Rework vulnz chart, breaking changes.

- add persistence - use truechart as base
EugenMayer · Feb 26, 2024 · cd0ab14 · cd0ab14
1 parent 3b8334a
commit cd0ab14
Show file tree

Hide file tree

Showing 12 changed files with 147 additions and 150 deletions.
diff --git a/charts/vulnz-nvd-mirror/.gitignore b/charts/vulnz-nvd-mirror/.gitignore
@@ -0,0 +1 @@
+charts
diff --git a/charts/vulnz-nvd-mirror/CHANGELOG.md b/charts/vulnz-nvd-mirror/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 0.1.0
+Breaking change! Please be sure to set the NVD_API_KEY using the new way since the chart was reworked.
+
+- Rework chart to base on TrueCharts. 
+- introduce persistence for downloaded cache
+- Change to ghcr.io/jeremylong/open-vulnerability-data-mirror
+
 ## 0.0.3
 - use temp. different docker image source `ghcr.io/eugenmayer/vulnz` instead of `ghcr.io/jeremylong/vulnz` until
   the PR https://github.com/jeremylong/Open-Vulnerability-Project/pull/114 has been merged and the official image has

diff --git a/charts/vulnz-nvd-mirror/Chart.lock b/charts/vulnz-nvd-mirror/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+  repository: oci://tccr.io/truecharts
+  version: 18.0.3
+digest: sha256:e3bff0d08d2e5708253799cfe7dadba5350dbaec235c7d7e42a5c4352903e69a
+generated: "2024-02-26T09:03:57.247150711+01:00"
diff --git a/charts/vulnz-nvd-mirror/Chart.yaml b/charts/vulnz-nvd-mirror/Chart.yaml
@@ -1,12 +1,24 @@
+kubeVersion: ">=1.24.0-0"
 apiVersion: v2
-description: NVD api mirror and cache
 name: vulnz-nvd-mirror
-home: https://github.com/jeremylong/Open-Vulnerability-Project/vulnz
-version: 0.0.4
+version: 0.1.0
 appVersion: 5.1.1
+description: NVD api mirror and cache
+home: https://github.com/EugenMayer/helm-charts/tree/main/charts/vulnz-nvd-mirror
+deprecated: false
 keywords:
   - network
   - tools
   - development
 sources:
   - https://github.com/EugenMayer/helm-charts/tree/main/charts/vulnz-nvd-mirror
+  - https://github.com/jeremylong/Open-Vulnerability-Project/vulnz
+dependencies:
+  - name: common
+    version: 18.0.3
+    repository: oci://tccr.io/truecharts
+    condition: ""
+    alias: ""
+    tags: []
+    import-values: []
+type: application
diff --git a/charts/vulnz-nvd-mirror/README.md b/charts/vulnz-nvd-mirror/README.md
@@ -16,24 +16,47 @@ helm install eugenmayer/coredns-private-dns-fix
 
 # Configuration
 You can tweak the configuration. In general you can mass any ENV var you like using the map.
-For example to adjust the memory usage
+For example to adjust the memory usage or set any additional env var
 
 ```yaml
-vulnz:
-  env:
-    JAVA_OPT: -Xmx2g
+workload:
+  main:
+    podSpec:
+      containers:
+        main:
+          env:
+            JAVA_OPT: -Xmx2g
 ```
 
 ### API key
 
 There is a rate limit that can be eased by creating an API key on NVDs side. To let your mirror use the API key create secret
 with the key `NVD_API_KEY` and your API key as the value
 
-Add this secret under the name `vulnz-nvd-secret` and uncomment the following lines in the `values.yml`
+Either add your API key as ENV value directly
+```yaml
+workload:
+  main:
+    podSpec:
+      containers:
+        main:
+          env:
+            NVD_API_KEY: YOUR-API-KEY
+```
+
+Or via a secret you created:
 
 ```yaml
-nvd:
-  secretName: vulnz-nvd-secret
+workload:
+  main:
+    podSpec:
+      containers:
+        main:
+          env:
+            NVD_API_KEY:
+              secretKeyRef:
+                name: nvd-api-key-secret-ref
+                key: password
 ```
 
 Of course, you can change the secret name if you like.
@@ -66,15 +89,27 @@ dependencyCheck {
 
