contrib: replace old k8s manifests with helm

contrib/helm/clair/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

contrib/helm/clair/Chart.yaml

@@ -0,0 +1,11 @@
+name: clair
+home: https://coreos.com/clair
+version: 0.1.0
+appVersion: 3.0.0-pre
+description: Clair is an open source project for the static analysis of vulnerabilities in application containers.
+icon: https://cloud.githubusercontent.com/assets/343539/21630811/c5081e5c-d202-11e6-92eb-919d5999c77a.png
+sources:
+  - https://github.com/coreos/clair
+maintainers:
+  - name: Jimmy Zelinskie
+  - email: jimmy.zelinskie@coreos.com

contrib/helm/clair/templates/_helpers.tpl

@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

contrib/helm/clair/templates/configmap.yaml

@@ -0,0 +1,87 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "fullname" . }}
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+data:
+  config.yaml: |
+    clair:
+      database:
+        # Database driver
+        type: pgsql
+        options:
+          # PostgreSQL Connection string
+          # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
+          source: "{{ .Values.config.postgresURI }}"
+
+          # Number of elements kept in the cache
+          # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
+          cachesize: 16384
+
+          # 32-bit URL-safe base64 key used to encrypt pagination tokens
+          # If one is not provided, it will be generated.
+          # Multiple clair instances in the same cluster need the same value.
+          paginationkey: "{{ .Values.config.paginationKey }}"
+      api:
+        # v3 grpc/RESTful API server address
+        addr: "0.0.0.0:6060"
+
+        # Health server address
+        # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server.
+        healthaddr: "0.0.0.0:6061"
+
+        # Deadline before an API request will respond with a 503
+        timeout: 900s
+
+        # Optional PKI configuration
+        # If you want to easily generate client certificates and CAs, try the following projects:
+        # https://github.com/coreos/etcd-ca
+        # https://github.com/cloudflare/cfssl
+        servername:
+        cafile:
+        keyfile:
+        certfile:
+
+      worker:
+        namespace_detectors:
+        {{- range $key, $value := .Values.config.enabledNamespaceDetectors }}
+        - {{ $value }}
+        {{- end }}
+
+        feature_listers:
+        {{- range $key, $value := .Values.config.enabledFeatureListers }}
+        - {{ $value }}
+        {{- end }}
+
+      updater:
+        # Frequency the database will be updated with vulnerabilities from the default data sources
+        # The value 0 disables the updater entirely.
+        interval: "{{ .Values.config.updateInterval }}"
+        enabledupdaters:
+        {{- range $key, $value := .Values.config.enabledUpdaters }}
+        - {{ $value }}
+        {{- end }}
+
+      notifier:
+        # Number of attempts before the notification is marked as failed to be sent
+        attempts: 3
+
+        # Duration before a failed notification is retried
+        renotifyinterval: 2h
+
+        http:
+          # Optional endpoint that will receive notifications via POST requests
+          endpoint: "{{ .Values.config.notificationWebhookEndpoint }}"
+
+          # Optional PKI configuration
+          # If you want to easily generate client certificates and CAs, try the following projects:
+          # https://github.com/cloudflare/cfssl
+          # https://github.com/coreos/etcd-ca
+          servername:
+          cafile:
+          keyfile:
+          certfile:
+
+          # Optional HTTP Proxy: must be a valid URL (including the scheme).
+          proxy:

contrib/helm/clair/templates/deployment.yaml

@@ -0,0 +1,46 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: {{ template "fullname" . }}
+  labels:
+    hertiage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    component: {{ .Release.Name }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "fullname" . }}
+    spec:
+      volumes:
+      - name: "{{ .Chart.Name }}-config"
+        configMap:
+          name: {{ template "fullname" . }}
+      containers:
+      - name: {{ .Chart.Name }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+        - "-log-level={{ .Values.logLevel }}"
+        ports:
+        - name: clair-api
+          containerPort: {{ .Values.service.internalApiPort }}
+          protocol: TCP
+        - name: clair-health
+          containerPort: {{ .Values.service.internalHealthPort }}
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: {{ .Values.service.internalHealthPort }}
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: {{ .Values.service.internalHealthPort }}
+        volumeMounts:
+        - name: "{{ .Chart.Name }}-config"
+          mountPath: /etc/clair
+        resources:
+{{ toYaml .Values.resources | indent 10 }}

contrib/helm/clair/templates/ingress.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.ingress.enabled -}}
+{{- $serviceName := include "fullname" . -}}
+{{- $servicePort := .Values.service.externalPort -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: {{ template "fullname" . }}
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+  annotations:
+    {{- range $key, $value := .Values.ingress.annotations }}
+      {{ $key }}: {{ $value | quote }}
+    {{- end }}
+spec:
+  rules:
+    {{- range $host := .Values.ingress.hosts }}
+    - host: {{ $host }}
+      http:
+        paths:
+          - path: /
+            backend:
+              serviceName: {{ $serviceName }}
+              servicePort: {{ $servicePort }}
+    {{- end -}}
+  {{- if .Values.ingress.tls }}
+  tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+  {{- end -}}
+{{- end -}}

contrib/helm/clair/templates/service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "fullname" . }}
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+  - name: clair-api
+    port: {{ .Values.service.externalApiPort }}
+    targetPort: {{ .Values.service.internalApiPort }}
+    protocol: TCP
+    name: "{{ .Values.service.name }}-api"
+  - name: clair-health
+    port: {{ .Values.service.externalHealthPort }}
+    targetPort: {{ .Values.service.internalHealthPort }}
+    protocol: TCP
+    name: "{{ .Values.service.name }}-health"
+  selector:
+    app: {{ template "fullname" . }}

