├── .gitignore ├── .helmignore ├── Chart.yaml ├── LICENSE.pdf ├── README.md ├── THIRDPARTY.txt ├── charts └── .gitkeep ├── collect-logs.sh ├── requirements.yaml ├── templates ├── NOTES.txt ├── _helpers.tpl ├── activation-code.yaml ├── auth.yaml ├── content-scan.yaml ├── db.yaml ├── docs.yaml ├── frontend.yaml ├── image-scan.yaml ├── license.yaml ├── malware-scan.yaml ├── metrics.yaml ├── outbound-proxy.yaml ├── proxy.yaml ├── registry.yaml ├── registryviews.yaml ├── scan.yaml ├── secrets.yaml ├── serviceaccounts.yaml ├── tasks.yaml └── vulnerability-scan.yaml └── values.yaml /.gitignore: -------------------------------------------------------------------------------- 1 | *.swp 2 | .idea/ 3 | -------------------------------------------------------------------------------- /.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /Chart.yaml: -------------------------------------------------------------------------------- 1 | name: smartcheck 2 | description: Deep Security Smart Check 3 | version: "1.2.83" 4 | kubeVersion: ">=1.10.0-0" 5 | icon: data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48IURPQ1RZUEUgc3ZnIFBVQkxJQyAiLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9HcmFwaGljcy9TVkcvMS4xL0RURC9zdmcxMS5kdGQiPjxzdmcgdmVyc2lvbj0iMS4xIiBpZD0iTGF5ZXJfMSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayIgeD0iMHB4IiB5PSIwcHgiIHdpZHRoPSIyOC44cHgiIGhlaWdodD0iMjguOHB4IiB2aWV3Qm94PSIyMy44OTIgMi4yMjYgMjguOCAyOC44IiBlbmFibGUtYmFja2dyb3VuZD0ibmV3IDIzLjg5MiAyLjIyNiAyOC44IDI4LjgiIHhtbDpzcGFjZT0icHJlc2VydmUiPjxnPjxnPjxwYXRoIGZpbGw9IiNGRkZGRkYiIGQ9Ik01MS42OTUsMTYuNjIyYzAsNy4zOTItNS45OSwxMy4zODItMTMuMzgxLDEzLjM4MmMtNy4zOTYsMC0xMy4zODktNS45OS0xMy4zODktMTMuMzgyIGMwLTcuMzk1LDUuOTkzLTEzLjM4MywxMy4zODktMTMuMzgzQzQ1LjcwNSwzLjIzOSw1MS42OTUsOS4yMjksNTEuNjk1LDE2LjYyMnoiLz48cGF0aCBmaWxsPSIjRUQxQzI0IiBkPSJNMjcuMzMyLDE5LjE4OGMwLjAwOC0wLjAwNiwwLjAxMy0wLjAyNSwwLjAxOS0wLjAzOWMwLjAxOC0wLjA0OSwwLjAzOS0wLjA5NiwwLjA1NS0wLjE0NiBjMC4wMTktMC4wNDMsMC4wMzUtMC4wODIsMC4wNTItMC4xMjVjMC4wMDgtMC4wMjUsMC4wMTYtMC4wNDYsMC4wMjMtMC4wNjJjMC4yNS0wLjYxOSwwLjU2NC0xLjI1MywwLjk0Ny0xLjg5MyBjMC4wNS0wLjExMywwLjEwMy0wLjIxMywwLjE1Ny0wLjMyMmwtMS42MTEsMC4wMDhsMC4zOTMtMC44NmMxLjMyNi0wLjM2NCwzLjUzNy0xLjEwNCw1LjY1LTMuMTQ2bDAuMDU5LTAuMDA5aDEuMTEybC0xLjQzNSwzLjA3NyBsMi4zMDYtMC4wMDZsLTAuNDI1LDAuOTE4bC0yLjMwMiwwLjAxYzAsMC0xLjA4LDIuMTYtMS40NDcsMy43MDZjLTAuMjg1LDEuNzI5LTAuMDA2LDMuMDE2LDEuNTQsMy40OTYgYzAuOTU1LDAuMjk1LDIuMTQ2LDAuMjI3LDMuNDI5LTAuMTMzYzIuOTg3LTAuOTM2LDYuMTc3LTIuOTg2LDguNTE1LTUuNzA1YzMuODQ3LTQuNDY5LDMuOTI0LTkuMDQyLDAuMTY5LTEwLjIwMyBjLTIuNDA1LTAuNzUyLTUuNzk4LDAuMDgyLTguOTM5LDEuOTUyYzMuOTE3LTIuNTI3LDguMjE3LTMuNzEzLDExLjE5Mi0yLjc4NmMwLjU1NCwwLjE3LDEuMDM5LDAuNDExLDEuNDQ5LDAuNzA3IGMtMi40NTEtMi43MDEtNi00LjQwMy05LjkzNy00LjQwM2MtNy40MDcsMC0xMy40MTIsNi4wMDItMTMuNDEyLDEzLjQwOGMwLDIuNzMyLDAuODE4LDUuMjc2LDIuMjI2LDcuMzk5IEMyNi41ODMsMjIuNzIzLDI2LjY2LDIxLjA0NSwyNy4zMzIsMTkuMTg4TDI3LjMzMiwxOS4xODh6Ii8+PHBhdGggZmlsbD0iI0VEMUMyNCIgZD0iTTQ5LjcyLDkuNTQ2YzAuOSwyLjQzNi0wLjIyMSw2LjA3NC0zLjMyLDkuNjcxYy00LjY0OCw1LjQwNi0xMS45OTUsOC42NzYtMTYuNDAyLDcuMzExIGMtMC41NDctMC4xNzYtMS4wMjItMC40MDYtMS40My0wLjY5OWMyLjQ0OSwyLjYxMSw1LjkyNSw0LjI0Niw5Ljc4OCw0LjI0NmM3LjQwNSwwLDEzLjQwOC02LjAwOCwxMy40MDgtMTMuNDEzIEM1MS43NjMsMTQuMDQ2LDUxLjAxNywxMS42MDYsNDkuNzIsOS41NDZMNDkuNzIsOS41NDZ6Ii8+PC9nPjwvZz48cmVjdCB4PSIyMy44OTIiIHk9IjIuMjI2IiBmaWxsPSJub25lIiB3aWR0aD0iMjguOCIgaGVpZ2h0PSIyOC44Ii8+PC9zdmc+Cgo= 6 | keywords: [] 7 | home: https://github.com/deep-security/smartcheck-helm 8 | maintainers: 9 | - name: Trend Micro 10 | url: https://www.trendmicro.com/smartcheck 11 | engine: gotpl 12 | appVersion: "1.2.83" 13 | deprecated: false 14 | tillerVersion: ">2.14.0" 15 | -------------------------------------------------------------------------------- /LICENSE.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/deep-security/smartcheck-helm/2089137b764a9c054d69e1388e104190a1cc8b90/LICENSE.pdf -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Deep Security Smart Check 2 | 3 | ## End of Life Notice 4 | 5 | This product has reached the [End-of-Life (EOL)](https://success.trendmicro.com/dcx/s/solution/000195559?language=en_US) status in December 2023 and is no longer actively supported by Trend Micro. 6 | 7 | 8 | As an alternative to the Deep Security Smart Check product, the [Trend Micro Artifact Scanner](https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-tmas-about) can be used to perform pre-runtime scans on artifacts, including container images. 9 | -------------------------------------------------------------------------------- /THIRDPARTY.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/deep-security/smartcheck-helm/2089137b764a9c054d69e1388e104190a1cc8b90/THIRDPARTY.txt -------------------------------------------------------------------------------- /charts/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/deep-security/smartcheck-helm/2089137b764a9c054d69e1388e104190a1cc8b90/charts/.gitkeep -------------------------------------------------------------------------------- /collect-logs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # A helper script to fetch Kubernetes settings and Deep Security Smart Check logs. 4 | # Optionally, you can also collect malware-scan core dump files (if available) using this script. 5 | # 6 | 7 | unset CURRENT_NS 8 | unset NAMESPACE 9 | 10 | KUBECTL=kubectl 11 | HELM=helm 12 | RELEASE="deepsecurity-smartcheck" 13 | NAMESPACE="" 14 | 15 | # By default, no core dump files are collected. 16 | # If collecting core dump is true, 2 core files are collected. 17 | COLLECTDUMP=false 18 | DUMPFILES=2 19 | COREPATTERN="core" 20 | 21 | NOW=$(date +%s) 22 | RESULTDIR="/tmp/smartcheck-${NOW}" 23 | 24 | help() 25 | { 26 | cat << EOF 27 | Helper script to fetch Kubernetes setting and Deep Security Smart Check logs. 28 | Optionally, you can also collect malware-scan core dump files (if available) using this script. 29 | Options: 30 | -release [Optional] Specifies the Deep Security Smart Check release name. The default is deepsecurity-smartcheck 31 | -namespace [Optional] Specifies the the namespace of Deep Security Smart Check deployment. 32 | The default is the current namespace or default. 33 | -collectdump [Optional] Flag to enable collecting malware-scan core dump files. 34 | The default number of core dump files is 2. You can change it by exporting environment variable - DUMPFILES. 35 | Collecting core dump files takes longer time. 36 | -corefilepattern [Optional] S[ecifies the core dump file name prefix pattern. The default value is 'core'. 37 | -resultdir [Optional] Specifies the directory to save the logs. 38 | 39 | Usage examples: 40 | # Display this help 41 | ./collect-logs.sh -h | H 42 | 43 | # Collect logs for the default release and namespace 44 | ./collect-logs.sh 45 | 46 | # Collect logs for the named release and namespace 47 | ./collect-logs.sh -release deepsecurity-smartcheck -namespace trendmicro 48 | 49 | # Collect logs with optional core dump files if available 50 | ./collect-logs.sh -collectdump 51 | 52 | # Collect logs with core dump files if available, with optional core dump file pattern as 'core'. 53 | ./collect-logs.sh -collectdump -corefilepattern core 54 | 55 | # Collect logs and core dump from named release and namespace 56 | ./collect-logs.sh -release deepsecurity-smartcheck -namespace trendmicro -resultdir /tmp/smartcheck-log -collectdump -corefilepattern core 57 | 58 | # Change the number of core dump files to be collected 59 | export MAX_DUMP_FILES=3 60 | EOF 61 | } 62 | 63 | ##### 64 | # check prerequisites 65 | ##### 66 | command_exists () { 67 | command -v "$1" >/dev/null 2>&1 68 | } 69 | 70 | if ! command_exists $KUBECTL; then 71 | echo "No kubectl command found, exiting..." 72 | echo "Use option -h for help." 73 | exit 1 74 | fi 75 | 76 | if ! command_exists $HELM; then 77 | echo "No helm command found, exiting..." 78 | echo "Use option -h for help." 79 | exit 1 80 | fi 81 | 82 | while [[ $# -gt 0 ]] 83 | do 84 | key="$1" 85 | case $key in 86 | -h|-H) 87 | help 88 | exit 0 89 | ;; 90 | -release) 91 | RELEASE=$2 92 | shift 93 | shift 94 | ;; 95 | -namespace) 96 | NAMESPACE=$2 97 | shift 98 | shift 99 | ;; 100 | -resultdir) 101 | RESULTDIR=$2 102 | shift 103 | shift 104 | ;; 105 | -collectdump) 106 | COLLECTDUMP=true 107 | shift 108 | ;; 109 | -corefilepattern) 110 | COREPATTERN="$2" 111 | shift 112 | shift 113 | ;; 114 | *) 115 | echo "Unrecognized options are specified: $1" 116 | echo "Use option -h for help." 117 | exit 1 118 | ;; 119 | esac 120 | done 121 | 122 | CURRENT_NS=$($KUBECTL config view --minify --output 'jsonpath={..namespace}') 123 | CURRENT_NS=${CURRENT_NS:-default} 124 | NAMESPACE=${NAMESPACE:-$CURRENT_NS} 125 | NAMESPACE_PARAM="--namespace=$NAMESPACE" 126 | 127 | echo "Collect logs for application release $RELEASE from namespace $NAMESPACE" 128 | if [ $COLLECTDUMP == true ]; then 129 | # check if environment variable - MAX_DUMP_FILES is specified 130 | if [ ! -z "$MAX_DUMP_FILES" ]; then 131 | # check if MAX_DUMP_FILES specifies a valid number 132 | if [ "$MAX_DUMP_FILES" -eq "$MAX_DUMP_FILES" ] 2>/dev/null; then 133 | if [ $MAX_DUMP_FILES -gt 0 ]; then 134 | DUMPFILES=$MAX_DUMP_FILES 135 | else 136 | echo "Invalid core dump file number is specified. It must be greater than 0. Default value $DUMPFILES is used." 137 | fi 138 | else 139 | echo "Invalid core dump file number is specified. It must be a number. Default value $DUMPFILES is used." 140 | fi 141 | fi 142 | 143 | echo "Collect $DUMPFILES core dump files if available" 144 | fi 145 | 146 | PODS=$($KUBECTL get pods "$NAMESPACE_PARAM" -o=jsonpath='{range .items[*]}{.metadata.name}{";"}{end}' -l release=$RELEASE) 147 | if [ -z "${PODS}" ]; then 148 | echo "No Smart Check pods are found in release '$RELEASE' in namespace '$NAMESPACE'. Do you specify correct Smart Check release and namespace? Use option -h for help." 149 | exit 1 150 | fi 151 | 152 | # Get Helm version since 'helm list' on Helm 3 does not display all namespaces unless specified. However, this flag does not exist in Helm 2 153 | case X`helm version --template="{{.Version}}"` in 154 | Xv3.*) 155 | HELM_COMMAND="$HELM list --all-namespaces";; 156 | *) 157 | HELM_COMMAND="$HELM list";; 158 | esac 159 | 160 | # prepare the output folder 161 | MASTER_DIR="${RESULTDIR}/master" 162 | mkdir -p "$MASTER_DIR/apps" 163 | echo "Results folder is: $RESULTDIR" 164 | 165 | ##### 166 | # setting logs 167 | ##### 168 | COMMANDS=( "version:$KUBECTL version" 169 | "components:$KUBECTL get componentstatuses" 170 | "events:$KUBECTL get events --all-namespaces" 171 | "storageclass:$KUBECTL describe storageclass" 172 | "helm:$HELM_COMMAND" 173 | "helm-status:$HELM status $RELEASE" 174 | "nodes:$KUBECTL describe nodes" 175 | "podlist:$KUBECTL get pods --all-namespaces" 176 | "smartcheck-get:$KUBECTL get all --all-namespaces -l release=$RELEASE" 177 | "smartcheck-desc:$KUBECTL describe all --all-namespaces -l release=$RELEASE" 178 | "smartcheck-desc-netpol:$KUBECTL describe networkpolicy --all-namespaces -l release=$RELEASE" 179 | "smartcheck-secrets:$KUBECTL get secrets --all-namespaces -l release=$RELEASE" 180 | "smartcheck-config:$KUBECTL describe configmap --all-namespaces -l release=$RELEASE") 181 | 182 | echo "Fetching setting logs..." 183 | for command in "${COMMANDS[@]}"; do 184 | KEY="${command%%:*}" 185 | VALUE="${command##*:}" 186 | echo "Command:" "$VALUE" > "$MASTER_DIR/$KEY.log" 187 | echo "====================================" >> "$MASTER_DIR/$KEY.log" 188 | $VALUE >> "$MASTER_DIR/$KEY.log" 2>&1 189 | done 190 | 191 | ##### 192 | # application logs 193 | ##### 194 | for pod in $(echo "$PODS" | tr ";" "\n"); do 195 | CONTAINERS=$($KUBECTL get pods "$NAMESPACE_PARAM" "$pod" -o jsonpath='{.spec.initContainers[*].name}') 196 | for container in $CONTAINERS; do 197 | echo "Fetching Deep Security Smart Check logs... $pod - $container" 198 | $KUBECTL logs "$NAMESPACE_PARAM" "$pod" -c "$container" > "$MASTER_DIR/apps/$pod-$container.log" 199 | # check for any previous containers, this would indicate a crash 200 | PREV_LOGFILE="$MASTER_DIR/apps/$pod-$container-previous.log" 201 | if ! $KUBECTL logs "$NAMESPACE_PARAM" "$pod" -c "$container" -p > "$PREV_LOGFILE" 2>/dev/null; then 202 | rm -f "$PREV_LOGFILE" 203 | fi 204 | done 205 | 206 | # list containers in pod 207 | CONTAINERS=$($KUBECTL get pods "$NAMESPACE_PARAM" "$pod" -o jsonpath='{.spec.containers[*].name}') 208 | for container in $CONTAINERS; do 209 | echo "Fetching Deep Security Smart Check logs... $pod - $container" 210 | $KUBECTL logs "$NAMESPACE_PARAM" "$pod" -c "$container" > "$MASTER_DIR/apps/$pod-$container.log" 211 | # check for any previous containers, this would indicate a crash 212 | PREV_LOGFILE="$MASTER_DIR/apps/$pod-$container-previous.log" 213 | if ! $KUBECTL logs "$NAMESPACE_PARAM" "$pod" -c "$container" -p > "$PREV_LOGFILE" 2>/dev/null; then 214 | rm -f "$PREV_LOGFILE" 215 | fi 216 | done 217 | done 218 | 219 | #### 220 | # collect core dump files from malware-scan pods 221 | #### 222 | if [ $COLLECTDUMP == true ]; then 223 | fetchcount=0 224 | for malware_scan_pod in $(echo "$PODS" | tr ";" "\n" | grep malware-scan); do 225 | COREFILES=$($KUBECTL exec "$malware_scan_pod" -- ls /tmp | grep "$COREPATTERN") 226 | if [ -z "$COREFILES" ]; then 227 | continue 228 | fi 229 | 230 | if [ ${#COREFILES[@]} -gt 0 ]; then 231 | mkdir -p "$MASTER_DIR/apps/$malware_scan_pod" 232 | for corefile in $COREFILES; do 233 | if [ $fetchcount -ge $DUMPFILES ]; then 234 | echo "Done fetching $fetchcount dump files" 235 | break 2 236 | fi 237 | echo "Fetching core dump file $corefile from $malware_scan_pod ..." 238 | $KUBECTL cp $malware_scan_pod:/tmp/$corefile "$MASTER_DIR/apps/$malware_scan_pod/$corefile" > /dev/null 239 | ((fetchcount++)) 240 | done 241 | fi 242 | done 243 | fi 244 | 245 | echo "Find collected logs at: $RESULTDIR" -------------------------------------------------------------------------------- /requirements.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/deep-security/smartcheck-helm/2089137b764a9c054d69e1388e104190a1cc8b90/requirements.yaml -------------------------------------------------------------------------------- /templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{ if contains "LoadBalancer" .Values.service.type }} 2 | It may take a few minutes for the LoadBalancer IP to be available. 3 | You can watch the status of the load balancer by running: 4 | 5 | kubectl get svc --watch {{ if not (eq "default" .Release.Namespace) }}--namespace {{ .Release.Namespace }} {{ end }}proxy 6 | {{- else if contains "ClusterIP" .Values.service.type }} 7 | It may take a few seconds for the proxy service to be available. 8 | You can watch the status of the proxy pod by running: 9 | 10 | export POD_NAME=$(kubectl get pods {{ if not (eq "default" .Release.Namespace) }}--namespace {{ .Release.Namespace }} {{ end }}-l "service=proxy,release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 11 | kubectl get {{ if not (eq "default" .Release.Namespace) }}--namespace {{ .Release.Namespace }} {{ end }}--watch pods $POD_NAME 12 | {{- end }} 13 | 14 | 1. Get the application URL by running these commands: 15 | {{- if contains "NodePort" .Values.service.type }} 16 | export NODE_PORT=$(kubectl get {{ if not (eq "default" .Release.Namespace) }}--namespace {{ .Release.Namespace }} {{ end }}-o jsonpath="{.spec.ports[0].nodePort}" services proxy) 17 | export NODE_IP=$(kubectl get nodes {{ if not (eq "default" .Release.Namespace) }}--namespace {{ .Release.Namespace }} {{ end }}-o jsonpath="{.items[0].status.addresses[0].address}") 18 | echo Application URL: https://$NODE_IP:$NODE_PORT/ 19 | {{- else if contains "LoadBalancer" .Values.service.type }} 20 | Google Cloud or Azure: 21 | export SERVICE_IP=$(kubectl get svc {{ if not (eq "default" .Release.Namespace) }}--namespace {{ .Release.Namespace }} {{ end }}proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 22 | AWS: 23 | export SERVICE_IP=$(kubectl get svc {{ if not (eq "default" .Release.Namespace) }}--namespace {{ .Release.Namespace }} {{ end }}proxy -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') 24 | echo https://$SERVICE_IP:{{ default 443 .Values.service.httpsPort }}/ 25 | {{- else if contains "ClusterIP" .Values.service.type }} 26 | echo Application URL: https://localhost:8443/ 27 | kubectl port-forward {{ if not (eq "default" .Release.Namespace) }}--namespace {{ .Release.Namespace }} {{ end }}deployment/proxy 8443:https 28 | 29 | See `kubectl port-forward --help` for more details on what `kubectl port-forward` can do. 30 | {{- end }} 31 | 32 | 2. Get the initial administrator user name and password by running these commands: 33 | 34 | echo Username: $(kubectl get {{ if not (eq "default" .Release.Namespace) }}--namespace {{ .Release.Namespace }} {{ end }}secrets -o jsonpath='{ .data.userName }' {{ template "smartcheck.fullname" . }}-auth | base64 --decode) 35 | echo Password: $(kubectl get {{ if not (eq "default" .Release.Namespace) }}--namespace {{ .Release.Namespace }} {{ end }}secrets -o jsonpath='{ .data.password }' {{ template "smartcheck.fullname" . }}-auth | base64 --decode) 36 | 37 | 3. (Optional) Replace the certificate that the service is using. See the 38 | instructions in the README.md file under "Advanced Topics" > "Replacing the 39 | service certificate" Use the following values in the kubectl commands: 40 | 41 | Release: {{ .Release.Name }} 42 | {{- if not .Values.certificate.secret.name }} 43 | Secret: {{ template "smartcheck.fullname" . }}-tls-certificate 44 | {{- else }} 45 | Secret: {{ .Values.certificate.secret.name }} 46 | {{- end }} 47 | {{- if not (eq "default" .Release.Namespace) }} 48 | Namespace: {{ .Release.Namespace -}} 49 | {{- end }} 50 | 51 | {{ if not .Values.persistence.enabled -}} 52 | ############################################################################### 53 | ##### ##### 54 | ##### WARNING: Persistence is disabled! You will lose your data if the ##### 55 | ##### database pods are terminated. ##### 56 | ##### ##### 57 | ############################################################################### 58 | {{- end -}} 59 | -------------------------------------------------------------------------------- /templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "smartcheck.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | 10 | {{/* 11 | Create a default fully qualified app name. 12 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 13 | If release name contains chart name it will be used as a full name. 14 | */}} 15 | {{- define "smartcheck.fullname" -}} 16 | {{- if .Values.fullnameOverride -}} 17 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 18 | {{- else -}} 19 | {{- $name := default .Chart.Name .Values.nameOverride -}} 20 | {{- if contains $name .Release.Name -}} 21 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 22 | {{- else -}} 23 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 24 | {{- end -}} 25 | {{- end -}} 26 | {{- end -}} 27 | 28 | 29 | {{/* 30 | Create chart name and version as used by the chart label. 31 | */}} 32 | {{- define "smartcheck.chart" -}} 33 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 34 | {{- end -}} 35 | 36 | {{/* Image and pull policy */}} 37 | {{- define "image" -}} 38 | {{- $project := (default (default "deepsecurity" .defaults.project) .image.project) }} 39 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .image.repository) }} 40 | {{- $tag := (default .defaults.tag .image.tag) }} 41 | image: {{ include "image.source" (dict "repository" $repository "registry" .image.registry "tag" $tag "imageDefaults" .defaults "digest" .image.digest) }} 42 | imagePullPolicy: {{ default (default "Always" .defaults.pullPolicy) .image.pullPolicy }} 43 | {{- end -}}{{/* define image*/}} 44 | 45 | {{/* 46 | Create an image source. 47 | */}} 48 | {{- define "image.source" -}} 49 | {{- if or (eq (default "" .registry) "-") (eq (default "-" .imageDefaults.registry) "-") -}} 50 | {{- if .digest -}} 51 | {{- printf "%s@%s" .repository .digest | quote -}} 52 | {{- else -}} 53 | {{- printf "%s:%s" .repository .tag | quote -}} 54 | {{- end -}} 55 | {{- else -}} 56 | {{- if .digest -}} 57 | {{- printf "%s/%s@%s" (default .imageDefaults.registry .registry) .repository .digest | quote -}} 58 | {{- else -}} 59 | {{- printf "%s/%s:%s" (default .imageDefaults.registry .registry) .repository .tag | quote -}} 60 | {{- end -}} 61 | {{- end -}} 62 | {{- end -}} 63 | 64 | 65 | {{/* 66 | Provide network policy for additional outbound ports 67 | */}} 68 | {{- define "smartcheck.networkpolicy.outbound" -}} 69 | {{ if .Values.networkPolicy.enabled }} 70 | {{- range $port := .Values.networkPolicy.additionalOutboundPorts }} 71 | - to: # any 72 | ports: 73 | - protocol: TCP 74 | port: {{ $port }} 75 | {{- end }} 76 | {{- end }} 77 | {{- end -}}{{/*define*/}} 78 | 79 | 80 | {{/* 81 | Provide HTTP proxy environment variables 82 | */}} 83 | {{- define "smartcheck.proxy.env" -}} 84 | - name: _PROXY_CONFIG_CHECKSUM 85 | value: {{ include (print $.Template.BasePath "/outbound-proxy.yaml") . | sha256sum }} 86 | - name: HTTP_PROXY 87 | valueFrom: 88 | configMapKeyRef: 89 | name: {{ template "smartcheck.fullname" . }}-outbound-proxy 90 | key: httpProxy 91 | - name: HTTPS_PROXY 92 | valueFrom: 93 | configMapKeyRef: 94 | name: {{ template "smartcheck.fullname" . }}-outbound-proxy 95 | key: httpsProxy 96 | - name: NO_PROXY 97 | valueFrom: 98 | configMapKeyRef: 99 | name: {{ template "smartcheck.fullname" . }}-outbound-proxy 100 | key: noProxy 101 | - name: PROXY_USER 102 | valueFrom: 103 | secretKeyRef: 104 | name: {{ template "smartcheck.fullname" . }}-outbound-proxy-credentials 105 | key: username 106 | - name: PROXY_PASS 107 | valueFrom: 108 | secretKeyRef: 109 | name: {{ template "smartcheck.fullname" . }}-outbound-proxy-credentials 110 | key: password 111 | {{- end -}}{{/*define*/}} 112 | 113 | 114 | {{- define "smartcheck.to-internal-service-networkpolicy" -}} 115 | - to: 116 | {{- $release := .Release.Name -}} 117 | {{- $heritage := .Release.Service -}} 118 | {{- $extraLabels := default (dict) .Values.extraLabels -}} 119 | {{ range default (list) .services }} 120 | - podSelector: 121 | matchLabels: 122 | service: {{ . }} 123 | release: {{ $release }} 124 | heritage: {{ $heritage }} 125 | {{- range $k, $v := $extraLabels }} 126 | {{ $k }}: {{ quote $v }} 127 | {{- end }}{{/* range $extraLabels */}} 128 | {{- end -}}{{/* range .services */}} 129 | ports: 130 | - protocol: TCP 131 | port: 8081 132 | {{- end -}}{{/* define */}} 133 | 134 | 135 | {{- define "smartcheck.to-dns-networkpolicy" -}} 136 | - to: # any 137 | ports: 138 | - protocol: TCP 139 | port: 53 140 | - protocol: UDP 141 | port: 53 142 | {{- end -}}{{/* define */}} 143 | 144 | 145 | {{- define "smartcheck.to-db-networkpolicy" -}} 146 | {{- if not .Values.db.host }} 147 | - to: 148 | - podSelector: 149 | matchLabels: 150 | service: db 151 | release: {{ .Release.Name }} 152 | heritage: {{ .Release.Service }} 153 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 154 | {{ $k }}: {{ quote $v }} 155 | {{- end }}{{/* .Values.extraLabels **/}} 156 | ports: 157 | - protocol: TCP 158 | port: {{ default 5432 .Values.db.port }} 159 | {{- else }}{{/* Values.db.host */}} 160 | - to: # any 161 | ports: 162 | - protocol: TCP 163 | port: {{ default 5432 .Values.db.port }} 164 | {{- end -}}{{/* Values.db.host */}} 165 | {{- end -}}{{/* define */}} 166 | 167 | 168 | {{/* 169 | Create a database secret for a service 170 | 171 | Example: 172 | include "smartcheck.service.database.secret" (dict "Chart" .Chart "Values" .Values "Release" .Release "service" "auth") 173 | 174 | => a Secret with keys `database-user`, `database-password`, and `database-secret` 175 | 176 | The database user and password will be derived from .Values.auth.secretSeed and the provided service name. 177 | The database secret will be derived from .Values.auth.secretSeed and the release name unless .Values.db.secret is provided, in which case that value will be used. 178 | */}} 179 | {{- define "smartcheck.service.database.secret" -}} 180 | apiVersion: v1 181 | kind: Secret 182 | metadata: 183 | name: {{ template "smartcheck.fullname" . }}-{{ .service }}-db 184 | labels: 185 | app: {{ template "smartcheck.name" . }} 186 | release: "{{ .Release.Name }}" 187 | heritage: "{{ .Release.Service }}" 188 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 189 | {{ $k }}: {{ quote $v }} 190 | {{- end }} 191 | type: Opaque 192 | data: 193 | {{- $user := derivePassword 1 "maximum" (toString (required "You must provide a value for auth.secretSeed. Use --set auth.secretSeed={password} or include a value in your overrides.yaml file." (default .Values.auth.masterPassword .Values.auth.secretSeed))) (join "-" (list .service "db-user")) .Release.Name | toString }} 194 | {{- $userIncludeHost := false -}} {{/* check if user is in format user@host which is usually required by Azure DB for PostgreSQL */}} 195 | {{- if and (not (empty .Values.db.user)) (not (empty .Values.db.host)) -}} 196 | {{- if and (contains "@" .Values.db.user) (hasSuffix ".azure.com" .Values.db.host) -}} 197 | {{- $userIncludeHost = true -}} 198 | {{- end }} 199 | {{- end }} 200 | {{ if $userIncludeHost -}} 201 | {{- $hostParts := (split "." .Values.db.host) -}} 202 | {{- $host := $hostParts._0 -}} 203 | database-user-full: {{ printf "%s@%s" $user $host | b64enc | quote -}} 204 | {{ else -}} 205 | database-user-full: {{ printf "%s" $user | b64enc | quote -}} 206 | {{- end }} 207 | database-user: {{ $user | b64enc | quote }} 208 | database-password: {{ derivePassword 1 "maximum" (toString (default .Values.auth.masterPassword .Values.auth.secretSeed)) (join "-" (list .service "db-password" "2")) .Release.Name | toString | b64enc | quote }} 209 | {{ if .Values.db.secret -}} 210 | database-secret: {{ .Values.db.secret | toString | b64enc | quote }} 211 | {{ else -}} 212 | database-secret: {{ derivePassword 1 "maximum" (toString (default .Values.auth.masterPassword .Values.auth.secretSeed)) "db-secret" .Release.Name | toString | b64enc | quote }} 213 | {{- end }} 214 | {{- end -}}{{/*define*/}} 215 | 216 | 217 | {{/* 218 | Provide database environment variables for a service. 