snyk
diff --git a/‎snyk-monitor-cluster-permissions.yaml‎
Lines changed: 8 additions & 0 deletions b/‎snyk-monitor-cluster-permissions.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎snyk-monitor-namespaced-permissions.yaml‎
Lines changed: 8 additions & 0 deletions b/‎snyk-monitor-namespaced-permissions.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎snyk-monitor/templates/clusterrole.yaml‎
Lines changed: 8 additions & 0 deletions b/‎snyk-monitor/templates/clusterrole.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎snyk-monitor/templates/role.yaml‎
Lines changed: 8 additions & 0 deletions b/‎snyk-monitor/templates/role.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/supervisor/types.ts‎
Lines changed: 1 addition & 0 deletions b/‎src/supervisor/types.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/supervisor/watchers/handlers/argo-rollout.ts‎
Lines changed: 223 additions & 0 deletions b/‎src/supervisor/watchers/handlers/argo-rollout.ts‎
Lines changed: 223 additions & 0 deletions
diff --git a/‎src/supervisor/watchers/handlers/deployment-config.ts‎
Lines changed: 9 additions & 1 deletion b/‎src/supervisor/watchers/handlers/deployment-config.ts‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎src/supervisor/watchers/handlers/index.ts‎
Lines changed: 5 additions & 0 deletions b/‎src/supervisor/watchers/handlers/index.ts‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎src/supervisor/watchers/handlers/informer-config.ts‎
Lines changed: 12 additions & 0 deletions b/‎src/supervisor/watchers/handlers/informer-config.ts‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎src/supervisor/watchers/handlers/types.ts‎
Lines changed: 25 additions & 0 deletions b/‎src/supervisor/watchers/handlers/types.ts‎
Lines changed: 25 additions & 0 deletions
@@ -54,6 +54,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - rollouts
+  verbs:
+  - get
+  - list
+  - watch
 ---
 kind: ServiceAccount
 apiVersion: v1
 
@@ -46,6 +46,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - rollouts
+  verbs:
+  - get
+  - list
+  - watch
 ---
 kind: ServiceAccount
 apiVersion: v1
 
@@ -61,6 +61,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - rollouts
+  verbs:
+  - get
+  - list
+  - watch
 {{- if .Values.psp.enabled }}
 - apiGroups:
   - policy
 
@@ -61,6 +61,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - rollouts
+  verbs:
+  - get
+  - list
+  - watch
 {{- if .Values.psp.enabled }}
 - apiGroups:
   - policy
 
@@ -25,6 +25,7 @@ export enum WorkloadKind {
   ReplicationController = 'ReplicationController',
   Pod = 'Pod',
   DeploymentConfig = 'DeploymentConfig',
+  ArgoRollout = 'Rollout',
 }
 
