⭐️ Enable cnspec by default (#730)

* enable cnspec by default and cleanup extra test logic

Signed-off-by: Ivan Milchev <[email protected]>

* fix workflow references

Signed-off-by: Ivan Milchev <[email protected]>

Signed-off-by: Ivan Milchev <[email protected]>

.github/workflows/cloud-tests.yaml

@@ -5,11 +5,11 @@ on:
     - cron: '0 23 * * 0'
   workflow_dispatch:
     inputs:
-      mondooClientImageTag:
+      cnspecImageTag:
         required: true
         type: string
         default: edge-latest-rootless
-        description: The image tag to use for the mondoo client image
+        description: The image tag to use for the cnspec image
       mondooOperatorImageTag:
         required: true
         type: string
@@ -35,7 +35,7 @@ on:
 
 env:
   MONDOO_OPERATOR_IMAGE_TAG: ${{ github.event.inputs.mondooOperatorImageTag || 'main' }}
-  MONDOO_CLIENT_IMAGE_TAG: ${{ github.event.inputs.mondooClientImageTag || 'edge-latest-rootless' }}
+  CNSPEC_IMAGE_TAG: ${{ github.event.inputs.cnspecImageTag || 'edge-latest-rootless' }}
 
 jobs:
   aks-integration-test:

.github/workflows/edge-integration-tests.yaml

@@ -2,16 +2,16 @@ name: Edge integration tests
 on:
   workflow_dispatch:
     inputs:
-      mondooClientImageTag:
-        description: "The Mondoo client image tag to be used for the integration tests"
+      cnspecImageTag:
+        description: "The cnspec image tag to be used for the integration tests"
         required: true
         type: string
 
 jobs:
   integration-tests:
     uses: ./.github/workflows/integration-tests.yaml
     with:
-      mondooClientImageTag: ${{ github.event.inputs.mondooClientImageTag }}
+      cnspecImageTag: ${{ github.event.inputs.cnspecImageTag }}
       useEdge: true
     secrets: inherit
 

.github/workflows/integration-tests.yaml

@@ -2,7 +2,7 @@ name: Integration tests
 on:
   workflow_call:
     inputs:
-      mondooClientImageTag:
+      cnspecImageTag:
         required: true
         type: string
       useEdge:
@@ -16,7 +16,7 @@ on:
         required: true
 
 env:
-  MONDOO_CLIENT_IMAGE_TAG: ${{ github.event.inputs.mondooClientImageTag }}
+  CNSPEC_IMAGE_TAG: ${{ github.event.inputs.cnspecImageTag }}
 
 # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
 permissions:

.github/workflows/tests-forks.yaml

@@ -54,5 +54,5 @@ jobs:
     if: needs.unit-tests.result == 'success'
     uses: ./.github/workflows/integration-tests.yaml
     with:
-      mondooClientImageTag: ""
+      cnspecImageTag: ""
     secrets: inherit

.github/workflows/tests.yaml

@@ -30,5 +30,5 @@ jobs:
     if: needs.unit-tests.result == 'success'
     uses: ./.github/workflows/integration-tests.yaml
     with:
-      mondooClientImageTag: ""
+      cnspecImageTag: ""
     secrets: inherit

config/manager/manager.yaml

@@ -43,6 +43,8 @@ spec:
         env:
         - name: FEATURE_ENABLE_GARBAGE_COLLECTION
           value: "1"
+        - name: FEATURE_ENABLE_CNSPEC
+          value: "1"
         image: controller:latest
         imagePullPolicy: IfNotPresent
         name: manager

tests/framework/installer/installer.go

@@ -14,10 +14,8 @@ import (
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
 	"go.mondoo.com/mondoo-operator/tests/framework/utils"
 	"go.uber.org/zap"
-	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
 )
 
 const (
@@ -93,30 +91,6 @@ func (i *MondooInstaller) InstallOperator() error {
 		return err
 	}
 
-	// Set the cnspec feature flag for the operator if cnspec is enabled
-	if i.Settings.enableCnspec {
-		zap.S().Info("cnspec enabled for test suite")
-		ctx := context.Background()
-
-		err := i.K8sHelper.ExecuteWithRetries(func() (bool, error) {
-			dep := &appsv1.Deployment{}
-			if err := i.K8sHelper.Clientset.Get(ctx, types.NamespacedName{Namespace: i.Settings.Namespace, Name: "mondoo-operator-controller-manager"}, dep); err != nil {
-				zap.S().Warnf("failed to get mondoo-operator-controller-manager deployment: %v", err)
-				return false, nil
-			}
-
-			dep.Spec.Template.Spec.Containers[0].Env = append(dep.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{Name: "FEATURE_ENABLE_CNSPEC", Value: "1"})
-			if err := i.K8sHelper.Clientset.Update(ctx, dep); err != nil {
-				zap.S().Warnf("failed to update mondoo-operator-controller-manager deployment: %v", err)
-				return false, nil
-			}
-			return true, nil
-		})
-		if err != nil {
-			return err
-		}
-	}
-
 	watchLabel := "app.kubernetes.io/name=mondoo-operator"
 	if !i.K8sHelper.IsPodReady(watchLabel, i.Settings.Namespace) {
 		return fmt.Errorf("mondoo operator is not in a ready state")

