Merge pull request #18 from devops-ia/feat/add-topologyspreadcontraints

feat: add topologySpreadContraints
devops-ia · Sep 12, 2024 · 95704ca · 95704ca
2 parents 45392fd + ace3f64
commit 95704ca
Show file tree

Hide file tree

Showing 27 changed files with 336 additions and 169 deletions.
diff --git a/charts/openbas/README.md b/charts/openbas/README.md
@@ -58,8 +58,8 @@ _See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command doc
 ## OpenBAS
 
 * [Environment configuration](https://docs.openbas.io/latest/deployment/configuration/#platform)
-* [Collectors](https://github.com/OpenBAS-Platform/collectors/tree/main). Review `docker-compose.yaml` with the properly config or check collectors samples on [`collector-examples`](./collector-examples) folder.
-* [Injectors](https://github.com/OpenBAS-Platform/injectors/tree/main). Review `docker-compose.yaml` with the properly config or check injectors samples on [`injector-examples`](./injector-examples) folder.
+* [Collectors](https://github.com/OpenBAS-Platform/collectors/tree/main). Review `docker-compose.yaml` with the properly config or check collectors samples on [`collector-examples`](./examples/collector) folder.
+* [Injectors](https://github.com/OpenBAS-Platform/injectors/tree/main). Review `docker-compose.yaml` with the properly config or check injectors samples on [`injector-examples`](./examples/injector) folder.
 
 ## Basic installation and examples
 

diff --git a/charts/openbas/README.md.gotmpl b/charts/openbas/README.md.gotmpl
@@ -48,8 +48,8 @@ _See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command doc
 ## OpenBAS
 
 * [Environment configuration](https://docs.openbas.io/latest/deployment/configuration/#platform)
-* [Collectors](https://github.com/OpenBAS-Platform/collectors/tree/main). Review `docker-compose.yaml` with the properly config or check collectors samples on [`collector-examples`](./collector-examples) folder.
-* [Injectors](https://github.com/OpenBAS-Platform/injectors/tree/main). Review `docker-compose.yaml` with the properly config or check injectors samples on [`injector-examples`](./injector-examples) folder.
+* [Collectors](https://github.com/OpenBAS-Platform/collectors/tree/main). Review `docker-compose.yaml` with the properly config or check collectors samples on [`collector-examples`](./examples/collector) folder.
+* [Injectors](https://github.com/OpenBAS-Platform/injectors/tree/main). Review `docker-compose.yaml` with the properly config or check injectors samples on [`injector-examples`](./examples/injector) folder.
 
 ## Basic installation and examples
 

diff --git a/charts/openbas/ci/ci-common-values.yaml b/charts/openbas/ci/ci-common-values.yaml
@@ -41,6 +41,21 @@ podDisruptionBudget:
 autoscaling:
   enabled: true
 
+secrets:
+  OPENBAS_ADMIN_TOKEN: "b1976749-8a53-4f49-bf04-cafa2a3458c1"
+  OPENBAS_RABBITMQ_PASS: ChangeMe
+
+envFromSecrets:
+  OPENBAS_ADMIN_TOKEN:
+    name: openbas-ci-credentials
+    key: OPENBAS_ADMIN_TOKEN
+  OPENBAS_TOKEN:
+    name: openbas-ci-credentials
+    key: OPENBAS_TOKEN
+  OPENBAS_RABBITMQ_PASS:
+    name: openbas-ci-credentials
+    key: OPENBAS_RABBITMQ_PASS
+
 caldera:
   enabled: true
 
@@ -109,6 +124,11 @@ caldera:
   autoscaling:
     enabled: true
 
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: kubernetes.io/os
+      whenUnsatisfiable: DoNotSchedule
+
 collectors:
 - name: atomic-red-team
   enabled: true
@@ -137,6 +157,14 @@ collectors:
     COLLECTOR_ID: e668aa07-e1a3-41d8-8748-786be5df9dab
     COLLECTOR_NAME: "Atomic Red Team"
     COLLECTOR_LOG_LEVEL: error
+  envFromSecrets:
+    OPENBAS_TOKEN:
+      name: openbas-ci-credentials
+      key: OPENBAS_TOKEN
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: kubernetes.io/os
+      whenUnsatisfiable: DoNotSchedule
 
 injectors:
 - name: http-query
@@ -164,6 +192,14 @@ injectors:
     INJECTOR_ID: e668aa07-e1a3-41d8-8748-786be5df9dab
     INJECTOR_NAME: "HTTP query"
     INJECTOR_LOG_LEVEL: error
+  envFromSecrets:
+    OPENBAS_TOKEN:
+      name: openbas-ci-credentials
+      key: OPENBAS_TOKEN
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: kubernetes.io/os
+      whenUnsatisfiable: DoNotSchedule
 
