diff --git a/deploy/helm-charts/server/Chart.yaml b/deploy/helm/Chart.yaml similarity index 90% rename from deploy/helm-charts/server/Chart.yaml rename to deploy/helm/Chart.yaml index b02663363..055146051 100644 --- a/deploy/helm-charts/server/Chart.yaml +++ b/deploy/helm/Chart.yaml @@ -22,3 +22,5 @@ maintainers: email: devang.gaur@accurics.com - name: yusuf-kanchwala email: yusuf.kanchwala@accurics.com + - name: yusuf-kanchwala + email: rahul.chheda@accurics.com diff --git a/deploy/helm-charts/README.md b/deploy/helm/README.md similarity index 67% rename from deploy/helm-charts/README.md rename to deploy/helm/README.md index 3a1e756f9..9859000d1 100644 --- a/deploy/helm-charts/README.md +++ b/deploy/helm/README.md 
@@ -7,17 +7,28 @@ In server mode, terrascan will act both as an API server for performing remote scans of IAC, as well as a validating admission webhook for a Kubernetes cluster. Further details can be found in the [main documentation](https://docs.accurics.com/projects/accurics-terrascan/en/latest/). -There are two helm charts: - -1. In the `server/` directory : to deploy terrascan in server mode. -2. In the `webhook/` directory : to setup a validating webhook that uses the deployed terrascan server from step 1, as its backend. ## Usage ### Set up TLS certificates A requirement to run an admission controller is that communication happens over TLS. This helm chart expects to find the certificate -at `server/data/server.crt` and key at `server/data/server.key`. -If you opt to deploy the webhook as well, please copy `server/data/server.crt` at `webhook/data/server.crt` +at `data/server.crt` and key at `data/server.key`. + +There's a `data/domain.cnf` file available for you to edit and generate key & certificate. You can use the following command: + + ```bash + openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout data/server.key -out data/server.crt -config data/domain.cnf + ``` + +In the `data/domain.cnf` file, we have configured DNS names as `terrascan.terrascan.svc`, assuming the defaults that service +will be named `terrascan` and hosted in `terrascan` namespace. You'll have to manually change that as per your requirements. + +### Terrascan configuration file +This chart will look for a [terrascan configuration +file](https://docs.accurics.com/projects/accurics-terrascan/en/latest/usage/#config-file) +at `data/config.toml`. If that file exists before running `helm +install`, it's contents will be loaded into a configMap and provided +to the terrascan server. ### Set up SSH config for private remote repo scan If you're opting to utilise the remote repo scan feature for ***private*** repositories, 
@@ -53,13 +64,6 @@ persistence: existingclaim: pvcClaimName ``` -### Terrascan configuration file -This chart will look for a [terrascan configuration -file](https://docs.accurics.com/projects/accurics-terrascan/en/latest/usage/#config-file) -at `server/data/config.toml`. If that file exists before running `helm -install`, it's contents will be loaded into a configMap and provided -to the terrascan server. - ### Deploy Once your TLS certificate is generated and the values in the `values.yaml` configuration file have been reviewed, you can install 
@@ -67,47 +71,57 @@ the chart with the following command: 1. Deploying Terrascan Server. - *Ensure that your current working directory is `server/`.* + For just installing a terrascan server deployment and service, + ``` - helm install . + helm install . -n ``` - Where `` is the name you want to assign to this installed chart. - This value will be used in various resources to make them both distinct and identifiable. + Where `` is the name you want to assign to this installed chart. + This value will be used in various resources to make them both distinct and identifiable. - This will use your current namespace unless `-n ` is specified + #### Verification - #### Verification - - You can query for the pod using the following command. + You can query for the pod using the following command. ``` kubectl get pod -n -w ``` - Watch the pod until it attains the `Running` state. + Watch the pod until it attains the `Running` state. - Verify the logs of the terrascan pod using the following command. + Verify the logs of the terrascan pod using the following command. ``` kubectl -n logs ``` If you see a log that goes like `server listening on port : `, the deployment went smooth. -2. Deploying Validating Webhook. + ###Deploying Validating Webhook. + + For installing the terrascan deployment and service along the validating webhook, - *Ensure that your current working directory is `webhook/`.* ``` - helm install . + helm install . -n --set webhook.mode=true ``` This will use your current namespace unless `-n ` is specified. 
- ***Ensure that you provide the exact same value as you did to deploy the `server/` chart in step 1.*** + #### Verification + Try creating a resource that's scanning by the webhook + + ```bash + kubectl run test-pod --image=nginx + ``` + #### Clean Up + + ```bash + helm uninstall -n + ``` ## TODO: This chart is a WIP - we intend to add the following functionality in the near future: - - [x] Storage support - volume for db - - [x] Add section for setting the validating-webhook up. - - [x] Add secrets to add ssh capabilities in the container, to enable remote repo scan feature. - - [ ] Support more load balancer types - - [ ] Support for ingress - - [ ] Flag for UI enable/disable - - [ ] Publish to Artifact hub - - [ ] Support TLS certificate/key in existing secrets +- [x] Storage support - volume for db +- [x] Add section for setting the validating-webhook up. +- [x] Add secrets to add ssh capabilities in the container, to enable remote repo scan feature. +- [ ] Support more load balancer types +- [ ] Support for ingress +- [ ] Flag for UI enable/disable +- [ ] Publish to Artifact hub +- [ ] Support TLS certificate/key in existing secrets diff --git a/deploy/helm-charts/server/templates/cert-secret.yaml b/deploy/helm/templates/cert-secret.yaml similarity index 100% rename from deploy/helm-charts/server/templates/cert-secret.yaml rename to deploy/helm/templates/cert-secret.yaml diff --git a/deploy/helm-charts/server/templates/configmap.yaml b/deploy/helm/templates/configmap.yaml similarity index 100% rename from deploy/helm-charts/server/templates/configmap.yaml rename to deploy/helm/templates/configmap.yaml diff --git a/deploy/helm-charts/server/templates/deployments.yaml b/deploy/helm/templates/deployments.yaml similarity index 98% rename from deploy/helm-charts/server/templates/deployments.yaml rename to deploy/helm/templates/deployments.yaml index 451ce698a..86d96e42f 100644 --- a/deploy/helm-charts/server/templates/deployments.yaml 
+++ b/deploy/helm/templates/deployments.yaml @@ -4,7 +4,7 @@ metadata: name: {{ .Values.name }} namespace: {{ .Release.Namespace }} spec: - replicas: 1 + replicas: {{ .Values.replicas }} selector: matchLabels: app: {{ .Values.name }} @@ -87,6 +87,7 @@ spec: - name: terrascan-data-sync emptyDir: {} {{- end }} +{{- if .Values.webhook.mode }} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration @@ -147,3 +148,4 @@ webhooks: - {{ . -}} {{- end }} {{- end }} +{{- end }} diff --git a/deploy/helm-charts/server/templates/policy_fail_vw.yaml b/deploy/helm/templates/policy_fail_vw.yaml similarity index 94% rename from deploy/helm-charts/server/templates/policy_fail_vw.yaml rename to deploy/helm/templates/policy_fail_vw.yaml index c6591eea4..ca4fdfcd6 100644 --- a/deploy/helm-charts/server/templates/policy_fail_vw.yaml +++ b/deploy/helm/templates/policy_fail_vw.yaml @@ -1,4 +1,4 @@ -{{- if eq .Values.webhook.failurePolicy "Fail" }} +{{- if and .Values.webhook.mode (eq .Values.webhook.failurePolicy "Fail") }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: @@ -60,4 +60,4 @@ webhooks: - {{ . -}} {{- end }} {{- end }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/deploy/helm-charts/server/templates/service.yaml b/deploy/helm/templates/service.yaml similarity index 82% rename from deploy/helm-charts/server/templates/service.yaml rename to deploy/helm/templates/service.yaml index 4ec0fafd9..55c702d83 100644 --- a/deploy/helm-charts/server/templates/service.yaml +++ b/deploy/helm/templates/service.yaml @@ -4,6 +4,7 @@ metadata: name: {{ .Values.name }} namespace: {{ .Release.Namespace }} spec: + type: {{ .Values.terrascan_service_type }} selector: app: {{ .Values.name }} ports: 
diff --git a/deploy/helm-charts/server/templates/ssh-secret.yaml b/deploy/helm/templates/ssh-secret.yaml similarity index 100% rename from deploy/helm-charts/server/templates/ssh-secret.yaml rename to deploy/helm/templates/ssh-secret.yaml diff --git a/deploy/helm-charts/server/values.yaml b/deploy/helm/values.yaml similarity index 86% rename from deploy/helm-charts/server/values.yaml rename to deploy/helm/values.yaml index a593b0980..0a140b02b 100644 --- a/deploy/helm-charts/server/values.yaml +++ b/deploy/helm/values.yaml @@ -1,17 +1,19 @@ terrascan_webhook_key: terrakey terrascan_container_image: accurics/terrascan:1.6.0 +terrascan_service_type: ClusterIP use_debug: true cert_secret_name: terrascancerts ssh_secret_name: terrascanssh config_name: terrascanconfig +replicas: 1 name: terrascan persistence: enabled: false existingclaim: terrascanPvc - webhook: + mode: false name: webhook.terrascan.io - failurePolicy: Fail + failurePolicy: Ignore sideEffects: None admissionReviewVersions: - "v1"
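Review bot: in the Chart.yaml hunk the added maintainer entry reuses `name: yusuf-kanchwala` with `email: rahul.chheda@accurics.com`, which looks like a copy-paste slip; the name should match the new address (presumably `rahul-chheda`) so the maintainer list does not carry two entries under one handle with different e-mails.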
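Review bot: in the README hunk `@@ -7,17 +7,28 @@`, the `openssl req ... -nodes` command writes `data/server.key` unencrypted into the chart directory, from where it is packed into a Secret (`cert_secret_name: terrascancerts`, `templates/cert-secret.yaml`); the section should say that `data/server.key`, and `data/config.toml` if it carries credentials, must stay out of version control (a `.gitignore` entry alongside `data/domain.cnf` would do). The sentence about `terrascan.terrascan.svc` should also spell out the failure mode: if the Service name or namespace differ from the SAN in `data/domain.cnf`, the API server's TLS check of the webhook fails, and with the chart's new default `failurePolicy: Ignore` that failure is silent and the covered requests are admitted without a scan. Minor: `it's contents` should be `its contents`.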
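Review bot: in the README hunk `@@ -67,47 +71,57 @@`, `###Deploying Validating Webhook.` lacks the space after `###`, so Markdown renders it as literal text rather than a heading, and it is indented under step `1.` although there is no longer a step 2; either drop the `1.` or promote both parts to headings. The backticked placeholders in `helm install . -n` and `helm install . -n --set webhook.mode=true` are empty as shown, while the next line still says "Where `` is the name you want to assign", and the sentence "This will use your current namespace unless `-n ` is specified." now contradicts the command above it, which already passes `-n`. This is also the place to document the three values the patch introduces (`webhook.mode`, `replicas`, `terrascan_service_type`), none of which the README mentions.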
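Review bot: the webhook verification step `kubectl run test-pod --image=nginx` in the last README hunk does not state the expected outcome, and under the default `failurePolicy: Ignore` a misconfigured or unreachable webhook yields the same result as one that allowed the pod, so the step proves nothing by itself. Suggest saying whether the default policies are expected to deny this pod, and pairing the step with the `kubectl logs` command shown earlier to confirm the admission request reached the terrascan pod. Typo: "a resource that's scanning by the webhook" should read "a resource that is scanned by the webhook".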
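Review bot: in the deployments.yaml hunk `@@ -4,7 +4,7 @@`, `replicas: {{ .Values.replicas }}` combined with `persistence.enabled: true` and `existingclaim` means several pods would share one PVC; if that claim is ReadWriteOnce, replicas scheduled on other nodes stay stuck mounting it, so the README entry for `replicas` should note the ReadWriteMany requirement. In the `@@ -87,6 +87,7 @@` hunk the `---` separator now sits inside `{{- if .Values.webhook.mode }}`, which Helm tolerates, but a short comment above the guard saying the ValidatingWebhookConfiguration is only rendered in webhook mode would help the next reader.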
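Review bot: the guard `{{- if and .Values.webhook.mode (eq .Values.webhook.failurePolicy "Fail") }}` in policy_fail_vw.yaml is correct, but since this template and `deployments.yaml` each define a `ValidatingWebhookConfiguration`, a one-line comment at the top of each stating which `failurePolicy` value selects it would save readers from diffing the two; the trailing-newline fix is welcome.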
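Review bot: `type: {{ .Values.terrascan_service_type }}` in service.yaml makes exposing the server as `NodePort` or `LoadBalancer` a one-value change, and the same Service fronts both the remote-scan API and the admission endpoint while the shipped `terrascan_webhook_key` is the static `terrakey`; the README should warn that any value other than `ClusterIP` puts the API outside the cluster and that the key must be changed first.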
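Review bot: the values.yaml hunk flips the default `failurePolicy` from `Fail` to `Ignore` without any mention in the README; this is the chart's most security-relevant default, because under `Ignore` the API server admits requests whenever the webhook times out, is unreachable, or presents a certificate that does not match `terrascan.terrascan.svc`, so a broken deployment looks identical to a passing scan. Keep `Fail` as the default, or state the trade-off in the README next to the `--set webhook.mode=true` command. Style point on the same hunk: `webhook.mode: false` is a boolean, so `webhook.enabled` would match the `persistence.enabled` convention already used in this file.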