Merge branch 'main' of github.com:GDATASoftwareAG/gdscan

GDATASoftwareAG · Feb 10, 2023 · 94dc2c6 · 94dc2c6
2 parents d3e6a8b + f903c9c
commit 94dc2c6
Show file tree

Hide file tree

Showing 12 changed files with 346 additions and 37 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+*-local.yaml
diff --git a/README.md b/README.md
@@ -11,7 +11,7 @@ The chart deploys one pod, consisting of two containers:
 
 ## Usage
 
-1. Contact G DATA to get an access token (free trail possible): [Contact us](mailto:oem@gdata.de)
+1. Contact G DATA to get an access token (free trial possible): [Contact us](mailto:oem@gdata.de)
 
 The token has to be set in the `secret.dockerconfigjson` variable on deployment.
 
@@ -46,7 +46,7 @@ helm upgrade gdscan  gdscan/gdscan -f values.yaml
 
 ## Pricing
 
-For pricing details please [contact us](mailto:oem@gdata.de). A free trail is possible.
+For pricing details please [contact us](mailto:oem@gdata.de). A free trial is possible.
 
 
 # Options

diff --git a/charts/gdscan/Chart.yaml b/charts/gdscan/Chart.yaml
@@ -5,5 +5,4 @@ maintainers:
   - name: G DATA CyberDefense AG
     email: oem@gdata.de
 type: application
-version: 0.1.10
-appVersion: "1.0.2"
+version: 0.7.1
diff --git a/charts/gdscan/templates/_helpers.tpl b/charts/gdscan/templates/_helpers.tpl
@@ -50,3 +50,50 @@ app.kubernetes.io/name: {{ include "gdscan.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{- define "common.tplvalues.render" -}}
+    {{- if typeIs "string" .value }}
+        {{- tpl .value .context }}
+    {{- else }}
+        {{- tpl (.value | toYaml) .context }}
+    {{- end }}
+{{- end -}}
+
+{{- define "common.names.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "vaas.claimName" -}}
+{{- if and .Values.persistence.existingClaim }}
+    {{- printf "%s" (tpl .Values.persistence.existingClaim $) -}}
+{{- else -}}
+    {{- printf "%s" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "common.storage.class" -}}
+
+{{- $storageClass := .persistence.storageClass -}}
+{{- if .global -}}
+    {{- if .global.storageClass -}}
+        {{- $storageClass = .global.storageClass -}}
+    {{- end -}}
+{{- end -}}
+
+{{- if $storageClass -}}
+  {{- if (eq "-" $storageClass) -}}
+      {{- printf "storageClassName: \"\"" -}}
+  {{- else }}
+      {{- printf "storageClassName: %s" $storageClass -}}
+  {{- end -}}
+{{- end -}}
+
+{{- end -}}
diff --git a/charts/gdscan/templates/deployment.yaml b/charts/gdscan/templates/deployment.yaml
@@ -1,10 +1,13 @@
+{{- if or (.Values.persistence.enabled | not) (eq .Values.persistence.accessMode "ReadWriteMany" ) }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "gdscan.fullname" . }}
   labels:
     {{- include "gdscan.labels" . | nindent 4 }}
 spec:
+  strategy:
+    type: {{ .Values.deploymentStrategy }}
   {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
   {{- end }}
@@ -22,8 +25,16 @@ spec:
     spec:
       volumes:
         - name: samples
+        {{- if .Values.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ include "vaas.claimName" . }}
+        {{- else }}
           emptyDir:
-            sizeLimit: 32Gi
+            sizeLimit: {{ .Values.persistence.size | quote }}
+          {{- if .Values.persistence.memory }}
+            medium : "Memory"
+          {{- end }}
+        {{- end }}
         - name: scan-socket
           emptyDir: {}
       {{- with .Values.imagePullSecrets }}
@@ -35,25 +46,25 @@ spec:
           env:
             - name: date
               value: "{{ now | unixEpoch }}"
-          image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default .Chart.AppVersion }}"
+          image: '{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}'
           imagePullPolicy: {{ .Values.server.image.pullPolicy }}
           volumeMounts:
             - name: samples
               mountPath: /tmp/scan
             - name: scan-socket
               mountPath: /var/share/run
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+            {{- toYaml .Values.resources.server | nindent 12 }}
         - name: {{ .Values.client.name }}
-          image: "{{ .Values.client.image.repository }}:{{ .Values.client.image.tag | default .Chart.AppVersion }}"
+          image: '{{ .Values.client.image.repository }}:{{ .Values.client.image.tag | default "latest" }}'
           imagePullPolicy: {{ .Values.client.image.pullPolicy }}
           volumeMounts:
             - name: samples
               mountPath: /tmp/scan
             - name: scan-socket
               mountPath: /var/share/run
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+            {{- toYaml .Values.resources.client | nindent 12 }}
           ports:
             - name: api
               containerPort: 8080
@@ -82,3 +93,4 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+{{- end }}
diff --git a/charts/gdscan/templates/horizontal-pod-autoscaler.yaml b/charts/gdscan/templates/horizontal-pod-autoscaler.yaml
@@ -0,0 +1,26 @@
+{{- if and .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "gdscan.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "gdscan.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    {{- if and (.Values.persistence.enabled) (eq .Values.persistence.accessMode "ReadWriteOnce" ) }}
+    kind: StatefulSet
+    {{- else }}
+    kind: Deployment
+    {{- end }}
+    name: {{ include "gdscan.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPU }}
