accuknox · SujithKasireddy · Nov 11, 2024 · Sep 4, 2024 · Sep 4, 2024 · Sep 4, 2024
diff --git a/.DS_Store b/.DS_Store
diff --git a/Dockerfile b/Dockerfile
@@ -2,5 +2,9 @@ FROM alpine:latest
 
 RUN apk --update add jq curl
 COPY entrypoint.sh .
+COPY curl_command.sh .
+
+# Grant execute permissions to the scripts
+RUN chmod +x entrypoint.sh curl_command.sh
 
 ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
diff --git a/cis-k8s-job/.DS_Store b/cis-k8s-job/.DS_Store
diff --git a/cis-k8s-job/templates/cis-corn-job.yaml b/cis-k8s-job/templates/cis-corn-job.yaml
@@ -13,7 +13,7 @@ spec:
           containers:
           - image: accuknox/accuknox-job:latest
             command: ["/bin/sh", "-c"]
-            args: ['/bin/sh entrypoint.sh && curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"./data/report.json\"" && cat /data/report.json']
+            args: ['/bin/sh entrypoint.sh && ./curl_command.sh']
             name: cis-k8s-cronjob
             resources: {}
             env:
@@ -24,11 +24,19 @@ spec:
               - name: LABEL_NAME
                 value: {{ .Values.accuknox.label }}
               - name: CLUSTER_ID
-                value: {{ .Values.accuknox.clusterId }}
+                value: {{ .Values.accuknox.clusterID }}
               - name: TENANT_ID
-                value: {{ .Values.accuknox.tenantId | quote}}
+                value: {{ .Values.accuknox.tenantID | quote}}
               - name: URL
-                value: {{ .Values.accuknox.url }}
+                value: {{ .Values.accuknox.URL }}
+              - name: CERT_BUNDLE_PATH
+                value: {{ .Values.accuknox.certBundlePath | quote }}
+              - name: CERT_BUNDLE_URL
+                value: {{ .Values.accuknox.certBundleURL }}
+              - name: USE_INSECURE_CONNECTION
+                value: {{ .Values.accuknox.useInsecureConnection | quote }}
+              - name: DATA_TYPE
+                value: "KB"
             volumeMounts:
             - mountPath: /data
               name: datapath

diff --git a/cis-k8s-job/templates/cis-job.yaml b/cis-k8s-job/templates/cis-job.yaml
@@ -13,7 +13,7 @@ spec:
       containers:
       - image: accuknox/accuknox-job:latest
         command: ["/bin/sh", "-c"]
-        args: ['/bin/sh entrypoint.sh && curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"./data/report.json\"" && cat /data/report.json']
+        args: ['/bin/sh entrypoint.sh && ./curl_command.sh']
         name: cis-k8s-cronjob
         resources: {}
         env:
@@ -24,11 +24,19 @@ spec:
           - name: LABEL_NAME
             value: {{ .Values.accuknox.label }}
           - name: CLUSTER_ID
-            value: {{ .Values.accuknox.clusterId }}
+            value: {{ .Values.accuknox.clusterID }}
           - name: TENANT_ID
-            value: {{ .Values.accuknox.tenantId | quote}}
+            value: {{ .Values.accuknox.tenantID | quote}}
           - name: URL
-            value: {{ .Values.accuknox.url }}
+            value: {{ .Values.accuknox.URL }}
+          - name: CERT_BUNDLE_PATH
+            value: {{ .Values.accuknox.certBundlePath | quote }}
+          - name: CERT_BUNDLE_URL
+            value: {{ .Values.accuknox.certBundleURL }}
+          - name: USE_INSECURE_CONNECTION
+            value: {{ .Values.accuknox.useInsecureConnection | quote }}
+          - name: DATA_TYPE
+            value: "KB"
         volumeMounts:
         - mountPath: /data
           name: datapath

diff --git a/cis-k8s-job/values.yaml b/cis-k8s-job/values.yaml
@@ -7,6 +7,10 @@ accuknox:
   cronTab: "30 9 * * *"
   clusterName: ""
   label: ""
-  clusterId: ""
-  tenantId: ""
-  url: "cspm.demo.accuknox.com"
+  clusterID: ""
+  tenantID: ""
+  URL: "cspm.demo.accuknox.com"
+  certBundlePath: ""  # Set this for cert local path if needed .
+  certBundleURL: ""  # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
+  useInsecureConnection: false  # Set to true if insecure connection is needed
+
diff --git a/curl_command.sh b/curl_command.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Initialize CURL_FLAGS to handle both insecure and certificate usage
+CURL_FLAGS=""
+
+# Always add --insecure if USE_INSECURE_CONNECTION is true
+if [ "$USE_INSECURE_CONNECTION" = "true" ]; then
+    CURL_FLAGS="$CURL_FLAGS --insecure"
+fi
+
+# Add certificate flags if CERT_BUNDLE_PATH is provided
+if [ -n "$CERT_BUNDLE_PATH" ]; then
+    echo "Using in-line certificate content from CERT_BUNDLE_PATH..."
+    printf "%b" "$CERT_BUNDLE_PATH" > /tmp/cert.pem
+    CURL_FLAGS="$CURL_FLAGS --cacert /tmp/cert.pem"
+elif [ -n "$CERT_BUNDLE_URL" ]; then
+    echo "Attempting to download certificate from $CERT_BUNDLE_URL..."
+    if curl -o /tmp/cert.pem "$CERT_BUNDLE_URL"; then
+        CURL_FLAGS="$CURL_FLAGS --cacert /tmp/cert.pem"
+    else
+        echo "Certificate not available or failed to download."
+    fi
+fi
+
+# main curl command
+curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=${DATA_TYPE}&label_id=${LABEL_NAME}&save_to_s3=true" \
+    --header "Tenant-Id: ${TENANT_ID}" \
+    --header "Authorization: Bearer ${AUTH_TOKEN}" \
+    $CURL_FLAGS \
+    --form "file=@/data/report.json"
+
+# Print the report
+cat /data/report.json
+
diff --git a/k8s-risk-assessment-job/templates/configmap.yaml b/k8s-risk-assessment-job/templates/configmap.yaml
@@ -33,8 +33,5 @@ data:
     cat /data/report.json
 
     # push
-    curl --location --request POST \
-    --header "Authorization: Bearer ${AUTH_TOKEN}" \
-    --header "Tenant-Id: ${TENANT_ID}" \
-    --form "file=@\"/data/report.json\"" \
-    "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KS&save_to_s3=false&label_id=${LABEL_NAME}"
+
+    /curl_command.sh
diff --git a/k8s-risk-assessment-job/templates/cronjob.yaml b/k8s-risk-assessment-job/templates/cronjob.yaml
@@ -51,6 +51,14 @@ spec:
                   value: {{ .Values.accuknox.clusterID | quote }}
                 - name: LABEL_NAME
                   value: {{ .Values.accuknox.label }}
+                - name: CERT_BUNDLE_PATH
+                  value: {{ .Values.accuknox.certBundlePath | quote }}
+                - name: CERT_BUNDLE_URL
+                  value: {{ .Values.accuknox.certBundleURL }}
+                - name: USE_INSECURE_CONNECTION
+                  value: {{ .Values.accuknox.useInsecureConnection | quote }}
+                - name: DATA_TYPE
+                  value: "KS"
               volumeMounts:
                 - mountPath: /data
                   name: datapath

diff --git a/k8s-risk-assessment-job/templates/job.yaml b/k8s-risk-assessment-job/templates/job.yaml
@@ -45,6 +45,14 @@ spec:
               value: {{ .Values.accuknox.clusterID | quote }}
             - name: LABEL_NAME
               value: {{ .Values.accuknox.label }}
+            - name: CERT_BUNDLE_PATH
+              value: {{ .Values.accuknox.certBundlePath | quote }}
+            - name: CERT_BUNDLE_URL
+              value: {{ .Values.accuknox.certBundleURL }}
+            - name: USE_INSECURE_CONNECTION
+              value: {{ .Values.accuknox.useInsecureConnection | quote }}
+            - name: DATA_TYPE
+              value: "KS"
           volumeMounts:
             - mountPath: /data
               name: datapath

diff --git a/k8s-risk-assessment-job/values.yaml b/k8s-risk-assessment-job/values.yaml
@@ -18,3 +18,7 @@ accuknox:
   clusterID: 0
   label: ""
   secretName: ""
+  certBundlePath: ""  # Set this for cert local path if needed .
+  certBundleURL: ""  # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
+  useInsecureConnection: false  # Set to true if insecure connection is needed
+
diff --git a/k8tls-job/templates/k8tls-cronjob.yaml b/k8tls-job/templates/k8tls-cronjob.yaml
@@ -42,7 +42,7 @@ spec:
           containers:
           - image: accuknox/accuknox-job:latest
             command: ["/bin/sh", "-c"]
-            args: ['curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=K8TLS&save_to_s3=false" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\"" && cat /data/report.json']
+            args: ['./curl_command.sh']
             name: k8tls-job
             resources: {}
             env:
@@ -56,6 +56,14 @@ spec:
                 value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
               - name: LABEL_NAME
                 value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }}
+              - name: CERT_BUNDLE_PATH
+                value: {{ .Values.accuknox.certBundlePath | quote }}    
+              - name: CERT_BUNDLE_URL
+                value: {{ .Values.accuknox.certBundleURL }}
+              - name: USE_INSECURE_CONNECTION
+                value: {{ .Values.accuknox.useInsecureConnection | quote }}
+              - name: DATA_TYPE
+                value: "K8TLS"
             volumeMounts:
               - mountPath: /data
                 name: datapath

diff --git a/k8tls-job/templates/k8tls-job.yaml b/k8tls-job/templates/k8tls-job.yaml
@@ -12,7 +12,7 @@ spec:
       containers:
       - image: accuknox/accuknox-job:latest
         command: ["/bin/sh", "-c"]
-        args: ['curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=K8TLS&save_to_s3=false" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\"" && cat /data/report.json']
+        args: ['./curl_command.sh']
         name: k8tls-job
         resources: {}
         env:
@@ -26,6 +26,14 @@ spec:
             value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
           - name: LABEL_NAME
             value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }}
+          - name: CERT_BUNDLE_PATH
+            value: {{ .Values.accuknox.certBundlePath | quote }}   
+          - name: CERT_BUNDLE_URL
+            value: {{ .Values.accuknox.certBundleURL }}
+          - name: USE_INSECURE_CONNECTION
+            value: {{ .Values.accuknox.useInsecureConnection | quote }}
+          - name: DATA_TYPE
+            value: "K8TLS"
         volumeMounts:
           - mountPath: /data
             name: datapath

diff --git a/k8tls-job/values.yaml b/k8tls-job/values.yaml
@@ -9,3 +9,6 @@ accuknox:
   clusterName: ""
   label: ""
   URL: "cspm.demo.accuknox.com"
+  certBundlePath: ""  # Set this for cert local path if needed .
+  certBundleURL: ""  # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
+  useInsecureConnection: false  # Set to true if insecure connection is needed
diff --git a/kiem-job/templates/deployment.yaml b/kiem-job/templates/deployment.yaml
@@ -26,7 +26,8 @@ spec:
                   mountPath: /data
           containers:
             - image: accuknox/accuknox-job:latest
-              command: ['sh', '-c', 'curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KIEM&save_to_s3=false&label_id=${LABEL_NAME}" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\""']
+              command: ["/bin/sh", "-c"]
+              args: ['./curl_command.sh']
               name: accuknox-kiem-cronjob
               resources: {}
               env:
@@ -40,6 +41,14 @@ spec:
                   value: {{ .Values.accuknox.clusterName }}
                 - name: LABEL_NAME
                   value: {{ .Values.accuknox.label | quote}}
+                - name: CERT_BUNDLE_PATH
+                  value: {{ .Values.accuknox.certBundlePath | quote }}                
+                - name: CERT_BUNDLE_URL
+                  value: {{ .Values.accuknox.certBundleURL }}
+                - name: USE_INSECURE_CONNECTION
+                  value: {{ .Values.accuknox.useInsecureConnection | quote }}
+                - name: DATA_TYPE
+                  value: "KIEM"
               volumeMounts:
                 - mountPath: /data
                   name: datapath      

diff --git a/kiem-job/templates/job.yaml b/kiem-job/templates/job.yaml
@@ -21,7 +21,8 @@ spec:
               mountPath: /data
       containers:
         - image: accuknox/accuknox-job:latest
-          command: ['sh', '-c', 'curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KIEM&save_to_s3=false&label_id=${LABEL_NAME}" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\""']
+          command: ["/bin/sh", "-c"]
+          args: ['./curl_command.sh']
           name: accuknox-kiem-job
           resources: {}
           env:
@@ -35,6 +36,14 @@ spec:
               value: {{ .Values.accuknox.clusterName }}
             - name: LABEL_NAME
               value: {{ .Values.accuknox.label | quote}}
+            - name: CERT_BUNDLE_PATH
+              value: {{ .Values.accuknox.certBundlePath | quote }}   
+            - name: CERT_BUNDLE_URL
+              value: {{ .Values.accuknox.certBundleURL }}
+            - name: USE_INSECURE_CONNECTION
+              value: {{ .Values.accuknox.useInsecureConnection | quote }}
+            - name: DATA_TYPE
+              value: "KIEM"
           volumeMounts:
             - mountPath: /data
               name: datapath      

diff --git a/kiem-job/values.yaml b/kiem-job/values.yaml
@@ -11,3 +11,6 @@ accuknox:
   cronTab: "30 9 * * *"
   clusterName: ""
   label: ""
+  certBundlePath: ""  # Set this for cert local path if needed .
+  certBundleURL: ""  # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
+  useInsecureConnection: false  # Set to true if insecure connection is needed