Update component usage and add action pattern

go.mod

@@ -5,8 +5,10 @@ go 1.16
 require (
 	github.com/aquasecurity/starboard v0.11.0
 	github.com/stretchr/testify v1.7.0
-	github.com/vmware-tanzu/octant v0.23.0
+	github.com/vmware-tanzu/octant v0.24.0
 	k8s.io/api v0.21.3
 	k8s.io/apiextensions-apiserver v0.21.3
 	k8s.io/apimachinery v0.21.3
+	k8s.io/cli-runtime v0.21.3
+	k8s.io/client-go v0.21.3
 )

pkg/plugin/actions/actions.go

@@ -0,0 +1,71 @@
+package actions
+
+import (
+	"context"
+	"fmt"
+	"github.com/aquasecurity/starboard/pkg/generated/clientset/versioned"
+	"github.com/aquasecurity/starboard/pkg/kube"
+	"github.com/aquasecurity/starboard/pkg/kubehunter"
+	"github.com/aquasecurity/starboard/pkg/starboard"
+	"github.com/vmware-tanzu/octant/pkg/action"
+	"github.com/vmware-tanzu/octant/pkg/plugin/service"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/client-go/kubernetes"
+	"os"
+	"time"
+)
+
+const (
+	StarboardKubeHunterScan = "starboard.octant.dev/scanKubeHunter"
+
+	kubeHunterReportName = "cluster"
+)
+
+func ActionHandler(request *service.ActionRequest) error {
+	actionName, err := request.Payload.String("action")
+	if err != nil {
+		return err
+	}
+
+	switch actionName {
+	case StarboardKubeHunterScan:
+		alert := action.CreateAlert(action.AlertTypeInfo, "Creating kube-hunter report...", time.Second * 15)
+		request.DashboardClient.SendAlert(request.Context(), request.ClientState.ClientID(), alert)
+		return startKubeHunterScan(request.Context())
+	default:
+		// no-op
+	}
+	return nil
+}
+
+func startKubeHunterScan(ctx context.Context) error {
+	configFlags := genericclioptions.NewConfigFlags(true)
+	// TODO: Since DashboardClient does not provide a RESTConfig, don't scan if kubeconfigs are different
+	if *configFlags.KubeConfig != os.Getenv("KUBECONFIG") {
+		return fmt.Errorf("kubeconfig mismatch")
+	}
+
+	restconfig, err := configFlags.ToRESTConfig()
+	if err != nil {
+		return err
+	}
+	kubeClientset, err := kubernetes.NewForConfig(restconfig)
+	if err != nil {
+		return err
+	}
+	opts := kube.ScannerOpts{ScanJobTimeout: time.Minute}
+	config, err := starboard.NewConfigManager(kubeClientset, starboard.NamespaceName).Read(ctx)
+	if err != nil {
+		return err
+	}
+	scanner := kubehunter.NewScanner(starboard.NewScheme(), kubeClientset, config, opts)
+	report, err := scanner.Scan(ctx)
+	if err != nil {
+		return err
+	}
+	starboardClientset, err := versioned.NewForConfig(restconfig)
+	if err != nil {
+		return err
+	}
+	return kubehunter.NewWriter(starboardClientset).Write(ctx, report, kubeHunterReportName)
+}

pkg/plugin/controller/printers.go

@@ -3,7 +3,6 @@ package controller
 import (
 	"errors"
 	"fmt"
-
 	"github.com/aquasecurity/starboard-octant-plugin/pkg/plugin/model"
 	"github.com/aquasecurity/starboard-octant-plugin/pkg/plugin/view/configaudit"
 	"github.com/aquasecurity/starboard-octant-plugin/pkg/plugin/view/kubebench"
@@ -15,6 +14,7 @@ import (
 	"github.com/vmware-tanzu/octant/pkg/view/component"
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/runtime"
+	"strconv"
 )
 
