├── .gitleaksignore ├── charts └── snyk-broker │ ├── templates │ ├── extra-resources.yaml │ ├── accept_configmap.yaml │ ├── serviceaccount.yaml │ ├── broker_service.yaml │ ├── NOTES.txt │ ├── _notes.tpl │ ├── broker_ingress.yaml │ ├── code_agent_deployment.yaml │ ├── secrets.yaml │ ├── cra_deployment.yaml │ ├── _helpers.tpl │ └── broker_deployment.yaml │ ├── Chart.yaml │ ├── tests │ ├── cra_deployment_test.yaml │ ├── cra_deployment_harbor_test.yaml │ ├── cra_deployment_digitalocean_test.yaml │ ├── broker_cra_deployment_test.yaml │ ├── cra_deployment_disablesuffixes_test.yaml │ ├── broker_cra_deployment_disablesuffixes_test.yaml │ ├── broker_deployment_apprisk_test.yaml │ ├── broker_deployment_customaccept_test.yaml │ ├── broker_deployment_ingress_test.yaml │ ├── broker_deployment_customaccept_disablesuffixes_test.yaml │ ├── fixtures │ │ ├── extra_pod_spec_values.yaml │ │ ├── cacert_values.yaml │ │ ├── customaccept_values.yaml │ │ ├── default_values_with_apprisk_enabled.yaml │ │ ├── default_values.yaml │ │ ├── default_values_ha_on.yaml │ │ ├── default_values_preflight_off.yaml │ │ ├── customaccept_values_disablesuffixes.yaml │ │ ├── default_values_disablesuffixes.yaml │ │ ├── default_values_ha_on_4_replicas.yaml │ │ ├── default_values_ha_on_disablesuffixes.yaml │ │ ├── default_values_with_ingress.yaml │ │ ├── default_values_with_ingress_disablesuffixes.yaml │ │ ├── default_values_preflight_off_disablesuffixes.yaml │ │ ├── default_values_ha_on_4_replicas_disablesuffixes.yaml │ │ ├── default_values_with_gitlab_scmtokenpool.yaml │ │ ├── default_values_with_github_scmtokenpool.yaml │ │ ├── default_values_cra_digital_ocean.yaml │ │ ├── default_values_with_github_useexternalsecretscmtokenpool_true.yaml │ │ ├── default_values_cra.yaml │ │ ├── default_values_cra_disablesuffixes.yaml │ │ ├── default_values_cra_harbor.yaml │ │ └── default_values_https_enabled.yaml │ ├── broker_deployment_ingress_disablesuffixes_test.yaml │ ├── broker_servicename_length_test.yaml │ ├── 
broker_cra_deployment_extraPodSpecs_test.yaml │ ├── broker_deployment_artifactory_test.yaml │ ├── broker_deployment_disable_secret_creation_test.yaml │ ├── broker_deployment_scm_token_pool_test.yaml │ ├── broker_deployment_disablesuffixes_test.yaml │ ├── broker_deployment_openshift_securityContext_test.yaml │ ├── broker_deployment_test.yaml │ ├── dummy_ca_cert.pem │ ├── broker_deployment_labels_test.yaml │ ├── dummy_tls_cert.crt │ ├── broker_deployment_tls_test.yaml │ ├── dummy_tls_key.key │ ├── broker_deployment_proxy_test.yaml │ ├── broker_cra_deployment_disable_tls_test.yaml │ ├── broker_deployment_apprisk_type_test.yaml │ ├── __snapshot__ │ │ ├── broker_cra_deployment_extraPodSpecs_test.yaml.snap │ │ ├── broker_deployment_apprisk_test.yaml.snap │ │ ├── broker_cra_deployment_test.yaml.snap │ │ ├── broker_cra_deployment_disablesuffixes_test.yaml.snap │ │ ├── broker_deployment_customaccept_disablesuffixes_test.yaml.snap │ │ ├── broker_deployment_ingress_disablesuffixes_test.yaml.snap │ │ ├── broker_deployment_customaccept_test.yaml.snap │ │ ├── broker_deployment_artifactory_test.yaml.snap │ │ ├── broker_deployment_ingress_test.yaml.snap │ │ ├── cra_deployment_disablesuffixes_test.yaml.snap │ │ ├── cra_deployment_test.yaml.snap │ │ ├── cra_deployment_digitalocean_test.yaml.snap │ │ └── cra_deployment_harbor_test.yaml.snap │ ├── broker_deployment_nexus_test.yaml │ └── broker_deployment_ca_test.yaml │ ├── .helmignore │ └── values.schema.json ├── package.json ├── override.yaml ├── .editorconfig ├── catalog-info.yaml ├── .github └── CODEOWNERS ├── commitlint.config.js ├── .gitleaks.toml ├── LICENSE ├── README.md ├── .pre-commit-config.yaml ├── .gitignore ├── .releaserc └── .circleci └── config.yml /.gitleaksignore: -------------------------------------------------------------------------------- 1 | 607a5d5d16b365165d8636e526ed92a2ea116719:charts/snyk-broker/tests/broker_deployment_ca_test.yaml:private-key:271 2 | 
-------------------------------------------------------------------------------- /charts/snyk-broker/templates/extra-resources.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | {{ range .Values.extraObjects }} 3 | --- 4 | {{ tpl (toYaml .) $ }} 5 | {{ end }} 6 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "devDependencies": { 3 | "@semantic-release/exec": "7.0.3", 4 | "semantic-release": "24.2.3" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /charts/snyk-broker/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: snyk-broker 3 | version: 0.0.0 4 | description: A Helm chart for Kubernetes 5 | type: application 6 | -------------------------------------------------------------------------------- /override.yaml: -------------------------------------------------------------------------------- 1 | env: 2 | # uncomment and update to use 3 | # - name: MYENVVAR 4 | # value: myenvvarvalue 5 | # - name: MYOTHERENVVAR 6 | # value: myothervalue -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*] 4 | charset = utf-8 5 | end_of_line = lf 6 | indent_size = 2 7 | indent_style = space 8 | insert_final_newline = true 9 | trim_trailing_whitespace = true 10 | 11 | [*.md] 12 | trim_trailing_whitespace = false 13 | 14 | -------------------------------------------------------------------------------- /catalog-info.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: backstage.io/v1alpha1 2 | kind: Component 3 | metadata: 4 | name: snyk-broker-helm 5 | annotations: 6 | 
github.com/project-slug: snyk/snyk-broker-helm 7 | github.com/team-slug: snyk/team-broker 8 | spec: 9 | type: supply-chain-tooling 10 | lifecycle: "-" 11 | owner: team-broker 12 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @snyk/access @snyk/platformeng_access 2 | 3 | charts/snyk-broker/templates/cra_deployment.yaml @snyk/infrasec_container 4 | charts/snyk-broker/tests/broker_cra_deployment_test.yaml @snyk/infrasec_container 5 | charts/snyk-broker/tests/cra_deployment_test.yaml @snyk/infrasec_container 6 | charts/snyk-broker/tests/fixtures/default_values_cra.yaml @snyk/infrasec_container 7 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/cra_deployment_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker deployment 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - cra_deployment.yaml 6 | - broker_deployment.yaml 7 | values: 8 | - ./fixtures/default_values.yaml 9 | 10 | tests: 11 | - it: default values 12 | values: 13 | - ./fixtures/default_values_cra.yaml 14 | asserts: 15 | - matchSnapshot: {} 16 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/cra_deployment_harbor_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker deployment 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - cra_deployment.yaml 6 | - broker_deployment.yaml 7 | values: 8 | - ./fixtures/default_values.yaml 9 | 10 | tests: 11 | - it: default values 12 | values: 13 | - ./fixtures/default_values_cra_harbor.yaml 14 | asserts: 15 | - matchSnapshot: {} 16 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/cra_deployment_digitalocean_test.yaml: 
-------------------------------------------------------------------------------- 1 | suite: test broker deployment 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - cra_deployment.yaml 6 | - broker_deployment.yaml 7 | values: 8 | - ./fixtures/default_values.yaml 9 | 10 | tests: 11 | - it: default values 12 | values: 13 | - ./fixtures/default_values_cra_digital_ocean.yaml 14 | asserts: 15 | - matchSnapshot: {} 16 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_cra_deployment_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker deployment 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - broker_deployment.yaml 6 | - broker_service.yaml 7 | - secrets.yaml 8 | - serviceaccount.yaml 9 | 10 | tests: 11 | - it: with CRA 12 | values: 13 | - ./fixtures/default_values.yaml 14 | - ./fixtures/default_values_cra.yaml 15 | asserts: 16 | - matchSnapshot: {} 17 | -------------------------------------------------------------------------------- /commitlint.config.js: -------------------------------------------------------------------------------- 1 | // https://commitlint.js.org/#/reference-rules 2 | // Conventional commit rules: https://github.com/conventional-changelog/commitlint/tree/4c9928ecc77d04deb40e36cec669853558aab03b/%40commitlint/config-conventional 3 | 4 | module.exports = { 5 | extends: ["@commitlint/config-conventional"], 6 | rules: { 7 | 'subject-case': [0, 'never'], // Allow sentence capitalization in commit messages 8 | }, 9 | }; 10 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/cra_deployment_disablesuffixes_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker deployment (No suffixes) 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - cra_deployment.yaml 6 | - broker_deployment.yaml 7 | values: 8 | - 
./fixtures/default_values.yaml 9 | 10 | tests: 11 | - it: default values 12 | values: 13 | - ./fixtures/default_values_cra_disablesuffixes.yaml 14 | asserts: 15 | - matchSnapshot: {} 16 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_cra_deployment_disablesuffixes_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker deployment (No suffixes) 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - broker_deployment.yaml 6 | - broker_service.yaml 7 | - secrets.yaml 8 | - serviceaccount.yaml 9 | 10 | tests: 11 | - it: with CRA 12 | values: 13 | - ./fixtures/default_values.yaml 14 | - ./fixtures/default_values_cra.yaml 15 | asserts: 16 | - matchSnapshot: {} 17 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_apprisk_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker deployment 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - broker_deployment.yaml 6 | - broker_service.yaml 7 | - secrets.yaml 8 | - serviceaccount.yaml 9 | 10 | tests: 11 | - it: apprisk enabled 12 | values: 13 | - ./fixtures/default_values.yaml 14 | - ./fixtures/default_values_with_apprisk_enabled.yaml 15 | asserts: 16 | - matchSnapshot: {} 17 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_customaccept_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker deployment 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - broker_deployment.yaml 6 | - broker_service.yaml 7 | - secrets.yaml 8 | - serviceaccount.yaml 9 | - accept_configmap.yaml 10 | values: 11 | - ./fixtures/default_values.yaml 12 | - ./fixtures/customaccept_values.yaml 13 | 14 | tests: 15 | - it: customaccept values 16 | asserts: 17 | - 
matchSnapshot: {} 18 | -------------------------------------------------------------------------------- /charts/snyk-broker/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /.gitleaks.toml: -------------------------------------------------------------------------------- 1 | [extend] 2 | useDefault = true 3 | 4 | [allowlist] 5 | description = "global allow list" 6 | paths = [ 7 | 'charts/snyk-broker/tests/__snapshot__/*', 8 | 'charts/snyk-broker/tests/.*(.key)$', 9 | 'charts/snyk-broker/tests/fixtures/*' 10 | ] 11 | 12 | # ignoring historical secrets from past commits 13 | # (not present in the current codebase) 14 | commits = [ 15 | "9c8b32139b73111b618fc946a7f64355e8429423", 16 | "74045878cc8bd9891485d7a85048ecd68d6d241f", 17 | ] 18 | -------------------------------------------------------------------------------- /charts/snyk-broker/templates/accept_configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if (include "snyk-broker.acceptJson" .)}} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ include "snyk-broker.fullname" . }}-accept-configmap{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "snyk-broker.labels" . | nindent 4 }} 9 | data: 10 | accept.json: |- 11 | {{include "snyk-broker.acceptJson" . 
| indent 4}} 12 | {{- end }} -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_ingress_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker deployment with ingress 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - broker_deployment.yaml 6 | - broker_service.yaml 7 | - secrets.yaml 8 | - serviceaccount.yaml 9 | - broker_ingress.yaml 10 | values: 11 | - ./fixtures/default_values.yaml 12 | 13 | tests: 14 | - it: ingress 15 | values: 16 | - ./fixtures/default_values_with_ingress.yaml 17 | asserts: 18 | - matchSnapshot: {} 19 | -------------------------------------------------------------------------------- /charts/snyk-broker/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "snyk-broker.serviceAccountName" . }}{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "snyk-broker.labels" . }} 9 | {{- with .Values.serviceAccount.annotations }} 10 | annotations: 11 | {{- toYaml . 
| nindent 4 }} 12 | {{- end }} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_customaccept_disablesuffixes_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker deployment (No suffixes) 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - broker_deployment.yaml 6 | - broker_service.yaml 7 | - secrets.yaml 8 | - serviceaccount.yaml 9 | - accept_configmap.yaml 10 | values: 11 | - ./fixtures/default_values.yaml 12 | - ./fixtures/customaccept_values_disablesuffixes.yaml 13 | 14 | tests: 15 | - it: customaccept values 16 | asserts: 17 | - matchSnapshot: {} 18 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/extra_pod_spec_values.yaml: -------------------------------------------------------------------------------- 1 | 2 | extraPodSpecs: 3 | tolerations: 4 | - key: "networking/something" 5 | operator: "Equal" 6 | value: "internal-pods" 7 | effect: "NoSchedule" 8 | nodeSelector: 9 | corp.io/node-classification: snyk 10 | 11 | extraPodSpecsCr: 12 | tolerations: 13 | - key: "networking/something" 14 | operator: "Equal" 15 | value: "internal-pods" 16 | effect: "NoSchedule" 17 | nodeSelector: 18 | corp.io/node-classification: snyk 19 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_ingress_disablesuffixes_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker deployment with ingress (No suffixes) 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - broker_deployment.yaml 6 | - broker_service.yaml 7 | - secrets.yaml 8 | - serviceaccount.yaml 9 | - broker_ingress.yaml 10 | values: 11 | - ./fixtures/default_values.yaml 12 | 13 | tests: 14 | - it: ingress 15 | values: 16 | - 
./fixtures/default_values_with_ingress_disablesuffixes.yaml 17 | asserts: 18 | - matchSnapshot: {} 19 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_servicename_length_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker servicename length 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - broker_service.yaml 6 | 7 | tests: 8 | - it: should truncate scmType correctly when combined with release name and suffix 9 | values: 10 | - ./fixtures/default_values_cra.yaml 11 | release: 12 | name: "myrelease-really-long-release-name" 13 | asserts: 14 | - equal: 15 | path: metadata.name 16 | value: "container-reg-broker-service-myrelease-really-long-release-name" -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2015 Snyk Ltd. 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 
14 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | [![Snyk logo](https://snyk.io/style/asset/logo/snyk-print.svg)](https://snyk.io) 3 | 4 | # Helm Chart for Snyk Broker 5 | 6 | This is a Helm Chart to deploy the [Snyk Broker](https://docs.snyk.io/enterprise-setup/snyk-broker) 7 | 8 | > [!IMPORTANT] 9 | > This is the helm chart for the Classic Broker. The helm chart for the Universal Broker can be found [here](https://github.com/snyk/snyk-universal-broker-helm). 10 | 11 | ## Usage 12 | 13 | Please refer to our [extensive documentation](https://docs.snyk.io/enterprise-setup/snyk-broker/classic-broker/install-and-configure-snyk-broker/install-and-configure-broker-using-helm) 14 | -------------------------------------------------------------------------------- /charts/snyk-broker/templates/broker_service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "snyk-broker.brokerServiceName" . | nindent 4 }} 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | {{- include "snyk-broker.labels" . }} 8 | {{- if .Values.serviceAnnotations }} 9 | annotations: 10 | {{- toYaml .Values.serviceAnnotations | nindent 4 }} 11 | {{- end }} 12 | spec: 13 | type: {{ .Values.service.brokerType }} 14 | ports: 15 | - port: {{ .Values.service.port }} 16 | targetPort: {{ .Values.deployment.container.containerPort }} 17 | selector: 18 | {{- include "snyk-broker.selectorLabels" . 
| nindent 4 }} 19 | -------------------------------------------------------------------------------- /charts/snyk-broker/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Thank you for installing the Snyk Broker 2 | {{- if eq .Values.brokerServerUrl "https://broker.snyk.io" }} 3 | Login to the Snyk UI to start onboarding projects: https://app.snyk.io 4 | {{ else }} 5 | {{ $tenant := regexFind "[a-z]+.snyk.io" .Values.brokerServerUrl }} 6 | {{ printf "Login to the Snyk UI to start onboarding projects: https://app.%s" $tenant }} 7 | {{ end }} 8 | {{- if .Values.useExternalSecrets }} 9 | ### Secret Creation Disabled ### 10 | 11 | Ensure secrets are present on your cluster in the {{.Release.Namespace}} namespace: 12 | 13 | -> NAME:KEY 14 | {{- include "snyk-broker.requiredSecrets" . }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_cra_deployment_extraPodSpecs_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker deployment with extraPodSpec 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - broker_deployment.yaml 6 | - cra_deployment.yaml 7 | values: 8 | - ./fixtures/default_values.yaml 9 | - ./fixtures/default_values_cra.yaml 10 | - ./fixtures/extra_pod_spec_values.yaml 11 | 12 | tests: 13 | - it: renders extraPodSpecs CRA 14 | asserts: 15 | - matchSnapshot: 16 | path: spec.template.spec 17 | template: broker_deployment.yaml 18 | - matchSnapshot: 19 | path: spec.template.spec 20 | template: cra_deployment.yaml 21 | documentIndex: 0 22 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/gitleaks/gitleaks 3 | rev: v8.17.0 4 | hooks: 5 | - id: gitleaks 6 | stages: [ commit ] 7 | - repo: local 
8 | hooks: 9 | - id: helm-unittest 10 | name: Helm Unittest 11 | entry: helm unittest charts/snyk-broker 12 | language: system 13 | files: ^charts/snyk-broker/ 14 | pass_filenames: false 15 | stages: [pre-commit] 16 | - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook 17 | rev: v9.22.0 18 | hooks: 19 | - id: commitlint 20 | stages: [commit-msg] 21 | additional_dependencies: ["@commitlint/config-conventional"] 22 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_artifactory_test.yaml: -------------------------------------------------------------------------------- 1 | suite: broker deployment (artifactory) 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - broker_deployment.yaml 6 | - broker_service.yaml 7 | - secrets.yaml 8 | - serviceaccount.yaml 9 | values: 10 | - ./fixtures/default_values.yaml 11 | - ./fixtures/default_values.yaml 12 | 13 | tests: 14 | - it: should render artifactoryUrl and brokerClientValidationUrl as secrets 15 | set: 16 | scmType: artifactory 17 | artifactoryUrl: username:password@your-domain.com/artifactory 18 | brokerClientValidationUrl: https://username:password@your-domain.com/artifactory/api/system/ping 19 | asserts: 20 | - matchSnapshot: {} 21 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .dccache 2 | 3 | # General files for the project 4 | pkg/* 5 | *.pyc 6 | bin/* 7 | .project 8 | /.bin 9 | /_test/secrets/*.json 10 | node_modules/ 11 | 12 | # OSX leaves these everywhere on SMB shares 13 | ._* 14 | 15 | # OSX trash 16 | .DS_Store 17 | 18 | # Files generated by JetBrains IDEs, e.g. 
IntelliJ IDEA 19 | .idea/ 20 | *.iml 21 | 22 | # Vscode files 23 | .vscode 24 | 25 | # Emacs save files 26 | *~ 27 | \#*\# 28 | .\#* 29 | 30 | # Vim-related files 31 | [._]*.s[a-w][a-z] 32 | [._]s[a-w][a-z] 33 | *.un~ 34 | Session.vim 35 | .netrwhist 36 | 37 | 38 | 39 | .history 40 | 41 | temp 42 | 43 | accept.json 44 | acceptcode.json 45 | acceptcontainer.json 46 | bitbucket.crt 47 | .dccache 48 | 49 | # Helm Unittest Debug 50 | charts/snyk-broker/.debug 51 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_disable_secret_creation_test.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json 2 | suite: test secrets 3 | chart: 4 | version: 0.0.0 5 | templates: 6 | - secrets.yaml 7 | - broker_deployment.yaml 8 | values: 9 | - ./fixtures/default_values.yaml 10 | set: 11 | useExternalSecrets: true 12 | 13 | tests: 14 | - it: Does not create any secrets 15 | set: 16 | brokerToken: "" 17 | snykToken: "" 18 | asserts: 19 | - hasDocuments: 20 | count: 0 21 | template: secrets.yaml 22 | - it: Does not error with empty broker token 23 | set: 24 | brokerToken: "" 25 | asserts: 26 | - notFailedTemplate: {} 27 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_scm_token_pool_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker deployment (credential pooling) 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - broker_deployment.yaml 6 | - broker_service.yaml 7 | - secrets.yaml 8 | - serviceaccount.yaml 9 | values: 10 | - ./fixtures/default_values.yaml 11 | 12 | tests: 13 | - it: github token pool configured 14 | values: 15 | - ./fixtures/default_values_with_github_scmtokenpool.yaml 16 | asserts: 17 | - 
matchSnapshot: {} 18 | - it: gitlab token pool configured 19 | values: 20 | - ./fixtures/default_values_with_gitlab_scmtokenpool.yaml 21 | asserts: 22 | - matchSnapshot: {} 23 | - it: github token pool configured with enabled useExternalSecretScmTokenPool 24 | values: 25 | - ./fixtures/default_values_with_github_useexternalsecretscmtokenpool_true.yaml 26 | asserts: 27 | - matchSnapshot: {} 28 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_disablesuffixes_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker deployment (No suffixes) 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - broker_deployment.yaml 6 | - broker_service.yaml 7 | - secrets.yaml 8 | - serviceaccount.yaml 9 | 10 | tests: 11 | - it: default values 12 | values: 13 | - ./fixtures/default_values_disablesuffixes.yaml 14 | asserts: 15 | - matchSnapshot: {} 16 | - it: preflight checks off 17 | values: 18 | - ./fixtures/default_values_preflight_off_disablesuffixes.yaml 19 | asserts: 20 | - matchSnapshot: {} 21 | - it: HA mode on 22 | values: 23 | - ./fixtures/default_values_ha_on_disablesuffixes.yaml 24 | asserts: 25 | - matchSnapshot: {} 26 | - it: HA mode on with 4 replicas 27 | values: 28 | - ./fixtures/default_values_ha_on_4_replicas_disablesuffixes.yaml 29 | asserts: 30 | - matchSnapshot: {} 31 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/cacert_values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. 
Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: false 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/customaccept_values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 
11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: false 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | acceptJson: | 25 | test 26 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_with_apprisk_enabled.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: false 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | enableAppRisk: true 25 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 
4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | 10 | snykToken: "12345a6b-78d9-1e2f-3abc-456def789123" 11 | 12 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 13 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 14 | brokerClientUrl: "http://brokerclient" 15 | 16 | # Do not touch unless directed by a Snyk Representative 17 | brokerServerUrl: "https://broker.test.snyk.io" 18 | 19 | preflightChecks: 20 | enabled: true 21 | 22 | highAvailabilityMode: 23 | enabled: false 24 | brokerDispatcherUrl: "https://api.test.snyk.io" 25 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_ha_on.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | snykToken: "12345a6b-78d9-1e2f-3abc-456def789123" 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 
11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: true 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_preflight_off.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | snykToken: "12345a6b-78d9-1e2f-3abc-456def789123" 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: false 19 | 20 | highAvailabilityMode: 21 | enabled: false 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/customaccept_values_disablesuffixes.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 
4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: false 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | acceptJson: | 25 | test 26 | 27 | disableSuffixes: true 28 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_disablesuffixes.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | snykToken: "12345a6b-78d9-1e2f-3abc-456def789123" 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 
11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: false 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | disableSuffixes: true 25 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_ha_on_4_replicas.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | snykToken: "12345a6b-78d9-1e2f-3abc-456def789123" 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: true 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | replicaCount: 4 25 | 26 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_ha_on_disablesuffixes.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 
3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | snykToken: "12345a6b-78d9-1e2f-3abc-456def789123" 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: true 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | disableSuffixes: true 25 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_with_ingress.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 
11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: false 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | brokerIngress: 25 | enabled: true 26 | labels: 27 | customLabel: customValue 28 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_with_ingress_disablesuffixes.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 
11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: false 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | brokerIngress: 25 | enabled: true 26 | 27 | disableSuffixes: true 28 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_preflight_off_disablesuffixes.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | snykToken: "12345a6b-78d9-1e2f-3abc-456def789123" 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 
11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: false 19 | 20 | highAvailabilityMode: 21 | enabled: false 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | disableSuffixes: true 25 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_ha_on_4_replicas_disablesuffixes.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | snykToken: "12345a6b-78d9-1e2f-3abc-456def789123" 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: true 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | replicaCount: 4 25 | 26 | disableSuffixes: true 27 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_with_gitlab_scmtokenpool.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 
2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | 10 | # GitLab token pool, comma-separated 11 | scmTokenPool: "gl_token_1,gl_token_2" 12 | scmType: "gitlab" 13 | 14 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 15 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 16 | brokerClientUrl: "http://brokerclient" 17 | 18 | # Do not touch unless directed by a Snyk Representative 19 | brokerServerUrl: "https://broker.test.snyk.io" 20 | 21 | 22 | preflightChecks: 23 | enabled: true 24 | 25 | highAvailabilityMode: 26 | enabled: false 27 | brokerDispatcherUrl: "https://api.test.snyk.io" 28 | 29 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_with_github_scmtokenpool.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | 10 | # GitHub token pool, comma-separated 11 | scmType: "github-com" 12 | scmTokenPool: "gh_token1,gh_token2,gh_token3" 13 | 14 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 
15 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 16 | brokerClientUrl: "http://brokerclient" 17 | 18 | # Do not touch unless directed by a Snyk Representative 19 | brokerServerUrl: "https://broker.test.snyk.io" 20 | 21 | 22 | preflightChecks: 23 | enabled: true 24 | 25 | highAvailabilityMode: 26 | enabled: false 27 | brokerDispatcherUrl: "https://api.test.snyk.io" 28 | 29 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_cra_digital_ocean.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker with Container Registry Agent. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 
11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: false 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | scmType: "container-registry-agent" 25 | 26 | crType: "digitalocean-cr" 27 | 28 | crBase: "digitaloceanbase" 29 | 30 | crToken: "mytoken" 31 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_with_github_useexternalsecretscmtokenpool_true.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | 10 | # GitHub token pool, comma-separated 11 | scmType: "github-com" 12 | scmTokenPool: "" 13 | useExternalSecretScmTokenPool: true 14 | 15 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 
16 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 17 | brokerClientUrl: "http://brokerclient" 18 | 19 | # Do not touch unless directed by a Snyk Representative 20 | brokerServerUrl: "https://broker.test.snyk.io" 21 | 22 | 23 | preflightChecks: 24 | enabled: true 25 | 26 | highAvailabilityMode: 27 | enabled: false 28 | brokerDispatcherUrl: "https://api.test.snyk.io" 29 | 30 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_openshift_securityContext_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test openshift broker deployment securityContext 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - broker_deployment.yaml 6 | 7 | tests: 8 | - it: "should include runAsUser when openshift is false" 9 | set: 10 | securityContext: 11 | capabilities: 12 | drop: 13 | - ALL 14 | readOnlyRootFilesystem: true 15 | allowPrivilegeEscalation: false 16 | runAsNonRoot: true 17 | runAsUser: 1000 18 | openshift: false 19 | asserts: 20 | - equal: 21 | path: "spec.template.spec.containers[0].securityContext.runAsUser" 22 | value: 1000 23 | 24 | - it: "should omit runAsUser when openshift is true" 25 | set: 26 | securityContext: 27 | capabilities: 28 | drop: 29 | - ALL 30 | readOnlyRootFilesystem: true 31 | allowPrivilegeEscalation: false 32 | runAsNonRoot: true 33 | runAsUser: 1000 34 | openshift: true 35 | asserts: 36 | - notExists: 37 | path: "spec.template.spec.containers[0].securityContext.runAsUser" 38 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker deployment 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - broker_deployment.yaml 6 | - broker_service.yaml 7 | - secrets.yaml 8 | - serviceaccount.yaml 9 | 10 | tests: 11 | - it: default values 12 | 
values: 13 | - ./fixtures/default_values.yaml 14 | asserts: 15 | - matchSnapshot: {} 16 | - it: HTTPS enabled 17 | values: 18 | - ./fixtures/default_values_https_enabled.yaml 19 | asserts: 20 | - matchSnapshot: {} 21 | - it: preflight checks off 22 | values: 23 | - ./fixtures/default_values_preflight_off.yaml 24 | asserts: 25 | - matchSnapshot: {} 26 | - it: HA mode on 27 | values: 28 | - ./fixtures/default_values_ha_on.yaml 29 | asserts: 30 | - matchSnapshot: {} 31 | - it: HA mode on with 4 replicas 32 | values: 33 | - ./fixtures/default_values_ha_on_4_replicas.yaml 34 | asserts: 35 | - matchSnapshot: {} 36 | - it: Does not fail if no broker token is specified 37 | set: 38 | brokerToken: "" 39 | asserts: 40 | - notFailedTemplate: {} 41 | template: broker_deployment.yaml 42 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_cra.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker with Container Registry Agent. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 
11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: false 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | scmType: "container-registry-agent" 25 | 26 | crType: "ecr" 27 | 28 | crRoleArn: "arn:aws-us-gov:iam::123456789012:role" 29 | 30 | crRegion: "eu-west" 31 | 32 | crExternalId: "11111111-1111-1111-1111-111111111111" 33 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_cra_disablesuffixes.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker with Container Registry Agent. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 
11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: false 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | scmType: "container-registry-agent" 25 | 26 | crType: "ecr" 27 | 28 | crRoleArn: "arn:aws-us-gov:iam::123456789012:role" 29 | 30 | crRegion: "eu-west" 31 | 32 | crExternalId: "11111111-1111-1111-1111-111111111111" 33 | 34 | disableSuffixes: true 35 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_cra_harbor.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker with Container Registry Agent. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 
11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: false 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | scmType: "container-registry-agent" 25 | 26 | # https://docs.snyk.io/enterprise-configuration/snyk-broker/snyk-broker-container-registry-agent/install-broker-for-container-registry-agent-using-helm 27 | crType: "harbor-cr" 28 | 29 | crBase: "crBaseValue" 30 | 31 | crUsername: myusername 32 | 33 | crPassword: mypassword 34 | -------------------------------------------------------------------------------- /.releaserc: -------------------------------------------------------------------------------- 1 | { 2 | "branches": [ 3 | { 4 | "name": "main" 5 | } 6 | ], 7 | "repositoryUrl": "https://github.com/snyk/snyk-broker-helm.git", 8 | "tagFormat": "snyk-broker-${version}", 9 | "plugins": [ 10 | "@semantic-release/commit-analyzer", 11 | [ 12 | "@semantic-release/exec", 13 | { 14 | # prepare folders for charts and index file (needed for chart-releaser) 15 | "prepareCmd": "mkdir -p .cr-release-packages/ && mkdir -p .cr-index/" 16 | } 17 | ], 18 | [ 19 | "@semantic-release/exec", 20 | { 21 | # package the chart into a versioned chart archive file 22 | "prepareCmd": "helm package charts/snyk-broker/ --destination .cr-release-packages/ --version ${nextRelease.version}" 23 | } 24 | ], 25 | [ 26 | "@semantic-release/exec", 27 | { 28 | # upload the chart package to GitHub Releases. Note: $GH_TOKEN is expanded by the shell and handed to cr as a command-line argument, so the token is visible in the CI job's process list (and in any verbose command echo); if the pinned chart-releaser version supports reading the token from its environment, prefer that over --token. 29 | "publishCmd": "cr upload --owner snyk --git-repo snyk-broker-helm --push --skip-existing --token $GH_TOKEN" 30 | }, 31 | ], 32 | [ 33 | "@semantic-release/exec", 34 | { 35 | # update the chart repository index.yaml file based on given GitHub release (same --token caveat as the upload step above) 36 | "publishCmd": "cr index --owner snyk --git-repo snyk-broker-helm 
--push --token $GH_TOKEN" 37 | } 38 | ] 39 | ] 40 | } 41 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/dummy_ca_cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDYzCCAksCFAYMPiMLU27bbnNw60gZkdMg4Rr2MA0GCSqGSIb3DQEBCwUAMG4x 3 | CzAJBgNVBAYTAkNIMQswCQYDVQQIDAJBQTELMAkGA1UEBwwCQUExCzAJBgNVBAoM 4 | AkFBMQswCQYDVQQLDAJBQTELMAkGA1UEAwwCQUExHjAcBgkqhkiG9w0BCQEWD2Fu 5 | dG9pbmVAc255ay5pbzAeFw0yMzA4MzEyMTE2NDRaFw0yNDA4MzAyMTE2NDRaMG4x 6 | CzAJBgNVBAYTAkNIMQswCQYDVQQIDAJBQTELMAkGA1UEBwwCQUExCzAJBgNVBAoM 7 | AkFBMQswCQYDVQQLDAJBQTELMAkGA1UEAwwCQUExHjAcBgkqhkiG9w0BCQEWD2Fu 8 | dG9pbmVAc255ay5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPSe 9 | fzWIMgAFuIwP4ScnLoZPb75dKLy8Ao2QtowF6WyntFuNWPJPLbs8sTeRPPbtbDYn 10 | k2rfi15vQWL7HB7uKqTwFdXmf4kZu9SNxH1c7q+KNtYm1hiMBOlhM951N3gcefCE 11 | W8A2rD95ngZlDdnFfBmsWvomg2a8OQjveMA9Nl3aR8qFNsym52yphTAilV+QMmmj 12 | Xc7V/ElQElXN9uoSIbg6eTZ/yNqPDkdEQ+0f033IheHTdjFgnmCY4kFBp/4X6dDj 13 | vUbmfvQ8c3GN11SvyoJgrd0grquiIp3qHRXIfr+U6Z5aAT+G4/paTnuRlMFhpQwV 14 | D0Ur9jto7i/xo0gDArMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAP7c+rHqEbST8 15 | Vd25DNmhwb4hEGI2K8+YWixauZJOcRwamLrQree7UHn0EeWW+qZa2ec5G2y2fGb9 16 | HrB6C3LvDb0rmXWXbWTSM3Mj55ITDIYD3xBe2I5+jlykrxlEsC5QwFXMMbDKFwQj 17 | J7V6gFfjJweX8Ko9kUdXdKmx2/napkPEkU8hoAZ4cMaaqfx6d2hvQL+2flQkjH+A 18 | B3AgJ/FdaW0sb5caSstO1BEg3NgpJjO1YKRkxb1hkrjNRSJ2NfTkCwiTp9yIz25u 19 | 2UANxr7bbnEPd4bkk7OjE6SL+RH3YMCa3sBqtKwY14vs61AoWlS1bE0z8aRRsX49 20 | owemeenoGQ== 21 | -----END CERTIFICATE----- 22 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/fixtures/default_values_https_enabled.yaml: -------------------------------------------------------------------------------- 1 | # Default values for snyk-broker. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 
4 | 5 | ##### Snyk Specific Values ##### 6 | 7 | # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative 8 | brokerToken: "12345a6b-78d9-1e2f-3abc-456def789123" 9 | snykToken: "12345a6b-78d9-1e2f-3abc-456def789123" 10 | # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. 11 | # Ex: http://kubernetes-ingress.domain.com:8000/broker 12 | brokerClientUrl: "http://brokerclient" 13 | 14 | # Do not touch unless directed by a Snyk Representative 15 | brokerServerUrl: "https://broker.test.snyk.io" 16 | 17 | preflightChecks: 18 | enabled: true 19 | 20 | highAvailabilityMode: 21 | enabled: false 22 | brokerDispatcherUrl: "https://api.test.snyk.io" 23 | 24 | # To enable broker client to run a HTTPS server enable enableBrokerLocalWebserverOverHttps flag and also provide location of HTTPS_CERT and HTTPS_KEY 25 | enableBrokerLocalWebserverOverHttps: true 26 | 27 | # Location of mounted cert 28 | httpsCert: "dummy_tls_cert.crt" 29 | 30 | # Location of mounted HTTPS key 31 | httpsKey: "dummy_tls_key.key" 32 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_labels_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test broker deployment 2 | chart: 3 | version: 0.0.0 4 | templates: 5 | - broker_deployment.yaml 6 | - broker_service.yaml 7 | - serviceaccount.yaml 8 | values: 9 | - ./fixtures/default_values.yaml 10 | 11 | tests: 12 | - it: handles duplicative labels and adds new labels 13 | set: 14 | labels: 15 | app.kubernetes.io/name: "my duplicated label" 16 | test: node1 17 | asserts: 18 | - equal: 19 | path: metadata.labels 20 | value: 21 | app.kubernetes.io/instance: RELEASE-NAME 22 | app.kubernetes.io/managed-by: Helm 23 | app.kubernetes.io/name: 
snyk-broker-RELEASE-NAME 24 | helm.sh/chart: snyk-broker-0.0.0 25 | test: node1 26 | - it: sets a label 27 | set: 28 | labels: 29 | costCenter: prodsec 30 | asserts: 31 | - equal: 32 | path: metadata.labels.costCenter 33 | value: prodsec 34 | - it: sets a label on the broker pod 35 | set: 36 | labels: 37 | costCenter: prodsec 38 | asserts: 39 | - equal: 40 | path: spec.template.metadata.labels.costCenter 41 | value: prodsec 42 | template: broker_deployment.yaml 43 | - it: does not override a default label on the broker pod 44 | set: 45 | labels: 46 | app.kubernetes.io/name: fake 47 | asserts: 48 | - equal: 49 | path: spec.template.metadata.labels["app.kubernetes.io/name"] 50 | value: snyk-broker-RELEASE-NAME 51 | template: broker_deployment.yaml 52 | -------------------------------------------------------------------------------- /charts/snyk-broker/templates/_notes.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | */}} 3 | {{- define "snyk-broker.requiredSecrets" -}} 4 | {{- $scmTemplates := (list "scmTokenOrPool") }} 5 | {{- $artifactoryTemplates := (list "artifactoryUrl" "brokerClientValidationUrl" ) }} 6 | {{- $nexusTemplates := (list "baseNexusUrl" "nexusUrl" "brokerClientValidationUrl" )}} 7 | {{- $containerRegistryAgentTemplates := (list "scmToken" )}} 8 | {{- $templatesPerType := (dict "github-com" $scmTemplates "github-enterprise" $scmTemplates "gitlab" $scmTemplates "bitbucket-server" $scmTemplates "bitbucket-server-bearer-auth" $scmTemplates "azure-repos" $scmTemplates "artifactory" $artifactoryTemplates "nexus" $nexusTemplates "jira" $scmTemplates "jira-bearer-auth" $scmTemplates "container-registry-agent" $containerRegistryAgentTemplates ) }} 9 | {{- if not .Values.useExternalSecrets -}} 10 | {{- if not .Values.brokerToken }} 11 | {{ printf "-> %s:%s " (include "snyk-broker.brokerTokenSecretName" . ) (include "snyk-broker.brokerTokenSecretKey" . 
) }} 12 | {{- end }} 13 | {{- range (get $templatesPerType .Values.scmType ) }} 14 | {{- $secretObject := (first (fromYamlArray (include (printf "snyk-broker.%s" . ) $ ))) }} 15 | {{- $envName := $secretObject.name }} 16 | {{- $name := $secretObject.valueFrom.secretKeyRef.name }} 17 | {{- $key := $secretObject.valueFrom.secretKeyRef.key }} 18 | {{ printf "-> %s:%s <%s>" $name $key $envName }} 19 | {{- end }} 20 | {{- if .Values.httpsSecret.name }} 21 | {{ printf "-> %s:%s " .Values.httpsSecret.name "tls.crt" }} 22 | {{ printf "-> %s:%s " .Values.httpsSecret.name "tls.key" }} 23 | {{- end }} 24 | {{- if (and .Values.caCertFileSecret.name .Values.caCertFileSecret.key ) }} 25 | {{ printf "-> %s:%s " .Values.caCertFileSecret.name .Values.caCertFileSecret.key }} 26 | {{- end }} 27 | {{- end }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/dummy_tls_cert.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFazCCA1OgAwIBAgIUXsVXn57owX5UJCSgmpiUCDscyuUwDQYJKoZIhvcNAQEL 3 | BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM 4 | GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDAzMTMxNDQzMjlaFw0yNTAz 5 | MTMxNDQzMjlaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw 6 | HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB 7 | AQUAA4ICDwAwggIKAoICAQDkefnSLZV/5MXPQ17xCnYY8q4drlL0qDcY3GaXsWd1 8 | wvc6ACjl5/nOzsxVG6d0iXYXYJY7ORrfJB/EzI/tZddgw45ONtgpdAKBxSLuUK4+ 9 | isAa8N1BCy3/GTrFYi6jiXfwuG1/m1x+GeUUsLY2QV6z8jykSCtqgRf5Uj0Rt1Hl 10 | N1Termrd1Nebpe0xrWuUC5o/1H49kysRQvTT4a8CEqN5dctRITOZfZrSGjjZEEZj 11 | eBnzv/5J73nTGBThiar8Ii3iPeH4pbnefQR0oRFpwEmeI3Tptm/3qZeZjtWTf4lU 12 | BopkgrdszlQBdPbV/hqse9NgxtLq6xS5f0R+0oImk7TCNHHNkA4UkJ70JFWATGZK 13 | aK6+gDNJ+ATLP5SaCMtZcFDyVCWuSi+kHn58keOT7qU1cC+8GdW6A48NIL5KhA8O 14 | TCZE4tyMQMBCuqP27tQAoAGw+LssJD1AtmknR7SckfoX2D2xuAT74/RclZpRe+Q2 15 | 
YrccNqTa5g2TIWduQW1yZ1ZhZGq7iQKIoH4R9Is8v6hbfxbul6jeW0zW5qUMYBoW 16 | 1CfmC3Zfba9i63RKlY6WHoH9UWqSHVcpJeZgV91e0imzl8Xu0Wg74aXqbA55H70+ 17 | 3pr/pvGK1tsmlV7uelJ5C8sVoh1zSG5SGeCa216mbF4wYzOZXzzqzE7hWIzL2F/p 18 | nQIDAQABo1MwUTAdBgNVHQ4EFgQULOSPdDfPDfBlmXVGYgmlQDWA3GcwHwYDVR0j 19 | BBgwFoAULOSPdDfPDfBlmXVGYgmlQDWA3GcwDwYDVR0TAQH/BAUwAwEB/zANBgkq 20 | hkiG9w0BAQsFAAOCAgEAoArXK/8jPEjGOjq/Ek3KppWAYZpZzE4TkfT+F+AsisXU 21 | oRCRDlecSkWeK5er9xpKM66kEjmADIinHO+CsBzSt+oxuU8z1sVNmOBBZLI+B7an 22 | ++0eLg0pyNNS2gHydJskdbEFK4xNNGLn847bawlDf3bq30OQ3KGW5EBCZklc9GEf 23 | UA/GoX/RNhLe7e0RJy08J9Dfe8/rvBHIArmKIcM+MzDkR+6JhUYXXdIAFY4jpMxd 24 | 5Fieqj+NUF2UUFdjbtKEOjXzaNA2RRkesHaOqGAxV9FxVFRuggH3DJxiSwjzBH2z 25 | Nvjq5VVgh6/vRbcKUYu73H5JNAdLFFruuo9lTCuNdkrzEBS3zjyx2qrAuVVWOcPc 26 | pKm7cPgQ41H33+zWxEbotug14WoklFyDFfTVK/RCXLuFVnYIR4dL/Bsjbr23UsKU 27 | Th+tVL+T6uKr8UoMe0ODINsX8xguywo7j4Xa09/FHlnZ9VYVOX3U3CkRs5v17uiB 28 | oByUzTpMODcsFjJiE7TDZMAxVwazzwA12OO4ieOXlB3wiHR/uVo94MDNIVL/cQVG 29 | d6Oj6Vz9+MmyhEaHJsXJQv0c3UrpURI7Rn1UN1oUa4vb2HX58GnQC5vJ6GP5NBvG 30 | VQQ3xdXU2kQDPvbzHW4cF8nbIzbErXdRkqinZIEosNMhCdEtjdCeLg/Hn0K3LPk= 31 | -----END CERTIFICATE----- 32 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_tls_test.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json 2 | suite: Broker with TLS 3 | chart: 4 | version: 0.0.0 5 | templates: 6 | - broker_deployment.yaml 7 | - ingress.yaml 8 | values: 9 | - ./fixtures/default_values.yaml 10 | - ./fixtures/default_values_https_enabled.yaml 11 | 12 | tests: 13 | - it: sets https correctly 14 | asserts: 15 | - contains: 16 | path: spec.template.spec.containers[0].env 17 | content: 18 | name: HTTPS_CERT 19 | value: /home/node/tls-cert/tls.crt 20 | template: broker_deployment.yaml 21 | - contains: 22 | path: 
spec.template.spec.containers[0].env 23 | content: 24 | name: HTTPS_KEY 25 | value: /home/node/tls-cert/tls.key 26 | template: broker_deployment.yaml 27 | - it: uses an external tls secret 28 | set: 29 | useExternalSecrets: true 30 | httpsSecret: 31 | name: my-ingress-cert 32 | asserts: 33 | - contains: 34 | path: spec.template.spec.volumes 35 | content: 36 | name: RELEASE-NAME-snyk-broker-tls-secret-volume 37 | secret: 38 | secretName: my-ingress-cert 39 | template: broker_deployment.yaml 40 | - contains: 41 | path: spec.template.spec.containers[0].env 42 | content: 43 | name: HTTPS_CERT 44 | value: /home/node/tls-cert/tls.crt 45 | template: broker_deployment.yaml 46 | - contains: 47 | path: spec.template.spec.containers[0].env 48 | content: 49 | name: HTTPS_KEY 50 | value: /home/node/tls-cert/tls.key 51 | template: broker_deployment.yaml 52 | - exists: 53 | path: spec.template.spec.containers[0].volumeMounts 54 | template: broker_deployment.yaml 55 | - contains: 56 | path: spec.template.spec.containers[0].volumeMounts 57 | content: 58 | name: RELEASE-NAME-snyk-broker-tls-secret-volume 59 | mountPath: /home/node/tls-cert/ 60 | readOnly: true 61 | template: broker_deployment.yaml 62 | -------------------------------------------------------------------------------- /.circleci/config.yml: -------------------------------------------------------------------------------- 1 | version: 2.1 2 | 3 | orbs: 4 | prodsec: snyk/prodsec-orb@1.0 5 | helm: circleci/helm@3 6 | commitlint: conventional-changelog/commitlint@1.0 7 | 8 | executors: 9 | k8s: 10 | docker: 11 | - image: alpine/k8s:1.28.14 12 | resource_class: small 13 | node: 14 | docker: 15 | - image: cimg/node:lts 16 | resource_class: small 17 | 18 | commands: 19 | install-chart-releaser: 20 | parameters: 21 | cr-version: 22 | type: string 23 | default: "1.7.0" 24 | steps: 25 | - restore_cache: 26 | key: chart-releaser-<> 27 | - run: 28 | name: install chart-releaser 29 | command: | 30 | if [[ ! 
-f cr.tar.gz ]]; then 31 | curl -sSLo cr.tar.gz "https://github.com/helm/chart-releaser/releases/download/v<>/chart-releaser_<>_linux_amd64.tar.gz" 32 | fi 33 | tar -xzvf cr.tar.gz cr 34 | sudo mv cr /usr/local/bin/cr 35 | cr version 36 | - save_cache: 37 | paths: 38 | - cr.tar.gz 39 | key: chart-releaser-<> 40 | 41 | jobs: 42 | unittest: 43 | executor: k8s 44 | steps: 45 | - checkout 46 | - run: 47 | name: helm unittest 48 | command: helm unittest charts/snyk-broker 49 | 50 | publish: 51 | executor: node 52 | steps: 53 | - checkout 54 | - helm/install_helm_client 55 | - install-chart-releaser 56 | - run: 57 | name: install semantic-release and plugins 58 | command: sudo npm ci 59 | - run: 60 | # this is required by chart-releaser 61 | name: ensure that git uses https origin 62 | command: | 63 | git config url."https://github.com/".insteadOf "git@github.com:" 64 | git remote get-url --push origin 65 | - run: 66 | name: publish 67 | command: npx semantic-release 68 | 69 | workflows: 70 | validate_and_publish: 71 | jobs: 72 | - prodsec/secrets-scan: 73 | name: Scan repository for secrets 74 | context: 75 | - snyk-bot-slack 76 | channel: broker-alerts 77 | - commitlint/lint: 78 | name: Conventional Commit Lint 79 | filters: 80 | branches: 81 | ignore: [main] 82 | node-version: 20.11.1 83 | - unittest 84 | - publish: 85 | context: 86 | - team-hybrid-common 87 | filters: 88 | branches: 89 | only: 90 | - main 91 | -------------------------------------------------------------------------------- /charts/snyk-broker/templates/broker_ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.brokerIngress.enabled -}} 2 | {{- $ingressApiIsStable := eq (include "snyk-broker.ingress.isStable" .) "true" -}} 3 | {{- $ingressSupportsIngressClassName := eq (include "snyk-broker.ingress.supportsIngressClassName" .) "true" -}} 4 | {{- $ingressSupportsPathType := eq (include "snyk-broker.ingress.supportsPathType" .) 
"true" -}} 5 | {{- $fullName := include "snyk-broker.fullname" . -}} 6 | {{- $servicePort := .Values.service.port -}} 7 | {{- $scmType := .Values.scmType -}} 8 | {{- $ingressPath := .Values.brokerIngress.path -}} 9 | {{- $ingressPathType := .Values.brokerIngress.pathType -}} 10 | {{- $extraPaths := .Values.brokerIngress.extraPaths -}} 11 | {{- $releaseName := .Release.Name -}} 12 | {{- $disableSuffixes := .Values.disableSuffixes }} 13 | apiVersion: {{ include "snyk-broker.ingress.apiVersion" . }} 14 | kind: Ingress 15 | metadata: 16 | name: {{ $fullName }}{{ if not $disableSuffixes}}-{{ .Release.Name }}{{ end }} 17 | namespace: {{ .Release.Namespace }} 18 | labels: 19 | {{- include "snyk-broker.labels" . | nindent 4 }} 20 | {{- with .Values.brokerIngress.labels }} 21 | {{- toYaml . | nindent 8 }} 22 | {{- end }} 23 | {{- if .Values.brokerIngress.annotations }} 24 | annotations: 25 | {{- range $key, $value := .Values.brokerIngress.annotations }} 26 | {{ $key }}: {{ tpl $value $ | quote }} 27 | {{- end }} 28 | {{- end }} 29 | spec: 30 | {{- if and $ingressSupportsIngressClassName .Values.brokerIngress.ingressClassName }} 31 | ingressClassName: {{ .Values.brokerIngress.ingressClassName }} 32 | {{- end -}} 33 | {{- if .Values.brokerIngress.tls }} 34 | tls: 35 | {{ tpl (toYaml .Values.brokerIngress.tls) $ | indent 4 }} 36 | {{- end }} 37 | rules: 38 | {{- if .Values.brokerIngress.hosts }} 39 | {{- range .Values.brokerIngress.hosts }} 40 | - host: {{ tpl . 
