README: add instructions for kubernetes

Add a quick and easy way to run this on top of kubernetes. It isn't production ready but gives people a starting point.
2016-03-18 10:05:17 -07:00 · 2016-03-18 10:05:17 -07:00 · 9ce0956f1a
commit 9ce0956f1a
parent 093107c6d8
3 changed files with 175 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -44,9 +44,25 @@ Clair detects some vulnerabilities and sends a webhook to your continuous deploy
 During the first run, Clair will bootstrap its database with vulnerability data from its data sources.
 It can take several minutes before the database has been fully populated.
 **NOTE:** These setups are not meant for production workloads, but as a quick way to get started.
 ### Kubernetes
 An easy way to run Clair is with Kubernetes.
 If you are using the [CoreOS Kubernetes single-node instructions][single-node] for vagrant you will be able to access Clair at http://172.17.4.99:30061/ after following these instructions.
 ```
 git clone https://github.com/coreos/clair
 cd clair/contrib/k8s
 kubectl create -f clair-kubernetes.yaml
 kubectl create secret generic clairsecret --from-file=./config.yaml
 ```
 [single-node]: https://coreos.com/kubernetes/docs/latest/kubernetes-on-vagrant-single.html
 ### Docker Compose
-The easiest way to get an instance of Clair running is to use Docker Compose to run everything locally.
+Another easy way to get an instance of Clair running is to use Docker Compose to run everything locally.
 This runs a PostgreSQL database insecurely and locally in a container.
 This method should only be used for testing.
--- a/contrib/k8s/clair-kubernetes.yaml
+++ b/contrib/k8s/clair-kubernetes.yaml
@ -0,0 +1,84 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: clairsvc
  labels:
    app: clair
 spec:
  type: NodePort
  ports:
  - port: 6060
    protocol: TCP
    nodePort: 30060
    name: clair-port0
  - port: 6061
    protocol: TCP
    nodePort: 30061
    name: clair-port1
  selector:
    app: clair
 ---
 apiVersion: v1
 kind: ReplicationController
 metadata:
  name: clair
 spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: clair
    spec:
      volumes:
      - name: secret-volume
        secret:
          secretName: clairsecret
      containers:
      - name: clair
        image: quay.io/coreos/clair
        args:
          - "-config"
          - "/config/config.yaml"
        ports:
        - containerPort: 6060
        - containerPort: 6061
        volumeMounts:
        - mountPath: /config
          name: secret-volume
 ---
 apiVersion: v1
 kind: ReplicationController
 metadata:
  labels:
    app: postgres
  name: clair-postgres
 spec:
  replicas: 1
  selector:
    app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
      - image: postgres:latest
        name: postgres
        env:
        - name: POSTGRES_PASSWORD
          value: password
        ports:
        - containerPort: 5432
          name: postgres-port
 ---
 apiVersion: v1
 kind: Service
 metadata:
  labels:
    app: postgres
  name: postgres
 spec:
  ports:
    - port: 5432
  selector:
    app: postgres
--- a/contrib/k8s/config.yaml
+++ b/contrib/k8s/config.yaml
@ -0,0 +1,74 @@
 # Copyright 2015 clair authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # The values specified here are the default values that Clair uses if no configuration file is specified or if the keys are not defined.
 clair:
  database:
    # PostgreSQL Connection string
    # http://www.postgresql.org/docs/9.4/static/libpq-connect.html
    source: postgres://postgres:password@postgres:5432/postgres?sslmode=disable
    # Number of elements kept in the cache
    # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
    cacheSize: 16384
  api:
    # API server port
    port: 6060
    # Health server port
    # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server.
    healthport: 6061
    # Deadline before an API request will respond with a 503
    timeout: 900s
    # 32-bit URL-safe base64 key used to encrypt pagination tokens
    # If one is not provided, it will be generated.
    # Multiple clair instances in the same cluster need the same value.
    paginationKey:
    # Optional PKI configuration
    # If you want to easily generate client certificates and CAs, try the following projects:
    # https://github.com/coreos/etcd-ca
    # https://github.com/cloudflare/cfssl
    servername:
    cafile:
    keyfile:
    certfile:
  updater:
    # Frequency the database will be updated with vulnerabilities from the default data sources
    # The value 0 disables the updater entirely.
    interval: 2h
  notifier:
    # Number of attempts before the notification is marked as failed to be sent
    attempts: 3
    # Duration before a failed notification is retried
    renotifyInterval: 2h
    http:
      # Optional endpoint that will receive notifications via POST requests
      endpoint:
      # Optional PKI configuration
      # If you want to easily generate client certificates and CAs, try the following projects:
      # https://github.com/cloudflare/cfssl
      # https://github.com/coreos/etcd-ca
      servername:
      cafile:
      keyfile:
      certfile: