From e7fefb51a6ced32d5963b0dba8d5e530b2506f73 Mon Sep 17 00:00:00 2001 From: sunnyyip Date: Fri, 8 Mar 2024 16:03:22 -0500 Subject: [PATCH] feat: ingress, pubsub, blob store, ent support (#44) * add ingress Signed-off-by: Sunny Yip * fix linting errors Signed-off-by: Sunny Yip * add ingress and test Signed-off-by: Sunny Yip * update unit test Signed-off-by: Sunny Yip * update helm unittest version Signed-off-by: Sunny Yip * add ENT postgres support Signed-off-by: Sunny Yip check in test inputs Signed-off-by: Sunny Yip * bump helm chart version Signed-off-by: Sunny Yip fix test Signed-off-by: Sunny Yip * add pubsub and blob addr Signed-off-by: Sunny Yip add labels to collectsub Signed-off-by: Sunny Yip * add labels to collectsub Signed-off-by: Sunny Yip * set defaults for pubSubAddr and blobAddr Signed-off-by: Sunny Yip * fix white spaces Signed-off-by: Sunny Yip * add minio blobstore Signed-off-by: Sunny Yip * update test config and set namespace Signed-off-by: Sunny Yip * add minio chart to test Signed-off-by: Sunny Yip * fix whitespaces Signed-off-by: Sunny Yip * fix whitespaces Signed-off-by: Sunny Yip * make test work Signed-off-by: Sunny Yip * lower memory request for minio Signed-off-by: Sunny Yip * fix formatting Signed-off-by: Sunny Yip * pull image from ghcr Signed-off-by: Sunny Yip * login to ghcr Signed-off-by: Sunny Yip * login to ghcr Signed-off-by: Sunny Yip * use generated ns Signed-off-by: Sunny Yip * use latest build Signed-off-by: Sunny Yip * remove unused permission Signed-off-by: Sunny Yip * update README Signed-off-by: Sunny Yip * get local test running Signed-off-by: Sunny Yip * update README Signed-off-by: Sunny Yip * bump version and include minio as a dependency Signed-off-by: Sunny Yip * fix linting error Signed-off-by: Sunny Yip --------- 
Signed-off-by: Sunny Yip --- .github/workflows/tests.yaml | 18 +- charts/guac/Chart.lock | 7 +- charts/guac/Chart.yaml | 11 +- charts/guac/README.md | 209 +++++++++++------- charts/guac/schema.json | 165 ++++++++++++-- charts/guac/templates/_helpers.tpl | 2 - charts/guac/templates/api-only-ingress.yaml | 35 +++ .../guac/templates/collectsub-deployment.yaml | 11 + .../depsdev-collector-deployment.yaml | 11 + .../templates/graphql-server-deployment.yaml | 11 + charts/guac/templates/guac-cm.yaml | 27 ++- .../guac/templates/ingest-guac-data-job.yaml | 34 ++- .../guac/templates/ingestor-deployment.yaml | 11 + charts/guac/templates/ingress.yaml | 56 +++++ .../templates/osv-certifier-deployment.yaml | 11 + .../guac/templates/visualizer-deployment.yaml | 11 + .../tests/collectsub_deployment_test.yaml | 4 +- .../guac/tests/collectsub_service_test.yaml | 4 +- .../depsdev-collector_deployment_test.yaml | 4 +- .../guac/tests/graphql_deployment_test.yaml | 5 +- .../guac/tests/graphql_ent_backend_test.yaml | 28 +++ charts/guac/tests/graphql_service_test.yaml | 4 +- .../guac/tests/ingestor_deployment_test.yaml | 4 +- charts/guac/tests/ingress_test.yaml | 31 +++ .../tests/oci_collector_deployment_test.yaml | 4 +- .../tests/osv-certifier_deployment_test.yaml | 4 +- charts/guac/tests/values_ent_backend.yaml | 9 + charts/guac/tests/values_ingress.yaml | 14 ++ charts/guac/values.yaml | 118 +++++++++- 29 files changed, 727 insertions(+), 136 deletions(-) create mode 100644 charts/guac/templates/api-only-ingress.yaml create mode 100644 charts/guac/templates/ingress.yaml create mode 100644 charts/guac/tests/graphql_ent_backend_test.yaml create mode 100644 charts/guac/tests/ingress_test.yaml create mode 100644 charts/guac/tests/values_ent_backend.yaml create mode 100644 charts/guac/tests/values_ingress.yaml diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 8edb59c..59c2fed 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
@@ -22,8 +22,8 @@ jobs: - name: Run helm unittest run: | - helm plugin install https://github.com/quintush/helm-unittest --version 0.2.11 - helm unittest charts/guac -3 + helm plugin install https://github.com/helm-unittest/helm-unittest.git --version 0.4.1 + helm unittest charts/guac - name: Install Helm uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 @@ -37,8 +37,9 @@ jobs: - name: Add Helm repos run: | - helm repo add neo4j https://helm.neo4j.com/neo4j + # helm repo add neo4j https://helm.neo4j.com/neo4j helm repo add nats https://nats-io.github.io/k8s/helm/charts + helm repo add minio https://charts.min.io/ - name: Set up chart-testing uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec # v2.3.1 @@ -66,6 +67,15 @@ jobs: version: 'v1.26.0' id: install + - name: Login to GitHub Container Registry + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Run chart-testing (install) - run: ct install --all --helm-extra-args --timeout=600s + run: | + kubectl create ns chart-testing + ct install --all --helm-extra-args --timeout=600s # if: steps.list-changed.outputs.changed == 'true' diff --git a/charts/guac/Chart.lock b/charts/guac/Chart.lock index d068a2e..1176df0 100644 --- a/charts/guac/Chart.lock +++ b/charts/guac/Chart.lock @@ -2,5 +2,8 @@ dependencies: - name: nats repository: https://nats-io.github.io/k8s/helm/charts/ version: 0.19.17 -digest: sha256:ecbbc3cea93f04cb5daf676ad1953d09c399396f2e74dbeb326521203240b508 -generated: "2023-08-16T14:24:33.92852-04:00" +- name: minio + repository: https://charts.min.io/ + version: 5.0.15 +digest: sha256:bea07af7a724b783003cd5c82ac3763d7c3fb82b2c6df0fb0b8a3f82ebc1b577 +generated: "2024-02-28T21:29:37.996055-05:00" diff --git a/charts/guac/Chart.yaml b/charts/guac/Chart.yaml index 32b0588..f2d7a83 100644 --- a/charts/guac/Chart.yaml +++ b/charts/guac/Chart.yaml 
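Review bot: The CI now installs `helm-unittest/helm-unittest.git --version 0.4.1` and runs `helm unittest charts/guac` without `-3`, but the README's Developing section in this same patch still tells contributors to `helm plugin install https://github.com/quintush/helm-unittest` and to run `helm unittest charts/guac -3`, so local and CI runs use different plugins. Update those two README lines to match the workflow: `helm plugin install https://github.com/helm-unittest/helm-unittest.git --version 0.4.1` and `helm unittest charts/guac`. The job definition enclosing this step starts outside the hunk.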
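Review bot: `uses: docker/login-action@v1` is pinned only to a floating major tag, whereas every other action in this workflow is pinned to a full commit SHA with a version comment (`azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5`, `helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec # v2.3.1`); this is the step that receives `secrets.GITHUB_TOKEN`, so it deserves the same immutability. Pin it as `uses: docker/login-action@<full-commit-sha> # v<x.y.z>` using a current release rather than the old v1 line. The login also assumes the job's token carries `packages: read` for ghcr.io pulls; the commit message mentions removing an unused permission and the `permissions:` block is outside the hunk, so confirm that scope is still granted.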
@@ -9,10 +9,17 @@ maintainers: email: guac-info@kusari.dev type: application -version: 0.2.6 -appVersion: "v0.4.0" +version: 0.2.7 +appVersion: "v0.5.0" dependencies: - name: nats version: "~0.19.12" repository: "https://nats-io.github.io/k8s/helm/charts/" + condition: nats.enabled + +# See s3 compatible storage config for MinIO at https://gocloud.dev/howto/blob/#s3 +- name: minio + version: "~5.0.15" + repository: "https://charts.min.io/" + condition: minio.enabled diff --git a/charts/guac/README.md b/charts/guac/README.md index 53fcdee..14d3c13 100644 --- a/charts/guac/README.md +++ b/charts/guac/README.md @@ -41,6 +41,7 @@ The full GUAC component deployment is a set of asynchronous services that combin - **NATS**: [NATS](https://nats.io/) is a messaging middleware used for communication between the GUAC components. +- **MinIO**: [MinIO](https://min.io/) is a S3 compatible object store used for holding SBOMs for ingesting into GUAC. ## Prerequisites 
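Review bot: `version: 0.2.7` is a patch bump for a change that adds a second subchart dependency (minio, enabled by default per the README), new Ingress templates, a new default backend and the removal of two labels from the shared label helper; under the semver Helm applies to chart versions these are feature and potentially breaking changes, so `version: 0.3.0` would signal that to consumers of the chart. The comment above the minio entry points at the gocloud S3 docs but does not say how the chart reaches the store; a line such as `# Optional S3-compatible store for SBOM blobs; wired up through guac.blobAddr (see README), disable with minio.enabled=false` would help, assuming `guac.blobAddr` is indeed the intended path.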
@@ -94,97 +95,143 @@ kubectl port-forward svc/collectsub 2782:2782 This section contains parameters for configuring the different GUAC components. -| Name | Description | Value | -| -------------------------------------------------------------- | --------------------------------------------------------------------------------------- | ------------------------------------------------------ | -| `guac.guacImage.repository` | Path to the GUAC image | `ghcr.io/guacsec/guac` | -| `guac.guacImage.tag` | Tag if using an image tag. Optional | `v0.2.0` | -| `guac.guacImage.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. | `""` | -| `guac.guacImage.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | -| `guac.guacImage.workingDir` | Working Directory for GUAC | `/guac` | -| `guac.ociCollector.enabled` | String Whether to deploy OCI Collector | `true` | -| `guac.ociCollector.name` | String Name of the OCI Collector component. | `oci-collector` | -| `guac.ociCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.ociCollector.replicas` | Number of replicas for oci collector deployment | `1` | -| `guac.ociCollector.image.command` | Command for the OCI Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect image"]` | -| `guac.ociCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.depsDevCollector.enabled` | String Whether to deploy Deps.Dev Collector | `true` | -| `guac.depsDevCollector.name` | String Name of the Deps.Dev Collector component. 
| `depsdev-collector` | -| `guac.depsDevCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.depsDevCollector.replicas` | Number of replicas for depsdev collector deployment | `1` | -| `guac.depsDevCollector.image.command` | Command for the Deps.Dev Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect deps_dev"]` | -| `guac.depsDevCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.osvCertifier.enabled` | String Whether to deploy OSV Certifier | `true` | -| `guac.osvCertifier.name` | String Name of the OSV Certifier component. | `osv-certifier` | -| `guac.osvCertifier.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.osvCertifier.replicas` | Number of replicas for OSV Certifier deployment | `1` | -| `guac.osvCertifier.image.command` | Command for the OSV Certifier Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacone certifier osv --poll"]` | -| `guac.osvCertifier.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.ingestor.enabled` | String Whether to deploy Ingestor | `true` | -| `guac.ingestor.name` | String Name of the ingestor component. | `ingestor` | -| `guac.ingestor.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.ingestor.replicas` | Number of replicas for ingestor deployment | `1` | -| `guac.ingestor.image.command` | Command for the ingestor image. It is not recommended to override this. 
| `["sh","-c","/opt/guac/guacingest"]` | -| `guac.ingestor.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.collectSub.enabled` | String Whether to deploy Collector Sub | `true` | -| `guac.collectSub.name` | String Name of the Collector Sub component. | `collectsub` | -| `guac.collectSub.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.collectSub.replicas` | Number of replicas for Collector Sub deployment | `1` | -| `guac.collectSub.image.command` | Command for the Collector Sub image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccsub"]` | -| `guac.collectSub.image.ports[0].containerPort` | Port the Collector Sub container listens on | `2782` | -| `guac.collectSub.svcPorts[0].protocol` | Protocol used at Collector Sub | `TCP` | -| `guac.collectSub.svcPorts[0].port` | Port the Collector Sub service listens on | `2782` | -| `guac.collectSub.svcPorts[0].targetPort` | Port the Collector Sub container listens on | `2782` | -| `guac.collectSub.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.graphqlServer.enabled` | String Whether to deploy GraphQL Server | `true` | -| `guac.graphqlServer.name` | String Name of the GraphQL Server component. | `graphql-server` | -| `guac.graphqlServer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.graphqlServer.replicas` | Number of replicas for GraphQL Server deployment | `1` | -| `guac.graphqlServer.image.command` | Command for the GraphQL Server image. It is not recommended to override this. 
| `["sh","-c","/opt/guac/guacgql"]` | -| `guac.graphqlServer.image.ports[0].containerPort` | Port the GraphQL Server container listens on | `8080` | -| `guac.graphqlServer.svcPorts[0].protocol` | Protocol used at the the GraphQL Server | `TCP` | -| `guac.graphqlServer.svcPorts[0].port` | Port the GraphQL Server service listens on | `8080` | -| `guac.graphqlServer.svcPorts[0].targetPort` | Port the GraphQL Server container listens on | `8080` | -| `guac.graphqlServer.backend` | which backend to use - only support inmem at the moment. | `inmem` | -| `guac.graphqlServer.debug` | Enable debug mode for graphql server; also enable the UI | `true` | -| `guac.graphqlServer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.visualizer.enabled` | String Whether to deploy the visualizer. | `true` | -| `guac.visualizer.name` | String Name of the visualizer. | `visualizer` | -| `guac.visualizer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.visualizer.replicas` | Number of replicas for visualizer deployment | `1` | -| `guac.visualizer.image.repository` | Path to the Ingestor image | `ghcr.io/guacsec/guac-visualizer` | -| `guac.visualizer.image.tag` | Tag if using an image tag. Optional | `v0.0.3` | -| `guac.visualizer.image.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. 
| `""` | -| `guac.visualizer.image.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | -| `guac.visualizer.image.ports[0].containerPort` | Port the visualizer container listens on | `3000` | -| `guac.visualizer.svcPorts[0].protocol` | Protocol used at the visualizer | `TCP` | -| `guac.visualizer.svcPorts[0].port` | Port the visualizer service listens on | `3000` | -| `guac.visualizer.svcPorts[0].targetPort` | Port the visualizer container listens on | `3000` | -| `guac.visualizer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.observability.deployServiceMonitor` | Boolean Deploy the service monitor for observability | `false` | -| `guac.sampleData.ingest` | Boolean - whether to ingest sample data after deployment | `false` | -| `guac.sampleData.jobName` | Name of the sample data ingest job | `ingest-guac-data` | +| Name | Description | Value | +| -------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | ------------------------------------------------------- | +| `guac.guacImage.repository` | Path to the GUAC image | `ghcr.io/guacsec/guac` | +| `guac.guacImage.tag` | Tag if using an image tag. Optional | `undefined` | +| `guac.guacImage.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. | `""` | +| `guac.guacImage.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | +| `guac.guacImage.workingDir` | Working Directory for GUAC | `/guac` | +| `guac.common.env` | Environment variables common apply for all guac services | `""` | +| `guac.ociCollector.enabled` | String Whether to deploy OCI Collector | `true` | +| `guac.ociCollector.name` | String Name of the OCI Collector component. 
| `oci-collector` | +| `guac.ociCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.ociCollector.replicas` | Number of replicas for oci collector deployment | `1` | +| `guac.ociCollector.image.command` | Command for the OCI Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect image"]` | +| `guac.ociCollector.env` | Environment variables for OCI Collector. | `{}` | +| `guac.ociCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.depsDevCollector.enabled` | String Whether to deploy Deps.Dev Collector | `true` | +| `guac.depsDevCollector.name` | String Name of the Deps.Dev Collector component. | `depsdev-collector` | +| `guac.depsDevCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.depsDevCollector.replicas` | Number of replicas for depsdev collector deployment | `1` | +| `guac.depsDevCollector.image.command` | Command for the Deps.Dev Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect deps_dev"]` | +| `guac.depsDevCollector.env` | Environment variables for Deps.Dev Collector. | `{}` | +| `guac.depsDevCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.osvCertifier.enabled` | String Whether to deploy OSV Certifier | `true` | +| `guac.osvCertifier.name` | String Name of the OSV Certifier component. | `osv-certifier` | +| `guac.osvCertifier.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.osvCertifier.replicas` | Number of replicas for OSV Certifier deployment | `1` | +| `guac.osvCertifier.image.command` | Command for the OSV Certifier Collector image. It is not recommended to override this. 
| `["sh","-c","/opt/guac/guacone certifier osv --poll"]` | +| `guac.osvCertifier.env` | Environment variables for OSV Certifier Collector. | `{}` | +| `guac.osvCertifier.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.ingestor.enabled` | String Whether to deploy Ingestor | `true` | +| `guac.ingestor.name` | String Name of the ingestor component. | `ingestor` | +| `guac.ingestor.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.ingestor.replicas` | Number of replicas for ingestor deployment | `1` | +| `guac.ingestor.image.command` | Command for the ingestor image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacingest"]` | +| `guac.ingestor.env` | Environment variables for ingestor. | `{}` | +| `guac.ingestor.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.collectSub.enabled` | String Whether to deploy Collector Sub | `true` | +| `guac.collectSub.name` | String Name of the Collector Sub component. | `collectsub` | +| `guac.collectSub.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.collectSub.replicas` | Number of replicas for Collector Sub deployment | `1` | +| `guac.collectSub.image.command` | Command for the Collector Sub image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccsub"]` | +| `guac.collectSub.env` | Environment variables for Collector Sub. 
| `{}` | +| `guac.collectSub.image.ports[0].containerPort` | Port the Collector Sub container listens on | `2782` | +| `guac.collectSub.svcPorts[0].protocol` | Protocol used at Collector Sub | `TCP` | +| `guac.collectSub.svcPorts[0].port` | Port the Collector Sub service listens on | `2782` | +| `guac.collectSub.svcPorts[0].targetPort` | Port the Collector Sub container listens on | `2782` | +| `guac.collectSub.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.graphqlServer.enabled` | String Whether to deploy GraphQL Server | `true` | +| `guac.graphqlServer.name` | String Name of the GraphQL Server component. | `graphql-server` | +| `guac.graphqlServer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.graphqlServer.replicas` | Number of replicas for GraphQL Server deployment | `1` | +| `guac.graphqlServer.image.command` | Command for the GraphQL Server image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacgql"]` | +| `guac.graphqlServer.env` | Environment variables for GraphQL Server. | `{}` | +| `guac.graphqlServer.image.ports[0].containerPort` | Port the GraphQL Server container listens on | `8080` | +| `guac.graphqlServer.svcPorts[0].protocol` | Protocol used at the the GraphQL Server | `TCP` | +| `guac.graphqlServer.svcPorts[0].port` | Port the GraphQL Server service listens on | `8080` | +| `guac.graphqlServer.svcPorts[0].targetPort` | Port the GraphQL Server container listens on | `8080` | +| `guac.graphqlServer.backend` | which backend to use - keyvalue (default) | arango | ent. | `keyvalue` | +| `guac.graphqlServer.debug` | Enable debug mode for graphql server; also enable the UI | `true` | +| `guac.graphqlServer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.visualizer.enabled` | String Whether to deploy the visualizer. 
| `true` | +| `guac.visualizer.name` | String Name of the visualizer. | `visualizer` | +| `guac.visualizer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.visualizer.replicas` | Number of replicas for visualizer deployment | `1` | +| `guac.visualizer.image.repository` | Path to the Ingestor image | `ghcr.io/guacsec/guac-visualizer` | +| `guac.visualizer.image.tag` | Tag if using an image tag. Optional | `v0.0.3` | +| `guac.visualizer.image.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. | `""` | +| `guac.visualizer.image.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | +| `guac.visualizer.image.ports[0].containerPort` | Port the visualizer container listens on | `3000` | +| `guac.visualizer.svcPorts[0].protocol` | Protocol used at the visualizer | `TCP` | +| `guac.visualizer.svcPorts[0].port` | Port the visualizer service listens on | `3000` | +| `guac.visualizer.svcPorts[0].targetPort` | Port the visualizer container listens on | `3000` | +| `guac.visualizer.env` | Environment variables for the visualizer. | `{}` | +| `guac.visualizer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.observability.deployServiceMonitor` | Boolean Deploy the service monitor for observability | `false` | +| `guac.sampleData.ingest` | Boolean Whether to ingest sample data after deployment | `false` | +| `guac.sampleData.jobName` | Name of the sample data ingest job | `ingest-guac-data` | +| `guac.sampleData.env` | Environment variables for the sample data ingest job | `{}` | +| `guac.ingress.enabled` | Whether to deploy an Ingress object | `false` | +| `guac.ingress.ingressClassName` | Ingress class name | `undefined` | +| `guac.ingress.webuiHostname` | DNS name for the UI components - e.g. Visualizer, GQL playground | `undefined` | +| `guac.ingress.apiHostname` | DNS name for the GQL API. 
When specified, GQL API won't be served at webuiHostname | `undefined` | +| `guac.ingress.annotations` | Annotations for the ingress object | `{}` | +| `guac.apiOnlyIngress.enabled` | Whether to deploy an Ingress object to expose API only | `false` | +| `guac.apiOnlyIngress.ingressClassName` | Ingress class name for API only ingress | `undefined` | +| `guac.apiOnlyIngress.apiHostname` | DNS name for the GQL API. | `undefined` | +| `guac.apiOnlyIngress.annotations` | Annotations for the API only ingress object | `{}` | +| `guac.backend.ent.db-driver` | database driver to use, one of [postgres | sqlite3 | mysql] or anything supported by sql.DB | `postgres` | +| `guac.backend.ent.db-address` | Full URL of database to connect to | `postgres://guac:guac@host:port/dbName?sslmode=disable` | +| `guac.backend.ent.db-migrate` | Wether to automatically run database migrations on start | `true` | +| `guac.backend.ent.db-debug` | Enable debug logging for database queries | `true` | +| `guac.pubSubAddr` | String gocloud connection string for pubsub configured via https://gocloud.dev/howto/pubsub/ | `undefined` | +| `guac.blobAddr` | gocloud connection string for blob store configured via https://gocloud.dev/howto/blob/ | `undefined` | ### nats This is the configuration for nats. This is a subchart. See full documentation [here](https://docs.nats.io/running-a-nats-service/nats-kubernetes/helm-charts). 
-| Name | Description | Value | -| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `nats.nats.jetstream.enabled` | Boolean for enabling JetStream. | `true` | -| `nats.nats.limits.maxPayload` | Max Payload size for nats | `64MB` | -| `nats.nats.statefulSetPodLabels.app.kubernetes.io/part-of` | Label to associate nats with GUAC for monitoring purposes | `{"nats":{"jetstream":{"enabled":true},"limits":{"maxPayload":"64MB"},"statefulSetPodLabels":{"app.kubernetes.io/part-of":"guac"}},"natsbox":{"additionalLabels":{"app.kubernetes.io/part-of":"guac"},"podLabels":{"app.kubernetes.io/part-of":"guac"}},"exporter":{"enabled":true,"serviceMonitor":{"enabled":false,"namespace":"monitoring","labels":{"release":"monitoring"}}}}` | -| `nats.natsbox.additionalLabels.app.kubernetes.io/part-of` | Label to associate natsbox with GUAC for monitoring purposes | `guac` | -| `nats.natsbox.podLabels.app.kubernetes.io/part-of` | Label to associate natsbox with GUAC for monitoring purposes | `guac` | -| `nats.exporter.enabled` | Boolean to enable data collection | `true` | -| `nats.exporter.serviceMonitor.enabled` | Boolean to enable nats service monitor | `false` | -| `nats.exporter.serviceMonitor.namespace` | nats service monitor namespace - this is for monitoring purposes and is used by Prometheus | `monitoring` | -| `nats.exporter.serviceMonitor.labels.release` | Label to associate nats service monitor with GUAC for monitoring purposes | `monitoring` | +| Name | Description | Value | +| 
---------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `nats.enabled` | Whehter to deploy nats | `true` | +| `nats.nats.jetstream.enabled` | Boolean for enabling JetStream. | `true` | +| `nats.nats.limits.maxPayload` | Max Payload size for nats | `64MB` | +| `nats.nats.statefulSetPodLabels.app.kubernetes.io/part-of` | Label to associate nats with GUAC for monitoring purposes | `{"enabled":true,"nats":{"jetstream":{"enabled":true},"limits":{"maxPayload":"64MB"},"statefulSetPodLabels":{"app.kubernetes.io/part-of":"guac"}},"natsbox":{"enabled":false,"additionalLabels":{"app.kubernetes.io/part-of":"guac"},"podLabels":{"app.kubernetes.io/part-of":"guac"}},"exporter":{"enabled":false,"serviceMonitor":{"enabled":false,"namespace":"monitoring","labels":{"release":"monitoring"}}}}` | +| `nats.natsbox.enabled` | Whehter to run natsbox | `false` | +| `nats.natsbox.additionalLabels.app.kubernetes.io/part-of` | Label to associate natsbox with GUAC for monitoring purposes | `guac` | +| `nats.natsbox.podLabels.app.kubernetes.io/part-of` | Label to associate natsbox with GUAC for monitoring purposes | `guac` | +| `nats.exporter.enabled` | Boolean to enable data collection | `false` | +| `nats.exporter.serviceMonitor.enabled` | Boolean to enable nats service monitor | `false` | +| `nats.exporter.serviceMonitor.namespace` | String nats service monitor namespace - this is for monitoring purposes and is used by Prometheus | `monitoring` | +| 
`nats.exporter.serviceMonitor.labels.release` | Label to associate nats service monitor with GUAC for monitoring purposes | `monitoring` | + +### minio + +This is the configuration for minio. This is a subchart. See full documentation [here](https://github.com/minio/minio/tree/master/helm/minio). + +| Name | Description | Value | +| -------------------- | ------------------------------------------------------------------------------ | -------------- | +| `minio.enabled` | Whehter to deploy minio as part of the Helm deployment | `true` | +| `minio.replicas` | Number of replicas. | `1` | +| `minio.persistence` | Persistence volume configuration. | `{}` | +| `minio.mode` | minio mode, i.e. standalone or distributed | `standalone` | +| `minio.resources` | resource requests and limits | `{}` | +| `minio.rootUser` | root user name. | `rootUser` | +| `minio.rootPassword` | root user password. | `rootPassword` | +| `minio.buckets` | List of buckets to create after deployment. | `{}` | +| `minio.users` | List of users, in terms of creds and permissions, to create after deployment.? | `{}` | ## Developing For running the unit tests, install the unittest plugin. `helm plugin install https://github.com/quintush/helm-unittest` -To Run unit tests +To run unit tests `helm unittest charts/guac -3` + +To run Helm chart-testing (ct) lint and install tests + +`ct install --all --helm-extra-args --timeout=600s` \ No newline at end of file diff --git a/charts/guac/schema.json b/charts/guac/schema.json index e4a2596..9b43137 100644 --- a/charts/guac/schema.json +++ b/charts/guac/schema.json 
@@ -26,16 +26,10 @@ "description": "Path to the GUAC image", "default": "ghcr.io/guacsec/guac" }, - "tag": { - "type": "string", - "description": "Tag if using an image tag. Optional", - "default": "v0.2.0", - "nullable": true - }, "digest": { "type": "string", "description": "Sha256 Image Digest. It is strongly recommended to use this for verification.", - "default": "" + "default": "\"\"" }, "pullPolicy": { "type": "string", @@ -49,6 +43,16 @@ } } }, + "common": { + "type": "object", + "properties": { + "env": { + "type": "string", + "description": "Environment variables common apply for all guac services", + "default": "\"\"" + } + } + }, "ociCollector": { "type": "object", "properties": { @@ -84,6 +88,11 @@ } } }, + "env": { + "type": "object", + "description": "Environment variables for OCI Collector.", + "default": {} + }, "nodeSelector": { "type": "object", "description": "- sets the node selector for where to run the deployment", @@ -126,6 +135,11 @@ } } }, + "env": { + "type": "object", + "description": "Environment variables for Deps.Dev Collector.", + "default": {} + }, "nodeSelector": { "type": "object", "description": "- sets the node selector for where to run the deployment", @@ -168,6 +182,11 @@ } } }, + "env": { + "type": "object", + "description": "Environment variables for OSV Certifier Collector.", + "default": {} + }, "nodeSelector": { "type": "object", "description": "- sets the node selector for where to run the deployment", @@ -210,6 +229,11 @@ } } }, + "env": { + "type": "object", + "description": "Environment variables for ingestor.", + "default": {} + }, "nodeSelector": { "type": "object", "description": "- sets the node selector for where to run the deployment", @@ -265,6 +289,11 @@ } } }, + "env": { + "type": "object", + "description": "Environment variables for Collector Sub.", + "default": {} + }, "svcPorts": { "type": "array", "description": "Protocol used at Collector Sub", 
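Review bot: `"default": "\"\""` on `guacImage.digest` replaces the previous empty-string default with a literal two-character string of quote marks, which contradicts the README (`""`) and looks like a schema-generator artifact; the same value appears for `visualizer.image.digest` in the hunk at `@@ -414,7 +448,7 @@` and for the new `common.env`. `common.env` is additionally typed `"string"` while every per-component `env` added in this patch is `"type": "object"` with `"default": {}`, so one of the two shapes is wrong. Restore `"default": ""` on both digest entries and, if `common.env` takes a map like the others, declare it `"type": "object", "default": {}`. The `tag` property is also removed from the schema here while the README table in this commit still lists `guac.guacImage.tag`.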
@@ -341,6 +370,11 @@ } } }, + "env": { + "type": "object", + "description": "Environment variables for GraphQL Server.", + "default": {} + }, "svcPorts": { "type": "array", "description": "Protocol used at the the GraphQL Server", @@ -364,8 +398,8 @@ }, "backend": { "type": "string", - "description": "which backend to use - only support inmem at the moment.", - "default": "inmem" + "description": "which backend to use - keyvalue (default) | arango | ent.", + "default": "keyvalue" }, "debug": { "type": "boolean", @@ -414,7 +448,7 @@ "digest": { "type": "string", "description": "Sha256 Image Digest. It is strongly recommended to use this for verification.", - "default": "" + "default": "\"\"" }, "pullPolicy": { "type": "string", @@ -457,6 +491,11 @@ } } }, + "env": { + "type": "object", + "description": "Environment variables for the visualizer.", + "default": {} + }, "nodeSelector": { "type": "object", "description": "- sets the node selector for where to run the deployment", 
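Review bot: The `backend` property now names its three accepted values only in prose (`keyvalue (default) | arango | ent`), so a typo in values.yaml passes schema validation and only fails once the graphql-server starts. Adding `"enum": ["keyvalue", "arango", "ent"]` next to the description makes the constraint machine-checkable; if other values are legitimately accepted, say so in the description instead. The enclosing `graphqlServer` object starts outside this hunk.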
@@ -479,13 +518,68 @@ "properties": { "ingest": { "type": "boolean", - "description": "Boolean - whether to ingest sample data after deployment", + "description": "Boolean Whether to ingest sample data after deployment", "default": false }, "jobName": { "type": "string", "description": "Name of the sample data ingest job", "default": "ingest-guac-data" + }, + "env": { + "type": "object", + "description": "Environment variables for the sample data ingest job", + "default": {} + } + } + }, + "ingress": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether to deploy an Ingress object", + "default": false + } + } + }, + "apiOnlyIngress": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether to deploy an Ingress object to expose API only", + "default": false + } + } + }, + "backend": { + "type": "object", + "properties": { + "ent": { + "type": "object", + "properties": { + "db-driver": { + "type": "string", + "description": "database driver to use, one of [postgres | sqlite3 | mysql] or anything supported by sql.DB", + "default": "postgres" + }, + "db-address": { + "type": "string", + "description": "Full URL of database to connect to", + "default": "postgres://guac:guac@host:port/dbName?sslmode=disable" + }, + "db-migrate": { + "type": "boolean", + "description": "Wether to automatically run database migrations on start", + "default": true + }, + "db-debug": { + "type": "boolean", + "description": "Enable debug logging for database queries", + "default": true + } + } } } } @@ -494,6 +588,11 @@ "nats": { "type": "object", "properties": { + "enabled": { + "type": "boolean", + "description": "Whehter to deploy nats", + "default": true + }, "nats": { "type": "object", "properties": { 
@@ -519,13 +618,23 @@ } } }, + "natsbox": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whehter to run natsbox", + "default": false + } + } + }, "exporter": { "type": "object", "properties": { "enabled": { "type": "boolean", "description": "Boolean to enable data collection", - "default": true + "default": false }, "serviceMonitor": { "type": "object", @@ -537,7 +646,7 @@ }, "namespace": { "type": "string", - "description": "nats service monitor namespace - this is for monitoring purposes and is used by Prometheus", + "description": "String nats service monitor namespace - this is for monitoring purposes and is used by Prometheus", "default": "monitoring" }, "labels": { @@ -555,6 +664,36 @@ } } } + }, + "minio": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whehter to deploy minio as part of the Helm deployment", + "default": true + }, + "replicas": { + "type": "number", + "description": "Number of replicas.", + "default": 1 + }, + "mode": { + "type": "string", + "description": "minio mode, i.e. standalone or distributed", + "default": "standalone" + }, + "rootUser": { + "type": "string", + "description": "root user name.", + "default": "rootUser" + }, + "rootPassword": { + "type": "string", + "description": "root user password.", + "default": "rootPassword" + } + } } } } \ No newline at end of file diff --git a/charts/guac/templates/_helpers.tpl b/charts/guac/templates/_helpers.tpl index 2bad509..b6f4c5b 100644 --- a/charts/guac/templates/_helpers.tpl +++ b/charts/guac/templates/_helpers.tpl @@ -44,8 +44,6 @@ helm.sh/chart: {{ include "guac.chart" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/part-of: "guac" app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} 
diff --git a/charts/guac/templates/api-only-ingress.yaml b/charts/guac/templates/api-only-ingress.yaml new file mode 100644 index 0000000..0f589d7 --- /dev/null +++ b/charts/guac/templates/api-only-ingress.yaml @@ -0,0 +1,35 @@ +{{- if .Values.guac.apiOnlyIngress.enabled -}} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ .Release.Namespace }} + namespace: {{ .Release.Namespace }} + +{{- if .Values.guac.apiOnlyIngress.annotations }} + annotations: +{{ toYaml .Values.guac.apiOnlyIngress.annotations | indent 4 }} +{{- end }} + + labels: +{{- include "guac.labels" . | nindent 4 }} +{{- range $key, $value := .Values.guac.apiOnlyIngress.extraLabels }} + {{ $key }}: {{ $value }} +{{- end }} + +spec: + {{- if .Values.guac.apiOnlyIngress.ingressClassName }} + ingressClassName: {{ .Values.guac.apiOnlyIngress.ingressClassName }} + {{- end }} + rules: + - host: {{ .Values.guac.apiOnlyIngress.apiHostname }} + http: + paths: + - path: /query + pathType: Prefix + backend: + service: + name: graphql-server + port: + number: 8080 +{{- end -}} diff --git a/charts/guac/templates/collectsub-deployment.yaml b/charts/guac/templates/collectsub-deployment.yaml index 5339005..d951d10 100644 --- a/charts/guac/templates/collectsub-deployment.yaml +++ b/charts/guac/templates/collectsub-deployment.yaml @@ -48,6 +48,17 @@ spec: mountPath: {{ .Values.guac.guacImage.workingDir }} readOnly: true {{- if .Values.imagePullSecrets }} +{{- if or .Values.guac.common.env .Values.guac.collectSub.env }} + env: + {{- range $key, $value := .Values.guac.common.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.guac.collectSub.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} +{{- end }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} {{- end }} 
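Review bot: `name: {{ .Release.Namespace }}` gives this Ingress the namespace's name, and `ingress.yaml` in this commit uses the identical name, so enabling `guac.ingress` and `guac.apiOnlyIngress` together in one namespace produces two Ingress objects with the same name and the release fails or one silently overwrites the other; two releases in one namespace collide the same way. A release-derived name such as `name: {{ .Release.Name }}-api-ingress` here (and `{{ .Release.Name }}-ingress` in ingress.yaml) avoids both. `host: {{ .Values.guac.apiOnlyIngress.apiHostname }}` should also be `| quote`, so an unset value renders as an empty string instead of `host:` with no value, and the same applies to the `{{ $value }}` label values in the `extraLabels` loop.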
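Review bot: The new `env:` block is placed inside `{{- if .Values.imagePullSecrets }}` (after the `if` line and before `imagePullSecrets:`), so collectsub's environment — including everything in `guac.common.env` — is rendered only when image pull secrets are configured and is silently dropped otherwise. The same placement appears in the graphql-server-deployment.yaml, osv-certifier-deployment.yaml and visualizer-deployment.yaml hunks, whereas depsdev-collector-deployment.yaml and ingestor-deployment.yaml put the block before the `if`, which is the correct order. Move the `{{- if or .Values.guac.common.env … }} … {{- end }}` block above `{{- if .Values.imagePullSecrets }}` in the four affected templates. The container-level `env` and the pod-level `imagePullSecrets` also need different indentation, which the collapsed diff does not let me confirm.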
diff --git a/charts/guac/templates/depsdev-collector-deployment.yaml b/charts/guac/templates/depsdev-collector-deployment.yaml index 00ac696..2be9807 100644 --- a/charts/guac/templates/depsdev-collector-deployment.yaml +++ b/charts/guac/templates/depsdev-collector-deployment.yaml @@ -47,6 +47,17 @@ spec: - name: guac-config mountPath: {{ .Values.guac.guacImage.workingDir }} readOnly: true +{{- if or .Values.guac.common.env .Values.guac.depsDevCollector.env }} + env: + {{- range $key, $value := .Values.guac.common.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.guac.depsDevCollector.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} +{{- end }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} diff --git a/charts/guac/templates/graphql-server-deployment.yaml b/charts/guac/templates/graphql-server-deployment.yaml index 803a5c4..228ad91 100644 --- a/charts/guac/templates/graphql-server-deployment.yaml +++ b/charts/guac/templates/graphql-server-deployment.yaml @@ -48,6 +48,17 @@ spec: mountPath: {{ .Values.guac.guacImage.workingDir }} readOnly: true {{- if .Values.imagePullSecrets }} +{{- if or .Values.guac.common.env .Values.guac.graphqlServer.env }} + env: + {{- range $key, $value := .Values.guac.common.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.guac.graphqlServer.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} +{{- end }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} {{- end }} diff --git a/charts/guac/templates/guac-cm.yaml b/charts/guac/templates/guac-cm.yaml index 233ded9..41adefb 100644 --- a/charts/guac/templates/guac-cm.yaml +++ b/charts/guac/templates/guac-cm.yaml 
@@ -8,8 +8,18 @@ metadata: data: guac.yaml: | - # Nats setup - nats-addr: nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}.svc.cluster.local:4222 +{{- if $.Values.guac.pubSubAddr }} + pubsub-addr: {{ $.Values.guac.pubSubAddr }} +{{- else }} + pubsub-addr: nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}.svc.cluster.local:4222 +{{- end }} + +{{- if $.Values.guac.blobAddr }} + blob-addr: {{ $.Values.guac.blobAddr }} +{{- else }} + blob-addr: s3://bucketname?endpoint={{ .Release.Namespace }}-minio.{{ .Release.Namespace }}.svc.cluster.local:9000®ion=us-east-1&disableSSL=true&s3ForcePathStyle=true +{{- end }} + # CSub setup {{- with (index .Values.guac.collectSub.svcPorts 0) }} @@ -28,4 +38,15 @@ data: # Collector behavior service-poll: true - use-csub: true \ No newline at end of file + use-csub: true + + # certifier polling + poll: true + interval: 5m + +{{ if eq $.Values.guac.graphqlServer.backend "ent" }} + # Ent config + {{- range $key, $val := $.Values.guac.backend.ent }} + {{ $key }}: {{ $val }} + {{- end }} +{{ end }} diff --git a/charts/guac/templates/ingest-guac-data-job.yaml b/charts/guac/templates/ingest-guac-data-job.yaml index e8b2a6b..30f839c 100644 --- a/charts/guac/templates/ingest-guac-data-job.yaml +++ b/charts/guac/templates/ingest-guac-data-job.yaml @@ -25,6 +25,17 @@ spec: image: "ubuntu:22.04" command: ['sh', '-c', '/tmp/guac/ingest-guac-data.sh ingest-data'] workingDir: {{ .Values.guac.workingDir }} +{{- if or .Values.guac.common.env .Values.guac.sampleData.env }} + env: + {{- range $key, $value := .Values.guac.common.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.guac.sampleData.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} +{{- end }} volumeMounts: - name: guac-config mountPath: {{ .Values.guac.guacImage.workingDir }} 
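Review bot: The `{{ $key }}: {{ $val }}` loop in the second hunk writes `guac.backend.ent.db-address`, whose documented form embeds the database password (`postgres://guac:guac@…`), into the `guac-cm` ConfigMap, so the DB credential is readable by anyone with ConfigMap access rather than Secret access. Keep `db-address` out of the ConfigMap — source it from a Secret (an `existingSecret`-style value, or `valueFrom.secretKeyRef` in the graphql-server deployment) and have the loop skip that key; the shipped defaults `sslmode=disable` and `db-debug: true` (query logging) should also be documented as development-only. String keys should be emitted as `{{ $key }}: {{ $val | quote }}`, since an address containing ` #` or `: ` would otherwise break the embedded YAML. As displayed, the default `blob-addr` reads `®ion=us-east-1`; if the source has `&region=` this is only a rendering artifact, but it is worth confirming. A user-supplied `pubSubAddr` or `blobAddr` that carries credentials lands in the same ConfigMap.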
@@ -96,7 +107,8 @@ data: apt-get update && apt-get install -y curl curl -L https://github.com/guacsec/guac/releases/latest/download/guacone-linux-amd64 -o /tmp/guacone - chmod +x /tmp/guacone + curl -L https://github.com/guacsec/guac/releases/latest/download/guaccollect-linux-amd64 -o /tmp/guaccollect + chmod +x /tmp/guacone /tmp/guaccollect while [ ! -f ${INDICATOR_FILE} ] do @@ -104,12 +116,18 @@ data: done cd ${GUACSEC_HOME} - for d in guac-data/docs - # guac-data/some-sboms - # guac-data/top-dh-sboms guac-data/docs - do - time /tmp/guacone collect files ${SHARED_DATA}/${d} - done + + echo running guaccollect... at ${SHARED_DATA}/guac-data/docs + ls -la ${SHARED_DATA}/guac-data/docs + time /tmp/guaccollect files --service-poll=false ${SHARED_DATA}/guac-data/docs + + echo running guacone collect... + time /tmp/guacone collect files ${SHARED_DATA}/guac-data/top-dh-sboms/zookeeper.json + # for d in guac-data/docs + # do + # done + + rm ${INDICATOR_FILE} ;; @@ -118,4 +136,4 @@ data: ;; esac -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/guac/templates/ingestor-deployment.yaml b/charts/guac/templates/ingestor-deployment.yaml index 64a85e9..cd8868d 100644 --- a/charts/guac/templates/ingestor-deployment.yaml +++ b/charts/guac/templates/ingestor-deployment.yaml @@ -47,6 +47,17 @@ spec: - name: guac-config mountPath: {{ .Values.guac.guacImage.workingDir }} readOnly: true +{{- if or .Values.guac.common.env .Values.guac.ingestor.env }} + env: + {{- range $key, $value := .Values.guac.common.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.guac.ingestor.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} +{{- end }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} diff --git a/charts/guac/templates/ingress.yaml b/charts/guac/templates/ingress.yaml new file mode 100644 index 0000000..7796e18 --- /dev/null 
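Review bot: The added `curl -L …/releases/latest/download/guaccollect-linux-amd64` fetches an unpinned, unverified binary that is then `chmod +x`'d and executed by the ingest job; `latest` can drift from the chart's `appVersion`, and nothing checks a checksum or signature before the binary runs. Pin the download to a known release (presumably the one matching the guac image tag — confirm) and verify a published digest before executing it, and use `curl -fL` so an HTTP error body is not saved and executed as the binary. The enclosing shell script begins before this hunk.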
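Review bot: The second hunk leaves an empty commented-out loop (`# for d in guac-data/docs` / `# do` / `# done`) with no body after the real loop was replaced by two explicit commands, and it adds an `ls -la` that only pads the job log. Drop the dead comment block, or replace it with a one-line note explaining why the docs directory is now ingested via `guaccollect files --service-poll=false` and the SBOM via `guacone collect files`.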
+++ b/charts/guac/templates/ingress.yaml @@ -0,0 +1,56 @@ +{{- if .Values.guac.ingress.enabled -}} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ .Release.Namespace }} + namespace: {{ .Release.Namespace }} + +{{- if .Values.guac.ingress.annotations }} + annotations: +{{ toYaml .Values.guac.ingress.annotations | indent 4 }} +{{- end }} + + labels: +{{- include "guac.labels" . | nindent 4 }} +{{- range $key, $value := .Values.guac.ingress.extraLabels }} + {{ $key }}: {{ $value }} +{{- end }} + +spec: + {{- if .Values.guac.ingress.ingressClassName }} + ingressClassName: {{ .Values.guac.ingress.ingressClassName }} + {{- end }} + rules: + {{ if .Values.guac.ingress.webuiHostname }} + - host: {{ .Values.guac.ingress.webuiHostname }} + http: &http + paths: + - path: /playground + pathType: Prefix + backend: + service: + name: graphql-server + port: + number: 8080 + - path: / + pathType: Prefix + backend: + service: + name: visualizer + port: + number: 3000 + {{ end }} + {{ if .Values.guac.ingress.apiHostname }} + - host: {{ .Values.guac.ingress.apiHostname }} + http: + paths: + {{ end }} + - path: /query + pathType: Prefix + backend: + service: + name: graphql-server + port: + number: 8080 +{{- end -}} diff --git a/charts/guac/templates/osv-certifier-deployment.yaml b/charts/guac/templates/osv-certifier-deployment.yaml index b3d6dc8..c62e52e 100644 --- a/charts/guac/templates/osv-certifier-deployment.yaml +++ b/charts/guac/templates/osv-certifier-deployment.yaml 
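Review bot: The trailing `- path: /query` item sits outside both `{{ if }}` blocks: joining the `webuiHostname` rule when `apiHostname` is unset matches the documented intent, but when neither hostname is set it dangles directly under `rules:` and the rendered Ingress is invalid — and values.yaml ships both hostnames commented out, so `enabled: true` with defaults hits that case. Either fail early with `{{- required "guac.ingress.webuiHostname or apiHostname must be set" (or .Values.guac.ingress.webuiHostname .Values.guac.ingress.apiHostname) }}` or emit an explicit host-less rule for that case. The manifest has no `tls:` stanza, so the GraphQL API and visualizer are published over plain HTTP unless the controller adds TLS itself; a `{{- with .Values.guac.ingress.tls }} tls: {{ toYaml . | nindent 4 }} {{- end }}` block (mirrored in api-only-ingress.yaml) would let operators terminate TLS per host. The `&http` anchor is never aliased and can be removed.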
@@ -48,6 +48,17 @@ spec: mountPath: {{ .Values.guac.guacImage.workingDir }} readOnly: true {{- if .Values.imagePullSecrets }} +{{- if or .Values.guac.common.env .Values.guac.osvCertifier.env }} + env: + {{- range $key, $value := .Values.guac.common.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.guac.osvCertifier.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} +{{- end }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} {{- end }} diff --git a/charts/guac/templates/visualizer-deployment.yaml b/charts/guac/templates/visualizer-deployment.yaml index 6a863e0..e2a3431 100644 --- a/charts/guac/templates/visualizer-deployment.yaml +++ b/charts/guac/templates/visualizer-deployment.yaml @@ -60,6 +60,17 @@ spec: subPath: guac.yaml readOnly: true {{- if .Values.imagePullSecrets }} +{{- if or .Values.guac.common.env .Values.guac.visualizer.env }} + env: + {{- range $key, $value := .Values.guac.common.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.guac.visualizer.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} +{{- end }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} {{- end }} diff --git a/charts/guac/tests/collectsub_deployment_test.yaml b/charts/guac/tests/collectsub_deployment_test.yaml index 42afd2e..2fa1c86 100644 --- a/charts/guac/tests/collectsub_deployment_test.yaml +++ b/charts/guac/tests/collectsub_deployment_test.yaml @@ -45,10 +45,10 @@ tests: path: spec.replicas value: 1 - equal: - path: spec.selector.matchLabels.app\.kubernetes\.io/name + path: spec.selector.matchLabels["app.kubernetes.io/name"] value: collectsub - equal: - path: spec.template.metadata.labels.app\.kubernetes\.io/name + path: spec.template.metadata.labels["app.kubernetes.io/name"] value: collectsub - it: should use tag if only tag is specified 
diff --git a/charts/guac/tests/collectsub_service_test.yaml b/charts/guac/tests/collectsub_service_test.yaml index 2f958da..097923f 100644 --- a/charts/guac/tests/collectsub_service_test.yaml +++ b/charts/guac/tests/collectsub_service_test.yaml @@ -20,8 +20,8 @@ tests: path: metadata.name value: collectsub - equal: - path: metadata.labels.app\.kubernetes\.io/name + path: metadata.labels["app.kubernetes.io/name"] value: collectsub - equal: - path: spec.selector.app\.kubernetes\.io/name + path: spec.selector["app.kubernetes.io/name"] value: collectsub \ No newline at end of file diff --git a/charts/guac/tests/depsdev-collector_deployment_test.yaml b/charts/guac/tests/depsdev-collector_deployment_test.yaml index c048b8b..26c592a 100644 --- a/charts/guac/tests/depsdev-collector_deployment_test.yaml +++ b/charts/guac/tests/depsdev-collector_deployment_test.yaml @@ -45,10 +45,10 @@ tests: path: spec.replicas value: 1 - equal: - path: spec.selector.matchLabels.app\.kubernetes\.io/name + path: spec.selector.matchLabels["app.kubernetes.io/name"] value: depsdev-collector - equal: - path: spec.template.metadata.labels.app\.kubernetes\.io/name + path: spec.template.metadata.labels["app.kubernetes.io/name"] value: depsdev-collector - it: should use tag if only tag is specified diff --git a/charts/guac/tests/graphql_deployment_test.yaml b/charts/guac/tests/graphql_deployment_test.yaml index 6116199..d26da0f 100644 --- a/charts/guac/tests/graphql_deployment_test.yaml +++ b/charts/guac/tests/graphql_deployment_test.yaml @@ -45,12 +45,13 @@ tests: path: spec.replicas value: 1 - equal: - path: spec.selector.matchLabels.app\.kubernetes\.io/name + path: spec.selector.matchLabels["app.kubernetes.io/name"] value: graphql-server - equal: - path: spec.template.metadata.labels.app\.kubernetes\.io/name + path: spec.template.metadata.labels["app.kubernetes.io/name"] value: graphql-server + - it: should use tag if only tag is specified values: - ./values_tag_no_digest.yaml 
diff --git a/charts/guac/tests/graphql_ent_backend_test.yaml b/charts/guac/tests/graphql_ent_backend_test.yaml new file mode 100644 index 0000000..05d4f19 --- /dev/null +++ b/charts/guac/tests/graphql_ent_backend_test.yaml @@ -0,0 +1,28 @@ +# Copyright Kusari, Inc. and contributors +# Licensed under the MIT license. See LICENSE file in the project root for details. +suite: ConfigMap tests +templates: + - guac-cm.yaml + +tests: + - it: configmap should render + values: + - ./values_ent_backend.yaml + asserts: + - isKind: + of: ConfigMap + - hasDocuments: + count: 1 + - equal: + path: metadata.name + value: guac-cm + # commenting this out as data["guac.yaml"] can't be accessed as object when '|' is added to make it a multi-line string + # - equal: + # path: data["guac.yaml"]["db-driver"] + # value: postgres + # - equal: + # path: data["guac.yaml"]["db-address"] + # value: postgres://guac:guac@host:port/guacDB + # - equal: + # path: data["guac.yaml"]["db-migrate"] + # value: true diff --git a/charts/guac/tests/graphql_service_test.yaml b/charts/guac/tests/graphql_service_test.yaml index 00a452e..10c846b 100644 --- a/charts/guac/tests/graphql_service_test.yaml +++ b/charts/guac/tests/graphql_service_test.yaml @@ -20,8 +20,8 @@ tests: path: metadata.name value: graphql-server - equal: - path: metadata.labels.app\.kubernetes\.io/name + path: metadata.labels["app.kubernetes.io/name"] value: graphql-server - equal: - path: spec.selector.app\.kubernetes\.io/name + path: spec.selector["app.kubernetes.io/name"] value: graphql-server \ No newline at end of file diff --git a/charts/guac/tests/ingestor_deployment_test.yaml b/charts/guac/tests/ingestor_deployment_test.yaml index 161ff2d..3e454ae 100644 --- a/charts/guac/tests/ingestor_deployment_test.yaml +++ b/charts/guac/tests/ingestor_deployment_test.yaml 
@@ -45,10 +45,10 @@ tests: path: spec.replicas value: 1 - equal: - path: spec.selector.matchLabels.app\.kubernetes\.io/name + path: spec.selector.matchLabels["app.kubernetes.io/name"] value: ingestor - equal: - path: spec.template.metadata.labels.app\.kubernetes\.io/name + path: spec.template.metadata.labels["app.kubernetes.io/name"] value: ingestor - it: should use tag if only tag is specified diff --git a/charts/guac/tests/ingress_test.yaml b/charts/guac/tests/ingress_test.yaml new file mode 100644 index 0000000..b7c0b87 --- /dev/null +++ b/charts/guac/tests/ingress_test.yaml @@ -0,0 +1,31 @@ +# Copyright Kusari, Inc. and contributors +# Licensed under the MIT license. See LICENSE file in the project root for details. +suite: Ingress tests +templates: + - ingress.yaml + +tests: + - it: ingress should render + values: + # use Chart Testing config + - ./values_ingress.yaml + asserts: + - isKind: + of: Ingress + - hasDocuments: + count: 1 + - equal: + path: spec.ingressClassName + value: traefik + - equal: + path: spec.rules[0].host + value: web.guac.com + - equal: + path: spec.rules[1].host + value: api.guac.com + - equal: + path: metadata.annotations["test-annotation"] + value: test-value + - equal: + path: metadata.labels['test-label'] + value: test-value diff --git a/charts/guac/tests/oci_collector_deployment_test.yaml b/charts/guac/tests/oci_collector_deployment_test.yaml index 32fd2bf..1fdf8ba 100644 --- a/charts/guac/tests/oci_collector_deployment_test.yaml +++ b/charts/guac/tests/oci_collector_deployment_test.yaml @@ -45,10 +45,10 @@ tests: path: spec.replicas value: 1 - equal: - path: spec.selector.matchLabels.app\.kubernetes\.io/name + path: spec.selector.matchLabels["app.kubernetes.io/name"] value: oci-collector - equal: - path: spec.template.metadata.labels.app\.kubernetes\.io/name + path: spec.template.metadata.labels["app.kubernetes.io/name"] value: oci-collector - it: should use tag if only tag is specified 
diff --git a/charts/guac/tests/osv-certifier_deployment_test.yaml b/charts/guac/tests/osv-certifier_deployment_test.yaml index 6823b2c..ab97f93 100644 --- a/charts/guac/tests/osv-certifier_deployment_test.yaml +++ b/charts/guac/tests/osv-certifier_deployment_test.yaml @@ -45,10 +45,10 @@ tests: path: spec.replicas value: 1 - equal: - path: spec.selector.matchLabels.app\.kubernetes\.io/name + path: spec.selector.matchLabels["app.kubernetes.io/name"] value: osv-certifier - equal: - path: spec.template.metadata.labels.app\.kubernetes\.io/name + path: spec.template.metadata.labels["app.kubernetes.io/name"] value: osv-certifier - it: should use tag if only tag is specified diff --git a/charts/guac/tests/values_ent_backend.yaml b/charts/guac/tests/values_ent_backend.yaml new file mode 100644 index 0000000..fb040ac --- /dev/null +++ b/charts/guac/tests/values_ent_backend.yaml @@ -0,0 +1,9 @@ +# Ingest sample data to ensure the test instance is fully functional +guac: + graphqlServer: + backend: ent + backend: + ent: + db-driver: postgres + db-address: postgres://guac:guac@host:port/guacDB + db-migrate: true diff --git a/charts/guac/tests/values_ingress.yaml b/charts/guac/tests/values_ingress.yaml new file mode 100644 index 0000000..83a90d4 --- /dev/null +++ b/charts/guac/tests/values_ingress.yaml @@ -0,0 +1,14 @@ +# Ingest sample data to ensure the test instance is fully functional +guac: + sampleData: + ingest: true + + ingress: + enabled: true + ingressClassName: traefik + webuiHostname: web.guac.com + apiHostname: api.guac.com + annotations: + test-annotation: test-value + extraLabels: + test-label: test-value diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml index f55f20e..7245041 100644 --- a/charts/guac/values.yaml +++ b/charts/guac/values.yaml 
@@ -15,35 +15,41 @@ imagePullSecrets: ## @param guac.guacImage.digest [string] Sha256 Image Digest. It is strongly recommended to use this for verification. ## @param guac.guacImage.pullPolicy ImagePullPolicy for kubernetes ## @param guac.guacImage.workingDir Working Directory for GUAC +## @param guac.common.env [string] Environment variables common apply for all guac services ## @param guac.ociCollector.enabled String Whether to deploy OCI Collector ## @param guac.ociCollector.name String Name of the OCI Collector component. ## @param guac.ociCollector.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) ## @param guac.ociCollector.replicas Number of replicas for oci collector deployment ## @param guac.ociCollector.image.command Command for the OCI Collector image. It is not recommended to override this. +## @param guac.ociCollector.env Environment variables for OCI Collector. ## @param guac.ociCollector.nodeSelector - sets the node selector for where to run the deployment ## @param guac.depsDevCollector.enabled String Whether to deploy Deps.Dev Collector ## @param guac.depsDevCollector.name String Name of the Deps.Dev Collector component. ## @param guac.depsDevCollector.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) ## @param guac.depsDevCollector.replicas Number of replicas for depsdev collector deployment ## @param guac.depsDevCollector.image.command Command for the Deps.Dev Collector image. It is not recommended to override this. +## @param guac.depsDevCollector.env Environment variables for Deps.Dev Collector. ## @param guac.depsDevCollector.nodeSelector - sets the node selector for where to run the deployment ## @param guac.osvCertifier.enabled String Whether to deploy OSV Certifier ## @param guac.osvCertifier.name String Name of the OSV Certifier component. 
## @param guac.osvCertifier.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) ## @param guac.osvCertifier.replicas Number of replicas for OSV Certifier deployment ## @param guac.osvCertifier.image.command Command for the OSV Certifier Collector image. It is not recommended to override this. +## @param guac.osvCertifier.env Environment variables for OSV Certifier Collector. ## @param guac.osvCertifier.nodeSelector - sets the node selector for where to run the deployment ## @param guac.ingestor.enabled String Whether to deploy Ingestor ## @param guac.ingestor.name String Name of the ingestor component. ## @param guac.ingestor.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) ## @param guac.ingestor.replicas Number of replicas for ingestor deployment ## @param guac.ingestor.image.command Command for the ingestor image. It is not recommended to override this. +## @param guac.ingestor.env Environment variables for ingestor. ## @param guac.ingestor.nodeSelector - sets the node selector for where to run the deployment ## @param guac.collectSub.enabled String Whether to deploy Collector Sub ## @param guac.collectSub.name String Name of the Collector Sub component. ## @param guac.collectSub.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) ## @param guac.collectSub.replicas Number of replicas for Collector Sub deployment ## @param guac.collectSub.image.command Command for the Collector Sub image. It is not recommended to override this. +## @param guac.collectSub.env Environment variables for Collector Sub. 
## @param guac.collectSub.image.ports[0].containerPort Port the Collector Sub container listens on ## @param guac.collectSub.svcPorts[0].protocol Protocol used at Collector Sub ## @param guac.collectSub.svcPorts[0].port Port the Collector Sub service listens on @@ -54,11 +60,12 @@ imagePullSecrets: ## @param guac.graphqlServer.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) ## @param guac.graphqlServer.replicas Number of replicas for GraphQL Server deployment ## @param guac.graphqlServer.image.command Command for the GraphQL Server image. It is not recommended to override this. +## @param guac.graphqlServer.env Environment variables for GraphQL Server. ## @param guac.graphqlServer.image.ports[0].containerPort Port the GraphQL Server container listens on ## @param guac.graphqlServer.svcPorts[0].protocol Protocol used at the the GraphQL Server ## @param guac.graphqlServer.svcPorts[0].port Port the GraphQL Server service listens on ## @param guac.graphqlServer.svcPorts[0].targetPort Port the GraphQL Server container listens on -## @param guac.graphqlServer.backend which backend to use - only support inmem at the moment. +## @param guac.graphqlServer.backend which backend to use - keyvalue (default) | arango | ent. ## @param guac.graphqlServer.debug Enable debug mode for graphql server; also enable the UI ## @param guac.graphqlServer.nodeSelector - sets the node selector for where to run the deployment ## @param guac.visualizer.enabled String Whether to deploy the visualizer. 
@@ -73,21 +80,46 @@ imagePullSecrets: ## @param guac.visualizer.svcPorts[0].protocol Protocol used at the visualizer ## @param guac.visualizer.svcPorts[0].port Port the visualizer service listens on ## @param guac.visualizer.svcPorts[0].targetPort Port the visualizer container listens on +## @param guac.visualizer.env Environment variables for the visualizer. ## @param guac.visualizer.nodeSelector - sets the node selector for where to run the deployment ## @param guac.observability.deployServiceMonitor Boolean Deploy the service monitor for observability -## @param guac.sampleData.ingest Boolean - whether to ingest sample data after deployment +## @param guac.sampleData.ingest Boolean Whether to ingest sample data after deployment ## @param guac.sampleData.jobName Name of the sample data ingest job +## @param guac.sampleData.env Environment variables for the sample data ingest job +## @param guac.ingress.enabled Whether to deploy an Ingress object +## @param guac.ingress.ingressClassName [nullable] Ingress class name +## @param guac.ingress.webuiHostname [nullable] DNS name for the UI components - e.g. Visualizer, GQL playground +## @param guac.ingress.apiHostname [nullable] DNS name for the GQL API. When specified, GQL API won't be served at webuiHostname +## @param guac.ingress.annotations [object] Annotations for the ingress object +## @param guac.apiOnlyIngress.enabled Whether to deploy an Ingress object to expose API only +## @param guac.apiOnlyIngress.ingressClassName [nullable] Ingress class name for API only ingress +## @param guac.apiOnlyIngress.apiHostname [nullable] DNS name for the GQL API. 
+## @param guac.apiOnlyIngress.annotations [object] Annotations for the API only ingress object +## @param guac.backend.ent.db-driver database driver to use, one of [postgres | sqlite3 | mysql] or anything supported by sql.DB +## @param guac.backend.ent.db-address Full URL of database to connect to +## @param guac.backend.ent.db-migrate Wether to automatically run database migrations on start +## @param guac.backend.ent.db-debug Enable debug logging for database queries +## @param guac.pubSubAddr [nullable] String gocloud connection string for pubsub configured via https://gocloud.dev/howto/pubsub/ +## @param guac.blobAddr [nullable] gocloud connection string for blob store configured via https://gocloud.dev/howto/blob/ guac: guacImage: repository: ghcr.io/guacsec/guac # if not set appVersion field from Chart.yaml is used - tag: v0.4.0 + # tag: v0.5.0 # When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value). digest: "" pullPolicy: IfNotPresent workingDir: /guac + common: + # env: {} + # COMMON_ENV_NAME: COMMON_ENV_VALUE + env: + # default creds (set at minio.users) for accessing minio blobstore. Remove when changing default blobAddr. + AWS_ACCESS_KEY_ID: accessKey + AWS_SECRET_ACCESS_KEY: secretKey + ociCollector: enabled: true name: oci-collector @@ -96,6 +128,8 @@ guac: replicas: 1 image: command: ['sh', '-c', '/opt/guac/guaccollect image'] + env: {} + # ENV_NAME: ENV_VALUE nodeSelector: {} depsDevCollector: @@ -106,6 +140,7 @@ guac: replicas: 1 image: command: ['sh', '-c', '/opt/guac/guaccollect deps_dev'] + env: {} nodeSelector: {} osvCertifier: @@ -116,6 +151,7 @@ guac: replicas: 1 image: command: ['sh', '-c', '/opt/guac/guacone certifier osv --poll'] + env: {} nodeSelector: {} ingestor: @@ -126,6 +162,7 @@ guac: replicas: 1 image: command: ['sh', '-c', '/opt/guac/guacingest'] + env: {} nodeSelector: {} collectSub: 
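Review bot: `guac.common.env` now ships `AWS_ACCESS_KEY_ID: accessKey` and `AWS_SECRET_ACCESS_KEY: secretKey` as plaintext defaults that every deployment template renders into the pod spec as literal `value:` entries, so the blob-store credential is visible in `kubectl get deploy -o yaml`, in Helm release history, and to any reader of the chart values. Prefer a Secret (created by the chart from these values, or supplied through an `existingSecret` name) referenced via `valueFrom.secretKeyRef`, and state in the README that this key pair is only the bundled minio development credential. The "Remove when changing default blobAddr" comment also relies on the operator remembering to clear these entries; tying the default to `blobAddr` being unset (or to `minio.enabled`) would make that automatic.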
@@ -138,6 +175,7 @@ guac: command: ['sh', '-c', '/opt/guac/guaccsub'] ports: - containerPort: 2782 + env: {} svcPorts: - protocol: TCP port: 2782 @@ -154,6 +192,7 @@ guac: command: ['sh', '-c', '/opt/guac/guacgql'] ports: - containerPort: 8080 + env: {} svcPorts: - protocol: TCP port: 8080 @@ -177,6 +216,7 @@ guac: pullPolicy: IfNotPresent ports: - containerPort: 3000 + env: {} svcPorts: - protocol: TCP port: 3000 
@@ -189,21 +229,54 @@ guac: sampleData: ingest: false jobName: ingest-guac-data + env: {} + + ingress: + enabled: false + # ingressClassName: + # webuiHostname: + # apiHostname: + # annotations: + + apiOnlyIngress: + enabled: false + # ingressClassName: + # apiHostname: + # annotations: + + backend: + ent: + db-driver: postgres + db-address: postgres://guac:guac@host:port/dbName?sslmode=disable + db-migrate: true + db-debug: true + + # Default to use NATS; specify a value here to override + # e.g. + # pubSubAddr: awssqs://sqs.[aws_region].amazonaws.com/[account_id]/[queue_name]?region=[aws_region] + + # Default to use minio; specify a value here to override + # e.g. + # blobAddr: s3://[bucket_name]?region=[aws_region] + # blobAddr: file:///tmp/blobstore?no_tmp_dir=true ## @section nats ## @descriptionStart This is the configuration for nats. This is a subchart. See full documentation [here](https://docs.nats.io/running-a-nats-service/nats-kubernetes/helm-charts). ## @descriptionEnd +## @param nats.enabled Whehter to deploy nats ## @param nats.nats.jetstream.enabled Boolean for enabling JetStream. 
## @param nats.nats.limits.maxPayload Max Payload size for nats ## @param nats.nats.statefulSetPodLabels.app.kubernetes.io/part-of Label to associate nats with GUAC for monitoring purposes +## @param nats.natsbox.enabled Whehter to run natsbox ## @param nats.natsbox.additionalLabels.app.kubernetes.io/part-of Label to associate natsbox with GUAC for monitoring purposes ## @param nats.natsbox.podLabels.app.kubernetes.io/part-of Label to associate natsbox with GUAC for monitoring purposes ## @param nats.exporter.enabled Boolean to enable data collection ## @param nats.exporter.serviceMonitor.enabled Boolean to enable nats service monitor -## @param nats.exporter.serviceMonitor.namespace nats service monitor namespace - this is for monitoring purposes and is used by Prometheus +## @param nats.exporter.serviceMonitor.namespace String nats service monitor namespace - this is for monitoring purposes and is used by Prometheus ## @param nats.exporter.serviceMonitor.labels.release Label to associate nats service monitor with GUAC for monitoring purposes nats: + enabled: true nats: jetstream: enabled: true 
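Review bot: The new `guac.backend.ent` defaults ship `db-debug: true`, which the hunk's own `@param` text describes as "Enable debug logging for database queries", and a `db-address` placeholder carrying inline credentials (`guac:guac@`) with `sslmode=disable`; query-level debug logging and unencrypted DB transport are not sensible out-of-the-box settings, and whatever lands in the rendered ConfigMap/logs from these values is easily overlooked. I would flip the default to `db-debug: false` and annotate the address with `# placeholder only; supply the real DSN (with TLS, e.g. sslmode=require) from a Secret rather than committing it in values` so a copied values file does not silently keep the insecure form. The `db-migrate: true` default is presumably intended, but a one-line comment saying migrations run on every start would save operators a surprise. Separately, the added param docs read "Wether" and "Whehter" (also at `nats.enabled` and `nats.natsbox.enabled`); these are rendered into the README, so "Whether" is worth fixing.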
@@ -214,16 +287,51 @@ nats: app.kubernetes.io/part-of: "guac" natsbox: + enabled: false additionalLabels: app.kubernetes.io/part-of: "guac" podLabels: app.kubernetes.io/part-of: "guac" exporter: - enabled: true + enabled: false serviceMonitor: enabled: false ## Specify the namespace where Prometheus Operator is running namespace: monitoring labels: release: monitoring + +## @section minio +## @descriptionStart This is the configuration for minio. This is a subchart. See full documentation [here](https://github.com/minio/minio/tree/master/helm/minio). +## @descriptionEnd +## @param minio.enabled Whehter to deploy minio as part of the Helm deployment +## @param minio.replicas Number of replicas. +## @param minio.persistence [object] Persistence volume configuration. +## @param minio.mode minio mode, i.e. standalone or distributed +## @param minio.resources [object] resource requests and limits +## @param minio.rootUser root user name. +## @param minio.rootPassword root user password. +## @param minio.buckets [object] List of buckets to create after deployment. +## @param minio.users [object] List of users, in terms of creds and permissions, to create after deployment.? +minio: + enabled: true + replicas: 1 + persistence: + enabled: false + mode: standalone + resources: + requests: + memory: 1Gi + rootUser: "rootUser" + rootPassword: "rootPassword" + buckets: + - name: bucketname + policy: none + purge: false + versioning: false + objectlocking: false + users: + - accessKey: accessKey + secretKey: secretKey + policy: readwrite
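Review bot: The new `minio` block hard-codes `rootUser: "rootUser"`, `rootPassword: "rootPassword"` and a `users` entry with `accessKey: accessKey` / `secretKey: secretKey`, and the `guac.common.env` additions earlier in this file repeat those same credentials as `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` so they reach every GUAC pod as plain environment values. Default credentials in a chart tend to survive into real deployments; at minimum the block should carry a comment such as `# DEFAULT CREDENTIALS FOR LOCAL TESTING ONLY – override rootUser/rootPassword/users (and guac.common.env) before exposing this deployment`, and ideally the subchart's existing-secret mechanism should be referenced instead of literal values (I have not verified which keys the minio subchart version in Chart.lock supports). Note also that `persistence.enabled: false` means the blob store is ephemeral with these defaults, which is worth stating next to the key. The `@param minio.users` description ends with a stray `?` that will be copied into the generated README.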