From 81e3fc56d1a813598fb5a577ccc61acc9cec5e63 Mon Sep 17 00:00:00 2001 From: nscuro Date: Wed, 12 Jun 2024 16:29:26 +0200 Subject: [PATCH] Port enhancement from `dependency-track` chart to `hyades` Includes changes from: * https://github.com/DependencyTrack/helm-charts/pull/13 * https://github.com/DependencyTrack/helm-charts/pull/22 * https://github.com/DependencyTrack/helm-charts/pull/23 * https://github.com/DependencyTrack/helm-charts/pull/33 * https://github.com/DependencyTrack/helm-charts/pull/34 * https://github.com/DependencyTrack/helm-charts/pull/42 * https://github.com/DependencyTrack/helm-charts/pull/52 * https://github.com/DependencyTrack/helm-charts/pull/55 * https://github.com/DependencyTrack/helm-charts/pull/57 * https://github.com/DependencyTrack/helm-charts/pull/83 * https://github.com/DependencyTrack/helm-charts/pull/87 Co-authored-by: Pawel Mrowka Co-authored-by: Edvin Norling Co-authored-by: Jaz Ark Co-authored-by: Arnaud Hatzenbuhler Co-authored-by: Stefan Hynek Co-authored-by: Theodor van Nahl Co-authored-by: Sergiy Kulanov 
Signed-off-by: nscuro --- charts/hyades/templates/_helpers.tpl | 18 ++- .../templates/api-server/deployment.yaml | 25 +++- .../hyades/templates/api-server/ingress.yaml | 22 ---- .../hyades/templates/api-server/service.yaml | 3 + .../hyades/templates/frontend/deployment.yaml | 36 ++++- charts/hyades/templates/frontend/ingress.yaml | 23 ---- charts/hyades/templates/frontend/service.yaml | 3 + charts/hyades/templates/ingress.yaml | 46 +++++++ .../templates/mirror-service/deployment.yaml | 43 +++++- .../notification-publisher/deployment.yaml | 30 ++++- .../repo-meta-analyzer/deployment.yaml | 29 ++++- charts/hyades/templates/serviceaccount.yml | 9 ++ .../vuln-analyzer/service-headless.yaml | 22 ++++ .../templates/vuln-analyzer/service.yaml | 13 -- .../templates/vuln-analyzer/statefulset.yaml | 31 ++++- charts/hyades/values-minikube.yaml | 6 +- charts/hyades/values.yaml | 123 ++++++++++++++---- 17 files changed, 366 insertions(+), 116 deletions(-) delete mode 100644 charts/hyades/templates/api-server/ingress.yaml delete mode 100644 charts/hyades/templates/frontend/ingress.yaml create mode 100644 charts/hyades/templates/ingress.yaml create mode 100644 charts/hyades/templates/serviceaccount.yml create mode 100644 charts/hyades/templates/vuln-analyzer/service-headless.yaml delete mode 100644 charts/hyades/templates/vuln-analyzer/service.yaml diff --git a/charts/hyades/templates/_helpers.tpl b/charts/hyades/templates/_helpers.tpl index 2e40f8f..f03cbb7 100644 --- a/charts/hyades/templates/_helpers.tpl +++ b/charts/hyades/templates/_helpers.tpl @@ -35,7 +35,6 @@ Common labels */}} {{- define "hyades.commonLabels" -}} helm.sh/chart: {{ include "hyades.chart" . }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} app.kubernetes.io/part-of: {{ include "hyades.name" . }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} 
@@ -54,6 +53,7 @@ API server labels {{- define "hyades.apiServerLabels" -}} {{ include "hyades.commonLabels" . }} {{ include "hyades.apiServerSelectorLabels" . }} +app.kubernetes.io/version: {{ (.Values.apiServer.image.tag | default .Chart.AppVersion) | quote }} {{- end -}} {{/* @@ -93,6 +93,7 @@ Frontend labels {{- define "hyades.frontendLabels" -}} {{ include "hyades.commonLabels" . }} {{ include "hyades.frontendSelectorLabels" . }} +app.kubernetes.io/version: {{ (.Values.frontend.image.tag | default .Chart.AppVersion) | quote }} {{- end -}} {{/* @@ -132,6 +133,7 @@ Mirror service labels {{- define "hyades.mirrorServiceLabels" -}} {{ include "hyades.commonLabels" . }} {{ include "hyades.mirrorServiceSelectorLabels" . }} +app.kubernetes.io/version: {{ (.Values.mirrorService.image.tag | default .Chart.AppVersion) | quote }} {{- end -}} {{/* @@ -171,6 +173,7 @@ Notification publisher labels {{- define "hyades.notificationPublisherLabels" -}} {{ include "hyades.commonLabels" . }} {{ include "hyades.notificationPublisherSelectorLabels" . }} +app.kubernetes.io/version: {{ (.Values.notificationPublisher.image.tag | default .Chart.AppVersion) | quote }} {{- end -}} {{/* @@ -210,6 +213,7 @@ Repository metadata analyzer labels {{- define "hyades.repoMetaAnalyzerLabels" -}} {{ include "hyades.commonLabels" . }} {{ include "hyades.repoMetaAnalyzerSelectorLabels" . }} +app.kubernetes.io/version: {{ (.Values.repoMetaAnalyzer.image.tag | default .Chart.AppVersion) | quote }} {{- end -}} {{/* @@ -249,6 +253,7 @@ Vulnerability analyzer labels {{- define "hyades.vulnAnalyzerLabels" -}} {{ include "hyades.commonLabels" . }} {{ include "hyades.vulnAnalyzerSelectorLabels" . }} +app.kubernetes.io/version: {{ (.Values.vulnAnalyzer.image.tag | default .Chart.AppVersion) | quote }} {{- end -}} {{/* 
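Review bot: The new `app.kubernetes.io/version` value in `hyades.apiServerLabels` is the raw image tag, but a label value is limited to 63 characters of `[-A-Za-z0-9_.]` while an image tag may run to 128, so a long tag (or a `.Chart.AppVersion` with `+` build metadata) makes every labelled resource fail validation. The same expression is added to the frontend, mirrorService, notificationPublisher, repoMetaAnalyzer and vulnAnalyzer label helpers in the following hunks. Sanitise the value once, e.g. `app.kubernetes.io/version: {{ (.Values.apiServer.image.tag | default .Chart.AppVersion) | replace "+" "_" | trunc 63 | trimSuffix "-" | quote }}`, and apply the same pipeline to the other five helpers.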
@@ -290,3 +295,14 @@ Vulnerability analyzer image {{- printf "%s-secret-key" (include "hyades.fullname" .) -}} {{- end -}} {{- end -}} + +{{/* +Create the name of the service account +*/}} +{{- define "hyades.serviceAccountName" -}} +{{- if .Values.common.serviceAccount.create }} +{{- default (include "hyades.fullname" .) .Values.common.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.common.serviceAccount.name }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hyades/templates/api-server/deployment.yaml b/charts/hyades/templates/api-server/deployment.yaml index 5f61540..e65d1e0 100644 --- a/charts/hyades/templates/api-server/deployment.yaml +++ b/charts/hyades/templates/api-server/deployment.yaml @@ -23,6 +23,11 @@ spec: {{- with .Values.common.image.pullSecrets }} imagePullSecrets: {{- toYaml . | nindent 6 }} {{- end }} + initContainers: + {{- with .Values.apiServer.initContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + serviceAccountName: {{ include "hyades.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.apiServer.terminationGracePeriodSeconds }} containers: - name: {{ include "hyades.apiServerName" . }} @@ -73,9 +78,8 @@ spec: - name: KAFKA_TOPIC_PREFIX value: {{ . | quote }} {{- end }} - {{- range $k, $v := .Values.apiServer.extraEnv }} - - name: {{ $k }} - value: {{ $v | quote }} + {{- with .Values.apiServer.extraEnv }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.apiServer.extraEnvFrom }} envFrom: {{ toYaml . | nindent 8 }} @@ -95,6 +99,9 @@ spec: mountPath: /var/run/secrets/secret.key readOnly: true {{- end }} + {{- with .Values.apiServer.additionalVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: scheme: HTTP 
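Review bot: `serviceAccountName: {{ include "hyades.serviceAccountName" . }}` is now set on the api-server pod spec, but nothing sets `automountServiceAccountToken` there, so `common.serviceAccount.automount` only takes effect for the ServiceAccount the chart itself creates; with `common.serviceAccount.create: false` and an empty `name` the helper resolves to `default`, and that account's token is mounted into every pod. The frontend, mirror-service, notification-publisher and repo-meta-analyzer deployments and the vuln-analyzer statefulset in this commit carry the same gap. Add `automountServiceAccountToken: {{ .Values.common.serviceAccount.automount }}` directly under `serviceAccountName:` in each pod spec so the setting is enforced regardless of which account is used.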
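Review bot: Switching `apiServer.extraEnv` from a map to a list at `{{- with .Values.apiServer.extraEnv }}` is a breaking values change, and an existing map value is still truthy, so `toYaml` emits `KEY: value` pairs under `env:` and the failure only surfaces when the manifest is applied. The frontend, mirror-service, notification-publisher, repo-meta-analyzer and vuln-analyzer templates make the same switch. A guard inside the `with` turns that into a clear render-time error: `{{- if not (kindIs "slice" .) }}{{ fail "apiServer.extraEnv must be a list of EnvVar entries" }}{{- end }}`; the changelog should also call out the new shape (the commit already updates values-minikube.yaml).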
@@ -115,6 +122,15 @@ spec: periodSeconds: {{ .Values.apiServer.probes.readiness.periodSeconds }} successThreshold: {{ .Values.apiServer.probes.readiness.successThreshold }} timeoutSeconds: {{ .Values.apiServer.probes.readiness.timeoutSeconds }} + {{- with .Values.apiServer.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.apiServer.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.apiServer.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 8 }} + {{- end }} volumes: - name: data emptyDir: {} @@ -125,4 +141,7 @@ spec: secret: secretName: {{ . }} {{- end }} + {{- with .Values.apiServer.additionalVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- end }} \ No newline at end of file diff --git a/charts/hyades/templates/api-server/ingress.yaml b/charts/hyades/templates/api-server/ingress.yaml deleted file mode 100644 index a03b154..0000000 --- a/charts/hyades/templates/api-server/ingress.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if and .Values.apiServer.enabled .Values.apiServer.ingress.enabled }} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ include "hyades.apiServerFullname" . }} - namespace: {{ .Release.Namespace }} - {{- with .Values.apiServer.ingress.annotations }} - annotations: {{- toYaml . | nindent 4 }} - {{- end }} -spec: - rules: - - host: {{ .Values.apiServer.ingress.hostname | quote }} - http: - paths: - - path: /api - pathType: Prefix - backend: - service: - name: {{ include "hyades.apiServerFullname" . }} - port: - name: web -{{- end }} \ No newline at end of file diff --git a/charts/hyades/templates/api-server/service.yaml b/charts/hyades/templates/api-server/service.yaml index 0d070ed..927b487 100644 --- a/charts/hyades/templates/api-server/service.yaml +++ b/charts/hyades/templates/api-server/service.yaml 
@@ -6,6 +6,9 @@ metadata: name: {{ include "hyades.apiServerFullname" . }} namespace: {{ .Release.Namespace }} labels: {{- include "hyades.apiServerLabels" . | nindent 4 }} + {{- with .Values.apiServer.service.annotations }} + annotations: {{- toYaml . | nindent 4 }} + {{- end }} spec: type: {{ .Values.apiServer.service.type | quote }} ports: diff --git a/charts/hyades/templates/frontend/deployment.yaml b/charts/hyades/templates/frontend/deployment.yaml index 9d73871..e0b4436 100644 --- a/charts/hyades/templates/frontend/deployment.yaml +++ b/charts/hyades/templates/frontend/deployment.yaml @@ -20,6 +20,11 @@ spec: {{- with .Values.common.image.pullSecrets }} imagePullSecrets: {{- toYaml . | nindent 6 }} {{- end }} + initContainers: + {{- if .Values.frontend.initContainers }} + {{- toYaml .Values.frontend.initContainers | nindent 6 }} + {{- end }} + serviceAccountName: {{ include "hyades.serviceAccountName" . }} containers: - name: {{ include "hyades.frontendName" . }} image: {{ include "hyades.frontendImage" . }} @@ -39,14 +44,12 @@ spec: {{- with .Values.frontend.args }} args: {{ toYaml . | nindent 8 }} {{- end }} - resources: - {{- toYaml .Values.frontend.resources | nindent 10 }} + resources: {{- toYaml .Values.frontend.resources | nindent 10 }} env: - name: API_BASE_URL value: {{ .Values.frontend.apiBaseUrl | quote }} - {{- range $k, $v := .Values.frontend.extraEnv }} - - name: {{ $k }} - value: {{ $v | quote }} + {{- with .Values.frontend.extraEnv }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.frontend.extraEnvFrom }} envFrom: {{ toYaml . | nindent 8 }} @@ -55,6 +58,12 @@ spec: - name: web containerPort: 8080 protocol: TCP + volumeMounts: + - name: tmp + mountPath: /tmp + {{- with .Values.frontend.additionalVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: scheme: HTTP 
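Review bot: The frontend pod spec renders `initContainers:` unconditionally and fills it with `{{- if .Values.frontend.initContainers }}{{- toYaml .Values.frontend.initContainers | nindent 6 }}`, whereas the api-server hunk uses `with`; both leave a bare `initContainers:` (null) key when the list is empty, which the API server tolerates but strict schema validators may reject. The mirror-service deployment uses the `if` form as well. Keeping the key inside the block avoids the null and unifies the style: `{{- with .Values.frontend.initContainers }}` / `initContainers: {{- toYaml . | nindent 6 }}` / `{{- end }}`.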
@@ -75,4 +84,21 @@ spec: periodSeconds: {{ .Values.frontend.probes.readiness.periodSeconds }} successThreshold: {{ .Values.frontend.probes.readiness.successThreshold }} timeoutSeconds: {{ .Values.frontend.probes.readiness.timeoutSeconds }} + {{- with .Values.frontend.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.frontend.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.frontend.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: tmp + emptyDir: {} + {{- with .Values.frontend.additionalVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- end }} \ No newline at end of file diff --git a/charts/hyades/templates/frontend/ingress.yaml b/charts/hyades/templates/frontend/ingress.yaml deleted file mode 100644 index 501e1a3..0000000 --- a/charts/hyades/templates/frontend/ingress.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if and .Values.frontend.enabled .Values.frontend.ingress.enabled }} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ include "hyades.frontendFullname" . }} - namespace: {{ .Release.Namespace }} - labels: {{- include "hyades.frontendLabels" . | nindent 4 }} - {{- with .Values.frontend.ingress.annotations }} - annotations: {{- toYaml . | nindent 4 }} - {{- end }} -spec: - rules: - - host: {{ .Values.frontend.ingress.hostname | quote }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ include "hyades.frontendFullname" . }} - port: - name: web -{{- end }} \ No newline at end of file diff --git a/charts/hyades/templates/frontend/service.yaml b/charts/hyades/templates/frontend/service.yaml index c9d6a93..541897a 100644 --- a/charts/hyades/templates/frontend/service.yaml +++ b/charts/hyades/templates/frontend/service.yaml 
@@ -6,6 +6,9 @@ metadata: name: {{ include "hyades.frontendFullname" . }} namespace: {{ .Release.Namespace }} labels: {{- include "hyades.frontendLabels" . | nindent 4 }} + {{- with .Values.frontend.service.annotations }} + annotations: {{- toYaml . | nindent 4 }} + {{- end }} spec: type: {{ .Values.frontend.service.type | quote }} ports: diff --git a/charts/hyades/templates/ingress.yaml b/charts/hyades/templates/ingress.yaml new file mode 100644 index 0000000..cda47ab --- /dev/null +++ b/charts/hyades/templates/ingress.yaml @@ -0,0 +1,46 @@ +{{- if and .Values.ingress.enabled (or .Values.apiServer.enabled .Values.frontend.enabled) -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "hyades.fullname" . }} + namespace: {{ .Release.Namespace }} + {{- with .Values.ingress.annotations }} + annotations: {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingress.ingressClassName | empty | not }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + - host: {{ .Values.ingress.hostname | quote }} + http: + paths: + {{- if .Values.apiServer.enabled }} + - path: /api + pathType: Prefix + backend: + service: + name: {{ include "hyades.apiServerFullname" . }} + port: + name: web + {{- end }} + {{- if .Values.frontend.enabled }} + - path: / + pathType: Prefix + backend: + service: + name: {{ include "hyades.frontendFullname" . }} + port: + name: web + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hyades/templates/mirror-service/deployment.yaml b/charts/hyades/templates/mirror-service/deployment.yaml index 8d1bde5..827ece7 100644 --- a/charts/hyades/templates/mirror-service/deployment.yaml +++ b/charts/hyades/templates/mirror-service/deployment.yaml 
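Review bot: The consolidated Ingress has no `labels:` in its metadata, while the frontend ingress it replaces carried `labels: {{- include "hyades.frontendLabels" . | nindent 4 }}` and the other templates touched here are labelled; add `labels: {{- include "hyades.commonLabels" . | nindent 4 }}` after `namespace:`. In the `tls` loop `secretName: {{ .secretName }}` is the only unquoted user-supplied scalar (the hosts are quoted); use `{{ .secretName | quote }}`. `{{- if .Values.ingress.ingressClassName | empty | not }}` can be the simpler `{{- with .Values.ingress.ingressClassName }}ingressClassName: {{ . | quote }}{{- end }}`. With `tls: []` as the default the Ingress serves plain HTTP unless the ingress controller redirects, which is worth a comment in values.yaml.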
@@ -23,6 +23,11 @@ spec: {{- with .Values.common.image.pullSecrets }} imagePullSecrets: {{- toYaml . | nindent 6 }} {{- end }} + initContainers: + {{- if .Values.mirrorService.initContainers }} + {{- toYaml .Values.mirrorService.initContainers | nindent 6 }} + {{- end }} + serviceAccountName: {{ include "hyades.serviceAccountName" . }} containers: - name: {{ include "hyades.mirrorServiceName" . }} image: {{ include "hyades.mirrorServiceImage" . }} @@ -42,18 +47,36 @@ spec: {{- with .Values.mirrorService.args }} args: {{ toYaml . | nindent 8 }} {{- end }} - resources: - {{- toYaml .Values.mirrorService.resources | nindent 10 }} + resources: {{- toYaml .Values.mirrorService.resources | nindent 10 }} env: + {{- if (include "hyades.secretKeySecretName" .) }} + - name: ALPINE_SECRET_KEY_PATH + value: "/var/run/secrets/secret.key" + {{- end }} + - name: ALPINE_DATABASE_MODE + value: "external" + - name: ALPINE_DATABASE_DRIVER + value: "org.postgresql.Driver" + {{- with .Values.common.database.jdbcUrl }} + - name: ALPINE_DATABASE_URL + value: {{ tpl . $ | quote }} + {{- end}} + {{- with .Values.common.database.username }} + - name: ALPINE_DATABASE_USERNAME + value: {{ . | quote }} + {{- end }} + {{- with .Values.common.database.password }} + - name: ALPINE_DATABASE_PASSWORD + value: {{ . | quote }} + {{- end }} - name: KAFKA_BOOTSTRAP_SERVERS value: {{ tpl .Values.common.kafka.bootstrapServers $ | quote }} {{- with .Values.common.kafka.topicPrefix }} - name: KAFKA_TOPIC_PREFIX value: {{ . | quote }} {{- end }} - {{- range $k, $v := .Values.mirrorService.extraEnv }} - - name: {{ $k }} - value: {{ $v | quote }} + {{- with .Values.mirrorService.extraEnv }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.mirrorService.extraEnvFrom }} envFrom: {{ toYaml . | nindent 8 }} 
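Review bot: `ALPINE_DATABASE_PASSWORD` is rendered as a plain `value: {{ . | quote }}` from `common.database.password`, which writes the database credential into the Deployment manifest itself (readable by anyone allowed to get deployments or pods, and stored in the Helm release secret) and extends the credential to a second component. Prefer `valueFrom: secretKeyRef:` pointing at a Secret, gated on a value such as `common.database.existingSecretName` (constructed name, mirroring the `existingSecretName` pattern the chart already uses for the secret key), and keep `value:` only as the fallback when no secret is referenced. If the api-server deployment renders the password the same way, change both together so the two stay consistent.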
@@ -71,6 +94,9 @@ spec: mountPath: /var/run/secrets/secret.key readOnly: true {{- end }} + {{- with .Values.mirrorService.additionalVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: scheme: HTTP @@ -94,9 +120,12 @@ spec: volumes: - name: tmp emptyDir: {} - {{- with (include "hyades.secretKeySecretName" .) }} + {{- with (include "hyades.secretKeySecretName" .) }} - name: secret-key secret: secretName: {{ . }} - {{- end }} + {{- end }} + {{- with .Values.mirrorService.additionalVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- end }} \ No newline at end of file diff --git a/charts/hyades/templates/notification-publisher/deployment.yaml b/charts/hyades/templates/notification-publisher/deployment.yaml index a9d350d..91b3a79 100644 --- a/charts/hyades/templates/notification-publisher/deployment.yaml +++ b/charts/hyades/templates/notification-publisher/deployment.yaml @@ -17,12 +17,17 @@ spec: prometheus.io/scrape: "true" prometheus.io/path: /q/metrics {{- with .Values.notificationPublisher.annotations }} - {{ toYaml . | nindent 8 }} + {{ toYaml . | nindent 8 }} {{- end }} spec: {{- with .Values.common.image.pullSecrets }} imagePullSecrets: {{- toYaml . | nindent 6 }} {{- end }} + initContainers: + {{- with .Values.notificationPublisher.initContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + serviceAccountName: {{ include "hyades.serviceAccountName" . }} containers: - name: {{ include "hyades.notificationPublisherName" . }} image: {{ include "hyades.notificationPublisherImage" . }} @@ -42,8 +47,7 @@ spec: {{- with .Values.notificationPublisher.args }} args: {{ toYaml . | nindent 8 }} {{- end }} - resources: - {{- toYaml .Values.notificationPublisher.resources | nindent 10 }} + resources: {{- toYaml .Values.notificationPublisher.resources | nindent 10 }} env: {{- if (include "hyades.secretKeySecretName" .) }} - name: SECRET_KEY_PATH 
@@ -67,9 +71,8 @@ spec: - name: KAFKA_TOPIC_PREFIX value: {{ . | quote }} {{- end }} - {{- range $k, $v := .Values.notificationPublisher.extraEnv }} - - name: {{ $k }} - value: {{ $v | quote }} + {{- with .Values.notificationPublisher.extraEnv }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.notificationPublisher.extraEnvFrom }} envFrom: {{ toYaml . | nindent 8 }} @@ -87,6 +90,9 @@ spec: mountPath: /var/run/secrets/secret.key readOnly: true {{- end }} + {{- with .Values.notificationPublisher.additionalVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: scheme: HTTP @@ -107,6 +113,15 @@ spec: periodSeconds: {{ .Values.notificationPublisher.probes.readiness.periodSeconds }} successThreshold: {{ .Values.notificationPublisher.probes.readiness.successThreshold }} timeoutSeconds: {{ .Values.notificationPublisher.probes.readiness.timeoutSeconds }} + {{- with .Values.notificationPublisher.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.notificationPublisher.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.notificationPublisher.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 8 }} + {{- end }} volumes: - name: tmp emptyDir: {} @@ -115,4 +130,7 @@ spec: secret: secretName: {{ . }} {{- end }} + {{- with .Values.notificationPublisher.additionalVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- end }} \ No newline at end of file diff --git a/charts/hyades/templates/repo-meta-analyzer/deployment.yaml b/charts/hyades/templates/repo-meta-analyzer/deployment.yaml index 2941842..34f54f7 100644 --- a/charts/hyades/templates/repo-meta-analyzer/deployment.yaml +++ b/charts/hyades/templates/repo-meta-analyzer/deployment.yaml @@ -1,3 +1,4 @@ +{{- if .Values.repoMetaAnalyzer.enabled }} --- apiVersion: apps/v1 kind: Deployment 
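Review bot: The new `{{- if .Values.repoMetaAnalyzer.enabled }}` guard wraps only this Deployment; if the chart has a Service or ServiceMonitor template for the repo-meta-analyzer (none is touched by this commit), it will still be rendered when the component is disabled, leaving a Service with no endpoints. The vuln-analyzer change in this commit guards both the StatefulSet and its headless Service, which is the pattern to mirror. The closing `{{- end }}` for this guard is in a later hunk of the same file.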
@@ -16,12 +17,17 @@ spec: prometheus.io/scrape: "true" prometheus.io/path: /q/metrics {{- with .Values.repoMetaAnalyzer.annotations }} - {{ toYaml . | nindent 8 }} + {{ toYaml . | nindent 8 }} {{- end }} spec: {{- with .Values.common.image.pullSecrets }} imagePullSecrets: {{- toYaml . | nindent 6 }} {{- end }} + initContainers: + {{- with .Values.repoMetaAnalyzer.initContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + serviceAccountName: {{ include "hyades.serviceAccountName" . }} containers: - name: {{ include "hyades.repoMetaAnalyzerName" . }} image: {{ include "hyades.repoMetaAnalyzerImage" . }} @@ -66,9 +72,8 @@ spec: - name: KAFKA_TOPIC_PREFIX value: {{ . | quote }} {{- end }} - {{- range $k, $v := .Values.repoMetaAnalyzer.extraEnv }} - - name: {{ $k }} - value: {{ $v | quote }} + {{- with .Values.repoMetaAnalyzer.extraEnv }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.repoMetaAnalyzer.extraEnvFrom }} envFrom: {{ toYaml . | nindent 8 }} @@ -86,6 +91,9 @@ spec: mountPath: /var/run/secrets/secret.key readOnly: true {{- end }} + {{- with .Values.repoMetaAnalyzer.additionalVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: scheme: HTTP @@ -106,6 +114,15 @@ spec: periodSeconds: {{ .Values.repoMetaAnalyzer.probes.readiness.periodSeconds }} successThreshold: {{ .Values.repoMetaAnalyzer.probes.readiness.successThreshold }} timeoutSeconds: {{ .Values.repoMetaAnalyzer.probes.readiness.timeoutSeconds }} + {{- with .Values.repoMetaAnalyzer.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.repoMetaAnalyzer.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.repoMetaAnalyzer.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 8 }} + {{- end }} volumes: - name: tmp emptyDir: {} 
@@ -114,3 +131,7 @@ spec: secret: secretName: {{ . }} {{- end }} + {{- with .Values.repoMetaAnalyzer.additionalVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hyades/templates/serviceaccount.yml b/charts/hyades/templates/serviceaccount.yml new file mode 100644 index 0000000..87cb1cf --- /dev/null +++ b/charts/hyades/templates/serviceaccount.yml @@ -0,0 +1,9 @@ +{{- if .Values.common.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "hyades.serviceAccountName" . }} + labels: {{- include "hyades.commonLabels" . | nindent 4 }} + annotations: {{- toYaml .Values.common.serviceAccount.annotations | nindent 4 }} +automountServiceAccountToken: {{ .Values.common.serviceAccount.automount }} +{{- end }} \ No newline at end of file diff --git a/charts/hyades/templates/vuln-analyzer/service-headless.yaml b/charts/hyades/templates/vuln-analyzer/service-headless.yaml new file mode 100644 index 0000000..b272f34 --- /dev/null +++ b/charts/hyades/templates/vuln-analyzer/service-headless.yaml @@ -0,0 +1,22 @@ +{{- if .Values.vulnAnalyzer.enabled }} +{{/* +TODO: The headless service is only required when vulnAnalyzer is a StatefulSet. + Make this conditional when implementing https://github.com/DependencyTrack/helm-charts/issues/90 +*/}} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "hyades.vulnAnalyzerFullname" . }}-headless + namespace: {{ .Release.Namespace }} + labels: {{- include "hyades.vulnAnalyzerLabels" . | nindent 4 }} + {{- with .Values.vulnAnalyzer.service.annotations }} + annotations: {{- toYaml . | nindent 4 }} + {{- end }} +spec: + clusterIP: None + ports: + - port: 80 + targetPort: web + selector: {{- include "hyades.vulnAnalyzerSelectorLabels" . | nindent 4 }} +{{- end }} \ No newline at end of file 
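Review bot: The new ServiceAccount has no `namespace: {{ .Release.Namespace }}` in its metadata, unlike the Services, Deployments and the headless Service in this commit; Helm injects the release namespace on install, but `helm template` output applied with kubectl lands wherever the current context points. Add `namespace: {{ .Release.Namespace }}` after `name:`. `annotations:` is also emitted unconditionally, rendering `annotations: {}` with the default; wrap it as the other templates do: `{{- with .Values.common.serviceAccount.annotations }}` / `annotations: {{- toYaml . | nindent 4 }}` / `{{- end }}`.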
diff --git a/charts/hyades/templates/vuln-analyzer/service.yaml b/charts/hyades/templates/vuln-analyzer/service.yaml deleted file mode 100644 index 942d9e3..0000000 --- a/charts/hyades/templates/vuln-analyzer/service.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "hyades.vulnAnalyzerFullname" . }} - namespace: {{ .Release.Namespace }} - labels: {{- include "hyades.vulnAnalyzerLabels" . | nindent 4 }} -spec: - clusterIP: None - ports: - - port: 80 - targetPort: web - selector: {{- include "hyades.vulnAnalyzerSelectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/hyades/templates/vuln-analyzer/statefulset.yaml b/charts/hyades/templates/vuln-analyzer/statefulset.yaml index 97d3366..c1ec9e1 100644 --- a/charts/hyades/templates/vuln-analyzer/statefulset.yaml +++ b/charts/hyades/templates/vuln-analyzer/statefulset.yaml @@ -1,3 +1,4 @@ +{{- if .Values.vulnAnalyzer.enabled }} --- apiVersion: apps/v1 kind: StatefulSet @@ -6,7 +7,7 @@ metadata: namespace: {{ .Release.Namespace }} labels: {{- include "hyades.vulnAnalyzerLabels" . | nindent 4 }} spec: - serviceName: {{ include "hyades.vulnAnalyzerFullname" . }} + serviceName: {{ include "hyades.vulnAnalyzerFullname" . }}-headless replicas: {{ .Values.vulnAnalyzer.replicaCount }} selector: matchLabels: {{- include "hyades.vulnAnalyzerSelectorLabels" . | nindent 6 }} @@ -23,6 +24,11 @@ spec: {{- with .Values.common.image.pullSecrets }} imagePullSecrets: {{- toYaml . | nindent 6 }} {{- end }} + initContainers: + {{- with .Values.notificationPublisher.initContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + serviceAccountName: {{ include "hyades.serviceAccountName" . }} containers: - name: {{ include "hyades.vulnAnalyzerName" . }} image: {{ include "hyades.vulnAnalyzerImage" . }} 
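Review bot: Changing `serviceName` to `{{ include "hyades.vulnAnalyzerFullname" . }}-headless` modifies an immutable StatefulSet field, so `helm upgrade` on an existing release will be rejected by the API server until the StatefulSet is deleted (e.g. with `--cascade=orphan` to keep the pods and the persistent volume claims). The old Service named after the fullname is deleted in this commit, so keeping the old `serviceName` is not an option either. This needs an explicit upgrade note in the changelog or README.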
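Review bot: The vuln-analyzer StatefulSet reads `{{- with .Values.notificationPublisher.initContainers }}`, a copy-paste from the notification-publisher template, so `vulnAnalyzer.initContainers` (declared in values.yaml in this commit) is never rendered and notification-publisher init containers would run in the analyzer pods instead. Change it to `{{- with .Values.vulnAnalyzer.initContainers }}`.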
@@ -68,9 +74,8 @@ spec: - name: KAFKA_TOPIC_PREFIX value: {{ . | quote }} {{- end }} - {{- range $k, $v := .Values.vulnAnalyzer.extraEnv }} - - name: {{ $k }} - value: {{ $v | quote }} + {{- with .Values.vulnAnalyzer.extraEnv }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.vulnAnalyzer.extraEnvFrom }} envFrom: {{ toYaml . | nindent 8 }} @@ -84,6 +89,9 @@ spec: mountPath: /tmp - name: kafka-streams-state mountPath: /var/lib/kafka-streams + {{- with .Values.vulnAnalyzer.additionalVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: scheme: HTTP @@ -104,6 +112,15 @@ spec: periodSeconds: {{ .Values.vulnAnalyzer.probes.readiness.periodSeconds }} successThreshold: {{ .Values.vulnAnalyzer.probes.readiness.successThreshold }} timeoutSeconds: {{ .Values.vulnAnalyzer.probes.readiness.timeoutSeconds }} + {{- with .Values.vulnAnalyzer.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.vulnAnalyzer.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.vulnAnalyzer.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 8 }} + {{- end }} volumes: - name: tmp emptyDir: {} @@ -111,6 +128,9 @@ spec: - name: kafka-streams-state emptyDir: {} {{- end }} + {{- with .Values.vulnAnalyzer.additionalVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- if .Values.vulnAnalyzer.persistentVolume.enabled }} volumeClaimTemplates: - metadata: @@ -122,4 +142,5 @@ spec: storage: {{ .Values.vulnAnalyzer.persistentVolume.size }} accessModes: - ReadWriteOnce - {{- end }} \ No newline at end of file + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hyades/values-minikube.yaml b/charts/hyades/values-minikube.yaml index 8eea343..c1f3e55 100644 --- a/charts/hyades/values-minikube.yaml +++ b/charts/hyades/values-minikube.yaml @@ -10,7 +10,6 @@ common: createSecret: true apiServer: - replicaCount: 1 resources: requests: cpu: "2" 
@@ -22,11 +21,10 @@ apiServer: type: NodePort nodePort: 30080 extraEnv: - EXTRA_JAVA_OPTIONS: "-Xmx2g" + - name: EXTRA_JAVA_OPTIONS + value: "-Xmx2g" frontend: - enabled: true - replicaCount: 1 service: type: NodePort nodePort: 30081 diff --git a/charts/hyades/values.yaml b/charts/hyades/values.yaml index 417903a..917e50d 100644 --- a/charts/hyades/values.yaml +++ b/charts/hyades/values.yaml @@ -17,14 +17,22 @@ common: createSecret: false # -- Use the secret key defined in an existing secret. existingSecretName: "" + serviceAccount: + create: true + annotations: {} + # -- Use the name of the name of the release by default, or specify a custom name. + name: "" + # -- Whether the serviceAccount should mount the token. + automount: false apiServer: + # -- Whether the API server shall be deployed. enabled: true replicaCount: 1 annotations: {} image: repository: dependencytrack/hyades-apiserver - tag: 5.4.0 + tag: snapshot pullPolicy: Always command: [] args: [] @@ -35,7 +43,7 @@ apiServer: limits: cpu: "4" memory: 8Gi - extraEnv: {} + extraEnv: [] extraEnvFrom: [] probes: liveness: @@ -53,6 +61,7 @@ apiServer: service: type: ClusterIP nodePort: ~ + annotations: {} serviceMonitor: enabled: false namespace: monitoring 
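Review bot: The default image tags move from pinned versions (`5.4.0`, `4.9.1`, `0.4.0-native`) to the mutable `snapshot`/`snapshot-native` tags while `pullPolicy: Always` stays, so every pod restart may pull a different build and the `app.kubernetes.io/version` label introduced in this commit becomes `snapshot`; the same change appears in the frontend, mirrorService, notificationPublisher, repoMetaAnalyzer and vulnAnalyzer hunks. If this is intentional for the pre-release chart, say so in a comment above `tag:`; for a release, pin a version (or an immutable digest if the image helpers support one). Separately, the comment on `serviceAccount.name` reads `Use the name of the name of the release by default`; it should say `# -- Name of the service account to use. Empty means the chart fullname when create is true, otherwise "default".`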
@@ -62,18 +71,41 @@ apiServer: # Should always be equal to or greater than the sum of `_DRAIN_TIMEOUT` configurations to ensure graceful shutdown. # Refer to https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ for details. terminationGracePeriodSeconds: 60 - ingress: - enabled: false - annotations: {} - hostname: "example.com" + initContainers: [] + # Use the following to fix permissions on the /data volume. + # initContainers: + # - name: fix-permissions + # image: docker.io/library/busybox + # command: + # - sh + # - -c + # - | + # chown -R 1000:1000 /data + # volumeMounts: + # - name: data + # mountPath: /data + # securityContext: + # capabilities: + # add: + # - CHOWN + # runAsNonRoot: false + # runAsUser: 0 + # seccompProfile: + # type: RuntimeDefault + extraContainers: [] + additionalVolumes: [] + additionalVolumeMounts: [] + tolerations: {} + nodeSelector: {} frontend: + # -- Whether the frontend shall be deployed. enabled: true replicaCount: 1 annotations: {} image: repository: dependencytrack/hyades-frontend - tag: 4.9.1 + tag: snapshot pullPolicy: Always command: [] args: [] @@ -102,20 +134,24 @@ frontend: service: type: ClusterIP nodePort: ~ - ingress: - enabled: false annotations: {} - hostname: "example.com" apiBaseUrl: "" + initContainers: [] + extraContainers: [] + additionalVolumes: [] + additionalVolumeMounts: [] + tolerations: {} + nodeSelector: {} mirrorService: + # -- Whether the mirror service shall be deployed. enabled: true # -- Number of replicas. Should be <= 1. replicaCount: 1 annotations: {} image: repository: dependencytrack/hyades-mirror-service - tag: 0.4.0-native + tag: snapshot-native pullPolicy: Always command: [] args: [] 
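Review bot: `tolerations: {}` declares a map, but PodSpec `tolerations` is a list and the templates pipe it straight through `toYaml`; a user supplying the list form may get a Helm merge warning about the differing types, and the sibling keys `initContainers: []`, `extraContainers: []`, `additionalVolumes: []` already use list defaults. Change to `tolerations: []` here and in the frontend, mirrorService, notificationPublisher, repoMetaAnalyzer and vulnAnalyzer blocks (`nodeSelector: {}` is correct, it is a map). The commented `fix-permissions` example runs as root with `CHOWN`; if the chart exposes a pod `securityContext`, an `fsGroup` there achieves the same ownership fix on the `data` emptyDir without a root init container and is worth mentioning in the comment.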
@@ -141,14 +177,21 @@ mirrorService: periodSeconds: 15 successThreshold: 1 timeoutSeconds: 5 + initContainers: [] + extraContainers: [] + additionalVolumes: [] + additionalVolumeMounts: [] + tolerations: {} + nodeSelector: {} notificationPublisher: + # -- Whether the notification publisher shall be deployed. enabled: true replicaCount: 1 annotations: {} image: repository: dependencytrack/hyades-notification-publisher - tag: 0.4.0-native + tag: snapshot-native pullPolicy: Always command: [] args: [] @@ -174,13 +217,21 @@ notificationPublisher: periodSeconds: 15 successThreshold: 1 timeoutSeconds: 5 + initContainers: [] + extraContainers: [] + additionalVolumes: [] + additionalVolumeMounts: [] + tolerations: {} + nodeSelector: {} repoMetaAnalyzer: + # -- Whether the repository metadata analyzer shall be deployed. + enabled: true annotations: {} replicaCount: 1 image: repository: dependencytrack/hyades-repository-meta-analyzer - tag: 0.4.0-native + tag: snapshot-native pullPolicy: Always command: [] args: [] @@ -206,13 +257,21 @@ repoMetaAnalyzer: periodSeconds: 15 successThreshold: 1 timeoutSeconds: 5 + initContainers: [] + extraContainers: [] + additionalVolumes: [] + additionalVolumeMounts: [] + tolerations: {} + nodeSelector: {} vulnAnalyzer: + # -- Whether the vulnerability analyzer shall be deployed. + enabled: true annotations: {} replicaCount: 1 image: repository: dependencytrack/hyades-vulnerability-analyzer - tag: 0.4.0-native + tag: snapshot-native pullPolicy: Always command: [] args: [] 
@@ -242,14 +301,32 @@ vulnAnalyzer: periodSeconds: 15 successThreshold: 1 timeoutSeconds: 5 + service: + annotations: {} + initContainers: [] + extraContainers: [] + additionalVolumes: [] + additionalVolumeMounts: [] + tolerations: {} + nodeSelector: {} + +ingress: + enabled: false + annotations: {} + hostname: "example.com" + ingressClassName: "" + tls: [] + # - secretName: dt-tls + # hosts: + # - example.com extraObjects: [] - # - apiVersion: "kubernetes-client.io/v1" - # kind: ExternalSecret - # metadata: - # name: tempo-secrets - # spec: - # backendType: aws - # data: - # - key: secret-access-key - # name: awssm-secret +# - apiVersion: "kubernetes-client.io/v1" +# kind: ExternalSecret +# metadata: +# name: tempo-secrets +# spec: +# backendType: aws +# data: +# - key: secret-access-key +# name: awssm-secret
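Review bot: The new top-level `ingress` block has no doc comments, while the other keys added in this commit use the `# --` helm-docs form (`# -- Whether the frontend shall be deployed.`); `hostname`, `ingressClassName` and especially `tls` deserve one each, e.g. `# -- TLS configuration for the Ingress; with the empty default the Ingress is served over plain HTTP.` and `# -- Name of the IngressClass; empty uses the cluster default.` The commented `tls` example shows `secretName: dt-tls`, which presumably refers to an existing Secret holding the certificate; say so in the comment so it is not mistaken for a Secret the chart creates.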