 export interface IRequestError {
 
@@ -0,0 +1,223 @@
+import { IncomingMessage } from 'http';
+import { deleteWorkload } from './workload';
+import { WorkloadKind } from '../../types';
+import {
+  FALSY_WORKLOAD_NAME_MARKER,
+  V1alpha1Rollout,
+  V1alpha1RolloutList,
+} from './types';
+import { paginatedClusterList, paginatedNamespacedList } from './pagination';
+import { k8sApi } from '../../cluster';
+import {
+  deleteWorkloadAlreadyScanned,
+  deleteWorkloadImagesAlreadyScanned,
+  kubernetesObjectToWorkloadAlreadyScanned,
+} from '../../../state';
+import { retryKubernetesApiRequest } from '../../kuberenetes-api-wrappers';
+import { logger } from '../../../common/logger';
+import { deleteWorkloadFromScanQueue } from './queue';
+import { trimWorkload } from '../../workload-sanitization';
+
+export async function paginatedNamespacedArgoRolloutList(
+  namespace: string,
+): Promise<{
+  response: IncomingMessage;
+  body: V1alpha1RolloutList;
+}> {
+  const rolloutList = new V1alpha1RolloutList();
+  rolloutList.apiVersion = 'argoproj.io/v1alpha1';
+  rolloutList.kind = 'RolloutList';
+  rolloutList.items = new Array<V1alpha1Rollout>();
+
+  return await paginatedNamespacedList(
+    namespace,
+    rolloutList,
+    async (
+      namespace: string,
+      pretty?: string,
+      _allowWatchBookmarks?: boolean,
+      _continue?: string,
+      fieldSelector?: string,
+      labelSelector?: string,
+      limit?: number,
+    ) =>
+      k8sApi.customObjectsClient.listNamespacedCustomObject(
+        'argoproj.io',
+        'v1alpha1',
+        namespace,
+        'rollouts',
+        pretty,
+        _continue,
+        fieldSelector,
+        labelSelector,
+        limit,
+        /**
+         * The K8s client's listNamespacedCustomObject() doesn't allow to specify
+         * the type of the response body and returns the generic "object" type,
+         * but with how we declared our types we expect it to return a "KubernetesListObject" type.
+         *
+         * Not using "any" results in a similar error (highlighting the "body" property):
+         * Type 'Promise<{ response: IncomingMessage; ***body: object;*** }>' is not assignable to type
+         * 'Promise<{ response: IncomingMessage; ***body: KubernetesListObject<...>;*** }>'
+         */
+      ) as any,
+  );
+}
+
+export async function paginatedClusterArgoRolloutList(): Promise<{
+  response: IncomingMessage;
+  body: V1alpha1RolloutList;
+}> {
+  const rolloutList = new V1alpha1RolloutList();
+  rolloutList.apiVersion = 'argoproj.io/v1';
+  rolloutList.kind = 'RolloutList';
+  rolloutList.items = new Array<V1alpha1Rollout>();
+
+  return await paginatedClusterList(
+    rolloutList,
+    async (
+      _allowWatchBookmarks?: boolean,
+      _continue?: string,
+      fieldSelector?: string,
+      labelSelector?: string,
+      limit?: number,
+      pretty?: string,
+    ) =>
+      k8sApi.customObjectsClient.listClusterCustomObject(
+        'argoproj.io',
+        'v1alpha1',
+        'rollouts',
+        pretty,
+        _continue,
+        fieldSelector,
+        labelSelector,
+        limit,
+      ) as any,
+  );
+}
+
+export async function argoRolloutWatchHandler(
+  rollout: V1alpha1Rollout,
+): Promise<void> {
+  rollout = trimWorkload(rollout);
+
+  if (
+    !rollout.metadata ||
+    !rollout.spec ||
+    !rollout.spec.template.metadata ||
+    !rollout.spec.template.spec ||
+    !rollout.status
+  ) {
+    return;
+  }
+
+  const workloadAlreadyScanned =
+    kubernetesObjectToWorkloadAlreadyScanned(rollout);
+  if (workloadAlreadyScanned !== undefined) {
+    await Promise.all([
+      deleteWorkloadAlreadyScanned(workloadAlreadyScanned),
+      deleteWorkloadImagesAlreadyScanned({
+        ...workloadAlreadyScanned,
+        imageIds: rollout.spec.template.spec.containers
+          .filter((container) => container.image !== undefined)
+          .map((container) => container.image!),
+      }),
+      deleteWorkloadFromScanQueue(workloadAlreadyScanned),
+    ]);
+  }
+
+  const workloadName = rollout.metadata.name || FALSY_WORKLOAD_NAME_MARKER;
+
+  await deleteWorkload(
+    {
+      kind: WorkloadKind.ArgoRollout,
+      objectMeta: rollout.metadata,
+      specMeta: rollout.spec.template.metadata,
+      ownerRefs: rollout.metadata.ownerReferences,
+      revision: rollout.status.observedGeneration,
+      podSpec: rollout.spec.template.spec,
+    },
+    workloadName,
+  );
+}
+
+export async function isNamespacedArgoRolloutSupported(
+  namespace: string,
+): Promise<boolean> {
+  try {
+    const pretty = undefined;
+    const continueToken = undefined;
+    const fieldSelector = undefined;
+    const labelSelector = undefined;
+    const limit = 1; // Try to grab only a single object
+    const resourceVersion = undefined; // List anything in the cluster
+    const timeoutSeconds = 10; // Don't block the snyk-monitor indefinitely
+    const attemptedApiCall = await retryKubernetesApiRequest(() =>
+      k8sApi.customObjectsClient.listNamespacedCustomObject(
+        'argoproj.io',
+        'v1alpha1',
+        namespace,
+        'rollouts',
+        pretty,
+        continueToken,
+        fieldSelector,
+        labelSelector,
+        limit,
+        resourceVersion,
+        timeoutSeconds,
+      ),
+    );
+    return (
+      attemptedApiCall !== undefined &&
+      attemptedApiCall.response !== undefined &&
+      attemptedApiCall.response.statusCode !== undefined &&
+      attemptedApiCall.response.statusCode >= 200 &&
+      attemptedApiCall.response.statusCode < 300
+    );
+  } catch (error) {
+    logger.debug(
+      { error, workloadKind: WorkloadKind.ArgoRollout },
+      'Failed on Kubernetes API call to list namespaced argoproj.io/Rollout',
+    );
+    return false;
+  }
+}
+
+export async function isClusterArgoRolloutSupported(): Promise<boolean> {
+  try {
+    const pretty = undefined;
+    const continueToken = undefined;
+    const fieldSelector = undefined;
+    const labelSelector = undefined;
+    const limit = 1; // Try to grab only a single object
+    const resourceVersion = undefined; // List anything in the cluster
+    const timeoutSeconds = 10; // Don't block the snyk-monitor indefinitely
+    const attemptedApiCall = await retryKubernetesApiRequest(() =>
+      k8sApi.customObjectsClient.listClusterCustomObject(
+        'argoproj.io',
+        'v1alpha1',
+        'rollouts',
+        pretty,
+        continueToken,
+        fieldSelector,
+        labelSelector,
+        limit,
+        resourceVersion,
+        timeoutSeconds,
+      ),
+    );
+    return (
+      attemptedApiCall !== undefined &&
+      attemptedApiCall.response !== undefined &&
+      attemptedApiCall.response.statusCode !== undefined &&
+      attemptedApiCall.response.statusCode >= 200 &&
+      attemptedApiCall.response.statusCode < 300
+    );
+  } catch (error) {
+    logger.debug(
+      { error, workloadKind: WorkloadKind.ArgoRollout },
+      'Failed on Kubernetes API call to list cluster argoproj.io/Rollout',
+    );
+    return false;
+  }
+}
@@ -51,7 +51,15 @@ export async function paginatedNamespacedDeploymentConfigList(
         fieldSelector,
         labelSelector,
         limit,
-        // TODO: Why any?
+        /**
+         * The K8s client's listNamespacedCustomObject() doesn't allow to specify
+         * the type of the response body and returns the generic "object" type,
+         * but with how we declared our types we expect it to return a "KubernetesListObject" type.
+         *
+         * Not using "any" results in a similar error (highlighting the "body" property):
+         * Type 'Promise<{ response: IncomingMessage; ***body: object;*** }>' is not assignable to type
+         * 'Promise<{ response: IncomingMessage; ***body: KubernetesListObject<...>;*** }>'
+         */
       ) as any,
   );
 }
 
