From 463644ead0721e1389e833accce2a8f8f1938502 Mon Sep 17 00:00:00 2001
From: Richard Hagen
Date: Fri, 15 Mar 2024 08:19:18 +0100
Subject: [PATCH] Remove legacy auth (#55)

* Remove legacy auth
* removve legacy options
* update installation instructions
* remove legacy auth
---
 .env.template | 2 --
 README.md | 17 +++++++++++------
 charts/radix-vulnerability-scanner/Chart.yaml | 4 ++--
 .../templates/deployment.yaml | 6 ------
 .../templates/secret.yaml | 3 ---
 charts/radix-vulnerability-scanner/values.yaml | 4 ----
 main.go | 3 ---
 pkg/server/load.go | 3 ---
 pkg/server/options.go | 7 ++-----
 pkg/server/server.go | 7 +------
 10 files changed, 16 insertions(+), 40 deletions(-)

diff --git a/.env.template b/.env.template
index db13743..732f072 100644
--- a/.env.template
+++ b/.env.template
@@ -8,5 +8,3 @@ RVS_APP_NAME_EXCLUDE_LIST=
 RVS_WORKERS=
 RVS_DB_SERVER=
 RVS_DB_DATABASE=
-RVS_DB_USERNAME=
-RVS_DB_PASSWORD=
\ No newline at end of file
diff --git a/README.md b/README.md
index b67e0f5..0d575dc 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@
 ## Installation
-`radix-vulnerability-scanner` installation is handled by Flux using [Radix Flux](https://github.com/equinor/radix-flux). Flux prerequisites is bootstrapped with scripts in [Radix Platform](https://github.com/equinor/radix-platform/tree/master/scripts/vulnerability-scanner).
+`radix-vulnerability-scanner` installation is handled by Flux using [Radix Flux](https://github.com/equinor/radix-flux). Flux prerequisites is bootstrapped with Terraforms [Vulnerability Scanner module](https://github.com/equinor/radix-platform/tree/master/terraform/subscriptions/s941/dev/vulnerability-scanner) (in each environment)
 ### Azure Resources
@@ -16,9 +16,16 @@
 ### Database Permissions
-The user configured for connecting to the SQL Server must be member of the `radixwriter` database role.
-Run script `bootstrap-scanner.sh` in [Radix Platform](https://github.com/equinor/radix-platform/tree/master/scripts/vulnerability-scanner) to create a database user with the required role membership.
+The user configured for connecting to the SQL Server must be member of the `radixwriter` database role and authenticates with managed identity using Azure `ActiveDirectoryDefault` profile.
+ - Run the Vulnerability Scanner Terraform module in each environment to set up Managed Identities.
+ - Take a note of any changed CLIENT-IDs:
+ - `radix-id-vulnerability-scan-admin-` must be added in `./.github/workflows/build-push.yml` in this project
+ - `radix-id-vulnerability-scan-github-` must be added in `./.github/workflows/deploy-database.yml` in this project
+ - `radix-id-vulnerability-scan-reader-` must be added in Radixconfig.yaml file for each environment in https://github.com/equinor/radix-vulnerability-scanner-api
+ - `radix-id-vulnerability-scan-writer-` must be added in `VULNERABILITY_SCANNER_SQL_CLIENT_ID` in `https://github.com/equinor/radix-flux/blob/master/clusters/development/postBuild.yaml`
+ - Check https://github.com/equinor/radix-vulnerability-scanner/issues/54 for special considerations to deploy roles and external users.
+
 ## Configuration
 **Environment variables**
@@ -36,8 +43,6 @@ Run script `bootstrap-scanner.sh` in [Radix Platform](https://github.com/equinor
 | workers | number | No | Number of concurrent workers to scan images | 1 |
 | db-server | string | Yes | Name/URL of the SQL Server where scan results are stored | "" |
 | db-database | string | Yes | Name of the SQL Server database where scan results are stored | "" |
-| db-username | string | Yes | User name for connection to SQL Server | "" |
-| db-password | string | Yes | Password for SQL Server user | "" |
 | vulnerability-scan-timeout | string | No | Context timeout for each image scan | "5m" |
 | vulnerability-rescan-age | string | No | Defines the minimum age of an image scan before a new scan is performed. An image is not scanned if the age of the last scan is less than this value | "24h" |
 | docker-config-file | string | No | Path to docker file with auths for accessing private image repositories | "" |
@@ -67,4 +72,4 @@ Create a copy of .env.template and name it .env. Set variables to allow local de
 ## Security
-This is how we handle [security issues](./SECURITY.md)
\ No newline at end of file
+This is how we handle [security issues](./SECURITY.md)
diff --git a/charts/radix-vulnerability-scanner/Chart.yaml b/charts/radix-vulnerability-scanner/Chart.yaml
index cfa2c67..46d4c74 100644
--- a/charts/radix-vulnerability-scanner/Chart.yaml
+++ b/charts/radix-vulnerability-scanner/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 0.1.0
-version: 0.1.0
+appVersion: 1.0.0
+version: 1.0.0
 description: Scan images in RadixDeployments for vulnerabilities
 name: radix-vulnerability-scanner
diff --git a/charts/radix-vulnerability-scanner/templates/deployment.yaml b/charts/radix-vulnerability-scanner/templates/deployment.yaml
index 236dc2d..354060f 100644
--- a/charts/radix-vulnerability-scanner/templates/deployment.yaml
+++ b/charts/radix-vulnerability-scanner/templates/deployment.yaml
@@ -57,12 +57,6 @@ spec:
   {{- with .Values.sql.databaseName }}
   - --db-database={{ . }}
   {{- end}}
-  {{- with .Values.sql.federatedCredentials}}
-  - --db-use-federated-token=true
-  {{- end}}
-  {{- with .Values.sql.userName }}
-  - --db-username={{ . }}
-  {{- end}}
   {{- with .Values.kubeConfigFile }}
   - --kube-config-file={{ . }}
   {{- end}}
diff --git a/charts/radix-vulnerability-scanner/templates/secret.yaml b/charts/radix-vulnerability-scanner/templates/secret.yaml
index c46b26d..3c34dae 100644
--- a/charts/radix-vulnerability-scanner/templates/secret.yaml
+++ b/charts/radix-vulnerability-scanner/templates/secret.yaml
@@ -6,9 +6,6 @@ metadata:
   namespace: {{ .Release.Namespace | quote }}
 type: Opaque
 stringData:
-  {{- with .Values.sql.password }}
-  RVS_DB_PASSWORD: {{ . }}
-  {{- end }}
   {{- with .Values.snykToken }}
   SNYK_TOKEN: {{ . | quote }}
   {{- end }}
diff --git a/charts/radix-vulnerability-scanner/values.yaml b/charts/radix-vulnerability-scanner/values.yaml
index 9bdb164..4eb7e36 100644
--- a/charts/radix-vulnerability-scanner/values.yaml
+++ b/charts/radix-vulnerability-scanner/values.yaml
@@ -23,10 +23,6 @@ rbac:
 sql:
   serverName: ""
   databaseName: ""
-  userName: ""
-  # Stored in envSecret. Requires envSecret.create to be true.
-  password: ""
-  federatedCredentials: ""
 # Defines or creates a secret that holds environment variables
 envSecret:
diff --git a/main.go b/main.go
index 3f7b1ac..00d8c29 100644
--- a/main.go
+++ b/main.go
@@ -63,9 +63,6 @@ func logOptions(opts *server.Options) {
 	log.Info().Msgf(" workers: %v", opts.Workers)
 	log.Info().Msgf(" db-server: %v", opts.DB.Server)
 	log.Info().Msgf(" db-database: %v", opts.DB.Database)
-	log.Info().Msgf(" db-username: %v", opts.DB.UserName)
-	log.Info().Msgf(" db-password set: %v", len(opts.DB.Password) > 0)
-	log.Info().Msgf(" db-use-federated-token set: %v", opts.DB.UseFederatedToken)
 	log.Info().Msgf(" vulnerability-scan-timeout: %s", opts.VulnerabilityScan.ScanTimeout)
 	log.Info().Msgf(" vulnerability-rescan-age: %s", opts.VulnerabilityScan.RescanAge)
 	log.Info().Msgf(" docker-config-file: %s", opts.Docker.AuthsFile)
diff --git a/pkg/server/load.go b/pkg/server/load.go
index fb661f1..aaf75a3 100644
--- a/pkg/server/load.go
+++ b/pkg/server/load.go
@@ -56,9 +56,6 @@ func dbFlagset() *pflag.FlagSet {
 	flagset := pflag.NewFlagSet("db", pflag.ExitOnError)
 	flagset.String("db-server", "", "SQL Server address")
 	flagset.String("db-database", "", "SQL Server database name")
-	flagset.String("db-username", "", "SQL Server user name")
-	flagset.String("db-password", "", "SQL Server password")
-	flagset.String("db-use-federated-token", "", "SQL Use federated token")
 	return flagset
 }
diff --git a/pkg/server/options.go b/pkg/server/options.go
index 9236f2c..3682577 100644
--- a/pkg/server/options.go
+++ b/pkg/server/options.go
@@ -24,11 +24,8 @@ type (
 	// DBOptions contains configuration for database connection
 	DBOptions struct {
-		Server string `flag:"db-server" cfg:"db_server"`
-		Database string `flag:"db-database" cfg:"db_database"`
-		UserName string `flag:"db-username" cfg:"db_username"`
-		Password string `flag:"db-password" cfg:"db_password"`
-		UseFederatedToken bool `flag:"db-use-federated-token" cfg:"db_use_federated_token" default:"false"`
+		Server string `flag:"db-server" cfg:"db_server"`
+		Database string `flag:"db-database" cfg:"db_database"`
 	}
 	// DockerOptions contains configuration for accessing docker images
diff --git a/pkg/server/server.go b/pkg/server/server.go
index 34d2785..eab2408 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -150,13 +150,8 @@ func (s *Server) run(stopCh <-chan struct{}) error {
 }
 func getRepository(opts *DBOptions) (db.Repository, error) {
-	var dsn string
-	if opts.UseFederatedToken {
-		dsn = fmt.Sprintf("server=%s;database=%s;fedauth=ActiveDirectoryDefault", opts.Server, opts.Database)
-	} else {
-		dsn = fmt.Sprintf("server=%s;database=%s;user id=%s;password=%s", opts.Server, opts.Database, opts.UserName, opts.Password)
-	}
+	dsn := fmt.Sprintf("server=%s;database=%s;fedauth=ActiveDirectoryDefault", opts.Server, opts.Database)
 	dialector := sqlserver.New(sqlserver.Config{
 		DriverName: azuread.DriverName,
 		DSN: dsn,