 // ResourceTabPrinter is called when Octant wants to add new tab for the underlying resource.
@@ -130,11 +130,98 @@ func ResourcePrinter(request *service.PrintRequest) (plugin.PrintResponse, error
 	return plugin.PrintResponse{
 		Status: vulnerabilities.NewSummarySections(summary),
 		Config: configaudit.NewSummarySections(configAuditSummary),
-		Items: []component.FlexLayoutItem{
-			{
-				Width: component.WidthFull,
-				View:  configaudit.NewReport(workload, configAuditReportsDefined, configAuditReport),
+	}, nil
+}
+
+func ResourceReportTabPrinter(request *service.PrintRequest) (plugin.TabResponse, error) {
+	if request.Object == nil {
+		return plugin.TabResponse{}, errors.New("object is nil")
+	}
+
+	workload, err := getWorkloadFromObject(request.Object)
+	if err != nil {
+		return plugin.TabResponse{}, err
+	}
+
+	if workload.Kind == kube.KindNode {
+		return plugin.TabResponse{}, nil
+	}
+
+	repository := model.NewRepository(request.DashboardClient)
+
+	_, err = repository.GetCustomResourceDefinitionByName(request.Context(), v1alpha1.ConfigAuditReportCRName)
+	configAuditReportsDefined := err == nil
+
+	var configAuditReport *v1alpha1.ConfigAuditReport
+	if configAuditReportsDefined {
+		configAuditReport, err = repository.GetConfigAuditReportByOwner(request.Context(), workload)
+		if err != nil {
+			return plugin.TabResponse{}, err
+		}
+	}
+
+	return plugin.TabResponse{
+		Tab: component.NewTabWithContents(*configaudit.NewReport(workload, configAuditReportsDefined, configAuditReport)),
+	}, nil
+}
+
+// ResourceObjectStatus is called when Octant wants to determine the status (icon color) of an object
+func ResourceObjectStatus(request *service.PrintRequest) (plugin.ObjectStatusResponse, error) {
+	if request.Object == nil {
+		return plugin.ObjectStatusResponse{}, errors.New("object is nil")
+	}
+
+	workload, err := getWorkloadFromObject(request.Object)
+	if err != nil {
+		return plugin.ObjectStatusResponse{}, err
+	}
+
+	repository := model.NewRepository(request.DashboardClient)
+
+	_, err = repository.GetCustomResourceDefinitionByName(request.Context(), v1alpha1.VulnerabilityReportsCRName)
+	vulnerabilityReportsDefined := err == nil
+
+	var summary *v1alpha1.VulnerabilitySummary
+	if vulnerabilityReportsDefined {
+		summary, err = repository.GetVulnerabilitiesSummary(request.Context(), workload)
+		if err != nil {
+			return plugin.ObjectStatusResponse{}, err
+		}
+	}
+	// summary could be nil due to delays in fetching the CRDs
+	if summary == nil {
+		return plugin.ObjectStatusResponse{}, nil
+	}
+
+	status := vulnerabilities.NewSummaryStatus(summary)
+
+	return plugin.ObjectStatusResponse{
+		ObjectStatus: component.PodSummary{
+			Details: []component.Component{
+				component.NewLabels(map[string]string{
+					"Critical Vulnerabilities": strconv.Itoa(summary.CriticalCount),
+				}),
+				component.NewLabels(map[string]string{
+					"High Vulnerabilities": strconv.Itoa(summary.HighCount),
+				}),
+				component.NewLabels(map[string]string{
+					"Medium Vulnerabilities": strconv.Itoa(summary.MediumCount),
+				}),
+				component.NewLabels(map[string]string{
+					"Low Vulnerabilities": strconv.Itoa(summary.LowCount),
+				}),
+				component.NewLabels(map[string]string{
+					"Unknown Vulnerabilities": strconv.Itoa(summary.UnknownCount),
+				}),
+			},
+			Properties: []component.Property{
+				{Label: "Critical Vulnerabilities", Value: component.NewText(strconv.Itoa(summary.CriticalCount))},
+				{Label: "High Vulnerabilities", Value: component.NewText(strconv.Itoa(summary.HighCount))},
+				{Label: "Medium Vulnerabilities", Value: component.NewText(strconv.Itoa(summary.MediumCount))},
+				{Label: "Low Vulnerabilities", Value: component.NewText(strconv.Itoa(summary.LowCount))},
+				{Label: "Unknown Vulnerabilities", Value: component.NewText(strconv.Itoa(summary.UnknownCount))},
 			},
+			Status: status,
 		},
 	}, nil
 }

