Apply review findings #2

Author: r-oldenburg

charts/templates/_helpers.tpl

@@ -42,6 +42,21 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
+{{/*
+Resolve the effective name of the transformation script ConfigMap.
+When scriptConfigMap.create is true the name is derived from the release.
+When false the caller-supplied ref is used.
+*/}}
+{{- define "charts.transformScriptConfigMapName" -}}
+{{- with .Values.operator.trivyDojoReportOperator.transformation.scriptConfigMap }}
+{{- if .create }}
+{{- include "charts.fullname" $ }}-transform-scripts
+{{- else }}
+{{- .ref }}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{/*
 Selector labels
 */}}

charts/templates/deployment.yaml

@@ -130,7 +130,8 @@ spec:
         securityContext: {{- toYaml .Values.operator.trivyDojoReportOperator.containerSecurityContext
           | nindent 10 }}
         volumeMounts:
-          {{- if .Values.operator.trivyDojoReportOperator.transformation.scriptConfigMap }}
+          {{- $cm := .Values.operator.trivyDojoReportOperator.transformation.scriptConfigMap }}
+          {{- if or $cm.create $cm.ref }}
           - mountPath: /scripts
             name: transformation-scripts
           {{- end }}
@@ -144,10 +145,11 @@ spec:
       securityContext: {{- toYaml .Values.operator.podSecurityContext | nindent 8 }}
       # Additional volumes on the output Deployment definition.
       volumes:
-        {{- if .Values.operator.trivyDojoReportOperator.transformation.scriptConfigMap }}
+        {{- $cm := .Values.operator.trivyDojoReportOperator.transformation.scriptConfigMap }}
+        {{- if or $cm.create $cm.ref }}
         - name: transformation-scripts
           configMap:
-            name: {{ .Values.operator.trivyDojoReportOperator.transformation.scriptConfigMap }}
+            name: {{ include "charts.transformScriptConfigMapName" . }}
         {{- end }}
         {{- with .Values.operator.trivyDojoReportOperator.extraVolumes }}
         {{- toYaml . | nindent 8 }}

charts/templates/rbac.yaml

@@ -38,35 +38,18 @@ rules:
   - ""
   resources:
   - namespaces
-  - pods
-  - secrets
-  - replicationcontrollers
   verbs:
   - list
   - watch
-  - get
-- apiGroups:
-  - apps
-  resources:
-  - deployments
-  - statefulsets
-  - daemonsets
-  - replicasets
-  verbs:
-  - get
-- apiGroups:
-  - batch
-  resources:
-  - jobs
-  - cronjobs
-  verbs:
-  - get
 - apiGroups:
   - ""
   resources:
   - events
   verbs:
   - create
+{{- range .Values.rbac.additionalRules }}
+- {{ toYaml . | nindent 2 | trim }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/templates/transformation-configmap.yaml

@@ -0,0 +1,12 @@
+{{- with .Values.operator.trivyDojoReportOperator.transformation }}
+{{- if and .enabled .scriptConfigMap.create }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "charts.transformScriptConfigMapName" $ }}
+  labels:
+  {{- include "charts.labels" $ | nindent 4 }}
+data:
+{{- toYaml .scriptConfigMap.data | nindent 2 }}
+{{- end }}
+{{- end }}

charts/values.yaml

@@ -64,13 +64,58 @@ operator:
       tag: 0.9.2
     imagePullSecrets: []
     transformation:
-      enabled: true
-      scriptConfigMap: "trivy-dojo-transform-script"
+      enabled: false
       scriptFilename: "wrapper.sh"
       interpreter: "bash"
       scanType: "Generic Findings Import"
+      # scriptConfigMap: defines the ConfigMap that holds the transformation scripts.
+      # create: when true, Helm creates and manages the ConfigMap; the name is
+      #         derived automatically from the release. Only data is needed.
+      # data:   map of filename -> script content; only used when create: true.
+      # ref:    name of an existing externally-deployed ConfigMap to mount;
+      #         only used when create: false.
+      #
+      # Example — let Helm manage the ConfigMap:
+      # scriptConfigMap:
+      #   create: true
+      #   data:
+      #     wrapper.sh: |
+      #       #!/bin/bash
+      #       echo "$REPORT_JSON" | python3 /scripts/transform.py
+      #     transform.py: |
+      #       import sys, json
+      #       print(sys.stdin.read())
+      #
+      # Example — reference an externally-deployed ConfigMap:
+      # scriptConfigMap:
+      #   ref: my-transform-scripts
+      scriptConfigMap:
+        create: false
+        ref: ""
+        data: {}
   type: ClusterIP
   podSecurityContext:
     runAsNonRoot: true
     fsGroupChangePolicy: Always
     fsGroup: 1000
+# rbac.additionalRules: Additional RBAC rules appended to the base ClusterRole.
+# These rules are strictly additive — the built-in base rules are always present
+# and cannot be removed through this value.
+#
+# Each entry must be a valid RBAC rule object (apiGroups, resources, verbs).
+# The rules below are the ones needed when the transformation feature is used
+# to enrich reports with workload context (pods, deployments, jobs, …):
+#
+# rbac:
+#   additionalRules:
+#     - apiGroups: [""]
+#       resources: [pods, secrets, replicationcontrollers]
+#       verbs: [list, watch, get]
+#     - apiGroups: [apps]
+#       resources: [deployments, statefulsets, daemonsets, replicasets]
+#       verbs: [get]
+#     - apiGroups: [batch]
+#       resources: [jobs, cronjobs]
+#       verbs: [get]
+rbac:
+  additionalRules: []