 minio:
   fullnameOverride: openbas-ci-minio
@@ -184,6 +220,8 @@ postgresql:
 rabbitmq:
   fullnameOverride: openbas-ci-rabbitmq
   auth:
+    existingPasswordSecret: openbas-ci-credentials
+    existingSecretPasswordKey: OPENBAS_RABBITMQ_PASS
     erlangCookie: b25c953e-2193-4b8e-9f3b-9a3a5ba76d75
   clustering:
     enabled: false

diff --git a/...r-examples/collector-atomic-red-team.yaml → .../collector/collector-atomic-red-team.yaml b/...r-examples/collector-atomic-red-team.yaml → .../collector/collector-atomic-red-team.yaml
diff --git a/...xamples/collector-microsoft-defender.yaml → ...llector/collector-microsoft-defender.yaml b/...xamples/collector-microsoft-defender.yaml → ...llector/collector-microsoft-defender.yaml
diff --git a/...r-examples/collector-microsoft-entra.yaml → .../collector/collector-microsoft-entra.yaml b/...r-examples/collector-microsoft-entra.yaml → .../collector/collector-microsoft-entra.yaml
diff --git a/...xamples/collector-microsoft-sentinel.yaml → ...llector/collector-microsoft-sentinel.yaml b/...xamples/collector-microsoft-sentinel.yaml → ...llector/collector-microsoft-sentinel.yaml
diff --git a/...ctor-examples/collector-mitre-attack.yaml → ...les/collector/collector-mitre-attack.yaml b/...ctor-examples/collector-mitre-attack.yaml → ...les/collector/collector-mitre-attack.yaml
diff --git a/...les/collector-tanium-threat-response.yaml → ...tor/collector-tanium-threat-response.yaml b/...les/collector-tanium-threat-response.yaml → ...tor/collector-tanium-threat-response.yaml
diff --git a/...njector-examples/injector-http-query.yaml → ...xamples/injector/injector-http-query.yaml b/...njector-examples/injector-http-query.yaml → ...xamples/injector/injector-http-query.yaml
diff --git a/charts/openbas/templates/_helpers.tpl b/charts/openbas/templates/_helpers.tpl
@@ -60,3 +60,109 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+#######################
+SERVER SECTION
+#######################
+*/}}
+
+{{/*
+Default server component
+*/}}
+{{- define "openbas.serverComponentLabel" -}}
+openbas.component: server
+{{- end -}}
+
+{{/*
+Generate labels for server component
+*/}}
+{{- define "openbas.serverLabels" -}}
+{{- toYaml (merge ((include "openbas.labels" .) | fromYaml) ((include "openbas.serverComponentLabel" .) | fromYaml)) }}
+{{- end }}
+
+{{/*
+Generate selectorLabels for server component
+*/}}
+{{- define "openbas.selectorServerLabels" -}}
+{{- toYaml (merge ((include "openbas.selectorLabels" .) | fromYaml) ((include "openbas.serverComponentLabel" .) | fromYaml)) }}
+{{- end }}
+
+{{/*
+Ref: https://github.com/aws/karpenter-provider-aws/blob/main/charts/karpenter/templates/_helpers.tpl
+Patch the label selector on an object
+This template will add a labelSelector using matchLabels to the object referenced at _target if there is no labelSelector specified.
+The matchLabels are created with the selectorLabels template.
+This works because Helm treats dictionaries as mutable objects and allows passing them by reference.
+*/}}
+{{- define "openbas.patchSelectorServerLabels" -}}
+{{- if not (hasKey ._target "labelSelector") }}
+{{- $selectorLabels := (include "openbas.selectorServerLabels" .) | fromYaml }}
+{{- $_ := set ._target "labelSelector" (dict "matchLabels" $selectorLabels) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Ref: https://github.com/aws/karpenter-provider-aws/blob/main/charts/karpenter/templates/_helpers.tpl
+Patch topology spread constraints
+This template uses the openbas.selectorLabels template to add a labelSelector to topologySpreadConstraints if one isn't specified.
+This works because Helm treats dictionaries as mutable objects and allows passing them by reference.
+*/}}
+{{- define "openbas.patchTopologySpreadConstraintsServer" -}}
+{{- range $constraint := .Values.topologySpreadConstraints }}
+{{- include "openbas.patchSelectorServerLabels" (merge (dict "_target" $constraint (include "openbas.selectorServerLabels" $)) $) }}
+{{- end }}
+{{- end }}
+
+{{/*
+#######################
+CALDERA SECTION
+#######################
+*/}}
+
+{{/*
+Default caldera component
+*/}}
+{{- define "openbas.calderaComponentLabel" -}}
+openbas.component: caldera
+{{- end -}}
+
+{{/*
+Generate labels for caldera component
+*/}}
+{{- define "openbas.calderaLabels" -}}
+{{- toYaml (merge ((include "openbas.labels" .) | fromYaml) ((include "openbas.calderaComponentLabel" .) | fromYaml)) }}
+{{- end }}
+
+{{/*
+Generate selectorLabels for caldera component
+*/}}
+{{- define "openbas.selectorCalderaLabels" -}}
