From 4a711a83342250f9f5871137ca0956f4b27f6ed9 Mon Sep 17 00:00:00 2001 From: Christian Kotzbauer Date: Tue, 22 Feb 2022 19:32:52 +0100 Subject: [PATCH] Add vulnerability-operator (#89) * add vulnerability-operator Signed-off-by: Christian Kotzbauer * fix ident Signed-off-by: Christian Kotzbauer --- README.md | 1 + charts/vulnerability-operator/.helmignore | 21 +++++ charts/vulnerability-operator/Chart.yaml | 20 +++++ charts/vulnerability-operator/README.md | 71 +++++++++++++++++ .../templates/NOTES.txt | 6 ++ .../templates/_helpers.tpl | 63 +++++++++++++++ .../templates/clusterrole.yaml | 13 ++++ .../templates/clusterrolebinding.yaml | 14 ++++ .../templates/deployment.yaml | 76 +++++++++++++++++++ .../templates/ingress.yaml | 60 +++++++++++++++ .../templates/service.yaml | 15 ++++ .../templates/serviceaccount.yaml | 8 ++ .../templates/servicemonitor.yaml | 27 +++++++ charts/vulnerability-operator/values.yaml | 67 ++++++++++++++++ 14 files changed, 462 insertions(+) create mode 100644 charts/vulnerability-operator/.helmignore create mode 100644 charts/vulnerability-operator/Chart.yaml create mode 100644 charts/vulnerability-operator/README.md create mode 100644 charts/vulnerability-operator/templates/NOTES.txt create mode 100644 charts/vulnerability-operator/templates/_helpers.tpl create mode 100644 charts/vulnerability-operator/templates/clusterrole.yaml create mode 100644 charts/vulnerability-operator/templates/clusterrolebinding.yaml create mode 100644 charts/vulnerability-operator/templates/deployment.yaml create mode 100644 charts/vulnerability-operator/templates/ingress.yaml create mode 100644 charts/vulnerability-operator/templates/service.yaml create mode 100644 charts/vulnerability-operator/templates/serviceaccount.yaml create mode 100644 charts/vulnerability-operator/templates/servicemonitor.yaml create mode 100644 charts/vulnerability-operator/values.yaml diff --git a/README.md b/README.md index d1208c4..de36a33 100644 --- a/README.md +++ b/README.md 
@@ -18,3 +18,4 @@ helm repo add ckotzbauer https://ckotzbauer.github.io/helm-charts - [chekr](https://github.com/ckotzbauer/helm-charts/tree/main/charts/chekr) - [postgres-operator](https://github.com/ckotzbauer/helm-charts/tree/main/charts/postgres-operator) - [sbom-operator](https://github.com/ckotzbauer/helm-charts/tree/main/charts/sbom-operator) +- [vulnerability-operator](https://github.com/ckotzbauer/helm-charts/tree/main/charts/vulnerability-operator) diff --git a/charts/vulnerability-operator/.helmignore b/charts/vulnerability-operator/.helmignore new file mode 100644 index 0000000..daebc7d --- /dev/null +++ b/charts/vulnerability-operator/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/vulnerability-operator/Chart.yaml b/charts/vulnerability-operator/Chart.yaml new file mode 100644 index 0000000..6f3d2d2 --- /dev/null +++ b/charts/vulnerability-operator/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +description: Scans SBOMs for vulnerabilities +name: vulnerability-operator +version: 0.1.0 +appVersion: 0.1.0 +home: https://github.com/ckotzbauer/vulnerability-operator +sources: + - https://github.com/ckotzbauer/vulnerability-operator + - https://github.com/ckotzbauer/helm-charts +keywords: + - kubernetes-operator + - operator + - sbom + - grype + - vulnerability + - security + - supply-chain-security +maintainers: + - name: ckotzbauer + email: git@ckotzbauer.de diff --git a/charts/vulnerability-operator/README.md b/charts/vulnerability-operator/README.md new file mode 100644 index 0000000..377cd7d --- /dev/null +++ b/charts/vulnerability-operator/README.md 
@@ -0,0 +1,71 @@ +# vulnerability-operator + +> Scans SBOMs for vulnerabilities. + +Learn more: [https://github.com/ckotzbauer/vulnerability-operator](https://github.com/ckotzbauer/vulnerability-operator) + + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```bash +$ helm install my-release ckotzbauer/vulnerability-operator +``` + +The command deploys the vulnerability-operator to the Kubernetes cluster using the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```bash +$ helm delete my-release +``` +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the configurable parameters of the vulnerability-operator chart and their default values. + +| Parameter | Description | Default | +| -------------------------------------- | ------------------------------------------------- | --------------------------------------------- | +| `image.repository` | container image repository | `ghcr.io/ckotzbauer/vulnerability-operator` | +| `image.tag` | container image tag | `0.1.0` | +| `image.pullPolicy` | container image pull policy | `IfNotPresent` | +| `args` | argument object for cli-args | `{}` | +| `envVars` | environment variables | `{}` | +| `nodeSelector` | node labels for pod assignment | `{}` | +| `tolerations` | node tolerations for pod assignment | `[]` | +| `affinity` | node affinity for pod assignment | `{}` | +| `podAnnotations` | annotations to add to each pod | `{}` | +| `resources` | pod resource requests & limits | See [values.yaml](values.yaml) | +| `securityContext` | container securityContext | See [values.yaml](values.yaml) | +| `serviceAccount.create` | Should we create a ServiceAccount | `true` | +| `serviceAccount.name` | Name of the ServiceAccount to use 
| null | +| `servicemonitor.enabled` | Should we create a ServiceMonitor | `false` | +| `servicemonitor.relabelings` | Configure relabelings for Prometheus | `{}` | +| `servicemonitor.metricRelabelings` | Configure metricRelabelings for Prometheus | `{}` | +| `servicemonitor.additionalLabels` | Additional labels for the ServiceMonitor object. | `{}` | +| `ingress.enabled` | whether to create an Ingress | `false` | +| `ingress.className` | name of the IngressClass | `""` | +| `ingress.annotations` | Annotations for the Ingress | `{}` | +| `ingress.hosts` | List of host-objects for the Ingress | `[]` | +| `ingress.tls` | List of TLS-configs for the Ingress | `[]` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```bash +$ helm install my-release \ + --set key_1=value_1,key_2=value_2 \ + ckotzbauer/vulnerability-operator +``` + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +# example for staging +$ helm install my-release -f values.yaml ckotzbauer/vulnerability-operator +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) diff --git a/charts/vulnerability-operator/templates/NOTES.txt b/charts/vulnerability-operator/templates/NOTES.txt new file mode 100644 index 0000000..920c959 --- /dev/null +++ b/charts/vulnerability-operator/templates/NOTES.txt @@ -0,0 +1,6 @@ +** Please be patient while the chart is being deployed ** + +To monitor the deployment, execute the following command: + + kubectl get pods -l name={{ template "app.name" . }} --namespace {{ .Release.Namespace }} -w + diff --git a/charts/vulnerability-operator/templates/_helpers.tpl b/charts/vulnerability-operator/templates/_helpers.tpl new file mode 100644 index 0000000..87dd772 --- /dev/null +++ b/charts/vulnerability-operator/templates/_helpers.tpl 
@@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "app.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app.name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "app.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "app.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "app.labels" -}} +helm.sh/chart: {{ include "app.chart" . }} +{{ include "app.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "app.selectorLabels" -}} +app.kubernetes.io/name: {{ include "app.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "app.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "app.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} 
diff --git a/charts/vulnerability-operator/templates/clusterrole.yaml b/charts/vulnerability-operator/templates/clusterrole.yaml new file mode 100644 index 0000000..31f67a3 --- /dev/null +++ b/charts/vulnerability-operator/templates/clusterrole.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "app.name" . }} + labels: + {{- include "app.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - list diff --git a/charts/vulnerability-operator/templates/clusterrolebinding.yaml b/charts/vulnerability-operator/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..b0027ad --- /dev/null +++ b/charts/vulnerability-operator/templates/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "app.name" . }} + labels: + {{- include "app.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ template "app.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ template "app.name" . }} + apiGroup: rbac.authorization.k8s.io diff --git a/charts/vulnerability-operator/templates/deployment.yaml b/charts/vulnerability-operator/templates/deployment.yaml new file mode 100644 index 0000000..ddf37fa --- /dev/null +++ b/charts/vulnerability-operator/templates/deployment.yaml 
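Review bot: The ClusterRole and the ClusterRoleBinding (both hunks on this line) are named with `{{ template "app.name" . }}`, which resolves to the bare chart name independent of the release, so two releases of this chart in one cluster conflict on these cluster-scoped objects and the second install fails because the object already belongs to the first release. Ingress already uses `include "app.fullname"` for its name; using `{{ template "app.fullname" . }}` for the ClusterRole, the ClusterRoleBinding's `metadata.name` and its `roleRef.name` keeps cluster-scoped names release-unique. The rule set itself is appropriately narrow (`list` on `pods` only); if the operator later needs `get` or `watch`, add those verbs here explicitly rather than widening the resource or verb list.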
@@ -0,0 +1,76 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "app.name" . }} + labels: + {{- include "app.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "app.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "app.selectorLabels" . | nindent 8 }} + {{- if .Values.podAnnotations }} + annotations: +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "app.serviceAccountName" . }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + {{- range $key, $value := .Values.args }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + env: + {{- if .Values.envVars }} + {{ toYaml .Values.envVars | nindent 12 }} + {{- end }} + ports: + - containerPort: 8080 + name: http + protocol: TCP + livenessProbe: + timeoutSeconds: 3 + httpGet: + path: "/health" + port: http + readinessProbe: + timeoutSeconds: 3 + httpGet: + path: "/health" + port: http + securityContext: +{{ toYaml .Values.securityContext | indent 12 }} + resources: +{{ toYaml .Values.resources | indent 12 }} + volumeMounts: + - mountPath: /work + name: work + - mountPath: /tmp + name: tmp + volumes: + - name: work + emptyDir: {} + - name: tmp + emptyDir: {} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/charts/vulnerability-operator/templates/ingress.yaml b/charts/vulnerability-operator/templates/ingress.yaml new file mode 100644 index 0000000..0b919d4 --- /dev/null +++ b/charts/vulnerability-operator/templates/ingress.yaml 
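Review bot: The `env:` block renders `.Values.envVars` with `toYaml`, but that value defaults to a map (`envVars: {}` in values.yaml, "environment variables" in the README), and `toYaml` of a map emits `KEY: value` pairs where `env` expects a list of `{name, value}` entries, so a user who fills the map as documented gets a PodSpec the API server rejects. Either document that `envVars` must be a list (and default it to `[]`) or iterate the map in the template as shown below. Separately, the image is referenced by mutable tag only (`{{ .Values.image.tag | default .Chart.AppVersion }}`); an optional digest value rendered as `@sha256:...` when set would let operators pin the scanner image, which matters for a tool whose output is itself a supply-chain control. The container `securityContext` is fully value-driven, but there is no pod-level `securityContext`, so `seccompProfile` or `fsGroup` cannot be set without editing the template.
```yaml
          env:
          {{- range $key, $value := .Values.envVars }}
            - name: {{ $key }}
              value: {{ $value | quote }}
          {{- end }}
```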
@@ -0,0 +1,60 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "app.fullname" . -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "app.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: 8080 + {{- else }} + serviceName: {{ $fullName }} + servicePort: 8080 + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/vulnerability-operator/templates/service.yaml b/charts/vulnerability-operator/templates/service.yaml new file mode 100644 index 0000000..2f7d451 --- /dev/null 
+++ b/charts/vulnerability-operator/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "app.name" . }} + labels: + {{- include "app.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - name: http + port: 8080 + targetPort: http + protocol: TCP + selector: + {{- include "app.selectorLabels" . | nindent 4 }} diff --git a/charts/vulnerability-operator/templates/serviceaccount.yaml b/charts/vulnerability-operator/templates/serviceaccount.yaml new file mode 100644 index 0000000..837e629 --- /dev/null +++ b/charts/vulnerability-operator/templates/serviceaccount.yaml @@ -0,0 +1,8 @@ +{{ if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "app.serviceAccountName" . }} + labels: + {{- include "app.labels" . | nindent 4 }} +{{- end -}} diff --git a/charts/vulnerability-operator/templates/servicemonitor.yaml b/charts/vulnerability-operator/templates/servicemonitor.yaml new file mode 100644 index 0000000..2407677 --- /dev/null +++ b/charts/vulnerability-operator/templates/servicemonitor.yaml @@ -0,0 +1,27 @@ +{{ if .Values.servicemonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "app.name" . }} + labels: + {{- include "app.labels" . | nindent 4 }} + {{- toYaml .Values.servicemonitor.additionalLabels | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "app.selectorLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + endpoints: + - path: /metrics + port: http + {{- if .Values.servicemonitor.relabelings }} + relabelings: + {{- toYaml .Values.servicemonitor.relabelings | nindent 8 }} + {{- end -}} + {{- if .Values.servicemonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml .Values.servicemonitor.metricRelabelings | nindent 8 }} + {{- end -}} +{{- end -}} 
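Review bot: In the servicemonitor.yaml hunk, `{{- toYaml .Values.servicemonitor.additionalLabels | nindent 4 }}` is emitted unconditionally under `labels:`, and with the default `additionalLabels: {}` `toYaml` yields the literal `{}`, which on its own line inside the block mapping is not valid YAML as far as I can tell — so enabling the ServiceMonitor with otherwise default values fails to render. Guard it with `{{- with .Values.servicemonitor.additionalLabels }}{{ toYaml . | nindent 4 }}{{- end }}`. The `relabelings` and `metricRelabelings` keys below it already use an `if` guard, so this brings the labels in line with them.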
diff --git a/charts/vulnerability-operator/values.yaml b/charts/vulnerability-operator/values.yaml new file mode 100644 index 0000000..4a876c5 --- /dev/null +++ b/charts/vulnerability-operator/values.yaml @@ -0,0 +1,67 @@ +# Default values for sbom-operator. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +image: + repository: ghcr.io/ckotzbauer/vulnerability-operator + tag: "" + pullPolicy: IfNotPresent + +args: {} + +envVars: {} + +podAnnotations: {} + +resources: {} +# requests: +# cpu: 500m +# memory: 250Gi +# limits: +# cpu: 100m +# memory: 100Mi + +securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + +serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + + # The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: + +servicemonitor: + enabled: false + relabelings: {} + metricRelabelings: {} + additionalLabels: {} + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +nodeSelector: {} + +tolerations: [] + +affinity: {}
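Review bot: The header comment still reads `# Default values for sbom-operator.`, a copy-paste from the sibling chart; it should be `# Default values for vulnerability-operator.`. The commented `resources` example is also internally inconsistent: `requests.memory: 250Gi` exceeds `limits.memory: 100Mi` and `requests.cpu: 500m` exceeds `limits.cpu: 100m`, so uncommenting it as-is is rejected by the API server (requests must not exceed limits); `250Gi` looks like a typo for `250Mi`, and the request/limit pairs should be aligned before anyone copies them. The default container `securityContext` (drop `ALL`, `runAsNonRoot`, `readOnlyRootFilesystem`, no privilege escalation) is a solid hardened baseline; adding `seccompProfile: {type: RuntimeDefault}` would complete it for the Pod Security Standards restricted profile — presumably compatible, since the deployment only writes to the `emptyDir` volumes at `/work` and `/tmp`, but confirm against the upstream image.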