219 | */}} 220 | {{- define "smartcheck.service.database.env" -}} 221 | - name: PGDATABASE 222 | value: {{ join "" (list .service "db") }} 223 | - name: PGHOST 224 | value: {{ default "db" .Values.db.host | quote }} 225 | - name: PGPORT 226 | value: {{ default "5432" .Values.db.port | quote }} 227 | - name: PGSSLMODE 228 | value: {{ if .Values.db.host }}{{ default "" .Values.db.tls.mode | quote }}{{ else }}disable{{ end }} 229 | {{- if hasKey (default (dict) .Values.db) "tls" -}} 230 | {{- if hasKey (default (dict) .Values.db.tls) "ca" }} 231 | {{- if hasKey .Values.db.tls.ca "valueFrom" -}} 232 | {{- if or (ne "" (default "" .Values.db.tls.ca.valueFrom.secretKeyRef.name)) (ne "" (default "" .Values.db.tls.ca.valueFrom.configMapKeyRef.name)) }} 233 | - name: PGSSLROOTCERT 234 | value: /trust/db/ca.pem 235 | {{- end -}}{{/* if secretKeyRef.name || configMapKeyRef.name */}} 236 | {{- end -}}{{/* if hasKey .Values.db.tls.ca.valueFrom */}} 237 | {{- end }}{{/* if hasKey .Values.db.tls "ca" */}} 238 | {{- end }}{{/* if hasKey .Values.db "tls" */}} 239 | - name: _DB_CREDENTIALS_SECRET_CHECKSUM 240 | value: {{ include "smartcheck.service.database.secret" (dict "Chart" .Chart "Values" .Values "Release" .Release "service" .service) | sha256sum }} 241 | - name: PGUSER 242 | valueFrom: 243 | secretKeyRef: 244 | name: {{ template "smartcheck.fullname" . }}-{{ .service }}-db 245 | key: database-user-full 246 | - name: PGPASSWORD 247 | valueFrom: 248 | secretKeyRef: 249 | name: {{ template "smartcheck.fullname" . }}-{{ .service }}-db 250 | key: database-password 251 | - name: PGCONNECT_TIMEOUT 252 | value: "5" 253 | - name: DB_SECRET 254 | valueFrom: 255 | secretKeyRef: 256 | name: {{ template "smartcheck.fullname" . }}-{{ .service }}-db 257 | key: database-secret 258 | - name: DB_MAX_IDLE_CONNS 259 | value: {{ default 25 .Values.db.maxIdleConnections | quote }} 260 | - name: DB_MAX_OPEN_CONNS 261 | value: {{ default 25 .Values.db.maxOpenConnections | quote }} 262 | - name: DB_CONN_MAX_LIFE_TIME 263 | value: {{ default "10m" .Values.db.connMaxLifetime | quote }} 264 | {{- end }}{{/*define*/}} 265 | 266 | {{- define "smartcheck.activation-code.env" -}} 267 | - name: _ACTIVATION_CODE_SECRET_CHECKSUM 268 | value: {{ include (print $.Template.BasePath "/activation-code.yaml") . | sha256sum }} 269 | - name: ACTIVATION_CODE 270 | valueFrom: 271 | secretKeyRef: 272 | name: {{ template "smartcheck.fullname" . }}-activation-code 273 | key: code 274 | {{- end -}}{{/*define */}} 275 | 276 | {{- define "smartcheck.db-trust-volume" -}} 277 | {{- if hasKey (default (dict) .Values.db) "tls" -}} 278 | {{- if hasKey .Values.db.tls "ca" -}} 279 | {{- if hasKey .Values.db.tls.ca "valueFrom" -}} 280 | {{- if or (ne "" (default "" .Values.db.tls.ca.valueFrom.secretKeyRef.name)) (ne "" (default "" .Values.db.tls.ca.valueFrom.configMapKeyRef.name)) -}} 281 | - name: database-ca 282 | {{- if .Values.db.tls.ca.valueFrom.secretKeyRef.name }} 283 | secret: 284 | secretName: {{ .Values.db.tls.ca.valueFrom.secretKeyRef.name }} 285 | items: 286 | - key: {{ required ".key is required!" .Values.db.tls.ca.valueFrom.secretKeyRef.key }} 287 | path: ca.pem 288 | {{- else if .Values.db.tls.ca.valueFrom.configMapKeyRef.name }} 289 | configMap: 290 | name: {{ .Values.db.tls.ca.valueFrom.configMapKeyRef.name }} 291 | items: 292 | - key: {{ required ".key is required!" .Values.db.tls.ca.valueFrom.configMapKeyRef.key }} 293 | path: ca.pem 294 | {{- end -}}{{/* else if .Values.db.tls.ca.valueFrom.configMapKeyRef.name */}} 295 | {{- end -}}{{/* if secretKeyRef.name || configMapKeyRef.name */}} 296 | {{- end -}}{{/* if hasKey .Values.db.tls.ca "valueFrom" */}} 297 | {{- end -}}{{/* if hasKey .Values.db.tls "ca" */}} 298 | {{- end -}}{{/* if hasKey .Values.db "tls" */}} 299 | {{- end -}} 300 | 301 | {{- define "smartcheck.db-trust-volume-mount" -}} 302 | {{- if hasKey (default (dict) .Values.db) "tls" -}} 303 | {{- if hasKey .Values.db.tls "ca" -}} 304 | {{- if hasKey .Values.db.tls.ca "valueFrom" -}} 305 | {{- if or (ne "" (default "" .Values.db.tls.ca.valueFrom.secretKeyRef.name)) (ne "" (default "" .Values.db.tls.ca.valueFrom.configMapKeyRef.name)) -}} 306 | - name: database-ca 307 | mountPath: /trust/db 308 | readOnly: true 309 | {{- end -}}{{/* if secretKeyRef.name || configMapKeyRef.name */}} 310 | {{- end -}}{{/* if hasKey .Values.db.tls.ca "valueFrom" */}} 311 | {{- end -}}{{/* if hasKey .Values.db.tls "ca" */}} 312 | {{- end -}}{{/* if hasKey .Values.db "tls" */}} 313 | {{- end -}} 314 | 315 | 316 | {{/* 317 | DB init container 318 | */}} 319 | {{- define "smartcheck.db-initcontainer" -}} 320 | name: db-init 321 | {{- if .Values.securityContext.enabled }} 322 | {{- $securityContext := default .Values.securityContext.default (index .Values.securityContext .service) }} 323 | {{- $initDBContainerSecurityContext := default .Values.securityContext.default.container $securityContext.initDBContainer }} 324 | securityContext: {{- toYaml $initDBContainerSecurityContext | nindent 4 }} 325 | {{- end }}{{/* if .Values.securityContext.enabled */}} 326 | {{- $imageDefaults := .Values.images.defaults }} 327 | {{- with .Values.images.dbInitializer -}} 328 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 329 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 330 | {{- $tag := (default $imageDefaults.tag .tag) }} 331 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 332 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 333 | {{- end }}{{/* with .Values.images.dbInitializer */}} 334 | args: 335 | - postgres 336 | - --service-username=$(SERVICE_USER) 337 | - --service-password=$(SERVICE_PASS) 338 | - --service-database=$(SERVICE_DB) 339 | {{- $volumeMounts := include "smartcheck.db-trust-volume-mount" . | nindent 2 }} 340 | {{- if (trim $volumeMounts) }} 341 | volumeMounts: 342 | {{- $volumeMounts }} 343 | {{- end }}{{/* if $volumeMounts */}} 344 | env: 345 | - name: PGHOST 346 | value: {{ default "db" .Values.db.host | quote }} 347 | - name: PGPORT 348 | value: {{ default "5432" .Values.db.port | quote }} 349 | - name: PGSSLMODE 350 | value: {{ if .Values.db.host }}{{ default "" .Values.db.tls.mode | quote }}{{ else }}disable{{ end }} 351 | {{- if hasKey (default (dict) .Values.db) "tls" -}} 352 | {{- if hasKey (default (dict) .Values.db.tls) "ca" }} 353 | {{- if hasKey .Values.db.tls.ca "valueFrom" -}} 354 | {{- if or (ne "" (default "" .Values.db.tls.ca.valueFrom.secretKeyRef.name)) (ne "" (default "" .Values.db.tls.ca.valueFrom.configMapKeyRef.name)) }} 355 | - name: PGSSLROOTCERT 356 | value: /trust/db/ca.pem 357 | {{- end -}}{{/* if secretKeyRef.name || configMapKeyRef.name */}} 358 | {{- end -}}{{/* if hasKey .Values.db.tls.ca.valueFrom */}} 359 | {{- end }}{{/* if hasKey .Values.db.tls "ca" */}} 360 | {{- end }}{{/* if hasKey .Values.db "tls" */}} 361 | - name: PGUSER 362 | valueFrom: 363 | secretKeyRef: 364 | key: database-user 365 | name: {{ template "smartcheck.fullname" . }}-db 366 | - name: PGPASSWORD 367 | valueFrom: 368 | secretKeyRef: 369 | key: database-password 370 | name: {{ template "smartcheck.fullname" . }}-db 371 | - name: PGCONNECT_TIMEOUT 372 | value: "5" 373 | - name: SERVICE_DB 374 | value: {{ .service }}db 375 | - name: SERVICE_USER 376 | valueFrom: 377 | secretKeyRef: 378 | key: database-user 379 | name: {{ template "smartcheck.fullname" . }}-{{ .service }}-db 380 | - name: SERVICE_PASS 381 | valueFrom: 382 | secretKeyRef: 383 | key: database-password 384 | name: {{ template "smartcheck.fullname" . }}-{{ .service }}-db 385 | {{- range $key, $value := .Values.db.env }} 386 | - name: {{ $key }} 387 | value: {{ $value }} 388 | {{- end }} 389 | resources: {{ toYaml (default .Values.resources.defaults .Values.resources.dbInit) | nindent 2 }} 390 | {{- end -}}{{/* define */}} 391 | 392 | {{/* 393 | Vulnerability DB init container 394 | */}} 395 | {{- define "smartcheck.vulndb-initcontainer" -}} 396 | name: {{ .service }}-db-init 397 | {{- if .Values.securityContext.enabled }} 398 | {{- $securityContext := default .Values.securityContext.default (index .Values.securityContext .service) }} 399 | {{- $initVulnDBContainerSecurityContext := default .Values.securityContext.default.container $securityContext.initVulnDBContainer }} 400 | securityContext: {{- toYaml $initVulnDBContainerSecurityContext | nindent 4 }} 401 | {{- end }}{{/* if .Values.securityContext.enabled */}} 402 | {{- $imageDefaults := .Values.images.defaults }} 403 | {{- with .Values.images.vulnDBInitializer -}} 404 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 405 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 406 | {{- $tag := (default $imageDefaults.tag .tag) }} 407 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 408 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 409 | {{- end }}{{/* with .Values.images.vulnDBInitializer */}} 410 | {{- $volumeMounts := include "smartcheck.db-trust-volume-mount" . | nindent 2 }} 411 | {{- if (trim $volumeMounts) }} 412 | volumeMounts: 413 | {{- $volumeMounts }} 414 | {{- end }}{{/* if $volumeMounts */}} 415 | env: 416 | {{- include "smartcheck.service.database.env" (dict "Chart" .Chart "Release" .Release "Values" .Values "service" .service) | nindent 2 }} 417 | resources: {{ toYaml (default .Values.resources.defaults .Values.resources.vulnDBInit) | nindent 2 }} 418 | args: 419 | - {{ .Values.vulnerabilityScan.appendSeverity | quote }} 420 | - {{ .Values.vulnerabilityScan.forceRestoreDB | quote }} 421 | {{- end -}}{{/* define */}} 422 | 423 | 424 | {{/* 425 | Service account name 426 | */}} 427 | {{- define "smartcheck.service.account.name" -}} 428 | {{- if (index (index .Values.serviceAccount .role) "annotations") -}} 429 | {{ template "smartcheck.fullname" . }}-{{ lower .role }} 430 | {{- else -}} 431 | default 432 | {{- end -}}{{/* if */}} 433 | {{- end -}}{{/* define */}} 434 | 435 | {{/* 436 | Create a service account for a service 437 | 438 | Example: 439 | include "smartcheck.service.account" (dict "Chart" .Chart "Values" .Values "Release" .Release "role" "registryRead" "annotations" $annotationsMap) 440 | */}} 441 | 442 | {{- define "smartcheck.service.account" -}} 443 | apiVersion: v1 444 | kind: ServiceAccount 445 | metadata: 446 | name: {{ include "smartcheck.service.account.name" (dict "Chart" .Chart "Values" .Values "Release" .Release "role" .role) }} 447 | annotations: 448 | {{- range $key, $value := .annotations }} 449 | {{ $key }}: {{ $value | quote }} 450 | {{- end }} 451 | {{- end -}}{{/* define */}} 452 | 453 | {{- define "smartcheck.auth.initial-user.secret" -}} 454 | apiVersion: v1 455 | kind: Secret 456 | metadata: 457 | name: {{ template "smartcheck.fullname" . }}-auth 458 | labels: 459 | app: {{ template "smartcheck.name" . }} 460 | release: "{{ .Release.Name }}" 461 | heritage: "{{ .Release.Service }}" 462 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 463 | {{ $k }}: {{ quote $v }} 464 | {{- end }} 465 | type: Opaque 466 | data: 467 | userName: {{ default "administrator" .Values.auth.userName | toString | b64enc | quote }} 468 | password: {{ default (derivePassword 1 "maximum" (toString (default .Values.auth.masterPassword .Values.auth.secretSeed)) (default "administrator" .Values.auth.userName) .Release.Name) .Values.auth.password | toString | b64enc | quote }} 469 | {{- end -}}{{/* define */}} 470 | -------------------------------------------------------------------------------- /templates/activation-code.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: {{ template "smartcheck.fullname" . }}-activation-code 5 | labels: 6 | app: {{ template "smartcheck.name" . }} 7 | release: "{{ .Release.Name }}" 8 | heritage: "{{ .Release.Service }}" 9 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 10 | {{ $k }}: {{ quote $v }} 11 | {{- end }} 12 | {{- if not (empty .Values.activationCode) }} 13 | {{- $ac := .Values.activationCode | regexFind "^[A-Z0-9]{2}-[A-Z0-9]{4}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}$" | required ".Values.activationCode is invalid. It should be in a form of XX-XXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX" }} 14 | {{- end }} 15 | type: Opaque 16 | data: 17 | code: {{ default "" .Values.activationCode | toString | b64enc | quote }} 18 | -------------------------------------------------------------------------------- /templates/auth.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: auth 5 | labels: 6 | service: auth 7 | release: {{ .Release.Name }} 8 | heritage: {{ .Release.Service }} 9 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 10 | {{ $k }}: {{ quote $v }} 11 | {{- end }}{{/* range .Values.extraLabels */}} 12 | spec: 13 | ports: 14 | - port: 8080 15 | protocol: TCP 16 | name: external 17 | selector: 18 | service: auth 19 | release: {{ .Release.Name }} 20 | 21 | --- 22 | {{ include "smartcheck.service.database.secret" (dict "Chart" .Chart "Values" .Values "Release" .Release "service" "auth") }} 23 | --- 24 | {{ include "smartcheck.auth.initial-user.secret" . }} 25 | --- 26 | apiVersion: v1 27 | kind: Service 28 | metadata: 29 | name: auth-internal 30 | labels: 31 | service: auth-internal 32 | release: {{ .Release.Name }} 33 | heritage: {{ .Release.Service }} 34 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 35 | {{ $k }}: {{ quote $v }} 36 | {{- end }}{{/* range .Values.extraLabels */}} 37 | spec: 38 | ports: 39 | - port: 8081 40 | protocol: TCP 41 | name: internal 42 | selector: 43 | service: auth 44 | release: {{ .Release.Name }} 45 | 46 | --- 47 | apiVersion: apps/v1 48 | kind: Deployment 49 | metadata: 50 | name: auth 51 | labels: 52 | service: auth 53 | release: {{ .Release.Name }} 54 | heritage: {{ .Release.Service }} 55 | appVersion: {{ .Chart.AppVersion }} 56 | metrics: include 57 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 58 | {{ $k }}: {{ quote $v }} 59 | {{- end }}{{/* range .Values.extraLabels */}} 60 | spec: 61 | # We set revisionHistoryLimit to 0 because rollback should be done 62 | # using `helm rollback` rather than with `kubectl rollout undo`, so 63 | # we don't need to keep the old `ReplicaSet`s around. 64 | # https://kubernetes.io/docs/concepts/workloads/controllers/deployment 65 | revisionHistoryLimit: 0 66 | replicas: {{ default 1 .Values.replicas.auth }} 67 | selector: 68 | matchLabels: 69 | service: auth 70 | release: {{ .Release.Name }} 71 | template: 72 | metadata: 73 | labels: 74 | service: auth 75 | release: {{ .Release.Name }} 76 | heritage: {{ .Release.Service }} 77 | appVersion: {{ .Chart.AppVersion }} 78 | metrics: include 79 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 80 | {{ $k }}: {{ quote $v }} 81 | {{- end }}{{/* range .Values.extraLabels */}} 82 | spec: 83 | automountServiceAccountToken: false 84 | {{- $securityContextEnabled := .Values.securityContext.enabled }} 85 | {{- $securityContext := default .Values.securityContext.default .Values.securityContext.auth }} 86 | {{- $podSecurityContext := default .Values.securityContext.default.pod $securityContext.pod }} 87 | {{- $containerSecurityContext := default .Values.securityContext.default.container $securityContext.container }} 88 | {{- if $securityContextEnabled }} 89 | securityContext: {{ toYaml $podSecurityContext | nindent 8 }} 90 | {{- end }}{{/* if $securityContextEnabled */}} 91 | initContainers: 92 | - {{ include "smartcheck.db-initcontainer" (dict "Values" .Values "Chart" .Chart "Release" .Release "service" "auth") | nindent 10 | trim }} 93 | 94 | {{- $imageDefaults := .Values.images.defaults }} 95 | {{- with .Values.images.auth }} 96 | {{- $secret := (default (default "" $imageDefaults.imagePullSecret) .imagePullSecret) }} 97 | {{- if $secret }} 98 | imagePullSecrets: 99 | - name: {{ $secret | quote }} 100 | {{- end }}{{/* if $secret */}} 101 | containers: 102 | - name: auth 103 | {{- if $securityContextEnabled }} 104 | securityContext: {{ toYaml $containerSecurityContext | nindent 12 }} 105 | {{- end }} 106 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 107 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 108 | {{- $tag := (default $imageDefaults.tag .tag) }} 109 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 110 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 111 | {{- end }}{{/* with .Values.images.auth */}} 112 | ports: 113 | - containerPort: 8080 114 | name: external 115 | - containerPort: 8081 116 | name: internal 117 | - containerPort: 8082 118 | name: metrics 119 | - containerPort: 8083 120 | name: health 121 | livenessProbe: 122 | httpGet: 123 | path: /health 124 | port: 8083 125 | initialDelaySeconds: 10 126 | timeoutSeconds: 5 127 | failureThreshold: 6 128 | readinessProbe: 129 | httpGet: 130 | path: /health 131 | port: 8083 132 | initialDelaySeconds: 10 133 | timeoutSeconds: 5 134 | failureThreshold: 6 135 | args: 136 | - --internal-base=http://auth-internal:8081 137 | - --authorization-url=http://localhost:8081 # see https://github.com/kubernetes/kubernetes/issues/61593 138 | - --database-connection-string=postgres:postgres:// 139 | - --database-secret=$(DB_SECRET) 140 | - --initial-role={{ default "admin" .Values.auth.roleName }} 141 | - --auditor-role={{ default "auditor" .Values.auth.auditorRoleName }} 142 | - --user-role={{ default "user" .Values.auth.userRoleName }} 143 | - --initial-user=$(INITIAL_USER) 144 | - --initial-password=$(INITIAL_PASSWORD) 145 | - --token-audience={{ default "deepsecurity-smartcheck" .Values.auth.tokenAudience }} 146 | - --use-strict-transport-security=true 147 | - --use-strict-transport-security-includes-subdomains=false 148 | - --use-strict-transport-security-includes-preload=false 149 | {{- if .Values.auth.saml.enabled }} 150 | - --saml-entity-id={{ .Values.auth.saml.entityID }} 151 | - --saml-assertion-consumer-url={{ .Values.auth.saml.location }} 152 | - --saml-max-roles={{ default 10 .Values.auth.saml.maxRoles }} 153 | {{- end }}{{/* if .Values.auth.saml.enabled */}} 154 | {{- if .Values.telemetry.enabled }} 155 | - --telemetry-endpoint=http://metrics-internal:8081 156 | {{- end }} 157 | {{- if .Values.auth.sessionDuration }} 158 | - --token-lifetime={{ .Values.auth.sessionDuration }} 159 | {{- end }}{{/* if .Values.auth.sessionDuration */}} 160 | {{- if .Values.auth.sessionKeyLifetime }} 161 | - --token-key-lifetime={{ .Values.auth.sessionKeyLifetime }} 162 | {{- end }}{{/* if .Values.auth.sessionKeyLifetime */}} 163 | env: 164 | {{- include "smartcheck.service.database.env" (dict "Chart" .Chart "Release" .Release "Values" .Values "service" "auth") | nindent 12 }} 165 | {{- include "smartcheck.proxy.env" . | nindent 12 }} 166 | - name: _INITIAL_USER_SECRET_CHECKSUM 167 | value: {{ include "smartcheck.auth.initial-user.secret" . | sha256sum }} 168 | - name: INITIAL_USER 169 | valueFrom: 170 | secretKeyRef: 171 | key: userName 172 | name: {{ template "smartcheck.fullname" . }}-auth 173 | - name: INITIAL_PASSWORD 174 | valueFrom: 175 | secretKeyRef: 176 | key: password 177 | name: {{ template "smartcheck.fullname" . }}-auth 178 | volumeMounts: 179 | {{- $volumeMounts := include "smartcheck.db-trust-volume-mount" . | nindent 12 }} 180 | {{- if (trim $volumeMounts) }} 181 | {{- $volumeMounts }} 182 | {{- else }} 183 | [] 184 | {{- end }}{{/* if $volumeMounts */}} 185 | resources: {{ toYaml (default .Values.resources.defaults .Values.resources.auth) | nindent 12 }} 186 | volumes: 187 | {{- $volumes := include "smartcheck.db-trust-volume" . | nindent 8 }} 188 | {{- if (trim $volumes) }} 189 | {{- $volumes }} 190 | {{- else }} 191 | [] 192 | {{- end }}{{/* if $volumes */}} 193 | nodeSelector: {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.auth) | nindent 8 }} 194 | tolerations: {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.auth) | nindent 8 }} 195 | restartPolicy: Always 196 | 197 | {{ if .Values.networkPolicy.enabled }} 198 | --- 199 | apiVersion: networking.k8s.io/v1 200 | kind: NetworkPolicy 201 | metadata: 202 | name: auth 203 | labels: 204 | service: auth 205 | release: {{ .Release.Name }} 206 | heritage: {{ .Release.Service }} 207 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 208 | {{ $k }}: {{ quote $v }} 209 | {{- end }}{{/* range .Values.extraLabels */}} 210 | spec: 211 | podSelector: 