diff --git a/contrib/helm/clair/.helmignore b/contrib/helm/clair/.helmignore
new file mode 100644
index 00000000..f0c13194
--- /dev/null
+++ b/contrib/helm/clair/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/contrib/helm/clair/Chart.yaml b/contrib/helm/clair/Chart.yaml
new file mode 100644
index 00000000..ba3bdd78
--- /dev/null
+++ b/contrib/helm/clair/Chart.yaml
@@ -0,0 +1,11 @@
+name: clair
+home: https://coreos.com/clair
+version: 0.1.0
+appVersion: 3.0.0-pre
+description: Clair is an open source project for the static analysis of vulnerabilities in application containers.
+icon: https://cloud.githubusercontent.com/assets/343539/21630811/c5081e5c-d202-11e6-92eb-919d5999c77a.png
+sources:
+ - https://github.com/coreos/clair
+maintainers:
+ - name: Jimmy Zelinskie
+ - email: jimmy.zelinskie@coreos.com
diff --git a/contrib/helm/clair/templates/_helpers.tpl b/contrib/helm/clair/templates/_helpers.tpl
new file mode 100644
index 00000000..f0d83d2e
--- /dev/null
+++ b/contrib/helm/clair/templates/_helpers.tpl
@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
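Review bot: Under `maintainers:` in Chart.yaml, `- email: jimmy.zelinskie@coreos.com` opens a second list item instead of attaching the address to the preceding entry, so the chart declares one maintainer with only a name and another with only an email. Indent it as a sibling key of `name` inside the first item, `email: jimmy.zelinskie@coreos.com` without the leading dash, so a single maintainer carries both fields.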
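Review bot: The named templates in _helpers.tpl are defined as bare `name` and `fullname`; Helm named templates are global across a release, so any dependency chart that defines the same names silently overrides these for every caller. Prefixing them with the chart name, `{{- define "clair.name" -}}` and `{{- define "clair.fullname" -}}`, and updating the `template "fullname"` / `include "fullname"` callers in the other templates of this change avoids that collision.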
diff --git a/contrib/helm/clair/templates/configmap.yaml b/contrib/helm/clair/templates/configmap.yaml
new file mode 100644
index 00000000..6a9858ff
--- /dev/null
+++ b/contrib/helm/clair/templates/configmap.yaml
@@ -0,0 +1,87 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "fullname" . }}
+ labels:
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+data:
+ config.yaml: |
+ clair:
+ database:
+ # Database driver
+ type: pgsql
+ options:
+ # PostgreSQL Connection string
+ # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
+ source: "{{ .Values.config.postgresURI }}"
+
+ # Number of elements kept in the cache
+ # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
+ cachesize: 16384
+
+ # 32-bit URL-safe base64 key used to encrypt pagination tokens
+ # If one is not provided, it will be generated.
+ # Multiple clair instances in the same cluster need the same value.
+ paginationkey: "{{ .Values.config.paginationKey }}"
+ api:
+ # v3 grpc/RESTful API server address
+ addr: "0.0.0.0:6060"
+
+ # Health server address
+ # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server.
+ healthaddr: "0.0.0.0:6061"
+
+ # Deadline before an API request will respond with a 503
+ timeout: 900s
+
+ # Optional PKI configuration
+ # If you want to easily generate client certificates and CAs, try the following projects:
+ # https://github.com/coreos/etcd-ca
+ # https://github.com/cloudflare/cfssl
+ servername:
+ cafile:
+ keyfile:
+ certfile:
+
+ worker:
+ namespace_detectors:
+ {{- range $key, $value := .Values.config.enabledNamespaceDetectors }}
+ - {{ $value }}
+ {{- end }}
+
+ feature_listers:
+ {{- range $key, $value := .Values.config.enabledFeatureListers }}
+ - {{ $value }}
+ {{- end }}
+
+ updater:
+ # Frequency the database will be updated with vulnerabilities from the default data sources
+ # The value 0 disables the updater entirely.
+ interval: "{{ .Values.config.updateInterval }}"
+ enabledupdaters:
+ {{- range $key, $value := .Values.config.enabledUpdaters }}
+ - {{ $value }}
+ {{- end }}
+
+ notifier:
+ # Number of attempts before the notification is marked as failed to be sent
+ attempts: 3
+
+ # Duration before a failed notification is retried
+ renotifyinterval: 2h
+
+ http:
+ # Optional endpoint that will receive notifications via POST requests
+ endpoint: "{{ .Values.config.notificationWebhookEndpoint }}"
+
+ # Optional PKI configuration
+ # If you want to easily generate client certificates and CAs, try the following projects:
+ # https://github.com/cloudflare/cfssl
+ # https://github.com/coreos/etcd-ca
+ servername:
+ cafile:
+ keyfile:
+ certfile:
+
+ # Optional HTTP Proxy: must be a valid URL (including the scheme).
+ proxy:
diff --git a/contrib/helm/clair/templates/deployment.yaml b/contrib/helm/clair/templates/deployment.yaml
new file mode 100644
index 00000000..18073753
--- /dev/null
+++ b/contrib/helm/clair/templates/deployment.yaml
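Review bot: `source: "{{ .Values.config.postgresURI }}"` and `paginationkey: "{{ .Values.config.paginationKey }}"` place the database credentials and the token-encryption key in a ConfigMap, which is readable by any principal with configmap read access in the namespace and is not treated as sensitive by RBAC defaults, backups or log tooling. Rendering the same `config.yaml` into a `kind: Secret` under `stringData` and mounting that Secret in place of the ConfigMap volume in deployment.yaml keeps the layout identical while marking the data as sensitive; values.yaml in this change ships defaults for both values. The list items rendered by the three `range` blocks (`- {{ $value }}`) are unquoted; `- {{ $value | quote }}` would prevent YAML retyping should a detector or updater name ever look like a number or boolean.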
@@ -0,0 +1,46 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: {{ template "fullname" . }}
+ labels:
+ hertiage: {{ .Release.Service | quote }}
+ release: {{ .Release.Name | quote }}
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+ component: {{ .Release.Name }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ labels:
+ app: {{ template "fullname" . }}
+ spec:
+ volumes:
+ - name: "{{ .Chart.Name }}-config"
+ configMap:
+ name: {{ template "fullname" . }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ - "-log-level={{ .Values.logLevel }}"
+ ports:
+ - name: clair-api
+ containerPort: {{ .Values.service.internalApiPort }}
+ protocol: TCP
+ - name: clair-health
+ containerPort: {{ .Values.service.internalHealthPort }}
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: {{ .Values.service.internalHealthPort }}
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: {{ .Values.service.internalHealthPort }}
+ volumeMounts:
+ - name: "{{ .Chart.Name }}-config"
+ mountPath: /etc/clair
+ resources:
+{{ toYaml .Values.resources | indent 10 }}
diff --git a/contrib/helm/clair/templates/ingress.yaml b/contrib/helm/clair/templates/ingress.yaml
new file mode 100644
index 00000000..c6c92c5f
--- /dev/null
+++ b/contrib/helm/clair/templates/ingress.yaml
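Review bot: The label key `hertiage:` on the Deployment metadata is misspelled; ingress.yaml in the same change writes `heritage`, which is also the Helm convention, so anything that selects or audits objects by that label will miss this Deployment. Change the line to `heritage: {{ .Release.Service | quote }}`. The pod spec also sets no `securityContext`; if the image does not need root, adding `runAsNonRoot: true` and `readOnlyRootFilesystem: true` to the container would be cheap hardening, though whether the binary tolerates that is not verifiable from this hunk.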
@@ -0,0 +1,32 @@
+{{- if .Values.ingress.enabled -}}
+{{- $serviceName := include "fullname" . -}}
+{{- $servicePort := .Values.service.externalPort -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: {{ template "fullname" . }}
+ labels:
+ app: {{ template "fullname" . }}
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: {{ $serviceName }}
+ servicePort: {{ $servicePort }}
+ {{- end -}}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
diff --git a/contrib/helm/clair/templates/service.yaml b/contrib/helm/clair/templates/service.yaml
new file mode 100644
index 00000000..1f9d26e4
--- /dev/null
+++ b/contrib/helm/clair/templates/service.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "fullname" . }}
+ labels:
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - name: clair-api
+ port: {{ .Values.service.externalApiPort }}
+ targetPort: {{ .Values.service.internalApiPort }}
+ protocol: TCP
+ name: "{{ .Values.service.name }}-api"
+ - name: clair-health
+ port: {{ .Values.service.externalHealthPort }}
+ targetPort: {{ .Values.service.internalHealthPort }}
+ protocol: TCP
+ name: "{{ .Values.service.name }}-health"
+ selector:
+ app: {{ template "fullname" . }}
diff --git a/contrib/helm/clair/values.yaml b/contrib/helm/clair/values.yaml
new file mode 100644
index 00000000..369d5054
--- /dev/null
+++ b/contrib/helm/clair/values.yaml
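Review bot: `{{- $servicePort := .Values.service.externalPort -}}` in ingress.yaml reads a key that values.yaml in this change never defines (it defines `externalApiPort` and `externalHealthPort`), so with `ingress.enabled: true` the backend renders as `servicePort:` with an empty value and the Ingress is rejected or routes nowhere. It should be `{{- $servicePort := .Values.service.externalApiPort -}}`. `- host: {{ $host }}` is also rendered unquoted; `- host: {{ $host | quote }}` protects against a host value YAML would misparse, such as one beginning with `*`, which is the alias sigil.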
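Review bot: Each entry under `ports:` in service.yaml carries the `name` key twice (`name: clair-api` and then `name: "{{ .Values.service.name }}-api"`, and likewise for the health port); YAML forbids repeated keys in a mapping, so the manifest is either rejected or the second value silently wins depending on the parser. Drop one of the pair in each entry; keeping `name: clair-api` and `name: clair-health` matches the containerPort names used in deployment.yaml.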
@@ -0,0 +1,57 @@
+# Default values for clair.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+replicaCount: 1
+logLevel: info
+image:
+ repository: quay.io/coreos/clair-git
+ tag: latest
+ pullPolicy: Always
+service:
+ name: clair
+ type: ClusterIP
+ internalApiPort: 6060
+ externalApiPort: 6060
+ internalHealthPort: 6061
+ externalHealthPort: 6061
+ingress:
+ enabled: false
+ # Used to create Ingress record (should used with service.type: ClusterIP).
+ hosts:
+ - chart-example.local
+ annotations:
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ tls:
+ # Secrets must be manually created in the namespace.
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+resources:
+ limits:
+ cpu: 100m
+ memory: 1Gi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+config:
+ postgresURI: "postgres://user:password@host:5432/postgres?sslmode=disable"
+ paginationKey: "XxoPtCUzrUv4JV5dS+yQ+MdW7yLEJnRMwigVY/bpgtQ="
+ updateInterval: 2h
+ notificationWebhookEndpoint: https://example.com/notify/me
+ enabledUpdaters:
+ - debian
+ - ubuntu
+ - rhel
+ - oracle
+ - alpine
+ enabledNamespaceDetectors:
+ - os-release
+ - lsb-release
+ - apt-sources
+ - alpine-release
+ - redhat-release
+ enabledFeatureListers:
+ - apk
+ - dpkg
+ - rpm
diff --git a/contrib/k8s/clair-kubernetes.yaml b/contrib/k8s/clair-kubernetes.yaml
deleted file mode 100644
index 27ffe113..00000000
--- a/contrib/k8s/clair-kubernetes.yaml
+++ /dev/null
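Review bot: `paginationKey: "XxoPtCUzrUv4JV5dS+yQ+MdW7yLEJnRMwigVY/bpgtQ="` ships a fixed key in the chart defaults, so every install that does not override it encrypts its pagination tokens with the same key that sits in a public repository, which defeats the purpose of the key. The config comment in configmap.yaml says a missing key is generated at startup, so an empty default, `paginationKey: ""`, with a comment that multi-replica installs must set a shared value, is the safer choice. `postgresURI` likewise defaults to a credential-bearing URL with `sslmode=disable`; a placeholder that fails to connect rather than a working-looking insecure value stops it being deployed as-is. `tag: latest` with `pullPolicy: Always` also makes rollouts non-reproducible; pin a release tag once one exists.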
@@ -1,84 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: clairsvc - labels: - app: clair -spec: - type: NodePort - ports: - - port: 6060 - protocol: TCP - nodePort: 30060 - name: clair-port0 - - port: 6061 - protocol: TCP - nodePort: 30061 - name: clair-port1 - selector: - app: clair ---- -apiVersion: v1 -kind: ReplicationController -metadata: - name: clair -spec: - replicas: 1 - template: - metadata: - labels: - app: clair - spec: - volumes: - - name: secret-volume - secret: - secretName: clairsecret - containers: - - name: clair - image: quay.io/coreos/clair - args: - - "-config" - - "/config/config.yaml" - ports: - - containerPort: 6060 - - containerPort: 6061 - volumeMounts: - - mountPath: /config - name: secret-volume ---- -apiVersion: v1 -kind: ReplicationController -metadata: - labels: - app: postgres - name: clair-postgres -spec: - replicas: 1 - selector: - app: postgres - template: - metadata: - labels: - app: postgres - spec: - containers: - - image: postgres:latest - name: postgres - env: - - name: POSTGRES_PASSWORD - value: password - ports: - - containerPort: 5432 - name: postgres-port ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: postgres - name: postgres -spec: - ports: - - port: 5432 - selector: - app: postgres diff --git a/contrib/k8s/config.yaml b/contrib/k8s/config.yaml deleted file mode 100644 index 93f9ed7e..00000000 --- a/contrib/k8s/config.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -# Copyright 2015 clair authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# The values specified here are the default values that Clair uses if no configuration file is specified or if the keys are not defined. -clair: - database: - # Database driver - type: pgsql - options: - # PostgreSQL Connection string - # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING - source: postgres://postgres:password@postgres:5432/postgres?sslmode=disable - - # Number of elements kept in the cache - # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. - cachesize: 16384 - - # 32-bit URL-safe base64 key used to encrypt pagination tokens - # If one is not provided, it will be generated. - # Multiple clair instances in the same cluster need the same value. - paginationkey: - - api: - # v3 grpc/RESTful API server address - addr: "0.0.0.0:6060" - - # Health server address - # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server. 
- healthaddr: "0.0.0.0:6061" - - # Deadline before an API request will respond with a 503 - timeout: 900s - - # Optional PKI configuration - # If you want to easily generate client certificates and CAs, try the following projects: - # https://github.com/coreos/etcd-ca - # https://github.com/cloudflare/cfssl - servername: - cafile: - keyfile: - certfile: - - worker: - namespace_detectors: - - os-release - - lsb-release - - apt-sources - - alpine-release - - redhat-release - - feature_listers: - - apk - - dpkg - - rpm - - updater: - # Frequency the database will be updated with vulnerabilities from the default data sources - # The value 0 disables the updater entirely. - interval: 2h - enabledupdaters: - - debian - - ubuntu - - rhel - - oracle - - alpine - - notifier: - # Number of attempts before the notification is marked as failed to be sent - attempts: 3 - - # Duration before a failed notification is retried - renotifyinterval: 2h - - http: - # Optional endpoint that will receive notifications via POST requests - endpoint: - - # Optional PKI configuration - # If you want to easily generate client certificates and CAs, try the following projects: - # https://github.com/cloudflare/cfssl - # https://github.com/coreos/etcd-ca - servername: - cafile: - keyfile: - certfile: - - # Optional HTTP Proxy: must be a valid URL (including the scheme). - proxy: