diff --git a/README.md b/README.md
index 7829c88..3a3d0d3 100644
--- a/README.md
+++ b/README.md
@@ -19,3 +19,4 @@ helm repo add ckotzbauer https://ckotzbauer.github.io/helm-charts
 - [nfs-client-provisioner](https://github.com/ckotzbauer/helm-charts/tree/main/charts/nfs-client-provisioner)
 - [postgres-operator](https://github.com/ckotzbauer/helm-charts/tree/main/charts/postgres-operator)
 - [prometheus-blackbox-exporter](https://github.com/ckotzbauer/helm-charts/tree/main/charts/prometheus-blackbox-exporter)
+- [sbom-operator](https://github.com/ckotzbauer/helm-charts/tree/main/charts/sbom-operator)
diff --git a/charts/sbom-operator/.helmignore b/charts/sbom-operator/.helmignore
new file mode 100644
index 0000000..daebc7d
--- /dev/null
+++ b/charts/sbom-operator/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/sbom-operator/Chart.yaml b/charts/sbom-operator/Chart.yaml
new file mode 100644
index 0000000..14cbc9b
--- /dev/null
+++ b/charts/sbom-operator/Chart.yaml
@@ -0,0 +1,19 @@
+apiVersion: v2
+description: Catalogue all images of a Kubernetes cluster to Git with Syft
+name: sbom-operator
+version: 0.1.0
+appVersion: 0.1.0
+home: https://github.com/ckotzbauer/sbom-operator
+sources:
+ - https://github.com/ckotzbauer/sbom-operator
+ - https://github.com/ckotzbauer/helm-charts
+keywords:
+ - kubernetes-operator
+ - operator
+ - sbom
+ - syft
+ - git
+ - supply-chain-security
+maintainers:
+ - name: ckotzbauer
+ email: git@ckotzbauer.de
diff --git a/charts/sbom-operator/README.md b/charts/sbom-operator/README.md
new file mode 100644
index 0000000..12cbfd3
--- /dev/null
+++ b/charts/sbom-operator/README.md
@@ -0,0 +1,60 @@
+# sbom-operator
+
+> Catalogue all images of a Kubernetes cluster to Git with Syft.
+
+Learn more: [https://github.com/ckotzbauer/sbom-operator](https://github.com/ckotzbauer/sbom-operator)
+
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```bash
+$ helm install my-release ckotzbauer/sbom-operator
+```
+
+The command deploys the sbom-operator operator on the Kubernetes cluster using the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```bash
+$ helm delete my-release
+```
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Configuration
+
+The following table lists the configurable parameters of the sbom-operator chart and their default values.
+
+| Parameter | Description | Default |
+| -------------------------------------- | ------------------------------------------------- | ---------------------------------------- |
+| `image.repository` | container image repository | `ghcr.io/ckotzbauer/sbom-operator` |
+| `image.tag` | container image tag | `0.1.0` |
+| `image.pullPolicy` | container image pull policy | `IfNotPresent` |
+| `nodeSelector` | node labels for pod assignment | `{}` |
+| `tolerations` | node tolerations for pod assignment | `[]` |
+| `affinity` | node affinity for pod assignment | `{}` |
+| `podAnnotations` | annotations to add to each pod | `{}` |
+| `resources` | pod resource requests & limits | See [values.yaml](values.yaml) |
+| `securityContext` | container securityContext | See [values.yaml](values.yaml) |
+| `serviceAccount.create` | Should we create a ServiceAccount | `true` |
+| `serviceAccount.name` | Name of the ServiceAccount to use | null |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```bash
+$ helm install my-release \
+ --set key_1=value_1,key_2=value_2 \
+ ckotzbauer/sbom-operator
+```
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+
+```bash
+# example for staging
+$ helm install my-release -f values.yaml ckotzbauer/sbom-operator
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
diff --git a/charts/sbom-operator/templates/NOTES.txt b/charts/sbom-operator/templates/NOTES.txt
new file mode 100644
index 0000000..920c959
--- /dev/null
+++ b/charts/sbom-operator/templates/NOTES.txt
@@ -0,0 +1,6 @@
+** Please be patient while the chart is being deployed **
+
+To monitor the deployment, execute the following command:
+
+ kubectl get pods -l name={{ template "app.name" . }} --namespace {{ .Release.Namespace }} -w
+
diff --git a/charts/sbom-operator/templates/_helpers.tpl b/charts/sbom-operator/templates/_helpers.tpl
new file mode 100644
index 0000000..87dd772
--- /dev/null
+++ b/charts/sbom-operator/templates/_helpers.tpl
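Review bot: The selector `-l name={{ template "app.name" . }}` in the kubectl hint matches no pod, because deployment.yaml labels the pod template only through `app.selectorLabels` (`app.kubernetes.io/name` and `app.kubernetes.io/instance`) and never sets a `name` label. Change the command to `kubectl get pods -l app.kubernetes.io/name={{ include "app.name" . }},app.kubernetes.io/instance={{ .Release.Name }} --namespace {{ .Release.Namespace }} -w` so the post-install note tracks the pods the chart actually creates.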
@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "app.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app.name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "app.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "app.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "app.labels" -}}
+helm.sh/chart: {{ include "app.chart" . }}
+{{ include "app.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "app.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "app.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "app.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "app.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/sbom-operator/templates/clusterrole.yaml b/charts/sbom-operator/templates/clusterrole.yaml
new file mode 100644
index 0000000..a4db967
--- /dev/null
+++ b/charts/sbom-operator/templates/clusterrole.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "app.name" . }}
+ labels:
+ {{- include "app.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - namespaces
+ verbs:
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
diff --git a/charts/sbom-operator/templates/clusterrolebinding.yaml b/charts/sbom-operator/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..b0027ad
--- /dev/null
+++ b/charts/sbom-operator/templates/clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "app.name" . }}
+ labels:
+ {{- include "app.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "app.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ template "app.name" . }}
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/sbom-operator/templates/deployment.yaml b/charts/sbom-operator/templates/deployment.yaml
new file mode 100644
index 0000000..c141f5d
--- /dev/null
+++ b/charts/sbom-operator/templates/deployment.yaml
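Review bot: `name: {{ template "app.name" . }}` resolves to the chart name (`_helpers.tpl` defaults it to `.Chart.Name`), so this ClusterRole and the ClusterRoleBinding in the next hunk are cluster-scoped objects both named `sbom-operator` whatever the release is called; a second release of the chart in another namespace collides on them, and the binding's `roleRef` then points the new service account at the role owned by the first release. The chart already defines `app.fullname` but no template uses it; switch `metadata.name` here, and the binding's `metadata.name` and `roleRef.name`, to `{{ template "app.fullname" . }}` so each release owns its own RBAC objects. Separately, the second rule grants `get` on `secrets` in every namespace, which is a broad grant for a pod that otherwise only lists pods and namespaces, and the chart does not say what it is for (presumably reading the pull secrets referenced by the pods it inventories — confirm against the operator). Add a comment above that rule stating the purpose, and consider a values toggle so clusters whose registries need no credentials can leave the secrets rule out.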
@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "app.name" . }}
+ labels:
+ {{- include "app.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "app.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "app.selectorLabels" . | nindent 8 }}
+ {{- if .Values.podAnnotations }}
+ annotations:
+{{ toYaml .Values.podAnnotations | indent 8 }}
+ {{- end }}
+ spec:
+ serviceAccountName: {{ template "app.serviceAccountName" . }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ {{- range $key, $value := .Values.args }}
+ {{- if $value }}
+ - --{{ $key }}={{ $value }}
+ {{- else }}
+ - --{{ $key }}
+ {{- end }}
+ {{- end }}
+ env:
+ {{- if .Values.envVars }}
+ {{ toYaml .Values.envVars | nindent 12 }}
+ {{- end }}
+ securityContext:
+{{ toYaml .Values.securityContext | indent 12 }}
+ resources:
+{{ toYaml .Values.resources | indent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
diff --git a/charts/sbom-operator/templates/serviceaccount.yaml b/charts/sbom-operator/templates/serviceaccount.yaml
new file mode 100644
index 0000000..837e629
--- /dev/null
+++ b/charts/sbom-operator/templates/serviceaccount.yaml
@@ -0,0 +1,8 @@
+{{ if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "app.serviceAccountName" . }}
+ labels:
+ {{- include "app.labels" . | nindent 4 }}
+{{- end -}}
diff --git a/charts/sbom-operator/values.yaml b/charts/sbom-operator/values.yaml
new file mode 100644
index 0000000..f0d9e6c
--- /dev/null
+++ b/charts/sbom-operator/values.yaml
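Review bot: `{{- if $value }}` in the `args` loop is false for `false` and `0`, so a value such as `some-flag: false` (constructed example) renders as the bare flag `--some-flag`, which for a boolean flag means the opposite of what was configured. Test for absence instead of truthiness: make the condition `{{- if kindIs "invalid" $value }}` with the bare `- --{{ $key }}` in that branch and `- --{{ $key }}={{ $value }}` in the `else` branch, so only a null value (`key:` with nothing after it) becomes a bare flag while `false`, `0` and empty strings keep their explicit value. The value is also interpolated into a YAML sequence item unquoted, so rendering the item as `- {{ printf "--%s=%v" $key $value | quote }}` keeps values containing `:` or `#` from breaking the manifest.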
@@ -0,0 +1,37 @@
+# Default values for sbom-operator.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+ repository: ghcr.io/ckotzbauer/sbom-operator
+ tag: 0.1.0
+ pullPolicy: IfNotPresent
+
+podAnnotations: {}
+
+resources: {}
+# requests:
+# cpu: 500m
+# memory: 1Gi
+# limits:
+# cpu: 100m
+# memory: 100Mi
+
+securityContext:
+ privileged: false
+ runAsUser: 1001
+ runAsNonRoot: true
+
+serviceAccount:
+ # Specifies whether a ServiceAccount should be created
+ create: true
+
+ # The name of the ServiceAccount to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name:
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
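Review bot: deployment.yaml reads `.Values.args` and `.Values.envVars`, but neither key is declared here or in the chart README table, so users cannot discover them from the defaults file; add `args: {}` with a comment that each key renders as `--key=value` (a null or false value currently renders as a bare `--key`), and `envVars: []` noting it is a list of container `env` entries. The `securityContext` block is applied at container level and stops at `runAsNonRoot`; for an operator whose service account can read secrets cluster-wide it is worth also defaulting `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, and `readOnlyRootFilesystem: true` once it is confirmed against the operator whether it writes to its filesystem. The commented `resources` example asks for `cpu: 500m` / `memory: 1Gi` requests but `cpu: 100m` / `memory: 100Mi` limits; limits below requests are rejected by the API server, so swap the two sets of numbers so anyone who uncomments the example gets a valid Deployment.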