Embed templates into cis-operator

Previously, templates were copied into the final image, together with all
source code within the pkg dir.
The new approach avoids copying unnecessary files over to the final image,
but instead embeds the templates into the target binary.

Signed-off-by: Paulo Gomes <[email protected]>

Author: pjbgf

package/Dockerfile

@@ -1,11 +1,5 @@
 FROM registry.suse.com/bci/bci-busybox:15.5
 
-COPY pkg/ pkg/
-
-# Ensure 65535 can access the templates in
-# pkg/securityscan/core/templates
-RUN chmod -R +xr pkg/
-
 COPY bin/cis-operator /usr/bin/
 
 USER 65535:65535

pkg/securityscan/alert/prometheusrule.go

@@ -2,6 +2,7 @@ package alert
 
 import (
 	"bytes"
+	_ "embed" // nolint
 	"fmt"
 	"text/template"
 
@@ -14,8 +15,10 @@ import (
 	"github.com/rancher/wrangler/pkg/name"
 )
 
+//go:embed templates/prometheusrule.template
+var prometheusRuleTemplate string
+
 const templateName = "prometheusrule.template"
-const templatePath = "./pkg/securityscan/alert/templates/prometheusrule.template"
 
 func NewPrometheusRule(clusterscan *cisoperatorapiv1.ClusterScan, clusterscanprofile *cisoperatorapiv1.ClusterScanProfile, imageConfig *cisoperatorapiv1.ScanImageConfig) (*monitoringv1.PrometheusRule, error) {
 	configdata := map[string]interface{}{
@@ -28,17 +31,17 @@ func NewPrometheusRule(clusterscan *cisoperatorapiv1.ClusterScan, clusterscanpro
 		"alertOnComplete": clusterscan.Spec.ScheduledScanConfig.ScanAlertRule.AlertOnComplete,
 		"failOnWarn":      clusterscan.Spec.ScoreWarning == cisoperatorapiv1.ClusterScanFailOnWarning,
 	}
-	scanAlertRule, err := generatePrometheusRule(clusterscan, templateName, templatePath, configdata)
+	scanAlertRule, err := generatePrometheusRule(clusterscan, configdata)
 	if err != nil {
 		return scanAlertRule, err
 	}
 
 	return scanAlertRule, nil
 }
 
-func generatePrometheusRule(clusterscan *cisoperatorapiv1.ClusterScan, templateName string, templateFile string, data map[string]interface{}) (*monitoringv1.PrometheusRule, error) {
+func generatePrometheusRule(clusterscan *cisoperatorapiv1.ClusterScan, data map[string]interface{}) (*monitoringv1.PrometheusRule, error) {
 	scanAlertRule := &monitoringv1.PrometheusRule{}
-	obj, err := parseTemplate(clusterscan, templateName, templateFile, data)
+	obj, err := parseTemplate(clusterscan, data)
 	if err != nil {
 		return nil, fmt.Errorf("Error parsing the template %w", err)
 	}
@@ -58,8 +61,8 @@ func generatePrometheusRule(clusterscan *cisoperatorapiv1.ClusterScan, templateN
 	return scanAlertRule, nil
 }
 
-func parseTemplate(clusterscan *cisoperatorapiv1.ClusterScan, templateName string, templateFile string, data map[string]interface{}) (*k8Yaml.YAMLOrJSONDecoder, error) {
-	cmTemplate, err := template.New(templateName).ParseFiles(templateFile)
+func parseTemplate(clusterscan *cisoperatorapiv1.ClusterScan, data map[string]interface{}) (*k8Yaml.YAMLOrJSONDecoder, error) {
+	cmTemplate, err := template.New(templateName).Parse(prometheusRuleTemplate)
 	if err != nil {
 		return nil, err
 	}

pkg/securityscan/core/configmap.go

@@ -2,6 +2,7 @@ package core
 
 import (
 	"bytes"
+	_ "embed" // nolint
 	"encoding/json"
 	"text/template"
 
@@ -15,6 +16,12 @@ import (
 	cisoperatorapiv1 "github.com/rancher/cis-operator/pkg/apis/cis.cattle.io/v1"
 )
 
+//go:embed templates/pluginConfig.template
+var pluginConfigTemplate string
+
+//go:embed templates/cisscanConfig.template
+var cisscanConfigTemplate string
+
 type OverrideSkipInfoData struct {
 	Skip map[string][]string `json:"skip"`
 }
@@ -36,7 +43,7 @@ func NewConfigMaps(clusterscan *cisoperatorapiv1.ClusterScan, clusterscanprofile
 		"sonobuoyImage":    imageConfig.SonobuoyImage + ":" + imageConfig.SonobuoyImageTag,
 		"sonobuoyVersion":  imageConfig.SonobuoyImageTag,
 	}
-	configcm, err := generateConfigMap(clusterscan, "cisscanConfig.template", "./pkg/securityscan/core/templates/cisscanConfig.template", configdata)
+	configcm, err := generateConfigMap(clusterscan, "cisscanConfig.template", cisscanConfigTemplate, configdata)
 	if err != nil {
 		return cmMap, err
 	}
@@ -68,7 +75,7 @@ func NewConfigMaps(clusterscan *cisoperatorapiv1.ClusterScan, clusterscanprofile
 		"customBenchmarkConfigMapName": customBenchmarkConfigMapName,
 		"customBenchmarkConfigMapData": customBenchmarkConfigMapData,
 	}
-	plugincm, err := generateConfigMap(clusterscan, "pluginConfig.template", "./pkg/securityscan/core/templates/pluginConfig.template", plugindata)
+	plugincm, err := generateConfigMap(clusterscan, "pluginConfig.template", pluginConfigTemplate, plugindata)
 	if err != nil {
 		return cmMap, err
 	}
@@ -89,10 +96,10 @@ func NewConfigMaps(clusterscan *cisoperatorapiv1.ClusterScan, clusterscanprofile
 	return cmMap, nil
 }
 
-func generateConfigMap(clusterscan *cisoperatorapiv1.ClusterScan, templateName string, templateFile string, data map[string]interface{}) (*corev1.ConfigMap, error) {
+func generateConfigMap(clusterscan *cisoperatorapiv1.ClusterScan, name string, text string, data map[string]interface{}) (*corev1.ConfigMap, error) {
 	configcm := &corev1.ConfigMap{}
 
-	obj, err := parseTemplate(clusterscan, templateName, templateFile, data)
+	obj, err := parseTemplate(clusterscan, name, text, data)
 	if err != nil {
 		return nil, err
 	}
@@ -103,8 +110,8 @@ func generateConfigMap(clusterscan *cisoperatorapiv1.ClusterScan, templateName s
 	return configcm, nil
 }
 
-func parseTemplate(clusterscan *cisoperatorapiv1.ClusterScan, templateName string, templateFile string, data map[string]interface{}) (*k8Yaml.YAMLOrJSONDecoder, error) {
-	cmTemplate, err := template.New(templateName).ParseFiles(templateFile)
+func parseTemplate(clusterscan *cisoperatorapiv1.ClusterScan, name string, text string, data map[string]interface{}) (*k8Yaml.YAMLOrJSONDecoder, error) {
+	cmTemplate, err := template.New(name).Parse(text)
 	if err != nil {
 		return nil, err
 	}

pkg/securityscan/core/service.go

@@ -1,12 +1,17 @@
 package core
 
 import (
+	_ "embed" // nolint
+
 	"github.com/rancher/wrangler/pkg/name"
 	corev1 "k8s.io/api/core/v1"
 
 	cisoperatorapiv1 "github.com/rancher/cis-operator/pkg/apis/cis.cattle.io/v1"
 )
 
+//go:embed templates/service.template
+var serviceTemplate string
+
 func NewService(clusterscan *cisoperatorapiv1.ClusterScan, clusterscanprofile *cisoperatorapiv1.ClusterScanProfile, controllerName string) (service *corev1.Service, err error) {
 
 	servicedata := map[string]interface{}{
@@ -15,17 +20,17 @@ func NewService(clusterscan *cisoperatorapiv1.ClusterScan, clusterscanprofile *c
 		"runName":   name.SafeConcatName("security-scan-runner", clusterscan.Name),
 		"appName":   "rancher-cis-benchmark",
 	}
-	service, err = generateService(clusterscan, "service.template", "./pkg/securityscan/core/templates/service.template", servicedata)
+	service, err = generateService(clusterscan, "service.template", serviceTemplate, servicedata)
 	if err != nil {
 		return nil, err
 	}
 	return service, nil
 }
 
-func generateService(clusterscan *cisoperatorapiv1.ClusterScan, templateName string, templateFile string, data map[string]interface{}) (*corev1.Service, error) {
+func generateService(clusterscan *cisoperatorapiv1.ClusterScan, templateName string, templContent string, data map[string]interface{}) (*corev1.Service, error) {
 	service := &corev1.Service{}
 
-	obj, err := parseTemplate(clusterscan, templateName, templateFile, data)
+	obj, err := parseTemplate(clusterscan, templateName, templContent, data)
 	if err != nil {
 		return nil, err
 	}