Merge pull request #1443 from snyk/staging

KatieArmstr · web-flow · commit 3b2dcca2f894 · 2024-01-15T14:35:22.000Z
RELEASE
diff --git a/src/index.ts b/src/index.ts
@@ -77,12 +77,7 @@ async function setupSysdigIntegration(): Promise<void> {
     ) &&
     !(config.SYSDIG_ENDPOINT && config.SYSDIG_TOKEN)
   ) {
-    console.log(
-      config.SYSDIG_REGION_URL,
-      config.SYSDIG_RISK_SPOTLIGHT_TOKEN,
-      config.SYSDIG_CLUSTER_NAME,
-    );
-    console.log('Sysdig integration not enabled');
+    logger.info({}, 'Sysdig integration not enabled');
     return;
   }
 
diff --git a/src/supervisor/watchers/handlers/argo-rollout.ts b/src/supervisor/watchers/handlers/argo-rollout.ts
@@ -101,13 +101,46 @@ export async function paginatedClusterArgoRolloutList(): Promise<{
 export async function argoRolloutWatchHandler(
   rollout: V1alpha1Rollout,
 ): Promise<void> {
+  if (rollout.spec?.workloadRef && rollout.metadata?.namespace) {
+    // Attempt to load workloadRef if a template is not directly defined
+    const workloadName = rollout.spec.workloadRef.name;
+    const namespace = rollout.metadata.namespace;
+    switch (rollout.spec.workloadRef.kind) {
+      // Perform lookup for known supported kinds: https://github.com/argoproj/argo-rollouts/blob/master/rollout/templateref.go#L40-L52
+      case 'Deployment': {
+        const deployResult = await retryKubernetesApiRequest(() =>
+          k8sApi.appsClient.readNamespacedDeployment(workloadName, namespace),
+        );
+        rollout.spec.template = deployResult.body.spec?.template;
+        break;
+      }
+      case 'ReplicaSet': {
+        const replicaSetResult = await retryKubernetesApiRequest(() =>
+          k8sApi.appsClient.readNamespacedReplicaSet(workloadName, namespace),
+        );
+        rollout.spec.template = replicaSetResult.body.spec?.template;
+        break;
+      }
+      case 'PodTemplate': {
+        const podTemplateResult = await retryKubernetesApiRequest(() =>
+          k8sApi.coreClient.readNamespacedPodTemplate(workloadName, namespace),
+        );
+        rollout.spec.template = podTemplateResult.body.template;
+        break;
+      }
+      default:
+        logger.debug(
+          { workloadKind: WorkloadKind.ArgoRollout },
+          'Unsupported workloadRef kind specified',
+        );
+    }
+  }
   rollout = trimWorkload(rollout);
 
   if (
     !rollout.metadata ||
-    !rollout.spec ||
-    !rollout.spec.template.metadata ||
-    !rollout.spec.template.spec ||
+    !rollout.spec?.template?.metadata ||
+    !rollout.spec?.template?.spec ||
     !rollout.status
   ) {
     return;
diff --git a/src/supervisor/watchers/handlers/types.ts b/src/supervisor/watchers/handlers/types.ts
@@ -85,13 +85,20 @@ export interface V1alpha1Rollout extends KubernetesObject {
 }
 
 export interface V1alpha1RolloutSpec {
-  template: V1PodTemplateSpec;
+  template?: V1PodTemplateSpec;
+  workloadRef?: V1alpha1RolloutWorkloadRef;
 }
 
 export interface V1alpha1RolloutStatus {
   observedGeneration?: number;
 }
 
+export interface V1alpha1RolloutWorkloadRef {
+  apiVersion: string;
+  kind: string;
+  name: string;
+}
+
 export type V1ClusterList<T> = (
   allowWatchBookmarks?: boolean,
   _continue?: string,
diff --git a/src/supervisor/workload-reader.ts b/src/supervisor/workload-reader.ts
@@ -338,11 +338,21 @@ const argoRolloutReader: IWorkloadReaderFunc = async (
   );
   const rollout: V1alpha1Rollout = trimWorkload(rolloutResult.body);
 
