From b2eb60318c69348fd6e336a877383ad6090e19af Mon Sep 17 00:00:00 2001 
From: Kevin Heise Date: Thu, 30 Nov 2023 11:38:02 +0100 Subject: [PATCH 01/25] Move existing charts into repo --- .gitignore | 0 charts/vaas/Chart.yaml | 24 ++++ charts/vaas/_helpers.tpl | 99 +++++++++++++++ charts/vaas/gateway/.helmignore | 23 ++++ charts/vaas/gateway/templates/NOTES.txt | 22 ++++ charts/vaas/gateway/templates/_helpers.tpl | 62 +++++++++ charts/vaas/gateway/templates/deployment.yaml | 61 +++++++++ charts/vaas/gateway/templates/hpa.yaml | 28 ++++ charts/vaas/gateway/templates/ingress.yaml | 61 +++++++++ charts/vaas/gateway/templates/service.yaml | 15 +++ .../gateway/templates/serviceaccount.yaml | 12 ++ .../templates/tests/test-connection.yaml | 15 +++ charts/vaas/scanner/Chart.yaml | 24 ++++ charts/vaas/scanner/templates/deployment.yaml | 110 ++++++++++++++++ charts/vaas/scanner/templates/hpa.yaml | 30 +++++ charts/vaas/scanner/templates/ingress.yaml | 61 +++++++++ charts/vaas/scanner/templates/pvc.yaml | 16 +++ charts/vaas/scanner/templates/secret.yaml | 10 ++ charts/vaas/scanner/templates/service.yaml | 15 +++ .../scanner/templates/serviceaccount.yaml | 12 ++ .../scanner/templates/servicemonitor.yaml | 15 +++ .../vaas/scanner/templates/statefulset.yaml | 120 ++++++++++++++++++ .../templates/tests/test-connection.yaml | 15 +++ charts/vaas/scanner/templates/update.yaml | 94 ++++++++++++++ charts/vaas/values.yaml | 99 +++++++++++++++ 25 files changed, 1043 insertions(+) create mode 100644 .gitignore create mode 100644 charts/vaas/Chart.yaml create mode 100644 charts/vaas/_helpers.tpl create mode 100644 charts/vaas/gateway/.helmignore create mode 100644 charts/vaas/gateway/templates/NOTES.txt create mode 100644 charts/vaas/gateway/templates/_helpers.tpl create mode 100644 charts/vaas/gateway/templates/deployment.yaml create mode 100644 charts/vaas/gateway/templates/hpa.yaml create mode 100644 charts/vaas/gateway/templates/ingress.yaml create mode 100644 charts/vaas/gateway/templates/service.yaml create mode 100644 
charts/vaas/gateway/templates/serviceaccount.yaml create mode 100644 charts/vaas/gateway/templates/tests/test-connection.yaml create mode 100644 charts/vaas/scanner/Chart.yaml create mode 100644 charts/vaas/scanner/templates/deployment.yaml create mode 100644 charts/vaas/scanner/templates/hpa.yaml create mode 100644 charts/vaas/scanner/templates/ingress.yaml create mode 100644 charts/vaas/scanner/templates/pvc.yaml create mode 100644 charts/vaas/scanner/templates/secret.yaml create mode 100644 charts/vaas/scanner/templates/service.yaml create mode 100644 charts/vaas/scanner/templates/serviceaccount.yaml create mode 100644 charts/vaas/scanner/templates/servicemonitor.yaml create mode 100644 charts/vaas/scanner/templates/statefulset.yaml create mode 100644 charts/vaas/scanner/templates/tests/test-connection.yaml create mode 100644 charts/vaas/scanner/templates/update.yaml create mode 100644 charts/vaas/values.yaml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e69de29 diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml new file mode 100644 index 0000000..a3532b7 --- /dev/null +++ b/charts/vaas/Chart.yaml 
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: vaas-helm
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
diff --git a/charts/vaas/_helpers.tpl b/charts/vaas/_helpers.tpl
new file mode 100644
index 0000000..8453bdd
--- /dev/null
+++ b/charts/vaas/_helpers.tpl
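Review bot: The layout this Chart.yaml anchors will not load the helpers or the component templates: Helm only parses files under a chart's `templates/` directory, and `charts/vaas/_helpers.tpl` sits beside Chart.yaml while the `gateway/` and `scanner/` trees are neither under `templates/` nor under `charts/` as subcharts, so `helm template charts/vaas` would render nothing and the `scanner.*` defines used by the scanner templates are undefined when `charts/vaas/scanner` is rendered on its own. If a later patch in this series restructures the tree, say so in the commit message; otherwise move the helpers to `charts/vaas/templates/_helpers.tpl` and the two components under `charts/vaas/charts/`. `description: A Helm chart for Kubernetes` and `appVersion: "1.16.0"` are the `helm create` placeholders (the scanner/Chart.yaml hunk has the same ones), and because the gateway Deployment and the scanner StatefulSet fall back to `.Chart.AppVersion` for the image tag, a default install would try to pull tag `1.16.0`; set `appVersion` to the real application version or drop the fallback.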
@@ -0,0 +1,99 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "scanner.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "scanner.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "scanner.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "scanner.labels" -}} +helm.sh/chart: {{ include "scanner.chart" . }} +{{ include "scanner.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "scanner.selectorLabels" -}} +app.kubernetes.io/name: {{ include "scanner.name" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{- define "common.tplvalues.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} + +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "vaas.claimName" -}} +{{- if and .Values.persistence.existingClaim }} + {{- printf "%s" (tpl .Values.persistence.existingClaim $) -}} +{{- else -}} + {{- printf "%s" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} \ No newline at end of file diff --git a/charts/vaas/gateway/.helmignore b/charts/vaas/gateway/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/vaas/gateway/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ 
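Review bot: `scanner.fullname` and `common.names.fullname` are the same function written twice, and `pvc.yaml` names the claim with the second while `vaas.claimName` and the workloads use the first; if either copy drifts, the PVC and the pod that mounts it stop agreeing on a name. Keep one definition and make the other an alias, e.g. `{{- define "common.names.fullname" -}}{{ include "scanner.fullname" . }}{{- end -}}`. `common.storage.class` emits `storageClassName: %s` unquoted, so a class name that YAML retypes (an all-digit DNS-1123 name, for example) would reach the API as a non-string; `{{- printf "storageClassName: %s" ($storageClass | quote) -}}` avoids that. The file also lacks a trailing newline.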
diff --git a/charts/vaas/gateway/templates/NOTES.txt b/charts/vaas/gateway/templates/NOTES.txt new file mode 100644 index 0000000..5fec8e3 --- /dev/null +++ b/charts/vaas/gateway/templates/NOTES.txt @@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "vaas-helm.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "vaas-helm.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "vaas-helm.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "vaas-helm.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} 
diff --git a/charts/vaas/gateway/templates/_helpers.tpl b/charts/vaas/gateway/templates/_helpers.tpl new file mode 100644 index 0000000..8ed8047 --- /dev/null +++ b/charts/vaas/gateway/templates/_helpers.tpl 
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "vaas-helm.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "vaas-helm.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "vaas-helm.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "vaas-helm.labels" -}}
+helm.sh/chart: {{ include "vaas-helm.chart" . }}
+{{ include "vaas-helm.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "vaas-helm.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "vaas-helm.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "vaas-helm.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "vaas-helm.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/vaas/gateway/templates/deployment.yaml b/charts/vaas/gateway/templates/deployment.yaml new file mode 100644 index 0000000..8cb09d7 --- /dev/null +++ b/charts/vaas/gateway/templates/deployment.yaml @@ -0,0 +1,61 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "vaas-helm.fullname" . }} + labels: + {{- include "vaas-helm.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "vaas-helm.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "vaas-helm.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "vaas-helm.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 80 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/vaas/gateway/templates/hpa.yaml b/charts/vaas/gateway/templates/hpa.yaml new file mode 100644 index 0000000..64e2c1c --- /dev/null +++ b/charts/vaas/gateway/templates/hpa.yaml 
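Review bot: The pod template never sets `automountServiceAccountToken`, so every gateway pod gets an API token mounted under /var/run/secrets even though nothing in this template talks to the API server; with `serviceAccount.create` that is a freshly created identity whose token is exposed to anything that gets code execution in the container. Unless the gateway genuinely needs the API, add `automountServiceAccountToken: false` next to `serviceAccountName:` in the pod spec (it can alternatively be set on the ServiceAccount object). The scanner deployment and statefulset hunks have the same gap and additionally set no `serviceAccountName` at all, so they run under the namespace `default` account. `containerPort: 80` and the `/` probe paths are the `helm create` defaults; confirm they match what the gateway image actually listens on.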
@@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "vaas-helm.fullname" . }} + labels: + {{- include "vaas-helm.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "vaas-helm.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/vaas/gateway/templates/ingress.yaml b/charts/vaas/gateway/templates/ingress.yaml new file mode 100644 index 0000000..872a307 --- /dev/null +++ b/charts/vaas/gateway/templates/ingress.yaml 
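Review bot: `apiVersion: autoscaling/v2beta1` was removed from Kubernetes in 1.25, so this HorizontalPodAutoscaler fails to apply on any current cluster, while the scanner hpa hunk in the same commit already uses `autoscaling/v2`. Moving to `autoscaling/v2` also changes the metric shape from `targetAverageUtilization` to a `target: {type: Utilization, averageUtilization: …}` block, shown below. Aligning the two files on one API version and one values key (`targetCPUUtilizationPercentage` here versus `targetCPU` in the scanner hpa) would let both components share a single values schema.
```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
    {{- end }}
```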
@@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "vaas-helm.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "vaas-helm.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} 
diff --git a/charts/vaas/gateway/templates/service.yaml b/charts/vaas/gateway/templates/service.yaml new file mode 100644 index 0000000..cedd79d --- /dev/null +++ b/charts/vaas/gateway/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "vaas-helm.fullname" . }} + labels: + {{- include "vaas-helm.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "vaas-helm.selectorLabels" . | nindent 4 }} diff --git a/charts/vaas/gateway/templates/serviceaccount.yaml b/charts/vaas/gateway/templates/serviceaccount.yaml new file mode 100644 index 0000000..8c8cd06 --- /dev/null +++ b/charts/vaas/gateway/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "vaas-helm.serviceAccountName" . }} + labels: + {{- include "vaas-helm.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/vaas/gateway/templates/tests/test-connection.yaml b/charts/vaas/gateway/templates/tests/test-connection.yaml new file mode 100644 index 0000000..485515b --- /dev/null +++ b/charts/vaas/gateway/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "vaas-helm.fullname" . }}-test-connection" + labels: + {{- include "vaas-helm.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "vaas-helm.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/charts/vaas/scanner/Chart.yaml b/charts/vaas/scanner/Chart.yaml new file mode 100644 index 0000000..85de508 --- /dev/null +++ b/charts/vaas/scanner/Chart.yaml 
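Review bot: The test pod in `tests/test-connection.yaml` runs `image: busybox` with no tag or digest, so every `helm test` pulls whatever `busybox:latest` resolves to at that moment — a mutable, unpinned dependency that makes the test non-reproducible and is the one container in this chart whose contents the chart does not control. Pin it, e.g. `image: "busybox:<VERSION>@sha256:<DIGEST>"` (placeholders; take the digest from the registry), or expose it through values like the other images. The scanner copy of this test hunk has the same issue. `command: ['wget']` against `fullname:service.port` is a reasonable reachability check, but note it exercises only the Service, not the Ingress path.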
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: vaas
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
diff --git a/charts/vaas/scanner/templates/deployment.yaml b/charts/vaas/scanner/templates/deployment.yaml
new file mode 100644
index 0000000..44b31d5
--- /dev/null
+++ b/charts/vaas/scanner/templates/deployment.yaml
@@ -0,0 +1,110 @@ +{{- if or (.Values.persistence.enabled | not) (eq .Values.persistence.accessMode "ReadWriteMany" ) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "scanner.fullname" . }} + labels: + {{- include "scanner.labels" . | nindent 4 }} +spec: + strategy: + type: {{ .Values.deploymentStrategy }} + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "scanner.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "scanner.selectorLabels" . | nindent 8 }} + spec: + volumes: + - name: samples + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ include "vaas.claimName" . }} + {{- else }} + emptyDir: + sizeLimit: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.memory }} + medium : "Memory" + {{- end }} + {{- end }} + - name: scan-socket + emptyDir: {} + {{- if .Values.client.containerSecurityContext.enabled }} + - name: client-tmp + emptyDir: {} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + containers: + - name: {{ .Values.server.name }} + env: + - name: date + value: "{{ now | unixEpoch }}" + image: '{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}' + imagePullPolicy: {{ .Values.server.image.pullPolicy }} + volumeMounts: + - name: samples + mountPath: /tmp/scan + - name: scan-socket + mountPath: /var/share/run + - name: server-var-log + mountPath: /var/log + resources: + {{- toYaml .Values.resources.server | nindent 12 }} + - name: {{ .Values.client.name }} + image: '{{ .Values.client.image.repository }}:{{ .Values.client.image.tag | default "latest" }}' + imagePullPolicy: {{ .Values.client.image.pullPolicy }} + {{- if .Values.client.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.client.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + - name: samples + mountPath: /tmp/scan + - name: scan-socket + mountPath: /var/share/run + {{- if .Values.client.containerSecurityContext.enabled }} + - name: client-tmp + mountPath: /tmp + {{- end }} + resources: + {{- toYaml .Values.resources.client | nindent 12 }} + ports: + - name: api + containerPort: 8080 + protocol: TCP + livenessProbe: + httpGet: + path: /health + port: api + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + httpGet: + path: /health + port: api + initialDelaySeconds: 5 + periodSeconds: 5 + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/vaas/scanner/templates/hpa.yaml b/charts/vaas/scanner/templates/hpa.yaml new file mode 100644 index 0000000..fa14358 --- /dev/null 
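Review bot: The server container mounts a volume named `server-var-log` at `/var/log`, but the pod's `volumes:` list declares only `samples`, `scan-socket` and the conditional `client-tmp`, so the API server rejects this Deployment as invalid (a volumeMount must reference a declared volume) whenever this branch renders, i.e. with persistence disabled or `accessMode: ReadWriteMany`. The statefulset hunk declares `server-var-log` as an `emptyDir` gated on `server.containerSecurityContext.enabled` and gives the server container a matching `securityContext:`; mirror both here, since the Deployment currently hardens the server container not at all while the StatefulSet does. The server and client images also fall back to `"latest"` here but to `.Chart.AppVersion` in the StatefulSet; pick one, and prefer a pinned tag over a mutable `latest`.
```yaml
      volumes:
        # … unchanged: samples, scan-socket, client-tmp …
        {{- if .Values.server.containerSecurityContext.enabled }}
        - name: server-var-log
          emptyDir: {}
        {{- end }}
      # … unchanged: imagePullSecrets …
      containers:
        - name: {{ .Values.server.name }}
          # … unchanged: env, image, imagePullPolicy …
          {{- if .Values.server.containerSecurityContext.enabled }}
          securityContext: {{- omit .Values.server.containerSecurityContext "enabled" | toYaml | nindent 12 }}
          {{- end }}
          volumeMounts:
            # … unchanged: samples, scan-socket …
            {{- if .Values.server.containerSecurityContext.enabled }}
            - name: server-var-log
              mountPath: /var/log
            {{- end }}
```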
+++ b/charts/vaas/scanner/templates/hpa.yaml @@ -0,0 +1,30 @@ +{{- if and .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "scanner.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "scanner.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + {{- if and (.Values.persistence.enabled) (eq .Values.persistence.accessMode "ReadWriteOnce" ) }} + kind: StatefulSet + {{- else }} + kind: Deployment + {{- end }} + name: {{ include "scanner.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + {{- if .Values.autoscaling.metrics }} + metrics: {{- toYaml .Values.autoscaling.metrics | nindent 4 }} + {{- else }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/vaas/scanner/templates/ingress.yaml b/charts/vaas/scanner/templates/ingress.yaml new file mode 100644 index 0000000..789415a --- /dev/null +++ b/charts/vaas/scanner/templates/ingress.yaml 
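Review bot: `{{- if and .Values.autoscaling.enabled }}` passes a single operand to `and`, which simply returns that operand — it works, but reads as if a second condition was lost; write `{{- if .Values.autoscaling.enabled }}` as the gateway hpa does. The fallback metric reads `.Values.autoscaling.targetCPU`, whereas the gateway hpa reads `targetCPUUtilizationPercentage`; values.yaml is outside this chunk, so confirm both keys exist or unify them on one name. `namespace: {{ .Release.Namespace | quote }}` is set here, on the PVC and on the Secret but on none of the other scanner resources — harmless, but inconsistent.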
@@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "scanner.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "scanner.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} 
diff --git a/charts/vaas/scanner/templates/pvc.yaml b/charts/vaas/scanner/templates/pvc.yaml new file mode 100644 index 0000000..133ed72 --- /dev/null +++ b/charts/vaas/scanner/templates/pvc.yaml @@ -0,0 +1,16 @@ +{{- if and (.Values.persistence.enabled) (eq .Values.persistence.accessMode "ReadWriteMany" ) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "scanner.selectorLabels" . | nindent 4 }} +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) | nindent 2 }} +{{- end }} \ No newline at end of file diff --git a/charts/vaas/scanner/templates/secret.yaml b/charts/vaas/scanner/templates/secret.yaml new file mode 100644 index 0000000..48fd329 --- /dev/null +++ b/charts/vaas/scanner/templates/secret.yaml @@ -0,0 +1,10 @@ +{{- if .Values.imagePullSecrets }} +apiVersion: v1 +kind: Secret +metadata: + name: scannerregistry + namespace: {{ .Release.Namespace }} +data: + .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" .Values.secret.dockerconfigjson }} +type: kubernetes.io/dockerconfigjson +{{- end -}} \ No newline at end of file diff --git a/charts/vaas/scanner/templates/service.yaml b/charts/vaas/scanner/templates/service.yaml new file mode 100644 index 0000000..9bb8842 --- /dev/null +++ b/charts/vaas/scanner/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "scanner.fullname" . }} + labels: + {{- include "scanner.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: api + protocol: TCP + name: http + selector: + {{- include "scanner.selectorLabels" . | nindent 4 }} 
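Review bot: `secret.yaml` renders whenever `imagePullSecrets` is non-empty and then `required`-fails unless `.Values.secret.dockerconfigjson` is also set, so a user who points `imagePullSecrets` at a pull secret they already manage cannot render the chart at all, and the Secret's name `scannerregistry` is hard-coded with no link to the names listed in `imagePullSecrets`. Gate it on its own value (e.g. `{{- if .Values.secret.dockerconfigjson }}`) or an `existingSecret` switch, and derive the name from the release (`{{ include "scanner.fullname" . }}-registry`) so two releases in one namespace do not overwrite each other's credential. The value goes under `data:`, which the API expects to be base64 already — document that in values.yaml, or use `stringData:` with the raw JSON so the credential is never double-encoded or rejected. Supporting an existing-secret reference is also what keeps the registry credential out of values files that get committed.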
diff --git a/charts/vaas/scanner/templates/serviceaccount.yaml b/charts/vaas/scanner/templates/serviceaccount.yaml new file mode 100644 index 0000000..8c8cd06 --- /dev/null +++ b/charts/vaas/scanner/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "vaas-helm.serviceAccountName" . }} + labels: + {{- include "vaas-helm.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/vaas/scanner/templates/servicemonitor.yaml b/charts/vaas/scanner/templates/servicemonitor.yaml new file mode 100644 index 0000000..ffa1813 --- /dev/null +++ b/charts/vaas/scanner/templates/servicemonitor.yaml @@ -0,0 +1,15 @@ +{{- if .Values.metrics.servicemonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "scanner.fullname" . }} + labels: + {{- include "scanner.labels" . | nindent 4 }} +spec: + endpoints: + - port: {{ .Values.metrics.servicemonitor.port | quote }} + path: {{ .Values.metrics.servicemonitor.path }} + selector: + matchLabels: + {{- include "scanner.selectorLabels" . | nindent 8 }} +{{- end }} \ No newline at end of file diff --git a/charts/vaas/scanner/templates/statefulset.yaml b/charts/vaas/scanner/templates/statefulset.yaml new file mode 100644 index 0000000..dd0653e --- /dev/null +++ b/charts/vaas/scanner/templates/statefulset.yaml 
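Review bot: `serviceaccount.yaml` calls `vaas-helm.serviceAccountName` and `vaas-helm.labels`, which exist only in `gateway/templates/_helpers.tpl`; the scanner helpers define `scanner.*`, so rendering the scanner on its own fails on an undefined template, and the scanner's `tests/test-connection.yaml` carries the same copy-pasted `vaas-helm.*` references. Rename these to `scanner.labels` and add a `scanner.serviceAccountName` define next to the other `scanner.*` helpers. Separately, neither the scanner Deployment nor the StatefulSet sets `serviceAccountName`, so the account this file creates is never referenced by any pod; wire `serviceAccountName: {{ include "scanner.serviceAccountName" . }}` into both pod specs. The servicemonitor hunk is fine, though the `matchLabels` content at `nindent 8` under a key at indent 4 is deeper than it needs to be.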
@@ -0,0 +1,120 @@ +{{- if and (.Values.persistence.enabled) (eq .Values.persistence.accessMode "ReadWriteOnce" ) }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "scanner.fullname" . }} + labels: + {{- include "scanner.labels" . | nindent 4 }} +spec: + serviceName: {{ include "scanner.fullname" . }} + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "scanner.selectorLabels" . | nindent 6 }} + volumeClaimTemplates: + - metadata: + name: samples + spec: + accessModes: [ "ReadWriteOnce" ] + {{- include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) | nindent 8 }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "scanner.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + volumes: + - name: server-tmp + emptyDir: {} + - name: scan-socket + emptyDir: {} + {{- if .Values.client.containerSecurityContext.enabled }} + - name: client-tmp + emptyDir: {} + {{- end }} + {{- if .Values.server.containerSecurityContext.enabled }} + - name: server-var-log + emptyDir: {} + {{- end }} + containers: + - name: {{ .Values.server.name }} + env: + - name: date + value: "{{ now | unixEpoch }}" + image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.server.image.pullPolicy }} + {{- if .Values.server.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.server.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + - name: server-tmp + mountPath: /tmp + - name: samples + mountPath: /tmp/scan + - name: scan-socket + mountPath: /var/share/run + {{- if .Values.server.containerSecurityContext.enabled }} + - name: server-var-log + mountPath: /var/log + {{- end }} + resources: + {{- toYaml .Values.resources.server | nindent 12 }} + - name: {{ .Values.client.name }} + image: "{{ .Values.client.image.repository }}:{{ .Values.client.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.client.image.pullPolicy }} + {{- if .Values.client.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.client.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + - name: samples + mountPath: /tmp/scan + - name: scan-socket + mountPath: /var/share/run + {{- if .Values.client.containerSecurityContext.enabled }} + - name: client-tmp + mountPath: /tmp + {{- end }} + resources: + {{- toYaml .Values.resources.client | nindent 12 }} + ports: + - name: api + containerPort: 8080 + protocol: TCP + livenessProbe: + httpGet: + path: /health + port: api + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + httpGet: + path: /health + port: api + 
initialDelaySeconds: 5 + periodSeconds: 5 + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/vaas/scanner/templates/tests/test-connection.yaml b/charts/vaas/scanner/templates/tests/test-connection.yaml new file mode 100644 index 0000000..485515b --- /dev/null +++ b/charts/vaas/scanner/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "vaas-helm.fullname" . }}-test-connection" + labels: + {{- include "vaas-helm.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "vaas-helm.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/charts/vaas/scanner/templates/update.yaml b/charts/vaas/scanner/templates/update.yaml new file mode 100644 index 0000000..0de826d --- /dev/null +++ b/charts/vaas/scanner/templates/update.yaml 
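Review bot: The StatefulSet renders only for `persistence.enabled` with `accessMode: ReadWriteOnce`, and the Deployment only for persistence off or `ReadWriteMany`, so any other value (`ReadOnlyMany`, `ReadWriteOncePod`, a typo) silently yields no workload at all; add a render-time guard in `_helpers.tpl` or NOTES.txt such as `{{- fail (printf "unsupported persistence.accessMode %q" .Values.persistence.accessMode) }}` for the uncovered combinations. The `date` env var set to `{{ now | unixEpoch }}` changes the pod template on every `helm upgrade` and therefore forces a rolling restart of every scanner pod even when nothing else changed; if that is the intended "always restart" behaviour, a comment saying so would keep someone from removing it, and if not it should go. The server container here gets a `securityContext` and a `server-tmp` emptyDir for /tmp that the Deployment copy omits, so the two code paths harden the same process differently.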
@@ -0,0 +1,94 @@ +{{- if .Values.autoUpdate.enabled -}} +kind: ServiceAccount +apiVersion: v1 +metadata: + name: update + namespace: "{{ .Release.Namespace }}" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: update + namespace: "{{ .Release.Namespace }}" +rules: + - apiGroups: ["apps", "extensions"] + resources: ["deployments", "statefulsets"] + resourceNames: [{{ include "scanner.fullname" . }}] + verbs: + ["get", "patch", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: update + namespace: "{{ .Release.Namespace }}" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: update +subjects: + - kind: ServiceAccount + name: update + namespace: "{{ .Release.Namespace }}" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: update + namespace: "{{ .Release.Namespace }}" +spec: + startingDeadlineSeconds: 300 + successfulJobsHistoryLimit: 1 + failedJobsHistoryLimit: 1 + concurrencyPolicy: Forbid + schedule: "{{ .Values.autoUpdate.schedule }}" + jobTemplate: + spec: + backoffLimit: 2 + activeDeadlineSeconds: 600 + template: + metadata: + labels: + app.kubernetes.io/name: update + app.kubernetes.io/namespace: "{{ .Release.Namespace }}" + spec: + serviceAccountName: update + restartPolicy: Never + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 12 }} + {{- end }} + containers: + - name: kubectl + image: "{{ .Values.autoUpdate.image.registry }}/{{ .Values.autoUpdate.image.repository }}:{{ .Values.autoUpdate.image.tag }}" + {{- if .Values.autoUpdate.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.autoUpdate.containerSecurityContext "enabled" | toYaml | nindent 16 }} + {{- end }} + command: + - "kubectl" + - "rollout" + - "restart" +{{- if and (.Values.persistence.enabled) (eq .Values.persistence.accessMode "ReadWriteOnce" ) }} + - "statefulset/{{ include "scanner.fullname" . 
}}" +{{- else }} + - "deployment/{{ include "scanner.fullname" . }}" +{{- end }} +{{- if .Values.autoUpdate.networkPolicy.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: "{{ .Release.Name }}-update" +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: update + app.kubernetes.io/namespace: {{ .Release.Namespace }} + policyTypes: + - Egress + ingress: [] + egress: + - ports: + - port: {{ .Values.autoUpdate.networkPolicy.k8sApiPort }} +{{- end }} +{{- end}} \ No newline at end of file diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml new file mode 100644 index 0000000..177f2a6 --- /dev/null +++ b/charts/vaas/values.yaml 
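Review bot: The ServiceAccount, Role, RoleBinding and CronJob all use the fixed `name: update`, so two releases of this chart in one namespace collide and the shared RoleBinding ends up bound to whichever Role was written last; derive the names from the release, e.g. `name: {{ include "scanner.fullname" . }}-update` (the fullname is already used in `resourceNames`). The NetworkPolicy egress rule lists only `port: {{ .Values.autoUpdate.networkPolicy.k8sApiPort }}` with no `to:` block, so it permits that port toward any destination, which is looser than the API-server-only intent the value name suggests; a `to:` entry with the API server address from values would tighten it. `app.kubernetes.io/namespace: {{ .Release.Namespace }}` in the podSelector is unquoted while the same label on the CronJob template is quoted; quote both so a numeric-looking namespace does not change type.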
@@ -0,0 +1,99 @@ +replicaCount: 1 +deploymentStrategy: "Recreate" +server: + name: server + image: + repository: ghcr.io/gdatasoftwareag/scanserver + pullPolicy: Always + tag: 1.8.0 + containerSecurityContext: + enabled: false +client: + name: client + image: + repository: ghcr.io/gdatasoftwareag/scanclient + pullPolicy: Always + tag: 1.8.0 + containerSecurityContext: + enabled: false +terminationGracePeriodSeconds: 30 + +imagePullSecrets: + - name: scannerregistry + +nameOverride: "" +fullnameOverride: "" + +podAnnotations: {} + +secret: + dockerconfigjson: "" + +service: + type: "" + port: 8080 + +metrics: + servicemonitor: + enabled: false + port: 8080 + path: /metrics + +ingress: + enabled: false + className: "" + annotations: {} + hosts: + - host: scanner.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + +resources: + server: + limits: + memory: 2Gi + requests: + cpu: 2 + memory: 2Gi + client: + limits: + memory: 128Mi + requests: + cpu: 1 + memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPU: 75 + metrics: + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +persistence: + enabled: false + accessMode: ReadWriteOnce + memory: false + size: 5Gi + storageClass: "" + +autoUpdate: + image: + registry: docker.io + repository: bitnami/kubectl + tag: latest + containerSecurityContext: + enabled: false + enabled: true + # every hour + schedule: "0 * * * *" + networkPolicy: + enabled: true + k8sApiPort: 6443 From a23689c97d0e7dccf18e85e674c446365b9dd8ee Mon Sep 17 00:00:00 2001 
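Review bot: `autoUpdate.image.tag: latest` lets the CronJob, which holds `patch` on the release's Deployment/StatefulSet through update.yaml, run whatever `bitnami/kubectl:latest` resolves to at each schedule; pin it to a fixed version (`tag: "<pinned kubectl version>"`) and consider a digest. `autoscaling.metrics:` is a bare key and parses as null rather than an empty list, so any template that ranges over it needs a nil guard, or the default should be `metrics: []`. `server.image.tag: 1.8.0` and `client.image.tag: 1.8.0` are safe as plain scalars today, but a future `1.10` would parse as a float, so quoting tags (`tag: "1.8.0"`) is the safer convention.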
From: Lennart Dohmann Date: Thu, 30 Nov 2023 16:15:30 +0100 Subject: [PATCH 02/25] WIP add deployment for gateway --- .gitignore | 2 + charts/vaas/gateway/templates/_helpers.tpl | 34 +++++++--- charts/vaas/gateway/templates/deployment.yaml | 65 ++++++++++++------- charts/vaas/gateway/templates/hpa.yaml | 6 +- charts/vaas/gateway/templates/ingress.yaml | 4 +- charts/vaas/gateway/templates/service.yaml | 6 +- .../gateway/templates/serviceaccount.yaml | 4 +- .../templates/tests/test-connection.yaml | 15 ----- 8 files changed, 79 insertions(+), 57 deletions(-) delete mode 100644 charts/vaas/gateway/templates/tests/test-connection.yaml diff --git a/.gitignore b/.gitignore index e69de29..0a95508 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,2 @@ +.idea/ +.vscode/ \ No newline at end of file diff --git a/charts/vaas/gateway/templates/_helpers.tpl b/charts/vaas/gateway/templates/_helpers.tpl index 8ed8047..e2226b5 100644 --- a/charts/vaas/gateway/templates/_helpers.tpl +++ b/charts/vaas/gateway/templates/_helpers.tpl @@ -1,7 +1,7 @@ {{/* Expand the name of the chart. */}} -{{- define "vaas-helm.name" -}} +{{- define "gateway.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} @@ -10,7 +10,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "vaas-helm.fullname" -}} +{{- define "gateway.fullname" -}} {{- if .Values.fullnameOverride }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} 
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "vaas-helm.chart" -}} +{{- define "gateway.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "vaas-helm.labels" -}} -helm.sh/chart: {{ include "vaas-helm.chart" . }} -{{ include "vaas-helm.selectorLabels" . }} +{{- define "gateway.labels" -}} +helm.sh/chart: {{ include "gateway.chart" . }} +{{ include "gateway.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} @@ -45,18 +45,32 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{/* Selector labels */}} -{{- define "vaas-helm.selectorLabels" -}} -app.kubernetes.io/name: {{ include "vaas-helm.name" . }} +{{- define "gateway.selectorLabels" -}} +app.kubernetes.io/name: {{ include "gateway.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* Create the name of the service account to use */}} -{{- define "vaas-helm.serviceAccountName" -}} +{{- define "gateway.serviceAccountName" -}} {{- if .Values.serviceAccount.create }} -{{- default (include "vaas-helm.fullname" .) .Values.serviceAccount.name }} +{{- default (include "gateway.fullname" .) .Values.serviceAccount.name }} {{- else }} {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} + +{{/* +Extracts environment variables from values.yaml and returns a list of key-value pairs. +*/}} +{{- define "gateway.extractEnvVars" -}} + {{- $envVars := .Values.env | default (list) -}} + {{- $result := list -}} + {{- range $envVars -}} + {{- $key := .name -}} + {{- $value := .value -}} + {{- $result = $result | append (list $key $value) -}} + {{- end -}} + {{- $result -}} +{{- end -}} 
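Review bot: `gateway.extractEnvVars` ends with `{{- $result -}}`, and `include` always returns a string, so the caller in deployment.yaml, `{{- range $key, $value := include "gateway.extractEnvVars" . }}`, tries to range over a string, which Go templates reject at render time (and `$result` is a list of two-element lists, not a map, so `$key` would be an index even if it were iterable). Iterating the values directly is simpler and correct: `{{- range .Values.env }}` / `- name: {{ .name }}` / `value: {{ .value | quote }}`, after which the helper can be dropped. The statefulset.yaml added later in this series copies the same range and needs the same fix.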
diff --git a/charts/vaas/gateway/templates/deployment.yaml b/charts/vaas/gateway/templates/deployment.yaml index 8cb09d7..15f2133 100644 --- a/charts/vaas/gateway/templates/deployment.yaml +++ b/charts/vaas/gateway/templates/deployment.yaml @@ -1,16 +1,18 @@ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: - name: {{ include "vaas-helm.fullname" . }} + name: {{ include "gateway.fullname" . }} labels: - {{- include "vaas-helm.labels" . | nindent 4 }} + {{- include "gateway.labels" . | nindent 4 }} spec: + serviceName: {{ include "gateway.fullname" . }} {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} selector: matchLabels: - {{- include "vaas-helm.selectorLabels" . | nindent 6 }} + {{- include "gateway.selectorLabels" . | nindent 6 }} template: metadata: {{- with .Values.podAnnotations }} 
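Review bot: `revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}` references a key that charts/vaas/values.yaml, added in the previous patch of this series, does not define, so the field renders empty and becomes null; either add the key to values.yaml or guard the line with `{{- with .Values.revisionHistoryLimit }}`. Changing `kind` to StatefulSet also leaves hpa.yaml's `scaleTargetRef` pointing at `kind: Deployment`, so autoscaling would target a resource that no longer exists; the two files need to agree on the workload kind.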
@@ -18,35 +20,54 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} labels: - {{- include "vaas-helm.selectorLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ include "vaas-helm.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + volumes: + {{- if .Values.gateway.auth.enabled }} + - name: gateway-extra-appsettings + configMap: + name: gateway-extra-appsettings + items: + - key: "appsettings.{{ .Release.Name }}.json" + path: "appsettings.{{ .Release.Name }}.json" + {{- end }} + {{- if .Values.gateway.containerSecurityContext.enabled }} + - name: gateway-tmp + emptyDir: {} + {{- end }} containers: - - name: {{ .Chart.Name }} + - name: {{ include "gateway.name" . }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }} + image: '{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag | default "latest" }}' + imagePullPolicy: {{ .Values.gateway.image.pullPolicy }} + {{- if .Values.gateway.auth.enabled }} + volumeMounts: + - mountPath: "/data/appsettings.{{ .Release.Name }}.json" + subPath: "appsettings.{{ .Release.Name }}.json" + name: gateway-extra-appsettings + - mountPath: /tmp + name: gateway-temp + {{- end }} + env: + {{- range $key, $value := include "gateway.extractEnvVars" . 
}} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} ports: + - name: ws + containerPort: 9090 + protocol: TCP - name: http - containerPort: 80 + containerPort: 8080 protocol: TCP - livenessProbe: - httpGet: - path: / - port: http - readinessProbe: - httpGet: - path: / - port: http resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml .Values.gateway.resources | nindent 12 }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/vaas/gateway/templates/hpa.yaml b/charts/vaas/gateway/templates/hpa.yaml index 64e2c1c..3ed01ea 100644 --- a/charts/vaas/gateway/templates/hpa.yaml +++ b/charts/vaas/gateway/templates/hpa.yaml @@ -2,14 +2,14 @@ apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: - name: {{ include "vaas-helm.fullname" . }} + name: {{ include "gateway.fullname" . }} labels: - {{- include "vaas-helm.labels" . | nindent 4 }} + {{- include "gateway.labels" . | nindent 4 }} spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ include "vaas-helm.fullname" . }} + name: {{ include "gateway.fullname" . }} minReplicas: {{ .Values.autoscaling.minReplicas }} maxReplicas: {{ .Values.autoscaling.maxReplicas }} metrics: diff --git a/charts/vaas/gateway/templates/ingress.yaml b/charts/vaas/gateway/templates/ingress.yaml index 872a307..6a8e07b 100644 --- a/charts/vaas/gateway/templates/ingress.yaml +++ b/charts/vaas/gateway/templates/ingress.yaml @@ -1,5 +1,5 @@ {{- if .Values.ingress.enabled -}} -{{- $fullName := include "vaas-helm.fullname" . -}} +{{- $fullName := include "gateway.fullname" . -}} {{- $svcPort := .Values.service.port -}} {{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} 
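Review bot: The volumeMount `name: gateway-temp` has no matching volume — the emptyDir is declared as `gateway-tmp`, and only when `containerSecurityContext.enabled` is true, while the mount is emitted under `auth.enabled` — so the Pod is rejected whenever the toggles differ; rename the mount to `name: gateway-tmp` and gate both under the same condition. `securityContext: {{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }}` also copies the chart's own `enabled` key into the container SecurityContext, which is not a valid field there; the scanner templates use `omit ... "enabled"` for the same purpose and this should match. The liveness and readiness probes are removed with no replacement, so a gateway that fails to start keeps receiving Service traffic; if the old `/` path was wrong, the correct probe path should be configured rather than dropping the probes. The same volume-name and securityContext issues recur in statefulset.yaml introduced by the next patch in this series.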
@@ -17,7 +17,7 @@ kind: Ingress metadata: name: {{ $fullName }} labels: - {{- include "vaas-helm.labels" . | nindent 4 }} + {{- include "gateway.labels" . | nindent 4 }} {{- with .Values.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/vaas/gateway/templates/service.yaml b/charts/vaas/gateway/templates/service.yaml index cedd79d..1a931f2 100644 --- a/charts/vaas/gateway/templates/service.yaml +++ b/charts/vaas/gateway/templates/service.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "vaas-helm.fullname" . }} + name: {{ include "gateway.fullname" . }} labels: - {{- include "vaas-helm.labels" . | nindent 4 }} + {{- include "gateway.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -12,4 +12,4 @@ spec: protocol: TCP name: http selector: - {{- include "vaas-helm.selectorLabels" . | nindent 4 }} + {{- include "gateway.selectorLabels" . | nindent 4 }} diff --git a/charts/vaas/gateway/templates/serviceaccount.yaml b/charts/vaas/gateway/templates/serviceaccount.yaml index 8c8cd06..e355a88 100644 --- a/charts/vaas/gateway/templates/serviceaccount.yaml +++ b/charts/vaas/gateway/templates/serviceaccount.yaml @@ -2,9 +2,9 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "vaas-helm.serviceAccountName" . }} + name: {{ include "gateway.serviceAccountName" . }} labels: - {{- include "vaas-helm.labels" . | nindent 4 }} + {{- include "gateway.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/vaas/gateway/templates/tests/test-connection.yaml b/charts/vaas/gateway/templates/tests/test-connection.yaml deleted file mode 100644 index 485515b..0000000 --- a/charts/vaas/gateway/templates/tests/test-connection.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "vaas-helm.fullname" . }}-test-connection" - labels: - {{- include "vaas-helm.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": test -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "vaas-helm.fullname" . }}:{{ .Values.service.port }}'] - restartPolicy: Never From 1d4d5e1eabe004d11d726ba514496e274bcef6a0 Mon Sep 17 00:00:00 2001 From: Kevin Heise Date: Fri, 1 Dec 2023 11:22:06 +0100 Subject: [PATCH 03/25] add ingress sts and np --- charts/vaas/gateway/templates/deployment.yaml | 7 +- charts/vaas/gateway/templates/ingress.yaml | 45 ++++--- .../vaas/gateway/templates/networkpolicy.yaml | 114 ++++++++++++++++++ charts/vaas/gateway/templates/service.yaml | 10 +- .../vaas/gateway/templates/statefulset.yaml | 84 +++++++++++++ charts/vaas/values.yaml | 13 ++ 6 files changed, 243 insertions(+), 30 deletions(-) create mode 100644 charts/vaas/gateway/templates/networkpolicy.yaml create mode 100644 charts/vaas/gateway/templates/statefulset.yaml diff --git a/charts/vaas/gateway/templates/deployment.yaml b/charts/vaas/gateway/templates/deployment.yaml index 15f2133..1511812 100644 --- a/charts/vaas/gateway/templates/deployment.yaml +++ b/charts/vaas/gateway/templates/deployment.yaml @@ -1,5 +1,6 @@ +{{- if .Values.gateway.ws.enabled | not }} apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: name: {{ include "gateway.fullname" . }} labels: @@ -60,9 +61,6 @@ spec: value: {{ $value | quote }} {{- end }} ports: - - name: ws - containerPort: 9090 - protocol: TCP - name: http containerPort: 8080 protocol: TCP @@ -80,3 +78,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} +{{- end }} diff --git a/charts/vaas/gateway/templates/ingress.yaml b/charts/vaas/gateway/templates/ingress.yaml index 6a8e07b..498bc81 100644 --- a/charts/vaas/gateway/templates/ingress.yaml +++ b/charts/vaas/gateway/templates/ingress.yaml 
@@ -1,9 +1,8 @@ -{{- if .Values.ingress.enabled -}} +{{- if .Values.gateway.ingress.enabled -}} {{- $fullName := include "gateway.fullname" . -}} -{{- $svcPort := .Values.service.port -}} -{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} +{{- if and .Values.gateway.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.gateway.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.gateway.ingress.annotations "kubernetes.io/ingress.class" .Values.gateway.ingress.className}} {{- end }} {{- end }} {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} 
@@ -18,44 +17,42 @@ metadata: name: {{ $fullName }} labels: {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} + {{- with .Values.gateway.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} + {{- if and .Values.gateway.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.gateway.ingress.className }} {{- end }} - {{- if .Values.ingress.tls }} + {{- if .Values.gateway.ingress.tls }} tls: - {{- range .Values.ingress.tls }} + {{- range .Values.gateway.ingress.tls }} - hosts: - {{- range .hosts }} + {{- range .Values.gateway.ingress.hosts }} - {{ . | quote }} {{- end }} - secretName: {{ .secretName }} + secretName: {{ .Values.gateway.ingress.secretName }} {{- end }} {{- end }} rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} + {{- range .Values.gateway.ingress.hosts }} + - host: {{ .Values.gateway.ingress.host | quote }} http: paths: - {{- range .paths }} - - path: {{ .path }} + - path: {{ .Values.gateway.ingress.hosts.path }} {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} - pathType: {{ .pathType }} + pathType: {{ .Values.gateway.ingress.hosts.pathtype }} {{- end }} backend: {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} service: - name: {{ $fullName }} + name: {{ .Values.gateway.ingress.hosts.service.name }} port: - number: {{ $svcPort }} + number: {{ .Values.gateway.ingress.hosts.service.port }} {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} - {{- end }} - {{- end }} + serviceName: {{ .Values.gateway.ingress.hosts.service.name }} + servicePort: {{ .Values.gateway.ingress.hosts.service.port }} + {{- end }} + {{- end }} {{- end }} 
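Review bot: Inside `{{- range .Values.gateway.ingress.hosts }}` the dot is rebound to the list item, so `.Values.gateway.ingress.host`, `.Values.gateway.ingress.hosts.path` and the `.Values.gateway.ingress.hosts.service.*` references cannot resolve (`hosts` is a sequence, and the item has no `Values` field); rendering fails as soon as `gateway.ingress.enabled` is true. The `tls` block has the same problem: it ranges over `.Values.gateway.ingress.tls` and then reads `.Values.gateway.ingress.hosts` and `.secretName` from the wrong scope. Read per-host fields from the item and reach the root with `$` where chart-wide values are needed; the rewrite below uses the `name` and `service.name`/`service.port` keys that the values.yaml hunk in this patch defines per host, and keeps `path`/`pathType` as per-host keys that values.yaml would still need to provide.
```yaml
  # … unchanged: tls block (needs the same $-scoping fix) …
  rules:
    {{- range .Values.gateway.ingress.hosts }}
    - host: {{ .name | quote }}
      http:
        paths:
          - path: {{ .path }}
            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
            pathType: {{ .pathType }}
            {{- end }}
            backend:
              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
              service:
                name: {{ .service.name }}
                port:
                  number: {{ .service.port }}
              {{- else }}
              serviceName: {{ .service.name }}
              servicePort: {{ .service.port }}
              {{- end }}
    {{- end }}
```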
diff --git a/charts/vaas/gateway/templates/networkpolicy.yaml b/charts/vaas/gateway/templates/networkpolicy.yaml new file mode 100644 index 0000000..1bd2341 --- /dev/null +++ b/charts/vaas/gateway/templates/networkpolicy.yaml 
@@ -0,0 +1,114 @@ +{{- if .Values.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "default-service.fullname" . }} + labels: + {{- include "default-service.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "default-service.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.ingress }} + ingress: + {{- range .Values.networkPolicy.ingress }} + - from: + {{- range .blocks }} + - ipBlock: + cidr: {{ . }} + {{- end }} + {{- range .pods }} + - podSelector: + matchLabels: + {{- with .instance }} + app.kubernetes.io/instance: {{ . }} + {{ end }} + {{- with .name }} + app.kubernetes.io/name: {{ . }} + {{ end }} + {{- if .namespace }} + namespaceSelector: {{ .namespace }} + {{- else }} + namespaceSelector: {} + {{- end }} + {{- end }} + {{- range .namespaces }} + - namespaceSelector: {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .ports }} + ports: + {{- range .ports.tcp }} + - protocol: TCP + port: {{ . }} + {{- end }} + {{- range .ports.udp }} + - protocol: UDP + port: {{ . }} + {{- end }} + {{- end }} + {{ end }} + {{- end }} + egress: + - to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - to: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: otel-agent + ports: + - port: 6831 + protocol: UDP + - to: + # sentry.gdata.de + - ipBlock: + cidr: 194.156.84.16/32 + ports: + - port: 443 + protocol: TCP + {{ range .Values.networkPolicy.egress }} + - to: + {{- range .blocks }} + - ipBlock: + cidr: {{ . }} + {{- end }} + {{- range .pods }} + - podSelector: + matchLabels: + {{- with .instance }} + app.kubernetes.io/instance: {{ . }} + {{ end }} + {{- with .name }} + app.kubernetes.io/name: {{ . 
}} + {{ end }} + {{- if .namespace }} + namespaceSelector: {{ .namespace }} + {{- else }} + namespaceSelector: {} + {{- end }} + {{- end }} + {{- range .namespaces }} + - namespaceSelector: {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .ports }} + ports: + {{- range .ports.tcp }} + - protocol: TCP + port: {{ . }} + {{- end }} + {{- range .ports.udp }} + - protocol: UDP + port: {{ . }} + {{- end }} + {{- end }} + {{ end }} +{{- end }} diff --git a/charts/vaas/gateway/templates/service.yaml b/charts/vaas/gateway/templates/service.yaml index 1a931f2..140fa30 100644 --- a/charts/vaas/gateway/templates/service.yaml +++ b/charts/vaas/gateway/templates/service.yaml @@ -5,11 +5,17 @@ metadata: labels: {{- include "gateway.labels" . | nindent 4 }} spec: - type: {{ .Values.service.type }} + type: {{ .Values.gateway.service.type }} ports: - - port: {{ .Values.service.port }} + - port: {{ .Values.gateway.service.http.port }} targetPort: http protocol: TCP name: http + {{- if .Values.gateway.ws.enabled }} + - port: {{ .Values.gateway.service.ws.port }} + targetPort: ws + protocol: TCP + name: ws + {{- end }} selector: {{- include "gateway.selectorLabels" . | nindent 4 }} diff --git a/charts/vaas/gateway/templates/statefulset.yaml b/charts/vaas/gateway/templates/statefulset.yaml new file mode 100644 index 0000000..1be9399 --- /dev/null +++ b/charts/vaas/gateway/templates/statefulset.yaml 
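Review bot: `include "default-service.fullname"`, `"default-service.labels"` and `"default-service.selectorLabels"` are not defined in this chart's helpers, which define the `gateway.*` names, so the template fails to render when `networkPolicy.enabled` is true; use `include "gateway.fullname" .` and the matching `gateway.labels`/`gateway.selectorLabels`. The egress section hard-codes destinations (`k8s-app: kube-dns`, `app.kubernetes.io/name: otel-agent`, the `194.156.84.16/32` ipBlock) that belong to one environment; moving them into values keeps the chart portable and makes the allowed destinations reviewable in one place. `namespaceSelector: {{ .namespace }}` will print a map value in Go syntax rather than YAML; `namespaceSelector: {{- toYaml .namespace | nindent 10 }}`, as already done for `.namespaces`, would be consistent.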
@@ -0,0 +1,84 @@ +{{- if .Values.gateway.ws.enabled }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "gateway.fullname" . }} + labels: + {{- include "gateway.labels" . | nindent 4 }} +spec: + serviceName: {{ include "gateway.fullname" . }} + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + volumes: + {{- if .Values.gateway.auth.enabled }} + - name: gateway-extra-appsettings + configMap: + name: gateway-extra-appsettings + items: + - key: "appsettings.{{ .Release.Name }}.json" + path: "appsettings.{{ .Release.Name }}.json" + {{- end }} + {{- if .Values.gateway.containerSecurityContext.enabled }} + - name: gateway-tmp + emptyDir: {} + {{- end }} + containers: + - name: {{ include "gateway.name" . }} + securityContext: + {{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }} + image: '{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag | default "latest" }}' + imagePullPolicy: {{ .Values.gateway.image.pullPolicy }} + {{- if .Values.gateway.auth.enabled }} + volumeMounts: + - mountPath: "/data/appsettings.{{ .Release.Name }}.json" + subPath: "appsettings.{{ .Release.Name }}.json" + name: gateway-extra-appsettings + - mountPath: /tmp + name: gateway-temp + {{- end }} + env: + {{- range $key, $value := include "gateway.extractEnvVars" . 
}} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + ports: + - name: ws + containerPort: 9090 + protocol: TCP + - name: http + containerPort: 8080 + protocol: TCP + resources: + {{- toYaml .Values.gateway.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml index 177f2a6..996d7c5 100644 --- a/charts/vaas/values.yaml +++ b/charts/vaas/values.yaml @@ -97,3 +97,16 @@ autoUpdate: networkPolicy: enabled: true k8sApiPort: 6443 + +# values.yaml +ingress: + hosts: + - name: host1.example.com + service: + name: service1 + port: 8080 + - name: host2.example.com + service: + name: service2 + port: 9090 + From db4e43906e1aeac3399434deb239d0d8bbd12748 Mon Sep 17 00:00:00 2001 From: Kevin Heise Date: Mon, 4 Dec 2023 09:51:22 +0100 Subject: [PATCH 04/25] add more to charts --- .gitignore | 3 +- charts/vaas/gateway/templates/configmap.yaml | 9 ++ charts/vaas/gateway/templates/deployment.yaml | 4 +- charts/vaas/gateway/templates/ingress.yaml | 1 + .../vaas/gateway/templates/networkpolicy.yaml | 48 ++++------- .../templates/poddisruptionbudget.yaml | 12 +++ .../gateway/templates/serviceaccount.yaml | 12 --- .../gateway/templates/servicemonitor.yaml | 15 ++++ .../vaas/gateway/templates/statefulset.yaml | 84 ------------------- 9 files changed, 55 insertions(+), 133 deletions(-) create mode 100644 charts/vaas/gateway/templates/configmap.yaml create mode 100644 charts/vaas/gateway/templates/poddisruptionbudget.yaml delete mode 100644 charts/vaas/gateway/templates/serviceaccount.yaml create mode 100644 charts/vaas/gateway/templates/servicemonitor.yaml delete mode 100644 charts/vaas/gateway/templates/statefulset.yaml 
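Review bot: The appended `ingress:` mapping duplicates the top-level `ingress:` key already defined earlier in this file (`ingress: enabled: false …`), and Helm's YAML loader rejects duplicate mapping keys, so the chart fails to load its defaults; the new hosts belong under `gateway.ingress.hosts`, which is where the gateway ingress template reads them. More broadly, the gateway templates in this patch read `.Values.gateway.*`, `.Values.revisionHistoryLimit` and `.Values.networkPolicy.*`, none of which this values.yaml defines, so `helm template` with defaults cannot succeed; a `gateway:` section covering at least `image`, `service.http.port`, `service.ws.port`, `ws.enabled`, `auth.enabled`, `containerSecurityContext.enabled`, `ingress.enabled`, `resources` and `networkPolicy.enabled` is needed. The `# values.yaml` comment adds nothing and can go.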
diff --git a/.gitignore b/.gitignore index 0a95508..eb661d4 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .idea/ -.vscode/ \ No newline at end of file +.vscode/ +*.log \ No newline at end of file diff --git a/charts/vaas/gateway/templates/configmap.yaml b/charts/vaas/gateway/templates/configmap.yaml new file mode 100644 index 0000000..01e83bd --- /dev/null +++ b/charts/vaas/gateway/templates/configmap.yaml @@ -0,0 +1,9 @@ +#TODO: Remove once if OIDC Discovery is enabled +{{- if .Values.gateway.ws.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.gateway.configMap.name }} +data: +{{- toYaml .Values.gateway.configMap. | nindent 2 }} +{{- end }} \ No newline at end of file diff --git a/charts/vaas/gateway/templates/deployment.yaml b/charts/vaas/gateway/templates/deployment.yaml index 1511812..5fc8a7d 100644 --- a/charts/vaas/gateway/templates/deployment.yaml +++ b/charts/vaas/gateway/templates/deployment.yaml @@ -1,4 +1,3 @@ -{{- if .Values.gateway.ws.enabled | not }} apiVersion: apps/v1 kind: Deployment metadata: @@ -16,7 +15,7 @@ spec: {{- include "gateway.selectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} + {{- with .Values.podAnnotations }}Values.gateway.ingress annotations: {{- toYaml . | nindent 8 }} {{- end }} @@ -78,4 +77,3 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} diff --git a/charts/vaas/gateway/templates/ingress.yaml b/charts/vaas/gateway/templates/ingress.yaml index 498bc81..46107e5 100644 --- a/charts/vaas/gateway/templates/ingress.yaml +++ b/charts/vaas/gateway/templates/ingress.yaml @@ -1,3 +1,4 @@ +#TODO: Check if Values in range are correct {{- if .Values.gateway.ingress.enabled -}} {{- $fullName := include "gateway.fullname" . -}} {{- if and .Values.gateway.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} 
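Review bot: `{{- toYaml .Values.gateway.configMap. | nindent 2 }}` ends the field path with a dot, which is a template parse error; Helm parses every template up front, so the whole chart fails to render regardless of `gateway.ws.enabled` — presumably `.Values.gateway.configMap.data` was intended. The ConfigMap is named from a bare value and carries no labels, while deployment.yaml mounts a ConfigMap named `gateway-extra-appsettings`; the two should reference the same name, e.g. `name: {{ .Values.gateway.configMap.name }}` in the volume definition.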
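Review bot: The edited line `{{- with .Values.podAnnotations }}Values.gateway.ingress` leaks the literal text `Values.gateway.ingress` into the rendered manifest ahead of `annotations:`, producing invalid YAML whenever podAnnotations is set; the line should read `{{- with .Values.podAnnotations }}` as before. Removing the `{{- if .Values.gateway.ws.enabled | not }}` guard is consistent with deleting statefulset.yaml in this patch, but service.yaml still adds a `ws` Service port under the same toggle that no container now exposes.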
diff --git a/charts/vaas/gateway/templates/networkpolicy.yaml b/charts/vaas/gateway/templates/networkpolicy.yaml index 1bd2341..f70e176 100644 --- a/charts/vaas/gateway/templates/networkpolicy.yaml +++ b/charts/vaas/gateway/templates/networkpolicy.yaml @@ -1,20 +1,21 @@ -{{- if .Values.networkPolicy.enabled }} +#TODO: Check if working +{{- if .Values.gateway.networkPolicy.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ include "default-service.fullname" . }} + name: {{ include "gateway.fullname" . }} labels: - {{- include "default-service.labels" . | nindent 4 }} + {{- include "gateway.labels" . | nindent 4 }} spec: podSelector: matchLabels: - {{- include "default-service.selectorLabels" . | nindent 6 }} + {{- include "gateway.selectorLabels" . | nindent 6 }} policyTypes: - Ingress - Egress - {{- if .Values.networkPolicy.ingress }} + {{- if .Values.gateway.networkPolicy.ingress }} ingress: - {{- range .Values.networkPolicy.ingress }} + {{- range .Values.gateway.networkPolicy.ingress }} - from: {{- range .blocks }} - ipBlock: @@ -36,7 +37,7 @@ spec: {{- end }} {{- end }} {{- range .namespaces }} - - namespaceSelector: {{- toYaml . | nindent 10 }} + - namespaceSelector: {{- toYaml . servicemonitor| nindent 10 }} {{- end }} {{- if .ports }} ports: @@ -45,36 +46,17 @@ spec: port: {{ . }} {{- end }} {{- range .ports.udp }} - - protocol: UDP + - protocol: UDP name: my-configmap + port: {{ . }} - {{- end }} - {{- end }} + matchLabels: + app: "app1" + ports: + {{- end }} - to: + {{ end }} {{- end }} egress: - - to: - - namespaceSelector: {} - podSelector: - matchLabels: - k8s-app: kube-dns - ports: - - port: 53 - protocol: UDP - - to: - - namespaceSelector: {} - podSelector: - matchLabels: - app.kubernetes.io/name: otel-agent - ports: - - port: 6831 - protocol: UDP - - to: - # sentry.gdata.de - - ipBlock: - cidr: 194.156.84.16/32 - ports: - - port: 443 - protocol: TCP {{ range .Values.networkPolicy.egress }} - to: {{- range .blocks }} 
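Review bot: The second and third hunks contain text that looks like an accidental paste — `{{- toYaml . servicemonitor| nindent 10 }}`, `- protocol: UDP name: my-configmap`, and a `matchLabels: app: "app1"` / `ports:` fragment inside the UDP ports loop — so the template either fails to parse or emits an invalid NetworkPolicy; the removed lines `- protocol: UDP` / `port: {{ . }}` / `{{- end }}` should be restored as they were. Deleting the kube-dns, otel-agent and sentry egress rules while `policyTypes` still lists `Egress` leaves `egress:` with only the user-supplied entries, which blocks all outbound traffic including DNS resolution by default; if the intent is to make destinations configurable, the DNS rule at least should stay or be documented as a required value. `{{ range .Values.networkPolicy.egress }}` also still reads the old `networkPolicy` root while the rest of the file moved to `.Values.gateway.networkPolicy`.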
diff --git a/charts/vaas/gateway/templates/poddisruptionbudget.yaml b/charts/vaas/gateway/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000..a1b06f5 --- /dev/null +++ b/charts/vaas/gateway/templates/poddisruptionbudget.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "gateway.fullname" . }} + labels: + {{- include "gateway.selectorLabels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + minAvailable: 1 \ No newline at end of file diff --git a/charts/vaas/gateway/templates/serviceaccount.yaml b/charts/vaas/gateway/templates/serviceaccount.yaml deleted file mode 100644 index e355a88..0000000 --- a/charts/vaas/gateway/templates/serviceaccount.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "gateway.serviceAccountName" . }} - labels: - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/vaas/gateway/templates/servicemonitor.yaml b/charts/vaas/gateway/templates/servicemonitor.yaml new file mode 100644 index 0000000..86a9b51 --- /dev/null +++ b/charts/vaas/gateway/templates/servicemonitor.yaml @@ -0,0 +1,15 @@ +{{- if .Values.metrics.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "gateway.fullname" . }} + labels: + {{- include "gateway.labels" . | nindent 4 }} +spec: + endpoints: + - port: {{ .Values.gateway.metrics.port | quote }} + path: {{ .Values.gateway.metrics.path }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 8 }} +{{- end }} diff --git a/charts/vaas/gateway/templates/statefulset.yaml b/charts/vaas/gateway/templates/statefulset.yaml deleted file mode 100644 index 1be9399..0000000 
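Review bot: `minAvailable: 1` with the chart default `replicaCount: 1` makes the single gateway Pod unevictable, so node drains and cluster upgrades stall on this release; render the PodDisruptionBudget only when more than one replica is requested, e.g. `{{- if gt (int .Values.replicaCount) 1 }}`, or expose `maxUnavailable` through values. The metadata labels use `gateway.selectorLabels` where the other gateway templates use `gateway.labels`, dropping the chart and version labels; `{{- include "gateway.labels" . | nindent 4 }}` would be consistent.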
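Review bot: The file is gated on `.Values.metrics.enabled`, but values.yaml defines `metrics.servicemonitor.enabled`, and the endpoint reads `.Values.gateway.metrics.port`/`.path`, which values.yaml does not define either; with the current defaults the ServiceMonitor never renders, and with `metrics.enabled: true` it renders an endpoint with an empty port. Align on one path, e.g. `{{- if .Values.metrics.servicemonitor.enabled }}` and `path: {{ .Values.metrics.servicemonitor.path }}`. A ServiceMonitor `endpoints[].port` names a Service port (this chart's Service exposes `http` and `ws`), so quoting a numeric value does not make it valid; `port: http` or a named port from values is what is needed.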
--- a/charts/vaas/gateway/templates/statefulset.yaml
+++ /dev/null
@@ -1,84 +0,0 @@
-{{- if .Values.gateway.ws.enabled }}
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: {{ include "gateway.fullname" . }}
- labels:
- {{- include "gateway.labels" . | nindent 4 }}
-spec:
- serviceName: {{ include "gateway.fullname" . }}
- {{- if not .Values.autoscaling.enabled }}
- replicas: {{ .Values.replicaCount }}
- {{- end }}
- revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
- selector:
- matchLabels:
- {{- include "gateway.selectorLabels" . | nindent 6 }}
- template:
- metadata:
- {{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- labels:
- {{- include "gateway.selectorLabels" . | nindent 8 }}
- spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ include "gateway.serviceAccountName" . }}
- volumes:
- {{- if .Values.gateway.auth.enabled }}
- - name: gateway-extra-appsettings
- configMap:
- name: gateway-extra-appsettings
- items:
- - key: "appsettings.{{ .Release.Name }}.json"
- path: "appsettings.{{ .Release.Name }}.json"
- {{- end }}
- {{- if .Values.gateway.containerSecurityContext.enabled }}
- - name: gateway-tmp
- emptyDir: {}
- {{- end }}
- containers:
- - name: {{ include "gateway.name" . }}
- securityContext:
- {{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }}
- image: '{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag | default "latest" }}'
- imagePullPolicy: {{ .Values.gateway.image.pullPolicy }}
- {{- if .Values.gateway.auth.enabled }}
- volumeMounts:
- - mountPath: "/data/appsettings.{{ .Release.Name }}.json"
- subPath: "appsettings.{{ .Release.Name }}.json"
- name: gateway-extra-appsettings
- - mountPath: /tmp
- name: gateway-temp
- {{- end }}
- env:
- {{- range $key, $value := include "gateway.extractEnvVars" . }}
- - name: {{ $key }}
- value: {{ $value | quote }}
- {{- end }}
- ports:
- - name: ws
- containerPort: 9090
- protocol: TCP
- - name: http
- containerPort: 8080
- protocol: TCP
- resources:
- {{- toYaml .Values.gateway.resources | nindent 12 }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
-{{- end }}
From 70fbbec29e1b1be989f0ef7bf74d8b461716f9b9 Mon Sep 17 00:00:00 2001
From: PT-ATA No One Date: Wed, 6 Dec 2023 16:06:02 +0100 Subject: [PATCH 05/25] fix folder stucture --- .gitignore | 3 +- README.md | 58 +++- charts/vaas/Chart.yaml | 20 +- charts/vaas/gateway/templates/configmap.yaml | 9 - charts/vaas/gateway/templates/hpa.yaml | 28 -- charts/vaas/scanner/Chart.yaml | 24 -- .../scanner/templates/serviceaccount.yaml | 12 - .../templates/tests/test-connection.yaml | 15 -- .../templates => templates/gateway}/NOTES.txt | 22 +- .../gateway}/_helpers.tpl | 37 ++- .../gateway}/ingress.yaml | 18 +- .../gateway}/networkpolicy.yaml | 26 +- .../gateway}/poddisruptionbudget.yaml | 2 +- .../gateway}/service.yaml | 2 - .../gateway}/servicemonitor.yaml | 2 +- .../gateway/statefulset.yaml} | 44 ++- .../vaas/{ => templates/scanner}/_helpers.tpl | 18 +- .../scanner}/deployment.yaml | 50 ++-- .../templates => templates/scanner}/hpa.yaml | 14 +- .../scanner}/ingress.yaml | 22 +- .../templates => templates/scanner}/pvc.yaml | 6 +- .../scanner}/secret.yaml | 4 +- .../scanner}/service.yaml | 4 +- .../scanner}/servicemonitor.yaml | 6 +- .../scanner}/statefulset.yaml | 54 ++-- .../scanner}/update.yaml | 18 +- charts/vaas/values.yaml | 253 +++++++++++------- 27 files changed, 396 insertions(+), 375 deletions(-) delete mode 100644 charts/vaas/gateway/templates/configmap.yaml delete mode 100644 charts/vaas/gateway/templates/hpa.yaml delete mode 100644 charts/vaas/scanner/Chart.yaml delete mode 100644 charts/vaas/scanner/templates/serviceaccount.yaml delete mode 100644 charts/vaas/scanner/templates/tests/test-connection.yaml rename charts/vaas/{gateway/templates => templates/gateway}/NOTES.txt (53%) rename charts/vaas/{gateway/templates => templates/gateway}/_helpers.tpl (57%) rename charts/vaas/{gateway/templates => templates/gateway}/ingress.yaml (75%) rename charts/vaas/{gateway/templates => templates/gateway}/networkpolicy.yaml (86%) rename charts/vaas/{gateway/templates => templates/gateway}/poddisruptionbudget.yaml (79%) rename 
charts/vaas/{gateway/templates => templates/gateway}/service.yaml (88%) rename charts/vaas/{gateway/templates => templates/gateway}/servicemonitor.yaml (90%) rename charts/vaas/{gateway/templates/deployment.yaml => templates/gateway/statefulset.yaml} (55%) rename charts/vaas/{ => templates/scanner}/_helpers.tpl (80%) rename charts/vaas/{scanner/templates => templates/scanner}/deployment.yaml (55%) rename charts/vaas/{scanner/templates => templates/scanner}/hpa.yaml (52%) rename charts/vaas/{scanner/templates => templates/scanner}/ingress.yaml (64%) rename charts/vaas/{scanner/templates => templates/scanner}/pvc.yaml (59%) rename charts/vaas/{scanner/templates => templates/scanner}/secret.yaml (64%) rename charts/vaas/{scanner/templates => templates/scanner}/service.yaml (76%) rename charts/vaas/{scanner/templates => templates/scanner}/servicemonitor.yaml (60%) rename charts/vaas/{scanner/templates => templates/scanner}/statefulset.yaml (54%) rename charts/vaas/{scanner/templates => templates/scanner}/update.yaml (72%) diff --git a/.gitignore b/.gitignore index eb661d4..1dee038 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .idea/ .vscode/ -*.log \ No newline at end of file +*.log +*-locale.yaml \ No newline at end of file diff --git a/README.md b/README.md index 1ec3ea2..0dbd215 100644 --- a/README.md +++ b/README.md 
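Review bot: The added ignore pattern `*-locale.yaml` reads like a misspelling of `*-local.yaml`; if the intent is to keep per-developer values overrides out of the repository, a `values-local.yaml` holding the `secret.dockerconfigjson` registry token that the README asks users to create would still be committed. If `locale` is the intended word, a short comment above the pattern naming the files it is meant to cover would remove the ambiguity.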
@@ -1,2 +1,56 @@ -# vaas-helm -Helm Chart for VaaS on-premise +# Verdict-as-a-Service Helm Chart + +Vaas helm is a chart for deploying Verdict-as-a-Service on-premise. + +## Install Verdict-as-a-Service + +1. Create a minimal values.yaml file: + +The token has to be set in the `secret.dockerconfigjson` variable on deployment. + +```yaml +# values.yaml +secret: + dockerconfigjson: $$_BASE64_ENCODED_JSON_CONTAINING_TOKEN_$$ +``` + +Example of the dockerconfigjson + +```json +{ + "auths": { + "ghcr.io": { + "auth": "$$_BASE64_ENCODED_USERNAME_AND_TOKEN_$$" + } + } +} +``` + +2. Add the helm repository: + +```bash +helm repo add vaas https://gdatasoftwareag.github.io/vaas/ +``` + +3. Install Verdict-as-a-Service: + +```bash +helm install vaas gdatasoftware/vaas -f values.yaml +``` + +TODO: + +### Updating Verdict-as-a-Service + +```bash +helm repo update +helm upgrade gdscan gdscan/gdscan -f values.yaml +``` + +## Configuring Verdict-as-a-Service + +TODO + +| Name | Description | Value | +| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `service.type` | service type | `ClusterIP` | diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml index a3532b7..a7f3e7a 100644 --- a/charts/vaas/Chart.yaml +++ b/charts/vaas/Chart.yaml 
@@ -1,24 +1,6 @@
 apiVersion: v2
-name: vaas-helm
+name: vaas
 description: A Helm chart for Kubernetes
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
 version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
 appVersion: "1.16.0"
diff --git a/charts/vaas/gateway/templates/configmap.yaml b/charts/vaas/gateway/templates/configmap.yaml
deleted file mode 100644
index 01e83bd..0000000
--- a/charts/vaas/gateway/templates/configmap.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-#TODO: Remove once if OIDC Discovery is enabled
-{{- if .Values.gateway.ws.enabled }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ .Values.gateway.configMap.name }}
-data:
-{{- toYaml .Values.gateway.configMap. | nindent 2 }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/vaas/gateway/templates/hpa.yaml b/charts/vaas/gateway/templates/hpa.yaml
deleted file mode 100644
index 3ed01ea..0000000
--- a/charts/vaas/gateway/templates/hpa.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ include "gateway.fullname" . }}
- labels:
- {{- include "gateway.labels" . | nindent 4 }}
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ include "gateway.fullname" . }}
- minReplicas: {{ .Values.autoscaling.minReplicas }}
- maxReplicas: {{ .Values.autoscaling.maxReplicas }}
- metrics:
- {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
- {{- end }}
- {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- - type: Resource
- resource:
- name: memory
- targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
- {{- end }}
-{{- end }}
diff --git a/charts/vaas/scanner/Chart.yaml b/charts/vaas/scanner/Chart.yaml
deleted file mode 100644
index 85de508..0000000
--- a/charts/vaas/scanner/Chart.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v2
-name: vaas
-description: A Helm chart for Kubernetes
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
diff --git a/charts/vaas/scanner/templates/serviceaccount.yaml b/charts/vaas/scanner/templates/serviceaccount.yaml
deleted file mode 100644
index 8c8cd06..0000000
--- a/charts/vaas/scanner/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "vaas-helm.serviceAccountName" . }}
- labels:
- {{- include "vaas-helm.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/charts/vaas/scanner/templates/tests/test-connection.yaml b/charts/vaas/scanner/templates/tests/test-connection.yaml
deleted file mode 100644
index 485515b..0000000
--- a/charts/vaas/scanner/templates/tests/test-connection.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: "{{ include "vaas-helm.fullname" . }}-test-connection"
- labels:
- {{- include "vaas-helm.labels" . | nindent 4 }}
- annotations:
- "helm.sh/hook": test
-spec:
- containers:
- - name: wget
- image: busybox
- command: ['wget']
- args: ['{{ include "vaas-helm.fullname" . }}:{{ .Values.service.port }}']
- restartPolicy: Never
diff --git a/charts/vaas/gateway/templates/NOTES.txt b/charts/vaas/templates/gateway/NOTES.txt
similarity index 53%
rename from charts/vaas/gateway/templates/NOTES.txt
rename to charts/vaas/templates/gateway/NOTES.txt
index 5fec8e3..13b159b 100644
--- a/charts/vaas/gateway/templates/NOTES.txt
+++ b/charts/vaas/templates/gateway/NOTES.txt
@@ -1,21 +1,21 @@ 1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} +{{- if .Values.gateway.ingress.enabled }} +{{- range $host := .Values.gateway.ingress.hosts }} {{- range .paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + http{{ if $.Values.gateway.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} {{- end }} {{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "vaas-helm.fullname" . }}) +{{- else if contains "NodePort" .Values.gateway.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gateway.fullname" . }}) export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} +{{- else if contains "LoadBalancer" .Values.gateway.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "vaas-helm.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "vaas-helm.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "vaas-helm.name" . 
}},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "gateway.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "gateway.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.gateway.service.port }} +{{- else if contains "ClusterIP" .Values.gateway.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "gateway.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT diff --git a/charts/vaas/gateway/templates/_helpers.tpl b/charts/vaas/templates/gateway/_helpers.tpl similarity index 57% rename from charts/vaas/gateway/templates/_helpers.tpl rename to charts/vaas/templates/gateway/_helpers.tpl index e2226b5..30f6a52 100644 --- a/charts/vaas/gateway/templates/_helpers.tpl +++ b/charts/vaas/templates/gateway/_helpers.tpl @@ -2,7 +2,7 @@ Expand the name of the chart. */}} {{- define "gateway.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- default .Chart.Name .Values.gateway.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} {{/* 
@@ -11,10 +11,10 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this If release name contains chart name it will be used as a full name. */}} {{- define "gateway.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- if .Values.gateway.fullnameOverride }} +{{- .Values.gateway.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} +{{- $name := default .Chart.Name .Values.gateway.nameOverride }} {{- if contains $name .Release.Name }} {{- .Release.Name | trunc 63 | trimSuffix "-" }} {{- else }} @@ -54,10 +54,10 @@ app.kubernetes.io/instance: {{ .Release.Name }} Create the name of the service account to use */}} {{- define "gateway.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "gateway.fullname" .) .Values.serviceAccount.name }} +{{- if .Values.gateway.serviceAccount.create }} +{{- default (include "gateway.fullname" .) .Values.gateway.serviceAccount.name }} {{- else }} -{{- default "default" .Values.serviceAccount.name }} +{{- default "default" .Values.gateway.serviceAccount.name }} {{- end }} {{- end }} @@ -65,7 +65,7 @@ Create the name of the service account to use Extracts environment variables from values.yaml and returns a list of key-value pairs. */}} {{- define "gateway.extractEnvVars" -}} - {{- $envVars := .Values.env | default (list) -}} + {{- $envVars := .Values.gateway.env | default (list) -}} {{- $result := list -}} {{- range $envVars -}} {{- $key := .name -}} 
@@ -74,3 +74,24 @@ Extracts environment variables from values.yaml and returns a list of key-value
 {{- end -}}
 {{- $result -}}
 {{- end -}}
+
+{{/*
+Create environment variables to configure gateway container.
+*/}}
+{{- define "gateway.env" }}
+{{- if .Values.gateway.cloudhashlookup.enabled }}
+- name: VerdictAsAService__Url
+ value: {{ .Values.gateway.options.url | quote }}
+- name: VerdictAsAService__TokenUrl
+ value: {{ .Values.gateway.options.tokenurl | quote }}
+- name: VerdictAsAService__Credentials__GrantType
+ value: {{ .Values.gateway.options.credentials.granttype | quote }}
+- name: VerdictAsAService__Credentials__ClientId
+ value: {{ .Values.gateway.options.credentials.clientid | quote }}
+- name: VerdictAsAService__Credentials__ClientSecret
+ {{ toYaml .Values.gateway.options.credentials.clientsecret }}
+{{- end }}
+{{- if .Values.gateway.env }}
+{{ toYaml .Values.gateway.env }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/vaas/gateway/templates/ingress.yaml b/charts/vaas/templates/gateway/ingress.yaml
similarity index 75%
rename from charts/vaas/gateway/templates/ingress.yaml
rename to charts/vaas/templates/gateway/ingress.yaml
index 46107e5..53ec956 100644
--- a/charts/vaas/gateway/templates/ingress.yaml
+++ b/charts/vaas/templates/gateway/ingress.yaml
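Review bot: In the new `gateway.env` define, the `VerdictAsAService__Credentials__ClientSecret` entry renders `{{ toYaml .Values.gateway.options.credentials.clientsecret }}` with a fixed two-space prefix and no `nindent`, so a multi-line value such as a `valueFrom.secretKeyRef` mapping keeps its indent only on the first line and the rest lands at column 0 under the caller's `nindent 12`, producing an env entry where `valueFrom` is empty and `secretKeyRef` becomes a sibling key. Rendering it as `{{- toYaml .Values.gateway.options.credentials.clientsecret | nindent 2 }}` fixes the layout. The define should also carry a comment stating that `clientsecret` is expected to be a `valueFrom` mapping rather than a literal string, since a literal would end up in the rendered StatefulSet where anyone able to read the workload can see it, and a plain string here would not even form a valid env item. The trailing `{{ toYaml .Values.gateway.env }}` happens to line up because a list starts at column 0, but the same `nindent` treatment would make the two blocks consistent.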
@@ -30,30 +30,30 @@ spec: tls: {{- range .Values.gateway.ingress.tls }} - hosts: - {{- range .Values.gateway.ingress.hosts }} + {{- range .hosts }} - {{ . | quote }} {{- end }} - secretName: {{ .Values.gateway.ingress.secretName }} + secretName: {{ .secretName }} {{- end }} {{- end }} rules: {{- range .Values.gateway.ingress.hosts }} - - host: {{ .Values.gateway.ingress.host | quote }} + - host: {{ .host | quote }} http: paths: - - path: {{ .Values.gateway.ingress.hosts.path }} + - path: {{ .paths }} {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} - pathType: {{ .Values.gateway.ingress.hosts.pathtype }} + pathType: {{ .pathtype }} {{- end }} backend: {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} service: - name: {{ .Values.gateway.ingress.hosts.service.name }} + name: {{ .service.name }} port: - number: {{ .Values.gateway.ingress.hosts.service.port }} + number: {{ .service.port }} {{- else }} - serviceName: {{ .Values.gateway.ingress.hosts.service.name }} - servicePort: {{ .Values.gateway.ingress.hosts.service.port }} + serviceName: {{ .service.name }} + servicePort: {{ .service.port }} {{- end }} {{- end }} {{- end }} diff --git a/charts/vaas/gateway/templates/networkpolicy.yaml b/charts/vaas/templates/gateway/networkpolicy.yaml similarity index 86% rename from charts/vaas/gateway/templates/networkpolicy.yaml rename to charts/vaas/templates/gateway/networkpolicy.yaml index f70e176..f4d6897 100644 --- a/charts/vaas/gateway/templates/networkpolicy.yaml +++ b/charts/vaas/templates/gateway/networkpolicy.yaml @@ -26,10 +26,10 @@ spec: matchLabels: {{- with .instance }} app.kubernetes.io/instance: {{ . }} - {{ end }} + {{- end }} {{- with .name }} app.kubernetes.io/name: {{ . }} - {{ end }} + {{- end }} {{- if .namespace }} namespaceSelector: {{ .namespace }} {{- else }} 
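Review bot: Inside `range .Values.gateway.ingress.hosts`, `path: {{ .paths }}` prints the whole `paths` list as a Go value rather than a single path, and `pathType: {{ .pathtype }}` is guarded by `.pathType` (different casing) so it renders only when a value is spelled both ways. NOTES.txt in this same commit iterates `{{- range .paths }}` per host and reads `.path`, so the rules block here should do the same: `{{- range .paths }}` / `- path: {{ .path }}` / `pathType: {{ .pathType }}`, and `.service.name`/`.service.port` then belong inside that inner loop if that is where values.yaml places them. The hunk begins at `spec.tls`, so the head of the ingress template is not visible here.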
@@ -37,7 +37,7 @@ spec: {{- end }} {{- end }} {{- range .namespaces }} - - namespaceSelector: {{- toYaml . servicemonitor| nindent 10 }} + - namespaceSelector: {{- toYaml . | nindent 10 }} {{- end }} {{- if .ports }} ports: @@ -46,16 +46,13 @@ spec: port: {{ . }} {{- end }} {{- range .ports.udp }} - - protocol: UDP name: my-configmap - + - protocol: UDP port: {{ . }} - matchLabels: - app: "app1" - ports: - {{- end }} - to: - - {{ end }} + {{- end }} + {{- end }} + {{- end }} {{- end }} + {{- if .Values.gateway.networkPolicy.egress }} egress: {{ range .Values.networkPolicy.egress }} - to: @@ -68,10 +65,10 @@ spec: matchLabels: {{- with .instance }} app.kubernetes.io/instance: {{ . }} - {{ end }} + {{- end }} {{- with .name }} app.kubernetes.io/name: {{ . }} - {{ end }} + {{- end }} {{- if .namespace }} namespaceSelector: {{ .namespace }} {{- else }} @@ -92,5 +89,6 @@ spec: port: {{ . }} {{- end }} {{- end }} - {{ end }} + {{- end }} + {{- end }} {{- end }} diff --git a/charts/vaas/gateway/templates/poddisruptionbudget.yaml b/charts/vaas/templates/gateway/poddisruptionbudget.yaml similarity index 79% rename from charts/vaas/gateway/templates/poddisruptionbudget.yaml rename to charts/vaas/templates/gateway/poddisruptionbudget.yaml index a1b06f5..4097959 100644 --- a/charts/vaas/gateway/templates/poddisruptionbudget.yaml +++ b/charts/vaas/templates/gateway/poddisruptionbudget.yaml @@ -9,4 +9,4 @@ spec: selector: matchLabels: {{- include "gateway.selectorLabels" . | nindent 6 }} - minAvailable: 1 \ No newline at end of file + minAvailable: {{ .Values.gateway.podDisruptionBudget.minAvailable }} \ No newline at end of file diff --git a/charts/vaas/gateway/templates/service.yaml b/charts/vaas/templates/gateway/service.yaml similarity index 88% rename from charts/vaas/gateway/templates/service.yaml rename to charts/vaas/templates/gateway/service.yaml index 140fa30..5b73200 100644 --- a/charts/vaas/gateway/templates/service.yaml 
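Review bot: The new guard `{{- if .Values.gateway.networkPolicy.egress }}` encloses `{{ range .Values.networkPolicy.egress }}`, which still reads the old un-prefixed key, so when egress rules are defined under `gateway.networkPolicy` the loop yields nothing and the manifest emits a bare `egress:` with no rules. If the policy's `policyTypes` (outside these hunks) includes `Egress`, an empty egress list blocks all outbound traffic from the gateway pods, DNS included, which surfaces as a runtime outage rather than a template error. Changing the loop to `{{ range .Values.gateway.networkPolicy.egress }}` makes it match its guard and the ingress side. The enclosing policy starts before line 26, so the `policyTypes` and the first `from` block are not visible here.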
+++ b/charts/vaas/templates/gateway/service.yaml @@ -11,11 +11,9 @@ spec: targetPort: http protocol: TCP name: http - {{- if .Values.gateway.ws.enabled }} - port: {{ .Values.gateway.service.ws.port }} targetPort: ws protocol: TCP name: ws - {{- end }} selector: {{- include "gateway.selectorLabels" . | nindent 4 }} diff --git a/charts/vaas/gateway/templates/servicemonitor.yaml b/charts/vaas/templates/gateway/servicemonitor.yaml similarity index 90% rename from charts/vaas/gateway/templates/servicemonitor.yaml rename to charts/vaas/templates/gateway/servicemonitor.yaml index 86a9b51..f1926be 100644 --- a/charts/vaas/gateway/templates/servicemonitor.yaml +++ b/charts/vaas/templates/gateway/servicemonitor.yaml @@ -1,4 +1,4 @@ -{{- if .Values.metrics.enabled }} +{{- if .Values.gateway.metrics.enabled }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: diff --git a/charts/vaas/gateway/templates/deployment.yaml b/charts/vaas/templates/gateway/statefulset.yaml similarity index 55% rename from charts/vaas/gateway/templates/deployment.yaml rename to charts/vaas/templates/gateway/statefulset.yaml index 5fc8a7d..05802c9 100644 --- a/charts/vaas/gateway/templates/deployment.yaml +++ b/charts/vaas/templates/gateway/statefulset.yaml 
@@ -1,41 +1,32 @@ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: name: {{ include "gateway.fullname" . }} labels: {{- include "gateway.labels" . | nindent 4 }} spec: serviceName: {{ include "gateway.fullname" . }} - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + {{- if not .Values.gateway.autoscaling.enabled }} + replicas: {{ .Values.gateway.replicaCount }} {{- end }} - revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + revisionHistoryLimit: {{ .Values.gateway.revisionHistoryLimit }} selector: matchLabels: {{- include "gateway.selectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }}Values.gateway.ingress + {{- with .Values.gateway.podAnnotations }} annotations: {{- toYaml . | nindent 8 }} {{- end }} labels: {{- include "gateway.selectorLabels" . | nindent 8 }} spec: - {{- with .Values.imagePullSecrets }} + {{- with .Values.gateway.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} volumes: - {{- if .Values.gateway.auth.enabled }} - - name: gateway-extra-appsettings - configMap: - name: gateway-extra-appsettings - items: - - key: "appsettings.{{ .Release.Name }}.json" - path: "appsettings.{{ .Release.Name }}.json" - {{- end }} {{- if .Values.gateway.containerSecurityContext.enabled }} - name: gateway-tmp emptyDir: {} 
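Review bot: Dropping `serviceAccountName` means the gateway pods now run under the namespace's `default` ServiceAccount, whose API token is mounted into the container unless the pod opts out; nothing in this template shows the gateway calling the Kubernetes API, so the pod spec should carry `automountServiceAccountToken: false` right after the `imagePullSecrets` block to keep that credential out of the container. If a dedicated ServiceAccount is still wanted, the `gateway.serviceAccountName` helper kept in _helpers.tpl in this same commit is now unused and can be removed together with its `gateway.serviceAccount.*` values. The pod's `containers` list continues in the next hunk.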
@@ -46,34 +37,29 @@ spec: {{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }} image: '{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag | default "latest" }}' imagePullPolicy: {{ .Values.gateway.image.pullPolicy }} - {{- if .Values.gateway.auth.enabled }} volumeMounts: - - mountPath: "/data/appsettings.{{ .Release.Name }}.json" - subPath: "appsettings.{{ .Release.Name }}.json" - name: gateway-extra-appsettings - mountPath: /tmp name: gateway-temp - {{- end }} - env: - {{- range $key, $value := include "gateway.extractEnvVars" . }} - - name: {{ $key }} - value: {{ $value | quote }} - {{- end }} + env: + {{- include "gateway.env" . | nindent 12 }} ports: - name: http - containerPort: 8080 + containerPort: {{ .Values.gateway.service.http.port }} + protocol: TCP + - name: ws + containerPort: {{ .Values.gateway.service.ws.port }} protocol: TCP resources: {{- toYaml .Values.gateway.resources | nindent 12 }} - {{- with .Values.nodeSelector }} + {{- with .Values.gateway.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.gateway.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.gateway.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/charts/vaas/_helpers.tpl b/charts/vaas/templates/scanner/_helpers.tpl similarity index 80% rename from charts/vaas/_helpers.tpl rename to charts/vaas/templates/scanner/_helpers.tpl index 8453bdd..c935fac 100644 --- a/charts/vaas/_helpers.tpl +++ b/charts/vaas/templates/scanner/_helpers.tpl @@ -2,7 +2,7 @@ Expand the name of the chart. */}} {{- define "scanner.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- default .Chart.Name .Values.scanner.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} {{/* 
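Review bot: The `volumeMounts` entry `name: gateway-temp` is now unconditional, but the only volume the pod declares for it is `gateway-tmp` (different name) and that one exists only when `gateway.containerSecurityContext.enabled` is true, so the API server rejects the pod for referencing an undeclared volume unless both the name and the condition match. Rename the mount to `name: gateway-tmp` and either declare the volume unconditionally or wrap the mount in the same `{{- if .Values.gateway.containerSecurityContext.enabled }}` guard. The context line `{{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }}` also copies the `enabled` toggle into the container `securityContext`, where it is not a valid field and is either rejected or silently pruned depending on field validation; the scanner deployment in this commit strips it with `omit ... "enabled"`, and the same idiom belongs here.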
@@ -11,10 +11,10 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this If release name contains chart name it will be used as a full name. */}} {{- define "scanner.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- if .Values.scanner.fullnameOverride }} +{{- .Values.scanner.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} +{{- $name := default .Chart.Name .Values.scanner.nameOverride }} {{- if contains $name .Release.Name }} {{- .Release.Name | trunc 63 | trimSuffix "-" }} {{- else }} @@ -59,10 +59,10 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} {{- define "common.names.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- if .Values.scanner.fullnameOverride -}} +{{- .Values.scanner.fullnameOverride | trunc 63 | trimSuffix "-" -}} {{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $name := default .Chart.Name .Values.scanner.nameOverride -}} {{- if contains $name .Release.Name -}} {{- .Release.Name | trunc 63 | trimSuffix "-" -}} {{- else -}} @@ -72,8 +72,8 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} {{- define "vaas.claimName" -}} -{{- if and .Values.persistence.existingClaim }} - {{- printf "%s" (tpl .Values.persistence.existingClaim $) -}} +{{- if and .Values.scanner.persistence.existingClaim }} + {{- printf "%s" (tpl .Values.scanner.persistence.existingClaim $) -}} {{- else -}} {{- printf "%s" (include "common.names.fullname" .) -}} {{- end -}} diff --git a/charts/vaas/scanner/templates/deployment.yaml b/charts/vaas/templates/scanner/deployment.yaml similarity index 55% rename from charts/vaas/scanner/templates/deployment.yaml rename to charts/vaas/templates/scanner/deployment.yaml index 44b31d5..cf54960 100644 --- a/charts/vaas/scanner/templates/deployment.yaml 
+++ b/charts/vaas/templates/scanner/deployment.yaml @@ -1,4 +1,4 @@ -{{- if or (.Values.persistence.enabled | not) (eq .Values.persistence.accessMode "ReadWriteMany" ) }} +{{- if or (.Values.scanner.persistence.enabled | not) (eq .Values.scanner.persistence.accessMode "ReadWriteMany" ) }} apiVersion: apps/v1 kind: Deployment metadata: @@ -7,16 +7,16 @@ metadata: {{- include "scanner.labels" . | nindent 4 }} spec: strategy: - type: {{ .Values.deploymentStrategy }} - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + type: {{ .Values.scanner.deploymentStrategy }} + {{- if not .Values.scanner.autoscaling.enabled }} + replicas: {{ .Values.scanner.replicaCount }} {{- end }} selector: matchLabels: {{- include "scanner.selectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} + {{- with .Values.scanner.podAnnotations }} annotations: {{- toYaml . | nindent 8 }} {{- end }} 
@@ -25,33 +25,33 @@ spec: spec: volumes: - name: samples - {{- if .Values.persistence.enabled }} + {{- if .Values.scanner.persistence.enabled }} persistentVolumeClaim: claimName: {{ include "vaas.claimName" . }} {{- else }} emptyDir: - sizeLimit: {{ .Values.persistence.size | quote }} - {{- if .Values.persistence.memory }} + sizeLimit: {{ .Values.scanner.persistence.size | quote }} + {{- if .Values.scanner.persistence.memory }} medium : "Memory" {{- end }} {{- end }} - name: scan-socket emptyDir: {} - {{- if .Values.client.containerSecurityContext.enabled }} + {{- if .Values.scanner.client.containerSecurityContext.enabled }} - name: client-tmp emptyDir: {} {{- end }} - {{- with .Values.imagePullSecrets }} + {{- with .Values.scanner.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} containers: - - name: {{ .Values.server.name }} + - name: {{ .Values.scanner.server.name }} env: - name: date value: "{{ now | unixEpoch }}" - image: '{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}' - imagePullPolicy: {{ .Values.server.image.pullPolicy }} + image: '{{ .Values.scanner.server.image.repository }}:{{ .Values.scanner.server.image.tag | default "latest" }}' + imagePullPolicy: {{ .Values.scanner.server.image.pullPolicy }} volumeMounts: - name: samples mountPath: /tmp/scan 
@@ -60,24 +60,24 @@ spec: - name: server-var-log mountPath: /var/log resources: - {{- toYaml .Values.resources.server | nindent 12 }} - - name: {{ .Values.client.name }} - image: '{{ .Values.client.image.repository }}:{{ .Values.client.image.tag | default "latest" }}' - imagePullPolicy: {{ .Values.client.image.pullPolicy }} - {{- if .Values.client.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.client.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- toYaml .Values.scanner.resources.server | nindent 12 }} + - name: {{ .Values.scanner.client.name }} + image: '{{ .Values.scanner.client.image.repository }}:{{ .Values.scanner.client.image.tag | default "latest" }}' + imagePullPolicy: {{ .Values.scanner.client.image.pullPolicy }} + {{- if .Values.scanner.client.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.scanner.client.containerSecurityContext "enabled" | toYaml | nindent 12 }} {{- end }} volumeMounts: - name: samples mountPath: /tmp/scan - name: scan-socket mountPath: /var/share/run - {{- if .Values.client.containerSecurityContext.enabled }} + {{- if .Values.scanner.client.containerSecurityContext.enabled }} - name: client-tmp mountPath: /tmp {{- end }} resources: - {{- toYaml .Values.resources.client | nindent 12 }} + {{- toYaml .Values.scanner.resources.client | nindent 12 }} ports: - name: api containerPort: 8080 
@@ -94,16 +94,16 @@ spec: port: api initialDelaySeconds: 5 periodSeconds: 5 - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - {{- with .Values.nodeSelector }} + terminationGracePeriodSeconds: {{ .Values.scanner.terminationGracePeriodSeconds }} + {{- with .Values.scanner.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.scanner.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.scanner.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/charts/vaas/scanner/templates/hpa.yaml b/charts/vaas/templates/scanner/hpa.yaml similarity index 52% rename from charts/vaas/scanner/templates/hpa.yaml rename to charts/vaas/templates/scanner/hpa.yaml index fa14358..7f9d9ec 100644 --- a/charts/vaas/scanner/templates/hpa.yaml +++ b/charts/vaas/templates/scanner/hpa.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.autoscaling.enabled }} +{{- if and .Values.scanner.autoscaling.enabled }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: 
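Review bot: `{{- if and .Values.scanner.autoscaling.enabled }}` on the new first line of hpa.yaml applies `and` to a single operand, which is a no-op and reads like a leftover from a longer condition. `{{- if .Values.scanner.autoscaling.enabled }}` states the same guard plainly and matches the `if not .Values.scanner.autoscaling.enabled` form used in the statefulset.yaml hunks.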
@@ -8,16 +8,16 @@ metadata: spec: scaleTargetRef: apiVersion: apps/v1 - {{- if and (.Values.persistence.enabled) (eq .Values.persistence.accessMode "ReadWriteOnce" ) }} + {{- if and (.Values.scanner.persistence.enabled) (eq .Values.scanner.persistence.accessMode "ReadWriteOnce" ) }} kind: StatefulSet {{- else }} kind: Deployment {{- end }} name: {{ include "scanner.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - {{- if .Values.autoscaling.metrics }} - metrics: {{- toYaml .Values.autoscaling.metrics | nindent 4 }} + minReplicas: {{ .Values.scanner.autoscaling.minReplicas }} + maxReplicas: {{ .Values.scanner.autoscaling.maxReplicas }} + {{- if .Values.scanner.autoscaling.metrics }} + metrics: {{- toYaml .Values.scanner.autoscaling.metrics | nindent 4 }} {{- else }} metrics: - type: Resource @@ -25,6 +25,6 @@ spec: name: cpu target: type: Utilization - averageUtilization: {{ .Values.autoscaling.targetCPU }} + averageUtilization: {{ .Values.scanner.autoscaling.targetCPU }} {{- end }} {{- end }} \ No newline at end of file diff --git a/charts/vaas/scanner/templates/ingress.yaml b/charts/vaas/templates/scanner/ingress.yaml similarity index 64% rename from charts/vaas/scanner/templates/ingress.yaml rename to charts/vaas/templates/scanner/ingress.yaml index 789415a..a8b6d46 100644 --- a/charts/vaas/scanner/templates/ingress.yaml +++ b/charts/vaas/templates/scanner/ingress.yaml 
@@ -1,9 +1,9 @@ -{{- if .Values.ingress.enabled -}} +{{- if .Values.scanner.ingress.enabled -}} {{- $fullName := include "scanner.fullname" . -}} -{{- $svcPort := .Values.service.port -}} -{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} +{{- $svcPort := .Values.scanner.service.port -}} +{{- if and .Values.scanner.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.scanner.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.scanner.ingress.annotations "kubernetes.io/ingress.class" .Values.scanner.ingress.className}} {{- end }} {{- end }} {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} @@ -18,17 +18,17 @@ metadata: name: {{ $fullName }} labels: {{- include "scanner.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} + {{- with .Values.scanner.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} + {{- if and .Values.scanner.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.scanner.ingress.className }} {{- end }} - {{- if .Values.ingress.tls }} + {{- if .Values.scanner.ingress.tls }} tls: - {{- range .Values.ingress.tls }} + {{- range .Values.scanner.ingress.tls }} - hosts: {{- range .hosts }} - {{ . | quote }} @@ -37,7 +37,7 @@ spec: {{- end }} {{- end }} rules: - {{- range .Values.ingress.hosts }} + {{- range .Values.scanner.ingress.hosts }} - host: {{ .host | quote }} http: paths: 
diff --git a/charts/vaas/scanner/templates/pvc.yaml b/charts/vaas/templates/scanner/pvc.yaml similarity index 59% rename from charts/vaas/scanner/templates/pvc.yaml rename to charts/vaas/templates/scanner/pvc.yaml index 133ed72..005f1e0 100644 --- a/charts/vaas/scanner/templates/pvc.yaml +++ b/charts/vaas/templates/scanner/pvc.yaml @@ -1,4 +1,4 @@ -{{- if and (.Values.persistence.enabled) (eq .Values.persistence.accessMode "ReadWriteMany" ) }} +{{- if and (.Values.scanner.persistence.enabled) (eq .Values.scanner.persistence.accessMode "ReadWriteMany" ) }} kind: PersistentVolumeClaim apiVersion: v1 metadata: @@ -11,6 +11,6 @@ spec: - ReadWriteMany resources: requests: - storage: {{ .Values.persistence.size | quote }} - {{- include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) | nindent 2 }} + storage: {{ .Values.scanner.persistence.size | quote }} + {{- include "common.storage.class" (dict "persistence" .Values.scanner.persistence "global" .Values.scanner.global) | nindent 2 }} {{- end }} \ No newline at end of file diff --git a/charts/vaas/scanner/templates/secret.yaml b/charts/vaas/templates/scanner/secret.yaml similarity index 64% rename from charts/vaas/scanner/templates/secret.yaml rename to charts/vaas/templates/scanner/secret.yaml index 48fd329..78966ed 100644 --- a/charts/vaas/scanner/templates/secret.yaml +++ b/charts/vaas/templates/scanner/secret.yaml @@ -1,10 +1,10 @@ -{{- if .Values.imagePullSecrets }} +{{- if .Values.scanner.imagePullSecrets }} apiVersion: v1 kind: Secret metadata: name: scannerregistry namespace: {{ .Release.Namespace }} data: - .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" .Values.secret.dockerconfigjson }} + .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" .Values.scanner.secret.dockerconfigjson }} type: kubernetes.io/dockerconfigjson {{- end -}} \ No newline at end of file 
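Review bot: The `common.storage.class` include now passes `.Values.scanner.global` as `global`, but `global` is Helm's reserved top-level key shared with subcharts, and the new values.yaml (the `@@ -1,112 +1,181 @@` hunk) defines no `scanner.global`; the helper tests `.global` and then `.global.storageClass`, so a `global.storageClass` set by the operator is silently ignored from now on. `{{- include "common.storage.class" (dict "persistence" .Values.scanner.persistence "global" .Values.global) | nindent 2 }}` keeps the documented behaviour. The `volumeClaimTemplates` include in the statefulset.yaml `@@ -18,20 +18,20 @@` hunk has the same change.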
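Review bot: With the defaults this commit sets in values.yaml — `scanner.imagePullSecrets` containing `- name: scannerregistry` and `scanner.secret.dockerconfigjson: ""` — the `if` on the first line of secret.yaml is true and `required` fails on the empty string, so a plain `helm install` should abort unless a registry credential is supplied; either the default pull-secret list should be empty, or the Secret should be gated on the credential itself, `{{- if .Values.scanner.secret.dockerconfigjson }}`. The value is written under `data:`, so callers must pass it already base64-encoded; a comment above the key in values.yaml such as `# base64-encoded .dockerconfigjson for the private registry` would prevent a confusing failure. The Secret's name is fixed to `scannerregistry` while the pull-secret list is user-configurable, so the two can drift apart without a template error.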
diff --git a/charts/vaas/scanner/templates/service.yaml b/charts/vaas/templates/scanner/service.yaml similarity index 76% rename from charts/vaas/scanner/templates/service.yaml rename to charts/vaas/templates/scanner/service.yaml index 9bb8842..a1bed65 100644 --- a/charts/vaas/scanner/templates/service.yaml +++ b/charts/vaas/templates/scanner/service.yaml @@ -5,9 +5,9 @@ metadata: labels: {{- include "scanner.labels" . | nindent 4 }} spec: - type: {{ .Values.service.type }} + type: {{ .Values.scanner.service.type }} ports: - - port: {{ .Values.service.port }} + - port: {{ .Values.scanner.service.port }} targetPort: api protocol: TCP name: http diff --git a/charts/vaas/scanner/templates/servicemonitor.yaml b/charts/vaas/templates/scanner/servicemonitor.yaml similarity index 60% rename from charts/vaas/scanner/templates/servicemonitor.yaml rename to charts/vaas/templates/scanner/servicemonitor.yaml index ffa1813..2f033e1 100644 --- a/charts/vaas/scanner/templates/servicemonitor.yaml +++ b/charts/vaas/templates/scanner/servicemonitor.yaml @@ -1,4 +1,4 @@ -{{- if .Values.metrics.servicemonitor.enabled }} +{{- if .Values.scanner.metrics.servicemonitor.enabled }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: @@ -7,8 +7,8 @@ metadata: {{- include "scanner.labels" . | nindent 4 }} spec: endpoints: - - port: {{ .Values.metrics.servicemonitor.port | quote }} - path: {{ .Values.metrics.servicemonitor.path }} + - port: {{ .Values.scanner.metrics.servicemonitor.port | quote }} + path: {{ .Values.scanner.metrics.servicemonitor.path }} selector: matchLabels: {{- include "scanner.selectorLabels" . | nindent 8 }} diff --git a/charts/vaas/scanner/templates/statefulset.yaml b/charts/vaas/templates/scanner/statefulset.yaml similarity index 54% rename from charts/vaas/scanner/templates/statefulset.yaml rename to charts/vaas/templates/scanner/statefulset.yaml index dd0653e..ce9e8de 100644 --- a/charts/vaas/scanner/templates/statefulset.yaml 
+++ b/charts/vaas/templates/scanner/statefulset.yaml @@ -1,4 +1,4 @@ -{{- if and (.Values.persistence.enabled) (eq .Values.persistence.accessMode "ReadWriteOnce" ) }} +{{- if and (.Values.scanner.persistence.enabled) (eq .Values.scanner.persistence.accessMode "ReadWriteOnce" ) }} apiVersion: apps/v1 kind: StatefulSet metadata: @@ -7,8 +7,8 @@ metadata: {{- include "scanner.labels" . | nindent 4 }} spec: serviceName: {{ include "scanner.fullname" . }} - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + {{- if not .Values.scanner.autoscaling.enabled }} + replicas: {{ .Values.scanner.replicaCount }} {{- end }} selector: matchLabels: @@ -18,20 +18,20 @@ spec: name: samples spec: accessModes: [ "ReadWriteOnce" ] - {{- include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) | nindent 8 }} + {{- include "common.storage.class" (dict "persistence" .Values.scanner.persistence "global" .Values.scanner.global) | nindent 8 }} resources: requests: - storage: {{ .Values.persistence.size | quote }} + storage: {{ .Values.scanner.persistence.size | quote }} template: metadata: - {{- with .Values.podAnnotations }} + {{- with .Values.scanner.podAnnotations }} annotations: {{- toYaml . | nindent 8 }} {{- end }} labels: {{- include "scanner.selectorLabels" . | nindent 8 }} spec: - {{- with .Values.imagePullSecrets }} + {{- with .Values.scanner.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} 
@@ -40,23 +40,23 @@ spec: emptyDir: {} - name: scan-socket emptyDir: {} - {{- if .Values.client.containerSecurityContext.enabled }} + {{- if .Values.scanner.client.containerSecurityContext.enabled }} - name: client-tmp emptyDir: {} {{- end }} - {{- if .Values.server.containerSecurityContext.enabled }} + {{- if .Values.scanner.server.containerSecurityContext.enabled }} - name: server-var-log emptyDir: {} {{- end }} containers: - - name: {{ .Values.server.name }} + - name: {{ .Values.scanner.server.name }} env: - name: date value: "{{ now | unixEpoch }}" - image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.server.image.pullPolicy }} - {{- if .Values.server.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.server.containerSecurityContext "enabled" | toYaml | nindent 12 }} + image: "{{ .Values.scanner.server.image.repository }}:{{ .Values.scanner.server.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.scanner.server.image.pullPolicy }} + {{- if .Values.scanner.server.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.scanner.server.containerSecurityContext "enabled" | toYaml | nindent 12 }} {{- end }} volumeMounts: - name: server-tmp 
@@ -65,29 +65,29 @@ spec: mountPath: /tmp/scan - name: scan-socket mountPath: /var/share/run - {{- if .Values.server.containerSecurityContext.enabled }} + {{- if .Values.scanner.server.containerSecurityContext.enabled }} - name: server-var-log mountPath: /var/log {{- end }} resources: - {{- toYaml .Values.resources.server | nindent 12 }} - - name: {{ .Values.client.name }} - image: "{{ .Values.client.image.repository }}:{{ .Values.client.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.client.image.pullPolicy }} - {{- if .Values.client.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.client.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- toYaml .Values.scanner.resources.server | nindent 12 }} + - name: {{ .Values.scanner.client.name }} + image: "{{ .Values.scanner.client.image.repository }}:{{ .Values.scanner.client.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.scanner.client.image.pullPolicy }} + {{- if .Values.scanner.client.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.scanner.client.containerSecurityContext "enabled" | toYaml | nindent 12 }} {{- end }} volumeMounts: - name: samples mountPath: /tmp/scan - name: scan-socket mountPath: /var/share/run - {{- if .Values.client.containerSecurityContext.enabled }} + {{- if .Values.scanner.client.containerSecurityContext.enabled }} - name: client-tmp mountPath: /tmp {{- end }} resources: - {{- toYaml .Values.resources.client | nindent 12 }} + {{- toYaml .Values.scanner.resources.client | nindent 12 }} ports: - name: api containerPort: 8080 
@@ -104,16 +104,16 @@ spec: port: api initialDelaySeconds: 5 periodSeconds: 5 - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - {{- with .Values.nodeSelector }} + terminationGracePeriodSeconds: {{ .Values.scanner.terminationGracePeriodSeconds }} + {{- with .Values.scanner.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.scanner.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.scanner.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/charts/vaas/scanner/templates/update.yaml b/charts/vaas/templates/scanner/update.yaml similarity index 72% rename from charts/vaas/scanner/templates/update.yaml rename to charts/vaas/templates/scanner/update.yaml index 0de826d..a9b9236 100644 --- a/charts/vaas/scanner/templates/update.yaml +++ b/charts/vaas/templates/scanner/update.yaml @@ -1,4 +1,4 @@ -{{- if .Values.autoUpdate.enabled -}} +{{- if .Values.scanner.autoUpdate.enabled -}} kind: ServiceAccount apiVersion: v1 metadata: @@ -41,7 +41,7 @@ spec: successfulJobsHistoryLimit: 1 failedJobsHistoryLimit: 1 concurrencyPolicy: Forbid - schedule: "{{ .Values.autoUpdate.schedule }}" + schedule: "{{ .Values.scanner.autoUpdate.schedule }}" jobTemplate: spec: backoffLimit: 2 
@@ -54,26 +54,26 @@ spec: spec: serviceAccountName: update restartPolicy: Never - {{- with .Values.nodeSelector }} + {{- with .Values.scanner.nodeSelector }} nodeSelector: {{- toYaml . | nindent 12 }} {{- end }} containers: - name: kubectl - image: "{{ .Values.autoUpdate.image.registry }}/{{ .Values.autoUpdate.image.repository }}:{{ .Values.autoUpdate.image.tag }}" - {{- if .Values.autoUpdate.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.autoUpdate.containerSecurityContext "enabled" | toYaml | nindent 16 }} + image: "{{ .Values.scanner.autoUpdate.image.registry }}/{{ .Values.scanner.autoUpdate.image.repository }}:{{ .Values.scanner.autoUpdate.image.tag }}" + {{- if .Values.scanner.autoUpdate.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.scanner.autoUpdate.containerSecurityContext "enabled" | toYaml | nindent 16 }} {{- end }} command: - "kubectl" - "rollout" - "restart" -{{- if and (.Values.persistence.enabled) (eq .Values.persistence.accessMode "ReadWriteOnce" ) }} +{{- if and (.Values.scanner.persistence.enabled) (eq .Values.scanner.persistence.accessMode "ReadWriteOnce" ) }} - "statefulset/{{ include "scanner.fullname" . }}" {{- else }} - "deployment/{{ include "scanner.fullname" . }}" {{- end }} -{{- if .Values.autoUpdate.networkPolicy.enabled }} +{{- if .Values.scanner.autoUpdate.networkPolicy.enabled }} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy @@ -89,6 +89,6 @@ spec: ingress: [] egress: - ports: - - port: {{ .Values.autoUpdate.networkPolicy.k8sApiPort }} + - port: {{ .Values.scanner.autoUpdate.networkPolicy.k8sApiPort }} {{- end }} {{- end}} \ No newline at end of file diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml index 996d7c5..53fbc46 100644 --- a/charts/vaas/values.yaml +++ b/charts/vaas/values.yaml 
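Review bot: The CronJob's `image:` line resolves, with the values.yaml defaults in this commit (`autoUpdate.image.tag: latest`, `autoUpdate.enabled: true`), to `docker.io/bitnami/kubectl:latest`, and the container sets no `imagePullPolicy`; the job runs hourly under the `update` ServiceAccount and issues `kubectl rollout restart`, so whatever that floating tag points to at the time runs with rights over the scanner workload. Pin the default to a specific kubectl release, ideally by digest (`tag: "<pinned kubectl version>"` in values.yaml), and set `imagePullPolicy: IfNotPresent` beside the image. The NetworkPolicy at the end of the hunk limits egress to `k8sApiPort` only, which is the right shape for this job.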
@@ -1,112 +1,181 @@ -replicaCount: 1 -deploymentStrategy: "Recreate" -server: - name: server - image: - repository: ghcr.io/gdatasoftwareag/scanserver - pullPolicy: Always - tag: 1.8.0 +gateway: + ingress: + enabled: false + className: "" + annotations: {} + hosts: + - host: gateway.local + paths: + - path: / + pathType: ImplementationSpecific + service: + name: "" + port: 9090 + - host: upload.local + paths: + - path: / + pathType: ImplementationSpecific + service: + name: "" + port: 8080 + tls: [] + + secret: + dockerconfigjson: "" + + nameOverride: "" + fullnameOverride: "" + + networkPolicy: + enabled: false + ingress: [] + egress: [] + + service: + type: "" + http: + port: 8080 + ws: + port: 9090 + + metrics: + enabled: false + port: 8080 + path: /metrics + + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPU: 75 + metrics: + + podDisruptionBudget: + minAvailable: 1 + + replicaCount: 1 + revisionHistoryLimit: 1 + resources: + limits: + memory: 512Mi + requests: + cpu: 0.5 + memory: 256Mi + containerSecurityContext: enabled: false -client: - name: client + image: - repository: ghcr.io/gdatasoftwareag/scanclient + repository: ghcr.io/gdatasoftwareag/vaas/gateway pullPolicy: Always - tag: 1.8.0 - containerSecurityContext: - enabled: false -terminationGracePeriodSeconds: 30 + tag: latest -imagePullSecrets: - - name: scannerregistry + env: -nameOverride: "" -fullnameOverride: "" + imagePullSecrets: {} + podAnnotations: {} + nodeSelector: {} + tolerations: [] + affinity: {} + -podAnnotations: {} +scanner: + replicaCount: 1 + deploymentStrategy: "Recreate" + server: + name: server + image: + repository: ghcr.io/gdatasoftwareag/scanserver + pullPolicy: Always + tag: 1.8.0 + containerSecurityContext: + enabled: false + client: + name: client + image: + repository: ghcr.io/gdatasoftwareag/scanclient + pullPolicy: Always + tag: 1.8.0 + containerSecurityContext: + enabled: false + terminationGracePeriodSeconds: 30 -secret: - dockerconfigjson: "" 
+ imagePullSecrets: + - name: scannerregistry -service: - type: "" - port: 8080 + nameOverride: "" + fullnameOverride: "" -metrics: - servicemonitor: - enabled: false + podAnnotations: {} + + secret: + dockerconfigjson: "" + + service: + type: "" port: 8080 - path: /metrics -ingress: - enabled: false - className: "" - annotations: {} - hosts: - - host: scanner.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - -resources: - server: - limits: - memory: 2Gi - requests: - cpu: 2 - memory: 2Gi - client: - limits: - memory: 128Mi - requests: - cpu: 1 - memory: 128Mi - -autoscaling: - enabled: false - minReplicas: 2 - maxReplicas: 20 - targetCPU: 75 metrics: + servicemonitor: + enabled: false + port: 8080 + path: /metrics -nodeSelector: {} + ingress: + enabled: false + className: "" + annotations: {} + hosts: + - host: scanner.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + + resources: + server: + limits: + memory: 2Gi + requests: + cpu: 2 + memory: 2Gi + client: + limits: + memory: 128Mi + requests: + cpu: 1 + memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPU: 75 + metrics: -tolerations: [] + nodeSelector: {} -affinity: {} + tolerations: [] -persistence: - enabled: false - accessMode: ReadWriteOnce - memory: false - size: 5Gi - storageClass: "" + affinity: {} -autoUpdate: - image: - registry: docker.io - repository: bitnami/kubectl - tag: latest - containerSecurityContext: + persistence: enabled: false - enabled: true - # every hour - schedule: "0 * * * *" - networkPolicy: + accessMode: ReadWriteOnce + memory: false + size: 5Gi + storageClass: "" + + autoUpdate: + image: + registry: docker.io + repository: bitnami/kubectl + tag: latest + containerSecurityContext: + enabled: false enabled: true - k8sApiPort: 6443 - -# values.yaml -ingress: - hosts: - - name: host1.example.com - service: - name: service1 - port: 8080 - - name: host2.example.com - service: - name: service2 - 
port: 9090 - + # every hour + schedule: "0 * * * *" + networkPolicy: + enabled: true + k8sApiPort: 6443 From 24fae14ab096e11d217dc8a86eb54b4aab25ac69 Mon Sep 17 00:00:00 2001 
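Review bot: `gateway.imagePullSecrets: {}` is a mapping while `scanner.imagePullSecrets` (and the Kubernetes field) is a list of `- name:` entries; an empty map renders nothing under `{{- with ... }}`, but a user who copies the scanner shape into the gateway key gets a map where a list is expected, so `imagePullSecrets: []` is the safer default. `gateway.env:`, `gateway.autoscaling.metrics:` and `scanner.autoscaling.metrics:` are bare keys that parse as null; `[]` or `{}` makes the intended empty type explicit. The gateway templates that consume these keys are not in this patch, so the `with` behaviour is inferred from the scanner templates.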
From: PT-ATA No One Date: Thu, 14 Dec 2023 11:11:24 +0100 Subject: [PATCH 06/25] move yamls to correct folder --- .gitignore | 3 +- Chart.lock | 9 + Chart.yaml | 17 ++ charts/vaas/Chart.yaml | 6 - charts/vaas/gateway/.helmignore | 23 --- .../vaas/templates/gateway/networkpolicy.yaml | 94 --------- charts/vaas/templates/scanner/_helpers.tpl | 99 ---------- charts/vaas/templates/scanner/deployment.yaml | 110 ----------- charts/vaas/templates/scanner/hpa.yaml | 30 --- charts/vaas/templates/scanner/ingress.yaml | 61 ------ charts/vaas/templates/scanner/pvc.yaml | 16 -- charts/vaas/templates/scanner/service.yaml | 15 -- .../templates/scanner/servicemonitor.yaml | 15 -- .../vaas/templates/scanner/statefulset.yaml | 120 ------------ charts/vaas/templates/scanner/update.yaml | 94 --------- charts/vaas/values.yaml | 181 ------------------ .../templates => templates}/gateway/NOTES.txt | 0 .../gateway/_helpers.tpl | 34 +--- .../gateway/ingress.yaml | 15 +- templates/gateway/networkpolicy.yaml | 28 +++ .../gateway/poddisruptionbudget.yaml | 1 - .../scanner => templates/gateway}/secret.yaml | 6 +- .../gateway/service.yaml | 0 .../gateway/servicemonitor.yaml | 0 .../gateway/statefulset.yaml | 6 +- values.yaml | 122 ++++++++++++ 26 files changed, 196 insertions(+), 909 deletions(-) create mode 100644 Chart.lock create mode 100644 Chart.yaml delete mode 100644 charts/vaas/Chart.yaml delete mode 100644 charts/vaas/gateway/.helmignore delete mode 100644 charts/vaas/templates/gateway/networkpolicy.yaml delete mode 100644 charts/vaas/templates/scanner/_helpers.tpl delete mode 100644 charts/vaas/templates/scanner/deployment.yaml delete mode 100644 charts/vaas/templates/scanner/hpa.yaml delete mode 100644 charts/vaas/templates/scanner/ingress.yaml delete mode 100644 charts/vaas/templates/scanner/pvc.yaml delete mode 100644 charts/vaas/templates/scanner/service.yaml delete mode 100644 charts/vaas/templates/scanner/servicemonitor.yaml delete mode 100644 
charts/vaas/templates/scanner/statefulset.yaml
delete mode 100644 charts/vaas/templates/scanner/update.yaml
delete mode 100644 charts/vaas/values.yaml
rename {charts/vaas/templates => templates}/gateway/NOTES.txt (100%)
rename {charts/vaas/templates => templates}/gateway/_helpers.tpl (71%)
rename {charts/vaas/templates => templates}/gateway/ingress.yaml (90%)
create mode 100644 templates/gateway/networkpolicy.yaml
rename {charts/vaas/templates => templates}/gateway/poddisruptionbudget.yaml (98%)
rename {charts/vaas/templates/scanner => templates/gateway}/secret.yaml (57%)
rename {charts/vaas/templates => templates}/gateway/service.yaml (100%)
rename {charts/vaas/templates => templates}/gateway/servicemonitor.yaml (100%)
rename {charts/vaas/templates => templates}/gateway/statefulset.yaml (90%)
create mode 100644 values.yaml
diff --git a/.gitignore b/.gitignore
index 1dee038..be359b5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 .idea/
 .vscode/
 *.log
-*-locale.yaml
\ No newline at end of file
+*-locale.yaml
+*.tgz
\ No newline at end of file
diff --git a/Chart.lock b/Chart.lock
new file mode 100644
index 0000000..414e086
--- /dev/null
+++ b/Chart.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: redis
+ repository: https://charts.bitnami.com/bitnami
+ version: 18.1.5
+- name: gdscan
+ repository: https://gdatasoftwareag.github.io/gdscan/
+ version: 1.4.2
+digest: sha256:51e3b55c0a6db37616d9111b7f10212ee76b34e9650df2ea8d20c1f505cdc45d
+generated: "2023-12-07T11:20:19.544076537+01:00"
diff --git a/Chart.yaml b/Chart.yaml
new file mode 100644
index 0000000..07afefe
--- /dev/null
+++ b/Chart.yaml
@@ -0,0 +1,17 @@
+apiVersion: v2
+name: vaas
+version: 1.0.0
+description: Deployment of a Verdict-as-a-Service on-premise instance
+maintainers:
+ - name: G DATA CyberDefense AG
+ email: oem@gdata.de
+type: application
+dependencies:
+ - name: redis
+ version: 18.1.5
+ condition: redis.enabled
+ repository: https://charts.bitnami.com/bitnami
+ - name: gdscan
+ version: 1.4.2
+ condition: gdscan.enabled
+ repository: https://gdatasoftwareag.github.io/gdscan/
\ No newline at end of file
diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml
deleted file mode 100644
index a7f3e7a..0000000
--- a/charts/vaas/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v2
-name: vaas
-description: A Helm chart for Kubernetes
-type: application
-version: 0.1.0
-appVersion: "1.16.0"
diff --git a/charts/vaas/gateway/.helmignore b/charts/vaas/gateway/.helmignore
deleted file mode 100644
index 0e8a0eb..0000000
--- a/charts/vaas/gateway/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/vaas/templates/gateway/networkpolicy.yaml b/charts/vaas/templates/gateway/networkpolicy.yaml
deleted file mode 100644
index f4d6897..0000000
--- a/charts/vaas/templates/gateway/networkpolicy.yaml
+++ /dev/null
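Review bot: The new top-level Chart.yaml carries no `appVersion`, although templates in this series use `.Chart.AppVersion` both as the image-tag fallback (statefulset.yaml, `| default .Chart.AppVersion`) and, guarded by `if .Chart.AppVersion`, for the `app.kubernetes.io/version` label in the helpers; with it absent the tag fallback yields an empty tag and the label is dropped. The scanner templates are removed in this same commit, so whether the renamed gateway templates keep that pattern is inferred rather than visible; if they do, add `appVersion: "<gateway image version>"`. The only `.helmignore` in the repo (charts/vaas/gateway/.helmignore) is deleted here and none is created at the new chart root per the diffstat, so `helm package` will bundle `.git/`, `.idea/` and similar into the chart archive.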
@@ -1,94 +0,0 @@ -#TODO: Check if working -{{- if .Values.gateway.networkPolicy.enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "gateway.fullname" . }} - labels: - {{- include "gateway.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - policyTypes: - - Ingress - - Egress - {{- if .Values.gateway.networkPolicy.ingress }} - ingress: - {{- range .Values.gateway.networkPolicy.ingress }} - - from: - {{- range .blocks }} - - ipBlock: - cidr: {{ . }} - {{- end }} - {{- range .pods }} - - podSelector: - matchLabels: - {{- with .instance }} - app.kubernetes.io/instance: {{ . }} - {{- end }} - {{- with .name }} - app.kubernetes.io/name: {{ . }} - {{- end }} - {{- if .namespace }} - namespaceSelector: {{ .namespace }} - {{- else }} - namespaceSelector: {} - {{- end }} - {{- end }} - {{- range .namespaces }} - - namespaceSelector: {{- toYaml . | nindent 10 }} - {{- end }} - {{- if .ports }} - ports: - {{- range .ports.tcp }} - - protocol: TCP - port: {{ . }} - {{- end }} - {{- range .ports.udp }} - - protocol: UDP - port: {{ . }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.gateway.networkPolicy.egress }} - egress: - {{ range .Values.networkPolicy.egress }} - - to: - {{- range .blocks }} - - ipBlock: - cidr: {{ . }} - {{- end }} - {{- range .pods }} - - podSelector: - matchLabels: - {{- with .instance }} - app.kubernetes.io/instance: {{ . }} - {{- end }} - {{- with .name }} - app.kubernetes.io/name: {{ . }} - {{- end }} - {{- if .namespace }} - namespaceSelector: {{ .namespace }} - {{- else }} - namespaceSelector: {} - {{- end }} - {{- end }} - {{- range .namespaces }} - - namespaceSelector: {{- toYaml . | nindent 10 }} - {{- end }} - {{- if .ports }} - ports: - {{- range .ports.tcp }} - - protocol: TCP - port: {{ . }} - {{- end }} - {{- range .ports.udp }} - - protocol: UDP - port: {{ . 
}}
- {{- end }}
- {{- end }}
- {{- end }}
- {{- end }}
-{{- end }}
diff --git a/charts/vaas/templates/scanner/_helpers.tpl b/charts/vaas/templates/scanner/_helpers.tpl
deleted file mode 100644
index c935fac..0000000
--- a/charts/vaas/templates/scanner/_helpers.tpl
+++ /dev/null
@@ -1,99 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "scanner.name" -}} -{{- default .Chart.Name .Values.scanner.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "scanner.fullname" -}} -{{- if .Values.scanner.fullnameOverride }} -{{- .Values.scanner.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.scanner.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "scanner.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "scanner.labels" -}} -helm.sh/chart: {{ include "scanner.chart" . }} -{{ include "scanner.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "scanner.selectorLabels" -}} -app.kubernetes.io/name: {{ include "scanner.name" . 
}} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{- define "common.tplvalues.render" -}} - {{- if typeIs "string" .value }} - {{- tpl .value .context }} - {{- else }} - {{- tpl (.value | toYaml) .context }} - {{- end }} -{{- end -}} - -{{- define "common.names.fullname" -}} -{{- if .Values.scanner.fullnameOverride -}} -{{- .Values.scanner.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.scanner.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "vaas.claimName" -}} -{{- if and .Values.scanner.persistence.existingClaim }} - {{- printf "%s" (tpl .Values.scanner.persistence.existingClaim $) -}} -{{- else -}} - {{- printf "%s" (include "common.names.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{- define "common.storage.class" -}} - -{{- $storageClass := .persistence.storageClass -}} -{{- if .global -}} - {{- if .global.storageClass -}} - {{- $storageClass = .global.storageClass -}} - {{- end -}} -{{- end -}} - -{{- if $storageClass -}} - {{- if (eq "-" $storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" $storageClass -}} - {{- end -}} -{{- end -}} - -{{- end -}} \ No newline at end of file diff --git a/charts/vaas/templates/scanner/deployment.yaml b/charts/vaas/templates/scanner/deployment.yaml deleted file mode 100644 index cf54960..0000000 --- a/charts/vaas/templates/scanner/deployment.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ -{{- if or (.Values.scanner.persistence.enabled | not) (eq .Values.scanner.persistence.accessMode "ReadWriteMany" ) }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "scanner.fullname" . }} - labels: - {{- include "scanner.labels" . | nindent 4 }} -spec: - strategy: - type: {{ .Values.scanner.deploymentStrategy }} - {{- if not .Values.scanner.autoscaling.enabled }} - replicas: {{ .Values.scanner.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "scanner.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.scanner.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "scanner.selectorLabels" . | nindent 8 }} - spec: - volumes: - - name: samples - {{- if .Values.scanner.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "vaas.claimName" . }} - {{- else }} - emptyDir: - sizeLimit: {{ .Values.scanner.persistence.size | quote }} - {{- if .Values.scanner.persistence.memory }} - medium : "Memory" - {{- end }} - {{- end }} - - name: scan-socket - emptyDir: {} - {{- if .Values.scanner.client.containerSecurityContext.enabled }} - - name: client-tmp - emptyDir: {} - {{- end }} - {{- with .Values.scanner.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . 
| nindent 8 }} - {{- end }} - containers: - - name: {{ .Values.scanner.server.name }} - env: - - name: date - value: "{{ now | unixEpoch }}" - image: '{{ .Values.scanner.server.image.repository }}:{{ .Values.scanner.server.image.tag | default "latest" }}' - imagePullPolicy: {{ .Values.scanner.server.image.pullPolicy }} - volumeMounts: - - name: samples - mountPath: /tmp/scan - - name: scan-socket - mountPath: /var/share/run - - name: server-var-log - mountPath: /var/log - resources: - {{- toYaml .Values.scanner.resources.server | nindent 12 }} - - name: {{ .Values.scanner.client.name }} - image: '{{ .Values.scanner.client.image.repository }}:{{ .Values.scanner.client.image.tag | default "latest" }}' - imagePullPolicy: {{ .Values.scanner.client.image.pullPolicy }} - {{- if .Values.scanner.client.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.scanner.client.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: samples - mountPath: /tmp/scan - - name: scan-socket - mountPath: /var/share/run - {{- if .Values.scanner.client.containerSecurityContext.enabled }} - - name: client-tmp - mountPath: /tmp - {{- end }} - resources: - {{- toYaml .Values.scanner.resources.client | nindent 12 }} - ports: - - name: api - containerPort: 8080 - protocol: TCP - livenessProbe: - httpGet: - path: /health - port: api - initialDelaySeconds: 5 - periodSeconds: 5 - readinessProbe: - httpGet: - path: /health - port: api - initialDelaySeconds: 5 - periodSeconds: 5 - terminationGracePeriodSeconds: {{ .Values.scanner.terminationGracePeriodSeconds }} - {{- with .Values.scanner.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.scanner.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.scanner.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end }} \ No newline at end of file 
diff --git a/charts/vaas/templates/scanner/hpa.yaml b/charts/vaas/templates/scanner/hpa.yaml deleted file mode 100644 index 7f9d9ec..0000000 --- a/charts/vaas/templates/scanner/hpa.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if and .Values.scanner.autoscaling.enabled }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "scanner.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "scanner.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - {{- if and (.Values.scanner.persistence.enabled) (eq .Values.scanner.persistence.accessMode "ReadWriteOnce" ) }} - kind: StatefulSet - {{- else }} - kind: Deployment - {{- end }} - name: {{ include "scanner.fullname" . }} - minReplicas: {{ .Values.scanner.autoscaling.minReplicas }} - maxReplicas: {{ .Values.scanner.autoscaling.maxReplicas }} - {{- if .Values.scanner.autoscaling.metrics }} - metrics: {{- toYaml .Values.scanner.autoscaling.metrics | nindent 4 }} - {{- else }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.scanner.autoscaling.targetCPU }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/vaas/templates/scanner/ingress.yaml b/charts/vaas/templates/scanner/ingress.yaml deleted file mode 100644 index a8b6d46..0000000 --- a/charts/vaas/templates/scanner/ingress.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -{{- if .Values.scanner.ingress.enabled -}} -{{- $fullName := include "scanner.fullname" . -}} -{{- $svcPort := .Values.scanner.service.port -}} -{{- if and .Values.scanner.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.scanner.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.scanner.ingress.annotations "kubernetes.io/ingress.class" .Values.scanner.ingress.className}} - {{- end }} -{{- end }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "scanner.labels" . | nindent 4 }} - {{- with .Values.scanner.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if and .Values.scanner.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.scanner.ingress.className }} - {{- end }} - {{- if .Values.scanner.ingress.tls }} - tls: - {{- range .Values.scanner.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} - rules: - {{- range .Values.scanner.ingress.hosts }} - - host: {{ .host | quote }} - http: - paths: - {{- range .paths }} - - path: {{ .path }} - {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} - pathType: {{ .pathType }} - {{- end }} - backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} - service: - name: {{ $fullName }} - port: - number: {{ $svcPort }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} 
diff --git a/charts/vaas/templates/scanner/pvc.yaml b/charts/vaas/templates/scanner/pvc.yaml deleted file mode 100644 index 005f1e0..0000000 --- a/charts/vaas/templates/scanner/pvc.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if and (.Values.scanner.persistence.enabled) (eq .Values.scanner.persistence.accessMode "ReadWriteMany" ) }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - {{- include "scanner.selectorLabels" . | nindent 4 }} -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: {{ .Values.scanner.persistence.size | quote }} - {{- include "common.storage.class" (dict "persistence" .Values.scanner.persistence "global" .Values.scanner.global) | nindent 2 }} -{{- end }} \ No newline at end of file diff --git a/charts/vaas/templates/scanner/service.yaml b/charts/vaas/templates/scanner/service.yaml deleted file mode 100644 index a1bed65..0000000 --- a/charts/vaas/templates/scanner/service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "scanner.fullname" . }} - labels: - {{- include "scanner.labels" . | nindent 4 }} -spec: - type: {{ .Values.scanner.service.type }} - ports: - - port: {{ .Values.scanner.service.port }} - targetPort: api - protocol: TCP - name: http - selector: - {{- include "scanner.selectorLabels" . | nindent 4 }} diff --git a/charts/vaas/templates/scanner/servicemonitor.yaml b/charts/vaas/templates/scanner/servicemonitor.yaml deleted file mode 100644 index 2f033e1..0000000 --- a/charts/vaas/templates/scanner/servicemonitor.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -{{- if .Values.scanner.metrics.servicemonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "scanner.fullname" . }} - labels: - {{- include "scanner.labels" . | nindent 4 }} -spec: - endpoints: - - port: {{ .Values.scanner.metrics.servicemonitor.port | quote }} - path: {{ .Values.scanner.metrics.servicemonitor.path }} - selector: - matchLabels: - {{- include "scanner.selectorLabels" . | nindent 8 }} -{{- end }} \ No newline at end of file diff --git a/charts/vaas/templates/scanner/statefulset.yaml b/charts/vaas/templates/scanner/statefulset.yaml deleted file mode 100644 index ce9e8de..0000000 --- a/charts/vaas/templates/scanner/statefulset.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -{{- if and (.Values.scanner.persistence.enabled) (eq .Values.scanner.persistence.accessMode "ReadWriteOnce" ) }} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "scanner.fullname" . }} - labels: - {{- include "scanner.labels" . | nindent 4 }} -spec: - serviceName: {{ include "scanner.fullname" . }} - {{- if not .Values.scanner.autoscaling.enabled }} - replicas: {{ .Values.scanner.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "scanner.selectorLabels" . | nindent 6 }} - volumeClaimTemplates: - - metadata: - name: samples - spec: - accessModes: [ "ReadWriteOnce" ] - {{- include "common.storage.class" (dict "persistence" .Values.scanner.persistence "global" .Values.scanner.global) | nindent 8 }} - resources: - requests: - storage: {{ .Values.scanner.persistence.size | quote }} - template: - metadata: - {{- with .Values.scanner.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "scanner.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.scanner.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . 
| nindent 8 }} - {{- end }} - volumes: - - name: server-tmp - emptyDir: {} - - name: scan-socket - emptyDir: {} - {{- if .Values.scanner.client.containerSecurityContext.enabled }} - - name: client-tmp - emptyDir: {} - {{- end }} - {{- if .Values.scanner.server.containerSecurityContext.enabled }} - - name: server-var-log - emptyDir: {} - {{- end }} - containers: - - name: {{ .Values.scanner.server.name }} - env: - - name: date - value: "{{ now | unixEpoch }}" - image: "{{ .Values.scanner.server.image.repository }}:{{ .Values.scanner.server.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.scanner.server.image.pullPolicy }} - {{- if .Values.scanner.server.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.scanner.server.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: server-tmp - mountPath: /tmp - - name: samples - mountPath: /tmp/scan - - name: scan-socket - mountPath: /var/share/run - {{- if .Values.scanner.server.containerSecurityContext.enabled }} - - name: server-var-log - mountPath: /var/log - {{- end }} - resources: - {{- toYaml .Values.scanner.resources.server | nindent 12 }} - - name: {{ .Values.scanner.client.name }} - image: "{{ .Values.scanner.client.image.repository }}:{{ .Values.scanner.client.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.scanner.client.image.pullPolicy }} - {{- if .Values.scanner.client.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.scanner.client.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: samples - mountPath: /tmp/scan - - name: scan-socket - mountPath: /var/share/run - {{- if .Values.scanner.client.containerSecurityContext.enabled }} - - name: client-tmp - mountPath: /tmp - {{- end }} - resources: - {{- toYaml .Values.scanner.resources.client | nindent 12 }} - ports: - - name: api - containerPort: 8080 - protocol: TCP - livenessProbe: - 
httpGet: - path: /health - port: api - initialDelaySeconds: 5 - periodSeconds: 5 - readinessProbe: - httpGet: - path: /health - port: api - initialDelaySeconds: 5 - periodSeconds: 5 - terminationGracePeriodSeconds: {{ .Values.scanner.terminationGracePeriodSeconds }} - {{- with .Values.scanner.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.scanner.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.scanner.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/vaas/templates/scanner/update.yaml b/charts/vaas/templates/scanner/update.yaml deleted file mode 100644 index a9b9236..0000000 --- a/charts/vaas/templates/scanner/update.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -{{- if .Values.scanner.autoUpdate.enabled -}} -kind: ServiceAccount -apiVersion: v1 -metadata: - name: update - namespace: "{{ .Release.Namespace }}" ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: update - namespace: "{{ .Release.Namespace }}" -rules: - - apiGroups: ["apps", "extensions"] - resources: ["deployments", "statefulsets"] - resourceNames: [{{ include "scanner.fullname" . }}] - verbs: - ["get", "patch", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: update - namespace: "{{ .Release.Namespace }}" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: update -subjects: - - kind: ServiceAccount - name: update - namespace: "{{ .Release.Namespace }}" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: update - namespace: "{{ .Release.Namespace }}" -spec: - startingDeadlineSeconds: 300 - successfulJobsHistoryLimit: 1 - failedJobsHistoryLimit: 1 - concurrencyPolicy: Forbid - schedule: "{{ .Values.scanner.autoUpdate.schedule }}" - jobTemplate: - spec: - backoffLimit: 2 - activeDeadlineSeconds: 600 - template: - metadata: - labels: - app.kubernetes.io/name: update - app.kubernetes.io/namespace: "{{ .Release.Namespace }}" - spec: - serviceAccountName: update - restartPolicy: Never - {{- with .Values.scanner.nodeSelector }} - nodeSelector: - {{- toYaml . 
| nindent 12 }} - {{- end }} - containers: - - name: kubectl - image: "{{ .Values.scanner.autoUpdate.image.registry }}/{{ .Values.scanner.autoUpdate.image.repository }}:{{ .Values.scanner.autoUpdate.image.tag }}" - {{- if .Values.scanner.autoUpdate.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.scanner.autoUpdate.containerSecurityContext "enabled" | toYaml | nindent 16 }} - {{- end }} - command: - - "kubectl" - - "rollout" - - "restart" -{{- if and (.Values.scanner.persistence.enabled) (eq .Values.scanner.persistence.accessMode "ReadWriteOnce" ) }} - - "statefulset/{{ include "scanner.fullname" . }}" -{{- else }} - - "deployment/{{ include "scanner.fullname" . }}" -{{- end }} -{{- if .Values.scanner.autoUpdate.networkPolicy.enabled }} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: "{{ .Release.Name }}-update" -spec: - podSelector: - matchLabels: - app.kubernetes.io/name: update - app.kubernetes.io/namespace: {{ .Release.Namespace }} - policyTypes: - - Egress - ingress: [] - egress: - - ports: - - port: {{ .Values.scanner.autoUpdate.networkPolicy.k8sApiPort }} -{{- end }} -{{- end}} \ No newline at end of file diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml deleted file mode 100644 index 53fbc46..0000000 --- a/charts/vaas/values.yaml +++ /dev/null 
@@ -1,181 +0,0 @@ -gateway: - ingress: - enabled: false - className: "" - annotations: {} - hosts: - - host: gateway.local - paths: - - path: / - pathType: ImplementationSpecific - service: - name: "" - port: 9090 - - host: upload.local - paths: - - path: / - pathType: ImplementationSpecific - service: - name: "" - port: 8080 - tls: [] - - secret: - dockerconfigjson: "" - - nameOverride: "" - fullnameOverride: "" - - networkPolicy: - enabled: false - ingress: [] - egress: [] - - service: - type: "" - http: - port: 8080 - ws: - port: 9090 - - metrics: - enabled: false - port: 8080 - path: /metrics - - autoscaling: - enabled: false - minReplicas: 2 - maxReplicas: 20 - targetCPU: 75 - metrics: - - podDisruptionBudget: - minAvailable: 1 - - replicaCount: 1 - revisionHistoryLimit: 1 - resources: - limits: - memory: 512Mi - requests: - cpu: 0.5 - memory: 256Mi - - containerSecurityContext: - enabled: false - - image: - repository: ghcr.io/gdatasoftwareag/vaas/gateway - pullPolicy: Always - tag: latest - - env: - - imagePullSecrets: {} - podAnnotations: {} - nodeSelector: {} - tolerations: [] - affinity: {} - - -scanner: - replicaCount: 1 - deploymentStrategy: "Recreate" - server: - name: server - image: - repository: ghcr.io/gdatasoftwareag/scanserver - pullPolicy: Always - tag: 1.8.0 - containerSecurityContext: - enabled: false - client: - name: client - image: - repository: ghcr.io/gdatasoftwareag/scanclient - pullPolicy: Always - tag: 1.8.0 - containerSecurityContext: - enabled: false - terminationGracePeriodSeconds: 30 - - imagePullSecrets: - - name: scannerregistry - - nameOverride: "" - fullnameOverride: "" - - podAnnotations: {} - - secret: - dockerconfigjson: "" - - service: - type: "" - port: 8080 - - metrics: - servicemonitor: - enabled: false - port: 8080 - path: /metrics - - ingress: - enabled: false - className: "" - annotations: {} - hosts: - - host: scanner.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - - resources: - server: - 
limits: - memory: 2Gi - requests: - cpu: 2 - memory: 2Gi - client: - limits: - memory: 128Mi - requests: - cpu: 1 - memory: 128Mi - - autoscaling: - enabled: false - minReplicas: 2 - maxReplicas: 20 - targetCPU: 75 - metrics: - - nodeSelector: {} - - tolerations: [] - - affinity: {} - - persistence: - enabled: false - accessMode: ReadWriteOnce - memory: false - size: 5Gi - storageClass: "" - - autoUpdate: - image: - registry: docker.io - repository: bitnami/kubectl - tag: latest - containerSecurityContext: - enabled: false - enabled: true - # every hour - schedule: "0 * * * *" - networkPolicy: - enabled: true - k8sApiPort: 6443 diff --git a/charts/vaas/templates/gateway/NOTES.txt b/templates/gateway/NOTES.txt similarity index 100% rename from charts/vaas/templates/gateway/NOTES.txt rename to templates/gateway/NOTES.txt diff --git a/charts/vaas/templates/gateway/_helpers.tpl b/templates/gateway/_helpers.tpl similarity index 71% rename from charts/vaas/templates/gateway/_helpers.tpl rename to templates/gateway/_helpers.tpl index 30f6a52..a6c436e 100644 --- a/charts/vaas/templates/gateway/_helpers.tpl +++ b/templates/gateway/_helpers.tpl 
@@ -50,35 +50,14 @@ app.kubernetes.io/name: {{ include "gateway.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} -{{/* -Create the name of the service account to use -*/}} -{{- define "gateway.serviceAccountName" -}} -{{- if .Values.gateway.serviceAccount.create }} -{{- default (include "gateway.fullname" .) .Values.gateway.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.gateway.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -Extracts environment variables from values.yaml and returns a list of key-value pairs. -*/}} -{{- define "gateway.extractEnvVars" -}} - {{- $envVars := .Values.gateway.env | default (list) -}} - {{- $result := list -}} - {{- range $envVars -}} - {{- $key := .name -}} - {{- $value := .value -}} - {{- $result = $result | append (list $key $value) -}} - {{- end -}} - {{- $result -}} -{{- end -}} - {{/* Create environment variables to configure gateway container. */}} {{- define "gateway.env" }} +- name: Authentication__Schemes__Bearer__Authority + value: {{.Values.gateway.authentication.authority}} +- name: Upload__Endpoint + value: {{.Values.gateway.uploadUrl}} {{- if .Values.gateway.cloudhashlookup.enabled }} - name: VerdictAsAService__Url value: {{ .Values.gateway.options.url | quote }} @@ -89,9 +68,6 @@ Create environment variables to configure gateway container. - name: VerdictAsAService__Credentials__ClientId value: {{ .Values.gateway.options.credentials.clientid | quote }} - name: VerdictAsAService__Credentials__ClientSecret - {{ toYaml .Values.gateway.options.credentials.clientsecret }} -{{- end }} -{{- if .Values.gateway.env }} -{{ toYaml .Values.gateway.env }} + {{ toYaml .Values.gateway.options.credentials.clientsecret }} {{- end }} {{- end }} \ No newline at end of file 
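Review bot: The two env entries added at the top of `gateway.env` interpolate their values unquoted, `value: {{.Values.gateway.authentication.authority}}` and `value: {{.Values.gateway.uploadUrl}}`, while the neighbouring `VerdictAsAService__Url` line in the same define uses `| quote`. With the default `authentication.authority: ""` from the values.yaml in this patch the rendered line is `value:` with nothing after it, which YAML reads as null rather than an empty string, and a URL containing `: ` or a leading indicator character would mis-parse the same way. Quote both: `value: {{ .Values.gateway.authentication.authority | quote }}` and `value: {{ .Values.gateway.uploadUrl | quote }}`. The second hunk also removes the `{{- if .Values.gateway.env }}` passthrough, so any extra env vars a deployment previously supplied through `gateway.env` are now dropped silently; if that is intended it deserves a line in the chart notes.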
diff --git a/charts/vaas/templates/gateway/ingress.yaml b/templates/gateway/ingress.yaml similarity index 90% rename from charts/vaas/templates/gateway/ingress.yaml rename to templates/gateway/ingress.yaml index 53ec956..1d8f5e7 100644 --- a/charts/vaas/templates/gateway/ingress.yaml +++ b/templates/gateway/ingress.yaml @@ -1,4 +1,3 @@ -#TODO: Check if Values in range are correct {{- if .Values.gateway.ingress.enabled -}} {{- $fullName := include "gateway.fullname" . -}} {{- if and .Values.gateway.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} @@ -30,7 +29,7 @@ spec: tls: {{- range .Values.gateway.ingress.tls }} - hosts: - {{- range .hosts }} + {{- range .hosts }} - {{ . | quote }} {{- end }} secretName: {{ .secretName }} @@ -41,9 +40,10 @@ spec: - host: {{ .host | quote }} http: paths: - - path: {{ .paths }} + {{- range .paths }} + - path: {{ .path }} {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} - pathType: {{ .pathtype }} + pathType: {{ .pathType }} {{- end }} backend: {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} @@ -54,6 +54,7 @@ spec: {{- else }} serviceName: {{ .service.name }} servicePort: {{ .service.port }} - {{- end }} - {{- end }} -{{- end }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/gateway/networkpolicy.yaml b/templates/gateway/networkpolicy.yaml new file mode 100644 index 0000000..01766a6 --- /dev/null +++ b/templates/gateway/networkpolicy.yaml 
@@ -0,0 +1,28 @@ +{{- if .Values.gateway.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "gateway.fullname" . }} + labels: + {{- include "gateway.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + - Egress + ingress: + - from: + ports: + - port: 8080 # Http + - port: 9090 # Websocket + egress: + - to: + ports: + - port: 443 # VerdictRequestForUrl + - port: 80 # VerdictRequestForUrl + - port: 6379 # Redis + - port: 8080 # GdScan + - port: 9090 # Cloud Gateway +{{- end }} \ No newline at end of file diff --git a/charts/vaas/templates/gateway/poddisruptionbudget.yaml b/templates/gateway/poddisruptionbudget.yaml similarity index 98% rename from charts/vaas/templates/gateway/poddisruptionbudget.yaml rename to templates/gateway/poddisruptionbudget.yaml index 4097959..3bab721 100644 --- a/charts/vaas/templates/gateway/poddisruptionbudget.yaml +++ b/templates/gateway/poddisruptionbudget.yaml @@ -1,4 +1,3 @@ ---- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: diff --git a/charts/vaas/templates/scanner/secret.yaml b/templates/gateway/secret.yaml similarity index 57% rename from charts/vaas/templates/scanner/secret.yaml rename to templates/gateway/secret.yaml index 78966ed..5aed631 100644 --- a/charts/vaas/templates/scanner/secret.yaml +++ b/templates/gateway/secret.yaml 
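Review bot: The egress block of the new NetworkPolicy lists only TCP ports (protocol defaults to TCP), so once `policyTypes: - Egress` is in effect the gateway pod cannot reach a resolver on UDP/TCP 53, yet the values.yaml created in this same patch points it at `http://gdscan:8080/scan/body` and a `redis` service by name. Add a DNS rule next to the existing port list, as below. Separately, `- from:` and `- to:` carry no value, so each rule's peer list is null and the rule matches any source or destination on those ports; if port-only filtering is the intent, drop the empty keys and say so in a comment, otherwise populate them with `podSelector`/`namespaceSelector` entries.
```yaml
  egress:
    - to:
      ports:
        # … unchanged: 443, 80, 6379, 8080, 9090 entries …
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```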
@@ -1,10 +1,10 @@ -{{- if .Values.scanner.imagePullSecrets }} +{{- if .Values.gateway.imagePullSecrets }} apiVersion: v1 kind: Secret metadata: - name: scannerregistry + name: registry namespace: {{ .Release.Namespace }} data: - .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" .Values.scanner.secret.dockerconfigjson }} + .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" .Values.secret.dockerconfigjson }} type: kubernetes.io/dockerconfigjson {{- end -}} \ No newline at end of file diff --git a/charts/vaas/templates/gateway/service.yaml b/templates/gateway/service.yaml similarity index 100% rename from charts/vaas/templates/gateway/service.yaml rename to templates/gateway/service.yaml diff --git a/charts/vaas/templates/gateway/servicemonitor.yaml b/templates/gateway/servicemonitor.yaml similarity index 100% rename from charts/vaas/templates/gateway/servicemonitor.yaml rename to templates/gateway/servicemonitor.yaml diff --git a/charts/vaas/templates/gateway/statefulset.yaml b/templates/gateway/statefulset.yaml similarity index 90% rename from charts/vaas/templates/gateway/statefulset.yaml rename to templates/gateway/statefulset.yaml index 05802c9..a0ad014 100644 --- a/charts/vaas/templates/gateway/statefulset.yaml +++ b/templates/gateway/statefulset.yaml @@ -27,19 +27,17 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} volumes: - {{- if .Values.gateway.containerSecurityContext.enabled }} - name: gateway-tmp emptyDir: {} - {{- end }} containers: - name: {{ include "gateway.name" . }} securityContext: - {{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }} + readOnlyRootFilesystem: true image: '{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag | default "latest" }}' imagePullPolicy: {{ .Values.gateway.image.pullPolicy }} volumeMounts: - mountPath: /tmp - name: gateway-temp + name: gateway-tmp env: {{- include "gateway.env" . | nindent 12 }} ports: 
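Review bot: The renamed Secret now reads `.Values.secret.dockerconfigjson`, but the values.yaml introduced in this patch defines no top-level `secret` key and none under `gateway` either, while `gateway.imagePullSecrets` defaults to `- name: registry`; the `{{- if .Values.gateway.imagePullSecrets }}` guard is therefore true out of the box and `required` aborts rendering of the chart with its own defaults. Point the lookup at a key that exists and add it to values.yaml, `.dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" .Values.gateway.secret.dockerconfigjson }}` together with `secret:` / `dockerconfigjson: ""` under `gateway`. Quoting `namespace: {{ .Release.Namespace | quote }}` would also match the rest of the chart.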
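Review bot: The gateway container's `securityContext` is now the fixed literal `readOnlyRootFilesystem: true`, replacing the `toYaml .Values.gateway.containerSecurityContext` block, so the `containerSecurityContext:` stanza that remains in values.yaml (`enabled: false`) has no effect any more and misleads anyone trying to tune it. The scanner templates deleted earlier in this patch gate on `.enabled` and render `omit … "enabled" | toYaml`, which also avoids the `enabled` key leaking into the manifest — presumably the reason the old `toYaml` was dropped; the same pattern here keeps the hardened default while honouring overrides, and a default that also sets `allowPrivilegeEscalation: false` costs nothing. The enclosing StatefulSet spec starts and ends outside the hunk.
```yaml
          securityContext:
            {{- if .Values.gateway.containerSecurityContext.enabled }}
            {{- omit .Values.gateway.containerSecurityContext "enabled" | toYaml | nindent 12 }}
            {{- else }}
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            {{- end }}
          # … unchanged: image, imagePullPolicy, volumeMounts …
```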
diff --git a/values.yaml b/values.yaml new file mode 100644 index 0000000..e073100 --- /dev/null +++ b/values.yaml 
@@ -0,0 +1,122 @@ +gateway: + ingress: + enabled: false + annotations: {} + hosts: + - host: gateway.local + paths: + - path: / + pathType: ImplementationSpecific + service: + name: gateway + port: 9090 + - host: upload.local + paths: + - path: / + pathType: ImplementationSpecific + service: + name: gateway + port: 8080 + tls: [] + + authentication: + authority: "" + + nameOverride: "" + fullnameOverride: "" + + networkPolicy: + enabled: false + + service: + type: "" + http: + port: 8080 + ws: + port: 9090 + + metrics: + enabled: false + port: 8080 + path: /metrics + + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPU: 75 + metrics: + + podDisruptionBudget: + minAvailable: 1 + + replicaCount: 1 + revisionHistoryLimit: 1 + resources: + limits: + memory: 512Mi + requests: + cpu: 0.5 + memory: 256Mi + + containerSecurityContext: + enabled: false + + image: + repository: ghcr.io/gdatasoftwareag/vaas/gateway + pullPolicy: Always + tag: 1 + + cloudhashlookup: + enabled: false + hashlookup: + enabled: false + apikey: + value: "" + usageevents: + enabled: false + gdscanUrl: "http://gdscan:8080/scan/body" + uploadUrl: "http://localhost:8080/upload" + options: + url: "wss://gateway.production.vaas.gdatasecurity.de" + tokenurl: "https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token" + credentials: + granttype: "ClientCredentials" + clientid: "" + clientsecret: + value: "" + + imagePullSecrets: + - name: registry + + podAnnotations: {} + nodeSelector: {} + tolerations: [] + affinity: {} + +gdscan: + imagePullSecrets: + - name: registry + +redis: + enabled: true + architecture: standalone + fullnameOverride: redis + auth: + enabled: false + master: + disableCommands: [] + resources: + limits: + cpu: "1" + memory: 512Mi + requests: + cpu: 500m + memory: 128Mi + persistence: + enabled: false + containerSecurityContext: + enabled: true + readOnlyRootFilesystem: true + networkPolicy: + enabled: true 
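Review bot: The bundled Redis is configured with `auth.enabled: false`, so anything that can reach port 6379 in the namespace can read and write the gateway's cache, and in the same file the gateway's own `networkPolicy.enabled` defaults to `false`; only `redis.networkPolicy.enabled: true` stands between the two, which presumes the cluster actually enforces NetworkPolicies. Consider `auth.enabled: true` with the password referenced from a Secret, or at least a comment above `redis:` stating that the deployment relies on enforced network policies. Minor: `image.tag: 1` is an unquoted integer — write `tag: "1"` so a later `1.10` does not silently become `1.1` — and the bare `autoscaling.metrics:` is null rather than an empty list; `metrics: []` states the intent.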
From 914ca16baf319ded0dc3bcc27889d6966c66dfbc Mon Sep 17 00:00:00 2001 From: PT-ATA No One Date: Thu, 14 Dec 2023 16:05:14 +0100 Subject: [PATCH 07/25] chanhe structure again --- .github/workflows/ci.yaml | 52 +++++++++++++++++++ Chart.lock => charts/vaas/Chart.lock | 0 Chart.yaml => charts/vaas/Chart.yaml | 2 +- .../vaas/templates}/gateway/NOTES.txt | 0 .../vaas/templates}/gateway/_helpers.tpl | 0 .../vaas/templates}/gateway/ingress.yaml | 0 .../templates}/gateway/networkpolicy.yaml | 0 .../gateway/poddisruptionbudget.yaml | 0 .../vaas/templates}/gateway/secret.yaml | 2 +- .../vaas/templates}/gateway/service.yaml | 0 .../templates}/gateway/servicemonitor.yaml | 0 .../vaas/templates}/gateway/statefulset.yaml | 0 values.yaml => charts/vaas/values.yaml | 3 ++ 13 files changed, 57 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/ci.yaml rename Chart.lock => charts/vaas/Chart.lock (100%) rename Chart.yaml => charts/vaas/Chart.yaml (87%) rename {templates => charts/vaas/templates}/gateway/NOTES.txt (100%) rename {templates => charts/vaas/templates}/gateway/_helpers.tpl (100%) rename {templates => charts/vaas/templates}/gateway/ingress.yaml (100%) rename {templates => charts/vaas/templates}/gateway/networkpolicy.yaml (100%) rename {templates => charts/vaas/templates}/gateway/poddisruptionbudget.yaml (100%) rename {templates => charts/vaas/templates}/gateway/secret.yaml (76%) rename {templates => charts/vaas/templates}/gateway/service.yaml (100%) rename {templates => charts/vaas/templates}/gateway/servicemonitor.yaml (100%) rename {templates => charts/vaas/templates}/gateway/statefulset.yaml (100%) rename values.yaml => charts/vaas/values.yaml (98%) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..b4d6ec5 --- /dev/null +++ b/.github/workflows/ci.yaml 
@@ -0,0 +1,52 @@ +name: Release Charts + +on: + push: + branches: + - main + tags: + - "*" + pull_request: + branches: + - main + +jobs: + release: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + - name: Install Helm + uses: azure/setup-helm@v3 + with: + version: v3.4.0 + + - name: Add deps + run: | + helm repo add gdscan https://gdatasoftwareag.github.io/gdscan/ + helm repo add bitnami https://charts.bitnami.com/bitnami/ + + - name: Install python + uses: actions/setup-python@v4 + with: + python-version: 3.7 + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.6.0 + + - name: Run chart-testing (lint) + run: ct lint --validate-maintainers=false --charts charts/vaas + + - name: Run chart-releaser + if: github.ref == 'refs/heads/main' + uses: helm/chart-releaser-action@v1.5.0 + env: + CR_TOKEN: "${{ secrets.BOT_SECRET }}" \ No newline at end of file diff --git a/Chart.lock b/charts/vaas/Chart.lock similarity index 100% rename from Chart.lock rename to charts/vaas/Chart.lock diff --git a/Chart.yaml b/charts/vaas/Chart.yaml similarity index 87% rename from Chart.yaml rename to charts/vaas/Chart.yaml index 07afefe..7fc63eb 100644 --- a/Chart.yaml +++ b/charts/vaas/Chart.yaml @@ -14,4 +14,4 @@ dependencies: - name: gdscan version: 1.4.2 condition: gdscan.enabled - repository: https://gdatasoftwareag.github.io/gdscan/ \ No newline at end of file + repository: https://gdatasoftwareag.github.io/gdscan/ diff --git a/templates/gateway/NOTES.txt b/charts/vaas/templates/gateway/NOTES.txt similarity index 100% rename from templates/gateway/NOTES.txt rename to charts/vaas/templates/gateway/NOTES.txt 
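Review bot: Every `uses:` in the new workflow is pinned to a mutable tag (`actions/checkout@v3`, `azure/setup-helm@v3`, `actions/setup-python@v4`, `helm/chart-testing-action@v2.6.0`, `helm/chart-releaser-action@v1.5.0`), and the job that receives `secrets.BOT_SECRET` runs with the repository's default `GITHUB_TOKEN` permissions because no `permissions:` block is declared. Pin each action to a full commit SHA with the tag kept as a trailing comment, and add a top-level `permissions:` granting only what chart-releaser needs (`contents: write`, everything else read or absent). Minor: `python-version: 3.7` is an unquoted float; `python-version: "3.7"` keeps it a string and avoids the `3.10 → 3.1` trap when it is bumped.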
diff --git a/templates/gateway/_helpers.tpl b/charts/vaas/templates/gateway/_helpers.tpl similarity index 100% rename from templates/gateway/_helpers.tpl rename to charts/vaas/templates/gateway/_helpers.tpl diff --git a/templates/gateway/ingress.yaml b/charts/vaas/templates/gateway/ingress.yaml similarity index 100% rename from templates/gateway/ingress.yaml rename to charts/vaas/templates/gateway/ingress.yaml diff --git a/templates/gateway/networkpolicy.yaml b/charts/vaas/templates/gateway/networkpolicy.yaml similarity index 100% rename from templates/gateway/networkpolicy.yaml rename to charts/vaas/templates/gateway/networkpolicy.yaml diff --git a/templates/gateway/poddisruptionbudget.yaml b/charts/vaas/templates/gateway/poddisruptionbudget.yaml similarity index 100% rename from templates/gateway/poddisruptionbudget.yaml rename to charts/vaas/templates/gateway/poddisruptionbudget.yaml diff --git a/templates/gateway/secret.yaml b/charts/vaas/templates/gateway/secret.yaml similarity index 76% rename from templates/gateway/secret.yaml rename to charts/vaas/templates/gateway/secret.yaml index 5aed631..0522f1d 100644 --- a/templates/gateway/secret.yaml +++ b/charts/vaas/templates/gateway/secret.yaml @@ -5,6 +5,6 @@ metadata: name: registry namespace: {{ .Release.Namespace }} data: - .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" .Values.secret.dockerconfigjson }} + .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" .Values.gateway.secret.dockerconfigjson }} type: kubernetes.io/dockerconfigjson {{- end -}} \ No newline at end of file diff --git a/templates/gateway/service.yaml b/charts/vaas/templates/gateway/service.yaml similarity index 100% rename from templates/gateway/service.yaml rename to charts/vaas/templates/gateway/service.yaml 
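Review bot: `.dockerconfigjson` sits under `data:`, which requires an already base64-encoded value, but neither the template nor the `gateway.secret.dockerconfigjson` default says so and `required` only checks that something was set; a plain JSON config is rejected as invalid base64 at apply time. Add a comment above the key in values.yaml, e.g. `# base64-encoded ~/.docker/config.json used to pull the gateway image`, or switch the key to `stringData:` so plain JSON can be supplied. The Secret name `registry` is also fixed rather than derived from the release, so two releases in one namespace overwrite each other's Secret; `name: {{ include "gateway.fullname" . }}-registry` with a matching `imagePullSecrets` default avoids that.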
diff --git a/templates/gateway/servicemonitor.yaml b/charts/vaas/templates/gateway/servicemonitor.yaml similarity index 100% rename from templates/gateway/servicemonitor.yaml rename to charts/vaas/templates/gateway/servicemonitor.yaml diff --git a/templates/gateway/statefulset.yaml b/charts/vaas/templates/gateway/statefulset.yaml similarity index 100% rename from templates/gateway/statefulset.yaml rename to charts/vaas/templates/gateway/statefulset.yaml diff --git a/values.yaml b/charts/vaas/values.yaml similarity index 98% rename from values.yaml rename to charts/vaas/values.yaml index e073100..76aade0 100644 --- a/values.yaml +++ b/charts/vaas/values.yaml @@ -28,6 +28,9 @@ gateway: networkPolicy: enabled: false + secret: + dockerconfigjson: "" + service: type: "" http: From 87fc9e126829ce3ec7949c84da5cb8275b27ddc9 Mon Sep 17 00:00:00 2001 From: PT-ATA No One Date: Tue, 19 Dec 2023 08:25:43 +0100 Subject: [PATCH 08/25] remove whitespaces --- .github/workflows/ci.yaml | 4 ++-- charts/vaas/values.yaml | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b4d6ec5..7b39fd9 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -30,7 +30,7 @@ jobs: version: v3.4.0 - name: Add deps - run: | + run: | helm repo add gdscan https://gdatasoftwareag.github.io/gdscan/ helm repo add bitnami https://charts.bitnami.com/bitnami/ @@ -38,7 +38,7 @@ jobs: uses: actions/setup-python@v4 with: python-version: 3.7 - + - name: Set up chart-testing uses: helm/chart-testing-action@v2.6.0 diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml index 76aade0..5da4fed 100644 --- a/charts/vaas/values.yaml +++ b/charts/vaas/values.yaml @@ -16,7 +16,7 @@ gateway: pathType: ImplementationSpecific service: name: gateway - port: 8080 + port: 8080 tls: [] authentication: @@ -24,7 +24,7 @@ gateway: nameOverride: "" fullnameOverride: "" - + networkPolicy: enabled: false 
@@ -51,7 +51,7 @@ gateway: metrics: podDisruptionBudget: - minAvailable: 1 + minAvailable: 1 replicaCount: 1 revisionHistoryLimit: 1 @@ -60,7 +60,7 @@ gateway: memory: 512Mi requests: cpu: 0.5 - memory: 256Mi + memory: 256Mi containerSecurityContext: enabled: false From cdeebce805f78117203d4820e548048bebce2601 Mon Sep 17 00:00:00 2001 From: PT-ATA No One Date: Wed, 10 Jan 2024 11:20:19 +0100 Subject: [PATCH 09/25] Mini Identity Provider --- README.md | 95 ++++++++++++++++++- charts/vaas/Chart.yaml | 4 + charts/vaas/templates/gateway/secret.yaml | 2 +- .../vaas/templates/gateway/statefulset.yaml | 6 +- charts/vaas/values.yaml | 30 ++++-- 5 files changed, 120 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 0dbd215..7083179 100644 --- a/README.md +++ b/README.md 
@@ -49,8 +49,93 @@ helm upgrade gdscan gdscan/gdscan -f values.yaml ## Configuring Verdict-as-a-Service -TODO - -| Name | Description | Value | -| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ------------------------ | -| `service.type` | service type | `ClusterIP` | +| Parameter | Description | Value | +|-------------|-------------|-------| +| `ingress.enabled` | Enable/Disable the Ingress resource | `false` | +| `ingress.annotations` | Additional annotations for Ingress | `{}` | +| `ingress.hosts` | Hostnames and paths for Ingress | `[]` | +| `ingress.tls` | TLS configuration for Ingress | `[]` | +| `authentication.authority` | Authority for authentication | `""` | +| `nameOverride` | Overrides the application name | `""` | +| `fullnameOverride` | Overrides the full name | `""` | +| `networkPolicy.enabled` | Enable/Disable the Network Policy | `false` | +| `secret.dockerconfigjson` | Docker authentication configuration | `""` | +| `service.type` | Type of Kubernetes service | `""` | +| `service.http.port` | HTTP port for the service | `8080` | +| `service.ws.port` | WebSocket port for the service | `9090` | +| `metrics.enabled` | Enable/Disable metrics | `false` | +| `metrics.port` | Port for metrics | `8080` | +| `metrics.path` | Path for metrics | `/metrics` | +| `autoscaling.enabled` | Enable/Disable automatic scaling | `false` | +| `autoscaling.minReplicas` | Minimum number of replicas | `2` | +| `autoscaling.maxReplicas` | Maximum number of replicas | `20` | +| `autoscaling.targetCPU` | Target CPU usage for automatic scaling | `75` | +| `autoscaling.metrics` | Metrics for automatic scaling | | +| `podDisruptionBudget.minAvailable` | Minimum available pods in case of disruption | `1` | +| `replicaCount` | Number of replicas | `1` | +| `revisionHistoryLimit` | Number of revisions in history | `1` | +| `resources.limits.memory` | Maximum memory usage 
| `512Mi` | +| `resources.requests.cpu` | Requested CPU performance | `0.5` | +| `resources.requests.memory` | Requested memory usage | `256Mi` | +| `containerSecurityContext.enabled` | Enable/Disable container security context | `false` | +| `image.repository` | Docker image repository | `ghcr.io/gdatasoftwareag/vaas/gateway` | +| `image.pullPolicy` | Docker image pull policy | `Always` | +| `image.tag` | Docker image tag | `1` | +| `cloudhashlookup.enabled` | Enable/Disable cloud hash lookup | `false` | +| `hashlookup.enabled` | Enable/Disable local hash lookup | `false` | +| `hashlookup.apikey.value` | API key for local hash lookup | `""` | +| `usageevents.enabled` | Enable/Disable usage events | `false` | +| `gdscanUrl` | URL for the GDScan service | `"http://gdscan:8080/scan/body"` | +| `uploadUrl` | URL for the upload service | `"http://localhost:8080/upload"` | +| `options.url` | URL for options | `"wss://gateway.production.vaas.gdatasecurity.de"` | +| `options.tokenurl` | Token URL for options | `"https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token"` | +| `options.credentials.granttype` | Grant type for options | `"ClientCredentials"` | +| `options.credentials.clientid` | Client ID for options | `""` | +| `options.credentials.clientsecret.value` | Client secret for options | `""` | +| `imagePullSecrets` | List of image pull secrets | `- name: registry` | +| `podAnnotations` | Annotations for pods | `{}` | +| `nodeSelector` | Node selector for pods | `{}` | +| `tolerations` | Tolerations for pods | `[]` | +| `affinity` | Affinity settings for pods | `{}` | + + + +## TODO + +### Getting started + +To install a development environment: + +* Minikube +* helm add repo +* helm login +* Create values.yaml with + +imagePullSecrets: ONLY 1 + +* helm install +* NOTES.txt include script lines to get URLs and credentials link to SDKs + * NodeIP + +### Production environment + +In production you will have to configure stuff. 
+ +#### Ingress + +ingress: + enable: true (affects gateway, midp) + host: + vaas.local + auth + upload + verdicts + ws + +#### Scale workers + +#### Deny worker intra cluster access (no forUrl) + +#### NodeSelectors + +#### \ No newline at end of file diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml index 7fc63eb..cd7b3d3 100644 --- a/charts/vaas/Chart.yaml +++ b/charts/vaas/Chart.yaml @@ -15,3 +15,7 @@ dependencies: version: 1.4.2 condition: gdscan.enabled repository: https://gdatasoftwareag.github.io/gdscan/ + - name: mini-identity-provider + version: 0.1.8 + condition: mini-identity-provider.enabled + repository: oci://ghcr.io/gdatasoftwareag diff --git a/charts/vaas/templates/gateway/secret.yaml b/charts/vaas/templates/gateway/secret.yaml index 0522f1d..c175182 100644 --- a/charts/vaas/templates/gateway/secret.yaml +++ b/charts/vaas/templates/gateway/secret.yaml @@ -1,4 +1,4 @@ -{{- if .Values.gateway.imagePullSecrets }} +{{- if .Values.global.imagePullSecrets }} apiVersion: v1 kind: Secret metadata: diff --git a/charts/vaas/templates/gateway/statefulset.yaml b/charts/vaas/templates/gateway/statefulset.yaml index a0ad014..77eb5ef 100644 --- a/charts/vaas/templates/gateway/statefulset.yaml +++ b/charts/vaas/templates/gateway/statefulset.yaml @@ -22,10 +22,10 @@ spec: labels: {{- include "gateway.selectorLabels" . | nindent 8 }} spec: - {{- with .Values.gateway.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} volumes: - name: gateway-tmp emptyDir: {} diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml index 5da4fed..469b476 100644 --- a/charts/vaas/values.yaml +++ b/charts/vaas/values.yaml 
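Review bot: The `registry` Secret is now rendered only when `.Values.global.imagePullSecrets` is non-empty, but the values.yaml hunk of this same commit defaults that list to `[]` and drops the gateway's `- name: registry` entry, so a default install creates neither the Secret nor a pull-secret reference and the private-registry pull fails at runtime instead of at install time through the `required` check. Keep `global.imagePullSecrets` defaulted to the `registry` entry so the condition and the `required` check stay in step, or gate the Secret on the value it renders (`.Values.gateway.secret.dockerconfigjson` at this commit). The Secret's `data` block and its `required` check lie outside this hunk.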
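Review bot: `- name: {{ . }}` inside the new `range` treats each `global.imagePullSecrets` entry as a plain string, while the README table added in this commit documents `imagePullSecrets` as `- name: registry`; an entry of that shape renders as `name: map[name:registry]`, a reference to a Secret that does not exist, and the pull fails with no hint at the cause. Either document the expected list-of-strings form next to `global.imagePullSecrets` in values.yaml or accept both shapes: `- name: {{ if kindIs "map" . }}{{ .name }}{{ else }}{{ . }}{{ end }}`. The pod template this sits in continues outside the hunk.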
@@ -1,3 +1,25 @@ +global: + imagePullSecrets: [] + vaasImageRegistry: "ghcr.io/gdatasoftwareag" + +mini-identity-provider: + enabled: true + ingress: + enabled: true + annotations: + nginx.ingress.kubernetes.io/use-regex: "true" + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/x-forwarded-prefix: "/auth" + hosts: + - host: vaas + paths: + - path: /auth(/|$)(.*) + pathType: ImplementationSpecific + service: + name: provider + port: 8080 + tls: [] + gateway: ingress: enabled: false @@ -88,19 +110,11 @@ gateway: clientid: "" clientsecret: value: "" - - imagePullSecrets: - - name: registry - podAnnotations: {} nodeSelector: {} tolerations: [] affinity: {} -gdscan: - imagePullSecrets: - - name: registry - redis: enabled: true architecture: standalone From df5737a23f90820f56fe97608fa68769b535fca2 Mon Sep 17 00:00:00 2001 From: PT-ATA No One Date: Wed, 10 Jan 2024 13:54:18 +0100 Subject: [PATCH 10/25] Gateway starts --- charts/vaas/Chart.yaml | 2 +- charts/vaas/templates/gateway/_helpers.tpl | 2 ++ charts/vaas/values.yaml | 10 ++++++---- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml index cd7b3d3..e5d3a01 100644 --- a/charts/vaas/Chart.yaml +++ b/charts/vaas/Chart.yaml @@ -16,6 +16,6 @@ dependencies: condition: gdscan.enabled repository: https://gdatasoftwareag.github.io/gdscan/ - name: mini-identity-provider - version: 0.1.8 + version: 0.1.9 condition: mini-identity-provider.enabled repository: oci://ghcr.io/gdatasoftwareag diff --git a/charts/vaas/templates/gateway/_helpers.tpl b/charts/vaas/templates/gateway/_helpers.tpl index a6c436e..ee84d45 100644 --- a/charts/vaas/templates/gateway/_helpers.tpl +++ b/charts/vaas/templates/gateway/_helpers.tpl 
@@ -56,6 +56,8 @@ Create environment variables to configure gateway container.
 {{- define "gateway.env" }}
 - name: Authentication__Schemes__Bearer__Authority
 value: {{.Values.gateway.authentication.authority}}
+- name: Authentication__Schemes__Bearer__RequireHttpsMetadata
+ value: "false"
 - name: Upload__Endpoint
 value: {{.Values.gateway.uploadUrl}}
 {{- if .Values.gateway.cloudhashlookup.enabled }}
diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml
index 469b476..6ce6cb0 100644
--- a/charts/vaas/values.yaml
+++ b/charts/vaas/values.yaml
@@ -1,8 +1,10 @@
 global:
 imagePullSecrets: []
 vaasImageRegistry: "ghcr.io/gdatasoftwareag"
+ host: &vaasHost vaas
 
 mini-identity-provider:
+ issuer: http://vaas/auth
 enabled: true
 ingress:
 enabled: true
@@ -11,7 +13,7 @@ mini-identity-provider:
 nginx.ingress.kubernetes.io/rewrite-target: /$2
 nginx.ingress.kubernetes.io/x-forwarded-prefix: "/auth"
 hosts:
- - host: vaas
+ - host: *vaasHost
 paths:
 - path: /auth(/|$)(.*)
 pathType: ImplementationSpecific
@@ -25,14 +27,14 @@ gateway:
 enabled: false
 annotations: {}
 hosts:
- - host: gateway.local
+ - host: *vaasHost
 paths:
- - path: /
+ - path: /ws
 pathType: ImplementationSpecific
 service:
 name: gateway
 port: 9090
- - host: upload.local
+ - host: *vaasHost
 paths:
 - path: /
 pathType: ImplementationSpecific
From d94a4e590ed9ab84ad24ee105f5d35b69834c98f Mon Sep 17 00:00:00 2001 From: PT-ATA No One Date: Fri, 12 Jan 2024 15:54:02 +0100 Subject: [PATCH 11/25] WIP * This state is working properly out of the box but needs refinement with full team
--- .gitignore | 3 +- README.md | 71 +++++--- charts/vaas/Chart.lock | 7 +- charts/vaas/Chart.yaml | 2 +- charts/vaas/templates/gateway/_helpers.tpl | 4 +- .../vaas/templates/gateway/statefulset.yaml | 8 +- charts/vaas/values.yaml | 156 ++++++++++++++++-- helm.sh | 13 ++ 8 files changed, 219 insertions(+), 45 deletions(-) create mode 100755 helm.sh
diff --git a/.gitignore b/.gitignore
index be359b5..65999cf 100644
--- a/.gitignore
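Review bot: `Authentication__Schemes__Bearer__RequireHttpsMetadata` is hard-wired to `"false"` for every deployment, which turns off the TLS requirement for the gateway's OIDC discovery and signing-key fetch even when an operator later points `authentication.authority` at an HTTPS identity provider in production. Make it a value so the relaxed setting stays confined to the local setup this commit targets: `value: {{ .Values.gateway.authentication.requireHttpsMetadata | quote }}` with `requireHttpsMetadata: false` next to `authority` in values.yaml (`| quote` keeps the boolean a string, as an env value must be). The `gateway.env` define continues outside the hunk.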
+++ b/.gitignore @@ -2,4 +2,5 @@ .vscode/ *.log *-locale.yaml -*.tgz \ No newline at end of file +*.tgz +.fleet/ \ No newline at end of file diff --git a/README.md b/README.md index 7083179..cef06d6 100644 --- a/README.md +++ b/README.md @@ -38,8 +38,6 @@ helm repo add vaas https://gdatasoftwareag.github.io/vaas/ helm install vaas gdatasoftware/vaas -f values.yaml ``` -TODO: - ### Updating Verdict-as-a-Service ```bash @@ -47,6 +45,57 @@ helm repo update helm upgrade gdscan gdscan/gdscan -f values.yaml ``` +# Verdict-as-a-Service on-premise + +## Getting started + +### Deploy Verdict-as-a-Service in a Minikube test-environment + +* Start Minikube: + +``` +minikube start --cpus="6" --memory="6g" --addons ingress +``` + +* Check your Minikube IP: ```minikube ip``` + +* Add Minikube IP to your /etc/hosts: + +``` + vaas +``` + +* Run ```minikube dashboard``` + +* Deploy the VaaS helm chart: ```./helm.sh``` + +* Check the "Workload status" in the Minikube dashboard and wait until it is green + +### Use Verdict-as-a-Service with the Java SDK + +* Make sure that Java 17 & Gradle is installed + +* Extract Client secret with this command + +``` +export CLIENT_SECRET=$(kubectl get secret -n vaas vaas-client-secret -o jsonpath="{.data.secret}" | base64 -d) +``` + +* Set these environment variables for testing your local instance + +``` +export CLIENT_ID=vaas +export SCAN_PATH= +export VAAS_URL=ws://vaas/ws +export TOKEN_URL=https://vaas/auth/protocol/openid-connect/token +``` + +* Execute FileScan example in Java SDK example folder + +``` +./gradlew fileScan +``` + ## Configuring Verdict-as-a-Service | Parameter | Description | Value | 
@@ -99,24 +148,6 @@ helm upgrade gdscan gdscan/gdscan -f values.yaml | `affinity` | Affinity settings for pods | `{}` | - -## TODO - -### Getting started - -To install a development environment: - -* Minikube -* helm add repo -* helm login -* Create values.yaml with - -imagePullSecrets: ONLY 1 - -* helm install -* NOTES.txt include script lines to get URLs and credentials link to SDKs - * NodeIP - ### Production environment In production you will have to configure stuff. diff --git a/charts/vaas/Chart.lock b/charts/vaas/Chart.lock index 414e086..bde0b44 100644 --- a/charts/vaas/Chart.lock +++ b/charts/vaas/Chart.lock @@ -5,5 +5,8 @@ dependencies: - name: gdscan repository: https://gdatasoftwareag.github.io/gdscan/ version: 1.4.2 -digest: sha256:51e3b55c0a6db37616d9111b7f10212ee76b34e9650df2ea8d20c1f505cdc45d -generated: "2023-12-07T11:20:19.544076537+01:00" +- name: mini-identity-provider + repository: oci://ghcr.io/gdatasoftwareag + version: 0.1.11 +digest: sha256:52da0f8e6f27d1eb562284e2f076b2e0226a8f93d0b56be8e438ed61d5fcbfa0 +generated: "2024-01-12T13:29:22.640621206+01:00" diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml index e5d3a01..153f0a5 100644 --- a/charts/vaas/Chart.yaml +++ b/charts/vaas/Chart.yaml @@ -16,6 +16,6 @@ dependencies: condition: gdscan.enabled repository: https://gdatasoftwareag.github.io/gdscan/ - name: mini-identity-provider - version: 0.1.9 + version: 0.1.11 condition: mini-identity-provider.enabled repository: oci://ghcr.io/gdatasoftwareag diff --git a/charts/vaas/templates/gateway/_helpers.tpl b/charts/vaas/templates/gateway/_helpers.tpl index ee84d45..0bad7f6 100644 --- a/charts/vaas/templates/gateway/_helpers.tpl +++ b/charts/vaas/templates/gateway/_helpers.tpl 
@@ -59,7 +59,9 @@ Create environment variables to configure gateway container.
 - name: Authentication__Schemes__Bearer__RequireHttpsMetadata
 value: "false"
 - name: Upload__Endpoint
- value: {{.Values.gateway.uploadUrl}}
+ value: {{.Values.gateway.uploadUrl}}
+- name: JwtSettings__Secret
+ value: {{ randAlphaNum 64 }}
 {{- if .Values.gateway.cloudhashlookup.enabled }}
 - name: VerdictAsAService__Url
 value: {{ .Values.gateway.options.url | quote }}
diff --git a/charts/vaas/templates/gateway/statefulset.yaml b/charts/vaas/templates/gateway/statefulset.yaml
index 77eb5ef..2723063 100644
--- a/charts/vaas/templates/gateway/statefulset.yaml
+++ b/charts/vaas/templates/gateway/statefulset.yaml
@@ -22,10 +22,10 @@ spec:
 labels:
 {{- include "gateway.selectorLabels" . | nindent 8 }}
 spec:
- imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
+ {{- with .Values.gateway.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 volumes:
 - name: gateway-tmp
 emptyDir: {}
diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml
index 6ce6cb0..12aacd6 100644
--- a/charts/vaas/values.yaml
+++ b/charts/vaas/values.yaml
@@ -1,12 +1,15 @@
 global:
- imagePullSecrets: []
+ imagePullSecrets:
+ - name: registry
 vaasImageRegistry: "ghcr.io/gdatasoftwareag"
 host: &vaasHost vaas
+ versionTag: &versionTag production-latest
 
 mini-identity-provider:
- issuer: http://vaas/auth
+ issuer: "http://vaas/auth"
 enabled: true
 ingress:
+ className: nginx
 enabled: true
 annotations:
 nginx.ingress.kubernetes.io/use-regex: "true"
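Review bot: `JwtSettings__Secret` is generated with `randAlphaNum 64` at template time, so every `helm upgrade` (and every `helm template`, as in the helm.sh added by this commit) yields a different value; tokens the gateway signed before an upgrade presumably stop validating, and the signing secret sits in the StatefulSet's pod spec as a plain env value where anyone who can read pods or the release manifest sees it. Move it into a Secret referenced through `valueFrom.secretKeyRef`, and keep it stable across upgrades by taking it from a `required` value or by reusing an existing Secret via `lookup` before falling back to `randAlphaNum`. The `gateway.env` define continues outside the hunk.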
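Review bot: Reverting to `{{- with .Values.gateway.imagePullSecrets }}` leaves the gateway pod without a pull secret: the values.yaml hunk of this commit puts the `registry` entry under `global.imagePullSecrets`, the gateway block no longer carries its own list (it was dropped earlier on this page), and the `#TODO: ImagePullSecret from Global` comment in the same values hunk records the gap. Until the global and per-chart lists are merged, `{{- with (default .Values.global.imagePullSecrets .Values.gateway.imagePullSecrets) }}` keeps the `toYaml` path working for the list-of-maps shape values.yaml now uses. The pod template continues outside the hunk.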
@@ -19,12 +22,34 @@ mini-identity-provider: pathType: ImplementationSpecific service: name: provider - port: 8080 - tls: [] + port: 8080 + tls: [] + + image: + repository: ghcr.io/gdatasoftwareag/vaas/mini-identity-provider + pullPolicy: Always + tag: latest + + service: + type: ClusterIP + http: + port: 8080 + + secret: + dockerconfigjson: "" + + networkPolicy: + enabled: true + + podAnnotations: {} + nodeSelector: {} + tolerations: [] + affinity: {} gateway: ingress: - enabled: false + enabled: true + className: "" annotations: {} hosts: - host: *vaasHost @@ -44,19 +69,19 @@ gateway: tls: [] authentication: - authority: "" + authority: http://provider:8080/ nameOverride: "" fullnameOverride: "" networkPolicy: - enabled: false + enabled: true secret: dockerconfigjson: "" service: - type: "" + type: ClusterIP http: port: 8080 ws: @@ -92,10 +117,14 @@ gateway: image: repository: ghcr.io/gdatasoftwareag/vaas/gateway pullPolicy: Always - tag: 1 + # TODO: Push to production-latest and change to anchor + tag: 1.0.2 cloudhashlookup: enabled: false + + # Do not touch. Really. Just don't. + # This block is only for G DATA's internal usage. hashlookup: enabled: false apikey: 
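Review bot: The new `mini-identity-provider.image` block pins `tag: latest` with `pullPolicy: Always`, so the identity provider that mints every gateway token is re-resolved from a mutable tag on each pod start; a restart after a registry push can run a different IdP build than its neighbour, and a rollback has nothing to roll back to. Pin a version tag the way the chart dependency already is (`version: 0.1.11` in Chart.yaml) and bump it deliberately. The same change also flips `gateway.ingress.enabled` and `networkPolicy.enabled` to `true` by default, which suits the Minikube target but changes what a plain `helm install` exposes and is worth a line in the README.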
@@ -103,20 +132,117 @@ gateway: usageevents: enabled: false gdscanUrl: "http://gdscan:8080/scan/body" - uploadUrl: "http://localhost:8080/upload" + uploadUrl: "http://vaas/upload" options: url: "wss://gateway.production.vaas.gdatasecurity.de" tokenurl: "https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token" credentials: granttype: "ClientCredentials" clientid: "" + # TODO: Secrify it clientsecret: value: "" + podAnnotations: {} nodeSelector: {} tolerations: [] affinity: {} +#TODO: ImagePullSecret from Global +gdscan: + replicaCount: 1 + deploymentStrategy: "Recreate" + server: + name: server + image: + repository: ghcr.io/gdatasoftwareag/vaas/scanserver + pullPolicy: Always + tag: *versionTag + containerSecurityContext: + enabled: false + client: + name: client + image: + repository: ghcr.io/gdatasoftwareag/vaas/scanner + pullPolicy: Always + tag: *versionTag + containerSecurityContext: + enabled: false + terminationGracePeriodSeconds: 30 + + nameOverride: "" + fullnameOverride: "gdscan" + + podAnnotations: {} + + service: + type: "ClusterIP" + port: 8080 + + metrics: + servicemonitor: + enabled: false + port: 8080 + path: /metrics + + #TODO: Do we need Ingress for Gdscan? 
+ ingress:
+ enabled: false
+ className: ""
+ annotations: {}
+ hosts:
+ - host: gdscan.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+
+ resources:
+ server:
+ limits:
+ memory: 2Gi
+ requests:
+ cpu: 0.15
+ memory: 2Gi
+ client:
+ limits:
+ memory: 1Gi
+ requests:
+ cpu: 1
+ memory: 512Mi
+
+ autoscaling:
+ enabled: false
+ minReplicas: 2
+ maxReplicas: 20
+ targetCPU: 75
+ metrics:
+
+ nodeSelector: {}
+
+ tolerations: []
+
+ affinity: {}
+
+ persistence:
+ enabled: true
+ size: 2Gi
+ accessMode: ReadWriteOnce
+
+ autoUpdate:
+ image:
+ registry: docker.io
+ repository: bitnami/kubectl
+ tag: latest
+ containerSecurityContext:
+ enabled: false
+ enabled: true
+ # every hour
+ schedule: "0 * * * *"
+ networkPolicy:
+ enabled: true
+ k8sApiPort: 6443
+
 redis:
 enabled: true
 architecture: standalone
@@ -127,15 +253,13 @@ redis:
 disableCommands: []
 resources:
 limits:
- cpu: "1"
- memory: 512Mi
- requests:
- cpu: 500m
 memory: 128Mi
+ requests:
+ cpu: 100m
+ memory: 64Mi
 persistence:
 enabled: false
 containerSecurityContext:
- enabled: true
- readOnlyRootFilesystem: true
+ enabled: false
 networkPolicy:
 enabled: true
diff --git a/helm.sh b/helm.sh
new file mode 100755
index 0000000..9b01897
--- /dev/null
+++ b/helm.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+if [ "$#" -eq 0 ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+VALUES_FILE=$1
+
+helm lint charts/vaas -f $VALUES_FILE
+helm template charts/vaas -f $VALUES_FILE --debug
+helm uninstall vaas -n vaas
+helm install vaas charts/vaas -f $VALUES_FILE -n vaas --create-namespace
From 4f531222689f6fbfb0c16f493a58eeb2096fd7a5 Mon Sep 17 00:00:00 2001 From: PT-ATA No One Date: Fri, 12 Jan 2024 17:38:43 +0100 Subject: [PATCH 12/25] remove classname
--- charts/vaas/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml
index 12aacd6..d7c3cc6 100644
--- a/charts/vaas/values.yaml
+++ b/charts/vaas/values.yaml
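Review bot: `gdscan.autoUpdate` is enabled by default and runs `docker.io/bitnami/kubectl` at `tag: latest` on an hourly schedule, so a job that presumably talks to the Kubernetes API (a `networkPolicy.k8sApiPort: 6443` setting sits right beside it) executes whatever the registry serves under a floating tag at each run. Pin the kubectl tag or digest the way the other images in this hunk are pinned, or default `autoUpdate.enabled` to `false` and let operators opt in. The `# TODO: Secrify it` above `clientsecret.value` is the right call, since that value is presumably rendered straight into the gateway environment rather than a Secret. This hunk starts on the preceding line.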
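Review bot: The redis `containerSecurityContext` goes from `enabled: true` with `readOnlyRootFilesystem: true` to `enabled: false`, which drops the container hardening the chart previously applied (the resource limits are also cut to 128Mi/64Mi), and nothing in the commit message says why. If the subchart misbehaved under the restricted context, keep `enabled: true` and relax only the offending field; otherwise restore the two removed lines `enabled: true` / `readOnlyRootFilesystem: true`.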
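Review bot: `helm.sh` runs `helm template ... --debug` against the real values file, which prints every rendered manifest — including the dockerconfigjson Secret and the `JwtSettings__Secret` env added in this commit — to the terminal and any log that captures it, and then runs `helm uninstall vaas -n vaas` unconditionally before reinstalling, so a wrong values path tears down a running release. Quote `$VALUES_FILE`, fail fast with `set -euo pipefail`, replace the uninstall/install pair with `helm upgrade --install` and make a full reinstall opt-in; the usage line also lost its argument name (`echo "Usage: $0 "`).
```shell
#!/bin/bash
set -euo pipefail

if [ "$#" -eq 0 ]; then
  echo "Usage: $0 <values-file> [--reinstall]"
  exit 1
fi

VALUES_FILE="$1"

helm lint charts/vaas -f "$VALUES_FILE"
# render check only: the rendered output contains secrets, keep it off the terminal
helm template charts/vaas -f "$VALUES_FILE" > /dev/null
if [ "${2:-}" = "--reinstall" ]; then
  helm uninstall vaas -n vaas
fi
helm upgrade --install vaas charts/vaas -f "$VALUES_FILE" -n vaas --create-namespace
```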
@@ -9,7 +9,7 @@ mini-identity-provider: issuer: "http://vaas/auth" enabled: true ingress: - className: nginx + className: "" enabled: true annotations: nginx.ingress.kubernetes.io/use-regex: "true" From d71666ea54ef7d157dbd17d6c2b89fe13ba303a1 Mon Sep 17 00:00:00 2001 From: PT-ATA No One Date: Mon, 15 Jan 2024 16:19:04 +0100 Subject: [PATCH 13/25] fix handling with secrets & edit readme --- README.md | 103 +++++++++--------- charts/vaas/Chart.lock | 8 +- charts/vaas/Chart.yaml | 4 +- charts/vaas/templates/gateway/_helpers.tpl | 10 ++ charts/vaas/templates/gateway/secret.yaml | 2 +- .../vaas/templates/gateway/statefulset.yaml | 5 +- charts/vaas/values.yaml | 62 +++-------- 7 files changed, 88 insertions(+), 106 deletions(-) diff --git a/README.md b/README.md index cef06d6..575e4d7 100644 --- a/README.md +++ b/README.md @@ -6,25 +6,17 @@ Vaas helm is a chart for deploying Verdict-as-a-Service on-premise. 1. Create a minimal values.yaml file: -The token has to be set in the `secret.dockerconfigjson` variable on deployment. +The token has to be set in the `global.secret.dockerconfigjson` variable on deployment. ```yaml # values.yaml -secret: +global: + secret: dockerconfigjson: $$_BASE64_ENCODED_JSON_CONTAINING_TOKEN_$$ ``` -Example of the dockerconfigjson +Copy the `secret.yaml` you got from G DATA to the template folder. -```json -{ - "auths": { - "ghcr.io": { - "auth": "$$_BASE64_ENCODED_USERNAME_AND_TOKEN_$$" - } - } -} -``` 2. Add the helm repository: @@ -42,7 +34,7 @@ helm install vaas gdatasoftware/vaas -f values.yaml ```bash helm repo update -helm upgrade gdscan gdscan/gdscan -f values.yaml +helm upgrade vaas gdatasoftware/vaas -f values.yaml ``` # Verdict-as-a-Service on-premise 
@@ -87,7 +79,7 @@ export CLIENT_SECRET=$(kubectl get secret -n vaas vaas-client-secret -o jsonpath export CLIENT_ID=vaas export SCAN_PATH= export VAAS_URL=ws://vaas/ws -export TOKEN_URL=https://vaas/auth/protocol/openid-connect/token +export TOKEN_URL=http://vaas/auth/protocol/openid-connect/token ``` * Execute FileScan example in Java SDK example folder @@ -107,19 +99,11 @@ export TOKEN_URL=https://vaas/auth/protocol/openid-connect/token | `authentication.authority` | Authority for authentication | `""` | | `nameOverride` | Overrides the application name | `""` | | `fullnameOverride` | Overrides the full name | `""` | -| `networkPolicy.enabled` | Enable/Disable the Network Policy | `false` | +| `networkPolicy.enabled` | Enable/Disable the default Network Policy | `false` | | `secret.dockerconfigjson` | Docker authentication configuration | `""` | | `service.type` | Type of Kubernetes service | `""` | | `service.http.port` | HTTP port for the service | `8080` | | `service.ws.port` | WebSocket port for the service | `9090` | -| `metrics.enabled` | Enable/Disable metrics | `false` | -| `metrics.port` | Port for metrics | `8080` | -| `metrics.path` | Path for metrics | `/metrics` | -| `autoscaling.enabled` | Enable/Disable automatic scaling | `false` | -| `autoscaling.minReplicas` | Minimum number of replicas | `2` | -| `autoscaling.maxReplicas` | Maximum number of replicas | `20` | -| `autoscaling.targetCPU` | Target CPU usage for automatic scaling | `75` | -| `autoscaling.metrics` | Metrics for automatic scaling | | | `podDisruptionBudget.minAvailable` | Minimum available pods in case of disruption | `1` | | `replicaCount` | Number of replicas | `1` | | `revisionHistoryLimit` | Number of revisions in history | `1` | 
@@ -127,46 +111,63 @@ export TOKEN_URL=https://vaas/auth/protocol/openid-connect/token | `resources.requests.cpu` | Requested CPU performance | `0.5` | | `resources.requests.memory` | Requested memory usage | `256Mi` | | `containerSecurityContext.enabled` | Enable/Disable container security context | `false` | -| `image.repository` | Docker image repository | `ghcr.io/gdatasoftwareag/vaas/gateway` | -| `image.pullPolicy` | Docker image pull policy | `Always` | -| `image.tag` | Docker image tag | `1` | | `cloudhashlookup.enabled` | Enable/Disable cloud hash lookup | `false` | -| `hashlookup.enabled` | Enable/Disable local hash lookup | `false` | -| `hashlookup.apikey.value` | API key for local hash lookup | `""` | -| `usageevents.enabled` | Enable/Disable usage events | `false` | -| `gdscanUrl` | URL for the GDScan service | `"http://gdscan:8080/scan/body"` | | `uploadUrl` | URL for the upload service | `"http://localhost:8080/upload"` | -| `options.url` | URL for options | `"wss://gateway.production.vaas.gdatasecurity.de"` | -| `options.tokenurl` | Token URL for options | `"https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token"` | -| `options.credentials.granttype` | Grant type for options | `"ClientCredentials"` | -| `options.credentials.clientid` | Client ID for options | `""` | -| `options.credentials.clientsecret.value` | Client secret for options | `""` | | `imagePullSecrets` | List of image pull secrets | `- name: registry` | | `podAnnotations` | Annotations for pods | `{}` | -| `nodeSelector` | Node selector for pods | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `gdscan.nodeSelector` | gdscan Node labels for pod assignment | `{}` | +| `mini-identity-provider.nodeSelector` | mini-identity-provider Node labels for pod assignment | `{}` | | `tolerations` | Tolerations for pods | `[]` | | `affinity` | Affinity settings for pods | `{}` | ### Production environment -In production you will have to configure stuff. 
+In production you will have to configure a few values. #### Ingress +The default hostname is "vaas". To change it and provide a tls configuration, add this to your values.yaml: -ingress: - enable: true (affects gateway, midp) - host: - vaas.local - auth - upload - verdicts - ws - -#### Scale workers - -#### Deny worker intra cluster access (no forUrl) +```yaml +mini-identity-provider: + issuer: "http://vaas/auth" + ingress: + hosts: + - host: vaas + paths: + - path: /auth(/|$)(.*) + pathType: ImplementationSpecific + service: + name: provider + port: 8080 + tls: [] + +gateway: + ingress: + hosts: + - host: vaas + paths: + - path: /ws + pathType: ImplementationSpecific + service: + name: gateway + port: 9090 + - host: vaas + paths: + - path: / + pathType: ImplementationSpecific + service: + name: gateway + port: 8080 + tls: [] + uploadUrl: "http://vaas/upload" +``` -#### NodeSelectors +Replace the "vaas" with your hostname in the following values: -#### \ No newline at end of file +* mini-identity-provider.issuer +* mini-identity-provider.ingress.hosts.0.host +* gateway.ingress.0.host +* gateway.ingress.1.host +* gateway.uploadUrl diff --git a/charts/vaas/Chart.lock b/charts/vaas/Chart.lock index bde0b44..43299e7 100644 --- a/charts/vaas/Chart.lock +++ b/charts/vaas/Chart.lock @@ -4,9 +4,9 @@ dependencies: version: 18.1.5 - name: gdscan repository: https://gdatasoftwareag.github.io/gdscan/ - version: 1.4.2 + version: 1.4.5 - name: mini-identity-provider repository: oci://ghcr.io/gdatasoftwareag - version: 0.1.11 -digest: sha256:52da0f8e6f27d1eb562284e2f076b2e0226a8f93d0b56be8e438ed61d5fcbfa0 -generated: "2024-01-12T13:29:22.640621206+01:00" + version: 0.1.12 +digest: sha256:3a41433c3889a01631545c8346e9bb60194d0c571a31e2b7913d19a4ba03f3a5 +generated: "2024-01-15T15:08:57.394438008+01:00" diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml index 153f0a5..d6fef30 100644 --- a/charts/vaas/Chart.yaml +++ b/charts/vaas/Chart.yaml 
@@ -12,10 +12,10 @@ dependencies:
 condition: redis.enabled
 repository: https://charts.bitnami.com/bitnami
 - name: gdscan
- version: 1.4.2
+ version: 1.4.5
 condition: gdscan.enabled
 repository: https://gdatasoftwareag.github.io/gdscan/
 - name: mini-identity-provider
- version: 0.1.11
+ version: 0.1.12
 condition: mini-identity-provider.enabled
 repository: oci://ghcr.io/gdatasoftwareag
diff --git a/charts/vaas/templates/gateway/_helpers.tpl b/charts/vaas/templates/gateway/_helpers.tpl
index 0bad7f6..ac1f060 100644
--- a/charts/vaas/templates/gateway/_helpers.tpl
+++ b/charts/vaas/templates/gateway/_helpers.tpl
@@ -23,6 +23,16 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{- define "gateway.imagePullSecrets" -}}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- range .Values.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
diff --git a/charts/vaas/templates/gateway/secret.yaml b/charts/vaas/templates/gateway/secret.yaml
index c175182..0495eef 100644
--- a/charts/vaas/templates/gateway/secret.yaml
+++ b/charts/vaas/templates/gateway/secret.yaml
@@ -5,6 +5,6 @@ metadata:
 name: registry
 namespace: {{ .Release.Namespace }}
 data:
- .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" .Values.gateway.secret.dockerconfigjson }}
+ .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" .Values.global.secret.dockerconfigjson }}
 type: kubernetes.io/dockerconfigjson
 {{- end -}}
\ No newline at end of file
diff --git a/charts/vaas/templates/gateway/statefulset.yaml b/charts/vaas/templates/gateway/statefulset.yaml
index 2723063..92ed189 100644
--- a/charts/vaas/templates/gateway/statefulset.yaml
+++ b/charts/vaas/templates/gateway/statefulset.yaml
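Review bot: The new `gateway.imagePullSecrets` define renders `- name: {{ . }}` for each entry, so it only works when `global.imagePullSecrets` and `imagePullSecrets` are lists of plain strings, yet the README table updated in this commit still documents `imagePullSecrets` as `- name: registry`; an entry of that shape renders as `name: map[name:registry]`, a quiet reference to a Secret that does not exist. Accept both shapes with `- name: {{ if kindIs "map" . }}{{ .name }}{{ else }}{{ . }}{{ end }}` in both `range` bodies, or correct the README to the string form. The `imagePullSecrets:` key is also emitted when both lists are empty, leaving a null field in the pod spec; wrapping the body in `{{- if or .Values.global.imagePullSecrets .Values.imagePullSecrets }}` avoids that.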
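Review bot: The Secret now reads `.Values.global.secret.dockerconfigjson`, matching the README step added in this commit, but the template's enclosing condition (`{{- if .Values.global.imagePullSecrets }}` per the earlier "Mini Identity Provider" commit on this page, outside this hunk) still decides whether the Secret is rendered at all, so a user who sets only what the README asks for gets no `registry` Secret and never sees the `required` message. Either switch that condition to the value the Secret renders or have the README also set `global.imagePullSecrets`. Piping the value through `| quote` (`{{ required "You need to set the dockerconfigjson for the private registry" .Values.global.secret.dockerconfigjson | quote }}`) additionally keeps the manifest a string whatever characters the base64 blob happens to start with.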
@@ -22,10 +22,7 @@ spec:
 labels:
 {{- include "gateway.selectorLabels" . | nindent 8 }}
 spec:
- {{- with .Values.gateway.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
+ {{- include "gateway.imagePullSecrets" . | nindent 6 }}
 volumes:
 - name: gateway-tmp
 emptyDir: {}
diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml
index d7c3cc6..2fea43c 100644
--- a/charts/vaas/values.yaml
+++ b/charts/vaas/values.yaml
@@ -1,10 +1,3 @@
-global:
- imagePullSecrets:
- - name: registry
- vaasImageRegistry: "ghcr.io/gdatasoftwareag"
- host: &vaasHost vaas
- versionTag: &versionTag production-latest
-
 mini-identity-provider:
 issuer: "http://vaas/auth"
 enabled: true
@@ -16,7 +9,7 @@ mini-identity-provider:
 nginx.ingress.kubernetes.io/rewrite-target: /$2
 nginx.ingress.kubernetes.io/x-forwarded-prefix: "/auth"
 hosts:
- - host: *vaasHost
+ - host: vaas
 paths:
 - path: /auth(/|$)(.*)
 pathType: ImplementationSpecific
@@ -28,16 +21,13 @@ mini-identity-provider:
 image:
 repository: ghcr.io/gdatasoftwareag/vaas/mini-identity-provider
 pullPolicy: Always
- tag: latest
+ tag: 0.1.4
 
 service:
 type: ClusterIP
 http:
 port: 8080
 
- secret:
- dockerconfigjson: ""
-
 networkPolicy:
 enabled: true
 
@@ -52,14 +42,14 @@ gateway:
 className: ""
 annotations: {}
 hosts:
- - host: *vaasHost
+ - host: vaas
 paths:
 - path: /ws
 pathType: ImplementationSpecific
 service:
 name: gateway
 port: 9090
- - host: *vaasHost
+ - host: vaas
 paths:
 - path: /
 pathType: ImplementationSpecific
@@ -77,9 +67,6 @@ gateway:
 networkPolicy:
 enabled: true
 
- secret:
- dockerconfigjson: ""
-
 service:
 type: ClusterIP
 http:
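Review bot: Deleting the whole `global:` block leaves `global.secret` with no default, and the Secret template (its hunk is earlier on this page) now dereferences `.Values.global.secret.dockerconfigjson`, so a user who forgets the value presumably gets a nil-pointer template error on `.secret.dockerconfigjson` instead of the friendly `required` message; the new `gateway.imagePullSecrets` define tolerates the missing `global.imagePullSecrets` only because `range` over nil is a no-op. Keep a skeleton in values.yaml so the intended message is reachable: `global:` / `  secret:` / `    dockerconfigjson: ""`. This also gives the README's `global.secret.dockerconfigjson` instruction a documented home in the default values.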
@@ -117,22 +104,13 @@ gateway: image: repository: ghcr.io/gdatasoftwareag/vaas/gateway pullPolicy: Always - # TODO: Push to production-latest and change to anchor tag: 1.0.2 cloudhashlookup: enabled: false - # Do not touch. Really. Just don't. - # This block is only for G DATA's internal usage. - hashlookup: - enabled: false - apikey: - value: "" - usageevents: - enabled: false - gdscanUrl: "http://gdscan:8080/scan/body" - uploadUrl: "http://vaas/upload" + uploadUrl: "http://vaas/upload" + options: url: "wss://gateway.production.vaas.gdatasecurity.de" tokenurl: "https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token" @@ -148,7 +126,16 @@ gateway: tolerations: [] affinity: {} -#TODO: ImagePullSecret from Global + # This block is only for G DATA's internal usage. + hashlookup: + enabled: false + apikey: + value: "" + usageevents: + enabled: false + gdscanUrl: "http://gdscan:8080/scan/body" + + gdscan: replicaCount: 1 deploymentStrategy: "Recreate" @@ -157,7 +144,7 @@ gdscan: image: repository: ghcr.io/gdatasoftwareag/vaas/scanserver pullPolicy: Always - tag: *versionTag + tag: 1.9.4 containerSecurityContext: enabled: false client: @@ -165,7 +152,7 @@ gdscan: image: repository: ghcr.io/gdatasoftwareag/vaas/scanner pullPolicy: Always - tag: *versionTag + tag: 1.9.4 containerSecurityContext: enabled: false terminationGracePeriodSeconds: 30 @@ -185,18 +172,6 @@ gdscan: port: 8080 path: /metrics - #TODO: Do we need Ingress for Gdscan? - ingress: - enabled: false - className: "" - annotations: {} - hosts: - - host: gdscan.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - resources: server: limits: @@ -237,7 +212,6 @@ gdscan: containerSecurityContext: enabled: false enabled: true - # every hour schedule: "0 * * * *" networkPolicy: enabled: true From 31826b06248667c0dfd57b8c5fb81a77829b63fb Mon Sep 17 00:00:00 2001 
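Review bot: `hashlookup.apikey.value` moves under `gateway` as a plain-text credential default in values.yaml; whichever template consumes it (not in this hunk) will put the key into the rendered release, where it is recoverable through `helm get values` and `helm get manifest` and ends up in any values file operators commit. Offer an existing-Secret path next to it, e.g. `apikey:` / `  value: ""` / `  existingSecret: ""  # name of a Secret holding the key; takes precedence over value`, and read it through a `secretKeyRef` in the template. Until that lands, a comment on `value` marking it as development-only would at least document the exposure.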
From: PT-ATA No One Date: Mon, 15 Jan 2024 16:50:32 +0100 Subject: [PATCH 14/25] add chart repo to command --- .github/workflows/ci.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 7b39fd9..54589ac 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -10,6 +10,9 @@ on: branches: - main +env: + HELM_EXPERIMENTAL_OCI: 1 + jobs: release: runs-on: ubuntu-latest @@ -43,7 +46,7 @@ jobs: uses: helm/chart-testing-action@v2.6.0 - name: Run chart-testing (lint) - run: ct lint --validate-maintainers=false --charts charts/vaas + run: ct lint --chart-repos oci-registry=oci://ghcr.io/gdatasoftwareag --validate-maintainers=false --charts charts/vaas - name: Run chart-releaser if: github.ref == 'refs/heads/main' From 85794d156778c62ca09fa91c93332bc57b9fb68d Mon Sep 17 00:00:00 2001 From: PT-ATA No One Date: Mon, 15 Jan 2024 17:33:14 +0100 Subject: [PATCH 15/25] add ct config for linting --- .github/workflows/chart-testing-config.yaml | 4 ++++ .github/workflows/ci.yaml | 7 +------ 2 files changed, 5 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/chart-testing-config.yaml diff --git a/.github/workflows/chart-testing-config.yaml b/.github/workflows/chart-testing-config.yaml new file mode 100644 index 0000000..8a581ab --- /dev/null +++ b/.github/workflows/chart-testing-config.yaml @@ -0,0 +1,4 @@ +chart-repos: + - bitnami=https://charts.bitnami.com/bitnami/ + - gdscan=https://gdatasoftwareag.github.io/gdscan/ + - oci-registry=oci://ghcr.io/gdatasoftwareag \ No newline at end of file diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 54589ac..2eb5fbd 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
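Review bot: `--chart-repos oci-registry=oci://ghcr.io/gdatasoftwareag` on the new `ct lint` line is, as far as I know, handed to `helm repo add`, which only accepts http(s) index repositories and rejects `oci://` URLs, so it will not make the `mini-identity-provider` OCI dependency resolvable. Helm 3.8 and later pull `oci://` dependencies straight from Chart.yaml during `helm dependency build`, so the workable fix is raising the pinned Helm (the workflow installs v3.4.0 per the later hunk) rather than a repo entry, and the `HELM_EXPERIMENTAL_OCI: 1` added in the first hunk becomes unnecessary too. If the line is kept, a comment explaining why the OCI source needs registering would spare the next reader the same experiment.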
@@ -32,11 +32,6 @@ jobs: with: version: v3.4.0 - - name: Add deps - run: | - helm repo add gdscan https://gdatasoftwareag.github.io/gdscan/ - helm repo add bitnami https://charts.bitnami.com/bitnami/ - - name: Install python uses: actions/setup-python@v4 with: @@ -46,7 +41,7 @@ jobs: uses: helm/chart-testing-action@v2.6.0 - name: Run chart-testing (lint) - run: ct lint --chart-repos oci-registry=oci://ghcr.io/gdatasoftwareag --validate-maintainers=false --charts charts/vaas + run: ct lint --config .github/chart-testing-config.yaml --validate-maintainers=false --charts charts/vaas - name: Run chart-releaser if: github.ref == 'refs/heads/main' From 90cfac99fde7d418c6f4135dd06d4c34b7a8d38c Mon Sep 17 00:00:00 2001 From: PT-ATA No One Date: Mon, 15 Jan 2024 17:34:27 +0100 Subject: [PATCH 16/25] fix path --- .github/{workflows => }/chart-testing-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename .github/{workflows => }/chart-testing-config.yaml (70%) diff --git a/.github/workflows/chart-testing-config.yaml b/.github/chart-testing-config.yaml similarity index 70% rename from .github/workflows/chart-testing-config.yaml rename to .github/chart-testing-config.yaml index 8a581ab..bf2a72d 100644 --- a/.github/workflows/chart-testing-config.yaml +++ b/.github/chart-testing-config.yaml @@ -1,4 +1,4 @@ chart-repos: - bitnami=https://charts.bitnami.com/bitnami/ - gdscan=https://gdatasoftwareag.github.io/gdscan/ - - oci-registry=oci://ghcr.io/gdatasoftwareag \ No newline at end of file + - oci-registry=oci://ghcr.io/gdatasoftwareag/ \ No newline at end of file From d7b66f30b41f5b5409faab7d761461fea2eb8d69 Mon Sep 17 00:00:00 2001 From: PT-ATA No One Date: Mon, 15 Jan 2024 17:46:10 +0100 Subject: [PATCH 17/25] add username --- .github/chart-testing-config.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/chart-testing-config.yaml b/.github/chart-testing-config.yaml index bf2a72d..8ca2d9a 100644 
--- a/.github/chart-testing-config.yaml +++ b/.github/chart-testing-config.yaml @@ -1,4 +1,6 @@ chart-repos: - bitnami=https://charts.bitnami.com/bitnami/ - gdscan=https://gdatasoftwareag.github.io/gdscan/ - - oci-registry=oci://ghcr.io/gdatasoftwareag/ \ No newline at end of file + - oci-registry=oci://ghcr.io/gdatasoftwareag/ +helm-repo-extra-args: + - oci-registry=--username=GdataGithubBot \ No newline at end of file From d3ba682246f2977e3e577be4377a37cce5ad8a0f Mon Sep 17 00:00:00 2001 From: PT-ATA No One Date: Mon, 15 Jan 2024 17:51:56 +0100 Subject: [PATCH 18/25] add pw for oci --- .github/chart-testing-config.yaml | 4 +--- .github/workflows/ci.yaml | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/chart-testing-config.yaml b/.github/chart-testing-config.yaml index 8ca2d9a..bf2a72d 100644 --- a/.github/chart-testing-config.yaml +++ b/.github/chart-testing-config.yaml @@ -1,6 +1,4 @@ chart-repos: - bitnami=https://charts.bitnami.com/bitnami/ - gdscan=https://gdatasoftwareag.github.io/gdscan/ - - oci-registry=oci://ghcr.io/gdatasoftwareag/ -helm-repo-extra-args: - - oci-registry=--username=GdataGithubBot \ No newline at end of file + - oci-registry=oci://ghcr.io/gdatasoftwareag/ \ No newline at end of file diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 2eb5fbd..da56164 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -41,7 +41,7 @@ jobs: uses: helm/chart-testing-action@v2.6.0 - name: Run chart-testing (lint) - run: ct lint --config .github/chart-testing-config.yaml --validate-maintainers=false --charts charts/vaas + run: ct lint --config .github/chart-testing-config.yaml --helm-repo-extra-args 'oci-registry=--username GdataGithubBot --password ${{ secrets.GHRC_PASSWORD }}' --validate-maintainers=false --charts charts/vaas - name: Run chart-releaser if: github.ref == 'refs/heads/main' From f698cf0353a153d9a2035f831d8ea52adbd01c8e Mon Sep 17 00:00:00 2001 
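Review bot: `--password ${{ secrets.GHRC_PASSWORD }}` on the new `ct lint` line expands the secret into the shell command, so it is visible in the `helm repo add` process arguments on the runner and in any verbose or `set -x` output; GitHub's masking only scrubs the job log. Pass it through the environment and stdin in a step before lint instead: `env:` / `  HELM_PASSWORD: ${{ secrets.GHRC_PASSWORD }}` / `run: echo "$HELM_PASSWORD" | helm registry login ghcr.io --username GdataGithubBot --password-stdin`. Note also that the target is an `oci://` repo, which `helm repo add` does not accept to my knowledge, so the extra-args route would not authenticate to the registry even with the value passed safely.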
From: Kevin Heise Date: Tue, 16 Jan 2024 08:43:03 +0100 Subject: [PATCH 19/25] remove oci --- .github/chart-testing-config.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/chart-testing-config.yaml b/.github/chart-testing-config.yaml index bf2a72d..968678b 100644 --- a/.github/chart-testing-config.yaml +++ b/.github/chart-testing-config.yaml @@ -1,4 +1,3 @@ chart-repos: - bitnami=https://charts.bitnami.com/bitnami/ - - gdscan=https://gdatasoftwareag.github.io/gdscan/ - - oci-registry=oci://ghcr.io/gdatasoftwareag/ \ No newline at end of file + - gdscan=https://gdatasoftwareag.github.io/gdscan/ \ No newline at end of file From da846099b7b1ec702883599f8c50a2b161978241 Mon Sep 17 00:00:00 2001 From: Kevin Heise Date: Tue, 16 Jan 2024 08:43:30 +0100 Subject: [PATCH 20/25] remove login --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index da56164..2eb5fbd 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -41,7 +41,7 @@ jobs: uses: helm/chart-testing-action@v2.6.0 - name: Run chart-testing (lint) - run: ct lint --config .github/chart-testing-config.yaml --helm-repo-extra-args 'oci-registry=--username GdataGithubBot --password ${{ secrets.GHRC_PASSWORD }}' --validate-maintainers=false --charts charts/vaas + run: ct lint --config .github/chart-testing-config.yaml --validate-maintainers=false --charts charts/vaas - name: Run chart-releaser if: github.ref == 'refs/heads/main' From 8a2775d0f5d0ef3ce0220ad3497dda8a09930c69 Mon Sep 17 00:00:00 2001 From: Kevin Heise Date: Tue, 16 Jan 2024 09:26:03 +0100 Subject: [PATCH 21/25] update --- .github/workflows/ci.yaml | 2 +- charts/vaas/Chart.lock | 2 +- charts/vaas/templates/gateway/_helpers.tpl | 4 ++-- charts/vaas/values.yaml | 3 +++ 4 files changed, 7 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 2eb5fbd..67486c4 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -38,7 +38,7 @@ jobs: python-version: 3.7 - name: Set up chart-testing - uses: helm/chart-testing-action@v2.6.0 + uses: helm/chart-testing-action@v2.6.1 - name: Run chart-testing (lint) run: ct lint --config .github/chart-testing-config.yaml --validate-maintainers=false --charts charts/vaas diff --git a/charts/vaas/Chart.lock b/charts/vaas/Chart.lock index 43299e7..5fc774f 100644 --- a/charts/vaas/Chart.lock +++ b/charts/vaas/Chart.lock @@ -9,4 +9,4 @@ dependencies: repository: oci://ghcr.io/gdatasoftwareag version: 0.1.12 digest: sha256:3a41433c3889a01631545c8346e9bb60194d0c571a31e2b7913d19a4ba03f3a5 -generated: "2024-01-15T15:08:57.394438008+01:00" +generated: "2024-01-16T09:02:43.648745472+01:00" diff --git a/charts/vaas/templates/gateway/_helpers.tpl b/charts/vaas/templates/gateway/_helpers.tpl index ac1f060..30dfead 100644 --- a/charts/vaas/templates/gateway/_helpers.tpl +++ b/charts/vaas/templates/gateway/_helpers.tpl @@ -28,8 +28,8 @@ imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} - {{- range .Values.imagePullSecrets }} - - name: {{ . }} + {{- if .Values.imagePullSecret }} + - name: {{ .Release.Name }}-registry-secret {{- end }} {{- end -}} diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml index 2fea43c..ebfd5cc 100644 --- a/charts/vaas/values.yaml +++ b/charts/vaas/values.yaml @@ -1,3 +1,6 @@ +global: + imagePullSecrets: [] + mini-identity-provider: issuer: "http://vaas/auth" enabled: true From 59cd2cbebcaf4da2a2c57ee7d37e0694a880ee48 Mon Sep 17 00:00:00 2001 From: Kevin Heise Date: Tue, 16 Jan 2024 09:29:41 +0100 Subject: [PATCH 22/25] add oci repo --- .github/chart-testing-config.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
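Review bot: The helper now emits `- name: {{ .Release.Name }}-registry-secret`, but the only registry Secret this series renders (`templates/gateway/secret.yaml`, earlier in the series) is named `registry`, and the `.Values.imagePullSecret` flag it tests is not declared in this commit's values.yaml hunk, which adds only `global.imagePullSecrets: []`; unless secret.yaml is renamed elsewhere, enabling the flag references a Secret that does not exist and the pod stays in ImagePullBackOff. Either emit `- name: registry` to match the Secret, or rename the Secret's `metadata.name` to the same release-prefixed form. Please also add `imagePullSecret: false` to values.yaml with a comment, e.g. `# true: reference the registry Secret rendered by templates/gateway/secret.yaml`.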
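Review bot: `global.imagePullSecrets: []` needs a comment on its element type, because the gateway helper ranges over it emitting `- name: {{ . }}`, so entries must be plain Secret names, while the default this series removed earlier (`- name: registry`) was a list of maps and would now render as `name: map[name:registry]`. Suggested: `# names of existing image pull Secrets, as plain strings, e.g. ["registry"]`.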
diff --git a/.github/chart-testing-config.yaml b/.github/chart-testing-config.yaml index 968678b..dfe5a26 100644 --- a/.github/chart-testing-config.yaml +++ b/.github/chart-testing-config.yaml @@ -1,3 +1,4 @@ chart-repos: - bitnami=https://charts.bitnami.com/bitnami/ - - gdscan=https://gdatasoftwareag.github.io/gdscan/ \ No newline at end of file + - gdscan=https://gdatasoftwareag.github.io/gdscan/ + - mipd=oci://ghcr.io/gdatasoftwareag/ \ No newline at end of file From 515bb7214f45260d1ae640d295552c9d95a64843 Mon Sep 17 00:00:00 2001 From: Kevin Heise Date: Tue, 16 Jan 2024 09:48:12 +0100 Subject: [PATCH 23/25] increase helm version --- .github/chart-testing-config.yaml | 3 +-- .github/workflows/ci.yaml | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/chart-testing-config.yaml b/.github/chart-testing-config.yaml index dfe5a26..968678b 100644 --- a/.github/chart-testing-config.yaml +++ b/.github/chart-testing-config.yaml @@ -1,4 +1,3 @@ chart-repos: - bitnami=https://charts.bitnami.com/bitnami/ - - gdscan=https://gdatasoftwareag.github.io/gdscan/ - - mipd=oci://ghcr.io/gdatasoftwareag/ \ No newline at end of file + - gdscan=https://gdatasoftwareag.github.io/gdscan/ \ No newline at end of file diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 67486c4..115f4ac 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -30,7 +30,7 @@ jobs: - name: Install Helm uses: azure/setup-helm@v3 with: - version: v3.4.0 + version: v3.13.3 - name: Install python uses: actions/setup-python@v4 From 2b2dcba5bd58a6ad2ea3fe30207e4d75775ccc3c Mon Sep 17 00:00:00 2001 From: Kevin Heise Date: Tue, 16 Jan 2024 10:11:54 +0100 Subject: [PATCH 24/25] remove spaces --- charts/vaas/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml index ebfd5cc..fd7cd0d 100644 --- a/charts/vaas/values.yaml +++ b/charts/vaas/values.yaml 
@@ -112,7 +112,7 @@ gateway:
 cloudhashlookup:
 enabled: false
- uploadUrl: "http://vaas/upload"
+ uploadUrl: "http://vaas/upload"
 options:
 url: "wss://gateway.production.vaas.gdatasecurity.de"
From 29ae8862abcaa7200aebdf42f56f3ff22629c0f6 Mon Sep 17 00:00:00 2001
From: Kevin Heise
Date: Tue, 16 Jan 2024 10:17:59 +0100
Subject: [PATCH 25/25] add cr token
---
 .github/workflows/ci.yaml | 2 +-
 charts/vaas/values.yaml | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 115f4ac..cf27ebc 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -47,4 +47,4 @@ jobs:
 if: github.ref == 'refs/heads/main'
 uses: helm/chart-releaser-action@v1.5.0
 env:
- CR_TOKEN: "${{ secrets.BOT_SECRET }}"
\ No newline at end of file
+ CR_TOKEN: "${{ secrets.CR_TOKEN }}"
\ No newline at end of file
diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml
index fd7cd0d..c443c14 100644
--- a/charts/vaas/values.yaml
+++ b/charts/vaas/values.yaml
@@ -120,7 +120,6 @@ gateway:
 credentials:
 granttype: "ClientCredentials"
 clientid: ""
- # TODO: Secrify it
 clientsecret:
 value: ""