Feature/horusec platfrom helm

.talismanrc

@@ -0,0 +1,3 @@
+fileignoreconfig:
+- filename: deployments/helm/horusec-platform/values.yaml
+  checksum: 16a6ac86da601ae1c504b54b0b337e955b7fd32e8cce38677316e4198c22908f

deployments/helm/horusec-platform/README.md

@@ -227,6 +227,10 @@ A Helm chart for Kubernetes
 | components.webhook.container.securityContext.runAsNonRoot | bool | `true` |  |
 | components.webhook.container.securityContext.runAsUser | int | `1000` |  |
 | components.webhook.extraEnv | list | `[]` |  |
+| components.webhook.ingress.enabled | bool | `true` |  |
+| components.webhook.ingress.host | string | `"webhook.local"` |  |
+| components.webhook.ingress.path | string | `"/webhook"` |  |
+| components.webhook.ingress.tls | string | `nil` |  |
 | components.webhook.name | string | `"webhook"` |  |
 | components.webhook.pod.autoscaling.enabled | bool | `false` |  |
 | components.webhook.pod.autoscaling.maxReplicas | int | `3` |  |
@@ -269,5 +273,6 @@ A Helm chart for Kubernetes
 | global.keycloak.otp | bool | `false` |  |
 | global.keycloak.publicURL | string | `""` |  |
 | global.keycloak.realm | string | `"horusec"` |  |
-
+| global.ingress.certManager | bool | `"false"` |  |
+| global.ingress.annotations | string | `kubernetes.io/ingress.class: "nginx"` |  |
 ----------------------------------------------

deployments/helm/horusec-platform/templates/_helpers.tpl

@@ -55,6 +55,28 @@ Return the proper Horusec Auth URI scheme
 {{- end -}}
 {{- end -}}
 
+{{/*
+Return the proper Horusec Vulnerability URI scheme
+*/}}
+{{- define "vulnerability.uri.scheme" -}}
+{{- if .Values.components.vulnerability.ingress.tls -}}
+{{- "https" -}}
+{{- else -}}
+{{- "http" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper Horusec Webhook URI scheme
+*/}}
+{{- define "webhook.uri.scheme" -}}
+{{- if .Values.components.webhook.ingress.tls -}}
+{{- "https" -}}
+{{- else -}}
+{{- "http" -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return the proper Horusec Auth image name
 */}}
@@ -365,6 +387,51 @@ True if Ingress is enabled for any of the components.
 {{- end -}}
 {{- end -}}
 
+{{/*
+If enabled, return Ingress Rules.
+*/}}
+{{- define "ingress.rules" -}}
+{{- $components := list -}}
+{{- range $_, $component := .Values.components -}}
+    {{- if $component.ingress -}}
+        {{- $components = append $components $component -}}
+    {{- end -}}
+{{- end -}}
+
+{{- $hosts := dict -}}
+{{- range $_, $component := $components -}}
+    {{- if $component.ingress -}}
+    {{ if not (hasKey $hosts $component.ingress.host) }}
+        {{- $ingresses := list -}}
+        {{- range $_, $otherComponent := $components -}}
+            {{- if eq $component.ingress.host $otherComponent.ingress.host -}}
+                {{- $ingresses = append $ingresses $otherComponent -}}
+            {{- end -}}
+        {{- end -}}
+        {{- $_ := set $hosts $component.ingress.host (compact $ingresses) -}}
+    {{- end -}}
+    {{- end -}}
+{{- end -}}
+
+rules:
+{{- range $host, $components := $hosts }}
+  - host: {{ $host }}
+    http:
+      paths:
+        {{- range $component := $components }}
+        - backend:
+            serviceName: {{ $component.name }}
+            servicePort: {{ $component.port.http }}
+          {{- if not (eq "manager" $component.name) }}
+          path: {{ $component.ingress.path }}
+          {{- if eq "true" (include "ingress.supportsPathType" .) }}
+          pathType: Prefix
+          {{- end }}
+          {{- end }}
+        {{- end }}
+{{- end -}}
+{{- end -}}
+
 
 {{/*
 If enabled, return SSL/TLS Ingress YAML configuration.

