Include gdscan chart (#17)

* Include gdscan chart * removes the scanserver * adjust resources * Move gdscan to vaas/templates * change defaults * use oci for redis * remove config --------- Co-authored-by: PT-ATA No One <[email protected]>
GDATASoftwareAG · Mar 1, 2024 · 9b51791 · 9b51791
1 parent 26de12c
commit 9b51791
Show file tree

Hide file tree

Showing 15 changed files with 605 additions and 44 deletions.
diff --git a/.github/chart-testing-config.yaml b/.github/chart-testing-config.yaml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -48,7 +48,7 @@ jobs:
         working-directory: charts/vaas
 
       - name: Run chart-testing (lint)
-        run: ct lint --config .github/chart-testing-config.yaml --validate-maintainers=false --charts charts/vaas
+        run: ct lint --validate-maintainers=false --charts charts/vaas
 
       - name: Push chart
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'

diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vaas
-version: 1.0.8
+version: 1.1.0
 description: Deployment of a Verdict-as-a-Service on-premise instance
 maintainers:
   - name: G DATA CyberDefense AG
@@ -10,11 +10,7 @@ dependencies:
   - name: redis
     version: 18.16.1
     condition: redis.enabled
-    repository: https://charts.bitnami.com/bitnami
-  - name: gdscan
-    version: 1.8.0
-    condition: gdscan.enabled
-    repository: https://gdatasoftwareag.github.io/gdscan/
+    repository: oci://registry-1.docker.io/bitnamicharts
   - name: mini-identity-provider
     version: 0.1.17
     condition: mini-identity-provider.enabled

diff --git a/charts/vaas/templates/gdscan/_helpers.tpl b/charts/vaas/templates/gdscan/_helpers.tpl
@@ -0,0 +1,120 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "gdscan.name" -}}
+{{- default .Chart.Name .Values.gdscan.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "gdscan.fullname" -}}
+{{- if .Values.gdscan.fullnameOverride }}
+{{- .Values.gdscan.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.gdscan.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gdscan.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "gdscan.labels" -}}
+helm.sh/chart: {{ include "gdscan.chart" . }}
+{{ include "gdscan.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{- define "gdscan.imagePullSecrets" -}}
+
+{{- $imagePullSecrets := concat (((.Values.global | default dict).imagePullSecrets)| default list) (.Values.gdscan.imagePullSecrets | default list) -}}
+{{- if gt (len $imagePullSecrets) 0 -}}
+imagePullSecrets:
+  {{- range $imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "gdscan.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "gdscan.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/namespace: {{ .Release.Namespace }}
+{{- end }}
+
+{{- define "common.tplValues.gdscan.render" -}}
+    {{- if typeIs "string" .value }}
+        {{- tpl .value .context }}
+    {{- else }}
+        {{- tpl (.value | toYaml) .context }}
+    {{- end }}
+{{- end -}}
+
+{{- define "gdscan.names.fullname" -}}
+{{- if .Values.gdscan.fullnameOverride -}}
+{{- .Values.gdscan.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.gdscan.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "vaas.claimName" -}}
+{{- if and .Values.gdscan.persistence.existingClaim }}
+    {{- printf "%s" (tpl .Values.gdscan.persistence.existingClaim $) -}}
+{{- else -}}
+    {{- printf "%s" (include "gdscan.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "common.storage.class" -}}
+
+{{- $storageClass := .persistence.storageClass -}}
+{{- if .global -}}
+    {{- if .global.storageClass -}}
+        {{- $storageClass = .global.storageClass -}}
+    {{- end -}}
+{{- end -}}
+
+{{- if $storageClass -}}
+  {{- if (eq "-" $storageClass) -}}
+      {{- printf "storageClassName: \"\"" -}}
+  {{- else }}
+      {{- printf "storageClassName: %s" $storageClass -}}
+  {{- end -}}
+{{- end -}}
+
+{{- end -}}
+
+{{- define "common.secondsToHHMMSS" -}}
+{{- $totalSeconds := . -}}
+{{- $hours := div $totalSeconds 3600 | printf "%02d" -}}
+{{- $totalSeconds = mod $totalSeconds 3600 -}}
+{{- $minutes := div $totalSeconds 60 | printf "%02d" -}}
+{{- $seconds := mod $totalSeconds 60 | printf "%02d" -}}
+{{- printf "%s:%s:%s" $hours $minutes $seconds -}}
+{{- end -}}
diff --git a/charts/vaas/templates/gdscan/deployment.yaml b/charts/vaas/templates/gdscan/deployment.yaml
@@ -0,0 +1,89 @@
+{{- if or (.Values.gdscan.persistence.enabled | not) (eq .Values.gdscan.persistence.accessMode "ReadWriteMany" ) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "gdscan.fullname" . }}
+  labels:
+    {{- include "gdscan.labels" . | nindent 4 }}
+spec:
+  strategy:
+    type: {{ .Values.gdscan.deploymentStrategy }}
+  {{- if not .Values.gdscan.autoscaling.enabled }}
+  replicas: {{ .Values.gdscan.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gdscan.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.gdscan.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gdscan.selectorLabels" . | nindent 8 }}
+    spec:
+      volumes:
+        - name: samples
+        {{- if .Values.gdscan.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ include "vaas.claimName" . }}
+        {{- else }}
+          emptyDir:
+            sizeLimit: {{ .Values.gdscan.persistence.size | quote }}
+          {{- if .Values.gdscan.persistence.memory }}
+            medium : "Memory"
+          {{- end }}
+        {{- end }}
+        - name: client-tmp
+          emptyDir: {}
+      {{- include "gdscan.imagePullSecrets" . | nindent 6 }}
+      containers:
+        - name: {{ .Values.gdscan.client.name }}
+          image: '{{ .Values.gdscan.client.image.repository }}:{{ .Values.gdscan.client.image.tag | default "latest" }}'
+          imagePullPolicy: {{ .Values.gdscan.client.image.pullPolicy }}
+          {{- if .Values.gdscan.client.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.gdscan.client.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: samples
+              mountPath: /tmp/scan
+            - name: client-tmp
+              mountPath: /tmp
+          resources:
+            {{- toYaml .Values.gdscan.client.resources | nindent 12 }}
+          ports:
+            - name: api
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: api
+            initialDelaySeconds: 15
+            periodSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: api
+            initialDelaySeconds: 15
+            periodSeconds: 5
+          env:
+            - name: HostOptions__ShutdownTimeout
+              value: {{ include "common.secondsToHHMMSS" .Values.gdscan.terminationGracePeriodSeconds | quote }}
+      terminationGracePeriodSeconds: {{ .Values.gdscan.terminationGracePeriodSeconds }}
+      {{- with .Values.gdscan.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.gdscan.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.gdscan.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        fsGroup: 1654
+{{- end }}
diff --git a/charts/vaas/templates/gdscan/horizontal-pod-autoscaler.yaml b/charts/vaas/templates/gdscan/horizontal-pod-autoscaler.yaml
@@ -0,0 +1,30 @@
+{{- if and .Values.gdscan.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "gdscan.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "gdscan.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    {{- if and (.Values.gdscan.persistence.enabled) (eq .Values.gdscan.persistence.accessMode "ReadWriteOnce" ) }}
+    kind: StatefulSet
+    {{- else }}
+    kind: Deployment
+    {{- end }}
+    name: {{ include "gdscan.fullname" . }}
+  minReplicas: {{ .Values.gdscan.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.gdscan.autoscaling.maxReplicas }}
+  {{- if .Values.gdscan.autoscaling.metrics }}
+  metrics: {{- toYaml .Values.gdscan.autoscaling.metrics | nindent 4 }}
+  {{- else }}
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.gdscan.autoscaling.targetCPU }}
+  {{- end }}
+{{- end }}
diff --git a/charts/vaas/templates/gdscan/ingress.yaml b/charts/vaas/templates/gdscan/ingress.yaml
@@ -0,0 +1,61 @@
+{{- if .Values.gdscan.ingress.enabled -}}
+{{- $fullName := include "gdscan.fullname" . -}}
+{{- $svcPort := .Values.gdscan.service.port -}}
+{{- if and .Values.gdscan.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.gdscan.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.gdscan.ingress.annotations "kubernetes.io/ingress.class" .Values.gdscan.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "gdscan.labels" . | nindent 4 }}
+  {{- with .Values.gdscan.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.gdscan.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.gdscan.ingress.className }}
+  {{- end }}
+  {{- if .Values.gdscan.ingress.tls }}
+  tls:
+    {{- range .Values.gdscan.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.gdscan.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}
diff --git a/charts/vaas/templates/gdscan/networkpolicy.yaml b/charts/vaas/templates/gdscan/networkpolicy.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.gdscan.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "gdscan.fullname" . }}
+  labels:
+    {{- include "gdscan.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "gdscan.selectorLabels" . | nindent 6 }}
+  policyTypes:
+  - Ingress
+  ingress:
+    - from:
+      ports:
+        - port: 8080 # Http
+{{- end }}
diff --git a/charts/vaas/templates/gdscan/persistent-volume-claim.yaml b/charts/vaas/templates/gdscan/persistent-volume-claim.yaml
@@ -0,0 +1,16 @@
+{{- if and (.Values.gdscan.persistence.enabled) (eq .Values.gdscan.persistence.accessMode "ReadWriteMany" ) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ include "gdscan.names.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: 
+    {{- include "gdscan.selectorLabels" . | nindent 4 }}
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: {{ .Values.gdscan.persistence.size | quote }}
+  {{- include "common.storage.class" (dict "persistence" .Values.gdscan.persistence "global" .Values.gdscan.global) | nindent 2 }}
+{{- end }}
diff --git a/charts/vaas/templates/gdscan/secret.yaml b/charts/vaas/templates/gdscan/secret.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.global.imagePullSecrets }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gdscanregistry
+  namespace: {{ .Release.Namespace }}
+data:
+  .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" .Values.global.secret.dockerconfigjson }}
+type: kubernetes.io/dockerconfigjson
+{{- end -}}