Helm initialization of ClamAV virus scan (#3418)

- Copied Helm charts to our project from [source](https://github.com/bcgov/common-hosted-clamav-service) - Updated the values for our openshift namespace specific - Created github actions to enable install, upgrade, and uninstall clamav using helm Files that are changed .github/workflows/clamav.yml sims.code-workspace devops/helm/main/values-0c27fb-dev.yaml devops/helm/main/values-0c27fb-prod.yaml devops/helm/main/values-0c27fb-test.yaml devops/helm/main/values-a6ef19-dev.yaml devops/helm/main/values-a6ef19-prod.yaml devops/helm/main/values-a6ef19-test.yaml Note: This is just a template for the github action, so once it is merged will create another PR if there are any changes needed in the github action.
bcgov · Jun 13, 2024 · 4883eea · 4883eea
1 parent 0c170df
commit 4883eea
Show file tree

Hide file tree

Showing 29 changed files with 2,063 additions and 0 deletions.
diff --git a/.github/workflows/clamav.yml b/.github/workflows/clamav.yml
@@ -0,0 +1,46 @@
+name: ClamAV - Install/Upgrade/Remove
+run-name: ClamAV -  ${{ inputs.environment }} ClamAV in ${{ inputs.environment }} using ${{ inputs.gitRef }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "Environment"
+        required: true
+        type: environment
+      action:
+        description: "Action"
+        required: true
+        type: choice
+        options:
+          - install
+          - upgrade
+          - uninstall
+      clamavImageTag:
+        description: "ClamAV Image Tag"
+        required: true
+        default: "main"
+      gitRef:
+        description: "Git Ref"
+        required: true
+        default: "main"
+
+jobs:
+  manageClamav:
+    name: ${{ inputs.environment }} ClamAV in ${{ inputs.environment }}
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    env:
+      NAMESPACE: ${{ secrets.OPENSHIFT_ENV_NAMESPACE }}
+    steps:
+      - name: Checkout Target Branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.gitRef }}
+      - name: Log in to OpenShift
+        run: |
+          oc login --token=${{ secrets.SA_TOKEN }} --server=${{ vars.OPENSHIFT_CLUSTER_URL }}
+      - name: Manage ClamAV
+        working-directory: "./devops/helm/clamAV/main/"
+        run: |
+          make ${{ inputs.action }} NAMESPACE=${{ secrets.OPENSHIFT_ENV_NAMESPACE }} IMAGE_TAG=${{ inputs.clamavImageTag }}
diff --git a/.gitignore b/.gitignore
@@ -18,3 +18,6 @@ testing/**/report/
 videos/
 cypress.env.json
 
+charts/
+template.yaml
+*.secret.yaml
diff --git a/devops/helm/clamAV/_clamav/.helmignore b/devops/helm/clamAV/_clamav/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/devops/helm/clamAV/_clamav/Chart.yaml b/devops/helm/clamAV/_clamav/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: clamav
+description: A Helm chart for ClamAV
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
diff --git a/devops/helm/clamAV/_clamav/README.md b/devops/helm/clamAV/_clamav/README.md
@@ -0,0 +1,15 @@
+# ClamAV
+
+## Test the image locally
+
+```sh
+docker run -it --rm \
+    --mount type=bind,source=/path/to/configurations,target=/etc/clamav \
+    --env 'CLAMAV_NO_CLAMD=false' \
+    --env 'CLAMAV_NO_FRESHCLAMD=false' \
+    --env 'CLAMAV_NO_MILTERD=true' \
+    --env 'CLAMD_STARTUP_TIMEOUT=1800' \
+    --env 'FRESHCLAM_CHECKS=1' \
+    -p 3310:3310 \
+    ghcr.io/bcgov/clamav-unprivileged:main
+```
diff --git a/devops/helm/clamAV/_clamav/configurations/1.0/clamav-milter.conf b/devops/helm/clamAV/_clamav/configurations/1.0/clamav-milter.conf
@@ -0,0 +1,292 @@
+##
+## Example config file for clamav-milter
+##
+
+##
+## Main options
+##
+
+# Define the interface through which we communicate with sendmail
+# This option is mandatory! Possible formats are:
+# [[unix|local]:]/path/to/file - to specify a unix domain socket
+# inet:port@[hostname|ip-address] - to specify an ipv4 socket
+# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
+#
+# Default: no default
+#MilterSocket /tmp/clamav-milter.socket
+#MilterSocket inet:7357
+
+# Define the group ownership for the (unix) milter socket.