deployments/helm/horusec-platform/templates/deployments/auth.yaml

@@ -34,6 +34,10 @@ spec:
             value: {{ required "A valid global.broker.host is required!" .Values.global.broker.host }}
           - name: HORUSEC_BROKER_PORT
             value: {{ .Values.global.broker.port | quote }}
+          - name: HORUSEC_MANAGER_URL
+            value: {{ .Values.components.manager.ingress.host | quote }}
+          - name: HORUSEC_AUTH_URL
+            value: {{ .Values.components.auth.ingress.host| quote }}
           - name: HORUSEC_AUTH_TYPE
             value: {{ .Values.components.auth.type }}
           - name: HORUSEC_ENABLE_APPLICATION_ADMIN

deployments/helm/horusec-platform/templates/deployments/manager.yaml

@@ -28,6 +28,10 @@ spec:
             value: {{ template "core.uri.scheme" . -}}:\/\/{{- .Values.components.core.ingress.host }}
           - name: REACT_APP_HORUSEC_ENDPOINT_AUTH
             value: {{ template "auth.uri.scheme" . -}}:\/\/{{- .Values.components.auth.ingress.host }}
+          - name: REACT_APP_HORUSEC_ENDPOINT_VULNERABILITY
+            value: {{ template "vulnerability.uri.scheme" . -}}:\/\/{{- .Values.components.vulnerability.ingress.host }}
+          - name: REACT_APP_HORUSEC_ENDPOINT_WEBHOOK
+            value: {{ template "webhook.uri.scheme" . -}}:\/\/{{- .Values.components.webhook.ingress.host }}
           - name: REACT_APP_HORUSEC_MANAGER_PATH
             value: \{{ .Values.components.manager.ingress.path }}
           {{- if eq .Values.components.auth.type "keycloak" }}

deployments/helm/horusec-platform/templates/deployments/messages.yaml

@@ -36,11 +36,13 @@ spec:
               secretKeyRef:
               {{- toYaml .Values.global.broker.password.secretKeyRef | nindent 16 }}
           - name: HORUSEC_SMTP_ADDRESS
-            value: {{ .Values.global.mailServer.host }}
+            value: {{ .Values.components.messages.mailServer.host }}
           - name: HORUSEC_SMTP_HOST
-            value: {{ .Values.global.mailServer.host }}
+            value: {{ .Values.components.messages.mailServer.host }}
           - name: HORUSEC_SMTP_PORT
-            value: {{ .Values.global.mailServer.port | quote }}
+            value: {{ .Values.components.messages.mailServer.port | quote }}
+          - name: HORUSEC_EMAIL_FROM
+            value: {{ .Values.components.messages.mailServer.from | quote }}
           - name: HORUSEC_SMTP_USERNAME
             valueFrom:
               secretKeyRef:

deployments/helm/horusec-platform/templates/ingresses/horusec.yaml

@@ -6,69 +6,14 @@ metadata:
     app: horusec-manager
   name: horusec
   namespace: {{ .Release.Namespace }}
-spec:
-  rules:
-    {{- if .Values.components.analytic.ingress.enabled }}
-    - host: {{ .Values.components.analytic.ingress.host }}
-      http:
-        paths:
-          - backend:
-              serviceName: analytic
-              servicePort: {{ .Values.components.analytic.port.http }}
-            path: /analytic
-    {{- end }}
-    {{- if .Values.components.api.ingress.enabled }}
-    - host: {{ .Values.components.api.ingress.host }}
-      http:
-        paths:
-          - backend:
-              serviceName: api
-              servicePort: {{ .Values.components.api.port.http }}
-            path: /api
-    {{- end }}
-    {{- if .Values.components.auth.ingress.enabled }}
-    - host: {{ .Values.components.auth.ingress.host }}
-      http:
-        paths:
-          - backend:
-              serviceName: auth
-              servicePort: {{ .Values.components.auth.port.http }}
-            path: /auth
-    {{- end }}
-    {{- if .Values.components.core.ingress.enabled }}
-    - host: {{ .Values.components.core.ingress.host }}
-      http:
-        paths:
-          - backend:
-              serviceName: core
-              servicePort: {{ .Values.components.core.port.http }}
-            path: /core
-    {{- end }}
-    {{- if .Values.components.manager.ingress.enabled }}
-    - host: {{ .Values.components.manager.ingress.host }}
-      http:
-        paths:
-          - backend:
-              serviceName: manager
-              servicePort: {{ .Values.components.manager.port.http }}
-    {{- end }}
-    {{- if .Values.components.messages.ingress.enabled }}
-    - host: {{ .Values.components.messages.ingress.host }}
-      http:
-        paths:
-          - backend:
-              serviceName: messages
-              servicePort: {{ .Values.components.messages.port.http }}
-            path: /messages
-    {{- end }}
-    {{- if .Values.components.vulnerability.ingress.enabled }}
-    - host: {{ .Values.components.vulnerability.ingress.host }}
-      http:
-        paths:
-          - backend:
-              serviceName: vulnerability
-              servicePort: {{ .Values.components.vulnerability.port.http }}
-            path: /vulnerability
+  annotations:
+    {{- if .Values.global.ingress.certManager }}
+    kubernetes.io/tls-acme: "true"
     {{- end }}
+  {{- with .Values.global.ingress.annotations  }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+{{- include "ingress.rules" . | nindent 2 }}
 {{- include "ingress.tls" . | nindent 2 }}
-{{- end }}
+{{- end }}

