Merge pull request #586 from robertomlsoares/update-helm-chart

Helm Chart: Use Secret for config file. Fix some minor issues

contrib/helm/clair/templates/_config.yaml.tpl

@@ -0,0 +1,83 @@
+clair:
+  database:
+    # Database driver.
+    type: pgsql
+    options:
+      # PostgreSQL Connection string.
+      # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
+      {{- if .Values.config.postgresURI }}
+      source: "{{ .Values.config.postgresURI }}"
+      {{ else }}
+      source: "postgres://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@{{ template "postgresql.fullname" . }}:5432/{{ .Values.postgresql.postgresDatabase }}?sslmode=disable"
+      {{ end }}
+
+      # Number of elements kept in the cache.
+      # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
+      cachesize: 16384
+
+      # 32-bit URL-safe base64 key used to encrypt pagination tokens.
+      # If one is not provided, it will be generated.
+      # Multiple clair instances in the same cluster need the same value.
+      paginationkey: "{{ .Values.config.paginationKey }}"
+  api:
+    # v3 grpc/RESTful API server address.
+    addr: "0.0.0.0:{{ .Values.service.internalApiPort }}"
+
+    # Health server address.
+    # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server.
+    healthaddr: "0.0.0.0:{{ .Values.service.internalHealthPort }}"
+
+    # Deadline before an API request will respond with a 503.
+    timeout: 900s
+
+    # Optional PKI configuration.
+    # If you want to easily generate client certificates and CAs, try the following projects:
+    # https://github.com/coreos/etcd-ca
+    # https://github.com/cloudflare/cfssl
+    servername:
+    cafile:
+    keyfile:
+    certfile:
+
+  worker:
+    namespace_detectors:
+    {{- range $key, $value := .Values.config.enabledNamespaceDetectors }}
+    - {{ $value }}
+    {{- end }}
+
+    feature_listers:
+    {{- range $key, $value := .Values.config.enabledFeatureListers }}
+    - {{ $value }}
+    {{- end }}
+
+  updater:
+    # Frequency the database will be updated with vulnerabilities from the default data sources.
+    # The value 0 disables the updater entirely.
+    interval: "{{ .Values.config.updateInterval }}"
+    enabledupdaters:
+    {{- range $key, $value := .Values.config.enabledUpdaters }}
+    - {{ $value }}
+    {{- end }}
+
+  notifier:
+    # Number of attempts before the notification is marked as failed to be sent.
+    attempts: 3
+
+    # Duration before a failed notification is retried.
+    renotifyinterval: 2h
+
+    http:
+      # Optional endpoint that will receive notifications via POST requests.
+      endpoint: "{{ .Values.config.notificationWebhookEndpoint }}"
+
+      # Optional PKI configuration.
+      # If you want to easily generate client certificates and CAs, try the following projects:
+      # https://github.com/cloudflare/cfssl
+      # https://github.com/coreos/etcd-ca
+      servername:
+      cafile:
+      keyfile:
+      certfile:
+
+      # Optional HTTP Proxy: must be a valid URL (including the scheme).
+      proxy:

contrib/helm/clair/templates/_helpers.tpl

@@ -2,19 +2,29 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "name" -}}
+{{- define "clair.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
 */}}
-{{- define "fullname" -}}
+{{- define "clair.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+{{- end -}}
+{{- end -}}
 
+{{/*
 Create a default fully qualified postgresql name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}

contrib/helm/clair/templates/configmap.yaml

@@ -1,92 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ template "fullname" . }}
-  labels:
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-data:
-  config.yaml: |
-    clair:
-      database:
-        # Database driver
-        type: pgsql
-        options:
-          # PostgreSQL Connection string
-          # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
-          # This should be done using secrets or Vault, but for now this will also work
-          {{- if .Values.config.postgresURI }}
-          source: "{{ .Values.config.postgresURI }}"
-          {{ else }}
-          source: "postgres://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@{{ template "postgresql.fullname" . }}:5432/{{ .Values.postgresql.postgresDatabase }}?sslmode=disable"
-          {{ end }}
-
-          # Number of elements kept in the cache
-          # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
-          cachesize: 16384
-
-          # 32-bit URL-safe base64 key used to encrypt pagination tokens
-          # If one is not provided, it will be generated.
-          # Multiple clair instances in the same cluster need the same value.
-          paginationkey: "{{ .Values.config.paginationKey }}"
-      api:
-        # v3 grpc/RESTful API server address
-        addr: "0.0.0.0:6060"
-
-        # Health server address
-        # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server.
-        healthaddr: "0.0.0.0:6061"
-
-        # Deadline before an API request will respond with a 503
-        timeout: 900s
-
-        # Optional PKI configuration
-        # If you want to easily generate client certificates and CAs, try the following projects:
-        # https://github.com/coreos/etcd-ca
-        # https://github.com/cloudflare/cfssl
-        servername:
-        cafile:
-        keyfile:
-        certfile:
-
-      worker:
-        namespace_detectors:
-        {{- range $key, $value := .Values.config.enabledNamespaceDetectors }}
-        - {{ $value }}
-        {{- end }}
-
-        feature_listers:
-        {{- range $key, $value := .Values.config.enabledFeatureListers }}
-        - {{ $value }}
-        {{- end }}
-
-      updater:
-        # Frequency the database will be updated with vulnerabilities from the default data sources
-        # The value 0 disables the updater entirely.
-        interval: "{{ .Values.config.updateInterval }}"
-        enabledupdaters:
-        {{- range $key, $value := .Values.config.enabledUpdaters }}
-        - {{ $value }}
-        {{- end }}
-
-      notifier:
-        # Number of attempts before the notification is marked as failed to be sent
-        attempts: 3
-
-        # Duration before a failed notification is retried
-        renotifyinterval: 2h
-
-        http:
-          # Optional endpoint that will receive notifications via POST requests
-          endpoint: "{{ .Values.config.notificationWebhookEndpoint }}"
-
-          # Optional PKI configuration
-          # If you want to easily generate client certificates and CAs, try the following projects:
-          # https://github.com/cloudflare/cfssl
-          # https://github.com/coreos/etcd-ca
-          servername:
-          cafile:
-          keyfile:
-          certfile:
-
-          # Optional HTTP Proxy: must be a valid URL (including the scheme).
-          proxy:

