feat: addressing feedback

.gitleaks.toml

@@ -2,4 +2,4 @@
 useDefault = true
 
 [allowList]
-paths = ['''hybrid-platform/tests''']
+paths = ['''snyk-universa-broker/tests''']

snyk-universal-broker/templates/ingress.yaml

@@ -1,81 +1,45 @@
-{{- if .Values.brokerIngress.enabled -}}
-{{- $ingressApiIsStable := eq (include "snyk-broker.ingress.isStable" .) "true" -}}
-{{- $ingressSupportsIngressClassName := eq (include "snyk-broker.ingress.supportsIngressClassName" .) "true" -}}
-{{- $ingressSupportsPathType := eq (include "snyk-broker.ingress.supportsPathType" .) "true" -}}
-{{- $fullName := include "snyk-broker.fullname" . -}}
-{{- $servicePort := .Values.service.port -}}
-{{- $scmType := .Values.scmType -}}
-{{- $ingressPath := .Values.brokerIngress.path -}}
-{{- $ingressPathType := .Values.brokerIngress.pathType -}}
-{{- $extraPaths := .Values.brokerIngress.extraPaths -}}
-{{- $releaseName := .Release.Name -}}
-{{- $disableSuffixes := .Values.disableSuffixes }}
-apiVersion: {{ include "snyk-broker.ingress.apiVersion" . }}
+{{- if .Values.brokerIngress.enabled }}
+apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
 kind: Ingress
 metadata:
-  name: {{ $fullName }}{{ if not $disableSuffixes}}-{{ .Release.Name }}{{ end }}
+  name: {{ include "common.names.fullname" . }}
   namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "snyk-broker.labels" . | nindent 4 }}
-    {{- with .Values.brokerIngress.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-  {{- if .Values.brokerIngress.annotations }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
   annotations:
-    {{- range $key, $value := .Values.brokerIngress.annotations }}
-    {{ $key }}: {{ tpl $value $ | quote }}
+    {{- if or .Values.ingress.annotations .Values.commonAnnotations }}
+    {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }}
+    {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
     {{- end }}
-  {{- end }}
 spec:
-  {{- if and $ingressSupportsIngressClassName .Values.brokerIngress.ingressClassName }}
-  ingressClassName: {{ .Values.brokerIngress.ingressClassName }}
-  {{- end -}}
-{{- if .Values.brokerIngress.tls }}
-  tls:
-{{ tpl (toYaml .Values.brokerIngress.tls) $ | indent 4 }}
-{{- end }}
+  {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  {{- end }}
   rules:
-  {{- if .Values.brokerIngress.hosts  }}
-  {{- range .Values.brokerIngress.hosts }}
-    - host: {{ tpl . $}}
+    {{- if .Values.ingress.hostname }}
+    - host: {{ tpl .Values.ingress.hostname . }}
       http:
         paths:
-{{- if $extraPaths }}
-{{ toYaml $extraPaths | indent 10 }}
-{{- end }}
-          - path: {{ $ingressPath }}
-            {{- if $ingressSupportsPathType }}
-            pathType: {{ $ingressPathType }}
+          {{- if .Values.ingress.extraPaths }}
+          {{- include "common.tplvalues.render" (dict "value"  .Values.ingress.extraPaths "context" $) | nindent 10 }}
+          {{- end }}
+          - path: {{ .Values.ingress.path }}
+            {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
+            pathType: {{ .Values.ingress.pathType }}
             {{- end }}
-            backend:
-              {{- if $ingressApiIsStable }}
+            backend: 
               service:
-                name: {{ include "snyk-broker.brokerServiceName" $ }}
+                name: {{ include "common.names.fullname" . }}
                 port:
-                  number: {{ $servicePort }}
-              {{- else }}
-              serviceName: {{ $scmType }}-broker-service{{ if not $disableSuffixes}}-{{ $releaseName }}{{ end }}
-              servicePort: {{ $servicePort }}
-              {{- end }}
-  {{- end }}
-  {{- else }}
-    - http:
-        paths:
-          - backend:
-              {{- if $ingressApiIsStable }}
-              service:
-                name: {{ include "snyk-broker.brokerServiceName" . }}
-                port:
-                  number: {{ $servicePort }}
-              {{- else }}
-              serviceName: {{ include "snyk-broker.brokerServiceName" . }}
-              servicePort: {{ $servicePort }}
-              {{- end }}
-            {{- if $ingressPath }}
-            path: {{ $ingressPath }}
-            {{- end }}
-            {{- if $ingressSupportsPathType }}
-            pathType: {{ $ingressPathType }}
-            {{- end }}
-  {{- end -}}
-{{- end }}
+                  number: {{ .Values.service.port }}
+    {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    - hosts:
+        - {{ tpl .Values.ingress.hostname . | quote }}
+      {{- if .Values.ingress.existingSecret }}
+      secretName: {{ .Values.ingress.existingSecret }}
+      {{- else }}
+      secretName: {{ printf "%s-tls" (tpl .Values.ingress.hostname .) | trunc 63 | trimSuffix "-" }}
+      {{- end }}
+    {{- end }}
+{{- end }}

snyk-universal-broker/templates/secrets.yaml

@@ -11,24 +11,14 @@ stringData:
   clientId: {{ .Values.clientId | quote }}
   clientSecret: {{ .Values.clientSecret | quote }}
 ---
-{{- if and (not .Values.existingSecrets) (or .Values.brokerToken .Values.credentialReferences.GITHUB_TOKEN .Values.credentialReferences.GITLAB_TOKEN .Values.credentialReferences.BITBUCKET_PASSWORD .Values.credentialReferences.AZURE_REPOS_TOKEN) }}
+{{- if not .Values.existingSecrets }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ printf "%s-broker-scm-credential" (include "common.names.fullname" .) }}
+  name: {{ printf "%s-universal-broker-scm-credential-reference" (include "common.names.fullname" .) }}
 type: Opaque
 stringData:
-  BROKER_TOKEN: {{ .Values.brokerToken | quote }}
-  {{- if .Values.credentialReferences.GITHUB_TOKEN }}
-  GITHUB_TOKEN: {{ .Values.credentialReferences.GITHUB_TOKEN | quote }}
-  {{- end }}
-  {{- if .Values.credentialReferences.GITLAB_TOKEN }}
-  GITLAB_TOKEN: {{ .Values.credentialReferences.GITLAB_TOKEN | quote }}
-  {{- end }}
-  {{- if .Values.credentialReferences.BITBUCKET_PASSWORD }}
-  BITBUCKET_PASSWORD: {{ .Values.credentialReferences.BITBUCKET_PASSWORD | quote }}
-  {{- end }}
-  {{- if .Values.credentialReferences.AZURE_REPOS_TOKEN }}
-  AZURE_REPOS_TOKEN: {{ .Values.credentialReferences.AZURE_REPOS_TOKEN | quote }}
-  {{- end }}
+{{- range $key, $value := .Values.credentialReferences }}
+  {{ $key }}: {{ $value | quote }}
+{{- end }}
 {{- end }}

snyk-universal-broker/templates/service.yaml

@@ -8,5 +8,5 @@ spec:
   type: {{ .Values.service.brokerType }}
   ports:
     - port: {{ .Values.service.port }}
-      # targetPort: {{ .Values.deployment.container.containerPort }}
+      targetPort: {{ .Values.containerPort }}
   selector: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}

snyk-universal-broker/templates/statefulset.yaml

@@ -5,11 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 spec:
-  {{- if .Values.highAvailabilityMode.enabled }}
-  replicas: {{ .Values.replicaCount }}
-  {{ else }}
-  replicas: 1
-  {{- end }}
+  replicas: {{ ternary .Values.replicaCount 1 .Values.highAvailabilityMode.enabled }}
   updateStrategy:
     type: "RollingUpdate"
     rollingUpdate:
@@ -54,7 +50,7 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: http
-              containerPort: {{ .Values.deployment.container.containerPort }}
+              containerPort: {{ .Values.containerPort }}
           {{- if .Values.brokerLivenessProbe.enabled }}
           livenessProbe:
             httpGet:
@@ -83,15 +79,10 @@ spec:
           {{- toYaml .Values.extraContainerSpecs | nindent 10 }}
           {{- end }}
           envFrom:
-            {{- if .Values.existingSecrets }}
             - secretRef:
-                name: {{ .Values.existingSecrets }}
-            {{- else }}
-            - secretRef:
-                name: {{ printf "%s-broker-scm-credential" (include "common.names.fullname" .) }}
-            {{- end }}
+                name: {{ ternary .Values.existingSecrets (printf "%s-broker-scm-credential" (include "common.names.fullname" .)) (not (empty .Values.existingSecrets)) }}
           volumeMounts:
-              {{- if or (.Values.caCert) (.Values.caCertFile) }}
+              {{- if .Values.caCert }}
               - name: {{ include "common.names.fullname" . }}-cacert-volume
                 mountPath: /home/node/cacert
                 readOnly: true
@@ -120,22 +111,13 @@ spec:
               value: {{ .Values.logLevel }}
             - name: LOG_ENABLE_BODY
               value: {{ .Values.logEnableBody | squote }}
-
-         {{- if and (.Values.caCert) (not .Values.caCertFile) }}
-         # HTTPS Inspection
-            - name: CA_CERT
-              value: /home/node/cacert/{{ .Values.caCert }}
-            - name: NODE_EXTRA_CA_CERTS
-              value: /home/node/cacert/{{ .Values.caCert }}
-         {{- end }}
-         {{- if and (.Values.caCertFile) (not .Values.caCert) }}
+         {{- if .Values.caCert }}
           # HTTPS Inspection
             - name: CA_CERT
               value: /home/node/cacert/cacert
             - name: NODE_EXTRA_CA_CERTS
               value: /home/node/cacert/cacert
          {{- end }}
-
          {{- if .Values.httpsCert }}
          # HTTPS Config
             - name: HTTPS_CERT
@@ -186,7 +168,7 @@ spec:
               value: {{ .Values.brokerDispatcherUrl }}
       # Mount Accept.json and Certs
       volumes:
-      {{- if or (.Values.caCert) (.Values.caCertFile) }}
+      {{- if .Values.caCert }}
       - name: {{ include "common.names.fullname" . }}-cacert-volume
         secret:
           secretName: {{ include "snyk-broker.caCertSecretName" . }}

snyk-universal-broker/templates/tls-secret.yaml

@@ -8,21 +8,17 @@ metadata:
   labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ (.Files.Get .Values.httpsCert) | b64enc | quote }}
-  tls.key: {{ (.Files.Get .Values.httpsKey) | b64enc | quote }}
+  tls.crt: {{ .Values.httpsCert | b64enc | nindent 4 }}
+  tls.key: {{ .Values.httpsKey | b64enc | nindent 4 }}
 ---
 {{- end }}
-{{- if or .Values.caCert .Values.caCertFile }}
+{{- if .Values.caCert }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{- printf "%s-cacerts" (include "common.names.fullname" .) }}
   namespace: {{ .Release.Namespace }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 data:
-{{- if and .Values.caCert (not .Values.caCertFile) }}
-{{ (.Files.Glob .Values.caCert).AsSecrets | nindent 2 }}
-{{- else if and .Values.caCertFile (not .Values.caCert) }}
   cacert: {{ .Values.caCertFile | trim |  b64enc | nindent 4}}
-{{- end }}
 {{- end }}

snyk-universal-broker/values.yaml

@@ -4,13 +4,10 @@
 
 ##### Snyk Specific Values #####
 
-## @param brokerToken is a value from Snyk. Get this from the integration settings page or your Snyk Representative
 ## @param brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup.
 ## @param brokerServerUrl is default endpoint for broker server
 ## @param preflightChecks.enabled broker client preflight checks
 
-brokerToken: ""
-## E.g.
 ## brokerClientUrl:http://kubernetes-ingress.domain.com:8000
 brokerClientUrl: ""
 ## See https://docs.snyk.io/working-with-snyk/regional-hosting-and-data-residency#broker-urls for regional endpoints
@@ -26,16 +23,11 @@ clientSecret: ""
 
