Merge pull request #56 from equinor/main

Release Removal of legacy auth (#55)

.env.template

@@ -8,5 +8,3 @@ RVS_APP_NAME_EXCLUDE_LIST=
 RVS_WORKERS=
 RVS_DB_SERVER=
 RVS_DB_DATABASE=
-RVS_DB_USERNAME=
-RVS_DB_PASSWORD=

README.md

@@ -8,17 +8,24 @@
 
 ## Installation
 
-`radix-vulnerability-scanner` installation is handled by Flux using [Radix Flux](https://github.com/equinor/radix-flux). Flux prerequisites is bootstrapped with scripts in [Radix Platform](https://github.com/equinor/radix-platform/tree/master/scripts/vulnerability-scanner).
+`radix-vulnerability-scanner` installation is handled by Flux using [Radix Flux](https://github.com/equinor/radix-flux). Flux prerequisites is bootstrapped with Terraforms [Vulnerability Scanner module](https://github.com/equinor/radix-platform/tree/master/terraform/subscriptions/s941/dev/vulnerability-scanner) (in each environment)
 
 ### Azure Resources
 
 `radix-vulnerability-scanner` stores scan results in a SQL Server database. The database and schema is deployed using Github actions.
 
 ### Database Permissions
 
-The user configured for connecting to the SQL Server must be member of the `radixwriter` database role.
-Run script `bootstrap-scanner.sh` in [Radix Platform](https://github.com/equinor/radix-platform/tree/master/scripts/vulnerability-scanner) to create a database user with the required role membership.
+The user configured for connecting to the SQL Server must be member of the `radixwriter` database role and authenticates with managed identity using Azure `ActiveDirectoryDefault` profile.
 
+ - Run the Vulnerability Scanner Terraform module in each environment to set up Managed Identities.
+ - Take a note of any changed CLIENT-IDs:
+   - `radix-id-vulnerability-scan-admin-<ENV>` must be added in `./.github/workflows/build-push.yml` in this project
+   - `radix-id-vulnerability-scan-github-<ENV>` must be added in `./.github/workflows/deploy-database.yml` in this project
+   - `radix-id-vulnerability-scan-reader-<ENV>` must be added in Radixconfig.yaml file for each environment in https://github.com/equinor/radix-vulnerability-scanner-api
+   - `radix-id-vulnerability-scan-writer-<ENV>` must be added in `VULNERABILITY_SCANNER_SQL_CLIENT_ID` in `https://github.com/equinor/radix-flux/blob/master/clusters/development/postBuild.yaml`
+   - Check https://github.com/equinor/radix-vulnerability-scanner/issues/54 for special considerations to deploy roles and external users.
+
 ## Configuration
 
 **Environment variables**
@@ -36,8 +43,6 @@ Run script `bootstrap-scanner.sh` in [Radix Platform](https://github.com/equinor
 | workers | number | No | Number of concurrent workers to scan images | 1 |
 | db-server | string | Yes | Name/URL of the SQL Server where scan results are stored | "" |
 | db-database | string | Yes | Name of the SQL Server database where scan results are stored | "" |
-| db-username | string | Yes | User name for connection to SQL Server | "" |
-| db-password | string | Yes | Password for SQL Server user | "" |
 | vulnerability-scan-timeout | string | No | Context timeout for each image scan | "5m" |
 | vulnerability-rescan-age | string | No | Defines the minimum age of an image scan before a new scan is performed. An image is not scanned if the age of the last scan is less than this value | "24h" |
 | docker-config-file | string | No | Path to docker file with auths for accessing private image repositories | "" |
@@ -67,4 +72,4 @@ Create a copy of .env.template and name it .env. Set variables to allow local de
 
