Create vaas chart

* Move existing charts into repo * WIP add deployment for gateway * add ingress sts and np * add more to charts * fix folder stucture * move yamls to correct folder * chanhe structure again * remove whitespaces * Mini Identity Provider * Gateway starts * WIP * This state is working properly out of the box but needs refinement with full team * remove classname * fix handling with secrets & edit readme * add chart repo to command * add ct config for linting * fix path * add username * add pw for oci * remove oci * remove login * update * add oci repo * increase helm version * remove spaces * add cr token --------- Co-authored-by: Kevin Heise <[email protected]> Co-authored-by: Lennart Dohmann <[email protected]> Co-authored-by: PT-ATA No One <[email protected]>
GDATASoftwareAG · Jan 16, 2024 · 4807863 · 4807863
1 parent e09fb62
commit 4807863
Show file tree

Hide file tree

Showing 17 changed files with 831 additions and 2 deletions.
diff --git a/.github/chart-testing-config.yaml b/.github/chart-testing-config.yaml
@@ -0,0 +1,3 @@
+chart-repos:
+  - bitnami=https://charts.bitnami.com/bitnami/
+  - gdscan=https://gdatasoftwareag.github.io/gdscan/
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,50 @@
+name: Release Charts
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "*"
+  pull_request:
+    branches:
+      - main
+
+env:
+  HELM_EXPERIMENTAL_OCI: 1
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.13.3
+
+      - name: Install python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.7
+
+      - name: Set up chart-testing
+        uses: helm/[email protected]
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config .github/chart-testing-config.yaml --validate-maintainers=false --charts charts/vaas
+
+      - name: Run chart-releaser
+        if: github.ref == 'refs/heads/main'
+        uses: helm/[email protected]
+        env:
+          CR_TOKEN: "${{ secrets.CR_TOKEN }}"
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,6 @@
+.idea/
+.vscode/
+*.log
+*-locale.yaml
+*.tgz
+.fleet/
diff --git a/README.md b/README.md
@@ -1,2 +1,173 @@
-# vaas-helm
-Helm Chart for VaaS on-premise
+# Verdict-as-a-Service Helm Chart
+
+Vaas helm is a chart for deploying Verdict-as-a-Service on-premise.
+
+## Install Verdict-as-a-Service
+
+1. Create a minimal values.yaml file:
+
+The token has to be set in the `global.secret.dockerconfigjson` variable on deployment.
+
+```yaml
+# values.yaml
+global:
+  secret: 
+    dockerconfigjson: $$_BASE64_ENCODED_JSON_CONTAINING_TOKEN_$$
+```
+
+Copy the `secret.yaml` you got from G DATA to the template folder.
+
+
+2. Add the helm repository:
+
+```bash
+helm repo add vaas https://gdatasoftwareag.github.io/vaas/
+```
+
+3. Install Verdict-as-a-Service:
+
+```bash
+helm install vaas gdatasoftware/vaas -f values.yaml
+```
+
+### Updating Verdict-as-a-Service
+
+```bash
+helm repo update
+helm upgrade vaas gdatasoftware/vaas -f values.yaml
+```
+
+# Verdict-as-a-Service on-premise
+
+## Getting started
+
+### Deploy Verdict-as-a-Service in a Minikube test-environment
+
+* Start Minikube:
+
+```
+minikube start --cpus="6" --memory="6g" --addons ingress
+```
+
+* Check your Minikube IP: ```minikube ip```
+
+* Add Minikube IP to your /etc/hosts:
+
+```
+<your-minikube-ip> vaas
+```
+
+* Run ```minikube dashboard```
+
+*  Deploy the VaaS helm chart: ```./helm.sh```
+
+* Check the "Workload status" in the Minikube dashboard and wait until it is green
+
+### Use Verdict-as-a-Service with the Java SDK
+
+* Make sure that Java 17 & Gradle is installed
+
+* Extract Client secret with this command
+
+```
+export CLIENT_SECRET=$(kubectl get secret -n vaas vaas-client-secret -o jsonpath="{.data.secret}" | base64 -d)
+```
+
+* Set these environment variables for testing your local instance
+
+```
+export CLIENT_ID=vaas
+export SCAN_PATH=<filepath-to-scan>
+export VAAS_URL=ws://vaas/ws
+export TOKEN_URL=http://vaas/auth/protocol/openid-connect/token
+```
+
+* Execute FileScan example in Java SDK example folder
+
+```
+./gradlew fileScan
+```
+
+## Configuring Verdict-as-a-Service
+
+| Parameter | Description | Value |
+|-------------|-------------|-------|
+| `ingress.enabled` | Enable/Disable the Ingress resource | `false` |
+| `ingress.annotations` | Additional annotations for Ingress | `{}` |
+| `ingress.hosts` | Hostnames and paths for Ingress | `[]` |
+| `ingress.tls` | TLS configuration for Ingress | `[]` |
+| `authentication.authority` | Authority for authentication | `""` |
+| `nameOverride` | Overrides the application name | `""` |
+| `fullnameOverride` | Overrides the full name | `""` |
+| `networkPolicy.enabled` | Enable/Disable the default Network Policy | `false` |
+| `secret.dockerconfigjson` | Docker authentication configuration | `""` |
+| `service.type` | Type of Kubernetes service | `""` |
+| `service.http.port` | HTTP port for the service | `8080` |
+| `service.ws.port` | WebSocket port for the service | `9090` |
+| `podDisruptionBudget.minAvailable` | Minimum available pods in case of disruption | `1` |
+| `replicaCount` | Number of replicas | `1` |
+| `revisionHistoryLimit` | Number of revisions in history | `1` |
+| `resources.limits.memory` | Maximum memory usage | `512Mi` |
+| `resources.requests.cpu` | Requested CPU performance | `0.5` |
+| `resources.requests.memory` | Requested memory usage | `256Mi` |
+| `containerSecurityContext.enabled` | Enable/Disable container security context | `false` |
+| `cloudhashlookup.enabled` | Enable/Disable cloud hash lookup | `false` |
+| `uploadUrl` | URL for the upload service | `"http://localhost:8080/upload"` |
