From 480786334aabd79c86793aade0ecf5dbaddb00f5 Mon Sep 17 00:00:00 2001 
From: doxthree Date: Tue, 16 Jan 2024 10:20:34 +0100 Subject: [PATCH] Create vaas chart * Move existing charts into repo * WIP add deployment for gateway * add ingress sts and np * add more to charts * fix folder stucture * move yamls to correct folder * chanhe structure again * remove whitespaces * Mini Identity Provider * Gateway starts * WIP * This state is working properly out of the box but needs refinement with full team * remove classname * fix handling with secrets & edit readme * add chart repo to command * add ct config for linting * fix path * add username * add pw for oci * remove oci * remove login * update * add oci repo * increase helm version * remove spaces * add cr token --------- Co-authored-by: Kevin Heise Co-authored-by: Lennart Dohmann Co-authored-by: PT-ATA No One --- .github/chart-testing-config.yaml | 3 + .github/workflows/ci.yaml | 50 ++++ .gitignore | 6 + README.md | 175 ++++++++++++- charts/vaas/Chart.lock | 12 + charts/vaas/Chart.yaml | 21 ++ charts/vaas/templates/gateway/NOTES.txt | 22 ++ charts/vaas/templates/gateway/_helpers.tpl | 87 +++++++ charts/vaas/templates/gateway/ingress.yaml | 60 +++++ .../vaas/templates/gateway/networkpolicy.yaml | 28 ++ .../gateway/poddisruptionbudget.yaml | 11 + charts/vaas/templates/gateway/secret.yaml | 10 + charts/vaas/templates/gateway/service.yaml | 19 ++ .../templates/gateway/servicemonitor.yaml | 15 ++ .../vaas/templates/gateway/statefulset.yaml | 60 +++++ charts/vaas/values.yaml | 241 ++++++++++++++++++ helm.sh | 13 + 17 files changed, 831 insertions(+), 2 deletions(-) create mode 100644 .github/chart-testing-config.yaml create mode 100644 .github/workflows/ci.yaml create mode 100644 .gitignore create mode 100644 charts/vaas/Chart.lock create mode 100644 charts/vaas/Chart.yaml create mode 100644 charts/vaas/templates/gateway/NOTES.txt create mode 100644 charts/vaas/templates/gateway/_helpers.tpl create mode 100644 charts/vaas/templates/gateway/ingress.yaml create mode 100644 
charts/vaas/templates/gateway/networkpolicy.yaml create mode 100644 charts/vaas/templates/gateway/poddisruptionbudget.yaml create mode 100644 charts/vaas/templates/gateway/secret.yaml create mode 100644 charts/vaas/templates/gateway/service.yaml create mode 100644 charts/vaas/templates/gateway/servicemonitor.yaml create mode 100644 charts/vaas/templates/gateway/statefulset.yaml create mode 100644 charts/vaas/values.yaml create mode 100755 helm.sh diff --git a/.github/chart-testing-config.yaml b/.github/chart-testing-config.yaml new file mode 100644 index 0000000..968678b --- /dev/null +++ b/.github/chart-testing-config.yaml @@ -0,0 +1,3 @@ +chart-repos: + - bitnami=https://charts.bitnami.com/bitnami/ + - gdscan=https://gdatasoftwareag.github.io/gdscan/ \ No newline at end of file diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..cf27ebc --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,50 @@ +name: Release Charts + +on: + push: + branches: + - main + tags: + - "*" + pull_request: + branches: + - main + +env: + HELM_EXPERIMENTAL_OCI: 1 + +jobs: + release: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + - name: Install Helm + uses: azure/setup-helm@v3 + with: + version: v3.13.3 + + - name: Install python + uses: actions/setup-python@v4 + with: + python-version: 3.7 + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.6.1 + + - name: Run chart-testing (lint) + run: ct lint --config .github/chart-testing-config.yaml --validate-maintainers=false --charts charts/vaas + + - name: Run chart-releaser + if: github.ref == 'refs/heads/main' + uses: helm/chart-releaser-action@v1.5.0 + env: + CR_TOKEN: "${{ secrets.CR_TOKEN }}" \ No newline at end of file 
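Review bot: Every `uses:` in the job is pinned to a mutable tag (`actions/checkout@v3`, `azure/setup-helm@v3`, `actions/setup-python@v4`, `helm/chart-testing-action@v2.6.1`, `helm/chart-releaser-action@v1.5.0`), and the release step hands `secrets.CR_TOKEN`, presumably a token that can push to this repository, to the last of them, so a retagged action would run with that token on every push to main. Pin each action to a full commit SHA with the tag kept in a trailing comment, and add a top-level `permissions:` block (`permissions:\n  contents: read` is enough for the steps shown, since publishing goes through `CR_TOKEN`) so the job's `GITHUB_TOKEN` is not left at the repository default. `python-version: 3.7` is an unquoted YAML float; write `python-version: "3.7"` so a later bump to 3.10 is not read as 3.1. `HELM_EXPERIMENTAL_OCI` has been unnecessary since OCI support became GA in Helm 3.8 and can be dropped from `env:`.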
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..65999cf
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+.idea/
+.vscode/
+*.log
+*-locale.yaml
+*.tgz
+.fleet/
\ No newline at end of file
diff --git a/README.md b/README.md
index 1ec3ea2..575e4d7 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,173 @@ -# vaas-helm -Helm Chart for VaaS on-premise +# Verdict-as-a-Service Helm Chart + +Vaas helm is a chart for deploying Verdict-as-a-Service on-premise. + +## Install Verdict-as-a-Service + +1. Create a minimal values.yaml file: + +The token has to be set in the `global.secret.dockerconfigjson` variable on deployment. + +```yaml +# values.yaml +global: + secret: + dockerconfigjson: $$_BASE64_ENCODED_JSON_CONTAINING_TOKEN_$$ +``` + +Copy the `secret.yaml` you got from G DATA to the template folder. + + +2. Add the helm repository: + +```bash +helm repo add vaas https://gdatasoftwareag.github.io/vaas/ +``` + +3. Install Verdict-as-a-Service: + +```bash +helm install vaas gdatasoftware/vaas -f values.yaml +``` + +### Updating Verdict-as-a-Service + +```bash +helm repo update +helm upgrade vaas gdatasoftware/vaas -f values.yaml +``` + +# Verdict-as-a-Service on-premise + +## Getting started + +### Deploy Verdict-as-a-Service in a Minikube test-environment + +* Start Minikube: + +``` +minikube start --cpus="6" --memory="6g" --addons ingress +``` + +* Check your Minikube IP: ```minikube ip``` + +* Add Minikube IP to your /etc/hosts: + +``` + vaas +``` + +* Run ```minikube dashboard``` + +* Deploy the VaaS helm chart: ```./helm.sh``` + +* Check the "Workload status" in the Minikube dashboard and wait until it is green + +### Use Verdict-as-a-Service with the Java SDK + +* Make sure that Java 17 & Gradle is installed + +* Extract Client secret with this command + +``` +export CLIENT_SECRET=$(kubectl get secret -n vaas vaas-client-secret -o jsonpath="{.data.secret}" | base64 -d) +``` + +* Set these environment variables for testing your local instance + +``` +export CLIENT_ID=vaas +export SCAN_PATH= +export VAAS_URL=ws://vaas/ws +export TOKEN_URL=http://vaas/auth/protocol/openid-connect/token +``` + +* Execute FileScan example in Java SDK example folder + +``` +./gradlew fileScan +``` + +## Configuring Verdict-as-a-Service + +| Parameter | Description | 
Value | +|-------------|-------------|-------| +| `ingress.enabled` | Enable/Disable the Ingress resource | `false` | +| `ingress.annotations` | Additional annotations for Ingress | `{}` | +| `ingress.hosts` | Hostnames and paths for Ingress | `[]` | +| `ingress.tls` | TLS configuration for Ingress | `[]` | +| `authentication.authority` | Authority for authentication | `""` | +| `nameOverride` | Overrides the application name | `""` | +| `fullnameOverride` | Overrides the full name | `""` | +| `networkPolicy.enabled` | Enable/Disable the default Network Policy | `false` | +| `secret.dockerconfigjson` | Docker authentication configuration | `""` | +| `service.type` | Type of Kubernetes service | `""` | +| `service.http.port` | HTTP port for the service | `8080` | +| `service.ws.port` | WebSocket port for the service | `9090` | +| `podDisruptionBudget.minAvailable` | Minimum available pods in case of disruption | `1` | +| `replicaCount` | Number of replicas | `1` | +| `revisionHistoryLimit` | Number of revisions in history | `1` | +| `resources.limits.memory` | Maximum memory usage | `512Mi` | +| `resources.requests.cpu` | Requested CPU performance | `0.5` | +| `resources.requests.memory` | Requested memory usage | `256Mi` | +| `containerSecurityContext.enabled` | Enable/Disable container security context | `false` | +| `cloudhashlookup.enabled` | Enable/Disable cloud hash lookup | `false` | +| `uploadUrl` | URL for the upload service | `"http://localhost:8080/upload"` | +| `imagePullSecrets` | List of image pull secrets | `- name: registry` | +| `podAnnotations` | Annotations for pods | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `gdscan.nodeSelector` | gdscan Node labels for pod assignment | `{}` | +| `mini-identity-provider.nodeSelector` | mini-identity-provider Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pods | `[]` | +| `affinity` | Affinity settings for pods | `{}` | + + +### Production environment + +In 
production you will have to configure a few values. + +#### Ingress +The default hostname is "vaas". To change it and provide a tls configuration, add this to your values.yaml: + +```yaml +mini-identity-provider: + issuer: "http://vaas/auth" + ingress: + hosts: + - host: vaas + paths: + - path: /auth(/|$)(.*) + pathType: ImplementationSpecific + service: + name: provider + port: 8080 + tls: [] + +gateway: + ingress: + hosts: + - host: vaas + paths: + - path: /ws + pathType: ImplementationSpecific + service: + name: gateway + port: 9090 + - host: vaas + paths: + - path: / + pathType: ImplementationSpecific + service: + name: gateway + port: 8080 + tls: [] + uploadUrl: "http://vaas/upload" +``` + +Replace the "vaas" with your hostname in the following values: + +* mini-identity-provider.issuer +* mini-identity-provider.ingress.hosts.0.host +* gateway.ingress.0.host +* gateway.ingress.1.host +* gateway.uploadUrl diff --git a/charts/vaas/Chart.lock b/charts/vaas/Chart.lock new file mode 100644 index 0000000..5fc774f --- /dev/null +++ b/charts/vaas/Chart.lock @@ -0,0 +1,12 @@ +dependencies: +- name: redis + repository: https://charts.bitnami.com/bitnami + version: 18.1.5 +- name: gdscan + repository: https://gdatasoftwareag.github.io/gdscan/ + version: 1.4.5 +- name: mini-identity-provider + repository: oci://ghcr.io/gdatasoftwareag + version: 0.1.12 +digest: sha256:3a41433c3889a01631545c8346e9bb60194d0c571a31e2b7913d19a4ba03f3a5 +generated: "2024-01-16T09:02:43.648745472+01:00" diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml new file mode 100644 index 0000000..d6fef30 --- /dev/null +++ b/charts/vaas/Chart.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v2 +name: vaas +version: 1.0.0 +description: Deployment of a Verdict-as-a-Service on-premise instance +maintainers: + - name: G DATA CyberDefense AG + email: oem@gdata.de +type: application +dependencies: + - name: redis + version: 18.1.5 + condition: redis.enabled + repository: https://charts.bitnami.com/bitnami + - name: gdscan + version: 1.4.5 + condition: gdscan.enabled + repository: https://gdatasoftwareag.github.io/gdscan/ + - name: mini-identity-provider + version: 0.1.12 + condition: mini-identity-provider.enabled + repository: oci://ghcr.io/gdatasoftwareag diff --git a/charts/vaas/templates/gateway/NOTES.txt b/charts/vaas/templates/gateway/NOTES.txt new file mode 100644 index 0000000..13b159b --- /dev/null +++ b/charts/vaas/templates/gateway/NOTES.txt 
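Review bot: `condition: gdscan.enabled` on the gdscan dependency points at a key that values.yaml in this commit never defines (the `gdscan:` block has no `enabled`), while `redis.enabled` and `mini-identity-provider.enabled` are both set. Helm ignores a condition whose path does not exist, so the subchart is enabled by accident and there is no documented way to switch it off. Add `enabled: true` under `gdscan:` in values.yaml so the three dependencies behave the same way.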
@@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.gateway.ingress.enabled }} +{{- range $host := .Values.gateway.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.gateway.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.gateway.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gateway.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.gateway.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "gateway.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "gateway.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.gateway.service.port }} +{{- else if contains "ClusterIP" .Values.gateway.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "gateway.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/charts/vaas/templates/gateway/_helpers.tpl b/charts/vaas/templates/gateway/_helpers.tpl new file mode 100644 index 0000000..30dfead --- /dev/null 
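Review bot: The LoadBalancer branch prints `{{ .Values.gateway.service.port }}`, but values.yaml in this commit defines only `gateway.service.http.port` and `gateway.service.ws.port`, so the rendered hint ends in `http://$SERVICE_IP:` with no port. Change it to `echo http://$SERVICE_IP:{{ .Values.gateway.service.http.port }}`. The ClusterIP branch hard-codes `127.0.0.1:8080` for the port-forward even though the service port is configurable; using `{{ .Values.gateway.service.http.port }}` there too keeps the notes consistent with the values.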
+++ b/charts/vaas/templates/gateway/_helpers.tpl 
@@ -0,0 +1,87 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "gateway.name" -}} +{{- default .Chart.Name .Values.gateway.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "gateway.fullname" -}} +{{- if .Values.gateway.fullnameOverride }} +{{- .Values.gateway.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.gateway.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "gateway.imagePullSecrets" -}} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- if .Values.imagePullSecret }} + - name: {{ .Release.Name }}-registry-secret + {{- end }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gateway.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "gateway.labels" -}} +helm.sh/chart: {{ include "gateway.chart" . }} +{{ include "gateway.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "gateway.selectorLabels" -}} +app.kubernetes.io/name: {{ include "gateway.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create environment variables to configure gateway container. 
+*/}} +{{- define "gateway.env" }} +- name: Authentication__Schemes__Bearer__Authority + value: {{.Values.gateway.authentication.authority}} +- name: Authentication__Schemes__Bearer__RequireHttpsMetadata + value: "false" +- name: Upload__Endpoint + value: {{.Values.gateway.uploadUrl}} +- name: JwtSettings__Secret + value: {{ randAlphaNum 64 }} +{{- if .Values.gateway.cloudhashlookup.enabled }} +- name: VerdictAsAService__Url + value: {{ .Values.gateway.options.url | quote }} +- name: VerdictAsAService__TokenUrl + value: {{ .Values.gateway.options.tokenurl | quote }} +- name: VerdictAsAService__Credentials__GrantType + value: {{ .Values.gateway.options.credentials.granttype | quote }} +- name: VerdictAsAService__Credentials__ClientId + value: {{ .Values.gateway.options.credentials.clientid | quote }} +- name: VerdictAsAService__Credentials__ClientSecret + {{ toYaml .Values.gateway.options.credentials.clientsecret }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/vaas/templates/gateway/ingress.yaml b/charts/vaas/templates/gateway/ingress.yaml new file mode 100644 index 0000000..1d8f5e7 --- /dev/null +++ b/charts/vaas/templates/gateway/ingress.yaml 
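Review bot: `gateway.env` sets `JwtSettings__Secret` to `{{ randAlphaNum 64 }}`, which is re-evaluated on every render, so each `helm upgrade` produces a new signing key and invalidates every token issued before it, and the key ends up as a plain `value:` in the StatefulSet pod spec where anyone who can read pods sees it. Generate it once into a Secret (reusing an existing value via `lookup`, or accepting it from a value such as `gateway.jwtSecret`) and reference it with `valueFrom.secretKeyRef`, the shape that `VerdictAsAService__Credentials__ClientSecret` already supports through `toYaml .Values.gateway.options.credentials.clientsecret`. `Authentication__Schemes__Bearer__RequireHttpsMetadata` is hard-coded to `"false"`; it should come from a value so a deployment that terminates TLS in front of the provider can turn it on. Separately, `gateway.imagePullSecrets` keys on `.Values.imagePullSecret` and emits `{{ .Release.Name }}-registry-secret`, while secret.yaml in this commit creates a Secret named `registry` under `.Values.global.imagePullSecrets`; the helper and the template need to agree on one value and one name.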
@@ -0,0 +1,60 @@ +{{- if .Values.gateway.ingress.enabled -}} +{{- $fullName := include "gateway.fullname" . -}} +{{- if and .Values.gateway.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.gateway.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.gateway.ingress.annotations "kubernetes.io/ingress.class" .Values.gateway.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.gateway.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.gateway.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.gateway.ingress.className }} + {{- end }} + {{- if .Values.gateway.ingress.tls }} + tls: + {{- range .Values.gateway.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.gateway.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ .service.name }} + port: + number: {{ .service.port }} + {{- else }} + serviceName: {{ .service.name }} + servicePort: {{ .service.port }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file 
diff --git a/charts/vaas/templates/gateway/networkpolicy.yaml b/charts/vaas/templates/gateway/networkpolicy.yaml new file mode 100644 index 0000000..01766a6 --- /dev/null +++ b/charts/vaas/templates/gateway/networkpolicy.yaml @@ -0,0 +1,28 @@ +{{- if .Values.gateway.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "gateway.fullname" . }} + labels: + {{- include "gateway.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + - Egress + ingress: + - from: + ports: + - port: 8080 # Http + - port: 9090 # Websocket + egress: + - to: + ports: + - port: 443 # VerdictRequestForUrl + - port: 80 # VerdictRequestForUrl + - port: 6379 # Redis + - port: 8080 # GdScan + - port: 9090 # Cloud Gateway +{{- end }} \ No newline at end of file diff --git a/charts/vaas/templates/gateway/poddisruptionbudget.yaml b/charts/vaas/templates/gateway/poddisruptionbudget.yaml new file mode 100644 index 0000000..3bab721 --- /dev/null +++ b/charts/vaas/templates/gateway/poddisruptionbudget.yaml @@ -0,0 +1,11 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "gateway.fullname" . }} + labels: + {{- include "gateway.selectorLabels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + minAvailable: {{ .Values.gateway.podDisruptionBudget.minAvailable }} \ No newline at end of file diff --git a/charts/vaas/templates/gateway/secret.yaml b/charts/vaas/templates/gateway/secret.yaml new file mode 100644 index 0000000..0495eef --- /dev/null +++ b/charts/vaas/templates/gateway/secret.yaml 
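Review bot: The egress rule allows only the listed ports (443, 80, 6379, 8080, 9090, all TCP by default) and nothing on port 53, so with `gateway.networkPolicy.enabled` (default `true` in this commit's values.yaml) the gateway pod cannot resolve `provider`, `redis`, `gdscan` or any external host through cluster DNS. Add a DNS entry to `egress`, `- ports: [{port: 53, protocol: UDP}, {port: 53, protocol: TCP}]`, and for the in-cluster ports give the rule a real `to:` (`podSelector`/`namespaceSelector` for the redis, gdscan and provider pods) instead of the empty `to:`, which matches every destination. The empty `from:` on the ingress rule is presumably intentional so the ingress controller can reach 8080/9090, but that deserves a comment on the rule, e.g. `# from: intentionally unrestricted; the ingress controller lives in another namespace`.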
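Review bot: poddisruptionbudget.yaml is rendered unconditionally with `minAvailable: {{ .Values.gateway.podDisruptionBudget.minAvailable }}`, and values.yaml in this commit sets `minAvailable: 1` next to `replicaCount: 1`, so the single gateway pod can never be voluntarily evicted and a `kubectl drain` of its node blocks until someone edits the budget. Guard the template with `{{- if gt (int .Values.gateway.replicaCount) 1 }}` (or an explicit `podDisruptionBudget.enabled` flag) so the default single-replica install does not stall node maintenance. The PDB's `labels:` use `gateway.selectorLabels` while every other resource in this commit uses `gateway.labels`; aligning them keeps the chart's label set uniform.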
@@ -0,0 +1,10 @@ +{{- if .Values.global.imagePullSecrets }} +apiVersion: v1 +kind: Secret +metadata: + name: registry + namespace: {{ .Release.Namespace }} +data: + .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" .Values.global.secret.dockerconfigjson }} +type: kubernetes.io/dockerconfigjson +{{- end -}} \ No newline at end of file diff --git a/charts/vaas/templates/gateway/service.yaml b/charts/vaas/templates/gateway/service.yaml new file mode 100644 index 0000000..5b73200 --- /dev/null +++ b/charts/vaas/templates/gateway/service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gateway.fullname" . }} + labels: + {{- include "gateway.labels" . | nindent 4 }} +spec: + type: {{ .Values.gateway.service.type }} + ports: + - port: {{ .Values.gateway.service.http.port }} + targetPort: http + protocol: TCP + name: http + - port: {{ .Values.gateway.service.ws.port }} + targetPort: ws + protocol: TCP + name: ws + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} diff --git a/charts/vaas/templates/gateway/servicemonitor.yaml b/charts/vaas/templates/gateway/servicemonitor.yaml new file mode 100644 index 0000000..f1926be --- /dev/null +++ b/charts/vaas/templates/gateway/servicemonitor.yaml @@ -0,0 +1,15 @@ +{{- if .Values.gateway.metrics.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "gateway.fullname" . }} + labels: + {{- include "gateway.labels" . | nindent 4 }} +spec: + endpoints: + - port: {{ .Values.gateway.metrics.port | quote }} + path: {{ .Values.gateway.metrics.path }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 8 }} +{{- end }} diff --git a/charts/vaas/templates/gateway/statefulset.yaml b/charts/vaas/templates/gateway/statefulset.yaml new file mode 100644 index 0000000..92ed189 --- /dev/null +++ b/charts/vaas/templates/gateway/statefulset.yaml 
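Review bot: secret.yaml renders the `registry` Secret only when `.Values.global.imagePullSecrets` is non-empty, but that list (default `[]`) holds the names of pre-existing secrets that the `gateway.imagePullSecrets` helper iterates, so a user who follows the README and sets only `global.secret.dockerconfigjson` gets no Secret and no `imagePullSecrets` entry, while a user who lists an existing secret name gets an extra Secret named `registry` that nothing references. Condition the template on the value it consumes, `{{- if .Values.global.secret.dockerconfigjson }}`, add `secret: {dockerconfigjson: ""}` under `global:` in values.yaml so that path is always defined, and have the helper emit `- name: registry` under the same condition. The Secret is also fixed-named and carries no `gateway.labels`, unlike the other resources in this commit; `name: {{ include "gateway.fullname" . }}-registry` avoids a clash when two releases share a namespace.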
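Review bot: In servicemonitor.yaml the endpoint is written as `port: {{ .Values.gateway.metrics.port | quote }}`, but a ServiceMonitor's `endpoints[].port` is the name of a Service port, not a number; with this commit's values (`metrics.port: 8080`) it renders `port: "8080"`, which matches neither the `http` nor the `ws` port name in service.yaml, so the operator selects the Service but has no port to scrape. Either reference the named port, `port: http`, or use `targetPort: {{ .Values.gateway.metrics.port }}`, which accepts a number. The `matchLabels` are emitted with `nindent 8` under a key at four spaces; it parses, but `nindent 6` matches the rest of the chart.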
@@ -0,0 +1,60 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "gateway.fullname" . }} + labels: + {{- include "gateway.labels" . | nindent 4 }} +spec: + serviceName: {{ include "gateway.fullname" . }} + {{- if not .Values.gateway.autoscaling.enabled }} + replicas: {{ .Values.gateway.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.gateway.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.gateway.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.selectorLabels" . | nindent 8 }} + spec: + {{- include "gateway.imagePullSecrets" . | nindent 6 }} + volumes: + - name: gateway-tmp + emptyDir: {} + containers: + - name: {{ include "gateway.name" . }} + securityContext: + readOnlyRootFilesystem: true + image: '{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag | default "latest" }}' + imagePullPolicy: {{ .Values.gateway.image.pullPolicy }} + volumeMounts: + - mountPath: /tmp + name: gateway-tmp + env: + {{- include "gateway.env" . | nindent 12 }} + ports: + - name: http + containerPort: {{ .Values.gateway.service.http.port }} + protocol: TCP + - name: ws + containerPort: {{ .Values.gateway.service.ws.port }} + protocol: TCP + resources: + {{- toYaml .Values.gateway.resources | nindent 12 }} + {{- with .Values.gateway.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.gateway.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.gateway.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml new file mode 100644 index 0000000..c443c14 --- /dev/null +++ b/charts/vaas/values.yaml 
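Review bot: The gateway container's `securityContext` sets only `readOnlyRootFilesystem: true`; `gateway.containerSecurityContext.enabled`, which values.yaml and the README in this commit both expose, is never read by the template, so flipping it changes nothing. Wire the flag to the remaining hardening fields as below; it defaults to `false`, so the default install is unchanged, but confirm the gateway image runs as a non-root user before relying on `runAsNonRoot`, since the pod will not start otherwise. The `replicas:` guard on `gateway.autoscaling.enabled` refers to an HPA that no template in this commit creates, and `{{ .Values.gateway.image.tag | default "latest" }}` should be quoted so a numeric-looking tag such as `1.0` is not coerced to `1`.
```yaml
      containers:
        - name: {{ include "gateway.name" . }}
          securityContext:
            readOnlyRootFilesystem: true
            {{- if .Values.gateway.containerSecurityContext.enabled }}
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop: ["ALL"]
            {{- end }}
          # … unchanged: image, imagePullPolicy, volumeMounts, env, ports, resources …
```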
@@ -0,0 +1,241 @@ +global: + imagePullSecrets: [] + +mini-identity-provider: + issuer: "http://vaas/auth" + enabled: true + ingress: + className: "" + enabled: true + annotations: + nginx.ingress.kubernetes.io/use-regex: "true" + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/x-forwarded-prefix: "/auth" + hosts: + - host: vaas + paths: + - path: /auth(/|$)(.*) + pathType: ImplementationSpecific + service: + name: provider + port: 8080 + tls: [] + + image: + repository: ghcr.io/gdatasoftwareag/vaas/mini-identity-provider + pullPolicy: Always + tag: 0.1.4 + + service: + type: ClusterIP + http: + port: 8080 + + networkPolicy: + enabled: true + + podAnnotations: {} + nodeSelector: {} + tolerations: [] + affinity: {} + +gateway: + ingress: + enabled: true + className: "" + annotations: {} + hosts: + - host: vaas + paths: + - path: /ws + pathType: ImplementationSpecific + service: + name: gateway + port: 9090 + - host: vaas + paths: + - path: / + pathType: ImplementationSpecific + service: + name: gateway + port: 8080 + tls: [] + + authentication: + authority: http://provider:8080/ + + nameOverride: "" + fullnameOverride: "" + + networkPolicy: + enabled: true + + service: + type: ClusterIP + http: + port: 8080 + ws: + port: 9090 + + metrics: + enabled: false + port: 8080 + path: /metrics + + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPU: 75 + metrics: + + podDisruptionBudget: + minAvailable: 1 + + replicaCount: 1 + revisionHistoryLimit: 1 + resources: + limits: + memory: 512Mi + requests: + cpu: 0.5 + memory: 256Mi + + containerSecurityContext: + enabled: false + + image: + repository: ghcr.io/gdatasoftwareag/vaas/gateway + pullPolicy: Always + tag: 1.0.2 + + cloudhashlookup: + enabled: false + + uploadUrl: "http://vaas/upload" + + options: + url: "wss://gateway.production.vaas.gdatasecurity.de" + tokenurl: "https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token" + credentials: + 
granttype: "ClientCredentials" + clientid: "" + clientsecret: + value: "" + + podAnnotations: {} + nodeSelector: {} + tolerations: [] + affinity: {} + + # This block is only for G DATA's internal usage. + hashlookup: + enabled: false + apikey: + value: "" + usageevents: + enabled: false + gdscanUrl: "http://gdscan:8080/scan/body" + + +gdscan: + replicaCount: 1 + deploymentStrategy: "Recreate" + server: + name: server + image: + repository: ghcr.io/gdatasoftwareag/vaas/scanserver + pullPolicy: Always + tag: 1.9.4 + containerSecurityContext: + enabled: false + client: + name: client + image: + repository: ghcr.io/gdatasoftwareag/vaas/scanner + pullPolicy: Always + tag: 1.9.4 + containerSecurityContext: + enabled: false + terminationGracePeriodSeconds: 30 + + nameOverride: "" + fullnameOverride: "gdscan" + + podAnnotations: {} + + service: + type: "ClusterIP" + port: 8080 + + metrics: + servicemonitor: + enabled: false + port: 8080 + path: /metrics + + resources: + server: + limits: + memory: 2Gi + requests: + cpu: 0.15 + memory: 2Gi + client: + limits: + memory: 1Gi + requests: + cpu: 1 + memory: 512Mi + + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPU: 75 + metrics: + + nodeSelector: {} + + tolerations: [] + + affinity: {} + + persistence: + enabled: true + size: 2Gi + accessMode: ReadWriteOnce + + autoUpdate: + image: + registry: docker.io + repository: bitnami/kubectl + tag: latest + containerSecurityContext: + enabled: false + enabled: true + schedule: "0 * * * *" + networkPolicy: + enabled: true + k8sApiPort: 6443 + +redis: + enabled: true + architecture: standalone + fullnameOverride: redis + auth: + enabled: false + master: + disableCommands: [] + resources: + limits: + memory: 128Mi + requests: + cpu: 100m + memory: 64Mi + persistence: + enabled: false + containerSecurityContext: + enabled: false + networkPolicy: + enabled: true diff --git a/helm.sh b/helm.sh new file mode 100755 index 0000000..9b01897 --- /dev/null +++ b/helm.sh 
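Review bot: The bundled redis is enabled with `auth.enabled: false`, so the `redis.networkPolicy` and `gateway.networkPolicy` blocks are the only thing keeping the verdict cache from other workloads, and on a cluster whose CNI does not enforce NetworkPolicy this is an unauthenticated Redis reachable from every namespace. `gdscan.autoUpdate` also runs `docker.io/bitnami/kubectl` with `tag: latest` on the hourly `schedule: "0 * * * *"`, presumably against the API server given `k8sApiPort: 6443`, so an unreviewed image change is pulled straight into a job with cluster access; pin it, e.g. `tag: "<PINNED_KUBECTL_VERSION>"` (a digest is better still). Turning Redis auth on would require the gateway to receive the password, and nothing in `gateway.env` in this commit passes a Redis setting, so that change needs the image's configuration surface confirmed first. `autoscaling.metrics:` is left without a value in both the `gateway` and `gdscan` blocks and renders as `null`; `metrics: []` is the safer default if a template ever feeds it to `toYaml`.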
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+if [ "$#" -eq 0 ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+VALUES_FILE=$1
+
+helm lint charts/vaas -f $VALUES_FILE
+helm template charts/vaas -f $VALUES_FILE --debug
+helm uninstall vaas -n vaas
+helm install vaas charts/vaas -f $VALUES_FILE -n vaas --create-namespace
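Review bot: helm.sh runs without `set -e`, so a failing `helm lint` or `helm template` does not stop the script and the `helm install` on the last line goes ahead anyway, and `$VALUES_FILE` is expanded unquoted on every helm line, which breaks on paths containing spaces. Add `set -euo pipefail`, quote `"$VALUES_FILE"`, and tolerate uninstalling a release that does not exist yet with `|| true`, since under `set -e` the first run would otherwise abort at that line. The usage message prints `Usage: $0 ` with nothing after the script name; the placeholder was probably lost, so `echo "Usage: $0 VALUES_FILE"` makes it useful again.
```shell
set -euo pipefail

# … unchanged: usage check …

VALUES_FILE=$1

helm lint charts/vaas -f "$VALUES_FILE"
helm template charts/vaas -f "$VALUES_FILE" --debug
helm uninstall vaas -n vaas || true
helm install vaas charts/vaas -f "$VALUES_FILE" -n vaas --create-namespace
```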