feat: add vcn-metadata-attributes

Signed-off-by: Christian Kotzbauer <[email protected]>

internal/job/job.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	batchv1 "k8s.io/api/batch/v1"
+	corev1 "k8s.io/api/core/v1"
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/ckotzbauer/sbom-operator/internal"
@@ -17,11 +18,18 @@ import (
 	"github.com/spf13/viper"
 )
 
+type imagePod struct {
+	Pod       string `json:"pod"`
+	Namespace string `json:"namespace"`
+	Cluster   string `json:"cluster"`
+}
+
 type imageConfig struct {
-	Host     string `json:"registry-host"`
-	User     string `json:"registry-user"`
-	Password string `json:"registry-password"`
-	Image    string `json:"image"`
+	Host     string     `json:"registry-host"`
+	User     string     `json:"registry-user"`
+	Password string     `json:"registry-password"`
+	Image    string     `json:"image"`
+	Pods     []imagePod `json:"pods"`
 }
 
 func StartJob(k8s *kubernetes.KubeClient, images map[string]kubernetes.ContainerImage) (*batchv1.Job, error) {
@@ -43,6 +51,7 @@ func StartJob(k8s *kubernetes.KubeClient, images map[string]kubernetes.Container
 			User:     cfg.Username,
 			Password: cfg.Password,
 			Image:    image.ImageID,
+			Pods:     convertPods(image.Pods),
 		})
 	}
 
@@ -111,3 +120,17 @@ func getJobEnvs() map[string]string {
 
 	return m
 }
+
+func convertPods(pods []corev1.Pod) []imagePod {
+	ips := make([]imagePod, 0)
+
+	for _, p := range pods {
+		ips = append(ips, imagePod{
+			Pod:       p.Name,
+			Namespace: p.Namespace,
+			Cluster:   viper.GetString(internal.ConfigKeyKubernetesClusterId),
+		})
+	}
+
+	return ips
+}

job-images/example-image-config.json

@@ -3,12 +3,26 @@
         "registry-host": "ghcr.io",
         "registry-user": "",
         "registry-password": "",
-        "image": "ghcr.io/ckotzbauer/sbom-operator:0.8.0"
+        "image": "ghcr.io/ckotzbauer/sbom-operator:0.8.0",
+        "pods": [
+            {
+                "pod": "sbom-operator-5d45c5d7f4-jflnq",
+                "namespace": "sbom",
+                "cluster": "default"
+            }
+        ]
     },
     {
         "registry-host": "docker.io",
         "registry-user": "",
         "registry-password": "",
-        "image": "docker.io/alpine:3.15.4"
+        "image": "docker.io/alpine:3.15.4",
+        "pods": [
+            {
+                "pod": "test-pod",
+                "namespace": "default",
+                "cluster": "default"
+            }
+        ]
     }
 ]

job-images/vcn/Dockerfile

@@ -1,6 +1,7 @@
+FROM codenotary/vcn:0.9.13 as vcn
 FROM docker:20.10.14-dind
 
-COPY vcn-v0.9.14-linux-amd64 /usr/local/bin/vcn
+COPY --from=vcn /bin/vcn /bin/vcn
 COPY entrypoint.sh /
 
 RUN mkdir .vcn && \

job-images/vcn/entrypoint.sh

@@ -22,6 +22,7 @@ for img in $(echo "${CONFIG}" | jq -r '.[] | @base64'); do
     USER=$(_jq '."registry-user"')
     PASSWORD=$(_jq '."registry-password"')
     IMAGE=$(_jq '."image"')
+    PODS=$(_jq '."pods"')
     echo "Process image ${IMAGE}"
 
     if [ ! -z "${USER}" ] && [ ! -z "${PASSWORD}" ]
@@ -30,8 +31,16 @@ for img in $(echo "${CONFIG}" | jq -r '.[] | @base64'); do
         docker login -u "${USER}" -p "${PASSWORD}" "${HOST}"
     fi
 
+    # Join Pods, Namespaces and Clusters with "," and form the attributes for notarization.
+    POD_STRING=$(echo $PODS | jq -r '[.[].pod] | join(",")')
+    NAMESPACE_STRING=$(echo $PODS | jq -r '[.[].namespace] | join(",")')
+    CLUSTER_STRING=$(echo $PODS | jq -r '[.[].cluster] | join(",")')
+
+    VCN_ATTR="--attr pod=${POD_STRING} --attr namespace=${NAMESPACE_STRING} --attr cluster=${CLUSTER_STRING}"
+    VCN_ARGS=("${VCN_ATTR}" "${VCN_EXTRA_ARGS:-""}" --bom docker://"${IMAGE}")
+
     docker pull "${IMAGE}" -q
-    vcn notarize --bom "docker://${IMAGE}" "${VCN_EXTRA_ARGS:-''}"
+    vcn notarize ${VCN_ARGS[@]}
     docker rm -f $(docker ps -aq)
     docker rmi "${IMAGE}"