From 75fd5b029d682e2f2a1337519bc6f3c5a1a210fc Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Tue, 24 Mar 2026 17:36:02 -0700
Subject: [PATCH] Use prowler image for registry enumeration init container

The kubectl image lacks curl/python3. Use the prowler image (which has Python) with a pure-Python urllib script instead.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../manifests/prowler/cronjob-image-scan.yaml | 42 +++++++++----------
 argocd/manifests/prowler/kustomization.yaml | 2 -
 2 files changed, 19 insertions(+), 25 deletions(-)

diff --git a/argocd/manifests/prowler/cronjob-image-scan.yaml b/argocd/manifests/prowler/cronjob-image-scan.yaml
index 8ad85ad..b8dc4bf 100644
--- a/argocd/manifests/prowler/cronjob-image-scan.yaml
+++ b/argocd/manifests/prowler/cronjob-image-scan.yaml
@@ -20,31 +20,27 @@ spec:
 # not passed to provider constructor). Generate image list from
 # zot catalog API instead.
 - name: enumerate-images
- image: registry.ops.eblu.me/blumeops/kubectl:kustomized
- command: ["/bin/bash", "-c"]
+ image: registry.ops.eblu.me/blumeops/prowler:kustomized
+ command: ["python3", "-c"]
 args:
 - |
- set -euo pipefail
- REGISTRY="https://registry.ops.eblu.me"
- repos=$(curl -sf "${REGISTRY}/v2/_catalog" | python3 -c "
- import json, sys
- for r in json.load(sys.stdin)['repositories']:
- if r.startswith('blumeops/'):
- print(r)
- ")
- > /shared/images.txt
- for repo in $repos; do
- tags=$(curl -sf "${REGISTRY}/v2/${repo}/tags/list" | python3 -c "
- import json, sys
- for t in (json.load(sys.stdin).get('tags') or []):
- print(t)
- ")
- for tag in $tags; do
- echo "registry.ops.eblu.me/${repo}:${tag}" >> /shared/images.txt
- done
- done
- echo "Discovered $(wc -l < /shared/images.txt) images"
- cat /shared/images.txt
+ import json, urllib.request
+
+ REGISTRY = "https://registry.ops.eblu.me"
+ catalog = json.loads(urllib.request.urlopen(f"{REGISTRY}/v2/_catalog").read())
+ images = []
+ for repo in catalog["repositories"]:
+ if not repo.startswith("blumeops/"):
+ continue
+ tags = json.loads(urllib.request.urlopen(f"{REGISTRY}/v2/{repo}/tags/list").read())
+ for tag in tags.get("tags") or []:
+ images.append(f"registry.ops.eblu.me/{repo}:{tag}")
+
+ with open("/shared/images.txt", "w") as f:
+ f.write("\n".join(images) + "\n")
+ print(f"Discovered {len(images)} images")
+ for img in images:
+ print(img)
 volumeMounts:
 - name: shared
 mountPath: /shared
diff --git a/argocd/manifests/prowler/kustomization.yaml b/argocd/manifests/prowler/kustomization.yaml
index 68d7523..b34b2c1 100644
--- a/argocd/manifests/prowler/kustomization.yaml
+++ b/argocd/manifests/prowler/kustomization.yaml
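Review bot: Both `urlopen` calls in the new inline script run without a timeout, so a registry that accepts the connection and then stalls would hang the init container and the image scan would never start; passing `timeout=30` (the value is a suggestion) to each call bounds that. The script also exits successfully when no `blumeops/` repository matches, writing a file that holds a single empty line (`"\n".join([]) + "\n"`), so a scan over nothing can look like a clean pass; `if not images: raise SystemExit("no images discovered")` before the `open` would make that case fail visibly. If the registry ever paginates `/v2/_catalog`, only the first page would be enumerated and the remaining images would go unscanned, which seems worth a comment next to the catalog request.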
@@ -16,5 +16,3 @@ resources:
 images:
 - name: registry.ops.eblu.me/blumeops/prowler
 newTag: v5.22.0-6960243
- - name: registry.ops.eblu.me/blumeops/kubectl
- newTag: v1.34.4-613f05d