+| `imagePullSecrets` | List of image pull secrets | `- name: registry` |
+| `podAnnotations` | Annotations for pods | `{}` |
+| `nodeSelector` | Node labels for pod assignment | `{}` |
+| `gdscan.nodeSelector` | gdscan Node labels for pod assignment | `{}` |
+| `mini-identity-provider.nodeSelector` | mini-identity-provider Node labels for pod assignment | `{}` |
+| `tolerations` | Tolerations for pods | `[]` |
+| `affinity` | Affinity settings for pods | `{}` |
+
+
+### Production environment
+
+In production you will have to configure a few values.
+
+#### Ingress
+The default hostname is "vaas". To change it and provide a tls configuration, add this to your values.yaml:
+
+```yaml
+mini-identity-provider:
+  issuer: "http://vaas/auth"
+  ingress:
+    hosts:
+    - host: vaas
+      paths:
+      - path: /auth(/|$)(.*)
+        pathType: ImplementationSpecific
+        service:
+          name: provider
+          port: 8080
+    tls: []
+
+gateway:
+  ingress:
+    hosts:
+      - host: vaas
+        paths:
+          - path: /ws
+            pathType: ImplementationSpecific
+            service:
+              name: gateway
+              port: 9090
+      - host: vaas
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            service:
+              name: gateway
+              port: 8080
+    tls: []
+  uploadUrl: "http://vaas/upload"
+```
+
+Replace the "vaas" with your hostname in the following values:
+
+* mini-identity-provider.issuer
+* mini-identity-provider.ingress.hosts.0.host
+* gateway.ingress.0.host
+* gateway.ingress.1.host
+* gateway.uploadUrl
diff --git a/charts/vaas/Chart.lock b/charts/vaas/Chart.lock
@@ -0,0 +1,12 @@
+dependencies:
+- name: redis
+  repository: https://charts.bitnami.com/bitnami
+  version: 18.1.5
+- name: gdscan
+  repository: https://gdatasoftwareag.github.io/gdscan/
+  version: 1.4.5
+- name: mini-identity-provider
+  repository: oci://ghcr.io/gdatasoftwareag
+  version: 0.1.12
+digest: sha256:3a41433c3889a01631545c8346e9bb60194d0c571a31e2b7913d19a4ba03f3a5
+generated: "2024-01-16T09:02:43.648745472+01:00"
diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: vaas
+version: 1.0.0
+description: Deployment of a Verdict-as-a-Service on-premise instance
+maintainers:
+  - name: G DATA CyberDefense AG
+    email: [email protected]
+type: application
+dependencies:
+  - name: redis
+    version: 18.1.5
+    condition: redis.enabled
+    repository: https://charts.bitnami.com/bitnami
+  - name: gdscan
+    version: 1.4.5
+    condition: gdscan.enabled
+    repository: https://gdatasoftwareag.github.io/gdscan/
+  - name: mini-identity-provider
+    version: 0.1.12
+    condition: mini-identity-provider.enabled
+    repository: oci://ghcr.io/gdatasoftwareag
diff --git a/charts/vaas/templates/gateway/NOTES.txt b/charts/vaas/templates/gateway/NOTES.txt
@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.gateway.ingress.enabled }}
+{{- range $host := .Values.gateway.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.gateway.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.gateway.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gateway.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.gateway.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "gateway.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "gateway.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.gateway.service.port }}
+{{- else if contains "ClusterIP" .Values.gateway.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "gateway.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
diff --git a/charts/vaas/templates/gateway/_helpers.tpl b/charts/vaas/templates/gateway/_helpers.tpl
@@ -0,0 +1,87 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "gateway.name" -}}
+{{- default .Chart.Name .Values.gateway.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "gateway.fullname" -}}
+{{- if .Values.gateway.fullnameOverride }}
+{{- .Values.gateway.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.gateway.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.imagePullSecrets" -}}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+  {{- if .Values.imagePullSecret }}
+  - name: {{ .Release.Name }}-registry-secret
+  {{- end }}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gateway.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "gateway.labels" -}}
+helm.sh/chart: {{ include "gateway.chart" . }}
+{{ include "gateway.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "gateway.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "gateway.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create environment variables to configure gateway container.
+*/}}
+{{- define "gateway.env" }}
+- name: Authentication__Schemes__Bearer__Authority
+  value: {{.Values.gateway.authentication.authority}} 
+- name: Authentication__Schemes__Bearer__RequireHttpsMetadata
+  value: "false"
+- name: Upload__Endpoint
+  value: {{.Values.gateway.uploadUrl}}
+- name: JwtSettings__Secret
+  value: {{ randAlphaNum 64 }}
+{{- if .Values.gateway.cloudhashlookup.enabled }}
+- name: VerdictAsAService__Url
+  value: {{ .Values.gateway.options.url | quote }}
+- name: VerdictAsAService__TokenUrl
+  value: {{ .Values.gateway.options.tokenurl | quote }}
+- name: VerdictAsAService__Credentials__GrantType
+  value: {{ .Values.gateway.options.credentials.granttype | quote }}
+- name: VerdictAsAService__Credentials__ClientId
+  value: {{ .Values.gateway.options.credentials.clientid | quote }}
+- name: VerdictAsAService__Credentials__ClientSecret
+  {{ toYaml .Values.gateway.options.credentials.clientsecret }}
+{{- end }}
+{{- end }}