diff --git a/4.3.5/central-services/.helmignore b/4.3.5/central-services/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/4.3.5/central-services/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/4.3.5/central-services/Chart.yaml b/4.3.5/central-services/Chart.yaml new file mode 100644 index 0000000..2e82f5f --- /dev/null +++ b/4.3.5/central-services/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 # Can probably be generalized to v1 later. TODO(ROX-5502). +name: stackrox-central-services +icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/Red_Hat-Hat_icon.png +description: Helm Chart for StackRox Central Service +type: application +version: 400.3.5 +appVersion: 4.3.5 diff --git a/4.3.5/central-services/README.md b/4.3.5/central-services/README.md new file mode 100644 index 0000000..f62a658 --- /dev/null +++ b/4.3.5/central-services/README.md 
@@ -0,0 +1,179 @@ +# StackRox Kubernetes Security Platform - Central Services Helm Chart + +This Helm chart allows you to deploy the central services of the StackRox +Kubernetes Security Platform: StackRox Central and StackRox Scanner. + +If you want to install Red Hat Advanced Cluster Security, refer to +[Installing quickly using Helm charts](https://docs.openshift.com/acs/installing/installing_helm/install-helm-quick.html) +for up to date information. + +## Prerequisites + +To deploy the central services for the StackRox Kubernetes Security platform +using Helm, you must: +- Have at least version 3.1 of the Helm tool installed on your machine + +## Add the Canonical Chart Location as a Helm Repository + +The canonical repository for StackRox Helm charts is https://charts.stackrox.io. +To use StackRox Helm charts on your machine, run +```sh +helm repo add stackrox https://charts.stackrox.io +``` +This command only needs to be run once on your machine. Whenever you are deploying +or upgrading a chart from a remote repository, it is advisable to run +```sh +helm repo update +``` +beforehand. + +## Deploy Central Services Using Helm + +The basic command for deploying the central services is +```sh +helm install -n stackrox --create-namespace \ + --set central.persistence.none=true \ + stackrox-central-services stackrox/stackrox-central-services +``` +If you have a copy of this chart on your machine, you can also reference the +path to this copy instead of `stackrox/stackrox-central-services` above. + +In case you use image mirroring or otherwise access StackRox container images from non-standard location, +you may also need to provide image pull credentials. +There are several ways to inject the required credentials (if any) into the installation process: + +- **Explicitly specify username and password:** Use this if you are using a registry that supports username/password + authentication. 
Pass the following arguments to the `helm install` command: + ```sh + --set imagePullSecrets.username= --set imagePullSecrets.password= + ``` +- **Use pre-existing image pull secrets:** If you already have one or several image pull secrets + created in the namespace to which you are deploying, you can reference these in the following + way (we assume that your secrets are called `pull-secret-1` and `pull-secret-2`): + ```sh + --set imagePullSecrets.useExisting="pull-secret-1;pull-secret-2" + ``` +- **Do not use image pull secrets:** If you are pulling your images from quay.io/stackrox-io or a registry in a private + network that does not require authentication, or if the default service account in the namespace + to which you are deploying is already configured with appropriate image pull secrets, you do + not need to specify any additional image pull secrets. + +### Accessing the StackRox Portal After Deployment + +Once you have deployed the StackRox Kubernetes Security Platform Central Services via +`helm install`, you will see an information text on the console that contains any things to +note, or warnings encountered during the installation text. In particular, it instructs you +how to connect to your Central deployment via port-forward (if you have not configured an +exposure method, see below), and the administrator password to use for the initial login. + +### Applying Custom Configuration Options + +This Helm chart has many different configuration options. For simple use cases, these can be +set directly on the `helm install` command line; however, we generally recommend that you +store your configuration in a dedicated file. + +#### Using the `--set` family of command-line flags + +This approach is the quickest way to customize the deployment, but it does not work for +more complex configuration settings. 
Via the `--set` and `--set-file` flags, which need to be +appended to your `helm install` invocation, you can inject configuration values into the +installation process. Here are some examples: +- **Deploy StackRox in offline mode:** This configures StackRox in a way such that it will not + reach out to any external endpoints. + ```sh + --set env.offlineMode=true + ``` +- **Configure a fixed administrator password:** This sets the password with which you log in to + the StackRox portal as an administrator. If you do not configure a password yourself, one will + be created for you and printed as part of the installation notes. + ```sh + --set central.adminPassword.value=mysupersecretpassword + ``` + +#### Using configuration YAML files and the `-f` command-line flag + +To ensure the best possible upgrade experience, it is recommended that you store all custom +configuration options in two files: `values-public.yaml` and `values-private.yaml`. The former +contains all non-sensitive configuration options (such as whether to run in offline mode), and the +latter contains all sensitive configuration options (such as the administrator password, or +custom TLS certificates). The `values-public.yaml` file can be stored in, for example, your Git +repository, while the `values-private.yaml` file should be stored in a secrets management +system. + +There is a large number of configuration options that cannot all be discussed in minute detail +in this README file. However, the Helm chart contains example configuration files +`values-public.yaml.example` and `values-private.yaml.example`, that list all the available +configuration options, along with documentation. 
The following is just a brief example of what +can be configured via those files: +- **`values-public.yaml`:** + ```yaml + env: + offlineMode: true # run in offline mode + + central: + # Use custom resource overrides for central + resources: + requests: + cpu: 4 + memory: "8Gi" + limits: + cpu: 8 + memory: "16Gi" + + # Expose central via a LoadBalancer service + exposure: + loadBalancer: + enabled: true + + scanner: + # Run without StackRox Scanner (NOT RECOMMENDED) + disable: true + + customize: + # Apply the important-service=true label for all objects managed by this chart. + labels: + important-service: true + # Set the CLUSTER=important-cluster environment variable for all containers in the + # central deployment: + central: + envVars: + CLUSTER: important-cluster + ``` +- **`values-private.yaml`**: + ```yaml + central: + # Configure a default TLS certificate (public cert + private key) for central + defaultTLS: + cert: | + -----BEGIN CERTIFICATE----- + MII... + -----END CERTIFICATE----- + key: | + -----BEGIN EC PRIVATE KEY----- + MHc... + -----END EC PRIVATE KEY----- + ``` + +After you have created these YAML files, you can inject the configuration options into the +installation process via the `-f` flag, i.e., by appending the following options to the +`helm install` invocation: +```sh +-f values-public.yaml -f values-private.yaml +``` + +### Changing Configuration Options After Deployment + +If you wish to make any changes to the deployment, simply change the configuration options +in your `values-public.yaml` and/or `values-private.yaml` file(s), and inject them into an +`helm upgrade` invocation: +```sh +helm upgrade -n stackrox stackrox-central-services stackrox/stackrox-central-services \ + -f values-public.yaml \ + -f values-private.yaml +``` +Under most circumstances, you will not need to supply the `values-private.yaml` file, unless +you want changes to sensitive configuration options to be applied. 
+ +Of course you can also specify configuration values via the `--set` or `--set-file` command-line +flags. However, these options will be forgotten with the next `helm upgrade` invocation, unless +you supply them again. diff --git a/4.3.5/central-services/assets/Red_Hat-Hat_icon.png b/4.3.5/central-services/assets/Red_Hat-Hat_icon.png new file mode 100644 index 0000000..fae985e Binary files /dev/null and b/4.3.5/central-services/assets/Red_Hat-Hat_icon.png differ diff --git a/4.3.5/central-services/assets/StackRox_icon.png b/4.3.5/central-services/assets/StackRox_icon.png new file mode 100644 index 0000000..3c136e3 Binary files /dev/null and b/4.3.5/central-services/assets/StackRox_icon.png differ diff --git a/4.3.5/central-services/config-templates/scanner/config.yaml.tpl b/4.3.5/central-services/config-templates/scanner/config.yaml.tpl new file mode 100644 index 0000000..5efc0b9 --- /dev/null +++ b/4.3.5/central-services/config-templates/scanner/config.yaml.tpl 
@@ -0,0 +1,48 @@ +{{- /* + This is the configuration file template for Scanner. + Except for in extremely rare circumstances, you DO NOT need to modify this file. + All config options that are possibly dynamic are templated out and can be modified + via `--set`/values-files specified via `-f`. + */ -}} + +# Configuration file for scanner. + +scanner: + centralEndpoint: https://central.{{ .Release.Namespace }}.svc + sensorEndpoint: https://sensor.{{ .Release.Namespace }}.svc + database: + # Database driver + type: pgsql + options: + # PostgreSQL Connection string + # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING + source: host=scanner-db.{{ .Release.Namespace }}.svc port=5432 user=postgres sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} statement_timeout=60000 + + # Number of elements kept in the cache + # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. + cachesize: 16384 + + api: + httpsPort: 8080 + grpcPort: 8443 + + updater: + # Frequency with which the scanner will poll for vulnerability updates. + interval: 5m + + logLevel: {{ ._rox.scanner.logLevel }} + + # The scanner intentionally avoids extracting or analyzing any files + # larger than the following default sizes to prevent DoS attacks. + # Leave these commented to use a reasonable default. + + # The max size of files in images that are extracted. + # Increasing this number increases memory pressure. + # maxExtractableFileSizeMB: 200 + # The max size of ELF executable files that are analyzed. + # Increasing this number may increase disk pressure. + # maxELFExecutableFileSizeMB: 800 + # The max size of image file reader buffer. Image file data beyond this limit are overflowed to temporary files on disk. + # maxImageFileReaderBufferSizeMB: 100 + + exposeMonitoring: false 
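Review bot: in config-templates/scanner/config.yaml.tpl the `source:` line falls back to `sslmode=verify-ca` whenever the release namespace is not `stackrox`, which drops hostname verification of the scanner-db server certificate; add a template comment stating why this is needed (presumably the served certificate only carries the default-namespace name) or issue the scanner-db certificate for `scanner-db.{{ .Release.Namespace }}.svc` so `verify-full` can be used unconditionally. The same line connects as `user=postgres`; if Scanner can work with a less privileged role, prefer it. Minor: the cache comment reads "save prevent needless roundtrips"; drop one of the two verbs.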
diff --git a/4.3.5/central-services/config/central/config.yaml.default b/4.3.5/central-services/config/central/config.yaml.default new file mode 100644 index 0000000..d85c852 --- /dev/null +++ b/4.3.5/central-services/config/central/config.yaml.default @@ -0,0 +1,7 @@ +maintenance: + safeMode: false # When set to true, Central will sleep forever on the next restart + compaction: + enabled: true + bucketFillFraction: .5 # This controls how densely to compact the buckets. Usually not advised to modify + freeFractionThreshold: 0.75 # This is the threshold for free bytes / total bytes after which compaction will occur + forceRollbackVersion: none # This is the config and target rollback version after upgrade complete. diff --git a/4.3.5/central-services/config/central/endpoints.yaml.default b/4.3.5/central-services/config/central/endpoints.yaml.default new file mode 100644 index 0000000..25549d6 --- /dev/null +++ b/4.3.5/central-services/config/central/endpoints.yaml.default 
@@ -0,0 +1,31 @@ +# Sample endpoints.yaml configuration for StackRox Central. +# +# # CAREFUL: If the following line is uncommented, do not expose the default endpoint on port 8443 by default. +# # This will break normal operation. +# disableDefault: true # if true, don't serve on :8443 +# endpoints: +# # Serve plaintext HTTP only on port 8080 +# - listen: ":8080" +# # Backend protocols, possible values are 'http' and 'grpc'. If unset or empty, assume both. +# protocols: +# - http +# tls: +# # Disable TLS. If this is not specified, assume TLS is enabled. +# disable: true +# # Serve HTTP and gRPC for sensors only on port 8444 +# - listen: ":8444" +# tls: +# # Which TLS certificates to serve, possible values are 'service' (StackRox-generated service certificates) +# # and 'default' (user-configured default TLS certificate). If unset or empty, assume both. +# serverCerts: +# - default +# - service +# # Client authentication settings. +# clientAuth: +# # Enforce TLS client authentication. If unset, do not enforce, only request certificates +# # opportunistically. +# required: true +# # Which TLS client CAs to serve, possible values are 'service' (CA for StackRox-generated service +# # certificates) and 'user' (CAs for PKI auth providers). If unset or empty, assume both. +# certAuthorities: # if not set, assume ["user", "service"] +# - service diff --git a/4.3.5/central-services/config/centraldb/pg_hba.conf.default b/4.3.5/central-services/config/centraldb/pg_hba.conf.default new file mode 100644 index 0000000..8229f95 --- /dev/null +++ b/4.3.5/central-services/config/centraldb/pg_hba.conf.default 
@@ -0,0 +1,103 @@ +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the "Client Authentication" section in the PostgreSQL +# documentation for a complete description of this file. A short +# synopsis follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTIONS] +# host DATABASE USER ADDRESS METHOD [OPTIONS] +# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] +# +# (The uppercase items must be replaced by actual values.) +# +# The first field is the connection type: "local" is a Unix-domain +# socket, "host" is either a plain or SSL-encrypted TCP/IP socket, +# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a +# plain TCP/IP socket. +# +# DATABASE can be "all", "sameuser", "samerole", "replication", a +# database name, or a comma-separated list thereof. The "all" +# keyword does not match "replication". Access to replication +# must be enabled in a separate record (see example below). +# +# USER can be "all", a user name, a group name prefixed with "+", or a +# comma-separated list thereof. In both the DATABASE and USER fields +# you can also write a file name prefixed with "@" to include names +# from a separate file. +# +# ADDRESS specifies the set of hosts the record matches. It can be a +# host name, or it is made up of an IP address and a CIDR mask that is +# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that +# specifies the number of significant bits in the mask. A host name +# that starts with a dot (.) matches a suffix of the actual host name. +# Alternatively, you can write an IP address and netmask in separate +# columns to specify the set of hosts. 
Instead of a CIDR-address, you +# can write "samehost" to match any of the server's own IP addresses, +# or "samenet" to match any address in any subnet that the server is +# directly connected to. +# +# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", +# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". +# Note that "password" sends passwords in clear text; "md5" or +# "scram-sha-256" are preferred since they send encrypted passwords. +# +# OPTIONS are a set of options for the authentication in the format +# NAME=VALUE. The available options depend on the different +# authentication methods -- refer to the "Client Authentication" +# section in the documentation for a list of which options are +# available for which authentication methods. +# +# Database and user names containing spaces, commas, quotes and other +# special characters must be quoted. Quoting one of the keywords +# "all", "sameuser", "samerole" or "replication" makes the name lose +# its special character, and just match a database or username with +# that name. +# +# This file is read on server startup and when the server receives a +# SIGHUP signal. If you edit the file on a running system, you have to +# SIGHUP the server for the changes to take effect, run "pg_ctl reload", +# or execute "SELECT pg_reload_conf()". +# +# Put your actual configuration here +# ---------------------------------- +# +# If you want to allow non-local connections, you need to add more +# "host" records. In that case you will also need to make PostgreSQL +# listen on a non-local interface via the listen_addresses +# configuration parameter, or via the -i or -h command line switches. + +# CAUTION: Configuring the system for local "trust" authentication +# allows any local user to connect as any PostgreSQL user, including +# the database superuser. If you do not trust all your local users, +# use another authentication method. 
+ + +# TYPE DATABASE USER ADDRESS METHOD + +# "local" is for Unix domain socket connections only +local all all scram-sha-256 +# IPv4 local connections: +host all all 127.0.0.1/32 scram-sha-256 +# IPv6 local connections: +host all all ::1/128 scram-sha-256 +# Allow replication connections from localhost, by a user with the +# replication privilege. +local replication all trust +host replication all 127.0.0.1/32 trust +host replication all ::1/128 trust + +### STACKROX MODIFIED +# Reject all non ssl connections from IPs +hostnossl all all 0.0.0.0/0 reject +hostnossl all all ::0/0 reject + +# Accept connections from ssl with password +hostssl all all 0.0.0.0/0 scram-sha-256 +hostssl all all ::0/0 scram-sha-256 +### diff --git a/4.3.5/central-services/config/centraldb/postgresql.conf.default b/4.3.5/central-services/config/centraldb/postgresql.conf.default new file mode 100644 index 0000000..057e7ea --- /dev/null +++ b/4.3.5/central-services/config/centraldb/postgresql.conf.default @@ -0,0 +1,29 @@ +hba_file = '/etc/stackrox.d/config/pg_hba.conf' +listen_addresses = '*' +max_connections = 200 +password_encryption = scram-sha-256 + +ssl = on +ssl_ca_file = '/run/secrets/stackrox.io/certs/root.crt' +ssl_cert_file = '/run/secrets/stackrox.io/certs/server.crt' +ssl_key_file = '/run/secrets/stackrox.io/certs/server.key' + +shared_buffers = 2GB +work_mem = 40MB +maintenance_work_mem = 512MB +effective_cache_size = 4GB + +dynamic_shared_memory_type = posix +max_wal_size = 5GB +min_wal_size = 80MB + +log_timezone = 'Etc/UTC' +datestyle = 'iso, mdy' +timezone = 'Etc/UTC' +lc_messages = 'en_US.utf8' +lc_monetary = 'en_US.utf8' # locale for monetary formatting +lc_numeric = 'en_US.utf8' # locale for number formatting +lc_time = 'en_US.utf8' # locale for time formatting + +default_text_search_config = 'pg_catalog.english' +shared_preload_libraries = 'pg_stat_statements' # StackRox customized \ No newline at end of file 
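Review bot: in config/centraldb/pg_hba.conf.default the `hostssl all all 0.0.0.0/0 scram-sha-256` and `hostssl all all ::0/0 scram-sha-256` records authenticate by password only, even though postgresql.conf.default configures `ssl_ca_file`; if clients present certificates signed by that CA, append `clientcert=verify-full` (or at least `clientcert=verify-ca`) to these records so the TLS identity is enforced alongside the password, otherwise state in the `### STACKROX MODIFIED` block that password authentication is the intended control. The stock `local replication all trust`, `host replication all 127.0.0.1/32 trust` and `host replication all ::1/128 trust` records were also carried over from the upstream template; the file's own CAUTION block explains the risk of `trust`, and nothing in postgresql.conf.default configures replication, so these records should be removed or switched to `scram-sha-256`.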
diff --git a/4.3.5/central-services/config/proxy-config.yaml.default b/4.3.5/central-services/config/proxy-config.yaml.default new file mode 100644 index 0000000..8692a77 --- /dev/null +++ b/4.3.5/central-services/config/proxy-config.yaml.default @@ -0,0 +1,26 @@ +# # NOTE: Both central and scanner should be restarted if this secret is changed. +# # While it is possible that some components will pick up the new proxy configuration +# # without a restart, it cannot be guaranteed that this will apply to every possible +# # integration etc. +# url: http://proxy.name:port +# username: username +# password: password +# # If the following value is set to true, the proxy wil NOT be excluded for the default hosts: +# # - *.stackrox, *.stackrox.svc +# # - localhost, localhost.localdomain, 127.0.0.0/8, ::1 +# # - *.local +# omitDefaultExcludes: false +# excludes: # hostnames (may include * components) for which not to use a proxy, like in-cluster repositories. +# - some.domain +# # The following configuration sections allow specifying a different proxy to be used for HTTP(S) connections. +# # If they are omitted, the above configuration is used for HTTP(S) connections as well as TCP connections. +# # If only the `http` section is given, it will be used for HTTPS connections as well. +# # Note: in most cases, a single, global proxy configuration is sufficient. +# http: +# url: http://http-proxy.name:port +# username: username +# password: password +# https: +# url: http://https-proxy.name:port +# username: username +# password: password diff --git a/4.3.5/central-services/internal/bootstrap-defaults.yaml.tpl b/4.3.5/central-services/internal/bootstrap-defaults.yaml.tpl new file mode 100644 index 0000000..8f8e559 --- /dev/null +++ b/4.3.5/central-services/internal/bootstrap-defaults.yaml.tpl 
@@ -0,0 +1,16 @@ +# This file contains defaults that need to be merged into our config struct before we can +# execute the "normal" defaulting logic. As a result, none of these values can be overridden +# by defaults specified in defaults.yaml and platforms/*.yaml - that is okay. + +{{- if eq .Release.Name "test-release" }} +{{- include "srox.warn" (list . "You are using a release name that is reserved for tests. In order to allow linting to work, certain checks have been relaxed. If you are deploying to a real environment, we recommend that you choose a different release name.") }} +allowNonstandardNamespace: true +allowNonstandardReleaseName: true +{{- else }} +allowNonstandardNamespace: false +allowNonstandardReleaseName: false +{{- end }} + +meta: + useLookup: true + fileOverrides: {} diff --git a/4.3.5/central-services/internal/config-shape.yaml b/4.3.5/central-services/internal/config-shape.yaml new file mode 100644 index 0000000..e1ce4b7 --- /dev/null +++ b/4.3.5/central-services/internal/config-shape.yaml 
@@ -0,0 +1,163 @@ +licenseKey: null # string +imagePullSecrets: + username: null # string + password: null # string + allowNone: null # bool + useExisting: null # string | [string] + useFromDefaultServiceAccount: null # bool +image: + registry: null # string +env: + installMethod: null # string + openshift: null # bool + istio: null # bool + platform: null # string + offlineMode: null # bool + proxyConfig: null # string | dict +ca: + cert: null # string + key: null # string + generate: null # bool +additionalCAs: null # string | [string] | dict +central: + telemetry: + enabled: null # bool + storage: + endpoint: null # string + key: null # string + config: null # string | dict + dbConfig: null # string | dict + endpointsConfig: null # string | dict + nodeSelector: null # string | dict + tolerations: null # [dict] + affinity: null # dict + exposeMonitoring: null # bool + jwtSigner: + key: null # string + generate: null # bool + serviceTLS: + cert: null # string + key: null # string + generate: null # bool + defaultTLS: + cert: null # string + key: null # string + reference: null # string + image: + registry: null # string + name: null # string + tag: null # string + fullRef: null # string + adminPassword: + value: null # string + generate: null # bool + htpasswd: null # string + resources: null # string | dict + persistence: + hostPath: null # string + persistentVolumeClaim: + claimName: null # string + createClaim: null # bool + storageClass: null # string + size: null # int | string + volume: + volumeSpec: null # dict + none: null # bool + exposure: + loadBalancer: + enabled: null # bool + port: null # int + ip: null # string + nodePort: + enabled: null # bool + port: null # int + route: + enabled: null # bool + host: null # string + declarativeConfiguration: + mounts: + configMaps: null # [string] + secrets: null # [string] + extraMounts: null # [dict] + db: + nodeSelector: null # string | dict + tolerations: null # [dict] + source: + connectionString: null # 
string + minConns: null # int + maxConns: null # int + statementTimeoutMs: null #int + configOverride: null # string + password: + value: null # string + generate: null # bool + serviceTLS: + cert: null # string + key: null # string + generate: null # bool + image: + registry: null # string + name: null # string + tag: null # string + fullRef: null # string + resources: null # string | dict + persistence: + hostPath: null # string + persistentVolumeClaim: + claimName: null # string + createClaim: null # bool + storageClass: null # string + size: null # int | string + volume: + volumeSpec: null # dict + none: null # bool + extraMounts: null # [dict] +customize: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + central: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + db: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + scanner: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + scanner-db: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + other: {} # dict +allowNonstandardNamespace: null # bool +allowNonstandardReleaseName: null # bool +enableOpenShiftMonitoring: null # bool +monitoring: + openshift: + enabled: null # bool +meta: + useLookup: null # bool + fileOverrides: {} # dict + apiServer: + version: null # string + overrideAPIResources: null # [string] + extraAPIResources: null # [string] + noCreateStorageClass: null # bool +globalPrefix: null # string +system: + createSCCs: null # bool + enablePodSecurityPolicies: null # bool diff --git a/4.3.5/central-services/internal/defaults.yaml b/4.3.5/central-services/internal/defaults.yaml new file mode 100644 index 0000000..76b9f92 --- /dev/null 
+++ b/4.3.5/central-services/internal/defaults.yaml 
@@ -0,0 +1,175 @@ +defaults: + + imagePullSecrets: + allowNone: false + useExisting: [] + useFromDefaultServiceAccount: true + + image: + registry: stackrox.io + + env: + offlineMode: false + + central: + config: "@config/central/config.yaml|config/central/config.yaml.default" + endpointsConfig: "@config/central/endpoints.yaml|config/central/endpoints.yaml.default" + + exposeMonitoring: false + + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # Central is single-homed, so avoid preemptible nodes. + - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: Exists + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: Exists + # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in + # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+ - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: DoesNotExist + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + + image: + name: main + tag: 4.3.5 + + resources: + requests: + memory: "4Gi" + cpu: "1500m" + limits: + memory: "8Gi" + cpu: "4000m" + + exposure: + loadBalancer: + enabled: false + port: 443 + nodePort: + enabled: false + port: null + route: + enabled: false + db: + external: false + + source: + minConns: 10 + maxConns: 90 + statementTimeoutMs: 1200000 + + postgresConfig: "@config/centraldb/postgresql.conf|config/centraldb/postgresql.conf.default" + hbaConfig: "@config/centraldb/pg_hba.conf|config/centraldb/pg_hba.conf.default" + + image: + name: central-db + tag: 4.3.5 + + resources: + requests: + memory: "8Gi" + cpu: "4" + limits: + memory: "16Gi" + cpu: "8" + scanner: + disable: false + replicas: 3 + logLevel: INFO + mode: full + + autoscaling: + disable: false + minReplicas: 2 + maxReplicas: 5 + + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + app: scanner + topologyKey: kubernetes.io/hostname + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: Exists + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: Exists + # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in + # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+ - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: DoesNotExist + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + + resources: + requests: + memory: "1500Mi" + cpu: "1000m" + limits: + memory: "4Gi" + cpu: "2000m" + + image: + name: scanner + tag: 4.3.5 + + dbResources: + limits: + cpu: "2000m" + memory: "4Gi" + requests: + cpu: "200m" + memory: "200Mi" + + dbImage: + name: scanner-db + tag: 4.3.5 + + system: + createSCCs: true + +pvcDefaults: + claimName: "stackrox-db" + size: "100Gi" + +dbPVCDefaults: + claimName: "central-db" + size: "100Gi" diff --git a/4.3.5/central-services/internal/expandables.yaml b/4.3.5/central-services/internal/expandables.yaml new file mode 100644 index 0000000..75a3d11 --- /dev/null +++ b/4.3.5/central-services/internal/expandables.yaml @@ -0,0 +1,48 @@ +licenseKey: true +imagePullSecrets: + username: true + password: true +env: + proxyConfig: true +ca: + cert: true + key: true +central: + config: true + endpointsConfig: true + nodeSelector: true + jwtSigner: + key: true + serviceTLS: + cert: true + key: true + defaultTLS: + cert: true + key: true + adminPassword: + value: true + htpasswd: true + resources: true + db: + postgresConfig: true + hbaConfig: true + nodeSelector: true + serviceTLS: + cert: true + key: true + password: + value: true + resources: true +scanner: + resources: true + dbResources: true + nodeSelector: true + dbNodeSelector: true + dbPassword: + value: true + serviceTLS: + cert: true + key: true + dbServiceTLS: + cert: true + key: true diff --git a/4.3.5/central-services/internal/platforms/default.yaml b/4.3.5/central-services/internal/platforms/default.yaml new file mode 100644 index 0000000..180f5c8 --- /dev/null +++ b/4.3.5/central-services/internal/platforms/default.yaml 
@@ -0,0 +1,2 @@ +# Empty defaults file for the "default" platform. This file only exists to mark the platform +# name as valid. diff --git a/4.3.5/central-services/internal/platforms/gke.yaml b/4.3.5/central-services/internal/platforms/gke.yaml new file mode 100644 index 0000000..70d7b32 --- /dev/null +++ b/4.3.5/central-services/internal/platforms/gke.yaml @@ -0,0 +1,2 @@ +pvcDefaults: + storageClass: "stackrox-gke-ssd" diff --git a/4.3.5/central-services/internal/scanner-config-shape.yaml b/4.3.5/central-services/internal/scanner-config-shape.yaml new file mode 100644 index 0000000..da3b315 --- /dev/null +++ b/4.3.5/central-services/internal/scanner-config-shape.yaml @@ -0,0 +1,40 @@ +scanner: + mode: null # string + disable: null # bool + replicas: null # int + logLevel: null # string + nodeSelector: null # string | dict + dbNodeSelector: null # string | dict + tolerations: null # [dict] + dbTolerations: null # [dict] + autoscaling: + disable: null # bool + minReplicas: null # int + maxReplicas: null # int + affinity: null # dict + resources: null # string | dict + image: + registry: null # string + name: null # string + tag: null # string + fullRef: null # string + dbImage: + registry: null # string + name: null # string + tag: null # string + fullRef: null # string + dbResources: null # string | dict + dbPassword: + value: null # string + generate: null # bool + serviceTLS: + cert: null # string + key: null # string + generate: null # bool + dbServiceTLS: + cert: null # string + key: null # string + generate: null # bool + exposeMonitoring: null # bool +system: + enablePodSecurityPolicies: null # bool diff --git a/4.3.5/central-services/templates/00-additional-ca.yaml b/4.3.5/central-services/templates/00-additional-ca.yaml new file mode 100644 index 0000000..67b0c2b --- /dev/null +++ b/4.3.5/central-services/templates/00-additional-ca.yaml 
@@ -0,0 +1,21 @@ +{{- include "srox.init" . -}} + +{{- if ._rox._additionalCAs }} +apiVersion: v1 +kind: Secret +metadata: + name: additional-ca + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "additional-ca") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "additional-ca") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +type: Opaque +stringData: + {{- range $name, $cert := ._rox._additionalCAs }} + {{ $name | quote }}: | + {{- $cert | nindent 4 }} + {{- end }} +{{- end }} diff --git a/4.3.5/central-services/templates/00-image-pull-secret.yaml b/4.3.5/central-services/templates/00-image-pull-secret.yaml new file mode 100644 index 0000000..1fc3e34 --- /dev/null +++ b/4.3.5/central-services/templates/00-image-pull-secret.yaml @@ -0,0 +1,18 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.imagePullSecrets._dockerAuths }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: stackrox + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "stackrox") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "stackrox") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +data: + .dockerconfigjson: {{ dict "auths" ._rox.imagePullSecrets._dockerAuths | toJson | b64enc | quote }} +{{ end }} diff --git a/4.3.5/central-services/templates/00-injected-ca-bundle.yaml b/4.3.5/central-services/templates/00-injected-ca-bundle.yaml new file mode 100644 index 0000000..3289c2a --- /dev/null +++ b/4.3.5/central-services/templates/00-injected-ca-bundle.yaml 
@@ -0,0 +1,15 @@ +{{- include "srox.init" . -}} + +{{- if eq ._rox.env.openshift 4 }} +{{ $injectedCABundleName := printf "injected-cabundle-%s" .Release.Name }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $injectedCABundleName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" $injectedCABundleName) | nindent 4 }} + "config.openshift.io/inject-trusted-cabundle": "true" + annotations: + {{- include "srox.annotations" (list . "configmap" $injectedCABundleName) | nindent 4 }} +{{- end }} diff --git a/4.3.5/central-services/templates/00-proxy-config-secret.yaml b/4.3.5/central-services/templates/00-proxy-config-secret.yaml new file mode 100644 index 0000000..c357179 --- /dev/null +++ b/4.3.5/central-services/templates/00-proxy-config-secret.yaml @@ -0,0 +1,20 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.env._proxyConfig -}} +apiVersion: v1 +kind: Secret +metadata: + name: proxy-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "proxy-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "proxy-config") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + config.yaml: | + {{- ._rox.env._proxyConfig | nindent 4 }} + +{{ end }} diff --git a/4.3.5/central-services/templates/00-stackrox-application.yaml b/4.3.5/central-services/templates/00-stackrox-application.yaml new file mode 100644 index 0000000..6cdf9ca --- /dev/null +++ b/4.3.5/central-services/templates/00-stackrox-application.yaml 
@@ -0,0 +1,122 @@ +{{- include "srox.init" . -}} + +{{- if has "app.k8s.io/v1beta1/Application" ._rox._apiServer.apiResources -}} +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: stackrox + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "application" "stackrox") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "application" "stackrox") | nindent 4 }} + {{ if eq ._rox.image.registry "quay.io/stackrox-io" }} + kubernetes-engine.cloud.google.com/icon: "data:image/png;base64,{{ .Files.Get "assets/StackRox_icon.png" | b64enc }}" + {{ else }} + kubernetes-engine.cloud.google.com/icon: "data:image/png;base64,{{ .Files.Get "assets/Red_Hat-Hat_icon.png" | b64enc }}" + {{ end }} +spec: + descriptor: + type: StackRox + version: {{ .Chart.AppVersion | quote }} + description: |- + StackRox Kubernetes Security Platform + + Version {{ .Chart.AppVersion }} + + ## Thank you for installing StackRox! + +
+ + #### Support + + [Email support@stackrox.com](mailto:support@stackrox.com?cc=sales@stackrox.com&Subject=StackRox%20Support%20Question&Body=Dear%20StackRox%20support,) + + ## Connecting to StackRox + +
+ + #### Directly using a Load Balancer + + When deploying StackRox with the `Load Balancer` network configuration, the service can be accessed directly. + + $CONNECT + + #### Tunneling via Port Forward + + When deploying StackRox with the `Node Port` or `None` network configuration, the service must be accessed using a port forward tunnel. + + - Step 1 - Start the port forward tunnel to the StackRox Central service. + + ``` + $ kubectl -n stackrox port-forward svc/central 8443:443 + ``` + + - Step 2 - In a browser, [visit https://localhost:8443](https://localhost:8443) to access StackRox. + + keywords: + - "stackrox" + - "kube" + - "security" + maintainers: + - name: StackRox, Inc. + url: https://stackrox.com + owners: + - name: StackRox, Inc. + url: https://stackrox.com + links: + - description: StackRox Help Documentation + url: "https://help.stackrox.com" + + info: + - name: StackRox namespace + value: stackrox + - name: StackRox admin username + value: "admin" + + selector: + matchLabels: + app.kubernetes.io/name: stackrox + + componentKinds: + - group: '' + kind: ConfigMap + - group: '' + kind: Secret + - group: '' + kind: PersistentVolumeClaim + - group: '' + kind: PersistentVolume + - group: '' + kind: Service + - group: '' + kind: ServiceAccount + - group: rbac.authorization.k8s.io + kind: ClusterRole + - group: rbac.authorization.k8s.io + kind: ClusterRoleBinding + - group: apps + kind: Deployment + - group: networking.k8s.io + kind: NetworkPolicy + - group: rbac.authorization.k8s.io + kind: Role + - group: rbac.authorization.k8s.io + kind: RoleBinding + - group: route.openshift.io + kind: Route + - group: security.openshift.io + kind: SecurityContextConstraints + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + - group: autoscaling + kind: HorizontalPodAutoscaler + - group: storage.k8s.io + kind: StorageClass + - group: networking.istio.io + kind: DestinationRule +{{- if ._rox.system.enablePodSecurityPolicies }} + - group: 
policy + kind: PodSecurityPolicy +{{- end }} +{{- end }} diff --git a/4.3.5/central-services/templates/00-storage-class.yaml b/4.3.5/central-services/templates/00-storage-class.yaml new file mode 100644 index 0000000..4a5664e --- /dev/null +++ b/4.3.5/central-services/templates/00-storage-class.yaml @@ -0,0 +1,27 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central.persistence._pvcCfg }} +{{- if ._rox.central.persistence._pvcCfg.storageClass -}} +{{- if eq ._rox.central.persistence._pvcCfg.storageClass "stackrox-gke-ssd" }} +{{- $lookupOut := dict -}} +{{- $storageClassName := include "srox.globalResourceName" (list . "stackrox-gke-ssd") -}} +{{- $_ := include "srox.safeLookup" (list . $lookupOut "storage.k8s.io/v1" "StorageClass" "" $storageClassName) -}} +{{- if and (not $lookupOut.result) (or .Release.IsInstall $lookupOut.reliable) (not ._rox.meta.noCreateStorageClass) -}} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ $storageClassName }} + labels: + {{- include "srox.labels" (list . "storageclass" "stackrox-gke-ssd") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "storageclass" "stackrox-gke-ssd") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +provisioner: kubernetes.io/gce-pd +parameters: + type: pd-ssd +{{- end -}} +{{- end }} +{{- end -}} +{{- end }} diff --git a/4.3.5/central-services/templates/01-central-00-db-serviceaccount.yaml b/4.3.5/central-services/templates/01-central-00-db-serviceaccount.yaml new file mode 100644 index 0000000..782f4e6 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-00-db-serviceaccount.yaml 
@@ -0,0 +1,16 @@ +{{- include "srox.init" . -}} +{{ if not ._rox.central.db.external -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: central-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "central-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "central-db") | nindent 4 }} +imagePullSecrets: + {{- range $secretName := ._rox.imagePullSecrets._names }} +- name: {{ quote $secretName }} + {{- end }} +{{- end }} diff --git a/4.3.5/central-services/templates/01-central-00-serviceaccount.yaml b/4.3.5/central-services/templates/01-central-00-serviceaccount.yaml new file mode 100644 index 0000000..8c257f6 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-00-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "central") | nindent 4 }} + {{- if and (eq ._rox.env.openshift 4) (not ._rox.env.managedServices) }} + serviceaccounts.openshift.io/oauth-redirectreference.main: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"central"}}' + serviceaccounts.openshift.io/oauth-redirecturi.main: "sso/providers/openshift/callback" + {{- end }} +imagePullSecrets: +{{- range $secretName := ._rox.imagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} diff --git a/4.3.5/central-services/templates/01-central-01-license-secret.yaml b/4.3.5/central-services/templates/01-central-01-license-secret.yaml new file mode 100644 index 0000000..0d26dda --- /dev/null +++ b/4.3.5/central-services/templates/01-central-01-license-secret.yaml 
@@ -0,0 +1,21 @@ +{{- include "srox.init" . -}} + +{{- if ._rox._licenseKey -}} + +apiVersion: v1 +kind: Secret +metadata: + name: central-license + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-license") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-license") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + license.lic: | + {{- ._rox._licenseKey | nindent 4 }} + +{{ end }} diff --git a/4.3.5/central-services/templates/01-central-02-db-psps.yaml b/4.3.5/central-services/templates/01-central-02-db-psps.yaml new file mode 100644 index 0000000..4c81428 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-02-db-psps.yaml 
@@ -0,0 +1,81 @@ +{{- include "srox.init" . -}} + +{{- if and (not ._rox.central.db.external) ._rox.system.enablePodSecurityPolicies }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central-db-psp") }} + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-central-db-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-central-db-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ include "srox.globalResourceName" (list . "stackrox-central-db") }} + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-central-db-psp + namespace: {{.Release.Namespace}} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-central-db-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-central-db-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "srox.globalResourceName" (list . "stackrox-central-db-psp") }} +subjects: + - kind: ServiceAccount + name: central-db + namespace: {{.Release.Namespace}} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central-db") }} + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-central-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-central-db") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + - 'hostPath' + - 'configMap' + {{- if ._rox.central.persistence.hostPath }} + allowedHostPaths: + {{- /* TODO(ROX-9807): Use a designated path for central-db for now. 
Need to move hostPath from central to central-db */}} + - pathPrefix: {{._rox.central.persistence.hostPath}}-db + {{- end}} + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 70 + max: 70 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 70 + max: 70 +{{- end }} diff --git a/4.3.5/central-services/templates/01-central-02-db-security.yaml b/4.3.5/central-services/templates/01-central-02-db-security.yaml new file mode 100644 index 0000000..20ead97 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-02-db-security.yaml 
@@ -0,0 +1,82 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox.env.openshift (not ._rox.central.db.external) ._rox.system.createSCCs }} +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central-db") }} + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-central-db") | nindent 4 }} + annotations: + kubernetes.io/description: stackrox-central-db is the security constraint for the central database + {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-central-db") | nindent 4 }} +allowHostDirVolumePlugin: {{ ._rox.central.persistence.hostPath | not | not }} +allowedCapabilities: [] +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +defaultAddCapabilities: [] +fsGroup: + type: MustRunAs + ranges: + - max: 70 + min: 70 +priority: 0 +readOnlyRootFilesystem: false +requiredDropCapabilities: [] +runAsUser: + type: MustRunAs + uid: 70 +seLinuxContext: + type: "RunAsAny" +seccompProfiles: + - '*' +users: + - system:serviceaccount:{{ .Release.Namespace }}:central-db +volumes: + - '*' +{{- else if eq ._rox.env.openshift 4 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: use-central-db-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "use-central-db-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"role" "use-central-db-scc") | nindent 4 }} +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - anyuid + {{- if ._rox.central.persistence.hostPath }} + - hostmount-anyuid + {{- end }} + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: central-db-use-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "central-db-use-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "central-db-use-scc") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: use-central-db-scc +subjects: +- kind: ServiceAccount + name: central-db + namespace: {{.Release.Namespace}} +{{- end }} diff --git a/4.3.5/central-services/templates/01-central-02-psps.yaml b/4.3.5/central-services/templates/01-central-02-psps.yaml new file mode 100644 index 0000000..1ba51f5 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-02-psps.yaml 
@@ -0,0 +1,80 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.system.enablePodSecurityPolicies }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central-psp") }} + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-central-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-central-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ include "srox.globalResourceName" (list . "stackrox-central") }} + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-central-psp + namespace: {{.Release.Namespace}} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-central-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-central-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "srox.globalResourceName" (list . "stackrox-central-psp") }} +subjects: + - kind: ServiceAccount + name: central + namespace: {{.Release.Namespace}} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central") }} + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"podsecuritypolicy" "stackrox-central") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + - 'hostPath' + {{ if ._rox.central.persistence.hostPath -}} + allowedHostPaths: + - pathPrefix: {{ ._rox.central.persistence.hostPath }} + {{- end}} + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 +{{- end }} diff --git a/4.3.5/central-services/templates/01-central-02-security.yaml b/4.3.5/central-services/templates/01-central-02-security.yaml new file mode 100644 index 0000000..ee734a6 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-02-security.yaml 
@@ -0,0 +1,85 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox.env.openshift ._rox.system.createSCCs }} +--- + +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central") }} + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-central") | nindent 4 }} + annotations: + kubernetes.io/description: stackrox-central is the security constraint for the central server + {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-central") | nindent 4 }} +allowHostDirVolumePlugin: {{ ._rox.central.persistence.hostPath | not | not }} +allowedCapabilities: [] +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +defaultAddCapabilities: [] +fsGroup: + type: MustRunAs + ranges: + - max: 4000 + min: 4000 +priority: 0 +readOnlyRootFilesystem: true +requiredDropCapabilities: [] +runAsUser: + type: MustRunAs + uid: 4000 +seLinuxContext: + type: MustRunAs +seccompProfiles: + - '*' +users: + - system:serviceaccount:{{ .Release.Namespace }}:central +volumes: + - '*' + +{{- else if eq ._rox.env.openshift 4 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: use-central-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "use-central-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "role" "use-central-scc") | nindent 4 }} +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - anyuid + {{- if ._rox.central.persistence.hostPath }} + - hostmount-anyuid + {{- end }} + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: central-use-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . 
"rolebinding" "central-use-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "central-use-scc") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: use-central-scc +subjects: +- kind: ServiceAccount + name: central + namespace: {{.Release.Namespace}} +{{- end }} diff --git a/4.3.5/central-services/templates/01-central-03-diagnostics-rbac.yaml b/4.3.5/central-services/templates/01-central-03-diagnostics-rbac.yaml new file mode 100644 index 0000000..4c83007 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-03-diagnostics-rbac.yaml @@ -0,0 +1,45 @@ +{{- include "srox.init" . -}} + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: stackrox-central-diagnostics + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "stackrox-central-diagnostics") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "role" "stackrox-central-diagnostics") | nindent 4 }} +rules: +- apiGroups: + - '*' + resources: + - "deployments" + - "daemonsets" + - "replicasets" + - "configmaps" + - "services" + - "pods" + - "pods/log" + - "events" + - "namespaces" + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-central-diagnostics + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-central-diagnostics") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-central-diagnostics") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: stackrox-central-diagnostics +subjects: + - kind: ServiceAccount + name: central + namespace: {{ .Release.Namespace }} diff --git a/4.3.5/central-services/templates/01-central-04-htpasswd-secret.yaml b/4.3.5/central-services/templates/01-central-04-htpasswd-secret.yaml new file mode 100644 index 0000000..59b338e 
--- /dev/null +++ b/4.3.5/central-services/templates/01-central-04-htpasswd-secret.yaml @@ -0,0 +1,22 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central._adminPassword -}} +{{- if ._rox.central._adminPassword.htpasswd -}} +apiVersion: v1 +kind: Secret +metadata: + name: central-htpasswd + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-htpasswd") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-htpasswd") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + htpasswd: | + {{- ._rox.central._adminPassword.htpasswd | nindent 4 }} + +{{- end -}} +{{- end -}} diff --git a/4.3.5/central-services/templates/01-central-05-db-tls-secret.yaml b/4.3.5/central-services/templates/01-central-05-db-tls-secret.yaml new file mode 100644 index 0000000..3a3a1fa --- /dev/null +++ b/4.3.5/central-services/templates/01-central-05-db-tls-secret.yaml @@ -0,0 +1,23 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox.central.db._serviceTLS ._rox._ca }} +apiVersion: v1 +kind: Secret +metadata: + name: central-db-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-db-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-db-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox._ca.Cert | nindent 4 }} + cert.pem: | + {{- ._rox.central.db._serviceTLS.Cert | nindent 4 }} + key.pem: | + {{- ._rox.central.db._serviceTLS.Key | nindent 4 }} +{{- end }} diff --git a/4.3.5/central-services/templates/01-central-05-tls-secret.yaml b/4.3.5/central-services/templates/01-central-05-tls-secret.yaml new file mode 100644 index 0000000..1850d46 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-05-tls-secret.yaml 
@@ -0,0 +1,30 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox._ca ._rox.central._serviceTLS ._rox.central._jwtSigner -}} + +apiVersion: v1 +kind: Secret +metadata: + name: central-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox._ca.Cert | nindent 4 }} + ca-key.pem: | + {{- ._rox._ca.Key | nindent 4 }} + jwt-key.pem: | + {{- ._rox.central._jwtSigner.Key | nindent 4 }} + cert.pem: | + {{- ._rox.central._serviceTLS.Cert | nindent 4 }} + key.pem: | + {{- ._rox.central._serviceTLS.Key | nindent 4 }} +{{- else if or ._rox.central._serviceTLS ._rox.central._jwtSigner }} +{{ include "srox.fail" "Service TLS certificates and/or JWT signer key can only be created/updated if all data AND the service CA are present/specified." }} +{{- end }} diff --git a/4.3.5/central-services/templates/01-central-06-default-tls-cert-secret.yaml b/4.3.5/central-services/templates/01-central-06-default-tls-cert-secret.yaml new file mode 100644 index 0000000..010444c --- /dev/null +++ b/4.3.5/central-services/templates/01-central-06-default-tls-cert-secret.yaml @@ -0,0 +1,22 @@ +{{- include "srox.init" . -}} + +{{ if ._rox.central._defaultTLS }} + +apiVersion: v1 +kind: Secret +metadata: + name: central-default-tls-cert + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-default-tls-cert") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-default-tls-cert") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" +type: kubernetes.io/tls +stringData: + tls.crt: | + {{- ._rox.central._defaultTLS.Cert | nindent 4 }} + tls.key: | + {{- ._rox.central._defaultTLS.Key | nindent 4 }} + +{{- end }} 
diff --git a/4.3.5/central-services/templates/01-central-08-configmap.yaml b/4.3.5/central-services/templates/01-central-08-configmap.yaml new file mode 100644 index 0000000..9420e59 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-08-configmap.yaml @@ -0,0 +1,14 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: central-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "central-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "central-config") | nindent 4 }} +data: + central-config.yaml: | + {{- ._rox.central._config | nindent 4 }} diff --git a/4.3.5/central-services/templates/01-central-08-db-configmap.yaml b/4.3.5/central-services/templates/01-central-08-db-configmap.yaml new file mode 100644 index 0000000..0a0a2c7 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-08-db-configmap.yaml @@ -0,0 +1,17 @@ +{{- include "srox.init" . -}} +{{- if not ._rox.central.db.external }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: central-db-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "central-db-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "central-db-config") | nindent 4 }} +data: + postgresql.conf: | + {{- ._rox.central.db._postgresConfig | nindent 4 }} + pg_hba.conf: | + {{- ._rox.central.db._hbaConfig | nindent 4 }} +{{- end }} diff --git a/4.3.5/central-services/templates/01-central-08-external-db-configmap.yaml b/4.3.5/central-services/templates/01-central-08-external-db-configmap.yaml new file mode 100644 index 0000000..48d2427 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-08-external-db-configmap.yaml 
@@ -0,0 +1,29 @@ +{{- include "srox.init" . -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: central-external-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "central-external-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "central-external-db") | nindent 4 }} +data: + central-external-db.yaml: | + centralDB: + {{- if ._rox.central.db.external }} + external: true + source: {{ ._rox.central.db.source.connectionString }} pool_min_conns={{ ._rox.central.db.source.minConns }} pool_max_conns={{ ._rox.central.db.source.maxConns }} + {{- else }} + external: false + source: > + host=central-db.{{ .Release.Namespace }}.svc + port=5432 + user=postgres + sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} + sslrootcert=/run/secrets/stackrox.io/certs/ca.pem + statement_timeout={{ ._rox.central.db.source.statementTimeoutMs }} + pool_min_conns={{ ._rox.central.db.source.minConns }} + pool_max_conns={{ ._rox.central.db.source.maxConns }} + client_encoding=UTF8 + {{- end }} diff --git a/4.3.5/central-services/templates/01-central-09-endpoints-config.yaml b/4.3.5/central-services/templates/01-central-09-endpoints-config.yaml new file mode 100644 index 0000000..fa6204e --- /dev/null +++ b/4.3.5/central-services/templates/01-central-09-endpoints-config.yaml @@ -0,0 +1,17 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central._endpointsConfig -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: central-endpoints + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "central-endpoints") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "central-endpoints") | nindent 4 }} +data: + endpoints.yaml: | + {{- ._rox.central._endpointsConfig | nindent 4 }} + +{{- end -}} 
diff --git a/4.3.5/central-services/templates/01-central-10-db-networkpolicy.yaml b/4.3.5/central-services/templates/01-central-10-db-networkpolicy.yaml new file mode 100644 index 0000000..6cd2201 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-10-db-networkpolicy.yaml @@ -0,0 +1,27 @@ +{{- include "srox.init" . -}} +{{ if not ._rox.central.db.external -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: central-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "central-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "central-db") | nindent 4 }} +spec: + policyTypes: + - Ingress + - Egress + ingress: + - from: + - podSelector: + matchLabels: + app: central + ports: + - port: 5432 + protocol: TCP + podSelector: + matchLabels: + app: central-db +{{- end }} diff --git a/4.3.5/central-services/templates/01-central-10-networkpolicy.yaml b/4.3.5/central-services/templates/01-central-10-networkpolicy.yaml new file mode 100644 index 0000000..90fbd9d --- /dev/null +++ b/4.3.5/central-services/templates/01-central-10-networkpolicy.yaml 
@@ -0,0 +1,65 @@ +{{- include "srox.init" . -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-ext-to-central + namespace: {{.Release.Namespace}} + labels: + {{- include "srox.labels" (list . "networkpolicy" "allow-ext-to-central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "allow-ext-to-central") | nindent 4 }} +spec: + ingress: + {{- toYaml ._rox.central._netPolIngressRules | nindent 4 }} + podSelector: + matchLabels: + app: central + policyTypes: + - Ingress + +{{ if ._rox.central.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: central-monitoring + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "central-monitoring") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "central-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: central + policyTypes: + - Ingress +{{ end }} + +{{- if ._rox.monitoring.openshift.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: central-monitoring-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "central-monitoring-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "central-monitoring-tls") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9091 + protocol: TCP + podSelector: + matchLabels: + app: central + policyTypes: + - Ingress +{{- end }} diff --git a/4.3.5/central-services/templates/01-central-11-db-pvc.yaml b/4.3.5/central-services/templates/01-central-11-db-pvc.yaml new file mode 100644 index 0000000..656dfec --- /dev/null +++ b/4.3.5/central-services/templates/01-central-11-db-pvc.yaml 
@@ -0,0 +1,66 @@ +{{- include "srox.init" . -}} + +{{ if not ._rox.central.db.external -}} +{{ if ._rox.central.db.persistence._pvcCfg -}} +{{- $pvcCfg := ._rox.central.db.persistence._pvcCfg -}} +{{- $claimName := $pvcCfg.claimName -}} +{{/* In a multiple namespace setting, storageClassName is generated by globalResourceName */}} +{{- $storageClassName := "" }} +{{- if $pvcCfg.storageClass }} + {{- if eq $pvcCfg.storageClass "stackrox-gke-ssd" }} + {{- $storageClassName = include "srox.globalResourceName" (list . "stackrox-gke-ssd") }} + {{- else }} + {{- $storageClassName = $pvcCfg.storageClass }} +{{- end}} +{{- end}} +{{- if $pvcCfg.volume.volumeSpec }} +{{- $pvName := (print $claimName "-pv") -}} +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ $pvName }} + labels: + {{- include "srox.labels" (list . "persistentvolume" $pvName) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "persistentvolume" $pvName) | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +spec: + {{- if $storageClassName }} + storageClassName: {{ $storageClassName }} + {{- end}} + capacity: + storage: {{ include "srox.formatStorageSize" $pvcCfg.size }} + accessModes: + - ReadWriteOnce + claimRef: + namespace: {{ .Release.Namespace }} + name: {{ $claimName }} + {{- toYaml $pvcCfg.volume.volumeSpec | nindent 2 }} +--- +{{- end }} +{{- /* TODO(ROX-9807): Move customized PVC from Central to Central DB */}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ $claimName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "persistentvolumeclaim" "central-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"persistentvolumeclaim" "central-db") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +spec: + {{- if $storageClassName }} + storageClassName: {{ $storageClassName }} + {{- end }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ include "srox.formatStorageSize" $pvcCfg.size }} +{{- end }} +{{- end }} diff --git a/4.3.5/central-services/templates/01-central-11-pvc.yaml b/4.3.5/central-services/templates/01-central-11-pvc.yaml new file mode 100644 index 0000000..0279278 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-11-pvc.yaml 
@@ -0,0 +1,63 @@ +{{- include "srox.init" . -}} + +{{ if ._rox.central.persistence._pvcCfg -}} +{{- $pvcCfg := ._rox.central.persistence._pvcCfg -}} +{{- $claimName := $pvcCfg.claimName -}} +{{/* In a multiple namespace setting, storageClassName is generated by globalResourceName */}} +{{- $storageClassName := "" }} +{{- if $pvcCfg.storageClass }} + {{- if eq $pvcCfg.storageClass "stackrox-gke-ssd" }} + {{- $storageClassName = include "srox.globalResourceName" (list . "stackrox-gke-ssd") }} + {{- else }} + {{- $storageClassName = $pvcCfg.storageClass }} + {{- end}} +{{- end}} +{{- if $pvcCfg.volume.volumeSpec }} +{{- $pvName := (print $claimName "-pv") -}} +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ $pvName }} + labels: + {{- include "srox.labels" (list . "persistentvolume" $pvName) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "persistentvolume" $pvName) | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +spec: + {{- if $storageClassName }} + storageClassName: {{ $storageClassName }} + {{- end}} + capacity: + storage: {{ include "srox.formatStorageSize" $pvcCfg.size }} + accessModes: + - ReadWriteOnce + claimRef: + namespace: {{ .Release.Namespace }} + name: {{ $claimName }} + {{- toYaml $pvcCfg.volume.volumeSpec | nindent 2 }} +--- +{{- end }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ $claimName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "persistentvolumeclaim" $claimName) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"persistentvolumeclaim" $claimName) | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +spec: + {{- if $storageClassName }} + storageClassName: {{ $storageClassName }} + {{- end }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ include "srox.formatStorageSize" $pvcCfg.size }} +{{- end }} diff --git a/4.3.5/central-services/templates/01-central-12-central-db.yaml b/4.3.5/central-services/templates/01-central-12-central-db.yaml new file mode 100644 index 0000000..e48b466 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-12-central-db.yaml 
@@ -0,0 +1,196 @@ +{{- include "srox.init" . -}} + +{{ if not ._rox.central.db.external -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: central-db + namespace: {{ .Release.Namespace }} + labels: + app: central-db + {{- include "srox.labels" (list . "deployment" "central-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "deployment" "central-db") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: central-db + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: central-db + {{- include "srox.podLabels" (list . "deployment" "central-db") | nindent 8 }} + annotations: + {{- include "srox.podAnnotations" (list . "deployment" "central-db") | nindent 8 }} + spec: + {{- if ._rox.central.db._nodeSelector }} + nodeSelector: + {{- ._rox.central.db._nodeSelector | nindent 8 }} + {{- end }} + {{- if ._rox.central.db.tolerations }} + tolerations: + {{- toYaml ._rox.central.db.tolerations | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # Central-db is single-homed, so avoid preemptible nodes. + - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: Exists + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: Exists + # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in + # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+ - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: DoesNotExist + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + serviceAccountName: central-db + terminationGracePeriodSeconds: 120 + initContainers: + - name: init-db + image: {{ ._rox.central.db.image.fullRef | quote }} + env: + - name: PGDATA + value: "/var/lib/postgresql/data/pgdata" + command: + - init-entrypoint.sh + volumeMounts: + - name: disk + mountPath: /var/lib/postgresql/data + - name: central-db-password + mountPath: /run/secrets/stackrox.io/secrets + resources: + {{- ._rox.central.db._resources | nindent 10 }} + securityContext: + runAsUser: 70 + runAsGroup: 70 + containers: + - name: central-db + image: {{ ._rox.central.db.image.fullRef | quote }} + env: + - name: POSTGRES_HOST_AUTH_METHOD + value: "password" + - name: PGDATA + value: "/var/lib/postgresql/data/pgdata" + ports: + - containerPort: 5432 + name: postgresql + protocol: TCP + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + - | + exec pg_isready -U "postgres" -h 127.0.0.1 -p 5432 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + {{- ._rox.central.db._resources | nindent 10 }} + securityContext: + runAsUser: 70 + runAsGroup: 70 + volumeMounts: + - name: config-volume + mountPath: /etc/stackrox.d/config/ + - mountPath: /var/lib/postgresql/data + name: disk + - name: central-db-tls-volume + mountPath: /run/secrets/stackrox.io/certs + - mountPath: /dev/shm + name: shared-memory + securityContext: + fsGroup: 70 + volumes: + - name: disk + {{- toYaml ._rox.central.db.persistence._volumeCfg | nindent 8 }} + - name: config-volume + configMap: + name: {{ default "central-db-config" ._rox.central.db.configOverride }} + - name: central-db-password + secret: + secretName: central-db-password + - name: central-db-tls-volume + secret: + secretName: central-db-tls + 
defaultMode: 0640 + items: + - key: cert.pem + path: server.crt + - key: key.pem + path: server.key + - key: ca.pem + path: root.crt + - name: shared-memory + emptyDir: + medium: Memory + {{- /* Keep this in sync with shared_buffers in config/centraldb/postgresql.conf */}} + sizeLimit: 2Gi +--- +apiVersion: v1 +kind: Service +metadata: + name: central-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "central-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "central-db") | nindent 4 }} +spec: + ports: + - name: tcp-db + port: 5432 + protocol: TCP + targetPort: postgresql + selector: + app: central-db + type: ClusterIP +{{- end }} +{{- if ._rox.central.db._password }} +{{- if not (kindIs "invalid" ._rox.central.db._password.value) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: central-db-password + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-db-password") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-db-password") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +type: Opaque +stringData: + password: | + {{- ._rox.central.db._password.value | nindent 4 }} +{{- end }} +{{- end }} diff --git a/4.3.5/central-services/templates/01-central-13-deployment.yaml b/4.3.5/central-services/templates/01-central-13-deployment.yaml new file mode 100644 index 0000000..f56a974 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-13-deployment.yaml 
@@ -0,0 +1,271 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "deployment" "central") | nindent 4 }} + app: central + annotations: + {{- include "srox.annotations" (list . "deployment" "central") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: central + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: central + {{- include "srox.podLabels" (list . "deployment" "central") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8443" + {{- include "srox.podAnnotations" (list . "deployment" "central") | nindent 8 }} + spec: + {{- if ._rox.central._nodeSelector }} + nodeSelector: + {{- ._rox.central._nodeSelector | nindent 8 }} + {{- end }} + {{- if ._rox.central.tolerations }} + tolerations: + {{- toYaml ._rox.central.tolerations | nindent 8 }} + {{- end }} + affinity: + {{- toYaml ._rox.central.affinity | nindent 8 }} + serviceAccountName: central + securityContext: + fsGroup: 4000 + runAsUser: 4000 + containers: + - name: central + image: {{ ._rox.central.image.fullRef | quote }} + command: + - /stackrox/central-entrypoint.sh + ports: + {{- toYaml ._rox.central._containerPorts | nindent 10 }} + readinessProbe: + httpGet: + scheme: HTTPS + path: /v1/ping + port: 8443 + resources: + {{- ._rox.central._resources | nindent 10 }} + securityContext: + capabilities: + drop: ["NET_RAW"] + readOnlyRootFilesystem: true + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if ne (._rox.central.telemetry.enabled | toString) "false" }} + {{- if ._rox.central.telemetry.storage.endpoint }} + - name: ROX_TELEMETRY_ENDPOINT + 
value: {{ ._rox.central.telemetry.storage.endpoint | quote }} + {{- end }} + {{- if ._rox.central.telemetry.storage.key }} + - name: ROX_TELEMETRY_STORAGE_KEY_V1 + value: {{ ._rox.central.telemetry.storage.key | quote }} + {{- end }} + {{- end }} + - name: ROX_OFFLINE_MODE + value: {{ ._rox.env.offlineMode | quote }} + {{- if and (eq ._rox.env.openshift 4) (not ._rox.env.managedServices) }} + - name: ROX_ENABLE_OPENSHIFT_AUTH + value: "true" + {{- end }} + {{- if ._rox.env.openshift }} + - name: ROX_OPENSHIFT + value: "true" + {{- end }} + {{- if ._rox.env.managedServices }} + - name: ROX_MANAGED_CENTRAL + value: "true" + - name: ROX_ENABLE_CENTRAL_DIAGNOSTICS + value: "false" + - name: ROX_ENABLE_KERNEL_PACKAGE_UPLOAD + value: "false" + - name: ROX_TENANT_ID + valueFrom: + fieldRef: + fieldPath: metadata.labels['rhacs.redhat.com/tenant'] + {{- end }} + {{- if ._rox.central.notifierSecretsEncryption }} + {{- if ._rox.central.notifierSecretsEncryption.enabled }} + - name: ROX_ENC_NOTIFIER_CREDS + value: "true" + {{- end }} + {{- end }} + {{- if ._rox.monitoring.openshift.enabled }} + - name: ROX_ENABLE_SECURE_METRICS + value: "true" + {{- end }} + - name: ROX_INSTALL_METHOD + value: {{ ._rox.env.installMethod | quote }} + {{- include "srox.envVars" (list . 
"deployment" "central" "central") | nindent 8 }} + volumeMounts: + - name: varlog + mountPath: /var/log/stackrox/ + - name: central-tmp-volume + mountPath: /tmp + - name: central-etc-ssl-volume + mountPath: /etc/ssl + - name: central-etc-pki-volume + mountPath: /etc/pki/ca-trust + - name: central-certs-volume + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: central-default-tls-cert-volume + mountPath: /run/secrets/stackrox.io/default-tls-cert/ + readOnly: true + - name: central-htpasswd-volume + mountPath: /run/secrets/stackrox.io/htpasswd/ + readOnly: true + - name: central-jwt-volume + mountPath: /run/secrets/stackrox.io/jwt/ + readOnly: true + - name: additional-ca-volume + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + - name: central-license-volume + mountPath: /run/secrets/stackrox.io/central-license/ + readOnly: true + - name: stackrox-db + mountPath: /var/lib/stackrox + - name: central-config-volume + mountPath: /etc/stackrox + - name: proxy-config-volume + mountPath: /run/secrets/stackrox.io/proxy-config/ + readOnly: true + - name: endpoints-config-volume + mountPath: /etc/stackrox.d/endpoints/ + readOnly: true + - name: central-db-password + mountPath: /run/secrets/stackrox.io/db-password + - name: central-external-db-volume + mountPath: /etc/ext-db + {{- if ._rox.central.notifierSecretsEncryption }} + {{- if ._rox.central.notifierSecretsEncryption.enabled }} + - name: central-encryption-key + mountPath: /run/secrets/stackrox.io/central-encryption-key + {{- end }} + {{- end }} + {{- if ._rox.monitoring.openshift.enabled }} + - name: monitoring-tls + mountPath: /run/secrets/stackrox.io/monitoring-tls + readOnly: true + {{- end }} + {{- range $extraMount := (default list ._rox.central.extraMounts) }} + - name: {{ $extraMount.name }} + {{- $extraMount.mount | toYaml | nindent 10 }} + {{- end }} + {{- range $mount := (default list ._rox.central.declarativeConfiguration.mounts.configMaps) }} + - name: {{ $mount }} + 
mountPath: /run/stackrox.io/declarative-configuration/{{ $mount }} + readOnly: true + {{- end }} + {{- range $mount := (default list ._rox.central.declarativeConfiguration.mounts.secrets) }} + - name: {{ $mount }} + mountPath: /run/stackrox.io/declarative-configuration/{{ $mount }} + readOnly: true + {{- end }} + {{- include "srox.injectedCABundleVolumeMount" . | nindent 8 }} + volumes: + - name: varlog + emptyDir: {} + - name: central-tmp-volume + emptyDir: {} + - name: central-etc-ssl-volume + emptyDir: {} + - name: central-etc-pki-volume + emptyDir: {} + - name: central-certs-volume + secret: + secretName: central-tls + - name: central-default-tls-cert-volume + secret: + secretName: {{ default "central-default-tls-cert" ._rox.central.defaultTLS.reference }} + optional: true + - name: central-htpasswd-volume + secret: + secretName: central-htpasswd + optional: true + - name: central-jwt-volume + secret: + secretName: central-tls + items: + - key: jwt-key.pem + path: jwt-key.pem + - name: additional-ca-volume + secret: + secretName: additional-ca + optional: true + - name: central-license-volume + secret: + secretName: central-license + optional: true + - name: central-config-volume + configMap: + name: central-config + optional: true + - name: proxy-config-volume + secret: + secretName: proxy-config + optional: true + - name: endpoints-config-volume + configMap: + name: central-endpoints + - name: central-db-password + secret: + secretName: central-db-password + - name: central-external-db-volume + configMap: + name: central-external-db + optional: true + {{- if ._rox.central.notifierSecretsEncryption }} + {{- if ._rox.central.notifierSecretsEncryption.enabled }} + - name: central-encryption-key + secret: + secretName: central-encryption-key + {{- end }} + {{- end }} + - name: stackrox-db + {{- toYaml ._rox.central.persistence._volumeCfg | nindent 8 }} + {{- if ._rox.monitoring.openshift.enabled }} + - name: monitoring-tls + secret: + secretName: 
central-monitoring-tls + optional: true + {{- end }} + {{- range $extraMount := (default list ._rox.central.extraMounts) }} + - name: {{ $extraMount.name }} + {{- $extraMount.source | toYaml | nindent 8 }} + {{- end }} + {{- range $mount := (default list ._rox.central.declarativeConfiguration.mounts.configMaps) }} + - name: {{ $mount }} + configMap: + name: {{ $mount }} + optional: true + {{- end }} + {{- range $mount := (default list ._rox.central.declarativeConfiguration.mounts.secrets) }} + - name: {{ $mount }} + secret: + secretName: {{ $mount }} + optional: true + {{- end }} + {{- include "srox.injectedCABundleVolume" . | nindent 6 }} diff --git a/4.3.5/central-services/templates/01-central-14-service.yaml b/4.3.5/central-services/templates/01-central-14-service.yaml new file mode 100644 index 0000000..f459fd7 --- /dev/null +++ b/4.3.5/central-services/templates/01-central-14-service.yaml 
@@ -0,0 +1,43 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: Service +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "central") | nindent 4 }} + {{- if ._rox.monitoring.openshift.enabled }} + service.beta.openshift.io/serving-cert-secret-name: central-monitoring-tls + {{- end }} +spec: + ports: + {{- toYaml ._rox.central._servicePorts | nindent 4 }} + selector: + app: central + type: ClusterIP + +{{ if ._rox.env.istio }} +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: central-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "destinationrule" "central-internal-no-istio-mtls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "destinationrule" "central-internal-no-istio-mtls") | nindent 4 }} + stackrox.io/description: "Disable Istio mTLS for port 443, since StackRox services use built-in mTLS." +spec: + host: central.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 443 + tls: + mode: DISABLE +{{ end }} diff --git a/4.3.5/central-services/templates/01-central-15-exposure.yaml b/4.3.5/central-services/templates/01-central-15-exposure.yaml new file mode 100644 index 0000000..9bfdbbb --- /dev/null +++ b/4.3.5/central-services/templates/01-central-15-exposure.yaml 
@@ -0,0 +1,95 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central.exposure.route.enabled }} +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "route" "central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "route" "central") | nindent 4 }} +spec: +{{- if ._rox.central.exposure.route.host }} + host: {{ ._rox.central.exposure.route.host }} +{{- end }} + port: + targetPort: https + tls: + termination: passthrough + to: + kind: Service + name: central +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: central-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "route" "central-mtls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "route" "central-mtls") | nindent 4 }} +spec: + host: "central.{{ .Release.Namespace }}" + port: + targetPort: https + tls: + termination: passthrough + to: + kind: Service + name: central +--- +{{- end }} + +{{- if ._rox.central.exposure.nodePort.enabled }} +apiVersion: v1 +kind: Service +metadata: + annotations: + {{- include "srox.annotations" (list . "service" "central-loadbalancer") | nindent 4 }} + cloud.google.com/app-protocols: '{"api": "HTTPS"}' + service.alpha.kubernetes.io/app-protocols: '{"api": "HTTPS"}' + name: central-loadbalancer + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "central-loadbalancer") | nindent 4 }} +spec: + type: NodePort + ports: + - port: 443 + targetPort: api +{{- if ._rox.central.exposure.nodePort.port }} + nodePort: {{ ._rox.central.exposure.nodePort.port }} +{{- end }} + selector: + app: central +--- +{{- end }} + +{{- if ._rox.central.exposure.loadBalancer.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: central-loadbalancer + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . 
"service" "central-loadbalancer") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "central-loadbalancer") | nindent 4 }} +spec: + type: LoadBalancer + # This ensures that the client source IP is retained for audit logging purposes. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + externalTrafficPolicy: Local + ports: + - port: {{ ._rox.central.exposure.loadBalancer.port }} + targetPort: api + selector: + app: central +{{- if ._rox.central.exposure.loadBalancer.ip }} + loadBalancerIP: {{ ._rox.central.exposure.loadBalancer.ip }} +{{- end }} +--- +{{- end}} diff --git a/4.3.5/central-services/templates/02-scanner-00-serviceaccount.yaml b/4.3.5/central-services/templates/02-scanner-00-serviceaccount.yaml new file mode 100644 index 0000000..a27c602 --- /dev/null +++ b/4.3.5/central-services/templates/02-scanner-00-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "scanner") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.imagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} + +{{ end -}} diff --git a/4.3.5/central-services/templates/02-scanner-01-psps.yaml b/4.3.5/central-services/templates/02-scanner-01-psps.yaml new file mode 100644 index 0000000..23b398c --- /dev/null +++ b/4.3.5/central-services/templates/02-scanner-01-psps.yaml 
@@ -0,0 +1,69 @@ +{{- include "srox.init" . -}} + +{{- if and (not ._rox.scanner.disable) ._rox.system.enablePodSecurityPolicies }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }} + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }} +rules: +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-scanner-psp + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }} +subjects: + - kind: ServiceAccount + name: scanner + namespace: {{ .Release.Namespace }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} 
diff --git a/4.3.5/central-services/templates/02-scanner-01-security.yaml b/4.3.5/central-services/templates/02-scanner-01-security.yaml new file mode 100644 index 0000000..3c1d92b --- /dev/null +++ b/4.3.5/central-services/templates/02-scanner-01-security.yaml 
@@ -0,0 +1,78 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable }} +{{- if and ._rox.env.openshift ._rox.system.createSCCs }} +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-scanner") | nindent 4 }} + kubernetes.io/description: stackrox-scanner is the security constraint for the Scanner container +priority: 0 +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +users: + - system:serviceaccount:{{ .Release.Namespace }}:scanner +volumes: + - '*' +allowHostDirVolumePlugin: false +allowedCapabilities: [] +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +defaultAddCapabilities: [] +fsGroup: + type: RunAsAny +readOnlyRootFilesystem: false +requiredDropCapabilities: [] + +{{- else if eq ._rox.env.openshift 4 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: use-scanner-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "use-scanner-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "role" "use-scanner-scc") | nindent 4 }} +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - anyuid + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: scanner-use-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "scanner-use-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"rolebinding" "scanner-use-scc") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: use-scanner-scc +subjects: +- kind: ServiceAccount + name: scanner + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/4.3.5/central-services/templates/02-scanner-02-db-password-secret.yaml b/4.3.5/central-services/templates/02-scanner-02-db-password-secret.yaml new file mode 100644 index 0000000..c6c0bc1 --- /dev/null +++ b/4.3.5/central-services/templates/02-scanner-02-db-password-secret.yaml @@ -0,0 +1,27 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +{{- if ._rox.scanner._dbPassword -}} +{{- if not (kindIs "invalid" ._rox.scanner._dbPassword.value) -}} + +apiVersion: v1 +kind: Secret +metadata: + name: scanner-db-password + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "scanner-db-password") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "scanner-db-password") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +type: Opaque +stringData: + password: | + {{- ._rox.scanner._dbPassword.value | nindent 4 }} + +{{- end -}} +{{- end -}} + +{{ end -}} diff --git a/4.3.5/central-services/templates/02-scanner-03-tls-secret.yaml b/4.3.5/central-services/templates/02-scanner-03-tls-secret.yaml new file mode 100644 index 0000000..7c590ff --- /dev/null +++ b/4.3.5/central-services/templates/02-scanner-03-tls-secret.yaml 
@@ -0,0 +1,55 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +{{- if and ._rox.scanner._serviceTLS ._rox._ca -}} + +apiVersion: v1 +kind: Secret +metadata: + name: scanner-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "scanner-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "scanner-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +type: Opaque +stringData: + ca.pem: | + {{- ._rox._ca.Cert | nindent 4 }} + cert.pem: | + {{- ._rox.scanner._serviceTLS.Cert | nindent 4 }} + key.pem: | + {{- ._rox.scanner._serviceTLS.Key | nindent 4 }} + +--- + +{{- end }} + +{{ if and ._rox.scanner._dbServiceTLS ._rox._ca -}} + +apiVersion: v1 +kind: Secret +metadata: + name: scanner-db-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "scanner-db-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "scanner-db-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox._ca.Cert | nindent 4 }} + cert.pem: | + {{- ._rox.scanner._dbServiceTLS.Cert | nindent 4 }} + key.pem: | + {{- ._rox.scanner._dbServiceTLS.Key | nindent 4 }} + +{{- end -}} + +{{ end -}} diff --git a/4.3.5/central-services/templates/02-scanner-04-scanner-config.yaml b/4.3.5/central-services/templates/02-scanner-04-scanner-config.yaml new file mode 100644 index 0000000..4ed16c7 --- /dev/null +++ b/4.3.5/central-services/templates/02-scanner-04-scanner-config.yaml 
@@ -0,0 +1,18 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: scanner-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "scanner-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "scanner-config") | nindent 4 }} +data: + config.yaml: | + {{- tpl (.Files.Get "config-templates/scanner/config.yaml.tpl") . | nindent 4 }} + +{{ end -}} diff --git a/4.3.5/central-services/templates/02-scanner-05-network-policy.yaml b/4.3.5/central-services/templates/02-scanner-05-network-policy.yaml new file mode 100644 index 0000000..99f7233 --- /dev/null +++ b/4.3.5/central-services/templates/02-scanner-05-network-policy.yaml 
@@ -0,0 +1,91 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: scanner + ingress: + - from: + - podSelector: + matchLabels: + app: central + ports: + - port: 8080 + protocol: TCP + - port: 8443 + protocol: TCP +{{ if or (eq ._rox.scanner.mode "slim") ._rox.env.openshift }} + - from: + - podSelector: + matchLabels: + app: sensor + ports: + - port: 8080 + protocol: TCP + - port: 8443 + protocol: TCP +{{ end }} + policyTypes: + - Ingress + +--- + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner-db") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: scanner-db + ingress: + - from: + - podSelector: + matchLabels: + app: scanner + ports: + - port: 5432 + protocol: TCP + policyTypes: + - Ingress + +{{ end -}} + +{{ if ._rox.scanner.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner-monitoring + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner-monitoring") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: scanner + policyTypes: + - Ingress +{{ end }} 
diff --git a/4.3.5/central-services/templates/02-scanner-06-deployment.yaml b/4.3.5/central-services/templates/02-scanner-06-deployment.yaml new file mode 100644 index 0000000..89ac82c --- /dev/null +++ b/4.3.5/central-services/templates/02-scanner-06-deployment.yaml 
@@ -0,0 +1,296 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + app: scanner + {{- include "srox.labels" (list . "deployment" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "deployment" "scanner") | nindent 4 }} +spec: + replicas: {{ ._rox.scanner.replicas }} + minReadySeconds: 15 + selector: + matchLabels: + app: scanner + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: scanner + {{- include "srox.podLabels" (list . "deployment" "scanner") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8080,8443" + {{- include "srox.podAnnotations" (list . "deployment" "scanner") | nindent 8 }} + spec: + {{- if ._rox.scanner._nodeSelector }} + nodeSelector: + {{- ._rox.scanner._nodeSelector | nindent 8 }} + {{- end }} + {{- if ._rox.scanner.tolerations }} + tolerations: + {{- toYaml ._rox.scanner.tolerations | nindent 8 }} + {{- end }} + affinity: + {{- toYaml ._rox.scanner.affinity | nindent 8 }} + containers: + - name: scanner + {{ if eq ._rox.scanner.mode "slim" -}} + image: {{ ._rox.scanner.slimImage.fullRef | quote }} + {{ else }} + image: {{ ._rox.scanner.image.fullRef | quote }} + {{ end -}} + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if ._rox.env.openshift }} + - name: ROX_OPENSHIFT_API + value: "true" + {{- end}} + {{- include "srox.envVars" (list . 
"deployment" "scanner" "scanner") | nindent 8 }} + resources: + {{- ._rox.scanner._resources | nindent 10 }} + command: + - /entrypoint.sh + ports: + - name: https + containerPort: 8080 + - name: grpc + containerPort: 8443 + {{ if ._rox.scanner.exposeMonitoring -}} + - name: monitoring + containerPort: 9090 + {{- end}} + securityContext: + capabilities: + drop: ["NET_RAW"] + runAsUser: 65534 + readinessProbe: + httpGet: + scheme: HTTPS + path: /scanner/ping + port: 8080 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + volumeMounts: + - name: scanner-etc-ssl-volume + mountPath: /etc/ssl + - name: scanner-etc-pki-volume + mountPath: /etc/pki/ca-trust + - name: additional-ca-volume + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + - name: scanner-config-volume + mountPath: /etc/scanner + readOnly: true + - name: scanner-tls-volume + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: vuln-temp-db + mountPath: /var/lib/stackrox + - name: proxy-config-volume + mountPath: /run/secrets/stackrox.io/proxy-config/ + readOnly: true + - name: scanner-db-password + mountPath: /run/secrets/stackrox.io/secrets + readOnly: true + {{- include "srox.injectedCABundleVolumeMount" . | nindent 8 }} + securityContext: + runAsNonRoot: true + runAsUser: 65534 + serviceAccountName: scanner + volumes: + - name: additional-ca-volume + secret: + defaultMode: 420 + optional: true + secretName: additional-ca + - name: scanner-etc-ssl-volume + emptyDir: {} + - name: scanner-etc-pki-volume + emptyDir: {} + - name: scanner-config-volume + configMap: + name: scanner-config + - name: scanner-tls-volume + secret: + secretName: scanner-tls + - name: vuln-temp-db + emptyDir: {} + - name: proxy-config-volume + secret: + secretName: proxy-config + optional: true + - name: scanner-db-password + secret: + secretName: scanner-db-password + {{- include "srox.injectedCABundleVolume" . 
| nindent 6 }} +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + app: scanner-db + {{- include "srox.labels" (list . "deployment" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "deployment" "scanner-db") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: scanner-db + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: scanner-db + {{- include "srox.podLabels" (list . "deployment" "scanner-db") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "5432" + {{- include "srox.podAnnotations" (list . "deployment" "scanner-db") | nindent 8 }} + spec: + {{- if ._rox.scanner._dbNodeSelector }} + nodeSelector: + {{- ._rox.scanner._dbNodeSelector | nindent 8 }} + {{- end }} + {{- if ._rox.scanner.dbTolerations }} + tolerations: + {{- toYaml ._rox.scanner.dbTolerations | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # ScannerDB is single-homed, so avoid preemptible nodes. + - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: Exists + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: Exists + # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in + # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+ - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: DoesNotExist + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + initContainers: + - name: init-db + {{ if eq ._rox.scanner.mode "slim" -}} + image: {{ ._rox.scanner.slimDBImage.fullRef | quote }} + {{ else -}} + image: {{ ._rox.scanner.dbImage.fullRef | quote }} + {{ end -}} + env: + - name: POSTGRES_PASSWORD_FILE + value: "/run/secrets/stackrox.io/secrets/password" + - name: ROX_SCANNER_DB_INIT + value: "true" + resources: + {{- ._rox.scanner._dbResources | nindent 12 }} + volumeMounts: + - name: scanner-db-data + mountPath: /var/lib/postgresql/data + - name: scanner-db-tls-volume + mountPath: /run/secrets/stackrox.io/certs + readOnly: true + - name: scanner-db-password + mountPath: /run/secrets/stackrox.io/secrets + readOnly: true + containers: + - name: db + {{ if eq ._rox.scanner.mode "slim" -}} + image: {{ ._rox.scanner.slimDBImage.fullRef | quote }} + {{ else -}} + image: {{ ._rox.scanner.dbImage.fullRef | quote }} + {{ end -}} + env: + {{- include "srox.envVars" (list . 
"deployment" "scanner-db" "db") | nindent 10 }} + ports: + - name: tcp-postgresql + protocol: TCP + containerPort: 5432 + resources: + {{- ._rox.scanner._dbResources | nindent 10 }} + volumeMounts: + - name: scanner-db-data + mountPath: /var/lib/postgresql/data + - name: scanner-db-tls-volume + mountPath: /run/secrets/stackrox.io/certs + readOnly: true + serviceAccountName: scanner + securityContext: + fsGroup: 70 + runAsGroup: 70 + runAsNonRoot: true + runAsUser: 70 + volumes: + - name: scanner-config-volume + configMap: + name: scanner-config + - name: scanner-tls-volume + secret: + secretName: scanner-tls + - name: scanner-db-tls-volume + secret: + secretName: scanner-db-tls + defaultMode: 0640 + items: + - key: cert.pem + path: server.crt + - key: key.pem + path: server.key + - key: ca.pem + path: root.crt + - name: scanner-db-data + emptyDir: {} + - name: scanner-db-password + secret: + secretName: scanner-db-password + +{{ end -}} diff --git a/4.3.5/central-services/templates/02-scanner-07-service.yaml b/4.3.5/central-services/templates/02-scanner-07-service.yaml new file mode 100644 index 0000000..2f65b15 --- /dev/null +++ b/4.3.5/central-services/templates/02-scanner-07-service.yaml 
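Review bot: In the `scanner` container's `securityContext` in 02-scanner-06-deployment.yaml only `NET_RAW` is dropped (`drop: ["NET_RAW"]`) and `allowPrivilegeEscalation` is not set; since the pod already runs with `runAsNonRoot: true` and `runAsUser: 65534`, dropping everything and forbidding escalation costs nothing functionally and moves the workload toward the restricted Pod Security Standard:
  capabilities:
    drop: ["ALL"]
  allowPrivilegeEscalation: false
The writable paths the scanner uses (`/etc/ssl`, `/etc/pki/ca-trust`, `/var/lib/stackrox`) are already emptyDir mounts, so `readOnlyRootFilesystem: true` is worth testing as well. Separately, in the `scanner-db` Deployment the `scanner-config-volume` and `scanner-tls-volume` volumes are declared under `volumes:` but mounted by neither `init-db` nor `db`, so they can be removed.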
@@ -0,0 +1,99 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: Service +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "scanner") | nindent 4 }} +spec: + ports: + - name: https-scanner + port: 8080 + targetPort: 8080 + - name: grpcs-scanner + port: 8443 + targetPort: 8443 + {{ if ._rox.scanner.exposeMonitoring -}} + - name: monitoring + port: 9090 + targetPort: monitoring + {{- end}} + selector: + app: scanner + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "scanner-db") | nindent 4 }} +spec: + ports: + - name: tcp-db + port: 5432 + targetPort: 5432 + selector: + app: scanner-db + type: ClusterIP + +{{ if ._rox.env.istio }} +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: scanner-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }} + annotations: + stackrox.io/description: "Disable Istio mTLS for ports 8080 and 8443, since StackRox services use built-in mTLS." + {{- include "srox.annotations" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }} +spec: + host: scanner.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8080 + tls: + mode: DISABLE + - port: + number: 8443 + tls: + mode: DISABLE + +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: scanner-db-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . 
"destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }} + annotations: + stackrox.io/description: "Disable Istio mTLS for port 5432, since StackRox services use built-in mTLS." + {{- include "srox.annotations" (list . "destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }} +spec: + host: scanner-db.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 5432 + tls: + mode: DISABLE +{{ end }} + +{{ end -}} diff --git a/4.3.5/central-services/templates/02-scanner-08-hpa.yaml b/4.3.5/central-services/templates/02-scanner-08-hpa.yaml new file mode 100644 index 0000000..c7af476 --- /dev/null +++ b/4.3.5/central-services/templates/02-scanner-08-hpa.yaml @@ -0,0 +1,25 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +{{- if not ._rox.scanner.autoscaling.disable -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }} +spec: + minReplicas: {{ ._rox.scanner.autoscaling.minReplicas }} + maxReplicas: {{ ._rox.scanner.autoscaling.maxReplicas }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: scanner + targetCPUUtilizationPercentage: 150 +{{ end -}} + +{{ end -}} diff --git a/4.3.5/central-services/templates/99-generated-values-secret.yaml b/4.3.5/central-services/templates/99-generated-values-secret.yaml new file mode 100644 index 0000000..b3499e8 --- /dev/null +++ b/4.3.5/central-services/templates/99-generated-values-secret.yaml 
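Review bot: The two Istio `DestinationRule` objects in 02-scanner-07-service.yaml hard-code `host: scanner.{{ .Release.Namespace }}.svc.cluster.local` and `scanner-db.{{ .Release.Namespace }}.svc.cluster.local`; on a cluster with a non-default cluster domain the rule does not match the service, Istio mTLS stays enabled on 8080/8443/5432, and the built-in mTLS described in the `stackrox.io/description` annotation cannot complete. Either make the cluster domain a chart value or use the short names `scanner` and `scanner-db`, which Istio resolves relative to the namespace the rule lives in. Also, the `monitoring` service port uses `targetPort: monitoring` (by name) while `https-scanner` and `grpcs-scanner` use numeric target ports; referencing the container port names (`https`, `grpc`) for all three keeps the mapping in one place.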
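Review bot: The HorizontalPodAutoscaler in 02-scanner-08-hpa.yaml targets the `scanner` Deployment, but that Deployment (02-scanner-06-deployment.yaml) still renders `replicas: {{ ._rox.scanner.replicas }}` unconditionally, so every `helm upgrade` rewrites `spec.replicas` to the configured value and undoes whatever the autoscaler had scaled to until its next decision. When `scanner.autoscaling.disable` is false, omit `replicas` from the Deployment (for example wrap it in `{{ if ._rox.scanner.autoscaling.disable }}`) and let the HPA own it. Two smaller points: `minReplicas`/`maxReplicas` are templated in without a `minReplicas <= maxReplicas` check, which the setup template could `srox.fail` on, and `targetCPUUtilizationPercentage: 150` is relative to the container's CPU request, so it only behaves as intended when `scanner._resources` sets one.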
@@ -0,0 +1,25 @@ +{{- include "srox.init" . -}} + +{{- if ._rox._state.generated -}} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ ._rox._state.generatedName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "generated-helm-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "generated-helm-config") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" + "helm.sh/hook-delete-policy": "never" +stringData: + generated-values.yaml: | + # The following values were generated by the StackRox Central Services Helm chart. + # You can pass this file to `helm install` via the `-f` parameter, which in conjunction + # with your local values files and values specified via `--set` will allow you to + # deterministically reproduce the deployment. + {{- ._rox._state.generated | toYaml | nindent 4 }} + +{{- end -}} diff --git a/4.3.5/central-services/templates/99-openshift-monitoring.yaml b/4.3.5/central-services/templates/99-openshift-monitoring.yaml new file mode 100644 index 0000000..e9c512e --- /dev/null +++ b/4.3.5/central-services/templates/99-openshift-monitoring.yaml 
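Review bot: The Secret in 99-generated-values-secret.yaml stores the full `._rox._state.generated` tree, which per the `srox.configureCrypto` documentation in _crypto.tpl includes generated private keys and, per NOTES.txt, the generated admin password, and the `helm.sh/hook-delete-policy: never` and `helm.sh/resource-policy: keep` annotations mean it outlives `helm uninstall`. That is the intended reproducibility mechanism, but the template deserves a comment (and the README a sentence) stating that anyone with `get secrets` in the release namespace can read every generated credential, that the object has to be deleted by hand on teardown, and that operators who rotate the admin password or certificates should regenerate or delete it so a stale copy is not left behind.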
@@ -0,0 +1,134 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox.monitoring ._rox.monitoring.openshift ._rox.monitoring.openshift.enabled -}} + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: central-prometheus-k8s + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "central-prometheus-k8s") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "role" "central-prometheus-k8s") | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: central-prometheus-k8s + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "central-prometheus-k8s") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "central-prometheus-k8s") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: central-prometheus-k8s +subjects: +- kind: ServiceAccount + name: prometheus-k8s + namespace: openshift-monitoring + +--- + +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: "central-monitor-{{ .Release.Namespace }}" + namespace: openshift-monitoring + labels: + {{- include "srox.labels" (list . "servicemonitor" (print "central-monitor-" .Release.Namespace)) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"servicemonitor" (print "central-monitor-" .Release.Namespace)) | nindent 4 }} +spec: + endpoints: + - interval: 30s + path: metrics + port: monitoring-tls + scheme: https + tlsConfig: + caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt + certFile: /etc/prometheus/secrets/metrics-client-certs/tls.crt + keyFile: /etc/prometheus/secrets/metrics-client-certs/tls.key + serverName: "central.{{ .Release.Namespace }}.svc" + selector: + matchLabels: + app.kubernetes.io/component: central + namespaceSelector: + matchNames: + - "{{ .Release.Namespace }}" + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "rhacs-central-auth-reader-{{ .Release.Namespace }}" + namespace: kube-system + labels: + {{- include "srox.labels" (list . "rolebinding" (print "rhacs-central-auth-reader-" .Release.Namespace)) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" (print "rhacs-central-auth-reader-" .Release.Namespace)) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: central + namespace: "{{ .Release.Namespace }}" + +--- + +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: "central-telemeter-{{ .Release.Namespace }}" + namespace: openshift-monitoring + labels: + {{- include "srox.labels" (list . "prometheusrule" (print "central-telemeter-" .Release.Namespace )) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"prometheusrule" (print "central-telemeter-" .Release.Namespace )) | nindent 4 }} +spec: + groups: + - name: rhacs.telemeter + rules: + - expr: | + max by (build, central_id, central_version, hosting, install_method) ( + rox_central_info{branding="RHACS"} + ) + record: rhacs:telemetry:rox_central_info + + - expr: | + max by (central_id) ( + rox_central_secured_clusters{branding="RHACS"} + ) + record: rhacs:telemetry:rox_central_secured_clusters + + - expr: | + max by (central_id) ( + rox_central_secured_nodes{branding="RHACS"} + ) + record: rhacs:telemetry:rox_central_secured_nodes + + - expr: | + max by (central_id) ( + rox_central_secured_vcpus{branding="RHACS"} + ) + record: rhacs:telemetry:rox_central_secured_vcpus + +{{- end -}} diff --git a/4.3.5/central-services/templates/NOTES.txt b/4.3.5/central-services/templates/NOTES.txt new file mode 100644 index 0000000..27922b2 --- /dev/null +++ b/4.3.5/central-services/templates/NOTES.txt 
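Review bot: The `ServiceMonitor` and `PrometheusRule` in 99-openshift-monitoring.yaml are created in `openshift-monitoring` and the `RoleBinding` to `extension-apiserver-authentication-reader` in `kube-system`, so installing with `monitoring.openshift.enabled=true` requires write access to those two namespaces on top of the release namespace; a comment at the top of the template and a `srox.note` in the setup code would make that requirement visible before the install fails with a generic Helm permission error. Also, the ServiceMonitor endpoint uses `path: metrics` without a leading slash; `/metrics` is the conventional form, and writing it explicitly avoids depending on the operator to normalise the value.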
@@ -0,0 +1,56 @@ +{{- $_ := include "srox.init" . -}} + +StackRox {{.Chart.AppVersion}} has been installed. + + +{{ if include "srox.checkGenerated" (list . "central.adminPassword.value") -}} +An administrator password has been generated automatically. Use username 'admin' and the following +password to log in for initial setup: + + {{ ._rox.central._adminPassword.value }} + +{{ end -}} + +{{ if ._rox._state.notes -}} +Please take note of the following: +{{ range ._rox._state.notes }} +- {{ . | wrapWith 98 "\n " -}} +{{ end }} + +{{ end -}} + +{{ if ._rox._state.generated -}} +One or several values were automatically generated by Helm. In order to reproduce this deployment +in the future, you can export these values by running + + $ kubectl -n {{ .Release.Namespace }} get secret {{ ._rox._state.generatedName }} \ + -o go-template='{{ `{{ index .data "generated-values.yaml" }}` }}' | \ + base64 --decode >generated-values.yaml + +This file might contain sensitive data, so store it in a safe place. + +{{ end -}} + +{{ if ._rox._state.warnings -}} +When installing StackRox, the following warnings were encountered: +{{ range ._rox._state.warnings }} +- WARNING: {{ . | wrapWith 98 "\n " -}} +{{ end }} + +{{ end -}} + +{{ if ._rox.env.openshift -}} +IMPORTANT: You have deployed into an OpenShift-enabled cluster. If you see that your pods + are not scheduling, run + + oc annotate namespace/{{ .Release.Namespace }} --overwrite openshift.io/node-selector="" +{{ end -}} + + +{{ if ne (._rox.central.telemetry.enabled | toString) "false" }} +StackRox Kubernetes Security Platform collects and transmits anonymous usage and +system configuration information. If you want to OPT OUT from this, use +--set central.telemetry.enabled=false. +{{ end }} + +Thank you for using StackRox! diff --git a/4.3.5/central-services/templates/_central_endpoints.tpl b/4.3.5/central-services/templates/_central_endpoints.tpl new file mode 100644 index 0000000..3bde7d4 --- /dev/null 
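Review bot: In templates/NOTES.txt the generated admin password is printed in clear text (`{{ ._rox.central._adminPassword.value }}`) whenever it was auto-generated, so it lands in terminal scrollback, CI job logs and anything else that captures `helm install` output. The same value is already stored in the generated-values Secret, so consider printing only a retrieval command (the `kubectl -n ... get secret ... | base64 --decode` form already shown further down) instead of the password itself, or gate the echo behind an explicit value. Also, `{{ if ne (._rox.central.telemetry.enabled | toString) "false" }}` prints the telemetry opt-out notice when the value is unset or null as well as when it is `true`; that is presumably intended, but a short comment would make it clear.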
+++ b/4.3.5/central-services/templates/_central_endpoints.tpl 
@@ -0,0 +1,59 @@ +{{ define "srox.configureCentralEndpoints" }} +{{ $central := . }} +{{ $containerPorts := list (dict "name" "api" "containerPort" 8443) }} +{{ $netPolIngressRules := list (dict "ports" (list (dict "port" 8443 "protocol" "TCP"))) }} +{{ $servicePorts := list (dict "name" "https" "targetPort" "api" "port" 443) }} +{{ $cfgDict := fromYaml $central._endpointsConfig }} +{{ if kindIs "map" $cfgDict }} + {{ if $cfgDict.disableDefault }} + {{ $containerPorts = list }} + {{ $netPolIngressRules = list }} + {{ $servicePorts = list }} + {{ end }} + {{ range $epCfg := default list $cfgDict.endpoints }} + {{ if and $epCfg.listen (kindIs "string" $epCfg.listen) }} + {{ $listenParts := splitList ":" $epCfg.listen }} + {{ if $listenParts }} + {{ $port := last $listenParts }} + {{ if $port }} + {{ if regexMatch "[0-9]+" $port }} + {{ $port = int $port }} + {{ end }} + {{ $containerPort := dict "containerPort" $port }} + {{ if and $epCfg.name (kindIs "string" $epCfg.name) }} + {{ $_ := set $containerPort "name" $epCfg.name }} + {{ end }} + {{ $containerPorts = append $containerPorts $containerPort }} + {{ if $epCfg.servicePort }} + {{ $servicePort := dict "targetPort" $port "port" $epCfg.servicePort }} + {{ if $containerPort.name }} + {{ $_ := set $servicePort "name" $containerPort.name }} + {{ end }} + {{ $servicePorts = append $servicePorts $servicePort }} + {{ end }} + {{ if not (kindIs "invalid" $epCfg.allowIngressFrom) }} + {{ $fromList := $epCfg.allowIngressFrom }} + {{ if not (kindIs "slice" $fromList) }} + {{ $fromList = list $fromList }} + {{ end }} + {{ $netPolIngressRule := dict "ports" (list (dict "port" $port "protocol" "TCP")) "from" $fromList }} + {{ $netPolIngressRules = append $netPolIngressRules $netPolIngressRule }} + {{ end }} + {{ end }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ if $central.exposeMonitoring }} + {{ $containerPorts = append $containerPorts (dict "name" "monitoring" "containerPort" 9090) }} + {{ $servicePorts = append 
$servicePorts (dict "name" "monitoring" "targetPort" "monitoring" "port" 9090) }} +{{ end }} +# The (...) safe-guard against nil pointer evaluations for Helm versions built with Go < 1.18. +{{ if ((($central.monitoring).openshift).enabled) }} + {{ $containerPorts = append $containerPorts (dict "name" "monitoring-tls" "containerPort" 9091) }} + {{ $servicePorts = append $servicePorts (dict "name" "monitoring-tls" "targetPort" "monitoring-tls" "port" 9091) }} +{{ end }} +{{ $_ := set $central "_containerPorts" $containerPorts }} +{{ $_ = set $central "_servicePorts" $servicePorts }} +{{ $_ = set $central "_netPolIngressRules" $netPolIngressRules }} +{{ end }} diff --git a/4.3.5/central-services/templates/_central_setup.tpl b/4.3.5/central-services/templates/_central_setup.tpl new file mode 100644 index 0000000..6584ad1 --- /dev/null +++ b/4.3.5/central-services/templates/_central_setup.tpl 
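Review bot: In `srox.configureCentralEndpoints` (_central_endpoints.tpl) the port test `regexMatch "[0-9]+" $port` is unanchored, so a `listen` value ending in something like `8443x` or `x1` still matches and `int $port` then silently yields 0, producing `containerPort: 0`; anchor the pattern (`regexMatch "^[0-9]+$" $port`) and `srox.fail` on anything else rather than leaving a non-numeric string in `containerPort`. Also worth a comment next to `disableDefault`: an endpoint without `allowIngressFrom` gets a container port and optionally a service port but no NetworkPolicy ingress rule, so with the chart's network policies applied it is unreachable by default, which is a sound default that users will otherwise discover only by debugging.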
@@ -0,0 +1,140 @@ +{{/* + srox.centralSetup $ + + Configures and initializes central specific values like certificates, admin password or persistence. + */}} +{{ define "srox.centralSetup" }} +{{ $ := . }} +{{ $env := $._rox.env }} +{{ $_ := set $ "_rox" $._rox }} +{{ $centralCfg := $._rox.central }} +{{ $centralDBCfg := $._rox.central.db }} + +{{/* Image settings */}} +{{ include "srox.configureImage" (list $ $centralCfg.image) }} + +{{/* Admin password */}} +{{ include "srox.configurePassword" (list $ "central.adminPassword" "admin") }} + +{{/* Service TLS Certificates */}} +{{ $centralCertSpec := dict "CN" "CENTRAL_SERVICE: Central" "dnsBase" "central" }} +{{ include "srox.configureCrypto" (list $ "central.serviceTLS" $centralCertSpec) }} + +{{/* JWT Token Signer */}} +{{ $jwtSignerSpec := dict "keyOnly" "rsa" }} +{{ include "srox.configureCrypto" (list $ "central.jwtSigner" $jwtSignerSpec) }} + +{{/* Setup Default TLS Certificate. */}} +{{ if $._rox.central.defaultTLS }} + {{ $cert := $._rox.central.defaultTLS._cert }} + {{ $key := $._rox.central.defaultTLS._key }} + {{ if and $cert $key }} + {{ $defaultTLSCert := dict "Cert" $cert "Key" $key }} + {{ $_ := set $._rox.central "_defaultTLS" $defaultTLSCert }} + {{ include "srox.note" (list $ "Configured default TLS certificate") }} + {{ else if or $cert $key }} + {{ include "srox.fail" "Must specify either none or both of central.defaultTLS.cert and central.defaultTLS.key" }} + {{ end }} +{{ end }} + +{{/* Central DB password */}} +{{/* Always set up the password for Postgres if it is enabled */}} +{{ include "srox.configurePassword" (list $ "central.db.password") }} +{{ if not $centralDBCfg.external }} +{{ include "srox.configureImage" (list $ $centralDBCfg.image) }} + +{{/* Central DB Service TLS Certificates */}} +{{ $centralDBCertSpec := dict "CN" "CENTRAL_DB_SERVICE: Central DB" "dnsBase" "central-db" }} +{{ include "srox.configureCrypto" (list $ "central.db.serviceTLS" $centralDBCertSpec) }} +{{ end }} + 
+{{/* + Setup configuration for persistence backend. + TODO(ROX-16253): Remove PVC + */}} +{{ $volumeCfg := dict }} +{{ if $centralCfg.persistence.none }} + {{ $_ := set $volumeCfg "emptyDir" dict }} +{{ end }} +{{ if $centralCfg.persistence.hostPath }} + {{ if not $centralCfg.nodeSelector }} + {{ include "srox.warn" (list $ "You have selected host path persistence, but not specified a node selector. This is unlikely to work reliably.") }} + {{ end }} + {{ $_ := set $volumeCfg "hostPath" (dict "path" $centralCfg.persistence.hostPath) }} +{{ end }} +{{/* Configure PVC if either any of the settings in `central.persistence.persistentVolumeClaim` are provided, + or no other persistence backend has been configured yet. */}} +{{ if or (not (deepEqual $._rox._configShape.central.persistence.persistentVolumeClaim $centralCfg.persistence.persistentVolumeClaim)) (not $volumeCfg) }} + {{ $pvcCfg := $centralCfg.persistence.persistentVolumeClaim }} + {{ $_ := include "srox.mergeInto" (list $pvcCfg $._rox._defaults.pvcDefaults (dict "createClaim" $.Release.IsInstall)) }} + {{ $_ = set $volumeCfg "persistentVolumeClaim" (dict "claimName" $pvcCfg.claimName) }} + {{ if $pvcCfg.createClaim }} + {{ $_ = set $centralCfg.persistence "_pvcCfg" $pvcCfg }} + {{ end }} +{{ end }} + +{{/* + Central's DB PVC config setup + */}} +{{ $dbVolumeCfg := dict }} +{{ if not $centralDBCfg.external }} +{{ if $centralDBCfg.persistence.none }} + {{ include "srox.warn" (list $ "You have selected no persistence backend. Every deletion of the StackRox Central DB pod will cause you to lose all your data. This is STRONGLY recommended against.") }} + {{ $_ := set $dbVolumeCfg "emptyDir" dict }} +{{ end }} +{{ if $centralDBCfg.persistence.hostPath }} + {{ if not $centralDBCfg.nodeSelector }} + {{ include "srox.warn" (list $ "You have selected host path persistence, but not specified a node selector. 
This is unlikely to work reliably.") }} + {{ end }} + {{ $_ := set $dbVolumeCfg "hostPath" (dict "path" $centralDBCfg.persistence.hostPath) }} +{{ end }} +{{/* Configure PVC if either any of the settings in `centralDB.persistence.persistentVolumeClaim` are provided, + or no other persistence backend has been configured yet. */}} +{{ if or (not (deepEqual $._rox._configShape.central.db.persistence.persistentVolumeClaim $centralDBCfg.persistence.persistentVolumeClaim)) (not $dbVolumeCfg) }} + {{ $dbPVCCfg := $centralDBCfg.persistence.persistentVolumeClaim }} + {{ $_ := include "srox.mergeInto" (list $dbPVCCfg $._rox._defaults.dbPVCDefaults (dict "createClaim" (or .Release.IsInstall (eq $._rox._renderMode "centralDBOnly")))) }} + {{ $_ = set $dbVolumeCfg "persistentVolumeClaim" (dict "claimName" $dbPVCCfg.claimName) }} + {{ if $dbPVCCfg.createClaim }} + {{ $_ = set $centralDBCfg.persistence "_pvcCfg" $dbPVCCfg }} + {{ end }} +{{ end }} +{{ end }} + +{{ $allPersistenceMethods := keys $volumeCfg | sortAlpha }} +{{ if ne (len $allPersistenceMethods) 1 }} + {{ include "srox.fail" (printf "Invalid or no persistence configurations for central: [%s]" (join "," $allPersistenceMethods)) }} +{{ end }} +{{ $_ = set $centralCfg.persistence "_volumeCfg" $volumeCfg }} +{{ if not $centralDBCfg.external }} +{{ $_ = set $centralDBCfg.persistence "_volumeCfg" $dbVolumeCfg }} +{{ end }} + +{{/* Endpoint configuration */}} +{{ include "srox.configureCentralEndpoints" $._rox.central }} + +{{/* + Exposure configuration setup & sanity checks. 
+ */}} +{{ if $._rox.central.exposure.loadBalancer.enabled }} + {{ include "srox.note" (list $ (printf "Exposing StackRox Central via LoadBalancer service.")) }} +{{ end }} +{{ if $._rox.central.exposure.nodePort.enabled }} + {{ include "srox.note" (list $ (printf "Exposing StackRox Central via NodePort service.")) }} +{{ end }} +{{ if $._rox.central.exposure.route.enabled }} + {{ if not $env.openshift }} + {{ include "srox.fail" (printf "The exposure method 'Route' is only available on OpenShift clusters.") }} + {{ end }} + {{ include "srox.note" (list $ (printf "Exposing StackRox Central via OpenShift Route https://central.%s." $.Release.Namespace)) }} +{{ end }} + +{{ if not (or $._rox.central.exposure.loadBalancer.enabled $._rox.central.exposure.nodePort.enabled $._rox.central.exposure.route.enabled) }} + {{ include "srox.note" (list $ "Not exposing StackRox Central, it will only be reachable cluster-internally.") }} + {{ include "srox.note" (list $ "To enable exposure via LoadBalancer service, use --set central.exposure.loadBalancer.enabled=true.") }} + {{ include "srox.note" (list $ "To enable exposure via NodePort service, use --set central.exposure.nodePort.enabled=true.") }} + {{ if $env.openshift }} + {{ include "srox.note" (list $ "To enable exposure via an OpenShift Route, use --set central.exposure.route.enabled=true.") }} + {{ end }} + {{ include "srox.note" (list $ (printf "To acccess StackRox Central via a port-forward on your local port 18443, run: kubectl -n %s port-forward svc/central 18443:443." .Release.Namespace)) }} +{{ end }} +{{ end }} diff --git a/4.3.5/central-services/templates/_crypto.tpl b/4.3.5/central-services/templates/_crypto.tpl new file mode 100644 index 0000000..1455288 --- /dev/null +++ b/4.3.5/central-services/templates/_crypto.tpl 
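Review bot: In `srox.centralSetup` (_central_setup.tpl) the `ne (len $allPersistenceMethods) 1` guard that fails on zero or multiple persistence backends is applied only to `$volumeCfg` (Central); `$dbVolumeCfg` gets no equivalent check, so a Central DB configured with both `persistence.hostPath` and `persistence.none` renders a volume with two sources and only fails at apply time. Add the same `keys ... | sortAlpha` / length check for the DB block. Two smaller points: `central.persistence.none` silently selects emptyDir while `central.db.persistence.none` emits the STRONGLY-recommended-against warning, which is presumably deliberate given the `TODO(ROX-16253): Remove PVC` comment but deserves a comment saying so; and the last `srox.note` string has a typo, `acccess` should be `access`.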
@@ -0,0 +1,239 @@ +{{/* + srox.configureCrypto $ $cryptoConfigPath $spec + + This helper function configures a private key or certificate (public cert + private key) + config entry, from an input config which is accessed via $cryptoConfigPath relative to + $._rox, which we'll refer to as $inputCfg. $inputCfg is expected to be a dict with at + least `key` and `generate` properties. If `generate` is null, it defaults to either `true` + on installations, and `false` on upgrades. `key` is an expandable string. + The result in either mode is written to a dict $outputCfg under $._rox accessed by the + $cryptoConfigPath, with a '_' prepended to the last path element. E.g., if + $cryptoConfigPath is "a.b.c", the input configuration will be read from $._rox.a.b.c, and + the output configuration will be stored in $._rox.a.b._c. + + Private key-only mode is selected if $spec.keyOnly contains a non-zero string, which specifies + the key algorithm to use. In this mode, if $inputCfg.key expands to a non-empty string, this + string will be copied to the `Key` property of $outputCfg. Otherwise, if $inputCfg.generate + is true (wrt. the above defaulting rules), a key with the algorithm prescribed by $spec.keyOnly + will be generated and stored in the `Key` property of $outputCfg. + + Certificate mode is the default. If $inputCfg.cert and $inputCfg.key expand to non-empty strings, + these strings will be copied to the `Cert` and `Key` properties of $outputCfg. Otherwise, if both + of them expand to empty strings (it is an error if only one of them expands to a non-empty + string), and $inputCfg.generate is true, a certificate and private key are generated with the + following options: + - If $inputCfg.ca is true, generate a CA certificate with common name $inputCfg.CN and a 5 year + validity duration. + - Otherwise, generate a leaf certificate with common name $inputCfg.CN and a 1 year validity + duration. 
The SANs for this certificate are derived from the base DNS name $inputCfg.dnsBase + according to "srox.computeSANs". + + Whenever certificates and/or private keys were generated, the $._rox._state.generated property + is updated to reflect the generated values, such that merging $._rox._state.generated in to + $.Values would have caused this template to simply use the generated values as-is. E.g., if + $cryptoConfigPath was "a.b.c" and $.Values.a.b.c.cert" and $.Values.a.b.c.key" were both empty, + $._rox._state.generated.a.b.c would be set to be a dict with `cert` and `key` properties of the + generated $outputCfg.Cert and $outputCfg.Key. + + If a certificate or private key was generated, $._rox._state.customCertGen is set to true. + */}} +{{- define "srox.configureCrypto" -}} +{{ $ := index . 0 }} +{{ $cryptoConfigPath := index . 1 }} +{{ $spec := index . 2 }} + +{{/* Resolve $cryptoConfigPath. */}} +{{ $cfg := $._rox }} +{{ $newGenerated := dict }} +{{ $genCfg := $newGenerated }} +{{ $cryptoConfigPathList := splitList "." $cryptoConfigPath }} +{{ range $pathElem := $cryptoConfigPathList }} + {{ $cfg = index $cfg $pathElem }} + {{ $newCfg := dict }} + {{ $_ := set $genCfg $pathElem $newCfg }} + {{ $genCfg = $newCfg }} +{{ end }} + +{{/* Make sure `cert` and `key` are expanded (this should already be the case, but better + safe than sorry. 
*/}} +{{ $certExpandSpec := dict "cert" true "key" true }} +{{ include "srox.expandAll" (list $ $cfg $certExpandSpec $cryptoConfigPathList) }} + +{{ $certPEM := $cfg._cert }} +{{ $keyPEM := $cfg._key }} + +{{ $result := dict }} +{{ if $certPEM }} + {{ $result = dict "Cert" $certPEM "Key" (default "" $keyPEM) }} +{{ else if or $certPEM $keyPEM }} + {{ if and $keyPEM $spec.keyOnly }} + {{ $_ := set $result "Key" $keyPEM }} + {{ else }} + {{ include "srox.fail" (printf "Either none or both of %s.cert and %s.key must be specified" $cryptoConfigPath $cryptoConfigPath) }} + {{ end }} +{{ else }} + {{ $generate := $cfg.generate }} + {{ if kindIs "invalid" $generate }} + {{ $generate = $.Release.IsInstall }} + {{ end }} + {{ if $generate }} + {{ if $spec.ca }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"ca\" (genCA .cn 1825) }}" (dict "Template" $.Template "cn" $spec.CN "out" $out) }} + {{ $result = $out.ca }} + {{ else if $spec.keyOnly }} + {{ $key := tpl "{{ genPrivateKey .algo }}" (dict "Template" $.Template "algo" $spec.keyOnly) }} + {{ $_ := set $genCfg "key" $key }} + {{ $_ = set $result "Key" $key }} + {{ else }} + {{ if not $._rox._ca }} + {{ include "srox.fail" (printf "Tried to generate certificate for %s, but no CA certificate is available." 
$spec.CN) }} + {{ end }} + {{ $sans := dict }} + {{ include "srox.computeSANs" (list $ $sans $spec.dnsBase) }} + {{ $ca := $._rox._ca }} + {{ if kindIs "map" $ca }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"ca\" (buildCustomCert (b64enc .ca.Cert) (b64enc .ca.Key)) }}" (dict "Template" $.Template "ca" $ca "out" $out) }} + {{ $ca = $out.ca }} + {{ end }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"cert\" (genSignedCert .cn nil .sans 365 .ca) }}" (dict "Template" $.Template "cn" $spec.CN "sans" $sans.result "ca" $ca "out" $out) }} + {{ $result = $out.cert }} + {{ $_ := set $genCfg "cert" $result.Cert }} + {{ $_ = set $genCfg "key" $result.Key }} + {{ end }} + {{ $_ := set $genCfg "key" $result.Key }} + {{ if $result.Cert }} + {{ $_ = set $genCfg "cert" $result.Cert }} + {{ end }} + {{ $_ = set $._rox._state "customCertGen" true }} + {{ end }} +{{ end }} + +{{/* Store output configuration and generated properties */}} +{{ $newCfgRoot := dict }} +{{ $newCfg := $newCfgRoot }} +{{ range $pathElem := initial $cryptoConfigPathList }} + {{ $nextCfg := dict }} + {{ $_ := set $newCfg $pathElem $nextCfg }} + {{ $newCfg = $nextCfg }} +{{ end }} +{{ $_ := set $newCfg (last $cryptoConfigPathList | printf "_%s") $result }} +{{ $_ = include "srox.mergeInto" (list $._rox $newCfgRoot) }} +{{ $_ = include "srox.mergeInto" (list $._rox._state.generated $newGenerated) }} +{{ end }} + + +{{/* + srox.configurePassword $ $pwConfigPath [$htpasswdUser] + + This helper function reads a password configuration (YAML dict with `value` + and `generate` properties) referenced by $pwConfigPath relative to $._rox. It + ensures the dict with the same config path relative to $._rox and prepending an underscore + to the last path element is populated in the following way: + - If the `value` property of the input config is nonzero, set `value` in the result to the + expanded value. 
+ - If the optional $htpasswdUser parameter is specified and the `htpasswd` property of the + input config is nonzero, set `htpasswd` in the result to the expanded value of that + property. + - If none of the above (non-mutually-exclusive) cases apply: + - If `generate` is true OR both `generate` is null and this is an installation, + not an upgrade, generate a random password with 32 alphanumeric characters. + - Otherwise, leave the result property empty. + - If the optional $htpasswdUser parameter was specified AND the `value` property in the + result property was set per the above rules AND the `htpasswd` property was not set, + populate the `htpasswd` property of the result by generating an htpasswd stanza with + the computed `value` as the password and $htpasswdUser as the username. + + The $._rox._state.generated property is adjusted accordingly. + */}} +{{- define "srox.configurePassword" -}} +{{ $ := index . 0 }} +{{ $pwConfigPath := index . 1 }} +{{ $htpasswdUser := "" }} +{{ if gt (len .) 2 }} + {{ $htpasswdUser = index . 2 }} +{{ end }} +{{ $cfg := $._rox }} +{{ $newGenerated := dict }} +{{ $genCfg := $newGenerated }} +{{ $pwConfigPathList := splitList "." $pwConfigPath }} +{{ range $pathElem := $pwConfigPathList }} + {{ $cfg = index $cfg $pathElem }} + {{ $newCfg := dict }} + {{ $_ := set $genCfg $pathElem $newCfg }} + {{ $genCfg = $newCfg }} +{{ end }} + +{{/* Make sure that `value` and `htpasswd` within $cfg are expanded (this should already be the + case but better safe than sorry). 
*/}} +{{ $pwExpandSpec := dict "value" true "htpasswd" true }} +{{ include "srox.expandAll" (list $ $cfg $pwExpandSpec $pwConfigPathList) }} + +{{ $result := dict }} +{{ if and $htpasswdUser (not (kindIs "invalid" $cfg._htpasswd)) }} + {{ $htpasswd := $cfg._htpasswd }} + {{ $_ := set $result "htpasswd" $htpasswd }} +{{ end }} +{{ if not $result.htpasswd }} + {{ $pw := dict.nil }} + {{ if kindIs "invalid" $cfg._value }} + {{ $generate := $cfg.generate }} + {{ if kindIs "invalid" $generate }} + {{ $generate = $.Release.IsInstall }} + {{ end }} + {{ if $generate }} + {{ $pw = randAlphaNum 32 }} + {{ $_ := set $genCfg "value" $pw }} + {{ end }} + {{ else }} + {{ $pw = $cfg._value }} + {{ end }} + {{ if not (kindIs "invalid" $pw) }} + {{ $_ := set $result "value" $pw }} + {{ end }} + {{ if and $htpasswdUser $pw }} + {{ $htpasswd := tpl "{{ htpasswd .user .pw }}" (dict "Template" $.Template "user" $htpasswdUser "pw" $pw) }} + {{ $_ := set $result "htpasswd" $htpasswd }} + {{ end }} +{{ else if $cfg.value }} + {{ include "srox.fail" (printf "Both a htpasswd and a value are specified for %s, this is illegal. Remove the `value` property, or ensure that `htpasswd` is null." $pwConfigPath) }} +{{ end }} +{{ $newCfgRoot := dict }} +{{ $newCfg := $newCfgRoot }} +{{ range $pathElem := initial $pwConfigPathList }} + {{ $nextCfg := dict }} + {{ $_ := set $newCfg $pathElem $nextCfg }} + {{ $newCfg = $nextCfg }} +{{ end }} +{{ $_ := set $newCfg (last $pwConfigPathList | printf "_%s") $result }} +{{ $_ = include "srox.mergeInto" (list $._rox $newCfgRoot) }} +{{ $_ = include "srox.mergeInto" (list $._rox._state.generated $newGenerated) }} +{{ end }} + + +{{/* + srox.computeSANs $ $out $svcName + + Compute the applicable SANs for a service with name $svcName, deployed in namespace + $.Release.Namespace (= $releaseNS). + Generally, SANs following the pattern "$svcName.$releaseNS[.svc[.cluster.local]]" will be + generated. 
If $releaseNS is not "stackrox", another set of SANs with the same pattern, + but assuming $releaseNS = "stackrox", will be generated in addition. + The result is stored as a list in $out.result. + */}} +{{ define "srox.computeSANs" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ $svcName := index . 2 }} +{{ $releaseNS := $.Release.Namespace }} +{{ $sans := list }} +{{ range $ns := list $releaseNS "stackrox" | uniq | sortAlpha }} + {{ $baseDNS := printf "%s.%s" $svcName $ns }} + {{ range $suffix := tuple "" ".svc" ".svc.cluster.local" }} + {{ $sans = printf "%s%s" $baseDNS $suffix | append $sans }} + {{ end }} +{{ end }} +{{ $_ := set $out "result" $sans }} +{{ end }} diff --git a/4.3.5/central-services/templates/_dict.tpl b/4.3.5/central-services/templates/_dict.tpl new file mode 100644 index 0000000..bf14a6d --- /dev/null +++ b/4.3.5/central-services/templates/_dict.tpl 
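Review bot: The doc comment and the code of `srox.configureCrypto` disagree about where the certificate parameters come from, and the "both or neither" rule the comment promises is not enforced. The comment says `If $inputCfg.ca is true, generate a CA certificate with common name $inputCfg.CN` and that SANs derive from `$inputCfg.dnsBase`, but the template reads `$spec.ca`, `$spec.CN` and `$spec.dnsBase`; the input config is only consulted for `cert`, `key` and `generate`. The comment also states it is an error if only one of `cert`/`key` is non-empty, yet the first branch, `{{ $result = dict "Cert" $certPEM "Key" (default "" $keyPEM) }}`, silently accepts a certificate with an empty key; only the key-without-cert case reaches `srox.fail`. If a cert-only configuration is intentionally allowed (for example a CA certificate whose key is held elsewhere), document that and make the signing path check `Key` before `buildCustomCert`; otherwise fail there too. Minor: in `{{ else if or $certPEM $keyPEM }}` the `$certPEM` operand is always false at that point, and the per-branch `set $genCfg "key"` / `"cert"` calls duplicate the common block after the branches. One sentence in the `srox.computeSANs` comment would also help: when the release namespace is not `stackrox`, the generated leaf certificate additionally carries `<svc>.stackrox[.svc[.cluster.local]]`, so it asserts a name for a namespace the service is not deployed in; if that is deliberate for client compatibility, say so.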
@@ -0,0 +1,142 @@ +{{/* + srox.compactDict $target [$depth] + + Compacts a dict $target by removing entries with empty values. + By default, only the top-level dict $target itself is modified. If the optional $depth + parameter is specified and is non-zero, this determines the recursion depth over which the + compaction is applied to nested diocts as well. A $depth of -1 means to compact all nested + dicts, regardless of depth. + */}} +{{ define "srox.compactDict" }} +{{ $args := . }} +{{ if not (kindIs "slice" $args) }} + {{ $args = list $args 0 }} +{{ end }} +{{ $target := index $args 0 }} +{{ $depth := index $args 1 }} +{{ $zeroValKeys := list }} +{{ range $k, $v := $target }} + {{ if and (kindIs "map" $v) (ne $depth 0) }} + {{ include "srox.compactDict" (list $v (sub $depth 1)) }} + {{ end }} + {{ if not $v }} + {{ $zeroValKeys = append $zeroValKeys $k }} + {{ end }} +{{ end }} +{{ range $k := $zeroValKeys }} + {{ $_ := unset $target $k }} +{{ end }} +{{ end }} + +{{/* + srox.destructiveMergeOverwrite $out $dict1 $dict2... + + Recursively merges $dict1, $dict2 (in this order) into $out, similar to mergeOverwrite. + The eponymous difference is the fact that any explicit "null" entries in the source + dictionaries cause the respective entry to be deleted. + */}} +{{ define "srox.destructiveMergeOverwrite" }} +{{ $out := first . }} +{{ $toMergeList := rest . 
}} +{{ range $toMerge := $toMergeList }} + {{ range $k, $v := $toMerge }} + {{ if kindIs "invalid" $v }} + {{ $_ := unset $out $k }} + {{ else if kindIs "map" $v }} + {{ $outV := index $out $k }} + {{ if kindIs "invalid" $outV }} + {{ $_ := set $out $k (deepCopy $v) }} + {{ else if kindIs "map" $outV }} + {{ include "srox.destructiveMergeOverwrite" (list $outV $v) }} + {{ else }} + {{ fail (printf "when merging at key %s: incompatible kinds %s and %s" $k (kindOf $v) (kindOf $outV)) }} + {{ end }} + {{ else }} + {{ $_ := set $out $k $v }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox.stringifyDictValues $dict + + Recursively traverses $dict and converts every non-dict value to a string. + */}} +{{ define "srox.stringifyDictValues" }} +{{ $dict := . }} +{{ range $k, $v := $dict }} + {{ if kindIs "map" $v }} + {{ include "srox.stringifyDictValues" $v }} + {{ else }} + {{ $_ := set $dict $k (toString $v) }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox.safeDictLookup $dict $out $path + + Looks up $path in $dict, and stores the result (if any) in $out.result. + $path is a dot-separated list of nested field names. An empty $path causes + $dict to be stored in $out.result. + + Example: srox.safeDictLookup $dict $out "a.b.c" stores the value of $dict.a.b.c, if + it exists, in $out.result. Otherwise, it does nothing - in particular, it does + not fail, as accessing $dict.a.b.c unconditionally would if any of $dict, $dict.a, + or $dict.a.b was not a dict. + */}} +{{ define "srox.safeDictLookup" }} +{{ $dict := index . 0 }} +{{ $out := index . 1 }} +{{ $path := index . 2 }} +{{ $curr := $dict }} +{{ $pathList := splitList "." 
$path | compact }} +{{ range $pathElem := $pathList }} + {{ if kindIs "map" $curr }} + {{ $curr = index $curr $pathElem }} + {{ else if not (kindIs "invalid" $curr) }} + {{ $curr = dict.nil }} + {{ end }} +{{ end }} +{{ if not (kindIs "invalid" $curr) }} + {{ $_ := set $out "result" $curr }} +{{ end }} +{{ end }} + + + +{{/* + srox.mergeInto $tgt $src1..$srcN + + Recursively merges values from $src1, ..., $srcN into $tgt, giving preference to + values in $tgt. + + Unlike Sprig's merge, this does not overwrite falsy values when explicitly defined, + with the exception of `null` values (this also sets it apart from Sprig's mergeOverwrite). + + Whenever entire (nested) dicts are merged as-is from one of the sources into $tgt, a deep + copy of the respective nested dict is created. + + An empty string is always returned, hence this should be invoked in the form + $_ := include "srox.mergeInto" (list $tgt $src1 $src2) + */}} +{{ define "srox.mergeInto" }} +{{ $tgt := first . }} +{{ range $src := rest . }} + {{ range $k, $srcV := $src }} + {{ $tgtV := index $tgt $k }} + {{ if kindIs "map" $srcV }} + {{ if kindIs "invalid" $tgtV }} + {{ $_ := set $tgt $k (deepCopy $srcV) }} + {{ else if kindIs "map" $tgtV }} + {{ $_ := include "srox.mergeInto" (list $tgtV $srcV) }} + {{ else }} + {{ fail (printf "Incompatible kinds for key %s: %s vs %s" $k (kindOf $srcV) (kindOf $tgtV)) }} + {{ end }} + {{ else if and (not (kindIs "invalid" $srcV)) (kindIs "invalid" $tgtV) }} + {{ $_ := set $tgt $k $srcV }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} diff --git a/4.3.5/central-services/templates/_expand.tpl b/4.3.5/central-services/templates/_expand.tpl new file mode 100644 index 0000000..ed1cb1f --- /dev/null +++ b/4.3.5/central-services/templates/_expand.tpl 
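Review bot: `{{ $curr = dict.nil }}` in `srox.safeDictLookup` deserves a comment, because it is the one way this code obtains a real `nil` in a template and it is not obvious: `dict` with no arguments yields an empty map and `.nil` is a missing-key lookup on it. The same trick appears as `dict.nil` in `srox.configurePassword` and as `index dict ""` in `srox.loadFile`; pick one spelling and explain it once. Two smaller points in `srox.compactDict`: the argument normalisation only covers the non-list case (`{{ $args = list $args 0 }}`), so `include "srox.compactDict" (list $d)` fails at `index $args 1`; guard on `len $args` the way `srox.configurePassword` does for its optional argument. And "nested diocts" in its comment should read "nested dicts".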
@@ -0,0 +1,96 @@ +{{/* + srox.expandAll $ $target $expandable [$path] + + Expands values within $target that are flagged in $expandable, using $path + as the path from the configuration root to $target for error reporting purposes. + + If $target is nil, nothing happens. Otherwise, $target must be a dict. For every key + of $target that is also present in $expandable, the following action is performed: + - If the entry in $expandable is a dict, recursive invoke "srox.expandAll" on the + respective entries, with an adjusted $path. + - Otherwise, the entry in $expandable is assume to be of boolean value. If the value is + true, the corresponding entry's value in $target is expanded (see "srox._expandSingle" + below for a definition of expanding), and the result of the expansion is stored under + the key with a "_" prepended in $target. The original entry in $target is removed. This + ensures "srox.expandAll" is an idempotent operation). + */}} +{{ define "srox.expandAll" }} +{{ $args := . }} +{{ $ := index $args 0 }} +{{ $target := index $args 1 }} +{{ $expandable := index $args 2 }} +{{ $path := list }} +{{ if ge (len $args) 4 }} + {{ $path = index $args 3 }} + {{ if kindIs "string" $path }} + {{ $path = splitList "." $path | compact }} + {{ end }} +{{ end }} + +{{ if kindIs "map" $target }} + {{ range $k, $v := $expandable }} + {{ $childPath := append $path $k }} + {{ $targetV := index $target $k }} + {{ if kindIs "map" $v }} + {{ include "srox.expandAll" (list $ $targetV $v $childPath) }} + {{ else if $v }} + {{ if not (kindIs "invalid" $targetV) }} + {{ $expanded := include "srox._expandSingle" (list $ $targetV (join "." $childPath)) }} + {{ $_ := set $target (printf "_%s" $k) $expanded }} + {{ end }} + {{ $_ := unset $target $k }} + {{ end }} + {{ end }} +{{ else if not (kindIs "invalid" $target) }} + {{ include "srox.fail" (printf "Error expanding value at %s: expected map, got: %s" (join "." 
$path) (kindOf $target)) }} +{{ end }} +{{ end }} + +{{/* + srox.expand $ $spec + + Parses and expands a "specification string" in the following way: + - If $spec is a dictionary, return $spec rendered as a YAML. + - Otherwise, if $spec starts with a backslash character (`\`), return $spec minus the leading + backslash character. + - Otherwise, if $spec starts with an `@` character, strip off the first character and + treat the remainder of the string as a `|`-separated list of file names. Try to load + each referenced file, in order, via `stackrox.getFile`. The result is the first file + that could be successfully loaded. If no file could be loaded, expansion fails. + - Otherwise, return $spec as-is. + */}} +{{- define "srox._expandSingle" -}} + {{- $ := index . 0 -}} + {{- $spec := index . 1 -}} + {{- $context := index . 2 -}} + {{- $result := "" -}} + {{- if kindIs "string" $spec -}} + {{- if hasPrefix "\\" $spec -}} + {{- /* use \ as string-wide escape character */ -}} + {{- $result = trimPrefix "\\" $spec -}} + {{- else if hasPrefix "@" $spec -}} + {{- /* treat as file list (first found matches) */ -}} + {{- /* If the prefix is "@?" expansion will not fail if no files could be found, instead an empty string is returned. */ -}} + {{- $fileSpec := trimPrefix "@" $spec -}} + {{- $allowNotFound := false -}} + {{- if hasPrefix "?" $fileSpec -}} + {{- $allowNotFound = true -}} + {{- $fileSpec = trimPrefix "?" 
$fileSpec -}} + {{- end -}} + {{- $fileList := regexSplit "\\s*\\|\\s*" ($fileSpec | trim) -1 -}} + {{- $fileRes := dict -}} + {{- $_ := include "srox.loadFile" (list $ $fileRes $fileList) -}} + {{- if and (not $allowNotFound) (not $fileRes.found) -}} + {{- include "srox.fail" (printf "Expanding %s: file reference %q: none of the referenced files were found" $context $spec) -}} + {{- end -}} + {{- $result = default "" $fileRes.contents -}} + {{- else -}} + {{/* treat as raw string */}} + {{- $result = $spec -}} + {{- end -}} + {{- else if not (kindIs "invalid" $spec) -}} + {{- /* render non-string, non-nil values as YAML */ -}} + {{- $result = toYaml $spec -}} + {{- end -}} + {{- $result -}} +{{- end -}} diff --git a/4.3.5/central-services/templates/_format.tpl b/4.3.5/central-services/templates/_format.tpl new file mode 100644 index 0000000..745fe47 --- /dev/null +++ b/4.3.5/central-services/templates/_format.tpl @@ -0,0 +1,14 @@ +{{/* + srox.formatStorageSize $value + + Formats $value as a storage size. $value can be an integer or a string. + If no unit is specified (e.g., if $value is a string), a default unit of + Gigabytes ("Gi" suffix) is assumed. + */}} +{{- define "srox.formatStorageSize" -}} +{{- $val := toString . -}} +{{- if regexMatch "^[0-9]+$" $val -}} + {{- $val = printf "%sGi" $val -}} +{{- end -}} +{{- default "0" $val -}} +{{- end -}} diff --git a/4.3.5/central-services/templates/_helpers.tpl b/4.3.5/central-services/templates/_helpers.tpl new file mode 100644 index 0000000..e87f10f --- /dev/null +++ b/4.3.5/central-services/templates/_helpers.tpl 
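Review bot: The doc comment above `srox._expandSingle` is out of sync with the template it documents. It is titled `srox.expand $ $spec`, but the define is `srox._expandSingle` and takes three arguments (`$`, `$spec`, `$context`, the last used only in the error message); it says files are loaded "via `stackrox.getFile`", but the code calls `srox.loadFile`; and the `@?` form (`If the prefix is "@?" expansion will not fail if no files could be found`) is explained only in an inline comment. Fix the heading, list the third argument and move the `@?` sentence into the comment, since anyone adding entries to `internal/expandables.yaml` will read that comment to learn the `\`, `@` and `@?` prefixes. It is also worth stating in `srox.expandAll` that a key flagged in `$expandable` is always removed (`{{ $_ := unset $target $k }}`) even when its value was nil, so the `_`-prefixed key may simply be absent afterwards; callers such as `srox.configureCrypto` rely on `$cfg._cert` then being nil rather than an empty string.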
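Review bot: `srox.formatStorageSize` only appends a unit to bare integers, and its comment describes that backwards: "If no unit is specified (e.g., if $value is a string)" should say "e.g., if $value is an integer". Any other unitless input passes through untouched, so `1.5` becomes the Kubernetes quantity `1.5` (bytes), not `1.5Gi`; either extend the regex to accept a fractional part or document that fractional sizes must carry an explicit suffix. Also, `Gi` is gibibytes, not gigabytes.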
@@ -0,0 +1,68 @@ +{{/* + Misceallaneous helper templates. + */}} + + + + +{{/* + srox.loadFile $ $out $fileName-or-list + + This helper function reads a file. It differs from $.Files.Get in that it also takes + $._rox.meta.fileOverrides into account. Furthermore, it can receive a list of file names, + and will try these files in order. Finally, it indicates whether a file was found via the + $out.found property (as opposed to $.Files.Get, which cannot distinguish between a successful + read of an empty file, and this file not being found). + The file contents will be returned via $out.contents + */}} +{{ define "srox.loadFile" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ $fileNames := index . 2 }} +{{ if not (kindIs "slice" $fileNames) }} + {{ $fileNames = list $fileNames }} +{{ end }} +{{ $contents := index dict "" }} +{{ range $fileName := $fileNames }} + {{ if kindIs "invalid" $contents }} + {{ $contents = index $._rox.meta.fileOverrides $fileName }} + {{ end }} + {{ if kindIs "invalid" $contents }} + {{ range $path, $_ := $.Files.Glob $fileName }} + {{ if kindIs "invalid" $contents }} + {{ $contents = $.Files.Get $path }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ if not (kindIs "invalid" $contents) }} + {{ $_ := set $out "contents" $contents }} +{{ end }} +{{ $_ := set $out "found" (not (kindIs "invalid" $contents)) }} +{{ end }} + + +{{/* + srox.checkGenerated $ $cfgPath + + Checks if the value at configuration path $cfgPath (e.g., "central.adminPassword.value") was + generated. Evaluates to the string "true" if this is the case, and an empty string otherwise. + */}} +{{- define "srox.checkGenerated" -}} +{{- $ := index . 0 -}} +{{- $cfgPath := index . 1 -}} +{{- $genCfg := $._rox._state.generated -}} +{{- $exists := true -}} +{{- range $pathElem := splitList "." 
$cfgPath -}} + {{- if $exists -}} + {{- if hasKey $genCfg $pathElem -}} + {{- $genCfg = index $genCfg $pathElem -}} + {{- else -}} + {{- $exists = false -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $exists -}} +true +{{- end -}} +{{- end -}} diff --git a/4.3.5/central-services/templates/_image-pull-secrets.tpl b/4.3.5/central-services/templates/_image-pull-secrets.tpl new file mode 100644 index 0000000..9747e26 --- /dev/null +++ b/4.3.5/central-services/templates/_image-pull-secrets.tpl 
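Review bot: `srox.loadFile` resolves a glob to at most one file but does not say which: `{{ range $path, $_ := $.Files.Glob $fileName }}` iterates the match map in key order, so with a pattern that matches several files the lexicographically first one wins and the rest are ignored without a warning. Either document "first match in sorted path order" or fail when a glob matches more than one file; the callers here (`@`-expansion of certificate and key material) would otherwise silently pick the wrong file. The override lookup, `index $._rox.meta.fileOverrides $fileName`, also assumes `meta.fileOverrides` is always a dict (`index` errors on nil); if that guarantee comes from `internal/config-shape.yaml`, a one-line comment saying so would help. Minor: `{{ $contents := index dict "" }}` is the nil-producing trick and wants a comment; "Misceallaneous" should be "Miscellaneous"; and `srox.checkGenerated` calls `hasKey` on whatever node it reaches, so a `$cfgPath` one element longer than the generated tree (i.e. reaching a string leaf) errors instead of evaluating to empty.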
@@ -0,0 +1,85 @@ +{{/* + srox.configureImagePullSecrets $ $cfgName $imagePullSecrets $secretResourceName $defaultSecretNames $namespace + + Configures image pull secrets. + + This function enriches $imagePullSecrets based on the exposed configuration parameters to contain + a list of Kubernetes secret names as `_names` to be used as image pull secrets within the chart + templates. This list contains the following secrets: + + - Secrets referenced via $imagePullSecrets.useExisting. + - Image pull secrets associated with the default service account (if + $imagePullSecrets.useFromDefaultServiceAccount is true). + - $secretResourceName, if $imagePullSecrets.username is set. + - $defaultSecretNames. */}} + +{{ define "srox.configureImagePullSecrets" }} +{{ $ := index . 0 }} +{{ $cfgName := index . 1 }} +{{ $imagePullSecrets := index . 2 }} +{{ $secretResourceName := index . 3 }} +{{ $defaultSecretNames := index . 4 }} +{{ $namespace := index . 5 }} + +{{ $imagePullSecretNames := default list $imagePullSecrets.useExisting }} +{{ if not (kindIs "slice" $imagePullSecretNames) }} + {{ $imagePullSecretNames = regexSplit "\\s*[,;]\\s*" (trim $imagePullSecretNames) -1 }} +{{ end }} +{{ if $imagePullSecrets.useFromDefaultServiceAccount }} + {{ $defaultSA := dict }} + {{ include "srox.safeLookup" (list $ $defaultSA "v1" "ServiceAccount" $namespace "default") }} + {{ if $defaultSA.result }} + {{ range $ips := default list $defaultSA.result.imagePullSecrets }} + {{ if $ips.name }} + {{ $imagePullSecretNames = append $imagePullSecretNames $ips.name }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ $imagePullCreds := dict }} +{{ if $imagePullSecrets._username }} + {{ $imagePullCreds = dict "username" $imagePullSecrets._username "password" $imagePullSecrets._password }} + {{ $imagePullSecretNames = append $imagePullSecretNames $secretResourceName }} +{{ else if $imagePullSecrets._password }} + {{ $msg := printf "Username missing in %q. 
Whenever an image pull password is specified, a username must be specified as well" $cfgName }} + {{ include "srox.fail" $msg }} +{{ end }} +{{ if and $.Release.IsInstall (not $imagePullSecretNames) (not $imagePullSecrets.allowNone) }} + {{ $msg := printf "You have not specified any image pull secrets, and no existing image pull secrets were automatically inferred. If your registry does not need image pull credentials, explicitly set the '%s.allowNone' option to 'true'" $cfgName }} + {{ include "srox.fail" $msg }} +{{ end }} + +{{ $imagePullSecretNames = concat (append $imagePullSecretNames $secretResourceName) $defaultSecretNames | uniq | sortAlpha }} +{{ $_ := set $imagePullSecrets "_names" $imagePullSecretNames }} +{{ $_ := set $imagePullSecrets "_creds" $imagePullCreds }} + +{{ end }} + +{{ define "srox.configureImagePullSecretsForDockerRegistry" }} +{{ $ := index . 0 }} +{{ $imagePullSecrets := index . 1 }} + +{{/* Setup Image Pull Secrets for Docker Registry. + Note: This must happen afterwards, as we rely on "srox.configureImage" to collect the + set of all referenced images first. */}} +{{ if $imagePullSecrets._username }} + {{ $dockerAuths := dict }} + {{ range $image := keys $._rox._state.referencedImages }} + {{ $registry := splitList "/" $image | first }} + {{ if eq $registry "docker.io" }} + {{/* Special case docker.io */}} + {{ $registry = "https://index.docker.io/v1/" }} + {{ else }} + {{ $registry = printf "https://%s" $registry }} + {{ end }} + {{ $_ := set $dockerAuths $registry dict }} + {{ end }} + {{ $authToken := printf "%s:%s" $imagePullSecrets._username $imagePullSecrets._password | b64enc }} + {{ range $regSettings := values $dockerAuths }} + {{ $_ := set $regSettings "auth" $authToken }} + {{ end }} + + {{ $_ := set $imagePullSecrets "_dockerAuths" $dockerAuths }} +{{ end }} + +{{ end }} diff --git a/4.3.5/central-services/templates/_images.tpl b/4.3.5/central-services/templates/_images.tpl new file mode 100644 index 0000000..dced29d 
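Review bot: The generated docker config hands the one username/password pair to every registry the chart references, not only the one the credentials were issued for. `srox.configureImagePullSecretsForDockerRegistry` collects the registry of each image in `$._rox._state.referencedImages` and then `{{ range $regSettings := values $dockerAuths }} {{ $_ := set $regSettings "auth" $authToken }}` stores the same `auth` under each of them. With a partial mirror (say scanner images on a private registry and the rest on `docker.io`) the private registry's credentials are also presented to docker.io on every pull. Consider scoping the auth entry to the configured registry (`$._rox.image.registry`, or an explicit `imagePullSecrets.registry` value) and leaving other registries to `useExisting` secrets, or at least emit a warning when more than one registry ends up in `_dockerAuths`. Separately, the header comment says `$secretResourceName` is included "if $imagePullSecrets.username is set", but the last line, `concat (append $imagePullSecretNames $secretResourceName) $defaultSecretNames | uniq | sortAlpha`, appends it unconditionally, which also makes the `append` in the username branch redundant; `_init.tpl` explains that the unconditional inclusion is deliberate, so update the comment here rather than the code.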
--- /dev/null +++ b/4.3.5/central-services/templates/_images.tpl @@ -0,0 +1,34 @@ +{{/* + srox.configureImage $ $imageCfg + + Configures settings for a single image by augmenting/completing an existing image configuration + stanza. + + If $imageCfg.fullRef is empty: + First, the image registry is determined by inspecting $imageCfg.registry and, if this is empty, + $._rox.image.registry, ultimately defaulting to `docker.io`. The full image ref is then + constructed from the registry, $imageCfg.name (must be non-empty), and $imageCfg.tag (may be + empty, in which case "latest" is assumed). The result is stored in $imageCfg.fullRef. + + Afterwards (irrespective of the previous check), $imageCfg.fullRef is modified by prepending + "docker.io/" if and only if it did not contain a remote yet (i.e., the part before the first "/" + did not contain a dot (DNS name) or colon (port)). + + Finally, the resulting $imageCfg.fullRef is stored as a dict entry with value `true` in the + $._rox._state.referencedImages dict. + */}} +{{ define "srox.configureImage" }} +{{ $ := index . 0 }} +{{ $imageCfg := index . 1 }} +{{ $imageRef := $imageCfg.fullRef }} +{{ if not $imageRef }} + {{ $imageRef = printf "%s/%s:%s" (coalesce $imageCfg.registry $._rox.image.registry "docker.io") $imageCfg.name (default "latest" $imageCfg.tag) }} +{{ end }} +{{ $imageComponents := splitList "/" $imageRef }} +{{ $firstComponent := index $imageComponents 0 }} +{{ if or (lt (len $imageComponents) 2) (and (not (contains ":" $firstComponent)) (not (contains "." $firstComponent))) }} + {{ $imageRef = printf "docker.io/%s" $imageRef }} +{{ end }} +{{ $_ := set $imageCfg "fullRef" $imageRef }} +{{ $_ = set $._rox._state.referencedImages $imageRef true }} +{{ end }} diff --git a/4.3.5/central-services/templates/_init.tpl b/4.3.5/central-services/templates/_init.tpl new file mode 100644 index 0000000..6708058 --- /dev/null +++ b/4.3.5/central-services/templates/_init.tpl 
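Review bot: The registry-detection heuristic in `srox.configureImage` diverges from the container runtime's reference grammar in one case and leaves no room for digests. `localhost/stackrox/main:4.3.5` has a first component with neither `.` nor `:`, so the template rewrites it to `docker.io/localhost/stackrox/main:4.3.5`, whereas docker and containerd treat `localhost` as a registry; add `(ne $firstComponent "localhost")` to the condition. More important for supply-chain pinning: the composed reference is always `printf "%s/%s:%s" registry name tag`, so an immutable `@sha256:` reference can only be supplied through `fullRef`, and a `name` that already carries a tag produces `name:tag:latest`. Either add a `digest` field (rendering `%s/%s@%s` when set and rejecting `tag` together with `digest`) or document that `fullRef` is the only way to pin by digest.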
@@ -0,0 +1,285 @@ +{{/* + srox.init $ + + Initialization template for the internal data structures. + This template is designed to be included in every template file, but will only be executed + once by leveraging state sharing between templates. + */}} +{{ define "srox.init" }} + +{{ $ := . }} + +{{/* + On first(!) instantiation, set up the $._rox structure, containing everything required by + the resource template files. + */}} +{{ if not $._rox }} + +{{/* + Initial Setup + */}} + +{{/* + $rox / ._rox is the dictionary in which _all_ data that is modified by the init logic + is stored. + We ensure that it has the required shape, and then right after merging the user-specified + $.Values, we apply some bootstrap defaults. + */}} +{{ $rox := deepCopy $.Values }} +{{ $_ := set $ "_rox" $rox }} + +{{/* Global state (accessed from sub-templates) */}} +{{ $generatedName := printf "stackrox-generated-%s" (randAlphaNum 6 | lower) }} +{{ $state := dict "customCertGen" false "generated" dict "generatedName" $generatedName "notes" list "warnings" list "referencedImages" dict }} +{{ $_ = set $._rox "_state" $state }} + +{{ $configShape := $.Files.Get "internal/config-shape.yaml" | fromYaml }} +{{ $configShapeScanner := $.Files.Get "internal/scanner-config-shape.yaml" | fromYaml}} + +{{ $_ = include "srox.mergeInto" (list $rox $configShape $configShapeScanner (tpl ($.Files.Get "internal/bootstrap-defaults.yaml.tpl") . | fromYaml)) }} +{{ $_ = set $._rox "_configShape" $configShape }} + +{{/* + General validation. + */}} +{{ if ne $.Release.Namespace "stackrox" }} + {{ if $._rox.allowNonstandardNamespace }} + {{ include "srox.note" (list $ (printf "You have chosen to deploy to namespace '%s'." $.Release.Namespace)) }} + {{ else }} + {{ include "srox.fail" (printf "You have chosen to deploy to namespace '%s', not 'stackrox'. If this was accidental, please re-run helm with the '-n stackrox' option. 
Otherwise, if you need to deploy into this namespace, set the 'allowNonstandardNamespace' configuration value to true." $.Release.Namespace) }} + {{ end }} +{{ end }} + +{{ if ne $.Release.Name $.Chart.Name }} + {{ if $._rox.allowNonstandardReleaseName }} + {{ include "srox.warn" (list $ (printf "You have chosen a release name of '%s', not '%s'. Accompanying scripts and commands in documentation might require adjustments." $.Release.Name $.Chart.Name)) }} + {{ else }} + {{ include "srox.fail" (printf "You have chosen a release name of '%s', not '%s'. We strongly recommend using the standard release name. If you must use a different name, set the 'allowNonstandardReleaseName' configuration option to true." $.Release.Name $.Chart.Name) }} + {{ end }} +{{ end }} + + +{{ if and $.Release.IsInstall (not ._rox.central.persistence.none)}} + {{ include "srox.fail" (printf "Starting from 4.1, we stop creating central PVC during installation. Databases and persistent data are stored in Central DB or external databases. You may use `--set central.persistence.none=true` during Helm install to override default persistence config. Got %v" $._rox.central.persistence) }} +{{ end }} + + +{{ if $._rox.central.db.external }} + {{ if not $._rox.central.db.source.connectionString }} + {{ include "srox.warn" (list $ "You have chosen to bring your own Central DB without providing its connection string. We are using the default source string. To ensure the connection to your Central DB, you may override it with `--set central.db.source.connectionString=`.") }} + {{ end }} + {{ if not $._rox.central.db.password.value }} + {{ include "srox.warn" (list $ "You have chosen to bring your own Central DB without providing its password. We are using a generated password for now. 
To ensure the connection to your Central DB, you may provide your DB password by `--set central.db.password.value=`.") }} + {{ end }} +{{ end }} + +{{/* Initialize global prefix */}} +{{- include "srox.initGlobalPrefix" (list $) -}} + +{{/* + API Server setup. The problem with `.Capabilities.APIVersions` is that Helm does not + allow setting overrides for those when using `helm template` or `--dry-run`. Thus, + if we rely on `.Capabilities.APIVersions` directly, we lose flexibility for our chart + in these settings. Therefore, we use custom fields such that a user in principle has + the option to inject via `--set`/`-f` everything we rely upon. + */}} +{{ $apiResources := list }} +{{ if not (kindIs "invalid" $._rox.meta.apiServer.overrideAPIResources) }} + {{ $apiResources = $._rox.meta.apiServer.overrideAPIResources }} +{{ else }} + {{ range $apiResource := $.Capabilities.APIVersions }} + {{ $apiResources = append $apiResources $apiResource }} + {{ end }} +{{ end }} +{{ if $._rox.meta.apiServer.extraAPIResources }} + {{ $apiResources = concat $apiResources $._rox.meta.apiServer.extraAPIResources }} +{{ end }} +{{ $apiServerVersion := coalesce $._rox.meta.apiServer.version $.Capabilities.KubeVersion.Version }} +{{ $apiServer := dict "apiResources" $apiResources "version" $apiServerVersion }} +{{ $_ = set $._rox "_apiServer" $apiServer }} + +{{/* + Environment setup - part 1 + */}} +{{ $env := $._rox.env }} + +{{/* Detect openshift version */}} +{{ include "srox.autoSenseOpenshiftVersion" (list $) }} + +{{/* Openshift monitoring */}} +{{ if $._rox.enableOpenShiftMonitoring }} + {{ include "srox.warn" (list . "enableOpenShiftMonitoring option was replaced with monitoring.openshift.enabled") }} + {{ $_ := set $._rox "monitoring" (dict "openshift" (dict "enabled" true)) }} +{{ end }} +{{/* Default `monitoring.openshift.enabled = true` unless `env.openshift != 4`. 
*/}} +{{ if kindIs "invalid" $._rox.monitoring.openshift.enabled }} +{{ $_ := set $._rox "monitoring" (dict "openshift" (dict "enabled" (eq $._rox.env.openshift 4))) }} +{{ end }} +{{ if and $._rox.monitoring.openshift.enabled (ne $._rox.env.openshift 4) }} + {{ include "srox.warn" (list . "'monitoring.openshift.enabled' is set to true, but the chart is not being deployed in an OpenShift 4 cluster. Proceeding with 'monitoring.openshift.enabled=false'.") }} + {{ $_ := set $._rox "monitoring" (dict "openshift" (dict "enabled" false)) }} +{{ end }} +{{ if $._rox.monitoring.openshift.enabled }} + {{ $_ := set $._rox.central "monitoring" dict }} + {{ include "srox.mergeInto" (list $._rox.central.monitoring $._rox.monitoring) }} +{{ end }} + +{{/* Infer GKE, if needed */}} +{{ if kindIs "invalid" $env.platform }} + {{ $platform := "default" }} + {{ if contains "-gke." $._rox._apiServer.version }} + {{ include "srox.note" (list $ "Based on API server properties, we have inferred that you are deploying into a GKE cluster. Set the `env.platform` property to a concrete value to override the auto-sensed value.") }} + {{ $platform = "gke" }} + {{ end }} + {{ $_ := set $env "platform" $platform }} +{{ end }} +{{/* Detect enablePodSecurityPolicies */}} +{{ include "srox.autoSensePodSecurityPolicies" (list $) }} + + +{{ $_ := set $env "installMethod" "helm" }} + + +{{/* Apply defaults */}} +{{ $defaultsCfg := dict }} +{{ $platformCfgFile := dict }} +{{ include "srox.loadFile" (list $ $platformCfgFile (printf "internal/platforms/%s.yaml" $env.platform)) }} +{{ if not $platformCfgFile.found }} + {{ include "srox.fail" (printf "Invalid platform %q. Please select a valid platform, or leave this field unset." 
$env.platform) }} +{{ end }} +{{ $_ = include "srox.mergeInto" (list $defaultsCfg (fromYaml $platformCfgFile.contents) ($.Files.Get "internal/defaults.yaml" | fromYaml)) }} +{{ $_ = set $rox "_defaults" $defaultsCfg }} +{{ $_ = include "srox.mergeInto" (list $rox $defaultsCfg.defaults) }} + + +{{/* Expand applicable config values */}} +{{ $expandables := $.Files.Get "internal/expandables.yaml" | fromYaml }} +{{ include "srox.expandAll" (list $ $rox $expandables) }} + +{{/* Initial image pull secret setup. + + Always assume that there are `stackrox` and `stackrox-scanner` image pull secrets, + even if they weren't specified. + This is required for updates anyway, so referencing it on first install will minimize a later + diff. */}} +{{ include "srox.configureImagePullSecrets" (list $ "imagePullSecrets" $._rox.imagePullSecrets "stackrox" (list "stackrox" "stackrox-scanner") $.Release.Namespace) }} + +{{/* Global CA setup */}} +{{ $caCertSpec := dict "CN" "StackRox Certificate Authority" "ca" true }} +{{ include "srox.configureCrypto" (list $ "ca" $caCertSpec) }} + +{{/* Additional CAs. 
*/}} +{{ $additionalCAList := list }} +{{ if kindIs "string" $._rox.additionalCAs }} + {{ if trim $._rox.additionalCAs }} + {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $._rox.additionalCAs) }} + {{ end }} +{{ else if kindIs "slice" $._rox.additionalCAs }} + {{ range $contents := $._rox.additionalCAs }} + {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $contents) }} + {{ end }} +{{ else if kindIs "map" $._rox.additionalCAs }} + {{ range $name := keys $._rox.additionalCAs | sortAlpha }} + {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (get $._rox.additionalCAs $name)) }} + {{ end }} +{{ else if not (kindIs "invalid" $._rox.additionalCAs) }} + {{ include "srox.fail" (printf "Invalid kind %s for additionalCAs" (kindOf $._rox.additionalCAs)) }} +{{ end }} +{{ range $path, $contents := .Files.Glob "secrets/additional-cas/**" }} + {{ $name := trimPrefix "secrets/additional-cas/" $path }} + {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (toString $contents)) }} +{{ end }} +{{ $additionalCAs := dict }} +{{ range $idx, $elem := $additionalCAList }} + {{ if not (kindIs "string" $elem.contents) }} + {{ include "srox.fail" (printf "Invalid non-string contents kind %s at index %d (%q) of additionalCAs" (kindOf $elem.contents) $idx $elem.name) }} + {{ end }} + {{/* In a k8s secret, no characters other than alphanumeric, '.', '_' and '-' are allowed. Also, for the + update-ca-certificates script to work, the file names must end in '.crt'. */}} + + {{ $normalizedName := printf "%02d-%s.crt" $idx (regexReplaceAll "[^[:alnum:]._-]" $elem.name "-" | trimSuffix ".crt") }} + {{ $_ := set $additionalCAs $normalizedName $elem.contents }} +{{ end }} +{{ $_ = set $._rox "_additionalCAs" $additionalCAs }} + +{{/* Proxy configuration. 
+ Note: The reason this is different is that unlike the endpoints config, the proxy configuration + might contain sensitive data and thus might _not_ be stored in the always available canonical + values file. However, this is probably rare. Therefore, for this particular instance we do decide + to rely on lookup magic for initially populating the secret with a default proxy config. + However, we won't take any chances, and therefore only create that secret if we can be reasonably + confident that lookup actually works, by trying to lookup the default service account. + */}} +{{ $proxyCfg := $env._proxyConfig }} +{{ $fileOut := dict }} +{{ include "srox.loadFile" (list $ $fileOut "config/proxy-config.yaml") }} +{{ if $fileOut.found }} + {{ if not (kindIs "invalid" $proxyCfg) }} + {{ include "srox.fail" "Both env.proxyConfig was specified, and a config/proxy-config.yaml was found. Please remove/rename the config file, or comment out the env.proxyConfig stanza." }} + {{ end }} + {{ $proxyCfg = $fileOut.contents }} +{{ end }} + +{{/* On first install, create a default proxy config, but only if we can be sure none exists. */}} +{{ if kindIs "invalid" $proxyCfg }} + {{ if $.Release.IsInstall }} + {{ $lookupOut := dict }} + {{ include "srox.safeLookup" (list $ $lookupOut "v1" "Secret" $.Release.Namespace "proxy-config") }} + {{ if and $lookupOut.reliable (not $lookupOut.result) }} + {{ $fileOut := dict }} + {{ include "srox.loadFile" (list $ $fileOut "config/proxy-config.yaml.default") }} + {{ $proxyCfg = $fileOut.contents }} + {{ end }} + {{ end }} +{{ end }} +{{ $_ = set $env "_proxyConfig" $proxyCfg }} +{{ $_ = set $._rox "_renderMode" "renderAll" }} + +{{/* + Central setup. + */}} + + +{{ include "srox.centralSetup" $ }} + + +{{/* + Scanner setup. 
+ */}} + +{{ $scannerCfg := $._rox.scanner }} + +{{ if and $scannerCfg.disable (or $.Release.IsInstall $.Release.IsUpgrade) }} + {{/* We generally don't recommend customers run without scanner, so show a warning to the user */}} + {{ $action := ternary "deploy StackRox Central Services without Scanner" "upgrade StackRox Central Services without Scanner (possibly removing an existing Scanner deployment)" $.Release.IsInstall }} + {{ include "srox.warn" (list $ (printf "You have chosen to %s. Certain features dependent on image scanning might not work." $action)) }} +{{ else if not $scannerCfg.disable }} + {{ if and (ne $scannerCfg.mode "full") (ne $scannerCfg.mode "") }} + {{ include "srox.fail" (print "Only scanner full mode is allowed in Central. To solve this, set to full mode: scanner.mode=full.") }} + {{ end }} + {{ include "srox.scannerInit" (list $ $scannerCfg) }} +{{ end }} + + +{{/* + Post-processing steps. + */}} + + +{{/* Compact the post-processing config to prevent it from appearing non-empty if it doesn't + contain any concrete (leaf) values. */}} +{{ include "srox.compactDict" (list $._rox._state.generated -1) }} + +{{/* Setup Image Pull Secrets for Docker Registry. + Note: This must happen afterwards, as we rely on "srox.configureImage" to collect the + set of all referenced images first. */}} +{{ include "srox.configureImagePullSecretsForDockerRegistry" (list $ ._rox.imagePullSecrets) }} + +{{/* Final warnings based on state. */}} +{{ if $._rox._state.customCertGen }} + {{ include "srox.warn" (list $ "At least one certificate was generated by Helm. Helm limits the generation of custom certificates to RSA private keys, which have poorer computational performance. Consider using roxctl for certificate generation of certificates with ECDSA private keys for improved performance. (THIS IS NOT A SECURITY ISSUE)") }} +{{ end }} + +{{ end }} + +{{ end }} 
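Review bot: the OpenShift monitoring handling in this hunk replaces the entire `monitoring` dict three times (`set $._rox "monitoring" (dict "openshift" (dict "enabled" ...))`), so any other keys a user placed under `monitoring` in their values are silently discarded, including on the path whose only intent is to flip `openshift.enabled` back to false after the OpenShift 4 check. Set the leaf instead, e.g. `{{ $_ := set $._rox.monitoring.openshift "enabled" false }}` (the code already dereferences `$._rox.monitoring.openshift.enabled`, so the sub-dict is known to exist), or go through `srox.mergeInto` as is done a few lines later for `central.monitoring`. The deprecation warning for `enableOpenShiftMonitoring` should also name the new key in a form the user can paste (`monitoring.openshift.enabled=true`).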
diff --git a/4.3.5/central-services/templates/_injected-ca-bundle.tpl b/4.3.5/central-services/templates/_injected-ca-bundle.tpl new file mode 100644 index 0000000..f831139 --- /dev/null +++ b/4.3.5/central-services/templates/_injected-ca-bundle.tpl @@ -0,0 +1,29 @@ +{{/* + srox.injectedCABundleVolume + + Configures ConfigMap volume to use in a deployment. + */}} +{{- define "srox.injectedCABundleVolume" -}} +{{- if eq ._rox.env.openshift 4 }} +- name: trusted-ca-volume + configMap: + name: injected-cabundle-{{ .Release.Name }} + items: + - key: ca-bundle.crt + path: tls-ca-bundle.pem + optional: true +{{ end }} +{{ end }} + +{{/* + srox.injectedCABundleVolumeMount + + Mounts the srox.injectedCABundle volume to a container. + */}} +{{- define "srox.injectedCABundleVolumeMount" -}} +{{- if eq ._rox.env.openshift 4 }} +- name: trusted-ca-volume + mountPath: /etc/pki/injected-ca-trust/ + readOnly: true +{{ end }} +{{ end }} diff --git a/4.3.5/central-services/templates/_labels.tpl b/4.3.5/central-services/templates/_labels.tpl new file mode 100644 index 0000000..b98b06c --- /dev/null +++ b/4.3.5/central-services/templates/_labels.tpl 
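Review bot: the header comment of `srox.injectedCABundleVolume` should state that the volume is only emitted on OpenShift 4 (`eq ._rox.env.openshift 4`) and that the ConfigMap reference is `optional: true`, which means a missing `injected-cabundle-<release>` ConfigMap does not block pod start but silently leaves `/etc/pki/injected-ca-trust/` without the cluster trust bundle; readers debugging TLS trust failures need that documented. The matching mount helper `srox.injectedCABundleVolumeMount` carries the same guard and is correctly `readOnly: true`.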
@@ -0,0 +1,31 @@ +{{/* + srox._labels $labels $ $objType $objName $forPod + + Writes all applicable [pod] labels (including default labels) for $objType/$objName + into $labels. Pod labels are written iff $forPod is true. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.labels". + */}} +{{ define "srox._labels" }} +{{ $labels := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $forPod := index . 4 }} +{{ $_ := set $labels "app.kubernetes.io/name" "stackrox" }} +{{ $_ = set $labels "app.kubernetes.io/managed-by" $.Release.Service }} +{{ $_ = set $labels "helm.sh/chart" (printf "%s-%s" $.Chart.Name ($.Chart.Version | replace "+" "_")) }} +{{ $_ = set $labels "app.kubernetes.io/instance" $.Release.Name }} +{{ $_ = set $labels "app.kubernetes.io/version" $.Chart.AppVersion }} +{{ $_ = set $labels "app.kubernetes.io/part-of" "stackrox-central-services" }} +{{ $component := regexReplaceAll "^.*/\\d{2}-([a-z]+)-\\d{2}-[^/]+\\.yaml" $.Template.Name "${1}" }} +{{ if not (contains "/" $component) }} + {{ $_ = set $labels "app.kubernetes.io/component" $component }} +{{ end }} +{{ $metadataNames := list "labels" }} +{{ if $forPod }} + {{ $metadataNames = append $metadataNames "podLabels" }} +{{ end }} +{{ include "srox._customizeMetadata" (list $ $labels $objType $objName $metadataNames) }} +{{ end }} diff --git a/4.3.5/central-services/templates/_lookup.tpl b/4.3.5/central-services/templates/_lookup.tpl new file mode 100644 index 0000000..2dc0aa9 --- /dev/null +++ b/4.3.5/central-services/templates/_lookup.tpl 
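Review bot: the `app.kubernetes.io/component` derivation in `srox._labels` only matches template file names of the shape `NN-<lowercase letters>-NN-*.yaml` because the capture group is `[a-z]+`, so a component whose name contains a digit or a hyphen fails the regex, `$component` keeps the full template path, the `contains "/"` check fails, and the label is silently omitted. Either widen the capture group (e.g. `([a-z0-9-]+)`) or fail loudly with `srox.fail` when no match occurs, so an omission is noticed rather than discovered later through a label selector that matches nothing.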
@@ -0,0 +1,40 @@ +{{/* + srox.safeLookup $ $out $apiVersion $kind $ns $name + + This function does nothing if $.meta.useLookup is false; otherwise, it will + perform a `lookup $apiVersion $kind $ns $name` operation and store the result in + $out.result. + + Additionally, if a lookup was attempted, $out.reliable will contain a bool indicating + whether the result of lookup can be relied upon. This is determined to be the case if + the default service account in the release namespace can be found. + */}} +{{ define "srox.safeLookup" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ if $._rox.meta.useLookup }} + {{ if kindIs "invalid" $._rox._state.lookupWorks }} + {{ $testOut := dict }} + {{ include "srox._doLookup" (list $ $testOut "v1" "ServiceAccount" $.Release.Namespace "default") }} + {{ $_ := set $._rox._state "lookupWorks" ($testOut.result | not | not) }} + {{ end }} + {{ include "srox._doLookup" . }} + {{ $_ := set $out "reliable" $._rox._state.lookupWorks }} +{{ end }} +{{ end }} + + +{{/* + srox._doLookup $ $out $apiVersion $kind $ns $name + + Calls "lookup" with arguments $apiVersion $kind $ns $name, and stores the result + in $out.result. + + This function exists to prevent a parse error if the lookup function isn't defined. It does + so by deferring the execution of lookup to a template string instantiated via `tpl`. + */}} +{{ define "srox._doLookup" }} +{{ $ := index . 0 }} +{{ $tplArgs := dict "Template" $.Template "out" (index . 1) "apiVersion" (index . 2) "kind" (index . 3) "ns" (index . 4) "name" (index . 5) }} +{{ $_ := tpl "{{ $_ := set .out \"result\" (lookup .apiVersion .kind .ns .name) }}" $tplArgs }} +{{ end }} diff --git a/4.3.5/central-services/templates/_metadata.tpl b/4.3.5/central-services/templates/_metadata.tpl new file mode 100644 index 0000000..3ed131f --- /dev/null +++ b/4.3.5/central-services/templates/_metadata.tpl 
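Review bot: the header comment of `srox.safeLookup` says it is a no-op when `$.meta.useLookup` is false, but the code tests `$._rox.meta.useLookup`; fix the path. The comment should also state that in that case neither `$out.result` nor `$out.reliable` is set, so callers must treat an unset `$out.reliable` as "not reliable" (which `_init.tpl` does with `and $lookupOut.reliable (not $lookupOut.result)`), otherwise a future caller could read a missing `reliable` key as a successful lookup. Caching `lookupWorks` in `$._rox._state` from the single `default` ServiceAccount probe is reasonable; say in the comment that the probe runs at most once per render.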
@@ -0,0 +1,194 @@ +{{/* + srox.labels $ $objType $objName + + Format labels for $objType/$objName as YAML. + */}} +{{- define "srox.labels" -}} +{{- $labels := dict -}} +{{- $_ := include "srox._labels" (append (prepend . $labels) false) -}} +{{- toYaml $labels -}} +{{- end -}} + +{{/* + srox.podLabels $ $objType $objName + + Format pod labels for $objType/$objName as YAML. + */}} +{{- define "srox.podLabels" -}} +{{- $labels := dict -}} +{{- $_ := include "srox._labels" (append (prepend . $labels) true) -}} +{{- toYaml $labels -}} +{{- end -}} + +{{/* + srox.annotations $ $objType $objName + + Format annotations for $objType/$objName as YAML. + */}} +{{- define "srox.annotations" -}} +{{- $annotations := dict -}} +{{- $_ := include "srox._annotations" (append (prepend . $annotations) false) -}} +{{- toYaml $annotations -}} +{{- end -}} + +{{/* + srox.podAnnotations $ $objType $objName + + Format pod annotations for $objType/$objName as YAML. + */}} +{{- define "srox.podAnnotations" -}} +{{- $annotations := dict -}} +{{- $_ := include "srox._annotations" (append (prepend . $annotations) true) -}} +{{- toYaml $annotations -}} +{{- end -}} + +{{/* + srox.envVars $ $objType $objName $containerName + + Format environment variables for container $containerName in + $objType/$objName as YAML. + */}} +{{- define "srox.envVars" -}} +{{- $envVars := dict -}} +{{- $_ := include "srox._envVars" (prepend . $envVars) -}} +{{- range $k := keys $envVars | sortAlpha -}} +{{- $v := index $envVars $k }} +- name: {{ quote $k }} +{{- if kindIs "map" $v }} + {{- toYaml $v | nindent 2 }} +{{- else }} + value: {{ quote $v }} +{{- end }} +{{ end -}} +{{- end -}} + +{{/* + srox._annotations $annotations $ $objType $objName $forPod + + Writes all applicable [pod] annotations (including default annotations) for + $objType/$objName into $annotations. Pod labels are written iff $forPod is true. 
+ + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.annotations". + */}} +{{ define "srox._annotations" }} +{{ $annotations := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $forPod := index . 4 }} +{{ $_ := set $annotations "meta.helm.sh/release-namespace" $.Release.Namespace }} +{{ $_ = set $annotations "meta.helm.sh/release-name" $.Release.Name }} +{{ $_ = set $annotations "owner" "stackrox" }} +{{ $_ = set $annotations "email" "support@stackrox.com" }} +{{ $metadataNames := list "annotations" }} +{{ if $forPod }} + {{ $metadataNames = append $metadataNames "podAnnotations" }} +{{ end }} +{{ include "srox._customizeMetadata" (list $ $annotations $objType $objName $metadataNames) }} +{{ end }} + +{{/* + srox._envVars $envVars $ $objType $objName $containerName + + Writes all applicable environment variables for $objType/$objName + into $envVars. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.envVars". + */}} +{{ define "srox._envVars" }} +{{ $envVars := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $containerName := index . 
4 }} +{{ $metadataNames := list "envVars" }} +{{ include "srox._customizeMetadata" (list $ $envVars $objType $objName $metadataNames) }} +{{ if $containerName }} + {{ $containerKey := printf "/%s" $containerName }} + {{ $envVarsForContainer := index $envVars $containerKey }} + {{ if $envVarsForContainer }} + {{ include "srox.destructiveMergeOverwrite" (list $envVars $envVarsForContainer) }} + {{ end }} +{{ end }} + +{{/* Remove all entries starting with / */}} +{{ range $key, $_ := $envVars }} + {{ if hasPrefix "/" $key }} + {{ $_ := unset $envVars $key }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox._customizeMetadata $ $metadata $objType $objName $metadataNames + + Writes custom key/value metadata to $metadata by consulting all sub-dicts with names in + $metadataNames under the applicable custom metadata locations (._rox.customize, + ._rox.customize.other.$objType/*, ._rox.customize.other.$objType/$objName, and + ._rox.customizer.$objName [workloads only]). Dictionaries are consulted in this order, with + values from dictionaries consulted later overwriting values from dictionaries consulted + earlier. + */}} +{{ define "srox._customizeMetadata" }} +{{ $ := index . 0 }} +{{ $metadata := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $metadataNames := index . 
4 }} + +{{ $overrideDictPaths := list "" (printf "other.%s/*" $objType) (printf "other.%s/%s" $objType $objName) }} +{{ if has $objType (list "deployment" "daemonset") }} + {{ $overrideDictPaths = append $overrideDictPaths $objName }} +{{ end }} + +{{ range $dictPath := $overrideDictPaths }} + {{ $customizeDict := $._rox.customize }} + {{ if $dictPath }} + {{ $resolvedOut := dict }} + {{ include "srox.safeDictLookup" (list $._rox.customize $resolvedOut $dictPath) }} + {{ $customizeDict = $resolvedOut.result }} + {{ end }} + {{ if $customizeDict }} + {{ range $metadataName := $metadataNames }} + {{ $customMetadata := index $customizeDict $metadataName }} + {{ include "srox.destructiveMergeOverwrite" (list $metadata $customMetadata) }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} + +{{/* Add namespace specific prefixes for global resources to avoid resource name clashes for multi-namespace deployments. */}} +{{- define "srox.globalResourceName" -}} +{{- $ := index . 0 -}} +{{- $name := index . 1 -}} + +{{- if eq $.Release.Namespace "stackrox" -}} + {{- /* Standard namespace, use resource name as is. */ -}} + {{- $name -}} +{{- else -}} + {{- /* Add global prefix to resource name. */ -}} + {{- printf "%s-%s" $._rox.globalPrefix (trimPrefix "stackrox-" $name) -}} +{{- end -}} +{{- end -}} + +{{/* + srox.initGlobalPrefix $ + + Initializes prefix for global resources. + */}} +{{- define "srox.initGlobalPrefix" -}} +{{- $ := index . 0 -}} +{{ if kindIs "invalid" $._rox.globalPrefix }} + {{ if eq $.Release.Namespace "stackrox" }} + {{ $_ := set $._rox "globalPrefix" "stackrox" }} + {{ else }} + {{ $_ := set $._rox "globalPrefix" (printf "stackrox-%s" (trimPrefix "stackrox-" $.Release.Namespace)) }} + {{ end }} +{{ end }} + +{{ if ne $._rox.globalPrefix "stackrox" }} + {{ include "srox.note" (list $ (printf "Global Kubernetes resources are prefixed with '%s'." $._rox.globalPrefix)) }} +{{- end -}} +{{- end -}} 
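Review bot: two copy-paste errors in the doc comments of this hunk: `srox._annotations` says "Pod labels are written iff $forPod is true" where it means pod annotations, and `srox._customizeMetadata` lists `._rox.customizer.$objName` as the last lookup location while the code consults `$objName` under `._rox.customize` (`append $overrideDictPaths $objName`). The same comment should state that this `$objName` path is only consulted for `deployment` and `daemonset` object types, as the `has $objType (list "deployment" "daemonset")` check does, and that later paths overwrite earlier ones via `srox.destructiveMergeOverwrite`.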
diff --git a/4.3.5/central-services/templates/_openshift.tpl b/4.3.5/central-services/templates/_openshift.tpl new file mode 100644 index 0000000..85201cb --- /dev/null +++ b/4.3.5/central-services/templates/_openshift.tpl 
@@ -0,0 +1,47 @@ +{{/* + srox.autoSenseOpenshiftVersion $ + + This function detects the OpenShift version automatically based on the cluster the Helm chart is installed onto. + It writes the result to ._rox.env.openshift as an integer. + Possible results are: + - 3 (OpenShift 3) + - 4 (OpenShift 4) + - 0 (Non-Openshift cluster) + + If "true" is passed for $._rox.env.openshift the OpenShift version is detected based on the Kubernetes cluster version. + If the Kubernetes version is not available (i.e. when using Helm template) auto-sensing falls back on OpenShift 3 to be + backward compatible. + */}} + +{{ define "srox.autoSenseOpenshiftVersion" }} + +{{ $ := index . 0 }} +{{ $env := $._rox.env }} + +{{/* Infer OpenShift, if needed */}} +{{ if kindIs "invalid" $env.openshift }} + {{ $_ := set $env "openshift" (has "apps.openshift.io/v1" $._rox._apiServer.apiResources) }} +{{ end }} + +{{/* Infer openshift version */}} +{{ if and $env.openshift (kindIs "bool" $env.openshift) }} + {{/* Parse and add KubeVersion as semver from built-in resources. This is necessary to compare valid integer numbers. */}} + {{ $kubeVersion := semver $.Capabilities.KubeVersion.Version }} + + {{/* Default to OpenShift 3 if no openshift resources are available, i.e. in helm template commands */}} + {{ if not (has "apps.openshift.io/v1" $._rox._apiServer.apiResources) }} + {{ $_ := set $._rox.env "openshift" 3 }} + {{ else if gt $kubeVersion.Minor 11 }} + {{ $_ := set $env "openshift" 4 }} + {{ else }} + {{ $_ := set $env "openshift" 3 }} + {{ end }} + {{ include "srox.note" (list $ (printf "Based on API server properties, we have inferred that you are deploying into an OpenShift %d.x cluster. Set the `env.openshift` property explicitly to 3 or 4 to override the auto-sensed value." 
$env.openshift)) }} +{{ end }} +{{ if not (kindIs "bool" $env.openshift) }} + {{ $_ := set $env "openshift" (int $env.openshift) }} +{{ else if not $env.openshift }} + {{ $_ := set $env "openshift" 0 }} +{{ end }} + +{{ end }} diff --git a/4.3.5/central-services/templates/_psp.tpl b/4.3.5/central-services/templates/_psp.tpl new file mode 100644 index 0000000..bffb2a0 --- /dev/null +++ b/4.3.5/central-services/templates/_psp.tpl @@ -0,0 +1,19 @@ +{{/* + srox.autoSensePodSecurityPolicies $ + */}} + +{{ define "srox.autoSensePodSecurityPolicies" }} + +{{ $ := index . 0 }} +{{ $system := $._rox.system }} + +{{ if kindIs "invalid" $system.enablePodSecurityPolicies }} + {{ $_ := set $system "enablePodSecurityPolicies" (has "policy/v1beta1" $._rox._apiServer.apiResources) }} + {{ if $system.enablePodSecurityPolicies }} + {{ include "srox.note" (list $ (printf "PodSecurityPolicies are enabled, since your environment supports them according to API server properties.")) }} + {{ else }} + {{ include "srox.note" (list $ (printf "PodSecurityPolicies are disabled, since your environment does not support them according to API server properties.")) }} + {{ end }} +{{ end }} + +{{ end }} diff --git a/4.3.5/central-services/templates/_reporting.tpl b/4.3.5/central-services/templates/_reporting.tpl new file mode 100644 index 0000000..621e284 --- /dev/null +++ b/4.3.5/central-services/templates/_reporting.tpl 
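Review bot: in `srox.autoSenseOpenshiftVersion`, the "we have inferred that you are deploying into an OpenShift %d.x cluster" note is also emitted on the fallback branch, i.e. when `apps.openshift.io/v1` is absent (typically `helm template`) and the code simply defaults to 3, so the user is told a version was detected when nothing was. Either skip the note on that branch or word it as a default. Style: that branch writes through `$._rox.env` while its siblings use the `$env` alias for the same map. In `_psp.tpl`, `srox.autoSensePodSecurityPolicies` enables PSPs whenever the `policy/v1beta1` API group is listed, which does not by itself show that the PodSecurityPolicy resource is served in that group; the emitted note ("your environment supports them") should say what was actually checked so an operator can verify it.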
@@ -0,0 +1,34 @@ +{{/* + srox.fail $message + + Print a nicely-formatted fatal error message and exit. + */}} +{{ define "srox.fail" }} +{{ printf "\n\nFATAL ERROR:\n%s" . | wrap 100 | fail }} +{{ end }} + +{{/* + srox.warn $ $message + + Add $message to the list of encountered warnings. + */}} +{{ define "srox.warn" }} +{{ $ := index . 0 }} +{{ $msg := index . 1 }} +{{ $warnings := $._rox._state.warnings }} +{{ $warnings = append $warnings $msg }} +{{ $_ := set $._rox._state "warnings" $warnings }} +{{ end }} + +{{/* + srox.note $ $message + + Add $message to the list notes that will be shown to the user after installation/upgrade. + */}} +{{ define "srox.note" }} +{{ $ := index . 0 }} +{{ $msg := index . 1 }} +{{ $notes := $._rox._state.notes }} +{{ $notes = append $notes $msg }} +{{ $_ := set $._rox._state "notes" $notes }} +{{ end }} diff --git a/4.3.5/central-services/templates/_scanner_init.tpl b/4.3.5/central-services/templates/_scanner_init.tpl new file mode 100644 index 0000000..75fbe95 --- /dev/null +++ b/4.3.5/central-services/templates/_scanner_init.tpl 
@@ -0,0 +1,40 @@ +{{/* + srox.scannerInit . $scannerConfig + + Initializes the scanner configuration. The scanner chart has two modes "full" and + "slim". + The "full" mode is used for stand-alone deployments, mostly along with StackRox's Central service. In this + mode, the image contains vulnerability data and the Helm chart can create its own certificates. + + The "slim" mode is used to deploy Scanner with a smaller image and does not generate TLS certificates, + typically deployed within a Secured Cluster to scan images stored in a registry only accessible to the current cluster. + The scanner chart defaults to "full" mode if no mode was provided. + + $scannerConfig contains all values which are configured by the user. The structure can be viewed in the according + config-shape. See internal/scanner-config-shape.yaml. + */}} + +{{ define "srox.scannerInit" }} + +{{ $ := index . 0 }} +{{ $scannerCfg := index . 1 }} + +{{ if or (eq $scannerCfg.mode "") (eq $scannerCfg.mode "full") }} + {{ include "srox.configureImage" (list $ $scannerCfg.image) }} + {{ include "srox.configureImage" (list $ $scannerCfg.dbImage) }} + + {{ $scannerCertSpec := dict "CN" "SCANNER_SERVICE: Scanner" "dnsBase" "scanner" }} + {{ include "srox.configureCrypto" (list $ "scanner.serviceTLS" $scannerCertSpec) }} + + {{ $scannerDBCertSpec := dict "CN" "SCANNER_DB_SERVICE: Scanner DB" "dnsBase" "scanner-db" }} + {{ include "srox.configureCrypto" (list $ "scanner.dbServiceTLS" $scannerDBCertSpec) }} +{{ else if eq $scannerCfg.mode "slim" }} + {{ include "srox.configureImage" (list $ $scannerCfg.slimImage) }} + {{ include "srox.configureImage" (list $ $scannerCfg.slimDBImage) }} +{{ else }} + {{ include "srox.fail" (printf "Unknown scanner mode %s" $scannerCfg.mode) }} +{{ end }} + +{{ include "srox.configurePassword" (list $ "scanner.dbPassword") }} + +{{ end }} 
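Review bot: the `slim` branch of `srox.scannerInit` is unreachable from this chart: `_init.tpl` already calls `srox.fail` for any `scanner.mode` other than `full` or `""` before `srox.scannerInit` is invoked. If the template is shared with another chart, say so in the header comment; otherwise drop the branch so readers do not assume Central can run a slim Scanner without the `scanner.serviceTLS` and `scanner.dbServiceTLS` material generated in the `full` branch. `srox.configurePassword (list $ "scanner.dbPassword")` runs for every mode, which is fine but deserves a comment since the header only mentions images and certificates.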
diff --git a/4.3.5/central-services/values-private.yaml.example b/4.3.5/central-services/values-private.yaml.example new file mode 100644 index 0000000..41254aa --- /dev/null +++ b/4.3.5/central-services/values-private.yaml.example 
@@ -0,0 +1,178 @@ +# StackRox Kubernetes Security Platform - Central Services Chart +# PRIVATE configuration file. +# +# This file contains sensitive values relevant for the deployment of the +# StackRox Kubernetes Platform Central Services components. +# +# Apart from image pull secrets (see below), all the values in this file are +# optional or can be automatically generated at deployment time. +# Moreover, this file does not need to be provided (e.g., via `-f`) to a `helm upgrade` +# command, even if custom values are used - the previously set values +# will simply be preserved. +# +# The following values typically require user input, as they cannot be automatically generated +# (though each of them can be omitted): +# - `imagePullSecrets.username` and `imagePullSecrets.password` +# - `env.proxyConfig` +# - `central.defaultTLS` +# +# If you do choose to use this file (either by manually filling in values, or by +# generating it via the `roxctl central generate` command family), you must store +# it in a safe and secure place, such as a secrets management system. +# + +# # BEGIN CONFIGURATION VALUES SECTION + +# # Image pull credentials. If you do not specify these, you need to specify one of +# # the following: +# # - `imagePullSecrets.allowNone=true`: in case your registry allows pulling images without +# # credentials. +# # - `imagePullSecrets.useExisting="secret1;secret2;..."`: in case you have pre-existing image +# # pull secrets with the given name already created in the target namespace. +# # - `imagePullSecrets.useFromDefaultServiceAccount=true`: in case the default service account +# # in the target namespace is configured with sufficiently scoped image pull secrets. +# # If you do not know if any of the above applies to your situation, your best course of +# # action is probably to enter your image pull credentials here. +# imagePullSecrets: +# username: +# password: +# +# # Proxy configuration. 
This will only be required if you are running in an environment +# # where internet access is not possible by default. +# # Since this configuration may contain a proxy password, it is treated as a sensitive +# # piece of configuration. +# # The following example is a stripped-down one. For a full documentation, see the file +# # `config/proxy-config.yaml.default` that is shipped with this chart. +# env: +# proxyConfig: | +# url: http://proxy.name:port +# username: username +# password: password +# excludes: +# - some.domain +# +# +# # TLS Certificate Configuration. +# # Most of the following values are not typically required to be populated manually. You can +# # either omit them, in which case they will be auto-generated upon initial installation, +# # or they are populated when you invoke `roxctl central generate` to generate deployment +# # files. +# +# # Certificate Authority (CA) certificate for TLS certificates used internally +# # by StackRox services. +# ca: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# +# # Secret configuration options for the StackRox Central deployment. +# central: +# # Private key to use for signing JSON web tokens (JWTs), which are used +# # for authentication. Omit to auto-generate (initial deployment) or use existing +# # (upgrade). +# jwtSigner: +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# # Internal "central.stackrox" service TLS certificate for the Central deployment. +# # Omit to auto-generate (initial deployment) or use existing (upgrade). +# serviceTLS: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# +# # Default (user-facing) TLS certificate. +# # NOTE: In contrast to almost all other configuration options, this IS expected +# # to be manually populated. 
While any existing default TLS certificate secret +# # will be re-used on upgrade if this is omitted, nothing will be created on +# # initial deployment if this is not populated. +# defaultTLS: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# +# # Administrator password for logging in to the StackRox portal. +# # You can either specify a plaintext password here, or an htpasswd file with a +# # bcrypt-encrypted password. +# # If you omit this setting, a password will be automatically generated upon initial +# # installation, and the existing administrator password secret will be re-used upon +# # upgrades. +# adminPassword: +# # The plaintext value of the administrator password. If you specify a password here, +# # you must omit the `htpasswd` setting. +# value: +# # The htpasswd contents of the administrator login credentials. If you specify a +# # value here, you must omit the `value` setting. +# # The password hash MUST be bcrypt. +# htpasswd: | +# admin: +# +# # Secret configuration options for the StackRox Central DB deployment. +# db: +# # The password to be used for authenticating central database access IF USING POSTGRES. +# # This is not user-relevant and only serves to properly secure the database with a +# # pre-shared secret. If this setting is omitted, a password will be automatically generated +# # upon initial deployment, and the existing password will be used upon upgrades. +# password: +# # The plaintext value of the administrator password. +# value: +# # Internal "central-db.stackrox.svc" service TLS certificate for the Central DB deployment. +# # Omit to auto-generate (initial deployment) or use existing (upgrade). 
+# serviceTLS: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# +# # Secret configuration options for the StackRox Central deployment. +# scanner: +# # The password to be used for authenticating database access. This is not user-relevant +# # and only serves to properly secure the database with a pre-shared secret. If this +# # setting is omitted, a password will be automatically generated upon initial deployment, +# # and the existing password will be used upon upgrades. +# dbPassword: +# value: +# +# # Internal "scanner.stackrox.svc" service TLS certificate for the Scanner deployment. +# # Omit to auto-generate (initial deployment) or use existing (upgrade). +# serviceTLS: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# +# # Internal "scanner-db.stackrox" service TLS certificate for the Scanner DB deployment. +# # Omit to auto-generate (initial deployment) or use existing (upgrade). +# dbServiceTLS: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- diff --git a/4.3.5/central-services/values-public.yaml.example b/4.3.5/central-services/values-public.yaml.example new file mode 100644 index 0000000..b4e03e2 --- /dev/null +++ b/4.3.5/central-services/values-public.yaml.example 
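Review bot: two comment mix-ups in `values-private.yaml.example`: under `central.db.password.value` the comment reads "The plaintext value of the administrator password", but this is the pre-shared database password described a few lines above, not the admin login; and the `scanner:` block is headed "Secret configuration options for the StackRox Central deployment" where it should say Scanner. Since this is the file users copy secrets into, the mislabelled DB password is the one most likely to lead someone to paste the admin password there; fix both. The top comment advising secure storage could also mention that the file carries private keys (CA, JWT signer, service TLS), not only credentials.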
@@ -0,0 +1,538 @@ +# StackRox Kubernetes Security Platform - Central Services Chart +# PUBLIC configuration file. +# +# This file contains general configuration values relevant for the deployment of the +# StackRox Kubernetes Platform Central Services components, which do not contain or reference +# sensitive data. This file can and should be stored in a source code management system +# and should be referenced on each `helm upgrade`. +# +# Most of the values in this file are optional, and you only should need to make modifications +# if the default deployment configuration is not sufficient for you for whatever reason. +# The most notable exception is the `imagePullSecrets` section, which needs to be configured +# according to the registry access in your environment. +# +# Other than that, the following are sections most likely require custom configuration: +# - `image.registry`: if you are pulling images from a registry other than `stackrox.io`. +# - `env.offlineMode`: if you want to run StackRox in offline mode. +# - `central.endpointsConfig`: if you want to expose additional endpoints (such as endpoints +# without TLS) in Central. +# - `central.resources`: if the default resource configuration for Central is not adequate +# for your environment. +# - `db.persistence`: for configuring where Central DB stores its postgres database volume. + +# # BEGIN CONFIGURATION VALUES SECTION + +# imagePullSecrets: +# # allowNone=true indicates that no image pull secrets are required to be configured +# # upon initial deployment. Use this setting if you are using a cluster-private registry +# # that does not require authentication. +# allowNone: false +# +# # useExisting specifies a list of existing Kubernetes image pull secrets in the target +# # namespace that should be used for trying to pull StackRox images. Use this if you have +# # your custom way of injecting image pull secrets. 
+# useExisting: +# - secret1 +# - secret2 +# +# # useFromDefaultServiceAccount=true will instruct the deployment logic to use any +# # image pull secrets referenced by the default service account in the target namespace. +# # This is a common way to grant namespace-wide access to a Docker image registry. +# # This behavior is the default, set the value to `false` if you do not want this. +# useFromDefaultServiceAccount: true +# +# image: +# # The registry relative to which all image references are resolved, unless +# # a specific registry is provided for particular workloads which takes precedence +# # (see `central.image`, `db.image`, `scanner.image`, and `scanner.dbImage` below). +# # This can be just a registry hostname such as `stackrox.io`, or a registry hostname with +# # a "remote" component such as `us.gcr.io/my-stackrox-mirror`. +# registry: us.gcr.io/my-stackrox-mirror +# +# env: +# # Treat the environment as an OpenShift cluster. Leave this unset to use auto-detection +# # based on available API resources on the server. +# # Set it to true to auto-detect the OpenShift version, otherwise set it explicitly. +# # Possible values: null, false, true, 3, 4 +# openshift: false +# +# # Whether the target cluster is an Istio-enabled cluster. If you deploy via `helm install`, +# # this can typically be determined automatically, so we recommend to not set a value here. +# # Set to true or false explicitly to override the auto-sensing logic only. +# istio: false +# +# # The "platform" of the target cluster into which StackRox is being deployed. This can +# # be the name of an infrastructure provider or product, and will tailor the StackRox +# # deployment to the respective target environment. Currently, the only supported platforms +# # are "default" and "gke". +# # If you deploy via `helm install`, the environment can typically be determined automatically, +# # choose a fixed value here only if you want to override the auto-sensing logic. 
+# platform: default +# +# # offlineMode=true instructs StackRox to not attempt any outgoing connections to the +# # internet. Use this in air-gapped environments, where it's important that workloads do +# # not even try to make outbound connections. Defaults to `false` when omitted. +# offlineMode: false +# +# # Additional certificate authorities (CAs) to trust, besides system roots. +# # Use this setting if Central or Scanner need to reach out to services that use certificates +# # issued by an authority in your organization, but are NOT globally trusted. In these cases, +# # specify the root CA certificate of your organization. +# additionalCAs: +# acme-labs-ca.crt: | +# -----BEGIN CERTIFICATE----- +# [... base64 (PEM) encoded certificate data ...] +# -----END CERTIFICATE----- +# +# # Public configuration options for the StackRox Central deployment. +# central: +# # General configuration options for the Central deployment. +# # See the `config/central/config.yaml.default` file that is shipped with this chart +# # for a fully documented version. +# config: | +# maintenance: +# safeMode: false +# compaction: +# enabled: true +# bucketFillFraction: .5 +# freeFractionThreshold: 0.75 +# # Configuration option for rolling back to a previous version after an upgrade has been completed. +# # Default to none. +# # By default, the user may initiate a rollback if upgrade fails before Central has started. +# # Users may rollback to their previous version once Central has started, but this may result in data loss, +# # so users must explicitly specify the version they are rolling back to in order to acknowledge the effects. +# forceRollbackVersion: 3.0.58.0 +# +# # Additional endpoints configuration for the Central deployment. +# # See the `config/central/endpoints.yaml.default` file that is shipped with this chart +# # for a fully documented version. 
+# endpointsConfig: | +# endpoints: +# - listen: ":8080" +# protocols: +# - http +# tls: +# disable: true +# +# # If you want to use a monitoring solution such as Prometheus, set the following value to +# # "true" to make a /metrics endpoint for Central available on port 9090. +# exposeMonitoring: true +# +# # If you want to enforce StackRox Central to only run on certain nodes, you can specify +# # a node selector here to make sure Central can only be scheduled on Nodes with the +# # given label. This is particular relevant for the "hostPath" persistence type. +# nodeSelector: +# # This can contain arbitrary `label-key: label-value` pairs. +# role: stackrox-central +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# tolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# If scheduling needs specific affinities, you can specify the corresponding affinities here. +# affinity: +# nodeAffinity: +# preferredDuringSchedulingIgnoredDuringExecution: +# # Central is single-homed, so avoid preemptible nodes. +# - weight: 100 +# preference: +# matchExpressions: +# - key: cloud.google.com/gke-preemptible +# operator: NotIn +# values: +# - "true" +# - weight: 50 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/infra +# operator: Exists +# - weight: 25 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/compute +# operator: Exists +# # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in +# # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+# - weight: 100 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/master +# operator: DoesNotExist +# - weight: 100 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/control-plane +# operator: DoesNotExist +# +# # Configures the Central image to be used. Most users will only need to configure a +# # custom registry (if any) at the global scope, and do not require any settings here. +# image: +# # A custom registry that will override the global `image.registry` setting for the +# # Central image. +# registry: us.gcr.io/stackrox-central-repo +# +# # A custom image name that will override the default `main`. +# name: custom-main +# +# # A custom image tag that will override the default tag based on the current +# # StackRox version. +# # IMPORTANT: If you set a value here, you will lose the ability to simply upgrade +# # by running `helm upgrade` against a more recent chart version. You MUST increment +# # the version referenced in this tag for every upgrade. It is therefore strongly +# # recommended that if you choose to mirror StackRox images in your own registry, +# # you preserve all image tags as-is. +# tag: custom-version +# +# # A full image name override that will be used as-is for the StackRox Central image. +# # This is only required in very rare circumstances, and its use is strongly discouraged. +# # If set, all other image-related values will be ignored for the StackRox Central image. +# # The following example value lists the full image ref that would be constructed from +# # the above components. +# fullRef: "us.gcr.io/stackrox-central-repo/custom-main:custom-version" +# +# # Custom resource overrides for the Central deployment. Use this if your environment is +# # very large or very small, and the default resource configuration does not provide +# # satisfactory performance. 
+# resources: +# requests: +# memory: "4Gi" +# cpu: "1500m" +# limits: +# memory: "8Gi" +# cpu: "4000m" +# +# # Configuration for exposing the StackRox Central deployment for external access. +# # Generally, only ONE of the nested values should be specified. If none is specified, +# # the Central deployment will not be exposed, and you must either manually expose it, +# # or access it via port-forwarding. +# exposure: +# # Exposure via a Kubernetes LoadBalancer service. +# loadBalancer: +# enabled: true +# # The port on which to expose StackRox Central. Defaults to 443. +# port: 443 +# # The static IP to assign to the load balancer. Defaults to dynamic. +# ip: 10.0.0.0 +# +# # Exposure via a Kubernetes NodePort service. +# nodePort: +# enabled: true +# # The port on the node under which to expose the service. Omit this for +# # letting Kubernetes automatically select a node port (recommended). +# port: 32000 +# +# # Exposure via an OpenShift route. Only available for OpenShift clusters +# route: +# enabled: true +# +# # Additional volume mounts for the Central container. Only few people will require this. +# extraMounts: +# - name: my-configmap # the name of the volume +# # The source of the volume. This will be embedded as-is in the `volume:` section of the +# # pod spec. +# source: +# configMap: +# name: my-configmap +# # The mount point of the volume. This will be embedded as-is in the `volumeMounts:` section +# # of the pod spec. +# mount: +# mountPath: /etc/my-config-data +# +# # Public configuration options for the StackRox Central DB: +# db: +# # If you want to enforce StackRox Central DB to only run on certain nodes, you can specify +# # a node selector here to make sure Central can only be scheduled on Nodes with the +# # given label. This is particular relevant for the "hostPath" persistence type. +# nodeSelector: +# # This can contain arbitrary `label-key: label-value` pairs. 
+# role: stackrox-central-db +# +# # If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# tolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# # External signifies that a Postgres wire-compatible database has already been deployed and a Central DB pod +# # does not need to be deployed +# external: false +# +# # Customized Central DB source configurations to connect to Postgres database. +# # Default configurations are applied if the configurations are omitted. +# source: +# # ConnectionString should not be specified if the Central DB deployment is being managed by the helm chart +# # The connection string must be in the format described here https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING +# # The only connection string format supported is as specified in "34.1.1.1. Keyword/Value Connection Strings" +# # client_encoding=UTF8 is required in any connection string and the only supported encoding +# # statementTimeoutMs is ignored for external database connections +# # If using a connection that supports "statement_timeout" it is recommended to include "statement_timeout=1200000" +# # Do NOT use a connection string with a password field. Instead specify the value below in the password section in values-private.yaml. +# connectionString: "host=central-db.stackrox port=5432 user=postgres sslmode=verify-full" +# minConns: 10 +# maxConns: 90 +# statementTimeoutMs: 1200000 +# +# # Configures the Central DB image to be used. Most users will only need to configure a +# # custom registry (if any) at the global scope, and do not require any settings here. +# image: +# # A custom registry that will override the global `image.registry` setting for the +# # Central DB image. +# registry: us.gcr.io/central-db +# # A custom image name that will override the default `main`. 
+# name: custom-central-db +# # A custom image tag that will override the default tag based on the current +# # StackRox version. +# tag: custom-version +# +# # Custom resource overrides for the Central DB deployment. +# resources: +# requests: +# memory: "8Gi" +# cpu: "4" +# limits: +# memory: "16Gi" +# cpu: "8" +# +# # Persistence configuration for the StackRox Central DB. +# # Exactly ONE of the nested values should be specified. If none is specified, +# # the StackRox Central DB will be configured with the default PVC-based persistence. +# persistence: +# # The path on the node where to store the StackRox Central DB volume +# # when using host path persistence. +# hostPath: /var/lib/central-db +# # The persistent volume claim details when storing the StackRox database +# # on a persistent volume managed by a Kubernetes persistent volume claim (PVC). +# persistentVolumeClaim: +# # The name of the claim. This defaults to central-db if not set. +# claimName: central-db +# # Whether to create the claim upon deployment. The default is true; set this to false +# # if you have a pre-existing persistent volume claim that you want to use. +# createClaim: true +# # The storage class of the persistent volume. +# storageClass: stackrox-gke-ssd +# # The size of the persistent volume managed by the claim, in Gigabytes (or with an +# # explicit unit, such as "1Ti"). Defaults to 100Gi. +# size: 100 +# # If you want to bind a preexisting persistent volume, you can specify it here. +# volume: +# volumeSpec: +# # The section includes volume type specific config, the volume type can be: +# # gcePersistentDisk, hostpath, filestore(nfs) etc. +# gcePersistentDisk: +# # Type specific parameters. The specified persistent volume should have +# # been created. +# pdName: gke-pv +# +# # Public configuration options for the StackRox Scanner. 
+# scanner: +# # disable=true will cause the StackRox Kubernetes Security Platform to be +# # deployed without the StackRox Scanner, meaning that certain functionalities +# # may not be available. If this setting is changed prior to a `helm upgrade` +# # invocation, the existing StackRox scanner deployment will be removed. +# disable: false +# +# # The number of replicas for the Scanner deployment. If autoscaling is enabled (see below), +# # this determines the initial number of replicas. +# replicas: 3 +# +# # The log level for the scanner deployment. This typically does not need to be changed. +# logLevel: INFO +# +# # If you want to enforce StackRox Scanner to only run on certain nodes, you can specify +# # a node selector here to make sure Scanner can only be scheduled on Nodes with the +# # given label. +# nodeSelector: +# # This can contain arbitrary `label-key: label-value` pairs. +# role: stackrox-scanner +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# tolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# If scheduling needs specific affinities, you can specify the corresponding affinities here. +# affinity: +# podAntiAffinity: +# preferredDuringSchedulingIgnoredDuringExecution: +# - weight: 100 +# podAffinityTerm: +# labelSelector: +# matchLabels: +# app: scanner +# topologyKey: kubernetes.io/hostname +# nodeAffinity: +# preferredDuringSchedulingIgnoredDuringExecution: +# - weight: 50 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/infra +# operator: Exists +# - weight: 25 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/compute +# operator: Exists +# # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in +# # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+# - weight: 100 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/master +# operator: DoesNotExist +# - weight: 100 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/control-plane +# operator: DoesNotExist +# +# # If you want to enforce StackRox Scanner DB to only run on certain nodes, you can specify +# # a node selector here to make sure Scanner DB can only be scheduled on Nodes with the +# # given label. +# dbNodeSelector: +# # This can contain arbitrary `label-key: label-value` pairs. +# role: stackrox-scanner-db +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# dbTolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# # Configuration for autoscaling the Scanner deployment. +# autoscaling: +# # disable=true causes autoscaling to be disabled. All other settings in this section +# # will have no effect. +# disable: false +# # The minimum number of replicas for autoscaling. The following value is the default. +# minReplicas: 2 +# # The maximum number of replicas for autoscaling. The following value is the default. +# maxReplicas: 5 +# +# # Custom resource overrides for the Scanner deployment. +# resources: +# requests: +# memory: "1500Mi" +# cpu: "1000m" +# limits: +# memory: "4Gi" +# cpu: "2000m" +# +# # Custom resource overrides for the Scanner DB deployment. +# dbResources: +# limits: +# cpu: "2000m" +# memory: "4Gi" +# requests: +# cpu: "200m" +# memory: "200Mi" +# +# # Custom configuration of the image to be used for the Scanner deployment. +# # See `central.image` for a full example. +# image: +# registry: us.gcr.io/stackrox-scanner-repo +# name: scanner # "scanner" is the default +# +# dbImage: +# registry: us.gcr.io/stackrox-scanner-db-repo +# name: scanner-db # "scanner-db" is the default +# +# +# # Customization Settings. 
+# # The following allows specifying custom Kubernetes metadata (labels and annotations) +# # for all objects instantiated by this Helm chart, as well as additional pod labels, +# # pod annotations, and container environment variables for workloads. +# # The configuration is hierarchical, in the sense that metadata that is defined at a more +# # generic scope (e.g., for all objects) can be overridden by metadata defined at a narrower +# # scope (e.g., only for the central deployment). +# customize: +# # Extra metadata for all objects. +# labels: +# my-label-key: my-label-value +# annotations: +# my-annotation-key: my-annotation-value +# +# # Extra pod metadata for all objects (only has an effect for workloads, i.e., deployments). +# podLabels: +# my-pod-label-key: my-pod-label-value +# podAnnotations: +# my-pod-annotation-key: my-pod-annotation-value +# +# # Extra environment variables for all containers in all objects. +# envVars: +# MY_ENV_VAR_NAME: MY_ENV_VAR_VALUE +# +# # Extra metadata for the central deployment only. +# central: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the central db deployment only. +# db: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the scanner deployment only. +# scanner: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the scanner-db deployment only. +# scanner-db: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for all other objects. The keys in the following map can be +# # an object name of the form "service/central-loadbalancer", or a reference to all +# # objects of a given type in the form "service/*". 
The values under each key +# # are the five metadata overrides (labels, annotations, podLabels, podAnnotations, envVars) +# # as specified above, though only the first two will be relevant for non-workload +# # object types. +# other: +# "service/*": +# labels: {} +# annotations: {} +# +# # EXPERT SETTINGS +# # The following settings should only be changed if you know very well what you are doing. +# # The scenarios in which these are required are generally not supported. +# +# # Set allowNonstandardNamespace=true if you are deploying into a namespace other than +# # "stackrox". This has been observed to work in some case, but is not generally supported. +# allowNonstandardNamespace: false +# +# # Set allowNonstandardReleaseName=true if you are deploying with a release name other than +# # the default "stackrox-central-services". This has been observed to work in some cases, +# # but is not generally supported. +# allowNonstandardReleaseName: false + +# monitoring: +# # Enables integration with OpenShift platform monitoring. +# openshift: +# enabled: true diff --git a/4.3.5/central-services/values.yaml b/4.3.5/central-services/values.yaml new file mode 100644 index 0000000..cee8132 --- /dev/null +++ b/4.3.5/central-services/values.yaml 
@@ -0,0 +1,364 @@ +## StackRox Central chart default settings file. +## +## This file includes the default settings for the StackRox Central chart. +## It serves as a form of documentation for all the possible settings that a +## user can override are. HOWEVER, if you want to override some settings, DO NOT +## create a copy of this file to be used as a baseline, or modify it in place. +## Instead, create a file that contains only those settings you want to override, +## and pass it to helm or roxctl via the `-f` parameter. +## +## For example, if you want to disable the deployment of scanner, create a file +## `values-override.yaml` (or any name you choose) with the following contents: +## +## scanner: +## disable: true +## +## and then invoke helm by passing `-f values-override.yaml` to +## `helm install`/`helm upgrade`. +## +## Alternatively, if you want to override just a few values, you can set them directly +## via the `--set` command, e.g., +## $ helm install --set scanner.disable=true ... +## +## Note that an arbitrary number of `-f` and `--set` parameters can be combined. It is +## generally a good practice to store secret data such as the admin password separate from +## non-sensitive configuration data. +## +# +## Configuration for image pull secrets. +## These should usually be set via the command line when running `helm install`, e.g., +## helm install --set imagePullSecrets.username=myuser --set imagePullSecrets.password=mypass, +## or be stored in a separate YAML-encoded secrets file. +#imagePullSecrets: +# # Username and password to be used for pulling images. +# # These should usually be set via the command line when running `helm install`, e.g., +# # helm install --set imagePullSecrets.username=myuser --set imagePullSecrets.password=mypass, +# # or be stored in a separate YAML-encoded secrets file. +# username: null +# password: null +# +# # If no image pull secrets are provided, an installation would usually fail. 
In order to +# # prevent it from failing, this option must explicitly be set to true. +# allowNone: false +# +# # If there exist available image pull secrets in the cluster that are managed separately, +# # set this value to the list of the respective secret names. While it is recommended to +# # record the secret names in a persisted YAML file, providing a single string containing +# # a comma-delimited list of secret names is also supported, for easier interaction with +# # --set. +# useExisting: [] +# +# # Whether to import any secrets from the default service account existing in the StackRox +# # namespace. The default service account often contains "standard" image pull secrets that +# # should be used by default for image pulls, hence this defaults to true. Only has an effect +# # if server-side lookups are enabled. +# useFromDefaultServiceAccount: true +# +## Common settings for all image properties +#image: +# # The image registry to use. Unless overridden in the more specific configs, this +# # determines the base registry for each image referenced in this config file. +# registry: stackrox.io +# +## Settings regarding the installation environment +#env: +# # Treat the environment as an OpenShift cluster. Leave this unset to use auto-detection +# # based on available API resources on the server. +# # Possible values: null, false, true, 3, 4 +# openshift: null +# +# # Treat the environment as Istio-enabled. Leave this unset to use auto-detection based on +# # available API resources on the server. +# # Possible values: null, false, true +# istio: null +# +# # The cloud provider platform where the target Kubernetes cluster is running. Leave this +# # unset to use auto-detection based on the Kubernetes version. +# # Possible values: null, "default", "gke" +# platform: null +# +# # Whether to run StackRox in offline mode. When run in offline mode, no connections to external +# # endpoints will be made. 
+# offlineMode: false +# +# # The proxy configuration for Central and Scanner, specified either as an embedded YAML +# # directionary, or as an (expandable) string. +# proxyConfig: null +# +# +## Settings for the StackRox Service CA certificates. +## If `cert` and `key` are both set (it is an error to set only one of the two), the corresponding +## values are used as the PEM-encoded certificate and private key for the internal Service CA. +## If they are left unspecified, they are generated under the following conditions: +## - `generate` is explicitly set to true, or +## - `generate` is unset (null), and the Helm chart is being freshly installed (as opposed to being +## upgraded). +#ca: +# cert: null +# key: null +# generate: null +# + +## Additional CA certificates to trust, besides system roots +## If specified, this should be a map mapping file names to PEM-encoded contents. +#additionalCAs: null +# +central: +# # Settings for telemetry data collection. + telemetry: + enabled: false + storage: + endpoint: "" + key: "" +# +# +# config: "@config/central/config.yaml|config/central/config.yaml.default" +# +# endpointsConfig: "@config/central/endpoints.yaml|config/central/endpoints.yaml.default" +# +# +# nodeSelector: null +# +# jwtSigner: +# key: null +# generate: null +# +# # Settings for the internal service-to-service TLS certificate used by central. +# # See the documentation for `ca` at the top level for an explanation. 
+# serviceTLS: +# cert: null +# key: null +# generate: null +# +# defaultTLS: +# cert: null +# key: null +# +# image: +# registry: null +# name: main +# tag: 4.0.0 +# fullRef: null +# +# adminPassword: +# value: null +# generate: null +# htpasswd: null +# +# resources: +# requests: +# memory: "4Gi" +# cpu: "1500m" +# limits: +# memory: "8Gi" +# cpu: "4000m" +# +# persistence: +# hostPath: null +# persistentVolumeClaim: +# claimName: null +# createClaim: null +# storageClass: null +# size: null +# none: null +# +# exposure: +# +# # LoadBalancer configuration. +# # Disabled by default. +# # Default port is 443. +# loadBalancer: +# enabled: null +# port: null +# ip: null +# +# # NodePort configuration. +# # Disabled by default. +# nodePort: +# enabled: null +# port: null +# +# # Route configuration. +# # Disabled by default. +# route: +# enabled: null +# # Specify a custom hostname if desired, otherwise accept the default from OpenShift. +# host: null +# +# db: +# # External signifies that a Postgres wire-compatible database has already been deployed and a Central DB pod +# # does not need to be deployed +# external: false +# +# source: +# # ConnectionString should not be specified if the Central DB deployment is being managed by the helm chart +# # The connection string must be in the format described here https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING +# # client_encoding=UTF8 is required in any connection string and the only supported encoding +# # statementTimeoutMs is ignored for external database connections +# # If using a connection that supports "statement_timeout" it is recommended to include "statement_timeout=1200000" +# # Do NOT use a connection string with a password field. Instead specify the value below in the password section/ +# connectionString: null +# minConns: 10 +# maxConns: 90 +# statementTimeoutMs: 1200000 +# +# # The admin password setting for communication with Central's DB. 
+# # When a value is set explicitly, this is always used, even on upgrade. +# # Otherwise, a password will be automatically generated if `generate` is set to true, +# # or left unset (null) and the Helm chart is being installed (as opposed to upgraded). +# # Should only be used when utilizing Postgres as central's DB +# password: +# value: null +# generate: null +# +# postgresConfig: "@config/centraldb/postgresql.conf|config/centraldb/postgresql.conf.default" +# hbaConfig: "@config/centraldb/pg_hba.conf|config/centraldb/pg_hba.conf.default" +# +# # Specifying configOverride mounts the specified config map in the same namespace which must contain +# # both pg_hba.conf and postgresql.conf. This should only be used when the default settings are not +# # sufficient and manual override is required. +# configOverride: null +# +# nodeSelector: null +# +# # Settings for the internal service-to-service TLS certificate used by central. +# # See the documentation for `ca` at the top level for an explanation. +# serviceTLS: +# cert: null +# key: null +# generate: null +# +# image: +# registry: null +# name: central-db +# tag: 4.0.0 +# fullRef: null +# +# resources: +# requests: +# memory: "8Gi" +# cpu: "4" +# limits: +# memory: "16Gi" +# cpu: "8" +# +# persistence: +# hostPath: null +# persistentVolumeClaim: +# claimName: null +# createClaim: null +# storageClass: null +# size: null +# none: null +# +## Configuration options relating to StackRox Scanner. +#scanner: +# # If this is set to true, StackRox will be deployed without scanner. No other setting in this +# # section will have any effect. +# disable: false +# +# # Default number of scanner replicas created upon startup. The actual number might be higher +# # or lower if autoscaling is enabled (see below). +# replicas: 3 +# +# logLevel: INFO +# +# # Settings related to autoscaling the scanner deployment. +# autoscaling: +# # If true, autoscaling will be disabled. 
None of the other settings in this section will +# # have any effect. +# disable: false +# minReplicas: 1 +# maxReplicas: 5 +# +# # Resource settings for the scanner deployment. +# resources: +# requests: +# memory: "1500Mi" +# cpu: "1000m" +# limits: +# memory: "4Gi" +# cpu: "2000m" +# +# image: +# registry: null +# name: scanner +# tag: 2.3.2 +# fullRef: null +# +# dbImage: +# registry: null +# name: scanner-db +# tag: 2.3.2 +# fullRef: null +# +# # Resource settings for the scanner-db deployment. +# dbResources: +# limits: +# cpu: 2 +# memory: 4Gi +# requests: +# cpu: 200m +# memory: 200Mi +# +# # The admin password setting for communication with scanner's DB. +# # When a value is set explicitly, this is always used, even on upgrade. +# # Otherwise, a password will be automatically generated if `generate` is set to true, +# # or left unset (null) and the Helm chart is being installed (as opposed to upgraded). +# dbPassword: +# value: null +# generate: null +# +# # Settings for the internal service-to-service TLS certificate used by scanner. +# # See the documentation for `ca` at the top level for an explanation. +# serviceTLS: +# cert: null +# key: null +# generate: null +# +# # Settings for the internal service-to-service TLS certificate used by scanner-db. +# # See the documentation for `ca` at the top level for an explanation. +# dbServiceTLS: +# cert: null +# key: null +# generate: null +# +## EXPERT SETTINGS. You usually do not need to touch those. +# +## If set to true, allow deploying in a namespace other than "stackrox". This is unsupported, so +## use at your own risk. +#allowNonstandardNamespace: false +# +## If set to true, allow a release name other than "stackrox-central-services". There are no issues +## with that, but for streamlining purposes, we want to encourage all users to stick with the +## default name, and make it a little harder to deviate from that. 
+#allowNonstandardReleaseName: false +# +#meta: +# # This controls whether the built-in `lookup` function will be used. If you see an error +# # about there being no function `lookup`, set this to `false` (might be required on Helm +# # versions before 3.1). +# useLookup: true +# +# # This is a dictionary from file names to contents that can be used to inject files that +# # would usually be included via .Files.Get into the chart rendering. +# fileOverrides: {} +# +# # This configuration section allows overriding settings that would be inferred from the +# # running API server. +# apiServer: +# # The Kubernetes version running on the API server. This is used for auto-detection +# # of the platform. +# version: null +# # The list of available API resources on the server, in the form of "apps/v1" or +# # "apps/v1/Deployment". This is used to detect environment capabilities. +# overrideAPIResources: null +# # A list of extra API resources that should be assumed to exist on the API server. This +# # can be used in conjunction with both data obtained from the API server, or data set +# # via `overrideAPIResources`. +# extraAPIResources: [] +# +#monitoring: +# # Enables integration with OpenShift platform monitoring. +# openshift: +# enabled: true diff --git a/4.3.5/secured-cluster-services/.helmignore b/4.3.5/secured-cluster-services/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/4.3.5/secured-cluster-services/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ 
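Review bot: in 4.3.5/central-services/values-public.yaml.example, the `central.endpointsConfig` example documents a plaintext listener (`- listen: ":8080"`, `protocols: - http`, `tls: disable: true`) without saying that such an endpoint should only be reachable from inside the cluster or sit behind a TLS-terminating proxy; since this file is meant to be copied as a starting point, add that caveat in a comment next to the example (the `config/central/endpoints.yaml.default` it points to is not part of this diff, so the reader cannot see it there). Smaller points in the same file: the comment lines introducing `tolerations:` and `affinity:` under `central` and `scanner`, and `dbTolerations:` under `scanner`, are written as `+# If the nodes selected ...` rather than `+# # If the nodes selected ...`, so once the surrounding block is uncommented they become stray YAML text instead of comments (the same line under `db:` uses the `# #` prefix, which is the correct form); `forceRollbackVersion: 3.0.58.0` is a stale example for a chart shipped under a 4.3.5 path; `ip: 10.0.0.0` reads as a network address rather than a host address and should be an obvious placeholder so it is not copied verbatim; and "This is particular relevant" should read "particularly relevant" (it appears twice).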
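Review bot: in 4.3.5/central-services/values.yaml, the documented image defaults `tag: 4.0.0` (central and central-db) and `tag: 2.3.2` (scanner and scanner-db) do not match the 4.3.5 path this chart ships under or the `appVersion: 4.3.5` visible in the secured-cluster Chart.yaml in this diff; if the effective defaults are injected from elsewhere, say so in the comment, otherwise update the tags, because a reader will take these as the images actually deployed. Also in this file: `central:` / `telemetry:` (`enabled: false`) is the only uncommented block in an otherwise fully commented file, which makes it easy to miss that it is the one setting actually applied, so a comment pointing that out would help; the `source` comment ends in `in the password section/`, which looks truncated (the matching line in values-public.yaml.example reads `... in the password section in values-private.yaml.`); `directionary` under `proxyConfig` should be `dictionary`; and the header sentence `all the possible settings that a user can override are.` has a dangling `are`.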
diff --git a/4.3.5/secured-cluster-services/Chart.yaml b/4.3.5/secured-cluster-services/Chart.yaml new file mode 100644 index 0000000..033de2d --- /dev/null +++ b/4.3.5/secured-cluster-services/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: stackrox-secured-cluster-services +icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/Red_Hat-Hat_icon.png +description: Helm Chart for StackRox Secured Clusters +type: application +version: 400.3.5 +appVersion: 4.3.5 diff --git a/4.3.5/secured-cluster-services/README.md b/4.3.5/secured-cluster-services/README.md new file mode 100644 index 0000000..29731e0 --- /dev/null +++ b/4.3.5/secured-cluster-services/README.md 
@@ -0,0 +1,468 @@ +# StackRox Kubernetes Security Platform - Secured Cluster Services Helm Chart + +This Helm chart allows you to deploy the necessary services on a StackRox +secured cluster: StackRox Sensor, StackRox Collector, and StackRox Admission +Control. +If you want to install Secured Cluster Services for Red Hat Advanced Cluster Security, +refer to [Installing the secured-cluster-services Helm chart](https://docs.openshift.com/acs/installing/installing_helm/install-helm-quick.html#installing-secured-cluster-services-quickly_acs-install-helm-quick). + +## Prerequisites + +To deploy the secured cluster services for the StackRox Kubernetes Security Platform, you must: +- Have at least version 3.1 of the Helm tool installed on your machine + +> **IMPORTANT** +> +> We publish new Helm charts with every new release of the StackRox Kubernetes +> Security Platform. Make sure to use a version of this chart that matches the +> StackRox Kubernetes Security Platform version you have installed. + +## Add the canonical chart location as a Helm repository + +The canonical repository for StackRox Helm charts is https://charts.stackrox.io. +To use StackRox Helm charts, run the following command: +```sh +helm repo add stackrox https://charts.stackrox.io +``` +Only run this command once per machine on which you want to use StackRox Helm +charts. + +Before you deploy or upgrade a chart from a remote repository, you must +run the following command: +```sh +helm repo update +``` + +## Install Secured Cluster Services + +Installing a new StackRox secured cluster requires a *cluster init bundle*. You +can generate a **cluster init bundle** by using the `roxctl` CLI or the StackRox +portal. You can use the same bundle to set up multiple StackRox secured +clusters by providing it as an input to the `helm install` command. + +> **NOTE**: +> +> - The following sections assume that you have a safe way to pass secrets to +> the helm command. 
+> - If not, you can decouple secret creation from installing or upgrading the +> Helm chart, see [Deployment with pre-created secrets](#deployment-with-pre-created-secrets) for more information. + +### Generate cluster init bundle + +Run the following command to generate a **cluster init bundle**: +```sh +roxctl central init-bundles generate --output cluster-init-bundle.yaml +``` + +- This command creates a **cluster init bundle** called + `cluster-init-bundle.yaml`. +- Make sure that you store this bundle securely as it contains secrets. You can + use the same bundle to set up multiple StackRox secured clusters. + +### Deploy Secured Cluster Services + +You can use the following command to deploy secured cluster services by using +this Helm chart: +```sh +helm install -n stackrox --create-namespace \ + stackrox-secured-cluster-services stackrox/stackrox-secured-cluster-services \ + -f \ + --set clusterName= \ + --set centralEndpoint= +``` +- In this command, you can replace the chart name + `stackrox/stackrox-secured-cluster-services` with the chart's file path if you have it + locally. +- The provided cluster name can either denote the intended name for a new secured cluster + or the name of an existing cluster, in which case the name will be reused and associated + with the Kubernetes cluster on which the chart is installed. + +After you deploy the StackRox Kubernetes Security Platform Secured Cluster +Services using the `helm install` command, you will see informative notes and +warnings related to the installation. The new cluster automatically registers +itself to StackRox Central, and it is visible in the StackRox portal as a +Helm-managed cluster. If the provided cluster name is already associated with +an existing secured cluster, the name will be reused and associated with the +cluster on which the chart is installed. 
+ +In case you use image mirroring or otherwise access StackRox container images from non-standard location, +you may also need to provide image pull credentials. +There are several ways to inject the required credentials (if any) into the installation process: + +- **Explicitly specify username and password:** Use this if you are using a registry that supports username/password + authentication. Pass the following arguments to the `helm install` command: + ```sh + --set imagePullSecrets.username= --set imagePullSecrets.password= + ``` +- **Use pre-existing image pull secrets:** If you already have one or several image pull secrets + created in the namespace to which you are deploying, you can reference these in the following + way (we assume that your secrets are called `pull-secret-1` and `pull-secret-2`): + ```sh + --set imagePullSecrets.useExisting="pull-secret-1;pull-secret-2" + ``` +- **Do not use image pull secrets:** If you are pulling your images from quay.io/stackrox-io or a registry in a private + network that does not require authentication, or if the default service account in the namespace + to which you are deploying is already configured with appropriate image pull secrets, you do + not need to specify any additional image pull secrets. + +### Applying custom configuration options + +The secured cluster services Helm chart has many different configuration +options. You can directly specify these options when you run the `helm install` +command for simple use cases. + +However, we recommend storing your configuration in a file and using that file +for future upgrades or reconfiguration using the `helm upgrade` command. + +#### Specifying options with `--set` parameter + +You can use the `--set` and `--set-file` parameter with the `helm install` +command to specify various options to customize deployments quickly. However, +don't use them for specifying complex configurations. 
+ +For example, +- **Configure cluster environment**: + ```sh + --set env.openshift=true + ``` +- **Configure collection method**: + ```sh + --set collector.collectionMethod=EBPF + ``` + +#### Using configuration YAML files and the `-f` command-line option + +We recommended that you store all custom configuration options in persisted files. + +The Secured Cluster Services Helm chart contains example configuration files +(called `values-public.yaml.example` and `values-private.yaml.example`), that list +all the available configuration options, along with documentation. + +The following sample configuration file (`secured-cluster.yaml`) uses a few of +the options which you can configure: +- **`values-public.yaml`:** + ```yaml + clusterName: "acme-cluster-01" + centralEndpoint: "central.acme-labs.internal" + + env: + istio: true # enable istio support + + sensor: + # Use custom resource overrides for sensor + resources: + requests: + cpu: "2" + memory: "4Gi" + limits: + cpu: "4" + memory: "8Gi" + + admissionControl: + dynamic: + disableBypass: true # Disable bypassing of Admission Controller + + customize: + # Apply the important-service=true label for all objects managed by this chart. + labels: + important-service: true + # Set the CLUSTER=important-cluster environment variable for all containers in the + # collector deployment: + collector: + envVars: + CLUSTER: important-cluster + ``` +- **`values-private.yaml`**: + ```yaml + imagePullSecrets: + username: + password: + ``` + +After you have created these YAML files, you can inject the configuration options into the +installation process via the `-f` flag, i.e., by appending the following options to the +`helm install` invocation: +```sh +helm install ... -f values-public.yaml -f values-private.yaml +``` + +#### Changing configuration options after deployment + +To make changes to the configuration of an existing deployment of the StackRox +Secured Cluster Services: +1. 
Change the configuration options in your YAML configuration file(s). +1. Use the `-f` option and specify the configuration file's path when you + run the `helm upgrade` command. + +For example, to apply configuration changes for the secured cluster, use the following command: +```sh +helm upgrade -n stackrox \ + stackrox-secured-cluster-services stackrox/stackrox-secured-cluster-services \ + --reuse-values \ + -f values-public.yaml \ + -f values-private.yaml +``` + +You can also specify configuration values using the `--set` or `--set-file` +parameters. However, these options aren't saved, and you'll have to specify all +the options again manually. + +#### Changing cluster name after deployment + +To change the name of the cluster shown in the StackRox portal, you must specify +values for both the `--clusterName` and the `--confirmNewClusterName` options: + +```sh +helm upgrade -n stackrox stackrox-secured-cluster-services --clusterName= --confirmNewClusterName= +``` + +> **NOTE:** +> +> When you change the cluster name: +> - The StackRox Kubernetes Security Platform either creates a new cluster or +> reuses an existing cluster if a cluster with the same name already exists. +> - The StackRox Kubernetes Security Platform doesn't rename the old cluster. +> The old cluster still shows up in the StackRox portal, but it doesn't +> receive any data. You must remove the old cluster if you don't want to see +> it in the StackRox portal. + +### Configuration + +The following table lists some common configuration parameters of this Helm +chart and their default values: + +|Parameter |Description | Default value | +|:---------|:-----------|:--------------| +|`clusterName`| Name of your cluster. | | +|`confirmNewClusterName`| You don't need to change this unless you upgrade and change the value for `clusterName`. In this case, set it to the new value of `clusterName`. 
This option exists to prevent you from [accidentally creating a new cluster with a different name](#changing-cluster-after-deployment). | `null` | +|`centralEndpoint`| Address of the Central endpoint, including the port number (without a trailing slash). If you are using a non-gRPC capable LoadBalancer, use the WebSocket protocol by prefixing the endpoint address with `wss://`. |`central.stackrox.svc:443` | +|`clusterLabels`| Custom labels associated with a secured cluster | `{}` | +|`additionalCAs`| Use it to add (named) PEM-encoded CA certificates for Sensor. | `{}` | +|`imagePullSecrets.username`| Specify username for accessing image registry. |`null`| +|`imagePullSecrets.password`| Specify password for accessing image registry. |`null`| +|`imagePullSecrets.useExisting`| Specify existing Kubernetes image pull secrets that should be used for trying to pull StackRox images. |`[]`| +|`imagePullSecrets.useFromDefaultServiceAccount`| This setting controls whether image pull secrets from a default service account in the target namespace should be used for image pulls. |`true`| +|`imagePullSecrets.useExisting`| Specify existing Kubernetes image pull secrets that should be used for trying to pull StackRox images. |`[]`| +|`imagePullSecrets.allowNone`| Enabling this setting indicates that no image pull secrets are required to be configured upon initial deployment. Use this setting if you are using a cluster-private registry that does not require authentication. |`false`| +|`image.main.name`|Repository from which to download the main image. |`main` | +|`image.collector.name`|Repository from which to download the collector image. |`collector` | +|`image.main.registry`| Address of the registry you are using for main image.|`stackrox.io` | +|`image.collector.registry`| Address of the registry you are using for collector image.|`collector.stackrox.io` | +|`sensor.endpoint`| Address of the Sensor endpoint including port number. 
No trailing slash.|`sensor.stackrox.svc:443` | +|`collector.collectionMethod`|Either `EBPF`, `CORE_BPF`, or `NO_COLLECTION`. |`EBPF` | +|`collector.disableTaintTolerations`|If you specify `false`, tolerations are applied to collector, and the collector pods can schedule onto all nodes with taints. If you specify it as `true`, no tolerations are applied, and the collector pods won't scheduled onto nodes with taints. |`false` | +|`collector.slimMode`| Specify `true` if you want to use a slim Collector image for deploying Collector. Using slim Collector images requires Central to provide the matching kernel module or eBPF probe. If you are running the StackRox Kubernetes Security Platform in offline mode, you must download a kernel support package from [stackrox.io](https://install.stackrox.io/collector/support-packages/index.html) and upload it to Central for slim Collectors to function. Otherwise, you must ensure that Central can access the online probe repository hosted at https://collector-modules.stackrox.io/.|`false` | +|`admissionControl.listenOnCreates`| This setting controls whether the cluster is configured to contact the StackRox Kubernetes Security Platform with `AdmissionReview` requests for `create` events on Kubernetes objects. |`false` | +|`admissionControl.listenOnUpdates`|This setting controls whether the cluster is configured to contact the StackRox Kubernetes Security Platform with `AdmissionReview` requests for `update` events on Kubernetes objects.|`false` | +|`admissionControl.listenOnEvents`|This setting controls whether the cluster is configured to contact the StackRox Kubernetes Security Platform with `AdmissionReview` requests for `update` Kubernetes events like `exec` and `portforward`.|`false` on OpenShift, `true` otherwise.| +|`admissionControl.dynamic.enforceOnCreates`| It controls whether the StackRox Kubernetes Security Platform evaluates policies; if it’s disabled, all `AdmissionReview` requests are automatically accepted. 
You must specify `listenOnCreates` as `true` for this to work. |`false` | +|`admissionControl.dynamic.enforceOnUpdates`| It controls whether the StackRox Kubernetes Security Platform evaluates policies for object updates; if it’s disabled, all `AdmissionReview` requests are automatically accepted. You must specify `listenOnUpdates` as `true` for this to work. |`false`| +|`admissionControl.dynamic.scanInline`| |`false` | +|`admissionControl.dynamic.disableBypass`|Set it to `true` to disable [bypassing the admission controller](https://help.stackrox.com/docs/manage-security-policies/use-admission-controller-enforcement/). |`false` | +|`admissionControl.dynamic.timeout`|The maximum time in seconds, the StackRox Kubernetes Security Platform should wait while evaluating admission review requests. Use it to set request timeouts when you enable image scanning. If the image scan runs longer than the specified time, the StackRox Kubernetes Security Platform accepts the request. Other enforcement options, such as scaling the deployment to zero replicas, are still applied later if the image violates applicable policies.|`3` | +|`registryOverride`|Use this parameter to override the default `docker.io` registry. Specify the name of your registry if you are using some other registry.| | +|`createUpgraderServiceAccount`| Specify `true` to create the `sensor-upgrader` account. By default, the StackRox Kubernetes Security Platform creates a service account called `sensor-upgrader` in each secured cluster. This account is highly privileged but is only used during upgrades. If you don’t create this account, you will have to complete future upgrades manually if the Sensor doesn’t have enough permissions. 
See [Enable automatic upgrades for secured clusters](https://help.stackrox.com/docs/configure-stackrox/enable-automatic-upgrades/) for more information.|`false` | +|`createSecrets`| Specify `false` to skip the orchestrator secret creation for the sensor, collector, and admission controller. | `true` | +|`customize`|Modern interface for specifying custom metadata for resources, including labels, annotations and environment variables. See below for more information.|`{}`| + + +The following table lists some advanced parameters, and you'll only need them in +non-standard environments: + +|Parameter |Description | Default value | +|:---------|:-----------|:--------------| +|`image.main.tag`| Tag of `main` image to use.|`null` | +|`image.collector.tag`| Tag of `collector` image to use.| `null` | +|`image.main.pullPolicy`| Image pull policy for `main` images.|`IfNotPresent`| +|`image.collector.pullPolicy`| Image pull policy for `collector` images.| `IfNotPresent` if `slimCollector` is enabled, `Always` otherwise.| +|`sensor.resources`|Resource specification for Sensor.|See below.| +|`collector.resources`|Resource specification for Collector.|See below.| +|`collector.complianceResources`|Resource specification for Collector's Compliance container.|See below.| +|`collector.nodeScanningResources`|Resource specification for Collector's Node Inventory container.|See below.| +|`collector.nodeSelector` | Node selector for Collector pods placement. | `null` (no placement constraints) | +|`admissionControl.resources`|Resource specification for Admission Control.|See below.| +|`sensor.imagePullPolicy`| Kubernetes image pull policy for Sensor. | `IfNotPresent` | +|`sensor.nodeSelector` | Node selector for Sensor pod placement. | `null` (no placement constraints) | +|`collector.imagePullPolicy`| Kubernetes image pull policy for Collector. | `Always` when deploying in slim mode, otherwise `IfNotPresent`. 
| +|`collector.complianceImagePullPolicy`| Kubernetes image pull policy for Collector. | `IfNotPresent` | +|`admissionControl.imagePullPolicy`| Kubernetes image pull policy for Admission Control. | `IfNotPresent` | +|`admissionControl.nodeSelector` | Node selector for Admission Control pods placement. | `null` (no placement constraints) | +|`exposeMonitoring`| This setting controls whether the monitoring port (TCP 9090) should be exposed on the services. | `false` | +|`env.openshift`| The StackRox Kubernetes Security Platform automatically detects the OpenShift version (`3.x` or `4.x`). Use this parameter to override the automatically detected version number, for example `4`. | `null` | +|`env.istio`| This setting can be used for overwriting the auto-sensing of Istio environments. If enabled, the cluster is set up for an Istio environment. | Auto-sensed, depends on environment. | +|`scanner.disable`| Scan images stored in the cluster's local registries. This variable is only available for the OpenShift Container Platform. | `true` | + +### Default resources + +Each container's default resource settings are defined in the +`internal/defaults.yaml` file in this chart. The following table lists the YAML +paths to the respective defaults for each container that this chart deploys: + +|Container |Path in `internal/defaults.yaml` | +|:----------------|:------------------------------------------| +|Sensor |`defaults.sensor.resources` | +|Collector |`defaults.collector.resources` | +|Compliance |`defaults.collector.complianceResources` | +|NodeInventory |`defaults.collector.nodeScanningResources`| +|Admission Control|`defaults.admissionControl.resources` | + +### Customization settings + +The `customize` setting allows specifying custom Kubernetes metadata (labels and +annotations) for all objects created by this Helm chart and additional pod +labels, pod annotations, and container environment variables for workloads. 
+ +The configuration is hierarchical, in the sense that metadata defined at a more +generic scope (for example, for all objects) can be overridden by metadata +defined at a narrower scope (for example, only for the sensor deployment). + +For example: + +``` +customize: + # Extra metadata for all objects. + labels: + my-label-key: my-label-value + annotations: + my-annotation-key: my-annotation-value + # Extra pod metadata for all objects (only has an effect for workloads, i.e., deployments and daemonsets). + podLabels: + my-pod-label-key: my-pod-label-value + podAnnotations: + my-pod-annotation-key: my-pod-annotation-value + # Extra environment variables for all containers in all workloads. + envVars: + MY_ENV_VAR_NAME: MY_ENV_VAR_VALUE + # Extra metadata for the central deployment only. + sensor: + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + envVars: {} + # Extra metadata for the collector deployment only. + collector: + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + envVars: {} + # Extra metadata for the admission-control deployment only. + admission-control: + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + envVars: {} + # Extra metadata for all other objects. The keys in the following map can be + # an object name of the form "service/sensor", or a reference to all + # objects of a given type in the form "service/*". The values under each key + # are the five metadata overrides (labels, annotations, podLabels, podAnnotations, envVars) + # as specified above, though only the first two will be relevant for non-workload + # object types. + other: + "service/*": + labels: {} + annotations: {} +``` + +## Deployment with pre-created secrets + +The init bundle that you pass to the `helm` command using the `-f` flag creates +Kubernetes secrets for TLS certificates. If you don't want Helm to manage your +Kubernetes secrets, you can deploy the Secured Cluster Services chart without +creating secrets. 
However, it requires that you always specify the StackRox CA +certificate while installing or upgrading the Helm chart. This certificate +doesn't need to be kept secret. + +1. **Obtain the CA certificate configuration** either through the StackRox + portal or by using the `roxctl` CLI. + - **StackRox portal**: + 1. Navigate to **Platform Configuration** > **Integrations**. + 1. Under the **Authentication Tokens** section, select **Cluster Init Bundle**. + 1. Select **Get CA Config** on the top right to download the configuration + file called `ca-config.yaml`. + - **`roxctl CLI**: + 1. Run the following command: + ```sh + roxctl central init-bundles fetch-ca --output ca-config.yaml + ``` + This command writes the CA certificate configuration in a file called + `ca-config.yaml`. +1. **Use the CA certificate configuration in your Helm installation**. When you + run the `helm install` or the `helm upgrade` command, + pass the option `-f ca-config.yaml`: + ```sh + helm install -n stackrox stackrox-secured-cluster-services stackrox/stackrox-secured-cluster-services \ + -f ca-config.yaml \ + + ``` +1. **Disable TLS secret creation**. To prevent Helm from creating Kubernetes + secrets for the StackRox service certificates, set the `createSecrets` option + to `false`. You can either specify `createSecrets` option in a YAML + configuration file (such as `values-public.yaml`) or pass it to the `helm` + command by adding the `--set createSecrets=false` option. + +### Required Kubernetes secrets + +The following list contains the Kubernetes `Secret` objects that you need to +create in the `stackrox` namespace (or the custom namespace you are using) if +you configure the Helm chart to not create TLS certificate secrets. 
+ +- `sensor-tls` with data: + - `ca.pem`: PEM-encoded StackRox CA certificate + - `sensor-cert.pem`: PEM-encoded StackRox Sensor certificate + - `sensor-key.pem`: PEM-encoded private key for the StackRox Sensor certificate +- `collector-tls` with data: + - `ca.pem`: PEM-encoded StackRox CA certificate + - `collector-cert.pem`: PEM-encoded StackRox Collector certificate + - `collector-key.pem`: PEM-encoded private key for the StackRox Collector certificate +- `admission-control-tls` with data: + - `ca.pem`: PEM-encoded StackRox CA certificate + - `admission-control-cert.pem`: PEM-encoded StackRox Admission Control certificate + - `admission-control-key.pem`: PEM-encoded private key for the StackRox Admision Control certificate + +#### Obtaining secrets for an existing cluster + +If you upgrade from a previous Helm chart, you can create certificates specific +to a particular cluster by using the following `roxctl` CLI command: + +```sh +export ROX_API_TOKEN= +roxctl -e sensor generate-certs +``` +Running this command create a file called `cluster--tls.yaml` in +the current directory. The file contains YAML manifests for the +[required Kubernetes secrets](#required-kubernetes-secrets). + +#### Obtaining secrets for an init bundle + +If you want to deploy multiple clusters using this Helm chart and want to create +certificates that can be used to register new clusters on-the-fly, you can +obtain the contents of an init bundle in the form of Kubernetes secrets. You can +use the StackRox portal or the `roxctl` CLI for this. + +- **Using the StackRox portal**: + 1. Navigate to **Platform Configuration** > **Integrations**. + 1. Under the **Authentication Tokens** section, select **Cluster Init Bundle**. + 1. Select the add **+** icon on the top left and enter a name for the new init + bundle. + 1. Select **Generate**. + 1. Select **Download Kubernetes Secrets File** at the bottom to save the + Kubernetes manifests to a file called + `-cluster-init-secrets.yaml`. 
+- **Using the `roxctl` CLI**: + 1. run the following command: + ```sh + roxctl central init-bundles generate --output-secrets cluster-init-secrets.yaml + ``` + This command stores the Kubernetes secret manifests for the cluster init + certificates in a file called `cluster-init-secrets.yaml`. + +You can then use the YAML file to generate secrets through any method that you like, for example, using Sealed Secrets. + +> **NOTE** +> +> Even when you use the certificates from an init bundle, you still need to +> specify the CA certificate configuration every time you install or upgrade the +> Helm chart. diff --git a/4.3.5/secured-cluster-services/assets/Red_Hat-Hat_icon.png b/4.3.5/secured-cluster-services/assets/Red_Hat-Hat_icon.png new file mode 100644 index 0000000..fae985e Binary files /dev/null and b/4.3.5/secured-cluster-services/assets/Red_Hat-Hat_icon.png differ diff --git a/4.3.5/secured-cluster-services/assets/StackRox_icon.png b/4.3.5/secured-cluster-services/assets/StackRox_icon.png new file mode 100644 index 0000000..3c136e3 Binary files /dev/null and b/4.3.5/secured-cluster-services/assets/StackRox_icon.png differ diff --git a/4.3.5/secured-cluster-services/config-templates/scanner/config.yaml.tpl b/4.3.5/secured-cluster-services/config-templates/scanner/config.yaml.tpl new file mode 100644 index 0000000..5efc0b9 --- /dev/null +++ b/4.3.5/secured-cluster-services/config-templates/scanner/config.yaml.tpl 
@@ -0,0 +1,48 @@ +{{- /* + This is the configuration file template for Scanner. + Except for in extremely rare circumstances, you DO NOT need to modify this file. + All config options that are possibly dynamic are templated out and can be modified + via `--set`/values-files specified via `-f`. + */ -}} + +# Configuration file for scanner. + +scanner: + centralEndpoint: https://central.{{ .Release.Namespace }}.svc + sensorEndpoint: https://sensor.{{ .Release.Namespace }}.svc + database: + # Database driver + type: pgsql + options: + # PostgreSQL Connection string + # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING + source: host=scanner-db.{{ .Release.Namespace }}.svc port=5432 user=postgres sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} statement_timeout=60000 + + # Number of elements kept in the cache + # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. + cachesize: 16384 + + api: + httpsPort: 8080 + grpcPort: 8443 + + updater: + # Frequency with which the scanner will poll for vulnerability updates. + interval: 5m + + logLevel: {{ ._rox.scanner.logLevel }} + + # The scanner intentionally avoids extracting or analyzing any files + # larger than the following default sizes to prevent DoS attacks. + # Leave these commented to use a reasonable default. + + # The max size of files in images that are extracted. + # Increasing this number increases memory pressure. + # maxExtractableFileSizeMB: 200 + # The max size of ELF executable files that are analyzed. + # Increasing this number may increase disk pressure. + # maxELFExecutableFileSizeMB: 800 + # The max size of image file reader buffer. Image file data beyond this limit are overflowed to temporary files on disk. + # maxImageFileReaderBufferSizeMB: 100 + + exposeMonitoring: false 
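Review bot: The `sslmode` selection in the `source` connection string (`verify-full` only when `.Release.Namespace` is `stackrox`, `verify-ca` for any other namespace) silently drops hostname verification for non-standard namespaces and carries no comment saying why; presumably the scanner-db certificate is issued for the `stackrox` namespace, but a reader of this template cannot tell whether the downgrade is intentional, so add a one-line comment stating the reason and the security trade-off. The trailing `exposeMonitoring: false` is hard-coded even though the header comment says every possibly-dynamic option is templated and settable via `--set`/values files; either template it from the chart's `exposeMonitoring` value or say in the comment that it is fixed here. Typo in the cache comment: "in order to save prevent needless roundtrips" should read "to prevent needless roundtrips".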
diff --git a/4.3.5/secured-cluster-services/internal/cluster-config.yaml.tpl b/4.3.5/secured-cluster-services/internal/cluster-config.yaml.tpl new file mode 100644 index 0000000..a85ddd7 --- /dev/null +++ b/4.3.5/secured-cluster-services/internal/cluster-config.yaml.tpl @@ -0,0 +1,33 @@ +{{- if ._rox.clusterName }} +clusterName: {{ ._rox.clusterName }} +{{- end }} +managedBy: {{ ._rox.managedBy }} +notHelmManaged: {{ eq ._rox.managedBy "MANAGER_TYPE_MANUAL" }} +clusterConfig: + staticConfig: + {{- if not ._rox.env.openshift }} + type: KUBERNETES_CLUSTER + {{- else }} + type: {{ if eq (int ._rox.env.openshift) 4 -}} OPENSHIFT4_CLUSTER {{- else -}} OPENSHIFT_CLUSTER {{ end }} + {{- end }} + mainImage: {{ coalesce ._rox.image.main._abbrevImageRef ._rox.image.main.fullRef }} + collectorImage: {{ coalesce ._rox.image.collector._abbrevImageRef ._rox.image.collector.fullRef }} + centralApiEndpoint: {{ ._rox.centralEndpoint }} + collectionMethod: {{ ._rox.collector.collectionMethod | upper | replace "-" "_" }} + admissionController: {{ ._rox.admissionControl.listenOnCreates }} + admissionControllerUpdates: {{ ._rox.admissionControl.listenOnUpdates }} + admissionControllerEvents: {{ ._rox.admissionControl.listenOnEvents }} + tolerationsConfig: + disabled: {{ ._rox.collector.disableTaintTolerations }} + slimCollector: {{ ._rox.collector.slimMode }} + dynamicConfig: + disableAuditLogs: {{ ._rox.auditLogs.disableCollection | not | not }} + admissionControllerConfig: + enabled: {{ ._rox.admissionControl.dynamic.enforceOnCreates }} + timeoutSeconds: {{ ._rox.admissionControl.dynamic.timeout }} + scanInline: {{ ._rox.admissionControl.dynamic.scanInline }} + disableBypass: {{ ._rox.admissionControl.dynamic.disableBypass }} + enforceOnUpdates: {{ ._rox.admissionControl.dynamic.enforceOnUpdates }} + registryOverride: {{ ._rox.registryOverride }} + configFingerprint: {{ ._rox._configFP }} + clusterLabels: {{- toYaml ._rox.clusterLabels | nindent 4 }} 
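Review bot: Several user-controlled string values are emitted unquoted in `cluster-config.yaml.tpl` (`clusterName: {{ ._rox.clusterName }}`, `centralApiEndpoint: {{ ._rox.centralEndpoint }}`, `registryOverride: {{ ._rox.registryOverride }}`), so a value containing YAML-significant characters (a leading `*` or `&`, a `: ` sequence, a `#`) changes the meaning of the rendered document or breaks parsing; unless the chart guarantees these are always plain scalars, pipe them through `quote`, as `compatibility-translation.yaml` in this same patch already does for `envVars`, and consider guarding `registryOverride` with an `{{- if }}` the way `clusterName` is. The double negation in `disableAuditLogs: {{ ._rox.auditLogs.disableCollection | not | not }}` is a bool coercion but reads like a mistake; a short comment would prevent someone "fixing" it.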
diff --git a/4.3.5/secured-cluster-services/internal/compatibility-translation.yaml b/4.3.5/secured-cluster-services/internal/compatibility-translation.yaml new file mode 100644 index 0000000..4e33afc --- /dev/null +++ b/4.3.5/secured-cluster-services/internal/compatibility-translation.yaml 
@@ -0,0 +1,137 @@ +# Configuration compatibility layer translation rules. +# +# This file is a YAML file describing an object following the shape of the legacy Chart configuration. +# Each leaf object is a config fragment template, that will be merged into the user-specified config when specified +# by the user. +# +# The config fragment templates may reference the values ".value" and ".rawValue", the former containing the +# JSON-encoded value of the input field, the latter containing the value as a parsed object. + +cluster: + name: | + clusterName: {{ .value }} + type: | + env: + openshift: {{ if eq .rawValue "OPENSHIFT4_CLUSTER" }} 4 {{ else }} {{ eq .rawValue "OPENSHIFT_CLUSTER" }} {{ end }} + +endpoint: + central: | + centralEndpoint: {{ .value }} + advertised: | + sensor: + endpoint: {{ .value }} + +image: + repository: + main: | + image: + main: + name: {{ .value }} + collector: | + image: + collector: + name: {{ .value }} + registry: + main: | + image: + main: + registry: {{ .value }} + collector: | + image: + collector: + registry: {{ .value }} + pullPolicy: + main: | + image: + main: + pullPolicy: {{ .value }} + collector: | + image: + collector: + pullPolicy: {{ .value }} + tag: + main: | + image: + main: + tag: {{ .value}} + collector: | + image: + collector: + tag: {{ .value }} + +config: + collectionMethod: | + collector: + collectionMethod: {{ .value }} + + dynamic: + enforce: null # bool + scanInline: null # bool + disableBypass: null # bool + timeout: null # natural number + enforceOnUpdates: null # bool + + admissionControl: + createService: | + admissionControl: + listenOnCreates: {{ .value }} + listenOnUpdates: | + admissionControl: + listenOnUpdates: {{ .value }} + listenOnEvents: | + admissionControl: + listenOnEvents: {{ .value }} + enableService: | + admissionControl: + dynamic: + enforceOnCreates: {{ .value }} + enforceOnUpdates: | + admissionControl: + dynamic: + enforceOnUpdates: {{ .value }} + scanInline: | + admissionControl: + 
dynamic: + scanInline: {{ .value }} + disableBypass: | + admissionControl: + dynamic: + disableBypass: {{ .value }} + timeout: | + admissionControl: + dynamic: + timeout: {{ .value }} + registryOverride: | + registryOverride: {{ .value }} + disableTaintTolerations: | + collector: + disableTaintTolerations: {{ .value }} + createUpgraderServiceAccount: | + createUpgraderServiceAccount: {{ .value }} + createSecrets: | + createSecrets: {{ .value }} + offlineMode: null # not used + slimCollector: | + collector: + slimMode: {{ .value }} + sensorResources: | + sensor: + resources: {{ .value }} + admissionControlResources: | + admissionControl: + resources: {{ .value }} + collectorResources: | + collector: + resources: {{ .value }} + complianceResources: | + collector: + complianceResources: {{ .value }} + exposeMonitoring: | + exposeMonitoring: {{ .value }} + +envVars: | + customize: + envVars: + {{- range $_, $v := .rawValue }} + {{ quote $v.name }}: {{ quote $v.value }} + {{- end }} diff --git a/4.3.5/secured-cluster-services/internal/config-shape.yaml b/4.3.5/secured-cluster-services/internal/config-shape.yaml new file mode 100644 index 0000000..57450fa --- /dev/null +++ b/4.3.5/secured-cluster-services/internal/config-shape.yaml 
@@ -0,0 +1,162 @@ +clusterName: null # string +clusterLabels: null # dict +confirmNewClusterName: null # string +centralEndpoint: null # string +registryOverride: null # string +exposeMonitoring: null # bool +createUpgraderServiceAccount: null # string +helmManaged: null +createSecrets: null +additionalCAs: null # [obj] +imagePullSecrets: + username: null # string + password: null # string + allowNone: null # bool + useExisting: null # string | [string] + useFromDefaultServiceAccount: null # bool +mainImagePullSecrets: + username: null # string + password: null # string + useExisting: null # string | [string] + useFromDefaultServiceAccount: null # bool + allowNone: null # bool +collectorImagePullSecrets: + username: null # string + password: null # string + useExisting: null # string | [string] + useFromDefaultServiceAccount: null # bool + allowNone: null # bool +image: + registry: null # string + main: + registry: null # string + name: null # string + repository: null # string + tag: null # string + fullRef: null # string + pullPolicy: null # string + collector: + slim: + fullRef: null # string + full: + fullRef: null # string + registry: null # string + name: null # string + repository: null # string + tag: null # string + fullRef: null # string + pullPolicy: null # string + scanner: + registry: null # string + name: null # string + repository: null # string + tag: null # string + fullRef: null # string + scannerDb: + registry: null # string + name: null # string + tag: null # string + fullRef: null # string +env: + openshift: null # bool | int + istio: null # bool +ca: + cert: null # string +sensor: + imagePullPolicy: null # string + endpoint: null # string + affinity: null # dict + resources: null # string | dict + serviceTLS: + cert: null # string + key: null # string + exposeMonitoring: null # bool + nodeSelector: null # string | dict + tolerations: null # [dict] + localImageScanning: + # Enables the local image scanning feature in Sensor. 
This disabled if local image scanning should not be used to prevent + # sensor reaching out to a scanner instance. + # This setting does not relate to the scanner deployment configuration which configures whether scanner should be deployed. + enabled: null # bool +admissionControl: + listenOnCreates: null # bool + listenOnUpdates: null # bool + listenOnEvents: null # bool + dynamic: + enforceOnCreates: null # bool + scanInline: null # bool + disableBypass: null # bool + timeout: null # natural number + enforceOnUpdates: null # bool + imagePullPolicy: null # string + replicas: null # int + affinity: null # dict + resources: null # string | dict + serviceTLS: + cert: null # string + key: null # string + exposeMonitoring: null # bool + nodeSelector: null # string | dict + tolerations: null # [dict] +collector: + collectionMethod: null # string + disableTaintTolerations: null # bool + slimMode: null # bool + imagePullPolicy: null # string + tolerations: null # [dict] + resources: null # string | dict + complianceImagePullPolicy: null # string + complianceResources: null # string | dict + nodeScanningResources: null # string | dict + serviceTLS: + cert: null # string + key: null # string + exposeMonitoring: null # bool + nodeSelector: null # string | dict + disableSELinuxOptions: null # bool + seLinuxOptionsType: null # string +auditLogs: + disableCollection: null # bool +customize: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + sensor: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + admission-control: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + collector: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + other: {} # dict +allowNonstandardNamespace: null # bool 
+allowNonstandardReleaseName: null # bool +enableOpenShiftMonitoring: null # bool +monitoring: + openshift: + enabled: null # bool +meta: + namespaceOverride: null # bool + useLookup: null # bool + fileOverrides: {} # dict + configFingerprintOverride: null # string + apiServer: + version: null # string + overrideAPIResources: null # [string] + extraAPIResources: null # [string] +system: + createSCCs: null # bool + enablePodSecurityPolicies: null # bool diff --git a/4.3.5/secured-cluster-services/internal/defaults/00-bootstrap.yaml b/4.3.5/secured-cluster-services/internal/defaults/00-bootstrap.yaml new file mode 100644 index 0000000..846ca57 --- /dev/null +++ b/4.3.5/secured-cluster-services/internal/defaults/00-bootstrap.yaml @@ -0,0 +1,15 @@ +# If we are being linted, magically apply settings that will not cause linting to break. +{{- if eq .Release.Name "test-release" }} +{{- include "srox.warn" (list . "You are using a release name that is reserved for tests. In order to allow linting to work, certain checks have been relaxed. If you are deploying to a real environment, we recommend that you choose a different release name.") }} +allowNonstandardNamespace: true +allowNonstandardReleaseName: true +clusterName: test-cluster-for-lint +{{- end }} +--- + +_namespace: {{ default .Release.Namespace ._rox.meta.namespaceOverride }} + +--- +meta: + useLookup: true + fileOverrides: {} diff --git a/4.3.5/secured-cluster-services/internal/defaults/10-env.yaml b/4.3.5/secured-cluster-services/internal/defaults/10-env.yaml new file mode 100644 index 0000000..48605ae --- /dev/null +++ b/4.3.5/secured-cluster-services/internal/defaults/10-env.yaml 
@@ -0,0 +1,11 @@ +# This file applies default environment configuration, based on available API server resources. +{{- if kindIs "invalid" ._rox.env.istio }} +env: + {{- if has "networking.istio.io/v1alpha3" ._rox._apiServer.apiResources }} + istio: true + {{- include "srox.note" (list . "Based on API server properties, we have inferred that you are deploying into an Istio-enabled cluster. Set the `env.istio` property explicitly to false/true to override the auto-sensed value.") }} + {{- else }} + istio: false + {{- end }} +{{- end }} +system: diff --git a/4.3.5/secured-cluster-services/internal/defaults/20-tls-files.yaml b/4.3.5/secured-cluster-services/internal/defaults/20-tls-files.yaml new file mode 100644 index 0000000..6eb6408 --- /dev/null +++ b/4.3.5/secured-cluster-services/internal/defaults/20-tls-files.yaml @@ -0,0 +1,23 @@ +# These defaults ensure that by default, certificates and keys are loaded from the respective files in the secrets/ +# directory that they needed to be placed in for the old sensor Helm chart. +# +# A user can specify either references to files (with a "@" prefix - note that this requires changing the chart, +# as Helm only allows accessing files that are part of the chart), or PEM-encoded certificates and keys directly. + +ca: + cert: "@?secrets/ca.pem" + +sensor: + serviceTLS: + cert: "@?secrets/sensor-cert.pem" + key: "@?secrets/sensor-key.pem" + +admissionControl: + serviceTLS: + cert: "@?secrets/admission-control-cert.pem" + key: "@?secrets/admission-control-key.pem" + +collector: + serviceTLS: + cert: "@?secrets/collector-cert.pem" + key: "@?secrets/collector-key.pem" diff --git a/4.3.5/secured-cluster-services/internal/defaults/30-base-config.yaml b/4.3.5/secured-cluster-services/internal/defaults/30-base-config.yaml new file mode 100644 index 0000000..f1b86f2 --- /dev/null +++ b/4.3.5/secured-cluster-services/internal/defaults/30-base-config.yaml 
@@ -0,0 +1,117 @@ +# This file contains basic configuration options for all services + +centralEndpoint: "central.{{ required "unknown namespace" ._rox._namespace }}.svc:443" +createUpgraderServiceAccount: false + +{{- if .Release.IsInstall }} +createSecrets: true +{{- end }} + +exposeMonitoring: false + +helmManaged: true + + +managedBy: MANAGER_TYPE_HELM_CHART + + +clusterName: "" +confirmNewClusterName: "" + +imagePullSecrets: + allowNone: false + useExisting: [] + useFromDefaultServiceAccount: true + +sensor: + endpoint: "sensor.{{ required "unknown namespace" ._rox._namespace }}.svc:443" + localImageScanning: + enabled: false + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # Sensor is single-homed, so avoid preemptible nodes. + - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: Exists + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: Exists + # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in + # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+ - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: DoesNotExist + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + +admissionControl: + listenOnCreates: false + listenOnUpdates: false + listenOnEvents: {{ not ._rox.env.openshift }} + dynamic: + enforceOnCreates: false + scanInline: false + disableBypass: false + timeout: 20 + enforceOnUpdates: false + replicas: 3 + + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # node-role.kubernetes.io/master is replaced by node-role.kubernetes.io/control-plane from certain version + # of k8s. We apply both to be compatible with any k8s version. + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: Exists + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 60 + podAffinityTerm: + topologyKey: "kubernetes.io/hostname" + labelSelector: + matchLabels: + app: admission-control + +collector: + collectionMethod: "EBPF" + disableTaintTolerations: false + nodescanningEndpoint: "127.0.0.1:8444" + tolerations: + - operator: "Exists" + +auditLogs: + disableCollection: {{ ne ._rox.env.openshift 4 }} + +enableOpenShiftMonitoring: false +--- +sensor: + exposeMonitoring: {{ ._rox.exposeMonitoring }} +collector: + exposeMonitoring: {{ ._rox.exposeMonitoring }} +admissionControl: + exposeMonitoring: {{ ._rox.exposeMonitoring }} diff --git a/4.3.5/secured-cluster-services/internal/defaults/40-resources.yaml b/4.3.5/secured-cluster-services/internal/defaults/40-resources.yaml new file mode 100644 index 0000000..4dd0c19 --- /dev/null +++ b/4.3.5/secured-cluster-services/internal/defaults/40-resources.yaml 
@@ -0,0 +1,44 @@ +# This file contains the default resource requirements for the StackRox Secured Cluster services. + +sensor: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "8Gi" + cpu: "4" + +admissionControl: + resources: + requests: + memory: "100Mi" + cpu: "50m" + limits: + memory: "500Mi" + cpu: "500m" + +collector: + resources: + requests: + memory: "320Mi" + cpu: "50m" + limits: + memory: "1Gi" + cpu: "750m" + + complianceResources: + requests: + memory: "10Mi" + cpu: "10m" + limits: + memory: "2Gi" + cpu: "1" + + nodeScanningResources: + requests: + memory: "10Mi" + cpu: "10m" + limits: + memory: "500Mi" + cpu: "1" diff --git a/4.3.5/secured-cluster-services/internal/defaults/50-images.yaml b/4.3.5/secured-cluster-services/internal/defaults/50-images.yaml new file mode 100644 index 0000000..1dea82e --- /dev/null +++ b/4.3.5/secured-cluster-services/internal/defaults/50-images.yaml 
@@ -0,0 +1,114 @@ +# This file contains the default image (registry + name + tag) settings) for all StackRox Secured Cluster +# Services. + +# Initialize default meta values +image: + registry: stackrox.io + main: + name: main + pullPolicy: IfNotPresent + collector: + name: collector + slimName: collector-slim + scanner: + name: scanner-slim + tag: 4.3.5 + + scannerDb: + name: scanner-db-slim + tag: 4.3.5 + +--- +# Add registry defaults +image: + main: + registry: {{ ._rox.image.registry }} + collector: + registry: {{ if or (eq ._rox.image.registry "stackrox.io") (eq ._rox.image.registry "registry.connect.redhat.com") }}collector.stackrox.io{{ else }}{{ ._rox.image.registry }}{{ end }} + scanner: + registry: {{ ._rox.image.registry }} + + scannerDb: + registry: {{ ._rox.image.registry }} + +--- +# Default to collector slim mode. If configured registry equals the default we can assume the cluster has internet connectivity. +collector: + slimMode: {{ eq ._rox.image.collector.registry "collector.stackrox.io" }} +--- +# Configure repository (registry + name) +image: + main: + repository: {{ list ._rox.image.main.registry ._rox.image.main.name | compact | join "/" }} + collector: + {{- if ._rox.collector.slimMode }} + repository: {{ list ._rox.image.collector.registry ._rox.image.collector.slimName | compact | join "/" }} + {{- else }} + repository: {{ list ._rox.image.collector.registry ._rox.image.collector.name | compact | join "/" }} + {{- end }} + scanner: + repository: {{ list ._rox.image.scanner.registry ._rox.image.scanner.name | compact | join "/" }} + + scannerDb: + repository: {{ list ._rox.image.scannerDb.registry ._rox.image.scannerDb.name | compact | join "/" }} + +--- +# Configure collector slim image full ref +image: + collector: + {{- if and ._rox.collector.slimMode ._rox.image.collector.slim.fullRef }} + fullRef: {{ ._rox.image.collector.slim.fullRef }} + {{- else if and (not ._rox.collector.slimMode) ._rox.image.collector.full.fullRef }} + fullRef: {{ 
._rox.image.collector.full.fullRef }} + {{- end }} +--- +# Apply fullRef and configurations to images +image: + main: + {{- if or ._rox.image.main.tag ._rox.image.main.fullRef }} + {{- include "srox.warn" (list . "You have specified an explicit main image (tag). This will prevent the main image from being updated correctly when upgrading to a newer version of this chart.") }} + {{- else }} + _abbrevImageRef: {{ ._rox.image.main.repository }} + {{- end }} + tag: 4.3.5 + collector: + {{- if or ._rox.image.collector.tag ._rox.image.collector.fullRef }} + {{- include "srox.warn" (list . "You have specified an explicit collector image tag. This will prevent the collector image from being updated correctly when upgrading to a newer version of this chart.") }} + {{- if ._rox.collector.slimMode }} + {{- include "srox.warn" (list . "You have specified an explicit collector image tag. The slim collector setting will not have any effect.") }} + {{- end }} + {{- else }} + _abbrevImageRef: {{ ._rox.image.collector.repository }} + {{- end }} +--- +# Configure tags and pull policies +image: + collector: + {{- if ._rox.collector.slimMode }} + tag: "4.3.5" + pullPolicy: IfNotPresent + {{- else }} + tag: "4.3.5" + pullPolicy: Always + {{- end }} +--- +# Add fullRef references to images +# TODO(ROX-9261): Add support for image pull policy to scanner slim +image: + main: + fullRef: {{ printf "%s:%s" ._rox.image.main.repository ._rox.image.main.tag }} + collector: + fullRef: {{ printf "%s:%s" ._rox.image.collector.repository ._rox.image.collector.tag }} + scanner: + fullRef: {{ printf "%s:%s" ._rox.image.scanner.repository ._rox.image.scanner.tag }} + + scannerDb: + fullRef: {{ printf "%s:%s" ._rox.image.scannerDb.repository ._rox.image.scannerDb.tag }} + +collector: + imagePullPolicy: {{ ._rox.image.collector.pullPolicy }} + complianceImagePullPolicy: {{ ._rox.image.main.pullPolicy }} +sensor: + imagePullPolicy: {{ ._rox.image.main.pullPolicy }} +admissionControl: + imagePullPolicy: 
{{ ._rox.image.main.pullPolicy }} diff --git a/4.3.5/secured-cluster-services/internal/defaults/60-sccs.yaml b/4.3.5/secured-cluster-services/internal/defaults/60-sccs.yaml new file mode 100644 index 0000000..36e74fd --- /dev/null +++ b/4.3.5/secured-cluster-services/internal/defaults/60-sccs.yaml @@ -0,0 +1,2 @@ +system: + createSCCs: true diff --git a/4.3.5/secured-cluster-services/internal/defaults/70-scanner.yaml b/4.3.5/secured-cluster-services/internal/defaults/70-scanner.yaml new file mode 100644 index 0000000..43bc5d8 --- /dev/null +++ b/4.3.5/secured-cluster-services/internal/defaults/70-scanner.yaml @@ -0,0 +1,38 @@ +scanner: + disable: true + replicas: 3 + logLevel: INFO + mode: slim + + autoscaling: + disable: false + minReplicas: 2 + maxReplicas: 5 + + resources: + requests: + memory: "1500Mi" + cpu: "1000m" + limits: + memory: "4Gi" + cpu: "2000m" + + dbResources: + limits: + cpu: "2000m" + memory: "4Gi" + requests: + cpu: "200m" + memory: "200Mi" + + slimImage: + name: "" + tag: "" + fullRef: "" + repository: "" + + slimDBImage: + name: "" + tag: "" + fullRef: "" + repository: "" diff --git a/4.3.5/secured-cluster-services/internal/defaults/whats-this.md b/4.3.5/secured-cluster-services/internal/defaults/whats-this.md new file mode 100644 index 0000000..d58c8de --- /dev/null +++ b/4.3.5/secured-cluster-services/internal/defaults/whats-this.md 
@@ -0,0 +1,39 @@ +`defaults/` directory +====================== + +This directory provides a set of files that provide a lighter-weight interface for configuring +defaults in the Helm chart, allowing the use of template expressions (including referencing previously +applied defaults) without requiring (an excessive amount of) template control structures (such as +`{{ if kindIs "invalid" ... }}` to determine if a value has already been set). + +After applying some "bootstrap" configuration (such as for making available API server resources +visible in a uniform manner), each `.yaml` file in this directory is processed in an order determined +by its name (hence the `NN-` prefixes). Each YAML file consists of multiple documents (separated by +`---` lines) that are rendered as templates and then _merged_ into the effective configuration, giving +strict preference to already set values. + +Having a deterministic order is important for being able to rely on previously configured +values (either specified by the user or applied as a default). For example, the file +```yaml +group: + setting: "foo" + anotherSetting: 3 +--- +group: + derivedSetting: {{ printf "%s-%d" ._rox.group.setting ._rox.group.anotherSetting }} +``` +combined with the command-line setting `--set group.setting=bar` will result in the following +"effective" configuration: +```yaml +group: + setting: "bar" # user-specified value takes precedence - default value "foo" not applied + anotherSetting: 3 # default value + derivedSetting: bar-3 # combination of user-specified value and default value; "pure" default without + # any --set arguments would be "foo-3" +``` + +**Caveats**: +- Templating instructions must be contained to a single document within the multi-document YAML files. In particular, + the `---` separator must not be within a conditionally rendered block, or emitted by templating code. +- It is recommended to contain dependencies between default settings to a single YAML file. 
While the `NN-` prefixes + ensure a well-defined application order of individual files, having dependent blocks in the same file adds clarity. diff --git a/4.3.5/secured-cluster-services/internal/expandables.yaml b/4.3.5/secured-cluster-services/internal/expandables.yaml new file mode 100644 index 0000000..09ebbae --- /dev/null +++ b/4.3.5/secured-cluster-services/internal/expandables.yaml @@ -0,0 +1,44 @@ +imagePullSecrets: + username: true + password: true +mainImagePullSecrets: + username: true + password: true +collectorImagePullSecrets: + username: true + password: true +ca: + cert: true +sensor: + serviceTLS: + cert: true + key: true + resources: true + nodeSelector: true +admissionControl: + serviceTLS: + cert: true + key: true + resources: true + nodeSelector: true +collector: + serviceTLS: + cert: true + key: true + resources: true + complianceResources: true + nodeScanningResources: true + nodeSelector: true +scanner: + resources: true + dbResources: true + nodeSelector: true + dbNodeSelector: true + dbPassword: + value: true + serviceTLS: + cert: true + key: true + dbServiceTLS: + cert: true + key: true diff --git a/4.3.5/secured-cluster-services/internal/scanner-config-shape.yaml b/4.3.5/secured-cluster-services/internal/scanner-config-shape.yaml new file mode 100644 index 0000000..da3b315 --- /dev/null +++ b/4.3.5/secured-cluster-services/internal/scanner-config-shape.yaml 
@@ -0,0 +1,40 @@ +scanner: + mode: null # string + disable: null # bool + replicas: null # int + logLevel: null # string + nodeSelector: null # string | dict + dbNodeSelector: null # string | dict + tolerations: null # [dict] + dbTolerations: null # [dict] + autoscaling: + disable: null # bool + minReplicas: null # int + maxReplicas: null # int + affinity: null # dict + resources: null # string | dict + image: + registry: null # string + name: null # string + tag: null # string + fullRef: null # string + dbImage: + registry: null # string + name: null # string + tag: null # string + fullRef: null # string + dbResources: null # string | dict + dbPassword: + value: null # string + generate: null # bool + serviceTLS: + cert: null # string + key: null # string + generate: null # bool + dbServiceTLS: + cert: null # string + key: null # string + generate: null # bool + exposeMonitoring: null # bool +system: + enablePodSecurityPolicies: null # bool diff --git a/4.3.5/secured-cluster-services/scripts/fetch-secrets.sh b/4.3.5/secured-cluster-services/scripts/fetch-secrets.sh new file mode 100755 index 0000000..850a227 --- /dev/null +++ b/4.3.5/secured-cluster-services/scripts/fetch-secrets.sh 
@@ -0,0 +1,41 @@ +#!/bin/sh + +# fetch-secrets.sh +# Retrieves StackRox TLS secrets currently stored in the current Kubernetes context, and stores them in a format +# suitable for consumption by the Helm chart. +# +# The YAML bundle is printed to stdout, use output redirection (>filename) to store the output to a file. +# This script supports the following environment variables: +# - KUBECTL: the command to use for kubectl. Spaces will be tokenized by the shell interpreter (default: "kubectl"). +# - ROX_NAMESPACE: the namespace in which the current StackRox deployment runs (default: "stackrox") +# - FETCH_CA_ONLY: if set to "true", will create a bundle containing only the CA certificate (default: "false") + +DIR="$(cd "$(dirname "$0")" && pwd)" + +KUBECTL="${KUBECTL:-kubectl}" +ROX_NAMESPACE="${ROX_NAMESPACE:-stackrox}" + +FETCH_CA_ONLY="${FETCH_CA_ONLY:-false}" + +case "$FETCH_CA_ONLY" in + false|0) + TEMPLATE_FILE="fetched-secrets-bundle.yaml.tpl" + DESCRIPTION="certificates and keys" + ;; + true|1) + TEMPLATE_FILE="fetched-secrets-bundle-ca-only.yaml.tpl" + DESCRIPTION="CA certificate only" + ;; + *) + echo >&2 "Invalid value '$FETCH_CA_ONLY' for FETCH_CA_ONLY, only false and true are allowed" + exit 1 +esac + +# The leading '#' signs aren't required as they don't go to stdout, but when printing to the console, +# it looks more natural to include them. +echo >&2 "# Fetching $DESCRIPTION from current Kubernetes context (namespace $ROX_NAMESPACE), store" +echo >&2 "# the output in a file and pass it to helm via the -f parameter." + +$KUBECTL get --ignore-not-found -n "$ROX_NAMESPACE" \ + secret/sensor-tls secret/collector-tls secret/admission-control-tls \ + -o go-template-file="${DIR}/${TEMPLATE_FILE}" \ diff --git a/4.3.5/secured-cluster-services/scripts/fetched-secrets-bundle-ca-only.yaml.tpl b/4.3.5/secured-cluster-services/scripts/fetched-secrets-bundle-ca-only.yaml.tpl new file mode 100644 index 0000000..b5a13c2 --- /dev/null 
+++ b/4.3.5/secured-cluster-services/scripts/fetched-secrets-bundle-ca-only.yaml.tpl @@ -0,0 +1,9 @@ +{{- range $item := .items }} +{{- if eq $item.metadata.name "sensor-tls" }} +{{- $caPEM := index $item.data "ca.pem" }} +{{- if $caPEM }} +ca: + cert: "{{ $caPEM | base64decode | js }}" +{{- end }} +{{- end }} +{{- end }} diff --git a/4.3.5/secured-cluster-services/scripts/fetched-secrets-bundle.yaml.tpl b/4.3.5/secured-cluster-services/scripts/fetched-secrets-bundle.yaml.tpl new file mode 100644 index 0000000..72bb452 --- /dev/null +++ b/4.3.5/secured-cluster-services/scripts/fetched-secrets-bundle.yaml.tpl @@ -0,0 +1,35 @@ +{{- range $item := .items }} +{{- if eq $item.metadata.name "sensor-tls" }} +{{- $caPEM := index $item.data "ca.pem" }} +{{- if $caPEM }} +ca: + cert: "{{ $caPEM | base64decode | js }}" +{{- end }} +{{- $sensorCert := index $item.data "sensor-cert.pem" }} +{{- $sensorKey := index $item.data "sensor-key.pem" }} +{{- if and $sensorCert $sensorKey }} +sensor: + serviceTLS: + cert: "{{ $sensorCert | base64decode | js }}" + key: "{{ $sensorKey | base64decode | js }}" +{{- end }} +{{- else if eq $item.metadata.name "collector-tls" }} +{{- $collectorCert := index $item.data "collector-cert.pem" }} +{{- $collectorKey := index $item.data "collector-key.pem" }} +{{- if and $collectorCert $collectorKey }} +collector: + serviceTLS: + cert: "{{ $collectorCert | base64decode | js }}" + key: "{{ $collectorKey | base64decode | js }}" +{{- end }} +{{- else if eq $item.metadata.name "admission-control-tls" }} +{{- $admCtrlCert := index $item.data "admission-control-cert.pem" }} +{{- $admCtrlKey := index $item.data "admission-control-key.pem" }} +{{- if and $admCtrlCert $admCtrlKey }} +admissionControl: + serviceTLS: + cert: "{{ $admCtrlCert | base64decode | js }}" + key: "{{ $admCtrlKey | base64decode | js }}" +{{- end }} +{{- end }} +{{- end }} 
diff --git a/4.3.5/secured-cluster-services/sensor-chart-upgrade.md b/4.3.5/secured-cluster-services/sensor-chart-upgrade.md new file mode 100644 index 0000000..f3d5ddf --- /dev/null +++ b/4.3.5/secured-cluster-services/sensor-chart-upgrade.md 
@@ -0,0 +1,159 @@ +# Upgrading from the `sensor` Helm chart + +There are differences between the `sensor` Helm chart that was part of the +StackRox Kubernetes Security Platform version 3.0.54 and the Secured Cluster +Services Helm chart in the StackRox Kubernetes Security Platform version 3.0.55. + +Therefore, if you are using the StackRox Kubernetes Security Platform version 3.0.54 +or older, and you've used the `sensor` Helm chart, you must verify (and change) +the following additional options to upgrade to the new Helm charts for the +StackRox Kubernetes Security Platform version 3.0.55. + +## Namespace + +|Version 3.0.54 and older |Version 3.0.55 and newer | +|-------------------------|-------------------------| +|The `sensor` Helm chart creates all Kubernetes resources in the `stackrox` namespace, even if you've used the `-n`/`--namespace` flag to the `helm install` command.|The Secured Cluster Services Helm chart creates all resources in the namespace you specify by using the `-n`/`--namespace` flag. However, we recommend that you always install the chart in the `stackrox` namespace.| + +If you've previously installed the `sensor` Helm chart into a namespace other +than `stackrox`, you **must** set the namespace override option to `stackrox`. + +To do this, either: +- pass the `--set meta.namespaceOverride=stackrox` flag, or +- add the following section in your configuration file: + ```yaml + meta: + namespaceOverride: stackrox + ``` + +## Configuration file + +|Version 3.0.54 and older |Version 3.0.55 and newer | +|-------------------------|--------------------------| +|Installation using the `sensor` Helm chart requires adding your customizations in the `values.yaml` file that is part of the chart.|The Secured Cluster Services Helm chart uses a separate configuration file.| + +> **IMPORTANT** +> +> If you are using the Secured Cluster Services Helm chart, **do not** modify +> the `values.yaml` file that is part of the chart. 
+ +We recommend that you always store the configuration in separate files: + +- `values-public.yaml`: include all non-sensitive configuration options in this + file. +- `values-private.yaml`: include all sensitive configuration options such as + image pull secrets or certificates and keys. + +You can also use a separate file for the cluster init bundle. For more +information, see the main [README.md](README.md) file. + +## Secrets injection + +|Version 3.0.54 and older |Version 3.0.55 and newer | +|-------------------------|--------------------------| +|The `sensor` Helm chart downloads certificates and private keys specific to a single cluster and stores them in the `secrets/` directory.|The Secured Cluster Services Helm chart uses cluster init bundles. For more information, see the main [README.md](README.md) file.| + +To upgrade, +1. Copy the `values.yaml` you used for the most recent installation or upgrade of the + `sensor` Helm chart and store it as `sensor-values.yaml`. +1. Connect to the Kubernetes cluster on which you've previously installed the + `sensor` Helm chart. +1. Run `./scripts/fetch-secrets.sh`. The `fetch-secrets.sh` script shows a YAML + file as output, which contains all secrets. Store the output of this command + in a file (you can use `./scripts/fetch-secrets.sh >secrets.yaml` to directly + write the command output to a file called `secrets.yaml`). +1. Run the `helm upgrade` command and pass the YAML (from the previous step) file by + using the `-f` option: + ```sh + helm upgrade -n stackrox sensor stackrox/secured-cluster-services \ + --reuse-values -f sensor-values.yaml -f ... + ``` + The above command assumes that you have added the https://charts.stackrox.io Helm + chart repository to your local Helm installation. See the main [README.md](README.md) + for instructions on how to set this up. + If you want to use this chart from a local directory, replace + `stackrox/secured-cluster-services` with the path to the chart directory. 
+ +> **NOTE** +> +> Although you can copy the `secrets` directory from your old `sensor` Helm +> chart instead, we **do not** recommend doing it. + + +## Helm-managed clusters + +When you use the Secured Cluster Services Helm chart, the clusters it creates +are treated as Helm-managed by default. It means that whenever you run the +`helm upgrade` command afterward, it applies the configuration changes specified +in your Helm configuration file, overwriting any changes to settings you've done +through the StackRox portal. + +Additionally, because of the differences between the Helm upgrade and the +StackRox Kubernetes Security Platform automatic upgrade, you can't use +the automatic upgrades option from the StackRox portal. + +If you don't want an upgraded cluster to be treated as Helm-managed, set the +`helmManaged` configuration option to `false`. + +## Configuration format + +There are differences between the configuration format that the sensor Helm +chart uses and the Secured Cluster Services Helm chart's uses. We recommend that +you migrate to the new configuration format. + +Here is the list of old and new configuration options: + +|Old configuration option |New configuration option | +|-------------------------|-------------------------| +| `cluster.name` | `clusterName` | +| `cluster.type` | Set `env.openshift` to `true` for `cluster.type=OPENSHIFT_CLUSTER` and `false` for `cluster.type=KUBERNETES_CLUSTER`. Leave unset to automatically detect (recommended). 
| +| `endpoint.central` | `centralEndpoint` | +| `endpoint.advertised` | `sensor.endpoint` | +| `image.repository.main` | `image.main.name` | +| `image.repository.collector` | `image.collector.name` | +| `image.registry.main` | `image.main.registry` | +| `image.registry.collector` | `image.collector.registry` | +| `image.pullPolicy.main` | `image.main.pullPolicy` | +| `image.pullPolicy.collector` | `image.collector.pullPolicy` | +| `image.tag.main` | `image.main.tag` | +| `image.tag.collector` | `image.collector.tag` | +| `config.collectionMethod` | `collector.collectionMethod` | +| `config.admissionControl.createService` | `admissionControl.listenOnCreates` | +| `config.admissionControl.listenOnUpdates` | `admissionControl.listenOnUpdates` | +| `config.admissionControl.enableService` | `admissionControl.dynamic.enforceOnCreates` | +| `config.admissionControl.enforceOnUpdates` | `admissionControl.dynamic.enforceOnUpdates` | +| `config.admissionControl.scanInline` | `admissionControl.dynamic.scanInline` | +| `config.admissionControl.disableBypass` | `admissionControl.dynamic.disableBypass` | +| `config.admissionControl.timeout` | `admissionControl.dynamic.timeout` | +| `config.registryOverride` | `registryOverride` | +| `config.disableTaintTolerations` | `collector.disableTaintTolerations` | +| `config.createUpgraderServiceAccount` | `createUpgraderServiceAccount` | +| `config.createSecrets` | `createSecrets` | +| `config.offlineMode` | This option has no effect and will be removed. 
| +| `config.slimCollector` | `collector.slimMode` | +| `config.sensorResources` | `sensor.resources` | +| `config.admissionControlResources` | `admissionControl.resources` | +| `config.collectorResources` | `collector.resources` | +| `config.complianceResources` | `collector.complianceResources` | +| `config.exposeMonitoring` | `exposeMonitoring` | +| `envVars` | See example below | + +**Custom environment variables:** The old format for custom environment variable settings was +```yaml +envVars: +- name: ENV_VAR1 + value: "value1" +- name: ENV_VAR2 + value: "value2" +... +``` + +In the new configuration format, rewrite this as: +```yaml +customize: + envVars: + ENV_VAR1: "value1" + ENV_VAR2: "value2" +``` +You can find out more about customizing object labels, annotations, and environment variables in the main +[README.md](README.md). \ No newline at end of file diff --git a/4.3.5/secured-cluster-services/templates/00-collector-image-pull-secrets.yaml b/4.3.5/secured-cluster-services/templates/00-collector-image-pull-secrets.yaml new file mode 100644 index 0000000..eba103f --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/00-collector-image-pull-secrets.yaml @@ -0,0 +1,18 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.collectorImagePullSecrets._dockerAuths }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: secured-cluster-services-collector + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "secured-cluster-services-collector") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "secured-cluster-services-collector") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +data: + .dockerconfigjson: {{ dict "auths" ._rox.collectorImagePullSecrets._dockerAuths | toJson | b64enc | quote }} +{{ end }} 
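Review bot: the upgrade steps in the README hunk tell the reader to write the output of `./scripts/fetch-secrets.sh` to `secrets.yaml` and pass it to `helm upgrade` with `-f`, but the example command shows only `-f sensor-values.yaml -f ...` and nothing says what to do with a file that holds the cluster's certificates and private keys afterwards. Step 4 should show `-f secrets.yaml` so the intended argument is explicit, and a closing step should say to delete `secrets.yaml` (and `sensor-values.yaml` if it carries pull secrets) once the upgrade has succeeded, consistent with the `values-private.yaml` guidance at the top of this section.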
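Review bot: in 00-collector-image-pull-secrets.yaml the Secret is rendered as a `pre-install,pre-upgrade` hook with `"helm.sh/resource-policy": keep`, so Helm never deletes it and `helm uninstall` leaves the registry credentials behind in the namespace; the README or NOTES.txt should state this and name `secured-cluster-services-collector` as something to remove by hand. The Secret also goes into `namespace: {{ ._rox._namespace }}` while the ServiceAccounts and other namespaced objects in this chart use `.Release.Namespace`; NOTES.txt prints a note for the case where the two differ, and a pull secret in one namespace cannot be referenced from the other, so either render it into `.Release.Namespace` as well or document that the two must match for pull secrets to resolve.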
diff --git a/4.3.5/secured-cluster-services/templates/00-injected-ca-bundle.yaml b/4.3.5/secured-cluster-services/templates/00-injected-ca-bundle.yaml new file mode 100644 index 0000000..3289c2a --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/00-injected-ca-bundle.yaml @@ -0,0 +1,15 @@ +{{- include "srox.init" . -}} + +{{- if eq ._rox.env.openshift 4 }} +{{ $injectedCABundleName := printf "injected-cabundle-%s" .Release.Name }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $injectedCABundleName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" $injectedCABundleName) | nindent 4 }} + "config.openshift.io/inject-trusted-cabundle": "true" + annotations: + {{- include "srox.annotations" (list . "configmap" $injectedCABundleName) | nindent 4 }} +{{- end }} diff --git a/4.3.5/secured-cluster-services/templates/00-main-image-pull-secrets.yaml b/4.3.5/secured-cluster-services/templates/00-main-image-pull-secrets.yaml new file mode 100644 index 0000000..052aa3e --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/00-main-image-pull-secrets.yaml @@ -0,0 +1,18 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.mainImagePullSecrets._dockerAuths }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: secured-cluster-services-main + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "secured-cluster-services-main") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "secured-cluster-services-main") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +data: + .dockerconfigjson: {{ dict "auths" ._rox.mainImagePullSecrets._dockerAuths | toJson | b64enc | quote }} +{{ end }} 
diff --git a/4.3.5/secured-cluster-services/templates/02-scanner-00-serviceaccount.yaml b/4.3.5/secured-cluster-services/templates/02-scanner-00-serviceaccount.yaml new file mode 100644 index 0000000..a27c602 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/02-scanner-00-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "scanner") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.imagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} + +{{ end -}} diff --git a/4.3.5/secured-cluster-services/templates/02-scanner-01-psps.yaml b/4.3.5/secured-cluster-services/templates/02-scanner-01-psps.yaml new file mode 100644 index 0000000..23b398c --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/02-scanner-01-psps.yaml 
@@ -0,0 +1,69 @@ +{{- include "srox.init" . -}} + +{{- if and (not ._rox.scanner.disable) ._rox.system.enablePodSecurityPolicies }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }} + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }} +rules: +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-scanner-psp + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }} +subjects: + - kind: ServiceAccount + name: scanner + namespace: {{ .Release.Namespace }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} 
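Review bot: in 02-scanner-01-psps.yaml the PodSecurityPolicy is looser than the workloads it gates: the scanner and scanner-db pods set `runAsNonRoot: true` with fixed UIDs (65534 and 70) and the scanner container drops `NET_RAW`, yet the PSP has `runAsUser: rule: 'RunAsAny'` and no `requiredDropCapabilities`, and it allows `persistentVolumeClaim` although both deployments use only `emptyDir`, `configMap`, `secret` and the `projected` service-account token. Tightening to `rule: 'MustRunAsNonRoot'`, adding `requiredDropCapabilities: [NET_RAW]` and removing `persistentVolumeClaim` costs nothing for these pods. Since `policy/v1beta1` PodSecurityPolicy was removed in Kubernetes 1.25, a comment next to the `enablePodSecurityPolicies` gate saying it must stay off on 1.25 and later would spare users a failed install.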
diff --git a/4.3.5/secured-cluster-services/templates/02-scanner-01-security.yaml b/4.3.5/secured-cluster-services/templates/02-scanner-01-security.yaml new file mode 100644 index 0000000..3c1d92b --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/02-scanner-01-security.yaml 
@@ -0,0 +1,78 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable }} +{{- if and ._rox.env.openshift ._rox.system.createSCCs }} +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-scanner") | nindent 4 }} + kubernetes.io/description: stackrox-scanner is the security constraint for the Scanner container +priority: 0 +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +users: + - system:serviceaccount:{{ .Release.Namespace }}:scanner +volumes: + - '*' +allowHostDirVolumePlugin: false +allowedCapabilities: [] +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +defaultAddCapabilities: [] +fsGroup: + type: RunAsAny +readOnlyRootFilesystem: false +requiredDropCapabilities: [] + +{{- else if eq ._rox.env.openshift 4 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: use-scanner-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "use-scanner-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "role" "use-scanner-scc") | nindent 4 }} +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - anyuid + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: scanner-use-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "scanner-use-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"rolebinding" "scanner-use-scc") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: use-scanner-scc +subjects: +- kind: ServiceAccount + name: scanner + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/4.3.5/secured-cluster-services/templates/02-scanner-02-db-password-secret.yaml b/4.3.5/secured-cluster-services/templates/02-scanner-02-db-password-secret.yaml new file mode 100644 index 0000000..c6c0bc1 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/02-scanner-02-db-password-secret.yaml @@ -0,0 +1,27 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +{{- if ._rox.scanner._dbPassword -}} +{{- if not (kindIs "invalid" ._rox.scanner._dbPassword.value) -}} + +apiVersion: v1 +kind: Secret +metadata: + name: scanner-db-password + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "scanner-db-password") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "scanner-db-password") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +type: Opaque +stringData: + password: | + {{- ._rox.scanner._dbPassword.value | nindent 4 }} + +{{- end -}} +{{- end -}} + +{{ end -}} diff --git a/4.3.5/secured-cluster-services/templates/02-scanner-04-scanner-config.yaml b/4.3.5/secured-cluster-services/templates/02-scanner-04-scanner-config.yaml new file mode 100644 index 0000000..4ed16c7 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/02-scanner-04-scanner-config.yaml 
@@ -0,0 +1,18 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: scanner-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "scanner-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "scanner-config") | nindent 4 }} +data: + config.yaml: | + {{- tpl (.Files.Get "config-templates/scanner/config.yaml.tpl") . | nindent 4 }} + +{{ end -}} diff --git a/4.3.5/secured-cluster-services/templates/02-scanner-05-network-policy.yaml b/4.3.5/secured-cluster-services/templates/02-scanner-05-network-policy.yaml new file mode 100644 index 0000000..99f7233 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/02-scanner-05-network-policy.yaml 
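Review bot: in 02-scanner-04-scanner-config.yaml, `.Files.Get "config-templates/scanner/config.yaml.tpl"` returns an empty string when the file is absent from the packaged chart, so `tpl` would silently produce an empty `config.yaml` and the scanner would start with no configuration. Wrapping the lookup in `required`, e.g. `{{- tpl (required "scanner config template missing" (.Files.Get "config-templates/scanner/config.yaml.tpl")) . | nindent 4 }}`, turns a packaging mistake into a template-time failure instead.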
@@ -0,0 +1,91 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: scanner + ingress: + - from: + - podSelector: + matchLabels: + app: central + ports: + - port: 8080 + protocol: TCP + - port: 8443 + protocol: TCP +{{ if or (eq ._rox.scanner.mode "slim") ._rox.env.openshift }} + - from: + - podSelector: + matchLabels: + app: sensor + ports: + - port: 8080 + protocol: TCP + - port: 8443 + protocol: TCP +{{ end }} + policyTypes: + - Ingress + +--- + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner-db") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: scanner-db + ingress: + - from: + - podSelector: + matchLabels: + app: scanner + ports: + - port: 5432 + protocol: TCP + policyTypes: + - Ingress + +{{ end -}} + +{{ if ._rox.scanner.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner-monitoring + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner-monitoring") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: scanner + policyTypes: + - Ingress +{{ end }} 
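Review bot: in 02-scanner-05-network-policy.yaml the `scanner-monitoring` policy's ingress rule has `ports` but no `from`, so once `exposeMonitoring` is set, port 9090 on scanner pods is reachable from any peer the CNI can route rather than only from the monitoring stack; add a `from` entry with a `namespaceSelector` and `podSelector` for the scraper, sourced from values. The same block also sits outside the `{{- if not ._rox.scanner.disable -}}` guard that wraps the `scanner` and `scanner-db` policies, so it is rendered even when the scanner is disabled; moving it inside the guard keeps the file consistent.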
diff --git a/4.3.5/secured-cluster-services/templates/02-scanner-06-deployment.yaml b/4.3.5/secured-cluster-services/templates/02-scanner-06-deployment.yaml new file mode 100644 index 0000000..89ac82c --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/02-scanner-06-deployment.yaml 
@@ -0,0 +1,296 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + app: scanner + {{- include "srox.labels" (list . "deployment" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "deployment" "scanner") | nindent 4 }} +spec: + replicas: {{ ._rox.scanner.replicas }} + minReadySeconds: 15 + selector: + matchLabels: + app: scanner + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: scanner + {{- include "srox.podLabels" (list . "deployment" "scanner") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8080,8443" + {{- include "srox.podAnnotations" (list . "deployment" "scanner") | nindent 8 }} + spec: + {{- if ._rox.scanner._nodeSelector }} + nodeSelector: + {{- ._rox.scanner._nodeSelector | nindent 8 }} + {{- end }} + {{- if ._rox.scanner.tolerations }} + tolerations: + {{- toYaml ._rox.scanner.tolerations | nindent 8 }} + {{- end }} + affinity: + {{- toYaml ._rox.scanner.affinity | nindent 8 }} + containers: + - name: scanner + {{ if eq ._rox.scanner.mode "slim" -}} + image: {{ ._rox.scanner.slimImage.fullRef | quote }} + {{ else }} + image: {{ ._rox.scanner.image.fullRef | quote }} + {{ end -}} + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if ._rox.env.openshift }} + - name: ROX_OPENSHIFT_API + value: "true" + {{- end}} + {{- include "srox.envVars" (list . 
"deployment" "scanner" "scanner") | nindent 8 }} + resources: + {{- ._rox.scanner._resources | nindent 10 }} + command: + - /entrypoint.sh + ports: + - name: https + containerPort: 8080 + - name: grpc + containerPort: 8443 + {{ if ._rox.scanner.exposeMonitoring -}} + - name: monitoring + containerPort: 9090 + {{- end}} + securityContext: + capabilities: + drop: ["NET_RAW"] + runAsUser: 65534 + readinessProbe: + httpGet: + scheme: HTTPS + path: /scanner/ping + port: 8080 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + volumeMounts: + - name: scanner-etc-ssl-volume + mountPath: /etc/ssl + - name: scanner-etc-pki-volume + mountPath: /etc/pki/ca-trust + - name: additional-ca-volume + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + - name: scanner-config-volume + mountPath: /etc/scanner + readOnly: true + - name: scanner-tls-volume + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: vuln-temp-db + mountPath: /var/lib/stackrox + - name: proxy-config-volume + mountPath: /run/secrets/stackrox.io/proxy-config/ + readOnly: true + - name: scanner-db-password + mountPath: /run/secrets/stackrox.io/secrets + readOnly: true + {{- include "srox.injectedCABundleVolumeMount" . | nindent 8 }} + securityContext: + runAsNonRoot: true + runAsUser: 65534 + serviceAccountName: scanner + volumes: + - name: additional-ca-volume + secret: + defaultMode: 420 + optional: true + secretName: additional-ca + - name: scanner-etc-ssl-volume + emptyDir: {} + - name: scanner-etc-pki-volume + emptyDir: {} + - name: scanner-config-volume + configMap: + name: scanner-config + - name: scanner-tls-volume + secret: + secretName: scanner-tls + - name: vuln-temp-db + emptyDir: {} + - name: proxy-config-volume + secret: + secretName: proxy-config + optional: true + - name: scanner-db-password + secret: + secretName: scanner-db-password + {{- include "srox.injectedCABundleVolume" . 
| nindent 6 }} +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + app: scanner-db + {{- include "srox.labels" (list . "deployment" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "deployment" "scanner-db") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: scanner-db + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: scanner-db + {{- include "srox.podLabels" (list . "deployment" "scanner-db") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "5432" + {{- include "srox.podAnnotations" (list . "deployment" "scanner-db") | nindent 8 }} + spec: + {{- if ._rox.scanner._dbNodeSelector }} + nodeSelector: + {{- ._rox.scanner._dbNodeSelector | nindent 8 }} + {{- end }} + {{- if ._rox.scanner.dbTolerations }} + tolerations: + {{- toYaml ._rox.scanner.dbTolerations | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # ScannerDB is single-homed, so avoid preemptible nodes. + - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: Exists + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: Exists + # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in + # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+ - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: DoesNotExist + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + initContainers: + - name: init-db + {{ if eq ._rox.scanner.mode "slim" -}} + image: {{ ._rox.scanner.slimDBImage.fullRef | quote }} + {{ else -}} + image: {{ ._rox.scanner.dbImage.fullRef | quote }} + {{ end -}} + env: + - name: POSTGRES_PASSWORD_FILE + value: "/run/secrets/stackrox.io/secrets/password" + - name: ROX_SCANNER_DB_INIT + value: "true" + resources: + {{- ._rox.scanner._dbResources | nindent 12 }} + volumeMounts: + - name: scanner-db-data + mountPath: /var/lib/postgresql/data + - name: scanner-db-tls-volume + mountPath: /run/secrets/stackrox.io/certs + readOnly: true + - name: scanner-db-password + mountPath: /run/secrets/stackrox.io/secrets + readOnly: true + containers: + - name: db + {{ if eq ._rox.scanner.mode "slim" -}} + image: {{ ._rox.scanner.slimDBImage.fullRef | quote }} + {{ else -}} + image: {{ ._rox.scanner.dbImage.fullRef | quote }} + {{ end -}} + env: + {{- include "srox.envVars" (list . 
"deployment" "scanner-db" "db") | nindent 10 }} + ports: + - name: tcp-postgresql + protocol: TCP + containerPort: 5432 + resources: + {{- ._rox.scanner._dbResources | nindent 10 }} + volumeMounts: + - name: scanner-db-data + mountPath: /var/lib/postgresql/data + - name: scanner-db-tls-volume + mountPath: /run/secrets/stackrox.io/certs + readOnly: true + serviceAccountName: scanner + securityContext: + fsGroup: 70 + runAsGroup: 70 + runAsNonRoot: true + runAsUser: 70 + volumes: + - name: scanner-config-volume + configMap: + name: scanner-config + - name: scanner-tls-volume + secret: + secretName: scanner-tls + - name: scanner-db-tls-volume + secret: + secretName: scanner-db-tls + defaultMode: 0640 + items: + - key: cert.pem + path: server.crt + - key: key.pem + path: server.key + - key: ca.pem + path: root.crt + - name: scanner-db-data + emptyDir: {} + - name: scanner-db-password + secret: + secretName: scanner-db-password + +{{ end -}} diff --git a/4.3.5/secured-cluster-services/templates/02-scanner-07-service.yaml b/4.3.5/secured-cluster-services/templates/02-scanner-07-service.yaml new file mode 100644 index 0000000..2f65b15 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/02-scanner-07-service.yaml 
@@ -0,0 +1,99 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: Service +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "scanner") | nindent 4 }} +spec: + ports: + - name: https-scanner + port: 8080 + targetPort: 8080 + - name: grpcs-scanner + port: 8443 + targetPort: 8443 + {{ if ._rox.scanner.exposeMonitoring -}} + - name: monitoring + port: 9090 + targetPort: monitoring + {{- end}} + selector: + app: scanner + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "scanner-db") | nindent 4 }} +spec: + ports: + - name: tcp-db + port: 5432 + targetPort: 5432 + selector: + app: scanner-db + type: ClusterIP + +{{ if ._rox.env.istio }} +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: scanner-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }} + annotations: + stackrox.io/description: "Disable Istio mTLS for ports 8080 and 8443, since StackRox services use built-in mTLS." + {{- include "srox.annotations" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }} +spec: + host: scanner.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8080 + tls: + mode: DISABLE + - port: + number: 8443 + tls: + mode: DISABLE + +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: scanner-db-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . 
"destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }} + annotations: + stackrox.io/description: "Disable Istio mTLS for port 5432, since StackRox services use built-in mTLS." + {{- include "srox.annotations" (list . "destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }} +spec: + host: scanner-db.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 5432 + tls: + mode: DISABLE +{{ end }} + +{{ end -}} diff --git a/4.3.5/secured-cluster-services/templates/02-scanner-08-hpa.yaml b/4.3.5/secured-cluster-services/templates/02-scanner-08-hpa.yaml new file mode 100644 index 0000000..c7af476 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/02-scanner-08-hpa.yaml @@ -0,0 +1,25 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +{{- if not ._rox.scanner.autoscaling.disable -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }} +spec: + minReplicas: {{ ._rox.scanner.autoscaling.minReplicas }} + maxReplicas: {{ ._rox.scanner.autoscaling.maxReplicas }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: scanner + targetCPUUtilizationPercentage: 150 +{{ end -}} + +{{ end -}} diff --git a/4.3.5/secured-cluster-services/templates/NOTES.txt b/4.3.5/secured-cluster-services/templates/NOTES.txt new file mode 100644 index 0000000..9c9fd01 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/NOTES.txt 
@@ -0,0 +1,40 @@ +{{- $_ := include "srox.init" . -}} + +StackRox Secured Cluster Services {{.Chart.AppVersion}} has been installed. + + +Secured Cluster Configuration Summary: + + Name: {{ ._rox.clusterName }} + Kubernetes Namespace: {{ ._rox._namespace }}{{ if ne .Release.Namespace ._rox._namespace }} [NOTE: Helm release is attached to namespace {{ .Release.Namespace }}]{{ end }} + Helm Release Name: {{ .Release.Name }} + Central Endpoint: {{ ._rox.centralEndpoint }} + OpenShift Cluster: {{ if eq ._rox.env.openshift 0 -}} false {{ else -}} {{ ._rox.env.openshift }} {{ end }} + Admission Control Webhooks deployed: {{ or ._rox.admissionControl.dynamic.listenOnCreates ._rox.admissionControl.dynamic.listenOnUpdates ._rox.admissionControl.dynamic.listenOnEvents}} + Admission Control Creates/Updates enforced: {{ or ._rox.admissionControl.dynamic.enforceOnCreates ._rox.admissionControl.dynamic.enforceOnUpdates }} + +{{ if ._rox._state.notes -}} +Please take note of the following: +{{ range ._rox._state.notes }} +- {{ . | wrapWith 98 "\n " -}} +{{ end }} + +{{ end -}} + +{{ if ._rox._state.warnings -}} +During installation, the following warnings were encountered: +{{ range ._rox._state.warnings }} +- WARNING: {{ . | wrapWith 98 "\n " -}} +{{ end }} + +{{ end -}} + +{{ if ._rox.env.openshift -}} +IMPORTANT: You have deployed into an OpenShift-enabled cluster. If you see that your pods + are not scheduling, run + + oc annotate namespace/{{ ._rox._namespace }} --overwrite openshift.io/node-selector="" +{{ end -}} + + +Thank you for using StackRox! diff --git a/4.3.5/secured-cluster-services/templates/_compatibility.tpl b/4.3.5/secured-cluster-services/templates/_compatibility.tpl new file mode 100644 index 0000000..c83ab2d --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_compatibility.tpl 
@@ -0,0 +1,51 @@ +{{ define "srox.applyCompatibilityTranslation" }} +{{ $ := index . 0 }} +{{ $values := index . 1 }} +{{ $translationRules := $.Files.Get "internal/compatibility-translation.yaml" | fromYaml }} +{{ include "srox._doApplyCompat" (list $values $.Template $values $translationRules list) }} +{{ end }} + +{{ define "srox._doApplyCompat" }} +{{ $values := index . 0 }} +{{ $template := index . 1 }} +{{ $valuesCtx := index . 2 }} +{{ $ruleCtx := index . 3 }} +{{ $ctxPath := index . 4 }} +{{ range $k, $v := $ruleCtx }} + {{ $oldVal := index $valuesCtx $k }} + {{ if not (kindIs "invalid" $oldVal) }} + {{ if kindIs "map" $v }} + {{ if kindIs "map" $oldVal }} + {{ include "srox._doApplyCompat" (list $values $template $oldVal $v (append $ctxPath $k)) }} + {{ if not $oldVal }} + {{ $_ := unset $valuesCtx $k }} + {{ end }} + {{ end }} + {{ else }} + {{ $_ := unset $valuesCtx $k }} + {{ if not (kindIs "invalid" $v) }} + {{ $tplCtx := dict "Template" $template "value" (toJson $oldVal) "rawValue" $oldVal }} + {{ $configFragment := tpl $v $tplCtx | fromYaml }} + {{ include "srox._mergeCompat" (list $values $configFragment (append $ctxPath $k) list) }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} + +{{ define "srox._mergeCompat" }} +{{ $values := index . 0 }} +{{ $newConfig := index . 1 }} +{{ $compatValuePath := index . 2 }} +{{ $path := index . 3 }} +{{ range $k, $v := $newConfig }} + {{ $currVal := index $values $k }} + {{ if kindIs "invalid" $currVal }} + {{ $_ := set $values $k $v }} + {{ else if and (kindIs "map" $v) (kindIs "map" $currVal) }} + {{ include "srox._mergeCompat" (list $currVal $v $compatValuePath (append $path $k)) }} + {{ else }} + {{ include "srox.fail" (printf "Conflict between legacy configuration values %s and explicitly set configuration value %s, please unset legacy value" (join "." $compatValuePath) (append $path $k | join ".")) }} + {{ end }} +{{ end }} +{{ end }} 
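Review bot: in _compatibility.tpl the three helpers carry no comment describing the shape of `internal/compatibility-translation.yaml`, which has to be reverse-engineered from `srox._doApplyCompat`: a map mirroring the legacy keys, where a map value recurses, a null leaf silently drops the legacy key (which is how `config.offlineMode` in the README table becomes a no-op), and a string leaf is rendered with `tpl` against `.value` (JSON) and `.rawValue` to yield the new configuration fragment merged by `srox._mergeCompat`. A header comment in the style of the one at the top of _crypto.tpl would make the rule file maintainable.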
diff --git a/4.3.5/secured-cluster-services/templates/_crypto.tpl b/4.3.5/secured-cluster-services/templates/_crypto.tpl new file mode 100644 index 0000000..1455288 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_crypto.tpl 
@@ -0,0 +1,239 @@ +{{/* + srox.configureCrypto $ $cryptoConfigPath $spec + + This helper function configures a private key or certificate (public cert + private key) + config entry, from an input config which is accessed via $cryptoConfigPath relative to + $._rox, which we'll refer to as $inputCfg. $inputCfg is expected to be a dict with at + least `key` and `generate` properties. If `generate` is null, it defaults to either `true` + on installations, and `false` on upgrades. `key` is an expandable string. + The result in either mode is written to a dict $outputCfg under $._rox accessed by the + $cryptoConfigPath, with a '_' prepended to the last path element. E.g., if + $cryptoConfigPath is "a.b.c", the input configuration will be read from $._rox.a.b.c, and + the output configuration will be stored in $._rox.a.b._c. + + Private key-only mode is selected if $spec.keyOnly contains a non-zero string, which specifies + the key algorithm to use. In this mode, if $inputCfg.key expands to a non-empty string, this + string will be copied to the `Key` property of $outputCfg. Otherwise, if $inputCfg.generate + is true (wrt. the above defaulting rules), a key with the algorithm prescribed by $spec.keyOnly + will be generated and stored in the `Key` property of $outputCfg. + + Certificate mode is the default. If $inputCfg.cert and $inputCfg.key expand to non-empty strings, + these strings will be copied to the `Cert` and `Key` properties of $outputCfg. Otherwise, if both + of them expand to empty strings (it is an error if only one of them expands to a non-empty + string), and $inputCfg.generate is true, a certificate and private key are generated with the + following options: + - If $inputCfg.ca is true, generate a CA certificate with common name $inputCfg.CN and a 5 year + validity duration. + - Otherwise, generate a leaf certificate with common name $inputCfg.CN and a 1 year validity + duration. 
The SANs for this certificate are derived from the base DNS name $inputCfg.dnsBase + according to "srox.computeSANs". + + Whenever certificates and/or private keys were generated, the $._rox._state.generated property + is updated to reflect the generated values, such that merging $._rox._state.generated in to + $.Values would have caused this template to simply use the generated values as-is. E.g., if + $cryptoConfigPath was "a.b.c" and $.Values.a.b.c.cert" and $.Values.a.b.c.key" were both empty, + $._rox._state.generated.a.b.c would be set to be a dict with `cert` and `key` properties of the + generated $outputCfg.Cert and $outputCfg.Key. + + If a certificate or private key was generated, $._rox._state.customCertGen is set to true. + */}} +{{- define "srox.configureCrypto" -}} +{{ $ := index . 0 }} +{{ $cryptoConfigPath := index . 1 }} +{{ $spec := index . 2 }} + +{{/* Resolve $cryptoConfigPath. */}} +{{ $cfg := $._rox }} +{{ $newGenerated := dict }} +{{ $genCfg := $newGenerated }} +{{ $cryptoConfigPathList := splitList "." $cryptoConfigPath }} +{{ range $pathElem := $cryptoConfigPathList }} + {{ $cfg = index $cfg $pathElem }} + {{ $newCfg := dict }} + {{ $_ := set $genCfg $pathElem $newCfg }} + {{ $genCfg = $newCfg }} +{{ end }} + +{{/* Make sure `cert` and `key` are expanded (this should already be the case, but better + safe than sorry. 
*/}} +{{ $certExpandSpec := dict "cert" true "key" true }} +{{ include "srox.expandAll" (list $ $cfg $certExpandSpec $cryptoConfigPathList) }} + +{{ $certPEM := $cfg._cert }} +{{ $keyPEM := $cfg._key }} + +{{ $result := dict }} +{{ if $certPEM }} + {{ $result = dict "Cert" $certPEM "Key" (default "" $keyPEM) }} +{{ else if or $certPEM $keyPEM }} + {{ if and $keyPEM $spec.keyOnly }} + {{ $_ := set $result "Key" $keyPEM }} + {{ else }} + {{ include "srox.fail" (printf "Either none or both of %s.cert and %s.key must be specified" $cryptoConfigPath $cryptoConfigPath) }} + {{ end }} +{{ else }} + {{ $generate := $cfg.generate }} + {{ if kindIs "invalid" $generate }} + {{ $generate = $.Release.IsInstall }} + {{ end }} + {{ if $generate }} + {{ if $spec.ca }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"ca\" (genCA .cn 1825) }}" (dict "Template" $.Template "cn" $spec.CN "out" $out) }} + {{ $result = $out.ca }} + {{ else if $spec.keyOnly }} + {{ $key := tpl "{{ genPrivateKey .algo }}" (dict "Template" $.Template "algo" $spec.keyOnly) }} + {{ $_ := set $genCfg "key" $key }} + {{ $_ = set $result "Key" $key }} + {{ else }} + {{ if not $._rox._ca }} + {{ include "srox.fail" (printf "Tried to generate certificate for %s, but no CA certificate is available." 
$spec.CN) }} + {{ end }} + {{ $sans := dict }} + {{ include "srox.computeSANs" (list $ $sans $spec.dnsBase) }} + {{ $ca := $._rox._ca }} + {{ if kindIs "map" $ca }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"ca\" (buildCustomCert (b64enc .ca.Cert) (b64enc .ca.Key)) }}" (dict "Template" $.Template "ca" $ca "out" $out) }} + {{ $ca = $out.ca }} + {{ end }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"cert\" (genSignedCert .cn nil .sans 365 .ca) }}" (dict "Template" $.Template "cn" $spec.CN "sans" $sans.result "ca" $ca "out" $out) }} + {{ $result = $out.cert }} + {{ $_ := set $genCfg "cert" $result.Cert }} + {{ $_ = set $genCfg "key" $result.Key }} + {{ end }} + {{ $_ := set $genCfg "key" $result.Key }} + {{ if $result.Cert }} + {{ $_ = set $genCfg "cert" $result.Cert }} + {{ end }} + {{ $_ = set $._rox._state "customCertGen" true }} + {{ end }} +{{ end }} + +{{/* Store output configuration and generated properties */}} +{{ $newCfgRoot := dict }} +{{ $newCfg := $newCfgRoot }} +{{ range $pathElem := initial $cryptoConfigPathList }} + {{ $nextCfg := dict }} + {{ $_ := set $newCfg $pathElem $nextCfg }} + {{ $newCfg = $nextCfg }} +{{ end }} +{{ $_ := set $newCfg (last $cryptoConfigPathList | printf "_%s") $result }} +{{ $_ = include "srox.mergeInto" (list $._rox $newCfgRoot) }} +{{ $_ = include "srox.mergeInto" (list $._rox._state.generated $newGenerated) }} +{{ end }} + + +{{/* + srox.configurePassword $ $pwConfigPath [$htpasswdUser] + + This helper function reads a password configuration (YAML dict with `value` + and `generate` properties) referenced by $pwConfigPath relative to $._rox. It + ensures the dict with the same config path relative to $._rox and prepending an underscore + to the last path element is populated in the following way: + - If the `value` property of the input config is nonzero, set `value` in the result to the + expanded value. 
+ - If the optional $htpasswdUser parameter is specified and the `htpasswd` property of the + input config is nonzero, set `htpasswd` in the result to the expanded value of that + property. + - If none of the above (non-mutually-exclusive) cases apply: + - If `generate` is true OR both `generate` is null and this is an installation, + not an upgrade, generate a random password with 32 alphanumeric characters. + - Otherwise, leave the result property empty. + - If the optional $htpasswdUser parameter was specified AND the `value` property in the + result property was set per the above rules AND the `htpasswd` property was not set, + populate the `htpasswd` property of the result by generating an htpasswd stanza with + the computed `value` as the password and $htpasswdUser as the username. + + The $._rox._state.generated property is adjusted accordingly. + */}} +{{- define "srox.configurePassword" -}} +{{ $ := index . 0 }} +{{ $pwConfigPath := index . 1 }} +{{ $htpasswdUser := "" }} +{{ if gt (len .) 2 }} + {{ $htpasswdUser = index . 2 }} +{{ end }} +{{ $cfg := $._rox }} +{{ $newGenerated := dict }} +{{ $genCfg := $newGenerated }} +{{ $pwConfigPathList := splitList "." $pwConfigPath }} +{{ range $pathElem := $pwConfigPathList }} + {{ $cfg = index $cfg $pathElem }} + {{ $newCfg := dict }} + {{ $_ := set $genCfg $pathElem $newCfg }} + {{ $genCfg = $newCfg }} +{{ end }} + +{{/* Make sure that `value` and `htpasswd` within $cfg are expanded (this should already be the + case but better safe than sorry). 
*/}} +{{ $pwExpandSpec := dict "value" true "htpasswd" true }} +{{ include "srox.expandAll" (list $ $cfg $pwExpandSpec $pwConfigPathList) }} + +{{ $result := dict }} +{{ if and $htpasswdUser (not (kindIs "invalid" $cfg._htpasswd)) }} + {{ $htpasswd := $cfg._htpasswd }} + {{ $_ := set $result "htpasswd" $htpasswd }} +{{ end }} +{{ if not $result.htpasswd }} + {{ $pw := dict.nil }} + {{ if kindIs "invalid" $cfg._value }} + {{ $generate := $cfg.generate }} + {{ if kindIs "invalid" $generate }} + {{ $generate = $.Release.IsInstall }} + {{ end }} + {{ if $generate }} + {{ $pw = randAlphaNum 32 }} + {{ $_ := set $genCfg "value" $pw }} + {{ end }} + {{ else }} + {{ $pw = $cfg._value }} + {{ end }} + {{ if not (kindIs "invalid" $pw) }} + {{ $_ := set $result "value" $pw }} + {{ end }} + {{ if and $htpasswdUser $pw }} + {{ $htpasswd := tpl "{{ htpasswd .user .pw }}" (dict "Template" $.Template "user" $htpasswdUser "pw" $pw) }} + {{ $_ := set $result "htpasswd" $htpasswd }} + {{ end }} +{{ else if $cfg.value }} + {{ include "srox.fail" (printf "Both a htpasswd and a value are specified for %s, this is illegal. Remove the `value` property, or ensure that `htpasswd` is null." $pwConfigPath) }} +{{ end }} +{{ $newCfgRoot := dict }} +{{ $newCfg := $newCfgRoot }} +{{ range $pathElem := initial $pwConfigPathList }} + {{ $nextCfg := dict }} + {{ $_ := set $newCfg $pathElem $nextCfg }} + {{ $newCfg = $nextCfg }} +{{ end }} +{{ $_ := set $newCfg (last $pwConfigPathList | printf "_%s") $result }} +{{ $_ = include "srox.mergeInto" (list $._rox $newCfgRoot) }} +{{ $_ = include "srox.mergeInto" (list $._rox._state.generated $newGenerated) }} +{{ end }} + + +{{/* + srox.computeSANs $ $out $svcName + + Compute the applicable SANs for a service with name $svcName, deployed in namespace + $.Release.Namespace (= $releaseNS). + Generally, SANs following the pattern "$svcName.$releaseNS[.svc[.cluster.local]]" will be + generated. 
If $releaseNS is not "stackrox", another set of SANs with the same pattern, + but assuming $releaseNS = "stackrox", will be generated in addition. + The result is stored as a list in $out.result. + */}} +{{ define "srox.computeSANs" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ $svcName := index . 2 }} +{{ $releaseNS := $.Release.Namespace }} +{{ $sans := list }} +{{ range $ns := list $releaseNS "stackrox" | uniq | sortAlpha }} + {{ $baseDNS := printf "%s.%s" $svcName $ns }} + {{ range $suffix := tuple "" ".svc" ".svc.cluster.local" }} + {{ $sans = printf "%s%s" $baseDNS $suffix | append $sans }} + {{ end }} +{{ end }} +{{ $_ := set $out "result" $sans }} +{{ end }} diff --git a/4.3.5/secured-cluster-services/templates/_defaults.tpl b/4.3.5/secured-cluster-services/templates/_defaults.tpl new file mode 100644 index 0000000..7f8629b --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_defaults.tpl 
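Review bot: In `_crypto.tpl`, the conflict check at the end of `srox.configurePassword`, `{{ else if $cfg.value }}`, can never fire: `srox.expandAll` (called a few lines earlier with `value` and `htpasswd` flagged) copies the expanded value to `_value` and then unsets the original `value` key, so `$cfg.value` is always nil at that point and a config that sets both `htpasswd` and `value` is silently accepted with `htpasswd` winning. Test `not (kindIs "invalid" $cfg._value)` there so the "Both a htpasswd and a value are specified" failure actually triggers. Separately, `srox.configureCrypto` accepts a `cert` with an empty `key` (the first branch stores `Key` as `""`) although its doc comment says it is an error if only one of the two expands to a non-empty string; either enforce that or document the cert-only case. The same comment refers to `$inputCfg.ca`, `$inputCfg.CN` and `$inputCfg.dnsBase`, whereas the code reads all three from `$spec`.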
@@ -0,0 +1,35 @@ +{{/* + srox.applyDefaults . + + Applies defaults defined in `internal/defaults`, in an order that depends on the filenames. + */}} +{{ define "srox.applyDefaults" }} +{{ $ := . }} +{{/* Apply defaults */}} +{{ range $defaultsFile, $defaultsTpl := $.Files.Glob "internal/defaults/*.yaml" }} + {{ $tplSects := regexSplit "(^|\n)---($|\n)" (toString $defaultsTpl) -1 }} + {{ $sectCounter := 0 }} + {{ range $tplSect := $tplSects }} + {{/* + tpl will merely stop creating output if an error is encountered during rendering (not during parsing), but we want + to be certain that we recognized invalid templates. Hence, add a marker line at the end, and verify that it + shows up in the output. + */}} + {{ $renderedSect := tpl (list $tplSect "{{ \"\\n#MARKER\\n\" }}" | join "") $ }} + {{ if not (hasSuffix "\n#MARKER\n" $renderedSect) }} + {{ include "srox.fail" (printf "Section %d in defaults file %s contains invalid templating" $sectCounter $defaultsFile) }} + {{ end }} + {{/* + fromYaml only returns an empty dict upon error, but we want to be certain that we recognized invalid YAML. + Hence, add a marker value. + */}} + {{ $sectDict := fromYaml (cat $renderedSect "\n__marker: true\n") }} + {{ if not (index $sectDict "__marker") }} + {{ include "srox.fail" (printf "Section %d in defaults file %s contains invalid YAML" $sectCounter $defaultsFile) }} + {{ end }} + {{ $_ := unset $sectDict "__marker" }} + {{ $_ = include "srox.mergeInto" (list $._rox $sectDict) }} + {{ $sectCounter = add $sectCounter 1 }} + {{ end }} +{{ end }} +{{ end }} diff --git a/4.3.5/secured-cluster-services/templates/_dict.tpl b/4.3.5/secured-cluster-services/templates/_dict.tpl new file mode 100644 index 0000000..bf14a6d --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_dict.tpl 
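Review bot: In `_defaults.tpl`, the doc comment for `srox.applyDefaults` says the order "depends on the filenames" without saying what that order means for precedence. `range` over the map returned by `$.Files.Glob` visits keys in sorted order, and `srox.mergeInto` keeps whatever is already present in `$._rox`, so user-supplied values beat every defaults file and a lexically earlier defaults file beats a later one. State that explicitly in the comment, since anyone adding a new file under `internal/defaults/` has to pick its name with that in mind.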
@@ -0,0 +1,142 @@ +{{/* + srox.compactDict $target [$depth] + + Compacts a dict $target by removing entries with empty values. + By default, only the top-level dict $target itself is modified. If the optional $depth + parameter is specified and is non-zero, this determines the recursion depth over which the + compaction is applied to nested diocts as well. A $depth of -1 means to compact all nested + dicts, regardless of depth. + */}} +{{ define "srox.compactDict" }} +{{ $args := . }} +{{ if not (kindIs "slice" $args) }} + {{ $args = list $args 0 }} +{{ end }} +{{ $target := index $args 0 }} +{{ $depth := index $args 1 }} +{{ $zeroValKeys := list }} +{{ range $k, $v := $target }} + {{ if and (kindIs "map" $v) (ne $depth 0) }} + {{ include "srox.compactDict" (list $v (sub $depth 1)) }} + {{ end }} + {{ if not $v }} + {{ $zeroValKeys = append $zeroValKeys $k }} + {{ end }} +{{ end }} +{{ range $k := $zeroValKeys }} + {{ $_ := unset $target $k }} +{{ end }} +{{ end }} + +{{/* + srox.destructiveMergeOverwrite $out $dict1 $dict2... + + Recursively merges $dict1, $dict2 (in this order) into $out, similar to mergeOverwrite. + The eponymous difference is the fact that any explicit "null" entries in the source + dictionaries cause the respective entry to be deleted. + */}} +{{ define "srox.destructiveMergeOverwrite" }} +{{ $out := first . }} +{{ $toMergeList := rest . 
}} +{{ range $toMerge := $toMergeList }} + {{ range $k, $v := $toMerge }} + {{ if kindIs "invalid" $v }} + {{ $_ := unset $out $k }} + {{ else if kindIs "map" $v }} + {{ $outV := index $out $k }} + {{ if kindIs "invalid" $outV }} + {{ $_ := set $out $k (deepCopy $v) }} + {{ else if kindIs "map" $outV }} + {{ include "srox.destructiveMergeOverwrite" (list $outV $v) }} + {{ else }} + {{ fail (printf "when merging at key %s: incompatible kinds %s and %s" $k (kindOf $v) (kindOf $outV)) }} + {{ end }} + {{ else }} + {{ $_ := set $out $k $v }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox.stringifyDictValues $dict + + Recursively traverses $dict and converts every non-dict value to a string. + */}} +{{ define "srox.stringifyDictValues" }} +{{ $dict := . }} +{{ range $k, $v := $dict }} + {{ if kindIs "map" $v }} + {{ include "srox.stringifyDictValues" $v }} + {{ else }} + {{ $_ := set $dict $k (toString $v) }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox.safeDictLookup $dict $out $path + + Looks up $path in $dict, and stores the result (if any) in $out.result. + $path is a dot-separated list of nested field names. An empty $path causes + $dict to be stored in $out.result. + + Example: srox.safeDictLookup $dict $out "a.b.c" stores the value of $dict.a.b.c, if + it exists, in $out.result. Otherwise, it does nothing - in particular, it does + not fail, as accessing $dict.a.b.c unconditionally would if any of $dict, $dict.a, + or $dict.a.b was not a dict. + */}} +{{ define "srox.safeDictLookup" }} +{{ $dict := index . 0 }} +{{ $out := index . 1 }} +{{ $path := index . 2 }} +{{ $curr := $dict }} +{{ $pathList := splitList "." 
$path | compact }} +{{ range $pathElem := $pathList }} + {{ if kindIs "map" $curr }} + {{ $curr = index $curr $pathElem }} + {{ else if not (kindIs "invalid" $curr) }} + {{ $curr = dict.nil }} + {{ end }} +{{ end }} +{{ if not (kindIs "invalid" $curr) }} + {{ $_ := set $out "result" $curr }} +{{ end }} +{{ end }} + + + +{{/* + srox.mergeInto $tgt $src1..$srcN + + Recursively merges values from $src1, ..., $srcN into $tgt, giving preference to + values in $tgt. + + Unlike Sprig's merge, this does not overwrite falsy values when explicitly defined, + with the exception of `null` values (this also sets it apart from Sprig's mergeOverwrite). + + Whenever entire (nested) dicts are merged as-is from one of the sources into $tgt, a deep + copy of the respective nested dict is created. + + An empty string is always returned, hence this should be invoked in the form + $_ := include "srox.mergeInto" (list $tgt $src1 $src2) + */}} +{{ define "srox.mergeInto" }} +{{ $tgt := first . }} +{{ range $src := rest . }} + {{ range $k, $srcV := $src }} + {{ $tgtV := index $tgt $k }} + {{ if kindIs "map" $srcV }} + {{ if kindIs "invalid" $tgtV }} + {{ $_ := set $tgt $k (deepCopy $srcV) }} + {{ else if kindIs "map" $tgtV }} + {{ $_ := include "srox.mergeInto" (list $tgtV $srcV) }} + {{ else }} + {{ fail (printf "Incompatible kinds for key %s: %s vs %s" $k (kindOf $srcV) (kindOf $tgtV)) }} + {{ end }} + {{ else if and (not (kindIs "invalid" $srcV)) (kindIs "invalid" $tgtV) }} + {{ $_ := set $tgt $k $srcV }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} diff --git a/4.3.5/secured-cluster-services/templates/_expand.tpl b/4.3.5/secured-cluster-services/templates/_expand.tpl new file mode 100644 index 0000000..ed1cb1f --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_expand.tpl 
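Review bot: In `_dict.tpl`, `srox.compactDict` documents `$depth` as optional, but the only omission it handles is a bare (non-list) argument; a call of the form `(list $target)` reaches `index $args 1` on a one-element list and errors with an index out of range. Guard on the length instead, e.g. `{{ if lt (len $args) 2 }}{{ $args = append $args 0 }}{{ end }}`. Minor: "diocts" in that comment should be "dicts", and `srox.destructiveMergeOverwrite` and `srox.mergeInto` call the raw `fail` builtin while the rest of this patch routes errors through `srox.fail`; using the same path everywhere keeps the failure output consistent.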
@@ -0,0 +1,96 @@ +{{/* + srox.expandAll $ $target $expandable [$path] + + Expands values within $target that are flagged in $expandable, using $path + as the path from the configuration root to $target for error reporting purposes. + + If $target is nil, nothing happens. Otherwise, $target must be a dict. For every key + of $target that is also present in $expandable, the following action is performed: + - If the entry in $expandable is a dict, recursive invoke "srox.expandAll" on the + respective entries, with an adjusted $path. + - Otherwise, the entry in $expandable is assume to be of boolean value. If the value is + true, the corresponding entry's value in $target is expanded (see "srox._expandSingle" + below for a definition of expanding), and the result of the expansion is stored under + the key with a "_" prepended in $target. The original entry in $target is removed. This + ensures "srox.expandAll" is an idempotent operation). + */}} +{{ define "srox.expandAll" }} +{{ $args := . }} +{{ $ := index $args 0 }} +{{ $target := index $args 1 }} +{{ $expandable := index $args 2 }} +{{ $path := list }} +{{ if ge (len $args) 4 }} + {{ $path = index $args 3 }} + {{ if kindIs "string" $path }} + {{ $path = splitList "." $path | compact }} + {{ end }} +{{ end }} + +{{ if kindIs "map" $target }} + {{ range $k, $v := $expandable }} + {{ $childPath := append $path $k }} + {{ $targetV := index $target $k }} + {{ if kindIs "map" $v }} + {{ include "srox.expandAll" (list $ $targetV $v $childPath) }} + {{ else if $v }} + {{ if not (kindIs "invalid" $targetV) }} + {{ $expanded := include "srox._expandSingle" (list $ $targetV (join "." $childPath)) }} + {{ $_ := set $target (printf "_%s" $k) $expanded }} + {{ end }} + {{ $_ := unset $target $k }} + {{ end }} + {{ end }} +{{ else if not (kindIs "invalid" $target) }} + {{ include "srox.fail" (printf "Error expanding value at %s: expected map, got: %s" (join "." 
$path) (kindOf $target)) }} +{{ end }} +{{ end }} + +{{/* + srox.expand $ $spec + + Parses and expands a "specification string" in the following way: + - If $spec is a dictionary, return $spec rendered as a YAML. + - Otherwise, if $spec starts with a backslash character (`\`), return $spec minus the leading + backslash character. + - Otherwise, if $spec starts with an `@` character, strip off the first character and + treat the remainder of the string as a `|`-separated list of file names. Try to load + each referenced file, in order, via `stackrox.getFile`. The result is the first file + that could be successfully loaded. If no file could be loaded, expansion fails. + - Otherwise, return $spec as-is. + */}} +{{- define "srox._expandSingle" -}} + {{- $ := index . 0 -}} + {{- $spec := index . 1 -}} + {{- $context := index . 2 -}} + {{- $result := "" -}} + {{- if kindIs "string" $spec -}} + {{- if hasPrefix "\\" $spec -}} + {{- /* use \ as string-wide escape character */ -}} + {{- $result = trimPrefix "\\" $spec -}} + {{- else if hasPrefix "@" $spec -}} + {{- /* treat as file list (first found matches) */ -}} + {{- /* If the prefix is "@?" expansion will not fail if no files could be found, instead an empty string is returned. */ -}} + {{- $fileSpec := trimPrefix "@" $spec -}} + {{- $allowNotFound := false -}} + {{- if hasPrefix "?" $fileSpec -}} + {{- $allowNotFound = true -}} + {{- $fileSpec = trimPrefix "?" 
$fileSpec -}} + {{- end -}} + {{- $fileList := regexSplit "\\s*\\|\\s*" ($fileSpec | trim) -1 -}} + {{- $fileRes := dict -}} + {{- $_ := include "srox.loadFile" (list $ $fileRes $fileList) -}} + {{- if and (not $allowNotFound) (not $fileRes.found) -}} + {{- include "srox.fail" (printf "Expanding %s: file reference %q: none of the referenced files were found" $context $spec) -}} + {{- end -}} + {{- $result = default "" $fileRes.contents -}} + {{- else -}} + {{/* treat as raw string */}} + {{- $result = $spec -}} + {{- end -}} + {{- else if not (kindIs "invalid" $spec) -}} + {{- /* render non-string, non-nil values as YAML */ -}} + {{- $result = toYaml $spec -}} + {{- end -}} + {{- $result -}} +{{- end -}} diff --git a/4.3.5/secured-cluster-services/templates/_format.tpl b/4.3.5/secured-cluster-services/templates/_format.tpl new file mode 100644 index 0000000..745fe47 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_format.tpl @@ -0,0 +1,14 @@ +{{/* + srox.formatStorageSize $value + + Formats $value as a storage size. $value can be an integer or a string. + If no unit is specified (e.g., if $value is a string), a default unit of + Gigabytes ("Gi" suffix) is assumed. + */}} +{{- define "srox.formatStorageSize" -}} +{{- $val := toString . -}} +{{- if regexMatch "^[0-9]+$" $val -}} + {{- $val = printf "%sGi" $val -}} +{{- end -}} +{{- default "0" $val -}} +{{- end -}} diff --git a/4.3.5/secured-cluster-services/templates/_helpers.tpl b/4.3.5/secured-cluster-services/templates/_helpers.tpl new file mode 100644 index 0000000..e87f10f --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_helpers.tpl 
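Review bot: In `_expand.tpl`, the doc comment above `srox._expandSingle` is out of date: it is headed `srox.expand $ $spec`, omits the third `$context` argument the code reads with `index . 2`, refers to `stackrox.getFile` whereas the code calls `srox.loadFile`, and does not mention the `@?` prefix that makes a missing file non-fatal (only an inline comment does). In the `srox.expandAll` comment, "recursive invoke" and "is assume to be" should read "recursively invoke" and "is assumed to be", and the closing parenthesis after "idempotent operation" has no matching opening one.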
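Review bot: In `_format.tpl`, the doc comment example for `srox.formatStorageSize` is inverted: the regex `^[0-9]+$` only matches all-digit input, so a bare integer such as `10` is the case where "Gi" is appended, while a string like `10Gi` already carries its unit. Also note that `{{- default "0" $val -}}` turns an empty input into the bare `0` rather than `0Gi`, which is the one output that does not follow the documented default unit; either return `"0Gi"` or say in the comment that empty input yields `0`.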
@@ -0,0 +1,68 @@ +{{/* + Misceallaneous helper templates. + */}} + + + + +{{/* + srox.loadFile $ $out $fileName-or-list + + This helper function reads a file. It differs from $.Files.Get in that it also takes + $._rox.meta.fileOverrides into account. Furthermore, it can receive a list of file names, + and will try these files in order. Finally, it indicates whether a file was found via the + $out.found property (as opposed to $.Files.Get, which cannot distinguish between a successful + read of an empty file, and this file not being found). + The file contents will be returned via $out.contents + */}} +{{ define "srox.loadFile" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ $fileNames := index . 2 }} +{{ if not (kindIs "slice" $fileNames) }} + {{ $fileNames = list $fileNames }} +{{ end }} +{{ $contents := index dict "" }} +{{ range $fileName := $fileNames }} + {{ if kindIs "invalid" $contents }} + {{ $contents = index $._rox.meta.fileOverrides $fileName }} + {{ end }} + {{ if kindIs "invalid" $contents }} + {{ range $path, $_ := $.Files.Glob $fileName }} + {{ if kindIs "invalid" $contents }} + {{ $contents = $.Files.Get $path }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ if not (kindIs "invalid" $contents) }} + {{ $_ := set $out "contents" $contents }} +{{ end }} +{{ $_ := set $out "found" (not (kindIs "invalid" $contents)) }} +{{ end }} + + +{{/* + srox.checkGenerated $ $cfgPath + + Checks if the value at configuration path $cfgPath (e.g., "central.adminPassword.value") was + generated. Evaluates to the string "true" if this is the case, and an empty string otherwise. + */}} +{{- define "srox.checkGenerated" -}} +{{- $ := index . 0 -}} +{{- $cfgPath := index . 1 -}} +{{- $genCfg := $._rox._state.generated -}} +{{- $exists := true -}} +{{- range $pathElem := splitList "." 
$cfgPath -}} + {{- if $exists -}} + {{- if hasKey $genCfg $pathElem -}} + {{- $genCfg = index $genCfg $pathElem -}} + {{- else -}} + {{- $exists = false -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $exists -}} +true +{{- end -}} +{{- end -}} diff --git a/4.3.5/secured-cluster-services/templates/_image-pull-secrets.tpl b/4.3.5/secured-cluster-services/templates/_image-pull-secrets.tpl new file mode 100644 index 0000000..9747e26 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_image-pull-secrets.tpl 
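Review bot: In `_helpers.tpl`, `srox.loadFile` evaluates `index $._rox.meta.fileOverrides $fileName` unguarded; if `meta.fileOverrides` is absent from the effective config, Go's `index` fails with "index of untyped nil" instead of treating it as "no override". Either note in the comment that the config shape guarantees the dict exists, or write `index (default dict $._rox.meta.fileOverrides) $fileName`. Minor: "Misceallaneous" in the file header should be "Miscellaneous".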
@@ -0,0 +1,85 @@ +{{/* + srox.configureImagePullSecrets $ $cfgName $imagePullSecrets $secretResourceName $defaultSecretNames $namespace + + Configures image pull secrets. + + This function enriches $imagePullSecrets based on the exposed configuration parameters to contain + a list of Kubernetes secret names as `_names` to be used as image pull secrets within the chart + templates. This list contains the following secrets: + + - Secrets referenced via $imagePullSecrets.useExisting. + - Image pull secrets associated with the default service account (if + $imagePullSecrets.useFromDefaultServiceAccount is true). + - $secretResourceName, if $imagePullSecrets.username is set. + - $defaultSecretNames. */}} + +{{ define "srox.configureImagePullSecrets" }} +{{ $ := index . 0 }} +{{ $cfgName := index . 1 }} +{{ $imagePullSecrets := index . 2 }} +{{ $secretResourceName := index . 3 }} +{{ $defaultSecretNames := index . 4 }} +{{ $namespace := index . 5 }} + +{{ $imagePullSecretNames := default list $imagePullSecrets.useExisting }} +{{ if not (kindIs "slice" $imagePullSecretNames) }} + {{ $imagePullSecretNames = regexSplit "\\s*[,;]\\s*" (trim $imagePullSecretNames) -1 }} +{{ end }} +{{ if $imagePullSecrets.useFromDefaultServiceAccount }} + {{ $defaultSA := dict }} + {{ include "srox.safeLookup" (list $ $defaultSA "v1" "ServiceAccount" $namespace "default") }} + {{ if $defaultSA.result }} + {{ range $ips := default list $defaultSA.result.imagePullSecrets }} + {{ if $ips.name }} + {{ $imagePullSecretNames = append $imagePullSecretNames $ips.name }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ $imagePullCreds := dict }} +{{ if $imagePullSecrets._username }} + {{ $imagePullCreds = dict "username" $imagePullSecrets._username "password" $imagePullSecrets._password }} + {{ $imagePullSecretNames = append $imagePullSecretNames $secretResourceName }} +{{ else if $imagePullSecrets._password }} + {{ $msg := printf "Username missing in %q. 
Whenever an image pull password is specified, a username must be specified as well" $cfgName }} + {{ include "srox.fail" $msg }} +{{ end }} +{{ if and $.Release.IsInstall (not $imagePullSecretNames) (not $imagePullSecrets.allowNone) }} + {{ $msg := printf "You have not specified any image pull secrets, and no existing image pull secrets were automatically inferred. If your registry does not need image pull credentials, explicitly set the '%s.allowNone' option to 'true'" $cfgName }} + {{ include "srox.fail" $msg }} +{{ end }} + +{{ $imagePullSecretNames = concat (append $imagePullSecretNames $secretResourceName) $defaultSecretNames | uniq | sortAlpha }} +{{ $_ := set $imagePullSecrets "_names" $imagePullSecretNames }} +{{ $_ := set $imagePullSecrets "_creds" $imagePullCreds }} + +{{ end }} + +{{ define "srox.configureImagePullSecretsForDockerRegistry" }} +{{ $ := index . 0 }} +{{ $imagePullSecrets := index . 1 }} + +{{/* Setup Image Pull Secrets for Docker Registry. + Note: This must happen afterwards, as we rely on "srox.configureImage" to collect the + set of all referenced images first. */}} +{{ if $imagePullSecrets._username }} + {{ $dockerAuths := dict }} + {{ range $image := keys $._rox._state.referencedImages }} + {{ $registry := splitList "/" $image | first }} + {{ if eq $registry "docker.io" }} + {{/* Special case docker.io */}} + {{ $registry = "https://index.docker.io/v1/" }} + {{ else }} + {{ $registry = printf "https://%s" $registry }} + {{ end }} + {{ $_ := set $dockerAuths $registry dict }} + {{ end }} + {{ $authToken := printf "%s:%s" $imagePullSecrets._username $imagePullSecrets._password | b64enc }} + {{ range $regSettings := values $dockerAuths }} + {{ $_ := set $regSettings "auth" $authToken }} + {{ end }} + + {{ $_ := set $imagePullSecrets "_dockerAuths" $dockerAuths }} +{{ end }} + +{{ end }} 
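Review bot: In `_image-pull-secrets.tpl`, the doc comment says `$secretResourceName` is included only "if $imagePullSecrets.username is set", but the final `concat (append $imagePullSecretNames $secretResourceName) $defaultSecretNames` adds it unconditionally, so workloads always reference that secret even when no credentials were given and the chart creates nothing under that name. Either make the append depend on `_username`, or change the comment to say the secret is always referenced so that a pre-created secret of that name is picked up. Also worth a comment on `_creds` and `_dockerAuths`: both hold the registry password (plaintext and base64 `user:password`) on `$._rox`, so they must only ever be rendered into the Secret manifest.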
diff --git a/4.3.5/secured-cluster-services/templates/_images.tpl b/4.3.5/secured-cluster-services/templates/_images.tpl new file mode 100644 index 0000000..dced29d --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_images.tpl @@ -0,0 +1,34 @@ +{{/* + srox.configureImage $ $imageCfg + + Configures settings for a single image by augmenting/completing an existing image configuration + stanza. + + If $imageCfg.fullRef is empty: + First, the image registry is determined by inspecting $imageCfg.registry and, if this is empty, + $._rox.image.registry, ultimately defaulting to `docker.io`. The full image ref is then + constructed from the registry, $imageCfg.name (must be non-empty), and $imageCfg.tag (may be + empty, in which case "latest" is assumed). The result is stored in $imageCfg.fullRef. + + Afterwards (irrespective of the previous check), $imageCfg.fullRef is modified by prepending + "docker.io/" if and only if it did not contain a remote yet (i.e., the part before the first "/" + did not contain a dot (DNS name) or colon (port)). + + Finally, the resulting $imageCfg.fullRef is stored as a dict entry with value `true` in the + $._rox._state.referencedImages dict. + */}} +{{ define "srox.configureImage" }} +{{ $ := index . 0 }} +{{ $imageCfg := index . 1 }} +{{ $imageRef := $imageCfg.fullRef }} +{{ if not $imageRef }} + {{ $imageRef = printf "%s/%s:%s" (coalesce $imageCfg.registry $._rox.image.registry "docker.io") $imageCfg.name (default "latest" $imageCfg.tag) }} +{{ end }} +{{ $imageComponents := splitList "/" $imageRef }} +{{ $firstComponent := index $imageComponents 0 }} +{{ if or (lt (len $imageComponents) 2) (and (not (contains ":" $firstComponent)) (not (contains "." $firstComponent))) }} + {{ $imageRef = printf "docker.io/%s" $imageRef }} +{{ end }} +{{ $_ := set $imageCfg "fullRef" $imageRef }} +{{ $_ = set $._rox._state.referencedImages $imageRef true }} +{{ end }} 
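Review bot: In `_images.tpl`, an empty `$imageCfg.tag` silently falls back to `latest`, so a missing tag in values produces a mutable, unpinned reference with no indication in the output; consider emitting a `srox.warn` (used elsewhere in this patch) when the tag is defaulted. The doc comment also understates when "docker.io/" is prepended: besides the no-dot-and-no-colon rule, the `lt (len $imageComponents) 2` clause prepends it whenever the reference has no "/" at all, so `nginx` becomes `docker.io/nginx` (not the canonical `docker.io/library/nginx`); say so in the comment.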
diff --git a/4.3.5/secured-cluster-services/templates/_init.tpl b/4.3.5/secured-cluster-services/templates/_init.tpl new file mode 100644 index 0000000..fd50428 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_init.tpl 
@@ -0,0 +1,257 @@ +{{/* + srox.init $ + + Initialization template for the internal data structures. + This template is designed to be included in every template file, but will only be executed + once by leveraging state sharing between templates. + */}} +{{ define "srox.init" }} + +{{ $ := . }} + +{{/* + On first(!) instantiation, set up the $._rox structure, containing everything required by + the resource template files. + */}} +{{ if not $._rox }} + +{{/* + Calculate the fingerprint of the input config. + */}} +{{ $configFP := (.Values | toJson | sha256sum) }} + +{{/* + Initial Setup + */}} + +{{ $values := deepCopy $.Values }} +{{ include "srox.applyCompatibilityTranslation" (list $ $values) }} + +{{/* + $rox / ._rox is the dictionary in which _all_ data that is modified by the init logic + is stored. + We ensure that it has the required shape, and then right after merging the user-specified + $.Values, we apply some bootstrap defaults. + */}} +{{ $rox := deepCopy $values }} + + +{{ $configShape := $.Files.Get "internal/config-shape.yaml" | fromYaml }} + +{{/* Only merge scanner config shapes if feature flag is enabled and kubectl output is disabled */}} +{{ $configShapeScanner := $.Files.Get "internal/scanner-config-shape.yaml" | fromYaml }} + {{ $_ := include "srox.mergeInto" (list $rox $configShape $configShapeScanner) }} + + +{{ $_ = set $ "_rox" $rox }} + +{{/* Set the config fingerprint as computed or overridden via values. */}} +{{ $configFP = default $configFP $._rox.meta.configFingerprintOverride }} +{{ $_ = set $._rox "_configFP" $configFP }} + +{{/* Global state (accessed from sub-templates) */}} +{{ $state := dict "notes" list "warnings" list "referencedImages" dict "generated" dict }} +{{ $_ = set $._rox "_state" $state }} + +{{/* + API Server setup. The problem with `.Capabilities.APIVersions` is that Helm does not + allow setting overrides for those when using `helm template` or `--dry-run`. 
Thus, + if we rely on `.Capabilities.APIVersions` directly, we lose flexibility for our chart + in these settings. Therefore, we use custom fields such that a user in principle has + the option to inject via `--set`/`-f` everything we rely upon. + */}} +{{ $apiResources := list }} +{{ if not (kindIs "invalid" $._rox.meta.apiServer.overrideAPIResources) }} + {{ $apiResources = $._rox.meta.apiServer.overrideAPIResources }} +{{ else }} + {{ range $apiResource := $.Capabilities.APIVersions }} + {{ $apiResources = append $apiResources $apiResource }} + {{ end }} +{{ end }} +{{ if $._rox.meta.apiServer.extraAPIResources }} + {{ $apiResources = concat $apiResources $._rox.meta.apiServer.extraAPIResources }} +{{ end }} +{{ $apiServerVersion := coalesce $._rox.meta.apiServer.version $.Capabilities.KubeVersion.Version }} +{{ $apiServer := dict "apiResources" $apiResources "version" $apiServerVersion }} +{{ $_ = set $._rox "_apiServer" $apiServer }} + +{{/* + Environment setup +*/}} + +{{/* Detect openshift version */}} +{{ include "srox.autoSenseOpenshiftVersion" (list $) }} + +{{/* Openshift monitoring */}} +{{ if $._rox.enableOpenShiftMonitoring }} + {{ include "srox.warn" (list . "enableOpenShiftMonitoring option was replaced with monitoring.openshift.enabled") }} + {{ $_ := set $._rox "monitoring" (dict "openshift" (dict "enabled" true)) }} +{{ end }} +{{/* Default `monitoring.openshift.enabled = true` unless `env.openshift != 4`. */}} +{{ if kindIs "invalid" $._rox.monitoring.openshift.enabled }} +{{ $_ := set $._rox "monitoring" (dict "openshift" (dict "enabled" (eq $._rox.env.openshift 4))) }} +{{ end }} +{{ if and $._rox.monitoring.openshift.enabled (ne $._rox.env.openshift 4) }} + {{ include "srox.warn" (list . "'monitoring.openshift.enabled' is set to true, but the chart is not being deployed in an OpenShift 4 cluster. 
Proceeding with 'monitoring.openshift.enabled=false'.") }} + {{ $_ := set $._rox "monitoring" (dict "openshift" (dict "enabled" false)) }} +{{ end }} +{{/* Detect enablePodSecurityPolicies */}} +{{ include "srox.autoSensePodSecurityPolicies" (list $) }} + +{{ include "srox.applyDefaults" $ }} + +{{/* Expand applicable config values */}} +{{ $expandables := $.Files.Get "internal/expandables.yaml" | fromYaml }} +{{ include "srox.expandAll" (list $ $rox $expandables) }} + +{{/* + General validation of effective settings. + */}} + +{{ if not $.Release.IsUpgrade }} +{{ if ne $._rox._namespace "stackrox" }} + {{ if $._rox.allowNonstandardNamespace }} + {{ include "srox.note" (list $ (printf "You have chosen to deploy to namespace '%s'." $._rox._namespace)) }} + {{ else }} + {{ include "srox.fail" (printf "You have chosen to deploy to namespace '%s', not 'stackrox'. If this was accidental, please re-run helm with the '-n stackrox' option. Otherwise, if you need to deploy into this namespace, set the 'allowNonstandardNamespace' configuration value to true." $._rox._namespace) }} + {{ end }} +{{ end }} +{{ end }} + +{{/* If a cluster name should change the confirmNewClusterName value must match clusterName. */}} +{{ if and $._rox.confirmNewClusterName (ne $._rox.confirmNewClusterName $._rox.clusterName) }} + {{ include "srox.fail" (printf "Failed to change cluster name. Values for confirmNewClusterName '%s' did not match clusterName '%s'." $._rox.confirmNewClusterName $._rox.clusterName) }} +{{ end }} + + +{{ if not $.Release.IsUpgrade }} +{{ if ne $.Release.Name $.Chart.Name }} + {{ if $._rox.allowNonstandardReleaseName }} + {{ include "srox.warn" (list $ (printf "You have chosen a release name of '%s', not '%s'. Accompanying scripts and commands in documentation might require adjustments." $.Release.Name $.Chart.Name)) }} + {{ else }} + {{ include "srox.fail" (printf "You have chosen a release name of '%s', not '%s'. We strongly recommend using the standard release name. 
If you must use a different name, set the 'allowNonstandardReleaseName' configuration option to true." $.Release.Name $.Chart.Name) }} + {{ end }} +{{ end }} +{{ end }} + + + + + +{{ if and (not $._rox.auditLogs.disableCollection) (ne $._rox.env.openshift 4) }} + {{ include "srox.fail" "'auditLogs.disableCollection' is set to false, but the chart is not being deployed in OpenShift 4 mode. Set 'env.openshift' to '4' in order to enable OpenShift 4 features." }} +{{ end }} + + +{{ if and $._rox.admissionControl.dynamic.enforceOnCreates (not $._rox.admissionControl.listenOnCreates) }} + {{ include "srox.warn" (list $ "Incompatible settings: 'admissionControl.dynamic.enforceOnCreates' is set to true, while `admissionControl.listenOnCreates` is set to false. For the feature to be active, enable both settings by setting them to true.") }} +{{ end }} + +{{ if and $._rox.admissionControl.dynamic.enforceOnUpdates (not $._rox.admissionControl.listenOnUpdates) }} + {{ include "srox.warn" (list $ "Incompatible settings: 'admissionControl.dynamic.enforceOnUpdates' is set to true, while `admissionControl.listenOnUpdates` is set to false. For the feature to be active, enable both settings by setting them to true.") }} +{{ end }} + +{{ if and (eq $._rox.env.openshift 3) $._rox.admissionControl.listenOnEvents }} + {{ include "srox.fail" "'admissionControl.listenOnEvents' is set to true, but the chart is being deployed in OpenShift 3.x compatibility mode, which does not work with this feature. Set 'env.openshift' to '4' in order to enable OpenShift 4.x features." }} +{{ end }} +{{/* Initial image pull secret setup. 
*/}} +{{ include "srox.mergeInto" (list $._rox.mainImagePullSecrets $._rox.imagePullSecrets) }} +{{ include "srox.configureImagePullSecrets" (list $ "mainImagePullSecrets" $._rox.mainImagePullSecrets "secured-cluster-services-main" (list "stackrox") $._rox._namespace) }} +{{ include "srox.mergeInto" (list $._rox.collectorImagePullSecrets $._rox.imagePullSecrets) }} +{{ include "srox.configureImagePullSecrets" (list $ "collectorImagePullSecrets" $._rox.collectorImagePullSecrets "secured-cluster-services-collector" (list "stackrox" "collector-stackrox") $._rox._namespace) }} + +{{/* Additional CAs. */}} +{{ $additionalCAList := list }} +{{ if kindIs "string" $._rox.additionalCAs }} + {{ if $._rox.additionalCAs }} + {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $._rox.additionalCAs) }} + {{ end }} +{{ else if kindIs "slice" $._rox.additionalCAs }} + {{ range $contents := $._rox.additionalCAs }} + {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $contents) }} + {{ end }} +{{ else if kindIs "map" $._rox.additionalCAs }} + {{ range $name := keys $._rox.additionalCAs | sortAlpha }} + {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (get $._rox.additionalCAs $name)) }} + {{ end }} +{{ else if not (kindIs "invalid" $._rox.additionalCAs) }} + {{ include "srox.fail" (printf "Invalid kind %s for additionalCAs" (kindOf $._rox.additionalCAs)) }} +{{ end }} +{{ range $path, $contents := .Files.Glob "secrets/additional-cas/**" }} + {{ $name := trimPrefix "secrets/additional-cas/" $path }} + {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (toString $contents)) }} +{{ end }} +{{ $additionalCAs := dict }} +{{ range $idx, $elem := $additionalCAList }} + {{ if not (kindIs "string" $elem.contents) }} + {{ include "srox.fail" (printf "Invalid non-string contents kind %s at index %d (%q) of additionalCAs" (kindOf $elem.contents) $idx $elem.name) }} + {{ end }} + 
{{/* In a k8s secret, no characters other than alphanumeric, '.', '_' and '-' are allowed. Also, for the + update-ca-certificates script to work, the file names must end in '.crt'. */}} + + {{ $normalizedName := printf "%02d-%s.crt" $idx (regexReplaceAll "[^[:alnum:]._-]" $elem.name "-" | trimSuffix ".crt") }} + {{ $_ := set $additionalCAs $normalizedName $elem.contents }} +{{ end }} +{{ $_ = set $._rox "_additionalCAs" $additionalCAs }} + +{{/* + Final validation (after merging in defaults). + */}} + +{{ if and ._rox.helmManaged (not ._rox.clusterName) }} + {{ include "srox.fail" "No cluster name specified. Set 'clusterName' to the desired cluster name." }} +{{ end }} + +{{/* Image settings */}} +{{ include "srox.configureImage" (list $ ._rox.image.main) }} +{{ include "srox.configureImage" (list $ ._rox.image.collector) }} +{{ include "srox.configureImage" (list $ ._rox.image.scanner) }} + +{{ include "srox.initGlobalPrefix" (list $) }} + +{{/* ManagedBy related settings */}} +{{/* The field `helmManaged` defaults to true, therefore `managedBy` will only be changed to `MANAGER_TYPE_MANUAL` here + in case it was explicitly set `helmManaged=false`. */}} +{{- if not ._rox.helmManaged }} + {{ $_ = set $._rox "managedBy" "MANAGER_TYPE_MANUAL" }} +{{- end }} + +{{/* + Local scanner setup. + */}} + +{{/* Disable scanner always in kubectl outputs */}} + + +{{ if eq ._rox.scanner.disable false }} + {{ $centralDeployment := dict }} + {{ include "srox.safeLookup" (list $ $centralDeployment "apps/v1" "Deployment" $.Release.Namespace "central") }} + {{ if $centralDeployment.result }} + {{ include "srox.note" (list $ "Detected central running in the same namespace. 
Not deploying scanner from this chart and configuring sensor to use existing scanner instance, if any.") }} + {{ $_ := set $._rox.sensor.localImageScanning "enabled" "true" }} + {{ $_ := set $._rox.scanner "disable" true }} + {{ end }} +{{ end }} + +{{ if eq ._rox.scanner.disable false }} + {{ if ne ._rox.scanner.mode "slim" }} + {{ include "srox.fail" (print "Only scanner slim mode is allowed in Secured Cluster. To solve this, set to slim mode: scanner.mode=slim.") }} + {{ end }} + + {{ $_ := set $._rox.sensor.localImageScanning "enabled" "true" }} + {{ $_ := set $._rox.scanner "slimImage" ._rox.image.scanner }} + {{ $_ := set $._rox.scanner "slimDBImage" ._rox.image.scannerDb }} + {{ include "srox.scannerInit" (list $ $._rox.scanner) }} + {{ include "srox.configureImagePullSecrets" (list $ "imagePullSecrets" $._rox.imagePullSecrets "secured-cluster-services-main" (list "stackrox" "stackrox-scanner") $.Release.Namespace) }} +{{ end }} + +{{/* + Post-processing steps. + */}} + +{{ include "srox.configureImagePullSecretsForDockerRegistry" (list $ ._rox.mainImagePullSecrets) }} +{{ include "srox.configureImagePullSecretsForDockerRegistry" (list $ ._rox.collectorImagePullSecrets) }} + +{{ end }} + +{{ end }} diff --git a/4.3.5/secured-cluster-services/templates/_injected-ca-bundle.tpl b/4.3.5/secured-cluster-services/templates/_injected-ca-bundle.tpl new file mode 100644 index 0000000..f831139 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_injected-ca-bundle.tpl 
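Review bot: in the OpenShift monitoring block near the top of `srox.init`, both `{{ $_ := set $._rox "monitoring" (dict "openshift" (dict "enabled" true)) }}` and the default assignment right after it replace the whole `monitoring` map, so any other `monitoring.*` keys the user supplied are silently dropped; set the nested key instead (for example `set $._rox.monitoring.openshift "enabled" true`, after the config-shape merge has guaranteed the sub-dicts exist). Three smaller points in the same hunk: the comment "Only merge scanner config shapes if feature flag is enabled and kubectl output is disabled" no longer matches the code, which merges `$configShapeScanner` unconditionally, and "Disable scanner always in kubectl outputs" has no code beneath it; `{{ $_ := set $._rox.sensor.localImageScanning "enabled" "true" }}` stores the string "true" rather than the boolean `true`, which is truthy in an `if` but will not compare equal to a boolean and is emitted as a quoted string if the value is ever rendered with `toYaml`; and the image-pull-secret setup passes `$._rox._namespace` for main and collector but `$.Release.Namespace` for the scanner secrets and the central `safeLookup`, which should be unified unless the difference is deliberate.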
@@ -0,0 +1,29 @@ +{{/* + srox.injectedCABundleVolume + + Configures ConfigMap volume to use in a deployment. + */}} +{{- define "srox.injectedCABundleVolume" -}} +{{- if eq ._rox.env.openshift 4 }} +- name: trusted-ca-volume + configMap: + name: injected-cabundle-{{ .Release.Name }} + items: + - key: ca-bundle.crt + path: tls-ca-bundle.pem + optional: true +{{ end }} +{{ end }} + +{{/* + srox.injectedCABundleVolumeMount + + Mounts the srox.injectedCABundle volume to a container. + */}} +{{- define "srox.injectedCABundleVolumeMount" -}} +{{- if eq ._rox.env.openshift 4 }} +- name: trusted-ca-volume + mountPath: /etc/pki/injected-ca-trust/ + readOnly: true +{{ end }} +{{ end }} diff --git a/4.3.5/secured-cluster-services/templates/_labels.tpl b/4.3.5/secured-cluster-services/templates/_labels.tpl new file mode 100644 index 0000000..52714db --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_labels.tpl 
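Review bot: the header comments of `srox.injectedCABundleVolume` and `srox.injectedCABundleVolumeMount` should say that both helpers render nothing unless `._rox.env.openshift` equals 4, and that the ConfigMap `injected-cabundle-<release>` is referenced with `optional: true`, so a missing or not-yet-populated bundle yields an empty mount rather than a pod that fails to start; a reader of the mount path `/etc/pki/injected-ca-trust/` alone cannot tell that. Minor style point: the closing `{{ end }}` lines are not whitespace-trimmed (`{{- end }}`) although the defines are, which leaves stray blank lines in the rendered YAML list.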
@@ -0,0 +1,31 @@ +{{/* + srox._labels $labels $ $objType $objName $forPod + + Writes all applicable [pod] labels (including default labels) for $objType/$objName + into $labels. Pod labels are written iff $forPod is true. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.labels". + */}} +{{ define "srox._labels" }} +{{ $labels := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $forPod := index . 4 }} +{{ $_ := set $labels "app.kubernetes.io/name" "stackrox" }} +{{ $_ = set $labels "app.kubernetes.io/managed-by" $.Release.Service }} +{{ $_ = set $labels "helm.sh/chart" (printf "%s-%s" $.Chart.Name ($.Chart.Version | replace "+" "_")) }} +{{ $_ = set $labels "app.kubernetes.io/instance" $.Release.Name }} +{{ $_ = set $labels "app.kubernetes.io/version" $.Chart.AppVersion }} +{{ $_ = set $labels "app.kubernetes.io/part-of" "stackrox-secured-cluster-services" }} +{{ $component := regexReplaceAll "^.*/(admission-control|collector|sensor)[^/]*\\.yaml" $.Template.Name "${1}" }} +{{ if not (contains "/" $component) }} + {{ $_ = set $labels "app.kubernetes.io/component" $component }} +{{ end }} +{{ $metadataNames := list "labels" }} +{{ if $forPod }} + {{ $metadataNames = append $metadataNames "podLabels" }} +{{ end }} +{{ include "srox._customizeMetadata" (list $ $labels $objType $objName $metadataNames) }} +{{ end }} diff --git a/4.3.5/secured-cluster-services/templates/_lookup.tpl b/4.3.5/secured-cluster-services/templates/_lookup.tpl new file mode 100644 index 0000000..17f6306 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_lookup.tpl 
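Review bot: the `app.kubernetes.io/component` label is derived from the template file name via `regexReplaceAll "^.*/(admission-control|collector|sensor)[^/]*\\.yaml" $.Template.Name "${1}"`, and the follow-up test `if not (contains "/" $component)` only works because an unmatched name is the full template path, which still contains a slash. Any template added later whose file name does not start with one of those three words silently gets no component label; please state this naming contract in the header comment so the coupling is visible to whoever adds the next resource.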
@@ -0,0 +1,40 @@ +{{/* + srox.safeLookup $ $out $apiVersion $kind $ns $name + + This function does nothing if $.meta.useLookup is false; otherwise, it will + perform a `lookup $apiVersion $kind $ns $name` operation and store the result in + $out.result. + + Additionally, if a lookup was attempted, $out.reliable will contain a bool indicating + whether the result of lookup can be relied upon. This is determined to be the case if + the default service account in the release namespace can be found. + */}} +{{ define "srox.safeLookup" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ if $._rox.meta.useLookup }} + {{ if kindIs "invalid" $._rox._state.lookupWorks }} + {{ $testOut := dict }} + {{ include "srox._doLookup" (list $ $testOut "v1" "ServiceAccount" $._rox._namespace "default") }} + {{ $_ := set $._rox._state "lookupWorks" ($testOut.result | not | not) }} + {{ end }} + {{ include "srox._doLookup" . }} + {{ $_ := set $out "reliable" $._rox._state.lookupWorks }} +{{ end }} +{{ end }} + + +{{/* + srox._doLookup $ $out $apiVersion $kind $ns $name + + Calls "lookup" with arguments $apiVersion $kind $ns $name, and stores the result + in $out.result. + + This function exists to prevent a parse error if the lookup function isn't defined. It does + so by deferring the execution of lookup to a template string instantiated via `tpl`. + */}} +{{ define "srox._doLookup" }} +{{ $ := index . 0 }} +{{ $tplArgs := dict "Template" $.Template "out" (index . 1) "apiVersion" (index . 2) "kind" (index . 3) "ns" (index . 4) "name" (index . 5) }} +{{ $_ := tpl "{{ $_ := set .out \"result\" (lookup .apiVersion .kind .ns .name) }}" $tplArgs }} +{{ end }} diff --git a/4.3.5/secured-cluster-services/templates/_metadata.tpl b/4.3.5/secured-cluster-services/templates/_metadata.tpl new file mode 100644 index 0000000..3ed131f --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_metadata.tpl 
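Review bot: the reliability probe in `srox.safeLookup` looks up the `default` ServiceAccount in `$._rox._namespace` and caches the result in `_state.lookupWorks`, yet `srox.init` calls `srox.safeLookup` for the central Deployment with `$.Release.Namespace`; if the two namespaces ever differ, `$out.reliable` describes a namespace other than the one actually queried. Either probe the namespace passed in `index . 4` on the first call or have all callers pass the same value. Also note in the comment that `$out.reliable` is left unset (nil) when `meta.useLookup` is false, so callers must treat nil and false the same way.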
@@ -0,0 +1,194 @@ +{{/* + srox.labels $ $objType $objName + + Format labels for $objType/$objName as YAML. + */}} +{{- define "srox.labels" -}} +{{- $labels := dict -}} +{{- $_ := include "srox._labels" (append (prepend . $labels) false) -}} +{{- toYaml $labels -}} +{{- end -}} + +{{/* + srox.podLabels $ $objType $objName + + Format pod labels for $objType/$objName as YAML. + */}} +{{- define "srox.podLabels" -}} +{{- $labels := dict -}} +{{- $_ := include "srox._labels" (append (prepend . $labels) true) -}} +{{- toYaml $labels -}} +{{- end -}} + +{{/* + srox.annotations $ $objType $objName + + Format annotations for $objType/$objName as YAML. + */}} +{{- define "srox.annotations" -}} +{{- $annotations := dict -}} +{{- $_ := include "srox._annotations" (append (prepend . $annotations) false) -}} +{{- toYaml $annotations -}} +{{- end -}} + +{{/* + srox.podAnnotations $ $objType $objName + + Format pod annotations for $objType/$objName as YAML. + */}} +{{- define "srox.podAnnotations" -}} +{{- $annotations := dict -}} +{{- $_ := include "srox._annotations" (append (prepend . $annotations) true) -}} +{{- toYaml $annotations -}} +{{- end -}} + +{{/* + srox.envVars $ $objType $objName $containerName + + Format environment variables for container $containerName in + $objType/$objName as YAML. + */}} +{{- define "srox.envVars" -}} +{{- $envVars := dict -}} +{{- $_ := include "srox._envVars" (prepend . $envVars) -}} +{{- range $k := keys $envVars | sortAlpha -}} +{{- $v := index $envVars $k }} +- name: {{ quote $k }} +{{- if kindIs "map" $v }} + {{- toYaml $v | nindent 2 }} +{{- else }} + value: {{ quote $v }} +{{- end }} +{{ end -}} +{{- end -}} + +{{/* + srox._annotations $annotations $ $objType $objName $forPod + + Writes all applicable [pod] annotations (including default annotations) for + $objType/$objName into $annotations. Pod labels are written iff $forPod is true. 
+ + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.annotations". + */}} +{{ define "srox._annotations" }} +{{ $annotations := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $forPod := index . 4 }} +{{ $_ := set $annotations "meta.helm.sh/release-namespace" $.Release.Namespace }} +{{ $_ = set $annotations "meta.helm.sh/release-name" $.Release.Name }} +{{ $_ = set $annotations "owner" "stackrox" }} +{{ $_ = set $annotations "email" "support@stackrox.com" }} +{{ $metadataNames := list "annotations" }} +{{ if $forPod }} + {{ $metadataNames = append $metadataNames "podAnnotations" }} +{{ end }} +{{ include "srox._customizeMetadata" (list $ $annotations $objType $objName $metadataNames) }} +{{ end }} + +{{/* + srox._envVars $envVars $ $objType $objName $containerName + + Writes all applicable environment variables for $objType/$objName + into $envVars. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.envVars". + */}} +{{ define "srox._envVars" }} +{{ $envVars := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $containerName := index . 
4 }} +{{ $metadataNames := list "envVars" }} +{{ include "srox._customizeMetadata" (list $ $envVars $objType $objName $metadataNames) }} +{{ if $containerName }} + {{ $containerKey := printf "/%s" $containerName }} + {{ $envVarsForContainer := index $envVars $containerKey }} + {{ if $envVarsForContainer }} + {{ include "srox.destructiveMergeOverwrite" (list $envVars $envVarsForContainer) }} + {{ end }} +{{ end }} + +{{/* Remove all entries starting with / */}} +{{ range $key, $_ := $envVars }} + {{ if hasPrefix "/" $key }} + {{ $_ := unset $envVars $key }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox._customizeMetadata $ $metadata $objType $objName $metadataNames + + Writes custom key/value metadata to $metadata by consulting all sub-dicts with names in + $metadataNames under the applicable custom metadata locations (._rox.customize, + ._rox.customize.other.$objType/*, ._rox.customize.other.$objType/$objName, and + ._rox.customizer.$objName [workloads only]). Dictionaries are consulted in this order, with + values from dictionaries consulted later overwriting values from dictionaries consulted + earlier. + */}} +{{ define "srox._customizeMetadata" }} +{{ $ := index . 0 }} +{{ $metadata := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $metadataNames := index . 
4 }} + +{{ $overrideDictPaths := list "" (printf "other.%s/*" $objType) (printf "other.%s/%s" $objType $objName) }} +{{ if has $objType (list "deployment" "daemonset") }} + {{ $overrideDictPaths = append $overrideDictPaths $objName }} +{{ end }} + +{{ range $dictPath := $overrideDictPaths }} + {{ $customizeDict := $._rox.customize }} + {{ if $dictPath }} + {{ $resolvedOut := dict }} + {{ include "srox.safeDictLookup" (list $._rox.customize $resolvedOut $dictPath) }} + {{ $customizeDict = $resolvedOut.result }} + {{ end }} + {{ if $customizeDict }} + {{ range $metadataName := $metadataNames }} + {{ $customMetadata := index $customizeDict $metadataName }} + {{ include "srox.destructiveMergeOverwrite" (list $metadata $customMetadata) }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} + +{{/* Add namespace specific prefixes for global resources to avoid resource name clashes for multi-namespace deployments. */}} +{{- define "srox.globalResourceName" -}} +{{- $ := index . 0 -}} +{{- $name := index . 1 -}} + +{{- if eq $.Release.Namespace "stackrox" -}} + {{- /* Standard namespace, use resource name as is. */ -}} + {{- $name -}} +{{- else -}} + {{- /* Add global prefix to resource name. */ -}} + {{- printf "%s-%s" $._rox.globalPrefix (trimPrefix "stackrox-" $name) -}} +{{- end -}} +{{- end -}} + +{{/* + srox.initGlobalPrefix $ + + Initializes prefix for global resources. + */}} +{{- define "srox.initGlobalPrefix" -}} +{{- $ := index . 0 -}} +{{ if kindIs "invalid" $._rox.globalPrefix }} + {{ if eq $.Release.Namespace "stackrox" }} + {{ $_ := set $._rox "globalPrefix" "stackrox" }} + {{ else }} + {{ $_ := set $._rox "globalPrefix" (printf "stackrox-%s" (trimPrefix "stackrox-" $.Release.Namespace)) }} + {{ end }} +{{ end }} + +{{ if ne $._rox.globalPrefix "stackrox" }} + {{ include "srox.note" (list $ (printf "Global Kubernetes resources are prefixed with '%s'." $._rox.globalPrefix)) }} +{{- end -}} +{{- end -}} 
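Review bot: the header comment of `srox._customizeMetadata` lists `._rox.customizer.$objName [workloads only]` as the last lookup location, but the code resolves `$objName` under `._rox.customize` (via `srox.safeDictLookup` on `$._rox.customize`), so the comment should read `._rox.customize.$objName`. Two smaller documentation points: the `srox._annotations` header says "Pod labels are written iff $forPod is true" where it means pod annotations, and `srox._annotations` hard-codes `owner: stackrox` and `email: support@stackrox.com` on every object without saying whether `customize.annotations` is meant to override them (it can, since custom metadata is merged last).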
diff --git a/4.3.5/secured-cluster-services/templates/_openshift.tpl b/4.3.5/secured-cluster-services/templates/_openshift.tpl new file mode 100644 index 0000000..85201cb --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_openshift.tpl 
@@ -0,0 +1,47 @@ +{{/* + srox.autoSenseOpenshiftVersion $ + + This function detects the OpenShift version automatically based on the cluster the Helm chart is installed onto. + It writes the result to ._rox.env.openshift as an integer. + Possible results are: + - 3 (OpenShift 3) + - 4 (OpenShift 4) + - 0 (Non-Openshift cluster) + + If "true" is passed for $._rox.env.openshift the OpenShift version is detected based on the Kubernetes cluster version. + If the Kubernetes version is not available (i.e. when using Helm template) auto-sensing falls back on OpenShift 3 to be + backward compatible. + */}} + +{{ define "srox.autoSenseOpenshiftVersion" }} + +{{ $ := index . 0 }} +{{ $env := $._rox.env }} + +{{/* Infer OpenShift, if needed */}} +{{ if kindIs "invalid" $env.openshift }} + {{ $_ := set $env "openshift" (has "apps.openshift.io/v1" $._rox._apiServer.apiResources) }} +{{ end }} + +{{/* Infer openshift version */}} +{{ if and $env.openshift (kindIs "bool" $env.openshift) }} + {{/* Parse and add KubeVersion as semver from built-in resources. This is necessary to compare valid integer numbers. */}} + {{ $kubeVersion := semver $.Capabilities.KubeVersion.Version }} + + {{/* Default to OpenShift 3 if no openshift resources are available, i.e. in helm template commands */}} + {{ if not (has "apps.openshift.io/v1" $._rox._apiServer.apiResources) }} + {{ $_ := set $._rox.env "openshift" 3 }} + {{ else if gt $kubeVersion.Minor 11 }} + {{ $_ := set $env "openshift" 4 }} + {{ else }} + {{ $_ := set $env "openshift" 3 }} + {{ end }} + {{ include "srox.note" (list $ (printf "Based on API server properties, we have inferred that you are deploying into an OpenShift %d.x cluster. Set the `env.openshift` property explicitly to 3 or 4 to override the auto-sensed value." 
$env.openshift)) }} +{{ end }} +{{ if not (kindIs "bool" $env.openshift) }} + {{ $_ := set $env "openshift" (int $env.openshift) }} +{{ else if not $env.openshift }} + {{ $_ := set $env "openshift" 0 }} +{{ end }} + +{{ end }} diff --git a/4.3.5/secured-cluster-services/templates/_psp.tpl b/4.3.5/secured-cluster-services/templates/_psp.tpl new file mode 100644 index 0000000..bffb2a0 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_psp.tpl @@ -0,0 +1,19 @@ +{{/* + srox.autoSensePodSecurityPolicies $ + */}} + +{{ define "srox.autoSensePodSecurityPolicies" }} + +{{ $ := index . 0 }} +{{ $system := $._rox.system }} + +{{ if kindIs "invalid" $system.enablePodSecurityPolicies }} + {{ $_ := set $system "enablePodSecurityPolicies" (has "policy/v1beta1" $._rox._apiServer.apiResources) }} + {{ if $system.enablePodSecurityPolicies }} + {{ include "srox.note" (list $ (printf "PodSecurityPolicies are enabled, since your environment supports them according to API server properties.")) }} + {{ else }} + {{ include "srox.note" (list $ (printf "PodSecurityPolicies are disabled, since your environment does not support them according to API server properties.")) }} + {{ end }} +{{ end }} + +{{ end }} diff --git a/4.3.5/secured-cluster-services/templates/_reporting.tpl b/4.3.5/secured-cluster-services/templates/_reporting.tpl new file mode 100644 index 0000000..621e284 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_reporting.tpl 
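Review bot: in `srox.autoSenseOpenshiftVersion`, the final normalisation `{{ $_ := set $env "openshift" (int $env.openshift) }}` converts a non-boolean value with Sprig's `int`, which returns 0 for anything it cannot parse; an operator who passes `env.openshift=four` or a mistyped string therefore ends up with the chart deploying in non-OpenShift mode (0) with no error, which in turn disables the OpenShift-only features and SCCs. Validate with `srox.fail` when the converted value is not one of 0, 3 or 4. Minor: the inference branch writes `$._rox.env` in one line and `$env` in the others; they are the same map, but using `$env` throughout makes that obvious.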
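Review bot: in `srox.autoSensePodSecurityPolicies`, `has "policy/v1beta1" $._rox._apiServer.apiResources` only tells you the `policy/v1beta1` group/version is served, which was also the case for PodDisruptionBudget up to Kubernetes 1.25 and says nothing about whether the PodSecurityPolicy admission plugin is enabled; since `.Capabilities.APIVersions` also carries `group/version/Kind` entries, checking `policy/v1beta1/PodSecurityPolicy` is the more precise probe, and the header comment (currently just the template name) should say what is being inferred and why. Style: the two `printf` calls wrap literal strings with no format arguments and can be dropped.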
@@ -0,0 +1,34 @@ +{{/* + srox.fail $message + + Print a nicely-formatted fatal error message and exit. + */}} +{{ define "srox.fail" }} +{{ printf "\n\nFATAL ERROR:\n%s" . | wrap 100 | fail }} +{{ end }} + +{{/* + srox.warn $ $message + + Add $message to the list of encountered warnings. + */}} +{{ define "srox.warn" }} +{{ $ := index . 0 }} +{{ $msg := index . 1 }} +{{ $warnings := $._rox._state.warnings }} +{{ $warnings = append $warnings $msg }} +{{ $_ := set $._rox._state "warnings" $warnings }} +{{ end }} + +{{/* + srox.note $ $message + + Add $message to the list notes that will be shown to the user after installation/upgrade. + */}} +{{ define "srox.note" }} +{{ $ := index . 0 }} +{{ $msg := index . 1 }} +{{ $notes := $._rox._state.notes }} +{{ $notes = append $notes $msg }} +{{ $_ := set $._rox._state "notes" $notes }} +{{ end }} diff --git a/4.3.5/secured-cluster-services/templates/_scanner_init.tpl b/4.3.5/secured-cluster-services/templates/_scanner_init.tpl new file mode 100644 index 0000000..75fbe95 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/_scanner_init.tpl 
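Review bot: `srox.fail` takes a bare message while `srox.warn` and `srox.note` take `(list $ $message)`; elsewhere in this patch `srox.fail` is invoked both with `(printf ...)` and with a plain string literal, so the asymmetry is easy to get wrong at a new call site (passing a list to `srox.fail` would print the list's Go representation instead of the message). Either accept a list in `srox.fail` too and take `index . 1`, or spell out the differing signatures in the header comments. Also worth noting in the comment that `wrap 100` reflows the message before `fail`, so callers should not rely on their own line breaks.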
@@ -0,0 +1,40 @@ +{{/* + srox.scannerInit . $scannerConfig + + Initializes the scanner configuration. The scanner chart has two modes "full" and + "slim". + The "full" mode is used for stand-alone deployments, mostly along with StackRox's Central service. In this + mode, the image contains vulnerability data and the Helm chart can create its own certificates. + + The "slim" mode is used to deploy Scanner with a smaller image and does not generate TLS certificates, + typically deployed within a Secured Cluster to scan images stored in a registry only accessible to the current cluster. + The scanner chart defaults to "full" mode if no mode was provided. + + $scannerConfig contains all values which are configured by the user. The structure can be viewed in the according + config-shape. See internal/scanner-config-shape.yaml. + */}} + +{{ define "srox.scannerInit" }} + +{{ $ := index . 0 }} +{{ $scannerCfg := index . 1 }} + +{{ if or (eq $scannerCfg.mode "") (eq $scannerCfg.mode "full") }} + {{ include "srox.configureImage" (list $ $scannerCfg.image) }} + {{ include "srox.configureImage" (list $ $scannerCfg.dbImage) }} + + {{ $scannerCertSpec := dict "CN" "SCANNER_SERVICE: Scanner" "dnsBase" "scanner" }} + {{ include "srox.configureCrypto" (list $ "scanner.serviceTLS" $scannerCertSpec) }} + + {{ $scannerDBCertSpec := dict "CN" "SCANNER_DB_SERVICE: Scanner DB" "dnsBase" "scanner-db" }} + {{ include "srox.configureCrypto" (list $ "scanner.dbServiceTLS" $scannerDBCertSpec) }} +{{ else if eq $scannerCfg.mode "slim" }} + {{ include "srox.configureImage" (list $ $scannerCfg.slimImage) }} + {{ include "srox.configureImage" (list $ $scannerCfg.slimDBImage) }} +{{ else }} + {{ include "srox.fail" (printf "Unknown scanner mode %s" $scannerCfg.mode) }} +{{ end }} + +{{ include "srox.configurePassword" (list $ "scanner.dbPassword") }} + +{{ end }} 
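Review bot: the "full" branch of `srox.scannerInit` (the `or (eq $scannerCfg.mode "") (eq $scannerCfg.mode "full")` case, which generates scanner and scanner-db certificates via `srox.configureCrypto`) is unreachable from this chart, because `srox.init` already fails on anything other than `scanner.mode=slim` before calling `srox.scannerInit`; the header comment still says the chart "defaults to full mode if no mode was provided", which is misleading for the secured-cluster chart. Either state in the comment that the full branch exists for sharing with the central-services chart, or drop it here. Note also that `srox.configurePassword` for `scanner.dbPassword` runs in both modes, which is fine but should be documented since slim mode otherwise generates no secrets.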
diff --git a/4.3.5/secured-cluster-services/templates/additional-ca-sensor.yaml b/4.3.5/secured-cluster-services/templates/additional-ca-sensor.yaml new file mode 100644 index 0000000..aa1801c --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/additional-ca-sensor.yaml @@ -0,0 +1,19 @@ +{{- include "srox.init" . -}} + +{{- if ._rox._additionalCAs }} +apiVersion: v1 +kind: Secret +metadata: + name: additional-ca-sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "additional-ca-sensor") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "additional-ca-sensor") | nindent 4 }} +type: Opaque +stringData: + {{- range $name, $cert := ._rox._additionalCAs }} + {{ $name | quote }}: | + {{- $cert | nindent 4 }} + {{- end }} +{{- end }} diff --git a/4.3.5/secured-cluster-services/templates/admission-controller-netpol.yaml b/4.3.5/secured-cluster-services/templates/admission-controller-netpol.yaml new file mode 100644 index 0000000..1ab0341 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/admission-controller-netpol.yaml 
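Review bot: the `additional-ca-sensor` Secret writes every entry of `._rox._additionalCAs` into `stringData` without any check on the contents; `srox.init` only verifies the value is a string and normalises the file name to end in `.crt`, so a mis-pasted private key or an empty file would be mounted into the trust store under a `.crt` name. A cheap guard in the init loop, failing when the contents do not contain a `BEGIN CERTIFICATE` block, would catch that before it reaches the cluster. Minor: the `{{ $name | quote }}: |` key form is correct, but a trailing comment saying the names were normalised by `srox.init` would save the next reader a trip to `_init.tpl`.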
@@ -0,0 +1,46 @@ +{{- include "srox.init" . -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: admission-control-no-ingress + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "admission-control-no-ingress") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "admission-control-no-ingress") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: admission-control + ingress: + - ports: + - protocol: TCP + port: 8443 + policyTypes: + - Ingress + +{{- if ._rox.admissionControl.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: admission-control-monitoring + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "admission-control-monitoring") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "admission-control-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: admission-control + policyTypes: + - Ingress +{{- end }} diff --git a/4.3.5/secured-cluster-services/templates/admission-controller-pod-security.yaml b/4.3.5/secured-cluster-services/templates/admission-controller-pod-security.yaml new file mode 100644 index 0000000..d4011f4 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/admission-controller-pod-security.yaml 
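Review bot: the first NetworkPolicy is named `admission-control-no-ingress`, but its `ingress` rule has no `from:` clause, so it permits TCP 8443 from any source; that is required because webhook calls originate from the API server outside the pod network, yet neither the name nor a comment says so, and a reader auditing policies will assume the pod is isolated. Rename it (for example `admission-control-ingress-8443`) or add a comment explaining the open source. For `admission-control-monitoring`, port 9090 is likewise open to every namespace; where the scrape origin is known, a `from:` with a `namespaceSelector` for the monitoring namespace keeps metrics from being readable cluster-wide.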
@@ -0,0 +1,76 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.system.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: stackrox-admission-control + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-admission-control") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox-admission-control-psp + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-admission-control-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-admission-control-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - stackrox-admission-control + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-admission-control-psp + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-admission-control-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"rolebinding" "stackrox-admission-control-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: stackrox-admission-control-psp +subjects: + - kind: ServiceAccount + name: admission-control + namespace: {{ ._rox._namespace }} +{{- end }} diff --git a/4.3.5/secured-cluster-services/templates/admission-controller-rbac.yaml b/4.3.5/secured-cluster-services/templates/admission-controller-rbac.yaml new file mode 100644 index 0000000..1e4e11e --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/admission-controller-rbac.yaml 
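Review bot: the `stackrox-admission-control` PodSecurityPolicy does not set `readOnlyRootFilesystem: true` or `requiredDropCapabilities`, while the SecurityContextConstraints for the same workload in this patch sets `readOnlyRootFilesystem: true`; the two policies should express the same baseline, so add `readOnlyRootFilesystem: true` and `requiredDropCapabilities: [ALL]` to the PSP (the pod already runs as a fixed non-root UID 4000 with `allowPrivilegeEscalation: false`, so nothing in it should need default capabilities). Also document in a comment that `policy/v1beta1` PodSecurityPolicy is gone in Kubernetes 1.25 and that the whole block is gated by `system.enablePodSecurityPolicies`, so readers know this is the legacy path.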
@@ -0,0 +1,50 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: admission-control + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "admission-control") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.mainImagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: watch-config + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "role" "watch-config") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "role" "watch-config") | nindent 4 }} +rules: + - apiGroups: [''] + resources: ['configmaps'] + verbs: ['get', 'list', 'watch'] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: admission-control-watch-config + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "admission-control-watch-config") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "admission-control-watch-config") | nindent 4 }} +subjects: + - kind: ServiceAccount + name: admission-control + namespace: {{ ._rox._namespace }} +roleRef: + kind: Role + name: watch-config + apiGroup: rbac.authorization.k8s.io diff --git a/4.3.5/secured-cluster-services/templates/admission-controller-scc.yaml b/4.3.5/secured-cluster-services/templates/admission-controller-scc.yaml new file mode 100644 index 0000000..e6bb807 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/admission-controller-scc.yaml 
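Review bot: the `watch-config` Role grants `get`, `list` and `watch` on every ConfigMap in the namespace, which is broader than an admission controller that reads its own configuration needs; if it consumes a fixed set of ConfigMaps, add `resourceNames` for `get` and `watch` (bearing in mind that `list` cannot be narrowed by `resourceNames`, so either drop `list` from the rule or accept the wider read). A one-line comment naming the ConfigMap(s) the controller watches would make the scope reviewable.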
@@ -0,0 +1,46 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox.env.openshift ._rox.system.createSCCs }} + +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: stackrox-admission-control + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-admission-control") | nindent 4 }} + kubernetes.io/description: stackrox-admission-control is the security constraint for the admission controller +users: + - system:serviceaccount:{{ ._rox._namespace }}:admission-control +priority: 0 +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +supplementalGroups: + type: RunAsAny +fsGroup: + type: RunAsAny +groups: [] +readOnlyRootFilesystem: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: [] +defaultAddCapabilities: [] +requiredDropCapabilities: [] +volumes: + - configMap + - downwardAPI + - emptyDir + - secret + +{{- end }} diff --git a/4.3.5/secured-cluster-services/templates/admission-controller-secret.yaml b/4.3.5/secured-cluster-services/templates/admission-controller-secret.yaml new file mode 100644 index 0000000..3abcb9a --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/admission-controller-secret.yaml 
@@ -0,0 +1,30 @@ +{{- include "srox.init" . -}} + +{{- if or ._rox.createSecrets (and (kindIs "invalid" ._rox.createSecrets) (or ._rox.admissionControl.serviceTLS._cert ._rox.admissionControl.serviceTLS._key)) }} + +{{/* Admission control TLS secret isn't required, so do not fail here. */}} +{{- if and ._rox.ca._cert ._rox.admissionControl.serviceTLS._cert ._rox.admissionControl.serviceTLS._key }} + +apiVersion: v1 +kind: Secret +metadata: + name: admission-control-tls + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "admission-control-tls") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + {{- include "srox.annotations" (list . "secret" "admission-control-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox.ca._cert | nindent 4 }} + admission-control-cert.pem: | + {{- ._rox.admissionControl.serviceTLS._cert | nindent 4 }} + admission-control-key.pem: | + {{- ._rox.admissionControl.serviceTLS._key | nindent 4 }} + +{{- end }} +{{- end }} diff --git a/4.3.5/secured-cluster-services/templates/admission-controller.yaml b/4.3.5/secured-cluster-services/templates/admission-controller.yaml new file mode 100644 index 0000000..778076d --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/admission-controller.yaml 
@@ -0,0 +1,246 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: admission-control + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "deployment" "admission-control") | nindent 4 }} + app: admission-control + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "deployment" "admission-control") | nindent 4 }} +spec: + replicas: {{ ._rox.admissionControl.replicas }} + minReadySeconds: 0 + selector: + matchLabels: + app: admission-control + template: + metadata: + namespace: {{ ._rox._namespace }} + labels: + app: admission-control + {{- include "srox.podLabels" (list . "deployment" "admission-control") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8443" + {{- include "srox.podAnnotations" (list . "deployment" "admission-control") | nindent 8 }} + spec: + # Attempt to schedule these on master nodes + {{- if ._rox.admissionControl.tolerations }} + tolerations: + {{- toYaml ._rox.admissionControl.tolerations | nindent 8 }} + {{- end }} + affinity: + {{- toYaml ._rox.admissionControl.affinity | nindent 8 }} + {{- if ._rox.admissionControl._nodeSelector }} + nodeSelector: + {{- ._rox.admissionControl._nodeSelector | nindent 8 }} + {{- end}} + {{- if not ._rox.env.openshift }} + securityContext: + runAsUser: 4000 + fsGroup: 4000 + {{- end }} + serviceAccountName: admission-control + containers: + - image: {{ quote ._rox.image.main.fullRef }} + imagePullPolicy: {{ ._rox.admissionControl.imagePullPolicy }} + name: admission-control + readinessProbe: + httpGet: + scheme: HTTPS + path: /ready + port: 8443 + initialDelaySeconds: 5 + periodSeconds: 5 + failureThreshold: 1 + ports: + - containerPort: 8443 + name: webhook + command: + - admission-control + resources: + {{- ._rox.admissionControl._resources | nindent 12 }} + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + env: + - name: GOMEMLIMIT + 
valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ROX_SENSOR_ENDPOINT + value: {{ ._rox.sensor.endpoint }} + {{- include "srox.envVars" (list . "deployment" "admission-controller" "admission-controller") | nindent 10 }} + volumeMounts: + - name: config + mountPath: /run/config/stackrox.io/admission-control/config/ + readOnly: true + - name: config-store + mountPath: /var/lib/stackrox/admission-control/ + - name: ca + mountPath: /run/secrets/stackrox.io/ca/ + readOnly: true + - name: certs + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: ssl + mountPath: /etc/ssl + - name: pki + mountPath: /etc/pki/ca-trust/ + - name: additional-cas + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + {{- include "srox.injectedCABundleVolumeMount" . | nindent 12 }} + volumes: + - name: certs + secret: + secretName: admission-control-tls + optional: true + items: + - key: admission-control-cert.pem + path: cert.pem + - key: admission-control-key.pem + path: key.pem + - key: ca.pem + path: ca.pem + - name: ca + secret: + secretName: service-ca + optional: true + - name: config + configMap: + name: admission-control + optional: true + - name: config-store + emptyDir: {} + - name: ssl + emptyDir: {} + - name: pki + emptyDir: {} + - name: additional-cas + secret: + secretName: additional-ca-sensor + optional: true + {{- include "srox.injectedCABundleVolume" . | nindent 8 }} +--- + +apiVersion: v1 +kind: Service +metadata: + name: admission-control + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "service" "admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"service" "admission-control") | nindent 4 }} +spec: + ports: + - name: https + port: 443 + targetPort: webhook + protocol: TCP + selector: + app: admission-control + type: ClusterIP + sessionAffinity: None +--- +{{- if ne ._rox.env.openshift 3 }} +apiVersion: admissionregistration.k8s.io/v1 +{{- else }} +apiVersion: admissionregistration.k8s.io/v1beta1 +{{- end }} +kind: ValidatingWebhookConfiguration +metadata: + name: stackrox + labels: + {{- include "srox.labels" (list . "validatingwebhookconfiguration" "stackrox") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "validatingwebhookconfiguration" "stackrox") | nindent 4 }} +{{- if not (or ._rox.admissionControl.listenOnEvents ._rox.admissionControl.listenOnCreates ._rox.admissionControl.listenOnUpdates) }} +webhooks: [] +{{- else }} +webhooks: + {{- if or ._rox.admissionControl.listenOnCreates ._rox.admissionControl.listenOnUpdates }} + - name: policyeval.stackrox.io + {{- if ne ._rox.env.openshift 3 }} + sideEffects: NoneOnDryRun + admissionReviewVersions: [ "v1", "v1beta1" ] + timeoutSeconds: {{ add 2 ._rox.admissionControl.dynamic.timeout }} + {{- end }} + rules: + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + {{- if ._rox.admissionControl.listenOnCreates }} + - CREATE + {{- end }} + {{- if ._rox.admissionControl.listenOnUpdates }} + - UPDATE + {{- end }} + resources: + - pods + - deployments + - replicasets + - replicationcontrollers + - statefulsets + - daemonsets + - cronjobs + - jobs + {{- if ._rox.env.openshift }} + - deploymentconfigs + {{- end }} + namespaceSelector: + matchExpressions: + - key: namespace.metadata.stackrox.io/name + operator: NotIn + values: + - stackrox + - kube-system + - kube-public + - istio-system + failurePolicy: Ignore + clientConfig: + caBundle: {{ required "The 'ca.cert' config option MUST be set to StackRox's Service CA certificate in order for the admission controller to be usable" 
._rox.ca._cert | b64enc }} + service: + namespace: {{ ._rox._namespace }} + name: admission-control + path: /validate + {{- end}} + {{- if ._rox.admissionControl.listenOnEvents }} + - name: k8sevents.stackrox.io + {{- if ne ._rox.env.openshift 3 }} + sideEffects: NoneOnDryRun + admissionReviewVersions: [ "v1", "v1beta1" ] + timeoutSeconds: {{ add 2 ._rox.admissionControl.dynamic.timeout }} + {{- end }} + rules: + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CONNECT + resources: + - pods + - pods/exec + - pods/portforward + failurePolicy: Ignore + clientConfig: + caBundle: {{ required "The 'ca.cert' config option MUST be set to StackRox's Service CA certificate in order for the admission controller to be usable" ._rox.ca._cert | b64enc }} + service: + namespace: {{ ._rox._namespace }} + name: admission-control + path: /events + {{- end }} +{{- end }} diff --git a/4.3.5/secured-cluster-services/templates/cluster-config.yaml b/4.3.5/secured-cluster-services/templates/cluster-config.yaml new file mode 100644 index 0000000..20c81f6 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/cluster-config.yaml @@ -0,0 +1,14 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: Secret +metadata: + name: helm-cluster-config + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "helm-cluster-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "helm-cluster-config") | nindent 4 }} +stringData: + config.yaml: | + {{- tpl (.Files.Get "internal/cluster-config.yaml.tpl") . | nindent 4 }} diff --git a/4.3.5/secured-cluster-services/templates/collector-netpol.yaml b/4.3.5/secured-cluster-services/templates/collector-netpol.yaml new file mode 100644 index 0000000..3cf9214 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/collector-netpol.yaml 
@@ -0,0 +1,44 @@ +{{- include "srox.init" . -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: collector-no-ingress + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "collector-no-ingress") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "collector-no-ingress") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: collector + policyTypes: + - Ingress + +{{ if ._rox.collector.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: collector-monitoring + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "collector-monitoring") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "collector-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + - port: 9091 + protocol: TCP + podSelector: + matchLabels: + app: collector + policyTypes: + - Ingress +{{ end }} diff --git a/4.3.5/secured-cluster-services/templates/collector-pod-security.yaml b/4.3.5/secured-cluster-services/templates/collector-pod-security.yaml new file mode 100644 index 0000000..d11ef4b --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/collector-pod-security.yaml 
@@ -0,0 +1,72 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.system.enablePodSecurityPolicies }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox-collector-psp + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-collector-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-collector-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - stackrox-collector + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-collector-psp + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-collector-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-collector-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: stackrox-collector-psp +subjects: + - kind: ServiceAccount + name: collector + namespace: {{ ._rox._namespace }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: stackrox-collector + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-collector") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-collector") | nindent 4 }} +spec: + privileged: true + allowPrivilegeEscalation: true + allowedCapabilities: + - '*' + volumes: + - '*' + allowedHostPaths: + - pathPrefix: / + readOnly: true + hostNetwork: false + hostIPC: false + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} 
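Review bot: the `stackrox-collector` PodSecurityPolicy in collector-pod-security.yaml is wider than both the DaemonSet in collector.yaml and the `stackrox-collector` SCC in collector-scc.yaml: it allows `hostPID: true` although the DaemonSet never sets `hostPID`, and `volumes: ['*']` where the SCC enumerates only `configMap`, `downwardAPI`, `emptyDir`, `hostPath` and `secret`. Since the `collector` and `compliance` containers already run with `readOnlyRootFilesystem: true`, the PSP could require that too. Aligning the PSP with the SCC keeps the two enforcement paths equivalent, so a pod admitted under one would also be admitted under the other.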
diff --git a/4.3.5/secured-cluster-services/templates/collector-rbac.yaml b/4.3.5/secured-cluster-services/templates/collector-rbac.yaml new file mode 100644 index 0000000..5d4ffd9 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/collector-rbac.yaml @@ -0,0 +1,16 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: collector + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "collector") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "collector") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := concat ._rox.collectorImagePullSecrets._names ._rox.mainImagePullSecrets._names | uniq }} +- name: {{ quote $secretName }} +{{- end }} diff --git a/4.3.5/secured-cluster-services/templates/collector-scc.yaml b/4.3.5/secured-cluster-services/templates/collector-scc.yaml new file mode 100644 index 0000000..48d47dc --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/collector-scc.yaml 
@@ -0,0 +1,91 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox.env.openshift ._rox.system.createSCCs }} + +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: stackrox-collector + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-collector") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-collector") | nindent 4 }} + kubernetes.io/description: This SCC is based on privileged, hostaccess, and hostmount-anyuid +users: + - system:serviceaccount:{{ ._rox._namespace }}:collector +allowHostDirVolumePlugin: true +allowPrivilegedContainer: true +fsGroup: + type: RunAsAny +groups: [] +priority: 0 +readOnlyRootFilesystem: true +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +supplementalGroups: + type: RunAsAny +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowedCapabilities: [] +defaultAddCapabilities: [] +requiredDropCapabilities: [] +volumes: + - configMap + - downwardAPI + - emptyDir + - hostPath + - secret + +{{- else if eq ._rox.env.openshift 4 }} + +{{- if false }} +# "fake" document separator to aid GVK extraction heuristic +--- +{{- end }} + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: use-privileged-scc + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "role" "use-privileged-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"role" "use-privileged-scc") | nindent 4 }} +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - privileged + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: collector-use-scc + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "collector-use-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "collector-use-scc") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: use-privileged-scc +subjects: +- kind: ServiceAccount + name: collector + namespace: {{ ._rox._namespace }} + +{{- end }} diff --git a/4.3.5/secured-cluster-services/templates/collector-secret.yaml b/4.3.5/secured-cluster-services/templates/collector-secret.yaml new file mode 100644 index 0000000..6b07ea2 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/collector-secret.yaml 
@@ -0,0 +1,30 @@ +{{- include "srox.init" . -}} + +{{- if or ._rox.createSecrets (and (kindIs "invalid" ._rox.createSecrets) (or ._rox.collector.serviceTLS._cert ._rox.collector.serviceTLS._key)) }} + +{{- if not (and ._rox.ca._cert ._rox.collector.serviceTLS._cert ._rox.collector.serviceTLS._key) }} + {{ include "srox.fail" "Requested secret creation, but not all of CA certificate, collector certificate, collector private key are available. Set the 'createSecrets' config option to false if you do not want secrets to be created." }} +{{- end }} + +apiVersion: v1 +kind: Secret +metadata: + labels: + {{- include "srox.labels" (list . "secret" "collector-tls") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + {{- include "srox.annotations" (list . "secret" "collector-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" + name: collector-tls + namespace: {{ ._rox._namespace }} +type: Opaque +stringData: + ca.pem: | + {{- ._rox.ca._cert | nindent 4 }} + collector-cert.pem: | + {{- ._rox.collector.serviceTLS._cert | nindent 4 }} + collector-key.pem: | + {{- ._rox.collector.serviceTLS._key | nindent 4 }} + +{{- end }} diff --git a/4.3.5/secured-cluster-services/templates/collector.yaml b/4.3.5/secured-cluster-services/templates/collector.yaml new file mode 100644 index 0000000..756c367 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/collector.yaml 
@@ -0,0 +1,218 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + {{- include "srox.labels" (list . "daemonset" "collector") | nindent 4 }} + service: collector + app: collector + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "daemonset" "collector") | nindent 4 }} + name: collector + namespace: {{ ._rox._namespace }} +spec: + selector: + matchLabels: + service: collector + template: + metadata: + namespace: {{ ._rox._namespace }} + labels: + service: collector + app: collector + {{- include "srox.podLabels" (list . "daemonset" "collector") | nindent 8 }} + annotations: + {{- include "srox.podAnnotations" (list . "daemonset" "collector") | nindent 8 }} + spec: + {{- if not ._rox.collector.disableTaintTolerations }} + tolerations: + {{- toYaml ._rox.collector.tolerations | nindent 6 }} + {{- end }} + {{- if ._rox.collector._nodeSelector }} + nodeSelector: + {{- ._rox.collector._nodeSelector | nindent 8 }} + {{- end}} + serviceAccountName: collector + containers: + {{- if ne ._rox.collector.collectionMethod "NO_COLLECTION"}} + - name: collector + image: {{ quote ._rox.image.collector.fullRef }} + imagePullPolicy: {{ ._rox.collector.imagePullPolicy }} + {{- if ._rox.collector.exposeMonitoring }} + ports: + - containerPort: 9090 + name: monitoring + {{- end }} + env: + - name: COLLECTOR_CONFIG + value: '{"tlsConfig":{"caCertPath":"/var/run/secrets/stackrox.io/certs/ca.pem","clientCertPath":"/var/run/secrets/stackrox.io/certs/cert.pem","clientKeyPath":"/var/run/secrets/stackrox.io/certs/key.pem"}}' + - name: COLLECTION_METHOD + value: {{ ._rox.collector.collectionMethod }} + - name: GRPC_SERVER + value: {{ ._rox.sensor.endpoint }} + - name: SNI_HOSTNAME + value: "sensor.stackrox.svc" + {{- include "srox.envVars" (list . 
"daemonset" "collector" "collector") | nindent 8 }} + resources: + {{- ._rox.collector._resources | nindent 10 }} + securityContext: + capabilities: + drop: + - NET_RAW + privileged: true + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /host/proc + name: proc-ro + readOnly: true + mountPropagation: HostToContainer + - mountPath: /module + name: tmpfs-module + - mountPath: /host/etc + name: etc-ro + readOnly: true + mountPropagation: HostToContainer + - mountPath: /host/usr/lib + name: usr-lib-ro + readOnly: true + mountPropagation: HostToContainer + - mountPath: /host/sys + name: sys-ro + readOnly: true + mountPropagation: HostToContainer + - mountPath: /host/dev + name: dev-ro + readOnly: true + mountPropagation: HostToContainer + - mountPath: /run/secrets/stackrox.io/certs/ + name: certs + readOnly: true + {{- end }} + - command: + - stackrox/compliance + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ROX_CALL_NODE_INVENTORY_ENABLED + value: {{ if eq ._rox.env.openshift 4 }}"true"{{ else }}"false"{{ end }} + - name: ROX_METRICS_PORT + {{- if ._rox.collector.exposeMonitoring }} + value: ":9091" + {{- else}} + value: "disabled" + {{- end }} + - name: ROX_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: ROX_ADVERTISED_ENDPOINT + value: {{ quote ._rox.sensor.endpoint }} + - name: ROX_NODE_SCANNING_ENDPOINT + value: {{ quote ._rox.collector.nodescanningEndpoint }} + {{- include "srox.envVars" (list . 
"daemonset" "collector" "compliance") | nindent 8 }} + image: {{ quote ._rox.image.main.fullRef }} + imagePullPolicy: {{ ._rox.collector.complianceImagePullPolicy }} + name: compliance + {{- if ._rox.collector.exposeMonitoring }} + ports: + - containerPort: 9091 + name: monitoring + {{- end }} + resources: + {{- ._rox.collector._complianceResources | nindent 10 }} + securityContext: + runAsUser: 0 + readOnlyRootFilesystem: true + {{ if not ._rox.collector.disableSELinuxOptions }} + seLinuxOptions: + type: {{ ._rox.collector.seLinuxOptionsType | default "container_runtime_t" | quote }} + {{ end }} + volumeMounts: + - mountPath: /etc/ssl/ + name: etc-ssl + - mountPath: /etc/pki/ca-trust/ + name: etc-pki-volume + - mountPath: /host + name: host-root-ro + readOnly: true + mountPropagation: HostToContainer + - mountPath: /run/secrets/stackrox.io/certs/ + name: certs + readOnly: true + {{- if eq ._rox.env.openshift 4 }} + - name: node-inventory + image: {{ quote ._rox.image.scanner.fullRef }} + imagePullPolicy: IfNotPresent + command: ["/scanner", "--nodeinventory", "--config=", ""] + ports: + - containerPort: 8444 + name: grpc + resources: + {{- ._rox.collector._nodeScanningResources | nindent 10 }} + env: + - name: ROX_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + {{- include "srox.envVars" (list . 
"daemonset" "collector" "node-inventory") | nindent 8 }} + volumeMounts: + - mountPath: /host + name: host-root-ro + readOnly: true + mountPropagation: HostToContainer + - mountPath: /tmp/ + name: tmp-volume + - mountPath: /cache + name: cache-volume + {{- end }} + volumes: + - hostPath: + path: /proc + name: proc-ro + - emptyDir: + medium: Memory + name: tmpfs-module + - hostPath: + path: /etc + name: etc-ro + - hostPath: + path: /usr/lib + name: usr-lib-ro + - hostPath: + path: /sys/ + name: sys-ro + - hostPath: + path: /dev + name: dev-ro + - name: certs + secret: + secretName: collector-tls + items: + - key: collector-cert.pem + path: cert.pem + - key: collector-key.pem + path: key.pem + - key: ca.pem + path: ca.pem + - hostPath: + path: / + name: host-root-ro + - name: etc-ssl + emptyDir: {} + - name: etc-pki-volume + emptyDir: {} + - name: tmp-volume + emptyDir: {} + - name: cache-volume + emptyDir: + sizeLimit: 200Mi diff --git a/4.3.5/secured-cluster-services/templates/openshift-monitoring.yaml b/4.3.5/secured-cluster-services/templates/openshift-monitoring.yaml new file mode 100644 index 0000000..5b0aa89 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/openshift-monitoring.yaml 
@@ -0,0 +1,121 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.monitoring.openshift.enabled -}} + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: secured-cluster-prometheus-k8s + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "secured-cluster-prometheus-k8s") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "role" "secured-cluster-prometheus-k8s") | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: secured-cluster-prometheus-k8s + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "secured-cluster-prometheus-k8s") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "secured-cluster-prometheus-k8s") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: secured-cluster-prometheus-k8s +subjects: +- kind: ServiceAccount + name: prometheus-k8s + namespace: openshift-monitoring + +--- + +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: "sensor-monitor-{{ .Release.Namespace }}" + namespace: openshift-monitoring + labels: + {{- include "srox.labels" (list . "servicemonitor" (print "sensor-monitor-" .Release.Namespace)) | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"servicemonitor" (print "sensor-monitor-" .Release.Namespace)) | nindent 4 }} +spec: + endpoints: + - interval: 30s + path: metrics + port: monitoring-tls + scheme: https + tlsConfig: + caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt + certFile: /etc/prometheus/secrets/metrics-client-certs/tls.crt + keyFile: /etc/prometheus/secrets/metrics-client-certs/tls.key + serverName: "sensor.{{ .Release.Namespace }}.svc" + selector: + matchLabels: + app.kubernetes.io/component: sensor + namespaceSelector: + matchNames: + - "{{ .Release.Namespace }}" + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "rhacs-sensor-auth-reader-{{ .Release.Namespace }}" + namespace: kube-system + labels: + {{- include "srox.labels" (list . "rolebinding" (print "rhacs-sensor-auth-reader-" .Release.Namespace)) | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" (print "rhacs-sensor-auth-reader-" .Release.Namespace)) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: sensor + namespace: "{{ .Release.Namespace }}" + +--- + +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: "sensor-telemeter-{{ .Release.Namespace }}" + namespace: openshift-monitoring + labels: + {{- include "srox.labels" (list . "prometheusrule" (print "sensor-telemeter-" .Release.Namespace )) | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "prometheusrule" (print "sensor-telemeter-" .Release.Namespace )) | nindent 4 }} +spec: + groups: + - name: rhacs.telemeter + rules: + - expr: | + max by (build, central_id, hosting, install_method, sensor_id, sensor_version) ( + rox_sensor_info{branding="RHACS"} + ) + record: rhacs:telemetry:rox_sensor_info + +{{- end -}} 
diff --git a/4.3.5/secured-cluster-services/templates/sensor-netpol.yaml b/4.3.5/secured-cluster-services/templates/sensor-netpol.yaml new file mode 100644 index 0000000..50d0d6e --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/sensor-netpol.yaml 
@@ -0,0 +1,88 @@ +{{- include "srox.init" . -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "sensor") | nindent 4 }} +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: collector + - podSelector: + matchLabels: + service: collector + - podSelector: + matchLabels: + app: admission-control +{{ if ._rox.sensor.localImageScanning.enabled }} + - podSelector: + matchLabels: + app: scanner +{{ end }} + ports: + - port: 8443 + protocol: TCP + - ports: + - port: 9443 + protocol: TCP + podSelector: + matchLabels: + app: sensor + policyTypes: + - Ingress + +{{ if ._rox.sensor.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: sensor-monitoring + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "sensor-monitoring") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "sensor-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: sensor + policyTypes: + - Ingress +{{ end }} + +{{- if ._rox.monitoring.openshift.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: sensor-monitoring-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "sensor-monitoring-tls") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"networkpolicy" "sensor-monitoring-tls") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9091 + protocol: TCP + podSelector: + matchLabels: + app: sensor + policyTypes: + - Ingress +{{- end }} diff --git a/4.3.5/secured-cluster-services/templates/sensor-pod-security.yaml b/4.3.5/secured-cluster-services/templates/sensor-pod-security.yaml new file mode 100644 index 0000000..e44a807 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/sensor-pod-security.yaml 
@@ -0,0 +1,82 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.system.enablePodSecurityPolicies }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox-sensor-psp + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-sensor-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-sensor-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - stackrox-sensor + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-sensor-psp + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-sensor-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-sensor-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: stackrox-sensor-psp +subjects: + - kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} + - kind: ServiceAccount + name: sensor-upgrader + namespace: {{ ._rox._namespace }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: stackrox-sensor + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"podsecuritypolicy" "stackrox-sensor") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + - 'hostPath' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 +{{- end }} diff --git a/4.3.5/secured-cluster-services/templates/sensor-rbac.yaml b/4.3.5/secured-cluster-services/templates/sensor-rbac.yaml new file mode 100644 index 0000000..fb061be --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/sensor-rbac.yaml 
@@ -0,0 +1,293 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "sensor") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.mainImagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:view-cluster + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:view-cluster") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:view-cluster") | nindent 4 }} +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - watch + - list +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:monitor-cluster + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:monitor-cluster") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:monitor-cluster") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:view-cluster + apiGroup: rbac.authorization.k8s.io +--- +# Role edit has all verbs but 'use' to disallow using any SCCs (resources: *). +# The permission to 'use' SCCs should be defined at finer granularity in other roles. +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: edit + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . 
"role" "edit") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "role" "edit") | nindent 4 }} +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - get + - list + - watch + - update + - patch + - delete + - deletecollection +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: manage-namespace + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "manage-namespace") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "manage-namespace") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: Role + name: edit + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:edit-workloads + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:edit-workloads") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:edit-workloads") | nindent 4 }} +rules: +- resources: + - cronjobs + - jobs + - daemonsets + - deployments + - deployments/scale + - deploymentconfigs + - pods + - replicasets + - replicationcontrollers + - services + - statefulsets + apiGroups: + - '*' + verbs: + - update + - patch + - delete +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:enforce-policies + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:enforce-policies") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"clusterrolebinding" "stackrox:enforce-policies") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:edit-workloads + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:network-policies + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:network-policies") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:network-policies") | nindent 4 }} +rules: +- resources: + - 'networkpolicies' + apiGroups: + - networking.k8s.io + - extensions + verbs: + - get + - watch + - list + - create + - update + - patch + - delete +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:network-policies-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:network-policies-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:network-policies-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:network-policies + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:update-namespaces + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:update-namespaces") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"clusterrole" "stackrox:update-namespaces") | nindent 4 }} +rules: +- resources: + - namespaces + apiGroups: [""] + verbs: + - update +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:update-namespaces-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:update-namespaces-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:update-namespaces-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:update-namespaces + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:create-events + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:create-events") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:create-events") | nindent 4 }} +rules: +- resources: + - events + apiGroups: [""] + verbs: + - create + - patch + - list +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:create-events-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:create-events-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:create-events-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:create-events + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:review-tokens + labels: + {{- include "srox.labels" (list . 
"clusterrole" "stackrox:review-tokens") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:review-tokens") | nindent 4 }} +rules: +- resources: + - tokenreviews + apiGroups: ["authentication.k8s.io"] + verbs: + - create +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:review-tokens-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:review-tokens-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:review-tokens-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:review-tokens + apiGroup: rbac.authorization.k8s.io diff --git a/4.3.5/secured-cluster-services/templates/sensor-scc.yaml b/4.3.5/secured-cluster-services/templates/sensor-scc.yaml new file mode 100644 index 0000000..b24a8fc --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/sensor-scc.yaml 
@@ -0,0 +1,47 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox.env.openshift ._rox.system.createSCCs }} + +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: stackrox-sensor + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-sensor") | nindent 4 }} + kubernetes.io/description: stackrox-sensor is the security constraint for the sensor +users: + - system:serviceaccount:{{ ._rox._namespace }}:sensor + - system:serviceaccount:{{ ._rox._namespace }}:sensor-upgrader +priority: 0 +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +supplementalGroups: + type: RunAsAny +fsGroup: + type: RunAsAny +groups: [] +readOnlyRootFilesystem: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: [] +defaultAddCapabilities: [] +requiredDropCapabilities: [] +volumes: + - configMap + - downwardAPI + - emptyDir + - secret + +{{- end }} diff --git a/4.3.5/secured-cluster-services/templates/sensor-secret.yaml b/4.3.5/secured-cluster-services/templates/sensor-secret.yaml new file mode 100644 index 0000000..848e1f2 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/sensor-secret.yaml 
@@ -0,0 +1,30 @@ +{{- include "srox.init" . -}} + +{{- if or ._rox.createSecrets (and (kindIs "invalid" ._rox.createSecrets) (or ._rox.sensor.serviceTLS._cert ._rox.sensor.serviceTLS._key)) }} + +{{- if not (and ._rox.ca._cert ._rox.sensor.serviceTLS._cert ._rox.sensor.serviceTLS._key) }} + {{ include "srox.fail" "Requested secret creation, but not all of CA certificate, sensor certificate, sensor private key are available. Set the 'createSecrets' config option to false if you do not want secrets to be created." }} +{{- end }} + +apiVersion: v1 +kind: Secret +metadata: + name: sensor-tls + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "sensor-tls") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + {{- include "srox.annotations" (list . "secret" "sensor-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox.ca._cert | nindent 4 }} + sensor-cert.pem: | + {{- ._rox.sensor.serviceTLS._cert | nindent 4 }} + sensor-key.pem: | + {{- ._rox.sensor.serviceTLS._key | nindent 4 }} + +{{- end }} diff --git a/4.3.5/secured-cluster-services/templates/sensor.yaml b/4.3.5/secured-cluster-services/templates/sensor.yaml new file mode 100644 index 0000000..2534f42 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/sensor.yaml 
@@ -0,0 +1,280 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "deployment" "sensor") | nindent 4 }} + app: sensor + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "deployment" "sensor") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: sensor + strategy: + type: Recreate + template: + metadata: + labels: + app: sensor + {{- include "srox.podLabels" (list . "deployment" "sensor") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8443,9443" + {{- include "srox.podAnnotations" (list . "deployment" "sensor") | nindent 8 }} + spec: + {{- if ._rox.sensor._nodeSelector }} + nodeSelector: + {{- ._rox.sensor._nodeSelector | nindent 8 }} + {{- end}} + {{- if ._rox.sensor.tolerations }} + tolerations: + {{- toYaml ._rox.sensor.tolerations | nindent 8 }} + {{- end }} + affinity: + {{- toYaml ._rox.sensor.affinity | nindent 8 }} + {{- if not ._rox.env.openshift }} + securityContext: + runAsUser: 4000 + fsGroup: 4000 + {{- end }} + serviceAccountName: sensor + containers: + - image: {{ quote ._rox.image.main.fullRef }} + imagePullPolicy: {{ ._rox.sensor.imagePullPolicy }} + name: sensor + readinessProbe: + httpGet: + scheme: HTTPS + path: /ready + port: 9443 + ports: + - containerPort: 8443 + name: api + - containerPort: 9443 + name: webhook + {{- if ._rox.sensor.exposeMonitoring }} + - containerPort: 9090 + name: monitoring + {{- end }} + {{- if ._rox.monitoring.openshift.enabled }} + - containerPort: 9091 + name: monitoring-tls + {{- end }} + command: + - kubernetes-sensor + resources: + {{- ._rox.sensor._resources | nindent 10 }} + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + 
resourceFieldRef: + resource: limits.cpu + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ROX_CENTRAL_ENDPOINT + value: {{ ._rox.centralEndpoint }} + - name: ROX_ADVERTISED_ENDPOINT + value: {{ ._rox.sensor.endpoint }} + {{- if ._rox.env.openshift }} + - name: ROX_OPENSHIFT_API + value: "true" + {{- end }} + {{- if ._rox.sensor.localImageScanning.enabled }} + - name: ROX_SCANNER_GRPC_ENDPOINT + value: {{ printf "scanner.%s.svc:8443" .Release.Namespace }} + - name: ROX_LOCAL_IMAGE_SCANNING_ENABLED + value: "true" + {{- end }} + - name: ROX_HELM_CLUSTER_CONFIG_FP + value: {{ quote ._rox._configFP }} + {{- if ._rox.monitoring.openshift.enabled }} + - name: ROX_ENABLE_SECURE_METRICS + value: "true" + {{- end }} + {{- include "srox.envVars" (list . "deployment" "sensor" "sensor") | nindent 8 }} + volumeMounts: + - name: varlog + mountPath: /var/log/stackrox/ + - name: sensor-etc-ssl-volume + mountPath: /etc/ssl/ + - name: sensor-etc-pki-volume + mountPath: /etc/pki/ca-trust/ + - name: certs + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: additional-ca-volume + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + - name: cache + mountPath: /var/cache/stackrox + - name: helm-cluster-config + mountPath: /run/secrets/stackrox.io/helm-cluster-config/ + readOnly: true + - name: helm-effective-cluster-name + mountPath: /run/secrets/stackrox.io/helm-effective-cluster-name/ + readOnly: true + {{- include "srox.injectedCABundleVolumeMount" . 
| nindent 8 }} + {{- if ._rox.monitoring.openshift.enabled }} + - name: monitoring-tls + mountPath: /run/secrets/stackrox.io/monitoring-tls + readOnly: true + {{- end }} + volumes: + - name: certs + secret: + secretName: sensor-tls + items: + - key: sensor-cert.pem + path: cert.pem + - key: sensor-key.pem + path: key.pem + - key: ca.pem + path: ca.pem + - name: sensor-etc-ssl-volume + emptyDir: {} + - name: sensor-etc-pki-volume + emptyDir: {} + - name: additional-ca-volume + secret: + secretName: additional-ca-sensor + optional: true + - name: varlog + emptyDir: {} + - name: cache + emptyDir: {} + - name: helm-cluster-config + secret: + secretName: helm-cluster-config + optional: true + - name: helm-effective-cluster-name + secret: + secretName: helm-effective-cluster-name + optional: true + {{- include "srox.injectedCABundleVolume" . | nindent 6 }} + {{- if ._rox.monitoring.openshift.enabled }} + - name: monitoring-tls + secret: + secretName: sensor-monitoring-tls + optional: true + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + name: sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "service" "sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"service" "sensor") | nindent 4 }} + {{- if ._rox.monitoring.openshift.enabled }} + service.beta.openshift.io/serving-cert-secret-name: sensor-monitoring-tls + {{- end }} +spec: + ports: + - name: https + port: 443 + targetPort: api + protocol: TCP + {{- if ._rox.sensor.exposeMonitoring }} + - name: monitoring + port: 9090 + targetPort: monitoring + protocol: TCP + {{- end }} + {{- if ._rox.monitoring.openshift.enabled }} + - name: monitoring-tls + port: 9091 + targetPort: monitoring-tls + protocol: TCP + {{- end }} + selector: + app: sensor + type: ClusterIP + sessionAffinity: None +--- + +{{- if ._rox.env.istio }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: sensor-internal-no-istio-mtls + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "destinationrule" "sensor-internal-no-istio-mtls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "destinationrule" "sensor-internal-no-istio-mtls") | nindent 4 }} + stackrox.io/description: "Disable Istio mTLS for port 443, since StackRox services use built-in mTLS." +spec: + host: sensor.stackrox.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 443 + tls: + mode: DISABLE +--- +{{- end }} + +apiVersion: v1 +kind: Service +metadata: + name: sensor-webhook + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "service" "sensor-webhook") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "service" "sensor-webhook") | nindent 4 }} +spec: + ports: + - name: https + port: 443 + targetPort: webhook + protocol: TCP + selector: + app: sensor + type: ClusterIP + sessionAffinity: None +{{- if or .Release.IsInstall (eq ._rox.confirmNewClusterName ._rox.clusterName) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: helm-effective-cluster-name + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . 
"secret" "helm-effective-cluster-name") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" + {{- include "srox.annotations" (list . "secret" "helm-effective-cluster-name") | nindent 4 }} +stringData: + cluster-name: | + {{- ._rox.clusterName | nindent 4 }} +{{- end}} diff --git a/4.3.5/secured-cluster-services/templates/service-ca.yaml b/4.3.5/secured-cluster-services/templates/service-ca.yaml new file mode 100644 index 0000000..3f3b5fd --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/service-ca.yaml @@ -0,0 +1,16 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: Secret +metadata: + name: service-ca + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "service-ca") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + {{- include "srox.annotations" (list . "secret" "service-ca") | nindent 4 }} +type: Opaque +stringData: + ca.pem: | + {{- required "A CA certificate must be specified" ._rox.ca._cert | nindent 4 }} diff --git a/4.3.5/secured-cluster-services/templates/upgrader-serviceaccount.yaml b/4.3.5/secured-cluster-services/templates/upgrader-serviceaccount.yaml new file mode 100644 index 0000000..af12eb1 --- /dev/null +++ b/4.3.5/secured-cluster-services/templates/upgrader-serviceaccount.yaml 
@@ -0,0 +1,36 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.createUpgraderServiceAccount }} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sensor-upgrader + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "sensor-upgrader") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "sensor-upgrader") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.mainImagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:upgrade-sensors + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:upgrade-sensors") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:upgrade-sensors") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor-upgrader + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io + +{{- end }} diff --git a/4.3.5/secured-cluster-services/values-private.yaml.example b/4.3.5/secured-cluster-services/values-private.yaml.example new file mode 100644 index 0000000..ecdec21 --- /dev/null +++ b/4.3.5/secured-cluster-services/values-private.yaml.example 
@@ -0,0 +1,19 @@ +# # BEGIN CONFIGURATION VALUES SECTION +# +# # Image pull credentials. If you do not specify these, you need to specify one of +# # the following: +# # - `imagePullSecrets.allowNone=true`: in case your registry allows pulling images without +# # credentials. +# # - `imagePullSecrets.useExisting="secret1;secret2;..."`: in case you have pre-existing image +# # pull secrets with the given name already created in the target namespace. +# # - `imagePullSecrets.useFromDefaultServiceAccount=true`: in case the default service account +# # in the target namespace is configured with sufficiently scoped image pull secrets. +# # +# # Since the above settings do not expose any confidential data, they can safely be added +# # to the values-public.yaml configuration file or provided on the command line. +# +# # If you do not know if any of the above applies to your situation, your best course of +# # action is probably to enter your image pull credentials here. +# imagePullSecrets: +# username: +# password: diff --git a/4.3.5/secured-cluster-services/values-public.yaml.example b/4.3.5/secured-cluster-services/values-public.yaml.example new file mode 100644 index 0000000..5bb9dc4 --- /dev/null +++ b/4.3.5/secured-cluster-services/values-public.yaml.example 
@@ -0,0 +1,465 @@ +# StackRox Kubernetes Security Platform - Secured Cluster Services Chart +# PUBLIC configuration file. +# +# This file contains general configuration values relevant for the deployment of the +# StackRox Kubernetes Platform Secured Cluster Services components, which do not contain +# or reference sensitive data. This file can and should be stored in a source code +# management system and should be referenced on each `helm upgrade`. +# +# Most of the values in this file are optional, and you only should need to make modifications +# if the default deployment configuration is not sufficient for you for whatever reason. +# The most notable exceptios are +# +# - `clusterName`, +# - `centralEndpoint` and +# - `imagePullSecrets`. +# +# # BEGIN CONFIGURATION VALUES SECTION +# +## The cluster name. A new cluster of this name will be automatically registered at StackRox Central +## when deploying this Helm chart. Make sure that this name is unique among the set of secured clusters. +#clusterName: null +# +## To change the cluster name, confirm the new cluster name in this field. It should match the `clusterName` value. +## You don't need to change this unless you upgrade and change the value for clusterName. +## In this case, set it to the new value of clusterName. This option exists to prevent you from accidentally +## creating a new cluster with a different name. +#confirmNewClusterName: null +# +## Custom labels associated with a secured cluster in StackRox. +#clusterLabels: {} +# +## The gRPC endpoint for accessing StackRox Central. +#centralEndpoint: central.{{ .Release.Namespace }}.svc:443 +# +## A dictionary of additional CA certificates to include (PEM encoded). +## For example: +## additionalCAs: +## acme-labs-ca.pem: | +## -----BEGIN CERTIFICATE----- +## [...] +## -----END CERTIFICATE----- +#additionalCAs: null +# +# Specify `true` to create the `sensor-upgrader` account. 
By default, the StackRox Kubernetes +# Security Platform creates a service account called `sensor-upgrader` in each secured cluster. +# This account is highly privileged but is only used during upgrades. If you don’t create this +# account, you will have to complete future upgrades manually if the Sensor doesn’t have enough +# permissions. See +# [Enable automatic upgrades for secured clusters](https://help.stackrox.com/docs/configure-stackrox/enable-automatic-upgrades/) +# for more information. +# Note that auto-upgrades for Helm-managed clusters are disabled. +#createUpgraderServiceAccount: false +# +## Configuration for image pull secrets. +## These should usually be set via the command line when running `helm install`, e.g., +## helm install --set imagePullSecrets.username=myuser --set imagePullSecrets.password=mypass, +## or be stored in a separate YAML-encoded secrets file. +#imagePullSecrets: +# +# # If no image pull secrets are provided, an installation would usually fail. In order to +# # prevent it from failing, this option must explicitly be set to true. +# allowNone: false +# +# # If there exist available image pull secrets in the cluster that are managed separately, +# # set this value to the list of the respective secret names. While it is recommended to +# # record the secret names in a persisted YAML file, providing a single string containing +# # a comma-delimited list of secret names is also supported, for easier interaction with +# # --set. +# useExisting: [] +# +# # Whether to import any secrets from the default service account existing in the StackRox +# # namespace. The default service account often contains "standard" image pull secrets that +# # should be used by default for image pulls, hence this defaults to true. Only has an effect +# # if server-side lookups are enabled. +# useFromDefaultServiceAccount: true +# +## Settings regarding the installation environment +#env: +# # Treat the environment as an OpenShift cluster. 
Leave this unset to use auto-detection +# # based on available API resources on the server. +# # Set it to true to auto-detect the OpenShift version, otherwise set it explicitly. +# # Possible values: null, false, true, 3, 4 +# openshift: null +# +# # Treat the environment as Istio-enabled. Leave this unset to use auto-detection based on +# # available API resources on the server. +# # Possible values: null, false, true +# istio: null +# +## PEM-encoded StackRox Service CA certificate. +#ca: +# cert: null +# +## Image configuration +#image: +# # The image registry to use. Unless overridden in the more specific configs, this +# # determines the base registry for each image referenced in this config file. +# registry: my.image-registry.io +# +# # Configuration for the `main` image -- used by Sensor, Admission Control, Compliance. +# main: +# registry: null # if set to null, use `image.registry` +# name: main # the final image name is composed of the registry and the name, plus the tag below +# tag: null # should be left as null - will get picked up from the Chart version. +# fullRef: null # you can set a full image reference such as stackrox.io/main:1.2.3.4 here, but this is not +# # recommended. +# # The default pull policy for this image. Can be overridden for each individual service. +# pullPolicy: IfNotPresent +# +# # Configuration for the `collector` image -- used by Collector. +# collector: +# registry: null +# name: collector +# tag: null +# fullRef: null +# pullPolicy: IfNotPresent +# +## Sensor specific configuration. +#sensor: +# +# # Kubernetes image pull policy for Sensor. +# imagePullPolicy: IfNotPresent +# +# # Resource configuration for the sensor container. +# resources: +# requests: +# memory: "4Gi" +# cpu: "2" +# limits: +# memory: "8Gi" +# cpu: "4" +# +# # Settings for the internal service-to-service TLS certificate used by Sensor. 
+# serviceTLS: +# cert: null +# key: null +# +# # Use a nodeSelector for sensor +# nodeSelector +# environment: production +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# tolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# If scheduling needs specific affinities, you can specify the corresponding affinities here. +# affinity: +# nodeAffinity: +# preferredDuringSchedulingIgnoredDuringExecution: +# # Sensor is single-homed, so avoid preemptible nodes. +# - weight: 100 +# preference: +# matchExpressions: +# - key: cloud.google.com/gke-preemptible +# operator: NotIn +# values: +# - "true" +# - weight: 50 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/infra +# operator: Exists +# - weight: 25 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/compute +# operator: Exists +# # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in +# # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. +# - weight: 100 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/master +# operator: DoesNotExist +# - weight: 100 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/control-plane +# operator: DoesNotExist +# +# # Address of the Sensor endpoint including port number. No trailing slash. +# # Rarely needs to be changed. +# endpoint: sensor.stackrox.svc:443 +# +## Admission Control specific configuration. +#admissionControl: +# +# # This setting controls whether the cluster is configured to contact the StackRox +# # Kubernetes Security Platform with `AdmissionReview` requests for create events on +# # Kubernetes objects. 
+# listenOnCreates: false +# +# # This setting controls whether the cluster is configured to contact the StackRox Kubernetes +# # Security Platform with `AdmissionReview` requests for update events on Kubernetes objects. +# listenOnUpdates: false +# +# # This setting controls whether the cluster is configured to contact the StackRox +# # Kubernetes Security Platform with `AdmissionReview` requests for update Kubernetes events +# # like exec and portforward. +# # +# # Defaults to `false` on OpenShift, to `true` otherwise. +# listenOnEvents: true +# +# # Use a nodeSelector for admission control pods +# nodeSelector +# environment: production +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# tolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# If scheduling needs specific affinities, you can specify the corresponding affinities here. +# affinity: +# nodeAffinity: +# preferredDuringSchedulingIgnoredDuringExecution: +# # node-role.kubernetes.io/master is replaced by node-role.kubernetes.io/control-plane from certain version +# # of k8s. We apply both to be compatible with any k8s version. +# - weight: 50 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/master +# operator: Exists +# - weight: 50 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/control-plane +# operator: Exists +# podAntiAffinity: +# preferredDuringSchedulingIgnoredDuringExecution: +# - weight: 60 +# podAffinityTerm: +# topologyKey: "kubernetes.io/hostname" +# labelSelector: +# matchLabels: +# app: admission-control +# +# # Dynamic part of the configuration which is retrieved from Central and can be modified through +# # the frontend. 
+# dynamic: +# +# # It controls whether the StackRox Kubernetes Security Platform evaluates policies for object +# # updates; if it’s disabled, all `AdmissionReview` requests are automatically accepted. You must +# # specify `listenOnUpdates` as `true` for this to work. +# enforceOnUpdates: false +# +# # Controls whether the StackRox Kubernetes Security Platform evaluates policies. +# # If disabled, all AdmissionReview requests are automatically accepted. You must specify +# # `listenOnCreates` as `true` for this to work. +# enforceOnCreates: false +# +# scanInline: false +# +# # If enabled, bypassing the Admission Controller is disabled. +# disableBypass: false +# +# # The maximum time in seconds, the StackRox Kubernetes Security Platform should wait while +# # evaluating admission review requests. Use it to set request timeouts when you enable image scanning. +# # If the image scan runs longer than the specified time, the StackRox Kubernetes Security Platform +# # accepts the request. Other enforcement options, such as scaling the deployment to zero replicas, +# # are still applied later if the image violates applicable policies. +# timeout: 3 +# +# # Kubernetes image pull policy for Admission Control. +# imagePullPolicy: IfNotPresent +# +# # Resource configuration for the Admission Control container. +# resources: +# requests: +# memory: "100Mi" +# cpu: "50m" +# limits: +# memory: "500Mi" +# cpu: "500m" +# +# # Replicas configures the replicas of the admission controller pod. +# replicas: 3 +# +# # Settings for the internal service-to-service TLS certificate used by Admission Control. +# serviceTLS: +# cert: null +# key: null +# +## Collector specific configuration. +#collector: +# +# # Collection method to use. Can be one of: +# # - EBPF +# # - CORE_BPF +# # - NO_COLLECTION +# collectionMethod: EBPF +# +# # Configure usage of taint tolerations. If `false`, tolerations are applied to collector, +# # and the collector pods can schedule onto all nodes with taints. 
If `true`, no tolerations +# # are applied, and the collector pods won't scheduled onto nodes with taints. +# disableTaintTolerations: false +# +# # Configure whether slim Collector images should be used or not. Using slim Collector images +# # requires Central to provide the matching kernel module or eBPF probe. If you are running +# # the StackRox Kubernetes Security Platform in offline mode, you must download a kernel support +# # package from [stackrox.io](https://install.stackrox.io/collector/support-packages/index.html) +# # and upload it to Central for slim Collectors to function. Otherwise, you must ensure that +# # Central can access the online probe repository hosted at https://collector-modules.stackrox.io/. +# slimMode: false +# +# # Kubernetes image pull policy for Collector. +# imagePullPolicy: IfNotPresent +# +# # Resource configuration for the Collector container. +# resources: +# requests: +# memory: "320Mi" +# cpu: "50m" +# limits: +# memory: "1Gi" +# cpu: "750m" +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# tolerations: +# - operator: "Exists" +# +# complianceImagePullPolicy: IfNotPresent +# +# # Resource configuration for the Compliance container. +# complianceResources: +# requests: +# memory: "10Mi" +# cpu: "10m" +# limits: +# memory: "2Gi" +# cpu: "1" +# +# # Resource configuration for the Node Inventory container. +# nodeScanningResources: +# requests: +# memory: "10Mi" +# cpu: "10m" +# limits: +# memory: "500Mi" +# cpu: "1" +# +# # Settings for the internal service-to-service TLS certificate used by Collector. +# serviceTLS: +# cert: null +# key: null +# +# # Settings configuring the ingestion of audit logs: +# auditLogs: +# # Disable audit log collection. This setting defaults to false on OpenShift 4 clusters. On all other cluster types, +# # it defaults to true, and setting it to false will result in an error. 
+# disableCollection: false +# +# # Customization Settings. +# # The following allows specifying custom Kubernetes metadata (labels and annotations) +# # for all objects instantiated by this Helm chart, as well as additional pod labels, +# # pod annotations, and container environment variables for workloads. +# # The configuration is hierarchical, in the sense that metadata that is defined at a more +# # generic scope (e.g., for all objects) can be overridden by metadata defined at a narrower +# # scope (e.g., only for the sensor deployment). +# customize: +# # Extra metadata for all objects. +# labels: +# my-label-key: my-label-value +# annotations: +# my-annotation-key: my-annotation-value +# +# # Extra pod metadata for all objects (only has an effect for workloads, i.e., deployments). +# podLabels: +# my-pod-label-key: my-pod-label-value +# podAnnotations: +# my-pod-annotation-key: my-pod-annotation-value +# +# # Extra environment variables for all containers in all objects. +# envVars: +# MY_ENV_VAR_NAME: MY_ENV_VAR_VALUE +# +# # Extra metadata for the Sensor deployment only. +# sensor: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the collector daemon set only. +# collector: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the admission control only. +# admission-control: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the compliance only. +# compliance: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for all other objects. The keys in the following map can be +# # an object name of the form "service/central-loadbalancer", or a reference to all +# # objects of a given type in the form "service/*". 
The values under each key +# # are the five metadata overrides (labels, annotations, podLabels, podAnnotations, envVars) +# # as specified above, though only the first two will be relevant for non-workload +# # object types. +# other: +# "service/*": +# labels: {} +# annotations: {} +# +# # EXPERT SETTINGS +# # The following settings should only be changed if you know very well what you are doing. +# # The scenarios in which these are required are generally not supported. +# +# # Set allowNonstandardNamespace=true if you are deploying into a namespace other than +# # "stackrox". This has been observed to work in some case, but is not generally supported. +# allowNonstandardNamespace: false +# +# # Set allowNonstandardReleaseName=true if you are deploying with a release name other than +# # the default "stackrox-central-services". This has been observed to work in some cases, +# # but is not generally supported. +# allowNonstandardReleaseName: false +# +# +#meta: +# # This is a dictionary from file names to contents that can be used to inject files that +# # would usually be included via .Files.Get into the chart rendering. +# fileOverrides: {} +# +# # This configuration section allows overriding settings that would be inferred from the +# # running API server. +# apiServer: +# # The Kubernetes version running on the API server. This is used for auto-detection +# # of the platform. +# version: null +# # The list of available API resources on the server, in the form of "apps/v1" or +# # "apps/v1/Deployment". This is used to detect environment capabilities. +# overrideAPIResources: null +# # A list of extra API resources that should be assumed to exist on the API server. This +# # can be used in conjunction with both data obtained from the API server, or data set +# # via `overrideAPIResources`. +# extraAPIResources: [] +# +#monitoring: +# # Enables integration with OpenShift platform monitoring. +# openshift: +# enabled: true 
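Review bot: the `allowNonstandardReleaseName` comment names the wrong default for this chart. It says the default release name is `stackrox-central-services`, but the file configures `sensor`, `admissionControl` and `collector`, i.e. the secured-cluster chart, so it should read `stackrox-secured-cluster-services`. Two further defects will bite anyone who activates this example by stripping the leading `#`: `nodeSelector` is missing its trailing colon in both the sensor and the admission-control sections (`# nodeSelector` followed by `# environment: production`), which is not valid YAML, and the explanatory lines `# If the nodes selected by the node selector are tainted, ...` and `# If scheduling needs specific affinities, ...` carry a single `#` unlike the `# # ...` comments around them, so they become stray prose instead of comments. Wording: "won't scheduled onto nodes with taints" should be "won't be scheduled onto nodes with taints", and "in some case" should be "in some cases". Finally, the admission-control `timeout` comment describes fail-open behaviour (a scan that outlasts the timeout means the request is accepted); state that explicitly, since an operator enabling `scanInline` with `timeout: 3` should understand that a slow scan never blocks a deployment.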
diff --git a/4.3.5/secured-cluster-services/values-scanner.yaml.example b/4.3.5/secured-cluster-services/values-scanner.yaml.example new file mode 100644 index 0000000..c422153 --- /dev/null +++ b/4.3.5/secured-cluster-services/values-scanner.yaml.example 
@@ -0,0 +1,92 @@ +# # NOTE: +# # The Scanner is only available in the secured clusters on the OpenShift Container Platform. +# +# # Public configuration options for the StackRox Scanner: +# # When installing the Secured Cluster chart, a slim scanner mode is deployed with reduced image caching. +# # To run the scanner in the secured cluster, you must connect the Scanner to Sensor. +# +# # WARNING: +# # If deployed in the same namespace with Central it is only supported to install Scanner as part of Central's installation. +# # Sensor will use the existing Scanner to scan for local images. +# +# Image configuration for scanner: +# # For a complete example, see the `values-public.yaml.example` file. +# image: +# # Configuration for the `scanner` image that is used by Scanner. +# scanner: +# registry: null +# name: scanner-slim +# tag: null +# fullRef: null +# +# scanner: +# # disable=false Deploys a StackRox Scanner in the secured cluster to allow scanning images +# # from the OpenShift Container Platform cluster's local registries. +# disable: false +# +# # The number of replicas for the Scanner deployment. If autoscaling is enabled (see below), +# # this determines the initial number of replicas. +# replicas: 3 +# +# # The log level for the scanner deployment. This typically does not need to be changed. +# logLevel: INFO +# +# # If you want to enforce StackRox Scanner to only run on certain nodes, you can specify +# # a node selector here to make sure Scanner can only be scheduled on Nodes with the +# # given label. +# nodeSelector: +# # This can contain arbitrary `label-key: label-value` pairs. +# role: stackrox-scanner +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. 
+# tolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# # If you want to enforce StackRox Scanner DB to only run on certain nodes, you can specify +# # a node selector here to make sure Scanner DB can only be scheduled on Nodes with the +# # given label. +# dbNodeSelector: +# # This can contain arbitrary `label-key: label-value` pairs. +# role: stackrox-scanner-db +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# dbTolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# # Configuration for autoscaling the Scanner deployment. +# autoscaling: +# # disable=true causes autoscaling to be disabled. All other settings in this section +# # will have no effect. +# disable: false +# # The minimum number of replicas for autoscaling. The following value is the default. +# minReplicas: 2 +# # The maximum number of replicas for autoscaling. The following value is the default. +# maxReplicas: 5 +# +# # Custom resource overrides for the Scanner deployment. +# resources: +# requests: +# memory: "1500Mi" +# cpu: "1000m" +# limits: +# memory: "4Gi" +# cpu: "2000m" +# +# # Custom resource overrides for the Scanner DB deployment. +# dbResources: +# limits: +# cpu: "2000m" +# memory: "4Gi" +# requests: +# cpu: "200m" +# memory: "200Mi" diff --git a/4.3.5/secured-cluster-services/values.yaml b/4.3.5/secured-cluster-services/values.yaml new file mode 100644 index 0000000..3297a22 --- /dev/null +++ b/4.3.5/secured-cluster-services/values.yaml 
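Review bot: two kinds of line in this example carry a single `#` instead of the `# # ...` used for every other comment: `# Image configuration for scanner:` and `# If the nodes selected by the node selector are tainted, ...` (the latter appears before both `tolerations` and `dbTolerations`). Stripping the leading `#` to activate the file leaves bare prose that YAML rejects; prefix them with `# # `. Minor: `dbResources` lists `limits` before `requests` while `resources` above lists `requests` first; keep both blocks in the same order.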
@@ -0,0 +1,9 @@ +## StackRox Secured Cluster Services chart +## values.yaml +## +## This file contains no values. In particular, you should NOT modify this file; instead, +## create your own configuration file and pass it to `helm` via the `-f` parameter. +## For this, you can use the files `values-private.yaml.example` and `values-public.yaml.example` +## that are part of the chart as a blueprint. +## +## Please also consult README.md for a list of available configuration options. diff --git a/README.md b/README.md index dccff3f..a9edc35 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -[![Latest version: 4.3.4](https://img.shields.io/badge/Latest%20version-4.3.4-green.svg)][Latest version] +[![Latest version: 3.0.55.0](https://img.shields.io/badge/Latest%20version-3.0.55.0-green.svg)][Latest version] # Helm charts for the StackRox Kubernetes Security Platform @@ -55,4 +55,4 @@ Helm charts for the [StackRox Kubernetes Security Platform](https://www.stackrox licensed under [Apache License 2.0](./LICENSE). -[Latest version]: ./4.3.4/ +[Latest version]: ./3.0.55.0/ diff --git a/latest b/latest index ea5fce4..8a44bb6 120000 --- a/latest +++ b/latest @@ -1 +1 @@ -./4.3.4/ \ No newline at end of file +./3.0.50.1/ \ No newline at end of file diff --git a/opensource/index.yaml b/opensource/index.yaml index df0e1f7..c03fb6d 100644 --- a/opensource/index.yaml +++ b/opensource/index.yaml 
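Review bot: the README badge and link go backwards. This change adds the 4.3.5 charts, yet the README hunks replace `Latest version: 4.3.4` with `Latest version: 3.0.55.0` and retarget `[Latest version]` from `./4.3.4/` to `./3.0.55.0/`; both should read 4.3.5 and `./4.3.5/`.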
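Review bot: the `latest` symlink is retargeted from `./4.3.4/` to `./3.0.50.1/`, which disagrees with the version the README hunk in the same change calls latest (3.0.55.0) and is older than the 4.3.5 charts being added, so anyone installing from `latest` would silently get a 3.0.x chart. It should point at `./4.3.5/`, and the release tooling that produced two different "latest" values in one commit needs a look.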
@@ -1,9 +1,20 @@ apiVersion: v1 entries: stackrox-central-services: + - apiVersion: v2 + appVersion: 4.3.5 + created: "2024-03-13T16:43:58.150093825Z" + description: Helm Chart for StackRox Central Service + digest: a33d5754c78eca005e9a32a489fe8cb6a026f8c2af6fe146466e4f7a5f5161e8 + icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png + name: stackrox-central-services + type: application + urls: + - stackrox-central-services-400.3.5.tgz + version: 400.3.5 - apiVersion: v2 appVersion: 4.3.4 - created: "2024-02-12T22:53:43.566097787Z" + created: "2024-03-13T16:43:58.148295262Z" description: Helm Chart for StackRox Central Service digest: d0811c842cae01e7d515b666ed3559b9c7b3abea5e4658202a4da10da4c5837b icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -14,7 +25,7 @@ entries: version: 400.3.4 - apiVersion: v2 appVersion: 4.3.3 - created: "2024-02-12T22:53:43.563694241Z" + created: "2024-03-13T16:43:58.145879585Z" description: Helm Chart for StackRox Central Service digest: d25248716307dbc52b36e0d381eb0906f5732f5b5e60f042de7508b0a6268239 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -25,7 +36,7 @@ entries: version: 400.3.3 - apiVersion: v2 appVersion: 4.3.2 - created: "2024-02-12T22:53:43.561894126Z" + created: "2024-03-13T16:43:58.144099395Z" description: Helm Chart for StackRox Central Service digest: 27c33b9849b17bdedb056d34bfa5aa2f92d16f2de601658a75b90ab7285d69f9 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -36,7 +47,7 @@ entries: version: 400.3.2 - apiVersion: v2 appVersion: 4.3.1 - created: "2024-02-12T22:53:43.560123356Z" + created: "2024-03-13T16:43:58.142292196Z" description: Helm Chart for StackRox Central Service digest: ef9da4200243f2aeffdbb10d67e43787749d2838c231995d4cee7e6b94774b0c icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -47,7 +58,7 @@ entries: version: 400.3.1 - apiVersion: v2 appVersion: 4.3.0 - created: "2024-02-12T22:53:43.558304836Z" + created: "2024-03-13T16:43:58.140497119Z" description: Helm Chart for StackRox Central Service digest: 0aa9d33c6539190d4e32de0658010b09b312f5ee34b4ef008126a4226b7bc5e2 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -58,7 +69,7 @@ entries: version: 400.3.0 - apiVersion: v2 appVersion: 4.2.4 - created: "2024-02-12T22:53:43.555869035Z" + created: "2024-03-13T16:43:58.137985626Z" description: Helm Chart for StackRox Central Service digest: 85d679bcfadd61ba00e0da009c358aaad2d112707cfd035f44f43b8a7fb9fc39 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -69,7 +80,7 @@ entries: version: 400.2.4 - apiVersion: v2 appVersion: 4.2.3 - created: "2024-02-12T22:53:43.554069781Z" + created: "2024-03-13T16:43:58.136183225Z" description: Helm Chart for StackRox Central Service digest: a192b67fbb898667f1f858a9e75eefb4dc7823693fb4c091140e90b9b389b6fe icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -80,7 +91,7 @@ entries: version: 400.2.3 - apiVersion: v2 appVersion: 4.2.2 - created: "2024-02-12T22:53:43.552307926Z" + created: "2024-03-13T16:43:58.134381927Z" description: Helm Chart for StackRox Central Service digest: 26d896c0ac476e23df0bbe65d8c469874a0379ef2376f75ba41302e8beebc153 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -91,7 +102,7 @@ entries: version: 400.2.2 - apiVersion: v2 appVersion: 4.2.1 - created: "2024-02-12T22:53:43.55051261Z" + created: "2024-03-13T16:43:58.132540613Z" description: Helm Chart for StackRox Central Service digest: 869c4fb79cc6f85f8009bf1a13760fed4acaa0138f47795f255639d9ab4d1947 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -102,7 +113,7 @@ entries: version: 400.2.1 - apiVersion: v2 appVersion: 4.2.0 - created: "2024-02-12T22:53:43.548189772Z" + created: "2024-03-13T16:43:58.123264212Z" description: Helm Chart for StackRox Central Service digest: 33915b7ef1a8b0811d61774e14d7dce5f711eeeb33b5f250db04fd8f10a0ea85 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -113,7 +124,7 @@ entries: version: 400.2.0 - apiVersion: v2 appVersion: 4.1.6 - created: "2024-02-12T22:53:43.546254487Z" + created: "2024-03-13T16:43:58.121426667Z" description: Helm Chart for StackRox Central Service digest: 65814f2b7a4acb3fba232f9395e5cc1779f6059897a5f6a10e912e54b0bf1dc6 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -124,7 +135,7 @@ entries: version: 400.1.6 - apiVersion: v2 appVersion: 4.1.5 - created: "2024-02-12T22:53:43.544503773Z" + created: "2024-03-13T16:43:58.119667276Z" description: Helm Chart for StackRox Central Service digest: 582dfa2a49ce484d7cd55433f78579945057efe6fc571244f9be5b8210fed24e icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -135,7 +146,7 @@ entries: version: 400.1.5 - apiVersion: v2 appVersion: 4.1.4 - created: "2024-02-12T22:53:43.542775221Z" + created: "2024-03-13T16:43:58.117943561Z" description: Helm Chart for StackRox Central Service digest: ab660fdb76a7a71a6bf666269e2b313f03ce81e3eb39f16fa7b0feccafe0fddc icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -146,7 +157,7 @@ entries: version: 400.1.4 - apiVersion: v2 appVersion: 4.1.3 - created: "2024-02-12T22:53:43.54083235Z" + created: "2024-03-13T16:43:58.115525372Z" description: Helm Chart for StackRox Central Service digest: e073f4c37c34c19a793a0c1b741e2ee6c425915c047c98c2358f1cc30421ff50 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -157,7 +168,7 @@ entries: version: 400.1.3 - apiVersion: v2 appVersion: 4.1.2 - created: "2024-02-12T22:53:43.538562803Z" + created: "2024-03-13T16:43:58.113825462Z" description: Helm Chart for StackRox Central Service digest: 3add7559d60bec74a5627d859bdb73f2787e476f3b4d801e81e85835fa44cfcc icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -168,7 +179,7 @@ entries: version: 400.1.2 - apiVersion: v2 appVersion: 4.1.1 - created: "2024-02-12T22:53:43.536825294Z" + created: "2024-03-13T16:43:58.112111846Z" description: Helm Chart for StackRox Central Service digest: c4e11d64ff283573ecd6129e5759f0c20e0e7e18ea5fae2813d20e5c03d5f47d icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -179,7 +190,7 @@ entries: version: 400.1.1 - apiVersion: v2 appVersion: 4.1.0 - created: "2024-02-12T22:53:43.535052739Z" + created: "2024-03-13T16:43:58.110361743Z" description: Helm Chart for StackRox Central Service digest: 9daf73d7e2d5930d4b8dc7730ff167046429ef18cb4b4b6bf1e1d7f51c95223a icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -190,7 +201,7 @@ entries: version: 400.1.0 - apiVersion: v2 appVersion: 4.0.5 - created: "2024-02-12T22:53:43.533280596Z" + created: "2024-03-13T16:43:58.108034029Z" description: Helm Chart for StackRox Central Service digest: 8d30f97407a9103c7f375b8aad6f28858abb1e52c401af5efdfc29f606a0b546 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -201,7 +212,7 @@ entries: version: 400.0.5 - apiVersion: v2 appVersion: 4.0.4 - created: "2024-02-12T22:53:43.530740984Z" + created: "2024-03-13T16:43:58.106288765Z" description: Helm Chart for StackRox Central Service digest: ccb5ca6bfbc0eb7a948bd937eca331175d9c493e0974181aff7185fab75bda9e icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -212,7 +223,7 @@ entries: version: 400.0.4 - apiVersion: v2 appVersion: 4.0.3 - created: "2024-02-12T22:53:43.528976395Z" + created: "2024-03-13T16:43:58.104564359Z" description: Helm Chart for StackRox Central Service digest: 8ee22ceea86c50ca1b25e2e5bbdcd0a8abcf20534b03066fcd333ef2b74ba99c icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -223,7 +234,7 @@ entries: version: 400.0.3 - apiVersion: v2 appVersion: 4.0.2 - created: "2024-02-12T22:53:43.527221203Z" + created: "2024-03-13T16:43:58.102810589Z" description: Helm Chart for StackRox Central Service digest: 76b5ef10625e3f33b1502db29336231f30f78a40873311041abfcc6bb0d802ee icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -234,7 +245,7 @@ entries: version: 400.0.2 - apiVersion: v2 appVersion: 4.0.1 - created: "2024-02-12T22:53:43.525287339Z" + created: "2024-03-13T16:43:58.095284093Z" description: Helm Chart for StackRox Central Service digest: 787d0657cb9c47363d1b15a160a1d77117270e46b7cad81b9764985470c168c8 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -245,7 +256,7 @@ entries: version: 400.0.1 - apiVersion: v2 appVersion: 4.0.0 - created: "2024-02-12T22:53:43.52141793Z" + created: "2024-03-13T16:43:58.093548918Z" description: Helm Chart for StackRox Central Service digest: cb79b0e12e89204dbb9e06e981ebb8ed71a23d90104ccc76ecbf9f573a7c1d89 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -256,7 +267,7 @@ entries: version: 400.0.0 - apiVersion: v2 appVersion: 3.74.9 - created: "2024-02-12T22:53:43.614737294Z" + created: "2024-03-13T16:43:58.197546214Z" description: Helm Chart for StackRox Central Service digest: 29580407a9a36a612fdb5c083a942cad1390fbb43e62844dad054c6a5b0543f0 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -267,7 +278,7 @@ entries: version: 74.9.0 - apiVersion: v2 appVersion: 3.74.8 - created: "2024-02-12T22:53:43.612871597Z" + created: "2024-03-13T16:43:58.195660699Z" description: Helm Chart for StackRox Central Service digest: 999594d1dc60d5e3770792312311470c090af9fb18513036af41e57b772761c3 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -278,7 +289,7 @@ entries: version: 74.8.0 - apiVersion: v2 appVersion: 3.74.7 - created: "2024-02-12T22:53:43.611034493Z" + created: "2024-03-13T16:43:58.193825547Z" description: Helm Chart for StackRox Central Service digest: 3208a18bf3570b706088a4964008f23ca4b3fca4a31da699c020c08494aa6589 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -289,7 +300,7 @@ entries: version: 74.7.0 - apiVersion: v2 appVersion: 3.74.6 - created: "2024-02-12T22:53:43.609148147Z" + created: "2024-03-13T16:43:58.19195002Z" description: Helm Chart for StackRox Central Service digest: 27caeaa0f03c39534131b3ea9209f7043cd3730fe6460d93b7bc768cc0af8b92 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -300,7 +311,7 @@ entries: version: 74.6.0 - apiVersion: v2 appVersion: 3.74.5 - created: "2024-02-12T22:53:43.606485514Z" + created: "2024-03-13T16:43:58.190049858Z" description: Helm Chart for StackRox Central Service digest: e3f09e301e9becb613e2096c5965de0642467ef3beb2e2d321eb507518cfbbfe icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -311,7 +322,7 @@ entries: version: 74.5.0 - apiVersion: v2 appVersion: 3.74.4 - created: "2024-02-12T22:53:43.604568001Z" + created: "2024-03-13T16:43:58.187503805Z" description: Helm Chart for StackRox Central Service digest: 3c3c962f26bb1afd7d01063348e869352e18380899ba988c9a29d98f507ac0ec icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -322,7 +333,7 @@ entries: version: 74.4.0 - apiVersion: v2 appVersion: 3.74.3 - created: "2024-02-12T22:53:43.60271649Z" + created: "2024-03-13T16:43:58.185647684Z" description: Helm Chart for StackRox Central Service digest: 3480735d019cf9147e39e5eb5e30b26352b57b97ddfea70e18d8cfe525ba4b31 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -333,7 +344,7 @@ entries: version: 74.3.0 - apiVersion: v2 appVersion: 3.74.2 - created: "2024-02-12T22:53:43.600823642Z" + created: "2024-03-13T16:43:58.183752832Z" description: Helm Chart for StackRox Central Service digest: b92aaa2f087c0c8ca06dd49960a55500c1ac711856b4b4aa945a849bdc7d474e icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -344,7 +355,7 @@ entries: version: 74.2.0 - apiVersion: v2 appVersion: 3.74.1 - created: "2024-02-12T22:53:43.598838102Z" + created: "2024-03-13T16:43:58.181878567Z" description: Helm Chart for StackRox Central Service digest: 487b016f61a934d62ccf06650289f109ea96bcdc3ae424aa3740485abadf65ad icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -355,7 +366,7 @@ entries: version: 74.1.0 - apiVersion: v2 appVersion: 3.74.0 - created: "2024-02-12T22:53:43.596195266Z" + created: "2024-03-13T16:43:58.179352592Z" description: Helm Chart for StackRox Central Service digest: 97b02189b39879635556453fcdc1c2707d196b65fa5b0c0098928aa24df8127a icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -366,7 +377,7 @@ entries: version: 74.0.0 - apiVersion: v2 appVersion: 3.73.5 - created: "2024-02-12T22:53:43.594343825Z" + created: "2024-03-13T16:43:58.177508273Z" description: Helm Chart for StackRox Central Service digest: 54bf152552c83b76dedaeac3109bff16ff07ab25bd9c7cb3fcf3eff996dc4a00 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -377,7 +388,7 @@ entries: version: 73.5.0 - apiVersion: v2 appVersion: 3.73.4 - created: "2024-02-12T22:53:43.592458892Z" + created: "2024-03-13T16:43:58.175579808Z" description: Helm Chart for StackRox Central Service digest: 80651037b1be3e7f49eb97fdda3f96b423021187aa1f40eba3307a105390a5cc icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -388,7 +399,7 @@ entries: version: 73.4.0 - apiVersion: v2 appVersion: 3.73.3 - created: "2024-02-12T22:53:43.59051542Z" + created: "2024-03-13T16:43:58.17373066Z" description: Helm Chart for StackRox Central Service digest: 7fc78ddf8b1f8178d788df2d0e7d7c8845fb6190cd0399aa14140c320f541337 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -399,7 +410,7 @@ entries: version: 73.3.0 - apiVersion: v2 appVersion: 3.73.2 - created: "2024-02-12T22:53:43.587830155Z" + created: "2024-03-13T16:43:58.171250867Z" description: Helm Chart for StackRox Central Service digest: 8aa72d09fc9e4625e7429cada53a779e11b6a81fb4902a1c95b697e51165815b icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -410,7 +421,7 @@ entries: version: 73.2.0 - apiVersion: v2 appVersion: 3.73.1 - created: "2024-02-12T22:53:43.585952897Z" + created: "2024-03-13T16:43:58.169413622Z" description: Helm Chart for StackRox Central Service digest: cc929f82add69b661161ebdcd3dae0e007a1c55d6860686db113e7d0cea72cfd icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -421,7 +432,7 @@ entries: version: 73.1.0 - apiVersion: v2 appVersion: 3.73.0 - created: "2024-02-12T22:53:43.584116524Z" + created: "2024-03-13T16:43:58.167518709Z" description: Helm Chart for StackRox Central Service digest: 59c30250551c5fddbdd5f32683b23538e9aad120bcf095d04c943989c56adef0 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -432,7 +443,7 @@ entries: version: 73.0.0 - apiVersion: v2 appVersion: 3.72.4 - created: "2024-02-12T22:53:43.5822152Z" + created: "2024-03-13T16:43:58.165650847Z" description: Helm Chart for StackRox Central Service digest: 33c96fa6d02a45d8f3e189ffbe9fffb54e1979fc84d9d4cc2bfffb06048f8b60 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -443,7 +454,7 @@ entries: version: 72.4.0 - apiVersion: v2 appVersion: 3.72.3 - created: "2024-02-12T22:53:43.580031176Z" + created: "2024-03-13T16:43:58.16367325Z" description: Helm Chart for StackRox Central Service digest: c9056c0972ab0c24c91900a91072528008b6302a8e066bff239e0e78cef2a4c5 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -454,7 +465,7 @@ entries: version: 72.3.0 - apiVersion: v2 appVersion: 3.72.2 - created: "2024-02-12T22:53:43.578434519Z" + created: "2024-03-13T16:43:58.161705782Z" description: Helm Chart for StackRox Central Service digest: 41e069ecf8acd9b6b17399f8e3336e530eac73f0f988387e66d506e40c9486de icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -465,7 +476,7 @@ entries: version: 72.2.0 - apiVersion: v2 appVersion: 3.72.1 - created: "2024-02-12T22:53:43.576787759Z" + created: "2024-03-13T16:43:58.16011246Z" description: Helm Chart for StackRox Central Service digest: dffec915f18f9f0c88f7609ad6fb415e281557bf8695357dc1cecc0b4f1a8936 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -476,7 +487,7 @@ entries: version: 72.1.0 - apiVersion: v2 appVersion: 3.72.0 - created: "2024-02-12T22:53:43.575166355Z" + created: "2024-03-13T16:43:58.158474355Z" description: Helm Chart for StackRox Central Service digest: 8be952be40ef29b13fc95bac4d6dff5b9289d34e32a32497e8465b4c1cce661e icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -487,7 +498,7 @@ entries: version: 72.0.0 - apiVersion: v2 appVersion: 3.71.3 - created: "2024-02-12T22:53:43.573355815Z" + created: "2024-03-13T16:43:58.156867237Z" description: Helm Chart for StackRox Central Clusters digest: df3fca54fb637426e3c895d7356b7dfb95ed64384e005919cfa8de571d48a20d icon: https://www.stackrox.com/img/logo.svg @@ -498,7 +509,7 @@ entries: version: 71.3.0 - apiVersion: v2 appVersion: 3.71.2 - created: "2024-02-12T22:53:43.570719526Z" + created: "2024-03-13T16:43:58.154969008Z" description: Helm Chart for StackRox Central Clusters digest: 7ff76bf8dc53b249ab1d9c61fd203f834777a39346e217e18862cb6b47808204 icon: https://www.stackrox.com/img/logo.svg @@ -509,7 +520,7 @@ entries: version: 71.2.0 - apiVersion: v2 appVersion: 3.71.0 - created: "2024-02-12T22:53:43.569172231Z" + created: "2024-03-13T16:43:58.153136141Z" description: Helm Chart for StackRox Central Clusters digest: 22115098ea95e326a08063c0fd5089647d729e58d6d668a9ad22841055f17498 icon: https://www.stackrox.com/img/logo.svg @@ -520,7 +531,7 @@ entries: version: 71.0.0 - apiVersion: v2 appVersion: 3.70.0 - created: "2024-02-12T22:53:43.56765422Z" + created: "2024-03-13T16:43:58.151582452Z" description: Helm Chart for StackRox Central Clusters digest: db1c6b84de673bcf72f41b21059b020ad91bd116ddb38772fc0292296e484e5f icon: https://www.stackrox.com/img/logo.svg 
@@ -530,9 +541,20 @@ entries: - stackrox-central-services-70.0.0.tgz version: 70.0.0 stackrox-secured-cluster-services: + - apiVersion: v2 + appVersion: 4.3.5 + created: "2024-03-13T16:43:58.242746231Z" + description: Helm Chart for StackRox Secured Clusters + digest: fd402064a38aff3fb04f96b0bb07be2f224e0fc4e82b6b8f2e78c244be93e74f + icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png + name: stackrox-secured-cluster-services + type: application + urls: + - stackrox-secured-cluster-services-400.3.5.tgz + version: 400.3.5 - apiVersion: v2 appVersion: 4.3.4 - created: "2024-02-12T22:53:43.658183275Z" + created: "2024-03-13T16:43:58.241042243Z" description: Helm Chart for StackRox Secured Clusters digest: aff0c0bbbc6a00774e0ddcec863092338125445937e61fb525d62b33a2defbb9 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -543,7 +565,7 @@ entries: version: 400.3.4 - apiVersion: v2 appVersion: 4.3.3 - created: "2024-02-12T22:53:43.655935159Z" + created: "2024-03-13T16:43:58.238590873Z" description: Helm Chart for StackRox Secured Clusters digest: fb5fb6871823ee2e7d0cb061bacc680cf2595c2f4c33cb6c3d9aa9dc7551b874 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -554,7 +576,7 @@ entries: version: 400.3.3 - apiVersion: v2 appVersion: 4.3.2 - created: "2024-02-12T22:53:43.654272629Z" + created: "2024-03-13T16:43:58.236917242Z" description: Helm Chart for StackRox Secured Clusters digest: b35677810e0b05f32171ea6de3048b34856364627f19caba1501c0b8eccda113 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -565,7 +587,7 @@ entries: version: 400.3.2 - apiVersion: v2 appVersion: 4.3.1 - created: "2024-02-12T22:53:43.652590813Z" + created: "2024-03-13T16:43:58.235190061Z" description: Helm Chart for StackRox Secured Clusters digest: dc4c3c3d8719ce7f5027ae33d3a274b665914622db508239c3f0199d254c3396 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -576,7 +598,7 @@ entries: version: 400.3.1 - apiVersion: v2 appVersion: 4.3.0 - created: "2024-02-12T22:53:43.650901795Z" + created: "2024-03-13T16:43:58.23348414Z" description: Helm Chart for StackRox Secured Clusters digest: 4954c026c24cc6b317834f14a55074c42fe8683678c4c6e2cfb00c5d6159caa1 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -587,7 +609,7 @@ entries: version: 400.3.0 - apiVersion: v2 appVersion: 4.2.4 - created: "2024-02-12T22:53:43.64873588Z" + created: "2024-03-13T16:43:58.231379908Z" description: Helm Chart for StackRox Secured Clusters digest: f48032e9479874b0cc60e5a8e96220937f7882d412772f4744a04c715b0dcffc icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -598,7 +620,7 @@ entries: version: 400.2.4 - apiVersion: v2 appVersion: 4.2.3 - created: "2024-02-12T22:53:43.646893761Z" + created: "2024-03-13T16:43:58.229350895Z" description: Helm Chart for StackRox Secured Clusters digest: bc7a3de27ce6bfa2ecdb1ba82ae0453860e9c2197e51948c40d59ce17b0d08a3 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -609,7 +631,7 @@ entries: version: 400.2.3 - apiVersion: v2 appVersion: 4.2.2 - created: "2024-02-12T22:53:43.645198731Z" + created: "2024-03-13T16:43:58.227627812Z" description: Helm Chart for StackRox Secured Clusters digest: b6e110b53a79245180d5489321d29b66def2216602ad4bdc806a45c6d48f70c9 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -620,7 +642,7 @@ entries: version: 400.2.2 - apiVersion: v2 appVersion: 4.2.1 - created: "2024-02-12T22:53:43.643527284Z" + created: "2024-03-13T16:43:58.225951736Z" description: Helm Chart for StackRox Secured Clusters digest: cd0073952b8b268bec0037e8fc4e2b20a04cf3727391fde40f90b2a7d5a72d8d icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -631,7 +653,7 @@ entries: version: 400.2.1 - apiVersion: v2 appVersion: 4.2.0 - created: "2024-02-12T22:53:43.641787772Z" + created: "2024-03-13T16:43:58.22425414Z" description: Helm Chart for StackRox Secured Clusters digest: db306d052b0b6d78e6abf600183f1ea7d72e277bc3d50f29c190409777bc644c icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -642,7 +664,7 @@ entries: version: 400.2.0 - apiVersion: v2 appVersion: 4.1.6 - created: "2024-02-12T22:53:43.639267273Z" + created: "2024-03-13T16:43:58.221919284Z" description: Helm Chart for StackRox Secured Clusters digest: 923407171a8a028052cb58e7bfd8e2e4890b960c9933f890b6d3e4bb5da0acfb icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -653,7 +675,7 @@ entries: version: 400.1.6 - apiVersion: v2 appVersion: 4.1.5 - created: "2024-02-12T22:53:43.637537388Z" + created: "2024-03-13T16:43:58.220234862Z" description: Helm Chart for StackRox Secured Clusters digest: 06c091dcc43736530888509fbe773ce88c63957e7906ec386188f5f6a5224bf3 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -664,7 +686,7 @@ entries: version: 400.1.5 - apiVersion: v2 appVersion: 4.1.4 - created: "2024-02-12T22:53:43.635836688Z" + created: "2024-03-13T16:43:58.218511609Z" description: Helm Chart for StackRox Secured Clusters digest: 3ed39a05313aa817cb5fc312787d33551dffe11b5f0047b43194676889c2b507 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -675,7 +697,7 @@ entries: version: 400.1.4 - apiVersion: v2 appVersion: 4.1.3 - created: "2024-02-12T22:53:43.634112864Z" + created: "2024-03-13T16:43:58.21681793Z" description: Helm Chart for StackRox Secured Clusters digest: 18f5b5f0bd69c21302d276a914a5100a9e5cca72632e101127caddfc6dffecec icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -686,7 +708,7 @@ entries: version: 400.1.3 - apiVersion: v2 appVersion: 4.1.2 - created: "2024-02-12T22:53:43.631804422Z" + created: "2024-03-13T16:43:58.21455356Z" description: Helm Chart for StackRox Secured Clusters digest: 9a404831be82ea5ea6567c838b937760227bb1f98978955c4278383810de18e3 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -697,7 +719,7 @@ entries: version: 400.1.2 - apiVersion: v2 appVersion: 4.1.1 - created: "2024-02-12T22:53:43.630104543Z" + created: "2024-03-13T16:43:58.212596031Z" description: Helm Chart for StackRox Secured Clusters digest: 294d6c05bc0cf4ab89afd38ce6ac16401e7b6ef7b4cc6f41ba276f308a32045f icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -708,7 +730,7 @@ entries: version: 400.1.1 - apiVersion: v2 appVersion: 4.1.0 - created: "2024-02-12T22:53:43.628438207Z" + created: "2024-03-13T16:43:58.210875723Z" description: Helm Chart for StackRox Secured Clusters digest: faad2e105677d7932514830e3993fa9078b5d7cd0fdcea750ab34d66a6f06979 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -719,7 +741,7 @@ entries: version: 400.1.0 - apiVersion: v2 appVersion: 4.0.5 - created: "2024-02-12T22:53:43.626707941Z" + created: "2024-03-13T16:43:58.209146739Z" description: Helm Chart for StackRox Secured Clusters digest: 2f30cebf1819aa81586e36bd41b70867e54e7ae7ccda1f8ca0f78016a22c6382 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -730,7 +752,7 @@ entries: version: 400.0.5 - apiVersion: v2 appVersion: 4.0.4 - created: "2024-02-12T22:53:43.624428026Z" + created: "2024-03-13T16:43:58.207412716Z" description: Helm Chart for StackRox Secured Clusters digest: 6892758562ae3c3480fce3796570da649515b627fe46fed500a333025f4868a0 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -741,7 +763,7 @@ entries: version: 400.0.4 - apiVersion: v2 appVersion: 4.0.3 - created: "2024-02-12T22:53:43.622762771Z" + created: "2024-03-13T16:43:58.205057928Z" description: Helm Chart for StackRox Secured Clusters digest: 407faa33f01752e67a2cfd877f6c0fd3db3800c06a85d37d84fe8394f2f5dc92 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -752,7 +774,7 @@ entries: version: 400.0.3 - apiVersion: v2 appVersion: 4.0.2 - created: "2024-02-12T22:53:43.621073721Z" + created: "2024-03-13T16:43:58.20334838Z" description: Helm Chart for StackRox Secured Clusters digest: 11a52ce31bb3342a466d315b7d63212d03596b6fb876d47be8a5f89f76290d14 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -763,7 +785,7 @@ entries: version: 400.0.2 - apiVersion: v2 appVersion: 4.0.1 - created: "2024-02-12T22:53:43.619413356Z" + created: "2024-03-13T16:43:58.201655032Z" description: Helm Chart for StackRox Secured Clusters digest: 1d8e7a056677b9e3f87d3c2abcfd4ab070a39121c57d456864f65d07098fedcd icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -774,7 +796,7 @@ entries: version: 400.0.1 - apiVersion: v2 appVersion: 4.0.0 - created: "2024-02-12T22:53:43.617713377Z" + created: "2024-03-13T16:43:58.199929715Z" description: Helm Chart for StackRox Secured Clusters digest: e72173415fd130aee22a541a57dad01cb5aaabf041daaeed675ad056313cd2e5 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -785,7 +807,7 @@ entries: version: 400.0.0 - apiVersion: v2 appVersion: 3.74.9 - created: "2024-02-12T22:53:43.70268028Z" + created: "2024-03-13T16:43:58.288978998Z" description: Helm Chart for StackRox Secured Clusters digest: 20b5ebafeb271885cfcd57a5f8b1e4a8f859deeca15f1419f320df20c899d94f icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -796,7 +818,7 @@ entries: version: 74.9.0 - apiVersion: v2 appVersion: 3.74.8 - created: "2024-02-12T22:53:43.700999607Z" + created: "2024-03-13T16:43:58.28689812Z" description: Helm Chart for StackRox Secured Clusters digest: f7f47aa1bb146f6ac80ccc73f1eca69b129cf4845e60a4c3188ef875107f1bb6 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -807,7 +829,7 @@ entries: version: 74.8.0 - apiVersion: v2 appVersion: 3.74.7 - created: "2024-02-12T22:53:43.699347818Z" + created: "2024-03-13T16:43:58.284907179Z" description: Helm Chart for StackRox Secured Clusters digest: f4ccd4f78491695b88816a20ba9299771d992853dabbbba338c7c587f01753e3 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -818,7 +840,7 @@ entries: version: 74.7.0 - apiVersion: v2 appVersion: 3.74.6 - created: "2024-02-12T22:53:43.696979319Z" + created: "2024-03-13T16:43:58.283152006Z" description: Helm Chart for StackRox Secured Clusters digest: c66ce4b6fc54ccbaad47c2455b8f9557079057450f2a64d6633ca20bbf06252f icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -829,7 +851,7 @@ entries: version: 74.6.0 - apiVersion: v2 appVersion: 3.74.5 - created: "2024-02-12T22:53:43.695343509Z" + created: "2024-03-13T16:43:58.281453468Z" description: Helm Chart for StackRox Secured Clusters digest: d631a15c2b56363f4e402bd802fa0f70bcbbde656b1c882562e38b622149556b icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -840,7 +862,7 @@ entries: version: 74.5.0 - apiVersion: v2 appVersion: 3.74.4 - created: "2024-02-12T22:53:43.693684987Z" + created: "2024-03-13T16:43:58.279747247Z" description: Helm Chart for StackRox Secured Clusters digest: cb1c78c41c1eb13362cf099cfe813b36a728a51c1a4dbc22a32a68692c234034 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -851,7 +873,7 @@ entries: version: 74.4.0 - apiVersion: v2 appVersion: 3.74.3 - created: "2024-02-12T22:53:43.692027497Z" + created: "2024-03-13T16:43:58.277486324Z" description: Helm Chart for StackRox Secured Clusters digest: 50ab858bf9b559e435b8ff47fedd993060953d51b7a9750a0fa71385df3260d5 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -862,7 +884,7 @@ entries: version: 74.3.0 - apiVersion: v2 appVersion: 3.74.2 - created: "2024-02-12T22:53:43.689716021Z" + created: "2024-03-13T16:43:58.275747882Z" description: Helm Chart for StackRox Secured Clusters digest: 295d7b22550ac2d8042c29a3bf601db764183b4666f65739d3ad3d9764bdca80 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -873,7 +895,7 @@ entries: version: 74.2.0 - apiVersion: v2 appVersion: 3.74.1 - created: "2024-02-12T22:53:43.688059453Z" + created: "2024-03-13T16:43:58.274082886Z" description: Helm Chart for StackRox Secured Clusters digest: 46d92c2b85c4b1ce2cd6b23c9890c00e039502626f42982c66f80cd39819d41a icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -884,7 +906,7 @@ entries: version: 74.1.0 - apiVersion: v2 appVersion: 3.74.0 - created: "2024-02-12T22:53:43.686410618Z" + created: "2024-03-13T16:43:58.272322273Z" description: Helm Chart for StackRox Secured Clusters digest: b16de939fd234fbd62b3966e2ba0794d5e11e6dd5f782856f4562b0da42eb675 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -895,7 +917,7 @@ entries: version: 74.0.0 - apiVersion: v2 appVersion: 3.73.5 - created: "2024-02-12T22:53:43.684733452Z" + created: "2024-03-13T16:43:58.269968237Z" description: Helm Chart for StackRox Secured Clusters digest: 05669d6da11df97070af8c402a2cd68a1052ed7457dfe5b5fdd729b30d1c6e3a icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -906,7 +928,7 @@ entries: version: 73.5.0 - apiVersion: v2 appVersion: 3.73.4 - created: "2024-02-12T22:53:43.683054842Z" + created: "2024-03-13T16:43:58.268309573Z" description: Helm Chart for StackRox Secured Clusters digest: da6ba1c98c51d7238ea44395f1bce8844b7276f932a26580d2e8bdb555c90e03 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -917,7 +939,7 @@ entries: version: 73.4.0 - apiVersion: v2 appVersion: 3.73.3 - created: "2024-02-12T22:53:43.680782424Z" + created: "2024-03-13T16:43:58.266602079Z" description: Helm Chart for StackRox Secured Clusters digest: 5b50f8880babbdacf1e3e85faa5e23ebc37e80e3c29bbf1e83b75227c7b045e9 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -928,7 +950,7 @@ entries: version: 73.3.0 - apiVersion: v2 appVersion: 3.73.2 - created: "2024-02-12T22:53:43.679111669Z" + created: "2024-03-13T16:43:58.264917788Z" description: Helm Chart for StackRox Secured Clusters digest: ab4e152523ac791491f832c90b92218597431594953fcf9fda8235aa9bb2c3ce icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -939,7 +961,7 @@ entries: version: 73.2.0 - apiVersion: v2 appVersion: 3.73.1 - created: "2024-02-12T22:53:43.677395429Z" + created: "2024-03-13T16:43:58.262534895Z" description: Helm Chart for StackRox Secured Clusters digest: 2dc578c3c905b996339b8d5f2f80428c03501a9c9699516dbf12ed11e2091750 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -950,7 +972,7 @@ entries: version: 73.1.0 - apiVersion: v2 appVersion: 3.73.0 - created: "2024-02-12T22:53:43.675736055Z" + created: "2024-03-13T16:43:58.260849382Z" description: Helm Chart for StackRox Secured Clusters digest: 93e3298b3ee1f96db92b6e23a65591d7a9cb1bffa7871177187815599c8d021a icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -961,7 +983,7 @@ entries: version: 73.0.0 - apiVersion: v2 appVersion: 3.72.4 - created: "2024-02-12T22:53:43.673937856Z" + created: "2024-03-13T16:43:58.259125968Z" description: Helm Chart for StackRox Secured Clusters digest: e127489a3df22bf5bebbb56cbd6ccc8e9d1f56994cb077be045ca5bbbc1698f4 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -972,7 +994,7 @@ entries: version: 72.4.0 - apiVersion: v2 appVersion: 3.72.3 - created: "2024-02-12T22:53:43.671811803Z" + created: "2024-03-13T16:43:58.257457437Z" description: Helm Chart for StackRox Secured Clusters digest: dfbd93015a9a8021d53390907dd9e209ca0ded07065cb032e05554eb2a2130ad icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -983,7 +1005,7 @@ entries: version: 72.3.0 - apiVersion: v2 appVersion: 3.72.2 - created: "2024-02-12T22:53:43.67013673Z" + created: "2024-03-13T16:43:58.255743591Z" description: Helm Chart for StackRox Secured Clusters digest: 105e5d5d4318153130d39ca7f65e54a0cdd4d7c56651af3a2da324287f7f412b icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -994,7 +1016,7 @@ entries: version: 72.2.0 - apiVersion: v2 appVersion: 3.72.1 - created: "2024-02-12T22:53:43.668498435Z" + created: "2024-03-13T16:43:58.253358747Z" description: Helm Chart for StackRox Secured Clusters digest: b7d6a675beef0e81bb78e8fbc15b12d9e6182f45918e6a4e9fd8833c6cd8b03e icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png 
@@ -1005,7 +1027,7 @@ entries: version: 72.1.0 - apiVersion: v2 appVersion: 3.72.0 - created: "2024-02-12T22:53:43.666830295Z" + created: "2024-03-13T16:43:58.251639961Z" description: Helm Chart for StackRox Secured Clusters digest: 099a3eb3a13c5fc7607d654b0bde4934c6cc5cd8c1c473a3cb64dbf75c540368 icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/StackRox_icon.png @@ -1016,7 +1038,7 @@ entries: version: 72.0.0 - apiVersion: v2 appVersion: 3.71.3 - created: "2024-02-12T22:53:43.664811493Z" + created: "2024-03-13T16:43:58.249979885Z" description: Helm Chart for StackRox Secured Clusters digest: f05b85662ed91d727ea7ebea0219be5ef0d80e657d69f40b961d5166c88d6292 icon: https://www.stackrox.com/img/logo.svg @@ -1027,7 +1049,7 @@ entries: version: 71.3.0 - apiVersion: v2 appVersion: 3.71.2 - created: "2024-02-12T22:53:43.662968067Z" + created: "2024-03-13T16:43:58.248349955Z" description: Helm Chart for StackRox Secured Clusters digest: 7624e7c16f5f22aaa34ffac654606fb974813f895f312cd1fbd6c103959e9ad0 icon: https://www.stackrox.com/img/logo.svg @@ -1038,7 +1060,7 @@ entries: version: 71.2.0 - apiVersion: v2 appVersion: 3.71.0 - created: "2024-02-12T22:53:43.661368344Z" + created: "2024-03-13T16:43:58.246098733Z" description: Helm Chart for StackRox Secured Clusters digest: eb8decbde7b849b7b21357c0b2812b404b6c08f69e97d2a57478a413223f21e3 icon: https://www.stackrox.com/img/logo.svg @@ -1049,7 +1071,7 @@ entries: version: 71.0.0 - apiVersion: v2 appVersion: 3.70.0 - created: "2024-02-12T22:53:43.659794729Z" + created: "2024-03-13T16:43:58.244502546Z" description: Helm Chart for StackRox Secured Clusters digest: e6ef2cdc20620fab37e0cfd6b5a5646c83e5b1360bd0a7eddd835f5824c16c8a icon: https://www.stackrox.com/img/logo.svg @@ -1058,4 +1080,4 @@ entries: urls: - stackrox-secured-cluster-services-70.0.0.tgz version: 70.0.0 -generated: "2024-02-12T22:53:43.519543046Z" +generated: "2024-03-13T16:43:58.091537138Z" 
diff --git a/opensource/stackrox-central-services-400.3.5.tgz b/opensource/stackrox-central-services-400.3.5.tgz new file mode 100644 index 0000000..f7e5201 Binary files /dev/null and b/opensource/stackrox-central-services-400.3.5.tgz differ diff --git a/opensource/stackrox-secured-cluster-services-400.3.5.tgz b/opensource/stackrox-secured-cluster-services-400.3.5.tgz new file mode 100644 index 0000000..fdeff82 Binary files /dev/null and b/opensource/stackrox-secured-cluster-services-400.3.5.tgz differ diff --git a/rhacs/4.3.5/central-services/.helmignore b/rhacs/4.3.5/central-services/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/rhacs/4.3.5/central-services/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/rhacs/4.3.5/central-services/Chart.yaml b/rhacs/4.3.5/central-services/Chart.yaml new file mode 100644 index 0000000..2e82f5f --- /dev/null +++ b/rhacs/4.3.5/central-services/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 # Can probably be generalized to v1 later. TODO(ROX-5502). +name: stackrox-central-services +icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/Red_Hat-Hat_icon.png +description: Helm Chart for StackRox Central Service +type: application +version: 400.3.5 +appVersion: 4.3.5 diff --git a/rhacs/4.3.5/central-services/README.md b/rhacs/4.3.5/central-services/README.md new file mode 100644 index 0000000..9f1776c --- /dev/null +++ b/rhacs/4.3.5/central-services/README.md 
@@ -0,0 +1,179 @@ +# StackRox Kubernetes Security Platform - Central Services Helm Chart + +This Helm chart allows you to deploy the central services of the StackRox +Kubernetes Security Platform: StackRox Central and StackRox Scanner. + +If you want to install Red Hat Advanced Cluster Security, refer to +[Installing quickly using Helm charts](https://docs.openshift.com/acs/installing/installing_helm/install-helm-quick.html) +for up to date information. + +## Prerequisites + +To deploy the central services for the StackRox Kubernetes Security platform +using Helm, you must: +- Have at least version 3.1 of the Helm tool installed on your machine + +## Add the Canonical Chart Location as a Helm Repository + +The canonical repository for StackRox Helm charts is https://mirror.openshift.com/pub/rhacs/charts. +To use StackRox Helm charts on your machine, run +```sh +helm repo add stackrox https://mirror.openshift.com/pub/rhacs/charts +``` +This command only needs to be run once on your machine. Whenever you are deploying +or upgrading a chart from a remote repository, it is advisable to run +```sh +helm repo update +``` +beforehand. + +## Deploy Central Services Using Helm + +The basic command for deploying the central services is +```sh +helm install -n stackrox --create-namespace \ + --set central.persistence.none=true \ + stackrox-central-services stackrox/stackrox-central-services +``` +If you have a copy of this chart on your machine, you can also reference the +path to this copy instead of `stackrox/stackrox-central-services` above. + +In case you use image mirroring or otherwise access StackRox container images from non-standard location, +you may also need to provide image pull credentials. +There are several ways to inject the required credentials (if any) into the installation process: + +- **Explicitly specify username and password:** Use this if you are using a registry that supports username/password + authentication. 
Pass the following arguments to the `helm install` command: + ```sh + --set imagePullSecrets.username= --set imagePullSecrets.password= + ``` +- **Use pre-existing image pull secrets:** If you already have one or several image pull secrets + created in the namespace to which you are deploying, you can reference these in the following + way (we assume that your secrets are called `pull-secret-1` and `pull-secret-2`): + ```sh + --set imagePullSecrets.useExisting="pull-secret-1;pull-secret-2" + ``` +- **Do not use image pull secrets:** If you are pulling your images from quay.io/stackrox-io or a registry in a private + network that does not require authentication, or if the default service account in the namespace + to which you are deploying is already configured with appropriate image pull secrets, you do + not need to specify any additional image pull secrets. + +### Accessing the StackRox Portal After Deployment + +Once you have deployed the StackRox Kubernetes Security Platform Central Services via +`helm install`, you will see an information text on the console that contains any things to +note, or warnings encountered during the installation text. In particular, it instructs you +how to connect to your Central deployment via port-forward (if you have not configured an +exposure method, see below), and the administrator password to use for the initial login. + +### Applying Custom Configuration Options + +This Helm chart has many different configuration options. For simple use cases, these can be +set directly on the `helm install` command line; however, we generally recommend that you +store your configuration in a dedicated file. + +#### Using the `--set` family of command-line flags + +This approach is the quickest way to customize the deployment, but it does not work for +more complex configuration settings. 
Via the `--set` and `--set-file` flags, which need to be +appended to your `helm install` invocation, you can inject configuration values into the +installation process. Here are some examples: +- **Deploy StackRox in offline mode:** This configures StackRox in a way such that it will not + reach out to any external endpoints. + ```sh + --set env.offlineMode=true + ``` +- **Configure a fixed administrator password:** This sets the password with which you log in to + the StackRox portal as an administrator. If you do not configure a password yourself, one will + be created for you and printed as part of the installation notes. + ```sh + --set central.adminPassword.value=mysupersecretpassword + ``` + +#### Using configuration YAML files and the `-f` command-line flag + +To ensure the best possible upgrade experience, it is recommended that you store all custom +configuration options in two files: `values-public.yaml` and `values-private.yaml`. The former +contains all non-sensitive configuration options (such as whether to run in offline mode), and the +latter contains all sensitive configuration options (such as the administrator password, or +custom TLS certificates). The `values-public.yaml` file can be stored in, for example, your Git +repository, while the `values-private.yaml` file should be stored in a secrets management +system. + +There is a large number of configuration options that cannot all be discussed in minute detail +in this README file. However, the Helm chart contains example configuration files +`values-public.yaml.example` and `values-private.yaml.example`, that list all the available +configuration options, along with documentation. 
The following is just a brief example of what +can be configured via those files: +- **`values-public.yaml`:** + ```yaml + env: + offlineMode: true # run in offline mode + + central: + # Use custom resource overrides for central + resources: + requests: + cpu: 4 + memory: "8Gi" + limits: + cpu: 8 + memory: "16Gi" + + # Expose central via a LoadBalancer service + exposure: + loadBalancer: + enabled: true + + scanner: + # Run without StackRox Scanner (NOT RECOMMENDED) + disable: true + + customize: + # Apply the important-service=true label for all objects managed by this chart. + labels: + important-service: true + # Set the CLUSTER=important-cluster environment variable for all containers in the + # central deployment: + central: + envVars: + CLUSTER: important-cluster + ``` +- **`values-private.yaml`**: + ```yaml + central: + # Configure a default TLS certificate (public cert + private key) for central + defaultTLS: + cert: | + -----BEGIN CERTIFICATE----- + MII... + -----END CERTIFICATE----- + key: | + -----BEGIN EC PRIVATE KEY----- + MHc... + -----END EC PRIVATE KEY----- + ``` + +After you have created these YAML files, you can inject the configuration options into the +installation process via the `-f` flag, i.e., by appending the following options to the +`helm install` invocation: +```sh +-f values-public.yaml -f values-private.yaml +``` + +### Changing Configuration Options After Deployment + +If you wish to make any changes to the deployment, simply change the configuration options +in your `values-public.yaml` and/or `values-private.yaml` file(s), and inject them into an +`helm upgrade` invocation: +```sh +helm upgrade -n stackrox stackrox-central-services stackrox/stackrox-central-services \ + -f values-public.yaml \ + -f values-private.yaml +``` +Under most circumstances, you will not need to supply the `values-private.yaml` file, unless +you want changes to sensitive configuration options to be applied. 
+ +Of course you can also specify configuration values via the `--set` or `--set-file` command-line +flags. However, these options will be forgotten with the next `helm upgrade` invocation, unless +you supply them again. diff --git a/rhacs/4.3.5/central-services/assets/Red_Hat-Hat_icon.png b/rhacs/4.3.5/central-services/assets/Red_Hat-Hat_icon.png new file mode 100644 index 0000000..fae985e Binary files /dev/null and b/rhacs/4.3.5/central-services/assets/Red_Hat-Hat_icon.png differ diff --git a/rhacs/4.3.5/central-services/assets/StackRox_icon.png b/rhacs/4.3.5/central-services/assets/StackRox_icon.png new file mode 100644 index 0000000..3c136e3 Binary files /dev/null and b/rhacs/4.3.5/central-services/assets/StackRox_icon.png differ diff --git a/rhacs/4.3.5/central-services/config-templates/scanner/config.yaml.tpl b/rhacs/4.3.5/central-services/config-templates/scanner/config.yaml.tpl new file mode 100644 index 0000000..5efc0b9 --- /dev/null +++ b/rhacs/4.3.5/central-services/config-templates/scanner/config.yaml.tpl 
@@ -0,0 +1,48 @@ +{{- /* + This is the configuration file template for Scanner. + Except for in extremely rare circumstances, you DO NOT need to modify this file. + All config options that are possibly dynamic are templated out and can be modified + via `--set`/values-files specified via `-f`. + */ -}} + +# Configuration file for scanner. + +scanner: + centralEndpoint: https://central.{{ .Release.Namespace }}.svc + sensorEndpoint: https://sensor.{{ .Release.Namespace }}.svc + database: + # Database driver + type: pgsql + options: + # PostgreSQL Connection string + # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING + source: host=scanner-db.{{ .Release.Namespace }}.svc port=5432 user=postgres sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} statement_timeout=60000 + + # Number of elements kept in the cache + # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. + cachesize: 16384 + + api: + httpsPort: 8080 + grpcPort: 8443 + + updater: + # Frequency with which the scanner will poll for vulnerability updates. + interval: 5m + + logLevel: {{ ._rox.scanner.logLevel }} + + # The scanner intentionally avoids extracting or analyzing any files + # larger than the following default sizes to prevent DoS attacks. + # Leave these commented to use a reasonable default. + + # The max size of files in images that are extracted. + # Increasing this number increases memory pressure. + # maxExtractableFileSizeMB: 200 + # The max size of ELF executable files that are analyzed. + # Increasing this number may increase disk pressure. + # maxELFExecutableFileSizeMB: 800 + # The max size of image file reader buffer. Image file data beyond this limit are overflowed to temporary files on disk. + # maxImageFileReaderBufferSizeMB: 100 + + exposeMonitoring: false 
diff --git a/rhacs/4.3.5/central-services/config/central/config.yaml.default b/rhacs/4.3.5/central-services/config/central/config.yaml.default new file mode 100644 index 0000000..d85c852 --- /dev/null +++ b/rhacs/4.3.5/central-services/config/central/config.yaml.default @@ -0,0 +1,7 @@ +maintenance: + safeMode: false # When set to true, Central will sleep forever on the next restart + compaction: + enabled: true + bucketFillFraction: .5 # This controls how densely to compact the buckets. Usually not advised to modify + freeFractionThreshold: 0.75 # This is the threshold for free bytes / total bytes after which compaction will occur + forceRollbackVersion: none # This is the config and target rollback version after upgrade complete. diff --git a/rhacs/4.3.5/central-services/config/central/endpoints.yaml.default b/rhacs/4.3.5/central-services/config/central/endpoints.yaml.default new file mode 100644 index 0000000..25549d6 --- /dev/null +++ b/rhacs/4.3.5/central-services/config/central/endpoints.yaml.default 
@@ -0,0 +1,31 @@ +# Sample endpoints.yaml configuration for StackRox Central. +# +# # CAREFUL: If the following line is uncommented, do not expose the default endpoint on port 8443 by default. +# # This will break normal operation. +# disableDefault: true # if true, don't serve on :8443 +# endpoints: +# # Serve plaintext HTTP only on port 8080 +# - listen: ":8080" +# # Backend protocols, possible values are 'http' and 'grpc'. If unset or empty, assume both. +# protocols: +# - http +# tls: +# # Disable TLS. If this is not specified, assume TLS is enabled. +# disable: true +# # Serve HTTP and gRPC for sensors only on port 8444 +# - listen: ":8444" +# tls: +# # Which TLS certificates to serve, possible values are 'service' (StackRox-generated service certificates) +# # and 'default' (user-configured default TLS certificate). If unset or empty, assume both. +# serverCerts: +# - default +# - service +# # Client authentication settings. +# clientAuth: +# # Enforce TLS client authentication. If unset, do not enforce, only request certificates +# # opportunistically. +# required: true +# # Which TLS client CAs to serve, possible values are 'service' (CA for StackRox-generated service +# # certificates) and 'user' (CAs for PKI auth providers). If unset or empty, assume both. +# certAuthorities: # if not set, assume ["user", "service"] +# - service diff --git a/rhacs/4.3.5/central-services/config/centraldb/pg_hba.conf.default b/rhacs/4.3.5/central-services/config/centraldb/pg_hba.conf.default new file mode 100644 index 0000000..8229f95 --- /dev/null +++ b/rhacs/4.3.5/central-services/config/centraldb/pg_hba.conf.default 
@@ -0,0 +1,103 @@ +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the "Client Authentication" section in the PostgreSQL +# documentation for a complete description of this file. A short +# synopsis follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTIONS] +# host DATABASE USER ADDRESS METHOD [OPTIONS] +# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] +# +# (The uppercase items must be replaced by actual values.) +# +# The first field is the connection type: "local" is a Unix-domain +# socket, "host" is either a plain or SSL-encrypted TCP/IP socket, +# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a +# plain TCP/IP socket. +# +# DATABASE can be "all", "sameuser", "samerole", "replication", a +# database name, or a comma-separated list thereof. The "all" +# keyword does not match "replication". Access to replication +# must be enabled in a separate record (see example below). +# +# USER can be "all", a user name, a group name prefixed with "+", or a +# comma-separated list thereof. In both the DATABASE and USER fields +# you can also write a file name prefixed with "@" to include names +# from a separate file. +# +# ADDRESS specifies the set of hosts the record matches. It can be a +# host name, or it is made up of an IP address and a CIDR mask that is +# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that +# specifies the number of significant bits in the mask. A host name +# that starts with a dot (.) matches a suffix of the actual host name. +# Alternatively, you can write an IP address and netmask in separate +# columns to specify the set of hosts. 
Instead of a CIDR-address, you +# can write "samehost" to match any of the server's own IP addresses, +# or "samenet" to match any address in any subnet that the server is +# directly connected to. +# +# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", +# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". +# Note that "password" sends passwords in clear text; "md5" or +# "scram-sha-256" are preferred since they send encrypted passwords. +# +# OPTIONS are a set of options for the authentication in the format +# NAME=VALUE. The available options depend on the different +# authentication methods -- refer to the "Client Authentication" +# section in the documentation for a list of which options are +# available for which authentication methods. +# +# Database and user names containing spaces, commas, quotes and other +# special characters must be quoted. Quoting one of the keywords +# "all", "sameuser", "samerole" or "replication" makes the name lose +# its special character, and just match a database or username with +# that name. +# +# This file is read on server startup and when the server receives a +# SIGHUP signal. If you edit the file on a running system, you have to +# SIGHUP the server for the changes to take effect, run "pg_ctl reload", +# or execute "SELECT pg_reload_conf()". +# +# Put your actual configuration here +# ---------------------------------- +# +# If you want to allow non-local connections, you need to add more +# "host" records. In that case you will also need to make PostgreSQL +# listen on a non-local interface via the listen_addresses +# configuration parameter, or via the -i or -h command line switches. + +# CAUTION: Configuring the system for local "trust" authentication +# allows any local user to connect as any PostgreSQL user, including +# the database superuser. If you do not trust all your local users, +# use another authentication method. 
+ + +# TYPE DATABASE USER ADDRESS METHOD + +# "local" is for Unix domain socket connections only +local all all scram-sha-256 +# IPv4 local connections: +host all all 127.0.0.1/32 scram-sha-256 +# IPv6 local connections: +host all all ::1/128 scram-sha-256 +# Allow replication connections from localhost, by a user with the +# replication privilege. +local replication all trust +host replication all 127.0.0.1/32 trust +host replication all ::1/128 trust + +### STACKROX MODIFIED +# Reject all non ssl connections from IPs +hostnossl all all 0.0.0.0/0 reject +hostnossl all all ::0/0 reject + +# Accept connections from ssl with password +hostssl all all 0.0.0.0/0 scram-sha-256 +hostssl all all ::0/0 scram-sha-256 +### diff --git a/rhacs/4.3.5/central-services/config/centraldb/postgresql.conf.default b/rhacs/4.3.5/central-services/config/centraldb/postgresql.conf.default new file mode 100644 index 0000000..057e7ea --- /dev/null +++ b/rhacs/4.3.5/central-services/config/centraldb/postgresql.conf.default @@ -0,0 +1,29 @@ +hba_file = '/etc/stackrox.d/config/pg_hba.conf' +listen_addresses = '*' +max_connections = 200 +password_encryption = scram-sha-256 + +ssl = on +ssl_ca_file = '/run/secrets/stackrox.io/certs/root.crt' +ssl_cert_file = '/run/secrets/stackrox.io/certs/server.crt' +ssl_key_file = '/run/secrets/stackrox.io/certs/server.key' + +shared_buffers = 2GB +work_mem = 40MB +maintenance_work_mem = 512MB +effective_cache_size = 4GB + +dynamic_shared_memory_type = posix +max_wal_size = 5GB +min_wal_size = 80MB + +log_timezone = 'Etc/UTC' +datestyle = 'iso, mdy' +timezone = 'Etc/UTC' +lc_messages = 'en_US.utf8' +lc_monetary = 'en_US.utf8' # locale for monetary formatting +lc_numeric = 'en_US.utf8' # locale for number formatting +lc_time = 'en_US.utf8' # locale for time formatting + +default_text_search_config = 'pg_catalog.english' +shared_preload_libraries = 'pg_stat_statements' # StackRox customized \ No newline at end of file 
diff --git a/rhacs/4.3.5/central-services/config/proxy-config.yaml.default b/rhacs/4.3.5/central-services/config/proxy-config.yaml.default new file mode 100644 index 0000000..8692a77 --- /dev/null +++ b/rhacs/4.3.5/central-services/config/proxy-config.yaml.default @@ -0,0 +1,26 @@ +# # NOTE: Both central and scanner should be restarted if this secret is changed. +# # While it is possible that some components will pick up the new proxy configuration +# # without a restart, it cannot be guaranteed that this will apply to every possible +# # integration etc. +# url: http://proxy.name:port +# username: username +# password: password +# # If the following value is set to true, the proxy wil NOT be excluded for the default hosts: +# # - *.stackrox, *.stackrox.svc +# # - localhost, localhost.localdomain, 127.0.0.0/8, ::1 +# # - *.local +# omitDefaultExcludes: false +# excludes: # hostnames (may include * components) for which not to use a proxy, like in-cluster repositories. +# - some.domain +# # The following configuration sections allow specifying a different proxy to be used for HTTP(S) connections. +# # If they are omitted, the above configuration is used for HTTP(S) connections as well as TCP connections. +# # If only the `http` section is given, it will be used for HTTPS connections as well. +# # Note: in most cases, a single, global proxy configuration is sufficient. +# http: +# url: http://http-proxy.name:port +# username: username +# password: password +# https: +# url: http://https-proxy.name:port +# username: username +# password: password diff --git a/rhacs/4.3.5/central-services/internal/bootstrap-defaults.yaml.tpl b/rhacs/4.3.5/central-services/internal/bootstrap-defaults.yaml.tpl new file mode 100644 index 0000000..8f8e559 --- /dev/null +++ b/rhacs/4.3.5/central-services/internal/bootstrap-defaults.yaml.tpl 
@@ -0,0 +1,16 @@ +# This file contains defaults that need to be merged into our config struct before we can +# execute the "normal" defaulting logic. As a result, none of these values can be overridden +# by defaults specified in defaults.yaml and platforms/*.yaml - that is okay. + +{{- if eq .Release.Name "test-release" }} +{{- include "srox.warn" (list . "You are using a release name that is reserved for tests. In order to allow linting to work, certain checks have been relaxed. If you are deploying to a real environment, we recommend that you choose a different release name.") }} +allowNonstandardNamespace: true +allowNonstandardReleaseName: true +{{- else }} +allowNonstandardNamespace: false +allowNonstandardReleaseName: false +{{- end }} + +meta: + useLookup: true + fileOverrides: {} diff --git a/rhacs/4.3.5/central-services/internal/config-shape.yaml b/rhacs/4.3.5/central-services/internal/config-shape.yaml new file mode 100644 index 0000000..e1ce4b7 --- /dev/null +++ b/rhacs/4.3.5/central-services/internal/config-shape.yaml 
@@ -0,0 +1,163 @@ +licenseKey: null # string +imagePullSecrets: + username: null # string + password: null # string + allowNone: null # bool + useExisting: null # string | [string] + useFromDefaultServiceAccount: null # bool +image: + registry: null # string +env: + installMethod: null # string + openshift: null # bool + istio: null # bool + platform: null # string + offlineMode: null # bool + proxyConfig: null # string | dict +ca: + cert: null # string + key: null # string + generate: null # bool +additionalCAs: null # string | [string] | dict +central: + telemetry: + enabled: null # bool + storage: + endpoint: null # string + key: null # string + config: null # string | dict + dbConfig: null # string | dict + endpointsConfig: null # string | dict + nodeSelector: null # string | dict + tolerations: null # [dict] + affinity: null # dict + exposeMonitoring: null # bool + jwtSigner: + key: null # string + generate: null # bool + serviceTLS: + cert: null # string + key: null # string + generate: null # bool + defaultTLS: + cert: null # string + key: null # string + reference: null # string + image: + registry: null # string + name: null # string + tag: null # string + fullRef: null # string + adminPassword: + value: null # string + generate: null # bool + htpasswd: null # string + resources: null # string | dict + persistence: + hostPath: null # string + persistentVolumeClaim: + claimName: null # string + createClaim: null # bool + storageClass: null # string + size: null # int | string + volume: + volumeSpec: null # dict + none: null # bool + exposure: + loadBalancer: + enabled: null # bool + port: null # int + ip: null # string + nodePort: + enabled: null # bool + port: null # int + route: + enabled: null # bool + host: null # string + declarativeConfiguration: + mounts: + configMaps: null # [string] + secrets: null # [string] + extraMounts: null # [dict] + db: + nodeSelector: null # string | dict + tolerations: null # [dict] + source: + connectionString: null # 
string + minConns: null # int + maxConns: null # int + statementTimeoutMs: null #int + configOverride: null # string + password: + value: null # string + generate: null # bool + serviceTLS: + cert: null # string + key: null # string + generate: null # bool + image: + registry: null # string + name: null # string + tag: null # string + fullRef: null # string + resources: null # string | dict + persistence: + hostPath: null # string + persistentVolumeClaim: + claimName: null # string + createClaim: null # bool + storageClass: null # string + size: null # int | string + volume: + volumeSpec: null # dict + none: null # bool + extraMounts: null # [dict] +customize: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + central: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + db: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + scanner: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + scanner-db: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + other: {} # dict +allowNonstandardNamespace: null # bool +allowNonstandardReleaseName: null # bool +enableOpenShiftMonitoring: null # bool +monitoring: + openshift: + enabled: null # bool +meta: + useLookup: null # bool + fileOverrides: {} # dict + apiServer: + version: null # string + overrideAPIResources: null # [string] + extraAPIResources: null # [string] + noCreateStorageClass: null # bool +globalPrefix: null # string +system: + createSCCs: null # bool + enablePodSecurityPolicies: null # bool diff --git a/rhacs/4.3.5/central-services/internal/defaults.yaml b/rhacs/4.3.5/central-services/internal/defaults.yaml new file mode 100644 index 0000000..81dd3df --- /dev/null 
+++ b/rhacs/4.3.5/central-services/internal/defaults.yaml 
@@ -0,0 +1,175 @@ +defaults: + + imagePullSecrets: + allowNone: true + useExisting: [] + useFromDefaultServiceAccount: true + + image: + registry: registry.redhat.io/advanced-cluster-security + + env: + offlineMode: false + + central: + config: "@config/central/config.yaml|config/central/config.yaml.default" + endpointsConfig: "@config/central/endpoints.yaml|config/central/endpoints.yaml.default" + + exposeMonitoring: false + + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # Central is single-homed, so avoid preemptible nodes. + - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: Exists + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: Exists + # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in + # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+ - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: DoesNotExist + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + + image: + name: rhacs-main-rhel8 + tag: 4.3.5 + + resources: + requests: + memory: "4Gi" + cpu: "1500m" + limits: + memory: "8Gi" + cpu: "4000m" + + exposure: + loadBalancer: + enabled: false + port: 443 + nodePort: + enabled: false + port: null + route: + enabled: false + db: + external: false + + source: + minConns: 10 + maxConns: 90 + statementTimeoutMs: 1200000 + + postgresConfig: "@config/centraldb/postgresql.conf|config/centraldb/postgresql.conf.default" + hbaConfig: "@config/centraldb/pg_hba.conf|config/centraldb/pg_hba.conf.default" + + image: + name: rhacs-central-db-rhel8 + tag: 4.3.5 + + resources: + requests: + memory: "8Gi" + cpu: "4" + limits: + memory: "16Gi" + cpu: "8" + scanner: + disable: false + replicas: 3 + logLevel: INFO + mode: full + + autoscaling: + disable: false + minReplicas: 2 + maxReplicas: 5 + + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + app: scanner + topologyKey: kubernetes.io/hostname + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: Exists + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: Exists + # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in + # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+ - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: DoesNotExist + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + + resources: + requests: + memory: "1500Mi" + cpu: "1000m" + limits: + memory: "4Gi" + cpu: "2000m" + + image: + name: rhacs-scanner-rhel8 + tag: 4.3.5 + + dbResources: + limits: + cpu: "2000m" + memory: "4Gi" + requests: + cpu: "200m" + memory: "200Mi" + + dbImage: + name: rhacs-scanner-db-rhel8 + tag: 4.3.5 + + system: + createSCCs: true + +pvcDefaults: + claimName: "stackrox-db" + size: "100Gi" + +dbPVCDefaults: + claimName: "central-db" + size: "100Gi" diff --git a/rhacs/4.3.5/central-services/internal/expandables.yaml b/rhacs/4.3.5/central-services/internal/expandables.yaml new file mode 100644 index 0000000..75a3d11 --- /dev/null +++ b/rhacs/4.3.5/central-services/internal/expandables.yaml @@ -0,0 +1,48 @@ +licenseKey: true +imagePullSecrets: + username: true + password: true +env: + proxyConfig: true +ca: + cert: true + key: true +central: + config: true + endpointsConfig: true + nodeSelector: true + jwtSigner: + key: true + serviceTLS: + cert: true + key: true + defaultTLS: + cert: true + key: true + adminPassword: + value: true + htpasswd: true + resources: true + db: + postgresConfig: true + hbaConfig: true + nodeSelector: true + serviceTLS: + cert: true + key: true + password: + value: true + resources: true +scanner: + resources: true + dbResources: true + nodeSelector: true + dbNodeSelector: true + dbPassword: + value: true + serviceTLS: + cert: true + key: true + dbServiceTLS: + cert: true + key: true diff --git a/rhacs/4.3.5/central-services/internal/platforms/default.yaml b/rhacs/4.3.5/central-services/internal/platforms/default.yaml new file mode 100644 index 0000000..180f5c8 --- /dev/null +++ b/rhacs/4.3.5/central-services/internal/platforms/default.yaml 
@@ -0,0 +1,2 @@ +# Empty defaults file for the "default" platform. This file only exists to mark the platform +# name as valid. diff --git a/rhacs/4.3.5/central-services/internal/platforms/gke.yaml b/rhacs/4.3.5/central-services/internal/platforms/gke.yaml new file mode 100644 index 0000000..70d7b32 --- /dev/null +++ b/rhacs/4.3.5/central-services/internal/platforms/gke.yaml @@ -0,0 +1,2 @@ +pvcDefaults: + storageClass: "stackrox-gke-ssd" diff --git a/rhacs/4.3.5/central-services/internal/scanner-config-shape.yaml b/rhacs/4.3.5/central-services/internal/scanner-config-shape.yaml new file mode 100644 index 0000000..da3b315 --- /dev/null +++ b/rhacs/4.3.5/central-services/internal/scanner-config-shape.yaml @@ -0,0 +1,40 @@ +scanner: + mode: null # string + disable: null # bool + replicas: null # int + logLevel: null # string + nodeSelector: null # string | dict + dbNodeSelector: null # string | dict + tolerations: null # [dict] + dbTolerations: null # [dict] + autoscaling: + disable: null # bool + minReplicas: null # int + maxReplicas: null # int + affinity: null # dict + resources: null # string | dict + image: + registry: null # string + name: null # string + tag: null # string + fullRef: null # string + dbImage: + registry: null # string + name: null # string + tag: null # string + fullRef: null # string + dbResources: null # string | dict + dbPassword: + value: null # string + generate: null # bool + serviceTLS: + cert: null # string + key: null # string + generate: null # bool + dbServiceTLS: + cert: null # string + key: null # string + generate: null # bool + exposeMonitoring: null # bool +system: + enablePodSecurityPolicies: null # bool diff --git a/rhacs/4.3.5/central-services/templates/00-additional-ca.yaml b/rhacs/4.3.5/central-services/templates/00-additional-ca.yaml new file mode 100644 index 0000000..67b0c2b --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/00-additional-ca.yaml 
@@ -0,0 +1,21 @@ +{{- include "srox.init" . -}} + +{{- if ._rox._additionalCAs }} +apiVersion: v1 +kind: Secret +metadata: + name: additional-ca + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "additional-ca") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "additional-ca") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +type: Opaque +stringData: + {{- range $name, $cert := ._rox._additionalCAs }} + {{ $name | quote }}: | + {{- $cert | nindent 4 }} + {{- end }} +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/00-image-pull-secret.yaml b/rhacs/4.3.5/central-services/templates/00-image-pull-secret.yaml new file mode 100644 index 0000000..1fc3e34 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/00-image-pull-secret.yaml @@ -0,0 +1,18 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.imagePullSecrets._dockerAuths }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: stackrox + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "stackrox") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "stackrox") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +data: + .dockerconfigjson: {{ dict "auths" ._rox.imagePullSecrets._dockerAuths | toJson | b64enc | quote }} +{{ end }} diff --git a/rhacs/4.3.5/central-services/templates/00-injected-ca-bundle.yaml b/rhacs/4.3.5/central-services/templates/00-injected-ca-bundle.yaml new file mode 100644 index 0000000..3289c2a --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/00-injected-ca-bundle.yaml 
@@ -0,0 +1,15 @@ +{{- include "srox.init" . -}} + +{{- if eq ._rox.env.openshift 4 }} +{{ $injectedCABundleName := printf "injected-cabundle-%s" .Release.Name }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $injectedCABundleName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" $injectedCABundleName) | nindent 4 }} + "config.openshift.io/inject-trusted-cabundle": "true" + annotations: + {{- include "srox.annotations" (list . "configmap" $injectedCABundleName) | nindent 4 }} +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/00-proxy-config-secret.yaml b/rhacs/4.3.5/central-services/templates/00-proxy-config-secret.yaml new file mode 100644 index 0000000..c357179 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/00-proxy-config-secret.yaml @@ -0,0 +1,20 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.env._proxyConfig -}} +apiVersion: v1 +kind: Secret +metadata: + name: proxy-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "proxy-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "proxy-config") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + config.yaml: | + {{- ._rox.env._proxyConfig | nindent 4 }} + +{{ end }} diff --git a/rhacs/4.3.5/central-services/templates/00-stackrox-application.yaml b/rhacs/4.3.5/central-services/templates/00-stackrox-application.yaml new file mode 100644 index 0000000..6cdf9ca --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/00-stackrox-application.yaml 
@@ -0,0 +1,122 @@ +{{- include "srox.init" . -}} + +{{- if has "app.k8s.io/v1beta1/Application" ._rox._apiServer.apiResources -}} +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: stackrox + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "application" "stackrox") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "application" "stackrox") | nindent 4 }} + {{ if eq ._rox.image.registry "quay.io/stackrox-io" }} + kubernetes-engine.cloud.google.com/icon: "data:image/png;base64,{{ .Files.Get "assets/StackRox_icon.png" | b64enc }}" + {{ else }} + kubernetes-engine.cloud.google.com/icon: "data:image/png;base64,{{ .Files.Get "assets/Red_Hat-Hat_icon.png" | b64enc }}" + {{ end }} +spec: + descriptor: + type: StackRox + version: {{ .Chart.AppVersion | quote }} + description: |- + StackRox Kubernetes Security Platform + + Version {{ .Chart.AppVersion }} + + ## Thank you for installing StackRox! + +
+ + #### Support + + [Email support@stackrox.com](mailto:support@stackrox.com?cc=sales@stackrox.com&Subject=StackRox%20Support%20Question&Body=Dear%20StackRox%20support,) + + ## Connecting to StackRox + +
+ + #### Directly using a Load Balancer + + When deploying StackRox with the `Load Balancer` network configuration, the service can be accessed directly. + + $CONNECT + + #### Tunneling via Port Forward + + When deploying StackRox with the `Node Port` or `None` network configuration, the service must be accessed using a port forward tunnel. + + - Step 1 - Start the port forward tunnel to the StackRox Central service. + + ``` + $ kubectl -n stackrox port-forward svc/central 8443:443 + ``` + + - Step 2 - In a browser, [visit https://localhost:8443](https://localhost:8443) to access StackRox. + + keywords: + - "stackrox" + - "kube" + - "security" + maintainers: + - name: StackRox, Inc. + url: https://stackrox.com + owners: + - name: StackRox, Inc. + url: https://stackrox.com + links: + - description: StackRox Help Documentation + url: "https://help.stackrox.com" + + info: + - name: StackRox namespace + value: stackrox + - name: StackRox admin username + value: "admin" + + selector: + matchLabels: + app.kubernetes.io/name: stackrox + + componentKinds: + - group: '' + kind: ConfigMap + - group: '' + kind: Secret + - group: '' + kind: PersistentVolumeClaim + - group: '' + kind: PersistentVolume + - group: '' + kind: Service + - group: '' + kind: ServiceAccount + - group: rbac.authorization.k8s.io + kind: ClusterRole + - group: rbac.authorization.k8s.io + kind: ClusterRoleBinding + - group: apps + kind: Deployment + - group: networking.k8s.io + kind: NetworkPolicy + - group: rbac.authorization.k8s.io + kind: Role + - group: rbac.authorization.k8s.io + kind: RoleBinding + - group: route.openshift.io + kind: Route + - group: security.openshift.io + kind: SecurityContextConstraints + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + - group: autoscaling + kind: HorizontalPodAutoscaler + - group: storage.k8s.io + kind: StorageClass + - group: networking.istio.io + kind: DestinationRule +{{- if ._rox.system.enablePodSecurityPolicies }} + - group: 
policy + kind: PodSecurityPolicy +{{- end }} +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/00-storage-class.yaml b/rhacs/4.3.5/central-services/templates/00-storage-class.yaml new file mode 100644 index 0000000..4a5664e --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/00-storage-class.yaml @@ -0,0 +1,27 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central.persistence._pvcCfg }} +{{- if ._rox.central.persistence._pvcCfg.storageClass -}} +{{- if eq ._rox.central.persistence._pvcCfg.storageClass "stackrox-gke-ssd" }} +{{- $lookupOut := dict -}} +{{- $storageClassName := include "srox.globalResourceName" (list . "stackrox-gke-ssd") -}} +{{- $_ := include "srox.safeLookup" (list . $lookupOut "storage.k8s.io/v1" "StorageClass" "" $storageClassName) -}} +{{- if and (not $lookupOut.result) (or .Release.IsInstall $lookupOut.reliable) (not ._rox.meta.noCreateStorageClass) -}} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ $storageClassName }} + labels: + {{- include "srox.labels" (list . "storageclass" "stackrox-gke-ssd") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "storageclass" "stackrox-gke-ssd") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +provisioner: kubernetes.io/gce-pd +parameters: + type: pd-ssd +{{- end -}} +{{- end }} +{{- end -}} +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-00-db-serviceaccount.yaml b/rhacs/4.3.5/central-services/templates/01-central-00-db-serviceaccount.yaml new file mode 100644 index 0000000..782f4e6 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-00-db-serviceaccount.yaml 
@@ -0,0 +1,16 @@ +{{- include "srox.init" . -}} +{{ if not ._rox.central.db.external -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: central-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "central-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "central-db") | nindent 4 }} +imagePullSecrets: + {{- range $secretName := ._rox.imagePullSecrets._names }} +- name: {{ quote $secretName }} + {{- end }} +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-00-serviceaccount.yaml b/rhacs/4.3.5/central-services/templates/01-central-00-serviceaccount.yaml new file mode 100644 index 0000000..8c257f6 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-00-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "central") | nindent 4 }} + {{- if and (eq ._rox.env.openshift 4) (not ._rox.env.managedServices) }} + serviceaccounts.openshift.io/oauth-redirectreference.main: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"central"}}' + serviceaccounts.openshift.io/oauth-redirecturi.main: "sso/providers/openshift/callback" + {{- end }} +imagePullSecrets: +{{- range $secretName := ._rox.imagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-01-license-secret.yaml b/rhacs/4.3.5/central-services/templates/01-central-01-license-secret.yaml new file mode 100644 index 0000000..0d26dda --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-01-license-secret.yaml 
@@ -0,0 +1,21 @@ +{{- include "srox.init" . -}} + +{{- if ._rox._licenseKey -}} + +apiVersion: v1 +kind: Secret +metadata: + name: central-license + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-license") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-license") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + license.lic: | + {{- ._rox._licenseKey | nindent 4 }} + +{{ end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-02-db-psps.yaml b/rhacs/4.3.5/central-services/templates/01-central-02-db-psps.yaml new file mode 100644 index 0000000..4c81428 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-02-db-psps.yaml 
@@ -0,0 +1,81 @@ +{{- include "srox.init" . -}} + +{{- if and (not ._rox.central.db.external) ._rox.system.enablePodSecurityPolicies }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central-db-psp") }} + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-central-db-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-central-db-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ include "srox.globalResourceName" (list . "stackrox-central-db") }} + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-central-db-psp + namespace: {{.Release.Namespace}} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-central-db-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-central-db-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "srox.globalResourceName" (list . "stackrox-central-db-psp") }} +subjects: + - kind: ServiceAccount + name: central-db + namespace: {{.Release.Namespace}} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central-db") }} + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-central-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-central-db") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + - 'hostPath' + - 'configMap' + {{- if ._rox.central.persistence.hostPath }} + allowedHostPaths: + {{- /* TODO(ROX-9807): Use a designated path for central-db for now. 
Need to move hostPath from central to central-db */}} + - pathPrefix: {{._rox.central.persistence.hostPath}}-db + {{- end}} + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 70 + max: 70 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 70 + max: 70 +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-02-db-security.yaml b/rhacs/4.3.5/central-services/templates/01-central-02-db-security.yaml new file mode 100644 index 0000000..20ead97 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-02-db-security.yaml 
@@ -0,0 +1,82 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox.env.openshift (not ._rox.central.db.external) ._rox.system.createSCCs }} +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central-db") }} + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-central-db") | nindent 4 }} + annotations: + kubernetes.io/description: stackrox-central-db is the security constraint for the central database + {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-central-db") | nindent 4 }} +allowHostDirVolumePlugin: {{ ._rox.central.persistence.hostPath | not | not }} +allowedCapabilities: [] +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +defaultAddCapabilities: [] +fsGroup: + type: MustRunAs + ranges: + - max: 70 + min: 70 +priority: 0 +readOnlyRootFilesystem: false +requiredDropCapabilities: [] +runAsUser: + type: MustRunAs + uid: 70 +seLinuxContext: + type: "RunAsAny" +seccompProfiles: + - '*' +users: + - system:serviceaccount:{{ .Release.Namespace }}:central-db +volumes: + - '*' +{{- else if eq ._rox.env.openshift 4 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: use-central-db-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "use-central-db-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"role" "use-central-db-scc") | nindent 4 }} +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - anyuid + {{- if ._rox.central.persistence.hostPath }} + - hostmount-anyuid + {{- end }} + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: central-db-use-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "central-db-use-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "central-db-use-scc") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: use-central-db-scc +subjects: +- kind: ServiceAccount + name: central-db + namespace: {{.Release.Namespace}} +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-02-psps.yaml b/rhacs/4.3.5/central-services/templates/01-central-02-psps.yaml new file mode 100644 index 0000000..1ba51f5 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-02-psps.yaml 
@@ -0,0 +1,80 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.system.enablePodSecurityPolicies }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central-psp") }} + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-central-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-central-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ include "srox.globalResourceName" (list . "stackrox-central") }} + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-central-psp + namespace: {{.Release.Namespace}} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-central-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-central-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "srox.globalResourceName" (list . "stackrox-central-psp") }} +subjects: + - kind: ServiceAccount + name: central + namespace: {{.Release.Namespace}} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central") }} + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"podsecuritypolicy" "stackrox-central") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + - 'hostPath' + {{ if ._rox.central.persistence.hostPath -}} + allowedHostPaths: + - pathPrefix: {{ ._rox.central.persistence.hostPath }} + {{- end}} + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-02-security.yaml b/rhacs/4.3.5/central-services/templates/01-central-02-security.yaml new file mode 100644 index 0000000..ee734a6 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-02-security.yaml 
@@ -0,0 +1,85 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox.env.openshift ._rox.system.createSCCs }} +--- + +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-central") }} + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-central") | nindent 4 }} + annotations: + kubernetes.io/description: stackrox-central is the security constraint for the central server + {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-central") | nindent 4 }} +allowHostDirVolumePlugin: {{ ._rox.central.persistence.hostPath | not | not }} +allowedCapabilities: [] +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +defaultAddCapabilities: [] +fsGroup: + type: MustRunAs + ranges: + - max: 4000 + min: 4000 +priority: 0 +readOnlyRootFilesystem: true +requiredDropCapabilities: [] +runAsUser: + type: MustRunAs + uid: 4000 +seLinuxContext: + type: MustRunAs +seccompProfiles: + - '*' +users: + - system:serviceaccount:{{ .Release.Namespace }}:central +volumes: + - '*' + +{{- else if eq ._rox.env.openshift 4 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: use-central-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "use-central-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "role" "use-central-scc") | nindent 4 }} +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - anyuid + {{- if ._rox.central.persistence.hostPath }} + - hostmount-anyuid + {{- end }} + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: central-use-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . 
"rolebinding" "central-use-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "central-use-scc") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: use-central-scc +subjects: +- kind: ServiceAccount + name: central + namespace: {{.Release.Namespace}} +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-03-diagnostics-rbac.yaml b/rhacs/4.3.5/central-services/templates/01-central-03-diagnostics-rbac.yaml new file mode 100644 index 0000000..4c83007 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-03-diagnostics-rbac.yaml @@ -0,0 +1,45 @@ +{{- include "srox.init" . -}} + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: stackrox-central-diagnostics + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "stackrox-central-diagnostics") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "role" "stackrox-central-diagnostics") | nindent 4 }} +rules: +- apiGroups: + - '*' + resources: + - "deployments" + - "daemonsets" + - "replicasets" + - "configmaps" + - "services" + - "pods" + - "pods/log" + - "events" + - "namespaces" + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-central-diagnostics + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-central-diagnostics") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-central-diagnostics") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: stackrox-central-diagnostics +subjects: + - kind: ServiceAccount + name: central + namespace: {{ .Release.Namespace }} 
diff --git a/rhacs/4.3.5/central-services/templates/01-central-04-htpasswd-secret.yaml b/rhacs/4.3.5/central-services/templates/01-central-04-htpasswd-secret.yaml new file mode 100644 index 0000000..59b338e --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-04-htpasswd-secret.yaml @@ -0,0 +1,22 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central._adminPassword -}} +{{- if ._rox.central._adminPassword.htpasswd -}} +apiVersion: v1 +kind: Secret +metadata: + name: central-htpasswd + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-htpasswd") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-htpasswd") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + htpasswd: | + {{- ._rox.central._adminPassword.htpasswd | nindent 4 }} + +{{- end -}} +{{- end -}} diff --git a/rhacs/4.3.5/central-services/templates/01-central-05-db-tls-secret.yaml b/rhacs/4.3.5/central-services/templates/01-central-05-db-tls-secret.yaml new file mode 100644 index 0000000..3a3a1fa --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-05-db-tls-secret.yaml @@ -0,0 +1,23 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox.central.db._serviceTLS ._rox._ca }} +apiVersion: v1 +kind: Secret +metadata: + name: central-db-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-db-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-db-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox._ca.Cert | nindent 4 }} + cert.pem: | + {{- ._rox.central.db._serviceTLS.Cert | nindent 4 }} + key.pem: | + {{- ._rox.central.db._serviceTLS.Key | nindent 4 }} +{{- end }} 
diff --git a/rhacs/4.3.5/central-services/templates/01-central-05-tls-secret.yaml b/rhacs/4.3.5/central-services/templates/01-central-05-tls-secret.yaml new file mode 100644 index 0000000..1850d46 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-05-tls-secret.yaml @@ -0,0 +1,30 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox._ca ._rox.central._serviceTLS ._rox.central._jwtSigner -}} + +apiVersion: v1 +kind: Secret +metadata: + name: central-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox._ca.Cert | nindent 4 }} + ca-key.pem: | + {{- ._rox._ca.Key | nindent 4 }} + jwt-key.pem: | + {{- ._rox.central._jwtSigner.Key | nindent 4 }} + cert.pem: | + {{- ._rox.central._serviceTLS.Cert | nindent 4 }} + key.pem: | + {{- ._rox.central._serviceTLS.Key | nindent 4 }} +{{- else if or ._rox.central._serviceTLS ._rox.central._jwtSigner }} +{{ include "srox.fail" "Service TLS certificates and/or JWT signer key can only be created/updated if all data AND the service CA are present/specified." }} +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-06-default-tls-cert-secret.yaml b/rhacs/4.3.5/central-services/templates/01-central-06-default-tls-cert-secret.yaml new file mode 100644 index 0000000..010444c --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-06-default-tls-cert-secret.yaml 
@@ -0,0 +1,22 @@ +{{- include "srox.init" . -}} + +{{ if ._rox.central._defaultTLS }} + +apiVersion: v1 +kind: Secret +metadata: + name: central-default-tls-cert + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-default-tls-cert") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-default-tls-cert") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" +type: kubernetes.io/tls +stringData: + tls.crt: | + {{- ._rox.central._defaultTLS.Cert | nindent 4 }} + tls.key: | + {{- ._rox.central._defaultTLS.Key | nindent 4 }} + +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-08-configmap.yaml b/rhacs/4.3.5/central-services/templates/01-central-08-configmap.yaml new file mode 100644 index 0000000..9420e59 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-08-configmap.yaml @@ -0,0 +1,14 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: central-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "central-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "central-config") | nindent 4 }} +data: + central-config.yaml: | + {{- ._rox.central._config | nindent 4 }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-08-db-configmap.yaml b/rhacs/4.3.5/central-services/templates/01-central-08-db-configmap.yaml new file mode 100644 index 0000000..0a0a2c7 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-08-db-configmap.yaml 
@@ -0,0 +1,17 @@ +{{- include "srox.init" . -}} +{{- if not ._rox.central.db.external }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: central-db-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "central-db-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "central-db-config") | nindent 4 }} +data: + postgresql.conf: | + {{- ._rox.central.db._postgresConfig | nindent 4 }} + pg_hba.conf: | + {{- ._rox.central.db._hbaConfig | nindent 4 }} +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-08-external-db-configmap.yaml b/rhacs/4.3.5/central-services/templates/01-central-08-external-db-configmap.yaml new file mode 100644 index 0000000..48d2427 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-08-external-db-configmap.yaml @@ -0,0 +1,29 @@ +{{- include "srox.init" . -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: central-external-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "central-external-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "central-external-db") | nindent 4 }} +data: + central-external-db.yaml: | + centralDB: + {{- if ._rox.central.db.external }} + external: true + source: {{ ._rox.central.db.source.connectionString }} pool_min_conns={{ ._rox.central.db.source.minConns }} pool_max_conns={{ ._rox.central.db.source.maxConns }} + {{- else }} + external: false + source: > + host=central-db.{{ .Release.Namespace }}.svc + port=5432 + user=postgres + sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} + sslrootcert=/run/secrets/stackrox.io/certs/ca.pem + statement_timeout={{ ._rox.central.db.source.statementTimeoutMs }} + pool_min_conns={{ ._rox.central.db.source.minConns }} + pool_max_conns={{ ._rox.central.db.source.maxConns }} + client_encoding=UTF8 + {{- end }} 
diff --git a/rhacs/4.3.5/central-services/templates/01-central-09-endpoints-config.yaml b/rhacs/4.3.5/central-services/templates/01-central-09-endpoints-config.yaml new file mode 100644 index 0000000..fa6204e --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-09-endpoints-config.yaml @@ -0,0 +1,17 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central._endpointsConfig -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: central-endpoints + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "central-endpoints") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "central-endpoints") | nindent 4 }} +data: + endpoints.yaml: | + {{- ._rox.central._endpointsConfig | nindent 4 }} + +{{- end -}} diff --git a/rhacs/4.3.5/central-services/templates/01-central-10-db-networkpolicy.yaml b/rhacs/4.3.5/central-services/templates/01-central-10-db-networkpolicy.yaml new file mode 100644 index 0000000..6cd2201 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-10-db-networkpolicy.yaml @@ -0,0 +1,27 @@ +{{- include "srox.init" . -}} +{{ if not ._rox.central.db.external -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: central-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "central-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "central-db") | nindent 4 }} +spec: + policyTypes: + - Ingress + - Egress + ingress: + - from: + - podSelector: + matchLabels: + app: central + ports: + - port: 5432 + protocol: TCP + podSelector: + matchLabels: + app: central-db +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-10-networkpolicy.yaml b/rhacs/4.3.5/central-services/templates/01-central-10-networkpolicy.yaml new file mode 100644 index 0000000..90fbd9d --- /dev/null 
+++ b/rhacs/4.3.5/central-services/templates/01-central-10-networkpolicy.yaml @@ -0,0 +1,65 @@ +{{- include "srox.init" . -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-ext-to-central + namespace: {{.Release.Namespace}} + labels: + {{- include "srox.labels" (list . "networkpolicy" "allow-ext-to-central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "allow-ext-to-central") | nindent 4 }} +spec: + ingress: + {{- toYaml ._rox.central._netPolIngressRules | nindent 4 }} + podSelector: + matchLabels: + app: central + policyTypes: + - Ingress + +{{ if ._rox.central.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: central-monitoring + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "central-monitoring") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "central-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: central + policyTypes: + - Ingress +{{ end }} + +{{- if ._rox.monitoring.openshift.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: central-monitoring-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "central-monitoring-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "central-monitoring-tls") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9091 + protocol: TCP + podSelector: + matchLabels: + app: central + policyTypes: + - Ingress +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-11-db-pvc.yaml b/rhacs/4.3.5/central-services/templates/01-central-11-db-pvc.yaml new file mode 100644 index 0000000..656dfec --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-11-db-pvc.yaml 
@@ -0,0 +1,66 @@ +{{- include "srox.init" . -}} + +{{ if not ._rox.central.db.external -}} +{{ if ._rox.central.db.persistence._pvcCfg -}} +{{- $pvcCfg := ._rox.central.db.persistence._pvcCfg -}} +{{- $claimName := $pvcCfg.claimName -}} +{{/* In a multiple namespace setting, storageClassName is generated by globalResourceName */}} +{{- $storageClassName := "" }} +{{- if $pvcCfg.storageClass }} + {{- if eq $pvcCfg.storageClass "stackrox-gke-ssd" }} + {{- $storageClassName = include "srox.globalResourceName" (list . "stackrox-gke-ssd") }} + {{- else }} + {{- $storageClassName = $pvcCfg.storageClass }} +{{- end}} +{{- end}} +{{- if $pvcCfg.volume.volumeSpec }} +{{- $pvName := (print $claimName "-pv") -}} +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ $pvName }} + labels: + {{- include "srox.labels" (list . "persistentvolume" $pvName) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "persistentvolume" $pvName) | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +spec: + {{- if $storageClassName }} + storageClassName: {{ $storageClassName }} + {{- end}} + capacity: + storage: {{ include "srox.formatStorageSize" $pvcCfg.size }} + accessModes: + - ReadWriteOnce + claimRef: + namespace: {{ .Release.Namespace }} + name: {{ $claimName }} + {{- toYaml $pvcCfg.volume.volumeSpec | nindent 2 }} +--- +{{- end }} +{{- /* TODO(ROX-9807): Move customized PVC from Central to Central DB */}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ $claimName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "persistentvolumeclaim" "central-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"persistentvolumeclaim" "central-db") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +spec: + {{- if $storageClassName }} + storageClassName: {{ $storageClassName }} + {{- end }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ include "srox.formatStorageSize" $pvcCfg.size }} +{{- end }} +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-11-pvc.yaml b/rhacs/4.3.5/central-services/templates/01-central-11-pvc.yaml new file mode 100644 index 0000000..0279278 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-11-pvc.yaml 
@@ -0,0 +1,63 @@ +{{- include "srox.init" . -}} + +{{ if ._rox.central.persistence._pvcCfg -}} +{{- $pvcCfg := ._rox.central.persistence._pvcCfg -}} +{{- $claimName := $pvcCfg.claimName -}} +{{/* In a multiple namespace setting, storageClassName is generated by globalResourceName */}} +{{- $storageClassName := "" }} +{{- if $pvcCfg.storageClass }} + {{- if eq $pvcCfg.storageClass "stackrox-gke-ssd" }} + {{- $storageClassName = include "srox.globalResourceName" (list . "stackrox-gke-ssd") }} + {{- else }} + {{- $storageClassName = $pvcCfg.storageClass }} + {{- end}} +{{- end}} +{{- if $pvcCfg.volume.volumeSpec }} +{{- $pvName := (print $claimName "-pv") -}} +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ $pvName }} + labels: + {{- include "srox.labels" (list . "persistentvolume" $pvName) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "persistentvolume" $pvName) | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +spec: + {{- if $storageClassName }} + storageClassName: {{ $storageClassName }} + {{- end}} + capacity: + storage: {{ include "srox.formatStorageSize" $pvcCfg.size }} + accessModes: + - ReadWriteOnce + claimRef: + namespace: {{ .Release.Namespace }} + name: {{ $claimName }} + {{- toYaml $pvcCfg.volume.volumeSpec | nindent 2 }} +--- +{{- end }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ $claimName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "persistentvolumeclaim" $claimName) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"persistentvolumeclaim" $claimName) | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep + "helm.sh/hook-delete-policy": never +spec: + {{- if $storageClassName }} + storageClassName: {{ $storageClassName }} + {{- end }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ include "srox.formatStorageSize" $pvcCfg.size }} +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-12-central-db.yaml b/rhacs/4.3.5/central-services/templates/01-central-12-central-db.yaml new file mode 100644 index 0000000..e48b466 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-12-central-db.yaml 
@@ -0,0 +1,196 @@ +{{- include "srox.init" . -}} + +{{ if not ._rox.central.db.external -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: central-db + namespace: {{ .Release.Namespace }} + labels: + app: central-db + {{- include "srox.labels" (list . "deployment" "central-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "deployment" "central-db") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: central-db + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: central-db + {{- include "srox.podLabels" (list . "deployment" "central-db") | nindent 8 }} + annotations: + {{- include "srox.podAnnotations" (list . "deployment" "central-db") | nindent 8 }} + spec: + {{- if ._rox.central.db._nodeSelector }} + nodeSelector: + {{- ._rox.central.db._nodeSelector | nindent 8 }} + {{- end }} + {{- if ._rox.central.db.tolerations }} + tolerations: + {{- toYaml ._rox.central.db.tolerations | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # Central-db is single-homed, so avoid preemptible nodes. + - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: Exists + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: Exists + # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in + # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+ - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: DoesNotExist + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + serviceAccountName: central-db + terminationGracePeriodSeconds: 120 + initContainers: + - name: init-db + image: {{ ._rox.central.db.image.fullRef | quote }} + env: + - name: PGDATA + value: "/var/lib/postgresql/data/pgdata" + command: + - init-entrypoint.sh + volumeMounts: + - name: disk + mountPath: /var/lib/postgresql/data + - name: central-db-password + mountPath: /run/secrets/stackrox.io/secrets + resources: + {{- ._rox.central.db._resources | nindent 10 }} + securityContext: + runAsUser: 70 + runAsGroup: 70 + containers: + - name: central-db + image: {{ ._rox.central.db.image.fullRef | quote }} + env: + - name: POSTGRES_HOST_AUTH_METHOD + value: "password" + - name: PGDATA + value: "/var/lib/postgresql/data/pgdata" + ports: + - containerPort: 5432 + name: postgresql + protocol: TCP + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + - | + exec pg_isready -U "postgres" -h 127.0.0.1 -p 5432 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + {{- ._rox.central.db._resources | nindent 10 }} + securityContext: + runAsUser: 70 + runAsGroup: 70 + volumeMounts: + - name: config-volume + mountPath: /etc/stackrox.d/config/ + - mountPath: /var/lib/postgresql/data + name: disk + - name: central-db-tls-volume + mountPath: /run/secrets/stackrox.io/certs + - mountPath: /dev/shm + name: shared-memory + securityContext: + fsGroup: 70 + volumes: + - name: disk + {{- toYaml ._rox.central.db.persistence._volumeCfg | nindent 8 }} + - name: config-volume + configMap: + name: {{ default "central-db-config" ._rox.central.db.configOverride }} + - name: central-db-password + secret: + secretName: central-db-password + - name: central-db-tls-volume + secret: + secretName: central-db-tls + 
defaultMode: 0640 + items: + - key: cert.pem + path: server.crt + - key: key.pem + path: server.key + - key: ca.pem + path: root.crt + - name: shared-memory + emptyDir: + medium: Memory + {{- /* Keep this in sync with shared_buffers in config/centraldb/postgresql.conf */}} + sizeLimit: 2Gi +--- +apiVersion: v1 +kind: Service +metadata: + name: central-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "central-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "central-db") | nindent 4 }} +spec: + ports: + - name: tcp-db + port: 5432 + protocol: TCP + targetPort: postgresql + selector: + app: central-db + type: ClusterIP +{{- end }} +{{- if ._rox.central.db._password }} +{{- if not (kindIs "invalid" ._rox.central.db._password.value) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: central-db-password + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "central-db-password") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "central-db-password") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +type: Opaque +stringData: + password: | + {{- ._rox.central.db._password.value | nindent 4 }} +{{- end }} +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-13-deployment.yaml b/rhacs/4.3.5/central-services/templates/01-central-13-deployment.yaml new file mode 100644 index 0000000..f56a974 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-13-deployment.yaml 
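Review bot: the `init-db` and `central-db` containers in the central-db Deployment hunk set only `runAsUser: 70` / `runAsGroup: 70`, whereas the scanner-db pod in this same change sets `runAsNonRoot: true` and the central container drops `NET_RAW` and sets `readOnlyRootFilesystem: true`; with no `runAsNonRoot`, no `allowPrivilegeEscalation: false` and no capability drop, the database pod ends up with the loosest security context in the chart. Suggest `runAsNonRoot: true` at the pod level plus `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` on both containers, since Postgres running as UID 70 needs no capabilities. Two smaller points in the same hunk: `POSTGRES_HOST_AUTH_METHOD: "password"` selects cleartext password authentication instead of `scram-sha-256`, which is only acceptable if the `central-db-config` ConfigMap (not part of this hunk) forces TLS with `hostssl` / `ssl = on`, so that should be verified; and the `central-db-password` mount in the init container lacks `readOnly: true`, which the equivalent scanner-db mount has.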
@@ -0,0 +1,271 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "deployment" "central") | nindent 4 }} + app: central + annotations: + {{- include "srox.annotations" (list . "deployment" "central") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: central + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: central + {{- include "srox.podLabels" (list . "deployment" "central") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8443" + {{- include "srox.podAnnotations" (list . "deployment" "central") | nindent 8 }} + spec: + {{- if ._rox.central._nodeSelector }} + nodeSelector: + {{- ._rox.central._nodeSelector | nindent 8 }} + {{- end }} + {{- if ._rox.central.tolerations }} + tolerations: + {{- toYaml ._rox.central.tolerations | nindent 8 }} + {{- end }} + affinity: + {{- toYaml ._rox.central.affinity | nindent 8 }} + serviceAccountName: central + securityContext: + fsGroup: 4000 + runAsUser: 4000 + containers: + - name: central + image: {{ ._rox.central.image.fullRef | quote }} + command: + - /stackrox/central-entrypoint.sh + ports: + {{- toYaml ._rox.central._containerPorts | nindent 10 }} + readinessProbe: + httpGet: + scheme: HTTPS + path: /v1/ping + port: 8443 + resources: + {{- ._rox.central._resources | nindent 10 }} + securityContext: + capabilities: + drop: ["NET_RAW"] + readOnlyRootFilesystem: true + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if ne (._rox.central.telemetry.enabled | toString) "false" }} + {{- if ._rox.central.telemetry.storage.endpoint }} + - name: ROX_TELEMETRY_ENDPOINT + 
value: {{ ._rox.central.telemetry.storage.endpoint | quote }} + {{- end }} + {{- if ._rox.central.telemetry.storage.key }} + - name: ROX_TELEMETRY_STORAGE_KEY_V1 + value: {{ ._rox.central.telemetry.storage.key | quote }} + {{- end }} + {{- end }} + - name: ROX_OFFLINE_MODE + value: {{ ._rox.env.offlineMode | quote }} + {{- if and (eq ._rox.env.openshift 4) (not ._rox.env.managedServices) }} + - name: ROX_ENABLE_OPENSHIFT_AUTH + value: "true" + {{- end }} + {{- if ._rox.env.openshift }} + - name: ROX_OPENSHIFT + value: "true" + {{- end }} + {{- if ._rox.env.managedServices }} + - name: ROX_MANAGED_CENTRAL + value: "true" + - name: ROX_ENABLE_CENTRAL_DIAGNOSTICS + value: "false" + - name: ROX_ENABLE_KERNEL_PACKAGE_UPLOAD + value: "false" + - name: ROX_TENANT_ID + valueFrom: + fieldRef: + fieldPath: metadata.labels['rhacs.redhat.com/tenant'] + {{- end }} + {{- if ._rox.central.notifierSecretsEncryption }} + {{- if ._rox.central.notifierSecretsEncryption.enabled }} + - name: ROX_ENC_NOTIFIER_CREDS + value: "true" + {{- end }} + {{- end }} + {{- if ._rox.monitoring.openshift.enabled }} + - name: ROX_ENABLE_SECURE_METRICS + value: "true" + {{- end }} + - name: ROX_INSTALL_METHOD + value: {{ ._rox.env.installMethod | quote }} + {{- include "srox.envVars" (list . 
"deployment" "central" "central") | nindent 8 }} + volumeMounts: + - name: varlog + mountPath: /var/log/stackrox/ + - name: central-tmp-volume + mountPath: /tmp + - name: central-etc-ssl-volume + mountPath: /etc/ssl + - name: central-etc-pki-volume + mountPath: /etc/pki/ca-trust + - name: central-certs-volume + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: central-default-tls-cert-volume + mountPath: /run/secrets/stackrox.io/default-tls-cert/ + readOnly: true + - name: central-htpasswd-volume + mountPath: /run/secrets/stackrox.io/htpasswd/ + readOnly: true + - name: central-jwt-volume + mountPath: /run/secrets/stackrox.io/jwt/ + readOnly: true + - name: additional-ca-volume + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + - name: central-license-volume + mountPath: /run/secrets/stackrox.io/central-license/ + readOnly: true + - name: stackrox-db + mountPath: /var/lib/stackrox + - name: central-config-volume + mountPath: /etc/stackrox + - name: proxy-config-volume + mountPath: /run/secrets/stackrox.io/proxy-config/ + readOnly: true + - name: endpoints-config-volume + mountPath: /etc/stackrox.d/endpoints/ + readOnly: true + - name: central-db-password + mountPath: /run/secrets/stackrox.io/db-password + - name: central-external-db-volume + mountPath: /etc/ext-db + {{- if ._rox.central.notifierSecretsEncryption }} + {{- if ._rox.central.notifierSecretsEncryption.enabled }} + - name: central-encryption-key + mountPath: /run/secrets/stackrox.io/central-encryption-key + {{- end }} + {{- end }} + {{- if ._rox.monitoring.openshift.enabled }} + - name: monitoring-tls + mountPath: /run/secrets/stackrox.io/monitoring-tls + readOnly: true + {{- end }} + {{- range $extraMount := (default list ._rox.central.extraMounts) }} + - name: {{ $extraMount.name }} + {{- $extraMount.mount | toYaml | nindent 10 }} + {{- end }} + {{- range $mount := (default list ._rox.central.declarativeConfiguration.mounts.configMaps) }} + - name: {{ $mount }} + 
mountPath: /run/stackrox.io/declarative-configuration/{{ $mount }} + readOnly: true + {{- end }} + {{- range $mount := (default list ._rox.central.declarativeConfiguration.mounts.secrets) }} + - name: {{ $mount }} + mountPath: /run/stackrox.io/declarative-configuration/{{ $mount }} + readOnly: true + {{- end }} + {{- include "srox.injectedCABundleVolumeMount" . | nindent 8 }} + volumes: + - name: varlog + emptyDir: {} + - name: central-tmp-volume + emptyDir: {} + - name: central-etc-ssl-volume + emptyDir: {} + - name: central-etc-pki-volume + emptyDir: {} + - name: central-certs-volume + secret: + secretName: central-tls + - name: central-default-tls-cert-volume + secret: + secretName: {{ default "central-default-tls-cert" ._rox.central.defaultTLS.reference }} + optional: true + - name: central-htpasswd-volume + secret: + secretName: central-htpasswd + optional: true + - name: central-jwt-volume + secret: + secretName: central-tls + items: + - key: jwt-key.pem + path: jwt-key.pem + - name: additional-ca-volume + secret: + secretName: additional-ca + optional: true + - name: central-license-volume + secret: + secretName: central-license + optional: true + - name: central-config-volume + configMap: + name: central-config + optional: true + - name: proxy-config-volume + secret: + secretName: proxy-config + optional: true + - name: endpoints-config-volume + configMap: + name: central-endpoints + - name: central-db-password + secret: + secretName: central-db-password + - name: central-external-db-volume + configMap: + name: central-external-db + optional: true + {{- if ._rox.central.notifierSecretsEncryption }} + {{- if ._rox.central.notifierSecretsEncryption.enabled }} + - name: central-encryption-key + secret: + secretName: central-encryption-key + {{- end }} + {{- end }} + - name: stackrox-db + {{- toYaml ._rox.central.persistence._volumeCfg | nindent 8 }} + {{- if ._rox.monitoring.openshift.enabled }} + - name: monitoring-tls + secret: + secretName: 
central-monitoring-tls + optional: true + {{- end }} + {{- range $extraMount := (default list ._rox.central.extraMounts) }} + - name: {{ $extraMount.name }} + {{- $extraMount.source | toYaml | nindent 8 }} + {{- end }} + {{- range $mount := (default list ._rox.central.declarativeConfiguration.mounts.configMaps) }} + - name: {{ $mount }} + configMap: + name: {{ $mount }} + optional: true + {{- end }} + {{- range $mount := (default list ._rox.central.declarativeConfiguration.mounts.secrets) }} + - name: {{ $mount }} + secret: + secretName: {{ $mount }} + optional: true + {{- end }} + {{- include "srox.injectedCABundleVolume" . | nindent 6 }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-14-service.yaml b/rhacs/4.3.5/central-services/templates/01-central-14-service.yaml new file mode 100644 index 0000000..f459fd7 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-14-service.yaml 
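Review bot: in 01-central-13-deployment.yaml, `ROX_TELEMETRY_STORAGE_KEY_V1` is rendered as a literal `value:` from `._rox.central.telemetry.storage.key`, so the storage key is stored in the Deployment spec (readable by anyone with `get` on deployments or pods in the namespace) and in the Helm release record; consider rendering it into a Secret and referencing it via `valueFrom.secretKeyRef`, as the chart already does for the DB password. Also in this hunk: the `central-db-password` and `central-encryption-key` secret mounts and the `central-config-volume` and `central-external-db-volume` configMap mounts lack `readOnly: true` while every sibling secret mount has it, and `readOnlyRootFilesystem: true` does not cover mounted volumes; the pod securityContext sets `runAsUser: 4000` but not `runAsNonRoot: true` (the scanner pod sets both), and the container has no `allowPrivilegeEscalation: false`. Finally, `{{- if ne (._rox.central.telemetry.enabled | toString) "false" }}` treats an unset `telemetry.enabled` as enabled; if opt-out is the intended default, a comment saying so would help reviewers of values files.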
@@ -0,0 +1,43 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: Service +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "central") | nindent 4 }} + {{- if ._rox.monitoring.openshift.enabled }} + service.beta.openshift.io/serving-cert-secret-name: central-monitoring-tls + {{- end }} +spec: + ports: + {{- toYaml ._rox.central._servicePorts | nindent 4 }} + selector: + app: central + type: ClusterIP + +{{ if ._rox.env.istio }} +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: central-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "destinationrule" "central-internal-no-istio-mtls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "destinationrule" "central-internal-no-istio-mtls") | nindent 4 }} + stackrox.io/description: "Disable Istio mTLS for port 443, since StackRox services use built-in mTLS." +spec: + host: central.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 443 + tls: + mode: DISABLE +{{ end }} diff --git a/rhacs/4.3.5/central-services/templates/01-central-15-exposure.yaml b/rhacs/4.3.5/central-services/templates/01-central-15-exposure.yaml new file mode 100644 index 0000000..9bfdbbb --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/01-central-15-exposure.yaml 
@@ -0,0 +1,95 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.central.exposure.route.enabled }} +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: central + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "route" "central") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "route" "central") | nindent 4 }} +spec: +{{- if ._rox.central.exposure.route.host }} + host: {{ ._rox.central.exposure.route.host }} +{{- end }} + port: + targetPort: https + tls: + termination: passthrough + to: + kind: Service + name: central +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: central-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "route" "central-mtls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "route" "central-mtls") | nindent 4 }} +spec: + host: "central.{{ .Release.Namespace }}" + port: + targetPort: https + tls: + termination: passthrough + to: + kind: Service + name: central +--- +{{- end }} + +{{- if ._rox.central.exposure.nodePort.enabled }} +apiVersion: v1 +kind: Service +metadata: + annotations: + {{- include "srox.annotations" (list . "service" "central-loadbalancer") | nindent 4 }} + cloud.google.com/app-protocols: '{"api": "HTTPS"}' + service.alpha.kubernetes.io/app-protocols: '{"api": "HTTPS"}' + name: central-loadbalancer + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "central-loadbalancer") | nindent 4 }} +spec: + type: NodePort + ports: + - port: 443 + targetPort: api +{{- if ._rox.central.exposure.nodePort.port }} + nodePort: {{ ._rox.central.exposure.nodePort.port }} +{{- end }} + selector: + app: central +--- +{{- end }} + +{{- if ._rox.central.exposure.loadBalancer.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: central-loadbalancer + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . 
"service" "central-loadbalancer") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "central-loadbalancer") | nindent 4 }} +spec: + type: LoadBalancer + # This ensures that the client source IP is retained for audit logging purposes. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + externalTrafficPolicy: Local + ports: + - port: {{ ._rox.central.exposure.loadBalancer.port }} + targetPort: api + selector: + app: central +{{- if ._rox.central.exposure.loadBalancer.ip }} + loadBalancerIP: {{ ._rox.central.exposure.loadBalancer.ip }} +{{- end }} +--- +{{- end}} diff --git a/rhacs/4.3.5/central-services/templates/02-scanner-00-serviceaccount.yaml b/rhacs/4.3.5/central-services/templates/02-scanner-00-serviceaccount.yaml new file mode 100644 index 0000000..a27c602 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/02-scanner-00-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "scanner") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.imagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} + +{{ end -}} diff --git a/rhacs/4.3.5/central-services/templates/02-scanner-01-psps.yaml b/rhacs/4.3.5/central-services/templates/02-scanner-01-psps.yaml new file mode 100644 index 0000000..23b398c --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/02-scanner-01-psps.yaml 
@@ -0,0 +1,69 @@ +{{- include "srox.init" . -}} + +{{- if and (not ._rox.scanner.disable) ._rox.system.enablePodSecurityPolicies }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }} + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }} +rules: +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-scanner-psp + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }} +subjects: + - kind: ServiceAccount + name: scanner + namespace: {{ .Release.Namespace }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} 
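Review bot: the `stackrox-scanner` PodSecurityPolicy in 02-scanner-01-psps.yaml uses `runAsUser: rule: 'RunAsAny'` even though both pods bound to the `scanner` ServiceAccount (scanner and scanner-db in 02-scanner-06-deployment.yaml) set `runAsNonRoot: true` with fixed UIDs 65534 and 70, so `MustRunAsNonRoot` would state the real requirement without breaking anything. Since `policy/v1beta1` PodSecurityPolicy no longer exists on Kubernetes 1.25 and later (the affinity comments in this change already mention 1.25), a comment next to `._rox.system.enablePodSecurityPolicies` saying the flag must stay off on those versions would spare users a failed install.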
diff --git a/rhacs/4.3.5/central-services/templates/02-scanner-01-security.yaml b/rhacs/4.3.5/central-services/templates/02-scanner-01-security.yaml new file mode 100644 index 0000000..3c1d92b --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/02-scanner-01-security.yaml 
@@ -0,0 +1,78 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable }} +{{- if and ._rox.env.openshift ._rox.system.createSCCs }} +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-scanner") | nindent 4 }} + kubernetes.io/description: stackrox-scanner is the security constraint for the Scanner container +priority: 0 +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +users: + - system:serviceaccount:{{ .Release.Namespace }}:scanner +volumes: + - '*' +allowHostDirVolumePlugin: false +allowedCapabilities: [] +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +defaultAddCapabilities: [] +fsGroup: + type: RunAsAny +readOnlyRootFilesystem: false +requiredDropCapabilities: [] + +{{- else if eq ._rox.env.openshift 4 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: use-scanner-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "use-scanner-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "role" "use-scanner-scc") | nindent 4 }} +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - anyuid + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: scanner-use-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "scanner-use-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"rolebinding" "scanner-use-scc") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: use-scanner-scc +subjects: +- kind: ServiceAccount + name: scanner + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/rhacs/4.3.5/central-services/templates/02-scanner-02-db-password-secret.yaml b/rhacs/4.3.5/central-services/templates/02-scanner-02-db-password-secret.yaml new file mode 100644 index 0000000..c6c0bc1 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/02-scanner-02-db-password-secret.yaml @@ -0,0 +1,27 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +{{- if ._rox.scanner._dbPassword -}} +{{- if not (kindIs "invalid" ._rox.scanner._dbPassword.value) -}} + +apiVersion: v1 +kind: Secret +metadata: + name: scanner-db-password + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "scanner-db-password") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "scanner-db-password") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +type: Opaque +stringData: + password: | + {{- ._rox.scanner._dbPassword.value | nindent 4 }} + +{{- end -}} +{{- end -}} + +{{ end -}} diff --git a/rhacs/4.3.5/central-services/templates/02-scanner-03-tls-secret.yaml b/rhacs/4.3.5/central-services/templates/02-scanner-03-tls-secret.yaml new file mode 100644 index 0000000..7c590ff --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/02-scanner-03-tls-secret.yaml 
@@ -0,0 +1,55 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +{{- if and ._rox.scanner._serviceTLS ._rox._ca -}} + +apiVersion: v1 +kind: Secret +metadata: + name: scanner-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "scanner-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "scanner-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +type: Opaque +stringData: + ca.pem: | + {{- ._rox._ca.Cert | nindent 4 }} + cert.pem: | + {{- ._rox.scanner._serviceTLS.Cert | nindent 4 }} + key.pem: | + {{- ._rox.scanner._serviceTLS.Key | nindent 4 }} + +--- + +{{- end }} + +{{ if and ._rox.scanner._dbServiceTLS ._rox._ca -}} + +apiVersion: v1 +kind: Secret +metadata: + name: scanner-db-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "scanner-db-tls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "scanner-db-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox._ca.Cert | nindent 4 }} + cert.pem: | + {{- ._rox.scanner._dbServiceTLS.Cert | nindent 4 }} + key.pem: | + {{- ._rox.scanner._dbServiceTLS.Key | nindent 4 }} + +{{- end -}} + +{{ end -}} diff --git a/rhacs/4.3.5/central-services/templates/02-scanner-04-scanner-config.yaml b/rhacs/4.3.5/central-services/templates/02-scanner-04-scanner-config.yaml new file mode 100644 index 0000000..4ed16c7 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/02-scanner-04-scanner-config.yaml 
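Review bot: style point in 02-scanner-03-tls-secret.yaml: the `scanner-tls` Secret writes `"helm.sh/resource-policy": keep` while the otherwise identical `scanner-db-tls` block a few lines below writes `"helm.sh/resource-policy": "keep"`; both parse to the same string, but the two blocks should use one form (the other secrets in this change use the unquoted form).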
@@ -0,0 +1,18 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: scanner-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "scanner-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "scanner-config") | nindent 4 }} +data: + config.yaml: | + {{- tpl (.Files.Get "config-templates/scanner/config.yaml.tpl") . | nindent 4 }} + +{{ end -}} diff --git a/rhacs/4.3.5/central-services/templates/02-scanner-05-network-policy.yaml b/rhacs/4.3.5/central-services/templates/02-scanner-05-network-policy.yaml new file mode 100644 index 0000000..99f7233 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/02-scanner-05-network-policy.yaml 
@@ -0,0 +1,91 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: scanner + ingress: + - from: + - podSelector: + matchLabels: + app: central + ports: + - port: 8080 + protocol: TCP + - port: 8443 + protocol: TCP +{{ if or (eq ._rox.scanner.mode "slim") ._rox.env.openshift }} + - from: + - podSelector: + matchLabels: + app: sensor + ports: + - port: 8080 + protocol: TCP + - port: 8443 + protocol: TCP +{{ end }} + policyTypes: + - Ingress + +--- + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner-db") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: scanner-db + ingress: + - from: + - podSelector: + matchLabels: + app: scanner + ports: + - port: 5432 + protocol: TCP + policyTypes: + - Ingress + +{{ end -}} + +{{ if ._rox.scanner.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner-monitoring + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner-monitoring") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: scanner + policyTypes: + - Ingress +{{ end }} 
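Review bot: in 02-scanner-05-network-policy.yaml the `scanner-monitoring` NetworkPolicy has an ingress rule with `ports` but no `from`, so port 9090 on the scanner pods is opened to every source rather than to the monitoring stack only; add a `from` with a `namespaceSelector` (and ideally a `podSelector`) for the Prometheus pods. That block also sits after the `{{ end -}}` that closes `{{- if not ._rox.scanner.disable -}}`, so with `scanner.disable=true` and `scanner.exposeMonitoring=true` a policy selecting non-existent `app: scanner` pods is still rendered; moving it inside the scanner guard avoids the dead resource.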
diff --git a/rhacs/4.3.5/central-services/templates/02-scanner-06-deployment.yaml b/rhacs/4.3.5/central-services/templates/02-scanner-06-deployment.yaml new file mode 100644 index 0000000..89ac82c --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/02-scanner-06-deployment.yaml 
@@ -0,0 +1,296 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + app: scanner + {{- include "srox.labels" (list . "deployment" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "deployment" "scanner") | nindent 4 }} +spec: + replicas: {{ ._rox.scanner.replicas }} + minReadySeconds: 15 + selector: + matchLabels: + app: scanner + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: scanner + {{- include "srox.podLabels" (list . "deployment" "scanner") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8080,8443" + {{- include "srox.podAnnotations" (list . "deployment" "scanner") | nindent 8 }} + spec: + {{- if ._rox.scanner._nodeSelector }} + nodeSelector: + {{- ._rox.scanner._nodeSelector | nindent 8 }} + {{- end }} + {{- if ._rox.scanner.tolerations }} + tolerations: + {{- toYaml ._rox.scanner.tolerations | nindent 8 }} + {{- end }} + affinity: + {{- toYaml ._rox.scanner.affinity | nindent 8 }} + containers: + - name: scanner + {{ if eq ._rox.scanner.mode "slim" -}} + image: {{ ._rox.scanner.slimImage.fullRef | quote }} + {{ else }} + image: {{ ._rox.scanner.image.fullRef | quote }} + {{ end -}} + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if ._rox.env.openshift }} + - name: ROX_OPENSHIFT_API + value: "true" + {{- end}} + {{- include "srox.envVars" (list . 
"deployment" "scanner" "scanner") | nindent 8 }} + resources: + {{- ._rox.scanner._resources | nindent 10 }} + command: + - /entrypoint.sh + ports: + - name: https + containerPort: 8080 + - name: grpc + containerPort: 8443 + {{ if ._rox.scanner.exposeMonitoring -}} + - name: monitoring + containerPort: 9090 + {{- end}} + securityContext: + capabilities: + drop: ["NET_RAW"] + runAsUser: 65534 + readinessProbe: + httpGet: + scheme: HTTPS + path: /scanner/ping + port: 8080 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + volumeMounts: + - name: scanner-etc-ssl-volume + mountPath: /etc/ssl + - name: scanner-etc-pki-volume + mountPath: /etc/pki/ca-trust + - name: additional-ca-volume + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + - name: scanner-config-volume + mountPath: /etc/scanner + readOnly: true + - name: scanner-tls-volume + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: vuln-temp-db + mountPath: /var/lib/stackrox + - name: proxy-config-volume + mountPath: /run/secrets/stackrox.io/proxy-config/ + readOnly: true + - name: scanner-db-password + mountPath: /run/secrets/stackrox.io/secrets + readOnly: true + {{- include "srox.injectedCABundleVolumeMount" . | nindent 8 }} + securityContext: + runAsNonRoot: true + runAsUser: 65534 + serviceAccountName: scanner + volumes: + - name: additional-ca-volume + secret: + defaultMode: 420 + optional: true + secretName: additional-ca + - name: scanner-etc-ssl-volume + emptyDir: {} + - name: scanner-etc-pki-volume + emptyDir: {} + - name: scanner-config-volume + configMap: + name: scanner-config + - name: scanner-tls-volume + secret: + secretName: scanner-tls + - name: vuln-temp-db + emptyDir: {} + - name: proxy-config-volume + secret: + secretName: proxy-config + optional: true + - name: scanner-db-password + secret: + secretName: scanner-db-password + {{- include "srox.injectedCABundleVolume" . 
| nindent 6 }} +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + app: scanner-db + {{- include "srox.labels" (list . "deployment" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "deployment" "scanner-db") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: scanner-db + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: scanner-db + {{- include "srox.podLabels" (list . "deployment" "scanner-db") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "5432" + {{- include "srox.podAnnotations" (list . "deployment" "scanner-db") | nindent 8 }} + spec: + {{- if ._rox.scanner._dbNodeSelector }} + nodeSelector: + {{- ._rox.scanner._dbNodeSelector | nindent 8 }} + {{- end }} + {{- if ._rox.scanner.dbTolerations }} + tolerations: + {{- toYaml ._rox.scanner.dbTolerations | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # ScannerDB is single-homed, so avoid preemptible nodes. + - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: Exists + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: Exists + # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in + # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+ - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: DoesNotExist + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + initContainers: + - name: init-db + {{ if eq ._rox.scanner.mode "slim" -}} + image: {{ ._rox.scanner.slimDBImage.fullRef | quote }} + {{ else -}} + image: {{ ._rox.scanner.dbImage.fullRef | quote }} + {{ end -}} + env: + - name: POSTGRES_PASSWORD_FILE + value: "/run/secrets/stackrox.io/secrets/password" + - name: ROX_SCANNER_DB_INIT + value: "true" + resources: + {{- ._rox.scanner._dbResources | nindent 12 }} + volumeMounts: + - name: scanner-db-data + mountPath: /var/lib/postgresql/data + - name: scanner-db-tls-volume + mountPath: /run/secrets/stackrox.io/certs + readOnly: true + - name: scanner-db-password + mountPath: /run/secrets/stackrox.io/secrets + readOnly: true + containers: + - name: db + {{ if eq ._rox.scanner.mode "slim" -}} + image: {{ ._rox.scanner.slimDBImage.fullRef | quote }} + {{ else -}} + image: {{ ._rox.scanner.dbImage.fullRef | quote }} + {{ end -}} + env: + {{- include "srox.envVars" (list . 
"deployment" "scanner-db" "db") | nindent 10 }} + ports: + - name: tcp-postgresql + protocol: TCP + containerPort: 5432 + resources: + {{- ._rox.scanner._dbResources | nindent 10 }} + volumeMounts: + - name: scanner-db-data + mountPath: /var/lib/postgresql/data + - name: scanner-db-tls-volume + mountPath: /run/secrets/stackrox.io/certs + readOnly: true + serviceAccountName: scanner + securityContext: + fsGroup: 70 + runAsGroup: 70 + runAsNonRoot: true + runAsUser: 70 + volumes: + - name: scanner-config-volume + configMap: + name: scanner-config + - name: scanner-tls-volume + secret: + secretName: scanner-tls + - name: scanner-db-tls-volume + secret: + secretName: scanner-db-tls + defaultMode: 0640 + items: + - key: cert.pem + path: server.crt + - key: key.pem + path: server.key + - key: ca.pem + path: root.crt + - name: scanner-db-data + emptyDir: {} + - name: scanner-db-password + secret: + secretName: scanner-db-password + +{{ end -}} diff --git a/rhacs/4.3.5/central-services/templates/02-scanner-07-service.yaml b/rhacs/4.3.5/central-services/templates/02-scanner-07-service.yaml new file mode 100644 index 0000000..2f65b15 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/02-scanner-07-service.yaml 
@@ -0,0 +1,99 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: Service +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "scanner") | nindent 4 }} +spec: + ports: + - name: https-scanner + port: 8080 + targetPort: 8080 + - name: grpcs-scanner + port: 8443 + targetPort: 8443 + {{ if ._rox.scanner.exposeMonitoring -}} + - name: monitoring + port: 9090 + targetPort: monitoring + {{- end}} + selector: + app: scanner + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "scanner-db") | nindent 4 }} +spec: + ports: + - name: tcp-db + port: 5432 + targetPort: 5432 + selector: + app: scanner-db + type: ClusterIP + +{{ if ._rox.env.istio }} +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: scanner-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }} + annotations: + stackrox.io/description: "Disable Istio mTLS for ports 8080 and 8443, since StackRox services use built-in mTLS." + {{- include "srox.annotations" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }} +spec: + host: scanner.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8080 + tls: + mode: DISABLE + - port: + number: 8443 + tls: + mode: DISABLE + +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: scanner-db-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . 
"destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }} + annotations: + stackrox.io/description: "Disable Istio mTLS for port 5432, since StackRox services use built-in mTLS." + {{- include "srox.annotations" (list . "destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }} +spec: + host: scanner-db.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 5432 + tls: + mode: DISABLE +{{ end }} + +{{ end -}} diff --git a/rhacs/4.3.5/central-services/templates/02-scanner-08-hpa.yaml b/rhacs/4.3.5/central-services/templates/02-scanner-08-hpa.yaml new file mode 100644 index 0000000..c7af476 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/02-scanner-08-hpa.yaml @@ -0,0 +1,25 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +{{- if not ._rox.scanner.autoscaling.disable -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }} +spec: + minReplicas: {{ ._rox.scanner.autoscaling.minReplicas }} + maxReplicas: {{ ._rox.scanner.autoscaling.maxReplicas }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: scanner + targetCPUUtilizationPercentage: 150 +{{ end -}} + +{{ end -}} diff --git a/rhacs/4.3.5/central-services/templates/99-generated-values-secret.yaml b/rhacs/4.3.5/central-services/templates/99-generated-values-secret.yaml new file mode 100644 index 0000000..b3499e8 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/99-generated-values-secret.yaml 
@@ -0,0 +1,25 @@ +{{- include "srox.init" . -}} + +{{- if ._rox._state.generated -}} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ ._rox._state.generatedName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "generated-helm-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "generated-helm-config") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" + "helm.sh/hook-delete-policy": "never" +stringData: + generated-values.yaml: | + # The following values were generated by the StackRox Central Services Helm chart. + # You can pass this file to `helm install` via the `-f` parameter, which in conjunction + # with your local values files and values specified via `--set` will allow you to + # deterministically reproduce the deployment. + {{- ._rox._state.generated | toYaml | nindent 4 }} + +{{- end -}} diff --git a/rhacs/4.3.5/central-services/templates/99-openshift-monitoring.yaml b/rhacs/4.3.5/central-services/templates/99-openshift-monitoring.yaml new file mode 100644 index 0000000..e9c512e --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/99-openshift-monitoring.yaml 
@@ -0,0 +1,134 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox.monitoring ._rox.monitoring.openshift ._rox.monitoring.openshift.enabled -}} + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: central-prometheus-k8s + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "central-prometheus-k8s") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "role" "central-prometheus-k8s") | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: central-prometheus-k8s + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "central-prometheus-k8s") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "central-prometheus-k8s") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: central-prometheus-k8s +subjects: +- kind: ServiceAccount + name: prometheus-k8s + namespace: openshift-monitoring + +--- + +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: "central-monitor-{{ .Release.Namespace }}" + namespace: openshift-monitoring + labels: + {{- include "srox.labels" (list . "servicemonitor" (print "central-monitor-" .Release.Namespace)) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"servicemonitor" (print "central-monitor-" .Release.Namespace)) | nindent 4 }} +spec: + endpoints: + - interval: 30s + path: metrics + port: monitoring-tls + scheme: https + tlsConfig: + caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt + certFile: /etc/prometheus/secrets/metrics-client-certs/tls.crt + keyFile: /etc/prometheus/secrets/metrics-client-certs/tls.key + serverName: "central.{{ .Release.Namespace }}.svc" + selector: + matchLabels: + app.kubernetes.io/component: central + namespaceSelector: + matchNames: + - "{{ .Release.Namespace }}" + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "rhacs-central-auth-reader-{{ .Release.Namespace }}" + namespace: kube-system + labels: + {{- include "srox.labels" (list . "rolebinding" (print "rhacs-central-auth-reader-" .Release.Namespace)) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" (print "rhacs-central-auth-reader-" .Release.Namespace)) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: central + namespace: "{{ .Release.Namespace }}" + +--- + +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: "central-telemeter-{{ .Release.Namespace }}" + namespace: openshift-monitoring + labels: + {{- include "srox.labels" (list . "prometheusrule" (print "central-telemeter-" .Release.Namespace )) | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"prometheusrule" (print "central-telemeter-" .Release.Namespace )) | nindent 4 }} +spec: + groups: + - name: rhacs.telemeter + rules: + - expr: | + max by (build, central_id, central_version, hosting, install_method) ( + rox_central_info{branding="RHACS"} + ) + record: rhacs:telemetry:rox_central_info + + - expr: | + max by (central_id) ( + rox_central_secured_clusters{branding="RHACS"} + ) + record: rhacs:telemetry:rox_central_secured_clusters + + - expr: | + max by (central_id) ( + rox_central_secured_nodes{branding="RHACS"} + ) + record: rhacs:telemetry:rox_central_secured_nodes + + - expr: | + max by (central_id) ( + rox_central_secured_vcpus{branding="RHACS"} + ) + record: rhacs:telemetry:rox_central_secured_vcpus + +{{- end -}} diff --git a/rhacs/4.3.5/central-services/templates/NOTES.txt b/rhacs/4.3.5/central-services/templates/NOTES.txt new file mode 100644 index 0000000..27922b2 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/NOTES.txt 
@@ -0,0 +1,56 @@ +{{- $_ := include "srox.init" . -}} + +StackRox {{.Chart.AppVersion}} has been installed. + + +{{ if include "srox.checkGenerated" (list . "central.adminPassword.value") -}} +An administrator password has been generated automatically. Use username 'admin' and the following +password to log in for initial setup: + + {{ ._rox.central._adminPassword.value }} + +{{ end -}} + +{{ if ._rox._state.notes -}} +Please take note of the following: +{{ range ._rox._state.notes }} +- {{ . | wrapWith 98 "\n " -}} +{{ end }} + +{{ end -}} + +{{ if ._rox._state.generated -}} +One or several values were automatically generated by Helm. In order to reproduce this deployment +in the future, you can export these values by running + + $ kubectl -n {{ .Release.Namespace }} get secret {{ ._rox._state.generatedName }} \ + -o go-template='{{ `{{ index .data "generated-values.yaml" }}` }}' | \ + base64 --decode >generated-values.yaml + +This file might contain sensitive data, so store it in a safe place. + +{{ end -}} + +{{ if ._rox._state.warnings -}} +When installing StackRox, the following warnings were encountered: +{{ range ._rox._state.warnings }} +- WARNING: {{ . | wrapWith 98 "\n " -}} +{{ end }} + +{{ end -}} + +{{ if ._rox.env.openshift -}} +IMPORTANT: You have deployed into an OpenShift-enabled cluster. If you see that your pods + are not scheduling, run + + oc annotate namespace/{{ .Release.Namespace }} --overwrite openshift.io/node-selector="" +{{ end -}} + + +{{ if ne (._rox.central.telemetry.enabled | toString) "false" }} +StackRox Kubernetes Security Platform collects and transmits anonymous usage and +system configuration information. If you want to OPT OUT from this, use +--set central.telemetry.enabled=false. +{{ end }} + +Thank you for using StackRox! diff --git a/rhacs/4.3.5/central-services/templates/_central_endpoints.tpl b/rhacs/4.3.5/central-services/templates/_central_endpoints.tpl new file mode 100644 index 0000000..3bde7d4 --- /dev/null 
+++ b/rhacs/4.3.5/central-services/templates/_central_endpoints.tpl 
@@ -0,0 +1,59 @@ +{{ define "srox.configureCentralEndpoints" }} +{{ $central := . }} +{{ $containerPorts := list (dict "name" "api" "containerPort" 8443) }} +{{ $netPolIngressRules := list (dict "ports" (list (dict "port" 8443 "protocol" "TCP"))) }} +{{ $servicePorts := list (dict "name" "https" "targetPort" "api" "port" 443) }} +{{ $cfgDict := fromYaml $central._endpointsConfig }} +{{ if kindIs "map" $cfgDict }} + {{ if $cfgDict.disableDefault }} + {{ $containerPorts = list }} + {{ $netPolIngressRules = list }} + {{ $servicePorts = list }} + {{ end }} + {{ range $epCfg := default list $cfgDict.endpoints }} + {{ if and $epCfg.listen (kindIs "string" $epCfg.listen) }} + {{ $listenParts := splitList ":" $epCfg.listen }} + {{ if $listenParts }} + {{ $port := last $listenParts }} + {{ if $port }} + {{ if regexMatch "[0-9]+" $port }} + {{ $port = int $port }} + {{ end }} + {{ $containerPort := dict "containerPort" $port }} + {{ if and $epCfg.name (kindIs "string" $epCfg.name) }} + {{ $_ := set $containerPort "name" $epCfg.name }} + {{ end }} + {{ $containerPorts = append $containerPorts $containerPort }} + {{ if $epCfg.servicePort }} + {{ $servicePort := dict "targetPort" $port "port" $epCfg.servicePort }} + {{ if $containerPort.name }} + {{ $_ := set $servicePort "name" $containerPort.name }} + {{ end }} + {{ $servicePorts = append $servicePorts $servicePort }} + {{ end }} + {{ if not (kindIs "invalid" $epCfg.allowIngressFrom) }} + {{ $fromList := $epCfg.allowIngressFrom }} + {{ if not (kindIs "slice" $fromList) }} + {{ $fromList = list $fromList }} + {{ end }} + {{ $netPolIngressRule := dict "ports" (list (dict "port" $port "protocol" "TCP")) "from" $fromList }} + {{ $netPolIngressRules = append $netPolIngressRules $netPolIngressRule }} + {{ end }} + {{ end }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ if $central.exposeMonitoring }} + {{ $containerPorts = append $containerPorts (dict "name" "monitoring" "containerPort" 9090) }} + {{ $servicePorts = append 
$servicePorts (dict "name" "monitoring" "targetPort" "monitoring" "port" 9090) }} +{{ end }} +# The (...) safe-guard against nil pointer evaluations for Helm versions built with Go < 1.18. +{{ if ((($central.monitoring).openshift).enabled) }} + {{ $containerPorts = append $containerPorts (dict "name" "monitoring-tls" "containerPort" 9091) }} + {{ $servicePorts = append $servicePorts (dict "name" "monitoring-tls" "targetPort" "monitoring-tls" "port" 9091) }} +{{ end }} +{{ $_ := set $central "_containerPorts" $containerPorts }} +{{ $_ = set $central "_servicePorts" $servicePorts }} +{{ $_ = set $central "_netPolIngressRules" $netPolIngressRules }} +{{ end }} diff --git a/rhacs/4.3.5/central-services/templates/_central_setup.tpl b/rhacs/4.3.5/central-services/templates/_central_setup.tpl new file mode 100644 index 0000000..6584ad1 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_central_setup.tpl 
@@ -0,0 +1,140 @@ +{{/* + srox.centralSetup $ + + Configures and initializes central specific values like certificates, admin password or persistence. + */}} +{{ define "srox.centralSetup" }} +{{ $ := . }} +{{ $env := $._rox.env }} +{{ $_ := set $ "_rox" $._rox }} +{{ $centralCfg := $._rox.central }} +{{ $centralDBCfg := $._rox.central.db }} + +{{/* Image settings */}} +{{ include "srox.configureImage" (list $ $centralCfg.image) }} + +{{/* Admin password */}} +{{ include "srox.configurePassword" (list $ "central.adminPassword" "admin") }} + +{{/* Service TLS Certificates */}} +{{ $centralCertSpec := dict "CN" "CENTRAL_SERVICE: Central" "dnsBase" "central" }} +{{ include "srox.configureCrypto" (list $ "central.serviceTLS" $centralCertSpec) }} + +{{/* JWT Token Signer */}} +{{ $jwtSignerSpec := dict "keyOnly" "rsa" }} +{{ include "srox.configureCrypto" (list $ "central.jwtSigner" $jwtSignerSpec) }} + +{{/* Setup Default TLS Certificate. */}} +{{ if $._rox.central.defaultTLS }} + {{ $cert := $._rox.central.defaultTLS._cert }} + {{ $key := $._rox.central.defaultTLS._key }} + {{ if and $cert $key }} + {{ $defaultTLSCert := dict "Cert" $cert "Key" $key }} + {{ $_ := set $._rox.central "_defaultTLS" $defaultTLSCert }} + {{ include "srox.note" (list $ "Configured default TLS certificate") }} + {{ else if or $cert $key }} + {{ include "srox.fail" "Must specify either none or both of central.defaultTLS.cert and central.defaultTLS.key" }} + {{ end }} +{{ end }} + +{{/* Central DB password */}} +{{/* Always set up the password for Postgres if it is enabled */}} +{{ include "srox.configurePassword" (list $ "central.db.password") }} +{{ if not $centralDBCfg.external }} +{{ include "srox.configureImage" (list $ $centralDBCfg.image) }} + +{{/* Central DB Service TLS Certificates */}} +{{ $centralDBCertSpec := dict "CN" "CENTRAL_DB_SERVICE: Central DB" "dnsBase" "central-db" }} +{{ include "srox.configureCrypto" (list $ "central.db.serviceTLS" $centralDBCertSpec) }} +{{ end }} + 
+{{/* + Setup configuration for persistence backend. + TODO(ROX-16253): Remove PVC + */}} +{{ $volumeCfg := dict }} +{{ if $centralCfg.persistence.none }} + {{ $_ := set $volumeCfg "emptyDir" dict }} +{{ end }} +{{ if $centralCfg.persistence.hostPath }} + {{ if not $centralCfg.nodeSelector }} + {{ include "srox.warn" (list $ "You have selected host path persistence, but not specified a node selector. This is unlikely to work reliably.") }} + {{ end }} + {{ $_ := set $volumeCfg "hostPath" (dict "path" $centralCfg.persistence.hostPath) }} +{{ end }} +{{/* Configure PVC if either any of the settings in `central.persistence.persistentVolumeClaim` are provided, + or no other persistence backend has been configured yet. */}} +{{ if or (not (deepEqual $._rox._configShape.central.persistence.persistentVolumeClaim $centralCfg.persistence.persistentVolumeClaim)) (not $volumeCfg) }} + {{ $pvcCfg := $centralCfg.persistence.persistentVolumeClaim }} + {{ $_ := include "srox.mergeInto" (list $pvcCfg $._rox._defaults.pvcDefaults (dict "createClaim" $.Release.IsInstall)) }} + {{ $_ = set $volumeCfg "persistentVolumeClaim" (dict "claimName" $pvcCfg.claimName) }} + {{ if $pvcCfg.createClaim }} + {{ $_ = set $centralCfg.persistence "_pvcCfg" $pvcCfg }} + {{ end }} +{{ end }} + +{{/* + Central's DB PVC config setup + */}} +{{ $dbVolumeCfg := dict }} +{{ if not $centralDBCfg.external }} +{{ if $centralDBCfg.persistence.none }} + {{ include "srox.warn" (list $ "You have selected no persistence backend. Every deletion of the StackRox Central DB pod will cause you to lose all your data. This is STRONGLY recommended against.") }} + {{ $_ := set $dbVolumeCfg "emptyDir" dict }} +{{ end }} +{{ if $centralDBCfg.persistence.hostPath }} + {{ if not $centralDBCfg.nodeSelector }} + {{ include "srox.warn" (list $ "You have selected host path persistence, but not specified a node selector. 
This is unlikely to work reliably.") }} + {{ end }} + {{ $_ := set $dbVolumeCfg "hostPath" (dict "path" $centralDBCfg.persistence.hostPath) }} +{{ end }} +{{/* Configure PVC if either any of the settings in `centralDB.persistence.persistentVolumeClaim` are provided, + or no other persistence backend has been configured yet. */}} +{{ if or (not (deepEqual $._rox._configShape.central.db.persistence.persistentVolumeClaim $centralDBCfg.persistence.persistentVolumeClaim)) (not $dbVolumeCfg) }} + {{ $dbPVCCfg := $centralDBCfg.persistence.persistentVolumeClaim }} + {{ $_ := include "srox.mergeInto" (list $dbPVCCfg $._rox._defaults.dbPVCDefaults (dict "createClaim" (or .Release.IsInstall (eq $._rox._renderMode "centralDBOnly")))) }} + {{ $_ = set $dbVolumeCfg "persistentVolumeClaim" (dict "claimName" $dbPVCCfg.claimName) }} + {{ if $dbPVCCfg.createClaim }} + {{ $_ = set $centralDBCfg.persistence "_pvcCfg" $dbPVCCfg }} + {{ end }} +{{ end }} +{{ end }} + +{{ $allPersistenceMethods := keys $volumeCfg | sortAlpha }} +{{ if ne (len $allPersistenceMethods) 1 }} + {{ include "srox.fail" (printf "Invalid or no persistence configurations for central: [%s]" (join "," $allPersistenceMethods)) }} +{{ end }} +{{ $_ = set $centralCfg.persistence "_volumeCfg" $volumeCfg }} +{{ if not $centralDBCfg.external }} +{{ $_ = set $centralDBCfg.persistence "_volumeCfg" $dbVolumeCfg }} +{{ end }} + +{{/* Endpoint configuration */}} +{{ include "srox.configureCentralEndpoints" $._rox.central }} + +{{/* + Exposure configuration setup & sanity checks. 
+ */}} +{{ if $._rox.central.exposure.loadBalancer.enabled }} + {{ include "srox.note" (list $ (printf "Exposing StackRox Central via LoadBalancer service.")) }} +{{ end }} +{{ if $._rox.central.exposure.nodePort.enabled }} + {{ include "srox.note" (list $ (printf "Exposing StackRox Central via NodePort service.")) }} +{{ end }} +{{ if $._rox.central.exposure.route.enabled }} + {{ if not $env.openshift }} + {{ include "srox.fail" (printf "The exposure method 'Route' is only available on OpenShift clusters.") }} + {{ end }} + {{ include "srox.note" (list $ (printf "Exposing StackRox Central via OpenShift Route https://central.%s." $.Release.Namespace)) }} +{{ end }} + +{{ if not (or $._rox.central.exposure.loadBalancer.enabled $._rox.central.exposure.nodePort.enabled $._rox.central.exposure.route.enabled) }} + {{ include "srox.note" (list $ "Not exposing StackRox Central, it will only be reachable cluster-internally.") }} + {{ include "srox.note" (list $ "To enable exposure via LoadBalancer service, use --set central.exposure.loadBalancer.enabled=true.") }} + {{ include "srox.note" (list $ "To enable exposure via NodePort service, use --set central.exposure.nodePort.enabled=true.") }} + {{ if $env.openshift }} + {{ include "srox.note" (list $ "To enable exposure via an OpenShift Route, use --set central.exposure.route.enabled=true.") }} + {{ end }} + {{ include "srox.note" (list $ (printf "To acccess StackRox Central via a port-forward on your local port 18443, run: kubectl -n %s port-forward svc/central 18443:443." .Release.Namespace)) }} +{{ end }} +{{ end }} diff --git a/rhacs/4.3.5/central-services/templates/_crypto.tpl b/rhacs/4.3.5/central-services/templates/_crypto.tpl new file mode 100644 index 0000000..1455288 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_crypto.tpl 
@@ -0,0 +1,239 @@ +{{/* + srox.configureCrypto $ $cryptoConfigPath $spec + + This helper function configures a private key or certificate (public cert + private key) + config entry, from an input config which is accessed via $cryptoConfigPath relative to + $._rox, which we'll refer to as $inputCfg. $inputCfg is expected to be a dict with at + least `key` and `generate` properties. If `generate` is null, it defaults to either `true` + on installations, and `false` on upgrades. `key` is an expandable string. + The result in either mode is written to a dict $outputCfg under $._rox accessed by the + $cryptoConfigPath, with a '_' prepended to the last path element. E.g., if + $cryptoConfigPath is "a.b.c", the input configuration will be read from $._rox.a.b.c, and + the output configuration will be stored in $._rox.a.b._c. + + Private key-only mode is selected if $spec.keyOnly contains a non-zero string, which specifies + the key algorithm to use. In this mode, if $inputCfg.key expands to a non-empty string, this + string will be copied to the `Key` property of $outputCfg. Otherwise, if $inputCfg.generate + is true (wrt. the above defaulting rules), a key with the algorithm prescribed by $spec.keyOnly + will be generated and stored in the `Key` property of $outputCfg. + + Certificate mode is the default. If $inputCfg.cert and $inputCfg.key expand to non-empty strings, + these strings will be copied to the `Cert` and `Key` properties of $outputCfg. Otherwise, if both + of them expand to empty strings (it is an error if only one of them expands to a non-empty + string), and $inputCfg.generate is true, a certificate and private key are generated with the + following options: + - If $inputCfg.ca is true, generate a CA certificate with common name $inputCfg.CN and a 5 year + validity duration. + - Otherwise, generate a leaf certificate with common name $inputCfg.CN and a 1 year validity + duration. 
The SANs for this certificate are derived from the base DNS name $inputCfg.dnsBase + according to "srox.computeSANs". + + Whenever certificates and/or private keys were generated, the $._rox._state.generated property + is updated to reflect the generated values, such that merging $._rox._state.generated in to + $.Values would have caused this template to simply use the generated values as-is. E.g., if + $cryptoConfigPath was "a.b.c" and $.Values.a.b.c.cert" and $.Values.a.b.c.key" were both empty, + $._rox._state.generated.a.b.c would be set to be a dict with `cert` and `key` properties of the + generated $outputCfg.Cert and $outputCfg.Key. + + If a certificate or private key was generated, $._rox._state.customCertGen is set to true. + */}} +{{- define "srox.configureCrypto" -}} +{{ $ := index . 0 }} +{{ $cryptoConfigPath := index . 1 }} +{{ $spec := index . 2 }} + +{{/* Resolve $cryptoConfigPath. */}} +{{ $cfg := $._rox }} +{{ $newGenerated := dict }} +{{ $genCfg := $newGenerated }} +{{ $cryptoConfigPathList := splitList "." $cryptoConfigPath }} +{{ range $pathElem := $cryptoConfigPathList }} + {{ $cfg = index $cfg $pathElem }} + {{ $newCfg := dict }} + {{ $_ := set $genCfg $pathElem $newCfg }} + {{ $genCfg = $newCfg }} +{{ end }} + +{{/* Make sure `cert` and `key` are expanded (this should already be the case, but better + safe than sorry. 
*/}} +{{ $certExpandSpec := dict "cert" true "key" true }} +{{ include "srox.expandAll" (list $ $cfg $certExpandSpec $cryptoConfigPathList) }} + +{{ $certPEM := $cfg._cert }} +{{ $keyPEM := $cfg._key }} + +{{ $result := dict }} +{{ if $certPEM }} + {{ $result = dict "Cert" $certPEM "Key" (default "" $keyPEM) }} +{{ else if or $certPEM $keyPEM }} + {{ if and $keyPEM $spec.keyOnly }} + {{ $_ := set $result "Key" $keyPEM }} + {{ else }} + {{ include "srox.fail" (printf "Either none or both of %s.cert and %s.key must be specified" $cryptoConfigPath $cryptoConfigPath) }} + {{ end }} +{{ else }} + {{ $generate := $cfg.generate }} + {{ if kindIs "invalid" $generate }} + {{ $generate = $.Release.IsInstall }} + {{ end }} + {{ if $generate }} + {{ if $spec.ca }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"ca\" (genCA .cn 1825) }}" (dict "Template" $.Template "cn" $spec.CN "out" $out) }} + {{ $result = $out.ca }} + {{ else if $spec.keyOnly }} + {{ $key := tpl "{{ genPrivateKey .algo }}" (dict "Template" $.Template "algo" $spec.keyOnly) }} + {{ $_ := set $genCfg "key" $key }} + {{ $_ = set $result "Key" $key }} + {{ else }} + {{ if not $._rox._ca }} + {{ include "srox.fail" (printf "Tried to generate certificate for %s, but no CA certificate is available." 
$spec.CN) }} + {{ end }} + {{ $sans := dict }} + {{ include "srox.computeSANs" (list $ $sans $spec.dnsBase) }} + {{ $ca := $._rox._ca }} + {{ if kindIs "map" $ca }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"ca\" (buildCustomCert (b64enc .ca.Cert) (b64enc .ca.Key)) }}" (dict "Template" $.Template "ca" $ca "out" $out) }} + {{ $ca = $out.ca }} + {{ end }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"cert\" (genSignedCert .cn nil .sans 365 .ca) }}" (dict "Template" $.Template "cn" $spec.CN "sans" $sans.result "ca" $ca "out" $out) }} + {{ $result = $out.cert }} + {{ $_ := set $genCfg "cert" $result.Cert }} + {{ $_ = set $genCfg "key" $result.Key }} + {{ end }} + {{ $_ := set $genCfg "key" $result.Key }} + {{ if $result.Cert }} + {{ $_ = set $genCfg "cert" $result.Cert }} + {{ end }} + {{ $_ = set $._rox._state "customCertGen" true }} + {{ end }} +{{ end }} + +{{/* Store output configuration and generated properties */}} +{{ $newCfgRoot := dict }} +{{ $newCfg := $newCfgRoot }} +{{ range $pathElem := initial $cryptoConfigPathList }} + {{ $nextCfg := dict }} + {{ $_ := set $newCfg $pathElem $nextCfg }} + {{ $newCfg = $nextCfg }} +{{ end }} +{{ $_ := set $newCfg (last $cryptoConfigPathList | printf "_%s") $result }} +{{ $_ = include "srox.mergeInto" (list $._rox $newCfgRoot) }} +{{ $_ = include "srox.mergeInto" (list $._rox._state.generated $newGenerated) }} +{{ end }} + + +{{/* + srox.configurePassword $ $pwConfigPath [$htpasswdUser] + + This helper function reads a password configuration (YAML dict with `value` + and `generate` properties) referenced by $pwConfigPath relative to $._rox. It + ensures the dict with the same config path relative to $._rox and prepending an underscore + to the last path element is populated in the following way: + - If the `value` property of the input config is nonzero, set `value` in the result to the + expanded value. 
+ - If the optional $htpasswdUser parameter is specified and the `htpasswd` property of the + input config is nonzero, set `htpasswd` in the result to the expanded value of that + property. + - If none of the above (non-mutually-exclusive) cases apply: + - If `generate` is true OR both `generate` is null and this is an installation, + not an upgrade, generate a random password with 32 alphanumeric characters. + - Otherwise, leave the result property empty. + - If the optional $htpasswdUser parameter was specified AND the `value` property in the + result property was set per the above rules AND the `htpasswd` property was not set, + populate the `htpasswd` property of the result by generating an htpasswd stanza with + the computed `value` as the password and $htpasswdUser as the username. + + The $._rox._state.generated property is adjusted accordingly. + */}} +{{- define "srox.configurePassword" -}} +{{ $ := index . 0 }} +{{ $pwConfigPath := index . 1 }} +{{ $htpasswdUser := "" }} +{{ if gt (len .) 2 }} + {{ $htpasswdUser = index . 2 }} +{{ end }} +{{ $cfg := $._rox }} +{{ $newGenerated := dict }} +{{ $genCfg := $newGenerated }} +{{ $pwConfigPathList := splitList "." $pwConfigPath }} +{{ range $pathElem := $pwConfigPathList }} + {{ $cfg = index $cfg $pathElem }} + {{ $newCfg := dict }} + {{ $_ := set $genCfg $pathElem $newCfg }} + {{ $genCfg = $newCfg }} +{{ end }} + +{{/* Make sure that `value` and `htpasswd` within $cfg are expanded (this should already be the + case but better safe than sorry). 
*/}} +{{ $pwExpandSpec := dict "value" true "htpasswd" true }} +{{ include "srox.expandAll" (list $ $cfg $pwExpandSpec $pwConfigPathList) }} + +{{ $result := dict }} +{{ if and $htpasswdUser (not (kindIs "invalid" $cfg._htpasswd)) }} + {{ $htpasswd := $cfg._htpasswd }} + {{ $_ := set $result "htpasswd" $htpasswd }} +{{ end }} +{{ if not $result.htpasswd }} + {{ $pw := dict.nil }} + {{ if kindIs "invalid" $cfg._value }} + {{ $generate := $cfg.generate }} + {{ if kindIs "invalid" $generate }} + {{ $generate = $.Release.IsInstall }} + {{ end }} + {{ if $generate }} + {{ $pw = randAlphaNum 32 }} + {{ $_ := set $genCfg "value" $pw }} + {{ end }} + {{ else }} + {{ $pw = $cfg._value }} + {{ end }} + {{ if not (kindIs "invalid" $pw) }} + {{ $_ := set $result "value" $pw }} + {{ end }} + {{ if and $htpasswdUser $pw }} + {{ $htpasswd := tpl "{{ htpasswd .user .pw }}" (dict "Template" $.Template "user" $htpasswdUser "pw" $pw) }} + {{ $_ := set $result "htpasswd" $htpasswd }} + {{ end }} +{{ else if $cfg.value }} + {{ include "srox.fail" (printf "Both a htpasswd and a value are specified for %s, this is illegal. Remove the `value` property, or ensure that `htpasswd` is null." $pwConfigPath) }} +{{ end }} +{{ $newCfgRoot := dict }} +{{ $newCfg := $newCfgRoot }} +{{ range $pathElem := initial $pwConfigPathList }} + {{ $nextCfg := dict }} + {{ $_ := set $newCfg $pathElem $nextCfg }} + {{ $newCfg = $nextCfg }} +{{ end }} +{{ $_ := set $newCfg (last $pwConfigPathList | printf "_%s") $result }} +{{ $_ = include "srox.mergeInto" (list $._rox $newCfgRoot) }} +{{ $_ = include "srox.mergeInto" (list $._rox._state.generated $newGenerated) }} +{{ end }} + + +{{/* + srox.computeSANs $ $out $svcName + + Compute the applicable SANs for a service with name $svcName, deployed in namespace + $.Release.Namespace (= $releaseNS). + Generally, SANs following the pattern "$svcName.$releaseNS[.svc[.cluster.local]]" will be + generated. 
If $releaseNS is not "stackrox", another set of SANs with the same pattern, + but assuming $releaseNS = "stackrox", will be generated in addition. + The result is stored as a list in $out.result. + */}} +{{ define "srox.computeSANs" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ $svcName := index . 2 }} +{{ $releaseNS := $.Release.Namespace }} +{{ $sans := list }} +{{ range $ns := list $releaseNS "stackrox" | uniq | sortAlpha }} + {{ $baseDNS := printf "%s.%s" $svcName $ns }} + {{ range $suffix := tuple "" ".svc" ".svc.cluster.local" }} + {{ $sans = printf "%s%s" $baseDNS $suffix | append $sans }} + {{ end }} +{{ end }} +{{ $_ := set $out "result" $sans }} +{{ end }} diff --git a/rhacs/4.3.5/central-services/templates/_dict.tpl b/rhacs/4.3.5/central-services/templates/_dict.tpl new file mode 100644 index 0000000..bf14a6d --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_dict.tpl 
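Review bot: In `srox.configurePassword` the `{{ else if $cfg.value }}` branch that raises "Both a htpasswd and a value are specified" can never fire, because the `srox.expandAll` call a few lines earlier moves `value` to `_value` and unsets the original key (see `set $target (printf "_%s" $k)` / `unset $target $k` in `srox.expandAll`). As written, a config that sets both `htpasswd` and `value` silently keeps the htpasswd and drops the value instead of failing. The condition should test the expanded key, e.g. `{{ else if $cfg._value }}`, and the same expanded-key convention already used for `$cfg._htpasswd` above should be noted in the header comment.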
@@ -0,0 +1,142 @@ +{{/* + srox.compactDict $target [$depth] + + Compacts a dict $target by removing entries with empty values. + By default, only the top-level dict $target itself is modified. If the optional $depth + parameter is specified and is non-zero, this determines the recursion depth over which the + compaction is applied to nested diocts as well. A $depth of -1 means to compact all nested + dicts, regardless of depth. + */}} +{{ define "srox.compactDict" }} +{{ $args := . }} +{{ if not (kindIs "slice" $args) }} + {{ $args = list $args 0 }} +{{ end }} +{{ $target := index $args 0 }} +{{ $depth := index $args 1 }} +{{ $zeroValKeys := list }} +{{ range $k, $v := $target }} + {{ if and (kindIs "map" $v) (ne $depth 0) }} + {{ include "srox.compactDict" (list $v (sub $depth 1)) }} + {{ end }} + {{ if not $v }} + {{ $zeroValKeys = append $zeroValKeys $k }} + {{ end }} +{{ end }} +{{ range $k := $zeroValKeys }} + {{ $_ := unset $target $k }} +{{ end }} +{{ end }} + +{{/* + srox.destructiveMergeOverwrite $out $dict1 $dict2... + + Recursively merges $dict1, $dict2 (in this order) into $out, similar to mergeOverwrite. + The eponymous difference is the fact that any explicit "null" entries in the source + dictionaries cause the respective entry to be deleted. + */}} +{{ define "srox.destructiveMergeOverwrite" }} +{{ $out := first . }} +{{ $toMergeList := rest . 
}} +{{ range $toMerge := $toMergeList }} + {{ range $k, $v := $toMerge }} + {{ if kindIs "invalid" $v }} + {{ $_ := unset $out $k }} + {{ else if kindIs "map" $v }} + {{ $outV := index $out $k }} + {{ if kindIs "invalid" $outV }} + {{ $_ := set $out $k (deepCopy $v) }} + {{ else if kindIs "map" $outV }} + {{ include "srox.destructiveMergeOverwrite" (list $outV $v) }} + {{ else }} + {{ fail (printf "when merging at key %s: incompatible kinds %s and %s" $k (kindOf $v) (kindOf $outV)) }} + {{ end }} + {{ else }} + {{ $_ := set $out $k $v }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox.stringifyDictValues $dict + + Recursively traverses $dict and converts every non-dict value to a string. + */}} +{{ define "srox.stringifyDictValues" }} +{{ $dict := . }} +{{ range $k, $v := $dict }} + {{ if kindIs "map" $v }} + {{ include "srox.stringifyDictValues" $v }} + {{ else }} + {{ $_ := set $dict $k (toString $v) }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox.safeDictLookup $dict $out $path + + Looks up $path in $dict, and stores the result (if any) in $out.result. + $path is a dot-separated list of nested field names. An empty $path causes + $dict to be stored in $out.result. + + Example: srox.safeDictLookup $dict $out "a.b.c" stores the value of $dict.a.b.c, if + it exists, in $out.result. Otherwise, it does nothing - in particular, it does + not fail, as accessing $dict.a.b.c unconditionally would if any of $dict, $dict.a, + or $dict.a.b was not a dict. + */}} +{{ define "srox.safeDictLookup" }} +{{ $dict := index . 0 }} +{{ $out := index . 1 }} +{{ $path := index . 2 }} +{{ $curr := $dict }} +{{ $pathList := splitList "." 
$path | compact }} +{{ range $pathElem := $pathList }} + {{ if kindIs "map" $curr }} + {{ $curr = index $curr $pathElem }} + {{ else if not (kindIs "invalid" $curr) }} + {{ $curr = dict.nil }} + {{ end }} +{{ end }} +{{ if not (kindIs "invalid" $curr) }} + {{ $_ := set $out "result" $curr }} +{{ end }} +{{ end }} + + + +{{/* + srox.mergeInto $tgt $src1..$srcN + + Recursively merges values from $src1, ..., $srcN into $tgt, giving preference to + values in $tgt. + + Unlike Sprig's merge, this does not overwrite falsy values when explicitly defined, + with the exception of `null` values (this also sets it apart from Sprig's mergeOverwrite). + + Whenever entire (nested) dicts are merged as-is from one of the sources into $tgt, a deep + copy of the respective nested dict is created. + + An empty string is always returned, hence this should be invoked in the form + $_ := include "srox.mergeInto" (list $tgt $src1 $src2) + */}} +{{ define "srox.mergeInto" }} +{{ $tgt := first . }} +{{ range $src := rest . }} + {{ range $k, $srcV := $src }} + {{ $tgtV := index $tgt $k }} + {{ if kindIs "map" $srcV }} + {{ if kindIs "invalid" $tgtV }} + {{ $_ := set $tgt $k (deepCopy $srcV) }} + {{ else if kindIs "map" $tgtV }} + {{ $_ := include "srox.mergeInto" (list $tgtV $srcV) }} + {{ else }} + {{ fail (printf "Incompatible kinds for key %s: %s vs %s" $k (kindOf $srcV) (kindOf $tgtV)) }} + {{ end }} + {{ else if and (not (kindIs "invalid" $srcV)) (kindIs "invalid" $tgtV) }} + {{ $_ := set $tgt $k $srcV }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} diff --git a/rhacs/4.3.5/central-services/templates/_expand.tpl b/rhacs/4.3.5/central-services/templates/_expand.tpl new file mode 100644 index 0000000..ed1cb1f --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_expand.tpl 
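Review bot: The header comment of `srox.compactDict` says entries "with empty values" are removed, but the check `{{ if not $v }}` also drops explicitly set `false` and `0` values, not just nil/empty ones; the doc should say "falsy" (or the check should be narrowed) so callers are not surprised when a deliberate `false` disappears after compaction. Same comment block: "nested diocts" is a typo for "nested dicts".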
@@ -0,0 +1,96 @@ +{{/* + srox.expandAll $ $target $expandable [$path] + + Expands values within $target that are flagged in $expandable, using $path + as the path from the configuration root to $target for error reporting purposes. + + If $target is nil, nothing happens. Otherwise, $target must be a dict. For every key + of $target that is also present in $expandable, the following action is performed: + - If the entry in $expandable is a dict, recursive invoke "srox.expandAll" on the + respective entries, with an adjusted $path. + - Otherwise, the entry in $expandable is assume to be of boolean value. If the value is + true, the corresponding entry's value in $target is expanded (see "srox._expandSingle" + below for a definition of expanding), and the result of the expansion is stored under + the key with a "_" prepended in $target. The original entry in $target is removed. This + ensures "srox.expandAll" is an idempotent operation). + */}} +{{ define "srox.expandAll" }} +{{ $args := . }} +{{ $ := index $args 0 }} +{{ $target := index $args 1 }} +{{ $expandable := index $args 2 }} +{{ $path := list }} +{{ if ge (len $args) 4 }} + {{ $path = index $args 3 }} + {{ if kindIs "string" $path }} + {{ $path = splitList "." $path | compact }} + {{ end }} +{{ end }} + +{{ if kindIs "map" $target }} + {{ range $k, $v := $expandable }} + {{ $childPath := append $path $k }} + {{ $targetV := index $target $k }} + {{ if kindIs "map" $v }} + {{ include "srox.expandAll" (list $ $targetV $v $childPath) }} + {{ else if $v }} + {{ if not (kindIs "invalid" $targetV) }} + {{ $expanded := include "srox._expandSingle" (list $ $targetV (join "." $childPath)) }} + {{ $_ := set $target (printf "_%s" $k) $expanded }} + {{ end }} + {{ $_ := unset $target $k }} + {{ end }} + {{ end }} +{{ else if not (kindIs "invalid" $target) }} + {{ include "srox.fail" (printf "Error expanding value at %s: expected map, got: %s" (join "." 
$path) (kindOf $target)) }} +{{ end }} +{{ end }} + +{{/* + srox.expand $ $spec + + Parses and expands a "specification string" in the following way: + - If $spec is a dictionary, return $spec rendered as a YAML. + - Otherwise, if $spec starts with a backslash character (`\`), return $spec minus the leading + backslash character. + - Otherwise, if $spec starts with an `@` character, strip off the first character and + treat the remainder of the string as a `|`-separated list of file names. Try to load + each referenced file, in order, via `stackrox.getFile`. The result is the first file + that could be successfully loaded. If no file could be loaded, expansion fails. + - Otherwise, return $spec as-is. + */}} +{{- define "srox._expandSingle" -}} + {{- $ := index . 0 -}} + {{- $spec := index . 1 -}} + {{- $context := index . 2 -}} + {{- $result := "" -}} + {{- if kindIs "string" $spec -}} + {{- if hasPrefix "\\" $spec -}} + {{- /* use \ as string-wide escape character */ -}} + {{- $result = trimPrefix "\\" $spec -}} + {{- else if hasPrefix "@" $spec -}} + {{- /* treat as file list (first found matches) */ -}} + {{- /* If the prefix is "@?" expansion will not fail if no files could be found, instead an empty string is returned. */ -}} + {{- $fileSpec := trimPrefix "@" $spec -}} + {{- $allowNotFound := false -}} + {{- if hasPrefix "?" $fileSpec -}} + {{- $allowNotFound = true -}} + {{- $fileSpec = trimPrefix "?" 
$fileSpec -}} + {{- end -}} + {{- $fileList := regexSplit "\\s*\\|\\s*" ($fileSpec | trim) -1 -}} + {{- $fileRes := dict -}} + {{- $_ := include "srox.loadFile" (list $ $fileRes $fileList) -}} + {{- if and (not $allowNotFound) (not $fileRes.found) -}} + {{- include "srox.fail" (printf "Expanding %s: file reference %q: none of the referenced files were found" $context $spec) -}} + {{- end -}} + {{- $result = default "" $fileRes.contents -}} + {{- else -}} + {{/* treat as raw string */}} + {{- $result = $spec -}} + {{- end -}} + {{- else if not (kindIs "invalid" $spec) -}} + {{- /* render non-string, non-nil values as YAML */ -}} + {{- $result = toYaml $spec -}} + {{- end -}} + {{- $result -}} +{{- end -}} diff --git a/rhacs/4.3.5/central-services/templates/_format.tpl b/rhacs/4.3.5/central-services/templates/_format.tpl new file mode 100644 index 0000000..745fe47 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_format.tpl @@ -0,0 +1,14 @@ +{{/* + srox.formatStorageSize $value + + Formats $value as a storage size. $value can be an integer or a string. + If no unit is specified (e.g., if $value is a string), a default unit of + Gigabytes ("Gi" suffix) is assumed. + */}} +{{- define "srox.formatStorageSize" -}} +{{- $val := toString . -}} +{{- if regexMatch "^[0-9]+$" $val -}} + {{- $val = printf "%sGi" $val -}} +{{- end -}} +{{- default "0" $val -}} +{{- end -}} diff --git a/rhacs/4.3.5/central-services/templates/_helpers.tpl b/rhacs/4.3.5/central-services/templates/_helpers.tpl new file mode 100644 index 0000000..e87f10f --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_helpers.tpl 
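Review bot: The doc comment above `srox._expandSingle` in `_expand.tpl` is out of sync with the template: it is titled `srox.expand $ $spec` while the define is `srox._expandSingle` and takes three arguments (`$`, `$spec`, `$context`), it refers to `stackrox.getFile` while the code calls `srox.loadFile`, and the `@?` prefix that makes a missing file non-fatal is only described in an inline comment. Please rewrite the header to name the template, list all three parameters, and document the `@?` behaviour alongside `@`.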
@@ -0,0 +1,68 @@ +{{/* + Misceallaneous helper templates. + */}} + + + + +{{/* + srox.loadFile $ $out $fileName-or-list + + This helper function reads a file. It differs from $.Files.Get in that it also takes + $._rox.meta.fileOverrides into account. Furthermore, it can receive a list of file names, + and will try these files in order. Finally, it indicates whether a file was found via the + $out.found property (as opposed to $.Files.Get, which cannot distinguish between a successful + read of an empty file, and this file not being found). + The file contents will be returned via $out.contents + */}} +{{ define "srox.loadFile" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ $fileNames := index . 2 }} +{{ if not (kindIs "slice" $fileNames) }} + {{ $fileNames = list $fileNames }} +{{ end }} +{{ $contents := index dict "" }} +{{ range $fileName := $fileNames }} + {{ if kindIs "invalid" $contents }} + {{ $contents = index $._rox.meta.fileOverrides $fileName }} + {{ end }} + {{ if kindIs "invalid" $contents }} + {{ range $path, $_ := $.Files.Glob $fileName }} + {{ if kindIs "invalid" $contents }} + {{ $contents = $.Files.Get $path }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ if not (kindIs "invalid" $contents) }} + {{ $_ := set $out "contents" $contents }} +{{ end }} +{{ $_ := set $out "found" (not (kindIs "invalid" $contents)) }} +{{ end }} + + +{{/* + srox.checkGenerated $ $cfgPath + + Checks if the value at configuration path $cfgPath (e.g., "central.adminPassword.value") was + generated. Evaluates to the string "true" if this is the case, and an empty string otherwise. + */}} +{{- define "srox.checkGenerated" -}} +{{- $ := index . 0 -}} +{{- $cfgPath := index . 1 -}} +{{- $genCfg := $._rox._state.generated -}} +{{- $exists := true -}} +{{- range $pathElem := splitList "." 
$cfgPath -}} + {{- if $exists -}} + {{- if hasKey $genCfg $pathElem -}} + {{- $genCfg = index $genCfg $pathElem -}} + {{- else -}} + {{- $exists = false -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $exists -}} +true +{{- end -}} +{{- end -}} diff --git a/rhacs/4.3.5/central-services/templates/_image-pull-secrets.tpl b/rhacs/4.3.5/central-services/templates/_image-pull-secrets.tpl new file mode 100644 index 0000000..9747e26 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_image-pull-secrets.tpl 
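Review bot: In `srox.loadFile` the names passed in are fed to `$.Files.Glob`, so glob patterns are accepted and the first matching path wins, but the header comment only talks about "file names" tried "in order"; the comment should state that each entry is a glob and that overrides from `$._rox.meta.fileOverrides` are consulted before the chart files. Also "Misceallaneous" at the top of `_helpers.tpl` is a typo.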
@@ -0,0 +1,85 @@ +{{/* + srox.configureImagePullSecrets $ $cfgName $imagePullSecrets $secretResourceName $defaultSecretNames $namespace + + Configures image pull secrets. + + This function enriches $imagePullSecrets based on the exposed configuration parameters to contain + a list of Kubernetes secret names as `_names` to be used as image pull secrets within the chart + templates. This list contains the following secrets: + + - Secrets referenced via $imagePullSecrets.useExisting. + - Image pull secrets associated with the default service account (if + $imagePullSecrets.useFromDefaultServiceAccount is true). + - $secretResourceName, if $imagePullSecrets.username is set. + - $defaultSecretNames. */}} + +{{ define "srox.configureImagePullSecrets" }} +{{ $ := index . 0 }} +{{ $cfgName := index . 1 }} +{{ $imagePullSecrets := index . 2 }} +{{ $secretResourceName := index . 3 }} +{{ $defaultSecretNames := index . 4 }} +{{ $namespace := index . 5 }} + +{{ $imagePullSecretNames := default list $imagePullSecrets.useExisting }} +{{ if not (kindIs "slice" $imagePullSecretNames) }} + {{ $imagePullSecretNames = regexSplit "\\s*[,;]\\s*" (trim $imagePullSecretNames) -1 }} +{{ end }} +{{ if $imagePullSecrets.useFromDefaultServiceAccount }} + {{ $defaultSA := dict }} + {{ include "srox.safeLookup" (list $ $defaultSA "v1" "ServiceAccount" $namespace "default") }} + {{ if $defaultSA.result }} + {{ range $ips := default list $defaultSA.result.imagePullSecrets }} + {{ if $ips.name }} + {{ $imagePullSecretNames = append $imagePullSecretNames $ips.name }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ $imagePullCreds := dict }} +{{ if $imagePullSecrets._username }} + {{ $imagePullCreds = dict "username" $imagePullSecrets._username "password" $imagePullSecrets._password }} + {{ $imagePullSecretNames = append $imagePullSecretNames $secretResourceName }} +{{ else if $imagePullSecrets._password }} + {{ $msg := printf "Username missing in %q. 
Whenever an image pull password is specified, a username must be specified as well" $cfgName }} + {{ include "srox.fail" $msg }} +{{ end }} +{{ if and $.Release.IsInstall (not $imagePullSecretNames) (not $imagePullSecrets.allowNone) }} + {{ $msg := printf "You have not specified any image pull secrets, and no existing image pull secrets were automatically inferred. If your registry does not need image pull credentials, explicitly set the '%s.allowNone' option to 'true'" $cfgName }} + {{ include "srox.fail" $msg }} +{{ end }} + +{{ $imagePullSecretNames = concat (append $imagePullSecretNames $secretResourceName) $defaultSecretNames | uniq | sortAlpha }} +{{ $_ := set $imagePullSecrets "_names" $imagePullSecretNames }} +{{ $_ := set $imagePullSecrets "_creds" $imagePullCreds }} + +{{ end }} + +{{ define "srox.configureImagePullSecretsForDockerRegistry" }} +{{ $ := index . 0 }} +{{ $imagePullSecrets := index . 1 }} + +{{/* Setup Image Pull Secrets for Docker Registry. + Note: This must happen afterwards, as we rely on "srox.configureImage" to collect the + set of all referenced images first. */}} +{{ if $imagePullSecrets._username }} + {{ $dockerAuths := dict }} + {{ range $image := keys $._rox._state.referencedImages }} + {{ $registry := splitList "/" $image | first }} + {{ if eq $registry "docker.io" }} + {{/* Special case docker.io */}} + {{ $registry = "https://index.docker.io/v1/" }} + {{ else }} + {{ $registry = printf "https://%s" $registry }} + {{ end }} + {{ $_ := set $dockerAuths $registry dict }} + {{ end }} + {{ $authToken := printf "%s:%s" $imagePullSecrets._username $imagePullSecrets._password | b64enc }} + {{ range $regSettings := values $dockerAuths }} + {{ $_ := set $regSettings "auth" $authToken }} + {{ end }} + + {{ $_ := set $imagePullSecrets "_dockerAuths" $dockerAuths }} +{{ end }} + +{{ end }} 
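Review bot: `srox.configureImagePullSecrets` fails when `_password` is set without `_username`, but not the reverse: with `_username` set and `_password` nil, `srox.configureImagePullSecretsForDockerRegistry` still runs `printf "%s:%s" $imagePullSecrets._username $imagePullSecrets._password | b64enc`, and Go's fmt renders the nil as `%!s(<nil>)`, producing a malformed auth entry in the generated docker config rather than a clear error. Add a symmetric check, e.g. fail with "Password missing in %q" when `_username` is set but `_password` is not. Separately, the header comment says `$secretResourceName` is included "if $imagePullSecrets.username is set", yet the line `concat (append $imagePullSecretNames $secretResourceName) $defaultSecretNames` appends it unconditionally; the comment should reflect that.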
diff --git a/rhacs/4.3.5/central-services/templates/_images.tpl b/rhacs/4.3.5/central-services/templates/_images.tpl new file mode 100644 index 0000000..dced29d --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_images.tpl @@ -0,0 +1,34 @@ +{{/* + srox.configureImage $ $imageCfg + + Configures settings for a single image by augmenting/completing an existing image configuration + stanza. + + If $imageCfg.fullRef is empty: + First, the image registry is determined by inspecting $imageCfg.registry and, if this is empty, + $._rox.image.registry, ultimately defaulting to `docker.io`. The full image ref is then + constructed from the registry, $imageCfg.name (must be non-empty), and $imageCfg.tag (may be + empty, in which case "latest" is assumed). The result is stored in $imageCfg.fullRef. + + Afterwards (irrespective of the previous check), $imageCfg.fullRef is modified by prepending + "docker.io/" if and only if it did not contain a remote yet (i.e., the part before the first "/" + did not contain a dot (DNS name) or colon (port)). + + Finally, the resulting $imageCfg.fullRef is stored as a dict entry with value `true` in the + $._rox._state.referencedImages dict. + */}} +{{ define "srox.configureImage" }} +{{ $ := index . 0 }} +{{ $imageCfg := index . 1 }} +{{ $imageRef := $imageCfg.fullRef }} +{{ if not $imageRef }} + {{ $imageRef = printf "%s/%s:%s" (coalesce $imageCfg.registry $._rox.image.registry "docker.io") $imageCfg.name (default "latest" $imageCfg.tag) }} +{{ end }} +{{ $imageComponents := splitList "/" $imageRef }} +{{ $firstComponent := index $imageComponents 0 }} +{{ if or (lt (len $imageComponents) 2) (and (not (contains ":" $firstComponent)) (not (contains "." $firstComponent))) }} + {{ $imageRef = printf "docker.io/%s" $imageRef }} +{{ end }} +{{ $_ := set $imageCfg "fullRef" $imageRef }} +{{ $_ = set $._rox._state.referencedImages $imageRef true }} +{{ end }} 
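Review bot: In `srox.configureImage`, the registry heuristic `(and (not (contains ":" $firstComponent)) (not (contains "." $firstComponent)))` treats `localhost/foo:tag` as a Docker Hub image and rewrites it to `docker.io/localhost/foo:tag`; Docker's reference normalization special-cases `localhost` as a registry host, so a local registry without a port would be mis-resolved. Consider adding `(ne $firstComponent "localhost")` to the condition and mentioning the exception in the header comment, which currently describes only the dot/colon rule.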
diff --git a/rhacs/4.3.5/central-services/templates/_init.tpl b/rhacs/4.3.5/central-services/templates/_init.tpl new file mode 100644 index 0000000..6708058 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_init.tpl 
@@ -0,0 +1,285 @@ +{{/* + srox.init $ + + Initialization template for the internal data structures. + This template is designed to be included in every template file, but will only be executed + once by leveraging state sharing between templates. + */}} +{{ define "srox.init" }} + +{{ $ := . }} + +{{/* + On first(!) instantiation, set up the $._rox structure, containing everything required by + the resource template files. + */}} +{{ if not $._rox }} + +{{/* + Initial Setup + */}} + +{{/* + $rox / ._rox is the dictionary in which _all_ data that is modified by the init logic + is stored. + We ensure that it has the required shape, and then right after merging the user-specified + $.Values, we apply some bootstrap defaults. + */}} +{{ $rox := deepCopy $.Values }} +{{ $_ := set $ "_rox" $rox }} + +{{/* Global state (accessed from sub-templates) */}} +{{ $generatedName := printf "stackrox-generated-%s" (randAlphaNum 6 | lower) }} +{{ $state := dict "customCertGen" false "generated" dict "generatedName" $generatedName "notes" list "warnings" list "referencedImages" dict }} +{{ $_ = set $._rox "_state" $state }} + +{{ $configShape := $.Files.Get "internal/config-shape.yaml" | fromYaml }} +{{ $configShapeScanner := $.Files.Get "internal/scanner-config-shape.yaml" | fromYaml}} + +{{ $_ = include "srox.mergeInto" (list $rox $configShape $configShapeScanner (tpl ($.Files.Get "internal/bootstrap-defaults.yaml.tpl") . | fromYaml)) }} +{{ $_ = set $._rox "_configShape" $configShape }} + +{{/* + General validation. + */}} +{{ if ne $.Release.Namespace "stackrox" }} + {{ if $._rox.allowNonstandardNamespace }} + {{ include "srox.note" (list $ (printf "You have chosen to deploy to namespace '%s'." $.Release.Namespace)) }} + {{ else }} + {{ include "srox.fail" (printf "You have chosen to deploy to namespace '%s', not 'stackrox'. If this was accidental, please re-run helm with the '-n stackrox' option. 
Otherwise, if you need to deploy into this namespace, set the 'allowNonstandardNamespace' configuration value to true." $.Release.Namespace) }} + {{ end }} +{{ end }} + +{{ if ne $.Release.Name $.Chart.Name }} + {{ if $._rox.allowNonstandardReleaseName }} + {{ include "srox.warn" (list $ (printf "You have chosen a release name of '%s', not '%s'. Accompanying scripts and commands in documentation might require adjustments." $.Release.Name $.Chart.Name)) }} + {{ else }} + {{ include "srox.fail" (printf "You have chosen a release name of '%s', not '%s'. We strongly recommend using the standard release name. If you must use a different name, set the 'allowNonstandardReleaseName' configuration option to true." $.Release.Name $.Chart.Name) }} + {{ end }} +{{ end }} + + +{{ if and $.Release.IsInstall (not ._rox.central.persistence.none)}} + {{ include "srox.fail" (printf "Starting from 4.1, we stop creating central PVC during installation. Databases and persistent data are stored in Central DB or external databases. You may use `--set central.persistence.none=true` during Helm install to override default persistence config. Got %v" $._rox.central.persistence) }} +{{ end }} + + +{{ if $._rox.central.db.external }} + {{ if not $._rox.central.db.source.connectionString }} + {{ include "srox.warn" (list $ "You have chosen to bring your own Central DB without providing its connection string. We are using the default source string. To ensure the connection to your Central DB, you may override it with `--set central.db.source.connectionString=`.") }} + {{ end }} + {{ if not $._rox.central.db.password.value }} + {{ include "srox.warn" (list $ "You have chosen to bring your own Central DB without providing its password. We are using a generated password for now. 
To ensure the connection to your Central DB, you may provide your DB password by `--set central.db.password.value=`.") }} + {{ end }} +{{ end }} + +{{/* Initialize global prefix */}} +{{- include "srox.initGlobalPrefix" (list $) -}} + +{{/* + API Server setup. The problem with `.Capabilities.APIVersions` is that Helm does not + allow setting overrides for those when using `helm template` or `--dry-run`. Thus, + if we rely on `.Capabilities.APIVersions` directly, we lose flexibility for our chart + in these settings. Therefore, we use custom fields such that a user in principle has + the option to inject via `--set`/`-f` everything we rely upon. + */}} +{{ $apiResources := list }} +{{ if not (kindIs "invalid" $._rox.meta.apiServer.overrideAPIResources) }} + {{ $apiResources = $._rox.meta.apiServer.overrideAPIResources }} +{{ else }} + {{ range $apiResource := $.Capabilities.APIVersions }} + {{ $apiResources = append $apiResources $apiResource }} + {{ end }} +{{ end }} +{{ if $._rox.meta.apiServer.extraAPIResources }} + {{ $apiResources = concat $apiResources $._rox.meta.apiServer.extraAPIResources }} +{{ end }} +{{ $apiServerVersion := coalesce $._rox.meta.apiServer.version $.Capabilities.KubeVersion.Version }} +{{ $apiServer := dict "apiResources" $apiResources "version" $apiServerVersion }} +{{ $_ = set $._rox "_apiServer" $apiServer }} + +{{/* + Environment setup - part 1 + */}} +{{ $env := $._rox.env }} + +{{/* Detect openshift version */}} +{{ include "srox.autoSenseOpenshiftVersion" (list $) }} + +{{/* Openshift monitoring */}} +{{ if $._rox.enableOpenShiftMonitoring }} + {{ include "srox.warn" (list . "enableOpenShiftMonitoring option was replaced with monitoring.openshift.enabled") }} + {{ $_ := set $._rox "monitoring" (dict "openshift" (dict "enabled" true)) }} +{{ end }} +{{/* Default `monitoring.openshift.enabled = true` unless `env.openshift != 4`. 
*/}} +{{ if kindIs "invalid" $._rox.monitoring.openshift.enabled }} +{{ $_ := set $._rox "monitoring" (dict "openshift" (dict "enabled" (eq $._rox.env.openshift 4))) }} +{{ end }} +{{ if and $._rox.monitoring.openshift.enabled (ne $._rox.env.openshift 4) }} + {{ include "srox.warn" (list . "'monitoring.openshift.enabled' is set to true, but the chart is not being deployed in an OpenShift 4 cluster. Proceeding with 'monitoring.openshift.enabled=false'.") }} + {{ $_ := set $._rox "monitoring" (dict "openshift" (dict "enabled" false)) }} +{{ end }} +{{ if $._rox.monitoring.openshift.enabled }} + {{ $_ := set $._rox.central "monitoring" dict }} + {{ include "srox.mergeInto" (list $._rox.central.monitoring $._rox.monitoring) }} +{{ end }} + +{{/* Infer GKE, if needed */}} +{{ if kindIs "invalid" $env.platform }} + {{ $platform := "default" }} + {{ if contains "-gke." $._rox._apiServer.version }} + {{ include "srox.note" (list $ "Based on API server properties, we have inferred that you are deploying into a GKE cluster. Set the `env.platform` property to a concrete value to override the auto-sensed value.") }} + {{ $platform = "gke" }} + {{ end }} + {{ $_ := set $env "platform" $platform }} +{{ end }} +{{/* Detect enablePodSecurityPolicies */}} +{{ include "srox.autoSensePodSecurityPolicies" (list $) }} + + +{{ $_ := set $env "installMethod" "helm" }} + + +{{/* Apply defaults */}} +{{ $defaultsCfg := dict }} +{{ $platformCfgFile := dict }} +{{ include "srox.loadFile" (list $ $platformCfgFile (printf "internal/platforms/%s.yaml" $env.platform)) }} +{{ if not $platformCfgFile.found }} + {{ include "srox.fail" (printf "Invalid platform %q. Please select a valid platform, or leave this field unset." 
$env.platform) }} +{{ end }} +{{ $_ = include "srox.mergeInto" (list $defaultsCfg (fromYaml $platformCfgFile.contents) ($.Files.Get "internal/defaults.yaml" | fromYaml)) }} +{{ $_ = set $rox "_defaults" $defaultsCfg }} +{{ $_ = include "srox.mergeInto" (list $rox $defaultsCfg.defaults) }} + + +{{/* Expand applicable config values */}} +{{ $expandables := $.Files.Get "internal/expandables.yaml" | fromYaml }} +{{ include "srox.expandAll" (list $ $rox $expandables) }} + +{{/* Initial image pull secret setup. + + Always assume that there are `stackrox` and `stackrox-scanner` image pull secrets, + even if they weren't specified. + This is required for updates anyway, so referencing it on first install will minimize a later + diff. */}} +{{ include "srox.configureImagePullSecrets" (list $ "imagePullSecrets" $._rox.imagePullSecrets "stackrox" (list "stackrox" "stackrox-scanner") $.Release.Namespace) }} + +{{/* Global CA setup */}} +{{ $caCertSpec := dict "CN" "StackRox Certificate Authority" "ca" true }} +{{ include "srox.configureCrypto" (list $ "ca" $caCertSpec) }} + +{{/* Additional CAs. 
*/}} +{{ $additionalCAList := list }} +{{ if kindIs "string" $._rox.additionalCAs }} + {{ if trim $._rox.additionalCAs }} + {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $._rox.additionalCAs) }} + {{ end }} +{{ else if kindIs "slice" $._rox.additionalCAs }} + {{ range $contents := $._rox.additionalCAs }} + {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $contents) }} + {{ end }} +{{ else if kindIs "map" $._rox.additionalCAs }} + {{ range $name := keys $._rox.additionalCAs | sortAlpha }} + {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (get $._rox.additionalCAs $name)) }} + {{ end }} +{{ else if not (kindIs "invalid" $._rox.additionalCAs) }} + {{ include "srox.fail" (printf "Invalid kind %s for additionalCAs" (kindOf $._rox.additionalCAs)) }} +{{ end }} +{{ range $path, $contents := .Files.Glob "secrets/additional-cas/**" }} + {{ $name := trimPrefix "secrets/additional-cas/" $path }} + {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (toString $contents)) }} +{{ end }} +{{ $additionalCAs := dict }} +{{ range $idx, $elem := $additionalCAList }} + {{ if not (kindIs "string" $elem.contents) }} + {{ include "srox.fail" (printf "Invalid non-string contents kind %s at index %d (%q) of additionalCAs" (kindOf $elem.contents) $idx $elem.name) }} + {{ end }} + {{/* In a k8s secret, no characters other than alphanumeric, '.', '_' and '-' are allowed. Also, for the + update-ca-certificates script to work, the file names must end in '.crt'. */}} + + {{ $normalizedName := printf "%02d-%s.crt" $idx (regexReplaceAll "[^[:alnum:]._-]" $elem.name "-" | trimSuffix ".crt") }} + {{ $_ := set $additionalCAs $normalizedName $elem.contents }} +{{ end }} +{{ $_ = set $._rox "_additionalCAs" $additionalCAs }} + +{{/* Proxy configuration. 
+ Note: The reason this is different is that unlike the endpoints config, the proxy configuration + might contain sensitive data and thus might _not_ be stored in the always available canonical + values file. However, this is probably rare. Therefore, for this particular instance we do decide + to rely on lookup magic for initially populating the secret with a default proxy config. + However, we won't take any chances, and therefore only create that secret if we can be reasonably + confident that lookup actually works, by trying to lookup the default service account. + */}} +{{ $proxyCfg := $env._proxyConfig }} +{{ $fileOut := dict }} +{{ include "srox.loadFile" (list $ $fileOut "config/proxy-config.yaml") }} +{{ if $fileOut.found }} + {{ if not (kindIs "invalid" $proxyCfg) }} + {{ include "srox.fail" "Both env.proxyConfig was specified, and a config/proxy-config.yaml was found. Please remove/rename the config file, or comment out the env.proxyConfig stanza." }} + {{ end }} + {{ $proxyCfg = $fileOut.contents }} +{{ end }} + +{{/* On first install, create a default proxy config, but only if we can be sure none exists. */}} +{{ if kindIs "invalid" $proxyCfg }} + {{ if $.Release.IsInstall }} + {{ $lookupOut := dict }} + {{ include "srox.safeLookup" (list $ $lookupOut "v1" "Secret" $.Release.Namespace "proxy-config") }} + {{ if and $lookupOut.reliable (not $lookupOut.result) }} + {{ $fileOut := dict }} + {{ include "srox.loadFile" (list $ $fileOut "config/proxy-config.yaml.default") }} + {{ $proxyCfg = $fileOut.contents }} + {{ end }} + {{ end }} +{{ end }} +{{ $_ = set $env "_proxyConfig" $proxyCfg }} +{{ $_ = set $._rox "_renderMode" "renderAll" }} + +{{/* + Central setup. + */}} + + +{{ include "srox.centralSetup" $ }} + + +{{/* + Scanner setup. 
+ */}} + +{{ $scannerCfg := $._rox.scanner }} + +{{ if and $scannerCfg.disable (or $.Release.IsInstall $.Release.IsUpgrade) }} + {{/* We generally don't recommend customers run without scanner, so show a warning to the user */}} + {{ $action := ternary "deploy StackRox Central Services without Scanner" "upgrade StackRox Central Services without Scanner (possibly removing an existing Scanner deployment)" $.Release.IsInstall }} + {{ include "srox.warn" (list $ (printf "You have chosen to %s. Certain features dependent on image scanning might not work." $action)) }} +{{ else if not $scannerCfg.disable }} + {{ if and (ne $scannerCfg.mode "full") (ne $scannerCfg.mode "") }} + {{ include "srox.fail" (print "Only scanner full mode is allowed in Central. To solve this, set to full mode: scanner.mode=full.") }} + {{ end }} + {{ include "srox.scannerInit" (list $ $scannerCfg) }} +{{ end }} + + +{{/* + Post-processing steps. + */}} + + +{{/* Compact the post-processing config to prevent it from appearing non-empty if it doesn't + contain any concrete (leaf) values. */}} +{{ include "srox.compactDict" (list $._rox._state.generated -1) }} + +{{/* Setup Image Pull Secrets for Docker Registry. + Note: This must happen afterwards, as we rely on "srox.configureImage" to collect the + set of all referenced images first. */}} +{{ include "srox.configureImagePullSecretsForDockerRegistry" (list $ ._rox.imagePullSecrets) }} + +{{/* Final warnings based on state. */}} +{{ if $._rox._state.customCertGen }} + {{ include "srox.warn" (list $ "At least one certificate was generated by Helm. Helm limits the generation of custom certificates to RSA private keys, which have poorer computational performance. Consider using roxctl for certificate generation of certificates with ECDSA private keys for improved performance. (THIS IS NOT A SECURITY ISSUE)") }} +{{ end }} + +{{ end }} + +{{ end }} 
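Review bot: In the OpenShift monitoring block of `srox.init`, all three assignments of the form `set $._rox "monitoring" (dict "openshift" (dict "enabled" ...))` replace the whole `monitoring` map, so any sibling keys the user placed under `monitoring` are discarded before `srox.mergeInto (list $._rox.central.monitoring $._rox.monitoring)` copies it into the Central config. Setting only the leaf, e.g. `set $._rox.monitoring.openshift "enabled" false`, or merging a nested dict with `srox.mergeInto`, keeps the rest of the user's monitoring settings intact.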
diff --git a/rhacs/4.3.5/central-services/templates/_injected-ca-bundle.tpl b/rhacs/4.3.5/central-services/templates/_injected-ca-bundle.tpl new file mode 100644 index 0000000..f831139 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_injected-ca-bundle.tpl @@ -0,0 +1,29 @@ +{{/* + srox.injectedCABundleVolume + + Configures ConfigMap volume to use in a deployment. + */}} +{{- define "srox.injectedCABundleVolume" -}} +{{- if eq ._rox.env.openshift 4 }} +- name: trusted-ca-volume + configMap: + name: injected-cabundle-{{ .Release.Name }} + items: + - key: ca-bundle.crt + path: tls-ca-bundle.pem + optional: true +{{ end }} +{{ end }} + +{{/* + srox.injectedCABundleVolumeMount + + Mounts the srox.injectedCABundle volume to a container. + */}} +{{- define "srox.injectedCABundleVolumeMount" -}} +{{- if eq ._rox.env.openshift 4 }} +- name: trusted-ca-volume + mountPath: /etc/pki/injected-ca-trust/ + readOnly: true +{{ end }} +{{ end }} diff --git a/rhacs/4.3.5/central-services/templates/_labels.tpl b/rhacs/4.3.5/central-services/templates/_labels.tpl new file mode 100644 index 0000000..b98b06c --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_labels.tpl 
@@ -0,0 +1,31 @@ +{{/* + srox._labels $labels $ $objType $objName $forPod + + Writes all applicable [pod] labels (including default labels) for $objType/$objName + into $labels. Pod labels are written iff $forPod is true. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.labels". + */}} +{{ define "srox._labels" }} +{{ $labels := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $forPod := index . 4 }} +{{ $_ := set $labels "app.kubernetes.io/name" "stackrox" }} +{{ $_ = set $labels "app.kubernetes.io/managed-by" $.Release.Service }} +{{ $_ = set $labels "helm.sh/chart" (printf "%s-%s" $.Chart.Name ($.Chart.Version | replace "+" "_")) }} +{{ $_ = set $labels "app.kubernetes.io/instance" $.Release.Name }} +{{ $_ = set $labels "app.kubernetes.io/version" $.Chart.AppVersion }} +{{ $_ = set $labels "app.kubernetes.io/part-of" "stackrox-central-services" }} +{{ $component := regexReplaceAll "^.*/\\d{2}-([a-z]+)-\\d{2}-[^/]+\\.yaml" $.Template.Name "${1}" }} +{{ if not (contains "/" $component) }} + {{ $_ = set $labels "app.kubernetes.io/component" $component }} +{{ end }} +{{ $metadataNames := list "labels" }} +{{ if $forPod }} + {{ $metadataNames = append $metadataNames "podLabels" }} +{{ end }} +{{ include "srox._customizeMetadata" (list $ $labels $objType $objName $metadataNames) }} +{{ end }} diff --git a/rhacs/4.3.5/central-services/templates/_lookup.tpl b/rhacs/4.3.5/central-services/templates/_lookup.tpl new file mode 100644 index 0000000..2dc0aa9 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_lookup.tpl 
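Review bot: Whitespace control is inconsistent in both helpers of `_injected-ca-bundle.tpl`: `{{- define` and `{{- if` trim leading whitespace, but the closing `{{ end }}` lines do not, so a rendered deployment picks up blank lines inside the `volumes:` / `volumeMounts:` lists; use `{{- end }}` / `{{- end -}}` to match. The `eq ._rox.env.openshift 4` gate also means the trusted CA bundle volume is omitted whenever the version resolves to 3, which is the `helm template` fallback in `_openshift.tpl`; say so in the comment so OpenShift 4 users rendering offline know to set `env.openshift=4` explicitly.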
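Review bot: In `srox._labels` the component detection relies on `regexReplaceAll` returning the input unchanged when the pattern does not match, and on that unmatched `$.Template.Name` always containing a `/` (true for Helm's `chart/templates/...` names); the `if not (contains "/" $component)` check needs a one-line comment explaining that, otherwise the reader has to reverse-engineer it. The header comment could likewise mention that only the `labels` and `podLabels` sub-dicts of `._rox.customize` (the `$metadataNames` built at the end) are consulted.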
@@ -0,0 +1,40 @@ +{{/* + srox.safeLookup $ $out $apiVersion $kind $ns $name + + This function does nothing if $.meta.useLookup is false; otherwise, it will + perform a `lookup $apiVersion $kind $ns $name` operation and store the result in + $out.result. + + Additionally, if a lookup was attempted, $out.reliable will contain a bool indicating + whether the result of lookup can be relied upon. This is determined to be the case if + the default service account in the release namespace can be found. + */}} +{{ define "srox.safeLookup" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ if $._rox.meta.useLookup }} + {{ if kindIs "invalid" $._rox._state.lookupWorks }} + {{ $testOut := dict }} + {{ include "srox._doLookup" (list $ $testOut "v1" "ServiceAccount" $.Release.Namespace "default") }} + {{ $_ := set $._rox._state "lookupWorks" ($testOut.result | not | not) }} + {{ end }} + {{ include "srox._doLookup" . }} + {{ $_ := set $out "reliable" $._rox._state.lookupWorks }} +{{ end }} +{{ end }} + + +{{/* + srox._doLookup $ $out $apiVersion $kind $ns $name + + Calls "lookup" with arguments $apiVersion $kind $ns $name, and stores the result + in $out.result. + + This function exists to prevent a parse error if the lookup function isn't defined. It does + so by deferring the execution of lookup to a template string instantiated via `tpl`. + */}} +{{ define "srox._doLookup" }} +{{ $ := index . 0 }} +{{ $tplArgs := dict "Template" $.Template "out" (index . 1) "apiVersion" (index . 2) "kind" (index . 3) "ns" (index . 4) "name" (index . 5) }} +{{ $_ := tpl "{{ $_ := set .out \"result\" (lookup .apiVersion .kind .ns .name) }}" $tplArgs }} +{{ end }} diff --git a/rhacs/4.3.5/central-services/templates/_metadata.tpl b/rhacs/4.3.5/central-services/templates/_metadata.tpl new file mode 100644 index 0000000..3ed131f --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_metadata.tpl 
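Review bot: The header comment of `srox.safeLookup` says the function does nothing when `$.meta.useLookup` is false, but the code checks `$._rox.meta.useLookup`; fix the path. In that no-op case `$out.reliable` and `$out.result` are never set, so callers such as the proxy-config code in `_init.tpl` (`and $lookupOut.reliable (not $lookupOut.result)`) treat a disabled lookup as unreliable and skip creating the secret. That fail-closed behaviour is the right default, but the comment should state it: `reliable` is only populated when a lookup was actually attempted.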
@@ -0,0 +1,194 @@ +{{/* + srox.labels $ $objType $objName + + Format labels for $objType/$objName as YAML. + */}} +{{- define "srox.labels" -}} +{{- $labels := dict -}} +{{- $_ := include "srox._labels" (append (prepend . $labels) false) -}} +{{- toYaml $labels -}} +{{- end -}} + +{{/* + srox.podLabels $ $objType $objName + + Format pod labels for $objType/$objName as YAML. + */}} +{{- define "srox.podLabels" -}} +{{- $labels := dict -}} +{{- $_ := include "srox._labels" (append (prepend . $labels) true) -}} +{{- toYaml $labels -}} +{{- end -}} + +{{/* + srox.annotations $ $objType $objName + + Format annotations for $objType/$objName as YAML. + */}} +{{- define "srox.annotations" -}} +{{- $annotations := dict -}} +{{- $_ := include "srox._annotations" (append (prepend . $annotations) false) -}} +{{- toYaml $annotations -}} +{{- end -}} + +{{/* + srox.podAnnotations $ $objType $objName + + Format pod annotations for $objType/$objName as YAML. + */}} +{{- define "srox.podAnnotations" -}} +{{- $annotations := dict -}} +{{- $_ := include "srox._annotations" (append (prepend . $annotations) true) -}} +{{- toYaml $annotations -}} +{{- end -}} + +{{/* + srox.envVars $ $objType $objName $containerName + + Format environment variables for container $containerName in + $objType/$objName as YAML. + */}} +{{- define "srox.envVars" -}} +{{- $envVars := dict -}} +{{- $_ := include "srox._envVars" (prepend . $envVars) -}} +{{- range $k := keys $envVars | sortAlpha -}} +{{- $v := index $envVars $k }} +- name: {{ quote $k }} +{{- if kindIs "map" $v }} + {{- toYaml $v | nindent 2 }} +{{- else }} + value: {{ quote $v }} +{{- end }} +{{ end -}} +{{- end -}} + +{{/* + srox._annotations $annotations $ $objType $objName $forPod + + Writes all applicable [pod] annotations (including default annotations) for + $objType/$objName into $annotations. Pod labels are written iff $forPod is true. 
+ + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.annotations". + */}} +{{ define "srox._annotations" }} +{{ $annotations := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $forPod := index . 4 }} +{{ $_ := set $annotations "meta.helm.sh/release-namespace" $.Release.Namespace }} +{{ $_ = set $annotations "meta.helm.sh/release-name" $.Release.Name }} +{{ $_ = set $annotations "owner" "stackrox" }} +{{ $_ = set $annotations "email" "support@stackrox.com" }} +{{ $metadataNames := list "annotations" }} +{{ if $forPod }} + {{ $metadataNames = append $metadataNames "podAnnotations" }} +{{ end }} +{{ include "srox._customizeMetadata" (list $ $annotations $objType $objName $metadataNames) }} +{{ end }} + +{{/* + srox._envVars $envVars $ $objType $objName $containerName + + Writes all applicable environment variables for $objType/$objName + into $envVars. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.envVars". + */}} +{{ define "srox._envVars" }} +{{ $envVars := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $containerName := index . 
4 }} +{{ $metadataNames := list "envVars" }} +{{ include "srox._customizeMetadata" (list $ $envVars $objType $objName $metadataNames) }} +{{ if $containerName }} + {{ $containerKey := printf "/%s" $containerName }} + {{ $envVarsForContainer := index $envVars $containerKey }} + {{ if $envVarsForContainer }} + {{ include "srox.destructiveMergeOverwrite" (list $envVars $envVarsForContainer) }} + {{ end }} +{{ end }} + +{{/* Remove all entries starting with / */}} +{{ range $key, $_ := $envVars }} + {{ if hasPrefix "/" $key }} + {{ $_ := unset $envVars $key }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox._customizeMetadata $ $metadata $objType $objName $metadataNames + + Writes custom key/value metadata to $metadata by consulting all sub-dicts with names in + $metadataNames under the applicable custom metadata locations (._rox.customize, + ._rox.customize.other.$objType/*, ._rox.customize.other.$objType/$objName, and + ._rox.customizer.$objName [workloads only]). Dictionaries are consulted in this order, with + values from dictionaries consulted later overwriting values from dictionaries consulted + earlier. + */}} +{{ define "srox._customizeMetadata" }} +{{ $ := index . 0 }} +{{ $metadata := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $metadataNames := index . 
4 }} + +{{ $overrideDictPaths := list "" (printf "other.%s/*" $objType) (printf "other.%s/%s" $objType $objName) }} +{{ if has $objType (list "deployment" "daemonset") }} + {{ $overrideDictPaths = append $overrideDictPaths $objName }} +{{ end }} + +{{ range $dictPath := $overrideDictPaths }} + {{ $customizeDict := $._rox.customize }} + {{ if $dictPath }} + {{ $resolvedOut := dict }} + {{ include "srox.safeDictLookup" (list $._rox.customize $resolvedOut $dictPath) }} + {{ $customizeDict = $resolvedOut.result }} + {{ end }} + {{ if $customizeDict }} + {{ range $metadataName := $metadataNames }} + {{ $customMetadata := index $customizeDict $metadataName }} + {{ include "srox.destructiveMergeOverwrite" (list $metadata $customMetadata) }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} + +{{/* Add namespace specific prefixes for global resources to avoid resource name clashes for multi-namespace deployments. */}} +{{- define "srox.globalResourceName" -}} +{{- $ := index . 0 -}} +{{- $name := index . 1 -}} + +{{- if eq $.Release.Namespace "stackrox" -}} + {{- /* Standard namespace, use resource name as is. */ -}} + {{- $name -}} +{{- else -}} + {{- /* Add global prefix to resource name. */ -}} + {{- printf "%s-%s" $._rox.globalPrefix (trimPrefix "stackrox-" $name) -}} +{{- end -}} +{{- end -}} + +{{/* + srox.initGlobalPrefix $ + + Initializes prefix for global resources. + */}} +{{- define "srox.initGlobalPrefix" -}} +{{- $ := index . 0 -}} +{{ if kindIs "invalid" $._rox.globalPrefix }} + {{ if eq $.Release.Namespace "stackrox" }} + {{ $_ := set $._rox "globalPrefix" "stackrox" }} + {{ else }} + {{ $_ := set $._rox "globalPrefix" (printf "stackrox-%s" (trimPrefix "stackrox-" $.Release.Namespace)) }} + {{ end }} +{{ end }} + +{{ if ne $._rox.globalPrefix "stackrox" }} + {{ include "srox.note" (list $ (printf "Global Kubernetes resources are prefixed with '%s'." $._rox.globalPrefix)) }} +{{- end -}} +{{- end -}} 
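Review bot: Two copy-paste slips in the doc comments: `srox._annotations` says "Pod labels are written iff $forPod is true" where it means pod annotations, and `srox._customizeMetadata` lists `._rox.customizer.$objName` while the code resolves `$objName` relative to `$._rox.customize` (`append $overrideDictPaths $objName`), so the last path should read `._rox.customize.$objName`. Also, `srox.globalResourceName` / `srox.initGlobalPrefix` derive the prefix from `$.Release.Namespace` alone, so two releases in the same namespace still produce identical names for cluster-scoped resources; the "multi-namespace deployments" wording is accurate, but it is worth stating that a second release in one namespace is not covered.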
diff --git a/rhacs/4.3.5/central-services/templates/_openshift.tpl b/rhacs/4.3.5/central-services/templates/_openshift.tpl new file mode 100644 index 0000000..85201cb --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_openshift.tpl 
@@ -0,0 +1,47 @@ +{{/* + srox.autoSenseOpenshiftVersion $ + + This function detects the OpenShift version automatically based on the cluster the Helm chart is installed onto. + It writes the result to ._rox.env.openshift as an integer. + Possible results are: + - 3 (OpenShift 3) + - 4 (OpenShift 4) + - 0 (Non-Openshift cluster) + + If "true" is passed for $._rox.env.openshift the OpenShift version is detected based on the Kubernetes cluster version. + If the Kubernetes version is not available (i.e. when using Helm template) auto-sensing falls back on OpenShift 3 to be + backward compatible. + */}} + +{{ define "srox.autoSenseOpenshiftVersion" }} + +{{ $ := index . 0 }} +{{ $env := $._rox.env }} + +{{/* Infer OpenShift, if needed */}} +{{ if kindIs "invalid" $env.openshift }} + {{ $_ := set $env "openshift" (has "apps.openshift.io/v1" $._rox._apiServer.apiResources) }} +{{ end }} + +{{/* Infer openshift version */}} +{{ if and $env.openshift (kindIs "bool" $env.openshift) }} + {{/* Parse and add KubeVersion as semver from built-in resources. This is necessary to compare valid integer numbers. */}} + {{ $kubeVersion := semver $.Capabilities.KubeVersion.Version }} + + {{/* Default to OpenShift 3 if no openshift resources are available, i.e. in helm template commands */}} + {{ if not (has "apps.openshift.io/v1" $._rox._apiServer.apiResources) }} + {{ $_ := set $._rox.env "openshift" 3 }} + {{ else if gt $kubeVersion.Minor 11 }} + {{ $_ := set $env "openshift" 4 }} + {{ else }} + {{ $_ := set $env "openshift" 3 }} + {{ end }} + {{ include "srox.note" (list $ (printf "Based on API server properties, we have inferred that you are deploying into an OpenShift %d.x cluster. Set the `env.openshift` property explicitly to 3 or 4 to override the auto-sensed value." 
$env.openshift)) }} +{{ end }} +{{ if not (kindIs "bool" $env.openshift) }} + {{ $_ := set $env "openshift" (int $env.openshift) }} +{{ else if not $env.openshift }} + {{ $_ := set $env "openshift" 0 }} +{{ end }} + +{{ end }} diff --git a/rhacs/4.3.5/central-services/templates/_psp.tpl b/rhacs/4.3.5/central-services/templates/_psp.tpl new file mode 100644 index 0000000..bffb2a0 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_psp.tpl @@ -0,0 +1,19 @@ +{{/* + srox.autoSensePodSecurityPolicies $ + */}} + +{{ define "srox.autoSensePodSecurityPolicies" }} + +{{ $ := index . 0 }} +{{ $system := $._rox.system }} + +{{ if kindIs "invalid" $system.enablePodSecurityPolicies }} + {{ $_ := set $system "enablePodSecurityPolicies" (has "policy/v1beta1" $._rox._apiServer.apiResources) }} + {{ if $system.enablePodSecurityPolicies }} + {{ include "srox.note" (list $ (printf "PodSecurityPolicies are enabled, since your environment supports them according to API server properties.")) }} + {{ else }} + {{ include "srox.note" (list $ (printf "PodSecurityPolicies are disabled, since your environment does not support them according to API server properties.")) }} + {{ end }} +{{ end }} + +{{ end }} diff --git a/rhacs/4.3.5/central-services/templates/_reporting.tpl b/rhacs/4.3.5/central-services/templates/_reporting.tpl new file mode 100644 index 0000000..621e284 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_reporting.tpl 
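Review bot: Inside the version-inference block one branch writes `set $._rox.env "openshift" 3` while its neighbours write `set $env ...`; both alias the same dict, but use `$env` throughout so the reader does not have to verify that. The comment above the `helm template` fallback should also spell out what defaulting to OpenShift 3 affects: templates gated on `eq ._rox.env.openshift 4`, such as the injected CA bundle volume in `_injected-ca-bundle.tpl`, are not rendered, so offline renders for OpenShift 4 need `--set env.openshift=4`.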
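Review bot: In `srox.autoSensePodSecurityPolicies` both `srox.note` calls wrap a constant string in `printf` with no format arguments; pass the string directly, as `srox.note` takes a plain message. The user-facing notes should also say that `system.enablePodSecurityPolicies` can be set explicitly to override the auto-sensed value, as the OpenShift note does for `env.openshift`.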
@@ -0,0 +1,34 @@ +{{/* + srox.fail $message + + Print a nicely-formatted fatal error message and exit. + */}} +{{ define "srox.fail" }} +{{ printf "\n\nFATAL ERROR:\n%s" . | wrap 100 | fail }} +{{ end }} + +{{/* + srox.warn $ $message + + Add $message to the list of encountered warnings. + */}} +{{ define "srox.warn" }} +{{ $ := index . 0 }} +{{ $msg := index . 1 }} +{{ $warnings := $._rox._state.warnings }} +{{ $warnings = append $warnings $msg }} +{{ $_ := set $._rox._state "warnings" $warnings }} +{{ end }} + +{{/* + srox.note $ $message + + Add $message to the list notes that will be shown to the user after installation/upgrade. + */}} +{{ define "srox.note" }} +{{ $ := index . 0 }} +{{ $msg := index . 1 }} +{{ $notes := $._rox._state.notes }} +{{ $notes = append $notes $msg }} +{{ $_ := set $._rox._state "notes" $notes }} +{{ end }} diff --git a/rhacs/4.3.5/central-services/templates/_scanner_init.tpl b/rhacs/4.3.5/central-services/templates/_scanner_init.tpl new file mode 100644 index 0000000..75fbe95 --- /dev/null +++ b/rhacs/4.3.5/central-services/templates/_scanner_init.tpl 
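Review bot: `srox.warn` and `srox.note` call `append` on `$._rox._state.warnings` / `.notes` with no nil guard; Sprig's `append` errors on a nil list ("Cannot push on type invalid"), so these helpers silently depend on `_state.warnings` and `_state.notes` being initialised as lists elsewhere. Either guard locally (`$warnings := $._rox._state.warnings | default list`) or state that precondition in the header comments.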
@@ -0,0 +1,40 @@ +{{/* + srox.scannerInit . $scannerConfig + + Initializes the scanner configuration. The scanner chart has two modes "full" and + "slim". + The "full" mode is used for stand-alone deployments, mostly along with StackRox's Central service. In this + mode, the image contains vulnerability data and the Helm chart can create its own certificates. + + The "slim" mode is used to deploy Scanner with a smaller image and does not generate TLS certificates, + typically deployed within a Secured Cluster to scan images stored in a registry only accessible to the current cluster. + The scanner chart defaults to "full" mode if no mode was provided. + + $scannerConfig contains all values which are configured by the user. The structure can be viewed in the according + config-shape. See internal/scanner-config-shape.yaml. + */}} + +{{ define "srox.scannerInit" }} + +{{ $ := index . 0 }} +{{ $scannerCfg := index . 1 }} + +{{ if or (eq $scannerCfg.mode "") (eq $scannerCfg.mode "full") }} + {{ include "srox.configureImage" (list $ $scannerCfg.image) }} + {{ include "srox.configureImage" (list $ $scannerCfg.dbImage) }} + + {{ $scannerCertSpec := dict "CN" "SCANNER_SERVICE: Scanner" "dnsBase" "scanner" }} + {{ include "srox.configureCrypto" (list $ "scanner.serviceTLS" $scannerCertSpec) }} + + {{ $scannerDBCertSpec := dict "CN" "SCANNER_DB_SERVICE: Scanner DB" "dnsBase" "scanner-db" }} + {{ include "srox.configureCrypto" (list $ "scanner.dbServiceTLS" $scannerDBCertSpec) }} +{{ else if eq $scannerCfg.mode "slim" }} + {{ include "srox.configureImage" (list $ $scannerCfg.slimImage) }} + {{ include "srox.configureImage" (list $ $scannerCfg.slimDBImage) }} +{{ else }} + {{ include "srox.fail" (printf "Unknown scanner mode %s" $scannerCfg.mode) }} +{{ end }} + +{{ include "srox.configurePassword" (list $ "scanner.dbPassword") }} + +{{ end }} 
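Review bot: The header signature reads `srox.scannerInit . $scannerConfig`, but the body takes `$ := index . 0` and `_init.tpl` calls it as `(list $ $scannerCfg)`, so the first argument is `$`; fix the signature. `srox.configurePassword (list $ "scanner.dbPassword")` sits after the mode switch and so runs for every mode; it is harmless in the unknown-mode branch because `srox.fail` aborts first, but moving it into the `full` / `slim` branches would make the intent explicit. The header could also say where the mode restriction lives: this template accepts `slim`, while the central-services `_init.tpl` rejects anything but `full` before calling it.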
diff --git a/rhacs/4.3.5/central-services/values-private.yaml.example b/rhacs/4.3.5/central-services/values-private.yaml.example new file mode 100644 index 0000000..41254aa --- /dev/null +++ b/rhacs/4.3.5/central-services/values-private.yaml.example 
@@ -0,0 +1,178 @@ +# StackRox Kubernetes Security Platform - Central Services Chart +# PRIVATE configuration file. +# +# This file contains sensitive values relevant for the deployment of the +# StackRox Kubernetes Platform Central Services components. +# +# Apart from image pull secrets (see below), all the values in this file are +# optional or can be automatically generated at deployment time. +# Moreover, this file does not need to be provided (e.g., via `-f`) to a `helm upgrade` +# command, even if custom values are used - the previously set values +# will simply be preserved. +# +# The following values typically require user input, as they cannot be automatically generated +# (though each of them can be omitted): +# - `imagePullSecrets.username` and `imagePullSecrets.password` +# - `env.proxyConfig` +# - `central.defaultTLS` +# +# If you do choose to use this file (either by manually filling in values, or by +# generating it via the `roxctl central generate` command family), you must store +# it in a safe and secure place, such as a secrets management system. +# + +# # BEGIN CONFIGURATION VALUES SECTION + +# # Image pull credentials. If you do not specify these, you need to specify one of +# # the following: +# # - `imagePullSecrets.allowNone=true`: in case your registry allows pulling images without +# # credentials. +# # - `imagePullSecrets.useExisting="secret1;secret2;..."`: in case you have pre-existing image +# # pull secrets with the given name already created in the target namespace. +# # - `imagePullSecrets.useFromDefaultServiceAccount=true`: in case the default service account +# # in the target namespace is configured with sufficiently scoped image pull secrets. +# # If you do not know if any of the above applies to your situation, your best course of +# # action is probably to enter your image pull credentials here. +# imagePullSecrets: +# username: +# password: +# +# # Proxy configuration. 
This will only be required if you are running in an environment +# # where internet access is not possible by default. +# # Since this configuration may contain a proxy password, it is treated as a sensitive +# # piece of configuration. +# # The following example is a stripped-down one. For a full documentation, see the file +# # `config/proxy-config.yaml.default` that is shipped with this chart. +# env: +# proxyConfig: | +# url: http://proxy.name:port +# username: username +# password: password +# excludes: +# - some.domain +# +# +# # TLS Certificate Configuration. +# # Most of the following values are not typically required to be populated manually. You can +# # either omit them, in which case they will be auto-generated upon initial installation, +# # or they are populated when you invoke `roxctl central generate` to generate deployment +# # files. +# +# # Certificate Authority (CA) certificate for TLS certificates used internally +# # by StackRox services. +# ca: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# +# # Secret configuration options for the StackRox Central deployment. +# central: +# # Private key to use for signing JSON web tokens (JWTs), which are used +# # for authentication. Omit to auto-generate (initial deployment) or use existing +# # (upgrade). +# jwtSigner: +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# # Internal "central.stackrox" service TLS certificate for the Central deployment. +# # Omit to auto-generate (initial deployment) or use existing (upgrade). +# serviceTLS: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# +# # Default (user-facing) TLS certificate. +# # NOTE: In contrast to almost all other configuration options, this IS expected +# # to be manually populated. 
While any existing default TLS certificate secret +# # will be re-used on upgrade if this is omitted, nothing will be created on +# # initial deployment if this is not populated. +# defaultTLS: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# +# # Administrator password for logging in to the StackRox portal. +# # You can either specify a plaintext password here, or an htpasswd file with a +# # bcrypt-encrypted password. +# # If you omit this setting, a password will be automatically generated upon initial +# # installation, and the existing administrator password secret will be re-used upon +# # upgrades. +# adminPassword: +# # The plaintext value of the administrator password. If you specify a password here, +# # you must omit the `htpasswd` setting. +# value: +# # The htpasswd contents of the administrator login credentials. If you specify a +# # value here, you must omit the `value` setting. +# # The password hash MUST be bcrypt. +# htpasswd: | +# admin: +# +# # Secret configuration options for the StackRox Central DB deployment. +# db: +# # The password to be used for authenticating central database access IF USING POSTGRES. +# # This is not user-relevant and only serves to properly secure the database with a +# # pre-shared secret. If this setting is omitted, a password will be automatically generated +# # upon initial deployment, and the existing password will be used upon upgrades. +# password: +# # The plaintext value of the administrator password. +# value: +# # Internal "central-db.stackrox.svc" service TLS certificate for the Central DB deployment. +# # Omit to auto-generate (initial deployment) or use existing (upgrade). 
+# serviceTLS: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# +# # Secret configuration options for the StackRox Central deployment. +# scanner: +# # The password to be used for authenticating database access. This is not user-relevant +# # and only serves to properly secure the database with a pre-shared secret. If this +# # setting is omitted, a password will be automatically generated upon initial deployment, +# # and the existing password will be used upon upgrades. +# dbPassword: +# value: +# +# # Internal "scanner.stackrox.svc" service TLS certificate for the Scanner deployment. +# # Omit to auto-generate (initial deployment) or use existing (upgrade). +# serviceTLS: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- +# +# # Internal "scanner-db.stackrox" service TLS certificate for the Scanner DB deployment. +# # Omit to auto-generate (initial deployment) or use existing (upgrade). +# dbServiceTLS: +# cert: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN RSA PRIVATE KEY----- +# +# -----END RSA PRIVATE KEY----- diff --git a/rhacs/4.3.5/central-services/values-public.yaml.example b/rhacs/4.3.5/central-services/values-public.yaml.example new file mode 100644 index 0000000..4458bdd --- /dev/null +++ b/rhacs/4.3.5/central-services/values-public.yaml.example 
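Review bot: A few comment slips in the private values example: the `scanner:` block is introduced as "Secret configuration options for the StackRox Central deployment" (should be Scanner); `db.password.value` is described as "The plaintext value of the administrator password" although it is the Central DB password; and the `adminPassword` comment speaks of a "bcrypt-encrypted password" where bcrypt is a hash (the later line "The password hash MUST be bcrypt" has it right). Service names are also written inconsistently (`central-db.stackrox.svc` and `scanner.stackrox.svc` versus `central.stackrox` and `scanner-db.stackrox`); pick one form.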
@@ -0,0 +1,538 @@ +# StackRox Kubernetes Security Platform - Central Services Chart +# PUBLIC configuration file. +# +# This file contains general configuration values relevant for the deployment of the +# StackRox Kubernetes Platform Central Services components, which do not contain or reference +# sensitive data. This file can and should be stored in a source code management system +# and should be referenced on each `helm upgrade`. +# +# Most of the values in this file are optional, and you only should need to make modifications +# if the default deployment configuration is not sufficient for you for whatever reason. +# The most notable exception is the `imagePullSecrets` section, which needs to be configured +# according to the registry access in your environment. +# +# Other than that, the following are sections most likely require custom configuration: +# - `image.registry`: if you are pulling images from a registry other than `registry.redhat.io/advanced-cluster-security`. +# - `env.offlineMode`: if you want to run StackRox in offline mode. +# - `central.endpointsConfig`: if you want to expose additional endpoints (such as endpoints +# without TLS) in Central. +# - `central.resources`: if the default resource configuration for Central is not adequate +# for your environment. +# - `db.persistence`: for configuring where Central DB stores its postgres database volume. + +# # BEGIN CONFIGURATION VALUES SECTION + +# imagePullSecrets: +# # allowNone=true indicates that no image pull secrets are required to be configured +# # upon initial deployment. Use this setting if you are using a cluster-private registry +# # that does not require authentication. +# allowNone: false +# +# # useExisting specifies a list of existing Kubernetes image pull secrets in the target +# # namespace that should be used for trying to pull StackRox images. Use this if you have +# # your custom way of injecting image pull secrets. 
+# useExisting: +# - secret1 +# - secret2 +# +# # useFromDefaultServiceAccount=true will instruct the deployment logic to use any +# # image pull secrets referenced by the default service account in the target namespace. +# # This is a common way to grant namespace-wide access to a Docker image registry. +# # This behavior is the default, set the value to `false` if you do not want this. +# useFromDefaultServiceAccount: true +# +# image: +# # The registry relative to which all image references are resolved, unless +# # a specific registry is provided for particular workloads which takes precedence +# # (see `central.image`, `db.image`, `scanner.image`, and `scanner.dbImage` below). +# # This can be just a registry hostname such as `stackrox.io`, or a registry hostname with +# # a "remote" component such as `us.gcr.io/my-stackrox-mirror`. +# registry: us.gcr.io/my-stackrox-mirror +# +# env: +# # Treat the environment as an OpenShift cluster. Leave this unset to use auto-detection +# # based on available API resources on the server. +# # Set it to true to auto-detect the OpenShift version, otherwise set it explicitly. +# # Possible values: null, false, true, 3, 4 +# openshift: false +# +# # Whether the target cluster is an Istio-enabled cluster. If you deploy via `helm install`, +# # this can typically be determined automatically, so we recommend to not set a value here. +# # Set to true or false explicitly to override the auto-sensing logic only. +# istio: false +# +# # The "platform" of the target cluster into which StackRox is being deployed. This can +# # be the name of an infrastructure provider or product, and will tailor the StackRox +# # deployment to the respective target environment. Currently, the only supported platforms +# # are "default" and "gke". +# # If you deploy via `helm install`, the environment can typically be determined automatically, +# # choose a fixed value here only if you want to override the auto-sensing logic. 
+# platform: default +# +# # offlineMode=true instructs StackRox to not attempt any outgoing connections to the +# # internet. Use this in air-gapped environments, where it's important that workloads do +# # not even try to make outbound connections. Defaults to `false` when omitted. +# offlineMode: false +# +# # Additional certificate authorities (CAs) to trust, besides system roots. +# # Use this setting if Central or Scanner need to reach out to services that use certificates +# # issued by an authority in your organization, but are NOT globally trusted. In these cases, +# # specify the root CA certificate of your organization. +# additionalCAs: +# acme-labs-ca.crt: | +# -----BEGIN CERTIFICATE----- +# [... base64 (PEM) encoded certificate data ...] +# -----END CERTIFICATE----- +# +# # Public configuration options for the StackRox Central deployment. +# central: +# # General configuration options for the Central deployment. +# # See the `config/central/config.yaml.default` file that is shipped with this chart +# # for a fully documented version. +# config: | +# maintenance: +# safeMode: false +# compaction: +# enabled: true +# bucketFillFraction: .5 +# freeFractionThreshold: 0.75 +# # Configuration option for rolling back to a previous version after an upgrade has been completed. +# # Default to none. +# # By default, the user may initiate a rollback if upgrade fails before Central has started. +# # Users may rollback to their previous version once Central has started, but this may result in data loss, +# # so users must explicitly specify the version they are rolling back to in order to acknowledge the effects. +# forceRollbackVersion: 3.0.58.0 +# +# # Additional endpoints configuration for the Central deployment. +# # See the `config/central/endpoints.yaml.default` file that is shipped with this chart +# # for a fully documented version. 
+# endpointsConfig: | +# endpoints: +# - listen: ":8080" +# protocols: +# - http +# tls: +# disable: true +# +# # If you want to use a monitoring solution such as Prometheus, set the following value to +# # "true" to make a /metrics endpoint for Central available on port 9090. +# exposeMonitoring: true +# +# # If you want to enforce StackRox Central to only run on certain nodes, you can specify +# # a node selector here to make sure Central can only be scheduled on Nodes with the +# # given label. This is particular relevant for the "hostPath" persistence type. +# nodeSelector: +# # This can contain arbitrary `label-key: label-value` pairs. +# role: stackrox-central +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# tolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# If scheduling needs specific affinities, you can specify the corresponding affinities here. +# affinity: +# nodeAffinity: +# preferredDuringSchedulingIgnoredDuringExecution: +# # Central is single-homed, so avoid preemptible nodes. +# - weight: 100 +# preference: +# matchExpressions: +# - key: cloud.google.com/gke-preemptible +# operator: NotIn +# values: +# - "true" +# - weight: 50 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/infra +# operator: Exists +# - weight: 25 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/compute +# operator: Exists +# # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in +# # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+# - weight: 100 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/master +# operator: DoesNotExist +# - weight: 100 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/control-plane +# operator: DoesNotExist +# +# # Configures the Central image to be used. Most users will only need to configure a +# # custom registry (if any) at the global scope, and do not require any settings here. +# image: +# # A custom registry that will override the global `image.registry` setting for the +# # Central image. +# registry: us.gcr.io/stackrox-central-repo +# +# # A custom image name that will override the default `main`. +# name: custom-main +# +# # A custom image tag that will override the default tag based on the current +# # StackRox version. +# # IMPORTANT: If you set a value here, you will lose the ability to simply upgrade +# # by running `helm upgrade` against a more recent chart version. You MUST increment +# # the version referenced in this tag for every upgrade. It is therefore strongly +# # recommended that if you choose to mirror StackRox images in your own registry, +# # you preserve all image tags as-is. +# tag: custom-version +# +# # A full image name override that will be used as-is for the StackRox Central image. +# # This is only required in very rare circumstances, and its use is strongly discouraged. +# # If set, all other image-related values will be ignored for the StackRox Central image. +# # The following example value lists the full image ref that would be constructed from +# # the above components. +# fullRef: "us.gcr.io/stackrox-central-repo/custom-main:custom-version" +# +# # Custom resource overrides for the Central deployment. Use this if your environment is +# # very large or very small, and the default resource configuration does not provide +# # satisfactory performance. 
+# resources: +# requests: +# memory: "4Gi" +# cpu: "1500m" +# limits: +# memory: "8Gi" +# cpu: "4000m" +# +# # Configuration for exposing the StackRox Central deployment for external access. +# # Generally, only ONE of the nested values should be specified. If none is specified, +# # the Central deployment will not be exposed, and you must either manually expose it, +# # or access it via port-forwarding. +# exposure: +# # Exposure via a Kubernetes LoadBalancer service. +# loadBalancer: +# enabled: true +# # The port on which to expose StackRox Central. Defaults to 443. +# port: 443 +# # The static IP to assign to the load balancer. Defaults to dynamic. +# ip: 10.0.0.0 +# +# # Exposure via a Kubernetes NodePort service. +# nodePort: +# enabled: true +# # The port on the node under which to expose the service. Omit this for +# # letting Kubernetes automatically select a node port (recommended). +# port: 32000 +# +# # Exposure via an OpenShift route. Only available for OpenShift clusters +# route: +# enabled: true +# +# # Additional volume mounts for the Central container. Only few people will require this. +# extraMounts: +# - name: my-configmap # the name of the volume +# # The source of the volume. This will be embedded as-is in the `volume:` section of the +# # pod spec. +# source: +# configMap: +# name: my-configmap +# # The mount point of the volume. This will be embedded as-is in the `volumeMounts:` section +# # of the pod spec. +# mount: +# mountPath: /etc/my-config-data +# +# # Public configuration options for the StackRox Central DB: +# db: +# # If you want to enforce StackRox Central DB to only run on certain nodes, you can specify +# # a node selector here to make sure Central can only be scheduled on Nodes with the +# # given label. This is particular relevant for the "hostPath" persistence type. +# nodeSelector: +# # This can contain arbitrary `label-key: label-value` pairs. 
+# role: stackrox-central-db +# +# # If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# tolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# # External signifies that a Postgres wire-compatible database has already been deployed and a Central DB pod +# # does not need to be deployed +# external: false +# +# # Customized Central DB source configurations to connect to Postgres database. +# # Default configurations are applied if the configurations are omitted. +# source: +# # ConnectionString should not be specified if the Central DB deployment is being managed by the helm chart +# # The connection string must be in the format described here https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING +# # The only connection string format supported is as specified in "34.1.1.1. Keyword/Value Connection Strings" +# # client_encoding=UTF8 is required in any connection string and the only supported encoding +# # statementTimeoutMs is ignored for external database connections +# # If using a connection that supports "statement_timeout" it is recommended to include "statement_timeout=1200000" +# # Do NOT use a connection string with a password field. Instead specify the value below in the password section in values-private.yaml. +# connectionString: "host=central-db.stackrox port=5432 user=postgres sslmode=verify-full" +# minConns: 10 +# maxConns: 90 +# statementTimeoutMs: 1200000 +# +# # Configures the Central DB image to be used. Most users will only need to configure a +# # custom registry (if any) at the global scope, and do not require any settings here. +# image: +# # A custom registry that will override the global `image.registry` setting for the +# # Central DB image. +# registry: us.gcr.io/central-db +# # A custom image name that will override the default `main`. 
+# name: custom-central-db +# # A custom image tag that will override the default tag based on the current +# # StackRox version. +# tag: custom-version +# +# # Custom resource overrides for the Central DB deployment. +# resources: +# requests: +# memory: "8Gi" +# cpu: "4" +# limits: +# memory: "16Gi" +# cpu: "8" +# +# # Persistence configuration for the StackRox Central DB. +# # Exactly ONE of the nested values should be specified. If none is specified, +# # the StackRox Central DB will be configured with the default PVC-based persistence. +# persistence: +# # The path on the node where to store the StackRox Central DB volume +# # when using host path persistence. +# hostPath: /var/lib/central-db +# # The persistent volume claim details when storing the StackRox database +# # on a persistent volume managed by a Kubernetes persistent volume claim (PVC). +# persistentVolumeClaim: +# # The name of the claim. This defaults to central-db if not set. +# claimName: central-db +# # Whether to create the claim upon deployment. The default is true; set this to false +# # if you have a pre-existing persistent volume claim that you want to use. +# createClaim: true +# # The storage class of the persistent volume. +# storageClass: stackrox-gke-ssd +# # The size of the persistent volume managed by the claim, in Gigabytes (or with an +# # explicit unit, such as "1Ti"). Defaults to 100Gi. +# size: 100 +# # If you want to bind a preexisting persistent volume, you can specify it here. +# volume: +# volumeSpec: +# # The section includes volume type specific config, the volume type can be: +# # gcePersistentDisk, hostpath, filestore(nfs) etc. +# gcePersistentDisk: +# # Type specific parameters. The specified persistent volume should have +# # been created. +# pdName: gke-pv +# +# # Public configuration options for the StackRox Scanner. 
+# scanner: +# # disable=true will cause the StackRox Kubernetes Security Platform to be +# # deployed without the StackRox Scanner, meaning that certain functionalities +# # may not be available. If this setting is changed prior to a `helm upgrade` +# # invocation, the existing StackRox scanner deployment will be removed. +# disable: false +# +# # The number of replicas for the Scanner deployment. If autoscaling is enabled (see below), +# # this determines the initial number of replicas. +# replicas: 3 +# +# # The log level for the scanner deployment. This typically does not need to be changed. +# logLevel: INFO +# +# # If you want to enforce StackRox Scanner to only run on certain nodes, you can specify +# # a node selector here to make sure Scanner can only be scheduled on Nodes with the +# # given label. +# nodeSelector: +# # This can contain arbitrary `label-key: label-value` pairs. +# role: stackrox-scanner +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# tolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# If scheduling needs specific affinities, you can specify the corresponding affinities here. +# affinity: +# podAntiAffinity: +# preferredDuringSchedulingIgnoredDuringExecution: +# - weight: 100 +# podAffinityTerm: +# labelSelector: +# matchLabels: +# app: scanner +# topologyKey: kubernetes.io/hostname +# nodeAffinity: +# preferredDuringSchedulingIgnoredDuringExecution: +# - weight: 50 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/infra +# operator: Exists +# - weight: 25 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/compute +# operator: Exists +# # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in +# # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+# - weight: 100 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/master +# operator: DoesNotExist +# - weight: 100 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/control-plane +# operator: DoesNotExist +# +# # If you want to enforce StackRox Scanner DB to only run on certain nodes, you can specify +# # a node selector here to make sure Scanner DB can only be scheduled on Nodes with the +# # given label. +# dbNodeSelector: +# # This can contain arbitrary `label-key: label-value` pairs. +# role: stackrox-scanner-db +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# dbTolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# # Configuration for autoscaling the Scanner deployment. +# autoscaling: +# # disable=true causes autoscaling to be disabled. All other settings in this section +# # will have no effect. +# disable: false +# # The minimum number of replicas for autoscaling. The following value is the default. +# minReplicas: 2 +# # The maximum number of replicas for autoscaling. The following value is the default. +# maxReplicas: 5 +# +# # Custom resource overrides for the Scanner deployment. +# resources: +# requests: +# memory: "1500Mi" +# cpu: "1000m" +# limits: +# memory: "4Gi" +# cpu: "2000m" +# +# # Custom resource overrides for the Scanner DB deployment. +# dbResources: +# limits: +# cpu: "2000m" +# memory: "4Gi" +# requests: +# cpu: "200m" +# memory: "200Mi" +# +# # Custom configuration of the image to be used for the Scanner deployment. +# # See `central.image` for a full example. +# image: +# registry: us.gcr.io/stackrox-scanner-repo +# name: scanner # "scanner" is the default +# +# dbImage: +# registry: us.gcr.io/stackrox-scanner-db-repo +# name: scanner-db # "scanner-db" is the default +# +# +# # Customization Settings. 
+# # The following allows specifying custom Kubernetes metadata (labels and annotations) +# # for all objects instantiated by this Helm chart, as well as additional pod labels, +# # pod annotations, and container environment variables for workloads. +# # The configuration is hierarchical, in the sense that metadata that is defined at a more +# # generic scope (e.g., for all objects) can be overridden by metadata defined at a narrower +# # scope (e.g., only for the central deployment). +# customize: +# # Extra metadata for all objects. +# labels: +# my-label-key: my-label-value +# annotations: +# my-annotation-key: my-annotation-value +# +# # Extra pod metadata for all objects (only has an effect for workloads, i.e., deployments). +# podLabels: +# my-pod-label-key: my-pod-label-value +# podAnnotations: +# my-pod-annotation-key: my-pod-annotation-value +# +# # Extra environment variables for all containers in all objects. +# envVars: +# MY_ENV_VAR_NAME: MY_ENV_VAR_VALUE +# +# # Extra metadata for the central deployment only. +# central: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the central db deployment only. +# db: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the scanner deployment only. +# scanner: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the scanner-db deployment only. +# scanner-db: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for all other objects. The keys in the following map can be +# # an object name of the form "service/central-loadbalancer", or a reference to all +# # objects of a given type in the form "service/*". 
The values under each key +# # are the five metadata overrides (labels, annotations, podLabels, podAnnotations, envVars) +# # as specified above, though only the first two will be relevant for non-workload +# # object types. +# other: +# "service/*": +# labels: {} +# annotations: {} +# +# # EXPERT SETTINGS +# # The following settings should only be changed if you know very well what you are doing. +# # The scenarios in which these are required are generally not supported. +# +# # Set allowNonstandardNamespace=true if you are deploying into a namespace other than +# # "stackrox". This has been observed to work in some case, but is not generally supported. +# allowNonstandardNamespace: false +# +# # Set allowNonstandardReleaseName=true if you are deploying with a release name other than +# # the default "stackrox-central-services". This has been observed to work in some cases, +# # but is not generally supported. +# allowNonstandardReleaseName: false + +# monitoring: +# # Enables integration with OpenShift platform monitoring. +# openshift: +# enabled: true diff --git a/rhacs/4.3.5/central-services/values.yaml b/rhacs/4.3.5/central-services/values.yaml new file mode 100644 index 0000000..b8a6a4d --- /dev/null +++ b/rhacs/4.3.5/central-services/values.yaml 
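Review bot: in values-public.yaml.example, the explanatory lines `# If the nodes selected by the node selector are tainted, ...` (under `central.tolerations`, `scanner.tolerations` and `scanner.dbTolerations`) and `# If scheduling needs specific affinities, ...` (under `central.affinity` and `scanner.affinity`) carry a single `#` where every other comment in the file uses `# #`; once a user uncomments the block by stripping the leading `# `, these become bare text and the result is no longer valid YAML. Prefix them with `# #` as the `central.db.tolerations` block already does. Three smaller points in the same file: the `endpointsConfig` example opens `:8080` with `tls: disable: true`, so a one-line comment that this is a plaintext listener meant for in-cluster use only would help readers who copy it verbatim; `forceRollbackVersion: 3.0.58.0` is an example value from the 3.0.x line in a chart whose appVersion is 4.3.5, so consider a current example; and `particular relevant` (in both the `central.nodeSelector` and `central.db.nodeSelector` comments) should read `particularly relevant`.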
@@ -0,0 +1,364 @@ +## StackRox Central chart default settings file. +## +## This file includes the default settings for the StackRox Central chart. +## It serves as a form of documentation for all the possible settings that a +## user can override are. HOWEVER, if you want to override some settings, DO NOT +## create a copy of this file to be used as a baseline, or modify it in place. +## Instead, create a file that contains only those settings you want to override, +## and pass it to helm or roxctl via the `-f` parameter. +## +## For example, if you want to disable the deployment of scanner, create a file +## `values-override.yaml` (or any name you choose) with the following contents: +## +## scanner: +## disable: true +## +## and then invoke helm by passing `-f values-override.yaml` to +## `helm install`/`helm upgrade`. +## +## Alternatively, if you want to override just a few values, you can set them directly +## via the `--set` command, e.g., +## $ helm install --set scanner.disable=true ... +## +## Note that an arbitrary number of `-f` and `--set` parameters can be combined. It is +## generally a good practice to store secret data such as the admin password separate from +## non-sensitive configuration data. +## +# +## Configuration for image pull secrets. +## These should usually be set via the command line when running `helm install`, e.g., +## helm install --set imagePullSecrets.username=myuser --set imagePullSecrets.password=mypass, +## or be stored in a separate YAML-encoded secrets file. +#imagePullSecrets: +# # Username and password to be used for pulling images. +# # These should usually be set via the command line when running `helm install`, e.g., +# # helm install --set imagePullSecrets.username=myuser --set imagePullSecrets.password=mypass, +# # or be stored in a separate YAML-encoded secrets file. +# username: null +# password: null +# +# # If no image pull secrets are provided, an installation would usually fail. 
In order to +# # prevent it from failing, this option must explicitly be set to true. +# allowNone: false +# +# # If there exist available image pull secrets in the cluster that are managed separately, +# # set this value to the list of the respective secret names. While it is recommended to +# # record the secret names in a persisted YAML file, providing a single string containing +# # a comma-delimited list of secret names is also supported, for easier interaction with +# # --set. +# useExisting: [] +# +# # Whether to import any secrets from the default service account existing in the StackRox +# # namespace. The default service account often contains "standard" image pull secrets that +# # should be used by default for image pulls, hence this defaults to true. Only has an effect +# # if server-side lookups are enabled. +# useFromDefaultServiceAccount: true +# +## Common settings for all image properties +#image: +# # The image registry to use. Unless overridden in the more specific configs, this +# # determines the base registry for each image referenced in this config file. +# registry: registry.redhat.io/advanced-cluster-security +# +## Settings regarding the installation environment +#env: +# # Treat the environment as an OpenShift cluster. Leave this unset to use auto-detection +# # based on available API resources on the server. +# # Possible values: null, false, true, 3, 4 +# openshift: null +# +# # Treat the environment as Istio-enabled. Leave this unset to use auto-detection based on +# # available API resources on the server. +# # Possible values: null, false, true +# istio: null +# +# # The cloud provider platform where the target Kubernetes cluster is running. Leave this +# # unset to use auto-detection based on the Kubernetes version. +# # Possible values: null, "default", "gke" +# platform: null +# +# # Whether to run StackRox in offline mode. When run in offline mode, no connections to external +# # endpoints will be made. 
+# offlineMode: false +# +# # The proxy configuration for Central and Scanner, specified either as an embedded YAML +# # directionary, or as an (expandable) string. +# proxyConfig: null +# +# +## Settings for the StackRox Service CA certificates. +## If `cert` and `key` are both set (it is an error to set only one of the two), the corresponding +## values are used as the PEM-encoded certificate and private key for the internal Service CA. +## If they are left unspecified, they are generated under the following conditions: +## - `generate` is explicitly set to true, or +## - `generate` is unset (null), and the Helm chart is being freshly installed (as opposed to being +## upgraded). +#ca: +# cert: null +# key: null +# generate: null +# + +## Additional CA certificates to trust, besides system roots +## If specified, this should be a map mapping file names to PEM-encoded contents. +#additionalCAs: null +# +central: +# # Settings for telemetry data collection. + telemetry: + enabled: false + storage: + endpoint: "" + key: "" +# +# +# config: "@config/central/config.yaml|config/central/config.yaml.default" +# +# endpointsConfig: "@config/central/endpoints.yaml|config/central/endpoints.yaml.default" +# +# +# nodeSelector: null +# +# jwtSigner: +# key: null +# generate: null +# +# # Settings for the internal service-to-service TLS certificate used by central. +# # See the documentation for `ca` at the top level for an explanation. 
+# serviceTLS: +# cert: null +# key: null +# generate: null +# +# defaultTLS: +# cert: null +# key: null +# +# image: +# registry: null +# name: main +# tag: 4.0.0 +# fullRef: null +# +# adminPassword: +# value: null +# generate: null +# htpasswd: null +# +# resources: +# requests: +# memory: "4Gi" +# cpu: "1500m" +# limits: +# memory: "8Gi" +# cpu: "4000m" +# +# persistence: +# hostPath: null +# persistentVolumeClaim: +# claimName: null +# createClaim: null +# storageClass: null +# size: null +# none: null +# +# exposure: +# +# # LoadBalancer configuration. +# # Disabled by default. +# # Default port is 443. +# loadBalancer: +# enabled: null +# port: null +# ip: null +# +# # NodePort configuration. +# # Disabled by default. +# nodePort: +# enabled: null +# port: null +# +# # Route configuration. +# # Disabled by default. +# route: +# enabled: null +# # Specify a custom hostname if desired, otherwise accept the default from OpenShift. +# host: null +# +# db: +# # External signifies that a Postgres wire-compatible database has already been deployed and a Central DB pod +# # does not need to be deployed +# external: false +# +# source: +# # ConnectionString should not be specified if the Central DB deployment is being managed by the helm chart +# # The connection string must be in the format described here https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING +# # client_encoding=UTF8 is required in any connection string and the only supported encoding +# # statementTimeoutMs is ignored for external database connections +# # If using a connection that supports "statement_timeout" it is recommended to include "statement_timeout=1200000" +# # Do NOT use a connection string with a password field. Instead specify the value below in the password section/ +# connectionString: null +# minConns: 10 +# maxConns: 90 +# statementTimeoutMs: 1200000 +# +# # The admin password setting for communication with Central's DB. 
+# # When a value is set explicitly, this is always used, even on upgrade. +# # Otherwise, a password will be automatically generated if `generate` is set to true, +# # or left unset (null) and the Helm chart is being installed (as opposed to upgraded). +# # Should only be used when utilizing Postgres as central's DB +# password: +# value: null +# generate: null +# +# postgresConfig: "@config/centraldb/postgresql.conf|config/centraldb/postgresql.conf.default" +# hbaConfig: "@config/centraldb/pg_hba.conf|config/centraldb/pg_hba.conf.default" +# +# # Specifying configOverride mounts the specified config map in the same namespace which must contain +# # both pg_hba.conf and postgresql.conf. This should only be used when the default settings are not +# # sufficient and manual override is required. +# configOverride: null +# +# nodeSelector: null +# +# # Settings for the internal service-to-service TLS certificate used by central. +# # See the documentation for `ca` at the top level for an explanation. +# serviceTLS: +# cert: null +# key: null +# generate: null +# +# image: +# registry: null +# name: central-db +# tag: 4.0.0 +# fullRef: null +# +# resources: +# requests: +# memory: "8Gi" +# cpu: "4" +# limits: +# memory: "16Gi" +# cpu: "8" +# +# persistence: +# hostPath: null +# persistentVolumeClaim: +# claimName: null +# createClaim: null +# storageClass: null +# size: null +# none: null +# +## Configuration options relating to StackRox Scanner. +#scanner: +# # If this is set to true, StackRox will be deployed without scanner. No other setting in this +# # section will have any effect. +# disable: false +# +# # Default number of scanner replicas created upon startup. The actual number might be higher +# # or lower if autoscaling is enabled (see below). +# replicas: 3 +# +# logLevel: INFO +# +# # Settings related to autoscaling the scanner deployment. +# autoscaling: +# # If true, autoscaling will be disabled. 
None of the other settings in this section will +# # have any effect. +# disable: false +# minReplicas: 1 +# maxReplicas: 5 +# +# # Resource settings for the scanner deployment. +# resources: +# requests: +# memory: "1500Mi" +# cpu: "1000m" +# limits: +# memory: "4Gi" +# cpu: "2000m" +# +# image: +# registry: null +# name: scanner +# tag: 2.3.2 +# fullRef: null +# +# dbImage: +# registry: null +# name: scanner-db +# tag: 2.3.2 +# fullRef: null +# +# # Resource settings for the scanner-db deployment. +# dbResources: +# limits: +# cpu: 2 +# memory: 4Gi +# requests: +# cpu: 200m +# memory: 200Mi +# +# # The admin password setting for communication with scanner's DB. +# # When a value is set explicitly, this is always used, even on upgrade. +# # Otherwise, a password will be automatically generated if `generate` is set to true, +# # or left unset (null) and the Helm chart is being installed (as opposed to upgraded). +# dbPassword: +# value: null +# generate: null +# +# # Settings for the internal service-to-service TLS certificate used by scanner. +# # See the documentation for `ca` at the top level for an explanation. +# serviceTLS: +# cert: null +# key: null +# generate: null +# +# # Settings for the internal service-to-service TLS certificate used by scanner-db. +# # See the documentation for `ca` at the top level for an explanation. +# dbServiceTLS: +# cert: null +# key: null +# generate: null +# +## EXPERT SETTINGS. You usually do not need to touch those. +# +## If set to true, allow deploying in a namespace other than "stackrox". This is unsupported, so +## use at your own risk. +#allowNonstandardNamespace: false +# +## If set to true, allow a release name other than "stackrox-central-services". There are no issues +## with that, but for streamlining purposes, we want to encourage all users to stick with the +## default name, and make it a little harder to deviate from that. 
+#allowNonstandardReleaseName: false +# +#meta: +# # This controls whether the built-in `lookup` function will be used. If you see an error +# # about there being no function `lookup`, set this to `false` (might be required on Helm +# # versions before 3.1). +# useLookup: true +# +# # This is a dictionary from file names to contents that can be used to inject files that +# # would usually be included via .Files.Get into the chart rendering. +# fileOverrides: {} +# +# # This configuration section allows overriding settings that would be inferred from the +# # running API server. +# apiServer: +# # The Kubernetes version running on the API server. This is used for auto-detection +# # of the platform. +# version: null +# # The list of available API resources on the server, in the form of "apps/v1" or +# # "apps/v1/Deployment". This is used to detect environment capabilities. +# overrideAPIResources: null +# # A list of extra API resources that should be assumed to exist on the API server. This +# # can be used in conjunction with both data obtained from the API server, or data set +# # via `overrideAPIResources`. +# extraAPIResources: [] +# +#monitoring: +# # Enables integration with OpenShift platform monitoring. +# openshift: +# enabled: true diff --git a/rhacs/4.3.5/secured-cluster-services/.helmignore b/rhacs/4.3.5/secured-cluster-services/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ 
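Review bot: the `imagePullSecrets.useExisting` comment in values.yaml documents a comma-delimited string, while the secured-cluster-services README in this same patch shows `--set imagePullSecrets.useExisting="pull-secret-1;pull-secret-2"` with semicolons; these should agree, and since a comma is also Helm's own `--set` list separator, the delimiter the chart actually parses should be stated once and reused in both places. Further in the same file: `central:` with its `telemetry:` block is the only uncommented setting in a file that is otherwise entirely commented documentation, so a comment saying the live default is intentional would stop someone from "fixing" it by commenting it out or uncommenting its neighbours; the commented `image.tag: 4.0.0` (central, central-db) and `tag: 2.3.2` (scanner, scanner-db) no longer match the chart's appVersion 4.3.5 and may mislead users who copy them; the `proxyConfig` comment has `directionary` for `dictionary`; and the `connectionString` comment ends in `in the password section/` where the example file ends the same sentence with `in values-private.yaml.`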
diff --git a/rhacs/4.3.5/secured-cluster-services/Chart.yaml b/rhacs/4.3.5/secured-cluster-services/Chart.yaml new file mode 100644 index 0000000..033de2d --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: stackrox-secured-cluster-services +icon: https://raw.githubusercontent.com/stackrox/stackrox/master/image/templates/helm/shared/assets/Red_Hat-Hat_icon.png +description: Helm Chart for StackRox Secured Clusters +type: application +version: 400.3.5 +appVersion: 4.3.5 diff --git a/rhacs/4.3.5/secured-cluster-services/README.md b/rhacs/4.3.5/secured-cluster-services/README.md new file mode 100644 index 0000000..d77e5ef --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/README.md 
@@ -0,0 +1,468 @@ +# StackRox Kubernetes Security Platform - Secured Cluster Services Helm Chart + +This Helm chart allows you to deploy the necessary services on a StackRox +secured cluster: StackRox Sensor, StackRox Collector, and StackRox Admission +Control. +If you want to install Secured Cluster Services for Red Hat Advanced Cluster Security, +refer to [Installing the secured-cluster-services Helm chart](https://docs.openshift.com/acs/installing/installing_helm/install-helm-quick.html#installing-secured-cluster-services-quickly_acs-install-helm-quick). + +## Prerequisites + +To deploy the secured cluster services for the StackRox Kubernetes Security Platform, you must: +- Have at least version 3.1 of the Helm tool installed on your machine + +> **IMPORTANT** +> +> We publish new Helm charts with every new release of the StackRox Kubernetes +> Security Platform. Make sure to use a version of this chart that matches the +> StackRox Kubernetes Security Platform version you have installed. + +## Add the canonical chart location as a Helm repository + +The canonical repository for StackRox Helm charts is https://mirror.openshift.com/pub/rhacs/charts. +To use StackRox Helm charts, run the following command: +```sh +helm repo add stackrox https://mirror.openshift.com/pub/rhacs/charts +``` +Only run this command once per machine on which you want to use StackRox Helm +charts. + +Before you deploy or upgrade a chart from a remote repository, you must +run the following command: +```sh +helm repo update +``` + +## Install Secured Cluster Services + +Installing a new StackRox secured cluster requires a *cluster init bundle*. You +can generate a **cluster init bundle** by using the `roxctl` CLI or the StackRox +portal. You can use the same bundle to set up multiple StackRox secured +clusters by providing it as an input to the `helm install` command. + +> **NOTE**: +> +> - The following sections assume that you have a safe way to pass secrets to +> the helm command. 
+> - If not, you can decouple secret creation from installing or upgrading the +> Helm chart, see [Deployment with pre-created secrets](#deployment-with-pre-created-secrets) for more information. + +### Generate cluster init bundle + +Run the following command to generate a **cluster init bundle**: +```sh +roxctl central init-bundles generate --output cluster-init-bundle.yaml +``` + +- This command creates a **cluster init bundle** called + `cluster-init-bundle.yaml`. +- Make sure that you store this bundle securely as it contains secrets. You can + use the same bundle to set up multiple StackRox secured clusters. + +### Deploy Secured Cluster Services + +You can use the following command to deploy secured cluster services by using +this Helm chart: +```sh +helm install -n stackrox --create-namespace \ + stackrox-secured-cluster-services stackrox/stackrox-secured-cluster-services \ + -f \ + --set clusterName= \ + --set centralEndpoint= +``` +- In this command, you can replace the chart name + `stackrox/stackrox-secured-cluster-services` with the chart's file path if you have it + locally. +- The provided cluster name can either denote the intended name for a new secured cluster + or the name of an existing cluster, in which case the name will be reused and associated + with the Kubernetes cluster on which the chart is installed. + +After you deploy the StackRox Kubernetes Security Platform Secured Cluster +Services using the `helm install` command, you will see informative notes and +warnings related to the installation. The new cluster automatically registers +itself to StackRox Central, and it is visible in the StackRox portal as a +Helm-managed cluster. If the provided cluster name is already associated with +an existing secured cluster, the name will be reused and associated with the +cluster on which the chart is installed. 
+ +In case you use image mirroring or otherwise access StackRox container images from non-standard location, +you may also need to provide image pull credentials. +There are several ways to inject the required credentials (if any) into the installation process: + +- **Explicitly specify username and password:** Use this if you are using a registry that supports username/password + authentication. Pass the following arguments to the `helm install` command: + ```sh + --set imagePullSecrets.username= --set imagePullSecrets.password= + ``` +- **Use pre-existing image pull secrets:** If you already have one or several image pull secrets + created in the namespace to which you are deploying, you can reference these in the following + way (we assume that your secrets are called `pull-secret-1` and `pull-secret-2`): + ```sh + --set imagePullSecrets.useExisting="pull-secret-1;pull-secret-2" + ``` +- **Do not use image pull secrets:** If you are pulling your images from quay.io/stackrox-io or a registry in a private + network that does not require authentication, or if the default service account in the namespace + to which you are deploying is already configured with appropriate image pull secrets, you do + not need to specify any additional image pull secrets. + +### Applying custom configuration options + +The secured cluster services Helm chart has many different configuration +options. You can directly specify these options when you run the `helm install` +command for simple use cases. + +However, we recommend storing your configuration in a file and using that file +for future upgrades or reconfiguration using the `helm upgrade` command. + +#### Specifying options with `--set` parameter + +You can use the `--set` and `--set-file` parameter with the `helm install` +command to specify various options to customize deployments quickly. However, +don't use them for specifying complex configurations. 
+ +For example, +- **Configure cluster environment**: + ```sh + --set env.openshift=true + ``` +- **Configure collection method**: + ```sh + --set collector.collectionMethod=EBPF + ``` + +#### Using configuration YAML files and the `-f` command-line option + +We recommended that you store all custom configuration options in persisted files. + +The Secured Cluster Services Helm chart contains example configuration files +(called `values-public.yaml.example` and `values-private.yaml.example`), that list +all the available configuration options, along with documentation. + +The following sample configuration file (`secured-cluster.yaml`) uses a few of +the options which you can configure: +- **`values-public.yaml`:** + ```yaml + clusterName: "acme-cluster-01" + centralEndpoint: "central.acme-labs.internal" + + env: + istio: true # enable istio support + + sensor: + # Use custom resource overrides for sensor + resources: + requests: + cpu: "2" + memory: "4Gi" + limits: + cpu: "4" + memory: "8Gi" + + admissionControl: + dynamic: + disableBypass: true # Disable bypassing of Admission Controller + + customize: + # Apply the important-service=true label for all objects managed by this chart. + labels: + important-service: true + # Set the CLUSTER=important-cluster environment variable for all containers in the + # collector deployment: + collector: + envVars: + CLUSTER: important-cluster + ``` +- **`values-private.yaml`**: + ```yaml + imagePullSecrets: + username: + password: + ``` + +After you have created these YAML files, you can inject the configuration options into the +installation process via the `-f` flag, i.e., by appending the following options to the +`helm install` invocation: +```sh +helm install ... -f values-public.yaml -f values-private.yaml +``` + +#### Changing configuration options after deployment + +To make changes to the configuration of an existing deployment of the StackRox +Secured Cluster Services: +1. 
Change the configuration options in your YAML configuration file(s). +1. Use the `-f` option and specify the configuration file's path when you + run the `helm upgrade` command. + +For example, to apply configuration changes for the secured cluster, use the following command: +```sh +helm upgrade -n stackrox \ + stackrox-secured-cluster-services stackrox/stackrox-secured-cluster-services \ + --reuse-values \ + -f values-public.yaml \ + -f values-private.yaml +``` + +You can also specify configuration values using the `--set` or `--set-file` +parameters. However, these options aren't saved, and you'll have to specify all +the options again manually. + +#### Changing cluster name after deployment + +To change the name of the cluster shown in the StackRox portal, you must specify +values for both the `--clusterName` and the `--confirmNewClusterName` options: + +```sh +helm upgrade -n stackrox stackrox-secured-cluster-services --clusterName= --confirmNewClusterName= +``` + +> **NOTE:** +> +> When you change the cluster name: +> - The StackRox Kubernetes Security Platform either creates a new cluster or +> reuses an existing cluster if a cluster with the same name already exists. +> - The StackRox Kubernetes Security Platform doesn't rename the old cluster. +> The old cluster still shows up in the StackRox portal, but it doesn't +> receive any data. You must remove the old cluster if you don't want to see +> it in the StackRox portal. + +### Configuration + +The following table lists some common configuration parameters of this Helm +chart and their default values: + +|Parameter |Description | Default value | +|:---------|:-----------|:--------------| +|`clusterName`| Name of your cluster. | | +|`confirmNewClusterName`| You don't need to change this unless you upgrade and change the value for `clusterName`. In this case, set it to the new value of `clusterName`. 
This option exists to prevent you from [accidentally creating a new cluster with a different name](#changing-cluster-after-deployment). | `null` | +|`centralEndpoint`| Address of the Central endpoint, including the port number (without a trailing slash). If you are using a non-gRPC capable LoadBalancer, use the WebSocket protocol by prefixing the endpoint address with `wss://`. |`central.stackrox.svc:443` | +|`clusterLabels`| Custom labels associated with a secured cluster | `{}` | +|`additionalCAs`| Use it to add (named) PEM-encoded CA certificates for Sensor. | `{}` | +|`imagePullSecrets.username`| Specify username for accessing image registry. |`null`| +|`imagePullSecrets.password`| Specify password for accessing image registry. |`null`| +|`imagePullSecrets.useExisting`| Specify existing Kubernetes image pull secrets that should be used for trying to pull StackRox images. |`[]`| +|`imagePullSecrets.useFromDefaultServiceAccount`| This setting controls whether image pull secrets from a default service account in the target namespace should be used for image pulls. |`true`| +|`imagePullSecrets.useExisting`| Specify existing Kubernetes image pull secrets that should be used for trying to pull StackRox images. |`[]`| +|`imagePullSecrets.allowNone`| Enabling this setting indicates that no image pull secrets are required to be configured upon initial deployment. Use this setting if you are using a cluster-private registry that does not require authentication. |`false`| +|`image.main.name`|Repository from which to download the main image. |`main` | +|`image.collector.name`|Repository from which to download the collector image. 
|`collector` | +|`image.main.registry`| Address of the registry you are using for main image.|`registry.redhat.io/advanced-cluster-security` | +|`image.collector.registry`| Address of the registry you are using for collector image.|`registry.redhat.io/advanced-cluster-security` | +|`sensor.endpoint`| Address of the Sensor endpoint including port number. No trailing slash.|`sensor.stackrox.svc:443` | +|`collector.collectionMethod`|Either `EBPF`, `CORE_BPF`, or `NO_COLLECTION`. |`EBPF` | +|`collector.disableTaintTolerations`|If you specify `false`, tolerations are applied to collector, and the collector pods can schedule onto all nodes with taints. If you specify it as `true`, no tolerations are applied, and the collector pods won't scheduled onto nodes with taints. |`false` | +|`collector.slimMode`| Specify `true` if you want to use a slim Collector image for deploying Collector. Using slim Collector images requires Central to provide the matching kernel module or eBPF probe. If you are running the StackRox Kubernetes Security Platform in offline mode, you must download a kernel support package from [stackrox.io](https://install.stackrox.io/collector/support-packages/index.html) and upload it to Central for slim Collectors to function. Otherwise, you must ensure that Central can access the online probe repository hosted at https://collector-modules.stackrox.io/.|`false` | +|`admissionControl.listenOnCreates`| This setting controls whether the cluster is configured to contact the StackRox Kubernetes Security Platform with `AdmissionReview` requests for `create` events on Kubernetes objects. 
|`false` | +|`admissionControl.listenOnUpdates`|This setting controls whether the cluster is configured to contact the StackRox Kubernetes Security Platform with `AdmissionReview` requests for `update` events on Kubernetes objects.|`false` | +|`admissionControl.listenOnEvents`|This setting controls whether the cluster is configured to contact the StackRox Kubernetes Security Platform with `AdmissionReview` requests for `update` Kubernetes events like `exec` and `portforward`.|`false` on OpenShift, `true` otherwise.| +|`admissionControl.dynamic.enforceOnCreates`| It controls whether the StackRox Kubernetes Security Platform evaluates policies; if it’s disabled, all `AdmissionReview` requests are automatically accepted. You must specify `listenOnCreates` as `true` for this to work. |`false` | +|`admissionControl.dynamic.enforceOnUpdates`| It controls whether the StackRox Kubernetes Security Platform evaluates policies for object updates; if it’s disabled, all `AdmissionReview` requests are automatically accepted. You must specify `listenOnUpdates` as `true` for this to work. |`false`| +|`admissionControl.dynamic.scanInline`| |`false` | +|`admissionControl.dynamic.disableBypass`|Set it to `true` to disable [bypassing the admission controller](https://help.stackrox.com/docs/manage-security-policies/use-admission-controller-enforcement/). |`false` | +|`admissionControl.dynamic.timeout`|The maximum time in seconds, the StackRox Kubernetes Security Platform should wait while evaluating admission review requests. Use it to set request timeouts when you enable image scanning. If the image scan runs longer than the specified time, the StackRox Kubernetes Security Platform accepts the request. Other enforcement options, such as scaling the deployment to zero replicas, are still applied later if the image violates applicable policies.|`3` | +|`registryOverride`|Use this parameter to override the default `docker.io` registry. 
Specify the name of your registry if you are using some other registry.| | +|`createUpgraderServiceAccount`| Specify `true` to create the `sensor-upgrader` account. By default, the StackRox Kubernetes Security Platform creates a service account called `sensor-upgrader` in each secured cluster. This account is highly privileged but is only used during upgrades. If you don’t create this account, you will have to complete future upgrades manually if the Sensor doesn’t have enough permissions. See [Enable automatic upgrades for secured clusters](https://help.stackrox.com/docs/configure-stackrox/enable-automatic-upgrades/) for more information.|`false` | +|`createSecrets`| Specify `false` to skip the orchestrator secret creation for the sensor, collector, and admission controller. | `true` | +|`customize`|Modern interface for specifying custom metadata for resources, including labels, annotations and environment variables. See below for more information.|`{}`| + + +The following table lists some advanced parameters, and you'll only need them in +non-standard environments: + +|Parameter |Description | Default value | +|:---------|:-----------|:--------------| +|`image.main.tag`| Tag of `main` image to use.|`null` | +|`image.collector.tag`| Tag of `collector` image to use.| `null` | +|`image.main.pullPolicy`| Image pull policy for `main` images.|`IfNotPresent`| +|`image.collector.pullPolicy`| Image pull policy for `collector` images.| `IfNotPresent` if `slimCollector` is enabled, `Always` otherwise.| +|`sensor.resources`|Resource specification for Sensor.|See below.| +|`collector.resources`|Resource specification for Collector.|See below.| +|`collector.complianceResources`|Resource specification for Collector's Compliance container.|See below.| +|`collector.nodeScanningResources`|Resource specification for Collector's Node Inventory container.|See below.| +|`collector.nodeSelector` | Node selector for Collector pods placement. 
| `null` (no placement constraints) | +|`admissionControl.resources`|Resource specification for Admission Control.|See below.| +|`sensor.imagePullPolicy`| Kubernetes image pull policy for Sensor. | `IfNotPresent` | +|`sensor.nodeSelector` | Node selector for Sensor pod placement. | `null` (no placement constraints) | +|`collector.imagePullPolicy`| Kubernetes image pull policy for Collector. | `Always` when deploying in slim mode, otherwise `IfNotPresent`. | +|`collector.complianceImagePullPolicy`| Kubernetes image pull policy for Collector. | `IfNotPresent` | +|`admissionControl.imagePullPolicy`| Kubernetes image pull policy for Admission Control. | `IfNotPresent` | +|`admissionControl.nodeSelector` | Node selector for Admission Control pods placement. | `null` (no placement constraints) | +|`exposeMonitoring`| This setting controls whether the monitoring port (TCP 9090) should be exposed on the services. | `false` | +|`env.openshift`| The StackRox Kubernetes Security Platform automatically detects the OpenShift version (`3.x` or `4.x`). Use this parameter to override the automatically detected version number, for example `4`. | `null` | +|`env.istio`| This setting can be used for overwriting the auto-sensing of Istio environments. If enabled, the cluster is set up for an Istio environment. | Auto-sensed, depends on environment. | +|`scanner.disable`| Scan images stored in the cluster's local registries. This variable is only available for the OpenShift Container Platform. | `true` | + +### Default resources + +Each container's default resource settings are defined in the +`internal/defaults.yaml` file in this chart. 
The following table lists the YAML +paths to the respective defaults for each container that this chart deploys: + +|Container |Path in `internal/defaults.yaml` | +|:----------------|:------------------------------------------| +|Sensor |`defaults.sensor.resources` | +|Collector |`defaults.collector.resources` | +|Compliance |`defaults.collector.complianceResources` | +|NodeInventory |`defaults.collector.nodeScanningResources`| +|Admission Control|`defaults.admissionControl.resources` | + +### Customization settings + +The `customize` setting allows specifying custom Kubernetes metadata (labels and +annotations) for all objects created by this Helm chart and additional pod +labels, pod annotations, and container environment variables for workloads. + +The configuration is hierarchical, in the sense that metadata defined at a more +generic scope (for example, for all objects) can be overridden by metadata +defined at a narrower scope (for example, only for the sensor deployment). + +For example: + +``` +customize: + # Extra metadata for all objects. + labels: + my-label-key: my-label-value + annotations: + my-annotation-key: my-annotation-value + # Extra pod metadata for all objects (only has an effect for workloads, i.e., deployments and daemonsets). + podLabels: + my-pod-label-key: my-pod-label-value + podAnnotations: + my-pod-annotation-key: my-pod-annotation-value + # Extra environment variables for all containers in all workloads. + envVars: + MY_ENV_VAR_NAME: MY_ENV_VAR_VALUE + # Extra metadata for the central deployment only. + sensor: + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + envVars: {} + # Extra metadata for the collector deployment only. + collector: + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + envVars: {} + # Extra metadata for the admission-control deployment only. 
+ admission-control: + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + envVars: {} + # Extra metadata for all other objects. The keys in the following map can be + # an object name of the form "service/sensor", or a reference to all + # objects of a given type in the form "service/*". The values under each key + # are the five metadata overrides (labels, annotations, podLabels, podAnnotations, envVars) + # as specified above, though only the first two will be relevant for non-workload + # object types. + other: + "service/*": + labels: {} + annotations: {} +``` + +## Deployment with pre-created secrets + +The init bundle that you pass to the `helm` command using the `-f` flag creates +Kubernetes secrets for TLS certificates. If you don't want Helm to manage your +Kubernetes secrets, you can deploy the Secured Cluster Services chart without +creating secrets. However, it requires that you always specify the StackRox CA +certificate while installing or upgrading the Helm chart. This certificate +doesn't need to be kept secret. + +1. **Obtain the CA certificate configuration** either through the StackRox + portal or by using the `roxctl` CLI. + - **StackRox portal**: + 1. Navigate to **Platform Configuration** > **Integrations**. + 1. Under the **Authentication Tokens** section, select **Cluster Init Bundle**. + 1. Select **Get CA Config** on the top right to download the configuration + file called `ca-config.yaml`. + - **`roxctl CLI**: + 1. Run the following command: + ```sh + roxctl central init-bundles fetch-ca --output ca-config.yaml + ``` + This command writes the CA certificate configuration in a file called + `ca-config.yaml`. +1. **Use the CA certificate configuration in your Helm installation**. 
When you + run the `helm install` or the `helm upgrade` command, + pass the option `-f ca-config.yaml`: + ```sh + helm install -n stackrox stackrox-secured-cluster-services stackrox/stackrox-secured-cluster-services \ + -f ca-config.yaml \ + + ``` +1. **Disable TLS secret creation**. To prevent Helm from creating Kubernetes + secrets for the StackRox service certificates, set the `createSecrets` option + to `false`. You can either specify `createSecrets` option in a YAML + configuration file (such as `values-public.yaml`) or pass it to the `helm` + command by adding the `--set createSecrets=false` option. + +### Required Kubernetes secrets + +The following list contains the Kubernetes `Secret` objects that you need to +create in the `stackrox` namespace (or the custom namespace you are using) if +you configure the Helm chart to not create TLS certificate secrets. + +- `sensor-tls` with data: + - `ca.pem`: PEM-encoded StackRox CA certificate + - `sensor-cert.pem`: PEM-encoded StackRox Sensor certificate + - `sensor-key.pem`: PEM-encoded private key for the StackRox Sensor certificate +- `collector-tls` with data: + - `ca.pem`: PEM-encoded StackRox CA certificate + - `collector-cert.pem`: PEM-encoded StackRox Collector certificate + - `collector-key.pem`: PEM-encoded private key for the StackRox Collector certificate +- `admission-control-tls` with data: + - `ca.pem`: PEM-encoded StackRox CA certificate + - `admission-control-cert.pem`: PEM-encoded StackRox Admission Control certificate + - `admission-control-key.pem`: PEM-encoded private key for the StackRox Admision Control certificate + +#### Obtaining secrets for an existing cluster + +If you upgrade from a previous Helm chart, you can create certificates specific +to a particular cluster by using the following `roxctl` CLI command: + +```sh +export ROX_API_TOKEN= +roxctl -e sensor generate-certs +``` +Running this command create a file called `cluster--tls.yaml` in +the current directory. 
The file contains YAML manifests for the +[required Kubernetes secrets](#required-kubernetes-secrets). + +#### Obtaining secrets for an init bundle + +If you want to deploy multiple clusters using this Helm chart and want to create +certificates that can be used to register new clusters on-the-fly, you can +obtain the contents of an init bundle in the form of Kubernetes secrets. You can +use the StackRox portal or the `roxctl` CLI for this. + +- **Using the StackRox portal**: + 1. Navigate to **Platform Configuration** > **Integrations**. + 1. Under the **Authentication Tokens** section, select **Cluster Init Bundle**. + 1. Select the add **+** icon on the top left and enter a name for the new init + bundle. + 1. Select **Generate**. + 1. Select **Download Kubernetes Secrets File** at the bottom to save the + Kubernetes manifests to a file called + `-cluster-init-secrets.yaml`. +- **Using the `roxctl` CLI**: + 1. run the following command: + ```sh + roxctl central init-bundles generate --output-secrets cluster-init-secrets.yaml + ``` + This command stores the Kubernetes secret manifests for the cluster init + certificates in a file called `cluster-init-secrets.yaml`. + +You can then use the YAML file to generate secrets through any method that you like, for example, using Sealed Secrets. + +> **NOTE** +> +> Even when you use the certificates from an init bundle, you still need to +> specify the CA certificate configuration every time you install or upgrade the +> Helm chart. diff --git a/rhacs/4.3.5/secured-cluster-services/assets/Red_Hat-Hat_icon.png b/rhacs/4.3.5/secured-cluster-services/assets/Red_Hat-Hat_icon.png new file mode 100644 index 0000000..fae985e Binary files /dev/null and b/rhacs/4.3.5/secured-cluster-services/assets/Red_Hat-Hat_icon.png differ 
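Review bot: In README.md, the `helm upgrade` command under "Changing cluster name after deployment" passes `--clusterName=` and `--confirmNewClusterName=`, which are chart values rather than `helm` flags, and it omits the chart reference that the other `helm upgrade` example includes; it should read `helm upgrade -n stackrox stackrox-secured-cluster-services stackrox/stackrox-secured-cluster-services --set clusterName=<name> --set confirmNewClusterName=<name>`. In the same file: the `confirmNewClusterName` row links to `#changing-cluster-after-deployment`, but the heading is "Changing cluster name after deployment", so the anchor should be `#changing-cluster-name-after-deployment`; the `imagePullSecrets.useExisting` row appears twice in the common-parameters table; the `admissionControl.dynamic.scanInline` row has an empty description; the `collector.imagePullPolicy` default ("`Always` when deploying in slim mode, otherwise `IfNotPresent`") and the `image.collector.pullPolicy` default ("`IfNotPresent` if `slimCollector` is enabled, `Always` otherwise") contradict each other, so one of them needs correcting; `scanner.disable` is described as "Scan images stored in the cluster's local registries", which reads as the opposite of what a `disable` flag does; and the comment "Extra metadata for the central deployment only." in the `customize` example sits above the `sensor:` block and should say sensor. Minor: "Admision Control" in the `admission-control-tls` bullet, "won't scheduled" in the `collector.disableTaintTolerations` row, "We recommended that" under the `-f` section, the unbalanced backtick in "**`roxctl CLI**", and the lowercase "run the following command" in the init-bundle secrets list.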
diff --git a/rhacs/4.3.5/secured-cluster-services/assets/StackRox_icon.png b/rhacs/4.3.5/secured-cluster-services/assets/StackRox_icon.png new file mode 100644 index 0000000..3c136e3 Binary files /dev/null and b/rhacs/4.3.5/secured-cluster-services/assets/StackRox_icon.png differ diff --git a/rhacs/4.3.5/secured-cluster-services/config-templates/scanner/config.yaml.tpl b/rhacs/4.3.5/secured-cluster-services/config-templates/scanner/config.yaml.tpl new file mode 100644 index 0000000..5efc0b9 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/config-templates/scanner/config.yaml.tpl 
@@ -0,0 +1,48 @@ +{{- /* + This is the configuration file template for Scanner. + Except for in extremely rare circumstances, you DO NOT need to modify this file. + All config options that are possibly dynamic are templated out and can be modified + via `--set`/values-files specified via `-f`. + */ -}} + +# Configuration file for scanner. + +scanner: + centralEndpoint: https://central.{{ .Release.Namespace }}.svc + sensorEndpoint: https://sensor.{{ .Release.Namespace }}.svc + database: + # Database driver + type: pgsql + options: + # PostgreSQL Connection string + # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING + source: host=scanner-db.{{ .Release.Namespace }}.svc port=5432 user=postgres sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} statement_timeout=60000 + + # Number of elements kept in the cache + # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. + cachesize: 16384 + + api: + httpsPort: 8080 + grpcPort: 8443 + + updater: + # Frequency with which the scanner will poll for vulnerability updates. + interval: 5m + + logLevel: {{ ._rox.scanner.logLevel }} + + # The scanner intentionally avoids extracting or analyzing any files + # larger than the following default sizes to prevent DoS attacks. + # Leave these commented to use a reasonable default. + + # The max size of files in images that are extracted. + # Increasing this number increases memory pressure. + # maxExtractableFileSizeMB: 200 + # The max size of ELF executable files that are analyzed. + # Increasing this number may increase disk pressure. + # maxELFExecutableFileSizeMB: 800 + # The max size of image file reader buffer. Image file data beyond this limit are overflowed to temporary files on disk. + # maxImageFileReaderBufferSizeMB: 100 + + exposeMonitoring: false 
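Review bot: In config-templates/scanner/config.yaml.tpl, `exposeMonitoring: false` at the end of the file is hard-coded even though the header comment promises that every possibly dynamic option is templated and reachable via `--set`/`-f`; either template it or drop the claim from the header. Relatedly, the template reads `._rox.scanner.logLevel`, but `internal/config-shape.yaml` in this patch declares no `scanner` section, so that value has no documented home. The `sslmode` selection on the `source:` line (`verify-full` only when the release namespace is `stackrox`, `verify-ca` otherwise) deserves a comment explaining why hostname verification is skipped outside the default namespace, since `verify-ca` does not check that the server certificate matches `scanner-db.<namespace>.svc`. Typo in the cache comment: "in order to save prevent needless roundtrips" should be "in order to prevent needless roundtrips".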
diff --git a/rhacs/4.3.5/secured-cluster-services/internal/cluster-config.yaml.tpl b/rhacs/4.3.5/secured-cluster-services/internal/cluster-config.yaml.tpl new file mode 100644 index 0000000..a85ddd7 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/internal/cluster-config.yaml.tpl @@ -0,0 +1,33 @@ +{{- if ._rox.clusterName }} +clusterName: {{ ._rox.clusterName }} +{{- end }} +managedBy: {{ ._rox.managedBy }} +notHelmManaged: {{ eq ._rox.managedBy "MANAGER_TYPE_MANUAL" }} +clusterConfig: + staticConfig: + {{- if not ._rox.env.openshift }} + type: KUBERNETES_CLUSTER + {{- else }} + type: {{ if eq (int ._rox.env.openshift) 4 -}} OPENSHIFT4_CLUSTER {{- else -}} OPENSHIFT_CLUSTER {{ end }} + {{- end }} + mainImage: {{ coalesce ._rox.image.main._abbrevImageRef ._rox.image.main.fullRef }} + collectorImage: {{ coalesce ._rox.image.collector._abbrevImageRef ._rox.image.collector.fullRef }} + centralApiEndpoint: {{ ._rox.centralEndpoint }} + collectionMethod: {{ ._rox.collector.collectionMethod | upper | replace "-" "_" }} + admissionController: {{ ._rox.admissionControl.listenOnCreates }} + admissionControllerUpdates: {{ ._rox.admissionControl.listenOnUpdates }} + admissionControllerEvents: {{ ._rox.admissionControl.listenOnEvents }} + tolerationsConfig: + disabled: {{ ._rox.collector.disableTaintTolerations }} + slimCollector: {{ ._rox.collector.slimMode }} + dynamicConfig: + disableAuditLogs: {{ ._rox.auditLogs.disableCollection | not | not }} + admissionControllerConfig: + enabled: {{ ._rox.admissionControl.dynamic.enforceOnCreates }} + timeoutSeconds: {{ ._rox.admissionControl.dynamic.timeout }} + scanInline: {{ ._rox.admissionControl.dynamic.scanInline }} + disableBypass: {{ ._rox.admissionControl.dynamic.disableBypass }} + enforceOnUpdates: {{ ._rox.admissionControl.dynamic.enforceOnUpdates }} + registryOverride: {{ ._rox.registryOverride }} + configFingerprint: {{ ._rox._configFP }} + clusterLabels: {{- toYaml ._rox.clusterLabels | nindent 4 }} 
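Review bot: In internal/cluster-config.yaml.tpl, string values such as `clusterName`, `centralApiEndpoint`, `registryOverride`, `mainImage` and `collectorImage` are emitted as unquoted YAML scalars; a value containing `: `, `#` or a leading special character would break the rendered document, so pipe them through `quote` (for example `clusterName: {{ ._rox.clusterName | quote }}`). The line `disableAuditLogs: {{ ._rox.auditLogs.disableCollection | not | not }}` uses a double negation to coerce a possibly null value to a boolean; add a short comment saying so, because it reads like a mistake. The `type: {{ if eq (int ._rox.env.openshift) 4 -}} OPENSHIFT4_CLUSTER {{- else -}} OPENSHIFT_CLUSTER {{ end }}` branch relies on `env.openshift` being either a version number or a boolean (`config-shape.yaml` documents it as `bool | int`); a comment noting that a plain `true` maps to `OPENSHIFT_CLUSTER` would help the next reader.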
diff --git a/rhacs/4.3.5/secured-cluster-services/internal/compatibility-translation.yaml b/rhacs/4.3.5/secured-cluster-services/internal/compatibility-translation.yaml new file mode 100644 index 0000000..4e33afc --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/internal/compatibility-translation.yaml 
@@ -0,0 +1,137 @@ +# Configuration compatibility layer translation rules. +# +# This file is a YAML file describing an object following the shape of the legacy Chart configuration. +# Each leaf object is a config fragment template, that will be merged into the user-specified config when specified +# by the user. +# +# The config fragment templates may reference the values ".value" and ".rawValue", the former containing the +# JSON-encoded value of the input field, the latter containing the value as a parsed object. + +cluster: + name: | + clusterName: {{ .value }} + type: | + env: + openshift: {{ if eq .rawValue "OPENSHIFT4_CLUSTER" }} 4 {{ else }} {{ eq .rawValue "OPENSHIFT_CLUSTER" }} {{ end }} + +endpoint: + central: | + centralEndpoint: {{ .value }} + advertised: | + sensor: + endpoint: {{ .value }} + +image: + repository: + main: | + image: + main: + name: {{ .value }} + collector: | + image: + collector: + name: {{ .value }} + registry: + main: | + image: + main: + registry: {{ .value }} + collector: | + image: + collector: + registry: {{ .value }} + pullPolicy: + main: | + image: + main: + pullPolicy: {{ .value }} + collector: | + image: + collector: + pullPolicy: {{ .value }} + tag: + main: | + image: + main: + tag: {{ .value}} + collector: | + image: + collector: + tag: {{ .value }} + +config: + collectionMethod: | + collector: + collectionMethod: {{ .value }} + + dynamic: + enforce: null # bool + scanInline: null # bool + disableBypass: null # bool + timeout: null # natural number + enforceOnUpdates: null # bool + + admissionControl: + createService: | + admissionControl: + listenOnCreates: {{ .value }} + listenOnUpdates: | + admissionControl: + listenOnUpdates: {{ .value }} + listenOnEvents: | + admissionControl: + listenOnEvents: {{ .value }} + enableService: | + admissionControl: + dynamic: + enforceOnCreates: {{ .value }} + enforceOnUpdates: | + admissionControl: + dynamic: + enforceOnUpdates: {{ .value }} + scanInline: | + admissionControl: + 
dynamic: + scanInline: {{ .value }} + disableBypass: | + admissionControl: + dynamic: + disableBypass: {{ .value }} + timeout: | + admissionControl: + dynamic: + timeout: {{ .value }} + registryOverride: | + registryOverride: {{ .value }} + disableTaintTolerations: | + collector: + disableTaintTolerations: {{ .value }} + createUpgraderServiceAccount: | + createUpgraderServiceAccount: {{ .value }} + createSecrets: | + createSecrets: {{ .value }} + offlineMode: null # not used + slimCollector: | + collector: + slimMode: {{ .value }} + sensorResources: | + sensor: + resources: {{ .value }} + admissionControlResources: | + admissionControl: + resources: {{ .value }} + collectorResources: | + collector: + resources: {{ .value }} + complianceResources: | + collector: + complianceResources: {{ .value }} + exposeMonitoring: | + exposeMonitoring: {{ .value }} + +envVars: | + customize: + envVars: + {{- range $_, $v := .rawValue }} + {{ quote $v.name }}: {{ quote $v.value }} + {{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/internal/config-shape.yaml b/rhacs/4.3.5/secured-cluster-services/internal/config-shape.yaml new file mode 100644 index 0000000..57450fa --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/internal/config-shape.yaml 
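Review bot: In internal/compatibility-translation.yaml, the `envVars` rule renders each legacy entry as `{{ quote $v.name }}: {{ quote $v.value }}`, so an entry that used `valueFrom` instead of `value` is silently translated to an empty string; either reject such entries or document that only literal `value` entries are migrated. Style: `tag: {{ .value}}` under `image.tag.main` is missing the space before `}}` that every other fragment has; the `config.dynamic` block is all `null` placeholders with only a type comment, while `offlineMode: null # not used` explains why it is ignored, so give `config.dynamic` the same treatment or note that the `config.admissionControl.*` rules supersede it.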
@@ -0,0 +1,162 @@ +clusterName: null # string +clusterLabels: null # dict +confirmNewClusterName: null # string +centralEndpoint: null # string +registryOverride: null # string +exposeMonitoring: null # bool +createUpgraderServiceAccount: null # string +helmManaged: null +createSecrets: null +additionalCAs: null # [obj] +imagePullSecrets: + username: null # string + password: null # string + allowNone: null # bool + useExisting: null # string | [string] + useFromDefaultServiceAccount: null # bool +mainImagePullSecrets: + username: null # string + password: null # string + useExisting: null # string | [string] + useFromDefaultServiceAccount: null # bool + allowNone: null # bool +collectorImagePullSecrets: + username: null # string + password: null # string + useExisting: null # string | [string] + useFromDefaultServiceAccount: null # bool + allowNone: null # bool +image: + registry: null # string + main: + registry: null # string + name: null # string + repository: null # string + tag: null # string + fullRef: null # string + pullPolicy: null # string + collector: + slim: + fullRef: null # string + full: + fullRef: null # string + registry: null # string + name: null # string + repository: null # string + tag: null # string + fullRef: null # string + pullPolicy: null # string + scanner: + registry: null # string + name: null # string + repository: null # string + tag: null # string + fullRef: null # string + scannerDb: + registry: null # string + name: null # string + tag: null # string + fullRef: null # string +env: + openshift: null # bool | int + istio: null # bool +ca: + cert: null # string +sensor: + imagePullPolicy: null # string + endpoint: null # string + affinity: null # dict + resources: null # string | dict + serviceTLS: + cert: null # string + key: null # string + exposeMonitoring: null # bool + nodeSelector: null # string | dict + tolerations: null # [dict] + localImageScanning: + # Enables the local image scanning feature in Sensor. 
This disabled if local image scanning should not be used to prevent + # sensor reaching out to a scanner instance. + # This setting does not relate to the scanner deployment configuration which configures whether scanner should be deployed. + enabled: null # bool +admissionControl: + listenOnCreates: null # bool + listenOnUpdates: null # bool + listenOnEvents: null # bool + dynamic: + enforceOnCreates: null # bool + scanInline: null # bool + disableBypass: null # bool + timeout: null # natural number + enforceOnUpdates: null # bool + imagePullPolicy: null # string + replicas: null # int + affinity: null # dict + resources: null # string | dict + serviceTLS: + cert: null # string + key: null # string + exposeMonitoring: null # bool + nodeSelector: null # string | dict + tolerations: null # [dict] +collector: + collectionMethod: null # string + disableTaintTolerations: null # bool + slimMode: null # bool + imagePullPolicy: null # string + tolerations: null # [dict] + resources: null # string | dict + complianceImagePullPolicy: null # string + complianceResources: null # string | dict + nodeScanningResources: null # string | dict + serviceTLS: + cert: null # string + key: null # string + exposeMonitoring: null # bool + nodeSelector: null # string | dict + disableSELinuxOptions: null # bool + seLinuxOptionsType: null # string +auditLogs: + disableCollection: null # bool +customize: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + sensor: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + admission-control: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + collector: + labels: {} # dict + annotations: {} # dict + podLabels: {} # dict + podAnnotations: {} # dict + envVars: {} # dict + other: {} # dict +allowNonstandardNamespace: null # bool 
+allowNonstandardReleaseName: null # bool +enableOpenShiftMonitoring: null # bool +monitoring: + openshift: + enabled: null # bool +meta: + namespaceOverride: null # bool + useLookup: null # bool + fileOverrides: {} # dict + configFingerprintOverride: null # string + apiServer: + version: null # string + overrideAPIResources: null # [string] + extraAPIResources: null # [string] +system: + createSCCs: null # bool + enablePodSecurityPolicies: null # bool diff --git a/rhacs/4.3.5/secured-cluster-services/internal/defaults/00-bootstrap.yaml b/rhacs/4.3.5/secured-cluster-services/internal/defaults/00-bootstrap.yaml new file mode 100644 index 0000000..846ca57 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/internal/defaults/00-bootstrap.yaml @@ -0,0 +1,15 @@ +# If we are being linted, magically apply settings that will not cause linting to break. +{{- if eq .Release.Name "test-release" }} +{{- include "srox.warn" (list . "You are using a release name that is reserved for tests. In order to allow linting to work, certain checks have been relaxed. If you are deploying to a real environment, we recommend that you choose a different release name.") }} +allowNonstandardNamespace: true +allowNonstandardReleaseName: true +clusterName: test-cluster-for-lint +{{- end }} +--- + +_namespace: {{ default .Release.Namespace ._rox.meta.namespaceOverride }} + +--- +meta: + useLookup: true + fileOverrides: {} diff --git a/rhacs/4.3.5/secured-cluster-services/internal/defaults/10-env.yaml b/rhacs/4.3.5/secured-cluster-services/internal/defaults/10-env.yaml new file mode 100644 index 0000000..48605ae --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/internal/defaults/10-env.yaml 
@@ -0,0 +1,11 @@ +# This file applies default environment configuration, based on available API server resources. +{{- if kindIs "invalid" ._rox.env.istio }} +env: + {{- if has "networking.istio.io/v1alpha3" ._rox._apiServer.apiResources }} + istio: true + {{- include "srox.note" (list . "Based on API server properties, we have inferred that you are deploying into an Istio-enabled cluster. Set the `env.istio` property explicitly to false/true to override the auto-sensed value.") }} + {{- else }} + istio: false + {{- end }} +{{- end }} +system: diff --git a/rhacs/4.3.5/secured-cluster-services/internal/defaults/20-tls-files.yaml b/rhacs/4.3.5/secured-cluster-services/internal/defaults/20-tls-files.yaml new file mode 100644 index 0000000..6eb6408 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/internal/defaults/20-tls-files.yaml @@ -0,0 +1,23 @@ +# These defaults ensure that by default, certificates and keys are loaded from the respective files in the secrets/ +# directory that they needed to be placed in for the old sensor Helm chart. +# +# A user can specify either references to files (with a "@" prefix - note that this requires changing the chart, +# as Helm only allows accessing files that are part of the chart), or PEM-encoded certificates and keys directly. + +ca: + cert: "@?secrets/ca.pem" + +sensor: + serviceTLS: + cert: "@?secrets/sensor-cert.pem" + key: "@?secrets/sensor-key.pem" + +admissionControl: + serviceTLS: + cert: "@?secrets/admission-control-cert.pem" + key: "@?secrets/admission-control-key.pem" + +collector: + serviceTLS: + cert: "@?secrets/collector-cert.pem" + key: "@?secrets/collector-key.pem" diff --git a/rhacs/4.3.5/secured-cluster-services/internal/defaults/30-base-config.yaml b/rhacs/4.3.5/secured-cluster-services/internal/defaults/30-base-config.yaml new file mode 100644 index 0000000..dcb4921 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/internal/defaults/30-base-config.yaml 
@@ -0,0 +1,117 @@ +# This file contains basic configuration options for all services + +centralEndpoint: "central.{{ required "unknown namespace" ._rox._namespace }}.svc:443" +createUpgraderServiceAccount: false + +{{- if .Release.IsInstall }} +createSecrets: true +{{- end }} + +exposeMonitoring: false + +helmManaged: true + + +managedBy: MANAGER_TYPE_HELM_CHART + + +clusterName: "" +confirmNewClusterName: "" + +imagePullSecrets: + allowNone: true + useExisting: [] + useFromDefaultServiceAccount: true + +sensor: + endpoint: "sensor.{{ required "unknown namespace" ._rox._namespace }}.svc:443" + localImageScanning: + enabled: false + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # Sensor is single-homed, so avoid preemptible nodes. + - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: Exists + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: Exists + # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in + # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+ - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: DoesNotExist + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + +admissionControl: + listenOnCreates: false + listenOnUpdates: false + listenOnEvents: {{ not ._rox.env.openshift }} + dynamic: + enforceOnCreates: false + scanInline: false + disableBypass: false + timeout: 20 + enforceOnUpdates: false + replicas: 3 + + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # node-role.kubernetes.io/master is replaced by node-role.kubernetes.io/control-plane from certain version + # of k8s. We apply both to be compatible with any k8s version. + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: Exists + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 60 + podAffinityTerm: + topologyKey: "kubernetes.io/hostname" + labelSelector: + matchLabels: + app: admission-control + +collector: + collectionMethod: "EBPF" + disableTaintTolerations: false + nodescanningEndpoint: "127.0.0.1:8444" + tolerations: + - operator: "Exists" + +auditLogs: + disableCollection: {{ ne ._rox.env.openshift 4 }} + +enableOpenShiftMonitoring: false +--- +sensor: + exposeMonitoring: {{ ._rox.exposeMonitoring }} +collector: + exposeMonitoring: {{ ._rox.exposeMonitoring }} +admissionControl: + exposeMonitoring: {{ ._rox.exposeMonitoring }} diff --git a/rhacs/4.3.5/secured-cluster-services/internal/defaults/40-resources.yaml b/rhacs/4.3.5/secured-cluster-services/internal/defaults/40-resources.yaml new file mode 100644 index 0000000..4dd0c19 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/internal/defaults/40-resources.yaml 
@@ -0,0 +1,44 @@ +# This file contains the default resource requirements for the StackRox Secured Cluster services. + +sensor: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "8Gi" + cpu: "4" + +admissionControl: + resources: + requests: + memory: "100Mi" + cpu: "50m" + limits: + memory: "500Mi" + cpu: "500m" + +collector: + resources: + requests: + memory: "320Mi" + cpu: "50m" + limits: + memory: "1Gi" + cpu: "750m" + + complianceResources: + requests: + memory: "10Mi" + cpu: "10m" + limits: + memory: "2Gi" + cpu: "1" + + nodeScanningResources: + requests: + memory: "10Mi" + cpu: "10m" + limits: + memory: "500Mi" + cpu: "1" diff --git a/rhacs/4.3.5/secured-cluster-services/internal/defaults/50-images.yaml b/rhacs/4.3.5/secured-cluster-services/internal/defaults/50-images.yaml new file mode 100644 index 0000000..2145fab --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/internal/defaults/50-images.yaml 
@@ -0,0 +1,114 @@ +# This file contains the default image (registry + name + tag) settings) for all StackRox Secured Cluster +# Services. + +# Initialize default meta values +image: + registry: registry.redhat.io/advanced-cluster-security + main: + name: rhacs-main-rhel8 + pullPolicy: IfNotPresent + collector: + name: rhacs-collector-rhel8 + slimName: rhacs-collector-slim-rhel8 + scanner: + name: rhacs-scanner-slim-rhel8 + tag: 4.3.5 + + scannerDb: + name: rhacs-scanner-db-slim-rhel8 + tag: 4.3.5 + +--- +# Add registry defaults +image: + main: + registry: {{ ._rox.image.registry }} + collector: + registry: {{ if or (eq ._rox.image.registry "stackrox.io") (eq ._rox.image.registry "registry.connect.redhat.com") }}collector.stackrox.io{{ else }}{{ ._rox.image.registry }}{{ end }} + scanner: + registry: {{ ._rox.image.registry }} + + scannerDb: + registry: {{ ._rox.image.registry }} + +--- +# Default to collector slim mode. If configured registry equals the default we can assume the cluster has internet connectivity. 
+collector: + slimMode: {{ eq ._rox.image.collector.registry "registry.redhat.io/advanced-cluster-security" }} +--- +# Configure repository (registry + name) +image: + main: + repository: {{ list ._rox.image.main.registry ._rox.image.main.name | compact | join "/" }} + collector: + {{- if ._rox.collector.slimMode }} + repository: {{ list ._rox.image.collector.registry ._rox.image.collector.slimName | compact | join "/" }} + {{- else }} + repository: {{ list ._rox.image.collector.registry ._rox.image.collector.name | compact | join "/" }} + {{- end }} + scanner: + repository: {{ list ._rox.image.scanner.registry ._rox.image.scanner.name | compact | join "/" }} + + scannerDb: + repository: {{ list ._rox.image.scannerDb.registry ._rox.image.scannerDb.name | compact | join "/" }} + +--- +# Configure collector slim image full ref +image: + collector: + {{- if and ._rox.collector.slimMode ._rox.image.collector.slim.fullRef }} + fullRef: {{ ._rox.image.collector.slim.fullRef }} + {{- else if and (not ._rox.collector.slimMode) ._rox.image.collector.full.fullRef }} + fullRef: {{ ._rox.image.collector.full.fullRef }} + {{- end }} +--- +# Apply fullRef and configurations to images +image: + main: + {{- if or ._rox.image.main.tag ._rox.image.main.fullRef }} + {{- include "srox.warn" (list . "You have specified an explicit main image (tag). This will prevent the main image from being updated correctly when upgrading to a newer version of this chart.") }} + {{- else }} + _abbrevImageRef: {{ ._rox.image.main.repository }} + {{- end }} + tag: 4.3.5 + collector: + {{- if or ._rox.image.collector.tag ._rox.image.collector.fullRef }} + {{- include "srox.warn" (list . "You have specified an explicit collector image tag. This will prevent the collector image from being updated correctly when upgrading to a newer version of this chart.") }} + {{- if ._rox.collector.slimMode }} + {{- include "srox.warn" (list . "You have specified an explicit collector image tag. 
The slim collector setting will not have any effect.") }} + {{- end }} + {{- else }} + _abbrevImageRef: {{ ._rox.image.collector.repository }} + {{- end }} +--- +# Configure tags and pull policies +image: + collector: + {{- if ._rox.collector.slimMode }} + tag: "4.3.5" + pullPolicy: IfNotPresent + {{- else }} + tag: "4.3.5" + pullPolicy: Always + {{- end }} +--- +# Add fullRef references to images +# TODO(ROX-9261): Add support for image pull policy to scanner slim +image: + main: + fullRef: {{ printf "%s:%s" ._rox.image.main.repository ._rox.image.main.tag }} + collector: + fullRef: {{ printf "%s:%s" ._rox.image.collector.repository ._rox.image.collector.tag }} + scanner: + fullRef: {{ printf "%s:%s" ._rox.image.scanner.repository ._rox.image.scanner.tag }} + + scannerDb: + fullRef: {{ printf "%s:%s" ._rox.image.scannerDb.repository ._rox.image.scannerDb.tag }} + +collector: + imagePullPolicy: {{ ._rox.image.collector.pullPolicy }} + complianceImagePullPolicy: {{ ._rox.image.main.pullPolicy }} +sensor: + imagePullPolicy: {{ ._rox.image.main.pullPolicy }} +admissionControl: + imagePullPolicy: {{ ._rox.image.main.pullPolicy }} diff --git a/rhacs/4.3.5/secured-cluster-services/internal/defaults/60-sccs.yaml b/rhacs/4.3.5/secured-cluster-services/internal/defaults/60-sccs.yaml new file mode 100644 index 0000000..36e74fd --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/internal/defaults/60-sccs.yaml @@ -0,0 +1,2 @@ +system: + createSCCs: true diff --git a/rhacs/4.3.5/secured-cluster-services/internal/defaults/70-scanner.yaml b/rhacs/4.3.5/secured-cluster-services/internal/defaults/70-scanner.yaml new file mode 100644 index 0000000..43bc5d8 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/internal/defaults/70-scanner.yaml 
@@ -0,0 +1,38 @@ +scanner: + disable: true + replicas: 3 + logLevel: INFO + mode: slim + + autoscaling: + disable: false + minReplicas: 2 + maxReplicas: 5 + + resources: + requests: + memory: "1500Mi" + cpu: "1000m" + limits: + memory: "4Gi" + cpu: "2000m" + + dbResources: + limits: + cpu: "2000m" + memory: "4Gi" + requests: + cpu: "200m" + memory: "200Mi" + + slimImage: + name: "" + tag: "" + fullRef: "" + repository: "" + + slimDBImage: + name: "" + tag: "" + fullRef: "" + repository: "" diff --git a/rhacs/4.3.5/secured-cluster-services/internal/defaults/whats-this.md b/rhacs/4.3.5/secured-cluster-services/internal/defaults/whats-this.md new file mode 100644 index 0000000..d58c8de --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/internal/defaults/whats-this.md 
@@ -0,0 +1,39 @@ +`defaults/` directory +====================== + +This directory provides a set of files that provide a lighter-weight interface for configuring +defaults in the Helm chart, allowing the use of template expressions (including referencing previously +applied defaults) without requiring (an excessive amount of) template control structures (such as +`{{ if kindIs "invalid" ... }}` to determine if a value has already been set). + +After applying some "bootstrap" configuration (such as for making available API server resources +visible in a uniform manner), each `.yaml` file in this directory is processed in an order determined +by its name (hence the `NN-` prefixes). Each YAML file consists of multiple documents (separated by +`---` lines) that are rendered as templates and then _merged_ into the effective configuration, giving +strict preference to already set values. + +Having a deterministic order is important for being able to rely on previously configured +values (either specified by the user or applied as a default). For example, the file +```yaml +group: + setting: "foo" + anotherSetting: 3 +--- +group: + derivedSetting: {{ printf "%s-%d" ._rox.group.setting ._rox.group.anotherSetting }} +``` +combined with the command-line setting `--set group.setting=bar` will result in the following +"effective" configuration: +```yaml +group: + setting: "bar" # user-specified value takes precedence - default value "foo" not applied + anotherSetting: 3 # default value + derivedSetting: bar-3 # combination of user-specified value and default value; "pure" default without + # any --set arguments would be "foo-3" +``` + +**Caveats**: +- Templating instructions must be contained to a single document within the multi-document YAML files. In particular, + the `---` separator must not be within a conditionally rendered block, or emitted by templating code. +- It is recommended to contain dependencies between default settings to a single YAML file. 
While the `NN-` prefixes + ensure a well-defined application order of individual files, having dependent blocks in the same file adds clarity. diff --git a/rhacs/4.3.5/secured-cluster-services/internal/expandables.yaml b/rhacs/4.3.5/secured-cluster-services/internal/expandables.yaml new file mode 100644 index 0000000..09ebbae --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/internal/expandables.yaml @@ -0,0 +1,44 @@ +imagePullSecrets: + username: true + password: true +mainImagePullSecrets: + username: true + password: true +collectorImagePullSecrets: + username: true + password: true +ca: + cert: true +sensor: + serviceTLS: + cert: true + key: true + resources: true + nodeSelector: true +admissionControl: + serviceTLS: + cert: true + key: true + resources: true + nodeSelector: true +collector: + serviceTLS: + cert: true + key: true + resources: true + complianceResources: true + nodeScanningResources: true + nodeSelector: true +scanner: + resources: true + dbResources: true + nodeSelector: true + dbNodeSelector: true + dbPassword: + value: true + serviceTLS: + cert: true + key: true + dbServiceTLS: + cert: true + key: true diff --git a/rhacs/4.3.5/secured-cluster-services/internal/scanner-config-shape.yaml b/rhacs/4.3.5/secured-cluster-services/internal/scanner-config-shape.yaml new file mode 100644 index 0000000..da3b315 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/internal/scanner-config-shape.yaml 
@@ -0,0 +1,40 @@ +scanner: + mode: null # string + disable: null # bool + replicas: null # int + logLevel: null # string + nodeSelector: null # string | dict + dbNodeSelector: null # string | dict + tolerations: null # [dict] + dbTolerations: null # [dict] + autoscaling: + disable: null # bool + minReplicas: null # int + maxReplicas: null # int + affinity: null # dict + resources: null # string | dict + image: + registry: null # string + name: null # string + tag: null # string + fullRef: null # string + dbImage: + registry: null # string + name: null # string + tag: null # string + fullRef: null # string + dbResources: null # string | dict + dbPassword: + value: null # string + generate: null # bool + serviceTLS: + cert: null # string + key: null # string + generate: null # bool + dbServiceTLS: + cert: null # string + key: null # string + generate: null # bool + exposeMonitoring: null # bool +system: + enablePodSecurityPolicies: null # bool diff --git a/rhacs/4.3.5/secured-cluster-services/scripts/fetch-secrets.sh b/rhacs/4.3.5/secured-cluster-services/scripts/fetch-secrets.sh new file mode 100755 index 0000000..850a227 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/scripts/fetch-secrets.sh 
@@ -0,0 +1,41 @@ +#!/bin/sh + +# fetch-secrets.sh +# Retrieves StackRox TLS secrets currently stored in the current Kubernetes context, and stores them in a format +# suitable for consumption by the Helm chart. +# +# The YAML bundle is printed to stdout, use output redirection (>filename) to store the output to a file. +# This script supports the following environment variables: +# - KUBECTL: the command to use for kubectl. Spaces will be tokenized by the shell interpreter (default: "kubectl"). +# - ROX_NAMESPACE: the namespace in which the current StackRox deployment runs (default: "stackrox") +# - FETCH_CA_ONLY: if set to "true", will create a bundle containing only the CA certificate (default: "false") + +DIR="$(cd "$(dirname "$0")" && pwd)" + +KUBECTL="${KUBECTL:-kubectl}" +ROX_NAMESPACE="${ROX_NAMESPACE:-stackrox}" + +FETCH_CA_ONLY="${FETCH_CA_ONLY:-false}" + +case "$FETCH_CA_ONLY" in + false|0) + TEMPLATE_FILE="fetched-secrets-bundle.yaml.tpl" + DESCRIPTION="certificates and keys" + ;; + true|1) + TEMPLATE_FILE="fetched-secrets-bundle-ca-only.yaml.tpl" + DESCRIPTION="CA certificate only" + ;; + *) + echo >&2 "Invalid value '$FETCH_CA_ONLY' for FETCH_CA_ONLY, only false and true are allowed" + exit 1 +esac + +# The leading '#' signs aren't required as they don't go to stdout, but when printing to the console, +# it looks more natural to include them. +echo >&2 "# Fetching $DESCRIPTION from current Kubernetes context (namespace $ROX_NAMESPACE), store" +echo >&2 "# the output in a file and pass it to helm via the -f parameter." + +$KUBECTL get --ignore-not-found -n "$ROX_NAMESPACE" \ + secret/sensor-tls secret/collector-tls secret/admission-control-tls \ + -o go-template-file="${DIR}/${TEMPLATE_FILE}" \ diff --git a/rhacs/4.3.5/secured-cluster-services/scripts/fetched-secrets-bundle-ca-only.yaml.tpl b/rhacs/4.3.5/secured-cluster-services/scripts/fetched-secrets-bundle-ca-only.yaml.tpl new file mode 100644 index 0000000..b5a13c2 --- /dev/null 
+++ b/rhacs/4.3.5/secured-cluster-services/scripts/fetched-secrets-bundle-ca-only.yaml.tpl @@ -0,0 +1,9 @@ +{{- range $item := .items }} +{{- if eq $item.metadata.name "sensor-tls" }} +{{- $caPEM := index $item.data "ca.pem" }} +{{- if $caPEM }} +ca: + cert: "{{ $caPEM | base64decode | js }}" +{{- end }} +{{- end }} +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/scripts/fetched-secrets-bundle.yaml.tpl b/rhacs/4.3.5/secured-cluster-services/scripts/fetched-secrets-bundle.yaml.tpl new file mode 100644 index 0000000..72bb452 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/scripts/fetched-secrets-bundle.yaml.tpl @@ -0,0 +1,35 @@ +{{- range $item := .items }} +{{- if eq $item.metadata.name "sensor-tls" }} +{{- $caPEM := index $item.data "ca.pem" }} +{{- if $caPEM }} +ca: + cert: "{{ $caPEM | base64decode | js }}" +{{- end }} +{{- $sensorCert := index $item.data "sensor-cert.pem" }} +{{- $sensorKey := index $item.data "sensor-key.pem" }} +{{- if and $sensorCert $sensorKey }} +sensor: + serviceTLS: + cert: "{{ $sensorCert | base64decode | js }}" + key: "{{ $sensorKey | base64decode | js }}" +{{- end }} +{{- else if eq $item.metadata.name "collector-tls" }} +{{- $collectorCert := index $item.data "collector-cert.pem" }} +{{- $collectorKey := index $item.data "collector-key.pem" }} +{{- if and $collectorCert $collectorKey }} +collector: + serviceTLS: + cert: "{{ $collectorCert | base64decode | js }}" + key: "{{ $collectorKey | base64decode | js }}" +{{- end }} +{{- else if eq $item.metadata.name "admission-control-tls" }} +{{- $admCtrlCert := index $item.data "admission-control-cert.pem" }} +{{- $admCtrlKey := index $item.data "admission-control-key.pem" }} +{{- if and $admCtrlCert $admCtrlKey }} +admissionControl: + serviceTLS: + cert: "{{ $admCtrlCert | base64decode | js }}" + key: "{{ $admCtrlKey | base64decode | js }}" +{{- end }} +{{- end }} +{{- end }} 
diff --git a/rhacs/4.3.5/secured-cluster-services/sensor-chart-upgrade.md b/rhacs/4.3.5/secured-cluster-services/sensor-chart-upgrade.md new file mode 100644 index 0000000..615a03a --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/sensor-chart-upgrade.md 
@@ -0,0 +1,159 @@ +# Upgrading from the `sensor` Helm chart + +There are differences between the `sensor` Helm chart that was part of the +StackRox Kubernetes Security Platform version 3.0.54 and the Secured Cluster +Services Helm chart in the StackRox Kubernetes Security Platform version 3.0.55. + +Therefore, if you are using the StackRox Kubernetes Security Platform version 3.0.54 +or older, and you've used the `sensor` Helm chart, you must verify (and change) +the following additional options to upgrade to the new Helm charts for the +StackRox Kubernetes Security Platform version 3.0.55. + +## Namespace + +|Version 3.0.54 and older |Version 3.0.55 and newer | +|-------------------------|-------------------------| +|The `sensor` Helm chart creates all Kubernetes resources in the `stackrox` namespace, even if you've used the `-n`/`--namespace` flag to the `helm install` command.|The Secured Cluster Services Helm chart creates all resources in the namespace you specify by using the `-n`/`--namespace` flag. However, we recommend that you always install the chart in the `stackrox` namespace.| + +If you've previously installed the `sensor` Helm chart into a namespace other +than `stackrox`, you **must** set the namespace override option to `stackrox`. + +To do this, either: +- pass the `--set meta.namespaceOverride=stackrox` flag, or +- add the following section in your configuration file: + ```yaml + meta: + namespaceOverride: stackrox + ``` + +## Configuration file + +|Version 3.0.54 and older |Version 3.0.55 and newer | +|-------------------------|--------------------------| +|Installation using the `sensor` Helm chart requires adding your customizations in the `values.yaml` file that is part of the chart.|The Secured Cluster Services Helm chart uses a separate configuration file.| + +> **IMPORTANT** +> +> If you are using the Secured Cluster Services Helm chart, **do not** modify +> the `values.yaml` file that is part of the chart. 
+ +We recommend that you always store the configuration in separate files: + +- `values-public.yaml`: include all non-sensitive configuration options in this + file. +- `values-private.yaml`: include all sensitive configuration options such as + image pull secrets or certificates and keys. + +You can also use a separate file for the cluster init bundle. For more +information, see the main [README.md](README.md) file. + +## Secrets injection + +|Version 3.0.54 and older |Version 3.0.55 and newer | +|-------------------------|--------------------------| +|The `sensor` Helm chart downloads certificates and private keys specific to a single cluster and stores them in the `secrets/` directory.|The Secured Cluster Services Helm chart uses cluster init bundles. For more information, see the main [README.md](README.md) file.| + +To upgrade, +1. Copy the `values.yaml` you used for the most recent installation or upgrade of the + `sensor` Helm chart and store it as `sensor-values.yaml`. +1. Connect to the Kubernetes cluster on which you've previously installed the + `sensor` Helm chart. +1. Run `./scripts/fetch-secrets.sh`. The `fetch-secrets.sh` script shows a YAML + file as output, which contains all secrets. Store the output of this command + in a file (you can use `./scripts/fetch-secrets.sh >secrets.yaml` to directly + write the command output to a file called `secrets.yaml`). +1. Run the `helm upgrade` command and pass the YAML (from the previous step) file by + using the `-f` option: + ```sh + helm upgrade -n stackrox sensor stackrox/secured-cluster-services \ + --reuse-values -f sensor-values.yaml -f ... + ``` + The above command assumes that you have added the https://mirror.openshift.com/pub/rhacs/charts Helm + chart repository to your local Helm installation. See the main [README.md](README.md) + for instructions on how to set this up. 
+ If you want to use this chart from a local directory, replace + `stackrox/secured-cluster-services` with the path to the chart directory. + +> **NOTE** +> +> Although you can copy the `secrets` directory from your old `sensor` Helm +> chart instead, we **do not** recommend doing it. + + +## Helm-managed clusters + +When you use the Secured Cluster Services Helm chart, the clusters it creates +are treated as Helm-managed by default. It means that whenever you run the +`helm upgrade` command afterward, it applies the configuration changes specified +in your Helm configuration file, overwriting any changes to settings you've done +through the StackRox portal. + +Additionally, because of the differences between the Helm upgrade and the +StackRox Kubernetes Security Platform automatic upgrade, you can't use +the automatic upgrades option from the StackRox portal. + +If you don't want an upgraded cluster to be treated as Helm-managed, set the +`helmManaged` configuration option to `false`. + +## Configuration format + +There are differences between the configuration format that the sensor Helm +chart uses and the Secured Cluster Services Helm chart's uses. We recommend that +you migrate to the new configuration format. + +Here is the list of old and new configuration options: + +|Old configuration option |New configuration option | +|-------------------------|-------------------------| +| `cluster.name` | `clusterName` | +| `cluster.type` | Set `env.openshift` to `true` for `cluster.type=OPENSHIFT_CLUSTER` and `false` for `cluster.type=KUBERNETES_CLUSTER`. Leave unset to automatically detect (recommended). 
| +| `endpoint.central` | `centralEndpoint` | +| `endpoint.advertised` | `sensor.endpoint` | +| `image.repository.main` | `image.main.name` | +| `image.repository.collector` | `image.collector.name` | +| `image.registry.main` | `image.main.registry` | +| `image.registry.collector` | `image.collector.registry` | +| `image.pullPolicy.main` | `image.main.pullPolicy` | +| `image.pullPolicy.collector` | `image.collector.pullPolicy` | +| `image.tag.main` | `image.main.tag` | +| `image.tag.collector` | `image.collector.tag` | +| `config.collectionMethod` | `collector.collectionMethod` | +| `config.admissionControl.createService` | `admissionControl.listenOnCreates` | +| `config.admissionControl.listenOnUpdates` | `admissionControl.listenOnUpdates` | +| `config.admissionControl.enableService` | `admissionControl.dynamic.enforceOnCreates` | +| `config.admissionControl.enforceOnUpdates` | `admissionControl.dynamic.enforceOnUpdates` | +| `config.admissionControl.scanInline` | `admissionControl.dynamic.scanInline` | +| `config.admissionControl.disableBypass` | `admissionControl.dynamic.disableBypass` | +| `config.admissionControl.timeout` | `admissionControl.dynamic.timeout` | +| `config.registryOverride` | `registryOverride` | +| `config.disableTaintTolerations` | `collector.disableTaintTolerations` | +| `config.createUpgraderServiceAccount` | `createUpgraderServiceAccount` | +| `config.createSecrets` | `createSecrets` | +| `config.offlineMode` | This option has no effect and will be removed. 
| +| `config.slimCollector` | `collector.slimMode` | +| `config.sensorResources` | `sensor.resources` | +| `config.admissionControlResources` | `admissionControl.resources` | +| `config.collectorResources` | `collector.resources` | +| `config.complianceResources` | `collector.complianceResources` | +| `config.exposeMonitoring` | `exposeMonitoring` | +| `envVars` | See example below | + +**Custom environment variables:** The old format for custom environment variable settings was +```yaml +envVars: +- name: ENV_VAR1 + value: "value1" +- name: ENV_VAR2 + value: "value2" +... +``` + +In the new configuration format, rewrite this as: +```yaml +customize: + envVars: + ENV_VAR1: "value1" + ENV_VAR2: "value2" +``` +You can find out more about customizing object labels, annotations, and environment variables in the main +[README.md](README.md). \ No newline at end of file diff --git a/rhacs/4.3.5/secured-cluster-services/templates/00-collector-image-pull-secrets.yaml b/rhacs/4.3.5/secured-cluster-services/templates/00-collector-image-pull-secrets.yaml new file mode 100644 index 0000000..eba103f --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/00-collector-image-pull-secrets.yaml @@ -0,0 +1,18 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.collectorImagePullSecrets._dockerAuths }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: secured-cluster-services-collector + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "secured-cluster-services-collector") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "secured-cluster-services-collector") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +data: + .dockerconfigjson: {{ dict "auths" ._rox.collectorImagePullSecrets._dockerAuths | toJson | b64enc | quote }} +{{ end }} 
diff --git a/rhacs/4.3.5/secured-cluster-services/templates/00-injected-ca-bundle.yaml b/rhacs/4.3.5/secured-cluster-services/templates/00-injected-ca-bundle.yaml new file mode 100644 index 0000000..3289c2a --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/00-injected-ca-bundle.yaml @@ -0,0 +1,15 @@ +{{- include "srox.init" . -}} + +{{- if eq ._rox.env.openshift 4 }} +{{ $injectedCABundleName := printf "injected-cabundle-%s" .Release.Name }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $injectedCABundleName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" $injectedCABundleName) | nindent 4 }} + "config.openshift.io/inject-trusted-cabundle": "true" + annotations: + {{- include "srox.annotations" (list . "configmap" $injectedCABundleName) | nindent 4 }} +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/00-main-image-pull-secrets.yaml b/rhacs/4.3.5/secured-cluster-services/templates/00-main-image-pull-secrets.yaml new file mode 100644 index 0000000..052aa3e --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/00-main-image-pull-secrets.yaml @@ -0,0 +1,18 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.mainImagePullSecrets._dockerAuths }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: secured-cluster-services-main + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "secured-cluster-services-main") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "secured-cluster-services-main") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +data: + .dockerconfigjson: {{ dict "auths" ._rox.mainImagePullSecrets._dockerAuths | toJson | b64enc | quote }} +{{ end }} 
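Review bot: 00-main-image-pull-secrets.yaml is a line-for-line copy of 00-collector-image-pull-secrets.yaml with only the Secret name and the `._rox.mainImagePullSecrets` path changed; factor the Secret body into a named template taking the name and the auths dict so the two cannot drift. Note also that both pull-secret templates use `namespace: {{ ._rox._namespace }}` while the ConfigMap in 00-injected-ca-bundle.yaml and the remaining templates use `{{ .Release.Namespace }}`; NOTES.txt in this change explicitly allows the two to differ, and a ServiceAccount can only reference imagePullSecrets in its own namespace, so the scanner ServiceAccount (rendered into `.Release.Namespace`) would not find a Secret created elsewhere. Confirm this is intentional or pick one namespace source for all objects.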
diff --git a/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-00-serviceaccount.yaml b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-00-serviceaccount.yaml new file mode 100644 index 0000000..a27c602 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-00-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "scanner") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.imagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} + +{{ end -}} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-01-psps.yaml b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-01-psps.yaml new file mode 100644 index 0000000..23b398c --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-01-psps.yaml 
@@ -0,0 +1,69 @@ +{{- include "srox.init" . -}} + +{{- if and (not ._rox.scanner.disable) ._rox.system.enablePodSecurityPolicies }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }} + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }} +rules: +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-scanner-psp + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }} +subjects: + - kind: ServiceAccount + name: scanner + namespace: {{ .Release.Namespace }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} 
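Review bot: `runAsUser: rule: 'RunAsAny'` in the PodSecurityPolicy is looser than the workloads it governs: both scanner Deployments in this change set `runAsNonRoot: true` with fixed uids, so `rule: 'MustRunAsNonRoot'` would state the intent and block a future template edit that drops the uid. Since `policy/v1beta1` PodSecurityPolicy no longer exists on Kubernetes 1.25 and later, consider also guarding the block with `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` and documenting `system.enablePodSecurityPolicies` as applying to older clusters only, so enabling it on a newer cluster does not fail at apply time.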
diff --git a/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-01-security.yaml b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-01-security.yaml new file mode 100644 index 0000000..3c1d92b --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-01-security.yaml 
@@ -0,0 +1,78 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable }} +{{- if and ._rox.env.openshift ._rox.system.createSCCs }} +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-scanner") | nindent 4 }} + kubernetes.io/description: stackrox-scanner is the security constraint for the Scanner container +priority: 0 +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +users: + - system:serviceaccount:{{ .Release.Namespace }}:scanner +volumes: + - '*' +allowHostDirVolumePlugin: false +allowedCapabilities: [] +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +defaultAddCapabilities: [] +fsGroup: + type: RunAsAny +readOnlyRootFilesystem: false +requiredDropCapabilities: [] + +{{- else if eq ._rox.env.openshift 4 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: use-scanner-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "use-scanner-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "role" "use-scanner-scc") | nindent 4 }} +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - anyuid + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: scanner-use-scc + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "scanner-use-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"rolebinding" "scanner-use-scc") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: use-scanner-scc +subjects: +- kind: ServiceAccount + name: scanner + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-02-db-password-secret.yaml b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-02-db-password-secret.yaml new file mode 100644 index 0000000..c6c0bc1 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-02-db-password-secret.yaml @@ -0,0 +1,27 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +{{- if ._rox.scanner._dbPassword -}} +{{- if not (kindIs "invalid" ._rox.scanner._dbPassword.value) -}} + +apiVersion: v1 +kind: Secret +metadata: + name: scanner-db-password + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "secret" "scanner-db-password") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "scanner-db-password") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": keep +type: Opaque +stringData: + password: | + {{- ._rox.scanner._dbPassword.value | nindent 4 }} + +{{- end -}} +{{- end -}} + +{{ end -}} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-04-scanner-config.yaml b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-04-scanner-config.yaml new file mode 100644 index 0000000..4ed16c7 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-04-scanner-config.yaml 
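Review bot: The SecurityContextConstraints in 02-scanner-01-security.yaml grants more than the scanner pods use: `volumes: ['*']` and `seccompProfiles: ['*']`, where the PodSecurityPolicy in 02-scanner-01-psps.yaml enumerates six volume types, plus `readOnlyRootFilesystem: false`. Mirror the PSP's volume list here and set `seccompProfiles: ['runtime/default']` unless the scanner actually needs another profile. In the `else if eq ._rox.env.openshift 4` fallback, the Role grants `use` on the stock `anyuid` SCC, which also admits uid 0; both scanner Deployments declare `runAsNonRoot: true` with uids 65534 and 70, so binding to the `nonroot` SCC would cover them with less privilege.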
@@ -0,0 +1,18 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: scanner-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "configmap" "scanner-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "configmap" "scanner-config") | nindent 4 }} +data: + config.yaml: | + {{- tpl (.Files.Get "config-templates/scanner/config.yaml.tpl") . | nindent 4 }} + +{{ end -}} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-05-network-policy.yaml b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-05-network-policy.yaml new file mode 100644 index 0000000..99f7233 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-05-network-policy.yaml 
@@ -0,0 +1,91 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: scanner + ingress: + - from: + - podSelector: + matchLabels: + app: central + ports: + - port: 8080 + protocol: TCP + - port: 8443 + protocol: TCP +{{ if or (eq ._rox.scanner.mode "slim") ._rox.env.openshift }} + - from: + - podSelector: + matchLabels: + app: sensor + ports: + - port: 8080 + protocol: TCP + - port: 8443 + protocol: TCP +{{ end }} + policyTypes: + - Ingress + +--- + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner-db") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: scanner-db + ingress: + - from: + - podSelector: + matchLabels: + app: scanner + ports: + - port: 5432 + protocol: TCP + policyTypes: + - Ingress + +{{ end -}} + +{{ if ._rox.scanner.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: scanner-monitoring + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "scanner-monitoring") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "scanner-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: scanner + policyTypes: + - Ingress +{{ end }} 
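Review bot: The `scanner-monitoring` NetworkPolicy at the end of 02-scanner-05-network-policy.yaml has an ingress rule with `ports` but no `from`, which admits traffic to 9090 from every pod in the cluster rather than only the monitoring stack; add a `from` with a `namespaceSelector`/`podSelector` for the scraper (or a value to configure one) so `exposeMonitoring` does not widen reachability beyond the central/sensor rules above it. It is also placed after the `{{ end -}}` that closes `if not ._rox.scanner.disable`, so with the scanner disabled and `exposeMonitoring` set the policy is still rendered for a workload that does not exist; move it inside the guard. All three policies declare `policyTypes: - Ingress` only, leaving scanner and scanner-db egress unrestricted, which may be intended but deserves a comment.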
diff --git a/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-06-deployment.yaml b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-06-deployment.yaml new file mode 100644 index 0000000..89ac82c --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-06-deployment.yaml 
@@ -0,0 +1,296 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + app: scanner + {{- include "srox.labels" (list . "deployment" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "deployment" "scanner") | nindent 4 }} +spec: + replicas: {{ ._rox.scanner.replicas }} + minReadySeconds: 15 + selector: + matchLabels: + app: scanner + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: scanner + {{- include "srox.podLabels" (list . "deployment" "scanner") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8080,8443" + {{- include "srox.podAnnotations" (list . "deployment" "scanner") | nindent 8 }} + spec: + {{- if ._rox.scanner._nodeSelector }} + nodeSelector: + {{- ._rox.scanner._nodeSelector | nindent 8 }} + {{- end }} + {{- if ._rox.scanner.tolerations }} + tolerations: + {{- toYaml ._rox.scanner.tolerations | nindent 8 }} + {{- end }} + affinity: + {{- toYaml ._rox.scanner.affinity | nindent 8 }} + containers: + - name: scanner + {{ if eq ._rox.scanner.mode "slim" -}} + image: {{ ._rox.scanner.slimImage.fullRef | quote }} + {{ else }} + image: {{ ._rox.scanner.image.fullRef | quote }} + {{ end -}} + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if ._rox.env.openshift }} + - name: ROX_OPENSHIFT_API + value: "true" + {{- end}} + {{- include "srox.envVars" (list . 
"deployment" "scanner" "scanner") | nindent 8 }} + resources: + {{- ._rox.scanner._resources | nindent 10 }} + command: + - /entrypoint.sh + ports: + - name: https + containerPort: 8080 + - name: grpc + containerPort: 8443 + {{ if ._rox.scanner.exposeMonitoring -}} + - name: monitoring + containerPort: 9090 + {{- end}} + securityContext: + capabilities: + drop: ["NET_RAW"] + runAsUser: 65534 + readinessProbe: + httpGet: + scheme: HTTPS + path: /scanner/ping + port: 8080 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + volumeMounts: + - name: scanner-etc-ssl-volume + mountPath: /etc/ssl + - name: scanner-etc-pki-volume + mountPath: /etc/pki/ca-trust + - name: additional-ca-volume + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + - name: scanner-config-volume + mountPath: /etc/scanner + readOnly: true + - name: scanner-tls-volume + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: vuln-temp-db + mountPath: /var/lib/stackrox + - name: proxy-config-volume + mountPath: /run/secrets/stackrox.io/proxy-config/ + readOnly: true + - name: scanner-db-password + mountPath: /run/secrets/stackrox.io/secrets + readOnly: true + {{- include "srox.injectedCABundleVolumeMount" . | nindent 8 }} + securityContext: + runAsNonRoot: true + runAsUser: 65534 + serviceAccountName: scanner + volumes: + - name: additional-ca-volume + secret: + defaultMode: 420 + optional: true + secretName: additional-ca + - name: scanner-etc-ssl-volume + emptyDir: {} + - name: scanner-etc-pki-volume + emptyDir: {} + - name: scanner-config-volume + configMap: + name: scanner-config + - name: scanner-tls-volume + secret: + secretName: scanner-tls + - name: vuln-temp-db + emptyDir: {} + - name: proxy-config-volume + secret: + secretName: proxy-config + optional: true + - name: scanner-db-password + secret: + secretName: scanner-db-password + {{- include "srox.injectedCABundleVolume" . 
| nindent 6 }} +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + app: scanner-db + {{- include "srox.labels" (list . "deployment" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "deployment" "scanner-db") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: scanner-db + strategy: + type: Recreate + template: + metadata: + namespace: {{ .Release.Namespace }} + labels: + app: scanner-db + {{- include "srox.podLabels" (list . "deployment" "scanner-db") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "5432" + {{- include "srox.podAnnotations" (list . "deployment" "scanner-db") | nindent 8 }} + spec: + {{- if ._rox.scanner._dbNodeSelector }} + nodeSelector: + {{- ._rox.scanner._dbNodeSelector | nindent 8 }} + {{- end }} + {{- if ._rox.scanner.dbTolerations }} + tolerations: + {{- toYaml ._rox.scanner.dbTolerations | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + # ScannerDB is single-homed, so avoid preemptible nodes. + - weight: 100 + preference: + matchExpressions: + - key: cloud.google.com/gke-preemptible + operator: NotIn + values: + - "true" + - weight: 50 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: Exists + - weight: 25 + preference: + matchExpressions: + - key: node-role.kubernetes.io/compute + operator: Exists + # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in + # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. 
+ - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: DoesNotExist + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + initContainers: + - name: init-db + {{ if eq ._rox.scanner.mode "slim" -}} + image: {{ ._rox.scanner.slimDBImage.fullRef | quote }} + {{ else -}} + image: {{ ._rox.scanner.dbImage.fullRef | quote }} + {{ end -}} + env: + - name: POSTGRES_PASSWORD_FILE + value: "/run/secrets/stackrox.io/secrets/password" + - name: ROX_SCANNER_DB_INIT + value: "true" + resources: + {{- ._rox.scanner._dbResources | nindent 12 }} + volumeMounts: + - name: scanner-db-data + mountPath: /var/lib/postgresql/data + - name: scanner-db-tls-volume + mountPath: /run/secrets/stackrox.io/certs + readOnly: true + - name: scanner-db-password + mountPath: /run/secrets/stackrox.io/secrets + readOnly: true + containers: + - name: db + {{ if eq ._rox.scanner.mode "slim" -}} + image: {{ ._rox.scanner.slimDBImage.fullRef | quote }} + {{ else -}} + image: {{ ._rox.scanner.dbImage.fullRef | quote }} + {{ end -}} + env: + {{- include "srox.envVars" (list . 
"deployment" "scanner-db" "db") | nindent 10 }} + ports: + - name: tcp-postgresql + protocol: TCP + containerPort: 5432 + resources: + {{- ._rox.scanner._dbResources | nindent 10 }} + volumeMounts: + - name: scanner-db-data + mountPath: /var/lib/postgresql/data + - name: scanner-db-tls-volume + mountPath: /run/secrets/stackrox.io/certs + readOnly: true + serviceAccountName: scanner + securityContext: + fsGroup: 70 + runAsGroup: 70 + runAsNonRoot: true + runAsUser: 70 + volumes: + - name: scanner-config-volume + configMap: + name: scanner-config + - name: scanner-tls-volume + secret: + secretName: scanner-tls + - name: scanner-db-tls-volume + secret: + secretName: scanner-db-tls + defaultMode: 0640 + items: + - key: cert.pem + path: server.crt + - key: key.pem + path: server.key + - key: ca.pem + path: root.crt + - name: scanner-db-data + emptyDir: {} + - name: scanner-db-password + secret: + secretName: scanner-db-password + +{{ end -}} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-07-service.yaml b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-07-service.yaml new file mode 100644 index 0000000..2f65b15 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-07-service.yaml 
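Review bot: In 02-scanner-06-deployment.yaml the scanner-db pod declares `scanner-config-volume` and `scanner-tls-volume` under `volumes:`, but neither `init-db` nor `db` mounts them; drop both, since an unmounted Secret volume still makes the pod depend on `scanner-tls` existing and has kubelet materialize the scanner's key material on the node for no use. The container securityContexts also stop short of what the PSP and SCC in this change require: neither `scanner` nor `db` sets `allowPrivilegeEscalation: false`, and `db` drops no capabilities at all, so those protections only apply where a policy object happens to be installed. Add `allowPrivilegeEscalation: false` (and `drop: ["ALL"]` where the binary needs no capabilities) to each container so the hardening holds on clusters without PSP or SCC.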
@@ -0,0 +1,99 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +apiVersion: v1 +kind: Service +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "scanner") | nindent 4 }} +spec: + ports: + - name: https-scanner + port: 8080 + targetPort: 8080 + - name: grpcs-scanner + port: 8443 + targetPort: 8443 + {{ if ._rox.scanner.exposeMonitoring -}} + - name: monitoring + port: 9090 + targetPort: monitoring + {{- end}} + selector: + app: scanner + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + name: scanner-db + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "service" "scanner-db") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "service" "scanner-db") | nindent 4 }} +spec: + ports: + - name: tcp-db + port: 5432 + targetPort: 5432 + selector: + app: scanner-db + type: ClusterIP + +{{ if ._rox.env.istio }} +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: scanner-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }} + annotations: + stackrox.io/description: "Disable Istio mTLS for ports 8080 and 8443, since StackRox services use built-in mTLS." + {{- include "srox.annotations" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }} +spec: + host: scanner.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8080 + tls: + mode: DISABLE + - port: + number: 8443 + tls: + mode: DISABLE + +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: scanner-db-internal-no-istio-mtls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . 
"destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }} + annotations: + stackrox.io/description: "Disable Istio mTLS for port 5432, since StackRox services use built-in mTLS." + {{- include "srox.annotations" (list . "destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }} +spec: + host: scanner-db.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 5432 + tls: + mode: DISABLE +{{ end }} + +{{ end -}} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-08-hpa.yaml b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-08-hpa.yaml new file mode 100644 index 0000000..c7af476 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/02-scanner-08-hpa.yaml @@ -0,0 +1,25 @@ +{{- include "srox.init" . -}} + +{{- if not ._rox.scanner.disable -}} + +{{- if not ._rox.scanner.autoscaling.disable -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }} +spec: + minReplicas: {{ ._rox.scanner.autoscaling.minReplicas }} + maxReplicas: {{ ._rox.scanner.autoscaling.maxReplicas }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: scanner + targetCPUUtilizationPercentage: 150 +{{ end -}} + +{{ end -}} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/NOTES.txt b/rhacs/4.3.5/secured-cluster-services/templates/NOTES.txt new file mode 100644 index 0000000..9c9fd01 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/NOTES.txt 
@@ -0,0 +1,40 @@ +{{- $_ := include "srox.init" . -}} + +StackRox Secured Cluster Services {{.Chart.AppVersion}} has been installed. + + +Secured Cluster Configuration Summary: + + Name: {{ ._rox.clusterName }} + Kubernetes Namespace: {{ ._rox._namespace }}{{ if ne .Release.Namespace ._rox._namespace }} [NOTE: Helm release is attached to namespace {{ .Release.Namespace }}]{{ end }} + Helm Release Name: {{ .Release.Name }} + Central Endpoint: {{ ._rox.centralEndpoint }} + OpenShift Cluster: {{ if eq ._rox.env.openshift 0 -}} false {{ else -}} {{ ._rox.env.openshift }} {{ end }} + Admission Control Webhooks deployed: {{ or ._rox.admissionControl.dynamic.listenOnCreates ._rox.admissionControl.dynamic.listenOnUpdates ._rox.admissionControl.dynamic.listenOnEvents}} + Admission Control Creates/Updates enforced: {{ or ._rox.admissionControl.dynamic.enforceOnCreates ._rox.admissionControl.dynamic.enforceOnUpdates }} + +{{ if ._rox._state.notes -}} +Please take note of the following: +{{ range ._rox._state.notes }} +- {{ . | wrapWith 98 "\n " -}} +{{ end }} + +{{ end -}} + +{{ if ._rox._state.warnings -}} +During installation, the following warnings were encountered: +{{ range ._rox._state.warnings }} +- WARNING: {{ . | wrapWith 98 "\n " -}} +{{ end }} + +{{ end -}} + +{{ if ._rox.env.openshift -}} +IMPORTANT: You have deployed into an OpenShift-enabled cluster. If you see that your pods + are not scheduling, run + + oc annotate namespace/{{ ._rox._namespace }} --overwrite openshift.io/node-selector="" +{{ end -}} + + +Thank you for using StackRox! diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_compatibility.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_compatibility.tpl new file mode 100644 index 0000000..c83ab2d --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_compatibility.tpl 
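Review bot: The "Admission Control Webhooks deployed" line in NOTES.txt reads `._rox.admissionControl.dynamic.listenOnCreates` and `.dynamic.listenOnUpdates`, while the README compatibility table in this same change maps the legacy keys to `admissionControl.listenOnCreates` and `admissionControl.listenOnUpdates` without the `dynamic` segment (only the enforce* keys are listed under `dynamic`). Unless `srox.init` mirrors the values into both paths, the summary prints an empty value; confirm the path and align one of the two. The OpenShift hint also tells users to run `oc annotate namespace/... --overwrite openshift.io/node-selector=""`, which clears whatever node selector the namespace had; mention that side effect next to the command.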
@@ -0,0 +1,51 @@ +{{ define "srox.applyCompatibilityTranslation" }} +{{ $ := index . 0 }} +{{ $values := index . 1 }} +{{ $translationRules := $.Files.Get "internal/compatibility-translation.yaml" | fromYaml }} +{{ include "srox._doApplyCompat" (list $values $.Template $values $translationRules list) }} +{{ end }} + +{{ define "srox._doApplyCompat" }} +{{ $values := index . 0 }} +{{ $template := index . 1 }} +{{ $valuesCtx := index . 2 }} +{{ $ruleCtx := index . 3 }} +{{ $ctxPath := index . 4 }} +{{ range $k, $v := $ruleCtx }} + {{ $oldVal := index $valuesCtx $k }} + {{ if not (kindIs "invalid" $oldVal) }} + {{ if kindIs "map" $v }} + {{ if kindIs "map" $oldVal }} + {{ include "srox._doApplyCompat" (list $values $template $oldVal $v (append $ctxPath $k)) }} + {{ if not $oldVal }} + {{ $_ := unset $valuesCtx $k }} + {{ end }} + {{ end }} + {{ else }} + {{ $_ := unset $valuesCtx $k }} + {{ if not (kindIs "invalid" $v) }} + {{ $tplCtx := dict "Template" $template "value" (toJson $oldVal) "rawValue" $oldVal }} + {{ $configFragment := tpl $v $tplCtx | fromYaml }} + {{ include "srox._mergeCompat" (list $values $configFragment (append $ctxPath $k) list) }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} + +{{ define "srox._mergeCompat" }} +{{ $values := index . 0 }} +{{ $newConfig := index . 1 }} +{{ $compatValuePath := index . 2 }} +{{ $path := index . 3 }} +{{ range $k, $v := $newConfig }} + {{ $currVal := index $values $k }} + {{ if kindIs "invalid" $currVal }} + {{ $_ := set $values $k $v }} + {{ else if and (kindIs "map" $v) (kindIs "map" $currVal) }} + {{ include "srox._mergeCompat" (list $currVal $v $compatValuePath (append $path $k)) }} + {{ else }} + {{ include "srox.fail" (printf "Conflict between legacy configuration values %s and explicitly set configuration value %s, please unset legacy value" (join "." $compatValuePath) (append $path $k | join ".")) }} + {{ end }} +{{ end }} +{{ end }} 
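Review bot: In `srox._doApplyCompat`, a legacy key whose rule value is null (the `else` branch runs `unset $valuesCtx $k` and then skips the `if not (kindIs "invalid" $v)` block) is dropped without any feedback, so a user who still sets `config.offlineMode`, which the README table in this change lists as having no effect, never learns it was ignored. NOTES.txt already renders `._rox._state.warnings`; appending a warning there for each silently dropped key would make the translation visible. The file also lacks a header comment describing the rule format in `internal/compatibility-translation.yaml` (each leaf is a template rendered with `.value` as JSON and `.rawValue` as the original value), which anyone editing that file needs.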
diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_crypto.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_crypto.tpl new file mode 100644 index 0000000..1455288 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_crypto.tpl 
@@ -0,0 +1,239 @@ +{{/* + srox.configureCrypto $ $cryptoConfigPath $spec + + This helper function configures a private key or certificate (public cert + private key) + config entry, from an input config which is accessed via $cryptoConfigPath relative to + $._rox, which we'll refer to as $inputCfg. $inputCfg is expected to be a dict with at + least `key` and `generate` properties. If `generate` is null, it defaults to either `true` + on installations, and `false` on upgrades. `key` is an expandable string. + The result in either mode is written to a dict $outputCfg under $._rox accessed by the + $cryptoConfigPath, with a '_' prepended to the last path element. E.g., if + $cryptoConfigPath is "a.b.c", the input configuration will be read from $._rox.a.b.c, and + the output configuration will be stored in $._rox.a.b._c. + + Private key-only mode is selected if $spec.keyOnly contains a non-zero string, which specifies + the key algorithm to use. In this mode, if $inputCfg.key expands to a non-empty string, this + string will be copied to the `Key` property of $outputCfg. Otherwise, if $inputCfg.generate + is true (wrt. the above defaulting rules), a key with the algorithm prescribed by $spec.keyOnly + will be generated and stored in the `Key` property of $outputCfg. + + Certificate mode is the default. If $inputCfg.cert and $inputCfg.key expand to non-empty strings, + these strings will be copied to the `Cert` and `Key` properties of $outputCfg. Otherwise, if both + of them expand to empty strings (it is an error if only one of them expands to a non-empty + string), and $inputCfg.generate is true, a certificate and private key are generated with the + following options: + - If $inputCfg.ca is true, generate a CA certificate with common name $inputCfg.CN and a 5 year + validity duration. + - Otherwise, generate a leaf certificate with common name $inputCfg.CN and a 1 year validity + duration. 
The SANs for this certificate are derived from the base DNS name $inputCfg.dnsBase + according to "srox.computeSANs". + + Whenever certificates and/or private keys were generated, the $._rox._state.generated property + is updated to reflect the generated values, such that merging $._rox._state.generated in to + $.Values would have caused this template to simply use the generated values as-is. E.g., if + $cryptoConfigPath was "a.b.c" and $.Values.a.b.c.cert" and $.Values.a.b.c.key" were both empty, + $._rox._state.generated.a.b.c would be set to be a dict with `cert` and `key` properties of the + generated $outputCfg.Cert and $outputCfg.Key. + + If a certificate or private key was generated, $._rox._state.customCertGen is set to true. + */}} +{{- define "srox.configureCrypto" -}} +{{ $ := index . 0 }} +{{ $cryptoConfigPath := index . 1 }} +{{ $spec := index . 2 }} + +{{/* Resolve $cryptoConfigPath. */}} +{{ $cfg := $._rox }} +{{ $newGenerated := dict }} +{{ $genCfg := $newGenerated }} +{{ $cryptoConfigPathList := splitList "." $cryptoConfigPath }} +{{ range $pathElem := $cryptoConfigPathList }} + {{ $cfg = index $cfg $pathElem }} + {{ $newCfg := dict }} + {{ $_ := set $genCfg $pathElem $newCfg }} + {{ $genCfg = $newCfg }} +{{ end }} + +{{/* Make sure `cert` and `key` are expanded (this should already be the case, but better + safe than sorry. 
*/}} +{{ $certExpandSpec := dict "cert" true "key" true }} +{{ include "srox.expandAll" (list $ $cfg $certExpandSpec $cryptoConfigPathList) }} + +{{ $certPEM := $cfg._cert }} +{{ $keyPEM := $cfg._key }} + +{{ $result := dict }} +{{ if $certPEM }} + {{ $result = dict "Cert" $certPEM "Key" (default "" $keyPEM) }} +{{ else if or $certPEM $keyPEM }} + {{ if and $keyPEM $spec.keyOnly }} + {{ $_ := set $result "Key" $keyPEM }} + {{ else }} + {{ include "srox.fail" (printf "Either none or both of %s.cert and %s.key must be specified" $cryptoConfigPath $cryptoConfigPath) }} + {{ end }} +{{ else }} + {{ $generate := $cfg.generate }} + {{ if kindIs "invalid" $generate }} + {{ $generate = $.Release.IsInstall }} + {{ end }} + {{ if $generate }} + {{ if $spec.ca }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"ca\" (genCA .cn 1825) }}" (dict "Template" $.Template "cn" $spec.CN "out" $out) }} + {{ $result = $out.ca }} + {{ else if $spec.keyOnly }} + {{ $key := tpl "{{ genPrivateKey .algo }}" (dict "Template" $.Template "algo" $spec.keyOnly) }} + {{ $_ := set $genCfg "key" $key }} + {{ $_ = set $result "Key" $key }} + {{ else }} + {{ if not $._rox._ca }} + {{ include "srox.fail" (printf "Tried to generate certificate for %s, but no CA certificate is available." 
$spec.CN) }} + {{ end }} + {{ $sans := dict }} + {{ include "srox.computeSANs" (list $ $sans $spec.dnsBase) }} + {{ $ca := $._rox._ca }} + {{ if kindIs "map" $ca }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"ca\" (buildCustomCert (b64enc .ca.Cert) (b64enc .ca.Key)) }}" (dict "Template" $.Template "ca" $ca "out" $out) }} + {{ $ca = $out.ca }} + {{ end }} + {{ $out := dict }} + {{ $_ := tpl "{{ $_ := set .out \"cert\" (genSignedCert .cn nil .sans 365 .ca) }}" (dict "Template" $.Template "cn" $spec.CN "sans" $sans.result "ca" $ca "out" $out) }} + {{ $result = $out.cert }} + {{ $_ := set $genCfg "cert" $result.Cert }} + {{ $_ = set $genCfg "key" $result.Key }} + {{ end }} + {{ $_ := set $genCfg "key" $result.Key }} + {{ if $result.Cert }} + {{ $_ = set $genCfg "cert" $result.Cert }} + {{ end }} + {{ $_ = set $._rox._state "customCertGen" true }} + {{ end }} +{{ end }} + +{{/* Store output configuration and generated properties */}} +{{ $newCfgRoot := dict }} +{{ $newCfg := $newCfgRoot }} +{{ range $pathElem := initial $cryptoConfigPathList }} + {{ $nextCfg := dict }} + {{ $_ := set $newCfg $pathElem $nextCfg }} + {{ $newCfg = $nextCfg }} +{{ end }} +{{ $_ := set $newCfg (last $cryptoConfigPathList | printf "_%s") $result }} +{{ $_ = include "srox.mergeInto" (list $._rox $newCfgRoot) }} +{{ $_ = include "srox.mergeInto" (list $._rox._state.generated $newGenerated) }} +{{ end }} + + +{{/* + srox.configurePassword $ $pwConfigPath [$htpasswdUser] + + This helper function reads a password configuration (YAML dict with `value` + and `generate` properties) referenced by $pwConfigPath relative to $._rox. It + ensures the dict with the same config path relative to $._rox and prepending an underscore + to the last path element is populated in the following way: + - If the `value` property of the input config is nonzero, set `value` in the result to the + expanded value. 
+ - If the optional $htpasswdUser parameter is specified and the `htpasswd` property of the + input config is nonzero, set `htpasswd` in the result to the expanded value of that + property. + - If none of the above (non-mutually-exclusive) cases apply: + - If `generate` is true OR both `generate` is null and this is an installation, + not an upgrade, generate a random password with 32 alphanumeric characters. + - Otherwise, leave the result property empty. + - If the optional $htpasswdUser parameter was specified AND the `value` property in the + result property was set per the above rules AND the `htpasswd` property was not set, + populate the `htpasswd` property of the result by generating an htpasswd stanza with + the computed `value` as the password and $htpasswdUser as the username. + + The $._rox._state.generated property is adjusted accordingly. + */}} +{{- define "srox.configurePassword" -}} +{{ $ := index . 0 }} +{{ $pwConfigPath := index . 1 }} +{{ $htpasswdUser := "" }} +{{ if gt (len .) 2 }} + {{ $htpasswdUser = index . 2 }} +{{ end }} +{{ $cfg := $._rox }} +{{ $newGenerated := dict }} +{{ $genCfg := $newGenerated }} +{{ $pwConfigPathList := splitList "." $pwConfigPath }} +{{ range $pathElem := $pwConfigPathList }} + {{ $cfg = index $cfg $pathElem }} + {{ $newCfg := dict }} + {{ $_ := set $genCfg $pathElem $newCfg }} + {{ $genCfg = $newCfg }} +{{ end }} + +{{/* Make sure that `value` and `htpasswd` within $cfg are expanded (this should already be the + case but better safe than sorry). 
*/}} +{{ $pwExpandSpec := dict "value" true "htpasswd" true }} +{{ include "srox.expandAll" (list $ $cfg $pwExpandSpec $pwConfigPathList) }} + +{{ $result := dict }} +{{ if and $htpasswdUser (not (kindIs "invalid" $cfg._htpasswd)) }} + {{ $htpasswd := $cfg._htpasswd }} + {{ $_ := set $result "htpasswd" $htpasswd }} +{{ end }} +{{ if not $result.htpasswd }} + {{ $pw := dict.nil }} + {{ if kindIs "invalid" $cfg._value }} + {{ $generate := $cfg.generate }} + {{ if kindIs "invalid" $generate }} + {{ $generate = $.Release.IsInstall }} + {{ end }} + {{ if $generate }} + {{ $pw = randAlphaNum 32 }} + {{ $_ := set $genCfg "value" $pw }} + {{ end }} + {{ else }} + {{ $pw = $cfg._value }} + {{ end }} + {{ if not (kindIs "invalid" $pw) }} + {{ $_ := set $result "value" $pw }} + {{ end }} + {{ if and $htpasswdUser $pw }} + {{ $htpasswd := tpl "{{ htpasswd .user .pw }}" (dict "Template" $.Template "user" $htpasswdUser "pw" $pw) }} + {{ $_ := set $result "htpasswd" $htpasswd }} + {{ end }} +{{ else if $cfg.value }} + {{ include "srox.fail" (printf "Both a htpasswd and a value are specified for %s, this is illegal. Remove the `value` property, or ensure that `htpasswd` is null." $pwConfigPath) }} +{{ end }} +{{ $newCfgRoot := dict }} +{{ $newCfg := $newCfgRoot }} +{{ range $pathElem := initial $pwConfigPathList }} + {{ $nextCfg := dict }} + {{ $_ := set $newCfg $pathElem $nextCfg }} + {{ $newCfg = $nextCfg }} +{{ end }} +{{ $_ := set $newCfg (last $pwConfigPathList | printf "_%s") $result }} +{{ $_ = include "srox.mergeInto" (list $._rox $newCfgRoot) }} +{{ $_ = include "srox.mergeInto" (list $._rox._state.generated $newGenerated) }} +{{ end }} + + +{{/* + srox.computeSANs $ $out $svcName + + Compute the applicable SANs for a service with name $svcName, deployed in namespace + $.Release.Namespace (= $releaseNS). + Generally, SANs following the pattern "$svcName.$releaseNS[.svc[.cluster.local]]" will be + generated. 
If $releaseNS is not "stackrox", another set of SANs with the same pattern, + but assuming $releaseNS = "stackrox", will be generated in addition. + The result is stored as a list in $out.result. + */}} +{{ define "srox.computeSANs" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ $svcName := index . 2 }} +{{ $releaseNS := $.Release.Namespace }} +{{ $sans := list }} +{{ range $ns := list $releaseNS "stackrox" | uniq | sortAlpha }} + {{ $baseDNS := printf "%s.%s" $svcName $ns }} + {{ range $suffix := tuple "" ".svc" ".svc.cluster.local" }} + {{ $sans = printf "%s%s" $baseDNS $suffix | append $sans }} + {{ end }} +{{ end }} +{{ $_ := set $out "result" $sans }} +{{ end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_defaults.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_defaults.tpl new file mode 100644 index 0000000..7f8629b --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_defaults.tpl 
@@ -0,0 +1,35 @@ +{{/* + srox.applyDefaults . + + Applies defaults defined in `internal/defaults`, in an order that depends on the filenames. + */}} +{{ define "srox.applyDefaults" }} +{{ $ := . }} +{{/* Apply defaults */}} +{{ range $defaultsFile, $defaultsTpl := $.Files.Glob "internal/defaults/*.yaml" }} + {{ $tplSects := regexSplit "(^|\n)---($|\n)" (toString $defaultsTpl) -1 }} + {{ $sectCounter := 0 }} + {{ range $tplSect := $tplSects }} + {{/* + tpl will merely stop creating output if an error is encountered during rendering (not during parsing), but we want + to be certain that we recognized invalid templates. Hence, add a marker line at the end, and verify that it + shows up in the output. + */}} + {{ $renderedSect := tpl (list $tplSect "{{ \"\\n#MARKER\\n\" }}" | join "") $ }} + {{ if not (hasSuffix "\n#MARKER\n" $renderedSect) }} + {{ include "srox.fail" (printf "Section %d in defaults file %s contains invalid templating" $sectCounter $defaultsFile) }} + {{ end }} + {{/* + fromYaml only returns an empty dict upon error, but we want to be certain that we recognized invalid YAML. + Hence, add a marker value. + */}} + {{ $sectDict := fromYaml (cat $renderedSect "\n__marker: true\n") }} + {{ if not (index $sectDict "__marker") }} + {{ include "srox.fail" (printf "Section %d in defaults file %s contains invalid YAML" $sectCounter $defaultsFile) }} + {{ end }} + {{ $_ := unset $sectDict "__marker" }} + {{ $_ = include "srox.mergeInto" (list $._rox $sectDict) }} + {{ $sectCounter = add $sectCounter 1 }} + {{ end }} +{{ end }} +{{ end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_dict.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_dict.tpl new file mode 100644 index 0000000..bf14a6d --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_dict.tpl 
@@ -0,0 +1,142 @@ +{{/* + srox.compactDict $target [$depth] + + Compacts a dict $target by removing entries with empty values. + By default, only the top-level dict $target itself is modified. If the optional $depth + parameter is specified and is non-zero, this determines the recursion depth over which the + compaction is applied to nested diocts as well. A $depth of -1 means to compact all nested + dicts, regardless of depth. + */}} +{{ define "srox.compactDict" }} +{{ $args := . }} +{{ if not (kindIs "slice" $args) }} + {{ $args = list $args 0 }} +{{ end }} +{{ $target := index $args 0 }} +{{ $depth := index $args 1 }} +{{ $zeroValKeys := list }} +{{ range $k, $v := $target }} + {{ if and (kindIs "map" $v) (ne $depth 0) }} + {{ include "srox.compactDict" (list $v (sub $depth 1)) }} + {{ end }} + {{ if not $v }} + {{ $zeroValKeys = append $zeroValKeys $k }} + {{ end }} +{{ end }} +{{ range $k := $zeroValKeys }} + {{ $_ := unset $target $k }} +{{ end }} +{{ end }} + +{{/* + srox.destructiveMergeOverwrite $out $dict1 $dict2... + + Recursively merges $dict1, $dict2 (in this order) into $out, similar to mergeOverwrite. + The eponymous difference is the fact that any explicit "null" entries in the source + dictionaries cause the respective entry to be deleted. + */}} +{{ define "srox.destructiveMergeOverwrite" }} +{{ $out := first . }} +{{ $toMergeList := rest . 
}} +{{ range $toMerge := $toMergeList }} + {{ range $k, $v := $toMerge }} + {{ if kindIs "invalid" $v }} + {{ $_ := unset $out $k }} + {{ else if kindIs "map" $v }} + {{ $outV := index $out $k }} + {{ if kindIs "invalid" $outV }} + {{ $_ := set $out $k (deepCopy $v) }} + {{ else if kindIs "map" $outV }} + {{ include "srox.destructiveMergeOverwrite" (list $outV $v) }} + {{ else }} + {{ fail (printf "when merging at key %s: incompatible kinds %s and %s" $k (kindOf $v) (kindOf $outV)) }} + {{ end }} + {{ else }} + {{ $_ := set $out $k $v }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox.stringifyDictValues $dict + + Recursively traverses $dict and converts every non-dict value to a string. + */}} +{{ define "srox.stringifyDictValues" }} +{{ $dict := . }} +{{ range $k, $v := $dict }} + {{ if kindIs "map" $v }} + {{ include "srox.stringifyDictValues" $v }} + {{ else }} + {{ $_ := set $dict $k (toString $v) }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox.safeDictLookup $dict $out $path + + Looks up $path in $dict, and stores the result (if any) in $out.result. + $path is a dot-separated list of nested field names. An empty $path causes + $dict to be stored in $out.result. + + Example: srox.safeDictLookup $dict $out "a.b.c" stores the value of $dict.a.b.c, if + it exists, in $out.result. Otherwise, it does nothing - in particular, it does + not fail, as accessing $dict.a.b.c unconditionally would if any of $dict, $dict.a, + or $dict.a.b was not a dict. + */}} +{{ define "srox.safeDictLookup" }} +{{ $dict := index . 0 }} +{{ $out := index . 1 }} +{{ $path := index . 2 }} +{{ $curr := $dict }} +{{ $pathList := splitList "." 
$path | compact }} +{{ range $pathElem := $pathList }} + {{ if kindIs "map" $curr }} + {{ $curr = index $curr $pathElem }} + {{ else if not (kindIs "invalid" $curr) }} + {{ $curr = dict.nil }} + {{ end }} +{{ end }} +{{ if not (kindIs "invalid" $curr) }} + {{ $_ := set $out "result" $curr }} +{{ end }} +{{ end }} + + + +{{/* + srox.mergeInto $tgt $src1..$srcN + + Recursively merges values from $src1, ..., $srcN into $tgt, giving preference to + values in $tgt. + + Unlike Sprig's merge, this does not overwrite falsy values when explicitly defined, + with the exception of `null` values (this also sets it apart from Sprig's mergeOverwrite). + + Whenever entire (nested) dicts are merged as-is from one of the sources into $tgt, a deep + copy of the respective nested dict is created. + + An empty string is always returned, hence this should be invoked in the form + $_ := include "srox.mergeInto" (list $tgt $src1 $src2) + */}} +{{ define "srox.mergeInto" }} +{{ $tgt := first . }} +{{ range $src := rest . }} + {{ range $k, $srcV := $src }} + {{ $tgtV := index $tgt $k }} + {{ if kindIs "map" $srcV }} + {{ if kindIs "invalid" $tgtV }} + {{ $_ := set $tgt $k (deepCopy $srcV) }} + {{ else if kindIs "map" $tgtV }} + {{ $_ := include "srox.mergeInto" (list $tgtV $srcV) }} + {{ else }} + {{ fail (printf "Incompatible kinds for key %s: %s vs %s" $k (kindOf $srcV) (kindOf $tgtV)) }} + {{ end }} + {{ else if and (not (kindIs "invalid" $srcV)) (kindIs "invalid" $tgtV) }} + {{ $_ := set $tgt $k $srcV }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_expand.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_expand.tpl new file mode 100644 index 0000000..ed1cb1f --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_expand.tpl 
@@ -0,0 +1,96 @@ +{{/* + srox.expandAll $ $target $expandable [$path] + + Expands values within $target that are flagged in $expandable, using $path + as the path from the configuration root to $target for error reporting purposes. + + If $target is nil, nothing happens. Otherwise, $target must be a dict. For every key + of $target that is also present in $expandable, the following action is performed: + - If the entry in $expandable is a dict, recursive invoke "srox.expandAll" on the + respective entries, with an adjusted $path. + - Otherwise, the entry in $expandable is assume to be of boolean value. If the value is + true, the corresponding entry's value in $target is expanded (see "srox._expandSingle" + below for a definition of expanding), and the result of the expansion is stored under + the key with a "_" prepended in $target. The original entry in $target is removed. This + ensures "srox.expandAll" is an idempotent operation). + */}} +{{ define "srox.expandAll" }} +{{ $args := . }} +{{ $ := index $args 0 }} +{{ $target := index $args 1 }} +{{ $expandable := index $args 2 }} +{{ $path := list }} +{{ if ge (len $args) 4 }} + {{ $path = index $args 3 }} + {{ if kindIs "string" $path }} + {{ $path = splitList "." $path | compact }} + {{ end }} +{{ end }} + +{{ if kindIs "map" $target }} + {{ range $k, $v := $expandable }} + {{ $childPath := append $path $k }} + {{ $targetV := index $target $k }} + {{ if kindIs "map" $v }} + {{ include "srox.expandAll" (list $ $targetV $v $childPath) }} + {{ else if $v }} + {{ if not (kindIs "invalid" $targetV) }} + {{ $expanded := include "srox._expandSingle" (list $ $targetV (join "." $childPath)) }} + {{ $_ := set $target (printf "_%s" $k) $expanded }} + {{ end }} + {{ $_ := unset $target $k }} + {{ end }} + {{ end }} +{{ else if not (kindIs "invalid" $target) }} + {{ include "srox.fail" (printf "Error expanding value at %s: expected map, got: %s" (join "." 
$path) (kindOf $target)) }} +{{ end }} +{{ end }} + +{{/* + srox.expand $ $spec + + Parses and expands a "specification string" in the following way: + - If $spec is a dictionary, return $spec rendered as a YAML. + - Otherwise, if $spec starts with a backslash character (`\`), return $spec minus the leading + backslash character. + - Otherwise, if $spec starts with an `@` character, strip off the first character and + treat the remainder of the string as a `|`-separated list of file names. Try to load + each referenced file, in order, via `stackrox.getFile`. The result is the first file + that could be successfully loaded. If no file could be loaded, expansion fails. + - Otherwise, return $spec as-is. + */}} +{{- define "srox._expandSingle" -}} + {{- $ := index . 0 -}} + {{- $spec := index . 1 -}} + {{- $context := index . 2 -}} + {{- $result := "" -}} + {{- if kindIs "string" $spec -}} + {{- if hasPrefix "\\" $spec -}} + {{- /* use \ as string-wide escape character */ -}} + {{- $result = trimPrefix "\\" $spec -}} + {{- else if hasPrefix "@" $spec -}} + {{- /* treat as file list (first found matches) */ -}} + {{- /* If the prefix is "@?" expansion will not fail if no files could be found, instead an empty string is returned. */ -}} + {{- $fileSpec := trimPrefix "@" $spec -}} + {{- $allowNotFound := false -}} + {{- if hasPrefix "?" $fileSpec -}} + {{- $allowNotFound = true -}} + {{- $fileSpec = trimPrefix "?" 
$fileSpec -}} + {{- end -}} + {{- $fileList := regexSplit "\\s*\\|\\s*" ($fileSpec | trim) -1 -}} + {{- $fileRes := dict -}} + {{- $_ := include "srox.loadFile" (list $ $fileRes $fileList) -}} + {{- if and (not $allowNotFound) (not $fileRes.found) -}} + {{- include "srox.fail" (printf "Expanding %s: file reference %q: none of the referenced files were found" $context $spec) -}} + {{- end -}} + {{- $result = default "" $fileRes.contents -}} + {{- else -}} + {{/* treat as raw string */}} + {{- $result = $spec -}} + {{- end -}} + {{- else if not (kindIs "invalid" $spec) -}} + {{- /* render non-string, non-nil values as YAML */ -}} + {{- $result = toYaml $spec -}} + {{- end -}} + {{- $result -}} +{{- end -}} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_format.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_format.tpl new file mode 100644 index 0000000..745fe47 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_format.tpl @@ -0,0 +1,14 @@ +{{/* + srox.formatStorageSize $value + + Formats $value as a storage size. $value can be an integer or a string. + If no unit is specified (e.g., if $value is a string), a default unit of + Gigabytes ("Gi" suffix) is assumed. + */}} +{{- define "srox.formatStorageSize" -}} +{{- $val := toString . -}} +{{- if regexMatch "^[0-9]+$" $val -}} + {{- $val = printf "%sGi" $val -}} +{{- end -}} +{{- default "0" $val -}} +{{- end -}} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_helpers.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_helpers.tpl new file mode 100644 index 0000000..e87f10f --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_helpers.tpl 
@@ -0,0 +1,68 @@ +{{/* + Misceallaneous helper templates. + */}} + + + + +{{/* + srox.loadFile $ $out $fileName-or-list + + This helper function reads a file. It differs from $.Files.Get in that it also takes + $._rox.meta.fileOverrides into account. Furthermore, it can receive a list of file names, + and will try these files in order. Finally, it indicates whether a file was found via the + $out.found property (as opposed to $.Files.Get, which cannot distinguish between a successful + read of an empty file, and this file not being found). + The file contents will be returned via $out.contents + */}} +{{ define "srox.loadFile" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ $fileNames := index . 2 }} +{{ if not (kindIs "slice" $fileNames) }} + {{ $fileNames = list $fileNames }} +{{ end }} +{{ $contents := index dict "" }} +{{ range $fileName := $fileNames }} + {{ if kindIs "invalid" $contents }} + {{ $contents = index $._rox.meta.fileOverrides $fileName }} + {{ end }} + {{ if kindIs "invalid" $contents }} + {{ range $path, $_ := $.Files.Glob $fileName }} + {{ if kindIs "invalid" $contents }} + {{ $contents = $.Files.Get $path }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ if not (kindIs "invalid" $contents) }} + {{ $_ := set $out "contents" $contents }} +{{ end }} +{{ $_ := set $out "found" (not (kindIs "invalid" $contents)) }} +{{ end }} + + +{{/* + srox.checkGenerated $ $cfgPath + + Checks if the value at configuration path $cfgPath (e.g., "central.adminPassword.value") was + generated. Evaluates to the string "true" if this is the case, and an empty string otherwise. + */}} +{{- define "srox.checkGenerated" -}} +{{- $ := index . 0 -}} +{{- $cfgPath := index . 1 -}} +{{- $genCfg := $._rox._state.generated -}} +{{- $exists := true -}} +{{- range $pathElem := splitList "." 
$cfgPath -}} + {{- if $exists -}} + {{- if hasKey $genCfg $pathElem -}} + {{- $genCfg = index $genCfg $pathElem -}} + {{- else -}} + {{- $exists = false -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $exists -}} +true +{{- end -}} +{{- end -}} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_image-pull-secrets.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_image-pull-secrets.tpl new file mode 100644 index 0000000..9747e26 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_image-pull-secrets.tpl 
@@ -0,0 +1,85 @@ +{{/* + srox.configureImagePullSecrets $ $cfgName $imagePullSecrets $secretResourceName $defaultSecretNames $namespace + + Configures image pull secrets. + + This function enriches $imagePullSecrets based on the exposed configuration parameters to contain + a list of Kubernetes secret names as `_names` to be used as image pull secrets within the chart + templates. This list contains the following secrets: + + - Secrets referenced via $imagePullSecrets.useExisting. + - Image pull secrets associated with the default service account (if + $imagePullSecrets.useFromDefaultServiceAccount is true). + - $secretResourceName, if $imagePullSecrets.username is set. + - $defaultSecretNames. */}} + +{{ define "srox.configureImagePullSecrets" }} +{{ $ := index . 0 }} +{{ $cfgName := index . 1 }} +{{ $imagePullSecrets := index . 2 }} +{{ $secretResourceName := index . 3 }} +{{ $defaultSecretNames := index . 4 }} +{{ $namespace := index . 5 }} + +{{ $imagePullSecretNames := default list $imagePullSecrets.useExisting }} +{{ if not (kindIs "slice" $imagePullSecretNames) }} + {{ $imagePullSecretNames = regexSplit "\\s*[,;]\\s*" (trim $imagePullSecretNames) -1 }} +{{ end }} +{{ if $imagePullSecrets.useFromDefaultServiceAccount }} + {{ $defaultSA := dict }} + {{ include "srox.safeLookup" (list $ $defaultSA "v1" "ServiceAccount" $namespace "default") }} + {{ if $defaultSA.result }} + {{ range $ips := default list $defaultSA.result.imagePullSecrets }} + {{ if $ips.name }} + {{ $imagePullSecretNames = append $imagePullSecretNames $ips.name }} + {{ end }} + {{ end }} + {{ end }} +{{ end }} +{{ $imagePullCreds := dict }} +{{ if $imagePullSecrets._username }} + {{ $imagePullCreds = dict "username" $imagePullSecrets._username "password" $imagePullSecrets._password }} + {{ $imagePullSecretNames = append $imagePullSecretNames $secretResourceName }} +{{ else if $imagePullSecrets._password }} + {{ $msg := printf "Username missing in %q. 
Whenever an image pull password is specified, a username must be specified as well" $cfgName }} + {{ include "srox.fail" $msg }} +{{ end }} +{{ if and $.Release.IsInstall (not $imagePullSecretNames) (not $imagePullSecrets.allowNone) }} + {{ $msg := printf "You have not specified any image pull secrets, and no existing image pull secrets were automatically inferred. If your registry does not need image pull credentials, explicitly set the '%s.allowNone' option to 'true'" $cfgName }} + {{ include "srox.fail" $msg }} +{{ end }} + +{{ $imagePullSecretNames = concat (append $imagePullSecretNames $secretResourceName) $defaultSecretNames | uniq | sortAlpha }} +{{ $_ := set $imagePullSecrets "_names" $imagePullSecretNames }} +{{ $_ := set $imagePullSecrets "_creds" $imagePullCreds }} + +{{ end }} + +{{ define "srox.configureImagePullSecretsForDockerRegistry" }} +{{ $ := index . 0 }} +{{ $imagePullSecrets := index . 1 }} + +{{/* Setup Image Pull Secrets for Docker Registry. + Note: This must happen afterwards, as we rely on "srox.configureImage" to collect the + set of all referenced images first. */}} +{{ if $imagePullSecrets._username }} + {{ $dockerAuths := dict }} + {{ range $image := keys $._rox._state.referencedImages }} + {{ $registry := splitList "/" $image | first }} + {{ if eq $registry "docker.io" }} + {{/* Special case docker.io */}} + {{ $registry = "https://index.docker.io/v1/" }} + {{ else }} + {{ $registry = printf "https://%s" $registry }} + {{ end }} + {{ $_ := set $dockerAuths $registry dict }} + {{ end }} + {{ $authToken := printf "%s:%s" $imagePullSecrets._username $imagePullSecrets._password | b64enc }} + {{ range $regSettings := values $dockerAuths }} + {{ $_ := set $regSettings "auth" $authToken }} + {{ end }} + + {{ $_ := set $imagePullSecrets "_dockerAuths" $dockerAuths }} +{{ end }} + +{{ end }} 
diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_images.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_images.tpl new file mode 100644 index 0000000..dced29d --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_images.tpl @@ -0,0 +1,34 @@ +{{/* + srox.configureImage $ $imageCfg + + Configures settings for a single image by augmenting/completing an existing image configuration + stanza. + + If $imageCfg.fullRef is empty: + First, the image registry is determined by inspecting $imageCfg.registry and, if this is empty, + $._rox.image.registry, ultimately defaulting to `docker.io`. The full image ref is then + constructed from the registry, $imageCfg.name (must be non-empty), and $imageCfg.tag (may be + empty, in which case "latest" is assumed). The result is stored in $imageCfg.fullRef. + + Afterwards (irrespective of the previous check), $imageCfg.fullRef is modified by prepending + "docker.io/" if and only if it did not contain a remote yet (i.e., the part before the first "/" + did not contain a dot (DNS name) or colon (port)). + + Finally, the resulting $imageCfg.fullRef is stored as a dict entry with value `true` in the + $._rox._state.referencedImages dict. + */}} +{{ define "srox.configureImage" }} +{{ $ := index . 0 }} +{{ $imageCfg := index . 1 }} +{{ $imageRef := $imageCfg.fullRef }} +{{ if not $imageRef }} + {{ $imageRef = printf "%s/%s:%s" (coalesce $imageCfg.registry $._rox.image.registry "docker.io") $imageCfg.name (default "latest" $imageCfg.tag) }} +{{ end }} +{{ $imageComponents := splitList "/" $imageRef }} +{{ $firstComponent := index $imageComponents 0 }} +{{ if or (lt (len $imageComponents) 2) (and (not (contains ":" $firstComponent)) (not (contains "." $firstComponent))) }} + {{ $imageRef = printf "docker.io/%s" $imageRef }} +{{ end }} +{{ $_ := set $imageCfg "fullRef" $imageRef }} +{{ $_ = set $._rox._state.referencedImages $imageRef true }} +{{ end }} 
diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_init.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_init.tpl new file mode 100644 index 0000000..fd50428 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_init.tpl 
@@ -0,0 +1,257 @@ +{{/* + srox.init $ + + Initialization template for the internal data structures. + This template is designed to be included in every template file, but will only be executed + once by leveraging state sharing between templates. + */}} +{{ define "srox.init" }} + +{{ $ := . }} + +{{/* + On first(!) instantiation, set up the $._rox structure, containing everything required by + the resource template files. + */}} +{{ if not $._rox }} + +{{/* + Calculate the fingerprint of the input config. + */}} +{{ $configFP := (.Values | toJson | sha256sum) }} + +{{/* + Initial Setup + */}} + +{{ $values := deepCopy $.Values }} +{{ include "srox.applyCompatibilityTranslation" (list $ $values) }} + +{{/* + $rox / ._rox is the dictionary in which _all_ data that is modified by the init logic + is stored. + We ensure that it has the required shape, and then right after merging the user-specified + $.Values, we apply some bootstrap defaults. + */}} +{{ $rox := deepCopy $values }} + + +{{ $configShape := $.Files.Get "internal/config-shape.yaml" | fromYaml }} + +{{/* Only merge scanner config shapes if feature flag is enabled and kubectl output is disabled */}} +{{ $configShapeScanner := $.Files.Get "internal/scanner-config-shape.yaml" | fromYaml }} + {{ $_ := include "srox.mergeInto" (list $rox $configShape $configShapeScanner) }} + + +{{ $_ = set $ "_rox" $rox }} + +{{/* Set the config fingerprint as computed or overridden via values. */}} +{{ $configFP = default $configFP $._rox.meta.configFingerprintOverride }} +{{ $_ = set $._rox "_configFP" $configFP }} + +{{/* Global state (accessed from sub-templates) */}} +{{ $state := dict "notes" list "warnings" list "referencedImages" dict "generated" dict }} +{{ $_ = set $._rox "_state" $state }} + +{{/* + API Server setup. The problem with `.Capabilities.APIVersions` is that Helm does not + allow setting overrides for those when using `helm template` or `--dry-run`. 
Thus, + if we rely on `.Capabilities.APIVersions` directly, we lose flexibility for our chart + in these settings. Therefore, we use custom fields such that a user in principle has + the option to inject via `--set`/`-f` everything we rely upon. + */}} +{{ $apiResources := list }} +{{ if not (kindIs "invalid" $._rox.meta.apiServer.overrideAPIResources) }} + {{ $apiResources = $._rox.meta.apiServer.overrideAPIResources }} +{{ else }} + {{ range $apiResource := $.Capabilities.APIVersions }} + {{ $apiResources = append $apiResources $apiResource }} + {{ end }} +{{ end }} +{{ if $._rox.meta.apiServer.extraAPIResources }} + {{ $apiResources = concat $apiResources $._rox.meta.apiServer.extraAPIResources }} +{{ end }} +{{ $apiServerVersion := coalesce $._rox.meta.apiServer.version $.Capabilities.KubeVersion.Version }} +{{ $apiServer := dict "apiResources" $apiResources "version" $apiServerVersion }} +{{ $_ = set $._rox "_apiServer" $apiServer }} + +{{/* + Environment setup +*/}} + +{{/* Detect openshift version */}} +{{ include "srox.autoSenseOpenshiftVersion" (list $) }} + +{{/* Openshift monitoring */}} +{{ if $._rox.enableOpenShiftMonitoring }} + {{ include "srox.warn" (list . "enableOpenShiftMonitoring option was replaced with monitoring.openshift.enabled") }} + {{ $_ := set $._rox "monitoring" (dict "openshift" (dict "enabled" true)) }} +{{ end }} +{{/* Default `monitoring.openshift.enabled = true` unless `env.openshift != 4`. */}} +{{ if kindIs "invalid" $._rox.monitoring.openshift.enabled }} +{{ $_ := set $._rox "monitoring" (dict "openshift" (dict "enabled" (eq $._rox.env.openshift 4))) }} +{{ end }} +{{ if and $._rox.monitoring.openshift.enabled (ne $._rox.env.openshift 4) }} + {{ include "srox.warn" (list . "'monitoring.openshift.enabled' is set to true, but the chart is not being deployed in an OpenShift 4 cluster. 
Proceeding with 'monitoring.openshift.enabled=false'.") }} + {{ $_ := set $._rox "monitoring" (dict "openshift" (dict "enabled" false)) }} +{{ end }} +{{/* Detect enablePodSecurityPolicies */}} +{{ include "srox.autoSensePodSecurityPolicies" (list $) }} + +{{ include "srox.applyDefaults" $ }} + +{{/* Expand applicable config values */}} +{{ $expandables := $.Files.Get "internal/expandables.yaml" | fromYaml }} +{{ include "srox.expandAll" (list $ $rox $expandables) }} + +{{/* + General validation of effective settings. + */}} + +{{ if not $.Release.IsUpgrade }} +{{ if ne $._rox._namespace "stackrox" }} + {{ if $._rox.allowNonstandardNamespace }} + {{ include "srox.note" (list $ (printf "You have chosen to deploy to namespace '%s'." $._rox._namespace)) }} + {{ else }} + {{ include "srox.fail" (printf "You have chosen to deploy to namespace '%s', not 'stackrox'. If this was accidental, please re-run helm with the '-n stackrox' option. Otherwise, if you need to deploy into this namespace, set the 'allowNonstandardNamespace' configuration value to true." $._rox._namespace) }} + {{ end }} +{{ end }} +{{ end }} + +{{/* If a cluster name should change the confirmNewClusterName value must match clusterName. */}} +{{ if and $._rox.confirmNewClusterName (ne $._rox.confirmNewClusterName $._rox.clusterName) }} + {{ include "srox.fail" (printf "Failed to change cluster name. Values for confirmNewClusterName '%s' did not match clusterName '%s'." $._rox.confirmNewClusterName $._rox.clusterName) }} +{{ end }} + + +{{ if not $.Release.IsUpgrade }} +{{ if ne $.Release.Name $.Chart.Name }} + {{ if $._rox.allowNonstandardReleaseName }} + {{ include "srox.warn" (list $ (printf "You have chosen a release name of '%s', not '%s'. Accompanying scripts and commands in documentation might require adjustments." $.Release.Name $.Chart.Name)) }} + {{ else }} + {{ include "srox.fail" (printf "You have chosen a release name of '%s', not '%s'. We strongly recommend using the standard release name. 
If you must use a different name, set the 'allowNonstandardReleaseName' configuration option to true." $.Release.Name $.Chart.Name) }} + {{ end }} +{{ end }} +{{ end }} + + + + + +{{ if and (not $._rox.auditLogs.disableCollection) (ne $._rox.env.openshift 4) }} + {{ include "srox.fail" "'auditLogs.disableCollection' is set to false, but the chart is not being deployed in OpenShift 4 mode. Set 'env.openshift' to '4' in order to enable OpenShift 4 features." }} +{{ end }} + + +{{ if and $._rox.admissionControl.dynamic.enforceOnCreates (not $._rox.admissionControl.listenOnCreates) }} + {{ include "srox.warn" (list $ "Incompatible settings: 'admissionControl.dynamic.enforceOnCreates' is set to true, while `admissionControl.listenOnCreates` is set to false. For the feature to be active, enable both settings by setting them to true.") }} +{{ end }} + +{{ if and $._rox.admissionControl.dynamic.enforceOnUpdates (not $._rox.admissionControl.listenOnUpdates) }} + {{ include "srox.warn" (list $ "Incompatible settings: 'admissionControl.dynamic.enforceOnUpdates' is set to true, while `admissionControl.listenOnUpdates` is set to false. For the feature to be active, enable both settings by setting them to true.") }} +{{ end }} + +{{ if and (eq $._rox.env.openshift 3) $._rox.admissionControl.listenOnEvents }} + {{ include "srox.fail" "'admissionControl.listenOnEvents' is set to true, but the chart is being deployed in OpenShift 3.x compatibility mode, which does not work with this feature. Set 'env.openshift' to '4' in order to enable OpenShift 4.x features." }} +{{ end }} +{{/* Initial image pull secret setup. 
*/}} +{{ include "srox.mergeInto" (list $._rox.mainImagePullSecrets $._rox.imagePullSecrets) }} +{{ include "srox.configureImagePullSecrets" (list $ "mainImagePullSecrets" $._rox.mainImagePullSecrets "secured-cluster-services-main" (list "stackrox") $._rox._namespace) }} +{{ include "srox.mergeInto" (list $._rox.collectorImagePullSecrets $._rox.imagePullSecrets) }} +{{ include "srox.configureImagePullSecrets" (list $ "collectorImagePullSecrets" $._rox.collectorImagePullSecrets "secured-cluster-services-collector" (list "stackrox" "collector-stackrox") $._rox._namespace) }} + +{{/* Additional CAs. */}} +{{ $additionalCAList := list }} +{{ if kindIs "string" $._rox.additionalCAs }} + {{ if $._rox.additionalCAs }} + {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $._rox.additionalCAs) }} + {{ end }} +{{ else if kindIs "slice" $._rox.additionalCAs }} + {{ range $contents := $._rox.additionalCAs }} + {{ $additionalCAList = append $additionalCAList (dict "name" "ca.crt" "contents" $contents) }} + {{ end }} +{{ else if kindIs "map" $._rox.additionalCAs }} + {{ range $name := keys $._rox.additionalCAs | sortAlpha }} + {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (get $._rox.additionalCAs $name)) }} + {{ end }} +{{ else if not (kindIs "invalid" $._rox.additionalCAs) }} + {{ include "srox.fail" (printf "Invalid kind %s for additionalCAs" (kindOf $._rox.additionalCAs)) }} +{{ end }} +{{ range $path, $contents := .Files.Glob "secrets/additional-cas/**" }} + {{ $name := trimPrefix "secrets/additional-cas/" $path }} + {{ $additionalCAList = append $additionalCAList (dict "name" $name "contents" (toString $contents)) }} +{{ end }} +{{ $additionalCAs := dict }} +{{ range $idx, $elem := $additionalCAList }} + {{ if not (kindIs "string" $elem.contents) }} + {{ include "srox.fail" (printf "Invalid non-string contents kind %s at index %d (%q) of additionalCAs" (kindOf $elem.contents) $idx $elem.name) }} + {{ end }} + 
{{/* In a k8s secret, no characters other than alphanumeric, '.', '_' and '-' are allowed. Also, for the + update-ca-certificates script to work, the file names must end in '.crt'. */}} + + {{ $normalizedName := printf "%02d-%s.crt" $idx (regexReplaceAll "[^[:alnum:]._-]" $elem.name "-" | trimSuffix ".crt") }} + {{ $_ := set $additionalCAs $normalizedName $elem.contents }} +{{ end }} +{{ $_ = set $._rox "_additionalCAs" $additionalCAs }} + +{{/* + Final validation (after merging in defaults). + */}} + +{{ if and ._rox.helmManaged (not ._rox.clusterName) }} + {{ include "srox.fail" "No cluster name specified. Set 'clusterName' to the desired cluster name." }} +{{ end }} + +{{/* Image settings */}} +{{ include "srox.configureImage" (list $ ._rox.image.main) }} +{{ include "srox.configureImage" (list $ ._rox.image.collector) }} +{{ include "srox.configureImage" (list $ ._rox.image.scanner) }} + +{{ include "srox.initGlobalPrefix" (list $) }} + +{{/* ManagedBy related settings */}} +{{/* The field `helmManaged` defaults to true, therefore `managedBy` will only be changed to `MANAGER_TYPE_MANUAL` here + in case it was explicitly set `helmManaged=false`. */}} +{{- if not ._rox.helmManaged }} + {{ $_ = set $._rox "managedBy" "MANAGER_TYPE_MANUAL" }} +{{- end }} + +{{/* + Local scanner setup. + */}} + +{{/* Disable scanner always in kubectl outputs */}} + + +{{ if eq ._rox.scanner.disable false }} + {{ $centralDeployment := dict }} + {{ include "srox.safeLookup" (list $ $centralDeployment "apps/v1" "Deployment" $.Release.Namespace "central") }} + {{ if $centralDeployment.result }} + {{ include "srox.note" (list $ "Detected central running in the same namespace. 
Not deploying scanner from this chart and configuring sensor to use existing scanner instance, if any.") }} + {{ $_ := set $._rox.sensor.localImageScanning "enabled" "true" }} + {{ $_ := set $._rox.scanner "disable" true }} + {{ end }} +{{ end }} + +{{ if eq ._rox.scanner.disable false }} + {{ if ne ._rox.scanner.mode "slim" }} + {{ include "srox.fail" (print "Only scanner slim mode is allowed in Secured Cluster. To solve this, set to slim mode: scanner.mode=slim.") }} + {{ end }} + + {{ $_ := set $._rox.sensor.localImageScanning "enabled" "true" }} + {{ $_ := set $._rox.scanner "slimImage" ._rox.image.scanner }} + {{ $_ := set $._rox.scanner "slimDBImage" ._rox.image.scannerDb }} + {{ include "srox.scannerInit" (list $ $._rox.scanner) }} + {{ include "srox.configureImagePullSecrets" (list $ "imagePullSecrets" $._rox.imagePullSecrets "secured-cluster-services-main" (list "stackrox" "stackrox-scanner") $.Release.Namespace) }} +{{ end }} + +{{/* + Post-processing steps. + */}} + +{{ include "srox.configureImagePullSecretsForDockerRegistry" (list $ ._rox.mainImagePullSecrets) }} +{{ include "srox.configureImagePullSecretsForDockerRegistry" (list $ ._rox.collectorImagePullSecrets) }} + +{{ end }} + +{{ end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_injected-ca-bundle.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_injected-ca-bundle.tpl new file mode 100644 index 0000000..f831139 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_injected-ca-bundle.tpl 
@@ -0,0 +1,29 @@ +{{/* + srox.injectedCABundleVolume + + Configures ConfigMap volume to use in a deployment. + */}} +{{- define "srox.injectedCABundleVolume" -}} +{{- if eq ._rox.env.openshift 4 }} +- name: trusted-ca-volume + configMap: + name: injected-cabundle-{{ .Release.Name }} + items: + - key: ca-bundle.crt + path: tls-ca-bundle.pem + optional: true +{{ end }} +{{ end }} + +{{/* + srox.injectedCABundleVolumeMount + + Mounts the srox.injectedCABundle volume to a container. + */}} +{{- define "srox.injectedCABundleVolumeMount" -}} +{{- if eq ._rox.env.openshift 4 }} +- name: trusted-ca-volume + mountPath: /etc/pki/injected-ca-trust/ + readOnly: true +{{ end }} +{{ end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_labels.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_labels.tpl new file mode 100644 index 0000000..52714db --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_labels.tpl 
@@ -0,0 +1,31 @@ +{{/* + srox._labels $labels $ $objType $objName $forPod + + Writes all applicable [pod] labels (including default labels) for $objType/$objName + into $labels. Pod labels are written iff $forPod is true. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.labels". + */}} +{{ define "srox._labels" }} +{{ $labels := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $forPod := index . 4 }} +{{ $_ := set $labels "app.kubernetes.io/name" "stackrox" }} +{{ $_ = set $labels "app.kubernetes.io/managed-by" $.Release.Service }} +{{ $_ = set $labels "helm.sh/chart" (printf "%s-%s" $.Chart.Name ($.Chart.Version | replace "+" "_")) }} +{{ $_ = set $labels "app.kubernetes.io/instance" $.Release.Name }} +{{ $_ = set $labels "app.kubernetes.io/version" $.Chart.AppVersion }} +{{ $_ = set $labels "app.kubernetes.io/part-of" "stackrox-secured-cluster-services" }} +{{ $component := regexReplaceAll "^.*/(admission-control|collector|sensor)[^/]*\\.yaml" $.Template.Name "${1}" }} +{{ if not (contains "/" $component) }} + {{ $_ = set $labels "app.kubernetes.io/component" $component }} +{{ end }} +{{ $metadataNames := list "labels" }} +{{ if $forPod }} + {{ $metadataNames = append $metadataNames "podLabels" }} +{{ end }} +{{ include "srox._customizeMetadata" (list $ $labels $objType $objName $metadataNames) }} +{{ end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_lookup.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_lookup.tpl new file mode 100644 index 0000000..17f6306 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_lookup.tpl 
@@ -0,0 +1,40 @@ +{{/* + srox.safeLookup $ $out $apiVersion $kind $ns $name + + This function does nothing if $.meta.useLookup is false; otherwise, it will + perform a `lookup $apiVersion $kind $ns $name` operation and store the result in + $out.result. + + Additionally, if a lookup was attempted, $out.reliable will contain a bool indicating + whether the result of lookup can be relied upon. This is determined to be the case if + the default service account in the release namespace can be found. + */}} +{{ define "srox.safeLookup" }} +{{ $ := index . 0 }} +{{ $out := index . 1 }} +{{ if $._rox.meta.useLookup }} + {{ if kindIs "invalid" $._rox._state.lookupWorks }} + {{ $testOut := dict }} + {{ include "srox._doLookup" (list $ $testOut "v1" "ServiceAccount" $._rox._namespace "default") }} + {{ $_ := set $._rox._state "lookupWorks" ($testOut.result | not | not) }} + {{ end }} + {{ include "srox._doLookup" . }} + {{ $_ := set $out "reliable" $._rox._state.lookupWorks }} +{{ end }} +{{ end }} + + +{{/* + srox._doLookup $ $out $apiVersion $kind $ns $name + + Calls "lookup" with arguments $apiVersion $kind $ns $name, and stores the result + in $out.result. + + This function exists to prevent a parse error if the lookup function isn't defined. It does + so by deferring the execution of lookup to a template string instantiated via `tpl`. + */}} +{{ define "srox._doLookup" }} +{{ $ := index . 0 }} +{{ $tplArgs := dict "Template" $.Template "out" (index . 1) "apiVersion" (index . 2) "kind" (index . 3) "ns" (index . 4) "name" (index . 5) }} +{{ $_ := tpl "{{ $_ := set .out \"result\" (lookup .apiVersion .kind .ns .name) }}" $tplArgs }} +{{ end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_metadata.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_metadata.tpl new file mode 100644 index 0000000..3ed131f --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_metadata.tpl 
@@ -0,0 +1,194 @@ +{{/* + srox.labels $ $objType $objName + + Format labels for $objType/$objName as YAML. + */}} +{{- define "srox.labels" -}} +{{- $labels := dict -}} +{{- $_ := include "srox._labels" (append (prepend . $labels) false) -}} +{{- toYaml $labels -}} +{{- end -}} + +{{/* + srox.podLabels $ $objType $objName + + Format pod labels for $objType/$objName as YAML. + */}} +{{- define "srox.podLabels" -}} +{{- $labels := dict -}} +{{- $_ := include "srox._labels" (append (prepend . $labels) true) -}} +{{- toYaml $labels -}} +{{- end -}} + +{{/* + srox.annotations $ $objType $objName + + Format annotations for $objType/$objName as YAML. + */}} +{{- define "srox.annotations" -}} +{{- $annotations := dict -}} +{{- $_ := include "srox._annotations" (append (prepend . $annotations) false) -}} +{{- toYaml $annotations -}} +{{- end -}} + +{{/* + srox.podAnnotations $ $objType $objName + + Format pod annotations for $objType/$objName as YAML. + */}} +{{- define "srox.podAnnotations" -}} +{{- $annotations := dict -}} +{{- $_ := include "srox._annotations" (append (prepend . $annotations) true) -}} +{{- toYaml $annotations -}} +{{- end -}} + +{{/* + srox.envVars $ $objType $objName $containerName + + Format environment variables for container $containerName in + $objType/$objName as YAML. + */}} +{{- define "srox.envVars" -}} +{{- $envVars := dict -}} +{{- $_ := include "srox._envVars" (prepend . $envVars) -}} +{{- range $k := keys $envVars | sortAlpha -}} +{{- $v := index $envVars $k }} +- name: {{ quote $k }} +{{- if kindIs "map" $v }} + {{- toYaml $v | nindent 2 }} +{{- else }} + value: {{ quote $v }} +{{- end }} +{{ end -}} +{{- end -}} + +{{/* + srox._annotations $annotations $ $objType $objName $forPod + + Writes all applicable [pod] annotations (including default annotations) for + $objType/$objName into $annotations. Pod labels are written iff $forPod is true. 
+ + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.annotations". + */}} +{{ define "srox._annotations" }} +{{ $annotations := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $forPod := index . 4 }} +{{ $_ := set $annotations "meta.helm.sh/release-namespace" $.Release.Namespace }} +{{ $_ = set $annotations "meta.helm.sh/release-name" $.Release.Name }} +{{ $_ = set $annotations "owner" "stackrox" }} +{{ $_ = set $annotations "email" "support@stackrox.com" }} +{{ $metadataNames := list "annotations" }} +{{ if $forPod }} + {{ $metadataNames = append $metadataNames "podAnnotations" }} +{{ end }} +{{ include "srox._customizeMetadata" (list $ $annotations $objType $objName $metadataNames) }} +{{ end }} + +{{/* + srox._envVars $envVars $ $objType $objName $containerName + + Writes all applicable environment variables for $objType/$objName + into $envVars. + + This template receives the $ parameter as its second (not its first, as usual) parameter + such that it can be used easier in "srox.envVars". + */}} +{{ define "srox._envVars" }} +{{ $envVars := index . 0 }} +{{ $ := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $containerName := index . 
4 }} +{{ $metadataNames := list "envVars" }} +{{ include "srox._customizeMetadata" (list $ $envVars $objType $objName $metadataNames) }} +{{ if $containerName }} + {{ $containerKey := printf "/%s" $containerName }} + {{ $envVarsForContainer := index $envVars $containerKey }} + {{ if $envVarsForContainer }} + {{ include "srox.destructiveMergeOverwrite" (list $envVars $envVarsForContainer) }} + {{ end }} +{{ end }} + +{{/* Remove all entries starting with / */}} +{{ range $key, $_ := $envVars }} + {{ if hasPrefix "/" $key }} + {{ $_ := unset $envVars $key }} + {{ end }} +{{ end }} +{{ end }} + +{{/* + srox._customizeMetadata $ $metadata $objType $objName $metadataNames + + Writes custom key/value metadata to $metadata by consulting all sub-dicts with names in + $metadataNames under the applicable custom metadata locations (._rox.customize, + ._rox.customize.other.$objType/*, ._rox.customize.other.$objType/$objName, and + ._rox.customizer.$objName [workloads only]). Dictionaries are consulted in this order, with + values from dictionaries consulted later overwriting values from dictionaries consulted + earlier. + */}} +{{ define "srox._customizeMetadata" }} +{{ $ := index . 0 }} +{{ $metadata := index . 1 }} +{{ $objType := index . 2 }} +{{ $objName := index . 3 }} +{{ $metadataNames := index . 
4 }} + +{{ $overrideDictPaths := list "" (printf "other.%s/*" $objType) (printf "other.%s/%s" $objType $objName) }} +{{ if has $objType (list "deployment" "daemonset") }} + {{ $overrideDictPaths = append $overrideDictPaths $objName }} +{{ end }} + +{{ range $dictPath := $overrideDictPaths }} + {{ $customizeDict := $._rox.customize }} + {{ if $dictPath }} + {{ $resolvedOut := dict }} + {{ include "srox.safeDictLookup" (list $._rox.customize $resolvedOut $dictPath) }} + {{ $customizeDict = $resolvedOut.result }} + {{ end }} + {{ if $customizeDict }} + {{ range $metadataName := $metadataNames }} + {{ $customMetadata := index $customizeDict $metadataName }} + {{ include "srox.destructiveMergeOverwrite" (list $metadata $customMetadata) }} + {{ end }} + {{ end }} +{{ end }} +{{ end }} + +{{/* Add namespace specific prefixes for global resources to avoid resource name clashes for multi-namespace deployments. */}} +{{- define "srox.globalResourceName" -}} +{{- $ := index . 0 -}} +{{- $name := index . 1 -}} + +{{- if eq $.Release.Namespace "stackrox" -}} + {{- /* Standard namespace, use resource name as is. */ -}} + {{- $name -}} +{{- else -}} + {{- /* Add global prefix to resource name. */ -}} + {{- printf "%s-%s" $._rox.globalPrefix (trimPrefix "stackrox-" $name) -}} +{{- end -}} +{{- end -}} + +{{/* + srox.initGlobalPrefix $ + + Initializes prefix for global resources. + */}} +{{- define "srox.initGlobalPrefix" -}} +{{- $ := index . 0 -}} +{{ if kindIs "invalid" $._rox.globalPrefix }} + {{ if eq $.Release.Namespace "stackrox" }} + {{ $_ := set $._rox "globalPrefix" "stackrox" }} + {{ else }} + {{ $_ := set $._rox "globalPrefix" (printf "stackrox-%s" (trimPrefix "stackrox-" $.Release.Namespace)) }} + {{ end }} +{{ end }} + +{{ if ne $._rox.globalPrefix "stackrox" }} + {{ include "srox.note" (list $ (printf "Global Kubernetes resources are prefixed with '%s'." $._rox.globalPrefix)) }} +{{- end -}} +{{- end -}} 
diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_openshift.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_openshift.tpl new file mode 100644 index 0000000..85201cb --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_openshift.tpl 
@@ -0,0 +1,47 @@ +{{/* + srox.autoSenseOpenshiftVersion $ + + This function detects the OpenShift version automatically based on the cluster the Helm chart is installed onto. + It writes the result to ._rox.env.openshift as an integer. + Possible results are: + - 3 (OpenShift 3) + - 4 (OpenShift 4) + - 0 (Non-Openshift cluster) + + If "true" is passed for $._rox.env.openshift the OpenShift version is detected based on the Kubernetes cluster version. + If the Kubernetes version is not available (i.e. when using Helm template) auto-sensing falls back on OpenShift 3 to be + backward compatible. + */}} + +{{ define "srox.autoSenseOpenshiftVersion" }} + +{{ $ := index . 0 }} +{{ $env := $._rox.env }} + +{{/* Infer OpenShift, if needed */}} +{{ if kindIs "invalid" $env.openshift }} + {{ $_ := set $env "openshift" (has "apps.openshift.io/v1" $._rox._apiServer.apiResources) }} +{{ end }} + +{{/* Infer openshift version */}} +{{ if and $env.openshift (kindIs "bool" $env.openshift) }} + {{/* Parse and add KubeVersion as semver from built-in resources. This is necessary to compare valid integer numbers. */}} + {{ $kubeVersion := semver $.Capabilities.KubeVersion.Version }} + + {{/* Default to OpenShift 3 if no openshift resources are available, i.e. in helm template commands */}} + {{ if not (has "apps.openshift.io/v1" $._rox._apiServer.apiResources) }} + {{ $_ := set $._rox.env "openshift" 3 }} + {{ else if gt $kubeVersion.Minor 11 }} + {{ $_ := set $env "openshift" 4 }} + {{ else }} + {{ $_ := set $env "openshift" 3 }} + {{ end }} + {{ include "srox.note" (list $ (printf "Based on API server properties, we have inferred that you are deploying into an OpenShift %d.x cluster. Set the `env.openshift` property explicitly to 3 or 4 to override the auto-sensed value." 
$env.openshift)) }} +{{ end }} +{{ if not (kindIs "bool" $env.openshift) }} + {{ $_ := set $env "openshift" (int $env.openshift) }} +{{ else if not $env.openshift }} + {{ $_ := set $env "openshift" 0 }} +{{ end }} + +{{ end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_psp.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_psp.tpl new file mode 100644 index 0000000..bffb2a0 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_psp.tpl @@ -0,0 +1,19 @@ +{{/* + srox.autoSensePodSecurityPolicies $ + */}} + +{{ define "srox.autoSensePodSecurityPolicies" }} + +{{ $ := index . 0 }} +{{ $system := $._rox.system }} + +{{ if kindIs "invalid" $system.enablePodSecurityPolicies }} + {{ $_ := set $system "enablePodSecurityPolicies" (has "policy/v1beta1" $._rox._apiServer.apiResources) }} + {{ if $system.enablePodSecurityPolicies }} + {{ include "srox.note" (list $ (printf "PodSecurityPolicies are enabled, since your environment supports them according to API server properties.")) }} + {{ else }} + {{ include "srox.note" (list $ (printf "PodSecurityPolicies are disabled, since your environment does not support them according to API server properties.")) }} + {{ end }} +{{ end }} + +{{ end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_reporting.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_reporting.tpl new file mode 100644 index 0000000..621e284 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_reporting.tpl 
@@ -0,0 +1,34 @@ +{{/* + srox.fail $message + + Print a nicely-formatted fatal error message and exit. + */}} +{{ define "srox.fail" }} +{{ printf "\n\nFATAL ERROR:\n%s" . | wrap 100 | fail }} +{{ end }} + +{{/* + srox.warn $ $message + + Add $message to the list of encountered warnings. + */}} +{{ define "srox.warn" }} +{{ $ := index . 0 }} +{{ $msg := index . 1 }} +{{ $warnings := $._rox._state.warnings }} +{{ $warnings = append $warnings $msg }} +{{ $_ := set $._rox._state "warnings" $warnings }} +{{ end }} + +{{/* + srox.note $ $message + + Add $message to the list notes that will be shown to the user after installation/upgrade. + */}} +{{ define "srox.note" }} +{{ $ := index . 0 }} +{{ $msg := index . 1 }} +{{ $notes := $._rox._state.notes }} +{{ $notes = append $notes $msg }} +{{ $_ := set $._rox._state "notes" $notes }} +{{ end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/_scanner_init.tpl b/rhacs/4.3.5/secured-cluster-services/templates/_scanner_init.tpl new file mode 100644 index 0000000..75fbe95 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/_scanner_init.tpl 
@@ -0,0 +1,40 @@ +{{/* + srox.scannerInit . $scannerConfig + + Initializes the scanner configuration. The scanner chart has two modes "full" and + "slim". + The "full" mode is used for stand-alone deployments, mostly along with StackRox's Central service. In this + mode, the image contains vulnerability data and the Helm chart can create its own certificates. + + The "slim" mode is used to deploy Scanner with a smaller image and does not generate TLS certificates, + typically deployed within a Secured Cluster to scan images stored in a registry only accessible to the current cluster. + The scanner chart defaults to "full" mode if no mode was provided. + + $scannerConfig contains all values which are configured by the user. The structure can be viewed in the according + config-shape. See internal/scanner-config-shape.yaml. + */}} + +{{ define "srox.scannerInit" }} + +{{ $ := index . 0 }} +{{ $scannerCfg := index . 1 }} + +{{ if or (eq $scannerCfg.mode "") (eq $scannerCfg.mode "full") }} + {{ include "srox.configureImage" (list $ $scannerCfg.image) }} + {{ include "srox.configureImage" (list $ $scannerCfg.dbImage) }} + + {{ $scannerCertSpec := dict "CN" "SCANNER_SERVICE: Scanner" "dnsBase" "scanner" }} + {{ include "srox.configureCrypto" (list $ "scanner.serviceTLS" $scannerCertSpec) }} + + {{ $scannerDBCertSpec := dict "CN" "SCANNER_DB_SERVICE: Scanner DB" "dnsBase" "scanner-db" }} + {{ include "srox.configureCrypto" (list $ "scanner.dbServiceTLS" $scannerDBCertSpec) }} +{{ else if eq $scannerCfg.mode "slim" }} + {{ include "srox.configureImage" (list $ $scannerCfg.slimImage) }} + {{ include "srox.configureImage" (list $ $scannerCfg.slimDBImage) }} +{{ else }} + {{ include "srox.fail" (printf "Unknown scanner mode %s" $scannerCfg.mode) }} +{{ end }} + +{{ include "srox.configurePassword" (list $ "scanner.dbPassword") }} + +{{ end }} 
diff --git a/rhacs/4.3.5/secured-cluster-services/templates/additional-ca-sensor.yaml b/rhacs/4.3.5/secured-cluster-services/templates/additional-ca-sensor.yaml new file mode 100644 index 0000000..aa1801c --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/additional-ca-sensor.yaml @@ -0,0 +1,19 @@ +{{- include "srox.init" . -}} + +{{- if ._rox._additionalCAs }} +apiVersion: v1 +kind: Secret +metadata: + name: additional-ca-sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "additional-ca-sensor") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "additional-ca-sensor") | nindent 4 }} +type: Opaque +stringData: + {{- range $name, $cert := ._rox._additionalCAs }} + {{ $name | quote }}: | + {{- $cert | nindent 4 }} + {{- end }} +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/admission-controller-netpol.yaml b/rhacs/4.3.5/secured-cluster-services/templates/admission-controller-netpol.yaml new file mode 100644 index 0000000..1ab0341 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/admission-controller-netpol.yaml 
@@ -0,0 +1,46 @@ +{{- include "srox.init" . -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: admission-control-no-ingress + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "admission-control-no-ingress") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "admission-control-no-ingress") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: admission-control + ingress: + - ports: + - protocol: TCP + port: 8443 + policyTypes: + - Ingress + +{{- if ._rox.admissionControl.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: admission-control-monitoring + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "admission-control-monitoring") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "admission-control-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: admission-control + policyTypes: + - Ingress +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/admission-controller-pod-security.yaml b/rhacs/4.3.5/secured-cluster-services/templates/admission-controller-pod-security.yaml new file mode 100644 index 0000000..d4011f4 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/admission-controller-pod-security.yaml 
@@ -0,0 +1,76 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.system.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: stackrox-admission-control + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-admission-control") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox-admission-control-psp + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-admission-control-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-admission-control-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - stackrox-admission-control + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-admission-control-psp + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-admission-control-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"rolebinding" "stackrox-admission-control-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: stackrox-admission-control-psp +subjects: + - kind: ServiceAccount + name: admission-control + namespace: {{ ._rox._namespace }} +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/admission-controller-rbac.yaml b/rhacs/4.3.5/secured-cluster-services/templates/admission-controller-rbac.yaml new file mode 100644 index 0000000..1e4e11e --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/admission-controller-rbac.yaml 
@@ -0,0 +1,50 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: admission-control + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "admission-control") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.mainImagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: watch-config + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "role" "watch-config") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "role" "watch-config") | nindent 4 }} +rules: + - apiGroups: [''] + resources: ['configmaps'] + verbs: ['get', 'list', 'watch'] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: admission-control-watch-config + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "admission-control-watch-config") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "admission-control-watch-config") | nindent 4 }} +subjects: + - kind: ServiceAccount + name: admission-control + namespace: {{ ._rox._namespace }} +roleRef: + kind: Role + name: watch-config + apiGroup: rbac.authorization.k8s.io diff --git a/rhacs/4.3.5/secured-cluster-services/templates/admission-controller-scc.yaml b/rhacs/4.3.5/secured-cluster-services/templates/admission-controller-scc.yaml new file mode 100644 index 0000000..e6bb807 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/admission-controller-scc.yaml 
@@ -0,0 +1,46 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox.env.openshift ._rox.system.createSCCs }} + +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: stackrox-admission-control + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-admission-control") | nindent 4 }} + kubernetes.io/description: stackrox-admission-control is the security constraint for the admission controller +users: + - system:serviceaccount:{{ ._rox._namespace }}:admission-control +priority: 0 +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +supplementalGroups: + type: RunAsAny +fsGroup: + type: RunAsAny +groups: [] +readOnlyRootFilesystem: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: [] +defaultAddCapabilities: [] +requiredDropCapabilities: [] +volumes: + - configMap + - downwardAPI + - emptyDir + - secret + +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/admission-controller-secret.yaml b/rhacs/4.3.5/secured-cluster-services/templates/admission-controller-secret.yaml new file mode 100644 index 0000000..3abcb9a --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/admission-controller-secret.yaml 
@@ -0,0 +1,30 @@ +{{- include "srox.init" . -}} + +{{- if or ._rox.createSecrets (and (kindIs "invalid" ._rox.createSecrets) (or ._rox.admissionControl.serviceTLS._cert ._rox.admissionControl.serviceTLS._key)) }} + +{{/* Admission control TLS secret isn't required, so do not fail here. */}} +{{- if and ._rox.ca._cert ._rox.admissionControl.serviceTLS._cert ._rox.admissionControl.serviceTLS._key }} + +apiVersion: v1 +kind: Secret +metadata: + name: admission-control-tls + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "admission-control-tls") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + {{- include "srox.annotations" (list . "secret" "admission-control-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox.ca._cert | nindent 4 }} + admission-control-cert.pem: | + {{- ._rox.admissionControl.serviceTLS._cert | nindent 4 }} + admission-control-key.pem: | + {{- ._rox.admissionControl.serviceTLS._key | nindent 4 }} + +{{- end }} +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/admission-controller.yaml b/rhacs/4.3.5/secured-cluster-services/templates/admission-controller.yaml new file mode 100644 index 0000000..778076d --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/admission-controller.yaml 
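Review bot: The inner `if` in this hunk renders nothing when `createSecrets` is true but `ca._cert`, `serviceTLS._cert` or `serviceTLS._key` is missing, whereas `collector-secret.yaml` calls `srox.fail` in the same situation; the only hint is the template comment. Because the Deployment mounts `admission-control-tls` with `optional: true`, a misconfigured install comes up with no webhook serving certificate and no error. Suggest emitting a warning if the chart's helpers support one, or at least documenting the intent next to the `createSecrets` value. Also worth a comment: `helm.sh/hook: pre-install,pre-upgrade` together with `helm.sh/resource-policy: keep` means this Secret, private key included, outlives `helm uninstall` and has to be rotated or removed by hand.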
@@ -0,0 +1,246 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: admission-control + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "deployment" "admission-control") | nindent 4 }} + app: admission-control + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "deployment" "admission-control") | nindent 4 }} +spec: + replicas: {{ ._rox.admissionControl.replicas }} + minReadySeconds: 0 + selector: + matchLabels: + app: admission-control + template: + metadata: + namespace: {{ ._rox._namespace }} + labels: + app: admission-control + {{- include "srox.podLabels" (list . "deployment" "admission-control") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8443" + {{- include "srox.podAnnotations" (list . "deployment" "admission-control") | nindent 8 }} + spec: + # Attempt to schedule these on master nodes + {{- if ._rox.admissionControl.tolerations }} + tolerations: + {{- toYaml ._rox.admissionControl.tolerations | nindent 8 }} + {{- end }} + affinity: + {{- toYaml ._rox.admissionControl.affinity | nindent 8 }} + {{- if ._rox.admissionControl._nodeSelector }} + nodeSelector: + {{- ._rox.admissionControl._nodeSelector | nindent 8 }} + {{- end}} + {{- if not ._rox.env.openshift }} + securityContext: + runAsUser: 4000 + fsGroup: 4000 + {{- end }} + serviceAccountName: admission-control + containers: + - image: {{ quote ._rox.image.main.fullRef }} + imagePullPolicy: {{ ._rox.admissionControl.imagePullPolicy }} + name: admission-control + readinessProbe: + httpGet: + scheme: HTTPS + path: /ready + port: 8443 + initialDelaySeconds: 5 + periodSeconds: 5 + failureThreshold: 1 + ports: + - containerPort: 8443 + name: webhook + command: + - admission-control + resources: + {{- ._rox.admissionControl._resources | nindent 12 }} + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + env: + - name: GOMEMLIMIT + 
valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ROX_SENSOR_ENDPOINT + value: {{ ._rox.sensor.endpoint }} + {{- include "srox.envVars" (list . "deployment" "admission-controller" "admission-controller") | nindent 10 }} + volumeMounts: + - name: config + mountPath: /run/config/stackrox.io/admission-control/config/ + readOnly: true + - name: config-store + mountPath: /var/lib/stackrox/admission-control/ + - name: ca + mountPath: /run/secrets/stackrox.io/ca/ + readOnly: true + - name: certs + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: ssl + mountPath: /etc/ssl + - name: pki + mountPath: /etc/pki/ca-trust/ + - name: additional-cas + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + {{- include "srox.injectedCABundleVolumeMount" . | nindent 12 }} + volumes: + - name: certs + secret: + secretName: admission-control-tls + optional: true + items: + - key: admission-control-cert.pem + path: cert.pem + - key: admission-control-key.pem + path: key.pem + - key: ca.pem + path: ca.pem + - name: ca + secret: + secretName: service-ca + optional: true + - name: config + configMap: + name: admission-control + optional: true + - name: config-store + emptyDir: {} + - name: ssl + emptyDir: {} + - name: pki + emptyDir: {} + - name: additional-cas + secret: + secretName: additional-ca-sensor + optional: true + {{- include "srox.injectedCABundleVolume" . | nindent 8 }} +--- + +apiVersion: v1 +kind: Service +metadata: + name: admission-control + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "service" "admission-control") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"service" "admission-control") | nindent 4 }} +spec: + ports: + - name: https + port: 443 + targetPort: webhook + protocol: TCP + selector: + app: admission-control + type: ClusterIP + sessionAffinity: None +--- +{{- if ne ._rox.env.openshift 3 }} +apiVersion: admissionregistration.k8s.io/v1 +{{- else }} +apiVersion: admissionregistration.k8s.io/v1beta1 +{{- end }} +kind: ValidatingWebhookConfiguration +metadata: + name: stackrox + labels: + {{- include "srox.labels" (list . "validatingwebhookconfiguration" "stackrox") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "validatingwebhookconfiguration" "stackrox") | nindent 4 }} +{{- if not (or ._rox.admissionControl.listenOnEvents ._rox.admissionControl.listenOnCreates ._rox.admissionControl.listenOnUpdates) }} +webhooks: [] +{{- else }} +webhooks: + {{- if or ._rox.admissionControl.listenOnCreates ._rox.admissionControl.listenOnUpdates }} + - name: policyeval.stackrox.io + {{- if ne ._rox.env.openshift 3 }} + sideEffects: NoneOnDryRun + admissionReviewVersions: [ "v1", "v1beta1" ] + timeoutSeconds: {{ add 2 ._rox.admissionControl.dynamic.timeout }} + {{- end }} + rules: + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + {{- if ._rox.admissionControl.listenOnCreates }} + - CREATE + {{- end }} + {{- if ._rox.admissionControl.listenOnUpdates }} + - UPDATE + {{- end }} + resources: + - pods + - deployments + - replicasets + - replicationcontrollers + - statefulsets + - daemonsets + - cronjobs + - jobs + {{- if ._rox.env.openshift }} + - deploymentconfigs + {{- end }} + namespaceSelector: + matchExpressions: + - key: namespace.metadata.stackrox.io/name + operator: NotIn + values: + - stackrox + - kube-system + - kube-public + - istio-system + failurePolicy: Ignore + clientConfig: + caBundle: {{ required "The 'ca.cert' config option MUST be set to StackRox's Service CA certificate in order for the admission controller to be usable" 
._rox.ca._cert | b64enc }} + service: + namespace: {{ ._rox._namespace }} + name: admission-control + path: /validate + {{- end}} + {{- if ._rox.admissionControl.listenOnEvents }} + - name: k8sevents.stackrox.io + {{- if ne ._rox.env.openshift 3 }} + sideEffects: NoneOnDryRun + admissionReviewVersions: [ "v1", "v1beta1" ] + timeoutSeconds: {{ add 2 ._rox.admissionControl.dynamic.timeout }} + {{- end }} + rules: + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CONNECT + resources: + - pods + - pods/exec + - pods/portforward + failurePolicy: Ignore + clientConfig: + caBundle: {{ required "The 'ca.cert' config option MUST be set to StackRox's Service CA certificate in order for the admission controller to be usable" ._rox.ca._cert | b64enc }} + service: + namespace: {{ ._rox._namespace }} + name: admission-control + path: /events + {{- end }} +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/cluster-config.yaml b/rhacs/4.3.5/secured-cluster-services/templates/cluster-config.yaml new file mode 100644 index 0000000..20c81f6 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/cluster-config.yaml @@ -0,0 +1,14 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: Secret +metadata: + name: helm-cluster-config + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "helm-cluster-config") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "secret" "helm-cluster-config") | nindent 4 }} +stringData: + config.yaml: | + {{- tpl (.Files.Get "internal/cluster-config.yaml.tpl") . | nindent 4 }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/collector-netpol.yaml b/rhacs/4.3.5/secured-cluster-services/templates/collector-netpol.yaml new file mode 100644 index 0000000..3cf9214 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/collector-netpol.yaml 
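Review bot: Both webhooks in this hunk (`policyeval.stackrox.io` and `k8sevents.stackrox.io`) set `failurePolicy: Ignore`, so a timeout, TLS error or unreachable `admission-control` Service lets the request through; that is a deliberate availability trade-off, but it should be stated in a comment or made configurable, since operators who rely on the admission controller for enforcement may expect fail-closed. Two smaller points: `timeoutSeconds: {{ add 2 ._rox.admissionControl.dynamic.timeout }}` is unbounded, and the API server rejects a `ValidatingWebhookConfiguration` whose `timeoutSeconds` falls outside 1..30, so clamp or validate the value; and `ROX_SENSOR_ENDPOINT` is rendered as `value: {{ ._rox.sensor.endpoint }}` without `quote`, unlike `collector.yaml`, so use `quote` here as well to keep the env value a string regardless of what the endpoint looks like.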
@@ -0,0 +1,44 @@ +{{- include "srox.init" . -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: collector-no-ingress + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "collector-no-ingress") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "collector-no-ingress") | nindent 4 }} +spec: + podSelector: + matchLabels: + app: collector + policyTypes: + - Ingress + +{{ if ._rox.collector.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: collector-monitoring + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "collector-monitoring") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "collector-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + - port: 9091 + protocol: TCP + podSelector: + matchLabels: + app: collector + policyTypes: + - Ingress +{{ end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/collector-pod-security.yaml b/rhacs/4.3.5/secured-cluster-services/templates/collector-pod-security.yaml new file mode 100644 index 0000000..d11ef4b --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/collector-pod-security.yaml 
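Review bot: `collector-monitoring` in this hunk opens ports 9090 and 9091 on collector pods with no `from` clause, so once `collector.exposeMonitoring` is set any pod in any namespace can reach the metrics endpoints. Add a `from` with a `namespaceSelector` (and `podSelector`) matching the intended Prometheus instance, for example the `openshift-monitoring` namespace used in `openshift-monitoring.yaml`. The `collector-no-ingress` default (no `ingress` rules with `policyTypes: [Ingress]`) is the right deny-all baseline. Minor: `{{ if` / `{{ end }}` without the dash emit blank lines into the rendered output; harmless, but `{{- if` would match the other templates.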
@@ -0,0 +1,72 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.system.enablePodSecurityPolicies }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox-collector-psp + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-collector-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-collector-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - stackrox-collector + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-collector-psp + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-collector-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-collector-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: stackrox-collector-psp +subjects: + - kind: ServiceAccount + name: collector + namespace: {{ ._rox._namespace }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: stackrox-collector + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-collector") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-collector") | nindent 4 }} +spec: + privileged: true + allowPrivilegeEscalation: true + allowedCapabilities: + - '*' + volumes: + - '*' + allowedHostPaths: + - pathPrefix: / + readOnly: true + hostNetwork: false + hostIPC: false + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} 
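Review bot: The `stackrox-collector` PodSecurityPolicy in this hunk is broader than the collector DaemonSet needs and than the matching OpenShift SCC: `allowedCapabilities: ['*']` and `volumes: ['*']` where `collector-scc.yaml` has `allowedCapabilities: []` and an enumerated volume list (`configMap`, `downwardAPI`, `emptyDir`, `hostPath`, `secret`), and `hostPID: true` where the SCC sets `allowHostPID: false`. Tighten the PSP to the same set so both admission paths enforce the same floor. `allowedHostPaths` with `pathPrefix: /` and `readOnly: true` is good and matches the read-only host mounts in `collector.yaml`. Also add a comment that `policy/v1beta1` PodSecurityPolicy no longer exists on Kubernetes 1.25 and later, so `system.enablePodSecurityPolicies` must stay false there.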
diff --git a/rhacs/4.3.5/secured-cluster-services/templates/collector-rbac.yaml b/rhacs/4.3.5/secured-cluster-services/templates/collector-rbac.yaml new file mode 100644 index 0000000..5d4ffd9 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/collector-rbac.yaml @@ -0,0 +1,16 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: collector + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "collector") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "collector") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := concat ._rox.collectorImagePullSecrets._names ._rox.mainImagePullSecrets._names | uniq }} +- name: {{ quote $secretName }} +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/collector-scc.yaml b/rhacs/4.3.5/secured-cluster-services/templates/collector-scc.yaml new file mode 100644 index 0000000..48d47dc --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/collector-scc.yaml 
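Review bot: The `collector` ServiceAccount in this hunk gets no Role or ClusterRole, which is the right least-privilege shape, but nothing sets `automountServiceAccountToken: false`, so the projected API token is still mounted into a privileged pod that also carries read-only host mounts. If none of the collector, compliance and node-inventory containers talk to the API server (the DaemonSet obtains the node name through `fieldRef`, not through the API), set `automountServiceAccountToken: false` on the ServiceAccount or in the pod spec. The `concat ... | uniq` over collector and main pull secrets is fine.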
@@ -0,0 +1,91 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox.env.openshift ._rox.system.createSCCs }} + +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: stackrox-collector + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-collector") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-collector") | nindent 4 }} + kubernetes.io/description: This SCC is based on privileged, hostaccess, and hostmount-anyuid +users: + - system:serviceaccount:{{ ._rox._namespace }}:collector +allowHostDirVolumePlugin: true +allowPrivilegedContainer: true +fsGroup: + type: RunAsAny +groups: [] +priority: 0 +readOnlyRootFilesystem: true +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +supplementalGroups: + type: RunAsAny +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowedCapabilities: [] +defaultAddCapabilities: [] +requiredDropCapabilities: [] +volumes: + - configMap + - downwardAPI + - emptyDir + - hostPath + - secret + +{{- else if eq ._rox.env.openshift 4 }} + +{{- if false }} +# "fake" document separator to aid GVK extraction heuristic +--- +{{- end }} + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: use-privileged-scc + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "role" "use-privileged-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . 
"role" "use-privileged-scc") | nindent 4 }} +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - privileged + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: collector-use-scc + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "collector-use-scc") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "rolebinding" "collector-use-scc") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: use-privileged-scc +subjects: +- kind: ServiceAccount + name: collector + namespace: {{ ._rox._namespace }} + +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/collector-secret.yaml b/rhacs/4.3.5/secured-cluster-services/templates/collector-secret.yaml new file mode 100644 index 0000000..6b07ea2 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/collector-secret.yaml 
@@ -0,0 +1,30 @@ +{{- include "srox.init" . -}} + +{{- if or ._rox.createSecrets (and (kindIs "invalid" ._rox.createSecrets) (or ._rox.collector.serviceTLS._cert ._rox.collector.serviceTLS._key)) }} + +{{- if not (and ._rox.ca._cert ._rox.collector.serviceTLS._cert ._rox.collector.serviceTLS._key) }} + {{ include "srox.fail" "Requested secret creation, but not all of CA certificate, collector certificate, collector private key are available. Set the 'createSecrets' config option to false if you do not want secrets to be created." }} +{{- end }} + +apiVersion: v1 +kind: Secret +metadata: + labels: + {{- include "srox.labels" (list . "secret" "collector-tls") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + {{- include "srox.annotations" (list . "secret" "collector-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" + name: collector-tls + namespace: {{ ._rox._namespace }} +type: Opaque +stringData: + ca.pem: | + {{- ._rox.ca._cert | nindent 4 }} + collector-cert.pem: | + {{- ._rox.collector.serviceTLS._cert | nindent 4 }} + collector-key.pem: | + {{- ._rox.collector.serviceTLS._key | nindent 4 }} + +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/collector.yaml b/rhacs/4.3.5/secured-cluster-services/templates/collector.yaml new file mode 100644 index 0000000..756c367 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/collector.yaml 
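Review bot: The `srox.fail` message in this hunk reports that "not all of CA certificate, collector certificate, collector private key are available" without saying which one is missing; checking `._rox.ca._cert`, `._rox.collector.serviceTLS._cert` and `._rox.collector.serviceTLS._key` separately would produce an actionable error. As with the admission-control secret, `helm.sh/hook: pre-install,pre-upgrade` plus `helm.sh/resource-policy: keep` means this Secret, with the collector private key in `collector-key.pem`, is not removed by `helm uninstall`; add a note on cleanup and rotation.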
@@ -0,0 +1,218 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + {{- include "srox.labels" (list . "daemonset" "collector") | nindent 4 }} + service: collector + app: collector + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "daemonset" "collector") | nindent 4 }} + name: collector + namespace: {{ ._rox._namespace }} +spec: + selector: + matchLabels: + service: collector + template: + metadata: + namespace: {{ ._rox._namespace }} + labels: + service: collector + app: collector + {{- include "srox.podLabels" (list . "daemonset" "collector") | nindent 8 }} + annotations: + {{- include "srox.podAnnotations" (list . "daemonset" "collector") | nindent 8 }} + spec: + {{- if not ._rox.collector.disableTaintTolerations }} + tolerations: + {{- toYaml ._rox.collector.tolerations | nindent 6 }} + {{- end }} + {{- if ._rox.collector._nodeSelector }} + nodeSelector: + {{- ._rox.collector._nodeSelector | nindent 8 }} + {{- end}} + serviceAccountName: collector + containers: + {{- if ne ._rox.collector.collectionMethod "NO_COLLECTION"}} + - name: collector + image: {{ quote ._rox.image.collector.fullRef }} + imagePullPolicy: {{ ._rox.collector.imagePullPolicy }} + {{- if ._rox.collector.exposeMonitoring }} + ports: + - containerPort: 9090 + name: monitoring + {{- end }} + env: + - name: COLLECTOR_CONFIG + value: '{"tlsConfig":{"caCertPath":"/var/run/secrets/stackrox.io/certs/ca.pem","clientCertPath":"/var/run/secrets/stackrox.io/certs/cert.pem","clientKeyPath":"/var/run/secrets/stackrox.io/certs/key.pem"}}' + - name: COLLECTION_METHOD + value: {{ ._rox.collector.collectionMethod }} + - name: GRPC_SERVER + value: {{ ._rox.sensor.endpoint }} + - name: SNI_HOSTNAME + value: "sensor.stackrox.svc" + {{- include "srox.envVars" (list . 
"daemonset" "collector" "collector") | nindent 8 }} + resources: + {{- ._rox.collector._resources | nindent 10 }} + securityContext: + capabilities: + drop: + - NET_RAW + privileged: true + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /host/proc + name: proc-ro + readOnly: true + mountPropagation: HostToContainer + - mountPath: /module + name: tmpfs-module + - mountPath: /host/etc + name: etc-ro + readOnly: true + mountPropagation: HostToContainer + - mountPath: /host/usr/lib + name: usr-lib-ro + readOnly: true + mountPropagation: HostToContainer + - mountPath: /host/sys + name: sys-ro + readOnly: true + mountPropagation: HostToContainer + - mountPath: /host/dev + name: dev-ro + readOnly: true + mountPropagation: HostToContainer + - mountPath: /run/secrets/stackrox.io/certs/ + name: certs + readOnly: true + {{- end }} + - command: + - stackrox/compliance + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ROX_CALL_NODE_INVENTORY_ENABLED + value: {{ if eq ._rox.env.openshift 4 }}"true"{{ else }}"false"{{ end }} + - name: ROX_METRICS_PORT + {{- if ._rox.collector.exposeMonitoring }} + value: ":9091" + {{- else}} + value: "disabled" + {{- end }} + - name: ROX_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: ROX_ADVERTISED_ENDPOINT + value: {{ quote ._rox.sensor.endpoint }} + - name: ROX_NODE_SCANNING_ENDPOINT + value: {{ quote ._rox.collector.nodescanningEndpoint }} + {{- include "srox.envVars" (list . 
"daemonset" "collector" "compliance") | nindent 8 }} + image: {{ quote ._rox.image.main.fullRef }} + imagePullPolicy: {{ ._rox.collector.complianceImagePullPolicy }} + name: compliance + {{- if ._rox.collector.exposeMonitoring }} + ports: + - containerPort: 9091 + name: monitoring + {{- end }} + resources: + {{- ._rox.collector._complianceResources | nindent 10 }} + securityContext: + runAsUser: 0 + readOnlyRootFilesystem: true + {{ if not ._rox.collector.disableSELinuxOptions }} + seLinuxOptions: + type: {{ ._rox.collector.seLinuxOptionsType | default "container_runtime_t" | quote }} + {{ end }} + volumeMounts: + - mountPath: /etc/ssl/ + name: etc-ssl + - mountPath: /etc/pki/ca-trust/ + name: etc-pki-volume + - mountPath: /host + name: host-root-ro + readOnly: true + mountPropagation: HostToContainer + - mountPath: /run/secrets/stackrox.io/certs/ + name: certs + readOnly: true + {{- if eq ._rox.env.openshift 4 }} + - name: node-inventory + image: {{ quote ._rox.image.scanner.fullRef }} + imagePullPolicy: IfNotPresent + command: ["/scanner", "--nodeinventory", "--config=", ""] + ports: + - containerPort: 8444 + name: grpc + resources: + {{- ._rox.collector._nodeScanningResources | nindent 10 }} + env: + - name: ROX_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + {{- include "srox.envVars" (list . 
"daemonset" "collector" "node-inventory") | nindent 8 }} + volumeMounts: + - mountPath: /host + name: host-root-ro + readOnly: true + mountPropagation: HostToContainer + - mountPath: /tmp/ + name: tmp-volume + - mountPath: /cache + name: cache-volume + {{- end }} + volumes: + - hostPath: + path: /proc + name: proc-ro + - emptyDir: + medium: Memory + name: tmpfs-module + - hostPath: + path: /etc + name: etc-ro + - hostPath: + path: /usr/lib + name: usr-lib-ro + - hostPath: + path: /sys/ + name: sys-ro + - hostPath: + path: /dev + name: dev-ro + - name: certs + secret: + secretName: collector-tls + items: + - key: collector-cert.pem + path: cert.pem + - key: collector-key.pem + path: key.pem + - key: ca.pem + path: ca.pem + - hostPath: + path: / + name: host-root-ro + - name: etc-ssl + emptyDir: {} + - name: etc-pki-volume + emptyDir: {} + - name: tmp-volume + emptyDir: {} + - name: cache-volume + emptyDir: + sizeLimit: 200Mi diff --git a/rhacs/4.3.5/secured-cluster-services/templates/openshift-monitoring.yaml b/rhacs/4.3.5/secured-cluster-services/templates/openshift-monitoring.yaml new file mode 100644 index 0000000..5b0aa89 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/openshift-monitoring.yaml 
@@ -0,0 +1,121 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.monitoring.openshift.enabled -}} + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: secured-cluster-prometheus-k8s + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "role" "secured-cluster-prometheus-k8s") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "role" "secured-cluster-prometheus-k8s") | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: secured-cluster-prometheus-k8s + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "secured-cluster-prometheus-k8s") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "secured-cluster-prometheus-k8s") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: secured-cluster-prometheus-k8s +subjects: +- kind: ServiceAccount + name: prometheus-k8s + namespace: openshift-monitoring + +--- + +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: "sensor-monitor-{{ .Release.Namespace }}" + namespace: openshift-monitoring + labels: + {{- include "srox.labels" (list . "servicemonitor" (print "sensor-monitor-" .Release.Namespace)) | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"servicemonitor" (print "sensor-monitor-" .Release.Namespace)) | nindent 4 }} +spec: + endpoints: + - interval: 30s + path: metrics + port: monitoring-tls + scheme: https + tlsConfig: + caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt + certFile: /etc/prometheus/secrets/metrics-client-certs/tls.crt + keyFile: /etc/prometheus/secrets/metrics-client-certs/tls.key + serverName: "sensor.{{ .Release.Namespace }}.svc" + selector: + matchLabels: + app.kubernetes.io/component: sensor + namespaceSelector: + matchNames: + - "{{ .Release.Namespace }}" + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "rhacs-sensor-auth-reader-{{ .Release.Namespace }}" + namespace: kube-system + labels: + {{- include "srox.labels" (list . "rolebinding" (print "rhacs-sensor-auth-reader-" .Release.Namespace)) | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" (print "rhacs-sensor-auth-reader-" .Release.Namespace)) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: sensor + namespace: "{{ .Release.Namespace }}" + +--- + +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: "sensor-telemeter-{{ .Release.Namespace }}" + namespace: openshift-monitoring + labels: + {{- include "srox.labels" (list . "prometheusrule" (print "sensor-telemeter-" .Release.Namespace )) | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "prometheusrule" (print "sensor-telemeter-" .Release.Namespace )) | nindent 4 }} +spec: + groups: + - name: rhacs.telemeter + rules: + - expr: | + max by (build, central_id, hosting, install_method, sensor_id, sensor_version) ( + rox_sensor_info{branding="RHACS"} + ) + record: rhacs:telemetry:rox_sensor_info + +{{- end -}} 
diff --git a/rhacs/4.3.5/secured-cluster-services/templates/sensor-netpol.yaml b/rhacs/4.3.5/secured-cluster-services/templates/sensor-netpol.yaml new file mode 100644 index 0000000..50d0d6e --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/sensor-netpol.yaml 
@@ -0,0 +1,88 @@ +{{- include "srox.init" . -}} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "sensor") | nindent 4 }} +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: collector + - podSelector: + matchLabels: + service: collector + - podSelector: + matchLabels: + app: admission-control +{{ if ._rox.sensor.localImageScanning.enabled }} + - podSelector: + matchLabels: + app: scanner +{{ end }} + ports: + - port: 8443 + protocol: TCP + - ports: + - port: 9443 + protocol: TCP + podSelector: + matchLabels: + app: sensor + policyTypes: + - Ingress + +{{ if ._rox.sensor.exposeMonitoring }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: sensor-monitoring + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "sensor-monitoring") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "networkpolicy" "sensor-monitoring") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9090 + protocol: TCP + podSelector: + matchLabels: + app: sensor + policyTypes: + - Ingress +{{ end }} + +{{- if ._rox.monitoring.openshift.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: sensor-monitoring-tls + namespace: {{ .Release.Namespace }} + labels: + {{- include "srox.labels" (list . "networkpolicy" "sensor-monitoring-tls") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"networkpolicy" "sensor-monitoring-tls") | nindent 4 }} +spec: + ingress: + - ports: + - port: 9091 + protocol: TCP + podSelector: + matchLabels: + app: sensor + policyTypes: + - Ingress +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/sensor-pod-security.yaml b/rhacs/4.3.5/secured-cluster-services/templates/sensor-pod-security.yaml new file mode 100644 index 0000000..e44a807 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/sensor-pod-security.yaml 
@@ -0,0 +1,82 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.system.enablePodSecurityPolicies }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox-sensor-psp + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox-sensor-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox-sensor-psp") | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - stackrox-sensor + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stackrox-sensor-psp + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "stackrox-sensor-psp") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "stackrox-sensor-psp") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: stackrox-sensor-psp +subjects: + - kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} + - kind: ServiceAccount + name: sensor-upgrader + namespace: {{ ._rox._namespace }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: stackrox-sensor + labels: + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"podsecuritypolicy" "stackrox-sensor") | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + - 'hostPath' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 4000 + max: 4000 +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/sensor-rbac.yaml b/rhacs/4.3.5/secured-cluster-services/templates/sensor-rbac.yaml new file mode 100644 index 0000000..fb061be --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/sensor-rbac.yaml 
@@ -0,0 +1,293 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "sensor") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.mainImagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:view-cluster + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:view-cluster") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:view-cluster") | nindent 4 }} +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - watch + - list +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:monitor-cluster + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:monitor-cluster") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:monitor-cluster") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:view-cluster + apiGroup: rbac.authorization.k8s.io +--- +# Role edit has all verbs but 'use' to disallow using any SCCs (resources: *). +# The permission to 'use' SCCs should be defined at finer granularity in other roles. +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: edit + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . 
"role" "edit") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "role" "edit") | nindent 4 }} +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - get + - list + - watch + - update + - patch + - delete + - deletecollection +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: manage-namespace + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "rolebinding" "manage-namespace") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "rolebinding" "manage-namespace") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: Role + name: edit + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:edit-workloads + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:edit-workloads") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:edit-workloads") | nindent 4 }} +rules: +- resources: + - cronjobs + - jobs + - daemonsets + - deployments + - deployments/scale + - deploymentconfigs + - pods + - replicasets + - replicationcontrollers + - services + - statefulsets + apiGroups: + - '*' + verbs: + - update + - patch + - delete +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:enforce-policies + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:enforce-policies") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"clusterrolebinding" "stackrox:enforce-policies") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:edit-workloads + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:network-policies + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:network-policies") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:network-policies") | nindent 4 }} +rules: +- resources: + - 'networkpolicies' + apiGroups: + - networking.k8s.io + - extensions + verbs: + - get + - watch + - list + - create + - update + - patch + - delete +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:network-policies-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:network-policies-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:network-policies-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:network-policies + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:update-namespaces + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:update-namespaces") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"clusterrole" "stackrox:update-namespaces") | nindent 4 }} +rules: +- resources: + - namespaces + apiGroups: [""] + verbs: + - update +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:update-namespaces-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:update-namespaces-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:update-namespaces-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:update-namespaces + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:create-events + labels: + {{- include "srox.labels" (list . "clusterrole" "stackrox:create-events") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:create-events") | nindent 4 }} +rules: +- resources: + - events + apiGroups: [""] + verbs: + - create + - patch + - list +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:create-events-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:create-events-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:create-events-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:create-events + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:review-tokens + labels: + {{- include "srox.labels" (list . 
"clusterrole" "stackrox:review-tokens") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrole" "stackrox:review-tokens") | nindent 4 }} +rules: +- resources: + - tokenreviews + apiGroups: ["authentication.k8s.io"] + verbs: + - create +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:review-tokens-binding + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:review-tokens-binding") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:review-tokens-binding") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: stackrox:review-tokens + apiGroup: rbac.authorization.k8s.io diff --git a/rhacs/4.3.5/secured-cluster-services/templates/sensor-scc.yaml b/rhacs/4.3.5/secured-cluster-services/templates/sensor-scc.yaml new file mode 100644 index 0000000..b24a8fc --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/sensor-scc.yaml 
@@ -0,0 +1,47 @@ +{{- include "srox.init" . -}} + +{{- if and ._rox.env.openshift ._rox.system.createSCCs }} + +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: stackrox-sensor + labels: + {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-sensor") | nindent 4 }} + kubernetes.io/description: stackrox-sensor is the security constraint for the sensor +users: + - system:serviceaccount:{{ ._rox._namespace }}:sensor + - system:serviceaccount:{{ ._rox._namespace }}:sensor-upgrader +priority: 0 +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: + - '*' +supplementalGroups: + type: RunAsAny +fsGroup: + type: RunAsAny +groups: [] +readOnlyRootFilesystem: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: [] +defaultAddCapabilities: [] +requiredDropCapabilities: [] +volumes: + - configMap + - downwardAPI + - emptyDir + - secret + +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/sensor-secret.yaml b/rhacs/4.3.5/secured-cluster-services/templates/sensor-secret.yaml new file mode 100644 index 0000000..848e1f2 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/sensor-secret.yaml 
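Review bot: `allowPrivilegeEscalation: true` in the `stackrox-sensor` SCC contradicts the PSP for the same workload, which sets `allowPrivilegeEscalation: false`, and nothing in this change needs it: `allowPrivilegedContainer: false`, `allowedCapabilities: []`, and the Sensor container runs with `runAsNonRoot: true`. Set it to `false`. In the same spirit, `seccompProfiles: ['*']` admits `unconfined` and `requiredDropCapabilities: []` drops nothing; `seccompProfiles: [runtime/default]` and `requiredDropCapabilities: [ALL]` would match what the container actually uses, and if there is a reason to keep either open, a comment next to the field would save the question on the next review.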
@@ -0,0 +1,30 @@ +{{- include "srox.init" . -}} + +{{- if or ._rox.createSecrets (and (kindIs "invalid" ._rox.createSecrets) (or ._rox.sensor.serviceTLS._cert ._rox.sensor.serviceTLS._key)) }} + +{{- if not (and ._rox.ca._cert ._rox.sensor.serviceTLS._cert ._rox.sensor.serviceTLS._key) }} + {{ include "srox.fail" "Requested secret creation, but not all of CA certificate, sensor certificate, sensor private key are available. Set the 'createSecrets' config option to false if you do not want secrets to be created." }} +{{- end }} + +apiVersion: v1 +kind: Secret +metadata: + name: sensor-tls + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "sensor-tls") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + {{- include "srox.annotations" (list . "secret" "sensor-tls") | nindent 4 }} + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" +type: Opaque +stringData: + ca.pem: | + {{- ._rox.ca._cert | nindent 4 }} + sensor-cert.pem: | + {{- ._rox.sensor.serviceTLS._cert | nindent 4 }} + sensor-key.pem: | + {{- ._rox.sensor.serviceTLS._key | nindent 4 }} + +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/sensor.yaml b/rhacs/4.3.5/secured-cluster-services/templates/sensor.yaml new file mode 100644 index 0000000..2534f42 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/sensor.yaml 
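Review bot: the `srox.fail` message tells the user to set `createSecrets` to `false` to skip secret creation, but not what must exist instead: the Sensor Deployment mounts `sensor-tls` as a non-optional volume and projects exactly the keys `sensor-cert.pem`, `sensor-key.pem` and `ca.pem`, so with `createSecrets: false` a pre-created Secret with that name and key layout is mandatory or the pod never starts. Spell that out in the failure text (or in the values file comment for `createSecrets`), e.g. "... or pre-create a Secret named `sensor-tls` with keys `ca.pem`, `sensor-cert.pem` and `sensor-key.pem` in the target namespace".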
@@ -0,0 +1,280 @@ +{{- include "srox.init" . -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "deployment" "sensor") | nindent 4 }} + app: sensor + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "deployment" "sensor") | nindent 4 }} +spec: + replicas: 1 + minReadySeconds: 15 + selector: + matchLabels: + app: sensor + strategy: + type: Recreate + template: + metadata: + labels: + app: sensor + {{- include "srox.podLabels" (list . "deployment" "sensor") | nindent 8 }} + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "8443,9443" + {{- include "srox.podAnnotations" (list . "deployment" "sensor") | nindent 8 }} + spec: + {{- if ._rox.sensor._nodeSelector }} + nodeSelector: + {{- ._rox.sensor._nodeSelector | nindent 8 }} + {{- end}} + {{- if ._rox.sensor.tolerations }} + tolerations: + {{- toYaml ._rox.sensor.tolerations | nindent 8 }} + {{- end }} + affinity: + {{- toYaml ._rox.sensor.affinity | nindent 8 }} + {{- if not ._rox.env.openshift }} + securityContext: + runAsUser: 4000 + fsGroup: 4000 + {{- end }} + serviceAccountName: sensor + containers: + - image: {{ quote ._rox.image.main.fullRef }} + imagePullPolicy: {{ ._rox.sensor.imagePullPolicy }} + name: sensor + readinessProbe: + httpGet: + scheme: HTTPS + path: /ready + port: 9443 + ports: + - containerPort: 8443 + name: api + - containerPort: 9443 + name: webhook + {{- if ._rox.sensor.exposeMonitoring }} + - containerPort: 9090 + name: monitoring + {{- end }} + {{- if ._rox.monitoring.openshift.enabled }} + - containerPort: 9091 + name: monitoring-tls + {{- end }} + command: + - kubernetes-sensor + resources: + {{- ._rox.sensor._resources | nindent 10 }} + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + 
resourceFieldRef: + resource: limits.cpu + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ROX_CENTRAL_ENDPOINT + value: {{ ._rox.centralEndpoint }} + - name: ROX_ADVERTISED_ENDPOINT + value: {{ ._rox.sensor.endpoint }} + {{- if ._rox.env.openshift }} + - name: ROX_OPENSHIFT_API + value: "true" + {{- end }} + {{- if ._rox.sensor.localImageScanning.enabled }} + - name: ROX_SCANNER_GRPC_ENDPOINT + value: {{ printf "scanner.%s.svc:8443" .Release.Namespace }} + - name: ROX_LOCAL_IMAGE_SCANNING_ENABLED + value: "true" + {{- end }} + - name: ROX_HELM_CLUSTER_CONFIG_FP + value: {{ quote ._rox._configFP }} + {{- if ._rox.monitoring.openshift.enabled }} + - name: ROX_ENABLE_SECURE_METRICS + value: "true" + {{- end }} + {{- include "srox.envVars" (list . "deployment" "sensor" "sensor") | nindent 8 }} + volumeMounts: + - name: varlog + mountPath: /var/log/stackrox/ + - name: sensor-etc-ssl-volume + mountPath: /etc/ssl/ + - name: sensor-etc-pki-volume + mountPath: /etc/pki/ca-trust/ + - name: certs + mountPath: /run/secrets/stackrox.io/certs/ + readOnly: true + - name: additional-ca-volume + mountPath: /usr/local/share/ca-certificates/ + readOnly: true + - name: cache + mountPath: /var/cache/stackrox + - name: helm-cluster-config + mountPath: /run/secrets/stackrox.io/helm-cluster-config/ + readOnly: true + - name: helm-effective-cluster-name + mountPath: /run/secrets/stackrox.io/helm-effective-cluster-name/ + readOnly: true + {{- include "srox.injectedCABundleVolumeMount" . 
| nindent 8 }} + {{- if ._rox.monitoring.openshift.enabled }} + - name: monitoring-tls + mountPath: /run/secrets/stackrox.io/monitoring-tls + readOnly: true + {{- end }} + volumes: + - name: certs + secret: + secretName: sensor-tls + items: + - key: sensor-cert.pem + path: cert.pem + - key: sensor-key.pem + path: key.pem + - key: ca.pem + path: ca.pem + - name: sensor-etc-ssl-volume + emptyDir: {} + - name: sensor-etc-pki-volume + emptyDir: {} + - name: additional-ca-volume + secret: + secretName: additional-ca-sensor + optional: true + - name: varlog + emptyDir: {} + - name: cache + emptyDir: {} + - name: helm-cluster-config + secret: + secretName: helm-cluster-config + optional: true + - name: helm-effective-cluster-name + secret: + secretName: helm-effective-cluster-name + optional: true + {{- include "srox.injectedCABundleVolume" . | nindent 6 }} + {{- if ._rox.monitoring.openshift.enabled }} + - name: monitoring-tls + secret: + secretName: sensor-monitoring-tls + optional: true + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + name: sensor + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "service" "sensor") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . 
"service" "sensor") | nindent 4 }} + {{- if ._rox.monitoring.openshift.enabled }} + service.beta.openshift.io/serving-cert-secret-name: sensor-monitoring-tls + {{- end }} +spec: + ports: + - name: https + port: 443 + targetPort: api + protocol: TCP + {{- if ._rox.sensor.exposeMonitoring }} + - name: monitoring + port: 9090 + targetPort: monitoring + protocol: TCP + {{- end }} + {{- if ._rox.monitoring.openshift.enabled }} + - name: monitoring-tls + port: 9091 + targetPort: monitoring-tls + protocol: TCP + {{- end }} + selector: + app: sensor + type: ClusterIP + sessionAffinity: None +--- + +{{- if ._rox.env.istio }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: sensor-internal-no-istio-mtls + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "destinationrule" "sensor-internal-no-istio-mtls") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "destinationrule" "sensor-internal-no-istio-mtls") | nindent 4 }} + stackrox.io/description: "Disable Istio mTLS for port 443, since StackRox services use built-in mTLS." +spec: + host: sensor.stackrox.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 443 + tls: + mode: DISABLE +--- +{{- end }} + +apiVersion: v1 +kind: Service +metadata: + name: sensor-webhook + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "service" "sensor-webhook") | nindent 4 }} + auto-upgrade.stackrox.io/component: "sensor" + annotations: + {{- include "srox.annotations" (list . "service" "sensor-webhook") | nindent 4 }} +spec: + ports: + - name: https + port: 443 + targetPort: webhook + protocol: TCP + selector: + app: sensor + type: ClusterIP + sessionAffinity: None +{{- if or .Release.IsInstall (eq ._rox.confirmNewClusterName ._rox.clusterName) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: helm-effective-cluster-name + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . 
"secret" "helm-effective-cluster-name") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/resource-policy": "keep" + {{- include "srox.annotations" (list . "secret" "helm-effective-cluster-name") | nindent 4 }} +stringData: + cluster-name: | + {{- ._rox.clusterName | nindent 4 }} +{{- end}} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/service-ca.yaml b/rhacs/4.3.5/secured-cluster-services/templates/service-ca.yaml new file mode 100644 index 0000000..3f3b5fd --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/service-ca.yaml @@ -0,0 +1,16 @@ +{{- include "srox.init" . -}} + +apiVersion: v1 +kind: Secret +metadata: + name: service-ca + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "secret" "service-ca") | nindent 4 }} + auto-upgrade.stackrox.io/component: sensor + annotations: + {{- include "srox.annotations" (list . "secret" "service-ca") | nindent 4 }} +type: Opaque +stringData: + ca.pem: | + {{- required "A CA certificate must be specified" ._rox.ca._cert | nindent 4 }} diff --git a/rhacs/4.3.5/secured-cluster-services/templates/upgrader-serviceaccount.yaml b/rhacs/4.3.5/secured-cluster-services/templates/upgrader-serviceaccount.yaml new file mode 100644 index 0000000..af12eb1 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/templates/upgrader-serviceaccount.yaml 
@@ -0,0 +1,36 @@ +{{- include "srox.init" . -}} + +{{- if ._rox.createUpgraderServiceAccount }} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sensor-upgrader + namespace: {{ ._rox._namespace }} + labels: + {{- include "srox.labels" (list . "serviceaccount" "sensor-upgrader") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "serviceaccount" "sensor-upgrader") | nindent 4 }} +imagePullSecrets: +{{- range $secretName := ._rox.mainImagePullSecrets._names }} +- name: {{ quote $secretName }} +{{- end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: stackrox:upgrade-sensors + labels: + {{- include "srox.labels" (list . "clusterrolebinding" "stackrox:upgrade-sensors") | nindent 4 }} + annotations: + {{- include "srox.annotations" (list . "clusterrolebinding" "stackrox:upgrade-sensors") | nindent 4 }} +subjects: +- kind: ServiceAccount + name: sensor-upgrader + namespace: {{ ._rox._namespace }} +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io + +{{- end }} diff --git a/rhacs/4.3.5/secured-cluster-services/values-private.yaml.example b/rhacs/4.3.5/secured-cluster-services/values-private.yaml.example new file mode 100644 index 0000000..ecdec21 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/values-private.yaml.example 
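Review bot: `stackrox:upgrade-sensors` binds `sensor-upgrader` to `cluster-admin`, and the only explanation of why lives in the commented-out values example for `createUpgraderServiceAccount`, which also states that auto-upgrades are disabled for Helm-managed clusters; a one-line comment above the ClusterRoleBinding saying that this is gated off by default and what the upgrader does with the permission would keep that context next to the grant. Related: the `stackrox-sensor` SCC (`users:`) and the PSP RoleBinding (`subjects:`) both list `sensor-upgrader` unconditionally, even when `createUpgraderServiceAccount` is `false` and the ServiceAccount does not exist. The dangling references are harmless today, but an account of that name created by any other path silently inherits those admissions; gate the two entries on `._rox.createUpgraderServiceAccount` as this template does.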
@@ -0,0 +1,19 @@ +# # BEGIN CONFIGURATION VALUES SECTION +# +# # Image pull credentials. If you do not specify these, you need to specify one of +# # the following: +# # - `imagePullSecrets.allowNone=true`: in case your registry allows pulling images without +# # credentials. +# # - `imagePullSecrets.useExisting="secret1;secret2;..."`: in case you have pre-existing image +# # pull secrets with the given name already created in the target namespace. +# # - `imagePullSecrets.useFromDefaultServiceAccount=true`: in case the default service account +# # in the target namespace is configured with sufficiently scoped image pull secrets. +# # +# # Since the above settings do not expose any confidential data, they can safely be added +# # to the values-public.yaml configuration file or provided on the command line. +# +# # If you do not know if any of the above applies to your situation, your best course of +# # action is probably to enter your image pull credentials here. +# imagePullSecrets: +# username: +# password: diff --git a/rhacs/4.3.5/secured-cluster-services/values-public.yaml.example b/rhacs/4.3.5/secured-cluster-services/values-public.yaml.example new file mode 100644 index 0000000..5bb9dc4 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/values-public.yaml.example 
@@ -0,0 +1,465 @@ +# StackRox Kubernetes Security Platform - Secured Cluster Services Chart +# PUBLIC configuration file. +# +# This file contains general configuration values relevant for the deployment of the +# StackRox Kubernetes Platform Secured Cluster Services components, which do not contain +# or reference sensitive data. This file can and should be stored in a source code +# management system and should be referenced on each `helm upgrade`. +# +# Most of the values in this file are optional, and you only should need to make modifications +# if the default deployment configuration is not sufficient for you for whatever reason. +# The most notable exceptios are +# +# - `clusterName`, +# - `centralEndpoint` and +# - `imagePullSecrets`. +# +# # BEGIN CONFIGURATION VALUES SECTION +# +## The cluster name. A new cluster of this name will be automatically registered at StackRox Central +## when deploying this Helm chart. Make sure that this name is unique among the set of secured clusters. +#clusterName: null +# +## To change the cluster name, confirm the new cluster name in this field. It should match the `clusterName` value. +## You don't need to change this unless you upgrade and change the value for clusterName. +## In this case, set it to the new value of clusterName. This option exists to prevent you from accidentally +## creating a new cluster with a different name. +#confirmNewClusterName: null +# +## Custom labels associated with a secured cluster in StackRox. +#clusterLabels: {} +# +## The gRPC endpoint for accessing StackRox Central. +#centralEndpoint: central.{{ .Release.Namespace }}.svc:443 +# +## A dictionary of additional CA certificates to include (PEM encoded). +## For example: +## additionalCAs: +## acme-labs-ca.pem: | +## -----BEGIN CERTIFICATE----- +## [...] +## -----END CERTIFICATE----- +#additionalCAs: null +# +# Specify `true` to create the `sensor-upgrader` account. 
By default, the StackRox Kubernetes +# Security Platform creates a service account called `sensor-upgrader` in each secured cluster. +# This account is highly privileged but is only used during upgrades. If you don’t create this +# account, you will have to complete future upgrades manually if the Sensor doesn’t have enough +# permissions. See +# [Enable automatic upgrades for secured clusters](https://help.stackrox.com/docs/configure-stackrox/enable-automatic-upgrades/) +# for more information. +# Note that auto-upgrades for Helm-managed clusters are disabled. +#createUpgraderServiceAccount: false +# +## Configuration for image pull secrets. +## These should usually be set via the command line when running `helm install`, e.g., +## helm install --set imagePullSecrets.username=myuser --set imagePullSecrets.password=mypass, +## or be stored in a separate YAML-encoded secrets file. +#imagePullSecrets: +# +# # If no image pull secrets are provided, an installation would usually fail. In order to +# # prevent it from failing, this option must explicitly be set to true. +# allowNone: false +# +# # If there exist available image pull secrets in the cluster that are managed separately, +# # set this value to the list of the respective secret names. While it is recommended to +# # record the secret names in a persisted YAML file, providing a single string containing +# # a comma-delimited list of secret names is also supported, for easier interaction with +# # --set. +# useExisting: [] +# +# # Whether to import any secrets from the default service account existing in the StackRox +# # namespace. The default service account often contains "standard" image pull secrets that +# # should be used by default for image pulls, hence this defaults to true. Only has an effect +# # if server-side lookups are enabled. +# useFromDefaultServiceAccount: true +# +## Settings regarding the installation environment +#env: +# # Treat the environment as an OpenShift cluster. 
Leave this unset to use auto-detection +# # based on available API resources on the server. +# # Set it to true to auto-detect the OpenShift version, otherwise set it explicitly. +# # Possible values: null, false, true, 3, 4 +# openshift: null +# +# # Treat the environment as Istio-enabled. Leave this unset to use auto-detection based on +# # available API resources on the server. +# # Possible values: null, false, true +# istio: null +# +## PEM-encoded StackRox Service CA certificate. +#ca: +# cert: null +# +## Image configuration +#image: +# # The image registry to use. Unless overridden in the more specific configs, this +# # determines the base registry for each image referenced in this config file. +# registry: my.image-registry.io +# +# # Configuration for the `main` image -- used by Sensor, Admission Control, Compliance. +# main: +# registry: null # if set to null, use `image.registry` +# name: main # the final image name is composed of the registry and the name, plus the tag below +# tag: null # should be left as null - will get picked up from the Chart version. +# fullRef: null # you can set a full image reference such as stackrox.io/main:1.2.3.4 here, but this is not +# # recommended. +# # The default pull policy for this image. Can be overridden for each individual service. +# pullPolicy: IfNotPresent +# +# # Configuration for the `collector` image -- used by Collector. +# collector: +# registry: null +# name: collector +# tag: null +# fullRef: null +# pullPolicy: IfNotPresent +# +## Sensor specific configuration. +#sensor: +# +# # Kubernetes image pull policy for Sensor. +# imagePullPolicy: IfNotPresent +# +# # Resource configuration for the sensor container. +# resources: +# requests: +# memory: "4Gi" +# cpu: "2" +# limits: +# memory: "8Gi" +# cpu: "4" +# +# # Settings for the internal service-to-service TLS certificate used by Sensor. 
+# serviceTLS: +# cert: null +# key: null +# +# # Use a nodeSelector for sensor +# nodeSelector +# environment: production +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# tolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# If scheduling needs specific affinities, you can specify the corresponding affinities here. +# affinity: +# nodeAffinity: +# preferredDuringSchedulingIgnoredDuringExecution: +# # Sensor is single-homed, so avoid preemptible nodes. +# - weight: 100 +# preference: +# matchExpressions: +# - key: cloud.google.com/gke-preemptible +# operator: NotIn +# values: +# - "true" +# - weight: 50 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/infra +# operator: Exists +# - weight: 25 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/compute +# operator: Exists +# # From v1.20 node-role.kubernetes.io/control-plane replaces node-role.kubernetes.io/master (removed in +# # v1.25). We apply both because our goal is not to run pods on control plane nodes for any version of k8s. +# - weight: 100 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/master +# operator: DoesNotExist +# - weight: 100 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/control-plane +# operator: DoesNotExist +# +# # Address of the Sensor endpoint including port number. No trailing slash. +# # Rarely needs to be changed. +# endpoint: sensor.stackrox.svc:443 +# +## Admission Control specific configuration. +#admissionControl: +# +# # This setting controls whether the cluster is configured to contact the StackRox +# # Kubernetes Security Platform with `AdmissionReview` requests for create events on +# # Kubernetes objects. 
+# listenOnCreates: false +# +# # This setting controls whether the cluster is configured to contact the StackRox Kubernetes +# # Security Platform with `AdmissionReview` requests for update events on Kubernetes objects. +# listenOnUpdates: false +# +# # This setting controls whether the cluster is configured to contact the StackRox +# # Kubernetes Security Platform with `AdmissionReview` requests for update Kubernetes events +# # like exec and portforward. +# # +# # Defaults to `false` on OpenShift, to `true` otherwise. +# listenOnEvents: true +# +# # Use a nodeSelector for admission control pods +# nodeSelector +# environment: production +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# tolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# If scheduling needs specific affinities, you can specify the corresponding affinities here. +# affinity: +# nodeAffinity: +# preferredDuringSchedulingIgnoredDuringExecution: +# # node-role.kubernetes.io/master is replaced by node-role.kubernetes.io/control-plane from certain version +# # of k8s. We apply both to be compatible with any k8s version. +# - weight: 50 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/master +# operator: Exists +# - weight: 50 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/control-plane +# operator: Exists +# podAntiAffinity: +# preferredDuringSchedulingIgnoredDuringExecution: +# - weight: 60 +# podAffinityTerm: +# topologyKey: "kubernetes.io/hostname" +# labelSelector: +# matchLabels: +# app: admission-control +# +# # Dynamic part of the configuration which is retrieved from Central and can be modified through +# # the frontend. 
+# dynamic: +# +# # It controls whether the StackRox Kubernetes Security Platform evaluates policies for object +# # updates; if it’s disabled, all `AdmissionReview` requests are automatically accepted. You must +# # specify `listenOnUpdates` as `true` for this to work. +# enforceOnUpdates: false +# +# # Controls whether the StackRox Kubernetes Security Platform evaluates policies. +# # If disabled, all AdmissionReview requests are automatically accepted. You must specify +# # `listenOnCreates` as `true` for this to work. +# enforceOnCreates: false +# +# scanInline: false +# +# # If enabled, bypassing the Admission Controller is disabled. +# disableBypass: false +# +# # The maximum time in seconds, the StackRox Kubernetes Security Platform should wait while +# # evaluating admission review requests. Use it to set request timeouts when you enable image scanning. +# # If the image scan runs longer than the specified time, the StackRox Kubernetes Security Platform +# # accepts the request. Other enforcement options, such as scaling the deployment to zero replicas, +# # are still applied later if the image violates applicable policies. +# timeout: 3 +# +# # Kubernetes image pull policy for Admission Control. +# imagePullPolicy: IfNotPresent +# +# # Resource configuration for the Admission Control container. +# resources: +# requests: +# memory: "100Mi" +# cpu: "50m" +# limits: +# memory: "500Mi" +# cpu: "500m" +# +# # Replicas configures the replicas of the admission controller pod. +# replicas: 3 +# +# # Settings for the internal service-to-service TLS certificate used by Admission Control. +# serviceTLS: +# cert: null +# key: null +# +## Collector specific configuration. +#collector: +# +# # Collection method to use. Can be one of: +# # - EBPF +# # - CORE_BPF +# # - NO_COLLECTION +# collectionMethod: EBPF +# +# # Configure usage of taint tolerations. If `false`, tolerations are applied to collector, +# # and the collector pods can schedule onto all nodes with taints. 
If `true`, no tolerations +# # are applied, and the collector pods won't scheduled onto nodes with taints. +# disableTaintTolerations: false +# +# # Configure whether slim Collector images should be used or not. Using slim Collector images +# # requires Central to provide the matching kernel module or eBPF probe. If you are running +# # the StackRox Kubernetes Security Platform in offline mode, you must download a kernel support +# # package from [stackrox.io](https://install.stackrox.io/collector/support-packages/index.html) +# # and upload it to Central for slim Collectors to function. Otherwise, you must ensure that +# # Central can access the online probe repository hosted at https://collector-modules.stackrox.io/. +# slimMode: false +# +# # Kubernetes image pull policy for Collector. +# imagePullPolicy: IfNotPresent +# +# # Resource configuration for the Collector container. +# resources: +# requests: +# memory: "320Mi" +# cpu: "50m" +# limits: +# memory: "1Gi" +# cpu: "750m" +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# tolerations: +# - operator: "Exists" +# +# complianceImagePullPolicy: IfNotPresent +# +# # Resource configuration for the Compliance container. +# complianceResources: +# requests: +# memory: "10Mi" +# cpu: "10m" +# limits: +# memory: "2Gi" +# cpu: "1" +# +# # Resource configuration for the Node Inventory container. +# nodeScanningResources: +# requests: +# memory: "10Mi" +# cpu: "10m" +# limits: +# memory: "500Mi" +# cpu: "1" +# +# # Settings for the internal service-to-service TLS certificate used by Collector. +# serviceTLS: +# cert: null +# key: null +# +# # Settings configuring the ingestion of audit logs: +# auditLogs: +# # Disable audit log collection. This setting defaults to false on OpenShift 4 clusters. On all other cluster types, +# # it defaults to true, and setting it to false will result in an error. 
+# disableCollection: false +# +# # Customization Settings. +# # The following allows specifying custom Kubernetes metadata (labels and annotations) +# # for all objects instantiated by this Helm chart, as well as additional pod labels, +# # pod annotations, and container environment variables for workloads. +# # The configuration is hierarchical, in the sense that metadata that is defined at a more +# # generic scope (e.g., for all objects) can be overridden by metadata defined at a narrower +# # scope (e.g., only for the sensor deployment). +# customize: +# # Extra metadata for all objects. +# labels: +# my-label-key: my-label-value +# annotations: +# my-annotation-key: my-annotation-value +# +# # Extra pod metadata for all objects (only has an effect for workloads, i.e., deployments). +# podLabels: +# my-pod-label-key: my-pod-label-value +# podAnnotations: +# my-pod-annotation-key: my-pod-annotation-value +# +# # Extra environment variables for all containers in all objects. +# envVars: +# MY_ENV_VAR_NAME: MY_ENV_VAR_VALUE +# +# # Extra metadata for the Sensor deployment only. +# sensor: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the collector daemon set only. +# collector: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the admission control only. +# admission-control: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for the compliance only. +# compliance: +# labels: {} +# annotations: {} +# podLabels: {} +# podAnnotations: {} +# envVars: {} +# +# # Extra metadata for all other objects. The keys in the following map can be +# # an object name of the form "service/central-loadbalancer", or a reference to all +# # objects of a given type in the form "service/*". 
The values under each key +# # are the five metadata overrides (labels, annotations, podLabels, podAnnotations, envVars) +# # as specified above, though only the first two will be relevant for non-workload +# # object types. +# other: +# "service/*": +# labels: {} +# annotations: {} +# +# # EXPERT SETTINGS +# # The following settings should only be changed if you know very well what you are doing. +# # The scenarios in which these are required are generally not supported. +# +# # Set allowNonstandardNamespace=true if you are deploying into a namespace other than +# # "stackrox". This has been observed to work in some case, but is not generally supported. +# allowNonstandardNamespace: false +# +# # Set allowNonstandardReleaseName=true if you are deploying with a release name other than +# # the default "stackrox-central-services". This has been observed to work in some cases, +# # but is not generally supported. +# allowNonstandardReleaseName: false +# +# +#meta: +# # This is a dictionary from file names to contents that can be used to inject files that +# # would usually be included via .Files.Get into the chart rendering. +# fileOverrides: {} +# +# # This configuration section allows overriding settings that would be inferred from the +# # running API server. +# apiServer: +# # The Kubernetes version running on the API server. This is used for auto-detection +# # of the platform. +# version: null +# # The list of available API resources on the server, in the form of "apps/v1" or +# # "apps/v1/Deployment". This is used to detect environment capabilities. +# overrideAPIResources: null +# # A list of extra API resources that should be assumed to exist on the API server. This +# # can be used in conjunction with both data obtained from the API server, or data set +# # via `overrideAPIResources`. +# extraAPIResources: [] +# +#monitoring: +# # Enables integration with OpenShift platform monitoring. +# openshift: +# enabled: true 
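Review bot: several explanatory lines in this hunk carry a single leading `#` instead of the `# #` used by the surrounding comments, so they become bare, invalid YAML the moment a reader uncomments the block: `# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here.` and `# If scheduling needs specific affinities, you can specify the corresponding affinities here.` appear this way under both the Sensor and the Admission Control sections (and again under Collector); prefix them with `# # ` like their neighbours. In the same two sections `# nodeSelector` is missing its trailing colon (`# nodeSelector:`), so the `environment: production` child cannot parse once enabled. Under `dynamic:`, `scanInline: false` is the only key without a description while every sibling explains its effect; add a comment saying what inline scanning changes for admission decisions. The Collector `disableTaintTolerations` comment reads "won't scheduled onto nodes with taints" (should be "won't be scheduled"). The two nodeAffinity comments also disagree on the master/control-plane label history (one says "From v1.20 ... (removed in v1.25)", the other "from certain version of k8s"); align them, and since Sensor uses `DoesNotExist` for those labels while Admission Control uses `Exists`, a one-line comment on why Admission Control prefers control-plane nodes would help. Finally, the `allowNonstandardReleaseName` comment cites "stackrox-central-services" as the default release name, but this file configures Sensor, Admission Control and Collector, i.e. the secured cluster chart; confirm the default for this chart and correct the text.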
diff --git a/rhacs/4.3.5/secured-cluster-services/values-scanner.yaml.example b/rhacs/4.3.5/secured-cluster-services/values-scanner.yaml.example new file mode 100644 index 0000000..c422153 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/values-scanner.yaml.example 
@@ -0,0 +1,92 @@ +# # NOTE: +# # The Scanner is only available in the secured clusters on the OpenShift Container Platform. +# +# # Public configuration options for the StackRox Scanner: +# # When installing the Secured Cluster chart, a slim scanner mode is deployed with reduced image caching. +# # To run the scanner in the secured cluster, you must connect the Scanner to Sensor. +# +# # WARNING: +# # If deployed in the same namespace with Central it is only supported to install Scanner as part of Central's installation. +# # Sensor will use the existing Scanner to scan for local images. +# +# Image configuration for scanner: +# # For a complete example, see the `values-public.yaml.example` file. +# image: +# # Configuration for the `scanner` image that is used by Scanner. +# scanner: +# registry: null +# name: scanner-slim +# tag: null +# fullRef: null +# +# scanner: +# # disable=false Deploys a StackRox Scanner in the secured cluster to allow scanning images +# # from the OpenShift Container Platform cluster's local registries. +# disable: false +# +# # The number of replicas for the Scanner deployment. If autoscaling is enabled (see below), +# # this determines the initial number of replicas. +# replicas: 3 +# +# # The log level for the scanner deployment. This typically does not need to be changed. +# logLevel: INFO +# +# # If you want to enforce StackRox Scanner to only run on certain nodes, you can specify +# # a node selector here to make sure Scanner can only be scheduled on Nodes with the +# # given label. +# nodeSelector: +# # This can contain arbitrary `label-key: label-value` pairs. +# role: stackrox-scanner +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. 
+# tolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# # If you want to enforce StackRox Scanner DB to only run on certain nodes, you can specify +# # a node selector here to make sure Scanner DB can only be scheduled on Nodes with the +# # given label. +# dbNodeSelector: +# # This can contain arbitrary `label-key: label-value` pairs. +# role: stackrox-scanner-db +# +# If the nodes selected by the node selector are tainted, you can specify the corresponding taint tolerations here. +# dbTolerations: +# - effect: NoSchedule +# key: infra +# value: reserved +# - effect: NoExecute +# key: infra +# value: reserved +# +# # Configuration for autoscaling the Scanner deployment. +# autoscaling: +# # disable=true causes autoscaling to be disabled. All other settings in this section +# # will have no effect. +# disable: false +# # The minimum number of replicas for autoscaling. The following value is the default. +# minReplicas: 2 +# # The maximum number of replicas for autoscaling. The following value is the default. +# maxReplicas: 5 +# +# # Custom resource overrides for the Scanner deployment. +# resources: +# requests: +# memory: "1500Mi" +# cpu: "1000m" +# limits: +# memory: "4Gi" +# cpu: "2000m" +# +# # Custom resource overrides for the Scanner DB deployment. +# dbResources: +# limits: +# cpu: "2000m" +# memory: "4Gi" +# requests: +# cpu: "200m" +# memory: "200Mi" diff --git a/rhacs/4.3.5/secured-cluster-services/values.yaml b/rhacs/4.3.5/secured-cluster-services/values.yaml new file mode 100644 index 0000000..3297a22 --- /dev/null +++ b/rhacs/4.3.5/secured-cluster-services/values.yaml 
@@ -0,0 +1,9 @@ +## StackRox Secured Cluster Services chart +## values.yaml +## +## This file contains no values. In particular, you should NOT modify this file; instead, +## create your own configuration file and pass it to `helm` via the `-f` parameter. +## For this, you can use the files `values-private.yaml.example` and `values-public.yaml.example` +## that are part of the chart as a blueprint. +## +## Please also consult README.md for a list of available configuration options.
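Review bot: in `values-scanner.yaml.example`, `# Image configuration for scanner:` (the line before the `image:` block) and both `# If the nodes selected by the node selector are tainted, ...` lines lack the second `#` used by every other comment, so uncommenting the example leaves invalid YAML; write them as `# # ...`. The `dbResources` block lists `limits` before `requests`, the reverse of the `resources` block directly above it; reorder for consistency so the two are easy to compare. The header note says Scanner in a secured cluster "must connect the Scanner to Sensor" but no key in the file shows how that connection is configured; either reference the relevant setting or point to the README section that covers it.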
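Review bot: the guidance at the top of `values.yaml` names only `values-private.yaml.example` and `values-public.yaml.example` as blueprints, yet this same patch adds `values-scanner.yaml.example`; list it here as well (and in the README.md the file refers readers to) so the Scanner options are discoverable from the one file users are told not to edit.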