Update Helm and Containerfile (#64)

* 1. fixed to copy only necessary scripts and policies. 2. adding a link to let /home/zap/.ZAP/policies refer to /home/rapidast/.ZAP/policies - this allows 'rapidast' image can be used for 'zap' scanner in the rapidast config * updated Helm README and chart default values
RedHatProductSecurity · Mar 29, 2023 · 38c5194 · 38c5194
1 parent d70eab4
commit 38c5194
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 13 deletions.
diff --git a/containerize/Containerfile b/containerize/Containerfile
@@ -7,12 +7,13 @@ FROM registry.access.redhat.com/ubi9-minimal
 
 RUN microdnf install -y procps tar gzip shadow-utils java-11-openjdk
 
+## ZAP
 RUN mkdir -p /tmp/zap
 RUN curl -sfL https://github.com/zaproxy/zaproxy/releases/download/v2.12.0/ZAP_2.12.0_Linux.tar.gz | tar zxvf - -C /tmp/zap
 RUN mv -T /tmp/zap/ZAP_2.12.0 /zap
 
-# Set up RapiDAST
 
+# Set up for RapiDAST
 RUN useradd -u 1000 -d /home/rapidast -m -s /bin/bash rapidast
 RUN echo rapidast:rapidast | chpasswd
 
@@ -32,18 +33,23 @@ ENV HOME /home/rapidast
 
 ENV PATH $PATH:/zap/:$HOME:$HOME/.local/bin
 
-#### RapiDAST
-
+## Install RapiDAST requirements
 RUN python3 -m ensurepip --upgrade
 RUN pip3 install -r requirements.txt
 
 
-# ZAP set up
-RUN cp -r $HOME/scanners/zap/scripts /zap/scripts
+# Finalize set up for ZAP
+RUN cp -r $HOME/scanners/zap/scripts/*.js /zap/scripts/
 RUN mkdir -p $HOME/.ZAP/policies
-RUN cp -r $HOME/scanners/zap/policies $HOME/.ZAP/policies
+RUN cp -r $HOME/scanners/zap/policies/*.policy $HOME/.ZAP/policies/
+
+## for compatiblity, in case /home/zap/.ZAP/policies is referred
+USER root
+RUN mkdir -p /home/zap/.ZAP
+RUN ln -s $HOME/.ZAP/policies/ /home/zap/.ZAP/policies
+USER rapidast
 
-# ZAP update
+## ZAP addon update
 RUN zap.sh -cmd -addonuninstall graaljs # delete until it is updated to fix https://security.snyk.io/vuln/SNYK-JAVA-ORGJAVADELIGHT-1279048
 RUN zap.sh -cmd -addonupdate
 RUN cp $HOME/.ZAP/plugin/*.zap /zap/plugin/  # This is necessary. Otherwise, for some reason, the next addoninstall command fails due to an error of 'network' addon not being found

diff --git a/helm/README.md b/helm/README.md
@@ -4,7 +4,7 @@ The Helm chart uses the official RapiDAST image: `quay.io/redhatproductsecurity/
 
 `values.yaml` contains various configuration items including a RapiDAST config template and default scan policy. Either you modify it for your environment or override by using `--set-file`, `--set` or `-f`.
 
-For example, using `--set-file config`, it is possible to update configuration for RapiDAST scans.
+For example, using `--set-file rapidastConfig`, it is possible to update configuration for RapiDAST scans.
 
 ```
 $ helm install rapidast ./helm/chart/ --set-file rapidastConfig=<your-rapidast-config-with-container-type-none.yaml>

diff --git a/helm/chart/templates/_helpers.tpl b/helm/chart/templates/_helpers.tpl
@@ -59,5 +59,4 @@ template:
         persistentVolumeClaim:
           claimName: {{ .Values.pvc }}
     restartPolicy: Never
-backoffLimit: 3
 {{- end }}
diff --git a/helm/chart/templates/job.yaml b/helm/chart/templates/job.yaml
@@ -11,7 +11,9 @@ spec:
   schedule: "{{ .Values.job.schedule }}"
   jobTemplate:
     spec:
+      backoffLimit: 0
 {{- include "rapidast-chart.job" . | nindent 6}}
 {{ else }}
+  backoffLimit: 3
 {{- include "rapidast-chart.job" . | nindent 2}}
 {{ end }}
diff --git a/helm/chart/values.yaml b/helm/chart/values.yaml
@@ -4,12 +4,12 @@
 
 image:
   repository: quay.io/redhatproductsecurity/rapidast
-  pullPolicy: IfNotPresent
-  tag: "2.0.0-rc1"
+  pullPolicy: Always
+  tag: "latest"
 
 job:
   cron: false
-  schedule: "* * * * *"
+  schedule: "0 22 * * *"  # used when job.cron is true, e.g. at 10pm daily
 
 resources: {}
   # It is recommended not to specify default resources and to leave this as a conscious
@@ -58,7 +58,7 @@ rapidastConfig: |
 
         container:
             # currently supported: `podman` and `none`
-            type: "podman"
+            type: "none"
 
     scanners:
         zap: