[feat.] Merge Webhook and Server Helm Chart (#817)

* Merge Webhook and Server Helm Chart Signed-off-by: Rahul M Chheda <rahul.chheda@accurics.com> * Dont create LoadBalancer service Signed-off-by: Rahul M Chheda <rahul.chheda@accurics.com> * Allow fail policy Signed-off-by: Rahul M Chheda <rahul.chheda@accurics.com> * Allow webhook failurePolicy to be Fail Signed-off-by: Rahul M Chheda <rahul.chheda@accurics.com> * minor changes and shifting helm charts to deploy/helm/ Signed-off-by: Devang <devang.gaur.7@gmail.com> * addition to the helm chart maintainer list Signed-off-by: Devang <devang.gaur.7@gmail.com> * parameterized deployment replicas Signed-off-by: Devang <devang.gaur.7@gmail.com> * Fix name in maintainers Signed-off-by: Rahul M Chheda <rahul.chheda@accurics.com> * Add comment in helm template for reference Signed-off-by: Rahul M Chheda <rahul.chheda@accurics.com> Co-authored-by: Devang <devang.gaur.7@gmail.com>
tenable · May 27, 2021 · 1839b24 · 1839b24
1 parent a4d7af9
commit 1839b24
Show file tree

Hide file tree

Showing 13 changed files with 202 additions and 137 deletions.
diff --git a/deploy/helm-charts/server/templates/configmap.yaml b/deploy/helm-charts/server/templates/configmap.yaml
diff --git a/deploy/helm-charts/server/values.yaml b/deploy/helm-charts/server/values.yaml
diff --git a/deploy/helm-charts/webhook/Chart.yaml b/deploy/helm-charts/webhook/Chart.yaml
diff --git a/deploy/helm-charts/webhook/templates/validating-webhook.yaml b/deploy/helm-charts/webhook/templates/validating-webhook.yaml
diff --git a/deploy/helm-charts/server/Chart.yaml → deploy/helm/Chart.yaml b/deploy/helm-charts/server/Chart.yaml → deploy/helm/Chart.yaml
@@ -22,3 +22,5 @@ maintainers:
     email: devang.gaur@accurics.com
   - name: yusuf-kanchwala
     email: yusuf.kanchwala@accurics.com
+  - name: rahulchheda
+    email: rahul.chheda@accurics.com
diff --git a/deploy/helm-charts/README.md → deploy/helm/README.md b/deploy/helm-charts/README.md → deploy/helm/README.md
@@ -7,17 +7,28 @@ In server mode, terrascan will act both as an API server for
 performing remote scans of IAC, as well as a validating admission
 webhook for a Kubernetes cluster. Further details can be found in
 the [main documentation](https://docs.accurics.com/projects/accurics-terrascan/en/latest/).
-There are two helm charts:
-
-1. In the `server/` directory : to deploy terrascan in server mode.
-2. In the `webhook/` directory : to setup a validating webhook that uses the deployed terrascan server from step 1, as its backend.
 
 ## Usage
 ### Set up TLS certificates
 A requirement to run an admission controller is that communication
 happens over TLS. This helm chart expects to find the certificate
-at `server/data/server.crt` and key at `server/data/server.key`.
-If you opt to deploy the webhook as well, please copy `server/data/server.crt` at `webhook/data/server.crt`
+at `data/server.crt` and key at `data/server.key`.
+
+There's a `data/domain.cnf` file available for you to edit and generate key & certificate. You can use the following command:
+
+  ```bash
+  openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout data/server.key -out data/server.crt -config data/domain.cnf
+  ```
+
+In the `data/domain.cnf` file, we have configured DNS names as `terrascan.terrascan.svc`, assuming the defaults that service
+will be named `terrascan` and hosted in `terrascan` namespace. You'll have to manually change that as per your requirements.
+
+### Terrascan configuration file
+This chart will look for a [terrascan configuration
+file](https://docs.accurics.com/projects/accurics-terrascan/en/latest/usage/#config-file)
+at `data/config.toml`. If that file exists before running `helm
+install`, it's contents will be loaded into a configMap and provided
+to the terrascan server.
 
 ### Set up SSH config for private remote repo scan
 If you're opting to utilise the remote repo scan feature for ***private*** repositories,
@@ -53,61 +64,64 @@ persistence:
   existingclaim: pvcClaimName
 ```
 
-### Terrascan configuration file
-This chart will look for a [terrascan configuration
-file](https://docs.accurics.com/projects/accurics-terrascan/en/latest/usage/#config-file)
-at `server/data/config.toml`. If that file exists before running `helm
-install`, it's contents will be loaded into a configMap and provided
-to the terrascan server.
-
 ### Deploy
 Once your TLS certificate is generated and the values in the
 `values.yaml` configuration file have been reviewed, you can install
 the chart with the following command:
 
 1. Deploying Terrascan Server.
 
-    *Ensure that your current working directory is `server/`.*
+   For just installing a terrascan server deployment and service,
+
     ```
-    helm install <releasename-for-server> .
+    helm install <release-name> . -n <namespace>
     ```
-    Where `<releasename-for-server>` is the name you want to assign to this installed chart.
-    This value will be used in various resources to make them both distinct and identifiable.
+   Where `<release-name>` is the name you want to assign to this installed chart.
+   This value will be used in various resources to make them both distinct and identifiable.
 
-    This will use your current namespace unless `-n <namespace>` is specified
+   #### Verification
 
-    #### Verification
-
-    You can query for the pod using the following command.
+   You can query for the pod using the following command.
     ```
     kubectl get pod -n <namespace> -w
     ```
-    Watch the pod until it attains the `Running` state.
+   Watch the pod until it attains the `Running` state.
 
-    Verify the logs of the terrascan pod using the following command.
+   Verify the logs of the terrascan pod using the following command.
     ```
     kubectl -n <namespace> logs <pod-name>
     ```
    If you see a log that goes like `server listening on port : <port-name>`, the deployment went smooth.
 
-2. Deploying Validating Webhook.
+   ###Deploying Validating Webhook.
+
+   For installing the terrascan deployment and service along the validating webhook,
 
-    *Ensure that your current working directory is `webhook/`.*
     ```
-    helm install <releasename-for-webhook> .
+    helm install <release-name> . -n <namespace> --set webhook.mode=true
     ```
    This will use your current namespace unless `-n <namespace>` is specified.
-   ***Ensure that you provide the exact same <namespace> value as you did to deploy the `server/` chart in step 1.***
 
+   #### Verification
+   Try creating a resource that's scanning by the webhook
+
+   ```bash
+    kubectl run test-pod --image=nginx
+   ```
 
+   #### Clean Up
+
+    ```bash
+    helm uninstall <release-name> -n <namespace>
+    ```
 