+  if (rollout.spec?.workloadRef && rollout.metadata?.namespace) {
+    // Lookup child template metadata when a workloadRef is defined
+    const workloadReader = getWorkloadReader(rollout.spec.workloadRef.kind);
+    const workloadMetadata = await workloadReader(
+      rollout.spec.workloadRef.name,
+      rollout.metadata.namespace,
+    );
+    rollout.spec.template = {
+      metadata: workloadMetadata?.specMeta,
+    };
+  }
+
   if (
     !rollout.metadata ||
-    !rollout.spec ||
-    !rollout.spec.template.metadata ||
-    !rollout.spec.template.spec ||
+    !rollout.spec?.template?.metadata ||
     !rollout.status
   ) {
     logIncompleteWorkload(workloadName, namespace);
diff --git a/test/fixtures/argo-rollout.yaml b/test/fixtures/argo-rollout.yaml
@@ -31,3 +31,53 @@ spec:
             requests:
               memory: 32Mi
               cpu: 5m
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Rollout
+metadata:
+  name: argo-rollout-workload-ref
+  namespace: services
+spec:
+  replicas: 1
+  strategy:
+    canary:
+      steps:
+        - setWeight: 100
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: rollouts-workload-demo
+  workloadRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: argo-rollout-workload-deployment
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argo-rollout-workload-deployment
+  namespace: services
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: rollouts-workload-demo
+  template:
+    metadata:
+      labels:
+        app: rollouts-workload-demo
+    spec:
+      imagePullSecrets:
+        - name: docker-io
+      containers:
+        - name: rollouts-workload-demo
+          image: argoproj/rollouts-demo:blue
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          resources:
+            requests:
+              memory: 32Mi
+              cpu: 5m
diff --git a/test/integration/kubernetes.spec.ts b/test/integration/kubernetes.spec.ts
@@ -299,6 +299,22 @@ test('snyk-monitor sends data to kubernetes-upstream', async () => {
       },
       expect.any(Object),
     ]);
+
+    const scanResultsArgoRolloutWorkloadRef = await getUpstreamResponseBody(
+      `api/v1/scan-results/${integrationId}/${clusterName}/services/Rollout/argo-rollout-workload-ref`,
+    );
+    expect(
+      scanResultsArgoRolloutWorkloadRef.workloadScanResults[
+        'argoproj/rollouts-demo'
+      ],
+    ).toEqual<ScanResult[]>([
+      {
+        identity: { type: 'linux', args: { platform: 'linux/amd64' } },
+        facts: expect.any(Array),
+        target: { image: 'docker-image|argoproj/rollouts-demo' },
+      },
+      expect.any(Object),
+    ]);
   }
 });
 
diff --git a/test/unit/supervisor/workload-reader.spec.ts b/test/unit/supervisor/workload-reader.spec.ts
@@ -15,6 +15,7 @@ describe('workload reader tests', () => {
     expect(
       SupportedWorkloadTypes.indexOf('ReplicationController') > -1,
     ).toEqual(true);
+    expect(SupportedWorkloadTypes.indexOf('Rollout') > -1).toEqual(true);
   });
 
   test.concurrent('getSupportedWorkload()', async () => {

Original file line number	Diff line number	Diff line change
`@@ -85,13 +85,20 @@ export interface V1alpha1Rollout extends KubernetesObject {`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`export interface V1alpha1RolloutSpec {`
`88`		`- template: V1PodTemplateSpec;`
	`88`	`+ template?: V1PodTemplateSpec;`
	`89`	`+ workloadRef?: V1alpha1RolloutWorkloadRef;`
`89`	`90`	`}`
`90`	`91`
`91`	`92`	`export interface V1alpha1RolloutStatus {`
`92`	`93`	`observedGeneration?: number;`
`93`	`94`	`}`
`94`	`95`
	`96`	`+export interface V1alpha1RolloutWorkloadRef {`
	`97`	`+ apiVersion: string;`
	`98`	`+ kind: string;`
	`99`	`+ name: string;`
	`100`	`+}`
	`101`	`+`
`95`	`102`	`export type V1ClusterList<T> = (`
`96`	`103`	`allowWatchBookmarks?: boolean,`
`97`	`104`	`_continue?: string,`