+{{- end }}
diff --git a/charts/gdscan/templates/persistent-volume-claim.yaml b/charts/gdscan/templates/persistent-volume-claim.yaml
@@ -0,0 +1,16 @@
+{{- if and (.Values.persistence.enabled) (eq .Values.persistence.accessMode "ReadWriteMany" ) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: 
+    {{- include "gdscan.selectorLabels" . | nindent 4 }}
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+  {{- include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) | nindent 2 }}
+{{- end }}
diff --git a/charts/gdscan/templates/secret.yaml b/charts/gdscan/templates/secret.yaml
@@ -1,8 +1,10 @@
+{{- if .Values.imagePullSecrets }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: gdscanregistry
   namespace: {{ .Release.Namespace }}
 data:
   .dockerconfigjson: {{ required "You need to set the dockerconfigjson for the private registry" .Values.secret.dockerconfigjson }}
-type: kubernetes.io/dockerconfigjson
+type: kubernetes.io/dockerconfigjson
+{{- end -}}
diff --git a/charts/gdscan/templates/stateful-set.yaml b/charts/gdscan/templates/stateful-set.yaml
@@ -0,0 +1,93 @@
+{{- if and (.Values.persistence.enabled) (eq .Values.persistence.accessMode "ReadWriteOnce" ) }}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "gdscan.fullname" . }}
+  labels:
+    {{- include "gdscan.labels" . | nindent 4 }}
+spec:
+  serviceName: {{ include "gdscan.fullname" . }}
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gdscan.selectorLabels" . | nindent 6 }}
+  volumeClaimTemplates:
+    - metadata:
+        name: samples
+      spec:
+        accessModes: [ "ReadWriteOnce" ]
+        {{- include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) | nindent 8 }}
+        resources:
+          requests:
+            storage: {{ .Values.persistence.size | quote }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gdscan.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets: 
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: scan-socket
+          emptyDir: {}
+      containers:
+        - name: {{ .Values.server.name }}
+          env:
+            - name: date
+              value: "{{ now | unixEpoch }}"
+          image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.server.image.pullPolicy }}
+          volumeMounts:
+            - name: samples
+              mountPath: /tmp/scan
+            - name: scan-socket
+              mountPath: /var/share/run
+          resources:
+            {{- toYaml .Values.resources.server | nindent 12 }}
+        - name: {{ .Values.client.name }}
+          image: "{{ .Values.client.image.repository }}:{{ .Values.client.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.client.image.pullPolicy }}
+          volumeMounts:
+            - name: samples
+              mountPath: /tmp/scan
+            - name: scan-socket
+              mountPath: /var/share/run
+          resources:
+            {{- toYaml .Values.resources.client | nindent 12 }}
+          ports:
+            - name: api
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: api
+            initialDelaySeconds: 5
+            periodSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: api
+            initialDelaySeconds: 5
+            periodSeconds: 5     
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}
diff --git a/charts/gdscan/templates/update.yaml b/charts/gdscan/templates/update.yaml
@@ -0,0 +1,85 @@
+{{- if .Values.autoUpdate.enabled -}}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: update
+  namespace: "{{ .Release.Namespace }}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: update
+  namespace: "{{ .Release.Namespace }}"
+rules:
+  - apiGroups: ["apps", "extensions"]
+    resources: ["deployments", "statefulsets"]
+    resourceNames: [{{ include "gdscan.fullname" . }}]
+    verbs:
+      ["get", "patch", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: update
+  namespace: "{{ .Release.Namespace }}"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: update
+subjects:
+  - kind: ServiceAccount
+    name: update
+    namespace: "{{ .Release.Namespace }}"
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: update
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  startingDeadlineSeconds: 300
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  concurrencyPolicy: Forbid
+  schedule: "{{ .Values.autoUpdate.schedule }}"
+  jobTemplate:
+    spec:
+      backoffLimit: 2
+      activeDeadlineSeconds: 600
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/name: update
+            app.kubernetes.io/namespace: "{{ .Release.Namespace }}"
+        spec:
+          serviceAccountName: update
+          restartPolicy: Never
+          containers:
+            - name: kubectl
+              image: bitnami/kubectl
+              command:
+                - "kubectl"
+                - "rollout"
+                - "restart"
+{{- if and (.Values.persistence.enabled) (eq .Values.persistence.accessMode "ReadWriteOnce" ) }}
+                - "statefulset/{{ include "gdscan.fullname" . }}"
+{{- else }}
+                - "deployment/{{ include "gdscan.fullname" . }}"
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: "{{ .Release.Name }}-update"
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: update
+      app.kubernetes.io/namespace: {{ .Release.Namespace }}
+  policyTypes:
+    - Egress
+  ingress: []
+  egress:
+    - ports:
+        - port: 6443
+{{- end}}