Merge pull request #230 from pjbgf/improvements2

Embed templates into final binary

Author: pjbgf

package/Dockerfile

@@ -1,11 +1,5 @@
 FROM registry.suse.com/bci/bci-busybox:15.5
 
-COPY pkg/ pkg/
-
-# Ensure 65535 can access the templates in
-# pkg/securityscan/core/templates
-RUN chmod -R +xr pkg/
-
 COPY bin/cis-operator /usr/bin/
 
 USER 65535:65535

pkg/crds/crd.go

@@ -3,7 +3,7 @@ package crds
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"strings"
 
 	cisoperator "github.com/rancher/cis-operator/pkg/apis/cis.cattle.io/v1"
@@ -37,7 +37,7 @@ func WriteCRD() error {
 		}
 
 		filename := fmt.Sprintf("./crds/%s.yaml", strings.ToLower(crd.Spec.Names.Kind))
-		err = ioutil.WriteFile(filename, yamlBytes, 0644)
+		err = os.WriteFile(filename, yamlBytes, 0o644)
 		if err != nil {
 			return err
 		}

pkg/securityscan/alert/prometheusrule.go

@@ -2,6 +2,7 @@ package alert
 
 import (
 	"bytes"
+	_ "embed" // nolint
 	"fmt"
 	"text/template"
 
@@ -14,8 +15,10 @@ import (
 	"github.com/rancher/wrangler/pkg/name"
 )
 
+//go:embed templates/prometheusrule.template
+var prometheusRuleTemplate string
+
 const templateName = "prometheusrule.template"
-const templatePath = "./pkg/securityscan/alert/templates/prometheusrule.template"
 
 func NewPrometheusRule(clusterscan *cisoperatorapiv1.ClusterScan, clusterscanprofile *cisoperatorapiv1.ClusterScanProfile, imageConfig *cisoperatorapiv1.ScanImageConfig) (*monitoringv1.PrometheusRule, error) {
 	configdata := map[string]interface{}{
@@ -28,23 +31,23 @@ func NewPrometheusRule(clusterscan *cisoperatorapiv1.ClusterScan, clusterscanpro
 		"alertOnComplete": clusterscan.Spec.ScheduledScanConfig.ScanAlertRule.AlertOnComplete,
 		"failOnWarn":      clusterscan.Spec.ScoreWarning == cisoperatorapiv1.ClusterScanFailOnWarning,
 	}
-	scanAlertRule, err := generatePrometheusRule(clusterscan, templateName, templatePath, configdata)
+	scanAlertRule, err := generatePrometheusRule(clusterscan, configdata)
 	if err != nil {
 		return scanAlertRule, err
 	}
 
 	return scanAlertRule, nil
 }
 
-func generatePrometheusRule(clusterscan *cisoperatorapiv1.ClusterScan, templateName string, templateFile string, data map[string]interface{}) (*monitoringv1.PrometheusRule, error) {
+func generatePrometheusRule(clusterscan *cisoperatorapiv1.ClusterScan, data map[string]interface{}) (*monitoringv1.PrometheusRule, error) {
 	scanAlertRule := &monitoringv1.PrometheusRule{}
-	obj, err := parseTemplate(clusterscan, templateName, templateFile, data)
+	obj, err := parseTemplate(clusterscan, data)
 	if err != nil {
-		return nil, fmt.Errorf("Error parsing the template %v", err)
+		return nil, fmt.Errorf("Error parsing the template %w", err)
 	}
 
 	if err := obj.Decode(&scanAlertRule); err != nil {
-		return nil, fmt.Errorf("Error decoding to template %v", err)
+		return nil, fmt.Errorf("Error decoding to template %w", err)
 	}
 
 	ownerRef := meta1.OwnerReference{
@@ -58,8 +61,8 @@ func generatePrometheusRule(clusterscan *cisoperatorapiv1.ClusterScan, templateN
 	return scanAlertRule, nil
 }
 
