From 2c80226c21f416a8e59b5c5eb96a005719a2aa67 Mon Sep 17 00:00:00 2001 
From: roxbot Date: Thu, 29 Apr 2021 18:13:56 +0000 Subject: [PATCH] Publish Helm Charts for version 3.0.59.0 (#27) Source-Version: 4033d3ecf23563d9af65847752922f81da914608 --- 3.0.59.0/central-services/.helmignore | 23 + 3.0.59.0/central-services/Chart.yaml | 7 + 3.0.59.0/central-services/README.md | 180 +++++++ 3.0.59.0/central-services/assets/icon.png | Bin 0 -> 13406 bytes .../config-templates/scanner/config.yaml.tpl | 41 ++ .../config/central/config.yaml.default | 7 + .../config/central/endpoints.yaml.default | 31 ++ .../config/proxy-config.yaml.default | 26 + .../internal/bootstrap-defaults.yaml.tpl | 16 + .../internal/config-shape.yaml | 137 +++++ .../central-services/internal/defaults.yaml | 78 +++ .../internal/expandables.yaml | 38 ++ .../internal/platforms/default.yaml | 2 + .../internal/platforms/gke.yaml | 2 + ...re-resource-metadata-for-helm-migration.sh | 124 +++++ .../templates/00-additional-ca.yaml | 21 + .../templates/00-image-pull-secret.yaml | 18 + .../templates/00-proxy-config-secret.yaml | 20 + .../templates/00-stackrox-application.yaml | 114 ++++ .../templates/00-storage-class.yaml | 27 + .../01-central-00-serviceaccount.yaml | 16 + .../01-central-01-license-secret.yaml | 21 + .../templates/01-central-02-security.yaml | 121 +++++ .../01-central-03-diagnostics-rbac.yaml | 37 ++ .../01-central-04-htpasswd-secret.yaml | 22 + .../templates/01-central-05-tls-secret.yaml | 31 ++ ...01-central-06-default-tls-cert-secret.yaml | 22 + .../templates/01-central-08-configmap.yaml | 14 + .../01-central-09-endpoints-config.yaml | 17 + .../01-central-10-networkpolicy.yaml | 42 ++ .../templates/01-central-11-pvc.yaml | 63 +++ .../templates/01-central-12-deployment.yaml | 192 +++++++ .../templates/01-central-13-service.yaml | 40 ++ .../templates/01-central-14-exposure.yaml | 89 ++++ .../02-scanner-00-serviceaccount.yaml | 19 + .../templates/02-scanner-01-security.yaml | 113 ++++ .../02-scanner-02-db-password-secret.yaml | 27 + 
.../templates/02-scanner-03-tls-secret.yaml | 55 ++ .../02-scanner-04-scanner-config.yaml | 18 + .../02-scanner-05-network-policy.yaml | 57 ++ .../templates/02-scanner-06-deployment.yaml | 285 ++++++++++ .../templates/02-scanner-07-service.yaml | 94 ++++ .../templates/02-scanner-08-hpa.yaml | 25 + .../templates/99-generated-values-secret.yaml | 25 + 3.0.59.0/central-services/templates/NOTES.txt | 49 ++ .../templates/_central_endpoints.tpl | 54 ++ .../templates/_central_setup.tpl | 101 ++++ .../central-services/templates/_crypto.tpl | 239 +++++++++ 3.0.59.0/central-services/templates/_dict.tpl | 142 +++++ .../central-services/templates/_expand.tpl | 89 ++++ .../central-services/templates/_format.tpl | 14 + .../central-services/templates/_helpers.tpl | 68 +++ .../templates/_image-pull-secrets.tpl | 86 ++++ .../central-services/templates/_images.tpl | 34 ++ 3.0.59.0/central-services/templates/_init.tpl | 282 ++++++++++ .../central-services/templates/_lookup.tpl | 40 ++ .../central-services/templates/_metadata.tpl | 200 +++++++ .../central-services/templates/_reporting.tpl | 34 ++ .../values-private.yaml.example | 157 ++++++ .../values-public.yaml.example | 381 ++++++++++++++ 3.0.59.0/central-services/values.yaml | 292 +++++++++++ 3.0.59.0/secured-cluster-services/.helmignore | 23 + 3.0.59.0/secured-cluster-services/Chart.yaml | 7 + 3.0.59.0/secured-cluster-services/README.md | 487 ++++++++++++++++++ .../secured-cluster-services/assets/icon.png | Bin 0 -> 13406 bytes .../feature-flag-values.yaml | 28 + .../internal/cluster-config.yaml.tpl | 30 ++ .../internal/compatibility-translation.yaml | 137 +++++ .../internal/config-shape.yaml | 122 +++++ .../internal/defaults/00-bootstrap.yaml | 15 + .../internal/defaults/10-env.yaml | 20 + .../internal/defaults/20-tls-files.yaml | 23 + .../internal/defaults/30-base-config.yaml | 46 ++ .../internal/defaults/40-resources.yaml | 36 ++ .../internal/defaults/50-images.yaml | 66 +++ .../internal/defaults/whats-this.md | 39 ++ 
.../internal/expandables.yaml | 30 ++ .../scripts/fetch-secrets.sh | 41 ++ .../fetched-secrets-bundle-ca-only.yaml.tpl | 9 + .../scripts/fetched-secrets-bundle.yaml.tpl | 35 ++ .../sensor-chart-upgrade.md | 159 ++++++ .../00-collector-image-pull-secrets.yaml | 18 + .../templates/00-main-image-pull-secrets.yaml | 18 + .../templates/NOTES.txt | 38 ++ .../templates/_compatibility.tpl | 51 ++ .../templates/_defaults.tpl | 35 ++ .../templates/_dict.tpl | 142 +++++ .../templates/_expand.tpl | 96 ++++ .../templates/_helpers.tpl | 68 +++ .../templates/_image-pull-secrets.tpl | 86 ++++ .../templates/_images.tpl | 34 ++ .../templates/_init.tpl | 206 ++++++++ .../templates/_lookup.tpl | 40 ++ .../templates/_metadata.tpl | 187 +++++++ .../templates/_reporting.tpl | 34 ++ .../templates/additional-ca-sensor.yaml | 19 + .../admission-controller-netpol.yaml | 46 ++ .../admission-controller-pod-security.yaml | 75 +++ .../templates/admission-controller-rbac.yaml | 50 ++ .../templates/admission-controller-scc.yaml | 44 ++ .../admission-controller-secret.yaml | 30 ++ .../templates/admission-controller.yaml | 241 +++++++++ .../templates/cluster-config.yaml | 14 + .../templates/collector-netpol.yaml | 42 ++ .../templates/collector-pod-security.yaml | 70 +++ .../templates/collector-rbac.yaml | 16 + .../templates/collector-scc.yaml | 45 ++ .../templates/collector-secret.yaml | 30 ++ .../templates/collector.yaml | 156 ++++++ .../templates/sensor-netpol.yaml | 59 +++ .../templates/sensor-pod-security.yaml | 80 +++ .../templates/sensor-rbac.yaml | 284 ++++++++++ .../templates/sensor-scc.yaml | 47 ++ .../templates/sensor-secret.yaml | 30 ++ .../templates/sensor.yaml | 250 +++++++++ .../templates/service-ca.yaml | 16 + .../templates/upgrader-serviceaccount.yaml | 36 ++ .../values-private.yaml.example | 19 + .../values-public.yaml.example | 354 +++++++++++++ 3.0.59.0/secured-cluster-services/values.yaml | 9 + README.md | 4 +- latest | 2 +- rhacs/3.0.59.0/central-services/.helmignore | 23 + 
rhacs/3.0.59.0/central-services/Chart.yaml | 7 + rhacs/3.0.59.0/central-services/README.md | 180 +++++++ .../3.0.59.0/central-services/assets/icon.png | Bin 0 -> 13406 bytes .../config-templates/scanner/config.yaml.tpl | 41 ++ .../config/central/config.yaml.default | 7 + .../config/central/endpoints.yaml.default | 31 ++ .../config/proxy-config.yaml.default | 26 + .../internal/bootstrap-defaults.yaml.tpl | 16 + .../internal/config-shape.yaml | 137 +++++ .../central-services/internal/defaults.yaml | 78 +++ .../internal/expandables.yaml | 38 ++ .../internal/platforms/default.yaml | 2 + .../internal/platforms/gke.yaml | 2 + ...re-resource-metadata-for-helm-migration.sh | 124 +++++ .../templates/00-additional-ca.yaml | 21 + .../templates/00-image-pull-secret.yaml | 18 + .../templates/00-proxy-config-secret.yaml | 20 + .../templates/00-stackrox-application.yaml | 114 ++++ .../templates/00-storage-class.yaml | 27 + .../01-central-00-serviceaccount.yaml | 16 + .../01-central-01-license-secret.yaml | 21 + .../templates/01-central-02-security.yaml | 121 +++++ .../01-central-03-diagnostics-rbac.yaml | 37 ++ .../01-central-04-htpasswd-secret.yaml | 22 + .../templates/01-central-05-tls-secret.yaml | 31 ++ ...01-central-06-default-tls-cert-secret.yaml | 22 + .../templates/01-central-08-configmap.yaml | 14 + .../01-central-09-endpoints-config.yaml | 17 + .../01-central-10-networkpolicy.yaml | 42 ++ .../templates/01-central-11-pvc.yaml | 63 +++ .../templates/01-central-12-deployment.yaml | 192 +++++++ .../templates/01-central-13-service.yaml | 40 ++ .../templates/01-central-14-exposure.yaml | 89 ++++ .../02-scanner-00-serviceaccount.yaml | 19 + .../templates/02-scanner-01-security.yaml | 113 ++++ .../02-scanner-02-db-password-secret.yaml | 27 + .../templates/02-scanner-03-tls-secret.yaml | 55 ++ .../02-scanner-04-scanner-config.yaml | 18 + .../02-scanner-05-network-policy.yaml | 57 ++ .../templates/02-scanner-06-deployment.yaml | 285 ++++++++++ 
.../templates/02-scanner-07-service.yaml | 94 ++++ .../templates/02-scanner-08-hpa.yaml | 25 + .../templates/99-generated-values-secret.yaml | 25 + .../central-services/templates/NOTES.txt | 49 ++ .../templates/_central_endpoints.tpl | 54 ++ .../templates/_central_setup.tpl | 101 ++++ .../central-services/templates/_crypto.tpl | 239 +++++++++ .../central-services/templates/_dict.tpl | 142 +++++ .../central-services/templates/_expand.tpl | 89 ++++ .../central-services/templates/_format.tpl | 14 + .../central-services/templates/_helpers.tpl | 68 +++ .../templates/_image-pull-secrets.tpl | 86 ++++ .../central-services/templates/_images.tpl | 34 ++ .../central-services/templates/_init.tpl | 282 ++++++++++ .../central-services/templates/_lookup.tpl | 40 ++ .../central-services/templates/_metadata.tpl | 200 +++++++ .../central-services/templates/_reporting.tpl | 34 ++ .../values-private.yaml.example | 157 ++++++ .../values-public.yaml.example | 381 ++++++++++++++ rhacs/3.0.59.0/central-services/values.yaml | 292 +++++++++++ .../secured-cluster-services/.helmignore | 23 + .../secured-cluster-services/Chart.yaml | 7 + .../secured-cluster-services/README.md | 487 ++++++++++++++++++ .../secured-cluster-services/assets/icon.png | Bin 0 -> 13406 bytes .../feature-flag-values.yaml | 28 + .../internal/cluster-config.yaml.tpl | 30 ++ .../internal/compatibility-translation.yaml | 137 +++++ .../internal/config-shape.yaml | 122 +++++ .../internal/defaults/00-bootstrap.yaml | 15 + .../internal/defaults/10-env.yaml | 20 + .../internal/defaults/20-tls-files.yaml | 23 + .../internal/defaults/30-base-config.yaml | 46 ++ .../internal/defaults/40-resources.yaml | 36 ++ .../internal/defaults/50-images.yaml | 66 +++ .../internal/defaults/whats-this.md | 39 ++ .../internal/expandables.yaml | 30 ++ .../scripts/fetch-secrets.sh | 41 ++ .../fetched-secrets-bundle-ca-only.yaml.tpl | 9 + .../scripts/fetched-secrets-bundle.yaml.tpl | 35 ++ .../sensor-chart-upgrade.md | 159 ++++++ 
.../00-collector-image-pull-secrets.yaml | 18 + .../templates/00-main-image-pull-secrets.yaml | 18 + .../templates/NOTES.txt | 38 ++ .../templates/_compatibility.tpl | 51 ++ .../templates/_defaults.tpl | 35 ++ .../templates/_dict.tpl | 142 +++++ .../templates/_expand.tpl | 96 ++++ .../templates/_helpers.tpl | 68 +++ .../templates/_image-pull-secrets.tpl | 86 ++++ .../templates/_images.tpl | 34 ++ .../templates/_init.tpl | 206 ++++++++ .../templates/_lookup.tpl | 40 ++ .../templates/_metadata.tpl | 187 +++++++ .../templates/_reporting.tpl | 34 ++ .../templates/additional-ca-sensor.yaml | 19 + .../admission-controller-netpol.yaml | 46 ++ .../admission-controller-pod-security.yaml | 75 +++ .../templates/admission-controller-rbac.yaml | 50 ++ .../templates/admission-controller-scc.yaml | 44 ++ .../admission-controller-secret.yaml | 30 ++ .../templates/admission-controller.yaml | 241 +++++++++ .../templates/cluster-config.yaml | 14 + .../templates/collector-netpol.yaml | 42 ++ .../templates/collector-pod-security.yaml | 70 +++ .../templates/collector-rbac.yaml | 16 + .../templates/collector-scc.yaml | 45 ++ .../templates/collector-secret.yaml | 30 ++ .../templates/collector.yaml | 156 ++++++ .../templates/sensor-netpol.yaml | 59 +++ .../templates/sensor-pod-security.yaml | 80 +++ .../templates/sensor-rbac.yaml | 284 ++++++++++ .../templates/sensor-scc.yaml | 47 ++ .../templates/sensor-secret.yaml | 30 ++ .../templates/sensor.yaml | 250 +++++++++ .../templates/service-ca.yaml | 16 + .../templates/upgrader-serviceaccount.yaml | 36 ++ .../values-private.yaml.example | 19 + .../values-public.yaml.example | 354 +++++++++++++ .../secured-cluster-services/values.yaml | 9 + 242 files changed, 18177 insertions(+), 3 deletions(-) create mode 100644 3.0.59.0/central-services/.helmignore create mode 100644 3.0.59.0/central-services/Chart.yaml create mode 100644 3.0.59.0/central-services/README.md create mode 100644 3.0.59.0/central-services/assets/icon.png create mode 100644 
3.0.59.0/central-services/config-templates/scanner/config.yaml.tpl create mode 100644 3.0.59.0/central-services/config/central/config.yaml.default create mode 100644 3.0.59.0/central-services/config/central/endpoints.yaml.default create mode 100644 3.0.59.0/central-services/config/proxy-config.yaml.default create mode 100644 3.0.59.0/central-services/internal/bootstrap-defaults.yaml.tpl create mode 100644 3.0.59.0/central-services/internal/config-shape.yaml create mode 100644 3.0.59.0/central-services/internal/defaults.yaml create mode 100644 3.0.59.0/central-services/internal/expandables.yaml create mode 100644 3.0.59.0/central-services/internal/platforms/default.yaml create mode 100644 3.0.59.0/central-services/internal/platforms/gke.yaml create mode 100755 3.0.59.0/central-services/scripts/prepare-resource-metadata-for-helm-migration.sh create mode 100644 3.0.59.0/central-services/templates/00-additional-ca.yaml create mode 100644 3.0.59.0/central-services/templates/00-image-pull-secret.yaml create mode 100644 3.0.59.0/central-services/templates/00-proxy-config-secret.yaml create mode 100644 3.0.59.0/central-services/templates/00-stackrox-application.yaml create mode 100644 3.0.59.0/central-services/templates/00-storage-class.yaml create mode 100644 3.0.59.0/central-services/templates/01-central-00-serviceaccount.yaml create mode 100644 3.0.59.0/central-services/templates/01-central-01-license-secret.yaml create mode 100644 3.0.59.0/central-services/templates/01-central-02-security.yaml create mode 100644 3.0.59.0/central-services/templates/01-central-03-diagnostics-rbac.yaml create mode 100644 3.0.59.0/central-services/templates/01-central-04-htpasswd-secret.yaml create mode 100644 3.0.59.0/central-services/templates/01-central-05-tls-secret.yaml create mode 100644 3.0.59.0/central-services/templates/01-central-06-default-tls-cert-secret.yaml create mode 100644 3.0.59.0/central-services/templates/01-central-08-configmap.yaml create mode 100644 
3.0.59.0/central-services/templates/01-central-09-endpoints-config.yaml create mode 100644 3.0.59.0/central-services/templates/01-central-10-networkpolicy.yaml create mode 100644 3.0.59.0/central-services/templates/01-central-11-pvc.yaml create mode 100644 3.0.59.0/central-services/templates/01-central-12-deployment.yaml create mode 100644 3.0.59.0/central-services/templates/01-central-13-service.yaml create mode 100644 3.0.59.0/central-services/templates/01-central-14-exposure.yaml create mode 100644 3.0.59.0/central-services/templates/02-scanner-00-serviceaccount.yaml create mode 100644 3.0.59.0/central-services/templates/02-scanner-01-security.yaml create mode 100644 3.0.59.0/central-services/templates/02-scanner-02-db-password-secret.yaml create mode 100644 3.0.59.0/central-services/templates/02-scanner-03-tls-secret.yaml create mode 100644 3.0.59.0/central-services/templates/02-scanner-04-scanner-config.yaml create mode 100644 3.0.59.0/central-services/templates/02-scanner-05-network-policy.yaml create mode 100644 3.0.59.0/central-services/templates/02-scanner-06-deployment.yaml create mode 100644 3.0.59.0/central-services/templates/02-scanner-07-service.yaml create mode 100644 3.0.59.0/central-services/templates/02-scanner-08-hpa.yaml create mode 100644 3.0.59.0/central-services/templates/99-generated-values-secret.yaml create mode 100644 3.0.59.0/central-services/templates/NOTES.txt create mode 100644 3.0.59.0/central-services/templates/_central_endpoints.tpl create mode 100644 3.0.59.0/central-services/templates/_central_setup.tpl create mode 100644 3.0.59.0/central-services/templates/_crypto.tpl create mode 100644 3.0.59.0/central-services/templates/_dict.tpl create mode 100644 3.0.59.0/central-services/templates/_expand.tpl create mode 100644 3.0.59.0/central-services/templates/_format.tpl create mode 100644 3.0.59.0/central-services/templates/_helpers.tpl create mode 100644 3.0.59.0/central-services/templates/_image-pull-secrets.tpl create mode 100644 
3.0.59.0/central-services/templates/_images.tpl create mode 100644 3.0.59.0/central-services/templates/_init.tpl create mode 100644 3.0.59.0/central-services/templates/_lookup.tpl create mode 100644 3.0.59.0/central-services/templates/_metadata.tpl create mode 100644 3.0.59.0/central-services/templates/_reporting.tpl create mode 100644 3.0.59.0/central-services/values-private.yaml.example create mode 100644 3.0.59.0/central-services/values-public.yaml.example create mode 100644 3.0.59.0/central-services/values.yaml create mode 100644 3.0.59.0/secured-cluster-services/.helmignore create mode 100644 3.0.59.0/secured-cluster-services/Chart.yaml create mode 100644 3.0.59.0/secured-cluster-services/README.md create mode 100644 3.0.59.0/secured-cluster-services/assets/icon.png create mode 100644 3.0.59.0/secured-cluster-services/feature-flag-values.yaml create mode 100644 3.0.59.0/secured-cluster-services/internal/cluster-config.yaml.tpl create mode 100644 3.0.59.0/secured-cluster-services/internal/compatibility-translation.yaml create mode 100644 3.0.59.0/secured-cluster-services/internal/config-shape.yaml create mode 100644 3.0.59.0/secured-cluster-services/internal/defaults/00-bootstrap.yaml create mode 100644 3.0.59.0/secured-cluster-services/internal/defaults/10-env.yaml create mode 100644 3.0.59.0/secured-cluster-services/internal/defaults/20-tls-files.yaml create mode 100644 3.0.59.0/secured-cluster-services/internal/defaults/30-base-config.yaml create mode 100644 3.0.59.0/secured-cluster-services/internal/defaults/40-resources.yaml create mode 100644 3.0.59.0/secured-cluster-services/internal/defaults/50-images.yaml create mode 100644 3.0.59.0/secured-cluster-services/internal/defaults/whats-this.md create mode 100644 3.0.59.0/secured-cluster-services/internal/expandables.yaml create mode 100755 3.0.59.0/secured-cluster-services/scripts/fetch-secrets.sh create mode 100644 3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle-ca-only.yaml.tpl create 
mode 100644 3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle.yaml.tpl create mode 100644 3.0.59.0/secured-cluster-services/sensor-chart-upgrade.md create mode 100644 3.0.59.0/secured-cluster-services/templates/00-collector-image-pull-secrets.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/00-main-image-pull-secrets.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/NOTES.txt create mode 100644 3.0.59.0/secured-cluster-services/templates/_compatibility.tpl create mode 100644 3.0.59.0/secured-cluster-services/templates/_defaults.tpl create mode 100644 3.0.59.0/secured-cluster-services/templates/_dict.tpl create mode 100644 3.0.59.0/secured-cluster-services/templates/_expand.tpl create mode 100644 3.0.59.0/secured-cluster-services/templates/_helpers.tpl create mode 100644 3.0.59.0/secured-cluster-services/templates/_image-pull-secrets.tpl create mode 100644 3.0.59.0/secured-cluster-services/templates/_images.tpl create mode 100644 3.0.59.0/secured-cluster-services/templates/_init.tpl create mode 100644 3.0.59.0/secured-cluster-services/templates/_lookup.tpl create mode 100644 3.0.59.0/secured-cluster-services/templates/_metadata.tpl create mode 100644 3.0.59.0/secured-cluster-services/templates/_reporting.tpl create mode 100644 3.0.59.0/secured-cluster-services/templates/additional-ca-sensor.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/admission-controller-netpol.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/admission-controller-pod-security.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/admission-controller-rbac.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/admission-controller-scc.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/admission-controller-secret.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/admission-controller.yaml create mode 100644 
3.0.59.0/secured-cluster-services/templates/cluster-config.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/collector-netpol.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/collector-pod-security.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/collector-rbac.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/collector-scc.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/collector-secret.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/collector.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/sensor-netpol.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/sensor-pod-security.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/sensor-rbac.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/sensor-scc.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/sensor-secret.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/sensor.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/service-ca.yaml create mode 100644 3.0.59.0/secured-cluster-services/templates/upgrader-serviceaccount.yaml create mode 100644 3.0.59.0/secured-cluster-services/values-private.yaml.example create mode 100644 3.0.59.0/secured-cluster-services/values-public.yaml.example create mode 100644 3.0.59.0/secured-cluster-services/values.yaml create mode 100644 rhacs/3.0.59.0/central-services/.helmignore create mode 100644 rhacs/3.0.59.0/central-services/Chart.yaml create mode 100644 rhacs/3.0.59.0/central-services/README.md create mode 100644 rhacs/3.0.59.0/central-services/assets/icon.png create mode 100644 rhacs/3.0.59.0/central-services/config-templates/scanner/config.yaml.tpl create mode 100644 rhacs/3.0.59.0/central-services/config/central/config.yaml.default create mode 100644 rhacs/3.0.59.0/central-services/config/central/endpoints.yaml.default create mode 100644 
rhacs/3.0.59.0/central-services/config/proxy-config.yaml.default create mode 100644 rhacs/3.0.59.0/central-services/internal/bootstrap-defaults.yaml.tpl create mode 100644 rhacs/3.0.59.0/central-services/internal/config-shape.yaml create mode 100644 rhacs/3.0.59.0/central-services/internal/defaults.yaml create mode 100644 rhacs/3.0.59.0/central-services/internal/expandables.yaml create mode 100644 rhacs/3.0.59.0/central-services/internal/platforms/default.yaml create mode 100644 rhacs/3.0.59.0/central-services/internal/platforms/gke.yaml create mode 100755 rhacs/3.0.59.0/central-services/scripts/prepare-resource-metadata-for-helm-migration.sh create mode 100644 rhacs/3.0.59.0/central-services/templates/00-additional-ca.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/00-image-pull-secret.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/00-proxy-config-secret.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/00-stackrox-application.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/00-storage-class.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/01-central-00-serviceaccount.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/01-central-01-license-secret.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/01-central-02-security.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/01-central-03-diagnostics-rbac.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/01-central-04-htpasswd-secret.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/01-central-05-tls-secret.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/01-central-06-default-tls-cert-secret.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/01-central-08-configmap.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/01-central-09-endpoints-config.yaml create mode 100644 
rhacs/3.0.59.0/central-services/templates/01-central-10-networkpolicy.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/01-central-11-pvc.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/01-central-12-deployment.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/01-central-13-service.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/01-central-14-exposure.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/02-scanner-00-serviceaccount.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/02-scanner-01-security.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/02-scanner-02-db-password-secret.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/02-scanner-03-tls-secret.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/02-scanner-04-scanner-config.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/02-scanner-05-network-policy.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/02-scanner-06-deployment.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/02-scanner-07-service.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/02-scanner-08-hpa.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/99-generated-values-secret.yaml create mode 100644 rhacs/3.0.59.0/central-services/templates/NOTES.txt create mode 100644 rhacs/3.0.59.0/central-services/templates/_central_endpoints.tpl create mode 100644 rhacs/3.0.59.0/central-services/templates/_central_setup.tpl create mode 100644 rhacs/3.0.59.0/central-services/templates/_crypto.tpl create mode 100644 rhacs/3.0.59.0/central-services/templates/_dict.tpl create mode 100644 rhacs/3.0.59.0/central-services/templates/_expand.tpl create mode 100644 rhacs/3.0.59.0/central-services/templates/_format.tpl create mode 100644 rhacs/3.0.59.0/central-services/templates/_helpers.tpl create mode 100644 
rhacs/3.0.59.0/central-services/templates/_image-pull-secrets.tpl create mode 100644 rhacs/3.0.59.0/central-services/templates/_images.tpl create mode 100644 rhacs/3.0.59.0/central-services/templates/_init.tpl create mode 100644 rhacs/3.0.59.0/central-services/templates/_lookup.tpl create mode 100644 rhacs/3.0.59.0/central-services/templates/_metadata.tpl create mode 100644 rhacs/3.0.59.0/central-services/templates/_reporting.tpl create mode 100644 rhacs/3.0.59.0/central-services/values-private.yaml.example create mode 100644 rhacs/3.0.59.0/central-services/values-public.yaml.example create mode 100644 rhacs/3.0.59.0/central-services/values.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/.helmignore create mode 100644 rhacs/3.0.59.0/secured-cluster-services/Chart.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/README.md create mode 100644 rhacs/3.0.59.0/secured-cluster-services/assets/icon.png create mode 100644 rhacs/3.0.59.0/secured-cluster-services/feature-flag-values.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/internal/cluster-config.yaml.tpl create mode 100644 rhacs/3.0.59.0/secured-cluster-services/internal/compatibility-translation.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/internal/config-shape.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/internal/defaults/00-bootstrap.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/internal/defaults/10-env.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/internal/defaults/20-tls-files.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/internal/defaults/30-base-config.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/internal/defaults/40-resources.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/internal/defaults/50-images.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/internal/defaults/whats-this.md create mode 100644 
rhacs/3.0.59.0/secured-cluster-services/internal/expandables.yaml create mode 100755 rhacs/3.0.59.0/secured-cluster-services/scripts/fetch-secrets.sh create mode 100644 rhacs/3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle-ca-only.yaml.tpl create mode 100644 rhacs/3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle.yaml.tpl create mode 100644 rhacs/3.0.59.0/secured-cluster-services/sensor-chart-upgrade.md create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/00-collector-image-pull-secrets.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/00-main-image-pull-secrets.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/NOTES.txt create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/_compatibility.tpl create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/_defaults.tpl create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/_dict.tpl create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/_expand.tpl create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/_helpers.tpl create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/_image-pull-secrets.tpl create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/_images.tpl create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/_init.tpl create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/_lookup.tpl create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/_metadata.tpl create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/_reporting.tpl create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/additional-ca-sensor.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-netpol.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-pod-security.yaml create mode 100644 
rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-rbac.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-scc.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-secret.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/cluster-config.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/collector-netpol.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/collector-pod-security.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/collector-rbac.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/collector-scc.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/collector-secret.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/collector.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/sensor-netpol.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/sensor-pod-security.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/sensor-rbac.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/sensor-scc.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/sensor-secret.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/sensor.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/service-ca.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/templates/upgrader-serviceaccount.yaml create mode 100644 rhacs/3.0.59.0/secured-cluster-services/values-private.yaml.example create mode 100644 rhacs/3.0.59.0/secured-cluster-services/values-public.yaml.example create mode 100644 rhacs/3.0.59.0/secured-cluster-services/values.yaml 
diff --git a/3.0.59.0/central-services/.helmignore b/3.0.59.0/central-services/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/3.0.59.0/central-services/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/3.0.59.0/central-services/Chart.yaml b/3.0.59.0/central-services/Chart.yaml
new file mode 100644
index 0000000..22a045a
--- /dev/null
+++ b/3.0.59.0/central-services/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2 # Can probably be generalized to v1 later. TODO(ROX-5502).
+name: stackrox-central-services
+icon: https://www.stackrox.com/img/logo.svg
+description: Helm Chart for StackRox Central Clusters
+type: application
+version: 59.0.0
+appVersion: 3.0.59.0
diff --git a/3.0.59.0/central-services/README.md b/3.0.59.0/central-services/README.md
new file mode 100644
index 0000000..7f0fecc
--- /dev/null
+++ b/3.0.59.0/central-services/README.md
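Review bot: `appVersion: 3.0.59.0` in the Chart.yaml hunk is a plain scalar; Helm's chart documentation recommends quoting appVersion so that no YAML loader retypes it, which matters as soon as a release with a two-component value (a constructed example: `3.1`) would be read as a float. Suggest `appVersion: "3.0.59.0"`; `version: 59.0.0` is unambiguous as SemVer and can stay as is. The diffstat lists a second copy under rhacs/3.0.59.0/central-services/Chart.yaml whose hunk is outside this chunk; the same applies there. The inline `# Can probably be generalized to v1 later. TODO(ROX-5502).` comment on apiVersion is shipped in the published chart artifact, so it is worth confirming it is intended for end users rather than maintainers.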
@@ -0,0 +1,180 @@ +# StackRox Kubernetes Security Platform - Central Services Helm Chart + +This Helm chart allows you to deploy the central services of the StackRox +Kubernetes Security Platform: StackRox Central and StackRox Scanner. + +## Prerequisites + +To deploy the central services for the StackRox Kubernetes Security platform +using Helm, you must: +- Have at least version 3.1 of the Helm tool installed on your machine +- Have credentials for the `stackrox.io` registry or the other image registry + you use. + +## Add the Canonical Chart Location as a Helm Repository + +The canonical repository for StackRox Helm charts is https://charts.stackrox.io. +To use StackRox Helm charts on your machine, run +```sh +helm repo add stackrox https://charts.stackrox.io +``` +This command only needs to be run once on your machine. Whenever you are deploying +or upgrading a chart from a remote repository, it is advisable to run +```sh +helm repo update +``` +beforehand. + +## Deploy Central Services Using Helm + +The basic command for deploying the central services is +```sh +helm install -n stackrox --create-namespace \ + stackrox-central-services stackrox/central-services +``` +If you have a copy of this chart on your machine, you can also reference the +path to this copy instead of `stackrox/central-services` above. + +In order to be able to access StackRox Docker images, you also need image pull +credentials. There are several ways to inject the required credentials (if any) +into the installation process: +- **Explicitly specify username and password:** Use this if you are using the images + from the default registry (`stackrox.io`), or a registry that supports username/password + authentication. 
Pass the following arguments to the `helm install` command: + ```sh + --set imagePullSecrets.username= --set imagePullSecrets.password= + ``` +- **Use pre-existing image pull secrets:** If you already have one or several image pull secrets + created in the namespace to which you are deploying, you can reference these in the following + way (we assume that your secrets are called `pull-secret-1` and `pull-secret-2`): + ```sh + --set imagePullSecrets.useExisting="pull-secret-1;pull-secret-2" + ``` +- **Do not use image pull secrets:** If you are pulling your images from a registry in a private + network that does not require authentication, or if the default service account in the namespace + to which you are deploying is already configured with appropriate image pull secrets, you do + not need to specify any additional image pull secrets. To inform the installer that it does + not need to check for specified image pull secrets, pass the following option: + ```sh + --set imagePullSecrets.allowNone=true + ``` + +### Accessing the StackRox Portal After Deployment + +Once you have deployed the StackRox Kubernetes Security Platform Central Services via +`helm install`, you will see an information text on the console that contains any things to +note, or warnings encountered during the installation text. In particular, it instructs you +how to connect to your Central deployment via port-forward (if you have not configured an +exposure method, see below), and the administrator password to use for the initial login. + +### Applying Custom Configuration Options + +This Helm chart has many different configuration options. For simple use cases, these can be +set directly on the `helm install` command line; however, we generally recommend that you +store your configuration in a dedicated file. + +#### Using the `--set` family of command-line flags + +This approach is the quickest way to customize the deployment, but it does not work for +more complex configuration settings. 
Via the `--set` and `--set-file` flags, which need to be +appended to your `helm install` invocation, you can inject configuration values into the +installation process. Here are some examples: +- **Deploy StackRox in offline mode:** This configures StackRox in a way such that it will not + reach out to any external endpoints. + ```sh + --set env.offlineMode=true + ``` +- **Configure a fixed administrator password:** This sets the password with which you log in to + the StackRox portal as an administrator. If you do not configure a password yourself, one will + be created for you and printed as part of the installation notes. + ```sh + --set central.adminPassword.value=mysupersecretpassword + ``` + +#### Using configuration YAML files and the `-f` command-line flag + +To ensure the best possible upgrade experience, it is recommended that you store all custom +configuration options in two files: `values-public.yaml` and `values-private.yaml`. The former +contains all non-sensitive configuration options (such as whether to run in offline mode), and the +latter contains all sensitive configuration options (such as the administrator password, or +custom TLS certificates). The `values-public.yaml` file can be stored in, for example, your Git +repository, while the `values-private.yaml` file should be stored in a secrets management +system. + +There is a large number of configuration options that cannot all be discussed in minute detail +in this README file. However, the Helm chart contains example configuration files +`values-public.yaml.example` and `values-private.yaml.example`, that list all the available +configuration options, along with documentation. 
The following is just a brief example of what +can be configured via those files: +- **`values-public.yaml`:** + ```yaml + env: + offlineMode: true # run in offline mode + + central: + # Use custom resource overrides for central + resources: + requests: + cpu: 4 + memory: "8Gi" + limits: + cpu: 8 + memory: "16Gi" + + # Expose central via a LoadBalancer service + exposure: + loadBalancer: + enabled: true + + scanner: + # Run without StackRox Scanner (NOT RECOMMENDED) + disable: true + + customize: + # Apply the important-service=true label for all objects managed by this chart. + labels: + important-service: true + # Set the CLUSTER=important-cluster environment variable for all containers in the + # central deployment: + central: + envVars: + CLUSTER: important-cluster + ``` +- **`values-private.yaml`**: + ```yaml + central: + # Configure a default TLS certificate (public cert + private key) for central + defaultTLS: + cert: | + -----BEGIN CERTIFICATE----- + MII... + -----END CERTIFICATE----- + key: | + -----BEGIN EC PRIVATE KEY----- + MHc... + -----END EC PRIVATE KEY----- + ``` + +After you have created these YAML files, you can inject the configuration options into the +installation process via the `-f` flag, i.e., by appending the following options to the +`helm install` invocation: +```sh +-f values-public.yaml -f values-private.yaml +``` + +### Changing Configuration Options After Deployment + +If you wish to make any changes to the deployment, simply change the configuration options +in your `values-public.yaml` and/or `values-private.yaml` file(s), and inject them into an +`helm upgrade` invocation: +```sh +helm upgrade -n stackrox stackrox-central-services stackrox/central-services \ + -f values-public.yaml \ + -f values-private.yaml +``` +Under most circumstances, you will not need to supply the `values-private.yaml` file, unless +you want changes to sensitive configuration options to be applied. 
+ +Of course you can also specify configuration values via the `--set` or `--set-file` command-line +flags. However, these options will be forgotten with the next `helm upgrade` invocation, unless +you supply them again. 
diff --git a/3.0.59.0/central-services/assets/icon.png b/3.0.59.0/central-services/assets/icon.png new file mode 100644 index 0000000000000000000000000000000000000000..3c136e3990a7382e8742c9079028abe00697c82c GIT binary patch literal 13406 zcmcJ0WmFtZx9$w??(PI91a}V-T!IYl4uiY9Yk=SuT!Kq*cL)~TU4#3b_dDN_b=JE7 z?wz%Ix_j3y>*}h#>v?uZDl2|QMIu51005}6GLov0^YA|h0uf(`Kj9?-66ecpN3IKo?9RLsz0suTgL;;5YfGaxyaBK(w@TUU+_>Ng^DuR#%L`NBI zX8-^h`=0{{$jl-D0HBbq)U{l+6u$7AIM}fonK~Gov3l4!LbL$@K@Wb&rJb3J5rv1H zt-Uk9hY;1jH25Lc|A^VBDE_75Vk1PQrJzh9;Q%(H;9})uWv3EGqM)D<1e==kt4d1$ zJ3Hh~h|1E%#gU(l&E4Id)%_Ez1K5J?BOf0h8#@OZ2L}s8gT>j?-o?m+#on3vKMMKJ zawN^1O~6);E>;fq6#tZKWbEMTB1A>?PeuRr`;T_ISegHKP4>?J?iQqjZ2zRNePm^4 z`>(PgSq1-*@~fITJJ`DZQ@n<~m5VTk;J=jrxA?zn`;S}_4t9=UGiPT=HsO!|&hkHH z|65-PY-I-N-#^v-m;V2h{cn9`O9vMR$g>7pnaJ9^n1Lac{X6%6Ht_$h@$a$(+5UN4 z|Ksuf$JqQ!3K<+>Btf?S8fal8bScJU0N~>w8s_U9GWue3P0 zQj!?Ouwi&GN9RrL16nq9CTBW}ZhGE}=jV9sxX>`r%Ay!=2kQdY9$&5u!)CpO9bU)L zJ~^DX-+L?NI;(u7mQEFoPykZHF-xOp#SqjId^GMh?hhD<07hf}zZ90wsH>~rY)N23 z<5Ay=A4BhG#W2FEPW}EwCg{@}Fd$=>Fgon>%XWT0EUgY9<3h+0YW-1?fB;(4Ozimf z`zhB+lZ_Ujh$K^Yi0UjLZ>i`WHuS~>(&ACnvePVg-KKM!vpGV_b}u^2DpD*WZOP__ zSc&12g>3j-gx|*9s`N!*=WDl9VcU~G*c7)4CyplJFr;ILa3zVE<|@*6hzNgbw61xe z@d|%N2Fv)pJwt~pd4`~f%7o~I0lv-FbtlYnM9zPMP=-u-)ra|0s;#HHI8$rDGCk_5Uk~+5AM5-hdti`LRpG-LpRS)3}Fnj=I zPe>F4dTnRM%GaBBz}NN8iPyurfdCDA8NGHV_oZ}g1U{-=)S#MH*UB(e!K;ikOd}n9 zR=xMbVoGSuj0DCfiom&SZ}cGr{fGo6aZ(@^i|vl6Ggbs+PUfDV%^TxjT{=1NckpMW zl1UJfhxqV>D9(>~O58FA0@c-G6GFWq_VLkQ&)+Mv;)!)pw9G`0kLqvuq8IYsA1QZd zXSpZ4S#yxMCZhBuL*03O@BR+4pc2;Nh%=r^?QfeAE7vPeM?r>;KvgC~+NvyoQPfmk zg+!d}w>cYAvI*{01n|TpU~cTIgJ$*X0sL>vkW*LY+TS24R$A#)2E0(aY^+2#fOrmJ zMh&i!JolfH1*2$S#T=u#*+Jz-!`O5kwzylSdE!3tN7#t8*A8=YfoZP$5?pV74*E@Jx_ zijJ?1IdIznDF6nO@Q^k;YCz?_{aTalO78VtHZysWafZ!;U4;orWP*VBEgp;B=QB09 z%H^%h0=59>(?9;>T(#tGdBh<^$)+%vo*6 z)tjkxyaLH_4h3q3Y=PG$x?XD2?sj+2#%Qa2B|=qL*wD{$*{BhOQIzw7OG_W?A~j-; zgW`j*D!b^?@{0L<%t=~(ZqvrU)wCKMTv85jG+*$Wu3^@HF?1NDi9uyfZtG;#YgK8l 
zl)14IM_Ra>`!hD9C%u*arBGCBphWZIEz@phlIm2TeB;k(2P14`OHuwFX0KJbFnjq?cZrQ`5~<8Df0P`?W4X) zL2$Ai5iC>@U?ZxCy|unCCYWaq^cKEAtT9q9g+=DXi9#anLBQ=It|P z6iu|(yU}roRhODR6cbFPlizX=PX;~d=yO~~>mm?uZUCHASXq=x4pi~LS zfStnjv*LqwMhn zCROx!x&~xHck{0rI(9c&J2J2FbU8c zLtBHq@HcmQtmvv>xa+_3-*Ii;q^qbzB^K)NlV@&ciKFc^hOxB{iXn< zZnB%&eyjM->)c<4xAg~XDMO~~U2MEAH!({6hA|GW7$%-Zok#>oUfgvw$1$%DT{Ke~ z+e7#c_2L~9;@ja{mR`ve#O}(RYc}Gz80A|D+vW#9TSVtDea|F(7p!HaDP#}Tw_5`H zGdP@&3WugrB#;*V_8&zj>iPAkYVkxY%vJCbh`Ko+553RA=QvGA94*?fs%*NjL~`c{ z<%$=?-pMcpgoGK3#!&|=>rRnr|CtBDsyhb`D2&GH-iO6y%J%x`8xr#u3pn+xJ;%#YiO(kVz9YY9w>vhqfsm+^u=~ z`7qeW8aTTyeYL+M;l-?kxuI5=#`t#Ew>FH;msNhwNTHsr0^2r_9(gUBUQXpiIf zz2i9OQ|630;kiJ4+vBN}e}(@{yd}mdHx&ugoCH+}K?bP^rvJCo^__3!RUTTEq!Y`S zwsR$DyTR!Tz!4z%gqkh)=~HU>V}My40Z+JOT%Z|UX$~Q<4%EmkWHb0xCT*Kf)SGKMAMp!5j&g2t`Bz2ToU>E9 zQXe^t_JMHM>h@Bc$0P05EJj5P$5cKnzkYiTb$p=JK zA)gl)r0PC6>X~e5;?!}(yoq$lN?_&u2UHc*M6Y6AJkNuXdY2;dg=rFjH1#B2xY%&_ zDzBs6Qe_DgTJi`-=XZQie|v`7OYpjT8R!`BFUS?UaI!bTUKv%KA4hoL4^1htqG3B-_YBi_>Zsq@iLYN=; zf!P~o4ElyTEujsZER6~6B9Mnig;0{Z%-Syu8@T{AiiR`ra2f$6?td); zCwVKyY<^4{G^4=}s;zH2`I78o_bfI;oR{ot#Yde^zvM>qHExB~SUr&1#&pLv+D#G? 
zd;5d=Qv5~4O)nnXiYRhssuXcOI3Oc%9W_QFI-tVeT!10&oj z7wdm)5d_5;?+3HF#E9 z6WvsUamdv;q1q1&n@-1{Cf7viUsXp@r(I)CcVKlMIH$vuhwAaG86ESY4Z6lARyt2G z?6O}|Rnm2k@_>n#CsqA^J~d_aX+l0X>aFA=Y;6AbZzlF)uMoSWQ}#(LSVjU<(4@i2n&IgyQfn3>F^kN2M@RMc5 zn~0`u(){l-=(SI_7;!a6a6LICBixKl9kcb6A2a+tgJF4W$4_l|&KcuL`o7aE8N?iM zN8#auXQWxU#G>?<_f@p|p2sh?c79}GAMC*6*(ZmS=$b?;3Fgl|gJ1Xc>`@Q9?#Tq< z>SkB@HOD~HA>5&VZ1GOXI0C#PAD|GFqi1436Ci%BMpX%pAl~u&U^ezHVTlreb?WE1 zz)6FSd`HG`B{=%Z@& z8r_Vv#Z3k}>UEjQ<;bs0?V$qlS1j+?VzjMt^(~e8>vH#tza63kM=)~0P;Lec&)cF& ziB8Vd)&qo7K`j|drhFqtR?-~)3Uvz2?X~XCx`iTHg8>)=Y$Bpr)G*3Wx)@%+V{x(k z7k2Wl(gaCjy?L#07G#B!$aR=Tj5*RoIFiqsz( zZct1K@}+!6#pxRIrCipyF}(_4mIWi$L#|^Roz9`m4O@LoUQk@H_Uo@uh$CJfIv{m4 z1qIK&hL`R9V5KAa)q5wsrYtvBUu$tir*v2T(J;RI5GA8sqWgDF z%12ScASSy7z{##N!E7mBhr|}t$j0g`gZLug{Kj}p%=C@3zXQpG(b@sB&wajfzD{W` zQOy<16}Etls*n+&U^e1yh8JcubaM04+D5pkC!e57I$4=xkA3M- zz!4di`gYu37TrBw`jgF6yo^VF^p<(yvf6NiAfgD&*I4)EaoPP(`GlEtT<#CE@poUA za$?aaBokDbbfx-C)^W2)1JouL4GtFd)YIds+m*oR23I-tIS{OQAQ4CV9cgM(n8Q!- zvgb{y2?5+D_O2Iq{A^>C*e#T$6S4u({{G&x6slNka5oipWu@d!`|DJEm>CihQt@*5 zEIuKd0h{hGST1zv%~^iiX>fUt{0IpetlIIzkld+1LpdWCvIb#!#9}wG8~b=;nrbe_ zQ?q+bPqOLSUOFlTy%tL>m|&#4N%XR5zBg*LIK(`Ol>Pi^GKJZC{;~UY8CBpo zBe>GVQqmercBV2@PYpLUtgh55;p>tpV`s%6x1%%x2sO`%?T}9Z@YhgkyW%^z1;Za28h=QW<&=@n# z14J?59+F+#z>Y(mb?+Wbvv)Y@=K&rLhQCyyp;zk56gmR!Kx$mB+3M|?QbqaLwJ-4@ zCNqEFS>WeUZH)<8*zs}d&!qzc>tsE*@t$eF*g%#5PKk<6_HewO(w&0h6SHE<+t|Q> z-yeP)b+$DeO^)?C+MD5TyiLdev%7JK(v{(J*Iy7*9|k$zr+8J9vj{02Juh1)W1(LQ!}lYn zTv-E;2F4ca-oEDCXHe4{dPV)Gj<5p zq+AgJc7pZds*5T!Au!)sI8)GUO5t4f-h_!8L74nnqPTdahCdeOu9$=OJQxz3!yG?0 zKFf7_V_&iGCc!e1$$)Bv*l9&-KikQaPNWe~H9B7>!{HtN_o>AbDfVz_;$s|mEq-Pu6&$>HL+Z=eq0~Qn zpXkiiblu5PAQOFKzYXq2%8L?81z9{SV{23XrKcajK87Op%PSxOYJuVFum_T_x4Iqx6}o0H&VyzVQ6dO4zuo5?1W|R?%~>4k`ag(D7?o7O zO}IStd>b3z?ZZ(w2|2CZXp}C$?Cxk3>#@Xr6J#k=EzW-myk+HKqwxALi)wF;TgY(| z$4QlCK9JevIa`~)kKcbw5bXCCJH2LAG)Z&Ry$zf!r)dAz+6bE-RD!Y6yTg6dLZ2FH zw734+RVDtt^yMMdMa8ZC`!^9)8_BIvkpVK&c?;lIX-?F?XypCzXgPUhQ{ol)13gsXW)(bRa(%7Q??q`P(y=gj49M5V-#8n&wL=B@=IcWF 
zEA3fi&0x-)hYnDca!M$(H|f%5bb|Dha|y#TzPYu5JL|$U9}ud;f=F9=Kh=9WhHt*T z=uq%?K=2Ny_{>Zqp8jC?0a0r9)Nf^)0xwz@$Vi3lapI^i8u1P?jMO0WaXl3;yvyjK zkM)2asFfMc1kN~qzrR7u-!nLO&`*i6PkX1?3wx-BobhYqMl@?VCAPz<&jKCmSt=EAd8tSpeF#DST~?g|Ez%bU zF(V_NDe%Lf+<0Hxwho1#$AQ!!6KXU;EhlUmuEwiW))cA3dZz*5mkL$v*C;QP^Z?<$ zSgg65@fWx0bpARLL&s`rw@Lno&@{>gnr<2JB~`|!Sbynpm1dX+EMsrqxlF2)3dhVbI!8a1sENT) zs4M|U1!vMSaWl$=^!|`SsM_jRTtxm>JthZSE^jTaQf6f;g9R53>0S=FC{7BHaL=Qc ziRMNyGA7ZHB|~7yQavI~ug9-lMGXDCQ5t%`dyDB<#Fyc3COnzWPS@kG^J@{X_Ze^n z^nOffvz`PMbbj1o{UBSxGZgAy$;6_2W#@0u1bn0E;Ao0UCOw2pj_D|EI@I!rYChwq z`4~4>+gDoueENvPuzo4X0!c|&3-htfsvfr+SB^pUGVcG}S8&=H1CQbJ9Vb0%^3xdN=(I@n7=n>@P z7bjWFx|ovQ418C#n3`D;_~c<9X&KD?`*Js-|4F&nf8wq?yIjkjM0d|qPXYG6;G z3b$2{U)c#kwXHL($!qnyCfl;W*UPa2Uu!D1f}TNb;NV;}QAEx?i2d!wV_sYX#I?d` zsfxc0R(W6kKtf@Ae|_Gb^^Jo-eAViQn$}&0$JL-;QYX<-X3JrVbcPz%gMPPUbF3~2 zT+ZsLaAoDtc=rUyw5_G(OI0`n{PSMTM3Rl|v6zKQ8UJv8hX2X>{X@_Fn+p7w@QF8q z>^Qk0JU-XF)29%r`MJBR#a$TZD&EAb zJ1Iw?tZZb;UkQCx^>2m_B`{hxZ5zGhBSHqVPWk?>-XGH801a`_gtFJ**lW1rWO{pn z|7=QnbyxpA0V-R`lz!*MW+W#VWbHJcBU>qL*yws5lh8-b#GQJAc_{34%YU*SJk)(j zCg?@wEhOigmiQReg(yPgK{>A+YO!^;0!qJ`T9Krj%P9i2QJ5;RW~v_r-SqhxbS4_O zf!YJ+m+Pt*#FuaFK?fGLXr#A>+TzwInHzRsaASBr6+M@9%P z^U~$9y+Yc#_133;&U}8F)x7AiPMRu+PI++W_X~pqO@TyPnNPvlnz^>=491Yp*MbCM z28vQ`nxR&nP4>*sGwU4{y7JXJ?U2VigQcD)51Gi9vKSWa{b78NHB$7phV<+0iN!Tb zCbN|*9GCZXSQGJBV+HOXZy_kZQmhH4VJp!2$zn)Ms$AQXzcV`r0eaf)?y!wU&*y!O*;e^T^%WJ14t+jcjWPBIGt>eH z*;JyJKa{LX4%^v>^qy&{i+1)mo?oBu$r)-vk1RVyceo1GYsxqHHiR_|Tl@JFgDAS$2IXqaK>7Yn`pwWJ`fW^2VxJb zy^bdgOCY<#;HL<#9ZZ|qAo`4fUjTiz>@JBwD&!ZYqk5zJV@faXOc;)mJVX+qQEWJ1 zwTFOG08Czk>;I;|Kmz+wCu4PZ$WLQy~m#3_9b_khSGgCm*LY*-;ysb6?hZWc1$qM`tn)C94-Uy+hJ3HL!gOAfO5`$?A>iZ5 zX(&#}xIz||tow%{gQSD?4&QePt1Vjm3-)b$Xu5(6AKj(?tCi&5ldz(%n5)=y=etM9 zs|v$g6L$e7ORuq&+i+;P+}>M6OC{`>D%t)(b;3Ubl%@^oH=ap}6x;az)f<7pB7Bs= zuM%TRl!bn}4@3MdBmGD6S+7rqK8Eie&;Cv1n@it8hE6Sf;8SM7mR4k+?$jKn5>cGC zX=md-tPfb-NG|AP6twV1DNuz(Ayp)p)_5@8VD$4`LD#D!-0z!-pWpb0 zRvVe5b&)+dPqeSUUK1xfI@ehq@q0*{JU{Fgz<7DFh3g@40BBF`e7_UqM)auvDsy}v 
zj&f$^Kb&|!l^DipL}|P|40}66C2k(-j_j7o6;xo_Wnh|R(gVHx-8;FtiHV6BzquJd zf2Hp}eg2H*^~B6VeQov>9fMDpVRgg?c9vJ?p`t_K8aH_Zb!C%n4`bE_z8V&ABYt#+ z!?~YdGkuV- zIwCYcgbvTZ?a9_~r@=>YrFj-AH6ov_TyB)zd(ns@6kFPo_ML@~A@ zG83dfl_|}(u*m_V1yoZh250&adB7!4$so00pD!Wb2e^=ER36bn0$nL;q;|pmofQr~ zTdsz-NxRJ2M|zOq^a^mOcl$W`=6iH>^3vnn<$X4|M*gJ$v8y?6G*W$o&4WZCT1x`c z(fzrL`+WCma~s(ABUy|e*r&NBRAIdw!)y7#itiy^BbGef{6?TL5rk^Hli-K2U~DMPh*mYuCQWP84w)Vi*tdRSaDxyj>Y!8 z0}QZwj#AbBydF^+E7!ay7Zw|C$IZ*P`e66#v(N*W1ptoG4&OgBzB$7(_%*pbMYe`p zgjs_8$K3RWoU%a3u8+v9Q7rvuf^Abd%)8%sm1nUA)c zHa|~x|GM&H^;UQD9@bi)X?AiITIR-o@4$H7h3{(jzEB}7+Fm4X3eYr!XVf$K?lE0_ zF7gGI_SQcvKd#gF=TGOT`I$^zp|TNG6hPSRhuc3-6YXD?-2;y>Tu;L|UsbNzuL3_6 z!?R#$-6YRyx`@;Bq;Bp>GQ zd%Knx%6CS&FGCbK>ip*(M+HBHE@nr)?e+b_^WKO`5-&INtS}YoM9+hviIJle#972e z+htOD0)L7iNt3_LJiS3kGR+&8Li+I`tVi7q2!PObqX4H5`@9SBeUGD5%3lxHRS}?9 zyq~i6*sIPQZS?PRg6T&7{DFj#t#O}8(GjruS1$2-y>v|a4t;hZ+9Kzh7BMyy-K8)Y z>Ssgg)8Tg+O>kuPsu&nMjB^+A+%LF{+zBuUK#dG~Q3lug*IkFtYOzsr!FHMUN6(SA2C?=5>V%Ei*X` z0M!LDu-x=$Ax4tlg{lx(B0vB?=%MAdojfAyja2tEMa&-uZ`=;F%#25`$8_EcDHw(` z?%k$Y9L{BFX3Q!cw-~e1rF>U=5fN&mXh-4J>5@&g*wE2x-v6+M!|Wc@hZ$r8KY0u6eGFwBL<*112h!^OP(Qr|25euyI zUCjRr6%F=F5Rlt*-Q(GyBqyl$e>n_g(lShlV@@@e+gV2H{B=(&IvM++Mr`P(199nN&S zgr$8HwlZmlSOl;t5wuh_DSOhYT;UT= z-I64{qZt9rUhkEaS#D%Pna$CGxmxW;;kGy=!W4f`BX5Fq`CPVhUkXDMjOpCZKR zopX1^tv+GDUqJk++NyHGY4<~%2LpEQvc#oX)enO@ zoYZViaS^J;cqwR_ykp?T&mO!;A$N*~x!BM{tq#^ps!tdZ8;|lR2dYa%LPlgxeuoQwZGXrPuO5iROfAyCpZsLo<`7 zjk~2|@}77)o2#P#=0D5OO|M2Em82Z}%#!nW(kww0-b!+tox#wFNJ8>QqD)_xO1npE z`G;5BZQc8Ts`%9Van%Bh8^rqr;Ig^lN_!5UyHw&jOQXi_AX2MT_Fv*bye-{3c(m-K zTXRGp9=`gKkOxQg{A2vRjFY}ZSuL=RoRm0S5^j)2<=t)zKC~WHYo;NBR!U7cN#a-@ z4b}IRZe_6kM~N&<_YKO-acLwHHgfzQsFR*;wf%BbEy#Y$qQ7^V)@WGbrVrLgr7Z9Ynh$-?pAi6tQZAZwps^Ioa zeifB=oSfX!(#{ee-W&#%Yt#)PoQM2}aA6>t6lFHL;L%iHTHjkRee~X*(YFk4YCd1I z78!VB-e|?FHZ9OoI)%qF>uZu#>JoD#2L+Ej)w{1)E@iUHr*x)8LT62xVgQgfw#2QJ z*q7uDM-T2=#MLi@@k^jpg_m$K>QyE`q2D~p6 zT|*u0-viLXH7f8Z z4beLfNUJ7%4RgUDD9Com>d6lGF~7#yOUgl<4Kdn`;~w@IY_Scqw{+CFZh9( 
zZHp;`yeBb{X2kbN-i}yj3uW#pgAT8Q^H(MY9v<62sFo54JuVJ^+VJzB%b|yoA6UiG z4{Q4|14JO}_D#k{>8>XPwhx$D?{p^L-63ITyXiY_h9%r0f&}s@R8S?+{+_KO?r2Tf zWs@PzW8BhpTOtn0D*Y6i%TepQXrvl*+~|2Cyw?pi09vHW>5td55>;bVfy%|XaRtN~ zy&NtMwvIvgJf*Bo1U2951-*1P6sKRxN!&X#O}>jmWmBHw31J8hn^}b69&^k$h$l(uUWbv$mgqZIg7I+3 zczu#~e`=2n(jJ{ahO!ZP%5eArkwwm|9)L1TskKm+f`FyZ~^&~XKV)eLds9g|P4e+!<>XJiBrUJ3GSNDqjX zE)ZnHc0-UaSrYJB-+a65u_NCO!iivyqOl;5d9BGkX8CLhs4JP%oEwz)^8?rvdad)> z@w}G{I3v->VyyfN&@vxyNByf8ZX&%s2yW~_1PS^(yYEPM;wQHYk?LVj#$mZ{O zv2U27Pz6PN>+Gx6suGl!p@w2kC%~Em1PL#Jq0DBJ?ZG3spBVOWg#@A1UH~LKi~y*VRF-a>G22J)2+V$(X~T0mdFs8c-Th-J7AkXJGJPtJdiM9-g^`m%!C* t_V2G6APDDwe(C^$J^%j;tx;Y@XgXYCubMwn{qq%%tdyc;wYXu>{{cr9X{P`H literal 0 HcmV?d00001 diff --git a/3.0.59.0/central-services/config-templates/scanner/config.yaml.tpl b/3.0.59.0/central-services/config-templates/scanner/config.yaml.tpl new file mode 100644 index 0000000..a502818 --- /dev/null +++ b/3.0.59.0/central-services/config-templates/scanner/config.yaml.tpl 
@@ -0,0 +1,41 @@ +{{- /* + This is the configuration file template for Scanner. + Except for in extremely rare circumstances, you DO NOT need to modify this file. + All config options that are possibly dynamic are templated out and can be modified + via `--set`/values-files specified via `-f`. + */ -}} + +# Configuration file for scanner. + +scanner: + {{- if ne .Release.Namespace "stackrox" }} + centralEndpoint: https://central.{{ .Release.Namespace }} + {{- end }} + database: + # Database driver + type: pgsql + options: + # PostgreSQL Connection string + # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING + source: host=scanner-db.{{ .Release.Namespace }} port=5432 user=postgres sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} statement_timeout=60000 + + # Number of elements kept in the cache + # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. + cachesize: 16384 + + api: + httpsPort: 8080 + grpcPort: 8081 + + updater: + # Frequency with which the scanner will poll for vulnerability updates. + interval: 5m + {{ if ._rox.env.offlineMode -}} + fetchFromCentral: true + {{- end }} + + logLevel: {{ ._rox.scanner.logLevel }} + + # The max size of files in images that are extracted. The scanner intentionally avoids extracting any files + # larger than this to prevent DoS attacks. Leave commmented to use a reasonable default. + # maxExtractableFileSizeMB: 200 diff --git a/3.0.59.0/central-services/config/central/config.yaml.default b/3.0.59.0/central-services/config/central/config.yaml.default new file mode 100644 index 0000000..98724d3 --- /dev/null +++ b/3.0.59.0/central-services/config/central/config.yaml.default 
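Review bot: `logLevel: {{ ._rox.scanner.logLevel }}` renders the value as a plain scalar, so an empty expansion parses as null and a value containing YAML-special characters can change the parsed type; emitting it as `logLevel: {{ ._rox.scanner.logLevel | quote }}` keeps it a string. The inline `sslmode` switch inside the `source` connection string deserves a comment stating why hostname verification (`verify-full`) is only enforced in the `stackrox` namespace while other namespaces get certificate-only verification (`verify-ca`) — presumably the scanner-db certificate only covers the default hostname, but that reasoning should be written down next to the switch. Two comment typos: `commmented` → `commented`, and `save prevent needless roundtrips` → `prevent needless roundtrips`.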
@@ -0,0 +1,7 @@
+maintenance:
+  safeMode: false # When set to true, Central will sleep forever on the next restart
+  compaction:
+    enabled: true
+    bucketFillFraction: .5 # This controls how densely to compact the buckets. Usually not advised to modify
+    freeFractionThreshold: 0.75 # This is the threshold for free bytes / total bytes after which compaction will occur
+  forceRollbackVersion: none # This is the config and target rollback version after upgrade complete.
diff --git a/3.0.59.0/central-services/config/central/endpoints.yaml.default b/3.0.59.0/central-services/config/central/endpoints.yaml.default
new file mode 100644
index 0000000..25549d6
--- /dev/null
+++ b/3.0.59.0/central-services/config/central/endpoints.yaml.default
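Review bot: `bucketFillFraction: .5` uses a leading-dot float while `freeFractionThreshold: 0.75` on the next line does not; write `bucketFillFraction: 0.5` so the two defaults read the same way and no parser is asked to accept the bare `.5` form. `forceRollbackVersion: none` is a plain-scalar string, not YAML null; if `none` is a sentinel meaning no rollback version is configured, the trailing comment should say so, e.g. `# the literal string "none" (not YAML null) means no rollback version is configured`.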
@@ -0,0 +1,31 @@ +# Sample endpoints.yaml configuration for StackRox Central. +# +# # CAREFUL: If the following line is uncommented, do not expose the default endpoint on port 8443 by default. +# # This will break normal operation. +# disableDefault: true # if true, don't serve on :8443 +# endpoints: +# # Serve plaintext HTTP only on port 8080 +# - listen: ":8080" +# # Backend protocols, possible values are 'http' and 'grpc'. If unset or empty, assume both. +# protocols: +# - http +# tls: +# # Disable TLS. If this is not specified, assume TLS is enabled. +# disable: true +# # Serve HTTP and gRPC for sensors only on port 8444 +# - listen: ":8444" +# tls: +# # Which TLS certificates to serve, possible values are 'service' (StackRox-generated service certificates) +# # and 'default' (user-configured default TLS certificate). If unset or empty, assume both. +# serverCerts: +# - default +# - service +# # Client authentication settings. +# clientAuth: +# # Enforce TLS client authentication. If unset, do not enforce, only request certificates +# # opportunistically. +# required: true +# # Which TLS client CAs to serve, possible values are 'service' (CA for StackRox-generated service +# # certificates) and 'user' (CAs for PKI auth providers). If unset or empty, assume both. +# certAuthorities: # if not set, assume ["user", "service"] +# - service diff --git a/3.0.59.0/central-services/config/proxy-config.yaml.default b/3.0.59.0/central-services/config/proxy-config.yaml.default new file mode 100644 index 0000000..8692a77 --- /dev/null +++ b/3.0.59.0/central-services/config/proxy-config.yaml.default 
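Review bot: The `CAREFUL` comment at the top of the sample reads as an instruction rather than a consequence ("do not expose the default endpoint on port 8443 by default. This will break normal operation."); suggested wording: `# # CAREFUL: Uncommenting the following line stops Central from serving its default endpoint on port 8443, which will break normal operation.` The sample `:8080` endpoint pairs `Serve plaintext HTTP only on port 8080` with `tls: disable: true`; that comment could add that the API is then reachable on that port without encryption or server authentication, so a reader copying the sample understands what they are enabling.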
@@ -0,0 +1,26 @@ +# # NOTE: Both central and scanner should be restarted if this secret is changed. +# # While it is possible that some components will pick up the new proxy configuration +# # without a restart, it cannot be guaranteed that this will apply to every possible +# # integration etc. +# url: http://proxy.name:port +# username: username +# password: password +# # If the following value is set to true, the proxy wil NOT be excluded for the default hosts: +# # - *.stackrox, *.stackrox.svc +# # - localhost, localhost.localdomain, 127.0.0.0/8, ::1 +# # - *.local +# omitDefaultExcludes: false +# excludes: # hostnames (may include * components) for which not to use a proxy, like in-cluster repositories. +# - some.domain +# # The following configuration sections allow specifying a different proxy to be used for HTTP(S) connections. +# # If they are omitted, the above configuration is used for HTTP(S) connections as well as TCP connections. +# # If only the `http` section is given, it will be used for HTTPS connections as well. +# # Note: in most cases, a single, global proxy configuration is sufficient. +# http: +# url: http://http-proxy.name:port +# username: username +# password: password +# https: +# url: http://https-proxy.name:port +# username: username +# password: password diff --git a/3.0.59.0/central-services/internal/bootstrap-defaults.yaml.tpl b/3.0.59.0/central-services/internal/bootstrap-defaults.yaml.tpl new file mode 100644 index 0000000..8f8e559 --- /dev/null +++ b/3.0.59.0/central-services/internal/bootstrap-defaults.yaml.tpl 
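Review bot: Typo in the comment above `omitDefaultExcludes`: `wil NOT` → `will NOT`. The sentence would also be clearer if it described the flag directly: `# # If set to true, the default excludes below are NOT applied and the proxy is used for these hosts too:`.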
@@ -0,0 +1,16 @@
+# This file contains defaults that need to be merged into our config struct before we can
+# execute the "normal" defaulting logic. As a result, none of these values can be overridden
+# by defaults specified in defaults.yaml and platforms/*.yaml - that is okay.
+
+{{- if eq .Release.Name "test-release" }}
+{{- include "srox.warn" (list . "You are using a release name that is reserved for tests. In order to allow linting to work, certain checks have been relaxed. If you are deploying to a real environment, we recommend that you choose a different release name.") }}
+allowNonstandardNamespace: true
+allowNonstandardReleaseName: true
+{{- else }}
+allowNonstandardNamespace: false
+allowNonstandardReleaseName: false
+{{- end }}
+
+meta:
+  useLookup: true
+  fileOverrides: {}
diff --git a/3.0.59.0/central-services/internal/config-shape.yaml b/3.0.59.0/central-services/internal/config-shape.yaml
new file mode 100644
index 0000000..cd8b1f3
--- /dev/null
+++ b/3.0.59.0/central-services/internal/config-shape.yaml
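Review bot: The `{{- if eq .Release.Name "test-release" }}` branch relaxes both `allowNonstandardNamespace` and `allowNonstandardReleaseName` on the strength of the release name alone, and only the warning string explains why; a reader of the file should not have to parse the `srox.warn` argument to learn that. Add a comment above the branch, e.g. `# "test-release" is the release name used by lint/test runs; both nonstandard-name checks are relaxed for it (the srox.warn below tells the user).` The comment could also record that this is intentional even though the release name is chosen by whoever installs the chart.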
@@ -0,0 +1,137 @@
+licenseKey: null # string
+imagePullSecrets:
+  username: null # string
+  password: null # string
+  allowNone: null # bool
+  useExisting: null # string | [string]
+  useFromDefaultServiceAccount: null # bool
+image:
+  registry: null # string
+env:
+  openshift: null # bool
+  istio: null # bool
+  platform: null # string
+  offlineMode: null # bool
+  proxyConfig: null # string | dict
+ca:
+  cert: null # string
+  key: null # string
+  generate: null # bool
+additionalCAs: null # string | [string] | dict
+central:
+  disableTelemetry: null # bool
+  config: null # string | dict
+  endpointsConfig: null # string | dict
+  nodeSelector: null # string | dict
+  exposeMonitoring: null # bool
+  jwtSigner:
+    key: null # string
+    generate: null # bool
+  serviceTLS:
+    cert: null # string
+    key: null # string
+    generate: null # bool
+  defaultTLS:
+    cert: null # string
+    key: null # string
+  image:
+    registry: null # string
+    name: null # string
+    tag: null # string
+    fullRef: null # string
+  adminPassword:
+    value: null # string
+    generate: null # bool
+    htpasswd: null # string
+  resources: null # string | dict
+  persistence:
+    hostPath: null # string
+    persistentVolumeClaim:
+      claimName: null # string
+      createClaim: null # bool
+      storageClass: null # string
+      size: null # int | string
+    volume:
+      volumeSpec: null # dict
+    none: null # bool
+  exposure:
+    loadBalancer:
+      enabled: null # bool
+      port: null # int
+      ip: null # string
+    nodePort:
+      enabled: null # bool
+      port: null # int
+    route:
+      enabled: null # bool
+  extraMounts: null # [dict]
+
+scanner:
+  disable: null # bool
+  replicas: null # int
+  logLevel: null # string
+  nodeSelector: null # string | dict
+  dbNodeSelector: null # string | dict
+  autoscaling:
+    disable: null # bool
+    minReplicas: null # int
+    maxReplicas: null # int
+  resources: null # string | dict
+  image:
+    registry: null # string
+    name: null # string
+    tag: null # string
+    fullRef: null # string
+  dbImage:
+    registry: null # string
+    name: null # string
+    tag: null # string
+    fullRef: null # string
+  dbResources: null # string | dict
+  dbPassword:
+    value: null # string
+    generate: null # bool
+  serviceTLS:
+    cert: null # string
+    key: null # string
+    generate: null # bool
+  dbServiceTLS:
+    cert: null # string
+    key: null # string
+    generate: null # bool
+customize:
+  labels: {} # dict
+  annotations: {} # dict
+  podLabels: {} # dict
+  podAnnotations: {} # dict
+  envVars: {} # dict
+  central:
+    labels: {} # dict
+    annotations: {} # dict
+    podLabels: {} # dict
+    podAnnotations: {} # dict
+    envVars: {} # dict
+  scanner:
+    labels: {} # dict
+    annotations: {} # dict
+    podLabels: {} # dict
+    podAnnotations: {} # dict
+    envVars: {} # dict
+  scanner-db:
+    labels: {} # dict
+    annotations: {} # dict
+    podLabels: {} # dict
+    podAnnotations: {} # dict
+    envVars: {} # dict
+  other: {} # dict
+allowNonstandardNamespace: null # bool
+allowNonstandardReleaseName: null # bool
+meta:
+  useLookup: null # bool
+  fileOverrides: {} # dict
+  apiServer:
+    version: null # string
+    overrideAPIResources: null # [string]
+    extraAPIResources: null # [string]
+  noCreateStorageClass: null # bool
+globalPrefix: null # string
diff --git a/3.0.59.0/central-services/internal/defaults.yaml b/3.0.59.0/central-services/internal/defaults.yaml
new file mode 100644
index 0000000..3db8057
--- /dev/null
+++ b/3.0.59.0/central-services/internal/defaults.yaml
@@ -0,0 +1,78 @@
+defaults:
+
+  imagePullSecrets:
+    allowNone: false
+    useExisting: []
+    useFromDefaultServiceAccount: true
+
+  image:
+    registry: stackrox.io
+
+  env:
+    offlineMode: false
+
+  central:
+    config: "@config/central/config.yaml|config/central/config.yaml.default"
+    endpointsConfig: "@config/central/endpoints.yaml|config/central/endpoints.yaml.default"
+
+    exposeMonitoring: false
+
+    image:
+      name: main
+      tag: 3.0.59.0
+
+    resources:
+      requests:
+        memory: "4Gi"
+        cpu: "1500m"
+      limits:
+        memory: "8Gi"
+        cpu: "4000m"
+
+    exposure:
+      loadBalancer:
+        enabled: false
+        port: 443
+      nodePort:
+        enabled: false
+        port: null
+      route:
+        enabled: false
+
+  scanner:
+    disable: false
+    replicas: 3
+    logLevel: INFO
+
+    autoscaling:
+      disable: false
+      minReplicas: 2
+      maxReplicas: 5
+
+    resources:
+      requests:
+        memory: "1500Mi"
+        cpu: "1000m"
+      limits:
+        memory: "3000Mi"
+        cpu: "2000m"
+
+    image:
+      name: scanner
+      tag: 2.13.0
+
+    dbResources:
+      limits:
+        cpu: "2000m"
+        memory: "4Gi"
+      requests:
+        cpu: "200m"
+        memory: "200Mi"
+
+    dbImage:
+      name: scanner-db
+      tag: 2.13.0
+
+pvcDefaults:
+  claimName: "stackrox-db"
+  size: "100Gi"
diff --git a/3.0.59.0/central-services/internal/expandables.yaml b/3.0.59.0/central-services/internal/expandables.yaml
new file mode 100644
index 0000000..e8190d4
--- /dev/null
+++ b/3.0.59.0/central-services/internal/expandables.yaml
@@ -0,0 +1,38 @@
+licenseKey: true
+imagePullSecrets:
+  username: true
+  password: true
+env:
+  proxyConfig: true
+ca:
+  cert: true
+  key: true
+central:
+  config: true
+  endpointsConfig: true
+  nodeSelector: true
+  jwtSigner:
+    key: true
+  serviceTLS:
+    cert: true
+    key: true
+  defaultTLS:
+    cert: true
+    key: true
+  adminPassword:
+    value: true
+    htpasswd: true
+  resources: true
+scanner:
+  resources: true
+  dbResources: true
+  nodeSelector: true
+  dbNodeSelector: true
+  dbPassword:
+    value: true
+  serviceTLS:
+    cert: true
+    key: true
+  dbServiceTLS:
+    cert: true
+    key: true
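Review bot: `tag: 3.0.59.0` and `tag: 2.13.0` in the `image`/`dbImage` blocks parse as strings only because they contain two dots; a future two-component tag such as `2.14` would be read as a float and could be rendered as `2.14` or `2.1` depending on the parser. Quote them — `tag: "3.0.59.0"`, `tag: "2.13.0"` — the way the resource quantities in the same file already are. If `useFromDefaultServiceAccount: true` means the pull secrets attached to the namespace's default service account are reused, a comment saying so next to that default would help, since it decides which registry credentials a deployment ends up using.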
diff --git a/3.0.59.0/central-services/internal/platforms/default.yaml b/3.0.59.0/central-services/internal/platforms/default.yaml
new file mode 100644
index 0000000..180f5c8
--- /dev/null
+++ b/3.0.59.0/central-services/internal/platforms/default.yaml
@@ -0,0 +1,2 @@
+# Empty defaults file for the "default" platform. This file only exists to mark the platform
+# name as valid.
diff --git a/3.0.59.0/central-services/internal/platforms/gke.yaml b/3.0.59.0/central-services/internal/platforms/gke.yaml
new file mode 100644
index 0000000..70d7b32
--- /dev/null
+++ b/3.0.59.0/central-services/internal/platforms/gke.yaml
@@ -0,0 +1,2 @@
+pvcDefaults:
+  storageClass: "stackrox-gke-ssd"
diff --git a/3.0.59.0/central-services/scripts/prepare-resource-metadata-for-helm-migration.sh b/3.0.59.0/central-services/scripts/prepare-resource-metadata-for-helm-migration.sh
new file mode 100755
index 0000000..1688ec6
--- /dev/null
+++ b/3.0.59.0/central-services/scripts/prepare-resource-metadata-for-helm-migration.sh
@@ -0,0 +1,124 @@
+#!/usr/bin/env sh
+
+# Script for migrating to new Helm-style deployment.
+# After running this script the state of all
+# StackRox K8s resources should be ready for deploying
+# using the new Helm chart using 'helm install'.
+
+set -eu
+
+# You can use this script for applying the kubectl commands to the relevant resources directly
+# or let it output the necessary kubectl commands for patching the resources to stdout using:
+#
+# DRY_RUN=true ./prepare-resource-metadata-for-helm-migration.sh
+#
+# Further configuration options:
+#
+# * The namespace can be configured using the environment variable NAMESPACE
+# (note that it defaults to "stackrox" and that is the only supported namespace).
+#
+# * By default this script uses kubectl to verify the existence of the Kubernetes resources before
+# patching them. This can be disabled by setting SKIP_EXISTENCE_CHECK=true.
+
+KUBECTL="${KUBECTL:-kubectl}"
+DRY_RUN="${DRY_RUN:-false}"
+NAMESPACE="${STACKROX_NAMESPACE:-stackrox}"
+SKIP_EXISTENCE_CHECK="${SKIP_EXISTENCE_CHECK:-false}"
+
+die() {
+ log "$@"
+ exit 1
+}
+
+log() {
+ echo "$@" >&2
+}
+
+if [ "$DRY_RUN" != "false" -a "$DRY_RUN" != "true" ]; then
+ die "Unsupported value for DRY_RUN: '$DRY_RUN'"
+fi
+
+if [ "$SKIP_EXISTENCE_CHECK" != "false" -a "$SKIP_EXISTENCE_CHECK" != "true" ]; then
+ die "Unsupported value for SKIP_EXISTENCE_CHECK: '$SKIP_EXISTENCE_CHECK'"
+fi
+
+add_label() {
+ if [ "$DRY_RUN" == "true" ]; then
+ echo $KUBECTL -n $NAMESPACE label "$kind" "$res" --overwrite "$1=$2"
+ else
+ $KUBECTL -n $NAMESPACE label "$kind" "$res" --overwrite "$1=$2"
+ fi
+ log " Set label $1=$2"
+}
+
+add_annotation() {
+ if [ "$DRY_RUN" == "true" ]; then
+ echo $KUBECTL -n $NAMESPACE annotate "$kind" "$res" --overwrite "$1=$2"
+ else
+ $KUBECTL -n $NAMESPACE annotate "$kind" "$res" --overwrite "$1=$2"
+ fi
+ log " Set annotation $1=$2"
+}
+
+patch_resource() {
+ kind="$1"
+ res="$2"
+
+ if [ "$SKIP_EXISTENCE_CHECK" == "false" ]; then
+ $KUBECTL -n $NAMESPACE get "$kind" "$res" >/dev/null 2>&1 || {
+ log "Skipping ${kind}/${res}: Resource not known in cluster."
+ log
+ return
+ }
+ fi
+
+ log "** Patching resource $kind/$res **"
+ add_label "app.kubernetes.io/name" "stackrox"
+ add_label "app.kubernetes.io/managed-by" "Helm"
+ add_annotation "meta.helm.sh/release-name" "stackrox-central-services"
+ add_annotation "meta.helm.sh/release-namespace" "$NAMESPACE"
+ log
+}
+
+patch_resource "Application" "stackrox"
+patch_resource "ClusterRole" "stackrox-central-psp"
+patch_resource "ClusterRole" "stackrox-scanner-psp"
+patch_resource "ConfigMap" "central-config"
+patch_resource "ConfigMap" "central-endpoints"
+patch_resource "ConfigMap" "scanner-config"
+patch_resource "Deployment" "central"
+patch_resource "Deployment" "scanner"
+patch_resource "Deployment" "scanner-db"
+patch_resource "DestinationRule" "central-internal-no-istio-mtls"
+patch_resource "DestinationRule" "scanner-db-internal-no-istio-mtls"
+patch_resource "DestinationRule" "scanner-internal-no-istio-mtls"
+patch_resource "HorizontalPodAutoscaler" "scanner"
+patch_resource "NetworkPolicy" "allow-ext-to-central"
+patch_resource "NetworkPolicy" "scanner"
+patch_resource "NetworkPolicy" "scanner-db"
+patch_resource "PersistentVolumeClaim" "stackrox-db"
+patch_resource "PodSecurityPolicy" "stackrox-central"
+patch_resource "PodSecurityPolicy" "stackrox-scanner"
+patch_resource "Role" "stackrox-central-diagnostics"
+patch_resource "RoleBinding" "stackrox-central-diagnostics"
+patch_resource "RoleBinding" "stackrox-central-psp"
+patch_resource "RoleBinding" "stackrox-scanner-psp"
+patch_resource "Route" "central"
+patch_resource "Route" "central-mtls"
+patch_resource "Secret" "central-default-tls-cert"
+patch_resource "Secret" "central-htpasswd"
+patch_resource "Secret" "central-license"
+patch_resource "Secret" "central-tls"
+patch_resource "Secret" "proxy-config"
+patch_resource "Secret" "scanner-db-password"
+patch_resource "Secret" "scanner-db-tls"
+patch_resource "Secret" "scanner-tls"
+patch_resource "Secret" "stackrox"
+patch_resource "SecurityContextConstraints" "central"
+patch_resource "SecurityContextConstraints" "scanner"
+patch_resource "Service" "central"
+patch_resource "Service" "central-loadbalancer"
+patch_resource "Service" "scanner"
+patch_resource "Service" "scanner-db"
+patch_resource "ServiceAccount" "central"
+patch_resource "ServiceAccount" "scanner"
diff --git a/3.0.59.0/central-services/templates/00-additional-ca.yaml b/3.0.59.0/central-services/templates/00-additional-ca.yaml
new file mode 100644
index 0000000..110b105
--- /dev/null
+++ b/3.0.59.0/central-services/templates/00-additional-ca.yaml
@@ -0,0 +1,21 @@
+{{- include "srox.init" . -}}
+
+{{- if ._rox._additionalCAs }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: additional-ca
+ namespace: {{ ._rox._namespace }}
+ labels:
+ {{- include "srox.labels" (list . "secret" "additional-ca") | nindent 4 }}
+ annotations:
+ {{- include "srox.annotations" (list . "secret" "additional-ca") | nindent 4 }}
+ "helm.sh/hook": "pre-install,pre-upgrade"
+ "helm.sh/resource-policy": keep
+type: Opaque
+stringData:
+ {{- range $name, $cert := ._rox._additionalCAs }}
+ {{ $name | quote }}: |
+ {{- $cert | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/3.0.59.0/central-services/templates/00-image-pull-secret.yaml b/3.0.59.0/central-services/templates/00-image-pull-secret.yaml
new file mode 100644
index 0000000..1fc3e34
--- /dev/null
+++ b/3.0.59.0/central-services/templates/00-image-pull-secret.yaml
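Review bot: `if [ "$DRY_RUN" == "true" ]` in add_label and add_annotation, and `[ "$SKIP_EXISTENCE_CHECK" == "false" ]` in patch_resource, use `==`, which POSIX `test` does not define; with `#!/usr/bin/env sh` resolving to dash, `[` reports an unexpected operator and `set -eu` aborts the script before any resource is patched. The single-`=` form, `if [ "$DRY_RUN" = "true" ]; then`, works on every sh, and the two validation checks would be more portable with `[ ... ] && [ ... ]` instead of the obsolescent `-a`. The header comment also tells users to set `NAMESPACE`, while the code reads `NAMESPACE="${STACKROX_NAMESPACE:-stackrox}"`; the comment should name `STACKROX_NAMESPACE`. Minor: `$KUBECTL` and `$NAMESPACE` are expanded unquoted in the kubectl invocations, unlike `"$kind"` and `"$res"` on the same lines.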
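Review bot: `namespace: {{ ._rox._namespace }}` in the additional-ca Secret is the only place in this commit that does not use `{{ .Release.Namespace }}`; unless `srox.init` guarantees `_namespace` equals the release namespace, the hook Secret could be created in a different namespace from the central Deployment that mounts it as `additional-ca-volume`. If there is no reason for the difference, `namespace: {{ .Release.Namespace }}` keeps it consistent with the other Secrets. The `"helm.sh/resource-policy": keep` value is also written unquoted here while the proxy-config, license and htpasswd Secrets write `"keep"`; either is valid YAML, but one form should be used throughout.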
@@ -0,0 +1,18 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.imagePullSecrets._dockerAuths }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: stackrox + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "stackrox") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "stackrox") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +data: + .dockerconfigjson: {{ dict "auths" ._rox.imagePullSecrets._dockerAuths | toJson | b64enc | quote }} +{{ end }} diff --git a/3.0.59.0/central-services/templates/00-proxy-config-secret.yaml b/3.0.59.0/central-services/templates/00-proxy-config-secret.yaml new file mode 100644 index 0000000..c357179 --- /dev/null +++ b/3.0.59.0/central-services/templates/00-proxy-config-secret.yaml @@ -0,0 +1,20 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.env._proxyConfig -}} +apiVersion: v1 +kind: Secret +metadata: + name: proxy-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "proxy-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "proxy-config") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + config.yaml: | + {{- ._rox.env._proxyConfig | nindent 4 }} + +{{ end }} diff --git a/3.0.59.0/central-services/templates/00-stackrox-application.yaml b/3.0.59.0/central-services/templates/00-stackrox-application.yaml new file mode 100644 index 0000000..34eaa5a --- /dev/null +++ b/3.0.59.0/central-services/templates/00-stackrox-application.yaml 
@@ -0,0 +1,114 @@ +{{- include "srox.init" . -}} + +{{- if has "app.k8s.io/v1beta1/Application" ._rox._apiServer.apiResources -}} +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: stackrox + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "application" "stackrox") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "application" "stackrox") | nindent 4 }} + kubernetes-engine.cloud.google.com/icon: "data:image/png;base64,{{ .Files.Get "assets/icon.png" | b64enc }}" +spec: + descriptor: + type: StackRox + version: {{ .Chart.AppVersion | quote }} + description: |- + StackRox Kubernetes Security Platform + + Version {{ .Chart.AppVersion }} + + ## Thank you for installing StackRox! + +
+ + #### Support + + [Email support@stackrox.com](mailto:support@stackrox.com?cc=sales@stackrox.com&Subject=StackRox%20Support%20Question&Body=Dear%20StackRox%20support,) + + ## Connecting to StackRox + +
+ + #### Directly using a Load Balancer + + When deploying StackRox with the `Load Balancer` network configuration, the service can be accessed directly. + + $CONNECT + + #### Tunneling via Port Forward + + When deploying StackRox with the `Node Port` or `None` network configuration, the service must be accessed using a port forward tunnel. + + - Step 1 - Start the port forward tunnel to the StackRox Central service. + + ``` + $ kubectl -n stackrox port-forward svc/central 8443:443 + ``` + + - Step 2 - In a browser, [visit https://localhost:8443](https://localhost:8443) to access StackRox. + + keywords: + - "stackrox" + - "kube" + - "security" + maintainers: + - name: StackRox, Inc. + url: https://stackrox.com + owners: + - name: StackRox, Inc. + url: https://stackrox.com + links: + - description: StackRox Help Documentation + url: "https://help.stackrox.com" + + info: + - name: StackRox namespace + value: stackrox + - name: StackRox admin username + value: "admin" + + selector: + matchLabels: + app.kubernetes.io/name: stackrox + + componentKinds: + - group: '' + kind: ConfigMap + - group: '' + kind: Secret + - group: '' + kind: PersistentVolumeClaim + - group: '' + kind: Service + - group: '' + kind: ServiceAccount + - group: rbac.authorization.k8s.io + kind: ClusterRole + - group: rbac.authorization.k8s.io + kind: ClusterRoleBinding + - group: apps + kind: Deployment + - group: networking.k8s.io + kind: NetworkPolicy + - group: rbac.authorization.k8s.io + kind: Role + - group: rbac.authorization.k8s.io + kind: RoleBinding + - group: route.openshift.io + kind: Route + - group: security.openshift.io + kind: SecurityContextConstraints + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + - group: autoscaling + kind: HorizontalPodAutoscaler + - group: storage.k8s.io + kind: StorageClass + - group: networking.istio.io + kind: DestinationRule + - group: policy + kind: PodSecurityPolicy +{{- end }} 
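Review bot: The Application description hard-codes the namespace: the `info` entry reports `value: stackrox` and the port-forward example runs `kubectl -n stackrox port-forward svc/central 8443:443`, while the resource itself is created in `{{ .Release.Namespace }}`. Rendering both from the release namespace, e.g. `value: {{ .Release.Namespace }}`, keeps the on-console instructions correct for any namespace; if the chart genuinely supports only `stackrox` (the migration script's comment suggests so), a template comment stating that would explain the literal. The bare `$CONNECT` line in the description also reads like an unexpanded placeholder rather than intended user-facing text and should be rendered from a value or removed. The description block starts on the previous physical line of this hunk.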
diff --git a/3.0.59.0/central-services/templates/00-storage-class.yaml b/3.0.59.0/central-services/templates/00-storage-class.yaml new file mode 100644 index 0000000..4a5664e --- /dev/null +++ b/3.0.59.0/central-services/templates/00-storage-class.yaml @@ -0,0 +1,27 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central.persistence._pvcCfg }} +{{- if ._rox.central.persistence._pvcCfg.storageClass -}} +{{- if eq ._rox.central.persistence._pvcCfg.storageClass "stackrox-gke-ssd" }} +{{- $lookupOut := dict -}} +{{- $storageClassName := include "srox.globalResourceName" (list . "stackrox-gke-ssd") -}} +{{- $_ := include "srox.safeLookup" (list . $lookupOut "storage.k8s.io/v1" "StorageClass" "" $storageClassName) -}} +{{- if and (not $lookupOut.result) (or .Release.IsInstall $lookupOut.reliable) (not ._rox.meta.noCreateStorageClass) -}} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ $storageClassName }} + labels: + {{- include "srox.labels" (list . "storageclass" "stackrox-gke-ssd") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "storageclass" "stackrox-gke-ssd") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +provisioner: kubernetes.io/gce-pd +parameters: + type: pd-ssd +{{- end -}} +{{- end }} +{{- end -}} +{{- end }} diff --git a/3.0.59.0/central-services/templates/01-central-00-serviceaccount.yaml b/3.0.59.0/central-services/templates/01-central-00-serviceaccount.yaml new file mode 100644 index 0000000..2dc46a4 --- /dev/null +++ b/3.0.59.0/central-services/templates/01-central-00-serviceaccount.yaml 
@@ -0,0 +1,16 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "central") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.imagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} + diff --git a/3.0.59.0/central-services/templates/01-central-01-license-secret.yaml b/3.0.59.0/central-services/templates/01-central-01-license-secret.yaml new file mode 100644 index 0000000..0d26dda --- /dev/null +++ b/3.0.59.0/central-services/templates/01-central-01-license-secret.yaml @@ -0,0 +1,21 @@ +{{- include "srox.init" . -}} + +{{- if ._rox._licenseKey -}} + +apiVersion: v1 +kind: Secret +metadata: + name: central-license + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-license") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-license") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + license.lic: | + {{- ._rox._licenseKey | nindent 4 }} + +{{ end }} diff --git a/3.0.59.0/central-services/templates/01-central-02-security.yaml b/3.0.59.0/central-services/templates/01-central-02-security.yaml new file mode 100644 index 0000000..79108cc --- /dev/null +++ b/3.0.59.0/central-services/templates/01-central-02-security.yaml 
@@ -0,0 +1,121 @@ +{{- include "srox.init" . -}} + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central-psp") }} + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-central-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-central-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ include "srox.globalResourceName" (list . "stackrox-central") }} + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-central-psp + namespace: {{.Release.Namespace}} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-central-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-central-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "srox.globalResourceName" (list . "stackrox-central-psp") }} +subjects: + - kind: ServiceAccount + name: central + namespace: {{.Release.Namespace}} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central") }} + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"podsecuritypolicy" "stackrox-central") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + - 'hostPath' + {{ if ._rox.central.persistence.hostPath -}} + allowedHostPaths: + - pathPrefix: {{ ._rox.central.persistence.hostPath }} + {{- end}} + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 + +{{- if ._rox.env.openshift }} +--- + +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "central") }} + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "central") | nindent 4 }} + annotations: + kubernetes.io/description: central is the security constraint for the central server + {{- include "srox.annotations" (list . "securitycontextconstraints" "central") | nindent 4 }} +allowHostDirVolumePlugin: {{ ._rox.central.persistence.hostPath | not | not }} +allowedCapabilities: [] +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +defaultAddCapabilities: [] +fsGroup: + type: MustRunAs + ranges: + - max: 4000 + min: 4000 +priority: 0 +readOnlyRootFilesystem: true +requiredDropCapabilities: [] +runAsUser: + type: MustRunAs + uid: 4000 +seLinuxContext: + type: MustRunAs +seccompProfiles: + - '*' +users: + - system:serviceaccount:{{ .Release.Namespace }}:central +volumes: + - '*' + +{{- end }} diff --git a/3.0.59.0/central-services/templates/01-central-03-diagnostics-rbac.yaml b/3.0.59.0/central-services/templates/01-central-03-diagnostics-rbac.yaml new file mode 100644 index 0000000..4ceaca7 --- /dev/null 
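Review bot: The PodSecurityPolicy lists `- 'hostPath'` under `volumes` unconditionally, but `allowedHostPaths` is only rendered inside `{{ if ._rox.central.persistence.hostPath -}}`; when central is backed by a PVC the policy still permits hostPath volumes with no path restriction, because an absent `allowedHostPaths` allows any host path. Moving the `- 'hostPath'` entry inside the same guard as `allowedHostPaths` limits the policy to what the configured persistence needs. The SCC sets `readOnlyRootFilesystem: true` and the Deployment sets it on the container, so the PSP could also state `readOnlyRootFilesystem: true` so both admission paths enforce the same posture; the SCC's `volumes: ['*']` is likewise broader than the PSP's enumerated list, and whether that is intended is not visible here. The PSP definition begins on the previous physical line of this hunk.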
+++ b/3.0.59.0/central-services/templates/01-central-03-diagnostics-rbac.yaml @@ -0,0 +1,37 @@ +{{- include "srox.init" . -}} + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: stackrox-central-diagnostics + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "stackrox-central-diagnostics") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "role" "stackrox-central-diagnostics") | nindent 4 }} +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-central-diagnostics + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-central-diagnostics") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-central-diagnostics") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: stackrox-central-diagnostics +subjects: + - kind: ServiceAccount + name: central + namespace: {{ .Release.Namespace }} diff --git a/3.0.59.0/central-services/templates/01-central-04-htpasswd-secret.yaml b/3.0.59.0/central-services/templates/01-central-04-htpasswd-secret.yaml new file mode 100644 index 0000000..59b338e --- /dev/null +++ b/3.0.59.0/central-services/templates/01-central-04-htpasswd-secret.yaml 
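Review bot: The `stackrox-central-diagnostics` Role grants `get` and `list` on `'*'` resources in `'*'` apiGroups to the `central` ServiceAccount, which in this namespace includes every Secret created by the chart (`central-tls` with `ca-key.pem`, `scanner-db-password`, the `stackrox` image pull secret). If the diagnostics feature only needs workload and event metadata, enumerating the resource kinds it reads, or at least adding a comment above `rules:` naming what the wildcard is for, would make the grant reviewable; as written the binding doubles as a read-everything permission for the namespace. Central already mounts most of these secrets directly, so the practical added exposure is limited, but least privilege still argues for narrowing or documenting it.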
@@ -0,0 +1,22 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central._adminPassword -}} +{{- if ._rox.central._adminPassword.htpasswd -}} +apiVersion: v1 +kind: Secret +metadata: + name: central-htpasswd + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-htpasswd") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-htpasswd") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + htpasswd: | + {{- ._rox.central._adminPassword.htpasswd | nindent 4 }} + +{{- end -}} +{{- end -}} diff --git a/3.0.59.0/central-services/templates/01-central-05-tls-secret.yaml b/3.0.59.0/central-services/templates/01-central-05-tls-secret.yaml new file mode 100644 index 0000000..4ec928f --- /dev/null +++ b/3.0.59.0/central-services/templates/01-central-05-tls-secret.yaml @@ -0,0 +1,31 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox._ca ._rox.central._serviceTLS ._rox.central._jwtSigner -}} + +apiVersion: v1 +kind: Secret +metadata: + name: central-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox._ca.Cert | nindent 4 }} + ca-key.pem: | + {{- ._rox._ca.Key | nindent 4 }} + jwt-key.pem: | + {{- ._rox.central._jwtSigner.Key | nindent 4 }} + cert.pem: | + {{- ._rox.central._serviceTLS.Cert | nindent 4 }} + key.pem: | + {{- ._rox.central._serviceTLS.Key | nindent 4 }} + +{{- else if or ._rox.central._serviceTLS ._rox.central._jwtSigner }} +{{ include "srox.fail" "Service TLS certificates and/or JWT signer key can only be created/updated if all data AND the service CA are present/specified." }} +{{- end }} 
diff --git a/3.0.59.0/central-services/templates/01-central-06-default-tls-cert-secret.yaml b/3.0.59.0/central-services/templates/01-central-06-default-tls-cert-secret.yaml new file mode 100644 index 0000000..010444c --- /dev/null +++ b/3.0.59.0/central-services/templates/01-central-06-default-tls-cert-secret.yaml @@ -0,0 +1,22 @@ +{{- include "srox.init" . -}} + +{{ if ._rox.central._defaultTLS }} + +apiVersion: v1 +kind: Secret +metadata: + name: central-default-tls-cert + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-default-tls-cert") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-default-tls-cert") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" +type: kubernetes.io/tls +stringData: + tls.crt: | + {{- ._rox.central._defaultTLS.Cert | nindent 4 }} + tls.key: | + {{- ._rox.central._defaultTLS.Key | nindent 4 }} + +{{- end }} diff --git a/3.0.59.0/central-services/templates/01-central-08-configmap.yaml b/3.0.59.0/central-services/templates/01-central-08-configmap.yaml new file mode 100644 index 0000000..9420e59 --- /dev/null +++ b/3.0.59.0/central-services/templates/01-central-08-configmap.yaml @@ -0,0 +1,14 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: central-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "central-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "central-config") | nindent 4 }} +data: + central-config.yaml: | + {{- ._rox.central._config | nindent 4 }} diff --git a/3.0.59.0/central-services/templates/01-central-09-endpoints-config.yaml b/3.0.59.0/central-services/templates/01-central-09-endpoints-config.yaml new file mode 100644 index 0000000..fa6204e --- /dev/null +++ b/3.0.59.0/central-services/templates/01-central-09-endpoints-config.yaml 
@@ -0,0 +1,17 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central._endpointsConfig -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: central-endpoints + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "central-endpoints") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "central-endpoints") | nindent 4 }} +data: + endpoints.yaml: | + {{- ._rox.central._endpointsConfig | nindent 4 }} + +{{- end -}} diff --git a/3.0.59.0/central-services/templates/01-central-10-networkpolicy.yaml b/3.0.59.0/central-services/templates/01-central-10-networkpolicy.yaml new file mode 100644 index 0000000..9ab574f --- /dev/null +++ b/3.0.59.0/central-services/templates/01-central-10-networkpolicy.yaml @@ -0,0 +1,42 @@ +{{- include "srox.init" . -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-ext-to-central + namespace: {{.Release.Namespace}} + labels: + {{- include "srox.labels" (list . "networkpolicy" "allow-ext-to-central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "allow-ext-to-central") | nindent 4 }} +spec: + ingress: + {{- toYaml ._rox.central._netPolIngressRules | nindent 4 }} + podSelector: + matchLabels: + app: central + policyTypes: + - Ingress + +{{ if ._rox.central.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: central-monitoring + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "central-monitoring") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "central-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: central + policyTypes: + - Ingress +{{ end }} 
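Review bot: The `central-endpoints` ConfigMap is rendered only when `._rox.central._endpointsConfig` is non-empty, but the central Deployment later in this commit references it as `configMap: name: central-endpoints` without `optional: true`, unlike the `central-config` volume next to it. The defaults file supplies an `endpointsConfig` fallback, so the gap is probably unreachable today, but if the value ever resolves to empty the pod would sit in ContainerCreating waiting for a ConfigMap that was never created. Either drop the `{{- if ... -}}` guard here or add `optional: true` to that volume so the two templates agree.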
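Review bot: The `central-monitoring` NetworkPolicy admits ingress to port 9090/TCP from any peer, because its rule has a `ports` entry but no `from` selector, so enabling `exposeMonitoring` makes the metrics endpoint reachable from every pod and namespace the CNI can route from. If the intended scraper lives in a known monitoring namespace, adding a `from:` with a `namespaceSelector` (or a comment stating that cluster-wide reachability is intended) keeps the policy as deliberate as the `allow-ext-to-central` rules, which come from `_netPolIngressRules` in a helper not visible here. The policy also uses `{{ if ... }}` without the whitespace-trimming dash that the rest of the chart uses, which leaves a stray blank line before the document separator.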
diff --git a/3.0.59.0/central-services/templates/01-central-11-pvc.yaml b/3.0.59.0/central-services/templates/01-central-11-pvc.yaml new file mode 100644 index 0000000..570cf0f --- /dev/null +++ b/3.0.59.0/central-services/templates/01-central-11-pvc.yaml 
@@ -0,0 +1,63 @@ +{{- include "srox.init" . -}} + +{{ if ._rox.central.persistence._pvcCfg -}} +{{- $pvcCfg := ._rox.central.persistence._pvcCfg -}} +{{- $claimName := $pvcCfg.claimName -}} +{{/* In a multiple namespace setting, storageClassName is generated by globalResourceName */}} +{{- $storageClassName := "" }} +{{- if $pvcCfg.storageClass }} + {{- if eq $pvcCfg.storageClass "stackrox-gke-ssd" }} + {{- $storageClassName = include "srox.globalResourceName" (list . "stackrox-gke-ssd") }} + {{- else }} + {{- $storageClassName = $pvcCfg.storageClass }} + {{- end}} +{{- end}} +{{- if $pvcCfg.volume.volumeSpec }} +{{- $pvName := (print $claimName "-pv") -}} +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ $pvName }} + labels: + {{- include "srox.labels" (list . "persistentvolume" $pvName) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "persistentvolume" $pvName) | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +spec: + {{- if $storageClassName }} + storageClassName: {{ $storageClassName }} + {{- end}} + capacity: + storage: {{ include "srox.formatStorageSize" $pvcCfg.size }} + accessModes: + - ReadWriteOnce + claimRef: + namespace: {{ .Release.Namespace }} + name: {{ $claimName }} + {{- toYaml $pvcCfg.volume.volumeSpec | nindent 2 }} +--- +{{- end }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ $claimName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "persistentvolumeclaim" $claimName) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"persistentvolumeclaim" $claimName) | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +spec: + {{- if $storageClassName }} + storageClassName: {{ $storageClassName }} + {{- end}} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ include "srox.formatStorageSize" $pvcCfg.size }} +{{- end }} diff --git a/3.0.59.0/central-services/templates/01-central-12-deployment.yaml b/3.0.59.0/central-services/templates/01-central-12-deployment.yaml new file mode 100644 index 0000000..cad2416 --- /dev/null +++ b/3.0.59.0/central-services/templates/01-central-12-deployment.yaml 
@@ -0,0 +1,192 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "deployment" "central") | nindent 4 }} + app: central + annotations: + {{- include "srox.annotations" (list . "deployment" "central") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: central + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: central + {{- include "srox.podLabels" (list . "deployment" "central") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8443" + {{- include "srox.podAnnotations" (list . "deployment" "central") | nindent 8 }} + spec: + {{- if ._rox.central._nodeSelector }} + nodeSelector: + {{- ._rox.central._nodeSelector | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # Central is single-homed, so avoid preemptible nodes. 
+ - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + {{- if ._rox.env.openshift }} + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: In + values: + - "true" + - weight: 75 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: NotIn + values: + - "true" + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: NotIn + values: + - "true" + {{- end}} + serviceAccountName: central + securityContext: + fsGroup: 4000 + runAsUser: 4000 + containers: + - name: central + image: {{ ._rox.central.image.fullRef | quote }} + command: + - /stackrox/central-entrypoint.sh + ports: + {{- toYaml ._rox.central._containerPorts | nindent 10 }} + readinessProbe: + httpGet: + scheme: HTTPS + path: /v1/ping + port: 8443 + resources: + {{- ._rox.central._resources | nindent 10 }} + securityContext: + capabilities: + drop: ["NET_RAW"] + readOnlyRootFilesystem: true + env: + - name: ROX_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ROX_INIT_TELEMETRY_ENABLED + value: {{ ._rox.central.disableTelemetry | not | quote }} + - name: ROX_OFFLINE_MODE + value: {{ ._rox.env.offlineMode | quote }} + {{- include "srox.envVars" (list . 
"deployment" "central" "central") | nindent 8 }} + volumeMounts: + - name: varlog + mountPath: /var/log/stackrox/ + - name: central-tmp-volume + mountPath: /tmp + - name: central-etc-ssl-volume + mountPath: /etc/ssl + - name: central-etc-pki-volume + mountPath: /etc/pki/ca-trust + - name: central-certs-volume + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: central-default-tls-cert-volume + mountPath: /run/secrets/stackrox.io/default-tls-cert/ + readOnly: true + - name: central-htpasswd-volume + mountPath: /run/secrets/stackrox.io/htpasswd/ + readOnly: true + - name: central-jwt-volume + mountPath: /run/secrets/stackrox.io/jwt/ + readOnly: true + - name: additional-ca-volume + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + - name: central-license-volume + mountPath: /run/secrets/stackrox.io/central-license/ + readOnly: true + - name: stackrox-db + mountPath: /var/lib/stackrox + - name: central-config-volume + mountPath: /etc/stackrox + - name: proxy-config-volume + mountPath: /run/secrets/stackrox.io/proxy-config/ + readOnly: true + - name: endpoints-config-volume + mountPath: /etc/stackrox.d/endpoints/ + readOnly: true + {{- range $extraMount := (default list ._rox.central.extraMounts) }} + - name: {{ $extraMount.name }} + {{- $extraMount.mount | toYaml | nindent 10 }} + {{- end }} + volumes: + - name: varlog + emptyDir: {} + - name: central-tmp-volume + emptyDir: {} + - name: central-etc-ssl-volume + emptyDir: {} + - name: central-etc-pki-volume + emptyDir: {} + - name: central-certs-volume + secret: + secretName: central-tls + - name: central-default-tls-cert-volume + secret: + secretName: central-default-tls-cert + optional: true + - name: central-htpasswd-volume + secret: + secretName: central-htpasswd + optional: true + - name: central-jwt-volume + secret: + secretName: central-tls + items: + - key: jwt-key.pem + path: jwt-key.pem + - name: additional-ca-volume + secret: + secretName: additional-ca + optional: true + - 
name: central-license-volume + secret: + secretName: central-license + optional: true + - name: central-config-volume + configMap: + name: central-config + optional: true + - name: proxy-config-volume + secret: + secretName: proxy-config + optional: true + - name: endpoints-config-volume + configMap: + name: central-endpoints + - name: stackrox-db + {{- toYaml ._rox.central.persistence._volumeCfg | nindent 8 }} + {{- range $extraMount := (default list ._rox.central.extraMounts) }} + - name: {{ $extraMount.name }} + {{- $extraMount.source | toYaml | nindent 8 }} + {{- end }} diff --git a/3.0.59.0/central-services/templates/01-central-13-service.yaml b/3.0.59.0/central-services/templates/01-central-13-service.yaml new file mode 100644 index 0000000..d8d67e9 --- /dev/null +++ b/3.0.59.0/central-services/templates/01-central-13-service.yaml @@ -0,0 +1,40 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: Service +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "central") | nindent 4 }} +spec: + ports: + {{- toYaml ._rox.central._servicePorts | nindent 4 }} + selector: + app: central + type: ClusterIP + +{{ if ._rox.env.istio }} +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: central-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "destinationrule" "central-internal-no-istio-mtls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "destinationrule" "central-internal-no-istio-mtls") | nindent 4 }} + stackrox.io/description: "Disable Istio mTLS for port 443, since StackRox services use built-in mTLS." +spec: + host: central.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 443 + tls: + mode: DISABLE +{{ end }} 
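Review bot: The central container's `securityContext` sets `capabilities.drop: ["NET_RAW"]` and `readOnlyRootFilesystem: true` but relies on the PSP/SCC from 01-central-02-security.yaml for `allowPrivilegeEscalation: false` and the uid-4000 constraint; on clusters where neither admission controller is active (PSP is optional and deprecated), the pod runs with privilege escalation permitted and no non-root assertion. Adding `allowPrivilegeEscalation: false` and `runAsNonRoot: true` beside the existing `readOnlyRootFilesystem: true` makes the hardening self-contained and matches what the SCC already enforces. Whether `drop` could be `["ALL"]` depends on what the entrypoint needs and is not verifiable from this hunk. The container spec starts on an earlier physical line of this hunk.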
diff --git a/3.0.59.0/central-services/templates/01-central-14-exposure.yaml b/3.0.59.0/central-services/templates/01-central-14-exposure.yaml new file mode 100644 index 0000000..ebaa3cd --- /dev/null +++ b/3.0.59.0/central-services/templates/01-central-14-exposure.yaml 
@@ -0,0 +1,89 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central.exposure.route.enabled }} +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "route" "central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "route" "central") | nindent 4 }} +spec: + port: + targetPort: https + tls: + termination: passthrough + to: + kind: Service + name: central +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: central-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "route" "central-mtls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "route" "central-mtls") | nindent 4 }} +spec: + host: "central.{{ .Release.Namespace }}" + port: + targetPort: https + tls: + termination: passthrough + to: + kind: Service + name: central +--- +{{- end }} + +{{- if ._rox.central.exposure.nodePort.enabled }} +apiVersion: v1 +kind: Service +metadata: + annotations: + {{- include "srox.annotations" (list . "service" "central-loadbalancer") | nindent 4 }} + cloud.google.com/app-protocols: '{"api": "HTTPS"}' + service.alpha.kubernetes.io/app-protocols: '{"api": "HTTPS"}' + name: central-loadbalancer + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "central-loadbalancer") | nindent 4 }} +spec: + type: NodePort + ports: + - port: 443 + targetPort: api +{{- if ._rox.central.exposure.nodePort.port }} + nodePort: {{ ._rox.central.exposure.nodePort.port }} +{{- end }} + selector: + app: central +--- +{{- end }} + +{{- if ._rox.central.exposure.loadBalancer.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: central-loadbalancer + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "central-loadbalancer") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"service" "central-loadbalancer") | nindent 4 }} +spec: + type: LoadBalancer + ports: + - port: {{ ._rox.central.exposure.loadBalancer.port }} + targetPort: api + selector: + app: central +{{- if ._rox.central.exposure.loadBalancer.ip }} + loadBalancerIP: {{ ._rox.central.exposure.loadBalancer.ip }} +{{- end }} +--- +{{- end}} diff --git a/3.0.59.0/central-services/templates/02-scanner-00-serviceaccount.yaml b/3.0.59.0/central-services/templates/02-scanner-00-serviceaccount.yaml new file mode 100644 index 0000000..a27c602 --- /dev/null +++ b/3.0.59.0/central-services/templates/02-scanner-00-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "scanner") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.imagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} + +{{ end -}} diff --git a/3.0.59.0/central-services/templates/02-scanner-01-security.yaml b/3.0.59.0/central-services/templates/02-scanner-01-security.yaml new file mode 100644 index 0000000..41944c1 --- /dev/null +++ b/3.0.59.0/central-services/templates/02-scanner-01-security.yaml 
@@ -0,0 +1,113 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }} + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }} +rules: +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + verbs: + - use + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-scanner-psp + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }} +subjects: + - kind: ServiceAccount + name: scanner + namespace: {{ .Release.Namespace }} + +--- + +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"podsecuritypolicy" "stackrox-scanner") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + +{{- if ._rox.env.openshift }} +--- + +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "scanner") }} + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "scanner") | nindent 4 }} + kubernetes.io/description: scanner is the security constraint for the Scanner container +priority: 0 +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +users: + - system:serviceaccount:{{ .Release.Namespace }}:scanner +volumes: + - '*' +allowHostDirVolumePlugin: false +allowedCapabilities: [] +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +defaultAddCapabilities: [] +fsGroup: + type: RunAsAny +readOnlyRootFilesystem: false +requiredDropCapabilities: [] +{{ end -}} + +{{ end -}} diff --git a/3.0.59.0/central-services/templates/02-scanner-02-db-password-secret.yaml b/3.0.59.0/central-services/templates/02-scanner-02-db-password-secret.yaml new file mode 100644 index 0000000..c6c0bc1 --- /dev/null +++ b/3.0.59.0/central-services/templates/02-scanner-02-db-password-secret.yaml 
@@ -0,0 +1,27 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +{{- if ._rox.scanner._dbPassword -}} +{{- if not (kindIs "invalid" ._rox.scanner._dbPassword.value) -}} + +apiVersion: v1 +kind: Secret +metadata: + name: scanner-db-password + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "scanner-db-password") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "scanner-db-password") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +type: Opaque +stringData: + password: | + {{- ._rox.scanner._dbPassword.value | nindent 4 }} + +{{- end -}} +{{- end -}} + +{{ end -}} diff --git a/3.0.59.0/central-services/templates/02-scanner-03-tls-secret.yaml b/3.0.59.0/central-services/templates/02-scanner-03-tls-secret.yaml new file mode 100644 index 0000000..7c590ff --- /dev/null +++ b/3.0.59.0/central-services/templates/02-scanner-03-tls-secret.yaml 
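Review bot: `password: |` uses the clip chomping indicator, so whether the value under `stringData.password` ends with a newline depends on what follows the expansion after Helm's whitespace trimming; if the scanner reads `/run/secrets/stackrox.io/secrets/password` verbatim rather than trimming it (not visible here), a trailing `\n` becomes part of the credential. `password: |-` makes the absence of a trailing newline explicit and is the safer default for a single-line secret. Also, `"helm.sh/resource-policy": keep` is unquoted here while the second secret in 02-scanner-03-tls-secret.yaml and 99-generated-values-secret.yaml quote the same value; both parse identically, but one convention should be used across the chart.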
@@ -0,0 +1,55 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +{{- if and ._rox.scanner._serviceTLS ._rox._ca -}} + +apiVersion: v1 +kind: Secret +metadata: + name: scanner-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "scanner-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "scanner-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +type: Opaque +stringData: + ca.pem: | + {{- ._rox._ca.Cert | nindent 4 }} + cert.pem: | + {{- ._rox.scanner._serviceTLS.Cert | nindent 4 }} + key.pem: | + {{- ._rox.scanner._serviceTLS.Key | nindent 4 }} + +--- + +{{- end }} + +{{ if and ._rox.scanner._dbServiceTLS ._rox._ca -}} + +apiVersion: v1 +kind: Secret +metadata: + name: scanner-db-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "scanner-db-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "scanner-db-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox._ca.Cert | nindent 4 }} + cert.pem: | + {{- ._rox.scanner._dbServiceTLS.Cert | nindent 4 }} + key.pem: | + {{- ._rox.scanner._dbServiceTLS.Key | nindent 4 }} + +{{- end -}} + +{{ end -}} diff --git a/3.0.59.0/central-services/templates/02-scanner-04-scanner-config.yaml b/3.0.59.0/central-services/templates/02-scanner-04-scanner-config.yaml new file mode 100644 index 0000000..4ed16c7 --- /dev/null +++ b/3.0.59.0/central-services/templates/02-scanner-04-scanner-config.yaml 
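Review bot: Both TLS secrets are `pre-install,pre-upgrade` hooks with `resource-policy: keep` and no `hook-delete-policy`, and Helm does not manage hook resources as part of the release, so `helm uninstall` leaves the service private keys behind in the namespace. That is presumably intended so the certificates survive reinstalls, but it is not obvious from the template; a comment above each Secret such as `{{/* Hook resource with keep policy: persists across helm uninstall, remove manually when decommissioning. */}}` would record the choice. The first block uses `{{- if … -}}` while the second uses `{{ if … -}}`, which is harmless but inconsistent within one file.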
@@ -0,0 +1,18 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: scanner-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "scanner-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "scanner-config") | nindent 4 }} +data: + config.yaml: | + {{- tpl (.Files.Get "config-templates/scanner/config.yaml.tpl") . | nindent 4 }} + +{{ end -}} diff --git a/3.0.59.0/central-services/templates/02-scanner-05-network-policy.yaml b/3.0.59.0/central-services/templates/02-scanner-05-network-policy.yaml new file mode 100644 index 0000000..824c63e --- /dev/null +++ b/3.0.59.0/central-services/templates/02-scanner-05-network-policy.yaml @@ -0,0 +1,57 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: scanner + ingress: + - from: + - podSelector: + matchLabels: + app: central + ports: + - port: 8080 + protocol: TCP + - port: 8443 + protocol: TCP + policyTypes: + - Ingress + +--- + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner-db") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: scanner-db + ingress: + - from: + - podSelector: + matchLabels: + app: scanner + ports: + - port: 5432 + protocol: TCP + policyTypes: + - Ingress + +{{ end -}} 
diff --git a/3.0.59.0/central-services/templates/02-scanner-06-deployment.yaml b/3.0.59.0/central-services/templates/02-scanner-06-deployment.yaml new file mode 100644 index 0000000..3468ddb --- /dev/null +++ b/3.0.59.0/central-services/templates/02-scanner-06-deployment.yaml 
@@ -0,0 +1,285 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + app: scanner + {{- include "srox.labels" (list . "deployment" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "deployment" "scanner") | nindent 4 }} +spec: + replicas: {{ ._rox.scanner.replicas }} + minReadySeconds: 15 + selector: + matchLabels: + app: scanner + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: scanner + {{- include "srox.podLabels" (list . "deployment" "scanner") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8080,8443" + {{- include "srox.podAnnotations" (list . "deployment" "scanner") | nindent 8 }} + spec: + {{- if ._rox.scanner._nodeSelector }} + nodeSelector: + {{- ._rox.scanner._nodeSelector | nindent 8 }} + {{- end }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + app: scanner + topologyKey: kubernetes.io/hostname + {{- if ._rox.env.openshift }} + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: In + values: + - "true" + - weight: 75 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: NotIn + values: + - "true" + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: NotIn + values: + - "true" + {{- end }} + containers: + - name: scanner + image: {{ ._rox.scanner.image.fullRef | quote }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- include "srox.envVars" (list . 
"deployment" "scanner" "scanner") | nindent 8 }} + resources: + {{- ._rox.scanner._resources | nindent 10 }} + command: + - /entrypoint.sh + ports: + - name: https + containerPort: 8080 + - name: grpc + containerPort: 8443 + securityContext: + capabilities: + drop: ["NET_RAW"] + runAsUser: 4000 + readinessProbe: + httpGet: + scheme: HTTPS + path: /scanner/ping + port: 8080 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + volumeMounts: + - mountPath: /etc/ssl + name: scanner-etc-ssl-volume + - mountPath: /etc/pki/ca-trust + name: scanner-etc-pki-volume + - mountPath: /usr/local/share/ca-certificates/ + name: additional-ca-volume + readOnly: true + - name: scanner-config-volume + mountPath: /etc/scanner + readOnly: true + - name: scanner-tls-volume + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: vuln-temp-db + mountPath: /var/lib/stackrox + - name: proxy-config-volume + mountPath: /run/secrets/stackrox.io/proxy-config/ + readOnly: true + - name: scanner-db-password + mountPath: /run/secrets/stackrox.io/secrets + serviceAccountName: scanner + volumes: + - name: additional-ca-volume + secret: + defaultMode: 420 + optional: true + secretName: additional-ca + - emptyDir: {} + name: scanner-etc-ssl-volume + - emptyDir: {} + name: scanner-etc-pki-volume + - name: scanner-config-volume + configMap: + name: scanner-config + - name: scanner-tls-volume + secret: + secretName: scanner-tls + - name: vuln-temp-db + emptyDir: {} + - name: proxy-config-volume + secret: + secretName: proxy-config + optional: true + - name: scanner-db-password + secret: + secretName: scanner-db-password + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + app: scanner-db + {{- include "srox.labels" (list . "deployment" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"deployment" "scanner-db") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: scanner-db + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: scanner-db + {{- include "srox.podLabels" (list . "deployment" "scanner-db") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "5432" + {{- include "srox.podAnnotations" (list . "deployment" "scanner-db") | nindent 8 }} + spec: + {{- if ._rox.scanner._dbNodeSelector }} + nodeSelector: + {{- ._rox.scanner._dbNodeSelector | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # ScannerDB is single-homed, so avoid preemptible nodes. + - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + {{ if ._rox.env.openshift }} + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: In + values: + - "true" + - weight: 75 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: NotIn + values: + - "true" + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: NotIn + values: + - "true" + {{- end }} + initContainers: + - name: init-db + image: {{ ._rox.scanner.dbImage.fullRef | quote }} + command: + - /bin/sh + - -c + - | + mkdir -p /var/lib/postgresql/data + chmod 700 /var/lib/postgresql/data + chown -R postgres:postgres /var/lib/postgresql + volumeMounts: + - name: db-data + mountPath: /var/lib/postgresql/data + securityContext: + runAsUser: 0 + containers: + - name: db + command: ["/usr/local/bin/docker-entrypoint.sh", "postgres", "-c", "config_file=/etc/postgresql.conf"] + image: {{ ._rox.scanner.dbImage.fullRef | quote }} + ports: + - name: https-db + containerPort: 5432 + resources: + {{- ._rox.scanner._dbResources | nindent 10 }} + env: + {{- include "srox.envVars" 
(list . "deployment" "scanner-db" "db") | nindent 10 }} + securityContext: + runAsUser: 70 + runAsGroup: 70 + volumeMounts: + - name: db-data + mountPath: /var/lib/postgresql/data + - name: scanner-db-tls-volume + mountPath: /run/secrets/stackrox.io/certs + - name: scanner-db-password + mountPath: /run/secrets/stackrox.io/secrets + serviceAccountName: scanner + securityContext: + fsGroup: 70 + volumes: + - name: scanner-config-volume + configMap: + name: scanner-config + - name: scanner-tls-volume + secret: + secretName: scanner-tls + - name: scanner-db-tls-volume + secret: + secretName: scanner-db-tls + defaultMode: 0640 + items: + - key: cert.pem + path: server.crt + - key: key.pem + path: server.key + - key: ca.pem + path: root.crt + - name: db-data + emptyDir: {} + - name: scanner-db-password + secret: + secretName: scanner-db-password + +{{ end -}} diff --git a/3.0.59.0/central-services/templates/02-scanner-07-service.yaml b/3.0.59.0/central-services/templates/02-scanner-07-service.yaml new file mode 100644 index 0000000..6c6ad04 --- /dev/null +++ b/3.0.59.0/central-services/templates/02-scanner-07-service.yaml 
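Review bot: The scanner-db pod declares `scanner-config-volume` and `scanner-tls-volume` (the scanner's own TLS secret) but no container in that pod mounts them, so the db pod needlessly depends on the `scanner-tls` Secret and `scanner-config` ConfigMap existing; dropping those two entries from the scanner-db `volumes` list keeps the scanner's key material scoped to the scanner pod. The `db` container has no readiness probe, so `minReadySeconds: 15` is the only gate before the Deployment counts as available; an exec probe against Postgres, via `pg_isready` if the image ships it, would be more reliable (sketched below). Minor: `defaultMode: 0640` on scanner-db-tls-volume is an octal literal while additional-ca-volume uses decimal `420`; both are accepted for this field but one notation should be used. The `init-db` container runs as UID 0 only to `chown` the emptyDir; with `fsGroup: 70` set on the pod it is worth checking whether that root step is still needed.
```yaml
      - name: db
        # … unchanged: command, image, ports, resources, env …
        readinessProbe:
          exec:
            command: ["pg_isready"]
          initialDelaySeconds: 5
          periodSeconds: 10
        securityContext:
          runAsUser: 70
```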
@@ -0,0 +1,94 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: Service +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "scanner") | nindent 4 }} +spec: + ports: + - name: https-scanner + port: 8080 + targetPort: 8080 + - name: grpcs-scanner + port: 8443 + targetPort: 8443 + selector: + app: scanner + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "scanner-db") | nindent 4 }} +spec: + ports: + - name: tcp-db + port: 5432 + targetPort: 5432 + selector: + app: scanner-db + type: ClusterIP + +{{ if ._rox.env.istio }} +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: scanner-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }} + annotations: + stackrox.io/description: "Disable Istio mTLS for ports 8080 and 8443, since StackRox services use built-in mTLS." + {{- include "srox.annotations" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }} +spec: + host: scanner.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8080 + tls: + mode: DISABLE + - port: + number: 8443 + tls: + mode: DISABLE + +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: scanner-db-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . 
"destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }} + annotations: + stackrox.io/description: "Disable Istio mTLS for port 5432, since StackRox services use built-in mTLS." + {{- include "srox.annotations" (list . "destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }} +spec: + host: scanner-db.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 5432 + tls: + mode: DISABLE +{{ end }} + +{{ end -}} diff --git a/3.0.59.0/central-services/templates/02-scanner-08-hpa.yaml b/3.0.59.0/central-services/templates/02-scanner-08-hpa.yaml new file mode 100644 index 0000000..c7af476 --- /dev/null +++ b/3.0.59.0/central-services/templates/02-scanner-08-hpa.yaml @@ -0,0 +1,25 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +{{- if not ._rox.scanner.autoscaling.disable -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }} +spec: + minReplicas: {{ ._rox.scanner.autoscaling.minReplicas }} + maxReplicas: {{ ._rox.scanner.autoscaling.maxReplicas }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: scanner + targetCPUUtilizationPercentage: 150 +{{ end -}} + +{{ end -}} diff --git a/3.0.59.0/central-services/templates/99-generated-values-secret.yaml b/3.0.59.0/central-services/templates/99-generated-values-secret.yaml new file mode 100644 index 0000000..b3499e8 --- /dev/null +++ b/3.0.59.0/central-services/templates/99-generated-values-secret.yaml 
@@ -0,0 +1,25 @@ +{{- include "srox.init" . -}} + +{{- if ._rox._state.generated -}} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ ._rox._state.generatedName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "generated-helm-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "generated-helm-config") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" + "helm.sh/hook-delete-policy": "never" +stringData: + generated-values.yaml: | + # The following values were generated by the StackRox Central Services Helm chart. + # You can pass this file to `helm install` via the `-f` parameter, which in conjunction + # with your local values files and values specified via `--set` will allow you to + # deterministically reproduce the deployment. + {{- ._rox._state.generated | toYaml | nindent 4 }} + +{{- end -}} diff --git a/3.0.59.0/central-services/templates/NOTES.txt b/3.0.59.0/central-services/templates/NOTES.txt new file mode 100644 index 0000000..87db7f7 --- /dev/null +++ b/3.0.59.0/central-services/templates/NOTES.txt 
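Review bot: `"helm.sh/hook-delete-policy": "never"` is not one of Helm's documented policies (`before-hook-creation`, `hook-succeeded`, `hook-failed`); as far as I can tell the no-delete outcome comes from Helm matching none of them, which also suppresses the default `before-hook-creation` behaviour, so a template comment should record that the value is deliberate rather than a typo. The Secret also serialises everything in `._rox._state.generated`, which per the srox.configureCrypto docs in _crypto.tpl includes generated private keys and, judging by the `srox.checkGenerated` call in NOTES.txt, the generated admin password; a comment such as `{{/* Contains generated credentials and private keys; restrict read access to this Secret. */}}` above the resource would make that explicit to anyone editing the chart.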
@@ -0,0 +1,49 @@ +{{- $_ := include "srox.init" . -}} + +StackRox {{.Chart.AppVersion}} has been installed. + +{{ if include "srox.checkGenerated" (list . "central.adminPassword.value") -}} +An administrator password has been generated automatically. Use username 'admin' and the following +password to log in for initial setup: + + {{ ._rox.central._adminPassword.value }} + +{{ end -}} + +{{ if ._rox._state.notes -}} +Please take note of the following: +{{ range ._rox._state.notes }} +- {{ . | wrapWith 98 "\n " -}} +{{ end }} + +{{ end -}} + +{{ if ._rox._state.generated -}} +One or several values were automatically generated by Helm. In order to reproduce this deployment +in the future, you can export these values by running + + $ kubectl -n {{ .Release.Namespace }} get secret {{ ._rox._state.generatedName }} \ + -o go-template='{{ `{{ index .data "generated-values.yaml" }}` }}' | \ + base64 --decode >generated-values.yaml + +This file might contain sensitive data, so store it in a safe place. + +{{ end -}} + +{{ if ._rox._state.warnings -}} +When installing StackRox, the following warnings were encountered: +{{ range ._rox._state.warnings }} +- WARNING: {{ . | wrapWith 98 "\n " -}} +{{ end }} + +{{ end -}} + +{{ if ._rox.env.openshift -}} +IMPORTANT: You have deployed into an OpenShift-enabled cluster. If you see that your pods + are not scheduling, run + + oc annotate namespace/{{ .Release.Namespace }} --overwrite openshift.io/node-selector="" +{{ end -}} + + +Thank you for using StackRox! diff --git a/3.0.59.0/central-services/templates/_central_endpoints.tpl b/3.0.59.0/central-services/templates/_central_endpoints.tpl new file mode 100644 index 0000000..3f01580 --- /dev/null +++ b/3.0.59.0/central-services/templates/_central_endpoints.tpl 
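Review bot: The generated admin password is rendered into the release notes, and Helm stores the rendered notes in the release record (a Secret in the release namespace by default), so anyone able to run `helm status` or `helm get notes` on the release can read it later, not only the operator who ran the install. If that is acceptable, a sentence in the notes telling users where the password can be rotated would help; otherwise point users at the generated-values Secret instead of printing the value here.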
@@ -0,0 +1,54 @@ +{{ define "srox.configureCentralEndpoints" }} +{{ $central := . }} +{{ $containerPorts := list (dict "name" "api" "containerPort" 8443) }} +{{ $netPolIngressRules := list (dict "ports" (list (dict "port" 8443 "protocol" "TCP"))) }} +{{ $servicePorts := list (dict "name" "https" "targetPort" "api" "port" 443) }} +{{ $cfgDict := fromYaml $central._endpointsConfig }} +{{ if kindIs "map" $cfgDict }} + {{ if $cfgDict.disableDefault }} + {{ $containerPorts = list }} + {{ $netPolIngressRules = list }} + {{ $servicePorts = list }} + {{ end }} + {{ range $epCfg := default list $cfgDict.endpoints }} + {{ if and $epCfg.listen (kindIs "string" $epCfg.listen) }} + {{ $listenParts := splitList ":" $epCfg.listen }} + {{ if $listenParts }} + {{ $port := last $listenParts }} + {{ if $port }} + {{ if regexMatch "[0-9]+" $port }} + {{ $port = int $port }} + {{ end }} + {{ $containerPort := dict "containerPort" $port }} + {{ if and $epCfg.name (kindIs "string" $epCfg.name) }} + {{ $_ := set $containerPort "name" $epCfg.name }} + {{ end }} + {{ $containerPorts = append $containerPorts $containerPort }} + {{ if $epCfg.servicePort }} + {{ $servicePort := dict "targetPort" $port "port" $epCfg.servicePort }} + {{ if $containerPort.name }} + {{ $_ := set $servicePort "name" $containerPort.name }} + {{ end }} + {{ $servicePorts = append $servicePorts $servicePort }} + {{ end }} + {{ if not (kindIs "invalid" $epCfg.allowIngressFrom) }} + {{ $fromList := $epCfg.allowIngressFrom }} + {{ if not (kindIs "slice" $fromList) }} + {{ $fromList = list $fromList }} + {{ end }} + {{ $netPolIngressRule := dict "ports" (list (dict "port" $port "protocol" "TCP")) "from" $fromList }} + {{ $netPolIngressRules = append $netPolIngressRules $netPolIngressRule }} + {{ end }} + {{ end }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ if $central.exposeMonitoring }} + {{ $containerPorts = append $containerPorts (dict "name" "monitoring" "containerPort" 9090) }} + {{ $servicePorts = append 
$servicePorts (dict "name" "monitoring" "targetPort" "monitoring" "port" 9090) }} +{{ end }} +{{ $_ := set $central "_containerPorts" $containerPorts }} +{{ $_ = set $central "_servicePorts" $servicePorts }} +{{ $_ = set $central "_netPolIngressRules" $netPolIngressRules }} +{{ end }} diff --git a/3.0.59.0/central-services/templates/_central_setup.tpl b/3.0.59.0/central-services/templates/_central_setup.tpl new file mode 100644 index 0000000..f79ff48 --- /dev/null +++ b/3.0.59.0/central-services/templates/_central_setup.tpl 
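Review bot: `regexMatch "[0-9]+" $port` is unanchored, so a listen spec whose port segment is only partly numeric (e.g. `8443x`) passes the check and is then converted with `int`, which returns 0 for an unparsable string and yields a `containerPort: 0` entry. Anchoring it as `{{ if regexMatch "^[0-9]+$" $port }}` leaves such values as strings for the API server to reject instead of silently producing port 0. It would also be worth an explicit `srox.fail` when `$port` is neither numeric nor a plausible port name, since this value feeds the Service, the NetworkPolicy and the container spec.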
@@ -0,0 +1,101 @@ +{/* + srox.centralSetup $ + + Configures and initializes central specific values like certificates, admin password or persistence. + */}} +{{ define "srox.centralSetup" }} +{{ $ := . }} +{{ $env := $._rox.env }} +{{ $_ := set $ "_rox" $._rox }} +{{ $centralCfg := $._rox.central }} + +{{/* Image settings */}} +{{ if kindIs "invalid" $centralCfg.image.tag }} + {{ $_ := set $centralCfg.image "tag" $.Chart.AppVersion }} +{{ end }} +{{ include "srox.configureImage" (list $ $centralCfg.image) }} + +{{/* Admin password */}} +{{ include "srox.configurePassword" (list $ "central.adminPassword" "admin") }} + +{{/* Service TLS Certificates */}} +{{ $centralCertSpec := dict "CN" "CENTRAL_SERVICE: Central" "dnsBase" "central" }} +{{ include "srox.configureCrypto" (list $ "central.serviceTLS" $centralCertSpec) }} + +{{/* JWT Token Signer */}} +{{ $jwtSignerSpec := dict "keyOnly" "rsa" }} +{{ include "srox.configureCrypto" (list $ "central.jwtSigner" $jwtSignerSpec) }} + +{{/* Setup Default TLS Certificate. */}} +{{ if $._rox.central.defaultTLS }} + {{ $cert := $._rox.central.defaultTLS._cert }} + {{ $key := $._rox.central.defaultTLS._key }} + {{ if and $cert $key }} + {{ $defaultTLSCert := dict "Cert" $cert "Key" $key }} + {{ $_ := set $._rox.central "_defaultTLS" $defaultTLSCert }} + {{ include "srox.note" (list $ "Configured default TLS certificate") }} + {{ else if or $cert $key }} + {{ include "srox.fail" "Must specify either none or both of central.defaultTLS.cert and central.defaultTLS.key" }} + {{ end }} +{{ end }} + +{{/* + Setup configuration for persistence backend. + */}} +{{ $volumeCfg := dict }} +{{ if $centralCfg.persistence.none }} + {{ include "srox.warn" (list $ "You have selected no persistence backend. Every deletion of the StackRox Central pod will cause you to lose all your data. 
This is STRONGLY recommended against.") }} + {{ $_ := set $volumeCfg "emptyDir" dict }} +{{ end }} +{{ if $centralCfg.persistence.hostPath }} + {{ if not $centralCfg.nodeSelector }} + {{ include "srox.warn" (list $ "You have selected host path persistence, but not specified a node selector. This is unlikely to work reliably.") }} + {{ end }} + {{ $_ := set $volumeCfg "hostPath" (dict "path" $centralCfg.persistence.hostPath) }} +{{ end }} +{{/* Configure PVC if either any of the settings in `central.persistence.persistentVolumeClaim` are provided, + or no other persistence backend has been configured yet. */}} +{{ if or (not (deepEqual $._rox._configShape.central.persistence.persistentVolumeClaim $centralCfg.persistence.persistentVolumeClaim)) (not $volumeCfg) }} + {{ $pvcCfg := $centralCfg.persistence.persistentVolumeClaim }} + {{ $_ := include "srox.mergeInto" (list $pvcCfg $._rox._defaults.pvcDefaults (dict "createClaim" $.Release.IsInstall)) }} + {{ $_ = set $volumeCfg "persistentVolumeClaim" (dict "claimName" $pvcCfg.claimName) }} + {{ if $pvcCfg.createClaim }} + {{ $_ = set $centralCfg.persistence "_pvcCfg" $pvcCfg }} + {{ end }} +{{ end }} + +{{ $allPersistenceMethods := keys $volumeCfg | sortAlpha }} +{{ if ne (len $allPersistenceMethods) 1 }} + {{ include "srox.fail" (printf "Invalid or no persistence configurations for central: [%s]" (join "," $allPersistenceMethods)) }} +{{ end }} +{{ $_ = set $centralCfg.persistence "_volumeCfg" $volumeCfg }} + +{{/* Endpoint configuration */}} +{{ include "srox.configureCentralEndpoints" $._rox.central }} + +{{/* + Exposure configuration setup & sanity checks. 
+ */}} +{{ if $._rox.central.exposure.loadBalancer.enabled }} + {{ include "srox.note" (list $ (printf "Exposing StackRox Central via LoadBalancer service.")) }} +{{ end }} +{{ if $._rox.central.exposure.nodePort.enabled }} + {{ include "srox.note" (list $ (printf "Exposing StackRox Central via NodePort service.")) }} +{{ end }} +{{ if $._rox.central.exposure.route.enabled }} + {{ if not $env.openshift }} + {{ include "srox.fail" (printf "The exposure method 'Route' is only available on OpenShift clusters.") }} + {{ end }} + {{ include "srox.note" (list $ (printf "Exposing StackRox Central via OpenShift Route https://central.%s." $.Release.Namespace)) }} +{{ end }} + +{{ if not (or $._rox.central.exposure.loadBalancer.enabled $._rox.central.exposure.nodePort.enabled $._rox.central.exposure.route.enabled) }} + {{ include "srox.note" (list $ "Not exposing StackRox Central, it will only be reachable cluster-internally.") }} + {{ include "srox.note" (list $ "To enable exposure via LoadBalancer service, use --set central.exposure.loadBalancer.enabled=true.") }} + {{ include "srox.note" (list $ "To enable exposure via NodePort service, use --set central.exposure.nodePort.enabled=true.") }} + {{ if $env.openshift }} + {{ include "srox.note" (list $ "To enable exposure via an OpenShift Route, use --set central.exposure.route.enabled=true.") }} + {{ end }} + {{ include "srox.note" (list $ (printf "To acccess StackRox Central via a port-forward on your local port 18443, run: kubectl -n %s port-forward svc/central 18443:443." .Release.Namespace)) }} +{{ end }} +{{ end }} diff --git a/3.0.59.0/central-services/templates/_crypto.tpl b/3.0.59.0/central-services/templates/_crypto.tpl new file mode 100644 index 0000000..1455288 --- /dev/null +++ b/3.0.59.0/central-services/templates/_crypto.tpl 
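Review bot: The user-facing note string contains a typo, `To acccess StackRox Central`, which should read `To access StackRox Central`. The file's opening comment begins with `{/*` rather than `{{/*`; unless that is an artefact of how the page was extracted, the header is not a template comment and would be emitted as literal text by this partial (harmless for an underscore-prefixed file, but worth fixing). The `printf` calls with a format string and no arguments, e.g. `printf "Exposing StackRox Central via LoadBalancer service."`, can be plain string literals.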
@@ -0,0 +1,239 @@ +{{/* + srox.configureCrypto $ $cryptoConfigPath $spec + + This helper function configures a private key or certificate (public cert + private key) + config entry, from an input config which is accessed via $cryptoConfigPath relative to + $._rox, which we'll refer to as $inputCfg. $inputCfg is expected to be a dict with at + least `key` and `generate` properties. If `generate` is null, it defaults to either `true` + on installations, and `false` on upgrades. `key` is an expandable string. + The result in either mode is written to a dict $outputCfg under $._rox accessed by the + $cryptoConfigPath, with a '_' prepended to the last path element. E.g., if + $cryptoConfigPath is "a.b.c", the input configuration will be read from $._rox.a.b.c, and + the output configuration will be stored in $._rox.a.b._c. + + Private key-only mode is selected if $spec.keyOnly contains a non-zero string, which specifies + the key algorithm to use. In this mode, if $inputCfg.key expands to a non-empty string, this + string will be copied to the `Key` property of $outputCfg. Otherwise, if $inputCfg.generate + is true (wrt. the above defaulting rules), a key with the algorithm prescribed by $spec.keyOnly + will be generated and stored in the `Key` property of $outputCfg. + + Certificate mode is the default. If $inputCfg.cert and $inputCfg.key expand to non-empty strings, + these strings will be copied to the `Cert` and `Key` properties of $outputCfg. Otherwise, if both + of them expand to empty strings (it is an error if only one of them expands to a non-empty + string), and $inputCfg.generate is true, a certificate and private key are generated with the + following options: + - If $inputCfg.ca is true, generate a CA certificate with common name $inputCfg.CN and a 5 year + validity duration. + - Otherwise, generate a leaf certificate with common name $inputCfg.CN and a 1 year validity + duration. 
The SANs for this certificate are derived from the base DNS name $inputCfg.dnsBase + according to "srox.computeSANs". + + Whenever certificates and/or private keys were generated, the $._rox._state.generated property + is updated to reflect the generated values, such that merging $._rox._state.generated in to + $.Values would have caused this template to simply use the generated values as-is. E.g., if + $cryptoConfigPath was "a.b.c" and $.Values.a.b.c.cert" and $.Values.a.b.c.key" were both empty, + $._rox._state.generated.a.b.c would be set to be a dict with `cert` and `key` properties of the + generated $outputCfg.Cert and $outputCfg.Key. + + If a certificate or private key was generated, $._rox._state.customCertGen is set to true. + */}} +{{- define "srox.configureCrypto" -}} +{{ $ := index . 0 }} +{{ $cryptoConfigPath := index . 1 }} +{{ $spec := index . 2 }} + +{{/* Resolve $cryptoConfigPath. */}} +{{ $cfg := $._rox }} +{{ $newGenerated := dict }} +{{ $genCfg := $newGenerated }} +{{ $cryptoConfigPathList := splitList "." $cryptoConfigPath }} +{{ range $pathElem := $cryptoConfigPathList }} + {{ $cfg = index $cfg $pathElem }} + {{ $newCfg := dict }} + {{ $_ := set $genCfg $pathElem $newCfg }} + {{ $genCfg = $newCfg }} +{{ end }} + +{{/* Make sure `cert` and `key` are expanded (this should already be the case, but better + safe than sorry. 
*/}} +{{ $certExpandSpec := dict "cert" true "key" true }} +{{ include "srox.expandAll" (list $ $cfg $certExpandSpec $cryptoConfigPathList) }} + +{{ $certPEM := $cfg._cert }} +{{ $keyPEM := $cfg._key }} + +{{ $result := dict }} +{{ if $certPEM }} + {{ $result = dict "Cert" $certPEM "Key" (default "" $keyPEM) }} +{{ else if or $certPEM $keyPEM }} + {{ if and $keyPEM $spec.keyOnly }} + {{ $_ := set $result "Key" $keyPEM }} + {{ else }} + {{ include "srox.fail" (printf "Either none or both of %s.cert and %s.key must be specified" $cryptoConfigPath $cryptoConfigPath) }} + {{ end }} +{{ else }} + {{ $generate := $cfg.generate }} + {{ if kindIs "invalid" $generate }} + {{ $generate = $.Release.IsInstall }} + {{ end }} + {{ if $generate }} + {{ if $spec.ca }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"ca\" (genCA .cn 1825) }}" (dict "Template" $.Template "cn" $spec.CN "out" $out) }} + {{ $result = $out.ca }} + {{ else if $spec.keyOnly }} + {{ $key := tpl "{{ genPrivateKey .algo }}" (dict "Template" $.Template "algo" $spec.keyOnly) }} + {{ $_ := set $genCfg "key" $key }} + {{ $_ = set $result "Key" $key }} + {{ else }} + {{ if not $._rox._ca }} + {{ include "srox.fail" (printf "Tried to generate certificate for %s, but no CA certificate is available." 
$spec.CN) }} + {{ end }} + {{ $sans := dict }} + {{ include "srox.computeSANs" (list $ $sans $spec.dnsBase) }} + {{ $ca := $._rox._ca }} + {{ if kindIs "map" $ca }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"ca\" (buildCustomCert (b64enc .ca.Cert) (b64enc .ca.Key)) }}" (dict "Template" $.Template "ca" $ca "out" $out) }} + {{ $ca = $out.ca }} + {{ end }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"cert\" (genSignedCert .cn nil .sans 365 .ca) }}" (dict "Template" $.Template "cn" $spec.CN "sans" $sans.result "ca" $ca "out" $out) }} + {{ $result = $out.cert }} + {{ $_ := set $genCfg "cert" $result.Cert }} + {{ $_ = set $genCfg "key" $result.Key }} + {{ end }} + {{ $_ := set $genCfg "key" $result.Key }} + {{ if $result.Cert }} + {{ $_ = set $genCfg "cert" $result.Cert }} + {{ end }} + {{ $_ = set $._rox._state "customCertGen" true }} + {{ end }} +{{ end }} + +{{/* Store output configuration and generated properties */}} +{{ $newCfgRoot := dict }} +{{ $newCfg := $newCfgRoot }} +{{ range $pathElem := initial $cryptoConfigPathList }} + {{ $nextCfg := dict }} + {{ $_ := set $newCfg $pathElem $nextCfg }} + {{ $newCfg = $nextCfg }} +{{ end }} +{{ $_ := set $newCfg (last $cryptoConfigPathList | printf "_%s") $result }} +{{ $_ = include "srox.mergeInto" (list $._rox $newCfgRoot) }} +{{ $_ = include "srox.mergeInto" (list $._rox._state.generated $newGenerated) }} +{{ end }} + + +{{/* + srox.configurePassword $ $pwConfigPath [$htpasswdUser] + + This helper function reads a password configuration (YAML dict with `value` + and `generate` properties) referenced by $pwConfigPath relative to $._rox. It + ensures the dict with the same config path relative to $._rox and prepending an underscore + to the last path element is populated in the following way: + - If the `value` property of the input config is nonzero, set `value` in the result to the + expanded value. 
+ - If the optional $htpasswdUser parameter is specified and the `htpasswd` property of the + input config is nonzero, set `htpasswd` in the result to the expanded value of that + property. + - If none of the above (non-mutually-exclusive) cases apply: + - If `generate` is true OR both `generate` is null and this is an installation, + not an upgrade, generate a random password with 32 alphanumeric characters. + - Otherwise, leave the result property empty. + - If the optional $htpasswdUser parameter was specified AND the `value` property in the + result property was set per the above rules AND the `htpasswd` property was not set, + populate the `htpasswd` property of the result by generating an htpasswd stanza with + the computed `value` as the password and $htpasswdUser as the username. + + The $._rox._state.generated property is adjusted accordingly. + */}} +{{- define "srox.configurePassword" -}} +{{ $ := index . 0 }} +{{ $pwConfigPath := index . 1 }} +{{ $htpasswdUser := "" }} +{{ if gt (len .) 2 }} + {{ $htpasswdUser = index . 2 }} +{{ end }} +{{ $cfg := $._rox }} +{{ $newGenerated := dict }} +{{ $genCfg := $newGenerated }} +{{ $pwConfigPathList := splitList "." $pwConfigPath }} +{{ range $pathElem := $pwConfigPathList }} + {{ $cfg = index $cfg $pathElem }} + {{ $newCfg := dict }} + {{ $_ := set $genCfg $pathElem $newCfg }} + {{ $genCfg = $newCfg }} +{{ end }} + +{{/* Make sure that `value` and `htpasswd` within $cfg are expanded (this should already be the + case but better safe than sorry). 
*/}} +{{ $pwExpandSpec := dict "value" true "htpasswd" true }} +{{ include "srox.expandAll" (list $ $cfg $pwExpandSpec $pwConfigPathList) }} + +{{ $result := dict }} +{{ if and $htpasswdUser (not (kindIs "invalid" $cfg._htpasswd)) }} + {{ $htpasswd := $cfg._htpasswd }} + {{ $_ := set $result "htpasswd" $htpasswd }} +{{ end }} +{{ if not $result.htpasswd }} + {{ $pw := dict.nil }} + {{ if kindIs "invalid" $cfg._value }} + {{ $generate := $cfg.generate }} + {{ if kindIs "invalid" $generate }} + {{ $generate = $.Release.IsInstall }} + {{ end }} + {{ if $generate }} + {{ $pw = randAlphaNum 32 }} + {{ $_ := set $genCfg "value" $pw }} + {{ end }} + {{ else }} + {{ $pw = $cfg._value }} + {{ end }} + {{ if not (kindIs "invalid" $pw) }} + {{ $_ := set $result "value" $pw }} + {{ end }} + {{ if and $htpasswdUser $pw }} + {{ $htpasswd := tpl "{{ htpasswd .user .pw }}" (dict "Template" $.Template "user" $htpasswdUser "pw" $pw) }} + {{ $_ := set $result "htpasswd" $htpasswd }} + {{ end }} +{{ else if $cfg.value }} + {{ include "srox.fail" (printf "Both a htpasswd and a value are specified for %s, this is illegal. Remove the `value` property, or ensure that `htpasswd` is null." $pwConfigPath) }} +{{ end }} +{{ $newCfgRoot := dict }} +{{ $newCfg := $newCfgRoot }} +{{ range $pathElem := initial $pwConfigPathList }} + {{ $nextCfg := dict }} + {{ $_ := set $newCfg $pathElem $nextCfg }} + {{ $newCfg = $nextCfg }} +{{ end }} +{{ $_ := set $newCfg (last $pwConfigPathList | printf "_%s") $result }} +{{ $_ = include "srox.mergeInto" (list $._rox $newCfgRoot) }} +{{ $_ = include "srox.mergeInto" (list $._rox._state.generated $newGenerated) }} +{{ end }} + + +{{/* + srox.computeSANs $ $out $svcName + + Compute the applicable SANs for a service with name $svcName, deployed in namespace + $.Release.Namespace (= $releaseNS). + Generally, SANs following the pattern "$svcName.$releaseNS[.svc[.cluster.local]]" will be + generated. 
If $releaseNS is not "stackrox", another set of SANs with the same pattern, + but assuming $releaseNS = "stackrox", will be generated in addition. + The result is stored as a list in $out.result. + */}} +{{ define "srox.computeSANs" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ $svcName := index . 2 }} +{{ $releaseNS := $.Release.Namespace }} +{{ $sans := list }} +{{ range $ns := list $releaseNS "stackrox" | uniq | sortAlpha }} + {{ $baseDNS := printf "%s.%s" $svcName $ns }} + {{ range $suffix := tuple "" ".svc" ".svc.cluster.local" }} + {{ $sans = printf "%s%s" $baseDNS $suffix | append $sans }} + {{ end }} +{{ end }} +{{ $_ := set $out "result" $sans }} +{{ end }} diff --git a/3.0.59.0/central-services/templates/_dict.tpl b/3.0.59.0/central-services/templates/_dict.tpl new file mode 100644 index 0000000..bf14a6d --- /dev/null +++ b/3.0.59.0/central-services/templates/_dict.tpl 
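Review bot: The `{{ else if $cfg.value }}` guard at the end of `srox.configurePassword` can never fire: `srox.expandAll`, invoked just above with `value` flagged, moves the entry to `_value` and unsets `value`, so a config that specifies both `htpasswd` and `value` is silently accepted with `value` ignored instead of failing as the docstring promises. Changing it to `{{ else if not (kindIs "invalid" $cfg._value) }}` restores the documented check. A related gap in `srox.configureCrypto`: the first branch `{{ if $certPEM }}` accepts a cert with an empty key (`Key` defaults to `""`), so the "either none or both" rule stated in the header is only enforced for a key without a cert; if cert-only input is intentionally allowed for CA entries the docstring should say so, otherwise that branch should also require `$keyPEM`. Note also that `srox.computeSANs` always adds `<svc>.stackrox[.svc[.cluster.local]]` even when the release lives in another namespace, so generated leaf certificates are valid for a name in a namespace the release does not own; worth a sentence in its comment.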
@@ -0,0 +1,142 @@ +{{/* + srox.compactDict $target [$depth] + + Compacts a dict $target by removing entries with empty values. + By default, only the top-level dict $target itself is modified. If the optional $depth + parameter is specified and is non-zero, this determines the recursion depth over which the + compaction is applied to nested diocts as well. A $depth of -1 means to compact all nested + dicts, regardless of depth. + */}} +{{ define "srox.compactDict" }} +{{ $args := . }} +{{ if not (kindIs "slice" $args) }} + {{ $args = list $args 0 }} +{{ end }} +{{ $target := index $args 0 }} +{{ $depth := index $args 1 }} +{{ $zeroValKeys := list }} +{{ range $k, $v := $target }} + {{ if and (kindIs "map" $v) (ne $depth 0) }} + {{ include "srox.compactDict" (list $v (sub $depth 1)) }} + {{ end }} + {{ if not $v }} + {{ $zeroValKeys = append $zeroValKeys $k }} + {{ end }} +{{ end }} +{{ range $k := $zeroValKeys }} + {{ $_ := unset $target $k }} +{{ end }} +{{ end }} + +{{/* + srox.destructiveMergeOverwrite $out $dict1 $dict2... + + Recursively merges $dict1, $dict2 (in this order) into $out, similar to mergeOverwrite. + The eponymous difference is the fact that any explicit "null" entries in the source + dictionaries cause the respective entry to be deleted. + */}} +{{ define "srox.destructiveMergeOverwrite" }} +{{ $out := first . }} +{{ $toMergeList := rest . 
}} +{{ range $toMerge := $toMergeList }} + {{ range $k, $v := $toMerge }} + {{ if kindIs "invalid" $v }} + {{ $_ := unset $out $k }} + {{ else if kindIs "map" $v }} + {{ $outV := index $out $k }} + {{ if kindIs "invalid" $outV }} + {{ $_ := set $out $k (deepCopy $v) }} + {{ else if kindIs "map" $outV }} + {{ include "srox.destructiveMergeOverwrite" (list $outV $v) }} + {{ else }} + {{ fail (printf "when merging at key %s: incompatible kinds %s and %s" $k (kindOf $v) (kindOf $outV)) }} + {{ end }} + {{ else }} + {{ $_ := set $out $k $v }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox.stringifyDictValues $dict + + Recursively traverses $dict and converts every non-dict value to a string. + */}} +{{ define "srox.stringifyDictValues" }} +{{ $dict := . }} +{{ range $k, $v := $dict }} + {{ if kindIs "map" $v }} + {{ include "srox.stringifyDictValues" $v }} + {{ else }} + {{ $_ := set $dict $k (toString $v) }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox.safeDictLookup $dict $out $path + + Looks up $path in $dict, and stores the result (if any) in $out.result. + $path is a dot-separated list of nested field names. An empty $path causes + $dict to be stored in $out.result. + + Example: srox.safeDictLookup $dict $out "a.b.c" stores the value of $dict.a.b.c, if + it exists, in $out.result. Otherwise, it does nothing - in particular, it does + not fail, as accessing $dict.a.b.c unconditionally would if any of $dict, $dict.a, + or $dict.a.b was not a dict. + */}} +{{ define "srox.safeDictLookup" }} +{{ $dict := index . 0 }} +{{ $out := index . 1 }} +{{ $path := index . 2 }} +{{ $curr := $dict }} +{{ $pathList := splitList "." 
$path | compact }} +{{ range $pathElem := $pathList }} + {{ if kindIs "map" $curr }} + {{ $curr = index $curr $pathElem }} + {{ else if not (kindIs "invalid" $curr) }} + {{ $curr = dict.nil }} + {{ end }} +{{ end }} +{{ if not (kindIs "invalid" $curr) }} + {{ $_ := set $out "result" $curr }} +{{ end }} +{{ end }} + + + +{{/* + srox.mergeInto $tgt $src1..$srcN + + Recursively merges values from $src1, ..., $srcN into $tgt, giving preference to + values in $tgt. + + Unlike Sprig's merge, this does not overwrite falsy values when explicitly defined, + with the exception of `null` values (this also sets it apart from Sprig's mergeOverwrite). + + Whenever entire (nested) dicts are merged as-is from one of the sources into $tgt, a deep + copy of the respective nested dict is created. + + An empty string is always returned, hence this should be invoked in the form + $_ := include "srox.mergeInto" (list $tgt $src1 $src2) + */}} +{{ define "srox.mergeInto" }} +{{ $tgt := first . }} +{{ range $src := rest . }} + {{ range $k, $srcV := $src }} + {{ $tgtV := index $tgt $k }} + {{ if kindIs "map" $srcV }} + {{ if kindIs "invalid" $tgtV }} + {{ $_ := set $tgt $k (deepCopy $srcV) }} + {{ else if kindIs "map" $tgtV }} + {{ $_ := include "srox.mergeInto" (list $tgtV $srcV) }} + {{ else }} + {{ fail (printf "Incompatible kinds for key %s: %s vs %s" $k (kindOf $srcV) (kindOf $tgtV)) }} + {{ end }} + {{ else if and (not (kindIs "invalid" $srcV)) (kindIs "invalid" $tgtV) }} + {{ $_ := set $tgt $k $srcV }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} diff --git a/3.0.59.0/central-services/templates/_expand.tpl b/3.0.59.0/central-services/templates/_expand.tpl new file mode 100644 index 0000000..46d5bde --- /dev/null +++ b/3.0.59.0/central-services/templates/_expand.tpl 
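Review bot: `srox.compactDict` documents `$depth` as optional but only defaults it when the argument is not a list, so a caller passing `(list $target)` hits `index $args 1` out of range. `{{ $depth := 0 }}{{ if gt (len $args) 1 }}{{ $depth = index $args 1 }}{{ end }}` in place of the current `index $args 1` matches the documented contract. Separately, `srox.destructiveMergeOverwrite` and `srox.mergeInto` call the bare `fail` while every other helper in this patch reports through `srox.fail`; routing these two through the same wrapper keeps error output consistent (I cannot see `srox.fail`, so presumably it only adds formatting).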
@@ -0,0 +1,89 @@ +{{/* + srox.expandAll $ $target $expandable [$path] + + Expands values within $target that are flagged in $expandable, using $path + as the path from the configuration root to $target for error reporting purposes. + + If $target is nil, nothing happens. Otherwise, $target must be a dict. For every key + of $target that is also present in $expandable, the following action is performed: + - If the entry in $expandable is a dict, recursive invoke "srox.expandAll" on the + respective entries, with an adjusted $path. + - Otherwise, the entry in $expandable is assume to be of boolean value. If the value is + true, the corresponding entry's value in $target is expanded (see "srox._expandSingle" + below for a definition of expanding), and the result of the expansion is stored under + the key with a "_" prepended in $target. The original entry in $target is removed. This + ensures "srox.expandAll" is an idempotent operation). + */}} +{{ define "srox.expandAll" }} +{{ $args := . }} +{{ $ := index $args 0 }} +{{ $target := index $args 1 }} +{{ $expandable := index $args 2 }} +{{ $path := list }} +{{ if ge (len $args) 4 }} + {{ $path = index $args 3 }} + {{ if kindIs "string" $path }} + {{ $path = splitList "." $path | compact }} + {{ end }} +{{ end }} + +{{ if kindIs "map" $target }} + {{ range $k, $v := $expandable }} + {{ $childPath := append $path $k }} + {{ $targetV := index $target $k }} + {{ if kindIs "map" $v }} + {{ include "srox.expandAll" (list $ $targetV $v $childPath) }} + {{ else if $v }} + {{ if not (kindIs "invalid" $targetV) }} + {{ $expanded := include "srox._expandSingle" (list $ $targetV (join "." $childPath)) }} + {{ $_ := set $target (printf "_%s" $k) $expanded }} + {{ end }} + {{ $_ := unset $target $k }} + {{ end }} + {{ end }} +{{ else if not (kindIs "invalid" $target) }} + {{ include "srox.fail" (printf "Error expanding value at %s: expected map, got: %s" (join "." 
$path) (kindOf $target)) }} +{{ end }} +{{ end }} + +{{/* + srox.expand $ $spec + + Parses and expands a "specification string" in the following way: + - If $spec is a dictionary, return $spec rendered as a YAML. + - Otherwise, if $spec starts with a backslash character (`\`), return $spec minus the leading + backslash character. + - Otherwise, if $spec starts with an `@` character, strip off the first character and + treat the remainder of the string as a `|`-separated list of file names. Try to load + each referenced file, in order, via `stackrox.getFile`. The result is the first file + that could be successfully loaded. If no file could be loaded, expansion fails. + - Otherwise, return $spec as-is. + */}} +{{- define "srox._expandSingle" -}} + {{- $ := index . 0 -}} + {{- $spec := index . 1 -}} + {{- $context := index . 2 -}} + {{- $result := "" -}} + {{- if kindIs "string" $spec -}} + {{- if hasPrefix "\\" $spec -}} + {{- /* use \ as string-wide escape character */ -}} + {{- $result = trimPrefix "\\" $spec -}} + {{- else if hasPrefix "@" $spec -}} + {{- /* treat as file list (first found matches) */ -}} + {{- $fileList := regexSplit "\\s*\\|\\s*" ($spec | trimPrefix "@" | trim) -1 -}} + {{- $fileRes := dict -}} + {{- $_ := include "srox.loadFile" (list $ $fileRes $fileList) -}} + {{- if not $fileRes.found -}} + {{- include "srox.fail" (printf "Expanding %s: file reference %q: none of the referenced files were found" $context $spec) -}} + {{- end -}} + {{- $result = $fileRes.contents -}} + {{- else -}} + {{/* treat as raw string */}} + {{- $result = $spec -}} + {{- end -}} + {{- else if not (kindIs "invalid" $spec) -}} + {{- /* render non-string, non-nil values as YAML */ -}} + {{- $result = toYaml $spec -}} + {{- end -}} + {{- $result -}} +{{- end -}} diff --git a/3.0.59.0/central-services/templates/_format.tpl b/3.0.59.0/central-services/templates/_format.tpl new file mode 100644 index 0000000..745fe47 --- /dev/null 
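Review bot: The header comment for `srox._expandSingle` is out of sync with the code: it names the template `srox.expand $ $spec`, while the definition is `srox._expandSingle` taking `$ $spec $context`, and it says files are loaded via `stackrox.getFile` when the body calls `srox.loadFile`. Because this expansion is applied to secret material (`cert`, `key`, and the admin password `value` via `srox.expandAll`), the comment should also spell out the escaping consequence: a literal value starting with `\` silently loses that character, and one starting with `@` is treated as a file reference, so such values must be written with a leading `\`. Suggested first line: `srox._expandSingle $ $spec $context — expands $spec; $context is the config path used in error messages.`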
+++ b/3.0.59.0/central-services/templates/_format.tpl
@@ -0,0 +1,14 @@
+{{/*
+ srox.formatStorageSize $value
+
+ Formats $value as a storage size. $value can be an integer or a string.
+ If no unit is specified (e.g., if $value is a string), a default unit of
+ Gigabytes ("Gi" suffix) is assumed.
+ */}}
+{{- define "srox.formatStorageSize" -}}
+{{- $val := toString . -}}
+{{- if regexMatch "^[0-9]+$" $val -}}
+ {{- $val = printf "%sGi" $val -}}
+{{- end -}}
+{{- default "0" $val -}}
+{{- end -}}
diff --git a/3.0.59.0/central-services/templates/_helpers.tpl b/3.0.59.0/central-services/templates/_helpers.tpl
new file mode 100644
index 0000000..e87f10f
--- /dev/null
+++ b/3.0.59.0/central-services/templates/_helpers.tpl
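Review bot: `srox.formatStorageSize` only appends the implicit `Gi` unit when the value is all digits, so a fractional size such as `0.5` passes through unchanged and reaches Kubernetes as a plain quantity with no unit rather than half a gibibyte. If fractional gibibytes are meant to be accepted the pattern should be `"^[0-9]+(\\.[0-9]+)?$"`; otherwise the docstring should state that only integer values receive the default unit. The trailing `default "0"` also turns an empty value into a zero-sized claim instead of an error, which is worth either a comment or a `srox.fail`.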
@@ -0,0 +1,68 @@ +{{/* + Misceallaneous helper templates. + */}} + + + + +{{/* + srox.loadFile $ $out $fileName-or-list + + This helper function reads a file. It differs from $.Files.Get in that it also takes + $._rox.meta.fileOverrides into account. Furthermore, it can receive a list of file names, + and will try these files in order. Finally, it indicates whether a file was found via the + $out.found property (as opposed to $.Files.Get, which cannot distinguish between a successful + read of an empty file, and this file not being found). + The file contents will be returned via $out.contents + */}} +{{ define "srox.loadFile" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ $fileNames := index . 2 }} +{{ if not (kindIs "slice" $fileNames) }} + {{ $fileNames = list $fileNames }} +{{ end }} +{{ $contents := index dict "" }} +{{ range $fileName := $fileNames }} + {{ if kindIs "invalid" $contents }} + {{ $contents = index $._rox.meta.fileOverrides $fileName }} + {{ end }} + {{ if kindIs "invalid" $contents }} + {{ range $path, $_ := $.Files.Glob $fileName }} + {{ if kindIs "invalid" $contents }} + {{ $contents = $.Files.Get $path }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ if not (kindIs "invalid" $contents) }} + {{ $_ := set $out "contents" $contents }} +{{ end }} +{{ $_ := set $out "found" (not (kindIs "invalid" $contents)) }} +{{ end }} + + +{{/* + srox.checkGenerated $ $cfgPath + + Checks if the value at configuration path $cfgPath (e.g., "central.adminPassword.value") was + generated. Evaluates to the string "true" if this is the case, and an empty string otherwise. + */}} +{{- define "srox.checkGenerated" -}} +{{- $ := index . 0 -}} +{{- $cfgPath := index . 1 -}} +{{- $genCfg := $._rox._state.generated -}} +{{- $exists := true -}} +{{- range $pathElem := splitList "." 
$cfgPath -}} + {{- if $exists -}} + {{- if hasKey $genCfg $pathElem -}} + {{- $genCfg = index $genCfg $pathElem -}} + {{- else -}} + {{- $exists = false -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $exists -}} +true +{{- end -}} +{{- end -}} diff --git a/3.0.59.0/central-services/templates/_image-pull-secrets.tpl b/3.0.59.0/central-services/templates/_image-pull-secrets.tpl new file mode 100644 index 0000000..217160d --- /dev/null +++ b/3.0.59.0/central-services/templates/_image-pull-secrets.tpl 
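Review bot: `srox.loadFile` dereferences `$._rox.meta.fileOverrides` unconditionally; if `meta` is absent from the merged config the template aborts with a nil-pointer evaluation error rather than falling back to `$.Files` (presumably `internal/config-shape.yaml` always supplies it, which deserves a comment on that line). Go templates in Helm builds of this era do not short-circuit `and`, so any guard must be nested `if`s rather than `and $._rox.meta $._rox.meta.fileOverrides`. In `srox.checkGenerated`, `hasKey` raises a type error when an intermediate path element is a generated leaf string rather than a map; guarding with `{{- if and (kindIs "map" $genCfg) (hasKey $genCfg $pathElem) -}}` is not safe for the same short-circuit reason, so a nested `{{- if kindIs "map" $genCfg -}}` around the `hasKey` check is needed for the helper to return the documented empty string.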
@@ -0,0 +1,86 @@ +{{/* + srox.configureImagePullSecrets $ $cfgName $imagePullSecrets $secretResourceName $defaultSecretNames $namespace + + Configures image pull secrets. + + This function enriches $imagePullSecrets based on the exposed configuration parameters to contain + a list of Kubernetes secret names as `_names` to be used as image pull secrets within the chart + templates. This list contains the following secrets: + + - Secrets referenced via $imagePullSecrets.useExisting. + - Image pull secrets associated with the default service account (if + $imagePullSecrets.useFromDefaultServiceAccount is true). + - $secretResourceName, if $imagePullSecrets.username is set. + - $defaultSecretNames. */}} + +{{ define "srox.configureImagePullSecrets" }} +{{ $ := index . 0 }} +{{ $cfgName := index . 1 }} +{{ $imagePullSecrets := index . 2 }} +{{ $secretResourceName := index . 3 }} +{{ $defaultSecretNames := index . 4 }} +{{ $namespace := index . 5 }} + +{{ $imagePullSecretNames := default list $imagePullSecrets.useExisting }} +{{ if not (kindIs "slice" $imagePullSecretNames) }} + {{ $imagePullSecretNames = regexSplit "\\s*[,;]\\s*" (trim $imagePullSecretNames) -1 }} +{{ end }} +{{ if $imagePullSecrets.useFromDefaultServiceAccount }} + {{ $defaultSA := dict }} + {{ include "srox.safeLookup" (list $ $defaultSA "v1" "ServiceAccount" $namespace "default") }} + {{ if $defaultSA.result }} + {{ range $ips := default list $defaultSA.result.imagePullSecrets }} + {{ if $ips.name }} + {{ $imagePullSecretNames = append $imagePullSecretNames $ips.name }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ $imagePullCreds := dict }} +{{ if $imagePullSecrets._username }} + {{ $imagePullCreds = dict "username" $imagePullSecrets._username "password" $imagePullSecrets._password }} + {{ $imagePullSecretNames = append $imagePullSecretNames $secretResourceName }} +{{ else if $imagePullSecrets._password }} + {{ $msg := printf "Username missing in %q. 
Whenever an image pull password is specified, a username must be specified as well" $cfgName }} + {{ include "srox.fail" $msg }} +{{ end }} +{{ if and $.Release.IsInstall (not $imagePullSecretNames) (not $imagePullSecrets.allowNone) }} + {{ $msg := printf "You have not specified any image pull secrets, and no existing image pull secrets were automatically inferred. If your registry does not need image pull credentials, explicitly set the '%s.allowNone' option to 'true'" $cfgName }} + {{ include "srox.fail" $msg }} +{{ end }} + +{{ $imagePullSecretNames = concat (append $imagePullSecretNames $secretResourceName) $defaultSecretNames | uniq | sortAlpha }} +{{ $_ := set $imagePullSecrets "_names" $imagePullSecretNames }} +{{ $_ := set $imagePullSecrets "_creds" $imagePullCreds }} + +{{ end }} + +{{ define "srox.configureImagePullSecretsForDockerRegistry" }} +{{ $ := index . 0 }} +{{ $imagePullSecrets := index . 1 }} + +{{/* Setup Image Pull Secrets for Docker Registry. + Note: This must happen afterwards, as we rely on "srox.configureImage" to collect the + set of all referenced images first. */}} +{{ if $imagePullSecrets._username }} + {{ $dockerAuths := dict }} + {{ range $image := keys $._rox._state.referencedImages }} + {{ $registry := splitList "/" $image | first }} + {{ if eq $registry "docker.io" }} + {{/* Special case docker.io */}} + {{ $registry = "https://index.docker.io/v1/" }} + {{ else }} + {{ $registry = printf "https://%s" $registry }} + {{ end }} + {{ $_ := set $dockerAuths $registry dict }} + {{ end }} + {{ $authToken := printf "%s:%s" $imagePullSecrets._username $imagePullSecrets._password | b64enc }} + {{ range $regSettings := values $dockerAuths }} + {{ $_ := set $regSettings "auth" $authToken }} + {{ end }} + + {{ $_ := set $imagePullSecrets "_dockerAuths" $dockerAuths }} +{{ end }} + +{{ end }} + 
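Review bot: `srox.configureImagePullSecretsForDockerRegistry` writes the single `username:password` token into `_dockerAuths` for every registry found in `$._rox._state.referencedImages`, so overriding one image to a different host (via `image.registry`, a per-image `registry`, or `fullRef`) causes the credentials meant for the primary registry to be presented to that other host as well. Unless that fan-out is intentional it should be limited to the configured registry, or at minimum called out above the `range`: `{{/* NOTE: the same credentials are sent to every referenced registry; images hosted elsewhere should use a separate pull secret via useExisting. */}}`. Also, the final `concat (append $imagePullSecretNames $secretResourceName) ...` adds `$secretResourceName` to `_names` even when no username was given, so pods will reference a pull secret that is presumably never created in that case (the `00-image-pull-secret.yaml` template is not in view); moving that append under the `if $imagePullSecrets._username` branch, which already does it, avoids the dangling reference.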
diff --git a/3.0.59.0/central-services/templates/_images.tpl b/3.0.59.0/central-services/templates/_images.tpl
new file mode 100644
index 0000000..dced29d
--- /dev/null
+++ b/3.0.59.0/central-services/templates/_images.tpl
@@ -0,0 +1,34 @@
+{{/*
+ srox.configureImage $ $imageCfg
+
+ Configures settings for a single image by augmenting/completing an existing image configuration
+ stanza.
+
+ If $imageCfg.fullRef is empty:
+ First, the image registry is determined by inspecting $imageCfg.registry and, if this is empty,
+ $._rox.image.registry, ultimately defaulting to `docker.io`. The full image ref is then
+ constructed from the registry, $imageCfg.name (must be non-empty), and $imageCfg.tag (may be
+ empty, in which case "latest" is assumed). The result is stored in $imageCfg.fullRef.
+
+ Afterwards (irrespective of the previous check), $imageCfg.fullRef is modified by prepending
+ "docker.io/" if and only if it did not contain a remote yet (i.e., the part before the first "/"
+ did not contain a dot (DNS name) or colon (port)).
+
+ Finally, the resulting $imageCfg.fullRef is stored as a dict entry with value `true` in the
+ $._rox._state.referencedImages dict.
+ */}}
+{{ define "srox.configureImage" }}
+{{ $ := index . 0 }}
+{{ $imageCfg := index . 1 }}
+{{ $imageRef := $imageCfg.fullRef }}
+{{ if not $imageRef }}
+ {{ $imageRef = printf "%s/%s:%s" (coalesce $imageCfg.registry $._rox.image.registry "docker.io") $imageCfg.name (default "latest" $imageCfg.tag) }}
+{{ end }}
+{{ $imageComponents := splitList "/" $imageRef }}
+{{ $firstComponent := index $imageComponents 0 }}
+{{ if or (lt (len $imageComponents) 2) (and (not (contains ":" $firstComponent)) (not (contains "." $firstComponent))) }}
+ {{ $imageRef = printf "docker.io/%s" $imageRef }}
+{{ end }}
+{{ $_ := set $imageCfg "fullRef" $imageRef }}
+{{ $_ = set $._rox._state.referencedImages $imageRef true }}
+{{ end }}
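Review bot: `srox.configureImage` silently falls back to the floating `latest` tag when `$imageCfg.tag` is empty and has no digest field, so the only way to pin an image by content is to hand-write `fullRef`; for the images of a security product that fallback should at least be surfaced. Proposed, before the `printf` in the `if not $imageRef` branch: `{{ if not $imageCfg.tag }}{{ include "srox.warn" (list $ (printf "No tag configured for image %s, using 'latest'." $imageCfg.name)) }}{{ end }}`. The header comment should also state that `fullRef` may carry an `@sha256:` digest, which the `splitList "/"` normalization that follows appears to pass through unchanged.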
diff --git a/3.0.59.0/central-services/templates/_init.tpl b/3.0.59.0/central-services/templates/_init.tpl new file mode 100644 index 0000000..f1b446d --- /dev/null +++ b/3.0.59.0/central-services/templates/_init.tpl 
@@ -0,0 +1,282 @@ +{{/* + srox.init $ + + Initialization template for the internal data structures. + This template is designed to be included in every template file, but will only be executed + once by leveraging state sharing between templates. + */}} +{{ define "srox.init" }} + +{{ $ := . }} + +{{/* + On first(!) instantiation, set up the $._rox structure, containing everything required by + the resource template files. + */}} +{{ if not $._rox }} + +{{/* + Initial Setup + */}} + +{{/* + $rox / ._rox is the dictionary in which _all_ data that is modified by the init logic + is stored. + We ensure that it has the required shape, and then right after merging the user-specified + $.Values, we apply some bootstrap defaults. + */}} +{{ $rox := deepCopy $.Values }} +{{ $_ := set $ "_rox" $rox }} + +{{/* Global state (accessed from sub-templates) */}} +{{ $generatedName := printf "stackrox-generated-%s" (randAlphaNum 6 | lower) }} +{{ $state := dict "customCertGen" false "generated" dict "generatedName" $generatedName "notes" list "warnings" list "referencedImages" dict }} +{{ $_ = set $._rox "_state" $state }} + +{{ $configShape := $.Files.Get "internal/config-shape.yaml" | fromYaml }} +{{ $_ = include "srox.mergeInto" (list $rox $configShape (tpl ($.Files.Get "internal/bootstrap-defaults.yaml.tpl") . | fromYaml)) }} +{{ $_ = set $._rox "_configShape" $configShape }} + +{{/* + General validation. + */}} +{{ if ne $.Release.Namespace "stackrox" }} + {{ if $._rox.allowNonstandardNamespace }} + {{ include "srox.note" (list $ (printf "You have chosen to deploy to namespace '%s'." $.Release.Namespace)) }} + {{ else }} + {{ include "srox.fail" (printf "You have chosen to deploy to namespace '%s', not 'stackrox'. If this was accidental, please re-run helm with the '-n stackrox' option. Otherwise, if you need to deploy into this namespace, set the 'allowNonstandardNamespace' configuration value to true." 
$.Release.Namespace) }} + {{ end }} +{{ end }} + +{{ if ne $.Release.Name $.Chart.Name }} + {{ if $._rox.allowNonstandardReleaseName }} + {{ include "srox.warn" (list $ (printf "You have chosen a release name of '%s', not '%s'. Accompanying scripts and commands in documentation might require adjustments." $.Release.Name $.Chart.Name)) }} + {{ else }} + {{ include "srox.fail" (printf "You have chosen a release name of '%s', not '%s'. We strongly recommend using the standard release name. If you must use a different name, set the 'allowNonstandardReleaseName' configuration option to true." $.Release.Name $.Chart.Name) }} + {{ end }} +{{ end }} + +{{/* + Set prefix for global resources. + */}} +{{ if kindIs "invalid" $._rox.globalPrefix }} + {{ if eq $.Release.Namespace "stackrox" }} + {{ $_ := set $._rox "globalPrefix" "stackrox" }} + {{ else }} + {{ $_ := set $._rox "globalPrefix" (printf "stackrox-%s" (trimPrefix "stackrox-" $.Release.Namespace)) }} + {{ end }} +{{ end }} + +{{ if ne $._rox.globalPrefix "stackrox" }} + {{ include "srox.note" (list $ (printf "Global Kubernetes resources are prefixed with '%s'." $._rox.globalPrefix)) }} +{{ end }} + +{{/* + API Server setup. The problem with `.Capabilities.APIVersions` is that Helm does not + allow setting overrides for those when using `helm template` or `--dry-run`. Thus, + if we rely on `.Capabilities.APIVersions` directly, we lose flexibility for our chart + in these settings. Therefore, we use custom fields such that a user in principle has + the option to inject via `--set`/`-f` everything we rely upon. 
+ */}} +{{ $apiResources := list }} +{{ if not (kindIs "invalid" $._rox.meta.apiServer.overrideAPIResources) }} + {{ $apiResources = $._rox.meta.apiServer.overrideAPIResources }} +{{ else }} + {{ range $apiResource := $.Capabilities.APIVersions }} + {{ $apiResources = append $apiResources $apiResource }} + {{ end }} +{{ end }} +{{ if $._rox.meta.apiServer.extraAPIResources }} + {{ $apiResources = concat $apiResources $._rox.meta.apiServer.extraAPIResources }} +{{ end }} +{{ $apiServerVersion := coalesce $._rox.meta.apiServer.version $.Capabilities.KubeVersion.Version }} +{{ $apiServer := dict "apiResources" $apiResources "version" $apiServerVersion }} +{{ $_ = set $._rox "_apiServer" $apiServer }} + +{{/* + Environment setup - part 1 + */}} +{{ $env := $._rox.env }} + +{{/* Infer OpenShift, if needed */}} +{{ if kindIs "invalid" $env.openshift }} + {{ $_ := set $env "openshift" (has "apps.openshift.io/v1" $._rox._apiServer.apiResources) }} +{{ end }} + +{{/* Infer openshift version */}} +{{ if and $env.openshift (kindIs "bool" $env.openshift) }} + {{/* Parse and add KubeVersion as semver from built-in resources. This is necessary to compare valid integer numbers. */}} + {{ $kubeVersion := semver .Capabilities.KubeVersion.Version }} + + {{/* Default to OpenShift 3 if no openshift resources are available, i.e. in helm template commands */}} + {{ if not (has "apps.openshift.io/v1" $._rox._apiServer.apiResources) }} + {{ $_ := set $._rox.env "openshift" 3 }} + {{ else if gt $kubeVersion.Minor 11 }} + {{ $_ := set $env "openshift" 4 }} + {{ else }} + {{ $_ := set $env "openshift" 3 }} + {{ end }} + {{ include "srox.note" (list $ (printf "Based on API server properties, we have inferred that you are deploying into an OpenShift %d.x cluster. Set the `env.openshift` property explicitly to 3 or 4 to override the auto-sensed value." 
$env.openshift)) }} +{{ end }} +{{ if not (kindIs "bool" $env.openshift) }} + {{ $_ := set $env "openshift" (int $env.openshift) }} +{{ else if not $env.openshift }} + {{ $_ := set $env "openshift" 0 }} +{{ end }} + +{{/* Infer GKE, if needed */}} +{{ if kindIs "invalid" $env.platform }} + {{ $platform := "default" }} + {{ if contains "-gke." $._rox._apiServer.version }} + {{ include "srox.note" (list $ "Based on API server properties, we have inferred that you are deploying into a GKE cluster. Set the `env.platform` property to a concrete value to override the auto-sensed value.") }} + {{ $platform = "gke" }} + {{ end }} + {{ $_ := set $env "platform" $platform }} +{{ end }} + +{{/* Apply defaults */}} +{{ $defaultsCfg := dict }} +{{ $platformCfgFile := dict }} +{{ include "srox.loadFile" (list $ $platformCfgFile (printf "internal/platforms/%s.yaml" $env.platform)) }} +{{ if not $platformCfgFile.found }} + {{ include "srox.fail" (printf "Invalid platform %q. Please select a valid platform, or leave this field unset." $env.platform) }} +{{ end }} +{{ $_ = include "srox.mergeInto" (list $defaultsCfg (fromYaml $platformCfgFile.contents) ($.Files.Get "internal/defaults.yaml" | fromYaml)) }} +{{ $_ = set $rox "_defaults" $defaultsCfg }} +{{ $_ = include "srox.mergeInto" (list $rox $defaultsCfg.defaults) }} + + +{{/* Expand applicable config values */}} +{{ $expandables := $.Files.Get "internal/expandables.yaml" | fromYaml }} +{{ include "srox.expandAll" (list $ $rox $expandables) }} + +{{/* Initial image pull secret setup. + + Always assume that there are `stackrox` and `stackrox-scanner` image pull secrets, + even if they weren't specified. + This is required for updates anyway, so referencing it on first install will minimize a later + diff. 
*/}} +{{ include "srox.configureImagePullSecrets" (list $ "imagePullSecrets" $._rox.imagePullSecrets "stackrox" (list "stackrox" "stackrox-scanner") $.Release.Namespace) }} + +{{/* Global CA setup */}} +{{ $caCertSpec := dict "CN" "StackRox Certificate Authority" "ca" true }} +{{ include "srox.configureCrypto" (list $ "ca" $caCertSpec) }} + +{{/* Additional CAs. */}} +{{ $additionalCAList := list }} +{{ if kindIs "string" $._rox.additionalCAs }} + {{ if trim $._rox.additionalCAs }} + {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $._rox.additionalCAs) }} + {{ end }} +{{ else if kindIs "slice" $._rox.additionalCAs }} + {{ range $contents := $._rox.additionalCAs }} + {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $contents) }} + {{ end }} +{{ else if kindIs "map" $._rox.additionalCAs }} + {{ range $name := keys $._rox.additionalCAs | sortAlpha }} + {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (get $._rox.additionalCAs $name)) }} + {{ end }} +{{ else if not (kindIs "invalid" $._rox.additionalCAs) }} + {{ include "srox.fail" (printf "Invalid kind %s for additionalCAs" (kindOf $._rox.additionalCAs)) }} +{{ end }} +{{ range $path, $contents := .Files.Glob "secrets/additional-cas/**" }} + {{ $name := trimPrefix "secrets/additional-cas/" $path }} + {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (toString $contents)) }} +{{ end }} +{{ $additionalCAs := dict }} +{{ range $idx, $elem := $additionalCAList }} + {{ if not (kindIs "string" $elem.contents) }} + {{ include "srox.fail" (printf "Invalid non-string contents kind %s at index %d (%q) of additionalCAs" (kindOf $elem.contents) $idx $elem.name) }} + {{ end }} + {{/* In a k8s secret, no characters other than alphanumeric, '.', '_' and '-' are allowed. Also, for the + update-ca-certificates script to work, the file names must end in '.crt'. 
*/}} + + {{ $normalizedName := printf "%02d-%s.crt" $idx (regexReplaceAll "[^[:alnum:]._-]" $elem.name "-" | trimSuffix ".crt") }} + {{ $_ := set $additionalCAs $normalizedName $elem.contents }} +{{ end }} +{{ $_ = set $._rox "_additionalCAs" $additionalCAs }} + +{{/* Proxy configuration. + Note: The reason this is different is that unlike the endpoints config, the proxy configuration + might contain sensitive data and thus might _not_ be stored in the always available canonical + values file. However, this is probably rare. Therefore, for this particular instance we do decide + to rely on lookup magic for initially populating the secret with a default proxy config. + However, we won't take any chances, and therefore only create that secret if we can be reasonably + confident that lookup actually works, by trying to lookup the default service account. + */}} +{{ $proxyCfg := $env._proxyConfig }} +{{ $fileOut := dict }} +{{ include "srox.loadFile" (list $ $fileOut "config/proxy-config.yaml") }} +{{ if $fileOut.found }} + {{ if not (kindIs "invalid" $proxyCfg) }} + {{ include "srox.fail" "Both env.proxyConfig was specified, and a config/proxy-config.yaml was found. Please remove/rename the config file, or comment out the env.proxyConfig stanza." }} + {{ end }} + {{ $proxyCfg = $fileOut.contents }} +{{ end }} + +{{/* On first install, create a default proxy config, but only if we can be sure none exists. */}} +{{ if and (kindIs "invalid" $proxyCfg) $.Release.IsInstall }} + {{ $lookupOut := dict }} + {{ include "srox.safeLookup" (list $ $lookupOut "v1" "Secret" $.Release.Namespace "proxy-config") }} + {{ if and $lookupOut.reliable (not $lookupOut.result) }} + {{ $fileOut := dict }} + {{ include "srox.loadFile" (list $ $fileOut "config/proxy-config.yaml.default") }} + {{ $proxyCfg = $fileOut.contents }} + {{ end }} +{{ end }} +{{ $_ = set $env "_proxyConfig" $proxyCfg }} + +{{/* + Central setup. + */}} + + +{{ include "srox.centralSetup" $ }} + + +{{/* + Scanner setup. 
+ */}} + +{{ $scannerCfg := $._rox.scanner }} + +{{ if and $scannerCfg.disable (or $.Release.IsInstall $.Release.IsUpgrade) }} + {{/* We generally don't recommend customers run without scanner, so show a warning to the user */}} + {{ $action := ternary "deploy StackRox Central Services without Scanner" "upgrade StackRox Central Services without Scanner (possibly removing an existing Scanner deployment)" $.Release.IsInstall }} + {{ include "srox.warn" (list $ (printf "You have chosen to %s. Certain features dependent on image scanning might not work." $action)) }} +{{ else if not $scannerCfg.disable }} + {{ include "srox.configureImage" (list $ $scannerCfg.image) }} + {{ include "srox.configureImage" (list $ $scannerCfg.dbImage) }} + + {{ $scannerCertSpec := dict "CN" "SCANNER_SERVICE: Scanner" "dnsBase" "scanner" }} + {{ include "srox.configureCrypto" (list $ "scanner.serviceTLS" $scannerCertSpec) }} + + {{ $scannerDBCertSpec := dict "CN" "SCANNER_DB_SERVICE: Scanner DB" "dnsBase" "scanner-db" }} + {{ include "srox.configureCrypto" (list $ "scanner.dbServiceTLS" $scannerDBCertSpec) }} + + {{ include "srox.configurePassword" (list $ "scanner.dbPassword") }} +{{ end }} + + +{{/* + Post-processing steps. + */}} + + +{{/* Compact the post-processing config to prevent it from appearing non-empty if it doesn't + contain any concrete (leaf) values. */}} +{{ include "srox.compactDict" (list $._rox._state.generated -1) }} + +{{/* Setup Image Pull Secrets for Docker Registry. + Note: This must happen afterwards, as we rely on "srox.configureImage" to collect the + set of all referenced images first. */}} +{{ include "srox.configureImagePullSecretsForDockerRegistry" (list $ ._rox.imagePullSecrets) }} + +{{/* Final warnings based on state. */}} +{{ if $._rox._state.customCertGen }} + {{ include "srox.warn" (list $ "At least one certificate was generated by Helm. Helm limits the generation of custom certificates to RSA private keys, which have poorer computational performance. 
Consider using roxctl for certificate generation of certificates with ECDSA private keys for improved performance. (THIS IS NOT A SECURITY ISSUE)") }} +{{ end }} + +{{ end }} + +{{ end }} diff --git a/3.0.59.0/central-services/templates/_lookup.tpl b/3.0.59.0/central-services/templates/_lookup.tpl new file mode 100644 index 0000000..2dc0aa9 --- /dev/null +++ b/3.0.59.0/central-services/templates/_lookup.tpl 
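Review bot: In the OpenShift inference block the same dict is written through two aliases — `{{ $_ := set $._rox.env "openshift" 3 }}` in the first branch and `{{ $_ := set $env "openshift" 4 }}` / `3` in the others — which reads as if two different settings were involved; `$env` is `$._rox.env`, so the first line should be `{{ $_ := set $env "openshift" 3 }}` like its siblings. The proxy-config block similarly re-declares `{{ $fileOut := dict }}` inside the `if`, shadowing the outer `$fileOut` instead of reusing it, which is legal in Go templates but easy to misread. The API-server setup comment could also state what the code shows: `meta.apiServer.overrideAPIResources` replaces the detected resource set entirely while `extraAPIResources` is appended to it, so users do not expect the override to merge with what the cluster reports.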
@@ -0,0 +1,40 @@
+{{/*
+ srox.safeLookup $ $out $apiVersion $kind $ns $name
+
+ This function does nothing if $.meta.useLookup is false; otherwise, it will
+ perform a `lookup $apiVersion $kind $ns $name` operation and store the result in
+ $out.result.
+
+ Additionally, if a lookup was attempted, $out.reliable will contain a bool indicating
+ whether the result of lookup can be relied upon. This is determined to be the case if
+ the default service account in the release namespace can be found.
+ */}}
+{{ define "srox.safeLookup" }}
+{{ $ := index . 0 }}
+{{ $out := index . 1 }}
+{{ if $._rox.meta.useLookup }}
+ {{ if kindIs "invalid" $._rox._state.lookupWorks }}
+ {{ $testOut := dict }}
+ {{ include "srox._doLookup" (list $ $testOut "v1" "ServiceAccount" $.Release.Namespace "default") }}
+ {{ $_ := set $._rox._state "lookupWorks" ($testOut.result | not | not) }}
+ {{ end }}
+ {{ include "srox._doLookup" . }}
+ {{ $_ := set $out "reliable" $._rox._state.lookupWorks }}
+{{ end }}
+{{ end }}
+
+
+{{/*
+ srox._doLookup $ $out $apiVersion $kind $ns $name
+
+ Calls "lookup" with arguments $apiVersion $kind $ns $name, and stores the result
+ in $out.result.
+
+ This function exists to prevent a parse error if the lookup function isn't defined. It does
+ so by deferring the execution of lookup to a template string instantiated via `tpl`.
+ */}}
+{{ define "srox._doLookup" }}
+{{ $ := index . 0 }}
+{{ $tplArgs := dict "Template" $.Template "out" (index . 1) "apiVersion" (index . 2) "kind" (index . 3) "ns" (index . 4) "name" (index . 5) }}
+{{ $_ := tpl "{{ $_ := set .out \"result\" (lookup .apiVersion .kind .ns .name) }}" $tplArgs }}
+{{ end }}
diff --git a/3.0.59.0/central-services/templates/_metadata.tpl b/3.0.59.0/central-services/templates/_metadata.tpl
new file mode 100644
index 0000000..0a66ae1
--- /dev/null
+++ b/3.0.59.0/central-services/templates/_metadata.tpl
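Review bot: When `$._rox.meta.useLookup` is false, `srox.safeLookup` returns without touching `$out`, so `$out.reliable` stays unset and callers depend on a missing key reading as false (the proxy-config lookup in `srox.init` does exactly that). Adding `{{ else }} {{ $_ := set $out "reliable" false }}` before the outer `{{ end }}` makes the value defined in both branches, which is what the header comment leads a caller to expect. The `($testOut.result | not | not)` expression also deserves a comment such as `{{/* double negation coerces the lookup result to a bool */}}`, since its intent is not obvious on first read.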
@@ -0,0 +1,200 @@ +{{/* + srox.labels $ $objType $objName + + Format labels for $objType/$objName as YAML. + */}} +{{- define "srox.labels" -}} +{{- $labels := dict -}} +{{- $_ := include "srox._labels" (append (prepend . $labels) false) -}} +{{- toYaml $labels -}} +{{- end -}} + +{{/* + srox.podLabels $ $objType $objName + + Format pod labels for $objType/$objName as YAML. + */}} +{{- define "srox.podLabels" -}} +{{- $labels := dict -}} +{{- $_ := include "srox._labels" (append (prepend . $labels) true) -}} +{{- toYaml $labels -}} +{{- end -}} + +{{/* + srox.annotations $ $objType $objName + + Format annotations for $objType/$objName as YAML. + */}} +{{- define "srox.annotations" -}} +{{- $annotations := dict -}} +{{- $_ := include "srox._annotations" (append (prepend . $annotations) false) -}} +{{- toYaml $annotations -}} +{{- end -}} + +{{/* + srox.podAnnotations $ $objType $objName + + Format pod annotations for $objType/$objName as YAML. + */}} +{{- define "srox.podAnnotations" -}} +{{- $annotations := dict -}} +{{- $_ := include "srox._annotations" (append (prepend . $annotations) true) -}} +{{- toYaml $annotations -}} +{{- end -}} + +{{/* + srox.envVars $ $objType $objName $containerName + + Format environment variables for container $containerName in + $objType/$objName as YAML. + */}} +{{- define "srox.envVars" -}} +{{- $envVars := dict -}} +{{- $_ := include "srox._envVars" (prepend . $envVars) -}} +{{- range $k, $v := $envVars -}} +- name: {{ quote $k }} + value: {{ quote $v }} +{{ end -}} +{{- end -}} + +{{/* + srox._labels $labels $ $objType $objName $forPod + + Writes all applicable [pod] labels (including default labels) for $objType/$objName + into $labels. Pod labels are written iff $forPod is true. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.labels". + */}} +{{ define "srox._labels" }} +{{ $labels := index . 0 }} +{{ $ := index . 
1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $forPod := index . 4 }} +{{ $_ := set $labels "app.kubernetes.io/name" "stackrox" }} +{{ $_ = set $labels "app.kubernetes.io/managed-by" $.Release.Service }} +{{ $_ = set $labels "helm.sh/chart" (printf "%s-%s" $.Chart.Name ($.Chart.Version | replace "+" "_")) }} +{{ $_ = set $labels "app.kubernetes.io/instance" $.Release.Name }} +{{ $_ = set $labels "app.kubernetes.io/version" $.Chart.AppVersion }} +{{ $_ = set $labels "app.kubernetes.io/part-of" "stackrox-central-services" }} +{{ $component := regexReplaceAll "^.*/\\d{2}-([a-z]+)-\\d{2}-[^/]+\\.yaml" $.Template.Name "${1}" }} +{{ if not (contains "/" $component) }} + {{ $_ = set $labels "app.kubernetes.io/component" $component }} +{{ end }} +{{ $metadataNames := list "labels" }} +{{ if $forPod }} + {{ $metadataNames = append $metadataNames "podLabels" }} +{{ end }} +{{ include "srox._customizeMetadata" (list $ $labels $objType $objName $metadataNames) }} +{{ end }} + +{{/* + srox._annotations $annotations $ $objType $objName $forPod + + Writes all applicable [pod] annotations (including default annotations) for + $objType/$objName into $annotations. Pod labels are written iff $forPod is true. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.annotations". + */}} +{{ define "srox._annotations" }} +{{ $annotations := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $forPod := index . 
4 }} +{{ $_ := set $annotations "meta.helm.sh/release-namespace" $.Release.Namespace }} +{{ $_ = set $annotations "meta.helm.sh/release-name" $.Release.Name }} +{{ $_ = set $annotations "owner" "stackrox" }} +{{ $_ = set $annotations "email" "support@stackrox.com" }} +{{ $metadataNames := list "annotations" }} +{{ if $forPod }} + {{ $metadataNames = append $metadataNames "podAnnotations" }} +{{ end }} +{{ include "srox._customizeMetadata" (list $ $annotations $objType $objName $metadataNames) }} +{{ end }} + +{{/* + srox._envVars $envVars $ $objType $objName $containerName + + Writes all applicable [pod] labels (including default labels) for $objType/$objName + into $labels. Pod labels are written iff $forPod is true. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.labels". + */}} +{{ define "srox._envVars" }} +{{ $envVars := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $containerName := index . 
4 }} +{{ $metadataNames := list "envVars" }} +{{ include "srox._customizeMetadata" (list $ $envVars $objType $objName $metadataNames) }} +{{ if $containerName }} + {{ $containerKey := printf "/%s" $containerName }} + {{ $envVarsForContainer := index $envVars $containerKey }} + {{ if $envVarsForContainer }} + {{ include "srox.destructiveMergeOverwrite" (list $envVars $envVarsForContainer) }} + {{ end }} +{{ end }} + +{{/* Remove all entries starting with / */}} +{{ range $key, $_ := $envVars }} + {{ if hasPrefix "/" $key }} + {{ $_ := unset $envVars $key }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox._customizeMetadata $ $metadata $objType $objName $metadataNames + + Writes custom key/value metadata to $metadata by consulting all sub-dicts with names in + $metadataNames under the applicable custom metadata locations (._rox.customize, + ._rox.customize.other.$objType/*, ._rox.customize.other.$objType/$objName, and + ._rox.customizer.$objName [workloads only]). Dictionaries are consulted in this order, with + values from dictionaries consulted later overwriting values from dictionaries consulted + earlier. + */}} +{{ define "srox._customizeMetadata" }} +{{ $ := index . 0 }} +{{ $metadata := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $metadataNames := index . 
4 }} + +{{ $overrideDictPaths := list "" (printf "other.%s/*" $objType) (printf "other.%s/%s" $objType $objName) }} +{{ if eq $objType "deployment" }} + {{ $overrideDictPaths = append $overrideDictPaths $objName }} +{{ end }} + +{{ range $dictPath := $overrideDictPaths }} + {{ $customizeDict := $._rox.customize }} + {{ if $dictPath }} + {{ $resolvedOut := dict }} + {{ include "srox.safeDictLookup" (list $._rox.customize $resolvedOut $dictPath) }} + {{ $customizeDict = $resolvedOut.result }} + {{ end }} + {{ if $customizeDict }} + {{ range $metadataName := $metadataNames }} + {{ $customMetadata := index $customizeDict $metadataName }} + {{ include "srox.destructiveMergeOverwrite" (list $metadata $customMetadata) }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} + +{{/* Add namespace specific prefixes for global resources to avoid resource name clashes for multi-namespace deployments. */}} +{{- define "srox.globalResourceName" -}} +{{- $ := index . 0 -}} +{{- $name := index . 1 -}} +{{- if eq $.Release.Namespace "stackrox" -}} + {{- /* Standard namespace, use resource name as is. */ -}} + {{- $name -}} +{{- else -}} + {{- /* Add global prefix to resource name. */ -}} + {{- printf "%s-%s" $._rox.globalPrefix (trimPrefix "stackrox-" $name) -}} +{{- end -}} +{{- end -}} diff --git a/3.0.59.0/central-services/templates/_reporting.tpl b/3.0.59.0/central-services/templates/_reporting.tpl new file mode 100644 index 0000000..621e284 --- /dev/null +++ b/3.0.59.0/central-services/templates/_reporting.tpl 
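Review bot: The header comment of `srox._envVars` is copied from `srox._labels` — it refers to `$labels` and `$forPod`, neither of which this template has — and the `srox._annotations` comment says "Pod labels are written iff $forPod is true" where it means pod annotations. I would replace the `srox._envVars` description with a sentence stating that it collects the `envVars` customization for $objType/$objName into $envVars, then overlays the entries of the `/$containerName` sub-dict when $containerName is given and finally strips every key starting with `/`, which is what the body does. For `srox._annotations`, `Pod annotations are written iff $forPod is true.` is the one-word fix.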
@@ -0,0 +1,34 @@
+{{/*
+ srox.fail $message
+
+ Print a nicely-formatted fatal error message and exit.
+ */}}
+{{ define "srox.fail" }}
+{{ printf "\n\nFATAL ERROR:\n%s" . | wrap 100 | fail }}
+{{ end }}
+
+{{/*
+ srox.warn $ $message
+
+ Add $message to the list of encountered warnings.
+ */}}
+{{ define "srox.warn" }}
+{{ $ := index . 0 }}
+{{ $msg := index . 1 }}
+{{ $warnings := $._rox._state.warnings }}
+{{ $warnings = append $warnings $msg }}
+{{ $_ := set $._rox._state "warnings" $warnings }}
+{{ end }}
+
+{{/*
+ srox.note $ $message
+
+ Add $message to the list notes that will be shown to the user after installation/upgrade.
+ */}}
+{{ define "srox.note" }}
+{{ $ := index . 0 }}
+{{ $msg := index . 1 }}
+{{ $notes := $._rox._state.notes }}
+{{ $notes = append $notes $msg }}
+{{ $_ := set $._rox._state "notes" $notes }}
+{{ end }}
diff --git a/3.0.59.0/central-services/values-private.yaml.example b/3.0.59.0/central-services/values-private.yaml.example
new file mode 100644
index 0000000..b5be309
--- /dev/null
+++ b/3.0.59.0/central-services/values-private.yaml.example
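Review bot: `srox.fail` takes the bare message as its context while `srox.warn` and `srox.note` take `(list $ $message)`, and none of the three header comments points this out; since all of them are called side by side in `srox.init`, the asymmetry is an easy source of a malformed call, and a list passed to `srox.fail` would presumably be rendered in Go's list representation rather than as the intended text. A one-line addition to the `srox.fail` header, `Note: unlike srox.warn/srox.note, this template is invoked with the message string directly, not with (list $ $message).`, would make the contract explicit. The `srox.note` header also has a small typo: `list notes` should read `list of notes`.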
@@ -0,0 +1,157 @@ +# StackRox Kubernetes Security Platform - Central Services Chart +# PRIVATE configuration file. +# +# This file contains sensitive values relevant for the deployment of the +# StackRox Kubernetes Platform Central Services components. +# +# Apart from image pull secrets (see below), all the values in this file are +# optional or can be automatically generated at deployment time. +# Moreover, this file does not need to be provided (e.g., via `-f`) to a `helm upgrade` +# command, even if custom values are used - the previously set values +# will simply be preserved. +# +# The following values typically require user input, as they cannot be automatically generated +# (though each of them can be omitted): +# - `imagePullSecrets.username` and `imagePullSecrets.password` +# - `env.proxyConfig` +# - `central.defaultTLS` +# +# If you do choose to use this file (either by manually filling in values, or by +# generating it via the `roxctl central generate` command family), you must store +# it in a safe and secure place, such as a secrets management system. +# + +# # BEGIN CONFIGURATION VALUES SECTION + +# # Image pull credentials. If you do not specify these, you need to specify one of +# # the following: +# # - `imagePullSecrets.allowNone=true`: in case your registry allows pulling images without +# # credentials. +# # - `imagePullSecrets.useExisting="secret1;secret2;..."`: in case you have pre-existing image +# # pull secrets with the given name already created in the target namespace. +# # - `imagePullSecrets.useFromDefaultServiceAccount=true`: in case the default service account +# # in the target namespace is configured with sufficiently scoped image pull secrets. +# # If you do not know if any of the above applies to your situation, your best course of +# # action is probably to enter your image pull credentials here. +# imagePullSecrets: +# username: +# password: +# +# # Proxy configuration. 
This will only be required if you are running in an environment +# # where internet access is not possible by default. +# # Since this configuration may contain a proxy password, it is treated as a sensitive +# # piece of configuration. +# # The following example is a stripped-down one. For a full documentation, see the file +# # `config/proxy-config.yaml.default` that is shipped with this chart. +# env: +# proxyConfig: | +# url: http://proxy.name:port +# username: username +# password: password +# excludes: +# - some.domain +# +# +# # TLS Certificate Configuration. +# # Most of the following values are not typically required to be populated manually. You can +# # either omit them, in which case they will be auto-generated upon initial installation, +# # or they are populated when you invoke `roxctl central generate` to generate deployment +# # files. +# +# # Certificate Authority (CA) certificate for TLS certificates used internally +# # by StackRox services. +# ca: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# +# # Secret configuration options for the StackRox Central deployment. +# central: +# # Private key to use for signing JSON web tokens (JWTs), which are used +# # for authentication. Omit to auto-generate (initial deployment) or use existing +# # (upgrade). +# jwtSigner: +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# # Internal "central.stackrox" service TLS certificate for the Central deployment. +# # Omit to auto-generate (initial deployment) or use existing (upgrade). +# serviceTLS: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# +# # Default (user-facing) TLS certificate. +# # NOTE: In contrast to almost all other configuration options, this IS expected +# # to be manually populated. 
While any existing default TLS certificate secret +# # will be re-used on upgrade if this is omitted, nothing will be created on +# # initial deployment if this is not populated. +# defaultTLS: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# +# # Administrator password for logging in to the StackRox portal. +# # You can either specify a plaintext password here, or an htpasswd file with a +# # bcrypt-encrypted password. +# # If you omit this setting, a password will be automatically generated upon initial +# # installation, and the existing administrator password secret will be re-used upon +# # upgrades. +# adminPassword: +# # The plaintext value of the administrator password. If you specify a password here, +# # you must omit the `htpasswd` setting. +# value: +# # The htpasswd contents of the administrator login credentials. If you specify a +# # value here, you must omit the `value` setting. +# # The password hash MUST be bcrypt. +# htpasswd: | +# admin: +# +# # Secret configuration options for the StackRox Central deployment. +# scanner: +# # The password to be used for authenticating database access. This is not user-relevant +# # and only serves to properly secure the database with a pre-shared secret. If this +# # setting is omitted, a password will be automatically generated upon initial deployment, +# # and the existing password will be used upon upgrades. +# dbPassword: +# value: +# +# # Internal "scanner.stackrox" service TLS certificate for the Scanner deployment. +# # Omit to auto-generate (initial deployment) or use existing (upgrade). +# serviceTLS: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# +# # Internal "scanner-db.stackrox" service TLS certificate for the Scanner DB deployment. 
+# # Omit to auto-generate (initial deployment) or use existing (upgrade). +# dbServiceTLS: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- diff --git a/3.0.59.0/central-services/values-public.yaml.example b/3.0.59.0/central-services/values-public.yaml.example new file mode 100644 index 0000000..66e8044 --- /dev/null +++ b/3.0.59.0/central-services/values-public.yaml.example 
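Review bot: The comment introducing the `scanner:` section reads `# # Secret configuration options for the StackRox Central deployment.`, duplicated verbatim from the `central:` section above; it should read `# # Secret configuration options for the StackRox Scanner deployment.`. Since this file is the one users copy and fill in, the misleading heading makes it easy to put Scanner secrets under the wrong key. The Central section's own heading is correct and needs no change.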
@@ -0,0 +1,381 @@ +# StackRox Kubernetes Security Platform - Central Services Chart +# PUBLIC configuration file. +# +# This file contains general configuration values relevant for the deployment of the +# StackRox Kubernetes Platform Central Services components, which do not contain or reference +# sensitive data. This file can and should be stored in a source code management system +# and should be referenced on each `helm upgrade`. +# +# Most of the values in this file are optional, and you only should need to make modifications +# if the default deployment configuration is not sufficient for you for whatever reason. +# The most notable exception is the `imagePullSecrets` section, which needs to be configured +# according to the registry access in your environment. +# +# Other than that, the following are sections that are the most likely to require custom +# configuration: +# - `image.registry`: if you are pulling images from a registry other than `stackrox.io`. +# - `env.offlineMode`: if you want to run StackRox in offline mode. +# - `central.disableTelemetry`: if you want to opt out of the transmission of telemetry and +# diagnostic data. +# - `central.endpointsConfig`: if you want to expose additional endpoints (such as endpoints +# without TLS) in Central. +# - `central.resources`: if the default resource configuration for Central is not adequate +# for your environment. +# - `central.persistence`: for configuring where Central stores its database volume. +# + +# # BEGIN CONFIGURATION VALUES SECTION + +# imagePullSecrets: +# # allowNone=true indicates that no image pull secrets are required to be configured +# # upon initial deployment. Use this setting if you are using a cluster-private registry +# # that does not require authentication. +# allowNone: false +# +# # useExisting specifies a list of existing Kubernetes image pull secrets in the target +# # namespace that should be used for trying to pull StackRox images. 
Use this if you have +# # your custom way of injecting image pull secrets. +# useExisting: +# - secret1 +# - secret2 +# +# # useFromDefaultServiceAccount=true will instruct the deployment logic to use any +# # image pull secrets referenced by the default service account in the target namespace. +# # This is a common way to grant namespace-wide access to a Docker image registry. +# # This behavior is the default, set the value to `false` if you do not want this. +# useFromDefaultServiceAccount: true +# +# image: +# # The registry relative to which all image references are resolved, if no more +# # specify registry is specified for the workloads (see `central.image`, `scanner.image`, +# # and `scanner.dbImage` below). +# # This can be just a registry hostname such as `stackrox.io`, or a registry hostname with +# # a "remote" component such as `us.gcr.io/my-stackrox-mirror`. +# registry: stackrox.io +# +# env: +# # Treat the environment as an OpenShift cluster. Leave this unset to use auto-detection +# # based on available API resources on the server. +# # Set it to true to auto-detect the OpenShift version, otherwise set it explicitly. +# # Possible values: null, false, true, 3, 4 +# openshift: false +# +# # Whether the target cluster is an Istio-enabled cluster. If you deploy via `helm install`, +# # this can typically be determined automatically, so we recommend to not set a value here. +# # Set to true or false explicitly to override the auto-sensing logic only. +# istio: false +# +# # The "platform" of the target cluster into which StackRox is being deployed. This can +# # be the name of an infrastructure provider or product, and will tailor the StackRox +# # deployment to the respective target environment. Currently, the only supported platforms +# # are "default" and "gke". +# # If you deploy via `helm install`, the environment can typically be determined automatically, +# # choose a fixed value here only if you want to override the auto-sensing logic. 
+# platform: default +# +# # offlineMode=true instructs StackRox to not attempt any outgoing connections to the +# # internet. Use this in air-gapped environments, where it's important that workloads do +# # not even try to make outbound connections. Defaults to `false` when omitted. +# offlineMode: false +# +# # Additional certificate authorities (CAs) to trust, besides system roots. +# # Use this setting if Central or Scanner need to reach out to services that use certificates +# # issued by an authority in your organization, but are NOT globally trusted. In these cases, +# # specify the root CA certificate of your organization. +# additionalCAs: +# acme-labs-ca.crt: | +# -----BEGIN CERTIFICATE----- +# [... base64 (PEM) encoded certificate data ...] +# -----END CERTIFICATE----- +# +# # Public configuration options for the StackRox Central deployment. +# central: +# # disableTelemetry=true will opt out of transmitting telemetry data to StackRox. +# # This only has an effect upon initial deployment. +# disableTelemetry: false +# +# # General configuration options for the Central deployment. +# # See the `config/central/config.yaml.default` file that is shipped with this chart +# # for a fully documented version. +# config: | +# maintenance: +# safeMode: false +# compaction: +# enabled: true +# bucketFillFraction: .5 +# freeFractionThreshold: 0.75 +# # Configuration option for rolling back to a previous version after an upgrade has been completed. +# # Default to none. +# # By default, the user may initiate a rollback if upgrade fails before Central has started. +# # Users may rollback to their previous version once Central has started, but this may result in data loss, +# # so users must explicitly specify the version they are rolling back to in order to acknowledge the effects. +# forceRollbackVersion: 3.0.58.0 +# +# # Additional endpoints configuration for the Central deployment. 
+# # See the `config/central/endpoints.yaml.default` file that is shipped with this chart +# # for a fully documented version. +# endpointsConfig: | +# endpoints: +# - listen: ":8080" +# protocols: +# - http +# tls: +# disable: true +# +# # If you want to use a monitoring solution such as Prometheus, set the following value to +# # "true" to make a /metrics endpoint for Central available on port 9090. +# exposeMonitoring: true +# +# # If you want to enforce StackRox Central to only run on certain nodes, you can specify +# # a node selector here to make sure Central can only be scheduled on Nodes with the +# # given label. This is particular relevant for the "hostPath" persistence type. +# nodeSelector: +# # This can contain arbitrary `label-key: label-value` pairs. +# role: stackrox-central +# +# # Configures the Central image to be used. Most users will only need to configure a +# # custom registry (if any) at the global scope, and do not require any settings here. +# image: +# # A custom registry that will override the global `image.registry` setting for the +# # Central image. +# registry: us.gcr.io/stackrox-central-repo +# +# # A custom image name that will override the default `main`. +# name: custom-main +# +# # A custom image tag that will override the default tag based on the current +# # StackRox version. +# # IMPORTANT: If you set a value here, you will lose the ability to simply upgrade +# # by running `helm upgrade` against a more recent chart version. You MUST increment +# # the version referenced in this tag for every upgrade. It is therefore strongly +# # recommended that if you choose to mirror StackRox images in your own registry, +# # you preserve all image tags as-is. +# tag: custom-version +# +# # A full image name override that will be used as-is for the StackRox Central image. +# # This is only required in very rare circumstances, and its use is strongly discouraged. 
+# # If set, all other image-related values will be ignored for the StackRox Central image. +# # The following example value lists the full image ref that would be constructed from +# # the above components. +# fullRef: "us.gcr.io/stackrox-central-repo/custom-main:custom-version" +# +# # Custom resource overrides for the Central deployment. Use this if your environment is +# # very large or very small, and the default resource configuration does not provide +# # satisfactory performance. +# resources: +# requests: +# memory: "4Gi" +# cpu: "1500m" +# limits: +# memory: "8Gi" +# cpu: "4000m" +# +# # Persistence configuration for the StackRox database volume. +# # Exactly ONE of the nested values should be specified. If none is specified, +# # the StackRox deployment will be configured with the default PVC-based persistence. +# persistence: +# # The path on the node where to store the StackRox database volume +# # when using host path persistence. +# hostPath: /var/lib/stackrox +# +# # The persistent volume claim details when storing the StackRox database +# # on a persistent volume managed by a Kubernetes persistent volume claim (PVC). +# persistentVolumeClaim: +# # The name of the claim. This defaults to stackrox-db if not set. +# claimName: stackrox-db +# +# # Whether to create the claim upon deployment. The default is true; set this to false +# # if you have a pre-existing persistent volume claim that you want to use. +# createClaim: true +# +# # The size of the persistent volume managed by the claim, in Gigabytes (or with an +# # explicit unit, such as "1Ti"). Defaults to 100Gi. +# size: 100 +# +# # If you want to bind a preexisting persistent volume, you can specify it here. +# volume: +# volumeSpec: +# # The section includes volume type specific config, the volume type can be: +# # gcePersistentDisk, hostpath, filestore(nfs) etc. +# gcePersistentDisk: +# # Type specific parameters. The specified persistent volume should have +# # been created. 
+# pdName: gke-pv +# +# # Configuration for exposing the StackRox Central deployment for external access. +# # Generally, only ONE of the nested values should be specified. If none is specified, +# # the Central deployment will not be exposed, and you must either manually expose it, +# # or access it via port-forwarding. +# exposure: +# # Exposure via a Kubernetes LoadBalancer service. +# loadBalancer: +# enabled: true +# # The port on which to expose StackRox Central. Defaults to 443. +# port: 443 +# # The static IP to assign to the load balancer. Defaults to dynamic. +# ip: 10.0.0.0 +# +# # Exposure via a Kubernetes NodePort service. +# nodePort: +# enabled: true +# # The port on the node under which to expose the service. Omit this for +# # letting Kubernetes automatically select a node port (recommended). +# port: 32000 +# +# # Exposure via an OpenShift route. Only available for OpenShift clusters +# route: +# enabled: true +# +# # Additional volume mounts for the Central container. Only few people will require this. +# extraMounts: +# - name: my-configmap # the name of the volume +# # The source of the volume. This will be embedded as-is in the `volume:` section of the +# # pod spec. +# source: +# configMap: +# name: my-configmap +# # The mount point of the volume. This will be embedded as-is in the `volumeMounts:` section +# # of the pod spec. +# mount: +# mountPath: /etc/my-config-data +# +# # Public configuration options for the StackRox Scanner. +# scanner: +# # disable=true will cause the StackRox Kubernetes Security Platform to be +# # deployed without the StackRox Scanner, meaning that certain functionalities +# # may not be available. If this setting is changed prior to a `helm upgrade` +# # invocation, the existing StackRox scanner deployment will be removed. +# disable: false +# +# # The number of replicas for the Scanner deployment. If autoscaling is enabled (see below), +# # this determines the initial number of replicas. 
+# replicas: 3 +# +# # The log level for the scanner deployment. This typically does not need to be changed. +# logLevel: INFO +# +# # If you want to enforce StackRox Scanner to only run on certain nodes, you can specify +# # a node selector here to make sure Scanner can only be scheduled on Nodes with the +# # given label. +# nodeSelector: +# # This can contain arbitrary `label-key: label-value` pairs. +# role: stackrox-scanner +# +# +# # If you want to enforce StackRox Scanner DB to only run on certain nodes, you can specify +# # a node selector here to make sure Scanner DB can only be scheduled on Nodes with the +# # given label. +# dbNodeSelector: +# # This can contain arbitrary `label-key: label-value` pairs. +# role: stackrox-scanner-db +# +# # Configuration for autoscaling the Scanner deployment. +# autoscaling: +# # disable=true causes autoscaling to be disabled. All other settings in this section +# # will have no effect. +# disable: false +# # The minimum number of replicas for autoscaling. The following value is the default. +# minReplicas: 2 +# # The maximum number of replicas for autoscaling. The following value is the default. +# maxReplicas: 5 +# +# # Custom resource overrides for the Scanner deployment. +# resources: +# requests: +# memory: "1500Mi" +# cpu: "1000m" +# limits: +# memory: "3000Mi" +# cpu: "2000m" +# +# # Custom resource overrides for the Scanner DB deployment. +# dbResources: +# limits: +# cpu: "2000m" +# memory: "4Gi" +# requests: +# cpu: "200m" +# memory: "200Mi" +# +# # Custom configuration of the image to be used for the Scanner deployment. +# # See `central.image` for a full example. +# image: +# registry: us.gcr.io/stackrox-scanner-repo +# name: scanner # "scanner" is the default +# +# dbImage: +# registry: us.gcr.io/stackrox-scanner-db-repo +# name: scanner-db # "scanner-db" is the default +# +# +# # Customization Settings. 
+# # The following allows specifying custom Kubernetes metadata (labels and annotations) +# # for all objects instantiated by this Helm chart, as well as additional pod labels, +# # pod annotations, and container environment variables for workloads. +# # The configuration is hierarchical, in the sense that metadata that is defined at a more +# # generic scope (e.g., for all objects) can be overridden by metadata defined at a narrower +# # scope (e.g., only for the central deployment). +# customize: +# # Extra metadata for all objects. +# labels: +# my-label-key: my-label-value +# annotations: +# my-annotation-key: my-annotation-value +# +# # Extra pod metadata for all objects (only has an effect for workloads, i.e., deployments). +# podLabels: +# my-pod-label-key: my-pod-label-value +# podAnnotations: +# my-pod-annotation-key: my-pod-annotation-value +# +# # Extra environment variables for all containers in all objects. +# envVars: +# MY_ENV_VAR_NAME: MY_ENV_VAR_VALUE +# +# # Extra metadata for the central deployment only. +# central: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the scanner deployment only. +# scanner: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the scanner-db deployment only. +# scanner-db: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for all other objects. The keys in the following map can be +# # an object name of the form "service/central-loadbalancer", or a reference to all +# # objects of a given type in the form "service/*". The values under each key +# # are the five metadata overrides (labels, annotations, podLabels, podAnnotations, envVars) +# # as specified above, though only the first two will be relevant for non-workload +# # object types. 
+# other:
+# "service/*":
+# labels: {}
+# annotations: {}
+#
+# # EXPERT SETTINGS
+# # The following settings should only be changed if you know very well what you are doing.
+# # The scenarios in which these are required are generally not supported.
+#
+# # Set allowNonstandardNamespace=true if you are deploying into a namespace other than
+# # "stackrox". This has been observed to work in some case, but is not generally supported.
+# allowNonstandardNamespace: false
+#
+# # Set allowNonstandardReleaseName=true if you are deploying with a release name other than
+# # the default "stackrox-central-services". This has been observed to work in some cases,
+# # but is not generally supported.
+# allowNonstandardReleaseName: false
diff --git a/3.0.59.0/central-services/values.yaml b/3.0.59.0/central-services/values.yaml
new file mode 100644
index 0000000..7031fc6
--- /dev/null
+++ b/3.0.59.0/central-services/values.yaml
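Review bot: The `central.endpointsConfig` example enables a plaintext listener (`listen: ":8080"` together with `tls: disable: true`) without saying what that implies: whatever Central serves on that port, including the portal login and API tokens, crosses the wire unencrypted, and the file's own preamble advertises this example as "endpoints without TLS". I would put a caveat directly above the example: `# # NOTE: an endpoint with TLS disabled transmits the admin password and API tokens in the clear.` / `# # Only bind one behind a TLS-terminating proxy or sidecar on the pod network, and never expose it` / `# # through the loadBalancer/nodePort/route settings below.` The `exposeMonitoring` comment should likewise state whether the /metrics endpoint on port 9090 requires authentication, which the hunk leaves open. Separately, the `loadBalancer.ip: 10.0.0.0` example is a network address rather than a host address, so a placeholder such as `ip: 10.0.0.10` would mislead fewer readers copying it.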
@@ -0,0 +1,292 @@ +## StackRox Central chart default settings file. +## +## This file includes the default settings for the StackRox Central chart. +## It serves as a form of documentation for all the possible settings that a +## user can override are. HOWEVER, if you want to override some settings, DO NOT +## create a copy of this file to be used as a baseline, or modify it in place. +## Instead, create a file that contains only those settings you want to override, +## and pass it to helm or roxctl via the `-f` parameter. +## +## For example, if you want to disable the deployment of scanner, create a file +## `values-override.yaml` (or any name you choose) with the following contents: +## +## scanner: +## disable: true +## +## and then invoke helm by passing `-f values-override.yaml` to +## `helm install`/`helm upgrade`. +## +## Alternatively, if you want to override just a few values, you can set them directly +## via the `--set` command, e.g., +## $ helm install --set scanner.disable=true ... +## +## Note that an arbitrary number of `-f` and `--set` parameters can be combined. It is +## generally a good practice to store secret data such as the admin password separate from +## non-sensitive configuration data. +## +# +## Configuration for image pull secrets. +## These should usually be set via the command line when running `helm install`, e.g., +## helm install --set imagePullSecrets.username=myuser --set imagePullSecrets.password=mypass, +## or be stored in a separate YAML-encoded secrets file. +#imagePullSecrets: +# # Username and password to be used for pulling images. +# # These should usually be set via the command line when running `helm install`, e.g., +# # helm install --set imagePullSecrets.username=myuser --set imagePullSecrets.password=mypass, +# # or be stored in a separate YAML-encoded secrets file. +# username: null +# password: null +# +# # If no image pull secrets are provided, an installation would usually fail. 
In order to +# # prevent it from failing, this option must explicitly be set to true. +# allowNone: false +# +# # If there exist available image pull secrets in the cluster that are managed separately, +# # set this value to the list of the respective secret names. While it is recommended to +# # record the secret names in a persisted YAML file, providing a single string containing +# # a comma-delimited list of secret names is also supported, for easier interaction with +# # --set. +# useExisting: [] +# +# # Whether to import any secrets from the default service account existing in the StackRox +# # namespace. The default service account often contains "standard" image pull secrets that +# # should be used by default for image pulls, hence this defaults to true. Only has an effect +# # if server-side lookups are enabled. +# useFromDefaultServiceAccount: true +# +## Common settings for all image properties +#image: +# # The image registry to use. Unless overridden in the more specific configs, this +# # determines the base registry for each image referenced in this config file. +# registry: stackrox.io +# +## Settings regarding the installation environment +#env: +# # Treat the environment as an OpenShift cluster. Leave this unset to use auto-detection +# # based on available API resources on the server. +# # Possible values: null, false, true, 3, 4 +# openshift: null +# +# # Treat the environment as Istio-enabled. Leave this unset to use auto-detection based on +# # available API resources on the server. +# # Possible values: null, false, true +# istio: null +# +# # The cloud provider platform where the target Kubernetes cluster is running. Leave this +# # unset to use auto-detection based on the Kubernetes version. +# # Possible values: null, "default", "gke" +# platform: null +# +# # Whether to run StackRox in offline mode. When run in offline mode, no connections to external +# # endpoints will be made. 
+# offlineMode: false +# +# # The proxy configuration for Central and Scanner, specified either as an embedded YAML +# # directionary, or as an (expandable) string. +# proxyConfig: null +# +# +## Settings for the StackRox Service CA certificates. +## If `cert` and `key` are both set (it is an error to set only one of the two), the corresponding +## values are used as the PEM-encoded certificate and private key for the internal Service CA. +## If they are left unspecified, they are generated under the following conditions: +## - `generate` is explicitly set to true, or +## - `generate` is unset (null), and the Helm chart is being freshly installed (as opposed to being +## upgraded). +#ca: +# cert: null +# key: null +# generate: null +# + +## Additional CA certificates to trust, besides system roots +## If specified, this should be a map mapping file names to PEM-encoded contents. +#additionalCAs: null +# +#central: +# +# # Indicates whether telemetry data collection should be disabled. This defaults to true +# # in offline mode, and false otherwise. Only has an effect upon the first installation. +# disableTelemetry: null +# +# +# config: "@config/central/config.yaml|config/central/config.yaml.default" +# +# endpointsConfig: "@config/central/endpoints.yaml|config/central/endpoints.yaml.default" +# +# +# nodeSelector: null +# +# jwtSigner: +# key: null +# generate: null +# +# # Settings for the internal service-to-service TLS certificate used by central. +# # See the documentation for `ca` at the top level for an explanation. 
+# serviceTLS: +# cert: null +# key: null +# generate: null +# +# defaultTLS: +# cert: null +# key: null +# +# image: +# registry: null +# name: main +# tag: 3.0.48.x-121-g337915cd3d +# fullRef: null +# +# adminPassword: +# value: null +# generate: null +# htpasswd: null +# +# resources: +# requests: +# memory: "4Gi" +# cpu: "1500m" +# limits: +# memory: "8Gi" +# cpu: "4000m" +# +# persistence: +# hostPath: null +# persistentVolumeClaim: +# claimName: null +# createClaim: null +# storageClass: null +# size: null +# none: null +# +# +# exposure: +# +# # LoadBalancer configuration. +# # Disabled by default. +# # Default port is 443. +# loadBalancer: +# enabled: null +# port: null +# ip: null +# +# # NodePort configuration. +# # Disabled by default. +# nodePort: +# enabled: null +# port: null +# +# # Route configuration. +# # Disabled by default. +# route: +# enabled: null +# +# +## Configuration options relating to StackRox Scanner. +#scanner: +# # If this is set to true, StackRox will be deployed without scanner. No other setting in this +# # section will have any effect. +# disable: false +# +# # Default number of scanner replicas created upon startup. The actual number might be higher +# # or lower if autoscaling is enabled (see below). +# replicas: 3 +# +# logLevel: INFO +# +# # Settings related to autoscaling the scanner deployment. +# autoscaling: +# # If true, autoscaling will be disabled. None of the other settings in this section will +# # have any effect. +# disable: false +# minReplicas: 1 +# maxReplicas: 5 +# +# # Resource settings for the scanner deployment. +# resources: +# requests: +# memory: "1500Mi" +# cpu: "1000m" +# limits: +# memory: "3000Mi" +# cpu: "2000m" +# +# image: +# registry: null +# name: scanner +# tag: 2.3.2 +# fullRef: null +# +# dbImage: +# registry: null +# name: scanner-db +# tag: 2.3.2 +# fullRef: null +# +# # Resource settings for the scanner-db deployment. 
+# dbResources: +# limits: +# cpu: 2 +# memory: 4Gi +# requests: +# cpu: 200m +# memory: 200Mi +# +# # The admin password setting for communication with scanner's DB. +# # When a value is set explicitly, this is always used, even on upgrade. +# # Otherwise, a password will be automatically generated if `generate` is set to true, +# # or left unset (null) and the Helm chart is being installed (as upposed to upgraded). +# dbPassword: +# value: null +# generate: null +# +# # Settings for the internal service-to-service TLS certificate used by scanner. +# # See the documentation for `ca` at the top level for an explanation. +# serviceTLS: +# cert: null +# key: null +# generate: null +# +# # Settings for the internal service-to-service TLS certificate used by scanner-db. +# # See the documentation for `ca` at the top level for an explanation. +# dbServiceTLS: +# cert: null +# key: null +# generate: null +# +## EXPERT SETTINGS. You usually do not need to touch those. +# +## If set to true, allow deploying in a namespace other than "stackrox". This is unsupported, so +## use at your own risk. +#allowNonstandardNamespace: false +# +## If set to true, allow a release name other than "stackrox-central-services". There are no issues +## with that, but for streamlining purposes, we want to encourage all users to stick with the +## default name, and make it a little harder to deviate from that. +#allowNonstandardReleaseName: false +# +#meta: +# # This controls whether the built-in `lookup` function will be used. If you see an error +# # about there being no function `lookup`, set this to `false` (might be required on Helm +# # versions before 3.1). +# useLookup: true +# +# # This is a dictionary from file names to contents that can be used to inject files that +# # would usually be included via .Files.Get into the chart rendering. +# fileOverrides: {} +# +# # This configuration section allows overriding settings that would be inferred from the +# # running API server. 
+# apiServer:
+# # The Kubernetes version running on the API server. This is used for auto-detection
+# # of the platform.
+# version: null
+# # The list of available API resources on the server, in the form of "apps/v1" or
+# # "apps/v1/Deployment". This is used to detect environment capabilities.
+# overrideAPIResources: null
+# # A list of extra API resources that should be assumed to exist on the API server. This
+# # can be used in conjunction with both data obtained from the API server, or data set
+# # via `overrideAPIResources`.
+# extraAPIResources: []
+#
diff --git a/3.0.59.0/secured-cluster-services/.helmignore b/3.0.59.0/secured-cluster-services/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/3.0.59.0/secured-cluster-services/Chart.yaml b/3.0.59.0/secured-cluster-services/Chart.yaml
new file mode 100644
index 0000000..eb97574
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: stackrox-secured-cluster-services
+icon: https://www.stackrox.com/img/logo.svg
+description: Helm Chart for StackRox Secured Clusters
+type: application
+version: 59.0.0
+appVersion: 3.0.59.0
diff --git a/3.0.59.0/secured-cluster-services/README.md b/3.0.59.0/secured-cluster-services/README.md
new file mode 100644
index 0000000..39624a9
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/README.md
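Review bot: The header comment and the `imagePullSecrets` block both recommend passing registry credentials as `--set imagePullSecrets.username=myuser --set imagePullSecrets.password=mypass`; on a shared host that writes the password into shell history and makes it readable by anyone who can list processes while helm runs. The separate secrets file the same comment mentions only as an alternative should be the primary recommendation, e.g. `# # Prefer -f image-pull-secrets.yaml (kept out of version control) over --set, which leaks the` / `# # password into shell history and the process list.` The documented default `central.image.tag: 3.0.48.x-121-g337915cd3d` looks like a stale git-describe build tag in a chart published as 3.0.59.0 (the scanner images are pinned to `2.3.2` by comparison); the header says this file is documentation rather than the rendered defaults, so it presumably is not what gets deployed, but a documented default that cannot exist in the registry will confuse anyone mirroring images. Also `directionary` and `as upposed to` are typos in the `proxyConfig` and `dbPassword` comments.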
@@ -0,0 +1,487 @@
+
+# StackRox Kubernetes Security Platform - Secured Cluster Services Helm Chart
+
+This Helm chart allows you to deploy the necessary services on a StackRox
+secured cluster: StackRox Sensor, StackRox Collector, and StackRox Admission
+Control.
+
+**PLEASE NOTE:** This Helm chart supersedes the `sensor` Helm chart shipped for previous
+versions of the StackRox Kubernetes Security Platform. If you have previously used the
+`sensor` chart, see the [sensor-chart-upgrade.md](sensor-chart-upgrade.md) document in this
+directory for instructions on how to upgrade.
+
+## Prerequisites
+
+To deploy the secured cluster services for the StackRox Kubernetes Security Platform, you must:
+- Have at least version 3.1 of the Helm tool installed on your machine
+- Have credentials for the `stackrox.io` registry or the other image registry
+ you use.
+
+> **IMPORTANT**
+>
+> We publish new Helm charts with every new release of the StackRox Kubernetes
+> Security Platform. Make sure to use a version of this chart that matches the
+> StackRox Kubernetes Security Platform version you have installed.
+
+## Add the canonical chart location as a Helm repository
+
+The canonical repository for StackRox Helm charts is https://charts.stackrox.io.
+To use StackRox Helm charts, run the following command:
+```sh
+helm repo add stackrox https://charts.stackrox.io
+```
+Only run this command once per machine on which you want to use StackRox Helm
+charts.
+
+Before you deploy or upgrade a chart from a remote repository, you must
+run the following command:
+```sh
+helm repo update
+```
+
+## Install Secured Cluster Services
+
+Installing a new StackRox secured cluster requires a *cluster init bundle*. You
+can generate a **cluster init bundle** by using the `roxctl` CLI or the StackRox
+portal. You can use the same bundle to set up multiple StackRox secured
+clusters by providing it as an input to the `helm install` command.
+
+> **NOTE**:
+>
+> - The following sections assume that you have a safe way to pass secrets to
+> the helm command.
+> - If not, you can decouple secret creation from installing or upgrading the
+> Helm chart, see [Deployment with pre-created secrets](#deployment-with-pre-created-secrets) for more information.
+
+### Generate cluster init bundle
+
+To generate a **cluster init bundle** by using the `roxctl` CLI, make sure that
+you are running the StackRox Kubernetes Security Platform and the `roxctl` CLI
+version 3.0.55 or newer.
+
+Run the following command to generate a **cluster init bundle**:
+```sh
+roxctl central init-bundles generate --output cluster-init-bundle.yaml
+```
+
+- This command creates a **cluster init bundle** called
+ `cluster-init-bundle.yaml`.
+- Make sure that you store this bundle securely as it contains secrets. You can
+ use the same bundle to set up multiple StackRox secured clusters.
+
+### Deploy Secured Cluster Services
+
+You can use the following command to deploy secured cluster services by using
+this Helm chart:
+```sh
+helm install -n stackrox --create-namespace \
+ stackrox-secured-cluster-services stackrox/secured-cluster-services \
+ -f \
+ --set clusterName= \
+ --set centralEndpoint=
+```
+- In this command, you can replace the chart name
+ `stackrox/secured-cluster-services` with the chart's file path if you have it
+ locally.
+- The provided cluster name can either denote the intended name for a new secured cluster
+ or the name of an existing cluster, in which case the name will be reused and associated
+ with the Kubernetes cluster on which the chart is installed.
+
+To access StackRox Docker images, you also need image pull credentials.
While
+installing, you can inject the required credentials (if any) by using one of the
+following ways:
+
+#### Specify username and password
+
+Pass the following arguments to the `helm install` command if you are using the
+images from the default registry (`stackrox.io`) or a registry that supports
+authentication by using username and password:
+
+```sh
+--set imagePullSecrets.username= --set imagePullSecrets.password=
+```
+
+#### Use pre-existing image pull secrets
+If you already created one or multiple image pull secrets in the namespace in
+which you are deploying, you can reference these secrets as follows:
+
+```sh
+--set imagePullSecrets.useExisting="pull-secret-name1;pull-secret-name2"
+```
+
+#### Skip image pull secrets
+When you are pulling the images from a registry in a private network that does
+not require authentication, or if you've already configured the namespace's (in
+which you are deploying) default service account with the appropriate image pull
+secrets. In that case, you do not need to specify any additional image pull
+secrets. To disable image pull secrets, pass the following arguments to the
+`helm install` command:
+
+```sh
+--set imagePullSecrets.allowNone=true
+```
+
+After you deploy the StackRox Kubernetes Security Platform Secured Cluster
+Services using the `helm install` command, you will see informative notes and
+warnings related to the installation. The new cluster automatically registers
+itself to StackRox Central, and it is visible in the StackRox portal as a
+Helm-managed cluster. If the provided cluster name is already associated with
+an existing secured cluster, the name will be reused and associated with the
+cluster on which the chart is installed.
+
+### Applying custom configuration options
+
+The secured cluster services Helm chart has many different configuration
+options. You can directly specify these options when you run the `helm install`
+command for simple use cases.
+
+However, we recommend storing your configuration in a file and using that file
+for future upgrades or reconfiguration using the `helm upgrade` command.
+
+#### Specifying options with `--set` parameter
+
+You can use the `--set` and `--set-file` parameter with the `helm install`
+command to specify various options to customize deployments quickly. However,
+don't use them for specifying complex configurations.
+
+For example,
+- **Configure cluster environment**:
+ ```sh
+ --set env.openshift=true
+ ```
+- **Configure collection method**:
+ ```sh
+ --set collector.collectionMethod=EBPF
+ ```
+
+#### Using configuration YAML files and the `-f` command-line option
+
+We recommended that you store all custom configuration options in persisted files.
+
+The Secured Cluster Services Helm chart contains example configuration files
+(called `values-public.yaml.example` and `values-private.yaml.example`), that list
+all the available configuration options, along with documentation.
+
+The following sample configuration file (`secured-cluster.yaml`) uses a few of
+the options which you can configure:
+- **`values-public.yaml`:**
+ ```yaml
+ clusterName: "acme-cluster-01"
+ centralEndpoint: "central.acme-labs.internal"
+
+ env:
+ istio: true # enable istio support
+
+ sensor:
+ # Use custom resource overrides for sensor
+ resources:
+ requests:
+ cpu: "1"
+ memory: "1Gi"
+ limits:
+ cpu: "2"
+ memory: "4Gi"
+
+ admissionControl:
+ dynamic:
+ disableBypass: true # Disable bypassing of Admission Controller
+
+ customize:
+ # Apply the important-service=true label for all objects managed by this chart.
+ labels:
+ important-service: true
+ # Set the CLUSTER=important-cluster environment variable for all containers in the
+ # collector deployment:
+ collector:
+ envVars:
+ CLUSTER: important-cluster
+ ```
+- **`values-private.yaml`**:
+ ```yaml
+ imagePullSecrets:
+ username:
+ password:
+ ```
+
+After you have created these YAML files, you can inject the configuration options into the
+installation process via the `-f` flag, i.e., by appending the following options to the
+`helm install` invocation:
+```sh
+helm install ... -f values-public.yaml -f values-private.yaml
+```
+
+#### Changing configuration options after deployment
+
+To make changes to the configuration of an existing deployment of the StackRox
+Secured Cluster Services:
+1. Change the configuration options in your YAML configuration file(s).
+1. Use the `-f` option and specify the configuration file's path when you
+ run the `helm upgrade` command.
+
+For example, to apply configuration changes for the secured cluster, use the following command:
+```sh
+helm upgrade -n stackrox \
+ stackrox-secured-cluster-services stackrox/secured-cluster-services \
+ --reuse-values \
+ -f values-public.yaml \
+ -f values-private.yaml
+```
+
+You can also specify configuration values using the `--set` or `--set-file`
+parameters. However, these options aren't saved, and you'll have to specify all
+the options again manually.
+
+#### Changing cluster name after deployment
+
+To change the name of the cluster shown in the StackRox portal, you must specify
+values for both the `--clusterName` and the `--confirmNewClusterName` options:
+
+```sh
+helm upgrade -n stackrox stackrox-secured-cluster-services --clusterName= --confirmNewClusterName=
+```
+
+> **NOTE:**
+>
+> When you change the cluster name:
+> - The StackRox Kubernetes Security Platform either creates a new cluster or
+> reuses an existing cluster if a cluster with the same name already exists.
+> - The StackRox Kubernetes Security Platform doesn't rename the old cluster.
+> The old cluster still shows up in the StackRox portal, but it doesn't
+> receive any data. You must remove the old cluster if you don't want to see
+> it in the StackRox portal.
+
+### Configuration
+
+The following table lists some common configuration parameters of this Helm
+chart and their default values:
+
+|Parameter |Description | Default value |
+|:---------|:-----------|:--------------|
+|`clusterName`| Name of your cluster. | |
+|`confirmNewClusterName`| You don't need to change this unless you upgrade and change the value for `clusterName`. In this case, set it to the new value of `clusterName`. This option exists to prevent you from [accidentally creating a new cluster with a different name](#changing-cluster-after-deployment). | `null` |
+|`centralEndpoint`| Address of the Central endpoint, including the port number (without a trailing slash). If you are using a non-gRPC capable LoadBalancer, use the WebSocket protocol by prefixing the endpoint address with `wss://`. |`central.stackrox:443` |
+|`additionalCAs`| Use it to add (named) PEM-encoded CA certificates for Sensor. | `{}` |
+|`imagePullSecrets.username`| Specify username for accessing image registry. |`null`|
+|`imagePullSecrets.password`| Specify password for accessing image registry. |`null`|
+|`imagePullSecrets.useExisting`| Specify existing Kubernetes image pull secrets that should be used for trying to pull StackRox images. |`[]`|
+|`imagePullSecrets.useFromDefaultServiceAccount`| This setting controls whether image pull secrets from a default service account in the target namespace should be used for image pulls. |`true`|
+|`imagePullSecrets.useExisting`| Specify existing Kubernetes image pull secrets that should be used for trying to pull StackRox images. |`[]`|
+|`imagePullSecrets.allowNone`| Enabling this setting indicates that no image pull secrets are required to be configured upon initial deployment.
Use this setting if you are using a cluster-private registry that does not require authentication. |`false`|
+|`image.main.name`|Repository from which to download the main image. |`main` |
+|`image.collector.name`|Repository from which to download the collector image. |`collector` |
+|`image.main.registry`| Address of the registry you are using for main image.|`stackrox.io` |
+|`image.collector.registry`| Address of the registry you are using for collector image.|`collector.stackrox.io` |
+|`sensor.endpoint`| Address of the Sensor endpoint including port number. No trailing slash.|`sensor.stackrox:443` |
+|`collector.collectionMethod`|Either `EBPF`, `KERNEL_MODULE`, or `NO_COLLECTION`. |`KERNEL_MODULE` |
+|`collector.disableTaintTolerations`|If you specify `false`, tolerations are applied to collector, and the collector pods can schedule onto all nodes with taints. If you specify it as `true`, no tolerations are applied, and the collector pods won't scheduled onto nodes with taints. |`false` |
+|`collector.slimMode`| Specify `true` if you want to use a slim Collector image for deploying Collector. Using slim Collector images requires Central to provide the matching kernel module or eBPF probe. If you are running the StackRox Kubernetes Security Platform in offline mode, you must download a kernel support package from [stackrox.io](https://install.stackrox.io/collector/support-packages/index.html) and upload it to Central for slim Collectors to function. Otherwise, you must ensure that Central can access the online probe repository hosted at https://collector-modules.stackrox.io/.|`false` |
+|`admissionControl.listenOnCreates`| This setting controls whether the cluster is configured to contact the StackRox Kubernetes Security Platform with `AdmissionReview` requests for `create` events on Kubernetes objects.
|`false` |
+|`admissionControl.listenOnUpdates`|This setting controls whether the cluster is configured to contact the StackRox Kubernetes Security Platform with `AdmissionReview` requests for `update` events on Kubernetes objects.|`false` |
+|`admissionControl.listenOnEvents`|This setting controls whether the cluster is configured to contact the StackRox Kubernetes Security Platform with `AdmissionReview` requests for `update` Kubernetes events like `exec` and `portforward`.|`false` on OpenShift, `true` otherwise.|
+|`admissionControl.dynamic.enforceOnCreates`| It controls whether the StackRox Kubernetes Security Platform evaluates policies; if it’s disabled, all `AdmissionReview` requests are automatically accepted. You must specify `listenOnCreates` as `true` for this to work. |`false` |
+|`admissionControl.dynamic.enforceOnUpdates`| It controls whether the StackRox Kubernetes Security Platform evaluates policies for object updates; if it’s disabled, all `AdmissionReview` requests are automatically accepted. You must specify `listenOnUpdates` as `true` for this to work. |`false`|
+|`admissionControl.dynamic.scanInline`| |`false` |
+|`admissionControl.dynamic.disableBypass`|Set it to `true` to disable [bypassing the admission controller](https://help.stackrox.com/docs/manage-security-policies/use-admission-controller-enforcement/). |`false` |
+|`admissionControl.dynamic.timeout`|The maximum time in seconds, the StackRox Kubernetes Security Platform should wait while evaluating admission review requests. Use it to set request timeouts when you enable image scanning. If the image scan runs longer than the specified time, the StackRox Kubernetes Security Platform accepts the request. Other enforcement options, such as scaling the deployment to zero replicas, are still applied later if the image violates applicable policies.|`3` |
+|`registryOverride`|Use this parameter to override the default `docker.io` registry.
Specify the name of your registry if you are using some other registry.| |
+|`createUpgraderServiceAccount`| Specify `true` to create the `sensor-upgrader` account. By default, the StackRox Kubernetes Security Platform creates a service account called `sensor-upgrader` in each secured cluster. This account is highly privileged but is only used during upgrades. If you don’t create this account, you will have to complete future upgrades manually if the Sensor doesn’t have enough permissions. See [Enable automatic upgrades for secured clusters](https://help.stackrox.com/docs/configure-stackrox/enable-automatic-upgrades/) for more information.|`false` |
+|`createSecrets`| Specify `false` to skip the orchestrator secret creation for the sensor, collector, and admission controller. | `true` |
+|`customize`|Modern interface for specifying custom metadata for resources, including labels, annotations and environment variables. See below for more information.|`{}`|
+
+The following table lists some advanced parameters, and you'll only need them in
+non-standard environments:
+
+|Parameter |Description | Default value |
+|:---------|:-----------|:--------------|
+|`image.main.tag`| Tag of `main` image to use.|`null` |
+|`image.collector.tag`| Tag of `collector` image to use.| `null` |
+|`image.main.pullPolicy`| Image pull policy for `main` images.|`IfNotPresent`|
+|`image.collector.pullPolicy`| Image pull policy for `collector` images.| `IfNotPresent` if `slimCollector` is enabled, `Always` otherwise.|
+|`sensor.resources`|Resource specification for Sensor.|See below.|
+|`collector.resources`|Resource specification for Collector.|See below.|
+|`collector.complianceResources`|Resource specification for Collector's Compliance container.|See below.|
+|`collector.nodeSelector` | Node selector for Collector pods placement.
| `null` (no placement constraints) |
+|`admissionControl.resources`|Resource specification for Admission Control.|See below.|
+|`sensor.imagePullPolicy`| Kubernetes image pull policy for Sensor. | `IfNotPresent` |
+|`sensor.nodeSelector` | Node selector for Sensor pod placement. | `null` (no placement constraints) |
+|`collector.imagePullPolicy`| Kubernetes image pull policy for Sensor. | `Always` when deploying in slim mode, otherwise `IfNotPresent`. |
+|`collector.complianceImagePullPolicy`| Kubernetes image pull policy for Sensor. | `IfNotPresent` |
+|`admissionControl.imagePullPolicy`| Kubernetes image pull policy for Admission Control. | `IfNotPresent` |
+|`admissionControl.nodeSelector` | Node selector for Admission Control pods placement. | `null` (no placement constraints) |
+|`exposeMonitoring`| This setting controls whether the monitoring port (TCP 9090) should be exposed on the services. | `false` |
+|`env.openshift`| The StackRox Kubernetes Security Platform automatically detects the OpenShift version (`3.x` or `4.x`). Use this parameter to override the automatically detected version number, for example `4`. | `null` |
+|`env.istio`| This setting can be used for overwriting the auto-sensing of Istio environments. If enabled, the cluster is set up for an Istio environment. | Auto-sensed, depends on environment. |
+
+### Default resources
+
+Each container's default resource settings are defined in the
+`internal/defaults.yaml` file in this chart.
The following table lists the YAML
+paths to the respective defaults for each container that this chart deploys:
+
+|Container |Path in `internal/defaults.yaml` |
+|:----------------|:---------------------------------------|
+|Sensor |`defaults.sensor.resources` |
+|Collector |`defaults.collector.resources` |
+|Compliance |`defaults.collector.complianceResources`|
+|Admission Control|`defaults.admissionControl.resources` |
+
+### Customization settings
+
+The `customize` setting allows specifying custom Kubernetes metadata (labels and
+annotations) for all objects created by this Helm chart and additional pod
+labels, pod annotations, and container environment variables for workloads.
+
+The configuration is hierarchical, in the sense that metadata defined at a more
+generic scope (for example, for all objects) can be overridden by metadata
+defined at a narrower scope (for example, only for the sensor deployment).
+
+For example:
+
+```
+customize:
+ # Extra metadata for all objects.
+ labels:
+ my-label-key: my-label-value
+ annotations:
+ my-annotation-key: my-annotation-value
+ # Extra pod metadata for all objects (only has an effect for workloads, i.e., deployments and daemonsets).
+ podLabels:
+ my-pod-label-key: my-pod-label-value
+ podAnnotations:
+ my-pod-annotation-key: my-pod-annotation-value
+ # Extra environment variables for all containers in all workloads.
+ envVars:
+ MY_ENV_VAR_NAME: MY_ENV_VAR_VALUE
+ # Extra metadata for the central deployment only.
+ sensor:
+ labels: {}
+ annotations: {}
+ podLabels: {}
+ podAnnotations: {}
+ envVars: {}
+ # Extra metadata for the collector deployment only.
+ collector:
+ labels: {}
+ annotations: {}
+ podLabels: {}
+ podAnnotations: {}
+ envVars: {}
+ # Extra metadata for the admission-control deployment only.
+ admission-control:
+ labels: {}
+ annotations: {}
+ podLabels: {}
+ podAnnotations: {}
+ envVars: {}
+ # Extra metadata for all other objects.
The keys in the following map can be
+ # an object name of the form "service/sensor", or a reference to all
+ # objects of a given type in the form "service/*". The values under each key
+ # are the five metadata overrides (labels, annotations, podLabels, podAnnotations, envVars)
+ # as specified above, though only the first two will be relevant for non-workload
+ # object types.
+ other:
+ "service/*":
+ labels: {}
+ annotations: {}
+```
+
+## Deployment with pre-created secrets
+
+The init bundle that you pass to the `helm` command using the `-f` flag creates
+Kubernetes secrets for TLS certificates. If you don't want Helm to manage your
+Kubernetes secrets, you can deploy the Secured Cluster Services chart without
+creating secrets. However, it requires that you always specify the StackRox CA
+certificate while installing or upgrading the Helm chart. This certificate
+doesn't need to be kept secret.
+
+1. **Obtain the CA certificate configuration** either through the StackRox
+ portal or by using the `roxctl` CLI.
+ - **StackRox portal**:
+ 1. Navigate to **Platform Configuration** > **Integrations**.
+ 1. Under the **Authentication Tokens** section, select **Cluster Init Bundle**.
+ 1. Select **Get CA Config** on the top right to download the configuration
+ file called `ca-config.yaml`.
+ - **`roxctl CLI**:
+ 1. Run the following command:
+ ```sh
+ roxctl central init-bundles fetch-ca --output ca-config.yaml
+ ```
+ This command writes the CA certificate configuration in a file called
+ `ca-config.yaml`.
+1. **Use the CA certificate configuration in your Helm installation**. When you
+ run the `helm install` or the `helm upgrade` command,
+ pass the option `-f ca-config.yaml`:
+ ```sh
+ helm install -n stackrox stackrox-secured-cluster-services stackrox/secured-cluster-services \
+ -f ca-config.yaml \
+
+ ```
+1. **Disable TLS secret creation**.
To prevent Helm from creating Kubernetes
+ secrets for the StackRox service certificates, set the `createSecrets` option
+ to `false`. You can either specify `createSecrets` option in a YAML
+ configuration file (such as `values-public.yaml`) or pass it to the `helm`
+ command by adding the `--set createSecrets=false` option.
+
+### Required Kubernetes secrets
+
+The following list contains the Kubernetes `Secret` objects that you need to
+create in the `stackrox` namespace (or the custom namespace you are using) if
+you configure the Helm chart to not create TLS certificate secrets.
+
+- `sensor-tls` with data:
+ - `ca.pem`: PEM-encoded StackRox CA certificate
+ - `sensor-cert.pem`: PEM-encoded StackRox Sensor certificate
+ - `sensor-key.pem`: PEM-encoded private key for the StackRox Sensor certificate
+- `collector-tls` with data:
+ - `ca.pem`: PEM-encoded StackRox CA certificate
+ - `collector-cert.pem`: PEM-encoded StackRox Collector certificate
+ - `collector-key.pem`: PEM-encoded private key for the StackRox Collector certificate
+- `admission-control-tls` with data:
+ - `ca.pem`: PEM-encoded StackRox CA certificate
+ - `admission-control-cert.pem`: PEM-encoded StackRox Admission Control certificate
+ - `admission-control-key.pem`: PEM-encoded private key for the StackRox Admision Control certificate
+
+#### Obtaining secrets for an existing cluster
+
+If you upgrade from a previous Helm chart, you can create certificates specific
+to a particular cluster by using the following `roxctl` CLI command:
+
+```sh
+export ROX_API_TOKEN=
+roxctl -e sensor generate-certs
+```
+Running this command create a file called `cluster--tls.yaml` in
+the current directory. The file contains YAML manifests for the
+[required Kubernetes secrets](#required-kubernetes-secrets).
+
+#### Obtaining secrets for an init bundle
+
+If you want to deploy multiple clusters using this Helm chart and want to create
+certificates that can be used to register new clusters on-the-fly, you can
+obtain the contents of an init bundle in the form of Kubernetes secrets. You can
+use the StackRox portal or the `roxctl` CLI for this.
+
+- **Using the StackRox portal**:
+ 1. Navigate to **Platform Configuration** > **Integrations**.
+ 1. Under the **Authentication Tokens** section, select **Cluster Init Bundle**.
+ 1. Select the add **+** icon on the top left and enter a name for the new init
+ bundle.
+ 1. Select **Generate**.
+ 1. Select **Download Kubernetes Secrets File** at the bottom to save the
+ Kubernetes manifests to a file called
+ `-cluster-init-secrets.yaml`.
+- **Using the `roxctl` CLI**:
+ 1. run the following command:
+ ```sh
+ roxctl central init-bundles generate --output-secrets cluster-init-secrets.yaml
+ ```
+ This command stores the Kubernetes secret manifests for the cluster init
+ certificates in a file called `cluster-init-secrets.yaml`.
+
+You can then use the YAML file to generate secrets through any method that you like, for example, using Sealed Secrets.
+
+> **NOTE**
+>
+> Even when you use the certificates from an init bundle, you still need to
+> specify the CA certificate configuration every time you install or upgrade the
+> Helm chart.
diff --git a/3.0.59.0/secured-cluster-services/assets/icon.png b/3.0.59.0/secured-cluster-services/assets/icon.png new file mode 100644 index 0000000000000000000000000000000000000000..3c136e3990a7382e8742c9079028abe00697c82c GIT binary patch literal 13406 zcmcJ0WmFtZx9$w??(PI91a}V-T!IYl4uiY9Yk=SuT!Kq*cL)~TU4#3b_dDN_b=JE7 z?wz%Ix_j3y>*}h#>v?uZDl2|QMIu51005}6GLov0^YA|h0uf(`Kj9?-66ecpN3IKo?9RLsz0suTgL;;5YfGaxyaBK(w@TUU+_>Ng^DuR#%L`NBI zX8-^h`=0{{$jl-D0HBbq)U{l+6u$7AIM}fonK~Gov3l4!LbL$@K@Wb&rJb3J5rv1H zt-Uk9hY;1jH25Lc|A^VBDE_75Vk1PQrJzh9;Q%(H;9})uWv3EGqM)D<1e==kt4d1$ zJ3Hh~h|1E%#gU(l&E4Id)%_Ez1K5J?BOf0h8#@OZ2L}s8gT>j?-o?m+#on3vKMMKJ zawN^1O~6);E>;fq6#tZKWbEMTB1A>?PeuRr`;T_ISegHKP4>?J?iQqjZ2zRNePm^4 z`>(PgSq1-*@~fITJJ`DZQ@n<~m5VTk;J=jrxA?zn`;S}_4t9=UGiPT=HsO!|&hkHH z|65-PY-I-N-#^v-m;V2h{cn9`O9vMR$g>7pnaJ9^n1Lac{X6%6Ht_$h@$a$(+5UN4 z|Ksuf$JqQ!3K<+>Btf?S8fal8bScJU0N~>w8s_U9GWue3P0 zQj!?Ouwi&GN9RrL16nq9CTBW}ZhGE}=jV9sxX>`r%Ay!=2kQdY9$&5u!)CpO9bU)L zJ~^DX-+L?NI;(u7mQEFoPykZHF-xOp#SqjId^GMh?hhD<07hf}zZ90wsH>~rY)N23 z<5Ay=A4BhG#W2FEPW}EwCg{@}Fd$=>Fgon>%XWT0EUgY9<3h+0YW-1?fB;(4Ozimf z`zhB+lZ_Ujh$K^Yi0UjLZ>i`WHuS~>(&ACnvePVg-KKM!vpGV_b}u^2DpD*WZOP__ zSc&12g>3j-gx|*9s`N!*=WDl9VcU~G*c7)4CyplJFr;ILa3zVE<|@*6hzNgbw61xe z@d|%N2Fv)pJwt~pd4`~f%7o~I0lv-FbtlYnM9zPMP=-u-)ra|0s;#HHI8$rDGCk_5Uk~+5AM5-hdti`LRpG-LpRS)3}Fnj=I zPe>F4dTnRM%GaBBz}NN8iPyurfdCDA8NGHV_oZ}g1U{-=)S#MH*UB(e!K;ikOd}n9 zR=xMbVoGSuj0DCfiom&SZ}cGr{fGo6aZ(@^i|vl6Ggbs+PUfDV%^TxjT{=1NckpMW zl1UJfhxqV>D9(>~O58FA0@c-G6GFWq_VLkQ&)+Mv;)!)pw9G`0kLqvuq8IYsA1QZd zXSpZ4S#yxMCZhBuL*03O@BR+4pc2;Nh%=r^?QfeAE7vPeM?r>;KvgC~+NvyoQPfmk zg+!d}w>cYAvI*{01n|TpU~cTIgJ$*X0sL>vkW*LY+TS24R$A#)2E0(aY^+2#fOrmJ zMh&i!JolfH1*2$S#T=u#*+Jz-!`O5kwzylSdE!3tN7#t8*A8=YfoZP$5?pV74*E@Jx_ zijJ?1IdIznDF6nO@Q^k;YCz?_{aTalO78VtHZysWafZ!;U4;orWP*VBEgp;B=QB09 z%H^%h0=59>(?9;>T(#tGdBh<^$)+%vo*6 z)tjkxyaLH_4h3q3Y=PG$x?XD2?sj+2#%Qa2B|=qL*wD{$*{BhOQIzw7OG_W?A~j-; zgW`j*D!b^?@{0L<%t=~(ZqvrU)wCKMTv85jG+*$Wu3^@HF?1NDi9uyfZtG;#YgK8l 
zl)14IM_Ra>`!hD9C%u*arBGCBphWZIEz@phlIm2TeB;k(2P14`OHuwFX0KJbFnjq?cZrQ`5~<8Df0P`?W4X) zL2$Ai5iC>@U?ZxCy|unCCYWaq^cKEAtT9q9g+=DXi9#anLBQ=It|P z6iu|(yU}roRhODR6cbFPlizX=PX;~d=yO~~>mm?uZUCHASXq=x4pi~LS zfStnjv*LqwMhn zCROx!x&~xHck{0rI(9c&J2J2FbU8c zLtBHq@HcmQtmvv>xa+_3-*Ii;q^qbzB^K)NlV@&ciKFc^hOxB{iXn< zZnB%&eyjM->)c<4xAg~XDMO~~U2MEAH!({6hA|GW7$%-Zok#>oUfgvw$1$%DT{Ke~ z+e7#c_2L~9;@ja{mR`ve#O}(RYc}Gz80A|D+vW#9TSVtDea|F(7p!HaDP#}Tw_5`H zGdP@&3WugrB#;*V_8&zj>iPAkYVkxY%vJCbh`Ko+553RA=QvGA94*?fs%*NjL~`c{ z<%$=?-pMcpgoGK3#!&|=>rRnr|CtBDsyhb`D2&GH-iO6y%J%x`8xr#u3pn+xJ;%#YiO(kVz9YY9w>vhqfsm+^u=~ z`7qeW8aTTyeYL+M;l-?kxuI5=#`t#Ew>FH;msNhwNTHsr0^2r_9(gUBUQXpiIf zz2i9OQ|630;kiJ4+vBN}e}(@{yd}mdHx&ugoCH+}K?bP^rvJCo^__3!RUTTEq!Y`S zwsR$DyTR!Tz!4z%gqkh)=~HU>V}My40Z+JOT%Z|UX$~Q<4%EmkWHb0xCT*Kf)SGKMAMp!5j&g2t`Bz2ToU>E9 zQXe^t_JMHM>h@Bc$0P05EJj5P$5cKnzkYiTb$p=JK zA)gl)r0PC6>X~e5;?!}(yoq$lN?_&u2UHc*M6Y6AJkNuXdY2;dg=rFjH1#B2xY%&_ zDzBs6Qe_DgTJi`-=XZQie|v`7OYpjT8R!`BFUS?UaI!bTUKv%KA4hoL4^1htqG3B-_YBi_>Zsq@iLYN=; zf!P~o4ElyTEujsZER6~6B9Mnig;0{Z%-Syu8@T{AiiR`ra2f$6?td); zCwVKyY<^4{G^4=}s;zH2`I78o_bfI;oR{ot#Yde^zvM>qHExB~SUr&1#&pLv+D#G? 
zd;5d=Qv5~4O)nnXiYRhssuXcOI3Oc%9W_QFI-tVeT!10&oj z7wdm)5d_5;?+3HF#E9 z6WvsUamdv;q1q1&n@-1{Cf7viUsXp@r(I)CcVKlMIH$vuhwAaG86ESY4Z6lARyt2G z?6O}|Rnm2k@_>n#CsqA^J~d_aX+l0X>aFA=Y;6AbZzlF)uMoSWQ}#(LSVjU<(4@i2n&IgyQfn3>F^kN2M@RMc5 zn~0`u(){l-=(SI_7;!a6a6LICBixKl9kcb6A2a+tgJF4W$4_l|&KcuL`o7aE8N?iM zN8#auXQWxU#G>?<_f@p|p2sh?c79}GAMC*6*(ZmS=$b?;3Fgl|gJ1Xc>`@Q9?#Tq< z>SkB@HOD~HA>5&VZ1GOXI0C#PAD|GFqi1436Ci%BMpX%pAl~u&U^ezHVTlreb?WE1 zz)6FSd`HG`B{=%Z@& z8r_Vv#Z3k}>UEjQ<;bs0?V$qlS1j+?VzjMt^(~e8>vH#tza63kM=)~0P;Lec&)cF& ziB8Vd)&qo7K`j|drhFqtR?-~)3Uvz2?X~XCx`iTHg8>)=Y$Bpr)G*3Wx)@%+V{x(k z7k2Wl(gaCjy?L#07G#B!$aR=Tj5*RoIFiqsz( zZct1K@}+!6#pxRIrCipyF}(_4mIWi$L#|^Roz9`m4O@LoUQk@H_Uo@uh$CJfIv{m4 z1qIK&hL`R9V5KAa)q5wsrYtvBUu$tir*v2T(J;RI5GA8sqWgDF z%12ScASSy7z{##N!E7mBhr|}t$j0g`gZLug{Kj}p%=C@3zXQpG(b@sB&wajfzD{W` zQOy<16}Etls*n+&U^e1yh8JcubaM04+D5pkC!e57I$4=xkA3M- zz!4di`gYu37TrBw`jgF6yo^VF^p<(yvf6NiAfgD&*I4)EaoPP(`GlEtT<#CE@poUA za$?aaBokDbbfx-C)^W2)1JouL4GtFd)YIds+m*oR23I-tIS{OQAQ4CV9cgM(n8Q!- zvgb{y2?5+D_O2Iq{A^>C*e#T$6S4u({{G&x6slNka5oipWu@d!`|DJEm>CihQt@*5 zEIuKd0h{hGST1zv%~^iiX>fUt{0IpetlIIzkld+1LpdWCvIb#!#9}wG8~b=;nrbe_ zQ?q+bPqOLSUOFlTy%tL>m|&#4N%XR5zBg*LIK(`Ol>Pi^GKJZC{;~UY8CBpo zBe>GVQqmercBV2@PYpLUtgh55;p>tpV`s%6x1%%x2sO`%?T}9Z@YhgkyW%^z1;Za28h=QW<&=@n# z14J?59+F+#z>Y(mb?+Wbvv)Y@=K&rLhQCyyp;zk56gmR!Kx$mB+3M|?QbqaLwJ-4@ zCNqEFS>WeUZH)<8*zs}d&!qzc>tsE*@t$eF*g%#5PKk<6_HewO(w&0h6SHE<+t|Q> z-yeP)b+$DeO^)?C+MD5TyiLdev%7JK(v{(J*Iy7*9|k$zr+8J9vj{02Juh1)W1(LQ!}lYn zTv-E;2F4ca-oEDCXHe4{dPV)Gj<5p zq+AgJc7pZds*5T!Au!)sI8)GUO5t4f-h_!8L74nnqPTdahCdeOu9$=OJQxz3!yG?0 zKFf7_V_&iGCc!e1$$)Bv*l9&-KikQaPNWe~H9B7>!{HtN_o>AbDfVz_;$s|mEq-Pu6&$>HL+Z=eq0~Qn zpXkiiblu5PAQOFKzYXq2%8L?81z9{SV{23XrKcajK87Op%PSxOYJuVFum_T_x4Iqx6}o0H&VyzVQ6dO4zuo5?1W|R?%~>4k`ag(D7?o7O zO}IStd>b3z?ZZ(w2|2CZXp}C$?Cxk3>#@Xr6J#k=EzW-myk+HKqwxALi)wF;TgY(| z$4QlCK9JevIa`~)kKcbw5bXCCJH2LAG)Z&Ry$zf!r)dAz+6bE-RD!Y6yTg6dLZ2FH zw734+RVDtt^yMMdMa8ZC`!^9)8_BIvkpVK&c?;lIX-?F?XypCzXgPUhQ{ol)13gsXW)(bRa(%7Q??q`P(y=gj49M5V-#8n&wL=B@=IcWF 
zEA3fi&0x-)hYnDca!M$(H|f%5bb|Dha|y#TzPYu5JL|$U9}ud;f=F9=Kh=9WhHt*T z=uq%?K=2Ny_{>Zqp8jC?0a0r9)Nf^)0xwz@$Vi3lapI^i8u1P?jMO0WaXl3;yvyjK zkM)2asFfMc1kN~qzrR7u-!nLO&`*i6PkX1?3wx-BobhYqMl@?VCAPz<&jKCmSt=EAd8tSpeF#DST~?g|Ez%bU zF(V_NDe%Lf+<0Hxwho1#$AQ!!6KXU;EhlUmuEwiW))cA3dZz*5mkL$v*C;QP^Z?<$ zSgg65@fWx0bpARLL&s`rw@Lno&@{>gnr<2JB~`|!Sbynpm1dX+EMsrqxlF2)3dhVbI!8a1sENT) zs4M|U1!vMSaWl$=^!|`SsM_jRTtxm>JthZSE^jTaQf6f;g9R53>0S=FC{7BHaL=Qc ziRMNyGA7ZHB|~7yQavI~ug9-lMGXDCQ5t%`dyDB<#Fyc3COnzWPS@kG^J@{X_Ze^n z^nOffvz`PMbbj1o{UBSxGZgAy$;6_2W#@0u1bn0E;Ao0UCOw2pj_D|EI@I!rYChwq z`4~4>+gDoueENvPuzo4X0!c|&3-htfsvfr+SB^pUGVcG}S8&=H1CQbJ9Vb0%^3xdN=(I@n7=n>@P z7bjWFx|ovQ418C#n3`D;_~c<9X&KD?`*Js-|4F&nf8wq?yIjkjM0d|qPXYG6;G z3b$2{U)c#kwXHL($!qnyCfl;W*UPa2Uu!D1f}TNb;NV;}QAEx?i2d!wV_sYX#I?d` zsfxc0R(W6kKtf@Ae|_Gb^^Jo-eAViQn$}&0$JL-;QYX<-X3JrVbcPz%gMPPUbF3~2 zT+ZsLaAoDtc=rUyw5_G(OI0`n{PSMTM3Rl|v6zKQ8UJv8hX2X>{X@_Fn+p7w@QF8q z>^Qk0JU-XF)29%r`MJBR#a$TZD&EAb zJ1Iw?tZZb;UkQCx^>2m_B`{hxZ5zGhBSHqVPWk?>-XGH801a`_gtFJ**lW1rWO{pn z|7=QnbyxpA0V-R`lz!*MW+W#VWbHJcBU>qL*yws5lh8-b#GQJAc_{34%YU*SJk)(j zCg?@wEhOigmiQReg(yPgK{>A+YO!^;0!qJ`T9Krj%P9i2QJ5;RW~v_r-SqhxbS4_O zf!YJ+m+Pt*#FuaFK?fGLXr#A>+TzwInHzRsaASBr6+M@9%P z^U~$9y+Yc#_133;&U}8F)x7AiPMRu+PI++W_X~pqO@TyPnNPvlnz^>=491Yp*MbCM z28vQ`nxR&nP4>*sGwU4{y7JXJ?U2VigQcD)51Gi9vKSWa{b78NHB$7phV<+0iN!Tb zCbN|*9GCZXSQGJBV+HOXZy_kZQmhH4VJp!2$zn)Ms$AQXzcV`r0eaf)?y!wU&*y!O*;e^T^%WJ14t+jcjWPBIGt>eH z*;JyJKa{LX4%^v>^qy&{i+1)mo?oBu$r)-vk1RVyceo1GYsxqHHiR_|Tl@JFgDAS$2IXqaK>7Yn`pwWJ`fW^2VxJb zy^bdgOCY<#;HL<#9ZZ|qAo`4fUjTiz>@JBwD&!ZYqk5zJV@faXOc;)mJVX+qQEWJ1 zwTFOG08Czk>;I;|Kmz+wCu4PZ$WLQy~m#3_9b_khSGgCm*LY*-;ysb6?hZWc1$qM`tn)C94-Uy+hJ3HL!gOAfO5`$?A>iZ5 zX(&#}xIz||tow%{gQSD?4&QePt1Vjm3-)b$Xu5(6AKj(?tCi&5ldz(%n5)=y=etM9 zs|v$g6L$e7ORuq&+i+;P+}>M6OC{`>D%t)(b;3Ubl%@^oH=ap}6x;az)f<7pB7Bs= zuM%TRl!bn}4@3MdBmGD6S+7rqK8Eie&;Cv1n@it8hE6Sf;8SM7mR4k+?$jKn5>cGC zX=md-tPfb-NG|AP6twV1DNuz(Ayp)p)_5@8VD$4`LD#D!-0z!-pWpb0 zRvVe5b&)+dPqeSUUK1xfI@ehq@q0*{JU{Fgz<7DFh3g@40BBF`e7_UqM)auvDsy}v 
zj&f$^Kb&|!l^DipL}|P|40}66C2k(-j_j7o6;xo_Wnh|R(gVHx-8;FtiHV6BzquJd zf2Hp}eg2H*^~B6VeQov>9fMDpVRgg?c9vJ?p`t_K8aH_Zb!C%n4`bE_z8V&ABYt#+ z!?~YdGkuV- zIwCYcgbvTZ?a9_~r@=>YrFj-AH6ov_TyB)zd(ns@6kFPo_ML@~A@ zG83dfl_|}(u*m_V1yoZh250&adB7!4$so00pD!Wb2e^=ER36bn0$nL;q;|pmofQr~ zTdsz-NxRJ2M|zOq^a^mOcl$W`=6iH>^3vnn<$X4|M*gJ$v8y?6G*W$o&4WZCT1x`c z(fzrL`+WCma~s(ABUy|e*r&NBRAIdw!)y7#itiy^BbGef{6?TL5rk^Hli-K2U~DMPh*mYuCQWP84w)Vi*tdRSaDxyj>Y!8 z0}QZwj#AbBydF^+E7!ay7Zw|C$IZ*P`e66#v(N*W1ptoG4&OgBzB$7(_%*pbMYe`p zgjs_8$K3RWoU%a3u8+v9Q7rvuf^Abd%)8%sm1nUA)c zHa|~x|GM&H^;UQD9@bi)X?AiITIR-o@4$H7h3{(jzEB}7+Fm4X3eYr!XVf$K?lE0_ zF7gGI_SQcvKd#gF=TGOT`I$^zp|TNG6hPSRhuc3-6YXD?-2;y>Tu;L|UsbNzuL3_6 z!?R#$-6YRyx`@;Bq;Bp>GQ zd%Knx%6CS&FGCbK>ip*(M+HBHE@nr)?e+b_^WKO`5-&INtS}YoM9+hviIJle#972e z+htOD0)L7iNt3_LJiS3kGR+&8Li+I`tVi7q2!PObqX4H5`@9SBeUGD5%3lxHRS}?9 zyq~i6*sIPQZS?PRg6T&7{DFj#t#O}8(GjruS1$2-y>v|a4t;hZ+9Kzh7BMyy-K8)Y z>Ssgg)8Tg+O>kuPsu&nMjB^+A+%LF{+zBuUK#dG~Q3lug*IkFtYOzsr!FHMUN6(SA2C?=5>V%Ei*X` z0M!LDu-x=$Ax4tlg{lx(B0vB?=%MAdojfAyja2tEMa&-uZ`=;F%#25`$8_EcDHw(` z?%k$Y9L{BFX3Q!cw-~e1rF>U=5fN&mXh-4J>5@&g*wE2x-v6+M!|Wc@hZ$r8KY0u6eGFwBL<*112h!^OP(Qr|25euyI zUCjRr6%F=F5Rlt*-Q(GyBqyl$e>n_g(lShlV@@@e+gV2H{B=(&IvM++Mr`P(199nN&S zgr$8HwlZmlSOl;t5wuh_DSOhYT;UT= z-I64{qZt9rUhkEaS#D%Pna$CGxmxW;;kGy=!W4f`BX5Fq`CPVhUkXDMjOpCZKR zopX1^tv+GDUqJk++NyHGY4<~%2LpEQvc#oX)enO@ zoYZViaS^J;cqwR_ykp?T&mO!;A$N*~x!BM{tq#^ps!tdZ8;|lR2dYa%LPlgxeuoQwZGXrPuO5iROfAyCpZsLo<`7 zjk~2|@}77)o2#P#=0D5OO|M2Em82Z}%#!nW(kww0-b!+tox#wFNJ8>QqD)_xO1npE z`G;5BZQc8Ts`%9Van%Bh8^rqr;Ig^lN_!5UyHw&jOQXi_AX2MT_Fv*bye-{3c(m-K zTXRGp9=`gKkOxQg{A2vRjFY}ZSuL=RoRm0S5^j)2<=t)zKC~WHYo;NBR!U7cN#a-@ z4b}IRZe_6kM~N&<_YKO-acLwHHgfzQsFR*;wf%BbEy#Y$qQ7^V)@WGbrVrLgr7Z9Ynh$-?pAi6tQZAZwps^Ioa zeifB=oSfX!(#{ee-W&#%Yt#)PoQM2}aA6>t6lFHL;L%iHTHjkRee~X*(YFk4YCd1I z78!VB-e|?FHZ9OoI)%qF>uZu#>JoD#2L+Ej)w{1)E@iUHr*x)8LT62xVgQgfw#2QJ z*q7uDM-T2=#MLi@@k^jpg_m$K>QyE`q2D~p6 zT|*u0-viLXH7f8Z z4beLfNUJ7%4RgUDD9Com>d6lGF~7#yOUgl<4Kdn`;~w@IY_Scqw{+CFZh9( 
zZHp;`yeBb{X2kbN-i}yj3uW#pgAT8Q^H(MY9v<62sFo54JuVJ^+VJzB%b|yoA6UiG z4{Q4|14JO}_D#k{>8>XPwhx$D?{p^L-63ITyXiY_h9%r0f&}s@R8S?+{+_KO?r2Tf zWs@PzW8BhpTOtn0D*Y6i%TepQXrvl*+~|2Cyw?pi09vHW>5td55>;bVfy%|XaRtN~ zy&NtMwvIvgJf*Bo1U2951-*1P6sKRxN!&X#O}>jmWmBHw31J8hn^}b69&^k$h$l(uUWbv$mgqZIg7I+3 zczu#~e`=2n(jJ{ahO!ZP%5eArkwwm|9)L1TskKm+f`FyZ~^&~XKV)eLds9g|P4e+!<>XJiBrUJ3GSNDqjX zE)ZnHc0-UaSrYJB-+a65u_NCO!iivyqOl;5d9BGkX8CLhs4JP%oEwz)^8?rvdad)> z@w}G{I3v->VyyfN&@vxyNByf8ZX&%s2yW~_1PS^(yYEPM;wQHYk?LVj#$mZ{O zv2U27Pz6PN>+Gx6suGl!p@w2kC%~Em1PL#Jq0DBJ?ZG3spBVOWg#@A1UH~LKi~y*VRF-a>G22J)2+V$(X~T0mdFs8c-Th-J7AkXJGJPtJdiM9-g^`m%!C* t_V2G6APDDwe(C^$J^%j;tx;Y@XgXYCubMwn{qq%%tdyc;wYXu>{{cr9X{P`H literal 0 HcmV?d00001 diff --git a/3.0.59.0/secured-cluster-services/feature-flag-values.yaml b/3.0.59.0/secured-cluster-services/feature-flag-values.yaml new file mode 100644 index 0000000..2a0c5a0 --- /dev/null +++ b/3.0.59.0/secured-cluster-services/feature-flag-values.yaml @@ -0,0 +1,28 @@ + +envVars: +- name: ROX_COMPLIANCE_IN_ROCKSDB + value: "true" +- name: ROX_CSV_EXPORT + value: "false" +- name: ROX_ENABLE_ROLLBACK + value: "true" +- name: ROX_HOST_SCANNING + value: "true" +- name: ROX_INACTIVE_IMAGE_SCANNING_UI + value: "true" +- name: ROX_INTEGRATIONS_AS_CONFIG + value: "false" +- name: ROX_K8S_AUDIT_LOG_DETECTION + value: "false" +- name: ROX_NETWORK_DETECTION_BASELINE_SIMULATION + value: "false" +- name: ROX_NETWORK_DETECTION_BASELINE_VIOLATION + value: "true" +- name: ROX_NETWORK_DETECTION_BLOCKED_FLOWS + value: "false" +- name: ROX_SCOPED_ACCESS_CONTROL_V2 + value: "false" +- name: ROX_SENSOR_INSTALLATION_EXPERIENCE + value: "true" +- name: ROX_SENSOR_TLS_CHALLENGE + value: "true" diff --git a/3.0.59.0/secured-cluster-services/internal/cluster-config.yaml.tpl b/3.0.59.0/secured-cluster-services/internal/cluster-config.yaml.tpl new file mode 100644 index 0000000..9c58023 --- /dev/null +++ b/3.0.59.0/secured-cluster-services/internal/cluster-config.yaml.tpl 
@@ -0,0 +1,30 @@ +{{- if ._rox.clusterName }} +clusterName: {{ ._rox.clusterName }} +{{- end }} +notHelmManaged: {{ not ._rox.helmManaged }} +clusterConfig: + staticConfig: + {{- if not ._rox.env.openshift }} + type: KUBERNETES_CLUSTER + {{- else }} + type: {{ if eq (int ._rox.env.openshift) 4 -}} OPENSHIFT4_CLUSTER {{- else -}} OPENSHIFT_CLUSTER {{ end }} + {{- end }} + mainImage: {{ coalesce ._rox.image.main._abbrevImageRef ._rox.image.main.fullRef }} + collectorImage: {{ coalesce ._rox.image.collector._abbrevImageRef ._rox.image.collector.fullRef }} + centralApiEndpoint: {{ ._rox.centralEndpoint }} + collectionMethod: {{ ._rox.collector.collectionMethod | upper | replace "-" "_" }} + admissionController: {{ ._rox.admissionControl.listenOnCreates }} + admissionControllerUpdates: {{ ._rox.admissionControl.listenOnUpdates }} + admissionControllerEvents: {{ ._rox.admissionControl.listenOnEvents }} + tolerationsConfig: + disabled: {{ ._rox.collector.disableTaintTolerations }} + slimCollector: {{ ._rox.collector.slimMode }} + dynamicConfig: + admissionControllerConfig: + enabled: {{ ._rox.admissionControl.dynamic.enforceOnCreates }} + timeoutSeconds: {{ ._rox.admissionControl.dynamic.timeout }} + scanInline: {{ ._rox.admissionControl.dynamic.scanInline }} + disableBypass: {{ ._rox.admissionControl.dynamic.disableBypass }} + enforceOnUpdates: {{ ._rox.admissionControl.dynamic.enforceOnUpdates }} + registryOverride: {{ ._rox.registryOverride }} + configFingerprint: {{ ._rox._configFP }} diff --git a/3.0.59.0/secured-cluster-services/internal/compatibility-translation.yaml b/3.0.59.0/secured-cluster-services/internal/compatibility-translation.yaml new file mode 100644 index 0000000..4e33afc --- /dev/null +++ b/3.0.59.0/secured-cluster-services/internal/compatibility-translation.yaml 
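Review bot: Several user-controlled scalars are rendered unquoted in this template (`clusterName`, `centralApiEndpoint`, `registryOverride`, `configFingerprint`, and the two image refs), so a value such as `NO`, `1.20`, or an empty `registryOverride` will be retyped by the YAML parser into a boolean, float or null rather than kept as the string the operator wrote. The chart already uses the `quote` helper in compatibility-translation.yaml, so the same idiom fits here: `clusterName: {{ ._rox.clusterName | quote }}`, `centralApiEndpoint: {{ ._rox.centralEndpoint | quote }}`, `registryOverride: {{ ._rox.registryOverride | quote }}`. If an absent `registryOverride` is meant to render as null, that intent deserves a comment, since quoting would change it to `""`.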
@@ -0,0 +1,137 @@ +# Configuration compatibility layer translation rules. +# +# This file is a YAML file describing an object following the shape of the legacy Chart configuration. +# Each leaf object is a config fragment template, that will be merged into the user-specified config when specified +# by the user. +# +# The config fragment templates may reference the values ".value" and ".rawValue", the former containing the +# JSON-encoded value of the input field, the latter containing the value as a parsed object. + +cluster: + name: | + clusterName: {{ .value }} + type: | + env: + openshift: {{ if eq .rawValue "OPENSHIFT4_CLUSTER" }} 4 {{ else }} {{ eq .rawValue "OPENSHIFT_CLUSTER" }} {{ end }} + +endpoint: + central: | + centralEndpoint: {{ .value }} + advertised: | + sensor: + endpoint: {{ .value }} + +image: + repository: + main: | + image: + main: + name: {{ .value }} + collector: | + image: + collector: + name: {{ .value }} + registry: + main: | + image: + main: + registry: {{ .value }} + collector: | + image: + collector: + registry: {{ .value }} + pullPolicy: + main: | + image: + main: + pullPolicy: {{ .value }} + collector: | + image: + collector: + pullPolicy: {{ .value }} + tag: + main: | + image: + main: + tag: {{ .value}} + collector: | + image: + collector: + tag: {{ .value }} + +config: + collectionMethod: | + collector: + collectionMethod: {{ .value }} + + dynamic: + enforce: null # bool + scanInline: null # bool + disableBypass: null # bool + timeout: null # natural number + enforceOnUpdates: null # bool + + admissionControl: + createService: | + admissionControl: + listenOnCreates: {{ .value }} + listenOnUpdates: | + admissionControl: + listenOnUpdates: {{ .value }} + listenOnEvents: | + admissionControl: + listenOnEvents: {{ .value }} + enableService: | + admissionControl: + dynamic: + enforceOnCreates: {{ .value }} + enforceOnUpdates: | + admissionControl: + dynamic: + enforceOnUpdates: {{ .value }} + scanInline: | + admissionControl: + 
dynamic: + scanInline: {{ .value }} + disableBypass: | + admissionControl: + dynamic: + disableBypass: {{ .value }} + timeout: | + admissionControl: + dynamic: + timeout: {{ .value }} + registryOverride: | + registryOverride: {{ .value }} + disableTaintTolerations: | + collector: + disableTaintTolerations: {{ .value }} + createUpgraderServiceAccount: | + createUpgraderServiceAccount: {{ .value }} + createSecrets: | + createSecrets: {{ .value }} + offlineMode: null # not used + slimCollector: | + collector: + slimMode: {{ .value }} + sensorResources: | + sensor: + resources: {{ .value }} + admissionControlResources: | + admissionControl: + resources: {{ .value }} + collectorResources: | + collector: + resources: {{ .value }} + complianceResources: | + collector: + complianceResources: {{ .value }} + exposeMonitoring: | + exposeMonitoring: {{ .value }} + +envVars: | + customize: + envVars: + {{- range $_, $v := .rawValue }} + {{ quote $v.name }}: {{ quote $v.value }} + {{- end }} diff --git a/3.0.59.0/secured-cluster-services/internal/config-shape.yaml b/3.0.59.0/secured-cluster-services/internal/config-shape.yaml new file mode 100644 index 0000000..f21ae54 --- /dev/null +++ b/3.0.59.0/secured-cluster-services/internal/config-shape.yaml 
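Review bot: The `config.dynamic` block leaves five legacy keys (`enforce`, `scanInline`, `disableBypass`, `timeout`, `enforceOnUpdates`) as `null` with only type comments, while the sibling `offlineMode: null # not used` explains why it is not translated; a reader cannot tell whether the `dynamic.*` keys are deliberately dropped or simply not yet mapped, especially since the same settings are translated under `config.admissionControl.*` a few lines below. A one-line comment above the block stating the intent, e.g. `# Legacy config.dynamic.* keys are intentionally not translated; use config.admissionControl.* instead` (if that is indeed the intent), would remove the ambiguity. Separately, `tag: {{ .value}}` under `image.tag.main` lacks the space before `}}` that every other fragment in this file uses; `tag: {{ .value }}` keeps the style uniform.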
@@ -0,0 +1,122 @@ +clusterName: null # string +confirmNewClusterName: null # string +centralEndpoint: null # string +registryOverride: null # string +exposeMonitoring: null # bool +createUpgraderServiceAccount: null # string +helmManaged: null +createSecrets: null +additionalCAs: null # [obj] +imagePullSecrets: + username: null # string + password: null # string + allowNone: null # bool + useExisting: null # string | [string] + useFromDefaultServiceAccount: null # bool +mainImagePullSecrets: + username: null # string + password: null # string + useExisting: null # string | [string] + useFromDefaultServiceAccount: null # bool + allowNone: null # bool +collectorImagePullSecrets: + username: null # string + password: null # string + useExisting: null # string | [string] + useFromDefaultServiceAccount: null # bool + allowNone: null # bool +image: + registry: null # string + main: + registry: null # string + name: null # string + repository: null # string + tag: null # string + fullRef: null # string + pullPolicy: null # string + collector: + registry: null # string + name: null # string + repository: null # string + tag: null # string + fullRef: null # string + pullPolicy: null # string +env: + openshift: null # bool + istio: null # bool +ca: + cert: null # string +sensor: + imagePullPolicy: null # string + endpoint: null # string + resources: null # string | dict + serviceTLS: + cert: null # string + key: null # string + exposeMonitoring: null # bool + nodeSelector: null # string | dict +admissionControl: + listenOnCreates: null # bool + listenOnUpdates: null # bool + listenOnEvents: null # bool + dynamic: + enforceOnCreates: null # bool + scanInline: null # bool + disableBypass: null # bool + timeout: null # natural number + enforceOnUpdates: null # bool + imagePullPolicy: null # string + resources: null # string | dict + serviceTLS: + cert: null # string + key: null # string + exposeMonitoring: null # bool + nodeSelector: null # string | dict +collector: + 
collectionMethod: null # string + disableTaintTolerations: null # bool + slimMode: null # bool + imagePullPolicy: null # string + resources: null # string | dict + complianceImagePullPolicy: null # string + complianceResources: null # string | dict + serviceTLS: + cert: null # string + key: null # string + exposeMonitoring: null # bool + nodeSelector: null # string | dict +customize: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + sensor: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + admission-control: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + collector: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + other: {} # dict +allowNonstandardNamespace: null # bool +allowNonstandardReleaseName: null # bool +meta: + namespaceOverride: null # bool + useLookup: null # bool + fileOverrides: {} # dict + apiServer: + version: null # string + overrideAPIResources: null # [string] + extraAPIResources: null # [string] diff --git a/3.0.59.0/secured-cluster-services/internal/defaults/00-bootstrap.yaml b/3.0.59.0/secured-cluster-services/internal/defaults/00-bootstrap.yaml new file mode 100644 index 0000000..846ca57 --- /dev/null +++ b/3.0.59.0/secured-cluster-services/internal/defaults/00-bootstrap.yaml 
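Review bot: Some of the type comments in this shape file disagree with how the values are used elsewhere in the same commit. `createUpgraderServiceAccount: null # string` is defaulted to `false` in defaults/30-base-config.yaml, so it should read `# bool`; `meta.namespaceOverride: null # bool` is consumed as a namespace name in defaults/00-bootstrap.yaml (`default .Release.Namespace ._rox.meta.namespaceOverride`) and documented as `meta.namespaceOverride=stackrox`, so it should read `# string`; and `env.openshift: null # bool` can be assigned the integer `4` by compatibility-translation.yaml, so `# bool | int` is the accurate annotation. `helmManaged: null` and `createSecrets: null` are the only top-level leaves without a type comment; both are defaulted to `true` in 30-base-config.yaml, so `# bool` fits. Since tooling and reviewers use these comments as the de-facto schema, wrong annotations are worse than none.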
@@ -0,0 +1,15 @@ +# If we are being linted, magically apply settings that will not cause linting to break. +{{- if eq .Release.Name "test-release" }} +{{- include "srox.warn" (list . "You are using a release name that is reserved for tests. In order to allow linting to work, certain checks have been relaxed. If you are deploying to a real environment, we recommend that you choose a different release name.") }} +allowNonstandardNamespace: true +allowNonstandardReleaseName: true +clusterName: test-cluster-for-lint +{{- end }} +--- + +_namespace: {{ default .Release.Namespace ._rox.meta.namespaceOverride }} + +--- +meta: + useLookup: true + fileOverrides: {} diff --git a/3.0.59.0/secured-cluster-services/internal/defaults/10-env.yaml b/3.0.59.0/secured-cluster-services/internal/defaults/10-env.yaml new file mode 100644 index 0000000..101a77b --- /dev/null +++ b/3.0.59.0/secured-cluster-services/internal/defaults/10-env.yaml @@ -0,0 +1,20 @@ +# This file applies default environment configuration, based on available API server resources. + +{{- if kindIs "invalid" ._rox.env.openshift }} +env: + {{- if has "apps.openshift.io/v1" ._rox._apiServer.apiResources }} + openshift: true + {{- else }} + openshift: false + {{- end }} +{{- end }} +--- +{{- if kindIs "invalid" ._rox.env.istio }} +env: + {{- if has "networking.istio.io/v1alpha3" ._rox._apiServer.apiResources }} + istio: true + {{- include "srox.note" (list . "Based on API server properties, we have inferred that you are deploying into an Istio-enabled cluster. Set the `env.istio` property explicitly to false/true to override the auto-sensed value.") }} + {{- else }} + istio: false + {{- end }} +{{- end }} diff --git a/3.0.59.0/secured-cluster-services/internal/defaults/20-tls-files.yaml b/3.0.59.0/secured-cluster-services/internal/defaults/20-tls-files.yaml new file mode 100644 index 0000000..6eb6408 --- /dev/null +++ b/3.0.59.0/secured-cluster-services/internal/defaults/20-tls-files.yaml 
@@ -0,0 +1,23 @@ +# These defaults ensure that by default, certificates and keys are loaded from the respective files in the secrets/ +# directory that they needed to be placed in for the old sensor Helm chart. +# +# A user can specify either references to files (with a "@" prefix - note that this requires changing the chart, +# as Helm only allows accessing files that are part of the chart), or PEM-encoded certificates and keys directly. + +ca: + cert: "@?secrets/ca.pem" + +sensor: + serviceTLS: + cert: "@?secrets/sensor-cert.pem" + key: "@?secrets/sensor-key.pem" + +admissionControl: + serviceTLS: + cert: "@?secrets/admission-control-cert.pem" + key: "@?secrets/admission-control-key.pem" + +collector: + serviceTLS: + cert: "@?secrets/collector-cert.pem" + key: "@?secrets/collector-key.pem" diff --git a/3.0.59.0/secured-cluster-services/internal/defaults/30-base-config.yaml b/3.0.59.0/secured-cluster-services/internal/defaults/30-base-config.yaml new file mode 100644 index 0000000..27fa087 --- /dev/null +++ b/3.0.59.0/secured-cluster-services/internal/defaults/30-base-config.yaml 
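Review bot: The header comment describes the file-reference syntax as a `"@"` prefix, but every value in this file actually uses `"@?secrets/..."`, and the meaning of the extra `?` is not documented anywhere in the hunk. Because these defaults point at certificate and private-key files, a reader needs to know whether `?` makes the reference optional (a missing file silently yields an empty value) or changes resolution in some other way; the resolving code is not visible here, so I cannot say which. Suggest extending the comment with a line such as `# The "@?" form (as opposed to "@") marks the file reference as optional — a missing file results in an unset value.`, after confirming that against the expansion code.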
@@ -0,0 +1,46 @@ +# This file contains basic configuration options for all services + +centralEndpoint: "central.{{ required "unknown namespace" ._rox._namespace }}:443" +createUpgraderServiceAccount: false + +{{- if .Release.IsInstall }} +createSecrets: true +{{- end }} + +exposeMonitoring: false + +helmManaged: true + +clusterName: "" +confirmNewClusterName: "" + +imagePullSecrets: + allowNone: false + useExisting: [] + useFromDefaultServiceAccount: true + +sensor: + endpoint: "sensor.{{ required "unknown namespace" ._rox._namespace }}:443" + +admissionControl: + listenOnCreates: false + listenOnUpdates: false + listenOnEvents: {{ not ._rox.env.openshift }} + dynamic: + enforceOnCreates: false + scanInline: false + disableBypass: false + timeout: 3 + enforceOnUpdates: false + +collector: + collectionMethod: "KERNEL_MODULE" + disableTaintTolerations: false + +--- +sensor: + exposeMonitoring: {{ ._rox.exposeMonitoring }} +collector: + exposeMonitoring: {{ ._rox.exposeMonitoring }} +admissionControl: + exposeMonitoring: {{ ._rox.exposeMonitoring }} diff --git a/3.0.59.0/secured-cluster-services/internal/defaults/40-resources.yaml b/3.0.59.0/secured-cluster-services/internal/defaults/40-resources.yaml new file mode 100644 index 0000000..5002bfb --- /dev/null +++ b/3.0.59.0/secured-cluster-services/internal/defaults/40-resources.yaml @@ -0,0 +1,36 @@ +# This file contains the default resource requirements for the StackRox Secured Cluster services. + +sensor: + resources: + requests: + memory: "1Gi" + cpu: "1" + limits: + memory: "4Gi" + cpu: "2" + +admissionControl: + resources: + requests: + memory: "100Mi" + cpu: "50m" + limits: + memory: "500Mi" + cpu: "500m" + +collector: + resources: + requests: + memory: "320Mi" + cpu: "50m" + limits: + memory: "1Gi" + cpu: "750m" + + complianceResources: + requests: + memory: "10Mi" + cpu: "10m" + limits: + memory: "2Gi" + cpu: "1" 
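Review bot: `createSecrets: true` is only emitted inside `{{- if .Release.IsInstall }}`, so on `helm upgrade` the key stays null unless the user sets it, and nothing in the file says why the install and upgrade paths differ. Given that the same commit's config-shape.yaml gives `createSecrets` no type comment either, the reason is easy to lose; a comment directly above the conditional would help, e.g. `# Default to creating TLS secrets only on a fresh install; on upgrade the value is left unset so existing secrets are not recreated unless explicitly requested` (the second half is my inference from the conditional and should be confirmed against the templates that consume `createSecrets`). The remaining defaults in this hunk are quoted and typed consistently.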
diff --git a/3.0.59.0/secured-cluster-services/internal/defaults/50-images.yaml b/3.0.59.0/secured-cluster-services/internal/defaults/50-images.yaml new file mode 100644 index 0000000..bf8449b --- /dev/null +++ b/3.0.59.0/secured-cluster-services/internal/defaults/50-images.yaml 
@@ -0,0 +1,66 @@ +# This file contains the default image (registry + name + tag) settings) for all StackRox Secured Cluster +# Services. + +image: + registry: stackrox.io + main: + name: main + pullPolicy: IfNotPresent + collector: + name: collector +--- +image: + main: + registry: {{ ._rox.image.registry }} + collector: + registry: {{ if or (eq ._rox.image.registry "stackrox.io") (eq ._rox.image.registry "registry.connect.redhat.com") }}collector.stackrox.io{{ else }}{{ ._rox.image.registry }}{{ end }} +--- +image: + main: + repository: {{ list ._rox.image.main.registry ._rox.image.main.name | compact | join "/" }} + collector: + repository: {{ list ._rox.image.collector.registry ._rox.image.collector.name | compact | join "/" }} +--- +image: + main: + {{- if or ._rox.image.main.tag ._rox.image.main.fullRef }} + {{- include "srox.warn" (list . "You have specified an explicit main image (tag). This will prevent the main image from being updated correctly when upgrading to a newer version of this chart.") }} + {{- else }} + _abbrevImageRef: {{ ._rox.image.main.repository }} + {{- end }} + tag: {{ .Chart.AppVersion }} + collector: + {{- if or ._rox.image.collector.tag ._rox.image.collector.fullRef }} + {{- include "srox.warn" (list . "You have specified an explicit collector image tag. This will prevent the collector image from being updated correctly when upgrading to a newer version of this chart.") }} + {{- if ._rox.collector.slimMode }} + {{- include "srox.warn" (list . "You have specified an explicit collector image tag. 
The slim collector setting will not have any effect.") }} + {{- end }} + {{- else }} + _abbrevImageRef: {{ ._rox.image.collector.repository }} + {{- end }} +--- +collector: + slimMode: {{ eq ._rox.image.collector.registry "collector.stackrox.io" }} +--- +image: + collector: + {{- if ._rox.collector.slimMode }} + tag: "3.1.22-slim" + pullPolicy: IfNotPresent + {{- else }} + tag: "3.1.22-latest" + pullPolicy: Always + {{- end }} +--- +image: + main: + fullRef: {{ printf "%s:%s" ._rox.image.main.repository ._rox.image.main.tag }} + collector: + fullRef: {{ printf "%s:%s" ._rox.image.collector.repository ._rox.image.collector.tag }} +collector: + imagePullPolicy: {{ ._rox.image.collector.pullPolicy }} + complianceImagePullPolicy: {{ ._rox.image.main.pullPolicy }} +sensor: + imagePullPolicy: {{ ._rox.image.main.pullPolicy }} +admissionControl: + imagePullPolicy: {{ ._rox.image.main.pullPolicy }} diff --git a/3.0.59.0/secured-cluster-services/internal/defaults/whats-this.md b/3.0.59.0/secured-cluster-services/internal/defaults/whats-this.md new file mode 100644 index 0000000..d58c8de --- /dev/null +++ b/3.0.59.0/secured-cluster-services/internal/defaults/whats-this.md 
@@ -0,0 +1,39 @@ +`defaults/` directory +====================== + +This directory provides a set of files that provide a lighter-weight interface for configuring +defaults in the Helm chart, allowing the use of template expressions (including referencing previously +applied defaults) without requiring (an excessive amount of) template control structures (such as +`{{ if kindIs "invalid" ... }}` to determine if a value has already been set). + +After applying some "bootstrap" configuration (such as for making available API server resources +visible in a uniform manner), each `.yaml` file in this directory is processed in an order determined +by its name (hence the `NN-` prefixes). Each YAML file consists of multiple documents (separated by +`---` lines) that are rendered as templates and then _merged_ into the effective configuration, giving +strict preference to already set values. + +Having a deterministic order is important for being able to rely on previously configured +values (either specified by the user or applied as a default). For example, the file +```yaml +group: + setting: "foo" + anotherSetting: 3 +--- +group: + derivedSetting: {{ printf "%s-%d" ._rox.group.setting ._rox.group.anotherSetting }} +``` +combined with the command-line setting `--set group.setting=bar` will result in the following +"effective" configuration: +```yaml +group: + setting: "bar" # user-specified value takes precedence - default value "foo" not applied + anotherSetting: 3 # default value + derivedSetting: bar-3 # combination of user-specified value and default value; "pure" default without + # any --set arguments would be "foo-3" +``` + +**Caveats**: +- Templating instructions must be contained to a single document within the multi-document YAML files. In particular, + the `---` separator must not be within a conditionally rendered block, or emitted by templating code. +- It is recommended to contain dependencies between default settings to a single YAML file. 
While the `NN-` prefixes + ensure a well-defined application order of individual files, having dependent blocks in the same file adds clarity. diff --git a/3.0.59.0/secured-cluster-services/internal/expandables.yaml b/3.0.59.0/secured-cluster-services/internal/expandables.yaml new file mode 100644 index 0000000..d2b9dad --- /dev/null +++ b/3.0.59.0/secured-cluster-services/internal/expandables.yaml @@ -0,0 +1,30 @@ +imagePullSecrets: + username: true + password: true +mainImagePullSecrets: + username: true + password: true +collectorImagePullSecrets: + username: true + password: true +ca: + cert: true +sensor: + serviceTLS: + cert: true + key: true + resources: true + nodeSelector: true +admissionControl: + serviceTLS: + cert: true + key: true + resources: true + nodeSelector: true +collector: + serviceTLS: + cert: true + key: true + resources: true + complianceResources: true + nodeSelector: true diff --git a/3.0.59.0/secured-cluster-services/scripts/fetch-secrets.sh b/3.0.59.0/secured-cluster-services/scripts/fetch-secrets.sh new file mode 100755 index 0000000..850a227 --- /dev/null +++ b/3.0.59.0/secured-cluster-services/scripts/fetch-secrets.sh 
@@ -0,0 +1,41 @@ +#!/bin/sh + +# fetch-secrets.sh +# Retrieves StackRox TLS secrets currently stored in the current Kubernetes context, and stores them in a format +# suitable for consumption by the Helm chart. +# +# The YAML bundle is printed to stdout, use output redirection (>filename) to store the output to a file. +# This script supports the following environment variables: +# - KUBECTL: the command to use for kubectl. Spaces will be tokenized by the shell interpreter (default: "kubectl"). +# - ROX_NAMESPACE: the namespace in which the current StackRox deployment runs (default: "stackrox") +# - FETCH_CA_ONLY: if set to "true", will create a bundle containing only the CA certificate (default: "false") + +DIR="$(cd "$(dirname "$0")" && pwd)" + +KUBECTL="${KUBECTL:-kubectl}" +ROX_NAMESPACE="${ROX_NAMESPACE:-stackrox}" + +FETCH_CA_ONLY="${FETCH_CA_ONLY:-false}" + +case "$FETCH_CA_ONLY" in + false|0) + TEMPLATE_FILE="fetched-secrets-bundle.yaml.tpl" + DESCRIPTION="certificates and keys" + ;; + true|1) + TEMPLATE_FILE="fetched-secrets-bundle-ca-only.yaml.tpl" + DESCRIPTION="CA certificate only" + ;; + *) + echo >&2 "Invalid value '$FETCH_CA_ONLY' for FETCH_CA_ONLY, only false and true are allowed" + exit 1 +esac + +# The leading '#' signs aren't required as they don't go to stdout, but when printing to the console, +# it looks more natural to include them. +echo >&2 "# Fetching $DESCRIPTION from current Kubernetes context (namespace $ROX_NAMESPACE), store" +echo >&2 "# the output in a file and pass it to helm via the -f parameter." + +$KUBECTL get --ignore-not-found -n "$ROX_NAMESPACE" \ + secret/sensor-tls secret/collector-tls secret/admission-control-tls \ + -o go-template-file="${DIR}/${TEMPLATE_FILE}" \ diff --git a/3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle-ca-only.yaml.tpl b/3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle-ca-only.yaml.tpl new file mode 100644 index 0000000..b5a13c2 --- /dev/null 
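Review bot: The final `kubectl` invocation ends with a line-continuation backslash (`-o go-template-file="${DIR}/${TEMPLATE_FILE}" \`) and nothing follows it in the hunk, so either a trailing argument was lost or the backslash is a leftover; as written the shell continues the command into end-of-file, which works by accident and will confuse the next editor. Dropping the trailing ` \` (or adding the intended argument) fixes it. Two documentation points: the header lists the environment variables but does not say that the stdout bundle contains private keys in clear text (the companion `fetched-secrets-bundle.yaml.tpl` emits `sensor-key.pem`, `collector-key.pem` and `admission-control-key.pem`), so a line such as `# NOTE: the output contains TLS private keys; write it to a file with restrictive permissions and do not commit it.` belongs there; and because `get --ignore-not-found` combined with the templates' per-secret conditionals yields an empty document rather than an error when the secrets are absent or in another namespace, the header should mention that an empty result means nothing was found rather than success.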
+++ b/3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle-ca-only.yaml.tpl @@ -0,0 +1,9 @@ +{{- range $item := .items }} +{{- if eq $item.metadata.name "sensor-tls" }} +{{- $caPEM := index $item.data "ca.pem" }} +{{- if $caPEM }} +ca: + cert: "{{ $caPEM | base64decode | js }}" +{{- end }} +{{- end }} +{{- end }} diff --git a/3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle.yaml.tpl b/3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle.yaml.tpl new file mode 100644 index 0000000..72bb452 --- /dev/null +++ b/3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle.yaml.tpl @@ -0,0 +1,35 @@ +{{- range $item := .items }} +{{- if eq $item.metadata.name "sensor-tls" }} +{{- $caPEM := index $item.data "ca.pem" }} +{{- if $caPEM }} +ca: + cert: "{{ $caPEM | base64decode | js }}" +{{- end }} +{{- $sensorCert := index $item.data "sensor-cert.pem" }} +{{- $sensorKey := index $item.data "sensor-key.pem" }} +{{- if and $sensorCert $sensorKey }} +sensor: + serviceTLS: + cert: "{{ $sensorCert | base64decode | js }}" + key: "{{ $sensorKey | base64decode | js }}" +{{- end }} +{{- else if eq $item.metadata.name "collector-tls" }} +{{- $collectorCert := index $item.data "collector-cert.pem" }} +{{- $collectorKey := index $item.data "collector-key.pem" }} +{{- if and $collectorCert $collectorKey }} +collector: + serviceTLS: + cert: "{{ $collectorCert | base64decode | js }}" + key: "{{ $collectorKey | base64decode | js }}" +{{- end }} +{{- else if eq $item.metadata.name "admission-control-tls" }} +{{- $admCtrlCert := index $item.data "admission-control-cert.pem" }} +{{- $admCtrlKey := index $item.data "admission-control-key.pem" }} +{{- if and $admCtrlCert $admCtrlKey }} +admissionControl: + serviceTLS: + cert: "{{ $admCtrlCert | base64decode | js }}" + key: "{{ $admCtrlKey | base64decode | js }}" +{{- end }} +{{- end }} +{{- end }} 
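Review bot: Both bundle templates (this one and `fetched-secrets-bundle.yaml.tpl` in the same hunk line) emit PEM data as a YAML double-quoted scalar via `{{ ... | base64decode | js }}`, which is a JavaScript string escaper rather than a YAML one. For PEM content the escapes it produces (`\n`, `\u003D` for `=`) are also valid YAML double-quoted escapes, so this works today, but `js` would emit `\'` for an apostrophe, which YAML does not accept, so the approach relies on the input alphabet rather than on the escaper matching the format. A literal block scalar avoids the escaping question entirely, e.g. `cert: |` followed by `{{ $caPEM | base64decode | nindent 4 }}` (if `nindent` is available in the go-template environment kubectl provides; otherwise keep `js` and add a comment stating that it is safe only because PEM is base64 plus header lines). Either way, a one-line comment at the top of each template explaining why `js` is used for YAML output would save the next reader the same analysis.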
diff --git a/3.0.59.0/secured-cluster-services/sensor-chart-upgrade.md b/3.0.59.0/secured-cluster-services/sensor-chart-upgrade.md new file mode 100644 index 0000000..f3d5ddf --- /dev/null +++ b/3.0.59.0/secured-cluster-services/sensor-chart-upgrade.md 
@@ -0,0 +1,159 @@ +# Upgrading from the `sensor` Helm chart + +There are differences between the `sensor` Helm chart that was part of the +StackRox Kubernetes Security Platform version 3.0.54 and the Secured Cluster +Services Helm chart in the StackRox Kubernetes Security Platform version 3.0.55. + +Therefore, if you are using the StackRox Kubernetes Security Platform version 3.0.54 +or older, and you've used the `sensor` Helm chart, you must verify (and change) +the following additional options to upgrade to the new Helm charts for the +StackRox Kubernetes Security Platform version 3.0.55. + +## Namespace + +|Version 3.0.54 and older |Version 3.0.55 and newer | +|-------------------------|-------------------------| +|The `sensor` Helm chart creates all Kubernetes resources in the `stackrox` namespace, even if you've used the `-n`/`--namespace` flag to the `helm install` command.|The Secured Cluster Services Helm chart creates all resources in the namespace you specify by using the `-n`/`--namespace` flag. However, we recommend that you always install the chart in the `stackrox` namespace.| + +If you've previously installed the `sensor` Helm chart into a namespace other +than `stackrox`, you **must** set the namespace override option to `stackrox`. + +To do this, either: +- pass the `--set meta.namespaceOverride=stackrox` flag, or +- add the following section in your configuration file: + ```yaml + meta: + namespaceOverride: stackrox + ``` + +## Configuration file + +|Version 3.0.54 and older |Version 3.0.55 and newer | +|-------------------------|--------------------------| +|Installation using the `sensor` Helm chart requires adding your customizations in the `values.yaml` file that is part of the chart.|The Secured Cluster Services Helm chart uses a separate configuration file.| + +> **IMPORTANT** +> +> If you are using the Secured Cluster Services Helm chart, **do not** modify +> the `values.yaml` file that is part of the chart. 
+ +We recommend that you always store the configuration in separate files: + +- `values-public.yaml`: include all non-sensitive configuration options in this + file. +- `values-private.yaml`: include all sensitive configuration options such as + image pull secrets or certificates and keys. + +You can also use a separate file for the cluster init bundle. For more +information, see the main [README.md](README.md) file. + +## Secrets injection + +|Version 3.0.54 and older |Version 3.0.55 and newer | +|-------------------------|--------------------------| +|The `sensor` Helm chart downloads certificates and private keys specific to a single cluster and stores them in the `secrets/` directory.|The Secured Cluster Services Helm chart uses cluster init bundles. For more information, see the main [README.md](README.md) file.| + +To upgrade, +1. Copy the `values.yaml` you used for the most recent installation or upgrade of the + `sensor` Helm chart and store it as `sensor-values.yaml`. +1. Connect to the Kubernetes cluster on which you've previously installed the + `sensor` Helm chart. +1. Run `./scripts/fetch-secrets.sh`. The `fetch-secrets.sh` script shows a YAML + file as output, which contains all secrets. Store the output of this command + in a file (you can use `./scripts/fetch-secrets.sh >secrets.yaml` to directly + write the command output to a file called `secrets.yaml`). +1. Run the `helm upgrade` command and pass the YAML (from the previous step) file by + using the `-f` option: + ```sh + helm upgrade -n stackrox sensor stackrox/secured-cluster-services \ + --reuse-values -f sensor-values.yaml -f ... + ``` + The above command assumes that you have added the https://charts.stackrox.io Helm + chart repository to your local Helm installation. See the main [README.md](README.md) + for instructions on how to set this up. + If you want to use this chart from a local directory, replace + `stackrox/secured-cluster-services` with the path to the chart directory. 
+ +> **NOTE** +> +> Although you can copy the `secrets` directory from your old `sensor` Helm +> chart instead, we **do not** recommend doing it. + + +## Helm-managed clusters + +When you use the Secured Cluster Services Helm chart, the clusters it creates +are treated as Helm-managed by default. It means that whenever you run the +`helm upgrade` command afterward, it applies the configuration changes specified +in your Helm configuration file, overwriting any changes to settings you've done +through the StackRox portal. + +Additionally, because of the differences between the Helm upgrade and the +StackRox Kubernetes Security Platform automatic upgrade, you can't use +the automatic upgrades option from the StackRox portal. + +If you don't want an upgraded cluster to be treated as Helm-managed, set the +`helmManaged` configuration option to `false`. + +## Configuration format + +There are differences between the configuration format that the sensor Helm +chart uses and the Secured Cluster Services Helm chart's uses. We recommend that +you migrate to the new configuration format. + +Here is the list of old and new configuration options: + +|Old configuration option |New configuration option | +|-------------------------|-------------------------| +| `cluster.name` | `clusterName` | +| `cluster.type` | Set `env.openshift` to `true` for `cluster.type=OPENSHIFT_CLUSTER` and `false` for `cluster.type=KUBERNETES_CLUSTER`. Leave unset to automatically detect (recommended). 
| +| `endpoint.central` | `centralEndpoint` | +| `endpoint.advertised` | `sensor.endpoint` | +| `image.repository.main` | `image.main.name` | +| `image.repository.collector` | `image.collector.name` | +| `image.registry.main` | `image.main.registry` | +| `image.registry.collector` | `image.collector.registry` | +| `image.pullPolicy.main` | `image.main.pullPolicy` | +| `image.pullPolicy.collector` | `image.collector.pullPolicy` | +| `image.tag.main` | `image.main.tag` | +| `image.tag.collector` | `image.collector.tag` | +| `config.collectionMethod` | `collector.collectionMethod` | +| `config.admissionControl.createService` | `admissionControl.listenOnCreates` | +| `config.admissionControl.listenOnUpdates` | `admissionControl.listenOnUpdates` | +| `config.admissionControl.enableService` | `admissionControl.dynamic.enforceOnCreates` | +| `config.admissionControl.enforceOnUpdates` | `admissionControl.dynamic.enforceOnUpdates` | +| `config.admissionControl.scanInline` | `admissionControl.dynamic.scanInline` | +| `config.admissionControl.disableBypass` | `admissionControl.dynamic.disableBypass` | +| `config.admissionControl.timeout` | `admissionControl.dynamic.timeout` | +| `config.registryOverride` | `registryOverride` | +| `config.disableTaintTolerations` | `collector.disableTaintTolerations` | +| `config.createUpgraderServiceAccount` | `createUpgraderServiceAccount` | +| `config.createSecrets` | `createSecrets` | +| `config.offlineMode` | This option has no effect and will be removed. 
| +| `config.slimCollector` | `collector.slimMode` | +| `config.sensorResources` | `sensor.resources` | +| `config.admissionControlResources` | `admissionControl.resources` | +| `config.collectorResources` | `collector.resources` | +| `config.complianceResources` | `collector.complianceResources` | +| `config.exposeMonitoring` | `exposeMonitoring` | +| `envVars` | See example below | + +**Custom environment variables:** The old format for custom environment variable settings was +```yaml +envVars: +- name: ENV_VAR1 + value: "value1" +- name: ENV_VAR2 + value: "value2" +... +``` + +In the new configuration format, rewrite this as: +```yaml +customize: + envVars: + ENV_VAR1: "value1" + ENV_VAR2: "value2" +``` +You can find out more about customizing object labels, annotations, and environment variables in the main +[README.md](README.md). \ No newline at end of file diff --git a/3.0.59.0/secured-cluster-services/templates/00-collector-image-pull-secrets.yaml b/3.0.59.0/secured-cluster-services/templates/00-collector-image-pull-secrets.yaml new file mode 100644 index 0000000..eba103f --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/00-collector-image-pull-secrets.yaml @@ -0,0 +1,18 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.collectorImagePullSecrets._dockerAuths }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: secured-cluster-services-collector + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "secured-cluster-services-collector") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "secured-cluster-services-collector") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +data: + .dockerconfigjson: {{ dict "auths" ._rox.collectorImagePullSecrets._dockerAuths | toJson | b64enc | quote }} +{{ end }} 
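Review bot: The Secret is a `pre-install,pre-upgrade` hook carrying `helm.sh/resource-policy: keep`, so it is not part of the release manifest and, as far as Helm 3's hook semantics go, it is not removed by `helm uninstall`; the registry credentials therefore outlive the chart in the namespace. That may be deliberate (hook ordering guarantees the Secret exists before any pod references it), but the intent and the cleanup obligation should be stated next to the annotations, e.g. `{{/* hook + keep: created before pods reference it; deliberately survives helm uninstall, delete manually to revoke registry credentials */}}`. The near-identical main-image Secret in the following hunk needs the same comment.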
diff --git a/3.0.59.0/secured-cluster-services/templates/00-main-image-pull-secrets.yaml b/3.0.59.0/secured-cluster-services/templates/00-main-image-pull-secrets.yaml
new file mode 100644
index 0000000..052aa3e
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/00-main-image-pull-secrets.yaml
@@ -0,0 +1,18 @@
+{{- include "srox.init" . -}}
+
+{{- if ._rox.mainImagePullSecrets._dockerAuths }}
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ name: secured-cluster-services-main
+ namespace: {{ ._rox._namespace }}
+ labels:
+ {{- include "srox.labels" (list . "secret" "secured-cluster-services-main") | nindent 4 }}
+ annotations:
+ {{- include "srox.annotations" (list . "secret" "secured-cluster-services-main") | nindent 4 }}
+ "helm.sh/hook": "pre-install,pre-upgrade"
+ "helm.sh/resource-policy": keep
+data:
+ .dockerconfigjson: {{ dict "auths" ._rox.mainImagePullSecrets._dockerAuths | toJson | b64enc | quote }}
+{{ end }}
diff --git a/3.0.59.0/secured-cluster-services/templates/NOTES.txt b/3.0.59.0/secured-cluster-services/templates/NOTES.txt
new file mode 100644
index 0000000..fd2efcf
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/NOTES.txt
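Review bot: `._rox.mainImagePullSecrets._dockerAuths` is derived from a username/password given in chart values, and Helm 3 persists user-supplied values in the release Secret, so the registry password is retrievable through `helm get values` in addition to the `.dockerconfigjson` written here. That second copy is easy to overlook when rotating credentials and should be stated in the template, e.g. `{{/* NOTE: the credentials behind _dockerAuths also live in the Helm release values; prefer imagePullSecrets.useExisting with a pre-created Secret in production */}}` above `data:`. The `if ._rox.mainImagePullSecrets._dockerAuths` guard means no Secret is rendered when only `useExisting` is used, which is worth saying in the same comment so readers do not expect this resource unconditionally.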
@@ -0,0 +1,38 @@
+{{- $_ := include "srox.init" . -}}
+
+StackRox Secured Cluster Services {{.Chart.AppVersion}} has been installed.
+
+Secured Cluster Configuration Summary:
+
+ Name: {{ ._rox.clusterName }}
+ Kubernetes Namespace: {{ ._rox._namespace }}{{ if ne .Release.Namespace ._rox._namespace }} [NOTE: Helm release is attached to namespace {{ .Release.Namespace }}]{{ end }}
+ Helm Release Name: {{ .Release.Name }}
+ Central Endpoint: {{ ._rox.centralEndpoint }}
+ OpenShift Cluster: {{ ._rox.env.openshift }}
+ Admission Control Webhooks deployed: {{ or ._rox.admissionControl.dynamic.listenOnCreates ._rox.admissionControl.dynamic.listenOnUpdates ._rox.admissionControl.dynamic.listenOnEvents}}
+ Admission Control Creates/Updates enforced: {{ or ._rox.admissionControl.dynamic.enforceOnCreates ._rox.admissionControl.dynamic.enforceOnUpdates }}
+
+{{ if ._rox._state.notes -}}
+Please take note of the following:
+{{ range ._rox._state.notes }}
+- {{ . | wrapWith 98 "\n " -}}
+{{ end }}
+
+{{ end -}}
+
+{{ if ._rox._state.warnings -}}
+During installation, the following warnings were encountered:
+{{ range ._rox._state.warnings }}
+- WARNING: {{ . | wrapWith 98 "\n " -}}
+{{ end }}
+
+{{ end -}}
+
+{{ if ._rox.env.openshift -}}
+IMPORTANT: You have deployed into an OpenShift-enabled cluster. If you see that your pods
+ are not scheduling, run
+
+ oc annotate namespace/{{ ._rox._namespace }} --overwrite openshift.io/node-selector=""
+{{ end -}}
+
+Thank you for using StackRox!
diff --git a/3.0.59.0/secured-cluster-services/templates/_compatibility.tpl b/3.0.59.0/secured-cluster-services/templates/_compatibility.tpl
new file mode 100644
index 0000000..c83ab2d
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/_compatibility.tpl
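Review bot: The "Admission Control Webhooks deployed" line reads `._rox.admissionControl.dynamic.listenOnCreates` and `.dynamic.listenOnUpdates`, whereas the migration table in `sensor-chart-upgrade.md` in this same patch maps the legacy options to `admissionControl.listenOnCreates` / `admissionControl.listenOnUpdates` with no `dynamic` segment; both cannot be right, and if this template reads a key that is never populated the summary will print an empty/nil value rather than `false`. Please check the key layout in `internal/config-shape.yaml` (not in this hunk) and align either the doc table or these two expressions. The `oc annotate namespace/... openshift.io/node-selector=""` advice clears the project-wide node selector, which affects every workload in the namespace, so one clause naming which of the chart's workloads needs unrestricted scheduling would let operators judge that trade-off.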
@@ -0,0 +1,51 @@
+{{ define "srox.applyCompatibilityTranslation" }}
+{{ $ := index . 0 }}
+{{ $values := index . 1 }}
+{{ $translationRules := $.Files.Get "internal/compatibility-translation.yaml" | fromYaml }}
+{{ include "srox._doApplyCompat" (list $values $.Template $values $translationRules list) }}
+{{ end }}
+
+{{ define "srox._doApplyCompat" }}
+{{ $values := index . 0 }}
+{{ $template := index . 1 }}
+{{ $valuesCtx := index . 2 }}
+{{ $ruleCtx := index . 3 }}
+{{ $ctxPath := index . 4 }}
+{{ range $k, $v := $ruleCtx }}
+ {{ $oldVal := index $valuesCtx $k }}
+ {{ if not (kindIs "invalid" $oldVal) }}
+ {{ if kindIs "map" $v }}
+ {{ if kindIs "map" $oldVal }}
+ {{ include "srox._doApplyCompat" (list $values $template $oldVal $v (append $ctxPath $k)) }}
+ {{ if not $oldVal }}
+ {{ $_ := unset $valuesCtx $k }}
+ {{ end }}
+ {{ end }}
+ {{ else }}
+ {{ $_ := unset $valuesCtx $k }}
+ {{ if not (kindIs "invalid" $v) }}
+ {{ $tplCtx := dict "Template" $template "value" (toJson $oldVal) "rawValue" $oldVal }}
+ {{ $configFragment := tpl $v $tplCtx | fromYaml }}
+ {{ include "srox._mergeCompat" (list $values $configFragment (append $ctxPath $k) list) }}
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
+{{ end }}
+
+{{ define "srox._mergeCompat" }}
+{{ $values := index . 0 }}
+{{ $newConfig := index . 1 }}
+{{ $compatValuePath := index . 2 }}
+{{ $path := index . 3 }}
+{{ range $k, $v := $newConfig }}
+ {{ $currVal := index $values $k }}
+ {{ if kindIs "invalid" $currVal }}
+ {{ $_ := set $values $k $v }}
+ {{ else if and (kindIs "map" $v) (kindIs "map" $currVal) }}
+ {{ include "srox._mergeCompat" (list $currVal $v $compatValuePath (append $path $k)) }}
+ {{ else }}
+ {{ include "srox.fail" (printf "Conflict between legacy configuration values %s and explicitly set configuration value %s, please unset legacy value" (join "." $compatValuePath) (append $path $k | join ".")) }}
+ {{ end }}
+{{ end }}
+{{ end }}
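Review bot: In `srox._doApplyCompat` the legacy key is `unset` before its rule is rendered, and `tpl $v $tplCtx | fromYaml` is never checked, so a rule that renders to invalid YAML (or to nothing) silently discards the user's legacy setting without writing its replacement; Helm's `fromYaml` does not fail on bad input but returns an empty dict or one carrying an `Error` key, which is exactly why `_defaults.tpl` in this patch appends a marker. A guard before the merge would close that gap, e.g. `{{ if or (not $configFragment) (hasKey $configFragment "Error") }}{{ include "srox.fail" (printf "Compatibility rule for %s produced no valid configuration" (join "." (append $ctxPath $k))) }}{{ end }}`, unless an empty fragment is a legitimate rule result, in which case say so in a comment. The nil-rule branch likewise drops a recognised legacy option without telling the user; pushing a line onto `$._rox._state.warnings` (which NOTES.txt prints) would need `$` threaded through the call, but a comment on the `unset` line stating that nil rules mean "silently ignored" is the minimum.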
diff --git a/3.0.59.0/secured-cluster-services/templates/_defaults.tpl b/3.0.59.0/secured-cluster-services/templates/_defaults.tpl new file mode 100644 index 0000000..7f8629b --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/_defaults.tpl @@ -0,0 +1,35 @@ +{{/* + srox.applyDefaults . + + Applies defaults defined in `internal/defaults`, in an order that depends on the filenames. + */}} +{{ define "srox.applyDefaults" }} +{{ $ := . }} +{{/* Apply defaults */}} +{{ range $defaultsFile, $defaultsTpl := $.Files.Glob "internal/defaults/*.yaml" }} + {{ $tplSects := regexSplit "(^|\n)---($|\n)" (toString $defaultsTpl) -1 }} + {{ $sectCounter := 0 }} + {{ range $tplSect := $tplSects }} + {{/* + tpl will merely stop creating output if an error is encountered during rendering (not during parsing), but we want + to be certain that we recognized invalid templates. Hence, add a marker line at the end, and verify that it + shows up in the output. + */}} + {{ $renderedSect := tpl (list $tplSect "{{ \"\\n#MARKER\\n\" }}" | join "") $ }} + {{ if not (hasSuffix "\n#MARKER\n" $renderedSect) }} + {{ include "srox.fail" (printf "Section %d in defaults file %s contains invalid templating" $sectCounter $defaultsFile) }} + {{ end }} + {{/* + fromYaml only returns an empty dict upon error, but we want to be certain that we recognized invalid YAML. + Hence, add a marker value. + */}} + {{ $sectDict := fromYaml (cat $renderedSect "\n__marker: true\n") }} + {{ if not (index $sectDict "__marker") }} + {{ include "srox.fail" (printf "Section %d in defaults file %s contains invalid YAML" $sectCounter $defaultsFile) }} + {{ end }} + {{ $_ := unset $sectDict "__marker" }} + {{ $_ = include "srox.mergeInto" (list $._rox $sectDict) }} + {{ $sectCounter = add $sectCounter 1 }} + {{ end }} +{{ end }} +{{ end }} diff --git a/3.0.59.0/secured-cluster-services/templates/_dict.tpl b/3.0.59.0/secured-cluster-services/templates/_dict.tpl new file mode 100644 index 0000000..bf14a6d --- /dev/null 
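Review bot: The comment `fromYaml only returns an empty dict upon error` does not match Helm 3's `fromYaml`, which, as far as I know, stores the parse error under an `Error` key in the returned dict; the `__marker` check still detects the failure, but the comment should say so and the error text could be surfaced, e.g. `{{ include "srox.fail" (printf "Section %d in defaults file %s contains invalid YAML: %v" $sectCounter $defaultsFile (index $sectDict "Error")) }}`. The header says defaults are applied "in an order that depends on the filenames" but not which direction wins; since `srox.mergeInto` keeps existing values, add a sentence that a key set by an earlier (alphabetically first) file cannot be overridden by a later one. `$sectCounter` is zero-based in the error messages, which is worth a word as well.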
+++ b/3.0.59.0/secured-cluster-services/templates/_dict.tpl 
@@ -0,0 +1,142 @@ +{{/* + srox.compactDict $target [$depth] + + Compacts a dict $target by removing entries with empty values. + By default, only the top-level dict $target itself is modified. If the optional $depth + parameter is specified and is non-zero, this determines the recursion depth over which the + compaction is applied to nested diocts as well. A $depth of -1 means to compact all nested + dicts, regardless of depth. + */}} +{{ define "srox.compactDict" }} +{{ $args := . }} +{{ if not (kindIs "slice" $args) }} + {{ $args = list $args 0 }} +{{ end }} +{{ $target := index $args 0 }} +{{ $depth := index $args 1 }} +{{ $zeroValKeys := list }} +{{ range $k, $v := $target }} + {{ if and (kindIs "map" $v) (ne $depth 0) }} + {{ include "srox.compactDict" (list $v (sub $depth 1)) }} + {{ end }} + {{ if not $v }} + {{ $zeroValKeys = append $zeroValKeys $k }} + {{ end }} +{{ end }} +{{ range $k := $zeroValKeys }} + {{ $_ := unset $target $k }} +{{ end }} +{{ end }} + +{{/* + srox.destructiveMergeOverwrite $out $dict1 $dict2... + + Recursively merges $dict1, $dict2 (in this order) into $out, similar to mergeOverwrite. + The eponymous difference is the fact that any explicit "null" entries in the source + dictionaries cause the respective entry to be deleted. + */}} +{{ define "srox.destructiveMergeOverwrite" }} +{{ $out := first . }} +{{ $toMergeList := rest . 
}} +{{ range $toMerge := $toMergeList }} + {{ range $k, $v := $toMerge }} + {{ if kindIs "invalid" $v }} + {{ $_ := unset $out $k }} + {{ else if kindIs "map" $v }} + {{ $outV := index $out $k }} + {{ if kindIs "invalid" $outV }} + {{ $_ := set $out $k (deepCopy $v) }} + {{ else if kindIs "map" $outV }} + {{ include "srox.destructiveMergeOverwrite" (list $outV $v) }} + {{ else }} + {{ fail (printf "when merging at key %s: incompatible kinds %s and %s" $k (kindOf $v) (kindOf $outV)) }} + {{ end }} + {{ else }} + {{ $_ := set $out $k $v }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox.stringifyDictValues $dict + + Recursively traverses $dict and converts every non-dict value to a string. + */}} +{{ define "srox.stringifyDictValues" }} +{{ $dict := . }} +{{ range $k, $v := $dict }} + {{ if kindIs "map" $v }} + {{ include "srox.stringifyDictValues" $v }} + {{ else }} + {{ $_ := set $dict $k (toString $v) }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox.safeDictLookup $dict $out $path + + Looks up $path in $dict, and stores the result (if any) in $out.result. + $path is a dot-separated list of nested field names. An empty $path causes + $dict to be stored in $out.result. + + Example: srox.safeDictLookup $dict $out "a.b.c" stores the value of $dict.a.b.c, if + it exists, in $out.result. Otherwise, it does nothing - in particular, it does + not fail, as accessing $dict.a.b.c unconditionally would if any of $dict, $dict.a, + or $dict.a.b was not a dict. + */}} +{{ define "srox.safeDictLookup" }} +{{ $dict := index . 0 }} +{{ $out := index . 1 }} +{{ $path := index . 2 }} +{{ $curr := $dict }} +{{ $pathList := splitList "." 
$path | compact }} +{{ range $pathElem := $pathList }} + {{ if kindIs "map" $curr }} + {{ $curr = index $curr $pathElem }} + {{ else if not (kindIs "invalid" $curr) }} + {{ $curr = dict.nil }} + {{ end }} +{{ end }} +{{ if not (kindIs "invalid" $curr) }} + {{ $_ := set $out "result" $curr }} +{{ end }} +{{ end }} + + + +{{/* + srox.mergeInto $tgt $src1..$srcN + + Recursively merges values from $src1, ..., $srcN into $tgt, giving preference to + values in $tgt. + + Unlike Sprig's merge, this does not overwrite falsy values when explicitly defined, + with the exception of `null` values (this also sets it apart from Sprig's mergeOverwrite). + + Whenever entire (nested) dicts are merged as-is from one of the sources into $tgt, a deep + copy of the respective nested dict is created. + + An empty string is always returned, hence this should be invoked in the form + $_ := include "srox.mergeInto" (list $tgt $src1 $src2) + */}} +{{ define "srox.mergeInto" }} +{{ $tgt := first . }} +{{ range $src := rest . }} + {{ range $k, $srcV := $src }} + {{ $tgtV := index $tgt $k }} + {{ if kindIs "map" $srcV }} + {{ if kindIs "invalid" $tgtV }} + {{ $_ := set $tgt $k (deepCopy $srcV) }} + {{ else if kindIs "map" $tgtV }} + {{ $_ := include "srox.mergeInto" (list $tgtV $srcV) }} + {{ else }} + {{ fail (printf "Incompatible kinds for key %s: %s vs %s" $k (kindOf $srcV) (kindOf $tgtV)) }} + {{ end }} + {{ else if and (not (kindIs "invalid" $srcV)) (kindIs "invalid" $tgtV) }} + {{ $_ := set $tgt $k $srcV }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} diff --git a/3.0.59.0/secured-cluster-services/templates/_expand.tpl b/3.0.59.0/secured-cluster-services/templates/_expand.tpl new file mode 100644 index 0000000..ed1cb1f --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/_expand.tpl 
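Review bot: `srox.destructiveMergeOverwrite` and `srox.mergeInto` abort with a bare `fail`, while every other helper in this patch reports through `include "srox.fail"`; routing these two through the same helper keeps error output uniform, e.g. `{{ include "srox.fail" (printf "when merging at key %s: incompatible kinds %s and %s" $k (kindOf $v) (kindOf $outV)) }}`. `srox.compactDict` drops every falsy value, which includes an explicit `false`, `0` and `""`, not only empty collections as the header's "empty values" suggests; either state `falsy (false, 0, "", nil, empty collections)` in the comment or restrict the test to collections if callers depend on keeping an explicit `false`. The same header has the typo `diocts`, and `srox.safeDictLookup`'s `dict.nil` trick for producing a nil deserves a one-line comment so it is not "fixed" away.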
@@ -0,0 +1,96 @@ +{{/* + srox.expandAll $ $target $expandable [$path] + + Expands values within $target that are flagged in $expandable, using $path + as the path from the configuration root to $target for error reporting purposes. + + If $target is nil, nothing happens. Otherwise, $target must be a dict. For every key + of $target that is also present in $expandable, the following action is performed: + - If the entry in $expandable is a dict, recursive invoke "srox.expandAll" on the + respective entries, with an adjusted $path. + - Otherwise, the entry in $expandable is assume to be of boolean value. If the value is + true, the corresponding entry's value in $target is expanded (see "srox._expandSingle" + below for a definition of expanding), and the result of the expansion is stored under + the key with a "_" prepended in $target. The original entry in $target is removed. This + ensures "srox.expandAll" is an idempotent operation). + */}} +{{ define "srox.expandAll" }} +{{ $args := . }} +{{ $ := index $args 0 }} +{{ $target := index $args 1 }} +{{ $expandable := index $args 2 }} +{{ $path := list }} +{{ if ge (len $args) 4 }} + {{ $path = index $args 3 }} + {{ if kindIs "string" $path }} + {{ $path = splitList "." $path | compact }} + {{ end }} +{{ end }} + +{{ if kindIs "map" $target }} + {{ range $k, $v := $expandable }} + {{ $childPath := append $path $k }} + {{ $targetV := index $target $k }} + {{ if kindIs "map" $v }} + {{ include "srox.expandAll" (list $ $targetV $v $childPath) }} + {{ else if $v }} + {{ if not (kindIs "invalid" $targetV) }} + {{ $expanded := include "srox._expandSingle" (list $ $targetV (join "." $childPath)) }} + {{ $_ := set $target (printf "_%s" $k) $expanded }} + {{ end }} + {{ $_ := unset $target $k }} + {{ end }} + {{ end }} +{{ else if not (kindIs "invalid" $target) }} + {{ include "srox.fail" (printf "Error expanding value at %s: expected map, got: %s" (join "." 
$path) (kindOf $target)) }} +{{ end }} +{{ end }} + +{{/* + srox.expand $ $spec + + Parses and expands a "specification string" in the following way: + - If $spec is a dictionary, return $spec rendered as a YAML. + - Otherwise, if $spec starts with a backslash character (`\`), return $spec minus the leading + backslash character. + - Otherwise, if $spec starts with an `@` character, strip off the first character and + treat the remainder of the string as a `|`-separated list of file names. Try to load + each referenced file, in order, via `stackrox.getFile`. The result is the first file + that could be successfully loaded. If no file could be loaded, expansion fails. + - Otherwise, return $spec as-is. + */}} +{{- define "srox._expandSingle" -}} + {{- $ := index . 0 -}} + {{- $spec := index . 1 -}} + {{- $context := index . 2 -}} + {{- $result := "" -}} + {{- if kindIs "string" $spec -}} + {{- if hasPrefix "\\" $spec -}} + {{- /* use \ as string-wide escape character */ -}} + {{- $result = trimPrefix "\\" $spec -}} + {{- else if hasPrefix "@" $spec -}} + {{- /* treat as file list (first found matches) */ -}} + {{- /* If the prefix is "@?" expansion will not fail if no files could be found, instead an empty string is returned. */ -}} + {{- $fileSpec := trimPrefix "@" $spec -}} + {{- $allowNotFound := false -}} + {{- if hasPrefix "?" $fileSpec -}} + {{- $allowNotFound = true -}} + {{- $fileSpec = trimPrefix "?" 
$fileSpec -}} + {{- end -}} + {{- $fileList := regexSplit "\\s*\\|\\s*" ($fileSpec | trim) -1 -}} + {{- $fileRes := dict -}} + {{- $_ := include "srox.loadFile" (list $ $fileRes $fileList) -}} + {{- if and (not $allowNotFound) (not $fileRes.found) -}} + {{- include "srox.fail" (printf "Expanding %s: file reference %q: none of the referenced files were found" $context $spec) -}} + {{- end -}} + {{- $result = default "" $fileRes.contents -}} + {{- else -}} + {{/* treat as raw string */}} + {{- $result = $spec -}} + {{- end -}} + {{- else if not (kindIs "invalid" $spec) -}} + {{- /* render non-string, non-nil values as YAML */ -}} + {{- $result = toYaml $spec -}} + {{- end -}} + {{- $result -}} +{{- end -}} diff --git a/3.0.59.0/secured-cluster-services/templates/_helpers.tpl b/3.0.59.0/secured-cluster-services/templates/_helpers.tpl new file mode 100644 index 0000000..e87f10f --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/_helpers.tpl 
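Review bot: The doc block above `srox._expandSingle` is titled `srox.expand` and says files are loaded via `stackrox.getFile`, but the helper is named `srox._expandSingle` and calls `srox.loadFile`; it also omits the `@?` form, which only the inline comment documents, and `srox.expandAll`'s header has `assume to be` for `assumed to be`. Because `srox.loadFile` consults `meta.fileOverrides` before the chart's own files, an `@name` reference can be satisfied by content supplied in a values file rather than shipped with the chart, which a reviewer of a values file should know. Suggested replacement for the `@` bullet: `- Otherwise, if $spec starts with "@" (or "@?" to tolerate a missing file), strip the prefix and treat the remainder as a |-separated list of file names, loaded in order via srox.loadFile (which also honours meta.fileOverrides); the first file found wins, and expansion fails if none is found unless "@?" was used.`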
@@ -0,0 +1,68 @@ +{{/* + Misceallaneous helper templates. + */}} + + + + +{{/* + srox.loadFile $ $out $fileName-or-list + + This helper function reads a file. It differs from $.Files.Get in that it also takes + $._rox.meta.fileOverrides into account. Furthermore, it can receive a list of file names, + and will try these files in order. Finally, it indicates whether a file was found via the + $out.found property (as opposed to $.Files.Get, which cannot distinguish between a successful + read of an empty file, and this file not being found). + The file contents will be returned via $out.contents + */}} +{{ define "srox.loadFile" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ $fileNames := index . 2 }} +{{ if not (kindIs "slice" $fileNames) }} + {{ $fileNames = list $fileNames }} +{{ end }} +{{ $contents := index dict "" }} +{{ range $fileName := $fileNames }} + {{ if kindIs "invalid" $contents }} + {{ $contents = index $._rox.meta.fileOverrides $fileName }} + {{ end }} + {{ if kindIs "invalid" $contents }} + {{ range $path, $_ := $.Files.Glob $fileName }} + {{ if kindIs "invalid" $contents }} + {{ $contents = $.Files.Get $path }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ if not (kindIs "invalid" $contents) }} + {{ $_ := set $out "contents" $contents }} +{{ end }} +{{ $_ := set $out "found" (not (kindIs "invalid" $contents)) }} +{{ end }} + + +{{/* + srox.checkGenerated $ $cfgPath + + Checks if the value at configuration path $cfgPath (e.g., "central.adminPassword.value") was + generated. Evaluates to the string "true" if this is the case, and an empty string otherwise. + */}} +{{- define "srox.checkGenerated" -}} +{{- $ := index . 0 -}} +{{- $cfgPath := index . 1 -}} +{{- $genCfg := $._rox._state.generated -}} +{{- $exists := true -}} +{{- range $pathElem := splitList "." 
$cfgPath -}} + {{- if $exists -}} + {{- if hasKey $genCfg $pathElem -}} + {{- $genCfg = index $genCfg $pathElem -}} + {{- else -}} + {{- $exists = false -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $exists -}} +true +{{- end -}} +{{- end -}} diff --git a/3.0.59.0/secured-cluster-services/templates/_image-pull-secrets.tpl b/3.0.59.0/secured-cluster-services/templates/_image-pull-secrets.tpl new file mode 100644 index 0000000..217160d --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/_image-pull-secrets.tpl 
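Review bot: `srox.checkGenerated` calls `hasKey $genCfg $pathElem` for every path element without confirming that `$genCfg` is still a map, so a `$cfgPath` that passes through a generated scalar at an intermediate element raises a template error instead of evaluating to empty; `{{- if and (kindIs "map" $genCfg) (hasKey $genCfg $pathElem) -}}` keeps the helper total. In `srox.loadFile`, `index $._rox.meta.fileOverrides $fileName` presumes `meta.fileOverrides` is always a map, which presumably holds via the `config-shape.yaml` merge in `srox.init` (not in this hunk); a comment naming that dependency would stop a later shape change from breaking file loading obscurely. The header should also mention that each name is passed to `$.Files.Glob` and may therefore match several files, of which the first in sorted order is taken.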
@@ -0,0 +1,86 @@ +{{/* + srox.configureImagePullSecrets $ $cfgName $imagePullSecrets $secretResourceName $defaultSecretNames $namespace + + Configures image pull secrets. + + This function enriches $imagePullSecrets based on the exposed configuration parameters to contain + a list of Kubernetes secret names as `_names` to be used as image pull secrets within the chart + templates. This list contains the following secrets: + + - Secrets referenced via $imagePullSecrets.useExisting. + - Image pull secrets associated with the default service account (if + $imagePullSecrets.useFromDefaultServiceAccount is true). + - $secretResourceName, if $imagePullSecrets.username is set. + - $defaultSecretNames. */}} + +{{ define "srox.configureImagePullSecrets" }} +{{ $ := index . 0 }} +{{ $cfgName := index . 1 }} +{{ $imagePullSecrets := index . 2 }} +{{ $secretResourceName := index . 3 }} +{{ $defaultSecretNames := index . 4 }} +{{ $namespace := index . 5 }} + +{{ $imagePullSecretNames := default list $imagePullSecrets.useExisting }} +{{ if not (kindIs "slice" $imagePullSecretNames) }} + {{ $imagePullSecretNames = regexSplit "\\s*[,;]\\s*" (trim $imagePullSecretNames) -1 }} +{{ end }} +{{ if $imagePullSecrets.useFromDefaultServiceAccount }} + {{ $defaultSA := dict }} + {{ include "srox.safeLookup" (list $ $defaultSA "v1" "ServiceAccount" $namespace "default") }} + {{ if $defaultSA.result }} + {{ range $ips := default list $defaultSA.result.imagePullSecrets }} + {{ if $ips.name }} + {{ $imagePullSecretNames = append $imagePullSecretNames $ips.name }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ $imagePullCreds := dict }} +{{ if $imagePullSecrets._username }} + {{ $imagePullCreds = dict "username" $imagePullSecrets._username "password" $imagePullSecrets._password }} + {{ $imagePullSecretNames = append $imagePullSecretNames $secretResourceName }} +{{ else if $imagePullSecrets._password }} + {{ $msg := printf "Username missing in %q. 
Whenever an image pull password is specified, a username must be specified as well" $cfgName }} + {{ include "srox.fail" $msg }} +{{ end }} +{{ if and $.Release.IsInstall (not $imagePullSecretNames) (not $imagePullSecrets.allowNone) }} + {{ $msg := printf "You have not specified any image pull secrets, and no existing image pull secrets were automatically inferred. If your registry does not need image pull credentials, explicitly set the '%s.allowNone' option to 'true'" $cfgName }} + {{ include "srox.fail" $msg }} +{{ end }} + +{{ $imagePullSecretNames = concat (append $imagePullSecretNames $secretResourceName) $defaultSecretNames | uniq | sortAlpha }} +{{ $_ := set $imagePullSecrets "_names" $imagePullSecretNames }} +{{ $_ := set $imagePullSecrets "_creds" $imagePullCreds }} + +{{ end }} + +{{ define "srox.configureImagePullSecretsForDockerRegistry" }} +{{ $ := index . 0 }} +{{ $imagePullSecrets := index . 1 }} + +{{/* Setup Image Pull Secrets for Docker Registry. + Note: This must happen afterwards, as we rely on "srox.configureImage" to collect the + set of all referenced images first. */}} +{{ if $imagePullSecrets._username }} + {{ $dockerAuths := dict }} + {{ range $image := keys $._rox._state.referencedImages }} + {{ $registry := splitList "/" $image | first }} + {{ if eq $registry "docker.io" }} + {{/* Special case docker.io */}} + {{ $registry = "https://index.docker.io/v1/" }} + {{ else }} + {{ $registry = printf "https://%s" $registry }} + {{ end }} + {{ $_ := set $dockerAuths $registry dict }} + {{ end }} + {{ $authToken := printf "%s:%s" $imagePullSecrets._username $imagePullSecrets._password | b64enc }} + {{ range $regSettings := values $dockerAuths }} + {{ $_ := set $regSettings "auth" $authToken }} + {{ end }} + + {{ $_ := set $imagePullSecrets "_dockerAuths" $dockerAuths }} +{{ end }} + +{{ end }} + 
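Review bot: `srox.configureImagePullSecretsForDockerRegistry` registers the single `username:password` token under `auths` for every registry found in `$._rox._state.referencedImages`, so when the main image is pulled from a private registry but another image still resolves to the `docker.io` default, the private credentials are presented to Docker Hub on every pull, which is credential leakage to an unrelated registry. At minimum put `{{/* NOTE: the same credentials are written for every referenced registry; deployments with mixed registries should use imagePullSecrets.useExisting */}}` above the `range $image` loop, and consider appending a warning to `$._rox._state.warnings` when `$dockerAuths` ends up with more than one entry; scoping the entry to the registry the user actually configured would be the stronger fix but needs a config key I cannot see here. Separately, `_username` with an empty `_password` passes both checks and yields a `user:` token, while the reverse case fails; `{{ if and $imagePullSecrets._username $imagePullSecrets._password }}` with a matching else-branch failure for a lone username makes the two symmetric.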
diff --git a/3.0.59.0/secured-cluster-services/templates/_images.tpl b/3.0.59.0/secured-cluster-services/templates/_images.tpl
new file mode 100644
index 0000000..dced29d
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/_images.tpl
@@ -0,0 +1,34 @@
+{{/*
+ srox.configureImage $ $imageCfg
+
+ Configures settings for a single image by augmenting/completing an existing image configuration
+ stanza.
+
+ If $imageCfg.fullRef is empty:
+ First, the image registry is determined by inspecting $imageCfg.registry and, if this is empty,
+ $._rox.image.registry, ultimately defaulting to `docker.io`. The full image ref is then
+ constructed from the registry, $imageCfg.name (must be non-empty), and $imageCfg.tag (may be
+ empty, in which case "latest" is assumed). The result is stored in $imageCfg.fullRef.
+
+ Afterwards (irrespective of the previous check), $imageCfg.fullRef is modified by prepending
+ "docker.io/" if and only if it did not contain a remote yet (i.e., the part before the first "/"
+ did not contain a dot (DNS name) or colon (port)).
+
+ Finally, the resulting $imageCfg.fullRef is stored as a dict entry with value `true` in the
+ $._rox._state.referencedImages dict.
+ */}}
+{{ define "srox.configureImage" }}
+{{ $ := index . 0 }}
+{{ $imageCfg := index . 1 }}
+{{ $imageRef := $imageCfg.fullRef }}
+{{ if not $imageRef }}
+ {{ $imageRef = printf "%s/%s:%s" (coalesce $imageCfg.registry $._rox.image.registry "docker.io") $imageCfg.name (default "latest" $imageCfg.tag) }}
+{{ end }}
+{{ $imageComponents := splitList "/" $imageRef }}
+{{ $firstComponent := index $imageComponents 0 }}
+{{ if or (lt (len $imageComponents) 2) (and (not (contains ":" $firstComponent)) (not (contains "." $firstComponent))) }}
+ {{ $imageRef = printf "docker.io/%s" $imageRef }}
+{{ end }}
+{{ $_ := set $imageCfg "fullRef" $imageRef }}
+{{ $_ = set $._rox._state.referencedImages $imageRef true }}
+{{ end }}
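Review bot: `srox.configureImage` documents that `$imageCfg.name` must be non-empty but never enforces it, so an empty name produces a reference like `docker.io/:latest` that only fails once a pod tries to pull; add `{{ if not $imageCfg.name }}{{ include "srox.fail" "image name must not be empty" }}{{ end }}` before the `printf`. The registry heuristic (first path component contains `.` or `:`) diverges from Docker's reference grammar, which also treats a bare `localhost` first component as a registry, so `localhost/foo` would here be rewritten to `docker.io/localhost/foo`; either add `(ne $firstComponent "localhost")` to the condition or note the difference in the header. Finally, the silent fallback to `latest` yields a mutable reference for a security component; a sentence in the header recommending a pinned tag or digest, and ideally a line pushed to `$._rox._state.warnings` when the default is taken, would make that visible in NOTES.txt.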
diff --git a/3.0.59.0/secured-cluster-services/templates/_init.tpl b/3.0.59.0/secured-cluster-services/templates/_init.tpl
new file mode 100644
index 0000000..a2b3ece
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/_init.tpl
@@ -0,0 +1,206 @@ +{{/* + srox.init $ + + Initialization template for the internal data structures. + This template is designed to be included in every template file, but will only be executed + once by leveraging state sharing between templates. + */}} +{{ define "srox.init" }} + +{{ $ := . }} + +{{/* + On first(!) instantiation, set up the $._rox structure, containing everything required by + the resource template files. + */}} +{{ if not $._rox }} + +{{/* + Calculate the fingerprint of the input config. + */}} +{{ $configFP := printf "%s-%d" (.Values | toJson | sha256sum) .Release.Revision }} + +{{/* + Initial Setup + */}} + +{{ $values := deepCopy $.Values }} +{{ include "srox.applyCompatibilityTranslation" (list $ $values) }} + +{{/* + $rox / ._rox is the dictionary in which _all_ data that is modified by the init logic + is stored. + We ensure that it has the required shape, and then right after merging the user-specified + $.Values, we apply some bootstrap defaults. + */}} +{{ $rox := deepCopy $values }} +{{ $_ := include "srox.mergeInto" (list $rox ($.Files.Get "internal/config-shape.yaml" | fromYaml)) }} +{{ $_ = set $ "_rox" $rox }} + +{{/* Set the config fingerprint */}} +{{ $_ = set $._rox "_configFP" $configFP }} + +{{/* Global state (accessed from sub-templates) */}} +{{ $state := dict "notes" list "warnings" list "referencedImages" dict }} +{{ $_ = set $._rox "_state" $state }} + +{{/* + API Server setup. The problem with `.Capabilities.APIVersions` is that Helm does not + allow setting overrides for those when using `helm template` or `--dry-run`. Thus, + if we rely on `.Capabilities.APIVersions` directly, we lose flexibility for our chart + in these settings. Therefore, we use custom fields such that a user in principle has + the option to inject via `--set`/`-f` everything we rely upon. 
+ */}} +{{ $apiResources := list }} +{{ if not (kindIs "invalid" $._rox.meta.apiServer.overrideAPIResources) }} + {{ $apiResources = $._rox.meta.apiServer.overrideAPIResources }} +{{ else }} + {{ range $apiResource := $.Capabilities.APIVersions }} + {{ $apiResources = append $apiResources $apiResource }} + {{ end }} +{{ end }} +{{ if $._rox.meta.apiServer.extraAPIResources }} + {{ $apiResources = concat $apiResources $._rox.meta.apiServer.extraAPIResources }} +{{ end }} +{{ $apiServerVersion := coalesce $._rox.meta.apiServer.version $.Capabilities.KubeVersion.Version }} +{{ $apiServer := dict "apiResources" $apiResources "version" $apiServerVersion }} +{{ $_ = set $._rox "_apiServer" $apiServer }} + +{{ include "srox.applyDefaults" $ }} + +{{/* Expand applicable config values */}} +{{ $expandables := $.Files.Get "internal/expandables.yaml" | fromYaml }} +{{ include "srox.expandAll" (list $ $rox $expandables) }} + +{{/* + General validation of effective settings. + */}} + +{{ if not $.Release.IsUpgrade }} +{{ if ne $._rox._namespace "stackrox" }} + {{ if $._rox.allowNonstandardNamespace }} + {{ include "srox.note" (list $ (printf "You have chosen to deploy to namespace '%s'." $._rox._namespace)) }} + {{ else }} + {{ include "srox.fail" (printf "You have chosen to deploy to namespace '%s', not 'stackrox'. If this was accidental, please re-run helm with the '-n stackrox' option. Otherwise, if you need to deploy into this namespace, set the 'allowNonstandardNamespace' configuration value to true." $._rox._namespace) }} + {{ end }} +{{ end }} +{{ end }} + +{{/* If a cluster name should change the confirmNewClusterName value must match clusterName. */}} +{{ if and $._rox.confirmNewClusterName (ne $._rox.confirmNewClusterName $._rox.clusterName) }} + {{ include "srox.fail" (printf "Failed to change cluster name. Values for confirmNewClusterName '%s' did not match clusterName '%s'." 
$._rox.confirmNewClusterName $._rox.clusterName) }} +{{ end }} + + +{{ if not $.Release.IsUpgrade }} +{{ if ne $.Release.Name $.Chart.Name }} + {{ if $._rox.allowNonstandardReleaseName }} + {{ include "srox.warn" (list $ (printf "You have chosen a release name of '%s', not '%s'. Accompanying scripts and commands in documentation might require adjustments." $.Release.Name $.Chart.Name)) }} + {{ else }} + {{ include "srox.fail" (printf "You have chosen a release name of '%s', not '%s'. We strongly recommend using the standard release name. If you must use a different name, set the 'allowNonstandardReleaseName' configuration option to true." $.Release.Name $.Chart.Name) }} + {{ end }} +{{ end }} +{{ end }} + + + +{{/* + Environment setup +*/}} + +{{/* Infer openshift version */}} +{{ if and $._rox.env.openshift (kindIs "bool" $._rox.env.openshift) }} + {{/* Parse and add KubeVersion as semver from built-in resources. This is necessary to compare valid integer numbers. */}} + {{ $kubeVersion := semver .Capabilities.KubeVersion.Version }} + + {{/* Default to OpenShift 3 if no openshift resources are available, i.e. in helm tempalte commands */}} + {{ if not (has "apps.openshift.io/v1" $._rox._apiServer.apiResources) }} + {{ $_ := set $._rox.env "openshift" 3 }} + {{ else if gt $kubeVersion.Minor 11 }} + {{ $_ := set $._rox.env "openshift" 4 }} + {{ else }} + {{ $_ := set $._rox.env "openshift" 3 }} + {{ end }} + + {{ include "srox.note" (list $ (printf "Based on API server properties, we have inferred that you are deploying into an OpenShift %d cluster. Set the `env.openshift` property explicitly to 3 or 4 to override the auto-sensed value." 
$._rox.env.openshift)) }} +{{ end }} +{{ if not (kindIs "bool" $._rox.env.openshift) }} + {{ $_ := set $._rox.env "openshift" (int $._rox.env.openshift) }} +{{ else if not $._rox.env.openshift }} + {{ $_ := set $._rox.env "openshift" 0 }} +{{ end }} + +{{ if and $._rox.admissionControl.dynamic.enforceOnCreates (not $._rox.admissionControl.listenOnCreates) }} + {{ include "srox.warn" (list $ "Incompatible settings: 'admissionControl.dynamic.enforceOnCreates' is set to true, while `admissionControl.listenOnCreates` is set to false. For the feature to be active, enable both settings by setting them to true.") }} +{{ end }} + +{{ if and $._rox.admissionControl.dynamic.enforceOnUpdates (not $._rox.admissionControl.listenOnUpdates) }} + {{ include "srox.warn" (list $ "Incompatible settings: 'admissionControl.dynamic.enforceOnUpdates' is set to true, while `admissionControl.listenOnUpdates` is set to false. For the feature to be active, enable both settings by setting them to true.") }} +{{ end }} + +{{ if and (eq $._rox.env.openshift 3) $._rox.admissionControl.listenOnEvents }} + {{ include "srox.fail" "'admissionControl.listenOnEvents' is set to true, but the chart is being deployed in OpenShift 3.x compatibility mode, which does not work with this feature. Set 'env.openshift' to '4' in order to enable OpenShift 4.x features." }} +{{ end }} + +{{/* Initial image pull secret setup. 
*/}} +{{ include "srox.mergeInto" (list $._rox.mainImagePullSecrets $._rox.imagePullSecrets) }} +{{ include "srox.configureImagePullSecrets" (list $ "mainImagePullSecrets" $._rox.mainImagePullSecrets "secured-cluster-services-main" (list "stackrox") $._rox._namespace) }} +{{ include "srox.mergeInto" (list $._rox.collectorImagePullSecrets $._rox.imagePullSecrets) }} +{{ include "srox.configureImagePullSecrets" (list $ "collectorImagePullSecrets" $._rox.collectorImagePullSecrets "secured-cluster-services-collector" (list "stackrox" "collector-stackrox") $._rox._namespace) }} + +{{/* Additional CAs. */}} +{{ $additionalCAList := list }} +{{ if kindIs "string" $._rox.additionalCAs }} + {{ if $._rox.additionalCAs }} + {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $._rox.additionalCAs) }} + {{ end }} +{{ else if kindIs "slice" $._rox.additionalCAs }} + {{ range $contents := $._rox.additionalCAs }} + {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $contents) }} + {{ end }} +{{ else if kindIs "map" $._rox.additionalCAs }} + {{ range $name := keys $._rox.additionalCAs | sortAlpha }} + {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (get $._rox.additionalCAs $name)) }} + {{ end }} +{{ else if not (kindIs "invalid" $._rox.additionalCAs) }} + {{ include "srox.fail" (printf "Invalid kind %s for additionalCAs" (kindOf $._rox.additionalCAs)) }} +{{ end }} +{{ range $path, $contents := .Files.Glob "secrets/additional-cas/**" }} + {{ $name := trimPrefix "secrets/additional-cas/" $path }} + {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (toString $contents)) }} +{{ end }} +{{ $additionalCAs := dict }} +{{ range $idx, $elem := $additionalCAList }} + {{ if not (kindIs "string" $elem.contents) }} + {{ include "srox.fail" (printf "Invalid non-string contents kind %s at index %d (%q) of additionalCAs" (kindOf $elem.contents) $idx $elem.name) }} + {{ end }} + 
{{/* In a k8s secret, no characters other than alphanumeric, '.', '_' and '-' are allowed. Also, for the + update-ca-certificates script to work, the file names must end in '.crt'. */}} + + {{ $normalizedName := printf "%02d-%s.crt" $idx (regexReplaceAll "[^[:alnum:]._-]" $elem.name "-" | trimSuffix ".crt") }} + {{ $_ := set $additionalCAs $normalizedName $elem.contents }} +{{ end }} +{{ $_ = set $._rox "_additionalCAs" $additionalCAs }} + +{{/* + Final validation (after merging in defaults). + */}} + +{{ if and ._rox.helmManaged (not ._rox.clusterName) }} + {{ include "srox.fail" "No cluster name specified. Set 'clusterName' to the desired cluster name." }} +{{ end }} + +{{/* Image settings */}} +{{ include "srox.configureImage" (list $ ._rox.image.main) }} +{{ include "srox.configureImage" (list $ ._rox.image.collector) }} + +{{/* + Post-processing steps. + */}} + +{{ include "srox.configureImagePullSecretsForDockerRegistry" (list $ ._rox.mainImagePullSecrets) }} +{{ include "srox.configureImagePullSecretsForDockerRegistry" (list $ ._rox.collectorImagePullSecrets) }} + +{{ end }} + +{{ end }} diff --git a/3.0.59.0/secured-cluster-services/templates/_lookup.tpl b/3.0.59.0/secured-cluster-services/templates/_lookup.tpl new file mode 100644 index 0000000..17f6306 --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/_lookup.tpl 
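Review bot: The OpenShift-version inference reads `.Capabilities.KubeVersion.Version` directly (`{{ $kubeVersion := semver .Capabilities.KubeVersion.Version }}`), bypassing the `meta.apiServer.version` override that this same template folds into `$._rox._apiServer.version` earlier for exactly the `helm template`/`--dry-run` situation the API-server comment describes. Using `{{ $kubeVersion := semver $._rox._apiServer.version }}` keeps the override effective for the 3-vs-4 decision; the API-resources half of that check already honors `_apiServer.apiResources`, so only the version half is inconsistent. The comment on that branch also carries a typo (`tempalte`). The enclosing `srox.init` definition is complete within this hunk.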
@@ -0,0 +1,40 @@ +{{/* + srox.safeLookup $ $out $apiVersion $kind $ns $name + + This function does nothing if $.meta.useLookup is false; otherwise, it will + perform a `lookup $apiVersion $kind $ns $name` operation and store the result in + $out.result. + + Additionally, if a lookup was attempted, $out.reliable will contain a bool indicating + whether the result of lookup can be relied upon. This is determined to be the case if + the default service account in the release namespace can be found. + */}} +{{ define "srox.safeLookup" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ if $._rox.meta.useLookup }} + {{ if kindIs "invalid" $._rox._state.lookupWorks }} + {{ $testOut := dict }} + {{ include "srox._doLookup" (list $ $testOut "v1" "ServiceAccount" $._rox._namespace "default") }} + {{ $_ := set $._rox._state "lookupWorks" ($testOut.result | not | not) }} + {{ end }} + {{ include "srox._doLookup" . }} + {{ $_ := set $out "reliable" $._rox._state.lookupWorks }} +{{ end }} +{{ end }} + + +{{/* + srox._doLookup $ $out $apiVersion $kind $ns $name + + Calls "lookup" with arguments $apiVersion $kind $ns $name, and stores the result + in $out.result. + + This function exists to prevent a parse error if the lookup function isn't defined. It does + so by deferring the execution of lookup to a template string instantiated via `tpl`. + */}} +{{ define "srox._doLookup" }} +{{ $ := index . 0 }} +{{ $tplArgs := dict "Template" $.Template "out" (index . 1) "apiVersion" (index . 2) "kind" (index . 3) "ns" (index . 4) "name" (index . 5) }} +{{ $_ := tpl "{{ $_ := set .out \"result\" (lookup .apiVersion .kind .ns .name) }}" $tplArgs }} +{{ end }} diff --git a/3.0.59.0/secured-cluster-services/templates/_metadata.tpl b/3.0.59.0/secured-cluster-services/templates/_metadata.tpl new file mode 100644 index 0000000..ed8fd3b --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/_metadata.tpl 
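Review bot: `($testOut.result | not | not)` in srox.safeLookup is a double negation used to coerce the probe result to a bool, which reads like a mistake on first sight; `(not (empty $testOut.result))` states the intent directly. A comment on the probe block would also help, e.g. `{{/* Probe once per render: if the default ServiceAccount in the release namespace is readable, lookup has cluster access; the verdict is cached in _state.lookupWorks. */}}`. The header comment could additionally state that `$out.reliable` is left unset (not false) when `meta.useLookup` is false, since callers may test it as a bool.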
@@ -0,0 +1,187 @@ +{{/* + srox.labels $ $objType $objName + + Format labels for $objType/$objName as YAML. + */}} +{{- define "srox.labels" -}} +{{- $labels := dict -}} +{{- $_ := include "srox._labels" (append (prepend . $labels) false) -}} +{{- toYaml $labels -}} +{{- end -}} + +{{/* + srox.podLabels $ $objType $objName + + Format pod labels for $objType/$objName as YAML. + */}} +{{- define "srox.podLabels" -}} +{{- $labels := dict -}} +{{- $_ := include "srox._labels" (append (prepend . $labels) true) -}} +{{- toYaml $labels -}} +{{- end -}} + +{{/* + srox.annotations $ $objType $objName + + Format annotations for $objType/$objName as YAML. + */}} +{{- define "srox.annotations" -}} +{{- $annotations := dict -}} +{{- $_ := include "srox._annotations" (append (prepend . $annotations) false) -}} +{{- toYaml $annotations -}} +{{- end -}} + +{{/* + srox.podAnnotations $ $objType $objName + + Format pod annotations for $objType/$objName as YAML. + */}} +{{- define "srox.podAnnotations" -}} +{{- $annotations := dict -}} +{{- $_ := include "srox._annotations" (append (prepend . $annotations) true) -}} +{{- toYaml $annotations -}} +{{- end -}} + +{{/* + srox.envVars $ $objType $objName $containerName + + Format environment variables for container $containerName in + $objType/$objName as YAML. + */}} +{{- define "srox.envVars" -}} +{{- $envVars := dict -}} +{{- $_ := include "srox._envVars" (prepend . $envVars) -}} +{{- range $k, $v := $envVars -}} +- name: {{ quote $k }} + value: {{ quote $v }} +{{ end -}} +{{- end -}} + +{{/* + srox._labels $labels $ $objType $objName $forPod + + Writes all applicable [pod] labels (including default labels) for $objType/$objName + into $labels. Pod labels are written iff $forPod is true. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.labels". + */}} +{{ define "srox._labels" }} +{{ $labels := index . 0 }} +{{ $ := index . 
1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $forPod := index . 4 }} +{{ $_ := set $labels "app.kubernetes.io/name" "stackrox" }} +{{ $_ = set $labels "app.kubernetes.io/managed-by" $.Release.Service }} +{{ $_ = set $labels "helm.sh/chart" (printf "%s-%s" $.Chart.Name ($.Chart.Version | replace "+" "_")) }} +{{ $_ = set $labels "app.kubernetes.io/instance" $.Release.Name }} +{{ $_ = set $labels "app.kubernetes.io/version" $.Chart.AppVersion }} +{{ $_ = set $labels "app.kubernetes.io/part-of" "stackrox-secured-cluster-services" }} +{{ $component := regexReplaceAll "^.*/\\d{2}-([a-z]+)-\\d{2}-[^/]+\\.yaml" $.Template.Name "${1}" }} +{{ if not (contains "/" $component) }} + {{ $_ = set $labels "app.kubernetes.io/component" $component }} +{{ end }} +{{ $metadataNames := list "labels" }} +{{ if $forPod }} + {{ $metadataNames = append $metadataNames "podLabels" }} +{{ end }} +{{ include "srox._customizeMetadata" (list $ $labels $objType $objName $metadataNames) }} +{{ end }} + +{{/* + srox._annotations $annotations $ $objType $objName $forPod + + Writes all applicable [pod] annotations (including default annotations) for + $objType/$objName into $annotations. Pod labels are written iff $forPod is true. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.annotations". + */}} +{{ define "srox._annotations" }} +{{ $annotations := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $forPod := index . 
4 }} +{{ $_ := set $annotations "meta.helm.sh/release-namespace" $.Release.Namespace }} +{{ $_ = set $annotations "meta.helm.sh/release-name" $.Release.Name }} +{{ $_ = set $annotations "owner" "stackrox" }} +{{ $_ = set $annotations "email" "support@stackrox.com" }} +{{ $metadataNames := list "annotations" }} +{{ if $forPod }} + {{ $metadataNames = append $metadataNames "podAnnotations" }} +{{ end }} +{{ include "srox._customizeMetadata" (list $ $annotations $objType $objName $metadataNames) }} +{{ end }} + +{{/* + srox._envVars $envVars $ $objType $objName $containerName + + Writes all applicable [pod] labels (including default labels) for $objType/$objName + into $labels. Pod labels are written iff $forPod is true. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.labels". + */}} +{{ define "srox._envVars" }} +{{ $envVars := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $containerName := index . 
4 }} +{{ $metadataNames := list "envVars" }} +{{ include "srox._customizeMetadata" (list $ $envVars $objType $objName $metadataNames) }} +{{ if $containerName }} + {{ $containerKey := printf "/%s" $containerName }} + {{ $envVarsForContainer := index $envVars $containerKey }} + {{ if $envVarsForContainer }} + {{ include "srox.destructiveMergeOverwrite" (list $envVars $envVarsForContainer) }} + {{ end }} +{{ end }} + +{{/* Remove all entries starting with / */}} +{{ range $key, $_ := $envVars }} + {{ if hasPrefix "/" $key }} + {{ $_ := unset $envVars $key }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox._customizeMetadata $ $metadata $objType $objName $metadataNames + + Writes custom key/value metadata to $metadata by consulting all sub-dicts with names in + $metadataNames under the applicable custom metadata locations (._rox.customize, + ._rox.customize.other.$objType/*, ._rox.customize.other.$objType/$objName, and + ._rox.customizer.$objName [workloads only]). Dictionaries are consulted in this order, with + values from dictionaries consulted later overwriting values from dictionaries consulted + earlier. + */}} +{{ define "srox._customizeMetadata" }} +{{ $ := index . 0 }} +{{ $metadata := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $metadataNames := index . 
4 }} + +{{ $overrideDictPaths := list "" (printf "other.%s/*" $objType) (printf "other.%s/%s" $objType $objName) }} +{{ if has $objType (list "deployment" "daemonset") }} + {{ $overrideDictPaths = append $overrideDictPaths $objName }} +{{ end }} + +{{ range $dictPath := $overrideDictPaths }} + {{ $customizeDict := $._rox.customize }} + {{ if $dictPath }} + {{ $resolvedOut := dict }} + {{ include "srox.safeDictLookup" (list $._rox.customize $resolvedOut $dictPath) }} + {{ $customizeDict = $resolvedOut.result }} + {{ end }} + {{ if $customizeDict }} + {{ range $metadataName := $metadataNames }} + {{ $customMetadata := index $customizeDict $metadataName }} + {{ include "srox.destructiveMergeOverwrite" (list $metadata $customMetadata) }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} diff --git a/3.0.59.0/secured-cluster-services/templates/_reporting.tpl b/3.0.59.0/secured-cluster-services/templates/_reporting.tpl new file mode 100644 index 0000000..621e284 --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/_reporting.tpl @@ -0,0 +1,34 @@ +{{/* + srox.fail $message + + Print a nicely-formatted fatal error message and exit. + */}} +{{ define "srox.fail" }} +{{ printf "\n\nFATAL ERROR:\n%s" . | wrap 100 | fail }} +{{ end }} + +{{/* + srox.warn $ $message + + Add $message to the list of encountered warnings. + */}} +{{ define "srox.warn" }} +{{ $ := index . 0 }} +{{ $msg := index . 1 }} +{{ $warnings := $._rox._state.warnings }} +{{ $warnings = append $warnings $msg }} +{{ $_ := set $._rox._state "warnings" $warnings }} +{{ end }} + +{{/* + srox.note $ $message + + Add $message to the list notes that will be shown to the user after installation/upgrade. + */}} +{{ define "srox.note" }} +{{ $ := index . 0 }} +{{ $msg := index . 1 }} +{{ $notes := $._rox._state.notes }} +{{ $notes = append $notes $msg }} +{{ $_ := set $._rox._state "notes" $notes }} +{{ end }} 
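Review bot: The header comment of `srox._envVars` is a copy of the one on `srox._labels` ("Writes all applicable [pod] labels ... into $labels. Pod labels are written iff $forPod is true ... in \"srox.labels\"") and does not describe this template at all; it should say that env vars from the `envVars` customization dicts are written into `$envVars`, that a `/<containerName>` sub-dict, when present, overrides the per-object values for that container, and that every `/`-prefixed key is removed before returning. Separately, `srox._labels` derives `app.kubernetes.io/component` from a `\d{2}-([a-z]+)-\d{2}-...yaml` file-name pattern, but the template files in this chart (e.g. `admission-controller.yaml`, `additional-ca-sensor.yaml`) do not follow it, so the label appears never to be set here; either a chart-specific pattern or a comment noting that the label is only populated by the other chart would be appropriate.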
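Review bot: `srox.warn` and `srox.note` are line-for-line identical apart from the `_state` key they append to, so any later change to one (for instance de-duplicating repeated messages) is likely to be missed in the other. A small shared helper along the lines of `srox._appendState $ $key $msg` that both definitions include would remove the duplication; this is a style point only, behavior is fine. The calling convention is also asymmetric — `srox.fail` takes a bare message while `srox.warn`/`srox.note` take `(list $ $msg)` — which the comments document, but a one-line note that fail differs because it needs no access to `_state` would make the asymmetry look intentional rather than accidental.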
diff --git a/3.0.59.0/secured-cluster-services/templates/additional-ca-sensor.yaml b/3.0.59.0/secured-cluster-services/templates/additional-ca-sensor.yaml
new file mode 100644
index 0000000..aa1801c
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/additional-ca-sensor.yaml
@@ -0,0 +1,19 @@
+{{- include "srox.init" . -}}
+
+{{- if ._rox._additionalCAs }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: additional-ca-sensor
+ namespace: {{ ._rox._namespace }}
+ labels:
+ {{- include "srox.labels" (list . "secret" "additional-ca-sensor") | nindent 4 }}
+ annotations:
+ {{- include "srox.annotations" (list . "secret" "additional-ca-sensor") | nindent 4 }}
+type: Opaque
+stringData:
+ {{- range $name, $cert := ._rox._additionalCAs }}
+ {{ $name | quote }}: |
+ {{- $cert | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/3.0.59.0/secured-cluster-services/templates/admission-controller-netpol.yaml b/3.0.59.0/secured-cluster-services/templates/admission-controller-netpol.yaml
new file mode 100644
index 0000000..1ab0341
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/admission-controller-netpol.yaml
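Review bot: The `additional-ca-sensor` Secret does not carry the `auto-upgrade.stackrox.io/component: "sensor"` label that every other sensor-side resource in this change sets under `labels:` (the NetworkPolicy, PodSecurityPolicy, RBAC and SCC files all add it). If the auto-upgrader uses that label to identify the objects it owns, this Secret would be left out of upgrades; if the omission is deliberate, a one-line comment above `labels:` saying so would stop someone "fixing" it later. Keying `stringData` by the names from `_rox._additionalCAs` is fine, since `_init.tpl` already normalizes them to the character set a Secret key allows.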
@@ -0,0 +1,46 @@ +{{- include "srox.init" . -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: admission-control-no-ingress + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "admission-control-no-ingress") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "admission-control-no-ingress") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: admission-control + ingress: + - ports: + - protocol: TCP + port: 8443 + policyTypes: + - Ingress + +{{- if ._rox.admissionControl.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: admission-control-monitoring + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "admission-control-monitoring") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "admission-control-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: admission-control + policyTypes: + - Ingress +{{- end }} diff --git a/3.0.59.0/secured-cluster-services/templates/admission-controller-pod-security.yaml b/3.0.59.0/secured-cluster-services/templates/admission-controller-pod-security.yaml new file mode 100644 index 0000000..db9b92d --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/admission-controller-pod-security.yaml 
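Review bot: The policy named `admission-control-no-ingress` in fact allows ingress on TCP 8443 from any source (the `ingress` rule has a `ports` entry but no `from` clause), which is the right shape for a webhook that must be reachable from the API server, but it reads oddly next to the name. A comment above `ingress:` would make the intent explicit, e.g. `# The webhook port must stay reachable from the API server, whose source cannot be expressed as a pod/namespace selector; all other ingress to admission-control is denied.`. The same applies to the unrestricted 9090 rule in the `admission-control-monitoring` document below it.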
@@ -0,0 +1,75 @@ +{{- include "srox.init" . -}} + +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: stackrox-admission-control + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-admission-control") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox-admission-control-psp + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-admission-control-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-admission-control-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - stackrox-admission-control + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-admission-control-psp + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-admission-control-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-admission-control-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: stackrox-admission-control-psp +subjects: + - kind: ServiceAccount + name: admission-control + namespace: {{ ._rox._namespace }} + 
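Review bot: The PodSecurityPolicy is looser than both the SecurityContextConstraints added for the same workload in `admission-controller-scc.yaml` (`readOnlyRootFilesystem: true`, empty `allowedCapabilities`) and the deployment's own container `securityContext` (`readOnlyRootFilesystem: true`, `runAsNonRoot: true`), so it does not enforce the posture the pod already runs with. Adding `readOnlyRootFilesystem: true` and `requiredDropCapabilities: ['ALL']` under `spec:` should be a no-op for this pod (its writable paths are all emptyDir mounts and it runs as uid 4000) while rejecting a weaker pod spec; worth confirming against the container before merging. `policy/v1beta1` PodSecurityPolicy is deprecated from Kubernetes 1.21; since `_init.tpl` already collects the server's API resources into `_rox._apiServer.apiResources`, gating this file on the API's presence would avoid render failures on clusters that no longer serve it.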
diff --git a/3.0.59.0/secured-cluster-services/templates/admission-controller-rbac.yaml b/3.0.59.0/secured-cluster-services/templates/admission-controller-rbac.yaml new file mode 100644 index 0000000..1e4e11e --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/admission-controller-rbac.yaml @@ -0,0 +1,50 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: admission-control + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "admission-control") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.mainImagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: watch-config + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "role" "watch-config") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "role" "watch-config") | nindent 4 }} +rules: + - apiGroups: [''] + resources: ['configmaps'] + verbs: ['get', 'list', 'watch'] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: admission-control-watch-config + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "admission-control-watch-config") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "admission-control-watch-config") | nindent 4 }} +subjects: + - kind: ServiceAccount + name: admission-control + namespace: {{ ._rox._namespace }} +roleRef: + kind: Role + name: watch-config + apiGroup: rbac.authorization.k8s.io 
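Review bot: The `watch-config` Role grants `get`/`list`/`watch` on every ConfigMap in the namespace, while the deployment in `admission-controller.yaml` mounts only the `admission-control` ConfigMap. Adding `resourceNames: ['admission-control']` to the rule narrows `get`; note that RBAC only restricts `list`/`watch` by `resourceNames` when the client sends a matching field selector, so whether the narrowing is fully effective depends on how admission-control watches its config. If the wider grant is genuinely needed, a comment on the rule stating why would keep it from being tightened later.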
diff --git a/3.0.59.0/secured-cluster-services/templates/admission-controller-scc.yaml b/3.0.59.0/secured-cluster-services/templates/admission-controller-scc.yaml new file mode 100644 index 0000000..365fcd6 --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/admission-controller-scc.yaml @@ -0,0 +1,44 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.env.openshift }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: admission-control + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "admission-control") | nindent 4 }} + kubernetes.io/description: admission-control is the security constraint for the admission controller +users: + - system:serviceaccount:{{ ._rox._namespace }}:admission-control +priority: 0 +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +supplementalGroups: + type: RunAsAny +fsGroup: + type: RunAsAny +groups: [] +readOnlyRootFilesystem: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: [] +defaultAddCapabilities: [] +requiredDropCapabilities: [] +volumes: + - configMap + - downwardAPI + - emptyDir + - secret +{{- end }} diff --git a/3.0.59.0/secured-cluster-services/templates/admission-controller-secret.yaml b/3.0.59.0/secured-cluster-services/templates/admission-controller-secret.yaml new file mode 100644 index 0000000..3abcb9a --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/admission-controller-secret.yaml 
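Review bot: `seccompProfiles: ['*']` lets a pod admitted under this SCC request any seccomp profile, including `unconfined`, which is out of step with the otherwise tight constraint (no host namespaces, no capabilities, `readOnlyRootFilesystem: true`). Unless OpenShift 3 compatibility requires the wildcard, `- runtime/default` is the narrower choice; as far as I can tell a pod that requests no profile is then given the first listed one, so the admission-control pod would simply run under `runtime/default`. `runAsUser: RunAsAny` also differs from the PSP in `admission-controller-pod-security.yaml`, which pins uid 4000 — presumably deliberate, but a comment would help.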
@@ -0,0 +1,30 @@ +{{- include "srox.init" . -}} + +{{- if or ._rox.createSecrets (and (kindIs "invalid" ._rox.createSecrets) (or ._rox.admissionControl.serviceTLS._cert ._rox.admissionControl.serviceTLS._key)) }} + +{{/* Admission control TLS secret isn't required, so do not fail here. */}} +{{- if and ._rox.ca._cert ._rox.admissionControl.serviceTLS._cert ._rox.admissionControl.serviceTLS._key }} + +apiVersion: v1 +kind: Secret +metadata: + name: admission-control-tls + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "admission-control-tls") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + {{- include "srox.annotations" (list . "secret" "admission-control-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox.ca._cert | nindent 4 }} + admission-control-cert.pem: | + {{- ._rox.admissionControl.serviceTLS._cert | nindent 4 }} + admission-control-key.pem: | + {{- ._rox.admissionControl.serviceTLS._key | nindent 4 }} + +{{- end }} +{{- end }} diff --git a/3.0.59.0/secured-cluster-services/templates/admission-controller.yaml b/3.0.59.0/secured-cluster-services/templates/admission-controller.yaml new file mode 100644 index 0000000..85aba33 --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/admission-controller.yaml 
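Review bot: When `createSecrets` is unset and only some of `ca._cert`, `admissionControl.serviceTLS._cert` and `._key` are provided, the outer condition is true but the inner `and` is false, so the Secret is silently not rendered and the deployment later mounts an empty `optional: true` volume. A partially specified TLS triple is almost certainly a configuration mistake rather than the "not required" case the comment describes; an `{{- else }}` on the inner `if` with `{{ include "srox.warn" (list . "admissionControl.serviceTLS: ca._cert, _cert and _key must all be set for the admission-control-tls secret to be created; ignoring partial input.") }}` would surface it without failing the render. The `helm.sh/hook` plus `helm.sh/resource-policy: keep` pair also appears to mean the Secret is neither tracked by the release nor removed on `helm uninstall`; a comment saying the key material must be deleted by hand would help operators.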
@@ -0,0 +1,241 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: admission-control + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "deployment" "admission-control") | nindent 4 }} + app: admission-control + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "deployment" "admission-control") | nindent 4 }} +spec: + replicas: 3 + minReadySeconds: 0 + selector: + matchLabels: + app: admission-control + template: + metadata: + namespace: {{ ._rox._namespace }} + labels: + app: admission-control + {{- include "srox.podLabels" (list . "deployment" "admission-control") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8443" + {{- include "srox.podAnnotations" (list . "deployment" "admission-control") | nindent 8 }} + spec: + # Attempt to schedule these on master nodes + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: In + values: + - "true" + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 60 + podAffinityTerm: + namespaces: ["stackrox"] + topologyKey: "kubernetes.io/hostname" + labelSelector: + matchLabels: + app: admission-control + {{- if ._rox.admissionControl._nodeSelector }} + nodeSelector: + {{- ._rox.admissionControl._nodeSelector | nindent 8 }} + {{- end}} + securityContext: + runAsUser: 4000 + fsGroup: 4000 + serviceAccountName: admission-control + containers: + - image: {{ quote ._rox.image.main.fullRef }} + imagePullPolicy: {{ ._rox.admissionControl.imagePullPolicy }} + name: admission-control + readinessProbe: + httpGet: + scheme: HTTPS + path: /ready + port: 8443 + initialDelaySeconds: 5 + periodSeconds: 5 + failureThreshold: 1 + ports: + - containerPort: 8443 + name: webhook + command: + - admission-control + resources: + {{- 
._rox.admissionControl._resources | nindent 12 }} + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + env: + - name: ROX_SENSOR_ENDPOINT + value: {{ ._rox.sensor.endpoint }} + {{- include "srox.envVars" (list . "deployment" "admission-controller" "admission-controller") | nindent 10 }} + volumeMounts: + - name: config + mountPath: /run/config/stackrox.io/admission-control/config/ + readOnly: true + - name: config-store + mountPath: /var/lib/stackrox/admission-control/ + - name: ca + mountPath: /run/secrets/stackrox.io/ca/ + readOnly: true + - name: certs + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: ssl + mountPath: /etc/ssl + - name: pki + mountPath: /etc/pki/ca-trust/ + - name: additional-cas + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + volumes: + - name: certs + secret: + secretName: admission-control-tls + optional: true + items: + - key: admission-control-cert.pem + path: cert.pem + - key: admission-control-key.pem + path: key.pem + - key: ca.pem + path: ca.pem + - name: ca + secret: + secretName: service-ca + optional: true + - name: config + configMap: + name: admission-control + optional: true + - name: config-store + emptyDir: {} + - name: ssl + emptyDir: {} + - name: pki + emptyDir: {} + - name: additional-cas + secret: + secretName: additional-ca-sensor + optional: true +--- + +apiVersion: v1 +kind: Service +metadata: + name: admission-control + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "service" "admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"service" "admission-control") | nindent 4 }} +spec: + ports: + - name: https + port: 443 + targetPort: webhook + protocol: TCP + selector: + app: admission-control + type: ClusterIP + sessionAffinity: None +--- + +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: stackrox + labels: + {{- include "srox.labels" (list . "validatingwebhookconfiguration" "stackrox") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "validatingwebhookconfiguration" "stackrox") | nindent 4 }} +{{- if not (or ._rox.admissionControl.listenOnEvents ._rox.admissionControl.listenOnCreates ._rox.admissionControl.listenOnUpdates) }} +webhooks: [] +{{else}} +webhooks: + {{- if or ._rox.admissionControl.listenOnCreates ._rox.admissionControl.listenOnUpdates }} + - name: policyeval.stackrox.io + {{- if not (eq ._rox.env.openshift 3) }} + sideEffects: NoneOnDryRun + {{- end }} + rules: + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + {{- if ._rox.admissionControl.listenOnCreates }} + - CREATE + {{- end }} + {{- if ._rox.admissionControl.listenOnUpdates }} + - UPDATE + {{- end }} + resources: + - pods + - deployments + - replicasets + - replicationcontrollers + - statefulsets + - daemonsets + - cronjobs + - jobs + {{- if ._rox.env.openshift }} + - deploymentconfigs + {{- end }} + namespaceSelector: + matchExpressions: + - key: namespace.metadata.stackrox.io/name + operator: NotIn + values: + - stackrox + - kube-system + - kube-public + - istio-system + failurePolicy: Ignore + clientConfig: + caBundle: {{ required "The 'ca.cert' config option MUST be set to StackRox's Service CA certificate in order for the admission controller to be usable" ._rox.ca._cert | b64enc }} + service: + namespace: {{ ._rox._namespace }} + name: admission-control + path: /validate + {{- end}} + {{- if ._rox.admissionControl.listenOnEvents }} + - name: k8sevents.stackrox.io + {{- if not (eq 
._rox.env.openshift 3) }}
+ sideEffects: NoneOnDryRun
+ {{- end }}
+ rules:
+ - apiGroups:
+ - '*'
+ apiVersions:
+ - '*'
+ operations:
+ - CONNECT
+ resources:
+ - pods
+ - pods/attach
+ - pods/exec
+ - pods/portforward
+ failurePolicy: Ignore
+ clientConfig:
+ caBundle: {{ required "The 'ca.cert' config option MUST be set to StackRox's Service CA certificate in order for the admission controller to be usable" ._rox.ca._cert | b64enc }}
+ service:
+ namespace: {{ ._rox._namespace }}
+ name: admission-control
+ path: /events
+ {{- end }}
+{{- end }}
diff --git a/3.0.59.0/secured-cluster-services/templates/cluster-config.yaml b/3.0.59.0/secured-cluster-services/templates/cluster-config.yaml
new file mode 100644
index 0000000..20c81f6
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/cluster-config.yaml
@@ -0,0 +1,14 @@
+{{- include "srox.init" . -}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: helm-cluster-config
+ namespace: {{ ._rox._namespace }}
+ labels:
+ {{- include "srox.labels" (list . "secret" "helm-cluster-config") | nindent 4 }}
+ annotations:
+ {{- include "srox.annotations" (list . "secret" "helm-cluster-config") | nindent 4 }}
+stringData:
+ config.yaml: |
+ {{- tpl (.Files.Get "internal/cluster-config.yaml.tpl") . | nindent 4 }}
diff --git a/3.0.59.0/secured-cluster-services/templates/collector-netpol.yaml b/3.0.59.0/secured-cluster-services/templates/collector-netpol.yaml
new file mode 100644
index 0000000..d38422a
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/collector-netpol.yaml
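Review bot: `namespaces: ["stackrox"]` in the Deployment's `podAntiAffinity` term and the `stackrox` entry under the webhooks' `namespaceSelector` are hard-coded while every other namespace reference in this file is `{{ ._rox._namespace }}`; installed into any other namespace, the anti-affinity preference silently matches nothing and the install namespace is no longer excluded from admission checks. Use `namespaces: [{{ quote ._rox._namespace }}]` and `- {{ ._rox._namespace }}` (keeping the literal `stackrox` entry only if Central-side components are expected there). `value: {{ ._rox.sensor.endpoint }}` for `ROX_SENSOR_ENDPOINT` is unquoted, unlike `ROX_ADVERTISED_ENDPOINT` in `collector.yaml`; env values must render as strings, so `value: {{ quote ._rox.sensor.endpoint }}` keeps both consistent. Both webhooks use `failurePolicy: Ignore`, so any unavailability of the admission-control Service turns into unreviewed admission; if that is the intended availability trade-off, a comment on the first `failurePolicy` line saying so would keep the next reader from flipping it to `Fail` without understanding the consequence.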
@@ -0,0 +1,42 @@
+{{- include "srox.init" . -}}
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: collector-no-ingress
+ namespace: {{ ._rox._namespace }}
+ labels:
+ {{- include "srox.labels" (list . "networkpolicy" "collector-no-ingress") | nindent 4 }}
+ auto-upgrade.stackrox.io/component: "sensor"
+ annotations:
+ {{- include "srox.annotations" (list . "networkpolicy" "collector-no-ingress") | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app: collector
+ policyTypes:
+ - Ingress
+
+{{ if ._rox.collector.exposeMonitoring }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: collector-monitoring
+ namespace: {{ ._rox._namespace }}
+ labels:
+ {{- include "srox.labels" (list . "networkpolicy" "collector-monitoring") | nindent 4 }}
+ auto-upgrade.stackrox.io/component: "sensor"
+ annotations:
+ {{- include "srox.annotations" (list . "networkpolicy" "collector-monitoring") | nindent 4 }}
+spec:
+ ingress:
+ - ports:
+ - port: 9090
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app: collector
+ policyTypes:
+ - Ingress
+{{ end }}
diff --git a/3.0.59.0/secured-cluster-services/templates/collector-pod-security.yaml b/3.0.59.0/secured-cluster-services/templates/collector-pod-security.yaml
new file mode 100644
index 0000000..6c219a3
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/collector-pod-security.yaml
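Review bot: The `collector-monitoring` policy's ingress rule has `ports` but no `from`, so when `exposeMonitoring` is set port 9090 on every collector pod is reachable from any source the CNI admits, not just the scraper; `sensor-netpol.yaml` in this patch has the same shape for `sensor-monitoring`. If the scraper's namespace or labels are known, add a `from:` with a `namespaceSelector`/`podSelector`; if they are deliberately unknown, a comment such as `# exposeMonitoring opens 9090 to all peers; add a from: block for your monitoring stack to restrict it` above the `ingress:` key documents the choice. The `{{ if … }}`/`{{ end }}` pair uses untrimmed delimiters while the rest of the file uses `{{-`, which leaves extra blank lines in the rendered manifest — harmless, but inconsistent.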
@@ -0,0 +1,70 @@
+{{- include "srox.init" . -}}
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: stackrox-collector-psp
+ labels:
+ {{- include "srox.labels" (list . "clusterrole" "stackrox-collector-psp") | nindent 4 }}
+ auto-upgrade.stackrox.io/component: "sensor"
+ annotations:
+ {{- include "srox.annotations" (list . "clusterrole" "stackrox-collector-psp") | nindent 4 }}
+rules:
+ - apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - stackrox-collector
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: stackrox-collector-psp
+ namespace: {{ ._rox._namespace }}
+ labels:
+ {{- include "srox.labels" (list . "rolebinding" "stackrox-collector-psp") | nindent 4 }}
+ auto-upgrade.stackrox.io/component: "sensor"
+ annotations:
+ {{- include "srox.annotations" (list . "rolebinding" "stackrox-collector-psp") | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: stackrox-collector-psp
+subjects:
+ - kind: ServiceAccount
+ name: collector
+ namespace: {{ ._rox._namespace }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: stackrox-collector
+ labels:
+ {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-collector") | nindent 4 }}
+ auto-upgrade.stackrox.io/component: "sensor"
+ annotations:
+ {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-collector") | nindent 4 }}
+spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ allowedCapabilities:
+ - '*'
+ volumes:
+ - '*'
+ allowedHostPaths:
+ - pathPrefix: /
+ readOnly: true
+ hostNetwork: false
+ hostIPC: false
+ hostPID: true
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
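Review bot: The `stackrox-collector` PodSecurityPolicy allows `hostPID: true`, `volumes: ['*']` and `allowedCapabilities: ['*']`, but the OpenShift counterpart `collector-scc.yaml` in this patch sets `allowHostPID: false`, `allowedCapabilities: []` and limits `volumes` to configMap, downwardAPI, emptyDir, hostPath and secret, and the collector DaemonSet in `collector.yaml` requests none of the extra grants (no `hostPID`, only hostPath/emptyDir/secret volumes, and the non-privileged `compliance` container adds no capabilities). Unless something outside this diff relies on the wider grant, the PSP should be narrowed to the same set: `hostPID: false`, `allowedCapabilities: []`, and an explicit `volumes` list matching the SCC. `allowedHostPaths` with `pathPrefix: /` and `readOnly: true` is only as tight as the DaemonSet's mounts, which are all `readOnly: true` here — a comment next to `allowedHostPaths` saying that every collector hostPath mount must stay read-only would keep that invariant visible.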
diff --git a/3.0.59.0/secured-cluster-services/templates/collector-rbac.yaml b/3.0.59.0/secured-cluster-services/templates/collector-rbac.yaml
new file mode 100644
index 0000000..5d4ffd9
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/collector-rbac.yaml
@@ -0,0 +1,16 @@
+{{- include "srox.init" . -}}
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: collector
+ namespace: {{ ._rox._namespace }}
+ labels:
+ {{- include "srox.labels" (list . "serviceaccount" "collector") | nindent 4 }}
+ auto-upgrade.stackrox.io/component: "sensor"
+ annotations:
+ {{- include "srox.annotations" (list . "serviceaccount" "collector") | nindent 4 }}
+imagePullSecrets:
+{{- range $secretName := concat ._rox.collectorImagePullSecrets._names ._rox.mainImagePullSecrets._names | uniq }}
+- name: {{ quote $secretName }}
+{{- end }}
diff --git a/3.0.59.0/secured-cluster-services/templates/collector-scc.yaml b/3.0.59.0/secured-cluster-services/templates/collector-scc.yaml
new file mode 100644
index 0000000..313c4ff
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/collector-scc.yaml
@@ -0,0 +1,45 @@
+{{- include "srox.init" . -}}
+
+{{- if ._rox.env.openshift }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: collector
+ labels:
+ {{- include "srox.labels" (list . "securitycontextconstraints" "collector") | nindent 4 }}
+ auto-upgrade.stackrox.io/component: "sensor"
+ annotations:
+ {{- include "srox.annotations" (list . "securitycontextconstraints" "collector") | nindent 4 }}
+ kubernetes.io/description: This SCC is based on privileged, hostaccess, and hostmount-anyuid
+users:
+ - system:serviceaccount:{{ ._rox._namespace }}:collector
+allowHostDirVolumePlugin: true
+allowPrivilegedContainer: true
+fsGroup:
+ type: RunAsAny
+groups: []
+priority: 0
+readOnlyRootFilesystem: true
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+seccompProfiles:
+ - '*'
+supplementalGroups:
+ type: RunAsAny
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowedCapabilities: []
+defaultAddCapabilities: []
+requiredDropCapabilities: []
+volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - hostPath
+ - secret
+{{- end }}
diff --git a/3.0.59.0/secured-cluster-services/templates/collector-secret.yaml b/3.0.59.0/secured-cluster-services/templates/collector-secret.yaml
new file mode 100644
index 0000000..6b07ea2
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/collector-secret.yaml
@@ -0,0 +1,30 @@
+{{- include "srox.init" . -}}
+
+{{- if or ._rox.createSecrets (and (kindIs "invalid" ._rox.createSecrets) (or ._rox.collector.serviceTLS._cert ._rox.collector.serviceTLS._key)) }}
+
+{{- if not (and ._rox.ca._cert ._rox.collector.serviceTLS._cert ._rox.collector.serviceTLS._key) }}
+ {{ include "srox.fail" "Requested secret creation, but not all of CA certificate, collector certificate, collector private key are available. Set the 'createSecrets' config option to false if you do not want secrets to be created." }}
+{{- end }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ {{- include "srox.labels" (list . "secret" "collector-tls") | nindent 4 }}
+ auto-upgrade.stackrox.io/component: sensor
+ annotations:
+ {{- include "srox.annotations" (list . "secret" "collector-tls") | nindent 4 }}
+ "helm.sh/hook": "pre-install,pre-upgrade"
+ "helm.sh/resource-policy": "keep"
+ name: collector-tls
+ namespace: {{ ._rox._namespace }}
+type: Opaque
+stringData:
+ ca.pem: |
+ {{- ._rox.ca._cert | nindent 4 }}
+ collector-cert.pem: |
+ {{- ._rox.collector.serviceTLS._cert | nindent 4 }}
+ collector-key.pem: |
+ {{- ._rox.collector.serviceTLS._key | nindent 4 }}
+
+{{- end }}
diff --git a/3.0.59.0/secured-cluster-services/templates/collector.yaml b/3.0.59.0/secured-cluster-services/templates/collector.yaml
new file mode 100644
index 0000000..d55763c
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/collector.yaml
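Review bot: `metadata` here lists `labels` and `annotations` before `name` and `namespace`, whereas the parallel `sensor-secret.yaml` and `admission-controller-secret.yaml` in this patch put `name`/`namespace` first; the three templates are otherwise line-for-line alike, so matching the key order keeps them diffable. `auto-upgrade.stackrox.io/component: sensor` is unquoted in the three secret templates but quoted `"sensor"` in every other resource of this chart — harmless for this value, but one style per file set is easier to lint. Both are style points only; the `srox.fail` guard and the `helm.sh/resource-policy: keep` annotation look consistent with the sensor template.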
@@ -0,0 +1,156 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + {{- include "srox.labels" (list . "daemonset" "collector") | nindent 4 }} + service: collector + app: collector + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "daemonset" "collector") | nindent 4 }} + name: collector + namespace: {{ ._rox._namespace }} +spec: + selector: + matchLabels: + service: collector + template: + metadata: + namespace: {{ ._rox._namespace }} + labels: + service: collector + app: collector + {{- include "srox.podLabels" (list . "daemonset" "collector") | nindent 8 }} + annotations: + {{- include "srox.podAnnotations" (list . "daemonset" "collector") | nindent 8 }} + spec: + {{- if not ._rox.collector.disableTaintTolerations }} + tolerations: + - operator: "Exists" + {{- end}} + {{- if ._rox.collector._nodeSelector }} + nodeSelector: + {{- ._rox.collector._nodeSelector | nindent 8 }} + {{- end}} + serviceAccountName: collector + containers: + {{- if ne ._rox.collector.collectionMethod "NO_COLLECTION"}} + - name: collector + image: {{ quote ._rox.image.collector.fullRef }} + imagePullPolicy: {{ ._rox.collector.imagePullPolicy }} + env: + - name: COLLECTOR_CONFIG + value: '{"tlsConfig":{"caCertPath":"/var/run/secrets/stackrox.io/certs/ca.pem","clientCertPath":"/var/run/secrets/stackrox.io/certs/cert.pem","clientKeyPath":"/var/run/secrets/stackrox.io/certs/key.pem"}}' + - name: COLLECTION_METHOD + value: {{ ._rox.collector.collectionMethod }} + - name: GRPC_SERVER + value: {{ ._rox.sensor.endpoint }} + - name: SNI_HOSTNAME + value: "sensor.stackrox" + {{- include "srox.envVars" (list . 
"daemonset" "collector" "collector") | nindent 8 }} + resources: + {{- ._rox.collector._resources | nindent 10 }} + securityContext: + capabilities: + drop: + - NET_RAW + privileged: true + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /host/var/run/docker.sock + name: var-run-docker-sock + readOnly: true + - mountPath: /host/proc + name: proc-ro + readOnly: true + - mountPath: /module + name: tmpfs-module + - mountPath: /host/etc + name: etc-ro + readOnly: true + - mountPath: /host/usr/lib + name: usr-lib-ro + readOnly: true + - mountPath: /host/sys + name: sys-ro + readOnly: true + - mountPath: /host/dev + name: dev-ro + readOnly: true + - mountPath: /run/secrets/stackrox.io/certs/ + name: certs + readOnly: true + {{- end }} + - command: + - stackrox/compliance + env: + - name: ROX_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: ROX_ADVERTISED_ENDPOINT + value: {{ quote ._rox.sensor.endpoint }} + {{- include "srox.envVars" (list . 
"daemonset" "collector" "compliance") | nindent 8 }} + image: {{ quote ._rox.image.main.fullRef }} + imagePullPolicy: {{ ._rox.collector.complianceImagePullPolicy }} + name: compliance + resources: + {{- ._rox.collector._complianceResources | nindent 10 }} + securityContext: + runAsUser: 0 + readOnlyRootFilesystem: true + seLinuxOptions: + type: "container_runtime_t" + volumeMounts: + - mountPath: /etc/ssl/ + name: etc-ssl + - mountPath: /etc/pki/ca-trust/ + name: etc-pki-volume + - mountPath: /host + name: host-root-ro + readOnly: true + - mountPath: /run/secrets/stackrox.io/certs/ + name: certs + readOnly: true + volumes: + - hostPath: + path: /var/run/docker.sock + name: var-run-docker-sock + - hostPath: + path: /proc + name: proc-ro + - emptyDir: + medium: Memory + name: tmpfs-module + - hostPath: + path: /etc + name: etc-ro + - hostPath: + path: /usr/lib + name: usr-lib-ro + - hostPath: + path: /sys/ + name: sys-ro + - hostPath: + path: /dev + name: dev-ro + - name: certs + secret: + secretName: collector-tls + items: + - key: collector-cert.pem + path: cert.pem + - key: collector-key.pem + path: key.pem + - key: ca.pem + path: ca.pem + - hostPath: + path: / + name: host-root-ro + - name: etc-ssl + emptyDir: {} + - name: etc-pki-volume + emptyDir: {} diff --git a/3.0.59.0/secured-cluster-services/templates/sensor-netpol.yaml b/3.0.59.0/secured-cluster-services/templates/sensor-netpol.yaml new file mode 100644 index 0000000..645a918 --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/sensor-netpol.yaml 
@@ -0,0 +1,59 @@
+{{- include "srox.init" . -}}
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: sensor
+ namespace: {{ ._rox._namespace }}
+ labels:
+ {{- include "srox.labels" (list . "networkpolicy" "sensor") | nindent 4 }}
+ auto-upgrade.stackrox.io/component: "sensor"
+ annotations:
+ {{- include "srox.annotations" (list . "networkpolicy" "sensor") | nindent 4 }}
+spec:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: collector
+ - podSelector:
+ matchLabels:
+ service: collector
+ - podSelector:
+ matchLabels:
+ app: admission-control
+ ports:
+ - port: 8443
+ protocol: TCP
+ - ports:
+ - port: 9443
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app: sensor
+ policyTypes:
+ - Ingress
+
+{{ if ._rox.sensor.exposeMonitoring }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: sensor-monitoring
+ namespace: {{ ._rox._namespace }}
+ labels:
+ {{- include "srox.labels" (list . "networkpolicy" "sensor-monitoring") | nindent 4 }}
+ auto-upgrade.stackrox.io/component: "sensor"
+ annotations:
+ {{- include "srox.annotations" (list . "networkpolicy" "sensor-monitoring") | nindent 4 }}
+spec:
+ ingress:
+ - ports:
+ - port: 9090
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app: sensor
+ policyTypes:
+ - Ingress
+{{ end }}
diff --git a/3.0.59.0/secured-cluster-services/templates/sensor-pod-security.yaml b/3.0.59.0/secured-cluster-services/templates/sensor-pod-security.yaml
new file mode 100644
index 0000000..ae147ad
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/sensor-pod-security.yaml
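Review bot: The second ingress rule (`- ports:` / `- port: 9443`) has no `from`, so 9443 on the sensor pod is open to every peer the CNI admits, while 8443 is correctly limited to same-namespace collector and admission-control pods; which client is expected on 9443 is not visible in this diff. If the peer is known, add a `from:` selector for it; if it is intentionally unrestricted, a comment above that rule naming the consumer, e.g. `# 9443: <consumer> — no source restriction by design`, keeps a later reviewer from tightening it blindly. The 9090 `sensor-monitoring` policy has the same unrestricted-source shape as `collector-monitoring`, raised on `collector-netpol.yaml`.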
@@ -0,0 +1,80 @@
+{{- include "srox.init" . -}}
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: stackrox-sensor-psp
+ labels:
+ {{- include "srox.labels" (list . "clusterrole" "stackrox-sensor-psp") | nindent 4 }}
+ auto-upgrade.stackrox.io/component: "sensor"
+ annotations:
+ {{- include "srox.annotations" (list . "clusterrole" "stackrox-sensor-psp") | nindent 4 }}
+rules:
+ - apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - stackrox-sensor
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: stackrox-sensor-psp
+ namespace: {{ ._rox._namespace }}
+ labels:
+ {{- include "srox.labels" (list . "rolebinding" "stackrox-sensor-psp") | nindent 4 }}
+ auto-upgrade.stackrox.io/component: "sensor"
+ annotations:
+ {{- include "srox.annotations" (list . "rolebinding" "stackrox-sensor-psp") | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: stackrox-sensor-psp
+subjects:
+ - kind: ServiceAccount
+ name: sensor
+ namespace: {{ ._rox._namespace }}
+ - kind: ServiceAccount
+ name: sensor-upgrader
+ namespace: {{ ._rox._namespace }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: stackrox-sensor
+ labels:
+ {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-sensor") | nindent 4 }}
+ auto-upgrade.stackrox.io/component: "sensor"
+ annotations:
+ {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-sensor") | nindent 4 }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ - 'persistentVolumeClaim'
+ - 'hostPath'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 4000
+ max: 4000
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 4000
+ max: 4000
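Review bot: The `stackrox-sensor` PodSecurityPolicy lists `'hostPath'` (and `'persistentVolumeClaim'`) under `volumes` with no `allowedHostPaths`, which lets any pod using the `sensor` or `sensor-upgrader` service accounts mount arbitrary host paths read-write, whereas the OpenShift equivalent `sensor-scc.yaml` in this patch sets `allowHostDirVolumePlugin: false` and permits only configMap, downwardAPI, emptyDir and secret. Unless the upgrader needs host paths (nothing in this diff shows that), drop `'hostPath'` and `'persistentVolumeClaim'` so both platforms grant the same surface; if hostPath really is needed, constrain it with an `allowedHostPaths` list. The rest of the policy (`privileged: false`, `allowPrivilegeEscalation: false`, UID pinned to 4000) is tighter than the SCC — see the note on `sensor-scc.yaml`.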
diff --git a/3.0.59.0/secured-cluster-services/templates/sensor-rbac.yaml b/3.0.59.0/secured-cluster-services/templates/sensor-rbac.yaml
new file mode 100644
index 0000000..8ec4387
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/sensor-rbac.yaml
@@ -0,0 +1,284 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "sensor") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.mainImagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:view-cluster + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:view-cluster") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:view-cluster") | nindent 4 }} +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - watch + - list +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:monitor-cluster + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:monitor-cluster") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:monitor-cluster") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:view-cluster + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: edit + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "role" "edit") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"role" "edit") | nindent 4 }} +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: manage-namespace + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "manage-namespace") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "manage-namespace") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: Role + name: edit + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:edit-workloads + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:edit-workloads") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:edit-workloads") | nindent 4 }} +rules: +- resources: + - cronjobs + - jobs + - daemonsets + - deployments + - deployments/scale + - deploymentconfigs + - pods + - replicasets + - replicationcontrollers + - services + - statefulsets + apiGroups: + - '*' + verbs: + - update + - patch + - delete +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:enforce-policies + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:enforce-policies") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"clusterrolebinding" "stackrox:enforce-policies") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:edit-workloads + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:network-policies + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:network-policies") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:network-policies") | nindent 4 }} +rules: +- resources: + - 'networkpolicies' + apiGroups: + - networking.k8s.io + - extensions + verbs: + - get + - watch + - list + - create + - update + - patch + - delete +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:network-policies-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:network-policies-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:network-policies-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:network-policies + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:update-namespaces + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:update-namespaces") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"clusterrole" "stackrox:update-namespaces") | nindent 4 }} +rules: +- resources: + - namespaces + apiGroups: [""] + verbs: + - update +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:update-namespaces-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:update-namespaces-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:update-namespaces-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:update-namespaces + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:create-events + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:create-events") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:create-events") | nindent 4 }} +rules: +- resources: + - events + apiGroups: [""] + verbs: + - create + - patch + - list +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:create-events-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:create-events-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:create-events-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:create-events + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:review-tokens + labels: + {{- include "srox.labels" (list . 
"clusterrole" "stackrox:review-tokens") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:review-tokens") | nindent 4 }} +rules: +- resources: + - tokenreviews + apiGroups: ["authentication.k8s.io"] + verbs: + - create +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:review-tokens-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:review-tokens-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:review-tokens-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:review-tokens + apiGroup: rbac.authorization.k8s.io diff --git a/3.0.59.0/secured-cluster-services/templates/sensor-scc.yaml b/3.0.59.0/secured-cluster-services/templates/sensor-scc.yaml new file mode 100644 index 0000000..fbdd7fc --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/sensor-scc.yaml 
@@ -0,0 +1,47 @@
+{{- include "srox.init" . -}}
+
+{{- if ._rox.env.openshift }}
+
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: sensor
+ labels:
+ {{- include "srox.labels" (list . "securitycontextconstraints" "sensor") | nindent 4 }}
+ auto-upgrade.stackrox.io/component: "sensor"
+ annotations:
+ {{- include "srox.annotations" (list . "securitycontextconstraints" "sensor") | nindent 4 }}
+ kubernetes.io/description: sensor is the security constraint for the sensor
+users:
+ - system:serviceaccount:{{ ._rox._namespace }}:sensor
+ - system:serviceaccount:{{ ._rox._namespace }}:sensor-upgrader
+priority: 0
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+seccompProfiles:
+ - '*'
+supplementalGroups:
+ type: RunAsAny
+fsGroup:
+ type: RunAsAny
+groups: []
+readOnlyRootFilesystem: true
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: []
+defaultAddCapabilities: []
+requiredDropCapabilities: []
+volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - secret
+
+{{- end }}
diff --git a/3.0.59.0/secured-cluster-services/templates/sensor-secret.yaml b/3.0.59.0/secured-cluster-services/templates/sensor-secret.yaml
new file mode 100644
index 0000000..848e1f2
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/sensor-secret.yaml
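Review bot: `allowPrivilegeEscalation: true` here contradicts `allowPrivilegeEscalation: false` in the `stackrox-sensor` PodSecurityPolicy (`sensor-pod-security.yaml`) and in `admission-controller-scc.yaml`; the same two service accounts get `privileged: false` plus a pinned UID under the PSP, so `allowPrivilegeEscalation: false` would bring the SCC in line unless `sensor-upgrader` needs escalation, which nothing in this diff shows. Similarly `runAsUser: type: RunAsAny` could be `type: MustRunAsRange` with `uidRangeMin: 4000` / `uidRangeMax: 4000` to mirror the PSP's `MustRunAs` 4000–4000 range. `requiredDropCapabilities: []` is the same observation as on `admission-controller-scc.yaml`.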
@@ -0,0 +1,30 @@
+{{- include "srox.init" . -}}
+
+{{- if or ._rox.createSecrets (and (kindIs "invalid" ._rox.createSecrets) (or ._rox.sensor.serviceTLS._cert ._rox.sensor.serviceTLS._key)) }}
+
+{{- if not (and ._rox.ca._cert ._rox.sensor.serviceTLS._cert ._rox.sensor.serviceTLS._key) }}
+ {{ include "srox.fail" "Requested secret creation, but not all of CA certificate, sensor certificate, sensor private key are available. Set the 'createSecrets' config option to false if you do not want secrets to be created." }}
+{{- end }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: sensor-tls
+ namespace: {{ ._rox._namespace }}
+ labels:
+ {{- include "srox.labels" (list . "secret" "sensor-tls") | nindent 4 }}
+ auto-upgrade.stackrox.io/component: sensor
+ annotations:
+ {{- include "srox.annotations" (list . "secret" "sensor-tls") | nindent 4 }}
+ "helm.sh/hook": "pre-install,pre-upgrade"
+ "helm.sh/resource-policy": "keep"
+type: Opaque
+stringData:
+ ca.pem: |
+ {{- ._rox.ca._cert | nindent 4 }}
+ sensor-cert.pem: |
+ {{- ._rox.sensor.serviceTLS._cert | nindent 4 }}
+ sensor-key.pem: |
+ {{- ._rox.sensor.serviceTLS._key | nindent 4 }}
+
+{{- end }}
diff --git a/3.0.59.0/secured-cluster-services/templates/sensor.yaml b/3.0.59.0/secured-cluster-services/templates/sensor.yaml
new file mode 100644
index 0000000..4e0b9b3
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/templates/sensor.yaml
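Review bot: The `sensor-tls` Secret carries the sensor private key as a `pre-install,pre-upgrade` hook with `helm.sh/resource-policy: keep`, and nothing in the template records the consequence: hook resources are not tracked as part of the release, so the key material survives `helm uninstall` and has to be removed explicitly during decommissioning. A comment above `annotations:` such as `# Hook + keep: this Secret outlives the release; delete it manually when the cluster is decommissioned.` would make that visible at the point of definition. Minor style point: `auto-upgrade.stackrox.io/component: sensor` is unquoted here while sensor-scc.yaml and sensor.yaml write `"sensor"`; either is fine but the chart should pick one.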
@@ -0,0 +1,250 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "deployment" "sensor") | nindent 4 }} + app: sensor + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "deployment" "sensor") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: sensor + strategy: + type: Recreate + template: + metadata: + labels: + app: sensor + {{- include "srox.podLabels" (list . "deployment" "sensor") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8443,9443" + {{- include "srox.podAnnotations" (list . "deployment" "sensor") | nindent 8 }} + spec: + {{- if ._rox.sensor._nodeSelector }} + nodeSelector: + {{- ._rox.sensor._nodeSelector | nindent 8 }} + {{- end}} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # Sensor is single-homed, so avoid preemptible nodes. 
+ - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + {{- if ._rox.env.openshift }} + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: In + values: + - "true" + - weight: 75 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: NotIn + values: + - "true" + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: NotIn + values: + - "true" + {{- end}} + securityContext: + runAsUser: 4000 + fsGroup: 4000 + serviceAccountName: sensor + containers: + - image: {{ quote ._rox.image.main.fullRef }} + imagePullPolicy: {{ ._rox.sensor.imagePullPolicy }} + name: sensor + readinessProbe: + httpGet: + scheme: HTTPS + path: /admissioncontroller + port: 9443 + ports: + - containerPort: 8443 + name: api + - containerPort: 9443 + name: webhook + command: + - kubernetes-sensor + resources: + {{- ._rox.sensor._resources | nindent 10 }} + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ROX_CENTRAL_ENDPOINT + value: {{ ._rox.centralEndpoint }} + - name: ROX_ADVERTISED_ENDPOINT + value: {{ ._rox.sensor.endpoint }} + {{- if ._rox.env.openshift }} + - name: ROX_OPENSHIFT_API + value: "true" + {{- end}} + - name: ROX_HELM_CLUSTER_CONFIG_FP + value: {{ quote ._rox._configFP }} + {{- include "srox.envVars" (list . 
"deployment" "sensor" "sensor") | nindent 8 }} + volumeMounts: + - name: varlog + mountPath: /var/log/stackrox/ + - name: sensor-etc-ssl-volume + mountPath: /etc/ssl/ + - name: sensor-etc-pki-volume + mountPath: /etc/pki/ca-trust/ + - name: certs + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: additional-ca-volume + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + - name: cache + mountPath: /var/cache/stackrox + - name: helm-cluster-config + mountPath: /run/secrets/stackrox.io/helm-cluster-config/ + readOnly: true + - name: helm-effective-cluster-name + mountPath: /run/secrets/stackrox.io/helm-effective-cluster-name/ + readOnly: true + volumes: + - name: certs + secret: + secretName: sensor-tls + items: + - key: sensor-cert.pem + path: cert.pem + - key: sensor-key.pem + path: key.pem + - key: ca.pem + path: ca.pem + - name: sensor-etc-ssl-volume + emptyDir: {} + - name: sensor-etc-pki-volume + emptyDir: {} + - name: additional-ca-volume + secret: + secretName: additional-ca-sensor + optional: true + - name: varlog + emptyDir: {} + - name: cache + emptyDir: {} + - name: helm-cluster-config + secret: + secretName: helm-cluster-config + optional: true + - name: helm-effective-cluster-name + secret: + secretName: helm-effective-cluster-name + optional: true +--- +apiVersion: v1 +kind: Service +metadata: + name: sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "service" "sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"service" "sensor") | nindent 4 }} +spec: + ports: + - name: https + port: 443 + targetPort: api + protocol: TCP + {{- if ._rox.sensor.exposeMonitoring }} + - name: monitoring + port: 9090 + targetPort: 9090 + protocol: TCP + {{- end }} + selector: + app: sensor + type: ClusterIP + sessionAffinity: None +--- + +{{- if ._rox.env.istio }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: sensor-internal-no-istio-mtls + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "destinationrule" "sensor-internal-no-istio-mtls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "destinationrule" "sensor-internal-no-istio-mtls") | nindent 4 }} + stackrox.io/description: "Disable Istio mTLS for port 443, since StackRox services use built-in mTLS." +spec: + host: sensor.stackrox.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 443 + tls: + mode: DISABLE +--- +{{- end }} + +apiVersion: v1 +kind: Service +metadata: + name: sensor-webhook + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "service" "sensor-webhook") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "service" "sensor-webhook") | nindent 4 }} +spec: + ports: + - name: https + port: 443 + targetPort: webhook + protocol: TCP + selector: + app: sensor + type: ClusterIP + sessionAffinity: None +{{- if or .Release.IsInstall (eq ._rox.confirmNewClusterName ._rox.clusterName) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: helm-effective-cluster-name + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "helm-effective-cluster-name") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" + {{- include "srox.annotations" (list . 
"secret" "helm-effective-cluster-name") | nindent 4 }} +stringData: + cluster-name: | + {{- ._rox.clusterName | nindent 4 }} +{{- end}} diff --git a/3.0.59.0/secured-cluster-services/templates/service-ca.yaml b/3.0.59.0/secured-cluster-services/templates/service-ca.yaml new file mode 100644 index 0000000..3f3b5fd --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/service-ca.yaml @@ -0,0 +1,16 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: Secret +metadata: + name: service-ca + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "service-ca") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + {{- include "srox.annotations" (list . "secret" "service-ca") | nindent 4 }} +type: Opaque +stringData: + ca.pem: | + {{- required "A CA certificate must be specified" ._rox.ca._cert | nindent 4 }} diff --git a/3.0.59.0/secured-cluster-services/templates/upgrader-serviceaccount.yaml b/3.0.59.0/secured-cluster-services/templates/upgrader-serviceaccount.yaml new file mode 100644 index 0000000..af12eb1 --- /dev/null +++ b/3.0.59.0/secured-cluster-services/templates/upgrader-serviceaccount.yaml 
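Review bot: The Istio DestinationRule hard-codes `host: sensor.stackrox.svc.cluster.local` while every other resource in this file derives the namespace from `._rox._namespace`; with `allowNonstandardNamespace` in use the rule would not match the Service, Istio mTLS would stay enabled on port 443, and StackRox's own mTLS would fail, so it should read `host: sensor.{{ ._rox._namespace }}.svc.cluster.local`. Separately, `value: {{ ._rox.centralEndpoint }}` and `value: {{ ._rox.sensor.endpoint }}` are the only container env values not wrapped in `quote`, unlike `ROX_HELM_CLUSTER_CONFIG_FP` and the image reference; an empty or numeric-looking setting would render as a non-string, which the API server rejects for env values, so `value: {{ quote ._rox.centralEndpoint }}` (and likewise for the sensor endpoint) is the safer form. The container securityContext sets `runAsNonRoot` and `readOnlyRootFilesystem` but not `allowPrivilegeEscalation: false` or a capabilities drop; adding those would also let the SCC in sensor-scc.yaml be tightened to match what the pod declares.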
@@ -0,0 +1,36 @@
+{{- include "srox.init" . -}}
+
+{{- if ._rox.createUpgraderServiceAccount }}
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sensor-upgrader
+ namespace: {{ ._rox._namespace }}
+ labels:
+ {{- include "srox.labels" (list . "serviceaccount" "sensor-upgrader") | nindent 4 }}
+ annotations:
+ {{- include "srox.annotations" (list . "serviceaccount" "sensor-upgrader") | nindent 4 }}
+imagePullSecrets:
+{{- range $secretName := ._rox.mainImagePullSecrets._names }}
+- name: {{ quote $secretName }}
+{{- end }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: stackrox:upgrade-sensors
+ labels:
+ {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:upgrade-sensors") | nindent 4 }}
+ annotations:
+ {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:upgrade-sensors") | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: sensor-upgrader
+ namespace: {{ ._rox._namespace }}
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
+
+{{- end }}
diff --git a/3.0.59.0/secured-cluster-services/values-private.yaml.example b/3.0.59.0/secured-cluster-services/values-private.yaml.example
new file mode 100644
index 0000000..ecdec21
--- /dev/null
+++ b/3.0.59.0/secured-cluster-services/values-private.yaml.example
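Review bot: The ClusterRoleBinding `stackrox:upgrade-sensors` binds the `sensor-upgrader` service account to the built-in `cluster-admin` ClusterRole, and the template carries no comment saying so; the only guard is `createUpgraderServiceAccount`, which the values-public.yaml.example in this patch defaults to `false`. A comment above the `{{- if` such as `# sensor-upgrader is bound to cluster-admin below; enable only where in-cluster auto-upgrades are actually used.` would make the consequence of flipping the flag visible at the point of use. The values example also states that auto-upgrades for Helm-managed clusters are disabled, so if that holds the binding is dormant cluster-wide privilege worth revisiting; I cannot confirm from this patch whether Sensor still depends on it. The SCC in sensor-scc.yaml admits this service account as well, so the two resources should be reviewed together.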
@@ -0,0 +1,19 @@ +# # BEGIN CONFIGURATION VALUES SECTION +# +# # Image pull credentials. If you do not specify these, you need to specify one of +# # the following: +# # - `imagePullSecrets.allowNone=true`: in case your registry allows pulling images without +# # credentials. +# # - `imagePullSecrets.useExisting="secret1;secret2;..."`: in case you have pre-existing image +# # pull secrets with the given name already created in the target namespace. +# # - `imagePullSecrets.useFromDefaultServiceAccount=true`: in case the default service account +# # in the target namespace is configured with sufficiently scoped image pull secrets. +# # +# # Since the above settings do not expose any confidential data, they can safely be added +# # to the values-public.yaml configuration file or provided on the command line. +# +# # If you do not know if any of the above applies to your situation, your best course of +# # action is probably to enter your image pull credentials here. +# imagePullSecrets: +# username: +# password: diff --git a/3.0.59.0/secured-cluster-services/values-public.yaml.example b/3.0.59.0/secured-cluster-services/values-public.yaml.example new file mode 100644 index 0000000..a3f081e --- /dev/null +++ b/3.0.59.0/secured-cluster-services/values-public.yaml.example 
@@ -0,0 +1,354 @@ +# StackRox Kubernetes Security Platform - Secured Cluster Services Chart +# PUBLIC configuration file. +# +# This file contains general configuration values relevant for the deployment of the +# StackRox Kubernetes Platform Secured Cluster Services components, which do not contain +# or reference sensitive data. This file can and should be stored in a source code +# management system and should be referenced on each `helm upgrade`. +# +# Most of the values in this file are optional, and you only should need to make modifications +# if the default deployment configuration is not sufficient for you for whatever reason. +# The most notable exceptios are +# +# - `clusterName`, +# - `centralEndpoint` and +# - `imagePullSecrets`. +# +# # BEGIN CONFIGURATION VALUES SECTION +# +## The cluster name. A new cluster of this name will be automatically registered at StackRox Central +## when deploying this Helm chart. Make sure that this name is unique among the set of secured clusters. +#clusterName: null +# +## To change the cluster name, confirm the new cluster name in this field. It should match the `clusterName` value. +## You don't need to change this unless you upgrade and change the value for clusterName. +## In this case, set it to the new value of clusterName. This option exists to prevent you from accidentally +## creating a new cluster with a different name. +#confirmNewClusterName: null +# +## The gRPC endpoint for accessing StackRox Central. +#centralEndpoint: central.{{ .Release.Namespace }}:443 +# +## A dictionary of additional CA certificates to include (PEM encoded). +## For example: +## additionalCAs: +## acme-labs-ca.pem: | +## -----BEGIN CERTIFICATE----- +## [...] +## -----END CERTIFICATE----- +#additionalCAs: null +# +# Specify `true` to create the `sensor-upgrader` account. By default, the StackRox Kubernetes +# Security Platform creates a service account called `sensor-upgrader` in each secured cluster. 
+# This account is highly privileged but is only used during upgrades. If you don’t create this +# account, you will have to complete future upgrades manually if the Sensor doesn’t have enough +# permissions. See +# [Enable automatic upgrades for secured clusters](https://help.stackrox.com/docs/configure-stackrox/enable-automatic-upgrades/) +# for more information. +# Note that auto-upgrades for Helm-managed clusters are disabled. +#createUpgraderServiceAccount: false +# +## Configuration for image pull secrets. +## These should usually be set via the command line when running `helm install`, e.g., +## helm install --set imagePullSecrets.username=myuser --set imagePullSecrets.password=mypass, +## or be stored in a separate YAML-encoded secrets file. +#imagePullSecrets: +# +# # If no image pull secrets are provided, an installation would usually fail. In order to +# # prevent it from failing, this option must explicitly be set to true. +# allowNone: false +# +# # If there exist available image pull secrets in the cluster that are managed separately, +# # set this value to the list of the respective secret names. While it is recommended to +# # record the secret names in a persisted YAML file, providing a single string containing +# # a comma-delimited list of secret names is also supported, for easier interaction with +# # --set. +# useExisting: [] +# +# # Whether to import any secrets from the default service account existing in the StackRox +# # namespace. The default service account often contains "standard" image pull secrets that +# # should be used by default for image pulls, hence this defaults to true. Only has an effect +# # if server-side lookups are enabled. +# useFromDefaultServiceAccount: true +# +## Settings regarding the installation environment +#env: +# # Treat the environment as an OpenShift cluster. Leave this unset to use auto-detection +# # based on available API resources on the server. 
+# # Set it to true to auto-detect the OpenShift version, otherwise set it explicitly. +# # Possible values: null, false, true, 3, 4 +# openshift: null +# +# # Treat the environment as Istio-enabled. Leave this unset to use auto-detection based on +# # available API resources on the server. +# # Possible values: null, false, true +# istio: null +# +## PEM-encoded StackRox Service CA certificate. +#ca: +# cert: null +# +## Image configuration +#image: +# # The image registry to use. Unless overridden in the more specific configs, this +# # determines the base registry for each image referenced in this config file. +# registry: my.image-registry.io +# +# # Configuration for the `main` image -- used by Sensor, Admission Control, Compliance. +# main: +# registry: null # if set to null, use `image.registry` +# name: main # the final image name is composed of the registry and the name, plus the tag below +# tag: null # should be left as null - will get picked up from the Chart version. +# fullRef: null # you can set a full image reference such as stackrox.io/main:1.2.3.4 here, but this is not +# # recommended. +# # The default pull policy for this image. Can be overridden for each individual service. +# pullPolicy: IfNotPresent +# +# # Configuration for the `collector` image -- used by Collector. +# collector: +# registry: null +# name: collector +# tag: null +# fullRef: null +# pullPolicy: IfNotPresent +# +## Sensor specific configuration. +#sensor: +# +# # Kubernetes image pull policy for Sensor. +# imagePullPolicy: IfNotPresent +# +# # Resource configuration for the sensor container. +# resources: +# requests: +# memory: "1Gi" +# cpu: "1" +# limits: +# memory: "4Gi" +# cpu: "2" +# +# # Settings for the internal service-to-service TLS certificate used by Sensor. +# serviceTLS: +# cert: null +# key: null +# +# # Use a nodeSelector for sensor +# nodeSelector +# environment: production +# +# # Address of the Sensor endpoint including port number. No trailing slash. 
+# # Rarely needs to be changed. +# endpoint: sensor.stackrox:443 +# +## Admission Control specific configuration. +#admissionControl: +# +# # This setting controls whether the cluster is configured to contact the StackRox +# # Kubernetes Security Platform with `AdmissionReview` requests for create events on +# # Kubernetes objects. +# listenOnCreates: false +# +# # This setting controls whether the cluster is configured to contact the StackRox Kubernetes +# # Security Platform with `AdmissionReview` requests for update events on Kubernetes objects. +# listenOnUpdates: false +# +# # This setting controls whether the cluster is configured to contact the StackRox +# # Kubernetes Security Platform with `AdmissionReview` requests for update Kubernetes events +# # like exec and portforward. +# # +# # Defaults to `false` on OpenShift, to `true` otherwise. +# listenOnEvents: true +# +# +# # Dynamic part of the configuration which is retrieved from Central and can be modified through +# # the frontend. +# dynamic: +# +# # It controls whether the StackRox Kubernetes Security Platform evaluates policies for object +# # updates; if it’s disabled, all `AdmissionReview` requests are automatically accepted. You must +# # specify `listenOnUpdates` as `true` for this to work. +# enforceOnUpdates: false +# +# # Controls whether the StackRox Kubernetes Security Platform evaluates policies. +# # If disabled, all AdmissionReview requests are automatically accepted. You must specify +# # `listenOnCreates` as `true` for this to work. +# enforceOnCreates: false +# +# scanInline: false +# +# # If enabled, bypassing the Admission Controller is disabled. +# disableBypass: false +# +# # The maximum time in seconds, the StackRox Kubernetes Security Platform should wait while +# # evaluating admission review requests. Use it to set request timeouts when you enable image scanning. 
+# # If the image scan runs longer than the specified time, the StackRox Kubernetes Security Platform +# # accepts the request. Other enforcement options, such as scaling the deployment to zero replicas, +# # are still applied later if the image violates applicable policies. +# timeout: 3 +# +# # Kubernetes image pull policy for Admission Control. +# imagePullPolicy: IfNotPresent +# +# # Resource configuration for the Admission Control container. +# resources: +# requests: +# memory: "100Mi" +# cpu: "50m" +# limits: +# memory: "500Mi" +# cpu: "500m" +# +# # Settings for the internal service-to-service TLS certificate used by Admission Control. +# serviceTLS: +# cert: null +# key: null +# +## Collector specific configuration. +#collector: +# +# # Collection method to use. Can be one of: +# # - EBPF +# # - KERNEL_MODULE +# # - NO_COLLECTION +# collectionMethod: KERNEL_MODULE +# +# # Configure usage of taint tolerations. If `false`, tolerations are applied to collector, +# # and the collector pods can schedule onto all nodes with taints. If `true`, no tolerations +# # are applied, and the collector pods won't scheduled onto nodes with taints. +# disableTaintTolerations: false +# +# # Configure whether slim Collector images should be used or not. Using slim Collector images +# # requires Central to provide the matching kernel module or eBPF probe. If you are running +# # the StackRox Kubernetes Security Platform in offline mode, you must download a kernel support +# # package from [stackrox.io](https://install.stackrox.io/collector/support-packages/index.html) +# # and upload it to Central for slim Collectors to function. Otherwise, you must ensure that +# # Central can access the online probe repository hosted at https://collector-modules.stackrox.io/. +# slimMode: false +# +# # Kubernetes image pull policy for Collector. +# imagePullPolicy: IfNotPresent +# +# # Resource configuration for the Collector container. 
+# resources: +# requests: +# memory: "320Mi" +# cpu: "50m" +# limits: +# memory: "1Gi" +# cpu: "750m" +# +# complianceImagePullPolicy: IfNotPresent +# +# # Resource configuration for the Compliance container. +# complianceResources: +# requests: +# memory: "10Mi" +# cpu: "10m" +# limits: +# memory: "2Gi" +# cpu: "1" +# +# # Settings for the internal service-to-service TLS certificate used by Collector. +# serviceTLS: +# cert: null +# key: null +# +# # Customization Settings. +# # The following allows specifying custom Kubernetes metadata (labels and annotations) +# # for all objects instantiated by this Helm chart, as well as additional pod labels, +# # pod annotations, and container environment variables for workloads. +# # The configuration is hierarchical, in the sense that metadata that is defined at a more +# # generic scope (e.g., for all objects) can be overridden by metadata defined at a narrower +# # scope (e.g., only for the central deployment). +# customize: +# # Extra metadata for all objects. +# labels: +# my-label-key: my-label-value +# annotations: +# my-annotation-key: my-annotation-value +# +# # Extra pod metadata for all objects (only has an effect for workloads, i.e., deployments). +# podLabels: +# my-pod-label-key: my-pod-label-value +# podAnnotations: +# my-pod-annotation-key: my-pod-annotation-value +# +# # Extra environment variables for all containers in all objects. +# envVars: +# MY_ENV_VAR_NAME: MY_ENV_VAR_VALUE +# +# # Extra metadata for the Sensor deployment only. +# sensor: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the collector daemon set only. +# collector: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the admission control only. +# admission-control: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the compliance only. 
+# compliance: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for all other objects. The keys in the following map can be +# # an object name of the form "service/central-loadbalancer", or a reference to all +# # objects of a given type in the form "service/*". The values under each key +# # are the five metadata overrides (labels, annotations, podLabels, podAnnotations, envVars) +# # as specified above, though only the first two will be relevant for non-workload +# # object types. +# other: +# "service/*": +# labels: {} +# annotations: {} +# +# # EXPERT SETTINGS +# # The following settings should only be changed if you know very well what you are doing. +# # The scenarios in which these are required are generally not supported. +# +# # Set allowNonstandardNamespace=true if you are deploying into a namespace other than +# # "stackrox". This has been observed to work in some case, but is not generally supported. +# allowNonstandardNamespace: false +# +# # Set allowNonstandardReleaseName=true if you are deploying with a release name other than +# # the default "stackrox-central-services". This has been observed to work in some cases, +# # but is not generally supported. +# allowNonstandardReleaseName: false +# +# +#meta: +# # This is a dictionary from file names to contents that can be used to inject files that +# # would usually be included via .Files.Get into the chart rendering. +# fileOverrides: {} +# +# # This configuration section allows overriding settings that would be inferred from the +# # running API server. +# apiServer: +# # The Kubernetes version running on the API server. This is used for auto-detection +# # of the platform. +# version: null +# # The list of available API resources on the server, in the form of "apps/v1" or +# # "apps/v1/Deployment". This is used to detect environment capabilities. 
+# overrideAPIResources: null +# # A list of extra API resources that should be assumed to exist on the API server. This +# # can be used in conjunction with both data obtained from the API server, or data set +# # via `overrideAPIResources`. +# extraAPIResources: [] diff --git a/3.0.59.0/secured-cluster-services/values.yaml b/3.0.59.0/secured-cluster-services/values.yaml new file mode 100644 index 0000000..3297a22 --- /dev/null +++ b/3.0.59.0/secured-cluster-services/values.yaml @@ -0,0 +1,9 @@ +## StackRox Secured Cluster Services chart +## values.yaml +## +## This file contains no values. In particular, you should NOT modify this file; instead, +## create your own configuration file and pass it to `helm` via the `-f` parameter. +## For this, you can use the files `values-private.yaml.example` and `values-public.yaml.example` +## that are part of the chart as a blueprint. +## +## Please also consult README.md for a list of available configuration options. diff --git a/README.md b/README.md index 1912907..eb309c0 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -[![Latest version: 3.0.58.1](https://img.shields.io/badge/Latest%20version-3.0.58.1-green.svg)][Latest version] +[![Latest version: 3.0.55.0](https://img.shields.io/badge/Latest%20version-3.0.55.0-green.svg)][Latest version] # Helm charts for the StackRox Kubernetes Security Platform @@ -109,4 +109,4 @@ Helm charts for the [StackRox Kubernetes Security Platform](https://www.stackrox licensed under [Apache License 2.0](./LICENSE). -[Latest version]: ./3.0.58.1/ \ No newline at end of file +[Latest version]: ./3.0.55.0/ \ No newline at end of file diff --git a/latest b/latest index 5ed8796..8a44bb6 120000 --- a/latest +++ b/latest @@ -1 +1 @@ -./3.0.58.1/ \ No newline at end of file +./3.0.50.1/ \ No newline at end of file diff --git a/rhacs/3.0.59.0/central-services/.helmignore b/rhacs/3.0.59.0/central-services/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null 
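Review bot: In the `sensor:` section of values-public.yaml.example the line `# nodeSelector` has no trailing colon, so the example `# environment: production` beneath it is not a valid mapping once a user uncomments the block; it should read `#  nodeSelector:`. Two wording defects in the same file: "The most notable exceptios are" should be "exceptions", and the `allowNonstandardReleaseName` comment refers to the default release name `"stackrox-central-services"`, which looks copied from the central chart — for this chart the default is presumably the secured-cluster release name, so the comment should name that one. Since this file is what users copy into their own values, a parse failure or a wrong default name lands directly in their configuration.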
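Review bot: The README badge and link move the advertised latest version from 3.0.58.1 back to 3.0.55.0, and the `latest` hunk below repoints the symlink from `./3.0.58.1/` to `./3.0.50.1/`, while the commit publishes 3.0.59.0; both look like regressions rather than the intended bump, and the two new values do not even agree with each other. Anyone installing via the `latest` path or following the badge would be steered to an older chart than the one already published, so the expected lines are `[![Latest version: 3.0.59.0](https://img.shields.io/badge/Latest%20version-3.0.59.0-green.svg)][Latest version]`, `[Latest version]: ./3.0.59.0/` and `./3.0.59.0/` for the symlink target. The second README hunk (`@@ -109,4 +109,4 @@`) and the `latest` hunk carry the same defect.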
+++ b/rhacs/3.0.59.0/central-services/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/rhacs/3.0.59.0/central-services/Chart.yaml b/rhacs/3.0.59.0/central-services/Chart.yaml new file mode 100644 index 0000000..22a045a --- /dev/null +++ b/rhacs/3.0.59.0/central-services/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 # Can probably be generalized to v1 later. TODO(ROX-5502). +name: stackrox-central-services +icon: https://www.stackrox.com/img/logo.svg +description: Helm Chart for StackRox Central Clusters +type: application +version: 59.0.0 +appVersion: 3.0.59.0 diff --git a/rhacs/3.0.59.0/central-services/README.md b/rhacs/3.0.59.0/central-services/README.md new file mode 100644 index 0000000..b28e701 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/README.md 
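Review bot: In Chart.yaml `appVersion: 3.0.59.0` is left as a plain scalar; the field is a string and Helm's own guidance is to quote it, since a future two-component value would be read as a float, so `appVersion: "3.0.59.0"` is the safer form. The trailing comment `# Can probably be generalized to v1 later. TODO(ROX-5502).` sits next to `type: application`, which exists only in `apiVersion: v2`, so that TODO would also require dropping `type`; the comment should say so, or the TODO reconsidered.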
@@ -0,0 +1,180 @@ +# StackRox Kubernetes Security Platform - Central Services Helm Chart + +This Helm chart allows you to deploy the central services of the StackRox +Kubernetes Security Platform: StackRox Central and StackRox Scanner. + +## Prerequisites + +To deploy the central services for the StackRox Kubernetes Security platform +using Helm, you must: +- Have at least version 3.1 of the Helm tool installed on your machine +- Have credentials for the `stackrox.io` registry or the other image registry + you use. + +## Add the Canonical Chart Location as a Helm Repository + +The canonical repository for StackRox Helm charts is http://mirror.openshift.com/pub/rhacs/charts. +To use StackRox Helm charts on your machine, run +```sh +helm repo add stackrox http://mirror.openshift.com/pub/rhacs/charts +``` +This command only needs to be run once on your machine. Whenever you are deploying +or upgrading a chart from a remote repository, it is advisable to run +```sh +helm repo update +``` +beforehand. + +## Deploy Central Services Using Helm + +The basic command for deploying the central services is +```sh +helm install -n stackrox --create-namespace \ + stackrox-central-services stackrox/central-services +``` +If you have a copy of this chart on your machine, you can also reference the +path to this copy instead of `stackrox/central-services` above. + +In order to be able to access StackRox Docker images, you also need image pull +credentials. There are several ways to inject the required credentials (if any) +into the installation process: +- **Explicitly specify username and password:** Use this if you are using the images + from the default registry (`registry.redhat.io/rh-acs`), or a registry that supports username/password + authentication. 
Pass the following arguments to the `helm install` command: + ```sh + --set imagePullSecrets.username= --set imagePullSecrets.password= + ``` +- **Use pre-existing image pull secrets:** If you already have one or several image pull secrets + created in the namespace to which you are deploying, you can reference these in the following + way (we assume that your secrets are called `pull-secret-1` and `pull-secret-2`): + ```sh + --set imagePullSecrets.useExisting="pull-secret-1;pull-secret-2" + ``` +- **Do not use image pull secrets:** If you are pulling your images from a registry in a private + network that does not require authentication, or if the default service account in the namespace + to which you are deploying is already configured with appropriate image pull secrets, you do + not need to specify any additional image pull secrets. To inform the installer that it does + not need to check for specified image pull secrets, pass the following option: + ```sh + --set imagePullSecrets.allowNone=true + ``` + +### Accessing the StackRox Portal After Deployment + +Once you have deployed the StackRox Kubernetes Security Platform Central Services via +`helm install`, you will see an information text on the console that contains any things to +note, or warnings encountered during the installation text. In particular, it instructs you +how to connect to your Central deployment via port-forward (if you have not configured an +exposure method, see below), and the administrator password to use for the initial login. + +### Applying Custom Configuration Options + +This Helm chart has many different configuration options. For simple use cases, these can be +set directly on the `helm install` command line; however, we generally recommend that you +store your configuration in a dedicated file. + +#### Using the `--set` family of command-line flags + +This approach is the quickest way to customize the deployment, but it does not work for +more complex configuration settings. 
Via the `--set` and `--set-file` flags, which need to be +appended to your `helm install` invocation, you can inject configuration values into the +installation process. Here are some examples: +- **Deploy StackRox in offline mode:** This configures StackRox in a way such that it will not + reach out to any external endpoints. + ```sh + --set env.offlineMode=true + ``` +- **Configure a fixed administrator password:** This sets the password with which you log in to + the StackRox portal as an administrator. If you do not configure a password yourself, one will + be created for you and printed as part of the installation notes. + ```sh + --set central.adminPassword.value=mysupersecretpassword + ``` + +#### Using configuration YAML files and the `-f` command-line flag + +To ensure the best possible upgrade experience, it is recommended that you store all custom +configuration options in two files: `values-public.yaml` and `values-private.yaml`. The former +contains all non-sensitive configuration options (such as whether to run in offline mode), and the +latter contains all sensitive configuration options (such as the administrator password, or +custom TLS certificates). The `values-public.yaml` file can be stored in, for example, your Git +repository, while the `values-private.yaml` file should be stored in a secrets management +system. + +There is a large number of configuration options that cannot all be discussed in minute detail +in this README file. However, the Helm chart contains example configuration files +`values-public.yaml.example` and `values-private.yaml.example`, that list all the available +configuration options, along with documentation. 
The following is just a brief example of what +can be configured via those files: +- **`values-public.yaml`:** + ```yaml + env: + offlineMode: true # run in offline mode + + central: + # Use custom resource overrides for central + resources: + requests: + cpu: 4 + memory: "8Gi" + limits: + cpu: 8 + memory: "16Gi" + + # Expose central via a LoadBalancer service + exposure: + loadBalancer: + enabled: true + + scanner: + # Run without StackRox Scanner (NOT RECOMMENDED) + disable: true + + customize: + # Apply the important-service=true label for all objects managed by this chart. + labels: + important-service: true + # Set the CLUSTER=important-cluster environment variable for all containers in the + # central deployment: + central: + envVars: + CLUSTER: important-cluster + ``` +- **`values-private.yaml`**: + ```yaml + central: + # Configure a default TLS certificate (public cert + private key) for central + defaultTLS: + cert: | + -----BEGIN CERTIFICATE----- + MII... + -----END CERTIFICATE----- + key: | + -----BEGIN EC PRIVATE KEY----- + MHc... + -----END EC PRIVATE KEY----- + ``` + +After you have created these YAML files, you can inject the configuration options into the +installation process via the `-f` flag, i.e., by appending the following options to the +`helm install` invocation: +```sh +-f values-public.yaml -f values-private.yaml +``` + +### Changing Configuration Options After Deployment + +If you wish to make any changes to the deployment, simply change the configuration options +in your `values-public.yaml` and/or `values-private.yaml` file(s), and inject them into an +`helm upgrade` invocation: +```sh +helm upgrade -n stackrox stackrox-central-services stackrox/central-services \ + -f values-public.yaml \ + -f values-private.yaml +``` +Under most circumstances, you will not need to supply the `values-private.yaml` file, unless +you want changes to sensitive configuration options to be applied. 
+ +Of course you can also specify configuration values via the `--set` or `--set-file` command-line +flags. However, these options will be forgotten with the next `helm upgrade` invocation, unless +you supply them again. 
diff --git a/rhacs/3.0.59.0/central-services/assets/icon.png b/rhacs/3.0.59.0/central-services/assets/icon.png new file mode 100644 index 0000000000000000000000000000000000000000..3c136e3990a7382e8742c9079028abe00697c82c GIT binary patch literal 13406 zcmcJ0WmFtZx9$w??(PI91a}V-T!IYl4uiY9Yk=SuT!Kq*cL)~TU4#3b_dDN_b=JE7 z?wz%Ix_j3y>*}h#>v?uZDl2|QMIu51005}6GLov0^YA|h0uf(`Kj9?-66ecpN3IKo?9RLsz0suTgL;;5YfGaxyaBK(w@TUU+_>Ng^DuR#%L`NBI zX8-^h`=0{{$jl-D0HBbq)U{l+6u$7AIM}fonK~Gov3l4!LbL$@K@Wb&rJb3J5rv1H zt-Uk9hY;1jH25Lc|A^VBDE_75Vk1PQrJzh9;Q%(H;9})uWv3EGqM)D<1e==kt4d1$ zJ3Hh~h|1E%#gU(l&E4Id)%_Ez1K5J?BOf0h8#@OZ2L}s8gT>j?-o?m+#on3vKMMKJ zawN^1O~6);E>;fq6#tZKWbEMTB1A>?PeuRr`;T_ISegHKP4>?J?iQqjZ2zRNePm^4 z`>(PgSq1-*@~fITJJ`DZQ@n<~m5VTk;J=jrxA?zn`;S}_4t9=UGiPT=HsO!|&hkHH z|65-PY-I-N-#^v-m;V2h{cn9`O9vMR$g>7pnaJ9^n1Lac{X6%6Ht_$h@$a$(+5UN4 z|Ksuf$JqQ!3K<+>Btf?S8fal8bScJU0N~>w8s_U9GWue3P0 zQj!?Ouwi&GN9RrL16nq9CTBW}ZhGE}=jV9sxX>`r%Ay!=2kQdY9$&5u!)CpO9bU)L zJ~^DX-+L?NI;(u7mQEFoPykZHF-xOp#SqjId^GMh?hhD<07hf}zZ90wsH>~rY)N23 z<5Ay=A4BhG#W2FEPW}EwCg{@}Fd$=>Fgon>%XWT0EUgY9<3h+0YW-1?fB;(4Ozimf z`zhB+lZ_Ujh$K^Yi0UjLZ>i`WHuS~>(&ACnvePVg-KKM!vpGV_b}u^2DpD*WZOP__ zSc&12g>3j-gx|*9s`N!*=WDl9VcU~G*c7)4CyplJFr;ILa3zVE<|@*6hzNgbw61xe z@d|%N2Fv)pJwt~pd4`~f%7o~I0lv-FbtlYnM9zPMP=-u-)ra|0s;#HHI8$rDGCk_5Uk~+5AM5-hdti`LRpG-LpRS)3}Fnj=I zPe>F4dTnRM%GaBBz}NN8iPyurfdCDA8NGHV_oZ}g1U{-=)S#MH*UB(e!K;ikOd}n9 zR=xMbVoGSuj0DCfiom&SZ}cGr{fGo6aZ(@^i|vl6Ggbs+PUfDV%^TxjT{=1NckpMW zl1UJfhxqV>D9(>~O58FA0@c-G6GFWq_VLkQ&)+Mv;)!)pw9G`0kLqvuq8IYsA1QZd zXSpZ4S#yxMCZhBuL*03O@BR+4pc2;Nh%=r^?QfeAE7vPeM?r>;KvgC~+NvyoQPfmk zg+!d}w>cYAvI*{01n|TpU~cTIgJ$*X0sL>vkW*LY+TS24R$A#)2E0(aY^+2#fOrmJ zMh&i!JolfH1*2$S#T=u#*+Jz-!`O5kwzylSdE!3tN7#t8*A8=YfoZP$5?pV74*E@Jx_ zijJ?1IdIznDF6nO@Q^k;YCz?_{aTalO78VtHZysWafZ!;U4;orWP*VBEgp;B=QB09 z%H^%h0=59>(?9;>T(#tGdBh<^$)+%vo*6 z)tjkxyaLH_4h3q3Y=PG$x?XD2?sj+2#%Qa2B|=qL*wD{$*{BhOQIzw7OG_W?A~j-; zgW`j*D!b^?@{0L<%t=~(ZqvrU)wCKMTv85jG+*$Wu3^@HF?1NDi9uyfZtG;#YgK8l 
zl)14IM_Ra>`!hD9C%u*arBGCBphWZIEz@phlIm2TeB;k(2P14`OHuwFX0KJbFnjq?cZrQ`5~<8Df0P`?W4X) zL2$Ai5iC>@U?ZxCy|unCCYWaq^cKEAtT9q9g+=DXi9#anLBQ=It|P z6iu|(yU}roRhODR6cbFPlizX=PX;~d=yO~~>mm?uZUCHASXq=x4pi~LS zfStnjv*LqwMhn zCROx!x&~xHck{0rI(9c&J2J2FbU8c zLtBHq@HcmQtmvv>xa+_3-*Ii;q^qbzB^K)NlV@&ciKFc^hOxB{iXn< zZnB%&eyjM->)c<4xAg~XDMO~~U2MEAH!({6hA|GW7$%-Zok#>oUfgvw$1$%DT{Ke~ z+e7#c_2L~9;@ja{mR`ve#O}(RYc}Gz80A|D+vW#9TSVtDea|F(7p!HaDP#}Tw_5`H zGdP@&3WugrB#;*V_8&zj>iPAkYVkxY%vJCbh`Ko+553RA=QvGA94*?fs%*NjL~`c{ z<%$=?-pMcpgoGK3#!&|=>rRnr|CtBDsyhb`D2&GH-iO6y%J%x`8xr#u3pn+xJ;%#YiO(kVz9YY9w>vhqfsm+^u=~ z`7qeW8aTTyeYL+M;l-?kxuI5=#`t#Ew>FH;msNhwNTHsr0^2r_9(gUBUQXpiIf zz2i9OQ|630;kiJ4+vBN}e}(@{yd}mdHx&ugoCH+}K?bP^rvJCo^__3!RUTTEq!Y`S zwsR$DyTR!Tz!4z%gqkh)=~HU>V}My40Z+JOT%Z|UX$~Q<4%EmkWHb0xCT*Kf)SGKMAMp!5j&g2t`Bz2ToU>E9 zQXe^t_JMHM>h@Bc$0P05EJj5P$5cKnzkYiTb$p=JK zA)gl)r0PC6>X~e5;?!}(yoq$lN?_&u2UHc*M6Y6AJkNuXdY2;dg=rFjH1#B2xY%&_ zDzBs6Qe_DgTJi`-=XZQie|v`7OYpjT8R!`BFUS?UaI!bTUKv%KA4hoL4^1htqG3B-_YBi_>Zsq@iLYN=; zf!P~o4ElyTEujsZER6~6B9Mnig;0{Z%-Syu8@T{AiiR`ra2f$6?td); zCwVKyY<^4{G^4=}s;zH2`I78o_bfI;oR{ot#Yde^zvM>qHExB~SUr&1#&pLv+D#G? 
zd;5d=Qv5~4O)nnXiYRhssuXcOI3Oc%9W_QFI-tVeT!10&oj z7wdm)5d_5;?+3HF#E9 z6WvsUamdv;q1q1&n@-1{Cf7viUsXp@r(I)CcVKlMIH$vuhwAaG86ESY4Z6lARyt2G z?6O}|Rnm2k@_>n#CsqA^J~d_aX+l0X>aFA=Y;6AbZzlF)uMoSWQ}#(LSVjU<(4@i2n&IgyQfn3>F^kN2M@RMc5 zn~0`u(){l-=(SI_7;!a6a6LICBixKl9kcb6A2a+tgJF4W$4_l|&KcuL`o7aE8N?iM zN8#auXQWxU#G>?<_f@p|p2sh?c79}GAMC*6*(ZmS=$b?;3Fgl|gJ1Xc>`@Q9?#Tq< z>SkB@HOD~HA>5&VZ1GOXI0C#PAD|GFqi1436Ci%BMpX%pAl~u&U^ezHVTlreb?WE1 zz)6FSd`HG`B{=%Z@& z8r_Vv#Z3k}>UEjQ<;bs0?V$qlS1j+?VzjMt^(~e8>vH#tza63kM=)~0P;Lec&)cF& ziB8Vd)&qo7K`j|drhFqtR?-~)3Uvz2?X~XCx`iTHg8>)=Y$Bpr)G*3Wx)@%+V{x(k z7k2Wl(gaCjy?L#07G#B!$aR=Tj5*RoIFiqsz( zZct1K@}+!6#pxRIrCipyF}(_4mIWi$L#|^Roz9`m4O@LoUQk@H_Uo@uh$CJfIv{m4 z1qIK&hL`R9V5KAa)q5wsrYtvBUu$tir*v2T(J;RI5GA8sqWgDF z%12ScASSy7z{##N!E7mBhr|}t$j0g`gZLug{Kj}p%=C@3zXQpG(b@sB&wajfzD{W` zQOy<16}Etls*n+&U^e1yh8JcubaM04+D5pkC!e57I$4=xkA3M- zz!4di`gYu37TrBw`jgF6yo^VF^p<(yvf6NiAfgD&*I4)EaoPP(`GlEtT<#CE@poUA za$?aaBokDbbfx-C)^W2)1JouL4GtFd)YIds+m*oR23I-tIS{OQAQ4CV9cgM(n8Q!- zvgb{y2?5+D_O2Iq{A^>C*e#T$6S4u({{G&x6slNka5oipWu@d!`|DJEm>CihQt@*5 zEIuKd0h{hGST1zv%~^iiX>fUt{0IpetlIIzkld+1LpdWCvIb#!#9}wG8~b=;nrbe_ zQ?q+bPqOLSUOFlTy%tL>m|&#4N%XR5zBg*LIK(`Ol>Pi^GKJZC{;~UY8CBpo zBe>GVQqmercBV2@PYpLUtgh55;p>tpV`s%6x1%%x2sO`%?T}9Z@YhgkyW%^z1;Za28h=QW<&=@n# z14J?59+F+#z>Y(mb?+Wbvv)Y@=K&rLhQCyyp;zk56gmR!Kx$mB+3M|?QbqaLwJ-4@ zCNqEFS>WeUZH)<8*zs}d&!qzc>tsE*@t$eF*g%#5PKk<6_HewO(w&0h6SHE<+t|Q> z-yeP)b+$DeO^)?C+MD5TyiLdev%7JK(v{(J*Iy7*9|k$zr+8J9vj{02Juh1)W1(LQ!}lYn zTv-E;2F4ca-oEDCXHe4{dPV)Gj<5p zq+AgJc7pZds*5T!Au!)sI8)GUO5t4f-h_!8L74nnqPTdahCdeOu9$=OJQxz3!yG?0 zKFf7_V_&iGCc!e1$$)Bv*l9&-KikQaPNWe~H9B7>!{HtN_o>AbDfVz_;$s|mEq-Pu6&$>HL+Z=eq0~Qn zpXkiiblu5PAQOFKzYXq2%8L?81z9{SV{23XrKcajK87Op%PSxOYJuVFum_T_x4Iqx6}o0H&VyzVQ6dO4zuo5?1W|R?%~>4k`ag(D7?o7O zO}IStd>b3z?ZZ(w2|2CZXp}C$?Cxk3>#@Xr6J#k=EzW-myk+HKqwxALi)wF;TgY(| z$4QlCK9JevIa`~)kKcbw5bXCCJH2LAG)Z&Ry$zf!r)dAz+6bE-RD!Y6yTg6dLZ2FH zw734+RVDtt^yMMdMa8ZC`!^9)8_BIvkpVK&c?;lIX-?F?XypCzXgPUhQ{ol)13gsXW)(bRa(%7Q??q`P(y=gj49M5V-#8n&wL=B@=IcWF 
zEA3fi&0x-)hYnDca!M$(H|f%5bb|Dha|y#TzPYu5JL|$U9}ud;f=F9=Kh=9WhHt*T z=uq%?K=2Ny_{>Zqp8jC?0a0r9)Nf^)0xwz@$Vi3lapI^i8u1P?jMO0WaXl3;yvyjK zkM)2asFfMc1kN~qzrR7u-!nLO&`*i6PkX1?3wx-BobhYqMl@?VCAPz<&jKCmSt=EAd8tSpeF#DST~?g|Ez%bU zF(V_NDe%Lf+<0Hxwho1#$AQ!!6KXU;EhlUmuEwiW))cA3dZz*5mkL$v*C;QP^Z?<$ zSgg65@fWx0bpARLL&s`rw@Lno&@{>gnr<2JB~`|!Sbynpm1dX+EMsrqxlF2)3dhVbI!8a1sENT) zs4M|U1!vMSaWl$=^!|`SsM_jRTtxm>JthZSE^jTaQf6f;g9R53>0S=FC{7BHaL=Qc ziRMNyGA7ZHB|~7yQavI~ug9-lMGXDCQ5t%`dyDB<#Fyc3COnzWPS@kG^J@{X_Ze^n z^nOffvz`PMbbj1o{UBSxGZgAy$;6_2W#@0u1bn0E;Ao0UCOw2pj_D|EI@I!rYChwq z`4~4>+gDoueENvPuzo4X0!c|&3-htfsvfr+SB^pUGVcG}S8&=H1CQbJ9Vb0%^3xdN=(I@n7=n>@P z7bjWFx|ovQ418C#n3`D;_~c<9X&KD?`*Js-|4F&nf8wq?yIjkjM0d|qPXYG6;G z3b$2{U)c#kwXHL($!qnyCfl;W*UPa2Uu!D1f}TNb;NV;}QAEx?i2d!wV_sYX#I?d` zsfxc0R(W6kKtf@Ae|_Gb^^Jo-eAViQn$}&0$JL-;QYX<-X3JrVbcPz%gMPPUbF3~2 zT+ZsLaAoDtc=rUyw5_G(OI0`n{PSMTM3Rl|v6zKQ8UJv8hX2X>{X@_Fn+p7w@QF8q z>^Qk0JU-XF)29%r`MJBR#a$TZD&EAb zJ1Iw?tZZb;UkQCx^>2m_B`{hxZ5zGhBSHqVPWk?>-XGH801a`_gtFJ**lW1rWO{pn z|7=QnbyxpA0V-R`lz!*MW+W#VWbHJcBU>qL*yws5lh8-b#GQJAc_{34%YU*SJk)(j zCg?@wEhOigmiQReg(yPgK{>A+YO!^;0!qJ`T9Krj%P9i2QJ5;RW~v_r-SqhxbS4_O zf!YJ+m+Pt*#FuaFK?fGLXr#A>+TzwInHzRsaASBr6+M@9%P z^U~$9y+Yc#_133;&U}8F)x7AiPMRu+PI++W_X~pqO@TyPnNPvlnz^>=491Yp*MbCM z28vQ`nxR&nP4>*sGwU4{y7JXJ?U2VigQcD)51Gi9vKSWa{b78NHB$7phV<+0iN!Tb zCbN|*9GCZXSQGJBV+HOXZy_kZQmhH4VJp!2$zn)Ms$AQXzcV`r0eaf)?y!wU&*y!O*;e^T^%WJ14t+jcjWPBIGt>eH z*;JyJKa{LX4%^v>^qy&{i+1)mo?oBu$r)-vk1RVyceo1GYsxqHHiR_|Tl@JFgDAS$2IXqaK>7Yn`pwWJ`fW^2VxJb zy^bdgOCY<#;HL<#9ZZ|qAo`4fUjTiz>@JBwD&!ZYqk5zJV@faXOc;)mJVX+qQEWJ1 zwTFOG08Czk>;I;|Kmz+wCu4PZ$WLQy~m#3_9b_khSGgCm*LY*-;ysb6?hZWc1$qM`tn)C94-Uy+hJ3HL!gOAfO5`$?A>iZ5 zX(&#}xIz||tow%{gQSD?4&QePt1Vjm3-)b$Xu5(6AKj(?tCi&5ldz(%n5)=y=etM9 zs|v$g6L$e7ORuq&+i+;P+}>M6OC{`>D%t)(b;3Ubl%@^oH=ap}6x;az)f<7pB7Bs= zuM%TRl!bn}4@3MdBmGD6S+7rqK8Eie&;Cv1n@it8hE6Sf;8SM7mR4k+?$jKn5>cGC zX=md-tPfb-NG|AP6twV1DNuz(Ayp)p)_5@8VD$4`LD#D!-0z!-pWpb0 zRvVe5b&)+dPqeSUUK1xfI@ehq@q0*{JU{Fgz<7DFh3g@40BBF`e7_UqM)auvDsy}v 
zj&f$^Kb&|!l^DipL}|P|40}66C2k(-j_j7o6;xo_Wnh|R(gVHx-8;FtiHV6BzquJd zf2Hp}eg2H*^~B6VeQov>9fMDpVRgg?c9vJ?p`t_K8aH_Zb!C%n4`bE_z8V&ABYt#+ z!?~YdGkuV- zIwCYcgbvTZ?a9_~r@=>YrFj-AH6ov_TyB)zd(ns@6kFPo_ML@~A@ zG83dfl_|}(u*m_V1yoZh250&adB7!4$so00pD!Wb2e^=ER36bn0$nL;q;|pmofQr~ zTdsz-NxRJ2M|zOq^a^mOcl$W`=6iH>^3vnn<$X4|M*gJ$v8y?6G*W$o&4WZCT1x`c z(fzrL`+WCma~s(ABUy|e*r&NBRAIdw!)y7#itiy^BbGef{6?TL5rk^Hli-K2U~DMPh*mYuCQWP84w)Vi*tdRSaDxyj>Y!8 z0}QZwj#AbBydF^+E7!ay7Zw|C$IZ*P`e66#v(N*W1ptoG4&OgBzB$7(_%*pbMYe`p zgjs_8$K3RWoU%a3u8+v9Q7rvuf^Abd%)8%sm1nUA)c zHa|~x|GM&H^;UQD9@bi)X?AiITIR-o@4$H7h3{(jzEB}7+Fm4X3eYr!XVf$K?lE0_ zF7gGI_SQcvKd#gF=TGOT`I$^zp|TNG6hPSRhuc3-6YXD?-2;y>Tu;L|UsbNzuL3_6 z!?R#$-6YRyx`@;Bq;Bp>GQ zd%Knx%6CS&FGCbK>ip*(M+HBHE@nr)?e+b_^WKO`5-&INtS}YoM9+hviIJle#972e z+htOD0)L7iNt3_LJiS3kGR+&8Li+I`tVi7q2!PObqX4H5`@9SBeUGD5%3lxHRS}?9 zyq~i6*sIPQZS?PRg6T&7{DFj#t#O}8(GjruS1$2-y>v|a4t;hZ+9Kzh7BMyy-K8)Y z>Ssgg)8Tg+O>kuPsu&nMjB^+A+%LF{+zBuUK#dG~Q3lug*IkFtYOzsr!FHMUN6(SA2C?=5>V%Ei*X` z0M!LDu-x=$Ax4tlg{lx(B0vB?=%MAdojfAyja2tEMa&-uZ`=;F%#25`$8_EcDHw(` z?%k$Y9L{BFX3Q!cw-~e1rF>U=5fN&mXh-4J>5@&g*wE2x-v6+M!|Wc@hZ$r8KY0u6eGFwBL<*112h!^OP(Qr|25euyI zUCjRr6%F=F5Rlt*-Q(GyBqyl$e>n_g(lShlV@@@e+gV2H{B=(&IvM++Mr`P(199nN&S zgr$8HwlZmlSOl;t5wuh_DSOhYT;UT= z-I64{qZt9rUhkEaS#D%Pna$CGxmxW;;kGy=!W4f`BX5Fq`CPVhUkXDMjOpCZKR zopX1^tv+GDUqJk++NyHGY4<~%2LpEQvc#oX)enO@ zoYZViaS^J;cqwR_ykp?T&mO!;A$N*~x!BM{tq#^ps!tdZ8;|lR2dYa%LPlgxeuoQwZGXrPuO5iROfAyCpZsLo<`7 zjk~2|@}77)o2#P#=0D5OO|M2Em82Z}%#!nW(kww0-b!+tox#wFNJ8>QqD)_xO1npE z`G;5BZQc8Ts`%9Van%Bh8^rqr;Ig^lN_!5UyHw&jOQXi_AX2MT_Fv*bye-{3c(m-K zTXRGp9=`gKkOxQg{A2vRjFY}ZSuL=RoRm0S5^j)2<=t)zKC~WHYo;NBR!U7cN#a-@ z4b}IRZe_6kM~N&<_YKO-acLwHHgfzQsFR*;wf%BbEy#Y$qQ7^V)@WGbrVrLgr7Z9Ynh$-?pAi6tQZAZwps^Ioa zeifB=oSfX!(#{ee-W&#%Yt#)PoQM2}aA6>t6lFHL;L%iHTHjkRee~X*(YFk4YCd1I z78!VB-e|?FHZ9OoI)%qF>uZu#>JoD#2L+Ej)w{1)E@iUHr*x)8LT62xVgQgfw#2QJ z*q7uDM-T2=#MLi@@k^jpg_m$K>QyE`q2D~p6 zT|*u0-viLXH7f8Z z4beLfNUJ7%4RgUDD9Com>d6lGF~7#yOUgl<4Kdn`;~w@IY_Scqw{+CFZh9( 
zZHp;`yeBb{X2kbN-i}yj3uW#pgAT8Q^H(MY9v<62sFo54JuVJ^+VJzB%b|yoA6UiG z4{Q4|14JO}_D#k{>8>XPwhx$D?{p^L-63ITyXiY_h9%r0f&}s@R8S?+{+_KO?r2Tf zWs@PzW8BhpTOtn0D*Y6i%TepQXrvl*+~|2Cyw?pi09vHW>5td55>;bVfy%|XaRtN~ zy&NtMwvIvgJf*Bo1U2951-*1P6sKRxN!&X#O}>jmWmBHw31J8hn^}b69&^k$h$l(uUWbv$mgqZIg7I+3 zczu#~e`=2n(jJ{ahO!ZP%5eArkwwm|9)L1TskKm+f`FyZ~^&~XKV)eLds9g|P4e+!<>XJiBrUJ3GSNDqjX zE)ZnHc0-UaSrYJB-+a65u_NCO!iivyqOl;5d9BGkX8CLhs4JP%oEwz)^8?rvdad)> z@w}G{I3v->VyyfN&@vxyNByf8ZX&%s2yW~_1PS^(yYEPM;wQHYk?LVj#$mZ{O zv2U27Pz6PN>+Gx6suGl!p@w2kC%~Em1PL#Jq0DBJ?ZG3spBVOWg#@A1UH~LKi~y*VRF-a>G22J)2+V$(X~T0mdFs8c-Th-J7AkXJGJPtJdiM9-g^`m%!C* t_V2G6APDDwe(C^$J^%j;tx;Y@XgXYCubMwn{qq%%tdyc;wYXu>{{cr9X{P`H literal 0 HcmV?d00001 diff --git a/rhacs/3.0.59.0/central-services/config-templates/scanner/config.yaml.tpl b/rhacs/3.0.59.0/central-services/config-templates/scanner/config.yaml.tpl new file mode 100644 index 0000000..a502818 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/config-templates/scanner/config.yaml.tpl 
@@ -0,0 +1,41 @@
+{{- /*
+ This is the configuration file template for Scanner.
+ Except for in extremely rare circumstances, you DO NOT need to modify this file.
+ All config options that are possibly dynamic are templated out and can be modified
+ via `--set`/values-files specified via `-f`.
+ */ -}}
+
+# Configuration file for scanner.
+
+scanner:
+ {{- if ne .Release.Namespace "stackrox" }}
+ centralEndpoint: https://central.{{ .Release.Namespace }}
+ {{- end }}
+ database:
+ # Database driver
+ type: pgsql
+ options:
+ # PostgreSQL Connection string
+ # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
+ source: host=scanner-db.{{ .Release.Namespace }} port=5432 user=postgres sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} statement_timeout=60000
+
+ # Number of elements kept in the cache
+ # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
+ cachesize: 16384
+
+ api:
+ httpsPort: 8080
+ grpcPort: 8081
+
+ updater:
+ # Frequency with which the scanner will poll for vulnerability updates.
+ interval: 5m
+ {{ if ._rox.env.offlineMode -}}
+ fetchFromCentral: true
+ {{- end }}
+
+ logLevel: {{ ._rox.scanner.logLevel }}
+
+ # The max size of files in images that are extracted. The scanner intentionally avoids extracting any files
+ # larger than this to prevent DoS attacks. Leave commmented to use a reasonable default.
+ # maxExtractableFileSizeMB: 200
diff --git a/rhacs/3.0.59.0/central-services/config/central/config.yaml.default b/rhacs/3.0.59.0/central-services/config/central/config.yaml.default
new file mode 100644
index 0000000..98724d3
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/config/central/config.yaml.default
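Review bot: The `source:` line switches `sslmode` from `verify-full` to `verify-ca` whenever the release namespace is not `stackrox`, which keeps CA validation but drops hostname verification of the scanner-db certificate, and nothing in the template says why. Presumably the generated service certificate only carries the default namespace's hostname in its SAN, but that is an inference from this file alone; add a comment above `source:` such as `# verify-ca rather than verify-full outside the "stackrox" namespace: the scanner-db service certificate is issued for the default namespace's hostname -- confirm before relying on this`. Two comment typos on the same hunk: "in order to save prevent needless roundtrips" should drop "save", and "Leave commmented" should be "Leave commented".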
@@ -0,0 +1,7 @@
+maintenance:
+ safeMode: false # When set to true, Central will sleep forever on the next restart
+ compaction:
+ enabled: true
+ bucketFillFraction: .5 # This controls how densely to compact the buckets. Usually not advised to modify
+ freeFractionThreshold: 0.75 # This is the threshold for free bytes / total bytes after which compaction will occur
+ forceRollbackVersion: none # This is the config and target rollback version after upgrade complete.
diff --git a/rhacs/3.0.59.0/central-services/config/central/endpoints.yaml.default b/rhacs/3.0.59.0/central-services/config/central/endpoints.yaml.default
new file mode 100644
index 0000000..25549d6
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/config/central/endpoints.yaml.default
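Review bot: `bucketFillFraction: .5` uses a leading-dot float while the neighbouring `freeFractionThreshold: 0.75` does not; both parse as floats, but `bucketFillFraction: 0.5` is consistent and cannot be misread as a string. `forceRollbackVersion: none` is the plain string `none`, not a YAML null, so if the loader treats that literal as the "disabled" sentinel the inline comment should say so, e.g. `# the literal string "none" means no forced rollback -- confirm against the config loader`.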
@@ -0,0 +1,31 @@
+# Sample endpoints.yaml configuration for StackRox Central.
+#
+# # CAREFUL: If the following line is uncommented, do not expose the default endpoint on port 8443 by default.
+# # This will break normal operation.
+# disableDefault: true # if true, don't serve on :8443
+# endpoints:
+# # Serve plaintext HTTP only on port 8080
+# - listen: ":8080"
+# # Backend protocols, possible values are 'http' and 'grpc'. If unset or empty, assume both.
+# protocols:
+# - http
+# tls:
+# # Disable TLS. If this is not specified, assume TLS is enabled.
+# disable: true
+# # Serve HTTP and gRPC for sensors only on port 8444
+# - listen: ":8444"
+# tls:
+# # Which TLS certificates to serve, possible values are 'service' (StackRox-generated service certificates)
+# # and 'default' (user-configured default TLS certificate). If unset or empty, assume both.
+# serverCerts:
+# - default
+# - service
+# # Client authentication settings.
+# clientAuth:
+# # Enforce TLS client authentication. If unset, do not enforce, only request certificates
+# # opportunistically.
+# required: true
+# # Which TLS client CAs to serve, possible values are 'service' (CA for StackRox-generated service
+# # certificates) and 'user' (CAs for PKI auth providers). If unset or empty, assume both.
+# certAuthorities: # if not set, assume ["user", "service"]
+# - service
diff --git a/rhacs/3.0.59.0/central-services/config/proxy-config.yaml.default b/rhacs/3.0.59.0/central-services/config/proxy-config.yaml.default
new file mode 100644
index 0000000..8692a77
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/config/proxy-config.yaml.default
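Review bot: The "CAREFUL" comment above `disableDefault` is phrased as an instruction ("do not expose the default endpoint on port 8443 by default") rather than as a description of what uncommenting the line does, so a reader cannot tell whether it is warning them or telling them to do something. Suggest `# # CAREFUL: uncommenting the following line stops Central from serving on the default port 8443; unless you configure a replacement endpoint below, this will break normal operation.` The plaintext `:8080` example already carries the `tls: disable: true` caveat, which is sufficient for a sample.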
@@ -0,0 +1,26 @@
+# # NOTE: Both central and scanner should be restarted if this secret is changed.
+# # While it is possible that some components will pick up the new proxy configuration
+# # without a restart, it cannot be guaranteed that this will apply to every possible
+# # integration etc.
+# url: http://proxy.name:port
+# username: username
+# password: password
+# # If the following value is set to true, the proxy wil NOT be excluded for the default hosts:
+# # - *.stackrox, *.stackrox.svc
+# # - localhost, localhost.localdomain, 127.0.0.0/8, ::1
+# # - *.local
+# omitDefaultExcludes: false
+# excludes: # hostnames (may include * components) for which not to use a proxy, like in-cluster repositories.
+# - some.domain
+# # The following configuration sections allow specifying a different proxy to be used for HTTP(S) connections.
+# # If they are omitted, the above configuration is used for HTTP(S) connections as well as TCP connections.
+# # If only the `http` section is given, it will be used for HTTPS connections as well.
+# # Note: in most cases, a single, global proxy configuration is sufficient.
+# http:
+# url: http://http-proxy.name:port
+# username: username
+# password: password
+# https:
+# url: http://https-proxy.name:port
+# username: username
+# password: password
diff --git a/rhacs/3.0.59.0/central-services/internal/bootstrap-defaults.yaml.tpl b/rhacs/3.0.59.0/central-services/internal/bootstrap-defaults.yaml.tpl
new file mode 100644
index 0000000..8f8e559
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/internal/bootstrap-defaults.yaml.tpl
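Review bot: The documented default excludes (`*.stackrox, *.stackrox.svc`) are tied to the `stackrox` namespace name, yet the chart explicitly allows non-standard namespaces via `allowNonstandardNamespace`; if the runtime default list is not derived from the actual namespace, in-cluster hosts such as `scanner-db.<namespace>` would be routed through the proxy, which I cannot confirm from this file alone. Add a comment next to `excludes:` such as `# # When deploying to a namespace other than "stackrox", add "*.<namespace>" and "*.<namespace>.svc" here -- confirm whether the defaults track the release namespace`. Also `the proxy wil NOT be excluded` should read `will`.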
@@ -0,0 +1,16 @@
+# This file contains defaults that need to be merged into our config struct before we can
+# execute the "normal" defaulting logic. As a result, none of these values can be overridden
+# by defaults specified in defaults.yaml and platforms/*.yaml - that is okay.
+
+{{- if eq .Release.Name "test-release" }}
+{{- include "srox.warn" (list . "You are using a release name that is reserved for tests. In order to allow linting to work, certain checks have been relaxed. If you are deploying to a real environment, we recommend that you choose a different release name.") }}
+allowNonstandardNamespace: true
+allowNonstandardReleaseName: true
+{{- else }}
+allowNonstandardNamespace: false
+allowNonstandardReleaseName: false
+{{- end }}
+
+meta:
+ useLookup: true
+ fileOverrides: {}
diff --git a/rhacs/3.0.59.0/central-services/internal/config-shape.yaml b/rhacs/3.0.59.0/central-services/internal/config-shape.yaml
new file mode 100644
index 0000000..cd8b1f3
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/internal/config-shape.yaml
@@ -0,0 +1,137 @@
+licenseKey: null # string
+imagePullSecrets:
+ username: null # string
+ password: null # string
+ allowNone: null # bool
+ useExisting: null # string | [string]
+ useFromDefaultServiceAccount: null # bool
+image:
+ registry: null # string
+env:
+ openshift: null # bool
+ istio: null # bool
+ platform: null # string
+ offlineMode: null # bool
+ proxyConfig: null # string | dict
+ca:
+ cert: null # string
+ key: null # string
+ generate: null # bool
+additionalCAs: null # string | [string] | dict
+central:
+ disableTelemetry: null # bool
+ config: null # string | dict
+ endpointsConfig: null # string | dict
+ nodeSelector: null # string | dict
+ exposeMonitoring: null # bool
+ jwtSigner:
+ key: null # string
+ generate: null # bool
+ serviceTLS:
+ cert: null # string
+ key: null # string
+ generate: null # bool
+ defaultTLS:
+ cert: null # string
+ key: null # string
+ image:
+ registry: null # string
+ name: null # string
+ tag: null # string
+ fullRef: null # string
+ adminPassword:
+ value: null # string
+ generate: null # bool
+ htpasswd: null # string
+ resources: null # string | dict
+ persistence:
+ hostPath: null # string
+ persistentVolumeClaim:
+ claimName: null # string
+ createClaim: null # bool
+ storageClass: null # string
+ size: null # int | string
+ volume:
+ volumeSpec: null # dict
+ none: null # bool
+ exposure:
+ loadBalancer:
+ enabled: null # bool
+ port: null # int
+ ip: null # string
+ nodePort:
+ enabled: null # bool
+ port: null # int
+ route:
+ enabled: null # bool
+ extraMounts: null # [dict]
+
+scanner:
+ disable: null # bool
+ replicas: null # int
+ logLevel: null # string
+ nodeSelector: null # string | dict
+ dbNodeSelector: null # string | dict
+ autoscaling:
+ disable: null # bool
+ minReplicas: null # int
+ maxReplicas: null # int
+ resources: null # string | dict
+ image:
+ registry: null # string
+ name: null # string
+ tag: null # string
+ fullRef: null # string
+ dbImage:
+ registry: null # string
+ name: null # string
+ tag: null # string
+ fullRef: null # string
+ dbResources: null # string | dict
+ dbPassword:
+ value: null # string
+ generate: null # bool
+ serviceTLS:
+ cert: null # string
+ key: null # string
+ generate: null # bool
+ dbServiceTLS:
+ cert: null # string
+ key: null # string
+ generate: null # bool
+customize:
+ labels: {} # dict
+ annotations: {} # dict
+ podLabels: {} # dict
+ podAnnotations: {} # dict
+ envVars: {} # dict
+ central:
+ labels: {} # dict
+ annotations: {} # dict
+ podLabels: {} # dict
+ podAnnotations: {} # dict
+ envVars: {} # dict
+ scanner:
+ labels: {} # dict
+ annotations: {} # dict
+ podLabels: {} # dict
+ podAnnotations: {} # dict
+ envVars: {} # dict
+ scanner-db:
+ labels: {} # dict
+ annotations: {} # dict
+ podLabels: {} # dict
+ podAnnotations: {} # dict
+ envVars: {} # dict
+ other: {} # dict
+allowNonstandardNamespace: null # bool
+allowNonstandardReleaseName: null # bool
+meta:
+ useLookup: null # bool
+ fileOverrides: {} # dict
+ apiServer:
+ version: null # string
+ overrideAPIResources: null # [string]
+ extraAPIResources: null # [string]
+ noCreateStorageClass: null # bool
+globalPrefix: null # string
diff --git a/rhacs/3.0.59.0/central-services/internal/defaults.yaml b/rhacs/3.0.59.0/central-services/internal/defaults.yaml
new file mode 100644
index 0000000..0e35d6b
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/internal/defaults.yaml
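Review bot: Under `customize:` the key `scanner-db` is kebab-case while every sibling key in this file (`central`, `scanner`, `podLabels`, `envVars`, ...) is camelCase, and the hyphen is the only hint that this key is spelled after the workload name rather than following the file's convention. Since users will reproduce this key in their own values files, document it inline, e.g. `scanner-db: # keyed by the scanner-db workload name, hence the hyphen`. The file's only other shape annotation that may surprise readers is `size: null # int | string`; noting the accepted string form (e.g. a Kubernetes quantity such as `"100Gi"`, as used in defaults.yaml) would make the comment actionable.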
@@ -0,0 +1,78 @@
+defaults:
+
+ imagePullSecrets:
+ allowNone: false
+ useExisting: []
+ useFromDefaultServiceAccount: true
+
+ image:
+ registry: registry.redhat.io/rh-acs
+
+ env:
+ offlineMode: false
+
+ central:
+ config: "@config/central/config.yaml|config/central/config.yaml.default"
+ endpointsConfig: "@config/central/endpoints.yaml|config/central/endpoints.yaml.default"
+
+ exposeMonitoring: false
+
+ image:
+ name: main
+ tag: 3.0.59.0
+
+ resources:
+ requests:
+ memory: "4Gi"
+ cpu: "1500m"
+ limits:
+ memory: "8Gi"
+ cpu: "4000m"
+
+ exposure:
+ loadBalancer:
+ enabled: false
+ port: 443
+ nodePort:
+ enabled: false
+ port: null
+ route:
+ enabled: false
+
+ scanner:
+ disable: false
+ replicas: 3
+ logLevel: INFO
+
+ autoscaling:
+ disable: false
+ minReplicas: 2
+ maxReplicas: 5
+
+ resources:
+ requests:
+ memory: "1500Mi"
+ cpu: "1000m"
+ limits:
+ memory: "3000Mi"
+ cpu: "2000m"
+
+ image:
+ name: scanner
+ tag: 2.13.0
+
+ dbResources:
+ limits:
+ cpu: "2000m"
+ memory: "4Gi"
+ requests:
+ cpu: "200m"
+ memory: "200Mi"
+
+ dbImage:
+ name: scanner-db
+ tag: 2.13.0
+
+pvcDefaults:
+ claimName: "stackrox-db"
+ size: "100Gi"
diff --git a/rhacs/3.0.59.0/central-services/internal/expandables.yaml b/rhacs/3.0.59.0/central-services/internal/expandables.yaml
new file mode 100644
index 0000000..e8190d4
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/internal/expandables.yaml
@@ -0,0 +1,38 @@
+licenseKey: true
+imagePullSecrets:
+ username: true
+ password: true
+env:
+ proxyConfig: true
+ca:
+ cert: true
+ key: true
+central:
+ config: true
+ endpointsConfig: true
+ nodeSelector: true
+ jwtSigner:
+ key: true
+ serviceTLS:
+ cert: true
+ key: true
+ defaultTLS:
+ cert: true
+ key: true
+ adminPassword:
+ value: true
+ htpasswd: true
+ resources: true
+scanner:
+ resources: true
+ dbResources: true
+ nodeSelector: true
+ dbNodeSelector: true
+ dbPassword:
+ value: true
+ serviceTLS:
+ cert: true
+ key: true
+ dbServiceTLS:
+ cert: true
+ key: true
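Review bot: In the defaults.yaml hunk the image tags `tag: 3.0.59.0` (central.image), `tag: 2.13.0` (scanner.image) and `tag: 2.13.0` (scanner.dbImage) are unquoted plain scalars; they are read as strings only because each has two dots, and the next single-dot tag (e.g. `2.14`) would silently become the float `2.14` and produce a malformed image reference. Quote all three, e.g. `tag: "3.0.59.0"`, matching how the resource quantities in the same file are already quoted. The config-shape.yaml hunk declares `tag` as `# string`, so quoting here also keeps the defaults consistent with the declared shape.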
diff --git a/rhacs/3.0.59.0/central-services/internal/platforms/default.yaml b/rhacs/3.0.59.0/central-services/internal/platforms/default.yaml
new file mode 100644
index 0000000..180f5c8
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/internal/platforms/default.yaml
@@ -0,0 +1,2 @@
+# Empty defaults file for the "default" platform. This file only exists to mark the platform
+# name as valid.
diff --git a/rhacs/3.0.59.0/central-services/internal/platforms/gke.yaml b/rhacs/3.0.59.0/central-services/internal/platforms/gke.yaml
new file mode 100644
index 0000000..70d7b32
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/internal/platforms/gke.yaml
@@ -0,0 +1,2 @@
+pvcDefaults:
+ storageClass: "stackrox-gke-ssd"
diff --git a/rhacs/3.0.59.0/central-services/scripts/prepare-resource-metadata-for-helm-migration.sh b/rhacs/3.0.59.0/central-services/scripts/prepare-resource-metadata-for-helm-migration.sh
new file mode 100755
index 0000000..1688ec6
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/scripts/prepare-resource-metadata-for-helm-migration.sh
@@ -0,0 +1,124 @@ +#!/usr/bin/env sh + +# Script for migrating to new Helm-style deployment. +# After running this script the state of all +# StackRox K8s resources should be ready for deploying +# using the new Helm chart using 'helm install'. + +set -eu + +# You can use this script for applying the kubectl commands to the relevant resources directly +# or let it output the necessary kubectl commands for patching the resources to stdout using: +# +# DRY_RUN=true ./prepare-resource-metadata-for-helm-migration.sh +# +# Further configuration options: +# +# * The namespace can be configured using the environment variable NAMESPACE +# (note that it defaults to "stackrox" and that is the only supported namespace). +# +# * By default this script uses kubectl to verify the existence of the Kubernetes resources before +# patching them. This can be disabled by setting SKIP_EXISTENCE_CHECK=true. + +KUBECTL="${KUBECTL:-kubectl}" +DRY_RUN="${DRY_RUN:-false}" +NAMESPACE="${STACKROX_NAMESPACE:-stackrox}" +SKIP_EXISTENCE_CHECK="${SKIP_EXISTENCE_CHECK:-false}" + +die() { + log "$@" + exit 1 +} + +log() { + echo "$@" >&2 +} + +if [ "$DRY_RUN" != "false" -a "$DRY_RUN" != "true" ]; then + die "Unsupported value for DRY_RUN: '$DRY_RUN'" +fi + +if [ "$SKIP_EXISTENCE_CHECK" != "false" -a "$SKIP_EXISTENCE_CHECK" != "true" ]; then + die "Unsupported value for SKIP_EXISTENCE_CHECK: '$SKIP_EXISTENCE_CHECK'" +fi + +add_label() { + if [ "$DRY_RUN" == "true" ]; then + echo $KUBECTL -n $NAMESPACE label "$kind" "$res" --overwrite "$1=$2" + else + $KUBECTL -n $NAMESPACE label "$kind" "$res" --overwrite "$1=$2" + fi + log " Set label $1=$2" +} + +add_annotation() { + if [ "$DRY_RUN" == "true" ]; then + echo $KUBECTL -n $NAMESPACE annotate "$kind" "$res" --overwrite "$1=$2" + else + $KUBECTL -n $NAMESPACE annotate "$kind" "$res" --overwrite "$1=$2" + fi + log " Set annotation $1=$2" +} + +patch_resource() { + kind="$1" + res="$2" + + if [ "$SKIP_EXISTENCE_CHECK" == "false" ]; then + $KUBECTL -n 
$NAMESPACE get "$kind" "$res" >/dev/null 2>&1 || { + log "Skipping ${kind}/${res}: Resource not known in cluster." + log + return + } + fi + + log "** Patching resource $kind/$res **" + add_label "app.kubernetes.io/name" "stackrox" + add_label "app.kubernetes.io/managed-by" "Helm" + add_annotation "meta.helm.sh/release-name" "stackrox-central-services" + add_annotation "meta.helm.sh/release-namespace" "$NAMESPACE" + log +} + +patch_resource "Application" "stackrox" +patch_resource "ClusterRole" "stackrox-central-psp" +patch_resource "ClusterRole" "stackrox-scanner-psp" +patch_resource "ConfigMap" "central-config" +patch_resource "ConfigMap" "central-endpoints" +patch_resource "ConfigMap" "scanner-config" +patch_resource "Deployment" "central" +patch_resource "Deployment" "scanner" +patch_resource "Deployment" "scanner-db" +patch_resource "DestinationRule" "central-internal-no-istio-mtls" +patch_resource "DestinationRule" "scanner-db-internal-no-istio-mtls" +patch_resource "DestinationRule" "scanner-internal-no-istio-mtls" +patch_resource "HorizontalPodAutoscaler" "scanner" +patch_resource "NetworkPolicy" "allow-ext-to-central" +patch_resource "NetworkPolicy" "scanner" +patch_resource "NetworkPolicy" "scanner-db" +patch_resource "PersistentVolumeClaim" "stackrox-db" +patch_resource "PodSecurityPolicy" "stackrox-central" +patch_resource "PodSecurityPolicy" "stackrox-scanner" +patch_resource "Role" "stackrox-central-diagnostics" +patch_resource "RoleBinding" "stackrox-central-diagnostics" +patch_resource "RoleBinding" "stackrox-central-psp" +patch_resource "RoleBinding" "stackrox-scanner-psp" +patch_resource "Route" "central" +patch_resource "Route" "central-mtls" +patch_resource "Secret" "central-default-tls-cert" +patch_resource "Secret" "central-htpasswd" +patch_resource "Secret" "central-license" +patch_resource "Secret" "central-tls" +patch_resource "Secret" "proxy-config" +patch_resource "Secret" "scanner-db-password" +patch_resource "Secret" "scanner-db-tls" 
+patch_resource "Secret" "scanner-tls" +patch_resource "Secret" "stackrox" +patch_resource "SecurityContextConstraints" "central" +patch_resource "SecurityContextConstraints" "scanner" +patch_resource "Service" "central" +patch_resource "Service" "central-loadbalancer" +patch_resource "Service" "scanner" +patch_resource "Service" "scanner-db" +patch_resource "ServiceAccount" "central" +patch_resource "ServiceAccount" "scanner" diff --git a/rhacs/3.0.59.0/central-services/templates/00-additional-ca.yaml b/rhacs/3.0.59.0/central-services/templates/00-additional-ca.yaml new file mode 100644 index 0000000..110b105 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/00-additional-ca.yaml @@ -0,0 +1,21 @@ +{{- include "srox.init" . -}} + +{{- if ._rox._additionalCAs }} +apiVersion: v1 +kind: Secret +metadata: + name: additional-ca + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "additional-ca") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "additional-ca") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +type: Opaque +stringData: + {{- range $name, $cert := ._rox._additionalCAs }} + {{ $name | quote }}: | + {{- $cert | nindent 4 }} + {{- end }} +{{- end }} diff --git a/rhacs/3.0.59.0/central-services/templates/00-image-pull-secret.yaml b/rhacs/3.0.59.0/central-services/templates/00-image-pull-secret.yaml new file mode 100644 index 0000000..1fc3e34 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/00-image-pull-secret.yaml 
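Review bot: `add_label`, `add_annotation` and `patch_resource` compare with `[ "$DRY_RUN" == "true" ]` and `[ "$SKIP_EXISTENCE_CHECK" == "false" ]`, but the script runs under `#!/usr/bin/env sh`, where POSIX `test` only defines `=`; on dash-based systems the comparison fails with "unexpected operator", the `else` branch runs, and the real `kubectl label`/`annotate` calls execute even with `DRY_RUN=true`. Use `=` in all four tests, and replace the obsolescent `-a` in the two validation checks near the top with separate `[ ... ] && [ ... ]` tests. Separately, the header comment says the namespace is configured through `NAMESPACE`, while the code reads `NAMESPACE="${STACKROX_NAMESPACE:-stackrox}"`; the comment should name `STACKROX_NAMESPACE`. The helper functions also read `$kind` and `$res` as globals set by `patch_resource`, which is worth a one-line comment above `add_label` so the coupling is visible.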
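Review bot: `namespace: {{ ._rox._namespace }}` on the additional-ca Secret differs from every other template in this commit, which uses `{{ .Release.Namespace }}`; if the two values can ever differ, the Secret would not be in the namespace where the central Deployment mounts it as `additional-ca-volume` (marked `optional: true`, so the mismatch would be silent). If they are always equal, use `namespace: {{ .Release.Namespace }}` for consistency; otherwise a comment explaining why `_namespace` is used here would help.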
@@ -0,0 +1,18 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.imagePullSecrets._dockerAuths }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: stackrox + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "stackrox") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "stackrox") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +data: + .dockerconfigjson: {{ dict "auths" ._rox.imagePullSecrets._dockerAuths | toJson | b64enc | quote }} +{{ end }} diff --git a/rhacs/3.0.59.0/central-services/templates/00-proxy-config-secret.yaml b/rhacs/3.0.59.0/central-services/templates/00-proxy-config-secret.yaml new file mode 100644 index 0000000..c357179 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/00-proxy-config-secret.yaml @@ -0,0 +1,20 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.env._proxyConfig -}} +apiVersion: v1 +kind: Secret +metadata: + name: proxy-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "proxy-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "proxy-config") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + config.yaml: | + {{- ._rox.env._proxyConfig | nindent 4 }} + +{{ end }} diff --git a/rhacs/3.0.59.0/central-services/templates/00-stackrox-application.yaml b/rhacs/3.0.59.0/central-services/templates/00-stackrox-application.yaml new file mode 100644 index 0000000..34eaa5a --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/00-stackrox-application.yaml 
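Review bot: The closing `{{ end }}` (no left-trim dash) emits an extra blank line into the rendered manifest, whereas the sibling secret templates close with `{{- end }}`; `{{- end }}` keeps the output tidy. Also `"helm.sh/resource-policy": keep` is unquoted here but written as `"keep"` in proxy-config-secret and license-secret in the same commit; both parse identically, but one form across the chart is easier to grep and lint.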
@@ -0,0 +1,114 @@ +{{- include "srox.init" . -}} + +{{- if has "app.k8s.io/v1beta1/Application" ._rox._apiServer.apiResources -}} +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: stackrox + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "application" "stackrox") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "application" "stackrox") | nindent 4 }} + kubernetes-engine.cloud.google.com/icon: "data:image/png;base64,{{ .Files.Get "assets/icon.png" | b64enc }}" +spec: + descriptor: + type: StackRox + version: {{ .Chart.AppVersion | quote }} + description: |- + StackRox Kubernetes Security Platform + + Version {{ .Chart.AppVersion }} + + ## Thank you for installing StackRox! + +
+ + #### Support + + [Email support@stackrox.com](mailto:support@stackrox.com?cc=sales@stackrox.com&Subject=StackRox%20Support%20Question&Body=Dear%20StackRox%20support,) + + ## Connecting to StackRox + +
+ + #### Directly using a Load Balancer + + When deploying StackRox with the `Load Balancer` network configuration, the service can be accessed directly. + + $CONNECT + + #### Tunneling via Port Forward + + When deploying StackRox with the `Node Port` or `None` network configuration, the service must be accessed using a port forward tunnel. + + - Step 1 - Start the port forward tunnel to the StackRox Central service. + + ``` + $ kubectl -n stackrox port-forward svc/central 8443:443 + ``` + + - Step 2 - In a browser, [visit https://localhost:8443](https://localhost:8443) to access StackRox. + + keywords: + - "stackrox" + - "kube" + - "security" + maintainers: + - name: StackRox, Inc. + url: https://stackrox.com + owners: + - name: StackRox, Inc. + url: https://stackrox.com + links: + - description: StackRox Help Documentation + url: "https://help.stackrox.com" + + info: + - name: StackRox namespace + value: stackrox + - name: StackRox admin username + value: "admin" + + selector: + matchLabels: + app.kubernetes.io/name: stackrox + + componentKinds: + - group: '' + kind: ConfigMap + - group: '' + kind: Secret + - group: '' + kind: PersistentVolumeClaim + - group: '' + kind: Service + - group: '' + kind: ServiceAccount + - group: rbac.authorization.k8s.io + kind: ClusterRole + - group: rbac.authorization.k8s.io + kind: ClusterRoleBinding + - group: apps + kind: Deployment + - group: networking.k8s.io + kind: NetworkPolicy + - group: rbac.authorization.k8s.io + kind: Role + - group: rbac.authorization.k8s.io + kind: RoleBinding + - group: route.openshift.io + kind: Route + - group: security.openshift.io + kind: SecurityContextConstraints + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + - group: autoscaling + kind: HorizontalPodAutoscaler + - group: storage.k8s.io + kind: StorageClass + - group: networking.istio.io + kind: DestinationRule + - group: policy + kind: PodSecurityPolicy +{{- end }} 
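Review bot: The `info` block hardcodes `value: stackrox` for "StackRox namespace" while the Application itself is created in `{{ .Release.Namespace }}`, and the description's `kubectl -n stackrox port-forward svc/central 8443:443` hardcodes the same namespace. Use `value: {{ .Release.Namespace }}` and `kubectl -n {{ .Release.Namespace }} port-forward svc/central 8443:443` so the displayed instructions match the actual install. The literal `$CONNECT` under "Directly using a Load Balancer" also looks like an unsubstituted placeholder that will be shown to users verbatim; either render the connection details there or drop the line.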
diff --git a/rhacs/3.0.59.0/central-services/templates/00-storage-class.yaml b/rhacs/3.0.59.0/central-services/templates/00-storage-class.yaml new file mode 100644 index 0000000..4a5664e --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/00-storage-class.yaml @@ -0,0 +1,27 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central.persistence._pvcCfg }} +{{- if ._rox.central.persistence._pvcCfg.storageClass -}} +{{- if eq ._rox.central.persistence._pvcCfg.storageClass "stackrox-gke-ssd" }} +{{- $lookupOut := dict -}} +{{- $storageClassName := include "srox.globalResourceName" (list . "stackrox-gke-ssd") -}} +{{- $_ := include "srox.safeLookup" (list . $lookupOut "storage.k8s.io/v1" "StorageClass" "" $storageClassName) -}} +{{- if and (not $lookupOut.result) (or .Release.IsInstall $lookupOut.reliable) (not ._rox.meta.noCreateStorageClass) -}} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ $storageClassName }} + labels: + {{- include "srox.labels" (list . "storageclass" "stackrox-gke-ssd") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "storageclass" "stackrox-gke-ssd") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +provisioner: kubernetes.io/gce-pd +parameters: + type: pd-ssd +{{- end -}} +{{- end }} +{{- end -}} +{{- end }} diff --git a/rhacs/3.0.59.0/central-services/templates/01-central-00-serviceaccount.yaml b/rhacs/3.0.59.0/central-services/templates/01-central-00-serviceaccount.yaml new file mode 100644 index 0000000..2dc46a4 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/01-central-00-serviceaccount.yaml 
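Review bot: `"helm.sh/hook-delete-policy": never` on the StorageClass (and again on the PersistentVolume and PersistentVolumeClaim in 01-central-11-pvc.yaml) is not one of Helm's documented policies (`before-hook-creation`, `hook-succeeded`, `hook-failed`). If the intent is to rely on an unrecognised value suppressing the default before-hook-creation deletion, that deserves a comment such as `# "never" is deliberately not a recognised policy: Helm then applies none, so the resource is not deleted on upgrade` so a future cleanup does not "correct" it; if that is not the intent, the annotation should be removed.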
@@ -0,0 +1,16 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "central") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.imagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} + diff --git a/rhacs/3.0.59.0/central-services/templates/01-central-01-license-secret.yaml b/rhacs/3.0.59.0/central-services/templates/01-central-01-license-secret.yaml new file mode 100644 index 0000000..0d26dda --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/01-central-01-license-secret.yaml @@ -0,0 +1,21 @@ +{{- include "srox.init" . -}} + +{{- if ._rox._licenseKey -}} + +apiVersion: v1 +kind: Secret +metadata: + name: central-license + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-license") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-license") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + license.lic: | + {{- ._rox._licenseKey | nindent 4 }} + +{{ end }} diff --git a/rhacs/3.0.59.0/central-services/templates/01-central-02-security.yaml b/rhacs/3.0.59.0/central-services/templates/01-central-02-security.yaml new file mode 100644 index 0000000..79108cc --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/01-central-02-security.yaml 
@@ -0,0 +1,121 @@ +{{- include "srox.init" . -}} + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central-psp") }} + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-central-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-central-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ include "srox.globalResourceName" (list . "stackrox-central") }} + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-central-psp + namespace: {{.Release.Namespace}} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-central-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-central-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "srox.globalResourceName" (list . "stackrox-central-psp") }} +subjects: + - kind: ServiceAccount + name: central + namespace: {{.Release.Namespace}} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central") }} + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"podsecuritypolicy" "stackrox-central") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + - 'hostPath' + {{ if ._rox.central.persistence.hostPath -}} + allowedHostPaths: + - pathPrefix: {{ ._rox.central.persistence.hostPath }} + {{- end}} + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 + +{{- if ._rox.env.openshift }} +--- + +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "central") }} + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "central") | nindent 4 }} + annotations: + kubernetes.io/description: central is the security constraint for the central server + {{- include "srox.annotations" (list . "securitycontextconstraints" "central") | nindent 4 }} +allowHostDirVolumePlugin: {{ ._rox.central.persistence.hostPath | not | not }} +allowedCapabilities: [] +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +defaultAddCapabilities: [] +fsGroup: + type: MustRunAs + ranges: + - max: 4000 + min: 4000 +priority: 0 +readOnlyRootFilesystem: true +requiredDropCapabilities: [] +runAsUser: + type: MustRunAs + uid: 4000 +seLinuxContext: + type: MustRunAs +seccompProfiles: + - '*' +users: + - system:serviceaccount:{{ .Release.Namespace }}:central +volumes: + - '*' + +{{- end }} diff --git a/rhacs/3.0.59.0/central-services/templates/01-central-03-diagnostics-rbac.yaml b/rhacs/3.0.59.0/central-services/templates/01-central-03-diagnostics-rbac.yaml new file mode 100644 index 0000000..4ceaca7 --- /dev/null 
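Review bot: The PodSecurityPolicy lists `'hostPath'` in `spec.volumes` unconditionally, but `allowedHostPaths` is only emitted inside `{{ if ._rox.central.persistence.hostPath }}`; when no host path is configured, the policy therefore permits hostPath volumes with no path restriction at all. Make the volume type conditional as well, `{{- if ._rox.central.persistence.hostPath }}` / `- 'hostPath'` / `{{- end }}`, mirroring how the SCC derives `allowHostDirVolumePlugin` from the same setting. On the SCC side, `volumes: ['*']` and `seccompProfiles: ['*']` are broader than this non-privileged workload needs and could be narrowed to the volume types the central Deployment actually mounts.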
+++ b/rhacs/3.0.59.0/central-services/templates/01-central-03-diagnostics-rbac.yaml @@ -0,0 +1,37 @@ +{{- include "srox.init" . -}} + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: stackrox-central-diagnostics + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "stackrox-central-diagnostics") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "role" "stackrox-central-diagnostics") | nindent 4 }} +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-central-diagnostics + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-central-diagnostics") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-central-diagnostics") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: stackrox-central-diagnostics +subjects: + - kind: ServiceAccount + name: central + namespace: {{ .Release.Namespace }} diff --git a/rhacs/3.0.59.0/central-services/templates/01-central-04-htpasswd-secret.yaml b/rhacs/3.0.59.0/central-services/templates/01-central-04-htpasswd-secret.yaml new file mode 100644 index 0000000..59b338e --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/01-central-04-htpasswd-secret.yaml 
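Review bot: The `stackrox-central-diagnostics` Role grants `get`/`list` on `'*'` resources in every apiGroup and is bound to the `central` ServiceAccount; within the release namespace that covers every Secret (for example `scanner-db-password` and `proxy-config`), not only the diagnostic objects the name suggests. If reading all namespace resources is genuinely required, a comment above `rules:` stating what the diagnostics feature collects and why a wildcard is needed would help reviewers; otherwise enumerating the resource types explicitly (pods, events, configmaps, deployments, …) keeps the grant to least privilege.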
@@ -0,0 +1,22 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central._adminPassword -}} +{{- if ._rox.central._adminPassword.htpasswd -}} +apiVersion: v1 +kind: Secret +metadata: + name: central-htpasswd + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-htpasswd") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-htpasswd") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + htpasswd: | + {{- ._rox.central._adminPassword.htpasswd | nindent 4 }} + +{{- end -}} +{{- end -}} diff --git a/rhacs/3.0.59.0/central-services/templates/01-central-05-tls-secret.yaml b/rhacs/3.0.59.0/central-services/templates/01-central-05-tls-secret.yaml new file mode 100644 index 0000000..4ec928f --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/01-central-05-tls-secret.yaml @@ -0,0 +1,31 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox._ca ._rox.central._serviceTLS ._rox.central._jwtSigner -}} + +apiVersion: v1 +kind: Secret +metadata: + name: central-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox._ca.Cert | nindent 4 }} + ca-key.pem: | + {{- ._rox._ca.Key | nindent 4 }} + jwt-key.pem: | + {{- ._rox.central._jwtSigner.Key | nindent 4 }} + cert.pem: | + {{- ._rox.central._serviceTLS.Cert | nindent 4 }} + key.pem: | + {{- ._rox.central._serviceTLS.Key | nindent 4 }} + +{{- else if or ._rox.central._serviceTLS ._rox.central._jwtSigner }} +{{ include "srox.fail" "Service TLS certificates and/or JWT signer key can only be created/updated if all data AND the service CA are present/specified." }} +{{- end }} 
diff --git a/rhacs/3.0.59.0/central-services/templates/01-central-06-default-tls-cert-secret.yaml b/rhacs/3.0.59.0/central-services/templates/01-central-06-default-tls-cert-secret.yaml new file mode 100644 index 0000000..010444c --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/01-central-06-default-tls-cert-secret.yaml @@ -0,0 +1,22 @@ +{{- include "srox.init" . -}} + +{{ if ._rox.central._defaultTLS }} + +apiVersion: v1 +kind: Secret +metadata: + name: central-default-tls-cert + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-default-tls-cert") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-default-tls-cert") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" +type: kubernetes.io/tls +stringData: + tls.crt: | + {{- ._rox.central._defaultTLS.Cert | nindent 4 }} + tls.key: | + {{- ._rox.central._defaultTLS.Key | nindent 4 }} + +{{- end }} diff --git a/rhacs/3.0.59.0/central-services/templates/01-central-08-configmap.yaml b/rhacs/3.0.59.0/central-services/templates/01-central-08-configmap.yaml new file mode 100644 index 0000000..9420e59 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/01-central-08-configmap.yaml @@ -0,0 +1,14 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: central-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "central-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "central-config") | nindent 4 }} +data: + central-config.yaml: | + {{- ._rox.central._config | nindent 4 }} diff --git a/rhacs/3.0.59.0/central-services/templates/01-central-09-endpoints-config.yaml b/rhacs/3.0.59.0/central-services/templates/01-central-09-endpoints-config.yaml new file mode 100644 index 0000000..fa6204e --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/01-central-09-endpoints-config.yaml 
@@ -0,0 +1,17 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central._endpointsConfig -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: central-endpoints + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "central-endpoints") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "central-endpoints") | nindent 4 }} +data: + endpoints.yaml: | + {{- ._rox.central._endpointsConfig | nindent 4 }} + +{{- end -}} diff --git a/rhacs/3.0.59.0/central-services/templates/01-central-10-networkpolicy.yaml b/rhacs/3.0.59.0/central-services/templates/01-central-10-networkpolicy.yaml new file mode 100644 index 0000000..9ab574f --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/01-central-10-networkpolicy.yaml @@ -0,0 +1,42 @@ +{{- include "srox.init" . -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-ext-to-central + namespace: {{.Release.Namespace}} + labels: + {{- include "srox.labels" (list . "networkpolicy" "allow-ext-to-central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "allow-ext-to-central") | nindent 4 }} +spec: + ingress: + {{- toYaml ._rox.central._netPolIngressRules | nindent 4 }} + podSelector: + matchLabels: + app: central + policyTypes: + - Ingress + +{{ if ._rox.central.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: central-monitoring + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "central-monitoring") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "central-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: central + policyTypes: + - Ingress +{{ end }} 
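Review bot: The `central-monitoring` NetworkPolicy's ingress rule specifies `ports` but no `from`, so when `exposeMonitoring` is set, port 9090 is opened to any source the cluster network can route, not only to the monitoring stack. Adding a `from:` clause (a `namespaceSelector`/`podSelector` for the scraping component, or a chart value that supplies one) keeps the metrics endpoint scoped. The leading `{{ if ._rox.central.exposeMonitoring }}` without a trim dash also emits a blank line before `---`, harmless but inconsistent with the `{{- if` used elsewhere in the chart.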
diff --git a/rhacs/3.0.59.0/central-services/templates/01-central-11-pvc.yaml b/rhacs/3.0.59.0/central-services/templates/01-central-11-pvc.yaml new file mode 100644 index 0000000..570cf0f --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/01-central-11-pvc.yaml 
@@ -0,0 +1,63 @@ +{{- include "srox.init" . -}} + +{{ if ._rox.central.persistence._pvcCfg -}} +{{- $pvcCfg := ._rox.central.persistence._pvcCfg -}} +{{- $claimName := $pvcCfg.claimName -}} +{{/* In a multiple namespace setting, storageClassName is generated by globalResourceName */}} +{{- $storageClassName := "" }} +{{- if $pvcCfg.storageClass }} + {{- if eq $pvcCfg.storageClass "stackrox-gke-ssd" }} + {{- $storageClassName = include "srox.globalResourceName" (list . "stackrox-gke-ssd") }} + {{- else }} + {{- $storageClassName = $pvcCfg.storageClass }} + {{- end}} +{{- end}} +{{- if $pvcCfg.volume.volumeSpec }} +{{- $pvName := (print $claimName "-pv") -}} +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ $pvName }} + labels: + {{- include "srox.labels" (list . "persistentvolume" $pvName) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "persistentvolume" $pvName) | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +spec: + {{- if $storageClassName }} + storageClassName: {{ $storageClassName }} + {{- end}} + capacity: + storage: {{ include "srox.formatStorageSize" $pvcCfg.size }} + accessModes: + - ReadWriteOnce + claimRef: + namespace: {{ .Release.Namespace }} + name: {{ $claimName }} + {{- toYaml $pvcCfg.volume.volumeSpec | nindent 2 }} +--- +{{- end }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ $claimName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "persistentvolumeclaim" $claimName) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"persistentvolumeclaim" $claimName) | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +spec: + {{- if $storageClassName }} + storageClassName: {{ $storageClassName }} + {{- end}} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ include "srox.formatStorageSize" $pvcCfg.size }} +{{- end }} diff --git a/rhacs/3.0.59.0/central-services/templates/01-central-12-deployment.yaml b/rhacs/3.0.59.0/central-services/templates/01-central-12-deployment.yaml new file mode 100644 index 0000000..cad2416 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/01-central-12-deployment.yaml 
@@ -0,0 +1,192 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "deployment" "central") | nindent 4 }} + app: central + annotations: + {{- include "srox.annotations" (list . "deployment" "central") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: central + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: central + {{- include "srox.podLabels" (list . "deployment" "central") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8443" + {{- include "srox.podAnnotations" (list . "deployment" "central") | nindent 8 }} + spec: + {{- if ._rox.central._nodeSelector }} + nodeSelector: + {{- ._rox.central._nodeSelector | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # Central is single-homed, so avoid preemptible nodes. 
+ - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + {{- if ._rox.env.openshift }} + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: In + values: + - "true" + - weight: 75 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: NotIn + values: + - "true" + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: NotIn + values: + - "true" + {{- end}} + serviceAccountName: central + securityContext: + fsGroup: 4000 + runAsUser: 4000 + containers: + - name: central + image: {{ ._rox.central.image.fullRef | quote }} + command: + - /stackrox/central-entrypoint.sh + ports: + {{- toYaml ._rox.central._containerPorts | nindent 10 }} + readinessProbe: + httpGet: + scheme: HTTPS + path: /v1/ping + port: 8443 + resources: + {{- ._rox.central._resources | nindent 10 }} + securityContext: + capabilities: + drop: ["NET_RAW"] + readOnlyRootFilesystem: true + env: + - name: ROX_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ROX_INIT_TELEMETRY_ENABLED + value: {{ ._rox.central.disableTelemetry | not | quote }} + - name: ROX_OFFLINE_MODE + value: {{ ._rox.env.offlineMode | quote }} + {{- include "srox.envVars" (list . 
"deployment" "central" "central") | nindent 8 }} + volumeMounts: + - name: varlog + mountPath: /var/log/stackrox/ + - name: central-tmp-volume + mountPath: /tmp + - name: central-etc-ssl-volume + mountPath: /etc/ssl + - name: central-etc-pki-volume + mountPath: /etc/pki/ca-trust + - name: central-certs-volume + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: central-default-tls-cert-volume + mountPath: /run/secrets/stackrox.io/default-tls-cert/ + readOnly: true + - name: central-htpasswd-volume + mountPath: /run/secrets/stackrox.io/htpasswd/ + readOnly: true + - name: central-jwt-volume + mountPath: /run/secrets/stackrox.io/jwt/ + readOnly: true + - name: additional-ca-volume + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + - name: central-license-volume + mountPath: /run/secrets/stackrox.io/central-license/ + readOnly: true + - name: stackrox-db + mountPath: /var/lib/stackrox + - name: central-config-volume + mountPath: /etc/stackrox + - name: proxy-config-volume + mountPath: /run/secrets/stackrox.io/proxy-config/ + readOnly: true + - name: endpoints-config-volume + mountPath: /etc/stackrox.d/endpoints/ + readOnly: true + {{- range $extraMount := (default list ._rox.central.extraMounts) }} + - name: {{ $extraMount.name }} + {{- $extraMount.mount | toYaml | nindent 10 }} + {{- end }} + volumes: + - name: varlog + emptyDir: {} + - name: central-tmp-volume + emptyDir: {} + - name: central-etc-ssl-volume + emptyDir: {} + - name: central-etc-pki-volume + emptyDir: {} + - name: central-certs-volume + secret: + secretName: central-tls + - name: central-default-tls-cert-volume + secret: + secretName: central-default-tls-cert + optional: true + - name: central-htpasswd-volume + secret: + secretName: central-htpasswd + optional: true + - name: central-jwt-volume + secret: + secretName: central-tls + items: + - key: jwt-key.pem + path: jwt-key.pem + - name: additional-ca-volume + secret: + secretName: additional-ca + optional: true + - 
name: central-license-volume + secret: + secretName: central-license + optional: true + - name: central-config-volume + configMap: + name: central-config + optional: true + - name: proxy-config-volume + secret: + secretName: proxy-config + optional: true + - name: endpoints-config-volume + configMap: + name: central-endpoints + - name: stackrox-db + {{- toYaml ._rox.central.persistence._volumeCfg | nindent 8 }} + {{- range $extraMount := (default list ._rox.central.extraMounts) }} + - name: {{ $extraMount.name }} + {{- $extraMount.source | toYaml | nindent 8 }} + {{- end }} diff --git a/rhacs/3.0.59.0/central-services/templates/01-central-13-service.yaml b/rhacs/3.0.59.0/central-services/templates/01-central-13-service.yaml new file mode 100644 index 0000000..d8d67e9 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/01-central-13-service.yaml @@ -0,0 +1,40 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: Service +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "central") | nindent 4 }} +spec: + ports: + {{- toYaml ._rox.central._servicePorts | nindent 4 }} + selector: + app: central + type: ClusterIP + +{{ if ._rox.env.istio }} +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: central-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "destinationrule" "central-internal-no-istio-mtls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "destinationrule" "central-internal-no-istio-mtls") | nindent 4 }} + stackrox.io/description: "Disable Istio mTLS for port 443, since StackRox services use built-in mTLS." +spec: + host: central.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 443 + tls: + mode: DISABLE +{{ end }} 
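Review bot: The `central` container's `securityContext` sets `readOnlyRootFilesystem: true` and drops `NET_RAW` but does not set `allowPrivilegeEscalation: false` or `runAsNonRoot: true`; those guarantees currently come only from the PodSecurityPolicy/SCC in 01-central-02-security.yaml, which only take effect where PSP admission or OpenShift SCCs are enforced. Add `allowPrivilegeEscalation: false` and `runAsNonRoot: true` next to the existing `readOnlyRootFilesystem: true` so the pod spec is self-describing (the pod-level `runAsUser: 4000` already satisfies runAsNonRoot). The Deployment also defines a readinessProbe only; whether omitting a livenessProbe is intentional for this single-replica `Recreate` workload deserves a one-line comment.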
diff --git a/rhacs/3.0.59.0/central-services/templates/01-central-14-exposure.yaml b/rhacs/3.0.59.0/central-services/templates/01-central-14-exposure.yaml new file mode 100644 index 0000000..ebaa3cd --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/01-central-14-exposure.yaml 
@@ -0,0 +1,89 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central.exposure.route.enabled }} +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "route" "central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "route" "central") | nindent 4 }} +spec: + port: + targetPort: https + tls: + termination: passthrough + to: + kind: Service + name: central +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: central-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "route" "central-mtls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "route" "central-mtls") | nindent 4 }} +spec: + host: "central.{{ .Release.Namespace }}" + port: + targetPort: https + tls: + termination: passthrough + to: + kind: Service + name: central +--- +{{- end }} + +{{- if ._rox.central.exposure.nodePort.enabled }} +apiVersion: v1 +kind: Service +metadata: + annotations: + {{- include "srox.annotations" (list . "service" "central-loadbalancer") | nindent 4 }} + cloud.google.com/app-protocols: '{"api": "HTTPS"}' + service.alpha.kubernetes.io/app-protocols: '{"api": "HTTPS"}' + name: central-loadbalancer + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "central-loadbalancer") | nindent 4 }} +spec: + type: NodePort + ports: + - port: 443 + targetPort: api +{{- if ._rox.central.exposure.nodePort.port }} + nodePort: {{ ._rox.central.exposure.nodePort.port }} +{{- end }} + selector: + app: central +--- +{{- end }} + +{{- if ._rox.central.exposure.loadBalancer.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: central-loadbalancer + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "central-loadbalancer") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"service" "central-loadbalancer") | nindent 4 }} +spec: + type: LoadBalancer + ports: + - port: {{ ._rox.central.exposure.loadBalancer.port }} + targetPort: api + selector: + app: central +{{- if ._rox.central.exposure.loadBalancer.ip }} + loadBalancerIP: {{ ._rox.central.exposure.loadBalancer.ip }} +{{- end }} +--- +{{- end}} diff --git a/rhacs/3.0.59.0/central-services/templates/02-scanner-00-serviceaccount.yaml b/rhacs/3.0.59.0/central-services/templates/02-scanner-00-serviceaccount.yaml new file mode 100644 index 0000000..a27c602 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/02-scanner-00-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "scanner") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.imagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} + +{{ end -}} diff --git a/rhacs/3.0.59.0/central-services/templates/02-scanner-01-security.yaml b/rhacs/3.0.59.0/central-services/templates/02-scanner-01-security.yaml new file mode 100644 index 0000000..41944c1 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/02-scanner-01-security.yaml 
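Review bot: The NodePort branch and the LoadBalancer branch both render a Service with `name: central-loadbalancer` in the same namespace, so enabling `central.exposure.nodePort.enabled` together with `central.exposure.loadBalancer.enabled` yields two manifests with the same identity; Helm will either reject the release or the later document will overwrite the earlier one, and `srox.centralSetup` only emits an informational note for each method without rejecting the combination. Either give the NodePort service its own name (`name: central-nodeport`, and the same string in its `srox.labels`/`srox.annotations` arguments) or add a `srox.fail` in the setup helper when both flags are set. Since both services publish Central's API externally, a way to populate `loadBalancerSourceRanges` from values would also be a worthwhile follow-up; the chart currently offers no source restriction at all.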
@@ -0,0 +1,113 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }} + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }} +rules: +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + verbs: + - use + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-scanner-psp + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }} +subjects: + - kind: ServiceAccount + name: scanner + namespace: {{ .Release.Namespace }} + +--- + +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"podsecuritypolicy" "stackrox-scanner") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + +{{- if ._rox.env.openshift }} +--- + +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "scanner") }} + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "scanner") | nindent 4 }} + kubernetes.io/description: scanner is the security constraint for the Scanner container +priority: 0 +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +users: + - system:serviceaccount:{{ .Release.Namespace }}:scanner +volumes: + - '*' +allowHostDirVolumePlugin: false +allowedCapabilities: [] +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +defaultAddCapabilities: [] +fsGroup: + type: RunAsAny +readOnlyRootFilesystem: false +requiredDropCapabilities: [] +{{ end -}} + +{{ end -}} diff --git a/rhacs/3.0.59.0/central-services/templates/02-scanner-02-db-password-secret.yaml b/rhacs/3.0.59.0/central-services/templates/02-scanner-02-db-password-secret.yaml new file mode 100644 index 0000000..c6c0bc1 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/02-scanner-02-db-password-secret.yaml 
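Review bot: The OpenShift SecurityContextConstraints grants `volumes: - '*'` (and `seccompProfiles: - '*'`), which is broader than the PodSecurityPolicy in the same hunk that enumerates exactly six volume types, so the `scanner` service account can mount on OpenShift what the PSP refuses elsewhere. Listing the same types in the SCC (`configMap`, `emptyDir`, `projected`, `secret`, `downwardAPI`, `persistentVolumeClaim`) keeps the two policies equivalent and makes `allowHostDirVolumePlugin: false` unambiguous instead of depending on how the wildcard interacts with it. `runAsUser: RunAsAny` in both policies appears to be required only because the scanner-db `init-db` container in this patch runs as UID 0; a comment such as `# RunAsAny: scanner-db's init-db container runs as root to chown the data directory` would keep a later hardening pass from tightening it without moving that init step first.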
@@ -0,0 +1,27 @@
+{{- include "srox.init" . -}}
+
+{{- if not ._rox.scanner.disable -}}
+
+{{- if ._rox.scanner._dbPassword -}}
+{{- if not (kindIs "invalid" ._rox.scanner._dbPassword.value) -}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: scanner-db-password
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "srox.labels" (list . "secret" "scanner-db-password") | nindent 4 }}
+ annotations:
+ {{- include "srox.annotations" (list . "secret" "scanner-db-password") | nindent 4 }}
+ "helm.sh/hook": "pre-install,pre-upgrade"
+ "helm.sh/resource-policy": keep
+type: Opaque
+stringData:
+ password: |
+ {{- ._rox.scanner._dbPassword.value | nindent 4 }}
+
+{{- end -}}
+{{- end -}}
+
+{{ end -}}
diff --git a/rhacs/3.0.59.0/central-services/templates/02-scanner-03-tls-secret.yaml b/rhacs/3.0.59.0/central-services/templates/02-scanner-03-tls-secret.yaml
new file mode 100644
index 0000000..7c590ff
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/templates/02-scanner-03-tls-secret.yaml
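Review bot: This hook Secret sets `helm.sh/resource-policy: keep` but leaves `helm.sh/hook-delete-policy` at Helm's documented default (`before-hook-creation`), whereas the generated-values Secret later in this patch pins `"helm.sh/hook-delete-policy": "never"`; under the default, Helm deletes the existing `scanner-db-password` before re-creating it on each upgrade that renders it, which is a needless delete/create window for a credential both scanner pods mount. Add `"helm.sh/hook-delete-policy": "never"` beside the `keep` annotation for consistency. Separately, `password: |` uses clip chomping, so the mounted file ends with a newline; unless both the scanner and the Postgres entrypoint are known to trim it, `password: |-` is the safer spelling — worth confirming against the consumers.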
@@ -0,0 +1,55 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +{{- if and ._rox.scanner._serviceTLS ._rox._ca -}} + +apiVersion: v1 +kind: Secret +metadata: + name: scanner-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "scanner-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "scanner-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +type: Opaque +stringData: + ca.pem: | + {{- ._rox._ca.Cert | nindent 4 }} + cert.pem: | + {{- ._rox.scanner._serviceTLS.Cert | nindent 4 }} + key.pem: | + {{- ._rox.scanner._serviceTLS.Key | nindent 4 }} + +--- + +{{- end }} + +{{ if and ._rox.scanner._dbServiceTLS ._rox._ca -}} + +apiVersion: v1 +kind: Secret +metadata: + name: scanner-db-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "scanner-db-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "scanner-db-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox._ca.Cert | nindent 4 }} + cert.pem: | + {{- ._rox.scanner._dbServiceTLS.Cert | nindent 4 }} + key.pem: | + {{- ._rox.scanner._dbServiceTLS.Key | nindent 4 }} + +{{- end -}} + +{{ end -}} diff --git a/rhacs/3.0.59.0/central-services/templates/02-scanner-04-scanner-config.yaml b/rhacs/3.0.59.0/central-services/templates/02-scanner-04-scanner-config.yaml new file mode 100644 index 0000000..4ed16c7 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/02-scanner-04-scanner-config.yaml 
@@ -0,0 +1,18 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: scanner-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "scanner-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "scanner-config") | nindent 4 }} +data: + config.yaml: | + {{- tpl (.Files.Get "config-templates/scanner/config.yaml.tpl") . | nindent 4 }} + +{{ end -}} diff --git a/rhacs/3.0.59.0/central-services/templates/02-scanner-05-network-policy.yaml b/rhacs/3.0.59.0/central-services/templates/02-scanner-05-network-policy.yaml new file mode 100644 index 0000000..824c63e --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/02-scanner-05-network-policy.yaml @@ -0,0 +1,57 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: scanner + ingress: + - from: + - podSelector: + matchLabels: + app: central + ports: + - port: 8080 + protocol: TCP + - port: 8443 + protocol: TCP + policyTypes: + - Ingress + +--- + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner-db") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: scanner-db + ingress: + - from: + - podSelector: + matchLabels: + app: scanner + ports: + - port: 5432 + protocol: TCP + policyTypes: + - Ingress + +{{ end -}} 
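Review bot: Both NetworkPolicies declare `policyTypes: - Ingress` only, so the scanner and scanner-db pods keep unrestricted egress; scanner-db in particular appears to need no outbound connectivity at all, and adding `- Egress` to its `policyTypes` with no egress rules would give it a cheap default-deny. For the scanner pod the required egress (scanner-db on 5432, Central, and possibly an external definitions source via the proxy config it mounts) is not evident from this patch, so confirm that set before adding an egress rule there. The ingress `from` entries use a bare `podSelector`, which matches only pods in the policy's own namespace — correct as long as Central and scanner are always co-located in `.Release.Namespace`, which the templates in this patch assume.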
diff --git a/rhacs/3.0.59.0/central-services/templates/02-scanner-06-deployment.yaml b/rhacs/3.0.59.0/central-services/templates/02-scanner-06-deployment.yaml
new file mode 100644
index 0000000..3468ddb
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/templates/02-scanner-06-deployment.yaml
@@ -0,0 +1,285 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + app: scanner + {{- include "srox.labels" (list . "deployment" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "deployment" "scanner") | nindent 4 }} +spec: + replicas: {{ ._rox.scanner.replicas }} + minReadySeconds: 15 + selector: + matchLabels: + app: scanner + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: scanner + {{- include "srox.podLabels" (list . "deployment" "scanner") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8080,8443" + {{- include "srox.podAnnotations" (list . "deployment" "scanner") | nindent 8 }} + spec: + {{- if ._rox.scanner._nodeSelector }} + nodeSelector: + {{- ._rox.scanner._nodeSelector | nindent 8 }} + {{- end }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + app: scanner + topologyKey: kubernetes.io/hostname + {{- if ._rox.env.openshift }} + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: In + values: + - "true" + - weight: 75 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: NotIn + values: + - "true" + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: NotIn + values: + - "true" + {{- end }} + containers: + - name: scanner + image: {{ ._rox.scanner.image.fullRef | quote }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- include "srox.envVars" (list . 
"deployment" "scanner" "scanner") | nindent 8 }} + resources: + {{- ._rox.scanner._resources | nindent 10 }} + command: + - /entrypoint.sh + ports: + - name: https + containerPort: 8080 + - name: grpc + containerPort: 8443 + securityContext: + capabilities: + drop: ["NET_RAW"] + runAsUser: 4000 + readinessProbe: + httpGet: + scheme: HTTPS + path: /scanner/ping + port: 8080 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + volumeMounts: + - mountPath: /etc/ssl + name: scanner-etc-ssl-volume + - mountPath: /etc/pki/ca-trust + name: scanner-etc-pki-volume + - mountPath: /usr/local/share/ca-certificates/ + name: additional-ca-volume + readOnly: true + - name: scanner-config-volume + mountPath: /etc/scanner + readOnly: true + - name: scanner-tls-volume + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: vuln-temp-db + mountPath: /var/lib/stackrox + - name: proxy-config-volume + mountPath: /run/secrets/stackrox.io/proxy-config/ + readOnly: true + - name: scanner-db-password + mountPath: /run/secrets/stackrox.io/secrets + serviceAccountName: scanner + volumes: + - name: additional-ca-volume + secret: + defaultMode: 420 + optional: true + secretName: additional-ca + - emptyDir: {} + name: scanner-etc-ssl-volume + - emptyDir: {} + name: scanner-etc-pki-volume + - name: scanner-config-volume + configMap: + name: scanner-config + - name: scanner-tls-volume + secret: + secretName: scanner-tls + - name: vuln-temp-db + emptyDir: {} + - name: proxy-config-volume + secret: + secretName: proxy-config + optional: true + - name: scanner-db-password + secret: + secretName: scanner-db-password + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + app: scanner-db + {{- include "srox.labels" (list . "deployment" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"deployment" "scanner-db") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: scanner-db + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: scanner-db + {{- include "srox.podLabels" (list . "deployment" "scanner-db") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "5432" + {{- include "srox.podAnnotations" (list . "deployment" "scanner-db") | nindent 8 }} + spec: + {{- if ._rox.scanner._dbNodeSelector }} + nodeSelector: + {{- ._rox.scanner._dbNodeSelector | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # ScannerDB is single-homed, so avoid preemptible nodes. + - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + {{ if ._rox.env.openshift }} + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: In + values: + - "true" + - weight: 75 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: NotIn + values: + - "true" + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: NotIn + values: + - "true" + {{- end }} + initContainers: + - name: init-db + image: {{ ._rox.scanner.dbImage.fullRef | quote }} + command: + - /bin/sh + - -c + - | + mkdir -p /var/lib/postgresql/data + chmod 700 /var/lib/postgresql/data + chown -R postgres:postgres /var/lib/postgresql + volumeMounts: + - name: db-data + mountPath: /var/lib/postgresql/data + securityContext: + runAsUser: 0 + containers: + - name: db + command: ["/usr/local/bin/docker-entrypoint.sh", "postgres", "-c", "config_file=/etc/postgresql.conf"] + image: {{ ._rox.scanner.dbImage.fullRef | quote }} + ports: + - name: https-db + containerPort: 5432 + resources: + {{- ._rox.scanner._dbResources | nindent 10 }} + env: + {{- include "srox.envVars" 
(list . "deployment" "scanner-db" "db") | nindent 10 }} + securityContext: + runAsUser: 70 + runAsGroup: 70 + volumeMounts: + - name: db-data + mountPath: /var/lib/postgresql/data + - name: scanner-db-tls-volume + mountPath: /run/secrets/stackrox.io/certs + - name: scanner-db-password + mountPath: /run/secrets/stackrox.io/secrets + serviceAccountName: scanner + securityContext: + fsGroup: 70 + volumes: + - name: scanner-config-volume + configMap: + name: scanner-config + - name: scanner-tls-volume + secret: + secretName: scanner-tls + - name: scanner-db-tls-volume + secret: + secretName: scanner-db-tls + defaultMode: 0640 + items: + - key: cert.pem + path: server.crt + - key: key.pem + path: server.key + - key: ca.pem + path: root.crt + - name: db-data + emptyDir: {} + - name: scanner-db-password + secret: + secretName: scanner-db-password + +{{ end -}} diff --git a/rhacs/3.0.59.0/central-services/templates/02-scanner-07-service.yaml b/rhacs/3.0.59.0/central-services/templates/02-scanner-07-service.yaml new file mode 100644 index 0000000..6c6ad04 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/02-scanner-07-service.yaml 
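Review bot: The scanner-db pod lists `scanner-config-volume` and `scanner-tls-volume` under `volumes`, but none of its containers mount them; the second references the scanner's own TLS key material, so the DB pod carries a needless hard dependency on the `scanner-tls` Secret (the pod will not start without it) for no use — drop both entries. The `scanner-db-password` mounts in both pods omit `readOnly: true`, unlike every other secret mount in the scanner container; add it. The `init-db` container runs as UID 0 solely to `mkdir`/`chmod 700`/`chown` an `emptyDir` on a pod that already sets `fsGroup: 70` and runs Postgres as 70:70; if Postgres accepts the fsGroup-applied permissions without the explicit chmod (worth testing, as initdb normally fixes the mode of an empty directory), the root init could go and the PSP/SCC could stop needing `RunAsAny`.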
@@ -0,0 +1,94 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: Service +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "scanner") | nindent 4 }} +spec: + ports: + - name: https-scanner + port: 8080 + targetPort: 8080 + - name: grpcs-scanner + port: 8443 + targetPort: 8443 + selector: + app: scanner + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "scanner-db") | nindent 4 }} +spec: + ports: + - name: tcp-db + port: 5432 + targetPort: 5432 + selector: + app: scanner-db + type: ClusterIP + +{{ if ._rox.env.istio }} +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: scanner-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }} + annotations: + stackrox.io/description: "Disable Istio mTLS for ports 8080 and 8443, since StackRox services use built-in mTLS." + {{- include "srox.annotations" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }} +spec: + host: scanner.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8080 + tls: + mode: DISABLE + - port: + number: 8443 + tls: + mode: DISABLE + +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: scanner-db-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . 
"destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }} + annotations: + stackrox.io/description: "Disable Istio mTLS for port 5432, since StackRox services use built-in mTLS." + {{- include "srox.annotations" (list . "destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }} +spec: + host: scanner-db.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 5432 + tls: + mode: DISABLE +{{ end }} + +{{ end -}} diff --git a/rhacs/3.0.59.0/central-services/templates/02-scanner-08-hpa.yaml b/rhacs/3.0.59.0/central-services/templates/02-scanner-08-hpa.yaml new file mode 100644 index 0000000..c7af476 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/02-scanner-08-hpa.yaml @@ -0,0 +1,25 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +{{- if not ._rox.scanner.autoscaling.disable -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }} +spec: + minReplicas: {{ ._rox.scanner.autoscaling.minReplicas }} + maxReplicas: {{ ._rox.scanner.autoscaling.maxReplicas }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: scanner + targetCPUUtilizationPercentage: 150 +{{ end -}} + +{{ end -}} diff --git a/rhacs/3.0.59.0/central-services/templates/99-generated-values-secret.yaml b/rhacs/3.0.59.0/central-services/templates/99-generated-values-secret.yaml new file mode 100644 index 0000000..b3499e8 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/99-generated-values-secret.yaml 
@@ -0,0 +1,25 @@
+{{- include "srox.init" . -}}
+
+{{- if ._rox._state.generated -}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ ._rox._state.generatedName }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "srox.labels" (list . "secret" "generated-helm-config") | nindent 4 }}
+ annotations:
+ {{- include "srox.annotations" (list . "secret" "generated-helm-config") | nindent 4 }}
+ "helm.sh/hook": "pre-install,pre-upgrade"
+ "helm.sh/resource-policy": "keep"
+ "helm.sh/hook-delete-policy": "never"
+stringData:
+ generated-values.yaml: |
+ # The following values were generated by the StackRox Central Services Helm chart.
+ # You can pass this file to `helm install` via the `-f` parameter, which in conjunction
+ # with your local values files and values specified via `--set` will allow you to
+ # deterministically reproduce the deployment.
+ {{- ._rox._state.generated | toYaml | nindent 4 }}
+
+{{- end -}}
diff --git a/rhacs/3.0.59.0/central-services/templates/NOTES.txt b/rhacs/3.0.59.0/central-services/templates/NOTES.txt
new file mode 100644
index 0000000..87db7f7
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/templates/NOTES.txt
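Review bot: The header comment embedded in `generated-values.yaml` describes the file only as a way to reproduce the deployment, yet per the `srox.configureCrypto` documentation in this patch `_state.generated` receives generated certificates and private keys (including the CA and JWT-signer keys) and, per NOTES.txt, the generated admin password, and `hook-delete-policy: never` keeps the Secret around after uninstall. State that in the comment so whoever reads the Secret or its RBAC understands its sensitivity, e.g. `# This file can contain private keys (CA, service, JWT signer) and the admin password; anyone who can read it can impersonate or administer StackRox.` Also add `type: Opaque` to match the other Secrets in the chart, so the object's type does not depend on the apiserver default.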
@@ -0,0 +1,49 @@ +{{- $_ := include "srox.init" . -}} + +StackRox {{.Chart.AppVersion}} has been installed. + +{{ if include "srox.checkGenerated" (list . "central.adminPassword.value") -}} +An administrator password has been generated automatically. Use username 'admin' and the following +password to log in for initial setup: + + {{ ._rox.central._adminPassword.value }} + +{{ end -}} + +{{ if ._rox._state.notes -}} +Please take note of the following: +{{ range ._rox._state.notes }} +- {{ . | wrapWith 98 "\n " -}} +{{ end }} + +{{ end -}} + +{{ if ._rox._state.generated -}} +One or several values were automatically generated by Helm. In order to reproduce this deployment +in the future, you can export these values by running + + $ kubectl -n {{ .Release.Namespace }} get secret {{ ._rox._state.generatedName }} \ + -o go-template='{{ `{{ index .data "generated-values.yaml" }}` }}' | \ + base64 --decode >generated-values.yaml + +This file might contain sensitive data, so store it in a safe place. + +{{ end -}} + +{{ if ._rox._state.warnings -}} +When installing StackRox, the following warnings were encountered: +{{ range ._rox._state.warnings }} +- WARNING: {{ . | wrapWith 98 "\n " -}} +{{ end }} + +{{ end -}} + +{{ if ._rox.env.openshift -}} +IMPORTANT: You have deployed into an OpenShift-enabled cluster. If you see that your pods + are not scheduling, run + + oc annotate namespace/{{ .Release.Namespace }} --overwrite openshift.io/node-selector="" +{{ end -}} + + +Thank you for using StackRox! diff --git a/rhacs/3.0.59.0/central-services/templates/_central_endpoints.tpl b/rhacs/3.0.59.0/central-services/templates/_central_endpoints.tpl new file mode 100644 index 0000000..3f01580 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/_central_endpoints.tpl 
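Review bot: NOTES.txt prints the generated admin password in clear text (`{{ ._rox.central._adminPassword.value }}`), and Helm stores rendered notes with the release, so the credential lands in terminal scrollback, CI job logs and anything that later runs `helm get notes`. Printing only a retrieval command is safer; the chart already writes the value into the generated-values Secret, so the paragraph below it could serve both needs, e.g. `The admin password was generated; retrieve it with: kubectl -n {{ .Release.Namespace }} get secret {{ ._rox._state.generatedName }} -o go-template='{{ "{{" }} index .data "generated-values.yaml" {{ "}}" }}' | base64 --decode | grep -A1 adminPassword`. The `srox.checkGenerated` guard suggests the line already appears only on the install that generated the value, which limits but does not remove the exposure.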
@@ -0,0 +1,54 @@ +{{ define "srox.configureCentralEndpoints" }} +{{ $central := . }} +{{ $containerPorts := list (dict "name" "api" "containerPort" 8443) }} +{{ $netPolIngressRules := list (dict "ports" (list (dict "port" 8443 "protocol" "TCP"))) }} +{{ $servicePorts := list (dict "name" "https" "targetPort" "api" "port" 443) }} +{{ $cfgDict := fromYaml $central._endpointsConfig }} +{{ if kindIs "map" $cfgDict }} + {{ if $cfgDict.disableDefault }} + {{ $containerPorts = list }} + {{ $netPolIngressRules = list }} + {{ $servicePorts = list }} + {{ end }} + {{ range $epCfg := default list $cfgDict.endpoints }} + {{ if and $epCfg.listen (kindIs "string" $epCfg.listen) }} + {{ $listenParts := splitList ":" $epCfg.listen }} + {{ if $listenParts }} + {{ $port := last $listenParts }} + {{ if $port }} + {{ if regexMatch "[0-9]+" $port }} + {{ $port = int $port }} + {{ end }} + {{ $containerPort := dict "containerPort" $port }} + {{ if and $epCfg.name (kindIs "string" $epCfg.name) }} + {{ $_ := set $containerPort "name" $epCfg.name }} + {{ end }} + {{ $containerPorts = append $containerPorts $containerPort }} + {{ if $epCfg.servicePort }} + {{ $servicePort := dict "targetPort" $port "port" $epCfg.servicePort }} + {{ if $containerPort.name }} + {{ $_ := set $servicePort "name" $containerPort.name }} + {{ end }} + {{ $servicePorts = append $servicePorts $servicePort }} + {{ end }} + {{ if not (kindIs "invalid" $epCfg.allowIngressFrom) }} + {{ $fromList := $epCfg.allowIngressFrom }} + {{ if not (kindIs "slice" $fromList) }} + {{ $fromList = list $fromList }} + {{ end }} + {{ $netPolIngressRule := dict "ports" (list (dict "port" $port "protocol" "TCP")) "from" $fromList }} + {{ $netPolIngressRules = append $netPolIngressRules $netPolIngressRule }} + {{ end }} + {{ end }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ if $central.exposeMonitoring }} + {{ $containerPorts = append $containerPorts (dict "name" "monitoring" "containerPort" 9090) }} + {{ $servicePorts = append 
$servicePorts (dict "name" "monitoring" "targetPort" "monitoring" "port" 9090) }} +{{ end }} +{{ $_ := set $central "_containerPorts" $containerPorts }} +{{ $_ = set $central "_servicePorts" $servicePorts }} +{{ $_ = set $central "_netPolIngressRules" $netPolIngressRules }} +{{ end }} diff --git a/rhacs/3.0.59.0/central-services/templates/_central_setup.tpl b/rhacs/3.0.59.0/central-services/templates/_central_setup.tpl new file mode 100644 index 0000000..f79ff48 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/_central_setup.tpl 
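Review bot: `regexMatch "[0-9]+" $port` is unanchored, so a `listen` value whose last colon-separated part is e.g. `8443x` passes the check and the sprig `int` cast then yields 0, producing `containerPort: 0` (rejected by the API server) instead of a clear render-time error; anchor it as `{{ if regexMatch "^[0-9]+$" $port }}` and fail otherwise with `{{ include "srox.fail" (printf "central endpoint %q: listen address must end in a numeric port" $epCfg.listen) }}`. Also note that `allowIngressFrom: []` is passed through as a rule with `from: []`, which the NetworkPolicy API treats as "all sources", so an empty list opens the port rather than closing it; either skip the `from` key when the list is empty (producing the same open rule deliberately) or document that an empty list means unrestricted ingress.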
@@ -0,0 +1,101 @@ +{/* + srox.centralSetup $ + + Configures and initializes central specific values like certificates, admin password or persistence. + */}} +{{ define "srox.centralSetup" }} +{{ $ := . }} +{{ $env := $._rox.env }} +{{ $_ := set $ "_rox" $._rox }} +{{ $centralCfg := $._rox.central }} + +{{/* Image settings */}} +{{ if kindIs "invalid" $centralCfg.image.tag }} + {{ $_ := set $centralCfg.image "tag" $.Chart.AppVersion }} +{{ end }} +{{ include "srox.configureImage" (list $ $centralCfg.image) }} + +{{/* Admin password */}} +{{ include "srox.configurePassword" (list $ "central.adminPassword" "admin") }} + +{{/* Service TLS Certificates */}} +{{ $centralCertSpec := dict "CN" "CENTRAL_SERVICE: Central" "dnsBase" "central" }} +{{ include "srox.configureCrypto" (list $ "central.serviceTLS" $centralCertSpec) }} + +{{/* JWT Token Signer */}} +{{ $jwtSignerSpec := dict "keyOnly" "rsa" }} +{{ include "srox.configureCrypto" (list $ "central.jwtSigner" $jwtSignerSpec) }} + +{{/* Setup Default TLS Certificate. */}} +{{ if $._rox.central.defaultTLS }} + {{ $cert := $._rox.central.defaultTLS._cert }} + {{ $key := $._rox.central.defaultTLS._key }} + {{ if and $cert $key }} + {{ $defaultTLSCert := dict "Cert" $cert "Key" $key }} + {{ $_ := set $._rox.central "_defaultTLS" $defaultTLSCert }} + {{ include "srox.note" (list $ "Configured default TLS certificate") }} + {{ else if or $cert $key }} + {{ include "srox.fail" "Must specify either none or both of central.defaultTLS.cert and central.defaultTLS.key" }} + {{ end }} +{{ end }} + +{{/* + Setup configuration for persistence backend. + */}} +{{ $volumeCfg := dict }} +{{ if $centralCfg.persistence.none }} + {{ include "srox.warn" (list $ "You have selected no persistence backend. Every deletion of the StackRox Central pod will cause you to lose all your data. 
This is STRONGLY recommended against.") }} + {{ $_ := set $volumeCfg "emptyDir" dict }} +{{ end }} +{{ if $centralCfg.persistence.hostPath }} + {{ if not $centralCfg.nodeSelector }} + {{ include "srox.warn" (list $ "You have selected host path persistence, but not specified a node selector. This is unlikely to work reliably.") }} + {{ end }} + {{ $_ := set $volumeCfg "hostPath" (dict "path" $centralCfg.persistence.hostPath) }} +{{ end }} +{{/* Configure PVC if either any of the settings in `central.persistence.persistentVolumeClaim` are provided, + or no other persistence backend has been configured yet. */}} +{{ if or (not (deepEqual $._rox._configShape.central.persistence.persistentVolumeClaim $centralCfg.persistence.persistentVolumeClaim)) (not $volumeCfg) }} + {{ $pvcCfg := $centralCfg.persistence.persistentVolumeClaim }} + {{ $_ := include "srox.mergeInto" (list $pvcCfg $._rox._defaults.pvcDefaults (dict "createClaim" $.Release.IsInstall)) }} + {{ $_ = set $volumeCfg "persistentVolumeClaim" (dict "claimName" $pvcCfg.claimName) }} + {{ if $pvcCfg.createClaim }} + {{ $_ = set $centralCfg.persistence "_pvcCfg" $pvcCfg }} + {{ end }} +{{ end }} + +{{ $allPersistenceMethods := keys $volumeCfg | sortAlpha }} +{{ if ne (len $allPersistenceMethods) 1 }} + {{ include "srox.fail" (printf "Invalid or no persistence configurations for central: [%s]" (join "," $allPersistenceMethods)) }} +{{ end }} +{{ $_ = set $centralCfg.persistence "_volumeCfg" $volumeCfg }} + +{{/* Endpoint configuration */}} +{{ include "srox.configureCentralEndpoints" $._rox.central }} + +{{/* + Exposure configuration setup & sanity checks. 
+ */}} +{{ if $._rox.central.exposure.loadBalancer.enabled }} + {{ include "srox.note" (list $ (printf "Exposing StackRox Central via LoadBalancer service.")) }} +{{ end }} +{{ if $._rox.central.exposure.nodePort.enabled }} + {{ include "srox.note" (list $ (printf "Exposing StackRox Central via NodePort service.")) }} +{{ end }} +{{ if $._rox.central.exposure.route.enabled }} + {{ if not $env.openshift }} + {{ include "srox.fail" (printf "The exposure method 'Route' is only available on OpenShift clusters.") }} + {{ end }} + {{ include "srox.note" (list $ (printf "Exposing StackRox Central via OpenShift Route https://central.%s." $.Release.Namespace)) }} +{{ end }} + +{{ if not (or $._rox.central.exposure.loadBalancer.enabled $._rox.central.exposure.nodePort.enabled $._rox.central.exposure.route.enabled) }} + {{ include "srox.note" (list $ "Not exposing StackRox Central, it will only be reachable cluster-internally.") }} + {{ include "srox.note" (list $ "To enable exposure via LoadBalancer service, use --set central.exposure.loadBalancer.enabled=true.") }} + {{ include "srox.note" (list $ "To enable exposure via NodePort service, use --set central.exposure.nodePort.enabled=true.") }} + {{ if $env.openshift }} + {{ include "srox.note" (list $ "To enable exposure via an OpenShift Route, use --set central.exposure.route.enabled=true.") }} + {{ end }} + {{ include "srox.note" (list $ (printf "To acccess StackRox Central via a port-forward on your local port 18443, run: kubectl -n %s port-forward svc/central 18443:443." .Release.Namespace)) }} +{{ end }} +{{ end }} diff --git a/rhacs/3.0.59.0/central-services/templates/_crypto.tpl b/rhacs/3.0.59.0/central-services/templates/_crypto.tpl new file mode 100644 index 0000000..1455288 --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/_crypto.tpl 
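Review bot: The Route note tells the user Central is reachable at `https://central.<namespace>`, but that string is only the `spec.host` of the `central-mtls` Route in the exposure template, an unqualified name OpenShift does not publish in DNS; the plain `central` Route sets no `host`, so it is the one that receives the router-assigned `*.apps` hostname, and the printed URL is unlikely to resolve for an operator. Either describe the address as the mTLS endpoint or point at the assigned host, e.g. `Exposing StackRox Central via OpenShift Route; run: oc -n %s get route central -o jsonpath='{.spec.host}'`. Also `acccess` in the port-forward note should read `access`.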
@@ -0,0 +1,239 @@ +{{/* + srox.configureCrypto $ $cryptoConfigPath $spec + + This helper function configures a private key or certificate (public cert + private key) + config entry, from an input config which is accessed via $cryptoConfigPath relative to + $._rox, which we'll refer to as $inputCfg. $inputCfg is expected to be a dict with at + least `key` and `generate` properties. If `generate` is null, it defaults to either `true` + on installations, and `false` on upgrades. `key` is an expandable string. + The result in either mode is written to a dict $outputCfg under $._rox accessed by the + $cryptoConfigPath, with a '_' prepended to the last path element. E.g., if + $cryptoConfigPath is "a.b.c", the input configuration will be read from $._rox.a.b.c, and + the output configuration will be stored in $._rox.a.b._c. + + Private key-only mode is selected if $spec.keyOnly contains a non-zero string, which specifies + the key algorithm to use. In this mode, if $inputCfg.key expands to a non-empty string, this + string will be copied to the `Key` property of $outputCfg. Otherwise, if $inputCfg.generate + is true (wrt. the above defaulting rules), a key with the algorithm prescribed by $spec.keyOnly + will be generated and stored in the `Key` property of $outputCfg. + + Certificate mode is the default. If $inputCfg.cert and $inputCfg.key expand to non-empty strings, + these strings will be copied to the `Cert` and `Key` properties of $outputCfg. Otherwise, if both + of them expand to empty strings (it is an error if only one of them expands to a non-empty + string), and $inputCfg.generate is true, a certificate and private key are generated with the + following options: + - If $inputCfg.ca is true, generate a CA certificate with common name $inputCfg.CN and a 5 year + validity duration. + - Otherwise, generate a leaf certificate with common name $inputCfg.CN and a 1 year validity + duration. 
The SANs for this certificate are derived from the base DNS name $inputCfg.dnsBase + according to "srox.computeSANs". + + Whenever certificates and/or private keys were generated, the $._rox._state.generated property + is updated to reflect the generated values, such that merging $._rox._state.generated in to + $.Values would have caused this template to simply use the generated values as-is. E.g., if + $cryptoConfigPath was "a.b.c" and $.Values.a.b.c.cert" and $.Values.a.b.c.key" were both empty, + $._rox._state.generated.a.b.c would be set to be a dict with `cert` and `key` properties of the + generated $outputCfg.Cert and $outputCfg.Key. + + If a certificate or private key was generated, $._rox._state.customCertGen is set to true. + */}} +{{- define "srox.configureCrypto" -}} +{{ $ := index . 0 }} +{{ $cryptoConfigPath := index . 1 }} +{{ $spec := index . 2 }} + +{{/* Resolve $cryptoConfigPath. */}} +{{ $cfg := $._rox }} +{{ $newGenerated := dict }} +{{ $genCfg := $newGenerated }} +{{ $cryptoConfigPathList := splitList "." $cryptoConfigPath }} +{{ range $pathElem := $cryptoConfigPathList }} + {{ $cfg = index $cfg $pathElem }} + {{ $newCfg := dict }} + {{ $_ := set $genCfg $pathElem $newCfg }} + {{ $genCfg = $newCfg }} +{{ end }} + +{{/* Make sure `cert` and `key` are expanded (this should already be the case, but better + safe than sorry. 
*/}} +{{ $certExpandSpec := dict "cert" true "key" true }} +{{ include "srox.expandAll" (list $ $cfg $certExpandSpec $cryptoConfigPathList) }} + +{{ $certPEM := $cfg._cert }} +{{ $keyPEM := $cfg._key }} + +{{ $result := dict }} +{{ if $certPEM }} + {{ $result = dict "Cert" $certPEM "Key" (default "" $keyPEM) }} +{{ else if or $certPEM $keyPEM }} + {{ if and $keyPEM $spec.keyOnly }} + {{ $_ := set $result "Key" $keyPEM }} + {{ else }} + {{ include "srox.fail" (printf "Either none or both of %s.cert and %s.key must be specified" $cryptoConfigPath $cryptoConfigPath) }} + {{ end }} +{{ else }} + {{ $generate := $cfg.generate }} + {{ if kindIs "invalid" $generate }} + {{ $generate = $.Release.IsInstall }} + {{ end }} + {{ if $generate }} + {{ if $spec.ca }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"ca\" (genCA .cn 1825) }}" (dict "Template" $.Template "cn" $spec.CN "out" $out) }} + {{ $result = $out.ca }} + {{ else if $spec.keyOnly }} + {{ $key := tpl "{{ genPrivateKey .algo }}" (dict "Template" $.Template "algo" $spec.keyOnly) }} + {{ $_ := set $genCfg "key" $key }} + {{ $_ = set $result "Key" $key }} + {{ else }} + {{ if not $._rox._ca }} + {{ include "srox.fail" (printf "Tried to generate certificate for %s, but no CA certificate is available." 
$spec.CN) }} + {{ end }} + {{ $sans := dict }} + {{ include "srox.computeSANs" (list $ $sans $spec.dnsBase) }} + {{ $ca := $._rox._ca }} + {{ if kindIs "map" $ca }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"ca\" (buildCustomCert (b64enc .ca.Cert) (b64enc .ca.Key)) }}" (dict "Template" $.Template "ca" $ca "out" $out) }} + {{ $ca = $out.ca }} + {{ end }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"cert\" (genSignedCert .cn nil .sans 365 .ca) }}" (dict "Template" $.Template "cn" $spec.CN "sans" $sans.result "ca" $ca "out" $out) }} + {{ $result = $out.cert }} + {{ $_ := set $genCfg "cert" $result.Cert }} + {{ $_ = set $genCfg "key" $result.Key }} + {{ end }} + {{ $_ := set $genCfg "key" $result.Key }} + {{ if $result.Cert }} + {{ $_ = set $genCfg "cert" $result.Cert }} + {{ end }} + {{ $_ = set $._rox._state "customCertGen" true }} + {{ end }} +{{ end }} + +{{/* Store output configuration and generated properties */}} +{{ $newCfgRoot := dict }} +{{ $newCfg := $newCfgRoot }} +{{ range $pathElem := initial $cryptoConfigPathList }} + {{ $nextCfg := dict }} + {{ $_ := set $newCfg $pathElem $nextCfg }} + {{ $newCfg = $nextCfg }} +{{ end }} +{{ $_ := set $newCfg (last $cryptoConfigPathList | printf "_%s") $result }} +{{ $_ = include "srox.mergeInto" (list $._rox $newCfgRoot) }} +{{ $_ = include "srox.mergeInto" (list $._rox._state.generated $newGenerated) }} +{{ end }} + + +{{/* + srox.configurePassword $ $pwConfigPath [$htpasswdUser] + + This helper function reads a password configuration (YAML dict with `value` + and `generate` properties) referenced by $pwConfigPath relative to $._rox. It + ensures the dict with the same config path relative to $._rox and prepending an underscore + to the last path element is populated in the following way: + - If the `value` property of the input config is nonzero, set `value` in the result to the + expanded value. 
+ - If the optional $htpasswdUser parameter is specified and the `htpasswd` property of the + input config is nonzero, set `htpasswd` in the result to the expanded value of that + property. + - If none of the above (non-mutually-exclusive) cases apply: + - If `generate` is true OR both `generate` is null and this is an installation, + not an upgrade, generate a random password with 32 alphanumeric characters. + - Otherwise, leave the result property empty. + - If the optional $htpasswdUser parameter was specified AND the `value` property in the + result property was set per the above rules AND the `htpasswd` property was not set, + populate the `htpasswd` property of the result by generating an htpasswd stanza with + the computed `value` as the password and $htpasswdUser as the username. + + The $._rox._state.generated property is adjusted accordingly. + */}} +{{- define "srox.configurePassword" -}} +{{ $ := index . 0 }} +{{ $pwConfigPath := index . 1 }} +{{ $htpasswdUser := "" }} +{{ if gt (len .) 2 }} + {{ $htpasswdUser = index . 2 }} +{{ end }} +{{ $cfg := $._rox }} +{{ $newGenerated := dict }} +{{ $genCfg := $newGenerated }} +{{ $pwConfigPathList := splitList "." $pwConfigPath }} +{{ range $pathElem := $pwConfigPathList }} + {{ $cfg = index $cfg $pathElem }} + {{ $newCfg := dict }} + {{ $_ := set $genCfg $pathElem $newCfg }} + {{ $genCfg = $newCfg }} +{{ end }} + +{{/* Make sure that `value` and `htpasswd` within $cfg are expanded (this should already be the + case but better safe than sorry). 
*/}} +{{ $pwExpandSpec := dict "value" true "htpasswd" true }} +{{ include "srox.expandAll" (list $ $cfg $pwExpandSpec $pwConfigPathList) }} + +{{ $result := dict }} +{{ if and $htpasswdUser (not (kindIs "invalid" $cfg._htpasswd)) }} + {{ $htpasswd := $cfg._htpasswd }} + {{ $_ := set $result "htpasswd" $htpasswd }} +{{ end }} +{{ if not $result.htpasswd }} + {{ $pw := dict.nil }} + {{ if kindIs "invalid" $cfg._value }} + {{ $generate := $cfg.generate }} + {{ if kindIs "invalid" $generate }} + {{ $generate = $.Release.IsInstall }} + {{ end }} + {{ if $generate }} + {{ $pw = randAlphaNum 32 }} + {{ $_ := set $genCfg "value" $pw }} + {{ end }} + {{ else }} + {{ $pw = $cfg._value }} + {{ end }} + {{ if not (kindIs "invalid" $pw) }} + {{ $_ := set $result "value" $pw }} + {{ end }} + {{ if and $htpasswdUser $pw }} + {{ $htpasswd := tpl "{{ htpasswd .user .pw }}" (dict "Template" $.Template "user" $htpasswdUser "pw" $pw) }} + {{ $_ := set $result "htpasswd" $htpasswd }} + {{ end }} +{{ else if $cfg.value }} + {{ include "srox.fail" (printf "Both a htpasswd and a value are specified for %s, this is illegal. Remove the `value` property, or ensure that `htpasswd` is null." $pwConfigPath) }} +{{ end }} +{{ $newCfgRoot := dict }} +{{ $newCfg := $newCfgRoot }} +{{ range $pathElem := initial $pwConfigPathList }} + {{ $nextCfg := dict }} + {{ $_ := set $newCfg $pathElem $nextCfg }} + {{ $newCfg = $nextCfg }} +{{ end }} +{{ $_ := set $newCfg (last $pwConfigPathList | printf "_%s") $result }} +{{ $_ = include "srox.mergeInto" (list $._rox $newCfgRoot) }} +{{ $_ = include "srox.mergeInto" (list $._rox._state.generated $newGenerated) }} +{{ end }} + + +{{/* + srox.computeSANs $ $out $svcName + + Compute the applicable SANs for a service with name $svcName, deployed in namespace + $.Release.Namespace (= $releaseNS). + Generally, SANs following the pattern "$svcName.$releaseNS[.svc[.cluster.local]]" will be + generated. 
If $releaseNS is not "stackrox", another set of SANs with the same pattern, + but assuming $releaseNS = "stackrox", will be generated in addition. + The result is stored as a list in $out.result. + */}} +{{ define "srox.computeSANs" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ $svcName := index . 2 }} +{{ $releaseNS := $.Release.Namespace }} +{{ $sans := list }} +{{ range $ns := list $releaseNS "stackrox" | uniq | sortAlpha }} + {{ $baseDNS := printf "%s.%s" $svcName $ns }} + {{ range $suffix := tuple "" ".svc" ".svc.cluster.local" }} + {{ $sans = printf "%s%s" $baseDNS $suffix | append $sans }} + {{ end }} +{{ end }} +{{ $_ := set $out "result" $sans }} +{{ end }} diff --git a/rhacs/3.0.59.0/central-services/templates/_dict.tpl b/rhacs/3.0.59.0/central-services/templates/_dict.tpl new file mode 100644 index 0000000..bf14a6d --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/_dict.tpl 
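Review bot: In srox.configureCrypto the `{{ if $certPEM }}` branch accepts a certificate without a private key and silently fills `Key` with `""` (`default "" $keyPEM`), so the documented rule that supplying only one of `cert`/`key` is an error is enforced only for the key-only case — the `else if or $certPEM $keyPEM` branch can only be reached when `$certPEM` is already empty. Changing the first condition to `{{ if and $certPEM $keyPEM }}` with `{{ $result = dict "Cert" $certPEM "Key" $keyPEM }}` routes a cert-only input into the failing branch instead of rendering a TLS secret with an empty key; if a cert-only input is intentionally allowed for some path, the header comment should say so rather than calling it an error. The keyOnly generation branch also writes `$genCfg.key` twice (once inside the branch, again after the `if $spec.ca` chain), so the inner `set` can be dropped. The validity periods (1825 days for the CA, 365 for leaf certs) match the comment but deserve a one-line note at the `genCA`/`genSignedCert` calls that generated leaf material is expected to be rotated within a year.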
@@ -0,0 +1,142 @@ +{{/* + srox.compactDict $target [$depth] + + Compacts a dict $target by removing entries with empty values. + By default, only the top-level dict $target itself is modified. If the optional $depth + parameter is specified and is non-zero, this determines the recursion depth over which the + compaction is applied to nested diocts as well. A $depth of -1 means to compact all nested + dicts, regardless of depth. + */}} +{{ define "srox.compactDict" }} +{{ $args := . }} +{{ if not (kindIs "slice" $args) }} + {{ $args = list $args 0 }} +{{ end }} +{{ $target := index $args 0 }} +{{ $depth := index $args 1 }} +{{ $zeroValKeys := list }} +{{ range $k, $v := $target }} + {{ if and (kindIs "map" $v) (ne $depth 0) }} + {{ include "srox.compactDict" (list $v (sub $depth 1)) }} + {{ end }} + {{ if not $v }} + {{ $zeroValKeys = append $zeroValKeys $k }} + {{ end }} +{{ end }} +{{ range $k := $zeroValKeys }} + {{ $_ := unset $target $k }} +{{ end }} +{{ end }} + +{{/* + srox.destructiveMergeOverwrite $out $dict1 $dict2... + + Recursively merges $dict1, $dict2 (in this order) into $out, similar to mergeOverwrite. + The eponymous difference is the fact that any explicit "null" entries in the source + dictionaries cause the respective entry to be deleted. + */}} +{{ define "srox.destructiveMergeOverwrite" }} +{{ $out := first . }} +{{ $toMergeList := rest . 
}} +{{ range $toMerge := $toMergeList }} + {{ range $k, $v := $toMerge }} + {{ if kindIs "invalid" $v }} + {{ $_ := unset $out $k }} + {{ else if kindIs "map" $v }} + {{ $outV := index $out $k }} + {{ if kindIs "invalid" $outV }} + {{ $_ := set $out $k (deepCopy $v) }} + {{ else if kindIs "map" $outV }} + {{ include "srox.destructiveMergeOverwrite" (list $outV $v) }} + {{ else }} + {{ fail (printf "when merging at key %s: incompatible kinds %s and %s" $k (kindOf $v) (kindOf $outV)) }} + {{ end }} + {{ else }} + {{ $_ := set $out $k $v }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox.stringifyDictValues $dict + + Recursively traverses $dict and converts every non-dict value to a string. + */}} +{{ define "srox.stringifyDictValues" }} +{{ $dict := . }} +{{ range $k, $v := $dict }} + {{ if kindIs "map" $v }} + {{ include "srox.stringifyDictValues" $v }} + {{ else }} + {{ $_ := set $dict $k (toString $v) }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox.safeDictLookup $dict $out $path + + Looks up $path in $dict, and stores the result (if any) in $out.result. + $path is a dot-separated list of nested field names. An empty $path causes + $dict to be stored in $out.result. + + Example: srox.safeDictLookup $dict $out "a.b.c" stores the value of $dict.a.b.c, if + it exists, in $out.result. Otherwise, it does nothing - in particular, it does + not fail, as accessing $dict.a.b.c unconditionally would if any of $dict, $dict.a, + or $dict.a.b was not a dict. + */}} +{{ define "srox.safeDictLookup" }} +{{ $dict := index . 0 }} +{{ $out := index . 1 }} +{{ $path := index . 2 }} +{{ $curr := $dict }} +{{ $pathList := splitList "." 
$path | compact }} +{{ range $pathElem := $pathList }} + {{ if kindIs "map" $curr }} + {{ $curr = index $curr $pathElem }} + {{ else if not (kindIs "invalid" $curr) }} + {{ $curr = dict.nil }} + {{ end }} +{{ end }} +{{ if not (kindIs "invalid" $curr) }} + {{ $_ := set $out "result" $curr }} +{{ end }} +{{ end }} + + + +{{/* + srox.mergeInto $tgt $src1..$srcN + + Recursively merges values from $src1, ..., $srcN into $tgt, giving preference to + values in $tgt. + + Unlike Sprig's merge, this does not overwrite falsy values when explicitly defined, + with the exception of `null` values (this also sets it apart from Sprig's mergeOverwrite). + + Whenever entire (nested) dicts are merged as-is from one of the sources into $tgt, a deep + copy of the respective nested dict is created. + + An empty string is always returned, hence this should be invoked in the form + $_ := include "srox.mergeInto" (list $tgt $src1 $src2) + */}} +{{ define "srox.mergeInto" }} +{{ $tgt := first . }} +{{ range $src := rest . }} + {{ range $k, $srcV := $src }} + {{ $tgtV := index $tgt $k }} + {{ if kindIs "map" $srcV }} + {{ if kindIs "invalid" $tgtV }} + {{ $_ := set $tgt $k (deepCopy $srcV) }} + {{ else if kindIs "map" $tgtV }} + {{ $_ := include "srox.mergeInto" (list $tgtV $srcV) }} + {{ else }} + {{ fail (printf "Incompatible kinds for key %s: %s vs %s" $k (kindOf $srcV) (kindOf $tgtV)) }} + {{ end }} + {{ else if and (not (kindIs "invalid" $srcV)) (kindIs "invalid" $tgtV) }} + {{ $_ := set $tgt $k $srcV }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} diff --git a/rhacs/3.0.59.0/central-services/templates/_expand.tpl b/rhacs/3.0.59.0/central-services/templates/_expand.tpl new file mode 100644 index 0000000..46d5bde --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/_expand.tpl 
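Review bot: srox.compactDict dereferences `index $args 1` unconditionally, so the documented optional form with a one-element list `(list $target)` fails with an index-out-of-range error; only a bare dict or a two-element list works. Replace the `$depth` line with `{{ $depth := 0 }}` followed by `{{ if gt (len $args) 1 }}{{ $depth = index $args 1 }}{{ end }}`. The docstring's "empty values" is also narrower than what the code does: `{{ if not $v }}` removes `false` and `0` as well, which matters when a caller compacts a dict carrying explicit boolean flags, so the comment should read `Removes entries whose value is falsy (nil, "", 0, false, empty list/dict).` Style: srox.destructiveMergeOverwrite and srox.mergeInto call Sprig's `fail` directly where the rest of the chart reports through `srox.fail`.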
@@ -0,0 +1,89 @@ +{{/* + srox.expandAll $ $target $expandable [$path] + + Expands values within $target that are flagged in $expandable, using $path + as the path from the configuration root to $target for error reporting purposes. + + If $target is nil, nothing happens. Otherwise, $target must be a dict. For every key + of $target that is also present in $expandable, the following action is performed: + - If the entry in $expandable is a dict, recursive invoke "srox.expandAll" on the + respective entries, with an adjusted $path. + - Otherwise, the entry in $expandable is assume to be of boolean value. If the value is + true, the corresponding entry's value in $target is expanded (see "srox._expandSingle" + below for a definition of expanding), and the result of the expansion is stored under + the key with a "_" prepended in $target. The original entry in $target is removed. This + ensures "srox.expandAll" is an idempotent operation). + */}} +{{ define "srox.expandAll" }} +{{ $args := . }} +{{ $ := index $args 0 }} +{{ $target := index $args 1 }} +{{ $expandable := index $args 2 }} +{{ $path := list }} +{{ if ge (len $args) 4 }} + {{ $path = index $args 3 }} + {{ if kindIs "string" $path }} + {{ $path = splitList "." $path | compact }} + {{ end }} +{{ end }} + +{{ if kindIs "map" $target }} + {{ range $k, $v := $expandable }} + {{ $childPath := append $path $k }} + {{ $targetV := index $target $k }} + {{ if kindIs "map" $v }} + {{ include "srox.expandAll" (list $ $targetV $v $childPath) }} + {{ else if $v }} + {{ if not (kindIs "invalid" $targetV) }} + {{ $expanded := include "srox._expandSingle" (list $ $targetV (join "." $childPath)) }} + {{ $_ := set $target (printf "_%s" $k) $expanded }} + {{ end }} + {{ $_ := unset $target $k }} + {{ end }} + {{ end }} +{{ else if not (kindIs "invalid" $target) }} + {{ include "srox.fail" (printf "Error expanding value at %s: expected map, got: %s" (join "." 
$path) (kindOf $target)) }} +{{ end }} +{{ end }} + +{{/* + srox.expand $ $spec + + Parses and expands a "specification string" in the following way: + - If $spec is a dictionary, return $spec rendered as a YAML. + - Otherwise, if $spec starts with a backslash character (`\`), return $spec minus the leading + backslash character. + - Otherwise, if $spec starts with an `@` character, strip off the first character and + treat the remainder of the string as a `|`-separated list of file names. Try to load + each referenced file, in order, via `stackrox.getFile`. The result is the first file + that could be successfully loaded. If no file could be loaded, expansion fails. + - Otherwise, return $spec as-is. + */}} +{{- define "srox._expandSingle" -}} + {{- $ := index . 0 -}} + {{- $spec := index . 1 -}} + {{- $context := index . 2 -}} + {{- $result := "" -}} + {{- if kindIs "string" $spec -}} + {{- if hasPrefix "\\" $spec -}} + {{- /* use \ as string-wide escape character */ -}} + {{- $result = trimPrefix "\\" $spec -}} + {{- else if hasPrefix "@" $spec -}} + {{- /* treat as file list (first found matches) */ -}} + {{- $fileList := regexSplit "\\s*\\|\\s*" ($spec | trimPrefix "@" | trim) -1 -}} + {{- $fileRes := dict -}} + {{- $_ := include "srox.loadFile" (list $ $fileRes $fileList) -}} + {{- if not $fileRes.found -}} + {{- include "srox.fail" (printf "Expanding %s: file reference %q: none of the referenced files were found" $context $spec) -}} + {{- end -}} + {{- $result = $fileRes.contents -}} + {{- else -}} + {{/* treat as raw string */}} + {{- $result = $spec -}} + {{- end -}} + {{- else if not (kindIs "invalid" $spec) -}} + {{- /* render non-string, non-nil values as YAML */ -}} + {{- $result = toYaml $spec -}} + {{- end -}} + {{- $result -}} +{{- end -}} diff --git a/rhacs/3.0.59.0/central-services/templates/_format.tpl b/rhacs/3.0.59.0/central-services/templates/_format.tpl new file mode 100644 index 0000000..745fe47 --- /dev/null 
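Review bot: The header comment above `srox._expandSingle` documents a template named `srox.expand` and a loader named `stackrox.getFile`, but the hunk defines `srox._expandSingle` and calls `srox.loadFile`; its first bullet also says dictionaries are rendered as YAML, whereas the `else if not (kindIs "invalid" $spec)` branch applies `toYaml` to every non-string, non-nil value (numbers, booleans, lists). Fix both names and reword the bullet to `If $spec is not a string (dict, list, number or bool), return $spec rendered as YAML.` Since any string value beginning with `@` is interpreted as a chart-file reference, the comment should also state plainly that a literal value starting with `@` must be written as `\@...` — the backslash escape is mentioned but not why a user would need it. In srox.expandAll the `unset $target $k` deliberately runs even when `$targetV` was nil, which is what makes the operation idempotent; a one-line comment there, `{{/* always drop the unexpanded key so re-running expandAll is a no-op */}}`, would save the next reader the inference.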
+++ b/rhacs/3.0.59.0/central-services/templates/_format.tpl
@@ -0,0 +1,14 @@
+{{/*
+ srox.formatStorageSize $value
+
+ Formats $value as a storage size. $value can be an integer or a string.
+ If no unit is specified (e.g., if $value is a string), a default unit of
+ Gigabytes ("Gi" suffix) is assumed.
+ */}}
+{{- define "srox.formatStorageSize" -}}
+{{- $val := toString . -}}
+{{- if regexMatch "^[0-9]+$" $val -}}
+ {{- $val = printf "%sGi" $val -}}
+{{- end -}}
+{{- default "0" $val -}}
+{{- end -}}
diff --git a/rhacs/3.0.59.0/central-services/templates/_helpers.tpl b/rhacs/3.0.59.0/central-services/templates/_helpers.tpl
new file mode 100644
index 0000000..e87f10f
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/templates/_helpers.tpl
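Review bot: `default "0" $val` in srox.formatStorageSize only catches an empty string, not a nil input: `toString .` runs first, and Sprig's toString renders nil through `%v` formatting as the literal `<nil>` (if I recall its implementation correctly), which would then land in the manifest as a storage size. Guard before stringifying: `{{- $val := "" -}}{{- if not (kindIs "invalid" .) -}}{{- $val = toString . -}}{{- end -}}`. Non-numeric strings such as `abc` are likewise passed through unchanged and only fail at apply time; a `regexMatch` against the Kubernetes quantity format followed by `srox.fail` would surface the misconfiguration during rendering, consistent with how the rest of the chart validates input.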
@@ -0,0 +1,68 @@ +{{/* + Misceallaneous helper templates. + */}} + + + + +{{/* + srox.loadFile $ $out $fileName-or-list + + This helper function reads a file. It differs from $.Files.Get in that it also takes + $._rox.meta.fileOverrides into account. Furthermore, it can receive a list of file names, + and will try these files in order. Finally, it indicates whether a file was found via the + $out.found property (as opposed to $.Files.Get, which cannot distinguish between a successful + read of an empty file, and this file not being found). + The file contents will be returned via $out.contents + */}} +{{ define "srox.loadFile" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ $fileNames := index . 2 }} +{{ if not (kindIs "slice" $fileNames) }} + {{ $fileNames = list $fileNames }} +{{ end }} +{{ $contents := index dict "" }} +{{ range $fileName := $fileNames }} + {{ if kindIs "invalid" $contents }} + {{ $contents = index $._rox.meta.fileOverrides $fileName }} + {{ end }} + {{ if kindIs "invalid" $contents }} + {{ range $path, $_ := $.Files.Glob $fileName }} + {{ if kindIs "invalid" $contents }} + {{ $contents = $.Files.Get $path }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ if not (kindIs "invalid" $contents) }} + {{ $_ := set $out "contents" $contents }} +{{ end }} +{{ $_ := set $out "found" (not (kindIs "invalid" $contents)) }} +{{ end }} + + +{{/* + srox.checkGenerated $ $cfgPath + + Checks if the value at configuration path $cfgPath (e.g., "central.adminPassword.value") was + generated. Evaluates to the string "true" if this is the case, and an empty string otherwise. + */}} +{{- define "srox.checkGenerated" -}} +{{- $ := index . 0 -}} +{{- $cfgPath := index . 1 -}} +{{- $genCfg := $._rox._state.generated -}} +{{- $exists := true -}} +{{- range $pathElem := splitList "." 
$cfgPath -}} + {{- if $exists -}} + {{- if hasKey $genCfg $pathElem -}} + {{- $genCfg = index $genCfg $pathElem -}} + {{- else -}} + {{- $exists = false -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $exists -}} +true +{{- end -}} +{{- end -}} diff --git a/rhacs/3.0.59.0/central-services/templates/_image-pull-secrets.tpl b/rhacs/3.0.59.0/central-services/templates/_image-pull-secrets.tpl new file mode 100644 index 0000000..217160d --- /dev/null +++ b/rhacs/3.0.59.0/central-services/templates/_image-pull-secrets.tpl 
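Review bot: srox.checkGenerated calls `hasKey $genCfg $pathElem` without confirming that `$genCfg` is still a map; once the walk reaches a generated scalar (for example a generated password string) and the caller's path has more elements, `hasKey` receives a string and the render errors out instead of evaluating to empty. Guard it with `{{- if and (kindIs "map" $genCfg) (hasKey $genCfg $pathElem) -}}`. In srox.loadFile, a single glob pattern matching several chart files silently takes the first match, which the `range` over `$.Files.Glob` visits in sorted-key order as far as I know, so the "tries these files in order" promise holds across list entries but not within one pattern — worth a sentence in the header comment. Also worth stating there that `$.Files.Glob` and `$.Files.Get` are scoped to the chart's own files, so an `@`-reference arriving from user-supplied values cannot read anything outside the packaged chart.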
@@ -0,0 +1,86 @@ +{{/* + srox.configureImagePullSecrets $ $cfgName $imagePullSecrets $secretResourceName $defaultSecretNames $namespace + + Configures image pull secrets. + + This function enriches $imagePullSecrets based on the exposed configuration parameters to contain + a list of Kubernetes secret names as `_names` to be used as image pull secrets within the chart + templates. This list contains the following secrets: + + - Secrets referenced via $imagePullSecrets.useExisting. + - Image pull secrets associated with the default service account (if + $imagePullSecrets.useFromDefaultServiceAccount is true). + - $secretResourceName, if $imagePullSecrets.username is set. + - $defaultSecretNames. */}} + +{{ define "srox.configureImagePullSecrets" }} +{{ $ := index . 0 }} +{{ $cfgName := index . 1 }} +{{ $imagePullSecrets := index . 2 }} +{{ $secretResourceName := index . 3 }} +{{ $defaultSecretNames := index . 4 }} +{{ $namespace := index . 5 }} + +{{ $imagePullSecretNames := default list $imagePullSecrets.useExisting }} +{{ if not (kindIs "slice" $imagePullSecretNames) }} + {{ $imagePullSecretNames = regexSplit "\\s*[,;]\\s*" (trim $imagePullSecretNames) -1 }} +{{ end }} +{{ if $imagePullSecrets.useFromDefaultServiceAccount }} + {{ $defaultSA := dict }} + {{ include "srox.safeLookup" (list $ $defaultSA "v1" "ServiceAccount" $namespace "default") }} + {{ if $defaultSA.result }} + {{ range $ips := default list $defaultSA.result.imagePullSecrets }} + {{ if $ips.name }} + {{ $imagePullSecretNames = append $imagePullSecretNames $ips.name }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ $imagePullCreds := dict }} +{{ if $imagePullSecrets._username }} + {{ $imagePullCreds = dict "username" $imagePullSecrets._username "password" $imagePullSecrets._password }} + {{ $imagePullSecretNames = append $imagePullSecretNames $secretResourceName }} +{{ else if $imagePullSecrets._password }} + {{ $msg := printf "Username missing in %q. 
Whenever an image pull password is specified, a username must be specified as well" $cfgName }} + {{ include "srox.fail" $msg }} +{{ end }} +{{ if and $.Release.IsInstall (not $imagePullSecretNames) (not $imagePullSecrets.allowNone) }} + {{ $msg := printf "You have not specified any image pull secrets, and no existing image pull secrets were automatically inferred. If your registry does not need image pull credentials, explicitly set the '%s.allowNone' option to 'true'" $cfgName }} + {{ include "srox.fail" $msg }} +{{ end }} + +{{ $imagePullSecretNames = concat (append $imagePullSecretNames $secretResourceName) $defaultSecretNames | uniq | sortAlpha }} +{{ $_ := set $imagePullSecrets "_names" $imagePullSecretNames }} +{{ $_ := set $imagePullSecrets "_creds" $imagePullCreds }} + +{{ end }} + +{{ define "srox.configureImagePullSecretsForDockerRegistry" }} +{{ $ := index . 0 }} +{{ $imagePullSecrets := index . 1 }} + +{{/* Setup Image Pull Secrets for Docker Registry. + Note: This must happen afterwards, as we rely on "srox.configureImage" to collect the + set of all referenced images first. */}} +{{ if $imagePullSecrets._username }} + {{ $dockerAuths := dict }} + {{ range $image := keys $._rox._state.referencedImages }} + {{ $registry := splitList "/" $image | first }} + {{ if eq $registry "docker.io" }} + {{/* Special case docker.io */}} + {{ $registry = "https://index.docker.io/v1/" }} + {{ else }} + {{ $registry = printf "https://%s" $registry }} + {{ end }} + {{ $_ := set $dockerAuths $registry dict }} + {{ end }} + {{ $authToken := printf "%s:%s" $imagePullSecrets._username $imagePullSecrets._password | b64enc }} + {{ range $regSettings := values $dockerAuths }} + {{ $_ := set $regSettings "auth" $authToken }} + {{ end }} + + {{ $_ := set $imagePullSecrets "_dockerAuths" $dockerAuths }} +{{ end }} + +{{ end }} + 
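Review bot: The final `concat (append $imagePullSecretNames $secretResourceName) $defaultSecretNames` appends `$secretResourceName` unconditionally, which makes the earlier `append` inside `{{ if $imagePullSecrets._username }}` redundant and presumably means every pod references that secret even when no credentials were given; if the secret resource is always rendered this is fine and should be commented as such, otherwise the unconditional append should be dropped. The string form of `useExisting` is split with `regexSplit "\\s*[,;]\\s*"` but never compacted, so `a,,b` or a trailing separator yields an empty secret name that survives `uniq`; append `| compact` to that line. The `allowNone` check runs before the unconditional append and therefore correctly reflects only user- or service-account-derived names — a one-line comment, `{{/* must precede the unconditional append of $secretResourceName below */}}`, would keep someone from reordering it. srox.configureImagePullSecretsForDockerRegistry documents its ordering dependency on srox.configureImage well; the same header should also note that `_dockerAuths` holds base64 of `user:password` and is therefore as sensitive as the input password wherever `$._rox` is dumped for debugging.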
diff --git a/rhacs/3.0.59.0/central-services/templates/_images.tpl b/rhacs/3.0.59.0/central-services/templates/_images.tpl
new file mode 100644
index 0000000..dced29d
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/templates/_images.tpl
@@ -0,0 +1,34 @@
+{{/*
+ srox.configureImage $ $imageCfg
+
+ Configures settings for a single image by augmenting/completing an existing image configuration
+ stanza.
+
+ If $imageCfg.fullRef is empty:
+ First, the image registry is determined by inspecting $imageCfg.registry and, if this is empty,
+ $._rox.image.registry, ultimately defaulting to `docker.io`. The full image ref is then
+ constructed from the registry, $imageCfg.name (must be non-empty), and $imageCfg.tag (may be
+ empty, in which case "latest" is assumed). The result is stored in $imageCfg.fullRef.
+
+ Afterwards (irrespective of the previous check), $imageCfg.fullRef is modified by prepending
+ "docker.io/" if and only if it did not contain a remote yet (i.e., the part before the first "/"
+ did not contain a dot (DNS name) or colon (port)).
+
+ Finally, the resulting $imageCfg.fullRef is stored as a dict entry with value `true` in the
+ $._rox._state.referencedImages dict.
+ */}}
+{{ define "srox.configureImage" }}
+{{ $ := index . 0 }}
+{{ $imageCfg := index . 1 }}
+{{ $imageRef := $imageCfg.fullRef }}
+{{ if not $imageRef }}
+ {{ $imageRef = printf "%s/%s:%s" (coalesce $imageCfg.registry $._rox.image.registry "docker.io") $imageCfg.name (default "latest" $imageCfg.tag) }}
+{{ end }}
+{{ $imageComponents := splitList "/" $imageRef }}
+{{ $firstComponent := index $imageComponents 0 }}
+{{ if or (lt (len $imageComponents) 2) (and (not (contains ":" $firstComponent)) (not (contains "." $firstComponent))) }}
+ {{ $imageRef = printf "docker.io/%s" $imageRef }}
+{{ end }}
+{{ $_ := set $imageCfg "fullRef" $imageRef }}
+{{ $_ = set $._rox._state.referencedImages $imageRef true }}
+{{ end }}
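Review bot: The registry heuristic in srox.configureImage (`contains ":"` / `contains "."` on the first path component) rewrites `localhost/foo:tag` to `docker.io/localhost/foo:tag`, because the Docker reference grammar treats a bare `localhost` as a registry host even without a port or dot; add `(ne $firstComponent "localhost")` to the `and` clause. The docstring says `$imageCfg.name` must be non-empty but nothing enforces it, so an empty name renders a reference like `docker.io/:latest` that only fails at pull time; an `{{ if not $imageCfg.name }}{{ include "srox.fail" "..." }}{{ end }}` before the `printf` catches it during rendering. From a supply-chain standpoint `default "latest"` is the mutable-tag case; the comment could state that pinning means setting `fullRef`, which passes through apart from the registry prefix and so can carry an `@sha256:` digest.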
diff --git a/rhacs/3.0.59.0/central-services/templates/_init.tpl b/rhacs/3.0.59.0/central-services/templates/_init.tpl
new file mode 100644
index 0000000..f1b446d
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/templates/_init.tpl
@@ -0,0 +1,282 @@
+{{/*
+ srox.init $
+
+ Initialization template for the internal data structures.
+ This template is designed to be included in every template file, but will only be executed
+ once by leveraging state sharing between templates.
+ */}}
+{{ define "srox.init" }}
+
+{{ $ := . }}
+
+{{/*
+ On first(!) instantiation, set up the $._rox structure, containing everything required by
+ the resource template files.
+ */}}
+{{ if not $._rox }}
+
+{{/*
+ Initial Setup
+ */}}
+
+{{/*
+ $rox / ._rox is the dictionary in which _all_ data that is modified by the init logic
+ is stored.
+ We ensure that it has the required shape, and then right after merging the user-specified
+ $.Values, we apply some bootstrap defaults.
+ */}}
+{{ $rox := deepCopy $.Values }}
+{{ $_ := set $ "_rox" $rox }}
+
+{{/* Global state (accessed from sub-templates) */}}
+{{ $generatedName := printf "stackrox-generated-%s" (randAlphaNum 6 | lower) }}
+{{ $state := dict "customCertGen" false "generated" dict "generatedName" $generatedName "notes" list "warnings" list "referencedImages" dict }}
+{{ $_ = set $._rox "_state" $state }}
+
+{{ $configShape := $.Files.Get "internal/config-shape.yaml" | fromYaml }}
+{{ $_ = include "srox.mergeInto" (list $rox $configShape (tpl ($.Files.Get "internal/bootstrap-defaults.yaml.tpl") . | fromYaml)) }}
+{{ $_ = set $._rox "_configShape" $configShape }}
+
+{{/*
+ General validation.
+ */}}
+{{ if ne $.Release.Namespace "stackrox" }}
+ {{ if $._rox.allowNonstandardNamespace }}
+ {{ include "srox.note" (list $ (printf "You have chosen to deploy to namespace '%s'." $.Release.Namespace)) }}
+ {{ else }}
+ {{ include "srox.fail" (printf "You have chosen to deploy to namespace '%s', not 'stackrox'. If this was accidental, please re-run helm with the '-n stackrox' option. Otherwise, if you need to deploy into this namespace, set the 'allowNonstandardNamespace' configuration value to true." $.Release.Namespace) }}
+ {{ end }}
+{{ end }}
+
+{{ if ne $.Release.Name $.Chart.Name }}
+ {{ if $._rox.allowNonstandardReleaseName }}
+ {{ include "srox.warn" (list $ (printf "You have chosen a release name of '%s', not '%s'. Accompanying scripts and commands in documentation might require adjustments." $.Release.Name $.Chart.Name)) }}
+ {{ else }}
+ {{ include "srox.fail" (printf "You have chosen a release name of '%s', not '%s'. We strongly recommend using the standard release name. If you must use a different name, set the 'allowNonstandardReleaseName' configuration option to true." $.Release.Name $.Chart.Name) }}
+ {{ end }}
+{{ end }}
+
+{{/*
+ Set prefix for global resources.
+ */}}
+{{ if kindIs "invalid" $._rox.globalPrefix }}
+ {{ if eq $.Release.Namespace "stackrox" }}
+ {{ $_ := set $._rox "globalPrefix" "stackrox" }}
+ {{ else }}
+ {{ $_ := set $._rox "globalPrefix" (printf "stackrox-%s" (trimPrefix "stackrox-" $.Release.Namespace)) }}
+ {{ end }}
+{{ end }}
+
+{{ if ne $._rox.globalPrefix "stackrox" }}
+ {{ include "srox.note" (list $ (printf "Global Kubernetes resources are prefixed with '%s'." $._rox.globalPrefix)) }}
+{{ end }}
+
+{{/*
+ API Server setup. The problem with `.Capabilities.APIVersions` is that Helm does not
+ allow setting overrides for those when using `helm template` or `--dry-run`. Thus,
+ if we rely on `.Capabilities.APIVersions` directly, we lose flexibility for our chart
+ in these settings. Therefore, we use custom fields such that a user in principle has
+ the option to inject via `--set`/`-f` everything we rely upon.
+ */}}
+{{ $apiResources := list }}
+{{ if not (kindIs "invalid" $._rox.meta.apiServer.overrideAPIResources) }}
+ {{ $apiResources = $._rox.meta.apiServer.overrideAPIResources }}
+{{ else }}
+ {{ range $apiResource := $.Capabilities.APIVersions }}
+ {{ $apiResources = append $apiResources $apiResource }}
+ {{ end }}
+{{ end }}
+{{ if $._rox.meta.apiServer.extraAPIResources }}
+ {{ $apiResources = concat $apiResources $._rox.meta.apiServer.extraAPIResources }}
+{{ end }}
+{{ $apiServerVersion := coalesce $._rox.meta.apiServer.version $.Capabilities.KubeVersion.Version }}
+{{ $apiServer := dict "apiResources" $apiResources "version" $apiServerVersion }}
+{{ $_ = set $._rox "_apiServer" $apiServer }}
+
+{{/*
+ Environment setup - part 1
+ */}}
+{{ $env := $._rox.env }}
+
+{{/* Infer OpenShift, if needed */}}
+{{ if kindIs "invalid" $env.openshift }}
+ {{ $_ := set $env "openshift" (has "apps.openshift.io/v1" $._rox._apiServer.apiResources) }}
+{{ end }}
+
+{{/* Infer openshift version */}}
+{{ if and $env.openshift (kindIs "bool" $env.openshift) }}
+ {{/* Parse and add KubeVersion as semver from built-in resources. This is necessary to compare valid integer numbers. */}}
+ {{ $kubeVersion := semver .Capabilities.KubeVersion.Version }}
+
+ {{/* Default to OpenShift 3 if no openshift resources are available, i.e. in helm template commands */}}
+ {{ if not (has "apps.openshift.io/v1" $._rox._apiServer.apiResources) }}
+ {{ $_ := set $._rox.env "openshift" 3 }}
+ {{ else if gt $kubeVersion.Minor 11 }}
+ {{ $_ := set $env "openshift" 4 }}
+ {{ else }}
+ {{ $_ := set $env "openshift" 3 }}
+ {{ end }}
+ {{ include "srox.note" (list $ (printf "Based on API server properties, we have inferred that you are deploying into an OpenShift %d.x cluster. Set the `env.openshift` property explicitly to 3 or 4 to override the auto-sensed value." $env.openshift)) }}
+{{ end }}
+{{ if not (kindIs "bool" $env.openshift) }}
+ {{ $_ := set $env "openshift" (int $env.openshift) }}
+{{ else if not $env.openshift }}
+ {{ $_ := set $env "openshift" 0 }}
+{{ end }}
+
+{{/* Infer GKE, if needed */}}
+{{ if kindIs "invalid" $env.platform }}
+ {{ $platform := "default" }}
+ {{ if contains "-gke." $._rox._apiServer.version }}
+ {{ include "srox.note" (list $ "Based on API server properties, we have inferred that you are deploying into a GKE cluster. Set the `env.platform` property to a concrete value to override the auto-sensed value.") }}
+ {{ $platform = "gke" }}
+ {{ end }}
+ {{ $_ := set $env "platform" $platform }}
+{{ end }}
+
+{{/* Apply defaults */}}
+{{ $defaultsCfg := dict }}
+{{ $platformCfgFile := dict }}
+{{ include "srox.loadFile" (list $ $platformCfgFile (printf "internal/platforms/%s.yaml" $env.platform)) }}
+{{ if not $platformCfgFile.found }}
+ {{ include "srox.fail" (printf "Invalid platform %q. Please select a valid platform, or leave this field unset." $env.platform) }}
+{{ end }}
+{{ $_ = include "srox.mergeInto" (list $defaultsCfg (fromYaml $platformCfgFile.contents) ($.Files.Get "internal/defaults.yaml" | fromYaml)) }}
+{{ $_ = set $rox "_defaults" $defaultsCfg }}
+{{ $_ = include "srox.mergeInto" (list $rox $defaultsCfg.defaults) }}
+
+
+{{/* Expand applicable config values */}}
+{{ $expandables := $.Files.Get "internal/expandables.yaml" | fromYaml }}
+{{ include "srox.expandAll" (list $ $rox $expandables) }}
+
+{{/* Initial image pull secret setup.
+
+ Always assume that there are `stackrox` and `stackrox-scanner` image pull secrets,
+ even if they weren't specified.
+ This is required for updates anyway, so referencing it on first install will minimize a later
+ diff.
+ */}}
+{{ include "srox.configureImagePullSecrets" (list $ "imagePullSecrets" $._rox.imagePullSecrets "stackrox" (list "stackrox" "stackrox-scanner") $.Release.Namespace) }}
+
+{{/* Global CA setup */}}
+{{ $caCertSpec := dict "CN" "StackRox Certificate Authority" "ca" true }}
+{{ include "srox.configureCrypto" (list $ "ca" $caCertSpec) }}
+
+{{/* Additional CAs. */}}
+{{ $additionalCAList := list }}
+{{ if kindIs "string" $._rox.additionalCAs }}
+ {{ if trim $._rox.additionalCAs }}
+ {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $._rox.additionalCAs) }}
+ {{ end }}
+{{ else if kindIs "slice" $._rox.additionalCAs }}
+ {{ range $contents := $._rox.additionalCAs }}
+ {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $contents) }}
+ {{ end }}
+{{ else if kindIs "map" $._rox.additionalCAs }}
+ {{ range $name := keys $._rox.additionalCAs | sortAlpha }}
+ {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (get $._rox.additionalCAs $name)) }}
+ {{ end }}
+{{ else if not (kindIs "invalid" $._rox.additionalCAs) }}
+ {{ include "srox.fail" (printf "Invalid kind %s for additionalCAs" (kindOf $._rox.additionalCAs)) }}
+{{ end }}
+{{ range $path, $contents := .Files.Glob "secrets/additional-cas/**" }}
+ {{ $name := trimPrefix "secrets/additional-cas/" $path }}
+ {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (toString $contents)) }}
+{{ end }}
+{{ $additionalCAs := dict }}
+{{ range $idx, $elem := $additionalCAList }}
+ {{ if not (kindIs "string" $elem.contents) }}
+ {{ include "srox.fail" (printf "Invalid non-string contents kind %s at index %d (%q) of additionalCAs" (kindOf $elem.contents) $idx $elem.name) }}
+ {{ end }}
+ {{/* In a k8s secret, no characters other than alphanumeric, '.', '_' and '-' are allowed. Also, for the
+ update-ca-certificates script to work, the file names must end in '.crt'.
+ */}}
+
+ {{ $normalizedName := printf "%02d-%s.crt" $idx (regexReplaceAll "[^[:alnum:]._-]" $elem.name "-" | trimSuffix ".crt") }}
+ {{ $_ := set $additionalCAs $normalizedName $elem.contents }}
+{{ end }}
+{{ $_ = set $._rox "_additionalCAs" $additionalCAs }}
+
+{{/* Proxy configuration.
+ Note: The reason this is different is that unlike the endpoints config, the proxy configuration
+ might contain sensitive data and thus might _not_ be stored in the always available canonical
+ values file. However, this is probably rare. Therefore, for this particular instance we do decide
+ to rely on lookup magic for initially populating the secret with a default proxy config.
+ However, we won't take any chances, and therefore only create that secret if we can be reasonably
+ confident that lookup actually works, by trying to lookup the default service account.
+ */}}
+{{ $proxyCfg := $env._proxyConfig }}
+{{ $fileOut := dict }}
+{{ include "srox.loadFile" (list $ $fileOut "config/proxy-config.yaml") }}
+{{ if $fileOut.found }}
+ {{ if not (kindIs "invalid" $proxyCfg) }}
+ {{ include "srox.fail" "Both env.proxyConfig was specified, and a config/proxy-config.yaml was found. Please remove/rename the config file, or comment out the env.proxyConfig stanza." }}
+ {{ end }}
+ {{ $proxyCfg = $fileOut.contents }}
+{{ end }}
+
+{{/* On first install, create a default proxy config, but only if we can be sure none exists. */}}
+{{ if and (kindIs "invalid" $proxyCfg) $.Release.IsInstall }}
+ {{ $lookupOut := dict }}
+ {{ include "srox.safeLookup" (list $ $lookupOut "v1" "Secret" $.Release.Namespace "proxy-config") }}
+ {{ if and $lookupOut.reliable (not $lookupOut.result) }}
+ {{ $fileOut := dict }}
+ {{ include "srox.loadFile" (list $ $fileOut "config/proxy-config.yaml.default") }}
+ {{ $proxyCfg = $fileOut.contents }}
+ {{ end }}
+{{ end }}
+{{ $_ = set $env "_proxyConfig" $proxyCfg }}
+
+{{/*
+ Central setup.
+ */}}
+
+
+{{ include "srox.centralSetup" $ }}
+
+
+{{/*
+ Scanner setup.
+ */}}
+
+{{ $scannerCfg := $._rox.scanner }}
+
+{{ if and $scannerCfg.disable (or $.Release.IsInstall $.Release.IsUpgrade) }}
+ {{/* We generally don't recommend customers run without scanner, so show a warning to the user */}}
+ {{ $action := ternary "deploy StackRox Central Services without Scanner" "upgrade StackRox Central Services without Scanner (possibly removing an existing Scanner deployment)" $.Release.IsInstall }}
+ {{ include "srox.warn" (list $ (printf "You have chosen to %s. Certain features dependent on image scanning might not work." $action)) }}
+{{ else if not $scannerCfg.disable }}
+ {{ include "srox.configureImage" (list $ $scannerCfg.image) }}
+ {{ include "srox.configureImage" (list $ $scannerCfg.dbImage) }}
+
+ {{ $scannerCertSpec := dict "CN" "SCANNER_SERVICE: Scanner" "dnsBase" "scanner" }}
+ {{ include "srox.configureCrypto" (list $ "scanner.serviceTLS" $scannerCertSpec) }}
+
+ {{ $scannerDBCertSpec := dict "CN" "SCANNER_DB_SERVICE: Scanner DB" "dnsBase" "scanner-db" }}
+ {{ include "srox.configureCrypto" (list $ "scanner.dbServiceTLS" $scannerDBCertSpec) }}
+
+ {{ include "srox.configurePassword" (list $ "scanner.dbPassword") }}
+{{ end }}
+
+
+{{/*
+ Post-processing steps.
+ */}}
+
+
+{{/* Compact the post-processing config to prevent it from appearing non-empty if it doesn't
+ contain any concrete (leaf) values. */}}
+{{ include "srox.compactDict" (list $._rox._state.generated -1) }}
+
+{{/* Setup Image Pull Secrets for Docker Registry.
+ Note: This must happen afterwards, as we rely on "srox.configureImage" to collect the
+ set of all referenced images first. */}}
+{{ include "srox.configureImagePullSecretsForDockerRegistry" (list $ ._rox.imagePullSecrets) }}
+
+{{/* Final warnings based on state. */}}
+{{ if $._rox._state.customCertGen }}
+ {{ include "srox.warn" (list $ "At least one certificate was generated by Helm. Helm limits the generation of custom certificates to RSA private keys, which have poorer computational performance. Consider using roxctl for certificate generation of certificates with ECDSA private keys for improved performance. (THIS IS NOT A SECURITY ISSUE)") }}
+{{ end }}
+
+{{ end }}
+
+{{ end }}
diff --git a/rhacs/3.0.59.0/central-services/templates/_lookup.tpl b/rhacs/3.0.59.0/central-services/templates/_lookup.tpl
new file mode 100644
index 0000000..2dc0aa9
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/templates/_lookup.tpl
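Review bot: The OpenShift 3/4 inference calls `semver .Capabilities.KubeVersion.Version` directly, although the `_apiServer` dict assembled a few lines earlier already applies the `meta.apiServer.version` override and the GKE check consumes exactly that (`contains "-gke." $._rox._apiServer.version`); with `helm template` plus an override, OpenShift detection would therefore still use the built-in version. Use `{{ $kubeVersion := semver $._rox._apiServer.version }}` so both inferences see the same value, which is also what the "API Server setup" comment promises. As a point of style, the hunk mixes `$._rox` with `._rox` in the `srox.configureImagePullSecretsForDockerRegistry` call and `$env` with `$._rox.env` inside the inference block; they alias the same map here, but one spelling would make that obvious to the next reader.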
@@ -0,0 +1,40 @@
+{{/*
+ srox.safeLookup $ $out $apiVersion $kind $ns $name
+
+ This function does nothing if $.meta.useLookup is false; otherwise, it will
+ perform a `lookup $apiVersion $kind $ns $name` operation and store the result in
+ $out.result.
+
+ Additionally, if a lookup was attempted, $out.reliable will contain a bool indicating
+ whether the result of lookup can be relied upon. This is determined to be the case if
+ the default service account in the release namespace can be found.
+ */}}
+{{ define "srox.safeLookup" }}
+{{ $ := index . 0 }}
+{{ $out := index . 1 }}
+{{ if $._rox.meta.useLookup }}
+ {{ if kindIs "invalid" $._rox._state.lookupWorks }}
+ {{ $testOut := dict }}
+ {{ include "srox._doLookup" (list $ $testOut "v1" "ServiceAccount" $.Release.Namespace "default") }}
+ {{ $_ := set $._rox._state "lookupWorks" ($testOut.result | not | not) }}
+ {{ end }}
+ {{ include "srox._doLookup" . }}
+ {{ $_ := set $out "reliable" $._rox._state.lookupWorks }}
+{{ end }}
+{{ end }}
+
+
+{{/*
+ srox._doLookup $ $out $apiVersion $kind $ns $name
+
+ Calls "lookup" with arguments $apiVersion $kind $ns $name, and stores the result
+ in $out.result.
+
+ This function exists to prevent a parse error if the lookup function isn't defined. It does
+ so by deferring the execution of lookup to a template string instantiated via `tpl`.
+ */}}
+{{ define "srox._doLookup" }}
+{{ $ := index . 0 }}
+{{ $tplArgs := dict "Template" $.Template "out" (index . 1) "apiVersion" (index . 2) "kind" (index . 3) "ns" (index . 4) "name" (index . 5) }}
+{{ $_ := tpl "{{ $_ := set .out \"result\" (lookup .apiVersion .kind .ns .name) }}" $tplArgs }}
+{{ end }}
diff --git a/rhacs/3.0.59.0/central-services/templates/_metadata.tpl b/rhacs/3.0.59.0/central-services/templates/_metadata.tpl
new file mode 100644
index 0000000..0a66ae1
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/templates/_metadata.tpl
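Review bot: The header comment of `srox.safeLookup` says the template is a no-op when `$.meta.useLookup` is false, but the code consults `$._rox.meta.useLookup`; the comment should name the path actually read. In that disabled case neither `$out.result` nor `$out.reliable` is written, so callers such as the proxy-config setup see a missing key rather than the bool the comment promises; adding `{{ else }}{{ $_ := set $out "reliable" false }}` before the closing `{{ end }}` of the `if` makes the contract explicit. The `lookupWorks` probe is also cached from a single ServiceAccount read, so a later Secret lookup that is denied while ServiceAccount reads succeed may still be reported as reliable depending on how `lookup` surfaces a forbidden read; a short comment on the `set $._rox._state "lookupWorks"` line stating that assumption would help whoever relies on `reliable` for the "create only if absent" decision.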
@@ -0,0 +1,200 @@
+{{/*
+ srox.labels $ $objType $objName
+
+ Format labels for $objType/$objName as YAML.
+ */}}
+{{- define "srox.labels" -}}
+{{- $labels := dict -}}
+{{- $_ := include "srox._labels" (append (prepend . $labels) false) -}}
+{{- toYaml $labels -}}
+{{- end -}}
+
+{{/*
+ srox.podLabels $ $objType $objName
+
+ Format pod labels for $objType/$objName as YAML.
+ */}}
+{{- define "srox.podLabels" -}}
+{{- $labels := dict -}}
+{{- $_ := include "srox._labels" (append (prepend . $labels) true) -}}
+{{- toYaml $labels -}}
+{{- end -}}
+
+{{/*
+ srox.annotations $ $objType $objName
+
+ Format annotations for $objType/$objName as YAML.
+ */}}
+{{- define "srox.annotations" -}}
+{{- $annotations := dict -}}
+{{- $_ := include "srox._annotations" (append (prepend . $annotations) false) -}}
+{{- toYaml $annotations -}}
+{{- end -}}
+
+{{/*
+ srox.podAnnotations $ $objType $objName
+
+ Format pod annotations for $objType/$objName as YAML.
+ */}}
+{{- define "srox.podAnnotations" -}}
+{{- $annotations := dict -}}
+{{- $_ := include "srox._annotations" (append (prepend . $annotations) true) -}}
+{{- toYaml $annotations -}}
+{{- end -}}
+
+{{/*
+ srox.envVars $ $objType $objName $containerName
+
+ Format environment variables for container $containerName in
+ $objType/$objName as YAML.
+ */}}
+{{- define "srox.envVars" -}}
+{{- $envVars := dict -}}
+{{- $_ := include "srox._envVars" (prepend . $envVars) -}}
+{{- range $k, $v := $envVars -}}
+- name: {{ quote $k }}
+ value: {{ quote $v }}
+{{ end -}}
+{{- end -}}
+
+{{/*
+ srox._labels $labels $ $objType $objName $forPod
+
+ Writes all applicable [pod] labels (including default labels) for $objType/$objName
+ into $labels. Pod labels are written iff $forPod is true.
+
+ This template receives the $ parameter as its second (not its first, as usual) parameter
+ such that it can be used easier in "srox.labels".
+ */}}
+{{ define "srox._labels" }}
+{{ $labels := index . 0 }}
+{{ $ := index . 1 }}
+{{ $objType := index . 2 }}
+{{ $objName := index . 3 }}
+{{ $forPod := index . 4 }}
+{{ $_ := set $labels "app.kubernetes.io/name" "stackrox" }}
+{{ $_ = set $labels "app.kubernetes.io/managed-by" $.Release.Service }}
+{{ $_ = set $labels "helm.sh/chart" (printf "%s-%s" $.Chart.Name ($.Chart.Version | replace "+" "_")) }}
+{{ $_ = set $labels "app.kubernetes.io/instance" $.Release.Name }}
+{{ $_ = set $labels "app.kubernetes.io/version" $.Chart.AppVersion }}
+{{ $_ = set $labels "app.kubernetes.io/part-of" "stackrox-central-services" }}
+{{ $component := regexReplaceAll "^.*/\\d{2}-([a-z]+)-\\d{2}-[^/]+\\.yaml" $.Template.Name "${1}" }}
+{{ if not (contains "/" $component) }}
+ {{ $_ = set $labels "app.kubernetes.io/component" $component }}
+{{ end }}
+{{ $metadataNames := list "labels" }}
+{{ if $forPod }}
+ {{ $metadataNames = append $metadataNames "podLabels" }}
+{{ end }}
+{{ include "srox._customizeMetadata" (list $ $labels $objType $objName $metadataNames) }}
+{{ end }}
+
+{{/*
+ srox._annotations $annotations $ $objType $objName $forPod
+
+ Writes all applicable [pod] annotations (including default annotations) for
+ $objType/$objName into $annotations. Pod labels are written iff $forPod is true.
+
+ This template receives the $ parameter as its second (not its first, as usual) parameter
+ such that it can be used easier in "srox.annotations".
+ */}}
+{{ define "srox._annotations" }}
+{{ $annotations := index . 0 }}
+{{ $ := index . 1 }}
+{{ $objType := index . 2 }}
+{{ $objName := index . 3 }}
+{{ $forPod := index . 4 }}
+{{ $_ := set $annotations "meta.helm.sh/release-namespace" $.Release.Namespace }}
+{{ $_ = set $annotations "meta.helm.sh/release-name" $.Release.Name }}
+{{ $_ = set $annotations "owner" "stackrox" }}
+{{ $_ = set $annotations "email" "support@stackrox.com" }}
+{{ $metadataNames := list "annotations" }}
+{{ if $forPod }}
+ {{ $metadataNames = append $metadataNames "podAnnotations" }}
+{{ end }}
+{{ include "srox._customizeMetadata" (list $ $annotations $objType $objName $metadataNames) }}
+{{ end }}
+
+{{/*
+ srox._envVars $envVars $ $objType $objName $containerName
+
+ Writes all applicable [pod] labels (including default labels) for $objType/$objName
+ into $labels. Pod labels are written iff $forPod is true.
+
+ This template receives the $ parameter as its second (not its first, as usual) parameter
+ such that it can be used easier in "srox.labels".
+ */}}
+{{ define "srox._envVars" }}
+{{ $envVars := index . 0 }}
+{{ $ := index . 1 }}
+{{ $objType := index . 2 }}
+{{ $objName := index . 3 }}
+{{ $containerName := index . 4 }}
+{{ $metadataNames := list "envVars" }}
+{{ include "srox._customizeMetadata" (list $ $envVars $objType $objName $metadataNames) }}
+{{ if $containerName }}
+ {{ $containerKey := printf "/%s" $containerName }}
+ {{ $envVarsForContainer := index $envVars $containerKey }}
+ {{ if $envVarsForContainer }}
+ {{ include "srox.destructiveMergeOverwrite" (list $envVars $envVarsForContainer) }}
+ {{ end }}
+{{ end }}
+
+{{/* Remove all entries starting with / */}}
+{{ range $key, $_ := $envVars }}
+ {{ if hasPrefix "/" $key }}
+ {{ $_ := unset $envVars $key }}
+ {{ end }}
+{{ end }}
+{{ end }}
+
+{{/*
+ srox._customizeMetadata $ $metadata $objType $objName $metadataNames
+
+ Writes custom key/value metadata to $metadata by consulting all sub-dicts with names in
+ $metadataNames under the applicable custom metadata locations (._rox.customize,
+ ._rox.customize.other.$objType/*, ._rox.customize.other.$objType/$objName, and
+ ._rox.customizer.$objName [workloads only]). Dictionaries are consulted in this order, with
+ values from dictionaries consulted later overwriting values from dictionaries consulted
+ earlier.
+ */}}
+{{ define "srox._customizeMetadata" }}
+{{ $ := index . 0 }}
+{{ $metadata := index . 1 }}
+{{ $objType := index . 2 }}
+{{ $objName := index . 3 }}
+{{ $metadataNames := index . 4 }}
+
+{{ $overrideDictPaths := list "" (printf "other.%s/*" $objType) (printf "other.%s/%s" $objType $objName) }}
+{{ if eq $objType "deployment" }}
+ {{ $overrideDictPaths = append $overrideDictPaths $objName }}
+{{ end }}
+
+{{ range $dictPath := $overrideDictPaths }}
+ {{ $customizeDict := $._rox.customize }}
+ {{ if $dictPath }}
+ {{ $resolvedOut := dict }}
+ {{ include "srox.safeDictLookup" (list $._rox.customize $resolvedOut $dictPath) }}
+ {{ $customizeDict = $resolvedOut.result }}
+ {{ end }}
+ {{ if $customizeDict }}
+ {{ range $metadataName := $metadataNames }}
+ {{ $customMetadata := index $customizeDict $metadataName }}
+ {{ include "srox.destructiveMergeOverwrite" (list $metadata $customMetadata) }}
+ {{ end }}
+ {{ end }}
+{{ end }}
+{{ end }}
+
+{{/* Add namespace specific prefixes for global resources to avoid resource name clashes for multi-namespace deployments. */}}
+{{- define "srox.globalResourceName" -}}
+{{- $ := index . 0 -}}
+{{- $name := index . 1 -}}
+{{- if eq $.Release.Namespace "stackrox" -}}
+ {{- /* Standard namespace, use resource name as is. */ -}}
+ {{- $name -}}
+{{- else -}}
+ {{- /* Add global prefix to resource name. */ -}}
+ {{- printf "%s-%s" $._rox.globalPrefix (trimPrefix "stackrox-" $name) -}}
+{{- end -}}
+{{- end -}}
diff --git a/rhacs/3.0.59.0/central-services/templates/_reporting.tpl b/rhacs/3.0.59.0/central-services/templates/_reporting.tpl
new file mode 100644
index 0000000..621e284
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/templates/_reporting.tpl
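Review bot: `srox.globalResourceName` branches on `eq $.Release.Namespace "stackrox"`, while `_init.tpl` in the hunk above lets `globalPrefix` be set explicitly and reports it via `srox.note` whenever it differs from `stackrox`; a user who sets a custom prefix in the `stackrox` namespace is told that global resources are prefixed, yet this template returns `$name` unchanged. Unless ignoring the override there is intended, branch on the prefix instead: `{{- if eq $._rox.globalPrefix "stackrox" -}}`. The header comment of `srox._envVars` is a copy of the `srox._labels` one (it talks about `$labels` and `$forPod`, neither of which this template takes); it should say that customized env vars for `$objType/$objName` are written into `$envVars`, that the `/$containerName` sub-dict is merged on top, and that all `/`-prefixed keys are removed afterwards. The `srox._annotations` comment likewise reads "Pod labels are written iff $forPod is true" where it means pod annotations.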
@@ -0,0 +1,34 @@
+{{/*
+ srox.fail $message
+
+ Print a nicely-formatted fatal error message and exit.
+ */}}
+{{ define "srox.fail" }}
+{{ printf "\n\nFATAL ERROR:\n%s" . | wrap 100 | fail }}
+{{ end }}
+
+{{/*
+ srox.warn $ $message
+
+ Add $message to the list of encountered warnings.
+ */}}
+{{ define "srox.warn" }}
+{{ $ := index . 0 }}
+{{ $msg := index . 1 }}
+{{ $warnings := $._rox._state.warnings }}
+{{ $warnings = append $warnings $msg }}
+{{ $_ := set $._rox._state "warnings" $warnings }}
+{{ end }}
+
+{{/*
+ srox.note $ $message
+
+ Add $message to the list notes that will be shown to the user after installation/upgrade.
+ */}}
+{{ define "srox.note" }}
+{{ $ := index . 0 }}
+{{ $msg := index . 1 }}
+{{ $notes := $._rox._state.notes }}
+{{ $notes = append $notes $msg }}
+{{ $_ := set $._rox._state "notes" $notes }}
+{{ end }}
diff --git a/rhacs/3.0.59.0/central-services/values-private.yaml.example b/rhacs/3.0.59.0/central-services/values-private.yaml.example
new file mode 100644
index 0000000..b5be309
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/values-private.yaml.example
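Review bot: `srox.fail` takes a bare message while its siblings `srox.warn` and `srox.note` take `(list $ $message)`; the headers document each signature, but the asymmetry is easy to get wrong at call sites, so the `srox.fail` header should state why it differs, e.g. `Takes only the message (no $) because it never touches $._rox._state.` Both list-appending templates also write the new slice back with `set`, which is required because `append` returns a copy; a one-line comment on the `set $._rox._state` lines saying so would keep a later refactor from dropping them.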
@@ -0,0 +1,157 @@
+# StackRox Kubernetes Security Platform - Central Services Chart
+# PRIVATE configuration file.
+#
+# This file contains sensitive values relevant for the deployment of the
+# StackRox Kubernetes Platform Central Services components.
+#
+# Apart from image pull secrets (see below), all the values in this file are
+# optional or can be automatically generated at deployment time.
+# Moreover, this file does not need to be provided (e.g., via `-f`) to a `helm upgrade`
+# command, even if custom values are used - the previously set values
+# will simply be preserved.
+#
+# The following values typically require user input, as they cannot be automatically generated
+# (though each of them can be omitted):
+# - `imagePullSecrets.username` and `imagePullSecrets.password`
+# - `env.proxyConfig`
+# - `central.defaultTLS`
+#
+# If you do choose to use this file (either by manually filling in values, or by
+# generating it via the `roxctl central generate` command family), you must store
+# it in a safe and secure place, such as a secrets management system.
+#
+
+# # BEGIN CONFIGURATION VALUES SECTION
+
+# # Image pull credentials. If you do not specify these, you need to specify one of
+# # the following:
+# # - `imagePullSecrets.allowNone=true`: in case your registry allows pulling images without
+# # credentials.
+# # - `imagePullSecrets.useExisting="secret1;secret2;..."`: in case you have pre-existing image
+# # pull secrets with the given name already created in the target namespace.
+# # - `imagePullSecrets.useFromDefaultServiceAccount=true`: in case the default service account
+# # in the target namespace is configured with sufficiently scoped image pull secrets.
+# # If you do not know if any of the above applies to your situation, your best course of
+# # action is probably to enter your image pull credentials here.
+# imagePullSecrets:
+# username:
+# password:
+#
+# # Proxy configuration. This will only be required if you are running in an environment
+# # where internet access is not possible by default.
+# # Since this configuration may contain a proxy password, it is treated as a sensitive
+# # piece of configuration.
+# # The following example is a stripped-down one. For a full documentation, see the file
+# # `config/proxy-config.yaml.default` that is shipped with this chart.
+# env:
+# proxyConfig: |
+# url: http://proxy.name:port
+# username: username
+# password: password
+# excludes:
+# - some.domain
+#
+#
+# # TLS Certificate Configuration.
+# # Most of the following values are not typically required to be populated manually. You can
+# # either omit them, in which case they will be auto-generated upon initial installation,
+# # or they are populated when you invoke `roxctl central generate` to generate deployment
+# # files.
+#
+# # Certificate Authority (CA) certificate for TLS certificates used internally
+# # by StackRox services.
+# ca:
+# cert: |
+# -----BEGIN CERTIFICATE-----
+#
+# -----END CERTIFICATE-----
+# key: |
+# -----BEGIN RSA PRIVATE KEY-----
+#
+# -----END RSA PRIVATE KEY-----
+#
+# # Secret configuration options for the StackRox Central deployment.
+# central:
+# # Private key to use for signing JSON web tokens (JWTs), which are used
+# # for authentication. Omit to auto-generate (initial deployment) or use existing
+# # (upgrade).
+# jwtSigner:
+# key: |
+# -----BEGIN RSA PRIVATE KEY-----
+#
+# -----END RSA PRIVATE KEY-----
+# # Internal "central.stackrox" service TLS certificate for the Central deployment.
+# # Omit to auto-generate (initial deployment) or use existing (upgrade).
+# serviceTLS:
+# cert: |
+# -----BEGIN CERTIFICATE-----
+#
+# -----END CERTIFICATE-----
+# key: |
+# -----BEGIN RSA PRIVATE KEY-----
+#
+# -----END RSA PRIVATE KEY-----
+#
+# # Default (user-facing) TLS certificate.
+# # NOTE: In contrast to almost all other configuration options, this IS expected
+# # to be manually populated. While any existing default TLS certificate secret
+# # will be re-used on upgrade if this is omitted, nothing will be created on
+# # initial deployment if this is not populated.
+# defaultTLS:
+# cert: |
+# -----BEGIN CERTIFICATE-----
+#
+# -----END CERTIFICATE-----
+# key: |
+# -----BEGIN RSA PRIVATE KEY-----
+#
+# -----END RSA PRIVATE KEY-----
+#
+# # Administrator password for logging in to the StackRox portal.
+# # You can either specify a plaintext password here, or an htpasswd file with a
+# # bcrypt-encrypted password.
+# # If you omit this setting, a password will be automatically generated upon initial
+# # installation, and the existing administrator password secret will be re-used upon
+# # upgrades.
+# adminPassword:
+# # The plaintext value of the administrator password. If you specify a password here,
+# # you must omit the `htpasswd` setting.
+# value:
+# # The htpasswd contents of the administrator login credentials. If you specify a
+# # value here, you must omit the `value` setting.
+# # The password hash MUST be bcrypt.
+# htpasswd: |
+# admin:
+#
+# # Secret configuration options for the StackRox Central deployment.
+# scanner:
+# # The password to be used for authenticating database access. This is not user-relevant
+# # and only serves to properly secure the database with a pre-shared secret. If this
+# # setting is omitted, a password will be automatically generated upon initial deployment,
+# # and the existing password will be used upon upgrades.
+# dbPassword:
+# value:
+#
+# # Internal "scanner.stackrox" service TLS certificate for the Scanner deployment.
+# # Omit to auto-generate (initial deployment) or use existing (upgrade).
+# serviceTLS:
+# cert: |
+# -----BEGIN CERTIFICATE-----
+#
+# -----END CERTIFICATE-----
+# key: |
+# -----BEGIN RSA PRIVATE KEY-----
+#
+# -----END RSA PRIVATE KEY-----
+#
+# # Internal "scanner-db.stackrox" service TLS certificate for the Scanner DB deployment.
+# # Omit to auto-generate (initial deployment) or use existing (upgrade).
+# dbServiceTLS:
+# cert: |
+# -----BEGIN CERTIFICATE-----
+#
+# -----END CERTIFICATE-----
+# key: |
+# -----BEGIN RSA PRIVATE KEY-----
+#
+# -----END RSA PRIVATE KEY-----
diff --git a/rhacs/3.0.59.0/central-services/values-public.yaml.example b/rhacs/3.0.59.0/central-services/values-public.yaml.example
new file mode 100644
index 0000000..66e8044
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/values-public.yaml.example
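Review bot: The comment heading the `scanner:` stanza is a copy of the Central one, `# # Secret configuration options for the StackRox Central deployment.`; it should read `# # Secret configuration options for the StackRox Scanner deployment.` so readers do not assume the block was misplaced. The PEM placeholders under every `key: |` show only `RSA PRIVATE KEY` headers, while the final warning in `_init.tpl` steers users toward ECDSA keys generated with roxctl; if the chart accepts other PEM key types a one-line comment next to the `ca.key` placeholder saying so would stop users converting keys unnecessarily, and if it does not, that should be stated here instead. The `htpasswd` placeholder `admin:` could likewise carry a comment that the value after the colon is the bcrypt hash, not the plaintext, since the surrounding text already mandates bcrypt.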
@@ -0,0 +1,381 @@
+# StackRox Kubernetes Security Platform - Central Services Chart
+# PUBLIC configuration file.
+#
+# This file contains general configuration values relevant for the deployment of the
+# StackRox Kubernetes Platform Central Services components, which do not contain or reference
+# sensitive data. This file can and should be stored in a source code management system
+# and should be referenced on each `helm upgrade`.
+#
+# Most of the values in this file are optional, and you only should need to make modifications
+# if the default deployment configuration is not sufficient for you for whatever reason.
+# The most notable exception is the `imagePullSecrets` section, which needs to be configured
+# according to the registry access in your environment.
+#
+# Other than that, the following are sections that are the most likely to require custom
+# configuration:
+# - `image.registry`: if you are pulling images from a registry other than `stackrox.io`.
+# - `env.offlineMode`: if you want to run StackRox in offline mode.
+# - `central.disableTelemetry`: if you want to opt out of the transmission of telemetry and
+# diagnostic data.
+# - `central.endpointsConfig`: if you want to expose additional endpoints (such as endpoints
+# without TLS) in Central.
+# - `central.resources`: if the default resource configuration for Central is not adequate
+# for your environment.
+# - `central.persistence`: for configuring where Central stores its database volume.
+#
+
+# # BEGIN CONFIGURATION VALUES SECTION
+
+# imagePullSecrets:
+# # allowNone=true indicates that no image pull secrets are required to be configured
+# # upon initial deployment. Use this setting if you are using a cluster-private registry
+# # that does not require authentication.
+# allowNone: false
+#
+# # useExisting specifies a list of existing Kubernetes image pull secrets in the target
+# # namespace that should be used for trying to pull StackRox images.
Use this if you have
+# # your custom way of injecting image pull secrets.
+# useExisting:
+# - secret1
+# - secret2
+#
+# # useFromDefaultServiceAccount=true will instruct the deployment logic to use any
+# # image pull secrets referenced by the default service account in the target namespace.
+# # This is a common way to grant namespace-wide access to a Docker image registry.
+# # This behavior is the default, set the value to `false` if you do not want this.
+# useFromDefaultServiceAccount: true
+#
+# image:
+# # The registry relative to which all image references are resolved, if no more
+# # specify registry is specified for the workloads (see `central.image`, `scanner.image`,
+# # and `scanner.dbImage` below).
+# # This can be just a registry hostname such as `stackrox.io`, or a registry hostname with
+# # a "remote" component such as `us.gcr.io/my-stackrox-mirror`.
+# registry: stackrox.io
+#
+# env:
+# # Treat the environment as an OpenShift cluster. Leave this unset to use auto-detection
+# # based on available API resources on the server.
+# # Set it to true to auto-detect the OpenShift version, otherwise set it explicitly.
+# # Possible values: null, false, true, 3, 4
+# openshift: false
+#
+# # Whether the target cluster is an Istio-enabled cluster. If you deploy via `helm install`,
+# # this can typically be determined automatically, so we recommend to not set a value here.
+# # Set to true or false explicitly to override the auto-sensing logic only.
+# istio: false
+#
+# # The "platform" of the target cluster into which StackRox is being deployed. This can
+# # be the name of an infrastructure provider or product, and will tailor the StackRox
+# # deployment to the respective target environment. Currently, the only supported platforms
+# # are "default" and "gke".
+# # If you deploy via `helm install`, the environment can typically be determined automatically,
+# # choose a fixed value here only if you want to override the auto-sensing logic.
+# platform: default
+#
+# # offlineMode=true instructs StackRox to not attempt any outgoing connections to the
+# # internet. Use this in air-gapped environments, where it's important that workloads do
+# # not even try to make outbound connections. Defaults to `false` when omitted.
+# offlineMode: false
+#
+# # Additional certificate authorities (CAs) to trust, besides system roots.
+# # Use this setting if Central or Scanner need to reach out to services that use certificates
+# # issued by an authority in your organization, but are NOT globally trusted. In these cases,
+# # specify the root CA certificate of your organization.
+# additionalCAs:
+# acme-labs-ca.crt: |
+# -----BEGIN CERTIFICATE-----
+# [... base64 (PEM) encoded certificate data ...]
+# -----END CERTIFICATE-----
+#
+# # Public configuration options for the StackRox Central deployment.
+# central:
+# # disableTelemetry=true will opt out of transmitting telemetry data to StackRox.
+# # This only has an effect upon initial deployment.
+# disableTelemetry: false
+#
+# # General configuration options for the Central deployment.
+# # See the `config/central/config.yaml.default` file that is shipped with this chart
+# # for a fully documented version.
+# config: |
+# maintenance:
+# safeMode: false
+# compaction:
+# enabled: true
+# bucketFillFraction: .5
+# freeFractionThreshold: 0.75
+# # Configuration option for rolling back to a previous version after an upgrade has been completed.
+# # Default to none.
+# # By default, the user may initiate a rollback if upgrade fails before Central has started.
+# # Users may rollback to their previous version once Central has started, but this may result in data loss,
+# # so users must explicitly specify the version they are rolling back to in order to acknowledge the effects.
+# forceRollbackVersion: 3.0.58.0
+#
+# # Additional endpoints configuration for the Central deployment.
+# # See the `config/central/endpoints.yaml.default` file that is shipped with this chart
+# # for a fully documented version.
+# endpointsConfig: |
+# endpoints:
+# - listen: ":8080"
+# protocols:
+# - http
+# tls:
+# disable: true
+#
+# # If you want to use a monitoring solution such as Prometheus, set the following value to
+# # "true" to make a /metrics endpoint for Central available on port 9090.
+# exposeMonitoring: true
+#
+# # If you want to enforce StackRox Central to only run on certain nodes, you can specify
+# # a node selector here to make sure Central can only be scheduled on Nodes with the
+# # given label. This is particular relevant for the "hostPath" persistence type.
+# nodeSelector:
+# # This can contain arbitrary `label-key: label-value` pairs.
+# role: stackrox-central
+#
+# # Configures the Central image to be used. Most users will only need to configure a
+# # custom registry (if any) at the global scope, and do not require any settings here.
+# image:
+# # A custom registry that will override the global `image.registry` setting for the
+# # Central image.
+# registry: us.gcr.io/stackrox-central-repo
+#
+# # A custom image name that will override the default `main`.
+# name: custom-main
+#
+# # A custom image tag that will override the default tag based on the current
+# # StackRox version.
+# # IMPORTANT: If you set a value here, you will lose the ability to simply upgrade
+# # by running `helm upgrade` against a more recent chart version. You MUST increment
+# # the version referenced in this tag for every upgrade. It is therefore strongly
+# # recommended that if you choose to mirror StackRox images in your own registry,
+# # you preserve all image tags as-is.
+# tag: custom-version
+#
+# # A full image name override that will be used as-is for the StackRox Central image.
+# # This is only required in very rare circumstances, and its use is strongly discouraged.
+# # If set, all other image-related values will be ignored for the StackRox Central image.
+# # The following example value lists the full image ref that would be constructed from
+# # the above components.
+# fullRef: "us.gcr.io/stackrox-central-repo/custom-main:custom-version"
+#
+# # Custom resource overrides for the Central deployment. Use this if your environment is
+# # very large or very small, and the default resource configuration does not provide
+# # satisfactory performance.
+# resources:
+# requests:
+# memory: "4Gi"
+# cpu: "1500m"
+# limits:
+# memory: "8Gi"
+# cpu: "4000m"
+#
+# # Persistence configuration for the StackRox database volume.
+# # Exactly ONE of the nested values should be specified. If none is specified,
+# # the StackRox deployment will be configured with the default PVC-based persistence.
+# persistence:
+# # The path on the node where to store the StackRox database volume
+# # when using host path persistence.
+# hostPath: /var/lib/stackrox
+#
+# # The persistent volume claim details when storing the StackRox database
+# # on a persistent volume managed by a Kubernetes persistent volume claim (PVC).
+# persistentVolumeClaim:
+# # The name of the claim. This defaults to stackrox-db if not set.
+# claimName: stackrox-db
+#
+# # Whether to create the claim upon deployment. The default is true; set this to false
+# # if you have a pre-existing persistent volume claim that you want to use.
+# createClaim: true
+#
+# # The size of the persistent volume managed by the claim, in Gigabytes (or with an
+# # explicit unit, such as "1Ti"). Defaults to 100Gi.
+# size: 100
+#
+# # If you want to bind a preexisting persistent volume, you can specify it here.
+# volume:
+# volumeSpec:
+# # The section includes volume type specific config, the volume type can be:
+# # gcePersistentDisk, hostpath, filestore(nfs) etc.
+# gcePersistentDisk:
+# # Type specific parameters. The specified persistent volume should have
+# # been created.
+# pdName: gke-pv
+#
+# # Configuration for exposing the StackRox Central deployment for external access.
+# # Generally, only ONE of the nested values should be specified. If none is specified,
+# # the Central deployment will not be exposed, and you must either manually expose it,
+# # or access it via port-forwarding.
+# exposure:
+# # Exposure via a Kubernetes LoadBalancer service.
+# loadBalancer:
+# enabled: true
+# # The port on which to expose StackRox Central. Defaults to 443.
+# port: 443
+# # The static IP to assign to the load balancer. Defaults to dynamic.
+# ip: 10.0.0.0
+#
+# # Exposure via a Kubernetes NodePort service.
+# nodePort:
+# enabled: true
+# # The port on the node under which to expose the service. Omit this for
+# # letting Kubernetes automatically select a node port (recommended).
+# port: 32000
+#
+# # Exposure via an OpenShift route. Only available for OpenShift clusters
+# route:
+# enabled: true
+#
+# # Additional volume mounts for the Central container. Only few people will require this.
+# extraMounts:
+# - name: my-configmap # the name of the volume
+# # The source of the volume. This will be embedded as-is in the `volume:` section of the
+# # pod spec.
+# source:
+# configMap:
+# name: my-configmap
+# # The mount point of the volume. This will be embedded as-is in the `volumeMounts:` section
+# # of the pod spec.
+# mount:
+# mountPath: /etc/my-config-data
+#
+# # Public configuration options for the StackRox Scanner.
+# scanner:
+# # disable=true will cause the StackRox Kubernetes Security Platform to be
+# # deployed without the StackRox Scanner, meaning that certain functionalities
+# # may not be available. If this setting is changed prior to a `helm upgrade`
+# # invocation, the existing StackRox scanner deployment will be removed.
+# disable: false
+#
+# # The number of replicas for the Scanner deployment. If autoscaling is enabled (see below),
+# # this determines the initial number of replicas.
+# replicas: 3
+#
+# # The log level for the scanner deployment. This typically does not need to be changed.
+# logLevel: INFO
+#
+# # If you want to enforce StackRox Scanner to only run on certain nodes, you can specify
+# # a node selector here to make sure Scanner can only be scheduled on Nodes with the
+# # given label.
+# nodeSelector:
+# # This can contain arbitrary `label-key: label-value` pairs.
+# role: stackrox-scanner
+#
+#
+# # If you want to enforce StackRox Scanner DB to only run on certain nodes, you can specify
+# # a node selector here to make sure Scanner DB can only be scheduled on Nodes with the
+# # given label.
+# dbNodeSelector:
+# # This can contain arbitrary `label-key: label-value` pairs.
+# role: stackrox-scanner-db
+#
+# # Configuration for autoscaling the Scanner deployment.
+# autoscaling:
+# # disable=true causes autoscaling to be disabled. All other settings in this section
+# # will have no effect.
+# disable: false
+# # The minimum number of replicas for autoscaling. The following value is the default.
+# minReplicas: 2
+# # The maximum number of replicas for autoscaling. The following value is the default.
+# maxReplicas: 5
+#
+# # Custom resource overrides for the Scanner deployment.
+# resources:
+# requests:
+# memory: "1500Mi"
+# cpu: "1000m"
+# limits:
+# memory: "3000Mi"
+# cpu: "2000m"
+#
+# # Custom resource overrides for the Scanner DB deployment.
+# dbResources:
+# limits:
+# cpu: "2000m"
+# memory: "4Gi"
+# requests:
+# cpu: "200m"
+# memory: "200Mi"
+#
+# # Custom configuration of the image to be used for the Scanner deployment.
+# # See `central.image` for a full example.
+# image:
+# registry: us.gcr.io/stackrox-scanner-repo
+# name: scanner # "scanner" is the default
+#
+# dbImage:
+# registry: us.gcr.io/stackrox-scanner-db-repo
+# name: scanner-db # "scanner-db" is the default
+#
+#
+# # Customization Settings.
+# # The following allows specifying custom Kubernetes metadata (labels and annotations)
+# # for all objects instantiated by this Helm chart, as well as additional pod labels,
+# # pod annotations, and container environment variables for workloads.
+# # The configuration is hierarchical, in the sense that metadata that is defined at a more
+# # generic scope (e.g., for all objects) can be overridden by metadata defined at a narrower
+# # scope (e.g., only for the central deployment).
+# customize:
+# # Extra metadata for all objects.
+# labels:
+# my-label-key: my-label-value
+# annotations:
+# my-annotation-key: my-annotation-value
+#
+# # Extra pod metadata for all objects (only has an effect for workloads, i.e., deployments).
+# podLabels:
+# my-pod-label-key: my-pod-label-value
+# podAnnotations:
+# my-pod-annotation-key: my-pod-annotation-value
+#
+# # Extra environment variables for all containers in all objects.
+# envVars:
+# MY_ENV_VAR_NAME: MY_ENV_VAR_VALUE
+#
+# # Extra metadata for the central deployment only.
+# central:
+# labels: {}
+# annotations: {}
+# podLabels: {}
+# podAnnotations: {}
+# envVars: {}
+#
+# # Extra metadata for the scanner deployment only.
+# scanner:
+# labels: {}
+# annotations: {}
+# podLabels: {}
+# podAnnotations: {}
+# envVars: {}
+#
+# # Extra metadata for the scanner-db deployment only.
+# scanner-db:
+# labels: {}
+# annotations: {}
+# podLabels: {}
+# podAnnotations: {}
+# envVars: {}
+#
+# # Extra metadata for all other objects. The keys in the following map can be
+# # an object name of the form "service/central-loadbalancer", or a reference to all
+# # objects of a given type in the form "service/*". The values under each key
+# # are the five metadata overrides (labels, annotations, podLabels, podAnnotations, envVars)
+# # as specified above, though only the first two will be relevant for non-workload
+# # object types.
+# other:
+# "service/*":
+# labels: {}
+# annotations: {}
+#
+# # EXPERT SETTINGS
+# # The following settings should only be changed if you know very well what you are doing.
+# # The scenarios in which these are required are generally not supported.
+#
+# # Set allowNonstandardNamespace=true if you are deploying into a namespace other than
+# # "stackrox". This has been observed to work in some case, but is not generally supported.
+# allowNonstandardNamespace: false
+#
+# # Set allowNonstandardReleaseName=true if you are deploying with a release name other than
+# # the default "stackrox-central-services". This has been observed to work in some cases,
+# # but is not generally supported.
+# allowNonstandardReleaseName: false
diff --git a/rhacs/3.0.59.0/central-services/values.yaml b/rhacs/3.0.59.0/central-services/values.yaml
new file mode 100644
index 0000000..7031fc6
--- /dev/null
+++ b/rhacs/3.0.59.0/central-services/values.yaml
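Review bot: The comment above `minReplicas: 2` in the `scanner.autoscaling` example states "The following value is the default", but the values.yaml added by this same commit lists `minReplicas: 1` under `scanner.autoscaling`, so one of the two files misstates the default; the internal defaults file this chart actually reads is not in view, so I cannot say which one is right. The `endpointsConfig` example opens a listener on `:8080` with `tls: disable: true` without saying what that implies for a reader who copies it; I would precede it with `# # NOTE: this listener serves plaintext; keep it cluster-internal and do not expose it through the LoadBalancer/NodePort/Route settings below`. Minor wording in the same hunk: "if no more specify registry is specified" should read "if no more specific registry is specified", "This is particular relevant" should be "particularly relevant", and "in some case" should be "in some cases".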
@@ -0,0 +1,292 @@
+## StackRox Central chart default settings file.
+##
+## This file includes the default settings for the StackRox Central chart.
+## It serves as a form of documentation for all the possible settings that a
+## user can override are. HOWEVER, if you want to override some settings, DO NOT
+## create a copy of this file to be used as a baseline, or modify it in place.
+## Instead, create a file that contains only those settings you want to override,
+## and pass it to helm or roxctl via the `-f` parameter.
+##
+## For example, if you want to disable the deployment of scanner, create a file
+## `values-override.yaml` (or any name you choose) with the following contents:
+##
+## scanner:
+## disable: true
+##
+## and then invoke helm by passing `-f values-override.yaml` to
+## `helm install`/`helm upgrade`.
+##
+## Alternatively, if you want to override just a few values, you can set them directly
+## via the `--set` command, e.g.,
+## $ helm install --set scanner.disable=true ...
+##
+## Note that an arbitrary number of `-f` and `--set` parameters can be combined. It is
+## generally a good practice to store secret data such as the admin password separate from
+## non-sensitive configuration data.
+##
+#
+## Configuration for image pull secrets.
+## These should usually be set via the command line when running `helm install`, e.g.,
+## helm install --set imagePullSecrets.username=myuser --set imagePullSecrets.password=mypass,
+## or be stored in a separate YAML-encoded secrets file.
+#imagePullSecrets:
+# # Username and password to be used for pulling images.
+# # These should usually be set via the command line when running `helm install`, e.g.,
+# # helm install --set imagePullSecrets.username=myuser --set imagePullSecrets.password=mypass,
+# # or be stored in a separate YAML-encoded secrets file.
+# username: null
+# password: null
+#
+# # If no image pull secrets are provided, an installation would usually fail.
In order to
+# # prevent it from failing, this option must explicitly be set to true.
+# allowNone: false
+#
+# # If there exist available image pull secrets in the cluster that are managed separately,
+# # set this value to the list of the respective secret names. While it is recommended to
+# # record the secret names in a persisted YAML file, providing a single string containing
+# # a comma-delimited list of secret names is also supported, for easier interaction with
+# # --set.
+# useExisting: []
+#
+# # Whether to import any secrets from the default service account existing in the StackRox
+# # namespace. The default service account often contains "standard" image pull secrets that
+# # should be used by default for image pulls, hence this defaults to true. Only has an effect
+# # if server-side lookups are enabled.
+# useFromDefaultServiceAccount: true
+#
+## Common settings for all image properties
+#image:
+# # The image registry to use. Unless overridden in the more specific configs, this
+# # determines the base registry for each image referenced in this config file.
+# registry: stackrox.io
+#
+## Settings regarding the installation environment
+#env:
+# # Treat the environment as an OpenShift cluster. Leave this unset to use auto-detection
+# # based on available API resources on the server.
+# # Possible values: null, false, true, 3, 4
+# openshift: null
+#
+# # Treat the environment as Istio-enabled. Leave this unset to use auto-detection based on
+# # available API resources on the server.
+# # Possible values: null, false, true
+# istio: null
+#
+# # The cloud provider platform where the target Kubernetes cluster is running. Leave this
+# # unset to use auto-detection based on the Kubernetes version.
+# # Possible values: null, "default", "gke"
+# platform: null
+#
+# # Whether to run StackRox in offline mode. When run in offline mode, no connections to external
+# # endpoints will be made.
+# offlineMode: false
+#
+# # The proxy configuration for Central and Scanner, specified either as an embedded YAML
+# # directionary, or as an (expandable) string.
+# proxyConfig: null
+#
+#
+## Settings for the StackRox Service CA certificates.
+## If `cert` and `key` are both set (it is an error to set only one of the two), the corresponding
+## values are used as the PEM-encoded certificate and private key for the internal Service CA.
+## If they are left unspecified, they are generated under the following conditions:
+## - `generate` is explicitly set to true, or
+## - `generate` is unset (null), and the Helm chart is being freshly installed (as opposed to being
+## upgraded).
+#ca:
+# cert: null
+# key: null
+# generate: null
+#
+
+## Additional CA certificates to trust, besides system roots
+## If specified, this should be a map mapping file names to PEM-encoded contents.
+#additionalCAs: null
+#
+#central:
+#
+# # Indicates whether telemetry data collection should be disabled. This defaults to true
+# # in offline mode, and false otherwise. Only has an effect upon the first installation.
+# disableTelemetry: null
+#
+#
+# config: "@config/central/config.yaml|config/central/config.yaml.default"
+#
+# endpointsConfig: "@config/central/endpoints.yaml|config/central/endpoints.yaml.default"
+#
+#
+# nodeSelector: null
+#
+# jwtSigner:
+# key: null
+# generate: null
+#
+# # Settings for the internal service-to-service TLS certificate used by central.
+# # See the documentation for `ca` at the top level for an explanation.
+# serviceTLS:
+# cert: null
+# key: null
+# generate: null
+#
+# defaultTLS:
+# cert: null
+# key: null
+#
+# image:
+# registry: null
+# name: main
+# tag: 3.0.48.x-121-g337915cd3d
+# fullRef: null
+#
+# adminPassword:
+# value: null
+# generate: null
+# htpasswd: null
+#
+# resources:
+# requests:
+# memory: "4Gi"
+# cpu: "1500m"
+# limits:
+# memory: "8Gi"
+# cpu: "4000m"
+#
+# persistence:
+# hostPath: null
+# persistentVolumeClaim:
+# claimName: null
+# createClaim: null
+# storageClass: null
+# size: null
+# none: null
+#
+#
+# exposure:
+#
+# # LoadBalancer configuration.
+# # Disabled by default.
+# # Default port is 443.
+# loadBalancer:
+# enabled: null
+# port: null
+# ip: null
+#
+# # NodePort configuration.
+# # Disabled by default.
+# nodePort:
+# enabled: null
+# port: null
+#
+# # Route configuration.
+# # Disabled by default.
+# route:
+# enabled: null
+#
+#
+## Configuration options relating to StackRox Scanner.
+#scanner:
+# # If this is set to true, StackRox will be deployed without scanner. No other setting in this
+# # section will have any effect.
+# disable: false
+#
+# # Default number of scanner replicas created upon startup. The actual number might be higher
+# # or lower if autoscaling is enabled (see below).
+# replicas: 3
+#
+# logLevel: INFO
+#
+# # Settings related to autoscaling the scanner deployment.
+# autoscaling:
+# # If true, autoscaling will be disabled. None of the other settings in this section will
+# # have any effect.
+# disable: false
+# minReplicas: 1
+# maxReplicas: 5
+#
+# # Resource settings for the scanner deployment.
+# resources:
+# requests:
+# memory: "1500Mi"
+# cpu: "1000m"
+# limits:
+# memory: "3000Mi"
+# cpu: "2000m"
+#
+# image:
+# registry: null
+# name: scanner
+# tag: 2.3.2
+# fullRef: null
+#
+# dbImage:
+# registry: null
+# name: scanner-db
+# tag: 2.3.2
+# fullRef: null
+#
+# # Resource settings for the scanner-db deployment.
+# dbResources:
+# limits:
+# cpu: 2
+# memory: 4Gi
+# requests:
+# cpu: 200m
+# memory: 200Mi
+#
+# # The admin password setting for communication with scanner's DB.
+# # When a value is set explicitly, this is always used, even on upgrade.
+# # Otherwise, a password will be automatically generated if `generate` is set to true,
+# # or left unset (null) and the Helm chart is being installed (as upposed to upgraded).
+# dbPassword:
+# value: null
+# generate: null
+#
+# # Settings for the internal service-to-service TLS certificate used by scanner.
+# # See the documentation for `ca` at the top level for an explanation.
+# serviceTLS:
+# cert: null
+# key: null
+# generate: null
+#
+# # Settings for the internal service-to-service TLS certificate used by scanner-db.
+# # See the documentation for `ca` at the top level for an explanation.
+# dbServiceTLS:
+# cert: null
+# key: null
+# generate: null
+#
+## EXPERT SETTINGS. You usually do not need to touch those.
+#
+## If set to true, allow deploying in a namespace other than "stackrox". This is unsupported, so
+## use at your own risk.
+#allowNonstandardNamespace: false
+#
+## If set to true, allow a release name other than "stackrox-central-services". There are no issues
+## with that, but for streamlining purposes, we want to encourage all users to stick with the
+## default name, and make it a little harder to deviate from that.
+#allowNonstandardReleaseName: false
+#
+#meta:
+# # This controls whether the built-in `lookup` function will be used. If you see an error
+# # about there being no function `lookup`, set this to `false` (might be required on Helm
+# # versions before 3.1).
+# useLookup: true
+#
+# # This is a dictionary from file names to contents that can be used to inject files that
+# # would usually be included via .Files.Get into the chart rendering.
+# fileOverrides: {}
+#
+# # This configuration section allows overriding settings that would be inferred from the
+# # running API server.
+# apiServer:
+# # The Kubernetes version running on the API server. This is used for auto-detection
+# # of the platform.
+# version: null
+# # The list of available API resources on the server, in the form of "apps/v1" or
+# # "apps/v1/Deployment". This is used to detect environment capabilities.
+# overrideAPIResources: null
+# # A list of extra API resources that should be assumed to exist on the API server. This
+# # can be used in conjunction with both data obtained from the API server, or data set
+# # via `overrideAPIResources`.
+# extraAPIResources: []
+#
diff --git a/rhacs/3.0.59.0/secured-cluster-services/.helmignore b/rhacs/3.0.59.0/secured-cluster-services/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/rhacs/3.0.59.0/secured-cluster-services/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/rhacs/3.0.59.0/secured-cluster-services/Chart.yaml b/rhacs/3.0.59.0/secured-cluster-services/Chart.yaml
new file mode 100644
index 0000000..eb97574
--- /dev/null
+++ b/rhacs/3.0.59.0/secured-cluster-services/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: stackrox-secured-cluster-services
+icon: https://www.stackrox.com/img/logo.svg
+description: Helm Chart for StackRox Secured Clusters
+type: application
+version: 59.0.0
+appVersion: 3.0.59.0
diff --git a/rhacs/3.0.59.0/secured-cluster-services/README.md b/rhacs/3.0.59.0/secured-cluster-services/README.md
new file mode 100644
index 0000000..d322a17
--- /dev/null
+++ b/rhacs/3.0.59.0/secured-cluster-services/README.md
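Review bot: `tag: 3.0.48.x-121-g337915cd3d` under `central.image` looks like a stale development build tag in a file published under the 3.0.59.0 chart path; every line of this file is commented out, so it presumably only documents defaults that are sourced elsewhere, but a reader who uncomments it would pin Central to a pre-release image, so it should be aligned with the chart version (`tag: 3.0.59.0`, if that is indeed the default) or replaced by a comment stating that the tag is derived from the chart version. The scanner `dbResources` block writes `cpu: 2` and `memory: 4Gi` unquoted while the neighbouring `resources` block quotes every quantity (`cpu: "2000m"`, `memory: "3000Mi"`); quoting them the same way keeps the file consistent and avoids `2` being read as an integer rather than a quantity string. Wording: "directionary" should be "dictionary", "as upposed to upgraded" should be "as opposed to upgraded", and the header sentence "all the possible settings that a user can override are" has a stray trailing "are".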
@@ -0,0 +1,487 @@ + +# StackRox Kubernetes Security Platform - Secured Cluster Services Helm Chart + +This Helm chart allows you to deploy the necessary services on a StackRox +secured cluster: StackRox Sensor, StackRox Collector, and StackRox Admission +Control. + +**PLEASE NOTE:** This Helm chart supersedes the `sensor` Helm chart shipped for previous +versions of the StackRox Kubernetes Security Platform. If you have previously used the +`sensor` chart, see the [sensor-chart-upgrade.md](sensor-chart-upgrade.md) document in this +directory for instructions on how to upgrade. + +## Prerequisites + +To deploy the secured cluster services for the StackRox Kubernetes Security Platform, you must: +- Have at least version 3.1 of the Helm tool installed on your machine +- Have credentials for the `registry.redhat.io/rh-acs` registry or the other image registry + you use. + +> **IMPORTANT** +> +> We publish new Helm charts with every new release of the StackRox Kubernetes +> Security Platform. Make sure to use a version of this chart that matches the +> StackRox Kubernetes Security Platform version you have installed. + +## Add the canonical chart location as a Helm repository + +The canonical repository for StackRox Helm charts is http://mirror.openshift.com/pub/rhacs/charts. +To use StackRox Helm charts, run the following command: +```sh +helm repo add stackrox http://mirror.openshift.com/pub/rhacs/charts +``` +Only run this command once per machine on which you want to use StackRox Helm +charts. + +Before you deploy or upgrade a chart from a remote repository, you must +run the following command: +```sh +helm repo update +``` + +## Install Secured Cluster Services + +Installing a new StackRox secured cluster requires a *cluster init bundle*. You +can generate a **cluster init bundle** by using the `roxctl` CLI or the StackRox +portal. You can use the same bundle to set up multiple StackRox secured +clusters by providing it as an input to the `helm install` command. 
+ +> **NOTE**: +> +> - The following sections assume that you have a safe way to pass secrets to +> the helm command. +> - If not, you can decouple secret creation from installing or upgrading the +> Helm chart, see [Deployment with pre-created secrets](#deployment-with-pre-created-secrets) for more information. + +### Generate cluster init bundle + +To generate a **cluster init bundle** by using the `roxctl` CLI, make sure that +you are running the StackRox Kubernetes Security Platform and the `roxctl` CLI +version 3.0.55 or newer. + +Run the following command to generate a **cluster init bundle**: +```sh +roxctl central init-bundles generate --output cluster-init-bundle.yaml +``` + +- This command creates a **cluster init bundle** called + `cluster-init-bundle.yaml`. +- Make sure that you store this bundle securely as it contains secrets. You can + use the same bundle to set up multiple StackRox secured clusters. + +### Deploy Secured Cluster Services + +You can use the following command to deploy secured cluster services by using +this Helm chart: +```sh +helm install -n stackrox --create-namespace \ + stackrox-secured-cluster-services stackrox/secured-cluster-services \ + -f \ + --set clusterName= \ + --set centralEndpoint= +``` +- In this command, you can replace the chart name + `stackrox/secured-cluster-services` with the chart's file path if you have it + locally. +- The provided cluster name can either denote the intended name for a new secured cluster + or the name of an existing cluster, in which case the name will be reused and associated + with the Kubernetes cluster on which the chart is installed. + +To access StackRox Docker images, you also need image pull credentials. 
While +installing, you can inject the required credentials (if any) by using one of the +following ways: + +#### Specify username and password + +Pass the following arguments to the `helm install` command if you are using the +images from the default registry (`registry.redhat.io/rh-acs`) or a registry that supports +authentication by using username and password: + +```sh +--set imagePullSecrets.username= --set imagePullSecrets.password= +``` + +#### Use pre-existing image pull secrets +If you already created one or multiple image pull secrets in the namespace in +which you are deploying, you can reference these secrets as follows: + +```sh +--set imagePullSecrets.useExisting="pull-secret-name1;pull-secret-name2" +``` + +#### Skip image pull secrets +When you are pulling the images from a registry in a private network that does +not require authentication, or if you've already configured the namespace's (in +which you are deploying) default service account with the appropriate image pull +secrets. In that case, you do not need to specify any additional image pull +secrets. To disable image pull secrets, pass the following arguments to the +`helm install` command: + +```sh +--set imagePullSecrets.allowNone=true +``` + +After you deploy the StackRox Kubernetes Security Platform Secured Cluster +Services using the `helm install` command, you will see informative notes and +warnings related to the installation. The new cluster automatically registers +itself to StackRox Central, and it is visible in the StackRox portal as a +Helm-managed cluster. If the provided cluster name is already associated with +an existing secured cluster, the name will be reused and associated with the +cluster on which the chart is installed. + +### Applying custom configuration options + +The secured cluster services Helm chart has many different configuration +options. You can directly specify these options when you run the `helm install` +command for simple use cases. 
+ +However, we recommend storing your configuration in a file and using that file +for future upgrades or reconfiguration using the `helm upgrade` command. + +#### Specifying options with `--set` parameter + +You can use the `--set` and `--set-file` parameter with the `helm install` +command to specify various options to customize deployments quickly. However, +don't use them for specifying complex configurations. + +For example, +- **Configure cluster environment**: + ```sh + --set env.openshift=true + ``` +- **Configure collection method**: + ```sh + --set collector.collectionMethod=EBPF + ``` + +#### Using configuration YAML files and the `-f` command-line option + +We recommended that you store all custom configuration options in persisted files. + +The Secured Cluster Services Helm chart contains example configuration files +(called `values-public.yaml.example` and `values-private.yaml.example`), that list +all the available configuration options, along with documentation. + +The following sample configuration file (`secured-cluster.yaml`) uses a few of +the options which you can configure: +- **`values-public.yaml`:** + ```yaml + clusterName: "acme-cluster-01" + centralEndpoint: "central.acme-labs.internal" + + env: + istio: true # enable istio support + + sensor: + # Use custom resource overrides for sensor + resources: + requests: + cpu: "1" + memory: "1Gi" + limits: + cpu: "2" + memory: "4Gi" + + admissionControl: + dynamic: + disableBypass: true # Disable bypassing of Admission Controller + + customize: + # Apply the important-service=true label for all objects managed by this chart. 
+ labels: + important-service: true + # Set the CLUSTER=important-cluster environment variable for all containers in the + # collector deployment: + collector: + envVars: + CLUSTER: important-cluster + ``` +- **`values-private.yaml`**: + ```yaml + imagePullSecrets: + username: + password: + ``` + +After you have created these YAML files, you can inject the configuration options into the +installation process via the `-f` flag, i.e., by appending the following options to the +`helm install` invocation: +```sh +helm install ... -f values-public.yaml -f values-private.yaml +``` + +#### Changing configuration options after deployment + +To make changes to the configuration of an existing deployment of the StackRox +Secured Cluster Services: +1. Change the configuration options in your YAML configuration file(s). +1. Use the `-f` option and specify the configuration file's path when you + run the `helm upgrade` command. + +For example, to apply configuration changes for the secured cluster, use the following command: +```sh +helm upgrade -n stackrox \ + stackrox-secured-cluster-services stackrox/secured-cluster-services \ + --reuse-values \ + -f values-public.yaml \ + -f values-private.yaml +``` + +You can also specify configuration values using the `--set` or `--set-file` +parameters. However, these options aren't saved, and you'll have to specify all +the options again manually. + +#### Changing cluster name after deployment + +To change the name of the cluster shown in the StackRox portal, you must specify +values for both the `--clusterName` and the `--confirmNewClusterName` options: + +```sh +helm upgrade -n stackrox stackrox-secured-cluster-services --clusterName= --confirmNewClusterName= +``` + +> **NOTE:** +> +> When you change the cluster name: +> - The StackRox Kubernetes Security Platform either creates a new cluster or +> reuses an existing cluster if a cluster with the same name already exists. 
+> - The StackRox Kubernetes Security Platform doesn't rename the old cluster. +> The old cluster still shows up in the StackRox portal, but it doesn't +> receive any data. You must remove the old cluster if you don't want to see +> it in the StackRox portal. + +### Configuration + +The following table lists some common configuration parameters of this Helm +chart and their default values: + +|Parameter |Description | Default value | +|:---------|:-----------|:--------------| +|`clusterName`| Name of your cluster. | | +|`confirmNewClusterName`| You don't need to change this unless you upgrade and change the value for `clusterName`. In this case, set it to the new value of `clusterName`. This option exists to prevent you from [accidentally creating a new cluster with a different name](#changing-cluster-after-deployment). | `null` | +|`centralEndpoint`| Address of the Central endpoint, including the port number (without a trailing slash). If you are using a non-gRPC capable LoadBalancer, use the WebSocket protocol by prefixing the endpoint address with `wss://`. |`central.stackrox:443` | +|`additionalCAs`| Use it to add (named) PEM-encoded CA certificates for Sensor. | `{}` | +|`imagePullSecrets.username`| Specify username for accessing image registry. |`null`| +|`imagePullSecrets.password`| Specify password for accessing image registry. |`null`| +|`imagePullSecrets.useExisting`| Specify existing Kubernetes image pull secrets that should be used for trying to pull StackRox images. |`[]`| +|`imagePullSecrets.useFromDefaultServiceAccount`| This setting controls whether image pull secrets from a default service account in the target namespace should be used for image pulls. |`true`| +|`imagePullSecrets.useExisting`| Specify existing Kubernetes image pull secrets that should be used for trying to pull StackRox images. |`[]`| +|`imagePullSecrets.allowNone`| Enabling this setting indicates that no image pull secrets are required to be configured upon initial deployment. 
Use this setting if you are using a cluster-private registry that does not require authentication. |`false`| +|`image.main.name`|Repository from which to download the main image. |`main` | +|`image.collector.name`|Repository from which to download the collector image. |`collector` | +|`image.main.registry`| Address of the registry you are using for main image.|`registry.redhat.io/rh-acs` | +|`image.collector.registry`| Address of the registry you are using for collector image.|`registry.redhat.io/rh-acs` | +|`sensor.endpoint`| Address of the Sensor endpoint including port number. No trailing slash.|`sensor.stackrox:443` | +|`collector.collectionMethod`|Either `EBPF`, `KERNEL_MODULE`, or `NO_COLLECTION`. |`KERNEL_MODULE` | +|`collector.disableTaintTolerations`|If you specify `false`, tolerations are applied to collector, and the collector pods can schedule onto all nodes with taints. If you specify it as `true`, no tolerations are applied, and the collector pods won't scheduled onto nodes with taints. |`false` | +|`collector.slimMode`| Specify `true` if you want to use a slim Collector image for deploying Collector. Using slim Collector images requires Central to provide the matching kernel module or eBPF probe. If you are running the StackRox Kubernetes Security Platform in offline mode, you must download a kernel support package from [stackrox.io](https://install.stackrox.io/collector/support-packages/index.html) and upload it to Central for slim Collectors to function. Otherwise, you must ensure that Central can access the online probe repository hosted at https://collector-modules.stackrox.io/.|`false` | +|`admissionControl.listenOnCreates`| This setting controls whether the cluster is configured to contact the StackRox Kubernetes Security Platform with `AdmissionReview` requests for `create` events on Kubernetes objects. 
|`false` | +|`admissionControl.listenOnUpdates`|This setting controls whether the cluster is configured to contact the StackRox Kubernetes Security Platform with `AdmissionReview` requests for `update` events on Kubernetes objects.|`false` | +|`admissionControl.listenOnEvents`|This setting controls whether the cluster is configured to contact the StackRox Kubernetes Security Platform with `AdmissionReview` requests for `update` Kubernetes events like `exec` and `portforward`.|`false` on OpenShift, `true` otherwise.| +|`admissionControl.dynamic.enforceOnCreates`| It controls whether the StackRox Kubernetes Security Platform evaluates policies; if it’s disabled, all `AdmissionReview` requests are automatically accepted. You must specify `listenOnCreates` as `true` for this to work. |`false` | +|`admissionControl.dynamic.enforceOnUpdates`| It controls whether the StackRox Kubernetes Security Platform evaluates policies for object updates; if it’s disabled, all `AdmissionReview` requests are automatically accepted. You must specify `listenOnUpdates` as `true` for this to work. |`false`| +|`admissionControl.dynamic.scanInline`| |`false` | +|`admissionControl.dynamic.disableBypass`|Set it to `true` to disable [bypassing the admission controller](https://help.stackrox.com/docs/manage-security-policies/use-admission-controller-enforcement/). |`false` | +|`admissionControl.dynamic.timeout`|The maximum time in seconds, the StackRox Kubernetes Security Platform should wait while evaluating admission review requests. Use it to set request timeouts when you enable image scanning. If the image scan runs longer than the specified time, the StackRox Kubernetes Security Platform accepts the request. Other enforcement options, such as scaling the deployment to zero replicas, are still applied later if the image violates applicable policies.|`3` | +|`registryOverride`|Use this parameter to override the default `docker.io` registry. 
Specify the name of your registry if you are using some other registry.| | +|`createUpgraderServiceAccount`| Specify `true` to create the `sensor-upgrader` account. By default, the StackRox Kubernetes Security Platform creates a service account called `sensor-upgrader` in each secured cluster. This account is highly privileged but is only used during upgrades. If you don’t create this account, you will have to complete future upgrades manually if the Sensor doesn’t have enough permissions. See [Enable automatic upgrades for secured clusters](https://help.stackrox.com/docs/configure-stackrox/enable-automatic-upgrades/) for more information.|`false` | +|`createSecrets`| Specify `false` to skip the orchestrator secret creation for the sensor, collector, and admission controller. | `true` | +|`customize`|Modern interface for specifying custom metadata for resources, including labels, annotations and environment variables. See below for more information.|`{}`| + +The following table lists some advanced parameters, and you'll only need them in +non-standard environments: + +|Parameter |Description | Default value | +|:---------|:-----------|:--------------| +|`image.main.tag`| Tag of `main` image to use.|`null` | +|`image.collector.tag`| Tag of `collector` image to use.| `null` | +|`image.main.pullPolicy`| Image pull policy for `main` images.|`IfNotPresent`| +|`image.collector.pullPolicy`| Image pull policy for `collector` images.| `IfNotPresent` if `slimCollector` is enabled, `Always` otherwise.| +|`sensor.resources`|Resource specification for Sensor.|See below.| +|`collector.resources`|Resource specification for Collector.|See below.| +|`collector.complianceResources`|Resource specification for Collector's Compliance container.|See below.| +|`collector.nodeSelector` | Node selector for Collector pods placement. 
| `null` (no placement constraints) | +|`admissionControl.resources`|Resource specification for Admission Control.|See below.| +|`sensor.imagePullPolicy`| Kubernetes image pull policy for Sensor. | `IfNotPresent` | +|`sensor.nodeSelector` | Node selector for Sensor pod placement. | `null` (no placement constraints) | +|`collector.imagePullPolicy`| Kubernetes image pull policy for Sensor. | `Always` when deploying in slim mode, otherwise `IfNotPresent`. | +|`collector.complianceImagePullPolicy`| Kubernetes image pull policy for Sensor. | `IfNotPresent` | +|`admissionControl.imagePullPolicy`| Kubernetes image pull policy for Admission Control. | `IfNotPresent` | +|`admissionControl.nodeSelector` | Node selector for Admission Control pods placement. | `null` (no placement constraints) | +|`exposeMonitoring`| This setting controls whether the monitoring port (TCP 9090) should be exposed on the services. | `false` | +|`env.openshift`| The StackRox Kubernetes Security Platform automatically detects the OpenShift version (`3.x` or `4.x`). Use this parameter to override the automatically detected version number, for example `4`. | `null` | +|`env.istio`| This setting can be used for overwriting the auto-sensing of Istio environments. If enabled, the cluster is set up for an Istio environment. | Auto-sensed, depends on environment. | + +### Default resources + +Each container's default resource settings are defined in the +`internal/defaults.yaml` file in this chart. 
The following table lists the YAML +paths to the respective defaults for each container that this chart deploys: + +|Container |Path in `internal/defaults.yaml` | +|:----------------|:---------------------------------------| +|Sensor |`defaults.sensor.resources` | +|Collector |`defaults.collector.resources` | +|Compliance |`defaults.collector.complianceResources`| +|Admission Control|`defaults.admissionControl.resources` | + +### Customization settings + +The `customize` setting allows specifying custom Kubernetes metadata (labels and +annotations) for all objects created by this Helm chart and additional pod +labels, pod annotations, and container environment variables for workloads. + +The configuration is hierarchical, in the sense that metadata defined at a more +generic scope (for example, for all objects) can be overridden by metadata +defined at a narrower scope (for example, only for the sensor deployment). + +For example: + +``` +customize: + # Extra metadata for all objects. + labels: + my-label-key: my-label-value + annotations: + my-annotation-key: my-annotation-value + # Extra pod metadata for all objects (only has an effect for workloads, i.e., deployments and daemonsets). + podLabels: + my-pod-label-key: my-pod-label-value + podAnnotations: + my-pod-annotation-key: my-pod-annotation-value + # Extra environment variables for all containers in all workloads. + envVars: + MY_ENV_VAR_NAME: MY_ENV_VAR_VALUE + # Extra metadata for the central deployment only. + sensor: + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + envVars: {} + # Extra metadata for the collector deployment only. + collector: + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + envVars: {} + # Extra metadata for the admission-control deployment only. + admission-control: + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + envVars: {} + # Extra metadata for all other objects. 
The keys in the following map can be + # an object name of the form "service/sensor", or a reference to all + # objects of a given type in the form "service/*". The values under each key + # are the five metadata overrides (labels, annotations, podLabels, podAnnotations, envVars) + # as specified above, though only the first two will be relevant for non-workload + # object types. + other: + "service/*": + labels: {} + annotations: {} +``` + +## Deployment with pre-created secrets + +The init bundle that you pass to the `helm` command using the `-f` flag creates +Kubernetes secrets for TLS certificates. If you don't want Helm to manage your +Kubernetes secrets, you can deploy the Secured Cluster Services chart without +creating secrets. However, it requires that you always specify the StackRox CA +certificate while installing or upgrading the Helm chart. This certificate +doesn't need to be kept secret. + +1. **Obtain the CA certificate configuration** either through the StackRox + portal or by using the `roxctl` CLI. + - **StackRox portal**: + 1. Navigate to **Platform Configuration** > **Integrations**. + 1. Under the **Authentication Tokens** section, select **Cluster Init Bundle**. + 1. Select **Get CA Config** on the top right to download the configuration + file called `ca-config.yaml`. + - **`roxctl CLI**: + 1. Run the following command: + ```sh + roxctl central init-bundles fetch-ca --output ca-config.yaml + ``` + This command writes the CA certificate configuration in a file called + `ca-config.yaml`. +1. **Use the CA certificate configuration in your Helm installation**. When you + run the `helm install` or the `helm upgrade` command, + pass the option `-f ca-config.yaml`: + ```sh + helm install -n stackrox stackrox-secured-cluster-services stackrox/secured-cluster-services \ + -f ca-config.yaml \ + + ``` +1. **Disable TLS secret creation**. 
To prevent Helm from creating Kubernetes + secrets for the StackRox service certificates, set the `createSecrets` option + to `false`. You can either specify `createSecrets` option in a YAML + configuration file (such as `values-public.yaml`) or pass it to the `helm` + command by adding the `--set createSecrets=false` option. + +### Required Kubernetes secrets + +The following list contains the Kubernetes `Secret` objects that you need to +create in the `stackrox` namespace (or the custom namespace you are using) if +you configure the Helm chart to not create TLS certificate secrets. + +- `sensor-tls` with data: + - `ca.pem`: PEM-encoded StackRox CA certificate + - `sensor-cert.pem`: PEM-encoded StackRox Sensor certificate + - `sensor-key.pem`: PEM-encoded private key for the StackRox Sensor certificate +- `collector-tls` with data: + - `ca.pem`: PEM-encoded StackRox CA certificate + - `collector-cert.pem`: PEM-encoded StackRox Collector certificate + - `collector-key.pem`: PEM-encoded private key for the StackRox Collector certificate +- `admission-control-tls` with data: + - `ca.pem`: PEM-encoded StackRox CA certificate + - `admission-control-cert.pem`: PEM-encoded StackRox Admission Control certificate + - `admission-control-key.pem`: PEM-encoded private key for the StackRox Admision Control certificate + +#### Obtaining secrets for an existing cluster + +If you upgrade from a previous Helm chart, you can create certificates specific +to a particular cluster by using the following `roxctl` CLI command: + +```sh +export ROX_API_TOKEN= +roxctl -e sensor generate-certs +``` +Running this command create a file called `cluster--tls.yaml` in +the current directory. The file contains YAML manifests for the +[required Kubernetes secrets](#required-kubernetes-secrets). 
+ +#### Obtaining secrets for an init bundle + +If you want to deploy multiple clusters using this Helm chart and want to create +certificates that can be used to register new clusters on-the-fly, you can +obtain the contents of an init bundle in the form of Kubernetes secrets. You can +use the StackRox portal or the `roxctl` CLI for this. + +- **Using the StackRox portal**: + 1. Navigate to **Platform Configuration** > **Integrations**. + 1. Under the **Authentication Tokens** section, select **Cluster Init Bundle**. + 1. Select the add **+** icon on the top left and enter a name for the new init + bundle. + 1. Select **Generate**. + 1. Select **Download Kubernetes Secrets File** at the bottom to save the + Kubernetes manifests to a file called + `-cluster-init-secrets.yaml`. +- **Using the `roxctl` CLI**: + 1. run the following command: + ```sh + roxctl central init-bundles generate --output-secrets cluster-init-secrets.yaml + ``` + This command stores the Kubernetes secret manifests for the cluster init + certificates in a file called `cluster-init-secrets.yaml`. + +You can then use the YAML file to generate secrets through any method that you like, for example, using Sealed Secrets. + +> **NOTE** +> +> Even when you use the certificates from an init bundle, you still need to +> specify the CA certificate configuration every time you install or upgrade the +> Helm chart. 
diff --git a/rhacs/3.0.59.0/secured-cluster-services/assets/icon.png b/rhacs/3.0.59.0/secured-cluster-services/assets/icon.png new file mode 100644 index 0000000000000000000000000000000000000000..3c136e3990a7382e8742c9079028abe00697c82c GIT binary patch literal 13406 zcmcJ0WmFtZx9$w??(PI91a}V-T!IYl4uiY9Yk=SuT!Kq*cL)~TU4#3b_dDN_b=JE7 z?wz%Ix_j3y>*}h#>v?uZDl2|QMIu51005}6GLov0^YA|h0uf(`Kj9?-66ecpN3IKo?9RLsz0suTgL;;5YfGaxyaBK(w@TUU+_>Ng^DuR#%L`NBI zX8-^h`=0{{$jl-D0HBbq)U{l+6u$7AIM}fonK~Gov3l4!LbL$@K@Wb&rJb3J5rv1H zt-Uk9hY;1jH25Lc|A^VBDE_75Vk1PQrJzh9;Q%(H;9})uWv3EGqM)D<1e==kt4d1$ zJ3Hh~h|1E%#gU(l&E4Id)%_Ez1K5J?BOf0h8#@OZ2L}s8gT>j?-o?m+#on3vKMMKJ zawN^1O~6);E>;fq6#tZKWbEMTB1A>?PeuRr`;T_ISegHKP4>?J?iQqjZ2zRNePm^4 z`>(PgSq1-*@~fITJJ`DZQ@n<~m5VTk;J=jrxA?zn`;S}_4t9=UGiPT=HsO!|&hkHH z|65-PY-I-N-#^v-m;V2h{cn9`O9vMR$g>7pnaJ9^n1Lac{X6%6Ht_$h@$a$(+5UN4 z|Ksuf$JqQ!3K<+>Btf?S8fal8bScJU0N~>w8s_U9GWue3P0 zQj!?Ouwi&GN9RrL16nq9CTBW}ZhGE}=jV9sxX>`r%Ay!=2kQdY9$&5u!)CpO9bU)L zJ~^DX-+L?NI;(u7mQEFoPykZHF-xOp#SqjId^GMh?hhD<07hf}zZ90wsH>~rY)N23 z<5Ay=A4BhG#W2FEPW}EwCg{@}Fd$=>Fgon>%XWT0EUgY9<3h+0YW-1?fB;(4Ozimf z`zhB+lZ_Ujh$K^Yi0UjLZ>i`WHuS~>(&ACnvePVg-KKM!vpGV_b}u^2DpD*WZOP__ zSc&12g>3j-gx|*9s`N!*=WDl9VcU~G*c7)4CyplJFr;ILa3zVE<|@*6hzNgbw61xe z@d|%N2Fv)pJwt~pd4`~f%7o~I0lv-FbtlYnM9zPMP=-u-)ra|0s;#HHI8$rDGCk_5Uk~+5AM5-hdti`LRpG-LpRS)3}Fnj=I zPe>F4dTnRM%GaBBz}NN8iPyurfdCDA8NGHV_oZ}g1U{-=)S#MH*UB(e!K;ikOd}n9 zR=xMbVoGSuj0DCfiom&SZ}cGr{fGo6aZ(@^i|vl6Ggbs+PUfDV%^TxjT{=1NckpMW zl1UJfhxqV>D9(>~O58FA0@c-G6GFWq_VLkQ&)+Mv;)!)pw9G`0kLqvuq8IYsA1QZd zXSpZ4S#yxMCZhBuL*03O@BR+4pc2;Nh%=r^?QfeAE7vPeM?r>;KvgC~+NvyoQPfmk zg+!d}w>cYAvI*{01n|TpU~cTIgJ$*X0sL>vkW*LY+TS24R$A#)2E0(aY^+2#fOrmJ zMh&i!JolfH1*2$S#T=u#*+Jz-!`O5kwzylSdE!3tN7#t8*A8=YfoZP$5?pV74*E@Jx_ zijJ?1IdIznDF6nO@Q^k;YCz?_{aTalO78VtHZysWafZ!;U4;orWP*VBEgp;B=QB09 z%H^%h0=59>(?9;>T(#tGdBh<^$)+%vo*6 z)tjkxyaLH_4h3q3Y=PG$x?XD2?sj+2#%Qa2B|=qL*wD{$*{BhOQIzw7OG_W?A~j-; zgW`j*D!b^?@{0L<%t=~(ZqvrU)wCKMTv85jG+*$Wu3^@HF?1NDi9uyfZtG;#YgK8l 
zl)14IM_Ra>`!hD9C%u*arBGCBphWZIEz@phlIm2TeB;k(2P14`OHuwFX0KJbFnjq?cZrQ`5~<8Df0P`?W4X) zL2$Ai5iC>@U?ZxCy|unCCYWaq^cKEAtT9q9g+=DXi9#anLBQ=It|P z6iu|(yU}roRhODR6cbFPlizX=PX;~d=yO~~>mm?uZUCHASXq=x4pi~LS zfStnjv*LqwMhn zCROx!x&~xHck{0rI(9c&J2J2FbU8c zLtBHq@HcmQtmvv>xa+_3-*Ii;q^qbzB^K)NlV@&ciKFc^hOxB{iXn< zZnB%&eyjM->)c<4xAg~XDMO~~U2MEAH!({6hA|GW7$%-Zok#>oUfgvw$1$%DT{Ke~ z+e7#c_2L~9;@ja{mR`ve#O}(RYc}Gz80A|D+vW#9TSVtDea|F(7p!HaDP#}Tw_5`H zGdP@&3WugrB#;*V_8&zj>iPAkYVkxY%vJCbh`Ko+553RA=QvGA94*?fs%*NjL~`c{ z<%$=?-pMcpgoGK3#!&|=>rRnr|CtBDsyhb`D2&GH-iO6y%J%x`8xr#u3pn+xJ;%#YiO(kVz9YY9w>vhqfsm+^u=~ z`7qeW8aTTyeYL+M;l-?kxuI5=#`t#Ew>FH;msNhwNTHsr0^2r_9(gUBUQXpiIf zz2i9OQ|630;kiJ4+vBN}e}(@{yd}mdHx&ugoCH+}K?bP^rvJCo^__3!RUTTEq!Y`S zwsR$DyTR!Tz!4z%gqkh)=~HU>V}My40Z+JOT%Z|UX$~Q<4%EmkWHb0xCT*Kf)SGKMAMp!5j&g2t`Bz2ToU>E9 zQXe^t_JMHM>h@Bc$0P05EJj5P$5cKnzkYiTb$p=JK zA)gl)r0PC6>X~e5;?!}(yoq$lN?_&u2UHc*M6Y6AJkNuXdY2;dg=rFjH1#B2xY%&_ zDzBs6Qe_DgTJi`-=XZQie|v`7OYpjT8R!`BFUS?UaI!bTUKv%KA4hoL4^1htqG3B-_YBi_>Zsq@iLYN=; zf!P~o4ElyTEujsZER6~6B9Mnig;0{Z%-Syu8@T{AiiR`ra2f$6?td); zCwVKyY<^4{G^4=}s;zH2`I78o_bfI;oR{ot#Yde^zvM>qHExB~SUr&1#&pLv+D#G? 
zd;5d=Qv5~4O)nnXiYRhssuXcOI3Oc%9W_QFI-tVeT!10&oj z7wdm)5d_5;?+3HF#E9 z6WvsUamdv;q1q1&n@-1{Cf7viUsXp@r(I)CcVKlMIH$vuhwAaG86ESY4Z6lARyt2G z?6O}|Rnm2k@_>n#CsqA^J~d_aX+l0X>aFA=Y;6AbZzlF)uMoSWQ}#(LSVjU<(4@i2n&IgyQfn3>F^kN2M@RMc5 zn~0`u(){l-=(SI_7;!a6a6LICBixKl9kcb6A2a+tgJF4W$4_l|&KcuL`o7aE8N?iM zN8#auXQWxU#G>?<_f@p|p2sh?c79}GAMC*6*(ZmS=$b?;3Fgl|gJ1Xc>`@Q9?#Tq< z>SkB@HOD~HA>5&VZ1GOXI0C#PAD|GFqi1436Ci%BMpX%pAl~u&U^ezHVTlreb?WE1 zz)6FSd`HG`B{=%Z@& z8r_Vv#Z3k}>UEjQ<;bs0?V$qlS1j+?VzjMt^(~e8>vH#tza63kM=)~0P;Lec&)cF& ziB8Vd)&qo7K`j|drhFqtR?-~)3Uvz2?X~XCx`iTHg8>)=Y$Bpr)G*3Wx)@%+V{x(k z7k2Wl(gaCjy?L#07G#B!$aR=Tj5*RoIFiqsz( zZct1K@}+!6#pxRIrCipyF}(_4mIWi$L#|^Roz9`m4O@LoUQk@H_Uo@uh$CJfIv{m4 z1qIK&hL`R9V5KAa)q5wsrYtvBUu$tir*v2T(J;RI5GA8sqWgDF z%12ScASSy7z{##N!E7mBhr|}t$j0g`gZLug{Kj}p%=C@3zXQpG(b@sB&wajfzD{W` zQOy<16}Etls*n+&U^e1yh8JcubaM04+D5pkC!e57I$4=xkA3M- zz!4di`gYu37TrBw`jgF6yo^VF^p<(yvf6NiAfgD&*I4)EaoPP(`GlEtT<#CE@poUA za$?aaBokDbbfx-C)^W2)1JouL4GtFd)YIds+m*oR23I-tIS{OQAQ4CV9cgM(n8Q!- zvgb{y2?5+D_O2Iq{A^>C*e#T$6S4u({{G&x6slNka5oipWu@d!`|DJEm>CihQt@*5 zEIuKd0h{hGST1zv%~^iiX>fUt{0IpetlIIzkld+1LpdWCvIb#!#9}wG8~b=;nrbe_ zQ?q+bPqOLSUOFlTy%tL>m|&#4N%XR5zBg*LIK(`Ol>Pi^GKJZC{;~UY8CBpo zBe>GVQqmercBV2@PYpLUtgh55;p>tpV`s%6x1%%x2sO`%?T}9Z@YhgkyW%^z1;Za28h=QW<&=@n# z14J?59+F+#z>Y(mb?+Wbvv)Y@=K&rLhQCyyp;zk56gmR!Kx$mB+3M|?QbqaLwJ-4@ zCNqEFS>WeUZH)<8*zs}d&!qzc>tsE*@t$eF*g%#5PKk<6_HewO(w&0h6SHE<+t|Q> z-yeP)b+$DeO^)?C+MD5TyiLdev%7JK(v{(J*Iy7*9|k$zr+8J9vj{02Juh1)W1(LQ!}lYn zTv-E;2F4ca-oEDCXHe4{dPV)Gj<5p zq+AgJc7pZds*5T!Au!)sI8)GUO5t4f-h_!8L74nnqPTdahCdeOu9$=OJQxz3!yG?0 zKFf7_V_&iGCc!e1$$)Bv*l9&-KikQaPNWe~H9B7>!{HtN_o>AbDfVz_;$s|mEq-Pu6&$>HL+Z=eq0~Qn zpXkiiblu5PAQOFKzYXq2%8L?81z9{SV{23XrKcajK87Op%PSxOYJuVFum_T_x4Iqx6}o0H&VyzVQ6dO4zuo5?1W|R?%~>4k`ag(D7?o7O zO}IStd>b3z?ZZ(w2|2CZXp}C$?Cxk3>#@Xr6J#k=EzW-myk+HKqwxALi)wF;TgY(| z$4QlCK9JevIa`~)kKcbw5bXCCJH2LAG)Z&Ry$zf!r)dAz+6bE-RD!Y6yTg6dLZ2FH zw734+RVDtt^yMMdMa8ZC`!^9)8_BIvkpVK&c?;lIX-?F?XypCzXgPUhQ{ol)13gsXW)(bRa(%7Q??q`P(y=gj49M5V-#8n&wL=B@=IcWF 
zEA3fi&0x-)hYnDca!M$(H|f%5bb|Dha|y#TzPYu5JL|$U9}ud;f=F9=Kh=9WhHt*T z=uq%?K=2Ny_{>Zqp8jC?0a0r9)Nf^)0xwz@$Vi3lapI^i8u1P?jMO0WaXl3;yvyjK zkM)2asFfMc1kN~qzrR7u-!nLO&`*i6PkX1?3wx-BobhYqMl@?VCAPz<&jKCmSt=EAd8tSpeF#DST~?g|Ez%bU zF(V_NDe%Lf+<0Hxwho1#$AQ!!6KXU;EhlUmuEwiW))cA3dZz*5mkL$v*C;QP^Z?<$ zSgg65@fWx0bpARLL&s`rw@Lno&@{>gnr<2JB~`|!Sbynpm1dX+EMsrqxlF2)3dhVbI!8a1sENT) zs4M|U1!vMSaWl$=^!|`SsM_jRTtxm>JthZSE^jTaQf6f;g9R53>0S=FC{7BHaL=Qc ziRMNyGA7ZHB|~7yQavI~ug9-lMGXDCQ5t%`dyDB<#Fyc3COnzWPS@kG^J@{X_Ze^n z^nOffvz`PMbbj1o{UBSxGZgAy$;6_2W#@0u1bn0E;Ao0UCOw2pj_D|EI@I!rYChwq z`4~4>+gDoueENvPuzo4X0!c|&3-htfsvfr+SB^pUGVcG}S8&=H1CQbJ9Vb0%^3xdN=(I@n7=n>@P z7bjWFx|ovQ418C#n3`D;_~c<9X&KD?`*Js-|4F&nf8wq?yIjkjM0d|qPXYG6;G z3b$2{U)c#kwXHL($!qnyCfl;W*UPa2Uu!D1f}TNb;NV;}QAEx?i2d!wV_sYX#I?d` zsfxc0R(W6kKtf@Ae|_Gb^^Jo-eAViQn$}&0$JL-;QYX<-X3JrVbcPz%gMPPUbF3~2 zT+ZsLaAoDtc=rUyw5_G(OI0`n{PSMTM3Rl|v6zKQ8UJv8hX2X>{X@_Fn+p7w@QF8q z>^Qk0JU-XF)29%r`MJBR#a$TZD&EAb zJ1Iw?tZZb;UkQCx^>2m_B`{hxZ5zGhBSHqVPWk?>-XGH801a`_gtFJ**lW1rWO{pn z|7=QnbyxpA0V-R`lz!*MW+W#VWbHJcBU>qL*yws5lh8-b#GQJAc_{34%YU*SJk)(j zCg?@wEhOigmiQReg(yPgK{>A+YO!^;0!qJ`T9Krj%P9i2QJ5;RW~v_r-SqhxbS4_O zf!YJ+m+Pt*#FuaFK?fGLXr#A>+TzwInHzRsaASBr6+M@9%P z^U~$9y+Yc#_133;&U}8F)x7AiPMRu+PI++W_X~pqO@TyPnNPvlnz^>=491Yp*MbCM z28vQ`nxR&nP4>*sGwU4{y7JXJ?U2VigQcD)51Gi9vKSWa{b78NHB$7phV<+0iN!Tb zCbN|*9GCZXSQGJBV+HOXZy_kZQmhH4VJp!2$zn)Ms$AQXzcV`r0eaf)?y!wU&*y!O*;e^T^%WJ14t+jcjWPBIGt>eH z*;JyJKa{LX4%^v>^qy&{i+1)mo?oBu$r)-vk1RVyceo1GYsxqHHiR_|Tl@JFgDAS$2IXqaK>7Yn`pwWJ`fW^2VxJb zy^bdgOCY<#;HL<#9ZZ|qAo`4fUjTiz>@JBwD&!ZYqk5zJV@faXOc;)mJVX+qQEWJ1 zwTFOG08Czk>;I;|Kmz+wCu4PZ$WLQy~m#3_9b_khSGgCm*LY*-;ysb6?hZWc1$qM`tn)C94-Uy+hJ3HL!gOAfO5`$?A>iZ5 zX(&#}xIz||tow%{gQSD?4&QePt1Vjm3-)b$Xu5(6AKj(?tCi&5ldz(%n5)=y=etM9 zs|v$g6L$e7ORuq&+i+;P+}>M6OC{`>D%t)(b;3Ubl%@^oH=ap}6x;az)f<7pB7Bs= zuM%TRl!bn}4@3MdBmGD6S+7rqK8Eie&;Cv1n@it8hE6Sf;8SM7mR4k+?$jKn5>cGC zX=md-tPfb-NG|AP6twV1DNuz(Ayp)p)_5@8VD$4`LD#D!-0z!-pWpb0 zRvVe5b&)+dPqeSUUK1xfI@ehq@q0*{JU{Fgz<7DFh3g@40BBF`e7_UqM)auvDsy}v 
zj&f$^Kb&|!l^DipL}|P|40}66C2k(-j_j7o6;xo_Wnh|R(gVHx-8;FtiHV6BzquJd zf2Hp}eg2H*^~B6VeQov>9fMDpVRgg?c9vJ?p`t_K8aH_Zb!C%n4`bE_z8V&ABYt#+ z!?~YdGkuV- zIwCYcgbvTZ?a9_~r@=>YrFj-AH6ov_TyB)zd(ns@6kFPo_ML@~A@ zG83dfl_|}(u*m_V1yoZh250&adB7!4$so00pD!Wb2e^=ER36bn0$nL;q;|pmofQr~ zTdsz-NxRJ2M|zOq^a^mOcl$W`=6iH>^3vnn<$X4|M*gJ$v8y?6G*W$o&4WZCT1x`c z(fzrL`+WCma~s(ABUy|e*r&NBRAIdw!)y7#itiy^BbGef{6?TL5rk^Hli-K2U~DMPh*mYuCQWP84w)Vi*tdRSaDxyj>Y!8 z0}QZwj#AbBydF^+E7!ay7Zw|C$IZ*P`e66#v(N*W1ptoG4&OgBzB$7(_%*pbMYe`p zgjs_8$K3RWoU%a3u8+v9Q7rvuf^Abd%)8%sm1nUA)c zHa|~x|GM&H^;UQD9@bi)X?AiITIR-o@4$H7h3{(jzEB}7+Fm4X3eYr!XVf$K?lE0_ zF7gGI_SQcvKd#gF=TGOT`I$^zp|TNG6hPSRhuc3-6YXD?-2;y>Tu;L|UsbNzuL3_6 z!?R#$-6YRyx`@;Bq;Bp>GQ zd%Knx%6CS&FGCbK>ip*(M+HBHE@nr)?e+b_^WKO`5-&INtS}YoM9+hviIJle#972e z+htOD0)L7iNt3_LJiS3kGR+&8Li+I`tVi7q2!PObqX4H5`@9SBeUGD5%3lxHRS}?9 zyq~i6*sIPQZS?PRg6T&7{DFj#t#O}8(GjruS1$2-y>v|a4t;hZ+9Kzh7BMyy-K8)Y z>Ssgg)8Tg+O>kuPsu&nMjB^+A+%LF{+zBuUK#dG~Q3lug*IkFtYOzsr!FHMUN6(SA2C?=5>V%Ei*X` z0M!LDu-x=$Ax4tlg{lx(B0vB?=%MAdojfAyja2tEMa&-uZ`=;F%#25`$8_EcDHw(` z?%k$Y9L{BFX3Q!cw-~e1rF>U=5fN&mXh-4J>5@&g*wE2x-v6+M!|Wc@hZ$r8KY0u6eGFwBL<*112h!^OP(Qr|25euyI zUCjRr6%F=F5Rlt*-Q(GyBqyl$e>n_g(lShlV@@@e+gV2H{B=(&IvM++Mr`P(199nN&S zgr$8HwlZmlSOl;t5wuh_DSOhYT;UT= z-I64{qZt9rUhkEaS#D%Pna$CGxmxW;;kGy=!W4f`BX5Fq`CPVhUkXDMjOpCZKR zopX1^tv+GDUqJk++NyHGY4<~%2LpEQvc#oX)enO@ zoYZViaS^J;cqwR_ykp?T&mO!;A$N*~x!BM{tq#^ps!tdZ8;|lR2dYa%LPlgxeuoQwZGXrPuO5iROfAyCpZsLo<`7 zjk~2|@}77)o2#P#=0D5OO|M2Em82Z}%#!nW(kww0-b!+tox#wFNJ8>QqD)_xO1npE z`G;5BZQc8Ts`%9Van%Bh8^rqr;Ig^lN_!5UyHw&jOQXi_AX2MT_Fv*bye-{3c(m-K zTXRGp9=`gKkOxQg{A2vRjFY}ZSuL=RoRm0S5^j)2<=t)zKC~WHYo;NBR!U7cN#a-@ z4b}IRZe_6kM~N&<_YKO-acLwHHgfzQsFR*;wf%BbEy#Y$qQ7^V)@WGbrVrLgr7Z9Ynh$-?pAi6tQZAZwps^Ioa zeifB=oSfX!(#{ee-W&#%Yt#)PoQM2}aA6>t6lFHL;L%iHTHjkRee~X*(YFk4YCd1I z78!VB-e|?FHZ9OoI)%qF>uZu#>JoD#2L+Ej)w{1)E@iUHr*x)8LT62xVgQgfw#2QJ z*q7uDM-T2=#MLi@@k^jpg_m$K>QyE`q2D~p6 zT|*u0-viLXH7f8Z z4beLfNUJ7%4RgUDD9Com>d6lGF~7#yOUgl<4Kdn`;~w@IY_Scqw{+CFZh9( 
zZHp;`yeBb{X2kbN-i}yj3uW#pgAT8Q^H(MY9v<62sFo54JuVJ^+VJzB%b|yoA6UiG z4{Q4|14JO}_D#k{>8>XPwhx$D?{p^L-63ITyXiY_h9%r0f&}s@R8S?+{+_KO?r2Tf zWs@PzW8BhpTOtn0D*Y6i%TepQXrvl*+~|2Cyw?pi09vHW>5td55>;bVfy%|XaRtN~ zy&NtMwvIvgJf*Bo1U2951-*1P6sKRxN!&X#O}>jmWmBHw31J8hn^}b69&^k$h$l(uUWbv$mgqZIg7I+3 zczu#~e`=2n(jJ{ahO!ZP%5eArkwwm|9)L1TskKm+f`FyZ~^&~XKV)eLds9g|P4e+!<>XJiBrUJ3GSNDqjX zE)ZnHc0-UaSrYJB-+a65u_NCO!iivyqOl;5d9BGkX8CLhs4JP%oEwz)^8?rvdad)> z@w}G{I3v->VyyfN&@vxyNByf8ZX&%s2yW~_1PS^(yYEPM;wQHYk?LVj#$mZ{O zv2U27Pz6PN>+Gx6suGl!p@w2kC%~Em1PL#Jq0DBJ?ZG3spBVOWg#@A1UH~LKi~y*VRF-a>G22J)2+V$(X~T0mdFs8c-Th-J7AkXJGJPtJdiM9-g^`m%!C* t_V2G6APDDwe(C^$J^%j;tx;Y@XgXYCubMwn{qq%%tdyc;wYXu>{{cr9X{P`H literal 0 HcmV?d00001 diff --git a/rhacs/3.0.59.0/secured-cluster-services/feature-flag-values.yaml b/rhacs/3.0.59.0/secured-cluster-services/feature-flag-values.yaml new file mode 100644 index 0000000..2a0c5a0 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/feature-flag-values.yaml @@ -0,0 +1,28 @@ + +envVars: +- name: ROX_COMPLIANCE_IN_ROCKSDB + value: "true" +- name: ROX_CSV_EXPORT + value: "false" +- name: ROX_ENABLE_ROLLBACK + value: "true" +- name: ROX_HOST_SCANNING + value: "true" +- name: ROX_INACTIVE_IMAGE_SCANNING_UI + value: "true" +- name: ROX_INTEGRATIONS_AS_CONFIG + value: "false" +- name: ROX_K8S_AUDIT_LOG_DETECTION + value: "false" +- name: ROX_NETWORK_DETECTION_BASELINE_SIMULATION + value: "false" +- name: ROX_NETWORK_DETECTION_BASELINE_VIOLATION + value: "true" +- name: ROX_NETWORK_DETECTION_BLOCKED_FLOWS + value: "false" +- name: ROX_SCOPED_ACCESS_CONTROL_V2 + value: "false" +- name: ROX_SENSOR_INSTALLATION_EXPERIENCE + value: "true" +- name: ROX_SENSOR_TLS_CHALLENGE + value: "true" diff --git a/rhacs/3.0.59.0/secured-cluster-services/internal/cluster-config.yaml.tpl b/rhacs/3.0.59.0/secured-cluster-services/internal/cluster-config.yaml.tpl new file mode 100644 index 0000000..9c58023 --- /dev/null 
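Review bot: The feature-flag-values.yaml hunk has no header comment saying what the file is for or in which shape it is written, which matters because a top-level `envVars` list is the legacy key that compatibility-translation.yaml (later in this commit) rewrites into `customize.envVars`. A short comment such as `# StackRox feature-flag environment variables in the legacy sensor-chart shape; translated into customize.envVars by the compatibility layer` (inferred from the translation rules, confirm) would stop a maintainer from adding entries in the new shape. The string-quoted `"true"`/`"false"` values are the right type for container env vars and should stay quoted.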
+++ b/rhacs/3.0.59.0/secured-cluster-services/internal/cluster-config.yaml.tpl @@ -0,0 +1,30 @@ +{{- if ._rox.clusterName }} +clusterName: {{ ._rox.clusterName }} +{{- end }} +notHelmManaged: {{ not ._rox.helmManaged }} +clusterConfig: + staticConfig: + {{- if not ._rox.env.openshift }} + type: KUBERNETES_CLUSTER + {{- else }} + type: {{ if eq (int ._rox.env.openshift) 4 -}} OPENSHIFT4_CLUSTER {{- else -}} OPENSHIFT_CLUSTER {{ end }} + {{- end }} + mainImage: {{ coalesce ._rox.image.main._abbrevImageRef ._rox.image.main.fullRef }} + collectorImage: {{ coalesce ._rox.image.collector._abbrevImageRef ._rox.image.collector.fullRef }} + centralApiEndpoint: {{ ._rox.centralEndpoint }} + collectionMethod: {{ ._rox.collector.collectionMethod | upper | replace "-" "_" }} + admissionController: {{ ._rox.admissionControl.listenOnCreates }} + admissionControllerUpdates: {{ ._rox.admissionControl.listenOnUpdates }} + admissionControllerEvents: {{ ._rox.admissionControl.listenOnEvents }} + tolerationsConfig: + disabled: {{ ._rox.collector.disableTaintTolerations }} + slimCollector: {{ ._rox.collector.slimMode }} + dynamicConfig: + admissionControllerConfig: + enabled: {{ ._rox.admissionControl.dynamic.enforceOnCreates }} + timeoutSeconds: {{ ._rox.admissionControl.dynamic.timeout }} + scanInline: {{ ._rox.admissionControl.dynamic.scanInline }} + disableBypass: {{ ._rox.admissionControl.dynamic.disableBypass }} + enforceOnUpdates: {{ ._rox.admissionControl.dynamic.enforceOnUpdates }} + registryOverride: {{ ._rox.registryOverride }} + configFingerprint: {{ ._rox._configFP }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/internal/compatibility-translation.yaml b/rhacs/3.0.59.0/secured-cluster-services/internal/compatibility-translation.yaml new file mode 100644 index 0000000..4e33afc --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/internal/compatibility-translation.yaml 
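Review bot: Several templated scalars in cluster-config.yaml.tpl are rendered unquoted — `clusterName: {{ ._rox.clusterName }}`, `centralApiEndpoint: {{ ._rox.centralEndpoint }}`, `registryOverride: {{ ._rox.registryOverride }}` and `configFingerprint: {{ ._rox._configFP }}` — so an empty value becomes YAML `null`, a cluster name such as `NO` or `1.10` is retyped, and an all-digit fingerprint is parsed as an integer. Passing them through `quote`, as compatibility-translation.yaml in this commit already does for env vars (`clusterName: {{ quote ._rox.clusterName }}`), makes the emitted type independent of user input. `mainImage`/`collectorImage` are less exposed but would benefit from the same treatment.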
@@ -0,0 +1,137 @@ +# Configuration compatibility layer translation rules. +# +# This file is a YAML file describing an object following the shape of the legacy Chart configuration. +# Each leaf object is a config fragment template, that will be merged into the user-specified config when specified +# by the user. +# +# The config fragment templates may reference the values ".value" and ".rawValue", the former containing the +# JSON-encoded value of the input field, the latter containing the value as a parsed object. + +cluster: + name: | + clusterName: {{ .value }} + type: | + env: + openshift: {{ if eq .rawValue "OPENSHIFT4_CLUSTER" }} 4 {{ else }} {{ eq .rawValue "OPENSHIFT_CLUSTER" }} {{ end }} + +endpoint: + central: | + centralEndpoint: {{ .value }} + advertised: | + sensor: + endpoint: {{ .value }} + +image: + repository: + main: | + image: + main: + name: {{ .value }} + collector: | + image: + collector: + name: {{ .value }} + registry: + main: | + image: + main: + registry: {{ .value }} + collector: | + image: + collector: + registry: {{ .value }} + pullPolicy: + main: | + image: + main: + pullPolicy: {{ .value }} + collector: | + image: + collector: + pullPolicy: {{ .value }} + tag: + main: | + image: + main: + tag: {{ .value}} + collector: | + image: + collector: + tag: {{ .value }} + +config: + collectionMethod: | + collector: + collectionMethod: {{ .value }} + + dynamic: + enforce: null # bool + scanInline: null # bool + disableBypass: null # bool + timeout: null # natural number + enforceOnUpdates: null # bool + + admissionControl: + createService: | + admissionControl: + listenOnCreates: {{ .value }} + listenOnUpdates: | + admissionControl: + listenOnUpdates: {{ .value }} + listenOnEvents: | + admissionControl: + listenOnEvents: {{ .value }} + enableService: | + admissionControl: + dynamic: + enforceOnCreates: {{ .value }} + enforceOnUpdates: | + admissionControl: + dynamic: + enforceOnUpdates: {{ .value }} + scanInline: | + admissionControl: + 
dynamic: + scanInline: {{ .value }} + disableBypass: | + admissionControl: + dynamic: + disableBypass: {{ .value }} + timeout: | + admissionControl: + dynamic: + timeout: {{ .value }} + registryOverride: | + registryOverride: {{ .value }} + disableTaintTolerations: | + collector: + disableTaintTolerations: {{ .value }} + createUpgraderServiceAccount: | + createUpgraderServiceAccount: {{ .value }} + createSecrets: | + createSecrets: {{ .value }} + offlineMode: null # not used + slimCollector: | + collector: + slimMode: {{ .value }} + sensorResources: | + sensor: + resources: {{ .value }} + admissionControlResources: | + admissionControl: + resources: {{ .value }} + collectorResources: | + collector: + resources: {{ .value }} + complianceResources: | + collector: + complianceResources: {{ .value }} + exposeMonitoring: | + exposeMonitoring: {{ .value }} + +envVars: | + customize: + envVars: + {{- range $_, $v := .rawValue }} + {{ quote $v.name }}: {{ quote $v.value }} + {{- end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/internal/config-shape.yaml b/rhacs/3.0.59.0/secured-cluster-services/internal/config-shape.yaml new file mode 100644 index 0000000..f21ae54 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/internal/config-shape.yaml 
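Review bot: `tag: {{ .value}}` under `image.tag.main` lacks the space before `}}` that every other fragment in compatibility-translation.yaml has; it renders identically but reads as a typo — `tag: {{ .value }}`. The `config.dynamic` block (`enforce`, `scanInline`, `disableBypass`, `timeout`, `enforceOnUpdates`) is left as `null # bool` with no fragment, while the `config.admissionControl.*` entries below do translate the same settings; if these legacy keys are intentionally ignored, a comment such as `# not translated - use config.admissionControl.* instead` would say so, because silently dropping a user's `enforce` or `disableBypass` value changes enforcement behaviour with no feedback.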
@@ -0,0 +1,122 @@ +clusterName: null # string +confirmNewClusterName: null # string +centralEndpoint: null # string +registryOverride: null # string +exposeMonitoring: null # bool +createUpgraderServiceAccount: null # string +helmManaged: null +createSecrets: null +additionalCAs: null # [obj] +imagePullSecrets: + username: null # string + password: null # string + allowNone: null # bool + useExisting: null # string | [string] + useFromDefaultServiceAccount: null # bool +mainImagePullSecrets: + username: null # string + password: null # string + useExisting: null # string | [string] + useFromDefaultServiceAccount: null # bool + allowNone: null # bool +collectorImagePullSecrets: + username: null # string + password: null # string + useExisting: null # string | [string] + useFromDefaultServiceAccount: null # bool + allowNone: null # bool +image: + registry: null # string + main: + registry: null # string + name: null # string + repository: null # string + tag: null # string + fullRef: null # string + pullPolicy: null # string + collector: + registry: null # string + name: null # string + repository: null # string + tag: null # string + fullRef: null # string + pullPolicy: null # string +env: + openshift: null # bool + istio: null # bool +ca: + cert: null # string +sensor: + imagePullPolicy: null # string + endpoint: null # string + resources: null # string | dict + serviceTLS: + cert: null # string + key: null # string + exposeMonitoring: null # bool + nodeSelector: null # string | dict +admissionControl: + listenOnCreates: null # bool + listenOnUpdates: null # bool + listenOnEvents: null # bool + dynamic: + enforceOnCreates: null # bool + scanInline: null # bool + disableBypass: null # bool + timeout: null # natural number + enforceOnUpdates: null # bool + imagePullPolicy: null # string + resources: null # string | dict + serviceTLS: + cert: null # string + key: null # string + exposeMonitoring: null # bool + nodeSelector: null # string | dict +collector: + 
collectionMethod: null # string + disableTaintTolerations: null # bool + slimMode: null # bool + imagePullPolicy: null # string + resources: null # string | dict + complianceImagePullPolicy: null # string + complianceResources: null # string | dict + serviceTLS: + cert: null # string + key: null # string + exposeMonitoring: null # bool + nodeSelector: null # string | dict +customize: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + sensor: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + admission-control: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + collector: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + other: {} # dict +allowNonstandardNamespace: null # bool +allowNonstandardReleaseName: null # bool +meta: + namespaceOverride: null # bool + useLookup: null # bool + fileOverrides: {} # dict + apiServer: + version: null # string + overrideAPIResources: null # [string] + extraAPIResources: null # [string] diff --git a/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/00-bootstrap.yaml b/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/00-bootstrap.yaml new file mode 100644 index 0000000..846ca57 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/00-bootstrap.yaml 
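Review bot: Some type annotations in config-shape.yaml disagree with how the values are used elsewhere in this commit: `meta.namespaceOverride: null # bool` is consumed as a namespace name in 00-bootstrap.yaml (`default .Release.Namespace ._rox.meta.namespaceOverride`) and documented as `namespaceOverride: stackrox`, so it should read `# string`; `createUpgraderServiceAccount: null # string` is defaulted to `false` in 30-base-config.yaml, so `# bool`. `helmManaged` and `createSecrets` carry no type comment although every sibling does — `helmManaged: null # bool` and `createSecrets: null # bool`, going by their `true` defaults. `customize.admission-control` is the one kebab-case key in an otherwise camelCase tree; if it deliberately mirrors the workload name, a comment saying so would prevent a well-meant rename.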
@@ -0,0 +1,15 @@ +# If we are being linted, magically apply settings that will not cause linting to break. +{{- if eq .Release.Name "test-release" }} +{{- include "srox.warn" (list . "You are using a release name that is reserved for tests. In order to allow linting to work, certain checks have been relaxed. If you are deploying to a real environment, we recommend that you choose a different release name.") }} +allowNonstandardNamespace: true +allowNonstandardReleaseName: true +clusterName: test-cluster-for-lint +{{- end }} +--- + +_namespace: {{ default .Release.Namespace ._rox.meta.namespaceOverride }} + +--- +meta: + useLookup: true + fileOverrides: {} diff --git a/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/10-env.yaml b/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/10-env.yaml new file mode 100644 index 0000000..101a77b --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/10-env.yaml @@ -0,0 +1,20 @@ +# This file applies default environment configuration, based on available API server resources. + +{{- if kindIs "invalid" ._rox.env.openshift }} +env: + {{- if has "apps.openshift.io/v1" ._rox._apiServer.apiResources }} + openshift: true + {{- else }} + openshift: false + {{- end }} +{{- end }} +--- +{{- if kindIs "invalid" ._rox.env.istio }} +env: + {{- if has "networking.istio.io/v1alpha3" ._rox._apiServer.apiResources }} + istio: true + {{- include "srox.note" (list . "Based on API server properties, we have inferred that you are deploying into an Istio-enabled cluster. Set the `env.istio` property explicitly to false/true to override the auto-sensed value.") }} + {{- else }} + istio: false + {{- end }} +{{- end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/20-tls-files.yaml b/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/20-tls-files.yaml new file mode 100644 index 0000000..6eb6408 --- /dev/null 
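Review bot: Istio auto-detection in 10-env.yaml keys on the single group version `networking.istio.io/v1alpha3`; a cluster that serves only newer versions of that group (Istio also publishes `networking.istio.io/v1beta1`) would be inferred as non-Istio, and the `srox.note` would not be emitted, so the operator gets no hint. Either extend the `has` test to also check `networking.istio.io/v1beta1`, or state in the header comment that only the v1alpha3 group version is probed and that `env.istio` must be set explicitly otherwise, so the mis-detection is at least documented.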
+++ b/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/20-tls-files.yaml @@ -0,0 +1,23 @@ +# These defaults ensure that by default, certificates and keys are loaded from the respective files in the secrets/ +# directory that they needed to be placed in for the old sensor Helm chart. +# +# A user can specify either references to files (with a "@" prefix - note that this requires changing the chart, +# as Helm only allows accessing files that are part of the chart), or PEM-encoded certificates and keys directly. + +ca: + cert: "@?secrets/ca.pem" + +sensor: + serviceTLS: + cert: "@?secrets/sensor-cert.pem" + key: "@?secrets/sensor-key.pem" + +admissionControl: + serviceTLS: + cert: "@?secrets/admission-control-cert.pem" + key: "@?secrets/admission-control-key.pem" + +collector: + serviceTLS: + cert: "@?secrets/collector-cert.pem" + key: "@?secrets/collector-key.pem" diff --git a/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/30-base-config.yaml b/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/30-base-config.yaml new file mode 100644 index 0000000..27fa087 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/30-base-config.yaml 
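Review bot: The header comment in 20-tls-files.yaml describes a `"@"` prefix for file references, but every value uses `"@?secrets/..."`, and the meaning of the `?` (presumably that a missing file is tolerated rather than failing the render) is not documented in this hunk. One more sentence in the comment, e.g. `# The "@?" form marks the file as optional: absence is not an error.` (confirm against the expansion code, which is outside this diff), would make the intent of the defaults clear. Since these defaults pull private keys from the chart directory, the comment could also point to scripts/fetch-secrets.sh as the supported way to produce those files.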
@@ -0,0 +1,46 @@ +# This file contains basic configuration options for all services + +centralEndpoint: "central.{{ required "unknown namespace" ._rox._namespace }}:443" +createUpgraderServiceAccount: false + +{{- if .Release.IsInstall }} +createSecrets: true +{{- end }} + +exposeMonitoring: false + +helmManaged: true + +clusterName: "" +confirmNewClusterName: "" + +imagePullSecrets: + allowNone: false + useExisting: [] + useFromDefaultServiceAccount: true + +sensor: + endpoint: "sensor.{{ required "unknown namespace" ._rox._namespace }}:443" + +admissionControl: + listenOnCreates: false + listenOnUpdates: false + listenOnEvents: {{ not ._rox.env.openshift }} + dynamic: + enforceOnCreates: false + scanInline: false + disableBypass: false + timeout: 3 + enforceOnUpdates: false + +collector: + collectionMethod: "KERNEL_MODULE" + disableTaintTolerations: false + +--- +sensor: + exposeMonitoring: {{ ._rox.exposeMonitoring }} +collector: + exposeMonitoring: {{ ._rox.exposeMonitoring }} +admissionControl: + exposeMonitoring: {{ ._rox.exposeMonitoring }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/40-resources.yaml b/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/40-resources.yaml new file mode 100644 index 0000000..5002bfb --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/40-resources.yaml @@ -0,0 +1,36 @@ +# This file contains the default resource requirements for the StackRox Secured Cluster services. + +sensor: + resources: + requests: + memory: "1Gi" + cpu: "1" + limits: + memory: "4Gi" + cpu: "2" + +admissionControl: + resources: + requests: + memory: "100Mi" + cpu: "50m" + limits: + memory: "500Mi" + cpu: "500m" + +collector: + resources: + requests: + memory: "320Mi" + cpu: "50m" + limits: + memory: "1Gi" + cpu: "750m" + + complianceResources: + requests: + memory: "10Mi" + cpu: "10m" + limits: + memory: "2Gi" + cpu: "1" 
diff --git a/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/50-images.yaml b/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/50-images.yaml new file mode 100644 index 0000000..1c18fec --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/50-images.yaml 
@@ -0,0 +1,66 @@ +# This file contains the default image (registry + name + tag) settings) for all StackRox Secured Cluster +# Services. + +image: + registry: registry.redhat.io/rh-acs + main: + name: main + pullPolicy: IfNotPresent + collector: + name: collector +--- +image: + main: + registry: {{ ._rox.image.registry }} + collector: + registry: {{ if or (eq ._rox.image.registry "stackrox.io") (eq ._rox.image.registry "registry.connect.redhat.com") }}collector.stackrox.io{{ else }}{{ ._rox.image.registry }}{{ end }} +--- +image: + main: + repository: {{ list ._rox.image.main.registry ._rox.image.main.name | compact | join "/" }} + collector: + repository: {{ list ._rox.image.collector.registry ._rox.image.collector.name | compact | join "/" }} +--- +image: + main: + {{- if or ._rox.image.main.tag ._rox.image.main.fullRef }} + {{- include "srox.warn" (list . "You have specified an explicit main image (tag). This will prevent the main image from being updated correctly when upgrading to a newer version of this chart.") }} + {{- else }} + _abbrevImageRef: {{ ._rox.image.main.repository }} + {{- end }} + tag: {{ .Chart.AppVersion }} + collector: + {{- if or ._rox.image.collector.tag ._rox.image.collector.fullRef }} + {{- include "srox.warn" (list . "You have specified an explicit collector image tag. This will prevent the collector image from being updated correctly when upgrading to a newer version of this chart.") }} + {{- if ._rox.collector.slimMode }} + {{- include "srox.warn" (list . "You have specified an explicit collector image tag. 
The slim collector setting will not have any effect.") }} + {{- end }} + {{- else }} + _abbrevImageRef: {{ ._rox.image.collector.repository }} + {{- end }} +--- +collector: + slimMode: {{ eq ._rox.image.collector.registry "registry.redhat.io/rh-acs" }} +--- +image: + collector: + {{- if ._rox.collector.slimMode }} + tag: "3.1.22-slim" + pullPolicy: IfNotPresent + {{- else }} + tag: "3.1.22-latest" + pullPolicy: Always + {{- end }} +--- +image: + main: + fullRef: {{ printf "%s:%s" ._rox.image.main.repository ._rox.image.main.tag }} + collector: + fullRef: {{ printf "%s:%s" ._rox.image.collector.repository ._rox.image.collector.tag }} +collector: + imagePullPolicy: {{ ._rox.image.collector.pullPolicy }} + complianceImagePullPolicy: {{ ._rox.image.main.pullPolicy }} +sensor: + imagePullPolicy: {{ ._rox.image.main.pullPolicy }} +admissionControl: + imagePullPolicy: {{ ._rox.image.main.pullPolicy }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/whats-this.md b/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/whats-this.md new file mode 100644 index 0000000..d58c8de --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/internal/defaults/whats-this.md 
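Review bot: The collector defaults in 50-images.yaml pin a mutable tag, `tag: "3.1.22-latest"` together with `pullPolicy: Always`, so the image that actually runs can change between pod restarts of the same chart release and cannot be reproduced from the rendered manifests; `"3.1.22-slim"` has the same property. If the tag must float, the header comment should say so and why, and should tell operators who need pinning that an explicit `image.collector.fullRef` (which the warning block above appears to honour) can carry a digest reference; otherwise an immutable tag with `IfNotPresent` is the safer default. Separately, the header comment has an unbalanced parenthesis: `(registry + name + tag) settings)`.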
@@ -0,0 +1,39 @@ +`defaults/` directory +====================== + +This directory provides a set of files that provide a lighter-weight interface for configuring +defaults in the Helm chart, allowing the use of template expressions (including referencing previously +applied defaults) without requiring (an excessive amount of) template control structures (such as +`{{ if kindIs "invalid" ... }}` to determine if a value has already been set). + +After applying some "bootstrap" configuration (such as for making available API server resources +visible in a uniform manner), each `.yaml` file in this directory is processed in an order determined +by its name (hence the `NN-` prefixes). Each YAML file consists of multiple documents (separated by +`---` lines) that are rendered as templates and then _merged_ into the effective configuration, giving +strict preference to already set values. + +Having a deterministic order is important for being able to rely on previously configured +values (either specified by the user or applied as a default). For example, the file +```yaml +group: + setting: "foo" + anotherSetting: 3 +--- +group: + derivedSetting: {{ printf "%s-%d" ._rox.group.setting ._rox.group.anotherSetting }} +``` +combined with the command-line setting `--set group.setting=bar` will result in the following +"effective" configuration: +```yaml +group: + setting: "bar" # user-specified value takes precedence - default value "foo" not applied + anotherSetting: 3 # default value + derivedSetting: bar-3 # combination of user-specified value and default value; "pure" default without + # any --set arguments would be "foo-3" +``` + +**Caveats**: +- Templating instructions must be contained to a single document within the multi-document YAML files. In particular, + the `---` separator must not be within a conditionally rendered block, or emitted by templating code. +- It is recommended to contain dependencies between default settings to a single YAML file. 
While the `NN-` prefixes + ensure a well-defined application order of individual files, having dependent blocks in the same file adds clarity. diff --git a/rhacs/3.0.59.0/secured-cluster-services/internal/expandables.yaml b/rhacs/3.0.59.0/secured-cluster-services/internal/expandables.yaml new file mode 100644 index 0000000..d2b9dad --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/internal/expandables.yaml @@ -0,0 +1,30 @@ +imagePullSecrets: + username: true + password: true +mainImagePullSecrets: + username: true + password: true +collectorImagePullSecrets: + username: true + password: true +ca: + cert: true +sensor: + serviceTLS: + cert: true + key: true + resources: true + nodeSelector: true +admissionControl: + serviceTLS: + cert: true + key: true + resources: true + nodeSelector: true +collector: + serviceTLS: + cert: true + key: true + resources: true + complianceResources: true + nodeSelector: true diff --git a/rhacs/3.0.59.0/secured-cluster-services/scripts/fetch-secrets.sh b/rhacs/3.0.59.0/secured-cluster-services/scripts/fetch-secrets.sh new file mode 100755 index 0000000..850a227 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/scripts/fetch-secrets.sh 
@@ -0,0 +1,41 @@ +#!/bin/sh + +# fetch-secrets.sh +# Retrieves StackRox TLS secrets currently stored in the current Kubernetes context, and stores them in a format +# suitable for consumption by the Helm chart. +# +# The YAML bundle is printed to stdout, use output redirection (>filename) to store the output to a file. +# This script supports the following environment variables: +# - KUBECTL: the command to use for kubectl. Spaces will be tokenized by the shell interpreter (default: "kubectl"). +# - ROX_NAMESPACE: the namespace in which the current StackRox deployment runs (default: "stackrox") +# - FETCH_CA_ONLY: if set to "true", will create a bundle containing only the CA certificate (default: "false") + +DIR="$(cd "$(dirname "$0")" && pwd)" + +KUBECTL="${KUBECTL:-kubectl}" +ROX_NAMESPACE="${ROX_NAMESPACE:-stackrox}" + +FETCH_CA_ONLY="${FETCH_CA_ONLY:-false}" + +case "$FETCH_CA_ONLY" in + false|0) + TEMPLATE_FILE="fetched-secrets-bundle.yaml.tpl" + DESCRIPTION="certificates and keys" + ;; + true|1) + TEMPLATE_FILE="fetched-secrets-bundle-ca-only.yaml.tpl" + DESCRIPTION="CA certificate only" + ;; + *) + echo >&2 "Invalid value '$FETCH_CA_ONLY' for FETCH_CA_ONLY, only false and true are allowed" + exit 1 +esac + +# The leading '#' signs aren't required as they don't go to stdout, but when printing to the console, +# it looks more natural to include them. +echo >&2 "# Fetching $DESCRIPTION from current Kubernetes context (namespace $ROX_NAMESPACE), store" +echo >&2 "# the output in a file and pass it to helm via the -f parameter." + +$KUBECTL get --ignore-not-found -n "$ROX_NAMESPACE" \ + secret/sensor-tls secret/collector-tls secret/admission-control-tls \ + -o go-template-file="${DIR}/${TEMPLATE_FILE}" \ diff --git a/rhacs/3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle-ca-only.yaml.tpl b/rhacs/3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle-ca-only.yaml.tpl new file mode 100644 index 0000000..b5a13c2 --- /dev/null 
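Review bot: The last line of fetch-secrets.sh, `-o go-template-file="${DIR}/${TEMPLATE_FILE}" \`, ends with a continuation backslash at end of file; it runs under common shells, but drop the trailing `\` (or add the intended next line) so the command is not silently joined with whatever gets appended later. There is no `set -eu`, and because `--ignore-not-found` is passed, a wrong `ROX_NAMESPACE` or a missing context yields an empty bundle on stdout with exit status 0, so a later `helm upgrade -f` proceeds without certificates; adding `set -eu` after the shebang and a stderr warning when the rendered output is empty would surface that. The header comment should also state that the output contains private keys, so the file it is redirected to needs restrictive permissions.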
+++ b/rhacs/3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle-ca-only.yaml.tpl @@ -0,0 +1,9 @@ +{{- range $item := .items }} +{{- if eq $item.metadata.name "sensor-tls" }} +{{- $caPEM := index $item.data "ca.pem" }} +{{- if $caPEM }} +ca: + cert: "{{ $caPEM | base64decode | js }}" +{{- end }} +{{- end }} +{{- end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle.yaml.tpl b/rhacs/3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle.yaml.tpl new file mode 100644 index 0000000..72bb452 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/scripts/fetched-secrets-bundle.yaml.tpl @@ -0,0 +1,35 @@ +{{- range $item := .items }} +{{- if eq $item.metadata.name "sensor-tls" }} +{{- $caPEM := index $item.data "ca.pem" }} +{{- if $caPEM }} +ca: + cert: "{{ $caPEM | base64decode | js }}" +{{- end }} +{{- $sensorCert := index $item.data "sensor-cert.pem" }} +{{- $sensorKey := index $item.data "sensor-key.pem" }} +{{- if and $sensorCert $sensorKey }} +sensor: + serviceTLS: + cert: "{{ $sensorCert | base64decode | js }}" + key: "{{ $sensorKey | base64decode | js }}" +{{- end }} +{{- else if eq $item.metadata.name "collector-tls" }} +{{- $collectorCert := index $item.data "collector-cert.pem" }} +{{- $collectorKey := index $item.data "collector-key.pem" }} +{{- if and $collectorCert $collectorKey }} +collector: + serviceTLS: + cert: "{{ $collectorCert | base64decode | js }}" + key: "{{ $collectorKey | base64decode | js }}" +{{- end }} +{{- else if eq $item.metadata.name "admission-control-tls" }} +{{- $admCtrlCert := index $item.data "admission-control-cert.pem" }} +{{- $admCtrlKey := index $item.data "admission-control-key.pem" }} +{{- if and $admCtrlCert $admCtrlKey }} +admissionControl: + serviceTLS: + cert: "{{ $admCtrlCert | base64decode | js }}" + key: "{{ $admCtrlKey | base64decode | js }}" +{{- end }} +{{- end }} +{{- end }} 
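Review bot: `cert: "{{ $caPEM | base64decode | js }}"` relies on the JavaScript escaper to produce a valid YAML double-quoted string; that only works because PEM text is limited to base64 characters, dashes, spaces and newlines, while `js` emits escapes such as `\'` that YAML double-quoted scalars do not accept. A comment above the `range`, e.g. `{{/* js escaping is safe here only because PEM text never contains quotes or non-ASCII */}}`, keeps the next person from reusing the pattern for arbitrary secret data. The same applies to every `| js` line in fetched-secrets-bundle.yaml.tpl in the following hunk.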
diff --git a/rhacs/3.0.59.0/secured-cluster-services/sensor-chart-upgrade.md b/rhacs/3.0.59.0/secured-cluster-services/sensor-chart-upgrade.md new file mode 100644 index 0000000..4c451ad --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/sensor-chart-upgrade.md 
@@ -0,0 +1,159 @@
+# Upgrading from the `sensor` Helm chart
+
+There are differences between the `sensor` Helm chart that was part of the
+StackRox Kubernetes Security Platform version 3.0.54 and the Secured Cluster
+Services Helm chart in the StackRox Kubernetes Security Platform version 3.0.55.
+
+Therefore, if you are using the StackRox Kubernetes Security Platform version 3.0.54
+or older, and you've used the `sensor` Helm chart, you must verify (and change)
+the following additional options to upgrade to the new Helm charts for the
+StackRox Kubernetes Security Platform version 3.0.55.
+
+## Namespace
+
+|Version 3.0.54 and older |Version 3.0.55 and newer |
+|-------------------------|-------------------------|
+|The `sensor` Helm chart creates all Kubernetes resources in the `stackrox` namespace, even if you've used the `-n`/`--namespace` flag to the `helm install` command.|The Secured Cluster Services Helm chart creates all resources in the namespace you specify by using the `-n`/`--namespace` flag. However, we recommend that you always install the chart in the `stackrox` namespace.|
+
+If you've previously installed the `sensor` Helm chart into a namespace other
+than `stackrox`, you **must** set the namespace override option to `stackrox`.
+
+To do this, either:
+- pass the `--set meta.namespaceOverride=stackrox` flag, or
+- add the following section in your configuration file:
+ ```yaml
+ meta:
+ namespaceOverride: stackrox
+ ```
+
+## Configuration file
+
+|Version 3.0.54 and older |Version 3.0.55 and newer |
+|-------------------------|--------------------------|
+|Installation using the `sensor` Helm chart requires adding your customizations in the `values.yaml` file that is part of the chart.|The Secured Cluster Services Helm chart uses a separate configuration file.|
+
+> **IMPORTANT**
+>
+> If you are using the Secured Cluster Services Helm chart, **do not** modify
+> the `values.yaml` file that is part of the chart.
+
+We recommend that you always store the configuration in separate files:
+
+- `values-public.yaml`: include all non-sensitive configuration options in this
+ file.
+- `values-private.yaml`: include all sensitive configuration options such as
+ image pull secrets or certificates and keys.
+
+You can also use a separate file for the cluster init bundle. For more
+information, see the main [README.md](README.md) file.
+
+## Secrets injection
+
+|Version 3.0.54 and older |Version 3.0.55 and newer |
+|-------------------------|--------------------------|
+|The `sensor` Helm chart downloads certificates and private keys specific to a single cluster and stores them in the `secrets/` directory.|The Secured Cluster Services Helm chart uses cluster init bundles. For more information, see the main [README.md](README.md) file.|
+
+To upgrade,
+1. Copy the `values.yaml` you used for the most recent installation or upgrade of the
+ `sensor` Helm chart and store it as `sensor-values.yaml`.
+1. Connect to the Kubernetes cluster on which you've previously installed the
+ `sensor` Helm chart.
+1. Run `./scripts/fetch-secrets.sh`. The `fetch-secrets.sh` script shows a YAML
+ file as output, which contains all secrets. Store the output of this command
+ in a file (you can use `./scripts/fetch-secrets.sh >secrets.yaml` to directly
+ write the command output to a file called `secrets.yaml`).
+1. Run the `helm upgrade` command and pass the YAML (from the previous step) file by
+ using the `-f` option:
+ ```sh
+ helm upgrade -n stackrox sensor stackrox/secured-cluster-services \
+ --reuse-values -f sensor-values.yaml -f ...
+ ```
+ The above command assumes that you have added the http://mirror.openshift.com/pub/rhacs/charts Helm
+ chart repository to your local Helm installation. See the main [README.md](README.md)
+ for instructions on how to set this up.
+ If you want to use this chart from a local directory, replace
+ `stackrox/secured-cluster-services` with the path to the chart directory.
+
+> **NOTE**
+>
+> Although you can copy the `secrets` directory from your old `sensor` Helm
+> chart instead, we **do not** recommend doing it.
+
+
+## Helm-managed clusters
+
+When you use the Secured Cluster Services Helm chart, the clusters it creates
+are treated as Helm-managed by default. It means that whenever you run the
+`helm upgrade` command afterward, it applies the configuration changes specified
+in your Helm configuration file, overwriting any changes to settings you've done
+through the StackRox portal.
+
+Additionally, because of the differences between the Helm upgrade and the
+StackRox Kubernetes Security Platform automatic upgrade, you can't use
+the automatic upgrades option from the StackRox portal.
+
+If you don't want an upgraded cluster to be treated as Helm-managed, set the
+`helmManaged` configuration option to `false`.
+
+## Configuration format
+
+There are differences between the configuration format that the sensor Helm
+chart uses and the Secured Cluster Services Helm chart's uses. We recommend that
+you migrate to the new configuration format.
+
+Here is the list of old and new configuration options:
+
+|Old configuration option |New configuration option |
+|-------------------------|-------------------------|
+| `cluster.name` | `clusterName` |
+| `cluster.type` | Set `env.openshift` to `true` for `cluster.type=OPENSHIFT_CLUSTER` and `false` for `cluster.type=KUBERNETES_CLUSTER`. Leave unset to automatically detect (recommended).
|
+| `endpoint.central` | `centralEndpoint` |
+| `endpoint.advertised` | `sensor.endpoint` |
+| `image.repository.main` | `image.main.name` |
+| `image.repository.collector` | `image.collector.name` |
+| `image.registry.main` | `image.main.registry` |
+| `image.registry.collector` | `image.collector.registry` |
+| `image.pullPolicy.main` | `image.main.pullPolicy` |
+| `image.pullPolicy.collector` | `image.collector.pullPolicy` |
+| `image.tag.main` | `image.main.tag` |
+| `image.tag.collector` | `image.collector.tag` |
+| `config.collectionMethod` | `collector.collectionMethod` |
+| `config.admissionControl.createService` | `admissionControl.listenOnCreates` |
+| `config.admissionControl.listenOnUpdates` | `admissionControl.listenOnUpdates` |
+| `config.admissionControl.enableService` | `admissionControl.dynamic.enforceOnCreates` |
+| `config.admissionControl.enforceOnUpdates` | `admissionControl.dynamic.enforceOnUpdates` |
+| `config.admissionControl.scanInline` | `admissionControl.dynamic.scanInline` |
+| `config.admissionControl.disableBypass` | `admissionControl.dynamic.disableBypass` |
+| `config.admissionControl.timeout` | `admissionControl.dynamic.timeout` |
+| `config.registryOverride` | `registryOverride` |
+| `config.disableTaintTolerations` | `collector.disableTaintTolerations` |
+| `config.createUpgraderServiceAccount` | `createUpgraderServiceAccount` |
+| `config.createSecrets` | `createSecrets` |
+| `config.offlineMode` | This option has no effect and will be removed.
|
+| `config.slimCollector` | `collector.slimMode` |
+| `config.sensorResources` | `sensor.resources` |
+| `config.admissionControlResources` | `admissionControl.resources` |
+| `config.collectorResources` | `collector.resources` |
+| `config.complianceResources` | `collector.complianceResources` |
+| `config.exposeMonitoring` | `exposeMonitoring` |
+| `envVars` | See example below |
+
+**Custom environment variables:** The old format for custom environment variable settings was
+```yaml
+envVars:
+- name: ENV_VAR1
+ value: "value1"
+- name: ENV_VAR2
+ value: "value2"
+...
+```
+
+In the new configuration format, rewrite this as:
+```yaml
+customize:
+ envVars:
+ ENV_VAR1: "value1"
+ ENV_VAR2: "value2"
+```
+You can find out more about customizing object labels, annotations, and environment variables in the main
+[README.md](README.md).
\ No newline at end of file
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/00-collector-image-pull-secrets.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/00-collector-image-pull-secrets.yaml
new file mode 100644
index 0000000..eba103f
--- /dev/null
+++ b/rhacs/3.0.59.0/secured-cluster-services/templates/00-collector-image-pull-secrets.yaml
@@ -0,0 +1,18 @@
+{{- include "srox.init" . -}}
+
+{{- if ._rox.collectorImagePullSecrets._dockerAuths }}
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ name: secured-cluster-services-collector
+ namespace: {{ ._rox._namespace }}
+ labels:
+ {{- include "srox.labels" (list . "secret" "secured-cluster-services-collector") | nindent 4 }}
+ annotations:
+ {{- include "srox.annotations" (list . "secret" "secured-cluster-services-collector") | nindent 4 }}
+ "helm.sh/hook": "pre-install,pre-upgrade"
+ "helm.sh/resource-policy": keep
+data:
+ .dockerconfigjson: {{ dict "auths" ._rox.collectorImagePullSecrets._dockerAuths | toJson | b64enc | quote }}
+{{ end }}
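Review bot: The Secret is a `pre-install,pre-upgrade` hook carrying `"helm.sh/resource-policy": keep`, so it is not part of the release manifest and outlives `helm uninstall` while holding registry credentials; nothing in the template says why, and a maintainer could drop one of the two annotations without seeing the consequence. A short comment above `metadata:` would fix that, e.g. `{{/* hook + keep: created ahead of the release's workloads and deliberately left behind on uninstall; rotate credentials by deleting it manually */}}` — the stated reason is inferred from the annotations, so confirm it before committing the wording. The value quoting is also inconsistent (`"pre-install,pre-upgrade"` quoted, `keep` bare); pick one. `00-main-image-pull-secrets.yaml` in this commit is a copy of this file differing only in the name suffix and the `._rox.*ImagePullSecrets` path; a shared named template taking those two values would keep the two from drifting.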
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/00-main-image-pull-secrets.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/00-main-image-pull-secrets.yaml
new file mode 100644
index 0000000..052aa3e
--- /dev/null
+++ b/rhacs/3.0.59.0/secured-cluster-services/templates/00-main-image-pull-secrets.yaml
@@ -0,0 +1,18 @@
+{{- include "srox.init" . -}}
+
+{{- if ._rox.mainImagePullSecrets._dockerAuths }}
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ name: secured-cluster-services-main
+ namespace: {{ ._rox._namespace }}
+ labels:
+ {{- include "srox.labels" (list . "secret" "secured-cluster-services-main") | nindent 4 }}
+ annotations:
+ {{- include "srox.annotations" (list . "secret" "secured-cluster-services-main") | nindent 4 }}
+ "helm.sh/hook": "pre-install,pre-upgrade"
+ "helm.sh/resource-policy": keep
+data:
+ .dockerconfigjson: {{ dict "auths" ._rox.mainImagePullSecrets._dockerAuths | toJson | b64enc | quote }}
+{{ end }}
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/NOTES.txt b/rhacs/3.0.59.0/secured-cluster-services/templates/NOTES.txt
new file mode 100644
index 0000000..fd2efcf
--- /dev/null
+++ b/rhacs/3.0.59.0/secured-cluster-services/templates/NOTES.txt
@@ -0,0 +1,38 @@
+{{- $_ := include "srox.init" . -}}
+
+StackRox Secured Cluster Services {{.Chart.AppVersion}} has been installed.
+
+Secured Cluster Configuration Summary:
+
+ Name: {{ ._rox.clusterName }}
+ Kubernetes Namespace: {{ ._rox._namespace }}{{ if ne .Release.Namespace ._rox._namespace }} [NOTE: Helm release is attached to namespace {{ .Release.Namespace }}]{{ end }}
+ Helm Release Name: {{ .Release.Name }}
+ Central Endpoint: {{ ._rox.centralEndpoint }}
+ OpenShift Cluster: {{ ._rox.env.openshift }}
+ Admission Control Webhooks deployed: {{ or ._rox.admissionControl.dynamic.listenOnCreates ._rox.admissionControl.dynamic.listenOnUpdates ._rox.admissionControl.dynamic.listenOnEvents}}
+ Admission Control Creates/Updates enforced: {{ or ._rox.admissionControl.dynamic.enforceOnCreates ._rox.admissionControl.dynamic.enforceOnUpdates }}
+
+{{ if ._rox._state.notes -}}
+Please take note of the following:
+{{ range ._rox._state.notes }}
+- {{ . | wrapWith 98 "\n " -}}
+{{ end }}
+
+{{ end -}}
+
+{{ if ._rox._state.warnings -}}
+During installation, the following warnings were encountered:
+{{ range ._rox._state.warnings }}
+- WARNING: {{ . | wrapWith 98 "\n " -}}
+{{ end }}
+
+{{ end -}}
+
+{{ if ._rox.env.openshift -}}
+IMPORTANT: You have deployed into an OpenShift-enabled cluster. If you see that your pods
+ are not scheduling, run
+
+ oc annotate namespace/{{ ._rox._namespace }} --overwrite openshift.io/node-selector=""
+{{ end -}}
+
+Thank you for using StackRox!
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/_compatibility.tpl b/rhacs/3.0.59.0/secured-cluster-services/templates/_compatibility.tpl
new file mode 100644
index 0000000..c83ab2d
--- /dev/null
+++ b/rhacs/3.0.59.0/secured-cluster-services/templates/_compatibility.tpl
@@ -0,0 +1,51 @@
+{{ define "srox.applyCompatibilityTranslation" }}
+{{ $ := index . 0 }}
+{{ $values := index . 1 }}
+{{ $translationRules := $.Files.Get "internal/compatibility-translation.yaml" | fromYaml }}
+{{ include "srox._doApplyCompat" (list $values $.Template $values $translationRules list) }}
+{{ end }}
+
+{{ define "srox._doApplyCompat" }}
+{{ $values := index . 0 }}
+{{ $template := index . 1 }}
+{{ $valuesCtx := index . 2 }}
+{{ $ruleCtx := index . 3 }}
+{{ $ctxPath := index . 4 }}
+{{ range $k, $v := $ruleCtx }}
+ {{ $oldVal := index $valuesCtx $k }}
+ {{ if not (kindIs "invalid" $oldVal) }}
+ {{ if kindIs "map" $v }}
+ {{ if kindIs "map" $oldVal }}
+ {{ include "srox._doApplyCompat" (list $values $template $oldVal $v (append $ctxPath $k)) }}
+ {{ if not $oldVal }}
+ {{ $_ := unset $valuesCtx $k }}
+ {{ end }}
+ {{ end }}
+ {{ else }}
+ {{ $_ := unset $valuesCtx $k }}
+ {{ if not (kindIs "invalid" $v) }}
+ {{ $tplCtx := dict "Template" $template "value" (toJson $oldVal) "rawValue" $oldVal }}
+ {{ $configFragment := tpl $v $tplCtx | fromYaml }}
+ {{ include "srox._mergeCompat" (list $values $configFragment (append $ctxPath $k) list) }}
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
+{{ end }}
+
+{{ define "srox._mergeCompat" }}
+{{ $values := index . 0 }}
+{{ $newConfig := index . 1 }}
+{{ $compatValuePath := index . 2 }}
+{{ $path := index . 3 }}
+{{ range $k, $v := $newConfig }}
+ {{ $currVal := index $values $k }}
+ {{ if kindIs "invalid" $currVal }}
+ {{ $_ := set $values $k $v }}
+ {{ else if and (kindIs "map" $v) (kindIs "map" $currVal) }}
+ {{ include "srox._mergeCompat" (list $currVal $v $compatValuePath (append $path $k)) }}
+ {{ else }}
+ {{ include "srox.fail" (printf "Conflict between legacy configuration values %s and explicitly set configuration value %s, please unset legacy value" (join "." $compatValuePath) (append $path $k | join ".")) }}
+ {{ end }}
+{{ end }}
+{{ end }}
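Review bot: `tpl $v $tplCtx | fromYaml` in `srox._doApplyCompat` trusts its result, but Helm's `fromYaml` does not abort on invalid YAML — it returns a dict that is empty or carries only an `Error` key — so a broken translation rule would silently merge nothing, or merge a bogus top-level `Error` entry into the user's values through `srox._mergeCompat`. `_defaults.tpl` in this same commit guards its `fromYaml` call with a marker value; here the minimal guard before the merge is `{{ if hasKey $configFragment "Error" }}{{ include "srox.fail" (printf "Invalid compatibility rule for %s: %s" (join "." (append $ctxPath $k)) $configFragment.Error) }}{{ end }}`, or the same marker technique if Helm versions that return an empty dict must be supported.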
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/_defaults.tpl b/rhacs/3.0.59.0/secured-cluster-services/templates/_defaults.tpl
new file mode 100644
index 0000000..7f8629b
--- /dev/null
+++ b/rhacs/3.0.59.0/secured-cluster-services/templates/_defaults.tpl
@@ -0,0 +1,35 @@
+{{/*
+ srox.applyDefaults .
+
+ Applies defaults defined in `internal/defaults`, in an order that depends on the filenames.
+ */}}
+{{ define "srox.applyDefaults" }}
+{{ $ := . }}
+{{/* Apply defaults */}}
+{{ range $defaultsFile, $defaultsTpl := $.Files.Glob "internal/defaults/*.yaml" }}
+ {{ $tplSects := regexSplit "(^|\n)---($|\n)" (toString $defaultsTpl) -1 }}
+ {{ $sectCounter := 0 }}
+ {{ range $tplSect := $tplSects }}
+ {{/*
+ tpl will merely stop creating output if an error is encountered during rendering (not during parsing), but we want
+ to be certain that we recognized invalid templates. Hence, add a marker line at the end, and verify that it
+ shows up in the output.
+ */}}
+ {{ $renderedSect := tpl (list $tplSect "{{ \"\\n#MARKER\\n\" }}" | join "") $ }}
+ {{ if not (hasSuffix "\n#MARKER\n" $renderedSect) }}
+ {{ include "srox.fail" (printf "Section %d in defaults file %s contains invalid templating" $sectCounter $defaultsFile) }}
+ {{ end }}
+ {{/*
+ fromYaml only returns an empty dict upon error, but we want to be certain that we recognized invalid YAML.
+ Hence, add a marker value.
+ */}}
+ {{ $sectDict := fromYaml (cat $renderedSect "\n__marker: true\n") }}
+ {{ if not (index $sectDict "__marker") }}
+ {{ include "srox.fail" (printf "Section %d in defaults file %s contains invalid YAML" $sectCounter $defaultsFile) }}
+ {{ end }}
+ {{ $_ := unset $sectDict "__marker" }}
+ {{ $_ = include "srox.mergeInto" (list $._rox $sectDict) }}
+ {{ $sectCounter = add $sectCounter 1 }}
+ {{ end }}
+{{ end }}
+{{ end }}
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/_dict.tpl b/rhacs/3.0.59.0/secured-cluster-services/templates/_dict.tpl
new file mode 100644
index 0000000..bf14a6d
--- /dev/null
+++ b/rhacs/3.0.59.0/secured-cluster-services/templates/_dict.tpl
@@ -0,0 +1,142 @@
+{{/*
+ srox.compactDict $target [$depth]
+
+ Compacts a dict $target by removing entries with empty values.
+ By default, only the top-level dict $target itself is modified. If the optional $depth
+ parameter is specified and is non-zero, this determines the recursion depth over which the
+ compaction is applied to nested diocts as well. A $depth of -1 means to compact all nested
+ dicts, regardless of depth.
+ */}}
+{{ define "srox.compactDict" }}
+{{ $args := . }}
+{{ if not (kindIs "slice" $args) }}
+ {{ $args = list $args 0 }}
+{{ end }}
+{{ $target := index $args 0 }}
+{{ $depth := index $args 1 }}
+{{ $zeroValKeys := list }}
+{{ range $k, $v := $target }}
+ {{ if and (kindIs "map" $v) (ne $depth 0) }}
+ {{ include "srox.compactDict" (list $v (sub $depth 1)) }}
+ {{ end }}
+ {{ if not $v }}
+ {{ $zeroValKeys = append $zeroValKeys $k }}
+ {{ end }}
+{{ end }}
+{{ range $k := $zeroValKeys }}
+ {{ $_ := unset $target $k }}
+{{ end }}
+{{ end }}
+
+{{/*
+ srox.destructiveMergeOverwrite $out $dict1 $dict2...
+
+ Recursively merges $dict1, $dict2 (in this order) into $out, similar to mergeOverwrite.
+ The eponymous difference is the fact that any explicit "null" entries in the source
+ dictionaries cause the respective entry to be deleted.
+ */}}
+{{ define "srox.destructiveMergeOverwrite" }}
+{{ $out := first . }}
+{{ $toMergeList := rest . 
}}
+{{ range $toMerge := $toMergeList }}
+ {{ range $k, $v := $toMerge }}
+ {{ if kindIs "invalid" $v }}
+ {{ $_ := unset $out $k }}
+ {{ else if kindIs "map" $v }}
+ {{ $outV := index $out $k }}
+ {{ if kindIs "invalid" $outV }}
+ {{ $_ := set $out $k (deepCopy $v) }}
+ {{ else if kindIs "map" $outV }}
+ {{ include "srox.destructiveMergeOverwrite" (list $outV $v) }}
+ {{ else }}
+ {{ fail (printf "when merging at key %s: incompatible kinds %s and %s" $k (kindOf $v) (kindOf $outV)) }}
+ {{ end }}
+ {{ else }}
+ {{ $_ := set $out $k $v }}
+ {{ end }}
+ {{ end }}
+{{ end }}
+{{ end }}
+
+{{/*
+ srox.stringifyDictValues $dict
+
+ Recursively traverses $dict and converts every non-dict value to a string.
+ */}}
+{{ define "srox.stringifyDictValues" }}
+{{ $dict := . }}
+{{ range $k, $v := $dict }}
+ {{ if kindIs "map" $v }}
+ {{ include "srox.stringifyDictValues" $v }}
+ {{ else }}
+ {{ $_ := set $dict $k (toString $v) }}
+ {{ end }}
+{{ end }}
+{{ end }}
+
+{{/*
+ srox.safeDictLookup $dict $out $path
+
+ Looks up $path in $dict, and stores the result (if any) in $out.result.
+ $path is a dot-separated list of nested field names. An empty $path causes
+ $dict to be stored in $out.result.
+
+ Example: srox.safeDictLookup $dict $out "a.b.c" stores the value of $dict.a.b.c, if
+ it exists, in $out.result. Otherwise, it does nothing - in particular, it does
+ not fail, as accessing $dict.a.b.c unconditionally would if any of $dict, $dict.a,
+ or $dict.a.b was not a dict.
+ */}}
+{{ define "srox.safeDictLookup" }}
+{{ $dict := index . 0 }}
+{{ $out := index . 1 }}
+{{ $path := index . 2 }}
+{{ $curr := $dict }}
+{{ $pathList := splitList "." 
$path | compact }}
+{{ range $pathElem := $pathList }}
+ {{ if kindIs "map" $curr }}
+ {{ $curr = index $curr $pathElem }}
+ {{ else if not (kindIs "invalid" $curr) }}
+ {{ $curr = dict.nil }}
+ {{ end }}
+{{ end }}
+{{ if not (kindIs "invalid" $curr) }}
+ {{ $_ := set $out "result" $curr }}
+{{ end }}
+{{ end }}
+
+
+
+{{/*
+ srox.mergeInto $tgt $src1..$srcN
+
+ Recursively merges values from $src1, ..., $srcN into $tgt, giving preference to
+ values in $tgt.
+
+ Unlike Sprig's merge, this does not overwrite falsy values when explicitly defined,
+ with the exception of `null` values (this also sets it apart from Sprig's mergeOverwrite).
+
+ Whenever entire (nested) dicts are merged as-is from one of the sources into $tgt, a deep
+ copy of the respective nested dict is created.
+
+ An empty string is always returned, hence this should be invoked in the form
+ $_ := include "srox.mergeInto" (list $tgt $src1 $src2)
+ */}}
+{{ define "srox.mergeInto" }}
+{{ $tgt := first . }}
+{{ range $src := rest . }}
+ {{ range $k, $srcV := $src }}
+ {{ $tgtV := index $tgt $k }}
+ {{ if kindIs "map" $srcV }}
+ {{ if kindIs "invalid" $tgtV }}
+ {{ $_ := set $tgt $k (deepCopy $srcV) }}
+ {{ else if kindIs "map" $tgtV }}
+ {{ $_ := include "srox.mergeInto" (list $tgtV $srcV) }}
+ {{ else }}
+ {{ fail (printf "Incompatible kinds for key %s: %s vs %s" $k (kindOf $srcV) (kindOf $tgtV)) }}
+ {{ end }}
+ {{ else if and (not (kindIs "invalid" $srcV)) (kindIs "invalid" $tgtV) }}
+ {{ $_ := set $tgt $k $srcV }}
+ {{ end }}
+ {{ end }}
+{{ end }}
+{{ end }}
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/_expand.tpl b/rhacs/3.0.59.0/secured-cluster-services/templates/_expand.tpl
new file mode 100644
index 0000000..ed1cb1f
--- /dev/null
+++ b/rhacs/3.0.59.0/secured-cluster-services/templates/_expand.tpl
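Review bot: `{{ $curr = dict.nil }}` in `srox.safeDictLookup` reads like a typo; it relies on indexing a freshly created empty dict with the missing key `nil` to obtain a nil value, and the reason is not stated anywhere. A comment on that line, `{{/* dict.nil: missing-key lookup on an empty dict yields nil */}}`, would save the next reader a detour. `srox.destructiveMergeOverwrite` fails when a map source meets a non-map target but silently lets a scalar source replace a whole map in `$out`; if that asymmetry is intended, its header comment should say so. The `srox.compactDict` header also has a typo (`diocts`).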
@@ -0,0 +1,96 @@
+{{/*
+ srox.expandAll $ $target $expandable [$path]
+
+ Expands values within $target that are flagged in $expandable, using $path
+ as the path from the configuration root to $target for error reporting purposes.
+
+ If $target is nil, nothing happens. Otherwise, $target must be a dict. For every key
+ of $target that is also present in $expandable, the following action is performed:
+ - If the entry in $expandable is a dict, recursive invoke "srox.expandAll" on the
+ respective entries, with an adjusted $path.
+ - Otherwise, the entry in $expandable is assume to be of boolean value. If the value is
+ true, the corresponding entry's value in $target is expanded (see "srox._expandSingle"
+ below for a definition of expanding), and the result of the expansion is stored under
+ the key with a "_" prepended in $target. The original entry in $target is removed. This
+ ensures "srox.expandAll" is an idempotent operation).
+ */}}
+{{ define "srox.expandAll" }}
+{{ $args := . }}
+{{ $ := index $args 0 }}
+{{ $target := index $args 1 }}
+{{ $expandable := index $args 2 }}
+{{ $path := list }}
+{{ if ge (len $args) 4 }}
+ {{ $path = index $args 3 }}
+ {{ if kindIs "string" $path }}
+ {{ $path = splitList "." $path | compact }}
+ {{ end }}
+{{ end }}
+
+{{ if kindIs "map" $target }}
+ {{ range $k, $v := $expandable }}
+ {{ $childPath := append $path $k }}
+ {{ $targetV := index $target $k }}
+ {{ if kindIs "map" $v }}
+ {{ include "srox.expandAll" (list $ $targetV $v $childPath) }}
+ {{ else if $v }}
+ {{ if not (kindIs "invalid" $targetV) }}
+ {{ $expanded := include "srox._expandSingle" (list $ $targetV (join "." $childPath)) }}
+ {{ $_ := set $target (printf "_%s" $k) $expanded }}
+ {{ end }}
+ {{ $_ := unset $target $k }}
+ {{ end }}
+ {{ end }}
+{{ else if not (kindIs "invalid" $target) }}
+ {{ include "srox.fail" (printf "Error expanding value at %s: expected map, got: %s" (join "." 
$path) (kindOf $target)) }}
+{{ end }}
+{{ end }}
+
+{{/*
+ srox.expand $ $spec
+
+ Parses and expands a "specification string" in the following way:
+ - If $spec is a dictionary, return $spec rendered as a YAML.
+ - Otherwise, if $spec starts with a backslash character (`\`), return $spec minus the leading
+ backslash character.
+ - Otherwise, if $spec starts with an `@` character, strip off the first character and
+ treat the remainder of the string as a `|`-separated list of file names. Try to load
+ each referenced file, in order, via `stackrox.getFile`. The result is the first file
+ that could be successfully loaded. If no file could be loaded, expansion fails.
+ - Otherwise, return $spec as-is.
+ */}}
+{{- define "srox._expandSingle" -}}
+ {{- $ := index . 0 -}}
+ {{- $spec := index . 1 -}}
+ {{- $context := index . 2 -}}
+ {{- $result := "" -}}
+ {{- if kindIs "string" $spec -}}
+ {{- if hasPrefix "\\" $spec -}}
+ {{- /* use \ as string-wide escape character */ -}}
+ {{- $result = trimPrefix "\\" $spec -}}
+ {{- else if hasPrefix "@" $spec -}}
+ {{- /* treat as file list (first found matches) */ -}}
+ {{- /* If the prefix is "@?" expansion will not fail if no files could be found, instead an empty string is returned. */ -}}
+ {{- $fileSpec := trimPrefix "@" $spec -}}
+ {{- $allowNotFound := false -}}
+ {{- if hasPrefix "?" $fileSpec -}}
+ {{- $allowNotFound = true -}}
+ {{- $fileSpec = trimPrefix "?" 
$fileSpec -}}
+ {{- end -}}
+ {{- $fileList := regexSplit "\\s*\\|\\s*" ($fileSpec | trim) -1 -}}
+ {{- $fileRes := dict -}}
+ {{- $_ := include "srox.loadFile" (list $ $fileRes $fileList) -}}
+ {{- if and (not $allowNotFound) (not $fileRes.found) -}}
+ {{- include "srox.fail" (printf "Expanding %s: file reference %q: none of the referenced files were found" $context $spec) -}}
+ {{- end -}}
+ {{- $result = default "" $fileRes.contents -}}
+ {{- else -}}
+ {{/* treat as raw string */}}
+ {{- $result = $spec -}}
+ {{- end -}}
+ {{- else if not (kindIs "invalid" $spec) -}}
+ {{- /* render non-string, non-nil values as YAML */ -}}
+ {{- $result = toYaml $spec -}}
+ {{- end -}}
+ {{- $result -}}
+{{- end -}}
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/_helpers.tpl b/rhacs/3.0.59.0/secured-cluster-services/templates/_helpers.tpl
new file mode 100644
index 0000000..e87f10f
--- /dev/null
+++ b/rhacs/3.0.59.0/secured-cluster-services/templates/_helpers.tpl
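Review bot: The header comment above `srox._expandSingle` documents a template `srox.expand $ $spec`, says files are loaded via `stackrox.getFile`, and does not mention the `@?` form, while the define is named `srox._expandSingle`, takes a third `$context` argument, loads files through `srox.loadFile`, and treats `@?` as a non-fatal lookup that yields an empty string. The header should read `srox._expandSingle $ $spec $context` with the file-loading bullet corrected and an `@?` bullet added. Its first bullet is also narrower than the code, which renders any non-string, non-nil `$spec` with `toYaml`, not only dictionaries.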
@@ -0,0 +1,68 @@
+{{/*
+ Misceallaneous helper templates.
+ */}}
+
+
+
+
+{{/*
+ srox.loadFile $ $out $fileName-or-list
+
+ This helper function reads a file. It differs from $.Files.Get in that it also takes
+ $._rox.meta.fileOverrides into account. Furthermore, it can receive a list of file names,
+ and will try these files in order. Finally, it indicates whether a file was found via the
+ $out.found property (as opposed to $.Files.Get, which cannot distinguish between a successful
+ read of an empty file, and this file not being found).
+ The file contents will be returned via $out.contents
+ */}}
+{{ define "srox.loadFile" }}
+{{ $ := index . 0 }}
+{{ $out := index . 1 }}
+{{ $fileNames := index . 2 }}
+{{ if not (kindIs "slice" $fileNames) }}
+ {{ $fileNames = list $fileNames }}
+{{ end }}
+{{ $contents := index dict "" }}
+{{ range $fileName := $fileNames }}
+ {{ if kindIs "invalid" $contents }}
+ {{ $contents = index $._rox.meta.fileOverrides $fileName }}
+ {{ end }}
+ {{ if kindIs "invalid" $contents }}
+ {{ range $path, $_ := $.Files.Glob $fileName }}
+ {{ if kindIs "invalid" $contents }}
+ {{ $contents = $.Files.Get $path }}
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
+{{ if not (kindIs "invalid" $contents) }}
+ {{ $_ := set $out "contents" $contents }}
+{{ end }}
+{{ $_ := set $out "found" (not (kindIs "invalid" $contents)) }}
+{{ end }}
+
+
+{{/*
+ srox.checkGenerated $ $cfgPath
+
+ Checks if the value at configuration path $cfgPath (e.g., "central.adminPassword.value") was
+ generated. Evaluates to the string "true" if this is the case, and an empty string otherwise.
+ */}}
+{{- define "srox.checkGenerated" -}}
+{{- $ := index . 0 -}}
+{{- $cfgPath := index . 1 -}}
+{{- $genCfg := $._rox._state.generated -}}
+{{- $exists := true -}}
+{{- range $pathElem := splitList "." 
$cfgPath -}}
+ {{- if $exists -}}
+ {{- if hasKey $genCfg $pathElem -}}
+ {{- $genCfg = index $genCfg $pathElem -}}
+ {{- else -}}
+ {{- $exists = false -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- if $exists -}}
+true
+{{- end -}}
+{{- end -}}
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/_image-pull-secrets.tpl b/rhacs/3.0.59.0/secured-cluster-services/templates/_image-pull-secrets.tpl
new file mode 100644
index 0000000..217160d
--- /dev/null
+++ b/rhacs/3.0.59.0/secured-cluster-services/templates/_image-pull-secrets.tpl
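Review bot: In `srox.checkGenerated`, `hasKey $genCfg $pathElem` is applied to whatever `index` returned for the previous path element, so if `$._rox._state.generated` holds a non-map value partway along `$cfgPath` (a leaf set to `true`, say), `hasKey` receives a non-map and template execution aborts instead of evaluating to the documented empty string. Guarding the kind keeps the helper total: `{{- if and (kindIs "map" $genCfg) (hasKey $genCfg $pathElem) -}}`. `srox.loadFile` obtains its nil start value through `index dict ""`; a comment such as `{{/* index dict "": nil placeholder, so "not found" is distinguishable from an empty file */}}` would make that readable, and the file header has a typo (`Misceallaneous`).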
@@ -0,0 +1,86 @@
+{{/*
+ srox.configureImagePullSecrets $ $cfgName $imagePullSecrets $secretResourceName $defaultSecretNames $namespace
+
+ Configures image pull secrets.
+
+ This function enriches $imagePullSecrets based on the exposed configuration parameters to contain
+ a list of Kubernetes secret names as `_names` to be used as image pull secrets within the chart
+ templates. This list contains the following secrets:
+
+ - Secrets referenced via $imagePullSecrets.useExisting.
+ - Image pull secrets associated with the default service account (if
+ $imagePullSecrets.useFromDefaultServiceAccount is true).
+ - $secretResourceName, if $imagePullSecrets.username is set.
+ - $defaultSecretNames. */}}
+
+{{ define "srox.configureImagePullSecrets" }}
+{{ $ := index . 0 }}
+{{ $cfgName := index . 1 }}
+{{ $imagePullSecrets := index . 2 }}
+{{ $secretResourceName := index . 3 }}
+{{ $defaultSecretNames := index . 4 }}
+{{ $namespace := index . 5 }}
+
+{{ $imagePullSecretNames := default list $imagePullSecrets.useExisting }}
+{{ if not (kindIs "slice" $imagePullSecretNames) }}
+ {{ $imagePullSecretNames = regexSplit "\\s*[,;]\\s*" (trim $imagePullSecretNames) -1 }}
+{{ end }}
+{{ if $imagePullSecrets.useFromDefaultServiceAccount }}
+ {{ $defaultSA := dict }}
+ {{ include "srox.safeLookup" (list $ $defaultSA "v1" "ServiceAccount" $namespace "default") }}
+ {{ if $defaultSA.result }}
+ {{ range $ips := default list $defaultSA.result.imagePullSecrets }}
+ {{ if $ips.name }}
+ {{ $imagePullSecretNames = append $imagePullSecretNames $ips.name }}
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
+{{ $imagePullCreds := dict }}
+{{ if $imagePullSecrets._username }}
+ {{ $imagePullCreds = dict "username" $imagePullSecrets._username "password" $imagePullSecrets._password }}
+ {{ $imagePullSecretNames = append $imagePullSecretNames $secretResourceName }}
+{{ else if $imagePullSecrets._password }}
+ {{ $msg := printf "Username missing in %q. 
Whenever an image pull password is specified, a username must be specified as well" $cfgName }}
+ {{ include "srox.fail" $msg }}
+{{ end }}
+{{ if and $.Release.IsInstall (not $imagePullSecretNames) (not $imagePullSecrets.allowNone) }}
+ {{ $msg := printf "You have not specified any image pull secrets, and no existing image pull secrets were automatically inferred. If your registry does not need image pull credentials, explicitly set the '%s.allowNone' option to 'true'" $cfgName }}
+ {{ include "srox.fail" $msg }}
+{{ end }}
+
+{{ $imagePullSecretNames = concat (append $imagePullSecretNames $secretResourceName) $defaultSecretNames | uniq | sortAlpha }}
+{{ $_ := set $imagePullSecrets "_names" $imagePullSecretNames }}
+{{ $_ := set $imagePullSecrets "_creds" $imagePullCreds }}
+
+{{ end }}
+
+{{ define "srox.configureImagePullSecretsForDockerRegistry" }}
+{{ $ := index . 0 }}
+{{ $imagePullSecrets := index . 1 }}
+
+{{/* Setup Image Pull Secrets for Docker Registry.
+ Note: This must happen afterwards, as we rely on "srox.configureImage" to collect the
+ set of all referenced images first. */}}
+{{ if $imagePullSecrets._username }}
+ {{ $dockerAuths := dict }}
+ {{ range $image := keys $._rox._state.referencedImages }}
+ {{ $registry := splitList "/" $image | first }}
+ {{ if eq $registry "docker.io" }}
+ {{/* Special case docker.io */}}
+ {{ $registry = "https://index.docker.io/v1/" }}
+ {{ else }}
+ {{ $registry = printf "https://%s" $registry }}
+ {{ end }}
+ {{ $_ := set $dockerAuths $registry dict }}
+ {{ end }}
+ {{ $authToken := printf "%s:%s" $imagePullSecrets._username $imagePullSecrets._password | b64enc }}
+ {{ range $regSettings := values $dockerAuths }}
+ {{ $_ := set $regSettings "auth" $authToken }}
+ {{ end }}
+
+ {{ $_ := set $imagePullSecrets "_dockerAuths" $dockerAuths }}
+{{ end }}
+
+{{ end }}
+
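Review bot: When `useExisting` is a string, `regexSplit "\\s*[,;]\\s*" (trim $imagePullSecretNames) -1` keeps empty elements, so `"a,,b"` or a whitespace-only value yields `""` entries that land in `_names` and also make `(not $imagePullSecretNames)` false, skipping the `allowNone` check. Filtering the way `_expand.tpl` filters its path split fixes both: `{{ $imagePullSecretNames = regexSplit "\\s*[,;]\\s*" (trim $imagePullSecretNames) -1 | compact }}`. In `srox.configureImagePullSecretsForDockerRegistry`, the same `username:password` auth entry is written for every registry host found in `referencedImages`, so the one credential is presented to each of them; that is reasonable for a single-registry setup but deserves a comment, since overriding one image's registry sends the credential to that host as well.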
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/_images.tpl b/rhacs/3.0.59.0/secured-cluster-services/templates/_images.tpl
new file mode 100644
index 0000000..dced29d
--- /dev/null
+++ b/rhacs/3.0.59.0/secured-cluster-services/templates/_images.tpl
@@ -0,0 +1,34 @@
+{{/*
+ srox.configureImage $ $imageCfg
+
+ Configures settings for a single image by augmenting/completing an existing image configuration
+ stanza.
+
+ If $imageCfg.fullRef is empty:
+ First, the image registry is determined by inspecting $imageCfg.registry and, if this is empty,
+ $._rox.image.registry, ultimately defaulting to `docker.io`. The full image ref is then
+ constructed from the registry, $imageCfg.name (must be non-empty), and $imageCfg.tag (may be
+ empty, in which case "latest" is assumed). The result is stored in $imageCfg.fullRef.
+
+ Afterwards (irrespective of the previous check), $imageCfg.fullRef is modified by prepending
+ "docker.io/" if and only if it did not contain a remote yet (i.e., the part before the first "/"
+ did not contain a dot (DNS name) or colon (port)).
+
+ Finally, the resulting $imageCfg.fullRef is stored as a dict entry with value `true` in the
+ $._rox._state.referencedImages dict.
+ */}}
+{{ define "srox.configureImage" }}
+{{ $ := index . 0 }}
+{{ $imageCfg := index . 1 }}
+{{ $imageRef := $imageCfg.fullRef }}
+{{ if not $imageRef }}
+ {{ $imageRef = printf "%s/%s:%s" (coalesce $imageCfg.registry $._rox.image.registry "docker.io") $imageCfg.name (default "latest" $imageCfg.tag) }}
+{{ end }}
+{{ $imageComponents := splitList "/" $imageRef }}
+{{ $firstComponent := index $imageComponents 0 }}
+{{ if or (lt (len $imageComponents) 2) (and (not (contains ":" $firstComponent)) (not (contains "." $firstComponent))) }}
+ {{ $imageRef = printf "docker.io/%s" $imageRef }}
+{{ end }}
+{{ $_ := set $imageCfg "fullRef" $imageRef }}
+{{ $_ = set $._rox._state.referencedImages $imageRef true }}
+{{ end }}
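Review bot: The header states `$imageCfg.name` must be non-empty, but `srox.configureImage` never checks it, so an empty name silently produces a ref such as `docker.io/:latest` that only fails at pull time. A guard before the `printf` makes the contract enforceable: `{{ if not $imageCfg.name }}{{ include "srox.fail" "image name must be non-empty when fullRef is not set" }}{{ end }}`. The documented fallback to the mutable `latest` tag is also worth surfacing via `srox.note` when it is taken, since a floating tag makes the deployed image non-reproducible.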
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/_init.tpl b/rhacs/3.0.59.0/secured-cluster-services/templates/_init.tpl
new file mode 100644
index 0000000..a2b3ece
--- /dev/null
+++ b/rhacs/3.0.59.0/secured-cluster-services/templates/_init.tpl
@@ -0,0 +1,206 @@ +{{/* + srox.init $ + + Initialization template for the internal data structures. + This template is designed to be included in every template file, but will only be executed + once by leveraging state sharing between templates. + */}} +{{ define "srox.init" }} + +{{ $ := . }} + +{{/* + On first(!) instantiation, set up the $._rox structure, containing everything required by + the resource template files. + */}} +{{ if not $._rox }} + +{{/* + Calculate the fingerprint of the input config. + */}} +{{ $configFP := printf "%s-%d" (.Values | toJson | sha256sum) .Release.Revision }} + +{{/* + Initial Setup + */}} + +{{ $values := deepCopy $.Values }} +{{ include "srox.applyCompatibilityTranslation" (list $ $values) }} + +{{/* + $rox / ._rox is the dictionary in which _all_ data that is modified by the init logic + is stored. + We ensure that it has the required shape, and then right after merging the user-specified + $.Values, we apply some bootstrap defaults. + */}} +{{ $rox := deepCopy $values }} +{{ $_ := include "srox.mergeInto" (list $rox ($.Files.Get "internal/config-shape.yaml" | fromYaml)) }} +{{ $_ = set $ "_rox" $rox }} + +{{/* Set the config fingerprint */}} +{{ $_ = set $._rox "_configFP" $configFP }} + +{{/* Global state (accessed from sub-templates) */}} +{{ $state := dict "notes" list "warnings" list "referencedImages" dict }} +{{ $_ = set $._rox "_state" $state }} + +{{/* + API Server setup. The problem with `.Capabilities.APIVersions` is that Helm does not + allow setting overrides for those when using `helm template` or `--dry-run`. Thus, + if we rely on `.Capabilities.APIVersions` directly, we lose flexibility for our chart + in these settings. Therefore, we use custom fields such that a user in principle has + the option to inject via `--set`/`-f` everything we rely upon. 
+ */}} +{{ $apiResources := list }} +{{ if not (kindIs "invalid" $._rox.meta.apiServer.overrideAPIResources) }} + {{ $apiResources = $._rox.meta.apiServer.overrideAPIResources }} +{{ else }} + {{ range $apiResource := $.Capabilities.APIVersions }} + {{ $apiResources = append $apiResources $apiResource }} + {{ end }} +{{ end }} +{{ if $._rox.meta.apiServer.extraAPIResources }} + {{ $apiResources = concat $apiResources $._rox.meta.apiServer.extraAPIResources }} +{{ end }} +{{ $apiServerVersion := coalesce $._rox.meta.apiServer.version $.Capabilities.KubeVersion.Version }} +{{ $apiServer := dict "apiResources" $apiResources "version" $apiServerVersion }} +{{ $_ = set $._rox "_apiServer" $apiServer }} + +{{ include "srox.applyDefaults" $ }} + +{{/* Expand applicable config values */}} +{{ $expandables := $.Files.Get "internal/expandables.yaml" | fromYaml }} +{{ include "srox.expandAll" (list $ $rox $expandables) }} + +{{/* + General validation of effective settings. + */}} + +{{ if not $.Release.IsUpgrade }} +{{ if ne $._rox._namespace "stackrox" }} + {{ if $._rox.allowNonstandardNamespace }} + {{ include "srox.note" (list $ (printf "You have chosen to deploy to namespace '%s'." $._rox._namespace)) }} + {{ else }} + {{ include "srox.fail" (printf "You have chosen to deploy to namespace '%s', not 'stackrox'. If this was accidental, please re-run helm with the '-n stackrox' option. Otherwise, if you need to deploy into this namespace, set the 'allowNonstandardNamespace' configuration value to true." $._rox._namespace) }} + {{ end }} +{{ end }} +{{ end }} + +{{/* If a cluster name should change the confirmNewClusterName value must match clusterName. */}} +{{ if and $._rox.confirmNewClusterName (ne $._rox.confirmNewClusterName $._rox.clusterName) }} + {{ include "srox.fail" (printf "Failed to change cluster name. Values for confirmNewClusterName '%s' did not match clusterName '%s'." 
$._rox.confirmNewClusterName $._rox.clusterName) }} +{{ end }} + + +{{ if not $.Release.IsUpgrade }} +{{ if ne $.Release.Name $.Chart.Name }} + {{ if $._rox.allowNonstandardReleaseName }} + {{ include "srox.warn" (list $ (printf "You have chosen a release name of '%s', not '%s'. Accompanying scripts and commands in documentation might require adjustments." $.Release.Name $.Chart.Name)) }} + {{ else }} + {{ include "srox.fail" (printf "You have chosen a release name of '%s', not '%s'. We strongly recommend using the standard release name. If you must use a different name, set the 'allowNonstandardReleaseName' configuration option to true." $.Release.Name $.Chart.Name) }} + {{ end }} +{{ end }} +{{ end }} + + + +{{/* + Environment setup +*/}} + +{{/* Infer openshift version */}} +{{ if and $._rox.env.openshift (kindIs "bool" $._rox.env.openshift) }} + {{/* Parse and add KubeVersion as semver from built-in resources. This is necessary to compare valid integer numbers. */}} + {{ $kubeVersion := semver .Capabilities.KubeVersion.Version }} + + {{/* Default to OpenShift 3 if no openshift resources are available, i.e. in helm tempalte commands */}} + {{ if not (has "apps.openshift.io/v1" $._rox._apiServer.apiResources) }} + {{ $_ := set $._rox.env "openshift" 3 }} + {{ else if gt $kubeVersion.Minor 11 }} + {{ $_ := set $._rox.env "openshift" 4 }} + {{ else }} + {{ $_ := set $._rox.env "openshift" 3 }} + {{ end }} + + {{ include "srox.note" (list $ (printf "Based on API server properties, we have inferred that you are deploying into an OpenShift %d cluster. Set the `env.openshift` property explicitly to 3 or 4 to override the auto-sensed value." 
$._rox.env.openshift)) }} +{{ end }} +{{ if not (kindIs "bool" $._rox.env.openshift) }} + {{ $_ := set $._rox.env "openshift" (int $._rox.env.openshift) }} +{{ else if not $._rox.env.openshift }} + {{ $_ := set $._rox.env "openshift" 0 }} +{{ end }} + +{{ if and $._rox.admissionControl.dynamic.enforceOnCreates (not $._rox.admissionControl.listenOnCreates) }} + {{ include "srox.warn" (list $ "Incompatible settings: 'admissionControl.dynamic.enforceOnCreates' is set to true, while `admissionControl.listenOnCreates` is set to false. For the feature to be active, enable both settings by setting them to true.") }} +{{ end }} + +{{ if and $._rox.admissionControl.dynamic.enforceOnUpdates (not $._rox.admissionControl.listenOnUpdates) }} + {{ include "srox.warn" (list $ "Incompatible settings: 'admissionControl.dynamic.enforceOnUpdates' is set to true, while `admissionControl.listenOnUpdates` is set to false. For the feature to be active, enable both settings by setting them to true.") }} +{{ end }} + +{{ if and (eq $._rox.env.openshift 3) $._rox.admissionControl.listenOnEvents }} + {{ include "srox.fail" "'admissionControl.listenOnEvents' is set to true, but the chart is being deployed in OpenShift 3.x compatibility mode, which does not work with this feature. Set 'env.openshift' to '4' in order to enable OpenShift 4.x features." }} +{{ end }} + +{{/* Initial image pull secret setup. 
*/}} +{{ include "srox.mergeInto" (list $._rox.mainImagePullSecrets $._rox.imagePullSecrets) }} +{{ include "srox.configureImagePullSecrets" (list $ "mainImagePullSecrets" $._rox.mainImagePullSecrets "secured-cluster-services-main" (list "stackrox") $._rox._namespace) }} +{{ include "srox.mergeInto" (list $._rox.collectorImagePullSecrets $._rox.imagePullSecrets) }} +{{ include "srox.configureImagePullSecrets" (list $ "collectorImagePullSecrets" $._rox.collectorImagePullSecrets "secured-cluster-services-collector" (list "stackrox" "collector-stackrox") $._rox._namespace) }} + +{{/* Additional CAs. */}} +{{ $additionalCAList := list }} +{{ if kindIs "string" $._rox.additionalCAs }} + {{ if $._rox.additionalCAs }} + {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $._rox.additionalCAs) }} + {{ end }} +{{ else if kindIs "slice" $._rox.additionalCAs }} + {{ range $contents := $._rox.additionalCAs }} + {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $contents) }} + {{ end }} +{{ else if kindIs "map" $._rox.additionalCAs }} + {{ range $name := keys $._rox.additionalCAs | sortAlpha }} + {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (get $._rox.additionalCAs $name)) }} + {{ end }} +{{ else if not (kindIs "invalid" $._rox.additionalCAs) }} + {{ include "srox.fail" (printf "Invalid kind %s for additionalCAs" (kindOf $._rox.additionalCAs)) }} +{{ end }} +{{ range $path, $contents := .Files.Glob "secrets/additional-cas/**" }} + {{ $name := trimPrefix "secrets/additional-cas/" $path }} + {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (toString $contents)) }} +{{ end }} +{{ $additionalCAs := dict }} +{{ range $idx, $elem := $additionalCAList }} + {{ if not (kindIs "string" $elem.contents) }} + {{ include "srox.fail" (printf "Invalid non-string contents kind %s at index %d (%q) of additionalCAs" (kindOf $elem.contents) $idx $elem.name) }} + {{ end }} + 
{{/* In a k8s secret, no characters other than alphanumeric, '.', '_' and '-' are allowed. Also, for the + update-ca-certificates script to work, the file names must end in '.crt'. */}} + + {{ $normalizedName := printf "%02d-%s.crt" $idx (regexReplaceAll "[^[:alnum:]._-]" $elem.name "-" | trimSuffix ".crt") }} + {{ $_ := set $additionalCAs $normalizedName $elem.contents }} +{{ end }} +{{ $_ = set $._rox "_additionalCAs" $additionalCAs }} + +{{/* + Final validation (after merging in defaults). + */}} + +{{ if and ._rox.helmManaged (not ._rox.clusterName) }} + {{ include "srox.fail" "No cluster name specified. Set 'clusterName' to the desired cluster name." }} +{{ end }} + +{{/* Image settings */}} +{{ include "srox.configureImage" (list $ ._rox.image.main) }} +{{ include "srox.configureImage" (list $ ._rox.image.collector) }} + +{{/* + Post-processing steps. + */}} + +{{ include "srox.configureImagePullSecretsForDockerRegistry" (list $ ._rox.mainImagePullSecrets) }} +{{ include "srox.configureImagePullSecretsForDockerRegistry" (list $ ._rox.collectorImagePullSecrets) }} + +{{ end }} + +{{ end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/_lookup.tpl b/rhacs/3.0.59.0/secured-cluster-services/templates/_lookup.tpl new file mode 100644 index 0000000..17f6306 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/_lookup.tpl 
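Review bot: The OpenShift inference under `Infer openshift version` reads `.Capabilities.KubeVersion.Version` directly, bypassing the `meta.apiServer.version` override that the preceding comment introduces precisely so that `helm template`/`--dry-run` users can inject every API-server property the chart relies upon; `{{ $kubeVersion := semver $._rox._apiServer.version }}` would honor it. Separately, `{{ $_ := set $._rox.env "openshift" (int $._rox.env.openshift) }}` appears to turn an unparsable value such as `"4.7"` or `"yes"` into `0`, i.e. non-OpenShift mode, which silently disables the SCC templates; a check after the coercion like `{{ if not (has $._rox.env.openshift (list 0 3 4)) }}{{ include "srox.fail" "env.openshift must be 3, 4, true or false" }}{{ end }}` would catch typos instead. The comment `Default to OpenShift 3 if no openshift resources are available, i.e. in helm tempalte commands` has a typo (`template`).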
@@ -0,0 +1,40 @@ +{{/* + srox.safeLookup $ $out $apiVersion $kind $ns $name + + This function does nothing if $.meta.useLookup is false; otherwise, it will + perform a `lookup $apiVersion $kind $ns $name` operation and store the result in + $out.result. + + Additionally, if a lookup was attempted, $out.reliable will contain a bool indicating + whether the result of lookup can be relied upon. This is determined to be the case if + the default service account in the release namespace can be found. + */}} +{{ define "srox.safeLookup" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ if $._rox.meta.useLookup }} + {{ if kindIs "invalid" $._rox._state.lookupWorks }} + {{ $testOut := dict }} + {{ include "srox._doLookup" (list $ $testOut "v1" "ServiceAccount" $._rox._namespace "default") }} + {{ $_ := set $._rox._state "lookupWorks" ($testOut.result | not | not) }} + {{ end }} + {{ include "srox._doLookup" . }} + {{ $_ := set $out "reliable" $._rox._state.lookupWorks }} +{{ end }} +{{ end }} + + +{{/* + srox._doLookup $ $out $apiVersion $kind $ns $name + + Calls "lookup" with arguments $apiVersion $kind $ns $name, and stores the result + in $out.result. + + This function exists to prevent a parse error if the lookup function isn't defined. It does + so by deferring the execution of lookup to a template string instantiated via `tpl`. + */}} +{{ define "srox._doLookup" }} +{{ $ := index . 0 }} +{{ $tplArgs := dict "Template" $.Template "out" (index . 1) "apiVersion" (index . 2) "kind" (index . 3) "ns" (index . 4) "name" (index . 5) }} +{{ $_ := tpl "{{ $_ := set .out \"result\" (lookup .apiVersion .kind .ns .name) }}" $tplArgs }} +{{ end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/_metadata.tpl b/rhacs/3.0.59.0/secured-cluster-services/templates/_metadata.tpl new file mode 100644 index 0000000..ed8fd3b --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/_metadata.tpl 
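Review bot: The `srox.safeLookup` header comment refers to `$.meta.useLookup`, while the code tests `$._rox.meta.useLookup`; the comment should read `This function does nothing if $._rox.meta.useLookup is false`. It would also help callers to state that `$out.result` is left unset (not cleared) when lookups are disabled, so they must test with `kindIs "invalid"` rather than assume a dict, and that `reliable` comes from a probe of the `default` ServiceAccount cached once per render in `$._rox._state.lookupWorks`, so a namespace that does not exist yet (for example first install with `--create-namespace`) makes every lookup in that render unreliable.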
@@ -0,0 +1,187 @@ +{{/* + srox.labels $ $objType $objName + + Format labels for $objType/$objName as YAML. + */}} +{{- define "srox.labels" -}} +{{- $labels := dict -}} +{{- $_ := include "srox._labels" (append (prepend . $labels) false) -}} +{{- toYaml $labels -}} +{{- end -}} + +{{/* + srox.podLabels $ $objType $objName + + Format pod labels for $objType/$objName as YAML. + */}} +{{- define "srox.podLabels" -}} +{{- $labels := dict -}} +{{- $_ := include "srox._labels" (append (prepend . $labels) true) -}} +{{- toYaml $labels -}} +{{- end -}} + +{{/* + srox.annotations $ $objType $objName + + Format annotations for $objType/$objName as YAML. + */}} +{{- define "srox.annotations" -}} +{{- $annotations := dict -}} +{{- $_ := include "srox._annotations" (append (prepend . $annotations) false) -}} +{{- toYaml $annotations -}} +{{- end -}} + +{{/* + srox.podAnnotations $ $objType $objName + + Format pod annotations for $objType/$objName as YAML. + */}} +{{- define "srox.podAnnotations" -}} +{{- $annotations := dict -}} +{{- $_ := include "srox._annotations" (append (prepend . $annotations) true) -}} +{{- toYaml $annotations -}} +{{- end -}} + +{{/* + srox.envVars $ $objType $objName $containerName + + Format environment variables for container $containerName in + $objType/$objName as YAML. + */}} +{{- define "srox.envVars" -}} +{{- $envVars := dict -}} +{{- $_ := include "srox._envVars" (prepend . $envVars) -}} +{{- range $k, $v := $envVars -}} +- name: {{ quote $k }} + value: {{ quote $v }} +{{ end -}} +{{- end -}} + +{{/* + srox._labels $labels $ $objType $objName $forPod + + Writes all applicable [pod] labels (including default labels) for $objType/$objName + into $labels. Pod labels are written iff $forPod is true. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.labels". + */}} +{{ define "srox._labels" }} +{{ $labels := index . 0 }} +{{ $ := index . 
1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $forPod := index . 4 }} +{{ $_ := set $labels "app.kubernetes.io/name" "stackrox" }} +{{ $_ = set $labels "app.kubernetes.io/managed-by" $.Release.Service }} +{{ $_ = set $labels "helm.sh/chart" (printf "%s-%s" $.Chart.Name ($.Chart.Version | replace "+" "_")) }} +{{ $_ = set $labels "app.kubernetes.io/instance" $.Release.Name }} +{{ $_ = set $labels "app.kubernetes.io/version" $.Chart.AppVersion }} +{{ $_ = set $labels "app.kubernetes.io/part-of" "stackrox-secured-cluster-services" }} +{{ $component := regexReplaceAll "^.*/\\d{2}-([a-z]+)-\\d{2}-[^/]+\\.yaml" $.Template.Name "${1}" }} +{{ if not (contains "/" $component) }} + {{ $_ = set $labels "app.kubernetes.io/component" $component }} +{{ end }} +{{ $metadataNames := list "labels" }} +{{ if $forPod }} + {{ $metadataNames = append $metadataNames "podLabels" }} +{{ end }} +{{ include "srox._customizeMetadata" (list $ $labels $objType $objName $metadataNames) }} +{{ end }} + +{{/* + srox._annotations $annotations $ $objType $objName $forPod + + Writes all applicable [pod] annotations (including default annotations) for + $objType/$objName into $annotations. Pod labels are written iff $forPod is true. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.annotations". + */}} +{{ define "srox._annotations" }} +{{ $annotations := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $forPod := index . 
4 }} +{{ $_ := set $annotations "meta.helm.sh/release-namespace" $.Release.Namespace }} +{{ $_ = set $annotations "meta.helm.sh/release-name" $.Release.Name }} +{{ $_ = set $annotations "owner" "stackrox" }} +{{ $_ = set $annotations "email" "support@stackrox.com" }} +{{ $metadataNames := list "annotations" }} +{{ if $forPod }} + {{ $metadataNames = append $metadataNames "podAnnotations" }} +{{ end }} +{{ include "srox._customizeMetadata" (list $ $annotations $objType $objName $metadataNames) }} +{{ end }} + +{{/* + srox._envVars $envVars $ $objType $objName $containerName + + Writes all applicable [pod] labels (including default labels) for $objType/$objName + into $labels. Pod labels are written iff $forPod is true. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.labels". + */}} +{{ define "srox._envVars" }} +{{ $envVars := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $containerName := index . 
4 }} +{{ $metadataNames := list "envVars" }} +{{ include "srox._customizeMetadata" (list $ $envVars $objType $objName $metadataNames) }} +{{ if $containerName }} + {{ $containerKey := printf "/%s" $containerName }} + {{ $envVarsForContainer := index $envVars $containerKey }} + {{ if $envVarsForContainer }} + {{ include "srox.destructiveMergeOverwrite" (list $envVars $envVarsForContainer) }} + {{ end }} +{{ end }} + +{{/* Remove all entries starting with / */}} +{{ range $key, $_ := $envVars }} + {{ if hasPrefix "/" $key }} + {{ $_ := unset $envVars $key }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox._customizeMetadata $ $metadata $objType $objName $metadataNames + + Writes custom key/value metadata to $metadata by consulting all sub-dicts with names in + $metadataNames under the applicable custom metadata locations (._rox.customize, + ._rox.customize.other.$objType/*, ._rox.customize.other.$objType/$objName, and + ._rox.customizer.$objName [workloads only]). Dictionaries are consulted in this order, with + values from dictionaries consulted later overwriting values from dictionaries consulted + earlier. + */}} +{{ define "srox._customizeMetadata" }} +{{ $ := index . 0 }} +{{ $metadata := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $metadataNames := index . 
4 }} + +{{ $overrideDictPaths := list "" (printf "other.%s/*" $objType) (printf "other.%s/%s" $objType $objName) }} +{{ if has $objType (list "deployment" "daemonset") }} + {{ $overrideDictPaths = append $overrideDictPaths $objName }} +{{ end }} + +{{ range $dictPath := $overrideDictPaths }} + {{ $customizeDict := $._rox.customize }} + {{ if $dictPath }} + {{ $resolvedOut := dict }} + {{ include "srox.safeDictLookup" (list $._rox.customize $resolvedOut $dictPath) }} + {{ $customizeDict = $resolvedOut.result }} + {{ end }} + {{ if $customizeDict }} + {{ range $metadataName := $metadataNames }} + {{ $customMetadata := index $customizeDict $metadataName }} + {{ include "srox.destructiveMergeOverwrite" (list $metadata $customMetadata) }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/_reporting.tpl b/rhacs/3.0.59.0/secured-cluster-services/templates/_reporting.tpl new file mode 100644 index 0000000..621e284 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/_reporting.tpl @@ -0,0 +1,34 @@ +{{/* + srox.fail $message + + Print a nicely-formatted fatal error message and exit. + */}} +{{ define "srox.fail" }} +{{ printf "\n\nFATAL ERROR:\n%s" . | wrap 100 | fail }} +{{ end }} + +{{/* + srox.warn $ $message + + Add $message to the list of encountered warnings. + */}} +{{ define "srox.warn" }} +{{ $ := index . 0 }} +{{ $msg := index . 1 }} +{{ $warnings := $._rox._state.warnings }} +{{ $warnings = append $warnings $msg }} +{{ $_ := set $._rox._state "warnings" $warnings }} +{{ end }} + +{{/* + srox.note $ $message + + Add $message to the list notes that will be shown to the user after installation/upgrade. + */}} +{{ define "srox.note" }} +{{ $ := index . 0 }} +{{ $msg := index . 1 }} +{{ $notes := $._rox._state.notes }} +{{ $notes = append $notes $msg }} +{{ $_ := set $._rox._state "notes" $notes }} +{{ end }} 
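Review bot: The `app.kubernetes.io/component` label in `srox._labels` is derived from `$.Template.Name` with the pattern `^.*/\d{2}-([a-z]+)-\d{2}-[^/]+\.yaml`, which fits the numbered central-services file names but none of the templates added in this commit (`additional-ca-sensor.yaml`, `admission-controller-netpol.yaml`, and so on); since the unmatched name still contains `/`, the label is silently never emitted for this chart. Either adopt the numbered naming scheme here or derive the component another way, for instance from the `auto-upgrade.stackrox.io/component` value the templates already set. The header comments of `srox._annotations` and `srox._envVars` are copied from `srox._labels`: `_annotations` should say `Pod annotations are written iff $forPod is true`, and `_envVars` should describe that it writes the merged `envVars` entries for $objType/$objName into $envVars, applies the `/$containerName` sub-dict last, and then drops all `/`-prefixed keys.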
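Review bot: `srox.fail` takes the message as its bare argument, while `srox.warn` and `srox.note` take `(list $ $message)`, so a caller that uses the list form with `srox.fail` by analogy gets the Go representation of the list printed as the fatal error instead of a readable message. A comment on the define — `{{/* NOTE: unlike srox.warn/srox.note, the argument is the message string itself, not (list $ $message). */}}` — or accepting both forms via a `kindIs "slice" .` check would remove the trap. `srox.warn` and `srox.note` are otherwise identical apart from the target list; a shared helper taking the key name would keep them from drifting.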
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/additional-ca-sensor.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/additional-ca-sensor.yaml new file mode 100644 index 0000000..aa1801c --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/additional-ca-sensor.yaml @@ -0,0 +1,19 @@ +{{- include "srox.init" . -}} + +{{- if ._rox._additionalCAs }} +apiVersion: v1 +kind: Secret +metadata: + name: additional-ca-sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "additional-ca-sensor") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "additional-ca-sensor") | nindent 4 }} +type: Opaque +stringData: + {{- range $name, $cert := ._rox._additionalCAs }} + {{ $name | quote }}: | + {{- $cert | nindent 4 }} + {{- end }} +{{- end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-netpol.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-netpol.yaml new file mode 100644 index 0000000..1ab0341 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-netpol.yaml 
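Review bot: The `additional-ca-sensor` Secret lacks the `auto-upgrade.stackrox.io/component: "sensor"` label that every other sensor-side object in this commit carries in `metadata.labels`; if the sensor upgrader selects managed objects by that label, this Secret would be skipped on upgrades. Adding `auto-upgrade.stackrox.io/component: "sensor"` after the `srox.labels` include matches the sibling templates. Since the admission-control Deployment mounts this Secret at `/usr/local/share/ca-certificates/` with `optional: true`, a short comment that the keys are already normalized to `NN-name.crt` by `srox.init` (the form `update-ca-certificates` requires) would save the next reader a trip to `_init.tpl`.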
@@ -0,0 +1,46 @@ +{{- include "srox.init" . -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: admission-control-no-ingress + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "admission-control-no-ingress") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "admission-control-no-ingress") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: admission-control + ingress: + - ports: + - protocol: TCP + port: 8443 + policyTypes: + - Ingress + +{{- if ._rox.admissionControl.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: admission-control-monitoring + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "admission-control-monitoring") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "admission-control-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: admission-control + policyTypes: + - Ingress +{{- end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-pod-security.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-pod-security.yaml new file mode 100644 index 0000000..db9b92d --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-pod-security.yaml 
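Review bot: The `admission-control-no-ingress` policy admits TCP 8443 from any peer (its ingress rule has no `from`), so the name no longer describes what it enforces; a comment above the rule such as `# Webhook port must be reachable from the API server, whose source cannot be selected by label` would explain why the source is deliberately left open. The `admission-control-monitoring` rule likewise exposes 9090 cluster-wide, but unlike the webhook the scrape source is a known workload, so a `from:` with a `namespaceSelector`/`podSelector` for the monitoring stack (or a value under `admissionControl` that supplies one) would narrow it to what actually needs the metrics.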
@@ -0,0 +1,75 @@ +{{- include "srox.init" . -}} + +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: stackrox-admission-control + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-admission-control") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox-admission-control-psp + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-admission-control-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-admission-control-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - stackrox-admission-control + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-admission-control-psp + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-admission-control-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-admission-control-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: stackrox-admission-control-psp +subjects: + - kind: ServiceAccount + name: admission-control + namespace: {{ ._rox._namespace }} + 
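Review bot: The `PodSecurityPolicy` document is rendered unconditionally, whereas the equivalent SCC in `admission-controller-scc.yaml` is gated on `._rox.env.openshift`; `policy/v1beta1` PSP is deprecated and absent on clusters without that API, so the whole release would fail to install there. Wrapping the PSP, ClusterRole and RoleBinding in a check against the list `srox.init` builds for exactly this purpose, e.g. `{{- if has "policy/v1beta1/PodSecurityPolicy" ._rox._apiServer.apiResources }}`, keeps the install working on such clusters. The PSP also does not mirror the SCC's `readOnlyRootFilesystem: true` or its capability restrictions, so the two admission paths enforce different baselines for the same pod; the trailing blank `+` line at the end of the file should go as well.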
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-rbac.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-rbac.yaml new file mode 100644 index 0000000..1e4e11e --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-rbac.yaml @@ -0,0 +1,50 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: admission-control + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "admission-control") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.mainImagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: watch-config + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "role" "watch-config") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "role" "watch-config") | nindent 4 }} +rules: + - apiGroups: [''] + resources: ['configmaps'] + verbs: ['get', 'list', 'watch'] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: admission-control-watch-config + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "admission-control-watch-config") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "admission-control-watch-config") | nindent 4 }} +subjects: + - kind: ServiceAccount + name: admission-control + namespace: {{ ._rox._namespace }} +roleRef: + kind: Role + name: watch-config + apiGroup: rbac.authorization.k8s.io 
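Review bot: The `watch-config` Role grants `get`, `list` and `watch` on every ConfigMap in the namespace, while the Deployment in this commit only consumes the `admission-control` ConfigMap. If the controller indeed watches only that object, `resourceNames: ['admission-control']` on the rule would confine it (noting that `list`/`watch` requests are only matched by `resourceNames` when the client uses a `metadata.name` field selector, so the client side may need adjusting). A one-line comment naming the ConfigMap the webhook reads would make the intended scope reviewable without reading the binary.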
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-scc.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-scc.yaml new file mode 100644 index 0000000..365fcd6 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-scc.yaml @@ -0,0 +1,44 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.env.openshift }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: admission-control + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "admission-control") | nindent 4 }} + kubernetes.io/description: admission-control is the security constraint for the admission controller +users: + - system:serviceaccount:{{ ._rox._namespace }}:admission-control +priority: 0 +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +supplementalGroups: + type: RunAsAny +fsGroup: + type: RunAsAny +groups: [] +readOnlyRootFilesystem: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: [] +defaultAddCapabilities: [] +requiredDropCapabilities: [] +volumes: + - configMap + - downwardAPI + - emptyDir + - secret +{{- end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-secret.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-secret.yaml new file mode 100644 index 0000000..3abcb9a --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller-secret.yaml 
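Review bot: `seccompProfiles: ['*']` lets the admission-control pod request any seccomp profile, and `requiredDropCapabilities: []` leaves the runtime's default capability set in place, which is looser than the rest of the constraint (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `allowedCapabilities: []`) implies. If the container runs with `runtime/default` and no capabilities — plausible for a webhook that only serves HTTPS on 8443 — `seccompProfiles: ['runtime/default']` and `requiredDropCapabilities: ['ALL']` would make the SCC match the pod's actual needs; please verify against the container before tightening. A short comment that `groups: []` is intentional (the SA is bound via `users`) would stop readers from taking it for an omission.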
@@ -0,0 +1,30 @@ +{{- include "srox.init" . -}} + +{{- if or ._rox.createSecrets (and (kindIs "invalid" ._rox.createSecrets) (or ._rox.admissionControl.serviceTLS._cert ._rox.admissionControl.serviceTLS._key)) }} + +{{/* Admission control TLS secret isn't required, so do not fail here. */}} +{{- if and ._rox.ca._cert ._rox.admissionControl.serviceTLS._cert ._rox.admissionControl.serviceTLS._key }} + +apiVersion: v1 +kind: Secret +metadata: + name: admission-control-tls + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "admission-control-tls") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + {{- include "srox.annotations" (list . "secret" "admission-control-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox.ca._cert | nindent 4 }} + admission-control-cert.pem: | + {{- ._rox.admissionControl.serviceTLS._cert | nindent 4 }} + admission-control-key.pem: | + {{- ._rox.admissionControl.serviceTLS._key | nindent 4 }} + +{{- end }} +{{- end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller.yaml new file mode 100644 index 0000000..85aba33 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/admission-controller.yaml 
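Review bot: When `createSecrets` is explicitly true but `ca._cert`, `serviceTLS._cert` or `serviceTLS._key` is missing, the inner `if` silently renders nothing; because the Deployment mounts `admission-control-tls` with `optional: true`, the webhook then starts without its TLS identity and the operator only learns why from pod logs. An `{{- else }}{{ include "srox.warn" (list . "admission-control-tls was not created: ca.cert, admissionControl.serviceTLS.cert and admissionControl.serviceTLS.key are all required") }}` branch keeps the non-fatal behaviour the comment asks for while surfacing the cause alongside the chart's other warnings. Stylistically, `auto-upgrade.stackrox.io/component: sensor` is unquoted here while every sibling template writes `"sensor"`.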
@@ -0,0 +1,241 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: admission-control + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "deployment" "admission-control") | nindent 4 }} + app: admission-control + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "deployment" "admission-control") | nindent 4 }} +spec: + replicas: 3 + minReadySeconds: 0 + selector: + matchLabels: + app: admission-control + template: + metadata: + namespace: {{ ._rox._namespace }} + labels: + app: admission-control + {{- include "srox.podLabels" (list . "deployment" "admission-control") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8443" + {{- include "srox.podAnnotations" (list . "deployment" "admission-control") | nindent 8 }} + spec: + # Attempt to schedule these on master nodes + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: In + values: + - "true" + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 60 + podAffinityTerm: + namespaces: ["stackrox"] + topologyKey: "kubernetes.io/hostname" + labelSelector: + matchLabels: + app: admission-control + {{- if ._rox.admissionControl._nodeSelector }} + nodeSelector: + {{- ._rox.admissionControl._nodeSelector | nindent 8 }} + {{- end}} + securityContext: + runAsUser: 4000 + fsGroup: 4000 + serviceAccountName: admission-control + containers: + - image: {{ quote ._rox.image.main.fullRef }} + imagePullPolicy: {{ ._rox.admissionControl.imagePullPolicy }} + name: admission-control + readinessProbe: + httpGet: + scheme: HTTPS + path: /ready + port: 8443 + initialDelaySeconds: 5 + periodSeconds: 5 + failureThreshold: 1 + ports: + - containerPort: 8443 + name: webhook + command: + - admission-control + resources: + {{- 
._rox.admissionControl._resources | nindent 12 }} + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + env: + - name: ROX_SENSOR_ENDPOINT + value: {{ ._rox.sensor.endpoint }} + {{- include "srox.envVars" (list . "deployment" "admission-controller" "admission-controller") | nindent 10 }} + volumeMounts: + - name: config + mountPath: /run/config/stackrox.io/admission-control/config/ + readOnly: true + - name: config-store + mountPath: /var/lib/stackrox/admission-control/ + - name: ca + mountPath: /run/secrets/stackrox.io/ca/ + readOnly: true + - name: certs + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: ssl + mountPath: /etc/ssl + - name: pki + mountPath: /etc/pki/ca-trust/ + - name: additional-cas + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + volumes: + - name: certs + secret: + secretName: admission-control-tls + optional: true + items: + - key: admission-control-cert.pem + path: cert.pem + - key: admission-control-key.pem + path: key.pem + - key: ca.pem + path: ca.pem + - name: ca + secret: + secretName: service-ca + optional: true + - name: config + configMap: + name: admission-control + optional: true + - name: config-store + emptyDir: {} + - name: ssl + emptyDir: {} + - name: pki + emptyDir: {} + - name: additional-cas + secret: + secretName: additional-ca-sensor + optional: true +--- + +apiVersion: v1 +kind: Service +metadata: + name: admission-control + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "service" "admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"service" "admission-control") | nindent 4 }} +spec: + ports: + - name: https + port: 443 + targetPort: webhook + protocol: TCP + selector: + app: admission-control + type: ClusterIP + sessionAffinity: None +--- + +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: stackrox + labels: + {{- include "srox.labels" (list . "validatingwebhookconfiguration" "stackrox") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "validatingwebhookconfiguration" "stackrox") | nindent 4 }} +{{- if not (or ._rox.admissionControl.listenOnEvents ._rox.admissionControl.listenOnCreates ._rox.admissionControl.listenOnUpdates) }} +webhooks: [] +{{else}} +webhooks: + {{- if or ._rox.admissionControl.listenOnCreates ._rox.admissionControl.listenOnUpdates }} + - name: policyeval.stackrox.io + {{- if not (eq ._rox.env.openshift 3) }} + sideEffects: NoneOnDryRun + {{- end }} + rules: + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + {{- if ._rox.admissionControl.listenOnCreates }} + - CREATE + {{- end }} + {{- if ._rox.admissionControl.listenOnUpdates }} + - UPDATE + {{- end }} + resources: + - pods + - deployments + - replicasets + - replicationcontrollers + - statefulsets + - daemonsets + - cronjobs + - jobs + {{- if ._rox.env.openshift }} + - deploymentconfigs + {{- end }} + namespaceSelector: + matchExpressions: + - key: namespace.metadata.stackrox.io/name + operator: NotIn + values: + - stackrox + - kube-system + - kube-public + - istio-system + failurePolicy: Ignore + clientConfig: + caBundle: {{ required "The 'ca.cert' config option MUST be set to StackRox's Service CA certificate in order for the admission controller to be usable" ._rox.ca._cert | b64enc }} + service: + namespace: {{ ._rox._namespace }} + name: admission-control + path: /validate + {{- end}} + {{- if ._rox.admissionControl.listenOnEvents }} + - name: k8sevents.stackrox.io + {{- if not (eq 
._rox.env.openshift 3) }} + sideEffects: NoneOnDryRun + {{- end }} + rules: + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CONNECT + resources: + - pods + - pods/attach + - pods/exec + - pods/portforward + failurePolicy: Ignore + clientConfig: + caBundle: {{ required "The 'ca.cert' config option MUST be set to StackRox's Service CA certificate in order for the admission controller to be usable" ._rox.ca._cert | b64enc }} + service: + namespace: {{ ._rox._namespace }} + name: admission-control + path: /events + {{- end }} +{{- end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/cluster-config.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/cluster-config.yaml new file mode 100644 index 0000000..20c81f6 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/cluster-config.yaml @@ -0,0 +1,14 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: Secret +metadata: + name: helm-cluster-config + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "helm-cluster-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "helm-cluster-config") | nindent 4 }} +stringData: + config.yaml: | + {{- tpl (.Files.Get "internal/cluster-config.yaml.tpl") . | nindent 4 }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/collector-netpol.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/collector-netpol.yaml new file mode 100644 index 0000000..d38422a --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/collector-netpol.yaml 
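Review bot: The namespace exemption in both webhooks keys on a mutable label, `namespace.metadata.stackrox.io/name`, rather than on the namespace's actual name, so any principal that can `patch` a namespace can label it `kube-system` (or `stackrox`) and take that namespace out of policy evaluation and exec/portforward auditing entirely. The label appears to be maintained by sensor (the `stackrox:update-namespaces` ClusterRole grants `update` on namespaces), which is presumably why it is used, but that trust assumption should be stated next to the selector, e.g. `# exemption relies on a sensor-managed label that a namespace admin can also set; on clusters that have the immutable kubernetes.io/metadata.name label, prefer that key`. Separately, the podAntiAffinity term hard-codes `namespaces: ["stackrox"]` while everything else in the file uses `{{ ._rox._namespace }}`; for a non-default namespace the term never matches and all three replicas may land on one node, which matters for a `failurePolicy: Ignore` webhook because losing that node silently disables enforcement. Change it to `namespaces: [{{ quote ._rox._namespace }}]`.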
@@ -0,0 +1,42 @@ +{{- include "srox.init" . -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: collector-no-ingress + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "collector-no-ingress") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "collector-no-ingress") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: collector + policyTypes: + - Ingress + +{{ if ._rox.collector.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: collector-monitoring + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "collector-monitoring") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "collector-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: collector + policyTypes: + - Ingress +{{ end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/collector-pod-security.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/collector-pod-security.yaml new file mode 100644 index 0000000..6c219a3 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/collector-pod-security.yaml 
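Review bot: The `collector-monitoring` policy's ingress rule has a `ports` entry but no `from`, which in NetworkPolicy semantics admits every source — pods in any namespace and, where pod IPs are routable, clients outside the cluster — to collector's port 9090. Scrapers normally live in one namespace, so the rule should carry a `from` block with a `namespaceSelector` (and ideally a `podSelector`) taken from values rather than defaulting to all sources. It is also worth a comment next to `collector-no-ingress` that both policies are only enforced by a CNI that implements NetworkPolicy, so readers do not treat the default-deny as a guarantee.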
@@ -0,0 +1,70 @@ +{{- include "srox.init" . -}} + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox-collector-psp + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-collector-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-collector-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - stackrox-collector + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-collector-psp + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-collector-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-collector-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: stackrox-collector-psp +subjects: + - kind: ServiceAccount + name: collector + namespace: {{ ._rox._namespace }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: stackrox-collector + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-collector") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-collector") | nindent 4 }} +spec: + privileged: true + allowPrivilegeEscalation: true + allowedCapabilities: + - '*' + volumes: + - '*' + allowedHostPaths: + - pathPrefix: / + readOnly: true + hostNetwork: false + hostIPC: false + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' 
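Review bot: The PodSecurityPolicy permits more than the collector DaemonSet uses or the OpenShift SCC for the same service account allows: `hostPID: true` here versus `allowHostPID: false` in collector-scc.yaml and no `hostPID` in the pod spec, `volumes: ['*']` where the DaemonSet only needs `hostPath`, `emptyDir` and `secret`, and `allowedCapabilities: ['*']` on top of `privileged: true`. On a cluster where PSP is the only pod admission control, a pod created under the `collector` service account could therefore use the host PID namespace and arbitrary volume types that the SCC would reject. Set `hostPID: false` and enumerate `volumes: [hostPath, emptyDir, secret]` so both policies describe the same envelope; `privileged: true` with the read-only `allowedHostPaths` is unavoidable for the collector container as written.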
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/collector-rbac.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/collector-rbac.yaml new file mode 100644 index 0000000..5d4ffd9 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/collector-rbac.yaml @@ -0,0 +1,16 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: collector + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "collector") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "collector") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := concat ._rox.collectorImagePullSecrets._names ._rox.mainImagePullSecrets._names | uniq }} +- name: {{ quote $secretName }} +{{- end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/collector-scc.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/collector-scc.yaml new file mode 100644 index 0000000..313c4ff --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/collector-scc.yaml 
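Review bot: The `collector` ServiceAccount's API token will be auto-mounted into every collector pod, yet nothing in the DaemonSet appears to talk to the Kubernetes API: the collector container speaks gRPC to sensor and the compliance container reads its node name via the downward API. A privileged pod with the host filesystem mounted on every node is the worst place to leave an unused bearer token, so unless a consumer of it exists outside this chunk, add `automountServiceAccountToken: false` to the ServiceAccount (the PSP `use` binding is evaluated at admission time and does not need the token inside the pod).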
@@ -0,0 +1,45 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.env.openshift }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: collector + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "collector") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "collector") | nindent 4 }} + kubernetes.io/description: This SCC is based on privileged, hostaccess, and hostmount-anyuid +users: + - system:serviceaccount:{{ ._rox._namespace }}:collector +allowHostDirVolumePlugin: true +allowPrivilegedContainer: true +fsGroup: + type: RunAsAny +groups: [] +priority: 0 +readOnlyRootFilesystem: true +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +supplementalGroups: + type: RunAsAny +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowedCapabilities: [] +defaultAddCapabilities: [] +requiredDropCapabilities: [] +volumes: + - configMap + - downwardAPI + - emptyDir + - hostPath + - secret +{{- end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/collector-secret.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/collector-secret.yaml new file mode 100644 index 0000000..6b07ea2 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/collector-secret.yaml 
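Review bot: The `kubernetes.io/description` says the SCC is based on `privileged`, `hostaccess` and `hostmount-anyuid`, but the constraint explicitly turns the host-access parts off (`allowHostPID`, `allowHostIPC`, `allowHostNetwork` and `allowHostPorts` are all `false`), so the description overstates what is granted and will mislead anyone auditing SCCs. Describe what the fields actually allow: `kubernetes.io/description: privileged containers and hostPath volumes for collector; no host PID/IPC/network namespaces`. It is also worth noting in that comment that `allowedCapabilities: []` is not a restriction while `allowPrivilegedContainer: true`, since a privileged container receives the full capability set regardless.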
@@ -0,0 +1,30 @@ +{{- include "srox.init" . -}} + +{{- if or ._rox.createSecrets (and (kindIs "invalid" ._rox.createSecrets) (or ._rox.collector.serviceTLS._cert ._rox.collector.serviceTLS._key)) }} + +{{- if not (and ._rox.ca._cert ._rox.collector.serviceTLS._cert ._rox.collector.serviceTLS._key) }} + {{ include "srox.fail" "Requested secret creation, but not all of CA certificate, collector certificate, collector private key are available. Set the 'createSecrets' config option to false if you do not want secrets to be created." }} +{{- end }} + +apiVersion: v1 +kind: Secret +metadata: + labels: + {{- include "srox.labels" (list . "secret" "collector-tls") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + {{- include "srox.annotations" (list . "secret" "collector-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" + name: collector-tls + namespace: {{ ._rox._namespace }} +type: Opaque +stringData: + ca.pem: | + {{- ._rox.ca._cert | nindent 4 }} + collector-cert.pem: | + {{- ._rox.collector.serviceTLS._cert | nindent 4 }} + collector-key.pem: | + {{- ._rox.collector.serviceTLS._key | nindent 4 }} + +{{- end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/collector.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/collector.yaml new file mode 100644 index 0000000..d55763c --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/collector.yaml 
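Review bot: The `helm.sh/hook: pre-install,pre-upgrade` plus `helm.sh/resource-policy: keep` combination deserves a comment, because it changes the secret's lifecycle in ways the template does not make obvious: hook resources are not part of the release manifest, so the key material is not shown by `helm get manifest`, is not removed by `helm uninstall`, and is re-applied on every `helm upgrade` that supplies cert and key. Add above the annotations something like `# Created as a hook so it survives uninstall/upgrade; rotate by upgrading with new collector.serviceTLS values or by deleting the secret manually`. The `srox.fail` guard is the right fail-closed choice here and is worth keeping in sync with the admission-control secret, which currently skips silently on the same condition.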
@@ -0,0 +1,156 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + {{- include "srox.labels" (list . "daemonset" "collector") | nindent 4 }} + service: collector + app: collector + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "daemonset" "collector") | nindent 4 }} + name: collector + namespace: {{ ._rox._namespace }} +spec: + selector: + matchLabels: + service: collector + template: + metadata: + namespace: {{ ._rox._namespace }} + labels: + service: collector + app: collector + {{- include "srox.podLabels" (list . "daemonset" "collector") | nindent 8 }} + annotations: + {{- include "srox.podAnnotations" (list . "daemonset" "collector") | nindent 8 }} + spec: + {{- if not ._rox.collector.disableTaintTolerations }} + tolerations: + - operator: "Exists" + {{- end}} + {{- if ._rox.collector._nodeSelector }} + nodeSelector: + {{- ._rox.collector._nodeSelector | nindent 8 }} + {{- end}} + serviceAccountName: collector + containers: + {{- if ne ._rox.collector.collectionMethod "NO_COLLECTION"}} + - name: collector + image: {{ quote ._rox.image.collector.fullRef }} + imagePullPolicy: {{ ._rox.collector.imagePullPolicy }} + env: + - name: COLLECTOR_CONFIG + value: '{"tlsConfig":{"caCertPath":"/var/run/secrets/stackrox.io/certs/ca.pem","clientCertPath":"/var/run/secrets/stackrox.io/certs/cert.pem","clientKeyPath":"/var/run/secrets/stackrox.io/certs/key.pem"}}' + - name: COLLECTION_METHOD + value: {{ ._rox.collector.collectionMethod }} + - name: GRPC_SERVER + value: {{ ._rox.sensor.endpoint }} + - name: SNI_HOSTNAME + value: "sensor.stackrox" + {{- include "srox.envVars" (list . 
"daemonset" "collector" "collector") | nindent 8 }} + resources: + {{- ._rox.collector._resources | nindent 10 }} + securityContext: + capabilities: + drop: + - NET_RAW + privileged: true + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /host/var/run/docker.sock + name: var-run-docker-sock + readOnly: true + - mountPath: /host/proc + name: proc-ro + readOnly: true + - mountPath: /module + name: tmpfs-module + - mountPath: /host/etc + name: etc-ro + readOnly: true + - mountPath: /host/usr/lib + name: usr-lib-ro + readOnly: true + - mountPath: /host/sys + name: sys-ro + readOnly: true + - mountPath: /host/dev + name: dev-ro + readOnly: true + - mountPath: /run/secrets/stackrox.io/certs/ + name: certs + readOnly: true + {{- end }} + - command: + - stackrox/compliance + env: + - name: ROX_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: ROX_ADVERTISED_ENDPOINT + value: {{ quote ._rox.sensor.endpoint }} + {{- include "srox.envVars" (list . 
"daemonset" "collector" "compliance") | nindent 8 }} + image: {{ quote ._rox.image.main.fullRef }} + imagePullPolicy: {{ ._rox.collector.complianceImagePullPolicy }} + name: compliance + resources: + {{- ._rox.collector._complianceResources | nindent 10 }} + securityContext: + runAsUser: 0 + readOnlyRootFilesystem: true + seLinuxOptions: + type: "container_runtime_t" + volumeMounts: + - mountPath: /etc/ssl/ + name: etc-ssl + - mountPath: /etc/pki/ca-trust/ + name: etc-pki-volume + - mountPath: /host + name: host-root-ro + readOnly: true + - mountPath: /run/secrets/stackrox.io/certs/ + name: certs + readOnly: true + volumes: + - hostPath: + path: /var/run/docker.sock + name: var-run-docker-sock + - hostPath: + path: /proc + name: proc-ro + - emptyDir: + medium: Memory + name: tmpfs-module + - hostPath: + path: /etc + name: etc-ro + - hostPath: + path: /usr/lib + name: usr-lib-ro + - hostPath: + path: /sys/ + name: sys-ro + - hostPath: + path: /dev + name: dev-ro + - name: certs + secret: + secretName: collector-tls + items: + - key: collector-cert.pem + path: cert.pem + - key: collector-key.pem + path: key.pem + - key: ca.pem + path: ca.pem + - hostPath: + path: / + name: host-root-ro + - name: etc-ssl + emptyDir: {} + - name: etc-pki-volume + emptyDir: {} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/sensor-netpol.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/sensor-netpol.yaml new file mode 100644 index 0000000..645a918 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/sensor-netpol.yaml 
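Review bot: The compliance container runs as `runAsUser: 0` with the host root mounted at `/host` and the `container_runtime_t` SELinux type, but its securityContext sets neither `allowPrivilegeEscalation: false` nor any capability bound, so it keeps root's default capability set and can gain more through setuid binaries. Reading root-only files under `/host` plausibly needs `DAC_READ_SEARCH`/`DAC_OVERRIDE`, so do not drop everything blindly, but `allowPrivilegeEscalation: false` costs nothing for a long-running daemon and should be added; the `drop: [NET_RAW]` on the collector container is likely a no-op next to `privileged: true` and could carry a comment saying it is best-effort. Two hostPath details also merit comments: `readOnly: true` on `/var/run/docker.sock` does not stop a client from connecting to the socket (it only prevents creating files at that path), and the volume has no `type:`, so on nodes without Docker the kubelet will typically create an empty `/var/run/docker.sock` directory on the host.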
@@ -0,0 +1,59 @@ +{{- include "srox.init" . -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "sensor") | nindent 4 }} +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: collector + - podSelector: + matchLabels: + service: collector + - podSelector: + matchLabels: + app: admission-control + ports: + - port: 8443 + protocol: TCP + - ports: + - port: 9443 + protocol: TCP + podSelector: + matchLabels: + app: sensor + policyTypes: + - Ingress + +{{ if ._rox.sensor.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: sensor-monitoring + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "sensor-monitoring") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "sensor-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: sensor + policyTypes: + - Ingress +{{ end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/sensor-pod-security.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/sensor-pod-security.yaml new file mode 100644 index 0000000..ae147ad --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/sensor-pod-security.yaml 
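Review bot: The second ingress rule in the `sensor` policy opens 9443 with no `from`, i.e. to every source in and outside the cluster, while 8443 is correctly limited to collector and admission-control pods; nothing in the template says what 9443 serves or why its client cannot be selected. If it is meant for the API server or another non-pod client, say so, e.g. `# 9443: client is not a pod, so no podSelector is possible; intentionally open`, and consider an `ipBlock` taken from values so the rule is not silently all-sources. The `sensor-monitoring` policy has the same shape (ports without `from`) and should take a `from` with a `namespaceSelector` for the scraping namespace rather than admitting every pod in the cluster.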
@@ -0,0 +1,80 @@ +{{- include "srox.init" . -}} + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox-sensor-psp + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-sensor-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-sensor-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - stackrox-sensor + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-sensor-psp + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-sensor-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-sensor-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: stackrox-sensor-psp +subjects: + - kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} + - kind: ServiceAccount + name: sensor-upgrader + namespace: {{ ._rox._namespace }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: stackrox-sensor + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-sensor") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + - 'hostPath' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 
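Review bot: The `volumes` list admits `hostPath` with no `allowedHostPaths`, so any pod that runs under the `sensor` or `sensor-upgrader` service accounts may mount any host path read-write, even though the PSP otherwise enforces a non-privileged UID 4000 pod. That is a meaningful widening because the sensor service account holds a wildcard `edit` Role in its own namespace (sensor-rbac.yaml) and can therefore create such pods itself. If the sensor Deployment (not fully visible here) really needs a host path, restrict it with `allowedHostPaths: [{pathPrefix: "/<needed-path>", readOnly: true}]`; otherwise drop `hostPath` (and `persistentVolumeClaim`, if unused) from the list.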
diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/sensor-rbac.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/sensor-rbac.yaml new file mode 100644 index 0000000..8ec4387 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/sensor-rbac.yaml 
@@ -0,0 +1,284 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "sensor") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.mainImagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:view-cluster + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:view-cluster") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:view-cluster") | nindent 4 }} +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - watch + - list +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:monitor-cluster + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:monitor-cluster") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:monitor-cluster") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:view-cluster + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: edit + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "role" "edit") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"role" "edit") | nindent 4 }} +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: manage-namespace + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "manage-namespace") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "manage-namespace") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: Role + name: edit + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:edit-workloads + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:edit-workloads") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:edit-workloads") | nindent 4 }} +rules: +- resources: + - cronjobs + - jobs + - daemonsets + - deployments + - deployments/scale + - deploymentconfigs + - pods + - replicasets + - replicationcontrollers + - services + - statefulsets + apiGroups: + - '*' + verbs: + - update + - patch + - delete +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:enforce-policies + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:enforce-policies") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"clusterrolebinding" "stackrox:enforce-policies") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:edit-workloads + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:network-policies + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:network-policies") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:network-policies") | nindent 4 }} +rules: +- resources: + - 'networkpolicies' + apiGroups: + - networking.k8s.io + - extensions + verbs: + - get + - watch + - list + - create + - update + - patch + - delete +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:network-policies-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:network-policies-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:network-policies-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:network-policies + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:update-namespaces + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:update-namespaces") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"clusterrole" "stackrox:update-namespaces") | nindent 4 }} +rules: +- resources: + - namespaces + apiGroups: [""] + verbs: + - update +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:update-namespaces-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:update-namespaces-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:update-namespaces-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:update-namespaces + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:create-events + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:create-events") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:create-events") | nindent 4 }} +rules: +- resources: + - events + apiGroups: [""] + verbs: + - create + - patch + - list +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:create-events-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:create-events-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:create-events-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:create-events + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:review-tokens + labels: + {{- include "srox.labels" (list . 
"clusterrole" "stackrox:review-tokens") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:review-tokens") | nindent 4 }} +rules: +- resources: + - tokenreviews + apiGroups: ["authentication.k8s.io"] + verbs: + - create +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:review-tokens-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:review-tokens-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:review-tokens-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:review-tokens + apiGroup: rbac.authorization.k8s.io diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/sensor-scc.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/sensor-scc.yaml new file mode 100644 index 0000000..fbdd7fc --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/sensor-scc.yaml 
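Review bot: The `stackrox:view-cluster` ClusterRole grants `get`/`list`/`watch` on `*` resources in `*` API groups, which includes every Secret in the cluster, and `stackrox:edit-workloads` adds `update`/`patch`/`delete` on deployments, daemonsets, pods and friends in every namespace, so the sensor service account is effectively a cluster-admin-equivalent principal (patching a workload's pod template is enough to run arbitrary code anywhere). That may be exactly what enforcement requires, but it is not written down anywhere in the template; add a header comment stating the trust boundary, e.g. `# Sensor's RBAC is cluster-wide: read access to all resources including Secrets, plus write access to workloads in every namespace. Treat the sensor service account as highly privileged.`. If cluster-wide Secret reads are not needed for the features shipped here, enumerate the resources that are actually watched instead of `'*'` so the grant is reviewable. Separately, naming the namespaced Role `edit` invites confusion with the built-in `edit` ClusterRole; `stackrox:edit-namespace` (or similar) would follow the file's own prefix convention.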
@@ -0,0 +1,47 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.env.openshift }} + +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: sensor + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "sensor") | nindent 4 }} + kubernetes.io/description: sensor is the security constraint for the sensor +users: + - system:serviceaccount:{{ ._rox._namespace }}:sensor + - system:serviceaccount:{{ ._rox._namespace }}:sensor-upgrader +priority: 0 +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +supplementalGroups: + type: RunAsAny +fsGroup: + type: RunAsAny +groups: [] +readOnlyRootFilesystem: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: [] +defaultAddCapabilities: [] +requiredDropCapabilities: [] +volumes: + - configMap + - downwardAPI + - emptyDir + - secret + +{{- end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/sensor-secret.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/sensor-secret.yaml new file mode 100644 index 0000000..848e1f2 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/sensor-secret.yaml 
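Review bot: `allowPrivilegeEscalation: true` and `runAsUser: {type: RunAsAny}` make this SCC looser than the PodSecurityPolicy bound to the same two service accounts in sensor-pod-security.yaml, which sets `allowPrivilegeEscalation: false` and pins UID 4000 with `MustRunAs`; on OpenShift the SCC is what is enforced, so the tighter policy is the one that does not apply. Unless sensor-upgrader (which shares this SCC) needs privilege escalation, set `allowPrivilegeEscalation: false` and `runAsUser: {type: MustRunAs, uid: 4000}` so both admission paths enforce the same envelope. Likewise, replace `seccompProfiles: ['*']` with `runtime/default` unless a container in the sensor Deployment (not fully visible here) requests a specific profile.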
@@ -0,0 +1,30 @@ +{{- include "srox.init" . -}} + +{{- if or ._rox.createSecrets (and (kindIs "invalid" ._rox.createSecrets) (or ._rox.sensor.serviceTLS._cert ._rox.sensor.serviceTLS._key)) }} + +{{- if not (and ._rox.ca._cert ._rox.sensor.serviceTLS._cert ._rox.sensor.serviceTLS._key) }} + {{ include "srox.fail" "Requested secret creation, but not all of CA certificate, sensor certificate, sensor private key are available. Set the 'createSecrets' config option to false if you do not want secrets to be created." }} +{{- end }} + +apiVersion: v1 +kind: Secret +metadata: + name: sensor-tls + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "sensor-tls") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + {{- include "srox.annotations" (list . "secret" "sensor-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox.ca._cert | nindent 4 }} + sensor-cert.pem: | + {{- ._rox.sensor.serviceTLS._cert | nindent 4 }} + sensor-key.pem: | + {{- ._rox.sensor.serviceTLS._key | nindent 4 }} + +{{- end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/sensor.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/sensor.yaml new file mode 100644 index 0000000..4e0b9b3 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/sensor.yaml 
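Review bot: The Secret carrying the sensor private key is created as a `pre-install,pre-upgrade` hook with `helm.sh/resource-policy: keep`, so it is not removed by `helm uninstall`, and nothing in the template tells an operator that rotating or retiring the key is a manual step. A comment above `annotations:` such as `# Hook + keep: this TLS material outlives the release; delete the Secret by hand when rotating certificates` would make that lifecycle explicit. Whether a later upgrade with new `sensor.serviceTLS` values overwrites the kept hook resource depends on Helm's hook handling, so the wording should be checked against the Helm version the chart targets.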
@@ -0,0 +1,250 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "deployment" "sensor") | nindent 4 }} + app: sensor + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "deployment" "sensor") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: sensor + strategy: + type: Recreate + template: + metadata: + labels: + app: sensor + {{- include "srox.podLabels" (list . "deployment" "sensor") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8443,9443" + {{- include "srox.podAnnotations" (list . "deployment" "sensor") | nindent 8 }} + spec: + {{- if ._rox.sensor._nodeSelector }} + nodeSelector: + {{- ._rox.sensor._nodeSelector | nindent 8 }} + {{- end}} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # Sensor is single-homed, so avoid preemptible nodes. 
+ - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + {{- if ._rox.env.openshift }} + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: In + values: + - "true" + - weight: 75 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: NotIn + values: + - "true" + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: NotIn + values: + - "true" + {{- end}} + securityContext: + runAsUser: 4000 + fsGroup: 4000 + serviceAccountName: sensor + containers: + - image: {{ quote ._rox.image.main.fullRef }} + imagePullPolicy: {{ ._rox.sensor.imagePullPolicy }} + name: sensor + readinessProbe: + httpGet: + scheme: HTTPS + path: /admissioncontroller + port: 9443 + ports: + - containerPort: 8443 + name: api + - containerPort: 9443 + name: webhook + command: + - kubernetes-sensor + resources: + {{- ._rox.sensor._resources | nindent 10 }} + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ROX_CENTRAL_ENDPOINT + value: {{ ._rox.centralEndpoint }} + - name: ROX_ADVERTISED_ENDPOINT + value: {{ ._rox.sensor.endpoint }} + {{- if ._rox.env.openshift }} + - name: ROX_OPENSHIFT_API + value: "true" + {{- end}} + - name: ROX_HELM_CLUSTER_CONFIG_FP + value: {{ quote ._rox._configFP }} + {{- include "srox.envVars" (list . 
"deployment" "sensor" "sensor") | nindent 8 }} + volumeMounts: + - name: varlog + mountPath: /var/log/stackrox/ + - name: sensor-etc-ssl-volume + mountPath: /etc/ssl/ + - name: sensor-etc-pki-volume + mountPath: /etc/pki/ca-trust/ + - name: certs + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: additional-ca-volume + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + - name: cache + mountPath: /var/cache/stackrox + - name: helm-cluster-config + mountPath: /run/secrets/stackrox.io/helm-cluster-config/ + readOnly: true + - name: helm-effective-cluster-name + mountPath: /run/secrets/stackrox.io/helm-effective-cluster-name/ + readOnly: true + volumes: + - name: certs + secret: + secretName: sensor-tls + items: + - key: sensor-cert.pem + path: cert.pem + - key: sensor-key.pem + path: key.pem + - key: ca.pem + path: ca.pem + - name: sensor-etc-ssl-volume + emptyDir: {} + - name: sensor-etc-pki-volume + emptyDir: {} + - name: additional-ca-volume + secret: + secretName: additional-ca-sensor + optional: true + - name: varlog + emptyDir: {} + - name: cache + emptyDir: {} + - name: helm-cluster-config + secret: + secretName: helm-cluster-config + optional: true + - name: helm-effective-cluster-name + secret: + secretName: helm-effective-cluster-name + optional: true +--- +apiVersion: v1 +kind: Service +metadata: + name: sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "service" "sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"service" "sensor") | nindent 4 }} +spec: + ports: + - name: https + port: 443 + targetPort: api + protocol: TCP + {{- if ._rox.sensor.exposeMonitoring }} + - name: monitoring + port: 9090 + targetPort: 9090 + protocol: TCP + {{- end }} + selector: + app: sensor + type: ClusterIP + sessionAffinity: None +--- + +{{- if ._rox.env.istio }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: sensor-internal-no-istio-mtls + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "destinationrule" "sensor-internal-no-istio-mtls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "destinationrule" "sensor-internal-no-istio-mtls") | nindent 4 }} + stackrox.io/description: "Disable Istio mTLS for port 443, since StackRox services use built-in mTLS." +spec: + host: sensor.stackrox.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 443 + tls: + mode: DISABLE +--- +{{- end }} + +apiVersion: v1 +kind: Service +metadata: + name: sensor-webhook + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "service" "sensor-webhook") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "service" "sensor-webhook") | nindent 4 }} +spec: + ports: + - name: https + port: 443 + targetPort: webhook + protocol: TCP + selector: + app: sensor + type: ClusterIP + sessionAffinity: None +{{- if or .Release.IsInstall (eq ._rox.confirmNewClusterName ._rox.clusterName) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: helm-effective-cluster-name + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "helm-effective-cluster-name") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" + {{- include "srox.annotations" (list . 
"secret" "helm-effective-cluster-name") | nindent 4 }} +stringData: + cluster-name: | + {{- ._rox.clusterName | nindent 4 }} +{{- end}} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/service-ca.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/service-ca.yaml new file mode 100644 index 0000000..3f3b5fd --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/service-ca.yaml @@ -0,0 +1,16 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: Secret +metadata: + name: service-ca + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "service-ca") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + {{- include "srox.annotations" (list . "secret" "service-ca") | nindent 4 }} +type: Opaque +stringData: + ca.pem: | + {{- required "A CA certificate must be specified" ._rox.ca._cert | nindent 4 }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/templates/upgrader-serviceaccount.yaml b/rhacs/3.0.59.0/secured-cluster-services/templates/upgrader-serviceaccount.yaml new file mode 100644 index 0000000..af12eb1 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/templates/upgrader-serviceaccount.yaml 
@@ -0,0 +1,36 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.createUpgraderServiceAccount }} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sensor-upgrader + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "sensor-upgrader") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "sensor-upgrader") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.mainImagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:upgrade-sensors + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:upgrade-sensors") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:upgrade-sensors") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor-upgrader + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io + +{{- end }} diff --git a/rhacs/3.0.59.0/secured-cluster-services/values-private.yaml.example b/rhacs/3.0.59.0/secured-cluster-services/values-private.yaml.example new file mode 100644 index 0000000..ecdec21 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/values-private.yaml.example 
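Review bot: The `stackrox:upgrade-sensors` ClusterRoleBinding grants the `sensor-upgrader` ServiceAccount `cluster-admin` without any comment in the template explaining the scope, and as a cluster-wide binding it reaches well beyond the release namespace. Add above `kind: ClusterRoleBinding` a comment like `# sensor-upgrader is highly privileged (cluster-admin) but only used during upgrades; gated by createUpgraderServiceAccount, default false`, mirroring the wording in values-public.yaml.example. The same account is already listed in the sensor SCC `users` regardless of whether this template renders, which is harmless but worth a pointer here so the two stay in sync.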
@@ -0,0 +1,19 @@ +# # BEGIN CONFIGURATION VALUES SECTION +# +# # Image pull credentials. If you do not specify these, you need to specify one of +# # the following: +# # - `imagePullSecrets.allowNone=true`: in case your registry allows pulling images without +# # credentials. +# # - `imagePullSecrets.useExisting="secret1;secret2;..."`: in case you have pre-existing image +# # pull secrets with the given name already created in the target namespace. +# # - `imagePullSecrets.useFromDefaultServiceAccount=true`: in case the default service account +# # in the target namespace is configured with sufficiently scoped image pull secrets. +# # +# # Since the above settings do not expose any confidential data, they can safely be added +# # to the values-public.yaml configuration file or provided on the command line. +# +# # If you do not know if any of the above applies to your situation, your best course of +# # action is probably to enter your image pull credentials here. +# imagePullSecrets: +# username: +# password: diff --git a/rhacs/3.0.59.0/secured-cluster-services/values-public.yaml.example b/rhacs/3.0.59.0/secured-cluster-services/values-public.yaml.example new file mode 100644 index 0000000..a3f081e --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/values-public.yaml.example 
@@ -0,0 +1,354 @@ +# StackRox Kubernetes Security Platform - Secured Cluster Services Chart +# PUBLIC configuration file. +# +# This file contains general configuration values relevant for the deployment of the +# StackRox Kubernetes Platform Secured Cluster Services components, which do not contain +# or reference sensitive data. This file can and should be stored in a source code +# management system and should be referenced on each `helm upgrade`. +# +# Most of the values in this file are optional, and you only should need to make modifications +# if the default deployment configuration is not sufficient for you for whatever reason. +# The most notable exceptios are +# +# - `clusterName`, +# - `centralEndpoint` and +# - `imagePullSecrets`. +# +# # BEGIN CONFIGURATION VALUES SECTION +# +## The cluster name. A new cluster of this name will be automatically registered at StackRox Central +## when deploying this Helm chart. Make sure that this name is unique among the set of secured clusters. +#clusterName: null +# +## To change the cluster name, confirm the new cluster name in this field. It should match the `clusterName` value. +## You don't need to change this unless you upgrade and change the value for clusterName. +## In this case, set it to the new value of clusterName. This option exists to prevent you from accidentally +## creating a new cluster with a different name. +#confirmNewClusterName: null +# +## The gRPC endpoint for accessing StackRox Central. +#centralEndpoint: central.{{ .Release.Namespace }}:443 +# +## A dictionary of additional CA certificates to include (PEM encoded). +## For example: +## additionalCAs: +## acme-labs-ca.pem: | +## -----BEGIN CERTIFICATE----- +## [...] +## -----END CERTIFICATE----- +#additionalCAs: null +# +# Specify `true` to create the `sensor-upgrader` account. By default, the StackRox Kubernetes +# Security Platform creates a service account called `sensor-upgrader` in each secured cluster. 
+# This account is highly privileged but is only used during upgrades. If you don’t create this +# account, you will have to complete future upgrades manually if the Sensor doesn’t have enough +# permissions. See +# [Enable automatic upgrades for secured clusters](https://help.stackrox.com/docs/configure-stackrox/enable-automatic-upgrades/) +# for more information. +# Note that auto-upgrades for Helm-managed clusters are disabled. +#createUpgraderServiceAccount: false +# +## Configuration for image pull secrets. +## These should usually be set via the command line when running `helm install`, e.g., +## helm install --set imagePullSecrets.username=myuser --set imagePullSecrets.password=mypass, +## or be stored in a separate YAML-encoded secrets file. +#imagePullSecrets: +# +# # If no image pull secrets are provided, an installation would usually fail. In order to +# # prevent it from failing, this option must explicitly be set to true. +# allowNone: false +# +# # If there exist available image pull secrets in the cluster that are managed separately, +# # set this value to the list of the respective secret names. While it is recommended to +# # record the secret names in a persisted YAML file, providing a single string containing +# # a comma-delimited list of secret names is also supported, for easier interaction with +# # --set. +# useExisting: [] +# +# # Whether to import any secrets from the default service account existing in the StackRox +# # namespace. The default service account often contains "standard" image pull secrets that +# # should be used by default for image pulls, hence this defaults to true. Only has an effect +# # if server-side lookups are enabled. +# useFromDefaultServiceAccount: true +# +## Settings regarding the installation environment +#env: +# # Treat the environment as an OpenShift cluster. Leave this unset to use auto-detection +# # based on available API resources on the server. 
+# # Set it to true to auto-detect the OpenShift version, otherwise set it explicitly. +# # Possible values: null, false, true, 3, 4 +# openshift: null +# +# # Treat the environment as Istio-enabled. Leave this unset to use auto-detection based on +# # available API resources on the server. +# # Possible values: null, false, true +# istio: null +# +## PEM-encoded StackRox Service CA certificate. +#ca: +# cert: null +# +## Image configuration +#image: +# # The image registry to use. Unless overridden in the more specific configs, this +# # determines the base registry for each image referenced in this config file. +# registry: my.image-registry.io +# +# # Configuration for the `main` image -- used by Sensor, Admission Control, Compliance. +# main: +# registry: null # if set to null, use `image.registry` +# name: main # the final image name is composed of the registry and the name, plus the tag below +# tag: null # should be left as null - will get picked up from the Chart version. +# fullRef: null # you can set a full image reference such as stackrox.io/main:1.2.3.4 here, but this is not +# # recommended. +# # The default pull policy for this image. Can be overridden for each individual service. +# pullPolicy: IfNotPresent +# +# # Configuration for the `collector` image -- used by Collector. +# collector: +# registry: null +# name: collector +# tag: null +# fullRef: null +# pullPolicy: IfNotPresent +# +## Sensor specific configuration. +#sensor: +# +# # Kubernetes image pull policy for Sensor. +# imagePullPolicy: IfNotPresent +# +# # Resource configuration for the sensor container. +# resources: +# requests: +# memory: "1Gi" +# cpu: "1" +# limits: +# memory: "4Gi" +# cpu: "2" +# +# # Settings for the internal service-to-service TLS certificate used by Sensor. +# serviceTLS: +# cert: null +# key: null +# +# # Use a nodeSelector for sensor +# nodeSelector +# environment: production +# +# # Address of the Sensor endpoint including port number. No trailing slash. 
+# # Rarely needs to be changed. +# endpoint: sensor.stackrox:443 +# +## Admission Control specific configuration. +#admissionControl: +# +# # This setting controls whether the cluster is configured to contact the StackRox +# # Kubernetes Security Platform with `AdmissionReview` requests for create events on +# # Kubernetes objects. +# listenOnCreates: false +# +# # This setting controls whether the cluster is configured to contact the StackRox Kubernetes +# # Security Platform with `AdmissionReview` requests for update events on Kubernetes objects. +# listenOnUpdates: false +# +# # This setting controls whether the cluster is configured to contact the StackRox +# # Kubernetes Security Platform with `AdmissionReview` requests for update Kubernetes events +# # like exec and portforward. +# # +# # Defaults to `false` on OpenShift, to `true` otherwise. +# listenOnEvents: true +# +# +# # Dynamic part of the configuration which is retrieved from Central and can be modified through +# # the frontend. +# dynamic: +# +# # It controls whether the StackRox Kubernetes Security Platform evaluates policies for object +# # updates; if it’s disabled, all `AdmissionReview` requests are automatically accepted. You must +# # specify `listenOnUpdates` as `true` for this to work. +# enforceOnUpdates: false +# +# # Controls whether the StackRox Kubernetes Security Platform evaluates policies. +# # If disabled, all AdmissionReview requests are automatically accepted. You must specify +# # `listenOnCreates` as `true` for this to work. +# enforceOnCreates: false +# +# scanInline: false +# +# # If enabled, bypassing the Admission Controller is disabled. +# disableBypass: false +# +# # The maximum time in seconds, the StackRox Kubernetes Security Platform should wait while +# # evaluating admission review requests. Use it to set request timeouts when you enable image scanning. 
+# # If the image scan runs longer than the specified time, the StackRox Kubernetes Security Platform +# # accepts the request. Other enforcement options, such as scaling the deployment to zero replicas, +# # are still applied later if the image violates applicable policies. +# timeout: 3 +# +# # Kubernetes image pull policy for Admission Control. +# imagePullPolicy: IfNotPresent +# +# # Resource configuration for the Admission Control container. +# resources: +# requests: +# memory: "100Mi" +# cpu: "50m" +# limits: +# memory: "500Mi" +# cpu: "500m" +# +# # Settings for the internal service-to-service TLS certificate used by Admission Control. +# serviceTLS: +# cert: null +# key: null +# +## Collector specific configuration. +#collector: +# +# # Collection method to use. Can be one of: +# # - EBPF +# # - KERNEL_MODULE +# # - NO_COLLECTION +# collectionMethod: KERNEL_MODULE +# +# # Configure usage of taint tolerations. If `false`, tolerations are applied to collector, +# # and the collector pods can schedule onto all nodes with taints. If `true`, no tolerations +# # are applied, and the collector pods won't scheduled onto nodes with taints. +# disableTaintTolerations: false +# +# # Configure whether slim Collector images should be used or not. Using slim Collector images +# # requires Central to provide the matching kernel module or eBPF probe. If you are running +# # the StackRox Kubernetes Security Platform in offline mode, you must download a kernel support +# # package from [stackrox.io](https://install.stackrox.io/collector/support-packages/index.html) +# # and upload it to Central for slim Collectors to function. Otherwise, you must ensure that +# # Central can access the online probe repository hosted at https://collector-modules.stackrox.io/. +# slimMode: false +# +# # Kubernetes image pull policy for Collector. +# imagePullPolicy: IfNotPresent +# +# # Resource configuration for the Collector container. 
+# resources: +# requests: +# memory: "320Mi" +# cpu: "50m" +# limits: +# memory: "1Gi" +# cpu: "750m" +# +# complianceImagePullPolicy: IfNotPresent +# +# # Resource configuration for the Compliance container. +# complianceResources: +# requests: +# memory: "10Mi" +# cpu: "10m" +# limits: +# memory: "2Gi" +# cpu: "1" +# +# # Settings for the internal service-to-service TLS certificate used by Collector. +# serviceTLS: +# cert: null +# key: null +# +# # Customization Settings. +# # The following allows specifying custom Kubernetes metadata (labels and annotations) +# # for all objects instantiated by this Helm chart, as well as additional pod labels, +# # pod annotations, and container environment variables for workloads. +# # The configuration is hierarchical, in the sense that metadata that is defined at a more +# # generic scope (e.g., for all objects) can be overridden by metadata defined at a narrower +# # scope (e.g., only for the central deployment). +# customize: +# # Extra metadata for all objects. +# labels: +# my-label-key: my-label-value +# annotations: +# my-annotation-key: my-annotation-value +# +# # Extra pod metadata for all objects (only has an effect for workloads, i.e., deployments). +# podLabels: +# my-pod-label-key: my-pod-label-value +# podAnnotations: +# my-pod-annotation-key: my-pod-annotation-value +# +# # Extra environment variables for all containers in all objects. +# envVars: +# MY_ENV_VAR_NAME: MY_ENV_VAR_VALUE +# +# # Extra metadata for the Sensor deployment only. +# sensor: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the collector daemon set only. +# collector: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the admission control only. +# admission-control: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the compliance only. 
+# compliance: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for all other objects. The keys in the following map can be +# # an object name of the form "service/central-loadbalancer", or a reference to all +# # objects of a given type in the form "service/*". The values under each key +# # are the five metadata overrides (labels, annotations, podLabels, podAnnotations, envVars) +# # as specified above, though only the first two will be relevant for non-workload +# # object types. +# other: +# "service/*": +# labels: {} +# annotations: {} +# +# # EXPERT SETTINGS +# # The following settings should only be changed if you know very well what you are doing. +# # The scenarios in which these are required are generally not supported. +# +# # Set allowNonstandardNamespace=true if you are deploying into a namespace other than +# # "stackrox". This has been observed to work in some case, but is not generally supported. +# allowNonstandardNamespace: false +# +# # Set allowNonstandardReleaseName=true if you are deploying with a release name other than +# # the default "stackrox-central-services". This has been observed to work in some cases, +# # but is not generally supported. +# allowNonstandardReleaseName: false +# +# +#meta: +# # This is a dictionary from file names to contents that can be used to inject files that +# # would usually be included via .Files.Get into the chart rendering. +# fileOverrides: {} +# +# # This configuration section allows overriding settings that would be inferred from the +# # running API server. +# apiServer: +# # The Kubernetes version running on the API server. This is used for auto-detection +# # of the platform. +# version: null +# # The list of available API resources on the server, in the form of "apps/v1" or +# # "apps/v1/Deployment". This is used to detect environment capabilities. 
+# overrideAPIResources: null +# # A list of extra API resources that should be assumed to exist on the API server. This +# # can be used in conjunction with both data obtained from the API server, or data set +# # via `overrideAPIResources`. +# extraAPIResources: [] diff --git a/rhacs/3.0.59.0/secured-cluster-services/values.yaml b/rhacs/3.0.59.0/secured-cluster-services/values.yaml new file mode 100644 index 0000000..3297a22 --- /dev/null +++ b/rhacs/3.0.59.0/secured-cluster-services/values.yaml @@ -0,0 +1,9 @@ +## StackRox Secured Cluster Services chart +## values.yaml +## +## This file contains no values. In particular, you should NOT modify this file; instead, +## create your own configuration file and pass it to `helm` via the `-f` parameter. +## For this, you can use the files `values-private.yaml.example` and `values-public.yaml.example` +## that are part of the chart as a blueprint. +## +## Please also consult README.md for a list of available configuration options.
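Review bot: The commented example under `# # Use a nodeSelector for sensor` reads `# nodeSelector` without the trailing colon, so anyone uncommenting the stanza gets a YAML parse error instead of a node selector; it should be `# nodeSelector:`. The `allowNonstandardReleaseName` comment names the default release as `stackrox-central-services`, which looks copied from the central chart and presumably should name this chart's secured-cluster release instead. Minor: `exceptios` → `exceptions` in the header comment.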