tests/framework/installer/settings.go

@@ -12,16 +12,6 @@ type Settings struct {
 	Namespace      string
 	token          string
 	installRelease bool
-	enableCnspec   bool
-}
-
-func (s Settings) EnableCnspec() Settings {
-	s.enableCnspec = true
-	return s
-}
-
-func (s Settings) GetEnableCnspec() bool {
-	return s.enableCnspec
 }
 
 func (s Settings) SetToken(token string) Settings {

tests/framework/utils/audit_config.go

@@ -12,25 +12,25 @@ import (
 )
 
 const (
-	MondooClientSecret         = "mondoo-client"
-	MondooTokenSecret          = "mondoo-token"
-	MondooClientImageTagEnvVar = "MONDOO_CLIENT_IMAGE_TAG"
+	MondooClientSecret   = "mondoo-client"
+	MondooTokenSecret    = "mondoo-token"
+	CnspecImageTagEnvVar = "CNSPEC_IMAGE_TAG"
 )
 
-var mondooClientImageTag = ""
+var cnspecImageTag = ""
 
 func init() {
-	imageTag, ok := os.LookupEnv(MondooClientImageTagEnvVar)
+	imageTag, ok := os.LookupEnv(CnspecImageTagEnvVar)
 	if ok {
-		mondooClientImageTag = imageTag
+		cnspecImageTag = imageTag
 	}
 }
 
 // DefaultAuditConfigMinimal returns a new Mondoo audit config with minimal default settings to
 // make sure a test passes (e.g. setting the correct secret name). Values which have defaults are not set.
 // This means that using this function in unit tests might result in strange behavior. For unit tests use
 // DefaultAuditConfig instead.
-func DefaultAuditConfigMinimal(ns string, workloads, nodes, admission, enableCnspec, consoleIntegration bool) mondoov2.MondooAuditConfig {
+func DefaultAuditConfigMinimal(ns string, workloads, nodes, admission, consoleIntegration bool) mondoov2.MondooAuditConfig {
 	auditConfig := mondoov2.MondooAuditConfig{
 		ObjectMeta: v1.ObjectMeta{
 			Name:      "mondoo-client",
@@ -47,9 +47,9 @@ func DefaultAuditConfigMinimal(ns string, workloads, nodes, admission, enableCns
 	}
 
 	// cnspec doesn't get edge releases at the moment, so we cannot test that
-	if mondooClientImageTag != "" && !enableCnspec {
-		auditConfig.Spec.Scanner.Image.Tag = mondooClientImageTag
-		zap.S().Infof("Using image %s:%s for mondoo-client", mondoo.MondooClientImage, mondooClientImageTag)
+	if cnspecImageTag != "" {
+		auditConfig.Spec.Scanner.Image.Tag = cnspecImageTag
+		zap.S().Infof("Using image %s:%s for mondoo-client", mondoo.MondooClientImage, cnspecImageTag)
 	}
 
 	return auditConfig

tests/integration/audit_config_base_suite.go

@@ -49,7 +49,6 @@ type AuditConfigBaseSuite struct {
 	testCluster    *TestCluster
 	auditConfig    mondoov2.MondooAuditConfig
 	installRelease bool
-	enableCnspec   bool
 }
 
 func (s *AuditConfigBaseSuite) SetupSuite() {
@@ -59,10 +58,6 @@ func (s *AuditConfigBaseSuite) SetupSuite() {
 		settings = installer.NewReleaseSettings()
 	}
 
