refactor broker deployment

wiz-sec · Apr 20, 2023 · 9153a7d · 9153a7d
1 parent e03899d
commit 9153a7d
Show file tree

Hide file tree

Showing 15 changed files with 279 additions and 106 deletions.
diff --git a/wiz-broker-v2/.helmignore b/wiz-broker-v2/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/wiz-broker-v2/Chart.yaml b/wiz-broker-v2/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+name: "wiz-broker-v2"
+description: Wiz Broker for tunneling http traffic to Wiz backend
+
+type: application
+
+version: 1.0.0
+appVersion: "2.0.162274"
diff --git a/wiz-broker-v2/templates/_helpers.tpl b/wiz-broker-v2/templates/_helpers.tpl
@@ -0,0 +1,68 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "wiz-broker.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "wiz-broker.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "wiz-broker.labels" -}}
+helm.sh/chart: {{ include "wiz-broker.chart" . }}
+{{ include "wiz-broker.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.commonLabels }}
+{{- range $index, $content := .Values.commonLabels }}
+{{ $index }}: {{ tpl $content $ }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "wiz-broker.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "wiz-broker.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create Wiz broker properties to use
+*/}}
+
+{{- define "wiz-broker.wizConnectorSecretData" -}}
+{{- if not .Values.global.autoCreateConnector }}
+CONNECTOR_ID: {{ required "A valid .Values.global.wizConnector.connectorId entry required!" .Values.global.wizConnector.connectorId | quote}}
+CONNECTOR_TOKEN: {{ required "A valid .Values.global.wizConnector.connectorToken entry required!" .Values.global.wizConnector.connectorToken | quote }}
+TARGET_DOMAIN: {{ required "A valid .Values.global.wizConnector.targetDomain entry required!" .Values.global.wizConnector.targetDomain | quote }}
+TARGET_IP: {{ required "A valid .Values.global.wizConnector.targetIp entry required!" .Values.global.wizConnector.targetIp | quote }}
+TARGET_PORT: {{ required "A valid .Values.global.wizConnector.targetPort entry required!" .Values.global.wizConnector.targetPort | quote }}
+{{- end }}
+{{- end }}
+
+{{/*
+Secrets names
+*/}}
+
+{{- define "wiz-broker.apiTokenSecretName" -}}
+{{ coalesce (.Values.global.wizApiToken.secret.name) (printf "%s-api-token" .Release.Name) }}
+{{- end }}
+
+{{- define "wiz-broker.proxySecretName" -}}
+{{ coalesce (.Values.global.httpProxyConfiguration.secretName) (printf "%s-proxy-configuration" .Release.Name) }}
+{{- end }}
+
+{{- define "wiz-broker.connectorSecretName" -}}
+{{ coalesce (.Values.global.wizConnector.secretName) (printf "%s-connector" .Release.Name) }}
+{{- end }}
diff --git a/wiz-broker-v2/templates/secret-proxy.yaml b/wiz-broker-v2/templates/secret-proxy.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.global.httpProxyConfiguration.enabled }}
+{{- if .Values.global.httpProxyConfiguration.create }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "wiz-broker.proxySecretName" . | trim }}
+  namespace: {{ .Release.Namespace | quote }}
+  {{- with .Values.global.httpProxyConfiguration.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "wiz-broker.labels" . | nindent 4 }}
+data:
+  httpProxy: {{ .Values.global.httpProxyConfiguration.httpProxy | b64enc | quote }}
+  httpsProxy: {{ .Values.global.httpProxyConfiguration.httpsProxy | b64enc | quote }}
+  noProxyAddress: {{ .Values.global.httpProxyConfiguration.noProxyAddress | b64enc | quote }}
+{{- end }}
+{{- end }}
diff --git a/...tor/templates/service-account-broker.yaml → wiz-broker-v2/templates/serviceaccount.yaml b/...tor/templates/service-account-broker.yaml → wiz-broker-v2/templates/serviceaccount.yaml
@@ -1,13 +1,13 @@
 {{- if .Values.broker.enabled }}
-{{- if .Values.broker.serviceAccount.create -}}
+{{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Values.broker.serviceAccount.name }}
+  name: {{ .Values.serviceAccount.name }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }}
-  {{- with .Values.broker.serviceAccount.annotations }}
+  {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}