-func parseTemplate(clusterscan *cisoperatorapiv1.ClusterScan, templateName string, templateFile string, data map[string]interface{}) (*k8Yaml.YAMLOrJSONDecoder, error) {
-	cmTemplate, err := template.New(templateName).ParseFiles(templateFile)
+func parseTemplate(clusterscan *cisoperatorapiv1.ClusterScan, data map[string]interface{}) (*k8Yaml.YAMLOrJSONDecoder, error) {
+	cmTemplate, err := template.New(templateName).Parse(prometheusRuleTemplate)
 	if err != nil {
 		return nil, err
 	}

pkg/securityscan/controller.go

@@ -116,32 +116,32 @@ func NewController(ctx context.Context, cfg *rest.Config, namespace, name string
 	}
 	ctl.cisFactory, err = cisoperatorctl.NewFactoryFromConfig(cfg)
 	if err != nil {
-		return nil, fmt.Errorf("Error building securityscan NewFactoryFromConfig: %s", err.Error())
+		return nil, fmt.Errorf("Error building securityscan NewFactoryFromConfig: %w", err)
 	}
 
 	ctl.batchFactory, err = batchctl.NewFactoryFromConfig(cfg)
 	if err != nil {
-		return nil, fmt.Errorf("Error building batch NewFactoryFromConfig: %s", err.Error())
+		return nil, fmt.Errorf("Error building batch NewFactoryFromConfig: %w", err)
 	}
 
 	ctl.coreFactory, err = corectl.NewFactoryFromConfig(cfg)
 	if err != nil {
-		return nil, fmt.Errorf("Error building core NewFactoryFromConfig: %s", err.Error())
+		return nil, fmt.Errorf("Error building core NewFactoryFromConfig: %w", err)
 	}
 
 	ctl.appsFactory, err = appsctl.NewFactoryFromConfig(cfg)
 	if err != nil {
-		return nil, fmt.Errorf("Error building apps NewFactoryFromConfig: %s", err.Error())
+		return nil, fmt.Errorf("Error building apps NewFactoryFromConfig: %w", err)
 	}
 
 	ctl.monitoringClient, err = v1monitoringclient.NewForConfig(cfg)
 	if err != nil {
-		return nil, fmt.Errorf("Error building v1 monitoring client from config: %s", err.Error())
+		return nil, fmt.Errorf("Error building v1 monitoring client from config: %w", err)
 	}
 
 	err = initializeMetrics(ctl)
 	if err != nil {
-		return nil, fmt.Errorf("Error registering CIS Metrics: %s", err.Error())
+		return nil, fmt.Errorf("Error registering CIS Metrics: %w", err)
 	}
 
 	ctl.scans = ctl.cisFactory.Cis().V1().ClusterScan()

pkg/securityscan/core/configmap.go

@@ -2,6 +2,7 @@ package core
 
 import (
 	"bytes"
+	_ "embed" // nolint
 	"encoding/json"
 	"text/template"
 
@@ -15,6 +16,12 @@ import (
 	cisoperatorapiv1 "github.com/rancher/cis-operator/pkg/apis/cis.cattle.io/v1"
 )
 
+//go:embed templates/pluginConfig.template
+var pluginConfigTemplate string
+
+//go:embed templates/cisscanConfig.template
+var cisscanConfigTemplate string
+
 type OverrideSkipInfoData struct {
 	Skip map[string][]string `json:"skip"`
 }
@@ -36,7 +43,7 @@ func NewConfigMaps(clusterscan *cisoperatorapiv1.ClusterScan, clusterscanprofile
 		"sonobuoyImage":    imageConfig.SonobuoyImage + ":" + imageConfig.SonobuoyImageTag,
 		"sonobuoyVersion":  imageConfig.SonobuoyImageTag,
 	}
-	configcm, err := generateConfigMap(clusterscan, "cisscanConfig.template", "./pkg/securityscan/core/templates/cisscanConfig.template", configdata)
+	configcm, err := generateConfigMap(clusterscan, "cisscanConfig.template", cisscanConfigTemplate, configdata)
 	if err != nil {
 		return cmMap, err
 	}
@@ -68,7 +75,7 @@ func NewConfigMaps(clusterscan *cisoperatorapiv1.ClusterScan, clusterscanprofile
 		"customBenchmarkConfigMapName": customBenchmarkConfigMapName,
 		"customBenchmarkConfigMapData": customBenchmarkConfigMapData,
 	}
-	plugincm, err := generateConfigMap(clusterscan, "pluginConfig.template", "./pkg/securityscan/core/templates/pluginConfig.template", plugindata)
+	plugincm, err := generateConfigMap(clusterscan, "pluginConfig.template", pluginConfigTemplate, plugindata)
 	if err != nil {
 		return cmMap, err
 	}
@@ -89,10 +96,10 @@ func NewConfigMaps(clusterscan *cisoperatorapiv1.ClusterScan, clusterscanprofile
 	return cmMap, nil
 }
 
-func generateConfigMap(clusterscan *cisoperatorapiv1.ClusterScan, templateName string, templateFile string, data map[string]interface{}) (*corev1.ConfigMap, error) {
+func generateConfigMap(clusterscan *cisoperatorapiv1.ClusterScan, name string, text string, data map[string]interface{}) (*corev1.ConfigMap, error) {
 	configcm := &corev1.ConfigMap{}
 
-	obj, err := parseTemplate(clusterscan, templateName, templateFile, data)
+	obj, err := parseTemplate(clusterscan, name, text, data)
 	if err != nil {
 		return nil, err
 	}
@@ -103,8 +110,8 @@ func generateConfigMap(clusterscan *cisoperatorapiv1.ClusterScan, templateName s
 	return configcm, nil
 }
 
-func parseTemplate(clusterscan *cisoperatorapiv1.ClusterScan, templateName string, templateFile string, data map[string]interface{}) (*k8Yaml.YAMLOrJSONDecoder, error) {
-	cmTemplate, err := template.New(templateName).ParseFiles(templateFile)
+func parseTemplate(clusterscan *cisoperatorapiv1.ClusterScan, name string, text string, data map[string]interface{}) (*k8Yaml.YAMLOrJSONDecoder, error) {
+	cmTemplate, err := template.New(name).Parse(text)
 	if err != nil {
 		return nil, err
 	}

pkg/securityscan/core/service.go

@@ -1,12 +1,17 @@
 package core
 
 import (
+	_ "embed" // nolint
+
 	"github.com/rancher/wrangler/pkg/name"
 	corev1 "k8s.io/api/core/v1"
 
 	cisoperatorapiv1 "github.com/rancher/cis-operator/pkg/apis/cis.cattle.io/v1"
 )
 
+//go:embed templates/service.template
+var serviceTemplate string
+
 func NewService(clusterscan *cisoperatorapiv1.ClusterScan, clusterscanprofile *cisoperatorapiv1.ClusterScanProfile, controllerName string) (service *corev1.Service, err error) {
 
 	servicedata := map[string]interface{}{
@@ -15,17 +20,17 @@ func NewService(clusterscan *cisoperatorapiv1.ClusterScan, clusterscanprofile *c
 		"runName":   name.SafeConcatName("security-scan-runner", clusterscan.Name),
 		"appName":   "rancher-cis-benchmark",
 	}
-	service, err = generateService(clusterscan, "service.template", "./pkg/securityscan/core/templates/service.template", servicedata)
+	service, err = generateService(clusterscan, "service.template", serviceTemplate, servicedata)
 	if err != nil {
 		return nil, err
 	}
 	return service, nil
 }
 
-func generateService(clusterscan *cisoperatorapiv1.ClusterScan, templateName string, templateFile string, data map[string]interface{}) (*corev1.Service, error) {
+func generateService(clusterscan *cisoperatorapiv1.ClusterScan, templateName string, templContent string, data map[string]interface{}) (*corev1.Service, error) {
 	service := &corev1.Service{}
 
