From 4207b37eab26650109e17df7dbd4d93bbb28e9b9 Mon Sep 17 00:00:00 2001 From: Blaize M Kaye Date: Mon, 9 Oct 2023 12:40:43 +1300 Subject: [PATCH 1/7] Adds service and deployment --- charts/lagoon-core/templates/_helpers.tpl | 29 ++++++++ .../templates/insights-trivy.deployment.yaml | 74 +++++++++++++++++++ .../templates/insights-trivy.service.yaml | 16 ++++ charts/lagoon-core/values.yaml | 6 ++ 4 files changed, 125 insertions(+) create mode 100644 charts/lagoon-core/templates/insights-trivy.deployment.yaml create mode 100644 charts/lagoon-core/templates/insights-trivy.service.yaml diff --git a/charts/lagoon-core/templates/_helpers.tpl b/charts/lagoon-core/templates/_helpers.tpl index b385141b..83dd426f 100644 --- a/charts/lagoon-core/templates/_helpers.tpl +++ b/charts/lagoon-core/templates/_helpers.tpl @@ -464,6 +464,35 @@ app.kubernetes.io/component: {{ include "lagoon-core.insightsHandler.fullname" . app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} +{{/* +Create a default fully qualified app name for insights-trivy. +*/}} +{{- define "lagoon-core.insightsTrivy.fullname" -}} +{{- include "lagoon-core.fullname" . }}-insights-trivy +{{- end }} + +{{/* +Common labels insights-trivy. +*/}} +{{- define "lagoon-core.insightsTrivy.labels" -}} +helm.sh/chart: {{ include "lagoon-core.chart" . }} +{{ include "lagoon-core.insightsTrivy.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels insights-trivy. +*/}} +{{- define "lagoon-core.insightsTrivy.selectorLabels" -}} +app.kubernetes.io/name: {{ include "lagoon-core.name" . }} +app.kubernetes.io/component: {{ include "lagoon-core.insightsTrivy.fullname" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + + {{/* Create a default fully qualified app name for logs2notifications. */}} 
diff --git a/charts/lagoon-core/templates/insights-trivy.deployment.yaml b/charts/lagoon-core/templates/insights-trivy.deployment.yaml
new file mode 100644
index 00000000..caf74770
--- /dev/null
+++ b/charts/lagoon-core/templates/insights-trivy.deployment.yaml
@@ -0,0 +1,74 @@ +{{- if .Values.insightsTrivy.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "lagoon-core.insightsTrivy.fullname" . }} + labels: + {{- include "lagoon-core.insightsTrivy.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "lagoon-core.insightsTrivy.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + {{- with .Values.insightsTrivy.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "lagoon-core.insightsTrivy.selectorLabels" . | nindent 8 }} + spec: + securityContext: + {{- toYaml (coalesce .Values.insightsTrivy.podSecurityContext .Values.podSecurityContext) | nindent 8 }} + containers: + - name: insights-trivy + securityContext: + {{- toYaml .Values.insightsTrivy.securityContext | nindent 10 }} + image: "{{ .Values.insightsTrivy.image.repository }}:{{ coalesce .Values.insightsTrivy.image.tag .Values.imageTag .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.insightsTrivy.image.pullPolicy }} + resources: + {{- toYaml .Values.insightsTrivy.resources | nindent 10 }} + ports: + - containerPort: 4954 + protocol: TCP + name: TCP-4954 + livenessProbe: + httpGet: + path: /healthz + port: 4954 + readinessProbe: + httpGet: + path: /healthz + port: 4954 + {{- with .Values.insightsTrivy.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 50 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - {{ include "lagoon-core.name" . }} + - key: app.kubernetes.io/component + operator: In + values: + - {{ include "lagoon-core.insightsTrivy.fullname" . }} + - key: app.kubernetes.io/instance + operator: In + values: + - {{ .Release.Name }} + topologyKey: kubernetes.io/hostname + {{- with .Values.insightsTrivy.affinity }} + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.insightsTrivy.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/lagoon-core/templates/insights-trivy.service.yaml b/charts/lagoon-core/templates/insights-trivy.service.yaml new file mode 100644 index 00000000..b88c2cc8 --- /dev/null +++ b/charts/lagoon-core/templates/insights-trivy.service.yaml @@ -0,0 +1,16 @@ +{{- if .Values.insightsTrivy.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "lagoon-core.insightsTrivy.fullname" . }} + labels: + {{- include "lagoon-core.insightsTrivy.labels" . | nindent 4 }} +spec: + type: {{ .Values.insightsTrivy.service.type }} + ports: + - port: {{ .Values.insightsTrivy.service.port }} + targetPort: TCP-4954 + name: TCP + selector: + {{- include "lagoon-core.insightsTrivy.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml index 5850b605..489939b6 100644 --- a/charts/lagoon-core/values.yaml +++ b/charts/lagoon-core/values.yaml @@ -592,6 +592,12 @@ insightsHandler: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 +insightsTrivy: + enabled: false + service: + type: ClusterIP + port: 4954 + logs2notifications: enabled: true replicaCount: 2 From 7775552d1a1f1154760a14ba0a4206d411a116de Mon Sep 17 00:00:00 2001 From: Blaize M Kaye Date: Mon, 9 Oct 2023 12:48:54 +1300 Subject: [PATCH 2/7] Fixes port --- charts/lagoon-core/templates/insights-trivy.service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/lagoon-core/templates/insights-trivy.service.yaml b/charts/lagoon-core/templates/insights-trivy.service.yaml index b88c2cc8..8431f0df 100644 --- a/charts/lagoon-core/templates/insights-trivy.service.yaml +++ b/charts/lagoon-core/templates/insights-trivy.service.yaml 
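Review bot: The container block reads `.Values.insightsTrivy.image.repository`, `image.tag`, `image.pullPolicy`, `securityContext` and `resources`, but the values.yaml hunk in this patch declares only `enabled` and `service`, so rendering with `enabled: true` fails on the nil `image` map (a later patch adds `image`, but `pullPolicy`, `securityContext` and `resources` are never declared in the series). With those keys absent the rendered container gets `securityContext: null` and `resources: null`: no `runAsNonRoot`, `allowPrivilegeEscalation: false` or dropped capabilities unless the upstream image happens to set them, and no memory limit for a long-running scanner process. The pod-level context falls back to `.Values.podSecurityContext` via `coalesce`, but the container-level one has no chart-level fallback; consider the same `coalesce` pattern against a chart default, e.g. `{{- toYaml (coalesce .Values.insightsTrivy.securityContext .Values.securityContext) | nindent 10 }}` if such a chart default exists, and declare `securityContext` and `resources` in values.yaml with a one-line comment each. The same undeclared keys apply to the values hunks in patches 5 and 7.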
@@ -9,7 +9,7 @@ spec: type: {{ .Values.insightsTrivy.service.type }} ports: - port: {{ .Values.insightsTrivy.service.port }} - targetPort: TCP-4954 + targetPort: 4954 name: TCP selector: {{- include "lagoon-core.insightsTrivy.selectorLabels" . | nindent 4 }} From c6873e1080a045345af2337b7bb7495549569f57 Mon Sep 17 00:00:00 2001 From: Blaize M Kaye Date: Tue, 10 Oct 2023 09:39:57 +1300 Subject: [PATCH 3/7] fixes port names --- charts/lagoon-core/templates/insights-trivy.deployment.yaml | 4 ++-- charts/lagoon-core/templates/insights-trivy.service.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/lagoon-core/templates/insights-trivy.deployment.yaml b/charts/lagoon-core/templates/insights-trivy.deployment.yaml index caf74770..505d91a2 100644 --- a/charts/lagoon-core/templates/insights-trivy.deployment.yaml +++ b/charts/lagoon-core/templates/insights-trivy.deployment.yaml @@ -31,12 +31,12 @@ spec: ports: - containerPort: 4954 protocol: TCP - name: TCP-4954 + name: tcp-4954 livenessProbe: httpGet: path: /healthz port: 4954 - readinessProbe: + readinessProbe: httpGet: path: /healthz port: 4954 diff --git a/charts/lagoon-core/templates/insights-trivy.service.yaml b/charts/lagoon-core/templates/insights-trivy.service.yaml index 8431f0df..84f37e3d 100644 --- a/charts/lagoon-core/templates/insights-trivy.service.yaml +++ b/charts/lagoon-core/templates/insights-trivy.service.yaml @@ -10,7 +10,7 @@ spec: ports: - port: {{ .Values.insightsTrivy.service.port }} targetPort: 4954 - name: TCP + name: tcp-4954 selector: {{- include "lagoon-core.insightsTrivy.selectorLabels" . | nindent 4 }} {{- end }} From d45d63ffa73ca2ef150b5a552b31a84fdfed0367 Mon Sep 17 00:00:00 2001 From: Blaize M Kaye Date: Tue, 10 Oct 2023 13:12:34 +1300 Subject: [PATCH 4/7] Adds trivy scan vars to insights-handler --- .../lagoon-core/templates/insights-handler.deployment.yaml | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/charts/lagoon-core/templates/insights-handler.deployment.yaml b/charts/lagoon-core/templates/insights-handler.deployment.yaml index f8238f28..5395c9aa 100644 --- a/charts/lagoon-core/templates/insights-handler.deployment.yaml +++ b/charts/lagoon-core/templates/insights-handler.deployment.yaml @@ -74,6 +74,12 @@ spec: value: http://{{ include "lagoon-core.api.fullname" . }}:{{ .Values.api.service.port }}/graphql - name: HTTP_LISTEN_PORT value: "3000" + {{- if .Values.insightsTrivy.enabled }} + - name: PROBLEMS_FROM_SBOM + value: "true" + - name: TRIVY_SERVER_ENDPOINT + value: http://{{ include "lagoon-core.insightsTrivy.fullname" . }}:{{ .Values.insightsTrivy.service.port }} + {{- end }} {{- range $key, $val := .Values.insightsHandler.additionalEnvs }} - name: {{ $key }} value: {{ $val | quote }} From 80be135892d3e4ee5b8e2178e4905c8e44792f63 Mon Sep 17 00:00:00 2001 From: Blaize M Kaye Date: Thu, 26 Oct 2023 11:57:52 +1300 Subject: [PATCH 5/7] Adds image --- charts/lagoon-core/templates/insights-trivy.deployment.yaml | 1 + charts/lagoon-core/values.yaml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/charts/lagoon-core/templates/insights-trivy.deployment.yaml b/charts/lagoon-core/templates/insights-trivy.deployment.yaml index 505d91a2..1c4f580a 100644 --- a/charts/lagoon-core/templates/insights-trivy.deployment.yaml +++ b/charts/lagoon-core/templates/insights-trivy.deployment.yaml @@ -28,6 +28,7 @@ spec: imagePullPolicy: {{ .Values.insightsTrivy.image.pullPolicy }} resources: {{- toYaml .Values.insightsTrivy.resources | nindent 10 }} + command: ["trivy", "server", "--cache-dir=/tmp", "--listen=0.0.0.0:4954", "-d"] ports: - containerPort: 4954 protocol: TCP diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml index 22c217ca..536d7d4e 100644 --- a/charts/lagoon-core/values.yaml +++ b/charts/lagoon-core/values.yaml 
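Review bot: `TRIVY_SERVER_ENDPOINT` points the handler at a plain-HTTP endpoint and nothing in the series starts the trivy server with `--token`, so absent a NetworkPolicy any workload that can reach the ClusterIP Service on 4954 can use the scanner. If the handler supports it, pass a shared token from a Secret via `valueFrom.secretKeyRef` and start the server with the matching `--token`; otherwise a NetworkPolicy restricting ingress on 4954 to the insights-handler pods is the minimal control. As a style point, the sibling env values are quoted (`value: "3000"`, `{{ $val | quote }}`) while this one is a plain scalar; `value: "http://{{ include "lagoon-core.insightsTrivy.fullname" . }}:{{ .Values.insightsTrivy.service.port }}"` matches the `image:` line of the trivy deployment and keeps the rendered YAML a string regardless of what `service.port` is set to.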
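Review bot: `--cache-dir=/tmp` leaves the downloaded vulnerability database on the container's writable layer with no volume behind it, so it is discarded on every restart and the server cannot write it at all if `readOnlyRootFilesystem` is later set in `securityContext`; back `/tmp` with an `emptyDir` (or a PVC if the database should survive restarts). `-d` enables debug logging on a long-running server, which is usually unwanted by default and could be a values toggle instead. No `--token` is passed, so the listener on `0.0.0.0:4954` accepts requests from anything that can reach the Service. The container spec and the pod spec both continue outside this hunk; the volume wiring below lands in those parts.

```yaml
        # … unchanged: command, ports, probes …
        volumeMounts:
          - name: trivy-cache
            mountPath: /tmp
      # … unchanged: nodeSelector, affinity, tolerations …
      volumes:
        - name: trivy-cache
          emptyDir: {}
```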
@@ -618,6 +618,9 @@ insightsHandler: # targetMemoryUtilizationPercentage: 80 insightsTrivy: + image: + repository: aquasec/trivy + tag: latest enabled: false service: type: ClusterIP From 3e23e278d73464d745e4831571d1a00a1bf1e039 Mon Sep 17 00:00:00 2001 From: Blaize M Kaye Date: Thu, 26 Oct 2023 12:37:05 +1300 Subject: [PATCH 6/7] Updates Chart.yaml version and artifacthub changes --- charts/lagoon-core/Chart.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml index 8ed78ecd..9e289bfe 100644 --- a/charts/lagoon-core/Chart.yaml +++ b/charts/lagoon-core/Chart.yaml @@ -21,7 +21,7 @@ type: application # time you make changes to the chart and its templates, including the app # version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.38.0 +version: 1.39.0 # This is the version number of the application being deployed. This version # number should be incremented each time you make changes to the application. @@ -40,7 +40,5 @@ dependencies: # Valid supported kinds are added, changed, deprecated, removed, fixed and security annotations: artifacthub.io/changes: | - - kind: changed - description: require minimum Kubernetes 1.23 - - kind: changed - description: removed autoscaling api version helper + - kind: added + description: Insights trivy service From 65cb5297f844bf8622dc3999a5e7f7d3a51e5bc1 Mon Sep 17 00:00:00 2001 From: Blaize M Kaye Date: Thu, 26 Oct 2023 14:10:07 +1300 Subject: [PATCH 7/7] Moves insights trivy details under insights handler --- .../insights-handler.deployment.yaml | 4 ++-- .../templates/insights-trivy.deployment.yaml | 20 +++++++++---------- .../templates/insights-trivy.service.yaml | 6 +++--- charts/lagoon-core/values.yaml | 17 ++++++++-------- 4 files changed, 23 insertions(+), 24 deletions(-) 
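Review bot: `tag: latest` is a mutable tag for the component that decides which vulnerabilities get reported, and because it is non-empty the `coalesce .Values.insightsTrivy.image.tag .Values.imageTag .Chart.AppVersion` in the deployment always resolves to it, so the chart-wide `imageTag` override never reaches trivy; pin a specific release, `tag: "<TRIVY_VERSION>"` (placeholder), and consider adding a digest. `image.pullPolicy` is read by the deployment but declared nowhere in the series, so `imagePullPolicy:` renders empty and Kubernetes applies its default, which for a `:latest` tag is `Always`, re-resolving the tag on every pod start; add `pullPolicy:` here with the value the chart's other components use. A short comment above `image:` stating that the tag is intentionally independent of `imageTag` would save the next reader from the coalesce surprise. The same points apply to the moved block in patch 7's values hunk.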
diff --git a/charts/lagoon-core/templates/insights-handler.deployment.yaml b/charts/lagoon-core/templates/insights-handler.deployment.yaml index 5395c9aa..5e64d799 100644 --- a/charts/lagoon-core/templates/insights-handler.deployment.yaml +++ b/charts/lagoon-core/templates/insights-handler.deployment.yaml @@ -74,11 +74,11 @@ spec: value: http://{{ include "lagoon-core.api.fullname" . }}:{{ .Values.api.service.port }}/graphql - name: HTTP_LISTEN_PORT value: "3000" - {{- if .Values.insightsTrivy.enabled }} + {{- if .Values.insightsHandler.trivy.enabled }} - name: PROBLEMS_FROM_SBOM value: "true" - name: TRIVY_SERVER_ENDPOINT - value: http://{{ include "lagoon-core.insightsTrivy.fullname" . }}:{{ .Values.insightsTrivy.service.port }} + value: http://{{ include "lagoon-core.insightsTrivy.fullname" . }}:{{ .Values.insightsHandler.trivy.service.port }} {{- end }} {{- range $key, $val := .Values.insightsHandler.additionalEnvs }} - name: {{ $key }} diff --git a/charts/lagoon-core/templates/insights-trivy.deployment.yaml b/charts/lagoon-core/templates/insights-trivy.deployment.yaml index 1c4f580a..dc99ff3b 100644 --- a/charts/lagoon-core/templates/insights-trivy.deployment.yaml +++ b/charts/lagoon-core/templates/insights-trivy.deployment.yaml @@ -1,4 +1,4 @@ -{{- if .Values.insightsTrivy.enabled -}} +{{- if .Values.insightsHandler.trivy.enabled -}} apiVersion: apps/v1 kind: Deployment metadata: 
@@ -12,22 +12,22 @@ spec: template: metadata: annotations: - {{- with .Values.insightsTrivy.podAnnotations }} + {{- with .Values.insightsHandler.trivy.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} labels: {{- include "lagoon-core.insightsTrivy.selectorLabels" . | nindent 8 }} spec: securityContext: - {{- toYaml (coalesce .Values.insightsTrivy.podSecurityContext .Values.podSecurityContext) | nindent 8 }} + {{- toYaml (coalesce .Values.insightsHandler.trivy.podSecurityContext .Values.podSecurityContext) | nindent 8 }} containers: - name: insights-trivy securityContext: - {{- toYaml .Values.insightsTrivy.securityContext | nindent 10 }} - image: "{{ .Values.insightsTrivy.image.repository }}:{{ coalesce .Values.insightsTrivy.image.tag .Values.imageTag .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.insightsTrivy.image.pullPolicy }} + {{- toYaml .Values.insightsHandler.trivy.securityContext | nindent 10 }} + image: "{{ .Values.insightsHandler.trivy.image.repository }}:{{ coalesce .Values.insightsHandler.trivy.image.tag .Values.imageTag .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.insightsHandler.trivy.image.pullPolicy }} resources: - {{- toYaml .Values.insightsTrivy.resources | nindent 10 }} + {{- toYaml .Values.insightsHandler.trivy.resources | nindent 10 }} command: ["trivy", "server", "--cache-dir=/tmp", "--listen=0.0.0.0:4954", "-d"] ports: - containerPort: 4954 @@ -41,7 +41,7 @@ spec: httpGet: path: /healthz port: 4954 - {{- with .Values.insightsTrivy.nodeSelector }} + {{- with .Values.insightsHandler.trivy.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} 
@@ -65,10 +65,10 @@ spec: values: - {{ .Release.Name }} topologyKey: kubernetes.io/hostname - {{- with .Values.insightsTrivy.affinity }} + {{- with .Values.insightsHandler.trivy.affinity }} {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.insightsTrivy.tolerations }} + {{- with .Values.insightsHandler.trivy.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/charts/lagoon-core/templates/insights-trivy.service.yaml b/charts/lagoon-core/templates/insights-trivy.service.yaml index 84f37e3d..23868e10 100644 --- a/charts/lagoon-core/templates/insights-trivy.service.yaml +++ b/charts/lagoon-core/templates/insights-trivy.service.yaml @@ -1,4 +1,4 @@ -{{- if .Values.insightsTrivy.enabled -}} +{{- if .Values.insightsHandler.trivy.enabled -}} apiVersion: v1 kind: Service metadata: @@ -6,9 +6,9 @@ metadata: labels: {{- include "lagoon-core.insightsTrivy.labels" . | nindent 4 }} spec: - type: {{ .Values.insightsTrivy.service.type }} + type: {{ .Values.insightsHandler.trivy.service.type }} ports: - - port: {{ .Values.insightsTrivy.service.port }} + - port: {{ .Values.insightsHandler.trivy.service.port }} targetPort: 4954 name: tcp-4954 selector: diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml index 536d7d4e..af899ac2 100644 --- a/charts/lagoon-core/values.yaml +++ b/charts/lagoon-core/values.yaml @@ -616,15 +616,14 @@ insightsHandler: maxReplicas: 100 targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 - -insightsTrivy: - image: - repository: aquasec/trivy - tag: latest - enabled: false - service: - type: ClusterIP - port: 4954 + trivy: + enabled: false + image: + repository: aquasec/trivy + tag: latest + service: + type: ClusterIP + port: 4954 logs2notifications: enabled: true