kubewarden · viccuad · Jul 14, 2023 · Jul 13, 2023 · Jul 13, 2023 · Jul 13, 2023
@@ -18,7 +18,10 @@ jobs:
         with:
           script: |
             let repository = context.payload.client_payload.repository
-            if (!repository.endsWith("kubewarden-controller") && !repository.endsWith("policy-server") && !repository.endsWith("kwctl")) {
+            if (!repository.endsWith("kubewarden-controller") && \
+                !repository.endsWith("policy-server") && \
+                !repository.endsWith("kwctl")) && \
+                !repository.endsWith("audit-scanner")) {
                     core.setFailed("Invalid repository")
             }
 
@@ -77,7 +80,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
 
-      - name: Download CRDS
+      - name: Download CRDS controller
         if: endsWith(github.event.client_payload.repository, 'kubewarden-controller')
         uses: actions/github-script@v6
         with:
@@ -94,21 +97,45 @@ jobs:
                               accept: "application/octet-stream"},
               })
               let fs = require('fs');
-              fs.writeFileSync("/tmp/crds.tar.gz", Buffer.from(asset.data))
+              fs.writeFileSync("/tmp/crds-controller.tar.gz", Buffer.from(asset.data))
             }
 
-      - name: Update CRDS
-        if: endsWith(github.event.client_payload.repository, 'kubewarden-controller')
+      - name: Download CRDS audit-scanner
+        if: endsWith(github.event.client_payload.repository, 'audit-scanner')
+        uses: actions/github-script@v6
+        with:
+          script: |
+            let repository = context.payload.client_payload.repository
+            if (repository.endsWith("audit-scanner")) {
+              let crds_asset_id = context.payload.client_payload.crds_asset_id
+              console.log(`Fetching asset ID: ${crds_asset_id}`)
+              let repository_split = context.payload.client_payload.repository.split("/")
+              let owner = repository_split[0]
+              let repository = repository_split[1]
+              let asset = await github.rest.repos.getReleaseAsset({
+                      owner: owner, repo: repository, asset_id: crds_asset_id, headers:{
+                              accept: "application/octet-stream"},
+              })
+              let fs = require('fs');
+              fs.writeFileSync("/tmp/crds-audit-scanner.tar.gz", Buffer.from(asset.data))
+            }
+
+      - name: Update CRDs
+        if: endsWith(github.event.client_payload.repository, 'kubewarden-controller') || endsWith(github.event.client_payload.repository, 'audit-scanner')
         id: update_crds
         run: |
           # The next commands are use in the updatecli/scripts/install_crds.sh as well.
           # Here the commands are used to detect CRDs changes. In the script they are used
           # to install the CRDs
-          tar -xvf /tmp/crds.tar.gz
+          tar -xvf /tmp/crds-controller.tar.gz
           find . -maxdepth 1 -name "*_policyserver*" -exec  mv \{\} charts/kubewarden-crds/templates/policyservers.yaml \;
           find . -maxdepth 1 -name "*_admissionpolicies*" -exec  mv \{\} charts/kubewarden-crds/templates/admissionpolicies.yaml \;
           find . -maxdepth 1 -name "*_clusteradmissionpolicies*" -exec  mv \{\} charts/kubewarden-crds/templates/clusteradmissionpolicies.yaml \;
 
+          tar -xvf /tmp/crds-audit-scanner.tar.gz
+          find . -maxdepth 1 -name "*_clusterpolicyreports*" -exec  mv \{\} charts/kubewarden-crds/templates/clusterpolicyreports.yaml \;
+          find . -maxdepth 1 -name "*_policyreports*" -exec  mv \{\} charts/kubewarden-crds/templates/policyreports.yaml \;
+
           set +e
           git diff --exit-code --no-patch charts/kubewarden-crds
           echo "must_update_crds_chart=$?" >> $GITHUB_OUTPUT
@@ -151,7 +178,7 @@ jobs:
             let repository_split = context.payload.client_payload.repository.split("/")
             let owner = repository_split[0]
             const version = context.payload.client_payload.version
-            let repos = ['kubewarden-controller', 'policy-server', 'kwctl']
+            let repos = ['kubewarden-controller', 'policy-server', 'kwctl', 'audit-scanner']
 
             for (const repo of repos) {
               try {
@@ -162,7 +189,7 @@ jobs:
             }
 
