feat: add env-value-from as opt-in check for #705

docs/generated/checks.md

@@ -193,6 +193,22 @@ forbiddenCapabilities:
 **Remediation**: Confirm that your DeploymentLike doesn't have duplicate env vars names.
 
 **Template**: [duplicate-env-var](templates.md#duplicate-environment-variables)
+## env-value-from
+
+**Enabled by default**: No
+
+**Description**: Indicates when objects use a secret or configmap not included in the deployment.
+
+**Remediation**: Change the name or key to match a secret / configmap in the deployment.
+
+**Template**: [env-value-from](templates.md#env-references)
+
+**Parameters**:
+
+```yaml
+IgnoredConfigMaps: []
+IgnoredSecrets: []
+```
 ## env-var-secret
 
 **Enabled by default**: Yes

docs/generated/templates.md

@@ -275,6 +275,36 @@ KubeLinter supports the following templates:
 **Supported Objects**: DeploymentLike
 
 
+## Env references
+
+**Key**: `env-value-from`
+
+**Description**: Flag resources which use env variables from secrets/configmaps not included in the release
+
+**Supported Objects**: DeploymentLike
+
+
+**Parameters**:
+
+```yaml
+- arrayElemType: string
+  description: list of regular expressions specifying pattern(s) for secrets that
+    will be ignored.
+  name: ignoredSecrets
+  negationAllowed: true
+  regexAllowed: true
+  required: false
+  type: array
+- arrayElemType: string
+  description: list of regular expressions specifying pattern(s) for secrets that
+    will be ignored.
+  name: ignoredConfigMaps
+  negationAllowed: true
+  regexAllowed: true
+  required: false
+  type: array
+```
+
 ## Environment Variables
 
 **Key**: `env-var`

e2etests/bats-tests.sh

@@ -300,6 +300,18 @@ get_value_from() {
   [[ "${count}" == "2" ]]
 }
 
+@test "env-value-from" {
+  tmp="tests/checks/env-var-value-from.yml"
+  cmd="${KUBE_LINTER_BIN} lint --include env-value-from --do-not-auto-add-defaults --format json ${tmp}"
+  run ${cmd}
+  print_info "${status}" "${output}" "${cmd}" "${tmp}"
+  [ "$status" -eq 1 ]
+  message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
+  count=$(get_value_from "${lines[0]}" '.Reports | length')
+  [[ "${message1}" == "Deployment: The container \"app\" is referring to an unknown key \"chimpmunk\" in secret \"secretsquirrels\"" ]]
+  [[ "${count}" == "1" ]]
+}
+
 @test "env-var-secret" {
   tmp="tests/checks/env-var-secret.yml"
   cmd="${KUBE_LINTER_BIN} lint --include env-var-secret --do-not-auto-add-defaults --format json ${tmp}"

go.mod

@@ -13,6 +13,7 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/openshift/api v0.0.0-20230406152840-ce21e3fe5da2
 	github.com/owenrumney/go-sarif/v2 v2.3.3
+	github.com/pkg/errors v0.9.1
 	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.86.0
 	github.com/spf13/cobra v1.10.1
 	github.com/spf13/pflag v1.0.10
@@ -89,7 +90,6 @@ require (
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sagikazarmark/locafero v0.11.0 // indirect

pkg/builtinchecks/yamls/env-var-value-from.yaml

@@ -0,0 +1,12 @@
+# customChecks defines custom checks.
+name: "env-value-from"
+template: "env-value-from"
+description: "Indicates when objects use a secret or configmap not included in the deployment."
+remediation: >-
+  Change the name or key to match a secret / configmap in the deployment.
+scope:
+  objectKinds:
+    - DeploymentLike
+params:
+  IgnoredSecrets: []
+  IgnoredConfigMaps: []

pkg/templates/all/all.go

@@ -19,6 +19,7 @@ import (
 	_ "golang.stackrox.io/kube-linter/pkg/templates/dnsconfigoptions"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/duplicatenvvar"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/envvar"
+	_ "golang.stackrox.io/kube-linter/pkg/templates/envvarvaluefrom"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/forbiddenannotation"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/hostipc"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/hostmounts"

pkg/templates/envvarvaluefrom/internal/params/params.go

@@ -0,0 +1,12 @@
+package params
+
+// Params represents the params accepted by this template.
+type Params struct {
+	// ignored list => these resources already exist in the cluster.
+
+	// list of regular expressions specifying pattern(s) for secrets that will be ignored.
+	IgnoredSecrets []string
+
+	// list of regular expressions specifying pattern(s) for secrets that will be ignored.
+	IgnoredConfigMaps []string
+}