contrib/helm/clair/templates/deployment.yaml

@@ -1,23 +1,26 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ template "fullname" . }}
+  name: {{ template "clair.fullname" . }}
   labels:
-    hertiage: {{ .Release.Service | quote }}
+    heritage: {{ .Release.Service | quote }}
     release: {{ .Release.Name | quote }}
     chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
-    component: {{ .Release.Name }}
+    app: {{ template "clair.fullname" . }}
 spec:
   replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ template "clair.fullname" . }}
   template:
     metadata:
       labels:
-        app: {{ template "fullname" . }}
+        app: {{ template "clair.fullname" . }}
     spec:
       volumes:
       - name: "{{ .Chart.Name }}-config"
-        configMap:
+        secret:
-          name: {{ template "fullname" . }}
+          secretName: {{ template "clair.fullname" . }}
       containers:
       - name: {{ .Chart.Name }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -26,10 +29,10 @@ spec:
         - "-log-level={{ .Values.logLevel }}"
         {{ if .Values.insecureTls }}- "--insecure-tls" {{end}}
         ports:
-        - name: clair-api
+        - name: "{{ .Chart.Name }}-api"
           containerPort: {{ .Values.service.internalApiPort }}
           protocol: TCP
-        - name: clair-health
+        - name: "{{ .Chart.Name }}-health"
           containerPort: {{ .Values.service.internalHealthPort }}
           protocol: TCP
         livenessProbe:
@@ -43,5 +46,6 @@ spec:
         volumeMounts:
         - name: "{{ .Chart.Name }}-config"
           mountPath: /etc/clair
+          readOnly: true
         resources:
 {{ toYaml .Values.resources | indent 10 }}

contrib/helm/clair/templates/ingress.yaml

@@ -1,15 +1,15 @@
 {{- if .Values.ingress.enabled -}}
-{{- $serviceName := include "fullname" . -}}
+{{- $serviceName := include "clair.fullname" . -}}
 {{- $servicePort := .Values.service.externalApiPort -}}
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
-  name: {{ template "fullname" . }}
+  name: {{ template "clair.fullname" . }}
   labels:
-    app: {{ template "fullname" . }}
+    heritage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
     chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
-    release: "{{ .Release.Name }}"
+    app: {{ template "clair.fullname" . }}
-    heritage: "{{ .Release.Service }}"
   annotations:
     {{- range $key, $value := .Values.ingress.annotations }}
       {{ $key }}: {{ $value | quote }}

contrib/helm/clair/templates/secret.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "clair.fullname" . }}
+  labels:
+    heritage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    app: {{ template "clair.fullname" . }}
+type: Opaque
+data:
+  config.yaml: |-
+{{ include (print .Template.BasePath "/_config.yaml.tpl") . | b64enc | indent 4 }}

contrib/helm/clair/templates/service.yaml

@@ -1,21 +1,22 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ template "fullname" . }}
+  name: {{ template "clair.fullname" . }}
   labels:
+    heritage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
     chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    app: {{ template "clair.fullname" . }}
 spec:
   type: {{ .Values.service.type }}
   ports:
-  - name: clair-api
+  - name: "{{ .Chart.Name }}-api"
     port: {{ .Values.service.externalApiPort }}
     targetPort: {{ .Values.service.internalApiPort }}
     protocol: TCP
-    name: "{{ .Values.service.name }}-api"
+  - name: "{{ .Chart.Name }}-health"
-  - name: clair-health
     port: {{ .Values.service.externalHealthPort }}
     targetPort: {{ .Values.service.internalHealthPort }}
     protocol: TCP
-    name: "{{ .Values.service.name }}-health"
   selector:
-    app: {{ template "fullname" . }}
+    app: {{ template "clair.fullname" . }}

contrib/helm/clair/values.yaml

@@ -9,7 +9,6 @@ image:
   tag: latest
   pullPolicy: Always
 service:
-  name: clair
   type: ClusterIP
   internalApiPort: 6060
   externalApiPort: 6060