Merge pull request #476 from snyk/feat/add_ssl_certs

shaimendel · web-flow · commit c4dfed394a15 · 2020-05-11T18:44:59.000+03:00
[RUN-848] Feat/add ssl certs
diff --git a/README.md b/README.md
@@ -58,6 +58,11 @@ Finally, create the secret in Kubernetes by running the following command:
 kubectl create secret generic snyk-monitor -n snyk-monitor --from-file=./dockercfg.json --from-literal=integrationId=abcd1234-abcd-1234-abcd-1234abcd1234
 ```
 
+4. If your private registry requires installing certificates (*.crt, *.cert, *.key only) please put them in a folder and create the following ConfigMap:
+```shell
+kubectl create configmap snyk-monitor-certs -n snyk-monitor --from-file=<path_to_certs_folder>
+```
+
 ## Installation from YAML files ##
 
 The `kubernetes-monitor` can run in one of two modes: constrained to a single namespace, or with access to the whole cluster.
diff --git a/snyk-monitor-deployment.yaml b/snyk-monitor-deployment.yaml
@@ -30,6 +30,8 @@ spec:
           mountPath: "/srv/app/.docker"
         - name: temporary-storage
           mountPath: "/var/tmp"
+        - name: ssl-certs
+          mountPath: "/srv/app/certs"
         env:
           - name: SNYK_INTEGRATION_ID
             valueFrom:
@@ -101,4 +103,8 @@ spec:
       - name: temporary-storage
         emptyDir:
           sizeLimit: 50Gi
+      - name: ssl-certs
+        configMap:
+          name: snyk-monitor-certs
+          optional: true
       serviceAccountName: snyk-monitor
diff --git a/snyk-monitor/README.md b/snyk-monitor/README.md
@@ -50,6 +50,11 @@ Finally, create the secret in Kubernetes by running the following command:
 kubectl create secret generic snyk-monitor -n snyk-monitor --from-file=./dockercfg.json --from-literal=integrationId=abcd1234-abcd-1234-abcd-1234abcd1234
 ```
 
+4. If your private registry requires installing certificates (*.crt, *.cert, *.key only) please put them in a folder and create the following ConfigMap:
+```shell
+kubectl create configmap snyk-monitor-certs -n snyk-monitor --from-file=<path_to_certs_folder>
+```
+
 ## Installation from Helm repo ##
 
 Add Snyk's Helm repo:
diff --git a/snyk-monitor/templates/deployment.yaml b/snyk-monitor/templates/deployment.yaml
@@ -32,6 +32,8 @@ spec:
             mountPath: "/srv/app/.docker"
           - name: temporary-storage
             mountPath: "/var/tmp"
+          - name: ssl-certs
+            mountPath: "/srv/app/certs"
           env:
           - name: SNYK_INTEGRATION_ID
             valueFrom:
@@ -79,3 +81,7 @@ spec:
         - name: temporary-storage
           emptyDir:
             sizeLimit: {{ .Values.temporaryStorageSize }}
+        - name: ssl-certs
+          configMap:
+            name: {{ .Values.certsConfigMap }}
+            optional: true
diff --git a/snyk-monitor/values.yaml b/snyk-monitor/values.yaml
@@ -5,6 +5,7 @@
 # The secrets should be created externally, before applying this Helm chart.
 # The currently used keys within the secret are: "dockercfg.json", "integrationId".
 monitorSecrets: snyk-monitor
+certsConfigMap: snyk-monitor-certs
 
 # One of: Cluster, Namespaced
 # Cluster - creates a ClusterRole and ClusterRoleBinding with the ServiceAccount
diff --git a/src/scanner/images/skopeo.ts b/src/scanner/images/skopeo.ts
@@ -38,10 +38,12 @@ export async function pull(
 ): Promise<void> {
   const creds = await credentials.getSourceCredentials(image);
   const credentialsParameters = getCredentialParameters(creds);
+  const certificatesParameters = getCertificatesParameters();
 
   const args: Array<processWrapper.IProcessArgument> = [];
   args.push({body: 'copy', sanitise: false});
   args.push(...credentialsParameters);
+  args.push(...certificatesParameters);
   args.push({body: prefixRespository(image, SkopeoRepositoryType.ImageRegistry), sanitise: false});
   args.push({body: prefixRespository(destination, SkopeoRepositoryType.DockerArchive), sanitise: false});
 
@@ -80,3 +82,10 @@ export function getCredentialParameters(credentials: string | undefined): Array<
   }
   return credentialsParameters;
 }
+
+export function getCertificatesParameters(): Array<processWrapper.IProcessArgument> {
+  const certificatesParameters: Array<processWrapper.IProcessArgument> = [];
+  certificatesParameters.push({body: '--src-cert-dir', sanitise: true});
+  certificatesParameters.push({body: '/srv/app/certs', sanitise: true});
+  return certificatesParameters;
+}
diff --git a/test/unit/scanner/skopeo.test.ts b/test/unit/scanner/skopeo.test.ts
@@ -17,8 +17,17 @@ tap.test('getCredentialParameters()', async (t) => {
     credentialParametersForSomeCredentials,
     [
       {body: '--src-creds', sanitise: true},
-      {body: someCredentials, sanitise: true}
+      {body: someCredentials, sanitise: true},
     ],
     'returns Skopeo\'s args for source credentials',
   );
+  const certificatesParameters = skopeo.getCertificatesParameters();
+  t.same(
+    certificatesParameters,
+    [
+      {body: '--src-cert-dir', sanitise: true},
+      {body: '/srv/app/certs', sanitise: true},
+    ],
+    'returns Skopeo\'s certificate args',
+  );
 });
