From f161ca47d4c882f32c513595b1743d1bb9d9d4b0 Mon Sep 17 00:00:00 2001 
From: Othar Linaker Date: Wed, 10 Mar 2021 23:04:21 +0100 Subject: [PATCH] Fix/dependency track (#43) Co-authored-by: David J. M. Karlsen --- .github/workflows/publish.yaml | 2 +- .github/workflows/test.yaml | 2 +- charts/dependency-track/Chart.lock | 9 + charts/dependency-track/Chart.yaml | 14 +- .../ci/nopersistence-values.yaml | 14 +- charts/dependency-track/ci/withpg-values.yaml | 10 + charts/dependency-track/requirements.lock | 6 - charts/dependency-track/requirements.yaml | 5 - charts/dependency-track/templates/NOTES.txt | 20 +- .../dependency-track/templates/_helpers.tpl | 63 +-- .../templates/backend/deployment.yaml | 78 +++ .../templates/backend/pvc.yaml | 21 + .../templates/backend/service.yaml | 14 + .../templates/backend/serviceaccount.yaml | 7 + .../dependency-track/templates/configmap.yaml | 11 - .../templates/deployment.yaml | 112 ----- .../templates/frontend/deployment.yaml | 48 ++ .../templates/frontend/service.yaml | 14 + .../templates/frontend/serviceaccount.yaml | 7 + .../dependency-track/templates/ingress.yaml | 56 +-- charts/dependency-track/templates/pvc.yaml | 23 - .../dependency-track/templates/service.yaml | 20 - .../templates/serviceaccount.yaml | 8 - .../templates/tests/test-connection.yaml | 15 - charts/dependency-track/values.yaml | 446 +++++------------- ct-config.yaml | 1 + 26 files changed, 401 insertions(+), 625 deletions(-) create mode 100644 charts/dependency-track/Chart.lock delete mode 100644 charts/dependency-track/requirements.lock delete mode 100644 charts/dependency-track/requirements.yaml create mode 100644 charts/dependency-track/templates/backend/deployment.yaml create mode 100644 charts/dependency-track/templates/backend/pvc.yaml create mode 100644 charts/dependency-track/templates/backend/service.yaml create mode 100644 charts/dependency-track/templates/backend/serviceaccount.yaml delete mode 100644 charts/dependency-track/templates/configmap.yaml delete mode 100644 charts/dependency-track/templates/deployment.yaml 
create mode 100644 charts/dependency-track/templates/frontend/deployment.yaml create mode 100644 charts/dependency-track/templates/frontend/service.yaml create mode 100644 charts/dependency-track/templates/frontend/serviceaccount.yaml delete mode 100644 charts/dependency-track/templates/pvc.yaml delete mode 100644 charts/dependency-track/templates/service.yaml delete mode 100644 charts/dependency-track/templates/serviceaccount.yaml delete mode 100644 charts/dependency-track/templates/tests/test-connection.yaml diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index fc10c6e..56def9a 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -21,7 +21,7 @@ jobs: - name: Install Helm uses: azure/setup-helm@v1 with: - version: v3.5.1 + version: v3.5.3 - name: add repos run: | diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index f1607d1..0cf6758 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -21,7 +21,7 @@ jobs: - name: Set up Helm uses: azure/setup-helm@v1 with: - version: v3.5.0 + version: v3.5.3 - uses: actions/setup-python@v2 with: diff --git a/charts/dependency-track/Chart.lock b/charts/dependency-track/Chart.lock new file mode 100644 index 0000000..39e69a6 --- /dev/null +++ b/charts/dependency-track/Chart.lock @@ -0,0 +1,9 @@ +dependencies: +- name: postgresql + repository: https://charts.bitnami.com/bitnami + version: 10.3.11 +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.4.1 +digest: sha256:5f84bde102eb7fce40c1fb7e9a8edd18b794fab7fe8747646045b08d8df52246 +generated: "2021-03-10T19:45:23.233811+01:00" diff --git a/charts/dependency-track/Chart.yaml b/charts/dependency-track/Chart.yaml index 9c80187..bd4e21d 100644 --- a/charts/dependency-track/Chart.yaml +++ b/charts/dependency-track/Chart.yaml 
@@ -1,10 +1,10 @@ -apiVersion: v1 -appVersion: 3.8.0 +apiVersion: v2 +appVersion: 4.1.0 description: | Dependency-Track is an intelligent Software Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill-of-Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve. name: dependency-track home: https://dependencytrack.org/ -version: 0.2.4 +version: 1.0.0 icon: https://github.com/DependencyTrack/branding/blob/master/dt-logo-black-text.svg keywords: - security @@ -18,3 +18,11 @@ maintainers: sources: - https://docs.dependencytrack.org/ - https://github.com/evryfs/helm-charts +dependencies: +- name: postgresql + version: ~10.3 + repository: https://charts.bitnami.com/bitnami + condition: postgresql.enabled +- name: common + version: 1.4.x + repository: https://charts.bitnami.com/bitnami diff --git a/charts/dependency-track/ci/nopersistence-values.yaml b/charts/dependency-track/ci/nopersistence-values.yaml index 74379ac..2359e68 100644 --- a/charts/dependency-track/ci/nopersistence-values.yaml +++ b/charts/dependency-track/ci/nopersistence-values.yaml @@ -1,4 +1,14 @@ postgresql: enabled: false -persistentVolume: - enabled: false +apiserver: + persistentVolume: + enabled: false + resources: + requests: + cpu: 1600m + memory: 5Gi + limits: + cpu: 2 + memory: 5Gi +frontend: + replicaCount: 2 diff --git a/charts/dependency-track/ci/withpg-values.yaml b/charts/dependency-track/ci/withpg-values.yaml index dae90ef..cc1751c 100644 --- a/charts/dependency-track/ci/withpg-values.yaml +++ b/charts/dependency-track/ci/withpg-values.yaml @@ -1,2 +1,12 @@ postgresql: enabled: true +apiserver: + resources: + requests: + cpu: 1600m + memory: 5Gi + limits: + cpu: 2 + memory: 5Gi +frontend: + replicaCount: 2 
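Review bot: The jump to chart version 1.0.0 and Chart apiVersion v2 comes with no upgrade note, although the values layout and resource names change incompatibly: the top-level `persistentVolume`, `service`, `serviceAccount` and `securityContext` keys move under `apiserver`/`frontend` (see the ci values hunks and the values.yaml hunk further down), and the apiserver's claim is renamed from `<fullname>` (old templates/pvc.yaml) to `<fullname>-apiserver` (new templates/backend/pvc.yaml). A `helm upgrade` from 0.2.x therefore leaves the old keys unread and, with `apiserver.persistentVolume.enabled` defaulting to true, provisions a fresh claim instead of attaching the existing data volume; users need a documented migration, at minimum setting `apiserver.persistentVolume.existingClaim` to the old claim name. The postgresql dependency also moves from `~8.10` to `~10.3`, which presumably carries its own upgrade steps on the Bitnami side and should be linked rather than left implicit. Suggest an `## Upgrading to 1.0.0` section in the chart README or an `annotations:` entry in Chart.yaml that spells this out.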
diff --git a/charts/dependency-track/requirements.lock b/charts/dependency-track/requirements.lock
deleted file mode 100644
index f0b308a..0000000
--- a/charts/dependency-track/requirements.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: postgresql
- repository: https://charts.bitnami.com/bitnami
- version: 8.10.6
-digest: sha256:366a55a98d438e4f6fa2494b3fcca6324bb0c08136c53ad488e06627b2f57395
-generated: 2020-06-23T00:31:22.216336+02:00
diff --git a/charts/dependency-track/requirements.yaml b/charts/dependency-track/requirements.yaml
deleted file mode 100644
index fea6e3b..0000000
--- a/charts/dependency-track/requirements.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-dependencies:
-- name: postgresql
- version: ~8.10
- repository: https://charts.bitnami.com/bitnami
- condition: postgresql.enabled
diff --git a/charts/dependency-track/templates/NOTES.txt b/charts/dependency-track/templates/NOTES.txt
index 2711073..5bf1776 100644
--- a/charts/dependency-track/templates/NOTES.txt
+++ b/charts/dependency-track/templates/NOTES.txt
@@ -1,21 +1,3 @@ -1. Get the application URL by running these commands: {{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range .paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "dependency-track.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "dependency-track.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "dependency-track.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "dependency-track.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:80 +Visit {{ if .Values.ingress.tls.enabled }}https{{- else }}http{{- end }}://{{ .Values.ingress.host }} to use dependency-track. {{- end }} diff --git a/charts/dependency-track/templates/_helpers.tpl b/charts/dependency-track/templates/_helpers.tpl index 0d78c48..e349ca7 100644 --- a/charts/dependency-track/templates/_helpers.tpl +++ b/charts/dependency-track/templates/_helpers.tpl 
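Review bot: The new NOTES output is empty whenever `ingress.enabled` is false, because the single remaining line sits inside the surviving `{{- if .Values.ingress.enabled }}` … `{{- end }}` block and the NodePort/LoadBalancer/port-forward branches were removed without replacement. Someone installing with the default ClusterIP services and no ingress gets no hint how to reach the UI; an `{{- else }}` branch along the lines of `kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . }}-frontend 8080:{{ .Values.frontend.service.port }}` followed by the URL to open would restore that. It would also help to state that the API is served under `/api` on the same host, since that is how templates/ingress.yaml now routes it.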
@@ -1,56 +1,29 @@ {{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "dependency-track.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "dependency-track.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} +{{- define "apiserver.image" -}} +{{- include "common.images.image" ( dict "imageRoot" .Values.apiserver.image "global" .Values.global ) -}} {{- end -}} + +{{- define "frontend.image" -}} +{{- include "common.images.image" ( dict "imageRoot" .Values.frontend.image "global" .Values.global ) -}} {{- end -}} -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "dependency-track.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- define "frontend.labels.standard" -}} +{{ include "common.labels.standard" . }} +app.kubernetes.io/component: frontend {{- end -}} -{{/* -Common labels -*/}} -{{- define "dependency-track.labels" -}} -app.kubernetes.io/name: {{ include "dependency-track.name" . }} -helm.sh/chart: {{ include "dependency-track.chart" . 
}} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- define "frontend.labels.matchLabels" -}} +{{ include "common.labels.matchLabels" . }} +app.kubernetes.io/component: frontend {{- end -}} -{{/* -Create the name of the service account to use -*/}} -{{- define "dependency-track.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "dependency-track.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} +{{- define "backend.labels.standard" -}} +{{ include "common.labels.standard" . }} +app.kubernetes.io/component: backend {{- end -}} + +{{- define "backend.labels.matchLabels" -}} +{{ include "common.labels.matchLabels" . }} +app.kubernetes.io/component: backend {{- end -}} diff --git a/charts/dependency-track/templates/backend/deployment.yaml b/charts/dependency-track/templates/backend/deployment.yaml new file mode 100644 index 0000000..5853b44 --- /dev/null +++ b/charts/dependency-track/templates/backend/deployment.yaml 
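Review bot: The new named templates (`apiserver.image`, `frontend.image`, `frontend.labels.standard`, `backend.labels.matchLabels`, …) are unprefixed, whereas every removed helper carried the `dependency-track.` prefix; Helm template names are global across a chart and all subcharts it pulls in (here bitnami/postgresql and bitnami/common), so a generic name like `frontend.image` can be overridden by, or override, a definition in another chart without any warning. Suggest renaming them `dependency-track.apiserver.image`, `dependency-track.frontend.labels.standard`, and so on. The new definitions also drop the `{{/* ... */}}` description comments the old helpers had; a one-liner per template such as `{{/* Image reference for the apiserver, built by common.images.image from .Values.apiserver.image and .Values.global */}}` would keep the file self-explaining.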
@@ -0,0 +1,78 @@
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+ name: {{ include "common.names.fullname" . }}-apiserver
+ labels: {{- include "backend.labels.standard" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.apiserver.replicaCount }}
+ {{- if .Values.apiserver.persistentVolume.enabled }}
+ strategy:
+ type: Recreate
+ {{- end }}
+ selector:
+ matchLabels: {{- include "backend.labels.matchLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels: {{- include "backend.labels.standard" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecret: {{- toYaml . | nindent 6 }}
+ {{- end }}
+ serviceAccountName: {{ include "common.names.fullname" . }}-apiserver
+ securityContext: {{- toYaml .Values.apiserver.podSecurityContext | nindent 8 }}
+ {{- with .Values.apiserver.initContainers }}
+ initContainers: {{- toYaml . | nindent 6 }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}-apiserver
+ securityContext: {{- toYaml .Values.apiserver.securityContext | nindent 12 }}
+ image: {{ include "apiserver.image" . }}
+ imagePullPolicy: {{ .Values.apiserver.image.pullPolicy }}
+ {{- with .Values.apiserver.resources }}
+ resources: {{ . | toYaml | nindent 10 }}
+ {{- end }}
+ env:
+ - name: ALPINE_DATA_DIRECTORY
+ value: "/data"
+ {{- if .Values.postgresql.enabled }}
+ - name: ALPINE_DATABASE_MODE
+ value: "external"
+ - name: ALPINE_DATABASE_DRIVER
+ value: "org.postgresql.Driver"
+ - name: ALPINE_DATABASE_URL
+ value: jdbc:postgresql://{{ .Release.Name }}-postgresql/{{ .Values.postgresql.postgresqlDatabase }}
+ - name: ALPINE_DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Release.Name }}-postgresql
+ key: postgresql-password
+ - name: ALPINE_DATABASE_USERNAME
+ value: {{ .Values.postgresql.postgresqlUsername }}
+ {{- end }}
+ {{- with .Values.apiserver.env }}
+ {{- toYaml . 
| nindent 8 }}
+ {{- end }}
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ - name: tmp
+ mountPath: /tmp
+ ports:
+ - name: api
+ containerPort: 8080
+ protocol: TCP
+ volumes:
+ - name: tmp
+ emptyDir: {}
+ - name: data
+ {{- if .Values.apiserver.persistentVolume.enabled }}
+ persistentVolumeClaim:
+ claimName: {{ if .Values.apiserver.persistentVolume.existingClaim }}{{ .Values.apiserver.persistentVolume.existingClaim }}{{- else }}{{ include "common.names.fullname" . }}-apiserver{{- end }}
+ {{- else }}
+ emptyDir:
+ {{- if .Values.apiserver.emptyDir.sizeLimit }}
+ sizeLimit: {{ .Values.apiserver.emptyDir.sizeLimit }}
+ {{- else }}
+ {}
+ {{- end -}}
+ {{- end }}
diff --git a/charts/dependency-track/templates/backend/pvc.yaml b/charts/dependency-track/templates/backend/pvc.yaml
new file mode 100644
index 0000000..3fa3612
--- /dev/null
+++ b/charts/dependency-track/templates/backend/pvc.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.apiserver.persistentVolume.enabled -}}
+{{- if not .Values.apiserver.persistentVolume.existingClaim -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ {{- with .Values.apiserver.persistentVolume.annotations }}
+ annotations: {{ toYaml .| nindent 4 }}
+ {{- end }}
+ labels: {{- include "backend.labels.standard" . | nindent 4 }}
+ name: {{ include "common.names.fullname" . }}-apiserver
+spec:
+ accessModes:
+ - ReadWriteOnce
+{{- with .Values.apiserver.persistentVolume.storageClass }}
+ storageClassName: "{{ . }}"
+{{- end }}
+ resources:
+ requests:
+ storage: "{{ .Values.apiserver.persistentVolume.size }}"
+{{- end -}}
+{{- end -}}
diff --git a/charts/dependency-track/templates/backend/service.yaml b/charts/dependency-track/templates/backend/service.yaml
new file mode 100644
index 0000000..a8a3088
--- /dev/null
+++ b/charts/dependency-track/templates/backend/service.yaml
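Review bot: The pull-secret block in the pod spec is broken twice: the key is spelled `imagePullSecret` (the Pod field is `imagePullSecrets`, as frontend/deployment.yaml and the removed deployment.yaml have it), and it reads `.Values.imagePullSecrets`, a top-level key the new values.yaml no longer defines — the apiserver's secrets now live at `apiserver.image.imagePullSecrets`. Since `with` on a missing value renders nothing, the chart silently produces a pod without pull secrets for private registries; fix with `{{- with .Values.apiserver.image.imagePullSecrets }}` / `imagePullSecrets: {{- toYaml . | nindent 6 }}` / `{{- end }}`, and consider moving the value to `apiserver.imagePullSecrets` so it matches the frontend's layout. `serviceAccountName` is hard-coded to `<fullname>-apiserver`, so with `apiserver.serviceAccount.create: false` the pod references an account nothing creates and `apiserver.serviceAccount.name` is never consulted; the removed `dependency-track.serviceAccountName` helper handled both cases, and frontend/deployment.yaml has the same problem. The liveness/readiness probes and the `nodeSelector`/`tolerations`/`affinity` blocks of the removed deployment.yaml have no counterpart here or in the frontend deployment, although values.yaml still declares `nodeSelector`, `tolerations` and `affinity` under both `apiserver` and `frontend` (and probe delays under `frontend`), so those settings are accepted and ignored.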
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "common.names.fullname" . }}-apiserver
+ labels: {{- include "backend.labels.standard" . | nindent 4 }}
+ {{- with .Values.apiserver.service.annotations }}
+ annotations: {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.apiserver.service.type }}
+ ports:
+ - port: {{ .Values.apiserver.service.port }}
+ targetPort: api
+ selector: {{- include "backend.labels.matchLabels" . | nindent 4 }}
diff --git a/charts/dependency-track/templates/backend/serviceaccount.yaml b/charts/dependency-track/templates/backend/serviceaccount.yaml
new file mode 100644
index 0000000..e471927
--- /dev/null
+++ b/charts/dependency-track/templates/backend/serviceaccount.yaml
@@ -0,0 +1,7 @@
+{{- if .Values.apiserver.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "common.names.fullname" . }}-apiserver
+ labels: {{- include "frontend.labels.standard" . | nindent 4 }}
+{{- end -}}
diff --git a/charts/dependency-track/templates/configmap.yaml b/charts/dependency-track/templates/configmap.yaml
deleted file mode 100644
index 23ddbee..0000000
--- a/charts/dependency-track/templates/configmap.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "dependency-track.fullname" . }}
- labels:
-{{ include "dependency-track.labels" . | indent 4 }}
-data:
-{{- range $key, $value := .Values.configmap }}
-{{ $key | indent 2 }}: |-
-{{ $value | indent 4}}
-{{- end -}}
diff --git a/charts/dependency-track/templates/deployment.yaml b/charts/dependency-track/templates/deployment.yaml
deleted file mode 100644
index c0952e5..0000000
--- a/charts/dependency-track/templates/deployment.yaml
+++ /dev/null
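Review bot: The backend ServiceAccount is labelled with `frontend.labels.standard`, and frontend/serviceaccount.yaml further down uses `backend.labels.standard`, so each account carries the other component's `app.kubernetes.io/component` label; swap the two includes (`labels: {{- include "backend.labels.standard" . | nindent 4 }}` here, the frontend one in the other file). Neither account is bound to any Role in this change and nothing on the page suggests either container talks to the Kubernetes API, so consider `automountServiceAccountToken: false` on both ServiceAccounts to keep an API token out of the pods, re-enabling it per workload only if an integration turns out to need one. A short comment on each file saying the account exists for identity/policy purposes rather than API access would make that intent explicit.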
@@ -1,112 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "dependency-track.fullname" . }}
- labels:
-{{ include "dependency-track.labels" . | indent 4 }}
-spec:
- replicas: {{ .Values.replicaCount }}
- {{- if .Values.persistentVolume.enabled }}
- strategy:
- type: Recreate
- {{- end }}
- selector:
- matchLabels:
- app.kubernetes.io/name: {{ include "dependency-track.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- template:
- metadata:
- labels:
- app.kubernetes.io/name: {{ include "dependency-track.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ template "dependency-track.serviceAccountName" . }}
- securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
- {{- with .Values.initContainers }}
- initContainers: {{- toYaml . | nindent 8 }}
- {{- end }}
- containers:
- - name: {{ .Chart.Name }}
- securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- env:
- - name: ALPINE_DATA_DIRECTORY
- value: "/data"
- {{- if .Values.postgresql.enabled }}
- - name: ALPINE_DATABASE_MODE
- value: "external"
- - name: ALPINE_DATABASE_DRIVER
- value: "org.postgresql.Driver"
- - name: ALPINE_DATABASE_DRIVER_PATH
- value: "/extlib/postgresql-42.2.5.jar"
- - name: ALPINE_DATABASE_URL
- value: jdbc:postgresql://{{ .Release.Name }}-postgresql/{{ .Values.postgresql.postgresqlDatabase }}
- - name: ALPINE_DATABASE_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ .Release.Name }}-postgresql
- key: postgresql-password
- - name: ALPINE_DATABASE_USERNAME
- value: {{ .Values.postgresql.postgresqlUsername }}
- {{- end }}
- {{- with .Values.env }}
- {{- toYaml . 
| nindent 10 }}
- {{- end }}
- ports:
- - name: http
- containerPort: 8080
- protocol: TCP
- livenessProbe:
- initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
- httpGet:
- path: /
- port: http
- readinessProbe:
- initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
- httpGet:
- path: /
- port: http
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
- volumeMounts:
- - name: data
- mountPath: /data
- - name: config
- mountPath: /config
- - name: tmp
- mountPath: /tmp
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- volumes:
- - name: config
- configMap:
- name: {{ include "dependency-track.fullname" . }}
- - name: tmp
- emptyDir: {}
- - name: data
- {{- if .Values.persistentVolume.enabled }}
- persistentVolumeClaim:
- claimName: {{ if .Values.persistentVolume.existingClaim }}{{ .Values.persistentVolume.existingClaim }}{{- else }}{{ template "dependency-track.fullname" . }}{{- end }}
- {{- else }}
- emptyDir:
- {{- if .Values.emptyDir.sizeLimit }}
- sizeLimit: {{ .Values.emptyDir.sizeLimit }}
- {{- else }}
- {}
- {{- end -}}
- {{- end }}
diff --git a/charts/dependency-track/templates/frontend/deployment.yaml b/charts/dependency-track/templates/frontend/deployment.yaml
new file mode 100644
index 0000000..fd19bff
--- /dev/null
+++ b/charts/dependency-track/templates/frontend/deployment.yaml
@@ -0,0 +1,48 @@
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+ name: {{ include "common.names.fullname" . }}-frontend
+ labels: {{- include "frontend.labels.standard" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.frontend.replicaCount }}
+ selector:
+ matchLabels: {{- include "frontend.labels.matchLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels: {{- include "frontend.labels.standard" . | nindent 8 }}
+ spec:
+ {{- with .Values.frontend.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 6 }}
+ {{- end }}
+ serviceAccountName: {{ include "common.names.fullname" . }}-frontend
+ securityContext: {{- toYaml .Values.frontend.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}-frontend
+ securityContext: {{- toYaml .Values.frontend.securityContext | nindent 12 }}
+ {{- with .Values.frontend.resources }}
+ resources: {{ . | toYaml | nindent 10 }}
+ {{- end }}
+ image: {{ include "frontend.image" . }}
+ imagePullPolicy: {{ .Values.frontend.image.pullPolicy }}
+ {{- with .Values.frontend.env }}
+ env: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ #- name: config
+ # mountPath: /app/static
+ volumes:
+ - name: tmp
+ emptyDir: {}
+ # https://github.com/DependencyTrack/frontend/issues/60
+ # - name: config
+ # configMap:
+ # name: {{ include "common.names.fullname" . }}-frontend
+ # items:
+ # - key: config.json
+ # path: config.json
diff --git a/charts/dependency-track/templates/frontend/service.yaml b/charts/dependency-track/templates/frontend/service.yaml
new file mode 100644
index 0000000..87f4cc3
--- /dev/null
+++ b/charts/dependency-track/templates/frontend/service.yaml
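Review bot: The frontend container has no readiness or liveness probe even though values.yaml declares `frontend.readinessProbe.initialDelaySeconds` and `frontend.livenessProbe.initialDelaySeconds` and the removed deployment.yaml rendered both; with the default `replicaCount: 2`, a rollout lets the Service and Ingress send traffic to a pod before anything listens on port 80, and a wedged container is never restarted. The probes below reuse the declared values and the same `/` target the old template used. Separately, the `securityContext` rendered here comes straight from values, where the frontend defaults to `runAsUser: 0` with no `capabilities.drop` and its `podSecurityContext` commented out, while the previous chart dropped all capabilities and ran non-root; if root is needed only to bind port 80, `capabilities: {drop: [ALL], add: [NET_BIND_SERVICE]}` keeps that ability while shedding the rest, and the values comment should say so. The `#- name: config` mount stub and the commented volume are dead code pinned to the linked upstream issue; a `# TODO(frontend#60):` prefix on those lines would make clear they are intentional placeholders rather than leftovers.
```yaml
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /
            port: http
          initialDelaySeconds: {{ .Values.frontend.livenessProbe.initialDelaySeconds }}
        readinessProbe:
          httpGet:
            path: /
            port: http
          initialDelaySeconds: {{ .Values.frontend.readinessProbe.initialDelaySeconds }}
        # … unchanged: volumeMounts, volumes …
```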
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "common.names.fullname" . }}-frontend
+ labels: {{- include "frontend.labels.standard" . | nindent 4 }}
+ {{- with .Values.frontend.service.annotations }}
+ annotations: {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.frontend.service.type }}
+ ports:
+ - port: {{ .Values.frontend.service.port }}
+ targetPort: http
+ selector: {{- include "frontend.labels.matchLabels" . | nindent 4 }}
diff --git a/charts/dependency-track/templates/frontend/serviceaccount.yaml b/charts/dependency-track/templates/frontend/serviceaccount.yaml
new file mode 100644
index 0000000..010277d
--- /dev/null
+++ b/charts/dependency-track/templates/frontend/serviceaccount.yaml
@@ -0,0 +1,7 @@
+{{- if .Values.frontend.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "common.names.fullname" . }}-frontend
+ labels: {{- include "backend.labels.standard" . | nindent 4 }}
+{{- end -}}
diff --git a/charts/dependency-track/templates/ingress.yaml b/charts/dependency-track/templates/ingress.yaml
index c94d5eb..3110f7d 100644
--- a/charts/dependency-track/templates/ingress.yaml
+++ b/charts/dependency-track/templates/ingress.yaml
@@ -1,41 +1,35 @@ {{- if .Values.ingress.enabled -}} -{{- $fullName := include "dependency-track.fullname" . -}} -{{- $svcPort := .Values.service.port -}} -{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: - name: {{ $fullName }} - labels: -{{ include "dependency-track.labels" . | indent 4 }} + name: {{ include "common.names.fullname" . }} + labels: {{- include "common.labels.standard" . | nindent 4 }} {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} + annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: -{{- if .Values.ingress.tls }} + {{- if .Values.ingress.tls.enabled }} tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} + - hosts: + - {{ .Values.ingress.host }} + secretName: {{ .Values.ingress.tls.secretName }} {{- end }} -{{- end }} rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} - http: - paths: - {{- range .paths }} - - path: {{ . }} - backend: - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} - {{- end }} + - host: {{ .Values.ingress.host }} + http: + paths: + - path: /api + pathType: Prefix + backend: + service: + name: {{ include "common.names.fullname" . }}-apiserver + port: + number: {{ .Values.apiserver.service.port }} + - path: / + pathType: Prefix + backend: + service: + name: {{ include "common.names.fullname" . }}-frontend + port: + number: {{ .Values.frontend.service.port }} {{- end }} diff --git a/charts/dependency-track/templates/pvc.yaml b/charts/dependency-track/templates/pvc.yaml deleted file mode 100644 index 500d1b6..0000000 --- a/charts/dependency-track/templates/pvc.yaml +++ /dev/null 
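Review bot: The rule body is written purely in the `networking.k8s.io/v1` schema (`pathType`, `backend.service.name`, `backend.service.port.number`) while `apiVersion` is delegated to `common.capabilities.ingress.apiVersion`, which for Kubernetes releases older than 1.19 resolves to a v1beta1 API; on such clusters the rendered object is rejected because v1beta1 expects `backend.serviceName`/`servicePort`, so the helper misleads rather than helps. Either pin `apiVersion: networking.k8s.io/v1` and declare the ≥1.19 requirement via `kubeVersion` in Chart.yaml, or render each backend through the common chart's `common.ingress.backend` helper (if the pinned 1.4.x line ships it) so both schemas are handled. `host: {{ .Values.ingress.host }}` is unquoted both in the `tls.hosts` entry and in the rule; the old template used `{{ .host | quote }}`, which also keeps an empty value from rendering as null — `host: {{ .Values.ingress.host | quote }}` restores that. The split of `/api` to the apiserver and `/` to the frontend on one host means the API is exposed exactly as widely as the UI, which looks intended but deserves a comment next to the `/api` path for operators who want to front it with stricter annotations.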
@@ -1,23 +0,0 @@
-{{- if .Values.persistentVolume.enabled -}}
-{{- if not .Values.persistentVolume.existingClaim -}}
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- {{- if .Values.persistentVolume.annotations }}
- annotations:
-{{ toYaml .Values.persistentVolume.annotations | indent 4 }}
- {{- end }}
- labels:
- {{- include "dependency-track.labels" . | nindent 4 }}
- name: {{ template "dependency-track.fullname" . }}
-spec:
- accessModes:
- - ReadWriteOnce
-{{- with .Values.persistentVolume.storageClass }}
- storageClassName: "{{ . }}"
-{{- end }}
- resources:
- requests:
- storage: "{{ .Values.persistentVolume.size }}"
-{{- end -}}
-{{- end -}}
diff --git a/charts/dependency-track/templates/service.yaml b/charts/dependency-track/templates/service.yaml
deleted file mode 100644
index bb3222d..0000000
--- a/charts/dependency-track/templates/service.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "dependency-track.fullname" . }}
- labels:
-{{ include "dependency-track.labels" . | indent 4 }}
- {{- with .Values.service.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - port: {{ .Values.service.port }}
- targetPort: http
- protocol: TCP
- name: http
- selector:
- app.kubernetes.io/name: {{ include "dependency-track.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/dependency-track/templates/serviceaccount.yaml b/charts/dependency-track/templates/serviceaccount.yaml
deleted file mode 100644
index 9e58765..0000000
--- a/charts/dependency-track/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ template "dependency-track.serviceAccountName" . }}
- labels:
-{{ include "dependency-track.labels" . | indent 4 }}
-{{- end -}}
diff --git a/charts/dependency-track/templates/tests/test-connection.yaml b/charts/dependency-track/templates/tests/test-connection.yaml
deleted file mode 100644
index fe9206a..0000000
--- a/charts/dependency-track/templates/tests/test-connection.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: "{{ include "dependency-track.fullname" . }}-test-connection"
- labels:
-{{ include "dependency-track.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": test-success
-spec:
- containers:
- - name: wget
- image: busybox
- command: ['wget']
- args: ['{{ include "dependency-track.fullname" . }}:{{ .Values.service.port }}']
- restartPolicy: Never
diff --git a/charts/dependency-track/values.yaml b/charts/dependency-track/values.yaml
index e592a6c..b49472b 100644
--- a/charts/dependency-track/values.yaml
+++ b/charts/dependency-track/values.yaml
@@ -1,340 +1,140 @@ # Default values for dependency-track. # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# Since dependency-track 4.0, there are now two separate images. One for frontend, one for the apiserver. -# Max: 1 - DT is not designed for HA -replicaCount: 1 - -image: - repository: docker.io/owasp/dependency-track - tag: 3.8.0 - pullPolicy: IfNotPresent - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" -initContainers: [] - -readinessProbe: - initialDelaySeconds: 60 - -livenessProbe: - initialDelaySeconds: 60 - -serviceAccount: - # Specifies whether a service account should be created - create: true - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: - -podSecurityContext: - fsGroup: 1000 - -securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 +global: + imageRegistry: docker.io -service: - type: ClusterIP - port: 80 - annotations: {} - # cloud.google.com/load-balancer-type: "Internal" +# The frontend +frontend: + enabled: true + replicaCount: 2 + image: + repository: dependencytrack/frontend + tag: 1.2.0 + pullPolicy: IfNotPresent + imagePullSecrets: [] + # https://github.com/DependencyTrack/frontend/issues/60 + # configmap: + # config: | + # { + # "API_BASE_URL": "", + # "OIDC_ISSUER": "", + # "OIDC_CLIENT_ID": "", + # "OIDC_SCOPE": "openid profile email", + # "OIDC_FLOW": "" + # } + env: + - name: API_BASE_URL + value: "" + # See https://docs.dependencytrack.org/getting-started/configuration/ for frontend ENV variables. 
+# podSecurityContext: +# fsGroup: 1000 + securityContext: + allowPrivilegeEscalation: false + # binds to port 80 + runAsUser: 0 + # rootfs cannot be R/O because there is some messing around with file generation and whatnot - + service: + type: ClusterIP + port: 80 + annotations: {} + nodeSelector: {} + tolerations: [] + affinity: {} + emptyDir: + sizeLimit: 8Gi + resources: + # https://docs.dependencytrack.org/getting-started/deploy-docker/ + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 1 + memory: 512Mi + nameOverride: "" + fullnameOverride: "" + initContainers: [] + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: frontend-serviceaccount + readinessProbe: + initialDelaySeconds: 60 + livenessProbe: + initialDelaySeconds: 60 + +# The apiserver +apiserver: + enabled: true +# Max: 1 - DT is not designed for HA + replicaCount: 1 + image: + repository: dependencytrack/apiserver + tag: 4.1.0 + imagePullSecrets: [] + pullPolicy: IfNotPresent + env: [] + persistentVolume: + enabled: true + size: 8Gi + annotations: {} + storageClass: "" + podSecurityContext: + fsGroup: 1000 + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + service: + type: ClusterIP + port: 80 + annotations: {} + nodeSelector: {} + tolerations: [] + affinity: {} + emptyDir: + sizeLimit: 8Gi + resources: + # https://docs.dependencytrack.org/getting-started/deploy-docker/ + requests: + cpu: 2 + memory: 4608Mi + limits: + cpu: 4 + memory: 16Gi + nameOverride: "" + fullnameOverride: "" + initContainers: [] + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: apiserver-serviceaccount + # See https://docs.dependencytrack.org/getting-started/configuration/ for backend configuration options. + readinessProbe: + initialDelaySeconds: 60 + livenessProbe: + initialDelaySeconds: 60 ingress: enabled: false + tls: + enabled: false + secretName: "" annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" ## allow large bom.xml uploads: # nginx.ingress.kubernetes.io/proxy-body-size: 10m - hosts: - - host: chart-example.local - paths: - - "/" - - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - requests: - cpu: 1500m - memory: 4Gi - limits: - cpu: 4 - memory: 16Gi - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -env: [] - -persistentVolume: - enabled: true - size: 8Gi - annotations: {} - storageClass: "" - -emptyDir: - sizeLimit: 8Gi - -configmap: - application.properties: | - ############################ Alpine Configuration ########################### - # Required - # Defines the number of worker threads that the event subsystem will consume. - # Events occur asynchronously and are processed by the Event subsystem. This - # value should be large enough to handle most production situations without - # introducing much delay, yet small enough not to pose additional load on an - # already resource-constrained server. - # A value of 0 will instruct Alpine to allocate 1 thread per CPU core. This - # can further be tweaked using the alpine.worker.thread.multiplier property. - # Default value is 0. 
- alpine.worker.threads=0 - - # Required - # Defines a multiplier that is used to calculate the number of threads used - # by the event subsystem. This property is only used when alpine.worker.threads - # is set to 0. A machine with 4 cores and a multiplier of 4, will use (at most) - # 16 worker threads. Default value is 4. - alpine.worker.thread.multiplier=4 - - # Required - # Defines the path to the data directory. This directory will hold logs, keys, - # and any database or index files along with application-specific files or - # directories. - alpine.data.directory=~/.dependency-track - - # Required - # Defines the interval (in seconds) to log general heath information. If value - # equals 0, watchdog logging will be disabled. - alpine.watchdog.logging.interval=0 - - # Required - # Defines the database mode of operation. Valid choices are: - # 'server', 'embedded', and 'external'. - # In server mode, the database will listen for connections from remote hosts. - # In embedded mode, the system will be more secure and slightly faster. - # External mode should be used when utilizing an external database server - # (i.e. mysql, postgresql, etc). - alpine.database.mode=embedded - - # Optional - # Defines the TCP port to use when the database.mode is set to 'server'. - alpine.database.port=9092 - - # Required - # Specifies the JDBC URL to use when connecting to the database. - alpine.database.url=jdbc:h2:~/.dependency-track/db - - # Required - # Specifies the JDBC driver class to use. - alpine.database.driver=org.h2.Driver - - # Optional - # Specifies the path (including filename) to where the JDBC driver is located. - # alpine.database.driver.path=/path/to/dbdriver.jar - - # Optional - # Specifies the username to use when authenticating to the database. - alpine.database.username=sa - - # Optional - # Specifies the password to use when authenticating to the database. 
- # alpine.database.password= - - # Optional - # Specifies if the database connection pool is enabled. - alpine.database.pool.enabled=true - - # Optional - # This property controls the maximum size that the pool is allowed to reach, - # including both idle and in-use connections. - alpine.database.pool.max.size=10 - - # Optional - # This property controls the maximum amount of time that a connection is - # allowed to sit idle in the pool. - alpine.database.pool.idle.timeout=600000 - - # Optional - # This property controls the maximum lifetime of a connection in the pool. - # An in-use connection will never be retired, only when it is closed will - # it then be removed. - alpine.database.pool.max.lifetime=600000 - - # Optional - # When authentication is enforced, API keys are required for automation, and - # the user interface will prevent anonymous access by prompting for login - # credentials. - alpine.enforce.authentication=true - - # Optional - # When authorization is enforced, team membership for both API keys and user - # accounts are restricted to what the team itself has access to. To enforce - # authorization, the enforce.authentication property (above) must be true. - alpine.enforce.authorization=true - - # Required - # Specifies the number of bcrypt rounds to use when hashing a users password. - # The higher the number the more secure the password, at the expense of - # hardware resources and additional time to generate the hash. - alpine.bcrypt.rounds=14 - - # Required - # Defines if LDAP will be used for user authentication. If enabled, - # alpine.ldap.* properties should be set accordingly. 
- alpine.ldap.enabled=false - - # Optional - # Specifies the LDAP server URL - # Example (Microsoft Active Directory): - # alpine.ldap.server.url=ldap://ldap.example.com:3268 - # alpine.ldap.server.url=ldaps://ldap.example.com:3269 - # Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc): - # alpine.ldap.server.url=ldap://ldap.example.com:389 - # alpine.ldap.server.url=ldaps://ldap.example.com:636 - alpine.ldap.server.url=ldap://ldap.example.com:389 - - # Optional - # Specifies the base DN that all queries should search from - alpine.ldap.basedn=dc=example,dc=com - - # Optional - # Specifies the LDAP security authentication level to use. Its value is one of - # the following strings: "none", "simple", "strong". If this property is empty - # or unspecified, the behaviour is determined by the service provider. - alpine.ldap.security.auth=simple - - # Optional - # If anonymous access is not permitted, specify a username with limited access - # to the directory, just enough to perform searches. This should be the fully - # qualified DN of the user. - alpine.ldap.bind.username= - - # Optional - # If anonymous access is not permitted, specify a password for the username - # used to bind. - alpine.ldap.bind.password= - - # Optional - # Specifies if the username entered during login needs to be formatted prior - # to asserting credentials against the directory. For Active Directory, the - # userPrincipal attribute typically ends with the domain, whereas the - # samAccountName attribute and other directory server implementations do not. - # The %s variable will be substitued with the username asserted during login. 
- # Example (Microsoft Active Directory): - # alpine.ldap.auth.username.format=%s@example.com - # Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc): - # alpine.ldap.auth.username.format=%s - alpine.ldap.auth.username.format=%s@example.com - - # Optional - # Specifies the Attribute that identifies a users ID - # Example (Microsoft Active Directory): - # alpine.ldap.attribute.name=userPrincipalName - # Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc): - # alpine.ldap.attribute.name=uid - alpine.ldap.attribute.name=userPrincipalName - - # Optional - # Specifies the LDAP attribute used to store a users email address - alpine.ldap.attribute.mail=mail - - # Optional - # Specifies the LDAP search filter used to retrieve all groups from the - # directory. - # Example (Microsoft Active Directory): - # alpine.ldap.groups.filter=(&(objectClass=group)(objectCategory=Group)) - # Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc): - # alpine.ldap.groups.filter=(&(objectClass=groupOfUniqueNames)) - alpine.ldap.groups.filter=(&(objectClass=group)(objectCategory=Group)) - - # Optional - # Specifies the LDAP search filter to use to query a user and retrieve a list - # of groups the user is a member of. The {USER_DN} variable will be substituted - # with the actual value of the users DN at runtime. - # Example (Microsoft Active Directory): - # alpine.ldap.user.groups.filter=(&(objectClass=group)(objectCategory=Group)(member={USER_DN})) - # Example (Microsoft Active Directory - with nested group support): - # alpine.ldap.user.groups.filter=(member:1.2.840.113556.1.4.1941:={USER_DN}) - # Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc): - # alpine.ldap.user.groups.filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN})) - alpine.ldap.user.groups.filter=(member:1.2.840.113556.1.4.1941:={USER_DN}) - - # Optional - # Specifies the LDAP search filter used to search for groups by their name. 
- # The {SEARCH_TERM} variable will be substituted at runtime. - # Example (Microsoft Active Directory): - # alpine.ldap.groups.search.filter=(&(objectClass=group)(objectCategory=Group)(cn=*{SEARCH_TERM}*)) - # Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc): - # alpine.ldap.groups.search.filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*)) - alpine.ldap.groups.search.filter=(&(objectClass=group)(objectCategory=Group)(cn=*{SEARCH_TERM}*)) - - # Optional - # Specifies the LDAP search filter used to search for users by their name. - # The {SEARCH_TERM} variable will be substituted at runtime. - # Example (Microsoft Active Directory): - # alpine.ldap.users.search.filter=(&(objectClass=group)(objectCategory=Group)(cn=*{SEARCH_TERM}*)) - # Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc): - # alpine.ldap.users.search.filter=(&(objectClass=inetOrgPerson)(cn=*{SEARCH_TERM}*)) - alpine.ldap.users.search.filter=(&(objectClass=user)(objectCategory=Person)(cn=*{SEARCH_TERM}*)) - - # Optional - # Specifies if mapped LDAP accounts are automatically created upon successful - # authentication. When a user logs in with valid credentials but an account has - # not been previously provisioned, an authentication failure will be returned. - # This allows admins to control specifically which ldap users can access the - # system and which users cannot. When this value is set to true, a local ldap - # user will be created and mapped to the ldap account automatically. This - # automatic provisioning only affects authentication, not authorization. - alpine.ldap.user.provisioning=false - - # Optional - # This option will ensure that team memberships for LDAP users are dynamic and - # synchronized with membership of LDAP groups. When a team is mapped to an LDAP - # group, all local LDAP users will automatically be assigned to the team if - # they are a member of the group the team is mapped to. 
If the user is later - # removed from the LDAP group, they will also be removed from the team. This - # option provides the ability to dynamically control user permissions via an - # external directory. - alpine.ldap.team.synchronization=false - - # Optional - # HTTP proxy. If the address is set, then the port must be set too. - # alpine.http.proxy.address=proxy.example.com - # alpine.http.proxy.port=8888 - # alpine.http.proxy.username= - # alpine.http.proxy.password= - - # Optional - # Cross-Origin Resource Sharing (CORS) headers to include in REST responses. - # If 'alpine.cors.enabled' is true, CORS headers will be sent, if false, no - # CORS headers will be sent. - # See Also: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS - # The following are default values - #alpine.cors.enabled=true - #alpine.cors.allow.origin=* - #alpine.cors.allow.methods=GET POST PUT DELETE OPTIONS - #alpine.cors.allow.headers=Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count, * - #alpine.cors.expose.headers=Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count - #alpine.cors.allow.credentials=true - #alpine.cors.max.age=3600 + host: chart-example.local +# Postgres variables postgresql: enabled: true postgresqlUsername: deptrack diff --git a/ct-config.yaml b/ct-config.yaml index 49b80e6..f98428d 100644 --- a/ct-config.yaml +++ b/ct-config.yaml @@ -1,4 +1,5 @@ remote: origin +helm-extra-args: --timeout 10m chart-dirs: - charts chart-repos:
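Review bot: The new `apiserver.securityContext` silently loses the `capabilities: drop: [ALL]` entry the old top-level `securityContext` carried, and the new `frontend.securityContext` has neither a capability drop nor `readOnlyRootFilesystem` while the container runs as `runAsUser: 0` (per the comment, only to bind port 80). Unless the images are known to need extra capabilities, restore `capabilities:` / `  drop:` / `    - ALL` under both `securityContext` blocks, and consider whether the frontend can listen on an unprivileged port so `runAsNonRoot: true` can apply to it too; whether the image supports that is not visible from the values file, so this needs confirming against the upstream image. As a point of style, the `# Max: 1 - DT is not designed for HA` and `# podSecurityContext:` comments sit at column 0 inside the `apiserver:` and `frontend:` mappings; indenting them to the key they describe keeps yamllint's comments-indentation check clean. The `serviceAccount.name` comment ("If not set and create is true, a name is generated using the fullname template") no longer matches the now-hardcoded `frontend-serviceaccount` / `apiserver-serviceaccount` defaults, so either leave `name:` empty or reword the comment.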