 ### Ingress
 
-See the [values.yml](values.yaml) ingress section and [templates/ingress.yaml](templates/ingress.yaml) for the usual setup.
+See the [values.yml](values.yaml) 
+A minimal example would be
+```yaml
+ingress:
+  main:
+    enabled: true
+    ingressClassName:  "nginx"
+    hosts:
+      -  host: vulnz-mirror.com
+         paths:
+           - path: /
+             pathType: Prefix
+```
 
 ### Volumes / PVC
 
-Considering this a pure mirror image (somewhat cache-like), and it takes about 25s to compute and download the entire data, I decided to not include a PVC. If you think differently, be free to discuss this in a PR / issue.
+By default the cached mirror data is persistence, see persistence in [values.yml](values.yaml)
 
 ### Values
 
-Check the `values.yaml` file
+Check the [values.yml](values.yaml)  file
 
 # Credits
 

diff --git a/charts/vulnz-nvd-mirror/templates/NOTES.txt b/charts/vulnz-nvd-mirror/templates/NOTES.txt
@@ -0,0 +1 @@
+{{- include "tc.v1.common.lib.chart.notes" $ -}}
diff --git a/charts/vulnz-nvd-mirror/templates/common.yaml b/charts/vulnz-nvd-mirror/templates/common.yaml
@@ -0,0 +1 @@
+{{ include "tc.v1.common.loader.all" . }}
diff --git a/charts/vulnz-nvd-mirror/templates/deployment.yml b/charts/vulnz-nvd-mirror/templates/deployment.yml
diff --git a/charts/vulnz-nvd-mirror/templates/ingress.yaml b/charts/vulnz-nvd-mirror/templates/ingress.yaml
diff --git a/charts/vulnz-nvd-mirror/templates/service.yml b/charts/vulnz-nvd-mirror/templates/service.yml
diff --git a/charts/vulnz-nvd-mirror/templates/vulnz-environment-configmap.yaml b/charts/vulnz-nvd-mirror/templates/vulnz-environment-configmap.yaml
diff --git a/charts/vulnz-nvd-mirror/values.yaml b/charts/vulnz-nvd-mirror/values.yaml
@@ -1,36 +1,77 @@
-deployment:
-  replicas: 1
-
 image:
-  # FIXME: cannot use the official repo until https://github.com/jeremylong/Open-Vulnerability-Project/pull/114
-  # has been merged
-  # repository: ghcr.io/jeremylong/vulnz
-  repository: ghcr.io/eugenmayer/vulnz
-  # tag: "0.0.1"
+  repository: ghcr.io/jeremylong/open-vulnerability-data-mirror
   pullPolicy: IfNotPresent
+  tag: v5.1.2
+
+
+persistence:
+  mirror:
+    enabled: true
+    size: 1Gi
+    mountPath: "/usr/local/apache2/htdocs"
 
-# set this to preseed your API key. the expected structure is
-# NVD_API_KEY=<key>
-nvd:
-  secretName:
-  # secretName: vulnz-nvd-secret
+securityContext:
+  container:
+    # currently supervisord is used and priv. dropped via gosu
+    runAsNonRoot: false
+    runAsGroup: 0
+    runAsUser: 0
+    readOnlyRootFilesystem: false
 
-vulnz:
-  env:
-    JAVA_OPT: -Xmx2g
+service:
+  main:
+    ports:
+      main:
+        port: 80
+        targetPort: 80
+
+workload:
+  main:
+    replicas: 1
+    strategy: Recreate
+    type: Deployment
+    podSpec:
+      containers:
+        main:
+          env:
+            # set this to preseed your API key. the expected structure is
+            #NVD_API_KEY:
+            #  secretKeyRef:
+            #    name: nvd-api-key
+            #    key: password
+            JAVA_OPT: -Xmx2g
+          probes:
+            readiness:
+              enabled: true
+              type: http
+              port: 80
+              path: /
+              spec:
+                initialDelaySeconds: 5
+                periodSeconds: 5
+            liveness:
+              enabled: true
+              type: http
+              port: 80
+              path: /
+              spec:
+                initialDelaySeconds: 30
+                periodSeconds: 5
 
 ingress:
-  enabled: false
-  className:
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-  # kubernetes.io/tls-acme: "true"
-  hosts:
-    - host: chart-example.local
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
+  main:
+    enabled: false
+    primary: true
+    required: false
+    ingressClassName:  ""
+    targetSelector:
+      main: main
+    hosts:
+      -  host: vulnz.local
+         paths:
+           - path: /
+             pathType: Prefix
+
+portal:
+  open:
+    enabled: false