From fa0accc69bae2602b6253b52650918a04572b8f4 Mon Sep 17 00:00:00 2001 From: Rahul M Chheda Date: Wed, 26 May 2021 23:36:39 +0530 Subject: [PATCH 1/9] Merge Webhook and Server Helm Chart Signed-off-by: Rahul M Chheda --- .../server/templates/configmap.yaml | 7 +-- .../{deployment.yaml => deployments.yaml} | 62 ++++++++++++++++++- deploy/helm-charts/server/values.yaml | 19 ++++++ deploy/helm-charts/webhook/Chart.yaml | 18 ------ .../webhook/templates/validating-webhook.yaml | 59 ------------------ deploy/helm-charts/webhook/values.yaml | 20 ------ 6 files changed, 82 insertions(+), 103 deletions(-) rename deploy/helm-charts/server/templates/{deployment.yaml => deployments.yaml} (60%) delete mode 100644 deploy/helm-charts/webhook/Chart.yaml delete mode 100644 deploy/helm-charts/webhook/templates/validating-webhook.yaml delete mode 100644 deploy/helm-charts/webhook/values.yaml diff --git a/deploy/helm-charts/server/templates/configmap.yaml b/deploy/helm-charts/server/templates/configmap.yaml index 331fa2d9e..6535115b0 100644 --- a/deploy/helm-charts/server/templates/configmap.yaml +++ b/deploy/helm-charts/server/templates/configmap.yaml @@ -1,11 +1,8 @@ -{{- $globconfig := .Files.Glob "data/config.toml" }} -{{- if $globconfig }} apiVersion: v1 kind: ConfigMap metadata: name: {{ .Values.config_name }} namespace: {{ .Release.Namespace }} data: - terrascan-config: |- - {{ .Files.Get "data/config.toml" | b64enc }} -{{- end }} + terrascan-config: | +{{ .Files.Get "data/config.toml" | indent 4 }} diff --git a/deploy/helm-charts/server/templates/deployment.yaml b/deploy/helm-charts/server/templates/deployments.yaml similarity index 60% rename from deploy/helm-charts/server/templates/deployment.yaml rename to deploy/helm-charts/server/templates/deployments.yaml index 7af7de0d4..469fc987c 100644 --- a/deploy/helm-charts/server/templates/deployment.yaml +++ b/deploy/helm-charts/server/templates/deployments.yaml 
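Review bot: Dropping the `{{- if $globconfig }}` guard in configmap.yaml means the ConfigMap is rendered even when `data/config.toml` is absent; `.Files.Get` then returns an empty string and `terrascan-config` is empty. The deployments.yaml context in the following hunk still gates `config-volume` on `$globconfig`, so the two templates no longer agree on when a config exists. The switch from `b64enc` to plain text can stay while the guard is restored, by wrapping the document in `{{- if .Files.Glob "data/config.toml" }}` and `{{- end }}`.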
@@ -75,7 +75,7 @@ spec: {{- if $globconfig }} - name: config-volume configMap: - configMapName: {{ .Values.config_name }} + name: {{ .Values.config_name }} {{- end }} {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} - name: terrascan-data-sync @@ -87,3 +87,63 @@ spec: - name: terrascan-data-sync emptyDir: {} {{- end }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ .Values.name }} +webhooks: + - name: {{ .Values.webhook.name }} + admissionReviewVersions: + {{- range .Values.webhook.admissionReviewVersions }} + - {{ . | printf "%s" }} + {{ end }} + failurePolicy: {{ .Values.webhook.failurePolicy }} + sideEffects: {{ .Values.webhook.sideEffects }} + clientConfig: + service: + name: {{ .Values.name }} + namespace: {{ .Release.Namespace }} + path: {{ .Values.terrascan_webhook_key | printf "/v1/k8s/webhooks/%s/scan/validate" }} + caBundle: {{ .Files.Get "data/server.crt" | b64enc }} + rules: + - apiGroups: + {{- range .Values.webhook.apiGroups }} + {{- if eq . ""}} + - "" + {{- else if eq . "*" }} + - "*" + {{- else }} + - {{ . -}} + {{- end }} + {{- end }} + resources: + {{- range .Values.webhook.resources }} + {{- if eq . ""}} + - "" + {{- else if eq . "*" }} + - "*" + {{- else }} + - {{ . -}} + {{- end }} + {{- end }} + apiVersions: + {{- range .Values.webhook.apiVersions }} + {{- if eq . ""}} + - "" + {{- else if eq . "*" }} + - "*" + {{- else }} + - {{ . -}} + {{- end }} + {{- end }} + operations: + {{- range .Values.webhook.operations }} + {{- if eq . ""}} + - "" + {{- else if eq . "*" }} + - "*" + {{- else }} + - {{ . -}} + {{- end }} + {{- end }} diff --git a/deploy/helm-charts/server/values.yaml b/deploy/helm-charts/server/values.yaml index 6ee736420..962f786f9 100644 --- a/deploy/helm-charts/server/values.yaml +++ b/deploy/helm-charts/server/values.yaml 
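Review bot: In the added ValidatingWebhookConfiguration, `caBundle: {{ .Files.Get "data/server.crt" | b64enc }}` renders an empty bundle when the certificate file is missing from the chart, and nothing stops the install. With `failurePolicy: Ignore` as the default added to values.yaml in this commit, a webhook call that fails TLS verification is presumably just skipped, so admission scanning would be silently off. Failing at render time is safer: `caBundle: {{ required "data/server.crt is missing" (.Files.Get "data/server.crt") | b64enc }}`. The same line appears in policy_fail_vw.yaml later in the series.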
@@ -8,3 +8,22 @@ name: terrascan persistence: enabled: false existingclaim: terrascanPvc + +webhook: + name: webhook.terrascan.io + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: + - "v1" + - "v1beta1" + apiGroups: + - "apps" + - "" + resources: + - "deployments" + - "pods" + apiVersions: + - "*" + operations: + - CREATE + - UPDATE diff --git a/deploy/helm-charts/webhook/Chart.yaml b/deploy/helm-charts/webhook/Chart.yaml deleted file mode 100644 index c94a4d63e..000000000 --- a/deploy/helm-charts/webhook/Chart.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -name: terrascan -version: 1.0.0 -appVersion: v1.6.0 -description: A Helm chart for running terrascan in server mode -icon: https://raw.githubusercontent.com/accurics/terrascan/master/docs/img/terrascan-icon-white.png -home: https://github.com/accurics/terrascan -keywords: - - terrascan - - opa - - security -sources: - - https://github.com/accurics/terrascan -maintainers: - - name: jlk - email: jlk@accurics.com - - name: dev-gaur - email: devang.gaur@accurics.com diff --git a/deploy/helm-charts/webhook/templates/validating-webhook.yaml b/deploy/helm-charts/webhook/templates/validating-webhook.yaml deleted file mode 100644 index 4490fd774..000000000 --- a/deploy/helm-charts/webhook/templates/validating-webhook.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: {{ .Values.name }} -webhooks: - - name: {{ .Values.webhook.name }} - admissionReviewVersions: - {{- range .Values.webhook.admissionReviewVersions }} - - {{ . | printf "%s" }} - {{ end }} - failurePolicy: {{ .Values.webhook.failurePolicy }} - sideEffects: {{ .Values.webhook.sideEffects }} - clientConfig: - service: - name: {{ .Values.name }} - namespace: {{ .Release.Namespace }} - path: {{ .Values.terrascan_webhook_key | printf "/v1/k8s/webhooks/%s/scan/validate" }} - caBundle: {{ .Files.Get "data/server.crt" | b64enc }} - rules: - - apiGroups: - {{- range .Values.webhook.apiGroups }} - {{- if eq . ""}} - - "" - {{- else if eq . "*" }} - - "*" - {{- else }} - - {{ . -}} - {{- end }} - {{- end }} - resources: - {{- range .Values.webhook.resources }} - {{- if eq . ""}} - - "" - {{- else if eq . "*" }} - - "*" - {{- else }} - - {{ . -}} - {{- end }} - {{- end }} - apiVersions: - {{- range .Values.webhook.apiVersions }} - {{- if eq . ""}} - - "" - {{- else if eq . "*" }} - - "*" - {{- else }} - - {{ . -}} - {{- end }} - {{- end }} - operations: - {{- range .Values.webhook.operations }} - {{- if eq . ""}} - - "" - {{- else if eq . "*" }} - - "*" - {{- else }} - - {{ . -}} - {{- end }} - {{- end }} diff --git a/deploy/helm-charts/webhook/values.yaml b/deploy/helm-charts/webhook/values.yaml deleted file mode 100644 index 618dca158..000000000 --- a/deploy/helm-charts/webhook/values.yaml +++ /dev/null @@ -1,20 +0,0 @@ -terrascan_webhook_key: terrakey -name: terrascan -webhook: - name: webhook.terrascan.io - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - "v1" - - "v1beta1" - apiGroups: - - "apps" - - "" - resources: - - "deployments" - - "pods" - apiVersions: - - "*" - operations: - - CREATE - - UPDATE From dca9027c4feb379780abd606d109751e260d6dba Mon Sep 17 00:00:00 2001 
From: Rahul M Chheda Date: Wed, 26 May 2021 23:42:10 +0530 Subject: [PATCH 2/9] Dont create LoadBalancer service Signed-off-by: Rahul M Chheda --- deploy/helm-charts/server/templates/service.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/deploy/helm-charts/server/templates/service.yaml b/deploy/helm-charts/server/templates/service.yaml index 90e5d3dff..4ec0fafd9 100644 --- a/deploy/helm-charts/server/templates/service.yaml +++ b/deploy/helm-charts/server/templates/service.yaml @@ -4,7 +4,6 @@ metadata: name: {{ .Values.name }} namespace: {{ .Release.Namespace }} spec: - type: LoadBalancer selector: app: {{ .Values.name }} ports: From f5fa8150146d3c4abc11982a69211c608924569b Mon Sep 17 00:00:00 2001 From: Rahul M Chheda Date: Thu, 27 May 2021 00:14:30 +0530 Subject: [PATCH 3/9] Allow fail policy Signed-off-by: Rahul M Chheda --- .../server/templates/deployments.yaml | 2 +- .../server/templates/policy_fail_vw.yaml | 62 +++++++++++++++++++ 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 deploy/helm-charts/server/templates/policy_fail_vw.yaml diff --git a/deploy/helm-charts/server/templates/deployments.yaml b/deploy/helm-charts/server/templates/deployments.yaml index 469fc987c..451ce698a 100644 --- a/deploy/helm-charts/server/templates/deployments.yaml +++ b/deploy/helm-charts/server/templates/deployments.yaml @@ -98,7 +98,7 @@ webhooks: {{- range .Values.webhook.admissionReviewVersions }} - {{ . | printf "%s" }} {{ end }} - failurePolicy: {{ .Values.webhook.failurePolicy }} + failurePolicy: Ignore sideEffects: {{ .Values.webhook.sideEffects }} clientConfig: service: diff --git a/deploy/helm-charts/server/templates/policy_fail_vw.yaml b/deploy/helm-charts/server/templates/policy_fail_vw.yaml new file mode 100644 index 000000000..1eb7d01dc --- /dev/null +++ b/deploy/helm-charts/server/templates/policy_fail_vw.yaml 
@@ -0,0 +1,62 @@ +# if else block here +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ .Values.name }} + annotations: + "helm.sh/hook": "post-install" +webhooks: + - name: {{ .Values.webhook.name }} + admissionReviewVersions: + {{- range .Values.webhook.admissionReviewVersions }} + - {{ . | printf "%s" }} + {{ end }} + failurePolicy: Fail + sideEffects: {{ .Values.webhook.sideEffects }} + clientConfig: + service: + name: {{ .Values.name }} + namespace: {{ .Release.Namespace }} + path: {{ .Values.terrascan_webhook_key | printf "/v1/k8s/webhooks/%s/scan/validate" }} + caBundle: {{ .Files.Get "data/server.crt" | b64enc }} + rules: + - apiGroups: + {{- range .Values.webhook.apiGroups }} + {{- if eq . ""}} + - "" + {{- else if eq . "*" }} + - "*" + {{- else }} + - {{ . -}} + {{- end }} + {{- end }} + resources: + {{- range .Values.webhook.resources }} + {{- if eq . ""}} + - "" + {{- else if eq . "*" }} + - "*" + {{- else }} + - {{ . -}} + {{- end }} + {{- end }} + apiVersions: + {{- range .Values.webhook.apiVersions }} + {{- if eq . ""}} + - "" + {{- else if eq . "*" }} + - "*" + {{- else }} + - {{ . -}} + {{- end }} + {{- end }} + operations: + {{- range .Values.webhook.operations }} + {{- if eq . ""}} + - "" + {{- else if eq . "*" }} + - "*" + {{- else }} + - {{ . -}} + {{- end }} + {{- end }} \ No newline at end of file From 014d696adf4b548e9b7c04a6b63912d1a641ef0e Mon Sep 17 00:00:00 2001 From: Rahul M Chheda Date: Thu, 27 May 2021 00:30:40 +0530 Subject: [PATCH 4/9] Allow webhook failurePolicy to be Fail Signed-off-by: Rahul M Chheda --- deploy/helm-charts/server/templates/policy_fail_vw.yaml | 5 +++-- deploy/helm-charts/server/values.yaml | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/deploy/helm-charts/server/templates/policy_fail_vw.yaml b/deploy/helm-charts/server/templates/policy_fail_vw.yaml index 1eb7d01dc..c6591eea4 100644 
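Review bot: The `"helm.sh/hook": "post-install"` annotation applies the Fail variant only on first install. A later `helm upgrade` re-applies the `failurePolicy: Ignore` object from deployments.yaml under the same `metadata.name` and no hook restores Fail, so enforcement likely drops back to fail-open without any signal. If the two-object approach stays, the hook should cover upgrades as well: `"helm.sh/hook": "post-install,post-upgrade"`. Because both objects are named `{{ .Values.name }}`, it is also worth confirming how the hook's create step behaves against the already-installed resource. The remainder of the file duplicates the webhook body from deployments.yaml; a shared named template (`define`/`include`) that takes the policy as an argument would keep the two copies from drifting.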
--- a/deploy/helm-charts/server/templates/policy_fail_vw.yaml +++ b/deploy/helm-charts/server/templates/policy_fail_vw.yaml @@ -1,4 +1,4 @@ -# if else block here +{{- if eq .Values.webhook.failurePolicy "Fail" }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: @@ -59,4 +59,5 @@ webhooks: {{- else }} - {{ . -}} {{- end }} - {{- end }} \ No newline at end of file + {{- end }} +{{- end -}} \ No newline at end of file diff --git a/deploy/helm-charts/server/values.yaml b/deploy/helm-charts/server/values.yaml index 962f786f9..a593b0980 100644 --- a/deploy/helm-charts/server/values.yaml +++ b/deploy/helm-charts/server/values.yaml @@ -11,7 +11,7 @@ persistence: webhook: name: webhook.terrascan.io - failurePolicy: Ignore + failurePolicy: Fail sideEffects: None admissionReviewVersions: - "v1" From 02c3648c4b619b1bd2028de758491727dca1632f Mon Sep 17 00:00:00 2001 From: Devang Date: Thu, 27 May 2021 19:49:21 +0530 Subject: [PATCH 5/9] minor changes and shifting helm charts to deploy/helm/ 
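Review bot: The guard `eq .Values.webhook.failurePolicy "Fail"` is an exact, case-sensitive match, and deployments.yaml hard-codes `failurePolicy: Ignore`. Any other spelling in values (`fail`, `FAIL`, a typo) therefore installs a fail-open webhook silently, with no error. Rejecting unknown values at render time closes that gap, for example `{{- if not (has .Values.webhook.failurePolicy (list "Fail" "Ignore")) }}{{ fail "webhook.failurePolicy must be Fail or Ignore" }}{{- end }}` at the top of the template.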
Signed-off-by: Devang --- .../{helm-charts/server => helm}/Chart.yaml | 0 deploy/{helm-charts => helm}/README.md | 84 +++++++++++-------- .../templates/cert-secret.yaml | 0 .../server => helm}/templates/configmap.yaml | 0 .../templates/deployments.yaml | 2 + .../templates/policy_fail_vw.yaml | 4 +- .../server => helm}/templates/service.yaml | 1 + .../server => helm}/templates/ssh-secret.yaml | 0 .../{helm-charts/server => helm}/values.yaml | 5 +- 9 files changed, 57 insertions(+), 39 deletions(-) rename deploy/{helm-charts/server => helm}/Chart.yaml (100%) rename deploy/{helm-charts => helm}/README.md (67%) rename deploy/{helm-charts/server => helm}/templates/cert-secret.yaml (100%) rename deploy/{helm-charts/server => helm}/templates/configmap.yaml (100%) rename deploy/{helm-charts/server => helm}/templates/deployments.yaml (98%) rename deploy/{helm-charts/server => helm}/templates/policy_fail_vw.yaml (94%) rename deploy/{helm-charts/server => helm}/templates/service.yaml (82%) rename deploy/{helm-charts/server => helm}/templates/ssh-secret.yaml (100%) rename deploy/{helm-charts/server => helm}/values.yaml (87%) diff --git a/deploy/helm-charts/server/Chart.yaml b/deploy/helm/Chart.yaml similarity index 100% rename from deploy/helm-charts/server/Chart.yaml rename to deploy/helm/Chart.yaml diff --git a/deploy/helm-charts/README.md b/deploy/helm/README.md similarity index 67% rename from deploy/helm-charts/README.md rename to deploy/helm/README.md index 3a1e756f9..9859000d1 100644 --- a/deploy/helm-charts/README.md +++ b/deploy/helm/README.md 
@@ -7,17 +7,28 @@ In server mode, terrascan will act both as an API server for performing remote scans of IAC, as well as a validating admission webhook for a Kubernetes cluster. Further details can be found in the [main documentation](https://docs.accurics.com/projects/accurics-terrascan/en/latest/). -There are two helm charts: - -1. In the `server/` directory : to deploy terrascan in server mode. -2. In the `webhook/` directory : to setup a validating webhook that uses the deployed terrascan server from step 1, as its backend. ## Usage ### Set up TLS certificates A requirement to run an admission controller is that communication happens over TLS. This helm chart expects to find the certificate -at `server/data/server.crt` and key at `server/data/server.key`. -If you opt to deploy the webhook as well, please copy `server/data/server.crt` at `webhook/data/server.crt` +at `data/server.crt` and key at `data/server.key`. + +There's a `data/domain.cnf` file available for you to edit and generate key & certificate. You can use the following command: + + ```bash + openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout data/server.key -out data/server.crt -config data/domain.cnf + ``` + +In the `data/domain.cnf` file, we have configured DNS names as `terrascan.terrascan.svc`, assuming the defaults that service +will be named `terrascan` and hosted in `terrascan` namespace. You'll have to manually change that as per your requirements. + +### Terrascan configuration file +This chart will look for a [terrascan configuration +file](https://docs.accurics.com/projects/accurics-terrascan/en/latest/usage/#config-file) +at `data/config.toml`. If that file exists before running `helm +install`, it's contents will be loaded into a configMap and provided +to the terrascan server. ### Set up SSH config for private remote repo scan If you're opting to utilise the remote repo scan feature for ***private*** repositories, 
@@ -53,13 +64,6 @@ persistence: existingclaim: pvcClaimName ``` -### Terrascan configuration file -This chart will look for a [terrascan configuration -file](https://docs.accurics.com/projects/accurics-terrascan/en/latest/usage/#config-file) -at `server/data/config.toml`. If that file exists before running `helm -install`, it's contents will be loaded into a configMap and provided -to the terrascan server. - ### Deploy Once your TLS certificate is generated and the values in the `values.yaml` configuration file have been reviewed, you can install 
@@ -67,47 +71,57 @@ the chart with the following command: 1. Deploying Terrascan Server. - *Ensure that your current working directory is `server/`.* + For just installing a terrascan server deployment and service, + ``` - helm install . + helm install . -n ``` - Where `` is the name you want to assign to this installed chart. - This value will be used in various resources to make them both distinct and identifiable. + Where `` is the name you want to assign to this installed chart. + This value will be used in various resources to make them both distinct and identifiable. - This will use your current namespace unless `-n ` is specified + #### Verification - #### Verification - - You can query for the pod using the following command. + You can query for the pod using the following command. ``` kubectl get pod -n -w ``` - Watch the pod until it attains the `Running` state. + Watch the pod until it attains the `Running` state. - Verify the logs of the terrascan pod using the following command. + Verify the logs of the terrascan pod using the following command. ``` kubectl -n logs ``` If you see a log that goes like `server listening on port : `, the deployment went smooth. -2. Deploying Validating Webhook. + ###Deploying Validating Webhook. + + For installing the terrascan deployment and service along the validating webhook, - *Ensure that your current working directory is `webhook/`.* ``` - helm install . + helm install . -n --set webhook.mode=true ``` This will use your current namespace unless `-n ` is specified. 
- ***Ensure that you provide the exact same value as you did to deploy the `server/` chart in step 1.*** + #### Verification + Try creating a resource that's scanning by the webhook + + ```bash + kubectl run test-pod --image=nginx + ``` + #### Clean Up + + ```bash + helm uninstall -n + ``` ## TODO: This chart is a WIP - we intend to add the following functionality in the near future: - - [x] Storage support - volume for db - - [x] Add section for setting the validating-webhook up. - - [x] Add secrets to add ssh capabilities in the container, to enable remote repo scan feature. - - [ ] Support more load balancer types - - [ ] Support for ingress - - [ ] Flag for UI enable/disable - - [ ] Publish to Artifact hub - - [ ] Support TLS certificate/key in existing secrets +- [x] Storage support - volume for db +- [x] Add section for setting the validating-webhook up. +- [x] Add secrets to add ssh capabilities in the container, to enable remote repo scan feature. +- [ ] Support more load balancer types +- [ ] Support for ingress +- [ ] Flag for UI enable/disable +- [ ] Publish to Artifact hub +- [ ] Support TLS certificate/key in existing secrets diff --git a/deploy/helm-charts/server/templates/cert-secret.yaml b/deploy/helm/templates/cert-secret.yaml similarity index 100% rename from deploy/helm-charts/server/templates/cert-secret.yaml rename to deploy/helm/templates/cert-secret.yaml diff --git a/deploy/helm-charts/server/templates/configmap.yaml b/deploy/helm/templates/configmap.yaml similarity index 100% rename from deploy/helm-charts/server/templates/configmap.yaml rename to deploy/helm/templates/configmap.yaml diff --git a/deploy/helm-charts/server/templates/deployments.yaml b/deploy/helm/templates/deployments.yaml similarity index 98% rename from deploy/helm-charts/server/templates/deployments.yaml rename to deploy/helm/templates/deployments.yaml index 451ce698a..aba9db3e5 100644 --- a/deploy/helm-charts/server/templates/deployments.yaml 
+++ b/deploy/helm/templates/deployments.yaml @@ -87,6 +87,7 @@ spec: - name: terrascan-data-sync emptyDir: {} {{- end }} +{{- if .Values.webhook.mode }} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration @@ -147,3 +148,4 @@ webhooks: - {{ . -}} {{- end }} {{- end }} +{{- end }} diff --git a/deploy/helm-charts/server/templates/policy_fail_vw.yaml b/deploy/helm/templates/policy_fail_vw.yaml similarity index 94% rename from deploy/helm-charts/server/templates/policy_fail_vw.yaml rename to deploy/helm/templates/policy_fail_vw.yaml index c6591eea4..ca4fdfcd6 100644 --- a/deploy/helm-charts/server/templates/policy_fail_vw.yaml +++ b/deploy/helm/templates/policy_fail_vw.yaml @@ -1,4 +1,4 @@ -{{- if eq .Values.webhook.failurePolicy "Fail" }} +{{- if and .Values.webhook.mode (eq .Values.webhook.failurePolicy "Fail") }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: @@ -60,4 +60,4 @@ webhooks: - {{ . -}} {{- end }} {{- end }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/deploy/helm-charts/server/templates/service.yaml b/deploy/helm/templates/service.yaml similarity index 82% rename from deploy/helm-charts/server/templates/service.yaml rename to deploy/helm/templates/service.yaml index 4ec0fafd9..55c702d83 100644 --- a/deploy/helm-charts/server/templates/service.yaml +++ b/deploy/helm/templates/service.yaml @@ -4,6 +4,7 @@ metadata: name: {{ .Values.name }} namespace: {{ .Release.Namespace }} spec: + type: {{ .Values.terrascan_service_type }} selector: app: {{ .Values.name }} ports: diff --git a/deploy/helm-charts/server/templates/ssh-secret.yaml b/deploy/helm/templates/ssh-secret.yaml similarity index 100% rename from deploy/helm-charts/server/templates/ssh-secret.yaml rename to deploy/helm/templates/ssh-secret.yaml 
diff --git a/deploy/helm-charts/server/values.yaml b/deploy/helm/values.yaml similarity index 87% rename from deploy/helm-charts/server/values.yaml rename to deploy/helm/values.yaml index a593b0980..0972e62d5 100644 --- a/deploy/helm-charts/server/values.yaml +++ b/deploy/helm/values.yaml @@ -1,5 +1,6 @@ terrascan_webhook_key: terrakey terrascan_container_image: accurics/terrascan:1.6.0 +terrascan_service_type: ClusterIP use_debug: true cert_secret_name: terrascancerts ssh_secret_name: terrascanssh @@ -8,10 +9,10 @@ name: terrascan persistence: enabled: false existingclaim: terrascanPvc - webhook: + mode: false name: webhook.terrascan.io - failurePolicy: Fail + failurePolicy: Ignore sideEffects: None admissionReviewVersions: - "v1" From 576db26d6049a8d4a3abdf959685238fff62496d Mon Sep 17 00:00:00 2001 From: Devang Date: Thu, 27 May 2021 19:57:59 +0530 Subject: [PATCH 6/9] addition to the helm chart maintainer list Signed-off-by: Devang --- deploy/helm/Chart.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/deploy/helm/Chart.yaml b/deploy/helm/Chart.yaml index b02663363..055146051 100644 --- a/deploy/helm/Chart.yaml +++ b/deploy/helm/Chart.yaml @@ -22,3 +22,5 @@ maintainers: email: devang.gaur@accurics.com - name: yusuf-kanchwala email: yusuf.kanchwala@accurics.com + - name: yusuf-kanchwala + email: rahul.chheda@accurics.com From a299c02c1136ceae9d29d14284b445144ea832bf Mon Sep 17 00:00:00 2001 From: Devang Date: Thu, 27 May 2021 21:37:51 +0530 Subject: [PATCH 7/9] parameterized deployment replicas Signed-off-by: Devang --- deploy/helm/templates/deployments.yaml | 2 +- deploy/helm/values.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/deploy/helm/templates/deployments.yaml b/deploy/helm/templates/deployments.yaml index aba9db3e5..86d96e42f 100644 --- a/deploy/helm/templates/deployments.yaml +++ b/deploy/helm/templates/deployments.yaml 
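Review bot: The second values.yaml hunk sets the default back to `failurePolicy: Ignore` with no comment. A reader of the file cannot tell that the webhook then admits requests unscanned whenever the terrascan service is unreachable or its certificate does not verify. A comment above the key would document the trade-off, e.g. `# Ignore = fail-open (requests are admitted if the webhook cannot be reached); set to Fail to block instead`. On naming, `mode: false` is a boolean toggle; `enabled`, as already used under `persistence`, would read more consistently, though the README in this commit documents `webhook.mode`.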
@@ -4,7 +4,7 @@ metadata: name: {{ .Values.name }} namespace: {{ .Release.Namespace }} spec: - replicas: 1 + replicas: {{ .Values.replicas }} selector: matchLabels: app: {{ .Values.name }} diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml index 0972e62d5..0a140b02b 100644 --- a/deploy/helm/values.yaml +++ b/deploy/helm/values.yaml @@ -5,6 +5,7 @@ use_debug: true cert_secret_name: terrascancerts ssh_secret_name: terrascanssh config_name: terrascanconfig +replicas: 1 name: terrascan persistence: enabled: false From 550ada25aa7da9f0e08e6221ce379e771bcf3395 Mon Sep 17 00:00:00 2001 From: Rahul M Chheda Date: Fri, 28 May 2021 02:16:02 +0530 Subject: [PATCH 8/9] Fix name in maintainers Signed-off-by: Rahul M Chheda --- deploy/helm/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/helm/Chart.yaml b/deploy/helm/Chart.yaml index 055146051..84fcb6074 100644 --- a/deploy/helm/Chart.yaml +++ b/deploy/helm/Chart.yaml @@ -22,5 +22,5 @@ maintainers: email: devang.gaur@accurics.com - name: yusuf-kanchwala email: yusuf.kanchwala@accurics.com - - name: yusuf-kanchwala + - name: rahulchheda email: rahul.chheda@accurics.com From 0e56753085798c8735c5ffe062172c176dbbd53f Mon Sep 17 00:00:00 2001 From: Rahul M Chheda Date: Fri, 28 May 2021 02:18:36 +0530 Subject: [PATCH 9/9] Add comment in helm template for reference Signed-off-by: Rahul M Chheda --- deploy/helm/templates/policy_fail_vw.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deploy/helm/templates/policy_fail_vw.yaml b/deploy/helm/templates/policy_fail_vw.yaml index ca4fdfcd6..0ab227da3 100644 --- a/deploy/helm/templates/policy_fail_vw.yaml +++ b/deploy/helm/templates/policy_fail_vw.yaml 
@@ -1,3 +1,6 @@ +# Had to create this file just to support validatingwebhookconfiguration failurePolicy to be FAIL. +# It turns out, webhook doesn't allow the terrascan server pod to come up in case failurePolicy is Fail. +# So, as a workaround, we create the webhook w/ Ignore, and then upgrade it to Fail in. post install chart hook. ref: https://helm.sh/docs/topics/charts_hooks/ {{- if and .Values.webhook.mode (eq .Values.webhook.failurePolicy "Fail") }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration
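Review bot: The workaround described in the added comment (install with Ignore, then switch to Fail from a hook) is needed because the webhook's rules also match the terrascan pod itself; scoping the webhook away from the release namespace would remove the ordering problem at its source. A `namespaceSelector` on the webhook entry that excludes `{{ .Release.Namespace }}` lets a single object carry the configured `failurePolicy` from the start, at the cost of not scanning workloads in that namespace. The selector below relies on the `kubernetes.io/metadata.name` namespace label, which older clusters do not set automatically, so confirm the minimum supported Kubernetes version. The `webhooks:` entry itself lies outside this hunk.

```yaml
webhooks:
  - name: {{ .Values.webhook.name }}
    # … unchanged: admissionReviewVersions, sideEffects, clientConfig, rules …
    failurePolicy: {{ .Values.webhook.failurePolicy }}
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - {{ .Release.Namespace | quote }}
```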