       - name: Check if CRD are available in the Kubewarden controller
-        id: download_crds
+        id: download_crds_controller
         uses: actions/github-script@v6
         with:
           script: |
@@ -196,24 +223,69 @@ jobs:
                               accept: "application/octet-stream"},
               })
               let fs = require('fs');
-              fs.writeFileSync("/tmp/crds.tar.gz", Buffer.from(asset.data))
+              fs.writeFileSync("/tmp/crds-controller.tar.gz", Buffer.from(asset.data))
               console.log(`${crds_tarball} downloaded successfully`)
             } else {
               core.warning(`Aborting chart update: no ${crds_tarball} found. This is expected if the release process in the controller repository is still running. Otherwise, check why the release in the controller does not contains the CRDs tarball`)
               core.setFailed("No CRDs tarball found")
             }
 
+      - name: Check if CRD are available in the audit scanner
+        id: download_crds_audit_scanner
+        uses: actions/github-script@v6
+        with:
+          script: |
+            let repository_split = context.payload.client_payload.repository.split("/")
+            let owner = repository_split[0]
+            let repository = repository_split[1]
+            let crds_asset_id = null
+            const audit_scanner_repo = "audit-scanner"
+            const version = context.payload.client_payload.version
+            const crds_tarball = "CRDS.tar.gz"
+
+            if (repository === audit_scanner_repo) {
+              crds_asset_id = context.payload.client_payload.crds_asset_id
+            } else {
+              crds_asset_id = await github.rest.repos.getReleaseByTag({owner: owner, repo:  audit_scanner_repo, tag: version,}).then((response) => {
+                  for (const file of response.data.assets) {
+                    if (file.name == crds_tarball) {
+                      return file.id;
+                    }
+                  }
+                  return null;
+              }, (failedResponse) => {
+                      consolog.log("FAILED")
+                      return null;
+              });
+            }
+            console.log(`Fetching asset ID: ${crds_asset_id}`)
+            if (typeof(crds_asset_id) === "number") {
+              let asset = await github.rest.repos.getReleaseAsset({
+                      owner: owner, repo: controller_repo, asset_id: crds_asset_id, headers:{
+                              accept: "application/octet-stream"},
+              })
+              let fs = require('fs');
+              fs.writeFileSync("/tmp/crds-audit-scanner.tar.gz", Buffer.from(asset.data))
+              console.log(`${crds_tarball} downloaded successfully`)
+            } else {
+              core.warning(`Aborting chart update: no ${crds_tarball} found. This is expected if the release process in the audit-scanner repository is still running. Otherwise, check why the release does not contains the CRDs tarball`)
+              core.setFailed("No CRDs tarball found")
+            }
+
       - name: Update CRDS
         id: update_crds
         run: |
-          # The next commands are use in the updatecli/scripts/install_crds.sh as well.
+          # The next commands are used in the updatecli/scripts/install_crds.sh as well.
           # Here the commands are used to detect CRDs changes. In the script they are used
           # to install the CRDs
-          tar -xvf /tmp/crds.tar.gz
+          tar -xvf /tmp/crds-controller.tar.gz
           find . -maxdepth 1 -name "*_policyserver*" -exec  mv \{\} charts/kubewarden-crds/templates/policyservers.yaml \;
           find . -maxdepth 1 -name "*_admissionpolicies*" -exec  mv \{\} charts/kubewarden-crds/templates/admissionpolicies.yaml \;
           find . -maxdepth 1 -name "*_clusteradmissionpolicies*" -exec  mv \{\} charts/kubewarden-crds/templates/clusteradmissionpolicies.yaml \;
 
+          tar -xvf /tmp/crds-audit-scanner.tar.gz
+          find . -maxdepth 1 -name "*_clusterpolicyreports*" -exec  mv \{\} charts/kubewarden-crds/templates/clusterpolicyreports.yaml \;
+          find . -maxdepth 1 -name "*_policyreports*" -exec  mv \{\} charts/kubewarden-crds/templates/policyreports.yaml \;
 
           set +e
           git diff --exit-code --no-patch charts/kubewarden-crds

@@ -2,6 +2,8 @@ SHELL:=bash
 
 .PHONY: generate-values
 generate-values:
+# build values.yaml for each chart, from the common-values.yaml and their specific
+# chart-values.yaml
 	@echo "# This file was autogenerated." > charts/kubewarden-crds/values.yaml
 	@echo >> charts/kubewarden-crds/values.yaml
 	@cat charts/kubewarden-crds/chart-values.yaml >> charts/kubewarden-crds/values.yaml

