Post upgrade TAP 1.12, workload failed with TemplatesNotFound: did not find the template of the resources [source-scanner]

Article ID: 381843

Products

VMware Tanzu Application Platform
VMware Tanzu Application Platform per vCPU

Issue/Introduction

After upgrading to TAP v1.12, the workload tanzu-java-web-app-tiny fails with the following error message: "Workload [TemplatesNotFound]: did not find the template of the resources [source-scanner]".

Cause

Source scanning was removed from the default behavior in TAP 1.6. At that time it was scheduled for removal in TAP 1.9, together with the deprecation of Scanning v1. Scanning v1 was deprecated in TAP 1.10; for more details, see https://techdocs.broadcom.com/us/en/vmware-tanzu/standalone-components/tanzu-application-platform/1-8/tap/scst-scan-overview.html . The ClusterSourceTemplate "source-scanner-template" was removed in TAP 1.12.
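
To see which supply chains still reference a template that is no longer installed, the check below compares each resource's templateRef against the templates present in the cluster. It is an added example, not code from the article or the product; the sample JSON is constructed, and every name in it other than "source-scanner" and "source-scanner-template" is made up.

```python
import json

# Constructed sample inputs, trimmed to the fields the check reads. Real input:
#   kubectl get clustersupplychains -o json
#   kubectl get clustersourcetemplates,clusterimagetemplates -o json
SUPPLY_CHAINS = json.loads("""
{"items": [{"metadata": {"name": "example-chain"}, "spec": {"resources": [
  {"name": "source-provider",
   "templateRef": {"kind": "ClusterSourceTemplate", "name": "example-source-template"}},
  {"name": "source-scanner",
   "templateRef": {"kind": "ClusterSourceTemplate", "name": "source-scanner-template"}},
  {"name": "image-provider",
   "templateRef": {"kind": "ClusterImageTemplate", "options": [
     {"name": "example-build-template"}]}}
]}}]}
""")
TEMPLATES = json.loads("""
{"items": [
  {"kind": "ClusterSourceTemplate", "metadata": {"name": "example-source-template"}},
  {"kind": "ClusterImageTemplate", "metadata": {"name": "example-build-template"}}
]}
""")


def referenced_templates(resource):
    """Yield (kind, name) for templateRef.name and each named templateRef.options[] entry."""
    ref = resource.get("templateRef", {})
    names = [ref.get("name")] + [opt.get("name") for opt in ref.get("options", [])]
    for name in names:
        if name:  # entries without a template name are skipped
            yield ref.get("kind", ""), name


def missing_templates(supply_chains, templates):
    """Map each supply chain to the [(resource, kind, template)] refs that are not installed."""
    installed = {(t["kind"], t["metadata"]["name"]) for t in templates["items"]}
    findings = {}
    for chain in supply_chains["items"]:
        for resource in chain["spec"]["resources"]:
            for kind, name in referenced_templates(resource):
                if (kind, name) not in installed:
                    findings.setdefault(chain["metadata"]["name"], []).append(
                        (resource["name"], kind, name))
    return findings


if __name__ == "__main__":
    for chain, refs in missing_templates(SUPPLY_CHAINS, TEMPLATES).items():
        for resource, kind, name in refs:
            print(f"{chain}: resource [{resource}] needs {kind}/{name}, which is not installed")
```

A template listed only under options matters just for workloads whose selector picks that option, so treat those findings as candidates rather than certain failures.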

Resolution

The ClusterSourceTemplate "source-scanner-template" has been removed from the product, so it is better not to rely on it in the long run. SCA scanning was removed for a reason: it often does not reflect the true security posture, because the scanners need the code to be built to provide accurate information, and in this case the scan ran before the code was built. Image scanning also captures the CVEs that SCA would have found.

If a customer still needs this template, it can be created manually with the YAML file below.

#@ load("@ytt:data", "data")

#@ if/end "source-scanner-template" not in data.values.excluded_templates:
---
apiVersion: carto.run/v1alpha1
kind: ClusterSourceTemplate
metadata:
  name: source-scanner-template
spec:
  urlPath: .status.artifact.blob.url
  revisionPath: .status.compliantArtifact.blob.revision

  healthRule:
    multiMatch:
      healthy:
        #! This applies for PolicySucceeded = True and NoPolicy = True
        matchConditions:
          - type: Succeeded
            status: "True"
      unhealthy:
        matchConditions:
          #! If policy failed with violations
          - type: PolicySucceeded
            status: "False"

          #! If policy failed with an error
          - type: PolicySucceeded
            status: Unknown

          #! If an error happened in any step of the scan
          - type: Succeeded
            status: "False"

  #@ label_exclusions = "[\"" + "\", \"".join(data.values.label_propagation_exclusions) + "\"]"
  #@yaml/text-templated-strings
  ytt: |
    #@ load("@ytt:data", "data")

    #@ def merge_labels(fixed_values):
    #@   labels = {}
    #@   if hasattr(data.values.workload.metadata, "labels"):
    #@     exclusions = (@= label_exclusions @)
    #@     for k,v in dict(data.values.workload.metadata.labels).items():
    #@       if k not in exclusions:
    #@         labels[k] = v
    #@       end
    #@     end
    #@   end
    #@   labels.update(fixed_values)
    #@   return labels
    #@ end

    ---
    apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
    kind: SourceScan
    metadata:
      name: #@ data.values.workload.metadata.name
      labels: #@ merge_labels({ "app.kubernetes.io/component": "source-scan" })
    spec:
      blob:
        url: #@ data.values.source.url
        revision: #@ data.values.source.revision
      scanTemplate: #@ data.values.params.scanning_source_template
      #@ if data.values.params.scanning_source_policy != None and len(data.values.params.scanning_source_policy) > 0:
      scanPolicy: #@ data.values.params.scanning_source_policy
      #@ end