Merge pull request #621 from uselagoon/feature/insights-handler-trivy…

…-server Feature/insights handler trivy server
uselagoon · Oct 30, 2023 · 518c7b4 · 518c7b4
2 parents aec5fa6 + 65cb529
commit 518c7b4
Show file tree

Hide file tree

Showing 6 changed files with 137 additions and 5 deletions.
diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml
@@ -21,7 +21,7 @@ type: application
 # time you make changes to the chart and its templates, including the app
 # version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.38.0
+version: 1.39.0
 
 # This is the version number of the application being deployed. This version
 # number should be incremented each time you make changes to the application.
@@ -40,7 +40,5 @@ dependencies:
 # Valid supported kinds are added, changed, deprecated, removed, fixed and security
 annotations:
   artifacthub.io/changes: |
-    - kind: changed
-      description: require minimum Kubernetes 1.23
-    - kind: changed
-      description: removed autoscaling api version helper
+    - kind: added
+      description: Insights trivy service
diff --git a/charts/lagoon-core/templates/_helpers.tpl b/charts/lagoon-core/templates/_helpers.tpl
@@ -464,6 +464,35 @@ app.kubernetes.io/component: {{ include "lagoon-core.insightsHandler.fullname" .
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+Create a default fully qualified app name for insights-trivy.
+*/}}
+{{- define "lagoon-core.insightsTrivy.fullname" -}}
+{{- include "lagoon-core.fullname" . }}-insights-trivy
+{{- end }}
+
+{{/*
+Common labels insights-trivy.
+*/}}
+{{- define "lagoon-core.insightsTrivy.labels" -}}
+helm.sh/chart: {{ include "lagoon-core.chart" . }}
+{{ include "lagoon-core.insightsTrivy.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels insights-trivy.
+*/}}
+{{- define "lagoon-core.insightsTrivy.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "lagoon-core.name" . }}
+app.kubernetes.io/component: {{ include "lagoon-core.insightsTrivy.fullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+
 {{/*
 Create a default fully qualified app name for logs2notifications.
 */}}

diff --git a/charts/lagoon-core/templates/insights-handler.deployment.yaml b/charts/lagoon-core/templates/insights-handler.deployment.yaml
@@ -74,6 +74,12 @@ spec:
           value: http://{{ include "lagoon-core.api.fullname" . }}:{{ .Values.api.service.port }}/graphql
         - name: HTTP_LISTEN_PORT
           value: "3000"
+      {{- if .Values.insightsHandler.trivy.enabled }}
+        - name: PROBLEMS_FROM_SBOM
+          value: "true"
+        - name: TRIVY_SERVER_ENDPOINT
+          value: http://{{ include "lagoon-core.insightsTrivy.fullname" . }}:{{ .Values.insightsHandler.trivy.service.port }}
+      {{- end }}
       {{- range $key, $val := .Values.insightsHandler.additionalEnvs }}
         - name: {{ $key }}
           value: {{ $val | quote }}

diff --git a/charts/lagoon-core/templates/insights-trivy.deployment.yaml b/charts/lagoon-core/templates/insights-trivy.deployment.yaml
@@ -0,0 +1,75 @@
+{{- if .Values.insightsHandler.trivy.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "lagoon-core.insightsTrivy.fullname" . }}
+  labels:
+    {{- include "lagoon-core.insightsTrivy.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "lagoon-core.insightsTrivy.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+    {{- with .Values.insightsHandler.trivy.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      labels:
+        {{- include "lagoon-core.insightsTrivy.selectorLabels" . | nindent 8 }}
+    spec:
+      securityContext:
+        {{- toYaml (coalesce .Values.insightsHandler.trivy.podSecurityContext .Values.podSecurityContext) | nindent 8 }}
+      containers:
+      - name: insights-trivy
+        securityContext:
+          {{- toYaml .Values.insightsHandler.trivy.securityContext | nindent 10 }}
+        image: "{{ .Values.insightsHandler.trivy.image.repository }}:{{ coalesce .Values.insightsHandler.trivy.image.tag .Values.imageTag .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.insightsHandler.trivy.image.pullPolicy }}
+        resources:
+          {{- toYaml .Values.insightsHandler.trivy.resources | nindent 10 }}
+        command: ["trivy", "server", "--cache-dir=/tmp", "--listen=0.0.0.0:4954", "-d"]
+        ports:
+            - containerPort: 4954
+              protocol: TCP
+              name: tcp-4954
+        livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 4954
+        readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 4954
+      {{- with .Values.insightsHandler.trivy.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 50
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app.kubernetes.io/name
+                  operator: In
+                  values:
+                  - {{ include "lagoon-core.name" . }}
+                - key: app.kubernetes.io/component
+                  operator: In
+                  values:
+                  - {{ include "lagoon-core.insightsTrivy.fullname" . }}
+                - key: app.kubernetes.io/instance
+                  operator: In
+                  values:
+                  - {{ .Release.Name }}
+              topologyKey: kubernetes.io/hostname
+      {{- with .Values.insightsHandler.trivy.affinity }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.insightsHandler.trivy.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}
diff --git a/charts/lagoon-core/templates/insights-trivy.service.yaml b/charts/lagoon-core/templates/insights-trivy.service.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.insightsHandler.trivy.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "lagoon-core.insightsTrivy.fullname" . }}
+  labels:
+    {{- include "lagoon-core.insightsTrivy.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.insightsHandler.trivy.service.type }}
+  ports:
+  - port: {{ .Values.insightsHandler.trivy.service.port }}
+    targetPort: 4954
+    name: tcp-4954
+  selector:
+    {{- include "lagoon-core.insightsTrivy.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml
@@ -616,6 +616,14 @@ insightsHandler:
     maxReplicas: 100
     targetCPUUtilizationPercentage: 80
     # targetMemoryUtilizationPercentage: 80
+  trivy:
+    enabled: false
+    image:
+      repository: aquasec/trivy
+      tag: latest
+    service:
+      type: ClusterIP
+      port: 4954
 
 logs2notifications:
   enabled: true