OCS should not read logs but read configmaps instead
The OCS module in gitlab-agent should do the following:

- Once OCS starts, delete all configmaps carrying the labels `agent.gitlab.com/ocs-ns=<namespace>` and `agent.gitlab.com/agent-id=<agent_id>`, so that no orphan configmaps are left over from previous runs.
- Update the code that handles a failed scanning pod: reading the exit code is enough to know exactly why the scanning pod failed. On failure, make sure the pod did not leave any configmaps behind; if it did, delete them.
- Update the code that handles a successful scanning pod:
  - In a loop, read the chained configmaps. The configmap name should be `ocs-<namespace_to_scan>-<agent_id>-<x>`, where `x` is the index of the configmap in the chain.
  - For every configmap payload:
    - decode the base64 payload,
    - unzip the payload,
    - extract the vulnerabilities from the protobuf message.
  - Once all payloads (a list of vulnerabilities) are parsed, compute the scanner part of the payload and transform the list of vulnerabilities into a list of payloads. A payload is the format GitLab expects when we create vulnerabilities.
  - Create the vulnerabilities.
  - Delete all chained configmaps by deleting every configmap with the labels `agent.gitlab.com/ocs-ns=<namespace>` and `agent.gitlab.com/agent-id=<agent_id>`.
- resolve-starboard-vulnerabilities should remain exactly where it is: after all the threads have finished handling the returned scanning pods, we resolve the starboard vulnerabilities.
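The success path above, end to end, as an added example that is not gitlab-agent's own code: it walks the `ocs-<ns>-<agent_id>-<x>` chain in an in-memory stand-in for the ConfigMap store, refuses any chunk whose labels do not belong to this agent and namespace (the name is predictable, so the labels are the only thing tying a chunk to the pod that wrote it), base64-decodes and gunzips each payload, and parses the protobuf wire format by hand. Everything the issue does not specify is an assumption here: that "unzip" means gzip, that the payload sits under a `payload` data key, the message schema (`Report{repeated Vulnerability vulns = 1}`, `Vulnerability{string id = 1; string severity = 2}`), the `ConfigMap`/`Vulnerability` stand-in types, and the sample chunks, which `EncodeChunk` constructs inside the block so it runs offline. In the real module the store lookups become client-go `Get` calls, and `EncodeChunk` is the scanning pod's side of the contract.

```go
package main

import (
	"compress/gzip"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"io"
	"strings"
)

// ConfigMap stands in for corev1.ConfigMap; Vulnerability stands in for the scanner's
// message, whose schema the issue does not give. Assumed wire layout for this example only:
// Report{repeated Vulnerability vulns = 1}, Vulnerability{string id = 1; string severity = 2}.
type ConfigMap struct{ Labels, Data map[string]string }
type Vulnerability struct{ ID, Severity string }

// Label keys are the issue's; the data key is an assumption (the issue does not name one).
const labelNS, labelAgentID, payloadKey = "agent.gitlab.com/ocs-ns", "agent.gitlab.com/agent-id", "payload"

// ReadChain walks ocs-<ns>-<agentID>-0, -1, ... until an index is absent and
// concatenates the vulnerabilities found in each chunk.
func ReadChain(store map[string]ConfigMap, ns, agentID string) ([]Vulnerability, error) {
	var all []Vulnerability
	for x := 0; ; x++ {
		name := fmt.Sprintf("ocs-%s-%s-%d", ns, agentID, x)
		cm, ok := store[name]
		if !ok {
			if x == 0 {
				return nil, fmt.Errorf("%s: no chunks found", name)
			}
			return all, nil
		}
		// The name is predictable, so require this agent's labels before trusting a chunk.
		if cm.Labels[labelNS] != ns || cm.Labels[labelAgentID] != agentID {
			return nil, fmt.Errorf("%s: labels do not match agent %s in %s", name, agentID, ns)
		}
		vulns, err := DecodeChunk(cm.Data[payloadKey])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		all = append(all, vulns...)
	}
}

// DecodeChunk reverses what the scanning pod wrote: base64 -> gunzip (the issue says
// "unzip"; gzip is an assumption) -> protobuf wire format -> []Vulnerability.
func DecodeChunk(payload string) ([]Vulnerability, error) {
	zr, err := gzip.NewReader(base64.NewDecoder(base64.StdEncoding, strings.NewReader(payload)))
	if err != nil {
		return nil, fmt.Errorf("gzip: %w", err)
	}
	pb, err := io.ReadAll(zr)
	if err != nil {
		return nil, fmt.Errorf("gunzip: %w", err)
	}
	var out []Vulnerability
	for len(pb) > 0 {
		f, msg, rest, err := next(pb)
		if err != nil {
			return nil, err
		}
		if pb = rest; f != 1 {
			continue // unknown Report field: skipped, as a protobuf parser would
		}
		var v Vulnerability
		for len(msg) > 0 {
			g, s, r, err := next(msg)
			if err != nil {
				return nil, err
			}
			if msg = r; g == 1 {
				v.ID = string(s)
			} else if g == 2 {
				v.Severity = string(s)
			}
		}
		out = append(out, v)
	}
	return out, nil
}

// next decodes one length-delimited (wire type 2) protobuf field: tag varint, length varint, bytes.
func next(b []byte) (field int, val, rest []byte, err error) {
	tag, n := binary.Uvarint(b)
	if n <= 0 || tag&7 != 2 {
		return 0, nil, nil, fmt.Errorf("protobuf: bad or unsupported tag")
	}
	l, m := binary.Uvarint(b[n:])
	if m <= 0 || uint64(len(b)-n-m) < l {
		return 0, nil, nil, fmt.Errorf("protobuf: truncated field")
	}
	end := n + m + int(l)
	return int(tag >> 3), b[n+m : end], b[end:], nil
}

// EncodeChunk is the writer side (protobuf -> gzip -> base64); here it only builds sample input.
func EncodeChunk(vulns []Vulnerability) string {
	ld := func(field int, v []byte) []byte {
		tag := binary.AppendUvarint(nil, uint64(field<<3|2))
		return append(binary.AppendUvarint(tag, uint64(len(v))), v...)
	}
	var pb []byte
	for _, v := range vulns {
		pb = append(pb, ld(1, append(ld(1, []byte(v.ID)), ld(2, []byte(v.Severity))...))...)
	}
	var sb strings.Builder
	enc := base64.NewEncoder(base64.StdEncoding, &sb)
	zw := gzip.NewWriter(enc)
	zw.Write(pb)
	zw.Close()
	enc.Close()
	return sb.String()
}

// SampleStore is constructed data: two chunks written by agent "42" for namespace "default".
var SampleStore = map[string]ConfigMap{
	"ocs-default-42-0": {map[string]string{labelNS: "default", labelAgentID: "42"},
		map[string]string{payloadKey: EncodeChunk([]Vulnerability{{"CVE-0000-0001", "Critical"}, {"CVE-0000-0002", "High"}})}},
	"ocs-default-42-1": {map[string]string{labelNS: "default", labelAgentID: "42"},
		map[string]string{payloadKey: EncodeChunk([]Vulnerability{{"CVE-0000-0003", "Medium"}})}},
}

func main() {
	vulns, err := ReadChain(SampleStore, "default", "42")
	fmt.Println(len(vulns), vulns, err) // 3 [{CVE-0000-0001 Critical} {CVE-0000-0002 High} {CVE-0000-0003 Medium}] <nil>
}
```

A chain whose chunk 0 is absent is reported as an error rather than as "no findings", because on the success path the pod exited 0 and should have written something; the exit-code check in the failed-pod path covers the other case. The start-up and post-scan cleanup steps both map onto a single client-go `DeleteCollection` with the label selector `agent.gitlab.com/ocs-ns=<ns>,agent.gitlab.com/agent-id=<id>`, which is also why the reader checks those same two labels before parsing a chunk: a chunk the cleanup would not delete is not one this agent should trust.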
Edited by Nick Ilieskou