Initial addition of terrascan helm chart (#688)

* Initial checkin of helm chart

* Use clear name for API key key

* Adding persistent volume support

In some cases, user may want to have db storage on persistent volume.
Also moved container image to parameter

* Improving readme

* tweaking readme

* adding a little more readme

* having values use latest terrascan image on dockerhub

* updated charts with webhook

* Additional helm work

Working on some helm variable names for clarity,
Added admission webook template

* merging dev-gaur's webhook yaml into mine

* removing random author line

* further readme tweaks

* Can't have templating in values.yaml

* fixing linter errors

* Update deploy/helm-charts/values.yaml

Co-authored-by: Devang Gaur <devang.gaur@accurics.com>

* removing notes file - shouldn't have been added

* Removing webhook yaml from helm chart

If the admission controller webhook is deployed at same time as
terrascan service, there's sometimes a race condition where the
webhook starts before terrascan, and then blocks terrascan from
starting.  So users can read about admission controller in the docs,
and deploy that yaml manually.

* adding security context for ts pod

* bumping container version

* bumping version in chart.

* addition to the TODO list.

-

Co-authored-by: Devang <devang.gaur.7@gmail.com>
Co-authored-by: Devang Gaur <devang.gaur@accurics.com>

deploy/helm-charts/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+name: terrascan
+version: 1.0.0
+appVersion: v1.6.0
+description: A Helm chart for running terrascan in server mode
+icon: https://raw.githubusercontent.com/accurics/terrascan/master/docs/img/terrascan-icon-white.png
+home: https://github.com/accurics/terrascan
+keywords:
+  - terrascan
+  - opa
+  - security
+sources:
+  - https://github.com/accurics/terrascan
+maintainers:
+  - name: jlk
+    email: jlk@accurics.com
+  - name: dev-gaur
+    email: devang.gaur@accurics.com
+  - name: yusuf-kanchwala
+    email: yusuf.kanchwala@accurics.com

deploy/helm-charts/README.md

@@ -0,0 +1,65 @@
+# Helm chart for deploying terrascan in server mode
+
+This chart deploys terrascan as a server within your kubernetes cluster. By default it runs just terrascan by itself, but, 
+user creates namespace and secrets.
+
+In server mode, terrascan will act both as an API server for
+performing remote scans of IAC, as well as a validating admission
+webhook for a Kubernetes cluster. Further details can be found in
+the [main documentation](https://docs.accurics.com/projects/accurics-terrascan/en/latest/).
+
+## Usage
+### Set up TLS certificates
+A requirement to run an admission controller is that communication
+happens over TLS. This helm chart expects to find the certificate
+at `data/server.crt` and key at `data/server.key`.
+
+### Persistent storage
+By default, this chart will deploy terrascan with a `emptyDir`
+volume - basically a temporary volume. If you intend to use the
+admission controller functionality, then you may want to store the
+admission controller database on a persistent volume. This chart
+supports speciyfing a [persistent volume
+claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) for
+the database - as storage, PVs, and PVCs are a wide topic within
+Kubernetes ecosystem, the details of the PV/PVC creation are left
+to the individual.
+
+To specify the use of a PVC, set `persistence.enable` to `true`, and then specify the name of an existing PVC:
+
+```
+persistence:
+  enabled: false
+  existingclaim: pvcClaimName
+```
+
+### Terrascan configuration file
+This chart will look for a [terrascan configuration
+file](https://docs.accurics.com/projects/accurics-terrascan/en/latest/usage/#config-file)
+at `data/config.toml`. If that file exists before running `helm
+install`, it's contents will be loaded into a configMap and provided
+to the terrascan server.
+
+### Deploy
+Once your TLS certificate is generated and the values in the
+`values.yaml` configuration file have been reviewed, you can install
+the chart with the following command:
+
+```
+helm install <releasename> .
+```
+Where `<releasename>` is the name you want to assign to this installed chart. This value will be used in various resources to make them both distinct and identifable.
+
+This will use your current namespace unless `-n <namespace>` is specified
+
+## TODO:
+This chart is a WIP - we intend to add the following functionality in the near future:
+ - [x] Storage support - volume for db
+ - [ ] Add a documention section for setting the validating-webhook up.
+ - [ ] Add secrets to add ssh capabilities in the container, to enable remote repo scan feature.
+ - [ ] Support more load balancer types
+ - [ ] Support for ingress
+ - [ ] Flag for UI enable/disable
+ - [ ] Publish to Artifact hub
+ - [ ] Support TLS certificate/key in existing secrets
+

