Publish Helm Charts for version 4.3.6 (#135)

Source-Version: 04818fb16b1827ae74e33215862b5c4bea44c43d

4.3.6/central-services/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

4.3.6/central-services/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2 # Can probably be generalized to v1 later. TODO(ROX-5502).
+name: stackrox-central-services
+icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/Red_Hat-Hat_icon.png
+description: Helm Chart for StackRox Central Service
+type: application
+version: 400.3.6
+appVersion: 4.3.6

4.3.6/central-services/README.md

@@ -0,0 +1,179 @@
+# StackRox Kubernetes Security Platform - Central Services Helm Chart
+
+This Helm chart allows you to deploy the central services of the StackRox
+Kubernetes Security Platform: StackRox Central and StackRox Scanner.
+
+If you want to install Red Hat Advanced Cluster Security, refer to
+[Installing quickly using Helm charts](https://docs.openshift.com/acs/installing/installing_helm/install-helm-quick.html)
+for up to date information.
+
+## Prerequisites
+
+To deploy the central services for the StackRox Kubernetes Security platform
+using Helm, you must:
+- Have at least version 3.1 of the Helm tool installed on your machine
+
+## Add the Canonical Chart Location as a Helm Repository
+
+The canonical repository for StackRox Helm charts is https://charts.stackrox.io.
+To use StackRox Helm charts on your machine, run
+```sh
+helm repo add stackrox https://charts.stackrox.io
+```
+This command only needs to be run once on your machine. Whenever you are deploying
+or upgrading a chart from a remote repository, it is advisable to run
+```sh
+helm repo update
+```
+beforehand.
+
+## Deploy Central Services Using Helm
+
+The basic command for deploying the central services is
+```sh
+helm install -n stackrox --create-namespace \
+    --set central.persistence.none=true \
+    stackrox-central-services stackrox/stackrox-central-services
+```
+If you have a copy of this chart on your machine, you can also reference the
+path to this copy instead of `stackrox/stackrox-central-services` above.
+
+In case you use image mirroring or otherwise access StackRox container images from non-standard location,
+you may also need to provide image pull credentials.
+There are several ways to inject the required credentials (if any) into the installation process:
+
+- **Explicitly specify username and password:** Use this if you are using a registry that supports username/password
+  authentication. Pass the following arguments to the `helm install` command:
+  ```sh
+  --set imagePullSecrets.username=<registry username> --set imagePullSecrets.password=<registry password>
+  ```
+- **Use pre-existing image pull secrets:** If you already have one or several image pull secrets
+  created in the namespace to which you are deploying, you can reference these in the following
+  way (we assume that your secrets are called `pull-secret-1` and `pull-secret-2`):
+  ```sh
+  --set imagePullSecrets.useExisting="pull-secret-1;pull-secret-2"
+  ```
+- **Do not use image pull secrets:** If you are pulling your images from quay.io/stackrox-io or a registry in a private
+  network that does not require authentication, or if the default service account in the namespace
+  to which you are deploying is already configured with appropriate image pull secrets, you do
+  not need to specify any additional image pull secrets.
+
+### Accessing the StackRox Portal After Deployment
+
+Once you have deployed the StackRox Kubernetes Security Platform Central Services via
+`helm install`, you will see an information text on the console that contains any things to
+note, or warnings encountered during the installation text. In particular, it instructs you
+how to connect to your Central deployment via port-forward (if you have not configured an
+exposure method, see below), and the administrator password to use for the initial login.
+
+### Applying Custom Configuration Options
+
+This Helm chart has many different configuration options. For simple use cases, these can be
+set directly on the `helm install` command line; however, we generally recommend that you
+store your configuration in a dedicated file.
+
+#### Using the `--set` family of command-line flags
+
+This approach is the quickest way to customize the deployment, but it does not work for
+more complex configuration settings. Via the `--set` and `--set-file` flags, which need to be
+appended to your `helm install` invocation, you can inject configuration values into the
+installation process. Here are some examples:
+- **Deploy StackRox in offline mode:** This configures StackRox in a way such that it will not
+  reach out to any external endpoints.
+  ```sh
+  --set env.offlineMode=true
+  ```
+- **Configure a fixed administrator password:** This sets the password with which you log in to
+  the StackRox portal as an administrator. If you do not configure a password yourself, one will
+  be created for you and printed as part of the installation notes.
+  ```sh
+  --set central.adminPassword.value=mysupersecretpassword
+  ```
+
+#### Using configuration YAML files and the `-f` command-line flag
+
+To ensure the best possible upgrade experience, it is recommended that you store all custom
+configuration options in two files: `values-public.yaml` and `values-private.yaml`. The former
+contains all non-sensitive configuration options (such as whether to run in offline mode), and the
+latter contains all sensitive configuration options (such as the administrator password, or
+custom TLS certificates). The `values-public.yaml` file can be stored in, for example, your Git
+repository, while the `values-private.yaml` file should be stored in a secrets management
+system.
+
+There is a large number of configuration options that cannot all be discussed in minute detail
+in this README file. However, the Helm chart contains example configuration files
+`values-public.yaml.example` and `values-private.yaml.example`, that list all the available
+configuration options, along with documentation. The following is just a brief example of what
+can be configured via those files:
+- **`values-public.yaml`:**
+  ```yaml
+  env:
+    offlineMode: true  # run in offline mode
+  
+  central:
+    # Use custom resource overrides for central
+    resources:
+      requests:
+        cpu: 4
+        memory: "8Gi"
+      limits:
+        cpu: 8
+        memory: "16Gi"
+  
+    # Expose central via a LoadBalancer service
+    exposure:
+      loadBalancer:
+        enabled: true
+  
+  scanner:
+    # Run without StackRox Scanner (NOT RECOMMENDED)
+    disable: true
+  
+  customize:
+    # Apply the important-service=true label for all objects managed by this chart.
+    labels:
+      important-service: true
+    # Set the CLUSTER=important-cluster environment variable for all containers in the
+    # central deployment:
+    central:
+      envVars:
+        CLUSTER: important-cluster
+  ```
+- **`values-private.yaml`**:
+  ```yaml
+  central:
+    # Configure a default TLS certificate (public cert + private key) for central
+    defaultTLS:
+      cert: |
+        -----BEGIN CERTIFICATE-----
+        MII...
+        -----END CERTIFICATE-----
+      key: |
+        -----BEGIN EC PRIVATE KEY-----
+        MHc...
+        -----END EC PRIVATE KEY-----
+  ```
+
+After you have created these YAML files, you can inject the configuration options into the
+installation process via the `-f` flag, i.e., by appending the following options to the
+`helm install` invocation:
+```sh
+-f values-public.yaml -f values-private.yaml
+```
+
+### Changing Configuration Options After Deployment
+
+If you wish to make any changes to the deployment, simply change the configuration options
+in your `values-public.yaml` and/or `values-private.yaml` file(s), and inject them into an
+`helm upgrade` invocation:
+```sh
+helm upgrade -n stackrox stackrox-central-services stackrox/stackrox-central-services \
+    -f values-public.yaml \
+    -f values-private.yaml
+```
+Under most circumstances, you will not need to supply the `values-private.yaml` file, unless
+you want changes to sensitive configuration options to be applied.
+
+Of course you can also specify configuration values via the `--set` or `--set-file` command-line
+flags. However, these options will be forgotten with the next `helm upgrade` invocation, unless
+you supply them again.