contrib/helm/clair/values.yaml

@@ -0,0 +1,57 @@
+# Default values for clair.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+replicaCount: 1
+logLevel: info
+image:
+  repository: quay.io/coreos/clair-git
+  tag: latest
+  pullPolicy: Always
+service:
+  name: clair
+  type: ClusterIP
+  internalApiPort: 6060
+  externalApiPort: 6060
+  internalHealthPort: 6061
+  externalHealthPort: 6061
+ingress:
+  enabled: false
+  # Used to create Ingress record (should used with service.type: ClusterIP).
+  hosts:
+    - chart-example.local
+  annotations:
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  tls:
+    # Secrets must be manually created in the namespace.
+    # - secretName: chart-example-tls
+    #   hosts:
+    #     - chart-example.local
+resources:
+  limits:
+    cpu: 100m
+    memory: 1Gi
+  requests:
+    cpu: 100m
+    memory: 128Mi
+config:
+  postgresURI: "postgres://user:password@host:5432/postgres?sslmode=disable"
+  paginationKey: "XxoPtCUzrUv4JV5dS+yQ+MdW7yLEJnRMwigVY/bpgtQ="
+  updateInterval: 2h
+  notificationWebhookEndpoint: https://example.com/notify/me
+  enabledUpdaters:
+  - debian
+  - ubuntu
+  - rhel
+  - oracle
+  - alpine
+  enabledNamespaceDetectors:
+  - os-release
+  - lsb-release
+  - apt-sources
+  - alpine-release
+  - redhat-release
+  enabledFeatureListers:
+  - apk
+  - dpkg
+  - rpm

contrib/k8s/clair-kubernetes.yaml

@@ -1,84 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: clairsvc
-  labels:
-    app: clair
-spec:
-  type: NodePort
-  ports:
-  - port: 6060
-    protocol: TCP
-    nodePort: 30060
-    name: clair-port0
-  - port: 6061
-    protocol: TCP
-    nodePort: 30061
-    name: clair-port1
-  selector:
-    app: clair
----
-apiVersion: v1
-kind: ReplicationController
-metadata:
-  name: clair
-spec:
-  replicas: 1
-  template:
-    metadata:
-      labels:
-        app: clair
-    spec:
-      volumes:
-      - name: secret-volume
-        secret:
-          secretName: clairsecret
-      containers:
-      - name: clair
-        image: quay.io/coreos/clair
-        args:
-          - "-config"
-          - "/config/config.yaml"
-        ports:
-        - containerPort: 6060
-        - containerPort: 6061
-        volumeMounts:
-        - mountPath: /config
-          name: secret-volume
----
-apiVersion: v1
-kind: ReplicationController
-metadata:
-  labels:
-    app: postgres
-  name: clair-postgres
-spec:
-  replicas: 1
-  selector:
-    app: postgres
-  template:
-    metadata:
-      labels:
-        app: postgres
-    spec:
-      containers:
-      - image: postgres:latest
-        name: postgres
-        env:
-        - name: POSTGRES_PASSWORD
-          value: password
-        ports:
-        - containerPort: 5432
-          name: postgres-port
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: postgres
-  name: postgres
-spec:
-  ports:
-    - port: 5432
-  selector:
-    app: postgres

contrib/k8s/config.yaml

@@ -1,99 +0,0 @@
-# Copyright 2015 clair authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# The values specified here are the default values that Clair uses if no configuration file is specified or if the keys are not defined.
-clair:
-  database:
-    # Database driver
-    type: pgsql
-    options:
-      # PostgreSQL Connection string
-      # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
-      source: postgres://postgres:password@postgres:5432/postgres?sslmode=disable
-
-      # Number of elements kept in the cache
-      # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
-      cachesize: 16384
-      
-      # 32-bit URL-safe base64 key used to encrypt pagination tokens
-      # If one is not provided, it will be generated.
-      # Multiple clair instances in the same cluster need the same value.
-      paginationkey: 
-
-  api:
-    # v3 grpc/RESTful API server address
-    addr: "0.0.0.0:6060"
-
-    # Health server address
-    # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server.
-    healthaddr: "0.0.0.0:6061"
-
-    # Deadline before an API request will respond with a 503
-    timeout: 900s
-
-    # Optional PKI configuration
-    # If you want to easily generate client certificates and CAs, try the following projects:
-    # https://github.com/coreos/etcd-ca
-    # https://github.com/cloudflare/cfssl
-    servername:
-    cafile:
-    keyfile:
-    certfile:
-
-  worker:
-    namespace_detectors:
-      - os-release
-      - lsb-release
-      - apt-sources
-      - alpine-release
-      - redhat-release
-
-    feature_listers:
-      - apk
-      - dpkg
-      - rpm
-
-  updater:
-    # Frequency the database will be updated with vulnerabilities from the default data sources
-    # The value 0 disables the updater entirely.
-    interval: 2h
-    enabledupdaters: 
-      - debian
-      - ubuntu
-      - rhel
-      - oracle
-      - alpine
-
-  notifier:
-    # Number of attempts before the notification is marked as failed to be sent
-    attempts: 3
-
-    # Duration before a failed notification is retried
-    renotifyinterval: 2h
-
-    http:
-      # Optional endpoint that will receive notifications via POST requests
-      endpoint:
-
-      # Optional PKI configuration
-      # If you want to easily generate client certificates and CAs, try the following projects:
-      # https://github.com/cloudflare/cfssl
-      # https://github.com/coreos/etcd-ca
-      servername:
-      cafile: 
-      keyfile: 
-      certfile: 
-
-      # Optional HTTP Proxy: must be a valid URL (including the scheme).
-      proxy: