From 58b88b4b54e923f1a91fece1383a324601bde7ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nathana=C3=ABl=20M=2E?= Date: Sat, 21 Dec 2024 12:45:12 +0100 Subject: [PATCH 01/11] New Helm chart first iteration ready --- .gitignore | 1 + charts/ciso-assistant-next/.helmignore | 23 ++ charts/ciso-assistant-next/Chart.yaml | 13 + charts/ciso-assistant-next/README.md | 34 +++ .../templates/_helpers.tpl | 75 ++++++ .../templates/backend/deployment.yaml | 110 ++++++++ .../backend/persistentvolumeclaim.yaml | 22 ++ .../templates/backend/secret.yaml | 17 ++ .../templates/backend/service.yaml | 19 ++ .../templates/frontend/deployment.yaml | 65 +++++ .../templates/frontend/service.yaml | 19 ++ .../templates/ingress/ingress.yaml | 40 +++ .../templates/ingress/tls-secret.yaml | 14 + charts/ciso-assistant-next/values.yaml | 248 ++++++++++++++++++ 14 files changed, 700 insertions(+) create mode 100644 charts/ciso-assistant-next/.helmignore create mode 100644 charts/ciso-assistant-next/Chart.yaml create mode 100644 charts/ciso-assistant-next/README.md create mode 100644 charts/ciso-assistant-next/templates/_helpers.tpl create mode 100644 charts/ciso-assistant-next/templates/backend/deployment.yaml create mode 100644 charts/ciso-assistant-next/templates/backend/persistentvolumeclaim.yaml create mode 100644 charts/ciso-assistant-next/templates/backend/secret.yaml create mode 100644 charts/ciso-assistant-next/templates/backend/service.yaml create mode 100644 charts/ciso-assistant-next/templates/frontend/deployment.yaml create mode 100644 charts/ciso-assistant-next/templates/frontend/service.yaml create mode 100644 charts/ciso-assistant-next/templates/ingress/ingress.yaml create mode 100644 charts/ciso-assistant-next/templates/ingress/tls-secret.yaml create mode 100644 charts/ciso-assistant-next/values.yaml diff --git a/.gitignore b/.gitignore index aceaa0b7e..77f822d28 100644 --- a/.gitignore +++ b/.gitignore 
@@ -15,3 +15,4 @@ caddy_data/ **/dist/ **/.meta charts/custom-values.yaml +**/charts/*/charts \ No newline at end of file diff --git a/charts/ciso-assistant-next/.helmignore b/charts/ciso-assistant-next/.helmignore new file mode 100644 index 000000000..691fa13d6 --- /dev/null +++ b/charts/ciso-assistant-next/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ \ No newline at end of file diff --git a/charts/ciso-assistant-next/Chart.yaml b/charts/ciso-assistant-next/Chart.yaml new file mode 100644 index 000000000..60f9ae9c6 --- /dev/null +++ b/charts/ciso-assistant-next/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v2 +name: ciso-assistant +description: A Helm chart for CISO Assistant k8s's deployment +type: application +version: 0.1.0 +appVersion: "v1.9.3" +icon: https://intuitem.com/ciso-assistant.svg +sources: + - https://github.com/intuitem/ciso-assistant-community +#dependencies: +# - name: postgresql +# version: "16.3.3" +# repository: "oci://registry-1.docker.io/bitnamicharts" diff --git a/charts/ciso-assistant-next/README.md b/charts/ciso-assistant-next/README.md new file mode 100644 index 000000000..a790916b2 --- /dev/null +++ b/charts/ciso-assistant-next/README.md 
@@ -0,0 +1,34 @@ +## Installation + +### Pulling default values + +``` +helm show values . > ../custom-values.yaml +``` + +### Creating a dedicated namespace + +``` +kubectl create ns ciso-assistant +``` + +### Install + +``` +helm install my-release . -f ../custom-values.yaml -n ciso-assistant +``` + +### Uninstall + +``` +helm uninstall my-release -n ciso-assistant +``` + + +## Upgrading + +When upgrading, make sure to: +1. Backup your persistent volumes +2. Update any custom values +3. Run: helm repo update +4. Run: helm upgrade my-release . --set global.image.tag= diff --git a/charts/ciso-assistant-next/templates/_helpers.tpl b/charts/ciso-assistant-next/templates/_helpers.tpl new file mode 100644 index 000000000..9f3d9917d --- /dev/null +++ b/charts/ciso-assistant-next/templates/_helpers.tpl 
@@ -0,0 +1,75 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "ciso-assistant.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "ciso-assistant.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "ciso-assistant.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Define CISO Assistant default tag version. +*/}} +{{- define "ciso-assistant.defaultTag" -}} +{{- default .Chart.AppVersion .Values.global.image.tag -}} +{{- end -}} + +{{/* +Return valid version label +*/}} +{{- define "ciso-assistant.versionLabelValue" -}} +{{ regexReplaceAll "[^-A-Za-z0-9_.]" (include "ciso-assistant.defaultTag" .) "-" | trunc 63 | trimAll "-" | trimAll "_" | trimAll "." | quote }} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "ciso-assistant.labels" -}} +helm.sh/chart: {{ include "ciso-assistant.chart" .context }} +{{ include "ciso-assistant.selectorLabels" (dict "context" .context "component" .component "name" .name) }} +app.kubernetes.io/managed-by: {{ .context.Release.Service }} +app.kubernetes.io/version: {{ include "ciso-assistant.versionLabelValue" .context }} +{{- with .context.Values.global.commonLabels }} +{{ toYaml . 
}} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "ciso-assistant.selectorLabels" -}} +app.kubernetes.io/name: {{ include "ciso-assistant.name" .context }} +app.kubernetes.io/instance: {{ .context.Release.Name }} +{{- if .component }} +app.kubernetes.io/component: {{ .component }} +{{- end }} +{{- end }} + +{{/* +Define complete url based on scheme and domain +*/}} +{{- define "ciso-assistant.url" -}} +{{- $scheme := ternary "https" "http" .Values.ingress.tls -}} +{{- printf "%s://%s" $scheme .Values.global.domain -}} +{{- end -}} \ No newline at end of file diff --git a/charts/ciso-assistant-next/templates/backend/deployment.yaml b/charts/ciso-assistant-next/templates/backend/deployment.yaml new file mode 100644 index 000000000..b0f67e020 --- /dev/null +++ b/charts/ciso-assistant-next/templates/backend/deployment.yaml 
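Review bot: `ciso-assistant.url` derives the scheme solely from `.Values.ingress.tls`, so any deployment that terminates TLS outside the chart (ingress-controller default certificate, cloud load balancer, a cert-manager secret with `ingress.tls` left false) renders `http://` into CISO_ASSISTANT_URL, ORIGIN and PUBLIC_BACKEND_API_EXPOSED_URL, which presumably breaks origin/CSRF checks and emits plain-http links in mail. Consider an explicit override so the scheme does not have to be inferred, e.g. `{{- $scheme := ternary "https" "http" (or .Values.ingress.tls .Values.global.forceHttps) -}}` backed by a documented `global.forceHttps: false` value. `global.domain` is also consumed here and in the Ingress without any `required` check, so an unset domain renders `https://` and an Ingress with an empty host rather than failing the install.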
@@ -0,0 +1,110 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "ciso-assistant.fullname" . }}-backend + namespace: {{ .Release.Namespace }} + labels: + {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.backend.name "component" .Values.backend.name) | nindent 4 }} +spec: + replicas: {{ .Values.backend.replicas }} + selector: + matchLabels: + {{- include "ciso-assistant.selectorLabels" (dict "context" . "component" .Values.backend.name) | nindent 6 }} + template: + metadata: + annotations: + checksum/secret-backend: {{ include (print $.Template.BasePath "/backend/secret.yaml") . | sha256sum }} + labels: + {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.backend.name "component" .Values.backend.name) | nindent 8 }} + spec: + {{- with .Values.backend.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.global.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Values.backend.name }} + image: {{ default .Values.global.image.registry .Values.backend.image.registry }}/{{ .Values.backend.image.repository }}:{{ default (include "ciso-assistant.defaultTag" .) .Values.backend.image.tag }} + imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.backend.image.imagePullPolicy }} + env: + {{- with .Values.backend.env }} + {{- toYaml . | nindent 10 }} + {{- end }} + - name: DJANGO_DEBUG + value: {{ ternary "True" "False" .Values.backend.config.djangoDebug | quote }} + - name: CISO_ASSISTANT_SUPERUSER_EMAIL + value: {{ .Values.backend.config.emailAdmin }} + - name: CISO_ASSISTANT_URL + value: {{ template "ciso-assistant.url" . }} + - name: ALLOWED_HOSTS + value: localhost,127.0.0.1,{{ include "ciso-assistant.fullname" . }}-backend,{{ template "ciso-assistant.url" . 
}} + - name: DEFAULT_FROM_EMAIL + value: {{ .Values.backend.config.smtp.defaultFrom | quote }} + - name: EMAIL_HOST + value: {{ .Values.backend.config.smtp.primary.host | quote }} + - name: EMAIL_PORT + value: {{ .Values.backend.config.smtp.primary.port | quote }} + - name: EMAIL_USE_TLS + value: {{ .Values.backend.config.smtp.primary.useTls | quote }} + {{- if .Values.backend.config.smtp.primary.username }} + - name: EMAIL_HOST_USER + value: {{ .Values.backend.config.smtp.primary.username | quote }} + {{- end }} + {{- if .Values.backend.config.smtp.primary.password }} + - name: EMAIL_HOST_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "ciso-assistant.fullname" . }}-backend + key: email-primary-password + {{- end }} + - name: EMAIL_HOST_RESCUE + value: {{ .Values.backend.config.smtp.rescue.host | quote }} + - name: EMAIL_PORT_RESCUE + value: {{ .Values.backend.config.smtp.rescue.port | quote }} + - name: EMAIL_USE_TLS_RESCUE + value: {{ .Values.backend.config.smtp.rescue.useTls | quote }} + {{- if .Values.backend.config.smtp.rescue.username }} + - name: EMAIL_HOST_USER_RESCUE + value: {{ .Values.backend.config.smtp.rescue.username | quote }} + {{- end }} + {{- if .Values.backend.config.smtp.rescue.password }} + - name: EMAIL_HOST_PASSWORD_RESCUE + valueFrom: + secretKeyRef: + name: {{ include "ciso-assistant.fullname" . }}-backend + key: email-rescue-password + {{- end }} + {{- if .Values.backend.persistence.enabled }} + volumeMounts: + - name: backend-data + mountPath: /code/db + {{- end }} + ports: + - name: http + containerPort: 8000 + protocol: TCP + {{- if .Values.backend.resources }} + resources: + {{ toYaml .Values.backend.resources | indent 10 }} + {{- end }} + {{- with .Values.backend.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.global.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.global.tolerations }} + tolerations: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- if .Values.backend.persistence.enabled }} + volumes: + - name: backend-data + persistentVolumeClaim: + claimName: {{ include "ciso-assistant.fullname" . }}-backend + {{- end }} diff --git a/charts/ciso-assistant-next/templates/backend/persistentvolumeclaim.yaml b/charts/ciso-assistant-next/templates/backend/persistentvolumeclaim.yaml new file mode 100644 index 000000000..303333cd4 --- /dev/null +++ b/charts/ciso-assistant-next/templates/backend/persistentvolumeclaim.yaml @@ -0,0 +1,22 @@ +{{- if .Values.backend.persistence.enabled }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ include "ciso-assistant.fullname" . }}-backend + namespace: {{ .Release.Namespace }} + {{- with .Values.backend.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.backend.name "component" .Values.backend.name) | nindent 4 }} +spec: + accessModes: + - {{ .Values.backend.persistence.accessMode }} + resources: + requests: + storage: {{ .Values.backend.persistence.size }} + {{- if .Values.backend.persistence.storageClass }} + storageClassName: {{ .Values.backend.persistence.storageClass }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ciso-assistant-next/templates/backend/secret.yaml b/charts/ciso-assistant-next/templates/backend/secret.yaml new file mode 100644 index 000000000..4854669cb --- /dev/null +++ b/charts/ciso-assistant-next/templates/backend/secret.yaml 
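Review bot: ALLOWED_HOSTS is built from `ciso-assistant.url`, so its last entry is `https://<domain>` with the scheme included rather than the bare hostname; Django compares ALLOWED_HOSTS against the Host header, so the public domain presumably never matches and only the internal names are accepted. Use the domain directly: `value: localhost,127.0.0.1,{{ include "ciso-assistant.fullname" . }}-backend,{{ .Values.global.domain }}`. Separately, `CISO_ASSISTANT_SUPERUSER_EMAIL` is rendered unquoted, and the container defines no readiness or liveness probe on port 8000, so a failed migration or a dead worker is never surfaced to the Service. Because `backend.containerSecurityContext` is empty in values.yaml, the `with` block emits nothing and the pod runs with whatever user and capabilities the image defaults to.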
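Review bot: The PVC's annotations are read from `.Values.backend.service.annotations`, i.e. the backend Service's annotation map, which looks like a copy-paste from service.yaml; annotations meant for the Service (load-balancer, mesh) would be stamped onto the storage claim. Use a dedicated key, `{{- with .Values.backend.persistence.annotations }}`, and add `annotations: {}` under `backend.persistence` in values.yaml. Since this claim holds the SQLite database and uploaded evidence, consider also documenting `helm.sh/resource-policy: keep` as a recommended annotation so `helm uninstall` does not delete the data.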
@@ -0,0 +1,17 @@ +{{- if or .Values.backend.config.smtp.primary.password .Values.backend.config.smtp.rescue.password }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "ciso-assistant.fullname" . }}-backend + namespace: {{ .Release.Namespace }} + labels: + {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.backend.name "component" .Values.backend.name) | nindent 4 }} +type: Opaque +data: + {{- if .Values.backend.config.smtp.primary.password }} + email-primary-password: {{ .Values.backend.config.smtp.primary.password | b64enc | quote}} + {{- end }} + {{- if .Values.backend.config.smtp.rescue.password }} + email-rescue-password: {{ .Values.backend.config.smtp.rescue.password | b64enc | quote}} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ciso-assistant-next/templates/backend/service.yaml b/charts/ciso-assistant-next/templates/backend/service.yaml new file mode 100644 index 000000000..dc7142ea7 --- /dev/null +++ b/charts/ciso-assistant-next/templates/backend/service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "ciso-assistant.fullname" . }}-backend + namespace: {{ .Release.Namespace }} + {{- with .Values.backend.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.backend.name "component" .Values.backend.name) | nindent 4 }} +spec: + ports: + - name: {{ .Values.backend.service.portName }} + protocol: TCP + port: {{ .Values.backend.service.port }} + targetPort: http + selector: + {{- include "ciso-assistant.selectorLabels" (dict "context" . "component" .Values.backend.name) | nindent 4 }} \ No newline at end of file diff --git a/charts/ciso-assistant-next/templates/frontend/deployment.yaml b/charts/ciso-assistant-next/templates/frontend/deployment.yaml new file mode 100644 index 000000000..90b9211ef --- /dev/null 
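Review bot: SMTP passwords can only be supplied via `backend.config.smtp.*.password`, so they land in the Helm release Secret and in `helm get values`, and because the shipped defaults are the non-empty placeholders `primary_password_here` / `rescue_password_here`, a default install always creates this Secret and injects placeholder credentials into the pod. Add an `existingSecret` path mirroring the `externalPgsql.existingSecret` convention introduced later in this series: gate this template on `{{- if and (not .Values.backend.config.smtp.existingSecret) (or .Values.backend.config.smtp.primary.password .Values.backend.config.smtp.rescue.password) }}` and have deployment.yaml reference `name: {{ .Values.backend.config.smtp.existingSecret | default (printf "%s-backend" (include "ciso-assistant.fullname" .)) }}`, with the default passwords shipped empty. The `| quote}}` spacing is also inconsistent with the rest of the chart.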
+++ b/charts/ciso-assistant-next/templates/frontend/deployment.yaml 
@@ -0,0 +1,65 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "ciso-assistant.fullname" . }}-frontend + namespace: {{ .Release.Namespace }} + labels: + {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.frontend.name "component" .Values.frontend.name) | nindent 4 }} +spec: + replicas: {{ .Values.frontend.replicas }} + selector: + matchLabels: + {{- include "ciso-assistant.selectorLabels" (dict "context" . "component" .Values.frontend.name) | nindent 6 }} + template: + metadata: + labels: + {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.frontend.name "component" .Values.frontend.name) | nindent 8 }} + spec: + {{- with .Values.frontend.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.global.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Values.frontend.name }} + image: {{ default .Values.global.image.registry .Values.frontend.image.registry }}/{{ .Values.frontend.image.repository }}:{{ default (include "ciso-assistant.defaultTag" .) .Values.frontend.image.tag }} + imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.frontend.image.imagePullPolicy }} + env: + {{- with .Values.frontend.env }} + {{- toYaml . | nindent 10 }} + {{- end }} + - name: ORIGIN + value: {{ template "ciso-assistant.url" . }} + - name: PROTOCOL_HEADER + value: x-forwarded-proto + - name: HOST_HEADER + value: x-forwarded-host + - name: PUBLIC_BACKEND_API_URL + value: http://{{ include "ciso-assistant.fullname" . }}-backend/api + - name: PUBLIC_BACKEND_API_EXPOSED_URL + value: {{ template "ciso-assistant.url" . 
}}/api + - name: BODY_SIZE_LIMIT + value: {{ .Values.frontend.config.bodySizeLimit | quote }} + ports: + - name: http + containerPort: 3000 + protocol: TCP + {{- if .Values.frontend.resources }} + resources: + {{ toYaml .Values.frontend.resources | indent 10 }} + {{- end }} + {{- with .Values.frontend.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.global.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.global.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} \ No newline at end of file diff --git a/charts/ciso-assistant-next/templates/frontend/service.yaml b/charts/ciso-assistant-next/templates/frontend/service.yaml new file mode 100644 index 000000000..ac1ac729c --- /dev/null +++ b/charts/ciso-assistant-next/templates/frontend/service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "ciso-assistant.fullname" . }}-frontend + namespace: {{ .Release.Namespace }} + {{- with .Values.frontend.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.frontend.name "component" .Values.frontend.name) | nindent 4 }} +spec: + ports: + - name: {{ .Values.frontend.service.portName }} + protocol: TCP + port: {{ .Values.frontend.service.port }} + targetPort: http + selector: + {{- include "ciso-assistant.selectorLabels" (dict "context" . "component" .Values.frontend.name) | nindent 4 }} \ No newline at end of file diff --git a/charts/ciso-assistant-next/templates/ingress/ingress.yaml b/charts/ciso-assistant-next/templates/ingress/ingress.yaml new file mode 100644 index 000000000..9be3337fc --- /dev/null +++ b/charts/ciso-assistant-next/templates/ingress/ingress.yaml 
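Review bot: The frontend is configured to trust `x-forwarded-proto` and `x-forwarded-host` unconditionally via PROTOCOL_HEADER/HOST_HEADER, which is correct behind the ingress, but the frontend Service is a plain ClusterIP reachable from any pod in the cluster, so a caller that bypasses the ingress can set those headers itself; if the application uses them for origin/CSRF decisions (as SvelteKit does with ORIGIN and HOST_HEADER), that is a spoofable trust boundary. Either document that a NetworkPolicy limiting ingress to the ingress-controller namespace is expected, or ship one behind a `networkPolicy.enabled` value. As with the backend, no readiness/liveness probe is defined for port 3000 and `frontend.containerSecurityContext` is empty by default, so no `securityContext` is rendered at all.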
@@ -0,0 +1,40 @@ +{{- if .Values.ingress.enabled }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "ciso-assistant.fullname" . }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.frontend.name) | nindent 4 }} +spec: + {{- with .Values.ingress.ingressClassName }} + ingressClassName: {{ . }} + {{- end }} + rules: + - host: {{ .Values.global.domain }} + http: + paths: + - backend: + service: + name: {{ include "ciso-assistant.fullname" . }}-frontend + port: + number: {{ .Values.frontend.service.port }} + path: / + pathType: Prefix + - backend: + service: + name: {{ include "ciso-assistant.fullname" . }}-backend + port: + number: {{ .Values.backend.service.port }} + path: /api/ + pathType: Prefix + {{- if .Values.ingress.tls }} + tls: + - hosts: + - {{ .Values.global.domain }} + secretName: {{ include "ciso-assistant.fullname" . }}-tls + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ciso-assistant-next/templates/ingress/tls-secret.yaml b/charts/ciso-assistant-next/templates/ingress/tls-secret.yaml new file mode 100644 index 000000000..83b2259e7 --- /dev/null +++ b/charts/ciso-assistant-next/templates/ingress/tls-secret.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.ingress.enabled .Values.ingress.tls }} +{{- if .Values.ingress.certificateSecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "ciso-assistant.fullname" . }}-tls + labels: + {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.frontend.name) | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.ingress.certificateSecret.certificate | b64enc }} + tls.key: {{ .Values.ingress.certificateSecret.key | b64enc }} +{{- end }} +{{- end }} \ No newline at end of file 
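Review bot: The Ingress ignores `ingress.hostname`, `ingress.path`, `ingress.pathType` and `ingress.labels` that values.yaml declares — the host is hard-wired to `.Values.global.domain`, the path to `/` and `pathType` to `Prefix` — so users who set those keys get neither an effect nor an error. Either remove the unused keys from values.yaml or honour them, e.g. `- host: {{ .Values.ingress.hostname | default .Values.global.domain }}` and `pathType: {{ .Values.ingress.pathType }}`. With `ingress.tls: false` as the default nothing redirects http to https, and `secretName` always points at `<fullname>-tls` even though that Secret is only rendered when `certificateSecret` is supplied, so a cert-manager flow needs both the commented annotation and `tls: true`, which the README does not mention.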
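Review bot: Accepting the private key through `ingress.certificateSecret.key` stores the PEM key in the Helm release Secret and in the operator's `custom-values.yaml`, and the chart offers no way to reference a pre-created `kubernetes.io/tls` secret or a cert-manager-issued one. Add an `ingress.existingTlsSecret` (or `ingress.tls.secretName`) value, reference it from ingress.yaml instead of the fixed `<fullname>-tls`, and render this template only when the user explicitly opts into inline PEM. Minor inconsistencies: `namespace:` is omitted here unlike the other templates, and the `b64enc` outputs are not `quote`d.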
diff --git a/charts/ciso-assistant-next/values.yaml b/charts/ciso-assistant-next/values.yaml new file mode 100644 index 000000000..b3c1861f7 --- /dev/null +++ b/charts/ciso-assistant-next/values.yaml 
@@ -0,0 +1,248 @@ +## CISO Assistant configuration +## Ref: https://github.com/intuitem/ciso-assistant-community +## + +# -- Provide a name in place of `ciso-assistant` +nameOverride: ciso-assistant +# -- String to fully override `"ciso-assistant.fullname"` +fullnameOverride: "" + +## Globally shared configuration +global: + # -- Default domain used by all components + ## Used for ingresses, certificates, environnement vars, etc. + domain: octopus.foo.bar + + # Default image used by all components + image: + # -- If defined, a registry applied to all CISO Assistant deployments + registry: ghcr.io + # -- Overrides the global CISO Assistant image tag whose default is the chart appVersion + tag: "" + # -- If defined, a imagePullPolicy applied to all CISO Assistant deployments + imagePullPolicy: IfNotPresent + + # -- Secrets with credentials to pull images from a private registry + imagePullSecrets: [] + + # -- Labels to add to all deployed objects + commonLabels: {} + + # -- Kubernetes cluster domain name + clusterDomain: cluster.local + + # -- Toggle and define pod-level security context + securityContext: {} + # fsGroupChangePolicy: Always + # sysctls: [] + # supplementalGroups: [] + # fsGroup: 1001 + + # -- Default node selector for all components + nodeSelector: {} + + # -- Default tolerations for all components + tolerations: [] + +## CISO Assistant backend +backend: + # -- Backend name + name: backend + + # -- The number of backend pods to run + replicas: 1 + + ## Backend specific config + config: + # -- Email admin for initial configuration + emailAdmin: admin@example.net + + # -- SMTP configuration + smtp: + defaultFrom: no-reply@ciso-assistant.net + debug: false + primary: + host: primary.cool-mailer.net + port: 587 + username: apikey + password: "primary_password_here" + useTls: true + rescue: + host: smtp.secondary.mailer.cloud + port: 587 + username: username + password: "rescue_password_here" + useTls: true + + # -- Set the database type (sqlite or pgsql) 
+ databaseType: sqlite + + # -- Enable Django debug mode + djangoDebug: false + + # -- Backend persistence configuration (used for sqlitedb and proofs storage) + persistence: + enabled: true + size: 5Gi + storageClass: "" + accessMode: ReadWriteOnce + + ## Backend image + image: + # -- Registry to use for the backend + # @default -- `""` (defaults to global.image.registry) + registry: "" + # -- Repository to use for the backend + repository: intuitem/ciso-assistant-community/backend + # -- Tag to use for the backend + # @default -- `""` (defaults to global.image.tag) + tag: "" + # -- Image pull policy for the backend + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" + + # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) + imagePullSecrets: [] + + # -- Resources for the backend + resources: {} + # requests: + # cpu: 100m + # memory: 512Mi + # limits: + # cpu: 256m + # memory: 1024Mi + + # -- Environment variables to pass to backend + env: [] + + # -- Toggle and define container-level security context + containerSecurityContext: + # seLinuxOptions: {} + # runAsUser: 1001 + # runAsGroup: 1001 + # runAsNonRoot: true + # privileged: false + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: ["ALL"] + # seccompProfile: + # type: "RuntimeDefault" + + ## Backend service configuration + service: + # -- Backend service annotations + annotations: {} + # -- Backend service labels + labels: {} + # -- Backend service http port + port: 80 + # -- Backend service port name + portName: http + + +## CISO Assistant frontend +frontend: + # -- Frontend name + name: frontend + + # -- The number of frontend pods to run + replicas: 1 + + ## Frontend specific config + config: + # -- Configure body size limit for uploads in bytes (unit suffix like K/M/G can be used) + bodySizeLimit: "50M" + + ## Frontend image + image: + # -- Registry to 
use for the frontend + # @default -- `""` (defaults to global.image.registry) + registry: "" + # -- Repository to use for the frontend + repository: intuitem/ciso-assistant-community/frontend + # -- Tag to use for the frontend + # @default -- `""` (defaults to global.image.tag) + tag: "" + # -- Image pull policy for the frontend + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" + + # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) + imagePullSecrets: [] + + # -- Resources for the frontend + resources: {} + # requests: + # cpu: 100m + # memory: 512Mi + # limits: + # cpu: 256m + # memory: 1024Mi + + # -- Environment variables to pass to frontend + env: [] + + # -- Toggle and define container-level security context + containerSecurityContext: + # seLinuxOptions: {} + # runAsUser: 1001 + # runAsGroup: 1001 + # runAsNonRoot: true + # privileged: false + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: ["ALL"] + # seccompProfile: + # type: "RuntimeDefault" + + ## Frontend service configuration + service: + # -- Frontend service annotations + annotations: {} + # -- Frontend service labels + labels: {} + # -- Frontend service http port + port: 80 + # -- Frontend service port name + portName: http + +# CISO Assistant ingress configuration +ingress: + # -- Enable an ingress resource for the CISO Assistant + enabled: true + # -- Additional ingress labels + labels: {} + # -- Additional ingress annotations + annotations: {} + # nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + # cert-manager.io/cluster-issuer: letsencrypt + # -- Defines which ingress controller will implement the resource + ingressClassName: "" + # -- CISO Assistant hostname + # @default -- `""` (defaults to global.domain) + hostname: "" + # -- The path to CISO Assistant + path: / + # -- Ingress path type. 
One of `Exact`, `Prefix` or `ImplementationSpecific` + pathType: Prefix + + # -- Enable TLS configuration for the hostname defined at `ingress.hostname` + ## TLS certificate will be retrieved from a TLS secret `{{ ciso-assistant.fullname }}-tls` + ## You can create this secret manually via `certificateSecret` option + tls: false + # -- Custom TLS certificate as secret + ## Note: 'key' and 'certificate' are expected in PEM format + certificateSecret: {} + # key: |- + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- + # certificate: |- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- From e6272a5e2d49b54b9b1154bc2e6f955401629384 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nathana=C3=ABl=20M=2E?= Date: Wed, 25 Dec 2024 13:52:23 +0100 Subject: [PATCH 02/11] Add PgSQL support --- charts/ciso-assistant-next/Chart.lock | 6 ++ charts/ciso-assistant-next/Chart.yaml | 9 +-- .../templates/backend/deployment.yaml | 66 +++++++++++++++++-- charts/ciso-assistant-next/values.yaml | 62 +++++++++++++++-- 4 files changed, 127 insertions(+), 16 deletions(-) create mode 100644 charts/ciso-assistant-next/Chart.lock diff --git a/charts/ciso-assistant-next/Chart.lock b/charts/ciso-assistant-next/Chart.lock new file mode 100644 index 000000000..0ba08e089 --- /dev/null +++ b/charts/ciso-assistant-next/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: postgresql + repository: oci://registry-1.docker.io/bitnamicharts + version: 16.3.4 +digest: sha256:55fdc174ee8e9fe9525c9ab609f172c60e3271df3e754b7f8b80f752172e183c +generated: "2024-12-25T12:17:41.0140471+01:00" diff --git a/charts/ciso-assistant-next/Chart.yaml b/charts/ciso-assistant-next/Chart.yaml index 60f9ae9c6..ec39ace66 100644 --- a/charts/ciso-assistant-next/Chart.yaml +++ b/charts/ciso-assistant-next/Chart.yaml 
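Review bot: `backend.containerSecurityContext` and `frontend.containerSecurityContext` have every child commented out, so they render as null and the `with` blocks in both deployments emit no `securityContext`; by default the pods run as the image's user, may escalate privileges and keep all capabilities. Since the hardened settings are already written out as comments, enable them as defaults and leave only `readOnlyRootFilesystem` opt-in until the images' writable paths are confirmed. The SMTP defaults also ship real-looking hosts and non-empty placeholder passwords (`primary_password_here`, `rescue_password_here`) that silently become live configuration and a rendered Secret; leave `host` and `password` empty so email settings are only injected when deliberately configured.

```yaml
  # -- Toggle and define container-level security context
  containerSecurityContext:
    runAsNonRoot: true  # verify the image runs as a non-root UID before shipping
    allowPrivilegeEscalation: false
    privileged: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
    # readOnlyRootFilesystem: true  # enable once writable paths are confirmed
  # … unchanged: service configuration …
```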
@@ -7,7 +7,8 @@ appVersion: "v1.9.3"
 icon: https://intuitem.com/ciso-assistant.svg
 sources:
 - https://github.com/intuitem/ciso-assistant-community
-#dependencies:
-# - name: postgresql
-# version: "16.3.3"
-# repository: "oci://registry-1.docker.io/bitnamicharts"
+dependencies:
+ - name: postgresql
+ version: "16.3.4"
+ repository: "oci://registry-1.docker.io/bitnamicharts"
+ condition: postgresql.enabled
diff --git a/charts/ciso-assistant-next/templates/backend/deployment.yaml b/charts/ciso-assistant-next/templates/backend/deployment.yaml
index b0f67e020..5b60a63ec 100644
--- a/charts/ciso-assistant-next/templates/backend/deployment.yaml
+++ b/charts/ciso-assistant-next/templates/backend/deployment.yaml
@@ -33,6 +33,47 @@ spec: {{- with .Values.backend.env }} {{- toYaml . | nindent 10 }} {{- end }} + {{- if and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled }} + - name: SQLITE_FILE + value: /ciso/db/ciso-assistant.sqlite3 + {{- else if eq .Values.backend.config.databaseType "pgsql" }} + - name: DB_HOST + value: {{ template "ciso-assistant.fullname" . }}-postgresql + - name: DB_PORT + value: 5432 + - name: POSTGRES_NAME + value: {{ .Values.postgresql.global.postgresql.auth.database | quote }} + - name: POSTGRES_USER + value: {{ .Values.postgresql.global.postgresql.auth.username }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "ciso-assistant.fullname" . }}-postgresql + key: password + {{- else if eq .Values.backend.config.databaseType "externalPgsql" }} + - name: DB_HOST + value: {{ .Values.externalPgsql.host | quote }} + - name: DB_PORT + value: {{ .Values.externalPgsql.port | quote }} + - name: POSTGRES_NAME + value: {{ .Values.externalPgsql.database | quote }} + - name: POSTGRES_USER + value: {{ .Values.externalPgsql.user | quote }} + {{- if .Values.externalPgsql.existingSecret }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.externalPgsql.existingSecret }} + key: password + {{- else }} + - name: POSTGRES_PASSWORD + value: {{ .Values.externalPgsql.password | quote }} + {{- end }} + {{- end }} + {{- if .Values.backend.persistence.localStorage.enabled }} + - name: LOCAL_STORAGE_DIRECTORY + value: /ciso/localStorage + {{- end }} - name: DJANGO_DEBUG value: {{ ternary "True" "False" .Values.backend.config.djangoDebug | quote }} - name: CISO_ASSISTANT_SUPERUSER_EMAIL 
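Review bot: `DB_PORT` is rendered as `value: 5432`, an unquoted integer; the Kubernetes API requires `EnvVar.value` to be a string, so the `pgsql` branch fails validation at install time — write `value: "5432"` (and quote `POSTGRES_USER` the same way). In the `externalPgsql` branch, when no `existingSecret` is given the password is inlined as a plain env `value:` in the pod spec, visible to anyone who can read pods, whereas the SMTP passwords in the same container go through a Secret; route it through the backend Secret for consistency. Nothing checks that `postgresql.enabled` is true when `databaseType` is `pgsql`, so a mismatch yields a pod that cannot resolve `<release>-postgresql`; a guard such as `{{- if and (eq .Values.backend.config.databaseType "pgsql") (not .Values.postgresql.enabled) }}{{ fail "backend.config.databaseType=pgsql requires postgresql.enabled=true" }}{{- end }}` at the top of the template would surface it. The `env:` list this hunk extends starts above the hunk.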
@@ -77,10 +118,16 @@ spec: name: {{ include "ciso-assistant.fullname" . }}-backend key: email-rescue-password {{- end }} - {{- if .Values.backend.persistence.enabled }} + {{- if or (and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled) .Values.backend.persistence.localStorage.enabled }} volumeMounts: - - name: backend-data - mountPath: /code/db + {{- if and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled }} + - name: sqlite-data + mountPath: /ciso/db + {{- end }} + {{- if .Values.backend.persistence.localStorage.enabled }} + - name: localstorage-data + mountPath: /ciso/localStorage + {{- end }} {{- end }} ports: - name: http @@ -102,9 +149,16 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.backend.persistence.enabled }} + {{- if or (and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled) .Values.backend.persistence.localStorage.enabled }} volumes: - - name: backend-data + {{- if and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled }} + - name: sqlite-data + persistentVolumeClaim: + claimName: {{ include "ciso-assistant.fullname" . }}-sqlite + {{- end }} + {{- if .Values.backend.persistence.localStorage.enabled }} + - name: localstorage-data persistentVolumeClaim: - claimName: {{ include "ciso-assistant.fullname" . }}-backend + claimName: {{ include "ciso-assistant.fullname" . }}-localstorage {{- end }} + {{- end }} \ No newline at end of file diff --git a/charts/ciso-assistant-next/values.yaml b/charts/ciso-assistant-next/values.yaml index b3c1861f7..26a5b34c5 100644 --- a/charts/ciso-assistant-next/values.yaml +++ b/charts/ciso-assistant-next/values.yaml 
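Review bot: The volumes now claim `<fullname>-sqlite` and `<fullname>-localstorage`, but persistentvolumeclaim.yaml is not touched in this commit (see the diffstat): it is still gated on `.Values.backend.persistence.enabled`, which this commit removes from values.yaml, and it only ever creates `<fullname>-backend`. Rendered as-is the PVC template emits nothing and the backend pod stays Pending on two missing claims. Update the PVC template to emit one claim per enabled persistence entry, creating the SQLite claim only when `databaseType` is `sqlite`. Both hunks end inside the Deployment's pod spec, whose header is above the first hunk.

```yaml
{{- $root := . }}
{{- range $name, $cfg := (dict "sqlite" .Values.backend.persistence.sqlite "localstorage" .Values.backend.persistence.localStorage) }}
{{- if and $cfg.enabled (or (ne $name "sqlite") (eq $root.Values.backend.config.databaseType "sqlite")) }}
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: {{ include "ciso-assistant.fullname" $root }}-{{ $name }}
  namespace: {{ $root.Release.Namespace }}
  labels:
    {{- include "ciso-assistant.labels" (dict "context" $root "component" $root.Values.backend.name) | nindent 4 }}
spec:
  accessModes:
    - {{ $cfg.accessMode }}
  resources:
    requests:
      storage: {{ $cfg.size }}
  {{- with $cfg.storageClass }}
  storageClassName: {{ . }}
  {{- end }}
{{- end }}
{{- end }}
```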
@@ -74,18 +74,26 @@ backend:
 password: "rescue_password_here"
 useTls: true
- # -- Set the database type (sqlite or pgsql)
+ # -- Set the database type (sqlite, pgsql or externalPgsql)
+ ## Note : PostgreSQL database configuration at `postgresql` or `externalPgsql` section
 databaseType: sqlite
 # -- Enable Django debug mode
 djangoDebug: false
- # -- Backend persistence configuration (used for sqlitedb and proofs storage)
+ # -- Backend persistence configuration (used for sqlitedb and local storage)
+ ## Note: SQLite PVC will not be created if `backend.config.databaseType` is not with `sqlite` value
 persistence:
- enabled: true
- size: 5Gi
- storageClass: ""
- accessMode: ReadWriteOnce
+ sqlite:
+ enabled: true
+ size: 5Gi
+ storageClass: ""
+ accessMode: ReadWriteOnce
+ localStorage:
+ enabled: true
+ size: 5Gi
+ storageClass: ""
+ accessMode: ReadWriteOnce
 ## Backend image
 image:
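Review bot: The new `persistence.sqlite` and `persistence.localStorage` defaults both use `accessMode: ReadWriteOnce`, yet neither the values comment nor the `## Note:` line ties `databaseType: sqlite` to a single backend replica; `backend.replicas` is configurable (the backend Deployment reads it in a later hunk of this series), and a second pod would either not schedule against the RWO claim or share one SQLite file. A comment above `sqlite:` such as `## Note: SQLite mode is only supported with backend.replicas: 1` would document the constraint, and a `fail` guard in the Deployment template could enforce it; I am inferring the constraint from the access mode and the database type, not from code visible here.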
@@ -246,3 +254,45 @@ ingress:
 # -----BEGIN CERTIFICATE-----
 # ...
 # -----END CERTIFICATE-----
+
+## Bundeled PostgreSQL database configuration (Bitnami chart)
+## Ref: https://artifacthub.io/packages/helm/bitnami/postgresql
+## Note: Don't enable if you use SQLite mode or external PgSQL database
+postgresql:
+ enabled: false
+ # -- Customize auth to create ciso-assistant user.
+ ## Can be used to define static passwords.
+ global:
+ postgresql:
+ auth:
+ # postgresPassword: ""
+ database: ciso-assistant
+ username: ciso-assistant
+ # password: ""
+ # -- PostgreSQL persistant volume size (default 8Gi).
+ primary:
+ persistence:
+ size: 5Gi
+
+## External PostgreSQL database configuration
+## Note: All of these values are only used when backend.config.databaseType is set to externalPgsql
+externalPgsql:
+ # -- Host of an external PostgreSQL instance to connect
+ ##
+ host: ""
+ # -- User of an external PostgreSQL instance to connect
+ ##
+ user: ciso-assistant
+ # -- Password of an external PostgreSQL instance to connect
+ ##
+ password: ""
+ # -- Secret containing the password of an external PostgreSQL instance to connect
+ ## Name of an existing secret resource containing the DB password in a 'password' key
+ ##
+ existingSecret: ""
+ # -- Database inside an external PostgreSQL to connect
+ ##
+ database: ciso-assistant
+ # -- Port of an external PostgreSQL to connect
+ ##
+ port: 5432
From 0564e72d71ebeaa69f83b319560f0ccb1a34c227 Mon Sep 17 00:00:00 2001
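Review bot: `postgresql.enabled` defaults to `false` while `backend.config.databaseType` accepts `pgsql`, and nothing cross-checks the two; with `databaseType: pgsql` and the bundled chart left disabled, the backend env rendered by the deployment hunk earlier in this patch points at a `-postgresql` Secret that is never created, so the pod stays in a config error instead of failing at install. A render-time guard in the backend Deployment template such as `{{- if and (eq .Values.backend.config.databaseType "pgsql") (not .Values.postgresql.enabled) }}{{ fail "backend.config.databaseType=pgsql requires postgresql.enabled=true" }}{{- end }}` makes the mistake visible immediately; failing that, the `## Note:` above `postgresql:` should state the dependency. The `externalPgsql.existingSecret` comment also fixes the key name to `password` because the consuming template hard-codes it; an optional `existingSecretKey` value would let operators reuse Secrets they already have, but that is a nice-to-have.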
From: =?UTF-8?q?Nathana=C3=ABl=20M=2E?= Date: Wed, 25 Dec 2024 14:00:30 +0100 Subject: [PATCH 03/11] Enable securityContexts and add missing PVC --- .../templates/backend/deployment.yaml | 4 +- .../backend/persistentvolumeclaim.yaml | 37 ++++++++---- .../templates/backend/secret.yaml | 2 +- .../templates/backend/service.yaml | 2 +- .../templates/frontend/deployment.yaml | 4 +- .../templates/frontend/service.yaml | 2 +- charts/ciso-assistant-next/values.yaml | 56 +++++++++---------- 7 files changed, 61 insertions(+), 46 deletions(-) diff --git a/charts/ciso-assistant-next/templates/backend/deployment.yaml b/charts/ciso-assistant-next/templates/backend/deployment.yaml index 5b60a63ec..29d5a5669 100644 --- a/charts/ciso-assistant-next/templates/backend/deployment.yaml +++ b/charts/ciso-assistant-next/templates/backend/deployment.yaml @@ -4,7 +4,7 @@ metadata: name: {{ template "ciso-assistant.fullname" . }}-backend namespace: {{ .Release.Namespace }} labels: - {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.backend.name "component" .Values.backend.name) | nindent 4 }} + {{- include "ciso-assistant.labels" (dict "context" . "name" .Values.backend.name "component" .Values.backend.name) | nindent 4 }} spec: replicas: {{ .Values.backend.replicas }} selector: @@ -15,7 +15,7 @@ spec: annotations: checksum/secret-backend: {{ include (print $.Template.BasePath "/backend/secret.yaml") . | sha256sum }} labels: - {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.backend.name "component" .Values.backend.name) | nindent 8 }} + {{- include "ciso-assistant.labels" (dict "context" . "name" .Values.backend.name "component" .Values.backend.name) | nindent 8 }} spec: {{- with .Values.backend.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: 
diff --git a/charts/ciso-assistant-next/templates/backend/persistentvolumeclaim.yaml b/charts/ciso-assistant-next/templates/backend/persistentvolumeclaim.yaml index 303333cd4..e9b7b410f 100644 --- a/charts/ciso-assistant-next/templates/backend/persistentvolumeclaim.yaml +++ b/charts/ciso-assistant-next/templates/backend/persistentvolumeclaim.yaml 
@@ -1,22 +1,37 @@
-{{- if .Values.backend.persistence.enabled }}
+{{- if and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled }}
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
- name: {{ include "ciso-assistant.fullname" . }}-backend
+ name: {{ include "ciso-assistant.fullname" . }}-sqlite
 namespace: {{ .Release.Namespace }}
- {{- with .Values.backend.service.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
+ labels:
+ {{- include "ciso-assistant.labels" (dict "context" . "name" .Values.backend.name "component" .Values.backend.name) | nindent 4 }}
+spec:
+ accessModes:
+ - {{ .Values.backend.persistence.sqlite.accessMode }}
+ resources:
+ requests:
+ storage: {{ .Values.backend.persistence.sqlite.size }}
+ {{- if .Values.backend.persistence.sqlite.storageClass }}
+ storageClassName: {{ .Values.backend.persistence.sqlite.storageClass }}
 {{- end }}
+{{- end }}
+---
+{{- if .Values.backend.persistence.localStorage.enabled }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: {{ include "ciso-assistant.fullname" . }}-localstorage
+ namespace: {{ .Release.Namespace }}
 labels:
- {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.backend.name "component" .Values.backend.name) | nindent 4 }}
+ {{- include "ciso-assistant.labels" (dict "context" . "name" .Values.backend.name "component" .Values.backend.name) | nindent 4 }}
 spec:
 accessModes:
- - {{ .Values.backend.persistence.accessMode }}
+ - {{ .Values.backend.persistence.localStorage.accessMode }}
 resources:
 requests:
- storage: {{ .Values.backend.persistence.size }}
- {{- if .Values.backend.persistence.storageClass }}
- storageClassName: {{ .Values.backend.persistence.storageClass }}
+ storage: {{ .Values.backend.persistence.localStorage.size }}
+ {{- if .Values.backend.persistence.localStorage.storageClass }}
+ storageClassName: {{ .Values.backend.persistence.localStorage.storageClass }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/ciso-assistant-next/templates/backend/secret.yaml b/charts/ciso-assistant-next/templates/backend/secret.yaml
index 4854669cb..a88b66a1d 100644
--- a/charts/ciso-assistant-next/templates/backend/secret.yaml
+++ b/charts/ciso-assistant-next/templates/backend/secret.yaml
@@ -5,7 +5,7 @@ metadata:
 name: {{ include "ciso-assistant.fullname" . }}-backend
 namespace: {{ .Release.Namespace }}
 labels:
- {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.backend.name "component" .Values.backend.name) | nindent 4 }}
+ {{- include "ciso-assistant.labels" (dict "context" . "name" .Values.backend.name "component" .Values.backend.name) | nindent 4 }}
 type: Opaque
 data:
 {{- if .Values.backend.config.smtp.primary.password }}
diff --git a/charts/ciso-assistant-next/templates/backend/service.yaml b/charts/ciso-assistant-next/templates/backend/service.yaml
index dc7142ea7..b138f5b68 100644
--- a/charts/ciso-assistant-next/templates/backend/service.yaml
+++ b/charts/ciso-assistant-next/templates/backend/service.yaml
@@ -8,7 +8,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} labels: - {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.backend.name "component" .Values.backend.name) | nindent 4 }} + {{- include "ciso-assistant.labels" (dict "context" . "name" .Values.backend.name "component" .Values.backend.name) | nindent 4 }} spec: ports: - name: {{ .Values.backend.service.portName }} diff --git a/charts/ciso-assistant-next/templates/frontend/deployment.yaml b/charts/ciso-assistant-next/templates/frontend/deployment.yaml index 90b9211ef..de2aa3cdb 100644 --- a/charts/ciso-assistant-next/templates/frontend/deployment.yaml +++ b/charts/ciso-assistant-next/templates/frontend/deployment.yaml @@ -4,7 +4,7 @@ metadata: name: {{ template "ciso-assistant.fullname" . }}-frontend namespace: {{ .Release.Namespace }} labels: - {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.frontend.name "component" .Values.frontend.name) | nindent 4 }} + {{- include "ciso-assistant.labels" (dict "context" . "name" .Values.frontend.name "component" .Values.frontend.name) | nindent 4 }} spec: replicas: {{ .Values.frontend.replicas }} selector: @@ -13,7 +13,7 @@ spec: template: metadata: labels: - {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.frontend.name "component" .Values.frontend.name) | nindent 8 }} + {{- include "ciso-assistant.labels" (dict "context" . "name" .Values.frontend.name "component" .Values.frontend.name) | nindent 8 }} spec: {{- with .Values.frontend.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: diff --git a/charts/ciso-assistant-next/templates/frontend/service.yaml b/charts/ciso-assistant-next/templates/frontend/service.yaml index ac1ac729c..e4583371f 100644 --- a/charts/ciso-assistant-next/templates/frontend/service.yaml +++ b/charts/ciso-assistant-next/templates/frontend/service.yaml 
@@ -8,7 +8,7 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 labels:
- {{- include "ciso-assistant.labels" (dict "context" . "component" .Values.frontend.name "component" .Values.frontend.name) | nindent 4 }}
+ {{- include "ciso-assistant.labels" (dict "context" . "name" .Values.frontend.name "component" .Values.frontend.name) | nindent 4 }}
 spec:
 ports:
 - name: {{ .Values.frontend.service.portName }}
diff --git a/charts/ciso-assistant-next/values.yaml b/charts/ciso-assistant-next/values.yaml
index 26a5b34c5..7bc12e368 100644
--- a/charts/ciso-assistant-next/values.yaml
+++ b/charts/ciso-assistant-next/values.yaml
@@ -32,11 +32,11 @@ global:
 clusterDomain: cluster.local
 # -- Toggle and define pod-level security context
- securityContext: {}
- # fsGroupChangePolicy: Always
- # sysctls: []
- # supplementalGroups: []
- # fsGroup: 1001
+ securityContext:
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
 # -- Default node selector for all components
 nodeSelector: {}
@@ -82,7 +82,7 @@ backend:
 djangoDebug: false
 # -- Backend persistence configuration (used for sqlitedb and local storage)
- ## Note: SQLite PVC will not be created if `backend.config.databaseType` is not with `sqlite` value
+ ## Note: SQLite PVC will be created only `backend.config.databaseType` use `sqlite` value
 persistence:
 sqlite:
 enabled: true
@@ -127,17 +127,17 @@ backend:
 # -- Toggle and define container-level security context
 containerSecurityContext:
- # seLinuxOptions: {}
- # runAsUser: 1001
- # runAsGroup: 1001
- # runAsNonRoot: true
- # privileged: false
- # readOnlyRootFilesystem: true
- # allowPrivilegeEscalation: false
- # capabilities:
- # drop: ["ALL"]
- # seccompProfile:
- # type: "RuntimeDefault"
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
 ## Backend service configuration
 service:
@@ -196,17 +196,17 @@ frontend:
 # -- Toggle and define container-level security context
 containerSecurityContext:
- # seLinuxOptions: {}
- # runAsUser: 1001
- # runAsGroup: 1001
- # runAsNonRoot: true
- # privileged: false
- # readOnlyRootFilesystem: true
- # allowPrivilegeEscalation: false
- # capabilities:
- # drop: ["ALL"]
- # seccompProfile:
- # type: "RuntimeDefault"
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
 ## Frontend service configuration
 service:
From 7f94a55ffebc725d60d34369593aebb2702b2d3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nathana=C3=ABl=20M=2E?= Date: Wed, 25 Dec 2024 14:28:04 +0100 Subject: [PATCH 04/11] Add comments for helm-docs generator
--- charts/ciso-assistant-next/Chart.yaml | 1 + charts/ciso-assistant-next/README.md | 123 ++++++++++++++++++++----- charts/ciso-assistant-next/values.yaml | 53 +++++++---- 3 files changed, 135 insertions(+), 42 deletions(-)
diff --git a/charts/ciso-assistant-next/Chart.yaml b/charts/ciso-assistant-next/Chart.yaml
index ec39ace66..0441178ea 100644
--- a/charts/ciso-assistant-next/Chart.yaml
+++ b/charts/ciso-assistant-next/Chart.yaml
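Review bot: `readOnlyRootFilesystem: true` becomes the default for the backend here and for the frontend in `@@ -196,17 +196,17 @@` on the same line, but the Deployments in this series mount only the sqlite and localStorage claims, so any path the images write outside those (`/tmp`, caches) now fails at runtime; the later commit in this series (PATCH 06, "Revert security context, add /tmp volume") confirms the problem and reverts both blocks to `{}`. A smaller fix keeps the hardened defaults and adds an `emptyDir` for the writable paths, e.g. `- name: tmp` / `emptyDir: {}` under `volumes:` with a matching `mountPath: /tmp` in the container, so the capability drop, seccomp profile and non-root settings stay in place. `runAsUser: 1001` / `runAsGroup: 1001` also hard-code the uid the images are assumed to be built for, and `seLinuxOptions: {}` adds nothing; confirm the uid against the images and drop the empty map.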
@@ -5,6 +5,7 @@ type: application version: 0.1.0 appVersion: "v1.9.3" icon: https://intuitem.com/ciso-assistant.svg +home: https://intuitem.com sources: - https://github.com/intuitem/ciso-assistant-community dependencies: diff --git a/charts/ciso-assistant-next/README.md b/charts/ciso-assistant-next/README.md index a790916b2..f35683c77 100644 --- a/charts/ciso-assistant-next/README.md +++ b/charts/ciso-assistant-next/README.md 
@@ -1,34 +1,109 @@ -## Installation +# ciso-assistant -### Pulling default values +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.9.3](https://img.shields.io/badge/AppVersion-v1.9.3-informational?style=flat-square) -``` -helm show values . > ../custom-values.yaml -``` +A Helm chart for CISO Assistant k8s's deployment -### Creating a dedicated namespace +**Homepage:** -``` -kubectl create ns ciso-assistant -``` +## Source Code -### Install +* -``` -helm install my-release . -f ../custom-values.yaml -n ciso-assistant -``` +## Requirements -### Uninstall +| Repository | Name | Version | +|------------|------|---------| +| oci://registry-1.docker.io/bitnamicharts | postgresql | 16.3.4 | -``` -helm uninstall my-release -n ciso-assistant -``` +## Values +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| backend.config.databaseType | string | `"sqlite"` | Set the database type (sqlite, pgsql or externalPgsql) # Note : PostgreSQL database configuration at `postgresql` or `externalPgsql` section | +| backend.config.djangoDebug | bool | `false` | Enable Django debug mode | +| backend.config.emailAdmin | string | `"admin@example.net"` | Admin email for initial configuration | +| backend.config.smtp.defaultFrom | string | `"no-reply@ciso-assistant.net"` | Default from email address | +| backend.config.smtp.primary.host | string | `"primary.cool-mailer.net"` | Primary SMTP hostname | +| backend.config.smtp.primary.password | string | `"primary_password_here"` | Primary SMTP password | +| backend.config.smtp.primary.port | int | `587` | Primary SMTP post | +| backend.config.smtp.primary.useTls | bool | `true` | Enable TLS for primary SMTP | +| backend.config.smtp.primary.username | string | `"apikey"` | Primary SMTP username | +| backend.config.smtp.rescue.host | string | 
`"smtp.secondary.mailer.cloud"` | Rescue SMTP hostname | +| backend.config.smtp.rescue.password | string | `"rescue_password_here"` | Rescue SMTP hostname | +| backend.config.smtp.rescue.port | int | `587` | Rescue SMTP hostname | +| backend.config.smtp.rescue.useTls | bool | `true` | Enable TLS for rescue SMTP | +| backend.config.smtp.rescue.username | string | `"username"` | Rescue SMTP hostname | +| backend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1001,"runAsNonRoot":true,"runAsUser":1001,"seLinuxOptions":{},"seccompProfile":{"type":"RuntimeDefault"}}` | Toggle and define container-level security context | +| backend.env | list | `[]` | Environment variables to pass to backend | +| backend.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the backend | +| backend.image.registry | string | `""` (defaults to global.image.registry) | Registry to use for the backend | +| backend.image.repository | string | `"intuitem/ciso-assistant-community/backend"` | Repository to use for the backend | +| backend.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the backend | +| backend.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | +| backend.name | string | `"backend"` | Backend name | +| backend.persistence.localStorage.accessMode | string | `"ReadWriteOnce"` | Local Storage persistant volume accessMode | +| backend.persistence.localStorage.enabled | bool | `true` | Enable Local Storage persistence | +| backend.persistence.localStorage.size | string | `"5Gi"` | Local Storage persistant volume size | +| backend.persistence.localStorage.storageClass | string | `""` | Local Storage persistant volume storageClass | +| backend.persistence.sqlite.accessMode | string | `"ReadWriteOnce"` | SQLite 
persistant volume accessMode | +| backend.persistence.sqlite.enabled | bool | `true` | Enable SQLite persistence Note: only when `backend.config.databaseType` use `sqlite` value | +| backend.persistence.sqlite.size | string | `"5Gi"` | SQLite persistant volume size | +| backend.persistence.sqlite.storageClass | string | `""` | SQLite persistant volume storageClass | +| backend.replicas | int | `1` | The number of backend pods to run | +| backend.resources | object | `{}` | Resources for the backend | +| backend.service.annotations | object | `{}` | Backend service annotations | +| backend.service.labels | object | `{}` | Backend service labels | +| backend.service.port | int | `80` | Backend service http port | +| backend.service.portName | string | `"http"` | Backend service port name | +| externalPgsql.database | string | `"ciso-assistant"` | Database inside an external PostgreSQL to connect | +| externalPgsql.existingSecret | string | `""` | Secret containing the password of an external PostgreSQL instance to connect # Name of an existing secret resource containing the DB password in a 'password' key | +| externalPgsql.host | string | `""` | Host of an external PostgreSQL instance to connect | +| externalPgsql.password | string | `""` | Password of an external PostgreSQL instance to connect | +| externalPgsql.port | int | `5432` | Port of an external PostgreSQL to connect | +| externalPgsql.user | string | `"ciso-assistant"` | User of an external PostgreSQL instance to connect | +| frontend.config.bodySizeLimit | string | `"50M"` | Configure body size limit for uploads in bytes (unit suffix like K/M/G can be used) | +| frontend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1001,"runAsNonRoot":true,"runAsUser":1001,"seLinuxOptions":{},"seccompProfile":{"type":"RuntimeDefault"}}` | Toggle and define container-level security context | +| 
frontend.env | list | `[]` | Environment variables to pass to frontend | +| frontend.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the frontend | +| frontend.image.registry | string | `""` (defaults to global.image.registry) | Registry to use for the frontend | +| frontend.image.repository | string | `"intuitem/ciso-assistant-community/frontend"` | Repository to use for the frontend | +| frontend.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the frontend | +| frontend.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | +| frontend.name | string | `"frontend"` | Frontend name | +| frontend.replicas | int | `1` | The number of frontend pods to run | +| frontend.resources | object | `{}` | Resources for the frontend | +| frontend.service.annotations | object | `{}` | Frontend service annotations | +| frontend.service.labels | object | `{}` | Frontend service labels | +| frontend.service.port | int | `80` | Frontend service http port | +| frontend.service.portName | string | `"http"` | Frontend service port name | +| fullnameOverride | string | `""` | String to fully override `"ciso-assistant.fullname"` | +| global.clusterDomain | string | `"cluster.local"` | Kubernetes cluster domain name | +| global.commonLabels | object | `{}` | Labels to add to all deployed objects | +| global.domain | string | `"octopus.foo.bar"` | Default domain used by all components # Used for ingresses, certificates, environnement vars, etc. 
| +| global.image.imagePullPolicy | string | `"IfNotPresent"` | If defined, a imagePullPolicy applied to all CISO Assistant deployments | +| global.image.registry | string | `"ghcr.io"` | If defined, a registry applied to all CISO Assistant deployments | +| global.image.tag | string | `""` | Overrides the global CISO Assistant image tag whose default is the chart appVersion | +| global.imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry | +| global.nodeSelector | object | `{}` | Default node selector for all components | +| global.securityContext | object | `{"fsGroup":1001,"fsGroupChangePolicy":"Always","supplementalGroups":[],"sysctls":[]}` | Toggle and define pod-level security context | +| global.tolerations | list | `[]` | Default tolerations for all components | +| ingress.annotations | object | `{}` | Additional ingress annotations | +| ingress.certificateSecret | object | `{}` | Custom TLS certificate as secret # Note: 'key' and 'certificate' are expected in PEM format | +| ingress.enabled | bool | `true` | Enable an ingress resource for the CISO Assistant | +| ingress.hostname | string | `""` (defaults to global.domain) | CISO Assistant hostname | +| ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource | +| ingress.labels | object | `{}` | Additional ingress labels | +| ingress.path | string | `"/"` | The path to CISO Assistant | +| ingress.pathType | string | `"Prefix"` | Ingress path type. 
One of `Exact`, `Prefix` or `ImplementationSpecific` | +| ingress.tls | bool | `false` | Enable TLS configuration for the hostname defined at `ingress.hostname` # TLS certificate will be retrieved from a TLS secret `{{ ciso-assistant.fullname }}-tls` # You can create this secret manually via `certificateSecret` option | +| nameOverride | string | `"ciso-assistant"` | Provide a name in place of `ciso-assistant` | +| postgresql.enabled | bool | `false` | Enable to deploy PostgreSQL. | +| postgresql.global.postgresql.auth.database | string | `"ciso-assistant"` | Database name | +| postgresql.global.postgresql.auth.password | string | `""` | Database user account password # Note: if not set, it will be dynamically generated | +| postgresql.global.postgresql.auth.postgresPassword | string | `""` | Super-user postgres account password # Note: if not set, it will be dynamically generated | +| postgresql.global.postgresql.auth.username | string | `"ciso-assistant"` | Database username | +| postgresql.primary.persistence.size | string | `"5Gi"` | PostgreSQL persistant volume size (default 8Gi). | -## Upgrading - -When upgrading, make sure to: -1. Backup your persistent volumes -2. Update any custom values -3. Run: helm repo update -4. Run: helm upgrade my-release . --set global.image.tag= +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/charts/ciso-assistant-next/values.yaml b/charts/ciso-assistant-next/values.yaml index 7bc12e368..276282180 100644 --- a/charts/ciso-assistant-next/values.yaml +++ b/charts/ciso-assistant-next/values.yaml 
@@ -54,25 +54,35 @@ backend:
 ## Backend specific config
 config:
- # -- Email admin for initial configuration
+ # -- Admin email for initial configuration
 emailAdmin: admin@example.net
- # -- SMTP configuration
+ ## SMTP configuration
 smtp:
+ # -- Default from email address
 defaultFrom: no-reply@ciso-assistant.net
- debug: false
 primary:
+ # -- Primary SMTP hostname
 host: primary.cool-mailer.net
+ # -- Primary SMTP post
 port: 587
+ # -- Enable TLS for primary SMTP
+ useTls: true
+ # -- Primary SMTP username
 username: apikey
+ # -- Primary SMTP password
 password: "primary_password_here"
- useTls: true
 rescue:
+ # -- Rescue SMTP hostname
 host: smtp.secondary.mailer.cloud
+ # -- Rescue SMTP hostname
 port: 587
+ # -- Enable TLS for rescue SMTP
+ useTls: true
+ # -- Rescue SMTP hostname
 username: username
+ # -- Rescue SMTP hostname
 password: "rescue_password_here"
- useTls: true
 # -- Set the database type (sqlite, pgsql or externalPgsql)
 ## Note : PostgreSQL database configuration at `postgresql` or `externalPgsql` section
@@ -81,18 +91,26 @@ backend:
 # -- Enable Django debug mode
 djangoDebug: false
- # -- Backend persistence configuration (used for sqlitedb and local storage)
- ## Note: SQLite PVC will be created only `backend.config.databaseType` use `sqlite` value
+ ## Backend persistence configuration (used for sqlitedb and local storage)
 persistence:
 sqlite:
+ # -- Enable SQLite persistence
+ # Note: only when `backend.config.databaseType` use `sqlite` value
 enabled: true
+ # -- SQLite persistant volume size
 size: 5Gi
+ # -- SQLite persistant volume storageClass
 storageClass: ""
+ # -- SQLite persistant volume accessMode
 accessMode: ReadWriteOnce
 localStorage:
+ # -- Enable Local Storage persistence
 enabled: true
+ # -- Local Storage persistant volume size
 size: 5Gi
+ # -- Local Storage persistant volume storageClass
 storageClass: ""
+ # -- Local Storage persistant volume accessMode
 accessMode: ReadWriteOnce
 ## Backend image
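Review bot: The helm-docs comments added for the rescue SMTP block are copy-pasted: `# -- Rescue SMTP hostname` sits above `port:`, `username:` and `password:`, and `# -- Primary SMTP post` sits above the primary `port:`; these strings are what land in the generated README table (visible in the README hunk of this same patch). They should read `# -- Rescue SMTP port`, `# -- Rescue SMTP username`, `# -- Rescue SMTP password` and `# -- Primary SMTP port`. The `# -- Enable SQLite persistence` entry in the second hunk also gains a `# Note:` line that helm-docs folds into the same description, which is fine but reads better as one sentence.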
@@ -259,40 +277,39 @@ ingress: ## Ref: https://artifacthub.io/packages/helm/bitnami/postgresql ## Note: Don't enable if you use SQLite mode or external PgSQL database postgresql: + # -- Enable to deploy PostgreSQL. enabled: false - # -- Customize auth to create ciso-assistant user. - ## Can be used to define static passwords. global: postgresql: auth: - # postgresPassword: "" + # -- Super-user postgres account password + ## Note: if not set, it will be dynamically generated + postgresPassword: "" + # -- Database name database: ciso-assistant + # -- Database username username: ciso-assistant - # password: "" - # -- PostgreSQL persistant volume size (default 8Gi). + # -- Database user account password + ## Note: if not set, it will be dynamically generated + password: "" primary: persistence: + # -- PostgreSQL persistant volume size (default 8Gi). size: 5Gi ## External PostgreSQL database configuration ## Note: All of these values are only used when backend.config.databaseType is set to externalPgsql externalPgsql: # -- Host of an external PostgreSQL instance to connect - ## host: "" # -- User of an external PostgreSQL instance to connect - ## user: ciso-assistant # -- Password of an external PostgreSQL instance to connect - ## password: "" # -- Secret containing the password of an external PostgreSQL instance to connect ## Name of an existing secret resource containing the DB password in a 'password' key - ## existingSecret: "" # -- Database inside an external PostgreSQL to connect - ## database: ciso-assistant # -- Port of an external PostgreSQL to connect - ## port: 5432 From a49a5c47a354d5a658c501e69aed5bf5921604d2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nathana=C3=ABl=20M=2E?= Date: Sat, 28 Dec 2024 15:23:27 +0100 Subject: [PATCH 05/11] Fix warning & add template for helm docs generation --- charts/ciso-assistant-next/README.md | 14 ++++++++- charts/ciso-assistant-next/README.md.gotmpl | 30 +++++++++++++++++++ .../templates/backend/deployment.yaml | 4 +-- 3 files changed, 45 insertions(+), 3 deletions(-) create mode 100644 charts/ciso-assistant-next/README.md.gotmpl diff --git a/charts/ciso-assistant-next/README.md b/charts/ciso-assistant-next/README.md index f35683c77..e428af9b0 100644 --- a/charts/ciso-assistant-next/README.md +++ b/charts/ciso-assistant-next/README.md @@ -16,6 +16,18 @@ A Helm chart for CISO Assistant k8s's deployment |------------|------|---------| | oci://registry-1.docker.io/bitnamicharts | postgresql | 16.3.4 | +## Installing the chart + +To install the chart, firt get the values.yaml file and customize values. + +``` +helm show values oci://ghcr.io/intuitem/ciso-assistant > custom.yaml +``` +To deploy the release : +``` +helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f custom.yaml +``` + ## Values | Key | Type | Default | Description | @@ -106,4 +118,4 @@ A Helm chart for CISO Assistant k8s's deployment | postgresql.primary.persistence.size | string | `"5Gi"` | PostgreSQL persistant volume size (default 8Gi). | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) \ No newline at end of file diff --git a/charts/ciso-assistant-next/README.md.gotmpl b/charts/ciso-assistant-next/README.md.gotmpl new file mode 100644 index 000000000..7ca4d17b9 --- /dev/null +++ b/charts/ciso-assistant-next/README.md.gotmpl 
@@ -0,0 +1,30 @@ +{{ template "chart.header" . }} +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.badgesSection" . }} + +{{ template "chart.description" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +## Installing the chart + +To install the chart, firt get the values.yaml file and customize values. + +``` +helm show values oci://ghcr.io/intuitem/ciso-assistant > custom.yaml +``` +To deploy the release : +``` +helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f custom.yaml +``` + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} \ No newline at end of file diff --git a/charts/ciso-assistant-next/templates/backend/deployment.yaml b/charts/ciso-assistant-next/templates/backend/deployment.yaml index 29d5a5669..c7a9b8c65 100644 --- a/charts/ciso-assistant-next/templates/backend/deployment.yaml +++ b/charts/ciso-assistant-next/templates/backend/deployment.yaml @@ -97,7 +97,7 @@ spec: {{- if .Values.backend.config.smtp.primary.password }} - name: EMAIL_HOST_PASSWORD valueFrom: - secretKeyRef: + secretKeyRef: name: {{ include "ciso-assistant.fullname" . }}-backend key: email-primary-password {{- end }} @@ -114,7 +114,7 @@ spec: {{- if .Values.backend.config.smtp.rescue.password }} - name: EMAIL_HOST_PASSWORD_RESCUE valueFrom: - secretKeyRef: + secretKeyRef: name: {{ include "ciso-assistant.fullname" . }}-backend key: email-rescue-password {{- end }} From 1753a6acf0376bb9713acaeb486198702e803e70 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nathana=C3=ABl=20M=2E?= Date: Tue, 14 Jan 2025 14:58:06 +0100 Subject: [PATCH 06/11] Revert security context, add /tmp volume and djangoSecretKey on backend --- charts/ciso-assistant-next/README.md | 12 +++-- .../templates/backend/deployment.yaml | 10 ++++ .../templates/backend/secret.yaml | 1 + charts/ciso-assistant-next/values.yaml | 51 ++++++++++--------- 4 files changed, 47 insertions(+), 27 deletions(-) diff --git a/charts/ciso-assistant-next/README.md b/charts/ciso-assistant-next/README.md index e428af9b0..577cf1ff7 100644 --- a/charts/ciso-assistant-next/README.md +++ b/charts/ciso-assistant-next/README.md @@ -1,11 +1,15 @@ # ciso-assistant -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.9.3](https://img.shields.io/badge/AppVersion-v1.9.3-informational?style=flat-square) + + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.9.3](https://img.shields.io/badge/AppVersion-v1.9.3-informational?style=flat-square) A Helm chart for CISO Assistant k8s's deployment **Homepage:** + + ## Source Code * 
@@ -34,6 +38,7 @@ helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f cus |-----|------|---------|-------------| | backend.config.databaseType | string | `"sqlite"` | Set the database type (sqlite, pgsql or externalPgsql) # Note : PostgreSQL database configuration at `postgresql` or `externalPgsql` section | | backend.config.djangoDebug | bool | `false` | Enable Django debug mode | +| backend.config.djangoSecretKey | string | `"changeme"` | Set Django secret key | | backend.config.emailAdmin | string | `"admin@example.net"` | Admin email for initial configuration | | backend.config.smtp.defaultFrom | string | `"no-reply@ciso-assistant.net"` | Default from email address | | backend.config.smtp.primary.host | string | `"primary.cool-mailer.net"` | Primary SMTP hostname | @@ -46,7 +51,7 @@ helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f cus | backend.config.smtp.rescue.port | int | `587` | Rescue SMTP hostname | | backend.config.smtp.rescue.useTls | bool | `true` | Enable TLS for rescue SMTP | | backend.config.smtp.rescue.username | string | `"username"` | Rescue SMTP hostname | -| backend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1001,"runAsNonRoot":true,"runAsUser":1001,"seLinuxOptions":{},"seccompProfile":{"type":"RuntimeDefault"}}` | Toggle and define container-level security context | +| backend.containerSecurityContext | object | `{}` | Toggle and define container-level security context | | backend.env | list | `[]` | Environment variables to pass to backend | | backend.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the backend | | backend.image.registry | string | `""` (defaults to global.image.registry) | Registry to use for the backend | 
@@ -75,7 +80,7 @@ helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f cus | externalPgsql.port | int | `5432` | Port of an external PostgreSQL to connect | | externalPgsql.user | string | `"ciso-assistant"` | User of an external PostgreSQL instance to connect | | frontend.config.bodySizeLimit | string | `"50M"` | Configure body size limit for uploads in bytes (unit suffix like K/M/G can be used) | -| frontend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1001,"runAsNonRoot":true,"runAsUser":1001,"seLinuxOptions":{},"seccompProfile":{"type":"RuntimeDefault"}}` | Toggle and define container-level security context | +| frontend.containerSecurityContext | object | `{}` | Toggle and define container-level security context | | frontend.env | list | `[]` | Environment variables to pass to frontend | | frontend.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the frontend | | frontend.image.registry | string | `""` (defaults to global.image.registry) | Registry to use for the frontend | @@ -117,5 +122,6 @@ helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f cus | postgresql.global.postgresql.auth.username | string | `"ciso-assistant"` | Database username | | postgresql.primary.persistence.size | string | `"5Gi"` | PostgreSQL persistant volume size (default 8Gi). | + ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) \ No newline at end of file diff --git a/charts/ciso-assistant-next/templates/backend/deployment.yaml b/charts/ciso-assistant-next/templates/backend/deployment.yaml index c7a9b8c65..8ad8686f6 100644 --- a/charts/ciso-assistant-next/templates/backend/deployment.yaml +++ b/charts/ciso-assistant-next/templates/backend/deployment.yaml 
@@ -76,6 +76,11 @@ spec: {{- end }} - name: DJANGO_DEBUG value: {{ ternary "True" "False" .Values.backend.config.djangoDebug | quote }} + - name: DJANGO_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ include "ciso-assistant.fullname" . }}-backend + key: django-secret-key - name: CISO_ASSISTANT_SUPERUSER_EMAIL value: {{ .Values.backend.config.emailAdmin }} - name: CISO_ASSISTANT_URL @@ -120,6 +125,8 @@ spec: {{- end }} {{- if or (and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled) .Values.backend.persistence.localStorage.enabled }} volumeMounts: + - mountPath: /tmp + name: tmp-data {{- if and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled }} - name: sqlite-data mountPath: /ciso/db @@ -151,6 +158,9 @@ spec: {{- end }} {{- if or (and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled) .Values.backend.persistence.localStorage.enabled }} volumes: + - name: tmp-data + emptyDir: + sizeLimit: 256Mi {{- if and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled }} - name: sqlite-data persistentVolumeClaim: diff --git a/charts/ciso-assistant-next/templates/backend/secret.yaml b/charts/ciso-assistant-next/templates/backend/secret.yaml index a88b66a1d..078e2725e 100644 --- a/charts/ciso-assistant-next/templates/backend/secret.yaml +++ b/charts/ciso-assistant-next/templates/backend/secret.yaml @@ -8,6 +8,7 @@ metadata: {{- include "ciso-assistant.labels" (dict "context" . "name" .Values.backend.name "component" .Values.backend.name) | nindent 4 }} type: Opaque data: + django-secret-key: {{ .Values.backend.config.djangoSecretKey | b64enc | quote}} {{- if .Values.backend.config.smtp.primary.password }} email-primary-password: {{ .Values.backend.config.smtp.primary.password | b64enc | quote}} {{- end }} 
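Review bot: The added `django-secret-key:` line in the secret.yaml hunk base64-encodes `.Values.backend.config.djangoSecretKey` unconditionally, and the values.yaml hunk of this same commit defaults that value to `"changeme"`, so a release installed without an override runs Django with a published SECRET_KEY (the key behind session, CSRF and password-reset token signing). Reject the placeholder at render time instead of encoding it, e.g. `{{- if eq .Values.backend.config.djangoSecretKey "changeme" }}` / `{{ fail "backend.config.djangoSecretKey must be set to a unique random value" }}` / `{{- end }}` placed above `data:`, or derive a stable key with `randAlphaNum` guarded by a `lookup` of the existing secret so upgrades keep it. The values comment `# -- Set Django secret key` should also say that the value is a credential which ends up in the Helm release secret, so operators source it from their own secret store rather than committing it in custom.yaml.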
diff --git a/charts/ciso-assistant-next/values.yaml b/charts/ciso-assistant-next/values.yaml index 276282180..802189f29 100644 --- a/charts/ciso-assistant-next/values.yaml +++ b/charts/ciso-assistant-next/values.yaml @@ -88,6 +88,9 @@ backend: ## Note : PostgreSQL database configuration at `postgresql` or `externalPgsql` section databaseType: sqlite + # -- Set Django secret key + djangoSecretKey: "changeme" + # -- Enable Django debug mode djangoDebug: false @@ -144,18 +147,18 @@ backend: env: [] # -- Toggle and define container-level security context - containerSecurityContext: - seLinuxOptions: {} - runAsUser: 1001 - runAsGroup: 1001 - runAsNonRoot: true - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" + containerSecurityContext: {} + # seLinuxOptions: {} + # runAsUser: 1001 + # runAsGroup: 1001 + # runAsNonRoot: true + # privileged: false + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: ["ALL"] + # seccompProfile: + # type: "RuntimeDefault" ## Backend service configuration service: @@ -213,18 +216,18 @@ frontend: env: [] # -- Toggle and define container-level security context - containerSecurityContext: - seLinuxOptions: {} - runAsUser: 1001 - runAsGroup: 1001 - runAsNonRoot: true - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" + containerSecurityContext: {} + # seLinuxOptions: {} + # runAsUser: 1001 + # runAsGroup: 1001 + # runAsNonRoot: true + # privileged: false + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: ["ALL"] + # seccompProfile: + # type: "RuntimeDefault" ## Frontend service configuration service: From 9ca3e4a91140893cf9faa03f380a23e0c84a9d64 Mon Sep 17 00:00:00 2001 
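Review bot: `containerSecurityContext: {}` for the backend removes every hardening default at once — `runAsNonRoot`, `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`, `privileged: false` and `seccompProfile: RuntimeDefault` go away together with `readOnlyRootFilesystem`; the frontend hunk below does the same, and patch 09 empties `global.securityContext` (dropping `fsGroup: 1001`) as well. The commit title and the new `/tmp` emptyDir suggest the read-only root filesystem was the actual breakage, so the settings that do not depend on the image's filesystem layout can stay on by default and only the offending key be commented out, as sketched below. Without `fsGroup`, the PVC-backed `/ciso/db` and `/ciso/localStorage` mounts may not be writable once someone re-enables `runAsUser: 1001`, so it is worth keeping `fsGroup` next to that option in the values comments rather than documenting them separately. If the image does not declare a non-root USER, `runAsNonRoot: true` would also have to stay commented — that is something to verify against the image before merging.
```yaml
  # -- Toggle and define container-level security context
  containerSecurityContext:
    runAsNonRoot: true  # assumes the image declares a non-root USER — verify
    privileged: false
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
    # readOnlyRootFilesystem: true  # requires every writable path to be a mount (see the /tmp emptyDir)
    # runAsUser: 1001
    # runAsGroup: 1001
    # seLinuxOptions: {}
```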
From: =?UTF-8?q?Nathana=C3=ABl=20M=2E?= Date: Tue, 14 Jan 2025 15:01:26 +0100 Subject: [PATCH 07/11] Update appVersion and pgSQL chart dependency --- charts/ciso-assistant-next/Chart.lock | 6 +++--- charts/ciso-assistant-next/Chart.yaml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/ciso-assistant-next/Chart.lock b/charts/ciso-assistant-next/Chart.lock index 0ba08e089..6f6d813a5 100644 --- a/charts/ciso-assistant-next/Chart.lock +++ b/charts/ciso-assistant-next/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 16.3.4 -digest: sha256:55fdc174ee8e9fe9525c9ab609f172c60e3271df3e754b7f8b80f752172e183c -generated: "2024-12-25T12:17:41.0140471+01:00" + version: 16.4.2 +digest: sha256:324a049cebac3214b20fa37981d674ac1b52de900188b094028d55a12f6b2efd +generated: "2025-01-14T15:00:53.2616265+01:00" diff --git a/charts/ciso-assistant-next/Chart.yaml b/charts/ciso-assistant-next/Chart.yaml index 0441178ea..bb9756503 100644 --- a/charts/ciso-assistant-next/Chart.yaml +++ b/charts/ciso-assistant-next/Chart.yaml @@ -3,13 +3,13 @@ name: ciso-assistant description: A Helm chart for CISO Assistant k8s's deployment type: application version: 0.1.0 -appVersion: "v1.9.3" +appVersion: "v2.0.6" icon: https://intuitem.com/ciso-assistant.svg home: https://intuitem.com sources: - https://github.com/intuitem/ciso-assistant-community dependencies: - name: postgresql - version: "16.3.4" + version: "16.4.2" repository: "oci://registry-1.docker.io/bitnamicharts" condition: postgresql.enabled From 38e610bae5e367e8b04d64df8dcc2566a1e9bbdb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nathana=C3=ABl=20M=2E?= Date: Tue, 14 Jan 2025 16:10:37 +0100 Subject: [PATCH 08/11] Fix value format issue --- .../ciso-assistant-next/templates/backend/deployment.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/charts/ciso-assistant-next/templates/backend/deployment.yaml b/charts/ciso-assistant-next/templates/backend/deployment.yaml index 8ad8686f6..b9ff3bfd3 100644 --- a/charts/ciso-assistant-next/templates/backend/deployment.yaml +++ b/charts/ciso-assistant-next/templates/backend/deployment.yaml @@ -40,7 +40,7 @@ spec: - name: DB_HOST value: {{ template "ciso-assistant.fullname" . }}-postgresql - name: DB_PORT - value: 5432 + value: "5432" - name: POSTGRES_NAME value: {{ .Values.postgresql.global.postgresql.auth.database | quote }} - name: POSTGRES_USER @@ -123,10 +123,10 @@ spec: name: {{ include "ciso-assistant.fullname" . }}-backend key: email-rescue-password {{- end }} - {{- if or (and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled) .Values.backend.persistence.localStorage.enabled }} volumeMounts: - - mountPath: /tmp - name: tmp-data + - name: tmp-data + mountPath: /tmp + {{- if or (and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled) .Values.backend.persistence.localStorage.enabled }} {{- if and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled }} - name: sqlite-data mountPath: /ciso/db From 29ac372e7ae1ae5aaf8c9a081d11447807279713 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nathana=C3=ABl=20M=2E?= Date: Tue, 14 Jan 2025 17:27:30 +0100 Subject: [PATCH 09/11] Disable global securityContext --- charts/ciso-assistant-next/README.md | 10 +++++----- charts/ciso-assistant-next/values.yaml | 13 ++++++++----- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/charts/ciso-assistant-next/README.md b/charts/ciso-assistant-next/README.md index 577cf1ff7..f2c0fe6cd 100644 --- a/charts/ciso-assistant-next/README.md +++ b/charts/ciso-assistant-next/README.md 
@@ -2,7 +2,7 @@ -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.9.3](https://img.shields.io/badge/AppVersion-v1.9.3-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.0.6](https://img.shields.io/badge/AppVersion-v2.0.6-informational?style=flat-square) A Helm chart for CISO Assistant k8s's deployment @@ -18,7 +18,7 @@ A Helm chart for CISO Assistant k8s's deployment | Repository | Name | Version | |------------|------|---------| -| oci://registry-1.docker.io/bitnamicharts | postgresql | 16.3.4 | +| oci://registry-1.docker.io/bitnamicharts | postgresql | 16.4.2 | ## Installing the chart @@ -51,7 +51,7 @@ helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f cus | backend.config.smtp.rescue.port | int | `587` | Rescue SMTP hostname | | backend.config.smtp.rescue.useTls | bool | `true` | Enable TLS for rescue SMTP | | backend.config.smtp.rescue.username | string | `"username"` | Rescue SMTP hostname | -| backend.containerSecurityContext | object | `{}` | Toggle and define container-level security context | +| backend.containerSecurityContext | object | `{}` | Toggle and define container-level security context | | backend.env | list | `[]` | Environment variables to pass to backend | | backend.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the backend | | backend.image.registry | string | `""` (defaults to global.image.registry) | Registry to use for the backend | 
@@ -80,7 +80,7 @@ helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f cus | externalPgsql.port | int | `5432` | Port of an external PostgreSQL to connect | | externalPgsql.user | string | `"ciso-assistant"` | User of an external PostgreSQL instance to connect | | frontend.config.bodySizeLimit | string | `"50M"` | Configure body size limit for uploads in bytes (unit suffix like K/M/G can be used) | -| frontend.containerSecurityContext | object | `{}` | Toggle and define container-level security context | +| frontend.containerSecurityContext | object | `{}` | Toggle and define container-level security context | | frontend.env | list | `[]` | Environment variables to pass to frontend | | frontend.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the frontend | | frontend.image.registry | string | `""` (defaults to global.image.registry) | Registry to use for the frontend | @@ -103,7 +103,7 @@ helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f cus | global.image.tag | string | `""` | Overrides the global CISO Assistant image tag whose default is the chart appVersion | | global.imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry | | global.nodeSelector | object | `{}` | Default node selector for all components | -| global.securityContext | object | `{"fsGroup":1001,"fsGroupChangePolicy":"Always","supplementalGroups":[],"sysctls":[]}` | Toggle and define pod-level security context | +| global.securityContext | object | `{}` | Toggle and define pod-level security context | | global.tolerations | list | `[]` | Default tolerations for all components | | ingress.annotations | object | `{}` | Additional ingress annotations | | ingress.certificateSecret | object | `{}` | Custom TLS certificate as secret # Note: 'key' and 'certificate' are expected in PEM format | 
diff --git a/charts/ciso-assistant-next/values.yaml b/charts/ciso-assistant-next/values.yaml index 802189f29..4a05feacf 100644 --- a/charts/ciso-assistant-next/values.yaml +++ b/charts/ciso-assistant-next/values.yaml @@ -32,11 +32,12 @@ global: clusterDomain: cluster.local # -- Toggle and define pod-level security context - securityContext: - fsGroupChangePolicy: Always - sysctls: [] - supplementalGroups: [] - fsGroup: 1001 + # @default -- `{}` + securityContext: {} + # fsGroupChangePolicy: Always + # sysctls: [] + # supplementalGroups: [] + # fsGroup: 1001 # -- Default node selector for all components nodeSelector: {} @@ -147,6 +148,7 @@ backend: env: [] # -- Toggle and define container-level security context + # @default -- `{}` containerSecurityContext: {} # seLinuxOptions: {} # runAsUser: 1001 @@ -216,6 +218,7 @@ frontend: env: [] # -- Toggle and define container-level security context + # @default -- `{}` containerSecurityContext: {} # seLinuxOptions: {} # runAsUser: 1001 From 8b4b85ed0a9a5e670b12bb071acb1ed7c5d4948d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nathana=C3=ABl=20M=2E?= Date: Wed, 15 Jan 2025 09:35:14 +0100 Subject: [PATCH 10/11] Fix issues and move tls option to global --- charts/ciso-assistant-next/README.md | 3 +-- .../templates/backend/deployment.yaml | 4 ---- .../templates/ingress/ingress.yaml | 2 +- charts/ciso-assistant-next/values.yaml | 11 +++-------- 4 files changed, 5 insertions(+), 15 deletions(-) diff --git a/charts/ciso-assistant-next/README.md b/charts/ciso-assistant-next/README.md index f2c0fe6cd..35d1b469e 100644 --- a/charts/ciso-assistant-next/README.md +++ b/charts/ciso-assistant-next/README.md 
@@ -104,16 +104,15 @@ helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f cus | global.imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry | | global.nodeSelector | object | `{}` | Default node selector for all components | | global.securityContext | object | `{}` | Toggle and define pod-level security context | +| global.tls | bool | `false` | Globally enable TLS (Ingress, URLs, etc.) | | global.tolerations | list | `[]` | Default tolerations for all components | | ingress.annotations | object | `{}` | Additional ingress annotations | | ingress.certificateSecret | object | `{}` | Custom TLS certificate as secret # Note: 'key' and 'certificate' are expected in PEM format | | ingress.enabled | bool | `true` | Enable an ingress resource for the CISO Assistant | -| ingress.hostname | string | `""` (defaults to global.domain) | CISO Assistant hostname | | ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource | | ingress.labels | object | `{}` | Additional ingress labels | | ingress.path | string | `"/"` | The path to CISO Assistant | | ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` | -| ingress.tls | bool | `false` | Enable TLS configuration for the hostname defined at `ingress.hostname` # TLS certificate will be retrieved from a TLS secret `{{ ciso-assistant.fullname }}-tls` # You can create this secret manually via `certificateSecret` option | | nameOverride | string | `"ciso-assistant"` | Provide a name in place of `ciso-assistant` | | postgresql.enabled | bool | `false` | Enable to deploy PostgreSQL. | | postgresql.global.postgresql.auth.database | string | `"ciso-assistant"` | Database name | diff --git a/charts/ciso-assistant-next/templates/backend/deployment.yaml b/charts/ciso-assistant-next/templates/backend/deployment.yaml index b9ff3bfd3..dbcc9e136 100644 
--- a/charts/ciso-assistant-next/templates/backend/deployment.yaml +++ b/charts/ciso-assistant-next/templates/backend/deployment.yaml @@ -126,7 +126,6 @@ spec: volumeMounts: - name: tmp-data mountPath: /tmp - {{- if or (and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled) .Values.backend.persistence.localStorage.enabled }} {{- if and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled }} - name: sqlite-data mountPath: /ciso/db @@ -135,7 +134,6 @@ spec: - name: localstorage-data mountPath: /ciso/localStorage {{- end }} - {{- end }} ports: - name: http containerPort: 8000 @@ -156,7 +154,6 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - {{- if or (and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled) .Values.backend.persistence.localStorage.enabled }} volumes: - name: tmp-data emptyDir: @@ -170,5 +167,4 @@ spec: - name: localstorage-data persistentVolumeClaim: claimName: {{ include "ciso-assistant.fullname" . }}-localstorage - {{- end }} {{- end }} \ No newline at end of file diff --git a/charts/ciso-assistant-next/templates/ingress/ingress.yaml b/charts/ciso-assistant-next/templates/ingress/ingress.yaml index 9be3337fc..b02bf2c76 100644 --- a/charts/ciso-assistant-next/templates/ingress/ingress.yaml +++ b/charts/ciso-assistant-next/templates/ingress/ingress.yaml @@ -31,7 +31,7 @@ spec: number: {{ .Values.backend.service.port }} path: /api/ pathType: Prefix - {{- if .Values.ingress.tls }} + {{- if .Values.global.tls }} tls: - hosts: - {{ .Values.global.domain }} diff --git a/charts/ciso-assistant-next/values.yaml b/charts/ciso-assistant-next/values.yaml index 4a05feacf..75bddbd82 100644 --- a/charts/ciso-assistant-next/values.yaml +++ b/charts/ciso-assistant-next/values.yaml 
@@ -12,6 +12,8 @@ global: # -- Default domain used by all components ## Used for ingresses, certificates, environnement vars, etc. domain: octopus.foo.bar + # -- Globally enable TLS (Ingress, URLs, etc.) + tls: false # Default image used by all components image: @@ -244,6 +246,7 @@ frontend: portName: http # CISO Assistant ingress configuration +# Note: host and tls values are inherited from global.domain and global.tls ingress: # -- Enable an ingress resource for the CISO Assistant enabled: true @@ -255,18 +258,10 @@ ingress: # cert-manager.io/cluster-issuer: letsencrypt # -- Defines which ingress controller will implement the resource ingressClassName: "" - # -- CISO Assistant hostname - # @default -- `""` (defaults to global.domain) - hostname: "" # -- The path to CISO Assistant path: / # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` pathType: Prefix - - # -- Enable TLS configuration for the hostname defined at `ingress.hostname` - ## TLS certificate will be retrieved from a TLS secret `{{ ciso-assistant.fullname }}-tls` - ## You can create this secret manually via `certificateSecret` option - tls: false # -- Custom TLS certificate as secret ## Note: 'key' and 'certificate' are expected in PEM format certificateSecret: {} From d4ff49bebd29993c0f13551a3d4f7249800c6736 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nathana=C3=ABl=20M=2E?= Date: Wed, 15 Jan 2025 21:29:36 +0100 Subject: [PATCH 11/11] Fix forgotten value replacement --- charts/ciso-assistant-next/templates/_helpers.tpl | 2 +- charts/ciso-assistant-next/templates/ingress/tls-secret.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/ciso-assistant-next/templates/_helpers.tpl b/charts/ciso-assistant-next/templates/_helpers.tpl index 9f3d9917d..413189f4a 100644 --- a/charts/ciso-assistant-next/templates/_helpers.tpl +++ b/charts/ciso-assistant-next/templates/_helpers.tpl 
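Review bot: The new `global.tls` comment, `# -- Globally enable TLS (Ingress, URLs, etc.)`, drops the two lines the removed `ingress.tls` block carried about where the certificate comes from, so a reader no longer learns that enabling it makes the ingress reference a `<fullname>-tls` secret that must already exist (created via `ingress.certificateSecret` or externally, e.g. the cert-manager annotation left commented in the same file). Carry them over under the new key: `## TLS certificate will be retrieved from a TLS secret <fullname>-tls` and `## You can create this secret manually via the ingress.certificateSecret option`. It is also worth stating that the `ciso-assistant.url` helper (patch 11) picks `http` or `https` from this flag, since the default `false` leaves every generated URL on plain http.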
@@ -70,6 +70,6 @@ app.kubernetes.io/component: {{ .component }}
 Define complete url based on scheme and domain
 */}}
 {{- define "ciso-assistant.url" -}}
-{{- $scheme := ternary "https" "http" .Values.ingress.tls -}}
+{{- $scheme := ternary "https" "http" .Values.global.tls -}}
 {{- printf "%s://%s" $scheme .Values.global.domain -}}
 {{- end -}}
\ No newline at end of file
diff --git a/charts/ciso-assistant-next/templates/ingress/tls-secret.yaml b/charts/ciso-assistant-next/templates/ingress/tls-secret.yaml
index 83b2259e7..b2684c0b4 100644
--- a/charts/ciso-assistant-next/templates/ingress/tls-secret.yaml
+++ b/charts/ciso-assistant-next/templates/ingress/tls-secret.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.ingress.enabled .Values.ingress.tls }}
+{{- if and .Values.ingress.enabled .Values.global.tls }}
 {{- if .Values.ingress.certificateSecret }}
 apiVersion: v1
 kind: Secret