@@ -21,3 +21,6 @@
 .idea/
 *.tmproj
 .vscode/
+
+# dev files
+chart-values.yaml
@@ -21,3 +21,6 @@
 .idea/
 *.tmproj
 .vscode/
+
+# dev files
+chart-values.yaml
@@ -21,3 +21,6 @@
 .idea/
 *.tmproj
 .vscode/
+
+# dev files
+chart-values.yaml
@@ -6,6 +6,8 @@ metadata:
     {{- include "kubewarden-defaults.labels" . | nindent 4 }}
     app.kubernetes.io/component: policy
   annotations:
+    io.kubewarden.policy.severity: medium
+    io.kubewarden.policy.category: PSP
     {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
   name: {{ $.Values.recommendedPolicies.allowPrivilegeEscalationPolicy.name }}
 spec:

@@ -6,6 +6,8 @@ metadata:
     {{- include "kubewarden-defaults.labels" . | nindent 4 }}
     app.kubernetes.io/component: policy
   annotations:
+    io.kubewarden.policy.category: PSP
+    io.kubewarden.policy.severity: medium
     {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
   name: {{ $.Values.recommendedPolicies.capabilitiesPolicy.name }}
 spec:

@@ -6,6 +6,8 @@ metadata:
     {{- include "kubewarden-defaults.labels" . | nindent 4 }}
     app.kubernetes.io/component: policy
   annotations:
+    io.kubewarden.policy.category: PSP
+    io.kubewarden.policy.severity: medium
     {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
   name: {{ $.Values.recommendedPolicies.hostNamespacePolicy.name }}
 spec:

@@ -6,6 +6,8 @@ metadata:
     {{- include "kubewarden-defaults.labels" . | nindent 4 }}
     app.kubernetes.io/component: policy
   annotations:
+    io.kubewarden.policy.category: PSP
+    io.kubewarden.policy.severity: medium
     {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
   name: {{ $.Values.recommendedPolicies.hostPathsPolicy.name }}
 spec:

@@ -6,6 +6,8 @@ metadata:
     {{- include "kubewarden-defaults.labels" . | nindent 4 }}
     app.kubernetes.io/component: policy
   annotations:
+    io.kubewarden.policy.category: PSP
+    io.kubewarden.policy.severity: medium
     {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
   name: {{ $.Values.recommendedPolicies.podPrivilegedPolicy.name }}
 spec:

@@ -6,6 +6,8 @@ metadata:
     {{- include "kubewarden-defaults.labels" . | nindent 4 }}
     app.kubernetes.io/component: policy
   annotations:
+    io.kubewarden.policy.category: PSP
+    io.kubewarden.policy.severity: medium
     {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
   name: {{ $.Values.recommendedPolicies.userGroupPolicy.name }}
 spec:

@@ -1,9 +1,13 @@
 #!/bin/bash
 
-tar -xf /tmp/crds.tar.gz
+tar -xf /tmp/crds-controller.tar.gz
 find . -maxdepth 1 -name "*_policyserver*" -exec  mv \{\} /tmp/helm-charts/charts/kubewarden-crds/templates/policyservers.yaml \;
 find . -maxdepth 1 -name "*_admissionpolicies*" -exec  mv \{\} /tmp/helm-charts/charts/kubewarden-crds/templates/admissionpolicies.yaml \;
 find . -maxdepth 1 -name "*_clusteradmissionpolicies*" -exec  mv \{\} /tmp/helm-charts/charts/kubewarden-crds/templates/clusteradmissionpolicies.yaml \;
 
-# updatecli expects something in the stdout when a change happen.
+tar -xvf /tmp/crds-audit-scanner.tar.gz
+find . -maxdepth 1 -name "*_clusterpolicyreports*" -exec  mv \{\} charts/kubewarden-crds/templates/clusterpolicyreports.yaml \;
+find . -maxdepth 1 -name "*_policyreports*" -exec  mv \{\} charts/kubewarden-crds/templates/policyreports.yaml \;
+
+# updatecli expects something in stdout when a change happened.
 echo "Changed!"
@@ -49,18 +49,30 @@ sources:
       file: "file://charts/kubewarden-controller/Chart.yaml"
       key: "version"
 
-  controllerChartValuesFile:
+  controllerImageChartValuesFile:
     kind: yaml
     spec:
       file: "charts/kubewarden-controller/chart-values.yaml"
       key: "image.tag"
 
-  controllerValuesFile:
+  controllerImageValuesFile:
     kind: yaml
     spec:
       file: "charts/kubewarden-controller/values.yaml"
       key: "image.tag"
 
+  auditScannerImageChartValuesFile:
+    kind: yaml
+    spec:
+      file: "charts/kubewarden-controller/chart-values.yaml"
+      key: "auditScanner.image.tag"
+
+  auditScannerImageValuesFile:
+    kind: yaml
+    spec:
+      file: "charts/kubewarden-controller/values.yaml"
+      key: "auditScanner.image.tag"
+
   crdChartVersion:
     kind: yaml
     transformers:
@@ -80,7 +92,7 @@ sources:
 
 
 conditions:
-  # All the major 3 components must have the same tag
+  # All the major components must have the same tag
   kwctlTag:
     name: Test if kwctl has the required tag
     disablesourceinput: true
@@ -108,6 +120,15 @@ conditions:
       versionfilter:
         kind: "semver"
         pattern: '{{ requiredEnv .releaseVersion }}'
+  auditScannerTag:
+    name: Test if audit-scanner has the required tag
+    disablesourceinput: true
+    kind: gittag
+    scmid: auditScannerGit
+    spec:
+      versionfilter:
+        kind: "semver"
+        pattern: '{{ requiredEnv .releaseVersion }}'
 
 targets:
   installCRD:
@@ -217,26 +238,46 @@ targets:
       value: 'kubewarden-crds={{ source "crdChartVersion" }}'
 
 
-  controllerUpdateChartValuesFile:
+  controllerImageUpdateChartValuesFile:
     name: "Update container image in the chart-values.yaml file"
     kind: yaml
-    sourceid: defaultChartValuesFile
+    sourceid: controllerImageChartValuesFile
     scmid: "default"
     spec:
       file: "charts/kubewarden-controller/chart-values.yaml"
       key: 'image.tag'
       value: '{{ requiredEnv .releaseVersion }}'
 
-  controllerUpdateValuesFile:
+  controllerImageUpdateValuesFile:
     kind: yaml
     name: "Update container image in the values.yaml file"
-    sourceid: controllerValuesFile
+    sourceid: controllerImageValuesFile
     scmid: "default"
     spec:
       file: "charts/kubewarden-controller/values.yaml"
       key: 'image.tag'
       value: '{{ requiredEnv .releaseVersion }}'
 
+  auditScannerImageUpdateChartValuesFile:
+    name: "Update container image in the chart-values.yaml file"
+    kind: yaml
+    sourceid: auditScannerImageChartValuesFile
+    scmid: "default"
+    spec:
+      file: "charts/kubewarden-controller/chart-values.yaml"
+      key: 'auditScanner.image.tag'
+      value: '{{ requiredEnv .releaseVersion }}'
+
+  auditScannerImageUpdateValuesFile:
+    kind: yaml
+    name: "Update container image in the values.yaml file"
+    sourceid: auditScannerImageValuesFile
+    scmid: "default"
+    spec:
+      file: "charts/kubewarden-controller/values.yaml"
+      key: 'auditScanner.image.tag'
+      value: '{{ requiredEnv .releaseVersion }}'
+
   controllerChartAppVersionUpdate:
     name: Bump controller chart app version
     kind: yaml
@@ -314,3 +355,8 @@ scms:
     spec:
         url: "https://github.com/{{ requiredEnv .github.user }}/policy-server.git"
         branch: "main"
+  auditScannerGit:
+    kind: "git"
+    spec:
+        url: "https://github.com/{{ requiredEnv .github.user }}/audit-scanner.git"
+        branch: "main"