanner/templates/_job.tpl
@@ -128,6 +128,8 @@
 - name: REGISTRYSCANNER_PROFILING_ENABLED
 value: /profiling
 {{- end }}
+ - name: REGISTRYSCANNER_CRONJOB_SCHEDULE
+ value: {{ .Values.cronjob.schedule | quote }}
 {{- if .Values.extraEnvVars }}
 {{- toYaml .Values.extraEnvVars | nindent 10 }}
 {{- end }}
diff --git a/charts/registry-scanner/templates/configmap.yaml b/charts/registry-scanner/templates/configmap.yaml
index 11d12a82f..7c927263f 100644
--- a/charts/registry-scanner/templates/configmap.yaml
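Review bot: `disablePlatformScanning` is rendered as a bare scalar, so `default false` only covers an unset key, and any non-boolean value that reaches it (a quoted `"yes"`/`"off"` in a values file, or `--set-string`) is copied verbatim into config.yaml, where whether it means true is left to the scanner's YAML parser (YAML 1.1 loaders accept `yes`/`on`/`off` as booleans, 1.2 loaders read them as strings); the test added later in this series even sets the string `"true"` and relies on that pass-through. For a flag that decides whether images are scanned by the in-cluster job or by the backend, a silently ignored value is the wrong failure mode. I would normalise to a real boolean, `disablePlatformScanning: {{ eq (toString .Values.config.scan.disablePlatformScanning) "true" }}`, which also makes `default false` redundant with the `false` declared in values.yaml, or alternatively `fail` the render on anything other than true/false. The `data:` block this key sits in starts and ends outside the hunk.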
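Review bot: Nothing in the chart says why the scanner process needs `REGISTRYSCANNER_CRONJOB_SCHEDULE` (the commit message only says "propagate"), and the entry is emitted unconditionally, so if `cronjob.schedule` is empty `quote` prints nothing and the container gets a bare `value:`; the CronJob's own `spec.schedule` would presumably be rejected by the API first, but a render-time error is clearer. I would write it as `value: {{ required "cronjob.schedule is required" .Values.cronjob.schedule | quote }}` and add a template comment above the entry, e.g. `{{- /* Mirror of cronjob.schedule for the scanner binary; keep in sync with the CronJob spec. */ }}`, stating what the binary does with it. Because this line is emitted before `extraEnvVars`, a user-supplied entry with the same name lands later in the list and, in practice, the last value wins; if that override is intended it belongs in the comment too. The env list this hunk belongs to starts and ends outside the hunk.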
+++ b/charts/registry-scanner/templates/configmap.yaml
@@ -65,6 +65,7 @@ data:
 limits:
 memory: {{ .Values.config.scan.jobs.resources.limits.memory }}
 temporaryVolumeSizeLimit: {{ .Values.config.scan.jobs.temporaryVolumeSizeLimit }}
+ scheduleExpression: {{ .Values.cronjob.schedule | quote }}
 {{- if .Values.config.scan.inlineScanImage }}
 inlineScanImage: {{ .Values.config.scan.inlineScanImage }}
 {{- end }}

From b17cd00c576c36e737db0021de62b9f5610f8b4d Mon Sep 17 00:00:00 2001
From: Federico Mengozzi <19249682+fedemengo@users.noreply.github.com>
Date: Tue, 5 Dec 2023 17:31:10 +0100
Subject: [PATCH 3/5] remove unused var

---
 charts/registry-scanner/templates/configmap.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/charts/registry-scanner/templates/configmap.yaml b/charts/registry-scanner/templates/configmap.yaml
index 7c927263f..11d12a82f 100644
--- a/charts/registry-scanner/templates/configmap.yaml
+++ b/charts/registry-scanner/templates/configmap.yaml
@@ -65,7 +65,6 @@ data:
 limits:
 memory: {{ .Values.config.scan.jobs.resources.limits.memory }}
 temporaryVolumeSizeLimit: {{ .Values.config.scan.jobs.temporaryVolumeSizeLimit }}
- scheduleExpression: {{ .Values.cronjob.schedule | quote }}
 {{- if .Values.config.scan.inlineScanImage }}
 inlineScanImage: {{ .Values.config.scan.inlineScanImage }}
 {{- end }}

From ed3164300d37b34b0ea5019012893ad97a44edd6 Mon Sep 17 00:00:00 2001
From: Federico Mengozzi <19249682+fedemengo@users.noreply.github.com>
Date: Tue, 19 Dec 2023 11:36:08 +0100
Subject: [PATCH 4/5] add tests

---
 charts/registry-scanner/tests/configmap_test.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/charts/registry-scanner/tests/configmap_test.yaml b/charts/registry-scanner/tests/configmap_test.yaml
index b66a4062a..14b24d8a6 100644
--- a/charts/registry-scanner/tests/configmap_test.yaml
+++ b/charts/registry-scanner/tests/configmap_test.yaml
@@ -139,3 +139,17 @@ tests:
 - matchRegex:
 path: data['config.yaml']
 pattern: allowListMemberAccountIDs:\n\s*- 123456789
+ - it: platform scanning is not disable by default
+ asserts:
+ - matchRegex:
+ path: data['config.yaml']
+ pattern: scan:((.|\n)*)disablePlatformScanning:\s*false
+ - it: force scanning on the client component regardless of backend config
+ set:
+ config:
+ scan:
+ disablePlatformScanning: "true"
+ asserts:
+ - matchRegex:
+ path: data['config.yaml']
+ pattern: scan:((.|\n)*)disablePlatformScanning:\s*true

From cb0a6f4b40d90b50f77fc0cc815cf3a10d6bca94 Mon Sep 17 00:00:00 2001
From: Federico Mengozzi <19249682+fedemengo@users.noreply.github.com>
Date: Tue, 19 Dec 2023 14:01:37 +0100
Subject: [PATCH 5/5] feat(registry-scanner): bump chart version

---
 charts/registry-scanner/Chart.yaml | 4 ++--
 charts/registry-scanner/README.md | 2 +-
 charts/registry-scanner/README.tpl | 2 +-
 charts/registry-scanner/values.yaml | 2 ++
 4 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/charts/registry-scanner/Chart.yaml b/charts/registry-scanner/Chart.yaml
index 0da670392..97892ccf9 100644
--- a/charts/registry-scanner/Chart.yaml
+++ b/charts/registry-scanner/Chart.yaml
@@ -4,7 +4,7 @@ description: Sysdig Registry Scanner
 type: application
 home: https://www.sysdig.com/
 icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
-version: 1.1.25
-appVersion: 0.2.60
+version: 1.1.26
+appVersion: 0.2.61
 maintainers:
 - name: sysdiglabs
diff --git a/charts/registry-scanner/README.md b/charts/registry-scanner/README.md
index 8bb99f7e2..bb5884b18 100644
--- a/charts/registry-scanner/README.md
+++ b/charts/registry-scanner/README.md
@@ -130,7 +130,7 @@ Use the following command to deploy:
 helm upgrade --install registry-scanner \
 --namespace sysdig-agent \
 --create-namespace \
- --version=1.1.25 \
+ --version=1.1.26 \
 --set config.secureBaseURL= \
 --set config.secureAPIToken= \
 --set config.secureSkipTLS=true \
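Review bot: The second case sets `disablePlatformScanning: "true"` as a string while values.yaml (patch 5 of this series) declares the key as a boolean `false`, so the regex passes only because the template copies whatever scalar it receives verbatim; it does not show that the documented type renders correctly, and no case exercises a string that is not `"true"`. I would set `disablePlatformScanning: true` here and add a third case passing the string `"false"` with the `\s*false` assertion, so that any later type normalisation in the configmap template is pinned by the suite. The description on the first case, `platform scanning is not disable by default`, should read `is not disabled by default`. Also `scan:((.|\n)*)` spans the rest of the document, so the `scan:` prefix does not actually constrain the key to the scan block; a pattern anchored on the key's indentation would be stricter, though check it against the regex dialect helm-unittest uses before relying on it.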
diff --git a/charts/registry-scanner/README.tpl b/charts/registry-scanner/README.tpl
index e1950db19..9e7c5616d 100644
--- a/charts/registry-scanner/README.tpl
+++ b/charts/registry-scanner/README.tpl
@@ -62,7 +62,7 @@ Use the following command to deploy:
 helm upgrade --install registry-scanner \
 --namespace sysdig-agent \
 --create-namespace \
- {{ with .Chart.Version }}--version={{.}} {{ end }} \
+ {{ with .Chart.Version }}--version={{.}}{{ end }} \
 --set config.secureBaseURL= \
 --set config.secureAPIToken= \
 --set config.secureSkipTLS=true \
diff --git a/charts/registry-scanner/values.yaml b/charts/registry-scanner/values.yaml
index 43fe49795..0a32ef66c 100644
--- a/charts/registry-scanner/values.yaml
+++ b/charts/registry-scanner/values.yaml
@@ -105,6 +105,8 @@ config:
 # The size limit for the emptyDir volume used by the scanner job.
# This volume is used to store both the vulnerability database and the image to scan.
 temporaryVolumeSizeLimit: 2Gi
+ # Force the scan to happen on the client component rather than relying on backend scanning
+ disablePlatformScanning: false
 # Number of goroutines running in parallel in metadata phase for ECR Org setup.
 parallelGoRoutines: 100
 ssl:
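Review bot: The comment on `disablePlatformScanning` describes the mechanism but not the consequence an operator has to weigh: with `true` the image is scanned by the in-cluster job instead of the Sysdig backend, so — if the emptyDir comment two lines above applies to this path — the job's CPU/memory limits and `temporaryVolumeSizeLimit` become the constraint for every image and the cluster itself needs pull access to the registry; confirm the exact behaviour with the scanner team before writing it down. I would expand it to two lines, e.g. `# Force the scan to happen on the client component (the in-cluster job) rather than relying on backend (platform) scanning.` followed by `# NOTE(review): state when this is needed (e.g. registry unreachable from the backend) and the job resource implications.`. Keeping the value a bare `false`, as it is here, is right since YAML types it as a boolean. The `config:` block this key belongs to starts and ends outside the hunk.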