pkg/plugin/settings/capabilities.go

@@ -1,6 +1,7 @@
 package settings
 
 import (
+	"github.com/aquasecurity/starboard-octant-plugin/pkg/plugin/actions"
 	"github.com/vmware-tanzu/octant/pkg/plugin"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
@@ -40,6 +41,18 @@ func GetCapabilities() *plugin.Capabilities {
 			cronJobGVK,
 			jobGVK,
 		},
+		SupportsObjectStatus: []schema.GroupVersionKind{
+			podGVK,
+			deploymentGVK,
+			daemonSetGVK,
+			statefulSetGVK,
+			replicaSetGVK,
+			replicationControllerGVK,
+			cronJobGVK,
+			jobGVK,
+			nodeGVK,
+		},
 		IsModule: true,
+		ActionNames: []string{actions.StarboardKubeHunterScan},
 	}
 }

pkg/plugin/settings/options.go

@@ -1,6 +1,7 @@
 package settings
 
 import (
+	"github.com/aquasecurity/starboard-octant-plugin/pkg/plugin/actions"
 	"strings"
 
 	"github.com/aquasecurity/starboard-octant-plugin/pkg/plugin/controller"
@@ -10,8 +11,10 @@ import (
 
 func GetOptions() []service.PluginOption {
 	return []service.PluginOption{
-		service.WithTabPrinter(controller.ResourceTabPrinter),
+		service.WithTabPrinter(controller.ResourceTabPrinter, controller.ResourceReportTabPrinter),
 		service.WithPrinter(controller.ResourcePrinter),
+		service.WithObjectStatus(controller.ResourceObjectStatus),
+		service.WithActionHandler(actions.ActionHandler),
 		service.WithNavigation(
 			func(_ *service.NavigationRequest) (nav navigation.Navigation, err error) {
 				nav = navigation.Navigation{

pkg/plugin/view/configaudit/report_view.go

@@ -13,12 +13,12 @@ import (
 )
 
 func NewReport(workload kube.Object, isConfigAuditReportsCRDefined bool, report *v1alpha1.ConfigAuditReport) *component.FlexLayout {
-	flexLayout := component.NewFlexLayout("")
+	flexLayout := component.NewFlexLayout("Audit Reports")
 
 	flexLayout.AddSections(component.FlexLayoutSection{
 		{
 			Width: component.WidthFull,
-			View:  component.NewMarkdownText("#### Config Audit Reports"),
+			View:  component.NewMarkdownText("#### Config"),
 		},
 	})
 
@@ -86,7 +86,7 @@ func NewReport(workload kube.Object, isConfigAuditReportsCRDefined bool, report
 
 	var items []component.FlexLayoutItem
 	items = append(items, component.FlexLayoutItem{
-		Width: component.WidthThird,
+		Width: component.WidthHalf,
 		View:  createCardComponent("Pod Template", report.Report.PodChecks),
 	})
 
@@ -100,7 +100,7 @@ func NewReport(workload kube.Object, isConfigAuditReportsCRDefined bool, report
 
 	for _, containerName := range containerNames {
 		items = append(items, component.FlexLayoutItem{
-			Width: component.WidthThird,
+			Width: component.WidthHalf,
 			View:  createCardComponent(fmt.Sprintf("Container %s", containerName), report.Report.ContainerChecks[containerName]),
 		})
 	}
@@ -131,25 +131,27 @@ func createChecksTable(checks []v1alpha1.Check) component.Component {
 		table.Add(tr)
 	}
 
