From 27ee8bd5f8ebd15fa05d1eccf89d1edbe970a319 Mon Sep 17 00:00:00 2001 From: Ojaswa Sharma Date: Wed, 10 Apr 2024 16:10:51 +0530 Subject: [PATCH] feat: update charts --- code-analysis/Chart.yaml | 2 +- code-analysis/templates/andromeda.yaml | 113 ++----------- code-analysis/templates/bishamonten.yaml | 40 ++--- .../config.andromeda-enterpise-conf.yaml | 12 -- .../config.andromeda-nginx-conf.yaml | 12 -- .../config.bishamonten-hostconfig.yaml | 12 -- code-analysis/templates/config.yaml | 12 -- code-analysis/templates/cron.registry.yaml | 83 +++++++++ code-analysis/templates/cron.update.yaml | 157 ++++++++++++++++++ code-analysis/templates/ingress.yaml | 11 +- code-analysis/templates/janus.yaml | 19 --- .../templates/job.registry.pre-install.yaml | 130 +++++++++++++++ code-analysis/templates/mastervendor.yaml | 20 +-- code-analysis/templates/mongo.yaml | 54 ++---- code-analysis/templates/secrets.mongo.yaml | 40 ++--- code-analysis/templates/secrets.registry.yaml | 21 +-- code-analysis/values.yaml | 76 ++++++--- 17 files changed, 504 insertions(+), 310 deletions(-) create mode 100644 code-analysis/templates/cron.registry.yaml create mode 100644 code-analysis/templates/cron.update.yaml create mode 100644 code-analysis/templates/job.registry.pre-install.yaml diff --git a/code-analysis/Chart.yaml b/code-analysis/Chart.yaml index 5eae60f..f09851f 100644 --- a/code-analysis/Chart.yaml +++ b/code-analysis/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.4 +version: 0.1.5 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to 
diff --git a/code-analysis/templates/andromeda.yaml b/code-analysis/templates/andromeda.yaml index 5a9c097..8d9bfeb 100644 --- a/code-analysis/templates/andromeda.yaml +++ b/code-analysis/templates/andromeda.yaml @@ -2,19 +2,14 @@ apiVersion: v1 kind: Service metadata: name: {{ .Values.andromeda.serviceName }} - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} + labels: + {{- range $key, $val := .Values.andromeda.serviceLabels }} + {{ $key }}: {{ $val | quote }} {{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{ toYaml .Values.customAnnotations | nindent 4}} -{{- end }} + annotations: + {{- range $key, $val := .Values.andromeda.serviceAnnotations }} + {{ $key }}: {{ $val | quote }} {{- end }} - spec: type: {{ .Values.andromeda.serviceType }} selector: @@ -28,18 +23,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: privado-scanner-role - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{ toYaml .Values.customAnnotations | nindent 4}} -{{- end }} - {{- end }} rules: - apiGroups: ["batch"] resources: @@ -64,18 +47,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: privado-scanner-rb - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{ toYaml .Values.customAnnotations | nindent 4}} -{{- end }} - {{- end }} subjects: - kind: ServiceAccount name: privado-scanner-sa 
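Review bot: The Role `privado-scanner-role` and RoleBinding `privado-scanner-rb` lose their `customLabels`/`customAnnotations` blocks with no per-resource replacement, unlike the Service above, which gets `serviceLabels`/`serviceAnnotations`. The same drop without replacement happens in the later hunks of this file (the ServiceAccount, the PersistentVolumeClaims, which keep only `volumes.annotations`, and the Deployment's pod template), in the ConfigMaps in config*.yaml, the janus PVCs and the mongo volumeClaimTemplate and pod template. Pod-template labels are what NetworkPolicy selectors, monitoring and cost tooling key on, so silently dropping operator-supplied labels there is the part most likely to surprise someone. If this is intended, the commit message should state that custom labels/annotations now apply only to Services, Deployments, Secrets and Jobs; otherwise the same `{{- range $key, $val := … }}` loop used for the Service could be added under a per-resource values key.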
@@ -88,18 +59,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: privado-scanner-sa - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{ toYaml .Values.customAnnotations | nindent 4}} -{{- end }} - {{- end }} --- apiVersion: v1 kind: PersistentVolumeClaim @@ -109,16 +68,6 @@ metadata: {{- range $key, $val := .Values.andromeda.volumes.annotations }} {{ $key }}: {{ $val | quote }} {{- end }} -{{- if .Values.customAnnotations }} -{{- toYaml .Values.customAnnotations | nindent 4 }} -{{- end }} - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} - spec: storageClassName: {{ .Values.andromeda.volumes.storageClass }} # for eks "gp2" -> default accessModes: @@ -137,16 +86,6 @@ metadata: {{- range $key, $val := .Values.andromeda.volumes.annotations }} {{ $key }}: {{ $val | quote }} {{- end }} - {{- if .Values.customAnnotations }} - {{- toYaml .Values.customAnnotations | nindent 4 }} - {{- end }} - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} - spec: storageClassName: {{ .Values.andromeda.volumes.storageClass }} # for eks "gp2" -> default accessModes: @@ -165,15 +104,6 @@ metadata: {{- range $key, $val := .Values.andromeda.volumes.annotations }} {{ $key }}: {{ $val | quote }} {{- end }} - {{- if .Values.customAnnotations }} - {{- toYaml .Values.customAnnotations | nindent 4 }} - {{- end }} - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} spec: storageClassName: {{ .Values.andromeda.volumes.storageClass }} # for eks "gp2" -> default accessModes: 
@@ -192,15 +122,6 @@ metadata: {{- range $key, $val := .Values.andromeda.volumes.annotations }} {{ $key }}: {{ $val | quote }} {{- end }} - {{- if .Values.customAnnotations }} - {{- toYaml .Values.customAnnotations | nindent 4 }} - {{- end }} - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} spec: storageClassName: {{ .Values.andromeda.volumes.storageClass }} # for eks "gp2" -> default accessModes: @@ -217,15 +138,13 @@ metadata: name: {{ .Values.andromeda.deploymentName }} labels: app: andromeda -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{- toYaml .Values.customAnnotations | nindent 4 }} -{{- end }} - {{- end }} + {{- range $key, $val := .Values.andromeda.deploymentLabels }} + {{ $key }}: {{ $val | quote }} + {{- end }} + annotations: + {{- range $key, $val := .Values.andromeda.deploymentAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} spec: # deployment to pod mapping replicas: {{ .Values.andromeda.replicas }} @@ -237,16 +156,10 @@ spec: metadata: labels: app: {{ .Values.andromeda.podAppLabel }} -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 8}} -{{- end }} annotations: checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum | quote }} checksum/enterprise.conf: {{ include (print $.Template.BasePath "/config.andromeda-enterpise-conf.yaml") . | sha256sum | quote }} checksum/nginx.conf: {{ include (print $.Template.BasePath "/config.andromeda-nginx-conf.yaml") . | sha256sum | quote }} -{{- if .Values.customAnnotations }} -{{- toYaml .Values.customAnnotations | nindent 8 }} -{{- end }} spec: imagePullSecrets: - name: {{ .Values.base.imagePullSecret }} 
diff --git a/code-analysis/templates/bishamonten.yaml b/code-analysis/templates/bishamonten.yaml index a9b114e..3040523 100644 --- a/code-analysis/templates/bishamonten.yaml +++ b/code-analysis/templates/bishamonten.yaml @@ -2,17 +2,13 @@ apiVersion: v1 kind: Service metadata: name: {{ .Values.bishamonten.serviceName }} - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{ toYaml .Values.customAnnotations | nindent 4}} -{{- end }} + labels: + {{- range $key, $val := .Values.bishamonten.serviceLabels }} + {{ $key }}: {{ $val | quote }} + {{- end }} + annotations: + {{- range $key, $val := .Values.bishamonten.serviceAnnotations }} + {{ $key }}: {{ $val | quote }} {{- end }} spec: type: {{ .Values.bishamonten.serviceType }} @@ -29,15 +25,13 @@ metadata: name: {{ .Values.bishamonten.deploymentName }} labels: app: bishamonten -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{ toYaml .Values.customAnnotations | nindent 4}} -{{- end }} - {{- end }} + {{- range $key, $val := .Values.bishamonten.deploymentLabels }} + {{ $key }}: {{ $val | quote }} + {{- end }} + annotations: + {{- range $key, $val := .Values.bishamonten.deploymentAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} spec: # deployment to pod mapping replicas: {{ .Values.bishamonten.replicas }} 
@@ -49,14 +43,8 @@ spec: metadata: labels: app: {{ .Values.bishamonten.podAppLabel }} -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 8}} -{{- end }} annotations: checksum/hostconfig: {{ include (print $.Template.BasePath "/config.bishamonten-hostconfig.yaml") . | sha256sum | quote }} -{{- if .Values.customAnnotations }} -{{- toYaml .Values.customAnnotations | nindent 8 }} -{{- end }} spec: imagePullSecrets: - name: {{ .Values.base.imagePullSecret }} diff --git a/code-analysis/templates/config.andromeda-enterpise-conf.yaml b/code-analysis/templates/config.andromeda-enterpise-conf.yaml index 7ac6d31..dff23f5 100644 --- a/code-analysis/templates/config.andromeda-enterpise-conf.yaml +++ b/code-analysis/templates/config.andromeda-enterpise-conf.yaml @@ -2,18 +2,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: andromeda-enterprise-conf - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{ toYaml .Values.customAnnotations | nindent 4}} -{{- end }} - {{- end }} data: enterprise.conf: | _SERVER_NAME_={{ .Values.base.host | quote }} diff --git a/code-analysis/templates/config.andromeda-nginx-conf.yaml b/code-analysis/templates/config.andromeda-nginx-conf.yaml index 02eff6f..f60c26e 100644 --- a/code-analysis/templates/config.andromeda-nginx-conf.yaml +++ b/code-analysis/templates/config.andromeda-nginx-conf.yaml @@ -2,18 +2,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: andromeda-nginx-conf - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{ toYaml .Values.customAnnotations | nindent 4}} -{{- end }} - {{- end }} data: andromeda-on-premise-enterprise.conf: | geo $limited { 
diff --git a/code-analysis/templates/config.bishamonten-hostconfig.yaml b/code-analysis/templates/config.bishamonten-hostconfig.yaml index a423fc7..acb250f 100644 --- a/code-analysis/templates/config.bishamonten-hostconfig.yaml +++ b/code-analysis/templates/config.bishamonten-hostconfig.yaml @@ -2,18 +2,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ .Values.bishamonten.volumeHostConfig.configName }} - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{ toYaml .Values.customAnnotations | nindent 4}} -{{- end }} - {{- end }} data: env.js: | window.configuration = { diff --git a/code-analysis/templates/config.yaml b/code-analysis/templates/config.yaml index 2695861..6d803cb 100644 --- a/code-analysis/templates/config.yaml +++ b/code-analysis/templates/config.yaml @@ -2,18 +2,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ .Values.config.name }} - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{ toYaml .Values.customAnnotations | nindent 4}} -{{- end }} - {{- end }} data: MONGO_HOST: {{ .Values.mongo.statefulSetName }}-0.{{ .Values.mongo.serviceName }}.{{ .Release.Namespace }}.svc.{{ .Values.base.clusterDomain }} MONGODB_HOST: {{ .Values.mongo.statefulSetName }}-0.{{ .Values.mongo.serviceName }}.{{ .Release.Namespace }}.svc.{{ .Values.base.clusterDomain }} diff --git a/code-analysis/templates/cron.registry.yaml b/code-analysis/templates/cron.registry.yaml new file mode 100644 index 0000000..5fe7a2b --- /dev/null +++ b/code-analysis/templates/cron.registry.yaml 
@@ -0,0 +1,83 @@ +{{- if .Values.registry.enable }} +{{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }} +apiVersion: batch/v1 +{{- else }} +apiVersion: batch/v1beta1 +{{- end }} +kind: CronJob +metadata: + name: {{ .Values.registry.cronName }} + labels: + {{- range $key, $val := .Values.registry.cronjobLabels }} + {{ $key }}: {{ $val | quote }} + {{- end }} + annotations: + {{- range $key, $val := .Values.registry.cronjobAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} +spec: + schedule: {{ .Values.registry.cronSchedule | quote }} + successfulJobsHistoryLimit: 0 + jobTemplate: + spec: + template: + spec: + serviceAccountName: {{ .Values.registry.serviceAccountName }} + restartPolicy: {{ .Values.registry.cronPodRestartPolicy }} + {{- if .Values.node.affinity.enable }} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .Values.node.affinity.key }} + operator: {{ .Values.node.affinity.operator }} + {{- end }} + {{- if .Values.node.toleration.enable }} + tolerations: + - key: {{ .Values.node.toleration.key }} + operator: {{ .Values.node.toleration.operator }} + effect: {{ .Values.node.toleration.effect }} + {{- end }} + containers: + - name: ecr-token-helper + image: {{ .Values.registry.image.name }}:{{ .Values.registry.image.tag }} + imagePullPolicy: {{ .Values.base.imagePullPolicy }} + command: + - /bin/sh + - -c + - |- + kubectl delete secret -n $NAMESPACE --ignore-not-found $SECRET_NAME + if [ -n "$DOCKERHUB_USERNAME" ]; then + kubectl create secret -n $NAMESPACE docker-registry $SECRET_NAME \ + --docker-server=https://index.docker.io/v1/ \ + --docker-username=$DOCKERHUB_USERNAME \ + --docker-password=$DOCKERHUB_PASSWORD + else + TOKEN=`aws ecr get-login-password --region ${REGION} | cut -d' ' -f6` + kubectl create secret -n $NAMESPACE docker-registry $SECRET_NAME \ + --docker-server=$ECR_REPOSITORY \ + --docker-username=AWS \ + --docker-password=$TOKEN + fi + 
envFrom: + - secretRef: + name: {{ .Values.registry.secrets.name }} + env: + - name: SECRET_NAME + value: {{ .Values.base.imagePullSecret }} + {{- if .Values.registry.secrets.AWS_ACCESS_KEY_ID }} + - name: REGION + value: {{ tpl .Values.registry.region . }} + - name: ECR_REPOSITORY + value: 638117407428.dkr.ecr.{{ tpl .Values.registry.region . | trim }}.amazonaws.com + {{- end }} + {{- if .Values.registry.dockerhub.enable }} + - name: DOCKERHUB_USERNAME + value: {{ .Values.registry.dockerhub.username }} + - name: DOCKERHUB_PASSWORD + value: {{ .Values.registry.dockerhub.password }} + {{- end }} + - name: NAMESPACE + value: {{ .Release.Namespace }} +{{- end }} diff --git a/code-analysis/templates/cron.update.yaml b/code-analysis/templates/cron.update.yaml new file mode 100644 index 0000000..6ad563f --- /dev/null +++ b/code-analysis/templates/cron.update.yaml 
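Review bot: The `DOCKERHUB_USERNAME`/`DOCKERHUB_PASSWORD` `env` entries near the end of the container spec put the registry password in plain text into the CronJob object (readable with `get cronjobs` and shown by `helm get manifest`), even though the same keys already arrive through `envFrom: secretRef` on `.Values.registry.secrets.name`; because `env` overrides `envFrom`, deleting the two `env` entries keeps behaviour and removes the plaintext copy. The identical duplication is in job.registry.pre-install.yaml. In the script, `--docker-password=$TOKEN` and `--docker-password=$DOCKERHUB_PASSWORD` place the credential in the container's argument list; writing a `.dockerconfigjson` file and creating the secret with `kubectl create secret generic $SECRET_NAME --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson=<file>` avoids that. `cut -d' ' -f6` after `aws ecr get-login-password` looks like a leftover from the older `get-login` output format and only works because `cut` passes lines without a delimiter through unchanged, so it should go: `TOKEN=$(aws ecr get-login-password --region "${REGION}")`.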
@@ -0,0 +1,157 @@ +{{- if .Values.autoupdates.enable }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Values.autoupdates.roleName }} +rules: + - apiGroups: [""] + resources: + - pods + - deployments + verbs: + - 'get' + - 'list' + - apiGroups: ["extensions", "apps"] + resources: + - deployments + verbs: + - 'get' + - 'patch' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Values.autoupdates.roleBindingName }} +subjects: + - kind: ServiceAccount + name: {{ .Values.autoupdates.serviceAccountName }} +roleRef: + kind: Role + name: {{ .Values.autoupdates.roleName }} + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.autoupdates.serviceAccountName }} +--- +{{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }} +apiVersion: batch/v1 +{{- else }} +apiVersion: batch/v1beta1 +{{- end }} +kind: CronJob +metadata: + name: {{ .Values.autoupdates.cronName }} + labels: + {{- range $key, $val := .Values.autoupdates.cronjobLabels }} + {{ $key }}: {{ $val | quote }} + {{- end }} + annotations: + {{- range $key, $val := .Values.autoupdates.cronjobAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} +spec: + schedule: {{ .Values.autoupdates.cronSchedule | quote }} + successfulJobsHistoryLimit: 1 + failedJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + spec: + serviceAccountName: {{ .Values.autoupdates.serviceAccountName }} + restartPolicy: {{ .Values.autoupdates.cronPodRestartPolicy }} + {{- if .Values.node.affinity.enable }} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .Values.node.affinity.key }} + operator: {{ .Values.node.affinity.operator }} + {{- end }} + {{- if .Values.node.toleration.enable }} + tolerations: + - key: {{ .Values.node.toleration.key }} + operator: {{ .Values.node.toleration.operator }} + effect: {{ 
.Values.node.toleration.effect }} + {{- end }} + containers: + - name: updater + image: {{ .Values.autoupdates.image.name }}:{{ .Values.autoupdates.image.tag }} + imagePullPolicy: {{ .Values.base.imagePullPolicy }} + command: + - /bin/bash + - -c + - |- + set -e + NAMESPACE={{ .Release.Namespace }} + {{- if .Values.registry.dockerhub.enable }} + # Assuming Docker Hub is enabled and credentials are provided + echo "Using Docker Hub for image updates" + # Function to get Docker Hub image SHA + function get_dockerhub_sha() { + REPO_NAME=$1 + TAG=$2 + TOKEN=$(curl -s -H "Content-Type: application/json" -X POST -d '{"username": "'$DOCKERHUB_USERNAME'", "password": "'$DOCKERHUB_PASSWORD'"}' "https://hub.docker.com/v2/users/login/" | jq -r .token) + IMAGE_SHA=$(curl -s -H "Authorization: Bearer ${TOKEN}" "https://hub.docker.com/v2/namespaces/${DOCKER_HUB_NAMESPACE}/repositories/${REPO_NAME}/tags/${TAG}/" | jq -r '.images[0].digest') + echo $IMAGE_SHA + } + {{- else }} + # Assuming AWS ECR is used + echo "Using AWS ECR for image updates" + # Function to get AWS ECR image SHA + function get_ecr_sha() { + REPO_NAME=$1 + TAG=$2 + IMAGE_SHA=`aws ecr describe-images --repository-name ${REPO_NAME} --region ${AWS_DEFAULT_REGION} --image-ids imageTag=${TAG} | jq -r ".imageDetails[0].imageDigest"` + + echo $IMAGE_SHA + } + {{- end }} + + # Function to check and patch deployment if there's an image SHA mismatch + function check_and_patch_deployment() { + DEPLOYMENT_NAME=$1 + POD_APP_LABEL=$2 + IMAGE_NAME=$3 + IMAGE_TAG=$4 + if [ {{ .Values.registry.dockerhub.enable }} == "true" ]; then + LATEST_IMAGE_SHA=$(get_dockerhub_sha $IMAGE_NAME $IMAGE_TAG) + else + LATEST_IMAGE_SHA=$(get_ecr_sha $IMAGE_NAME $IMAGE_TAG) + fi + POD=`kubectl -n $NAMESPACE get pods -l "app=$POD_APP_LABEL" -o name | head -1` + CURRENT_IMAGE_SHA=`kubectl -n $NAMESPACE get $POD -o jsonpath="{..imageID}" | cut -f 2 -d "@"` + + echo "> Current $DEPLOYMENT_NAME SHA: $CURRENT_IMAGE_SHA" + echo "> Latest 
$DEPLOYMENT_NAME SHA: $LATEST_IMAGE_SHA" + if [[ $CURRENT_IMAGE_SHA != $LATEST_IMAGE_SHA ]]; then + echo "> Update for $POD found" + echo "> Applying patch to $DEPLOYMENT_NAME" + kubectl -n $NAMESPACE patch deployment $DEPLOYMENT_NAME -p "{\"spec\": {\"template\":{\"metadata\":{\"annotations\":{\"{{ .Values.autoupdates.annotationName }}\":\"'$LATEST_IMAGE_SHA'\"}}}} }" + fi + } + + # Check and patch Andromeda deployment + echo "Checking updates for {{ .Values.andromeda.deploymentName }}" + + check_and_patch_deployment "{{ .Values.andromeda.deploymentName }}" "{{ .Values.andromeda.podAppLabel }}" "{{ splitList "/" (tpl .Values.andromeda.image.name .) | last }}" "{{ .Values.andromeda.image.tag }}" + + # Check and patch Bishamonten deployment + echo "Checking updates for {{ .Values.bishamonten.deploymentName }}" + check_and_patch_deployment "{{ .Values.bishamonten.deploymentName }}" "{{ .Values.bishamonten.podAppLabel }}" "{{ splitList "/" (tpl .Values.bishamonten.image.name .) | last }}" "{{ .Values.bishamonten.image.tag }}" + envFrom: + - secretRef: + name: {{ .Values.registry.secrets.name }} + env: + - name: SECRET_NAME + value: {{ .Values.base.imagePullSecret }} + - name: AWS_DEFAULT_REGION + value: {{ tpl .Values.registry.region . }} + - name: NAMESPACE + value: {{ .Release.Namespace }} + - name: DOCKER_HUB_NAMESPACE + value: {{ .Values.registry.dockerhub.namespace }} + +{{- end}} diff --git a/code-analysis/templates/ingress.yaml b/code-analysis/templates/ingress.yaml index 46808e9..accf93b 100644 --- a/code-analysis/templates/ingress.yaml +++ b/code-analysis/templates/ingress.yaml @@ -1,3 +1,4 @@ +{{- if .Values.ingress.enable }} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: 
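Review bot: In `get_dockerhub_sha` the Docker Hub login body is built by splicing `$DOCKERHUB_USERNAME` and `$DOCKERHUB_PASSWORD` into a JSON literal, so a password containing `"` or `\` yields invalid JSON and a failed login, and the password (and later the bearer token) is visible in the container's argument list; building the body with `jq -n --arg` and feeding it to curl over stdin fixes both. In `check_and_patch_deployment`, a failed registry lookup leaves `LATEST_IMAGE_SHA` empty or `null` (the `aws … | jq` pipeline only reports jq's status because the script sets `set -e` without `pipefail`), the `!=` test then passes and the deployment is patched, restarting the workload on every transient registry error, so the patch must be skipped in that case. The patch body also wraps the digest in literal single quotes (`\"'$LATEST_IMAGE_SHA'\"` inside a double-quoted string), which end up in the annotation value. The Role at the top of the hunk allows `patch` on every Deployment in the namespace; adding `resourceNames` with `.Values.andromeda.deploymentName` and `.Values.bishamonten.deploymentName` confines it to the two workloads this job manages, and `deployments` under `apiGroups: [""]` is not a core-group resource and can be dropped.

```yaml
set -eo pipefail
NAMESPACE={{ .Release.Namespace }}
# … unchanged: Docker Hub / ECR branch selection …
function get_dockerhub_sha() {
  REPO_NAME=$1
  TAG=$2
  # jq emits valid JSON whatever the password contains; stdin keeps it out of argv
  TOKEN=$(jq -n --arg u "$DOCKERHUB_USERNAME" --arg p "$DOCKERHUB_PASSWORD" '{username: $u, password: $p}' \
    | curl -s -H "Content-Type: application/json" -X POST -d @- "https://hub.docker.com/v2/users/login/" | jq -r .token)
  IMAGE_SHA=$(curl -s -H "Authorization: Bearer ${TOKEN}" "https://hub.docker.com/v2/namespaces/${DOCKER_HUB_NAMESPACE}/repositories/${REPO_NAME}/tags/${TAG}/" | jq -r '.images[0].digest')
  echo "$IMAGE_SHA"
}
# … unchanged: get_ecr_sha …
function check_and_patch_deployment() {
  # … unchanged: argument parsing and LATEST_IMAGE_SHA lookup …
  if [ -z "$LATEST_IMAGE_SHA" ] || [ "$LATEST_IMAGE_SHA" = "null" ]; then
    echo "> Could not resolve the latest digest for $DEPLOYMENT_NAME, skipping"
    return 0
  fi
  # … unchanged: current SHA lookup and logging …
  if [[ "$CURRENT_IMAGE_SHA" != "$LATEST_IMAGE_SHA" ]]; then
    echo "> Update for $POD found"
    echo "> Applying patch to $DEPLOYMENT_NAME"
    kubectl -n $NAMESPACE patch deployment $DEPLOYMENT_NAME -p "{\"spec\": {\"template\":{\"metadata\":{\"annotations\":{\"{{ .Values.autoupdates.annotationName }}\":\"$LATEST_IMAGE_SHA\"}}}} }"
  fi
}
```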
@@ -6,15 +7,6 @@ metadata: {{- range $key, $val := .Values.ingress.annotations }} {{ $key }}: {{ $val | quote }} {{- end }} -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{- toYaml .Values.customAnnotations | nindent 4 }} -{{- end }} - {{- end }} spec: {{- if .Values.ingress.ingressClassName }} ingressClassName: {{ .Values.ingress.ingressClassName | quote }} @@ -44,3 +36,4 @@ spec: name: {{ .Values.bishamonten.serviceName }} port: number: {{ .Values.bishamonten.servicePort }} +{{- end}} diff --git a/code-analysis/templates/janus.yaml b/code-analysis/templates/janus.yaml index f49eda7..97109ed 100644 --- a/code-analysis/templates/janus.yaml +++ b/code-analysis/templates/janus.yaml @@ -6,16 +6,6 @@ metadata: {{- range $key, $val := .Values.janus.volumes.annotations }} {{ $key }}: {{ $val | quote }} {{- end }} -{{- if .Values.customAnnotations }} -{{- toYaml .Values.customAnnotations | nindent 4 }} -{{- end }} - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} - spec: storageClassName: {{ .Values.janus.volumes.storageClass }} accessModes: @@ -34,15 +24,6 @@ metadata: {{- range $key, $val := .Values.janus.volumes.annotations }} {{ $key }}: {{ $val | quote }} {{- end }} -{{- if .Values.customAnnotations }} -{{- toYaml .Values.customAnnotations | nindent 4 }} -{{- end }} - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} spec: storageClassName: {{ .Values.janus.volumes.storageClass }} accessModes: diff --git a/code-analysis/templates/job.registry.pre-install.yaml b/code-analysis/templates/job.registry.pre-install.yaml new file mode 100644 index 0000000..20c2fa3 --- /dev/null +++ b/code-analysis/templates/job.registry.pre-install.yaml 
@@ -0,0 +1,130 @@ +{{- if .Values.registry.enable }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Values.registry.roleName }} + annotations: + "helm.sh/hook-weight": "-10" + {{- range $key, $val := .Values.registry.helmHookAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} +rules: + - apiGroups: [""] + resources: + - secrets + - serviceaccounts + - serviceaccounts/token + verbs: + - 'delete' + - 'create' + - 'patch' + - 'get' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Values.registry.roleBindingName }} + annotations: + "helm.sh/hook-weight": "-10" + {{- range $key, $val := .Values.registry.helmHookAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} +subjects: + - kind: ServiceAccount + name: {{ .Values.registry.serviceAccountName }} +roleRef: + kind: Role + name: {{ .Values.registry.roleName }} + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.registry.serviceAccountName }} + annotations: + "helm.sh/hook-weight": "-10" + {{- range $key, $val := .Values.registry.helmHookAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Values.registry.cronName }}-job + labels: + {{- range $key, $val := .Values.registry.cronjobLabels }} + {{ $key }}: {{ $val | quote }} + {{- end }} + annotations: + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- range $key, $val := .Values.registry.helmHookAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} + {{- range $key, $val := .Values.registry.cronjobAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} +spec: + ttlSecondsAfterFinished: 600 + template: + spec: + serviceAccountName: {{ .Values.registry.serviceAccountName }} + restartPolicy: {{ .Values.registry.cronPodRestartPolicy }} + {{- if .Values.node.affinity.enable }} + affinity: + nodeAffinity: 
+ requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .Values.node.affinity.key }} + operator: {{ .Values.node.affinity.operator }} + {{- end }} + {{- if .Values.node.toleration.enable }} + tolerations: + - key: {{ .Values.node.toleration.key }} + operator: {{ .Values.node.toleration.operator }} + effect: {{ .Values.node.toleration.effect }} + {{- end }} + containers: + - name: registry-token-helper + image: {{ .Values.registry.image.name }}:{{ .Values.registry.image.tag }} + imagePullPolicy: {{ .Values.base.imagePullPolicy }} + command: + - /bin/sh + - -c + - |- + kubectl delete secret -n $NAMESPACE --ignore-not-found $SECRET_NAME + if [ -n "$DOCKERHUB_USERNAME" ]; then + kubectl create secret -n $NAMESPACE docker-registry $SECRET_NAME \ + --docker-server=https://index.docker.io/v1/ \ + --docker-username=$DOCKERHUB_USERNAME \ + --docker-password=$DOCKERHUB_PASSWORD + else + TOKEN=`aws ecr get-login-password --region ${REGION} | cut -d' ' -f6` + kubectl create secret -n $NAMESPACE docker-registry $SECRET_NAME \ + --docker-server=$ECR_REPOSITORY \ + --docker-username=AWS \ + --docker-password=$TOKEN + fi + envFrom: + - secretRef: + name: {{ .Values.registry.secrets.name }} + env: + - name: SECRET_NAME + value: {{ .Values.base.imagePullSecret }} + {{- if .Values.registry.secrets.AWS_ACCESS_KEY_ID }} + - name: REGION + value: {{ tpl .Values.registry.region . }} + - name: ECR_REPOSITORY + value: 638117407428.dkr.ecr.{{ tpl .Values.registry.region . | trim }}.amazonaws.com + {{- end }} + - name: NAMESPACE + value: {{ .Release.Namespace }} + {{- if .Values.registry.dockerhub.enable }} + - name: DOCKERHUB_USERNAME + value: {{ .Values.registry.dockerhub.username }} + - name: DOCKERHUB_PASSWORD + value: {{ .Values.registry.dockerhub.password }} + {{- end }} + +{{- end }} diff --git a/code-analysis/templates/mastervendor.yaml b/code-analysis/templates/mastervendor.yaml index 1f7a27e..515c7f5 100644 
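Review bot: The Role `{{ .Values.registry.roleName }}` at the top of this hunk grants `get`/`patch`/`delete`/`create` on every Secret in the release namespace, plus `serviceaccounts` and `serviceaccounts/token`, which the helper script never touches, while the script only recreates the single pull secret `$SECRET_NAME`. Unless `.Values.registry.helmHookAnnotations` adds a hook delete policy, the Role and RoleBinding persist after the hook, and the same ServiceAccount is reused by the CronJob in cron.registry.yaml, so a compromise of either pod yields read access to all secrets in the namespace. Narrowing the rule with `resourceNames` for `get`/`patch`/`delete` (Kubernetes cannot restrict `create` by name, so it needs its own rule) and dropping the serviceaccount resources unless something outside this diff needs them would match least privilege.

```yaml
rules:
  - apiGroups: [""]
    resources:
      - secrets
    resourceNames:
      - {{ .Values.base.imagePullSecret | quote }}
    verbs:
      - 'get'
      - 'patch'
      - 'delete'
  # create cannot be scoped by resourceNames, so it stays in an unscoped rule
  - apiGroups: [""]
    resources:
      - secrets
    verbs:
      - 'create'
# … unchanged: RoleBinding, ServiceAccount, Job …
```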
--- a/code-analysis/templates/mastervendor.yaml +++ b/code-analysis/templates/mastervendor.yaml @@ -1,19 +1,17 @@ -{{- if .Values.base.enableMasterVendorMigration }} +{{- if .Values.mastervendor.enable }} apiVersion: batch/v1 kind: Job metadata: name: {{ .Values.mastervendor.jobName }} - labels: + labels: app: mastervendor -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{- toYaml .Values.customAnnotations | nindent 4 }} -{{- end }} - {{- end }} + {{- range $key, $val := .Values.mastervendor.jobLabels }} + {{ $key }}: {{ $val | quote }} + {{- end }} + annotations: + {{- range $key, $val := .Values.mastervendor.jobAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} spec: # pod template ttlSecondsAfterFinished: 300 diff --git a/code-analysis/templates/mongo.yaml b/code-analysis/templates/mongo.yaml index 3a0e007..0544666 100644 --- a/code-analysis/templates/mongo.yaml +++ b/code-analysis/templates/mongo.yaml @@ -2,18 +2,14 @@ apiVersion: v1 kind: Service metadata: name: {{ .Values.mongo.serviceName }} - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{ toYaml .Values.customAnnotations | nindent 4}} -{{- end }} - {{- end }} + labels: + {{- range $key, $val := .Values.mongo.serviceLabels }} + {{ $key }}: {{ $val | quote }} + {{- end }} + annotations: + {{- range $key, $val := .Values.mongo.serviceAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} spec: clusterIP: None # Since replicasets connect to particular pods (with identitites: statefulset) selector: 
@@ -29,15 +25,13 @@ metadata: name: {{ .Values.mongo.statefulSetName }} labels: app: mongo -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{- toYaml .Values.customAnnotations | nindent 4 }} -{{- end }} - {{- end }} + {{- range $key, $val := .Values.mongo.statefulSetLabels }} + {{ $key }}: {{ $val | quote }} + {{- end }} + annotations: + {{- range $key, $val := .Values.mongo.statefulSetAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} spec: replicas: 1 serviceName: {{ .Values.mongo.serviceName }} @@ -51,15 +45,6 @@ spec: {{- range $key, $val := .Values.mongo.volume.annotations }} {{ $key }}: {{ $val | quote }} {{- end }} -{{- if .Values.customAnnotations }} -{{- toYaml .Values.customAnnotations | nindent 12 }} -{{- end }} - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 12}} -{{- end }} - {{- end }} spec: storageClassName: {{ .Values.mongo.volume.storageClass }} accessModes: @@ -73,15 +58,6 @@ spec: metadata: labels: app: mongo -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 8}} -{{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{- toYaml .Values.customAnnotations | nindent 8 }} -{{- end }} - {{- end }} spec: restartPolicy: {{ .Values.base.podRestartPolicy }} terminationGracePeriodSeconds: 15 diff --git a/code-analysis/templates/secrets.mongo.yaml b/code-analysis/templates/secrets.mongo.yaml index e95f4be..c9b88e2 100644 --- a/code-analysis/templates/secrets.mongo.yaml +++ b/code-analysis/templates/secrets.mongo.yaml 
@@ -2,18 +2,14 @@ apiVersion: v1 kind: Secret metadata: name: {{ .Values.mongo.secrets.name }} - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{ toYaml .Values.customAnnotations | nindent 4}} -{{- end }} - {{- end }} + labels: + {{- range $key, $val := .Values.mongo.secrets.labels }} + {{ $key }}: {{ $val | quote }} + {{- end }} + annotations: + {{- range $key, $val := .Values.mongo.secrets.annotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} type: Opaque data: # b64 encode with "echo -n secret | base64" @@ -24,18 +20,14 @@ apiVersion: v1 kind: Secret metadata: name: {{ .Values.mongo.encryptionSecret.name }} - {{- if .Values.customLabels }} - labels: -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | nindent 4}} -{{- end }} - {{- end }} - {{- if .Values.customAnnotations }} - annotations: -{{- if .Values.customAnnotations }} -{{ toYaml .Values.customAnnotations | nindent 4}} -{{- end }} - {{- end }} + labels: + {{- range $key, $val := .Values.mongo.encryptionSecret.labels }} + {{ $key }}: {{ $val | quote }} + {{- end }} + annotations: + {{- range $key, $val := .Values.mongo.encryptionSecret.annotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} type: Opaque data: MONGO_ENCRYPTION_KEY: {{ .Values.mongo.encryptionSecret.MONGO_ENCRYPTION_KEY | b64enc }} diff --git a/code-analysis/templates/secrets.registry.yaml b/code-analysis/templates/secrets.registry.yaml index 458882b..7f54954 100644 --- a/code-analysis/templates/secrets.registry.yaml +++ b/code-analysis/templates/secrets.registry.yaml 
@@ -1,21 +1,20 @@
+{{- if or .Values.registry.enable .Values.autoupdates.enable }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ .Values.registry.secrets.name }}
+  labels:
+    {{- range $key, $val := .Values.registry.secrets.labels }}
+    {{ $key }}: {{ $val | quote }}
+    {{- end }}
   annotations:
     "helm.sh/hook-weight": "-10"
     {{- range $key, $val := .Values.registry.helmHookAnnotations }}
     {{ $key }}: {{ $val | quote }}
     {{- end }}
-{{- if .Values.customAnnotations }}
-{{- toYaml .Values.customAnnotations | nindent 4 }}
-{{- end }}
-  {{- if .Values.customLabels }}
-  labels:
-{{- if .Values.customLabels }}
-{{ toYaml .Values.customLabels | nindent 4}}
-{{- end }}
-  {{- end }}
+    {{- range $key, $val := .Values.registry.secrets.annotations }}
+    {{ $key }}: {{ $val | quote }}
+    {{- end }}
 type: Opaque
 data:
   {{- if .Values.registry.secrets.AWS_ACCESS_KEY_ID }}
@@ -25,4 +24,6 @@ data:
   {{- if .Values.registry.dockerhub.enable }}
   DOCKERHUB_USERNAME: {{ required ".Values.registry.dockerhub.username is required" .Values.registry.dockerhub.username | b64enc }}
   DOCKERHUB_PASSWORD: {{ required ".Values.registry.dockerhub.password is required" .Values.registry.dockerhub.password | b64enc }}
-  {{- end }}
\ No newline at end of file
+  {{- end }}
+
+{{- end }}
diff --git a/code-analysis/values.yaml b/code-analysis/values.yaml
index 3810dc6..e7e2317 100644
--- a/code-analysis/values.yaml
+++ b/code-analysis/values.yaml
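Review bot: The Secret remains a Helm hook (`helm.sh/hook-weight` here, `helm.sh/hook` via `registry.helmHookAnnotations`), and hook resources are not tracked as part of the release, so once `registry.enable` and `autoupdates.enable` are both turned off on a later upgrade the template stops rendering but the already-created Secret holding the AWS keys or DockerHub credentials stays in the namespace. Unless a `helm.sh/hook-delete-policy` is supplied through `registry.helmHookAnnotations`, that lifecycle should be stated next to the new `if`, e.g. `{{- /* hook Secret: disabling both flags does not remove an existing Secret; delete it manually */ -}}`, or the chart should choose a delete policy deliberately.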
@@ -10,24 +10,23 @@ base:
   imagePullSecret: regcred
   imagePullPolicy: Always
   podRestartPolicy: Always
-  enableMasterVendorMigration: false
-# This label will be added to all the k8s resources managed by privado
-customLabels: {}
-# This annotation will be added to all the k8s resources managed by privado
-customAnnotations: {}
-
-
-# values related to registry secrets & cron
+# values related to Privado's registry secrets & cron
 registry:
+  # enables or disables usage of privado's Registry
+  # disabling this would also mean that the organization
+  # would use self-maintained secrets with the deployment
+  enable: true
   region: "{{ if .Values.base.isProduction }} {{ .Values.base.prodRegion }} {{ else }} {{ .Values.base.testRegion }} {{ end }}"
   roleName: ecr-token-helper
   serviceAccountName: sa-ecr-token-helper
   roleBindingName: ecr-token-helper
   cronName: ecr-token-helper
   cronSchedule: "0 */6 * * *"
-  cronPodRestartPolicy: OnFailure
+  cronPodRestartPolicy: OnFailure
+  cronjobLabels: # key: value
+  cronjobAnnotations: # key: value
   image:
     name: public.ecr.aws/privado/awscli-kubectl
     tag: latest
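Review bot: The new comment on `registry.enable` says a disabled registry means "self-maintained secrets" but does not say which secret the workloads will then look for; from the `imagePullSecret: regcred` context line at the top of the hunk it is presumably the pull Secret named by `base.imagePullSecret`, which would have to exist in the release namespace before any pod starts. Suggest extending the comment with `# when false, a pull Secret named by base.imagePullSecret must be created out-of-band before install`.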
@@ -35,19 +34,25 @@ registry:
     "helm.sh/hook": "pre-install,pre-upgrade"
   secrets:
     name: ecr-iam-secrets
+    labels: # key: value
+    annotations: # key: value
     AWS_ACCESS_KEY_ID:
     AWS_SECRET_ACCESS_KEY:
   dockerhub:
     # keep value of below flag as true if you are using images from dockerhub
     enable: false
-# The namespace is the first part of a Docker image name, followed by the repository name.
-# The general format for referencing Docker images is: namespace/repository:tag
+    # The namespace is the first part of a Docker image name: namespace/repository:tag
     namespace: privadoai
     username:
     password:
-updates:
+# values related to auto-updating deployment images
+autoupdates:
+  # enables or disables autoupdates for deployment
+  # supports ECR and DockerHub
+  # registry.secrets need to be configured
+  enable: true
   annotationName: "checksum/image-sha256"
   roleName: updater-role
   serviceAccountName: updater-sa
@@ -55,11 +60,13 @@ updates:
   cronName: updater
   cronSchedule: "*/10 * * * *"
   cronPodRestartPolicy: OnFailure
+  cronjobLabels: # key: value
+  cronjobAnnotations: # key: value
   image:
     name: public.ecr.aws/privado/awscli-kubectl
     tag: latest
-
+# node affinity and toleration configurations for Privado resources
 node:
   affinity:
     enable: false
@@ -74,6 +81,9 @@ node:
 # specific values related to ingress
 ingress:
+  # enables or disables Privado-provisioned Ingress
+  # Disabling would mean the Organization will provision the network routing resource
+  enable: true
   name: privado-ingress
   # needs this value from customer for their ingressClass
   # since most annotation-based support for controllers is now deprecated
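Review bot: `autoupdates.enable: true` turns the image updater on by default, so an install with stock values periodically re-resolves the deployment images (the updater runs on `cronSchedule: "*/10 * * * *"` in the next hunk and the chart's application images are on `tag: latest`), which hands control of what runs in the cluster to whatever the registry serves at each tick. An opt-in default, `enable: false`, is the more conservative choice for a chart shipped to customers; if the default stays `true`, the comment should say so explicitly and note that enabling this alone also renders the registry Secret, since secrets.registry.yaml now keys on `or .Values.registry.enable .Values.autoupdates.enable`.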
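Review bot: `cronjobLabels: # key: value` and `cronjobAnnotations: # key: value` leave the keys null rather than an empty mapping; the templates `range` over them, which tolerates nil, but any later `toYaml` or schema use would see `null`, and the placeholder reads as though a value were missing. The same shape is used for the registry `cronjobLabels` and `secrets.labels`/`annotations` in the earlier values hunks and for every new `*Labels`/`*Annotations` key in the mongo, andromeda, bishamonten and mastervendor sections. Suggest `cronjobLabels: {} # key: value` so the default is an explicit empty map.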
@@ -87,11 +97,15 @@ ingress:
 # Values related to mongo.yaml
 mongo:
   statefulSetName: mongo
-  image:
+  statefulSetLabels: # key: value
+  statefulSetAnnotations: # key: value
+  image:
     name: percona/percona-server-mongodb
     tag: "5.0"
   runAsUser: 0
   serviceName: mongo-service
+  serviceLabels: # key: value
+  serviceAnnotations: # key: value
   servicePort: 27017
   containerPort: 27017
   wiredTigerCacheSizeGB: "4"
@@ -111,10 +125,14 @@ mongo:
     annotations:
   secrets:
     name: mongo-secrets
-    MONGO_INITDB_ROOT_USERNAME:
-    MONGO_INITDB_ROOT_PASSWORD:
+    labels: # key: value
+    annotations: # key: value
+    MONGO_INITDB_ROOT_USERNAME: ""
+    MONGO_INITDB_ROOT_PASSWORD: ""
   encryptionSecret:
     name: mongo-encrpytion-secret
+    labels: # key: value
+    annotations: # key: value
     mountDirectory: "/keys"
     mountPath: "{{ .Values.mongo.encryptionSecret.mountDirectory }}/mong_opener" # use with tpl
     # generated using `openssl rand -base64 32`
@@ -138,15 +156,19 @@ config:
   SCANNER_APP_INSPECTOR_IMAGE_URL:
-# Values related to andromeda.yaml
+# Values related to andromeda.yaml
 andromeda:
   deploymentName: andromeda
+  deploymentLabels: # key: value
+  deploymentAnnotations: # key: value
   replicas: 1
-  image:
+  image:
     name: "638117407428.dkr.ecr.{{ if .Values.base.isProduction }}{{ .Values.base.prodRegion }}{{ else }}{{ .Values.base.testRegion }}{{ end }}.amazonaws.com/andromeda"
     tag: latest
   podAppLabel: andromeda
   serviceName: andromeda-service
+  serviceLabels: # key: value
+  serviceAnnotations: # key: value
   serviceType: ClusterIP
   servicePort: 6001
   containerPort: 80
@@ -233,7 +255,7 @@ andromeda:
     CONFIG_AI_SERVICE_PATH: ""
-# Values related to janus.yaml
+# Values related to janus.yaml
 janus:
   volumes:
     storageClass: "efs-sc" # NEEDS-CUSTOMER-INPUT # should support RWX
@@ -250,15 +272,19 @@ janus:
       mountPath: "/root/.gradle"
-# Values related to bishamonten.yaml
+# Values related to bishamonten.yaml
 bishamonten:
   deploymentName: bishamonten
+  deploymentLabels: # key: value
+  deploymentAnnotations: # key: value
   replicas: 1
-  image:
+  image:
     name: "638117407428.dkr.ecr.{{ if .Values.base.isProduction }}{{ .Values.base.prodRegion }}{{ else }}{{ .Values.base.testRegion }}{{ end }}.amazonaws.com/bishamonten"
     tag: latest
   podAppLabel: bishamonten
   serviceName: bishamonten-service
+  serviceLabels: # key: value
+  serviceAnnotations: # key: value
   serviceType: ClusterIP
   servicePort: 4000
   containerPort: 4000
@@ -275,18 +301,21 @@ bishamonten:
     mountPath: "/home/bishamonten/build/{{ .Values.bishamonten.volumeHostConfig.subPath }}" # use with tpl
   config:
     hostConfig:
-      host: '{{ .Values.base.protocol }}://{{ required "A valid .Values.base.host is required" .Values.base.host }}' # use with tpl
+      host: '{{ .Values.base.protocol }}://{{ required "A valid .Values.base.host is required" .Values.base.host }}' # use with tpl
       accountHost: '{{ .Values.base.protocol }}://{{ required "A valid .Values.base.host is required" .Values.base.host }}' # use with tpl
       isPremiseVersion: 1
+
 mastervendor:
+  enable: false
   image:
     name: "638117407428.dkr.ecr.{{ if .Values.base.isProduction }}{{ .Values.base.prodRegion }}{{ else }}{{ .Values.base.testRegion }}{{ end }}.amazonaws.com/master-vendor-base-image"
     tag: latest
   podRestartPolicy: Never
   podAppLabel: mastervendor
-  serviceName: mastervendor-service
   jobName: mastervendor
+  jobLabels: # key: value
+  jobAnnotations: # key: value
   resources:
     requests:
       cpu: "0.5"
@@ -295,6 +324,7 @@ mastervendor:
       cpu:
       memory:
+
 websitescan:
   resources:
     requests:
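Review bot: `mastervendor.enable: false` in the second hunk is added without the explanatory comment that every other `enable` flag introduced in this commit carries (`registry`, `autoupdates`, `ingress`), and what it gates is not visible here. From the `jobName` and `podRestartPolicy: Never` context it presumably controls whether the mastervendor Job in mastervendor.yaml is rendered at all; suggest `# enables rendering of the mastervendor Job (mastervendor.yaml); off by default` above the flag so operators know it is the replacement for the removed `base.enableMasterVendorMigration` if that is indeed the intent.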