Scanners Integration (#18)

* Research scanning * Move files around * Reports the list * Scanner happens * Commit * Work on alternative * refactorings * Progress * Save the state * Commit * Display trivy Results * Checkov also reports * Better display * Correct trivy numbers * Scan pre-install manifest * Readme items * Static checks
2026-03-26 06:18:04 +00:00 · 2022-10-17 13:41:08 +01:00
parent 5cae4b5adf
commit f86a4a93a7
22 changed files with 995 additions and 439 deletions
--- a/pkg/dashboard/subproc/data.go
+++ b/pkg/dashboard/subproc/data.go
@@ -0,0 +1,404 @@
+package subproc
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"github.com/hexops/gotextdiff"
+	"github.com/hexops/gotextdiff/myers"
+	"github.com/hexops/gotextdiff/span"
+	"github.com/komodorio/helm-dashboard/pkg/dashboard/utils"
+	log "github.com/sirupsen/logrus"
+	"gopkg.in/yaml.v3"
+	"helm.sh/helm/v3/pkg/release"
+	v1 "k8s.io/apimachinery/pkg/apis/testapigroup/v1"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+)
+
+type DataLayer struct {
+	KubeContext string
+	Helm        string
+	Kubectl     string
+	Scanners    []Scanner
+}
+
+func (d *DataLayer) runCommand(cmd ...string) (string, error) {
+	log.Debugf("Starting command: %s", cmd)
+
+	return utils.RunCommand(cmd, map[string]string{"HELM_KUBECONTEXT": d.KubeContext})
+}
+
+func (d *DataLayer) runCommandHelm(cmd ...string) (string, error) {
+	if d.Helm == "" {
+		d.Helm = "helm"
+	}
+
+	cmd = append([]string{d.Helm}, cmd...)
+	if d.KubeContext != "" {
+		cmd = append(cmd, "--kube-context", d.KubeContext)
+	}
+
+	return d.runCommand(cmd...)
+}
+
+func (d *DataLayer) runCommandKubectl(cmd ...string) (string, error) {
+	// TODO: migrate into using kubectl "k8s.io/kubectl/pkg/cmd" and kube API
+	if d.Kubectl == "" {
+		d.Kubectl = "kubectl"
+	}
+
+	cmd = append([]string{d.Kubectl}, cmd...)
+
+	if d.KubeContext != "" {
+		cmd = append(cmd, "--context", d.KubeContext)
+	}
+
+	return d.runCommand(cmd...)
+}
+
+func (d *DataLayer) CheckConnectivity() error {
+	contexts, err := d.ListContexts()
+	if err != nil {
+		return err
+	}
+
+	if len(contexts) < 1 {
+		return errors.New("did not find any kubectl contexts configured")
+	}
+
+	_, err = d.runCommandHelm("--help") // no point in doing is, since the default context may be invalid
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+type KubeContext struct {
+	IsCurrent bool
+	Name      string
+	Cluster   string
+	AuthInfo  string
+	Namespace string
+}
+
+func (d *DataLayer) ListContexts() (res []KubeContext, err error) {
+	out, err := d.runCommandKubectl("config", "get-contexts")
+	if err != nil {
+		return nil, err
+	}
+
+	// kubectl has no JSON output for it, we'll have to do custom text parsing
+	lines := strings.Split(out, "\n")
+
+	// find field positions
+	fields := regexp.MustCompile(`(\w+\s+)`).FindAllString(lines[0], -1)
+	cur := len(fields[0])
+	name := cur + len(fields[1])
+	cluster := name + len(fields[2])
+	auth := cluster + len(fields[3])
+
+	// read items
+	for _, line := range lines[1:] {
+		if strings.TrimSpace(line) == "" {
+			continue
+		}
+
+		res = append(res, KubeContext{
+			IsCurrent: strings.TrimSpace(line[0:cur]) == "*",
+			Name:      strings.TrimSpace(line[cur:name]),
+			Cluster:   strings.TrimSpace(line[name:cluster]),
+			AuthInfo:  strings.TrimSpace(line[cluster:auth]),
+			Namespace: strings.TrimSpace(line[auth:]),
+		})
+	}
+
+	return res, nil
+}
+
+func (d *DataLayer) ListInstalled() (res []ReleaseElement, err error) {
+	out, err := d.runCommandHelm("ls", "--all", "--all-namespaces", "--output", "json", "--time-format", time.RFC3339)
+	if err != nil {
+		return nil, err
+	}
+
+	err = json.Unmarshal([]byte(out), &res)
+	if err != nil {
+		return nil, err
+	}
+	return res, nil
+}
+
+func (d *DataLayer) ChartHistory(namespace string, chartName string) (res []*HistoryElement, err error) {
+	// TODO: there is `max` but there is no `offset`
+	out, err := d.runCommandHelm("history", chartName, "--namespace", namespace, "--output", "json", "--max", "18")
+	if err != nil {
+		return nil, err
+	}
+
+	err = json.Unmarshal([]byte(out), &res)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, elm := range res {
+		chartRepoName, curVer, err := utils.ChartAndVersion(elm.Chart)
+		if err != nil {
+			return nil, err
+		}
+		elm.ChartName = chartRepoName
+		elm.ChartVer = curVer
+		elm.Updated.Time = elm.Updated.Time.Round(time.Second)
+	}
+
+	return res, nil
+}
+
+func (d *DataLayer) ChartRepoVersions(chartName string) (res []RepoChartElement, err error) {
+	cmd := []string{"search", "repo", "--regexp", "/" + chartName + "\v", "--versions", "--output", "json"}
+	out, err := d.runCommandHelm(cmd...)