 ## Security
 
-This is how we handle [security issues](./SECURITY.md)
+This is how we handle [security issues](./SECURITY.md)

charts/radix-vulnerability-scanner/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 0.1.0
-version: 0.1.0
+appVersion: 1.0.0
+version: 1.0.0
 description: Scan images in RadixDeployments for vulnerabilities
 name: radix-vulnerability-scanner

charts/radix-vulnerability-scanner/templates/deployment.yaml

@@ -57,12 +57,6 @@ spec:
             {{- with .Values.sql.databaseName }}
             - --db-database={{ . }}
             {{- end}}
-            {{- with .Values.sql.federatedCredentials}}
-            - --db-use-federated-token=true
-            {{- end}}
-            {{- with .Values.sql.userName }}
-            - --db-username={{ . }}
-            {{- end}}
             {{- with .Values.kubeConfigFile }}
             - --kube-config-file={{ . }}
             {{- end}}

charts/radix-vulnerability-scanner/templates/secret.yaml

@@ -6,9 +6,6 @@ metadata:
   namespace: {{ .Release.Namespace | quote }}
 type: Opaque
 stringData:
-  {{- with .Values.sql.password }}
-  RVS_DB_PASSWORD: {{ . }}
-  {{- end }}
   {{- with .Values.snykToken }}
   SNYK_TOKEN: {{ . | quote }}
   {{- end }}

charts/radix-vulnerability-scanner/values.yaml

@@ -23,10 +23,6 @@ rbac:
 sql:
   serverName: ""
   databaseName: ""
-  userName: ""
-  # Stored in envSecret. Requires envSecret.create to be true.
-  password: ""
-  federatedCredentials: ""
 
 # Defines or creates a secret that holds environment variables
 envSecret:

main.go

@@ -63,9 +63,6 @@ func logOptions(opts *server.Options) {
 	log.Info().Msgf("  workers: %v", opts.Workers)
 	log.Info().Msgf("  db-server: %v", opts.DB.Server)
 	log.Info().Msgf("  db-database: %v", opts.DB.Database)
-	log.Info().Msgf("  db-username: %v", opts.DB.UserName)
-	log.Info().Msgf("  db-password set: %v", len(opts.DB.Password) > 0)
-	log.Info().Msgf("  db-use-federated-token set: %v", opts.DB.UseFederatedToken)
 	log.Info().Msgf("  vulnerability-scan-timeout: %s", opts.VulnerabilityScan.ScanTimeout)
 	log.Info().Msgf("  vulnerability-rescan-age: %s", opts.VulnerabilityScan.RescanAge)
 	log.Info().Msgf("  docker-config-file: %s", opts.Docker.AuthsFile)

pkg/server/load.go

@@ -56,9 +56,6 @@ func dbFlagset() *pflag.FlagSet {
 	flagset := pflag.NewFlagSet("db", pflag.ExitOnError)
 	flagset.String("db-server", "", "SQL Server address")
 	flagset.String("db-database", "", "SQL Server database name")
-	flagset.String("db-username", "", "SQL Server user name")
-	flagset.String("db-password", "", "SQL Server password")
-	flagset.String("db-use-federated-token", "", "SQL Use federated token")
 	return flagset
 }
 

pkg/server/options.go

@@ -24,11 +24,8 @@ type (
 
 	// DBOptions contains configuration for database connection
 	DBOptions struct {
-		Server            string `flag:"db-server" cfg:"db_server"`
-		Database          string `flag:"db-database" cfg:"db_database"`
-		UserName          string `flag:"db-username" cfg:"db_username"`
-		Password          string `flag:"db-password" cfg:"db_password"`
-		UseFederatedToken bool   `flag:"db-use-federated-token" cfg:"db_use_federated_token" default:"false"`
+		Server   string `flag:"db-server" cfg:"db_server"`
+		Database string `flag:"db-database" cfg:"db_database"`
 	}
 
 	// DockerOptions contains configuration for accessing docker images

pkg/server/server.go

@@ -150,13 +150,8 @@ func (s *Server) run(stopCh <-chan struct{}) error {
 }
 
 func getRepository(opts *DBOptions) (db.Repository, error) {
-	var dsn string
-	if opts.UseFederatedToken {
-		dsn = fmt.Sprintf("server=%s;database=%s;fedauth=ActiveDirectoryDefault", opts.Server, opts.Database)
-	} else {
-		dsn = fmt.Sprintf("server=%s;database=%s;user id=%s;password=%s", opts.Server, opts.Database, opts.UserName, opts.Password)
-	}
 
+	dsn := fmt.Sprintf("server=%s;database=%s;fedauth=ActiveDirectoryDefault", opts.Server, opts.Database)
 	dialector := sqlserver.New(sqlserver.Config{
 		DriverName: azuread.DriverName,
 		DSN:        dsn,