Merge pull request #1 from dev-gaur/review_817

minor changes and shifting helm charts to deploy/helm/

deploy/helm-charts/server/Chart.yaml → deploy/helm/Chart.yaml

@@ -22,3 +22,5 @@ maintainers:
     email: devang.gaur@accurics.com
   - name: yusuf-kanchwala
     email: yusuf.kanchwala@accurics.com
+  - name: yusuf-kanchwala
+    email: rahul.chheda@accurics.com

deploy/helm-charts/README.md → deploy/helm/README.md

@@ -7,17 +7,28 @@ In server mode, terrascan will act both as an API server for
 performing remote scans of IAC, as well as a validating admission
 webhook for a Kubernetes cluster. Further details can be found in
 the [main documentation](https://docs.accurics.com/projects/accurics-terrascan/en/latest/).
-There are two helm charts:
-
-1. In the `server/` directory : to deploy terrascan in server mode.
-2. In the `webhook/` directory : to setup a validating webhook that uses the deployed terrascan server from step 1, as its backend.
 
 ## Usage
 ### Set up TLS certificates
 A requirement to run an admission controller is that communication
 happens over TLS. This helm chart expects to find the certificate
-at `server/data/server.crt` and key at `server/data/server.key`.
-If you opt to deploy the webhook as well, please copy `server/data/server.crt` at `webhook/data/server.crt`
+at `data/server.crt` and key at `data/server.key`.
+
+There's a `data/domain.cnf` file available for you to edit and generate key & certificate. You can use the following command:
+
+  ```bash
+  openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout data/server.key -out data/server.crt -config data/domain.cnf
+  ```
+
+In the `data/domain.cnf` file, we have configured DNS names as `terrascan.terrascan.svc`, assuming the defaults that service
+will be named `terrascan` and hosted in `terrascan` namespace. You'll have to manually change that as per your requirements.
+
+### Terrascan configuration file
+This chart will look for a [terrascan configuration
+file](https://docs.accurics.com/projects/accurics-terrascan/en/latest/usage/#config-file)
+at `data/config.toml`. If that file exists before running `helm
+install`, it's contents will be loaded into a configMap and provided
+to the terrascan server.
 
 ### Set up SSH config for private remote repo scan
 If you're opting to utilise the remote repo scan feature for ***private*** repositories,
@@ -53,61 +64,64 @@ persistence:
   existingclaim: pvcClaimName
 ```
 
-### Terrascan configuration file
-This chart will look for a [terrascan configuration
-file](https://docs.accurics.com/projects/accurics-terrascan/en/latest/usage/#config-file)
-at `server/data/config.toml`. If that file exists before running `helm
-install`, it's contents will be loaded into a configMap and provided
-to the terrascan server.
-
 ### Deploy
 Once your TLS certificate is generated and the values in the
 `values.yaml` configuration file have been reviewed, you can install
 the chart with the following command:
 
 1. Deploying Terrascan Server.
 
-    *Ensure that your current working directory is `server/`.*
+   For just installing a terrascan server deployment and service,
+
     ```
-    helm install <releasename-for-server> .
+    helm install <release-name> . -n <namespace>
     ```
-    Where `<releasename-for-server>` is the name you want to assign to this installed chart.
-    This value will be used in various resources to make them both distinct and identifiable.
+   Where `<release-name>` is the name you want to assign to this installed chart.
+   This value will be used in various resources to make them both distinct and identifiable.
 
-    This will use your current namespace unless `-n <namespace>` is specified
+   #### Verification
 
-    #### Verification
-
-    You can query for the pod using the following command.
+   You can query for the pod using the following command.
     ```
     kubectl get pod -n <namespace> -w
     ```
-    Watch the pod until it attains the `Running` state.
+   Watch the pod until it attains the `Running` state.
 
-    Verify the logs of the terrascan pod using the following command.
+   Verify the logs of the terrascan pod using the following command.
     ```
     kubectl -n <namespace> logs <pod-name>
     ```
    If you see a log that goes like `server listening on port : <port-name>`, the deployment went smooth.
 
