From d2f661248ea10b9b65640a677a7a9509c9c63f41 Mon Sep 17 00:00:00 2001 
From: Kenan Warren
Date: Thu, 19 Aug 2021 09:11:57 -0400
Subject: [PATCH] Move helm chart to central repo and update docs
---
.github/workflows/release-chart.yml | 27 -----
configs/{raw => }/clusterRole.yml | 0
configs/{raw => }/clusterRoleBinding.yml | 0
configs/{raw => }/createSecret.yml | 0
configs/{raw => }/cronjobCluster.yml | 0
configs/{raw => }/cronjobNamespace.yml | 0
configs/helm/.gitignore | 2 -
configs/helm/.helmignore | 23 ----
configs/helm/Chart.yaml | 7 --
configs/helm/README.md | 81 ------------
configs/helm/charts/.gitkeep | 0
configs/helm/templates/_helpers.tpl | 96 ---------------
configs/helm/templates/clusterrole.yaml | 48 --------
.../helm/templates/clusterrolebinding.yaml | 20 ----
configs/helm/templates/cronjob.yaml | 63 ----------
configs/helm/templates/role.yaml | 48 --------
configs/helm/templates/rolebinding.yaml | 24 ----
configs/helm/templates/secret.yaml | 11 --
configs/helm/templates/serviceaccount.yaml | 11 --
configs/helm/values.yaml | 102 ----------------
configs/raw/README.md | 90 --------------
docs/development.md | 110 +++++++++++++++++-
22 files changed, 106 insertions(+), 657 deletions(-)
delete mode 100644 .github/workflows/release-chart.yml
rename configs/{raw => }/clusterRole.yml (100%)
rename configs/{raw => }/clusterRoleBinding.yml (100%)
rename configs/{raw => }/createSecret.yml (100%)
rename configs/{raw => }/cronjobCluster.yml (100%)
rename configs/{raw => }/cronjobNamespace.yml (100%)
delete mode 100644 configs/helm/.gitignore
delete mode 100644 configs/helm/.helmignore
delete mode 100644 configs/helm/Chart.yaml
delete mode 100644 configs/helm/README.md
delete mode 100644 configs/helm/charts/.gitkeep
delete mode 100644 configs/helm/templates/_helpers.tpl
delete mode 100644 configs/helm/templates/clusterrole.yaml
delete mode 100644 configs/helm/templates/clusterrolebinding.yaml
delete mode 100644 configs/helm/templates/cronjob.yaml
delete mode 100644 configs/helm/templates/role.yaml
delete mode 100644 
configs/helm/templates/rolebinding.yaml
delete mode 100644 configs/helm/templates/secret.yaml
delete mode 100644 configs/helm/templates/serviceaccount.yaml
delete mode 100644 configs/helm/values.yaml
delete mode 100644 configs/raw/README.md
diff --git a/.github/workflows/release-chart.yml b/.github/workflows/release-chart.yml
deleted file mode 100644
index 294eb6f..0000000
--- a/.github/workflows/release-chart.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-name: Release Chart
-
-on:
- push:
- branches:
- - main
-
-jobs:
- release:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v2
-
- - name: Fetch history
- run: git fetch --prune --unshallow
-
- - name: Configure Git
- run: |
- git config user.name "$GITHUB_ACTOR"
- git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Run chart-releaser
- uses: helm/chart-releaser-action@v1.0.0
- with:
- charts_dir: configs/helm
- env:
- CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/configs/raw/clusterRole.yml b/configs/clusterRole.yml
similarity index 100%
rename from configs/raw/clusterRole.yml
rename to configs/clusterRole.yml
diff --git a/configs/raw/clusterRoleBinding.yml b/configs/clusterRoleBinding.yml
similarity index 100%
rename from configs/raw/clusterRoleBinding.yml
rename to configs/clusterRoleBinding.yml
diff --git a/configs/raw/createSecret.yml b/configs/createSecret.yml
similarity index 100%
rename from configs/raw/createSecret.yml
rename to configs/createSecret.yml
diff --git a/configs/raw/cronjobCluster.yml b/configs/cronjobCluster.yml
similarity index 100%
rename from configs/raw/cronjobCluster.yml
rename to configs/cronjobCluster.yml
diff --git a/configs/raw/cronjobNamespace.yml b/configs/cronjobNamespace.yml
similarity index 100%
rename from configs/raw/cronjobNamespace.yml
rename to configs/cronjobNamespace.yml
diff --git a/configs/helm/.gitignore b/configs/helm/.gitignore
deleted file mode 100644
index c644411..0000000
--- a/configs/helm/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-requirements.lock
-Chart.lock
diff --git a/configs/helm/.helmignore b/configs/helm/.helmignore
deleted file mode 100644
index 0e8a0eb..0000000
--- a/configs/helm/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/configs/helm/Chart.yaml b/configs/helm/Chart.yaml
deleted file mode 100644
index 32db0d2..0000000
--- a/configs/helm/Chart.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v2
-name: graph-kubernetes
-description:
- Converts K8s resources into a graph model for ingestion into JupiterOne.
