diff --git a/.checkov/ethadapter/values.yaml b/.checkov/ethadapter/values.yaml index 81b9af96..d2a92c19 100644 --- a/.checkov/ethadapter/values.yaml +++ b/.checkov/ethadapter/values.yaml @@ -1,3 +1,6 @@ +image: + sha: "somedigest" + # -- Security Context for the pod. # See [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) podSecurityContext: {} diff --git a/charts/ethadapter/Chart.yaml b/charts/ethadapter/Chart.yaml index 486aecfd..ead1c063 100644 --- a/charts/ethadapter/Chart.yaml +++ b/charts/ethadapter/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.4.0 +version: 0.4.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/ethadapter/README.md b/charts/ethadapter/README.md index 7713d268..1b0f2b64 100644 --- a/charts/ethadapter/README.md +++ b/charts/ethadapter/README.md 
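Review bot: The `sha: "somedigest"` override in `.checkov/ethadapter/values.yaml` gives the scanned manifest a digest that the chart's own defaults do not have. A passing image-digest check on this file therefore says nothing about a default install, where `image.sha` is `""` and the image is pulled by tag. Presumably this file feeds the Checkov run; if so, a comment above the key should mark it as such, e.g. `# scan-only placeholder so the rendered image carries a digest; real deployments must set image.sha themselves`.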
@@ -1,6 +1,6 @@ # ethadapter -![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) +![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) A Helm chart for Pharma Ledger Ethereum Adapter Service @@ -58,7 +58,7 @@ This is to prevent exposing the service to the internet by accident!** Install the chart with the release name `ethadapter` in namespace `ethadapter` and read SmartContract address from pre-existing ConfigMap created by helm chart *smartcontract*. ```bash -helm upgrade --install ethadapter ph-ethadapter/ethadapter --version=0.4.0 \ +helm upgrade --install ethadapter pharmaledger-imi/ethadapter --version=0.4.1 \ --install \ --set secrets.orgAccountJson="\{\"address\": \"0xb5ced4530d6ccbb31b2b542fd9b4558b52296784\"\, \"privateKey\": \"0x6b93a268f68239d321981125ecf24488920c6b3d900043d56fef66adb776abd5\"\}" --wait \ @@ -79,7 +79,7 @@ helm upgrade --install ethadapter ph-ethadapter/ethadapter --version=0.4.0 \ 2. Install via helm to namespace `ethadapter` either by passing sensitive *Org Account JSON* value in JSON format as escaped string ```bash - helm upgrade --install ethadapter ph-ethadapter/ethadapter --version=0.4.0 \ + helm upgrade --install ethadapter pharmaledger-imi/ethadapter --version=0.4.1 \ --wait \ --timeout 10m \ --values my-config.yaml \ 
@@ -90,7 +90,7 @@ helm upgrade --install ethadapter ph-ethadapter/ethadapter --version=0.4.0 \ 3. or pass sensitive *Org Account JSON* value in JSON format as base64 encoded string ```bash - helm upgrade --install ethadapter ph-ethadapter/ethadapter --version=0.4.0 \ + helm upgrade --install ethadapter pharmaledger-imi/ethadapter --version=0.4.1 \ --wait \ --timeout 10m \ --values my-config.yaml \ 
@@ -230,23 +230,23 @@ rm -rf ./testresults/* # https://github.com/helm/helm/issues/5618 echo "" echo "Default values and secret passed as String" -helm template test-ethadapter ph-ethadapter/ethadapter --version=0.4.0 --values ./tests/data/default.yaml --set-string secrets.orgAccountJson="\{ \"key\": \"value\" \}" > ./tests/results/result_default2.yaml +helm template test-ethadapter pharmaledger-imi/ethadapter --version=0.4.1 --values ./tests/data/default.yaml --set-string secrets.orgAccountJson="\{ \"key\": \"value\" \}" > ./tests/results/result_default2.yaml echo "" echo "Default values and secret passed as base64 encoded String" -helm template test-ethadapter ph-ethadapter/ethadapter --version=0.4.0 --values ./tests/data/default.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_default_base64.yaml +helm template test-ethadapter pharmaledger-imi/ethadapter --version=0.4.1 --values ./tests/data/default.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_default_base64.yaml echo "" echo "LoadBalancer" -helm template test-ethadapter ph-ethadapter/ethadapter --version=0.4.0 --values ./tests/data/loadbalancer.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer.yaml +helm template test-ethadapter pharmaledger-imi/ethadapter --version=0.4.1 --values ./tests/data/loadbalancer.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer.yaml echo "" echo "LoadBalancer and annotations" -helm template test-ethadapter ph-ethadapter/ethadapter --version=0.4.0 --values ./tests/data/loadbalancer_annotations.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer_annotations.yaml +helm template test-ethadapter pharmaledger-imi/ethadapter --version=0.4.1 --values ./tests/data/loadbalancer_annotations.yaml --set-string 
secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer_annotations.yaml echo "" echo "Ingress via AWS LB Controller" -helm template test-ethadapter ph-ethadapter/ethadapter --version=0.4.0 --values ./tests/data/aws_lb_controller_ingress.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_aws_lb_controller_ingress.yaml +helm template test-ethadapter pharmaledger-imi/ethadapter --version=0.4.1 --values ./tests/data/aws_lb_controller_ingress.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_aws_lb_controller_ingress.yaml ``` ## Maintainers 
@@ -272,6 +272,7 @@ helm template test-ethadapter ph-ethadapter/ethadapter --version=0.4.0 --values | fullnameOverride | string | `""` | fullnameOverride completely replaces the generated name. From [https://stackoverflow.com/questions/63838705/what-is-the-difference-between-fullnameoverride-and-nameoverride-in-helm](https://stackoverflow.com/questions/63838705/what-is-the-difference-between-fullnameoverride-and-nameoverride-in-helm) | | image.pullPolicy | string | `"IfNotPresent"` | Image Pull Policy | | image.repository | string | `"pharmaledger/apiadapter"` | The repository of the container image | +| image.sha | string | `""` | sha256 digest of the image. Do not add the prefix "@sha256:" | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | Secret(s) for pulling an container image from a private registry. See [https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) | | ingress.annotations | object | `{}` | Ingress annotations. For AWS LB Controller, see [https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.3/guide/ingress/annotations/](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.3/guide/ingress/annotations/) For Azure Application Gateway Ingress Controller, see [https://azure.github.io/application-gateway-kubernetes-ingress/annotations/](https://azure.github.io/application-gateway-kubernetes-ingress/annotations/) For NGINX Ingress Controller, see [https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/) For Traefik Ingress Controller, see [https://doc.traefik.io/traefik/routing/providers/kubernetes-ingress/#annotations](https://doc.traefik.io/traefik/routing/providers/kubernetes-ingress/#annotations) | 
@@ -294,6 +295,7 @@ helm template test-ethadapter ph-ethadapter/ethadapter --version=0.4.0 --values | service.port | int | `3000` | Port where the service will be exposed | | service.type | string | `"ClusterIP"` | Either ClusterIP, NodePort or LoadBalancer. See [https://kubernetes.io/docs/concepts/services-networking/service/](https://kubernetes.io/docs/concepts/services-networking/service/) | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.automountServiceAccountToken | bool | `false` | Whether automounting API credentials for a service account is enabled or not. See [https://docs.bridgecrew.io/docs/bc_k8s_35](https://docs.bridgecrew.io/docs/bc_k8s_35) | | serviceAccount.create | bool | `false` | Specifies whether a service account should be created | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | tolerations | list | `[]` | Tolerations for scheduling a pod. See [https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | diff --git a/charts/ethadapter/README.md.gotmpl b/charts/ethadapter/README.md.gotmpl index 0d3b0447..89796ddc 100644 --- a/charts/ethadapter/README.md.gotmpl +++ b/charts/ethadapter/README.md.gotmpl 
@@ -58,7 +58,7 @@ This is to prevent exposing the service to the internet by accident!** Install the chart with the release name `ethadapter` in namespace `ethadapter` and read SmartContract address from pre-existing ConfigMap created by helm chart *smartcontract*. ```bash -helm upgrade --install ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . }} \ +helm upgrade --install ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} \ --install \ --set secrets.orgAccountJson="\{\"address\": \"0xb5ced4530d6ccbb31b2b542fd9b4558b52296784\"\, \"privateKey\": \"0x6b93a268f68239d321981125ecf24488920c6b3d900043d56fef66adb776abd5\"\}" --wait \ @@ -79,7 +79,7 @@ helm upgrade --install ethadapter ph-ethadapter/ethadapter --version={{ template 2. Install via helm to namespace `ethadapter` either by passing sensitive *Org Account JSON* value in JSON format as escaped string ```bash - helm upgrade --install ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . }} \ + helm upgrade --install ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} \ --wait \ --timeout 10m \ --values my-config.yaml \ @@ -90,7 +90,7 @@ helm upgrade --install ethadapter ph-ethadapter/ethadapter --version={{ template 3. or pass sensitive *Org Account JSON* value in JSON format as base64 encoded string ```bash - helm upgrade --install ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . }} \ + helm upgrade --install ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} \ --wait \ --timeout 10m \ --values my-config.yaml \ 
@@ -230,23 +230,23 @@ rm -rf ./testresults/* # https://github.com/helm/helm/issues/5618 echo "" echo "Default values and secret passed as String" -helm template test-ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/default.yaml --set-string secrets.orgAccountJson="\{ \"key\": \"value\" \}" > ./tests/results/result_default2.yaml +helm template test-ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/default.yaml --set-string secrets.orgAccountJson="\{ \"key\": \"value\" \}" > ./tests/results/result_default2.yaml echo "" echo "Default values and secret passed as base64 encoded String" -helm template test-ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/default.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_default_base64.yaml +helm template test-ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/default.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_default_base64.yaml echo "" echo "LoadBalancer" -helm template test-ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/loadbalancer.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer.yaml +helm template test-ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/loadbalancer.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer.yaml echo "" echo "LoadBalancer and annotations" -helm template test-ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . 
}} --values ./tests/data/loadbalancer_annotations.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer_annotations.yaml +helm template test-ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/loadbalancer_annotations.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_loadbalancer_annotations.yaml echo "" echo "Ingress via AWS LB Controller" -helm template test-ethadapter ph-ethadapter/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/aws_lb_controller_ingress.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_aws_lb_controller_ingress.yaml +helm template test-ethadapter pharmaledger-imi/ethadapter --version={{ template "chart.version" . }} --values ./tests/data/aws_lb_controller_ingress.yaml --set-string secrets.orgAccountJsonBase64="eyAia2V5IjogInZhbHVlIiB9" > ./tests/results/result_aws_lb_controller_ingress.yaml ``` {{ template "chart.maintainersSection" . }} diff --git a/charts/ethadapter/templates/deployment.yaml b/charts/ethadapter/templates/deployment.yaml index 8f0b45ba..c3546902 100644 --- a/charts/ethadapter/templates/deployment.yaml +++ b/charts/ethadapter/templates/deployment.yaml @@ -27,6 +27,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} serviceAccountName: {{ include "ethadapter.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} 
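Review bot: The added `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` line in `deployment.yaml` fails open. If an override file sets the key to `null`, the template would render an empty value, the field is dropped, and Kubernetes falls back to mounting the token. Rendering it as `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken | default false }}` keeps the pod without a token unless someone explicitly sets `true`. The setting is applied to the pod spec only; whether the ServiceAccount template also honours it cannot be seen from this hunk, which starts and ends inside the pod spec.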
@@ -34,7 +35,11 @@ spec: - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} + {{- if .Values.image.sha }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}@sha256:{{ .Values.image.sha }}" + {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: RPC_ADDRESS diff --git a/charts/ethadapter/tests/deployment_automountServiceAccountToken.yaml b/charts/ethadapter/tests/deployment_automountServiceAccountToken.yaml new file mode 100644 index 00000000..053d1182 --- /dev/null +++ b/charts/ethadapter/tests/deployment_automountServiceAccountToken.yaml @@ -0,0 +1,21 @@ +suite: test deployment with automountServiceAccountToken enabled +templates: + - deployment.yaml + - configmap.yaml + - secret.yaml +tests: + - it: should work + set: + config: + rpcAddress: "rpcAddress_value" + smartContractAddress: "smartContractAddress_value" + smartContractAbi: "smartContractAbi_value" + secrets: + orgAccountJson: "{ \"key\": \"value\" }" + serviceAccount: + automountServiceAccountToken: true + asserts: + - template: deployment.yaml + equal: + path: spec.template.spec.automountServiceAccountToken + value: true \ No newline at end of file diff --git a/charts/ethadapter/tests/deployment_custom_image_and_sha_test.yaml b/charts/ethadapter/tests/deployment_custom_image_and_sha_test.yaml new file mode 100644 index 00000000..ba6e548c --- /dev/null +++ b/charts/ethadapter/tests/deployment_custom_image_and_sha_test.yaml 
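Review bot: `.Values.image.sha` is interpolated into the image reference without any format check in the new `{{- if .Values.image.sha }}` branch, so a value pasted with the `@sha256:` prefix or a truncated digest only surfaces as an image pull failure at deploy time. A render-time guard inside that branch would catch it earlier: `{{- if not (regexMatch "^[a-f0-9]{64}$" .Values.image.sha) }}{{ fail "image.sha must be the 64-character hex digest without the @sha256: prefix" }}{{- end }}`. The fixtures `sha: "custom_sha"` in `deployment_custom_image_and_sha_test.yaml` and `sha: "somedigest"` in `.checkov/ethadapter/values.yaml` would then need digest-shaped values. The container spec continues outside the hunk.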
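Review bot: The new suite in `deployment_automountServiceAccountToken.yaml` only asserts the opt-in case (`automountServiceAccountToken: true`), so the hardened default is untested and a later change to the default in `values.yaml` would go unnoticed. I would add a second test without the `serviceAccount` override that asserts `path: spec.template.spec.automountServiceAccountToken` equals `value: false`. The file also ends without a trailing newline.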
@@ -0,0 +1,23 @@ +suite: test deployment with an custom image and sha +templates: + - deployment.yaml + - configmap.yaml + - secret.yaml +tests: + - it: should work + set: + config: + rpcAddress: "rpcAddress_value" + smartContractAddress: "smartContractAddress_value" + smartContractAbi: "smartContractAbi_value" + secrets: + orgAccountJson: "{ \"key\": \"value\" }" + image: + repository: custom_repository + tag: "custom_tag" + sha: "custom_sha" + asserts: + - template: deployment.yaml + equal: + path: spec.template.spec.containers[0].image + value: custom_repository:custom_tag@sha256:custom_sha diff --git a/charts/ethadapter/tests/deployment_custom_image_test.yaml b/charts/ethadapter/tests/deployment_custom_image_test.yaml index 1dcfe3e2..e75c675a 100644 --- a/charts/ethadapter/tests/deployment_custom_image_test.yaml +++ b/charts/ethadapter/tests/deployment_custom_image_test.yaml @@ -1,4 +1,4 @@ -suite: test deployment with an custom image +suite: test deployment with an custom image and pullPolicy Always templates: - deployment.yaml - configmap.yaml diff --git a/charts/ethadapter/values.yaml b/charts/ethadapter/values.yaml index fd8a0273..60add293 100644 --- a/charts/ethadapter/values.yaml +++ b/charts/ethadapter/values.yaml @@ -12,6 +12,9 @@ image: pullPolicy: IfNotPresent # -- Overrides the image tag whose default is the chart appVersion. tag: "" + # -- sha256 digest of the image. + # Do not add the prefix "@sha256:" + sha: "" # -- Secret(s) for pulling an container image from a private registry. # See [https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) 
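Review bot: The comment on `image.sha` in `charts/ethadapter/values.yaml` does not say how the digest interacts with `tag`, while the template renders `repository:tag@sha256:sha`. Container runtimes generally resolve such a reference by digest and ignore the tag, so I would extend the comment with something like `# When set, the image is pulled by this digest and the tag is informational only; leave empty to pull by tag.` Because the default is `""`, a default install still resolves a mutable tag; the comment could say so, so operators know pinning is opt-in.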
@@ -32,6 +35,10 @@ serviceAccount: # If not set and create is true, a name is generated using the fullname template name: "" + # -- Whether automounting API credentials for a service account is enabled or not. + # See [https://docs.bridgecrew.io/docs/bc_k8s_35](https://docs.bridgecrew.io/docs/bc_k8s_35) + automountServiceAccountToken: false + # -- Annotations added to the pod podAnnotations: {}
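Review bot: The new `automountServiceAccountToken` comment describes it as a service-account setting, but the deployment template in this commit writes the value to the pod spec. A wording such as `# -- Whether the pod automounts the service account API token. Enable only if the workload needs to call the Kubernetes API.` would match what is rendered and tell operators when `true` is justified. The `serviceAccount` block starts above the hunk.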