4.3.6/central-services/config-templates/scanner/config.yaml.tpl

@@ -0,0 +1,48 @@
+{{- /*
+  This is the configuration file template for Scanner.
+  Except for in extremely rare circumstances, you DO NOT need to modify this file.
+  All config options that are possibly dynamic are templated out and can be modified
+  via `--set`/values-files specified via `-f`.
+     */ -}}
+
+# Configuration file for scanner.
+
+scanner:
+  centralEndpoint: https://central.{{ .Release.Namespace }}.svc
+  sensorEndpoint: https://sensor.{{ .Release.Namespace }}.svc
+  database:
+    # Database driver
+    type: pgsql
+    options:
+      # PostgreSQL Connection string
+      # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
+      source: host=scanner-db.{{ .Release.Namespace }}.svc port=5432 user=postgres sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} statement_timeout=60000
+
+      # Number of elements kept in the cache
+      # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
+      cachesize: 16384
+
+  api:
+    httpsPort: 8080
+    grpcPort: 8443
+
+  updater:
+    # Frequency with which the scanner will poll for vulnerability updates.
+    interval: 5m
+
+  logLevel: {{ ._rox.scanner.logLevel }}
+
+  # The scanner intentionally avoids extracting or analyzing any files
+  # larger than the following default sizes to prevent DoS attacks.
+  # Leave these commented to use a reasonable default.
+
+  # The max size of files in images that are extracted.
+  # Increasing this number increases memory pressure.
+  # maxExtractableFileSizeMB: 200
+  # The max size of ELF executable files that are analyzed.
+  # Increasing this number may increase disk pressure.
+  # maxELFExecutableFileSizeMB: 800
+  # The max size of image file reader buffer. Image file data beyond this limit are overflowed to temporary files on disk.
+  # maxImageFileReaderBufferSizeMB: 100
+
+  exposeMonitoring: false

4.3.6/central-services/config/central/config.yaml.default

@@ -0,0 +1,7 @@
+maintenance:
+  safeMode: false # When set to true, Central will sleep forever on the next restart
+  compaction:
+    enabled: true
+    bucketFillFraction: .5 # This controls how densely to compact the buckets. Usually not advised to modify
+    freeFractionThreshold: 0.75 # This is the threshold for free bytes / total bytes after which compaction will occur
+  forceRollbackVersion: none # This is the config and target rollback version after upgrade complete.

4.3.6/central-services/config/central/endpoints.yaml.default

@@ -0,0 +1,31 @@
+# Sample endpoints.yaml configuration for StackRox Central.
+#
+# # CAREFUL: If the following line is uncommented, do not expose the default endpoint on port 8443 by default.
+# #          This will break normal operation.
+# disableDefault: true # if true, don't serve on :8443
+# endpoints:
+#   # Serve plaintext HTTP only on port 8080
+#   - listen: ":8080"
+#     # Backend protocols, possible values are 'http' and 'grpc'. If unset or empty, assume both.
+#     protocols:
+#       - http
+#     tls:
+#       # Disable TLS. If this is not specified, assume TLS is enabled.
+#       disable: true
+#   # Serve HTTP and  gRPC for sensors only on port 8444
+#   - listen: ":8444"
+#     tls:
+#       # Which TLS certificates to serve, possible values are 'service' (StackRox-generated service certificates)
+#       # and 'default' (user-configured default TLS certificate). If unset or empty, assume both.
+#       serverCerts:
+#         - default
+#         - service
+#       # Client authentication settings.
+#       clientAuth:
+#         # Enforce TLS client authentication. If unset, do not enforce, only request certificates
+#         # opportunistically.
+#         required: true
+#         # Which TLS client CAs to serve, possible values are 'service' (CA for StackRox-generated service
+#         # certificates) and 'user' (CAs for PKI auth providers). If unset or empty, assume both.
+#         certAuthorities: # if not set, assume ["user", "service"]
+#           - service