Diffstat (limited to 'kubernetes/vvp/charts/vvp-imagescanner')
7 files changed, 373 insertions, 0 deletions
diff --git a/kubernetes/vvp/charts/vvp-imagescanner/Chart.yaml b/kubernetes/vvp/charts/vvp-imagescanner/Chart.yaml
new file mode 100644
index 0000000000..f0b00dcf98
--- /dev/null
+++ b/kubernetes/vvp/charts/vvp-imagescanner/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2018 Amdocs, AT&T, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: scan for validity and viruses on users files
+name: vvp-imagescanner
+version: 3.0.0
diff --git a/kubernetes/vvp/charts/vvp-imagescanner/requirements.yaml b/kubernetes/vvp/charts/vvp-imagescanner/requirements.yaml
new file mode 100644
index 0000000000..9f44c6df28
--- /dev/null
+++ b/kubernetes/vvp/charts/vvp-imagescanner/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2018 Amdocs, AT&T, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: common
+ version: ~3.0.0
+ repository: '@local'
diff --git a/kubernetes/vvp/charts/vvp-imagescanner/resources/config/imagescanner/imagescannerconfig.py b/kubernetes/vvp/charts/vvp-imagescanner/resources/config/imagescanner/imagescannerconfig.py
new file mode 100644
index 0000000000..1777b13ae0
--- /dev/null
+++ b/kubernetes/vvp/charts/vvp-imagescanner/resources/config/imagescanner/imagescannerconfig.py
@@ -0,0 +1,34 @@
+# Copyright © 2018 Amdocs, AT&T, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+from pathlib import Path
+from awsauth import S3Auth
+# A mapping from host names to Requests Authentication Objects; see
+# http://docs.python-requests.org/en/master/user/authentication/
+AUTHS = {}
+if 'S3_HOST' in os.environ:
+ AUTHS[os.environ['S3_HOST']] = S3Auth(
+ os.environ['AWS_ACCESS_KEY_ID'],
+ os.environ['AWS_SECRET_ACCESS_KEY'],
+ service_url='https://%s/' % os.environ['S3_HOST']
+ )
+LOGS_PATH = Path(os.environ['IMAGESCANNER_LOGS_PATH'])
+STATUSFILE = LOGS_PATH/'status.txt'
+# A dict passed as kwargs to jenkins.Jenkins constructor.
+JENKINS = {
+ 'url': 'http://jenkins:8080',
+ 'username': 'admin',
+ 'password': os.environ['SECRET_JENKINS_PASSWORD'],
+ }
diff --git a/kubernetes/vvp/charts/vvp-imagescanner/templates/configmap.yaml b/kubernetes/vvp/charts/vvp-imagescanner/templates/configmap.yaml
new file mode 100644
index 0000000000..59d60666ef
--- /dev/null
+++ b/kubernetes/vvp/charts/vvp-imagescanner/templates/configmap.yaml
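Review bot: `LOGS_PATH = Path(os.environ['IMAGESCANNER_LOGS_PATH'])` and `'password': os.environ['SECRET_JENKINS_PASSWORD']` are evaluated at import time with subscript access, so any container that imports this settings module without both variables set fails with a bare KeyError rather than a readable configuration error; the deployment in this commit does not appear to export IMAGESCANNER_LOGS_PATH at all (unless the image sets it), so that should be confirmed. A `os.environ.get(...)` with an explicit `raise RuntimeError("IMAGESCANNER_LOGS_PATH is not set")` would make a misconfigured pod fail with a clear message. Separately, the deployment exports S3_PORT but `service_url='https://%s/' % os.environ['S3_HOST']` ignores it, so a non-443 endpoint silently will not work; either drop the variable or build the URL from both. Also worth a comment on `'url': 'http://jenkins:8080'` that the admin password is sent over plain HTTP inside the cluster, so this relies on the cluster network being trusted.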
@@ -0,0 +1,91 @@
+# Copyright © 2018 Amdocs, AT&T, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: imagescanner-settings
+ namespace: {{ include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/config/imagescanner/*").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: slack-tokens
+ namespace: {{ include "common.namespace" . }}
+type: Opaque
+data:
+ notifications: ""
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: imagescanner-ssh
+ namespace: {{ include "common.namespace" . }}
+type: Opaque
+data:
+ # FIXME the imagescanner really should have its own private key, but then we
+ # have to adjust the gitlab wrapper script to set two public keys as
+ # deploykeys.
+ id_ed25519: "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"
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: site-certificate
+ namespace: {{ include "common.namespace" . }}
+data:
+ site.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIDEDCCAfgCCQDhahVKE9/eUjANBgkqhkiG9w0BAQsFADBKMRAwDgYDVQQKDAdF
+ eGFtcGxlMRAwDgYDVQQLDAdleGFtcGxlMSQwIgYDVQQDDBtkZXZlbG9wbWVudC52
+ dnAuZXhhbXBsZS5jb20wHhcNMTcxMjI0MTUzOTA3WhcNMTgxMjI0MTUzOTA3WjBK
+ MRAwDgYDVQQKDAdFeGFtcGxlMRAwDgYDVQQLDAdleGFtcGxlMSQwIgYDVQQDDBtk
+ ZXZlbG9wbWVudC52dnAuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ DwAwggEKAoIBAQCkvNGXe+bdvL2kvrP2L3WABt2WCFoZ2Pn8Px0eEsRiJHVD0eWz
+ rgJYHFJu0C0cK9NYSKxVVI8LnKH7Ny5MFfM4Tqyr3UEOLs+fSwaAqM5tSyZU/tEK
+ ractA7bi9fDk2lkcs+LLuZMqGPZ37UZcZwsUQ0BONHP668LqkWqT9hNLIN4ejInr
+ 32WA3Y7hPNd8Cj+AaLt1x2cXYzi9hrE5l3h9ofkOpXsgDzeIHlp4jJ6kXXQf8UM5
+ 1viqa2CWXHBHEG+5eftLSaeE6LAlNt5IJ6LcWEZgNtXr2es4LJC3FjXrv0gc04Cp
+ U2OfizpbhT11cLGaeXOq1cUCXNIb4FcJApoXAgMBAAEwDQYJKoZIhvcNAQELBQAD
+ ggEBAFGPDG9iurAhUKbFkY97xLA443U01bdwi7eAT5T9qo/RzOwcbuKWXVm1k5HK
+ CQO81nlLqLQwhI1+uTTmR41epuJxyGIaDgUySB+8fLzyRSIFaxKD+UeVPgipDNZs
+ h0sKSKrO6MoWzMLUYvdZRw6VIc+UpSCqPY+FKUBUHZtMpSFLnhHjRvVkiP4VvFXj
+ b7jQzHughzeITygws42fKK/MK7wQ6byaMVRbPbQKPAXNxd/UrSPeX+RzKRWOZ6R8
+ Ulyp7dezXCP77UaTZTsxwlurPQIZNMshDxE/SbWt0Q1g28rj5KfAjoZs5Tg/gmQ8
+ LLKI/b1OvKohaANGZ6We5U+ceeU=
+ -----END CERTIFICATE-----
+ wrapper.sh: |
+ #!/bin/sh
+ # This script is meant to be used as a wrapper, so that it can be easily
+ # used with docker or kubernetes' container command specification.
+ #
+ # Kubernetes' volumeMount creates symlinks for configMapped files at the
+ # target directory.
+ # Alpine's update-ca-certificates ignores symlinks.
+ # So we must contrive to copy the contents of the mounted cert (a symlink)
+ # into place as a normal file.
+ dev_cert="${0%/*}/site.crt"
+ echo >&2 "$0: Checking for site CA certificate at $dev_cert..."
+ if [ -s "$dev_cert" ]; then
+ echo >&2 "$0: Updating container CA certificate bundle with site certificate..."
+ cp -L "$dev_cert" /usr/local/share/ca-certificates/
+ update-ca-certificates
+ else
+ echo >&2 "$0: No site CA certificate found."
+ fi
+ echo >&2 "$0: Launching command: $@"
+ exec "$@"
+
diff --git a/kubernetes/vvp/charts/vvp-imagescanner/templates/deployment.yaml b/kubernetes/vvp/charts/vvp-imagescanner/templates/deployment.yaml
new file mode 100644
index 0000000000..d01a7d6960
--- /dev/null
+++ b/kubernetes/vvp/charts/vvp-imagescanner/templates/deployment.yaml
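Review bot: The `imagescanner-ssh` Secret carries its `id_ed25519` value as a literal inside the chart template, and the FIXME above it says the same key is shared with another component as a deploy key; a private key committed to the chart repository has to be treated as disclosed, so it should be rotated and the value supplied at install time (a `.Values` entry or an externally created Secret referenced by name) rather than rendered from the template. The literal is redacted in this view, so whether it is a real key or a placeholder cannot be confirmed from here. The `slack-tokens` Secret is created with `notifications: ""`, which means the notifications-worker's SLACK_TOKEN is always empty unless someone edits the Secret after install; a values entry or a comment saying the token must be patched in post-install would make that explicit. Note also that whatever is placed in `site.crt` becomes a trusted CA for every TLS connection the container makes once wrapper.sh runs update-ca-certificates, so the ConfigMap deserves a comment stating that it must only ever hold the site CA.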
@@ -0,0 +1,123 @@
+# Copyright © 2018 Amdocs, AT&T, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: {{ include "common.fullname" . }}
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "common.name" . }}
+ name: {{ .Release.Name }}
+ spec:
+ imagePullSecrets:
+ - name: onapkey
+ containers:
+ - name: imagescanner-worker
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ command:
+ - "sh"
+ - "/opt/site-certificate/wrapper.sh"
+ - "/usr/local/bin/imagescanner-worker"
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: imagescanner-ssh
+ mountPath: /root/.ssh
+ - name: dev
+ mountPath: /dev
+ - name: logs
+ mountPath: /var/log/imagescanner
+ - name: imagescanner-settings
+ mountPath: /opt/imagescanner-settings
+ - name: site-certificate
+ mountPath: /opt/site-certificate
+ env:
+ - name: PYTHONPATH
+ value: /opt/imagescanner-settings
+ - name: S3_HOST
+ value: "dev-s3.vvp.example.com"
+ - name: S3_PORT
+ value: "443"
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef: {name: em-secret, key: aws_access_key_id}
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef: {name: em-secret, key: aws_secret_access_key}
+ - name: SECRET_JENKINS_PASSWORD
+ value: ''
+ - name: REQUESTS_CA_BUNDLE
+ value: /etc/ssl/certs/ca-certificates.crt
+
+ - name: notifications-worker
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ command: ["/usr/local/bin/notifications-worker"]
+ securityContext:
+ privileged: true
+ env:
+ - name: SLACK_TOKEN
+ valueFrom:
+ secretKeyRef: {name: slack-tokens, key: notifications}
+ - name: DOMAIN
+ value: "dev-em.vvp.example.com"
+ - name: PYTHONPATH
+ value: /opt/imagescanner-settings
+ - name: SECRET_JENKINS_PASSWORD
+ valueFrom:
+ secretKeyRef: {name: em-secret, key: jenkins_admin_password}
+ volumeMounts:
+ - name: imagescanner-settings
+ mountPath: /opt/imagescanner-settings
+
+ - name: imagescanner-frontend
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ command: ["/usr/local/bin/imagescanner-frontend"]
+ securityContext:
+ privileged: true
+ ports:
+ - containerPort: 80
+ volumeMounts:
+ - name: logs
+ mountPath: /var/log/imagescanner
+ - name: imagescanner-settings
+ mountPath: /opt/imagescanner-settings
+ env:
+ - name: DEFAULT_SLACK_CHANNEL
+ value: "#notifications"
+ - name: SECRET_JENKINS_PASSWORD
+ value: ''
+
+ volumes:
+ - name: imagescanner-ssh
+ secret:
+ secretName: imagescanner-ssh
+ defaultMode: 0600
+ - name: dev
+ hostPath:
+ path: /dev
+ - name: logs
+ emptyDir: {}
+ - name: imagescanner-settings
+ configMap:
+ name: imagescanner-settings
+ - name: site-certificate
+ configMap:
+ name: site-certificate
diff --git a/kubernetes/vvp/charts/vvp-imagescanner/templates/service.yaml b/kubernetes/vvp/charts/vvp-imagescanner/templates/service.yaml
new file mode 100644
index 0000000000..a4260013a4
--- /dev/null
+++ b/kubernetes/vvp/charts/vvp-imagescanner/templates/service.yaml
@@ -0,0 +1,28 @@
+# Copyright © 2018 Amdocs, AT&T, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "common.servicename" . }}
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.internalPort }}
+ name: {{ .Values.service.portName | default "http" }}
+ selector:
+ app: {{ include "common.name" . }}
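Review bot: All three containers set `privileged: true`, and the imagescanner-worker additionally mounts the node's `/dev` via hostPath, yet only the worker has any visible need for device access (presumably for mounting images it scans, which the hunk does not show); the notifications-worker and the web-facing imagescanner-frontend (containerPort 80) run privileged for no reason given in the file, which turns any bug in the HTTP frontend into a node-level compromise. Drop `privileged: true` from the frontend and notifications-worker, and for the worker record in a comment why the hostPath and privilege are required, or replace them with the specific capabilities needed. The Jenkins password is also handled inconsistently: the notifications-worker reads it from `secretKeyRef: {name: em-secret, key: jenkins_admin_password}` while the worker and frontend get `value: ''`, which imagescannerconfig.py then passes as the admin password, so the same secretKeyRef should be used in all three containers. The `liveness`/`readiness` blocks defined in values.yaml are not referenced by this Deployment, and the `apiVersion: extensions/v1beta1` Deployment API is deprecated, so consider `apps/v1` while the chart is new.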
diff --git a/kubernetes/vvp/charts/vvp-imagescanner/values.yaml b/kubernetes/vvp/charts/vvp-imagescanner/values.yaml
new file mode 100644
index 0000000000..ed62413c4f
--- /dev/null
+++ b/kubernetes/vvp/charts/vvp-imagescanner/values.yaml
@@ -0,0 +1,61 @@
+# Copyright © 2018 Amdocs, AT&T, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+global:
+ nodePortPrefix: 302
+ repository: nexus3.onap.org:10001
+ readinessRepository: oomk8s
+ readinessImage: readiness-check:2.0.0
+ loggingRepository: docker.elastic.co
+ loggingImage: beats/filebeat:5.5.0
+
+#################################################################
+# Application configuration defaults.
+#################################################################
+# application image
+repository: nexus3.onap.org:10001
+image: onap/vvp/image-scanner:1.0.0
+pullPolicy: Always
+
+# flag to enable debugging - application support required
+debugEnabled: false
+
+replicaCount: 1
+
+nodeSelector: {}
+
+affinity: {}
+
+# probe configuration parameters
+liveness:
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ # necessary to disable liveness probe when setting breakpoints
+ # in debugger so K8s doesn't restart unresponsive container
+ enabled: true
+
+readiness:
+ initialDelaySeconds: 10
+ periodSeconds: 10
+
+service:
+ type: ClusterIP
+ internalPort: 80
+ portName: web
+
+ingress:
+ enabled: false
|