212 | matchLabels: 213 | service: auth 214 | release: {{ .Release.Name }} 215 | heritage: {{ .Release.Service }} 216 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 217 | {{ $k }}: {{ quote $v }} 218 | {{- end }}{{/* range .Values.extraLabels */}} 219 | policyTypes: 220 | - Ingress 221 | - Egress 222 | ingress: 223 | - from: 224 | - podSelector: 225 | matchLabels: 226 | service: proxy 227 | release: {{ .Release.Name }} 228 | heritage: {{ .Release.Service }} 229 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 230 | {{ $k }}: {{ quote $v }} 231 | {{- end }}{{/* range .Values.extraLabels */}} 232 | ports: 233 | - protocol: TCP 234 | port: 8080 235 | - from: 236 | - podSelector: 237 | matchLabels: 238 | service: registryviews 239 | release: {{ .Release.Name }} 240 | heritage: {{ .Release.Service }} 241 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 242 | {{ $k }}: {{ quote $v }} 243 | {{- end }}{{/* range .Values.extraLabels */}} 244 | - podSelector: 245 | matchLabels: 246 | service: scan 247 | release: {{ .Release.Name }} 248 | heritage: {{ .Release.Service }} 249 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 250 | {{ $k }}: {{ quote $v }} 251 | {{- end }}{{/* range .Values.extraLabels */}} 252 | - podSelector: 253 | matchLabels: 254 | service: auth 255 | release: {{ .Release.Name }} 256 | heritage: {{ .Release.Service }} 257 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 258 | {{ $k }}: {{ quote $v }} 259 | {{- end }}{{/* range .Values.extraLabels */}} 260 | - podSelector: 261 | matchLabels: 262 | service: license 263 | release: {{ .Release.Name }} 264 | heritage: {{ .Release.Service }} 265 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 266 | {{ $k }}: {{ quote $v }} 267 | {{- end }}{{/* range .Values.extraLabels */}} 268 | ports: 269 | - protocol: TCP 270 | port: 8081 271 | - from: # any -- this is for metrics 272 | ports: 273 | - protocol: TCP 274 | port: 8082 275 | - from: # any -- this should just be kubelet for health probes 276 | ports: 277 | - protocol: TCP 278 | port: 8083 279 | egress: 280 | {{- include "smartcheck.to-dns-networkpolicy" . | nindent 4 }} 281 | {{- include "smartcheck.to-db-networkpolicy" . | nindent 4 }} 282 | {{- include "smartcheck.to-internal-service-networkpolicy" (dict "Release" .Release "Values" .Values "services" (list "auth" "metrics")) | nindent 4 }} 283 | # allow egress on ports 443 / 80 for access to SAML metadata 284 | - to: # any 285 | ports: 286 | - protocol: TCP 287 | port: 443 288 | - protocol: TCP 289 | port: 80 290 | {{- end }}{{/* if networkPolicy.enabled */}} 291 | -------------------------------------------------------------------------------- /templates/content-scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: content-scan-internal 5 | labels: 6 | service: content-scan 7 | release: {{ .Release.Name }} 8 | heritage: {{ .Release.Service }} 9 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 10 | {{ $k }}: {{ quote $v }} 11 | {{- end }} 12 | spec: 13 | ports: 14 | - port: 8081 15 | targetPort: 8081 16 | protocol: TCP 17 | name: internal 18 | selector: 19 | service: content-scan 20 | release: {{ .Release.Name }} 21 | 22 | --- 23 | apiVersion: apps/v1 24 | kind: Deployment 25 | metadata: 26 | name: content-scan 27 | labels: 28 | service: content-scan 29 | release: {{ .Release.Name }} 30 | heritage: {{ .Release.Service }} 31 | appVersion: {{ .Chart.AppVersion }} 32 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 33 | {{ $k }}: {{ quote $v }} 34 | {{- end }} 35 | spec: 36 | # We set revisionHistoryLimit to 0 because rollback should be done 37 | # using `helm rollback` rather than with `kubectl rollout undo`, so 38 | # we don't need to keep the old `ReplicaSet`s around. 39 | # https://kubernetes.io/docs/concepts/workloads/controllers/deployment 40 | revisionHistoryLimit: 0 41 | replicas: {{ default 1 .Values.replicas.contentScan }} 42 | selector: 43 | matchLabels: 44 | service: content-scan 45 | release: {{ .Release.Name }} 46 | template: 47 | metadata: 48 | labels: 49 | service: content-scan 50 | release: {{ .Release.Name }} 51 | heritage: {{ .Release.Service }} 52 | appVersion: {{ .Chart.AppVersion }} 53 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 54 | {{ $k }}: {{ quote $v }} 55 | {{- end }} 56 | spec: 57 | automountServiceAccountToken: false 58 | {{- $securityContextEnabled := .Values.securityContext.enabled }} 59 | {{- $securityContext := default .Values.securityContext.default .Values.securityContext.contentScan }} 60 | {{- $podSecurityContext := default .Values.securityContext.default.pod $securityContext.pod }} 61 | {{- $containerSecurityContext := default .Values.securityContext.default.container $securityContext.container }} 62 | {{- if $securityContextEnabled }} 63 | securityContext: 64 | {{ toYaml $podSecurityContext | indent 8 }} 65 | {{- end }} 66 | {{- $imageDefaults := .Values.images.defaults }} 67 | {{- with .Values.images.contentScan }} 68 | {{- $secret := (default (default "" $imageDefaults.imagePullSecret) .imagePullSecret) }} 69 | {{- if not (eq "" $secret) }} 70 | imagePullSecrets: 71 | - name: {{ $secret | quote }} 72 | {{- end }} 73 | containers: 74 | - name: content-scan 75 | {{- if $securityContextEnabled }} 76 | securityContext: 77 | {{ toYaml $containerSecurityContext | indent 12 }} 78 | {{- end }} 79 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 80 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 81 | {{- $tag := (default $imageDefaults.tag .tag) }} 82 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 83 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 84 | {{- end }} 85 | ports: 86 | - containerPort: 8081 87 | name: internal 88 | # TODO probes 89 | # livenessProbe: 90 | # readinessProbe: 91 | args: 92 | - --bind-port=8081 93 | env: [] 94 | volumeMounts: 95 | - name: tmp-folder 96 | mountPath: /tmp 97 | resources: 98 | {{ toYaml (default .Values.resources.defaults .Values.resources.contentScan) | indent 12 }} 99 | volumes: 100 | - name: tmp-folder 101 | emptyDir: 102 | sizeLimit: {{ default "1Gi" .Values.scan.contentScan.workVolume.sizeLimit | quote }} 103 | nodeSelector: 104 | {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.contentScan) | indent 8 }} 105 | tolerations: 106 | {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.contentScan) | indent 8 }} 107 | restartPolicy: Always 108 | 109 | {{ if .Values.networkPolicy.enabled }} 110 | --- 111 | apiVersion: networking.k8s.io/v1 112 | kind: NetworkPolicy 113 | metadata: 114 | name: content-scan 115 | labels: 116 | service: content-scan 117 | release: {{ .Release.Name }} 118 | heritage: {{ .Release.Service }} 119 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 120 | {{ $k }}: {{ quote $v }} 121 | {{- end }} 122 | spec: 123 | podSelector: 124 | matchLabels: 125 | service: content-scan 126 | release: {{ .Release.Name }} 127 | heritage: {{ .Release.Service }} 128 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 129 | {{ $k }}: {{ quote $v }} 130 | {{- end }} 131 | policyTypes: 132 | - Ingress 133 | - Egress 134 | ingress: 135 | - from: 136 | - podSelector: 137 | matchLabels: 138 | service: scan 139 | release: {{ .Release.Name }} 140 | heritage: {{ .Release.Service }} 141 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 142 | {{ $k }}: {{ quote $v }} 143 | {{- end }} 144 | ports: 145 | - protocol: TCP 146 | port: 8081 147 | egress: 148 | - to: 149 | - podSelector: 150 | matchLabels: 151 | service: scan 152 | release: {{ .Release.Name }} 153 | heritage: {{ .Release.Service }} 154 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 155 | {{ $k }}: {{ quote $v }} 156 | {{- end }} 157 | ports: 158 | - protocol: TCP 159 | port: 8081 160 | - to: # any 161 | ports: 162 | - protocol: TCP 163 | port: 53 164 | - protocol: UDP 165 | port: 53 166 | {{- end }} 167 | -------------------------------------------------------------------------------- /templates/db.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.db.host -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: db 6 | labels: 7 | service: db 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 11 | {{ $k }}: {{ quote $v }} 12 | {{- end }} 13 | spec: 14 | type: ClusterIP 15 | ports: 16 | - port: 5432 17 | protocol: TCP 18 | name: db 19 | selector: 20 | service: db 21 | release: {{ .Release.Name }} 22 | 23 | {{ if .Values.persistence.enabled }} 24 | --- 25 | apiVersion: v1 26 | kind: PersistentVolumeClaim 27 | metadata: 28 | name: {{ template "smartcheck.fullname" . }}-app-db 29 | labels: 30 | service: db 31 | release: {{ .Release.Name }} 32 | heritage: {{ .Release.Service }} 33 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 34 | {{ $k }}: {{ quote $v }} 35 | {{- end }} 36 | spec: 37 | accessModes: 38 | - ReadWriteOnce 39 | {{- $storageClassName := default (default "" .Values.persistence.storageClassName) .Values.persistence.db.storageClassName }} 40 | {{- if $storageClassName }} 41 | storageClassName: {{ $storageClassName }} 42 | {{- end }} 43 | resources: 44 | requests: 45 | storage: {{ default "8Gi" .Values.persistence.db.size }} 46 | 47 | {{ end }} 48 | --- 49 | apiVersion: apps/v1 50 | kind: Deployment 51 | metadata: 52 | name: db 53 | labels: 54 | service: db 55 | release: {{ .Release.Name }} 56 | heritage: {{ .Release.Service }} 57 | appVersion: {{ .Chart.AppVersion }} 58 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 59 | {{ $k }}: {{ quote $v }} 60 | {{- end }} 61 | spec: 62 | # We use `Recreate` as the update strategy because a rolling update 63 | # will not work -- the new pod won't come up because it can't mount 64 | # the ReadWriteOnce PV. 65 | strategy: 66 | type: Recreate 67 | # Providing an explicitly-null rollingUpdate because of helm#5144 68 | rollingUpdate: null 69 | # We set revisionHistoryLimit to 0 because rollback should be done 70 | # using `helm rollback` rather than with `kubectl rollout undo`, so 71 | # we don't need to keep the old `ReplicaSet`s around. 72 | # https://kubernetes.io/docs/concepts/workloads/controllers/deployment 73 | revisionHistoryLimit: 0 74 | replicas: {{ default 1 .Values.replicas.db }} 75 | selector: 76 | matchLabels: 77 | service: db 78 | release: {{ .Release.Name }} 79 | template: 80 | metadata: 81 | labels: 82 | service: db 83 | release: {{ .Release.Name }} 84 | heritage: {{ .Release.Service }} 85 | appVersion: {{ .Chart.AppVersion }} 86 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 87 | {{ $k }}: {{ quote $v }} 88 | {{- end }} 89 | spec: 90 | automountServiceAccountToken: false 91 | {{- $securityContextEnabled := .Values.securityContext.enabled }} 92 | {{- $securityContext := default .Values.securityContext.default .Values.securityContext.db }} 93 | {{- $podSecurityContext := default .Values.securityContext.default.pod $securityContext.pod }} 94 | {{- $containerSecurityContext := default .Values.securityContext.default.container $securityContext.container }} 95 | {{- if $securityContextEnabled }} 96 | securityContext: 97 | {{ toYaml $podSecurityContext | indent 8 }} 98 | {{- end }} 99 | {{- $imageDefaults := .Values.images.defaults }} 100 | {{- with .Values.images.db }} 101 | {{- $secret := (default (default "" $imageDefaults.imagePullSecret) .imagePullSecret) }} 102 | {{- if not (eq "" $secret) }} 103 | imagePullSecrets: 104 | - name: {{ $secret | quote }} 105 | {{- end }} 106 | containers: 107 | - name: db 108 | {{- if $securityContextEnabled }} 109 | securityContext: 110 | {{ toYaml $containerSecurityContext | indent 12 }} 111 | {{- end }} 112 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 113 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 114 | {{- $tag := (default $imageDefaults.tag .tag) }} 115 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 116 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 117 | {{- end }} 118 | ports: 119 | - name: db 120 | containerPort: 5432 121 | livenessProbe: 122 | exec: 123 | command: 124 | - sh 125 | - -c 126 | - exec pg_isready -U "$POSTGRES_USER" 127 | initialDelaySeconds: 10 128 | timeoutSeconds: 15 129 | failureThreshold: 3 130 | readinessProbe: 131 | exec: 132 | command: 133 | - sh 134 | - -c 135 | - exec pg_isready -U "$POSTGRES_USER" 136 | initialDelaySeconds: 10 137 | timeoutSeconds: 15 138 | failureThreshold: 60 139 | env: 140 | ## POSTGRES_DB 141 | ## This optional environment variable can be used to define a different name for the default 142 | ## database that is created when the image is first started. If it is not specified, then the 143 | ## value of POSTGRES_USER will be used. 144 | ## See also: https://hub.docker.com/_/postgres/ 145 | - name: POSTGRES_DB 146 | value: "" 147 | 148 | ## POSTGRES_INITDB_ARGS 149 | ## This optional environment variable can be used to send arguments to postgres initdb. 150 | ## The value is a space separated string of arguments as postgres initdb would expect them. 151 | ## See also: https://hub.docker.com/_/postgres/ 152 | - name: POSTGRES_INITDB_ARGS 153 | value: "" 154 | 155 | ## PGDATA 156 | ## This optional environment variable can be used to define another location - like a subdirectory 157 | ## - for the database files. The default is /var/lib/postgresql/data, but if the data volume you're 158 | ## using is a fs mountpoint (like with GCE persistent disks), Postgres initdb recommends a subdirectory 159 | ## (for example /var/lib/postgresql/data/pgdata ) be created to contain the data. 160 | ## See also: https://hub.docker.com/_/postgres/ 161 | - name: PGDATA 162 | value: /var/lib/postgresql/data/pgdata 163 | 164 | ## POSTGRES_USER 165 | ## This optional environment variable is used in conjunction with POSTGRES_PASSWORD to set a user 166 | ## and its password. This variable will create the specified user with superuser power and a database 167 | ## with the same name. If it is not specified, then the default user of postgres will be used. 168 | ## See also: https://hub.docker.com/_/postgres/ 169 | - name: POSTGRES_USER 170 | valueFrom: 171 | secretKeyRef: 172 | key: database-user 173 | name: {{ template "smartcheck.fullname" . }}-db 174 | 175 | ## POSTGRES_PASSWORD 176 | ## This environment variable is recommended for you to use the PostgreSQL image. This environment 177 | ## variable sets the superuser password for PostgreSQL. The default superuser is defined by the 178 | ## POSTGRES_USER environment variable. 179 | ## 180 | ## Note 1: The PostgreSQL image sets up trust authentication locally so you may notice a password 181 | ## is not required when connecting from localhost (inside the same container). However, a password 182 | ## will be required if connecting from a different host/container. 183 | ## 184 | ## Note 2: This variable defines the superuser password in the PostgreSQL instance, as set by the 185 | ## initdb script during inital container startup. It has no effect on the PGPASSWORD environment 186 | ## variable that may be used by the psql client at runtime, as described at 187 | ## https://www.postgresql.org/docs/10/static/libpq-envars.html. 188 | ## See also: https://hub.docker.com/_/postgres/ 189 | - name: POSTGRES_PASSWORD 190 | valueFrom: 191 | secretKeyRef: 192 | key: database-password 193 | name: {{ template "smartcheck.fullname" . }}-db 194 | 195 | volumeMounts: 196 | - name: varrun 197 | mountPath: /var/run/postgresql 198 | - name: tmp 199 | mountPath: /tmp 200 | - name: data 201 | mountPath: /var/lib/postgresql/data 202 | subPath: postgresql-db 203 | resources: 204 | {{ toYaml (default .Values.resources.defaults .Values.resources.db) | indent 12 }} 205 | volumes: 206 | - name: varrun 207 | emptyDir: 208 | sizeLimit: 1Mi 209 | - name: tmp 210 | emptyDir: 211 | sizeLimit: 100Mi 212 | - name: data 213 | {{ if .Values.persistence.enabled }} 214 | persistentVolumeClaim: 215 | claimName: {{ template "smartcheck.fullname" . }}-app-db 216 | {{ else }} 217 | emptyDir: 218 | sizeLimit: {{ default "8Gi" .Values.persistence.db.size }} 219 | {{ end }} 220 | nodeSelector: 221 | {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.db) | indent 8 }} 222 | tolerations: 223 | {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.db) | indent 8 }} 224 | restartPolicy: Always 225 | 226 | {{ if .Values.networkPolicy.enabled }} 227 | --- 228 | apiVersion: networking.k8s.io/v1 229 | kind: NetworkPolicy 230 | metadata: 231 | name: db 232 | labels: 233 | service: db 234 | release: {{ .Release.Name }} 235 | heritage: {{ .Release.Service }} 236 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 237 | {{ $k }}: {{ quote $v }} 238 | {{- end }} 239 | spec: 240 | podSelector: 241 | matchLabels: 242 | service: db 243 | release: {{ .Release.Name }} 244 | heritage: {{ .Release.Service }} 245 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 246 | {{ $k }}: {{ quote $v }} 247 | {{- end }} 248 | policyTypes: 249 | - Ingress 250 | - Egress 251 | ingress: 252 | - from: 253 | - podSelector: 254 | matchLabels: 255 | service: registryviews 256 | release: {{ .Release.Name }} 257 | heritage: {{ .Release.Service }} 258 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 259 | {{ $k }}: {{ quote $v }} 260 | {{- end }} 261 | - podSelector: 262 | matchLabels: 263 | service: scan 264 | release: {{ .Release.Name }} 265 | heritage: {{ .Release.Service }} 266 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 267 | {{ $k }}: {{ quote $v }} 268 | {{- end }} 269 | - podSelector: 270 | matchLabels: 271 | service: auth 272 | release: {{ .Release.Name }} 273 | heritage: {{ .Release.Service }} 274 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 275 | {{ $k }}: {{ quote $v }} 276 | {{- end }} 277 | - podSelector: 278 | matchLabels: 279 | service: image-scan 280 | release: {{ .Release.Name }} 281 | heritage: {{ .Release.Service }} 282 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 283 | {{ $k }}: {{ quote $v }} 284 | {{- end }} 285 | - podSelector: 286 | matchLabels: 287 | service: vulnerability-scan 288 | release: {{ .Release.Name }} 289 | heritage: {{ .Release.Service }} 290 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 291 | {{ $k }}: {{ quote $v }} 292 | {{- end }} 293 | - podSelector: 294 | matchLabels: 295 | service: metrics 296 | release: {{ .Release.Name }} 297 | heritage: {{ .Release.Service }} 298 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 299 | {{ $k }}: {{ quote $v }} 300 | {{- end }} 301 | ports: 302 | - protocol: TCP 303 | port: 5432 304 | {{- end }} 305 | {{- end -}}{{/* if not .Values.db.host */}} 306 | -------------------------------------------------------------------------------- /templates/docs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: docs 5 | labels: 6 | service: docs 7 | release: {{ .Release.Name }} 8 | heritage: {{ .Release.Service }} 9 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 10 | {{ $k }}: {{ quote $v }} 11 | {{- end }} 12 | spec: 13 | ports: 14 | - port: 8080 15 | protocol: TCP 16 | name: external 17 | selector: 18 | service: docs 19 | release: {{ .Release.Name }} 20 | 21 | --- 22 | apiVersion: apps/v1 23 | kind: Deployment 24 | metadata: 25 | name: docs 26 | labels: 27 | service: docs 28 | release: {{ .Release.Name }} 29 | heritage: {{ .Release.Service }} 30 | appVersion: {{ .Chart.AppVersion }} 31 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 32 | {{ $k }}: {{ quote $v }} 33 | {{- end }} 34 | spec: 35 | # We set revisionHistoryLimit to 0 because rollback should be done 36 | # using `helm rollback` rather than with `kubectl rollout undo`, so 37 | # we don't need to keep the old `ReplicaSet`s around. 38 | # https://kubernetes.io/docs/concepts/workloads/controllers/deployment 39 | revisionHistoryLimit: 0 40 | replicas: {{ default 1 .Values.replicas.docs }} 41 | selector: 42 | matchLabels: 43 | service: docs 44 | release: {{ .Release.Name }} 45 | template: 46 | metadata: 47 | labels: 48 | service: docs 49 | release: {{ .Release.Name }} 50 | heritage: {{ .Release.Service }} 51 | appVersion: {{ .Chart.AppVersion }} 52 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 53 | {{ $k }}: {{ quote $v }} 54 | {{- end }} 55 | spec: 56 | automountServiceAccountToken: false 57 | {{- $securityContextEnabled := .Values.securityContext.enabled }} 58 | {{- $securityContext := default .Values.securityContext.default .Values.securityContext.docs }} 59 | {{- $podSecurityContext := default .Values.securityContext.default.pod $securityContext.pod }} 60 | {{- $containerSecurityContext := default .Values.securityContext.default.container $securityContext.container }} 61 | {{- if $securityContextEnabled }} 62 | securityContext: 63 | {{ toYaml $podSecurityContext | indent 8 }} 64 | {{- end }} 65 | {{- $imageDefaults := .Values.images.defaults }} 66 | {{- with .Values.images.docs }} 67 | {{- $secret := (default (default "" $imageDefaults.imagePullSecret) .imagePullSecret) }} 68 | {{- if not (eq "" $secret) }} 69 | imagePullSecrets: 70 | - name: {{ $secret | quote }} 71 | {{- end }} 72 | containers: 73 | - name: docs 74 | {{- if $securityContextEnabled }} 75 | securityContext: 76 | {{ toYaml $containerSecurityContext | indent 12 }} 77 | {{- end }} 78 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 79 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 80 | {{- $tag := (default $imageDefaults.tag .tag) }} 81 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 82 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 83 | {{- end }} 84 | ports: 85 | - containerPort: 8080 86 | name: external 87 | # TODO probes 88 | # livenessProbe: 89 | # readinessProbe: 90 | args: [] 91 | env: [] 92 | resources: 93 | {{ toYaml (default .Values.resources.defaults .Values.resources.docs) | indent 12 }} 94 | nodeSelector: 95 | {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.docs) | indent 8 }} 96 | tolerations: 97 | {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.docs) | indent 8 }} 98 | restartPolicy: Always 99 | 100 | {{ if .Values.networkPolicy.enabled }} 101 | --- 102 | apiVersion: networking.k8s.io/v1 103 | kind: NetworkPolicy 104 | metadata: 105 | name: docs 106 | labels: 107 | service: docs 108 | release: {{ .Release.Name }} 109 | heritage: {{ .Release.Service }} 110 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 111 | {{ $k }}: {{ quote $v }} 112 | {{- end }} 113 | spec: 114 | podSelector: 115 | matchLabels: 116 | service: docs 117 | release: {{ .Release.Name }} 118 | heritage: {{ .Release.Service }} 119 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 120 | {{ $k }}: {{ quote $v }} 121 | {{- end }} 122 | policyTypes: 123 | - Ingress 124 | - Egress 125 | ingress: 126 | - from: 127 | - podSelector: 128 | matchLabels: 129 | service: proxy 130 | release: {{ .Release.Name }} 131 | heritage: {{ .Release.Service }} 132 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 133 | {{ $k }}: {{ quote $v }} 134 | {{- end }} 135 | ports: 136 | - protocol: TCP 137 | port: 8080 138 | {{- end }} 139 | -------------------------------------------------------------------------------- /templates/frontend.