This major refactor moves from synchronous subprocess-based scanning to asynchronous pod-based scanning using Kubernetes Jobs.

## Architecture Changes
- Scanner jobs are now Kubernetes Jobs with TTLAfterFinished for automatic cleanup
- Jobs have owner references for garbage collection when NucleiScan is deleted
- Configurable concurrency limits, timeouts, and resource requirements

## New Features
- Dual-mode binary: --mode=controller (default) or --mode=scanner
- Annotation-based configuration for Ingress/VirtualService resources
- Operator-level configuration via environment variables
- Startup recovery for orphaned scans after operator restart
- Periodic cleanup of stuck jobs

## New Files
- DESIGN.md: Comprehensive architecture design document
- internal/jobmanager/: Job Manager for creating/monitoring scanner jobs
- internal/scanner/runner.go: Scanner mode implementation
- internal/annotations/: Annotation parsing utilities
- charts/nuclei-operator/templates/scanner-rbac.yaml: Scanner RBAC

## API Changes
- Added ScannerConfig struct for per-scan scanner configuration
- Added JobReference struct for tracking scanner jobs
- Added ScannerConfig field to NucleiScanSpec
- Added JobRef and ScanStartTime fields to NucleiScanStatus

## Supported Annotations
- nuclei.homelab.mortenolsen.pro/enabled
- nuclei.homelab.mortenolsen.pro/templates
- nuclei.homelab.mortenolsen.pro/severity
- nuclei.homelab.mortenolsen.pro/schedule
- nuclei.homelab.mortenolsen.pro/timeout
- nuclei.homelab.mortenolsen.pro/scanner-image

## RBAC Updates
- Added Job and Pod permissions for operator
- Created separate scanner service account with minimal permissions

## Documentation
- Updated README, user-guide, api.md, and Helm chart README
- Added example annotated Ingress resources
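{{- if .Values.scanner.enabled }}
# RBAC for scanner pods (--mode=scanner).
#
# This ServiceAccount is the dedicated identity for scanner Jobs, kept separate
# from the operator's own ServiceAccount so that a scanner pod — which runs
# nuclei against externally reachable targets — holds only the permissions
# granted below. The API token must stay mounted: the scanner uses it to
# patch NucleiScan status.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "nuclei-operator.fullname" . }}-scanner
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "nuclei-operator.labels" . | nindent 4 }}
    app.kubernetes.io/component: scanner
---
# Cluster-scoped on purpose: bound via a ClusterRoleBinding below, so every
# verb here applies to NucleiScan resources in all namespaces. Nothing else is
# granted — no list/watch/create/delete on NucleiScans, and no access to
# Secrets, Pods or Jobs. If scans only ever live in a single namespace, a
# namespaced Role/RoleBinding would narrow this further — confirm against how
# the operator places NucleiScan resources before changing it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "nuclei-operator.fullname" . }}-scanner
  labels:
    {{- include "nuclei-operator.labels" . | nindent 4 }}
    app.kubernetes.io/component: scanner
rules:
  # Scanner needs to read the NucleiScan it was started for (targets, config).
  - apiGroups:
      - nuclei.homelab.mortenolsen.pro
    resources:
      - nucleiscans
    verbs:
      - get
  # Scanner needs to write results back to the NucleiScan status subresource.
  # Only /status is writable; the spec remains read-only for scanner pods.
  - apiGroups:
      - nuclei.homelab.mortenolsen.pro
    resources:
      - nucleiscans/status
    verbs:
      - get
      - patch
      - update
---
# Binds the scanner ServiceAccount in the release namespace to the ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "nuclei-operator.fullname" . }}-scanner
  labels:
    {{- include "nuclei-operator.labels" . | nindent 4 }}
    app.kubernetes.io/component: scanner
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "nuclei-operator.fullname" . }}-scanner
subjects:
  - kind: ServiceAccount
    name: {{ include "nuclei-operator.fullname" . }}-scanner
    namespace: {{ .Release.Namespace }}
{{- end }}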