├── .github └── workflows │ ├── release.yaml │ └── tests.yaml ├── .gitignore ├── .helmignore ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── charts └── guac │ ├── Chart.lock │ ├── Chart.yaml │ ├── README.md │ ├── ci │ └── guac-values.yaml │ ├── schema.json │ ├── templates │ ├── _helpers.tpl │ ├── additional-objects.yaml │ ├── api-only-ingress.yaml │ ├── cd-certifier-deployment.yaml │ ├── cd-certifier-sa.yaml │ ├── collectsub-deployment.yaml │ ├── collectsub-sa.yaml │ ├── collectsub-service.yaml │ ├── depsdev-collector-deployment.yaml │ ├── depsdev-collector-sa.yaml │ ├── graphql-server-deployment.yaml │ ├── graphql-server-sa.yaml │ ├── graphql-server-service.yaml │ ├── guac-cm.yaml │ ├── guacrest-deployment.yaml │ ├── guacrest-sa.yaml │ ├── guacrest-service.yaml │ ├── ingest-guac-data-job.yaml │ ├── ingestor-deployment.yaml │ ├── ingestor-sa.yaml │ ├── ingress.yaml │ ├── ingressroute.yaml │ ├── oci-collector-deployment.yaml │ ├── oci-collector-sa.yaml │ ├── osv-certifier-deployment.yaml │ ├── osv-certifier-sa.yaml │ ├── visualizer-deployment.yaml │ ├── visualizer-proxy-cm.yaml │ └── visualizer-service.yaml │ ├── tests │ ├── cd-certifier_deployment_test.yaml │ ├── collectsub_deployment_test.yaml │ ├── collectsub_service_test.yaml │ ├── configmap_no_test.yaml │ ├── configmap_test.yaml │ ├── depsdev-collector_deployment_test.yaml │ ├── graphql_deployment_test.yaml │ ├── graphql_service_test.yaml │ ├── ingestor_deployment_test.yaml │ ├── ingress_test.yaml │ ├── oci_collector_deployment_test.yaml │ ├── osv-certifier_deployment_test.yaml │ ├── rest-api_deployment_test.yaml │ ├── serviceaccount_all_test.yaml │ ├── serviceaccount_no_test.yaml │ ├── values_combine.yaml │ ├── values_common_certifier.yaml │ ├── values_configmap_no.yaml │ ├── values_digest_and_tag.yaml │ ├── values_ent_backend.yaml │ ├── values_graphql_deployment.yaml │ ├── values_graphql_service.yaml │ ├── values_ingress.yaml │ ├── values_serviceaccount_all.yaml │ ├── values_serviceaccount_no.yaml │ └── 
values_tag_no_digest.yaml │ └── values.yaml └── docs └── images └── GUAC-diagram.svg /.github/workflows/release.yaml: -------------------------------------------------------------------------------- 1 | name: Release Charts 2 | 3 | on: 4 | # run release job when changes are pushed to main 5 | # chart-releaser will only cut release when changes are detected 6 | # hence a tag push will not trigger chart release 7 | push: 8 | branches: 9 | - main 10 | 11 | permissions: # added using https://github.com/step-security/secure-repo 12 | contents: read 13 | 14 | jobs: 15 | release: 16 | runs-on: ubuntu-latest 17 | 18 | permissions: 19 | contents: write 20 | packages: write 21 | 22 | steps: 23 | - name: Harden Runner 24 | uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 25 | with: 26 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs. NOTE(review): audit only records outbound connections; this job imports the chart-signing key further down, so it is the one that gains most from block mode 27 | 28 | - name: Checkout 29 | uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 30 | with: 31 | fetch-depth: 0 32 | 33 | - name: Configure Git 34 | run: | 35 | git config user.name "$GITHUB_ACTOR" 36 | git config user.email "$GITHUB_ACTOR@users.noreply.github.com" 37 | 38 | - name: Install Helm 39 | uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 40 | with: 41 | version: 'v3.11.2' 42 | 43 | - name: Add Helm repos 44 | run: | 45 | helm repo add neo4j https://helm.neo4j.com/neo4j 46 | helm repo add nats https://nats-io.github.io/k8s/helm/charts 47 | helm repo add minio https://charts.min.io/ 48 | 49 | - name: Set up GPG Keys # NOTE(review): the keyring secret is substituted into the script text before the shell runs; passing it through the step's env and expanding a shell variable instead would keep the value out of the script body. The export on the second command leaves the imported secret keys in keyring.gpg on the runner, so the chart-releaser step that follows (and anything added after it) can read that file 50 | run: | 51 | cat <(echo -e "${{ secrets.GPG_KEYRING_BASE64 }}") | base64 -d | gpg --import --batch 52 | gpg --export-secret-keys > /home/runner/.gnupg/keyring.gpg 53 | 54 | - name: Run chart-releaser 55 | uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0 56 | env: 57 | CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 58 | CR_SIGN: "true" 59 | # GPG_KEY_NAME is set at key creation time 
and is used to identify the key in the keyring here 60 | CR_KEY: "${{ secrets.GPG_KEY_NAME }}" 61 | CR_KEYRING: "/home/runner/.gnupg/keyring.gpg" -------------------------------------------------------------------------------- /.github/workflows/tests.yaml: -------------------------------------------------------------------------------- 1 | name: Helm Tests 2 | 3 | on: 4 | push: 5 | pull_request: 6 | branches: 7 | - main 8 | 9 | permissions: # added using https://github.com/step-security/secure-repo 10 | contents: read 11 | 12 | jobs: 13 | build: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - name: Harden Runner 17 | uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 18 | with: 19 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs 20 | 21 | - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 22 | 23 | - name: Run helm unittest # NOTE(review): this step runs before "Install Helm" below, so it presumably uses the helm already present on the runner image rather than the pinned v3.11.2 (confirm); the plugin is fetched from a git version tag (0.4.1), not a commit hash, unlike the SHA-pinned actions in this job 24 | run: | 25 | helm plugin install https://github.com/helm-unittest/helm-unittest.git --version 0.4.1 26 | helm unittest charts/guac 27 | 28 | - name: Install Helm 29 | uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 30 | with: 31 | version: 'v3.11.2' 32 | 33 | - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0 34 | with: 35 | python-version: '3.9' 36 | check-latest: true 37 | 38 | - name: Add Helm repos 39 | run: | 40 | helm repo add nats https://nats-io.github.io/k8s/helm/charts 41 | helm repo add minio https://charts.min.io/ 42 | 43 | - name: Set up chart-testing 44 | uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec # v2.3.1 45 | 46 | # TO-DO: make this step work to avoid creating cluster and run ct when charts are changed 47 | # - name: Run chart-testing (list-changed) 48 | # id: list-changed 49 | # run: | 50 | # echo "::set-output name=changed::true" 51 | # changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }}) 52 | # if [[ -n "$changed" 
]]; then 53 | # echo "::set-output name=changed::true" 54 | # fi 55 | 56 | - name: Run chart-testing (lint) 57 | run: ct lint --all --target-branch ${{ github.event.repository.default_branch }} 58 | 59 | - name: Create kind cluster 60 | uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0 61 | # if: steps.list-changed.outputs.changed == 'true' 62 | 63 | - name: Set up kubectl 64 | uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 # v3.2 65 | with: 66 | version: 'v1.26.0' 67 | id: install 68 | 69 | - name: Login to GitHub Container Registry 70 | uses: docker/login-action@v1 # NOTE(review): referenced by a mutable tag while the other actions in this workflow are pinned to full commit SHAs; this step is handed GITHUB_TOKEN, so pin it the same way. The workflow-level permissions grant only contents: read, so the token presumably carries no packages scope - confirm this login is still needed 71 | with: 72 | registry: ghcr.io 73 | username: ${{ github.actor }} 74 | password: ${{ secrets.GITHUB_TOKEN }} 75 | 76 | - name: Run chart-testing (install) 77 | run: | 78 | kubectl create ns chart-testing 79 | ct install --all --helm-extra-args --timeout=600s 80 | # if: steps.list-changed.outputs.changed == 'true' 81 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # General files for the project 2 | pkg/* 3 | *.pyc 4 | bin/* 5 | .project 6 | /.bin 7 | /_test/secrets/*.json 8 | 9 | # OSX leaves these everywhere on SMB shares 10 | ._* 11 | 12 | # OSX trash 13 | .DS_Store 14 | 15 | # Files generated by JetBrains IDEs, e.g. IntelliJ IDEA 16 | .idea/ 17 | *.iml 18 | 19 | # Vscode files 20 | .vscode 21 | 22 | # Emacs save files 23 | *~ 24 | \#*\# 25 | .\#* 26 | 27 | # Vim-related files 28 | [._]*.s[a-w][a-z] 29 | [._]s[a-w][a-z] 30 | *.un~ 31 | Session.vim 32 | .netrwhist 33 | 34 | # Chart dependencies 35 | **/charts/*.tgz 36 | 37 | # Test snapshots 38 | tests/__snapshot__/** 39 | 40 | .history 41 | -------------------------------------------------------------------------------- /.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 
2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Contributions are welcome via GitHub pull requests. This document outlines the process to help get your contribution accepted. 4 | 5 | ## Sign off Your Work 6 | 7 | The Developer Certificate of Origin (DCO) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project. Here is the full text of the [DCO](http://developercertificate.org/). Contributors must sign-off that they adhere to these requirements by adding a `Signed-off-by` line to commit messages. 8 | 9 | ```text 10 | This is my commit message 11 | 12 | Signed-off-by: Awesome Dev 13 | ``` 14 | 15 | See `git help commit`: 16 | 17 | ```text 18 | -s, --signoff 19 | Add Signed-off-by line by the committer at the end of the commit log 20 | message. The meaning of a signoff depends on the project, but it typically 21 | certifies that committer has the rights to submit this work under the same 22 | license and agrees to a Developer Certificate of Origin (see 23 | http://developercertificate.org/ for more information). 24 | ``` 25 | 26 | ## How to Contribute 27 | 28 | 1. Fork this repository, develop, and test your changes 29 | 1. Remember to sign off your commits as described above 30 | 1. 
Submit a pull request 31 | 32 | ***NOTE***: In order to make testing and merging of PRs easier, please submit changes to multiple charts in separate PRs. 33 | 34 | ### Technical Requirements 35 | 36 | * Must pass [DCO check](#sign-off-your-work) 37 | * Must follow [Charts best practices](https://helm.sh/docs/topics/chart_best_practices/) 38 | * Must pass CI jobs for linting and installing changed charts with the [chart-testing](https://github.com/helm/chart-testing) tool 39 | * Any change to a chart requires a version bump following [semver](https://semver.org/) principles. See [Immutability](#immutability) and [Versioning](#versioning) below 40 | 41 | Once changes have been merged, the release job will automatically run to package and release changed charts. 42 | 43 | ### Immutability 44 | 45 | Chart releases must be immutable. Any change to a chart warrants a chart version bump, even if it is only a change to the documentation. 46 | 47 | ### Versioning 48 | 49 | The chart `version` should follow [semver](https://semver.org/). -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) Kusari Inc and GUAC contributors 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # GUAC Helm Charts 2 | 3 | [![License](https://img.shields.io/badge/license-MIT-blue)](https://opensource.org/license/mit/) ![Release Charts](https://github.com/guacsec/helm-charts/actions/workflows/release.yaml/badge.svg) [![Releases downloads](https://img.shields.io/github/downloads/guacsec/helm-charts/total.svg)](https://github.com/guacsec/helm-charts/releases) 4 | 5 | This is a repository of [Helm](https://helm.sh) Charts for the [GUAC project](https://guac.sh). 6 | 7 | ## Usage 8 | [Helm](https://helm.sh) must be installed to use the charts. 9 | Please refer to Helm's [documentation](https://helm.sh/docs/) to get started. 10 | 11 | Once Helm is set up properly, add the repo as follows: 12 | 13 | ```console 14 | helm repo add guacsec https://guacsec.github.io/helm-charts 15 | ``` 16 | You can then run `helm search repo guacsec` to see the charts. 
17 | 18 | ## Contributing 19 | 20 | The source code of all GUAC [Helm](https://helm.sh) charts can be found on Github: 21 | 22 | 23 | ## Helm charts build status 24 | ![Release Charts](https://github.com/guacsec/helm-charts/actions/workflows/release.yaml/badge.svg) 25 | -------------------------------------------------------------------------------- /charts/guac/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: nats 3 | repository: https://nats-io.github.io/k8s/helm/charts/ 4 | version: 0.19.17 5 | - name: minio 6 | repository: https://charts.min.io/ 7 | version: 5.0.15 8 | digest: sha256:bea07af7a724b783003cd5c82ac3763d7c3fb82b2c6df0fb0b8a3f82ebc1b577 9 | generated: "2024-11-26T17:45:20.471001+05:30" 10 | -------------------------------------------------------------------------------- /charts/guac/Chart.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. 
and GUAC contributors 2 | apiVersion: v2 3 | name: guac 4 | description: A Helm chart for deploying GUAC to Kubernetes 5 | 6 | maintainers: 7 | - name: kusaridev 8 | url: https://github.com/guacsec/helm-charts 9 | email: guac-info@kusari.dev 10 | 11 | type: application 12 | version: 0.6.2 13 | appVersion: "v0.14.0" 14 | 15 | dependencies: 16 | - name: nats 17 | version: "~0.19.12" 18 | repository: "https://nats-io.github.io/k8s/helm/charts/" 19 | condition: nats.enabled 20 | 21 | # See s3 compatible storage config for MinIO at https://gocloud.dev/howto/blob/#s3 22 | - name: minio 23 | version: "~5.0.15" 24 | repository: "https://charts.min.io/" 25 | condition: minio.enabled 26 | -------------------------------------------------------------------------------- /charts/guac/README.md: -------------------------------------------------------------------------------- 1 | # GUAC Helm Chart 2 | 3 | This is a [Helm Chart](https://helm.sh/docs/topics/charts/) for deploying [GUAC](https://github.com/guacsec/guac) to [Kubernetes](https://kubernetes.io/). 4 | 5 | For a complete demo on how to utilize [GUAC](https://github.com/guacsec/guac) using the services deployed by this chart, see the [guac use cases](https://docs.guac.sh/guac-use-cases/). 6 | 7 | Please visit the web site at https://guac.sh for latest news and documentation of [GUAC](https://github.com/guacsec/guac). 8 | 9 | :exclamation: **Not Production Ready** - [GUAC](https://github.com/guacsec/guac) is still under active development. This chart is provided for rapidly deploying [GUAC](https://github.com/guacsec/guac) for experimental purposes. 10 | Production support will be provided when [GUAC](https://github.com/guacsec/guac) is production ready. 11 | 12 | 13 | ## GUAC Components 14 | 15 | The full GUAC component deployment is a set of asynchronous services that combine to form a robust and scalable pipeline. This is represented by the area in green in the diagram below and is also the scope of this chart. 
16 | 17 | ![Guac Diagram](../../docs/images/GUAC-diagram.svg) 18 | 19 | ### What is being deployed? 20 | 21 | - **GraphQL Server**: Serving GUAC GraphQL queries and storing the data. As the 22 | in-memory backend is used, no separate backend is needed behind the server. 23 | 24 | - **Collector-Subscriber**: This component helps communicate to the collectors 25 | when additional information is needed. 26 | 27 | - **Ingestor**: The ingestor listens for things to ingest through Nats, then 28 | pushes to the GraphQL Server. The ingestor also runs the assembler and parser 29 | internally. 30 | 31 | - **Image Collector**: This collector can pull OCI image metadata (SBOMs and 32 | attestations) from registries for further inspection. 33 | 34 | - **Deps.dev Collector**: This collector gathers further information from 35 | [Deps.dev](https://deps.dev/) for supported packages. 36 | 37 | - **OSV Certifier**: This certifier gathers OSV vulnerability information from 38 | [osv.dev](https://osv.dev/) about packages. 39 | 40 | - **GUAC Visualizer**: The GUAC Visualizer is an experimental utility that can be used to interact with GUAC services. It acts as a way to visualize the software supply chain graph, as well as a means to explore the supply chain and prototype policies. 41 | 42 | - **NATS**: [NATS](https://nats.io/) is a messaging middleware used for communication between the GUAC components. 43 | 44 | - **MinIO**: [MinIO](https://min.io/) is a S3 compatible object store used for holding SBOMs for ingesting into GUAC. 
45 | 46 | ## Prerequisites 47 | 48 | * Kubernetes 1.19+ 49 | * Deploy one of these for local testing if you don't have a k8s cluster ready: 50 | * [kind](https://kind.sigs.k8s.io/), [minikube](https://minikube.sigs.k8s.io/docs/start/), [colima](https://github.com/abiosoft/colima) 51 | * [Helm](https://helm.sh/docs/intro/install/) v3.9.4+ 52 | * [kubectl](https://kubernetes.io/docs/tasks/tools/) v1.22+ 53 | 54 | ## Get Repository/Chart Info 55 | 56 | ```console 57 | helm repo add kusaridev https://kusaridev.github.io/helm-charts 58 | helm repo update 59 | 60 | helm search repo kusaridev/guac 61 | ``` 62 | 63 | _See [`helm repo`](https://helm.sh/docs/helm/helm_repo/) for command documentation._ 64 | 65 | ## Install Chart 66 | 67 | ```console 68 | helm install [RELEASE_NAME] kusaridev/guac 69 | ``` 70 | 71 | See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml). Below you will find the configuration details, descriptions, and defaults. 72 | 73 | 74 | ### Accessing GUAC 75 | GUAC exposes a few interfaces for user interaction - including the GraphQL Server/Playground, NATS, and CollectSub service. You can access them via ```kubectl port-forward``` 76 | ``` 77 | kubectl port-forward svc/graphql-server 8080:8080 78 | kubectl port-forward svc/guac-nats 4222:4222 79 | kubectl port-forward svc/collectsub 2782:2782 80 | ``` 81 | 82 | ### Atlas Migration 83 | [Atlas](https://atlasgo.io/docs) is a language-independent tool for managing and migrating database schemas using modern DevOps principles. When changes to the ENT schema are made, there needs to be a path of migration. This can be done via Atlas as shown in the [ENT documentation](https://entgo.io/docs/versioned-migrations/#quick-guide). 84 | Atlas init container allows for running atlas migration for ENT. 
85 | 86 | ## Uninstall 87 | 88 | `helm delete [RELEASE_NAME]` 89 | 90 | ## Parameters 91 | 92 | ### Global parameters 93 | 94 | | Name | Description | Value | 95 | | -------------------------- | ---------------------------------------------- | ----------------- | 96 | | `imagePullSecrets[0].name` | Docker registry secret name for pulling images | `imagepullsecret` | 97 | 98 | ### Guac 99 | 100 | This section contains parameters for configuring the different GUAC components. 101 | 102 | | Name | Description | Value | 103 | | -------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------- | 104 | | `guac.guacImage.repository` | Path to the GUAC image | `ghcr.io/guacsec/guac` | 105 | | `guac.guacImage.tag` | Tag if using an image tag. Optional | `undefined` | 106 | | `guac.guacImage.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. | `""` | 107 | | `guac.guacImage.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | 108 | | `guac.guacImage.workingDir` | Working Directory for GUAC | `/guac` | 109 | | `guac.common.env` | common environment variables apply to all guac services | `""` | 110 | | `guac.common.tolerations` | common tolerations apply to all guac services | `""` | 111 | | `guac.common.certifier.dayBetweenRescan` | Day(s) to wait before the certifier rescanning - commonly apply to all certifiers. Default 0 means only run once | `0` | 112 | | `guac.common.certifier.batchSize` | sets the batch size for pagination query for the certifier - commonly apply to all certifiers. Default 60000 | `60000` | 113 | | `guac.common.certifier.latency` | sets artificial latency on the certifier - commonly apply to all certifiers. Defaults to empty string (not enabled) but can set m, h, s...etc. 
| `nil` | 114 | | `guac.configMap.enabled` | Whether to create the guac-cm configMap | `true` | 115 | | `guac.ociCollector.enabled` | String Whether to deploy OCI Collector | `true` | 116 | | `guac.ociCollector.name` | String Name of the OCI Collector component. | `oci-collector` | 117 | | `guac.ociCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | 118 | | `guac.ociCollector.replicas` | Number of replicas for oci collector deployment | `1` | 119 | | `guac.ociCollector.image.command` | Command for the OCI Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect image"]` | 120 | | `guac.ociCollector.env` | Environment variables for OCI Collector. | `[]` | 121 | | `guac.ociCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | 122 | | `guac.ociCollector.tolerations` | | `[]` | 123 | | `guac.ociCollector.serviceAccount.create` | - whether to create OCI Collector service account | `true` | 124 | | `guac.ociCollector.serviceAccount.annotations` | - OCI Collector service account annotations | `{}` | 125 | | `guac.ociCollector.resources` | - [map] resource requests or limits of the ociCollector deployment | `{}` | 126 | | `guac.depsDevCollector.enabled` | String Whether to deploy Deps.Dev Collector | `true` | 127 | | `guac.depsDevCollector.name` | String Name of the Deps.Dev Collector component. | `depsdev-collector` | 128 | | `guac.depsDevCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | 129 | | `guac.depsDevCollector.replicas` | Number of replicas for depsdev collector deployment | `1` | 130 | | `guac.depsDevCollector.image.command` | Command for the Deps.Dev Collector image. It is not recommended to override this. 
| `["sh","-c","/opt/guac/guaccollect deps_dev"]` | 131 | | `guac.depsDevCollector.env` | Environment variables for Deps.Dev Collector. | `[]` | 132 | | `guac.depsDevCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | 133 | | `guac.depsDevCollector.tolerations` | | `[]` | 134 | | `guac.depsDevCollector.serviceAccount.create` | - whether to create depsDevCollector service account | `true` | 135 | | `guac.depsDevCollector.serviceAccount.annotations` | | `{}` | 136 | | `guac.depsDevCollector.resources` | - [map] resource requests or limits of the depsDevCollector deployment | `{}` | 137 | | `guac.depsDevCollector.depsDevLatency` | - sets artificial latency on the deps.dev collector. Defaults to empty string (not enabled) but can set m, h, s...etc. | `nil` | 138 | | `guac.osvCertifier.enabled` | String Whether to deploy OSV Certifier | `true` | 139 | | `guac.osvCertifier.name` | String Name of the OSV Certifier component. | `osv-certifier` | 140 | | `guac.osvCertifier.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | 141 | | `guac.osvCertifier.replicas` | Number of replicas for OSV Certifier deployment | `1` | 142 | | `guac.osvCertifier.image.command` | Command for the OSV Certifier Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect osv"]` | 143 | | `guac.osvCertifier.env` | Environment variables for OSV Certifier. 
| `[]` | 144 | | `guac.osvCertifier.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | 145 | | `guac.osvCertifier.tolerations` | | `[]` | 146 | | `guac.osvCertifier.serviceAccount.create` | - whether to create osvCertifier service account | `true` | 147 | | `guac.osvCertifier.serviceAccount.annotations` | - OSV Certifier service account annotations | `{}` | 148 | | `guac.osvCertifier.resources` | - [map] resource requests or limits of the OSV Certifier deployment | `{}` | 149 | | `guac.cdCertifier.enabled` | String Whether to deploy CD Certifier | `true` | 150 | | `guac.cdCertifier.name` | String Name of the CD Certifier component. | `cd-certifier` | 151 | | `guac.cdCertifier.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | 152 | | `guac.cdCertifier.replicas` | Number of replicas for CD Certifier deployment | `1` | 153 | | `guac.cdCertifier.image.command` | Command for the CD Certifier Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect cd"]` | 154 | | `guac.cdCertifier.env` | Environment variables for CD Certifier. | `[]` | 155 | | `guac.cdCertifier.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | 156 | | `guac.cdCertifier.tolerations` | | `[]` | 157 | | `guac.cdCertifier.serviceAccount.create` | - whether to create cdCertifier service account | `true` | 158 | | `guac.cdCertifier.serviceAccount.annotations` | - CD Certifier service account annotations | `{}` | 159 | | `guac.cdCertifier.resources` | - [map] resource requests or limits of the cd Certifier deployment | `{}` | 160 | | `guac.ingestor.enabled` | String Whether to deploy Ingestor | `true` | 161 | | `guac.ingestor.name` | String Name of the ingestor component. 
| `ingestor` | 162 | | `guac.ingestor.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | 163 | | `guac.ingestor.replicas` | Number of replicas for ingestor deployment | `1` | 164 | | `guac.ingestor.image.command` | Command for the ingestor image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacingest"]` | 165 | | `guac.ingestor.env` | Environment variables for ingestor. | `[]` | 166 | | `guac.ingestor.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | 167 | | `guac.ingestor.serviceAccount.create` | - whether to create ingestor service account | `true` | 168 | | `guac.ingestor.serviceAccount.annotations` | - Ingestor service account annotations | `{}` | 169 | | `guac.ingestor.tolerations` | | `[]` | 170 | | `guac.ingestor.resources` | - [map] resource requests or limits of the ingestor deployment | `{}` | 171 | | `guac.collectSub.enabled` | String Whether to deploy CollectSub | `true` | 172 | | `guac.collectSub.name` | String Name of the CollectSub component. | `collectsub` | 173 | | `guac.collectSub.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | 174 | | `guac.collectSub.replicas` | Number of replicas for CollectSub deployment | `1` | 175 | | `guac.collectSub.image.command` | Command for the CollectSub image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccsub"]` | 176 | | `guac.collectSub.env` | Environment variables for CollectSub. 
| `[]` | 177 | | `guac.collectSub.image.ports[0].containerPort` | Port the CollectSub container listens on | `2782` | 178 | | `guac.collectSub.svcPorts[0].protocol` | Protocol used at CollectSub | `TCP` | 179 | | `guac.collectSub.svcPorts[0].port` | Port the CollectSub service listens on | `2782` | 180 | | `guac.collectSub.svcPorts[0].targetPort` | Port the CollectSub container listens on | `2782` | 181 | | `guac.collectSub.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | 182 | | `guac.collectSub.tolerations` | | `[]` | 183 | | `guac.collectSub.serviceAccount.create` | - whether to create collectSub service account | `true` | 184 | | `guac.collectSub.serviceAccount.annotations` | - CollectSub service account annotations | `{}` | 185 | | `guac.collectSub.resources` | - [map] resource requests or limits of the collectSub deployment | `{}` | 186 | | `guac.graphqlServer.enabled` | String Whether to deploy GraphQL Server | `true` | 187 | | `guac.graphqlServer.name` | String Name of the GraphQL Server component. | `graphql-server` | 188 | | `guac.graphqlServer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | 189 | | `guac.graphqlServer.replicas` | Number of replicas for GraphQL Server deployment | `1` | 190 | | `guac.graphqlServer.image.command` | Command for the GraphQL Server image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacgql"]` | 191 | | `guac.graphqlServer.env` | Environment variables for GraphQL Server. 
| `[]` | 192 | | `guac.graphqlServer.image.ports[0].containerPort` | Port the GraphQL Server container listens on | `8080` | 193 | | `guac.graphqlServer.svcPorts[0].protocol` | Protocol used at the GraphQL Server | `TCP` | 194 | | `guac.graphqlServer.svcPorts[0].port` | Port the GraphQL Server service listens on | `8080` | 195 | | `guac.graphqlServer.svcPorts[0].targetPort` | Port the GraphQL Server container listens on | `8080` | 196 | | `guac.graphqlServer.nodePortSvcPorts` | NodePort service ports definition | `{}` | 197 | | `guac.graphqlServer.backend` | which backend to use - keyvalue (default) | arango | ent. | `keyvalue` | 198 | | `guac.graphqlServer.debug` | Enable debug mode for graphql server; also enable the UI | `true` | 199 | | `guac.graphqlServer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | 200 | | `guac.graphqlServer.serviceAccount.create` | - whether to create graphqlServer service account | `true` | 201 | | `guac.graphqlServer.serviceAccount.annotations` | - graphql server service account annotations | `{}` | 202 | | `guac.graphqlServer.service.createNodePortService` | - Whether to deploy a NodePort type service | `false` | 203 | | `guac.graphqlServer.additionalVolumeMounts` | | `[]` | 204 | | `guac.graphqlServer.additionalVolumes` | | `[]` | 205 | | `guac.graphqlServer.tolerations` | | `[]` | 206 | | `guac.graphqlServer.resources` | - [map] resource requests or limits of the graphqlServer deployment | `{}` | 207 | | `guac.restApi.enabled` | String Whether to deploy the restApi | `true` | 208 | | `guac.restApi.name` | String Name of the restApi component. | `rest-api` | 209 | | `guac.restApi.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | 210 | | `guac.restApi.replicas` | Number of replicas for restApi deployment | `1` | 211 | | `guac.restApi.image.command` | Command for the restApi image. 
It is not recommended to override this. | `["sh","-c","/opt/guac/guacrest"]` | 212 | | `guac.restApi.env` | Environment variables for restApi. | `[]` | 213 | | `guac.restApi.image.ports[0].containerPort` | Port the restApi container listens on | `8081` | 214 | | `guac.restApi.svcPorts[0].protocol` | Protocol used at the restApi | `TCP` | 215 | | `guac.restApi.svcPorts[0].port` | Port the restApi service listens on | `8081` | 216 | | `guac.restApi.svcPorts[0].targetPort` | Port the restApi container listens on | `8081` | 217 | | `guac.restApi.serviceAccount.create` | - whether to create restApi service account | `true` | 218 | | `guac.restApi.serviceAccount.annotations` | - restApi service account annotations | `{}` | 219 | | `guac.restApi.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | 220 | | `guac.restApi.tolerations` | | `[]` | 221 | | `guac.restApi.resources` | - [map] resource requests or limits of the restApi deployment | `{}` | 222 | | `guac.visualizer.enabled` | String Whether to deploy the visualizer. | `true` | 223 | | `guac.visualizer.name` | String Name of the visualizer. | `visualizer` | 224 | | `guac.visualizer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader](https://github.com/stakater/Reloader) | `""` | 225 | | `guac.visualizer.replicas` | Number of replicas for visualizer deployment | `1` | 226 | | `guac.visualizer.image.repository` | Path to the visualizer image | `ghcr.io/guacsec/guac-visualizer` | 227 | | `guac.visualizer.image.tag` | Tag if using an image tag. Optional | `v0.0.3` | 228 | | `guac.visualizer.image.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. 
| `""` | 229 | | `guac.visualizer.image.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | 230 | | `guac.visualizer.image.ports[0].containerPort` | Port the visualizer container listens on | `3000` | 231 | | `guac.visualizer.svcPorts[0].protocol` | Protocol used at the visualizer | `TCP` | 232 | | `guac.visualizer.svcPorts[0].port` | Port the visualizer service listens on | `3000` | 233 | | `guac.visualizer.svcPorts[0].targetPort` | Port the visualizer container listens on | `3000` | 234 | | `guac.visualizer.env` | Environment variables for the visualizer. | `[]` | 235 | | `guac.visualizer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | 236 | | `guac.visualizer.tolerations` | | `[]` | 237 | | `guac.observability.deployServiceMonitor` | Boolean Deploy the service monitor for observability | `false` | 238 | | `guac.sampleData.ingest` | Boolean Whether to ingest sample data after deployment | `false` | 239 | | `guac.sampleData.jobName` | Name of the sample data ingest job | `ingest-guac-data` | 240 | | `guac.sampleData.env` | Environment variables for the sample data ingest job | `[]` | 241 | | `guac.ingress.enabled` | Whether to deploy an Ingress object | `false` | 242 | | `guac.ingress.ingressClassName` | Ingress class name | `undefined` | 243 | | `guac.ingress.webuiHostname` | DNS name for the UI components - e.g. Visualizer, GQL playground | `undefined` | 244 | | `guac.ingress.apiHostname` | DNS name for the GQL API. When specified, GQL API won't be served at webuiHostname | `undefined` | 245 | | `guac.ingress.annotations` | Annotations for the ingress object | `{}` | 246 | | `guac.apiOnlyIngress.enabled` | Whether to deploy an Ingress object to expose API only | `false` | 247 | | `guac.apiOnlyIngress.ingressClassName` | Ingress class name for API only ingress | `undefined` | 248 | | `guac.apiOnlyIngress.apiHostname` | DNS name for the GQL API. 
| `undefined` | 249 | | `guac.apiOnlyIngress.annotations` | Annotations for the API only ingress object | `{}` | 250 | | `guac.traefikIngressRoute.enabled` | Whether to deploy Traefik IngressRoute object | `false` | 251 | | `guac.backend.ent.db-driver` | database driver to use, one of [postgres \| sqlite3 \| mysql] or anything supported by sql.DB | `postgres` | 252 | | `guac.backend.ent.db-address` | Full URL of database to connect to. The chart renders this value in plain text (for example as the `DB_ADDRESS` env value of the atlas init container), so a URL that embeds credentials is readable by anyone who can read the rendered objects. | `undefined` | 253 | | `guac.backend.ent.db-migrate` | Whether to automatically run database migrations on start | `true` | 254 | | `guac.backend.ent.db-debug` | Enable debug logging for database queries | `true` | 255 | | `guac.pubSubAddr` | String gocloud connection string for pubsub configured via https://gocloud.dev/howto/pubsub/ | `undefined` | 256 | | `guac.collectorPublishToQueue` | Whether to publish ingestion message to pubsub queue | `true` | 257 | | `guac.blobAddr` | gocloud connection string for blob store configured via https://gocloud.dev/howto/blob/ | `undefined` | 258 | | `guac.additionalResources` | | `{}` | 259 | 260 | ### nats 261 | 262 | This is the configuration for nats. This is a subchart. See full documentation [here](https://docs.nats.io/running-a-nats-service/nats-kubernetes/helm-charts). 
263 | 264 | | Name | Description | Value | 265 | | ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 266 | | `nats.enabled` | Whether to deploy nats | `true` | 267 | | `nats.nats.jetstream.enabled` | Boolean for enabling JetStream. | `true` | 268 | | `nats.nats.limits.maxPayload` | Max Payload size for nats | `64MB` | 269 | | `nats.nats.statefulSetPodLabels.app.kubernetes.io/part-of` | Label to associate nats with GUAC for monitoring purposes | `{"enabled":true,"nats":{"jetstream":{"enabled":true},"limits":{"maxPayload":"64MB"},"statefulSetPodLabels":{"app.kubernetes.io/part-of":"guac"}},"natsbox":{"enabled":false,"additionalLabels":{"app.kubernetes.io/part-of":"guac"},"podLabels":{"app.kubernetes.io/part-of":"guac"}},"exporter":{"enabled":false,"serviceMonitor":{"enabled":false,"namespace":"monitoring","labels":{"release":"monitoring"}}}}` | 270 | | `nats.natsbox.enabled` | Whehter to run natsbox | `false` | 271 | | `nats.natsbox.additionalLabels.app.kubernetes.io/part-of` | Label to associate natsbox with GUAC for monitoring purposes | `guac` | 272 | | `nats.natsbox.podLabels.app.kubernetes.io/part-of` | Label to associate natsbox with GUAC for monitoring purposes | `guac` | 273 | | `nats.exporter.enabled` | Boolean to enable data collection | `false` | 274 | | `nats.exporter.serviceMonitor.enabled` | Boolean to enable nats service monitor | `false` | 275 | | `nats.exporter.serviceMonitor.namespace` | String nats service monitor namespace - this is for 
monitoring purposes and is used by Prometheus | `monitoring` | 276 | | `nats.exporter.serviceMonitor.labels.release` | Label to associate nats service monitor with GUAC for monitoring purposes | `monitoring` | 277 | 278 | ### minio 279 | 280 | This is the configuration for minio. This is a subchart. See full documentation [here](https://github.com/minio/minio/tree/master/helm/minio). 281 | 282 | | Name | Description | Value | 283 | | -------------------- | ------------------------------------------------------------------------------ | -------------- | 284 | | `minio.enabled` | Whether to deploy minio as part of the Helm deployment | `true` | 285 | | `minio.replicas` | Number of replicas. | `1` | 286 | | `minio.persistence` | Persistence volume configuration. | `{}` | 287 | | `minio.mode` | minio mode, i.e. standalone or distributed | `standalone` | 288 | | `minio.resources` | resource requests and limits | `{}` | 289 | | `minio.rootUser` | root user name. The default is a placeholder; override it together with `minio.rootPassword` outside of local test deployments. | `rootUser` | 290 | | `minio.rootPassword` | root user password. The default is a well-known placeholder and must be overridden outside of local test deployments. | `rootPassword` | 291 | | `minio.buckets` | List of buckets to create after deployment. | `{}` | 292 | | `minio.users` | List of users, in terms of creds and permissions, to create after deployment. | `{}` | 293 | 294 | ### atlas 295 | 296 | This section contains parameters for configuring the atlas migration. 297 | 298 | | Name | Description | Value | 299 | | ------------------------ | ---------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | 300 | | `atlas.enabled` | Whether to add atlas init-container in graphql-server to manage schema migration via atlas. Defaults to false | `false` | 301 | | `atlas.image.command` | Command for the atlas migration. 
Overriding default entrypoint to read backend DB connection string from guac-cm | `["sh","-c","atlas migrate apply --dir file:///app/migrations --url $DB_ADDRESS?search_path=public"]` | 302 | | `atlas.image.repository` | Path to the atlas migration image | `ghcr.io/guacsec/guac/atlas-migration` | 303 | | `atlas.image.tag` | Tag if using an image tag. Optional | `undefined` | 304 | | `atlas.image.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. | `""` | 305 | | `atlas.image.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | 306 | | `atlas.name` | Name of the atlas migration component | `atlas-migration` | 307 | 308 | ## Developing 309 | For running the unit tests, install the unittest plugin. 310 | 311 | `helm plugin install https://github.com/quintush/helm-unittest` 312 | 313 | To run unit tests 314 | 315 | `helm unittest charts/guac -3` 316 | 317 | To run Helm chart-testing (ct) lint and install tests 318 | 319 | `ct install --all --helm-extra-args --timeout=600s` -------------------------------------------------------------------------------- /charts/guac/ci/guac-values.yaml: -------------------------------------------------------------------------------- 1 | # Ingest sample data to ensure the test instance is fully functional 2 | guac: 3 | sampleData: 4 | ingest: true 5 | 6 | graphqlServer: 7 | service: 8 | createNodePortService: true 9 | -------------------------------------------------------------------------------- /charts/guac/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {* 2 | Copyright Kusari, Inc. and GUAC contributors 3 | Licensed under the MIT license. See LICENSE file in the project root for details. 4 | *} 5 | 6 | {{/* 7 | Expand the name of the chart. 
8 | */}} 9 | {{- define "guac.name" -}} 10 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 11 | {{- end }} 12 | 13 | {{/* 14 | Create a default fully qualified app name. 15 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 16 | If release name contains chart name it will be used as a full name. 17 | */}} 18 | {{- define "guac.fullname" -}} 19 | {{- if .Values.fullnameOverride }} 20 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 21 | {{- else }} 22 | {{- $name := default .Chart.Name .Values.nameOverride }} 23 | {{- if contains $name .Release.Name }} 24 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 25 | {{- else }} 26 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 27 | {{- end }} 28 | {{- end }} 29 | {{- end }} 30 | 31 | {{/* 32 | Create chart name and version as used by the chart label. 33 | */}} 34 | {{- define "guac.chart" -}} 35 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 36 | {{- end }} 37 | 38 | {{/* 39 | Common labels 40 | */}} 41 | {{- define "guac.labels" -}} 42 | helm.sh/chart: {{ include "guac.chart" . }} 43 | {{ include "guac.selectorLabels" . }} 44 | {{- if .Chart.AppVersion }} 45 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 46 | {{- end }} 47 | app.kubernetes.io/managed-by: {{ .Release.Service }} 48 | {{- end }} 49 | 50 | {{/* 51 | Selector labels 52 | */}} 53 | {{- define "guac.selectorLabels" -}} 54 | app.kubernetes.io/instance: {{ .Release.Name }} 55 | app.kubernetes.io/part-of: "guac" 56 | {{- end }} 57 | 58 | {{/* 59 | Create the name of the service account to use 60 | */}} 61 | {{- define "guac.serviceAccountName" -}} 62 | {{- if .Values.serviceAccount.create }} 63 | {{- default (include "guac.fullname" .) 
.Values.serviceAccount.name }} 64 | {{- else }} 65 | {{- default "default" .Values.serviceAccount.name }} 66 | {{- end }} 67 | {{- end }} 68 | -------------------------------------------------------------------------------- /charts/guac/templates/additional-objects.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.additionalObjects }} 2 | {{/* 3 | {{- toYaml .Values.guac.additionalResources }} 4 | */}} 5 | {{- range $.Values.additionalObjects }} 6 | --- 7 | {{ toYaml . }} 8 | {{- end }} 9 | {{- end }} -------------------------------------------------------------------------------- /charts/guac/templates/api-only-ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.guac.apiOnlyIngress.enabled -}} 2 | --- 3 | apiVersion: networking.k8s.io/v1 4 | kind: Ingress 5 | metadata: 6 | name: {{ .Release.Namespace }} 7 | namespace: {{ .Release.Namespace }} 8 | 9 | {{- if .Values.guac.apiOnlyIngress.annotations }} 10 | annotations: 11 | {{ toYaml .Values.guac.apiOnlyIngress.annotations | indent 4 }} 12 | {{- end }} 13 | 14 | labels: 15 | {{- include "guac.labels" . | nindent 4 }} 16 | {{- range $key, $value := .Values.guac.apiOnlyIngress.extraLabels }} 17 | {{ $key }}: {{ $value }} 18 | {{- end }} 19 | 20 | spec: 21 | {{- if .Values.guac.apiOnlyIngress.ingressClassName }} 22 | ingressClassName: {{ .Values.guac.apiOnlyIngress.ingressClassName }} 23 | {{- end }} 24 | rules: 25 | - host: {{ .Values.guac.apiOnlyIngress.apiHostname }} 26 | http: 27 | paths: 28 | - path: /query 29 | pathType: Prefix 30 | backend: 31 | service: 32 | name: graphql-server 33 | port: 34 | number: 8080 35 | {{- end -}} 36 | -------------------------------------------------------------------------------- /charts/guac/templates/cd-certifier-deployment.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. 
and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 3 | {{ if .Values.guac.cdCertifier.enabled }} 4 | --- 5 | apiVersion: apps/v1 6 | kind: Deployment 7 | metadata: 8 | name: {{ .Values.guac.cdCertifier.name }} 9 | {{- if .Values.guac.cdCertifier.annotations }} 10 | annotations: 11 | {{ toYaml .Values.guac.cdCertifier.annotations | indent 4 }} 12 | {{- end }} 13 | labels: 14 | {{- include "guac.labels" . | nindent 4 }} 15 | app.kubernetes.io/name: {{ .Values.guac.cdCertifier.name }} 16 | app.kubernetes.io/component: {{ .Values.guac.cdCertifier.name }} 17 | spec: 18 | replicas: {{ .Values.guac.cdCertifier.replicas }} 19 | selector: 20 | matchLabels: 21 | {{- include "guac.selectorLabels" . | nindent 6 }} 22 | app.kubernetes.io/name: {{ .Values.guac.cdCertifier.name }} 23 | app.kubernetes.io/component: {{ .Values.guac.cdCertifier.name }} 24 | template: 25 | metadata: 26 | labels: 27 | {{- include "guac.selectorLabels" . | nindent 8 }} 28 | app.kubernetes.io/name: {{ .Values.guac.cdCertifier.name }} 29 | app.kubernetes.io/component: {{ .Values.guac.cdCertifier.name }} 30 | spec: 31 | serviceAccountName: {{ .Values.guac.cdCertifier.name }} 32 | containers: 33 | - name: {{ .Values.guac.cdCertifier.name }} 34 | {{- if .Values.guac.guacImage.digest }} 35 | image: "{{ .Values.guac.guacImage.repository }}@{{ .Values.guac.guacImage.digest }}" 36 | {{- else }} 37 | image: "{{ .Values.guac.guacImage.repository }}:{{ .Values.guac.guacImage.tag | default .Chart.AppVersion}}" 38 | {{- end }} 39 | imagePullPolicy: "{{ .Values.guac.guacImage.pullPolicy }}" 40 | command: 41 | {{ toYaml .Values.guac.cdCertifier.image.command | indent 10 }} 42 | workingDir: {{ .Values.guac.guacImage.workingDir }} 43 | {{- if .Values.guac.cdCertifier.ports }} 44 | ports: 45 | {{ toYaml .Values.guac.cdCertifier.image.ports | indent 10 }} 46 | {{- end }} 47 | {{- if .Values.guac.cdCertifier.resources }} 48 | resources: {{- toYaml 
.Values.guac.cdCertifier.resources | nindent 10 }} 49 | {{- end }} 50 | volumeMounts: 51 | - name: guac-config 52 | mountPath: {{ .Values.guac.guacImage.workingDir }} 53 | readOnly: true 54 | 55 | {{- if or .Values.guac.common.env .Values.guac.cdCertifier.env }} 56 | env: 57 | {{- if .Values.guac.common.env }} 58 | {{ toYaml .Values.guac.common.env | indent 10 }} 59 | {{- end }} 60 | {{- if .Values.guac.cdCertifier.env }} 61 | {{ toYaml .Values.guac.cdCertifier.env | indent 10 }} 62 | {{- end }} 63 | {{- end }} 64 | 65 | {{- if .Values.imagePullSecrets }} 66 | imagePullSecrets: 67 | {{ toYaml .Values.imagePullSecrets | indent 8 }} 68 | {{- end }} 69 | volumes: 70 | - name: guac-config 71 | configMap: 72 | name: guac-cm 73 | {{- if .Values.guac.cdCertifier.nodeSelector }} 74 | nodeSelector: 75 | {{ toYaml .Values.guac.cdCertifier.nodeSelector | indent 8 }} 76 | {{- end }} 77 | 78 | {{- if or .Values.guac.common.tolerations .Values.guac.cdCertifier.tolerations }} 79 | tolerations: 80 | {{- if .Values.guac.common.tolerations }} 81 | {{ toYaml .Values.guac.common.tolerations | indent 8 }} 82 | {{- end }} 83 | {{- if .Values.guac.cdCertifier.tolerations }} 84 | {{ toYaml .Values.guac.cdCertifier.tolerations | indent 8 }} 85 | {{- end }} 86 | {{- end }} 87 | 88 | {{- end }} 89 | -------------------------------------------------------------------------------- /charts/guac/templates/cd-certifier-sa.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 
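3 | {{ if .Values.guac.cdCertifier.enabled }} 4 | {{ if .Values.guac.cdCertifier.serviceAccount.create }} 5 | --- 6 | apiVersion: v1 7 | kind: ServiceAccount 8 | metadata: 9 | name: {{ .Values.guac.cdCertifier.name }} 10 | {{- /* Guard on serviceAccount.annotations, the key rendered on the next lines; guac.cdCertifier.annotations is the Deployment's annotation map, and guarding on it drops ServiceAccount annotations (e.g. workload-identity bindings) whenever the Deployment has none. */}} {{- if .Values.guac.cdCertifier.serviceAccount.annotations }} 11 | annotations: 12 | {{ toYaml .Values.guac.cdCertifier.serviceAccount.annotations | indent 4 }} 13 | {{- end }} 14 | labels: 15 | {{- include "guac.labels" . | nindent 4 }} 16 | app.kubernetes.io/name: {{ .Values.guac.cdCertifier.name }} 17 | app.kubernetes.io/component: {{ .Values.guac.cdCertifier.name }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/guac/templates/collectsub-deployment.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 3 | {{ if .Values.guac.collectSub.enabled }} 4 | --- 5 | apiVersion: apps/v1 6 | kind: Deployment 7 | metadata: 8 | name: {{ .Values.guac.collectSub.name }} 9 | {{- if .Values.guac.collectSub.annotations }} 10 | annotations: 11 | {{ toYaml .Values.guac.collectSub.annotations | indent 4 }} 12 | {{- end }} 13 | labels: 14 | {{- include "guac.labels" . | nindent 4 }} 15 | app.kubernetes.io/name: {{ .Values.guac.collectSub.name }} 16 | app.kubernetes.io/component: {{ .Values.guac.collectSub.name }} 17 | spec: 18 | replicas: {{ .Values.guac.collectSub.replicas }} 19 | selector: 20 | matchLabels: 21 | {{- include "guac.selectorLabels" . | nindent 6 }} 22 | app.kubernetes.io/name: {{ .Values.guac.collectSub.name }} 23 | app.kubernetes.io/component: {{ .Values.guac.collectSub.name }} 24 | template: 25 | metadata: 26 | labels: 27 | {{- include "guac.selectorLabels" . 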
| nindent 8 }} 28 | app.kubernetes.io/name: {{ .Values.guac.collectSub.name }} 29 | app.kubernetes.io/component: {{ .Values.guac.collectSub.name }} 30 | spec: 31 | serviceAccountName: {{ .Values.guac.collectSub.name }} 32 | containers: 33 | - name: {{ .Values.guac.collectSub.name }} 34 | {{- if .Values.guac.guacImage.digest }} 35 | image: "{{ .Values.guac.guacImage.repository }}@{{ .Values.guac.guacImage.digest }}" 36 | {{- else }} 37 | image: "{{ .Values.guac.guacImage.repository }}:{{ .Values.guac.guacImage.tag | default .Chart.AppVersion}}" 38 | {{- end }} 39 | imagePullPolicy: "{{ .Values.guac.guacImage.pullPolicy }}" 40 | command: 41 | {{ toYaml .Values.guac.collectSub.image.command | indent 10 }} 42 | workingDir: {{ .Values.guac.guacImage.workingDir }} 43 | {{- if .Values.guac.collectSub.ports }} 44 | ports: 45 | {{ toYaml .Values.guac.collectSub.image.ports | indent 10 }} 46 | {{- end }} 47 | {{- if .Values.guac.collectSub.resources }} 48 | resources: {{- toYaml .Values.guac.collectSub.resources | nindent 10 }} 49 | {{- end }} 50 | volumeMounts: 51 | - name: guac-config 52 | mountPath: {{ .Values.guac.guacImage.workingDir }} 53 | readOnly: true 54 | 55 | {{- if or .Values.guac.common.env .Values.guac.collectSub.env }} 56 | env: 57 | {{- if .Values.guac.common.env }} 58 | {{ toYaml .Values.guac.common.env | indent 10 }} 59 | {{- end }} 60 | {{- if .Values.guac.collectSub.env }} 61 | {{ toYaml .Values.guac.collectSub.env | indent 10 }} 62 | {{- end }} 63 | {{- end }} 64 | 65 | {{- if .Values.imagePullSecrets }} 66 | imagePullSecrets: 67 | {{ toYaml .Values.imagePullSecrets | indent 8 }} 68 | {{- end }} 69 | volumes: 70 | - name: guac-config 71 | configMap: 72 | name: guac-cm 73 | {{- if .Values.guac.collectSub.nodeSelector }} 74 | nodeSelector: 75 | {{ toYaml .Values.guac.collectSub.nodeSelector | indent 8 }} 76 | {{- end }} 77 | 78 | {{- if or .Values.guac.common.tolerations .Values.guac.collectSub.tolerations }} 79 | tolerations: 80 | {{- if 
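.Values.guac.common.tolerations }} 81 | {{ toYaml .Values.guac.common.tolerations | indent 8 }} 82 | {{- end }} 83 | {{- if .Values.guac.collectSub.tolerations }} 84 | {{ toYaml .Values.guac.collectSub.tolerations | indent 8 }} 85 | {{- end }} 86 | {{- end }} 87 | 88 | {{- end }} 89 | -------------------------------------------------------------------------------- /charts/guac/templates/collectsub-sa.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 3 | {{ if .Values.guac.collectSub.enabled }} 4 | {{ if .Values.guac.collectSub.serviceAccount.create }} 5 | --- 6 | apiVersion: v1 7 | kind: ServiceAccount 8 | metadata: 9 | name: {{ .Values.guac.collectSub.name }} 10 | {{- /* Guard on serviceAccount.annotations, the key rendered on the next lines; guac.collectSub.annotations is the Deployment's annotation map, and guarding on it drops ServiceAccount annotations (e.g. workload-identity bindings) whenever the Deployment has none. */}} {{- if .Values.guac.collectSub.serviceAccount.annotations }} 11 | annotations: 12 | {{ toYaml .Values.guac.collectSub.serviceAccount.annotations | indent 4 }} 13 | {{- end }} 14 | labels: 15 | {{- include "guac.labels" . | nindent 4 }} 16 | app.kubernetes.io/name: {{ .Values.guac.collectSub.name }} 17 | app.kubernetes.io/component: {{ .Values.guac.collectSub.name }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/guac/templates/collectsub-service.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 3 | {{ if .Values.guac.collectSub.enabled }} 4 | {{- if .Values.guac.collectSub.svcPorts }} 5 | --- 6 | apiVersion: v1 7 | kind: Service 8 | metadata: 9 | name: {{ .Values.guac.collectSub.name }} 10 | labels: {{- include "guac.labels" . 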
| nindent 4 }} 11 | app.kubernetes.io/name: {{ .Values.guac.collectSub.name }} 12 | app.kubernetes.io/component: {{ .Values.guac.collectSub.name }} 13 | spec: 14 | selector: 15 | {{- include "guac.selectorLabels" . | nindent 4 }} 16 | app.kubernetes.io/name: {{ .Values.guac.collectSub.name }} 17 | app.kubernetes.io/component: {{ .Values.guac.collectSub.name }} 18 | ports: 19 | {{- range .Values.guac.collectSub.svcPorts }} 20 | - {{ . | toYaml | indent 6 | trim }} 21 | {{- end }} 22 | {{- end }} 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /charts/guac/templates/depsdev-collector-deployment.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 3 | {{ if .Values.guac.depsDevCollector.enabled }} 4 | --- 5 | apiVersion: apps/v1 6 | kind: Deployment 7 | metadata: 8 | name: {{ .Values.guac.depsDevCollector.name }} 9 | {{- if .Values.guac.depsDevCollector.annotations }} 10 | annotations: 11 | {{ toYaml .Values.guac.depsDevCollector.annotations | indent 4 }} 12 | {{- end }} 13 | labels: 14 | {{- include "guac.labels" . | nindent 4 }} 15 | app.kubernetes.io/name: {{ .Values.guac.depsDevCollector.name }} 16 | app.kubernetes.io/component: {{ .Values.guac.depsDevCollector.name }} 17 | spec: 18 | replicas: {{ .Values.guac.depsDevCollector.replicas }} 19 | selector: 20 | matchLabels: 21 | {{- include "guac.selectorLabels" . | nindent 6 }} 22 | app.kubernetes.io/name: {{ .Values.guac.depsDevCollector.name }} 23 | app.kubernetes.io/component: {{ .Values.guac.depsDevCollector.name }} 24 | template: 25 | metadata: 26 | labels: 27 | {{- include "guac.selectorLabels" . 
| nindent 8 }} 28 | app.kubernetes.io/name: {{ .Values.guac.depsDevCollector.name }} 29 | app.kubernetes.io/component: {{ .Values.guac.depsDevCollector.name }} 30 | spec: 31 | serviceAccountName: {{ .Values.guac.depsDevCollector.name }} 32 | containers: 33 | - name: {{ .Values.guac.depsDevCollector.name }} 34 | {{- if .Values.guac.guacImage.digest }} 35 | image: "{{ .Values.guac.guacImage.repository }}@{{ .Values.guac.guacImage.digest }}" 36 | {{- else }} 37 | image: "{{ .Values.guac.guacImage.repository }}:{{ .Values.guac.guacImage.tag | default .Chart.AppVersion}}" 38 | {{- end }} 39 | imagePullPolicy: "{{ .Values.guac.guacImage.pullPolicy }}" 40 | command: 41 | {{ toYaml .Values.guac.depsDevCollector.image.command | indent 10 }} 42 | workingDir: {{ .Values.guac.guacImage.workingDir }} 43 | {{- if .Values.guac.depsDevCollector.ports }} 44 | ports: 45 | {{ toYaml .Values.guac.depsDevCollector.image.ports | indent 10 }} 46 | {{- end }} 47 | {{- if .Values.guac.depsDevCollector.resources }} 48 | resources: {{- toYaml .Values.guac.depsDevCollector.resources | nindent 10 }} 49 | {{- end }} 50 | 51 | volumeMounts: 52 | - name: guac-config 53 | mountPath: {{ .Values.guac.guacImage.workingDir }} 54 | readOnly: true 55 | 56 | {{- if or .Values.guac.common.env .Values.guac.depsDevCollector.env }} 57 | env: 58 | {{- if .Values.guac.common.env }} 59 | {{ toYaml .Values.guac.common.env | indent 10 }} 60 | {{- end }} 61 | {{- if .Values.guac.depsDevCollector.env }} 62 | {{ toYaml .Values.guac.depsDevCollector.env | indent 10 }} 63 | {{- end }} 64 | {{- end }} 65 | 66 | {{- if .Values.imagePullSecrets }} 67 | imagePullSecrets: 68 | {{ toYaml .Values.imagePullSecrets | indent 8 }} 69 | {{- end }} 70 | volumes: 71 | - name: guac-config 72 | configMap: 73 | name: guac-cm 74 | {{- if .Values.guac.depsDevCollector.nodeSelector }} 75 | nodeSelector: 76 | {{ toYaml .Values.guac.depsDevCollector.nodeSelector | indent 8 }} 77 | {{- end }} 78 | 79 | {{- if or 
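.Values.guac.common.tolerations .Values.guac.depsDevCollector.tolerations }} 80 | tolerations: 81 | {{- if .Values.guac.common.tolerations }} 82 | {{ toYaml .Values.guac.common.tolerations | indent 8 }} 83 | {{- end }} 84 | {{- if .Values.guac.depsDevCollector.tolerations }} 85 | {{ toYaml .Values.guac.depsDevCollector.tolerations | indent 8 }} 86 | {{- end }} 87 | {{- end }} 88 | 89 | 90 | {{- end }} 91 | -------------------------------------------------------------------------------- /charts/guac/templates/depsdev-collector-sa.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 3 | {{ if .Values.guac.depsDevCollector.enabled }} 4 | {{ if .Values.guac.depsDevCollector.serviceAccount.create }} 5 | --- 6 | apiVersion: v1 7 | kind: ServiceAccount 8 | metadata: 9 | name: {{ .Values.guac.depsDevCollector.name }} 10 | {{- /* Guard on serviceAccount.annotations, the key rendered on the next lines; guac.depsDevCollector.annotations is the Deployment's annotation map, and guarding on it drops ServiceAccount annotations (e.g. workload-identity bindings) whenever the Deployment has none. */}} {{- if .Values.guac.depsDevCollector.serviceAccount.annotations }} 11 | annotations: 12 | {{ toYaml .Values.guac.depsDevCollector.serviceAccount.annotations | indent 4 }} 13 | {{- end }} 14 | labels: 15 | {{- include "guac.labels" . | nindent 4 }} 16 | app.kubernetes.io/name: {{ .Values.guac.depsDevCollector.name }} 17 | app.kubernetes.io/component: {{ .Values.guac.depsDevCollector.name }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/guac/templates/graphql-server-deployment.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 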
3 | {{ if .Values.guac.graphqlServer.enabled }} 4 | --- 5 | apiVersion: apps/v1 6 | kind: Deployment 7 | metadata: 8 | name: {{ .Values.guac.graphqlServer.name }} 9 | {{- if .Values.guac.graphqlServer.annotations }} 10 | annotations: 11 | {{ toYaml .Values.guac.graphqlServer.annotations | indent 4 }} 12 | {{- end }} 13 | labels: 14 | {{- include "guac.labels" . | nindent 4 }} 15 | app.kubernetes.io/name: {{ .Values.guac.graphqlServer.name }} 16 | app.kubernetes.io/component: {{ .Values.guac.graphqlServer.name }} 17 | spec: 18 | replicas: {{ .Values.guac.graphqlServer.replicas }} 19 | selector: 20 | matchLabels: 21 | {{- include "guac.selectorLabels" . | nindent 6 }} 22 | app.kubernetes.io/name: {{ .Values.guac.graphqlServer.name }} 23 | app.kubernetes.io/component: {{ .Values.guac.graphqlServer.name }} 24 | template: 25 | metadata: 26 | labels: 27 | {{- include "guac.selectorLabels" . | nindent 8 }} 28 | app.kubernetes.io/name: {{ .Values.guac.graphqlServer.name }} 29 | app.kubernetes.io/component: {{ .Values.guac.graphqlServer.name }} 30 | spec: 31 | serviceAccountName: {{ .Values.guac.graphqlServer.name }} 32 | {{- if .Values.atlas.enabled }} 33 | initContainers: 34 | - name: {{ .Values.atlas.name }} 35 | {{- if index .Values.guac.backend.ent "db-address" }} 36 | env: 37 | - name: DB_ADDRESS 38 | value: '{{ index .Values.guac.backend.ent "db-address" }}' 39 | {{- end }} 40 | {{- if .Values.atlas.image.digest }} 41 | image: "{{ .Values.atlas.image.repository }}@{{ .Values.atlas.image.digest }}" 42 | {{- else }} 43 | image: "{{ .Values.atlas.image.repository }}:{{ .Values.atlas.image.tag | default .Chart.AppVersion}}" 44 | {{- end }} 45 | imagePullPolicy: {{ .Values.atlas.image.pullPolicy }} 46 | command: 47 | {{ toYaml .Values.atlas.image.command | indent 10 }} 48 | {{- end }} 49 | containers: 50 | - name: {{ .Values.guac.graphqlServer.name }} 51 | {{- if .Values.guac.guacImage.digest }} 52 | image: "{{ .Values.guac.guacImage.repository }}@{{ 
.Values.guac.guacImage.digest }}" 53 | {{- else }} 54 | image: "{{ .Values.guac.guacImage.repository }}:{{ .Values.guac.guacImage.tag | default .Chart.AppVersion}}" 55 | {{- end }} 56 | imagePullPolicy: "{{ .Values.guac.guacImage.pullPolicy }}" 57 | command: 58 | {{ toYaml .Values.guac.graphqlServer.image.command | indent 10 }} 59 | workingDir: {{ .Values.guac.guacImage.workingDir }} 60 | {{- if .Values.guac.graphqlServer.ports }} 61 | ports: 62 | {{ toYaml .Values.guac.graphqlServer.image.ports | indent 10 }} 63 | {{- end }} 64 | {{- if .Values.guac.graphqlServer.resources }} 65 | resources: {{- toYaml .Values.guac.graphqlServer.resources | nindent 10 }} 66 | {{- end }} 67 | volumeMounts: 68 | - name: guac-config 69 | mountPath: {{ .Values.guac.guacImage.workingDir }} 70 | readOnly: true 71 | {{- if .Values.guac.graphqlServer.additionalVolumeMounts }} 72 | {{ toYaml .Values.guac.graphqlServer.additionalVolumeMounts | indent 10 }} 73 | {{- end }} 74 | 75 | {{- if or .Values.guac.common.env .Values.guac.graphqlServer.env }} 76 | env: 77 | {{- if .Values.guac.common.env }} 78 | {{ toYaml .Values.guac.common.env | indent 10 }} 79 | {{- end }} 80 | {{- if .Values.guac.graphqlServer.env }} 81 | {{ toYaml .Values.guac.graphqlServer.env | indent 10 }} 82 | {{- end }} 83 | {{- end }} 84 | 85 | {{- if .Values.imagePullSecrets }} 86 | imagePullSecrets: 87 | {{ toYaml .Values.imagePullSecrets | indent 8 }} 88 | {{- end }} 89 | volumes: 90 | - name: guac-config 91 | configMap: 92 | name: guac-cm 93 | {{- if .Values.guac.graphqlServer.additionalVolumes }} 94 | {{ toYaml .Values.guac.graphqlServer.additionalVolumes | indent 8 }} 95 | {{- end }} 96 | {{- if .Values.guac.graphqlServer.nodeSelector }} 97 | nodeSelector: 98 | {{ toYaml .Values.guac.graphqlServer.nodeSelector | indent 8 }} 99 | {{- end }} 100 | 101 | {{- if or .Values.guac.common.tolerations .Values.guac.graphqlServer.tolerations }} 102 | tolerations: 103 | {{- if .Values.guac.common.tolerations }} 104 | {{ toYaml 
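.Values.guac.common.tolerations | indent 8 }}
      {{- end }}
      {{- if .Values.guac.graphqlServer.tolerations }}
{{ toYaml .Values.guac.graphqlServer.tolerations | indent 8 }}
      {{- end }}
      {{- end }}

{{- end }}

--------------------------------------------------------------------------------
/charts/guac/templates/graphql-server-sa.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
#
# ServiceAccount for the GraphQL server. The Deployment references it by the
# same name (serviceAccountName: graphqlServer.name), so it is rendered only
# when the component is enabled and serviceAccount.create is set.
{{ if .Values.guac.graphqlServer.enabled }}
{{ if .Values.guac.graphqlServer.serviceAccount.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.guac.graphqlServer.name }}
  # Guard on the value that is actually rendered. Testing the Deployment's
  # graphqlServer.annotations here would drop ServiceAccount annotations
  # (where identity bindings are commonly attached) whenever the Deployment
  # has none, and render an empty annotations block in the opposite case.
  {{- if .Values.guac.graphqlServer.serviceAccount.annotations }}
  annotations:
{{ toYaml .Values.guac.graphqlServer.serviceAccount.annotations | indent 4 }}
  {{- end }}
  labels:
    {{- include "guac.labels" . | nindent 4 }}
    app.kubernetes.io/name: {{ .Values.guac.graphqlServer.name }}
    app.kubernetes.io/component: {{ .Values.guac.graphqlServer.name }}
{{- end }}
{{- end }}

--------------------------------------------------------------------------------
/charts/guac/templates/graphql-server-service.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
{{ if .Values.guac.graphqlServer.enabled }}
{{- if .Values.guac.graphqlServer.svcPorts }}
---
apiVersion: v1
kind: Service
metadata:
  name: {{ .Values.guac.graphqlServer.name }}
  labels:
    {{- include "guac.labels" .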
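| nindent 4 }}
    app.kubernetes.io/name: {{ .Values.guac.graphqlServer.name }}
    app.kubernetes.io/component: {{ .Values.guac.graphqlServer.name }}
spec:
  type: ClusterIP
  selector:
    {{- include "guac.selectorLabels" . | nindent 4 }}
    app.kubernetes.io/name: {{ .Values.guac.graphqlServer.name }}
    app.kubernetes.io/component: {{ .Values.guac.graphqlServer.name }}
  ports:
  {{- range .Values.guac.graphqlServer.svcPorts }}
    - {{ . | toYaml | indent 6 | trim }}
  {{- end }}
{{- end }}
{{- end }}

# Optional second Service of type NodePort for the same pods. A NodePort opens
# the listed ports on every cluster node; this template adds no source-address
# restriction and no authentication in front of the GraphQL server, so confirm
# that exposure is intended before enabling service.createNodePortService.
{{ if .Values.guac.graphqlServer.enabled }}
{{- if .Values.guac.graphqlServer.svcPorts }}
{{ if .Values.guac.graphqlServer.service.createNodePortService }}
---
apiVersion: v1
kind: Service
metadata:
  name: {{ .Values.guac.graphqlServer.name }}-nodeport
  labels:
    {{- include "guac.labels" . | nindent 4 }}
    app.kubernetes.io/name: {{ .Values.guac.graphqlServer.name }}
    app.kubernetes.io/component: {{ .Values.guac.graphqlServer.name }}
spec:
  type: NodePort
  selector:
    {{- include "guac.selectorLabels" . | nindent 4 }}
    app.kubernetes.io/name: {{ .Values.guac.graphqlServer.name }}
    app.kubernetes.io/component: {{ .Values.guac.graphqlServer.name }}
  ports:
  {{- range .Values.guac.graphqlServer.nodePortSvcPorts }}
    - {{ . | toYaml | indent 6 | trim }}
  {{- end }}
{{- end }}
{{- end }}
{{- end }}

--------------------------------------------------------------------------------
/charts/guac/templates/guac-cm.yaml:
--------------------------------------------------------------------------------
{{ if .Values.guac.configMap.enabled }}
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
#
# Renders guac.yaml, the shared configuration that the GUAC Deployments mount
# read-only from the guac-cm ConfigMap.
#
# Security-relevant points for whoever sets the values:
#  - The default pubsub, blob and GraphQL addresses are plaintext in-cluster
#    endpoints (nats://, http://, disable_https=true). Override pubSubAddr and
#    blobAddr if traffic inside the cluster must be encrypted.
#  - When graphqlServer.backend is "ent", every key under guac.backend.ent is
#    copied into this ConfigMap verbatim, including db-address. A ConfigMap is
#    not a Secret: if db-address embeds database credentials they are readable
#    by anything that can read ConfigMaps in the namespace.
#  - The blob-addr query string is "&"-separated: region, disable_https,
#    use_path_style.
#  - NOTE(review): the default blob-addr host is built from .Release.Namespace
#    while the NATS default uses .Release.Name — confirm which one matches the
#    MinIO service name.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: guac-cm
data:
  guac.yaml: |

    {{- if $.Values.guac.pubSubAddr }}
    pubsub-addr: {{ $.Values.guac.pubSubAddr }}
    {{- else }}
    pubsub-addr: nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}.svc.cluster.local:4222
    {{- end }}

    publish-to-queue: {{ $.Values.guac.collectorPublishToQueue }}

    {{- if $.Values.guac.blobAddr }}
    blob-addr: {{ $.Values.guac.blobAddr }}
    {{- else }}
    blob-addr: s3://bucketname?endpoint=http://{{ .Release.Namespace }}-minio.{{ .Release.Namespace }}.svc.cluster.local:9000&region=us-east-1&disable_https=true&use_path_style=true
    {{- end }}


    # CSub setup
    {{- with (index .Values.guac.collectSub.svcPorts 0) }}
    csub-addr: {{ $.Values.guac.collectSub.name }}.{{ $.Release.Namespace }}.svc.cluster.local:{{ .targetPort }}
    csub-listen-port: {{ .targetPort }}
    {{- end }}

    # GQL setup
    {{- with (index .Values.guac.graphqlServer.svcPorts 0) }}
    gql-backend: {{ $.Values.guac.graphqlServer.backend }}
    gql-listen-port: {{ .targetPort }}
    gql-debug: {{ $.Values.guac.graphqlServer.debug }}
    gql-test-data: false
    gql-addr: http://{{ $.Values.guac.graphqlServer.name }}.{{ $.Release.Namespace }}.svc.cluster.local:{{ .targetPort }}/query
    {{- end }}

    # Collector behavior
    service-poll: true
    use-csub: true

    # Certifier behavior - i.e. OSV and CD
    {{- if $.Values.guac.common.certifier.dayBetweenRescan }}
    last-scan: {{ .Values.guac.common.certifier.dayBetweenRescan }}
    {{- end }}
    {{- if $.Values.guac.common.certifier.batchSize }}
    certifier-batch-size: {{ .Values.guac.common.certifier.batchSize }}
    {{- end }}
    {{- if $.Values.guac.common.certifier.latency }}
    certifier-latency: {{ .Values.guac.common.certifier.latency }}
    {{- end }}

    poll: true
    interval: 5m # how often to poll graphql-server to discover new packages

    {{ if eq $.Values.guac.graphqlServer.backend "ent" }}
    # Ent config
    {{- range $key, $val := $.Values.guac.backend.ent }}
    {{ $key }}: {{ $val }}
    {{- end }}
    {{ end }}

{{ end }}

--------------------------------------------------------------------------------
/charts/guac/templates/guacrest-deployment.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
{{ if .Values.guac.restApi.enabled }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Values.guac.restApi.name }}
  {{- if .Values.guac.restApi.annotations }}
  annotations:
{{ toYaml .Values.guac.restApi.annotations | indent 4 }}
  {{- end }}
  labels:
    {{- include "guac.labels" . | nindent 4 }}
    app.kubernetes.io/name: {{ .Values.guac.restApi.name }}
    app.kubernetes.io/component: {{ .Values.guac.restApi.name }}
spec:
  replicas: {{ .Values.guac.restApi.replicas }}
  selector:
    matchLabels:
      {{- include "guac.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/name: {{ .Values.guac.restApi.name }}
      app.kubernetes.io/component: {{ .Values.guac.restApi.name }}
  template:
    metadata:
      labels:
        {{- include "guac.selectorLabels" .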
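| nindent 8 }}
        app.kubernetes.io/name: {{ .Values.guac.restApi.name }}
        app.kubernetes.io/component: {{ .Values.guac.restApi.name }}
    spec:
      # Run under the dedicated ServiceAccount when the chart creates one
      # (guacrest-sa.yaml); otherwise the pod would fall back to the
      # namespace's default ServiceAccount and the created one would be unused.
      {{- if .Values.guac.restApi.serviceAccount.create }}
      serviceAccountName: {{ .Values.guac.restApi.name }}
      {{- end }}
      containers:
        - name: {{ .Values.guac.restApi.name }}
        # Prefer the immutable digest reference; the tag form is the fallback.
        {{- if .Values.guac.guacImage.digest }}
          image: "{{ .Values.guac.guacImage.repository }}@{{ .Values.guac.guacImage.digest }}"
        {{- else }}
          image: "{{ .Values.guac.guacImage.repository }}:{{ .Values.guac.guacImage.tag | default .Chart.AppVersion}}"
        {{- end }}
          imagePullPolicy: "{{ .Values.guac.guacImage.pullPolicy }}"
          command:
{{ toYaml .Values.guac.restApi.image.command | indent 10 }}
          workingDir: {{ .Values.guac.guacImage.workingDir }}
        # NOTE(review): the guard tests restApi.ports but the rendered value is
        # restApi.image.ports — confirm which key values.yaml defines.
        {{- if .Values.guac.restApi.ports }}
          ports:
{{ toYaml .Values.guac.restApi.image.ports | indent 10 }}
        {{- end }}
          volumeMounts:
            - name: guac-config
              mountPath: {{ .Values.guac.guacImage.workingDir }}
              readOnly: true

        # Component-specific environment comes from restApi.env, matching the
        # other Deployments in this chart. Reading graphqlServer.env here would
        # hand the GraphQL server's variables to the REST API pods as well.
        {{- if or .Values.guac.common.env .Values.guac.restApi.env }}
          env:
          {{- if .Values.guac.common.env }}
{{ toYaml .Values.guac.common.env | indent 10 }}
          {{- end }}
          {{- if .Values.guac.restApi.env }}
{{ toYaml .Values.guac.restApi.env | indent 10 }}
          {{- end }}
        {{- end }}

      {{- if .Values.imagePullSecrets }}
      imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
      {{- end }}
      volumes:
        - name: guac-config
          configMap:
            name: guac-cm
      {{- if .Values.guac.restApi.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.guac.restApi.nodeSelector | indent 8 }}
      {{- end }}

      {{- if or .Values.guac.common.tolerations .Values.guac.restApi.tolerations }}
      tolerations:
      {{- if .Values.guac.common.tolerations }}
{{ toYaml .Values.guac.common.tolerations | indent 8 }}
      {{- end }}
      {{- if .Values.guac.restApi.tolerations }}
{{ toYaml .Values.guac.restApi.tolerations | indent 8 }}
      {{- end }}
      {{- end }}


{{- end }}

--------------------------------------------------------------------------------
/charts/guac/templates/guacrest-sa.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
#
# ServiceAccount for the REST API, rendered only when the component is enabled
# and serviceAccount.create is set.
{{ if .Values.guac.restApi.enabled }}
{{ if .Values.guac.restApi.serviceAccount.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.guac.restApi.name }}
  # Guard on the value that is rendered (serviceAccount.annotations), not on
  # the Deployment's restApi.annotations, so ServiceAccount annotations are
  # neither dropped nor rendered as an empty block.
  {{- if .Values.guac.restApi.serviceAccount.annotations }}
  annotations:
{{ toYaml .Values.guac.restApi.serviceAccount.annotations | indent 4 }}
  {{- end }}
  labels:
    {{- include "guac.labels" . | nindent 4 }}
    app.kubernetes.io/name: {{ .Values.guac.restApi.name }}
    app.kubernetes.io/component: {{ .Values.guac.restApi.name }}
{{- end }}
{{- end }}

--------------------------------------------------------------------------------
/charts/guac/templates/guacrest-service.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
{{ if .Values.guac.restApi.enabled }}
{{- if .Values.guac.restApi.svcPorts }}
---
apiVersion: v1
kind: Service
metadata:
  name: {{ .Values.guac.restApi.name }}
  labels:
    {{- include "guac.labels" . | nindent 4 }}
    app.kubernetes.io/name: {{ .Values.guac.restApi.name }}
    app.kubernetes.io/component: {{ .Values.guac.restApi.name }}
spec:
  selector:
    {{- include "guac.selectorLabels" . | nindent 4 }}
    app.kubernetes.io/name: {{ .Values.guac.restApi.name }}
    app.kubernetes.io/component: {{ .Values.guac.restApi.name }}
  ports:
  {{- range .Values.guac.restApi.svcPorts }}
    - {{ .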
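| toYaml | indent 6 | trim }}
  {{- end }}
{{- end }}
{{- end }}

--------------------------------------------------------------------------------
/charts/guac/templates/ingest-guac-data-job.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
#
# Sample-data loader: a post-install/post-upgrade hook Job plus the ConfigMap
# holding its script. Two containers share an emptyDir:
#   data-preper   installs git and clones the guac-data repository;
#   data-ingestor installs curl, downloads guacone and guaccollect, waits for
#                 the clone to finish, then runs both against the cloned data.
#
# Supply-chain caveats (relevant because the Job runs inside the cluster with
# access to the GUAC config and services):
#   - ubuntu:22.04 is referenced by a mutable tag, not a digest.
#   - git and curl are installed with apt-get at run time.
#   - The two binaries come from the "latest" GitHub release and are executed
#     without any checksum or signature verification.
#   - guac-data is cloned without pinning a commit.
# Each run can therefore execute different code. Hardening means pinning the
# image by digest, pinning a release version and verifying its published
# checksum or signature before chmod +x, and checking out a fixed commit.
# No securityContext is set; as written the containers need root for apt-get.
{{- if .Values.guac.sampleData.ingest }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ .Values.guac.sampleData.jobName }}
  labels:
    {{- include "guac.labels" . | nindent 4 }}
    app.kubernetes.io/name: {{ .Values.guac.sampleData.jobName }}
  annotations:
    "helm.sh/hook": post-install, post-upgrade
    "helm.sh/hook-weight": "10"
spec:
  backoffLimit: 5
  template:
    metadata:
      labels:
        {{- include "guac.labels" . | nindent 8 }}
        app.kubernetes.io/name: {{ .Values.guac.sampleData.jobName }}
    spec:
      containers:
        - name: data-ingestor
          image: "ubuntu:22.04"
          command: ['sh', '-c', '/tmp/guac/ingest-guac-data.sh ingest-data']
          # NOTE(review): this reads guac.workingDir while the sibling container
          # and the volume mounts read guac.guacImage.workingDir — confirm the
          # key exists in values.yaml.
          workingDir: {{ .Values.guac.workingDir }}

        {{- if or .Values.guac.common.env .Values.guac.sampleData.env }}
          env:
          {{- if .Values.guac.common.env }}
{{ toYaml .Values.guac.common.env | indent 10 }}
          {{- end }}
          {{- if .Values.guac.sampleData.env }}
{{ toYaml .Values.guac.sampleData.env | indent 10 }}
          {{- end }}
        {{- end }}

          volumeMounts:
            - name: guac-config
              mountPath: {{ .Values.guac.guacImage.workingDir }}
              readOnly: true
            - name: ingest-guac-data
              mountPath: /tmp/guac
            - name: shared-data
              mountPath: /shared-data
        - name: data-preper
          image: "ubuntu:22.04"
          command: ['sh', '-c', '/tmp/guac/ingest-guac-data.sh prep-data']
          workingDir: {{ .Values.guac.guacImage.workingDir }}
          volumeMounts:
            - name: guac-config
              mountPath: {{ .Values.guac.guacImage.workingDir }}
              readOnly: true
            - name: ingest-guac-data
              mountPath: /tmp/guac
            - name: shared-data
              mountPath: /shared-data
      restartPolicy: OnFailure
      {{- if .Values.imagePullSecrets }}
      imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
      {{- end }}
      volumes:
        - name: guac-config
          configMap:
            name: guac-cm
        - name: ingest-guac-data
          configMap:
            name: {{ .Values.guac.sampleData.jobName }}
            # 0755 so the mounted script can be executed directly.
            defaultMode: 0755
        - name: shared-data
          emptyDir: {}

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Values.guac.sampleData.jobName }}
  labels:
    app.kubernetes.io/name: {{ .Values.guac.sampleData.jobName }}
    app.kubernetes.io/component: {{ .Values.guac.sampleData.jobName }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/part-of: "guac"
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
data:
  ingest-guac-data.sh: |
    #!/usr/bin/env bash
    # Usage: ingest-guac-data.sh prep-data | ingest-data
    set -e

    SHARED_DATA=/shared-data
    # Created by prep-data once the clone is complete; ingest-data polls for it.
    INDICATOR_FILE=${SHARED_DATA}/done_loading_data
    GUAC_DATA_REPO=https://github.com/guacsec/guac-data.git

    case "$1" in

      prep-data) echo "Preparing sample data"
        apt-get update && apt-get install -y git
        # Clones whatever the default branch currently points at (no pinned commit).
        git clone ${GUAC_DATA_REPO} ${SHARED_DATA}/guac-data
        touch ${INDICATOR_FILE}
        ;;

      ingest-data) echo "Ingesting sample data"
        export GUACSEC_HOME="/guac"

        apt-get update && apt-get install -y curl
        # --fail: an HTTP error aborts the script instead of saving an error
        # page that would then be marked executable and run.
        # --proto/--proto-redir: refuse any non-HTTPS URL or redirect.
        # The downloads are still unverified: no checksum or signature is
        # checked, and "latest" moves with every upstream release.
        curl --fail --location --proto '=https' --proto-redir '=https' https://github.com/guacsec/guac/releases/latest/download/guacone-linux-amd64 -o /tmp/guacone
        curl --fail --location --proto '=https' --proto-redir '=https' https://github.com/guacsec/guac/releases/latest/download/guaccollect-linux-amd64 -o /tmp/guaccollect
        chmod +x /tmp/guacone /tmp/guaccollect

        # Wait for the prep-data container to finish cloning.
        while [ ! -f ${INDICATOR_FILE} ]
        do
          sleep 3
        done

        cd ${GUACSEC_HOME}

        echo running guaccollect... at ${SHARED_DATA}/guac-data/docs
        ls -la ${SHARED_DATA}/guac-data/docs
        time /tmp/guaccollect files --service-poll=false ${SHARED_DATA}/guac-data/docs

        sleep 3

        echo running guacone collect...
        time /tmp/guacone collect files ${SHARED_DATA}/guac-data/top-dh-sboms/zookeeper.json
        # for d in guac-data/docs
        # do
        # done



        rm ${INDICATOR_FILE}
        ;;

      *) echo "$1 is not supported"
        # Fail the container so a wrong sub-command is not reported as success.
        exit 1
        ;;
    esac

{{- end }}

--------------------------------------------------------------------------------
/charts/guac/templates/ingestor-deployment.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
{{ if .Values.guac.ingestor.enabled }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Values.guac.ingestor.name }}
  {{- if .Values.guac.ingestor.annotations }}
  annotations:
{{ toYaml .Values.guac.ingestor.annotations | indent 4 }}
  {{- end }}
  labels:
    {{- include "guac.labels" . | nindent 4 }}
    app.kubernetes.io/name: {{ .Values.guac.ingestor.name }}
    app.kubernetes.io/component: {{ .Values.guac.ingestor.name }}
spec:
  replicas: {{ .Values.guac.ingestor.replicas }}
  selector:
    matchLabels:
      {{- include "guac.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/name: {{ .Values.guac.ingestor.name }}
      app.kubernetes.io/component: {{ .Values.guac.ingestor.name }}
  template:
    metadata:
      labels:
        {{- include "guac.selectorLabels" .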
| nindent 8 }} 28 | app.kubernetes.io/name: {{ .Values.guac.ingestor.name }} 29 | app.kubernetes.io/component: {{ .Values.guac.ingestor.name }} 30 | spec: 31 | serviceAccountName: {{ .Values.guac.ingestor.name }} 32 | containers: 33 | - name: {{ .Values.guac.ingestor.name }} 34 | {{- if .Values.guac.guacImage.digest }} 35 | image: "{{ .Values.guac.guacImage.repository }}@{{ .Values.guac.guacImage.digest }}" 36 | {{- else }} 37 | image: "{{ .Values.guac.guacImage.repository }}:{{ .Values.guac.guacImage.tag | default .Chart.AppVersion}}" 38 | {{- end }} 39 | imagePullPolicy: "{{ .Values.guac.guacImage.pullPolicy }}" 40 | command: 41 | {{ toYaml .Values.guac.ingestor.image.command | indent 10 }} 42 | workingDir: {{ .Values.guac.guacImage.workingDir }} 43 | {{- if .Values.guac.ingestor.ports }} 44 | ports: 45 | {{ toYaml .Values.guac.ingestor.image.ports | indent 10 }} 46 | {{- end }} 47 | {{- if .Values.guac.ingestor.resources }} 48 | resources: {{- toYaml .Values.guac.ingestor.resources | nindent 10 }} 49 | {{- end }} 50 | volumeMounts: 51 | - name: guac-config 52 | mountPath: {{ .Values.guac.guacImage.workingDir }} 53 | readOnly: true 54 | 55 | {{- if or .Values.guac.common.env .Values.guac.ingestor.env }} 56 | env: 57 | {{- if .Values.guac.common.env }} 58 | {{ toYaml .Values.guac.common.env | indent 10 }} 59 | {{- end }} 60 | {{- if .Values.guac.ingestor.env }} 61 | {{ toYaml .Values.guac.ingestor.env | indent 10 }} 62 | {{- end }} 63 | {{- end }} 64 | 65 | {{- if .Values.imagePullSecrets }} 66 | imagePullSecrets: 67 | {{ toYaml .Values.imagePullSecrets | indent 8 }} 68 | {{- end }} 69 | volumes: 70 | - name: guac-config 71 | configMap: 72 | name: guac-cm 73 | {{- if .Values.guac.ingestor.nodeSelector }} 74 | nodeSelector: 75 | {{ toYaml .Values.guac.ingestor.nodeSelector | indent 8 }} 76 | {{- end }} 77 | 78 | {{- if or .Values.guac.common.tolerations .Values.guac.ingestor.tolerations }} 79 | tolerations: 80 | {{- if .Values.guac.common.tolerations }} 81 | {{ 
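toYaml .Values.guac.common.tolerations | indent 8 }}
      {{- end }}
      {{- if .Values.guac.ingestor.tolerations }}
{{ toYaml .Values.guac.ingestor.tolerations | indent 8 }}
      {{- end }}
      {{- end }}


{{- end }}

--------------------------------------------------------------------------------
/charts/guac/templates/ingestor-sa.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
#
# ServiceAccount for the ingestor, rendered only when the component is enabled
# and serviceAccount.create is set.
{{ if .Values.guac.ingestor.enabled }}
{{ if .Values.guac.ingestor.serviceAccount.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.guac.ingestor.name }}
  # Guard on the value that is rendered (serviceAccount.annotations), not on
  # the Deployment's ingestor.annotations, so ServiceAccount annotations are
  # neither dropped nor rendered as an empty block.
  {{- if .Values.guac.ingestor.serviceAccount.annotations }}
  annotations:
{{ toYaml .Values.guac.ingestor.serviceAccount.annotations | indent 4 }}
  {{- end }}
  labels:
    {{- include "guac.labels" . | nindent 4 }}
    app.kubernetes.io/name: {{ .Values.guac.ingestor.name }}
    app.kubernetes.io/component: {{ .Values.guac.ingestor.name }}
{{- end }}
{{- end }}

--------------------------------------------------------------------------------
/charts/guac/templates/ingress.yaml:
--------------------------------------------------------------------------------
{{- /*
Ingress for the web UI and the GraphQL API.

Review points:
  - No tls: section is rendered, so TLS has to come from the ingress
    controller's defaults or from guac.ingress.annotations.
  - /playground and /query route straight to the GraphQL server and nothing in
    this template adds authentication; confirm access control exists upstream
    before publishing these hostnames.
  - Backend names and ports (graphql-server:8080, visualizer:3000) are fixed
    here and do not follow guac.graphqlServer.name / guac.visualizer.name.
  - When apiHostname is unset, the trailing /query path is appended to the
    webuiHostname rule. NOTE(review): with neither hostname set the rules list
    has no host entry — verify that case renders a valid manifest.
*/ -}}
{{- if .Values.guac.ingress.enabled -}}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{ .Release.Namespace }}
  namespace: {{ .Release.Namespace }}

  {{- if .Values.guac.ingress.annotations }}
  annotations:
{{ toYaml .Values.guac.ingress.annotations | indent 4 }}
  {{- end }}

  labels:
    {{- include "guac.labels" . | nindent 4 }}
    {{- range $key, $value := .Values.guac.ingress.extraLabels }}
    {{ $key }}: {{ $value }}
    {{- end }}

spec:
  {{- if .Values.guac.ingress.ingressClassName }}
  ingressClassName: {{ .Values.guac.ingress.ingressClassName }}
  {{- end }}
  rules:
  {{ if .Values.guac.ingress.webuiHostname }}
    - host: {{ .Values.guac.ingress.webuiHostname }}
      http: &http
        paths:
          - path: /playground
            pathType: Prefix
            backend:
              service:
                name: graphql-server
                port:
                  number: 8080
          - path: /
            pathType: Prefix
            backend:
              service:
                name: visualizer
                port:
                  number: 3000
  {{ end }}
  {{ if .Values.guac.ingress.apiHostname }}
    - host: {{ .Values.guac.ingress.apiHostname }}
      http:
        paths:
  {{ end }}
          - path: /query
            pathType: Prefix
            backend:
              service:
                name: graphql-server
                port:
                  number: 8080
{{- end -}}

--------------------------------------------------------------------------------
/charts/guac/templates/ingressroute.yaml:
--------------------------------------------------------------------------------
{{- /*
Traefik IngressRoute for the GraphQL query endpoint.

Review points:
  - The rule matches on a request header (hostMatchingHeader == apiHostname)
    together with the path. NOTE(review): confirm the chosen header is set by
    a trusted hop and cannot simply be supplied by the client.
  - The backend is reached over plain http on graphql-server:8080, with the
    service name and port fixed here rather than taken from values.
  - The traefik.containo.us API group is the older Traefik CRD group; confirm
    the target Traefik version still serves it.
*/ -}}
{{- if .Values.guac.traefikIngressRoute.enabled -}}
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: {{ .Release.Namespace }}
  namespace: {{ .Release.Namespace }}
spec:
  entryPoints:
  {{- range .Values.guac.traefikIngressRoute.entryPoints }}
    - {{ . | toYaml | indent 6 | trim }}
  {{- end }}
  routes:
    - kind: Rule
      match: (Headers(`{{ .Values.guac.traefikIngressRoute.hostMatchingHeader }}`, `{{ .Values.guac.traefikIngressRoute.apiHostname }}`) && Path(`{{ .Values.guac.traefikIngressRoute.gqlPath }}`))
      services:
        - kind: Service
          name: graphql-server
          namespace: {{ .Release.Namespace }}
          port: 8080
          scheme: http
{{- end -}}

--------------------------------------------------------------------------------
/charts/guac/templates/oci-collector-deployment.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
{{ if .Values.guac.ociCollector.enabled }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Values.guac.ociCollector.name }}
  {{- if .Values.guac.ociCollector.annotations }}
  annotations:
{{ toYaml .Values.guac.ociCollector.annotations | indent 4 }}
  {{- end }}
  labels:
    {{- include "guac.labels" . | nindent 4 }}
    app.kubernetes.io/name: {{ .Values.guac.ociCollector.name }}
    app.kubernetes.io/component: {{ .Values.guac.ociCollector.name }}
spec:
  replicas: {{ .Values.guac.ociCollector.replicas }}
  selector:
    matchLabels:
      {{- include "guac.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/name: {{ .Values.guac.ociCollector.name }}
      app.kubernetes.io/component: {{ .Values.guac.ociCollector.name }}
  template:
    metadata:
      labels:
        {{- include "guac.selectorLabels" .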
| nindent 8 }} 28 | app.kubernetes.io/name: {{ .Values.guac.ociCollector.name }} 29 | app.kubernetes.io/component: {{ .Values.guac.ociCollector.name }} 30 | spec: 31 | serviceAccountName: {{ .Values.guac.ociCollector.name }} 32 | containers: 33 | - name: {{ .Values.guac.ociCollector.name }} 34 | {{- if .Values.guac.guacImage.digest }} 35 | image: "{{ .Values.guac.guacImage.repository }}@{{ .Values.guac.guacImage.digest }}" 36 | {{- else }} 37 | image: "{{ .Values.guac.guacImage.repository }}:{{ .Values.guac.guacImage.tag | default .Chart.AppVersion}}" 38 | {{- end }} 39 | imagePullPolicy: "{{ .Values.guac.guacImage.pullPolicy }}" 40 | command: 41 | {{ toYaml .Values.guac.ociCollector.image.command | indent 10 }} 42 | workingDir: {{ .Values.guac.guacImage.workingDir }} 43 | {{- if .Values.guac.ociCollector.ports }} 44 | ports: 45 | {{ toYaml .Values.guac.ociCollector.image.ports | indent 10 }} 46 | {{- end }} 47 | {{- if .Values.guac.ociCollector.resources }} 48 | resources: {{- toYaml .Values.guac.ociCollector.resources | nindent 10 }} 49 | {{- end }} 50 | volumeMounts: 51 | - name: guac-config 52 | mountPath: {{ .Values.guac.guacImage.workingDir }} 53 | readOnly: true 54 | 55 | {{- if or .Values.guac.common.env .Values.guac.ociCollector.env }} 56 | env: 57 | {{- if .Values.guac.common.env }} 58 | {{ toYaml .Values.guac.common.env | indent 10 }} 59 | {{- end }} 60 | {{- if .Values.guac.ociCollector.env }} 61 | {{ toYaml .Values.guac.ociCollector.env | indent 10 }} 62 | {{- end }} 63 | {{- end }} 64 | 65 | {{- if .Values.imagePullSecrets }} 66 | imagePullSecrets: 67 | {{ toYaml .Values.imagePullSecrets | indent 8 }} 68 | {{- end }} 69 | volumes: 70 | - name: guac-config 71 | configMap: 72 | name: guac-cm 73 | {{- if .Values.guac.ociCollector.nodeSelector }} 74 | nodeSelector: 75 | {{ toYaml .Values.guac.ociCollector.nodeSelector | indent 8 }} 76 | {{- end }} 77 | 78 | {{- if or .Values.guac.common.tolerations .Values.guac.ociCollector.tolerations }} 79 | 
tolerations: 80 | {{- if .Values.guac.common.tolerations }} 81 | {{ toYaml .Values.guac.common.tolerations | indent 8 }} 82 | {{- end }} 83 | {{- if .Values.guac.ociCollector.tolerations }} 84 | {{ toYaml .Values.guac.ociCollector.tolerations | indent 8 }} 85 | {{- end }} 86 | {{- end }} 87 | 88 | 89 | {{- end }} 90 | -------------------------------------------------------------------------------- /charts/guac/templates/oci-collector-sa.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 3 | {{ if .Values.guac.ociCollector.enabled }} 4 | {{ if .Values.guac.ociCollector.serviceAccount.create }} 5 | --- 6 | apiVersion: v1 7 | kind: ServiceAccount 8 | metadata: 9 | name: {{ .Values.guac.ociCollector.name }} 10 | {{- if .Values.guac.ociCollector.annotations }} 11 | annotations: 12 | {{ toYaml .Values.guac.ociCollector.serviceAccount.annotations | indent 4 }} 13 | {{- end }} 14 | labels: 15 | {{- include "guac.labels" . | nindent 4 }} 16 | app.kubernetes.io/name: {{ .Values.guac.ociCollector.name }} 17 | app.kubernetes.io/component: {{ .Values.guac.ociCollector.name }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/guac/templates/osv-certifier-deployment.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 
3 | {{ if .Values.guac.osvCertifier.enabled }} 4 | --- 5 | apiVersion: apps/v1 6 | kind: Deployment 7 | metadata: 8 | name: {{ .Values.guac.osvCertifier.name }} 9 | {{- if .Values.guac.osvCertifier.annotations }} 10 | annotations: 11 | {{ toYaml .Values.guac.osvCertifier.annotations | indent 4 }} 12 | {{- end }} 13 | labels: 14 | {{- include "guac.labels" . | nindent 4 }} 15 | app.kubernetes.io/name: {{ .Values.guac.osvCertifier.name }} 16 | app.kubernetes.io/component: {{ .Values.guac.osvCertifier.name }} 17 | spec: 18 | replicas: {{ .Values.guac.osvCertifier.replicas }} 19 | selector: 20 | matchLabels: 21 | {{- include "guac.selectorLabels" . | nindent 6 }} 22 | app.kubernetes.io/name: {{ .Values.guac.osvCertifier.name }} 23 | app.kubernetes.io/component: {{ .Values.guac.osvCertifier.name }} 24 | template: 25 | metadata: 26 | labels: 27 | {{- include "guac.selectorLabels" . | nindent 8 }} 28 | app.kubernetes.io/name: {{ .Values.guac.osvCertifier.name }} 29 | app.kubernetes.io/component: {{ .Values.guac.osvCertifier.name }} 30 | spec: 31 | serviceAccountName: {{ .Values.guac.osvCertifier.name }} 32 | containers: 33 | - name: {{ .Values.guac.osvCertifier.name }} 34 | {{- if .Values.guac.guacImage.digest }} 35 | image: "{{ .Values.guac.guacImage.repository }}@{{ .Values.guac.guacImage.digest }}" 36 | {{- else }} 37 | image: "{{ .Values.guac.guacImage.repository }}:{{ .Values.guac.guacImage.tag | default .Chart.AppVersion}}" 38 | {{- end }} 39 | imagePullPolicy: "{{ .Values.guac.guacImage.pullPolicy }}" 40 | command: 41 | {{ toYaml .Values.guac.osvCertifier.image.command | indent 10 }} 42 | workingDir: {{ .Values.guac.guacImage.workingDir }} 43 | {{- if .Values.guac.osvCertifier.ports }} 44 | ports: 45 | {{ toYaml .Values.guac.osvCertifier.image.ports | indent 10 }} 46 | {{- end }} 47 | {{- if .Values.guac.osvCertifier.resources }} 48 | resources: {{- toYaml .Values.guac.osvCertifier.resources | nindent 10 }} 49 | {{- end }} 50 | volumeMounts: 51 | - name: 
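guac-config 52 | mountPath: {{ .Values.guac.guacImage.workingDir }} 53 | readOnly: true 54 | 55 | {{- if or .Values.guac.common.env .Values.guac.osvCertifier.env }} 56 | env: 57 | {{- if .Values.guac.common.env }} 58 | {{ toYaml .Values.guac.common.env | indent 10 }} 59 | {{- end }} 60 | {{- if .Values.guac.osvCertifier.env }} 61 | {{ toYaml .Values.guac.osvCertifier.env | indent 10 }} 62 | {{- end }} 63 | {{- end }} 64 | 65 | {{- if .Values.imagePullSecrets }} 66 | imagePullSecrets: 67 | {{ toYaml .Values.imagePullSecrets | indent 8 }} 68 | {{- end }} 69 | volumes: 70 | - name: guac-config 71 | configMap: 72 | name: guac-cm 73 | {{- if .Values.guac.osvCertifier.nodeSelector }} 74 | nodeSelector: 75 | {{ toYaml .Values.guac.osvCertifier.nodeSelector | indent 8 }} 76 | {{- end }} 77 | 78 | {{- if or .Values.guac.common.tolerations .Values.guac.osvCertifier.tolerations }} 79 | tolerations: 80 | {{- if .Values.guac.common.tolerations }} 81 | {{ toYaml .Values.guac.common.tolerations | indent 8 }} 82 | {{- end }} 83 | {{- if .Values.guac.osvCertifier.tolerations }} 84 | {{ toYaml .Values.guac.osvCertifier.tolerations | indent 8 }} 85 | {{- end }} 86 | {{- end }} 87 | 88 | {{- end }} 89 |
--------------------------------------------------------------------------------
/charts/guac/templates/osv-certifier-sa.yaml:
--------------------------------------------------------------------------------
1  | # Copyright Kusari, Inc. and GUAC contributors
2  | # Licensed under the MIT license. See LICENSE file in the project root for details.
3  | #
4  | # ServiceAccount for the OSV certifier. It is rendered only when both
5  | # guac.osvCertifier.enabled and guac.osvCertifier.serviceAccount.create are set.
6  | {{ if .Values.guac.osvCertifier.enabled }}
7  | {{ if .Values.guac.osvCertifier.serviceAccount.create }}
8  | ---
9  | apiVersion: v1
10 | kind: ServiceAccount
11 | metadata:
12 |   name: {{ .Values.guac.osvCertifier.name }}
13 |   # The guard tests the same key that is rendered below. Guarding on
14 |   # guac.osvCertifier.annotations instead would silently drop the
15 |   # serviceAccount annotations (for example an identity binding) whenever
16 |   # the component-level annotations are unset.
17 |   {{- if .Values.guac.osvCertifier.serviceAccount.annotations }}
18 |   annotations:
19 | {{ toYaml .Values.guac.osvCertifier.serviceAccount.annotations | indent 4 }}
20 |   {{- end }}
21 |   labels:
22 |     {{- include "guac.labels" . | nindent 4 }}
23 |     app.kubernetes.io/name: {{ .Values.guac.osvCertifier.name }}
24 |     app.kubernetes.io/component: {{ .Values.guac.osvCertifier.name }}
25 | {{- end }}
26 | {{- end }}
27 |
--------------------------------------------------------------------------------
/charts/guac/templates/visualizer-deployment.yaml:
--------------------------------------------------------------------------------
1   | # Copyright Kusari, Inc. and GUAC contributors
2   | # Licensed under the MIT license. See LICENSE file in the project root for details.
3   | #
4   | # Deployment for the GUAC visualizer, rendered only when guac.visualizer.enabled
5   | # is set. The pod runs two containers: an nginx sidecar on port 8080 that loads
6   | # its config from the visualizer-proxy-cm ConfigMap, and the visualizer image.
7   | #
8   | # NOTE(review): neither container sets securityContext or resources in this
9   | # template, so both depend on cluster defaults and admission policy.
10  | {{ if .Values.guac.visualizer.enabled }}
11  | ---
12  | apiVersion: apps/v1
13  | kind: Deployment
14  | metadata:
15  |   name: {{ .Values.guac.visualizer.name }}
16  |   {{- if .Values.guac.visualizer.annotations }}
17  |   annotations:
18  | {{ toYaml .Values.guac.visualizer.annotations | indent 4 }}
19  |   {{- end }}
20  |   labels:
21  |     {{- include "guac.labels" . | nindent 4 }}
22  |     app.kubernetes.io/name: {{ .Values.guac.visualizer.name }}
23  |     app.kubernetes.io/component: {{ .Values.guac.visualizer.name }}
24  | spec:
25  |   replicas: {{ .Values.guac.visualizer.replicas }}
26  |   selector:
27  |     matchLabels:
28  |       {{- include "guac.selectorLabels" . | nindent 6 }}
29  |       app.kubernetes.io/name: {{ .Values.guac.visualizer.name }}
30  |       app.kubernetes.io/component: {{ .Values.guac.visualizer.name }}
31  |   template:
32  |     metadata:
33  |       labels:
34  |         {{- include "guac.selectorLabels" . | nindent 8 }}
35  |         app.kubernetes.io/name: {{ .Values.guac.visualizer.name }}
36  |         app.kubernetes.io/component: {{ .Values.guac.visualizer.name }}
37  |     spec:
38  |       containers:
39  |         # workaround the problem that next.config.js can't set gql-addr dynamically
40  |         # NOTE(review): the sidecar image is hard-coded and referenced by tag only.
41  |         # The visualizer image below can be pinned by digest; this one cannot be
42  |         # overridden or pinned from values.
43  |         - name: nginx
44  |           image: nginx:1.25.1
45  |           ports:
46  |             - containerPort: 8080
47  |           volumeMounts:
48  |             - name: visualizer-proxy-config
49  |               mountPath: /etc/nginx/conf.d/default.conf
50  |               subPath: default.conf
51  |               readOnly: true
52  |         - name: {{ .Values.guac.visualizer.name }}
53  |           # A digest, when set, takes precedence over the tag.
54  |           {{- if .Values.guac.visualizer.image.digest }}
55  |           image: "{{ .Values.guac.visualizer.image.repository }}@{{ .Values.guac.visualizer.image.digest }}"
56  |           {{- else }}
57  |           image: "{{ .Values.guac.visualizer.image.repository }}:{{ .Values.guac.visualizer.image.tag | default .Chart.AppVersion}}"
58  |           {{- end }}
59  |           imagePullPolicy: "{{ .Values.guac.visualizer.image.pullPolicy }}"
60  |           {{- if .Values.guac.visualizer.image.command }}
61  |           command:
62  | {{ toYaml .Values.guac.visualizer.image.command | indent 10 }}
63  |           {{- end }}
64  |           {{- if .Values.guac.visualizer.image.ports }}
65  |           ports:
66  | {{ toYaml .Values.guac.visualizer.image.ports | indent 10 }}
67  |           {{- end }}
68  |           volumeMounts:
69  |             - name: guac-config
70  |               mountPath: /workspace/guac/guac.yaml
71  |               subPath: guac.yaml
72  |               readOnly: true
73  |
74  |           # Common env entries are emitted first, then the visualizer-specific ones.
75  |           {{- if or .Values.guac.common.env .Values.guac.visualizer.env }}
76  |           env:
77  |             {{- if .Values.guac.common.env }}
78  | {{ toYaml .Values.guac.common.env | indent 10 }}
79  |             {{- end }}
80  |             {{- if .Values.guac.visualizer.env }}
81  | {{ toYaml .Values.guac.visualizer.env | indent 10 }}
82  |             {{- end }}
83  |           {{- end }}
84  |
85  |       {{- if .Values.imagePullSecrets }}
86  |       imagePullSecrets:
87  | {{ toYaml .Values.imagePullSecrets | indent 8 }}
88  |       {{- end }}
89  |       volumes:
90  |         - name: guac-config
91  |           configMap:
92  |             name: guac-cm
93  |         - name: visualizer-proxy-config
94  |           configMap:
95  |             name: visualizer-proxy-cm
96  |       {{- if .Values.guac.visualizer.nodeSelector }}
97  |       nodeSelector:
98  | {{ toYaml .Values.guac.visualizer.nodeSelector | indent 8 }}
99  |       {{- end }}
100 |
101 |       # Common tolerations are emitted first, then the visualizer-specific ones.
102 |       {{- if or .Values.guac.common.tolerations .Values.guac.visualizer.tolerations }}
103 |       tolerations:
104 |         {{- if .Values.guac.common.tolerations }}
105 | {{ toYaml .Values.guac.common.tolerations | indent 8 }}
106 |         {{- end }}
107 |         {{- if .Values.guac.visualizer.tolerations }}
108 | {{ toYaml .Values.guac.visualizer.tolerations | indent 8 }}
109 |         {{- end }}
110 |       {{- end }}
111 |
112 |
113 | {{- end }}
114 |
--------------------------------------------------------------------------------
/charts/guac/templates/visualizer-proxy-cm.yaml:
--------------------------------------------------------------------------------
1  | # Copyright Kusari, Inc. and GUAC contributors
2  | # Licensed under the MIT license. See LICENSE file in the project root for details.
3  | #
4  | # nginx configuration that visualizer-deployment.yaml mounts as
5  | # /etc/nginx/conf.d/default.conf. Requests to /query are proxied to the GraphQL
6  | # server Service, on the targetPort of its first svcPorts entry.
7  | #
8  | # NOTE(review): unlike the visualizer Deployment, this ConfigMap is not wrapped
9  | # in a guac.visualizer.enabled check, so it is rendered even when the visualizer
10 | # is disabled, and the index call below is expected to fail rendering when
11 | # guac.graphqlServer.svcPorts is empty.
12 | # NOTE(review): the /query location forwards the client-supplied Host header
13 | # ($http_host) to the upstream unchanged.
14 | ---
15 | apiVersion: v1
16 | kind: ConfigMap
17 | metadata:
18 |   name: visualizer-proxy-cm
19 | data:
20 |   default.conf: |
21 |     server {
22 |         listen 8080;
23 |         listen [::]:8080;
24 |         server_name localhost;
25 |
26 |         location / {
27 |             root /usr/share/nginx/html;
28 |             index index.html index.htm;
29 |         }
30 |
31 |         location /query {
32 |             proxy_set_header X-Real-IP $remote_addr;
33 |             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
34 |             proxy_set_header X-NginX-Proxy true;
35 |             proxy_ssl_session_reuse off;
36 |             {{- with (index .Values.guac.graphqlServer.svcPorts 0) }}
37 |             proxy_pass http://{{ $.Values.guac.graphqlServer.name }}.{{ $.Release.Namespace }}.svc.cluster.local:{{ .targetPort }}/query;
38 |             {{- end }}
39 |             proxy_set_header Host $http_host;
40 |             proxy_cache_bypass $http_upgrade;
41 |             proxy_redirect off;
42 |         }
43 |
44 |         # redirect server error pages to the static page /50x.html
45 |         #
46 |         error_page 500 502 503 504 /50x.html;
47 |         location = /50x.html {
48 |             root /usr/share/nginx/html;
49 |         }
50 |     }
51 |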
--------------------------------------------------------------------------------
/charts/guac/templates/visualizer-service.yaml:
--------------------------------------------------------------------------------
1  | # Copyright Kusari, Inc. and GUAC contributors
2  | # Licensed under the MIT license. See LICENSE file in the project root for details.
3  | #
4  | # Service in front of the visualizer pods. It is rendered only when
5  | # guac.visualizer.enabled is set and guac.visualizer.svcPorts is non-empty.
6  | # No spec.type is set here, so the Service gets the Kubernetes default type.
7  | {{ if .Values.guac.visualizer.enabled }}
8  | {{- if .Values.guac.visualizer.svcPorts }}
9  | ---
10 | apiVersion: v1
11 | kind: Service
12 | metadata:
13 |   name: {{ .Values.guac.visualizer.name }}
14 |   labels: {{- include "guac.labels" . | nindent 4 }}
15 |     app.kubernetes.io/name: {{ .Values.guac.visualizer.name }}
16 |     app.kubernetes.io/component: {{ .Values.guac.visualizer.name }}
17 | spec:
18 |   # The selector uses the same name/component labels that
19 |   # visualizer-deployment.yaml puts on its pod template.
20 |   selector:
21 |     {{- include "guac.selectorLabels" . | nindent 4 }}
22 |     app.kubernetes.io/name: {{ .Values.guac.visualizer.name }}
23 |     app.kubernetes.io/component: {{ .Values.guac.visualizer.name }}
24 |   ports:
25 |   # Each svcPorts entry is copied through as one list item; the values file
26 |   # decides which ports are exposed.
27 |   {{- range .Values.guac.visualizer.svcPorts }}
28 |     - {{ . | toYaml | indent 6 | trim }}
29 |   {{- end }}
30 | {{- end }}
31 | {{- end }}
32 |
--------------------------------------------------------------------------------
/charts/guac/tests/cd-certifier_deployment_test.yaml:
--------------------------------------------------------------------------------
1  | # Copyright Kusari, Inc. and GUAC contributors
2  | # Licensed under the MIT license. See LICENSE file in the project root for details.
3 | suite: CD Certifier Deployment tests 4 | templates: 5 | - cd-certifier-deployment.yaml 6 | 7 | tests: 8 | - it: deployment should render 9 | asserts: 10 | - isKind: 11 | of: Deployment 12 | - hasDocuments: 13 | count: 1 14 | 15 | - it: should run the cdCertifier image 16 | values: 17 | - ./values_digest_and_tag.yaml 18 | asserts: 19 | - equal: 20 | path: spec.template.spec.containers[0].name 21 | value: cd-certifier 22 | - equal: 23 | path: spec.template.spec.containers[0].image 24 | value: ghcr.io/guacsec/guac@sha256:167e823f36e268f66b12a79d4c4b39df23c2f87847817c161b6c6ddbc9ee5c4e 25 | 26 | - it: should run the cdCertifier sub command 27 | values: 28 | - ./values_digest_and_tag.yaml 29 | asserts: 30 | - equal: 31 | path: spec.template.spec.containers[0].command[0] 32 | value: "sh" 33 | - equal: 34 | path: spec.template.spec.containers[0].command[1] 35 | value: "-c" 36 | - equal: 37 | path: spec.template.spec.containers[0].command[2] 38 | value: "/opt/guac/guaccollect cd" 39 | 40 | - it: should respect spec level parameters 41 | values: 42 | - ./values_digest_and_tag.yaml 43 | asserts: 44 | - equal: 45 | path: spec.replicas 46 | value: 1 47 | - equal: 48 | path: spec.selector.matchLabels["app.kubernetes.io/name"] 49 | value: cd-certifier 50 | - equal: 51 | path: spec.template.metadata.labels["app.kubernetes.io/name"] 52 | value: cd-certifier 53 | 54 | - it: should use tag if only tag is specified 55 | values: 56 | - ./values_tag_no_digest.yaml 57 | asserts: 58 | - equal: 59 | path: spec.template.spec.containers[0].image 60 | value: ghcr.io/guacsec/guac:latest 61 | 62 | - it: should include tolerations 63 | values: 64 | - ./values_combine.yaml 65 | asserts: 66 | - equal: 67 | path: spec.template.spec.tolerations[0].key 68 | value: "kusari.cloud/common" 69 | - equal: 70 | path: spec.template.spec.tolerations[0].value 71 | value: common 72 | - equal: 73 | path: spec.template.spec.tolerations[0].effect 74 | value: NoSchedule 75 | - equal: 76 | path: 
spec.template.spec.tolerations[0].operator 77 | value: Equal 78 | 79 | - equal: 80 | path: spec.template.spec.tolerations[1].key 81 | value: "kusari.cloud/own" 82 | - equal: 83 | path: spec.template.spec.tolerations[1].value 84 | value: own 85 | - equal: 86 | path: spec.template.spec.tolerations[1].effect 87 | value: NoSchedule 88 | - equal: 89 | path: spec.template.spec.tolerations[1].operator 90 | value: Equal 91 | -------------------------------------------------------------------------------- /charts/guac/tests/collectsub_deployment_test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 3 | suite: Collectsub Deployment tests 4 | templates: 5 | - collectsub-deployment.yaml 6 | 7 | tests: 8 | - it: deployment should render 9 | asserts: 10 | - isKind: 11 | of: Deployment 12 | - hasDocuments: 13 | count: 1 14 | 15 | - it: should run the collector image 16 | values: 17 | - ./values_digest_and_tag.yaml 18 | asserts: 19 | - equal: 20 | path: spec.template.spec.containers[0].name 21 | value: collectsub 22 | - equal: 23 | path: spec.template.spec.containers[0].image 24 | value: ghcr.io/guacsec/guac@sha256:167e823f36e268f66b12a79d4c4b39df23c2f87847817c161b6c6ddbc9ee5c4e 25 | 26 | - it: should run the collector sub command 27 | values: 28 | - ./values_digest_and_tag.yaml 29 | asserts: 30 | - equal: 31 | path: spec.template.spec.containers[0].command[0] 32 | value: "sh" 33 | - equal: 34 | path: spec.template.spec.containers[0].command[1] 35 | value: "-c" 36 | - equal: 37 | path: spec.template.spec.containers[0].command[2] 38 | value: "/opt/guac/guaccsub" 39 | 40 | - it: should respect spec level parameters 41 | values: 42 | - ./values_digest_and_tag.yaml 43 | asserts: 44 | - equal: 45 | path: spec.replicas 46 | value: 1 47 | - equal: 48 | path: spec.selector.matchLabels["app.kubernetes.io/name"] 49 | 
value: collectsub 50 | - equal: 51 | path: spec.template.metadata.labels["app.kubernetes.io/name"] 52 | value: collectsub 53 | 54 | - it: should use tag if only tag is specified 55 | values: 56 | - ./values_tag_no_digest.yaml 57 | asserts: 58 | - equal: 59 | path: spec.template.spec.containers[0].image 60 | value: ghcr.io/guacsec/guac:latest 61 | 62 | - it: should include tolerations 63 | values: 64 | - ./values_combine.yaml 65 | asserts: 66 | - equal: 67 | path: spec.template.spec.tolerations[0].key 68 | value: "kusari.cloud/common" 69 | - equal: 70 | path: spec.template.spec.tolerations[0].value 71 | value: common 72 | - equal: 73 | path: spec.template.spec.tolerations[0].effect 74 | value: NoSchedule 75 | - equal: 76 | path: spec.template.spec.tolerations[0].operator 77 | value: Equal 78 | 79 | - equal: 80 | path: spec.template.spec.tolerations[1].key 81 | value: "kusari.cloud/own" 82 | - equal: 83 | path: spec.template.spec.tolerations[1].value 84 | value: own 85 | - equal: 86 | path: spec.template.spec.tolerations[1].effect 87 | value: NoSchedule 88 | - equal: 89 | path: spec.template.spec.tolerations[1].operator 90 | value: Equal 91 | -------------------------------------------------------------------------------- /charts/guac/tests/collectsub_service_test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 
3 | suite: Collectsub Service tests 4 | templates: 5 | - collectsub-service.yaml 6 | 7 | tests: 8 | - it: service should render 9 | asserts: 10 | - isKind: 11 | of: Service 12 | - hasDocuments: 13 | count: 1 14 | 15 | - it: should respect spec level parameters 16 | values: 17 | - ./values_digest_and_tag.yaml 18 | asserts: 19 | - equal: 20 | path: metadata.name 21 | value: collectsub 22 | - equal: 23 | path: metadata.labels["app.kubernetes.io/name"] 24 | value: collectsub 25 | - equal: 26 | path: spec.selector["app.kubernetes.io/name"] 27 | value: collectsub 28 | -------------------------------------------------------------------------------- /charts/guac/tests/configmap_no_test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 3 | suite: No ConfigMap test 4 | templates: 5 | - guac-cm.yaml 6 | 7 | tests: 8 | - it: should not create ConfigMap 9 | values: 10 | - ./values_configmap_no.yaml 11 | asserts: 12 | - hasDocuments: 13 | count: 0 14 | -------------------------------------------------------------------------------- /charts/guac/tests/configmap_test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 
3  | # helm-unittest suite for guac-cm.yaml.
4  | # NOTE(review): the active case checks only kind, document count and name, so
5  | # the overrides loaded from the two values files are not verified at present.
6  | suite: ConfigMap tests
7  | templates:
8  |   - guac-cm.yaml
9  |
10 | tests:
11 |   - it: configmap should render
12 |     values:
13 |       - ./values_ent_backend.yaml
14 |       - ./values_common_certifier.yaml
15 |     asserts:
16 |       - isKind:
17 |           of: ConfigMap
18 |       - hasDocuments:
19 |           count: 1
20 |       - equal:
21 |           path: metadata.name
22 |           value: guac-cm
23 | # Disabled: data["guac.yaml"] is a multi-line string (block scalar '|'), so its
24 | # keys cannot be addressed as an object path. A matchRegex assertion against the
25 | # string at data["guac.yaml"] could cover these values instead.
26 | #      - equal:
27 | #          path: data["guac.yaml"]["db-driver"]
28 | #          value: postgres
29 | #      - equal:
30 | #          path: data["guac.yaml"]["db-address"]
31 | #          value: postgres://guac:guac@host:port/guacDB
32 | #      - equal:
33 | #          path: data["guac.yaml"]["db-migrate"]
34 | #          value: true
35 |
36 | # Disabled for the same reason; the key separator is written as an escaped dot
37 | # in all three paths.
38 | #  - it: should override defaults
39 | #    values:
40 | #      - ./values_common_certifier.yaml
41 | #    asserts:
42 | #      - equal:
43 | #          path: data.guac\.yaml.last-scan
44 | #          value: "5"
45 | #      - equal:
46 | #          path: data.guac\.yaml.certifier-batch-size
47 | #          value: "50000"
48 | #      - equal:
49 | #          path: data.guac\.yaml.certifier-latency
50 | #          value: 5s
51 |
--------------------------------------------------------------------------------
/charts/guac/tests/depsdev-collector_deployment_test.yaml:
--------------------------------------------------------------------------------
1  | # Copyright Kusari, Inc. and GUAC contributors
2  | # Licensed under the MIT license. See LICENSE file in the project root for details.
3 | suite: DepsDev Collector Deployment tests 4 | templates: 5 | - depsdev-collector-deployment.yaml 6 | 7 | tests: 8 | - it: deployment should render 9 | asserts: 10 | - isKind: 11 | of: Deployment 12 | - hasDocuments: 13 | count: 1 14 | 15 | - it: should run the depsDevCollector image 16 | values: 17 | - ./values_digest_and_tag.yaml 18 | asserts: 19 | - equal: 20 | path: spec.template.spec.containers[0].name 21 | value: depsdev-collector 22 | - equal: 23 | path: spec.template.spec.containers[0].image 24 | value: ghcr.io/guacsec/guac@sha256:167e823f36e268f66b12a79d4c4b39df23c2f87847817c161b6c6ddbc9ee5c4e 25 | 26 | - it: should run the depsDevCollector sub command 27 | values: 28 | - ./values_digest_and_tag.yaml 29 | asserts: 30 | - equal: 31 | path: spec.template.spec.containers[0].command[0] 32 | value: "sh" 33 | - equal: 34 | path: spec.template.spec.containers[0].command[1] 35 | value: "-c" 36 | - equal: 37 | path: spec.template.spec.containers[0].command[2] 38 | value: "/opt/guac/guaccollect deps_dev" 39 | 40 | - it: should respect spec level parameters 41 | values: 42 | - ./values_digest_and_tag.yaml 43 | asserts: 44 | - equal: 45 | path: spec.replicas 46 | value: 1 47 | - equal: 48 | path: spec.selector.matchLabels["app.kubernetes.io/name"] 49 | value: depsdev-collector 50 | - equal: 51 | path: spec.template.metadata.labels["app.kubernetes.io/name"] 52 | value: depsdev-collector 53 | 54 | - it: should use tag if only tag is specified 55 | values: 56 | - ./values_tag_no_digest.yaml 57 | asserts: 58 | - equal: 59 | path: spec.template.spec.containers[0].image 60 | value: ghcr.io/guacsec/guac:latest 61 | 62 | - it: should include tolerations 63 | values: 64 | - ./values_combine.yaml 65 | asserts: 66 | - equal: 67 | path: spec.template.spec.tolerations[0].key 68 | value: "kusari.cloud/common" 69 | - equal: 70 | path: spec.template.spec.tolerations[0].value 71 | value: common 72 | - equal: 73 | path: spec.template.spec.tolerations[0].effect 74 | value: NoSchedule 
75 | - equal: 76 | path: spec.template.spec.tolerations[0].operator 77 | value: Equal 78 | 79 | - equal: 80 | path: spec.template.spec.tolerations[1].key 81 | value: "kusari.cloud/own" 82 | - equal: 83 | path: spec.template.spec.tolerations[1].value 84 | value: own 85 | - equal: 86 | path: spec.template.spec.tolerations[1].effect 87 | value: NoSchedule 88 | - equal: 89 | path: spec.template.spec.tolerations[1].operator 90 | value: Equal 91 | -------------------------------------------------------------------------------- /charts/guac/tests/graphql_deployment_test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 3 | suite: GraphQL Deployment tests 4 | templates: 5 | - graphql-server-deployment.yaml 6 | 7 | tests: 8 | - it: deployment should render 9 | asserts: 10 | - isKind: 11 | of: Deployment 12 | - hasDocuments: 13 | count: 1 14 | 15 | - it: should run the gql image 16 | values: 17 | - ./values_digest_and_tag.yaml 18 | asserts: 19 | - equal: 20 | path: spec.template.spec.containers[0].name 21 | value: graphql-server 22 | - equal: 23 | path: spec.template.spec.containers[0].image 24 | value: ghcr.io/guacsec/guac@sha256:167e823f36e268f66b12a79d4c4b39df23c2f87847817c161b6c6ddbc9ee5c4e 25 | 26 | - it: should run the gql-server command 27 | values: 28 | - ./values_digest_and_tag.yaml 29 | asserts: 30 | - equal: 31 | path: spec.template.spec.containers[0].command[0] 32 | value: "sh" 33 | - equal: 34 | path: spec.template.spec.containers[0].command[1] 35 | value: "-c" 36 | - equal: 37 | path: spec.template.spec.containers[0].command[2] 38 | value: "/opt/guac/guacgql" 39 | 40 | - it: should respect spec level parameters 41 | values: 42 | - ./values_digest_and_tag.yaml 43 | asserts: 44 | - equal: 45 | path: spec.replicas 46 | value: 1 47 | - equal: 48 | path: 
spec.selector.matchLabels["app.kubernetes.io/name"] 49 | value: graphql-server 50 | - equal: 51 | path: spec.template.metadata.labels["app.kubernetes.io/name"] 52 | value: graphql-server 53 | 54 | 55 | - it: should use tag if only tag is specified 56 | values: 57 | - ./values_tag_no_digest.yaml 58 | asserts: 59 | - equal: 60 | path: spec.template.spec.containers[0].image 61 | value: ghcr.io/guacsec/guac:latest 62 | 63 | - it: should include tolerations 64 | values: 65 | - ./values_combine.yaml 66 | asserts: 67 | - equal: 68 | path: spec.template.spec.tolerations[0].key 69 | value: "kusari.cloud/common" 70 | - equal: 71 | path: spec.template.spec.tolerations[0].value 72 | value: common 73 | - equal: 74 | path: spec.template.spec.tolerations[0].effect 75 | value: NoSchedule 76 | - equal: 77 | path: spec.template.spec.tolerations[0].operator 78 | value: Equal 79 | 80 | - equal: 81 | path: spec.template.spec.tolerations[1].key 82 | value: "kusari.cloud/own" 83 | - equal: 84 | path: spec.template.spec.tolerations[1].value 85 | value: own 86 | - equal: 87 | path: spec.template.spec.tolerations[1].effect 88 | value: NoSchedule 89 | - equal: 90 | path: spec.template.spec.tolerations[1].operator 91 | value: Equal 92 | -------------------------------------------------------------------------------- /charts/guac/tests/graphql_service_test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 
3 | suite: GraphQL Service tests 4 | templates: 5 | - graphql-server-service.yaml 6 | 7 | tests: 8 | - it: service should render 9 | values: 10 | - "./values_graphql_service.yaml" 11 | asserts: 12 | - isKind: 13 | of: Service 14 | - hasDocuments: 15 | count: 2 16 | - matchRegex: 17 | path: spec.type 18 | pattern: NodePort|ClusterIP 19 | 20 | - it: should respect spec level parameters 21 | values: 22 | - ./values_digest_and_tag.yaml 23 | asserts: 24 | - equal: 25 | path: metadata.name 26 | value: graphql-server 27 | - equal: 28 | path: metadata.labels["app.kubernetes.io/name"] 29 | value: graphql-server 30 | - equal: 31 | path: spec.selector["app.kubernetes.io/name"] 32 | value: graphql-server 33 | -------------------------------------------------------------------------------- /charts/guac/tests/ingestor_deployment_test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 
3 | suite: Ingestor Deployment tests 4 | templates: 5 | - ingestor-deployment.yaml 6 | 7 | tests: 8 | - it: deployment should render 9 | asserts: 10 | - isKind: 11 | of: Deployment 12 | - hasDocuments: 13 | count: 1 14 | 15 | - it: should run the ingestor image 16 | values: 17 | - ./values_digest_and_tag.yaml 18 | asserts: 19 | - equal: 20 | path: spec.template.spec.containers[0].name 21 | value: ingestor 22 | - equal: 23 | path: spec.template.spec.containers[0].image 24 | value: ghcr.io/guacsec/guac@sha256:167e823f36e268f66b12a79d4c4b39df23c2f87847817c161b6c6ddbc9ee5c4e 25 | 26 | - it: should run the collector sub command 27 | values: 28 | - ./values_digest_and_tag.yaml 29 | asserts: 30 | - equal: 31 | path: spec.template.spec.containers[0].command[0] 32 | value: "sh" 33 | - equal: 34 | path: spec.template.spec.containers[0].command[1] 35 | value: "-c" 36 | - equal: 37 | path: spec.template.spec.containers[0].command[2] 38 | value: "/opt/guac/guacingest" 39 | 40 | - it: should respect spec level parameters 41 | values: 42 | - ./values_digest_and_tag.yaml 43 | asserts: 44 | - equal: 45 | path: spec.replicas 46 | value: 1 47 | - equal: 48 | path: spec.selector.matchLabels["app.kubernetes.io/name"] 49 | value: ingestor 50 | - equal: 51 | path: spec.template.metadata.labels["app.kubernetes.io/name"] 52 | value: ingestor 53 | 54 | - it: should use tag if only tag is specified 55 | values: 56 | - ./values_tag_no_digest.yaml 57 | asserts: 58 | - equal: 59 | path: spec.template.spec.containers[0].image 60 | value: ghcr.io/guacsec/guac:latest 61 | 62 | - it: should include tolerations 63 | values: 64 | - ./values_combine.yaml 65 | asserts: 66 | - equal: 67 | path: spec.template.spec.tolerations[0].key 68 | value: "kusari.cloud/common" 69 | - equal: 70 | path: spec.template.spec.tolerations[0].value 71 | value: common 72 | - equal: 73 | path: spec.template.spec.tolerations[0].effect 74 | value: NoSchedule 75 | - equal: 76 | path: spec.template.spec.tolerations[0].operator 
77 | value: Equal 78 | 79 | - equal: 80 | path: spec.template.spec.tolerations[1].key 81 | value: "kusari.cloud/own" 82 | - equal: 83 | path: spec.template.spec.tolerations[1].value 84 | value: own 85 | - equal: 86 | path: spec.template.spec.tolerations[1].effect 87 | value: NoSchedule 88 | - equal: 89 | path: spec.template.spec.tolerations[1].operator 90 | value: Equal 91 | -------------------------------------------------------------------------------- /charts/guac/tests/ingress_test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 3 | suite: Ingress tests 4 | templates: 5 | - ingress.yaml 6 | 7 | tests: 8 | - it: ingress should render 9 | values: 10 | # use Chart Testing config 11 | - ./values_ingress.yaml 12 | asserts: 13 | - isKind: 14 | of: Ingress 15 | - hasDocuments: 16 | count: 1 17 | - equal: 18 | path: spec.ingressClassName 19 | value: traefik 20 | - equal: 21 | path: spec.rules[0].host 22 | value: web.guac.com 23 | - equal: 24 | path: spec.rules[1].host 25 | value: api.guac.com 26 | - equal: 27 | path: metadata.annotations["test-annotation"] 28 | value: test-value 29 | - equal: 30 | path: metadata.labels['test-label'] 31 | value: test-value 32 | -------------------------------------------------------------------------------- /charts/guac/tests/oci_collector_deployment_test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 
3 | suite: OCI Collector Deployment tests 4 | templates: 5 | - oci-collector-deployment.yaml 6 | 7 | tests: 8 | - it: deployment should render 9 | asserts: 10 | - isKind: 11 | of: Deployment 12 | - hasDocuments: 13 | count: 1 14 | 15 | - it: should run the oci collector image 16 | values: 17 | - ./values_digest_and_tag.yaml 18 | asserts: 19 | - equal: 20 | path: spec.template.spec.containers[0].name 21 | value: oci-collector 22 | - equal: 23 | path: spec.template.spec.containers[0].image 24 | value: ghcr.io/guacsec/guac@sha256:167e823f36e268f66b12a79d4c4b39df23c2f87847817c161b6c6ddbc9ee5c4e 25 | 26 | - it: should run the collector sub command 27 | values: 28 | - ./values_digest_and_tag.yaml 29 | asserts: 30 | - equal: 31 | path: spec.template.spec.containers[0].command[0] 32 | value: "sh" 33 | - equal: 34 | path: spec.template.spec.containers[0].command[1] 35 | value: "-c" 36 | - equal: 37 | path: spec.template.spec.containers[0].command[2] 38 | value: "/opt/guac/guaccollect image" 39 | 40 | - it: should respect spec level parameters 41 | values: 42 | - ./values_digest_and_tag.yaml 43 | asserts: 44 | - equal: 45 | path: spec.replicas 46 | value: 1 47 | - equal: 48 | path: spec.selector.matchLabels["app.kubernetes.io/name"] 49 | value: oci-collector 50 | - equal: 51 | path: spec.template.metadata.labels["app.kubernetes.io/name"] 52 | value: oci-collector 53 | 54 | - it: should use tag if only tag is specified 55 | values: 56 | - ./values_tag_no_digest.yaml 57 | asserts: 58 | - equal: 59 | path: spec.template.spec.containers[0].image 60 | value: ghcr.io/guacsec/guac:latest 61 | 62 | - it: should include tolerations 63 | values: 64 | - ./values_combine.yaml 65 | asserts: 66 | - equal: 67 | path: spec.template.spec.tolerations[0].key 68 | value: "kusari.cloud/common" 69 | - equal: 70 | path: spec.template.spec.tolerations[0].value 71 | value: common 72 | - equal: 73 | path: spec.template.spec.tolerations[0].effect 74 | value: NoSchedule 75 | - equal: 76 | path: 
spec.template.spec.tolerations[0].operator 77 | value: Equal 78 | 79 | - equal: 80 | path: spec.template.spec.tolerations[1].key 81 | value: "kusari.cloud/own" 82 | - equal: 83 | path: spec.template.spec.tolerations[1].value 84 | value: own 85 | - equal: 86 | path: spec.template.spec.tolerations[1].effect 87 | value: NoSchedule 88 | - equal: 89 | path: spec.template.spec.tolerations[1].operator 90 | value: Equal 91 | -------------------------------------------------------------------------------- /charts/guac/tests/osv-certifier_deployment_test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 3 | suite: OSV Certifier Deployment tests 4 | templates: 5 | - osv-certifier-deployment.yaml 6 | 7 | tests: 8 | - it: deployment should render 9 | asserts: 10 | - isKind: 11 | of: Deployment 12 | - hasDocuments: 13 | count: 1 14 | 15 | - it: should run the osvCertifier image 16 | values: 17 | - ./values_digest_and_tag.yaml 18 | asserts: 19 | - equal: 20 | path: spec.template.spec.containers[0].name 21 | value: osv-certifier 22 | - equal: 23 | path: spec.template.spec.containers[0].image 24 | value: ghcr.io/guacsec/guac@sha256:167e823f36e268f66b12a79d4c4b39df23c2f87847817c161b6c6ddbc9ee5c4e 25 | 26 | - it: should run the osvCertifier sub command 27 | values: 28 | - ./values_digest_and_tag.yaml 29 | asserts: 30 | - equal: 31 | path: spec.template.spec.containers[0].command[0] 32 | value: "sh" 33 | - equal: 34 | path: spec.template.spec.containers[0].command[1] 35 | value: "-c" 36 | - equal: 37 | path: spec.template.spec.containers[0].command[2] 38 | value: "/opt/guac/guaccollect osv" 39 | 40 | - it: should respect spec level parameters 41 | values: 42 | - ./values_digest_and_tag.yaml 43 | asserts: 44 | - equal: 45 | path: spec.replicas 46 | value: 1 47 | - equal: 48 | path: 
spec.selector.matchLabels["app.kubernetes.io/name"] 49 | value: osv-certifier 50 | - equal: 51 | path: spec.template.metadata.labels["app.kubernetes.io/name"] 52 | value: osv-certifier 53 | 54 | - it: should use tag if only tag is specified 55 | values: 56 | - ./values_tag_no_digest.yaml 57 | asserts: 58 | - equal: 59 | path: spec.template.spec.containers[0].image 60 | value: ghcr.io/guacsec/guac:latest 61 | 62 | - it: should include tolerations 63 | values: 64 | - ./values_combine.yaml 65 | asserts: 66 | - equal: 67 | path: spec.template.spec.tolerations[0].key 68 | value: "kusari.cloud/common" 69 | - equal: 70 | path: spec.template.spec.tolerations[0].value 71 | value: common 72 | - equal: 73 | path: spec.template.spec.tolerations[0].effect 74 | value: NoSchedule 75 | - equal: 76 | path: spec.template.spec.tolerations[0].operator 77 | value: Equal 78 | 79 | - equal: 80 | path: spec.template.spec.tolerations[1].key 81 | value: "kusari.cloud/own" 82 | - equal: 83 | path: spec.template.spec.tolerations[1].value 84 | value: own 85 | - equal: 86 | path: spec.template.spec.tolerations[1].effect 87 | value: NoSchedule 88 | - equal: 89 | path: spec.template.spec.tolerations[1].operator 90 | value: Equal 91 | -------------------------------------------------------------------------------- /charts/guac/tests/rest-api_deployment_test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Kusari, Inc. and GUAC contributors 2 | # Licensed under the MIT license. See LICENSE file in the project root for details. 
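3  | # helm-unittest suite for the guacrest (REST API) Deployment template.
4  | suite: REST API Deployment tests
5  | templates:
6  |   - guacrest-deployment.yaml
7  |
8  | tests:
9  |   - it: deployment should render
10 |     asserts:
11 |       - isKind:
12 |           of: Deployment
13 |       - hasDocuments:
14 |           count: 1
15 |
16 |   - it: should run the restApi image
17 |     values:
18 |       - ./values_digest_and_tag.yaml
19 |     asserts:
20 |       - equal:
21 |           path: spec.template.spec.containers[0].name
22 |           value: rest-api
23 |       - equal:
24 |           path: spec.template.spec.containers[0].image
25 |           value: ghcr.io/guacsec/guac@sha256:167e823f36e268f66b12a79d4c4b39df23c2f87847817c161b6c6ddbc9ee5c4e
26 |
27 |   - it: should run the guacrest command
28 |     values:
29 |       - ./values_digest_and_tag.yaml
30 |     asserts:
31 |       - equal:
32 |           path: spec.template.spec.containers[0].command[0]
33 |           value: "sh"
34 |       - equal:
35 |           path: spec.template.spec.containers[0].command[1]
36 |           value: "-c"
37 |       - equal:
38 |           path: spec.template.spec.containers[0].command[2]
39 |           value: "/opt/guac/guacrest"
40 |
41 |   - it: should respect spec level parameters
42 |     values:
43 |       - ./values_digest_and_tag.yaml
44 |     asserts:
45 |       - equal:
46 |           path: spec.replicas
47 |           value: 1
48 |       - equal:
49 |           path: spec.selector.matchLabels["app.kubernetes.io/name"]
50 |           value: rest-api
51 |       - equal:
52 |           path: spec.template.metadata.labels["app.kubernetes.io/name"]
53 |           value: rest-api
54 |
55 |   - it: should use tag if only tag is specified
56 |     values:
57 |       - ./values_tag_no_digest.yaml
58 |     asserts:
59 |       - equal:
60 |           path: spec.template.spec.containers[0].image
61 |           value: ghcr.io/guacsec/guac:latest
62 |
63 |   - it: should include tolerations
64 |     values:
65 |       - ./values_combine.yaml
66 |     asserts:
67 |       - equal:
68 |           path: spec.template.spec.tolerations[0].key
69 |           value: "kusari.cloud/common"
70 |       - equal:
71 |           path: spec.template.spec.tolerations[0].value
72 |           value: common
73 |       - equal:
74 |           path: spec.template.spec.tolerations[0].effect
75 |           value: NoSchedule
76 |       - equal:
77 |           path: spec.template.spec.tolerations[0].operator
78 |           value: Equal
79 |
80 |       - equal:
81 |           path: spec.template.spec.tolerations[1].key
82 |           value: "kusari.cloud/own"
83 |       - equal:
84 |           path: spec.template.spec.tolerations[1].value
85 |           value: own
86 |       - equal:
87 |           path: spec.template.spec.tolerations[1].effect
88 |           value: NoSchedule
89 |       - equal:
90 |           path: spec.template.spec.tolerations[1].operator
91 |           value: Equal
92 |
--------------------------------------------------------------------------------
/charts/guac/tests/serviceaccount_all_test.yaml:
--------------------------------------------------------------------------------
1  | # Copyright Kusari, Inc. and GUAC contributors
2  | # Licensed under the MIT license. See LICENSE file in the project root for details.
3  | #
4  | # Checks that every listed ServiceAccount template renders one document when
5  | # values_serviceaccount_all.yaml is applied.
6  | # NOTE(review): cd-certifier-sa.yaml exists under templates/ but is not listed
7  | # here, so its ServiceAccount is not covered by this suite.
8  | suite: All Service Account tests
9  | templates:
10 |   - collectsub-sa.yaml
11 |   - depsdev-collector-sa.yaml
12 |   - graphql-server-sa.yaml
13 |   - guacrest-sa.yaml
14 |   - ingestor-sa.yaml
15 |   - oci-collector-sa.yaml
16 |   - osv-certifier-sa.yaml
17 |
18 | tests:
19 |   - it: should create service account
20 |     values:
21 |       - ./values_serviceaccount_all.yaml
22 |     asserts:
23 |       - hasDocuments:
24 |           count: 1
25 |
--------------------------------------------------------------------------------
/charts/guac/tests/serviceaccount_no_test.yaml:
--------------------------------------------------------------------------------
1  | # Copyright Kusari, Inc. and GUAC contributors
2  | # Licensed under the MIT license. See LICENSE file in the project root for details.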
# Checks that no ServiceAccount is rendered by any listed template when
# serviceAccount.create is false for every component.
# NOTE(review): the chart's template directory also contains cd-certifier-sa.yaml,
# which is not listed here - confirm whether it should be covered.
suite: No Service Account tests
templates:
  - collectsub-sa.yaml
  - depsdev-collector-sa.yaml
  - graphql-server-sa.yaml
  - guacrest-sa.yaml
  - ingestor-sa.yaml
  - oci-collector-sa.yaml
  - osv-certifier-sa.yaml

tests:
  - it: should not create service account
    values:
      - ./values_serviceaccount_no.yaml
    asserts:
      - hasDocuments:
          count: 0

--------------------------------------------------------------------------------
/charts/guac/tests/values_combine.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
# Test values: one toleration under guac.common plus one under every component,
# so a deployment test can check that both end up in the rendered pod spec.
guac:

  common:
    tolerations:
      - effect: NoSchedule
        key: kusari.cloud/common
        operator: Equal
        value: common

  ociCollector:
    tolerations:
      - effect: NoSchedule
        key: kusari.cloud/own
        operator: Equal
        value: own

  depsDevCollector:
    tolerations:
      - effect: NoSchedule
        key: kusari.cloud/own
        operator: Equal
        value: own

  osvCertifier:
    tolerations:
      - effect: NoSchedule
        key: kusari.cloud/own
        operator: Equal
        value: own

  cdCertifier:
    tolerations:
      - effect: NoSchedule
        key: kusari.cloud/own
        operator: Equal
        value: own

  ingestor:
    tolerations:
      - effect: NoSchedule
        key: kusari.cloud/own
        operator: Equal
        value: own

  collectSub:
    tolerations:
      - effect: NoSchedule
        key: kusari.cloud/own
        operator: Equal
        value: own

  graphqlServer:
    tolerations:
      - effect: NoSchedule
        key: kusari.cloud/own
        operator: Equal
        value: own

  restApi:
    tolerations:
      - effect: NoSchedule
        key: kusari.cloud/own
        operator: Equal
        value: own

  visualizer:
    tolerations:
      - effect: NoSchedule
        key: kusari.cloud/own
        operator: Equal
        value: own

--------------------------------------------------------------------------------
/charts/guac/tests/values_common_certifier.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
# Test values: non-default settings for the options shared by all certifiers.
guac:
  common:
    certifier:
      dayBetweenRescan: "5"
      batchSize: "50000"
      latency: "5s"

--------------------------------------------------------------------------------
/charts/guac/tests/values_configmap_no.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
# Test values: turn off creation of the guac-cm ConfigMap.
guac:

  configMap:
    enabled: false

--------------------------------------------------------------------------------
/charts/guac/tests/values_digest_and_tag.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
# Test values: the GUAC image carries both a tag and a digest, so tests can
# check that the digest takes precedence in the rendered image reference.
imagePullSecrets:
  - name: imagepullsecret

guac:
  guacImage:
    repository: ghcr.io/guacsec/guac
    tag: "latest"
    # Fixture digest; the deployment tests compare the rendered image against this exact value.
    digest: "sha256:167e823f36e268f66b12a79d4c4b39df23c2f87847817c161b6c6ddbc9ee5c4e"
    workingDir: /guac


  ociCollector:
    name: oci-collector

  depsDevCollector:
    name: depsdev-collector

  collectSub:
    name: collectsub

  osvCertifier:
    name: osv-certifier

  cdCertifier:
    name: cd-certifier

  graphqlServer:
    name: graphql-server

  ingestor:
    name: ingestor

--------------------------------------------------------------------------------
/charts/guac/tests/values_ent_backend.yaml:
--------------------------------------------------------------------------------
# Test values: select the ent backend for the GraphQL server and give it
# placeholder connection settings.
guac:
  graphqlServer:
    backend: ent
  backend:
    ent:
      db-driver: postgres
      # Placeholder URL with the user and password inline. NOTE(review): values.yaml
      # documents the atlas init container as reading the connection string from
      # guac-cm, so a real password supplied this way would presumably land in a
      # ConfigMap rather than a Secret - confirm against guac-cm.yaml.
      db-address: postgres://guac:guac@host:port/guacDB
      db-migrate: true

--------------------------------------------------------------------------------
/charts/guac/tests/values_graphql_deployment.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
# Test values: enable the NodePort service for the GraphQL server.
guac:
  graphqlServer:
    service:
      createNodePortService: true

--------------------------------------------------------------------------------
/charts/guac/tests/values_graphql_service.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
# Test values: enable the NodePort service for the GraphQL server
# (same content as values_graphql_deployment.yaml).
guac:
  graphqlServer:
    service:
      createNodePortService: true

--------------------------------------------------------------------------------
/charts/guac/tests/values_ingress.yaml:
--------------------------------------------------------------------------------
# Ingest sample data to ensure the test instance is fully functional
guac:
  sampleData:
    ingest: true

  # Ingress fixture: separate hostnames for the web UI and the API, plus one
  # annotation and one extra label for the ingress tests to look for.
  ingress:
    enabled: true
    ingressClassName: traefik
    webuiHostname: web.guac.com
    apiHostname: api.guac.com
    annotations:
      test-annotation: test-value
    extraLabels:
      test-label: test-value

--------------------------------------------------------------------------------
/charts/guac/tests/values_serviceaccount_all.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
# Test values: request a ServiceAccount for every component.
guac:

  ociCollector:
    serviceAccount:
      create: true

  depsDevCollector:
    serviceAccount:
      create: true

  osvCertifier:
    serviceAccount:
      create: true

  cdCertifier:
    serviceAccount:
      create: true

  ingestor:
    serviceAccount:
      create: true

  collectSub:
    serviceAccount:
      create: true

  graphqlServer:
    serviceAccount:
      create: true

  restApi:
    serviceAccount:
      create: true

  visualizer:
    serviceAccount:
      create: true

--------------------------------------------------------------------------------
/charts/guac/tests/values_serviceaccount_no.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
# Test values: suppress ServiceAccount creation for every component.
guac:

  ociCollector:
    serviceAccount:
      create: false

  depsDevCollector:
    serviceAccount:
      create: false

  osvCertifier:
    serviceAccount:
      create: false

  cdCertifier:
    serviceAccount:
      create: false

  ingestor:
    serviceAccount:
      create: false

  collectSub:
    serviceAccount:
      create: false

  graphqlServer:
    serviceAccount:
      create: false

  restApi:
    serviceAccount:
      create: false

  visualizer:
    serviceAccount:
      create: false

--------------------------------------------------------------------------------
/charts/guac/tests/values_tag_no_digest.yaml:
--------------------------------------------------------------------------------
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
# Test values: only a tag is given (digest is empty), so tests can check the
# fallback to a tag-based image reference.
imagePullSecrets:
  - name: imagepullsecret

guac:

  guacImage:
    repository: ghcr.io/guacsec/guac
    # "latest" is a mutable tag; it is used here only to exercise the tag path.
    tag: "latest"
    digest: ""
    workingDir: /guac

  ociCollector:
    name: oci-collector

  depsDevCollector:
    name: depsdev-collector

  osvCertifier:
    name: osv-certifier

  cdCertifier:
    name: cd-certifier

  ingestor:
    name: ingestor

  collectSub:
    name: collectsub

  graphqlServer:
    name: graphql-server

--------------------------------------------------------------------------------
/charts/guac/values.yaml:
--------------------------------------------------------------------------------
# Default values for guac.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

## @section Global parameters
## @param imagePullSecrets[0].name Docker registry secret name for pulling images
imagePullSecrets:
  - name: imagepullsecret

## @section Guac
## @descriptionStart This section contains parameters for configuring the different GUAC components.
## @descriptionEnd
## @param guac.guacImage.repository Path to the GUAC image
## @param guac.guacImage.tag [nullable] Tag if using an image tag. Optional
## @param guac.guacImage.digest [string] Sha256 Image Digest. It is strongly recommended to use this for verification.
## @param guac.guacImage.pullPolicy ImagePullPolicy for kubernetes
## @param guac.guacImage.workingDir Working Directory for GUAC
## @param guac.common.env [string] common environment variables apply to all guac services
## @param guac.common.tolerations [string] common tolerations apply to all guac services
## @param guac.common.certifier.dayBetweenRescan Day(s) to wait before the certifier rescanning - commonly apply to all certifiers. Default 0 means only run once
## @param guac.common.certifier.batchSize sets the batch size for pagination query for the certifier - commonly apply to all certifiers. Default 60000
## @param guac.common.certifier.latency [nullable] sets artificial latency on the certifier - commonly apply to all certifiers. Defaults to empty string (not enabled) but can set m, h, s...etc.
## @param guac.configMap.enabled Whether to create the guac-cm configMap
## @param guac.ociCollector.enabled String Whether to deploy OCI Collector
## @param guac.ociCollector.name String Name of the OCI Collector component.
## @param guac.ociCollector.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader)
## @param guac.ociCollector.replicas Number of replicas for oci collector deployment
## @param guac.ociCollector.image.command Command for the OCI Collector image. It is not recommended to override this.
## @param guac.ociCollector.env Environment variables for OCI Collector.
## @param guac.ociCollector.nodeSelector - sets the node selector for where to run the deployment
## @param guac.ociCollector.tolerations
## @param guac.ociCollector.serviceAccount.create - whether to create OCI Collector service account
## @param guac.ociCollector.serviceAccount.annotations - OCI Collector service account annotations
## @param guac.ociCollector.resources - [map] resource requests or limits of the ociCollector deployment
## @param guac.depsDevCollector.enabled String Whether to deploy Deps.Dev Collector
## @param guac.depsDevCollector.name String Name of the Deps.Dev Collector component.
## @param guac.depsDevCollector.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader)
## @param guac.depsDevCollector.replicas Number of replicas for depsdev collector deployment
## @param guac.depsDevCollector.image.command Command for the Deps.Dev Collector image. It is not recommended to override this.
## @param guac.depsDevCollector.env Environment variables for Deps.Dev Collector.
## @param guac.depsDevCollector.nodeSelector - sets the node selector for where to run the deployment
## @param guac.depsDevCollector.tolerations
## @param guac.depsDevCollector.serviceAccount.create - whether to create depsDevCollector service account
## @param guac.depsDevCollector.serviceAccount.annotations
## @param guac.depsDevCollector.resources - [map] resource requests or limits of the depsDevCollector deployment
## @param guac.depsDevCollector.depsDevLatency [nullable] - sets artificial latency on the deps.dev collector. Defaults to empty string (not enabled) but can set m, h, s...etc.
## @param guac.osvCertifier.enabled String Whether to deploy OSV Certifier
## @param guac.osvCertifier.name String Name of the OSV Certifier component.
## @param guac.osvCertifier.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader)
## @param guac.osvCertifier.replicas Number of replicas for OSV Certifier deployment
## @param guac.osvCertifier.image.command Command for the OSV Certifier Collector image. It is not recommended to override this.
## @param guac.osvCertifier.env Environment variables for OSV Certifier.
## @param guac.osvCertifier.nodeSelector - sets the node selector for where to run the deployment
## @param guac.osvCertifier.tolerations
## @param guac.osvCertifier.serviceAccount.create - whether to create osvCertifier service account
## @param guac.osvCertifier.serviceAccount.annotations - OSV Certifier service account annotations
## @param guac.osvCertifier.resources - [map] resource requests or limits of the OSV Certifier deployment
## @param guac.cdCertifier.enabled String Whether to deploy CD Certifier
## @param guac.cdCertifier.name String Name of the CD Certifier component.
## @param guac.cdCertifier.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader)
## @param guac.cdCertifier.replicas Number of replicas for CD Certifier deployment
## @param guac.cdCertifier.image.command Command for the CD Certifier Collector image. It is not recommended to override this.
## @param guac.cdCertifier.env Environment variables for CD Certifier.
## @param guac.cdCertifier.nodeSelector - sets the node selector for where to run the deployment
## @param guac.cdCertifier.tolerations
## @param guac.cdCertifier.serviceAccount.create - whether to create cdCertifier service account
## @param guac.cdCertifier.serviceAccount.annotations - CD Certifier service account annotations
## @param guac.cdCertifier.resources - [map] resource requests or limits of the cd Certifier deployment
## @param guac.ingestor.enabled String Whether to deploy Ingestor
## @param guac.ingestor.name String Name of the ingestor component.
## @param guac.ingestor.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader)
## @param guac.ingestor.replicas Number of replicas for ingestor deployment
## @param guac.ingestor.image.command Command for the ingestor image. It is not recommended to override this.
## @param guac.ingestor.env Environment variables for ingestor.
## @param guac.ingestor.nodeSelector - sets the node selector for where to run the deployment
## @param guac.ingestor.serviceAccount.create - whether to create ingestor service account
## @param guac.ingestor.serviceAccount.annotations - Ingestor service account annotations
## @param guac.ingestor.tolerations
## @param guac.ingestor.resources - [map] resource requests or limits of the ingestor deployment
## @param guac.collectSub.enabled String Whether to deploy CollectSub
## @param guac.collectSub.name String Name of the CollectSub component.
## @param guac.collectSub.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader)
## @param guac.collectSub.replicas Number of replicas for CollectSub deployment
## @param guac.collectSub.image.command Command for the CollectSub image. It is not recommended to override this.
## @param guac.collectSub.env Environment variables for CollectSub.
## @param guac.collectSub.image.ports[0].containerPort Port the CollectSub container listens on
## @param guac.collectSub.svcPorts[0].protocol Protocol used at CollectSub
## @param guac.collectSub.svcPorts[0].port Port the CollectSub service listens on
## @param guac.collectSub.svcPorts[0].targetPort Port the CollectSub container listens on
## @param guac.collectSub.nodeSelector - sets the node selector for where to run the deployment
## @param guac.collectSub.tolerations
## @param guac.collectSub.serviceAccount.create - whether to create collectSub service account
## @param guac.collectSub.serviceAccount.annotations - CollectSub service account annotations
## @param guac.collectSub.resources - [map] resource requests or limits of the collectSub deployment
## @param guac.graphqlServer.enabled String Whether to deploy GraphQL Server
## @param guac.graphqlServer.name String Name of the GraphQL Server component.
## @param guac.graphqlServer.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader)
## @param guac.graphqlServer.replicas Number of replicas for GraphQL Server deployment
## @param guac.graphqlServer.image.command Command for the GraphQL Server image. It is not recommended to override this.
## @param guac.graphqlServer.env Environment variables for GraphQL Server.
## @param guac.graphqlServer.image.ports[0].containerPort Port the GraphQL Server container listens on
## @param guac.graphqlServer.svcPorts[0].protocol Protocol used at the GraphQL Server
## @param guac.graphqlServer.svcPorts[0].port Port the GraphQL Server service listens on
## @param guac.graphqlServer.svcPorts[0].targetPort Port the GraphQL Server container listens on
## @param guac.graphqlServer.nodePortSvcPorts [object] NodePort service ports definition
## @param guac.graphqlServer.backend which backend to use - keyvalue (default) | arango | ent.
## @param guac.graphqlServer.debug Enable debug mode for graphql server; also enable the UI
## @param guac.graphqlServer.nodeSelector - sets the node selector for where to run the deployment
## @param guac.graphqlServer.serviceAccount.create - whether to create graphqlServer service account
## @param guac.graphqlServer.serviceAccount.annotations - graphql server service account annotations
## @param guac.graphqlServer.service.createNodePortService - Whether to deploy a NodePort type service
## @param guac.graphqlServer.additionalVolumeMounts
## @param guac.graphqlServer.additionalVolumes
## @param guac.graphqlServer.tolerations
## @param guac.graphqlServer.resources - [map] resource requests or limits of the graphqlServer deployment
## @param guac.restApi.enabled String Whether to deploy the restApi
## @param guac.restApi.name String Name of the restApi component.
## @param guac.restApi.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader)
## @param guac.restApi.replicas Number of replicas for restApi deployment
## @param guac.restApi.image.command Command for the restApi image. It is not recommended to override this.
## @param guac.restApi.env Environment variables for restApi.
## @param guac.restApi.image.ports[0].containerPort Port the restApi container listens on
## @param guac.restApi.svcPorts[0].protocol Protocol used at the restApi
## @param guac.restApi.svcPorts[0].port Port the restApi service listens on
## @param guac.restApi.svcPorts[0].targetPort Port the restApi container listens on
## @param guac.restApi.serviceAccount.create - whether to create restApi service account
## @param guac.restApi.serviceAccount.annotations - restApi service account annotations
## @param guac.restApi.nodeSelector - sets the node selector for where to run the deployment
## @param guac.restApi.tolerations
## @param guac.restApi.resources - [map] resource requests or limits of the restApi deployment
## @param guac.visualizer.enabled String Whether to deploy the visualizer.
## @param guac.visualizer.name String Name of the visualizer.
## @param guac.visualizer.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader)
## @param guac.visualizer.replicas Number of replicas for visualizer deployment
## @param guac.visualizer.image.repository Path to the visualizer image
## @param guac.visualizer.image.tag [nullable] Tag if using an image tag. Optional
## @param guac.visualizer.image.digest [string] Sha256 Image Digest. It is strongly recommended to use this for verification.
## @param guac.visualizer.image.pullPolicy ImagePullPolicy for kubernetes
## @param guac.visualizer.image.ports[0].containerPort Port the visualizer container listens on
## @param guac.visualizer.svcPorts[0].protocol Protocol used at the visualizer
## @param guac.visualizer.svcPorts[0].port Port the visualizer service listens on
## @param guac.visualizer.svcPorts[0].targetPort Port the visualizer container listens on
## @param guac.visualizer.env Environment variables for the visualizer.
## @param guac.visualizer.nodeSelector - sets the node selector for where to run the deployment
## @param guac.visualizer.tolerations
## @param guac.observability.deployServiceMonitor Boolean Deploy the service monitor for observability
## @param guac.sampleData.ingest Boolean Whether to ingest sample data after deployment
## @param guac.sampleData.jobName Name of the sample data ingest job
## @param guac.sampleData.env Environment variables for the sample data ingest job
## @param guac.ingress.enabled Whether to deploy an Ingress object
## @param guac.ingress.ingressClassName [nullable] Ingress class name
## @param guac.ingress.webuiHostname [nullable] DNS name for the UI components - e.g. Visualizer, GQL playground
## @param guac.ingress.apiHostname [nullable] DNS name for the GQL API. When specified, GQL API won't be served at webuiHostname
## @param guac.ingress.annotations [object] Annotations for the ingress object
## @param guac.apiOnlyIngress.enabled Whether to deploy an Ingress object to expose API only
## @param guac.apiOnlyIngress.ingressClassName [nullable] Ingress class name for API only ingress
## @param guac.apiOnlyIngress.apiHostname [nullable] DNS name for the GQL API.
## @param guac.apiOnlyIngress.annotations [object] Annotations for the API only ingress object
## @param guac.traefikIngressRoute.enabled Whether to deploy Traefik IngressRoute object
## @param guac.backend.ent.db-driver database driver to use, one of [postgres | sqlite3 | mysql] or anything supported by sql.DB
## @param guac.backend.ent.db-address [nullable] Full URL of database to connect to
## @param guac.backend.ent.db-migrate Whether to automatically run database migrations on start
## @param guac.backend.ent.db-debug Enable debug logging for database queries
## @param guac.pubSubAddr [nullable] String gocloud connection string for pubsub configured via https://gocloud.dev/howto/pubsub/
## @param guac.collectorPublishToQueue Whether to publish ingestion message to pubsub queue
## @param guac.blobAddr [nullable] gocloud connection string for blob store configured via https://gocloud.dev/howto/blob/
## @param guac.additionalResources

guac:

  guacImage:
    repository: ghcr.io/guacsec/guac
    # if not set appVersion field from Chart.yaml is used
    # tag:
    # When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value).
    # The default is empty, so out of the box the image is resolved by tag; set a
    # sha256 digest to pin the exact image content that gets deployed.
    digest: ""
    pullPolicy: IfNotPresent
    workingDir: /guac

  common:
    # env: []
    env:
      # default creds (set at minio.users) for accessing minio blobstore. Remove when changing default blobAddr.
      # These are fixed placeholder values that ship with the chart, and common.env
      # is documented above as applying to all guac services. Replace them together
      # with minio.users before exposing the deployment.
      # NOTE(review): if the templates pass env entries through unchanged, a
      # valueFrom.secretKeyRef entry would keep the secret out of values files - confirm.
      - name: AWS_ACCESS_KEY_ID
        value: accessKey
      - name: AWS_SECRET_ACCESS_KEY
        value: secretKey
    tolerations: []

    certifier:
      dayBetweenRescan: "0"
      batchSize: "60000"
      latency:

  configMap:
    enabled: true

  ociCollector:
    enabled: true
    name: oci-collector
    annotations:
      reloader.stakater.com/auto: "true"
    replicas: 1
    image:
      command: ['sh', '-c', '/opt/guac/guaccollect image']
    env: []
    nodeSelector: {}
    tolerations: []
    serviceAccount:
      create: true
      annotations: {}
    resources: {}
    #   requests:
    #     cpu: "0.25"
    #     memory: "0.5G"

  depsDevCollector:
    enabled: true
    name: depsdev-collector
    annotations:
      reloader.stakater.com/auto: "true"
    replicas: 1
    image:
      command: ['sh', '-c', '/opt/guac/guaccollect deps_dev']
    env: []
    nodeSelector: {}
    tolerations: []
    serviceAccount:
      create: true
      annotations: {}
    resources: {}
    #   requests:
    #     cpu: "0.25"
    #     memory: "0.5G"
    depsDevLatency:

  osvCertifier:
    enabled: true
    name: osv-certifier
    annotations:
      reloader.stakater.com/auto: "true"
    replicas: 1
    image:
      command: ['sh', '-c', '/opt/guac/guaccollect osv']
    env: []
    nodeSelector: {}
    tolerations: []
    serviceAccount:
      create: true
      annotations: {}
    resources: {}
    #   requests:
    #     cpu: "0.25"
    #     memory: "0.5G"

  cdCertifier:
    enabled: true
    name: cd-certifier
    annotations:
      reloader.stakater.com/auto: "true"
    replicas: 1
    image:
      command: ['sh', '-c', '/opt/guac/guaccollect cd']
    env: []
    nodeSelector: {}
    tolerations: []
    serviceAccount:
      create: true
      annotations: {}
    resources: {}
    #   requests:
    #     cpu: "0.25"
    #     memory: "0.5G"

  ingestor:
    enabled: true
    name: ingestor
    annotations:
      reloader.stakater.com/auto: "true"
    replicas: 1
    image:
      command: ['sh', '-c', '/opt/guac/guacingest']
    env: []
    nodeSelector: {}
    tolerations: []
    serviceAccount:
      create: true
      annotations: {}
    resources: {}
    #   requests:
    #     cpu: "0.25"
    #     memory: "0.5G"

  collectSub:
    enabled: true
    name: collectsub
    annotations:
      reloader.stakater.com/auto: "true"
    replicas: 1
    image:
      command: ['sh', '-c', '/opt/guac/guaccsub']
      ports:
        - containerPort: 2782
    env: []
    svcPorts:
      - protocol: TCP
        port: 2782
        targetPort: 2782
    nodeSelector: {}
    tolerations: []
    serviceAccount:
      create: true
      annotations: {}
    resources: {}
    #   requests:
    #     cpu: "0.2"
    #     memory: "300M"

  graphqlServer:
    enabled: true
    name: graphql-server
    annotations:
      reloader.stakater.com/auto: "true"
    replicas: 1
    image:
      command: ['sh', '-c', '/opt/guac/guacgql']
      ports:
        - containerPort: 8080
    env: []
    svcPorts:
      - protocol: TCP
        port: 8080
        targetPort: 8080
    additionalVolumeMounts: []
    additionalVolumes: []
    backend: keyvalue
    # Debug mode is on by default and, per the parameter description above, also
    # enables the UI. Turn it off where the server is reachable through an
    # ingress or the NodePort service below.
    debug: true
    # Only rendered when service.createNodePortService is true (default false);
    # a NodePort opens port 30080 on every node.
    nodePortSvcPorts:
      - protocol: TCP
        port: 8080
        targetPort: 8080
        nodePort: 30080
    nodeSelector: {}
    tolerations: []
    serviceAccount:
      create: true
      annotations: {}
    resources: {}
    #   requests:
    #     cpu: "0.2"
    #     memory: "300M"
    service:
      createNodePortService: false

  restApi:
    enabled: true
    name: rest-api
    annotations:
      reloader.stakater.com/auto: "true"
    replicas: 1
    image:
      command: ['sh', '-c', '/opt/guac/guacrest']
      ports:
        - containerPort: 8081
    env: []
    svcPorts:
      - protocol: TCP
        port: 8081
        targetPort: 8081
    nodeSelector: {}
    tolerations: []
    serviceAccount:
      create: true
      annotations: {}
    resources: {}
    #   requests:
    #     cpu: "0.25"
    #     memory: "0.5G"

  visualizer:
    enabled: true
    name: visualizer
    annotations:
      reloader.stakater.com/auto: "true"
    replicas: 1
    image:
      repository: ghcr.io/guacsec/guac-visualizer
      # if not set appVersion field from Chart.yaml is used
      tag: "v0.4.10"
      # When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value).
      digest: ""
      pullPolicy: IfNotPresent
      ports:
        - containerPort: 3000
    env: []
    svcPorts:
      - protocol: TCP
        port: 3000
        targetPort: 3000
    nodeSelector: {}
    tolerations: []

  observability:
    deployServiceMonitor: false

  sampleData:
    ingest: false
    jobName: ingest-guac-data
    env: []

  ingress:
    enabled: false
    # ingressClassName:
    # webuiHostname:
    # apiHostname:
    # annotations:

  apiOnlyIngress:
    enabled: false
    # ingressClassName:
    # apiHostname:
    # annotations:

  traefikIngressRoute:
    enabled: false
    # entryPoints: []
    # hostMatchingHeader:
    # gqlPath: /query
    # apiHostname:

  backend:
    ent:
      db-driver: postgres
      # The example URL carries the user and password inline and sets
      # sslmode=disable, i.e. an unencrypted database connection; treat it as a
      # local-testing example only.
      # db-address: postgres://guac:guac@host:port/dbName?sslmode=disable
      db-migrate: true
      # Query debug logging is on by default. NOTE(review): query logs may include
      # stored values - confirm what is logged before keeping this on in production.
      db-debug: true

  # Default to use NATS; specify a value here to override
  # e.g.
  # pubSubAddr: awssqs://sqs.[aws_region].amazonaws.com/[account_id]/[queue_name]?region=[aws_region]

  collectorPublishToQueue: true

  # Default to use minio; specify a value here to override
  # e.g.
  # blobAddr: s3://[bucket_name]?region=[aws_region]
  # blobAddr: file:///tmp/blobstore?no_tmp_dir=true

  additionalResources: {}


## @section nats
## @descriptionStart This is the configuration for nats. This is a subchart. See full documentation [here](https://docs.nats.io/running-a-nats-service/nats-kubernetes/helm-charts).
## @descriptionEnd
## @param nats.enabled Whether to deploy nats
## @param nats.nats.jetstream.enabled Boolean for enabling JetStream.
## @param nats.nats.limits.maxPayload Max Payload size for nats
## @param nats.nats.statefulSetPodLabels.app.kubernetes.io/part-of Label to associate nats with GUAC for monitoring purposes
## @param nats.natsbox.enabled Whether to run natsbox
## @param nats.natsbox.additionalLabels.app.kubernetes.io/part-of Label to associate natsbox with GUAC for monitoring purposes
## @param nats.natsbox.podLabels.app.kubernetes.io/part-of Label to associate natsbox with GUAC for monitoring purposes
## @param nats.exporter.enabled Boolean to enable data collection
## @param nats.exporter.serviceMonitor.enabled Boolean to enable nats service monitor
## @param nats.exporter.serviceMonitor.namespace String nats service monitor namespace - this is for monitoring purposes and is used by Prometheus
## @param nats.exporter.serviceMonitor.labels.release Label to associate nats service monitor with GUAC for monitoring purposes
nats:
  enabled: true
  nats:
    jetstream:
      enabled: true
    limits:
      # change max payload from default 1MB to 64MB
      maxPayload: 64MB
    statefulSetPodLabels:
      app.kubernetes.io/part-of: "guac"

  natsbox:
    enabled: false
    additionalLabels:
      app.kubernetes.io/part-of: "guac"
    podLabels:
      app.kubernetes.io/part-of: "guac"

  exporter:
    enabled: false
    serviceMonitor:
      enabled: false
      ## Specify the namespace where Prometheus Operator is running
      namespace: monitoring
      labels:
        release: monitoring

## @section minio
## @descriptionStart This is the configuration for minio. This is a subchart. See full documentation [here](https://github.com/minio/minio/tree/master/helm/minio).
## @descriptionEnd
## @param minio.enabled Whether to deploy minio as part of the Helm deployment
## @param minio.replicas Number of replicas.
## @param minio.persistence [object] Persistence volume configuration.
## @param minio.mode minio mode, i.e. standalone or distributed
## @param minio.resources [object] resource requests and limits
## @param minio.rootUser root user name.
## @param minio.rootPassword root user password.
## @param minio.buckets [object] List of buckets to create after deployment.
## @param minio.users [object] List of users, in terms of creds and permissions, to create after deployment.
minio:
  enabled: true
  replicas: 1
  persistence:
    enabled: false
  mode: standalone
  resources:
    requests:
      memory: 300Mi
  # Root credentials default to fixed placeholder strings that are published with
  # the chart; override both for any deployment that is reachable by others.
  rootUser: "rootUser"
  rootPassword: "rootPassword"
  buckets:
    - name: bucketname
      policy: none
      purge: false
      versioning: false
      objectlocking: false
  # Same placeholder key pair as guac.common.env above; change the two together.
  users:
    - accessKey: accessKey
      secretKey: secretKey
      policy: readwrite

## @section atlas
## @descriptionStart This section contains parameters for configuring the atlas migration.
## @descriptionEnd
## @param atlas.enabled Whether to add atlas init-container in graphql-server to manage schema migration via atlas. Defaults to false
## @param atlas.image.command Command for the atlas migration. Overriding default entrypoint to read backend DB connection string from guac-cm
## @param atlas.image.repository Path to the atlas migration image
## @param atlas.image.tag [nullable] Tag if using an image tag. Optional
## @param atlas.image.digest [string] Sha256 Image Digest. It is strongly recommended to use this for verification.
## @param atlas.image.pullPolicy ImagePullPolicy for kubernetes
## @param atlas.name Name of the atlas migration component

atlas:
  enabled: false
  image:
    # NOTE(review): $DB_ADDRESS is expanded unquoted inside the sh -c string, so the
    # shell applies word splitting and pathname expansion to the URL (`?` is a glob
    # character); wrapping the --url argument in double quotes would pass it through
    # literally. A db-address that already has a query string (such as the
    # ?sslmode=disable example above) would also end up with a second `?` - confirm
    # how the URL is meant to be composed.
    command: ['sh', '-c', 'atlas migrate apply --dir file:///app/migrations --url $DB_ADDRESS?search_path=public']
    repository: ghcr.io/guacsec/guac/atlas-migration
    # if not set appVersion field from Chart.yaml is used
    # tag:
    # When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value).
    digest: ""
    pullPolicy: IfNotPresent
  name: atlas-migration

--------------------------------------------------------------------------------