-	obj, err := parseTemplate(clusterscan, templateName, templateFile, data)
+	obj, err := parseTemplate(clusterscan, templateName, templContent, data)
 	if err != nil {
 		return nil, err
 	}

pkg/securityscan/jobHandler.go

@@ -74,7 +74,7 @@ func (c *Controller) handleJobs(ctx context.Context) error {
 			}
 			err := c.deleteJob(jobs, obj, metav1.DeletePropagationBackground)
 			if err != nil {
-				return obj, fmt.Errorf("error deleting job: %v", err)
+				return obj, fmt.Errorf("error deleting job: %w", err)
 			}
 			err = c.ensureCleanup(scan)
 			if err != nil {
@@ -173,14 +173,14 @@ func (c *Controller) createClusterScanReport(ctx context.Context, outputBytes []
 	}
 	profile, err := c.getClusterScanProfile(ctx, scan)
 	if err != nil {
-		return nil, fmt.Errorf("Error %v loading v1.ClusterScanProfile for name %v", scan.Spec.ScanProfileName, err)
+		return nil, fmt.Errorf("Error %v loading v1.ClusterScanProfile for name %w", scan.Spec.ScanProfileName, err)
 	}
 	scanReport.Spec.BenchmarkVersion = profile.Spec.BenchmarkVersion
 	scanReport.Spec.LastRunTimestamp = time.Now().String()
 
 	data, err := reportLibrary.GetJSONBytes(outputBytes)
 	if err != nil {
-		return nil, fmt.Errorf("Error %v loading scan report json bytes", err)
+		return nil, fmt.Errorf("Error %w loading scan report json bytes", err)
 	}
 	scanReport.Spec.ReportJSON = string(data[:])
 
@@ -201,7 +201,7 @@ func (c *Controller) ensureCleanup(scan *v1.ClusterScan) error {
 	dsPrefix := "sonobuoy-rancher-kube-bench-daemon-set"
 	dsList, err := c.daemonsetCache.List(v1.ClusterScanNS, labels.Set(sonobuoyWorkerLabel).AsSelector())
 	if err != nil {
-		return fmt.Errorf("cis: ensureCleanup: error listing daemonsets: %v", err)
+		return fmt.Errorf("cis: ensureCleanup: error listing daemonsets: %w", err)
 	}
 	for _, ds := range dsList {
 		if !strings.HasPrefix(ds.Name, dsPrefix) {
@@ -216,29 +216,29 @@ func (c *Controller) ensureCleanup(scan *v1.ClusterScan) error {
 	podPrefix := name.SafeConcatName("security-scan-runner", scan.Name)
 	podList, err := c.podCache.List(v1.ClusterScanNS, labels.Set(SonobuoyMasterLabel).AsSelector())
 	if err != nil {
-		return fmt.Errorf("cis: ensureCleanup: error listing pods: %v", err)
+		return fmt.Errorf("cis: ensureCleanup: error listing pods: %w", err)
 	}
 	for _, pod := range podList {
 		if !strings.HasPrefix(pod.Name, podPrefix) {
 			continue
 		}
 		if e := c.pods.Delete(v1.ClusterScanNS, pod.Name, &metav1.DeleteOptions{}); e != nil && !errors.IsNotFound(e) {
-			return fmt.Errorf("cis: ensureCleanup: error deleting pod %v: %v", pod.Name, e)
+			return fmt.Errorf("cis: ensureCleanup: error deleting pod %v: %w", pod.Name, e)
 		}
 	}
 
 	// Delete cms
 	cms, err := c.configMapCache.List(v1.ClusterScanNS, labels.NewSelector())
 	if err != nil {
-		return fmt.Errorf("cis: ensureCleanup: error listing cm: %v", err)
+		return fmt.Errorf("cis: ensureCleanup: error listing cm: %w", err)
 	}
 	for _, cm := range cms {
 		if !strings.Contains(cm.Name, scan.Name) {
 			continue
 		}
 
 		if e := c.configmaps.Delete(v1.ClusterScanNS, cm.Name, &metav1.DeleteOptions{}); e != nil && !errors.IsNotFound(e) {
-			return fmt.Errorf("cis: ensureCleanup: error deleting cm %v: %v", cm.Name, e)
+			return fmt.Errorf("cis: ensureCleanup: error deleting cm %v: %w", cm.Name, e)
 		}
 	}