+# Default: disabled (the primary group of the user running clamd)
+#MilterSocketGroup virusgroup
+
+# Sets the permissions on the (unix) milter socket to the specified mode.
+# Default: disabled (obey umask)
+#MilterSocketMode 660
+
+# Remove stale socket after unclean shutdown.
+#
+# Default: yes
+#FixStaleSocket yes
+
+# Run as another user (clamav-milter must be started by root for this option
+# to work)
+#
+# Default: unset (don't drop privileges)
+#User clamav
+
+# Waiting for data from clamd will timeout after this time (seconds).
+# Value of 0 disables the timeout.
+#
+# Default: 120
+#ReadTimeout 300
+
+# Don't fork into background.
+#
+# Default: no
+#Foreground yes
+
+# Chroot to the specified directory.
+# Chrooting is performed just after reading the config file and before
+# dropping privileges.
+#
+# Default: unset (don't chroot)
+#Chroot /newroot
+
+# This option allows you to save a process identifier of the listening
+# daemon.
+# This file will be owned by root, as long as clamav-milter was started by
+# root.  It is recommended that the directory where this file is stored is
+# also owned by root to keep other users from tampering with it.
+#
+# Default: disabled
+#PidFile /var/run/clamav-milter.pid
+
+# Optional path to the global temporary directory.
+# Default: system specific (usually /tmp or /var/tmp).
+#
+#TemporaryDirectory /var/tmp
+
+##
+## Clamd options
+##
+
+# Define the clamd socket to connect to for scanning.
+# This option is mandatory! Syntax:
+# ClamdSocket unix:path
+# ClamdSocket tcp:host:port
+# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
+#     ClamdSocket unix:/var/run/clamd/clamd.socket
+# The second syntax specifies a tcp local or remote tcp socket: the
+# host can be a hostname or an ip address; the ":port" field is only required
+# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
+#     ClamdSocket tcp:192.168.0.1
+#
+# This option can be repeated several times with different sockets or even
+# with the same socket: clamd servers will be selected in a round-robin
+# fashion.
+#
+# Default: no default
+#ClamdSocket tcp:scanner.mydomain:7357
+
+
+##
+## Exclusions
+##
+
+# Messages originating from these hosts/networks will not be scanned
+# This option takes a host(name)/mask pair in CIRD notation and can be
+# repeated several times. If "/mask" is omitted, a host is assumed.
+# To specify a locally originated, non-smtp, email use the keyword "local"
+#
+# Default: unset (scan everything regardless of the origin)
+#LocalNet local
+#LocalNet 192.168.0.0/24
+#LocalNet 1111:2222:3333::/48
+
+# This option specifies a file which contains a list of basic POSIX regular
+# expressions. Addresses (sent to or from - see below) matching these regexes
+# will not be scanned.  Optionally each line can start with the string "From:"
+# or "To:" (note: no whitespace after the colon) indicating if it is,
+# respectively, the sender or recipient that is to be allowed.
+# If the field is missing, "To:" is assumed.
+# Lines starting with #, : or ! are ignored.
+#
+# Default unset (no exclusion applied)
+#AllowList /etc/allowed_addresses
+
+# Messages from authenticated SMTP users matching this extended POSIX
+# regular expression (egrep-like) will not be scanned.
+# As an alternative, a file containing a plain (not regex) list of names (one
+# per line) can be specified using the prefix "file:".
+# e.g. SkipAuthenticated file:/etc/good_guys
+#
+# Note: this is the AUTH login name!
+#
+# Default: unset (no allowing based on SMTP auth)
+#SkipAuthenticated ^(tom|dick|henry)$
+
+# Messages larger than this value won't be scanned.
+# Make sure this value is lower or equal than StreamMaxLength in clamd.conf
+#
+# Default: 25M
+#MaxFileSize 10M
+
+
+##
+## Actions
+##
+
+# The following group of options controls the delivery process under
+# different circumstances.