 ##### SCM Tokens #####
 existingSecrets: "" # Name of an existing secret if it exists
-credentialReferences:
-  GITHUB_TOKEN: "" # Token value if a new secret needs to be created
-  GITLAB_TOKEN: ""
-  BITBUCKET_PASSWORD: ""
-  AZURE_REPOS_TOKEN: ""
+credentialReferences: []
 
 ##### Universal Broker Deployment #####
-deployment:
-   container:
-     containerPort: 8000
+
+containerPort: 8000
 
 ## @param brokerResources  Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 
@@ -51,6 +43,7 @@ brokerResources:
 
 commonLabels: {}
 customLabels: {}
+commonAnnotations: {}
 
 # Health and System Check Paths for the broker
 healthCheckPath: &healthCheckPath "/healthcheck"
@@ -110,24 +103,19 @@ logEnableBody: "false"
 
 ##### Enable HTTPS #####
 ## @param enableBrokerLocalWebserverOverHttps enables Broker client to run a HTTPS server instead of the default HTTP server
-## @param httpsCert provides location for HTTPS cert( File must be within the Helm Chart directory.)
-## @param httpskey provides location for HTTPS cert( File must be within the Helm Chart directory.)
+## @param httpsCert provides HTTPS cert
+## @param httpskey provides HTTPS cert key
 
 enableBrokerLocalWebserverOverHttps: false
 httpsCert: ""
 httpsKey: ""
 
 ##### HTTPS Inspection #####
 
-# Filename of custom certificate to allow visibility for SSL Inspection (e.g "ca.pem")
-# Include any/all certificates required for a full trust chain.
-# File must be within the Helm Chart directory.
-caCert: ""
-
-# Set caCertFile to read certificate content from the values.yaml file as a multiline string:
+# Set caCert to read certificate content from the values.yaml file as a multiline string:
 # Include any/all certificates required for a full trust chain.
 #
-# caCertFile: |-
+# caCert: |-
 #   ----- BEGIN CERTIFICATE -----
 #   < certificate data >
 #   ----- END CERTIFICATE -----
@@ -138,7 +126,7 @@ caCert: ""
 # or
 #
 # caCertFile: "----- BEGIN CERTIFICATE -----\n.....\n----- END CERTIFICATE -----"
-caCertFile: ""
+caCert: ""
 
 # Set to `true` to disable trust validation when providing your own CA certificate.
 disableCaCertTrust: false
@@ -161,9 +149,9 @@ noProxy: ""
 
 image:
   repository: snyk/broker
-  pullPolicy: Always
+  pullPolicy: IfNotPresent
   # Overrides the image tag. If left empty the latest version is used
-  tag: ""
+  tag: "universal"
 ##### Broker Image Pull Secrets Parameters #####
 imagePullSecrets: []
 # - name: registrySecretName
@@ -181,8 +169,6 @@ serviceAccount:
 
 podAnnotations: {}
 
-podSecurityContext: {}
-
 ##### security context #####
   ## @param SecurityContext.runAsUser Set Consul containers' Security Context runAsUser
   ## @param SecurityContext.allowPrivilegeEscalation Set Consul containers' Security Context allowPrivilegeEscalation
@@ -197,17 +183,15 @@ securityContext:
    allowPrivilegeEscalation: false
    runAsNonRoot: true
    runAsUser: 1000
+   fsGroup: 1000
 
 
 ##### Service Types #####
 # If you prefer to adjust how communication to the cluster occurs, these values can be adjusted
 service:
-
   # Snyk Broker
   brokerType: ClusterIP
   port: 8000
-
-
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:
@@ -229,13 +213,13 @@ brokerIngress:
     ## E.g.
     ## kubernetes.io/ingress.class: nginx
     ## kubernetes.io/tls-acme: "true"
-  labels: {}
   path: /
   pathType: Prefix
   hosts:
     - <ENTER_BROKER_CLIENT_URL> # Must match the Broker client url
   ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
   extraPaths: []
+  existingSecret: ""
   tls:
     enabled: false
     secret: