chore(deploy): align static YAMLs with Helm templates (aquasecurity#799)
Resolves: aquasecurity#794

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
danielpacak authored Nov 10, 2021
1 parent 9fcabbf commit ec82095
Showing 10 changed files with 250 additions and 102 deletions.
21 changes: 21 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -20,6 +20,7 @@ These guidelines will help you get started with the Starboard project.
- [In Cluster](#in-cluster)
- [Out of Cluster](#out-of-cluster)
- [Uninstall](#uninstall)
- [Update Static YAML Manifests](#update-static-yaml-manifests)
- [Operator Lifecycle Manager (OLM)](#operator-lifecycle-manager-olm)
- [Install OLM](#install-olm)
- [Build the Catalog Image](#build-the-catalog-image)
Expand Down Expand Up @@ -255,6 +256,26 @@ kubectl delete -f deploy/crd/vulnerabilityreports.crd.yaml \
-f deploy/crd/ciskubebenchreports.crd.yaml
```

## Update Static YAML Manifests

```
mkdir -p $TMPDIR/starboard-helm-template
```

```
helm template starboard-operator ./deploy/helm \
--namespace starboard-system --create-namespace \
--set="targetNamespaces=default" \
--set="managedBy=kubectl" \
--output-dir=$TMPDIR/starboard-helm-template
```

```
cp $TMPDIR/starboard-helm-template/starboard-operator/templates/rbac.yaml deploy/static/02-starboard-operator.rbac.yaml
cp $TMPDIR/starboard-helm-template/starboard-operator/templates/config.yaml deploy/static/03-starboard-operator.config.yaml
cp $TMPDIR/starboard-helm-template/starboard-operator/templates/deployment.yaml deploy/static/04-starboard-operator.deployment.yaml
```

## Operator Lifecycle Manager (OLM)

### Install OLM
4 changes: 3 additions & 1 deletion deploy/helm/templates/_helpers.tpl
Expand Up @@ -35,12 +35,14 @@ Create chart name and version as used by the chart label.
Common labels
*/}}
{{- define "starboard-operator.labels" -}}
{{- if eq .Values.managedBy "Helm" -}}
helm.sh/chart: {{ include "starboard-operator.chart" . }}
{{ end -}}
{{ include "starboard-operator.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/managed-by: {{ .Values.managedBy }}
{{- end }}

{{/*
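Review bot: The new last line of the `starboard-operator.labels` define, `app.kubernetes.io/managed-by: {{ .Values.managedBy }}`, emits a user-supplied value unquoted and unvalidated, so an unset `managedBy` renders a null label and a value containing spaces or YAML specials mis-parses; label values are also limited by the API server to 63 characters of `[A-Za-z0-9_.-]`, which surfaces as an apply-time rejection rather than a template error. I would render it as `app.kubernetes.io/managed-by: {{ required "managedBy must be set (e.g. Helm or kubectl)" .Values.managedBy | quote }}`. Note too that `eq .Values.managedBy "Helm"` is case-sensitive, so `--set managedBy=helm` silently drops the `helm.sh/chart` label while still labelling the object as managed by `helm`; a comment above the `if` such as `{{/* helm.sh/chart is only meaningful for Helm-managed releases; managedBy must be exactly "Helm" */}}` would make that contract explicit.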
100 changes: 68 additions & 32 deletions deploy/helm/templates/config.yaml
Expand Up @@ -6,45 +6,58 @@ metadata:
labels:
{{- include "starboard-operator.labels" . | nindent 4 }}
data:
scanJob.tolerations: {{ .Values.starboard.scanJobTolerations | toJson | quote }}
scanJob.annotations: {{ .Values.starboard.scanJobAnnotations | quote }}
{{- with .Values.starboard.scanJobTolerations }}
scanJob.tolerations: {{ . | toJson | quote }}
{{- end }}
{{- with .Values.starboard.scanJobAnnotations }}
scanJob.annotations: {{ . | quote }}
{{- end }}
{{- if .Values.operator.vulnerabilityScannerEnabled }}
vulnerabilityReports.scanner: {{ .Values.starboard.vulnerabilityReportsPlugin | quote }}
{{- end }}
{{- if .Values.operator.kubernetesBenchmarkEnabled }}
kube-bench.imageRef: {{ required ".Values.kubeBench.imageRef is required" .Values.kubeBench.imageRef | quote }}
{{- end }}
{{- if .Values.operator.configAuditScannerEnabled }}
configAuditReports.scanner: {{ .Values.starboard.configAuditReportsPlugin | quote }}
{{- end }}
{{- if .Values.operator.kubernetesBenchmarkEnabled }}
kube-bench.imageRef: {{ required ".Values.kubeBench.imageRef is required" .Values.kubeBench.imageRef | quote }}
{{- end }}
---
apiVersion: v1
kind: Secret
metadata:
name: starboard
labels:
{{- include "starboard-operator.labels" . | nindent 4 }}
{{- if eq .Values.starboard.vulnerabilityReportsPlugin "Trivy" }}
{{- with .Values.trivy }}
{{- if .createConfig }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: starboard-trivy-config
labels:
{{- include "starboard-operator.labels" . | nindent 4 }}
{{- include "starboard-operator.labels" $ | nindent 4 }}
data:
trivy.imageRef: {{ required ".Values.trivy.imageRef is required" .Values.trivy.imageRef | quote }}
trivy.mode: {{ .Values.trivy.mode | quote }}
{{- if .Values.trivy.httpProxy }}
trivy.httpProxy: {{ .Values.trivy.httpProxy | quote }}
trivy.imageRef: {{ required ".Values.trivy.imageRef is required" .imageRef | quote }}
trivy.mode: {{ .mode | quote }}
{{- if .httpProxy }}
trivy.httpProxy: {{ .httpProxy | quote }}
{{- end }}
{{- if .Values.trivy.httpsProxy }}
trivy.httpsProxy: {{ .Values.trivy.httpsProxy | quote }}
{{- if .httpsProxy }}
trivy.httpsProxy: {{ .httpsProxy | quote }}
{{- end }}
{{- if .Values.trivy.noProxy }}
trivy.noProxy: {{ .Values.trivy.noProxy | quote }}
{{- if .noProxy }}
trivy.noProxy: {{ .noProxy | quote }}
{{- end }}
trivy.severity: {{ .Values.trivy.severity | quote }}
{{- if .Values.trivy.ignoreUnfixed }}
trivy.ignoreUnfixed: {{ .Values.trivy.ignoreUnfixed | quote }}
trivy.severity: {{ .severity | quote }}
{{- if .ignoreUnfixed }}
trivy.ignoreUnfixed: {{ .ignoreUnfixed | quote }}
{{- end }}
{{- if eq .Values.trivy.mode "ClientServer" }}
trivy.serverURL: {{ required ".Values.trivy.serverURL is required" .Values.trivy.serverURL | quote }}
{{- if eq .mode "ClientServer" }}
trivy.serverURL: {{ required ".Values.trivy.serverURL is required" .serverURL | quote }}
{{- end }}
{{- with .Values.trivy.resources }}
{{- with .resources }}
{{- with .requests }}
{{- if .cpu }}
trivy.resources.requests.cpu: {{ .cpu }}
Expand All @@ -68,9 +81,8 @@ kind: Secret
metadata:
name: starboard-trivy-config
labels:
{{- include "starboard-operator.labels" . | nindent 4 }}
{{- include "starboard-operator.labels" $ | nindent 4 }}
data:
{{- with .Values.trivy }}
{{- if .githubToken }}
trivy.githubToken: {{ .githubToken | b64enc | quote }}
{{- end }}
Expand All @@ -82,35 +94,59 @@ data:
trivy.serverCustomHeaders: {{ .serverCustomHeaders | b64enc | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if eq .Values.starboard.configAuditReportsPlugin "Conftest" }}
{{- with .Values.conftest }}
{{- if .createConfig }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: starboard-conftest-config
labels:
{{- include "starboard-operator.labels" . | nindent 4 }}
{{- include "starboard-operator.labels" $ | nindent 4 }}
data:
conftest.imageRef: {{ required ".Values.conftest.imageRef is required" .Values.conftest.imageRef | quote }}
conftest.resources.requests.cpu: {{ .Values.conftest.resources.requests.cpu | quote }}
conftest.resources.requests.memory: {{ .Values.conftest.resources.requests.memory | quote }}
conftest.resources.limits.cpu: {{ .Values.conftest.resources.limits.cpu | quote }}
conftest.resources.limits.memory: {{ .Values.conftest.resources.limits.memory | quote }}
conftest.imageRef: {{ required ".Values.conftest.imageRef is required" .imageRef | quote }}
{{- with .resources }}
conftest.resources.requests.cpu: {{ .requests.cpu | quote }}
conftest.resources.requests.memory: {{ .requests.memory | quote }}
conftest.resources.limits.cpu: {{ .limits.cpu | quote }}
conftest.resources.limits.memory: {{ .limits.memory | quote }}
{{- end }}
{{- range $key, $val := .library }}
conftest.library.{{ $key }}: {{ $val | quote }}
{{- end }}
{{- range $key, $val := .policy }}
conftest.policy.{{ $key }}.rego: {{ $val.rego | quote }}
conftest.policy.{{ $key }}.kinds: {{ $val.kinds | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if eq .Values.starboard.configAuditReportsPlugin "Polaris" }}
{{- with .Values.polaris }}
{{- if .createConfig }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: starboard-polaris-config
labels:
{{- include "starboard-operator.labels" . | nindent 4 }}
{{- include "starboard-operator.labels" $ | nindent 4 }}
data:
polaris.imageRef: {{ required ".Values.polaris.imageRef is required" .Values.polaris.imageRef | quote }}
polaris.imageRef: {{ required ".Values.polaris.imageRef is required" .imageRef | quote }}
{{- with .resources }}
polaris.resources.requests.cpu: {{ .requests.cpu | quote }}
polaris.resources.requests.memory: {{ .requests.memory | quote }}
polaris.resources.limits.cpu: {{ .limits.cpu | quote }}
polaris.resources.limits.memory: {{ .limits.memory | quote }}
{{- end }}
polaris.config.yaml: |
{{- toYaml .Values.polaris.config | nindent 4 }}
{{- toYaml .config | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- if eq .Values.starboard.vulnerabilityReportsPlugin "Aqua" }}
---
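Review bot: In the new Conftest and Polaris ConfigMap blocks, `{{- with .resources }}` only guards against `resources` being absent entirely; the lines inside it still dereference `.requests.cpu`, `.requests.memory`, `.limits.cpu` and `.limits.memory` unconditionally, so a values file that sets only `limits` (or only `requests`) fails at render time with a nil-pointer error instead of omitting the missing keys. The Trivy block earlier in the same file already handles this with nested `with .requests` / `with .limits` guards, so the two plugin blocks should follow that shape. A sketch for Conftest follows; the Polaris block is identical apart from the `polaris.` key prefix.
```yaml
{{- with .resources }}
{{- with .requests }}
conftest.resources.requests.cpu: {{ .cpu | quote }}
conftest.resources.requests.memory: {{ .memory | quote }}
{{- end }}
{{- with .limits }}
conftest.resources.limits.cpu: {{ .cpu | quote }}
conftest.resources.limits.memory: {{ .memory | quote }}
{{- end }}
{{- end }}
```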
62 changes: 31 additions & 31 deletions deploy/helm/templates/deployment.yaml
Expand Up @@ -26,67 +26,73 @@ metadata:
{{- include "starboard-operator.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.operator.replicas }}
strategy:
type: Recreate
selector:
matchLabels:
{{- include "starboard-operator.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- with .Values.podAnnotations }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end }}
labels:
{{- include "starboard-operator.selectorLabels" . | nindent 8 }}
spec:
serviceAccountName: {{ include "starboard-operator.serviceAccountName" . }}
automountServiceAccountToken: true
containers:
- name: "{{ .Chart.Name }}"
- name: {{ .Chart.Name | quote }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
{{- with .Values.image.pullPolicy }}
imagePullPolicy: {{ . }}
{{- end }}
env:
- name: OPERATOR_NAMESPACE
value: {{ .Release.Namespace | quote }}
- name: OPERATOR_TARGET_NAMESPACES
value: {{ tpl .Values.targetNamespaces . | quote }}
- name: OPERATOR_SERVICE_ACCOUNT
value: {{ include "starboard-operator.serviceAccountName" . }}
{{- if gt (int .Values.operator.replicas) 1 }}
- name: OPERATOR_LEADER_ELECTION_ENABLED
value: "true"
{{- end }}
{{- if gt (int .Values.operator.replicas) 1 }}
- name: OPERATOR_LEADER_ELECTION_ID
value: {{ .Values.operator.leaderElectionId | quote }}
{{- end }}
value: {{ include "starboard-operator.serviceAccountName" . | quote }}
- name: OPERATOR_LOG_DEV_MODE
value: {{ .Values.operator.logDevMode | quote }}
- name: OPERATOR_SCAN_JOB_TIMEOUT
value: {{ .Values.operator.scanJobTimeout | quote }}
- name: OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT
value: {{ .Values.operator.scanJobsConcurrentLimit | quote }}
- name: OPERATOR_SCAN_JOB_RETRY_AFTER
value: {{ .Values.operator.scanJobsRetryDelay | quote }}
- name: OPERATOR_BATCH_DELETE_LIMIT
value: {{ .Values.operator.batchDeleteLimit | quote }}
- name: OPERATOR_BATCH_DELETE_DELAY
value: {{ .Values.operator.batchDeleteDelay | quote }}
- name: OPERATOR_METRICS_BIND_ADDRESS
value: ":8080"
- name: OPERATOR_HEALTH_PROBE_BIND_ADDRESS
value: ":9090"
- name: OPERATOR_LOG_DEV_MODE
value: {{ .Values.operator.logDevMode | quote }}
- name: OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED
value: {{ .Values.operator.kubernetesBenchmarkEnabled | quote }}
- name: OPERATOR_VULNERABILITY_SCANNER_ENABLED
value: {{ .Values.operator.vulnerabilityScannerEnabled | quote }}
- name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED
value: {{ .Values.operator.configAuditScannerEnabled | quote }}
- name: OPERATOR_BATCH_DELETE_LIMIT
value: {{ .Values.operator.batchDeleteLimit | quote }}
- name: OPERATOR_BATCH_DELETE_DELAY
value: {{ .Values.operator.batchDeleteDelay | quote }}
{{- if gt (int .Values.operator.replicas) 1 }}
- name: OPERATOR_LEADER_ELECTION_ENABLED
value: "true"
- name: OPERATOR_LEADER_ELECTION_ID
value: {{ .Values.operator.leaderElectionId | quote }}
{{- end }}
ports:
# metrics port is exposed by the k8s Service and by default also
# have annotations which will help prometheus as a target for
# scraping of metrics
- name: metrics
containerPort: 8080
# probes port is not exposed by the k8s Service and used directly by
# kubelet for the readinessProbe and livenessProbe
- name: probes
containerPort: 9090
readinessProbe:
httpGet:
path: /readyz/
port: probes
initialDelaySeconds: 0
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
Expand All @@ -104,18 +110,12 @@ spec:
securityContext:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.image.pullPolicy }}
imagePullPolicy: {{ . }}
{{- end }}
{{- with .Values.image.pullSecrets }}
imagePullSecrets:
{{- . | toYaml | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "starboard-operator.serviceAccountName" . }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- .Values.podSecurityContext | toYaml | nindent 8 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
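Review bot: Dropping the `with` guard around the pod-level `securityContext` in the second hunk means an unset `podSecurityContext` now renders as `securityContext: null` (or `{}` if values default to an empty map), an explicit "no restrictions" stanza, while the container-level `securityContext` at the top of that same hunk stays inside a `with` guard whose opening line is cut off above the hunk. Either keep both conditional, or, preferably for an operator pod that runs with `automountServiceAccountToken: true`, keep the pod context unconditional and ship a hardening default in values (`runAsNonRoot: true`, `seccompProfile: {type: RuntimeDefault}`); values.yaml is not part of this commit, so I cannot confirm what it currently holds. If the unconditional form stays, a comment such as `# podSecurityContext is always emitted; set it in values.yaml to enforce runAsNonRoot/seccomp for the operator pod` above the `securityContext:` key would make the intent clear to the next reader.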