From 231869d7d99a4accfd38f9be4e7d8b039059597b Mon Sep 17 00:00:00 2001
From: surya9839
Date: Wed, 4 Sep 2024 17:18:21 +0530
Subject: [PATCH 01/16] handling insecure connections
---
 Dockerfile | 1 +
 cis-k8s-job/templates/cis-corn-job.yaml | 2 +-
 cis-k8s-job/templates/cis-job.yaml | 2 +-
 cis-k8s-job/values.yaml | 3 +++
 curl_command.sh | 26 +++++++++++++++++++++++++
 5 files changed, 32 insertions(+), 2 deletions(-)
 create mode 100644 curl_command.sh
diff --git a/Dockerfile b/Dockerfile
index a1c7b50..b0b3028 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,5 +2,6 @@ FROM alpine:latest
 RUN apk --update add jq curl
 COPY entrypoint.sh .
+COPY curl_command.sh
 ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
diff --git a/cis-k8s-job/templates/cis-corn-job.yaml b/cis-k8s-job/templates/cis-corn-job.yaml
index 7faa87d..dcd8690 100644
--- a/cis-k8s-job/templates/cis-corn-job.yaml
+++ b/cis-k8s-job/templates/cis-corn-job.yaml
@@ -13,7 +13,7 @@ spec:
 containers:
 - image: accuknox/accuknox-job:latest
 command: ["/bin/sh", "-c"]
- args: ['/bin/sh entrypoint.sh && curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"./data/report.json\"" && cat /data/report.json']
+ args: ['/bin/sh entrypoint.sh && ./curl_command.sh']
 name: cis-k8s-cronjob
 resources: {}
 env:
diff --git a/cis-k8s-job/templates/cis-job.yaml b/cis-k8s-job/templates/cis-job.yaml
index 54edf0d..fcdc491 100644
--- a/cis-k8s-job/templates/cis-job.yaml
+++ b/cis-k8s-job/templates/cis-job.yaml
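Review bot: `args: ['/bin/sh entrypoint.sh && ./curl_command.sh']` executes the new script directly, but this commit creates it as `create mode 100644 curl_command.sh` (no execute bit) and the Dockerfile only copies it, so at this point in the series the container would fail with a permission error. Either invoke it the way entrypoint.sh is invoked, `args: ['/bin/sh entrypoint.sh && /bin/sh curl_command.sh']`, or commit the file with mode 100755 rather than relying on a later image-build chmod. The same direct invocation is used in cis-job.yaml in this commit and in the k8tls and kiem templates in PATCH 03. The enclosing container spec starts and ends outside the hunk.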
@@ -13,7 +13,7 @@ spec:
 containers:
 - image: accuknox/accuknox-job:latest
 command: ["/bin/sh", "-c"]
- args: ['/bin/sh entrypoint.sh && curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"./data/report.json\"" && cat /data/report.json']
+ args: ['/bin/sh entrypoint.sh && ./curl_command.sh']
 name: cis-k8s-cronjob
 resources: {}
 env:
diff --git a/cis-k8s-job/values.yaml b/cis-k8s-job/values.yaml
index 032aa18..a579ebb 100644
--- a/cis-k8s-job/values.yaml
+++ b/cis-k8s-job/values.yaml
@@ -10,3 +10,6 @@ accuknox:
 clusterId: ""
 tenantId: ""
 url: "cspm.demo.accuknox.com"
+ certBundleURL: "" # Set this for cert URL if needed
+ useInsecureConnection: false # Set to true if insecure connection is needed
+
diff --git a/curl_command.sh b/curl_command.sh
new file mode 100644
index 0000000..27c7274
--- /dev/null
+++ b/curl_command.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Handling certificate download
+if [ -n "$CERT_BUNDLE_URL" ]; then
+ echo "Attempting to download certificate from $CERT_BUNDLE_URL..."
+ if curl -o /tmp/cert.pem "$CERT_BUNDLE_URL"; then
+ CURL_FLAGS="--cacert /tmp/cert.pem"
+ else
+ echo "Certificate not available or failed to download."
+ CURL_FLAGS=""
+ fi
+elif [ "$USE_INSECURE_CONNECTION" = "true" ]; then
+ CURL_FLAGS="--insecure"
+else
+ CURL_FLAGS=""
+fi
+
+# main curl command
+curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true" \
+ --header "Tenant-Id: ${TENANT_ID}" \
+ --header "Authorization: Bearer ${AUTH_TOKEN}" \
+ $CURL_FLAGS \
+ --form "file=@/data/report.json"
+
+# Print the report
+cat /data/report.json
From 2bf42db7f5e1c5a268291aa26bcaffd18ef04464 Mon Sep 17 00:00:00 2001
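Review bot: The comment on `useInsecureConnection: false` does not say what the flag costs: in curl_command.sh it becomes `--insecure`, which disables server-certificate verification for the POST that carries `Authorization: Bearer ${AUTH_TOKEN}`, so the token and the report can be read or altered by anyone on the network path. Suggest stating that and steering operators to the bundle option first, e.g. `useInsecureConnection: false # Disables TLS verification of the CSPM endpoint (exposes AUTH_TOKEN to on-path interception); prefer certBundleURL`. The same two keys are added to the k8tls and kiem values files in PATCH 03 and to k8s-risk-assessment-job in PATCH 10.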
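Review bot: The script's exit status no longer reflects the upload: the inline command it replaces chained curl and cat with `&&`, whereas here `cat /data/report.json` is the last statement, so a failed POST exits 0 and the Job still reports success. Capture the status and return it, e.g. `curl --fail ... --form "file=@/data/report.json"; rc=$?` followed by `cat /data/report.json` and `exit $rc` (`--fail` also turns HTTP 4xx/5xx into a non-zero status). The certificate download `if curl -o /tmp/cert.pem "$CERT_BUNDLE_URL"; then` has the same gap: without `--fail` an HTTP error body is written to /tmp/cert.pem and handed to `--cacert` as if it were a bundle, so `curl -fsS -o /tmp/cert.pem "$CERT_BUNDLE_URL"` is safer. The header comment should also note that the bundle URL must itself be served over verified HTTPS, since whatever it returns becomes the trust anchor for the upload.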
From: surya9839
Date: Wed, 4 Sep 2024 17:25:36 +0530
Subject: [PATCH 02/16] handling insecure connections
---
 cis-k8s-job/templates/cis-job.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/cis-k8s-job/templates/cis-job.yaml b/cis-k8s-job/templates/cis-job.yaml
index fcdc491..2c7b068 100644
--- a/cis-k8s-job/templates/cis-job.yaml
+++ b/cis-k8s-job/templates/cis-job.yaml
@@ -29,6 +29,10 @@ spec:
 value: {{ .Values.accuknox.tenantId | quote}}
 - name: URL
 value: {{ .Values.accuknox.url }}
+ - name: CERT_BUNDLE_URL
+ value: {{ .Values.accuknox.certBundleURL }}
+ - name: USE_INSECURE_CONNECTION
+ value: {{ .Values.accuknox.useInsecureConnection | quote }}
 volumeMounts:
 - mountPath: /data
 name: datapath
From 36caeb6ab53d07677d4b83d06d990464ecb790c6 Mon Sep 17 00:00:00 2001
From: surya9839
Date: Wed, 4 Sep 2024 17:43:42 +0530
Subject: [PATCH 03/16] handling insecure connections
---
 cis-k8s-job/templates/cis-corn-job.yaml | 4 ++++
 k8s-risk-assessment-job/values.yaml | 1 +
 k8tls-job/templates/k8tls-cronjob.yaml | 6 +++++-
 k8tls-job/templates/k8tls-job.yaml | 6 +++++-
 k8tls-job/values.yaml | 2 ++
 kiem-job/templates/job.yaml | 7 ++++++-
 kiem-job/values.yaml | 2 ++
 7 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/cis-k8s-job/templates/cis-corn-job.yaml b/cis-k8s-job/templates/cis-corn-job.yaml
index dcd8690..c619ff4 100644
--- a/cis-k8s-job/templates/cis-corn-job.yaml
+++ b/cis-k8s-job/templates/cis-corn-job.yaml
@@ -29,6 +29,10 @@ spec:
 value: {{ .Values.accuknox.tenantId | quote}}
 - name: URL
 value: {{ .Values.accuknox.url }}
+ - name: CERT_BUNDLE_URL
+ value: {{ .Values.accuknox.certBundleURL }}
+ - name: USE_INSECURE_CONNECTION
+ value: {{ .Values.accuknox.useInsecureConnection | quote }}
 volumeMounts:
 - mountPath: /data
 name: datapath
diff --git a/k8s-risk-assessment-job/values.yaml b/k8s-risk-assessment-job/values.yaml
index 9b669bf..356e28d 100644
--- a/k8s-risk-assessment-job/values.yaml
+++ b/k8s-risk-assessment-job/values.yaml
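Review bot: `value: {{ .Values.accuknox.certBundleURL }}` is rendered unquoted while the neighbouring tenantId and useInsecureConnection values go through `| quote`; with the default `certBundleURL: ""` this renders as a bare `value:`, which YAML parsers read as null rather than an empty string, and a URL containing `: ` or ` #` would break the manifest outright. Use `value: {{ .Values.accuknox.certBundleURL | quote }}`. The same unquoted value is added in PATCH 03 (cis-corn-job, k8tls-cronjob, k8tls-job, kiem job), PATCH 06 (kiem deployment), PATCH 11 (k8s-risk-assessment cronjob and job) and, for certBundlePath, in every template touched by PATCH 12.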
@@ -18,3 +18,4 @@ accuknox:
 clusterID: 0
 label: ""
 secretName: ""
+
diff --git a/k8tls-job/templates/k8tls-cronjob.yaml b/k8tls-job/templates/k8tls-cronjob.yaml
index 951c54d..f5fe30b 100644
--- a/k8tls-job/templates/k8tls-cronjob.yaml
+++ b/k8tls-job/templates/k8tls-cronjob.yaml
@@ -42,7 +42,7 @@ spec:
 containers:
 - image: accuknox/accuknox-job:latest
 command: ["/bin/sh", "-c"]
- args: ['curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=K8TLS&save_to_s3=false" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\"" && cat /data/report.json']
+ args: ['./curl_command.sh']
 name: k8tls-job
 resources: {}
 env:
@@ -56,6 +56,10 @@ spec:
 value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
 - name: LABEL_NAME
 value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }}
+ - name: CERT_BUNDLE_URL
+ value: {{ .Values.accuknox.certBundleURL }}
+ - name: USE_INSECURE_CONNECTION
+ value: {{ .Values.accuknox.useInsecureConnection | quote }}
 volumeMounts:
 - mountPath: /data
 name: datapath
diff --git a/k8tls-job/templates/k8tls-job.yaml b/k8tls-job/templates/k8tls-job.yaml
index 3018a0a..fdb2f02 100644
--- a/k8tls-job/templates/k8tls-job.yaml
+++ b/k8tls-job/templates/k8tls-job.yaml
@@ -12,7 +12,7 @@ spec:
 containers:
 - image: accuknox/accuknox-job:latest
 command: ["/bin/sh", "-c"]
- args: ['curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=K8TLS&save_to_s3=false" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\"" && cat /data/report.json']
+ args: ['./curl_command.sh']
 name: k8tls-job
 resources: {}
 env:
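Review bot: `args: ['./curl_command.sh']` changes what the k8tls job sends: the removed command posted `data_type=K8TLS&save_to_s3=false` with no label_id, while curl_command.sh at this commit hard-codes `data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true`. PATCH 05 later parameterises data_type, but save_to_s3=true and the label_id parameter stay fixed in the script, so K8TLS, KIEM (kiem job in this commit, deployment in PATCH 06) and KS (configmap in PATCH 08) uploads all silently switch from save_to_s3=false to true. If that is not intended, pass it through an env var set per chart like DATA_TYPE, e.g. `save_to_s3=${SAVE_TO_S3:-false}` in the script. The same replacement appears in k8tls-job.yaml in this commit.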
@@ -26,6 +26,10 @@ spec:
 value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
 - name: LABEL_NAME
 value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }}
+ - name: CERT_BUNDLE_URL
+ value: {{ .Values.accuknox.certBundleURL }}
+ - name: USE_INSECURE_CONNECTION
+ value: {{ .Values.accuknox.useInsecureConnection | quote }}
 volumeMounts:
 - mountPath: /data
 name: datapath
diff --git a/k8tls-job/values.yaml b/k8tls-job/values.yaml
index 720722e..555c22b 100644
--- a/k8tls-job/values.yaml
+++ b/k8tls-job/values.yaml
@@ -9,3 +9,5 @@ accuknox:
 clusterName: ""
 label: ""
 URL: "cspm.demo.accuknox.com"
+ certBundleURL: "" # Set this for cert URL if needed
+ useInsecureConnection: false # Set to true if insecure connection is needed
diff --git a/kiem-job/templates/job.yaml b/kiem-job/templates/job.yaml
index 19906ac..39b5a9f 100644
--- a/kiem-job/templates/job.yaml
+++ b/kiem-job/templates/job.yaml
@@ -21,7 +21,8 @@ spec:
 mountPath: /data
 containers:
 - image: accuknox/accuknox-job:latest
- command: ['sh', '-c', 'curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KIEM&save_to_s3=false&label_id=${LABEL_NAME}" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\""']
+ command: ["/bin/sh", "-c"]
+ args: ['./curl_command.sh']
 name: accuknox-kiem-job
 resources: {}
 env:
@@ -35,6 +36,10 @@ spec:
 value: {{ .Values.accuknox.clusterName }}
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label | quote}}
+ - name: CERT_BUNDLE_URL
+ value: {{ .Values.accuknox.certBundleURL }}
+ - name: USE_INSECURE_CONNECTION
+ value: {{ .Values.accuknox.useInsecureConnection | quote }}
 volumeMounts:
 - mountPath: /data
 name: datapath
diff --git a/kiem-job/values.yaml b/kiem-job/values.yaml
index e979326..c503f6d 100644
--- a/kiem-job/values.yaml
+++ b/kiem-job/values.yaml
@@ -11,3 +11,5 @@ accuknox:
 cronTab: "30 9 * * *"
 clusterName: ""
 label: ""
+ certBundleURL: "" # Set this for cert URL if needed
+ useInsecureConnection: false # Set to true if insecure connection is needed
From 960501fc8a8b26623d9d5be25923dd954600e4e3 Mon Sep 17 00:00:00 2001
From: surya9839
Date: Wed, 4 Sep 2024 17:44:48 +0530
Subject: [PATCH 04/16] handling insecure connections
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index b0b3028..4b0b0f8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,6 @@ FROM alpine:latest
 RUN apk --update add jq curl
 COPY entrypoint.sh .
-COPY curl_command.sh
+COPY curl_command.sh .
 ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
From 86c4ba68a356aeb7a65618a2f44ff432dc19b516 Mon Sep 17 00:00:00 2001
From: surya9839
Date: Thu, 26 Sep 2024 15:51:35 +0530
Subject: [PATCH 05/16] removed hardcorded data_type for curl command
---
 cis-k8s-job/templates/cis-corn-job.yaml | 2 ++
 cis-k8s-job/templates/cis-job.yaml | 2 ++
 curl_command.sh | 2 +-
 k8tls-job/templates/k8tls-cronjob.yaml | 2 ++
 k8tls-job/templates/k8tls-job.yaml | 2 ++
 kiem-job/templates/job.yaml | 2 ++
 6 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/cis-k8s-job/templates/cis-corn-job.yaml b/cis-k8s-job/templates/cis-corn-job.yaml
index c619ff4..629f226 100644
--- a/cis-k8s-job/templates/cis-corn-job.yaml
+++ b/cis-k8s-job/templates/cis-corn-job.yaml
@@ -33,6 +33,8 @@ spec:
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
 value: {{ .Values.accuknox.useInsecureConnection | quote }}
+ - name: DATA_TYPE
+ value: "KB"
 volumeMounts:
 - mountPath: /data
 name: datapath
diff --git a/cis-k8s-job/templates/cis-job.yaml b/cis-k8s-job/templates/cis-job.yaml
index 2c7b068..bd9935a 100644
--- a/cis-k8s-job/templates/cis-job.yaml
+++ b/cis-k8s-job/templates/cis-job.yaml
@@ -33,6 +33,8 @@ spec:
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
 value: {{ .Values.accuknox.useInsecureConnection | quote }}
+ - name: DATA_TYPE
+ value: "KB"
 volumeMounts:
 - mountPath: /data
 name: datapath
diff --git a/curl_command.sh b/curl_command.sh
index 27c7274..65eff73 100644
--- a/curl_command.sh
+++ b/curl_command.sh
@@ -16,7 +16,7 @@ else
 fi
 # main curl command
-curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true" \
+curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=${DATA_TYPE}&label_id=${LABEL_NAME}&save_to_s3=true" \
 --header "Tenant-Id: ${TENANT_ID}" \
 --header "Authorization: Bearer ${AUTH_TOKEN}" \
 $CURL_FLAGS \
diff --git a/k8tls-job/templates/k8tls-cronjob.yaml b/k8tls-job/templates/k8tls-cronjob.yaml
index f5fe30b..8f4a5dc 100644
--- a/k8tls-job/templates/k8tls-cronjob.yaml
+++ b/k8tls-job/templates/k8tls-cronjob.yaml
@@ -60,6 +60,8 @@ spec:
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
 value: {{ .Values.accuknox.useInsecureConnection | quote }}
+ - name: DATA_TYPE
+ value: "K8TLS"
 volumeMounts:
 - mountPath: /data
 name: datapath
diff --git a/k8tls-job/templates/k8tls-job.yaml b/k8tls-job/templates/k8tls-job.yaml
index fdb2f02..46360cf 100644
--- a/k8tls-job/templates/k8tls-job.yaml
+++ b/k8tls-job/templates/k8tls-job.yaml
@@ -30,6 +30,8 @@ spec:
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
 value: {{ .Values.accuknox.useInsecureConnection | quote }}
+ - name: DATA_TYPE
+ value: "K8TLS"
 volumeMounts:
 - mountPath: /data
 name: datapath
diff --git a/kiem-job/templates/job.yaml b/kiem-job/templates/job.yaml
index 39b5a9f..f56941c 100644
--- a/kiem-job/templates/job.yaml
+++ b/kiem-job/templates/job.yaml
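Review bot: `data_type=${DATA_TYPE}` has no guard, so a chart that does not set the new DATA_TYPE env var silently posts `data_type=` instead of failing. Use `${DATA_TYPE:?DATA_TYPE is not set}` — and the same form for URL, TENANT_ID and AUTH_TOKEN, or `set -u` at the top of the script — so a misconfigured chart fails before anything is uploaded. The curl invocation continues past the end of the hunk.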
@@ -40,6 +40,8 @@ spec: value: {{ .Values.accuknox.certBundleURL }} - name: USE_INSECURE_CONNECTION value: {{ .Values.accuknox.useInsecureConnection | quote }} + - name: DATA_TYPE + value: "KIEM" volumeMounts: - mountPath: /data name: datapath From f860e05bc1434a46d18bf3473306744134796771 Mon Sep 17 00:00:00 2001 From: surya9839 Date: Tue, 1 Oct 2024 12:28:18 +0530 Subject: [PATCH 06/16] modifing docker file --- .DS_Store | Bin 0 -> 10244 bytes Dockerfile | 3 +++ cis-k8s-job/.DS_Store | Bin 0 -> 6148 bytes cis-k8s-job/test-scan.csv | 1 + kiem-job/templates/deployment.yaml | 9 ++++++++- 5 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 .DS_Store create mode 100644 cis-k8s-job/.DS_Store create mode 100644 cis-k8s-job/test-scan.csv diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..a460048bae0fcea3190c360a380ee6d135c124e5 GIT binary patch literal 10244 zcmeHNJ8u&~5S~p8ITNC!06~K|i2@1|9E^AfA(_NMqM(U+2oV(Q*u*C1JIfCu6h*QS z6*N>dApQa=sVJeMMHCcBNc;r^P55^Aa^CgrIRXk0*^O>z?{;Q)=9}5E=NuwpGoA7@ zkxN7lE>0)*qBAr;&#zb;3ZG;_8RW@Zo-Ql}^+t@-KClQ_1S|p;0gHe|;9o%ipV_=Q zqmtU*B481)2t)|*{NUo^G#ApYq#|{o6D0s>3Xes@c!Cc=-H_%&+LaVDXiSQNN>LV; z7)*-exf}B3LfVy7iW3Wq4;Jps!U~0n-Lbwa*ooyNwY^2aA`nM_*X}8rqGhU4TdUtw zUq7jH^&p=wc|i%!oNFI1EzIWMUexEy1Lqr6<=ueOg(!_|?MqeaP)XaJMyqiSRfjv( zGcPVk9s1U(2R%)axio!b(ix>CpwOa8TA{Oo-lKp@m%U&qw45gwZuQirXc!SCNR?Jw zjZo@!so~XH?M&ta8yZgS+CAcoIHS((LN!<|w2SRdYo^$|#qX{LfmhlZ7faV`mDR5@FN1?yI}T5Gs7W3zViZsve?{`CjEHPewa??PAfbAE59J}V zgea+Cjk|~$k1DzhJJcsL240`q;D103NY})jVK>H6S9d!QMPpM$=L+Jp2rXM!k@xj* zSb8kR!h{ufT z4}-*ia@Gx&>Ha_b(2SVsRJ}0fM+Vt*d zWRr1C)rZ^h>bCKZPn@`Unu90ubOm$@zA77Xr)t?SvL?{zNM{3IPy0c9njIu! z4cppg5wHkY1S|qO3V~s1t;^s4&n5r&TL1q9+p!P; literal 0 HcmV?d00001 diff --git a/Dockerfile b/Dockerfile index 4b0b0f8..02c8a21 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -4,4 +4,7 @@ RUN apk --update add jq curl COPY entrypoint.sh . COPY curl_command.sh . +# Grant execute permissions to the scripts +RUN chmod +x entrypoint.sh curl_command.sh + ENTRYPOINT ["/bin/sh", "entrypoint.sh"] diff --git a/cis-k8s-job/.DS_Store b/cis-k8s-job/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..f702656c74037acdc2869ed7a133371e119162ce GIT binary patch literal 6148 zcmeHKJ5Iwu5Pb_N5+bCOG)Qh}kcgBUEWs%#XvhUfoQM<-j>t!%bI%bt1Ql1{PSC)c z-BpO~ASe(*XhxcOoAJC|?_0;~1z@_%Q3q%NsM7^^8Vp-Zu8UV}CuD?YTptUxafbn> zNGsKv_=^h2+U?;C6Rz4VHrDSv&5~i74S8K2j#GO3%^6!j1DEJA8{>l5=8BI>jK>ON zfidf5d^QFgX^eT1VGh4$q}QE(l1*oF3&7DaL&Nn|=y#gMak%&T^6B-##?Ny9TPsK3 ztej0YN4D$^`+gRTCzvDQtZt}8!uF~(vwK!=s@KGd)hU*u!pDE6#Cj>QWK1IIHbC2%T!QhSn#2VAi*p|;l;Y0y#z}zFR(2S=N zJ=KIGhVgXfqflo9<{mvACLBIY7}F&qKipg?r}|F!)?W^m96-I?u_|J8bli~_s9%Q OKLnf%8dQN_Rp1?h3wG`R literal 0 HcmV?d00001 diff --git a/cis-k8s-job/test-scan.csv b/cis-k8s-job/test-scan.csv new file mode 100644 index 0000000..4ce779f --- /dev/null +++ b/cis-k8s-job/test-scan.csv @@ -0,0 +1 @@ +CSV report generated successfully at runstatus_report.csv diff --git a/kiem-job/templates/deployment.yaml b/kiem-job/templates/deployment.yaml index 0737708..c10e480 100644 --- a/kiem-job/templates/deployment.yaml +++ b/kiem-job/templates/deployment.yaml @@ -26,7 +26,8 @@ spec: mountPath: /data containers: - image: accuknox/accuknox-job:latest - command: ['sh', '-c', 'curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KIEM&save_to_s3=false&label_id=${LABEL_NAME}" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\""'] + command: ["/bin/sh", "-c"] + args: ['./curl_command.sh'] name: accuknox-kiem-cronjob resources: {} env: 
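Review bot: `RUN chmod +x entrypoint.sh curl_command.sh` papers over the scripts being committed with mode 100644; committing them as 100755 would keep `docker build` and local runs consistent, although either approach works once built. The larger problem with this commit is what else it adds: two macOS `.DS_Store` binaries (repository root and cis-k8s-job/) and `cis-k8s-job/test-scan.csv`, none of which belong in the chart; drop them and add `.DS_Store` to .gitignore (the csv is removed again in PATCH 07, the .DS_Store files are not).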
@@ -40,6 +41,12 @@ spec:
 value: {{ .Values.accuknox.clusterName }}
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label | quote}}
+ - name: CERT_BUNDLE_URL
+ value: {{ .Values.accuknox.certBundleURL }}
+ - name: USE_INSECURE_CONNECTION
+ value: {{ .Values.accuknox.useInsecureConnection | quote }}
+ - name: DATA_TYPE
+ value: "KIEM"
 volumeMounts:
 - mountPath: /data
 name: datapath
From 624d7118e0430cbacafd2487da076271c33ca7c1 Mon Sep 17 00:00:00 2001
From: surya9839
Date: Tue, 1 Oct 2024 12:29:08 +0530
Subject: [PATCH 07/16] modifing docker file
---
 cis-k8s-job/test-scan.csv | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 cis-k8s-job/test-scan.csv
diff --git a/cis-k8s-job/test-scan.csv b/cis-k8s-job/test-scan.csv
deleted file mode 100644
index 4ce779f..0000000
--- a/cis-k8s-job/test-scan.csv
+++ /dev/null
@@ -1 +0,0 @@
-CSV report generated successfully at runstatus_report.csv
From 88a507158e442d1c564032be5e13592e9bf7a8d8 Mon Sep 17 00:00:00 2001
From: surya9839
Date: Tue, 1 Oct 2024 14:58:57 +0530
Subject: [PATCH 08/16] modifing K8s-risk-management
---
 k8s-risk-assessment-job/templates/configmap.yaml | 7 ++-----
 k8s-risk-assessment-job/templates/cronjob.yaml | 2 ++
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/k8s-risk-assessment-job/templates/configmap.yaml b/k8s-risk-assessment-job/templates/configmap.yaml
index 54b913c..1d0fe16 100644
--- a/k8s-risk-assessment-job/templates/configmap.yaml
+++ b/k8s-risk-assessment-job/templates/configmap.yaml
@@ -33,8 +33,5 @@ data:
 cat /data/report.json
 # push
- curl --location --request POST \
- --header "Authorization: Bearer ${AUTH_TOKEN}" \
- --header "Tenant-Id: ${TENANT_ID}" \
- --form "file=@\"/data/report.json\"" \
- "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KS&save_to_s3=false&label_id=${LABEL_NAME}"
+
+ /curl_command.sh
diff --git a/k8s-risk-assessment-job/templates/cronjob.yaml b/k8s-risk-assessment-job/templates/cronjob.yaml
index b603dc2..9e5686d 100644
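Review bot: `/curl_command.sh` is invoked by absolute path here, while every other template uses `./curl_command.sh` and the Dockerfile copies the file to `.`; unless the image's WORKDIR is `/`, one of the two spellings will not resolve, so settle on one for all charts. The script also ends with `cat /data/report.json`, and this configmap already prints the report on the context line above `# push`, so each run now emits the report twice. The removed command sent `data_type=KS&save_to_s3=false`, whereas the script sends save_to_s3=true (DATA_TYPE is supplied by cronjob.yaml in this commit and by job.yaml only from PATCH 09). The configmap script starts outside the hunk.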
--- a/k8s-risk-assessment-job/templates/cronjob.yaml
+++ b/k8s-risk-assessment-job/templates/cronjob.yaml
@@ -51,6 +51,8 @@ spec:
 value: {{ .Values.accuknox.clusterID | quote }}
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label }}
+ - name: DATA_TYPE
+ value: "KS"
 volumeMounts:
 - mountPath: /data
 name: datapath
From e0a0a458d651e8252f8fdac6c0f224743d36e5af Mon Sep 17 00:00:00 2001
From: surya9839
Date: Tue, 1 Oct 2024 14:59:47 +0530
Subject: [PATCH 09/16] modifing K8s-risk-management
---
 k8s-risk-assessment-job/templates/job.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/k8s-risk-assessment-job/templates/job.yaml b/k8s-risk-assessment-job/templates/job.yaml
index aaacd12..7cdf954 100644
--- a/k8s-risk-assessment-job/templates/job.yaml
+++ b/k8s-risk-assessment-job/templates/job.yaml
@@ -45,6 +45,8 @@ spec:
 value: {{ .Values.accuknox.clusterID | quote }}
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label }}
+ - name: DATA_TYPE
+ value: "KS"
 volumeMounts:
 - mountPath: /data
 name: datapath
From 125ea6a8511177a4b4822d4a7f3e67a91cb42f5d Mon Sep 17 00:00:00 2001
From: surya9839
Date: Tue, 1 Oct 2024 15:57:54 +0530
Subject: [PATCH 10/16] values update
---
 k8s-risk-assessment-job/templates/clusterrole.yaml | 2 +-
 k8s-risk-assessment-job/templates/clusterrolebinding.yaml | 6 +++---
 k8s-risk-assessment-job/templates/cronjob.yaml | 2 +-
 k8s-risk-assessment-job/templates/job.yaml | 2 +-
 k8s-risk-assessment-job/templates/serviceaccount.yaml | 2 +-
 k8s-risk-assessment-job/values.yaml | 2 ++
 6 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/k8s-risk-assessment-job/templates/clusterrole.yaml b/k8s-risk-assessment-job/templates/clusterrole.yaml
index 73564d6..64597b7 100644
--- a/k8s-risk-assessment-job/templates/clusterrole.yaml
+++ b/k8s-risk-assessment-job/templates/clusterrole.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: k8s-risk-assessment-job-clusterrole
+ name: test-k8s-risk-assessment-job-clusterrole
 rules:
 - apiGroups:
 - ''
diff --git a/k8s-risk-assessment-job/templates/clusterrolebinding.yaml b/k8s-risk-assessment-job/templates/clusterrolebinding.yaml
index 7009a19..2a81135 100644
--- a/k8s-risk-assessment-job/templates/clusterrolebinding.yaml
+++ b/k8s-risk-assessment-job/templates/clusterrolebinding.yaml
@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: k8s-risk-assessment-job-clusterrole-binding
+ name: test-k8s-risk-assessment-job-clusterrole-binding
 subjects:
 - namespace: {{ .Release.Namespace }}
 kind: ServiceAccount
- name: k8s-risk-assessment-job-service-account
+ name: test-k8s-risk-assessment-job-service-account
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: k8s-risk-assessment-job-clusterrole
+ name: test-k8s-risk-assessment-job-clusterrole
diff --git a/k8s-risk-assessment-job/templates/cronjob.yaml b/k8s-risk-assessment-job/templates/cronjob.yaml
index 9e5686d..33b1c68 100644
--- a/k8s-risk-assessment-job/templates/cronjob.yaml
+++ b/k8s-risk-assessment-job/templates/cronjob.yaml
@@ -65,4 +65,4 @@ spec:
 configMap:
 name: k8s-risk-assessment-job-script-configmap
 restartPolicy: OnFailure
- serviceAccount: k8s-risk-assessment-job-service-account
+ serviceAccount: test-k8s-risk-assessment-job-service-account
diff --git a/k8s-risk-assessment-job/templates/job.yaml b/k8s-risk-assessment-job/templates/job.yaml
index 7cdf954..1fe1c86 100644
--- a/k8s-risk-assessment-job/templates/job.yaml
+++ b/k8s-risk-assessment-job/templates/job.yaml
@@ -59,4 +59,4 @@ spec:
 configMap:
 name: k8s-risk-assessment-job-script-configmap
 restartPolicy: OnFailure
- serviceAccount: k8s-risk-assessment-job-service-account
+ serviceAccount: test-k8s-risk-assessment-job-service-account
diff --git a/k8s-risk-assessment-job/templates/serviceaccount.yaml b/k8s-risk-assessment-job/templates/serviceaccount.yaml
index f9d0a7a..c0981cb 100644
--- a/k8s-risk-assessment-job/templates/serviceaccount.yaml
+++ b/k8s-risk-assessment-job/templates/serviceaccount.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: k8s-risk-assessment-job-service-account
+ name: test-k8s-risk-assessment-job-service-account
 namespace: {{ .Release.Namespace }}
diff --git a/k8s-risk-assessment-job/values.yaml b/k8s-risk-assessment-job/values.yaml
index 356e28d..e70d29d 100644
--- a/k8s-risk-assessment-job/values.yaml
+++ b/k8s-risk-assessment-job/values.yaml
@@ -18,4 +18,6 @@ accuknox:
 clusterID: 0
 label: ""
 secretName: ""
+ certBundleURL: "" # Set this for cert URL if needed
+ useInsecureConnection: false # Set to true if insecure connection is needed
From 2b19016570b4ad3a453ba5837114608c9db72329 Mon Sep 17 00:00:00 2001
From: surya9839
Date: Tue, 1 Oct 2024 16:06:08 +0530
Subject: [PATCH 11/16] values update
---
 k8s-risk-assessment-job/templates/clusterrole.yaml | 2 +-
 k8s-risk-assessment-job/templates/clusterrolebinding.yaml | 6 +++---
 k8s-risk-assessment-job/templates/cronjob.yaml | 6 +++++-
 k8s-risk-assessment-job/templates/job.yaml | 6 +++++-
 k8s-risk-assessment-job/templates/serviceaccount.yaml | 2 +-
 5 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/k8s-risk-assessment-job/templates/clusterrole.yaml b/k8s-risk-assessment-job/templates/clusterrole.yaml
index 64597b7..73564d6 100644
--- a/k8s-risk-assessment-job/templates/clusterrole.yaml
+++ b/k8s-risk-assessment-job/templates/clusterrole.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: test-k8s-risk-assessment-job-clusterrole
+ name: k8s-risk-assessment-job-clusterrole
 rules:
 - apiGroups:
 - ''
diff --git a/k8s-risk-assessment-job/templates/clusterrolebinding.yaml b/k8s-risk-assessment-job/templates/clusterrolebinding.yaml
index 2a81135..7009a19 100644
--- a/k8s-risk-assessment-job/templates/clusterrolebinding.yaml
+++ b/k8s-risk-assessment-job/templates/clusterrolebinding.yaml
@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: test-k8s-risk-assessment-job-clusterrole-binding
+ name: k8s-risk-assessment-job-clusterrole-binding
 subjects:
 - namespace: {{ .Release.Namespace }}
 kind: ServiceAccount
- name: test-k8s-risk-assessment-job-service-account
+ name: k8s-risk-assessment-job-service-account
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: test-k8s-risk-assessment-job-clusterrole
+ name: k8s-risk-assessment-job-clusterrole
diff --git a/k8s-risk-assessment-job/templates/cronjob.yaml b/k8s-risk-assessment-job/templates/cronjob.yaml
index 33b1c68..59a0460 100644
--- a/k8s-risk-assessment-job/templates/cronjob.yaml
+++ b/k8s-risk-assessment-job/templates/cronjob.yaml
@@ -51,6 +51,10 @@ spec:
 value: {{ .Values.accuknox.clusterID | quote }}
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label }}
+ - name: CERT_BUNDLE_URL
+ value: {{ .Values.accuknox.certBundleURL }}
+ - name: USE_INSECURE_CONNECTION
+ value: {{ .Values.accuknox.useInsecureConnection | quote }}
 - name: DATA_TYPE
 value: "KS"
 volumeMounts:
@@ -65,4 +69,4 @@ spec:
 configMap:
 name: k8s-risk-assessment-job-script-configmap
 restartPolicy: OnFailure
- serviceAccount: test-k8s-risk-assessment-job-service-account
+ serviceAccount: k8s-risk-assessment-job-service-account
diff --git a/k8s-risk-assessment-job/templates/job.yaml b/k8s-risk-assessment-job/templates/job.yaml
index 1fe1c86..7a6fdfa 100644
--- a/k8s-risk-assessment-job/templates/job.yaml
+++ b/k8s-risk-assessment-job/templates/job.yaml
@@ -45,6 +45,10 @@ spec:
 value: {{ .Values.accuknox.clusterID | quote }}
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label }}
+ - name: CERT_BUNDLE_URL
+ value: {{ .Values.accuknox.certBundleURL }}
+ - name: USE_INSECURE_CONNECTION
+ value: {{ .Values.accuknox.useInsecureConnection | quote }}
 - name: DATA_TYPE
 value: "KS"
 volumeMounts:
@@ -59,4 +63,4 @@ spec:
 configMap:
 name: k8s-risk-assessment-job-script-configmap
 restartPolicy: OnFailure
- serviceAccount: test-k8s-risk-assessment-job-service-account
+ serviceAccount: k8s-risk-assessment-job-service-account
diff --git a/k8s-risk-assessment-job/templates/serviceaccount.yaml b/k8s-risk-assessment-job/templates/serviceaccount.yaml
index c0981cb..f9d0a7a 100644
--- a/k8s-risk-assessment-job/templates/serviceaccount.yaml
+++ b/k8s-risk-assessment-job/templates/serviceaccount.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: test-k8s-risk-assessment-job-service-account
+ name: k8s-risk-assessment-job-service-account
 namespace: {{ .Release.Namespace }}
From 8f787f9b4c947221d67fd0ff6dff95db6d6392dd Mon Sep 17 00:00:00 2001
From: surya9839
Date: Wed, 23 Oct 2024 10:33:43 +0530
Subject: [PATCH 12/16] new_requirement of allowing local cert
---
 cis-k8s-job/templates/cis-corn-job.yaml | 2 ++
 cis-k8s-job/templates/cis-job.yaml | 2 ++
 cis-k8s-job/values.yaml | 3 ++-
 curl_command.sh | 26 +++++++++++++------
 .../templates/cronjob.yaml | 2 ++
 k8s-risk-assessment-job/templates/job.yaml | 2 ++
 k8s-risk-assessment-job/values.yaml | 3 ++-
 k8tls-job/templates/k8tls-cronjob.yaml | 2 ++
 k8tls-job/templates/k8tls-job.yaml | 2 ++
 k8tls-job/values.yaml | 3 ++-
 kiem-job/templates/deployment.yaml | 2 ++
 kiem-job/templates/job.yaml | 2 ++
 kiem-job/values.yaml | 3 ++-
 13 files changed, 42 insertions(+), 12 deletions(-)
diff --git a/cis-k8s-job/templates/cis-corn-job.yaml b/cis-k8s-job/templates/cis-corn-job.yaml
index 629f226..afffb12 100644
--- a/cis-k8s-job/templates/cis-corn-job.yaml
+++ b/cis-k8s-job/templates/cis-corn-job.yaml
@@ -29,6 +29,8 @@ spec:
 value: {{ .Values.accuknox.tenantId | quote}}
 - name: URL
 value: {{ .Values.accuknox.url }}
+ - name: CERT_BUNDLE_PATH
+ value: {{ .Values.accuknox.certBundlePath }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
diff --git a/cis-k8s-job/templates/cis-job.yaml b/cis-k8s-job/templates/cis-job.yaml
index bd9935a..fa97f1c 100644
--- a/cis-k8s-job/templates/cis-job.yaml
+++ b/cis-k8s-job/templates/cis-job.yaml
@@ -29,6 +29,8 @@ spec:
 value: {{ .Values.accuknox.tenantId | quote}}
 - name: URL
 value: {{ .Values.accuknox.url }}
+ - name: CERT_BUNDLE_PATH
+ value: {{ .Values.accuknox.certBundlePath }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
diff --git a/cis-k8s-job/values.yaml b/cis-k8s-job/values.yaml
index a579ebb..9b47ecf 100644
--- a/cis-k8s-job/values.yaml
+++ b/cis-k8s-job/values.yaml
@@ -10,6 +10,7 @@ accuknox:
 clusterId: ""
 tenantId: ""
 url: "cspm.demo.accuknox.com"
- certBundleURL: "" # Set this for cert URL if needed
+ certBundlePath: "" # Set this for cert local path if needed .
+ certBundleURL: "" # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
 useInsecureConnection: false # Set to true if insecure connection is needed
diff --git a/curl_command.sh b/curl_command.sh
index 65eff73..c5c83ff 100644
--- a/curl_command.sh
+++ b/curl_command.sh
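Review bot: `CERT_BUNDLE_PATH` is passed as an env var, but nothing in this commit places a file at that path inside the container — no volume or volumeMount accompanies it — so unless the bundle is baked into the image, curl_command.sh will log that the certificate was not found and carry on with the default trust store. Consider a ConfigMap-backed volume mounted at a fixed location (for example `/etc/accuknox/ca.pem`, a constructed path) that the chart uses as the default certBundlePath, and pass the value through `| quote` like the other env entries. The same env entry is added to cis-job, the k8s-risk-assessment cronjob and job, k8tls-cronjob and k8tls-job, and the kiem deployment and job in this commit.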
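Review bot: The two new key comments carry wording slips that this commit copies into four more values files: `certBundlePath: ""  # Local path to a CA bundle inside the container, if needed` drops the stray ` .`, and `certBundleURL: ""  # URL of a CA bundle to download; ignored when certBundlePath is set` replaces "take precedent" with the intended precedence statement. The same lines appear in k8s-risk-assessment-job, k8tls-job and kiem-job values.yaml in this commit.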
@@ -1,18 +1,28 @@
 #!/bin/sh
-# Handling certificate download
-if [ -n "$CERT_BUNDLE_URL" ]; then
+# Initialize CURL_FLAGS to handle both insecure and certificate usage
+CURL_FLAGS=""
+
+# Always add --insecure if USE_INSECURE_CONNECTION is true
+if [ "$USE_INSECURE_CONNECTION" = "true" ]; then
+ CURL_FLAGS="$CURL_FLAGS --insecure"
+fi
+
+# Add certificate flags if a certBundlePath or certBundleURL is provided
+if [ -n "$CERT_BUNDLE_PATH" ]; then
+ echo "Using certificate from local path $CERT_BUNDLE_PATH..."
+ if [ -f "$CERT_BUNDLE_PATH" ]; then
+ CURL_FLAGS="$CURL_FLAGS --cacert $CERT_BUNDLE_PATH"
+ else
+ echo "Certificate not found at $CERT_BUNDLE_PATH."
+ fi
+elif [ -n "$CERT_BUNDLE_URL" ]; then
 echo "Attempting to download certificate from $CERT_BUNDLE_URL..."
 if curl -o /tmp/cert.pem "$CERT_BUNDLE_URL"; then
- CURL_FLAGS="--cacert /tmp/cert.pem"
+ CURL_FLAGS="$CURL_FLAGS --cacert /tmp/cert.pem"
 else
 echo "Certificate not available or failed to download."
- CURL_FLAGS=""
 fi
-elif [ "$USE_INSECURE_CONNECTION" = "true" ]; then
- CURL_FLAGS="--insecure"
-else
- CURL_FLAGS=""
 fi
 # main curl command
diff --git a/k8s-risk-assessment-job/templates/cronjob.yaml b/k8s-risk-assessment-job/templates/cronjob.yaml
index 59a0460..d5ce0cb 100644
--- a/k8s-risk-assessment-job/templates/cronjob.yaml
+++ b/k8s-risk-assessment-job/templates/cronjob.yaml
@@ -51,6 +51,8 @@ spec:
 value: {{ .Values.accuknox.clusterID | quote }}
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label }}
+ - name: CERT_BUNDLE_PATH
+ value: {{ .Values.accuknox.certBundlePath }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
diff --git a/k8s-risk-assessment-job/templates/job.yaml b/k8s-risk-assessment-job/templates/job.yaml
index 7a6fdfa..ce5c8b0 100644
--- a/k8s-risk-assessment-job/templates/job.yaml
+++ b/k8s-risk-assessment-job/templates/job.yaml
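Review bot: Combining the flags changes the security outcome silently: when `USE_INSECURE_CONNECTION=true`, `--insecure` is appended first and any `--cacert` added afterwards has no effect, so an operator who configures both a bundle and the insecure flag gets no verification at all, and when the configured bundle is missing (`echo "Certificate not found at $CERT_BUNDLE_PATH."`) or fails to download the script simply proceeds with the default trust store. Make the insecure flag exclusive (add it only when neither CERT_BUNDLE_PATH nor CERT_BUNDLE_URL is set) and fail when a configured bundle cannot be used, e.g. `echo "Certificate not found at $CERT_BUNDLE_PATH." >&2; exit 1`. `CURL_FLAGS="$CURL_FLAGS --cacert $CERT_BUNDLE_PATH"` is later expanded unquoted and word-split, so a path containing spaces breaks as well. The curl invocation that consumes CURL_FLAGS lies outside the hunk.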
@@ -45,6 +45,8 @@ spec:
 value: {{ .Values.accuknox.clusterID | quote }}
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label }}
+ - name: CERT_BUNDLE_PATH
+ value: {{ .Values.accuknox.certBundlePath }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
diff --git a/k8s-risk-assessment-job/values.yaml b/k8s-risk-assessment-job/values.yaml
index e70d29d..b2a1c7e 100644
--- a/k8s-risk-assessment-job/values.yaml
+++ b/k8s-risk-assessment-job/values.yaml
@@ -18,6 +18,7 @@ accuknox:
 clusterID: 0
 label: ""
 secretName: ""
- certBundleURL: "" # Set this for cert URL if needed
+ certBundlePath: "" # Set this for cert local path if needed .
+ certBundleURL: "" # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
 useInsecureConnection: false # Set to true if insecure connection is needed
diff --git a/k8tls-job/templates/k8tls-cronjob.yaml b/k8tls-job/templates/k8tls-cronjob.yaml
index 8f4a5dc..359a6ce 100644
--- a/k8tls-job/templates/k8tls-cronjob.yaml
+++ b/k8tls-job/templates/k8tls-cronjob.yaml
@@ -56,6 +56,8 @@ spec:
 value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
 - name: LABEL_NAME
 value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }}
+ - name: CERT_BUNDLE_PATH
+ value: {{ .Values.accuknox.certBundlePath }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
diff --git a/k8tls-job/templates/k8tls-job.yaml b/k8tls-job/templates/k8tls-job.yaml
index 46360cf..4d2583c 100644
--- a/k8tls-job/templates/k8tls-job.yaml
+++ b/k8tls-job/templates/k8tls-job.yaml
@@ -26,6 +26,8 @@ spec:
 value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
 - name: LABEL_NAME
 value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }}
+ - name: CERT_BUNDLE_PATH
+ value: {{ .Values.accuknox.certBundlePath }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
diff --git a/k8tls-job/values.yaml b/k8tls-job/values.yaml
index 555c22b..7d7d53f 100644
--- a/k8tls-job/values.yaml
+++ b/k8tls-job/values.yaml
@@ -9,5 +9,6 @@ accuknox:
 clusterName: ""
 label: ""
 URL: "cspm.demo.accuknox.com"
- certBundleURL: "" # Set this for cert URL if needed
+ certBundlePath: "" # Set this for cert local path if needed .
+ certBundleURL: "" # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
 useInsecureConnection: false # Set to true if insecure connection is needed
diff --git a/kiem-job/templates/deployment.yaml b/kiem-job/templates/deployment.yaml
index c10e480..64069dc 100644
--- a/kiem-job/templates/deployment.yaml
+++ b/kiem-job/templates/deployment.yaml
@@ -41,6 +41,8 @@ spec:
 value: {{ .Values.accuknox.clusterName }}
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label | quote}}
+ - name: CERT_BUNDLE_PATH
+ value: {{ .Values.accuknox.certBundlePath }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
diff --git a/kiem-job/templates/job.yaml b/kiem-job/templates/job.yaml
index f56941c..89a7eae 100644
--- a/kiem-job/templates/job.yaml
+++ b/kiem-job/templates/job.yaml
@@ -36,6 +36,8 @@ spec:
 value: {{ .Values.accuknox.clusterName }}
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label | quote}}
+ - name: CERT_BUNDLE_PATH
+ value: {{ .Values.accuknox.certBundlePath }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
diff --git a/kiem-job/values.yaml b/kiem-job/values.yaml
index c503f6d..3b3fbfb 100644
--- a/kiem-job/values.yaml
+++ b/kiem-job/values.yaml
@@ -11,5 +11,6 @@ accuknox:
 cronTab: "30 9 * * *"
 clusterName: ""
 label: ""
- certBundleURL: "" # Set this for cert URL if needed
+ certBundlePath: "" # Set this for cert local path if needed .
+ certBundleURL: "" # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
 useInsecureConnection: false # Set to true if insecure connection is needed
From e64086ed44da065f132cd32444dcc7c16b8b643d Mon Sep 17 00:00:00 2001
From: surya9839 <84128985+surya9839@users.noreply.github.com>
Date: Fri, 25 Oct 2024 18:10:57 +0530
Subject: [PATCH 13/16] Update curl_command.sh
---
 curl_command.sh | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/curl_command.sh b/curl_command.sh
index c5c83ff..87080a8 100644
--- a/curl_command.sh
+++ b/curl_command.sh
@@ -8,14 +8,11 @@ if [ "$USE_INSECURE_CONNECTION" = "true" ]; then
 CURL_FLAGS="$CURL_FLAGS --insecure"
 fi
 
-# Add certificate flags if a certBundlePath or certBundleURL is provided
-if [ -n "$CERT_BUNDLE_PATH" ]; then
- echo "Using certificate from local path $CERT_BUNDLE_PATH..."
- if [ -f "$CERT_BUNDLE_PATH" ]; then
- CURL_FLAGS="$CURL_FLAGS --cacert $CERT_BUNDLE_PATH"
- else
- echo "Certificate not found at $CERT_BUNDLE_PATH."
- fi
+# Add certificate flags if CERT_BUNDLE_CONTENT is provided
+if [ -n "$CERT_BUNDLE_CONTENT" ]; then
+ echo "Using in-line certificate content from CERT_BUNDLE_CONTENT..."
+ echo "$CERT_BUNDLE_CONTENT" > /tmp/cert.pem
+ CURL_FLAGS="$CURL_FLAGS --cacert /tmp/cert.pem"
 elif [ -n "$CERT_BUNDLE_URL" ]; then
 echo "Attempting to download certificate from $CERT_BUNDLE_URL..."
 if curl -o /tmp/cert.pem "$CERT_BUNDLE_URL"; then
@@ -34,3 +31,4 @@ curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENA
 
 # Print the report
 cat /data/report.json
+
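Review bot: The new branch reads CERT_BUNDLE_CONTENT, but this commit changes only curl_command.sh (one file in the diffstat) while every chart template on this page still exports CERT_BUNDLE_PATH, so nothing sets the new variable and a user who configured certBundlePath now falls through to the URL branch or to no `--cacert` at all, with only the generic log line to show for it. The templates and the values comments need the matching rename in the same commit, or the script should keep honouring CERT_BUNDLE_PATH. `echo "$CERT_BUNDLE_CONTENT" > /tmp/cert.pem` is also shell-dependent: whether `echo` expands backslash escapes or treats a leading `-n`/`-e` as an option varies between /bin/sh implementations, so `printf '%s\n' "$CERT_BUNDLE_CONTENT" > /tmp/cert.pem` is the portable form (the following commit switches to `printf "%b"`, which expands escapes on purpose). The second hunk only appends a trailing blank line.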
From bdea86e968564859588d389804d4ae96d0157f77 Mon Sep 17 00:00:00 2001
From: surya9839
Date: Fri, 25 Oct 2024 18:18:48 +0530
Subject: [PATCH 14/16] logic for cert from local
---
 curl_command.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/curl_command.sh b/curl_command.sh
index 87080a8..45b1327 100644
--- a/curl_command.sh
+++ b/curl_command.sh
@@ -8,10 +8,10 @@ if [ "$USE_INSECURE_CONNECTION" = "true" ]; then
 CURL_FLAGS="$CURL_FLAGS --insecure"
 fi
 
-# Add certificate flags if CERT_BUNDLE_CONTENT is provided
-if [ -n "$CERT_BUNDLE_CONTENT" ]; then
- echo "Using in-line certificate content from CERT_BUNDLE_CONTENT..."
- echo "$CERT_BUNDLE_CONTENT" > /tmp/cert.pem
+# Add certificate flags if CERT_BUNDLE_PATH is provided
+if [ -n "$CERT_BUNDLE_PATH" ]; then
+ echo "Using in-line certificate content from CERT_BUNDLE_PATH..."
+ echo "$CERT_BUNDLE_PATH" > /tmp/cert.pem
 CURL_FLAGS="$CURL_FLAGS --cacert /tmp/cert.pem"
 elif [ -n "$CERT_BUNDLE_URL" ]; then
 echo "Attempting to download certificate from $CERT_BUNDLE_URL..."
From 56517aeada20510ebc91861e29517ed5ff16334f Mon Sep 17 00:00:00 2001
From: surya9839
Date: Mon, 28 Oct 2024 18:45:45 +0530
Subject: [PATCH 15/16] changes for local cert
---
 cis-k8s-job/templates/cis-corn-job.yaml | 6 +++---
 cis-k8s-job/templates/cis-job.yaml | 6 +++---
 cis-k8s-job/values.yaml | 4 ++--
 curl_command.sh | 2 +-
 k8s-risk-assessment-job/templates/cronjob.yaml | 2 +-
 k8s-risk-assessment-job/templates/job.yaml | 2 +-
 k8tls-job/templates/k8tls-cronjob.yaml | 2 +-
 k8tls-job/templates/k8tls-job.yaml | 2 +-
 kiem-job/templates/deployment.yaml | 2 +-
 kiem-job/templates/job.yaml | 2 +-
 10 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/cis-k8s-job/templates/cis-corn-job.yaml b/cis-k8s-job/templates/cis-corn-job.yaml
index afffb12..5e8d276 100644
--- a/cis-k8s-job/templates/cis-corn-job.yaml
+++ b/cis-k8s-job/templates/cis-corn-job.yaml
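Review bot: After this rename the variable is still called CERT_BUNDLE_PATH, but its value is written verbatim into /tmp/cert.pem, i.e. it is treated as PEM content rather than a path; the echo on the same lines says "in-line certificate content from CERT_BUNDLE_PATH", while the chart values comments on this page still say "Set this for cert local path", so a user who follows that comment and supplies a path ends up with a one-line file containing the path string and a curl that rejects its own CA file. Either name the value for what it is (for example certBundleContent / CERT_BUNDLE_CONTENT, with the values comments changed to say it takes PEM text), or keep the path semantics and deliver the bundle through a ConfigMap volume mount, which is the usual way to hand a CA bundle to a pod. The `printf "%b"` change in a later commit on this page inherits the same mismatch.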
@@ -24,13 +24,13 @@ spec:
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label }}
 - name: CLUSTER_ID
- value: {{ .Values.accuknox.clusterId }}
+ value: {{ .Values.accuknox.clusterID }}
 - name: TENANT_ID
- value: {{ .Values.accuknox.tenantId | quote}}
+ value: {{ .Values.accuknox.tenantID | quote}}
 - name: URL
 value: {{ .Values.accuknox.url }}
 - name: CERT_BUNDLE_PATH
- value: {{ .Values.accuknox.certBundlePath }}
+ value: {{ .Values.accuknox.certBundlePath | quote }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
diff --git a/cis-k8s-job/templates/cis-job.yaml b/cis-k8s-job/templates/cis-job.yaml
index fa97f1c..7373e11 100644
--- a/cis-k8s-job/templates/cis-job.yaml
+++ b/cis-k8s-job/templates/cis-job.yaml
@@ -24,13 +24,13 @@ spec:
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label }}
 - name: CLUSTER_ID
- value: {{ .Values.accuknox.clusterId }}
+ value: {{ .Values.accuknox.clusterID }}
 - name: TENANT_ID
- value: {{ .Values.accuknox.tenantId | quote}}
+ value: {{ .Values.accuknox.tenantID | quote}}
 - name: URL
 value: {{ .Values.accuknox.url }}
 - name: CERT_BUNDLE_PATH
- value: {{ .Values.accuknox.certBundlePath }}
+ value: {{ .Values.accuknox.certBundlePath | quote }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
diff --git a/cis-k8s-job/values.yaml b/cis-k8s-job/values.yaml
index 9b47ecf..5fa9b3e 100644
--- a/cis-k8s-job/values.yaml
+++ b/cis-k8s-job/values.yaml
@@ -7,8 +7,8 @@ accuknox:
 cronTab: "30 9 * * *"
 clusterName: ""
 label: ""
- clusterId: ""
- tenantId: ""
+ clusterID: ""
+ tenantID: ""
 url: "cspm.demo.accuknox.com"
 certBundlePath: "" # Set this for cert local path if needed .
 certBundleURL: "" # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
diff --git a/curl_command.sh b/curl_command.sh
index 45b1327..26f248e 100644
--- a/curl_command.sh
+++ b/curl_command.sh
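Review bot: `value: {{ .Values.accuknox.clusterID }}` is still rendered unquoted while TENANT_ID on the next line and CERT_BUNDLE_PATH in this same hunk are quoted; a numeric cluster id passed via `--set` renders as a YAML integer, which the API server rejects for a string env value, so use `value: {{ .Values.accuknox.clusterID | quote }}` here and in the identical cis-job.yaml hunk. Renaming `clusterId`/`tenantId` to `clusterID`/`tenantID` in values.yaml (and `url` to `URL` in the last commit on this page) also breaks every existing override file with no fallback or deprecation note: the old keys render empty CLUSTER_ID/TENANT_ID values and the report is uploaded with an empty tenant_id, so at minimum the chart's README or changelog should call the rename out.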
@@ -11,7 +11,7 @@ fi
 # Add certificate flags if CERT_BUNDLE_PATH is provided
 if [ -n "$CERT_BUNDLE_PATH" ]; then
 echo "Using in-line certificate content from CERT_BUNDLE_PATH..."
- echo "$CERT_BUNDLE_PATH" > /tmp/cert.pem
+ printf "%b" "$CERT_BUNDLE_PATH" > /tmp/cert.pem
 CURL_FLAGS="$CURL_FLAGS --cacert /tmp/cert.pem"
 elif [ -n "$CERT_BUNDLE_URL" ]; then
 echo "Attempting to download certificate from $CERT_BUNDLE_URL..."
diff --git a/k8s-risk-assessment-job/templates/cronjob.yaml b/k8s-risk-assessment-job/templates/cronjob.yaml
index d5ce0cb..856db8d 100644
--- a/k8s-risk-assessment-job/templates/cronjob.yaml
+++ b/k8s-risk-assessment-job/templates/cronjob.yaml
@@ -52,7 +52,7 @@ spec:
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label }}
 - name: CERT_BUNDLE_PATH
- value: {{ .Values.accuknox.certBundlePath }}
+ value: {{ .Values.accuknox.certBundlePath | quote }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
diff --git a/k8s-risk-assessment-job/templates/job.yaml b/k8s-risk-assessment-job/templates/job.yaml
index ce5c8b0..b587ec5 100644
--- a/k8s-risk-assessment-job/templates/job.yaml
+++ b/k8s-risk-assessment-job/templates/job.yaml
@@ -46,7 +46,7 @@ spec:
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label }}
 - name: CERT_BUNDLE_PATH
- value: {{ .Values.accuknox.certBundlePath }}
+ value: {{ .Values.accuknox.certBundlePath | quote }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
diff --git a/k8tls-job/templates/k8tls-cronjob.yaml b/k8tls-job/templates/k8tls-cronjob.yaml
index 359a6ce..84dd148 100644
--- a/k8tls-job/templates/k8tls-cronjob.yaml
+++ b/k8tls-job/templates/k8tls-cronjob.yaml
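Review bot: `printf "%b"` expands backslash escapes in the bundle text, presumably so that a value supplied with literal `\n` sequences (for example via `--set`) still becomes a multi-line PEM, but that intent is recorded nowhere and `%b` also mangles any literal backslash in the value; add a comment above the line such as `# Value is PEM text, not a path; %b turns literal \n in single-line --set values into real newlines (| quote in the templates already preserves multi-line values)`. The surrounding log line still says "content from CERT_BUNDLE_PATH" and the branch comment still says "if CERT_BUNDLE_PATH is provided", both of which keep implying a filesystem path.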
@@ -57,7 +57,7 @@ spec:
 - name: LABEL_NAME
 value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }}
 - name: CERT_BUNDLE_PATH
- value: {{ .Values.accuknox.certBundlePath }}
+ value: {{ .Values.accuknox.certBundlePath | quote }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
diff --git a/k8tls-job/templates/k8tls-job.yaml b/k8tls-job/templates/k8tls-job.yaml
index 4d2583c..b34898f 100644
--- a/k8tls-job/templates/k8tls-job.yaml
+++ b/k8tls-job/templates/k8tls-job.yaml
@@ -27,7 +27,7 @@ spec:
 - name: LABEL_NAME
 value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }}
 - name: CERT_BUNDLE_PATH
- value: {{ .Values.accuknox.certBundlePath }}
+ value: {{ .Values.accuknox.certBundlePath | quote }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
diff --git a/kiem-job/templates/deployment.yaml b/kiem-job/templates/deployment.yaml
index 64069dc..45318cb 100644
--- a/kiem-job/templates/deployment.yaml
+++ b/kiem-job/templates/deployment.yaml
@@ -42,7 +42,7 @@ spec:
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label | quote}}
 - name: CERT_BUNDLE_PATH
- value: {{ .Values.accuknox.certBundlePath }}
+ value: {{ .Values.accuknox.certBundlePath | quote }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
diff --git a/kiem-job/templates/job.yaml b/kiem-job/templates/job.yaml
index 89a7eae..beaa922 100644
--- a/kiem-job/templates/job.yaml
+++ b/kiem-job/templates/job.yaml
@@ -37,7 +37,7 @@ spec:
 - name: LABEL_NAME
 value: {{ .Values.accuknox.label | quote}}
 - name: CERT_BUNDLE_PATH
- value: {{ .Values.accuknox.certBundlePath }}
+ value: {{ .Values.accuknox.certBundlePath | quote }}
 - name: CERT_BUNDLE_URL
 value: {{ .Values.accuknox.certBundleURL }}
 - name: USE_INSECURE_CONNECTION
From 8931a583e3ce5ecc48f071c39955cb29d6d9b246 Mon Sep 17 00:00:00 2001
From: surya9839
Date: Tue, 29 Oct 2024 16:37:32 +0530
Subject: [PATCH 16/16] changes for local cert
---
 cis-k8s-job/templates/cis-corn-job.yaml | 2 +-
 cis-k8s-job/templates/cis-job.yaml | 2 +-
 cis-k8s-job/values.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cis-k8s-job/templates/cis-corn-job.yaml b/cis-k8s-job/templates/cis-corn-job.yaml
index 5e8d276..7609ec6 100644
--- a/cis-k8s-job/templates/cis-corn-job.yaml
+++ b/cis-k8s-job/templates/cis-corn-job.yaml
@@ -28,7 +28,7 @@ spec:
 - name: TENANT_ID
 value: {{ .Values.accuknox.tenantID | quote}}
 - name: URL
- value: {{ .Values.accuknox.url }}
+ value: {{ .Values.accuknox.URL }}
 - name: CERT_BUNDLE_PATH
 value: {{ .Values.accuknox.certBundlePath | quote }}
 - name: CERT_BUNDLE_URL
diff --git a/cis-k8s-job/templates/cis-job.yaml b/cis-k8s-job/templates/cis-job.yaml
index 7373e11..4f6eb46 100644
--- a/cis-k8s-job/templates/cis-job.yaml
+++ b/cis-k8s-job/templates/cis-job.yaml
@@ -28,7 +28,7 @@ spec:
 - name: TENANT_ID
 value: {{ .Values.accuknox.tenantID | quote}}
 - name: URL
- value: {{ .Values.accuknox.url }}
+ value: {{ .Values.accuknox.URL }}
 - name: CERT_BUNDLE_PATH
 value: {{ .Values.accuknox.certBundlePath | quote }}
 - name: CERT_BUNDLE_URL
diff --git a/cis-k8s-job/values.yaml b/cis-k8s-job/values.yaml
index 5fa9b3e..e92514f 100644
--- a/cis-k8s-job/values.yaml
+++ b/cis-k8s-job/values.yaml
@@ -9,7 +9,7 @@ accuknox:
 label: ""
 clusterID: ""
 tenantID: ""
- url: "cspm.demo.accuknox.com"
+ URL: "cspm.demo.accuknox.com"
 certBundlePath: "" # Set this for cert local path if needed .
 certBundleURL: "" # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
 useInsecureConnection: false # Set to true if insecure connection is needed