deployments/helm/horusec-platform/values.yaml

@@ -20,7 +20,7 @@ components:
         runAsNonRoot: true
         runAsUser: 1000
     database:
-      host: ""
+      host: "postgresql"
       logMode: false
       migration:
         image:
@@ -46,6 +46,7 @@ components:
       host: analytic.local
       path: /analytic
       tls: null
+      #   secretName: analytic-tls
     name: analytic
     pod:
       autoscaling:
@@ -81,6 +82,7 @@ components:
       host: api.local
       path: /api
       tls: null
+      #   secretName: api-tls
     name: api
     pod:
       autoscaling:
@@ -116,6 +118,7 @@ components:
       host: auth.local
       path: /auth
       tls: null
+      #   secretName: auth-tls
     name: auth
     pod:
       autoscaling:
@@ -153,6 +156,7 @@ components:
       host: core.local
       path: /core
       tls: null
+      #   secretName: core-tls
     name: core
     pod:
       autoscaling:
@@ -188,6 +192,7 @@ components:
       host: manager.local
       path: /manager
       tls: null
+      #   secretName: manager-tls
     name: manager
     pod:
       autoscaling:
@@ -224,8 +229,10 @@ components:
       host: messages.local
       path: /messages
       tls: null
+      #   secretName: messages-tls
     mailServer:
       host: smtp.mailtrap.io
+      from: horusec@zup.com.br
       password:
         secretKeyRef:
           key: password
@@ -270,6 +277,7 @@ components:
       host: vulnerability.local
       path: /vulnerability
       tls: null
+      #   secretName: vulnerability-tls
     name: vulnerability
     pod:
       autoscaling:
@@ -300,6 +308,12 @@ components:
         runAsNonRoot: true
         runAsUser: 1000
     extraEnv: [ ]
+    ingress:
+      enabled: true
+      host: webhook.local
+      path: /webhook
+      tls: null
+      #   secretName: webhook-tls
     name: webhook
     pod:
       autoscaling:
@@ -327,7 +341,7 @@ global:
         key: username
         name: horusec-administrator
   broker:
-    host: ""
+    host: "rabbitmq"
     password:
       secretKeyRef:
         key: password
@@ -338,7 +352,7 @@ global:
         key: username
         name: horusec-broker
   database:
-    host: ""
+    host: "postgresql"
     logMode: false
     migration:
       image:
@@ -375,3 +389,7 @@ global:
     otp: false
     publicURL: ""
     realm: horusec
+  ingress:
+    certManager: true
+    annotations: {}
+      # kubernetes.io/ingress.class: "nginx"

manager/deployments/scripts/run-nginx.sh

@@ -18,6 +18,9 @@ sed -i -e "s/window.REACT_APP_HORUSEC_ENDPOINT_ANALYTIC=\"\"/window.REACT_APP_HO
 sed -i -e "s/window.REACT_APP_HORUSEC_ENDPOINT_CORE=\"\"/window.REACT_APP_HORUSEC_ENDPOINT_CORE=\"$REACT_APP_HORUSEC_ENDPOINT_CORE\"/g" "/var/www/index.html"
 sed -i -e "s/window.REACT_APP_HORUSEC_ENDPOINT_AUTH=\"\"/window.REACT_APP_HORUSEC_ENDPOINT_AUTH=\"$REACT_APP_HORUSEC_ENDPOINT_AUTH\"/g" "/var/www/index.html"
 
+sed -i -e "s/window.REACT_APP_HORUSEC_ENDPOINT_VULNERABILITY=\"\"/window.REACT_APP_HORUSEC_ENDPOINT_VULNERABILITY=\"$REACT_APP_HORUSEC_ENDPOINT_VULNERABILITY\"/g" "/var/www/index.html"
+sed -i -e "s/window.REACT_APP_HORUSEC_ENDPOINT_WEBHOOK=\"\"/window.REACT_APP_HORUSEC_ENDPOINT_WEBHOOK=\"$REACT_APP_HORUSEC_ENDPOINT_WEBHOOK\"/g" "/var/www/index.html"
+
 sed -i -e "s/window.REACT_APP_HORUSEC_MANAGER_PATH=\"\"/window.REACT_APP_HORUSEC_MANAGER_PATH=\"$REACT_APP_HORUSEC_MANAGER_PATH\"/g" "/var/www/index.html"
 
 sed -i -e "s/window.REACT_APP_KEYCLOAK_CLIENT_ID=\"\"/window.REACT_APP_KEYCLOAK_CLIENT_ID=\"$REACT_APP_KEYCLOAK_CLIENT_ID\"/g" "/var/www/index.html"