Add vulnerability-operator (#89)

* add vulnerability-operator

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

* fix ident

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>
Christian Kotzbauer 2022-02-22 19:32:52 +01:00 committed by GitHub
parent 135b4c5151
commit 4a711a8334
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 462 additions and 0 deletions

View File

@ -18,3 +18,4 @@ helm repo add ckotzbauer https://ckotzbauer.github.io/helm-charts
- [chekr](https://github.com/ckotzbauer/helm-charts/tree/main/charts/chekr) - [chekr](https://github.com/ckotzbauer/helm-charts/tree/main/charts/chekr)
- [postgres-operator](https://github.com/ckotzbauer/helm-charts/tree/main/charts/postgres-operator) - [postgres-operator](https://github.com/ckotzbauer/helm-charts/tree/main/charts/postgres-operator)
- [sbom-operator](https://github.com/ckotzbauer/helm-charts/tree/main/charts/sbom-operator) - [sbom-operator](https://github.com/ckotzbauer/helm-charts/tree/main/charts/sbom-operator)
- [vulnerability-operator](https://github.com/ckotzbauer/helm-charts/tree/main/charts/vulnerability-operator)

View File

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

View File

@ -0,0 +1,20 @@
apiVersion: v2
description: Scans SBOMs for vulnerabilities
name: vulnerability-operator
version: 0.1.0
appVersion: 0.1.0
home: https://github.com/ckotzbauer/vulnerability-operator
sources:
- https://github.com/ckotzbauer/vulnerability-operator
- https://github.com/ckotzbauer/helm-charts
keywords:
- kubernetes-operator
- operator
- sbom
- grype
- vulnerability
- security
- supply-chain-security
maintainers:
- name: ckotzbauer
email: git@ckotzbauer.de

View File

@ -0,0 +1,71 @@
# vulnerability-operator
> Scans SBOMs for vulnerabilities.
Learn more: [https://github.com/ckotzbauer/vulnerability-operator](https://github.com/ckotzbauer/vulnerability-operator)
## Installing the Chart
To install the chart with the release name `my-release`:
```bash
$ helm install my-release ckotzbauer/vulnerability-operator
```
The command deploys the vulnerability-operator to the Kubernetes cluster using the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```bash
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Configuration
The following table lists the configurable parameters of the vulnerability-operator chart and their default values.
| Parameter | Description | Default |
| -------------------------------------- | ------------------------------------------------- | --------------------------------------------- |
| `image.repository` | container image repository | `ghcr.io/ckotzbauer/vulnerability-operator` |
| `image.tag` | container image tag | `0.1.0` |
| `image.pullPolicy` | container image pull policy | `IfNotPresent` |
| `args` | argument object for cli-args | `{}` |
| `envVars` | environment variables | `{}` |
| `nodeSelector` | node labels for pod assignment | `{}` |
| `tolerations` | node tolerations for pod assignment | `[]` |
| `affinity` | node affinity for pod assignment | `{}` |
| `podAnnotations` | annotations to add to each pod | `{}` |
| `resources` | pod resource requests & limits | See [values.yaml](values.yaml) |
| `securityContext` | container securityContext | See [values.yaml](values.yaml) |
| `serviceAccount.create` | Should we create a ServiceAccount | `true` |
| `serviceAccount.name` | Name of the ServiceAccount to use | null |
| `servicemonitor.enabled` | Should we create a ServiceMonitor | `false` |
| `servicemonitor.relabelings` | Configure relabelings for Prometheus | `{}` |
| `servicemonitor.metricRelabelings` | Configure metricRelabelings for Prometheus | `{}` |
| `servicemonitor.additionalLabels` | Additional labels for the ServiceMonitor object. | `{}` |
| `ingress.enabled` | whether to create an Ingress | `false` |
| `ingress.className` | name of the IngressClass | `""` |
| `ingress.annotations` | Annotations for the Ingress | `{}` |
| `ingress.hosts` | List of host-objects for the Ingress | `[]` |
| `ingress.tls` | List of TLS-configs for the Ingress | `[]` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```bash
$ helm install my-release \
--set key_1=value_1,key_2=value_2 \
ckotzbauer/vulnerability-operator
```
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```bash
# example for staging
$ helm install my-release -f values.yaml ckotzbauer/vulnerability-operator
```
> **Tip**: You can use the default [values.yaml](values.yaml)
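Review bot: the `image.tag` row lists `0.1.0` as the default, but the values.yaml in this commit ships `tag: ""` and the Deployment falls back to `.Chart.AppVersion`; document it as `""` (defaults to the chart's `appVersion`) so readers do not expect a pinned tag that a chart bump would silently change. The `envVars` row describes a map defaulting to `{}`, yet the Deployment pipes the value straight into `env:`, which is a list of `{name, value}` objects; say it is a list and default it to `[]`. Since this is a ClusterRole-backed operator, one sentence stating that it lists pods in every namespace would also help users decide where to install it.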

View File

@ -0,0 +1,6 @@
** Please be patient while the chart is being deployed **
To monitor the deployment, execute the following command:
kubectl get pods -l name={{ template "app.name" . }} --namespace {{ .Release.Namespace }} -w
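Review bot: the selector `-l name={{ template "app.name" . }}` matches nothing, because the pod template only carries the `app.kubernetes.io/name` and `app.kubernetes.io/instance` labels from `app.selectorLabels`. Use `-l app.kubernetes.io/name={{ template "app.name" . }},app.kubernetes.io/instance={{ .Release.Name }}` so the watch command shown after install actually shows the operator pod.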

View File

@ -0,0 +1,63 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "app.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app.name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "app.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "app.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "app.labels" -}}
helm.sh/chart: {{ include "app.chart" . }}
{{ include "app.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "app.selectorLabels" -}}
app.kubernetes.io/name: {{ include "app.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "app.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "app.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}

View File

@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "app.name" . }}
labels:
{{- include "app.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- list
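Review bot: `list` alone covers a polling loop; if the operator uses a client-go informer or a `watch` on pods it also needs the `watch` verb and will log permission errors at startup. Please confirm which access pattern the operator uses and add `watch` only if it is required; otherwise keep this rule exactly as narrow as it is, which is a good least-privilege default for a ClusterRole.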

View File

@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "app.name" . }}
labels:
{{- include "app.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ template "app.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ template "app.name" . }}
apiGroup: rbac.authorization.k8s.io
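Review bot: when `serviceAccount.create=false` and `serviceAccount.name` is left empty, `app.serviceAccountName` resolves to `default`, so this binding grants cluster-wide pod `list` to the namespace's `default` ServiceAccount, which every other pod in that namespace without an explicit `serviceAccountName` also runs as. Either fail the render in that case, e.g. `{{ required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}` in the helper, or document the fallback in the README so nobody grants the role by accident.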

View File

@ -0,0 +1,76 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "app.name" . }}
labels:
{{- include "app.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "app.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "app.selectorLabels" . | nindent 8 }}
{{- if .Values.podAnnotations }}
annotations:
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
spec:
serviceAccountName: {{ template "app.serviceAccountName" . }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- range $key, $value := .Values.args }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
env:
{{- if .Values.envVars }}
{{ toYaml .Values.envVars | nindent 12 }}
{{- end }}
ports:
- containerPort: 8080
name: http
protocol: TCP
livenessProbe:
timeoutSeconds: 3
httpGet:
path: "/health"
port: http
readinessProbe:
timeoutSeconds: 3
httpGet:
path: "/health"
port: http
securityContext:
{{ toYaml .Values.securityContext | indent 12 }}
resources:
{{ toYaml .Values.resources | indent 12 }}
volumeMounts:
- mountPath: /work
name: work
- mountPath: /tmp
name: tmp
volumes:
- name: work
emptyDir: {}
- name: tmp
emptyDir: {}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
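Review bot: `env:` receives `toYaml .Values.envVars`, but `env` must be a list of EnvVar objects while the value defaults to `{}` and the README calls it a map; a user who follows the docs gets a type error from the API server. Default `envVars` to `[]` and wrap the block in `{{- with .Values.envVars }} env: {{ toYaml . | nindent 12 }} {{- end }}` so `env:` is omitted when empty. In the `args` loop, `{{- if $value }}` treats `false`, `0` and `""` as "no value", so `args: {some-flag: false}` renders `--some-flag`, which for a boolean flag is the opposite of what was asked; test for nil instead (Sprig's `kindIs "invalid" $value`) and otherwise always emit `--key=value`. The container securityContext (drop ALL, non-root, read-only root with `/work` and `/tmp` on emptyDir) is a good baseline; since the pod talks to the API server the default token mount is needed, so no change there.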

View File

@ -0,0 +1,60 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "app.fullname" . -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "app.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: 8080
{{- else }}
serviceName: {{ $fullName }}
servicePort: 8080
{{- end }}
{{- end }}
{{- end }}
{{- end }}
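Review bot: the backend is the Service's port 8080, the same port the Deployment probes on `/health` and the ServiceMonitor scrapes on `/metrics`, so enabling the Ingress publishes the operator's metrics (and anything else that HTTP server serves) to whatever can reach the ingress controller, with no authentication configured by this chart. If the goal is only in-cluster scraping, the ServiceMonitor already covers it and the Ingress could be dropped; if external access is intended, document the exposed paths in the README and point users at their ingress controller's auth annotations (`ingress.annotations` is the hook) together with `ingress.tls`. Minor: `path: {{ .path }}` and `secretName: {{ .secretName }}` should be `| quote` for consistency with the `host` line.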

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "app.name" . }}
labels:
{{- include "app.labels" . | nindent 4 }}
spec:
type: ClusterIP
ports:
- name: http
port: 8080
targetPort: http
protocol: TCP
selector:
{{- include "app.selectorLabels" . | nindent 4 }}

View File

@ -0,0 +1,8 @@
{{ if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "app.serviceAccountName" . }}
labels:
{{- include "app.labels" . | nindent 4 }}
{{- end -}}

View File

@ -0,0 +1,27 @@
{{ if .Values.servicemonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "app.name" . }}
labels:
{{- include "app.labels" . | nindent 4 }}
{{- toYaml .Values.servicemonitor.additionalLabels | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "app.selectorLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
endpoints:
- path: /metrics
port: http
{{- if .Values.servicemonitor.relabelings }}
relabelings:
{{- toYaml .Values.servicemonitor.relabelings | nindent 8 }}
{{- end -}}
{{- if .Values.servicemonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml .Values.servicemonitor.metricRelabelings | nindent 8 }}
{{- end -}}
{{- end -}}
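Review bot: with the default `servicemonitor.additionalLabels: {}`, `toYaml` yields the literal `{}` and `nindent 4` places it as its own line under `labels:` after the key/value pairs from `app.labels`; that is not valid YAML, so `--set servicemonitor.enabled=true` fails to install unless the user also sets at least one additional label. Guard it the way the relabeling blocks are guarded: `{{- with .Values.servicemonitor.additionalLabels }}{{ toYaml . | nindent 4 }}{{- end }}`. `relabelings` and `metricRelabelings` are lists in the ServiceMonitor schema, so `[]` is the accurate default for them rather than `{}`.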

View File

@ -0,0 +1,67 @@
# Default values for sbom-operator.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
image:
repository: ghcr.io/ckotzbauer/vulnerability-operator
tag: ""
pullPolicy: IfNotPresent
args: {}
envVars: {}
podAnnotations: {}
resources: {}
# requests:
# cpu: 500m
# memory: 250Gi
# limits:
# cpu: 100m
# memory: 100Mi
securityContext:
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template
name:
servicemonitor:
enabled: false
relabelings: {}
metricRelabelings: {}
additionalLabels: {}
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
nodeSelector: {}
tolerations: []
affinity: {}
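Review bot: the header comment says `Default values for sbom-operator`; this chart is vulnerability-operator. The commented `resources` example is inverted and mistyped: the requests (`cpu: 500m`, `memory: 250Gi`) exceed the limits (`cpu: 100m`, `memory: 100Mi`), which the API server rejects, and `250Gi` is presumably `250Mi`; swap the numbers so that anyone uncommenting the example gets a valid spec. `envVars: {}` should be `[]` to match the list the Deployment puts under `env:`. The `securityContext` block is solid; adding `seccompProfile: {type: RuntimeDefault}` and an explicit `runAsUser` would round it out, the latter because `runAsNonRoot: true` refuses to start the container if the image does not set a numeric `USER`.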