From 130f39afac850029688a3a537a0b6e24d88de27e Mon Sep 17 00:00:00 2001
From: nissim
Date: Thu, 21 Feb 2019 18:29:52 +0200
Subject: [PATCH] Update Helm to 4.0 and to support pks and unprivileged and more
---
 README.md | 72 ++++++++++++++++------
 enforcer/templates/enforcer-daemonset.yaml | 27 ++++++++
 enforcer/templates/rbac.yaml | 2 +-
 enforcer/values.yaml | 6 +-
 scanner/.helmignore | 21 +++++++
 scanner/Chart.yaml | 5 ++
 scanner/templates/_helpers.tpl | 32 ++++++++++
 scanner/templates/scanner-deployment.yaml | 67 ++++++++++++++++++++
 scanner/values.yaml | 43 +++++++++++++
 server/templates/db-deployment.yaml | 8 ++-
 server/templates/db-password-secret.yaml | 20 +++++-
 server/templates/gate-deployment.yaml | 19 +++---
 server/templates/rbac.yaml | 2 +-
 server/templates/scanner-deployment.yaml | 10 ++-
 server/templates/web-deployment.yaml | 28 +++++----
 server/templates/web-secrets.yaml | 22 +++++++
 server/templates/web-service.yaml | 2 +
 server/values.yaml | 20 +++---
 18 files changed, 343 insertions(+), 63 deletions(-)
 create mode 100644 scanner/.helmignore
 create mode 100644 scanner/Chart.yaml
 create mode 100644 scanner/templates/_helpers.tpl
 create mode 100644 scanner/templates/scanner-deployment.yaml
 create mode 100644 scanner/values.yaml
 create mode 100644 server/templates/web-secrets.yaml
diff --git a/README.md b/README.md
index 587d9e19..83fa38d9 100644
--- a/README.md
+++ b/README.md
@@ -4,12 +4,34 @@ These are Helm charts for installation and maintenance of Aqua Container Security Platform Console, Database, Gateway, Scanner, and Enforcer components. +## Contents + +- [Aqua Security Helm Charts](#aqua-security-helm-charts) + - [Contents](#contents) + - [Chart Details](#chart-details) + - [Prerequisites](#prerequisites) + - [Container Registry Credentials](#container-registry-credentials) + - [PostgreSQL database](#postgresql-database) + - [High-Volume Scanner Installation](#high-volume-scanner-installation) + - [Helm Customizations / Troubleshooting](#helm-customizations--troubleshooting) + - [Non-public cloud provider deployments](#non-public-cloud-provider-deployments) + - [Installing the Charts](#installing-the-charts) + - [Server (console)](#server-console) + - [Enforcer](#enforcer) + - [Scanner](#scanner) + - [Configurable Variables](#configurable-variables) + - [Console](#console) + - [Enforcer](#enforcer-1) + - [Scanner](#scanner-1) + - [Issues and feedback](#issues-and-feedback) + ## Chart Details This repository includes two charts that may be deployed separately: * [**Server**](server/) - deploys the Console, Gateway, and Database components, and optionally the Scanner component * [**Enforcer**](enforcer/) - deploys the Enforcer daemonset +* [**Scanner**](scanner/) - deploys the aqua scanner cli deployment ## Prerequisites @@ -23,7 +45,7 @@ First, create a new namespace named "aqua": kubectl create namespace aqua ``` -Next, create the secret: +Next, **(Optional)** create the secret: ```bash kubectl create secret docker-registry csp-registry-secret --docker-server="registry.aquasec.com" --namespace aqua --docker-username="jg@example.com" --docker-password="Truckin" --docker-email="jg@example.com" 
@@ -159,6 +181,12 @@ helm upgrade --install --namespace aqua csp ./server --set imageCredentials.user helm upgrade --install --namespace aqua csp-enforcer ./enforcer --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<>,enforcerToken= ``` +### Scanner + +```bash +helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials.username=<>,imageCredentials.password=<>,imageCredentials.email=<> +``` + ## Configurable Variables The following table lists the configurable parameters of the Console and Enforcer charts with their default values. 
@@ -169,21 +197,21 @@ The following table lists the configurable parameters of the Console and Enforce | --------------------------------- | ------------------------------------ | ---------------------------------------------------------------------------- | | `imageCredentials.create` | Set if to create new pull image secret | `true` | | `imageCredentials.name` | Your Docker pull image secret name | `csp-registry-secret` | -| `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | N/A | -| `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | N/A | -| `imageCredentials.email` | Your Docker registry (DockerHub, etc.) email | N/A | +| `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | `N/A` | +| `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | `N/A` | +| `imageCredentials.email` | Your Docker registry (DockerHub, etc.) email | `N/A` | | `rbac.enabled` | Create a service account and a ClusterRole | `false` | | `rbac.roleRef` | Use an existing ClusterRole | `` | -| `admin.token` | Use this Aqua license token | N/A | -| `admin.password` | Use this Aqua admin password | N/A | +| `admin.token` | Use this Aqua license token | `N/A` | +| `admin.password` | Use this Aqua admin password | `N/A` | | `db.external.enabled` | Avoid installing a Postgres container and use an external database instead | `false` | -| `db.external.name` | PostgreSQL DB name | N/A | -| `db.external.host` | PostgreSQL DB hostname | N/A | -| `db.external.port` | PostgreSQL DB port | N/A | -| `db.external.user` | PostgreSQL DB username | N/A | -| `db.external.password` | PostgreSQL DB password | N/A | +| `db.external.name` | PostgreSQL DB name | ``N/A`` | +| `db.external.host` | PostgreSQL DB hostname | ``N/A`` | +| `db.external.port` | PostgreSQL DB port | `N/A` | +| `db.external.user` | PostgreSQL DB username | `N/A` | +| `db.external.password` | PostgreSQL DB password | `N/A` | | 
`db.image.repository` | Default PostgreSQL Docker image repository | `database` | -| `db.image.tag` | Default PostgreSQL Docker image tag | `3.5` | +| `db.image.tag` | Default PostgreSQL Docker image tag | `4.0` | | `db.service.type` | Default PostgreSQL service type | `ClusterIP` | | `db.persistence.enabled` | Enable a use of a PostgreSQL PVC | `true` | | `db.persistence.storageClass` | PostgreSQL PVC StorageClass | `default` | @@ -193,18 +221,18 @@ The following table lists the configurable parameters of the Console and Enforce | `web.service.type` | Web service type | `ClusterIP` | | `web.ingress.enabled` | Install ingress for the web component | `false` | | `web.image.repository` | Default Web Docker image repository | `server` | -| `web.image.tag` | Default Web Docker image tag | `3.5` | +| `web.image.tag` | Default Web Docker image tag | `4.0` | | `web.ingress.annotations` | Web ingress annotations | `{}` | | `web.ingress.hosts` | Web ingress hosts definition | `[]` | | `web.ingress.tls` | Web ingress tls | `[]` | | `gate.service.type` | Gate service type | `ClusterIP` | | `gate.image.repository` | Default Gate Docker image repository | `gate` | -| `gate.image.tag` | Default Gate Docker image tag | `3.5` | +| `gate.image.tag` | Default Gate Docker image tag | `4.0` | | `gate.publicIP` | Default Gate service public IP | `` | | `scanner.enabled` | Enable the Scanner-CLI component | `false` | | `scanner.replicas` | Number of Scanner-CLI replicas to run | `1` | -| `scanner.user` | Username for the scanner user assigned to the Scanner role | N/A | -| `scanner.password` | Password for scanner user | N/A | +| `scanner.user` | Username for the scanner user assigned to the Scanner role | `N/A` | +| `scanner.password` | Password for scanner user | `N/A` | ### Enforcer 
@@ -213,13 +241,17 @@ The following table lists the configurable parameters of the Console and Enforce | --------------------------------- | ------------------------------------ | ---------------------------------------------------------------------------- | | `imageCredentials.create` | Set if to create new pull image secret | `false` | | `imageCredentials.name` | Your Docker pull image secret name | `aqua-image-pull-secret` | -| `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | N/A | -| `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | N/A | -| `imageCredentials.email` | Your Docker registry (DockerHub, etc.) email | N/A | -| `enforcerToken` | Aqua Enforcer token | N/A | +| `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | `N/A` | +| `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | `N/A` | +| `imageCredentials.email` | Your Docker registry (DockerHub, etc.) email | `N/A` | +| `enforcerToken` | Aqua Enforcer token | `N/A` | | `server` | Gateway host name | `aqua-gateway` | | `port` | Gateway port | `3622` | + +### Scanner + + ## Issues and feedback If you encounter any problems or would like to give us feedback on deployments, we encourage you to raise issues here on GitHub. diff --git a/enforcer/templates/enforcer-daemonset.yaml b/enforcer/templates/enforcer-daemonset.yaml index 99aa812e..363729a8 100644 --- a/enforcer/templates/enforcer-daemonset.yaml +++ b/enforcer/templates/enforcer-daemonset.yaml @@ -11,6 +11,10 @@ metadata: spec: template: metadata: + annotations: + {{- if and (.Values.tolerations) (semverCompare "<1.6-0" .Capabilities.KubeVersion.GitVersion) }} + scheduler.alpha.kubernetes.io/tolerations: '{{ toJson .Values.tolerations }}' + {{- end }} labels: app: {{ .Release.Name }}-ds name: {{ .Release.Name }}-ds 
@@ -21,8 +25,27 @@ spec: - name: enforcer image: "{{ .Values.imageCredentials.repositoryUriPrefix }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if .Values.privileged }} securityContext: privileged: true + {{- else }} + securityContext: + privileged: false + capabilities: + add: + - SYS_ADMIN + - NET_ADMIN + - NET_RAW + - SYS_PTRACE + - KILL + - MKNOD + - SETGID + - SETUID + - SYS_MODULE + - AUDIT_CONTROL + - SYSLOG + - SYS_CHROOT + {{- end }} env: - name: AQUA_TOKEN valueFrom: @@ -91,3 +114,7 @@ spec: nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} {{- end }} + {{- if and (.Values.tolerations) (semverCompare "^1.6-0" .Capabilities.KubeVersion.GitVersion) }} + tolerations: +{{ toYaml .Values.tolerations | indent 6 }} + {{- end }} diff --git a/enforcer/templates/rbac.yaml b/enforcer/templates/rbac.yaml index dc996b7e..ff5d1b7c 100644 --- a/enforcer/templates/rbac.yaml +++ b/enforcer/templates/rbac.yaml @@ -11,7 +11,7 @@ metadata: release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" spec: - privileged: true + privileged: {{ .Values.privileged }} hostPID: true allowedCapabilities: - '*' diff --git a/enforcer/values.yaml b/enforcer/values.yaml index 5dfebff7..eb682bea 100644 --- a/enforcer/values.yaml +++ b/enforcer/values.yaml @@ -5,9 +5,10 @@ imageCredentials: registry: "registry.aquasec.com" #REQUIRED only if create is true, for dockerhub - "index.docker.io/v1/" username: "" password: "" - email: + email: "example@gmail.com" enforcerToken: "" +privileged: true rbac: enabled: false @@ -19,12 +20,13 @@ gate: image: repository: enforcer - tag: 3.5 + tag: 4.0 pullPolicy: IfNotPresent livenessProbe: {} readinessProbe: {} nodeSelector: {} +tolerations: [] resources: requests: diff --git a/scanner/.helmignore b/scanner/.helmignore new file mode 100644 index 00000000..f0c13194 --- /dev/null +++ b/scanner/.helmignore 
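Review bot: The new `{{- else }}` branch of the enforcer container's securityContext only `add`s capabilities and never drops any, so the container keeps the runtime's default capability set on top of SYS_ADMIN, SYS_MODULE, SYS_PTRACE and the rest; with the PSP's `hostPID: true` that set is still host-root-equivalent, so `privileged: false` must not be read as a sandbox. If the enforcer does not rely on the default capabilities, adding `drop:` / `- ALL` directly above `add:` would make the granted set exactly the one listed — confirm against what the enforcer actually needs before changing it. In any case a comment on the branch such as `# NOTE: SYS_ADMIN + SYS_MODULE with hostPID still allow full host access; this mode only avoids the privileged flag` would stop operators treating the toggle as hardening. The container spec continues past the end of the hunk.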
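Review bot: Switching the PSP's `privileged` field to `{{ .Values.privileged }}` changes nothing in practice, because the same spec keeps `hostPID: true` and `allowedCapabilities: ['*']`, so the policy still admits every capability whether or not the privileged flag is requested. When `privileged` is false the PSP should admit only the capabilities the daemonset template actually adds, so that a compromised or misconfigured pod under this policy cannot request more. The PodSecurityPolicy spec continues past the end of the hunk; the sketch below only covers the `allowedCapabilities` list.
```yaml
  privileged: {{ .Values.privileged }}
  hostPID: true
  allowedCapabilities:
  {{- if .Values.privileged }}
  - '*'
  {{- else }}
  - SYS_ADMIN
  - NET_ADMIN
  - NET_RAW
  - SYS_PTRACE
  - KILL
  - MKNOD
  - SETGID
  - SETUID
  - SYS_MODULE
  - AUDIT_CONTROL
  - SYSLOG
  - SYS_CHROOT
  {{- end }}
  # … unchanged: remainder of the PSP spec …
```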
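Review bot: The new top-level `privileged: true` key is undocumented, and since it drives both the daemonset securityContext and the PSP it needs a comment stating what `false` does and does not give up; something like `# false drops the privileged flag but still grants SYS_ADMIN, SYS_MODULE, SYS_PTRACE etc. via capabilities and keeps hostPID — not a sandbox`. The README table for the Enforcer chart in this patch also gains no `privileged` row, so the toggle is invisible to anyone reading the docs. Separately, defaulting `email` to `"example@gmail.com"` means `imageCredentials.create: true` now silently produces a pull secret with a fabricated address instead of failing on a missing value; if the email is genuinely optional, a comment saying so is better than a fake default.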
@@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/scanner/Chart.yaml b/scanner/Chart.yaml new file mode 100644 index 00000000..c9276197 --- /dev/null +++ b/scanner/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart for the aqua scanner cli component +name: scanner +version: 0.1.0 diff --git a/scanner/templates/_helpers.tpl b/scanner/templates/_helpers.tpl new file mode 100644 index 00000000..120ad996 --- /dev/null +++ b/scanner/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "scanner.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "scanner.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "scanner.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} 
diff --git a/scanner/templates/scanner-deployment.yaml b/scanner/templates/scanner-deployment.yaml
new file mode 100644
index 00000000..78c74968
--- /dev/null
+++ b/scanner/templates/scanner-deployment.yaml
@@ -0,0 +1,67 @@ +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: {{ .Release.Name }}-scanner + labels: + app: {{ .Release.Name }}-scanner + chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + replicas: {{ .Values.replicaCount }} + template: + metadata: + annotations: + {{- if and (.Values.tolerations) (semverCompare "<1.6-0" .Capabilities.KubeVersion.GitVersion) }} + scheduler.alpha.kubernetes.io/tolerations: '{{ toJson .Values.tolerations }}' + {{- end }} + labels: + app: {{ .Release.Name }}-scanner + name: {{ .Release.Name }}-scanner + spec: + serviceAccount: {{ .Values.serviceAccount }} + containers: + - name: scanner + image: "{{ .Values.imageCredentials.repositoryUriPrefix }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + args: + - "daemon" + - "--user" + - "{{ required "Please specify a username associated with the Scanner role!" .Values.user }}" + - "--password" + - "{{ required "Please specify a password for a user associated with the Scanner role!" .Values.password }}" + - "--host" + - "http://{{ .Values.server.serviceName }}:{{ .Values.server.port }}" + volumeMounts: + - mountPath: /var/run/docker.sock + name: docker-socket-mount + ports: + - containerPort: 8080 + protocol: TCP +{{- with .Values.livenessProbe }} + livenessProbe: +{{ toYaml . | indent 10 }} +{{- end }} +{{- with .Values.readinessProbe }} + readinessProbe: +{{ toYaml . | indent 10 }} +{{- end }} + resources: +{{ toYaml .Values.resources | indent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . 
| indent 8 }} + {{- end }} + {{- if and (.Values.tolerations) (semverCompare "^1.6-0" .Capabilities.KubeVersion.GitVersion) }} + tolerations: +{{ toYaml .Values.tolerations | indent 6 }} + {{- end }} + volumes: + - name: docker-socket-mount + hostPath: + path: {{ .Values.docker.socket.path }} diff --git a/scanner/values.yaml b/scanner/values.yaml new file mode 100644 index 00000000..8a9d8db3 --- /dev/null +++ b/scanner/values.yaml @@ -0,0 +1,43 @@ +imageCredentials: + create: false + name: csp-registry-secret # When create is false please specify + repositoryUriPrefix: "registry.aquasec.com" # for dockerhub - "docker.io" + registry: "registry.aquasec.com" #REQUIRED only if create is true, for dockerhub - "index.docker.io/v1/" + username: "" + password: "" + email: "example@gmail.com" + +docker: + socket: + path: /var/run/docker.sock # pks - /var/vcap/data/sys/run/docker/docker.sock + +enabled: false +serviceAccount: aqua-sa +server: + serviceName: aqua-console-svc + port: 8080 + +image: + repository: scanner + tag: 4.0 + pullPolicy: IfNotPresent + +user: +password: +replicaCount: 1 +livenessProbe: {} +readinessProbe: {} +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi +nodeSelector: {} +tolerations: [] +affinity: {} diff --git a/server/templates/db-deployment.yaml b/server/templates/db-deployment.yaml index bd887826..25781e43 100644 --- a/server/templates/db-deployment.yaml +++ b/server/templates/db-deployment.yaml 
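Review bot: The scanner user and password are passed as plain container `args`, so they are readable by anyone with `get pods` on the namespace, appear in `ps` on the node, and are stored in the Helm release record — in contrast to the same patch's `web-deployment.yaml`, which moves the admin password into a Secret. Kubernetes expands `$(VAR)` in `args` from environment variables declared earlier in the container, so the CLI flags can be kept while the values come from a Secret; the stored pod spec then shows only the placeholder. That needs a companion Secret template (like the new `web-secrets.yaml`) holding `user` and `password`, which is where the `required` checks now on the `args` lines belong. Note also that `--host` uses plain `http://`, so the same password is sent unencrypted to the console on every request, and the `/var/run/docker.sock` hostPath makes this pod root-equivalent on its node — both deserve a comment in the template.
```yaml
        env:
        - name: SCANNER_USER
          valueFrom:
            secretKeyRef:
              name: {{ .Release.Name }}-scanner-secrets
              key: user
        - name: SCANNER_PASSWORD
          valueFrom:
            secretKeyRef:
              name: {{ .Release.Name }}-scanner-secrets
              key: password
        args:
        - "daemon"
        - "--user"
        - "$(SCANNER_USER)"
        - "--password"
        - "$(SCANNER_PASSWORD)"
        - "--host"
        - "http://{{ .Values.server.serviceName }}:{{ .Values.server.port }}"
        # … unchanged: volumeMounts, ports, probes, resources …
```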
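Review bot: The top-level `enabled: false` in the new scanner chart's values has no visible effect — the `scanner-deployment.yaml` added in this patch does not test `.Values.enabled` — so a user setting it to false would still get the deployment; if it is meant only as a parent-chart `condition:`, say so with a comment, otherwise remove it. `serviceAccount: aqua-sa` presumably refers to the service account created by the server chart's RBAC templates; a comment such as `# Must already exist; created by the server chart when rbac.enabled is true` would make that dependency explicit. `docker.socket.path` deserves a comment that the socket is mounted as a hostPath and that access to it is equivalent to root on the node, so operators know why this pod needs to be scheduled and policed carefully.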
@@ -12,6 +12,10 @@ metadata: spec: template: metadata: + annotations: + {{- if and (.Values.db.tolerations) (semverCompare "<1.6-0" .Capabilities.KubeVersion.GitVersion) }} + scheduler.alpha.kubernetes.io/tolerations: '{{ toJson .Values.db.tolerations }}' + {{- end }} labels: app: {{ .Release.Name }}-database name: {{ .Release.Name }}-database @@ -55,9 +59,9 @@ spec: affinity: {{ toYaml . | indent 8 }} {{- end }} - {{- with .Values.db.tolerations }} + {{- if and (.Values.db.tolerations) (semverCompare "^1.6-0" .Capabilities.KubeVersion.GitVersion) }} tolerations: -{{ toYaml . | indent 8 }} +{{ toYaml .Values.db.tolerations | indent 6 }} {{- end }} volumes: - name: postgres-database diff --git a/server/templates/db-password-secret.yaml b/server/templates/db-password-secret.yaml index 07fff64b..697a0d1f 100644 --- a/server/templates/db-password-secret.yaml +++ b/server/templates/db-password-secret.yaml @@ -1,4 +1,22 @@ -{{- if not .Values.db.external.enabled }} + +{{- if .Values.db.external.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-database-password + labels: + app: {{ .Release.Name }}-database + chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": before-hook-creation +type: Opaque +data: + db-password: {{ .Values.db.external.password | b64enc | quote }} +{{- else }} --- apiVersion: v1 kind: Secret diff --git a/server/templates/gate-deployment.yaml b/server/templates/gate-deployment.yaml index 591e546b..ae0c5bfa 100644 --- a/server/templates/gate-deployment.yaml +++ b/server/templates/gate-deployment.yaml 
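Review bot: The new external-DB branch of `db-password-secret.yaml` is created only by a `pre-install` hook with `before-hook-creation` delete policy, so the Secret is not a release resource: a later `helm upgrade` with a changed `db.external.password` will not re-run the hook and the pods keep using the stale password, and `helm delete` leaves the Secret behind. Unless there is a reason for the hook (the non-external branch below it is a plain resource), drop both `helm.sh/hook` annotations so the Secret follows the release. Also `{{ .Values.db.external.password | b64enc | quote }}` silently produces an empty secret when the value is unset; `db-password: {{ required "db.external.password is required when db.external.enabled is true" .Values.db.external.password | b64enc | quote }}` fails at render time instead.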
@@ -12,6 +12,10 @@ spec: replicas: {{ .Values.gate.replicaCount }} template: metadata: + annotations: + {{- if and (.Values.gate.tolerations) (semverCompare "<1.6-0" .Capabilities.KubeVersion.GitVersion) }} + scheduler.alpha.kubernetes.io/tolerations: '{{ toJson .Values.gate.tolerations }}' + {{- end }} labels: app: {{ .Release.Name }}-gateway name: {{ .Release.Name }}-gateway @@ -22,21 +26,16 @@ spec: image: "{{ .Values.imageCredentials.repositoryUriPrefix }}/{{ .Values.gate.image.repository }}:{{ .Values.gate.image.tag }}" imagePullPolicy: "{{ .Values.gate.image.pullPolicy }}" env: - # TODO: What default value should we use for SCALOCK_GATEWAY_PUBLIC_IP - name: SCALOCK_GATEWAY_PUBLIC_IP - value: {{ .Values.gate.publicIP | default "aqua-gateway" }} + value: {{ .Values.gate.publicIP | default "aqua-gateway-svc" }} value: aqua-gateway - name: SCALOCK_DBUSER value: {{ .Values.db.external.enabled | ternary .Values.db.external.user "postgres" }} - name: SCALOCK_DBPASSWORD - {{- if .Values.db.external.enabled }} - value: {{ .Values.db.external.password }} - {{- else }} valueFrom: secretKeyRef: name: {{ .Release.Name }}-database-password key: db-password - {{- end }} - name: SCALOCK_DBNAME value: {{ .Values.db.external.enabled | ternary .Values.db.external.name "scalock" }} - name: SCALOCK_DBHOST @@ -50,14 +49,10 @@ spec: - name: SCALOCK_AUDIT_DBUSER value: {{ .Values.db.external.enabled | ternary .Values.db.external.auditUser "postgres" }} - name: SCALOCK_AUDIT_DBPASSWORD - {{- if .Values.db.external.enabled }} - value: {{ .Values.db.external.auditPassword }} - {{- else }} valueFrom: secretKeyRef: name: {{ .Release.Name }}-database-password key: db-password - {{- end }} - name: SCALOCK_AUDIT_DBNAME value: {{ .Values.db.external.enabled | ternary .Values.db.external.auditName "slk_audit" }} - name: SCALOCK_AUDIT_DBHOST 
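Review bot: Removing the `{{- if .Values.db.external.enabled }}` branch around `SCALOCK_AUDIT_DBPASSWORD` makes the gateway read the audit password from the same `db-password` key as the main database, so `db.external.auditPassword` (still present in `server/values.yaml` per the hunks in this patch) is silently ignored and an external audit DB with its own password can no longer be connected. The Secret should carry a second key, e.g. `db-audit-password: {{ .Values.db.external.auditPassword | default .Values.db.external.password | b64enc | quote }}`, and this env var should reference `key: db-audit-password`. Separately, the rendered hunk shows a context line `value: aqua-gateway` directly under the new `value: {{ .Values.gate.publicIP | default "aqua-gateway-svc" }}`; if that duplicate `value:` key really exists in the file, the second one wins in most YAML parsers and both `gate.publicIP` and the new default are ignored, so it should be deleted.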
@@ -89,7 +84,7 @@ spec: affinity: {{ toYaml . | indent 8 }} {{- end }} - {{- with .Values.gate.tolerations }} + {{- if and (.Values.gate.tolerations) (semverCompare "^1.6-0" .Capabilities.KubeVersion.GitVersion) }} tolerations: -{{ toYaml . | indent 8 }} +{{ toYaml .Values.gate.tolerations | indent 6 }} {{- end }} diff --git a/server/templates/rbac.yaml b/server/templates/rbac.yaml index f289febb..c065dda6 100644 --- a/server/templates/rbac.yaml +++ b/server/templates/rbac.yaml @@ -11,7 +11,7 @@ metadata: release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" spec: - privileged: true + privileged: {{ .Values.privileged }} allowedCapabilities: - '*' fsGroup: diff --git a/server/templates/scanner-deployment.yaml b/server/templates/scanner-deployment.yaml index 2378851d..60fd8444 100644 --- a/server/templates/scanner-deployment.yaml +++ b/server/templates/scanner-deployment.yaml @@ -12,6 +12,10 @@ spec: replicas: {{ .Values.scanner.replicaCount }} template: metadata: + annotations: + {{- if and (.Values.scanner.tolerations) (semverCompare "<1.6-0" .Capabilities.KubeVersion.GitVersion) }} + scheduler.alpha.kubernetes.io/tolerations: '{{ toJson .Values.scanner.tolerations }}' + {{- end }} labels: app: {{ .Release.Name }}-scanner name: {{ .Release.Name }}-scanner @@ -53,12 +57,12 @@ spec: affinity: {{ toYaml . | indent 8 }} {{- end }} - {{- with .Values.scanner.tolerations }} + {{- if and (.Values.scanner.tolerations) (semverCompare "^1.6-0" .Capabilities.KubeVersion.GitVersion) }} tolerations: -{{ toYaml . | indent 8 }} +{{ toYaml .Values.scanner.tolerations | indent 6 }} {{- end }} volumes: - name: docker-socket-mount hostPath: - path: /var/run/docker.sock + path: {{ .Values.docker.socket.path }} {{- end }} diff --git a/server/templates/web-deployment.yaml b/server/templates/web-deployment.yaml index ff2e1b67..a2f80c25 100644 --- a/server/templates/web-deployment.yaml +++ b/server/templates/web-deployment.yaml 
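Review bot: `server/templates/rbac.yaml` now renders `privileged: {{ .Values.privileged }}`, but the `server/values.yaml` hunks in this patch add no `privileged` key and the README's console table gains no row for it, so unless the key is defined outside the hunks shown the PSP field renders empty and the default flips from `true` to unset (false) without anyone choosing that. Add `privileged: true` (or the intended default) to `server/values.yaml` with a comment, and document it in the README next to the enforcer's toggle. As with the enforcer PSP, the unchanged `allowedCapabilities: ['*']` in this spec means the toggle does not actually restrict what a pod under the policy can request; the PodSecurityPolicy spec continues past the end of the hunk.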
@@ -12,6 +12,10 @@ spec: replicas: {{ .Values.web.replicaCount }} template: metadata: + annotations: + {{- if and (.Values.web.tolerations) (semverCompare "<1.6-0" .Capabilities.KubeVersion.GitVersion) }} + scheduler.alpha.kubernetes.io/tolerations: '{{ toJson .Values.web.tolerations }}' + {{- end }} labels: app: {{ .Release.Name }}-console name: {{ .Release.Name }}-console @@ -25,14 +29,10 @@ spec: - name: SCALOCK_DBUSER value: {{ .Values.db.external.enabled | ternary .Values.db.external.user "postgres" }} - name: SCALOCK_DBPASSWORD - {{- if .Values.db.external.enabled }} - value: {{ .Values.db.external.password }} - {{- else }} valueFrom: secretKeyRef: name: {{ .Release.Name }}-database-password key: db-password - {{- end }} - name: SCALOCK_DBNAME value: {{ .Values.db.external.enabled | ternary .Values.db.external.name "scalock" }} - name: SCALOCK_DBHOST @@ -46,14 +46,10 @@ spec: - name: SCALOCK_AUDIT_DBUSER value: {{ .Values.db.external.enabled | ternary .Values.db.external.auditUser "postgres" }} - name: SCALOCK_AUDIT_DBPASSWORD - {{- if .Values.db.external.enabled }} - value: {{ .Values.db.external.auditPassword }} - {{- else }} valueFrom: secretKeyRef: name: {{ .Release.Name }}-database-password key: db-password - {{- end }} - name: SCALOCK_AUDIT_DBNAME value: {{ .Values.db.external.enabled | ternary .Values.db.external.auditName "slk_audit" }} - name: SCALOCK_AUDIT_DBHOST @@ -66,11 +62,17 @@ spec: value: {{ .Values.db.external.enabled | ternary .Values.db.external.auditPort "5432" | quote }} {{- if .Values.admin.token }} - name: LICENSE_TOKEN - value: {{ .Values.admin.token }} + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-console-secrets + key: license-token {{- end }} {{- if .Values.admin.password }} - name: ADMIN_PASSWORD - value: {{ .Values.admin.password }} + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-console-secrets + key: admin-password {{- end }} ports: - containerPort: 8080 
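Review bot: Dropping the `db.external.enabled` branch around `SCALOCK_AUDIT_DBPASSWORD` in the console deployment makes the audit DB password always come from the `db-password` key, so `db.external.auditPassword` is ignored and an external audit database with a distinct password cannot be configured any more. Give the password Secret a separate `db-audit-password` key and reference it here, e.g. `key: db-audit-password`, falling back to the main password when `auditPassword` is unset. Moving `LICENSE_TOKEN` and `ADMIN_PASSWORD` into `secretKeyRef`s in the last hunk is the right direction; a one-line comment above those entries naming the Secret template they depend on (`web-secrets.yaml`) would help the next reader.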
@@ -96,11 +98,11 @@ spec: affinity: {{ toYaml . | indent 8 }} {{- end }} - {{- with .Values.web.tolerations }} + {{- if and (.Values.web.tolerations) (semverCompare "^1.6-0" .Capabilities.KubeVersion.GitVersion) }} tolerations: -{{ toYaml . | indent 8 }} +{{ toYaml .Values.web.tolerations | indent 6 }} {{- end }} volumes: - name: docker-socket-mount hostPath: - path: /var/run/docker.sock + path: {{ .Values.docker.socket.path }} diff --git a/server/templates/web-secrets.yaml b/server/templates/web-secrets.yaml new file mode 100644 index 00000000..dc870b89 --- /dev/null +++ b/server/templates/web-secrets.yaml @@ -0,0 +1,22 @@ +{{- if or (( .Values.admin.password) .Values.admin.token) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-console-secrets + labels: + app: {{ .Release.Name }}-console + chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +metadata: + name: {{ .Release.Name }}-console-secrets +type: Opaque +data: +{{- if .Values.admin.password }} + admin-password: {{ .Values.admin.password | b64enc | quote }} +{{- end }} +{{- if .Values.admin.token }} + license-token: {{ .Values.admin.token | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/server/templates/web-service.yaml b/server/templates/web-service.yaml index 74ca9193..53507504 100644 --- a/server/templates/web-service.yaml +++ b/server/templates/web-service.yaml @@ -15,3 +15,5 @@ spec: ports: - port: {{ .Values.web.service.externalPort }} targetPort: 8080 + protocol: TCP + name: {{ .Release.Name }}-console diff --git a/server/values.yaml b/server/values.yaml index 6a09b5b8..7e2934c0 100644 --- a/server/values.yaml +++ b/server/values.yaml 
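Review bot: The new `web-secrets.yaml` declares `metadata:` twice — once with the labels and once with only `name:` — so depending on the parser the second block either replaces the first (losing the `app`/`chart`/`release`/`heritage` labels) or the manifest is rejected as a duplicate key; delete the second `metadata:` / `name:` pair. The guard `{{- if or (( .Values.admin.password) .Values.admin.token) }}` looks like it passes `.Values.admin.token` as an argument to the parenthesised `.Values.admin.password`, which the Go template engine should reject as giving an argument to a non-function; the intended expression is `{{- if or .Values.admin.password .Values.admin.token }}`. The file also lacks a trailing newline.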
@@ -6,16 +6,20 @@ imageCredentials: registry: "registry.aquasec.com" #REQUIRED only if create is true, for dockerhub - "index.docker.io/v1/" username: "" password: "" - email: - + email: "example@gmail.com" rbac: enabled: true roleRef: admin: - token: "" - password: "" + token: + password: + clustermode: false + +docker: + socket: + path: /var/run/docker.sock # pks - /var/vcap/data/sys/run/docker/docker.sock db: external: @@ -32,7 +36,7 @@ db: auditPassword: image: repository: database - tag: 3.5 + tag: 4.0 pullPolicy: IfNotPresent service: type: ClusterIP @@ -73,7 +77,7 @@ db: gate: image: repository: gateway - tag: 3.5 + tag: 4.0 pullPolicy: IfNotPresent service: type: ClusterIP @@ -96,7 +100,7 @@ gate: web: image: repository: console - tag: 3.5 + tag: 4.0 pullPolicy: IfNotPresent service: type: ClusterIP @@ -129,7 +133,7 @@ scanner: enabled: false image: repository: scanner - tag: 3.5 + tag: 4.0 pullPolicy: IfNotPresent user: password:
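Review bot: `admin.clustermode: false` is introduced here but no template in this patch reads `.Values.admin.clustermode`, so it is either dead or belongs to a template outside the diff — a comment stating what it controls would settle that. The new `docker.socket.path` is mounted as a hostPath into the console and scanner pods, which is root-equivalent on the node; a comment such as `# Mounted into the console and scanner pods; access to this socket is equivalent to root on the node` belongs next to it. `server/templates/rbac.yaml` in this patch renders `privileged: {{ .Values.privileged }}`, yet this file gains no `privileged` key (unless it sits outside the hunks shown), so add `privileged: true` here with the same explanatory comment the enforcer chart needs.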