@@ -4,6 +4,7 @@ import { logger } from '../../../common/logger';
 import { WorkloadKind } from '../../types';
 import * as cronJob from './cron-job';
 import * as deploymentConfig from './deployment-config';
+import * as rollout from './argo-rollout';
 import { k8sApi, kubeConfig } from '../../cluster';
 import * as kubernetesApiWrappers from '../../kuberenetes-api-wrappers';
 import { FALSY_WORKLOAD_NAME_MARKER } from './types';
@@ -16,6 +17,8 @@ async function isSupportedNamespacedWorkload(
   workloadKind: WorkloadKind,
 ): Promise<boolean> {
   switch (workloadKind) {
+    case WorkloadKind.ArgoRollout:
+      return await rollout.isNamespacedArgoRolloutSupported(namespace);
     case WorkloadKind.DeploymentConfig:
       return await deploymentConfig.isNamespacedDeploymentConfigSupported(
         namespace,
@@ -43,6 +46,8 @@ async function isSupportedClusterWorkload(
   switch (workloadKind) {
     case WorkloadKind.DeploymentConfig:
       return await deploymentConfig.isClusterDeploymentConfigSupported();
+    case WorkloadKind.ArgoRollout:
+      return await rollout.isClusterArgoRolloutSupported();
     case WorkloadKind.CronJobV1Beta1:
       return await cronJob.isClusterCronJobSupported(
         workloadKind,
 
@@ -10,6 +10,7 @@ import * as replicaSet from './replica-set';
 import * as replicationController from './replication-controller';
 import * as statefulSet from './stateful-set';
 import * as deploymentConfig from './deployment-config';
+import * as rollout from './argo-rollout';
 import { IWorkloadWatchMetadata } from './types';
 
 /**
@@ -146,4 +147,15 @@ export const workloadWatchMetadata: Readonly<IWorkloadWatchMetadata> = {
     namespacedListFactory: (namespace) => () =>
       deploymentConfig.paginatedNamespacedDeploymentConfigList(namespace),
   },
+  [WorkloadKind.ArgoRollout]: {
+    clusterEndpoint: '/apis/argoproj.io/v1alpha1/rollouts',
+    namespacedEndpoint:
+      '/apis/argoproj.io/v1alpha1/watch/namespaces/{namespace}/rollouts',
+    handlers: {
+      [DELETE]: rollout.argoRolloutWatchHandler,
+    },
+    clusterListFactory: () => () => rollout.paginatedClusterArgoRolloutList(),
+    namespacedListFactory: (namespace) => () =>
+      rollout.paginatedNamespacedArgoRolloutList(namespace),
+  },
 };
@@ -60,6 +60,31 @@ export interface V1DeploymentConfigStatus {
   observedGeneration?: number;
 }
 
+export class V1alpha1RolloutList
+  implements KubernetesListObject<V1alpha1Rollout>
+{
+  'apiVersion'?: string;
+  'items': Array<V1alpha1Rollout>;
+  'kind'?: string;
+  'metadata'?: V1ListMeta;
+}
+
+export interface V1alpha1Rollout extends KubernetesObject {
+  apiVersion?: string;
+  kind?: string;
+  metadata?: V1ObjectMeta;
+  spec?: V1alpha1RolloutSpec;
+  status?: V1alpha1RolloutStatus;
+}
+
+export interface V1alpha1RolloutSpec {
+  template: V1PodTemplateSpec;
+}
+
+export interface V1alpha1RolloutStatus {
+  observedGeneration?: number;
+}
+
 export type V1ClusterList<T> = (
   allowWatchBookmarks?: boolean,
   _continue?: string,
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ export enum WorkloadKind {`
`25`	`25`	`ReplicationController = 'ReplicationController',`
`26`	`26`	`Pod = 'Pod',`
`27`	`27`	`DeploymentConfig = 'DeploymentConfig',`
	`28`	`+ ArgoRollout = 'Rollout',`
`28`	`29`	`}`
`29`	`30`
`30`	`31`	`export interface IRequestError {`