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: frontend 5 | labels: 6 | service: frontend 7 | release: {{ .Release.Name }} 8 | heritage: {{ .Release.Service }} 9 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 10 | {{ $k }}: {{ quote $v }} 11 | {{- end }} 12 | spec: 13 | ports: 14 | - port: 8080 15 | protocol: TCP 16 | name: external 17 | selector: 18 | service: frontend 19 | release: {{ .Release.Name }} 20 | 21 | --- 22 | apiVersion: apps/v1 23 | kind: Deployment 24 | metadata: 25 | name: frontend 26 | labels: 27 | service: frontend 28 | release: {{ .Release.Name }} 29 | heritage: {{ .Release.Service }} 30 | appVersion: {{ .Chart.AppVersion }} 31 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 32 | {{ $k }}: {{ quote $v }} 33 | {{- end }} 34 | spec: 35 | # We set revisionHistoryLimit to 0 because rollback should be done 36 | # using `helm rollback` rather than with `kubectl rollout undo`, so 37 | # we don't need to keep the old `ReplicaSet`s around. 38 | # https://kubernetes.io/docs/concepts/workloads/controllers/deployment 39 | revisionHistoryLimit: 0 40 | replicas: {{ default 1 .Values.replicas.frontend }} 41 | selector: 42 | matchLabels: 43 | service: frontend 44 | release: {{ .Release.Name }} 45 | template: 46 | metadata: 47 | labels: 48 | service: frontend 49 | release: {{ .Release.Name }} 50 | heritage: {{ .Release.Service }} 51 | appVersion: {{ .Chart.AppVersion }} 52 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 53 | {{ $k }}: {{ quote $v }} 54 | {{- end }} 55 | spec: 56 | automountServiceAccountToken: false 57 | {{- $securityContextEnabled := .Values.securityContext.enabled }} 58 | {{- $securityContext := default .Values.securityContext.default .Values.securityContext.frontend }} 59 | {{- $podSecurityContext := default .Values.securityContext.default.pod $securityContext.pod }} 60 | {{- $containerSecurityContext := default .Values.securityContext.default.container $securityContext.container }} 61 | {{- if $securityContextEnabled }} 62 | securityContext: 63 | {{ toYaml $podSecurityContext | indent 8 }} 64 | {{- end }} 65 | {{- $imageDefaults := .Values.images.defaults }} 66 | {{- with .Values.images.frontend }} 67 | {{- $secret := (default (default "" $imageDefaults.imagePullSecret) .imagePullSecret) }} 68 | {{- if not (eq "" $secret) }} 69 | imagePullSecrets: 70 | - name: {{ $secret | quote }} 71 | {{- end }} 72 | containers: 73 | - name: frontend 74 | {{- if $securityContextEnabled }} 75 | securityContext: 76 | {{ toYaml $containerSecurityContext | indent 12 }} 77 | {{- end }} 78 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 79 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 80 | {{- $tag := (default $imageDefaults.tag .tag) }} 81 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 82 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 83 | {{- end }} 84 | ports: 85 | - containerPort: 8080 86 | name: external 87 | volumeMounts: 88 | - mountPath: /var/run 89 | name: varrun 90 | - mountPath: /var/cache/nginx 91 | name: varcache 92 | # TODO probes 93 | # livenessProbe: 94 | # readinessProbe: 95 | args: [] 96 | env: [] 97 | resources: 98 | {{ toYaml (default .Values.resources.defaults .Values.resources.frontend) | indent 12 }} 99 | volumes: 100 | - name: varrun 101 | emptyDir: 102 | sizeLimit: 1Mi 103 | - name: varcache 104 | emptyDir: 105 | sizeLimit: 10Mi 106 | nodeSelector: 107 | {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.frontend) | indent 8 }} 108 | tolerations: 109 | {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.frontend) | indent 8 }} 110 | restartPolicy: Always 111 | 112 | {{ if .Values.networkPolicy.enabled }} 113 | --- 114 | apiVersion: networking.k8s.io/v1 115 | kind: NetworkPolicy 116 | metadata: 117 | name: frontend 118 | labels: 119 | service: frontend 120 | release: {{ .Release.Name }} 121 | heritage: {{ .Release.Service }} 122 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 123 | {{ $k }}: {{ quote $v }} 124 | {{- end }} 125 | spec: 126 | podSelector: 127 | matchLabels: 128 | service: frontend 129 | release: {{ .Release.Name }} 130 | heritage: {{ .Release.Service }} 131 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 132 | {{ $k }}: {{ quote $v }} 133 | {{- end }} 134 | policyTypes: 135 | - Ingress 136 | - Egress 137 | ingress: 138 | - from: 139 | - podSelector: 140 | matchLabels: 141 | service: proxy 142 | release: {{ .Release.Name }} 143 | heritage: {{ .Release.Service }} 144 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 145 | {{ $k }}: {{ quote $v }} 146 | {{- end }} 147 | ports: 148 | - protocol: TCP 149 | port: 8080 150 | {{- end }} 151 | -------------------------------------------------------------------------------- /templates/image-scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: image-scan-internal 5 | labels: 6 | service: image-scan-internal 7 | release: {{ .Release.Name }} 8 | heritage: {{ .Release.Service }} 9 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 10 | {{ $k }}: {{ quote $v }} 11 | {{- end }}{{/* range .Values.extraLabels */}} 12 | spec: 13 | ports: 14 | - port: 8081 15 | protocol: TCP 16 | name: internal 17 | selector: 18 | service: image-scan 19 | release: {{ .Release.Name }} 20 | --- 21 | {{ include "smartcheck.service.database.secret" (dict "Chart" .Chart "Values" .Values "Release" .Release "service" "openscapscan") }} 22 | --- 23 | apiVersion: apps/v1 24 | kind: Deployment 25 | metadata: 26 | name: image-scan 27 | labels: 28 | service: image-scan 29 | release: {{ .Release.Name }} 30 | heritage: {{ .Release.Service }} 31 | appVersion: {{ .Chart.AppVersion }} 32 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 33 | {{ $k }}: {{ quote $v }} 34 | {{- end }}{{/* range .Values.extraLabels */}} 35 | spec: 36 | # We set revisionHistoryLimit to 0 because rollback should be done 37 | # using `helm rollback` rather than with `kubectl rollout undo`, so 38 | # we don't need to keep the old `ReplicaSet`s around. 39 | # https://kubernetes.io/docs/concepts/workloads/controllers/deployment 40 | revisionHistoryLimit: 0 41 | replicas: {{ default 1 .Values.replicas.imageScan }} 42 | selector: 43 | matchLabels: 44 | service: image-scan 45 | release: {{ .Release.Name }} 46 | template: 47 | metadata: 48 | labels: 49 | service: image-scan 50 | release: {{ .Release.Name }} 51 | heritage: {{ .Release.Service }} 52 | appVersion: {{ .Chart.AppVersion }} 53 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 54 | {{ $k }}: {{ quote $v }} 55 | {{- end }}{{/* range .Values.extraLabels */}} 56 | spec: 57 | automountServiceAccountToken: false 58 | {{- $securityContextEnabled := .Values.securityContext.enabled }} 59 | {{- $securityContext := default .Values.securityContext.default .Values.securityContext.imageScan }} 60 | {{- if $securityContextEnabled }} 61 | securityContext: {{ toYaml (default .Values.securityContext.default.pod $securityContext.pod) | nindent 8 }} 62 | {{- end }}{{/* if $securityContextEnabled */}} 63 | initContainers: 64 | - {{ include "smartcheck.db-initcontainer" (dict "Values" .Values "Chart" .Chart "Release" .Release "service" "openscapscan") | nindent 10 | trim }} 65 | 66 | {{- $secret := (default (default "" .Values.images.defaults.imagePullSecret) .Values.images.imageScan.imagePullSecret) }} 67 | {{- if $secret }} 68 | imagePullSecrets: 69 | - name: {{ $secret | quote }} 70 | {{- end }}{{/* if $secret */}} 71 | containers: 72 | - name: sca-scan 73 | {{- if $securityContextEnabled }} 74 | securityContext: {{ toYaml (default .Values.securityContext.default.container $securityContext.scaScanContainer) | nindent 12 }} 75 | {{- end }}{{/* if $securityContextEnabled */}} 76 | {{ include "image" (dict "defaults" .Values.images.defaults "image" .Values.images.scaScan) | nindent 10 }} 77 | ports: 78 | - containerPort: 3001 79 | name: sca-scan 80 | - containerPort: 3002 81 | name: sca-health 82 | args: 83 | - --bind-port=3001 84 | - --feed-dir=/data 85 | - --root=work/ 86 | {{- if .Values.telemetry.enabled }} 87 | - --telemetry-endpoint=http://metrics-internal:8081 88 | - --license-url=http://license-internal:8081 89 | - --cloud-one-api-key={{ default "" .Values.cloudOne.apiKey }} 90 | {{- end }} 91 | env: 92 | {{- include "smartcheck.activation-code.env" . | nindent 12 }} 93 | volumeMounts: 94 | - name: work 95 | mountPath: /work 96 | readOnly: true 97 | - name: sca-feed-data 98 | mountPath: /data 99 | readOnly: true 100 | resources: {{ toYaml (default .Values.resources.defaults .Values.resources.scaScan) | nindent 12 }} 101 | 102 | - name: sca-feed-consumer 103 | {{- if $securityContextEnabled }} 104 | securityContext: {{ toYaml (default .Values.securityContext.default.container $securityContext.scaFeedConsumerContainer) | nindent 12 }} 105 | {{- end }}{{/* if $securityContextEnabled */}} 106 | {{ include "image" (dict "defaults" .Values.images.defaults "image" .Values.images.scaFeedConsumer) | nindent 10 }} 107 | args: 108 | {{- if hasKey .Values "feed" }} 109 | {{- if hasKey .Values.feed "sca" }} 110 | {{- if hasKey .Values.feed.sca "url" }} 111 | - --feed-url={{ .Values.feed.sca.url }} 112 | {{- end }}{{/* if hasKey .values.feed.sca "url" */}} 113 | {{- if hasKey .Values.feed.sca "interval" }} 114 | - --every={{ .Values.feed.sca.interval }} 115 | {{- end }}{{/* if hasKey .values.feed.sca "interval" */}} 116 | {{- end }}{{/* if hasKey .Values.feed "sca" */}} 117 | {{- end }}{{/* if hasKey .Values "feed" */}} 118 | - --feed-dir=/data 119 | - --license-url=http://license-internal:8081 120 | - --cloud-one-api-key={{ default "" .Values.cloudOne.apiKey }} 121 | env: 122 | {{- include "smartcheck.proxy.env" . | nindent 12 }} 123 | {{- include "smartcheck.activation-code.env" . | nindent 12 }} 124 | volumeMounts: 125 | - name: sca-feed-data 126 | mountPath: /data 127 | resources: {{ toYaml (default .Values.resources.defaults .Values.resources.scaFeedConsumer) | nindent 12 }} 128 | 129 | - name: openscap-scan 130 | {{- if $securityContextEnabled }} 131 | securityContext: {{ toYaml (default .Values.securityContext.default.container $securityContext.openscapScanContainer) | nindent 12 }} 132 | {{- end }}{{/* if $securityContextEnabled */}} 133 | {{ include "image" (dict "defaults" .Values.images.defaults "image" .Values.images.openscapScan) | nindent 10 }} 134 | ports: 135 | - containerPort: 3011 136 | name: openscap-scan 137 | args: 138 | - --bind-port=3011 139 | - --oval-file=/data/oval.xml 140 | - --checklist-dir=/data 141 | - --root=work/ 142 | volumeMounts: 143 | - name: oscap-temp 144 | mountPath: /tmp 145 | - name: work 146 | mountPath: /work 147 | - name: oscap-feed-data 148 | mountPath: /data 149 | readOnly: true 150 | resources: {{ toYaml (default .Values.resources.defaults .Values.resources.openscapScan) | nindent 12 }} 151 | - name: image-scan 152 | {{- if $securityContextEnabled }} 153 | securityContext: {{ toYaml (default .Values.securityContext.default.container $securityContext.imageScanContainer) | nindent 12 }} 154 | {{- end }}{{/* if $securityContextEnabled */}} 155 | {{ include "image" (dict "defaults" .Values.images.defaults "image" .Values.images.imageScan) | nindent 10 }} 156 | ports: 157 | - containerPort: 8081 158 | name: internal 159 | - containerPort: 8083 160 | name: health 161 | livenessProbe: 162 | httpGet: 163 | path: /health 164 | port: 8083 165 | initialDelaySeconds: 10 166 | timeoutSeconds: 5 167 | failureThreshold: 6 168 | readinessProbe: 169 | httpGet: 170 | path: /health 171 | port: 8083 172 | initialDelaySeconds: 10 173 | timeoutSeconds: 5 174 | failureThreshold: 6 175 | args: 176 | - --log-level=info 177 | - --internal-base=http://image-scan-internal:8081 178 | - --authorization-url=http://auth-internal:8081 179 | - --database-connection-string=postgres:postgres:// 180 | - --database-secret=$(DB_SECRET) 181 | - --scanner-url=http://localhost:3011/api/scans 182 | - --scanner-url=http://localhost:3001/api/scans 183 | env: 184 | {{- include "smartcheck.service.database.env" (dict "Chart" .Chart "Release" .Release "Values" .Values "service" "openscapscan") | nindent 12 }} 185 | {{- include "smartcheck.proxy.env" . | nindent 12 }} 186 | volumeMounts: 187 | - name: work 188 | mountPath: /work 189 | {{- include "smartcheck.db-trust-volume-mount" . | nindent 12 }} 190 | resources: {{ toYaml (default .Values.resources.defaults .Values.resources.imageScan) | nindent 12 }} 191 | 192 | - name: openscap-feed-consumer 193 | {{- if $securityContextEnabled }} 194 | securityContext: {{ toYaml (default .Values.securityContext.default.container $securityContext.feedConsumerContainer) | nindent 12 }} 195 | {{- end }}{{/* if $securityContextEnabled */}} 196 | {{ include "image" (dict "defaults" .Values.images.defaults "image" .Values.images.openscapFeedConsumer) | nindent 10 }} 197 | ports: 198 | - containerPort: 8083 199 | name: health 200 | livenessProbe: 201 | httpGet: 202 | path: /health 203 | port: 8083 204 | initialDelaySeconds: 10 205 | timeoutSeconds: 5 206 | failureThreshold: 6 207 | readinessProbe: 208 | httpGet: 209 | path: /health 210 | port: 8083 211 | initialDelaySeconds: 10 212 | timeoutSeconds: 5 213 | failureThreshold: 6 214 | args: 215 | - sync 216 | {{- if hasKey .Values "feed" }} 217 | {{- if hasKey .Values.feed "openscap" }} 218 | {{- if hasKey .Values.feed.openscap "url" }} 219 | - --feed-url={{ .Values.feed.openscap.url }} 220 | {{- end }}{{/* if hasKey .values.feed.openscap "url" */}} 221 | {{- if hasKey .Values.feed.openscap "interval" }} 222 | - --every={{ .Values.feed.openscap.interval }} 223 | {{- end }}{{/* if hasKey .values.feed.openscap "interval" */}} 224 | {{- end }}{{/* if hasKey .Values.feed "openscap" */}} 225 | {{- end }}{{/* if hasKey .Values "feed" */}} 226 | - --authorization-token=$(ACTIVATION_CODE) 227 | - --license-url=http://license-internal:8081 228 | - --cloud-one-api-key={{ default "" .Values.cloudOne.apiKey }} 229 | - --initial-oval-file=/initial-oval.xml 230 | - --initial-checklists-directory=/initial-checklists 231 | env: 232 | {{- include "smartcheck.proxy.env" . | nindent 12 }} 233 | {{- include "smartcheck.activation-code.env" . | nindent 12 }} 234 | volumeMounts: 235 | - name: oscap-feed-data 236 | mountPath: /data 237 | resources: {{ toYaml (default .Values.resources.defaults .Values.resources.openscapFeedConsumer) | nindent 12 }} 238 | nodeSelector: {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.imageScan) | nindent 8 }} 239 | tolerations: {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.imageScan) | nindent 8 }} 240 | restartPolicy: Always 241 | volumes: 242 | - name: oscap-temp 243 | emptyDir: {} 244 | - name: oscap-feed-data 245 | emptyDir: 246 | sizeLimit: {{ default "1Gi" .Values.scan.openscap.dataVolume.sizeLimit | quote }} 247 | - name: sca-feed-data 248 | emptyDir: 249 | sizeLimit: {{ default "1Gi" .Values.scan.sca.dataVolume.sizeLimit | quote }} 250 | - name: work 251 | emptyDir: 252 | sizeLimit: {{ default "5Gi" .Values.scan.openscap.workVolume.sizeLimit | quote }} 253 | {{- include "smartcheck.db-trust-volume" . | nindent 8 }} 254 | 255 | {{ if .Values.networkPolicy.enabled }} 256 | --- 257 | apiVersion: networking.k8s.io/v1 258 | kind: NetworkPolicy 259 | metadata: 260 | name: image-scan 261 | labels: 262 | service: image-scan 263 | release: {{ .Release.Name }} 264 | heritage: {{ .Release.Service }} 265 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 266 | {{ $k }}: {{ quote $v }} 267 | {{- end }}{{/* range .Values.extraLabels */}} 268 | spec: 269 | podSelector: 270 | matchLabels: 271 | service: image-scan 272 | release: {{ .Release.Name }} 273 | heritage: {{ .Release.Service }} 274 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 275 | {{ $k }}: {{ quote $v }} 276 | {{- end }}{{/* range .Values.extraLabels */}} 277 | policyTypes: 278 | - Ingress 279 | - Egress 280 | ingress: 281 | - from: 282 | - podSelector: 283 | matchLabels: 284 | service: scan 285 | release: {{ .Release.Name }} 286 | heritage: {{ .Release.Service }} 287 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 288 | {{ $k }}: {{ quote $v }} 289 | {{- end }}{{/* range .Values.extraLabels */}} 290 | - podSelector: 291 | matchLabels: 292 | service: license 293 | release: {{ .Release.Name }} 294 | heritage: {{ .Release.Service }} 295 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 296 | {{ $k }}: {{ quote $v }} 297 | {{- end }}{{/* range .Values.extraLabels */}} 298 | ports: 299 | - protocol: TCP 300 | port: 8081 301 | - from: # any -- this is for metrics 302 | ports: 303 | - protocol: TCP 304 | port: 8082 305 | - from: # any -- this should just be kubelet for health probes 306 | ports: 307 | - protocol: TCP 308 | port: 8083 309 | egress: 310 | {{- include "smartcheck.to-dns-networkpolicy" . | nindent 4 }} 311 | {{- include "smartcheck.to-db-networkpolicy" . | nindent 4 }} 312 | {{- include "smartcheck.to-internal-service-networkpolicy" (dict "Release" .Release "Values" .Values "services" (list "scan" "metrics" "license")) | nindent 4 }} 313 | # allow egress for feed consumer 314 | - to: # any 315 | ports: 316 | - protocol: TCP 317 | port: 80 318 | - protocol: TCP 319 | port: 443 320 | {{- include "smartcheck.networkpolicy.outbound" . | nindent 4 }} 321 | {{- end }}{{/* if .Values.networkPolicy.enabled */}} 322 | -------------------------------------------------------------------------------- /templates/license.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: license 5 | labels: 6 | service: license 7 | release: {{ .Release.Name }} 8 | heritage: {{ .Release.Service }} 9 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 10 | {{ $k }}: {{ quote $v }} 11 | {{- end }} 12 | spec: 13 | ports: 14 | - port: 8080 15 | protocol: TCP 16 | name: external 17 | selector: 18 | service: license 19 | release: {{ .Release.Name }} 20 | 21 | --- 22 | apiVersion: v1 23 | kind: Service 24 | metadata: 25 | name: license-internal 26 | labels: 27 | service: license-internal 28 | release: {{ .Release.Name }} 29 | heritage: {{ .Release.Service }} 30 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 31 | {{ $k }}: {{ quote $v }} 32 | {{- end }} 33 | spec: 34 | ports: 35 | - port: 8081 36 | protocol: TCP 37 | name: internal 38 | selector: 39 | service: license 40 | release: {{ .Release.Name }} 41 | 42 | --- 43 | apiVersion: apps/v1 44 | kind: Deployment 45 | metadata: 46 | name: license 47 | labels: 48 | service: license 49 | release: {{ .Release.Name }} 50 | heritage: {{ .Release.Service }} 51 | appVersion: {{ .Chart.AppVersion }} 52 | metrics: include 53 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 54 | {{ $k }}: {{ quote $v }} 55 | {{- end }} 56 | spec: 57 | # We set revisionHistoryLimit to 0 because rollback should be done 58 | # using `helm rollback` rather than with `kubectl rollout undo`, so 59 | # we don't need to keep the old `ReplicaSet`s around. 60 | # https://kubernetes.io/docs/concepts/workloads/controllers/deployment 61 | revisionHistoryLimit: 0 62 | replicas: {{ default 1 .Values.replicas.license }} 63 | selector: 64 | matchLabels: 65 | service: license 66 | release: {{ .Release.Name }} 67 | template: 68 | metadata: 69 | labels: 70 | service: license 71 | release: {{ .Release.Name }} 72 | heritage: {{ .Release.Service }} 73 | appVersion: {{ .Chart.AppVersion }} 74 | metrics: include 75 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 76 | {{ $k }}: {{ quote $v }} 77 | {{- end }} 78 | spec: 79 | automountServiceAccountToken: false 80 | {{- $securityContextEnabled := .Values.securityContext.enabled }} 81 | {{- $securityContext := default .Values.securityContext.default .Values.securityContext.license }} 82 | {{- $podSecurityContext := default .Values.securityContext.default.pod $securityContext.pod }} 83 | {{- $containerSecurityContext := default .Values.securityContext.default.container $securityContext.container }} 84 | {{- if $securityContextEnabled }} 85 | securityContext: 86 | {{ toYaml $podSecurityContext | indent 8 }} 87 | {{- end }} 88 | {{- $imageDefaults := .Values.images.defaults }} 89 | {{- with .Values.images.license }} 90 | {{- $secret := (default (default "" $imageDefaults.imagePullSecret) .imagePullSecret) }} 91 | {{- if not (eq "" $secret) }} 92 | imagePullSecrets: 93 | - name: {{ $secret }} 94 | {{- end }} 95 | containers: 96 | - name: license 97 | {{- if $securityContextEnabled }} 98 | securityContext: 99 | {{ toYaml $containerSecurityContext | indent 12 }} 100 | {{- end }} 101 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 102 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 103 | {{- $tag := (default $imageDefaults.tag .tag) }} 104 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 105 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 106 | {{- end }} 107 | ports: 108 | - containerPort: 8080 109 | name: external 110 | - containerPort: 8081 111 | name: internal 112 | - containerPort: 8082 113 | name: metrics 114 | - containerPort: 8083 115 | name: health 116 | livenessProbe: 117 | httpGet: 118 | path: /health 119 | port: 8083 120 | initialDelaySeconds: 10 121 | timeoutSeconds: 5 122 | failureThreshold: 6 123 | readinessProbe: 124 | httpGet: 125 | path: /health 126 | port: 8083 127 | initialDelaySeconds: 10 128 | timeoutSeconds: 5 129 | failureThreshold: 6 130 | args: 131 | - --internal-base=http://license-internal:8081 132 | - --authorization-url=http://auth-internal:8081 133 | - --cloud-one-endpoint={{ default "" .Values.cloudOne.endpoint }} 134 | - --cloud-one-api-key={{ default "" .Values.cloudOne.apiKey }} 135 | - --use-strict-transport-security=true 136 | - --use-strict-transport-security-includes-subdomains=false 137 | - --use-strict-transport-security-includes-preload=false 138 | {{- if .Values.telemetry.enabled }} 139 | - --telemetry-endpoint=http://metrics-internal:8081 140 | {{- end }} 141 | {{if .Values.scan.malwareScan.enabled}} 142 | - --malware-scan-enabled=true 143 | {{end}} 144 | env: 145 | {{- include "smartcheck.proxy.env" . | nindent 12 }} 146 | {{- include "smartcheck.activation-code.env" . | nindent 12 }} 147 | resources: 148 | {{ toYaml (default .Values.resources.defaults .Values.resources.license) | indent 12 }} 149 | volumeMounts: 150 | - name: activation-code 151 | mountPath: /data/license 152 | volumes: 153 | - name: activation-code 154 | secret: 155 | secretName: {{ template "smartcheck.fullname" . }}-activation-code 156 | items: 157 | - key: code 158 | path: code 159 | nodeSelector: 160 | {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.license) | indent 8 }} 161 | tolerations: 162 | {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.license) | indent 8 }} 163 | restartPolicy: Always 164 | 165 | {{ if .Values.networkPolicy.enabled }} 166 | --- 167 | apiVersion: networking.k8s.io/v1 168 | kind: NetworkPolicy 169 | metadata: 170 | name: license 171 | labels: 172 | service: license 173 | release: {{ .Release.Name }} 174 | heritage: {{ .Release.Service }} 175 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 176 | {{ $k }}: {{ quote $v }} 177 | {{- end }} 178 | spec: 179 | podSelector: 180 | matchLabels: 181 | service: license 182 | release: {{ .Release.Name }} 183 | heritage: {{ .Release.Service }} 184 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 185 | {{ $k }}: {{ quote $v }} 186 | {{- end }} 187 | policyTypes: 188 | - Ingress 189 | - Egress 190 | ingress: 191 | - from: 192 | - podSelector: 193 | matchLabels: 194 | service: proxy 195 | release: {{ .Release.Name }} 196 | heritage: {{ .Release.Service }} 197 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 198 | {{ $k }}: {{ quote $v }} 199 | {{- end }} 200 | ports: 201 | - protocol: TCP 202 | port: 8080 203 | - from: 204 | - podSelector: 205 | matchLabels: 206 | service: registryviews 207 | release: {{ .Release.Name }} 208 | heritage: {{ .Release.Service }} 209 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 210 | {{ $k }}: {{ quote $v }} 211 | {{- end }} 212 | - podSelector: 213 | matchLabels: 214 | service: malware-scan 215 | release: {{ .Release.Name }} 216 | heritage: {{ .Release.Service }} 217 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 218 | {{ $k }}: {{ quote $v }} 219 | {{- end }} 220 | - podSelector: 221 | matchLabels: 222 | service: scan 223 | release: {{ .Release.Name }} 224 | heritage: {{ .Release.Service }} 225 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 226 | {{ $k }}: {{ quote $v }} 227 | {{- end }} 228 | - podSelector: 229 | matchLabels: 230 | service: image-scan 231 | release: {{ .Release.Name }} 232 | heritage: {{ .Release.Service }} 233 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 234 | {{ $k }}: {{ quote $v }} 235 | {{- end }} 236 | - podSelector: 237 | matchLabels: 238 | service: metrics 239 | release: {{ .Release.Name }} 240 | heritage: {{ .Release.Service }} 241 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 242 | {{ $k }}: {{ quote $v }} 243 | {{- end }} 244 | ports: 245 | - protocol: TCP 246 | port: 8081 247 | - from: # any -- this is for metrics 248 | ports: 249 | - protocol: TCP 250 | port: 8082 251 | - from: # any -- this should just be kubelet for health probes 252 | ports: 253 | - protocol: TCP 254 | port: 8083 255 | egress: 256 | {{- include "smartcheck.to-internal-service-networkpolicy" (dict "Release" .Release "Values" .Values "services" (list "auth" "metrics")) | nindent 4 }} 257 | - to: # any 258 | ports: 259 | - protocol: TCP 260 | port: 53 261 | - protocol: UDP 262 | port: 53 263 | - to: # any 264 | ports: 265 | - protocol: TCP 266 | port: 80 267 | - to: # any 268 | ports: 269 | - protocol: TCP 270 | port: 443 271 | {{- include "smartcheck.networkpolicy.outbound" . | nindent 4 }} 272 | {{- end }} 273 | -------------------------------------------------------------------------------- /templates/malware-scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: malware-scan-internal 5 | labels: 6 | service: malware-scan 7 | release: {{ .Release.Name }} 8 | heritage: {{ .Release.Service }} 9 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 10 | {{ $k }}: {{ quote $v }} 11 | {{- end }} 12 | spec: 13 | ports: 14 | - port: 8081 15 | targetPort: 8081 16 | protocol: TCP 17 | name: internal 18 | selector: 19 | service: malware-scan 20 | release: {{ .Release.Name }} 21 | 22 | --- 23 | apiVersion: apps/v1 24 | kind: Deployment 25 | metadata: 26 | name: malware-scan 27 | labels: 28 | service: malware-scan 29 | release: {{ .Release.Name }} 30 | heritage: {{ .Release.Service }} 31 | appVersion: {{ .Chart.AppVersion }} 32 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 33 | {{ $k }}: {{ quote $v }} 34 | {{- end }} 35 | spec: 36 | # We set revisionHistoryLimit to 0 because rollback should be done 37 | # using `helm rollback` rather than with `kubectl rollout undo`, so 38 | # we don't need to keep the old `ReplicaSet`s around. 39 | # https://kubernetes.io/docs/concepts/workloads/controllers/deployment 40 | revisionHistoryLimit: 0 41 | replicas: {{ default 1 .Values.replicas.malwareScan }} 42 | selector: 43 | matchLabels: 44 | service: malware-scan 45 | release: {{ .Release.Name }} 46 | template: 47 | metadata: 48 | labels: 49 | service: malware-scan 50 | release: {{ .Release.Name }} 51 | heritage: {{ .Release.Service }} 52 | appVersion: {{ .Chart.AppVersion }} 53 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 54 | {{ $k }}: {{ quote $v }} 55 | {{- end }} 56 | spec: 57 | automountServiceAccountToken: false 58 | {{- $securityContextEnabled := .Values.securityContext.enabled }} 59 | {{- $securityContext := default .Values.securityContext.default .Values.securityContext.malwareScan }} 60 | {{- $podSecurityContext := default .Values.securityContext.default.pod $securityContext.pod }} 61 | {{- $containerSecurityContext := default .Values.securityContext.default.container $securityContext.container }} 62 | {{- if $securityContextEnabled }} 63 | securityContext: 64 | {{ toYaml $podSecurityContext | indent 8 }} 65 | {{- end }} 66 | {{- $imageDefaults := .Values.images.defaults }} 67 | {{- with .Values.images.malwareScan }} 68 | {{- $secret := (default (default "" $imageDefaults.imagePullSecret) .imagePullSecret) }} 69 | {{- if not (eq "" $secret) }} 70 | imagePullSecrets: 71 | - name: {{ $secret | quote }} 72 | {{- end }} 73 | containers: 74 | - name: malware-scan 75 | {{- if $securityContextEnabled }} 76 | securityContext: 77 | {{ toYaml $containerSecurityContext | indent 12 }} 78 | {{- end }} 79 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 80 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 81 | {{- $tag := (default $imageDefaults.tag .tag) }} 82 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 83 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 84 | {{- end }} 85 | ports: 86 | - containerPort: 8081 87 | name: internal 88 | # TODO probes 89 | # livenessProbe: 90 | # readinessProbe: 91 | args: 92 | - --license-url=http://license-internal:8081 93 | env: 94 | {{- include "smartcheck.proxy.env" . | nindent 12 }} 95 | - name: APPLICATION_VERSION 96 | value: {{ .Chart.Version | quote }} 97 | # prefix of icrc/trendx scan engine core file 98 | - name: COREFILE_PATTERN 99 | value: {{ default "core*" .Values.malwareScan.coreFilePattern }} 100 | # minimum size of icrc scan engine core file 101 | - name: TOTAL_CORE_FILES_SIZE 102 | value: {{ default "200Mi" .Values.malwareScan.totalCoreFilesSize | quote }} 103 | {{ if .Values.malwareScan.verbose.icrc }} 104 | - name: VERBOSE_ICRC 105 | value: "1" 106 | {{- end }} 107 | {{ if .Values.malwareScan.verbose.trendx }} 108 | - name: VERBOSE_TRX 109 | value: "1" 110 | {{- end }} 111 | volumeMounts: 112 | - name: tmp 113 | mountPath: /tmp 114 | resources: 115 | {{ toYaml (default .Values.resources.defaults .Values.resources.malwareScan) | indent 12 }} 116 | volumes: 117 | - name: tmp 118 | emptyDir: 119 | sizeLimit: {{ default "500Mi" .Values.malwareScan.workVolume.sizeLimit | quote }} 120 | nodeSelector: 121 | {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.malwareScan) | indent 8 }} 122 | tolerations: 123 | {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.malwareScan) | indent 8 }} 124 | restartPolicy: Always 125 | 126 | {{ if .Values.networkPolicy.enabled }} 127 | --- 128 | apiVersion: networking.k8s.io/v1 129 | kind: NetworkPolicy 130 | metadata: 131 | name: malware-scan 132 | labels: 133 | service: malware-scan 134 | release: {{ .Release.Name }} 135 | heritage: {{ .Release.Service }} 136 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 137 | {{ $k }}: {{ quote $v }} 138 | {{- end }} 139 | spec: 140 | podSelector: 141 | matchLabels: 142 | service: malware-scan 143 | release: {{ .Release.Name }} 144 | heritage: {{ .Release.Service }} 145 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 146 | {{ $k }}: {{ quote $v }} 147 | {{- end }} 148 | policyTypes: 149 | - Ingress 150 | - Egress 151 | ingress: 152 | - from: 153 | - podSelector: 154 | matchLabels: 155 | service: scan 156 | release: {{ .Release.Name }} 157 | heritage: {{ .Release.Service }} 158 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 159 | {{ $k }}: {{ quote $v }} 160 | {{- end }} 161 | ports: 162 | - protocol: TCP 163 | port: 8081 164 | egress: 165 | - to: 166 | - podSelector: 167 | matchLabels: 168 | service: license 169 | release: {{ .Release.Name }} 170 | heritage: {{ .Release.Service }} 171 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 172 | {{ $k }}: {{ quote $v }} 173 | {{- end }} 174 | ports: 175 | - protocol: TCP 176 | port: 8081 177 | - to: # any 178 | ports: 179 | - protocol: TCP 180 | port: 53 181 | - protocol: UDP 182 | port: 53 183 | - to: # any 184 | ports: 185 | - protocol: TCP 186 | port: 443 187 | - to: # any - TODO do we really need port 80? What is served on port 80? 188 | ports: 189 | - protocol: TCP 190 | port: 80 191 | {{- include "smartcheck.networkpolicy.outbound" . | nindent 4 }} 192 | {{- end }} 193 | -------------------------------------------------------------------------------- /templates/metrics.yaml: -------------------------------------------------------------------------------- 1 | {{ if (and .Values.tasks.metricsCollector.enabled .Values.tasks.metricsReporter.enabled) }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: metrics 6 | labels: 7 | service: metrics 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 11 | {{ $k }}: {{ quote $v }} 12 | {{- end }} 13 | spec: 14 | ports: 15 | - name: metrics 16 | port: 8082 17 | protocol: TCP 18 | targetPort: 8082 19 | selector: 20 | metrics: include 21 | release: {{ .Release.Name }} 22 | heritage: {{ .Release.Service }} 23 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 24 | {{ $k }}: {{ quote $v }} 25 | {{- end }} 26 | type: ClusterIP 27 | clusterIP: None 28 | sessionAffinity: None 29 | --- 30 | apiVersion: v1 31 | kind: Service 32 | metadata: 33 | name: metrics-internal 34 | labels: 35 | service: metrics 36 | release: {{ .Release.Name }} 37 | heritage: {{ .Release.Service }} 38 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 39 | {{ $k }}: {{ quote $v }} 40 | {{- end }} 41 | spec: 42 | type: ClusterIP 43 | ports: 44 | - port: 8081 45 | protocol: TCP 46 | targetPort: 8081 47 | name: metrics 48 | selector: 49 | service: metrics 50 | release: {{ .Release.Name }} 51 | --- 52 | {{ include "smartcheck.service.database.secret" (dict "Chart" .Chart "Values" .Values "Release" .Release "service" "metrics") }} 53 | --- 54 | apiVersion: v1 55 | kind: Secret 56 | metadata: 57 | name: {{ template "smartcheck.fullname" . }}-metrics 58 | labels: 59 | app: {{ template "smartcheck.name" . }} 60 | release: "{{ .Release.Name }}" 61 | heritage: "{{ .Release.Service }}" 62 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 63 | {{ $k }}: {{ quote $v }} 64 | {{- end }} 65 | type: Opaque 66 | data: 67 | apiKey: {{ default "" .Values.telemetry.apiKey | b64enc | quote }} 68 | publicKey: {{ default "" .Values.telemetry.publicKey | b64enc | quote }} 69 | --- 70 | apiVersion: apps/v1 71 | kind: Deployment 72 | metadata: 73 | name: metrics 74 | labels: 75 | service: metrics 76 | release: {{ .Release.Name }} 77 | heritage: {{ .Release.Service }} 78 | appVersion: {{ .Chart.AppVersion }} 79 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 80 | {{ $k }}: {{ quote $v }} 81 | {{- end }} 82 | spec: 83 | # We set revisionHistoryLimit to 0 because rollback should be done 84 | # using `helm rollback` rather than with `kubectl rollout undo`, so 85 | # we don't need to keep the old `ReplicaSet`s around. 86 | # https://kubernetes.io/docs/concepts/workloads/controllers/deployment 87 | revisionHistoryLimit: 0 88 | # Intentionally don't want to support multiple replicas here 89 | replicas: 1 90 | selector: 91 | matchLabels: 92 | service: metrics 93 | release: {{ .Release.Name }} 94 | template: 95 | metadata: 96 | labels: 97 | service: metrics 98 | release: {{ .Release.Name }} 99 | heritage: {{ .Release.Service }} 100 | appVersion: {{ .Chart.AppVersion }} 101 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 102 | {{ $k }}: {{ quote $v }} 103 | {{- end }} 104 | spec: 105 | serviceAccountName: {{ template "smartcheck.fullname" . }}-metrics-collector 106 | automountServiceAccountToken: true 107 | {{- $securityContextEnabled := .Values.securityContext.enabled }} 108 | {{- $securityContext := default .Values.securityContext.default .Values.securityContext.metricsCollector }} 109 | {{- $podSecurityContext := default .Values.securityContext.default.pod $securityContext.pod }} 110 | {{- $containerSecurityContext := default .Values.securityContext.default.container $securityContext.container }} 111 | {{- if $securityContextEnabled }} 112 | securityContext: {{ toYaml $podSecurityContext | nindent 8 }} 113 | {{- end }} 114 | initContainers: 115 | - {{ include "smartcheck.db-initcontainer" (dict "Values" .Values "Chart" .Chart "Release" .Release "service" "metrics") | nindent 10 | trim }} 116 | 117 | {{- $imageDefaults := .Values.images.defaults }} 118 | {{- with .Values.images.metrics }} 119 | {{- $secret := (default (default "" $imageDefaults.imagePullSecret) .imagePullSecret) }} 120 | {{- if not (eq "" $secret) }} 121 | imagePullSecrets: 122 | - name: {{ $secret | quote }} 123 | {{- end }} 124 | containers: 125 | - name: metrics 126 | {{- if $securityContextEnabled }} 127 | securityContext: {{ toYaml $containerSecurityContext | nindent 12 }} 128 | {{- end }} 129 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 130 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 131 | {{- $tag := (default $imageDefaults.tag .tag) }} 132 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 133 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 134 | {{- end }} 135 | args: 136 | - run 137 | - --namespace={{ .Release.Namespace }} 138 | - --metrics-service=metrics 139 | - --metrics-directory=/data/metrics 140 | - --activation-code=$(ACTIVATION_CODE) 141 | - --application-name=ZA 142 | - --product-code=DK 143 | - --service=ALL 144 | - --report-format=DSSC 145 | - --report-format-version=1.0 146 | - --target-url=$(TARGET_URL) 147 | - --metrics-directory=/data/metrics 148 | - --application-version=$(APPLICATION_VERSION) 149 | - --license-url=http://license-internal:8081 150 | - --flush 151 | {{- if .Values.telemetry.enabled }} 152 | - --telemetry-endpoint={{ .Values.telemetry.endpoint }} 153 | - --telemetry-interval={{ .Values.telemetry.interval }} 154 | - --telemetry-api-key={{ default "" .Values.telemetry.apiKey }} 155 | {{- if .Values.telemetry.publicKey }} 156 | - --telemetry-key-file=/telemetry/key.pem 157 | {{- end }}{{/* .Values.telemetry.publicKey */}} 158 | {{- end }}{{/* .Values.telemetry.enabled */}} 159 | env: 160 | - name: APPLICATION_VERSION 161 | value: {{ .Chart.Version | quote }} 162 | - name: TARGET_URL 163 | value: {{ .Values.tasks.metricsReporter.url }} 164 | {{- include "smartcheck.service.database.env" (dict "Chart" .Chart "Release" .Release "Values" .Values "service" "metrics") | nindent 12 }} 165 | {{- include "smartcheck.activation-code.env" . | nindent 12 }} 166 | {{- include "smartcheck.proxy.env" . | nindent 12 }} 167 | volumeMounts: 168 | - name: data 169 | mountPath: /data 170 | {{ include "smartcheck.db-trust-volume-mount" . | nindent 12 }} 171 | {{- if .Values.telemetry.publicKey }} 172 | - name: telemetry-secret 173 | mountPath: /telemetry 174 | {{- end }}{{/* .Values.telemetry.publicKey */}} 175 | resources: {{ toYaml (default .Values.resources.defaults .Values.resources.metrics) | nindent 12 }} 176 | volumes: 177 | - name: data 178 | emptyDir: {} 179 | {{- if .Values.telemetry.publicKey }} 180 | - name: telemetry-secret 181 | secret: 182 | secretName: {{ template "smartcheck.fullname" . }}-metrics 183 | items: 184 | - key: publicKey 185 | path: key.pem 186 | {{- end }}{{/* .Values.telemetry.publicKey */}} 187 | {{- include "smartcheck.db-trust-volume" . | nindent 8 }} 188 | restartPolicy: Always 189 | nodeSelector: {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.metrics) | nindent 8 }} 190 | tolerations: {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.metrics) | nindent 8 }} 191 | {{ if .Values.networkPolicy.enabled }} 192 | --- 193 | apiVersion: networking.k8s.io/v1 194 | kind: NetworkPolicy 195 | metadata: 196 | name: metrics 197 | labels: 198 | service: metrics 199 | release: {{ .Release.Name }} 200 | heritage: {{ .Release.Service }} 201 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 202 | {{ $k }}: {{ quote $v }} 203 | {{- end }} 204 | spec: 205 | podSelector: 206 | matchLabels: 207 | service: metrics 208 | release: {{ .Release.Name }} 209 | heritage: {{ .Release.Service }} 210 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 211 | {{ $k }}: {{ quote $v }} 212 | {{- end }} 213 | policyTypes: 214 | - Ingress 215 | - Egress 216 | ingress: 217 | - from: 218 | # Allow any pod in the application to send telemetry events 219 | - podSelector: 220 | matchLabels: 221 | release: {{ .Release.Name }} 222 | heritage: {{ .Release.Service }} 223 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 224 | {{ $k }}: {{ quote $v }} 225 | {{- end }} 226 | ports: 227 | - protocol: TCP 228 | port: 8081 229 | egress: 230 | - to: 231 | - podSelector: 232 | matchLabels: 233 | service: license 234 | release: {{ .Release.Name }} 235 | heritage: {{ .Release.Service }} 236 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 237 | {{ $k }}: {{ quote $v }} 238 | {{- end }} 239 | ports: 240 | - protocol: TCP 241 | port: 8081 242 | - to: 243 | - podSelector: 244 | matchLabels: 245 | metrics: include 246 | release: {{ .Release.Name }} 247 | heritage: {{ .Release.Service }} 248 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 249 | {{ $k }}: {{ quote $v }} 250 | {{- end }} 251 | ports: 252 | - protocol: TCP 253 | port: 8082 254 | - to: # any 255 | ports: 256 | - protocol: TCP 257 | port: 443 258 | - protocol: TCP 259 | port: 80 260 | {{- include "smartcheck.to-dns-networkpolicy" . | nindent 4 }} 261 | {{- include "smartcheck.to-db-networkpolicy" . | nindent 4 }} 262 | {{- include "smartcheck.networkpolicy.outbound" . | nindent 4 }} 263 | {{- end }}{{/* if .Values.networkPolicy.enabled */}} 264 | --- 265 | apiVersion: v1 266 | kind: ServiceAccount 267 | metadata: 268 | name: {{ template "smartcheck.fullname" . }}-metrics-collector 269 | labels: 270 | task: metrics-collector 271 | release: {{ .Release.Name }} 272 | heritage: {{ .Release.Service }} 273 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 274 | {{ $k }}: {{ quote $v }} 275 | {{- end }} 276 | --- 277 | apiVersion: rbac.authorization.k8s.io/v1 278 | kind: Role 279 | metadata: 280 | name: {{ template "smartcheck.fullname" . }}-metrics-collector-role 281 | labels: 282 | task: metrics-collector 283 | release: {{ .Release.Name }} 284 | heritage: {{ .Release.Service }} 285 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 286 | {{ $k }}: {{ quote $v }} 287 | {{- end }} 288 | rules: 289 | - apiGroups: [""] 290 | resources: ["endpoints"] 291 | verbs: ["get"] 292 | - apiGroups: [""] 293 | resources: ["pods"] 294 | verbs: ["list"] 295 | --- 296 | apiVersion: rbac.authorization.k8s.io/v1 297 | kind: RoleBinding 298 | metadata: 299 | name: {{ template "smartcheck.fullname" . }}-metrics-collector-role-binding 300 | labels: 301 | task: metrics-collector 302 | release: {{ .Release.Name }} 303 | heritage: {{ .Release.Service }} 304 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 305 | {{ $k }}: {{ quote $v }} 306 | {{- end }} 307 | subjects: 308 | - kind: ServiceAccount 309 | name: {{ template "smartcheck.fullname" . }}-metrics-collector 310 | namespace: {{ .Release.Namespace }} 311 | roleRef: 312 | kind: Role 313 | name: {{ template "smartcheck.fullname" . }}-metrics-collector-role 314 | apiGroup: rbac.authorization.k8s.io 315 | 316 | {{ end }}{{/* if (and .Values.tasks.metricsCollector.enabled .Values.tasks.metricsReporter.enabled) */}} 317 | -------------------------------------------------------------------------------- /templates/outbound-proxy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ template "smartcheck.fullname" . }}-outbound-proxy 5 | labels: 6 | service: {{ template "smartcheck.fullname" . }}-outbound-proxy 7 | release: {{ .Release.Name }} 8 | heritage: {{ .Release.Service }} 9 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 10 | {{ $k }}: {{ quote $v }} 11 | {{- end }} 12 | data: 13 | httpProxy: {{ quote (default "" .Values.proxy.httpProxy) }} 14 | httpsProxy: {{ quote (default "" .Values.proxy.httpsProxy) }} 15 | noProxy: {{ (append (default (list) .Values.proxy.noProxy) "scan-internal") | join "," | quote }} 16 | --- 17 | apiVersion: v1 18 | kind: Secret 19 | metadata: 20 | name: {{ template "smartcheck.fullname" . }}-outbound-proxy-credentials 21 | labels: 22 | app: {{ template "smartcheck.name" . }} 23 | release: "{{ .Release.Name }}" 24 | heritage: "{{ .Release.Service }}" 25 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 26 | {{ $k }}: {{ quote $v }} 27 | {{- end }} 28 | type: Opaque 29 | data: 30 | username: {{ default "" .Values.proxy.username | toString | b64enc | quote }} 31 | password: {{ default "" .Values.proxy.password | toString | b64enc | quote }} 32 | -------------------------------------------------------------------------------- /templates/proxy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: proxy 5 | annotations: 6 | {{ toYaml .Values.service.annotations | indent 4 | trim }} 7 | labels: 8 | service: proxy 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 12 | {{ $k }}: {{ quote $v }} 13 | {{- end }} 14 | spec: 15 | type: {{ default "LoadBalancer" .Values.service.type }} 16 | ports: 17 | - port: {{ default 443 .Values.service.httpsPort }} 18 | targetPort: 8443 19 | protocol: TCP 20 | name: https 21 | - port: {{ default 80 .Values.service.httpPort }} 22 | targetPort: 8080 23 | protocol: TCP 24 | name: http 25 | {{ if .Values.registry.enabled }} 26 | - port: {{ default 5000 .Values.service.registryPort }} 27 | targetPort: 5000 28 | protocol: TCP 29 | name: registryhttps 30 | {{- end }} 31 | 32 | {{- if .Values.service.loadBalancerSourceRanges }} 33 | loadBalancerSourceRanges: 34 | {{- range $cidr := .Values.service.loadBalancerSourceRanges }} 35 | - {{ $cidr | quote }} 36 | {{- end }} 37 | {{- end }} 38 | 39 | selector: 40 | service: proxy 41 | release: {{ .Release.Name }} 42 | 43 | --- 44 | apiVersion: apps/v1 45 | kind: Deployment 46 | metadata: 47 | name: proxy 48 | labels: 49 | service: proxy 50 | release: {{ .Release.Name }} 51 | heritage: {{ .Release.Service }} 52 | appVersion: {{ .Chart.AppVersion }} 53 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 54 | {{ $k }}: {{ quote $v }} 55 | {{- end }} 56 | spec: 57 | # We set revisionHistoryLimit to 0 because rollback should be done 58 | # using `helm rollback` rather than with `kubectl rollout undo`, so 59 | # we don't need to keep the old `ReplicaSet`s around. 60 | # https://kubernetes.io/docs/concepts/workloads/controllers/deployment 61 | revisionHistoryLimit: 0 62 | replicas: {{ default 1 .Values.replicas.proxy }} 63 | selector: 64 | matchLabels: 65 | service: proxy 66 | release: {{ .Release.Name }} 67 | template: 68 | metadata: 69 | labels: 70 | service: proxy 71 | release: {{ .Release.Name }} 72 | heritage: {{ .Release.Service }} 73 | appVersion: {{ .Chart.AppVersion }} 74 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 75 | {{ $k }}: {{ quote $v }} 76 | {{- end }} 77 | spec: 78 | automountServiceAccountToken: false 79 | {{- $securityContextEnabled := .Values.securityContext.enabled }} 80 | {{- $securityContext := default .Values.securityContext.default .Values.securityContext.proxy }} 81 | {{- $podSecurityContext := default .Values.securityContext.default.pod $securityContext.pod }} 82 | {{- $containerSecurityContext := default .Values.securityContext.default.container $securityContext.container }} 83 | {{- if $securityContextEnabled }} 84 | securityContext: 85 | {{ toYaml $podSecurityContext | indent 8 }} 86 | {{- end }} 87 | {{- $imageDefaults := .Values.images.defaults }} 88 | {{- with .Values.images.proxy }} 89 | {{- $secret := (default (default "" $imageDefaults.imagePullSecret) .imagePullSecret) }} 90 | {{- if not (eq "" $secret) }} 91 | imagePullSecrets: 92 | - name: {{ $secret | quote }} 93 | {{- end }} 94 | containers: 95 | - name: proxy 96 | {{- if $securityContextEnabled }} 97 | securityContext: 98 | {{ toYaml $containerSecurityContext | indent 12 }} 99 | {{- end }} 100 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 101 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 102 | {{- $tag := (default $imageDefaults.tag .tag) }} 103 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 104 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 105 | {{- end }} 106 | ports: 107 | - containerPort: 8080 108 | name: http 109 | - containerPort: 8443 110 | name: https 111 | {{- if .Values.registry.enabled }} 112 | - containerPort: 5000 113 | name: registryhttps 114 | {{- end }} 115 | volumeMounts: 116 | - mountPath: /var/run 117 | name: varrun 118 | - mountPath: /var/cache/nginx 119 | name: varcache 120 | - mountPath: /secrets 121 | name: tls-secret 122 | - mountPath: /etc/nginx/dssc 123 | name: config 124 | # TODO probes 125 | # livenessProbe: 126 | # readinessProbe: 127 | command: 128 | - nginx 129 | - -g daemon off; 130 | # this looks wrong but with a space we get 131 | # nginx: [emerg] open() "/etc/nginx/ dssc/nginx.conf" failed (2: No such file or directory) 132 | - -cdssc/nginx.conf 133 | env: [] 134 | resources: 135 | {{ toYaml (default .Values.resources.defaults .Values.resources.proxy) | indent 12 }} 136 | volumes: 137 | - name: varrun 138 | emptyDir: 139 | sizeLimit: 1Mi 140 | - name: varcache 141 | emptyDir: 142 | sizeLimit: 10Mi 143 | - name: tls-secret 144 | secret: 145 | {{- if not .Values.certificate.secret.name }} 146 | secretName: {{ template "smartcheck.fullname" . }}-tls-certificate 147 | items: 148 | - key: certificate 149 | path: default_ssl.crt 150 | - key: privateKey 151 | path: default_ssl.key 152 | {{- else }} 153 | secretName: {{ .Values.certificate.secret.name }} 154 | items: 155 | - key: {{ default "tls.crt" .Values.certificate.secret.certificate }} 156 | path: default_ssl.crt 157 | - key: {{ default "tls.key" .Values.certificate.secret.privateKey }} 158 | path: default_ssl.key 159 | {{- end }} 160 | - name: config 161 | configMap: 162 | name: {{ template "smartcheck.fullname" . }}-proxy 163 | items: 164 | - key: proxy.conf 165 | path: nginx.conf 166 | nodeSelector: 167 | {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.proxy) | indent 8 }} 168 | tolerations: 169 | {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.proxy) | indent 8 }} 170 | restartPolicy: Always 171 | --- 172 | apiVersion: v1 173 | kind: ConfigMap 174 | metadata: 175 | name: {{ template "smartcheck.fullname" . }}-proxy 176 | labels: 177 | service: {{ template "smartcheck.fullname" . }}-proxy 178 | release: {{ .Release.Name }} 179 | heritage: {{ .Release.Service }} 180 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 181 | {{ $k }}: {{ quote $v }} 182 | {{- end }} 183 | data: 184 | proxy.conf: | 185 | # Derived from https://github.com/h5bp/server-configs-nginx/blob/master/doc/getting-started.md 186 | # 187 | # Configuration File - Nginx Server Configs 188 | # http://nginx.org/en/docs/dirindex.html 189 | 190 | # Run as a unique, less privileged user for security reasons. 191 | # Default: nobody nobody 192 | 193 | # Sets the worker threads to the number of CPU cores available in the system for best performance. 194 | # Should be > the number of CPU cores. 195 | # Maximum number of connections = worker_processes * worker_connections 196 | # Default: 1 197 | worker_processes auto; 198 | 199 | # Maximum number of open files per worker process. 200 | # Should be > worker_connections. 201 | # Default: no limit 202 | worker_rlimit_nofile 8192; 203 | 204 | events { 205 | # If you need more connections than this, you start optimizing your OS. 206 | # That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests. 207 | # Should be < worker_rlimit_nofile. 208 | # Default: 512 209 | worker_connections 8000; 210 | } 211 | 212 | # Log errors and warnings to this file 213 | # This is only used when you don't override it on a server{} level 214 | # Default: logs/error.log error 215 | # The upstream nginx container creates sym links to stdout/stderr 216 | # https://github.com/nginxinc/docker-nginx/blob/8921999083def7ba43a06fabd5f80e4406651353/mainline/jessie/Dockerfile#L21-L23 217 | error_log /var/log/nginx/error.log error; 218 | 219 | # The file storing the process ID of the main process 220 | # Default: nginx.pid 221 | pid /var/run/nginx.pid; 222 | 223 | http { 224 | 225 | # Hide nginx version information. 226 | # Default: on 227 | server_tokens off; 228 | 229 | # Specify MIME types for files. 230 | include ../mime.types; 231 | 232 | # Default: text/plain 233 | default_type application/octet-stream; 234 | 235 | # Update charset_types to match updated mime.types. 236 | # text/html is always included by charset module. 237 | # Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml 238 | charset_types 239 | text/css 240 | text/plain 241 | text/vnd.wap.wml 242 | application/javascript 243 | application/json 244 | application/rss+xml 245 | application/xml; 246 | 247 | # Include $http_x_forwarded_for within default format used in log files 248 | log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 249 | '$status $body_bytes_sent "$http_referer" ' 250 | '"$http_user_agent" "$http_x_forwarded_for"'; 251 | 252 | # For log field reference see https://nginx.org/en/docs/http/ngx_http_log_module.html 253 | # For more variables see https://nginx.org/en/docs/varindex.html 254 | log_format json_log escape=json 255 | '{' 256 | '"component": "proxy", ' 257 | '"dur": "${request_time}s", ' 258 | '"referer": "$http_referer", ' 259 | '"userAgent": "$http_user_agent", ' 260 | '"forwardedFor": "$http_x_forwarded_for", ' 261 | '"len": "$body_bytes_sent", ' 262 | '"method": "$request_method", ' 263 | '"proto": "$server_protocol", ' 264 | '"remoteAddr": "$remote_addr", ' 265 | '"requestID": "$sent_http_x_request_id", ' 266 | '"response": $status, ' 267 | '"severity": "info", ' 268 | '"timestamp": "$time_iso8601", ' 269 | '"uri": "$request_uri" ' 270 | '}'; 271 | 272 | # Log access to this file 273 | # This is only used when you don't override it on a server{} level 274 | # Default: logs/access.log combined 275 | # The upstream nginx container creates sym links to stdout/stderr 276 | # https://github.com/nginxinc/docker-nginx/blob/8921999083def7ba43a06fabd5f80e4406651353/mainline/jessie/Dockerfile#L21-L23 277 | access_log /var/log/nginx/access.log json_log; 278 | 279 | # How long to allow each connection to stay idle. 280 | # Longer values are better for each individual client, particularly for SSL, 281 | # but means that worker connections are tied up longer. 282 | # Default: 75s 283 | keepalive_timeout 20s; 284 | 285 | # Speed up file transfers by using sendfile() to copy directly 286 | # between descriptors rather than using read()/write(). 287 | # For performance reasons, on FreeBSD systems w/ ZFS 288 | # this option should be disabled as ZFS's ARC caches 289 | # frequently used files in RAM by default. 290 | # Default: off 291 | sendfile on; 292 | 293 | # Don't send out partial frames; this increases throughput 294 | # since TCP frames are filled up before being sent out. 295 | # Default: off 296 | tcp_nopush on; 297 | 298 | # Enable gzip compression. 299 | # Default: off 300 | gzip on; 301 | 302 | # Compression level (1-9). 303 | # 5 is a perfect compromise between size and CPU usage, offering about 304 | # 75% reduction for most ASCII files (almost identical to level 9). 305 | # Default: 1 306 | gzip_comp_level 5; 307 | 308 | # Don't compress anything that's already small and unlikely to shrink much 309 | # if at all (the default is 20 bytes, which is bad as that usually leads to 310 | # larger files after gzipping). 311 | # Default: 20 312 | gzip_min_length 256; 313 | 314 | # Compress data even for clients that are connecting to us via proxies, 315 | # identified by the "Via" header (required for CloudFront). 316 | # Default: off 317 | gzip_proxied any; 318 | 319 | # Tell proxies to cache both the gzipped and regular version of a resource 320 | # whenever the client's Accept-Encoding capabilities header varies; 321 | # Avoids the issue where a non-gzip capable client (which is extremely rare 322 | # today) would display gibberish if their proxy gave them the gzipped version. 323 | # Default: off 324 | gzip_vary on; 325 | 326 | # Compress all output labeled with one of the following MIME-types. 327 | # text/html is always compressed by gzip module. 328 | # Default: text/html 329 | gzip_types 330 | application/atom+xml 331 | application/javascript 332 | application/json 333 | application/ld+json 334 | application/manifest+json 335 | application/rss+xml 336 | application/vnd.geo+json 337 | application/vnd.ms-fontobject 338 | application/x-font-ttf 339 | application/x-web-app-manifest+json 340 | application/xhtml+xml 341 | application/xml 342 | font/opentype 343 | image/bmp 344 | image/svg+xml 345 | image/x-icon 346 | text/cache-manifest 347 | text/css 348 | text/plain 349 | text/vcard 350 | text/vnd.rim.location.xloc 351 | text/vtt 352 | text/x-component 353 | text/x-cross-domain-policy; 354 | 355 | # redirect all http traffic to https 356 | server { 357 | listen 8080; 358 | {{- if .Values.ipv6.enabled }} 359 | listen [::]:8080; 360 | {{- end }} 361 | server_name _; 362 | return 301 https://$host$request_uri; 363 | } 364 | 365 | {{ $apiRateLimiting := default (dict) (default (dict) .Values.rateLimiting).api -}} 366 | # 367 | # Code generated by helm. DO NOT EDIT. 368 | # 369 | limit_req_zone $binary_remote_addr zone=limit:{{ default 10 $apiRateLimiting.size }}m rate={{ default 10 $apiRateLimiting.rate }}r/s; 370 | 371 | # List of application servers 372 | upstream frontend_server { 373 | server frontend:8080; 374 | } 375 | upstream scan_server { 376 | server scan:8080; 377 | } 378 | upstream auth_server { 379 | server auth:8080; 380 | } 381 | upstream docs_server { 382 | server docs:8080; 383 | } 384 | upstream registryviews_server { 385 | server registryviews:8080; 386 | } 387 | upstream license_server { 388 | server license:8080; 389 | } 390 | 391 | # Configuration for the server 392 | server { 393 | # Running port 394 | {{- if .Values.ipv6.enabled }} 395 | listen [::]:8443 ssl http2 default_server; 396 | {{- end }} 397 | listen 8443 ssl http2 default_server; 398 | 399 | include ../ssl/ssl.conf; 400 | 401 | charset utf-8; 402 | 403 | error_page 401 /401.json; 404 | location = /401.json { 405 | root /etc/nginx/custom_errors; 406 | internal; 407 | } 408 | 409 | # Proxying the connections 410 | location / { 411 | proxy_pass http://frontend_server; 412 | proxy_redirect off; 413 | proxy_set_header Host $host; 414 | proxy_set_header X-Real-IP $remote_addr; 415 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 416 | proxy_set_header X-Forwarded-Host $server_name; 417 | 418 | add_header Vary "Authorization" always; 419 | add_header Strict-Transport-Security "max-age=31622400"; 420 | } 421 | 422 | location /api { 423 | # Short-circuit requests that don't have an authorization token. 424 | if ($http_authorization !~ "^Bearer") { 425 | return 401; 426 | } 427 | 428 | limit_req zone=limit burst={{ default 10 $apiRateLimiting.burst }}; 429 | limit_req_status {{ default 429 $apiRateLimiting.status }}; 430 | 431 | proxy_pass http://scan_server; 432 | proxy_redirect off; 433 | proxy_set_header Host $host; 434 | proxy_set_header X-Real-IP $remote_addr; 435 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 436 | proxy_set_header X-Forwarded-Host $server_name; 437 | 438 | add_header Vary "Authorization" always; 439 | } 440 | 441 | location /docs/ { 442 | proxy_pass http://docs_server; 443 | proxy_redirect off; 444 | proxy_set_header Host $host; 445 | proxy_set_header X-Real-IP $remote_addr; 446 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 447 | proxy_set_header X-Forwarded-Host $server_name; 448 | 449 | add_header Vary "Authorization" always; 450 | add_header Strict-Transport-Security "max-age=31622400"; 451 | } 452 | 453 | location ~ /saml/?$ { 454 | limit_req zone=limit burst={{ default 10 $apiRateLimiting.burst }}; 455 | limit_req_status {{ default 429 $apiRateLimiting.status }}; 456 | 457 | proxy_pass http://auth_server; 458 | proxy_redirect off; 459 | proxy_set_header Host $host; 460 | proxy_set_header X-Real-IP $remote_addr; 461 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 462 | 463 | add_header Vary "Authorization" always; 464 | } 465 | 466 | location ~ /api/sessions { 467 | # don't check for the Authorization header here because they won't 468 | # have a token until they create the session 469 | limit_req zone=limit burst={{ default 10 $apiRateLimiting.burst }}; 470 | limit_req_status {{ default 429 $apiRateLimiting.status }}; 471 | 472 | proxy_pass http://auth_server; 473 | proxy_redirect off; 474 | proxy_set_header Host $host; 475 | proxy_set_header X-Real-IP $remote_addr; 476 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 477 | proxy_set_header X-Forwarded-Host $server_name; 478 | 479 | add_header Vary "Authorization" always; 480 | } 481 | 482 | location ~ /api/(users|roles|identity-providers) { 483 | # Short-circuit requests that don't have an authorization token. 484 | if ($http_authorization !~ "^Bearer") { 485 | return 401; 486 | } 487 | 488 | limit_req zone=limit burst={{ default 10 $apiRateLimiting.burst }}; 489 | limit_req_status {{ default 429 $apiRateLimiting.status }}; 490 | 491 | proxy_pass http://auth_server; 492 | proxy_redirect off; 493 | proxy_set_header Host $host; 494 | proxy_set_header X-Real-IP $remote_addr; 495 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 496 | proxy_set_header X-Forwarded-Host $server_name; 497 | 498 | add_header Vary "Authorization" always; 499 | } 500 | 501 | location ~ /api/registries { 502 | # Short-circuit requests that don't have an authorization token. 503 | if ($http_authorization !~ "^Bearer") { 504 | return 401; 505 | } 506 | 507 | limit_req zone=limit burst={{ default 10 $apiRateLimiting.burst }}; 508 | limit_req_status {{ default 429 $apiRateLimiting.status }}; 509 | 510 | proxy_pass http://registryviews_server; 511 | proxy_redirect off; 512 | proxy_set_header Host $host; 513 | proxy_set_header X-Real-IP $remote_addr; 514 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 515 | proxy_set_header X-Forwarded-Host $server_name; 516 | 517 | add_header Vary "Authorization" always; 518 | } 519 | 520 | location ~ /api/license { 521 | # Short-circuit requests that don't have an authorization token. 522 | if ($http_authorization !~ "^Bearer") { 523 | return 401; 524 | } 525 | 526 | limit_req zone=limit burst={{ default 10 $apiRateLimiting.burst }}; 527 | limit_req_status {{ default 429 $apiRateLimiting.status }}; 528 | 529 | proxy_pass http://license_server; 530 | 531 | add_header Vary "Authorization" always; 532 | } 533 | } 534 | 535 | {{ if .Values.registry.enabled }} 536 | 537 | upstream registry_server { 538 | server registry:5000; 539 | } 540 | 541 | # Configuration for the registry 542 | server { 543 | 544 | # Running port 545 | {{- if .Values.ipv6.enabled }} 546 | listen [::]:5000 ssl http2 default_server; 547 | {{- end }} 548 | listen 5000 ssl http2 default_server; 549 | 550 | include ../ssl/ssl.conf; 551 | 552 | charset utf-8; 553 | 554 | # disable any limits to avoid HTTP 413 for large image uploads 555 | client_max_body_size 0; 556 | 557 | # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) 558 | chunked_transfer_encoding on; 559 | 560 | # required to avoid HTTP 405 Not allowed. 561 | location / { 562 | proxy_set_header Host $http_host; 563 | proxy_set_header X-Real-IP $remote_addr; 564 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 565 | proxy_set_header X-Forwarded-Host $server_name; 566 | proxy_set_header X-Forwarded-Proto $scheme; 567 | proxy_read_timeout 900; 568 | 569 | add_header Vary "Authorization" always; 570 | add_header Strict-Transport-Security "max-age=31622400"; 571 | } 572 | 573 | location /v2/ { 574 | 575 | # Do not allow connections from docker 1.5 and earlier 576 | # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents 577 | if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { 578 | return 404; 579 | } 580 | 581 | proxy_pass https://registry_server; 582 | proxy_redirect off; 583 | proxy_set_header Host $http_host; 584 | proxy_set_header X-Real-IP $remote_addr; 585 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 586 | proxy_set_header X-Forwarded-Host $server_name; 587 | proxy_set_header X-Forwarded-Proto $scheme; 588 | proxy_read_timeout 900; 589 | 590 | add_header Vary "Authorization" always; 591 | add_header Strict-Transport-Security "max-age=31622400"; 592 | } 593 | } 594 | {{- end }}{{/* if .Values.registry.enabled */}} 595 | } 596 | 597 | {{ if .Values.networkPolicy.enabled }} 598 | --- 599 | apiVersion: networking.k8s.io/v1 600 | kind: NetworkPolicy 601 | metadata: 602 | name: proxy 603 | labels: 604 | service: proxy 605 | release: {{ .Release.Name }} 606 | heritage: {{ .Release.Service }} 607 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 608 | {{ $k }}: {{ quote $v }} 609 | {{- end }} 610 | spec: 611 | podSelector: 612 | matchLabels: 613 | service: proxy 614 | release: {{ .Release.Name }} 615 | heritage: {{ .Release.Service }} 616 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 617 | {{ $k }}: {{ quote $v }} 618 | {{- end }} 619 | policyTypes: 620 | - Ingress 621 | - Egress 622 | ingress: 623 | - from: # any 624 | ports: 625 | - protocol: TCP 626 | port: 8080 627 | - from: # any 628 | ports: 629 | - protocol: TCP 630 | port: 8443 631 | {{ if .Values.registry.enabled }} 632 | - from: # any 633 | ports: 634 | - protocol: TCP 635 | port: 5000 636 | {{- end }} 637 | egress: 638 | - to: 639 | - podSelector: 640 | matchLabels: 641 | service: frontend 642 | release: {{ .Release.Name }} 643 | heritage: {{ .Release.Service }} 644 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 645 | {{ $k }}: {{ quote $v }} 646 | {{- end }} 647 | - podSelector: 648 | matchLabels: 649 | service: scan 650 | release: {{ .Release.Name }} 651 | heritage: {{ .Release.Service }} 652 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 653 | {{ $k }}: {{ quote $v }} 654 | {{- end }} 655 | - podSelector: 656 | matchLabels: 657 | service: registryviews 658 | release: {{ .Release.Name }} 659 | heritage: {{ .Release.Service }} 660 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 661 | {{ $k }}: {{ quote $v }} 662 | {{- end }} 663 | - podSelector: 664 | matchLabels: 665 | service: auth 666 | release: {{ .Release.Name }} 667 | heritage: {{ .Release.Service }} 668 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 669 | {{ $k }}: {{ quote $v }} 670 | {{- end }} 671 | - podSelector: 672 | matchLabels: 673 | service: docs 674 | release: {{ .Release.Name }} 675 | heritage: {{ .Release.Service }} 676 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 677 | {{ $k }}: {{ quote $v }} 678 | {{- end }} 679 | - podSelector: 680 | matchLabels: 681 | service: license 682 | release: {{ .Release.Name }} 683 | heritage: {{ .Release.Service }} 684 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 685 | {{ $k }}: {{ quote $v }} 686 | {{- end }} 687 | ports: 688 | - protocol: TCP 689 | port: 8080 690 | {{ if .Values.registry.enabled }} 691 | - to: 692 | - podSelector: 693 | matchLabels: 694 | service: registry 695 | release: {{ .Release.Name }} 696 | heritage: {{ .Release.Service }} 697 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 698 | {{ $k }}: {{ quote $v }} 699 | {{- end }} 700 | ports: 701 | - protocol: TCP 702 | port: 5000 703 | {{- end }} 704 | - to: # any 705 | ports: 706 | - protocol: TCP 707 | port: 53 708 | - protocol: UDP 709 | port: 53 710 | {{- end }} 711 | -------------------------------------------------------------------------------- /templates/registry.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.registry.enabled -}} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ template "smartcheck.fullname" . }}-registry-config 6 | labels: 7 | service: registry 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 11 | {{ $k }}: {{ quote $v }} 12 | {{- end }} 13 | data: 14 | config.yml: |- 15 | version: 0.1 16 | log: 17 | fields: 18 | service: registry 19 | formatter: json 20 | storage: 21 | filesystem: 22 | rootdirectory: /var/lib/registry 23 | delete: 24 | enabled: true 25 | http: 26 | addr: :5000 27 | headers: 28 | X-Content-Type-Options: [nosniff] 29 | health: 30 | storagedriver: 31 | enabled: true 32 | interval: 10s 33 | threshold: 3 34 | 35 | --- 36 | apiVersion: v1 37 | kind: Secret 38 | metadata: 39 | name: registry-auth 40 | labels: 41 | service: registry 42 | release: {{ .Release.Name }} 43 | heritage: {{ .Release.Service }} 44 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 45 | {{ $k }}: {{ quote $v }} 46 | {{- end }} 47 | type: Opaque 48 | data: 49 | {{- if (and .Values.registry.auth.username .Values.registry.auth.password) }} 50 | username: {{ .Values.registry.auth.username | toString | b64enc }} 51 | password: {{ .Values.registry.auth.password | toString | b64enc }} 52 | {{- end }} 53 | haSharedSecret: {{ randAlphaNum 16 | b64enc | quote }} 54 | 55 | 56 | --- 57 | apiVersion: apps/v1 58 | kind: Deployment 59 | metadata: 60 | name: registry 61 | labels: 62 | service: registry 63 | release: {{ .Release.Name }} 64 | heritage: {{ .Release.Service }} 65 | appVersion: {{ .Chart.AppVersion }} 66 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 67 | {{ $k }}: {{ quote $v }} 68 | {{- end }} 69 | spec: 70 | # We set revisionHistoryLimit to 0 because rollback should be done 71 | # using `helm rollback` rather than with `kubectl rollout undo`, so 72 | # we don't need to keep the old `ReplicaSet`s around. 