From b2b709543909cbe672fe69a1f7dcc68e68ecfc4d Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 19:27:16 +0200 Subject: [PATCH 01/38] cyberchef: add initial chart --- charts/cyberchef/.helmignore | 23 +++++++++++++ charts/cyberchef/Chart.yaml | 3 ++ charts/cyberchef/README.md | 16 +++++++++ charts/cyberchef/templates/_helpers.tpl | 31 ++++++++++++++++++ charts/cyberchef/templates/deployment.yaml | 29 +++++++++++++++++ charts/cyberchef/templates/ingress.yaml | 28 ++++++++++++++++ charts/cyberchef/templates/service.yaml | 15 +++++++++ charts/cyberchef/values.yaml | 38 ++++++++++++++++++++++ 8 files changed, 183 insertions(+) create mode 100644 charts/cyberchef/.helmignore create mode 100644 charts/cyberchef/Chart.yaml create mode 100644 charts/cyberchef/README.md create mode 100644 charts/cyberchef/templates/_helpers.tpl create mode 100644 charts/cyberchef/templates/deployment.yaml create mode 100644 charts/cyberchef/templates/ingress.yaml create mode 100644 charts/cyberchef/templates/service.yaml create mode 100644 charts/cyberchef/values.yaml diff --git a/charts/cyberchef/.helmignore b/charts/cyberchef/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/cyberchef/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/cyberchef/Chart.yaml b/charts/cyberchef/Chart.yaml new file mode 100644 index 0000000..2d4c014 --- /dev/null +++ b/charts/cyberchef/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: cyberchef +version: 1.0.0 diff --git a/charts/cyberchef/README.md b/charts/cyberchef/README.md new file mode 100644 index 0000000..f922225 --- /dev/null 
+++ b/charts/cyberchef/README.md @@ -0,0 +1,16 @@ +# Cyberchef + +## How to use + +Add repository by running: + +```bash +helm repo add k8s-at-our-home https://k8s-at-our-homes.github.io/helm-charts/ +helm install infro k8s-at-our-home/cyberchef +``` + +Or get the chart from ghcr.io: + +```bash +helm install infro oci://ghcr.io/k8s-at-our-homes/helm-charts/cyberchef +``` diff --git a/charts/cyberchef/templates/_helpers.tpl b/charts/cyberchef/templates/_helpers.tpl new file mode 100644 index 0000000..f383914 --- /dev/null +++ b/charts/cyberchef/templates/_helpers.tpl @@ -0,0 +1,31 @@ +{{- define "common.name" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "common.fullname" -}} +{{- if contains .Chart.Name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "chartName" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "common.selectorLabels" -}} +app.kubernetes.io/name: {{ template "common.name" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/part-of: "cyberchef +{{- end -}} + +{{- define "common.labels" -}} +app.kubernetes.io/name: {{ template "common.name" . }} +helm.sh/chart: {{ include "chartName" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/version: {{ .Values.image.tag | quote }} +app.kubernetes.io/part-of: "cyberchef" +{{- end -}} diff --git a/charts/cyberchef/templates/deployment.yaml b/charts/cyberchef/templates/deployment.yaml new file mode 100644 index 0000000..f60e6c5 --- /dev/null +++ b/charts/cyberchef/templates/deployment.yaml 
@@ -0,0 +1,29 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "common.fullname" . }} + labels: + {{- include "common.labels" . | nindent 4 }} +spec: + revisionHistoryLimit: 0 + replicas: {{ .Values.replicas }} + selector: + matchLabels: + {{- include "common.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "common.selectorLabels" . | nindent 8 }} + spec: + nodeSelector: {{ .Values.nodeSelector | toYaml | nindent 8 }} + securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: core + image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + resources: {{ toYaml .Values.resources | nindent 12 }} + securityContext: {{ toYaml .Values.securityContext | nindent 12 }} diff --git a/charts/cyberchef/templates/ingress.yaml b/charts/cyberchef/templates/ingress.yaml new file mode 100644 index 0000000..19f0bce --- /dev/null +++ b/charts/cyberchef/templates/ingress.yaml @@ -0,0 +1,28 @@ +{{ if .Values.ingress.enabled }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ template "common.fullname" . }} + annotations: {{ toYaml .Values.ingress.annotations | nindent 4 }} + labels: + {{- include "common.labels" . | nindent 4 }} +spec: + ingressClassName: {{ .Values.ingress.class }} + rules: + - host: {{ .Values.ingress.domain }} + http: + paths: + - backend: + service: + name: {{ template "common.fullname" . }} + port: + number: 8080 + path: / + pathType: Prefix + {{- if .Values.ingress.tls.enabled }} + tls: + - hosts: + - {{ .Values.ingress.domain }} + secretName: {{ .Values.ingress.tls.secretName }} + {{- end }} +{{ end }} diff --git a/charts/cyberchef/templates/service.yaml b/charts/cyberchef/templates/service.yaml new file mode 100644 index 0000000..b0ed034 --- /dev/null +++ b/charts/cyberchef/templates/service.yaml 
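Review bot: The `core` container in deployment.yaml has no readiness or liveness probe, so a Pod whose web server never comes up still receives Service traffic and a rollout cannot tell a broken image from a healthy one. A minimal `readinessProbe` doing an `httpGet` on `path: /` against the named port `http`, mirrored as `livenessProbe`, would close that gap. The image reference `"{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"` also gives operators no way to pin by digest; an optional `.Values.image.digest` appended as `@{{ . }}` when set would allow supply-chain pinning without forking the chart.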
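Review bot: `secretName: {{ .Values.ingress.tls.secretName }}` renders as a bare `secretName:` (null) with the chart's own defaults, because values.yaml ships `tls.enabled: true` with an empty `secretName`, and most controllers then silently serve their default certificate for `cyberchef.example.com`. Use `{{ required "ingress.tls.secretName must be set when ingress.tls.enabled is true" .Values.ingress.tls.secretName }}` so the install fails loudly instead, and guard `ingress.domain` the same way. `ingressClassName: {{ .Values.ingress.class }}` likewise emits a null when `class` is empty; `{{- with .Values.ingress.class }}ingressClassName: {{ . }}{{- end }}` omits the field instead. The opening `{{ if .Values.ingress.enabled }}` without `-` also leaves an empty first line in the rendered manifest; `{{- if ... }}` is the conventional form.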
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.fullname" . }} + labels: + {{- include "common.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - name: http + targetPort: 8080 + port: 8080 + protocol: TCP + selector: + {{- include "common.selectorLabels" . | nindent 4 }} diff --git a/charts/cyberchef/values.yaml b/charts/cyberchef/values.yaml new file mode 100644 index 0000000..66fdf87 --- /dev/null +++ b/charts/cyberchef/values.yaml @@ -0,0 +1,38 @@ +replicas: 1 + +nodeSelector: {} + +resources: {} +# requests: +# memory: 512Mi +# cpu: 100m +# limits: +# memory: 2048Mi + +podSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + runAsNonRoot: true + +securityContext: + capabilities: + drop: [ "ALL" ] + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + +image: + registry: ghcr.io + repository: gchq/cyberchef + tag: 10.18.9 + pullPolicy: IfNotPresent + +ingress: + enabled: true + domain: cyberchef.example.com + class: + annotations: {} + tls: + enabled: true + secretName: From 683a31098cc2b6576a8852afc75aa1f8cb7d7a2c Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 19:56:21 +0200 Subject: [PATCH 02/38] remove infro --- charts/cyberchef/README.md | 4 ++-- charts/cyberchef/templates/deployment.yaml | 9 +++------ 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/charts/cyberchef/README.md b/charts/cyberchef/README.md index f922225..5aab380 100644 --- a/charts/cyberchef/README.md +++ b/charts/cyberchef/README.md @@ -6,11 +6,11 @@ Add repository by running: ```bash helm repo add k8s-at-our-home https://k8s-at-our-homes.github.io/helm-charts/ -helm install infro k8s-at-our-home/cyberchef +helm install cyberchef k8s-at-our-home/cyberchef ``` Or get the chart from ghcr.io: ```bash -helm install infro oci://ghcr.io/k8s-at-our-homes/helm-charts/cyberchef +helm install cyberchef oci://ghcr.io/k8s-at-our-homes/helm-charts/cyberchef ``` 
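Review bot: values.yaml enables the Ingress and TLS by default (`ingress.enabled: true`, `tls.enabled: true`) with the placeholder host `cyberchef.example.com` and bare empty `class:`/`secretName:`, so a plain `helm install` publishes a route to a placeholder name; `enabled: false` is the safer default, with the empty values written explicitly as `class: ""` and `secretName: ""`. The security contexts are otherwise a solid baseline but lack a seccomp profile; add `seccompProfile:` / `  type: RuntimeDefault` under `podSecurityContext` so the restricted Pod Security Standard is satisfied. `tag: 10.18.9` happens to parse as a string, but quoting it (`tag: "10.18.9"`) protects against a future two-component tag being read as a float.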
diff --git a/charts/cyberchef/templates/deployment.yaml b/charts/cyberchef/templates/deployment.yaml index f60e6c5..f2f4126 100644 --- a/charts/cyberchef/templates/deployment.yaml +++ b/charts/cyberchef/templates/deployment.yaml @@ -2,18 +2,15 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "common.fullname" . }} - labels: - {{- include "common.labels" . | nindent 4 }} + labels: {{- include "common.labels" . | nindent 4 }} spec: revisionHistoryLimit: 0 replicas: {{ .Values.replicas }} selector: - matchLabels: - {{- include "common.selectorLabels" . | nindent 6 }} + matchLabels: {{- include "common.selectorLabels" . | nindent 6 }} template: metadata: - labels: - {{- include "common.selectorLabels" . | nindent 8 }} + labels: {{- include "common.selectorLabels" . | nindent 8 }} spec: nodeSelector: {{ .Values.nodeSelector | toYaml | nindent 8 }} securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }} From 43074de008f7ffa5309ab438192383a5f90eb01c Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 20:00:40 +0200 Subject: [PATCH 03/38] fix typo --- charts/cyberchef/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cyberchef/templates/_helpers.tpl b/charts/cyberchef/templates/_helpers.tpl index f383914..5c5b626 100644 --- a/charts/cyberchef/templates/_helpers.tpl +++ b/charts/cyberchef/templates/_helpers.tpl @@ -18,7 +18,7 @@ app.kubernetes.io/name: {{ template "common.name" . }} app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/part-of: "cyberchef +app.kubernetes.io/part-of: "cyberchef" {{- end -}} {{- define "common.labels" -}} From 8cac35bbe54e4a0a25fc9a443e686d6c135cac6c Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 20:37:16 +0200 Subject: [PATCH 04/38] add check if exists in main branch --- .github/workflows/build.yaml | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index dd0411e..8e4f7f1 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -66,6 +66,12 @@ jobs: - name: Check for chart version change run: | + if git cat-file -e origin/main:charts/${{ matrix.chart }}/Chart.yaml >/dev/null; then + echo "Chart exists in main branch" + else + echo "Chart does not exist in main branch" + exit 1 + fi old_version=$(git show origin/main:charts/${{ matrix.chart }}/Chart.yaml | yq eval ".version") new_version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml) if [ "$old_version" == "$new_version" ]; then From 7fd14049d38a0c707dc6a469e1792a896bb34e5c Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 20:38:05 +0200 Subject: [PATCH 05/38] add check if exists in main branch --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 8e4f7f1..161601b 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -70,7 +70,7 @@ jobs: echo "Chart exists in main branch" else echo "Chart does not exist in main branch" - exit 1 + exit 0 fi old_version=$(git show origin/main:charts/${{ matrix.chart }}/Chart.yaml | yq eval ".version") new_version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml) From e0b0269bc1681af4ff2920095a285ef87736c344 Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 22:33:19 +0200 Subject: [PATCH 06/38] add helm package --- .github/workflows/build.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 161601b..4634cf4 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
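Review bot: `${{ matrix.chart }}` is substituted into the `run:` script text before bash parses it, so a chart directory whose name contains shell metacharacters becomes command execution inside the job; the matrix is presumably built from repository paths in the `create-matrix` job (outside this hunk), and on `pull_request` those paths are chosen by the PR author. Pass the value through the environment instead — `env:` / `  CHART: ${{ matrix.chart }}` on the step and `"$CHART"` in the script — so it is data rather than code. The same pattern recurs in every revision of the "Push chart to GHCR" step in patches 06–17, where `${{ github.head_ref }}` (a branch name chosen by the PR author) is also interpolated into the script; `"$GITHUB_HEAD_REF"` is available as a default environment variable for that. `${{ matrix.imageName }}` inside `run:` in the image-build workflow of patch 26 has the same shape.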
@@ -84,4 +84,5 @@ jobs: version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml) yq e -i '.version = "env(version)-${{ github.base_ref }}.${{ github.run_id }}"' charts/${{ matrix.chart }}/Chart.yaml echo "Pushing chart ${{ matrix.chart }} with version $version-${{ github.head_ref }}.${GITHUB_SHA::7}" - helm push "${{ matrix.chart }}" "oci://ghcr.io/${{ github.repository }}" + helm package "${{ matrix.chart }}" + helm push "${{ matrix.chart }}.tgz" "oci://ghcr.io/${{ github.repository }}" From 42519b2916daaf832e657b6c86a3269e465a7e12 Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 22:34:40 +0200 Subject: [PATCH 07/38] add debug --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 4634cf4..8bd6ab6 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -85,4 +85,4 @@ jobs: yq e -i '.version = "env(version)-${{ github.base_ref }}.${{ github.run_id }}"' charts/${{ matrix.chart }}/Chart.yaml echo "Pushing chart ${{ matrix.chart }} with version $version-${{ github.head_ref }}.${GITHUB_SHA::7}" helm package "${{ matrix.chart }}" - helm push "${{ matrix.chart }}.tgz" "oci://ghcr.io/${{ github.repository }}" + helm push "${{ matrix.chart }}.tgz" "oci://ghcr.io/${{ github.repository }}" --debug From 103d8bbeac41fa2fe0869ee236abc85e9c1d4c1e Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 22:35:40 +0200 Subject: [PATCH 08/38] add debug --- .github/workflows/build.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 8bd6ab6..d87f404 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -84,5 +84,4 @@ jobs: version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml) yq e -i '.version = "env(version)-${{ github.base_ref }}.${{ github.run_id }}"' charts/${{ matrix.chart }}/Chart.yaml echo "Pushing chart ${{ matrix.chart }} with version $version-${{ github.head_ref }}.${GITHUB_SHA::7}" - helm package "${{ matrix.chart }}" - helm push "${{ matrix.chart }}.tgz" "oci://ghcr.io/${{ github.repository }}" --debug + helm push "${{ matrix.chart }}" "oci://ghcr.io/${{ github.repository }}" --debug From ca27ef315ed1e2b12a21e712fabeeb03be7da0c6 Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 22:36:30 +0200 Subject: [PATCH 09/38] add debug --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index d87f404..cecd09f 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -84,4 +84,4 @@ jobs: version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml) yq e -i '.version = "env(version)-${{ github.base_ref }}.${{ github.run_id }}"' charts/${{ matrix.chart }}/Chart.yaml echo "Pushing chart ${{ matrix.chart }} with version $version-${{ github.head_ref }}.${GITHUB_SHA::7}" - helm push "${{ matrix.chart }}" "oci://ghcr.io/${{ github.repository }}" --debug + helm push "charts/${{ matrix.chart }}" "oci://ghcr.io/${{ github.repository }}" --debug From 60b73b388103b9a7116537db3e10a9152877dd1e Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 22:37:28 +0200 Subject: [PATCH 10/38] add debug --- .github/workflows/build.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index cecd09f..3a41ba1 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -84,4 +84,5 @@ jobs: version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml) yq e -i '.version = "env(version)-${{ github.base_ref }}.${{ github.run_id }}"' charts/${{ matrix.chart }}/Chart.yaml echo "Pushing chart ${{ matrix.chart }} with version $version-${{ github.head_ref }}.${GITHUB_SHA::7}" + help package charts/${{ matrix.chart }} helm push "charts/${{ matrix.chart }}" "oci://ghcr.io/${{ github.repository }}" --debug From 7c68a819718ae6702ef695afcab87e5fcab34c15 Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 22:40:35 +0200 Subject: [PATCH 11/38] add debug --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 3a41ba1..9738371 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -85,4 +85,4 @@ jobs: yq e -i '.version = "env(version)-${{ github.base_ref }}.${{ github.run_id }}"' charts/${{ matrix.chart }}/Chart.yaml echo "Pushing chart ${{ matrix.chart }} with version $version-${{ github.head_ref }}.${GITHUB_SHA::7}" help package charts/${{ matrix.chart }} - helm push "charts/${{ matrix.chart }}" "oci://ghcr.io/${{ github.repository }}" --debug + helm push charts/${{ matrix.chart }}/${{ matrix.chart }}-$version-${{ github.head_ref }}.${GITHUB_SHA::7} "oci://ghcr.io/${{ github.repository }}" From 98dcfa815540a5fdd21d1328a26aa4d85e835ee7 Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 22:41:21 +0200 Subject: [PATCH 12/38] replace help with helm --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 9738371..0c8c2c6 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -84,5 +84,5 @@ jobs: version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml) yq e -i '.version = "env(version)-${{ github.base_ref }}.${{ github.run_id }}"' charts/${{ matrix.chart }}/Chart.yaml echo "Pushing chart ${{ matrix.chart }} with version $version-${{ github.head_ref }}.${GITHUB_SHA::7}" - help package charts/${{ matrix.chart }} + helm package charts/${{ matrix.chart }} helm push charts/${{ matrix.chart }}/${{ matrix.chart }}-$version-${{ github.head_ref }}.${GITHUB_SHA::7} "oci://ghcr.io/${{ github.repository }}" From df7f7f559dd78e07d57e40b2f5c6f436ee69e3cb Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 22:42:55 +0200 Subject: [PATCH 13/38] help --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 0c8c2c6..cf70283 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -85,4 +85,4 @@ jobs: yq e -i '.version = "env(version)-${{ github.base_ref }}.${{ github.run_id }}"' charts/${{ matrix.chart }}/Chart.yaml echo "Pushing chart ${{ matrix.chart }} with version $version-${{ github.head_ref }}.${GITHUB_SHA::7}" helm package charts/${{ matrix.chart }} - helm push charts/${{ matrix.chart }}/${{ matrix.chart }}-$version-${{ github.head_ref }}.${GITHUB_SHA::7} "oci://ghcr.io/${{ github.repository }}" + helm push "charts/${{ matrix.chart }}/${{ matrix.chart }}-$(version)-${{ github.head_ref }}.${GITHUB_SHA::7}" "oci://ghcr.io/${{ github.repository }}" From 5e314b1d3e3e7786011d5d0515bfb6ddf9fe1a8f Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 22:44:36 +0200 Subject: [PATCH 14/38] help --- .github/workflows/build.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index cf70283..d32a315 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -81,8 +81,7 @@ jobs: - name: Push chart to GHCR run: | - version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml) - yq e -i '.version = "env(version)-${{ github.base_ref }}.${{ github.run_id }}"' charts/${{ matrix.chart }}/Chart.yaml + version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml) yq e -i '.version = "env(version)-${{ github.base_ref }}.${{ github.run_id }}"' charts/${{ matrix.chart }}/Chart.yaml echo "Pushing chart ${{ matrix.chart }} with version $version-${{ github.head_ref }}.${GITHUB_SHA::7}" helm package charts/${{ matrix.chart }} helm push "charts/${{ matrix.chart }}/${{ matrix.chart }}-$(version)-${{ github.head_ref }}.${GITHUB_SHA::7}" "oci://ghcr.io/${{ github.repository }}" From df008577d3215d8c0c690af6b923d27a0f744213 Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 22:47:02 +0200 Subject: [PATCH 15/38] help --- .github/workflows/build.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index d32a315..9a7650b 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -81,7 +81,7 @@ jobs: - name: Push chart to GHCR run: | - version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml) yq e -i '.version = "env(version)-${{ github.base_ref }}.${{ github.run_id }}"' charts/${{ matrix.chart }}/Chart.yaml + version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml) echo "Pushing chart ${{ matrix.chart }} with version $version-${{ github.head_ref }}.${GITHUB_SHA::7}" - helm package charts/${{ matrix.chart }} - helm push "charts/${{ matrix.chart }}/${{ matrix.chart }}-$(version)-${{ github.head_ref }}.${GITHUB_SHA::7}" "oci://ghcr.io/${{ github.repository }}" + helm package charts/${{ matrix.chart }} --version "$version-${{ github.head_ref }}.${GITHUB_SHA::7}" + helm push "charts/${{ matrix.chart }}/${{ matrix.chart }}-$version-${{ github.head_ref }}.${GITHUB_SHA::7}" "oci://ghcr.io/${{ github.repository }}" From ac794c7d7cb9ed347dfc7aacf3a8d574645ce814 Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 22:47:53 +0200 Subject: [PATCH 16/38] now it should work --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 9a7650b..063d35b 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -84,4 +84,4 @@ jobs: version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml) echo "Pushing chart ${{ matrix.chart }} with version $version-${{ github.head_ref }}.${GITHUB_SHA::7}" helm package charts/${{ matrix.chart }} --version "$version-${{ github.head_ref }}.${GITHUB_SHA::7}" - helm push "charts/${{ matrix.chart }}/${{ matrix.chart }}-$version-${{ github.head_ref }}.${GITHUB_SHA::7}" "oci://ghcr.io/${{ github.repository }}" + helm push "charts/${{ matrix.chart }}/${{ matrix.chart }}-$version-${{ github.head_ref }}.${GITHUB_SHA::7}.tgz" "oci://ghcr.io/${{ github.repository }}" From 1573c37570482d7195de8a9fbe814eae1a0bcbf2 Mon Sep 17 00:00:00 2001 
From: Floris Feddema Date: Wed, 7 Aug 2024 22:55:19 +0200 Subject: [PATCH 17/38] now it should work --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 063d35b..94d16d4 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -84,4 +84,4 @@ jobs: version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml) echo "Pushing chart ${{ matrix.chart }} with version $version-${{ github.head_ref }}.${GITHUB_SHA::7}" helm package charts/${{ matrix.chart }} --version "$version-${{ github.head_ref }}.${GITHUB_SHA::7}" - helm push "charts/${{ matrix.chart }}/${{ matrix.chart }}-$version-${{ github.head_ref }}.${GITHUB_SHA::7}.tgz" "oci://ghcr.io/${{ github.repository }}" + helm push "${{ matrix.chart }}-$version-${{ github.head_ref }}.${GITHUB_SHA::7}.tgz" "oci://ghcr.io/${{ github.repository }}" From 420ac914701dac84613a963cdb336354e525c957 Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 23:09:19 +0200 Subject: [PATCH 18/38] add helm login --- .github/workflows/build.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 94d16d4..88ea789 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -79,6 +79,10 @@ jobs: exit 1 fi + - name: helm login + run: | + echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io -u $ --password-stdin + - name: Push chart to GHCR run: | version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml) From 150d4c0e677eec72449b5c7a62a63ef5b7deaf90 Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 23:11:11 +0200 Subject: [PATCH 19/38] add permissions --- .github/workflows/build.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 88ea789..370eaaf 100644 
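Review bot: The version passed to `helm package ... --version "$version-${{ github.head_ref }}.${GITHUB_SHA::7}"` and the `.tgz` filename derived from it assume the branch name is a valid semver pre-release fragment; a branch such as `feature/x` yields a version that `helm package` will presumably reject and a filename containing a path separator, so the push step fails for any slash-containing branch. Normalise the branch first, e.g. `branch="${GITHUB_HEAD_REF//[^A-Za-z0-9.-]/-}"`, and use `$branch` in both the `--version` argument and the filename. The step's `run:` block starts outside this hunk.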
--- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -29,6 +29,10 @@ jobs: runs-on: ubuntu-latest needs: create-matrix + permissions: + contents: read + packages: write + strategy: fail-fast: false matrix: @@ -79,10 +83,6 @@ jobs: exit 1 fi - - name: helm login - run: | - echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io -u $ --password-stdin - - name: Push chart to GHCR run: | version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml) From 0671919ee6ce2fb47b2740896e15a4f9c6780583 Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 23:51:12 +0200 Subject: [PATCH 20/38] add emptydir --- charts/cyberchef/templates/deployment.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/charts/cyberchef/templates/deployment.yaml b/charts/cyberchef/templates/deployment.yaml index f2f4126..3ac7b84 100644 --- a/charts/cyberchef/templates/deployment.yaml +++ b/charts/cyberchef/templates/deployment.yaml @@ -24,3 +24,9 @@ spec: protocol: TCP resources: {{ toYaml .Values.resources | nindent 12 }} securityContext: {{ toYaml .Values.securityContext | nindent 12 }} + volumeMounts: + - mountPath: /var/cache/nginx/ + name: cache + volumes: + - name: cache + emptyDir: {} From fb6d29d59d1d8a14084b527b92d256fff4a87f8c Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 23:55:50 +0200 Subject: [PATCH 21/38] add port 80 --- charts/cyberchef/templates/deployment.yaml | 2 +- charts/cyberchef/templates/ingress.yaml | 2 +- charts/cyberchef/templates/service.yaml | 4 ++-- charts/cyberchef/values.yaml | 1 + 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/charts/cyberchef/templates/deployment.yaml b/charts/cyberchef/templates/deployment.yaml index 3ac7b84..ba0e640 100644 --- a/charts/cyberchef/templates/deployment.yaml +++ b/charts/cyberchef/templates/deployment.yaml 
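Review bot: The second hunk deletes the only visible `helm registry login` while the first hunk only adds `packages: write`; the permission scopes the token but does not present it, so the `helm push` to `oci://ghcr.io` in the step that follows is presumably unauthenticated unless a login happens elsewhere in the job outside these hunks. The removed step had two real defects worth fixing rather than deleting: `-u $` passes a literal `$` as the username, and `echo ${{ secrets.GITHUB_TOKEN }}` interpolates the secret into the script text. A safer form is `echo "$GITHUB_TOKEN" | helm registry login ghcr.io -u "$GITHUB_ACTOR" --password-stdin` with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` declared under the step's `env:`.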
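Review bot: The `cache` emptyDir added for `/var/cache/nginx/` has no `sizeLimit`, so a runaway cache can consume node ephemeral storage until the kubelet evicts the Pod. Give it a bound, `emptyDir:` / `  sizeLimit: 128Mi` (128Mi is an illustrative value; size it to the server's cache configuration). A short comment above the volume saying it exists because the container runs with `readOnlyRootFilesystem: true` would tell the next maintainer why it must not be removed.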
@@ -20,7 +20,7 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: http - containerPort: 8080 + containerPort: 80 protocol: TCP resources: {{ toYaml .Values.resources | nindent 12 }} securityContext: {{ toYaml .Values.securityContext | nindent 12 }} diff --git a/charts/cyberchef/templates/ingress.yaml b/charts/cyberchef/templates/ingress.yaml index 19f0bce..ae5cd9d 100644 --- a/charts/cyberchef/templates/ingress.yaml +++ b/charts/cyberchef/templates/ingress.yaml @@ -16,7 +16,7 @@ spec: service: name: {{ template "common.fullname" . }} port: - number: 8080 + number: 80 path: / pathType: Prefix {{- if .Values.ingress.tls.enabled }} diff --git a/charts/cyberchef/templates/service.yaml b/charts/cyberchef/templates/service.yaml index b0ed034..44f1c59 100644 --- a/charts/cyberchef/templates/service.yaml +++ b/charts/cyberchef/templates/service.yaml @@ -8,8 +8,8 @@ spec: type: ClusterIP ports: - name: http - targetPort: 8080 - port: 8080 + targetPort: 80 + port: 80 protocol: TCP selector: {{- include "common.selectorLabels" . | nindent 4 }} diff --git a/charts/cyberchef/values.yaml b/charts/cyberchef/values.yaml index 66fdf87..92a9d80 100644 --- a/charts/cyberchef/values.yaml +++ b/charts/cyberchef/values.yaml @@ -18,6 +18,7 @@ podSecurityContext: securityContext: capabilities: drop: [ "ALL" ] + add: [ "NET_BIND_SERVICE" ] allowPrivilegeEscalation: false readOnlyRootFilesystem: true privileged: false From 10e84587d54b2d27988d971a5fe33d0033698bb1 Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Wed, 7 Aug 2024 23:58:56 +0200 Subject: [PATCH 22/38] add port 80 --- charts/cyberchef/values.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/charts/cyberchef/values.yaml b/charts/cyberchef/values.yaml index 92a9d80..2fd95bf 100644 --- a/charts/cyberchef/values.yaml +++ b/charts/cyberchef/values.yaml 
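Review bot: `add: [ "NET_BIND_SERVICE" ]` in values.yaml will not by itself let the uid-1000 process (per `podSecurityContext` earlier in this file) bind port 80: capabilities added through the container runtime land in the bounding and permitted sets, but a process running as non-root only keeps them in its effective set if the executable carries file capabilities, which the stock nginx binary presumably does not. The move to `containerPort: 80` in deployment.yaml therefore re-introduces a root requirement that the security context was written to exclude. If the image really listens on 80, the options that preserve `runAsNonRoot: true` are an image that listens on an unprivileged port or a file capability on the binary; the Service can keep presenting `port: 80` with `targetPort: http` either way.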
@@ -10,10 +10,7 @@ resources: {} # memory: 2048Mi podSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - runAsNonRoot: true + runAsNonRoot: false # Bind to port 80 requires root securityContext: capabilities: From 7ee3b490e814bde3151e2301c9ff61e8afbcb12d Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Thu, 8 Aug 2024 00:00:32 +0200 Subject: [PATCH 23/38] add run as user --- charts/cyberchef/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/cyberchef/values.yaml b/charts/cyberchef/values.yaml index 2fd95bf..f99261d 100644 --- a/charts/cyberchef/values.yaml +++ b/charts/cyberchef/values.yaml @@ -10,6 +10,7 @@ resources: {} # memory: 2048Mi podSecurityContext: + runAsUser: 0 runAsNonRoot: false # Bind to port 80 requires root securityContext: From d6deffd7746fe16bec9835db4dd3e1a61b55220d Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Thu, 8 Aug 2024 00:01:47 +0200 Subject: [PATCH 24/38] add run as user --- charts/cyberchef/values.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/cyberchef/values.yaml b/charts/cyberchef/values.yaml index f99261d..7640f17 100644 --- a/charts/cyberchef/values.yaml +++ b/charts/cyberchef/values.yaml @@ -10,7 +10,6 @@ resources: {} # memory: 2048Mi podSecurityContext: - runAsUser: 0 runAsNonRoot: false # Bind to port 80 requires root securityContext: @@ -18,7 +17,7 @@ securityContext: drop: [ "ALL" ] add: [ "NET_BIND_SERVICE" ] allowPrivilegeEscalation: false - readOnlyRootFilesystem: true + readOnlyRootFilesystem: false privileged: false image: From 5fdfe759719481acae2ad41a83d4892f9b7f21b6 Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Thu, 8 Aug 2024 00:03:29 +0200 Subject: [PATCH 25/38] add run privilleged --- charts/cyberchef/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cyberchef/values.yaml b/charts/cyberchef/values.yaml index 7640f17..4aa7236 100644 --- a/charts/cyberchef/values.yaml 
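Review bot: `runAsNonRoot: false` with the comment `# Bind to port 80 requires root` switches off the kubelet's check that the image's effective uid is non-zero, and the companion hunks — `runAsUser: 0` (patch 23), `readOnlyRootFilesystem: false` (patch 24) and `privileged: true` (patch 25) — each widen the blast radius of this one container to get past a bind failure. `privileged: true` in particular grants every capability plus host device access, far beyond what binding a low port needs, and is never the right knob for a permission error. The root cause is the upstream image's choice of port and user, so the fix belongs in the image (an unprivileged-port build) rather than in the chart defaults; if root is unavoidable for now, keep `readOnlyRootFilesystem: true` and add `emptyDir` mounts for the paths nginx writes at start (presumably `/var/run` and `/etc/nginx/conf.d` — confirm from the container logs), and extend the values comment to say the relaxation is temporary. The `privileged: false` revert in patch 26 still leaves the `runAsNonRoot` and `readOnlyRootFilesystem` relaxations in place.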
+++ b/charts/cyberchef/values.yaml @@ -18,7 +18,7 @@ securityContext: add: [ "NET_BIND_SERVICE" ] allowPrivilegeEscalation: false readOnlyRootFilesystem: false - privileged: false + privileged: true image: registry: ghcr.io From e466cbe8b8d857cc5bd4fdf6e084064b2d5acf54 Mon Sep 17 00:00:00 2001 From: Floris Feddema Date: Thu, 8 Aug 2024 22:28:43 +0200 Subject: [PATCH 26/38] add image build --- .../{build.yaml => chart-build.yaml} | 2 +- .github/workflows/image-build.yaml | 79 +++++++++++++++++++ charts/cyberchef/values.yaml | 2 +- images/cyberchef/Dockerfile | 4 + 4 files changed, 85 insertions(+), 2 deletions(-) rename .github/workflows/{build.yaml => chart-build.yaml} (99%) create mode 100644 .github/workflows/image-build.yaml create mode 100644 images/cyberchef/Dockerfile diff --git a/.github/workflows/build.yaml b/.github/workflows/chart-build.yaml similarity index 99% rename from .github/workflows/build.yaml rename to .github/workflows/chart-build.yaml index 370eaaf..da97705 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/chart-build.yaml @@ -1,4 +1,4 @@ -name: Build Charts +name: Build Helm Charts on: pull_request: diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml new file mode 100644 index 0000000..828465c --- /dev/null +++ b/.github/workflows/image-build.yaml 
@@ -0,0 +1,79 @@ +name: Build Images + +on: + push: + branches: + - main + paths: + - 'images/**' + +jobs: + create-matrix: + runs-on: ubuntu-latest + + outputs: + charts: ${{ steps.charts.outputs.charts }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Create changed images matrix + id: images + run: | + images=$(git diff --merge-base origin/main --name-only | grep ^images/ | cut -d/ -f2 | uniq | sort | jq -R -s -c 'split("\n")[:-1]') + echo "images=${images}" + echo "images=${images}" >> "$GITHUB_OUTPUT" + + build-images: + runs-on: ubuntu-latest + needs: create-matrix + + permissions: + contents: read + packages: write + + strategy: + fail-fast: false + matrix: + imageName: ${{ fromJSON(needs.create-matrix.outputs.images) }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + with: + platforms: linux/amd64,linux/arm64 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + with: + platforms: linux/amd64,linux/arm64 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Get version from Dockerfile + id: version + run: | + echo ::set-output name=VERSION::$(head -n 1 images/${{ matrix.imageName }}/Dockerfile | awk -F: '{print $NF}' | awk '{print $1}') + + - name: Build and push + uses: docker/build-push-action@v6 + with: + context: 'images/${{ matrix.imageName }}' + platforms: linux/amd64,linux/arm64 + tags: | + ghcr.io/${{ github.repository }}/${{ matrix.imageName }}:latest + ghcr.io/florisfeddema/enphase-envoy-prometheus-exporter:${{ steps.version.outputs.VERSION }} + push: true diff --git a/charts/cyberchef/values.yaml b/charts/cyberchef/values.yaml index 4aa7236..7640f17 100644 --- a/charts/cyberchef/values.yaml +++ b/charts/cyberchef/values.yaml 
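Review bot: The `Get version from Dockerfile` step uses `echo ::set-output name=VERSION::...`, the deprecated workflow command that GitHub is retiring in favour of `$GITHUB_OUTPUT`; the `create-matrix` job in this same file already writes `>> "$GITHUB_OUTPUT"`, so the step should match it: `echo "VERSION=$(head -n 1 images/${{ matrix.imageName }}/Dockerfile | awk -F: '{print $NF}' | awk '{print $1}')" >> "$GITHUB_OUTPUT"`. The `echo ::set-output name=SHA::` line added in patch 30 has the same issue. The matrix itself comes from `git diff --merge-base origin/main --name-only` while the workflow only triggers on `push` to `main`, where HEAD is `origin/main` after checkout, so the diff is presumably empty and `fromJSON` receives `[]`; diffing against `${{ github.event.before }}` or listing `images/*` directly would be more robust. `${{ matrix.imageName }}` inside `run:` is the same shell-interpolation pattern as in the chart workflow and should go through `env:`.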
@@ -18,7 +18,7 @@ securityContext:
     add: [ "NET_BIND_SERVICE" ]
   allowPrivilegeEscalation: false
   readOnlyRootFilesystem: false
-  privileged: true
+  privileged: false
 
 image:
   registry: ghcr.io
diff --git a/images/cyberchef/Dockerfile b/images/cyberchef/Dockerfile
new file mode 100644
index 0000000..80eb81a
--- /dev/null
+++ b/images/cyberchef/Dockerfile
@@ -0,0 +1,4 @@
+FROM ghcr.io/gchq/cyberchef:10.18.9 AS build
+FROM nginxinc/nginx-unprivileged:1.27.0-alpine3.19 AS run
+
+COPY --from=build /usr/share/nginx/html /usr/share/nginx/html
From 6576473ffd90829f221f3ef5aec0a931f90220a0 Mon Sep 17 00:00:00 2001
From: Floris Feddema
Date: Thu, 8 Aug 2024 22:30:46 +0200
Subject: [PATCH 27/38] add push on branch build
---
 .github/workflows/image-build.yaml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml
index 828465c..f6bbf7e 100644
--- a/.github/workflows/image-build.yaml
+++ b/.github/workflows/image-build.yaml
@@ -2,8 +2,6 @@ name: Build Images
 
 on:
   push:
-    branches:
-      - main
     paths:
       - 'images/**'
 
@@ -70,10 +68,21 @@ jobs:
 
       - name: Build and push
         uses: docker/build-push-action@v6
+        if: github.ref == 'refs/heads/main'
         with:
           context: 'images/${{ matrix.imageName }}'
           platforms: linux/amd64,linux/arm64
           tags: |
             ghcr.io/${{ github.repository }}/${{ matrix.imageName }}:latest
-            ghcr.io/florisfeddema/enphase-envoy-prometheus-exporter:${{ steps.version.outputs.VERSION }}
+            ghcr.io/${{ github.repository }}/${{ matrix.imageName }}:${{ steps.version.outputs.VERSION }}
+          push: true
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        if: github.ref != 'refs/heads/main'
+        with:
+          context: 'images/${{ matrix.imageName }}'
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            ghcr.io/${{ github.repository }}/${{ matrix.imageName }}:${{ steps.version.outputs.VERSION }}-${{ github.head_ref }}.${GITHUB_SHA::7}
           push: true
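Review bot: Line 1 of the new Dockerfile, `FROM ghcr.io/gchq/cyberchef:10.18.9 AS build`, is parsed by the workflow's `Get version from Dockerfile` step (`head -n 1 … | awk -F: '{print $NF}'`) to derive the published image tag, so the first line is effectively an interface, yet nothing in the file says so. A comment at the top would prevent a reorder or a multi-line `FROM` from silently changing the tag: `# line 1 is parsed by .github/workflows/image-build.yaml; keep the form FROM <image>:<version> AS build`. Both `FROM` lines also pin their base by mutable tag only; adding a digest (`ghcr.io/gchq/cyberchef:10.18.9@sha256:<digest>`) would make the build reproducible, with the caveat that the version parser would then have to strip the `@sha256:` suffix, since `$NF` on that line becomes the digest.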
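Review bot: The branch-build tag on the second `Build and push` step uses `${{ github.head_ref }}`, which is only populated for `pull_request` events; for the `push` trigger that this commit widens to every branch it expands to an empty string and the tag becomes `<VERSION>-.<sha>`. `${{ github.ref_name }}` is set for both event types, so `:${{ steps.version.outputs.VERSION }}-${{ github.ref_name }}.<short-sha>` is the safer form, with branch names containing `/` still needing sanitising before use as a Docker tag. `${GITHUB_SHA::7}` on the same line is shell syntax, but a `with:` input is not shell-expanded, so the tag would contain that literal text; patches 30 and 34 on this page move the value into a step output. Note also that on `pull_request` events `GITHUB_SHA` is the merge commit, not the branch head, so a tag derived from it matches no commit on the branch; `github.event.pull_request.head.sha` is the head.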
From bac669718388bcc5a8d0cba81ddcb626cd5d6987 Mon Sep 17 00:00:00 2001
From: Floris Feddema
Date: Thu, 8 Aug 2024 22:31:18 +0200
Subject: [PATCH 28/38] add push on branch build
---
 .github/workflows/image-build.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml
index f6bbf7e..b059244 100644
--- a/.github/workflows/image-build.yaml
+++ b/.github/workflows/image-build.yaml
@@ -4,6 +4,9 @@ on:
   push:
     paths:
       - 'images/**'
+  pull_request:
+    paths:
+      - 'images/**'
 
 jobs:
   create-matrix:
From 9ad9aa84b82397dfbfd5456e33b2eec3c5a9654b Mon Sep 17 00:00:00 2001
From: Floris Feddema
Date: Thu, 8 Aug 2024 22:32:22 +0200
Subject: [PATCH 29/38] fix output
---
 .github/workflows/image-build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml
index b059244..c83b644 100644
--- a/.github/workflows/image-build.yaml
+++ b/.github/workflows/image-build.yaml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
 
     outputs:
-      charts: ${{ steps.charts.outputs.charts }}
+      images: ${{ steps.images.outputs.images }}
 
     steps:
       - name: Checkout
From 9ad9aa84b82397dfbfd5456e33b2eec3c5a9654b Mon Sep 17 00:00:00 2001
From: Floris Feddema
Date: Thu, 8 Aug 2024 22:33:50 +0200
Subject: [PATCH 30/38] fix output
---
 .github/workflows/image-build.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml
index c83b644..bd1e62a 100644
--- a/.github/workflows/image-build.yaml
+++ b/.github/workflows/image-build.yaml
@@ -68,6 +68,7 @@ jobs:
         id: version
         run: |
           echo ::set-output name=VERSION::$(head -n 1 images/${{ matrix.imageName }}/Dockerfile | awk -F: '{print $NF}' | awk '{print $1}')
+          echo ::set-output name=SHA::${GITHUB_SHA::7}
 
       - name: Build and push
         uses: docker/build-push-action@v6
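Review bot: Adding `pull_request:` as a trigger means the `build-images` job, which logs in to ghcr.io and pushes with `push: true` (steps outside this hunk), now runs for pull requests as well: for PRs from forks `GITHUB_TOKEN` is read-only, so `docker/login-action` and the branch push step fail rather than skip, and for same-repo PRs an image built from not-yet-reviewed changes is published under the repository's package namespace. Guarding the publish — `push: ${{ github.event_name != 'pull_request' }}` on the branch step, or `if: github.event.pull_request.head.repo.full_name == github.repository` — keeps PR runs as build-only validation. A `concurrency` group keyed on `github.ref` would additionally stop overlapping runs from racing on the same tag.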
@@ -87,5 +88,5 @@ jobs:
           context: 'images/${{ matrix.imageName }}'
           platforms: linux/amd64,linux/arm64
           tags: |
-            ghcr.io/${{ github.repository }}/${{ matrix.imageName }}:${{ steps.version.outputs.VERSION }}-${{ github.head_ref }}.${GITHUB_SHA::7}
+            ghcr.io/${{ github.repository }}/${{ matrix.imageName }}:${{ steps.version.outputs.VERSION }}-${{ github.head_ref }}.${{ steps.version.outputs.SHA }}
           push: true
From f5c624e13536fd58377d78cc08e8b6f6ed0f06df Mon Sep 17 00:00:00 2001
From: Floris Feddema
Date: Thu, 8 Aug 2024 22:35:49 +0200
Subject: [PATCH 31/38] remove deprecated output
---
 .github/workflows/image-build.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml
index bd1e62a..a6c46c6 100644
--- a/.github/workflows/image-build.yaml
+++ b/.github/workflows/image-build.yaml
@@ -67,9 +67,9 @@ jobs:
       - name: Get version from Dockerfile
         id: version
         run: |
-          echo ::set-output name=VERSION::$(head -n 1 images/${{ matrix.imageName }}/Dockerfile | awk -F: '{print $NF}' | awk '{print $1}')
-          echo ::set-output name=SHA::${GITHUB_SHA::7}
-
+          echo ${GITHUB_SHA::7} >> "SHA"
+          $(head -n 1 images/${{ matrix.imageName }}/Dockerfile | awk -F: '{print $NF}' | awk '{print $1}') >> "VERSION"
+
       - name: Build and push
         uses: docker/build-push-action@v6
         if: github.ref == 'refs/heads/main'
From d8f426d06437fc7e5ecbb10c0b68f8c4637c6a87 Mon Sep 17 00:00:00 2001
From: Floris Feddema
Date: Thu, 8 Aug 2024 22:37:07 +0200
Subject: [PATCH 32/38] remove deprecated output
---
 .github/workflows/image-build.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml
index a6c46c6..ea9a3fa 100644
--- a/.github/workflows/image-build.yaml
+++ b/.github/workflows/image-build.yaml
@@ -67,8 +67,8 @@ jobs:
       - name: Get version from Dockerfile
         id: version
         run: |
-          echo ${GITHUB_SHA::7} >> "SHA"
-          $(head -n 1 images/${{ matrix.imageName }}/Dockerfile | awk -F: '{print $NF}' | awk '{print $1}') >> "VERSION"
+          echo "${GITHUB_SHA::7}" >> "SHA"
+          head -n 1 images/${{ matrix.imageName }}/Dockerfile | awk -F: '{print $NF}' | awk '{print $1}' >> "VERSION"
 
       - name: Build and push
         uses: docker/build-push-action@v6
From 9dd3294cee664d561b619e848c1891f62a40bbd6 Mon Sep 17 00:00:00 2001
From: Floris Feddema
Date: Thu, 8 Aug 2024 22:39:05 +0200
Subject: [PATCH 33/38] add echo
---
 .github/workflows/image-build.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml
index ea9a3fa..1f0b7de 100644
--- a/.github/workflows/image-build.yaml
+++ b/.github/workflows/image-build.yaml
@@ -67,8 +67,13 @@ jobs:
       - name: Get version from Dockerfile
         id: version
         run: |
-          echo "${GITHUB_SHA::7}" >> "SHA"
-          head -n 1 images/${{ matrix.imageName }}/Dockerfile | awk -F: '{print $NF}' | awk '{print $1}' >> "VERSION"
+          sha=$(echo "${GITHUB_SHA::7}")
+          echo "$sha"
+          echo "$sha" >> "SHA"
+          version=$(head -n 1 images/${{ matrix.imageName }}/Dockerfile | awk -F: '{print $NF}' | awk '{print $1}')
+          echo "$version"
+          echo "$version" >> "VERSION"
+
 
       - name: Build and push
         uses: docker/build-push-action@v6
From c42588af823cb2401f1b9c3403adfe65885ea4f4 Mon Sep 17 00:00:00 2001
From: Floris Feddema
Date: Thu, 8 Aug 2024 22:42:42 +0200
Subject: [PATCH 34/38] fix output steps
---
 .github/workflows/image-build.yaml | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml
index 1f0b7de..3636f1f 100644
--- a/.github/workflows/image-build.yaml
+++ b/.github/workflows/image-build.yaml
@@ -64,15 +64,19 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Get short SHA
+        id: sha
+        run: |
+          sha=$(echo "${GITHUB_SHA::7}")
+          echo "SHA=$sha"
+          echo "SHA=$sha" >> "$GITHUB_OUTPUT"
+
       - name: Get version from Dockerfile
         id: version
         run: |
-          sha=$(echo "${GITHUB_SHA::7}")
-          echo "$sha"
-          echo "$sha" >> "SHA"
           version=$(head -n 1 images/${{ matrix.imageName }}/Dockerfile | awk -F: '{print $NF}' | awk '{print $1}')
-          echo "$version"
-          echo "$version" >> "VERSION"
+          echo "VERSION=$version"
+          echo "VERSION=$version" >> "$GITHUB_OUTPUT"
 
 
       - name: Build and push
@@ -93,5 +97,5 @@ jobs:
           context: 'images/${{ matrix.imageName }}'
           platforms: linux/amd64,linux/arm64
           tags: |
-            ghcr.io/${{ github.repository }}/${{ matrix.imageName }}:${{ steps.version.outputs.VERSION }}-${{ github.head_ref }}.${{ steps.version.outputs.SHA }}
+            ghcr.io/${{ github.repository }}/${{ matrix.imageName }}:${{ steps.version.outputs.VERSION }}-${{ github.head_ref }}.${{ steps.sha.outputs.SHA }}
           push: true
From ab602633a15411c644178c79540abb028f861c3b Mon Sep 17 00:00:00 2001
From: Floris Feddema
Date: Thu, 8 Aug 2024 22:48:32 +0200
Subject: [PATCH 35/38] use new image
---
 charts/cyberchef/templates/deployment.yaml | 2 +-
 charts/cyberchef/templates/ingress.yaml | 2 +-
 charts/cyberchef/templates/service.yaml | 4 ++--
 charts/cyberchef/values.yaml | 8 +++++---
 4 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/charts/cyberchef/templates/deployment.yaml b/charts/cyberchef/templates/deployment.yaml
index ba0e640..3ac7b84 100644
--- a/charts/cyberchef/templates/deployment.yaml
+++ b/charts/cyberchef/templates/deployment.yaml
@@ -20,7 +20,7 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: http
-              containerPort: 80
+              containerPort: 8080
               protocol: TCP
           resources: {{ toYaml .Values.resources | nindent 12 }}
           securityContext: {{ toYaml .Values.securityContext | nindent 12 }}
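Review bot: `sha=$(echo "${GITHUB_SHA::7}")` in the new `Get short SHA` step spawns a subshell and an `echo` for a plain assignment; `sha="${GITHUB_SHA::7}"` is the idiomatic form. The `Get version from Dockerfile` step in the same hunk assumes line 1 of the Dockerfile has the shape `FROM <image>:<tag>`; if the tag is missing, `awk -F: '{print $NF}'` returns the whole line and `VERSION` becomes `FROM`, which the later build step would then push as an image tag. A fail-fast check before the assignment, `head -n 1 "images/${{ matrix.imageName }}/Dockerfile" | grep -q ':' || { echo "::error::no image tag on line 1 of the Dockerfile"; exit 1; }`, turns that into a visible failure. The `version=` line itself is unchanged from patch 33.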
diff --git a/charts/cyberchef/templates/ingress.yaml b/charts/cyberchef/templates/ingress.yaml
index ae5cd9d..19f0bce 100644
--- a/charts/cyberchef/templates/ingress.yaml
+++ b/charts/cyberchef/templates/ingress.yaml
@@ -16,7 +16,7 @@ spec:
               service:
                 name: {{ template "common.fullname" . }}
                 port:
-                  number: 80
+                  number: 8080
             path: /
             pathType: Prefix
   {{- if .Values.ingress.tls.enabled }}
diff --git a/charts/cyberchef/templates/service.yaml b/charts/cyberchef/templates/service.yaml
index 44f1c59..b0ed034 100644
--- a/charts/cyberchef/templates/service.yaml
+++ b/charts/cyberchef/templates/service.yaml
@@ -8,8 +8,8 @@ spec:
   type: ClusterIP
   ports:
     - name: http
-      targetPort: 80
-      port: 80
+      targetPort: 8080
+      port: 8080
       protocol: TCP
   selector:
     {{- include "common.selectorLabels" . | nindent 4 }}
diff --git a/charts/cyberchef/values.yaml b/charts/cyberchef/values.yaml
index 7640f17..66fdf87 100644
--- a/charts/cyberchef/values.yaml
+++ b/charts/cyberchef/values.yaml
@@ -10,14 +10,16 @@ resources: {}
   # memory: 2048Mi
 
 podSecurityContext:
-  runAsNonRoot: false # Bind to port 80 requires root
+  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
+  runAsNonRoot: true
 
 securityContext:
   capabilities:
     drop: [ "ALL" ]
-    add: [ "NET_BIND_SERVICE" ]
   allowPrivilegeEscalation: false
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: true
   privileged: false
 
 image:
From 0bac0a9c6bc447b959c2d1b15dd57a6c52394000 Mon Sep 17 00:00:00 2001
From: Floris Feddema
Date: Thu, 8 Aug 2024 22:52:42 +0200
Subject: [PATCH 36/38] use new image
---
 .github/workflows/image-build.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml
index 3636f1f..fc1dbc7 100644
--- a/.github/workflows/image-build.yaml
+++ b/.github/workflows/image-build.yaml
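Review bot: The hardened `podSecurityContext` and `securityContext` in the values.yaml hunk are close to the Pod Security Standards restricted profile but omit `seccompProfile`, which that profile requires; adding `seccompProfile: { type: RuntimeDefault }` under `podSecurityContext` completes the set. `runAsUser: 1000` also overrides whatever non-root UID the `nginx-unprivileged` base image declares — presumably fine because the served files are world-readable, but a comment such as `# UID is arbitrary; the image must not rely on its built-in user` would make that assumption reviewable when the image changes. With `readOnlyRootFilesystem: true` every writable path now has to come from the `cache` emptyDir mounted in deployment.yaml; patch 37 on this page moves that mount to `/tmp/`.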
@@ -86,8 +86,8 @@ jobs:
           context: 'images/${{ matrix.imageName }}'
           platforms: linux/amd64,linux/arm64
           tags: |
-            ghcr.io/${{ github.repository }}/${{ matrix.imageName }}:latest
-            ghcr.io/${{ github.repository }}/${{ matrix.imageName }}:${{ steps.version.outputs.VERSION }}
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.imageName }}:latest
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.imageName }}:${{ steps.version.outputs.VERSION }}
           push: true
 
       - name: Build and push
@@ -97,5 +97,5 @@ jobs:
           context: 'images/${{ matrix.imageName }}'
           platforms: linux/amd64,linux/arm64
           tags: |
-            ghcr.io/${{ github.repository }}/${{ matrix.imageName }}:${{ steps.version.outputs.VERSION }}-${{ github.head_ref }}.${{ steps.sha.outputs.SHA }}
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.imageName }}:${{ steps.version.outputs.VERSION }}-${{ github.head_ref }}.${{ steps.sha.outputs.SHA }}
           push: true
From b8445394de9f99d492ad0e9dd3d83b3405caa7c7 Mon Sep 17 00:00:00 2001
From: Floris Feddema
Date: Thu, 8 Aug 2024 22:55:05 +0200
Subject: [PATCH 37/38] use correct temp dir for unpriviliged image
---
 .github/workflows/image-build.yaml | 3 +--
 charts/cyberchef/templates/deployment.yaml | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml
index fc1dbc7..a7fcb49 100644
--- a/.github/workflows/image-build.yaml
+++ b/.github/workflows/image-build.yaml
@@ -77,8 +77,7 @@ jobs:
           version=$(head -n 1 images/${{ matrix.imageName }}/Dockerfile | awk -F: '{print $NF}' | awk '{print $1}')
           echo "VERSION=$version"
           echo "VERSION=$version" >> "$GITHUB_OUTPUT"
-
-
+
       - name: Build and push
         uses: docker/build-push-action@v6
         if: github.ref == 'refs/heads/main'
diff --git a/charts/cyberchef/templates/deployment.yaml b/charts/cyberchef/templates/deployment.yaml
index 3ac7b84..223cd08 100644
--- a/charts/cyberchef/templates/deployment.yaml
+++ b/charts/cyberchef/templates/deployment.yaml
@@ -25,7 +25,7 @@ spec:
           resources: {{ toYaml .Values.resources | nindent 12 }}
           securityContext: {{ toYaml .Values.securityContext | nindent 12 }}
           volumeMounts:
-            - mountPath: /var/cache/nginx/
+            - mountPath: /tmp/
               name: cache
       volumes:
         - name: cache
From 820efdf7ff2a14d6d2db5b5eee8dc296b0ff63db Mon Sep 17 00:00:00 2001
From: Floris Feddema
Date: Thu, 8 Aug 2024 23:05:22 +0200
Subject: [PATCH 38/38] update image location
---
 charts/cyberchef/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/cyberchef/values.yaml b/charts/cyberchef/values.yaml
index 66fdf87..acc7993 100644
--- a/charts/cyberchef/values.yaml
+++ b/charts/cyberchef/values.yaml
@@ -24,7 +24,7 @@ securityContext:
 
 image:
   registry: ghcr.io
-  repository: gchq/cyberchef
+  repository: k8s-at-our-homes/cyberchef
   tag: 10.18.9
   pullPolicy: IfNotPresent
 
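Review bot: The new `mountPath: /tmp/` is, once `readOnlyRootFilesystem: true` from patch 35 is in effect, the only writable path the container has, but the template does not say why this directory in particular was chosen. A comment on the mount, `# nginx-unprivileged keeps its pid file and temp/cache dirs under /tmp (see commit subject); required with readOnlyRootFilesystem: true`, would stop a future reader from moving it back to `/var/cache/nginx/`. The `cache` volume's definition continues outside the hunk; giving that emptyDir a `sizeLimit` would keep a misbehaving process from filling node disk. The enclosing container spec starts outside the hunk.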
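Review bot: `tag: 10.18.9` in the values.yaml hunk is a plain scalar that only reads as a string because it has two dots; a future value such as `1.10` or `10` would be loaded as a number and re-serialised as `1.1`/`10`, silently pointing the Deployment at the wrong image. Quoting it, `tag: "10.18.9"`, removes the ambiguity for every future value. Since the chart now pulls from the project's own namespace, an optional `image.digest` value (empty by default) would also let deployments pin by immutable digest instead of a mutable tag; that addition would sit outside this hunk.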