From 01c8d78113c820a973612b4f41d0f29f5d6c4db3 Mon Sep 17 00:00:00 2001 
From: John Kinsella Date: Tue, 11 May 2021 19:34:49 -0700 Subject: [PATCH] Initial addition of terrascan helm chart (#688) * Initial checkin of helm chart * Use clear name for API key key * Adding persistent volume support In some cases, user may want to have db storage on persistent volume. Also moved container image to parameter * Improving readme * tweaking readme * adding a little more readme * having values use latest terrascan image on dockerhub * updated charts with webhook * Additional helm work Working on some helm variable names for clarity, Added admission webook template * merging dev-gaur's webhook yaml into mine * removing random author line * further readme tweaks * Can't have templating in values.yaml * fixing linter errors * Update deploy/helm-charts/values.yaml Co-authored-by: Devang Gaur * removing notes file - shouldn't have been added * Removing webhook yaml from helm chart If the admission controller webhook is deployed at same time as terrascan service, there's sometimes a race condition where the webhook starts before terrascan, and then blocks terrascan from starting. So users can read about admission controller in the docs, and deploy that yaml manually. * adding security context for ts pod * bumping container version * bumping version in chart. * addition to the TODO list. 
- Co-authored-by: Devang Co-authored-by: Devang Gaur --- deploy/helm-charts/Chart.yaml | 20 +++++ deploy/helm-charts/README.md | 65 +++++++++++++++ deploy/helm-charts/templates/configmap.yaml | 11 +++ deploy/helm-charts/templates/deployment.yaml | 84 ++++++++++++++++++++ deploy/helm-charts/templates/secret.yaml | 11 +++ deploy/helm-charts/templates/service.yaml | 13 +++ deploy/helm-charts/values.yaml | 9 +++ 7 files changed, 213 insertions(+) create mode 100644 deploy/helm-charts/Chart.yaml create mode 100644 deploy/helm-charts/README.md create mode 100644 deploy/helm-charts/templates/configmap.yaml create mode 100644 deploy/helm-charts/templates/deployment.yaml create mode 100644 deploy/helm-charts/templates/secret.yaml create mode 100644 deploy/helm-charts/templates/service.yaml create mode 100644 deploy/helm-charts/values.yaml
diff --git a/deploy/helm-charts/Chart.yaml b/deploy/helm-charts/Chart.yaml
new file mode 100644
index 000000000..9d62eeb0c
--- /dev/null
+++ b/deploy/helm-charts/Chart.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+name: terrascan
+version: 1.0.0
+appVersion: v1.6.0
+description: A Helm chart for running terrascan in server mode
+icon: https://raw.githubusercontent.com/accurics/terrascan/master/docs/img/terrascan-icon-white.png
+home: https://github.com/accurics/terrascan
+keywords:
+ - terrascan
+ - opa
+ - security
+sources:
+ - https://github.com/accurics/terrascan
+maintainers:
+ - name: jlk
+ email: jlk@accurics.com
+ - name: dev-gaur
+ email: devang.gaur@accurics.com
+ - name: yusuf-kanchwala
+ email: yusuf.kanchwala@accurics.com
diff --git a/deploy/helm-charts/README.md b/deploy/helm-charts/README.md
new file mode 100644
index 000000000..aeaad67c9
--- /dev/null
+++ b/deploy/helm-charts/README.md
@@ -0,0 +1,65 @@
+# Helm chart for deploying terrascan in server mode
+
+This chart deploys terrascan as a server within your kubernetes cluster. By default it runs just terrascan by itself, but,
+user creates namespace and secrets.
+
+In server mode, terrascan will act both as an API server for
+performing remote scans of IAC, as well as a validating admission
+webhook for a Kubernetes cluster. Further details can be found in
+the [main documentation](https://docs.accurics.com/projects/accurics-terrascan/en/latest/).
+
+## Usage
+### Set up TLS certificates
+A requirement to run an admission controller is that communication
+happens over TLS. This helm chart expects to find the certificate
+at `data/server.crt` and key at `data/server.key`.
+
+### Persistent storage
+By default, this chart will deploy terrascan with a `emptyDir`
+volume - basically a temporary volume. If you intend to use the
+admission controller functionality, then you may want to store the
+admission controller database on a persistent volume. This chart
+supports speciyfing a [persistent volume
+claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) for
+the database - as storage, PVs, and PVCs are a wide topic within
+Kubernetes ecosystem, the details of the PV/PVC creation are left
+to the individual.
+
+To specify the use of a PVC, set `persistence.enable` to `true`, and then specify the name of an existing PVC:
+
+```
+persistence:
+ enabled: false
+ existingclaim: pvcClaimName
+```
+
+### Terrascan configuration file
+This chart will look for a [terrascan configuration
+file](https://docs.accurics.com/projects/accurics-terrascan/en/latest/usage/#config-file)
+at `data/config.toml`. If that file exists before running `helm
+install`, it's contents will be loaded into a configMap and provided
+to the terrascan server.
+
+### Deploy
+Once your TLS certificate is generated and the values in the
+`values.yaml` configuration file have been reviewed, you can install
+the chart with the following command:
+
+```
+helm install .
+```
+Where `` is the name you want to assign to this installed chart. This value will be used in various resources to make them both distinct and identifable.
+
+This will use your current namespace unless `-n ` is specified
+
+## TODO:
+This chart is a WIP - we intend to add the following functionality in the near future:
+ - [x] Storage support - volume for db
+ - [ ] Add a documention section for setting the validating-webhook up.
+ - [ ] Add secrets to add ssh capabilities in the container, to enable remote repo scan feature.
+ - [ ] Support more load balancer types
+ - [ ] Support for ingress
+ - [ ] Flag for UI enable/disable
+ - [ ] Publish to Artifact hub
+ - [ ] Support TLS certificate/key in existing secrets
+
diff --git a/deploy/helm-charts/templates/configmap.yaml b/deploy/helm-charts/templates/configmap.yaml
new file mode 100644
index 000000000..2b6d398f3
--- /dev/null
+++ b/deploy/helm-charts/templates/configmap.yaml
@@ -0,0 +1,11 @@
+{{- $globconfig := .Files.Glob "../data/config.toml" }}
+{{- if $globconfig }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.config_name }}
+ namespace: {{ .Release.Namespace }}
+data:
+ terrascan-config: |-
+ {{ .Files.Get "../data/config.toml" | b64enc }}
+{{- end }}
diff --git a/deploy/helm-charts/templates/deployment.yaml b/deploy/helm-charts/templates/deployment.yaml
new file mode 100644
index 000000000..c87fc3b70
--- /dev/null
+++ b/deploy/helm-charts/templates/deployment.yaml
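Review bot: The ConfigMap value is base64-encoded (`terrascan-config: |-` followed by `{{ .Files.Get "../data/config.toml" | b64enc }}`), but `data:` entries of a ConfigMap are served as plain text, so the container's `-c /etc/config/terrascan-config` argument would point terrascan at a base64 blob instead of TOML; drop the `b64enc` and indent the file contents instead, e.g. `{{ .Files.Get "data/config.toml" | indent 4 }}`. The `../data/config.toml` path is also suspect: `.Files` resolves relative to the chart root and cannot reach outside it, so this Glob is unlikely to ever match, while secret.yaml and the README both use `data/...`; the same `../` Glob is repeated three times in deployment.yaml. A one-line comment above the Glob stating that the ConfigMap is only rendered when `data/config.toml` exists inside the chart directory would make the intent clear to the next maintainer.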
@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Values.name }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Values.name }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.name }}
+ spec:
+ initContainers:
+ - name: git-cloner
+ image: alpine/git
+ args:
+ - clone
+ - --single-branch
+ - --branch=master
+ - https://github.com/accurics/terrascan.git
+ - /data
+ volumeMounts:
+ - mountPath: /data
+ name: terrascan-data-sync
+ containers:
+ - name: terrascan-server
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ image: {{ .Values.terrascan_container_image }}
+ command:
+ - terrascan
+ args:
+ - "server"
+ - "--cert-path"
+ - "/etc/certs/cert"
+ - "--key-path"
+ - "/etc/certs/key"
+{{- if .Values.use_debug }}
+ - "-l"
+ - "debug"
+{{- end }}
+{{- $globconfig := .Files.Glob "../data/config.toml" }}
+{{- if $globconfig }}
+ - "-c"
+ - "/etc/config/terrascan-config"
+{{- end }}
+ env:
+ - name: "K8S_WEBHOOK_API_KEY"
+ value: {{ .Values.terrascan_api_key}}
+ volumeMounts:
+ - name: cert-volume
+ mountPath: /etc/certs
+{{- $globconfig := .Files.Glob "../data/config.toml" }}
+{{- if $globconfig }}
+ - name: config-volume
+ mountPath: /etc/config
+{{- end }}
+ - name: terrascan-data-sync
+ mountPath: /home/terrascan/.terrascan
+
+ volumes:
+ - name: cert-volume
+ secret:
+ secretName: {{ .Values.secret_name }}
+{{- $globconfig := .Files.Glob "../data/config.toml" }}
+{{- if $globconfig }}
+ - name: config-volume
+ configMap:
+ configMapName: {{ .Values.configname }}
+{{- end }}
+{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
+ - name: terrascan-data-sync
+ persistentVolumeClaim:
+{{- with .Values.persistence.existingClaim }}
+ claimName: {{ tpl . $ }}
+{{- end }}
+{{- else }}
+ - name: terrascan-data-sync
+ emptyDir: {}
+{{- end }}
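Review bot: The webhook API key is written in clear into the pod spec through `value: {{ .Values.terrascan_api_key}}`, so anyone with read access to Deployments, `helm get manifest` or the rendered templates sees it; it should come from a Secret via `valueFrom.secretKeyRef` (the fence below shows the env block; secret.yaml in this commit would need a matching entry), or at minimum be rendered with `| quote` so a non-string key does not break the YAML. The container `securityContext` sets `runAsNonRoot: false` explicitly, which undoes the hardening the commit message describes as "adding security context"; the `/home/terrascan/.terrascan` mount suggests the image has a dedicated user, so `runAsNonRoot: true` together with `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}` is the expected shape, with the same context applied to the `git-cloner` init container. That init container also pulls the floating `alpine/git` tag and the tip of `master` at every pod start, so what runs is decided by whatever is upstream at that moment rather than by the chart version; pinning the image by tag or digest and cloning a tagged ref would make the deployment reproducible. Separately, `configMapName:` is not a field of a `configMap` volume source (it must be `name:`), `.Values.configname` does not match the `config_name` key used by values.yaml and configmap.yaml, and `.Values.persistence.existingClaim` does not match `existingclaim` in values.yaml, so the config volume is rejected or pruned to a nameless `configMap: {}` and the PVC branch never fires with the documented values.
```yaml
          env:
            - name: "K8S_WEBHOOK_API_KEY"
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secret_name }}
                  key: api-key  # constructed key name; secret.yaml must add this entry
# … unchanged: volumeMounts, volumes …
```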
diff --git a/deploy/helm-charts/templates/secret.yaml b/deploy/helm-charts/templates/secret.yaml
new file mode 100644
index 000000000..9a6b65229
--- /dev/null
+++ b/deploy/helm-charts/templates/secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.secret_name }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+ key: |-
+ {{ .Files.Get "data/server.key" | b64enc }}
+ cert: |-
+ {{ .Files.Get "data/server.crt" | b64enc }}
diff --git a/deploy/helm-charts/templates/service.yaml b/deploy/helm-charts/templates/service.yaml
new file mode 100644
index 000000000..90e5d3dff
--- /dev/null
+++ b/deploy/helm-charts/templates/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.name }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ type: LoadBalancer
+ selector:
+ app: {{ .Values.name }}
+ ports:
+ - name: webhook
+ port: 443
+ targetPort: 9010
diff --git a/deploy/helm-charts/values.yaml b/deploy/helm-charts/values.yaml
new file mode 100644
index 000000000..3202f1597
--- /dev/null
+++ b/deploy/helm-charts/values.yaml
@@ -0,0 +1,9 @@
+terrascan_api_key: terrakey
+terrascan_container_image: accurics/terrascan:1.6.0
+use_debug: true
+secret_name: terrascancerts
+config_name: terrascanconfig
+name: terrascan
+persistence:
+ enabled: false
+ existingclaim: terrascanPvc
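Review bot: `.Files.Get` returns an empty string when `data/server.key` or `data/server.crt` is absent, so the Secret renders with empty `key`/`cert` entries and the failure only surfaces later when the server tries to load them from `/etc/certs`; wrap each read in `required`, e.g. `{{ required "data/server.key is missing from the chart" (.Files.Get "data/server.key") | b64enc }}`. Since the two entries are a TLS pair, `type: kubernetes.io/tls` with `tls.crt`/`tls.key` keys would also let the chart later accept a Secret provisioned by the user or cert-manager, which the README's TODO on existing secrets anticipates. A comment above `data:` noting that the private key placed under `data/` ends up inside the packaged chart and in the rendered manifest Helm stores for the release would help users avoid publishing the chart directory with the key in place.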
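Review bot: `type: LoadBalancer` exposes the terrascan API and webhook endpoint outside the cluster on port 443 by default, although the Kubernetes API server only needs cluster-internal reachability to call an admission webhook and the API is guarded only by the `K8S_WEBHOOK_API_KEY` value from values.yaml; a ClusterIP default with LoadBalancer as an opt-in is the safer shape, e.g. `type: {{ .Values.service_type | default "ClusterIP" }}` with a matching `service_type` value. The README TODO already lists "more load balancer types", so that is where the new value belongs. If the LoadBalancer default is kept deliberately, the README should state that the service is reachable from outside the cluster once installed.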
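Review bot: `terrascan_api_key: terrakey` ships a fixed default credential, so every install that does not override it accepts the same well-known key on a service that service.yaml exposes as a LoadBalancer; make the default empty and have the deployment template fail fast with `{{ required "terrascan_api_key must be set" .Values.terrascan_api_key }}`. `existingclaim` here is lowercase while deployment.yaml reads `.Values.persistence.existingClaim`, and `config_name` here does not match the `.Values.configname` read for the ConfigMap volume, so neither value ever takes effect; aligning the key names (the README also documents `existingclaim`) fixes both. `use_debug: true` as the shipped default also deserves a comment, since debug logging is normally an opt-in for troubleshooting rather than the production setting.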