-2. Deploying Validating Webhook.
+   ###Deploying Validating Webhook.
+
+   For installing the terrascan deployment and service along the validating webhook,
 
-    *Ensure that your current working directory is `webhook/`.*
     ```
-    helm install <releasename-for-webhook> .
+    helm install <release-name> . -n <namespace> --set webhook.mode=true
     ```
    This will use your current namespace unless `-n <namespace>` is specified.
-   ***Ensure that you provide the exact same <namespace> value as you did to deploy the `server/` chart in step 1.***
 
+   #### Verification
+   Try creating a resource that's scanning by the webhook
+
+   ```bash
+    kubectl run test-pod --image=nginx
+   ```
 
+   #### Clean Up
+
+    ```bash
+    helm uninstall <release-name> -n <namespace>
+    ```
 
 ## TODO:
 This chart is a WIP - we intend to add the following functionality in the near future:
- - [x] Storage support - volume for db
- - [x] Add section for setting the validating-webhook up.
- - [x] Add secrets to add ssh capabilities in the container, to enable remote repo scan feature.
- - [ ] Support more load balancer types
- - [ ] Support for ingress
- - [ ] Flag for UI enable/disable
- - [ ] Publish to Artifact hub
- - [ ] Support TLS certificate/key in existing secrets
+- [x] Storage support - volume for db
+- [x] Add section for setting the validating-webhook up.
+- [x] Add secrets to add ssh capabilities in the container, to enable remote repo scan feature.
+- [ ] Support more load balancer types
+- [ ] Support for ingress
+- [ ] Flag for UI enable/disable
+- [ ] Publish to Artifact hub
+- [ ] Support TLS certificate/key in existing secrets

deploy/helm-charts/server/templates/deployments.yaml → deploy/helm/templates/deployments.yaml

@@ -4,7 +4,7 @@ metadata:
   name: {{ .Values.name }}
   namespace: {{ .Release.Namespace }}
 spec:
-  replicas: 1
+  replicas: {{ .Values.replicas }}
   selector:
     matchLabels:
       app: {{ .Values.name }}
@@ -87,6 +87,7 @@ spec:
         - name: terrascan-data-sync
           emptyDir: {}
 {{- end }}
+{{- if .Values.webhook.mode }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -147,3 +148,4 @@ webhooks:
         - {{ . -}}
         {{- end }}
         {{- end }}
+{{- end }}

deploy/helm-charts/server/templates/policy_fail_vw.yaml → deploy/helm/templates/policy_fail_vw.yaml

@@ -1,4 +1,4 @@
-{{- if eq .Values.webhook.failurePolicy "Fail" }}
+{{- if and .Values.webhook.mode (eq .Values.webhook.failurePolicy "Fail") }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -60,4 +60,4 @@ webhooks:
         - {{ . -}}
         {{- end }}
         {{- end }}
-{{- end -}}
+{{- end -}}

deploy/helm-charts/server/templates/service.yaml → deploy/helm/templates/service.yaml

@@ -4,6 +4,7 @@ metadata:
   name: {{ .Values.name }}
   namespace: {{ .Release.Namespace }}
 spec:
+  type: {{ .Values.terrascan_service_type }}
   selector:
     app: {{ .Values.name }}
   ports:

deploy/helm-charts/server/values.yaml → deploy/helm/values.yaml

@@ -1,17 +1,19 @@
 terrascan_webhook_key: terrakey
 terrascan_container_image: accurics/terrascan:1.6.0
+terrascan_service_type: ClusterIP
 use_debug: true
 cert_secret_name: terrascancerts
 ssh_secret_name: terrascanssh
 config_name: terrascanconfig
+replicas: 1
 name: terrascan
 persistence:
   enabled: false
   existingclaim: terrascanPvc
-
 webhook:
+  mode: false
   name: webhook.terrascan.io
-  failurePolicy: Fail
+  failurePolicy: Ignore
   sideEffects: None
   admissionReviewVersions:
     - "v1"