+	if err != nil {
+		return nil, err
+	}
+
+	err = json.Unmarshal([]byte(out), &res)
+	if err != nil {
+		return nil, err
+	}
+	return res, nil
+}
+
+type SectionFn = func(string, string, int, bool) (string, error) // TODO: rework it into struct-based argument?
+
+func (d *DataLayer) RevisionManifests(namespace string, chartName string, revision int, _ bool) (res string, err error) {
+	cmd := []string{"get", "manifest", chartName, "--namespace", namespace}
+	if revision > 0 {
+		cmd = append(cmd, "--revision", strconv.Itoa(revision))
+	}
+
+	out, err := d.runCommandHelm(cmd...)
+	if err != nil {
+		return "", err
+	}
+	return out, nil
+}
+
+func (d *DataLayer) RevisionManifestsParsed(namespace string, chartName string, revision int) ([]*v1.Carp, error) {
+	out, err := d.RevisionManifests(namespace, chartName, revision, false)
+	if err != nil {
+		return nil, err
+	}
+
+	dec := yaml.NewDecoder(bytes.NewReader([]byte(out)))
+
+	res := make([]*v1.Carp, 0)
+	var tmp interface{}
+	for dec.Decode(&tmp) == nil {
+		// k8s libs uses only JSON tags defined, say hello to https://github.com/go-yaml/yaml/issues/424
+		// bug we can juggle it
+		jsoned, err := json.Marshal(tmp)
+		if err != nil {
+			return nil, err
+		}
+
+		var doc v1.Carp
+		err = json.Unmarshal(jsoned, &doc)
+		if err != nil {
+			return nil, err
+		}
+
+		if doc.Kind == "" {
+			log.Warnf("Manifest piece is not k8s resource: %s", jsoned)
+			continue
+		}
+
+		res = append(res, &doc)
+	}
+
+	return res, nil
+}
+
+func (d *DataLayer) RevisionNotes(namespace string, chartName string, revision int, _ bool) (res string, err error) {
+	out, err := d.runCommandHelm("get", "notes", chartName, "--namespace", namespace, "--revision", strconv.Itoa(revision))
+	if err != nil {
+		return "", err
+	}
+	return out, nil
+}
+
+func (d *DataLayer) RevisionValues(namespace string, chartName string, revision int, onlyUserDefined bool) (res string, err error) {
+	cmd := []string{"get", "values", chartName, "--namespace", namespace, "--output", "yaml"}
+
+	if revision > 0 {
+		cmd = append(cmd, "--revision", strconv.Itoa(revision))
+	}
+
+	if !onlyUserDefined {
+		cmd = append(cmd, "--all")
+	}
+	out, err := d.runCommandHelm(cmd...)
+	if err != nil {
+		return "", err
+	}
+	return out, nil
+}
+
+func (d *DataLayer) GetResource(namespace string, def *v1.Carp) (*v1.Carp, error) {
+	out, err := d.runCommandKubectl("get", strings.ToLower(def.Kind), def.Name, "--namespace", namespace, "--output", "json")
+	if err != nil {
+		if strings.HasSuffix(strings.TrimSpace(err.Error()), " not found") {
+			return &v1.Carp{
+				Status: v1.CarpStatus{
+					Phase:   "NotFound",
+					Message: err.Error(),
+					Reason:  "not found",
+				},
+			}, nil
+		} else {
+			return nil, err
+		}
+	}
+
+	var res v1.Carp
+	err = json.Unmarshal([]byte(out), &res)
+	if err != nil {
+		return nil, err
+	}
+
+	sort.Slice(res.Status.Conditions, func(i, j int) bool {
+		// some condition types always bubble up
+		if res.Status.Conditions[i].Type == "Available" {
+			return false
+		}
+
+		if res.Status.Conditions[j].Type == "Available" {
+			return true
+		}
+
+		t1 := res.Status.Conditions[i].LastTransitionTime
+		t2 := res.Status.Conditions[j].LastTransitionTime
+		return t1.Time.Before(t2.Time)
+	})
+
+	return &res, nil
+}
+
+func (d *DataLayer) GetResourceYAML(namespace string, def *v1.Carp) (string, error) {
+	out, err := d.runCommandKubectl("get", strings.ToLower(def.Kind), def.Name, "--namespace", namespace, "--output", "yaml")
+	if err != nil {
+		return "", err
+	}
+
+	return out, nil
+}
+
+func (d *DataLayer) DescribeResource(namespace string, kind string, name string) (string, error) {
+	out, err := d.runCommandKubectl("describe", strings.ToLower(kind), name, "--namespace", namespace)
+	if err != nil {
+		return "", err
+	}
+	return out, nil
+}
+
+func (d *DataLayer) UninstallChart(namespace string, name string) error {
+	_, err := d.runCommandHelm("uninstall", name, "--namespace", namespace)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (d *DataLayer) Revert(namespace string, name string, rev int) error {
+	_, err := d.runCommandHelm("rollback", name, strconv.Itoa(rev), "--namespace", namespace)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (d *DataLayer) ChartRepoUpdate(name string) error {
+	cmd := []string{"repo", "update"}
+	if name != "" {
+		cmd = append(cmd, name)
+	}
+
+	_, err := d.runCommandHelm(cmd...)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (d *DataLayer) ChartUpgrade(namespace string, name string, repoChart string, version string, justTemplate bool, values string) (string, error) {
+	if values == "" {
+		oldVals, err := d.RevisionValues(namespace, name, 0, true)
+		if err != nil {
+			return "", err
+		}
+		values = oldVals
+	}
+
+	oldValsFile, close1, err := utils.TempFile(values)
+	defer close1()
+	if err != nil {
+		return "", err
+	}
+
+	cmd := []string{"upgrade", name, repoChart, "--version", version, "--namespace", namespace, "--values", oldValsFile, "--output", "json"}
+	if justTemplate {
+		cmd = append(cmd, "--dry-run")
+	}
+
+	out, err := d.runCommandHelm(cmd...)
+	if err != nil {
+		return "", err
+	}
+	res := release.Release{}
+	err = json.Unmarshal([]byte(out), &res)
+	if err != nil {
+		return "", err
+	}
+	if justTemplate {
+		out = strings.TrimSpace(res.Manifest)
+	}
+
+	return out, nil
+}
+
+func (d *DataLayer) ShowValues(chart string, ver string) (string, error) {
+	return d.runCommandHelm("show", "values", chart, "--version", ver)
+}
+
+func RevisionDiff(functor SectionFn, ext string, namespace string, name string, revision1 int, revision2 int, flag bool) (string, error) {
+	if revision1 == 0 || revision2 == 0 {
+		log.Debugf("One of revisions is zero: %d %d", revision1, revision2)
+		return "", nil
+	}
+
+	manifest1, err := functor(namespace, name, revision1, flag)
+	if err != nil {
+		return "", err
+	}
+
+	manifest2, err := functor(namespace, name, revision2, flag)
+	if err != nil {
+		return "", err
+	}
+
+	diff := GetDiff(manifest1, manifest2, strconv.Itoa(revision1)+ext, strconv.Itoa(revision2)+ext)
+	return diff, nil
+}
+
+func GetDiff(text1 string, text2 string, name1 string, name2 string) string {
+	edits := myers.ComputeEdits(span.URIFromPath(""), text1, text2)
+	unified := gotextdiff.ToUnified(name1, name2, text1, edits)
+	diff := fmt.Sprint(unified)
+	log.Debugf("The diff is: %s", diff)
+	return diff
+}
--- a/pkg/dashboard/subproc/data_test.go
+++ b/pkg/dashboard/subproc/data_test.go
@@ -0,0 +1,88 @@
+package subproc
+
+import (
+	"github.com/komodorio/helm-dashboard/pkg/dashboard/utils"
+	log "github.com/sirupsen/logrus"
+	"helm.sh/helm/v3/pkg/release"
+	v1 "k8s.io/apimachinery/pkg/apis/testapigroup/v1"
+	"sync"
+	"testing"
+)
+
+func TestFlow(t *testing.T) {
+	log.SetLevel(log.DebugLevel)
+
+	var _ release.Status
+	data := DataLayer{}
+	err := data.CheckConnectivity()
+	if err != nil {
+		if err.Error() == "did not find any kubectl contexts configured" {
+			t.Skip()
+		} else {
+			t.Fatal(err)
+		}
+	}
+
+	ctxses, err := data.ListContexts()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, ctx := range ctxses {
+		if ctx.IsCurrent {
+			data.KubeContext = ctx.Name
+		}
+	}
+
+	installed, err := data.ListInstalled()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	chart := installed[1]
+	history, err := data.ChartHistory(chart.Namespace, chart.Name)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_ = history
+
+	chartRepoName, curVer, err := utils.ChartAndVersion(chart.Chart)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_ = curVer
+
+	upgrade, err := data.ChartRepoVersions(chartRepoName)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_ = upgrade
+
+	manifests, err := data.RevisionManifestsParsed(chart.Namespace, chart.Name, history[len(history)-1].Revision)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_ = manifests
+
+	var wg sync.WaitGroup
+	res := make([]*v1.Carp, 0)
+	for _, m := range manifests {
+		wg.Add(1)
+		mc := m // fix the clojure
+		func() {
+			defer wg.Done()
+			lst, err := data.GetResource(chart.Namespace, mc)
+			if err != nil {
+				t.Fatal(err)
+			}
+			res = append(res, lst)
+		}()
+	}
+	wg.Wait()
+
+	diff, err := RevisionDiff(data.RevisionManifests, ".yaml", chart.Namespace, chart.Name, history[len(history)-1].Revision, history[len(history)-2].Revision, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_ = diff
+}
--- a/pkg/dashboard/subproc/helmTypes.go
+++ b/pkg/dashboard/subproc/helmTypes.go
@@ -0,0 +1,35 @@
+package subproc
+
+import (
+	"helm.sh/helm/v3/pkg/release"
+	helmtime "helm.sh/helm/v3/pkg/time"
+)
+
+// unpleasant copy from Helm sources, where they have it non-public
+type ReleaseElement struct {
+	Name       string         `json:"name"`
+	Namespace  string         `json:"namespace"`
+	Revision   string         `json:"revision"`
+	Updated    helmtime.Time  `json:"updated"`
+	Status     release.Status `json:"status"`
+	Chart      string         `json:"chart"`
+	AppVersion string         `json:"app_version"`
+}
+
+type HistoryElement struct {
+	Revision    int            `json:"revision"`
+	Updated     helmtime.Time  `json:"updated"`
+	Status      release.Status `json:"status"`
+	Chart       string         `json:"chart"`
+	AppVersion  string         `json:"app_version"`
+	Description string         `json:"description"`
+	ChartName   string         `json:"chart_name"`
+	ChartVer    string         `json:"chart_ver"`
+}
+
+type RepoChartElement struct {
+	Name        string `json:"name"`
+	Version     string `json:"version"`
+	AppVersion  string `json:"app_version"`
+	Description string `json:"description"`
+}
--- a/pkg/dashboard/subproc/scan.go
+++ b/pkg/dashboard/subproc/scan.go
@@ -0,0 +1,15 @@
+package subproc
+
+type Scanner interface {
+	Name() string                                                           // returns string label for the scanner
+	Test() bool                                                             // test if the scanner is available
+	ScanManifests(mnf string) (*ScanResults, error)                         // run the scanner on manifests
+	ScanResource(ns string, kind string, name string) (*ScanResults, error) // run the scanner on k8s resource
+}
+
+type ScanResults struct {
+	PassedCount int
+	FailedCount int
+	OrigReport  interface{}
+	Error       error
+}