$}} 41 | http: 42 | paths: 43 | {{- if $extraPaths }} 44 | {{ toYaml $extraPaths | indent 10 }} 45 | {{- end }} 46 | - path: {{ $ingressPath }} 47 | {{- if $ingressSupportsPathType }} 48 | pathType: {{ $ingressPathType }} 49 | {{- end }} 50 | backend: 51 | {{- if $ingressApiIsStable }} 52 | service: 53 | name: {{ include "snyk-broker.brokerServiceName" $ }} 54 | port: 55 | number: {{ $servicePort }} 56 | {{- else }} 57 | serviceName: {{ $scmType }}-broker-service{{ if not $disableSuffixes}}-{{ $releaseName }}{{ end }} 58 | servicePort: {{ $servicePort }} 59 | {{- end }} 60 | {{- end }} 61 | {{- else }} 62 | - http: 63 | paths: 64 | - backend: 65 | {{- if $ingressApiIsStable }} 66 | service: 67 | name: {{ include "snyk-broker.brokerServiceName" . }} 68 | port: 69 | number: {{ $servicePort }} 70 | {{- else }} 71 | serviceName: {{ include "snyk-broker.brokerServiceName" . }} 72 | servicePort: {{ $servicePort }} 73 | {{- end }} 74 | {{- if $ingressPath }} 75 | path: {{ $ingressPath }} 76 | {{- end }} 77 | {{- if $ingressSupportsPathType }} 78 | pathType: {{ $ingressPathType }} 79 | {{- end }} 80 | {{- end -}} 81 | {{- end }} 82 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/dummy_tls_key.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDkefnSLZV/5MXP 3 | Q17xCnYY8q4drlL0qDcY3GaXsWd1wvc6ACjl5/nOzsxVG6d0iXYXYJY7ORrfJB/E 4 | zI/tZddgw45ONtgpdAKBxSLuUK4+isAa8N1BCy3/GTrFYi6jiXfwuG1/m1x+GeUU 5 | sLY2QV6z8jykSCtqgRf5Uj0Rt1HlN1Termrd1Nebpe0xrWuUC5o/1H49kysRQvTT 6 | 4a8CEqN5dctRITOZfZrSGjjZEEZjeBnzv/5J73nTGBThiar8Ii3iPeH4pbnefQR0 7 | oRFpwEmeI3Tptm/3qZeZjtWTf4lUBopkgrdszlQBdPbV/hqse9NgxtLq6xS5f0R+ 8 | 0oImk7TCNHHNkA4UkJ70JFWATGZKaK6+gDNJ+ATLP5SaCMtZcFDyVCWuSi+kHn58 9 | keOT7qU1cC+8GdW6A48NIL5KhA8OTCZE4tyMQMBCuqP27tQAoAGw+LssJD1Atmkn 10 | 
R7SckfoX2D2xuAT74/RclZpRe+Q2YrccNqTa5g2TIWduQW1yZ1ZhZGq7iQKIoH4R 11 | 9Is8v6hbfxbul6jeW0zW5qUMYBoW1CfmC3Zfba9i63RKlY6WHoH9UWqSHVcpJeZg 12 | V91e0imzl8Xu0Wg74aXqbA55H70+3pr/pvGK1tsmlV7uelJ5C8sVoh1zSG5SGeCa 13 | 216mbF4wYzOZXzzqzE7hWIzL2F/pnQIDAQABAoICAD+6Zhxh6plJzoMJX6oMKPS8 14 | fCR7Q1hKs1OT5mnZaepG/36GHOJD2kH9HLGAjSzMSswqfLz4KK6k/Nd/14V4KqMq 15 | 6L6YPaMSYMChpCSlDHUVbpAVLyG9ZI8LEoGL6UZkSbgzORem1h22S1eCEtD/WtMG 16 | djO8jZ+fcnhwn+gZIha1YE7ch6Jog9s+ZPK+VItu0Q+MzcmPCyw9aNzQzmfdmwt9 17 | 98AhaqsdhdmkxsaE651DGroKi3tD+M8QoIJoS/EX94RrjmQ0lauhY2TEqH6+y8n4 18 | SdwGryR9gXOri5cgs8VkLaXrcA5BXt0pKtB1mCsUPtl3m8061QUIoqpdPUBVYs1h 19 | tFix8C6rC1aQ2pXRWfOP7UjE5DO8WosIvd+OEdOmpbh3A4GKokxLTDQeKPCYv/jh 20 | avZ8cD9+RmQZzPJN1gMqrAU//k/CpSt3iLfP3g7pbia9OpwH/KQTfnVJUXnD5hgc 21 | Olg5rBy+z7EZpPV0LPd9iR1+24gtOwj07yntQjevbtPYflrjv7LLDkzveH2LNHPI 22 | yDROhWSnSMhpj8tsBbqgRDeZD5cpCz3HKRPTNOcYuF+eAlxcD2DxhnCgtCC8hvan 23 | qEHiOSfgAVxKMe+VvjJvxOBTSwXMQrf2LtQOaNxv31K46iDXT4swYNQkRIvSDeoZ 24 | spBg1SqAVomKsZxJSYthAoIBAQD1uOSDwEtjnaabLlox8P832L74i/WntAN2+Gnc 25 | qju5w2WHjYz0GwXyDO0nonBENfIIeXBACw/r/Miq80ThfPLCmi0lqZcUZJMhE79S 26 | 70VQ0UBkGbtoBtq4sL/cxtK9KBDl6gztoNaJ159XO9wmqZ1Zo1101NzRv0igOQkK 27 | 0nl4lELmFgGim9TdpJ3RABlBZNChE0Z9JU0WgHflMpnwFu4uBmH9gdWL99I1lcSK 28 | ZXVHwqtrhXvFp9AmjQvwj8IRI4mXAxBDqmqlle8YlorYN+cNckRiLGs4oJnween9 29 | lAceYfvUWv8/OM/BDaeq5S9IZ/EHg1lZgzK+hBMv9vS9Lv6LAoIBAQDuCGvt0Wsi 30 | HA6DbEsFEA6qYc7gUNRcqdtYAJFAY2qsrLVKIUDYGXNMQStVrmQP7i0XN5YGvETV 31 | Rrj5Tre7U3dIzWkFMAxZ4ymm8u3huJti8tFxi3a/rRk+xvUlJfyetaBKPWX+pprV 32 | 9fnyqRYWV+ZN+F28MkK/AJBqNl2lIDmNwbyySM2WtUJX1zaNASdAKyIKjGFQtw8h 33 | bmDD79s/tYmWWaW0AKKh73y8DBR9/IGO8Lj+LcPLeg+aE/MrTD9rbvv51IyfEHhD 34 | NyJDskat87Hr8fHweQlVSWQTJ2xFN700Y1nFvLcDRAnpEaBS+Lxl0G76fSIPuyD0 35 | HyQvJrc/aKV3AoIBAGPWj+KISxlagMskdjk8djY2tsE9/L37Aj1giYLDGClOHv6I 36 | oPC92hiS7/jeo0bTtFeFH/qlg/6aYt4yoZYMsoYnJpja4yvCAZW69E26Miu4GbWS 37 | TvbhchUAm7QUhKOel98SzdXvN7wiA/fptnVvDSPSoLJLmr0OP2/6PJZNFlXLx7K8 38 | 
1kU/k6nKrOSyaZCMachIkKdgdIXkBNL3UFygtH220jGygxWvx5VGGOkyeAiELCov 39 | vi59FLHVNTi08GEOU2UsNXuIznQhC1iuMhPQAu0PtIE/EwGbH3D51/zUHGBX535M 40 | ytDhQGhsJ+fj3uZIdUJcN/2KtR97gmBGswH7CikCggEAK57reHeKNIQDvN3ZmaHp 41 | rhuid8UYRarzAVuJQs11PROhXWZepbt0P6Mpt9fvimPRa5HKMo3J53PAbh+Y2AFh 42 | uLu75TF68fYJKgkWwui7wRRSgYZXSqUEHVcEkbw2YTdTmodJ67LIaTFcjrWh0JJn 43 | KB69vsFPLgWCcZRo8NvI8EtysxFYa6fn8oUEAC8X7FB7OoejRdFmOnAp135bJX+1 44 | KRJgpW4AX8CtkSB9mODvNSy0GhB08xL5TPke9O5SKPP7xTrIUlYIU/kElHdVMIea 45 | MWzzM2ha54A9kK0G0GB4keMrDmuY9kY/srCCOvJORDJARDMuTMe0MEiMrv9fUYVx 46 | 3QKCAQB8w0ZhF7xMS5Tjzdetyurj2K/XtrfSc8jhitCGNoz8Gnc8kSP0trrhGydo 47 | /u5PIDmuzu2y6h9/K+pFt7aZ8TkHaoqVrG5YRuMpSaqUgWdtpHQ5pxoG1sb86Xh4 48 | lgQ4X6x9yu9bvUMfFVexfkLdXZOb0W7m/j/xXTLGueRABzMYYSwp9JnyldpoiR0e 49 | GzLH3RVE1pMM9cRxEFaD0fGy9yFSsDsb+Jm/A17Wq7/I8oGS4Co/QPmNBK7U8fpk 50 | yMtvaRgS1WKADj38X+8srg6uszO3teGAUbwP/pNq+TD9yhYJ9FOdPs0qi6rdpfUn 51 | ZFhsRfQR6YPsCdgBxShm4loyyGHe 52 | -----END PRIVATE KEY----- 53 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_proxy_test.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json 2 | suite: test broker proxy configuration 3 | chart: 4 | version: 0.0.0 5 | templates: 6 | - broker_deployment.yaml 7 | values: 8 | - ./fixtures/default_values.yaml 9 | 10 | tests: 11 | - it: sets an https proxy 12 | set: 13 | httpsProxy: &proxy http://my.proxy:8080 14 | asserts: 15 | - contains: 16 | path: spec.template.spec.containers[0].env 17 | content: 18 | name: HTTPS_PROXY 19 | value: *proxy 20 | - it: sets an http proxy 21 | set: 22 | httpProxy: *proxy 23 | asserts: 24 | - contains: 25 | path: spec.template.spec.containers[0].env 26 | content: 27 | name: HTTP_PROXY 28 | value: *proxy 29 | - it: sets both https and http proxy 30 | set: 31 | httpProxy: 
*proxy 32 | httpsProxy: *proxy 33 | asserts: 34 | - contains: 35 | path: spec.template.spec.containers[0].env 36 | content: 37 | name: HTTP_PROXY 38 | value: *proxy 39 | - contains: 40 | path: spec.template.spec.containers[0].env 41 | content: 42 | name: HTTPS_PROXY 43 | value: *proxy 44 | - it: rejects proxy without protocol 45 | set: 46 | httpsProxy: no.protocol.proxy:8080 47 | asserts: 48 | - failedTemplate: {} 49 | - it: sets noproxy without protocol 50 | set: 51 | noProxy: my.ghe.io 52 | asserts: 53 | - contains: 54 | path: spec.template.spec.containers[0].env 55 | content: 56 | name: NO_PROXY 57 | value: my.ghe.io 58 | - it: corrects noproxy by removing protocol 59 | set: 60 | noProxy: https://my.ghe.io 61 | asserts: 62 | - contains: 63 | path: spec.template.spec.containers[0].env 64 | content: 65 | name: NO_PROXY 66 | value: my.ghe.io 67 | - it: sets noproxy with multiple domains 68 | set: 69 | noProxy: my.ghe.io,my.other.host.tld 70 | asserts: 71 | - contains: 72 | path: spec.template.spec.containers[0].env 73 | content: 74 | name: NO_PROXY 75 | value: my.ghe.io,my.other.host.tld 76 | - it: corrects noproxy with multiple domains, one with protocol 77 | set: 78 | noProxy: my.ghe.io,https://my.private.site 79 | asserts: 80 | - contains: 81 | path: spec.template.spec.containers[0].env 82 | content: 83 | name: NO_PROXY 84 | value: my.ghe.io,my.private.site 85 | - it: corrects noproxy with multiple domains, one with protocol, with spaces 86 | set: 87 | noProxy: my.ghe.io, https://my.private.site 88 | asserts: 89 | - contains: 90 | path: spec.template.spec.containers[0].env 91 | content: 92 | name: NO_PROXY 93 | value: my.ghe.io,my.private.site 94 | - it: rejects noproxy with multiple domains, one with protocol, one with a port 95 | set: 96 | noProxy: my.ghe.io, https://my.private.site,notadomain:12334 97 | asserts: 98 | - failedTemplate: 99 | errorMessage: Entry notadomain:12334 for .Values.noProxy is invalid. 
Specify hostname only (no schema or port) 100 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_cra_deployment_disable_tls_test.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json 2 | suite: test broker deployment with CA 3 | chart: 4 | version: 0.0.0 5 | templates: 6 | - broker_deployment.yaml 7 | - cra_deployment.yaml 8 | - code_agent_deployment.yaml 9 | values: 10 | - ./fixtures/default_values.yaml 11 | - ./fixtures/default_values_cra.yaml 12 | set: 13 | enableCodeAgent: true 14 | 15 | tests: 16 | - it: disables tls trust with "disable" (string) 17 | set: 18 | tlsRejectUnauthorized: "disable" 19 | asserts: 20 | - contains: 21 | path: spec.template.spec.containers[0].env 22 | content: 23 | name: NODE_TLS_REJECT_UNAUTHORIZED 24 | value: "0" 25 | documentSelector: 26 | path: kind 27 | value: Deployment 28 | matchMany: true 29 | - it: disables tls trust with "0" (string) 30 | set: 31 | tlsRejectUnauthorized: "0" 32 | asserts: 33 | - contains: 34 | path: spec.template.spec.containers[0].env 35 | content: 36 | name: NODE_TLS_REJECT_UNAUTHORIZED 37 | value: "0" 38 | documentSelector: 39 | path: kind 40 | value: Deployment 41 | matchMany: true 42 | - it: disables tls trust with "false" (string) 43 | set: 44 | tlsRejectUnauthorized: "false" 45 | asserts: 46 | - contains: 47 | path: spec.template.spec.containers[0].env 48 | content: 49 | name: NODE_TLS_REJECT_UNAUTHORIZED 50 | value: "0" 51 | documentSelector: 52 | path: kind 53 | value: Deployment 54 | matchMany: true 55 | - it: disables tls trust with false (boolean) 56 | set: 57 | tlsRejectUnauthorized: false 58 | asserts: 59 | - contains: 60 | path: spec.template.spec.containers[0].env 61 | content: 62 | name: NODE_TLS_REJECT_UNAUTHORIZED 63 | value: "0" 64 | documentSelector: 65 | path: 
kind 66 | value: Deployment 67 | matchMany: true 68 | - it: disables tls trust with '0' (integer) 69 | set: 70 | tlsRejectUnauthorized: 0 71 | asserts: 72 | - contains: 73 | path: spec.template.spec.containers[0].env 74 | content: 75 | name: NODE_TLS_REJECT_UNAUTHORIZED 76 | value: "0" 77 | documentSelector: 78 | path: kind 79 | value: Deployment 80 | matchMany: true 81 | - it: enables tls trust by default "" (string) 82 | set: 83 | tlsRejectUnauthorized: "" 84 | asserts: 85 | - notContains: 86 | path: spec.template.spec.containers[0].env 87 | content: 88 | name: NODE_TLS_REJECT_UNAUTHORIZED 89 | value: "0" 90 | documentSelector: 91 | path: kind 92 | value: Deployment 93 | matchMany: true 94 | - it: does not allow true (bool) 95 | set: 96 | tlsRejectUnauthorized: true 97 | asserts: 98 | - failedTemplate: 99 | errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\nsnyk-broker:\n- tlsRejectUnauthorized: tlsRejectUnauthorized must be one of the following: \"\", 0, \"0\", \"false\", false, \"disable\"\n" 100 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_apprisk_type_test.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json 2 | suite: broker deployment (apprisk type) 3 | chart: 4 | version: 0.0.0 5 | values: 6 | - ./fixtures/default_values.yaml 7 | templates: 8 | - secrets.yaml 9 | - broker_deployment.yaml 10 | scmType: apprisk 11 | 12 | tests: 13 | - it: should create secrets if sonarqubeHostUrl is defined 14 | template: secrets.yaml 15 | set: 16 | sonarqubeHostUrl: https://mysonarqube 17 | sonarqubeApiToken: abc123 18 | # disableSuffixes: true 19 | scmType: apprisk 20 | asserts: 21 | 22 | - isKind: 23 | of: Secret 24 | documentIndex: 2 25 | documentSelector: 26 | path: metadata.name 27 
| value: apprisk-sonarqube-api-token-RELEASE-NAME 28 | - equal: 29 | path: data.apprisk-sonarqube-api-token 30 | value: YWJjMTIz 31 | documentIndex: 2 32 | documentSelector: 33 | path: metadata.name 34 | value: apprisk-sonarqube-api-token-RELEASE-NAME 35 | - hasDocuments: 36 | count: 3 37 | 38 | - it: should not create secrets if checkmarx only is defined 39 | template: secrets.yaml 40 | set: 41 | checkmarx: https://checkmarx 42 | scmType: apprisk 43 | asserts: 44 | - hasDocuments: 45 | count: 2 46 | - notEqual: 47 | path: metadata.name 48 | value: apprisk-sonarqube-api-token-RELEASE-NAME 49 | documentIndex: 0 50 | - notEqual: 51 | path: metadata.name 52 | value: apprisk-sonarqube-api-token-RELEASE-NAME 53 | documentIndex: 1 54 | 55 | - it: should create secrets if sonarqubeHostUrl is defined and checkmarx is set 56 | template: secrets.yaml 57 | set: 58 | sonarqubeHostUrl: https://mysonarqube 59 | sonarqubeApiToken: abc123 60 | checkmarx: https://checkmarx 61 | scmType: apprisk 62 | asserts: 63 | 64 | - isKind: 65 | of: Secret 66 | documentSelector: 67 | path: metadata.name 68 | value: apprisk-sonarqube-api-token-RELEASE-NAME 69 | - equal: 70 | path: data.apprisk-sonarqube-api-token 71 | value: YWJjMTIz 72 | documentIndex: 2 73 | documentSelector: 74 | path: metadata.name 75 | value: apprisk-sonarqube-api-token-RELEASE-NAME 76 | - hasDocuments: 77 | count: 3 78 | 79 | 80 | - it: references secrets in deployment and correct image 81 | release: 82 | name: unittest 83 | template: broker_deployment.yaml 84 | set: 85 | sonarqubeHostUrl: https://mysonarqube 86 | sonarqubeApiToken: abc123 87 | checkmarx: https://checkmarx 88 | disableSuffixes: true 89 | scmType: apprisk 90 | 91 | asserts: 92 | - equal: 93 | path: metadata.name 94 | value: apprisk-broker 95 | - contains: 96 | path: spec.template.spec.containers[0].env 97 | content: 98 | name: CHECKMARX 99 | value: https://checkmarx 100 | - contains: 101 | path: spec.template.spec.containers[0].env 102 | content: 103 | 
name: SONARQUBE_HOST_URL 104 | value: https://mysonarqube 105 | - contains: 106 | path: spec.template.spec.containers[0].env 107 | content: 108 | name: SONARQUBE_API_TOKEN 109 | valueFrom: 110 | secretKeyRef: 111 | name: apprisk-sonarqube-api-token 112 | key: "apprisk-sonarqube-api-token" 113 | - equal: 114 | path: spec.template.spec.containers[0].image 115 | value: snyk/broker:apprisk 116 | 117 | -------------------------------------------------------------------------------- /charts/snyk-broker/templates/code_agent_deployment.yaml: -------------------------------------------------------------------------------- 1 | {{ $setTlsRejectUnauthorized := include "snyk-broker.setTlsRejectUnauthorized" . }} 2 | {{- if .Values.enableCodeAgent }} 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: "{{ .Values.scmType}}-code-agent{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}" 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app.kubernetes.io/name: {{ .Release.Name }}-ca 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | spec: 12 | replicas: 1 13 | selector: 14 | matchLabels: 15 | app.kubernetes.io/name: {{ .Release.Name }}-ca 16 | app.kubernetes.io/instance: {{ .Release.Name }} 17 | template: 18 | metadata: 19 | {{- with .Values.podAnnotations }} 20 | annotations: 21 | {{- toYaml . | nindent 8 }} 22 | {{- end }} 23 | labels: 24 | app.kubernetes.io/name: {{ .Release.Name }}-ca 25 | app.kubernetes.io/instance: {{ .Release.Name }} 26 | spec: 27 | {{- with .Values.imagePullSecrets }} 28 | imagePullSecrets: 29 | {{- toYaml . | nindent 8 }} 30 | {{- end }} 31 | serviceAccountName: {{ include "snyk-broker.serviceAccountName" . 
}}{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} 32 | securityContext: 33 | {{- toYaml .Values.podSecurityContext | nindent 8 }} 34 | containers: 35 | - name: code-agent 36 | resources: 37 | limits: 38 | cpu: {{ .Values.caResources.limits.cpu }} 39 | memory: {{ .Values.caResources.limits.memory }} 40 | requests: 41 | cpu: {{ .Values.caResources.requests.cpu }} 42 | memory: {{ .Values.caResources.requests.memory}} 43 | securityContext: 44 | {{- toYaml .Values.securityContextCa | nindent 12 }} 45 | image: "{{ .Values.image.caRepository }}:{{ .Values.caImage}}" 46 | imagePullPolicy: {{ .Values.image.pullPolicy }} 47 | ports: 48 | - name: http 49 | containerPort: {{ .Values.deployment.container.caSnykPort }} 50 | env: 51 | - name: PORT 52 | value: {{ .Values.deployment.container.caSnykPort | squote }} 53 | {{- if .Values.upstreamUrlCodeAgent }} 54 | - name: UPSTREAM_URL 55 | value: {{ .Values.upstreamUrlCodeAgent | squote }} 56 | {{- end }} 57 | - name: SNYK_TOKEN 58 | valueFrom: 59 | secretKeyRef: 60 | name: snyk-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} 61 | key: snyk-token-key 62 | {{- if $setTlsRejectUnauthorized }} 63 | # Troubleshooting - Set to 0 for SSL inspection testing 64 | - name: NODE_TLS_REJECT_UNAUTHORIZED 65 | value: "0" 66 | {{- end }} 67 | {{- if .Values.httpsProxy }} 68 | # HTTPS Proxy Settings 69 | - name: HTTPS_PROXY 70 | value: {{ .Values.httpsProxy }} 71 | {{- end }} 72 | {{- if .Values.noProxy }} 73 | # No Proxy Settings 74 | - name: NO_PROXY 75 | value: {{ include "snyk-broker.noProxy" . }} 76 | {{- end }} 77 | {{- range .Values.env }} 78 | # custom env var in override.yaml 79 | - name: {{ .name }} 80 | value: {{ .value | squote }} 81 | {{- end}} 82 | --- 83 | apiVersion: v1 84 | kind: Service 85 | metadata: 86 | name: "code-agent-service{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}" 87 | namespace: {{ .Release.Namespace }} 88 | labels: 89 | {{- include "snyk-broker.labels" . 
| nindent 4 }} 90 | spec: 91 | type: {{ .Values.service.caType }} 92 | ports: 93 | - port: {{ .Values.deployment.container.caSnykPort }} 94 | targetPort: {{ .Values.deployment.container.caSnykPort}} 95 | selector: 96 | app.kubernetes.io/name: {{ .Release.Name }}-ca 97 | app.kubernetes.io/instance: {{ .Release.Name }} 98 | {{- end }} 99 | -------------------------------------------------------------------------------- /charts/snyk-broker/templates/secrets.yaml: -------------------------------------------------------------------------------- 1 | {{- $scmToken := coalesce .Values.scmToken .Values.bitbucketPassword .Values.bitbucketPat .Values.azureReposToken .Values.jiraPassword .Values.jiraPat .Values.crPassword .Values.crToken | default "" }} 2 | {{- if .Values.brokerToken }} 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: {{ include "snyk-broker.brokerTokenSecretName" . }} 7 | type: Opaque 8 | data: 9 | {{ include "snyk-broker.brokerTokenSecretKey" . }} : {{ .Values.brokerToken | b64enc | quote }} 10 | --- 11 | {{- end }} 12 | {{- if .Values.scmTokenPool }} 13 | apiVersion: v1 14 | kind: Secret 15 | metadata: 16 | name: {{ include "snyk-broker.scmTokenPoolSecretName" . }} 17 | type: Opaque 18 | data: 19 | {{ include "snyk-broker.scmTokenPoolSecretKey" . }} : {{ .Values.scmTokenPool | b64enc | quote }} 20 | --- 21 | {{- end }} 22 | {{- if $scmToken }} 23 | apiVersion: v1 24 | kind: Secret 25 | metadata: 26 | name: {{ include "snyk-broker.scmTokenSecretName" . }} 27 | type: Opaque 28 | data: 29 | {{ include "snyk-broker.scmTokenSecretKey" . 
}} : {{ $scmToken | b64enc | quote }} 30 | --- 31 | {{- end }} 32 | {{- if .Values.snykToken }} 33 | apiVersion: v1 34 | kind: Secret 35 | metadata: 36 | name: snyk-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} 37 | type: Opaque 38 | data: 39 | snyk-token-key : {{ .Values.snykToken | b64enc | quote }} 40 | --- 41 | {{- end }} 42 | {{- if .Values.artifactoryUrl }} 43 | apiVersion: v1 44 | kind: Secret 45 | metadata: 46 | name: {{ include "snyk-broker.artifactoryUrlSecretName" . }} 47 | type: Opaque 48 | data: 49 | {{ include "snyk-broker.artifactoryUrlSecretKey" . }} : {{ .Values.artifactoryUrl | b64enc | quote }} 50 | --- 51 | {{- end }} 52 | {{- if and ( or .Values.baseNexusUrl .Values.nexusUrl .Values.artifactoryUrl) (.Values.brokerClientValidationUrl) }} 53 | apiVersion: v1 54 | kind: Secret 55 | metadata: 56 | name: {{ include "snyk-broker.brokerClientValidationUrlSecretName" . }} 57 | type: Opaque 58 | data: 59 | {{ include "snyk-broker.brokerClientValidationUrlSecretKey" . }} : {{ .Values.brokerClientValidationUrl | b64enc | quote }} 60 | --- 61 | {{- end }} 62 | {{- if .Values.baseNexusUrl }} 63 | apiVersion: v1 64 | kind: Secret 65 | metadata: 66 | name: {{ include "snyk-broker.baseNexusUrlSecretName" . }} 67 | type: Opaque 68 | data: 69 | {{ include "snyk-broker.baseNexusUrlSecretKey" . }} : {{ .Values.baseNexusUrl | b64enc | quote }} 70 | --- 71 | {{- end }} 72 | {{- if .Values.nexusUrl }} 73 | apiVersion: v1 74 | kind: Secret 75 | metadata: 76 | name: {{ include "snyk-broker.nexusUrlSecretName" . }} 77 | type: Opaque 78 | data: 79 | {{ include "snyk-broker.nexusUrlSecretKey" . }} : {{ .Values.nexusUrl | b64enc | quote }} 80 | --- 81 | {{- end}} 82 | {{- if .Values.sonarqubeApiToken }} 83 | apiVersion: v1 84 | kind: Secret 85 | metadata: 86 | name: {{ include "snyk-broker.sonarqubeApiTokenSecretName" . }} 87 | type: Opaque 88 | data: 89 | {{ include "snyk-broker.sonarqubeApiTokenSecretKey" . 
