Publish Helm Charts for version 3.0.59.0 (#27)
Source-Version: 4033d3ecf23563d9af65847752922f81da914608
roxbot committed Apr 29, 2021
1 parent eddaaa4 commit 2c80226
Showing 242 changed files with 18,177 additions and 3 deletions.
23 changes: 23 additions & 0 deletions 3.0.59.0/central-services/.helmignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
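Review bot: the ignore list covers only generic VCS, backup and IDE patterns and not the `values-private.yaml` file that the README in this same commit tells users to create for sensitive settings (administrator password, TLS private key). If a user keeps that file next to a local copy of the chart, `helm package` will bundle it into the archive. Consider adding `values-private.yaml` (or a `values-*.yaml` pattern) here, or at least a comment warning about it.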
7 changes: 7 additions & 0 deletions 3.0.59.0/central-services/Chart.yaml
@@ -0,0 +1,7 @@
apiVersion: v2 # Can probably be generalized to v1 later. TODO(ROX-5502).
name: stackrox-central-services
icon: https://www.stackrox.com/img/logo.svg
description: Helm Chart for StackRox Central Clusters
type: application
version: 59.0.0
appVersion: 3.0.59.0
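Review bot: the `TODO(ROX-5502)` comment on `apiVersion` ships to users in the published chart; since the README requires Helm 3.1 or newer, which reads `apiVersion: v2`, the note is only meaningful to maintainers and belongs in the tracking issue rather than in the artifact. The chart also declares no `kubeVersion` constraint, so a version mismatch surfaces as a template or apply error instead of an early, explicit failure from Helm.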
180 changes: 180 additions & 0 deletions 3.0.59.0/central-services/README.md
@@ -0,0 +1,180 @@
# StackRox Kubernetes Security Platform - Central Services Helm Chart

This Helm chart allows you to deploy the central services of the StackRox
Kubernetes Security Platform: StackRox Central and StackRox Scanner.

## Prerequisites

To deploy the central services for the StackRox Kubernetes Security platform
using Helm, you must:
- Have at least version 3.1 of the Helm tool installed on your machine
- Have credentials for the `stackrox.io` registry or the other image registry
you use.

## Add the Canonical Chart Location as a Helm Repository

The canonical repository for StackRox Helm charts is https://charts.stackrox.io.
To use StackRox Helm charts on your machine, run
```sh
helm repo add stackrox https://charts.stackrox.io
```
This command only needs to be run once on your machine. Whenever you are deploying
or upgrading a chart from a remote repository, it is advisable to run
```sh
helm repo update
```
beforehand.

## Deploy Central Services Using Helm

The basic command for deploying the central services is
```sh
helm install -n stackrox --create-namespace \
stackrox-central-services stackrox/central-services
```
If you have a copy of this chart on your machine, you can also reference the
path to this copy instead of `stackrox/central-services` above.

In order to be able to access StackRox Docker images, you also need image pull
credentials. There are several ways to inject the required credentials (if any)
into the installation process:
- **Explicitly specify username and password:** Use this if you are using the images
from the default registry (`stackrox.io`), or a registry that supports username/password
authentication. Pass the following arguments to the `helm install` command:
```sh
--set imagePullSecrets.username=<registry username> --set imagePullSecrets.password=<registry password>
```
- **Use pre-existing image pull secrets:** If you already have one or several image pull secrets
created in the namespace to which you are deploying, you can reference these in the following
way (we assume that your secrets are called `pull-secret-1` and `pull-secret-2`):
```sh
--set imagePullSecrets.useExisting="pull-secret-1;pull-secret-2"
```
- **Do not use image pull secrets:** If you are pulling your images from a registry in a private
network that does not require authentication, or if the default service account in the namespace
to which you are deploying is already configured with appropriate image pull secrets, you do
not need to specify any additional image pull secrets. To inform the installer that it does
not need to check for specified image pull secrets, pass the following option:
```sh
--set imagePullSecrets.allowNone=true
```

### Accessing the StackRox Portal After Deployment

Once you have deployed the StackRox Kubernetes Security Platform Central Services via
`helm install`, you will see an information text on the console that contains any things to
note, or warnings encountered during the installation text. In particular, it instructs you
how to connect to your Central deployment via port-forward (if you have not configured an
exposure method, see below), and the administrator password to use for the initial login.

### Applying Custom Configuration Options

This Helm chart has many different configuration options. For simple use cases, these can be
set directly on the `helm install` command line; however, we generally recommend that you
store your configuration in a dedicated file.

#### Using the `--set` family of command-line flags

This approach is the quickest way to customize the deployment, but it does not work for
more complex configuration settings. Via the `--set` and `--set-file` flags, which need to be
appended to your `helm install` invocation, you can inject configuration values into the
installation process. Here are some examples:
- **Deploy StackRox in offline mode:** This configures StackRox in a way such that it will not
reach out to any external endpoints.
```sh
--set env.offlineMode=true
```
- **Configure a fixed administrator password:** This sets the password with which you log in to
the StackRox portal as an administrator. If you do not configure a password yourself, one will
be created for you and printed as part of the installation notes.
```sh
--set central.adminPassword.value=mysupersecretpassword
```

#### Using configuration YAML files and the `-f` command-line flag

To ensure the best possible upgrade experience, it is recommended that you store all custom
configuration options in two files: `values-public.yaml` and `values-private.yaml`. The former
contains all non-sensitive configuration options (such as whether to run in offline mode), and the
latter contains all sensitive configuration options (such as the administrator password, or
custom TLS certificates). The `values-public.yaml` file can be stored in, for example, your Git
repository, while the `values-private.yaml` file should be stored in a secrets management
system.

There is a large number of configuration options that cannot all be discussed in minute detail
in this README file. However, the Helm chart contains example configuration files
`values-public.yaml.example` and `values-private.yaml.example`, that list all the available
configuration options, along with documentation. The following is just a brief example of what
can be configured via those files:
- **`values-public.yaml`:**
```yaml
env:
offlineMode: true # run in offline mode

central:
# Use custom resource overrides for central
resources:
requests:
cpu: 4
memory: "8Gi"
limits:
cpu: 8
memory: "16Gi"

# Expose central via a LoadBalancer service
exposure:
loadBalancer:
enabled: true

scanner:
# Run without StackRox Scanner (NOT RECOMMENDED)
disable: true

customize:
# Apply the important-service=true label for all objects managed by this chart.
labels:
important-service: true
# Set the CLUSTER=important-cluster environment variable for all containers in the
# central deployment:
central:
envVars:
CLUSTER: important-cluster
```
- **`values-private.yaml`**:
```yaml
central:
# Configure a default TLS certificate (public cert + private key) for central
defaultTLS:
cert: |
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
key: |
-----BEGIN EC PRIVATE KEY-----
MHc...
-----END EC PRIVATE KEY-----
```

After you have created these YAML files, you can inject the configuration options into the
installation process via the `-f` flag, i.e., by appending the following options to the
`helm install` invocation:
```sh
-f values-public.yaml -f values-private.yaml
```

### Changing Configuration Options After Deployment

If you wish to make any changes to the deployment, simply change the configuration options
in your `values-public.yaml` and/or `values-private.yaml` file(s), and inject them into an
`helm upgrade` invocation:
```sh
helm upgrade -n stackrox stackrox-central-services stackrox/central-services \
-f values-public.yaml \
-f values-private.yaml
```
Under most circumstances, you will not need to supply the `values-private.yaml` file, unless
you want changes to sensitive configuration options to be applied.

Of course you can also specify configuration values via the `--set` or `--set-file` command-line
flags. However, these options will be forgotten with the next `helm upgrade` invocation, unless
you supply them again.
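Review bot: the `--set central.adminPassword.value=mysupersecretpassword` example puts the administrator password on the command line, where it ends up in shell history and in the release's stored values (visible via `helm get values`). The README already recommends keeping sensitive options in `values-private.yaml` held in a secrets management system, so this example should point there (or to `--set-file`) instead of showing a literal password. Minor wording: "warnings encountered during the installation text" should read "installation notes".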
Binary file added 3.0.59.0/central-services/assets/icon.png
41 changes: 41 additions & 0 deletions 3.0.59.0/central-services/config-templates/scanner/config.yaml.tpl
@@ -0,0 +1,41 @@
{{- /*
This is the configuration file template for Scanner.
Except for in extremely rare circumstances, you DO NOT need to modify this file.
All config options that are possibly dynamic are templated out and can be modified
via `--set`/values-files specified via `-f`.
*/ -}}

# Configuration file for scanner.

scanner:
{{- if ne .Release.Namespace "stackrox" }}
centralEndpoint: https://central.{{ .Release.Namespace }}
{{- end }}
database:
# Database driver
type: pgsql
options:
# PostgreSQL Connection string
# https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
source: host=scanner-db.{{ .Release.Namespace }} port=5432 user=postgres sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} statement_timeout=60000

# Number of elements kept in the cache
# Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
cachesize: 16384

api:
httpsPort: 8080
grpcPort: 8081

updater:
# Frequency with which the scanner will poll for vulnerability updates.
interval: 5m
{{ if ._rox.env.offlineMode -}}
fetchFromCentral: true
{{- end }}

logLevel: {{ ._rox.scanner.logLevel }}

# The max size of files in images that are extracted. The scanner intentionally avoids extracting any files
# larger than this to prevent DoS attacks. Leave commmented to use a reasonable default.
# maxExtractableFileSizeMB: 200
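Review bot: the `sslmode` of the Scanner DB connection string drops from `verify-full` to `verify-ca` whenever the release is not in the `stackrox` namespace, which removes hostname verification for every non-default namespace without any explanation. Add a comment stating why (presumably the scanner-db certificate is issued for the `stackrox` name while `host=scanner-db.<namespace>` differs), so readers do not take it for an unintended downgrade, and consider issuing the certificate for the actual release namespace so `verify-full` can be used everywhere. Minor: "save prevent needless roundtrips" and "Leave commmented" in the comments.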
7 changes: 7 additions & 0 deletions 3.0.59.0/central-services/config/central/config.yaml.default
@@ -0,0 +1,7 @@
maintenance:
safeMode: false # When set to true, Central will sleep forever on the next restart
compaction:
enabled: true
bucketFillFraction: .5 # This controls how densely to compact the buckets. Usually not advised to modify
freeFractionThreshold: 0.75 # This is the threshold for free bytes / total bytes after which compaction will occur
forceRollbackVersion: none # This is the config and target rollback version after upgrade complete.
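Review bot: the comment on `forceRollbackVersion` ("This is the config and target rollback version after upgrade complete.") does not say what values other than `none` are accepted, when the setting is read, or what happens afterwards; spell out the expected format and the effect, since a user editing this file is about to trigger a rollback. Style: `.5` and `0.75` mix decimal styles on adjacent lines; write `0.5`.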
31 changes: 31 additions & 0 deletions 3.0.59.0/central-services/config/central/endpoints.yaml.default
@@ -0,0 +1,31 @@
# Sample endpoints.yaml configuration for StackRox Central.
#
# # CAREFUL: If the following line is uncommented, do not expose the default endpoint on port 8443 by default.
# # This will break normal operation.
# disableDefault: true # if true, don't serve on :8443
# endpoints:
# # Serve plaintext HTTP only on port 8080
# - listen: ":8080"
# # Backend protocols, possible values are 'http' and 'grpc'. If unset or empty, assume both.
# protocols:
# - http
# tls:
# # Disable TLS. If this is not specified, assume TLS is enabled.
# disable: true
# # Serve HTTP and gRPC for sensors only on port 8444
# - listen: ":8444"
# tls:
# # Which TLS certificates to serve, possible values are 'service' (StackRox-generated service certificates)
# # and 'default' (user-configured default TLS certificate). If unset or empty, assume both.
# serverCerts:
# - default
# - service
# # Client authentication settings.
# clientAuth:
# # Enforce TLS client authentication. If unset, do not enforce, only request certificates
# # opportunistically.
# required: true
# # Which TLS client CAs to serve, possible values are 'service' (CA for StackRox-generated service
# # certificates) and 'user' (CAs for PKI auth providers). If unset or empty, assume both.
# certAuthorities: # if not set, assume ["user", "service"]
# - service
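Review bot: the warning above `disableDefault` is hard to parse ("do not expose the default endpoint on port 8443 by default. This will break normal operation."); rephrase it as "If set to true, Central no longer serves on :8443; unless another endpoint serves both protocols over TLS, this breaks normal operation." The sample `:8080` endpoint with `tls: disable: true` should also carry a comment that it serves plaintext HTTP and is intended only behind a TLS-terminating proxy or on a trusted network, so that the sample is not copied as-is.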
26 changes: 26 additions & 0 deletions 3.0.59.0/central-services/config/proxy-config.yaml.default
@@ -0,0 +1,26 @@
# # NOTE: Both central and scanner should be restarted if this secret is changed.
# # While it is possible that some components will pick up the new proxy configuration
# # without a restart, it cannot be guaranteed that this will apply to every possible
# # integration etc.
# url: http://proxy.name:port
# username: username
# password: password
# # If the following value is set to true, the proxy wil NOT be excluded for the default hosts:
# # - *.stackrox, *.stackrox.svc
# # - localhost, localhost.localdomain, 127.0.0.0/8, ::1
# # - *.local
# omitDefaultExcludes: false
# excludes: # hostnames (may include * components) for which not to use a proxy, like in-cluster repositories.
# - some.domain
# # The following configuration sections allow specifying a different proxy to be used for HTTP(S) connections.
# # If they are omitted, the above configuration is used for HTTP(S) connections as well as TCP connections.
# # If only the `http` section is given, it will be used for HTTPS connections as well.
# # Note: in most cases, a single, global proxy configuration is sufficient.
# http:
# url: http://http-proxy.name:port
# username: username
# password: password
# https:
# url: http://https-proxy.name:port
# username: username
# password: password
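Review bot: the comment on `omitDefaultExcludes` reads as a double negative ("the proxy wil NOT be excluded for the default hosts"); say "if true, the default excludes listed below are dropped, so in-cluster and loopback traffic also goes through the proxy". Typo: "wil". It would also help to state that `excludes` entries are in addition to the defaults unless `omitDefaultExcludes` is true, since the two settings interact.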
16 changes: 16 additions & 0 deletions 3.0.59.0/central-services/internal/bootstrap-defaults.yaml.tpl
@@ -0,0 +1,16 @@
# This file contains defaults that need to be merged into our config struct before we can
# execute the "normal" defaulting logic. As a result, none of these values can be overridden
# by defaults specified in defaults.yaml and platforms/*.yaml - that is okay.

{{- if eq .Release.Name "test-release" }}
{{- include "srox.warn" (list . "You are using a release name that is reserved for tests. In order to allow linting to work, certain checks have been relaxed. If you are deploying to a real environment, we recommend that you choose a different release name.") }}
allowNonstandardNamespace: true
allowNonstandardReleaseName: true
{{- else }}
allowNonstandardNamespace: false
allowNonstandardReleaseName: false
{{- end }}

meta:
useLookup: true
fileOverrides: {}
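Review bot: `meta.useLookup` and `meta.fileOverrides` are undocumented here; a one-line comment on what each controls would help, especially since the header says these bootstrap values cannot be overridden from `defaults.yaml` or `platforms/*.yaml`. Also note in the comment that the relaxed namespace and release-name checks are keyed purely on the release name `test-release`, so the `srox.warn` message is the only signal a user gets if they pick that name for a real deployment.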
0 comments on commit 2c80226
