Run check workloads based on asynq queues #149
Draft
wants to merge 5 commits into
base: master
8 changes: 4 additions & 4 deletions stable/vulcan/Chart.yaml
Expand Up @@ -24,19 +24,19 @@ appVersion: 1.0.0

dependencies:
- name: postgresql
version: 12.5.7
version: 16.2.2
repository: oci://registry-1.docker.io/bitnamicharts
condition: postgresql.enabled
- name: redis
version: 17.11.5
version: 20.3.0
repository: oci://registry-1.docker.io/bitnamicharts
condition: redis.enabled
- name: minio
version: 12.6.4
version: 14.8.5
repository: oci://registry-1.docker.io/bitnamicharts
condition: minio.enabled
- name: localstack
version: 0.6.10
version: 0.6.17
repository: https://localstack.github.io/helm-charts
condition: localstack.enabled

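--- a/stable/vulcan/templates/checks/deployment.yaml
+++ b/stable/vulcan/templates/checks/deployment.yaml
@@ -0,0 +1,193 @@
+{{- $_ := (set .Values "comp" .Values.checks) -}}
+{{- if .Values.checks.gateway.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: {{ include "vulcan.fullname" $ }}-checkgw
+labels: {{- include "vulcan.labels" $ | nindent 4 }}
+app.kubernetes.io/name: {{ include "vulcan.fullname" $ }}-checkgw
+spec:
+selector:
+matchLabels: {{- include "vulcan.selectorLabels" $ | nindent 6 }}
+app.kubernetes.io/name: {{ include "vulcan.fullname" $ }}-checkgw
+template:
+metadata:
+labels: {{- include "vulcan.podLabels" $ | nindent 8 }}
+app.kubernetes.io/name: {{ include "vulcan.fullname" $ }}-checkgw
+spec:
+containers:
+- name: checkgw
+image: {{ .Values.checks.gateway.image.repository }}:{{ .Values.checks.gateway.image.tag }}
+env:
+- name: REDIS_HOST
+value: {{ include "vulcan.redis.host" $ | quote }}
+- name: REDIS_USR
+value: {{ include "vulcan.redis.username" $ | quote }}
+- name: REDIS_PORT
+value: {{ include "vulcan.redis.port" $ | quote }}
+- name: REDIS_DB
+value: {{ include "vulcan.redis.db" $ | quote }}
+- name: AWS_DEFAULT_REGION
+value: {{ $.Values.global.region | quote }}
+- name: CHECKS_SQS_ARN
+value: {{ tpl $.Values.checks.gateway.queueArn $ | quote }}
+- name: AWS_SQS_ENDPOINT
+value: {{ include "sqs.url" $ | quote }}
+- name: AWS_ACCESS_KEY_ID
+valueFrom:
+secretKeyRef:
+key: root-user
+name: vulcan-minio
+- name: AWS_SECRET_ACCESS_KEY
+valueFrom:
+secretKeyRef:
+key: root-password
+name: vulcan-minio
+---
+{{- end }}
+{{- range $key, $value := .Values.checks.checks }}
+{{- if $value.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: {{ include "vulcan.fullname" $ }}-check-{{ $key }}
+labels: {{- include "vulcan.labels" $ | nindent 4 }}
+app.kubernetes.io/name: {{ include "vulcan.fullname" $ }}-check-{{ $key }}
+spec:
+selector:
+matchLabels: {{- include "vulcan.selectorLabels" $ | nindent 6 }}
+app.kubernetes.io/name: {{ include "vulcan.fullname" $ }}-check-{{ $key }}
+template:
+metadata:
+labels: {{- include "vulcan.podLabels" $ | nindent 8 }}
+app.kubernetes.io/name: {{ include "vulcan.fullname" $ }}-check-{{ $key }}
+{{- with $.Values.checks.annotations }}
+annotations:
+{{ toYaml . | nindent 8 }}
+{{- end }}
+spec:
+{{- with $value.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml . | nindent 6 }}
+{{- end }}
+{{- with $value.serviceAccount }}
+serviceAccountName: {{ . }}
+{{- end }}
+initContainers:
+- name: check
+image: {{ $value.image.repository }}:{{ $value.image.tag }}
+restartPolicy: Always
+envFrom:
+# TODO: set the requiered vars for each check
+# - secretRef:
+# name: vulcan-agent-vars
+env:
+- name: VULCAN_HTTP_PORT
+value: "8080"
+{{- range $i, $v := $value.vars }}
+- name: {{ $v }}
+valueFrom:
+secretKeyRef:
+name: vulcan-agent-vars
+key: {{ $v }}
+{{- end }}
+ports:
+- name: http
+containerPort: 8080
+protocol: TCP
+containers:
+- name: controller
+image: {{ $.Values.checks.controller.image.repository }}:{{ $.Values.checks.controller.image.tag }}
+env:
+- name: REDIS_HOST
+value: {{ include "vulcan.redis.host" $ | quote }}
+- name: REDIS_USR
+value: {{ include "vulcan.redis.username" $ | quote }}
+- name: REDIS_PORT
+value: {{ include "vulcan.redis.port" $ | quote }}
+- name: REDIS_DB
+value: {{ include "vulcan.redis.db" $ | quote }}
+- name: CHECK_NAME
+value: {{ $key }}
+- name: CHECK_ENDPOINT
+value: http://localhost:8080
+- name: CONCURRENCY
+value: {{ $value.concurrency | quote }}
+- name: AWS_DEFAULT_REGION
+value: {{ $.Values.global.region | quote }}
+- name: CHECKS_SQS_ARN
+value: {{ tpl $.Values.checks.controller.queueArn $| quote }}
+- name: AWS_S3_BUCKET
+value: {{ $.Values.checks.controller.bucketReports | quote }}
+- name: AWS_S3_PATH_TEMPLATE
+value: {{ $.Values.checks.controller.pathTemplate | quote }}
+- name: CHECKTYPE_NAME
+value: {{ $value.image.repository }}
+- name: CHECKTYPE_VERSION
+value: {{ $value.image.tag }}
+{{- include "common-container-envs" $ | nindent 10 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: {{ include "vulcan.fullname" $ }}-check-{{ $key }}
+labels: {{- include "vulcan.labels" $ | nindent 4 }}
+app.kubernetes.io/name: {{ include "vulcan.fullname" $ }}-check-{{ $key }}
+spec:
+ports:
+- port: 80
+targetPort: http
+protocol: TCP
+name: http
+selector: {{- include "vulcan.selectorLabels" $ | nindent 4 }}
+app.kubernetes.io/name: {{ include "vulcan.fullname" $ }}-check-{{ $key }}
+{{- if $.Values.checks.ingresEnabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+name: {{ include "vulcan.fullname" $ }}-check-{{ $key }}
+labels: {{- include "vulcan.labels" $ | nindent 4 }}
+app.kubernetes.io/name: {{ include "vulcan.fullname" $ }}-check-{{ $key }}
+spec:
+rules:
+- host: {{ $key }}-check.localhost.direct
+http:
+paths:
+- backend:
+service:
+name: {{ include "vulcan.fullname" $ }}-check-{{ $key }}
+port:
+number: 80
+path: /
+pathType: ImplementationSpecific
+tls:
+- hosts:
+- {{ $key }}-checks.localhost.direct
+secretName: localhost-direct-tls
+{{- end }}
+{{- if $.Values.checks.keda.enabled }}
+---
+apiVersion: keda.sh/v1alpha1
+kind: ScaledObject
+metadata:
+name: {{ include "vulcan.fullname" $ }}-check-{{ $key }}
+spec:
+minReplicaCount: {{ $value.minReplicaCount | default 0 }}
+maxReplicaCount: {{ $value.maxReplicaCount | default 5 }}
+scaleTargetRef:
+name: {{ include "vulcan.fullname" $ }}-check-{{ $key }}
+triggers:
+- type: redis
+metadata:
+address: {{ printf "%s:%s" (include "vulcan.redis.host" $) (include "vulcan.redis.port" $) }}
+databaseIndex: {{ include "vulcan.redis.db" $ | quote }}
+listName: {{ printf "asynq:{vulcan-%s}:pending" $key }}
+listLength: {{ $value.listLength | default 5 | quote }}
+activationListLength: "1" # optional
+enableTLS: "false" # optional
+unsafeSsl: "false" # optional
+usernameFromEnv: REDIS_USR
+{{- end }}
+{{- end }}
+{{- end }}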
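Review bot: The Ingress block is gated on `$.Values.checks.ingresEnabled` (single "s") while the values.yaml hunk in this PR defines the flag as `checks.ingressEnabled`, so the Ingress never renders; the guard should read `{{- if $.Values.checks.ingressEnabled }}`. Inside that same block the rule host is `{{ $key }}-check.localhost.direct` but the TLS host is `{{ $key }}-checks.localhost.direct`, so the certificate host will not match the routed host. Several env values are emitted as plain scalars — `value: {{ $key }}`, `value: {{ $value.image.repository }}`, `value: {{ $value.image.tag }}` — and a tag such as `1.10` then parses as a float and is rejected by the API server as a non-string EnvVar value, so pipe them through `| quote` as the REDIS_* entries already do. The gateway takes `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from the `vulcan-minio` secret's `root-user`/`root-password`, which hands the MinIO root credentials to the workload; a dedicated least-privilege key, or a comment stating this is local-dev only, would make the intent clear. `restartPolicy: Always` on the `check` init container relies on the native-sidecar API (Kubernetes 1.28+), so on the 1.19 and 1.26 clusters in the lint-test matrix the field is presumably rejected or silently dropped — worth confirming before this leaves draft.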
3 changes: 3 additions & 0 deletions stable/vulcan/templates/scanengine/_config.tpl
@@ -1,3 +1,6 @@
{{- define "scanengine-secrets" -}}
PG_PASSWORD: {{ include "pg.encryptedPassword" . | quote }}
{{- if .Values.comp.conf.queues.redisEnabled }}
REDIS_PWD: {{ include "vulcan.redis.encryptedPassword" . | quote }}
{{- end }}
{{- end -}}
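Review bot: The new guard reads `.Values.comp.conf.queues.redisEnabled`, but the values.yaml hunk in this PR adds the flag as `queues: enableRedis: false`, so with the shipped values the `REDIS_PWD` entry never renders; the same condition gates the REDIS_HOST/REDIS_USR/REDIS_PORT/REDIS_DB block added in scanengine/deployment.yaml, which is therefore also dead. Align the two names — either `{{- if .Values.comp.conf.queues.enableRedis }}` here and in the deployment, or rename the values key to `redisEnabled` — and keep the password and the connection settings behind the same flag so the scanengine cannot end up with host/port but no credential. This presumes `comp` is the scanengine component's values, which is set outside this hunk.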
10 changes: 10 additions & 0 deletions stable/vulcan/templates/scanengine/deployment.yaml
Expand Up @@ -70,6 +70,16 @@ spec:
- name: "QUEUES_{{ add1 $index }}_CHECKTYPES"
value: {{ $value.checktypes | quote }}
{{- end }}
{{- if .Values.comp.conf.queues.redisEnabled }}
- name: REDIS_HOST
value: {{ include "vulcan.redis.host" . | quote }}
- name: REDIS_USR
value: {{ include "vulcan.redis.username" . | quote }}
- name: REDIS_PORT
value: {{ include "vulcan.redis.port" . | quote }}
- name: REDIS_DB
value: {{ include "vulcan.redis.db" . | quote }}
{{- end }}
{{- include "common-container-envs" . | nindent 10 }}
envFrom:
- secretRef:
Expand Down
63 changes: 63 additions & 0 deletions stable/vulcan/values.yaml
Expand Up @@ -483,6 +483,7 @@
checksSNS:
topicArn: arn:aws:sns:{{ .Values.global.region }}:{{ .Values.global.accountId }}:VulcanK8SChecks
queues:
enableRedis: false
default:
arn: arn:aws:sqs:{{ .Values.global.region }}:{{ .Values.global.accountId }}:VulcanK8SV2ChecksGeneric
# -- array of arn/checktypes
Expand All @@ -502,6 +503,13 @@
<<: *db
name: scanengine

redis:
host:
port:
username:
password:
db:

dogstatsd: *dogstatsd


Expand Down Expand Up @@ -691,3 +699,58 @@
# config2: |
# apiVersion: v1
# ...

checks:
name: checks
gateway:
enabled: false
image:
repository: checks-gateway
tag: dev
queueArn: arn:aws:sqs:{{ .Values.global.region }}:{{ .Values.global.accountId }}:VulcanK8SV2ChecksGeneric
controller:
image:
repository: checks-controller
tag: dev
queueArn: # arn:aws:sqs:{{ .Values.global.region }}:{{ .Values.global.accountId }}:VulcanK8SScanEngineCheckStatus

bucketReports: reports
pathTemplate: asynq/{{.CheckID}}/{{.CheckID}}.json
annotations:
keda:
enabled: false
checks:

sleep:
serviceAccount: ""
enabled: false
concurrency: 3
image:
repository: vulcansec/vulcan-sleep
tag: checkshttp
vars: []
# trivy:
# concurrency: 10
# image:
# repository: vulcansec/vulcan-trivy
# tag: checkshttp
# vars:
# - GITHUB_ENTERPRISE_ENDPOINT
# - GITHUB_ENTERPRISE_TOKEN
# - REGISTRY_DOMAIN
# - REGISTRY_USERNAME
# - REGISTRY_PASSWORD
# minReplicaCount: 0
# maxReplicaCount: 5
# listLength: 10

ingressEnabled: false

meta:
s3: true
sqs: true

redis:
host:
port:
username:
password:
db:

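Review bot: `checks.controller.queueArn:` is left with a bare null value and the ARN only in a trailing comment, while templates/checks/deployment.yaml passes it through `tpl ... | quote` for every enabled check; `tpl` on a nil value presumably fails the render, so either give it a quoted string default or guard that env entry with `{{- with $.Values.checks.controller.queueArn }}`. The two new `redis:` blocks add `host:`, `port:`, `username:`, `password:`, `db:` with empty values, which parse as null rather than empty strings; write them as `""` (or an explicit `null`) so the `| quote` helpers produce a defined value, and keep `password` out of committed values by referencing an existing Secret. `checks.annotations:` and `checks.checks:` are likewise bare nulls; `{}` states the intended type and avoids a map/list mismatch when a user overrides them. The yamllint failures already reported by CI (trailing spaces on the `checks:` and `redis:` lines, one space before the `queueArn` comment) should be cleaned up in the same change.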