}} : {{ .Values.sonarqubeApiToken | b64enc | quote }} 90 | --- 91 | {{- end}} 92 | {{- if and (.Values.httpsCert) (.Values.httpsKey) }} 93 | apiVersion: v1 94 | kind: Secret 95 | metadata: 96 | name: {{ include "snyk-broker.tlsSecretName" . }} 97 | type: kubernetes.io/tls 98 | data: 99 | tls.crt: {{ (.Files.Get .Values.httpsCert) | b64enc | quote }} 100 | tls.key: {{ (.Files.Get .Values.httpsKey) | b64enc | quote }} 101 | --- 102 | {{- end }} 103 | {{- if or .Values.caCert .Values.caCertFile }} 104 | apiVersion: v1 105 | kind: Secret 106 | metadata: 107 | name: {{ include "snyk-broker.caCertSecretName" . }} 108 | namespace: {{ .Release.Namespace }} 109 | labels: 110 | {{- include "snyk-broker.labels" . | nindent 4 }} 111 | data: 112 | {{- if and .Values.caCert (not .Values.caCertFile) }} 113 | {{ (.Files.Glob .Values.caCert).AsSecrets | nindent 2 }} 114 | {{- else if and .Values.caCertFile (not .Values.caCert) }} 115 | cacert: {{ .Values.caCertFile | trim | b64enc | nindent 4}} 116 | {{- end }} 117 | --- 118 | {{- end }} 119 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/__snapshot__/broker_cra_deployment_extraPodSpecs_test.yaml.snap: -------------------------------------------------------------------------------- 1 | renders extraPodSpecs CRA: 2 | 1: | 3 | containers: 4 | - env: 5 | - name: BROKER_SERVER_URL 6 | value: https://broker.test.snyk.io 7 | - name: BROKER_HEALTHCHECK_PATH 8 | value: /healthcheck 9 | - name: BROKER_SYSTEMCHECK_PATH 10 | value: /systemcheck 11 | - name: BROKER_TOKEN 12 | valueFrom: 13 | secretKeyRef: 14 | key: container-registry-agent-broker-token-key 15 | name: container-registry-agent-broker-token-RELEASE-NAME 16 | - name: CR_AGENT_URL 17 | value: http://cra-service-RELEASE-NAME:8081 18 | - name: CR_TYPE 19 | value: ecr 20 | - name: CR_ROLE_ARN 21 | value: arn:aws-us-gov:iam::123456789012:role 22 | - name: CR_REGION 23 | value: eu-west 24 | - name: CR_EXTERNAL_ID 25 | value: 
11111111-1111-1111-1111-111111111111 26 | - name: PORT 27 | value: "8000" 28 | - name: BROKER_CLIENT_URL 29 | value: http://container-registry-agent-broker-service-RELEASE-NAME:8000 30 | - name: BROKER_CLIENT_VALIDATION_URL 31 | value: http://cra-service-RELEASE-NAME:8081/healthcheck 32 | - name: LOG_LEVEL 33 | value: info 34 | - name: LOG_ENABLE_BODY 35 | value: "false" 36 | - name: BROKER_DISPATCHER_BASE_URL 37 | value: https://api.test.snyk.io 38 | image: snyk/broker:container-registry-agent 39 | imagePullPolicy: Always 40 | livenessProbe: 41 | failureThreshold: 3 42 | httpGet: 43 | path: /healthcheck 44 | port: 8000 45 | scheme: HTTP 46 | initialDelaySeconds: 3 47 | periodSeconds: 10 48 | timeoutSeconds: 1 49 | name: container-registry-agent-broker-RELEASE-NAME 50 | ports: 51 | - containerPort: 8000 52 | name: http 53 | readinessProbe: 54 | failureThreshold: 3 55 | httpGet: 56 | path: /healthcheck 57 | port: 8000 58 | scheme: HTTP 59 | initialDelaySeconds: 3 60 | periodSeconds: 10 61 | timeoutSeconds: 1 62 | resources: 63 | limits: 64 | cpu: 1 65 | memory: 256Mi 66 | requests: 67 | cpu: 1 68 | memory: 256Mi 69 | securityContext: 70 | allowPrivilegeEscalation: false 71 | capabilities: 72 | drop: 73 | - ALL 74 | readOnlyRootFilesystem: true 75 | runAsNonRoot: true 76 | runAsUser: 1000 77 | volumeMounts: null 78 | nodeSelector: 79 | corp.io/node-classification: snyk 80 | securityContext: {} 81 | serviceAccountName: snyk-broker-RELEASE-NAME 82 | tolerations: 83 | - effect: NoSchedule 84 | key: networking/something 85 | operator: Equal 86 | value: internal-pods 87 | volumes: null 88 | 2: | 89 | containers: 90 | - env: 91 | - name: SNYK_PORT 92 | value: "8081" 93 | image: snyk/container-registry-agent:latest 94 | imagePullPolicy: Always 95 | name: container-registry-agent-RELEASE-NAME 96 | ports: 97 | - containerPort: 8081 98 | name: http 99 | resources: 100 | limits: 101 | cpu: 1 102 | memory: 2Gi 103 | requests: 104 | cpu: 1 105 | memory: 2Gi 106 | securityContext: 
107 | allowPrivilegeEscalation: false 108 | capabilities: 109 | drop: 110 | - ALL 111 | readOnlyRootFilesystem: false 112 | runAsNonRoot: true 113 | runAsUser: 1000 114 | nodeSelector: 115 | corp.io/node-classification: snyk 116 | securityContext: {} 117 | serviceAccountName: snyk-broker-RELEASE-NAME 118 | tolerations: 119 | - effect: NoSchedule 120 | key: networking/something 121 | operator: Equal 122 | value: internal-pods 123 | -------------------------------------------------------------------------------- /charts/snyk-broker/templates/cra_deployment.yaml: -------------------------------------------------------------------------------- 1 | {{ $setTlsRejectUnauthorized := include "snyk-broker.setTlsRejectUnauthorized" . }} 2 | {{- if eq .Values.scmType "container-registry-agent" }} 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: "{{ .Values.scmType}}-cra{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}" 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app.kubernetes.io/name: {{ .Release.Name }}-cr{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | spec: 12 | replicas: 1 13 | selector: 14 | matchLabels: 15 | app.kubernetes.io/name: {{ .Release.Name }}-cr{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} 16 | app.kubernetes.io/instance: {{ .Release.Name }} 17 | template: 18 | metadata: 19 | {{- with .Values.podAnnotations }} 20 | annotations: 21 | {{- toYaml . | nindent 8 }} 22 | {{- end }} 23 | labels: 24 | app.kubernetes.io/name: {{ .Release.Name }}-cr{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} 25 | app.kubernetes.io/instance: {{ .Release.Name }} 26 | spec: 27 | {{- if .Values.extraPodSpecsCr }} 28 | {{- toYaml .Values.extraPodSpecsCr | nindent 6 }} 29 | {{- end }} 30 | {{- with .Values.imagePullSecrets }} 31 | imagePullSecrets: 32 | {{- toYaml . 
| nindent 8 }} 33 | {{- end }} 34 | serviceAccountName: {{ include "snyk-broker.serviceAccountName" . }}{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} 35 | securityContext: 36 | {{- toYaml .Values.podSecurityContext | nindent 8 }} 37 | containers: 38 | - name: container-registry-agent{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} 39 | resources: 40 | limits: 41 | cpu: {{ .Values.crResources.limits.cpu }} 42 | memory: {{ .Values.crResources.limits.memory }} 43 | requests: 44 | cpu: {{ .Values.crResources.requests.cpu }} 45 | memory: {{ .Values.crResources.requests.memory}} 46 | securityContext: 47 | {{- toYaml .Values.securityContextCr | nindent 12 }} 48 | image: "{{ .Values.image.crRepository }}:{{ .Values.crImage}}" 49 | imagePullPolicy: {{ .Values.image.pullPolicy }} 50 | ports: 51 | - name: http 52 | containerPort: {{ .Values.deployment.container.crSnykPort }} 53 | env: 54 | - name: SNYK_PORT 55 | value: {{ .Values.deployment.container.crSnykPort | squote }} 56 | {{- if $setTlsRejectUnauthorized }} 57 | # Troubleshooting only - setting NODE_TLS_REJECT_UNAUTHORIZED to 0 disables TLS certificate verification for this container; intended solely for SSL inspection testing 58 | - name: NODE_TLS_REJECT_UNAUTHORIZED 59 | value: "0" 60 | {{- end }} 61 | {{- if .Values.caCert }} 62 | # HTTPS inspection - trust the custom CA certificate mounted read-only from the cacert ConfigMap 63 | - name: CA_CERT 64 | value: /home/node/cacert/{{ .Values.caCert }} 65 | - name: NODE_EXTRA_CA_CERTS 66 | value: /home/node/cacert/{{ .Values.caCert }} 67 | {{- end }} 68 | {{- range .Values.env }} 69 | # custom env vars supplied via .Values.env (e.g. in override.yaml) 70 | - name: {{ .name }} 71 | value: {{ .value | squote }} 72 | {{- end}} 73 | {{- if .Values.caCert }} 74 | volumeMounts: 75 | - name: {{ include "snyk-broker.fullname" . }}-cacert-volume 76 | mountPath: /home/node/cacert 77 | readOnly: true 78 | {{- end }} 79 | {{- if .Values.caCert }} 80 | volumes: 81 | - name: {{ include "snyk-broker.fullname" . }}-cacert-volume 82 | configMap: 83 | name: {{ include "snyk-broker.fullname" . 
}}-cacert-configmap{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} 84 | {{- end }} 85 | --- 86 | apiVersion: v1 87 | kind: Service 88 | metadata: 89 | name: "cra-service{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}" 90 | namespace: {{ .Release.Namespace }} 91 | labels: 92 | {{- include "snyk-broker.labels" . | nindent 4 }} 93 | spec: 94 | type: {{ .Values.service.crType }} 95 | ports: 96 | - port: {{ .Values.deployment.container.crSnykPort }} 97 | targetPort: {{ .Values.deployment.container.crSnykPort}} 98 | selector: 99 | app.kubernetes.io/name: {{ .Release.Name }}-cr{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} 100 | app.kubernetes.io/instance: {{ .Release.Name }} 101 | {{- end }} 102 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/__snapshot__/broker_deployment_apprisk_test.yaml.snap: -------------------------------------------------------------------------------- 1 | apprisk enabled: 2 | 1: | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | labels: 7 | app.kubernetes.io/instance: RELEASE-NAME 8 | app.kubernetes.io/managed-by: Helm 9 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 10 | helm.sh/chart: snyk-broker-0.0.0 11 | name: github-com-broker-RELEASE-NAME 12 | namespace: NAMESPACE 13 | spec: 14 | replicas: 1 15 | selector: 16 | matchLabels: 17 | app.kubernetes.io/instance: RELEASE-NAME 18 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 19 | template: 20 | metadata: 21 | labels: 22 | app.kubernetes.io/instance: RELEASE-NAME 23 | app.kubernetes.io/managed-by: Helm 24 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 25 | helm.sh/chart: snyk-broker-0.0.0 26 | spec: 27 | containers: 28 | - env: 29 | - name: BROKER_SERVER_URL 30 | value: https://broker.test.snyk.io 31 | - name: BROKER_HEALTHCHECK_PATH 32 | value: /healthcheck 33 | - name: BROKER_SYSTEMCHECK_PATH 34 | value: /systemcheck 35 | - name: BROKER_TOKEN 36 | valueFrom: 
37 | secretKeyRef: 38 | key: github-com-broker-token-key 39 | name: github-com-broker-token-RELEASE-NAME 40 | - name: GITHUB_TOKEN 41 | valueFrom: 42 | secretKeyRef: 43 | key: github-com-token-key 44 | name: github-com-token-RELEASE-NAME 45 | - name: PORT 46 | value: "8000" 47 | - name: BROKER_CLIENT_URL 48 | value: http://brokerclient 49 | - name: LOG_LEVEL 50 | value: info 51 | - name: LOG_ENABLE_BODY 52 | value: "false" 53 | - name: ACCEPT_CODE 54 | value: "true" 55 | - name: ACCEPT_IAC 56 | value: tf,yaml,yml,json,tpl 57 | - name: ACCEPT_APPRISK 58 | value: "true" 59 | - name: BROKER_DISPATCHER_BASE_URL 60 | value: https://api.test.snyk.io 61 | image: snyk/broker:github-com 62 | imagePullPolicy: Always 63 | livenessProbe: 64 | failureThreshold: 3 65 | httpGet: 66 | path: /healthcheck 67 | port: 8000 68 | scheme: HTTP 69 | initialDelaySeconds: 3 70 | periodSeconds: 10 71 | timeoutSeconds: 1 72 | name: github-com-broker-RELEASE-NAME 73 | ports: 74 | - containerPort: 8000 75 | name: http 76 | readinessProbe: 77 | failureThreshold: 3 78 | httpGet: 79 | path: /healthcheck 80 | port: 8000 81 | scheme: HTTP 82 | initialDelaySeconds: 3 83 | periodSeconds: 10 84 | timeoutSeconds: 1 85 | resources: 86 | limits: 87 | cpu: 1 88 | memory: 256Mi 89 | requests: 90 | cpu: 1 91 | memory: 256Mi 92 | securityContext: 93 | allowPrivilegeEscalation: false 94 | capabilities: 95 | drop: 96 | - ALL 97 | readOnlyRootFilesystem: true 98 | runAsNonRoot: true 99 | runAsUser: 1000 100 | volumeMounts: null 101 | securityContext: {} 102 | serviceAccountName: snyk-broker-RELEASE-NAME 103 | volumes: null 104 | 2: | 105 | apiVersion: v1 106 | kind: Service 107 | metadata: 108 | labels: 109 | app.kubernetes.io/instance: RELEASE-NAME 110 | app.kubernetes.io/managed-by: Helm 111 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 112 | helm.sh/chart: snyk-broker-0.0.0 113 | name: github-com-broker-service-RELEASE-NAME 114 | namespace: NAMESPACE 115 | spec: 116 | ports: 117 | - port: 8000 118 | 
targetPort: 8000 119 | selector: 120 | app.kubernetes.io/instance: RELEASE-NAME 121 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 122 | type: ClusterIP 123 | 3: | 124 | apiVersion: v1 125 | data: 126 | github-com-broker-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 127 | kind: Secret 128 | metadata: 129 | name: github-com-broker-token-RELEASE-NAME 130 | type: Opaque 131 | 4: | 132 | apiVersion: v1 133 | data: 134 | snyk-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 135 | kind: Secret 136 | metadata: 137 | name: snyk-token-RELEASE-NAME 138 | type: Opaque 139 | 5: | 140 | apiVersion: v1 141 | kind: ServiceAccount 142 | metadata: 143 | labels: 144 | app.kubernetes.io/instance: RELEASE-NAME 145 | app.kubernetes.io/managed-by: Helm 146 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 147 | helm.sh/chart: snyk-broker-0.0.0 148 | name: snyk-broker-RELEASE-NAME 149 | namespace: NAMESPACE 150 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/__snapshot__/broker_cra_deployment_test.yaml.snap: -------------------------------------------------------------------------------- 1 | with CRA: 2 | 1: | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | labels: 7 | app.kubernetes.io/instance: RELEASE-NAME 8 | app.kubernetes.io/managed-by: Helm 9 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 10 | helm.sh/chart: snyk-broker-0.0.0 11 | name: container-registry-agent-broker-RELEASE-NAME 12 | namespace: NAMESPACE 13 | spec: 14 | replicas: 1 15 | selector: 16 | matchLabels: 17 | app.kubernetes.io/instance: RELEASE-NAME 18 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 19 | template: 20 | metadata: 21 | labels: 22 | app.kubernetes.io/instance: RELEASE-NAME 23 | app.kubernetes.io/managed-by: Helm 24 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 25 | helm.sh/chart: snyk-broker-0.0.0 26 | spec: 27 | containers: 28 | - env: 29 | - name: BROKER_SERVER_URL 30 | value: 
https://broker.test.snyk.io 31 | - name: BROKER_HEALTHCHECK_PATH 32 | value: /healthcheck 33 | - name: BROKER_SYSTEMCHECK_PATH 34 | value: /systemcheck 35 | - name: BROKER_TOKEN 36 | valueFrom: 37 | secretKeyRef: 38 | key: container-registry-agent-broker-token-key 39 | name: container-registry-agent-broker-token-RELEASE-NAME 40 | - name: CR_AGENT_URL 41 | value: http://cra-service-RELEASE-NAME:8081 42 | - name: CR_TYPE 43 | value: ecr 44 | - name: CR_ROLE_ARN 45 | value: arn:aws-us-gov:iam::123456789012:role 46 | - name: CR_REGION 47 | value: eu-west 48 | - name: CR_EXTERNAL_ID 49 | value: 11111111-1111-1111-1111-111111111111 50 | - name: PORT 51 | value: "8000" 52 | - name: BROKER_CLIENT_URL 53 | value: http://container-registry-agent-broker-service-RELEASE-NAME:8000 54 | - name: BROKER_CLIENT_VALIDATION_URL 55 | value: http://cra-service-RELEASE-NAME:8081/healthcheck 56 | - name: LOG_LEVEL 57 | value: info 58 | - name: LOG_ENABLE_BODY 59 | value: "false" 60 | - name: BROKER_DISPATCHER_BASE_URL 61 | value: https://api.test.snyk.io 62 | image: snyk/broker:container-registry-agent 63 | imagePullPolicy: Always 64 | livenessProbe: 65 | failureThreshold: 3 66 | httpGet: 67 | path: /healthcheck 68 | port: 8000 69 | scheme: HTTP 70 | initialDelaySeconds: 3 71 | periodSeconds: 10 72 | timeoutSeconds: 1 73 | name: container-registry-agent-broker-RELEASE-NAME 74 | ports: 75 | - containerPort: 8000 76 | name: http 77 | readinessProbe: 78 | failureThreshold: 3 79 | httpGet: 80 | path: /healthcheck 81 | port: 8000 82 | scheme: HTTP 83 | initialDelaySeconds: 3 84 | periodSeconds: 10 85 | timeoutSeconds: 1 86 | resources: 87 | limits: 88 | cpu: 1 89 | memory: 256Mi 90 | requests: 91 | cpu: 1 92 | memory: 256Mi 93 | securityContext: 94 | allowPrivilegeEscalation: false 95 | capabilities: 96 | drop: 97 | - ALL 98 | readOnlyRootFilesystem: true 99 | runAsNonRoot: true 100 | runAsUser: 1000 101 | volumeMounts: null 102 | securityContext: {} 103 | serviceAccountName: 
snyk-broker-RELEASE-NAME 104 | volumes: null 105 | 2: | 106 | apiVersion: v1 107 | kind: Service 108 | metadata: 109 | labels: 110 | app.kubernetes.io/instance: RELEASE-NAME 111 | app.kubernetes.io/managed-by: Helm 112 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 113 | helm.sh/chart: snyk-broker-0.0.0 114 | name: container-registry-agent-broker-service-RELEASE-NAME 115 | namespace: NAMESPACE 116 | spec: 117 | ports: 118 | - port: 8000 119 | targetPort: 8000 120 | selector: 121 | app.kubernetes.io/instance: RELEASE-NAME 122 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 123 | type: ClusterIP 124 | 3: | 125 | apiVersion: v1 126 | data: 127 | container-registry-agent-broker-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 128 | kind: Secret 129 | metadata: 130 | name: container-registry-agent-broker-token-RELEASE-NAME 131 | type: Opaque 132 | 4: | 133 | apiVersion: v1 134 | data: 135 | snyk-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 136 | kind: Secret 137 | metadata: 138 | name: snyk-token-RELEASE-NAME 139 | type: Opaque 140 | 5: | 141 | apiVersion: v1 142 | kind: ServiceAccount 143 | metadata: 144 | labels: 145 | app.kubernetes.io/instance: RELEASE-NAME 146 | app.kubernetes.io/managed-by: Helm 147 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 148 | helm.sh/chart: snyk-broker-0.0.0 149 | name: snyk-broker-RELEASE-NAME 150 | namespace: NAMESPACE 151 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/__snapshot__/broker_cra_deployment_disablesuffixes_test.yaml.snap: -------------------------------------------------------------------------------- 1 | with CRA: 2 | 1: | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | labels: 7 | app.kubernetes.io/instance: RELEASE-NAME 8 | app.kubernetes.io/managed-by: Helm 9 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 10 | helm.sh/chart: snyk-broker-0.0.0 11 | name: container-registry-agent-broker-RELEASE-NAME 12 | 
namespace: NAMESPACE 13 | spec: 14 | replicas: 1 15 | selector: 16 | matchLabels: 17 | app.kubernetes.io/instance: RELEASE-NAME 18 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 19 | template: 20 | metadata: 21 | labels: 22 | app.kubernetes.io/instance: RELEASE-NAME 23 | app.kubernetes.io/managed-by: Helm 24 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 25 | helm.sh/chart: snyk-broker-0.0.0 26 | spec: 27 | containers: 28 | - env: 29 | - name: BROKER_SERVER_URL 30 | value: https://broker.test.snyk.io 31 | - name: BROKER_HEALTHCHECK_PATH 32 | value: /healthcheck 33 | - name: BROKER_SYSTEMCHECK_PATH 34 | value: /systemcheck 35 | - name: BROKER_TOKEN 36 | valueFrom: 37 | secretKeyRef: 38 | key: container-registry-agent-broker-token-key 39 | name: container-registry-agent-broker-token-RELEASE-NAME 40 | - name: CR_AGENT_URL 41 | value: http://cra-service-RELEASE-NAME:8081 42 | - name: CR_TYPE 43 | value: ecr 44 | - name: CR_ROLE_ARN 45 | value: arn:aws-us-gov:iam::123456789012:role 46 | - name: CR_REGION 47 | value: eu-west 48 | - name: CR_EXTERNAL_ID 49 | value: 11111111-1111-1111-1111-111111111111 50 | - name: PORT 51 | value: "8000" 52 | - name: BROKER_CLIENT_URL 53 | value: http://container-registry-agent-broker-service-RELEASE-NAME:8000 54 | - name: BROKER_CLIENT_VALIDATION_URL 55 | value: http://cra-service-RELEASE-NAME:8081/healthcheck 56 | - name: LOG_LEVEL 57 | value: info 58 | - name: LOG_ENABLE_BODY 59 | value: "false" 60 | - name: BROKER_DISPATCHER_BASE_URL 61 | value: https://api.test.snyk.io 62 | image: snyk/broker:container-registry-agent 63 | imagePullPolicy: Always 64 | livenessProbe: 65 | failureThreshold: 3 66 | httpGet: 67 | path: /healthcheck 68 | port: 8000 69 | scheme: HTTP 70 | initialDelaySeconds: 3 71 | periodSeconds: 10 72 | timeoutSeconds: 1 73 | name: container-registry-agent-broker-RELEASE-NAME 74 | ports: 75 | - containerPort: 8000 76 | name: http 77 | readinessProbe: 78 | failureThreshold: 3 79 | httpGet: 80 | path: /healthcheck 
81 | port: 8000 82 | scheme: HTTP 83 | initialDelaySeconds: 3 84 | periodSeconds: 10 85 | timeoutSeconds: 1 86 | resources: 87 | limits: 88 | cpu: 1 89 | memory: 256Mi 90 | requests: 91 | cpu: 1 92 | memory: 256Mi 93 | securityContext: 94 | allowPrivilegeEscalation: false 95 | capabilities: 96 | drop: 97 | - ALL 98 | readOnlyRootFilesystem: true 99 | runAsNonRoot: true 100 | runAsUser: 1000 101 | volumeMounts: null 102 | securityContext: {} 103 | serviceAccountName: snyk-broker-RELEASE-NAME 104 | volumes: null 105 | 2: | 106 | apiVersion: v1 107 | kind: Service 108 | metadata: 109 | labels: 110 | app.kubernetes.io/instance: RELEASE-NAME 111 | app.kubernetes.io/managed-by: Helm 112 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 113 | helm.sh/chart: snyk-broker-0.0.0 114 | name: container-registry-agent-broker-service-RELEASE-NAME 115 | namespace: NAMESPACE 116 | spec: 117 | ports: 118 | - port: 8000 119 | targetPort: 8000 120 | selector: 121 | app.kubernetes.io/instance: RELEASE-NAME 122 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 123 | type: ClusterIP 124 | 3: | 125 | apiVersion: v1 126 | data: 127 | container-registry-agent-broker-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 128 | kind: Secret 129 | metadata: 130 | name: container-registry-agent-broker-token-RELEASE-NAME 131 | type: Opaque 132 | 4: | 133 | apiVersion: v1 134 | data: 135 | snyk-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 136 | kind: Secret 137 | metadata: 138 | name: snyk-token-RELEASE-NAME 139 | type: Opaque 140 | 5: | 141 | apiVersion: v1 142 | kind: ServiceAccount 143 | metadata: 144 | labels: 145 | app.kubernetes.io/instance: RELEASE-NAME 146 | app.kubernetes.io/managed-by: Helm 147 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 148 | helm.sh/chart: snyk-broker-0.0.0 149 | name: snyk-broker-RELEASE-NAME 150 | namespace: NAMESPACE 151 | -------------------------------------------------------------------------------- 