deploy/helm-charts/templates/configmap.yaml

@@ -0,0 +1,11 @@
+{{- $globconfig := .Files.Glob "../data/config.toml" }}
+{{- if $globconfig }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.config_name }}
+  namespace: {{ .Release.Namespace }}
+data:
+  terrascan-config: |-
+    {{ .Files.Get "../data/config.toml" | b64enc }}
+{{- end }}

deploy/helm-charts/templates/deployment.yaml

@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Values.name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.name }}
+    spec:
+      initContainers:
+        - name: git-cloner
+          image: alpine/git
+          args:
+            - clone
+            - --single-branch
+            - --branch=master
+            - https://github.com/accurics/terrascan.git
+            - /data
+          volumeMounts:
+            - mountPath: /data
+              name: terrascan-data-sync
+      containers:
+        - name: terrascan-server
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: false
+          image: {{ .Values.terrascan_container_image }}
+          command:
+            - terrascan
+          args:
+            - "server"
+            - "--cert-path"
+            - "/etc/certs/cert"
+            - "--key-path"
+            - "/etc/certs/key"
+{{- if .Values.use_debug }}
+            - "-l"
+            - "debug"
+{{- end }}
+{{- $globconfig := .Files.Glob "../data/config.toml" }}
+{{- if $globconfig }}
+            - "-c"
+            - "/etc/config/terrascan-config"
+{{- end }}
+          env:
+            - name: "K8S_WEBHOOK_API_KEY"
+              value: {{ .Values.terrascan_api_key}}
+          volumeMounts:
+            - name: cert-volume
+              mountPath: /etc/certs
+{{- $globconfig := .Files.Glob "../data/config.toml" }}
+{{- if $globconfig }}
+            - name: config-volume
+              mountPath: /etc/config
+{{- end }}
+            - name: terrascan-data-sync
+              mountPath: /home/terrascan/.terrascan
+
+      volumes:
+        - name: cert-volume
+          secret:
+            secretName: {{ .Values.secret_name }}
+{{- $globconfig := .Files.Glob "../data/config.toml" }}
+{{- if $globconfig }}
+        - name: config-volume
+          configMap:
+            configMapName: {{ .Values.configname }}
+{{- end }}
+{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
+        - name: terrascan-data-sync
+          persistentVolumeClaim:
+{{- with .Values.persistence.existingClaim }}
+            claimName: {{ tpl . $ }}
+{{- end }}
+{{- else }}
+        - name: terrascan-data-sync
+          emptyDir: {}
+{{- end }}

deploy/helm-charts/templates/secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.secret_name }}
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  key: |-
+    {{ .Files.Get "data/server.key" | b64enc }}
+  cert: |-
+    {{ .Files.Get "data/server.crt" | b64enc }}

deploy/helm-charts/templates/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: LoadBalancer
+  selector:
+    app: {{ .Values.name }}
+  ports:
+    - name: webhook
+      port: 443
+      targetPort: 9010

deploy/helm-charts/values.yaml

@@ -0,0 +1,9 @@
+terrascan_api_key: terrakey
+terrascan_container_image: accurics/terrascan:1.6.0
+use_debug: true
+secret_name: terrascancerts
+config_name: terrascanconfig
+name: terrascan
+persistence:
+  enabled: false
+  existingclaim: terrascanPvc