pkg/templates/envvarvaluefrom/template.go

@@ -0,0 +1,150 @@
+package envvarvaluefrom
+
+import (
+	"fmt"
+	"regexp"
+
+	"github.com/pkg/errors"
+	"golang.stackrox.io/kube-linter/pkg/check"
+	"golang.stackrox.io/kube-linter/pkg/config"
+	"golang.stackrox.io/kube-linter/pkg/diagnostic"
+	"golang.stackrox.io/kube-linter/pkg/lintcontext"
+	"golang.stackrox.io/kube-linter/pkg/objectkinds"
+	"golang.stackrox.io/kube-linter/pkg/templates"
+	"golang.stackrox.io/kube-linter/pkg/templates/envvarvaluefrom/internal/params"
+	"golang.stackrox.io/kube-linter/pkg/templates/util"
+	v1 "k8s.io/api/core/v1"
+)
+
+const (
+	templateKey = "env-value-from"
+)
+
+func init() {
+	templates.Register(check.Template{
+		HumanName:   "Env references",
+		Key:         templateKey,
+		Description: "Flag resources which use env variables from secrets/configmaps not included in the release",
+		SupportedObjectKinds: config.ObjectKindsDesc{
+			ObjectKinds: []string{objectkinds.DeploymentLike},
+		},
+		Parameters:             params.ParamDescs,
+		ParseAndValidateParams: params.ParseAndValidate,
+		Instantiate: params.WrapInstantiateFunc(func(p params.Params) (check.Func, error) {
+			ignoredSecrets, err := extractRegexList(p.IgnoredSecrets)
+			if err != nil {
+				return nil, err
+			}
+			ignoredConfigMaps, err := extractRegexList(p.IgnoredConfigMaps)
+			if err != nil {
+				return nil, err
+			}
+			return func(lintCtx lintcontext.LintContext, object lintcontext.Object) []diagnostic.Diagnostic {
+				secrets := make(map[string]*v1.Secret)
+				configmaps := make(map[string]*v1.ConfigMap)
+				for _, obj := range lintCtx.Objects() {
+					if secret, found := obj.K8sObject.(*v1.Secret); found {
+						secrets[secret.Name] = secret // Fix: Remove ObjectMeta
+					}
+					if configmap, found := obj.K8sObject.(*v1.ConfigMap); found {
+						configmaps[configmap.Name] = configmap // Fix: Remove ObjectMeta
+					}
+				}
+				return lintForEachContainer(lintCtx, object, ignoredSecrets, ignoredConfigMaps, secrets, configmaps)
+			}, nil
+		}),
+	})
+}
+
+func lintForEachContainer(lintCtx lintcontext.LintContext, object lintcontext.Object, ignoredSecrets, ignoredConfigMaps []*regexp.Regexp, secrets map[string]*v1.Secret, configmaps map[string]*v1.ConfigMap) []diagnostic.Diagnostic {
+	return util.PerContainerCheck(func(container *v1.Container) []diagnostic.Diagnostic {
+		var results []diagnostic.Diagnostic
+		for _, envVar := range container.Env {
+			valueFrom := envVar.ValueFrom
+			if valueFrom == nil {
+				continue
+			}
+			if secretKeySelector := valueFrom.SecretKeyRef; secretKeySelector != nil {
+				if secretKeySelector.Optional != nil && *secretKeySelector.Optional {
+					continue
+				}
+				if isInRegexList(ignoredSecrets, secretKeySelector.Name) {
+					continue
+				}
+				secret, ok := secrets[secretKeySelector.Name]
+				if !ok {
+					results = append(results, diagnostic.Diagnostic{
+						Message: fmt.Sprintf("The container %q is referring to an unknown secret %q", container.Name, secretKeySelector.Name),
+					})
+					continue
+				}
+				if isInList(Keys(secret.Data), secretKeySelector.Key) || isInList(Keys(secret.StringData), secretKeySelector.Key) {
+					continue
+				}
+				results = append(results, diagnostic.Diagnostic{
+					Message: fmt.Sprintf("The container %q is referring to an unknown key %q in secret %q", container.Name, secretKeySelector.Key, secretKeySelector.Name),
+				})
+			}
+			if configMapSelector := valueFrom.ConfigMapKeyRef; configMapSelector != nil {
+				if configMapSelector.Optional != nil && *configMapSelector.Optional {
+					continue
+				}
+				if isInRegexList(ignoredConfigMaps, configMapSelector.Name) {
+					continue
+				}
+				configmap, ok := configmaps[configMapSelector.Name]
+				if !ok {
+					results = append(results, diagnostic.Diagnostic{
+						Message: fmt.Sprintf("The container %q is referring to an unknown config map %q", container.Name, configMapSelector.Name),
+					})
+					continue
+				}
+				if isInList(Keys(configmap.Data), configMapSelector.Key) || isInList(Keys(configmap.BinaryData), configMapSelector.Key) {
+					continue
+				}
+				results = append(results, diagnostic.Diagnostic{
+					Message: fmt.Sprintf("The container %q is referring to an unknown key %q in config map %q", container.Name, configMapSelector.Key, configMapSelector.Name),
+				})
+			}
+		}
+		return results
+	})(lintCtx, object)
+}
+
+func isInRegexList(regexlist []*regexp.Regexp, name string) bool {
+	for _, regex := range regexlist {
+		if regex.MatchString(name) {
+			return true
+		}
+	}
+	return false
+}
+
+func isInList(regexlist []string, name string) bool {
+	for _, regex := range regexlist {
+		if name == regex {
+			return true
+		}
+	}
+	return false
+}
+
+func Keys[K comparable, V any](m map[K]V) []K {
+	r := make([]K, 0, len(m))
+	for k := range m {
+		r = append(r, k)
+	}
+	return r
+}
+
+func extractRegexList(inputList []string) ([]*regexp.Regexp, error) {
+	result := make([]*regexp.Regexp, 0, len(inputList))
+	for _, res := range inputList {
+		rg, err := regexp.Compile(res)
+		if err != nil {
+			return nil, errors.Wrapf(err, "invalid regex %s", res)
+		}
+		result = append(result, rg)
+	}
+	return result, nil
+}