/charts/snyk-broker/tests/__snapshot__/broker_deployment_customaccept_disablesuffixes_test.yaml.snap: -------------------------------------------------------------------------------- 1 | customaccept values: 2 | 1: | 3 | apiVersion: v1 4 | data: 5 | accept.json: test 6 | kind: ConfigMap 7 | metadata: 8 | labels: 9 | app.kubernetes.io/instance: RELEASE-NAME 10 | app.kubernetes.io/managed-by: Helm 11 | app.kubernetes.io/name: snyk-broker 12 | helm.sh/chart: snyk-broker-0.0.0 13 | name: RELEASE-NAME-snyk-broker-accept-configmap 14 | namespace: NAMESPACE 15 | 2: | 16 | apiVersion: apps/v1 17 | kind: Deployment 18 | metadata: 19 | labels: 20 | app.kubernetes.io/instance: RELEASE-NAME 21 | app.kubernetes.io/managed-by: Helm 22 | app.kubernetes.io/name: snyk-broker 23 | helm.sh/chart: snyk-broker-0.0.0 24 | name: github-com-broker 25 | namespace: NAMESPACE 26 | spec: 27 | replicas: 1 28 | selector: 29 | matchLabels: 30 | app.kubernetes.io/instance: RELEASE-NAME 31 | app.kubernetes.io/name: snyk-broker 32 | template: 33 | metadata: 34 | labels: 35 | app.kubernetes.io/instance: RELEASE-NAME 36 | app.kubernetes.io/managed-by: Helm 37 | app.kubernetes.io/name: snyk-broker 38 | helm.sh/chart: snyk-broker-0.0.0 39 | spec: 40 | containers: 41 | - env: 42 | - name: BROKER_SERVER_URL 43 | value: https://broker.test.snyk.io 44 | - name: BROKER_HEALTHCHECK_PATH 45 | value: /healthcheck 46 | - name: BROKER_SYSTEMCHECK_PATH 47 | value: /systemcheck 48 | - name: BROKER_TOKEN 49 | valueFrom: 50 | secretKeyRef: 51 | key: github-com-broker-token-key 52 | name: github-com-broker-token 53 | - name: GITHUB_TOKEN 54 | valueFrom: 55 | secretKeyRef: 56 | key: github-com-token-key 57 | name: github-com-token 58 | - name: PORT 59 | value: "8000" 60 | - name: BROKER_CLIENT_URL 61 | value: http://brokerclient 62 | - name: LOG_LEVEL 63 | value: info 64 | - name: LOG_ENABLE_BODY 65 | value: "false" 66 | - name: ACCEPT 67 | value: /home/node/private/accept.json 68 | - name: BROKER_DISPATCHER_BASE_URL 
69 | value: https://api.test.snyk.io 70 | image: snyk/broker:github-com 71 | imagePullPolicy: Always 72 | livenessProbe: 73 | failureThreshold: 3 74 | httpGet: 75 | path: /healthcheck 76 | port: 8000 77 | scheme: HTTP 78 | initialDelaySeconds: 3 79 | periodSeconds: 10 80 | timeoutSeconds: 1 81 | name: github-com-broker 82 | ports: 83 | - containerPort: 8000 84 | name: http 85 | readinessProbe: 86 | failureThreshold: 3 87 | httpGet: 88 | path: /healthcheck 89 | port: 8000 90 | scheme: HTTP 91 | initialDelaySeconds: 3 92 | periodSeconds: 10 93 | timeoutSeconds: 1 94 | resources: 95 | limits: 96 | cpu: 1 97 | memory: 256Mi 98 | requests: 99 | cpu: 1 100 | memory: 256Mi 101 | securityContext: 102 | allowPrivilegeEscalation: false 103 | capabilities: 104 | drop: 105 | - ALL 106 | readOnlyRootFilesystem: true 107 | runAsNonRoot: true 108 | runAsUser: 1000 109 | volumeMounts: 110 | - mountPath: /home/node/private 111 | name: RELEASE-NAME-snyk-broker-accept-volume 112 | readOnly: true 113 | securityContext: {} 114 | serviceAccountName: snyk-broker 115 | volumes: 116 | - configMap: 117 | name: RELEASE-NAME-snyk-broker-accept-configmap 118 | name: RELEASE-NAME-snyk-broker-accept-volume 119 | 3: | 120 | apiVersion: v1 121 | kind: Service 122 | metadata: 123 | labels: 124 | app.kubernetes.io/instance: RELEASE-NAME 125 | app.kubernetes.io/managed-by: Helm 126 | app.kubernetes.io/name: snyk-broker 127 | helm.sh/chart: snyk-broker-0.0.0 128 | name: github-com-broker-service 129 | namespace: NAMESPACE 130 | spec: 131 | ports: 132 | - port: 8000 133 | targetPort: 8000 134 | selector: 135 | app.kubernetes.io/instance: RELEASE-NAME 136 | app.kubernetes.io/name: snyk-broker 137 | type: ClusterIP 138 | 4: | 139 | apiVersion: v1 140 | data: 141 | github-com-broker-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 142 | kind: Secret 143 | metadata: 144 | name: github-com-broker-token 145 | type: Opaque 146 | 5: | 147 | apiVersion: v1 148 | data: 149 | snyk-token-key: 
MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 150 | kind: Secret 151 | metadata: 152 | name: snyk-token 153 | type: Opaque 154 | 6: | 155 | apiVersion: v1 156 | kind: ServiceAccount 157 | metadata: 158 | labels: 159 | app.kubernetes.io/instance: RELEASE-NAME 160 | app.kubernetes.io/managed-by: Helm 161 | app.kubernetes.io/name: snyk-broker 162 | helm.sh/chart: snyk-broker-0.0.0 163 | name: snyk-broker 164 | namespace: NAMESPACE 165 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/__snapshot__/broker_deployment_ingress_disablesuffixes_test.yaml.snap: -------------------------------------------------------------------------------- 1 | ingress: 2 | 1: | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | labels: 7 | app.kubernetes.io/instance: RELEASE-NAME 8 | app.kubernetes.io/managed-by: Helm 9 | app.kubernetes.io/name: snyk-broker 10 | helm.sh/chart: snyk-broker-0.0.0 11 | name: github-com-broker 12 | namespace: NAMESPACE 13 | spec: 14 | replicas: 1 15 | selector: 16 | matchLabels: 17 | app.kubernetes.io/instance: RELEASE-NAME 18 | app.kubernetes.io/name: snyk-broker 19 | template: 20 | metadata: 21 | labels: 22 | app.kubernetes.io/instance: RELEASE-NAME 23 | app.kubernetes.io/managed-by: Helm 24 | app.kubernetes.io/name: snyk-broker 25 | helm.sh/chart: snyk-broker-0.0.0 26 | spec: 27 | containers: 28 | - env: 29 | - name: BROKER_SERVER_URL 30 | value: https://broker.test.snyk.io 31 | - name: BROKER_HEALTHCHECK_PATH 32 | value: /healthcheck 33 | - name: BROKER_SYSTEMCHECK_PATH 34 | value: /systemcheck 35 | - name: BROKER_TOKEN 36 | valueFrom: 37 | secretKeyRef: 38 | key: github-com-broker-token-key 39 | name: github-com-broker-token 40 | - name: GITHUB_TOKEN 41 | valueFrom: 42 | secretKeyRef: 43 | key: github-com-token-key 44 | name: github-com-token 45 | - name: PORT 46 | value: "8000" 47 | - name: BROKER_CLIENT_URL 48 | value: http://brokerclient 49 | - name: LOG_LEVEL 50 | value: info 51 | 
- name: LOG_ENABLE_BODY 52 | value: "false" 53 | - name: ACCEPT_CODE 54 | value: "true" 55 | - name: ACCEPT_IAC 56 | value: tf,yaml,yml,json,tpl 57 | - name: ACCEPT_APPRISK 58 | value: "true" 59 | - name: BROKER_DISPATCHER_BASE_URL 60 | value: https://api.test.snyk.io 61 | image: snyk/broker:github-com 62 | imagePullPolicy: Always 63 | livenessProbe: 64 | failureThreshold: 3 65 | httpGet: 66 | path: /healthcheck 67 | port: 8000 68 | scheme: HTTP 69 | initialDelaySeconds: 3 70 | periodSeconds: 10 71 | timeoutSeconds: 1 72 | name: github-com-broker 73 | ports: 74 | - containerPort: 8000 75 | name: http 76 | readinessProbe: 77 | failureThreshold: 3 78 | httpGet: 79 | path: /healthcheck 80 | port: 8000 81 | scheme: HTTP 82 | initialDelaySeconds: 3 83 | periodSeconds: 10 84 | timeoutSeconds: 1 85 | resources: 86 | limits: 87 | cpu: 1 88 | memory: 256Mi 89 | requests: 90 | cpu: 1 91 | memory: 256Mi 92 | securityContext: 93 | allowPrivilegeEscalation: false 94 | capabilities: 95 | drop: 96 | - ALL 97 | readOnlyRootFilesystem: true 98 | runAsNonRoot: true 99 | runAsUser: 1000 100 | volumeMounts: null 101 | securityContext: {} 102 | serviceAccountName: snyk-broker 103 | volumes: null 104 | 2: | 105 | apiVersion: extensions/v1beta1 106 | kind: Ingress 107 | metadata: 108 | labels: 109 | app.kubernetes.io/instance: RELEASE-NAME 110 | app.kubernetes.io/managed-by: Helm 111 | app.kubernetes.io/name: snyk-broker 112 | helm.sh/chart: snyk-broker-0.0.0 113 | name: RELEASE-NAME-snyk-broker 114 | namespace: NAMESPACE 115 | spec: 116 | rules: 117 | - host: 118 | http: 119 | paths: 120 | - backend: 121 | serviceName: github-com-broker-service 122 | servicePort: 8000 123 | path: / 124 | 3: | 125 | apiVersion: v1 126 | kind: Service 127 | metadata: 128 | labels: 129 | app.kubernetes.io/instance: RELEASE-NAME 130 | app.kubernetes.io/managed-by: Helm 131 | app.kubernetes.io/name: snyk-broker 132 | helm.sh/chart: snyk-broker-0.0.0 133 | name: github-com-broker-service 134 | namespace: 
NAMESPACE 135 | spec: 136 | ports: 137 | - port: 8000 138 | targetPort: 8000 139 | selector: 140 | app.kubernetes.io/instance: RELEASE-NAME 141 | app.kubernetes.io/name: snyk-broker 142 | type: ClusterIP 143 | 4: | 144 | apiVersion: v1 145 | data: 146 | github-com-broker-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 147 | kind: Secret 148 | metadata: 149 | name: github-com-broker-token 150 | type: Opaque 151 | 5: | 152 | apiVersion: v1 153 | data: 154 | snyk-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 155 | kind: Secret 156 | metadata: 157 | name: snyk-token 158 | type: Opaque 159 | 6: | 160 | apiVersion: v1 161 | kind: ServiceAccount 162 | metadata: 163 | labels: 164 | app.kubernetes.io/instance: RELEASE-NAME 165 | app.kubernetes.io/managed-by: Helm 166 | app.kubernetes.io/name: snyk-broker 167 | helm.sh/chart: snyk-broker-0.0.0 168 | name: snyk-broker 169 | namespace: NAMESPACE 170 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/__snapshot__/broker_deployment_customaccept_test.yaml.snap: -------------------------------------------------------------------------------- 1 | customaccept values: 2 | 1: | 3 | apiVersion: v1 4 | data: 5 | accept.json: test 6 | kind: ConfigMap 7 | metadata: 8 | labels: 9 | app.kubernetes.io/instance: RELEASE-NAME 10 | app.kubernetes.io/managed-by: Helm 11 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 12 | helm.sh/chart: snyk-broker-0.0.0 13 | name: RELEASE-NAME-snyk-broker-accept-configmap-RELEASE-NAME 14 | namespace: NAMESPACE 15 | 2: | 16 | apiVersion: apps/v1 17 | kind: Deployment 18 | metadata: 19 | labels: 20 | app.kubernetes.io/instance: RELEASE-NAME 21 | app.kubernetes.io/managed-by: Helm 22 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 23 | helm.sh/chart: snyk-broker-0.0.0 24 | name: github-com-broker-RELEASE-NAME 25 | namespace: NAMESPACE 26 | spec: 27 | replicas: 1 28 | selector: 29 | matchLabels: 30 | 
app.kubernetes.io/instance: RELEASE-NAME 31 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 32 | template: 33 | metadata: 34 | labels: 35 | app.kubernetes.io/instance: RELEASE-NAME 36 | app.kubernetes.io/managed-by: Helm 37 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 38 | helm.sh/chart: snyk-broker-0.0.0 39 | spec: 40 | containers: 41 | - env: 42 | - name: BROKER_SERVER_URL 43 | value: https://broker.test.snyk.io 44 | - name: BROKER_HEALTHCHECK_PATH 45 | value: /healthcheck 46 | - name: BROKER_SYSTEMCHECK_PATH 47 | value: /systemcheck 48 | - name: BROKER_TOKEN 49 | valueFrom: 50 | secretKeyRef: 51 | key: github-com-broker-token-key 52 | name: github-com-broker-token-RELEASE-NAME 53 | - name: GITHUB_TOKEN 54 | valueFrom: 55 | secretKeyRef: 56 | key: github-com-token-key 57 | name: github-com-token-RELEASE-NAME 58 | - name: PORT 59 | value: "8000" 60 | - name: BROKER_CLIENT_URL 61 | value: http://brokerclient 62 | - name: LOG_LEVEL 63 | value: info 64 | - name: LOG_ENABLE_BODY 65 | value: "false" 66 | - name: ACCEPT 67 | value: /home/node/private/accept.json 68 | - name: BROKER_DISPATCHER_BASE_URL 69 | value: https://api.test.snyk.io 70 | image: snyk/broker:github-com 71 | imagePullPolicy: Always 72 | livenessProbe: 73 | failureThreshold: 3 74 | httpGet: 75 | path: /healthcheck 76 | port: 8000 77 | scheme: HTTP 78 | initialDelaySeconds: 3 79 | periodSeconds: 10 80 | timeoutSeconds: 1 81 | name: github-com-broker-RELEASE-NAME 82 | ports: 83 | - containerPort: 8000 84 | name: http 85 | readinessProbe: 86 | failureThreshold: 3 87 | httpGet: 88 | path: /healthcheck 89 | port: 8000 90 | scheme: HTTP 91 | initialDelaySeconds: 3 92 | periodSeconds: 10 93 | timeoutSeconds: 1 94 | resources: 95 | limits: 96 | cpu: 1 97 | memory: 256Mi 98 | requests: 99 | cpu: 1 100 | memory: 256Mi 101 | securityContext: 102 | allowPrivilegeEscalation: false 103 | capabilities: 104 | drop: 105 | - ALL 106 | readOnlyRootFilesystem: true 107 | runAsNonRoot: true 108 | runAsUser: 1000 
109 | volumeMounts: 110 | - mountPath: /home/node/private 111 | name: RELEASE-NAME-snyk-broker-accept-volume 112 | readOnly: true 113 | securityContext: {} 114 | serviceAccountName: snyk-broker-RELEASE-NAME 115 | volumes: 116 | - configMap: 117 | name: RELEASE-NAME-snyk-broker-accept-configmap-RELEASE-NAME 118 | name: RELEASE-NAME-snyk-broker-accept-volume 119 | 3: | 120 | apiVersion: v1 121 | kind: Service 122 | metadata: 123 | labels: 124 | app.kubernetes.io/instance: RELEASE-NAME 125 | app.kubernetes.io/managed-by: Helm 126 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 127 | helm.sh/chart: snyk-broker-0.0.0 128 | name: github-com-broker-service-RELEASE-NAME 129 | namespace: NAMESPACE 130 | spec: 131 | ports: 132 | - port: 8000 133 | targetPort: 8000 134 | selector: 135 | app.kubernetes.io/instance: RELEASE-NAME 136 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 137 | type: ClusterIP 138 | 4: | 139 | apiVersion: v1 140 | data: 141 | github-com-broker-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 142 | kind: Secret 143 | metadata: 144 | name: github-com-broker-token-RELEASE-NAME 145 | type: Opaque 146 | 5: | 147 | apiVersion: v1 148 | data: 149 | snyk-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 150 | kind: Secret 151 | metadata: 152 | name: snyk-token-RELEASE-NAME 153 | type: Opaque 154 | 6: | 155 | apiVersion: v1 156 | kind: ServiceAccount 157 | metadata: 158 | labels: 159 | app.kubernetes.io/instance: RELEASE-NAME 160 | app.kubernetes.io/managed-by: Helm 161 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 162 | helm.sh/chart: snyk-broker-0.0.0 163 | name: snyk-broker-RELEASE-NAME 164 | namespace: NAMESPACE 165 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/__snapshot__/broker_deployment_artifactory_test.yaml.snap: -------------------------------------------------------------------------------- 1 | should render artifactoryUrl and brokerClientValidationUrl as 
secrets: 2 | 1: | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | labels: 7 | app.kubernetes.io/instance: RELEASE-NAME 8 | app.kubernetes.io/managed-by: Helm 9 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 10 | helm.sh/chart: snyk-broker-0.0.0 11 | name: artifactory-broker-RELEASE-NAME 12 | namespace: NAMESPACE 13 | spec: 14 | replicas: 1 15 | selector: 16 | matchLabels: 17 | app.kubernetes.io/instance: RELEASE-NAME 18 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 19 | template: 20 | metadata: 21 | labels: 22 | app.kubernetes.io/instance: RELEASE-NAME 23 | app.kubernetes.io/managed-by: Helm 24 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 25 | helm.sh/chart: snyk-broker-0.0.0 26 | spec: 27 | containers: 28 | - env: 29 | - name: BROKER_SERVER_URL 30 | value: https://broker.test.snyk.io 31 | - name: BROKER_HEALTHCHECK_PATH 32 | value: /healthcheck 33 | - name: BROKER_SYSTEMCHECK_PATH 34 | value: /systemcheck 35 | - name: BROKER_TOKEN 36 | valueFrom: 37 | secretKeyRef: 38 | key: artifactory-broker-token-key 39 | name: artifactory-broker-token-RELEASE-NAME 40 | - name: PORT 41 | value: "8000" 42 | - name: BROKER_CLIENT_URL 43 | value: http://brokerclient 44 | - name: ARTIFACTORY_URL 45 | valueFrom: 46 | secretKeyRef: 47 | key: artifactory-url 48 | name: artifactory-url-RELEASE-NAME 49 | - name: BROKER_CLIENT_VALIDATION_URL 50 | valueFrom: 51 | secretKeyRef: 52 | key: artifactory-broker-client-validation-url 53 | name: artifactory-broker-client-validation-url-RELEASE-NAME 54 | - name: LOG_LEVEL 55 | value: info 56 | - name: LOG_ENABLE_BODY 57 | value: "false" 58 | - name: BROKER_DISPATCHER_BASE_URL 59 | value: https://api.test.snyk.io 60 | image: snyk/broker:artifactory 61 | imagePullPolicy: Always 62 | livenessProbe: 63 | failureThreshold: 3 64 | httpGet: 65 | path: /healthcheck 66 | port: 8000 67 | scheme: HTTP 68 | initialDelaySeconds: 3 69 | periodSeconds: 10 70 | timeoutSeconds: 1 71 | name: artifactory-broker-RELEASE-NAME 72 | ports: 
73 | - containerPort: 8000 74 | name: http 75 | readinessProbe: 76 | failureThreshold: 3 77 | httpGet: 78 | path: /healthcheck 79 | port: 8000 80 | scheme: HTTP 81 | initialDelaySeconds: 3 82 | periodSeconds: 10 83 | timeoutSeconds: 1 84 | resources: 85 | limits: 86 | cpu: 1 87 | memory: 256Mi 88 | requests: 89 | cpu: 1 90 | memory: 256Mi 91 | securityContext: 92 | allowPrivilegeEscalation: false 93 | capabilities: 94 | drop: 95 | - ALL 96 | readOnlyRootFilesystem: true 97 | runAsNonRoot: true 98 | runAsUser: 1000 99 | volumeMounts: null 100 | securityContext: {} 101 | serviceAccountName: snyk-broker-RELEASE-NAME 102 | volumes: null 103 | 2: | 104 | apiVersion: v1 105 | kind: Service 106 | metadata: 107 | labels: 108 | app.kubernetes.io/instance: RELEASE-NAME 109 | app.kubernetes.io/managed-by: Helm 110 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 111 | helm.sh/chart: snyk-broker-0.0.0 112 | name: artifactory-broker-service-RELEASE-NAME 113 | namespace: NAMESPACE 114 | spec: 115 | ports: 116 | - port: 8000 117 | targetPort: 8000 118 | selector: 119 | app.kubernetes.io/instance: RELEASE-NAME 120 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 121 | type: ClusterIP 122 | 3: | 123 | apiVersion: v1 124 | data: 125 | artifactory-broker-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 126 | kind: Secret 127 | metadata: 128 | name: artifactory-broker-token-RELEASE-NAME 129 | type: Opaque 130 | 4: | 131 | apiVersion: v1 132 | data: 133 | snyk-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 134 | kind: Secret 135 | metadata: 136 | name: snyk-token-RELEASE-NAME 137 | type: Opaque 138 | 5: | 139 | apiVersion: v1 140 | data: 141 | artifactory-url: dXNlcm5hbWU6cGFzc3dvcmRAeW91ci1kb21haW4uY29tL2FydGlmYWN0b3J5 142 | kind: Secret 143 | metadata: 144 | name: artifactory-url-RELEASE-NAME 145 | type: Opaque 146 | 6: | 147 | apiVersion: v1 148 | data: 149 | artifactory-broker-client-validation-url: 
aHR0cHM6Ly91c2VybmFtZTpwYXNzd29yZEB5b3VyLWRvbWFpbi5jb20vYXJ0aWZhY3RvcnkvYXBpL3N5c3RlbS9waW5n 150 | kind: Secret 151 | metadata: 152 | name: artifactory-broker-client-validation-url-RELEASE-NAME 153 | type: Opaque 154 | 7: | 155 | apiVersion: v1 156 | kind: ServiceAccount 157 | metadata: 158 | labels: 159 | app.kubernetes.io/instance: RELEASE-NAME 160 | app.kubernetes.io/managed-by: Helm 161 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 162 | helm.sh/chart: snyk-broker-0.0.0 163 | name: snyk-broker-RELEASE-NAME 164 | namespace: NAMESPACE 165 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/__snapshot__/broker_deployment_ingress_test.yaml.snap: -------------------------------------------------------------------------------- 1 | ingress: 2 | 1: | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | labels: 7 | app.kubernetes.io/instance: RELEASE-NAME 8 | app.kubernetes.io/managed-by: Helm 9 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 10 | helm.sh/chart: snyk-broker-0.0.0 11 | name: github-com-broker-RELEASE-NAME 12 | namespace: NAMESPACE 13 | spec: 14 | replicas: 1 15 | selector: 16 | matchLabels: 17 | app.kubernetes.io/instance: RELEASE-NAME 18 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 19 | template: 20 | metadata: 21 | labels: 22 | app.kubernetes.io/instance: RELEASE-NAME 23 | app.kubernetes.io/managed-by: Helm 24 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 25 | helm.sh/chart: snyk-broker-0.0.0 26 | spec: 27 | containers: 28 | - env: 29 | - name: BROKER_SERVER_URL 30 | value: https://broker.test.snyk.io 31 | - name: BROKER_HEALTHCHECK_PATH 32 | value: /healthcheck 33 | - name: BROKER_SYSTEMCHECK_PATH 34 | value: /systemcheck 35 | - name: BROKER_TOKEN 36 | valueFrom: 37 | secretKeyRef: 38 | key: github-com-broker-token-key 39 | name: github-com-broker-token-RELEASE-NAME 40 | - name: GITHUB_TOKEN 41 | valueFrom: 42 | secretKeyRef: 43 | key: github-com-token-key 44 | name: 
github-com-token-RELEASE-NAME 45 | - name: PORT 46 | value: "8000" 47 | - name: BROKER_CLIENT_URL 48 | value: http://brokerclient 49 | - name: LOG_LEVEL 50 | value: info 51 | - name: LOG_ENABLE_BODY 52 | value: "false" 53 | - name: ACCEPT_CODE 54 | value: "true" 55 | - name: ACCEPT_IAC 56 | value: tf,yaml,yml,json,tpl 57 | - name: ACCEPT_APPRISK 58 | value: "true" 59 | - name: BROKER_DISPATCHER_BASE_URL 60 | value: https://api.test.snyk.io 61 | image: snyk/broker:github-com 62 | imagePullPolicy: Always 63 | livenessProbe: 64 | failureThreshold: 3 65 | httpGet: 66 | path: /healthcheck 67 | port: 8000 68 | scheme: HTTP 69 | initialDelaySeconds: 3 70 | periodSeconds: 10 71 | timeoutSeconds: 1 72 | name: github-com-broker-RELEASE-NAME 73 | ports: 74 | - containerPort: 8000 75 | name: http 76 | readinessProbe: 77 | failureThreshold: 3 78 | httpGet: 79 | path: /healthcheck 80 | port: 8000 81 | scheme: HTTP 82 | initialDelaySeconds: 3 83 | periodSeconds: 10 84 | timeoutSeconds: 1 85 | resources: 86 | limits: 87 | cpu: 1 88 | memory: 256Mi 89 | requests: 90 | cpu: 1 91 | memory: 256Mi 92 | securityContext: 93 | allowPrivilegeEscalation: false 94 | capabilities: 95 | drop: 96 | - ALL 97 | readOnlyRootFilesystem: true 98 | runAsNonRoot: true 99 | runAsUser: 1000 100 | volumeMounts: null 101 | securityContext: {} 102 | serviceAccountName: snyk-broker-RELEASE-NAME 103 | volumes: null 104 | 2: | 105 | apiVersion: extensions/v1beta1 106 | kind: Ingress 107 | metadata: 108 | labels: 109 | app.kubernetes.io/instance: RELEASE-NAME 110 | app.kubernetes.io/managed-by: Helm 111 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 112 | customLabel: customValue 113 | helm.sh/chart: snyk-broker-0.0.0 114 | name: RELEASE-NAME-snyk-broker-RELEASE-NAME 115 | namespace: NAMESPACE 116 | spec: 117 | rules: 118 | - host: 119 | http: 120 | paths: 121 | - backend: 122 | serviceName: github-com-broker-service-RELEASE-NAME 123 | servicePort: 8000 124 | path: / 125 | 3: | 126 | apiVersion: v1 127 | 