73 | # https://kubernetes.io/docs/concepts/workloads/controllers/deployment 74 | revisionHistoryLimit: 0 75 | replicas: {{ default 1 .Values.replicas.registry }} 76 | minReadySeconds: 5 77 | selector: 78 | matchLabels: 79 | service: registry 80 | release: {{ .Release.Name }} 81 | template: 82 | metadata: 83 | labels: 84 | service: registry 85 | release: {{ .Release.Name }} 86 | heritage: {{ .Release.Service }} 87 | appVersion: {{ .Chart.AppVersion }} 88 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 89 | {{ $k }}: {{ quote $v }} 90 | {{- end }} 91 | spec: 92 | automountServiceAccountToken: false 93 | {{- $securityContextEnabled := .Values.securityContext.enabled }} 94 | {{- $securityContext := default .Values.securityContext.default .Values.securityContext.registry }} 95 | {{- $podSecurityContext := default .Values.securityContext.default.pod $securityContext.pod }} 96 | {{- $containerSecurityContext := default .Values.securityContext.default.container $securityContext.container }} 97 | {{- if $securityContextEnabled }} 98 | securityContext: 99 | {{ toYaml $podSecurityContext | indent 8 }} 100 | {{- end }} 101 | {{- $imageDefaults := .Values.images.defaults }} 102 | {{- with .Values.images.registry }} 103 | {{- $secret := (default (default "" $imageDefaults.imagePullSecret) .imagePullSecret) }} 104 | {{- if not (eq "" $secret) }} 105 | imagePullSecrets: 106 | - name: {{ $secret | quote }} 107 | {{- end }} 108 | containers: 109 | - name: registry 110 | {{- if $securityContextEnabled }} 111 | securityContext: 112 | {{ toYaml $containerSecurityContext | indent 10 }} 113 | {{- end }} 114 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 115 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 116 | {{- $tag := (default $imageDefaults.tag .tag) }} 117 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 118 | imagePullPolicy: {{ default (default "IfNotPresent" $imageDefaults.pullPolicy) .pullPolicy }} 119 | {{- end }} 120 | command: 121 | - /entrypoint.sh 122 | - /bin/registry 123 | - serve 124 | - /etc/docker/registry/config.yml 125 | ports: 126 | - containerPort: 5000 127 | livenessProbe: 128 | httpGet: 129 | scheme: HTTPS 130 | path: / 131 | port: 5000 132 | readinessProbe: 133 | httpGet: 134 | scheme: HTTPS 135 | path: / 136 | port: 5000 137 | resources: 138 | {{ toYaml (default .Values.resources.defaults .Values.resources.registry) | indent 12 }} 139 | env: 140 | {{- if (and .Values.registry.auth.username .Values.registry.auth.password) }} 141 | - name: REGISTRY_AUTH 142 | value: "htpasswd" 143 | - name: REGISTRY_AUTH_HTPASSWD_REALM 144 | value: "Registry Realm" 145 | - name: REGISTRY_AUTH_HTPASSWD_PATH 146 | value: "/auth/htpasswd" 147 | {{- end }} 148 | - name: REGISTRY_HTTP_TLS_CERTIFICATE 149 | value: /etc/ssl/docker/tls.crt 150 | - name: REGISTRY_HTTP_TLS_KEY 151 | value: /etc/ssl/docker/tls.key 152 | - name: REGISTRY_HTTP_SECRET 153 | valueFrom: 154 | secretKeyRef: 155 | name: registry-auth 156 | key: haSharedSecret 157 | - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY 158 | value: "/var/lib/registry" 159 | - name: REGISTRY_STORAGE_DELETE_ENABLED 160 | value: "true" 161 | volumeMounts: 162 | {{- if (and .Values.registry.auth.username .Values.registry.auth.password) }} 163 | - name: htpasswd 164 | mountPath: /auth 165 | readOnly: true 166 | {{- end }} 167 | - mountPath: /etc/ssl/docker 168 | name: tls-secret 169 | readOnly: true 170 | - name: data 171 | mountPath: /var/lib/registry/ 172 | - name: registry-config 173 | mountPath: /etc/docker/registry 174 | 175 | {{- if .Values.tasks.registryCleaner.enabled }} 176 | - name: garbage-collector 177 | {{- with .Values.images.registry }} 178 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 179 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 180 | {{- $tag := (default $imageDefaults.tag .tag) }} 181 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 182 | imagePullPolicy: {{ default (default "IfNotPresent" $imageDefaults.pullPolicy) .pullPolicy }} 183 | {{- end }} 184 | command: ["/bin/sh", "-c"] 185 | args: ["while true; ./entrypoint.sh /bin/registry garbage-collect /etc/docker/registry/config.yml || true; do sleep 3600; done"] 186 | env: 187 | - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY 188 | value: "/var/lib/registry" 189 | - name: REGISTRY_STORAGE_DELETE_ENABLED 190 | value: "true" 191 | volumeMounts: 192 | - name: data 193 | mountPath: /var/lib/registry/ 194 | - name: registry-config 195 | mountPath: /etc/docker/registry 196 | {{- if $securityContextEnabled }} 197 | securityContext: {{ toYaml $containerSecurityContext | nindent 10 }} 198 | {{- end }}{{/* if $securityContextEnabled*/}} 199 | resources: {{ toYaml (default .Values.resources.defaults .Values.resources.registryGarbageCollector) | nindent 10 }} 200 | 201 | - name: cleaner 202 | {{- with .Values.images.registryCleaner }} 203 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 204 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 205 | {{- $tag := (default $imageDefaults.tag .tag) }} 206 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 207 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 208 | {{- end }} 209 | {{- if $securityContextEnabled }} 210 | securityContext: {{ toYaml $containerSecurityContext | nindent 10 }} 211 | {{- end }}{{/* if $securityContextEnabled */}} 212 | resources: {{ toYaml (default .Values.resources.defaults .Values.resources.registryCleaner) | nindent 10 }} 213 | args: 214 | - purge-local 215 | {{- if (and .Values.registry.auth.username .Values.registry.auth.password) }} 216 | - --username=$(HTPASSWD_SECRET_USERNAME) 217 | - --password=$(HTPASSWD_SECRET_PASSWORD) 218 | env: 219 | - name: HTPASSWD_SECRET_USERNAME 220 | valueFrom: 221 | secretKeyRef: 222 | name: registry-auth 223 | key: username 224 | - name: HTPASSWD_SECRET_PASSWORD 225 | valueFrom: 226 | secretKeyRef: 227 | name: registry-auth 228 | key: password 229 | {{- end }} 230 | volumeMounts: 231 | - name: data 232 | mountPath: /var/lib/registry/ 233 | readOnly: true 234 | - mountPath: /etc/ssl/docker 235 | name: tls-secret 236 | readOnly: true 237 | {{- end }} 238 | 239 | {{- if (and .Values.registry.auth.username .Values.registry.auth.password) }} 240 | initContainers: 241 | {{- $imageDefaults := .Values.images.defaults }} 242 | {{- with .Values.images.registry }} 243 | - name: htpasswd 244 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 245 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 246 | {{- $tag := (default $imageDefaults.tag .tag) }} 247 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 248 | imagePullPolicy: {{ default (default "IfNotPresent" $imageDefaults.pullPolicy) .pullPolicy }} 249 | {{- end }} 250 | env: 251 | - name: USERNAME 252 | valueFrom: 253 | secretKeyRef: 254 | name: registry-auth 255 | key: username 256 | - name: PASSWORD 257 | valueFrom: 258 | secretKeyRef: 259 | name: registry-auth 260 | key: password 261 | command: 262 | - /bin/sh 263 | - -c 264 | - ./entrypoint.sh htpasswd -Bbc /auth/htpasswd "$USERNAME" "$PASSWORD" 265 | volumeMounts: 266 | - name: htpasswd 267 | mountPath: "/auth" 268 | - name: empty-tmp 269 | mountPath: "/tmp" 270 | resources: {{ toYaml (default .Values.resources.defaults .Values.resources.htPasswd) | nindent 10 }} 271 | {{- if $securityContextEnabled }} 272 | securityContext: {{ toYaml $containerSecurityContext | nindent 10 }} 273 | {{- end }}{{/* if $securityContextEnabled */}} 274 | {{- end }} 275 | 276 | nodeSelector: 277 | {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.registry) | indent 8 }} 278 | tolerations: 279 | {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.registry) | indent 8 }} 280 | volumes: 281 | - name: empty-tmp 282 | emptyDir: {} 283 | {{- if (and .Values.registry.auth.username .Values.registry.auth.password) }} 284 | - name: htpasswd 285 | emptyDir: 286 | sizeLimit: 1Mi 287 | {{- end }} 288 | - name: data 289 | emptyDir: 290 | sizeLimit: {{ default "10Gi" .Values.registry.dataVolume.sizeLimit | quote }} 291 | - name: registry-config 292 | configMap: 293 | name: {{ template "smartcheck.fullname" . }}-registry-config 294 | - name: tls-secret 295 | secret: 296 | secretName: {{ required "certificate.secret.name is required when enabling pre-registry scanning. See https://github.com/deep-security/smartcheck-helm/wiki/Replace-the-service-certificate for instructions on replacing the default certificate." .Values.certificate.secret.name }} 297 | items: 298 | - key: {{ default "tls.crt" .Values.certificate.secret.certificate }} 299 | path: tls.crt 300 | - key: {{ default "tls.key" .Values.certificate.secret.privateKey }} 301 | path: tls.key 302 | 303 | --- 304 | apiVersion: v1 305 | kind: Service 306 | metadata: 307 | name: registry 308 | labels: 309 | service: registry 310 | release: {{ .Release.Name }} 311 | heritage: {{ .Release.Service }} 312 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 313 | {{ $k }}: {{ quote $v }} 314 | {{- end }} 315 | spec: 316 | type: ClusterIP 317 | ports: 318 | - port: 5000 319 | protocol: TCP 320 | name: registry 321 | targetPort: 5000 322 | selector: 323 | service: registry 324 | release: {{ .Release.Name }} 325 | 326 | {{ if .Values.networkPolicy.enabled }} 327 | --- 328 | apiVersion: networking.k8s.io/v1 329 | kind: NetworkPolicy 330 | metadata: 331 | name: registry 332 | labels: 333 | service: registry 334 | release: {{ .Release.Name }} 335 | heritage: {{ .Release.Service }} 336 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 337 | {{ $k }}: {{ quote $v }} 338 | {{- end }} 339 | spec: 340 | podSelector: 341 | matchLabels: 342 | service: registry 343 | release: {{ .Release.Name }} 344 | heritage: {{ .Release.Service }} 345 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 346 | {{ $k }}: {{ quote $v }} 347 | {{- end }} 348 | policyTypes: 349 | - Ingress 350 | - Egress 351 | ingress: 352 | - from: 353 | - podSelector: 354 | matchLabels: 355 | service: proxy 356 | release: {{ .Release.Name }} 357 | heritage: {{ .Release.Service }} 358 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 359 | {{ $k }}: {{ quote $v }} 360 | {{- end }} 361 | ports: 362 | - protocol: TCP 363 | port: 5000 364 | 365 | - from: # any -- this should just be kubelet for health probes 366 | ports: 367 | - protocol: TCP 368 | port: 8083 369 | {{- end }} 370 | 371 | {{- end -}} 372 | -------------------------------------------------------------------------------- /templates/registryviews.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: registryviews 5 | labels: 6 | service: registryviews 7 | release: {{ .Release.Name }} 8 | heritage: {{ .Release.Service }} 9 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 10 | {{ $k }}: {{ quote $v }} 11 | {{- end }}{{/* range .Values.extraLabels */}} 12 | spec: 13 | ports: 14 | - port: 8080 15 | protocol: TCP 16 | name: external 17 | selector: 18 | service: registryviews 19 | release: {{ .Release.Name }} 20 | --- 21 | {{ include "smartcheck.service.database.secret" (dict "Chart" .Chart "Values" .Values "Release" .Release "service" "registryviews") }} 22 | 23 | --- 24 | apiVersion: v1 25 | kind: Service 26 | metadata: 27 | name: registryviews-internal 28 | labels: 29 | service: registryviews-internal 30 | release: {{ .Release.Name }} 31 | heritage: {{ .Release.Service }} 32 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 33 | {{ $k }}: {{ quote $v }} 34 | {{- end }}{{/* range .Values.extraLabels */}} 35 | spec: 36 | ports: 37 | - port: 8081 38 | protocol: TCP 39 | name: internal 40 | selector: 41 | service: registryviews 42 | release: {{ .Release.Name }} 43 | 44 | --- 45 | apiVersion: apps/v1 46 | kind: Deployment 47 | metadata: 48 | name: registryviews 49 | labels: 50 | service: registryviews 51 | release: {{ .Release.Name }} 52 | heritage: {{ .Release.Service }} 53 | appVersion: {{ .Chart.AppVersion }} 54 | metrics: include 55 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 56 | {{ $k }}: {{ quote $v }} 57 | {{- end }}{{/* range .Values.extraLabels */}} 58 | spec: 59 | # We set revisionHistoryLimit to 0 because rollback should be done 60 | # using `helm rollback` rather than with `kubectl rollout undo`, so 61 | # we don't need to keep the old `ReplicaSet`s around. 62 | # https://kubernetes.io/docs/concepts/workloads/controllers/deployment 63 | revisionHistoryLimit: 0 64 | replicas: {{ default 1 .Values.replicas.registryviews }} 65 | selector: 66 | matchLabels: 67 | service: registryviews 68 | release: {{ .Release.Name }} 69 | template: 70 | metadata: 71 | labels: 72 | service: registryviews 73 | release: {{ .Release.Name }} 74 | heritage: {{ .Release.Service }} 75 | appVersion: {{ .Chart.AppVersion }} 76 | metrics: include 77 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 78 | {{ $k }}: {{ quote $v }} 79 | {{- end }}{{/* range .Values.extraLabels */}} 80 | spec: 81 | automountServiceAccountToken: false 82 | serviceAccountName: {{ include "smartcheck.service.account.name" (dict "Chart" .Chart "Values" .Values "Release" .Release "role" "registryAccess") }} 83 | {{- $securityContextEnabled := .Values.securityContext.enabled }} 84 | {{- $securityContext := default .Values.securityContext.default .Values.securityContext.registryviews }} 85 | {{- $podSecurityContext := default .Values.securityContext.default.pod $securityContext.pod }} 86 | {{- $containerSecurityContext := default .Values.securityContext.default.container $securityContext.container }} 87 | {{- if $securityContextEnabled }} 88 | securityContext: 89 | {{ toYaml $podSecurityContext | indent 8 }} 90 | {{- end }}{{/* if $securityContextEnabled */}} 91 | initContainers: 92 | - {{ include "smartcheck.db-initcontainer" (dict "Values" .Values "Chart" .Chart "Release" .Release "service" "registryviews") | nindent 10 | trim }} 93 | 94 | {{- $imageDefaults := .Values.images.defaults }} 95 | {{- with .Values.images.registryviews }} 96 | {{- $secret := (default (default "" $imageDefaults.imagePullSecret) .imagePullSecret) }} 97 | {{- if $secret }} 98 | imagePullSecrets: 99 | - name: {{ $secret | quote }} 100 | {{- end }}{{/* if $secret */}} 101 | containers: 102 | - name: registryviews 103 | {{- if $securityContextEnabled }} 104 | securityContext: {{ toYaml $containerSecurityContext | nindent 12 }} 105 | {{- end }}{{/* if $securityContextEnabled */}} 106 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 107 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 108 | {{- $tag := (default $imageDefaults.tag .tag) }} 109 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 110 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 111 | {{- end }}{{/* with .Values.images.registryviews */}} 112 | ports: 113 | - containerPort: 8080 114 | name: external 115 | - containerPort: 8081 116 | name: internal 117 | - containerPort: 8082 118 | name: metrics 119 | - containerPort: 8083 120 | name: health 121 | livenessProbe: 122 | httpGet: 123 | path: /health 124 | port: 8083 125 | initialDelaySeconds: 10 126 | timeoutSeconds: 5 127 | failureThreshold: 6 128 | readinessProbe: 129 | httpGet: 130 | path: /health 131 | port: 8083 132 | initialDelaySeconds: 10 133 | timeoutSeconds: 5 134 | failureThreshold: 6 135 | args: 136 | - --internal-base=http://registryviews:8081 137 | - --authorization-url=http://auth-internal:8081 138 | - --database-connection-string=postgres:postgres:// 139 | - --database-secret=$(DB_SECRET) 140 | - --scan-url=http://scan-internal:8081 141 | - --license-url=http://license-internal:8081 142 | - --use-strict-transport-security=true 143 | - --use-strict-transport-security-includes-subdomains=false 144 | - --use-strict-transport-security-includes-preload=false 145 | {{- if .Values.telemetry.enabled }} 146 | - --telemetry-endpoint=http://metrics-internal:8081 147 | {{- end }} 148 | env: 149 | {{- include "smartcheck.service.database.env" (dict "Chart" .Chart "Release" .Release "Values" .Values "service" "registryviews") | nindent 12 }} 150 | {{- include "smartcheck.proxy.env" . | nindent 12 }} 151 | volumeMounts: 152 | {{- $volumeMounts := include "smartcheck.db-trust-volume-mount" . | nindent 12 }} 153 | {{- if (trim $volumeMounts) }} 154 | {{- $volumeMounts }} 155 | {{- else }} 156 | # emptyDir: as the workaround of amazon-eks-pod-identity-webhook#17 (fixed in PR#18, does not deploy into the latest EKS yet.) 157 | - name: work 158 | mountPath: /work 159 | {{- end }}{{/* if $volumeMounts */}} 160 | resources: {{ toYaml (default .Values.resources.defaults .Values.resources.registryviews) | nindent 12 }} 161 | volumes: 162 | {{- $volumes := include "smartcheck.db-trust-volume" . | nindent 8 }} 163 | {{- if (trim $volumes) }} 164 | {{- $volumes }} 165 | {{- else }} 166 | # emptyDir: as the workaround of amazon-eks-pod-identity-webhook#17 (fixed in PR#18, does not deploy into the latest EKS yet.) 167 | - name: work 168 | emptyDir: {} 169 | {{- end }}{{/* if $volumes */}} 170 | nodeSelector: {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.registryviews) | nindent 8 }} 171 | tolerations: {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.registryviews) | nindent 8 }} 172 | restartPolicy: Always 173 | 174 | {{ if .Values.networkPolicy.enabled }} 175 | --- 176 | apiVersion: networking.k8s.io/v1 177 | kind: NetworkPolicy 178 | metadata: 179 | name: registryviews 180 | labels: 181 | service: registryviews 182 | release: {{ .Release.Name }} 183 | heritage: {{ .Release.Service }} 184 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 185 | {{ $k }}: {{ quote $v }} 186 | {{- end }}{{/* range .Values.extraLabels */}} 187 | spec: 188 | podSelector: 189 | matchLabels: 190 | service: registryviews 191 | release: {{ .Release.Name }} 192 | heritage: {{ .Release.Service }} 193 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 194 | {{ $k }}: {{ quote $v }} 195 | {{- end }}{{/* range .Values.extraLabels */}} 196 | policyTypes: 197 | - Ingress 198 | - Egress 199 | ingress: 200 | - from: 201 | - podSelector: 202 | matchLabels: 203 | service: proxy 204 | release: {{ .Release.Name }} 205 | heritage: {{ .Release.Service }} 206 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 207 | {{ $k }}: {{ quote $v }} 208 | {{- end }}{{/* range .Values.extraLabels */}} 209 | ports: 210 | - protocol: TCP 211 | port: 8080 212 | - from: 213 | - podSelector: 214 | matchLabels: 215 | service: scan 216 | release: {{ .Release.Name }} 217 | heritage: {{ .Release.Service }} 218 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 219 | {{ $k }}: {{ quote $v }} 220 | {{- end }}{{/* range .Values.extraLabels */}} 221 | - podSelector: 222 | matchLabels: 223 | task: scan 224 | release: {{ .Release.Name }} 225 | heritage: {{ .Release.Service }} 226 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 227 | {{ $k }}: {{ quote $v }} 228 | {{- end }}{{/* range .Values.extraLabels */}} 229 | ports: 230 | - protocol: TCP 231 | port: 8081 232 | 233 | - from: # any -- this is for metrics 234 | ports: 235 | - protocol: TCP 236 | port: 8082 237 | - from: # any -- this sould just be kubelet for health probes 238 | ports: 239 | - protocol: TCP 240 | port: 8083 241 | egress: 242 | {{- include "smartcheck.to-dns-networkpolicy" . | nindent 4 }} 243 | {{- include "smartcheck.to-db-networkpolicy" . | nindent 4 }} 244 | {{- include "smartcheck.to-internal-service-networkpolicy" (dict "Release" .Release "Values" .Values "services" (list "auth" "scan" "license" "metrics")) | nindent 4 }} 245 | # allow egress to registries on 80, 443, and any provided additional ports 246 | - to: # any 247 | ports: 248 | - protocol: TCP 249 | port: 80 250 | - protocol: TCP 251 | port: 443 252 | {{- range $port := .Values.networkPolicy.additionalRegistryPorts }} 253 | - protocol: TCP 254 | port: {{ $port }} 255 | {{- end }}{{/* range .Values.networkPolicy.additionalRegistryPorts */}} 256 | {{- include "smartcheck.networkpolicy.outbound" . | nindent 4 }} 257 | {{- end }}{{/* if .Values.networkPolicy.enabled */}} 258 | -------------------------------------------------------------------------------- /templates/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: scan 5 | labels: 6 | service: scan 7 | release: {{ .Release.Name }} 8 | heritage: {{ .Release.Service }} 9 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 10 | {{ $k }}: {{ quote $v }} 11 | {{- end }}{{/* range .Values.extraLabels */}} 12 | spec: 13 | ports: 14 | - port: 8080 15 | protocol: TCP 16 | name: external 17 | selector: 18 | service: scan 19 | release: {{ .Release.Name }} 20 | --- 21 | {{ include "smartcheck.service.database.secret" (dict "Chart" .Chart "Values" .Values "Release" .Release "service" "scan") }} 22 | 23 | --- 24 | apiVersion: v1 25 | kind: Service 26 | metadata: 27 | name: scan-internal 28 | labels: 29 | service: scan-internal 30 | release: {{ .Release.Name }} 31 | heritage: {{ .Release.Service }} 32 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 33 | {{ $k }}: {{ quote $v }} 34 | {{- end }}{{/* range .Values.extraLabels */}} 35 | spec: 36 | ports: 37 | - port: 8081 38 | protocol: TCP 39 | name: internal 40 | selector: 41 | service: scan 42 | release: {{ .Release.Name }} 43 | 44 | --- 45 | apiVersion: apps/v1 46 | kind: Deployment 47 | metadata: 48 | name: scan 49 | labels: 50 | service: scan 51 | release: {{ .Release.Name }} 52 | heritage: {{ .Release.Service }} 53 | appVersion: {{ .Chart.AppVersion }} 54 | metrics: include 55 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 56 | {{ $k }}: {{ quote $v }} 57 | {{- end }}{{/* range .Values.extraLabels */}} 58 | spec: 59 | # We set revisionHistoryLimit to 0 because rollback should be done 60 | # using `helm rollback` rather than with `kubectl rollout undo`, so 61 | # we don't need to keep the old `ReplicaSet`s around. 