Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable scanning yaml that has been templated from a helm chart #62

Open
sudermanjr opened this issue Nov 19, 2021 · 6 comments
Open

Enable scanning yaml that has been templated from a helm chart #62

sudermanjr opened this issue Nov 19, 2021 · 6 comments
Labels
enhancement Adding additional functionality or improvements pinned Prevents stalebot from removing

Comments

@sudermanjr
Copy link
Member

Is your feature request related to a problem? Please describe.
If I generate my yaml and then apply it, there's no helm release object, rendering nova useless to me.

Describe the solution you'd like
If I want to maintain a repository of Yaml manifests that have been generated by a helm template command, the generated yaml will still generally have the helm annotations that say what chart it came from. Nova could detect that and do its magic after that. This could work on all in-cluster objects too, depending on what you wanted to give nova access to

Describe alternatives you've considered
This could be somewhat mitigated by #18 as well.

Additional context
Related to #45, which is working with a similar problem statement in that ArgoCD is in use. (I'm using argocd with the generated yaml manifests)

@sudermanjr sudermanjr added the enhancement Adding additional functionality or improvements label Nov 19, 2021
@jpelletier1
Copy link

Sounds like a great idea, and one that would expand Nova usage.

@github-actions github-actions bot added the stale Marked as stale by stalebot label Jan 19, 2022
@lucasreed lucasreed added the pinned Prevents stalebot from removing label Jan 27, 2022
@lucasreed lucasreed reopened this Jan 27, 2022
@lucasreed lucasreed removed the stale Marked as stale by stalebot label Jan 27, 2022
@HariSekhon
Copy link

HariSekhon commented Aug 23, 2022

FYI for the Kustomize-specific scenario in #141 I've created a CI/CD workflow that installs all kustomization.yaml apps and then runs Nova.

Right now it finds nothing because Nova must be looking for Helm release information, but once it starts scanning for applied templates via helm annotations I can use this workflow to immediately test it:

https://github.com/HariSekhon/Kubernetes-configs/runs/7971985694?check_suite_focus=true

@HariSekhon
Copy link

Ideally Nova could work on the resulting yaml by using the helm annotations to get the version information and compare that to upstream as that is much faster and more efficient and gives more options for CI/CD integration.

@HariSekhon
Copy link

HariSekhon commented Sep 1, 2022

For Kustomize I've also created another script kustomize_install_helm_charts.sh to parse out and install the Helm chart(s) the old-fashioned non-GitOps way using Helm CLI so that Nova can be run on it right now:

https://github.com/HariSekhon/DevOps-Bash-tools

I've used this in my Kubernetes repo's GitHub Actions CI/CD workflow and this works for me as a workaround until Nova can scan the helm release annotations from the Kubernetes objects instead:

https://github.com/HariSekhon/Kubernetes-configs/actions/workflows/nova.yaml

@frimik
Copy link

frimik commented Nov 20, 2023

Thinking a bit out loud here...

All my helm releases come from Jsonnet ( https://tanka.dev ) - so I guess I could theoretically craft my own helm.sh/release.v1 Secrets that Helm (and Nova) expects?

Update: Interesting, did not expect that. The helm release data in this secret contain ALOT... basically all of the manifests and some metadata. The problematic part for me is not that it's double base64 encoded, but that it's also gzipped.

After experimenting I find the gzip is optional. And only some of the data is necessary for nova find to work. This means I have a way forward with plain jsonnet.

@marianod92
Copy link

marianod92 commented Nov 9, 2024

Hi Guys,

Any update on this?

I'm working with ArgoCD + Kustomize. I'm able to run nova find --containers, but what I really need is to generate a report at the helm packages level. Since ArgoCD handles the installation on its own and the Helm Releases aren’t available via CLI, I’m unable to generate the report using nova find --helm.

Any workarounds for this?

image

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement Adding additional functionality or improvements pinned Prevents stalebot from removing
Projects
None yet
Development

No branches or pull requests

6 participants