diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0925b04..12437e6 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -147,7 +147,7 @@ jobs: uses: helm/chart-testing-action@v2.6.0 - name: Run chart install - run: ct install --config .github/ct.yaml + run: ct install --excluded-charts tsm-audit-server --config .github/ct.yaml - name: Cleanup AWS Credentials if: always() diff --git a/charts/tsm-audit-server/.helmignore b/charts/tsm-audit-server/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/tsm-audit-server/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/tsm-audit-server/Chart.lock b/charts/tsm-audit-server/Chart.lock new file mode 100644 index 0000000..6b44ffd --- /dev/null +++ b/charts/tsm-audit-server/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: mongodb + repository: oci://registry-1.docker.io/bitnamicharts + version: 14.12.1 +digest: sha256:dbb872b4a0268fcc3af215b64b527a199f7acfbb40c01fa29140c78b82b9537a +generated: "2024-02-26T10:13:23.32287-06:00" diff --git a/charts/tsm-audit-server/Chart.yaml b/charts/tsm-audit-server/Chart.yaml new file mode 100644 index 0000000..dfcbdd9 --- /dev/null +++ b/charts/tsm-audit-server/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v2 +name: tsm-audit-server +description: A Helm chart to deploy a Blockdaemon TSM audit server to kubernetes +maintainers: + - name: Blockdaemon + email: sre@blockdaemon.com +type: application +version: 0.1.0 +appVersion: "v1.1.0" +dependencies: + - name: mongodb + version: 14.12.1 + repository: oci://registry-1.docker.io/bitnamicharts + condition: mongodb.enabled diff --git a/charts/tsm-audit-server/README.md b/charts/tsm-audit-server/README.md new file mode 100644 index 0000000..8f33db2 --- /dev/null +++ b/charts/tsm-audit-server/README.md @@ -0,0 +1,63 @@ +# tsm-audit-server + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.1.0](https://img.shields.io/badge/AppVersion-v1.1.0-informational?style=flat-square) + +A Helm chart to deploy a Blockdaemon TSM audit server to kubernetes + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Blockdaemon | | | + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| oci://registry-1.docker.io/bitnamicharts | mongodb | 14.12.1 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| config.configFile | string | `""` | the configuration file that will be mounted into the TSM audit server. MUTUALLY EXCLUSIVE with configSecretName | +| config.configSecretName | string | `""` | The name of the secret containing the TSM audit server configuration file. MUTUALLY EXCLUSIVE with configFile | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `""` | | +| image.tag | string | `""` | | +| imagePullSecrets | list | `[]` | | +| ingress.annotations | object | `{}` | | +| ingress.className | string | `""` | | +| ingress.enabled | bool | `false` | | +| ingress.hosts[0].host | string | `"chart-example.local"` | | +| ingress.hosts[0].paths[0].path | string | `"/"` | | +| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | +| ingress.tls | list | `[]` | | +| mongodb.enabled | bool | `false` | | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podAnnotations | object | `{}` | | +| podLabels | object | `{}` | | +| podSecurityContext | object | `{}` | | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| service.ports[0].name | string | `"log"` | | +| service.ports[0].port | int | `3000` | | +| service.ports[0].targetPort | int | `3000` | | +| service.ports[1].name | string | `"query"` | | +| service.ports[1].port | int | `8080` | | +| service.ports[1].targetPort | int | `8080` | | +| service.type | string | `"ClusterIP"` | | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.automount | bool | `true` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.name | string | `""` | | +| tolerations | list | `[]` | | +| volumeMounts | list | `[]` | | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/tsm-audit-server/ci/ingress.yaml b/charts/tsm-audit-server/ci/ingress.yaml new file mode 100644 index 0000000..2ca72ce --- /dev/null +++ b/charts/tsm-audit-server/ci/ingress.yaml @@ -0,0 +1,52 @@ +mongodb: + enabled: true + useStatefulSet: true + auth: + rootPassword: "" + disableJavascript: true +config: + configFile: | + [Database] + Host = "tsm-audit-mongodb:27017" + Username = "root" + Password = "" + + [LogServer] + Port = 3000 + PrivateKey = " + + [QueryServer] + Port = 8080 + CertificateFile = "" #HTTPS disabled + CertificateKeyFile = "" # HTTP disabled + + [TSM.demo] + Password = "" + PublicKeys = [ + "", + "", + ] + +image: + repository: "" + pullPolicy: Always + # Overrides the image tag whose default is the chart appVersion. + tag: "v1.1.0" + +service: + type: NodePort + +ingress: + enabled: true + className: "alb" + annotations: + alb.ingress.kubernetes.io/scheme: internet-facing + alb.ingress.kubernetes.io/certificate-arn: + alb.ingress.kubernetes.io/healthcheck-path: /ping + alb.ingress.kubernetes.io/success-codes: "204" + hosts: + - host: "tsm-audit.example.com" + paths: + - path: / + pathType: Prefix + port: 8080 diff --git a/charts/tsm-audit-server/templates/NOTES.txt b/charts/tsm-audit-server/templates/NOTES.txt new file mode 100644 index 0000000..d8eb754 --- /dev/null +++ b/charts/tsm-audit-server/templates/NOTES.txt @@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "tsm-audit-server.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "tsm-audit-server.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "tsm-audit-server.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "tsm-audit-server.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/charts/tsm-audit-server/templates/_helpers.tpl b/charts/tsm-audit-server/templates/_helpers.tpl new file mode 100644 index 0000000..f1faa02 --- /dev/null +++ b/charts/tsm-audit-server/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "tsm-audit-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "tsm-audit-server.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "tsm-audit-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "tsm-audit-server.labels" -}} +helm.sh/chart: {{ include "tsm-audit-server.chart" . }} +{{ include "tsm-audit-server.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "tsm-audit-server.selectorLabels" -}} +app.kubernetes.io/name: {{ include "tsm-audit-server.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "tsm-audit-server.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "tsm-audit-server.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/tsm-audit-server/templates/configmap.yaml b/charts/tsm-audit-server/templates/configmap.yaml new file mode 100644 index 0000000..cb482c1 --- /dev/null +++ b/charts/tsm-audit-server/templates/configmap.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "tsm-audit-server.fullname" . }} + labels: + {{- include "tsm-audit-server.labels" . | nindent 4 }} +data: + config.toml: | + {{- .Values.config.configFile | nindent 4 }} \ No newline at end of file diff --git a/charts/tsm-audit-server/templates/deployment.yaml b/charts/tsm-audit-server/templates/deployment.yaml new file mode 100644 index 0000000..a0383e0 --- /dev/null +++ b/charts/tsm-audit-server/templates/deployment.yaml @@ -0,0 +1,94 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "tsm-audit-server.fullname" . }} + labels: + {{- include "tsm-audit-server.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "tsm-audit-server.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "tsm-audit-server.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "tsm-audit-server.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + {{- range .Values.service.ports }} + - containerPort: {{ .targetPort }} + name: {{ .name }} + protocol: TCP + {{- end }} + {{- if .Values.env }} + env: + {{- range $key, $value := .Values.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- end }} + livenessProbe: + httpGet: + path: /ping + port: query + readinessProbe: + httpGet: + path: /ping + port: query + resources: + {{- toYaml .Values.resources | nindent 12 }} + + volumeMounts: + - name: config-volume + mountPath: /config + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + - name: config-volume + {{- if and .Values.config.configFile .Values.config.configSecretName }} + {{- fail "config.configFile and config.configSecretName are mutually exclusive" }} + {{- else if .Values.config.configFile }} + configMap: + name: {{ template "tsm-audit-server.fullname" . }} + {{- else if .Values.config.configSecretName }} + secret: + secretName: {{ .Values.config.configSecretName }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/tsm-audit-server/templates/ingress.yaml b/charts/tsm-audit-server/templates/ingress.yaml new file mode 100644 index 0000000..4639aba --- /dev/null +++ b/charts/tsm-audit-server/templates/ingress.yaml @@ -0,0 +1,58 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "tsm-audit-server.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "tsm-audit-server.