Merge pull request #16 from kubewarden/artifacthub

 feat: Update artifacthub-pkg.yml automatically from now on

Author: viccuad

.github/workflows/release.yml

@@ -2,7 +2,6 @@ on:
   push:
     branches:
     - main
-    - master
     tags:
     - 'v*'
 
@@ -12,19 +11,18 @@ jobs:
 
   test:
     name: run tests and linters
-    uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v1
+    uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v3.1.0
 
   release:
     needs: test
     permissions:
-      # Required to create GH release
+      # Required to create GH releases
       contents: write
-      # Required to push to ghcr.io
+      # Required to push to GHCR
       packages: write
       # Required by cosign keyless signing
       id-token: write
 
-    uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-rust.yml@v1
+    uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-rust.yml@v3.1.0
     with:
-      input-wasm: env_variable_secrets_scanner_policy
       oci-target: ghcr.io/kubewarden/policies/env-variable-secrets-scanner

.github/workflows/test.yml

@@ -1,59 +1,6 @@
 on: [push, pull_request]
 name: Continuous integration
 jobs:
-  check:
-    name: Check
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - uses: actions-rs/cargo@v1
-        with:
-          command: check
   test:
-    name: Test Suite
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - uses: actions-rs/cargo@v1
-        with:
-          command: test
-  fmt:
-    name: Rustfmt
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - run: rustup component add rustfmt
-      - uses: actions-rs/cargo@v1
-        with:
-          command: fmt
-          args: --all -- --check
-  clippy:
-    name: Clippy
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - run: rustup component add clippy
-      - uses: actions-rs/cargo@v1
-        with:
-          command: clippy
-          args: -- -D warnings
+    name: run tests and linters
+    uses: kubewarden/github-actions/.github/workflows/[email protected]

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "env-variable-secrets-scanner-policy"
-version = "0.1.5"
+version = "0.1.6"
 authors = ["raulcabello <[email protected]>"]
 edition = "2018"
 

Cargo.toml

@@ -1,11 +1,16 @@
 SOURCE_FILES := $(shell test -e src/ && find src -type f)
+VERSION := $(shell sed --posix -n 's,^version = \"\(.*\)\",\1,p' Cargo.toml)
 
 policy.wasm: $(SOURCE_FILES) Cargo.*
 	cargo build --target=wasm32-wasi --release
 	cp target/wasm32-wasi/release/*.wasm policy.wasm
 
-annotated-policy.wasm: policy.wasm metadata.yml
-	kwctl annotate -m metadata.yml -o annotated-policy.wasm policy.wasm
+artifacthub-pkg.yml: metadata.yml Cargo.toml
+	kwctl scaffold artifacthub --metadata-path metadata.yml --version $(VERSION) \
+		--output artifacthub-pkg.yml
+
+annotated-policy.wasm: policy.wasm metadata.yml artifacthub-pkg.yml
+	kwctl annotate -m metadata.yml -u README.md -o annotated-policy.wasm policy.wasm
 
 .PHONY: fmt
 fmt:
@@ -26,4 +31,4 @@ test: fmt lint
 .PHONY: clean
 clean:
 	cargo clean
-	rm -f policy.wasm annotated-policy.wasm
+	rm -f policy.wasm annotated-policy.wasm artifacthub-pkg.yml

Makefile

@@ -1,14 +1,19 @@
----
-version: 0.1.5
+# Kubewarden Artifacthub Package config
+#
+# Use this config to submit the policy to https://artifacthub.io.
+#
+# This config can be saved to its default location with:
+#   kwctl scaffold artifacthub > artifacthub-pkg.yml 
+version: 0.1.6
 name: env-variable-secrets-scanner
 displayName: Environment Variable Secrets Scanner
-createdAt: '2023-02-06T16:46:21+02:00'
-description: Reject Pods that contain secrets in an environment variable
+createdAt: 2023-03-21T12:09:38.582789264Z
+description: Policy that inspects env vars and rejects a request if a secret was found
 license: Apache-2.0
 homeURL: https://github.com/kubewarden/env-variable-secrets-scanner-policy
 containersImages:
 - name: policy
-  image: "ghcr.io/kubewarden/policies/env-variable-secrets-scanner:v0.1.5"
+  image: ghcr.io/kubewarden/policies/env-variable-secrets-scanner:v0.1.6
 keywords:
 - secrets
 - api keys
@@ -18,32 +23,61 @@ keywords:
 - confidential data leak
 links:
 - name: policy
-  url: https://github.com/kubewarden/env-variable-secrets-scanner-policy/releases/download/v0.1.5/policy.wasm
+  url: https://github.com/kubewarden/env-variable-secrets-scanner-policy/releases/download/v0.1.6/policy.wasm
 - name: source
   url: https://github.com/kubewarden/env-variable-secrets-scanner-policy
+install: |
+  The policy can be obtained using [`kwctl`](https://github.com/kubewarden/kwctl):
+  ```console
+  kwctl pull ghcr.io/kubewarden/policies/env-variable-secrets-scanner:v0.1.6
+  ```
+maintainers:
+- name: Kubewarden developers
+  email: [email protected]
 provider:
   name: kubewarden
 recommendations:
 - url: https://artifacthub.io/packages/helm/kubewarden/kubewarden-controller
 annotations:
+  kubewarden/mutation: 'false'
   kubewarden/resources: Pod,Deployment,Replicaset,Statefulset,Daemonset,Replicationcontroller,Job,Cronjob
-  kubewarden/mutation: false
-  kubewarden/contextAware: false
   kubewarden/rules: |
-    rules:
-      - apiGroups: [""]
-        apiVersions: ["v1"]
-        resources: ["pods"]
-        operations: ["CREATE"] # kubernetes doesn't allow to add/remove privileged containers to an already running pod
-      - apiGroups: [""]
-        apiVersions: ["v1"]
-        resources: ["replicationcontrollers"]
-        operations: ["CREATE", "UPDATE"]
-      - apiGroups: ["apps"]
-        apiVersions: ["v1"]
-        resources: ["deployments","replicasets","statefulsets","daemonsets"]
-        operations: ["CREATE", "UPDATE"]
-      - apiGroups: ["batch"]
-        apiVersions: ["v1"]
-        resources: ["jobs","cronjobs"]
-        operations: ["CREATE", "UPDATE"]
+    - apiGroups:
+      - ''
+      apiVersions:
+      - v1
+      resources:
+      - pods
+      operations:
+      - CREATE
+    - apiGroups:
+      - ''
+      apiVersions:
+      - v1
+      resources:
+      - replicationcontrollers
+      operations:
+      - CREATE
+      - UPDATE
+    - apiGroups:
+      - apps
+      apiVersions:
+      - v1
+      resources:
+      - deployments
+      - replicasets
+      - statefulsets
+      - daemonsets
+      operations:
+      - CREATE
+      - UPDATE
+    - apiGroups:
+      - batch
+      apiVersions:
+      - v1
+      resources:
+      - jobs
+      - cronjobs
+      operations:
+      - CREATE
+      - UPDATE

artifacthub-pkg.yml

@@ -19,35 +19,15 @@ mutating: false
 contextAware: false
 executionMode: kubewarden-wapc
 annotations:
+  # artifacthub specific
+  io.artifacthub.displayName: Environment Variable Secrets Scanner
+  io.artifacthub.resources: Pod,Deployment,Replicaset,Statefulset,Daemonset,Replicationcontroller,Job,Cronjob
+  io.artifacthub.keywords: secrets, api keys, tokens, secret leak, confidential data, confidential data leak
+  io.kubewarden.policy.ociUrl: ghcr.io/kubewarden/policies/env-variable-secrets-scanner
+  # rest
   io.kubewarden.policy.title: env-variable-secrets-scanner
   io.kubewarden.policy.description: Policy that inspects env vars and rejects a request if a secret was found
-  io.kubewarden.policy.author: raulcabello <[email protected]>
+  io.kubewarden.policy.author: "Kubewarden developers <[email protected]>"
   io.kubewarden.policy.url: https://github.com/kubewarden/env-variable-secrets-scanner-policy
   io.kubewarden.policy.source: https://github.com/kubewarden/env-variable-secrets-scanner-policy
   io.kubewarden.policy.license: Apache-2.0
-  io.kubewarden.policy.usage: |
-    This policy will reject pods that contain a secret in an environment variable in any container. It scans environment 
-    variables in all containers, init containers and ephemeral containers. The policy can detect secrets that are leaked via base64 encoded variables.
-    The policy looks for the following secrets being leaked: RSA private keys, SSH private keys and API tokens for different services like Slack, Facebook tokens, AWS, Google, New Relic Keys, etc.
-    
-    This policy is powered by the same rule engine used by [rusty hog](https://github.com/newrelic/rusty-hog), an open source secret scanner from New Relic.
-    
-    The policy can either target `Pods`, or [workload
-    resources](https://kubernetes.io/docs/concepts/workloads/) (`Deployments`,
-    `ReplicaSets`, `DaemonSets`, `ReplicationControllers`, `Jobs`, `CronJobs`) by
-    setting the policy's `spec.rules` accordingly.
-    
-    Both have trade-offs:
-    * Policy targets Pods: Different kind of resources (be them native or CRDs) can
-      create Pods. By having the policy target Pods, we guarantee that all the Pods
-      are going to be compliant, even those created from CRDs.
-      However, this could lead to confusion among users, as high level Kubernetes
-      resources would be successfully created, but they would stay in a non
-      reconciled state. Example: a Deployment creating a non-compliant Pod would be
-      created, but it would never have all its replicas running.
-    * Policy targets workload resources (e.g: Deployment): the policy inspect higher
-      order resource (e.g. Deployment): users will get immediate feedback about
-      rejections.
-      However, non compliant pods created by another high level resource (be it
-      native to Kubernetes, or a CRD), may not get rejected.
-