diff --git a/deploy/helm-charts/server/templates/configmap.yaml b/deploy/helm-charts/server/templates/configmap.yaml
deleted file mode 100644
index 331fa2d9e..000000000
--- a/deploy/helm-charts/server/templates/configmap.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-{{- $globconfig := .Files.Glob "data/config.toml" }}
-{{- if $globconfig }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ .Values.config_name }}
- namespace: {{ .Release.Namespace }}
-data:
- terrascan-config: |-
- {{ .Files.Get "data/config.toml" | b64enc }}
-{{- end }}
diff --git a/deploy/helm-charts/server/values.yaml b/deploy/helm-charts/server/values.yaml
deleted file mode 100644
index 6ee736420..000000000
--- a/deploy/helm-charts/server/values.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-terrascan_webhook_key: terrakey
-terrascan_container_image: accurics/terrascan:1.6.0
-use_debug: true
-cert_secret_name: terrascancerts
-ssh_secret_name: terrascanssh
-config_name: terrascanconfig
-name: terrascan
-persistence:
- enabled: false
- existingclaim: terrascanPvc
diff --git a/deploy/helm-charts/webhook/Chart.yaml b/deploy/helm-charts/webhook/Chart.yaml
deleted file mode 100644
index c94a4d63e..000000000
--- a/deploy/helm-charts/webhook/Chart.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-name: terrascan
-version: 1.0.0
-appVersion: v1.6.0
-description: A Helm chart for running terrascan in server mode
-icon: https://raw.githubusercontent.com/accurics/terrascan/master/docs/img/terrascan-icon-white.png
-home: https://github.com/accurics/terrascan
-keywords:
- - terrascan
- - opa
- - security
-sources:
- - https://github.com/accurics/terrascan
-maintainers:
- - name: jlk
- email: jlk@accurics.com
- - name: dev-gaur
- email: devang.gaur@accurics.com
diff --git a/deploy/helm-charts/webhook/templates/validating-webhook.yaml b/deploy/helm-charts/webhook/templates/validating-webhook.yaml
deleted file mode 100644
index 4490fd774..000000000
--- a/deploy/helm-charts/webhook/templates/validating-webhook.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: {{ .Values.name }}
-webhooks:
- - name: {{ .Values.webhook.name }}
- admissionReviewVersions:
- {{- range .Values.webhook.admissionReviewVersions }}
- - {{ . | printf "%s" }}
- {{ end }}
- failurePolicy: {{ .Values.webhook.failurePolicy }}
- sideEffects: {{ .Values.webhook.sideEffects }}
- clientConfig:
- service:
- name: {{ .Values.name }}
- namespace: {{ .Release.Namespace }}
- path: {{ .Values.terrascan_webhook_key | printf "/v1/k8s/webhooks/%s/scan/validate" }}
- caBundle: {{ .Files.Get "data/server.crt" | b64enc }}
- rules:
- - apiGroups:
- {{- range .Values.webhook.apiGroups }}
- {{- if eq . ""}}
- - ""
- {{- else if eq . "*" }}
- - "*"
- {{- else }}
- - {{ . -}}
- {{- end }}
- {{- end }}
- resources:
- {{- range .Values.webhook.resources }}
- {{- if eq . ""}}
- - ""
- {{- else if eq . "*" }}
- - "*"
- {{- else }}
- - {{ . -}}
- {{- end }}
- {{- end }}
- apiVersions:
- {{- range .Values.webhook.apiVersions }}
- {{- if eq . ""}}
- - ""
- {{- else if eq . "*" }}
- - "*"
- {{- else }}
- - {{ . -}}
- {{- end }}
- {{- end }}
- operations:
- {{- range .Values.webhook.operations }}
- {{- if eq . ""}}
- - ""
- {{- else if eq . "*" }}
- - "*"
- {{- else }}
- - {{ . -}}
- {{- end }}
- {{- end }}
diff --git a/deploy/helm-charts/server/Chart.yaml b/deploy/helm/Chart.yaml
similarity index 91%
rename from deploy/helm-charts/server/Chart.yaml
rename to deploy/helm/Chart.yaml
index b02663363..84fcb6074 100644
--- a/deploy/helm-charts/server/Chart.yaml
+++ b/deploy/helm/Chart.yaml
@@ -22,3 +22,5 @@ maintainers:
 email: devang.gaur@accurics.com
 - name: yusuf-kanchwala
 email: yusuf.kanchwala@accurics.com
+ - name: rahulchheda
+ email: rahul.chheda@accurics.com
diff --git a/deploy/helm-charts/README.md b/deploy/helm/README.md
similarity index 67%
rename from deploy/helm-charts/README.md
rename to deploy/helm/README.md
index 3a1e756f9..9859000d1 100644
--- a/deploy/helm-charts/README.md
+++ b/deploy/helm/README.md
@@ -7,17 +7,28 @@ In server mode, terrascan will act both as an API server for performing remote scans of IAC, as well as a validating admission webhook for a Kubernetes cluster. Further details can be found in the [main documentation](https://docs.accurics.com/projects/accurics-terrascan/en/latest/). -There are two helm charts: - -1. In the `server/` directory : to deploy terrascan in server mode. -2. In the `webhook/` directory : to setup a validating webhook that uses the deployed terrascan server from step 1, as its backend. ## Usage ### Set up TLS certificates A requirement to run an admission controller is that communication happens over TLS. This helm chart expects to find the certificate -at `server/data/server.crt` and key at `server/data/server.key`. -If you opt to deploy the webhook as well, please copy `server/data/server.crt` at `webhook/data/server.crt` +at `data/server.crt` and key at `data/server.key`. + +There's a `data/domain.cnf` file available for you to edit and generate key & certificate. You can use the following command: + + ```bash + openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout data/server.key -out data/server.crt -config data/domain.cnf + ``` + +In the `data/domain.cnf` file, we have configured DNS names as `terrascan.terrascan.svc`, assuming the defaults that service +will be named `terrascan` and hosted in `terrascan` namespace. You'll have to manually change that as per your requirements. + +### Terrascan configuration file +This chart will look for a [terrascan configuration +file](https://docs.accurics.com/projects/accurics-terrascan/en/latest/usage/#config-file) +at `data/config.toml`. If that file exists before running `helm +install`, it's contents will be loaded into a configMap and provided +to the terrascan server. ### Set up SSH config for private remote repo scan If you're opting to utilise the remote repo scan feature for ***private*** repositories, 
@@ -53,13 +64,6 @@ persistence: existingclaim: pvcClaimName ``` -### Terrascan configuration file -This chart will look for a [terrascan configuration -file](https://docs.accurics.com/projects/accurics-terrascan/en/latest/usage/#config-file) -at `server/data/config.toml`. If that file exists before running `helm -install`, it's contents will be loaded into a configMap and provided -to the terrascan server. - ### Deploy Once your TLS certificate is generated and the values in the `values.yaml` configuration file have been reviewed, you can install 
@@ -67,47 +71,57 @@ the chart with the following command: 1. Deploying Terrascan Server. - *Ensure that your current working directory is `server/`.* + For just installing a terrascan server deployment and service, + ``` - helm install . + helm install . -n ``` - Where `` is the name you want to assign to this installed chart. - This value will be used in various resources to make them both distinct and identifiable. + Where `` is the name you want to assign to this installed chart. + This value will be used in various resources to make them both distinct and identifiable. - This will use your current namespace unless `-n ` is specified + #### Verification - #### Verification - - You can query for the pod using the following command. + You can query for the pod using the following command. ``` kubectl get pod -n -w ``` - Watch the pod until it attains the `Running` state. + Watch the pod until it attains the `Running` state. - Verify the logs of the terrascan pod using the following command. + Verify the logs of the terrascan pod using the following command. ``` kubectl -n logs ``` If you see a log that goes like `server listening on port : `, the deployment went smooth. -2. Deploying Validating Webhook. + ###Deploying Validating Webhook. + + For installing the terrascan deployment and service along the validating webhook, - *Ensure that your current working directory is `webhook/`.* ``` - helm install . + helm install . -n --set webhook.mode=true ``` This will use your current namespace unless `-n ` is specified. 
- ***Ensure that you provide the exact same value as you did to deploy the `server/` chart in step 1.*** + #### Verification + Try creating a resource that's scanning by the webhook + + ```bash + kubectl run test-pod --image=nginx + ``` + #### Clean Up + + ```bash + helm uninstall -n + ``` ## TODO: This chart is a WIP - we intend to add the following functionality in the near future: - - [x] Storage support - volume for db - - [x] Add section for setting the validating-webhook up. - - [x] Add secrets to add ssh capabilities in the container, to enable remote repo scan feature. - - [ ] Support more load balancer types - - [ ] Support for ingress - - [ ] Flag for UI enable/disable - - [ ] Publish to Artifact hub - - [ ] Support TLS certificate/key in existing secrets +- [x] Storage support - volume for db +- [x] Add section for setting the validating-webhook up. +- [x] Add secrets to add ssh capabilities in the container, to enable remote repo scan feature. +- [ ] Support more load balancer types +- [ ] Support for ingress +- [ ] Flag for UI enable/disable +- [ ] Publish to Artifact hub +- [ ] Support TLS certificate/key in existing secrets diff --git a/deploy/helm-charts/server/templates/cert-secret.yaml b/deploy/helm/templates/cert-secret.yaml similarity index 100% rename from deploy/helm-charts/server/templates/cert-secret.yaml rename to deploy/helm/templates/cert-secret.yaml diff --git a/deploy/helm/templates/configmap.yaml b/deploy/helm/templates/configmap.yaml new file mode 100644 index 000000000..6535115b0 --- /dev/null +++ b/deploy/helm/templates/configmap.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.config_name }} + namespace: {{ .Release.Namespace }} +data: + terrascan-config: | +{{ .Files.Get "data/config.toml" | indent 4 }} 
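Review bot: The new `configmap.yaml` drops the `.Files.Glob` guard the deleted template had, so the ConfigMap is rendered on every install and carries an empty `terrascan-config` key when `data/config.toml` is absent, while the deployment's volume is still gated on `$globconfig` (visible in the context of the deployments.yaml volumes hunk) — the two templates now disagree about whether the file is optional. Restore the guard around the whole manifest: `{{- if .Files.Glob "data/config.toml" }}` on the first line and `{{- end }}` after the data key, so a missing file yields no object rather than an empty one. Dropping `b64enc` is correct, since `data:` takes plain text, not base64. If `config.toml` ever carries credentials (notification endpoints, tokens), a ConfigMap is readable by anyone with `get configmaps` in the namespace; a Secret would be the safer home, and the README paragraph describing this file should say so.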
diff --git a/deploy/helm-charts/server/templates/deployment.yaml b/deploy/helm/templates/deployments.yaml
similarity index 59%
rename from deploy/helm-charts/server/templates/deployment.yaml
rename to deploy/helm/templates/deployments.yaml
index 7af7de0d4..86d96e42f 100644
--- a/deploy/helm-charts/server/templates/deployment.yaml
+++ b/deploy/helm/templates/deployments.yaml
@@ -4,7 +4,7 @@ metadata:
 name: {{ .Values.name }}
 namespace: {{ .Release.Namespace }}
 spec:
- replicas: 1
+ replicas: {{ .Values.replicas }}
 selector:
 matchLabels:
 app: {{ .Values.name }}
@@ -75,7 +75,7 @@ spec:
 {{- if $globconfig }}
 - name: config-volume
 configMap:
- configMapName: {{ .Values.config_name }}
+ name: {{ .Values.config_name }}
 {{- end }}
 {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
 - name: terrascan-data-sync
@@ -87,3 +87,65 @@ spec:
 - name: terrascan-data-sync
 emptyDir: {}
 {{- end }}
+{{- if .Values.webhook.mode }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ .Values.name }}
+webhooks:
+ - name: {{ .Values.webhook.name }}
+ admissionReviewVersions:
+ {{- range .Values.webhook.admissionReviewVersions }}
+ - {{ . | printf "%s" }}
+ {{ end }}
+ failurePolicy: Ignore
+ sideEffects: {{ .Values.webhook.sideEffects }}
+ clientConfig:
+ service:
+ name: {{ .Values.name }}
+ namespace: {{ .Release.Namespace }}
+ path: {{ .Values.terrascan_webhook_key | printf "/v1/k8s/webhooks/%s/scan/validate" }}
+ caBundle: {{ .Files.Get "data/server.crt" | b64enc }}
+ rules:
+ - apiGroups:
+ {{- range .Values.webhook.apiGroups }}
+ {{- if eq . ""}}
+ - ""
+ {{- else if eq . "*" }}
+ - "*"
+ {{- else }}
+ - {{ . -}}
+ {{- end }}
+ {{- end }}
+ resources:
+ {{- range .Values.webhook.resources }}
+ {{- if eq . ""}}
+ - ""
+ {{- else if eq . "*" }}
+ - "*"
+ {{- else }}
+ - {{ . -}}
+ {{- end }}
+ {{- end }}
+ apiVersions:
+ {{- range .Values.webhook.apiVersions }}
+ {{- if eq . ""}}
+ - ""
+ {{- else if eq . "*" }}
+ - "*"
+ {{- else }}
+ - {{ . -}}
+ {{- end }}
+ {{- end }}
+ operations:
+ {{- range .Values.webhook.operations }}
+ {{- if eq . ""}}
+ - ""
+ {{- else if eq . "*" }}
+ - "*"
+ {{- else }}
+ - {{ . -}}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/deploy/helm/templates/policy_fail_vw.yaml b/deploy/helm/templates/policy_fail_vw.yaml
new file mode 100644
index 000000000..0ab227da3
--- /dev/null
+++ b/deploy/helm/templates/policy_fail_vw.yaml
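Review bot: `failurePolicy: Ignore` is hard-coded in this manifest (the `webhook.failurePolicy` value the deleted chart honoured is no longer consulted here), so any failure to reach the terrascan service — pod not ready, TLS mismatch, timeout — admits the object unscanned; combined with `caBundle: {{ .Files.Get "data/server.crt" | b64enc }}`, which renders as an empty string when the cert file is missing, a mis-deployed chart silently enforces nothing. Make the cert mandatory with `caBundle: {{ required "data/server.crt is required when webhook.mode is enabled" (.Files.Get "data/server.crt") | b64enc }}`. The bootstrap problem that motivated Ignore (the webhook intercepting its own backend pod, per the comment in policy_fail_vw.yaml) is normally solved by excluding the release namespace with a `namespaceSelector`, which lets the policy stay values-driven and default to Fail without a post-install hook; the `kubernetes.io/metadata.name` label is set automatically on Kubernetes 1.21+, older clusters need it applied by hand. As written nothing excludes `kube-system` either, so whatever `webhook.rules` matches there is also subject to this fail-open path.
```yaml
    failurePolicy: {{ .Values.webhook.failurePolicy }}
    # Do not intercept the namespace hosting the webhook backend (or kube-system),
    # so the terrascan pod can be admitted while the webhook itself is still down.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - {{ .Release.Namespace }}
            - kube-system
    # … unchanged: sideEffects, clientConfig, rules …
```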
@@ -0,0 +1,66 @@
+# Had to create this file just to support validatingwebhookconfiguration failurePolicy to be FAIL.
+# It turns out, webhook doesn't allow the terrascan server pod to come up in case failurePolicy is Fail.
+# So, as a workaround, we create the webhook w/ Ignore, and then upgrade it to Fail in. post install chart hook. ref: https://helm.sh/docs/topics/charts_hooks/
+{{- if and .Values.webhook.mode (eq .Values.webhook.failurePolicy "Fail") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ .Values.name }}
+ annotations:
+ "helm.sh/hook": "post-install"
+webhooks:
+ - name: {{ .Values.webhook.name }}
+ admissionReviewVersions:
+ {{- range .Values.webhook.admissionReviewVersions }}
+ - {{ . | printf "%s" }}
+ {{ end }}
+ failurePolicy: Fail
+ sideEffects: {{ .Values.webhook.sideEffects }}
+ clientConfig:
+ service:
+ name: {{ .Values.name }}
+ namespace: {{ .Release.Namespace }}
+ path: {{ .Values.terrascan_webhook_key | printf "/v1/k8s/webhooks/%s/scan/validate" }}
+ caBundle: {{ .Files.Get "data/server.crt" | b64enc }}
+ rules:
+ - apiGroups:
+ {{- range .Values.webhook.apiGroups }}
+ {{- if eq . ""}}
+ - ""
+ {{- else if eq . "*" }}
+ - "*"
+ {{- else }}
+ - {{ . -}}
+ {{- end }}
+ {{- end }}
+ resources:
+ {{- range .Values.webhook.resources }}
+ {{- if eq . ""}}
+ - ""
+ {{- else if eq . "*" }}
+ - "*"
+ {{- else }}
+ - {{ . -}}
+ {{- end }}
+ {{- end }}
+ apiVersions:
+ {{- range .Values.webhook.apiVersions }}
+ {{- if eq . ""}}
+ - ""
+ {{- else if eq . "*" }}
+ - "*"
+ {{- else }}
+ - {{ . -}}
+ {{- end }}
+ {{- end }}
+ operations:
+ {{- range .Values.webhook.operations }}
+ {{- if eq . ""}}
+ - ""
+ {{- else if eq . "*" }}
+ - "*"
+ {{- else }}
+ - {{ . -}}
+ {{- end }}
+ {{- end }}
+{{- end -}}
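Review bot: The hook is annotated `"helm.sh/hook": "post-install"` only, so after a `helm upgrade` nothing re-asserts `Fail`: the release manifest in deployments.yaml still declares `failurePolicy: Ignore` for the same object name, and whenever Helm's upgrade patch touches that object (a chart bump or a change to `webhook.rules`) the live webhook is left fail-open with no error reported. Changing the annotation to `"helm.sh/hook": "post-install,post-upgrade"` closes that gap. The workaround also appears to rely on Helm's default `before-hook-creation` delete policy removing the release-owned `{{ .Values.name }}` object so the hook can re-create it under the same name — if that is the intent, the header comment should state it, since the release then no longer owns the live ValidatingWebhookConfiguration. This manifest is otherwise a verbatim copy of the one in deployments.yaml; moving the `webhooks:` body into a named `define` template shared by both files would stop the two `rules` blocks from drifting apart.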
diff --git a/deploy/helm-charts/server/templates/service.yaml b/deploy/helm/templates/service.yaml
similarity index 82%
rename from deploy/helm-charts/server/templates/service.yaml
rename to deploy/helm/templates/service.yaml
index 90e5d3dff..55c702d83 100644
--- a/deploy/helm-charts/server/templates/service.yaml
+++ b/deploy/helm/templates/service.yaml
@@ -4,7 +4,7 @@ metadata:
 name: {{ .Values.name }}
 namespace: {{ .Release.Namespace }}
 spec:
- type: LoadBalancer
+ type: {{ .Values.terrascan_service_type }}
 selector:
 app: {{ .Values.name }}
 ports:
diff --git a/deploy/helm-charts/server/templates/ssh-secret.yaml b/deploy/helm/templates/ssh-secret.yaml
similarity index 100%
rename from deploy/helm-charts/server/templates/ssh-secret.yaml
rename to deploy/helm/templates/ssh-secret.yaml
diff --git a/deploy/helm-charts/webhook/values.yaml b/deploy/helm/values.yaml
similarity index 50%
rename from deploy/helm-charts/webhook/values.yaml
rename to deploy/helm/values.yaml
index 618dca158..0a140b02b 100644
--- a/deploy/helm-charts/webhook/values.yaml
+++ b/deploy/helm/values.yaml
@@ -1,8 +1,19 @@
 terrascan_webhook_key: terrakey
+terrascan_container_image: accurics/terrascan:1.6.0
+terrascan_service_type: ClusterIP
+use_debug: true
+cert_secret_name: terrascancerts
+ssh_secret_name: terrascanssh
+config_name: terrascanconfig
+replicas: 1
 name: terrascan
+persistence:
+ enabled: false
+ existingclaim: terrascanPvc
 webhook:
+ mode: false
 name: webhook.terrascan.io
- failurePolicy: Fail
+ failurePolicy: Ignore
 sideEffects: None
 admissionReviewVersions:
 - "v1"
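Review bot: The default `webhook.failurePolicy` flips from `Fail` to `Ignore`, and because policy_fail_vw.yaml only renders when that value equals `Fail`, an operator following the README's `--set webhook.mode=true` gets an admission webhook that silently admits everything whenever the terrascan service is unreachable; keep `failurePolicy: Fail` as the default, or at minimum annotate the key with `# Ignore = fail-open: objects are admitted unscanned when the server is unreachable`. `use_debug: true` is likewise a risky shipped default for a server that handles admission requests (debug output may echo the manifests under review) and should be `false`. Separately, `persistence.existingclaim` (lower-case c) never matches the `.Values.persistence.existingClaim` that the deployments.yaml volumes hunk tests, so the PVC is ignored and an `emptyDir` is mounted even with persistence enabled; rename it to `existingClaim` here and in the README example. `terrascan_webhook_key: terrakey` is only a context line, but since that value is embedded in the cluster-readable webhook `path`, the README should instruct users to override it rather than ship the shared default.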