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path | quote }} + pathType: {{ .pathType }} + backend: + service: + {{- if .serviceName }} + name: {{ .serviceName }} + {{- else }} + name: {{ $fullName }} + {{- end }} + port: + number: {{ .port }} + {{- end -}} + {{- end }} +{{- end }} diff --git a/charts/tsm-audit-server/templates/service.yaml b/charts/tsm-audit-server/templates/service.yaml new file mode 100644 index 0000000..dc0ef2c --- /dev/null +++ b/charts/tsm-audit-server/templates/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "tsm-audit-server.fullname" . }} + labels: + {{- include "tsm-audit-server.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + {{- range .Values.service.ports }} + - port: {{ .port }} + name: {{ .name }} + protocol: TCP + {{- end }} + selector: + {{- include "tsm-audit-server.selectorLabels" . | nindent 4 }} diff --git a/charts/tsm-audit-server/templates/serviceaccount.yaml b/charts/tsm-audit-server/templates/serviceaccount.yaml new file mode 100644 index 0000000..a84fbae --- /dev/null +++ b/charts/tsm-audit-server/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "tsm-audit-server.serviceAccountName" . }} + labels: + {{- include "tsm-audit-server.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automount }} +{{- end }} diff --git a/charts/tsm-audit-server/templates/tests/test-connection.yaml b/charts/tsm-audit-server/templates/tests/test-connection.yaml new file mode 100644 index 0000000..f7720e4 --- /dev/null +++ b/charts/tsm-audit-server/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "tsm-audit-server.fullname" . }}-test-connection" + labels: + {{- include "tsm-audit-server.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "tsm-audit-server.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/charts/tsm-audit-server/values.yaml b/charts/tsm-audit-server/values.yaml new file mode 100644 index 0000000..97d5335 --- /dev/null +++ b/charts/tsm-audit-server/values.yaml @@ -0,0 +1,110 @@ +mongodb: + enabled: false + +# Default values for tsm-audit-server. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +config: + # -- the configuration file that will be mounted into the TSM audit server. MUTUALLY EXCLUSIVE with configSecretName + configFile: "" + # -- The name of the secret containing the TSM audit server configuration file. MUTUALLY EXCLUSIVE with configFile + configSecretName: "" + +image: + repository: "" + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} +podLabels: {} + +podSecurityContext: + {} + # fsGroup: 2000 + +securityContext: + {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + ports: + - port: 3000 + name: log + targetPort: 3000 + - port: 8080 + name: query + targetPort: 8080 + +ingress: + enabled: false + className: "" + annotations: + {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: + {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +# Additional volumes on the output Deployment definition. +volumes: [] +# - name: foo +# secret: +# secretName: mysecret +# optional: false + +# Additional volumeMounts on the output Deployment definition. +volumeMounts: [] +# - name: foo +# mountPath: "/etc/foo" +# readOnly: true + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/examples/audit-server/README.md b/examples/audit-server/README.md new file mode 100644 index 0000000..329d27d --- /dev/null +++ b/examples/audit-server/README.md @@ -0,0 +1,61 @@ +# TSM Audit Server + +An example values file for deploying the Builder Vault audit server. + +For instructions on how to generate the keys needed here, go to the Builder Vault [documentation](https://builder-vault-tsm.docs.blockdaemon.com/docs/audit-server). + +``` +mongodb: + enabled: true + useStatefulSet: true + auth: + rootPassword: "" + disableJavascript: true +config: + configFile: | + [Database] + Host = "tsm-audit-mongodb:27017" + Username = "root" + Password = "" + + [LogServer] + Port = 3000 + PrivateKey = " + + [QueryServer] + Port = 8080 + CertificateFile = "" #HTTPS disabled + CertificateKeyFile = "" # HTTP disabled + + [TSM.demo] + Password = "" + PublicKeys = [ + "", + "", + ] + +image: + repository: + pullPolicy: Always + # Overrides the image tag whose default is the chart appVersion. + tag: "v1.1.0" + +service: + type: NodePort + +ingress: + enabled: true + className: "alb" + annotations: + alb.ingress.kubernetes.io/scheme: internet-facing + alb.ingress.kubernetes.io/certificate-arn: + alb.ingress.kubernetes.io/healthcheck-path: /ping + alb.ingress.kubernetes.io/success-codes: "204" + hosts: + - host: "tsm-audit.example.com" + paths: + - path: / + pathType: Prefix + port: 8080 + +``` \ No newline at end of file