+# The following actions are available:
+# - Accept
+#   The message is accepted for delivery
+# - Reject
+#   Immediately refuse delivery (a 5xx error is returned to the peer)
+# - Defer
+#   Return a temporary failure message (4xx) to the peer
+# - Blackhole (not available for OnFail)
+#   Like Accept but the message is sent to oblivion
+# - Quarantine (not available for OnFail)
+#   Like Accept but message is quarantined instead of being delivered
+#
+# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
+# For Postfix this causes the message to be placed on hold
+#
+# Action to be performed on clean messages (mostly useful for testing)
+# Default: Accept
+#OnClean Accept
+
+# Action to be performed on infected messages
+# Default: Quarantine
+#OnInfected Quarantine
+
+# Action to be performed on error conditions (this includes failure to
+# allocate data structures, no scanners available, network timeouts,
+# unknown scanner replies and the like)
+# Default: Defer
+#OnFail Defer
+
+# This option allows to set a specific rejection reason for infected messages
+# and it's therefore only useful together with "OnInfected Reject"
+# The string "%v", if present, will be replaced with the virus name.
+# Default: MTA specific
+#RejectMsg
+
+# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
+# "X-Virus-Status" headers will be attached to each processed message, possibly
+# replacing existing headers.
+# If it is set to Add, the X-Virus headers are added possibly on top of the
+# existing ones.
+# Note that while "Replace" can potentially break DKIM signatures, "Add" may
+# confuse procmail and similar filters.
+# Default: no
+#AddHeader Replace
+
+# When AddHeader is in use, this option allows to arbitrary set the reported
+# hostname. This may be desirable in order to avoid leaking internal names.
+# If unset the real machine name is used.
+# Default: disabled
+#ReportHostname my.mail.server.name
+
+# Execute a command (possibly searching PATH) when an infected message is
+# found.
+# The following parameters are passed to the invoked program in this order:
+# virus name, queue id, sender, destination, subject, message id, message date.
+# Note #1: this requires MTA macroes to be available (see LogInfected below)
+# Note #2: the process is invoked in the context of clamav-milter
+# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
+# avoid unnecessary delays in email delivery
+# Default: disabled
+#VirusAction /usr/local/bin/my_infected_message_handler
+
+##
+## Logging options
+##
+
+# Uncomment this option to enable logging.
+# LogFile must be writable for the user running daemon.
+# A full path is required.
+#
+# Default: disabled
+#LogFile /tmp/clamav-milter.log
+
+# By default the log file is locked for writing - the lock protects against
+# running clamav-milter multiple times.
+# This option disables log file locking.
+#
+# Default: no
+#LogFileUnlock yes
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
+# rotation (the LogRotate option) will always be enabled.
+#
+# Default: 1M
+#LogFileMaxSize 2M
+
+# Log time with each message.
+#
+# Default: no
+#LogTime yes
+
+# Use system logger (can work together with LogFile).
+#
+# Default: no
+#LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+#
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+
+# Enable verbose logging.
+#
+# Default: no
+#LogVerbose yes
+
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+#LogRotate yes
+
+# This option allows to tune what is logged when a message is infected.
+# Possible values are Off (the default - nothing is logged),
+# Basic (minimal info logged), Full (verbose info logged)
+# Note:
+# For this to work properly in sendmail, make sure the msg_id, mail_addr,
+# rcpt_addr and i macroes are available in eom. In other words add a line like:
+# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
+# to your .cf file. Alternatively use the macro:
+# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
+# Postfix should be working fine with the default settings.
+#
+# Default: disabled
+#LogInfected Basic
+
+# This option allows to tune what is logged when no threat is found in
+# a scanned message.
+# See LogInfected for possible values and caveats.
+# Useful in debugging but drastically increases the log size.
+# Default: disabled
+#LogClean Basic
+
+# This option affects the behaviour of LogInfected, LogClean and VirusAction
+# when a message with multiple recipients is scanned:
+# If SupportMultipleRecipients is off (the default)
+# then one single log entry is generated for the message and, in case the
+# message is determined to be malicious, the command indicated by VirusAction
+# is executed just once. In both cases only the last recipient is reported.
+# If SupportMultipleRecipients is on:
+# then one line is logged for each recipient and the command indicated
+# by VirusAction is also executed once for each recipient.
+#
+# Note: although it's probably a good idea to enable this option, the default
+# value
+# is currently set to off for legacy reasons.
+# Default: no
+#SupportMultipleRecipients yes