 ## TODO:
 This chart is a WIP - we intend to add the following functionality in the near future:
- - [x] Storage support - volume for db
- - [x] Add section for setting the validating-webhook up.
- - [x] Add secrets to add ssh capabilities in the container, to enable remote repo scan feature.
- - [ ] Support more load balancer types
- - [ ] Support for ingress
- - [ ] Flag for UI enable/disable
- - [ ] Publish to Artifact hub
- - [ ] Support TLS certificate/key in existing secrets
+- [x] Storage support - volume for db
+- [x] Add section for setting the validating-webhook up.
+- [x] Add secrets to add ssh capabilities in the container, to enable remote repo scan feature.
+- [ ] Support more load balancer types
+- [ ] Support for ingress
+- [ ] Flag for UI enable/disable
+- [ ] Publish to Artifact hub
+- [ ] Support TLS certificate/key in existing secrets
diff --git a/...-charts/server/templates/cert-secret.yaml → deploy/helm/templates/cert-secret.yaml b/...-charts/server/templates/cert-secret.yaml → deploy/helm/templates/cert-secret.yaml
diff --git a/deploy/helm/templates/configmap.yaml b/deploy/helm/templates/configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.config_name }}
+  namespace: {{ .Release.Namespace }}
+data:
+  terrascan-config: |
+{{ .Files.Get "data/config.toml" | indent 4 }}
diff --git a/...m-charts/server/templates/deployment.yaml → deploy/helm/templates/deployments.yaml b/...m-charts/server/templates/deployment.yaml → deploy/helm/templates/deployments.yaml
@@ -4,7 +4,7 @@ metadata:
   name: {{ .Values.name }}
   namespace: {{ .Release.Namespace }}
 spec:
-  replicas: 1
+  replicas: {{ .Values.replicas }}
   selector:
     matchLabels:
       app: {{ .Values.name }}
@@ -75,7 +75,7 @@ spec:
 {{- if $globconfig }}
         - name: config-volume
           configMap:
-            configMapName: {{ .Values.config_name }}
+            name: {{ .Values.config_name }}
 {{- end }}
 {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
         - name: terrascan-data-sync
@@ -87,3 +87,65 @@ spec:
         - name: terrascan-data-sync
           emptyDir: {}
 {{- end }}
+{{- if .Values.webhook.mode }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: {{ .Values.name }}
+webhooks:
+  - name: {{ .Values.webhook.name }}
+    admissionReviewVersions:
+    {{- range .Values.webhook.admissionReviewVersions }}
+    - {{ . | printf "%s" }}
+    {{ end }}
+    failurePolicy: Ignore
+    sideEffects: {{ .Values.webhook.sideEffects }}
+    clientConfig:
+      service:
+        name: {{ .Values.name }}
+        namespace: {{ .Release.Namespace }}
+        path: {{ .Values.terrascan_webhook_key | printf "/v1/k8s/webhooks/%s/scan/validate" }}
+      caBundle: {{ .Files.Get "data/server.crt" | b64enc }}
+    rules:
+      - apiGroups:
+        {{- range .Values.webhook.apiGroups }}
+        {{- if eq . ""}}
+        - ""
+        {{- else if eq . "*" }}
+        - "*"
+        {{- else }}
+        - {{ . -}}
+        {{- end }}
+        {{- end }}
+        resources:
+        {{- range .Values.webhook.resources }}
+        {{- if eq . ""}}
+        - ""
+        {{- else if eq . "*" }}
+        - "*"
+        {{- else }}
+        - {{ . -}}
+        {{- end }}
+        {{- end }}
+        apiVersions:
+        {{- range .Values.webhook.apiVersions }}
+        {{- if eq . ""}}
+        - ""
+        {{- else if eq . "*" }}
+        - "*"
+        {{- else }}
+        - {{ . -}}
+        {{- end }}
+        {{- end }}
+        operations:
+        {{- range .Values.webhook.operations }}
+        {{- if eq . ""}}
+        - ""
+        {{- else if eq . "*" }}
+        - "*"
+        {{- else }}
+        - {{ . -}}
+        {{- end }}
+        {{- end }}
+{{- end }}
diff --git a/deploy/helm/templates/policy_fail_vw.yaml b/deploy/helm/templates/policy_fail_vw.yaml
@@ -0,0 +1,66 @@
+# Had to create this file just to support validatingwebhookconfiguration failurePolicy to be FAIL.
+# It turns out, webhook doesn't allow the terrascan server pod to come up in case failurePolicy is Fail.
+# So, as a workaround, we create the webhook w/ Ignore, and then upgrade it to Fail in. post install chart hook. ref: https://helm.sh/docs/topics/charts_hooks/
+{{- if and .Values.webhook.mode (eq .Values.webhook.failurePolicy "Fail") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: {{ .Values.name }}
+  annotations:
+    "helm.sh/hook": "post-install"
+webhooks:
+  - name: {{ .Values.webhook.name }}
+    admissionReviewVersions:
+    {{- range .Values.webhook.admissionReviewVersions }}
+    - {{ . | printf "%s" }}
+    {{ end }}
+    failurePolicy: Fail
+    sideEffects: {{ .Values.webhook.sideEffects }}
+    clientConfig:
+      service:
+        name: {{ .Values.name }}
+        namespace: {{ .Release.Namespace }}
+        path: {{ .Values.terrascan_webhook_key | printf "/v1/k8s/webhooks/%s/scan/validate" }}
+      caBundle: {{ .Files.Get "data/server.crt" | b64enc }}
+    rules:
+      - apiGroups:
+        {{- range .Values.webhook.apiGroups }}
+        {{- if eq . ""}}
+        - ""
+        {{- else if eq . "*" }}
+        - "*"
+        {{- else }}
+        - {{ . -}}
+        {{- end }}
+        {{- end }}
+        resources:
+        {{- range .Values.webhook.resources }}
+        {{- if eq . ""}}
+        - ""
+        {{- else if eq . "*" }}
+        - "*"
+        {{- else }}
+        - {{ . -}}
+        {{- end }}
+        {{- end }}
+        apiVersions:
+        {{- range .Values.webhook.apiVersions }}
+        {{- if eq . ""}}
+        - ""
+        {{- else if eq . "*" }}
+        - "*"
+        {{- else }}
+        - {{ . -}}
+        {{- end }}
+        {{- end }}
+        operations:
+        {{- range .Values.webhook.operations }}
+        {{- if eq . ""}}
+        - ""
+        {{- else if eq . "*" }}
+        - "*"
+        {{- else }}
+        - {{ . -}}
+        {{- end }}
+        {{- end }}
+{{- end -}}