-type: application
-version: 0.1.0
-appVersion: '0.1.0'
diff --git a/configs/helm/README.md b/configs/helm/README.md
deleted file mode 100644
index be822ef..0000000
--- a/configs/helm/README.md
+++ /dev/null
@@ -1,81 +0,0 @@
-# JupiterOne Graph Kubernetes
-
-This chart bootstraps a
-[graph-kubernetes](https://github.com/JupiterOne/graph-kubernetes) deployment on
-a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh)
-package manager.
-
-## Prerequisites
-
-- Kubernetes 1.16+
-- Helm 3+
-
-## Quickstart
-
-If you're ok with the defaults and just want to set your account specific
-information run the following commands with your account information:
-
-```console
-helm repo add jupiterone https://graph-kubernetes.github.io/helm-charts
-helm repo update
-helm install [RELEASE_NAME] jupiterone/graph-kubernetes --set secrets.jupiteroneAccountId="some-account-id" --set secrets.jupiteroneApiKey="some-api-key" --set secrets.jupiteroneIntegrationInstanceId="some-integration-instance-id"
-```
-
-## Get Repo Info
-
-```console
-helm repo add jupiterone https://graph-kubernetes.github.io/helm-charts
-helm repo update
-```
-
-_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command
-documentation._
-
-## Install Chart
-
-```console
-$ helm install [RELEASE_NAME] jupiterone/graph-kubernetes
-```
-
-_See [configuration](#configuration) below._
-
-_See [helm install](https://helm.sh/docs/helm/helm_install/) for command
-documentation._
-
-## Uninstall Chart
-
-```console
-$ helm uninstall [RELEASE_NAME]
-```
-
-This removes all the Kubernetes components associated with the chart and deletes
-the release.
-
-_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command
-documentation._
-
-## Upgrading Chart
-
-```console
-$ helm upgrade [RELEASE_NAME] jupiterone/graph-kubernetes --install
-```
-
-## Configuration
-
-See
-[Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
-To see all configurable options with detailed comments, visit the chart's
-[values.yaml](./values.yaml), or run these configuration commands:
-
-```console
-$ helm show values jupiterone/graph-kubernetes
-```
-
-### RBAC Configuration
-
-To manually setup RBAC you need to set the parameter `rbac.create=false` and
-specify the service account to be used by setting the parameters:
-`serviceAccount.create` to `false` and `serviceAccount.name` to the name of a
-pre-existing service account.
-
-Roles and RoleBindings resources will be created automatically.
diff --git a/configs/helm/charts/.gitkeep b/configs/helm/charts/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/configs/helm/templates/_helpers.tpl b/configs/helm/templates/_helpers.tpl
deleted file mode 100644
index 8cca3c0..0000000
--- a/configs/helm/templates/_helpers.tpl
+++ /dev/null
@@ -1,96 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "graph-kubernetes.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "graph-kubernetes.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "graph-kubernetes.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "graph-kubernetes.labels" -}}
-helm.sh/chart: {{ include "graph-kubernetes.chart" . }}
-{{ include "graph-kubernetes.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "graph-kubernetes.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "graph-kubernetes.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "graph-kubernetes.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "graph-kubernetes.fullname" .)
.Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-Define the graph-kubernetes.namespace template if set with forceNamespace or .Release.Namespace is set
-https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus/templates/_helpers.tpl
-*/}}
-{{- define "graph-kubernetes.namespace" -}}
-{{- if .Values.forceNamespace -}}
-{{ printf "namespace: %s" .Values.forceNamespace }}
-{{- else -}}
-{{ printf "namespace: %s" .Release.Namespace }}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return the appropriate apiVersion for rbac.
-*/}}
-{{- define "rbac.apiVersion" -}}
-{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
-{{- print "rbac.authorization.k8s.io/v1" -}}
-{{- else -}}
-{{- print "rbac.authorization.k8s.io/v1beta1" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return the appropriate apiVersion for cronjob.
-*/}}
-{{- define "cronjob.apiVersion" -}}
-{{- if .Capabilities.APIVersions.Has "batch/v1" }}
-{{- print "batch/v1" -}}
-{{- else -}}
-{{- print "batch/v1beta1" -}}
-{{- end -}}
-{{- end -}}
diff --git a/configs/helm/templates/clusterrole.yaml b/configs/helm/templates/clusterrole.yaml
deleted file mode 100644
index 5ec13d6..0000000
--- a/configs/helm/templates/clusterrole.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-{{- if and .Values.rbac.create .Values.rbac.useClusterRole (not .Values.rbac.useExistingRole) }}
-apiVersion: {{ template "rbac.apiVersion" . }}
-kind: ClusterRole
-metadata:
- name: {{ template "graph-kubernetes.fullname" . }}
- labels:
- {{- include "graph-kubernetes.labels" . | nindent 4 }}
-rules:
- - apiGroups:
- - ''
- resources: ['*']
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - extensions
- resources: ['*']
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - apps
- resources: ['*']
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - batch
- resources: ['*']
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterroles
- - clusterrolebindings
- - roles
- - rolebindings
- verbs:
- - get
- - list
- - watch
-{{ end }}
diff --git a/configs/helm/templates/clusterrolebinding.yaml b/configs/helm/templates/clusterrolebinding.yaml
deleted file mode 100644
index e622c5d..0000000
--- a/configs/helm/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if and .Values.rbac.create .Values.rbac.useClusterRole -}}
-apiVersion: {{ template "rbac.apiVersion" . }}
-kind: ClusterRoleBinding
-metadata:
- labels:
- {{- include "graph-kubernetes.labels" . | nindent 4 }}
- name: {{ template "graph-kubernetes.fullname" . }}
-subjects:
- - kind: ServiceAccount
- name: {{ template "graph-kubernetes.serviceAccountName" . }}
-{{ include "graph-kubernetes.namespace" . | indent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
-{{- if (not .Values.rbac.useExistingRole) }}
- name: {{ template "graph-kubernetes.fullname" . }}
-{{- else }}
- name: {{ .Values.rbac.useExistingRole }}
-{{- end }}
-{{- end }}
diff --git a/configs/helm/templates/cronjob.yaml b/configs/helm/templates/cronjob.yaml
deleted file mode 100644
index 1e8b51f..0000000
--- a/configs/helm/templates/cronjob.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-apiVersion: {{ template "cronjob.apiVersion" . }}
-kind: CronJob
-metadata:
- name: {{ template "graph-kubernetes.fullname" . }}
-spec:
- schedule: "{{ .Values.cronjob.schedule }}"
- jobTemplate:
- metadata:
- {{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- labels:
- {{- include "graph-kubernetes.labels" . | nindent 12 }}
- spec:
- template:
- spec:
- restartPolicy: Never
- serviceAccountName: {{ include "graph-kubernetes.serviceAccountName" . }}
- {{- if .Values.securityContext }}
- securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
- {{ end }}
- containers:
- - name: {{ .Chart.Name }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- env:
- - name: ACCESS_TYPE
- value: {{ ternary "cluster" "namespace" .Values.rbac.useClusterRole }}
- name: NAMESPACE
- value: {{ .Release.Namespace }}
- name: JUPITERONE_ACCOUNT_ID
- valueFrom:
- secretKeyRef:
- name: jupiterone-integration-secret
- key: jupiteroneAccountId
- - name: JUPITERONE_API_KEY
- valueFrom:
- secretKeyRef:
- name: jupiterone-integration-secret
- key: jupiteroneApiKey
