ROX-19158: Add cluster param to scan requests #268

Merged
merged 2 commits into from
Sep 20, 2023

@dcaravel dcaravel commented Sep 13, 2023

As part of ROX-18691 a cluster parameter has been added to the various APIs that result in image scans.

This PR modifies the Jenkins plugin to accept a new cluster parameter and pass that parameter to the various ACS APIs used by the plugin.

Tests Performed

  • Created jobs:
    • acs-freestyle-ocp-internal - freestyle job not using cluster param, expected to fail w/ no scan
    • acs-freestyle-ocp-internal-cluster - freestyle job using cluster param, expected to fail but with successful scan
    • acs-pipeline-ocp-internal - same as above just a pipeline job
    • acs-pipeline-ocp-internal-cluster - same as above just a pipeline job
  • Ran jobs and confirmed expected results

Help Text For New Param

image

acs-freestyle-ocp-internal

Job Setup

image

Console Output

Started by user [admin](http://localhost:8080/user/admin)
Running as SYSTEM
Building in workspace /home/dcaravel/.jenkins/workspace/acs-freestyle-ocp-internal
Checking image image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest...
ERROR: Fatal error: Failed image scan request. Status code: 500. Error: image enrichment error: error getting metadata for image: image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest error: no matching image registries found: please add an image integration for image-registry.openshift-image-registry.svc:5000. Aborting ...
Finished: FAILURE

acs-freestyle-ocp-internal-cluster

Job Setup

image

Console Output

Started by user [admin](http://localhost:8080/user/admin)
Running as SYSTEM
Building in workspace /home/dcaravel/.jenkins/workspace/acs-freestyle-ocp-internal-with-cluster
Checking image image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest...
Archiving artifacts
Cleaning up the workspace ...
ERROR: At least one image violated at least one enforced system policy. Marking StackRox Image Security plugin build step failed. Check the report for additional details.
Finished: FAILURE

Successful Report

image

image

acs-pipeline-ocp-internal

Job Setup

pipeline {
    agent any

    stages {
        stage('Test') {
            steps {
                withCredentials([string(credentialsId: 'stackrox-api-token', variable: 'apiToken')]) {
                    stackrox (
                        apiToken: apiToken,
                        caCertPEM: '',
                        enableTLSVerification: false,
                        failOnCriticalPluginError: true,
                        failOnPolicyEvalFailure: true,
                        portalAddress: 'https://<address>',
                        imageNames: "image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest",
                        cluster: ""
                    )
                }
            }
        }
    }
}

Console Output

Started by user [admin](http://localhost:8080/user/admin)
[Pipeline] Start of Pipeline
[Pipeline] node
Running on [Jenkins](http://localhost:8080/computer/(built-in)/) in /home/dcaravel/.jenkins/workspace/acs-pipeline-ocp-internal
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Test)
[Pipeline] withCredentials
Masking supported pattern matches of $apiToken
[Pipeline] {
[Pipeline] stackrox
Checking image image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest...
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
ERROR: Fatal error: Failed image scan request. Status code: 500. Error: image enrichment error: error getting metadata for image: image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest error: no matching image registries found: please add an image integration for image-registry.openshift-image-registry.svc:5000. Aborting ...
Finished: FAILURE

acs-pipeline-ocp-internal-cluster

Job Setup (cluster added)

pipeline {
    agent any

    stages {
        stage('Test') {
            steps {
                withCredentials([string(credentialsId: 'stackrox-api-token', variable: 'apiToken')]) {
                    stackrox (
                        apiToken: apiToken,
                        caCertPEM: '',
                        enableTLSVerification: false,
                        failOnCriticalPluginError: true,
                        failOnPolicyEvalFailure: true,
                        portalAddress: 'https://34.23.176.25',
                        imageNames: "image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest",
                        cluster: "remote"
                    )
                }
            }
        }
    }
}

Console Output

Started by user [admin](http://localhost:8080/user/admin)
[Pipeline] Start of Pipeline
[Pipeline] node
Running on [Jenkins](http://localhost:8080/computer/(built-in)/) in /home/dcaravel/.jenkins/workspace/acs-pipeline-ocp-internal-cluster
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Test)
[Pipeline] withCredentials
Masking supported pattern matches of $apiToken
[Pipeline] {
[Pipeline] stackrox
Checking image image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest...
Archiving artifacts
Cleaning up the workspace ...
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
ERROR: At least one image violated at least one enforced system policy. Marking StackRox Image Security plugin build step failed. Check the report for additional details.
Finished: FAILURE

Successful Report

image

image

Ensured works with multiple images as well

image

Related PRs

@dcaravel dcaravel marked this pull request as ready for review September 13, 2023 20:05
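
Both job variants in the description above end in `Finished: FAILURE`, but only the run with `cluster` set was actually scanned. As an added example (not part of the PR or the plugin's code), this Python function classifies a console log by the messages quoted above; the name `classify` and the result keys are assumptions.

```python
import re

# Sample console tails, copied from the job output quoted in the PR description.
NO_CLUSTER_LOG = """\
Checking image image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest...
ERROR: Fatal error: Failed image scan request. Status code: 500. Error: image enrichment error: error getting metadata for image: image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest error: no matching image registries found: please add an image integration for image-registry.openshift-image-registry.svc:5000. Aborting ...
Finished: FAILURE
"""
WITH_CLUSTER_LOG = """\
Checking image image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest...
Archiving artifacts
Cleaning up the workspace ...
ERROR: At least one image violated at least one enforced system policy. Marking StackRox Image Security plugin build step failed. Check the report for additional details.
Finished: FAILURE
"""

CHECKING = re.compile(r"^Checking image (\S+?)\.\.\.$", re.M)
SCAN_ERROR = re.compile(r"Failed image scan request\. Status code: (\d+)\.")
NO_REGISTRY = re.compile(r"please add an image integration for (\S+?)\.(?:\s|$)")
POLICY_FAIL = "At least one image violated at least one enforced system policy"


def classify(console: str) -> dict:
    """Tell 'policy gate fired' apart from 'image was never scanned' (hypothetical helper)."""
    result = {"images": CHECKING.findall(console), "scanned": False,
              "outcome": "unknown", "status": None, "missing_registry": None}
    err = SCAN_ERROR.search(console)
    if err:
        # The scan request itself failed, so no policy was evaluated for this image.
        result.update(outcome="scan_error", status=int(err.group(1)))
        reg = NO_REGISTRY.search(console)
        if reg:
            # Registry the scan could not reach with the integrations it had.
            result["missing_registry"] = reg.group(1)
    elif POLICY_FAIL in console:
        # Scan and policy evaluation completed; the build failed on enforcement.
        result.update(outcome="policy_violation", scanned=True)
    return result


if __name__ == "__main__":
    for name, log in (("no cluster", NO_CLUSTER_LOG), ("cluster", WITH_CLUSTER_LOG)):
        print(name, classify(log))
```

A `scan_error` result with `missing_registry` set is the case the new `cluster` parameter addresses in the jobs above; a `policy_violation` result is the gate working as intended.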
@dhaus67 dhaus67 left a comment

Code looks good to me, can you also update https://github.com/stackrox/jenkins-plugin/blob/master/stackrox-container-image-scanner/README.md#freestyle-project which holds the description of the parameters as well as some sample pipelines? It'd be great to update that.

@dhaus67 dhaus67 left a comment

Sorry for the delay in review, but LGTM!

@dcaravel dcaravel merged commit 0850038 into master Sep 20, 2023
4 checks passed
@dcaravel dcaravel deleted the dc/jenkins-polugin-add-cluster-param branch September 20, 2023 23:06
@dhaus67 dhaus67 added the enhancement New feature or request label Sep 29, 2023