Initial commit (#1)

* Initial commit

* signed commit

* Update Makefile

* deleting values.yaml file

* added release.yml file

* added resources to containers

* added codeowners

.github/workflows/CODEOWNERS

@@ -0,0 +1,2 @@
+* @metal-toolbox/hollow-core
+* @metal-toolbox/security-core

.github/workflows/helm-library-ci.yml

@@ -0,0 +1,20 @@
+name: helm-test
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  workflow_dispatch:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+
+      - name: Run a one-line script
+        run: cd charts/audittail/tests && helm dependency update ./consumerapp && helm template consumerapp ./consumerapp/ --debug

.github/workflows/helm-release.yml

@@ -0,0 +1,34 @@
+name: Release Charts
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  release:
+    permissions:
+      contents: write
+      packages: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "hnadiminti-equinix"
+          git config user.email "hari.nadiminti@eu.equinix.com"
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@v1.4.1
+        with:
+          charts_dir: charts
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/release.yml

@@ -0,0 +1,28 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - v**
+
+jobs:
+  auto-release:
+    name: Create Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        with:
+          generate_release_notes: true
+
+  container-main:
+    uses: metal-toolbox/container-push/.github/workflows/container-push.yml@main
+    with:
+      name: audittail
+      tag: ${GITHUB_REF_NAME}
+      dockerfile_path: images/audittail/Dockerfile

.github/workflows/security.yml

@@ -0,0 +1,58 @@
+---
+name: security
+
+# Run for all pushes to main and pull requests when Go or YAML files change
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '23 20 * * 2'
+
+jobs:
+  scan-trivy:
+    name: sec-scan-trivy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout 
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          security-checks: 'vuln,config,secret'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'HIGH,CRITICAL'
+          skip-dirs: 'tests'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+  scan-anchore:
+    name: sec-scan-anchore
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout 
+        uses: actions/checkout@v3
+
+      - name: Scan current project
+        id: codescan
+        uses: anchore/scan-action@v3
+        with:
+          path: "."
+          severity-cutoff: high
+          acs-report-enable: true
+
+      - name: upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v2
+        if: ${{ always() }}
+        with:
+          sarif_file: ${{ steps.codescan.outputs.sarif }}

Makefile

@@ -0,0 +1,14 @@
+TAG?=
+
+
+.PHONY: release
+release: ## Issues a release
+	@test -n "$(TAG)" || (echo "The TAG variable must be set" && exit 1)
+	@echo "Releasing $(TAG)"
+	git checkout -b "release-$(TAG)"
+	sed -i -E s/v[0-9]+\.[0-9]+\.[0-9]+/$(TAG)/ charts/audittail/templates/_values.tpl
+	git add charts/audittail/templates/_values.tpl
+	git commit -m "Release $(TAG)"
+	git tag -m "Release $(TAG)" "$(TAG)"
+	git push origin "release-$(TAG)"
+	git push origin "$(TAG)"

charts/audittail/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: audittail
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: library
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0

charts/audittail/templates/_args.tpl

@@ -0,0 +1,13 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Kubernetes container arguments
+*/}}
+{{- define "audittail.args" -}}
+- '-f'
+- '/app-audit/audit.log'
+{{- end -}}
+
+{{- define "audittail.initargs" -}}
+- 'init'
+{{ include "audittail.args" .}}
+{{- end -}}

charts/audittail/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "audittail.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "audittail.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "audittail.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "audittail.labels" -}}
+helm.sh/chart: {{ include "audittail.chart" . }}
+{{ include "audittail.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "audittail.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "audittail.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "audittail.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "audittail.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/audittail/templates/_initContainer.tpl

@@ -0,0 +1,12 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Kubernetes Init Container
+*/}}
+{{- define "audittail.initContainer" -}}
+  - image: {{ include "audittail.image" .}}
+  name: {{ template "audittail.initContainerName" }}
+  args: {{ include "audittail.initargs" . | nindent 4}}
+  securityContext: {{ include "audittail.securityContext" . | nindent 4}}
+  resources: {{ include "audittail.resources" . | nindent 4}}
+  volumeMounts: {{ include "audittail.volumeMount" . | nindent 4}}
+{{- end -}}

charts/audittail/templates/_resources.tpl

@@ -0,0 +1,12 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Kubernetes Container Resources
+*/}}
+{{- define "audittail.resources" -}}
+requests:
+  memory: "128Mi"
+  cpu: "100m"
+limits:
+  memory: "256Mi"
+  cpu: "200m"
+{{- end -}}

charts/audittail/templates/_securityContext.tpl

@@ -0,0 +1,8 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Kubernetes Container Security Context
+*/}}
+{{- define "audittail.securityContext" -}}
+allowPrivilegeEscalation: false
+runAsNonRoot: true
+{{- end -}}

charts/audittail/templates/_sidecarContainer.tpl

@@ -0,0 +1,13 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Kubernetes Init Container
+*/}}
+{{- define "audittail.sidecarContainer" -}}
+  - image: {{ include "audittail.image" .}}
+  name: {{ template "audittail.sidecarContainerName" }}
+  args: {{ include "audittail.args" .| nindent 4}}
+  securityContext: {{ include "audittail.securityContext" . | nindent 4}}
+  resources: {{ include "audittail.resources" . | nindent 4}}
+  volumeMounts: {{ include "audittail.volumeMount" . | nindent 4}}
+      readOnly: true
+{{- end -}}

charts/audittail/templates/_values.tpl

@@ -0,0 +1,36 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+audittail log path
+*/}}
+
+{{- define "audittail.auditLogPath" -}}
+{{- printf "/app-audit/audit.log" -}}
+{{- end -}}
+
+
+{{- define "audittail.image" -}}
+{{- if .Values.auditailImage -}}
+{{- .Values.auditailImage -}}
+{{- else -}}
+{{- printf "ghcr.io/metal-toolbox/audittail:v0.5.1" -}}
+{{- end -}}
+{{- end -}}
+
+
+{{- define "audittail.volumeName" -}}
+{{- printf "audit-logs" -}}
+{{- end -}}
+
+
+{{- define "audittail.mountPath" -}}
+{{- printf "/app-audit" -}}
+{{- end -}}
+
+
+{{- define "audittail.initContainerName" -}}
+{{- printf "init-audit-logs" -}}
+{{- end -}}
+
+{{- define "audittail.sidecarContainerName" -}}
+{{- printf "audit-logger" -}}
+{{- end -}}

charts/audittail/templates/_volume.tpl

@@ -0,0 +1,8 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Kubernetes Volumes
+*/}}
+{{- define "audittail.volume" -}}
+- name: {{ template "audittail.volumeName" }}
+  emptyDir: {}
+{{- end -}}

charts/audittail/templates/_volumeMount.tpl

@@ -0,0 +1,8 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Kubernetes Volume Mounts
+*/}}
+{{- define "audittail.volumeMount" -}}
+- mountPath: {{ template "audittail.mountPath" }}
+  name: {{ template "audittail.volumeName" }}
+{{- end -}}

charts/audittail/tests/consumerapp/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/