- - name: INTEGRATION_INSTANCE_ID
- valueFrom:
- secretKeyRef:
- name: jupiterone-integration-secret
- key: jupiteroneIntegrationInstanceId
- - name: IS_RUNNING_TEST
- value: 'false'
- resources:
- {{- toYaml .Values.resources | nindent 16 }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 12 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 12 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 12 }}
- {{- end }}
diff --git a/configs/helm/templates/role.yaml b/configs/helm/templates/role.yaml
deleted file mode 100644
index 4547905..0000000
--- a/configs/helm/templates/role.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-{{- if and .Values.rbac.create (eq .Values.rbac.useClusterRole false) (not .Values.rbac.useExistingRole) }}
-{{- range $.Values.namespaces }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ template "graph-kubernetes.fullname" . }}
- labels:
- {{- include "graph-kubernetes.labels" . | nindent 4 }}
-rules:
- - apiGroups:
- - ''
- resources: ['*']
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - extensions
- resources: ['*']
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - apps
- resources: ['*']
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - batch
- resources: ['*']
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - roles
- - rolebindings
- verbs:
- - get
- - list
- - watch
-{{- end }}
-{{- end }}
diff --git a/configs/helm/templates/rolebinding.yaml b/configs/helm/templates/rolebinding.yaml
deleted file mode 100644
index aa876f7..0000000
--- a/configs/helm/templates/rolebinding.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if and .Values.rbac.create (eq .Values.rbac.useClusterRole false) -}}
-{{ range $.Values.namespaces -}}
----
-apiVersion: {{ template "rbac.apiVersion" $ }}
-kind: RoleBinding
-metadata:
- labels:
- {{- include "graph-kubernetes.labels" $ | nindent 4 }}
- name: {{ template "graph-kubernetes.fullname" $ }}
- namespace: {{ . }}
-subjects:
- - kind: ServiceAccount
- name: {{ template "graph-kubernetes.serviceAccountName" $ }}
-{{ include "graph-kubernetes.namespace" $ | indent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
-{{- if (not $.Values.useExistingRole) }}
- name: {{ template "graph-kubernetes.fullname" $ }}
-{{- else }}
- name: {{ $.Values.useExistingRole }}
-{{- end }}
-{{- end }}
-{{ end }}
diff --git a/configs/helm/templates/secret.yaml b/configs/helm/templates/secret.yaml
deleted file mode 100644
index 53ea7a5..0000000
--- a/configs/helm/templates/secret.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "graph-kubernetes.fullname" . }}
- labels:
- {{- include "graph-kubernetes.labels" . | nindent 4 }}
-type: Opaque
-data:
- jupiteroneAccountId: {{ default "" .Values.secrets.jupiteroneAccountId | b64enc | quote }}
- jupiteroneApiKey: {{ default "" .Values.secrets.jupiteroneApiKey | b64enc | quote }}
- jupiteroneIntegrationInstanceId: {{ default "" .Values.secrets.jupiteroneIntegrationInstanceId | b64enc | quote }}
diff --git a/configs/helm/templates/serviceaccount.yaml b/configs/helm/templates/serviceaccount.yaml
deleted file mode 100644
index 73bfe77..0000000
--- a/configs/helm/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-{{- if .Values.serviceAccount.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- {{- include "graph-kubernetes.labels" . | nindent 4 }}
- name: {{ template "graph-kubernetes.serviceAccountName" . }}
-{{ include "graph-kubernetes.namespace" . | indent 2 }}
- annotations:
-{{ toYaml .Values.serviceAccount.annotations | indent 4 }}
-{{- end }}
diff --git a/configs/helm/values.yaml b/configs/helm/values.yaml
deleted file mode 100644
index b0c0635..0000000
--- a/configs/helm/values.yaml
+++ /dev/null
@@ -1,102 +0,0 @@
-################################
-########### General ############
-################################
-image:
- repository: jupiterone/graph-kubernetes
- pullPolicy: IfNotPresent
- tag: "latest"
-
-cronjob:
- schedule: "*/30 * * * *"
-
-secrets:
- jupiteroneAccountId:
- jupiteroneApiKey:
- jupiteroneIntegrationInstanceId:
-
-## namespaces to ingest (instead of ingesting the entire cluster). Needed if you want to run without Cluster-admin privileges.
