From 1bbeaecb7ddd666d554d182e589928321e1b67d1 Mon Sep 17 00:00:00 2001
From: unglaublicherdude
Date: Wed, 26 Jun 2024 15:50:53 +0200
Subject: [PATCH 1/5] fixes the secret handling you either have to configure a dockerjsonconfig or a global.imagepullsecrets but when you configure both, both are added to the imagepullsecrets in the deployments and stateful-sets
---
 .gitignore | 3 ++-
 charts/vaas/Chart.yaml | 2 +-
 charts/vaas/templates/gateway/_helpers.tpl | 11 +++++++----
 charts/vaas/templates/gateway/secret.yaml | 16 ++++++++++++++--
 charts/vaas/templates/gdscan/_helpers.tpl | 18 +++++++++++-------
 charts/vaas/templates/gdscan/secret.yaml | 16 ++++++++++++++--
 charts/vaas/values.yaml | 1 +
 7 files changed, 50 insertions(+), 17 deletions(-)
diff --git a/.gitignore b/.gitignore
index cfdd1fc..6ee74cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,4 +8,5 @@
 *.tgz
 .fleet/
 .output/
-Chart.lock
\ No newline at end of file
+Chart.lock
+tmp/
\ No newline at end of file
diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml
index 3b59611..66eaefc 100644
--- a/charts/vaas/Chart.yaml
+++ b/charts/vaas/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vaas
-version: 1.8.1
+version: 1.9.0
 description: Deployment of a Verdict-as-a-Service on-premise instance
 maintainers:
 - name: G DATA CyberDefense AG
diff --git a/charts/vaas/templates/gateway/_helpers.tpl b/charts/vaas/templates/gateway/_helpers.tpl
index ed1de22..416df9c 100644
--- a/charts/vaas/templates/gateway/_helpers.tpl
+++ b/charts/vaas/templates/gateway/_helpers.tpl
@@ -24,14 +24,17 @@ If release name contains chart name it will be used as a full name. {{- end }} {{- define "gateway.imagePullSecrets" -}} +{{- if or (gt (len .Values.global.imagePullSecrets) 0) ((.Values.global.secret).dockerconfigjson) -}} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} - {{- end }} - {{- if .Values.imagePullSecret }} - - name: {{ .Release.Name }}-registry-secret - {{- end }} + {{- end -}} + {{- if (.Values.global.secret).dockerconfigjson }} + - name: registry + {{- end -}} {{- end -}} +{{ end -}} + {{/* Create chart name and version as used by the chart label. diff --git a/charts/vaas/templates/gateway/secret.yaml b/charts/vaas/templates/gateway/secret.yaml index 0495eef..edf4b73 100644 --- a/charts/vaas/templates/gateway/secret.yaml +++ b/charts/vaas/templates/gateway/secret.yaml @@ -1,10 +1,22 @@ -{{- if .Values.global.imagePullSecrets }} +{{- if and (not .Values.global.imagePullSecrets) (not .Values.global.imagePullSecret)}} apiVersion: v1 kind: Secret metadata: name: registry namespace: {{ .Release.Namespace }} data: - .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" .Values.global.secret.dockerconfigjson }} + .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" (.Values.global.secret).dockerconfigjson }} type: kubernetes.io/dockerconfigjson +{{- end -}} +{{- if or (.Values.global.imagePullSecrets) (.Values.global.imagePullSecret)}} +{{- if (.Values.global.secret).dockerconfigjson }} +apiVersion: v1 +kind: Secret +metadata: + name: registry + namespace: {{ .Release.Namespace }} +data: + .dockerconfigjson: {{ .Values.global.secret.dockerconfigjson }} +type: kubernetes.io/dockerconfigjson +{{- end -}} {{- end -}} \ No newline at end of file diff --git a/charts/vaas/templates/gdscan/_helpers.tpl b/charts/vaas/templates/gdscan/_helpers.tpl index f980da0..196a61b 100644 --- a/charts/vaas/templates/gdscan/_helpers.tpl 
+++ b/charts/vaas/templates/gdscan/_helpers.tpl @@ -43,15 +43,19 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} {{- define "gdscan.imagePullSecrets" -}} - -{{- $imagePullSecrets := concat (((.Values.global | default dict).imagePullSecrets)| default list) (.Values.gdscan.imagePullSecrets | default list) -}} -{{- if gt (len $imagePullSecrets) 0 -}} +{{- if or (gt (len .Values.global.imagePullSecrets) 0) (gt (len .Values.gdscan.imagePullSecrets) 0) ((.Values.global.secret).dockerconfigjson) -}} imagePullSecrets: - {{- range $imagePullSecrets }} + {{- range .Values.global.imagePullSecrets }} - name: {{ . }} - {{- end }} -{{- end }} -{{- end }} + {{- end -}} + {{- range .Values.gdscan.imagePullSecrets }} + - name: {{ . }} + {{- end -}} + {{- if (.Values.global.secret).dockerconfigjson }} + - name: gdscanregistry + {{- end -}} +{{- end -}} +{{ end -}} {{/* Selector labels diff --git a/charts/vaas/templates/gdscan/secret.yaml b/charts/vaas/templates/gdscan/secret.yaml index 03d7f30..5d6413f 100644 --- a/charts/vaas/templates/gdscan/secret.yaml +++ b/charts/vaas/templates/gdscan/secret.yaml 
@@ -1,10 +1,22 @@ -{{- if .Values.global.imagePullSecrets }} +{{- if and (not .Values.global.imagePullSecrets) (not .Values.global.imagePullSecret) (not .Values.gdscan.imagePullSecret)}} apiVersion: v1 kind: Secret metadata: name: gdscanregistry namespace: {{ .Release.Namespace }} data: - .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" .Values.global.secret.dockerconfigjson }} + .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" (.Values.global.secret).dockerconfigjson }} type: kubernetes.io/dockerconfigjson +{{- end -}} +{{- if or (.Values.global.imagePullSecrets) (.Values.global.imagePullSecret)}} +{{- if (.Values.global.secret).dockerconfigjson }} +apiVersion: v1 +kind: Secret +metadata: + name: gdscanregistry + namespace: {{ .Release.Namespace }} +data: + .dockerconfigjson: {{ .Values.global.secret.dockerconfigjson }} +type: kubernetes.io/dockerconfigjson +{{- end -}} {{- end -}} \ No newline at end of file diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml index 64119e6..724f606 100644 --- a/charts/vaas/values.yaml +++ b/charts/vaas/values.yaml @@ -147,6 +147,7 @@ gateway: gdscanUrl: "http://gdscan:8080/scan/body" gdscan: + imagePullSecrets: [] replicaCount: 1 deploymentStrategy: "RollingUpdate" client: From 8cc090ee9650bcf0030d19cf3b08694f2ea59784 Mon Sep 17 00:00:00 2001 
From: unglaublicherdude
Date: Fri, 28 Jun 2024 10:10:40 +0200
Subject: [PATCH 2/5] refactors the secret handling to streamline it with the mini-identity-provider
---
 charts/vaas/templates/gateway/_helpers.tpl | 18 ++++++++----
 charts/vaas/templates/gateway/secret.yaml | 22 ---------------
 charts/vaas/templates/gateway/secrets.yaml | 33 ++++++++++++++++++++++
 charts/vaas/templates/gdscan/_helpers.tpl | 21 ++++++++------
 charts/vaas/templates/gdscan/secret.yaml | 22 ---------------
 charts/vaas/templates/gdscan/secrets.yaml | 33 ++++++++++++++++++++++
 charts/vaas/values.yaml | 7 ++++-
 7 files changed, 98 insertions(+), 58 deletions(-)
 delete mode 100644 charts/vaas/templates/gateway/secret.yaml
 create mode 100644 charts/vaas/templates/gateway/secrets.yaml
 delete mode 100644 charts/vaas/templates/gdscan/secret.yaml
 create mode 100644 charts/vaas/templates/gdscan/secrets.yaml
diff --git a/charts/vaas/templates/gateway/_helpers.tpl b/charts/vaas/templates/gateway/_helpers.tpl
index 416df9c..b1a6817 100644
--- a/charts/vaas/templates/gateway/_helpers.tpl
+++ b/charts/vaas/templates/gateway/_helpers.tpl
@@ -24,14 +24,22 @@ If release name contains chart name it will be used as a full name. {{- end }} {{- define "gateway.imagePullSecrets" -}} -{{- if or (gt (len .Values.global.imagePullSecrets) 0) ((.Values.global.secret).dockerconfigjson) -}} +{{- if or (gt (len .Values.global.imagePullSecrets) 0) (.Values.imagePullSecret) (((.Values.global).secret).imagePullSecret) (((.Values.global).secret).dockerconfigjson) }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} - {{- end -}} - {{- if (.Values.global.secret).dockerconfigjson }} - - name: registry - {{- end -}} + {{- end }} + {{- if .Values.imagePullSecret }} + - name: {{ include "gateway.fullname" . }}-image-pull-secret + {{- end }} + {{- if ((.Values.global).secret).imagePullSecret }} + - name: {{ include "gateway.fullname" . }}-global-image-pull-secret + {{- end }} + {{- if ((.Values.global).secret).dockerconfigjson }} + - name: {{ include "gateway.fullname" . }}-global-dockerconfigjson + {{- end }} +{{- else -}} +{{- fail "You have to set at least one imagePullSecret" }} {{- end -}} {{ end -}} diff --git a/charts/vaas/templates/gateway/secret.yaml b/charts/vaas/templates/gateway/secret.yaml deleted file mode 100644 index edf4b73..0000000 --- a/charts/vaas/templates/gateway/secret.yaml +++ /dev/null 
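Review bot: `(gt (len .Values.global.imagePullSecrets) 0)` in the new `if` is the only operand that is not nil-tolerant: Go's `len` errors on a nil value, so a values file that sets `global.imagePullSecrets: null` appears to abort rendering with a template error instead of reaching the `fail` message this hunk adds; `(gt (len (default list .Values.global.imagePullSecrets)) 0)` keeps the check total. The same operand is in the gdscan helper hunk below. `.Values.imagePullSecret` is a chart-level key that this helper and the gdscan helper both read, so it behaves like a global value, while the README hunk in patch 4 documents it as `global.imagePullSecret`, a key no template reads; one of the two spellings needs to change.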
@@ -1,22 +0,0 @@
-{{- if and (not .Values.global.imagePullSecrets) (not .Values.global.imagePullSecret)}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: registry
- namespace: {{ .Release.Namespace }}
-data:
- .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" (.Values.global.secret).dockerconfigjson }}
-type: kubernetes.io/dockerconfigjson
-{{- end -}}
-{{- if or (.Values.global.imagePullSecrets) (.Values.global.imagePullSecret)}}
-{{- if (.Values.global.secret).dockerconfigjson }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: registry
- namespace: {{ .Release.Namespace }}
-data:
- .dockerconfigjson: {{ .Values.global.secret.dockerconfigjson }}
-type: kubernetes.io/dockerconfigjson
-{{- end -}}
-{{- end -}}
\ No newline at end of file
diff --git a/charts/vaas/templates/gateway/secrets.yaml b/charts/vaas/templates/gateway/secrets.yaml
new file mode 100644
index 0000000..3f2e3e0
--- /dev/null
+++ b/charts/vaas/templates/gateway/secrets.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.imagePullSecret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "gateway.fullname" . }}-image-pull-secret
+ namespace: {{ .Release.Namespace }}
+data:
+ .dockerconfigjson: {{ .Values.imagePullSecret }}
+type: kubernetes.io/dockerconfigjson
+{{- end }}
+{{- if ((.Values.global).secret).imagePullSecret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "gateway.fullname" . }}-global-image-pull-secret
+ namespace: {{ .Release.Namespace }}
+data:
+ .dockerconfigjson: {{ .Values.global.secret.imagePullSecret }}
+type: kubernetes.io/dockerconfigjson
+{{- end }}
+{{- if ((.Values.global).secret).dockerconfigjson }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "gateway.fullname" . }}-global-dockerconfigjson
+ namespace: {{ .Release.Namespace }}
+data:
+ .dockerconfigjson: {{ .Values.global.secret.dockerconfigjson }}
+type: kubernetes.io/dockerconfigjson
+{{- end }}
\ No newline at end of file
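Review bot: The three `.dockerconfigjson:` lines in the new secrets.yaml emit the user-supplied value as a bare scalar, so a base64 string that happens to look like a number or boolean is retyped by the YAML parser and then rejected by the API server as invalid base64; `.dockerconfigjson: {{ .Values.imagePullSecret | quote }}` (and `| quote` on the two `global.secret` lines) keeps it a string. Each of the three blocks renders a Secret from one value, and gdscan/secrets.yaml in this patch renders the same three values again under gdscan names, so every registry credential ends up stored in two Secret objects in the namespace; rendering the two `global.secret` ones once and referencing them from both helpers would halve what a read grant on Secrets exposes. The same quoting point applies to gdscan/secrets.yaml.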
diff --git a/charts/vaas/templates/gdscan/_helpers.tpl b/charts/vaas/templates/gdscan/_helpers.tpl index 196a61b..49200da 100644 --- a/charts/vaas/templates/gdscan/_helpers.tpl +++ b/charts/vaas/templates/gdscan/_helpers.tpl @@ -43,17 +43,22 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} {{- define "gdscan.imagePullSecrets" -}} -{{- if or (gt (len .Values.global.imagePullSecrets) 0) (gt (len .Values.gdscan.imagePullSecrets) 0) ((.Values.global.secret).dockerconfigjson) -}} +{{- if or (gt (len .Values.global.imagePullSecrets) 0) (.Values.imagePullSecret) (((.Values.global).secret).imagePullSecret) (((.Values.global).secret).dockerconfigjson) }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} - {{- end -}} - {{- range .Values.gdscan.imagePullSecrets }} - - name: {{ . }} - {{- end -}} - {{- if (.Values.global.secret).dockerconfigjson }} - - name: gdscanregistry - {{- end -}} + {{- end }} + {{- if .Values.imagePullSecret }} + - name: {{ include "gdscan.fullname" . }}-image-pull-secret + {{- end }} + {{- if ((.Values.global).secret).imagePullSecret }} + - name: {{ include "gdscan.fullname" . }}-global-image-pull-secret + {{- end }} + {{- if ((.Values.global).secret).dockerconfigjson }} + - name: {{ include "gdscan.fullname" . }}-global-dockerconfigjson + {{- end }} +{{- else -}} +{{- fail "You have to set at least one imagePullSecret" }} {{- end -}} {{ end -}} diff --git a/charts/vaas/templates/gdscan/secret.yaml b/charts/vaas/templates/gdscan/secret.yaml deleted file mode 100644 index 5d6413f..0000000 --- a/charts/vaas/templates/gdscan/secret.yaml +++ /dev/null 
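Review bot: The rewritten condition and body no longer read `.Values.gdscan.imagePullSecrets`, but the `gdscan: imagePullSecrets: []` default that patch 1 added to values.yaml is not touched by this patch's values hunk, so a user who lists secret names there gets neither an error nor an `imagePullSecrets` entry. Either restore the `{{- range .Values.gdscan.imagePullSecrets }}` loop or drop the key from values.yaml so the declared values match what is rendered. The `len .Values.global.imagePullSecrets` operand shares the nil-handling issue raised on the gateway helper hunk.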
@@ -1,22 +0,0 @@
-{{- if and (not .Values.global.imagePullSecrets) (not .Values.global.imagePullSecret) (not .Values.gdscan.imagePullSecret)}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: gdscanregistry
- namespace: {{ .Release.Namespace }}
-data:
- .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" (.Values.global.secret).dockerconfigjson }}
-type: kubernetes.io/dockerconfigjson
-{{- end -}}
-{{- if or (.Values.global.imagePullSecrets) (.Values.global.imagePullSecret)}}
-{{- if (.Values.global.secret).dockerconfigjson }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: gdscanregistry
- namespace: {{ .Release.Namespace }}
-data:
- .dockerconfigjson: {{ .Values.global.secret.dockerconfigjson }}
-type: kubernetes.io/dockerconfigjson
-{{- end -}}
-{{- end -}}
\ No newline at end of file
diff --git a/charts/vaas/templates/gdscan/secrets.yaml b/charts/vaas/templates/gdscan/secrets.yaml
new file mode 100644
index 0000000..a21a266
--- /dev/null
+++ b/charts/vaas/templates/gdscan/secrets.yaml
@@ -0,0 +1,33 @@ +{{- if .Values.imagePullSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gdscan.fullname" . }}-image-pull-secret + namespace: {{ .Release.Namespace }} +data: + .dockerconfigjson: {{ .Values.imagePullSecret }} +type: kubernetes.io/dockerconfigjson +{{- end }} +{{- if ((.Values.global).secret).imagePullSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gdscan.fullname" . }}-global-image-pull-secret + namespace: {{ .Release.Namespace }} +data: + .dockerconfigjson: {{ .Values.global.secret.imagePullSecret }} +type: kubernetes.io/dockerconfigjson +{{- end }} +{{- if ((.Values.global).secret).dockerconfigjson }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gdscan.fullname" . }}-global-dockerconfigjson + namespace: {{ .Release.Namespace }} +data: + .dockerconfigjson: {{ .Values.global.secret.dockerconfigjson }} +type: kubernetes.io/dockerconfigjson +{{- end }} \ No newline at end of file diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml index 724f606..10af2fe 100644 --- a/charts/vaas/values.yaml +++ b/charts/vaas/values.yaml @@ -1,6 +1,11 @@ global: - imagePullSecrets: [] + imagePullSecrets: + - imagePullSecrets + secret: + dockerconfigjson: "e30K" + imagePullSecret: "e30K" +imagePullSecret: "e30K" mini-identity-provider: issuer: "http://vaas/auth" enabled: true From d7b9fdd4394374b43c3d452ab09688b4cf1a1503 Mon Sep 17 00:00:00 2001 From: unglaublicherdude Date: Fri, 28 Jun 2024 10:11:57 +0200 Subject: [PATCH 3/5] adds the DNS Port to the networkPolicy of the updater --- charts/vaas/templates/gdscan/update.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/vaas/templates/gdscan/update.yaml b/charts/vaas/templates/gdscan/update.yaml index 488e365..09d898d 100644 --- a/charts/vaas/templates/gdscan/update.yaml +++ b/charts/vaas/templates/gdscan/update.yaml 
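Review bot: The new values.yaml defaults switch every secret source on at once: `global.imagePullSecrets` now lists a name, `imagePullSecrets`, that nothing in the chart creates, and `global.secret.dockerconfigjson`, `global.secret.imagePullSecret` and the top-level `imagePullSecret` all default to `"e30K"`, which is base64 for `{}`. With these defaults a plain install renders three Secrets per component holding an empty Docker config, and the `fail "You have to set at least one imagePullSecret"` branch added to both helpers in this patch can never be reached, so a missing credential surfaces as a pull failure at pod start instead of a render-time error. Ship the keys empty (`imagePullSecrets: []`, `secret: {}`, `imagePullSecret: ""`) so the `fail` guard is the validation path, and keep placeholder values in a CI-only values file if linting needs them.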
@@ -115,6 +115,7 @@ spec: - ports: - port: {{ .Values.gdscan.autoUpdate.networkPolicy.k8sApiPort }} - port: 443 - - port: 53 # DNS + - port: 53 + protocol: UDP {{- end }} {{- end}} From 4136a5b74896a8891d421df4ce84d69ad75ea6f8 Mon Sep 17 00:00:00 2001 From: unglaublicherdude Date: Fri, 28 Jun 2024 10:21:54 +0200 Subject: [PATCH 4/5] adjust config --- README.md | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 204b1ee..d8c659a 100644 --- a/README.md +++ b/README.md @@ -9,14 +9,21 @@ Vaas helm is a chart for deploying Verdict-as-a-Service on-premise. * Create a minimal values.yaml file. - To access the VaaS docker containers, the imagePullSecret has to be set in the `global.secret.dockerconfigjson` variable. +To access the VaaS docker containers, you have to provide at least one imagePullSecret. + +To set the image pull secret, you need to create a custom values.yaml file that includes the necessary configurations for image pull secrets. Here's how you can do it: + + 1. **Direct Image Pull Secrets**: If you have a direct image pull secret (a base64 encoded JSON containing Docker auth config), you can set it directly in the values.yaml file under either of these keys + * `global.secret.dockerconfigjson` + * `global.secret.imagePullSecret` + * `global.imagePullSecret` ```yaml global: - imagePullSecrets: - - registry secret: dockerconfigjson: "BASE64_ENCODED_JSON_CONTAINING_DOCKER_AUTH_CONFIG" + imagePullSecret: "BASE64_ENCODED_JSON_CONTAINING_DOCKER_AUTH_CONFIG" +imagePullSecret: "BASE64_ENCODED_JSON_CONTAINING_DOCKER_AUTH_CONFIG" ``` You can generate this value with a bash command like this 
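Review bot: A NetworkPolicy port entry without `protocol` defaults to TCP, so the removed `- port: 53` allowed only TCP/53 and the replacement allows only UDP/53; DNS still falls back to TCP for truncated answers (responses over 512 bytes, common with large TXT or SRV records) and some cluster resolvers use TCP by default, so the updater can now fail on exactly those lookups. Keep both entries, e.g. add `- port: 53` / `  protocol: TCP` after the UDP one, and restore the `# DNS` comment the rewrite dropped so the port is still explained. The enclosing egress rule and its `{{- if }}` guards start before the hunk.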
@@ -32,6 +39,15 @@ echo '{ You need to substitute the username and password with the credentials we provided to you. + 2. **Global Image Pull Secrets**: You can specify a list of predeployed image pull secrets under the global.imagePullSecrets key. These are the names of Kubernetes secrets that contain the registry credentials. + +```yaml +global: + imagePullSecrets: + - my-image-pull-secret +``` + + * Install Verdict-as-a-Service: ```bash From 84813439c55dfdabd63cb0611015f10c107e48cb Mon Sep 17 00:00:00 2001 From: unglaublicherdude Date: Fri, 28 Jun 2024 10:41:10 +0200 Subject: [PATCH 5/5] also update the mini-identity-provider dependency --- charts/vaas/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml index 66eaefc..65fa52e 100644 --- a/charts/vaas/Chart.yaml +++ b/charts/vaas/Chart.yaml @@ -12,6 +12,6 @@ dependencies: condition: redis.enabled repository: oci://registry-1.docker.io/bitnamicharts - name: mini-identity-provider - version: 0.4.0 + version: 0.5.0 condition: mini-identity-provider.enabled repository: oci://ghcr.io/gdatasoftwareag