diff --git a/...ctor/templates/wiz-broker-deployment.yaml → ...r-v2/templates/wiz-broker-deployment.yaml b/...ctor/templates/wiz-broker-deployment.yaml → ...r-v2/templates/wiz-broker-deployment.yaml
@@ -5,42 +5,42 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "wiz-kubernetes-connector.name" . }}-broker
+  name: {{ include "wiz-broker.name" . }}-broker
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }}
+    {{- include "wiz-broker.labels" . | nindent 4 }}
 spec:
   replicas: 1
   selector:
     matchLabels:
-      {{- include "wiz-kubernetes-connector.selectorLabels" . | nindent 6 }}
+      {{- include "wiz-broker.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       annotations:
         rollme: {{ randAlphaNum 5 | quote }}
         {{- with .Values.podAnnotations }}
-          {{- toYaml . | nindent 8 }}
+        {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
         {{/*
-        `labels` includes `selectorLabels`
-        */}}
-        {{- include "wiz-kubernetes-connector.labels" . | nindent 8 }}
+          `labels` includes `selectorLabels`
+          */}}
+          {{- include "wiz-broker.labels" . | nindent 8 }}
     spec:
       {{- with .Values.image.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: {{ .Values.broker.serviceAccount.name }}
+      serviceAccountName: {{ .Values.serviceAccount.name }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       volumes:
         - name: connector-data
           secret:
-            secretName: {{ include "wiz-kubernetes-connector.connectorSecretName" . | trim }}
+            secretName: {{ include "wiz-broker.connectorSecretName" . | trim }}
             items:
-            - key: connectorData
-              path: {{ $connectorDataFileName }}
+              - key: connectorData
+                path: {{ $connectorDataFileName }}
         {{- with .Values.broker.customVolumes }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -62,17 +62,17 @@ spec:
           ]
           env:
           - name: WIZ_ENV
-            value: {{ .Values.wizApiToken.clientEndpoint | quote }}
-          {{- if not .Values.wizApiToken.usePodCustomEnvironmentVariablesFile }}
+            value: {{ .Values.global.wizApiToken.clientEndpoint | quote }}
+          {{- if not .Values.global.wizApiToken.usePodCustomEnvironmentVariablesFile }}
           - name: WIZ_CLIENT_ID
             valueFrom:
               secretKeyRef:
-                name: {{ include "wiz-kubernetes-connector.apiTokenSecretName" . | trim }}
+                name: {{ include "wiz-broker.apiTokenSecretName" . | trim }}
                 key: clientId
           - name: WIZ_CLIENT_TOKEN
             valueFrom:
               secretKeyRef:
-                name: {{ include "wiz-kubernetes-connector.apiTokenSecretName" . | trim }}
+                name: {{ include "wiz-broker.apiTokenSecretName" . | trim }}
                 key: clientToken
           {{- end }}
           {{- if .Values.broker.podCustomEnvironmentVariablesFile }}
@@ -83,11 +83,11 @@ spec:
           {{- end }}
           - name: TARGET_IP
             value: {{ .Values.broker.targetIp }}
-          {{- if .Values.httpProxyConfiguration.enabled }}
+          {{- if .Values.global.httpProxyConfiguration.enabled }}
           - name: HTTP_PROXY
             valueFrom:
               secretKeyRef:
-                name: {{ include "wiz-kubernetes-connector.proxySecretName" . | trim }}
+                name: {{ include "wiz-broker.proxySecretName" . | trim }}
                 key: httpsProxy # The frp project supports only HTTP_PROXY, it uses it for both http and https.  Our broker always uses https, so we're using the httpsProxy value here (See: https://github.com/fatedier/frp/#connecting-to-frps-via-http-proxy)
           {{- end }}
           resources:

