From 62dacb011eff39cc1570f5b4c5130d00f8a1bd4d Mon Sep 17 00:00:00 2001 
From: Hari N <99889761+hnadiminti-equinix@users.noreply.github.com> Date: Thu, 22 Dec 2022 17:43:50 +0000 Subject: [PATCH] Initial commit (#1) * Initial commit * signed commit * Update Makefile * deleting values.yaml file * added release.yml file * added resources to containers * added codeowners --- .github/workflows/CODEOWNERS | 2 + .github/workflows/helm-library-ci.yml | 20 ++++++ .github/workflows/helm-release.yml | 34 ++++++++++ .github/workflows/release.yml | 28 +++++++++ .github/workflows/security.yml | 58 +++++++++++++++++ Makefile | 14 +++++ charts/audittail/Chart.yaml | 18 ++++++ charts/audittail/templates/_args.tpl | 13 ++++ charts/audittail/templates/_helpers.tpl | 62 +++++++++++++++++++ charts/audittail/templates/_initContainer.tpl | 12 ++++ charts/audittail/templates/_resources.tpl | 12 ++++ .../audittail/templates/_securityContext.tpl | 8 +++ .../audittail/templates/_sidecarContainer.tpl | 13 ++++ charts/audittail/templates/_values.tpl | 36 +++++++++++ charts/audittail/templates/_volume.tpl | 8 +++ charts/audittail/templates/_volumeMount.tpl | 8 +++ .../audittail/tests/consumerapp/.helmignore | 23 +++++++ charts/audittail/tests/consumerapp/Chart.yaml | 29 +++++++++ .../tests/consumerapp/templates/_helpers.tpl | 62 +++++++++++++++++++ .../consumerapp/templates/deployment.yaml | 31 ++++++++++ 20 files changed, 491 insertions(+) create mode 100644 .github/workflows/CODEOWNERS create mode 100644 .github/workflows/helm-library-ci.yml create mode 100644 .github/workflows/helm-release.yml create mode 100644 .github/workflows/release.yml create mode 100644 .github/workflows/security.yml create mode 100644 Makefile create mode 100644 charts/audittail/Chart.yaml create mode 100644 charts/audittail/templates/_args.tpl create mode 100644 charts/audittail/templates/_helpers.tpl create mode 100644 charts/audittail/templates/_initContainer.tpl create mode 100644 charts/audittail/templates/_resources.tpl create mode 100644 
charts/audittail/templates/_securityContext.tpl create mode 100644 charts/audittail/templates/_sidecarContainer.tpl create mode 100644 charts/audittail/templates/_values.tpl create mode 100644 charts/audittail/templates/_volume.tpl create mode 100644 charts/audittail/templates/_volumeMount.tpl create mode 100644 charts/audittail/tests/consumerapp/.helmignore create mode 100644 charts/audittail/tests/consumerapp/Chart.yaml create mode 100644 charts/audittail/tests/consumerapp/templates/_helpers.tpl create mode 100644 charts/audittail/tests/consumerapp/templates/deployment.yaml diff --git a/.github/workflows/CODEOWNERS b/.github/workflows/CODEOWNERS new file mode 100644 index 0000000..2fa7ee3 --- /dev/null +++ b/.github/workflows/CODEOWNERS @@ -0,0 +1,2 @@ +* @metal-toolbox/hollow-core +* @metal-toolbox/security-core diff --git a/.github/workflows/helm-library-ci.yml b/.github/workflows/helm-library-ci.yml new file mode 100644 index 0000000..83bef2f --- /dev/null +++ b/.github/workflows/helm-library-ci.yml @@ -0,0 +1,20 @@ +name: helm-test +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + workflow_dispatch: +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Install Helm + uses: azure/setup-helm@v3 + with: + version: v3.10.0 + + - name: Run a one-line script + run: cd charts/audittail/tests && helm dependency update ./consumerapp && helm template consumerapp ./consumerapp/ --debug diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml new file mode 100644 index 0000000..7c7400b --- /dev/null +++ b/.github/workflows/helm-release.yml 
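Review bot: GitHub only evaluates a CODEOWNERS file located at the repository root, in `docs/`, or in `.github/`, so `.github/workflows/CODEOWNERS` is never read and neither team is actually requested for review; move it to `.github/CODEOWNERS` and pair it with "Require review from Code Owners" in branch protection so changes to the release workflows and chart are gated. CODEOWNERS is last-match-wins, so even once the file is in a recognised location the two identical `*` patterns would leave only `@metal-toolbox/security-core` as owner and silently drop `@metal-toolbox/hollow-core`; if both teams should own everything, put them on one line: `* @metal-toolbox/hollow-core @metal-toolbox/security-core`.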
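Review bot: The `build` job declares no `permissions:`, so it inherits the repository's default `GITHUB_TOKEN` scope (possibly read/write) for a job that only needs to read the checkout; add `permissions:` / `  contents: read` at the workflow level. `actions/checkout@v3` and `azure/setup-helm@v3` are floating major tags, so a moved or compromised tag changes what runs on every pull request without any change in this repository; pin each `uses:` to a full commit SHA with the version in a trailing comment. `helm template --debug` only renders the chart and never validates the output against the Kubernetes schema, so a rendering mistake such as a `securityContext` map landing at the same indentation as its key would still pass this job; piping the output through `kubeconform -strict` or `kubectl apply --dry-run=server` would catch that.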
@@ -0,0 +1,34 @@ +name: Release Charts + +on: + push: + branches: + - master + +jobs: + release: + permissions: + contents: write + packages: write + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Configure Git + run: | + git config user.name "hnadiminti-equinix" + git config user.email "hari.nadiminti@eu.equinix.com" + - name: Install Helm + uses: azure/setup-helm@v3 + with: + version: v3.10.0 + + - name: Run chart-releaser + uses: helm/chart-releaser-action@v1.4.1 + with: + charts_dir: charts + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..78a77e6 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,28 @@ +name: Release + +on: + push: + tags: + - v** + +jobs: + auto-release: + name: Create Release + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Release + uses: softprops/action-gh-release@v1 + with: + generate_release_notes: true + + container-main: + uses: metal-toolbox/container-push/.github/workflows/container-push.yml@main + with: + name: audittail + tag: ${GITHUB_REF_NAME} + dockerfile_path: images/audittail/Dockerfile diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..c395ba7 --- /dev/null +++ b/.github/workflows/security.yml 
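Review bot: This workflow triggers on pushes to `master`, while `helm-library-ci.yml` and `security.yml` in the same commit trigger on `main`; if the default branch is `main` the chart release never runs, and if a `master` branch is ever created by someone with push access it would publish charts with `contents: write` and `packages: write` from a branch that CI and scanning do not cover. Change the trigger to `branches: [main]` or gate it on the same tag pattern as `release.yml`. The `Configure Git` step hard-codes a personal identity (`hnadiminti-equinix` / `hari.nadiminti@eu.equinix.com`) for commits made with the bot token, which misattributes automated release commits and breaks when that account goes away; use `git config user.name "$GITHUB_ACTOR"` and `git config user.email "$GITHUB_ACTOR@users.noreply.github.com"` as chart-releaser documents, or the `github-actions[bot]` identity. `helm/chart-releaser-action@v1.4.1`, checkout and setup-helm are tag-pinned in a job holding write tokens; a commit-SHA pin is the safer choice here.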
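Review bot: `tag: ${GITHUB_REF_NAME}` is a `with:` input to a reusable workflow, not a shell command, so `${...}` is never expanded and the literal string `${GITHUB_REF_NAME}` is passed as the container tag; use the expression form `tag: ${{ github.ref_name }}`. The reusable workflow is referenced as `metal-toolbox/container-push/.github/workflows/container-push.yml@main`, a mutable branch, so whoever can push to that branch controls the job that builds and publishes this repository's image on every `v**` tag; pin it to a release tag or commit SHA. `dockerfile_path: images/audittail/Dockerfile` points at a file that does not appear anywhere in this commit's diffstat, so the `container-main` job will presumably fail until the image sources are added or the path corrected. `softprops/action-gh-release@v1` is a floating tag running with `contents: write`; a SHA pin is preferable.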
@@ -0,0 +1,58 @@ +--- +name: security + +# Run for all pushes to main and pull requests when Go or YAML files change +on: + push: + branches: + - main + pull_request: + # The branches below must be a subset of the branches above + branches: [ main ] + schedule: + - cron: '23 20 * * 2' + +jobs: + scan-trivy: + name: sec-scan-trivy + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + security-checks: 'vuln,config,secret' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'HIGH,CRITICAL' + skip-dirs: 'tests' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + scan-anchore: + name: sec-scan-anchore + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Scan current project + id: codescan + uses: anchore/scan-action@v3 + with: + path: "." + severity-cutoff: high + acs-report-enable: true + + - name: upload Anchore scan SARIF report + uses: github/codeql-action/upload-sarif@v2 + if: ${{ always() }} + with: + sarif_file: ${{ steps.codescan.outputs.sarif }} diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..5034fd9 --- /dev/null +++ b/Makefile @@ -0,0 +1,14 @@ +TAG?= + + +.PHONY: release +release: ## Issues a release + @test -n "$(TAG)" || (echo "The TAG variable must be set" && exit 1) + @echo "Releasing $(TAG)" + git checkout -b "release-$(TAG)" + sed -i -E s/v[0-9]+\.[0-9]+\.[0-9]+/$(TAG)/ charts/audittail/templates/_values.tpl + git add charts/audittail/templates/_values.tpl + git commit -m "Release $(TAG)" + git tag -m "Release $(TAG)" "$(TAG)" + git push origin "release-$(TAG)" + git push origin "$(TAG)" diff --git a/charts/audittail/Chart.yaml b/charts/audittail/Chart.yaml new file mode 100644 index 0000000..9ce4843 
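Review bot: `aquasecurity/trivy-action@master` pins the scanner to a moving branch, so the code that runs here on every pull request with the repository checked out changes whenever upstream pushes, and a compromised upstream could both weaken the scan and execute arbitrary steps; pin it to a release tag or, better, a commit SHA like the other actions. No `permissions:` block is declared even though `upload-sarif` needs `security-events: write`, so this only works while the token inherits the default scope; make it explicit and minimal with `permissions:` / `  contents: read` / `  security-events: write` (SARIF upload is also unavailable on `pull_request` runs from forks, which `if: always()` will surface as a failed step). `skip-dirs: 'tests'` excludes `charts/audittail/tests`, which is the only place a Deployment is actually rendered, so Trivy's `config` checks never see the manifest that exercises the library's security context; drop the skip or scan the `helm template` output instead. `acs-report-enable: true` looks like a legacy `anchore/scan-action` input; confirm the pinned `v3` still emits the `sarif` output the next step reads, or switch to the current `output-format: sarif` if that is what it expects.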
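Review bot: `TAG` is only checked for non-emptiness before being spliced into a `sed` expression, a branch name and a tag name, so a value containing `/` or `&` breaks the unquoted `s/.../$(TAG)/` substitution and a value that does not look like `vX.Y.Z` cuts a release while rewriting nothing in `_values.tpl`; validate the shape first, e.g. `@echo "$(TAG)" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$$' || (echo "TAG must look like vX.Y.Z" && exit 1)`. The commit message mentions signed commits, but `git tag -m` creates an unsigned annotated tag and `git commit` is unsigned unless `commit.gpgsign` happens to be set; since `release.yml` builds and publishes a container from any `v**` tag, use `git tag -s` and `git commit -S` so the tag that triggers the release is verifiable. The `sed` expression is unquoted, so the shell strips the `\.` escapes before `sed` sees them (the regex degrades to `v[0-9]+.[0-9]+.[0-9]+`), and `-i -E` is GNU-specific; quoting it as `'s/v[0-9]+\.[0-9]+\.[0-9]+/$(TAG)/'` keeps the pattern intact.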
--- /dev/null +++ b/charts/audittail/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +name: audittail +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: library + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 1.0.0 diff --git a/charts/audittail/templates/_args.tpl b/charts/audittail/templates/_args.tpl new file mode 100644 index 0000000..6dbe429 --- /dev/null +++ b/charts/audittail/templates/_args.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes container arguments +*/}} +{{- define "audittail.args" -}} +- '-f' +- '/app-audit/audit.log' +{{- end -}} + +{{- define "audittail.initargs" -}} +- 'init' +{{ include "audittail.args" .}} +{{- end -}} diff --git a/charts/audittail/templates/_helpers.tpl b/charts/audittail/templates/_helpers.tpl new file mode 100644 index 0000000..96b17e7 --- /dev/null +++ b/charts/audittail/templates/_helpers.tpl 
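Review bot: The log path is hard-coded here as `'/app-audit/audit.log'` while `_values.tpl` in the same commit defines `audittail.auditLogPath` for exactly that string and the consumer passes `--audit-log-path={{ template "audittail.auditLogPath" }}` to the app, so the two copies can drift until the sidecar tails a file the application never writes. Derive the argument from the helper instead: `- '{{ include "audittail.auditLogPath" . }}'`. The meaning of the `init` subcommand and the `-f` flag is audittail CLI behaviour not visible in this chart; a one-line comment above `audittail.initargs` stating what `init` does to the log file (presumably creating it with permissions the app container can write to) would save consumers a trip to the image's source.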
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "audittail.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "audittail.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "audittail.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "audittail.labels" -}} +helm.sh/chart: {{ include "audittail.chart" . }} +{{ include "audittail.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "audittail.selectorLabels" -}} +app.kubernetes.io/name: {{ include "audittail.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "audittail.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "audittail.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/charts/audittail/templates/_initContainer.tpl b/charts/audittail/templates/_initContainer.tpl new file mode 100644 index 0000000..8925fa6 --- /dev/null +++ b/charts/audittail/templates/_initContainer.tpl @@ -0,0 +1,12 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes Init Container +*/}} +{{- define "audittail.initContainer" -}} + - image: {{ include "audittail.image" .}} + name: {{ template "audittail.initContainerName" }} + args: {{ include "audittail.initargs" . | nindent 4}} + securityContext: {{ include "audittail.securityContext" . | nindent 4}} + resources: {{ include "audittail.resources" . | nindent 4}} + volumeMounts: {{ include "audittail.volumeMount" . | nindent 4}} +{{- end -}} diff --git a/charts/audittail/templates/_resources.tpl b/charts/audittail/templates/_resources.tpl new file mode 100644 index 0000000..723fc4e --- /dev/null +++ b/charts/audittail/templates/_resources.tpl @@ -0,0 +1,12 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes Container Resources +*/}} +{{- define "audittail.resources" -}} +requests: + memory: "128Mi" + cpu: "100m" +limits: + memory: "256Mi" + cpu: "200m" +{{- end -}} diff --git a/charts/audittail/templates/_securityContext.tpl b/charts/audittail/templates/_securityContext.tpl new file mode 100644 index 0000000..93f2f10 --- /dev/null +++ b/charts/audittail/templates/_securityContext.tpl @@ -0,0 +1,8 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes Container Security Context +*/}} +{{- define "audittail.securityContext" -}} +allowPrivilegeEscalation: false +runAsNonRoot: true +{{- end -}} diff --git a/charts/audittail/templates/_sidecarContainer.tpl b/charts/audittail/templates/_sidecarContainer.tpl new file mode 100644 index 0000000..ba39f21 --- /dev/null +++ b/charts/audittail/templates/_sidecarContainer.tpl 
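Review bot: The nested maps are rendered with `| nindent 4`, but the list item itself appears indented (`  - image:` with its keys at column 4, as far as the collapsed whitespace in the patch allows reading); if the keys really are at column 4, the `securityContext:`, `resources:` and `volumeMounts:` bodies land at the same column as their keys, YAML then reads `allowPrivilegeEscalation`, `runAsNonRoot`, `requests` and `limits` as container-level fields, `securityContext` becomes null, and the hardening silently disappears while the API server drops or rejects the unknown keys. Either emit the list item at column 0 (`- image:` / `  name:`) so `nindent 4` is correct, or render the nested maps with `nindent 6`, and confirm with `helm template ... | kubeconform -strict` in CI, since `--debug` only checks template syntax. The same layout is used by `_sidecarContainer.tpl` and should be fixed in both places.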
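Review bot: The requests and limits are fixed with no `.Values` override, so a consumer whose application emits a high-volume audit log cannot raise the sidecar's `256Mi` memory limit, and an OOM-killed tailer is a gap in the audit trail rather than a mere performance issue. Keep these numbers as defaults but resolve them through a value, e.g. `{{- toYaml (default (dict "requests" ... "limits" ...) .Values.audittail.resources) -}}`, and document the default in a comment above the define.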
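Review bot: `allowPrivilegeEscalation: false` and `runAsNonRoot: true` alone do not meet the Pod Security Standards `restricted` profile, which also requires all capabilities dropped and a `seccompProfile`, so any namespace enforcing `restricted` rejects pods that embed these containers even though the chart's purpose is hardening. Add `capabilities: drop: ["ALL"]` and `seccompProfile: type: RuntimeDefault`, and `readOnlyRootFilesystem: true` is appropriate as well if the audittail image needs no writable path other than the shared `emptyDir` (not verifiable from this chart — confirm against the image). `runAsNonRoot: true` without `runAsUser` relies on the image's `USER` directive; the kubelet refuses to start the container if the image runs as root, which is the right failure mode but deserves a comment here so consumers are not surprised.

```yaml
{{- define "audittail.securityContext" -}}
{{/* … unchanged: allowPrivilegeEscalation, runAsNonRoot … */}}
readOnlyRootFilesystem: true
capabilities:
  drop: ["ALL"]
seccompProfile:
  type: RuntimeDefault
{{- end -}}
```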
@@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes Init Container +*/}} +{{- define "audittail.sidecarContainer" -}} + - image: {{ include "audittail.image" .}} + name: {{ template "audittail.sidecarContainerName" }} + args: {{ include "audittail.args" .| nindent 4}} + securityContext: {{ include "audittail.securityContext" . | nindent 4}} + resources: {{ include "audittail.resources" . | nindent 4}} + volumeMounts: {{ include "audittail.volumeMount" . | nindent 4}} + readOnly: true +{{- end -}} diff --git a/charts/audittail/templates/_values.tpl b/charts/audittail/templates/_values.tpl new file mode 100644 index 0000000..8dd94c5 --- /dev/null +++ b/charts/audittail/templates/_values.tpl @@ -0,0 +1,36 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +audittail log path +*/}} + +{{- define "audittail.auditLogPath" -}} +{{- printf "/app-audit/audit.log" -}} +{{- end -}} + + +{{- define "audittail.image" -}} +{{- if .Values.auditailImage -}} +{{- .Values.auditailImage -}} +{{- else -}} +{{- printf "ghcr.io/metal-toolbox/audittail:v0.5.1" -}} +{{- end -}} +{{- end -}} + + +{{- define "audittail.volumeName" -}} +{{- printf "audit-logs" -}} +{{- end -}} + + +{{- define "audittail.mountPath" -}} +{{- printf "/app-audit" -}} +{{- end -}} + + +{{- define "audittail.initContainerName" -}} +{{- printf "init-audit-logs" -}} +{{- end -}} + +{{- define "audittail.sidecarContainerName" -}} +{{- printf "audit-logger" -}} +{{- end -}} diff --git a/charts/audittail/templates/_volume.tpl b/charts/audittail/templates/_volume.tpl new file mode 100644 index 0000000..3982700 --- /dev/null +++ b/charts/audittail/templates/_volume.tpl @@ -0,0 +1,8 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes Volumes +*/}} +{{- define "audittail.volume" -}} +- name: {{ template "audittail.volumeName" }} + emptyDir: {} +{{- end -}} 
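Review bot: `readOnly: true` at the end of the container entry is a sibling of `volumeMounts:`, not a field of the mount, and `readOnly` is not a container field, so the sidecar actually receives a read-write mount of the audit volume and the intended read-only tailer is lost (the API server drops or rejects the stray key depending on field validation). Put the flag on the mount entry instead, e.g. `- mountPath: {{ template "audittail.mountPath" }}` / `  name: {{ template "audittail.volumeName" }}` / `  readOnly: true`, ideally as a separate `audittail.volumeMountReadOnly` helper while the app and init containers keep the read-write `audittail.volumeMount`. The header comment says `Kubernetes Init Container`, copied from `_initContainer.tpl`; it should read `Kubernetes Sidecar Container`. The `nindent 4` bodies under an indented list item have the same indentation concern as the init container template and should be checked in rendered output.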
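Review bot: The override key is spelled `auditailImage` (one `t`) while every other identifier in the chart uses `audittail`, so a consumer who sets `audittailImage:` in values gets no error and silently keeps the hard-coded default; change the lookup to `.Values.audittailImage` (a fallback to the old key can be kept for one release). The default `ghcr.io/metal-toolbox/audittail:v0.5.1` is pinned by mutable tag, so the sidecar trusted to preserve audit logs can change content under the same name; pin by digest (`ghcr.io/metal-toolbox/audittail:v0.5.1@sha256:…`) and adjust the `Makefile` `sed`, which currently rewrites only the `vX.Y.Z` token. `audittail.auditLogPath` and `audittail.mountPath` both spell out `/app-audit`; deriving the log path from the mount path (`printf "%s/audit.log" (include "audittail.mountPath" .)`) removes one place for them to drift apart.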
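Review bot: The `audit-logs` `emptyDir: {}` has no `sizeLimit`, so an application that logs heavily — or one an attacker can make log — fills the node's ephemeral storage and can evict neighbouring pods; bound it with `emptyDir:` / `  sizeLimit: 1Gi` and expose the size through values. A bounded emptyDir evicts the pod once the limit is exceeded, which also drops any audit lines the sidecar has not shipped yet, so the limit has to be sized against the tailer's shipping rate; that behaviour lives in the audittail image and is not visible from this chart.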
diff --git a/charts/audittail/templates/_volumeMount.tpl b/charts/audittail/templates/_volumeMount.tpl new file mode 100644 index 0000000..148dc55 --- /dev/null +++ b/charts/audittail/templates/_volumeMount.tpl @@ -0,0 +1,8 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes Volume Mounts +*/}} +{{- define "audittail.volumeMount" -}} +- mountPath: {{ template "audittail.mountPath" }} + name: {{ template "audittail.volumeName" }} +{{- end -}} diff --git a/charts/audittail/tests/consumerapp/.helmignore b/charts/audittail/tests/consumerapp/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/audittail/tests/consumerapp/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/audittail/tests/consumerapp/Chart.yaml b/charts/audittail/tests/consumerapp/Chart.yaml new file mode 100644 index 0000000..be6c039 --- /dev/null +++ b/charts/audittail/tests/consumerapp/Chart.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v2 +name: consumerapp +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" + +dependencies: + - name: audittail + version: 1.0.0 + repository: file://../../../audittail diff --git a/charts/audittail/tests/consumerapp/templates/_helpers.tpl b/charts/audittail/tests/consumerapp/templates/_helpers.tpl new file mode 100644 index 0000000..71d3926 --- /dev/null +++ b/charts/audittail/tests/consumerapp/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "consumerapp.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "consumerapp.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "consumerapp.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "consumerapp.labels" -}} +helm.sh/chart: {{ include "consumerapp.chart" . }} +{{ include "consumerapp.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "consumerapp.selectorLabels" -}} +app.kubernetes.io/name: {{ include "consumerapp.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "consumerapp.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "consumerapp.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/charts/audittail/tests/consumerapp/templates/deployment.yaml b/charts/audittail/tests/consumerapp/templates/deployment.yaml new file mode 100644 index 0000000..a51142f --- /dev/null +++ b/charts/audittail/tests/consumerapp/templates/deployment.yaml @@ -0,0 +1,31 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-app + labels: + app: k8s-app +spec: + replicas: 1 + selector: + matchLabels: + app: k8s + template: + metadata: + labels: + app: k8s + spec: + initContainers: + {{- include "audittail.initContainer" .| nindent 8 }} + containers: + - image: nginx:1.0 + name: nginx + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + args: + - --audit-log-path={{ template "audittail.auditLogPath" }} + volumeMounts: + {{- include "audittail.volumeMount" . | nindent 12}} + {{- include "audittail.sidecarContainer" .| nindent 8 }} + volumes: + {{- include "audittail.volume" . | nindent 8}}
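Review bot: The fixture container is `nginx:1.0` with `runAsNonRoot: true`; no `1.0` tag appears to exist for the official nginx image, and the stock nginx image starts as root, so this pod would fail to pull or be refused by the kubelet, meaning the only consumer example of the library cannot actually be applied and is exercised solely by `helm template`. Either use a pinned non-root image that understands an `--audit-log-path`-style flag, or state the intent with a comment such as `# render-only fixture for helm-library-ci; not deployable as-is`. `metadata.labels` uses `app: k8s-app` while the selector and pod template use `app: k8s`, which is harmless but leaves the `consumerapp.labels` / `consumerapp.selectorLabels` helpers from `_helpers.tpl` unused. The pod spec sets no pod-level `securityContext` (`seccompProfile`, `fsGroup` for the shared volume) and does not set `automountServiceAccountToken: false`, both of which would make the fixture a better demonstration of the hardening the library is meant to provide.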