From a43f0f1fd0d933210d7b6a3e80a71e0a1795260d Mon Sep 17 00:00:00 2001 From: sunnyyip Date: Tue, 30 Jul 2024 15:34:39 -0400 Subject: [PATCH] guac v0.8.0 release (#54) * bump version to 0.3.1 Signed-off-by: Sunny Yip * guac release v0.8.0 Signed-off-by: Sunny Yip * make certifier dayBetweenRescan a common variable for all certifiers Signed-off-by: Sunny Yip --------- Signed-off-by: Sunny Yip --- charts/guac/Chart.yaml | 4 +- charts/guac/README.md | 297 +++++++++--------- charts/guac/schema.json | 87 ++++- .../templates/cd-certifier-deployment.yaml | 88 ++++++ charts/guac/templates/cd-certifier-sa.yaml | 19 ++ charts/guac/templates/guac-cm.yaml | 6 +- .../tests/cd-certifier_deployment_test.yaml | 90 ++++++ charts/guac/tests/values_combine.yaml | 7 + charts/guac/tests/values_digest_and_tag.yaml | 3 + .../guac/tests/values_serviceaccount_all.yaml | 4 + .../guac/tests/values_serviceaccount_no.yaml | 4 + charts/guac/tests/values_tag_no_digest.yaml | 3 + charts/guac/values.yaml | 39 ++- 13 files changed, 497 insertions(+), 154 deletions(-) create mode 100644 charts/guac/templates/cd-certifier-deployment.yaml create mode 100644 charts/guac/templates/cd-certifier-sa.yaml create mode 100644 charts/guac/tests/cd-certifier_deployment_test.yaml diff --git a/charts/guac/Chart.yaml b/charts/guac/Chart.yaml index 6bd4147..a8d5f6b 100644 --- a/charts/guac/Chart.yaml +++ b/charts/guac/Chart.yaml @@ -9,8 +9,8 @@ maintainers: email: guac-info@kusari.dev type: application -version: 0.4.2 -appVersion: "v0.7.2" +version: 0.5.0 +appVersion: "v0.8.0" dependencies: - name: nats diff --git a/charts/guac/README.md b/charts/guac/README.md index 0495d2e..684a300 100644 --- a/charts/guac/README.md +++ b/charts/guac/README.md 
@@ -95,149 +95,160 @@ kubectl port-forward svc/collectsub 2782:2782 This section contains parameters for configuring the different GUAC components. -| Name | Description | Value | -| -------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | ---------------------------------------------- | -| `guac.guacImage.repository` | Path to the GUAC image | `ghcr.io/guacsec/guac` | -| `guac.guacImage.tag` | Tag if using an image tag. Optional | `undefined` | -| `guac.guacImage.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. | `""` | -| `guac.guacImage.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | -| `guac.guacImage.workingDir` | Working Directory for GUAC | `/guac` | -| `guac.common.env` | common environment variables apply to all guac services | `""` | -| `guac.common.tolerations` | common tolerations apply to all guac services | `""` | -| `guac.configMap.enabled` | Whether to create the guac-cm configMap | `true` | -| `guac.ociCollector.enabled` | String Whether to deploy OCI Collector | `true` | -| `guac.ociCollector.name` | String Name of the OCI Collector component. | `oci-collector` | -| `guac.ociCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.ociCollector.replicas` | Number of replicas for oci collector deployment | `1` | -| `guac.ociCollector.image.command` | Command for the OCI Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect image"]` | -| `guac.ociCollector.env` | Environment variables for OCI Collector. 
| `[]` | -| `guac.ociCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.ociCollector.tolerations` | | `[]` | -| `guac.ociCollector.serviceAccount.create` | - whether to create OCI Collector service account | `true` | -| `guac.ociCollector.serviceAccount.annotations` | - OCI Collector service account annotations | `{}` | -| `guac.ociCollector.resources` | - [map] resource requests or limits of the ociCollector deployment | `{}` | -| `guac.depsDevCollector.enabled` | String Whether to deploy Deps.Dev Collector | `true` | -| `guac.depsDevCollector.name` | String Name of the Deps.Dev Collector component. | `depsdev-collector` | -| `guac.depsDevCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.depsDevCollector.replicas` | Number of replicas for depsdev collector deployment | `1` | -| `guac.depsDevCollector.image.command` | Command for the Deps.Dev Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect deps_dev"]` | -| `guac.depsDevCollector.env` | Environment variables for Deps.Dev Collector. | `[]` | -| `guac.depsDevCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.depsDevCollector.tolerations` | | `[]` | -| `guac.depsDevCollector.serviceAccount.create` | - whether to create depsDevCollector service account | `true` | -| `guac.depsDevCollector.serviceAccount.annotations` | | `{}` | -| `guac.depsDevCollector.resources` | - [map] resource requests or limits of the depsDevCollector deployment | `{}` | -| `guac.osvCertifier.enabled` | String Whether to deploy OSV Certifier | `true` | -| `guac.osvCertifier.name` | String Name of the OSV Certifier component. 
| `osv-certifier` | -| `guac.osvCertifier.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.osvCertifier.replicas` | Number of replicas for OSV Certifier deployment | `1` | -| `guac.osvCertifier.image.command` | Command for the OSV Certifier Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect osv"]` | -| `guac.osvCertifier.env` | Environment variables for OSV Certifier Collector. | `[]` | -| `guac.osvCertifier.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.osvCertifier.tolerations` | | `[]` | -| `guac.osvCertifier.serviceAccount.create` | - whether to create osvCertifier service account | `true` | -| `guac.osvCertifier.serviceAccount.annotations` | - OSV Certifier service account annotations | `{}` | -| `guac.osvCertifier.resources` | - [map] resource requests or limits of the OSV Certifier deployment | `{}` | -| `guac.osvCertifier.dayBetweenRescan` | Day(s) to wait before rescanning for vulnerability. Default 0 means only run once | `0` | -| `guac.ingestor.enabled` | String Whether to deploy Ingestor | `true` | -| `guac.ingestor.name` | String Name of the ingestor component. | `ingestor` | -| `guac.ingestor.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.ingestor.replicas` | Number of replicas for ingestor deployment | `1` | -| `guac.ingestor.image.command` | Command for the ingestor image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacingest"]` | -| `guac.ingestor.env` | Environment variables for ingestor. 
| `[]` | -| `guac.ingestor.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.ingestor.serviceAccount.create` | - whether to create ingestor service account | `true` | -| `guac.ingestor.serviceAccount.annotations` | - Ingestor service account annotations | `{}` | -| `guac.ingestor.tolerations` | | `[]` | -| `guac.ingestor.resources` | - [map] resource requests or limits of the ingestor deployment | `{}` | -| `guac.collectSub.enabled` | String Whether to deploy CollectSub | `true` | -| `guac.collectSub.name` | String Name of the CollectSub component. | `collectsub` | -| `guac.collectSub.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.collectSub.replicas` | Number of replicas for CollectSub deployment | `1` | -| `guac.collectSub.image.command` | Command for the CollectSub image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccsub"]` | -| `guac.collectSub.env` | Environment variables for CollectSub. 
| `[]` | -| `guac.collectSub.image.ports[0].containerPort` | Port the CollectSub container listens on | `2782` | -| `guac.collectSub.svcPorts[0].protocol` | Protocol used at CollectSub | `TCP` | -| `guac.collectSub.svcPorts[0].port` | Port the CollectSub service listens on | `2782` | -| `guac.collectSub.svcPorts[0].targetPort` | Port the CollectSub container listens on | `2782` | -| `guac.collectSub.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.collectSub.tolerations` | | `[]` | -| `guac.collectSub.serviceAccount.create` | - whether to create collectSub service account | `true` | -| `guac.collectSub.serviceAccount.annotations` | - CollectSub service account annotations | `{}` | -| `guac.collectSub.resources` | - [map] resource requests or limits of the collectSub deployment | `{}` | -| `guac.graphqlServer.enabled` | String Whether to deploy GraphQL Server | `true` | -| `guac.graphqlServer.name` | String Name of the GraphQL Server component. | `graphql-server` | -| `guac.graphqlServer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.graphqlServer.replicas` | Number of replicas for GraphQL Server deployment | `1` | -| `guac.graphqlServer.image.command` | Command for the GraphQL Server image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacgql"]` | -| `guac.graphqlServer.env` | Environment variables for GraphQL Server. 
| `[]` | -| `guac.graphqlServer.image.ports[0].containerPort` | Port the GraphQL Server container listens on | `8080` | -| `guac.graphqlServer.svcPorts[0].protocol` | Protocol used at the the GraphQL Server | `TCP` | -| `guac.graphqlServer.svcPorts[0].port` | Port the GraphQL Server service listens on | `8080` | -| `guac.graphqlServer.svcPorts[0].targetPort` | Port the GraphQL Server container listens on | `8080` | -| `guac.graphqlServer.nodePortSvcPorts` | NodePort service ports definition | `{}` | -| `guac.graphqlServer.backend` | which backend to use - keyvalue (default) | arango | ent. | `keyvalue` | -| `guac.graphqlServer.debug` | Enable debug mode for graphql server; also enable the UI | `true` | -| `guac.graphqlServer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.graphqlServer.serviceAccount.create` | - whether to create graphqlServer service account | `true` | -| `guac.graphqlServer.serviceAccount.annotations` | - graphql server service account annotations | `{}` | -| `guac.graphqlServer.service.createNodePortService` | - Whether to deploy a NodePort type service | `false` | -| `guac.graphqlServer.additionalVolumeMounts` | | `[]` | -| `guac.graphqlServer.additionalVolumes` | | `[]` | -| `guac.graphqlServer.tolerations` | | `[]` | -| `guac.graphqlServer.resources` | - [map] resource requests or limits of the graphqlServer deployment | `{}` | -| `guac.restApi.enabled` | String Whether to deploy the restApi | `true` | -| `guac.restApi.name` | String Name of the restApi component. | `rest-api` | -| `guac.restApi.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.restApi.replicas` | Number of replicas for restApi deployment | `1` | -| `guac.restApi.image.command` | Command for the restApi image. It is not recommended to override this. 
| `["sh","-c","/opt/guac/guacrest"]` | -| `guac.restApi.env` | Environment variables for restApi. | `[]` | -| `guac.restApi.image.ports[0].containerPort` | Port the restApi container listens on | `8081` | -| `guac.restApi.svcPorts[0].protocol` | Protocol used at the the restApi | `TCP` | -| `guac.restApi.svcPorts[0].port` | Port the restApi service listens on | `8081` | -| `guac.restApi.svcPorts[0].targetPort` | Port the restApi container listens on | `8081` | -| `guac.restApi.serviceAccount.create` | - whether to create restApi service account | `true` | -| `guac.restApi.serviceAccount.annotations` | - graphql server service account annotations | `{}` | -| `guac.restApi.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.restApi.tolerations` | | `[]` | -| `guac.restApi.resources` | - [map] resource requests or limits of the restApi deployment | `{}` | -| `guac.visualizer.enabled` | String Whether to deploy the visualizer. | `true` | -| `guac.visualizer.name` | String Name of the visualizer. | `visualizer` | -| `guac.visualizer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.visualizer.replicas` | Number of replicas for visualizer deployment | `1` | -| `guac.visualizer.image.repository` | Path to the Ingestor image | `ghcr.io/guacsec/guac-visualizer` | -| `guac.visualizer.image.tag` | Tag if using an image tag. Optional | `v0.0.3` | -| `guac.visualizer.image.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. 
| `""` | -| `guac.visualizer.image.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | -| `guac.visualizer.image.ports[0].containerPort` | Port the visualizer container listens on | `3000` | -| `guac.visualizer.svcPorts[0].protocol` | Protocol used at the visualizer | `TCP` | -| `guac.visualizer.svcPorts[0].port` | Port the visualizer service listens on | `3000` | -| `guac.visualizer.svcPorts[0].targetPort` | Port the visualizer container listens on | `3000` | -| `guac.visualizer.env` | Environment variables for the visualizer. | `[]` | -| `guac.visualizer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.visualizer.tolerations` | | `[]` | -| `guac.observability.deployServiceMonitor` | Boolean Deploy the service monitor for observability | `false` | -| `guac.sampleData.ingest` | Boolean Whether to ingest sample data after deployment | `false` | -| `guac.sampleData.jobName` | Name of the sample data ingest job | `ingest-guac-data` | -| `guac.sampleData.env` | Environment variables for the sample data ingest job | `[]` | -| `guac.ingress.enabled` | Whether to deploy an Ingress object | `false` | -| `guac.ingress.ingressClassName` | Ingress class name | `undefined` | -| `guac.ingress.webuiHostname` | DNS name for the UI components - e.g. Visualizer, GQL playground | `undefined` | -| `guac.ingress.apiHostname` | DNS name for the GQL API. When specified, GQL API won't be served at webuiHostname | `undefined` | -| `guac.ingress.annotations` | Annotations for the ingress object | `{}` | -| `guac.apiOnlyIngress.enabled` | Whether to deploy an Ingress object to expose API only | `false` | -| `guac.apiOnlyIngress.ingressClassName` | Ingress class name for API only ingress | `undefined` | -| `guac.apiOnlyIngress.apiHostname` | DNS name for the GQL API. 
| `undefined` | -| `guac.apiOnlyIngress.annotations` | Annotations for the API only ingress object | `{}` | -| `guac.traefikIngressRoute.enabled` | Whether to deploy Traefik IngressRoute object | `false` | -| `guac.backend.ent.db-driver` | database driver to use, one of [postgres | sqlite3 | mysql] or anything supported by sql.DB | `postgres` | -| `guac.backend.ent.db-address` | Full URL of database to connect to | `undefined` | -| `guac.backend.ent.db-migrate` | Wether to automatically run database migrations on start | `true` | -| `guac.backend.ent.db-debug` | Enable debug logging for database queries | `true` | -| `guac.pubSubAddr` | String gocloud connection string for pubsub configured via https://gocloud.dev/howto/pubsub/ | `undefined` | -| `guac.collectorPublishToQueue` | Whether to publish ingestion message to pubsub queue | `true` | -| `guac.blobAddr` | gocloud connection string for blob store configured via https://gocloud.dev/howto/blob/ | `undefined` | -| `guac.additionalResources` | | `{}` | +| Name | Description | Value | +| -------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- | ---------------------------------------------- | +| `guac.guacImage.repository` | Path to the GUAC image | `ghcr.io/guacsec/guac` | +| `guac.guacImage.tag` | Tag if using an image tag. Optional | `undefined` | +| `guac.guacImage.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. 
| `""` | +| `guac.guacImage.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | +| `guac.guacImage.workingDir` | Working Directory for GUAC | `/guac` | +| `guac.common.env` | common environment variables apply to all guac services | `""` | +| `guac.common.tolerations` | common tolerations apply to all guac services | `""` | +| `guac.common.certifier.dayBetweenRescan` | Day(s) to wait before the certifier rescanning - commonly apply to all certifiers. Default 0 means only run once | `0` | +| `guac.configMap.enabled` | Whether to create the guac-cm configMap | `true` | +| `guac.ociCollector.enabled` | String Whether to deploy OCI Collector | `true` | +| `guac.ociCollector.name` | String Name of the OCI Collector component. | `oci-collector` | +| `guac.ociCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.ociCollector.replicas` | Number of replicas for oci collector deployment | `1` | +| `guac.ociCollector.image.command` | Command for the OCI Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect image"]` | +| `guac.ociCollector.env` | Environment variables for OCI Collector. | `[]` | +| `guac.ociCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.ociCollector.tolerations` | | `[]` | +| `guac.ociCollector.serviceAccount.create` | - whether to create OCI Collector service account | `true` | +| `guac.ociCollector.serviceAccount.annotations` | - OCI Collector service account annotations | `{}` | +| `guac.ociCollector.resources` | - [map] resource requests or limits of the ociCollector deployment | `{}` | +| `guac.depsDevCollector.enabled` | String Whether to deploy Deps.Dev Collector | `true` | +| `guac.depsDevCollector.name` | String Name of the Deps.Dev Collector component. 
| `depsdev-collector` | +| `guac.depsDevCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.depsDevCollector.replicas` | Number of replicas for depsdev collector deployment | `1` | +| `guac.depsDevCollector.image.command` | Command for the Deps.Dev Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect deps_dev"]` | +| `guac.depsDevCollector.env` | Environment variables for Deps.Dev Collector. | `[]` | +| `guac.depsDevCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.depsDevCollector.tolerations` | | `[]` | +| `guac.depsDevCollector.serviceAccount.create` | - whether to create depsDevCollector service account | `true` | +| `guac.depsDevCollector.serviceAccount.annotations` | | `{}` | +| `guac.depsDevCollector.resources` | - [map] resource requests or limits of the depsDevCollector deployment | `{}` | +| `guac.osvCertifier.enabled` | String Whether to deploy OSV Certifier | `true` | +| `guac.osvCertifier.name` | String Name of the OSV Certifier component. | `osv-certifier` | +| `guac.osvCertifier.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.osvCertifier.replicas` | Number of replicas for OSV Certifier deployment | `1` | +| `guac.osvCertifier.image.command` | Command for the OSV Certifier Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect osv"]` | +| `guac.osvCertifier.env` | Environment variables for OSV Certifier. 
| `[]` | +| `guac.osvCertifier.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.osvCertifier.tolerations` | | `[]` | +| `guac.osvCertifier.serviceAccount.create` | - whether to create osvCertifier service account | `true` | +| `guac.osvCertifier.serviceAccount.annotations` | - OSV Certifier service account annotations | `{}` | +| `guac.osvCertifier.resources` | - [map] resource requests or limits of the OSV Certifier deployment | `{}` | +| `guac.cdCertifier.enabled` | String Whether to deploy CD Certifier | `true` | +| `guac.cdCertifier.name` | String Name of the CD Certifier component. | `cd-certifier` | +| `guac.cdCertifier.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.cdCertifier.replicas` | Number of replicas for CD Certifier deployment | `1` | +| `guac.cdCertifier.image.command` | Command for the CD Certifier Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect cd"]` | +| `guac.cdCertifier.env` | Environment variables for CD Certifier. | `[]` | +| `guac.cdCertifier.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.cdCertifier.tolerations` | | `[]` | +| `guac.cdCertifier.serviceAccount.create` | - whether to create cdCertifier service account | `true` | +| `guac.cdCertifier.serviceAccount.annotations` | - CD Certifier service account annotations | `{}` | +| `guac.cdCertifier.resources` | - [map] resource requests or limits of the cd Certifier deployment | `{}` | +| `guac.ingestor.enabled` | String Whether to deploy Ingestor | `true` | +| `guac.ingestor.name` | String Name of the ingestor component. 
| `ingestor` | +| `guac.ingestor.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.ingestor.replicas` | Number of replicas for ingestor deployment | `1` | +| `guac.ingestor.image.command` | Command for the ingestor image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacingest"]` | +| `guac.ingestor.env` | Environment variables for ingestor. | `[]` | +| `guac.ingestor.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.ingestor.serviceAccount.create` | - whether to create ingestor service account | `true` | +| `guac.ingestor.serviceAccount.annotations` | - Ingestor service account annotations | `{}` | +| `guac.ingestor.tolerations` | | `[]` | +| `guac.ingestor.resources` | - [map] resource requests or limits of the ingestor deployment | `{}` | +| `guac.collectSub.enabled` | String Whether to deploy CollectSub | `true` | +| `guac.collectSub.name` | String Name of the CollectSub component. | `collectsub` | +| `guac.collectSub.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.collectSub.replicas` | Number of replicas for CollectSub deployment | `1` | +| `guac.collectSub.image.command` | Command for the CollectSub image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccsub"]` | +| `guac.collectSub.env` | Environment variables for CollectSub. 
| `[]` | +| `guac.collectSub.image.ports[0].containerPort` | Port the CollectSub container listens on | `2782` | +| `guac.collectSub.svcPorts[0].protocol` | Protocol used at CollectSub | `TCP` | +| `guac.collectSub.svcPorts[0].port` | Port the CollectSub service listens on | `2782` | +| `guac.collectSub.svcPorts[0].targetPort` | Port the CollectSub container listens on | `2782` | +| `guac.collectSub.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.collectSub.tolerations` | | `[]` | +| `guac.collectSub.serviceAccount.create` | - whether to create collectSub service account | `true` | +| `guac.collectSub.serviceAccount.annotations` | - CollectSub service account annotations | `{}` | +| `guac.collectSub.resources` | - [map] resource requests or limits of the collectSub deployment | `{}` | +| `guac.graphqlServer.enabled` | String Whether to deploy GraphQL Server | `true` | +| `guac.graphqlServer.name` | String Name of the GraphQL Server component. | `graphql-server` | +| `guac.graphqlServer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.graphqlServer.replicas` | Number of replicas for GraphQL Server deployment | `1` | +| `guac.graphqlServer.image.command` | Command for the GraphQL Server image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacgql"]` | +| `guac.graphqlServer.env` | Environment variables for GraphQL Server. 
| `[]` | +| `guac.graphqlServer.image.ports[0].containerPort` | Port the GraphQL Server container listens on | `8080` | +| `guac.graphqlServer.svcPorts[0].protocol` | Protocol used at the the GraphQL Server | `TCP` | +| `guac.graphqlServer.svcPorts[0].port` | Port the GraphQL Server service listens on | `8080` | +| `guac.graphqlServer.svcPorts[0].targetPort` | Port the GraphQL Server container listens on | `8080` | +| `guac.graphqlServer.nodePortSvcPorts` | NodePort service ports definition | `{}` | +| `guac.graphqlServer.backend` | which backend to use - keyvalue (default) | arango | ent. | `keyvalue` | +| `guac.graphqlServer.debug` | Enable debug mode for graphql server; also enable the UI | `true` | +| `guac.graphqlServer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.graphqlServer.serviceAccount.create` | - whether to create graphqlServer service account | `true` | +| `guac.graphqlServer.serviceAccount.annotations` | - graphql server service account annotations | `{}` | +| `guac.graphqlServer.service.createNodePortService` | - Whether to deploy a NodePort type service | `false` | +| `guac.graphqlServer.additionalVolumeMounts` | | `[]` | +| `guac.graphqlServer.additionalVolumes` | | `[]` | +| `guac.graphqlServer.tolerations` | | `[]` | +| `guac.graphqlServer.resources` | - [map] resource requests or limits of the graphqlServer deployment | `{}` | +| `guac.restApi.enabled` | String Whether to deploy the restApi | `true` | +| `guac.restApi.name` | String Name of the restApi component. | `rest-api` | +| `guac.restApi.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.restApi.replicas` | Number of replicas for restApi deployment | `1` | +| `guac.restApi.image.command` | Command for the restApi image. It is not recommended to override this. 
| `["sh","-c","/opt/guac/guacrest"]` | +| `guac.restApi.env` | Environment variables for restApi. | `[]` | +| `guac.restApi.image.ports[0].containerPort` | Port the restApi container listens on | `8081` | +| `guac.restApi.svcPorts[0].protocol` | Protocol used at the the restApi | `TCP` | +| `guac.restApi.svcPorts[0].port` | Port the restApi service listens on | `8081` | +| `guac.restApi.svcPorts[0].targetPort` | Port the restApi container listens on | `8081` | +| `guac.restApi.serviceAccount.create` | - whether to create restApi service account | `true` | +| `guac.restApi.serviceAccount.annotations` | - graphql server service account annotations | `{}` | +| `guac.restApi.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.restApi.tolerations` | | `[]` | +| `guac.restApi.resources` | - [map] resource requests or limits of the restApi deployment | `{}` | +| `guac.visualizer.enabled` | String Whether to deploy the visualizer. | `true` | +| `guac.visualizer.name` | String Name of the visualizer. | `visualizer` | +| `guac.visualizer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.visualizer.replicas` | Number of replicas for visualizer deployment | `1` | +| `guac.visualizer.image.repository` | Path to the Ingestor image | `ghcr.io/guacsec/guac-visualizer` | +| `guac.visualizer.image.tag` | Tag if using an image tag. Optional | `v0.0.3` | +| `guac.visualizer.image.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. 
| `""` | +| `guac.visualizer.image.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | +| `guac.visualizer.image.ports[0].containerPort` | Port the visualizer container listens on | `3000` | +| `guac.visualizer.svcPorts[0].protocol` | Protocol used at the visualizer | `TCP` | +| `guac.visualizer.svcPorts[0].port` | Port the visualizer service listens on | `3000` | +| `guac.visualizer.svcPorts[0].targetPort` | Port the visualizer container listens on | `3000` | +| `guac.visualizer.env` | Environment variables for the visualizer. | `[]` | +| `guac.visualizer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.visualizer.tolerations` | | `[]` | +| `guac.observability.deployServiceMonitor` | Boolean Deploy the service monitor for observability | `false` | +| `guac.sampleData.ingest` | Boolean Whether to ingest sample data after deployment | `false` | +| `guac.sampleData.jobName` | Name of the sample data ingest job | `ingest-guac-data` | +| `guac.sampleData.env` | Environment variables for the sample data ingest job | `[]` | +| `guac.ingress.enabled` | Whether to deploy an Ingress object | `false` | +| `guac.ingress.ingressClassName` | Ingress class name | `undefined` | +| `guac.ingress.webuiHostname` | DNS name for the UI components - e.g. Visualizer, GQL playground | `undefined` | +| `guac.ingress.apiHostname` | DNS name for the GQL API. When specified, GQL API won't be served at webuiHostname | `undefined` | +| `guac.ingress.annotations` | Annotations for the ingress object | `{}` | +| `guac.apiOnlyIngress.enabled` | Whether to deploy an Ingress object to expose API only | `false` | +| `guac.apiOnlyIngress.ingressClassName` | Ingress class name for API only ingress | `undefined` | +| `guac.apiOnlyIngress.apiHostname` | DNS name for the GQL API. 
| `undefined` | +| `guac.apiOnlyIngress.annotations` | Annotations for the API only ingress object | `{}` | +| `guac.traefikIngressRoute.enabled` | Whether to deploy Traefik IngressRoute object | `false` | +| `guac.backend.ent.db-driver` | database driver to use, one of [postgres | sqlite3 | mysql] or anything supported by sql.DB | `postgres` | +| `guac.backend.ent.db-address` | Full URL of database to connect to | `undefined` | +| `guac.backend.ent.db-migrate` | Wether to automatically run database migrations on start | `true` | +| `guac.backend.ent.db-debug` | Enable debug logging for database queries | `true` | +| `guac.pubSubAddr` | String gocloud connection string for pubsub configured via https://gocloud.dev/howto/pubsub/ | `undefined` | +| `guac.collectorPublishToQueue` | Whether to publish ingestion message to pubsub queue | `true` | +| `guac.blobAddr` | gocloud connection string for blob store configured via https://gocloud.dev/howto/blob/ | `undefined` | +| `guac.additionalResources` | | `{}` | ### nats diff --git a/charts/guac/schema.json b/charts/guac/schema.json index 8b60b61..d9f2051 100644 --- a/charts/guac/schema.json +++ b/charts/guac/schema.json @@ -55,6 +55,16 @@ "type": "string", "description": "common tolerations apply to all guac services", "default": "\"\"" + }, + "certifier": { + "type": "object", + "properties": { + "dayBetweenRescan": { + "type": "string", + "description": "Day(s) to wait before the certifier rescanning - commonly apply to all certifiers. Default 0 means only run once", + "default": "0" + } + } } } }, @@ -253,7 +263,7 @@ }, "env": { "type": "array", - "description": "Environment variables for OSV Certifier Collector.", + "description": "Environment variables for OSV Certifier.", "default": [], "items": {} }, 
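Review bot: The new `common.certifier.dayBetweenRescan` entry declares `"type": "string"` with default `"0"`, whereas the `osvCertifier.dayBetweenRescan` key it replaces (removed further down in this file) was `"type": "number"` with default `0`, and the README table in this same commit still shows the value as `0`. If this schema is enforced as the chart's values schema, an unquoted `0` in values.yaml or in a user override will fail validation; I'd keep `"type": "number"` and `"default": 0` for consistency with the removed key, or state in the description that the value must be quoted. The description itself reads awkwardly; suggest `"Days to wait before each certifier rescans; applies to all certifiers. Default 0 means each certifier scans only once"`. Because 0 is the default, vulnerability data is not refreshed after the first pass unless the operator raises this value, which is the operationally risky case and is worth stating explicitly in the description.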
@@ -287,11 +297,80 @@
 "type": "object",
 "description": "- [map] resource requests or limits of the OSV Certifier deployment",
 "default": {}
+ }
+ }
+ },
+ "cdCertifier": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "String Whether to deploy CD Certifier",
+ "default": true
+ },
+ "name": {
+ "type": "string",
+ "description": "String Name of the CD Certifier component.",
+ "default": "cd-certifier"
 },
- "dayBetweenRescan": {
+ "replicas": {
 "type": "number",
- "description": "Day(s) to wait before rescanning for vulnerability. Default 0 means only run once",
- "default": 0
+ "description": "Number of replicas for CD Certifier deployment",
+ "default": 1
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "command": {
+ "type": "array",
+ "description": "Command for the CD Certifier Collector image. It is not recommended to override this.",
+ "default": [
+ "sh",
+ "-c",
+ "/opt/guac/guaccollect cd"
+ ],
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "env": {
+ "type": "array",
+ "description": "Environment variables for CD Certifier.",
+ "default": [],
+ "items": {}
+ },
+ "nodeSelector": {
+ "type": "object",
+ "description": "- sets the node selector for where to run the deployment",
+ "default": {}
+ },
+ "tolerations": {
+ "type": "array",
+ "description": "",
+ "default": [],
+ "items": {}
+ },
+ "serviceAccount": {
+ "type": "object",
+ "properties": {
+ "create": {
+ "type": "boolean",
+ "description": "- whether to create cdCertifier service account",
+ "default": true
+ },
+ "annotations": {
+ "type": "object",
+ "description": "- CD Certifier service account annotations",
+ "default": {}
+ }
+ }
+ },
+ "resources": {
+ "type": "object",
+ "description": "- [map] resource requests or limits of the cd Certifier deployment",
+ "default": {}
 }
 }
 },
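Review bot: The `enabled` property is typed `boolean` but its description still reads `String Whether to deploy CD Certifier`, and `command` is described as `Command for the CD Certifier Collector image` although the certifier is not a collector; both look copied from the OSV block and should read `Whether to deploy CD Certifier` and `Command for the CD Certifier image`. Dropping `osvCertifier.dayBetweenRescan` from the schema means a user values file that still sets it is either rejected on upgrade (if the schema forbids unknown properties) or silently ignored, with rescans falling back to the new common default — a pointer to `guac.common.certifier.dayBetweenRescan` in the chart notes or README would make that visible. The new `cdCertifier` object also declares no `annotations` property even though the chart's values set `reloader.stakater.com/auto` under it; if the other components declare theirs here, this one should too.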
diff --git a/charts/guac/templates/cd-certifier-deployment.yaml b/charts/guac/templates/cd-certifier-deployment.yaml
new file mode 100644
index 0000000..e4ba2ef
--- /dev/null
+++ b/charts/guac/templates/cd-certifier-deployment.yaml
@@ -0,0 +1,88 @@
+# Copyright Kusari, Inc. and contributors
+# Licensed under the MIT license. See LICENSE file in the project root for details.
+{{ if .Values.guac.cdCertifier.enabled }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Values.guac.cdCertifier.name }}
+{{- if .Values.guac.cdCertifier.annotations }}
+ annotations:
+{{ toYaml .Values.guac.cdCertifier.annotations | indent 4 }}
+{{- end }}
+ labels:
+ {{- include "guac.labels" . | nindent 4 }}
+ app.kubernetes.io/name: {{ .Values.guac.cdCertifier.name }}
+ app.kubernetes.io/component: {{ .Values.guac.cdCertifier.name }}
+spec:
+ replicas: {{ .Values.guac.cdCertifier.replicas }}
+ selector:
+ matchLabels:
+ {{- include "guac.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/name: {{ .Values.guac.cdCertifier.name }}
+ app.kubernetes.io/component: {{ .Values.guac.cdCertifier.name }}
+ template:
+ metadata:
+ labels:
+ {{- include "guac.selectorLabels" . | nindent 8 }}
+ app.kubernetes.io/name: {{ .Values.guac.cdCertifier.name }}
+ app.kubernetes.io/component: {{ .Values.guac.cdCertifier.name }}
+ spec:
+ serviceAccountName: {{ .Values.guac.cdCertifier.name }}
+ containers:
+ - name: {{ .Values.guac.cdCertifier.name }}
+ {{- if .Values.guac.guacImage.digest }}
+ image: "{{ .Values.guac.guacImage.repository }}@{{ .Values.guac.guacImage.digest }}"
+ {{- else }}
+ image: "{{ .Values.guac.guacImage.repository }}:{{ .Values.guac.guacImage.tag | default .Chart.AppVersion}}"
+ {{- end }}
+ imagePullPolicy: "{{ .Values.guac.guacImage.pullPolicy }}"
+ command:
+{{ toYaml .Values.guac.cdCertifier.image.command | indent 10 }}
+ workingDir: {{ .Values.guac.guacImage.workingDir }}
+{{- if .Values.guac.cdCertifier.ports }}
+ ports:
+{{ toYaml .Values.guac.cdCertifier.image.ports | indent 10 }}
+{{- end }}
+{{- if .Values.guac.cdCertifier.resources }}
+ resources: {{- toYaml .Values.guac.cdCertifier.resources | nindent 10 }}
+{{- end }}
+ volumeMounts:
+ - name: guac-config
+ mountPath: {{ .Values.guac.guacImage.workingDir }}
+ readOnly: true
+
+{{- if or .Values.guac.common.env .Values.guac.cdCertifier.env }}
+ env:
+{{- if .Values.guac.common.env }}
+{{ toYaml .Values.guac.common.env | indent 10 }}
+{{- end }}
+{{- if .Values.guac.cdCertifier.env }}
+{{ toYaml .Values.guac.cdCertifier.env | indent 10 }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+{{- end }}
+ volumes:
+ - name: guac-config
+ configMap:
+ name: guac-cm
+{{- if .Values.guac.cdCertifier.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.guac.cdCertifier.nodeSelector | indent 8 }}
+{{- end }}
+
+{{- if or .Values.guac.common.tolerations .Values.guac.cdCertifier.tolerations }}
+ tolerations:
+{{- if .Values.guac.common.tolerations }}
+{{ toYaml .Values.guac.common.tolerations | indent 8 }}
+{{- end }}
+{{- if .Values.guac.cdCertifier.tolerations }}
+{{ toYaml .Values.guac.cdCertifier.tolerations | indent 8 }}
+{{- end }}
+{{- end }}
+
+{{- end }}
diff --git a/charts/guac/templates/cd-certifier-sa.yaml b/charts/guac/templates/cd-certifier-sa.yaml
new file mode 100644
index 0000000..18d7926
--- /dev/null
+++ b/charts/guac/templates/cd-certifier-sa.yaml
@@ -0,0 +1,19 @@
+# Copyright Kusari, Inc. and contributors
+# Licensed under the MIT license. See LICENSE file in the project root for details.
+{{ if .Values.guac.cdCertifier.enabled }}
+{{ if .Values.guac.cdCertifier.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.guac.cdCertifier.name }}
+{{- if .Values.guac.cdCertifier.annotations }}
+ annotations:
+{{ toYaml .Values.guac.cdCertifier.serviceAccount.annotations | indent 4 }}
+{{- end }}
+ labels:
+ {{- include "guac.labels" . | nindent 4 }}
+ app.kubernetes.io/name: {{ .Values.guac.cdCertifier.name }}
+ app.kubernetes.io/component: {{ .Values.guac.cdCertifier.name }}
+{{- end }}
+{{- end }}
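Review bot: The `ports` guard tests `.Values.guac.cdCertifier.ports` but the body renders `.Values.guac.cdCertifier.image.ports`, so a user who sets `cdCertifier.image.ports` gets no `ports:` block at all, and one who sets `cdCertifier.ports` gets a `ports:` key whose value comes from a missing path; the condition should be `{{- if .Values.guac.cdCertifier.image.ports }}`. `serviceAccountName` is emitted unconditionally, so with `serviceAccount.create: false` the pod references a ServiceAccount this chart does not create — presumably the chart's existing convention, but a comment such as `# when serviceAccount.create is false a ServiceAccount of this name must already exist` would save the next reader a surprise. The pod template sets no `securityContext` and leaves `automountServiceAccountToken` at its default, so the certifier receives a projected API token; assuming `guaccollect cd` only talks to the GUAC services and not the Kubernetes API, `automountServiceAccountToken: false` and a non-root container `securityContext` are the hardening I would add here.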
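Review bot: The annotations guard checks `.Values.guac.cdCertifier.annotations` (the Deployment annotations) but then renders `.Values.guac.cdCertifier.serviceAccount.annotations`, so with the chart defaults it emits `annotations:` over an empty map, and a user who clears the Deployment annotations silently loses their ServiceAccount annotations — which matters here because cloud IAM bindings for workload identity are commonly expressed as ServiceAccount annotations. The guard should read `{{- if .Values.guac.cdCertifier.serviceAccount.annotations }}`. No unit test for this template appears in the change, so the mismatch is not caught by the suite.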
diff --git a/charts/guac/templates/guac-cm.yaml b/charts/guac/templates/guac-cm.yaml
index a9f54e4..b7525b6 100644
--- a/charts/guac/templates/guac-cm.yaml
+++ b/charts/guac/templates/guac-cm.yaml
@@ -43,8 +43,10 @@ data:
 service-poll: true
 use-csub: true
- # OscCertifier behavior
- last-scan: {{ .Values.guac.osvCertifier.dayBetweenRescan }}
+ # Certifier behavior - i.e. OSV and CD
+{{- if $.Values.guac.common.certifier.dayBetweenRescan }}
+ last-scan: {{ .Values.guac.common.certifier.dayBetweenRescan }}
+{{- end }}
 poll: true
 interval: 5m # how often to poll graphql-server to discover new packages
diff --git a/charts/guac/tests/cd-certifier_deployment_test.yaml b/charts/guac/tests/cd-certifier_deployment_test.yaml
new file mode 100644
index 0000000..b76fc07
--- /dev/null
+++ b/charts/guac/tests/cd-certifier_deployment_test.yaml
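Review bot: The new guard `{{- if $.Values.guac.common.certifier.dayBetweenRescan }}` is a truthiness test, so the string default `"0"` renders `last-scan: 0` while a user who writes the integer `0` or an empty string drops the key entirely and the binary falls back to whatever its own default is; the rendered config thus depends on the scalar type the user typed, which the schema's `"type": "string"` only partly prevents. Either render the key unconditionally as the old line did, or test for presence rather than truth, e.g. `{{- if not (kindIs "invalid" .Values.guac.common.certifier.dayBetweenRescan) }}`. Mixing `$.Values` and `.Values` on adjacent lines is also inconsistent, and the intent deserves a comment such as `# last-scan is omitted when dayBetweenRescan is unset`. The enclosing `data:` block starts outside the hunk.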
@@ -0,0 +1,90 @@
+# Copyright Kusari, Inc. and contributors
+# Licensed under the MIT license. See LICENSE file in the project root for details.
+suite: CD Certifier Deployment tests
+templates:
+ - cd-certifier-deployment.yaml
+
+tests:
+ - it: deployment should render
+ asserts:
+ - isKind:
+ of: Deployment
+ - hasDocuments:
+ count: 1
+
+ - it: should run the cdCertifier image
+ values:
+ - ./values_digest_and_tag.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].name
+ value: cd-certifier
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: ghcr.io/guacsec/guac@sha256:167e823f36e268f66b12a79d4c4b39df23c2f87847817c161b6c6ddbc9ee5c4e
+
+ - it: should run the cdCertifier sub command
+ values:
+ - ./values_digest_and_tag.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].command[0]
+ value: "sh"
+ - equal:
+ path: spec.template.spec.containers[0].command[1]
+ value: "-c"
+ - equal:
+ path: spec.template.spec.containers[0].command[2]
+ value: "/opt/guac/guaccollect cd"
+
+ - it: should respect spec level parameters
+ values:
+ - ./values_digest_and_tag.yaml
+ asserts:
+ - equal:
+ path: spec.replicas
+ value: 1
+ - equal:
+ path: spec.selector.matchLabels["app.kubernetes.io/name"]
+ value: cd-certifier
+ - equal:
+ path: spec.template.metadata.labels["app.kubernetes.io/name"]
+ value: cd-certifier
+
+ - it: should use tag if only tag is specified
+ values:
+ - ./values_tag_no_digest.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: ghcr.io/guacsec/guac:latest
+
+ - it: should include tolerations
+ values:
+ - ./values_combine.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.tolerations[0].key
+ value: "kusari.cloud/common"
+ - equal:
+ path: spec.template.spec.tolerations[0].value
+ value: common
+ - equal:
+ path: spec.template.spec.tolerations[0].effect
+ value: NoSchedule
+ - equal:
+ path: spec.template.spec.tolerations[0].operator
+ value: Equal
+
+ - equal:
+ path: spec.template.spec.tolerations[1].key
+ value: "kusari.cloud/own"
+ - equal:
+ path: spec.template.spec.tolerations[1].value
+ value: own
+ - equal:
+ path: spec.template.spec.tolerations[1].effect
+ value: NoSchedule
+ - equal:
+ path: spec.template.spec.tolerations[1].operator
+ value: Equal
diff --git a/charts/guac/tests/values_combine.yaml b/charts/guac/tests/values_combine.yaml
index 48474b6..d42743d 100644
--- a/charts/guac/tests/values_combine.yaml
+++ b/charts/guac/tests/values_combine.yaml
@@ -30,6 +30,13 @@ guac:
 operator: Equal
 value: own
+ cdCertifier:
+ tolerations:
+ - effect: NoSchedule
+ key: kusari.cloud/own
+ operator: Equal
+ value: own
+
 ingestor:
 tolerations:
 - effect: NoSchedule
diff --git a/charts/guac/tests/values_digest_and_tag.yaml b/charts/guac/tests/values_digest_and_tag.yaml
index e433589..5666aab 100644
--- a/charts/guac/tests/values_digest_and_tag.yaml
+++ b/charts/guac/tests/values_digest_and_tag.yaml
@@ -23,6 +23,9 @@ guac:
 osvCertifier:
 name: osv-certifier
+ cdCertifier:
+ name: cd-certifier
+
 graphqlServer:
 name: graphql-server
diff --git a/charts/guac/tests/values_serviceaccount_all.yaml b/charts/guac/tests/values_serviceaccount_all.yaml
index ff5cf3f..85e7add 100644
--- a/charts/guac/tests/values_serviceaccount_all.yaml
+++ b/charts/guac/tests/values_serviceaccount_all.yaml
@@ -14,6 +14,10 @@ guac:
 serviceAccount:
 create: true
+ cdCertifier:
+ serviceAccount:
+ create: true
+
 ingestor:
 serviceAccount:
 create: true
diff --git a/charts/guac/tests/values_serviceaccount_no.yaml b/charts/guac/tests/values_serviceaccount_no.yaml
index 2a78986..3c11207 100644
--- a/charts/guac/tests/values_serviceaccount_no.yaml
+++ b/charts/guac/tests/values_serviceaccount_no.yaml
@@ -14,6 +14,10 @@ guac:
 serviceAccount:
 create: false
+ cdCertifier:
+ serviceAccount:
+ create: false
+
 ingestor:
 serviceAccount:
 create: false
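Review bot: The suite never asserts `spec.template.spec.serviceAccountName` and does not load `values_serviceaccount_all.yaml` or `values_serviceaccount_no.yaml`, even though both fixtures gain a `cdCertifier` stanza in this change, so the ServiceAccount wiring of the new Deployment is untested. A case like `- it: should set the service account name` asserting `- equal: {path: spec.template.spec.serviceAccountName, value: cd-certifier}` would pin it, and the `create: false` fixture would document that the name is still emitted when the chart does not create the account. A companion test file for the new ServiceAccount template is also absent from the change, so nothing exercises its annotations guard.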
diff --git a/charts/guac/tests/values_tag_no_digest.yaml b/charts/guac/tests/values_tag_no_digest.yaml
index d64f583..23b309e 100644
--- a/charts/guac/tests/values_tag_no_digest.yaml
+++ b/charts/guac/tests/values_tag_no_digest.yaml
@@ -20,6 +20,9 @@ guac:
 osvCertifier:
 name: osv-certifier
+ cdCertifier:
+ name: cd-certifier
+
 ingestor:
 name: ingestor
diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml
index f1c7795..ae7bc69 100644
--- a/charts/guac/values.yaml
+++ b/charts/guac/values.yaml
@@ -17,6 +17,7 @@ imagePullSecrets:
 ## @param guac.guacImage.workingDir Working Directory for GUAC
 ## @param guac.common.env [string] common environment variables apply to all guac services
 ## @param guac.common.tolerations [string] common tolerations apply to all guac services
+## @param guac.common.certifier.dayBetweenRescan Day(s) to wait before the certifier rescanning - commonly apply to all certifiers. Default 0 means only run once
 ## @param guac.configMap.enabled Whether to create the guac-cm configMap
 ## @param guac.ociCollector.enabled String Whether to deploy OCI Collector
 ## @param guac.ociCollector.name String Name of the OCI Collector component.
@@ -45,13 +46,23 @@ imagePullSecrets:
 ## @param guac.osvCertifier.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader)
 ## @param guac.osvCertifier.replicas Number of replicas for OSV Certifier deployment
 ## @param guac.osvCertifier.image.command Command for the OSV Certifier Collector image. It is not recommended to override this.
-## @param guac.osvCertifier.env Environment variables for OSV Certifier Collector.
+## @param guac.osvCertifier.env Environment variables for OSV Certifier.
 ## @param guac.osvCertifier.nodeSelector - sets the node selector for where to run the deployment
 ## @param guac.osvCertifier.tolerations
 ## @param guac.osvCertifier.serviceAccount.create - whether to create osvCertifier service account
 ## @param guac.osvCertifier.serviceAccount.annotations - OSV Certifier service account annotations
 ## @param guac.osvCertifier.resources - [map] resource requests or limits of the OSV Certifier deployment
-## @param guac.osvCertifier.dayBetweenRescan Day(s) to wait before rescanning for vulnerability. Default 0 means only run once
+## @param guac.cdCertifier.enabled String Whether to deploy CD Certifier
+## @param guac.cdCertifier.name String Name of the CD Certifier component.
+## @param guac.cdCertifier.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader)
+## @param guac.cdCertifier.replicas Number of replicas for CD Certifier deployment
+## @param guac.cdCertifier.image.command Command for the CD Certifier Collector image. It is not recommended to override this.
+## @param guac.cdCertifier.env Environment variables for CD Certifier.
+## @param guac.cdCertifier.nodeSelector - sets the node selector for where to run the deployment
+## @param guac.cdCertifier.tolerations
+## @param guac.cdCertifier.serviceAccount.create - whether to create cdCertifier service account
+## @param guac.cdCertifier.serviceAccount.annotations - CD Certifier service account annotations
+## @param guac.cdCertifier.resources - [map] resource requests or limits of the cd Certifier deployment
 ## @param guac.ingestor.enabled String Whether to deploy Ingestor
 ## @param guac.ingestor.name String Name of the ingestor component.
 ## @param guac.ingestor.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader)
@@ -172,6 +183,9 @@ guac:
 value: secretKey
 tolerations: []
+ certifier:
+ dayBetweenRescan: "0"
+
 configMap:
 enabled: true
@@ -231,7 +245,25 @@ guac:
 # requests:
 # cpu: "0.25"
 # memory: "0.5G"
- dayBetweenRescan: 0
+
+ cdCertifier:
+ enabled: true
+ name: cd-certifier
+ annotations:
+ reloader.stakater.com/auto: "true"
+ replicas: 1
+ image:
+ command: ['sh', '-c', '/opt/guac/guaccollect cd']
+ env: []
+ nodeSelector: {}
+ tolerations: []
+ serviceAccount:
+ create: true
+ annotations: {}
+ resources: {}
+ # requests:
+ # cpu: "0.25"
+ # memory: "0.5G"
 ingestor:
 enabled: true
@@ -337,6 +369,7 @@ guac:
 # requests:
 # cpu: "0.25"
 # memory: "0.5G"
+
 visualizer:
 enabled: true
 name: visualizer
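Review bot: Moving `dayBetweenRescan` from `guac.osvCertifier` to `guac.common.certifier` and changing its default from the integer `0` to the string `"0"` is a breaking change for any user values file that set the old key, and nothing in the `@param` header says so; a line such as `## NOTE: guac.osvCertifier.dayBetweenRescan moved to guac.common.certifier.dayBetweenRescan` next to the new `@param` entry (or a changelog note) would help upgraders, and the same applies to the schema and README hunks that drop the old key. Quoting `"0"` is the right call for a string-typed field, but `## @param guac.cdCertifier.tolerations` is left without a description, like its OSV counterpart. The new `command` default uses single-quoted flow style `['sh', '-c', '/opt/guac/guaccollect cd']`; if the other components' `command` values are written differently, the file should be made consistent.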