EthAdapter 0.4.1 - Checkov fixes (#24)
* ethadapter: do not mount serviceToken by default

* ethadapter: version bump

* doc version bump and fix repo name

* option to specify the image digest

* test for sha

* test for automountServiceAccountToken

* Cleanup tests
tgip-work authored Apr 13, 2022
1 parent 2c2b12d commit a628d81
Showing 9 changed files with 80 additions and 19 deletions.
3 changes: 3 additions & 0 deletions .checkov/ethadapter/values.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,6 @@
image:
sha: "somedigest"

# -- Security Context for the pod.
# See [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
podSecurityContext: {}
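Review bot: `sha: "somedigest"` is not a digest, so the reference this fixture renders (`...@sha256:somedigest`) could never be pulled; that is fine for the static scan the `.checkov` values exist for, but a comment marking it as a placeholder would stop someone copying it into a real values file, and a syntactically valid 64-character hex value (clearly labelled fake) would keep the fixture working if the template ever validates the digest format.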
2 changes: 1 addition & 1 deletion charts/ethadapter/Chart.yaml
@@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.4.0
version: 0.4.1

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
20 changes: 11 additions & 9 deletions charts/ethadapter/README.md
@@ -1,6 +1,6 @@
# ethadapter

![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)

A Helm chart for Pharma Ledger Ethereum Adapter Service

@@ -58,7 +58,7 @@ This is to prevent exposing the service to the internet by accident!**
Install the chart with the release name `ethadapter` in namespace `ethadapter` and read SmartContract address from pre-existing ConfigMap created by helm chart *smartcontract*.

```bash
helm upgrade --install ethadapter ph-ethadapter/ethadapter --version=0.4.0 \
helm upgrade --install ethadapter pharmaledger-imi/ethadapter --version=0.4.1 \
--install \
--set secrets.orgAccountJson="\{\"address\": \"0xb5ced4530d6ccbb31b2b542fd9b4558b52296784\"\, \"privateKey\": \"0x6b93a268f68239d321981125ecf24488920c6b3d900043d56fef66adb776abd5\"\}"
--wait \
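Review bot: the `--set secrets.orgAccountJson=...` line in this hunk ends without a trailing `\`, so the shell treats `--wait \` and the lines after it as a separate command and the install runs without `--wait`/`--timeout`; add the backslash. README.md is rendered from README.md.gotmpl, where the same line (with the same defect) lives, so the fix belongs there followed by a regenerate. Separately, passing the account JSON with its private key via `--set` leaves the key in shell history and process listings; the docs should point operators at a values file or a pre-existing Secret for real keys, and the `privateKey` shown here should be an obviously dummy value.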
@@ -79,7 +79,7 @@ helm upgrade --install ethadapter ph-ethadapter/ethadapter --version=0.4.0 \
2. Install via helm to namespace `ethadapter` either by passing sensitive *Org Account JSON* value in JSON format as escaped string

```bash
helm upgrade --install ethadapter ph-ethadapter/ethadapter --version=0.4.0 \
helm upgrade --install ethadapter pharmaledger-imi/ethadapter --version=0.4.1 \
--wait \
--timeout 10m \
--values my-config.yaml \
@@ -90,7 +90,7 @@ helm upgrade --install ethadapter ph-ethadapter/ethadapter --version=0.4.0 \
3. or pass sensitive *Org Account JSON* value in JSON format as base64 encoded string

```bash
helm upgrade --install ethadapter ph-ethadapter/ethadapter --version=0.4.0 \
helm upgrade --install ethadapter pharmaledger-imi/ethadapter --version=0.4.1 \
--wait \
--timeout 10m \
--values my-config.yaml \
@@ -230,23 +230,23 @@ rm -rf ./testresults/*
# https://github.com/helm/helm/issues/5618
echo ""
echo "Default values and secret passed as String"
helm template test-ethadapter ph-ethadapter/ethadapter --version=0.4.0 --values ./tests/data/default.yaml --set-string secrets.orgAccountJson="\{ \"key\": \"value\" \}" > ./tests/results/result_default2.yaml
helm template test-ethadapter pharmaledger-imi/ethadapter --version=0.4.1 --values ./tests/data/default.yaml --set-string secrets.orgAccountJson="\{ \"key\": \"value\" \}" > ./tests/results/result_default2.yaml
echo ""
echo "Default values and secret passed as base64 encoded String"
helm template test-ethadapter ph-ethadapter/ethadapter --version=0.4.0 --values ./tests/data/default.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_default_base64.yaml
helm template test-ethadapter pharmaledger-imi/ethadapter --version=0.4.1 --values ./tests/data/default.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_default_base64.yaml
echo ""
echo "LoadBalancer"
helm template test-ethadapter ph-ethadapter/ethadapter --version=0.4.0 --values ./tests/data/loadbalancer.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer.yaml
helm template test-ethadapter pharmaledger-imi/ethadapter --version=0.4.1 --values ./tests/data/loadbalancer.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer.yaml
echo ""
echo "LoadBalancer and annotations"
helm template test-ethadapter ph-ethadapter/ethadapter --version=0.4.0 --values ./tests/data/loadbalancer_annotations.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer_annotations.yaml
helm template test-ethadapter pharmaledger-imi/ethadapter --version=0.4.1 --values ./tests/data/loadbalancer_annotations.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer_annotations.yaml
echo ""
echo "Ingress via AWS LB Controller"
helm template test-ethadapter ph-ethadapter/ethadapter --version=0.4.0 --values ./tests/data/aws_lb_controller_ingress.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_aws_lb_controller_ingress.yaml
helm template test-ethadapter pharmaledger-imi/ethadapter --version=0.4.1 --values ./tests/data/aws_lb_controller_ingress.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_aws_lb_controller_ingress.yaml
```

## Maintainers
@@ -272,6 +272,7 @@ helm template test-ethadapter ph-ethadapter/ethadapter --version=0.4.0 --values
| fullnameOverride | string | `""` | fullnameOverride completely replaces the generated name. From [https://stackoverflow.com/questions/63838705/what-is-the-difference-between-fullnameoverride-and-nameoverride-in-helm](https://stackoverflow.com/questions/63838705/what-is-the-difference-between-fullnameoverride-and-nameoverride-in-helm) |
| image.pullPolicy | string | `"IfNotPresent"` | Image Pull Policy |
| image.repository | string | `"pharmaledger/apiadapter"` | The repository of the container image |
| image.sha | string | `""` | sha256 digest of the image. Do not add the prefix "@sha256:" |
| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
| imagePullSecrets | list | `[]` | Secret(s) for pulling an container image from a private registry. See [https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) |
| ingress.annotations | object | `{}` | Ingress annotations. For AWS LB Controller, see [https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.3/guide/ingress/annotations/](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.3/guide/ingress/annotations/) For Azure Application Gateway Ingress Controller, see [https://azure.github.io/application-gateway-kubernetes-ingress/annotations/](https://azure.github.io/application-gateway-kubernetes-ingress/annotations/) For NGINX Ingress Controller, see [https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/) For Traefik Ingress Controller, see [https://doc.traefik.io/traefik/routing/providers/kubernetes-ingress/#annotations](https://doc.traefik.io/traefik/routing/providers/kubernetes-ingress/#annotations) |
@@ -294,6 +295,7 @@ helm template test-ethadapter ph-ethadapter/ethadapter --version=0.4.0 --values
| service.port | int | `3000` | Port where the service will be exposed |
| service.type | string | `"ClusterIP"` | Either ClusterIP, NodePort or LoadBalancer. See [https://kubernetes.io/docs/concepts/services-networking/service/](https://kubernetes.io/docs/concepts/services-networking/service/) |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| serviceAccount.automountServiceAccountToken | bool | `false` | Whether automounting API credentials for a service account is enabled or not. See [https://docs.bridgecrew.io/docs/bc_k8s_35](https://docs.bridgecrew.io/docs/bc_k8s_35) |
| serviceAccount.create | bool | `false` | Specifies whether a service account should be created |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| tolerations | list | `[]` | Tolerations for scheduling a pod. See [https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
16 changes: 8 additions & 8 deletions charts/ethadapter/README.md.gotmpl
@@ -58,7 +58,7 @@ This is to prevent exposing the service to the internet by accident!**
Install the chart with the release name `ethadapter` in namespace `ethadapter` and read SmartContract address from pre-existing ConfigMap created by helm chart *smartcontract*.

```bash
helm upgrade --install ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . }} \
helm upgrade --install ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} \
--install \
--set secrets.orgAccountJson="\{\"address\": \"0xb5ced4530d6ccbb31b2b542fd9b4558b52296784\"\, \"privateKey\": \"0x6b93a268f68239d321981125ecf24488920c6b3d900043d56fef66adb776abd5\"\}"
--wait \
@@ -79,7 +79,7 @@ helm upgrade --install ethadapter ph-ethadapter/ethadapter --version={{ template
2. Install via helm to namespace `ethadapter` either by passing sensitive *Org Account JSON* value in JSON format as escaped string

```bash
helm upgrade --install ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . }} \
helm upgrade --install ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} \
--wait \
--timeout 10m \
--values my-config.yaml \
@@ -90,7 +90,7 @@ helm upgrade --install ethadapter ph-ethadapter/ethadapter --version={{ template
3. or pass sensitive *Org Account JSON* value in JSON format as base64 encoded string

```bash
helm upgrade --install ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . }} \
helm upgrade --install ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} \
--wait \
--timeout 10m \
--values my-config.yaml \
@@ -230,23 +230,23 @@ rm -rf ./testresults/*
# https://github.com/helm/helm/issues/5618
echo ""
echo "Default values and secret passed as String"
helm template test-ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/default.yaml --set-string secrets.orgAccountJson="\{ \"key\": \"value\" \}" > ./tests/results/result_default2.yaml
helm template test-ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/default.yaml --set-string secrets.orgAccountJson="\{ \"key\": \"value\" \}" > ./tests/results/result_default2.yaml

echo ""
echo "Default values and secret passed as base64 encoded String"
helm template test-ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/default.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_default_base64.yaml
helm template test-ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/default.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_default_base64.yaml

echo ""
echo "LoadBalancer"
helm template test-ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/loadbalancer.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer.yaml
helm template test-ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/loadbalancer.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer.yaml

echo ""
echo "LoadBalancer and annotations"
helm template test-ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/loadbalancer_annotations.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer_annotations.yaml
helm template test-ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/loadbalancer_annotations.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer_annotations.yaml

echo ""
echo "Ingress via AWS LB Controller"
helm template test-ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/aws_lb_controller_ingress.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_aws_lb_controller_ingress.yaml
helm template test-ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/aws_lb_controller_ingress.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_aws_lb_controller_ingress.yaml
```

{{ template "chart.maintainersSection" . }}
5 changes: 5 additions & 0 deletions charts/ethadapter/templates/deployment.yaml
@@ -27,14 +27,19 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
serviceAccountName: {{ include "ethadapter.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- if .Values.image.sha }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}@sha256:{{ .Values.image.sha }}"
{{- else }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: RPC_ADDRESS
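Review bot: `.Values.image.sha` is interpolated into the image reference with no validation (`{{- if .Values.image.sha }}` ... `@sha256:{{ .Values.image.sha }}`), so a typo, or a value pasted with the `@sha256:` prefix that values.yaml warns against, is only caught at pull time; a guard such as `{{- if not (regexMatch "^[0-9a-f]{64}$" .Values.image.sha) }}{{ fail "image.sha must be a 64-character hex sha256 digest" }}{{- end }}` inside the `if` branch surfaces it at `helm template` time instead. The template comment should also say that when both are present the runtime resolves the image by digest and the tag is informational only, which is the property that makes this a fix for the pinning check. Style: the two near-identical `image:` lines could collapse into one with a conditional `@sha256:` suffix.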
@@ -0,0 +1,21 @@
suite: test deployment with automountServiceAccountToken enabled
templates:
- deployment.yaml
- configmap.yaml
- secret.yaml
tests:
- it: should work
set:
config:
rpcAddress: "rpcAddress_value"
smartContractAddress: "smartContractAddress_value"
smartContractAbi: "smartContractAbi_value"
secrets:
orgAccountJson: "{ \"key\": \"value\" }"
serviceAccount:
automountServiceAccountToken: true
asserts:
- template: deployment.yaml
equal:
path: spec.template.spec.automountServiceAccountToken
value: true
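Review bot: only the opt-in path is covered; the headline change of this commit (no service account token mounted by default) has no assertion. Add a second `it:` case without the `serviceAccount:` override that asserts `path: spec.template.spec.automountServiceAccountToken` equals `false`, so a later values.yaml edit cannot silently flip the default back to mounting credentials.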
23 changes: 23 additions & 0 deletions charts/ethadapter/tests/deployment_custom_image_and_sha_test.yaml
@@ -0,0 +1,23 @@
suite: test deployment with an custom image and sha
templates:
- deployment.yaml
- configmap.yaml
- secret.yaml
tests:
- it: should work
set:
config:
rpcAddress: "rpcAddress_value"
smartContractAddress: "smartContractAddress_value"
smartContractAbi: "smartContractAbi_value"
secrets:
orgAccountJson: "{ \"key\": \"value\" }"
image:
repository: custom_repository
tag: "custom_tag"
sha: "custom_sha"
asserts:
- template: deployment.yaml
equal:
path: spec.template.spec.containers[0].image
value: custom_repository:custom_tag@sha256:custom_sha
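Review bot: `sha: "custom_sha"` only passes because the template does not validate the digest; if a format check is added to deployment.yaml this fixture needs a 64-character hex value, so it is cheaper to use one now. The negative case (no `sha` set renders `custom_repository:custom_tag` with no `@sha256:` suffix) is also worth asserting, unless deployment_custom_image_test.yaml already does; only its suite line is visible in this diff.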
2 changes: 1 addition & 1 deletion charts/ethadapter/tests/deployment_custom_image_test.yaml
@@ -1,4 +1,4 @@
suite: test deployment with an custom image
suite: test deployment with an custom image and pullPolicy Always
templates:
- deployment.yaml
- configmap.yaml
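Review bot: "an custom image" should read "a custom image", here and in the new deployment_custom_image_and_sha_test.yaml suite name, since these strings appear in the test runner output.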
7 changes: 7 additions & 0 deletions charts/ethadapter/values.yaml
@@ -12,6 +12,9 @@ image:
pullPolicy: IfNotPresent
# -- Overrides the image tag whose default is the chart appVersion.
tag: ""
# -- sha256 digest of the image.
# Do not add the prefix "@sha256:"
sha: ""

# -- Secret(s) for pulling an container image from a private registry.
# See [https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
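Review bot: the `sha` comment should tell the operator what setting it changes: once a digest is given the image is resolved by content, `tag` becomes informational, and the existing `pullPolicy: IfNotPresent` remains safe because a cached digest-addressed image cannot differ from the registry copy. Stating that the field is ignored when empty (which is how deployment.yaml treats it) would also make the default `""` self-explanatory in the generated README table.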
@@ -32,6 +35,10 @@ serviceAccount:
# If not set and create is true, a name is generated using the fullname template
name: ""

# -- Whether automounting API credentials for a service account is enabled or not.
# See [https://docs.bridgecrew.io/docs/bc_k8s_35](https://docs.bridgecrew.io/docs/bc_k8s_35)
automountServiceAccountToken: false

# -- Annotations added to the pod
podAnnotations: {}
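Review bot: the comment should say which object this field controls. The chart writes it into the pod spec (`spec.template.spec.automountServiceAccountToken`), and the pod-level field takes precedence over the ServiceAccount's own setting, so `false` here keeps the token out of the container even when the ServiceAccount would allow mounting. If `serviceAccount.create` is true, setting the same field on the ServiceAccount object (not part of this diff) would extend the safe default to any other workload that reuses that account.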


0 comments on commit a628d81