tenable · devang-gaur · May 12, 2021 · Apr 22, 2021 · Apr 22, 2021 · Apr 23, 2021
@@ -0,0 +1,21 @@
+apiVersion: v1
+name: terrascan
+version: 1.0.0
+appVersion: v1.4.0
+description: A Helm chart for running terrascan in server mode
+icon: https://raw.githubusercontent.com/accurics/terrascan/master/docs/img/terrascan-icon-white.png
+home: https://github.com/accurics/terrascan
+keywords:
+  - terrascan
+  - opa
+  - security
+sources:
+  - https://github.com/accurics/terrascan
+maintainers:
+  - name: jlk
+    email: [email protected]
+  - name: steven-sheehy
+  - name: dev-gaur
+    email: [email protected]
+  - name: yusuf-kanchwala
+    email: [email protected]
@@ -0,0 +1,63 @@
+# Helm chart for deploying terrascan in server mode
+
+This chart deploys terrascan as a server within your kubernetes cluster. By default it runs just terrascan by itself, but 
+user creates namespace and secrets.
+
+In server mode, terrascan will act both as an API server for
+performing remote scans of IAC, as well as a validating admission
+webook for a Kubernetes cluster. Further details can be found in
+the [main documentation](https://docs.accurics.com/projects/accurics-terrascan/en/latest/).
+
+## Usage
+### Set up TLS certificates
+A requirement to run an admission controller is that communication
+happens over TLS. This helm chart expects to find the certificate
+at `data/server.crt` and key at `data/server.key`.
+
+### Persistent storage
+By default, this chart will deploy terrascan with a `emptyDir`
+volume - basically a temporary volume. If you are intend to use the
+adminssion controller functionality, then you may want to store the
+admission controller database on a persistent volume. This chart
+supports speciyfing a [persistent volume
+claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) for
+the database - as storage, PVs, and PVCs are a wide topic within
+Kubernetes ecosystem, the details of the PV/PVC creation are left
+to the individual.
+
+To specify the use of a PVC, set `persistence.enable` to `true`, and then specify the name of an existing PVC:
+
+```
+persistence:
+  enabled: false
+  existingclaim: pvcClaimName
+```
+
+### Terrascan configuration file
+This chart will look for a [terrascan configuration
+file](https://docs.accurics.com/projects/accurics-terrascan/en/latest/usage/#config-file)
+at `data/config.toml`. If that file exists before running `helm
+install`, it's contents will be loaded into a configMap and provided
+to the terrascan server.
+
+### Deploy
+Once your TLS certificate is generated and the values in the
+`values.yaml` configuration file have been reviewed, you can install
+the chart with the following command:
+
+```
+helm install <releasename> .
+```
+Where `<releasename>` is the name you want to assign to this installed chart. This value will be used in various resources to make them both distinct and identifable.
+
+This will use your current namespace unless `-n <namespace>` is specified
+
+## TODO:
+This chart is a WIP - we intend to add the following functionality in the near future:
+ - [x] Storage support - volume for db
+ - [ ] Support more load balancer types
+ - [ ] Support for ingress
+ - [ ] Flag for UI enable/disable
+ - [ ] Publish to Artifact hub
+ - [ ] Support TLS certificate/key in existing secrets
+
diff --git a/deploy/helm-charts/templates/NOTES.txt b/deploy/helm-charts/templates/NOTES.txt
diff --git a/deploy/helm-charts/templates/README.md b/deploy/helm-charts/templates/README.md
@@ -0,0 +1,2 @@
+user creates namespace and secrets
+
@@ -0,0 +1,11 @@
+{{- $globconfig := .Files.Glob "../data/config.toml" }}
+{{- if $globconfig }}
+kind: ConfigMap
+version: v1
+metadata:
+  name: {{ .Values.config_name }}
+  namespace: {{ .Release.Namespace }}
+data:
+  terrascan-config: |-
+    {{ .Files.Get "../data/config.toml" | b64enc }}
+{{- end }}
@@ -0,0 +1,80 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Values.name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.name }}
+    spec:
+      initContainers:
+        - name: git-cloner
+          image: alpine/git
+          args:
+            - clone
+            - --single-branch
+            - --branch=master
+            - https://github.com/accurics/terrascan.git
+            - /data
+          volumeMounts:
+            - mountPath: /data
+              name: terrascan-data-sync
+      containers:
+        - name: terrascan-server
+          image: {{ .Values.terrascan_container_image }}
+          command:
+            - terrascan
+          args:
+            - "server"
+            - "--cert-path"
+            - "/etc/certs/cert"
+            - "--key-path"
+            - "/etc/certs/key"
+{{- if .Values.use_debug }}
+            - "-l"
+            - "debug"
+{{- end }}
+{{- $globconfig := .Files.Glob "../data/config.toml" }}
+{{- if $globconfig }}
+            - "-c"
+            - "/etc/config/terrascan-config"
+{{- end }}
+          env:
+            - name: "K8S_WEBHOOK_API_KEY"
+              value: {{ .Values.terrascan_api_key}}
+          volumeMounts:
+            - name: cert-volume
+              mountPath: /etc/certs
+{{- $globconfig := .Files.Glob "../data/config.toml" }}
+{{- if $globconfig }}
+            - name: config-volume
+              mountPath: /etc/config
+{{- end }}
+            - name: terrascan-data-sync
+              mountPath: /home/terrascan/.terrascan
+
+      volumes:
+        - name: cert-volume
+          secret:
+            secretName: certs
+{{- $globconfig := .Files.Glob "../data/config.toml" }}
+{{- if $globconfig }}
+        - name: config-volume
+          configMap:
+            configMapName: {{ .Values.configname }}
+{{- end }}
+{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
+        - name: terrascan-data-sync
+          persistentVolumeClaim:
+{{- with .Values.persistence.existingClaim }}
+            claimName: {{ tpl . $ }}
+{{- else }}
+        - name: terrascan-data-sync
+          emptyDir: {}
+{{- end }}
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.secret_name }}
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  key: |-
+    {{ .Files.Get "data/server.key" | b64enc }}
+  cert: |-
+    {{ .Files.Get "data/server.crt" | b64enc }}
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: LoadBalancer
+  selector:
+    app: {{ .Values.name }}
+  ports:
+    - name: webhook
+      port: 443
+      targetPort: 9010
@@ -0,0 +1,10 @@
+terrascan_api_key: terrakey
+terrascan_container_image: accurics/terrascan:latest
+use_debug: true
+secret_name: certs
+config_name: config
+name: terrahook
+persistence:
+  enabled: false
+  existingclaim: pvcClaimName
+