-# namespaces:
-# - yournamespace
-
-resources:
- {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
-
-################################
-######### Scheduling ###########
-################################
-
-### Pod Annotations
-## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-##
-podAnnotations: {}
-
-## Node labels
-## Ref: https://kubernetes.io/docs/user-guide/node-selection/
-##
-nodeSelector: {}
-
-## Node tolerations for alertmanager scheduling to nodes with taints
-## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
-##
-tolerations: []
-# - key: "key"
-# operator: "Equal|Exists"
-# value: "value"
-# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
-
-### Node affinity
-## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
-##
-affinity: {}
-
-### Node anti affinity
-## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
-##
-antiAffinity: {}
-
-## Use an alternate scheduler, e.g. "stork".
-## Ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
-##
-# schedulerName:
-
-################################
-### Security Related Configs ###
-################################
-rbac:
- create: true
- ## Use a ClusterRole (and ClusterRoleBinding)
- ## - If set to false - we define a Role and RoleBinding in the defined namespaces ONLY
- useClusterRole: true
-
- ## Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here.
- useExistingRole: false
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name:
- # Annotations to add to the service account
- annotations: {}
-
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
-
-# Force namespace of namespaced resources
-forceNamespace: null
diff --git a/configs/raw/README.md b/configs/raw/README.md
deleted file mode 100644
index c9f8e3f..0000000
--- a/configs/raw/README.md
+++ /dev/null
@@ -1,90 +0,0 @@
-# JupiterOne Graph Kubernetes
-
-## Authentication
-
-### RBAC
-
-This integration expects a service account with either specific namespace
-read-only access or cluster-wide read-only access.
-
-### Creating service account with namespace read-only access
-
-1. Create a new service account
-
-`kubectl create sa jupiterone-integration`
-
-2. Assign namespace read-only access
-
-`kubectl create rolebinding jupiterone-integration-view --clusterrole=view --serviceaccount=default:jupiterone-integration --namespace=default`
-
-### Creating service account with cluster-wide read-only access
-
-1. Create a new service account
-
-`kubectl create sa jupiterone-integration-cluster`
-
-2. Assign cluster-wide read-only access
-
-`kubectl apply -f clusterRole.yml`
-
-`kubectl apply -f clusterRoleBinding.yml`
-
-If using a different service account name or different namespace name, make sure
-to use the correct name in both the commands/yml listed above.
-
-## Secrets
-
-The integration requires you to store `jupiterone account id`,
-`jupiterone api key` and `integration id` as secrets that will be read by the
-pod.
-
-1. Update the `createSecret.yml` with base64 encoded values.
-2.