62 | # https://kubernetes.io/docs/concepts/workloads/controllers/deployment 63 | revisionHistoryLimit: 0 64 | replicas: {{ default 1 .Values.replicas.scan }} 65 | selector: 66 | matchLabels: 67 | service: scan 68 | release: {{ .Release.Name }} 69 | template: 70 | metadata: 71 | labels: 72 | service: scan 73 | release: {{ .Release.Name }} 74 | heritage: {{ .Release.Service }} 75 | appVersion: {{ .Chart.AppVersion }} 76 | metrics: include 77 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 78 | {{ $k }}: {{ quote $v }} 79 | {{- end }}{{/* range .Values.extraLabels */}} 80 | spec: 81 | automountServiceAccountToken: false 82 | serviceAccountName: {{ include "smartcheck.service.account.name" (dict "Chart" .Chart "Values" .Values "Release" .Release "role" "registryAccess") }} 83 | {{- $securityContextEnabled := .Values.securityContext.enabled }} 84 | {{- $securityContext := default .Values.securityContext.default .Values.securityContext.scan }} 85 | {{- $podSecurityContext := default .Values.securityContext.default.pod $securityContext.pod }} 86 | {{- $containerSecurityContext := default .Values.securityContext.default.container $securityContext.container }} 87 | {{- if $securityContextEnabled }} 88 | securityContext: 89 | {{ toYaml $podSecurityContext | nindent 8 }} 90 | {{- end }}{{/* if $securityContextEnabled */}} 91 | initContainers: 92 | - {{ include "smartcheck.db-initcontainer" (dict "Values" .Values "Chart" .Chart "Release" .Release "service" "scan") | nindent 10 | trim }} 93 | 94 | {{- $imageDefaults := .Values.images.defaults }} 95 | {{- with .Values.images.scan }} 96 | {{- $secret := (default (default "" $imageDefaults.imagePullSecret) .imagePullSecret) }} 97 | {{- if not (eq "" $secret) }} 98 | imagePullSecrets: 99 | - name: {{ $secret | quote }} 100 | {{- end }}{{/* with .Values.images.scan */}} 101 | containers: 102 | - name: scan 103 | {{- if $securityContextEnabled }} 104 | securityContext: {{ toYaml $containerSecurityContext | nindent 12 }} 105 | {{- end }} 106 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 107 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 108 | {{- $tag := (default $imageDefaults.tag .tag) }} 109 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 110 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 111 | {{- end }} 112 | ports: 113 | - containerPort: 8080 114 | name: external 115 | - containerPort: 8081 116 | name: internal 117 | - containerPort: 8082 118 | name: metrics 119 | - containerPort: 8083 120 | name: health 121 | livenessProbe: 122 | httpGet: 123 | path: /health 124 | port: 8083 125 | initialDelaySeconds: 10 126 | timeoutSeconds: 5 127 | failureThreshold: 6 128 | readinessProbe: 129 | httpGet: 130 | path: /health 131 | port: 8083 132 | initialDelaySeconds: 10 133 | timeoutSeconds: 5 134 | failureThreshold: 6 135 | args: 136 | - --log-level=warning 137 | - --internal-base=http://scan-internal:8081 138 | - --authorization-url=http://auth-internal:8081 139 | - --database-connection-string=postgres:postgres:// 140 | - --database-secret=$(DB_SECRET) 141 | - --malware-scan-url=http://malware-scan-internal:8081 142 | - --content-scan-url=http://content-scan-internal:8081 143 | - --license-url=http://license-internal:8081 144 | - --vulnerability-scan-url=http://vulnerability-scan-internal:8081 145 | - --image-scan-url=http://image-scan-internal:8081 146 | - --content-source-scanner-webhook-url=http://registryviews-internal:8081/api/results 147 | - --use-strict-transport-security=true 148 | - --use-strict-transport-security-includes-subdomains=false 149 | - --use-strict-transport-security-includes-preload=false 150 | - --work-dir=/work 151 | - --vulnerability-scan-timeout={{ default "5m" .Values.scan.vulnerabilityScan.timeout }} 152 | - --image-scan-timeout={{ default "10m" .Values.scan.imageScan.timeout }} 153 | - --content-scan-timeout={{ default "5m" .Values.scan.contentScan.timeout }} 154 | - --malware-scan-timeout={{ default "1m" .Values.scan.malwareScan.timeout }} 155 | {{if .Values.scan.malwareScan.enabled}} 156 | - --malware-scan-enabled=true 157 | {{end}} 158 | - --rescan-prohibited-duration={{ default "24h" .Values.scan.rescanProhibitedDuration}} 159 | {{- with .Values.scan.results }} 160 | - --scan-retention-period={{ default 0 .ttl }} 161 | {{- end }} 162 | - --cloud-one-endpoint={{ default "" .Values.cloudOne.endpoint }} 163 | - --cloud-one-api-key={{ default "" .Values.cloudOne.apiKey }} 164 | {{if not .Values.scan.malwareCache.enabled}} 165 | - --malware-scan-cache-ttl=0s 166 | {{end}} 167 | {{- if .Values.telemetry.enabled }} 168 | - --telemetry-endpoint=http://metrics-internal:8081 169 | {{- end }} 170 | env: 171 | {{- include "smartcheck.service.database.env" (dict "Chart" .Chart "Release" .Release "Values" .Values "service" "scan") | nindent 12 }} 172 | {{- include "smartcheck.proxy.env" . | nindent 12 }} 173 | volumeMounts: 174 | {{- include "smartcheck.db-trust-volume-mount" . | nindent 12 }} 175 | - name: work 176 | mountPath: /work 177 | resources: {{ toYaml (default .Values.resources.defaults .Values.resources.scan) | nindent 12 }} 178 | volumes: 179 | {{- include "smartcheck.db-trust-volume" . | nindent 8 }} 180 | - name: work 181 | emptyDir: {} 182 | nodeSelector: {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.scan) | nindent 8 }} 183 | tolerations: {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.scan) | nindent 8 }} 184 | restartPolicy: Always 185 | 186 | {{ if .Values.networkPolicy.enabled }} 187 | --- 188 | apiVersion: networking.k8s.io/v1 189 | kind: NetworkPolicy 190 | metadata: 191 | name: scan 192 | labels: 193 | service: scan 194 | release: {{ .Release.Name }} 195 | heritage: {{ .Release.Service }} 196 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 197 | {{ $k }}: {{ quote $v }} 198 | {{- end }}{{/* range .Values.extraLabels */}} 199 | spec: 200 | podSelector: 201 | matchLabels: 202 | service: scan 203 | release: {{ .Release.Name }} 204 | heritage: {{ .Release.Service }} 205 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 206 | {{ $k }}: {{ quote $v }} 207 | {{- end }}{{/* range .Values.extraLabels */}} 208 | policyTypes: 209 | - Ingress 210 | - Egress 211 | ingress: 212 | - from: 213 | - podSelector: 214 | matchLabels: 215 | service: proxy 216 | release: {{ .Release.Name }} 217 | heritage: {{ .Release.Service }} 218 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 219 | {{ $k }}: {{ quote $v }} 220 | {{- end }}{{/* range .Values.extraLabels */}} 221 | ports: 222 | - protocol: TCP 223 | port: 8080 224 | - from: 225 | - podSelector: 226 | matchLabels: 227 | service: registryviews 228 | release: {{ .Release.Name }} 229 | heritage: {{ .Release.Service }} 230 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 231 | {{ $k }}: {{ quote $v }} 232 | {{- end }}{{/* range .Values.extraLabels */}} 233 | - podSelector: 234 | matchLabels: 235 | service: vulnerability-scan 236 | release: {{ .Release.Name }} 237 | heritage: {{ .Release.Service }} 238 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 239 | {{ $k }}: {{ quote $v }} 240 | {{- end }}{{/* range .Values.extraLabels */}} 241 | - podSelector: 242 | matchLabels: 243 | service: content-scan 244 | release: {{ .Release.Name }} 245 | heritage: {{ .Release.Service }} 246 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 247 | {{ $k }}: {{ quote $v }} 248 | {{- end }}{{/* range .Values.extraLabels */}} 249 | - podSelector: 250 | matchLabels: 251 | service: image-scan 252 | release: {{ .Release.Name }} 253 | heritage: {{ .Release.Service }} 254 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 255 | {{ $k }}: {{ quote $v }} 256 | {{- end }}{{/* range .Values.extraLabels */}} 257 | - podSelector: 258 | matchLabels: 259 | service: license 260 | release: {{ .Release.Name }} 261 | heritage: {{ .Release.Service }} 262 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 263 | {{ $k }}: {{ quote $v }} 264 | {{- end }}{{/* range .Values.extraLabels */}} 265 | ports: 266 | - protocol: TCP 267 | port: 8081 268 | - from: # any -- this is for metrics 269 | ports: 270 | - protocol: TCP 271 | port: 8082 272 | - from: # any -- this should just be kubelet for health probes 273 | ports: 274 | - protocol: TCP 275 | port: 8083 276 | egress: 277 | {{- include "smartcheck.to-dns-networkpolicy" . | nindent 4 }} 278 | {{- include "smartcheck.to-db-networkpolicy" . | nindent 4 }} 279 | {{- include "smartcheck.to-internal-service-networkpolicy" (dict "Release" .Release "Values" .Values "services" (list "auth" "registryviews" "malware-scan" "vulnerability-scan" "content-scan" "image-scan" "metrics" "license")) | nindent 4 }} 280 | - to: # any 281 | ports: 282 | - protocol: TCP 283 | port: 80 284 | - protocol: TCP 285 | port: 443 286 | {{- range $port := .Values.networkPolicy.additionalWebhookTargetPorts }} 287 | - protocol: TCP 288 | port: {{ $port }} 289 | {{- end }}{{/* range .Values.additionalWebhookTargetPorts */}} 290 | {{- range $port := .Values.networkPolicy.additionalRegistryPorts }} 291 | - protocol: TCP 292 | port: {{ $port }} 293 | {{- end }}{{/* range .Values.networkPolicy.additionalRegistryPorts */}} 294 | {{- include "smartcheck.networkpolicy.outbound" . | nindent 4 }} 295 | {{- end }}{{/* if .Values.networkPolicy.enabled */}} 296 | -------------------------------------------------------------------------------- /templates/secrets.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: {{ template "smartcheck.fullname" . }}-db 5 | labels: 6 | app: {{ template "smartcheck.name" . }} 7 | release: "{{ .Release.Name }}" 8 | heritage: "{{ .Release.Service }}" 9 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 10 | {{ $k }}: {{ quote $v }} 11 | {{- end }} 12 | type: Opaque 13 | data: 14 | {{ if .Values.db.user -}} 15 | database-user: {{ .Values.db.user | toString | b64enc | quote }} 16 | {{ else -}} 17 | database-user: {{ derivePassword 1 "maximum" (toString (required "You must provide a value for auth.secretSeed. Use --set auth.secretSeed={password} or include a value in your overrides.yaml file." (default .Values.auth.masterPassword .Values.auth.secretSeed))) "db-user" .Release.Name | toString | b64enc | quote }} 18 | {{ end -}} 19 | {{ if .Values.db.password -}} 20 | database-password: {{ .Values.db.password | toString | b64enc | quote }} 21 | {{ else -}} 22 | database-password: {{ derivePassword 1 "maximum" (toString (default .Values.auth.masterPassword .Values.auth.secretSeed)) "db-password" .Release.Name | toString | b64enc | quote }} 23 | {{ end -}} 24 | {{ if .Values.db.secret -}} 25 | database-secret: {{ .Values.db.secret | toString | b64enc | quote }} 26 | {{ else -}} 27 | database-secret: {{ derivePassword 1 "maximum" (toString (default .Values.auth.masterPassword .Values.auth.secretSeed)) "db-secret" .Release.Name | toString | b64enc | quote }} 28 | {{- end }} 29 | --- 30 | apiVersion: v1 31 | kind: Secret 32 | metadata: 33 | name: {{ template "smartcheck.fullname" . }}-cursor 34 | labels: 35 | app: {{ template "smartcheck.name" . }} 36 | release: "{{ .Release.Name }}" 37 | heritage: "{{ .Release.Service }}" 38 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 39 | {{ $k }}: {{ quote $v }} 40 | {{- end }} 41 | type: Opaque 42 | data: 43 | {{ if .Values.cursor.secret -}} 44 | secret: {{ .Values.cursor.secret | toString | b64enc | quote }} 45 | {{ else -}} 46 | secret: {{ derivePassword 1 "maximum" (toString (default .Values.auth.masterPassword .Values.auth.secretSeed)) "cursor-secret" .Release.Name | toString | b64enc | quote }} 47 | {{- end }} 48 | 49 | {{ if not .Values.certificate.secret.name }} 50 | --- 51 | apiVersion: v1 52 | kind: Secret 53 | metadata: 54 | name: {{ template "smartcheck.fullname" . }}-tls-certificate 55 | labels: 56 | app: {{ template "smartcheck.name" . }} 57 | release: "{{ .Release.Name }}" 58 | heritage: "{{ .Release.Service }}" 59 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 60 | {{ $k }}: {{ quote $v }} 61 | {{- end }} 62 | type: Opaque 63 | data: 64 | {{- with .Values.certificate }} 65 | {{- $cert := genSelfSignedCert (default "example.com" .commonName) (default nil .ipAlternativeNames) (default nil .dnsAlternativeNames) (default 3650 (int .lifetime)) }} 66 | privateKey: {{ $cert.Key | b64enc | quote }} 67 | certificate: {{ $cert.Cert | b64enc | quote }} 68 | {{- end }} 69 | {{ end }} 70 | 71 | -------------------------------------------------------------------------------- /templates/serviceaccounts.yaml: -------------------------------------------------------------------------------- 1 | {{- range $role, $settings := .Values.serviceAccount }} 2 | {{ if $settings.annotations }} 3 | --- 4 | {{ include "smartcheck.service.account" (dict "Chart" $.Chart "Values" $.Values "Release" $.Release "role" $role "annotations" $settings.annotations) }} 5 | {{- end }}{{/* if.settings.annotations */}} 6 | {{- end }}{{/* range.annotations */}} 7 | -------------------------------------------------------------------------------- /templates/tasks.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.tasks.scan.enabled }} 2 | apiVersion: batch/v1 3 | kind: CronJob 4 | metadata: 5 | name: scan 6 | labels: 7 | task: scan 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | appVersion: {{ .Chart.AppVersion }} 11 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 12 | {{ $k }}: {{ quote $v }} 13 | {{- end }} 14 | spec: 15 | startingDeadlineSeconds: 300 16 | concurrencyPolicy: Replace 17 | schedule: {{ quote .Values.tasks.scan.schedule }} 18 | successfulJobsHistoryLimit: 0 19 | jobTemplate: 20 | spec: 21 | template: 22 | metadata: 23 | labels: 24 | task: scan 25 | release: {{ .Release.Name }} 26 | heritage: {{ .Release.Service }} 27 | appVersion: {{ .Chart.AppVersion }} 28 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 29 | {{ $k }}: {{ quote $v }} 30 | {{- end }} 31 | spec: 32 | automountServiceAccountToken: false 33 | {{- $securityContextEnabled := .Values.securityContext.enabled }} 34 | {{- $securityContext := default .Values.securityContext.default .Values.securityContext.tasks }} 35 | {{- $podSecurityContext := default .Values.securityContext.default.pod $securityContext.pod }} 36 | {{- $containerSecurityContext := default .Values.securityContext.default.container $securityContext.container }} 37 | {{- if $securityContextEnabled }} 38 | securityContext: 39 | {{ toYaml $podSecurityContext | indent 12 }} 40 | {{- end }} 41 | {{- $imageDefaults := .Values.images.defaults }} 42 | {{- with .Values.images.tasks }} 43 | {{- $secret := (default (default "" $imageDefaults.imagePullSecret) .imagePullSecret) }} 44 | {{- if not (eq "" $secret) }} 45 | imagePullSecrets: 46 | - name: {{ $secret | quote }} 47 | {{- end }} 48 | containers: 49 | - name: tasks 50 | {{- if $securityContextEnabled }} 51 | securityContext: 52 | {{ toYaml $containerSecurityContext | indent 16 }} 53 | {{- end }} 54 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 55 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 56 | {{- $tag := (default $imageDefaults.tag .tag) }} 57 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 58 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 59 | {{- end }} 60 | args: 61 | - scan 62 | resources: 63 | {{ toYaml (default .Values.resources.defaults .Values.resources.tasks) | indent 16 }} 64 | restartPolicy: OnFailure 65 | nodeSelector: 66 | {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.tasks) | indent 12 }} 67 | tolerations: 68 | {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.tasks) | indent 12 }} 69 | {{ end }} 70 | 71 | {{ if .Values.networkPolicy.enabled }} 72 | --- 73 | apiVersion: networking.k8s.io/v1 74 | kind: NetworkPolicy 75 | metadata: 76 | name: tasks 77 | labels: 78 | task: scan 79 | release: {{ .Release.Name }} 80 | heritage: {{ .Release.Service }} 81 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 82 | {{ $k }}: {{ quote $v }} 83 | {{- end }} 84 | spec: 85 | podSelector: 86 | matchLabels: 87 | task: scan 88 | release: {{ .Release.Name }} 89 | heritage: {{ .Release.Service }} 90 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 91 | {{ $k }}: {{ quote $v }} 92 | {{- end }} 93 | policyTypes: 94 | - Ingress 95 | - Egress 96 | ingress: 97 | - from: 98 | ports: 99 | egress: 100 | - to: 101 | - podSelector: 102 | matchLabels: 103 | service: registryviews 104 | release: {{ .Release.Name }} 105 | heritage: {{ .Release.Service }} 106 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 107 | {{ $k }}: {{ quote $v }} 108 | {{- end }} 109 | ports: 110 | - protocol: TCP 111 | port: 8081 112 | - to: # any 113 | ports: 114 | - protocol: TCP 115 | port: 53 116 | - protocol: UDP 117 | port: 53 118 | {{- end }} 119 | -------------------------------------------------------------------------------- /templates/vulnerability-scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: vulnerability-scan-internal 5 | labels: 6 | service: vulnerability-scan 7 | release: {{ .Release.Name }} 8 | heritage: {{ .Release.Service }} 9 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 10 | {{ $k }}: {{ quote $v }} 11 | {{- end }} 12 | spec: 13 | ports: 14 | - port: 8081 15 | targetPort: 8081 16 | protocol: TCP 17 | name: internal 18 | selector: 19 | service: vulnerability-scan 20 | release: {{ .Release.Name }} 21 | --- 22 | {{ include "smartcheck.service.database.secret" (dict "Chart" .Chart "Values" .Values "Release" .Release "service" "vulnerabilityscan") }} 23 | 24 | --- 25 | apiVersion: v1 26 | kind: ConfigMap 27 | metadata: 28 | name: {{ template "smartcheck.fullname" . }}-vulnerability-scan 29 | labels: 30 | service: {{ template "smartcheck.fullname" . }}-vulnerability-scan 31 | release: {{ .Release.Name }} 32 | heritage: {{ .Release.Service }} 33 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 34 | {{ $k }}: {{ quote $v }} 35 | {{- end }} 36 | data: 37 | config.yaml: | 38 | clair: 39 | database: 40 | # Database driver 41 | type: pgsql 42 | options: 43 | # PostgreSQL Connection string 44 | # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING 45 | # details are provided via environment variables 46 | source: "postgres://" 47 | 48 | # Number of elements kept in the cache 49 | # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. 50 | cachesize: 16384 51 | 52 | # 32-bit URL-safe base64 key used to encrypt pagination tokens 53 | # Multiple clair instances in the same cluster need the same value. 54 | # We don't expose clair outside the application so this doesn't need to be a secret 55 | paginationkey: "XxoPtCUzrUv4JV5dS+yQ+MdW7yLEJnRMwigVY/bpgtQ=" 56 | api: 57 | # v3 grpc/RESTful API server address 58 | port: 8081 59 | 60 | # Health server address 61 | # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server. 62 | healthport: 8083 63 | 64 | # Deadline before an API request will respond with a 503 65 | timeout: 300s 66 | 67 | # Optional PKI configuration 68 | # If you want to easily generate client certificates and CAs, try the following projects: 69 | # https://github.com/coreos/etcd-ca 70 | # https://github.com/cloudflare/cfssl 71 | servername: 72 | cafile: 73 | keyfile: 74 | certfile: 75 | 76 | updater: 77 | # Frequency the database will be updated with vulnerabilities from the default data sources 78 | # The value 0 disables the updater entirely. 79 | interval: "24h" 80 | appendSeverity: {{ .Values.vulnerabilityScan.appendSeverity }} 81 | 82 | --- 83 | apiVersion: apps/v1 84 | kind: Deployment 85 | metadata: 86 | name: vulnerability-scan 87 | labels: 88 | service: vulnerability-scan 89 | release: {{ .Release.Name }} 90 | heritage: {{ .Release.Service }} 91 | appVersion: {{ .Chart.AppVersion }} 92 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 93 | {{ $k }}: {{ quote $v }} 94 | {{- end }} 95 | spec: 96 | # We set revisionHistoryLimit to 0 because rollback should be done 97 | # using `helm rollback` rather than with `kubectl rollout undo`, so 98 | # we don't need to keep the old `ReplicaSet`s around. 99 | # https://kubernetes.io/docs/concepts/workloads/controllers/deployment 100 | revisionHistoryLimit: 0 101 | replicas: {{ default 1 .Values.replicas.vulnerabilityScan }} 102 | selector: 103 | matchLabels: 104 | service: vulnerability-scan 105 | release: {{ .Release.Name }} 106 | template: 107 | metadata: 108 | labels: 109 | service: vulnerability-scan 110 | release: {{ .Release.Name }} 111 | heritage: {{ .Release.Service }} 112 | appVersion: {{ .Chart.AppVersion }} 113 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 114 | {{ $k }}: {{ quote $v }} 115 | {{- end }} 116 | spec: 117 | automountServiceAccountToken: false 118 | {{- $securityContextEnabled := .Values.securityContext.enabled }} 119 | {{- $securityContext := default .Values.securityContext.default .Values.securityContext.vulnerabilityScan }} 120 | {{- $podSecurityContext := default .Values.securityContext.default.pod $securityContext.pod }} 121 | {{- $containerSecurityContext := default .Values.securityContext.default.container $securityContext.container }} 122 | {{- if $securityContextEnabled }} 123 | securityContext: 124 | {{ toYaml $podSecurityContext | indent 8 }} 125 | {{- end }} 126 | initContainers: 127 | - {{ include "smartcheck.db-initcontainer" (dict "Values" .Values "Chart" .Chart "Release" .Release "service" "vulnerabilityscan") | nindent 10 | trim }} 128 | - {{ include "smartcheck.vulndb-initcontainer" (dict "Values" .Values "Chart" .Chart "Release" .Release "service" "vulnerabilityscan") | nindent 10 | trim }} 129 | 130 | {{- $imageDefaults := .Values.images.defaults }} 131 | {{- with .Values.images.vulnerabilityScan }} 132 | {{- $secret := (default (default "" $imageDefaults.imagePullSecret) .imagePullSecret) }} 133 | {{- if not (eq "" $secret) }} 134 | imagePullSecrets: 135 | - name: {{ $secret | quote }} 136 | {{- end }} 137 | containers: 138 | - name: vulnerability-scan 139 | {{- if $securityContextEnabled }} 140 | securityContext: 141 | {{ toYaml $containerSecurityContext | indent 12 }} 142 | {{- end }} 143 | {{- $project := (default (default "deepsecurity" $imageDefaults.project) .project) }} 144 | {{- $repository := printf "%s/%s" $project (required ".repository is required!" .repository) }} 145 | {{- $tag := (default $imageDefaults.tag .tag) }} 146 | image: {{ include "image.source" (dict "repository" $repository "registry" .registry "tag" $tag "imageDefaults" $imageDefaults "digest" .digest) }} 147 | imagePullPolicy: {{ default (default "Always" $imageDefaults.pullPolicy) .pullPolicy }} 148 | {{- end }} 149 | ports: 150 | - containerPort: 8081 151 | name: internal 152 | - containerPort: 8083 153 | name: health 154 | readinessProbe: 155 | httpGet: 156 | path: /health 157 | port: 8083 158 | initialDelaySeconds: 30 159 | periodSeconds: 10 160 | timeoutSeconds: 5 161 | failureThreshold: 60 162 | args: 163 | - --log-level=debug 164 | env: 165 | - name: GOGC 166 | value: "40" 167 | {{- include "smartcheck.service.database.env" (dict "Chart" .Chart "Release" .Release "Values" .Values "service" "vulnerabilityscan") | nindent 12 }} 168 | {{- include "smartcheck.proxy.env" . | nindent 12 }} 169 | volumeMounts: 170 | - name: tmp 171 | mountPath: /tmp 172 | - name: config 173 | mountPath: /etc/clair 174 | {{- include "smartcheck.db-trust-volume-mount" . | nindent 12 }} 175 | resources: 176 | {{ toYaml (default .Values.resources.defaults .Values.resources.vulnerabilityScan) | indent 12 }} 177 | volumes: 178 | - name: tmp 179 | emptyDir: 180 | sizeLimit: {{ default "3Gi" .Values.vulnerabilityScan.workVolume.sizeLimit | quote }} 181 | - name: config 182 | configMap: 183 | name: {{ template "smartcheck.fullname" . }}-vulnerability-scan 184 | {{- include "smartcheck.db-trust-volume" . | nindent 8 }} 185 | nodeSelector: 186 | {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.vulnerabilityScan) | indent 8 }} 187 | tolerations: 188 | {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.vulnerabilityScan) | indent 8 }} 189 | restartPolicy: Always 190 | 191 | {{ if .Values.networkPolicy.enabled }} 192 | --- 193 | apiVersion: networking.k8s.io/v1 194 | kind: NetworkPolicy 195 | metadata: 196 | name: vulnerability-scan 197 | labels: 198 | service: vulnerability-scan 199 | release: {{ .Release.Name }} 200 | heritage: {{ .Release.Service }} 201 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 202 | {{ $k }}: {{ quote $v }} 203 | {{- end }} 204 | spec: 205 | podSelector: 206 | matchLabels: 207 | service: vulnerability-scan 208 | release: {{ .Release.Name }} 209 | heritage: {{ .Release.Service }} 210 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 211 | {{ $k }}: {{ quote $v }} 212 | {{- end }} 213 | policyTypes: 214 | - Ingress 215 | - Egress 216 | ingress: 217 | - from: 218 | - podSelector: 219 | matchLabels: 220 | service: scan 221 | release: {{ .Release.Name }} 222 | heritage: {{ .Release.Service }} 223 | {{- range $k, $v := (default (dict) .Values.extraLabels) }} 224 | {{ $k }}: {{ quote $v }} 225 | {{- end }} 226 | ports: 227 | - protocol: TCP 228 | port: 8081 229 | egress: 230 | {{- include "smartcheck.to-dns-networkpolicy" . | nindent 4 }} 231 | {{- include "smartcheck.to-db-networkpolicy" . | nindent 4 }} 232 | {{- include "smartcheck.to-internal-service-networkpolicy" (dict "Release" .Release "Values" .Values "services" (list "scan")) | nindent 4 }} 233 | # allow egress to vulnerability feed 234 | - to: # any 235 | ports: 236 | - protocol: TCP 237 | port: 443 238 | - protocol: TCP 239 | port: 80 240 | {{- include "smartcheck.networkpolicy.outbound" . | nindent 4 }} 241 | {{- end }} 242 | --------------------------------------------------------------------------------