diff --git a/wiz-broker-v2/values.yaml b/wiz-broker-v2/values.yaml
@@ -0,0 +1,43 @@
+# Default values for wiz-broker.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# override default application name
+nameOverride: "wiz-broker"
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+
+  # Annotations to add to the service account
+  annotations: {}
+
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: "wiz-broker"
+
+  # Create RBAC resources for our service account.
+  # Needed to fetch kubernetes metadata from the api-server
+  rbac: true
+
+image:
+  registry: wiziopublic.azurecr.io/wiz-app
+  repository: wiz-broker
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+  imagePullSecrets: []
+
+broker:
+  enabled: true
+  targetIp: ""
+  podCustomEnvironmentVariablesFile: ""
+
+  customVolumes: []
+  customVolumeMounts: []
+
+podAnnotations: {}
+
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
diff --git a/wiz-kubernetes-connector/Chart.yaml b/wiz-kubernetes-connector/Chart.yaml
@@ -22,3 +22,11 @@ version: 2.0.1
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "2.0.162274"
+
+# Add wiz-broker dependency to the chart
+dependencies:
+  - name: "wiz-broker-v2"
+    version: "1.0.0"
+#    repository: "https://wiz-sec.github.io/charts"
+    repository: "file://../wiz-broker-v2"
+    condition: broker.enabled
diff --git a/wiz-kubernetes-connector/templates/NOTES.txt b/wiz-kubernetes-connector/templates/NOTES.txt
@@ -14,11 +14,11 @@ For uninstalling the wiz kubernetes connector you need to delete helm hooks reso
 Please run the following commands:
 helm uninstall {{ .Release.Name | quote }} -n {{ .Release.Namespace | quote }}
 {{- if .Values.broker.enabled }}
-{{- if .Values.wizConnector.createSecret }}
+{{- if .Values.global.wizConnector.createSecret }}
 kubectl delete secret {{ include "wiz-kubernetes-connector.connectorSecretName" . | trim }} -n {{ .Release.Namespace | quote }}
 {{- end }}
 {{- end }}
-{{- if and .Values.wizApiToken.secret.create .Values.autoCreateConnector.enabled }}
+{{- if and .Values.global.wizApiToken.secret.create .Values.autoCreateConnector.enabled }}
 kubectl delete secret {{ include "wiz-kubernetes-connector.apiTokenSecretName" . | trim }} -n {{ .Release.Namespace | quote }}
 {{- end }}
 {{- if .Values.clusterReader.installRbac }}

diff --git a/wiz-kubernetes-connector/templates/_helpers.tpl b/wiz-kubernetes-connector/templates/_helpers.tpl
@@ -42,12 +42,12 @@ Create Wiz connector properties to use
 */}}
 
 {{- define "wiz-kubernetes-connector.wizConnectorSecretData" -}}
-{{- if not .Values.autoCreateConnector.enabled }}
-CONNECTOR_ID: {{ required "A valid .Values.wizConnector.connectorId entry required!" .Values.wizConnector.connectorId | quote}}
-CONNECTOR_TOKEN: {{ required "A valid .Values.wizConnector.connectorToken entry required!" .Values.wizConnector.connectorToken | quote }}
-TARGET_DOMAIN: {{ required "A valid .Values.wizConnector.targetDomain entry required!" .Values.wizConnector.targetDomain | quote }}
-TARGET_IP: {{ required "A valid .Values.wizConnector.targetIp entry required!" .Values.wizConnector.targetIp | quote }}
-TARGET_PORT: {{ required "A valid .Values.wizConnector.targetPort entry required!" .Values.wizConnector.targetPort | quote }}
+{{- if not .Values.global.autoCreateConnector }}
+CONNECTOR_ID: {{ required "A valid .Values.global.wizConnector.connectorId entry required!" .Values.global.wizConnector.connectorId | quote}}
+CONNECTOR_TOKEN: {{ required "A valid .Values.global.wizConnector.connectorToken entry required!" .Values.global.wizConnector.connectorToken | quote }}
+TARGET_DOMAIN: {{ required "A valid .Values.global.wizConnector.targetDomain entry required!" .Values.global.wizConnector.targetDomain | quote }}
+TARGET_IP: {{ required "A valid .Values.global.wizConnector.targetIp entry required!" .Values.global.wizConnector.targetIp | quote }}
+TARGET_PORT: {{ required "A valid .Values.global.wizConnector.targetPort entry required!" .Values.global.wizConnector.targetPort | quote }}
 {{- end }}
 {{- end }}
 
@@ -56,15 +56,15 @@ Secrets names
 */}}
 
 {{- define "wiz-kubernetes-connector.apiTokenSecretName" -}}
-{{ coalesce (.Values.wizApiToken.secret.name) (printf "%s-api-token" .Release.Name) }}
+{{ coalesce (.Values.global.wizApiToken.secret.name) (printf "%s-api-token" .Release.Name) }}
 {{- end }}
 
 {{- define "wiz-kubernetes-connector.proxySecretName" -}}
-{{ coalesce (.Values.httpProxyConfiguration.secretName) (printf "%s-proxy-configuration" .Release.Name) }}
+{{ coalesce (.Values.global.httpProxyConfiguration.secretName) (printf "%s-proxy-configuration" .Release.Name) }}
 {{- end }}
 
 {{- define "wiz-kubernetes-connector.connectorSecretName" -}}
-{{ coalesce (.Values.wizConnector.secretName) (printf "%s-connector" .Release.Name) }}
+{{ coalesce (.Values.global.wizConnector.secretName) (printf "%s-connector" .Release.Name) }}
 {{- end }}
 
 {{- define "wiz-kubernetes-connector.clusterReaderToken" -}}
@@ -75,7 +75,7 @@ Secrets names
 Input parameters
 */}}
 {{- define "wiz-kubernetes-connector.apiServerEndpoint" -}}
-  {{- if and .Values.autoCreateConnector.enabled (not .Values.broker.enabled) }}
+  {{- if and .Values.global.autoCreateConnector (not .Values.broker.enabled) }}
     {{- required "A valid .Values.autoCreateConnector.apiServerEndpoint entry required!" .Values.autoCreateConnector.apiServerEndpoint -}}
   {{- else -}}
     {{ if .Values.autoCreateConnector.apiServerEndpoint }}

diff --git a/wiz-kubernetes-connector/templates/job-create-connector.yaml b/wiz-kubernetes-connector/templates/job-create-connector.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.autoCreateConnector.enabled }}
+{{- if .Values.global.autoCreateConnector }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -76,7 +76,7 @@ spec:
           - name: USE_CLI_ENV_FILE
             value: "true"
           {{- end }}
-          {{- if not .Values.wizApiToken.usePodCustomEnvironmentVariablesFile }}
+          {{- if not .Values.global.wizApiToken.usePodCustomEnvironmentVariablesFile }}
           - name: WIZ_CLIENT_ID
             valueFrom:
               secretKeyRef:
@@ -89,8 +89,8 @@ spec:
                 key: clientToken
           {{- end }}
           - name: WIZ_ENV
-            value: {{ .Values.wizApiToken.clientEndpoint | quote }}
-          {{- if .Values.httpProxyConfiguration.enabled }}
+            value: {{ .Values.global.wizApiToken.clientEndpoint | quote }}
+          {{- if .Values.global.httpProxyConfiguration.enabled }}
           - name: HTTP_PROXY
             valueFrom:
               secretKeyRef: