From 28e27d30be2304dcc93b37161182aed9ad68604f Mon Sep 17 00:00:00 2001
From: Gireesh Naidu
Date: Fri, 23 Jun 2023 14:55:18 +0530
Subject: [PATCH 1/2] getting force_security_scan value from devtron-cm
---
 pkg/pipeline/PipelineBuilder.go | 38 ++++++++++++++-------------------
 1 file changed, 16 insertions(+), 22 deletions(-)
diff --git a/pkg/pipeline/PipelineBuilder.go b/pkg/pipeline/PipelineBuilder.go
index b3a1705502..a88f0e9118 100644
--- a/pkg/pipeline/PipelineBuilder.go
+++ b/pkg/pipeline/PipelineBuilder.go
@@ -87,6 +87,12 @@ type DeploymentServiceTypeConfig struct {
 IsInternalUse bool `env:"IS_INTERNAL_USE" envDefault:"false"`
 }
+type SecurityConfig struct { //FORCE_SECURITY_SCANNING flag is being maintained in both dashboard and orchestrator CM's //TODO: rishabh will remove FORCE_SECURITY_SCANNING from dashboard's CM. ForceSecurityScanning bool `env:"FORCE_SECURITY_SCANNING" envDefault:"false"`
+}
+
 func GetDeploymentServiceTypeConfig() (*DeploymentServiceTypeConfig, error) {
 cfg := &DeploymentServiceTypeConfig{}
 err := env.Parse(cfg)
@@ -217,6 +223,7 @@ type PipelineBuilderImpl struct {
 appGroupService appGroup2.AppGroupService
 chartDeploymentService util.ChartDeploymentService
 K8sUtil *util.K8sUtil
+ securityConfig *SecurityConfig
 }
 func NewPipelineBuilderImpl(logger *zap.SugaredLogger,
@@ -270,6 +277,12 @@ func NewPipelineBuilderImpl(logger *zap.SugaredLogger,
 appGroupService appGroup2.AppGroupService,
 chartDeploymentService util.ChartDeploymentService,
 K8sUtil *util.K8sUtil) *PipelineBuilderImpl {
+ securityConfig := &SecurityConfig{} err := env.Parse(securityConfig) if err != nil { logger.Errorw("error in parsing securityConfig,setting ForceSecurityScanning to default value", "defaultValue", securityConfig.ForceSecurityScanning, "err", err) }
 return &PipelineBuilderImpl{
 logger: logger,
 ciCdPipelineOrchestrator: ciCdPipelineOrchestrator,
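Review bot: The comment on the new SecurityConfig type describes the migration state (`//FORCE_SECURITY_SCANNING flag is being maintained in both dashboard and orchestrator CM's`, plus a TODO naming a person) rather than what the type and field mean, and a Go doc comment should start with the identifier. Suggest `// SecurityConfig holds the security settings the orchestrator reads from its environment at startup.` on the type and, on the field, `// ForceSecurityScanning forces ScanEnabled on for every CI pipeline patched through PatchCiPipeline; it is parsed once in NewPipelineBuilderImpl, so a change needs a restart.`, keeping the TODO as its own line if it is still wanted. The "parsed once" part is what a reader of the field will most need, since the value used to be fetched per request.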
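Review bot: When env.Parse fails, the constructor logs and keeps going with whatever it left in securityConfig, which the log message itself says is the default, so a malformed FORCE_SECURITY_SCANNING value silently turns an enforcement control off rather than keeping it on; for a flag whose purpose is to force scanning, the safer fallback is the restrictive one, e.g. `securityConfig.ForceSecurityScanning = true` next to the Errorw call, or surfacing the error at startup. The file already follows a provider pattern for this, GetDeploymentServiceTypeConfig returning `(*DeploymentServiceTypeConfig, error)`; a parallel `GetSecurityConfig()` called by the wiring and passed into the constructor would keep env access out of NewPipelineBuilderImpl and let the wiring decide whether a parse error is fatal. NewPipelineBuilderImpl's signature starts before the hunk.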
@@ -330,6 +343,7 @@ func NewPipelineBuilderImpl(logger *zap.SugaredLogger,
 appGroupService: appGroupService,
 chartDeploymentService: chartDeploymentService,
 K8sUtil: K8sUtil,
+ securityConfig: securityConfig,
 }
 }
@@ -1423,28 +1437,8 @@ func (impl PipelineBuilderImpl) PatchCiPipeline(request *bean.CiPatchRequest) (c
 ciConfig.AppWorkflowId = request.AppWorkflowId
 ciConfig.UserId = request.UserId
 if request.CiPipeline != nil {
- client, err := impl.K8sUtil.GetClientForInCluster()
- if err != nil {
- impl.logger.Errorw("exception while getting unique client id", "error", err)
- return nil, err
- }
- cm, err := impl.K8sUtil.GetConfigMap(argo.DEVTRONCD_NAMESPACE, DashboardConfigMap, client)
- if err != nil {
- impl.logger.Errorw("error while getting dashboard-cm", "error", err)
- return nil, err
- }
- if cm == nil {
- impl.logger.Errorw("error while getting dashboard-cm", "error", err)
- return nil, err
- }
- datamap := cm.Data
- forceScanConfig, err := strconv.ParseBool(datamap[SECURITY_SCANNING])
- if err != nil {
- forceScanConfig = false
- }
- if forceScanConfig {
- request.CiPipeline.ScanEnabled = true
- }
+ //setting ScanEnabled value from env variable,
+ request.CiPipeline.ScanEnabled = impl.securityConfig.ForceSecurityScanning
 ciConfig.ScanEnabled = request.CiPipeline.ScanEnabled
 }
 switch request.Action {
From 8dce28a919b78f16a6a620757113962185b6ba52 Mon Sep 17 00:00:00 2001
From: Gireesh Naidu
Date: Fri, 23 Jun 2023 16:25:02 +0530
Subject: [PATCH 2/2] condition updated to force enforce or requested enforce
---
 pkg/pipeline/PipelineBuilder.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/pipeline/PipelineBuilder.go b/pkg/pipeline/PipelineBuilder.go
index a88f0e9118..1eb294f8ce 100644
--- a/pkg/pipeline/PipelineBuilder.go
+++ b/pkg/pipeline/PipelineBuilder.go
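Review bot: `impl.securityConfig` on the new assignment is a pointer that only NewPipelineBuilderImpl populates, so any PipelineBuilderImpl built as a struct literal (tests, other wiring) will nil-dereference here; storing it by value (`securityConfig SecurityConfig` in the struct, `securityConfig: *securityConfig` in the constructor) removes that failure mode at no cost. The removed block read the dashboard ConfigMap on every patch, so a flag change took effect immediately, whereas the env value is parsed once in the constructor and now needs an orchestrator restart, which is worth stating in the description or on the field. With the ConfigMap lookup gone, `DashboardConfigMap`, `SECURITY_SCANNING` and the `strconv` import may have no remaining users in this file; the rest of the file is not visible here, so that needs a check. The trailing comma in `//setting ScanEnabled value from env variable,` looks accidental. PatchCiPipeline begins and ends outside the hunk.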
@@ -1438,7 +1438,7 @@ func (impl PipelineBuilderImpl) PatchCiPipeline(request *bean.CiPatchRequest) (c
 ciConfig.UserId = request.UserId
 if request.CiPipeline != nil {
 //setting ScanEnabled value from env variable,
- request.CiPipeline.ScanEnabled = impl.securityConfig.ForceSecurityScanning
+ request.CiPipeline.ScanEnabled = request.CiPipeline.ScanEnabled || impl.securityConfig.ForceSecurityScanning
 ciConfig.ScanEnabled = request.CiPipeline.ScanEnabled
 }
 switch request.Action {
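Review bot: The comment carried over from the previous commit, `//setting ScanEnabled value from env variable,`, no longer describes the line under it, which now keeps the caller's value and only lets the env flag add to it; suggest `// FORCE_SECURITY_SCANNING can switch scanning on for a pipeline but never off; a caller that asked for scanning keeps it.` That is the right direction for an enforcement flag, because the request value comes from the caller and a forced scan should not be something the request can clear, and it matches the `if forceScanConfig { ScanEnabled = true }` behaviour the first commit removed. PatchCiPipeline begins and ends outside the hunk.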