-	if s.enableCnspec {
-		settings = settings.EnableCnspec()
-	}
-
 	s.testCluster = StartTestCluster(s.ctx, settings, s.T)
 }
 

tests/integration/audit_config_namespace_test.go

@@ -76,27 +76,27 @@ func (s *AuditConfigCustomNamespaceSuite) TearDownSuite() {
 }
 
 func (s *AuditConfigCustomNamespaceSuite) TestReconcile_KubernetesResources() {
-	auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, true, false, false, s.testCluster.Settings.GetEnableCnspec(), false)
+	auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, true, false, false, false)
 	auditConfig.Spec.KubernetesResources.ContainerImageScanning = true
 	auditConfig.Spec.Scanner.ServiceAccountName = s.sa.Name
 	s.testMondooAuditConfigKubernetesResources(auditConfig)
 }
 
 func (s *AuditConfigCustomNamespaceSuite) TestReconcile_Nodes() {
-	auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, false, true, false, s.testCluster.Settings.GetEnableCnspec(), false)
+	auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, false, true, false, false)
 	auditConfig.Spec.Scanner.ServiceAccountName = s.sa.Name
 	s.testMondooAuditConfigNodes(auditConfig)
 }
 
 func (s *AuditConfigCustomNamespaceSuite) TestReconcile_Admission() {
-	auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, false, false, true, s.testCluster.Settings.GetEnableCnspec(), false)
+	auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, false, false, true, false)
 	auditConfig.Spec.Scanner.ServiceAccountName = s.sa.Name
 	auditConfig.Spec.Admission.ServiceAccountName = s.webhookServiceAccount.Name
 	s.testMondooAuditConfigAdmission(auditConfig)
 }
 
 func (s *AuditConfigCustomNamespaceSuite) TestReconcile_AdmissionMissingSA() {
-	auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, false, false, true, s.testCluster.Settings.GetEnableCnspec(), false)
+	auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, false, false, true, false)
 	auditConfig.Spec.Scanner.ServiceAccountName = "missing-serviceaccount"
 	auditConfig.Spec.Admission.ServiceAccountName = s.webhookServiceAccount.Name
 	s.testMondooAuditConfigAdmissionMissingSA(auditConfig)

tests/integration/audit_config_test.go

@@ -15,34 +15,34 @@ type AuditConfigSuite struct {
 }
 
 func (s *AuditConfigSuite) TestReconcile_AllDisabled() {
-	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, false, s.testCluster.Settings.GetEnableCnspec(), false)
+	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, false, false)
 	s.testMondooAuditConfigAllDisabled(auditConfig)
 }
 
 func (s *AuditConfigSuite) TestReconcile_KubernetesResources() {
-	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, true, false, false, s.testCluster.Settings.GetEnableCnspec(), false)
+	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, true, false, false, false)
 	auditConfig.Spec.KubernetesResources.ContainerImageScanning = true
 	s.testMondooAuditConfigKubernetesResources(auditConfig)
 }
 
 func (s *AuditConfigSuite) TestReconcile_Nodes() {
-	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, true, false, s.testCluster.Settings.GetEnableCnspec(), false)
+	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, true, false, false)
 	s.testMondooAuditConfigNodes(auditConfig)
 }
 
 func (s *AuditConfigSuite) TestReconcile_AdmissionPermissive() {
-	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, true, s.testCluster.Settings.GetEnableCnspec(), false)
+	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, true, false)
 	s.testMondooAuditConfigAdmission(auditConfig)
 }
 
 func (s *AuditConfigSuite) TestReconcile_AdmissionEnforcing() {
-	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, true, s.testCluster.Settings.GetEnableCnspec(), false)
+	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, true, false)
 	auditConfig.Spec.Admission.Mode = v1alpha2.Enforcing
 	s.testMondooAuditConfigAdmission(auditConfig)
 }
 
 func (s *AuditConfigSuite) TestReconcile_AdmissionEnforcingScaleDownScanApi() {
-	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, true, s.testCluster.Settings.GetEnableCnspec(), false)
+	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, true, false)
 	auditConfig.Spec.Admission.Mode = v1alpha2.Enforcing
 	auditConfig.Spec.Admission.Replicas = pointer.Int32(1)
 	auditConfig.Spec.Scanner.Replicas = pointer.Int32(1)

tests/integration/audit_config_upgrade_test.go

@@ -24,7 +24,7 @@ func (s *AuditConfigUpgradeSuite) TearDownSuite() {
 }
 
 func (s *AuditConfigUpgradeSuite) TestUpgradePreviousReleaseToLatest() {
-	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, true, true, true, s.testCluster.Settings.GetEnableCnspec(), false)
+	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, true, true, true, false)
 	s.testUpgradePreviousReleaseToLatest(auditConfig)
 }
 

tests/integration/e2e_test.go

@@ -109,7 +109,7 @@ func (s *E2eTestSuite) AfterTest(suiteName, testName string) {
 }
 
 func (s *E2eTestSuite) TestE2e_NodeScan() {
-	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, true, false, s.testCluster.Settings.GetEnableCnspec(), true)
+	auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, true, false, true)
 
 	s.testMondooAuditConfigNodes(auditConfig)