From f72bf6054b2b6a7d3491ded964e4dd14dfabe970 Mon Sep 17 00:00:00 2001
From: saumil Macwan
Date: Mon, 9 Sep 2024 22:13:33 -0400
Subject: [PATCH] feat: addressing feedback

---
 .gitleaks.toml | 2 +-
 snyk-universal-broker/templates/ingress.yaml | 102 ++++++------------
 snyk-universal-broker/templates/secrets.yaml | 20 +---
 snyk-universal-broker/templates/service.yaml | 2 +-
 .../templates/statefulset.yaml | 30 ++----
 .../templates/tls-secret.yaml | 10 +-
 snyk-universal-broker/values.yaml | 42 +++-----
 7 files changed, 62 insertions(+), 146 deletions(-)

diff --git a/.gitleaks.toml b/.gitleaks.toml
index 9a8b9d5..e2691f4 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -2,4 +2,4 @@ useDefault = true
 [allowList]
-paths = ['''hybrid-platform/tests''']
\ No newline at end of file
+paths = ['''snyk-universa-broker/tests''']
\ No newline at end of file
diff --git a/snyk-universal-broker/templates/ingress.yaml b/snyk-universal-broker/templates/ingress.yaml
index d7b50e9..40baabc 100644
--- a/snyk-universal-broker/templates/ingress.yaml
+++ b/snyk-universal-broker/templates/ingress.yaml
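Review bot: The new allowList path `snyk-universa-broker/tests` does not match the chart directory used everywhere else in this patch, `snyk-universal-broker`, so the entry matches nothing. The practical effect is that the tests directory stays in scope for gitleaks, which is the safe direction, but the intended exemption is silently dead and will surprise whoever adds test fixtures next. Fix the spelling, `paths = ['''snyk-universal-broker/tests''']`, and keep the exemption that narrow, since an allowlisted path is never scanned again.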
@@ -1,81 +1,45 @@
-{{- if .Values.brokerIngress.enabled -}}
-{{- $ingressApiIsStable := eq (include "snyk-broker.ingress.isStable" .) "true" -}}
-{{- $ingressSupportsIngressClassName := eq (include "snyk-broker.ingress.supportsIngressClassName" .) "true" -}}
-{{- $ingressSupportsPathType := eq (include "snyk-broker.ingress.supportsPathType" .) "true" -}}
-{{- $fullName := include "snyk-broker.fullname" . -}}
-{{- $servicePort := .Values.service.port -}}
-{{- $scmType := .Values.scmType -}}
-{{- $ingressPath := .Values.brokerIngress.path -}}
-{{- $ingressPathType := .Values.brokerIngress.pathType -}}
-{{- $extraPaths := .Values.brokerIngress.extraPaths -}}
-{{- $releaseName := .Release.Name -}}
-{{- $disableSuffixes := .Values.disableSuffixes }}
-apiVersion: {{ include "snyk-broker.ingress.apiVersion" . }}
+{{- if .Values.brokerIngress.enabled }}
+apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
 kind: Ingress
 metadata:
- name: {{ $fullName }}{{ if not $disableSuffixes}}-{{ .Release.Name }}{{ end }}
+ name: {{ include "common.names.fullname" . }}
 namespace: {{ .Release.Namespace }}
- labels:
- {{- include "snyk-broker.labels" . | nindent 4 }}
- {{- with .Values.brokerIngress.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- if .Values.brokerIngress.annotations }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 annotations:
- {{- range $key, $value := .Values.brokerIngress.annotations }}
- {{ $key }}: {{ tpl $value $ | quote }}
+ {{- if or .Values.ingress.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }}
+ {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
 {{- end }}
- {{- end }}
 spec:
- {{- if and $ingressSupportsIngressClassName .Values.brokerIngress.ingressClassName }}
- ingressClassName: {{ .Values.brokerIngress.ingressClassName }}
- {{- end -}}
-{{- if .Values.brokerIngress.tls }}
- tls:
-{{ tpl (toYaml .Values.brokerIngress.tls) $ | indent 4 }}
-{{- end }}
+ {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
+ ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+ {{- end }}
 rules:
- {{- if .Values.brokerIngress.hosts }}
- {{- range .Values.brokerIngress.hosts }}
- - host: {{ tpl . $}}
+ {{- if .Values.ingress.hostname }}
+ - host: {{ tpl .Values.ingress.hostname . }}
 http:
 paths:
-{{- if $extraPaths }}
-{{ toYaml $extraPaths | indent 10 }}
-{{- end }}
- - path: {{ $ingressPath }}
- {{- if $ingressSupportsPathType }}
- pathType: {{ $ingressPathType }}
+ {{- if .Values.ingress.extraPaths }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraPaths "context" $) | nindent 10 }}
+ {{- end }}
+ - path: {{ .Values.ingress.path }}
+ {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
+ pathType: {{ .Values.ingress.pathType }}
 {{- end }}
- backend:
- {{- if $ingressApiIsStable }}
+ backend:
 service:
- name: {{ include "snyk-broker.brokerServiceName" $ }}
+ name: {{ include "common.names.fullname" . }}
 port:
- number: {{ $servicePort }}
- {{- else }}
- serviceName: {{ $scmType }}-broker-service{{ if not $disableSuffixes}}-{{ $releaseName }}{{ end }}
- servicePort: {{ $servicePort }}
- {{- end }}
- {{- end }}
- {{- else }}
- - http:
- paths:
- - backend:
- {{- if $ingressApiIsStable }}
- service:
- name: {{ include "snyk-broker.brokerServiceName" . }}
- port:
- number: {{ $servicePort }}
- {{- else }}
- serviceName: {{ include "snyk-broker.brokerServiceName" . }}
- servicePort: {{ $servicePort }}
- {{- end }}
- {{- if $ingressPath }}
- path: {{ $ingressPath }}
- {{- end }}
- {{- if $ingressSupportsPathType }}
- pathType: {{ $ingressPathType }}
- {{- end }}
- {{- end -}}
-{{- end }}
+ number: {{ .Values.service.port }}
+ {{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+ - hosts:
+ - {{ tpl .Values.ingress.hostname . | quote }}
+ {{- if .Values.ingress.existingSecret }}
+ secretName: {{ .Values.ingress.existingSecret }}
+ {{- else }}
+ secretName: {{ printf "%s-tls" (tpl .Values.ingress.hostname .) | trunc 63 | trimSuffix "-" }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/snyk-universal-broker/templates/secrets.yaml b/snyk-universal-broker/templates/secrets.yaml
index 4baf992..1a1f633 100644
--- a/snyk-universal-broker/templates/secrets.yaml
+++ b/snyk-universal-broker/templates/secrets.yaml
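Review bot: The rewritten template reads every setting from `.Values.ingress.*` (hostname, path, pathType, extraPaths, annotations, ingressClassName, tls, existingSecret) while it is still gated by `.Values.brokerIngress.enabled`, and the values.yaml hunk `@@ -229,13 +213,13 @@ brokerIngress:` in this same patch only defines `brokerIngress` (including the newly added `existingSecret`). With no `ingress` key all those lookups are nil, so an enabled ingress renders with an empty `rules:` and no `tls:` block, and the `if .Values.ingress.tls` test also expects a truthy scalar while the values file models `tls` as a map with `enabled:`. Either change the lookups to `.Values.brokerIngress.*` or move the values block under `ingress`, and make the TLS test `{{- if .Values.ingress.tls.enabled }}` so it matches the values schema. Separately, `secretName: {{ .Values.ingress.existingSecret }}` should be `| quote` like the other scalar on this path.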
@@ -11,24 +11,14 @@ stringData:
 clientId: {{ .Values.clientId | quote }}
 clientSecret: {{ .Values.clientSecret | quote }}
 ---
-{{- if and (not .Values.existingSecrets) (or .Values.brokerToken .Values.credentialReferences.GITHUB_TOKEN .Values.credentialReferences.GITLAB_TOKEN .Values.credentialReferences.BITBUCKET_PASSWORD .Values.credentialReferences.AZURE_REPOS_TOKEN) }}
+{{- if not .Values.existingSecrets }}
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ printf "%s-broker-scm-credential" (include "common.names.fullname" .) }}
+ name: {{ printf "%s-universal-broker-scm-credential-reference" (include "common.names.fullname" .) }}
 type: Opaque
 stringData:
- BROKER_TOKEN: {{ .Values.brokerToken | quote }}
- {{- if .Values.credentialReferences.GITHUB_TOKEN }}
- GITHUB_TOKEN: {{ .Values.credentialReferences.GITHUB_TOKEN | quote }}
- {{- end }}
- {{- if .Values.credentialReferences.GITLAB_TOKEN }}
- GITLAB_TOKEN: {{ .Values.credentialReferences.GITLAB_TOKEN | quote }}
- {{- end }}
- {{- if .Values.credentialReferences.BITBUCKET_PASSWORD }}
- BITBUCKET_PASSWORD: {{ .Values.credentialReferences.BITBUCKET_PASSWORD | quote }}
- {{- end }}
- {{- if .Values.credentialReferences.AZURE_REPOS_TOKEN }}
- AZURE_REPOS_TOKEN: {{ .Values.credentialReferences.AZURE_REPOS_TOKEN | quote }}
- {{- end }}
+{{- range $key, $value := .Values.credentialReferences }}
+ {{ $key }}: {{ $value | quote }}
+{{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/snyk-universal-broker/templates/service.yaml b/snyk-universal-broker/templates/service.yaml
index 7d22082..a2973f0 100644
--- a/snyk-universal-broker/templates/service.yaml
+++ b/snyk-universal-broker/templates/service.yaml
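Review bot: The Secret is renamed here to `%s-universal-broker-scm-credential-reference`, but the `envFrom` rewritten in statefulset.yaml (hunk `@@ -83,15 +79,10 @@`) still builds `%s-broker-scm-credential`, so with `existingSecrets` empty the pod references a Secret that is never rendered and cannot start. The two printf strings need to agree; the simplest fix is a shared named template or the same literal in both places. The new `range $key, $value` also expects a map, while values.yaml in this patch (hunk `@@ -26,16 +23,11 @@`) changes the default to `credentialReferences: []`; a list renders integer keys, and the empty default still emits a Secret whose `stringData:` is null. Suggest `credentialReferences: {}` in values.yaml and guarding this document with `{{- if and (not .Values.existingSecrets) .Values.credentialReferences }}` so no empty credential Secret is created.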
@@ -8,5 +8,5 @@ spec:
 type: {{ .Values.service.brokerType }}
 ports:
 - port: {{ .Values.service.port }}
- # targetPort: {{ .Values.deployment.container.containerPort }}
+ targetPort: {{ .Values.containerPort }}
 selector: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
diff --git a/snyk-universal-broker/templates/statefulset.yaml b/snyk-universal-broker/templates/statefulset.yaml
index cc9e8bf..aef351f 100644
--- a/snyk-universal-broker/templates/statefulset.yaml
+++ b/snyk-universal-broker/templates/statefulset.yaml
@@ -5,11 +5,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 spec:
- {{- if .Values.highAvailabilityMode.enabled }}
- replicas: {{ .Values.replicaCount }}
- {{ else }}
- replicas: 1
- {{- end }}
+ replicas: {{ ternary .Values.replicaCount 1 .Values.highAvailabilityMode.enabled }}
 updateStrategy:
 type: "RollingUpdate"
 rollingUpdate:
@@ -54,7 +50,7 @@ spec:
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 ports:
 - name: http
- containerPort: {{ .Values.deployment.container.containerPort }}
+ containerPort: {{ .Values.containerPort }}
 {{- if .Values.brokerLivenessProbe.enabled }}
 livenessProbe:
 httpGet:
@@ -83,15 +79,10 @@ spec:
 {{- toYaml .Values.extraContainerSpecs | nindent 10 }}
 {{- end }}
 envFrom:
- {{- if .Values.existingSecrets }}
 - secretRef:
- name: {{ .Values.existingSecrets }}
- {{- else }}
- - secretRef:
- name: {{ printf "%s-broker-scm-credential" (include "common.names.fullname" .) }}
- {{- end }}
+ name: {{ ternary .Values.existingSecrets (printf "%s-broker-scm-credential" (include "common.names.fullname" .)) (not (empty .Values.existingSecrets)) }}
 volumeMounts:
- {{- if or (.Values.caCert) (.Values.caCertFile) }}
+ {{- if .Values.caCert }}
 - name: {{ include "common.names.fullname" . }}-cacert-volume
 mountPath: /home/node/cacert
 readOnly: true
@@ -120,22 +111,13 @@ spec:
 value: {{ .Values.logLevel }}
 - name: LOG_ENABLE_BODY
 value: {{ .Values.logEnableBody | squote }}
-
- {{- if and (.Values.caCert) (not .Values.caCertFile) }}
- # HTTPS Inspection
- - name: CA_CERT
- value: /home/node/cacert/{{ .Values.caCert }}
- - name: NODE_EXTRA_CA_CERTS
- value: /home/node/cacert/{{ .Values.caCert }}
- {{- end }}
- {{- if and (.Values.caCertFile) (not .Values.caCert) }}
+ {{- if .Values.caCert }}
 # HTTPS Inspection
 - name: CA_CERT
 value: /home/node/cacert/cacert
 - name: NODE_EXTRA_CA_CERTS
 value: /home/node/cacert/cacert
 {{- end }}
-
 {{- if .Values.httpsCert }}
 # HTTPS Config
 - name: HTTPS_CERT
@@ -186,7 +168,7 @@ spec:
 value: {{ .Values.brokerDispatcherUrl }}
 # Mount Accept.json and Certs
 volumes:
- {{- if or (.Values.caCert) (.Values.caCertFile) }}
+ {{- if .Values.caCert }}
 - name: {{ include "common.names.fullname" . }}-cacert-volume
 secret:
 secretName: {{ include "snyk-broker.caCertSecretName" . }}
diff --git a/snyk-universal-broker/templates/tls-secret.yaml b/snyk-universal-broker/templates/tls-secret.yaml
index 6b31812..1df6475 100644
--- a/snyk-universal-broker/templates/tls-secret.yaml
+++ b/snyk-universal-broker/templates/tls-secret.yaml
@@ -8,11 +8,11 @@ metadata:
 labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 type: kubernetes.io/tls
 data:
- tls.crt: {{ (.Files.Get .Values.httpsCert) | b64enc | quote }}
- tls.key: {{ (.Files.Get .Values.httpsKey) | b64enc | quote }}
+ tls.crt: {{ .Values.httpsCert | b64enc | nindent 4 }}
+ tls.key: {{ .Values.httpsKey | b64enc | nindent 4 }}
 ---
 {{- end }}
-{{- if or .Values.caCert .Values.caCertFile }}
+{{- if .Values.caCert }}
 apiVersion: v1
 kind: Secret
 metadata:
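Review bot: `tls.crt: {{ .Values.httpsCert | b64enc | nindent 4 }}` (and the `tls.key` line below it) emits the base64 blob on a continuation line under the key, which YAML accepts as a plain multi-line scalar but is fragile and unlike every other `data` entry in the chart; the removed lines had it right, so use `tls.crt: {{ .Values.httpsCert | b64enc | quote }}` and `tls.key: {{ .Values.httpsKey | b64enc | quote }}`. With `.Files.Get` gone, `httpsKey` is now the private-key PEM itself taken from values, so the `## @param httpskey` doc in values.yaml (hunk `@@ -110,8 +103,8 @@`) should say that it is the key content and that it is meant to be supplied at install time (`--set-file httpsKey=...` or a values file kept out of version control), not stored in the committed values.yaml; the `httpskey` casing in that doc line also does not match the `httpsKey` key it documents.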
@@ -20,9 +20,5 @@ metadata:
 namespace: {{ .Release.Namespace }}
 labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 data:
-{{- if and .Values.caCert (not .Values.caCertFile) }}
-{{ (.Files.Glob .Values.caCert).AsSecrets | nindent 2 }}
-{{- else if and .Values.caCertFile (not .Values.caCert) }}
 cacert: {{ .Values.caCertFile | trim | b64enc | nindent 4}}
-{{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/snyk-universal-broker/values.yaml b/snyk-universal-broker/values.yaml
index cd0d439..5c439ac 100644
--- a/snyk-universal-broker/values.yaml
+++ b/snyk-universal-broker/values.yaml
@@ -4,13 +4,10 @@
 ##### Snyk Specific Values #####
-## @param brokerToken is a value from Snyk. Get this from the integration settings page or your Snyk Representative
 ## @param brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup.
 ## @param brokerServerUrl is default endpoint for broker server
 ## @param preflightChecks.enabled broker client preflight checks
-brokerToken: ""
-## E.g.
 ## brokerClientUrl:http://kubernetes-ingress.domain.com:8000
 brokerClientUrl: ""
 ## See https://docs.snyk.io/working-with-snyk/regional-hosting-and-data-residency#broker-urls for regional endpoints
@@ -26,16 +23,11 @@ clientSecret: ""
 ##### SCM Tokens #####
 existingSecrets: "" # Name of an existing secret if it exists
-credentialReferences:
- GITHUB_TOKEN: "" # Token value if a new secret needs to be created
- GITLAB_TOKEN: ""
- BITBUCKET_PASSWORD: ""
- AZURE_REPOS_TOKEN: ""
+credentialReferences: []
 ##### Universal Broker Deployment #####
-deployment:
- container:
- containerPort: 8000
+
+containerPort: 8000
 ## @param brokerResources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
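Review bot: The surviving context line `cacert: {{ .Values.caCertFile | trim | b64enc | nindent 4}}` still reads `caCertFile`, but this patch removes that key from values.yaml (it becomes `caCert` in hunk `@@ -138,7 +126,7 @@`) and the enclosing block is now gated on `.Values.caCert`. So whenever a CA certificate is supplied, the Secret's `cacert` entry is built from an undefined value, which renders as empty content or fails at `trim` on a nil, and the `/home/node/cacert/cacert` file that statefulset.yaml mounts and points `NODE_EXTRA_CA_CERTS` at is empty. Change it to `cacert: {{ .Values.caCert | trim | b64enc | quote }}`; the enclosing `if` starts in the previous hunk.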
@@ -51,6 +43,7 @@ brokerResources:
 commonLabels: {}
 customLabels: {}
+commonAnnotations: {}
 # Health and System Check Paths for the broker
 healthCheckPath: &healthCheckPath "/healthcheck"
@@ -110,8 +103,8 @@ logEnableBody: "false"
 ##### Enable HTTPS #####
 ## @param enableBrokerLocalWebserverOverHttps enables Broker client to run a HTTPS server instead of the default HTTP server
-## @param httpsCert provides location for HTTPS cert( File must be within the Helm Chart directory.)
-## @param httpskey provides location for HTTPS cert( File must be within the Helm Chart directory.)
+## @param httpsCert provides HTTPS cert
+## @param httpskey provides HTTPS cert key
 enableBrokerLocalWebserverOverHttps: false
 httpsCert: ""
@@ -119,15 +112,10 @@ httpsKey: ""
 ##### HTTPS Inspection #####
-# Filename of custom certificate to allow visibility for SSL Inspection (e.g "ca.pem")
-# Include any/all certificates required for a full trust chain.
-# File must be within the Helm Chart directory.
-caCert: ""
-
-# Set caCertFile to read certificate content from the values.yaml file as a multiline string:
+# Set caCert to read certificate content from the values.yaml file as a multiline string:
 # Include any/all certificates required for a full trust chain.
 #
-# caCertFile: |-
+# caCert: |-
 # ----- BEGIN CERTIFICATE -----
 # < certificate data >
 # ----- END CERTIFICATE -----
@@ -138,7 +126,7 @@ caCert: ""
 # or
 #
 # caCertFile: "----- BEGIN CERTIFICATE -----\n.....\n----- END CERTIFICATE -----"
-caCertFile: ""
+caCert: ""
 # Set to `true` to disable trust validation when providing your own CA certificate.
 disableCaCertTrust: false
@@ -161,9 +149,9 @@ noProxy: ""
 image:
 repository: snyk/broker
- pullPolicy: Always
+ pullPolicy: IfNotPresent
 # Overrides the image tag. If left empty the latest version is used
- tag: ""
+ tag: "universal"
 ##### Broker Image Pull Secrets Parameters #####
 imagePullSecrets: []
 # - name: registrySecretName
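Review bot: In hunk `@@ -138,7 +126,7 @@` the key is renamed to `caCert: ""`, but the example comment two lines above it, kept as context, still reads `# caCertFile: "----- BEGIN CERTIFICATE -----\n.....\n----- END CERTIFICATE -----"`, so the single-line example now names a key the chart no longer reads while the multi-line example above it (hunk `@@ -119,15 +112,10 @@`) was updated. Change it to `# caCert: "----- BEGIN CERTIFICATE -----\n.....\n----- END CERTIFICATE -----"` so both examples describe the key that follows them.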
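Review bot: `tag: "universal"` is a mutable tag, and paired with the new `pullPolicy: IfNotPresent` each node keeps whatever `snyk/broker:universal` it first pulled, so replicas drift across nodes and a rebuilt tag is never picked up until the cached image is evicted. Pin an immutable version tag (or a digest) per chart release and bump it deliberately, or keep `Always` while the tag stays floating. The comment kept above it, `# Overrides the image tag. If left empty the latest version is used`, is also no longer accurate now that the default is non-empty; something like `# Image tag to deploy; pin this to a specific broker release in production` would match the new default.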
@@ -181,8 +169,6 @@ serviceAccount:
 podAnnotations: {}
-podSecurityContext: {}
-
 ##### security context #####
 ## @param SecurityContext.runAsUser Set Consul containers' Security Context runAsUser
 ## @param SecurityContext.allowPrivilegeEscalation Set Consul containers' Security Context allowPrivilegeEscalation
@@ -197,17 +183,15 @@ securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
+ fsGroup: 1000
 ##### Service Types #####
 # If you prefer to adjust how communication to the cluster occurs, these values can be adjusted
 service:
- # Snyk Broker
 brokerType: ClusterIP
 port: 8000
-
- tls: []
 # - secretName: chart-example-tls
 # hosts:
@@ -229,13 +213,13 @@ brokerIngress:
 ## E.g.
 ## kubernetes.io/ingress.class: nginx
 ## kubernetes.io/tls-acme: "true"
- labels: {}
 path: /
 pathType: Prefix
 hosts:
- # Must match the Broker client url
 ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
 extraPaths: []
+ existingSecret: ""
 tls:
 enabled: false
 secret:
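Review bot: `fsGroup: 1000` is added under `securityContext`, whose `@param SecurityContext.*` comments describe it as the containers' security context, and the pod-level `podSecurityContext: {}` is removed in hunk `@@ -181,8 +169,6 @@` of this same file. `fsGroup` is only valid in the pod-level `securityContext`, so if the statefulset template renders this map on the container (I cannot see that usage from here) the API server rejects the object with an unknown-field error, and if it renders it at pod level then `allowPrivilegeEscalation` is the invalid field instead. Keep two maps, `podSecurityContext` carrying `fsGroup: 1000` and `securityContext` carrying the container fields, and confirm which one statefulset.yaml consumes.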