From bc6f37f1ae0df5a7c01184ef1483a889e82e86ba Mon Sep 17 00:00:00 2001
From: Roberto Soares
Date: Wed, 8 Aug 2018 14:54:35 +0200
Subject: [PATCH] Helm Chart: Use Secret for config file. Fix some minor issues

- Config file for Clair now is inside a Secret. Fixes #581.
- Update helper template to use latest Helm conventions for "name" and "fullname".
- Update labels to use the recommended labels by Helm. See: https://docs.helm.sh/chart_best_practices/#standard-labels
- Remove service.name from values file because it is not used. Service discovery for parent charts can be made by using the "clair.fullname" template since template functions are shared between charts.
---
 contrib/helm/clair/templates/_config.yaml.tpl | 83 +++++++++++++++++
 contrib/helm/clair/templates/_helpers.tpl | 14 ++-
 contrib/helm/clair/templates/configmap.yaml | 92 -------------------
 contrib/helm/clair/templates/deployment.yaml | 22 +++--
 contrib/helm/clair/templates/ingress.yaml | 10 +-
 contrib/helm/clair/templates/secret.yaml | 13 +++
 contrib/helm/clair/templates/service.yaml | 13 +--
 contrib/helm/clair/values.yaml | 1 -
 8 files changed, 133 insertions(+), 115 deletions(-)
 create mode 100644 contrib/helm/clair/templates/_config.yaml.tpl
 delete mode 100644 contrib/helm/clair/templates/configmap.yaml
 create mode 100644 contrib/helm/clair/templates/secret.yaml

diff --git a/contrib/helm/clair/templates/_config.yaml.tpl b/contrib/helm/clair/templates/_config.yaml.tpl
new file mode 100644
index 00000000..6d823706
--- /dev/null
+++ b/contrib/helm/clair/templates/_config.yaml.tpl
@@ -0,0 +1,83 @@
+clair:
+ database:
+ # Database driver.
+ type: pgsql
+ options:
+ # PostgreSQL Connection string.
+ # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
+ {{- if .Values.config.postgresURI }}
+ source: "{{ .Values.config.postgresURI }}"
+ {{ else }}
+ source: "postgres://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@{{ template "postgresql.fullname" . }}:5432/{{ .Values.postgresql.postgresDatabase }}?sslmode=disable"
+ {{ end }}
+
+ # Number of elements kept in the cache.
+ # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
+ cachesize: 16384
+
+ # 32-bit URL-safe base64 key used to encrypt pagination tokens.
+ # If one is not provided, it will be generated.
+ # Multiple clair instances in the same cluster need the same value.
+ paginationkey: "{{ .Values.config.paginationKey }}"
+ api:
+ # v3 grpc/RESTful API server address.
+ addr: "0.0.0.0:{{ .Values.service.internalApiPort }}"
+
+ # Health server address.
+ # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server.
+ healthaddr: "0.0.0.0:{{ .Values.service.internalHealthPort }}"
+
+ # Deadline before an API request will respond with a 503.
+ timeout: 900s
+
+ # Optional PKI configuration.
+ # If you want to easily generate client certificates and CAs, try the following projects:
+ # https://github.com/coreos/etcd-ca
+ # https://github.com/cloudflare/cfssl
+ servername:
+ cafile:
+ keyfile:
+ certfile:
+
+ worker:
+ namespace_detectors:
+ {{- range $key, $value := .Values.config.enabledNamespaceDetectors }}
+ - {{ $value }}
+ {{- end }}
+
+ feature_listers:
+ {{- range $key, $value := .Values.config.enabledFeatureListers }}
+ - {{ $value }}
+ {{- end }}
+
+ updater:
+ # Frequency the database will be updated with vulnerabilities from the default data sources.
+ # The value 0 disables the updater entirely.
+ interval: "{{ .Values.config.updateInterval }}"
+ enabledupdaters:
+ {{- range $key, $value := .Values.config.enabledUpdaters }}
+ - {{ $value }}
+ {{- end }}
+
+ notifier:
+ # Number of attempts before the notification is marked as failed to be sent.
+ attempts: 3
+
+ # Duration before a failed notification is retried.
+ renotifyinterval: 2h
+
+ http:
+ # Optional endpoint that will receive notifications via POST requests.
+ endpoint: "{{ .Values.config.notificationWebhookEndpoint }}"
+
+ # Optional PKI configuration.
+ # If you want to easily generate client certificates and CAs, try the following projects:
+ # https://github.com/cloudflare/cfssl
+ # https://github.com/coreos/etcd-ca
+ servername:
+ cafile:
+ keyfile:
+ certfile:
+
+ # Optional HTTP Proxy: must be a valid URL (including the scheme).
+ proxy:
diff --git a/contrib/helm/clair/templates/_helpers.tpl b/contrib/helm/clair/templates/_helpers.tpl
index e91cc6b6..b91f6746 100644
--- a/contrib/helm/clair/templates/_helpers.tpl
+++ b/contrib/helm/clair/templates/_helpers.tpl
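Review bot: The fallback connection string in `_config.yaml.tpl` hard-codes `?sslmode=disable`, so unless `config.postgresURI` is supplied the database password that this commit moves into a Secret still travels to PostgreSQL in cleartext inside the cluster, and a chart user cannot turn TLS on without overriding the whole URI. Make the mode a value with the current behaviour as its default, e.g. `...?sslmode={{ .Values.config.postgresSSLMode | default "disable" }}"` (new values key; name is a constructed suggestion). Separately, the `{{ else }}` and `{{ end }}` tags are not whitespace-trimmed like the `{{- if ... }}` above them, so the rendered file carries an indented blank line after `source:`; writing them as `{{- else }}` and `{{- end }}` keeps the Secret payload tidy, as the `range` blocks further down already do.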
@@ -2,19 +2,29 @@
 {{/* Expand the name of the chart. */}}
-{{- define "name" -}}
+{{- define "clair.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
 */}}
-{{- define "fullname" -}}
+{{- define "clair.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+{{- end -}}
+{{- end -}}
+
 {{/* Create a default fully qualified postgresql name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). */}}
diff --git a/contrib/helm/clair/templates/configmap.yaml b/contrib/helm/clair/templates/configmap.yaml
deleted file mode 100644
index 7c592bd4..00000000
--- a/contrib/helm/clair/templates/configmap.yaml
+++ /dev/null
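Review bot: The comment block above `clair.fullname` gains the release-name rule but says nothing about the `fullnameOverride` branch that now takes precedence over everything else, and the `values.yaml` hunk in this patch does not add a `fullnameOverride` entry, so chart users get no hint the knob exists. Add a line to that comment, `If fullnameOverride is set it is used as-is (truncated to 63 chars) and nameOverride is ignored.`, and, if values.yaml is meant to list every setting, an empty `fullnameOverride: ""` there. The `postgresql.fullname` definition that the new config template relies on starts after the end of this hunk, so I cannot confirm it was left consistent with the renamed helpers.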
@@ -1,92 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "fullname" . }}
- labels:
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-data:
- config.yaml: |
- clair:
- database:
- # Database driver
- type: pgsql
- options:
- # PostgreSQL Connection string
- # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
- # This should be done using secrets or Vault, but for now this will also work
- {{- if .Values.config.postgresURI }}
- source: "{{ .Values.config.postgresURI }}"
- {{ else }}
- source: "postgres://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@{{ template "postgresql.fullname" . }}:5432/{{ .Values.postgresql.postgresDatabase }}?sslmode=disable"
- {{ end }}
-
- # Number of elements kept in the cache
- # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
- cachesize: 16384
-
- # 32-bit URL-safe base64 key used to encrypt pagination tokens
- # If one is not provided, it will be generated.
- # Multiple clair instances in the same cluster need the same value.
- paginationkey: "{{ .Values.config.paginationKey }}"
- api:
- # v3 grpc/RESTful API server address
- addr: "0.0.0.0:6060"
-
- # Health server address
- # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server.
- healthaddr: "0.0.0.0:6061"
-
- # Deadline before an API request will respond with a 503
- timeout: 900s
-
- # Optional PKI configuration
- # If you want to easily generate client certificates and CAs, try the following projects:
- # https://github.com/coreos/etcd-ca
- # https://github.com/cloudflare/cfssl
- servername:
- cafile:
- keyfile:
- certfile:
-
- worker:
- namespace_detectors:
- {{- range $key, $value := .Values.config.enabledNamespaceDetectors }}
- - {{ $value }}
- {{- end }}
-
- feature_listers:
- {{- range $key, $value := .Values.config.enabledFeatureListers }}
- - {{ $value }}
- {{- end }}
-
- updater:
- # Frequency the database will be updated with vulnerabilities from the default data sources
- # The value 0 disables the updater entirely.
- interval: "{{ .Values.config.updateInterval }}"
- enabledupdaters:
- {{- range $key, $value := .Values.config.enabledUpdaters }}
- - {{ $value }}
- {{- end }}
-
- notifier:
- # Number of attempts before the notification is marked as failed to be sent
- attempts: 3
-
- # Duration before a failed notification is retried
- renotifyinterval: 2h
-
- http:
- # Optional endpoint that will receive notifications via POST requests
- endpoint: "{{ .Values.config.notificationWebhookEndpoint }}"
-
- # Optional PKI configuration
- # If you want to easily generate client certificates and CAs, try the following projects:
- # https://github.com/cloudflare/cfssl
- # https://github.com/coreos/etcd-ca
- servername:
- cafile:
- keyfile:
- certfile:
-
- # Optional HTTP Proxy: must be a valid URL (including the scheme).
- proxy:
diff --git a/contrib/helm/clair/templates/deployment.yaml b/contrib/helm/clair/templates/deployment.yaml
index 561bb0f9..8bbe297f 100644
--- a/contrib/helm/clair/templates/deployment.yaml
+++ b/contrib/helm/clair/templates/deployment.yaml
@@ -1,23 +1,26 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: {{ template "fullname" . }}
+ name: {{ template "clair.fullname" . }}
 labels:
- hertiage: {{ .Release.Service | quote }}
+ heritage: {{ .Release.Service | quote }}
 release: {{ .Release.Name | quote }}
 chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
- component: {{ .Release.Name }}
+ app: {{ template "clair.fullname" . }}
 spec:
 replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ template "clair.fullname" . }}
 template:
 metadata:
 labels:
- app: {{ template "fullname" . }}
+ app: {{ template "clair.fullname" . }}
 spec:
 volumes:
 - name: "{{ .Chart.Name }}-config"
- configMap:
- name: {{ template "fullname" . }}
+ secret:
+ secretName: {{ template "clair.fullname" . }}
 containers:
 - name: {{ .Chart.Name }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -26,10 +29,10 @@ spec:
 - "-log-level={{ .Values.logLevel }}"
 {{ if .Values.insecureTls }}- "--insecure-tls" {{end}}
 ports:
- - name: clair-api
+ - name: "{{ .Chart.Name }}-api"
 containerPort: {{ .Values.service.internalApiPort }}
 protocol: TCP
- - name: clair-health
+ - name: "{{ .Chart.Name }}-health"
 containerPort: {{ .Values.service.internalHealthPort }}
 protocol: TCP
 livenessProbe:
@@ -43,5 +46,6 @@ spec:
 volumeMounts:
 - name: "{{ .Chart.Name }}-config"
 mountPath: /etc/clair
+ readOnly: true
 resources:
 {{ toYaml .Values.resources | indent 10 }}
diff --git a/contrib/helm/clair/templates/ingress.yaml b/contrib/helm/clair/templates/ingress.yaml
index 7b1c5cdd..1256cc46 100644
--- a/contrib/helm/clair/templates/ingress.yaml
+++ b/contrib/helm/clair/templates/ingress.yaml
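Review bot: The pod template in the first hunk carries no checksum of the rendered config, so a `helm upgrade` that only changes values consumed by `_config.yaml.tpl` (the PostgreSQL password or the pagination key, for instance) rewrites the Secret from secret.yaml but leaves the running pods untouched, because nothing in the pod spec itself changes; as far as I can tell Clair reads `/etc/clair/config.yaml` once at start-up, so the old credentials stay in use until the pod happens to be recreated. Add under `template.metadata`: `annotations:` / `checksum/config: {{ include (print $.Template.BasePath "/_config.yaml.tpl") . | sha256sum }}`, which rolls the Deployment whenever the Secret content changes. The `readOnly: true` added to the mount in the third hunk is the right setting for a Secret-backed volume.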
@@ -1,15 +1,15 @@
 {{- if .Values.ingress.enabled -}}
-{{- $serviceName := include "fullname" . -}}
+{{- $serviceName := include "clair.fullname" . -}}
 {{- $servicePort := .Values.service.externalApiPort -}}
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
- name: {{ template "fullname" . }}
+ name: {{ template "clair.fullname" . }}
 labels:
- app: {{ template "fullname" . }}
+ heritage: {{ .Release.Service | quote }}
+ release: {{ .Release.Name | quote }}
 chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
- release: "{{ .Release.Name }}"
- heritage: "{{ .Release.Service }}"
+ app: {{ template "clair.fullname" . }}
 annotations:
 {{- range $key, $value := .Values.ingress.annotations }}
 {{ $key }}: {{ $value | quote }}
diff --git a/contrib/helm/clair/templates/secret.yaml b/contrib/helm/clair/templates/secret.yaml
new file mode 100644
index 00000000..238bb8f5
--- /dev/null
+++ b/contrib/helm/clair/templates/secret.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "clair.fullname" . }}
+ labels:
+ heritage: {{ .Release.Service | quote }}
+ release: {{ .Release.Name | quote }}
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+ app: {{ template "clair.fullname" . }}
+type: Opaque
+data:
+ config.yaml: |-
+{{ include (print .Template.BasePath "/_config.yaml.tpl") . | b64enc | indent 4 }}
diff --git a/contrib/helm/clair/templates/service.yaml b/contrib/helm/clair/templates/service.yaml
index 1f9d26e4..c50b177a 100644
--- a/contrib/helm/clair/templates/service.yaml
+++ b/contrib/helm/clair/templates/service.yaml
@@ -1,21 +1,22 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: {{ template "fullname" . }}
+ name: {{ template "clair.fullname" . }}
 labels:
+ heritage: {{ .Release.Service | quote }}
+ release: {{ .Release.Name | quote }}
 chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+ app: {{ template "clair.fullname" . }}
 spec:
 type: {{ .Values.service.type }}
 ports:
- - name: clair-api
+ - name: "{{ .Chart.Name }}-api"
 port: {{ .Values.service.externalApiPort }}
 targetPort: {{ .Values.service.internalApiPort }}
 protocol: TCP
- name: "{{ .Values.service.name }}-api"
- - name: clair-health
+ - name: "{{ .Chart.Name }}-health"
 port: {{ .Values.service.externalHealthPort }}
 targetPort: {{ .Values.service.internalHealthPort }}
 protocol: TCP
- name: "{{ .Values.service.name }}-health"
 selector:
- app: {{ template "fullname" . }}
+ app: {{ template "clair.fullname" . }}
diff --git a/contrib/helm/clair/values.yaml b/contrib/helm/clair/values.yaml
index 717eea37..b58b94fb 100644
--- a/contrib/helm/clair/values.yaml
+++ b/contrib/helm/clair/values.yaml
@@ -9,7 +9,6 @@ image:
 tag: latest
 pullPolicy: Always
 service:
- name: clair
 type: ClusterIP
 internalApiPort: 6060
 externalApiPort: 6060