`kubectl apply -f createSecret.yml`
-
-## Deploying
-
-To deploy the built image as a pod:
-
-a) To create cronjob deployment for a service account with namespace read-only
-access `kubectl apply -f cronjobNamespace.yml`
-
-b) To create deployment for a service account with entire cluster read-only
-access `kubectl apply -f cronjobCluster.yml`
-
-## Debugging
-
-```console
-# To check if the cronjob has been created
-kubectl get cronjob
-
-# To check if the cronjob has spawned any jobs
-kubectl get job
-
-# To see the logs
-kubectl logs --selector job-name=job-name
-```
-
-## Uninstall
-
-```console
-# Delete the deployment
-kubectl delete cronjob
-
-# Delete the service account
-kubectl delete serviceaccount -n
-
-# Delete the cluster role binding
-kubectl delete clusterrolebinding
-
-# Delete the cluster role binding
-kubectl delete clusterole
-```
-
-## Upgrading
-
-To upgrade a particular resource (cronjob, secrets, etc) all you need to do is
-reapply the yaml:
-
-```console
-kubectl apply -f resourceFile.yaml
-```
diff --git a/docs/development.md b/docs/development.md
index 17084b8..8c874d8 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -16,7 +16,109 @@ don't bother documenting that here.
 ## Provider account setup
-There are two ways to install the integration in your Kubernetes cluster, Helm
-and raw YAML. You can find the documentation for Helm
-[here](../configs/helm/README.md) and the documentation for using raw YAML
-[here](../configs/raw/README.md).
+### Helm
+
+The easiest way to install and update the `graph-kubernetes` project is through
+the published helm chart. You can find information on how to install our
+repository [here](https://github.com/JupiterOne/helm-charts) with specific
+information about maintain the graph-kubernetes chart
+[here](https://github.com/JupiterOne/helm-charts/tree/main/charts/graph-kubernetes).
+
+#### Quickstart
+
+```console
+helm repo add jupiterone https://jupiterone.github.io/helm-charts
+helm repo update
+helm install [RELEASE_NAME] jupiterone/graph-kubernetes --set secrets.jupiteroneAccountId="some-account-id" --set secrets.jupiteroneApiKey="some-api-key" --set secrets.jupiteroneIntegrationInstanceId="some-integration-instance-id"
+```
+
+### K8S Standard
+
+#### Authentication
+
+##### RBAC
+
+This integration expects a service account with either specific namespace
+read-only access or cluster-wide read-only access.
+
+#### Creating service account with namespace read-only access
+
+1. Create a new service account
+
+`kubectl create sa jupiterone-integration`
+
+2. Assign namespace read-only access
+
+`kubectl create rolebinding jupiterone-integration-view --clusterrole=view --serviceaccount=default:jupiterone-integration --namespace=default`
+
+#### Creating service account with cluster-wide read-only access
+
+1. Create a new service account
+
+`kubectl create sa jupiterone-integration-cluster`
+
+2.
Assign cluster-wide read-only access
+
+`kubectl apply -f clusterRole.yml`
+
+`kubectl apply -f clusterRoleBinding.yml`
+
+If using a different service account name or different namespace name, make sure
+to use the correct name in both the commands/yml listed above.
+
+### Secrets
+
+The integration requires you to store `jupiterone account id`,
+`jupiterone api key` and `integration id` as secrets that will be read by the
+pod.
+
+1. Update the `createSecret.yml` with base64 encoded values.
+2. `kubectl apply -f createSecret.yml`
+
+### Deploying
+
+To deploy the built image as a pod:
+
+a) To create cronjob deployment for a service account with namespace read-only
+access `kubectl apply -f cronjobNamespace.yml`
+
+b) To create deployment for a service account with entire cluster read-only
+access `kubectl apply -f cronjobCluster.yml`
+
+### Debugging
+
+```console
+# To check if the cronjob has been created
+kubectl get cronjob
+
+# To check if the cronjob has spawned any jobs
+kubectl get job
+
+# To see the logs
+kubectl logs --selector job-name=job-name
+```
+
+### Uninstall
+
+```console
+# Delete the deployment
+kubectl delete cronjob
+
+# Delete the service account
+kubectl delete serviceaccount -n
+
+# Delete the cluster role binding
+kubectl delete clusterrolebinding
+
+# Delete the cluster role binding
+kubectl delete clusterole
+```
+
+### Upgrading
+
+To upgrade a particular resource (cronjob, secrets, etc) all you need to do is
+reapply the yaml:
+
+```console
+kubectl apply -f resourceFile.yaml
+```