+	sort.Slice(table.Rows(), func(i, j int) bool {
+		return table.Rows()[i]["ID"].(*component.Text).Config.Status > table.Rows()[j]["ID"].(*component.Text).Config.Status
+	})
+
 	return table
 }
 
 func CheckIDWithIcon(check v1alpha1.Check) component.Component {
-	iconShape := "check-circle"
-	iconClass := "is-success"
-
+	status := component.TextStatusOK
 	if !check.Success && check.Severity == "warning" {
-		iconShape = "info-circle"
-		iconClass = "is-warning"
+		status = component.TextStatusWarning
 	}
 	if !check.Success && check.Severity == "danger" {
-		iconShape = "exclamation-circle"
-		iconClass = "is-danger"
+		status = component.TextStatusError
 	}
 
-	status := component.NewMarkdownText(fmt.Sprintf(`<clr-icon shape="%s" class="is-solid %s"></clr-icon>&nbsp;%s`, iconShape, iconClass, check.ID))
-	status.EnableTrustedContent()
-	return status
+	text := component.NewText(check.ID, func(t *component.Text) {
+		t.SetStatus(status)
+	})
+
+	return text
 }
 
 func NewSummary(report v1alpha1.ConfigAuditReportData) *component.Summary {

pkg/plugin/view/configaudit/report_view_test.go

@@ -13,47 +13,54 @@ import (
 func TestCheckIDWithIcon(t *testing.T) {
 	testCases := []struct {
 		check                v1alpha1.Check
-		expectedMarkdownText string
+		expectedTextComponent *component.Text
 	}{
 		{
 			check: v1alpha1.Check{
 				ID:       "check-id",
 				Success:  true,
 				Severity: "warning",
 			},
-			expectedMarkdownText: `<clr-icon shape="check-circle" class="is-solid is-success"></clr-icon>&nbsp;check-id`,
+			expectedTextComponent: component.NewText("check-id", func(t *component.Text) {
+				t.SetStatus(component.TextStatusOK)
+			}),
 		},
 		{
 			check: v1alpha1.Check{
 				ID:       "check-id",
 				Success:  false,
 				Severity: "warning",
 			},
-			expectedMarkdownText: `<clr-icon shape="info-circle" class="is-solid is-warning"></clr-icon>&nbsp;check-id`,
+			expectedTextComponent: component.NewText("check-id", func(t *component.Text) {
+				t.SetStatus(component.TextStatusWarning)
+			}),
 		},
 		{
 			check: v1alpha1.Check{
 				ID:       "check-id",
 				Success:  true,
 				Severity: "danger",
 			},
-			expectedMarkdownText: `<clr-icon shape="check-circle" class="is-solid is-success"></clr-icon>&nbsp;check-id`,
+			expectedTextComponent: component.NewText("check-id", func(t *component.Text) {
+				t.SetStatus(component.TextStatusOK)
+			}),
 		},
 		{
 			check: v1alpha1.Check{
 				ID:       "check-id",
 				Success:  false,
 				Severity: "danger",
 			},
-			expectedMarkdownText: `<clr-icon shape="exclamation-circle" class="is-solid is-danger"></clr-icon>&nbsp;check-id`,
+			expectedTextComponent: component.NewText("check-id", func(t *component.Text) {
+				t.SetStatus(component.TextStatusError)
+			}),
 		},
 	}
 	for _, tc := range testCases {
-		t.Run(fmt.Sprintf("Should return markdown text component for severity %s and success status %t", tc.check.Severity, tc.check.Success), func(t *testing.T) {
+		t.Run(fmt.Sprintf("Should return text component for severity %s and success status %t", tc.check.Severity, tc.check.Success), func(t *testing.T) {
 			c, ok := configaudit.CheckIDWithIcon(tc.check).(*component.Text)
 			assert.True(t, ok)
-			assert.True(t, c.TrustedContent())
-			assert.Equal(t, tc.expectedMarkdownText, c.Config.Text)
+			assert.Equal(t, tc.expectedTextComponent, c)
 		})
 	}
 }