+{{- toYaml (merge ((include "openbas.selectorLabels" .) | fromYaml) ((include "openbas.calderaComponentLabel" .) | fromYaml)) }}
+{{- end }}
+
+{{/*
+Ref: https://github.com/aws/karpenter-provider-aws/blob/main/charts/karpenter/templates/_helpers.tpl
+Patch the label selector on an object
+This template will add a labelSelector using matchLabels to the object referenced at _target if there is no labelSelector specified.
+The matchLabels are created with the selectorLabels template.
+This works because Helm treats dictionaries as mutable objects and allows passing them by reference.
+*/}}
+{{- define "openbas.patchSelectorCalderaLabels" -}}
+{{- if not (hasKey ._target "labelSelector") }}
+{{- $selectorLabels := (include "openbas.selectorCalderaLabels" .) | fromYaml }}
+{{- $_ := set ._target "labelSelector" (dict "matchLabels" $selectorLabels) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Ref: https://github.com/aws/karpenter-provider-aws/blob/main/charts/karpenter/templates/_helpers.tpl
+Patch topology spread constraints
+This template uses the openbas.selectorLabels template to add a labelSelector to topologySpreadConstraints if one isn't specified.
+This works because Helm treats dictionaries as mutable objects and allows passing them by reference.
+*/}}
+{{- define "openbas.patchTopologySpreadConstraintsCaldera" -}}
+{{- range $constraint := .Values.caldera.topologySpreadConstraints }}
+{{- include "openbas.patchSelectorCalderaLabels" (merge (dict "_target" $constraint (include "openbas.selectorCalderaLabels" $)) $) }}
+{{- end }}
+{{- end }}
diff --git a/charts/openbas/templates/caldera/configmap.yaml b/charts/openbas/templates/caldera/configmap.yaml
@@ -3,8 +3,7 @@ kind: ConfigMap
 metadata:
   name: {{ include "openbas.fullname" . }}-caldera-config
   labels:
-    openbas.component: caldera
-    {{- include "openbas.labels" . | nindent 4 }}
+    {{- include "openbas.calderaLabels" . | nindent 4 }}
 data:
   local.yml: |
     {{- .Values.caldera.config | toYaml | nindent 4 }}
diff --git a/charts/openbas/templates/caldera/deployment.yaml b/charts/openbas/templates/caldera/deployment.yaml
@@ -4,16 +4,14 @@ kind: Deployment
 metadata:
   name: {{ include "openbas.fullname" . }}-caldera
   labels:
-    openbas.component: caldera
-    {{- include "openbas.labels" . | nindent 4 }}
+    {{- include "openbas.calderaLabels" . | nindent 4 }}
 spec:
   {{- if not .Values.caldera.autoscaling.enabled }}
   replicas: {{ .Values.caldera.replicaCount }}
   {{- end }}
   selector:
     matchLabels:
-      openbas.component: caldera
-      {{- include "openbas.selectorLabels" . | nindent 6 }}
+      {{- include "openbas.selectorCalderaLabels" . | nindent 6 }}
   template:
     metadata:
       annotations:
@@ -22,8 +20,7 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
-        openbas.component: caldera
-        {{- include "openbas.selectorLabels" . | nindent 8 }}
+        {{- include "openbas.selectorCalderaLabels" . | nindent 8 }}
         {{- with .Values.caldera.podLabels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -112,4 +109,9 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.caldera.topologySpreadConstraints }}
+      {{- $_ := include "openbas.patchTopologySpreadConstraintsCaldera" $ }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
 {{- end }}
diff --git a/charts/openbas/templates/caldera/hpa.yaml b/charts/openbas/templates/caldera/hpa.yaml
@@ -4,8 +4,7 @@ kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "openbas.fullname" . }}-caldera
   labels:
-    openbas.component: caldera
-    {{- include "openbas.labels" . | nindent 4 }}
+    {{- include "openbas.calderaLabels" . | nindent 4 }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1

diff --git a/charts/openbas/templates/caldera/networkpolicy.yaml b/charts/openbas/templates/caldera/networkpolicy.yaml
@@ -4,16 +4,14 @@ kind: NetworkPolicy
 metadata:
   name: {{ include "openbas.fullname" . }}-caldera
   labels:
-    openbas.component: caldera
-    {{- include "openbas.labels" . | nindent 4 }}
+    {{- include "openbas.calderaLabels" . | nindent 4 }}
 spec:
   {{- if and (not .Values.caldera.networkPolicy.policyTypes) (not .Values.caldera.networkPolicy.ingress) (not .Values.caldera.networkPolicy.egress) }}
   podSelector: {}
   {{- else }}
   podSelector:
     matchLabels:
-      openbas.component: caldera
-      {{- include "openbas.selectorLabels" . | nindent 6 }}
+      {{- include "openbas.selectorCalderaLabels" . | nindent 6 }}
   {{- end }}
 