kind: Service 128 | metadata: 129 | labels: 130 | app.kubernetes.io/instance: RELEASE-NAME 131 | app.kubernetes.io/managed-by: Helm 132 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 133 | helm.sh/chart: snyk-broker-0.0.0 134 | name: github-com-broker-service-RELEASE-NAME 135 | namespace: NAMESPACE 136 | spec: 137 | ports: 138 | - port: 8000 139 | targetPort: 8000 140 | selector: 141 | app.kubernetes.io/instance: RELEASE-NAME 142 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 143 | type: ClusterIP 144 | 4: | 145 | apiVersion: v1 146 | data: 147 | github-com-broker-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 148 | kind: Secret 149 | metadata: 150 | name: github-com-broker-token-RELEASE-NAME 151 | type: Opaque 152 | 5: | 153 | apiVersion: v1 154 | data: 155 | snyk-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz 156 | kind: Secret 157 | metadata: 158 | name: snyk-token-RELEASE-NAME 159 | type: Opaque 160 | 6: | 161 | apiVersion: v1 162 | kind: ServiceAccount 163 | metadata: 164 | labels: 165 | app.kubernetes.io/instance: RELEASE-NAME 166 | app.kubernetes.io/managed-by: Helm 167 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 168 | helm.sh/chart: snyk-broker-0.0.0 169 | name: snyk-broker-RELEASE-NAME 170 | namespace: NAMESPACE 171 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/__snapshot__/cra_deployment_disablesuffixes_test.yaml.snap: -------------------------------------------------------------------------------- 1 | default values: 2 | 1: | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | labels: 7 | app.kubernetes.io/instance: RELEASE-NAME 8 | app.kubernetes.io/managed-by: Helm 9 | app.kubernetes.io/name: snyk-broker 10 | helm.sh/chart: snyk-broker-0.0.0 11 | name: container-registry-agent-broker 12 | namespace: NAMESPACE 13 | spec: 14 | replicas: 1 15 | selector: 16 | matchLabels: 17 | app.kubernetes.io/instance: RELEASE-NAME 18 | 
app.kubernetes.io/name: snyk-broker 19 | template: 20 | metadata: 21 | labels: 22 | app.kubernetes.io/instance: RELEASE-NAME 23 | app.kubernetes.io/managed-by: Helm 24 | app.kubernetes.io/name: snyk-broker 25 | helm.sh/chart: snyk-broker-0.0.0 26 | spec: 27 | containers: 28 | - env: 29 | - name: BROKER_SERVER_URL 30 | value: https://broker.test.snyk.io 31 | - name: BROKER_HEALTHCHECK_PATH 32 | value: /healthcheck 33 | - name: BROKER_SYSTEMCHECK_PATH 34 | value: /systemcheck 35 | - name: BROKER_TOKEN 36 | valueFrom: 37 | secretKeyRef: 38 | key: container-registry-agent-broker-token-key 39 | name: container-registry-agent-broker-token 40 | - name: CR_AGENT_URL 41 | value: http://cra-service:8081 42 | - name: CR_TYPE 43 | value: ecr 44 | - name: CR_ROLE_ARN 45 | value: arn:aws-us-gov:iam::123456789012:role 46 | - name: CR_REGION 47 | value: eu-west 48 | - name: CR_EXTERNAL_ID 49 | value: 11111111-1111-1111-1111-111111111111 50 | - name: PORT 51 | value: "8000" 52 | - name: BROKER_CLIENT_URL 53 | value: http://container-registry-agent-broker-service:8000 54 | - name: BROKER_CLIENT_VALIDATION_URL 55 | value: http://cra-service:8081/healthcheck 56 | - name: LOG_LEVEL 57 | value: info 58 | - name: LOG_ENABLE_BODY 59 | value: "false" 60 | - name: BROKER_DISPATCHER_BASE_URL 61 | value: https://api.test.snyk.io 62 | image: snyk/broker:container-registry-agent 63 | imagePullPolicy: Always 64 | livenessProbe: 65 | failureThreshold: 3 66 | httpGet: 67 | path: /healthcheck 68 | port: 8000 69 | scheme: HTTP 70 | initialDelaySeconds: 3 71 | periodSeconds: 10 72 | timeoutSeconds: 1 73 | name: container-registry-agent-broker 74 | ports: 75 | - containerPort: 8000 76 | name: http 77 | readinessProbe: 78 | failureThreshold: 3 79 | httpGet: 80 | path: /healthcheck 81 | port: 8000 82 | scheme: HTTP 83 | initialDelaySeconds: 3 84 | periodSeconds: 10 85 | timeoutSeconds: 1 86 | resources: 87 | limits: 88 | cpu: 1 89 | memory: 256Mi 90 | requests: 91 | cpu: 1 92 | memory: 256Mi 93 | 
securityContext: 94 | allowPrivilegeEscalation: false 95 | capabilities: 96 | drop: 97 | - ALL 98 | readOnlyRootFilesystem: true 99 | runAsNonRoot: true 100 | runAsUser: 1000 101 | volumeMounts: null 102 | securityContext: {} 103 | serviceAccountName: snyk-broker 104 | volumes: null 105 | 2: | 106 | apiVersion: apps/v1 107 | kind: Deployment 108 | metadata: 109 | labels: 110 | app.kubernetes.io/instance: RELEASE-NAME 111 | app.kubernetes.io/name: RELEASE-NAME-cr 112 | name: container-registry-agent-cra 113 | namespace: NAMESPACE 114 | spec: 115 | replicas: 1 116 | selector: 117 | matchLabels: 118 | app.kubernetes.io/instance: RELEASE-NAME 119 | app.kubernetes.io/name: RELEASE-NAME-cr 120 | template: 121 | metadata: 122 | labels: 123 | app.kubernetes.io/instance: RELEASE-NAME 124 | app.kubernetes.io/name: RELEASE-NAME-cr 125 | spec: 126 | containers: 127 | - env: 128 | - name: SNYK_PORT 129 | value: "8081" 130 | image: snyk/container-registry-agent:latest 131 | imagePullPolicy: Always 132 | name: container-registry-agent 133 | ports: 134 | - containerPort: 8081 135 | name: http 136 | resources: 137 | limits: 138 | cpu: 1 139 | memory: 2Gi 140 | requests: 141 | cpu: 1 142 | memory: 2Gi 143 | securityContext: 144 | allowPrivilegeEscalation: false 145 | capabilities: 146 | drop: 147 | - ALL 148 | readOnlyRootFilesystem: false 149 | runAsNonRoot: true 150 | runAsUser: 1000 151 | securityContext: {} 152 | serviceAccountName: snyk-broker 153 | 3: | 154 | apiVersion: v1 155 | kind: Service 156 | metadata: 157 | labels: 158 | app.kubernetes.io/instance: RELEASE-NAME 159 | app.kubernetes.io/managed-by: Helm 160 | app.kubernetes.io/name: snyk-broker 161 | helm.sh/chart: snyk-broker-0.0.0 162 | name: cra-service 163 | namespace: NAMESPACE 164 | spec: 165 | ports: 166 | - port: 8081 167 | targetPort: 8081 168 | selector: 169 | app.kubernetes.io/instance: RELEASE-NAME 170 | app.kubernetes.io/name: RELEASE-NAME-cr 171 | type: ClusterIP 172 | 
-------------------------------------------------------------------------------- /charts/snyk-broker/tests/__snapshot__/cra_deployment_test.yaml.snap: -------------------------------------------------------------------------------- 1 | default values: 2 | 1: | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | labels: 7 | app.kubernetes.io/instance: RELEASE-NAME 8 | app.kubernetes.io/managed-by: Helm 9 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 10 | helm.sh/chart: snyk-broker-0.0.0 11 | name: container-registry-agent-broker-RELEASE-NAME 12 | namespace: NAMESPACE 13 | spec: 14 | replicas: 1 15 | selector: 16 | matchLabels: 17 | app.kubernetes.io/instance: RELEASE-NAME 18 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 19 | template: 20 | metadata: 21 | labels: 22 | app.kubernetes.io/instance: RELEASE-NAME 23 | app.kubernetes.io/managed-by: Helm 24 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 25 | helm.sh/chart: snyk-broker-0.0.0 26 | spec: 27 | containers: 28 | - env: 29 | - name: BROKER_SERVER_URL 30 | value: https://broker.test.snyk.io 31 | - name: BROKER_HEALTHCHECK_PATH 32 | value: /healthcheck 33 | - name: BROKER_SYSTEMCHECK_PATH 34 | value: /systemcheck 35 | - name: BROKER_TOKEN 36 | valueFrom: 37 | secretKeyRef: 38 | key: container-registry-agent-broker-token-key 39 | name: container-registry-agent-broker-token-RELEASE-NAME 40 | - name: CR_AGENT_URL 41 | value: http://cra-service-RELEASE-NAME:8081 42 | - name: CR_TYPE 43 | value: ecr 44 | - name: CR_ROLE_ARN 45 | value: arn:aws-us-gov:iam::123456789012:role 46 | - name: CR_REGION 47 | value: eu-west 48 | - name: CR_EXTERNAL_ID 49 | value: 11111111-1111-1111-1111-111111111111 50 | - name: PORT 51 | value: "8000" 52 | - name: BROKER_CLIENT_URL 53 | value: http://container-registry-agent-broker-service-RELEASE-NAME:8000 54 | - name: BROKER_CLIENT_VALIDATION_URL 55 | value: http://cra-service-RELEASE-NAME:8081/healthcheck 56 | - name: LOG_LEVEL 57 | value: info 58 | - name: 
LOG_ENABLE_BODY 59 | value: "false" 60 | - name: BROKER_DISPATCHER_BASE_URL 61 | value: https://api.test.snyk.io 62 | image: snyk/broker:container-registry-agent 63 | imagePullPolicy: Always 64 | livenessProbe: 65 | failureThreshold: 3 66 | httpGet: 67 | path: /healthcheck 68 | port: 8000 69 | scheme: HTTP 70 | initialDelaySeconds: 3 71 | periodSeconds: 10 72 | timeoutSeconds: 1 73 | name: container-registry-agent-broker-RELEASE-NAME 74 | ports: 75 | - containerPort: 8000 76 | name: http 77 | readinessProbe: 78 | failureThreshold: 3 79 | httpGet: 80 | path: /healthcheck 81 | port: 8000 82 | scheme: HTTP 83 | initialDelaySeconds: 3 84 | periodSeconds: 10 85 | timeoutSeconds: 1 86 | resources: 87 | limits: 88 | cpu: 1 89 | memory: 256Mi 90 | requests: 91 | cpu: 1 92 | memory: 256Mi 93 | securityContext: 94 | allowPrivilegeEscalation: false 95 | capabilities: 96 | drop: 97 | - ALL 98 | readOnlyRootFilesystem: true 99 | runAsNonRoot: true 100 | runAsUser: 1000 101 | volumeMounts: null 102 | securityContext: {} 103 | serviceAccountName: snyk-broker-RELEASE-NAME 104 | volumes: null 105 | 2: | 106 | apiVersion: apps/v1 107 | kind: Deployment 108 | metadata: 109 | labels: 110 | app.kubernetes.io/instance: RELEASE-NAME 111 | app.kubernetes.io/name: RELEASE-NAME-cr-RELEASE-NAME 112 | name: container-registry-agent-cra-RELEASE-NAME 113 | namespace: NAMESPACE 114 | spec: 115 | replicas: 1 116 | selector: 117 | matchLabels: 118 | app.kubernetes.io/instance: RELEASE-NAME 119 | app.kubernetes.io/name: RELEASE-NAME-cr-RELEASE-NAME 120 | template: 121 | metadata: 122 | labels: 123 | app.kubernetes.io/instance: RELEASE-NAME 124 | app.kubernetes.io/name: RELEASE-NAME-cr-RELEASE-NAME 125 | spec: 126 | containers: 127 | - env: 128 | - name: SNYK_PORT 129 | value: "8081" 130 | image: snyk/container-registry-agent:latest 131 | imagePullPolicy: Always 132 | name: container-registry-agent-RELEASE-NAME 133 | ports: 134 | - containerPort: 8081 135 | name: http 136 | resources: 137 | limits: 
138 | cpu: 1 139 | memory: 2Gi 140 | requests: 141 | cpu: 1 142 | memory: 2Gi 143 | securityContext: 144 | allowPrivilegeEscalation: false 145 | capabilities: 146 | drop: 147 | - ALL 148 | readOnlyRootFilesystem: false 149 | runAsNonRoot: true 150 | runAsUser: 1000 151 | securityContext: {} 152 | serviceAccountName: snyk-broker-RELEASE-NAME 153 | 3: | 154 | apiVersion: v1 155 | kind: Service 156 | metadata: 157 | labels: 158 | app.kubernetes.io/instance: RELEASE-NAME 159 | app.kubernetes.io/managed-by: Helm 160 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 161 | helm.sh/chart: snyk-broker-0.0.0 162 | name: cra-service-RELEASE-NAME 163 | namespace: NAMESPACE 164 | spec: 165 | ports: 166 | - port: 8081 167 | targetPort: 8081 168 | selector: 169 | app.kubernetes.io/instance: RELEASE-NAME 170 | app.kubernetes.io/name: RELEASE-NAME-cr-RELEASE-NAME 171 | type: ClusterIP 172 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/__snapshot__/cra_deployment_digitalocean_test.yaml.snap: -------------------------------------------------------------------------------- 1 | default values: 2 | 1: | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | labels: 7 | app.kubernetes.io/instance: RELEASE-NAME 8 | app.kubernetes.io/managed-by: Helm 9 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 10 | helm.sh/chart: snyk-broker-0.0.0 11 | name: container-registry-agent-broker-RELEASE-NAME 12 | namespace: NAMESPACE 13 | spec: 14 | replicas: 1 15 | selector: 16 | matchLabels: 17 | app.kubernetes.io/instance: RELEASE-NAME 18 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 19 | template: 20 | metadata: 21 | labels: 22 | app.kubernetes.io/instance: RELEASE-NAME 23 | app.kubernetes.io/managed-by: Helm 24 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 25 | helm.sh/chart: snyk-broker-0.0.0 26 | spec: 27 | containers: 28 | - env: 29 | - name: BROKER_SERVER_URL 30 | value: https://broker.test.snyk.io 31 | - name: 
BROKER_HEALTHCHECK_PATH 32 | value: /healthcheck 33 | - name: BROKER_SYSTEMCHECK_PATH 34 | value: /systemcheck 35 | - name: BROKER_TOKEN 36 | valueFrom: 37 | secretKeyRef: 38 | key: container-registry-agent-broker-token-key 39 | name: container-registry-agent-broker-token-RELEASE-NAME 40 | - name: CR_AGENT_URL 41 | value: http://cra-service-RELEASE-NAME:8081 42 | - name: CR_TYPE 43 | value: digitalocean-cr 44 | - name: CR_BASE 45 | value: digitaloceanbase 46 | - name: CR_TOKEN 47 | valueFrom: 48 | secretKeyRef: 49 | key: container-registry-agent-token-key 50 | name: container-registry-agent-token-RELEASE-NAME 51 | - name: PORT 52 | value: "8000" 53 | - name: BROKER_CLIENT_URL 54 | value: http://container-registry-agent-broker-service-RELEASE-NAME:8000 55 | - name: BROKER_CLIENT_VALIDATION_URL 56 | value: http://cra-service-RELEASE-NAME:8081/healthcheck 57 | - name: LOG_LEVEL 58 | value: info 59 | - name: LOG_ENABLE_BODY 60 | value: "false" 61 | - name: BROKER_DISPATCHER_BASE_URL 62 | value: https://api.test.snyk.io 63 | image: snyk/broker:container-registry-agent 64 | imagePullPolicy: Always 65 | livenessProbe: 66 | failureThreshold: 3 67 | httpGet: 68 | path: /healthcheck 69 | port: 8000 70 | scheme: HTTP 71 | initialDelaySeconds: 3 72 | periodSeconds: 10 73 | timeoutSeconds: 1 74 | name: container-registry-agent-broker-RELEASE-NAME 75 | ports: 76 | - containerPort: 8000 77 | name: http 78 | readinessProbe: 79 | failureThreshold: 3 80 | httpGet: 81 | path: /healthcheck 82 | port: 8000 83 | scheme: HTTP 84 | initialDelaySeconds: 3 85 | periodSeconds: 10 86 | timeoutSeconds: 1 87 | resources: 88 | limits: 89 | cpu: 1 90 | memory: 256Mi 91 | requests: 92 | cpu: 1 93 | memory: 256Mi 94 | securityContext: 95 | allowPrivilegeEscalation: false 96 | capabilities: 97 | drop: 98 | - ALL 99 | readOnlyRootFilesystem: true 100 | runAsNonRoot: true 101 | runAsUser: 1000 102 | volumeMounts: null 103 | securityContext: {} 104 | serviceAccountName: snyk-broker-RELEASE-NAME 105 | 
volumes: null 106 | 2: | 107 | apiVersion: apps/v1 108 | kind: Deployment 109 | metadata: 110 | labels: 111 | app.kubernetes.io/instance: RELEASE-NAME 112 | app.kubernetes.io/name: RELEASE-NAME-cr-RELEASE-NAME 113 | name: container-registry-agent-cra-RELEASE-NAME 114 | namespace: NAMESPACE 115 | spec: 116 | replicas: 1 117 | selector: 118 | matchLabels: 119 | app.kubernetes.io/instance: RELEASE-NAME 120 | app.kubernetes.io/name: RELEASE-NAME-cr-RELEASE-NAME 121 | template: 122 | metadata: 123 | labels: 124 | app.kubernetes.io/instance: RELEASE-NAME 125 | app.kubernetes.io/name: RELEASE-NAME-cr-RELEASE-NAME 126 | spec: 127 | containers: 128 | - env: 129 | - name: SNYK_PORT 130 | value: "8081" 131 | image: snyk/container-registry-agent:latest 132 | imagePullPolicy: Always 133 | name: container-registry-agent-RELEASE-NAME 134 | ports: 135 | - containerPort: 8081 136 | name: http 137 | resources: 138 | limits: 139 | cpu: 1 140 | memory: 2Gi 141 | requests: 142 | cpu: 1 143 | memory: 2Gi 144 | securityContext: 145 | allowPrivilegeEscalation: false 146 | capabilities: 147 | drop: 148 | - ALL 149 | readOnlyRootFilesystem: false 150 | runAsNonRoot: true 151 | runAsUser: 1000 152 | securityContext: {} 153 | serviceAccountName: snyk-broker-RELEASE-NAME 154 | 3: | 155 | apiVersion: v1 156 | kind: Service 157 | metadata: 158 | labels: 159 | app.kubernetes.io/instance: RELEASE-NAME 160 | app.kubernetes.io/managed-by: Helm 161 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 162 | helm.sh/chart: snyk-broker-0.0.0 163 | name: cra-service-RELEASE-NAME 164 | namespace: NAMESPACE 165 | spec: 166 | ports: 167 | - port: 8081 168 | targetPort: 8081 169 | selector: 170 | app.kubernetes.io/instance: RELEASE-NAME 171 | app.kubernetes.io/name: RELEASE-NAME-cr-RELEASE-NAME 172 | type: ClusterIP 173 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/__snapshot__/cra_deployment_harbor_test.yaml.snap: 
-------------------------------------------------------------------------------- 1 | default values: 2 | 1: | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | labels: 7 | app.kubernetes.io/instance: RELEASE-NAME 8 | app.kubernetes.io/managed-by: Helm 9 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 10 | helm.sh/chart: snyk-broker-0.0.0 11 | name: container-registry-agent-broker-RELEASE-NAME 12 | namespace: NAMESPACE 13 | spec: 14 | replicas: 1 15 | selector: 16 | matchLabels: 17 | app.kubernetes.io/instance: RELEASE-NAME 18 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 19 | template: 20 | metadata: 21 | labels: 22 | app.kubernetes.io/instance: RELEASE-NAME 23 | app.kubernetes.io/managed-by: Helm 24 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 25 | helm.sh/chart: snyk-broker-0.0.0 26 | spec: 27 | containers: 28 | - env: 29 | - name: BROKER_SERVER_URL 30 | value: https://broker.test.snyk.io 31 | - name: BROKER_HEALTHCHECK_PATH 32 | value: /healthcheck 33 | - name: BROKER_SYSTEMCHECK_PATH 34 | value: /systemcheck 35 | - name: BROKER_TOKEN 36 | valueFrom: 37 | secretKeyRef: 38 | key: container-registry-agent-broker-token-key 39 | name: container-registry-agent-broker-token-RELEASE-NAME 40 | - name: CR_AGENT_URL 41 | value: http://cra-service-RELEASE-NAME:8081 42 | - name: CR_TYPE 43 | value: harbor-cr 44 | - name: CR_BASE 45 | value: crBaseValue 46 | - name: CR_USERNAME 47 | value: myusername 48 | - name: CR_PASSWORD 49 | valueFrom: 50 | secretKeyRef: 51 | key: container-registry-agent-token-key 52 | name: container-registry-agent-token-RELEASE-NAME 53 | - name: PORT 54 | value: "8000" 55 | - name: BROKER_CLIENT_URL 56 | value: http://container-registry-agent-broker-service-RELEASE-NAME:8000 57 | - name: BROKER_CLIENT_VALIDATION_URL 58 | value: http://cra-service-RELEASE-NAME:8081/healthcheck 59 | - name: LOG_LEVEL 60 | value: info 61 | - name: LOG_ENABLE_BODY 62 | value: "false" 63 | - name: BROKER_DISPATCHER_BASE_URL 64 | value: 
https://api.test.snyk.io 65 | image: snyk/broker:container-registry-agent 66 | imagePullPolicy: Always 67 | livenessProbe: 68 | failureThreshold: 3 69 | httpGet: 70 | path: /healthcheck 71 | port: 8000 72 | scheme: HTTP 73 | initialDelaySeconds: 3 74 | periodSeconds: 10 75 | timeoutSeconds: 1 76 | name: container-registry-agent-broker-RELEASE-NAME 77 | ports: 78 | - containerPort: 8000 79 | name: http 80 | readinessProbe: 81 | failureThreshold: 3 82 | httpGet: 83 | path: /healthcheck 84 | port: 8000 85 | scheme: HTTP 86 | initialDelaySeconds: 3 87 | periodSeconds: 10 88 | timeoutSeconds: 1 89 | resources: 90 | limits: 91 | cpu: 1 92 | memory: 256Mi 93 | requests: 94 | cpu: 1 95 | memory: 256Mi 96 | securityContext: 97 | allowPrivilegeEscalation: false 98 | capabilities: 99 | drop: 100 | - ALL 101 | readOnlyRootFilesystem: true 102 | runAsNonRoot: true 103 | runAsUser: 1000 104 | volumeMounts: null 105 | securityContext: {} 106 | serviceAccountName: snyk-broker-RELEASE-NAME 107 | volumes: null 108 | 2: | 109 | apiVersion: apps/v1 110 | kind: Deployment 111 | metadata: 112 | labels: 113 | app.kubernetes.io/instance: RELEASE-NAME 114 | app.kubernetes.io/name: RELEASE-NAME-cr-RELEASE-NAME 115 | name: container-registry-agent-cra-RELEASE-NAME 116 | namespace: NAMESPACE 117 | spec: 118 | replicas: 1 119 | selector: 120 | matchLabels: 121 | app.kubernetes.io/instance: RELEASE-NAME 122 | app.kubernetes.io/name: RELEASE-NAME-cr-RELEASE-NAME 123 | template: 124 | metadata: 125 | labels: 126 | app.kubernetes.io/instance: RELEASE-NAME 127 | app.kubernetes.io/name: RELEASE-NAME-cr-RELEASE-NAME 128 | spec: 129 | containers: 130 | - env: 131 | - name: SNYK_PORT 132 | value: "8081" 133 | image: snyk/container-registry-agent:latest 134 | imagePullPolicy: Always 135 | name: container-registry-agent-RELEASE-NAME 136 | ports: 137 | - containerPort: 8081 138 | name: http 139 | resources: 140 | limits: 141 | cpu: 1 142 | memory: 2Gi 143 | requests: 144 | cpu: 1 145 | memory: 2Gi 146 | 
securityContext: 147 | allowPrivilegeEscalation: false 148 | capabilities: 149 | drop: 150 | - ALL 151 | readOnlyRootFilesystem: false 152 | runAsNonRoot: true 153 | runAsUser: 1000 154 | securityContext: {} 155 | serviceAccountName: snyk-broker-RELEASE-NAME 156 | 3: | 157 | apiVersion: v1 158 | kind: Service 159 | metadata: 160 | labels: 161 | app.kubernetes.io/instance: RELEASE-NAME 162 | app.kubernetes.io/managed-by: Helm 163 | app.kubernetes.io/name: snyk-broker-RELEASE-NAME 164 | helm.sh/chart: snyk-broker-0.0.0 165 | name: cra-service-RELEASE-NAME 166 | namespace: NAMESPACE 167 | spec: 168 | ports: 169 | - port: 8081 170 | targetPort: 8081 171 | selector: 172 | app.kubernetes.io/instance: RELEASE-NAME 173 | app.kubernetes.io/name: RELEASE-NAME-cr-RELEASE-NAME 174 | type: ClusterIP 175 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_nexus_test.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json 2 | suite: broker deployment (nexus) 3 | chart: 4 | version: 0.0.0 5 | values: 6 | - ./fixtures/default_values.yaml 7 | templates: 8 | - secrets.yaml 9 | - broker_deployment.yaml 10 | set: 11 | scmType: nexus 12 | 13 | tests: 14 | - it: should create secrets if brokerClientValidationUrl, baseNexusUrl and nexusUrl are defined 15 | template: secrets.yaml 16 | set: 17 | baseNexusUrl: https://username:password@your-domain.com 18 | nexusUrl: https://username:password@your-domain.com/repository 19 | brokerClientValidationUrl: https://username:password@your-domain.com/service/rest/v1/status/check 20 | disableSuffixes: true 21 | 22 | asserts: 23 | 24 | - isKind: 25 | of: Secret 26 | documentSelector: 27 | path: metadata.name 28 | value: nexus-broker-client-validation-url 29 | - equal: 30 | path: data.nexus-broker-client-validation-url 31 
| value: aHR0cHM6Ly91c2VybmFtZTpwYXNzd29yZEB5b3VyLWRvbWFpbi5jb20vc2VydmljZS9yZXN0L3YxL3N0YXR1cy9jaGVjaw== 32 | documentSelector: 33 | path: metadata.name 34 | value: nexus-broker-client-validation-url 35 | 36 | - isKind: 37 | of: Secret 38 | documentSelector: 39 | path: metadata.name 40 | value: nexus-nexus-url 41 | - equal: 42 | path: data.nexus-nexus-url 43 | value: aHR0cHM6Ly91c2VybmFtZTpwYXNzd29yZEB5b3VyLWRvbWFpbi5jb20vcmVwb3NpdG9yeQ== 44 | documentSelector: 45 | path: metadata.name 46 | value: nexus-nexus-url 47 | 48 | - isKind: 49 | of: Secret 50 | documentSelector: 51 | path: metadata.name 52 | value: nexus-base-nexus-url 53 | - equal: 54 | path: data.nexus-base-nexus-url 55 | value: aHR0cHM6Ly91c2VybmFtZTpwYXNzd29yZEB5b3VyLWRvbWFpbi5jb20= 56 | documentSelector: 57 | path: metadata.name 58 | value: nexus-base-nexus-url 59 | 60 | 61 | - it: should create secrets if brokerClientValidationUrl and nexusUrl are defined 62 | template: secrets.yaml 63 | 64 | set: 65 | nexusUrl: https://username:password@your-domain.com/repository 66 | brokerClientValidationUrl: https://username:password@your-domain.com/service/rest/v1/status/check 67 | disableSuffixes: true 68 | 69 | asserts: 70 | 71 | - isKind: 72 | of: Secret 73 | documentSelector: 74 | path: metadata.name 75 | value: nexus-broker-client-validation-url 76 | - equal: 77 | path: data.nexus-broker-client-validation-url 78 | value: aHR0cHM6Ly91c2VybmFtZTpwYXNzd29yZEB5b3VyLWRvbWFpbi5jb20vc2VydmljZS9yZXN0L3YxL3N0YXR1cy9jaGVjaw== 79 | documentSelector: 80 | path: metadata.name 81 | value: nexus-broker-client-validation-url 82 | 83 | - isKind: 84 | of: Secret 85 | documentSelector: 86 | path: metadata.name 87 | value: nexus-nexus-url 88 | - equal: 89 | path: data.nexus-nexus-url 90 | value: aHR0cHM6Ly91c2VybmFtZTpwYXNzd29yZEB5b3VyLWRvbWFpbi5jb20vcmVwb3NpdG9yeQ== 91 | documentSelector: 92 | path: metadata.name 93 | value: nexus-nexus-url 94 | 95 | - containsDocument: 96 | kind: Secret 97 | apiVersion: v1 98 | name: 
nexus-nexus-base-url 99 | not: true 100 | 101 | - it: should create secrets if brokerClientValidationUrl and baseNexusUrl are defined 102 | template: secrets.yaml 103 | 104 | set: 105 | baseNexusUrl: https://username:password@your-domain.com 106 | brokerClientValidationUrl: https://username:password@your-domain.com/service/rest/v1/status/check 107 | disableSuffixes: true 108 | 109 | asserts: 110 | 111 | - isKind: 112 | of: Secret 113 | documentSelector: 114 | path: metadata.name 115 | value: nexus-broker-client-validation-url 116 | - equal: 117 | path: data.nexus-broker-client-validation-url 118 | value: aHR0cHM6Ly91c2VybmFtZTpwYXNzd29yZEB5b3VyLWRvbWFpbi5jb20vc2VydmljZS9yZXN0L3YxL3N0YXR1cy9jaGVjaw== 119 | documentSelector: 120 | path: metadata.name 121 | value: nexus-broker-client-validation-url 122 | 123 | - isKind: 124 | of: Secret 125 | documentSelector: 126 | path: metadata.name 127 | value: nexus-base-nexus-url 128 | - equal: 129 | path: data.nexus-base-nexus-url 130 | value: aHR0cHM6Ly91c2VybmFtZTpwYXNzd29yZEB5b3VyLWRvbWFpbi5jb20= 131 | documentSelector: 132 | path: metadata.name 133 | value: nexus-base-nexus-url 134 | 135 | - containsDocument: 136 | kind: Secret 137 | apiVersion: v1 138 | name: nexus-nexus-url 139 | not: true 140 | 141 | - it: should not create secret for brokerClientValidationUrl if value is empty 142 | template: secrets.yaml 143 | 144 | set: 145 | nexusUrl: https://username:password@your-domain.com/repository 146 | baseNexusUrl: https://username:password@your-domain.com 147 | disableSuffixes: true 148 | 149 | asserts: 150 | - containsDocument: 151 | kind: Secret 152 | apiVersion: v1 153 | name: nexus-broker-client-validation-url 154 | not: true 155 | 156 | - it: references secrets in deployment 157 | release: 158 | name: unittest 159 | template: broker_deployment.yaml 160 | set: 161 | baseNexusUrl: https://username:password@your-domain.com 162 | nexusUrl: https://username:password@your-domain.com/repository 163 | brokerClientValidationUrl: 
https://username:password@your-domain.com/service/rest/v1/status/check 164 | 165 | asserts: 166 | - contains: 167 | path: spec.template.spec.containers[0].env 168 | content: 169 | name: BASE_NEXUS_URL 170 | valueFrom: 171 | secretKeyRef: 172 | name: nexus-base-nexus-url-unittest 173 | key: "nexus-base-nexus-url" 174 | - contains: 175 | path: spec.template.spec.containers[0].env 176 | content: 177 | name: NEXUS_URL 178 | valueFrom: 179 | secretKeyRef: 180 | name: nexus-nexus-url-unittest 181 | key: "nexus-nexus-url" 182 | - contains: 183 | path: spec.template.spec.containers[0].env 184 | content: 185 | name: BROKER_CLIENT_VALIDATION_URL 186 | valueFrom: 187 | secretKeyRef: 188 | name: nexus-broker-client-validation-url-unittest 189 | key: "nexus-broker-client-validation-url" 190 | -------------------------------------------------------------------------------- /charts/snyk-broker/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "snyk-broker.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "snyk-broker.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 
28 | */}} 29 | {{- define "snyk-broker.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "snyk-broker.labels" -}} 37 | {{- $commonLabels := dict "helm.sh/chart" (include "snyk-broker.chart" .) }} 38 | {{- $commonLabels = merge $commonLabels (include "snyk-broker.selectorLabels" . | fromYaml) }} 39 | {{- if .Chart.AppVersion }} 40 | {{- $commonLabels = merge $commonLabels (dict "app.kubernetes.io/version" (quote .Chart.AppVersion)) }} 41 | {{- end }} 42 | {{- $commonLabels = merge $commonLabels (dict "app.kubernetes.io/managed-by" .Release.Service) }} 43 | {{- with .Values.labels }} 44 | {{- $commonLabels = merge $commonLabels . }} 45 | {{- end }} 46 | {{- toYaml $commonLabels | nindent 4 }} 47 | {{- end }} 48 | 49 | {{/* 50 | Selector labels 51 | */}} 52 | {{- define "snyk-broker.selectorLabels" -}} 53 | app.kubernetes.io/name: {{ include "snyk-broker.name" . }}{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} 54 | app.kubernetes.io/instance: {{ .Release.Name }} 55 | {{- end }} 56 | 57 | {{/* 58 | Pod labels (merge normal labels and selectors) 59 | */}} 60 | {{- define "snyk-broker.podLabels" -}} 61 | {{- merge (include "snyk-broker.labels" . | fromYaml ) (include "snyk-broker.selectorLabels" . | fromYaml) | toYaml -}} 62 | {{- end }} 63 | 64 | {{/* 65 | Create the name of the service account to use 66 | */}} 67 | {{- define "snyk-broker.serviceAccountName" -}} 68 | {{- if .Values.serviceAccount.create }} 69 | {{- default (include "snyk-broker.fullname" .) 
.Values.serviceAccount.name }} 70 | {{- else }} 71 | {{- default "default" .Values.serviceAccount.name }} 72 | {{- end }} 73 | {{- end }} 74 | 75 | {{/* 76 | Content of accept.json configuration file (either provided as literal value) 77 | */}} 78 | {{- define "snyk-broker.acceptJson" -}} 79 | {{- with .Values.acceptJson}}{{.}}{{end}} 80 | {{- end}} 81 | 82 | {{/* 83 | Return the appropriate apiVersion for ingress. 84 | */}} 85 | {{- define "snyk-broker.ingress.apiVersion" -}} 86 | {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) -}} 87 | {{- print "networking.k8s.io/v1" -}} 88 | {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} 89 | {{- print "networking.k8s.io/v1beta1" -}} 90 | {{- else -}} 91 | {{- print "extensions/v1beta1" -}} 92 | {{- end -}} 93 | {{- end -}} 94 | 95 | {{/* 96 | Return if ingress is stable. 97 | */}} 98 | {{- define "snyk-broker.ingress.isStable" -}} 99 | {{- eq (include "snyk-broker.ingress.apiVersion" .) "networking.k8s.io/v1" -}} 100 | {{- end -}} 101 | {{/* 102 | Return if ingress supports ingressClassName. 103 | */}} 104 | {{- define "snyk-broker.ingress.supportsIngressClassName" -}} 105 | {{- or (eq (include "snyk-broker.ingress.isStable" .) "true") (and (eq (include "snyk-broker.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}} 106 | {{- end -}} 107 | {{/* 108 | Return if ingress supports pathType. 109 | */}} 110 | {{- define "snyk-broker.ingress.supportsPathType" -}} 111 | {{- or (eq (include "snyk-broker.ingress.isStable" .) "true") (and (eq (include "snyk-broker.ingress.apiVersion" .) 
"networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}} 112 | {{- end -}} 113 | 114 | {{/* 115 | Create the name of the broker service to use 116 | */}} 117 | {{- define "snyk-broker.brokerServiceName" -}} 118 | {{- if not .Values.disableSuffixes -}} 119 | {{- $service := "-broker-service-" -}} 120 | {{- $serviceLength := len $service -}} 121 | {{- $releaseNameLength := len .Release.Name -}} 122 | {{- $truncatedLength := int (sub 63 (add $serviceLength $releaseNameLength)) -}} 123 | {{- .Values.scmType | trunc $truncatedLength }}{{ $service }}{{ .Release.Name }} 124 | {{- else }} 125 | {{- .Values.scmType | trunc 47 }}-broker-service 126 | {{- end -}} 127 | {{- end -}} 128 | 129 | {{/* 130 | Create a secret name. 131 | Pass a dict of Context ($) and secretName: 132 | include "snyk-broker.genericSecretName" (dict "Context" $ "secretName" "secret-name") 133 | */}} 134 | {{- define "snyk-broker.genericSecretName" -}} 135 | {{- if not .Context.Values.disableSuffixes -}} 136 | {{ printf "%s-%s" ( include "snyk-broker.fullname" .Context ) .secretName }} 137 | {{- else -}} 138 | {{- printf "snyk-broker-%s" .secretName }} 139 | {{- end -}} 140 | {{- end -}} 141 | 142 | {{- define "snyk-broker.tlsSecretName" -}} 143 | {{- .Values.httpsSecret.name | default ( include "snyk-broker.genericSecretName" (dict "Context" . "secretName" "tls-secret" ) ) -}} 144 | {{- end }} 145 | 146 | {{- define "snyk-broker.caCertSecretName" -}} 147 | {{- .Values.caCertFileSecret.name | default ( include "snyk-broker.genericSecretName" (dict "Context" . "secretName" "cacert-secret" ) ) -}} 148 | {{- end }} 149 | 150 | {{/* 151 | Handle tlsRejectUnauthorized. 152 | If this is set to `false` (bool) we _want_ to disable trust. We don't allow `true`. 153 | If this is set to "" we want to enable trust - any other allowed string value disables. 154 | If this is set to `"0"` Helm might cast it as an integer - we need to catch that. 
155 | Checking for definition is insufficient 156 | */}} 157 | {{- define "snyk-broker.setTlsRejectUnauthorized" -}} 158 | {{- $tlsRejectUnauthorized := .Values.tlsRejectUnauthorized -}} 159 | {{- if eq (kindOf $tlsRejectUnauthorized ) "bool" -}} 160 | true 161 | {{- end }} 162 | {{- if ( and ( eq (kindOf $tlsRejectUnauthorized ) "string") ( not ( eq $tlsRejectUnauthorized "" ) ) ) -}} 163 | true 164 | {{- end }} 165 | {{- if eq (toString $tlsRejectUnauthorized) "0" -}} 166 | true 167 | {{- end }} 168 | {{- end }} 169 | 170 | {{/* 171 | NoProxy helper 172 | Ensure all values are trimmed, separated by comma, and do not contain protocol or port 173 | Validate against RFC 1123 174 | */}} 175 | {{- define "snyk-broker.noProxy" -}} 176 | {{- $proxyUrls := .Values.noProxy | nospace -}} 177 | {{- $proxyUrlsWithoutProtocol := mustRegexReplaceAll "http(s?)://" $proxyUrls "" -}} 178 | {{- $sanitisedProxyUrls := "" -}} 179 | {{- range $proxyUrlsWithoutProtocol | split "," -}} 180 | {{- if ( mustRegexMatch "^[a-zA-Z0-9.-]+$" . ) -}} 181 | {{- $sanitisedProxyUrls = printf "%s,%s" $sanitisedProxyUrls . -}} 182 | {{- else }} 183 | {{- fail (printf "Entry %s for .Values.noProxy is invalid. Specify hostname only (no schema or port)" . ) -}} 184 | {{- end }} 185 | {{- end }} 186 | {{- $sanitisedProxyUrls | trimPrefix "," -}} 187 | {{- end }} 188 | 189 | {{/* 190 | Values are taken from .Values.securityContext. 191 | When .Values.openshift is true, the runAsUser field is omitted. 192 | */}} 193 | {{- define "snyk-broker.securityContext" -}} 194 | {{- $root := . 
-}} 195 | {{- $csc := $root.Values.securityContext | default dict -}} 196 | {{- $sc := ternary (omit $csc "runAsUser" "runAsGroup") $csc $root.Values.openshift -}} 197 | {{ toYaml $sc | nindent 2 }} 198 | {{- end }} 199 | -------------------------------------------------------------------------------- /charts/snyk-broker/templates/broker_deployment.yaml: -------------------------------------------------------------------------------- 1 | {{ $setTlsRejectUnauthorized := include "snyk-broker.setTlsRejectUnauthorized" . }} 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: "{{ .Values.scmType}}-broker{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}" 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "snyk-broker.labels" . }} 9 | spec: 10 | {{- if .Values.highAvailabilityMode.enabled }} 11 | replicas: {{ .Values.replicaCount }} 12 | {{ else }} 13 | replicas: 1 14 | {{- end }} 15 | selector: 16 | matchLabels: 17 | {{- include "snyk-broker.selectorLabels" . | nindent 6 }} 18 | template: 19 | metadata: 20 | {{- with .Values.podAnnotations }} 21 | annotations: 22 | {{- toYaml . | nindent 8 }} 23 | {{- end }} 24 | labels: 25 | {{- include "snyk-broker.podLabels" . | nindent 8 }} 26 | spec: 27 | {{- if .Values.extraPodSpecs }} 28 | {{- toYaml .Values.extraPodSpecs | nindent 6 }} 29 | {{- end }} 30 | {{- with .Values.imagePullSecrets }} 31 | imagePullSecrets: 32 | {{- toYaml . | nindent 8 }} 33 | {{- end }} 34 | serviceAccountName: {{ include "snyk-broker.serviceAccountName" . 
}}{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} 35 | securityContext: 36 | {{- toYaml .Values.podSecurityContext | nindent 8 }} 37 | containers: 38 | - name: "{{ .Values.scmType}}-broker{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}" 39 | resources: 40 | limits: 41 | cpu: {{ .Values.brokerResources.limits.cpu }} 42 | memory: {{ .Values.brokerResources.limits.memory }} 43 | requests: 44 | cpu: {{ .Values.brokerResources.requests.cpu }} 45 | memory: {{ .Values.brokerResources.requests.memory}} 46 | securityContext: 47 | {{ include "snyk-broker.securityContext" . | nindent 12 }} 48 | {{- if .Values.image.tag }} 49 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}-{{ .Values.scmType }}" 50 | {{- else }} 51 | image: "{{ .Values.image.repository }}:{{ .Values.scmType }}" 52 | {{- end }} 53 | imagePullPolicy: {{ .Values.image.pullPolicy }} 54 | ports: 55 | - name: http 56 | containerPort: {{ .Values.deployment.container.containerPort }} 57 | {{- if .Values.brokerLivenessProbe.enabled }} 58 | livenessProbe: 59 | httpGet: 60 | port: {{ .Values.deployment.container.containerPort }} 61 | path: {{ .Values.brokerLivenessProbe.path }} 62 | {{- if or ( and (.Values.httpsCert) (.Values.httpsKey) ) ( .Values.enableBrokerLocalWebserverOverHttps ) }} 63 | scheme: HTTPS 64 | {{- else }} 65 | scheme: HTTP 66 | {{- end }} 67 | {{- toYaml .Values.brokerLivenessProbe.config | nindent 12 }} 68 | {{- end }} 69 | {{- if .Values.brokerReadinessProbe.enabled }} 70 | readinessProbe: 71 | httpGet: 72 | port: {{ .Values.deployment.container.containerPort }} 73 | path: {{ .Values.brokerReadinessProbe.path }} 74 | {{- if or ( and (.Values.httpsCert) (.Values.httpsKey) ) ( .Values.enableBrokerLocalWebserverOverHttps ) }} 75 | scheme: HTTPS 76 | {{- else }} 77 | scheme: HTTP 78 | {{- end }} 79 | {{- toYaml .Values.brokerReadinessProbe.config | nindent 12 }} 80 | {{- end }} 81 | {{- if .Values.extraContainerSpecs }} 82 | {{- toYaml 
.Values.extraContainerSpecs | nindent 10 }} 83 | {{- end }} 84 | volumeMounts: 85 | {{- if (include "snyk-broker.acceptJson" .)}} 86 | - name: {{ include "snyk-broker.fullname" . }}-accept-volume 87 | mountPath: /home/node/private 88 | readOnly: true 89 | {{- end }} 90 | {{- if or (.Values.caCert) (.Values.caCertFile) ( .Values.caCertFileSecret.name ) }} 91 | - name: {{ include "snyk-broker.fullname" . }}-cacert-volume 92 | mountPath: /home/node/cacert 93 | readOnly: true 94 | {{- end }} 95 | {{- if or ( and (.Values.httpsCert) (.Values.httpsKey) ) ( .Values.httpsSecret.name ) }} 96 | - name: {{ include "snyk-broker.fullname" . }}-tls-secret-volume 97 | mountPath: /home/node/tls-cert/ 98 | readOnly: true 99 | {{- end }} 100 | {{- if .Values.extraVolumeMounts }} 101 | {{ tpl (toYaml .Values.extraVolumeMounts | indent 14) . }} 102 | {{- end }} 103 | env: 104 | - name: BROKER_SERVER_URL 105 | value: {{ .Values.brokerServerUrl }} 106 | - name: BROKER_HEALTHCHECK_PATH 107 | value: {{ .Values.healthCheckPath }} 108 | - name: BROKER_SYSTEMCHECK_PATH 109 | value: {{ .Values.systemCheckPath }} 110 | {{- include "snyk-broker.apprisk" . | indent 12 }} 111 | {{- include "snyk-broker.githubCom" . | indent 12 }} 112 | {{- include "snyk-broker.githubEnterprise" . | indent 12 }} 113 | {{- include "snyk-broker.gitlab" . | indent 12 }} 114 | {{- include "snyk-broker.bitbucketServer" . | indent 12 }} 115 | {{- include "snyk-broker.bitbucketServerBearerAuth" . | indent 12 }} 116 | {{- include "snyk-broker.azureRepos" . | indent 12 }} 117 | {{- include "snyk-broker.artifactory" . | indent 12 }} 118 | {{- include "snyk-broker.nexus" . | indent 12 }} 119 | {{- include "snyk-broker.jira" . | indent 12 }} 120 | {{- include "snyk-broker.jiraBearerAuth" . | indent 12 }} 121 | {{- include "snyk-broker.containerRegistryAgent" . 
| indent 12 }} 122 | {{- if .Values.enableCodeAgent }} 123 | # Code Agent 124 | - name: GIT_CLIENT_URL 125 | value: {{ default (printf "http://code-agent-service:%s" (.Values.deployment.container.caSnykPort | toString)) .Values.gitClientUrl }} 126 | {{- end }} 127 | # Logging 128 | - name: LOG_LEVEL 129 | value: {{ .Values.logLevel }} 130 | - name: LOG_ENABLE_BODY 131 | value: {{ .Values.logEnableBody | squote }} 132 | 133 | {{- if and (.Values.caCert) (not .Values.caCertFile) }} 134 | # HTTPS Inspection 135 | - name: CA_CERT 136 | value: /home/node/cacert/{{ .Values.caCert }} 137 | - name: NODE_EXTRA_CA_CERTS 138 | value: /home/node/cacert/{{ .Values.caCert }} 139 | {{- end }} 140 | {{- if and (.Values.caCertFile) (not .Values.caCert) }} 141 | # HTTPS Inspection 142 | - name: CA_CERT 143 | value: /home/node/cacert/cacert 144 | - name: NODE_EXTRA_CA_CERTS 145 | value: /home/node/cacert/cacert 146 | {{- end }} 147 | 148 | {{- if .Values.caCertFileSecret.name }} 149 | # HTTPS Inspection 150 | - name: CA_CERT 151 | value: /home/node/cacert/{{ .Values.caCertFileSecret.key }} 152 | - name: NODE_EXTRA_CA_CERTS 153 | value: /home/node/cacert/{{ .Values.caCertFileSecret.key }} 154 | {{- end }} 155 | 156 | {{- if or .Values.httpsCert (.Values.httpsSecret.name) }} 157 | # HTTPS Config 158 | - name: HTTPS_CERT 159 | value: /home/node/tls-cert/tls.crt 160 | {{- end }} 161 | {{- if or .Values.httpsKey (.Values.httpsSecret.name) }} 162 | - name: HTTPS_KEY 163 | value: /home/node/tls-cert/tls.key 164 | {{- end }} 165 | {{- if or ( and $setTlsRejectUnauthorized (not .Values.caCert ) (not .Values.caCertFile) ) ( and (or .Values.caCert .Values.caCertFile ) .Values.disableCaCertTrust ) }} 166 | # Troubleshooting - Set to 0 for SSL inspection testing 167 | - name: NODE_TLS_REJECT_UNAUTHORIZED 168 | value: "0" 169 | {{- end }} 170 | 171 | {{- if .Values.httpProxy }} 172 | # HTTP Proxy Settings 173 | - name: HTTP_PROXY 174 | value: {{ .Values.httpProxy }} 175 | {{- end }} 176 | 177 | 
{{- if .Values.httpsProxy }} 178 | # HTTPS Proxy Settings 179 | - name: HTTPS_PROXY 180 | value: {{ .Values.httpsProxy }} 181 | {{- end }} 182 | 183 | {{- if .Values.noProxy }} 184 | # No Proxy Settings 185 | - name: NO_PROXY 186 | value: {{ include "snyk-broker.noProxy" . }} 187 | {{- end }} 188 | 189 | {{- if (include "snyk-broker.acceptJson" .)}} 190 | # Accept.json Environment Variables 191 | - name: ACCEPT 192 | value: /home/node/private/accept.json 193 | {{ else }} 194 | {{- if has .Values.scmType ( list "github-com" "github-enterprise" "bitbucket-server" "bitbucket-server-bearer-auth" "gitlab" "azure-repos") }} 195 | {{- if not .Values.disableAutoAcceptRules }} 196 | # Default Values to allow Snyk Code Snippets and Snyk IaC 197 | - name: ACCEPT_CODE 198 | value: "true" 199 | - name: ACCEPT_IAC 200 | value: "tf,yaml,yml,json,tpl" 201 | {{- end}} 202 | {{- if .Values.enableAppRisk }} 203 | - name: ACCEPT_APPRISK 204 | value: "true" 205 | {{- end }} 206 | {{- end}} 207 | {{- end }} 208 | # Broker Configuration 209 | {{- if not .Values.preflightChecks.enabled }} 210 | - name: PREFLIGHT_CHECKS_ENABLED 211 | value: "false" 212 | {{- end }} 213 | {{- if .Values.highAvailabilityMode.enabled }} 214 | - name: BROKER_HA_MODE_ENABLED 215 | value: "true" 216 | {{- end}} 217 | {{- range .Values.env }} 218 | # custom env var in override.yaml 219 | - name: {{ .name }} 220 | value: {{ .value | squote }} 221 | {{- end}} 222 | - name: BROKER_DISPATCHER_BASE_URL 223 | value: {{ .Values.brokerDispatcherUrl }} 224 | # Mount Accept.json and Certs 225 | volumes: 226 | {{- if (include "snyk-broker.acceptJson" .)}} 227 | - name: {{ include "snyk-broker.fullname" . }}-accept-volume 228 | configMap: 229 | name: {{ include "snyk-broker.fullname" . }}-accept-configmap{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} 230 | {{- end }} 231 | {{- if or .Values.caCert .Values.caCertFileSecret.name .Values.caCertFile }} 232 | - name: {{ include "snyk-broker.fullname" . 