   {{- if .Values.caldera.networkPolicy.policyTypes }}

diff --git a/charts/openbas/templates/caldera/pdb.yaml b/charts/openbas/templates/caldera/pdb.yaml
@@ -4,13 +4,11 @@ kind: PodDisruptionBudget
 metadata:
   name: {{ include "openbas.fullname" . }}-caldera
   labels:
-    openbas.component: caldera
-    {{- include "openbas.labels" . | nindent 4 }}
+    {{- include "openbas.calderaLabels" . | nindent 4 }}
 spec:
   selector:
     matchLabels:
-      openbas.component: caldera
-      {{- include "openbas.selectorLabels" . | nindent 6 }}
+      {{- include "openbas.selectorCalderaLabels" . | nindent 6 }}
   {{- if .Values.caldera.podDisruptionBudget.minAvailable }}
   minAvailable: {{ .Values.caldera.podDisruptionBudget.minAvailable }}
   {{- end }}

diff --git a/charts/openbas/templates/caldera/service.yaml b/charts/openbas/templates/caldera/service.yaml
@@ -3,8 +3,7 @@ kind: Service
 metadata:
   name: {{ include "openbas.fullname" . }}-caldera
   labels:
-    openbas.component: caldera
-    {{- include "openbas.labels" . | nindent 4 }}
+    {{- include "openbas.calderaLabels" . | nindent 4 }}
 spec:
   type: {{ .Values.caldera.service.type }}
   ports:
@@ -13,5 +12,4 @@ spec:
       protocol: TCP
       name: http
   selector:
-    openbas.component: caldera
-    {{- include "openbas.selectorLabels" . | nindent 4 }}
+    {{- include "openbas.selectorCalderaLabels" . | nindent 4 }}
diff --git a/charts/openbas/templates/collector/deployment.yaml b/charts/openbas/templates/collector/deployment.yaml
@@ -135,6 +135,16 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- range $constraint := . }}
+        - labelSelector:
+            matchLabels:
+              openbas.collector: {{ $collectorName }}
+              {{- include "openbas.selectorLabels" $ | nindent 14 }}
+          {{- toYaml $constraint | nindent 10 }}
+        {{- end }}
+      {{- end }}
 
 {{- end }}
 {{- end }}
diff --git a/charts/openbas/templates/injector/deployment.yaml b/charts/openbas/templates/injector/deployment.yaml
@@ -135,6 +135,16 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- range $constraint := . }}
+        - labelSelector:
+            matchLabels:
+              openbas.injector: {{ $injectorName }}
+              {{- include "openbas.selectorLabels" $ | nindent 14 }}
+          {{- toYaml $constraint | nindent 10 }}
+        {{- end }}
+      {{- end }}
 
 {{- end }}
 {{- end }}
diff --git a/charts/openbas/templates/server/deployment.yaml b/charts/openbas/templates/server/deployment.yaml
@@ -3,25 +3,22 @@ kind: Deployment
 metadata:
   name: {{ include "openbas.fullname" . }}-server
   labels:
-    openbas.component: server
-    {{- include "openbas.labels" . | nindent 4 }}
+    {{- include "openbas.serverLabels" . | nindent 4 }}
 spec:
   {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
   {{- end }}
   selector:
     matchLabels:
-      openbas.component: server
-      {{- include "openbas.selectorLabels" . | nindent 6 }}
+      {{- include "openbas.selectorServerLabels" . | nindent 6 }}
   template:
     metadata:
       {{- with .Values.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        openbas.component: server
-        {{- include "openbas.selectorLabels" . | nindent 8 }}
+        {{- include "openbas.selectorServerLabels" . | nindent 8 }}
         {{- with .Values.podLabels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -175,3 +172,8 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      {{- $_ := include "openbas.patchTopologySpreadConstraintsServer" $ }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/charts/openbas/templates/server/hpa.yaml b/charts/openbas/templates/server/hpa.yaml
@@ -4,8 +4,7 @@ kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "openbas.fullname" . }}-server
   labels:
-    openbas.component: server
-    {{- include "openbas.labels" . | nindent 4 }}
+    {{- include "openbas.serverLabels" . | nindent 4 }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1