}}-cacert-volume 233 | secret: 234 | secretName: {{ include "snyk-broker.caCertSecretName" . }} 235 | {{- end }} 236 | {{- if or .Values.httpsSecret.name ( and (.Values.httpsCert) (.Values.httpsKey) ) }} 237 | - name: {{ include "snyk-broker.fullname" . }}-tls-secret-volume 238 | secret: 239 | secretName: {{ include "snyk-broker.tlsSecretName" . }} 240 | {{- end }} 241 | {{- if .Values.extraVolumes }} 242 | {{ tpl (toYaml .Values.extraVolumes | indent 6) . }} 243 | {{- end }} 244 | -------------------------------------------------------------------------------- /charts/snyk-broker/values.schema.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://json-schema.org/draft/2020-12/schema", 3 | "$defs": { 4 | "urlNoSchema": { 5 | "type": "string", 6 | "not": { 7 | "pattern": "^http(s?):\/\/.*" 8 | } 9 | }, 10 | "urlWithSchema": { 11 | "type": "string", 12 | "pattern": "^$|^http(s?):\/\/.*" 13 | }, 14 | "secretNameKey": { 15 | "type": "object", 16 | "properties": { 17 | "name": { 18 | "type": "string" 19 | }, 20 | "key": { 21 | "type": "string" 22 | } 23 | }, 24 | "additionalProperties": false 25 | } 26 | }, 27 | "type": "object", 28 | "properties": { 29 | "brokerToken": { 30 | "anyOf": [ 31 | { 32 | "type": "string", 33 | "maxLength": 0 34 | }, 35 | { 36 | "type": "string", 37 | "format": "uuid" 38 | } 39 | ] 40 | }, 41 | "brokerTokenSecret": { 42 | "$ref": "#/$defs/secretNameKey" 43 | }, 44 | "brokerClientUrl": { 45 | "$ref": "#/$defs/urlWithSchema" 46 | }, 47 | "brokerServerUrl": { 48 | "type": "string", 49 | "default": "https://broker.snyk.io", 50 | "pattern": "^https:\/\/broker(.*)snyk(gov)?.io" 51 | }, 52 | "preflightChecks": { 53 | "type": "object", 54 | "properties": { 55 | "enabled": { 56 | "type": "boolean" 57 | } 58 | }, 59 | "additionalProperties": false 60 | }, 61 | "highAvailabilityMode": { 62 | "type": "object", 63 | "properties": { 64 | "enabled": { 65 | "type": "boolean" 66 | } 67 | }, 68 | 
"additionalProperties": false 69 | }, 70 | "disableSuffixes": { 71 | "type": "boolean" 72 | }, 73 | "brokerDispatcherUrl": { 74 | "type": "string", 75 | "default": "https://api.snyk.io", 76 | "pattern": "^https:\/\/api(.*)snyk(gov)?.io" 77 | }, 78 | "replicaCount": { 79 | "type": "integer", 80 | "default": 2, 81 | "minimum": 2, 82 | "maximum": 4 83 | }, 84 | "labels": { 85 | "type": "object" 86 | }, 87 | "scmType": { 88 | "type": "string", 89 | "enum": [ 90 | "apprisk", 91 | "github-com", 92 | "github-enterprise", 93 | "bitbucket-server", 94 | "bitbucket-server-bearer-auth", 95 | "gitlab", 96 | "azure-repos", 97 | "artifactory", 98 | "nexus", 99 | "nexus2", 100 | "jira", 101 | "jira-bearer-auth", 102 | "container-registry-agent" 103 | ] 104 | }, 105 | "scmToken": { 106 | "type": "string" 107 | }, 108 | "externalCredentialSecret": { 109 | "$ref": "#/$defs/secretNameKey" 110 | }, 111 | "scmTokenPool": { 112 | "type": "string" 113 | }, 114 | "scmTokenPoolSecret": { 115 | "$ref": "#/$defs/secretNameKey" 116 | }, 117 | "useExternalSecretScmTokenPool": { 118 | "type": "boolean" 119 | }, 120 | "github": { 121 | "$ref": "#/$defs/urlNoSchema" 122 | }, 123 | "githubApi": { 124 | "$ref": "#/$defs/urlNoSchema" 125 | }, 126 | "githubGraphQl": { 127 | "$ref": "#/$defs/urlNoSchema" 128 | }, 129 | "bitbucketUsername": { 130 | "type": "string" 131 | }, 132 | "bitbucketPassword": { 133 | "type": "string" 134 | }, 135 | "bitbucketPat": { 136 | "type": "string" 137 | }, 138 | "bitbucket": { 139 | "$ref": "#/$defs/urlNoSchema" 140 | }, 141 | "bitbucketApi": { 142 | "$ref": "#/$defs/urlNoSchema" 143 | }, 144 | "gitlab": { 145 | "$ref": "#/$defs/urlNoSchema" 146 | }, 147 | "azureReposOrg": { 148 | "type": "string" 149 | }, 150 | "azureReposHost": { 151 | "$ref": "#/$defs/urlNoSchema" 152 | }, 153 | "azureReposToken": { 154 | "type": "string" 155 | }, 156 | "artifactoryUrl": { 157 | "$ref": "#/$defs/urlNoSchema" 158 | }, 159 | "baseNexusUrl": { 160 | "$ref": "#/$defs/urlWithSchema" 161 | 
}, 162 | "nexusUrl": { 163 | "$ref": "#/$defs/urlWithSchema" 164 | }, 165 | "brokerClientValidationUrl": { 166 | "$ref": "#/$defs/urlWithSchema" 167 | }, 168 | "brokerClientValidationUrlSecret": { 169 | "$ref": "#/$defs/secretNameKey" 170 | }, 171 | "jiraUsername": { 172 | "type": "string" 173 | }, 174 | "jiraPassword": { 175 | "type": "string" 176 | }, 177 | "jiraPat": { 178 | "type": "string" 179 | }, 180 | "jiraHostname": { 181 | "$ref": "#/$defs/urlNoSchema" 182 | }, 183 | "crType": { 184 | "type": "string", 185 | "enum": [ 186 | "", 187 | "artifactory-cr", 188 | "harbor-cr", 189 | "acr", 190 | "gcr", 191 | "docker-hub", 192 | "quay-cr", 193 | "nexus-cr", 194 | "github-cr", 195 | "google-artifact-cr", 196 | "gitlab-cr", 197 | "ecr", 198 | "digitalocean-cr" 199 | ] 200 | }, 201 | "crBase": { 202 | "$ref": "#/$defs/urlNoSchema" 203 | }, 204 | "crUsername": { 205 | "type": "string" 206 | }, 207 | "crPassword": { 208 | "type": "string" 209 | }, 210 | "crRoleArn": { 211 | "type": "string" 212 | }, 213 | "crRegion": { 214 | "type": "string" 215 | }, 216 | "crExternalId": { 217 | "type": "string" 218 | }, 219 | "crToken": { 220 | "if": { 221 | "crType": { 222 | "const": "digitalocean-cr" 223 | } 224 | }, 225 | "then": { 226 | "type": "string", 227 | "required": [ 228 | "crToken" 229 | ] 230 | } 231 | }, 232 | "crImage": { 233 | "type": "string", 234 | "default": "latest" 235 | }, 236 | "enableAppRisk": { 237 | "type": [ 238 | "boolean", 239 | "string" 240 | ], 241 | "enum": [ 242 | true, 243 | "true", 244 | false, 245 | "" 246 | ] 247 | }, 248 | "enableCodeAgent": { 249 | "type": [ 250 | "boolean", 251 | "string" 252 | ], 253 | "enum": [ 254 | true, 255 | "true", 256 | false, 257 | "" 258 | ] 259 | }, 260 | "upstreamUrlCodeAgent": { 261 | "type": "string" 262 | }, 263 | "snykToken": { 264 | "anyOf": [ 265 | { 266 | "type": "string", 267 | "maxLength": 0 268 | }, 269 | { 270 | "type": "string", 271 | "format": "uuid" 272 | } 273 | ] 274 | }, 275 | "snykTokenSecret": { 
276 | "$ref": "#/$defs/secretNameKey" 277 | }, 278 | "caImage": { 279 | "type": "string", 280 | "default": "latest" 281 | }, 282 | "gitClientUrl": { 283 | "type": "string" 284 | }, 285 | "logLevel": { 286 | "type": "string", 287 | "enum": [ 288 | "info", 289 | "debug" 290 | ] 291 | }, 292 | "logEnableBody": { 293 | "type": "string", 294 | "enum": [ 295 | "false", 296 | "true" 297 | ] 298 | }, 299 | "enableBrokerLocalWebserverOverHttps": { 300 | "type": "boolean" 301 | }, 302 | "httpsCert": { 303 | "type": "string" 304 | }, 305 | "httpsKey": { 306 | "type": "string" 307 | }, 308 | "httpsSecret": { 309 | "type": "object", 310 | "properties": { 311 | "name": { 312 | "type": "string" 313 | } 314 | } 315 | }, 316 | "caCert": { 317 | "type": "string" 318 | }, 319 | "caCertFile": { 320 | "type": "string", 321 | "pattern": "^$|^\\s*-----BEGIN CERTIFICATE-----(?:.|\\s)*-----END CERTIFICATE-----\\s*$" 322 | }, 323 | "caCertFileSecret": { 324 | "$ref": "#/$defs/secretNameKey" 325 | }, 326 | "disableCaCertTrust": { 327 | "type": "boolean" 328 | }, 329 | "tlsRejectUnauthorized": { 330 | "type": [ 331 | "string", 332 | "boolean", 333 | "integer" 334 | ], 335 | "enum": [ 336 | "", 337 | 0, 338 | "0", 339 | "false", 340 | false, 341 | "disable" 342 | ] 343 | }, 344 | "httpProxy": { 345 | "$ref": "#/$defs/urlWithSchema" 346 | }, 347 | "httpsProxy": { 348 | "$ref": "#/$defs/urlWithSchema" 349 | }, 350 | "noProxy": { 351 | "type": "string" 352 | }, 353 | "acceptJson": { 354 | "type": "string" 355 | }, 356 | "image": { 357 | "type": "object", 358 | "additionalProperties": false, 359 | "properties": { 360 | "repository": { 361 | "type": "string" 362 | }, 363 | "crRepository": { 364 | "type": "string" 365 | }, 366 | "caRepository": { 367 | "type": "string" 368 | }, 369 | "pullPolicy": { 370 | "type": "string", 371 | "enum": [ 372 | "Always", 373 | "IfNotPresent", 374 | "Never" 375 | ] 376 | }, 377 | "tag": { 378 | "type": "string" 379 | } 380 | } 381 | }, 382 | "imagePullSecrets": { 383 
| "type": "array" 384 | }, 385 | "healthCheckPath": { 386 | "type": "string" 387 | }, 388 | "systemCheckPath": { 389 | "type": "string" 390 | }, 391 | "brokerLivenessProbe": { 392 | "type": "object", 393 | "additionalProperties": false, 394 | "properties": { 395 | "enabled": { 396 | "type": "boolean" 397 | }, 398 | "path": { 399 | "type": "string" 400 | }, 401 | "config": { 402 | "type": "object" 403 | } 404 | } 405 | }, 406 | "brokerReadinessProbe": { 407 | "type": "object", 408 | "additionalProperties": false, 409 | "properties": { 410 | "enabled": { 411 | "type": "boolean" 412 | }, 413 | "path": { 414 | "type": "string" 415 | }, 416 | "config": { 417 | "type": "object" 418 | } 419 | } 420 | }, 421 | "brokerResources": { 422 | "type": "object" 423 | }, 424 | "crResources": { 425 | "type": "object" 426 | }, 427 | "caResources": { 428 | "type": "object" 429 | }, 430 | "deployment": { 431 | "type": "object" 432 | }, 433 | "serviceAccount": { 434 | "type": "object", 435 | "additionalProperties": false, 436 | "properties": { 437 | "create": { 438 | "type": "boolean" 439 | }, 440 | "annotations": { 441 | "type": "object" 442 | }, 443 | "name": { 444 | "type": "string" 445 | } 446 | } 447 | }, 448 | "podAnnotations": { 449 | "type": "object" 450 | }, 451 | "podSecurityContext": { 452 | "type": "object" 453 | }, 454 | "securityContext": { 455 | "type": "object" 456 | }, 457 | "securityContextCr": { 458 | "type": "object" 459 | }, 460 | "securityContextCa": { 461 | "type": "object" 462 | }, 463 | "service": { 464 | "type": "object", 465 | "additionalProperties": false, 466 | "properties": { 467 | "brokerType": { 468 | "type": "string" 469 | }, 470 | "crType": { 471 | "type": "string" 472 | }, 473 | "caType": { 474 | "type": "string" 475 | }, 476 | "port": { 477 | "type": "integer" 478 | }, 479 | "tls": { 480 | "type": "array" 481 | } 482 | } 483 | }, 484 | "brokerIngress": { 485 | "type": "object", 486 | "properties": { 487 | "enabled": { 488 | "type": "boolean" 489 | }, 
490 | "ingressClassName": { 491 | "type": "string" 492 | }, 493 | "annotations": { 494 | "type": "object" 495 | }, 496 | "labels": { 497 | "type": "object" 498 | }, 499 | "path": { 500 | "type": "string" 501 | }, 502 | "pathType": { 503 | "type": "string" 504 | }, 505 | "hosts": { 506 | "type": "array" 507 | }, 508 | "extraPaths": { 509 | "type": "array" 510 | }, 511 | "tls": { 512 | "type": "array" 513 | } 514 | } 515 | }, 516 | "extraObjects": { 517 | "type": "array" 518 | }, 519 | "extraVolumes": { 520 | "type": "array" 521 | }, 522 | "extraVolumeMounts": { 523 | "type": "array" 524 | }, 525 | "extraContainerSpecs": { 526 | "nullable": true 527 | }, 528 | "extraPodSpecs": { 529 | "nullable": true 530 | }, 531 | "extraPodSpecsCr": { 532 | "nullable": true 533 | } 534 | }, 535 | "additionalProperties": true 536 | } 537 | -------------------------------------------------------------------------------- /charts/snyk-broker/tests/broker_deployment_ca_test.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json 2 | suite: test broker deployment with CA 3 | chart: 4 | version: 0.0.0 5 | templates: 6 | - broker_deployment.yaml 7 | - secrets.yaml 8 | values: 9 | - ./fixtures/default_values.yaml 10 | 11 | tests: 12 | - it: mounts a CA certificate from file 13 | set: 14 | caCert: tests/dummy_ca_cert.pem 15 | asserts: 16 | - contains: 17 | path: spec.template.spec.containers[0].env 18 | content: 19 | name: CA_CERT 20 | value: "/home/node/cacert/tests/dummy_ca_cert.pem" 21 | template: broker_deployment.yaml 22 | - contains: 23 | path: spec.template.spec.containers[0].env 24 | content: 25 | name: NODE_EXTRA_CA_CERTS 26 | value: "/home/node/cacert/tests/dummy_ca_cert.pem" 27 | template: broker_deployment.yaml 28 | - contains: 29 | path: spec.template.spec.volumes 30 | content: 31 | name: 
RELEASE-NAME-snyk-broker-cacert-volume 32 | secret: 33 | secretName: RELEASE-NAME-snyk-broker-cacert-secret 34 | template: broker_deployment.yaml 35 | - contains: 36 | path: spec.template.spec.containers[0].volumeMounts 37 | content: 38 | name: RELEASE-NAME-snyk-broker-cacert-volume 39 | mountPath: /home/node/cacert 40 | readOnly: true 41 | template: broker_deployment.yaml 42 | - exists: 43 | path: data["dummy_ca_cert.pem"] 44 | template: secrets.yaml 45 | documentSelector: 46 | path: metadata.name 47 | value: RELEASE-NAME-snyk-broker-cacert-secret 48 | 49 | - it: mounts a CA certificate from file without suffixes 50 | set: 51 | caCert: tests/dummy_ca_cert.pem 52 | disableSuffixes: true 53 | asserts: 54 | - contains: 55 | path: spec.template.spec.containers[0].env 56 | content: 57 | name: CA_CERT 58 | value: "/home/node/cacert/tests/dummy_ca_cert.pem" 59 | template: broker_deployment.yaml 60 | - contains: 61 | path: spec.template.spec.containers[0].env 62 | content: 63 | name: NODE_EXTRA_CA_CERTS 64 | value: "/home/node/cacert/tests/dummy_ca_cert.pem" 65 | template: broker_deployment.yaml 66 | - contains: 67 | path: spec.template.spec.volumes 68 | content: 69 | name: RELEASE-NAME-snyk-broker-cacert-volume 70 | secret: 71 | secretName: snyk-broker-cacert-secret 72 | template: broker_deployment.yaml 73 | - contains: 74 | path: spec.template.spec.containers[0].volumeMounts 75 | content: 76 | name: RELEASE-NAME-snyk-broker-cacert-volume 77 | mountPath: /home/node/cacert 78 | readOnly: true 79 | template: broker_deployment.yaml 80 | - exists: 81 | path: data["dummy_ca_cert.pem"] 82 | template: secrets.yaml 83 | documentSelector: 84 | path: metadata.name 85 | value: snyk-broker-cacert-secret 86 | 87 | - it: mounts a CA certificate from values file 88 | set: 89 | caCertFile: |- 90 | -----BEGIN CERTIFICATE----- 91 | CERTIFICATE GOES HERE 92 | -----END CERTIFICATE----- 93 | asserts: 94 | - contains: 95 | path: spec.template.spec.containers[0].env 96 | content: 97 | name: 
CA_CERT 98 | value: "/home/node/cacert/cacert" 99 | template: broker_deployment.yaml 100 | - contains: 101 | path: spec.template.spec.containers[0].env 102 | content: 103 | name: NODE_EXTRA_CA_CERTS 104 | value: "/home/node/cacert/cacert" 105 | template: broker_deployment.yaml 106 | - contains: 107 | path: spec.template.spec.containers[0].volumeMounts 108 | content: 109 | name: RELEASE-NAME-snyk-broker-cacert-volume 110 | mountPath: /home/node/cacert 111 | readOnly: true 112 | template: broker_deployment.yaml 113 | - contains: 114 | path: spec.template.spec.volumes 115 | content: 116 | name: RELEASE-NAME-snyk-broker-cacert-volume 117 | secret: 118 | secretName: RELEASE-NAME-snyk-broker-cacert-secret 119 | template: broker_deployment.yaml 120 | - equal: 121 | path: data.cacert 122 | value: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkNFUlRJRklDQVRFIEdPRVMgSEVSRQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t 123 | template: secrets.yaml 124 | documentSelector: 125 | path: metadata.name 126 | value: RELEASE-NAME-snyk-broker-cacert-secret 127 | 128 | - it: mounts a CA certificate from values file (single line string) 129 | set: 130 | caCertFile: "-----BEGIN CERTIFICATE-----\nCERTIFICATE GOES HERE\n-----END CERTIFICATE-----" 131 | asserts: 132 | - contains: 133 | path: spec.template.spec.containers[0].env 134 | content: 135 | name: CA_CERT 136 | value: "/home/node/cacert/cacert" 137 | template: broker_deployment.yaml 138 | - contains: 139 | path: spec.template.spec.containers[0].env 140 | content: 141 | name: NODE_EXTRA_CA_CERTS 142 | value: "/home/node/cacert/cacert" 143 | template: broker_deployment.yaml 144 | - contains: 145 | path: spec.template.spec.containers[0].volumeMounts 146 | content: 147 | name: RELEASE-NAME-snyk-broker-cacert-volume 148 | mountPath: /home/node/cacert 149 | readOnly: true 150 | template: broker_deployment.yaml 151 | - contains: 152 | path: spec.template.spec.volumes 153 | content: 154 | name: RELEASE-NAME-snyk-broker-cacert-volume 155 | secret: 156 | 
secretName: RELEASE-NAME-snyk-broker-cacert-secret 157 | template: broker_deployment.yaml 158 | - equal: 159 | path: data.cacert 160 | value: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkNFUlRJRklDQVRFIEdPRVMgSEVSRQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t 161 | template: secrets.yaml 162 | documentSelector: 163 | path: metadata.name 164 | value: RELEASE-NAME-snyk-broker-cacert-secret 165 | 166 | - it: explicitly disables CA trust 167 | set: 168 | caCertFile: "-----BEGIN CERTIFICATE-----\nCERTIFICATE GOES HERE\n-----END CERTIFICATE-----" 169 | disableCaCertTrust: true 170 | asserts: 171 | - contains: 172 | path: spec.template.spec.containers[0].env 173 | content: 174 | name: CA_CERT 175 | value: "/home/node/cacert/cacert" 176 | template: broker_deployment.yaml 177 | - contains: 178 | path: spec.template.spec.containers[0].env 179 | content: 180 | name: NODE_EXTRA_CA_CERTS 181 | value: "/home/node/cacert/cacert" 182 | template: broker_deployment.yaml 183 | - contains: 184 | path: spec.template.spec.containers[0].env 185 | content: 186 | name: NODE_TLS_REJECT_UNAUTHORIZED 187 | value: "0" 188 | template: broker_deployment.yaml 189 | - contains: 190 | path: spec.template.spec.containers[0].volumeMounts 191 | content: 192 | name: RELEASE-NAME-snyk-broker-cacert-volume 193 | mountPath: /home/node/cacert 194 | readOnly: true 195 | template: broker_deployment.yaml 196 | - contains: 197 | path: spec.template.spec.volumes 198 | content: 199 | name: RELEASE-NAME-snyk-broker-cacert-volume 200 | secret: 201 | secretName: RELEASE-NAME-snyk-broker-cacert-secret 202 | template: broker_deployment.yaml 203 | - equal: 204 | path: data.cacert 205 | value: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkNFUlRJRklDQVRFIEdPRVMgSEVSRQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t 206 | template: secrets.yaml 207 | documentSelector: 208 | path: metadata.name 209 | value: RELEASE-NAME-snyk-broker-cacert-secret 210 | 211 | 212 | - it: does not disable CA trust if tlsRejectUnauthorized is true 213 | set: 214 | caCertFile: 
"-----BEGIN CERTIFICATE-----\nCERTIFICATE GOES HERE\n-----END CERTIFICATE-----" 215 | tlsRejectUnauthorized: "0" 216 | asserts: 217 | - contains: 218 | path: spec.template.spec.containers[0].env 219 | content: 220 | name: CA_CERT 221 | value: "/home/node/cacert/cacert" 222 | template: broker_deployment.yaml 223 | - contains: 224 | path: spec.template.spec.containers[0].env 225 | content: 226 | name: NODE_EXTRA_CA_CERTS 227 | value: "/home/node/cacert/cacert" 228 | template: broker_deployment.yaml 229 | - notContains: 230 | path: spec.template.spec.containers[0].env 231 | content: 232 | name: NODE_TLS_REJECT_UNAUTHORIZED 233 | value: "0" 234 | template: broker_deployment.yaml 235 | - contains: 236 | path: spec.template.spec.containers[0].volumeMounts 237 | content: 238 | name: RELEASE-NAME-snyk-broker-cacert-volume 239 | mountPath: /home/node/cacert 240 | readOnly: true 241 | template: broker_deployment.yaml 242 | - contains: 243 | path: spec.template.spec.volumes 244 | content: 245 | name: RELEASE-NAME-snyk-broker-cacert-volume 246 | secret: 247 | secretName: RELEASE-NAME-snyk-broker-cacert-secret 248 | template: broker_deployment.yaml 249 | - equal: 250 | path: data.cacert 251 | value: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkNFUlRJRklDQVRFIEdPRVMgSEVSRQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t 252 | template: secrets.yaml 253 | documentSelector: 254 | path: metadata.name 255 | value: RELEASE-NAME-snyk-broker-cacert-secret 256 | 257 | - it: handles extra whitespace 258 | set: 259 | caCertFile: "\n \n-----BEGIN CERTIFICATE-----\nCERTIFICATE GOES HERE\n-----END CERTIFICATE-----\n\n\n" 260 | asserts: 261 | - equal: 262 | path: data.cacert 263 | value: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkNFUlRJRklDQVRFIEdPRVMgSEVSRQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t 264 | template: secrets.yaml 265 | documentSelector: 266 | path: metadata.name 267 | value: RELEASE-NAME-snyk-broker-cacert-secret 268 | 269 | - it: rejects a non-PEM certificate 270 | set: 271 | caCertFile: "\n \n-----BEGIN RSA 
PRIVATE KEY-----\nCERTIFICATE GOES HERE\n-----END RSA PRIVATE KEY-----\n\n\n" #gitleaks:allow 272 | asserts: 273 | - failedTemplate: {} 274 | 275 | - it: correctly mounts an external CA secret 276 | set: 277 | useExternalSecrets: true 278 | caCertFileSecret: 279 | name: secret-ca-cert 280 | key: caCert 281 | asserts: 282 | - contains: 283 | path: spec.template.spec.volumes 284 | content: 285 | name: RELEASE-NAME-snyk-broker-cacert-volume 286 | secret: 287 | secretName: secret-ca-cert 288 | template: broker_deployment.yaml 289 | - exists: 290 | path: spec.template.spec.containers[0].volumeMounts 291 | template: broker_deployment.yaml 292 | - contains: 293 | path: spec.template.spec.containers[0].volumeMounts 294 | content: 295 | name: RELEASE-NAME-snyk-broker-cacert-volume 296 | mountPath: /home/node/cacert 297 | readOnly: true 298 | template: broker_deployment.yaml 299 | - contains: 300 | path: spec.template.spec.containers[0].env 301 | content: 302 | name: NODE_EXTRA_CA_CERTS 303 | value: "/home/node/cacert/caCert" 304 | template: broker_deployment.yaml 305 | - contains: 306 | path: spec.template.spec.containers[0].env 307 | content: 308 | name: CA_CERT 309 | value: "/home/node/cacert/caCert" 310 | template: broker_deployment.yaml 311 | 312 | 313 | - it: correctly mounts an external CA secret with default key 314 | set: 315 | useExternalSecrets: true 316 | caCertFileSecret: 317 | name: my-secret 318 | asserts: 319 | - contains: 320 | path: spec.template.spec.volumes 321 | content: 322 | name: RELEASE-NAME-snyk-broker-cacert-volume 323 | secret: 324 | secretName: my-secret 325 | template: broker_deployment.yaml 326 | - exists: 327 | path: spec.template.spec.containers[0].volumeMounts 328 | template: broker_deployment.yaml 329 | - contains: 330 | path: spec.template.spec.containers[0].volumeMounts 331 | content: 332 | name: RELEASE-NAME-snyk-broker-cacert-volume 333 | mountPath: /home/node/cacert 334 | readOnly: true 335 | template: broker_deployment.yaml 336 | 