From f83b5452cfd205337ec693d5a79053495f7736d9 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Sat, 3 Feb 2024 12:10:52 -0500 Subject: [PATCH 01/30] add ingress Signed-off-by: Sunny Yip --- charts/guac/ci/guac-ingress-values.yaml | 10 ++++++++++ charts/guac/values.yaml | 6 ++++++ 2 files changed, 16 insertions(+) create mode 100644 charts/guac/ci/guac-ingress-values.yaml diff --git a/charts/guac/ci/guac-ingress-values.yaml b/charts/guac/ci/guac-ingress-values.yaml new file mode 100644 index 0000000..fae83b6 --- /dev/null +++ b/charts/guac/ci/guac-ingress-values.yaml @@ -0,0 +1,10 @@ +# Ingest sample data to ensure the test instance is fully functional +guac: + sampleData: + ingest: true + + ingress: + enabled: true + ingressClassName: traefik + webuiHostname: web.guac.com + apiHostname: api.guac.com diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml index f55f20e..ec2d526 100644 --- a/charts/guac/values.yaml +++ b/charts/guac/values.yaml @@ -190,6 +190,12 @@ guac: ingest: false jobName: ingest-guac-data + ingress: + enabled: false + # ingressClassName: + # webuiHostname: + # apiHostname: + ## @section nats ## @descriptionStart This is the configuration for nats. This is a subchart. See full documentation [here](https://docs.nats.io/running-a-nats-service/nats-kubernetes/helm-charts). From ee0fb6c9b3f8dc4b407f667cdfcade71972d3cf0 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Sat, 3 Feb 2024 12:14:44 -0500 Subject: [PATCH 02/30] fix linting errors Signed-off-by: Sunny Yip --- charts/guac/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml index ec2d526..1a161ac 100644 --- a/charts/guac/values.yaml +++ b/charts/guac/values.yaml @@ -192,9 +192,9 @@ guac: ingress: enabled: false - # ingressClassName: - # webuiHostname: - # apiHostname: + # ingressClassName: + # webuiHostname: + # apiHostname: ## @section nats From c648299535287511e6fc482a4796f2ed0210a999 Mon Sep 17 00:00:00 2001 
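Review bot: The fixture hostnames `web.guac.com` and `api.guac.com` in guac-ingress-values.yaml look like a real registrable domain, so a mis-pointed CI cluster with a working ingress controller could resolve, probe or request certificates for a zone the project does not control. Test and CI fixtures should use names reserved for that purpose, e.g. `webuiHostname: web.guac.example.com` and `apiHostname: api.guac.example.com`; the ingress_test.yaml assertions added later in this series compare against these literal values, so both should change together.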
From: Sunny Yip Date: Mon, 5 Feb 2024 13:30:19 -0500 Subject: [PATCH 03/30] add ingress and test Signed-off-by: Sunny Yip --- charts/guac/templates/ingress.yaml | 56 +++++++++++++++++++++++++++++ charts/guac/tests/ingress_test.yaml | 31 ++++++++++++++++ 2 files changed, 87 insertions(+) create mode 100644 charts/guac/templates/ingress.yaml create mode 100644 charts/guac/tests/ingress_test.yaml diff --git a/charts/guac/templates/ingress.yaml b/charts/guac/templates/ingress.yaml new file mode 100644 index 0000000..7796e18 --- /dev/null +++ b/charts/guac/templates/ingress.yaml @@ -0,0 +1,56 @@ +{{- if .Values.guac.ingress.enabled -}} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ .Release.Namespace }} + namespace: {{ .Release.Namespace }} + +{{- if .Values.guac.ingress.annotations }} + annotations: +{{ toYaml .Values.guac.ingress.annotations | indent 4 }} +{{- end }} + + labels: +{{- include "guac.labels" . | nindent 4 }} +{{- range $key, $value := .Values.guac.ingress.extraLabels }} + {{ $key }}: {{ $value }} +{{- end }} + +spec: + {{- if .Values.guac.ingress.ingressClassName }} + ingressClassName: {{ .Values.guac.ingress.ingressClassName }} + {{- end }} + rules: + {{ if .Values.guac.ingress.webuiHostname }} + - host: {{ .Values.guac.ingress.webuiHostname }} + http: &http + paths: + - path: /playground + pathType: Prefix + backend: + service: + name: graphql-server + port: + number: 8080 + - path: / + pathType: Prefix + backend: + service: + name: visualizer + port: + number: 3000 + {{ end }} + {{ if .Values.guac.ingress.apiHostname }} + - host: {{ .Values.guac.ingress.apiHostname }} + http: + paths: + {{ end }} + - path: /query + pathType: Prefix + backend: + service: + name: graphql-server + port: + number: 8080 +{{- end -}} diff --git a/charts/guac/tests/ingress_test.yaml b/charts/guac/tests/ingress_test.yaml new file mode 100644 index 0000000..76803cb --- /dev/null +++ b/charts/guac/tests/ingress_test.yaml 
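Review bot: The rendered Ingress has no `tls` stanza, so the GraphQL `/query` endpoint and the `/playground` UI are published on the configured hostnames over plain HTTP unless the ingress controller enforces TLS by itself; a `guac.ingress.tls` passthrough (with a commented `# tls: []` placeholder in values.yaml) lets deployers attach a certificate without forking the template. Two smaller issues in the same hunk: `metadata.name` is set to `.Release.Namespace`, which is an odd identity for an Ingress and collides with anything else that uses the namespace name, so a fixed name such as `guac-ingress` would be clearer, and the `&http` anchor on the web UI rule is never aliased and can be dropped. Also worth a comment: the trailing `/query` path is attached to the API host only through indentation, and falls back onto the web UI host's path list when `apiHostname` is unset.
```yaml
spec:
  {{- if .Values.guac.ingress.ingressClassName }}
  ingressClassName: {{ .Values.guac.ingress.ingressClassName }}
  {{- end }}
  {{- with .Values.guac.ingress.tls }}
  tls:
{{ toYaml . | indent 4 }}
  {{- end }}
  rules:
  # … unchanged: host rules and paths …
```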
@@ -0,0 +1,31 @@ +# Copyright Kusari, Inc. and contributors +# Licensed under the MIT license. See LICENSE file in the project root for details. +suite: Ingress tests +templates: + - ingress.yaml + +tests: + - it: ingress should render + values: + # use Chart Testing config + - ../ci/guac-ingress-values.yaml + asserts: + - isKind: + of: Ingress + - hasDocuments: + count: 1 + - equal: + path: spec.ingressClassName + value: traefik + - equal: + path: spec.rules[0].host + value: web.guac.com + - equal: + path: spec.rules[1].host + value: api.guac.com + - equal: + path: metadata.annotations["test-annotation"] + value: test-value + - equal: + path: metadata.labels['test-label'] + value: test-value From 56b8a24251a9704192215ae69fbccad78164ffa2 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Mon, 5 Feb 2024 13:32:24 -0500 Subject: [PATCH 04/30] update unit test Signed-off-by: Sunny Yip --- charts/guac/Chart.lock | 4 ++-- charts/guac/Chart.yaml | 1 + charts/guac/ci/guac-ingress-values.yaml | 7 +++++++ charts/guac/templates/_helpers.tpl | 2 -- charts/guac/templates/collectsub-deployment.yaml | 2 -- charts/guac/tests/collectsub_deployment_test.yaml | 4 ++-- charts/guac/tests/collectsub_service_test.yaml | 4 ++-- charts/guac/tests/depsdev-collector_deployment_test.yaml | 4 ++-- charts/guac/tests/graphql_deployment_test.yaml | 5 +++-- charts/guac/tests/graphql_service_test.yaml | 4 ++-- charts/guac/tests/ingestor_deployment_test.yaml | 4 ++-- charts/guac/tests/oci_collector_deployment_test.yaml | 4 ++-- charts/guac/tests/osv-certifier_deployment_test.yaml | 4 ++-- charts/guac/values.yaml | 1 + 14 files changed, 28 insertions(+), 22 deletions(-) diff --git a/charts/guac/Chart.lock b/charts/guac/Chart.lock index d068a2e..290857a 100644 --- a/charts/guac/Chart.lock +++ b/charts/guac/Chart.lock 
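Review bot: The test asserts both host names but never checks where `/query` is routed, which is the most fragile part of ingress.yaml because the trailing path block only attaches to the API host through its indentation. Add `- equal: path: spec.rules[1].http.paths[0].path value: /query` and, if the plugin version in use supports it, `- lengthEqual: path: spec.rules[0].http.paths count: 2`, so a whitespace change in the template fails the suite instead of silently serving the API on the UI host. As written, the annotation and label asserts also depend on `test-annotation`/`test-label` being present in the referenced values file, which this patch does not add to ci/guac-ingress-values.yaml.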
@@ -2,5 +2,5 @@ dependencies: - name: nats repository: https://nats-io.github.io/k8s/helm/charts/ version: 0.19.17 -digest: sha256:ecbbc3cea93f04cb5daf676ad1953d09c399396f2e74dbeb326521203240b508 -generated: "2023-08-16T14:24:33.92852-04:00" +digest: sha256:67184e8036c443a2c36cad0af6491bfe350c6b2f9e259c678e75ba80a3817af0 +generated: "2024-02-05T12:59:15.076843-05:00" diff --git a/charts/guac/Chart.yaml b/charts/guac/Chart.yaml index 32b0588..a689a3e 100644 --- a/charts/guac/Chart.yaml +++ b/charts/guac/Chart.yaml @@ -16,3 +16,4 @@ dependencies: - name: nats version: "~0.19.12" repository: "https://nats-io.github.io/k8s/helm/charts/" + condition: nats.enabled diff --git a/charts/guac/ci/guac-ingress-values.yaml b/charts/guac/ci/guac-ingress-values.yaml index fae83b6..76d8033 100644 --- a/charts/guac/ci/guac-ingress-values.yaml +++ b/charts/guac/ci/guac-ingress-values.yaml @@ -8,3 +8,10 @@ guac: ingressClassName: traefik webuiHostname: web.guac.com apiHostname: api.guac.com + annotations: + test-annotation: test-value + extraLabels: + test-label: test-value + +nats: + enabled: true diff --git a/charts/guac/templates/_helpers.tpl b/charts/guac/templates/_helpers.tpl index 2bad509..b6f4c5b 100644 --- a/charts/guac/templates/_helpers.tpl +++ b/charts/guac/templates/_helpers.tpl @@ -44,8 +44,6 @@ helm.sh/chart: {{ include "guac.chart" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/part-of: "guac" app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} diff --git a/charts/guac/templates/collectsub-deployment.yaml b/charts/guac/templates/collectsub-deployment.yaml index 5339005..37eaa7c 100644 --- a/charts/guac/templates/collectsub-deployment.yaml +++ b/charts/guac/templates/collectsub-deployment.yaml 
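Review bot: Removing `app.kubernetes.io/instance: {{ .Release.Name }}` from the shared `guac.labels` helper drops the only label that distinguishes two releases of this chart installed in the same namespace, and the commit message ("update unit test") gives no reason for it. If the label was removed only so the `["app.kubernetes.io/name"]` path assertions pass, keeping it and adjusting the tests is the safer direction. Service selectors and the other deployment templates are outside this hunk, so whether anything selected on `instance` cannot be confirmed from here; a sentence in the commit message would settle it.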
@@ -12,8 +12,6 @@ metadata: {{- end }} labels: {{- include "guac.labels" . | nindent 4 }} - app.kubernetes.io/name: {{ .Values.guac.collectSub.name }} - app.kubernetes.io/component: {{ .Values.guac.collectSub.name }} spec: replicas: {{ .Values.guac.collectSub.replicas }} selector: diff --git a/charts/guac/tests/collectsub_deployment_test.yaml b/charts/guac/tests/collectsub_deployment_test.yaml index 42afd2e..2fa1c86 100644 --- a/charts/guac/tests/collectsub_deployment_test.yaml +++ b/charts/guac/tests/collectsub_deployment_test.yaml @@ -45,10 +45,10 @@ tests: path: spec.replicas value: 1 - equal: - path: spec.selector.matchLabels.app\.kubernetes\.io/name + path: spec.selector.matchLabels["app.kubernetes.io/name"] value: collectsub - equal: - path: spec.template.metadata.labels.app\.kubernetes\.io/name + path: spec.template.metadata.labels["app.kubernetes.io/name"] value: collectsub - it: should use tag if only tag is specified diff --git a/charts/guac/tests/collectsub_service_test.yaml b/charts/guac/tests/collectsub_service_test.yaml index 2f958da..097923f 100644 --- a/charts/guac/tests/collectsub_service_test.yaml +++ b/charts/guac/tests/collectsub_service_test.yaml @@ -20,8 +20,8 @@ tests: path: metadata.name value: collectsub - equal: - path: metadata.labels.app\.kubernetes\.io/name + path: metadata.labels["app.kubernetes.io/name"] value: collectsub - equal: - path: spec.selector.app\.kubernetes\.io/name + path: spec.selector["app.kubernetes.io/name"] value: collectsub \ No newline at end of file diff --git a/charts/guac/tests/depsdev-collector_deployment_test.yaml b/charts/guac/tests/depsdev-collector_deployment_test.yaml index c048b8b..26c592a 100644 --- a/charts/guac/tests/depsdev-collector_deployment_test.yaml +++ b/charts/guac/tests/depsdev-collector_deployment_test.yaml 
@@ -45,10 +45,10 @@ tests: path: spec.replicas value: 1 - equal: - path: spec.selector.matchLabels.app\.kubernetes\.io/name + path: spec.selector.matchLabels["app.kubernetes.io/name"] value: depsdev-collector - equal: - path: spec.template.metadata.labels.app\.kubernetes\.io/name + path: spec.template.metadata.labels["app.kubernetes.io/name"] value: depsdev-collector - it: should use tag if only tag is specified diff --git a/charts/guac/tests/graphql_deployment_test.yaml b/charts/guac/tests/graphql_deployment_test.yaml index 6116199..d26da0f 100644 --- a/charts/guac/tests/graphql_deployment_test.yaml +++ b/charts/guac/tests/graphql_deployment_test.yaml @@ -45,12 +45,13 @@ tests: path: spec.replicas value: 1 - equal: - path: spec.selector.matchLabels.app\.kubernetes\.io/name + path: spec.selector.matchLabels["app.kubernetes.io/name"] value: graphql-server - equal: - path: spec.template.metadata.labels.app\.kubernetes\.io/name + path: spec.template.metadata.labels["app.kubernetes.io/name"] value: graphql-server + - it: should use tag if only tag is specified values: - ./values_tag_no_digest.yaml diff --git a/charts/guac/tests/graphql_service_test.yaml b/charts/guac/tests/graphql_service_test.yaml index 00a452e..10c846b 100644 --- a/charts/guac/tests/graphql_service_test.yaml +++ b/charts/guac/tests/graphql_service_test.yaml @@ -20,8 +20,8 @@ tests: path: metadata.name value: graphql-server - equal: - path: metadata.labels.app\.kubernetes\.io/name + path: metadata.labels["app.kubernetes.io/name"] value: graphql-server - equal: - path: spec.selector.app\.kubernetes\.io/name + path: spec.selector["app.kubernetes.io/name"] value: graphql-server \ No newline at end of file diff --git a/charts/guac/tests/ingestor_deployment_test.yaml b/charts/guac/tests/ingestor_deployment_test.yaml index 161ff2d..3e454ae 100644 --- a/charts/guac/tests/ingestor_deployment_test.yaml +++ b/charts/guac/tests/ingestor_deployment_test.yaml 
@@ -45,10 +45,10 @@ tests: path: spec.replicas value: 1 - equal: - path: spec.selector.matchLabels.app\.kubernetes\.io/name + path: spec.selector.matchLabels["app.kubernetes.io/name"] value: ingestor - equal: - path: spec.template.metadata.labels.app\.kubernetes\.io/name + path: spec.template.metadata.labels["app.kubernetes.io/name"] value: ingestor - it: should use tag if only tag is specified diff --git a/charts/guac/tests/oci_collector_deployment_test.yaml b/charts/guac/tests/oci_collector_deployment_test.yaml index 32fd2bf..1fdf8ba 100644 --- a/charts/guac/tests/oci_collector_deployment_test.yaml +++ b/charts/guac/tests/oci_collector_deployment_test.yaml @@ -45,10 +45,10 @@ tests: path: spec.replicas value: 1 - equal: - path: spec.selector.matchLabels.app\.kubernetes\.io/name + path: spec.selector.matchLabels["app.kubernetes.io/name"] value: oci-collector - equal: - path: spec.template.metadata.labels.app\.kubernetes\.io/name + path: spec.template.metadata.labels["app.kubernetes.io/name"] value: oci-collector - it: should use tag if only tag is specified diff --git a/charts/guac/tests/osv-certifier_deployment_test.yaml b/charts/guac/tests/osv-certifier_deployment_test.yaml index 6823b2c..ab97f93 100644 --- a/charts/guac/tests/osv-certifier_deployment_test.yaml +++ b/charts/guac/tests/osv-certifier_deployment_test.yaml @@ -45,10 +45,10 @@ tests: path: spec.replicas value: 1 - equal: - path: spec.selector.matchLabels.app\.kubernetes\.io/name + path: spec.selector.matchLabels["app.kubernetes.io/name"] value: osv-certifier - equal: - path: spec.template.metadata.labels.app\.kubernetes\.io/name + path: spec.template.metadata.labels["app.kubernetes.io/name"] value: osv-certifier - it: should use tag if only tag is specified diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml index 1a161ac..b753f54 100644 --- a/charts/guac/values.yaml +++ b/charts/guac/values.yaml 
@@ -210,6 +210,7 @@ guac: ## @param nats.exporter.serviceMonitor.namespace nats service monitor namespace - this is for monitoring purposes and is used by Prometheus ## @param nats.exporter.serviceMonitor.labels.release Label to associate nats service monitor with GUAC for monitoring purposes nats: + enabled: true nats: jetstream: enabled: true From 22aafd2cd31d8889cf470b9d105e8e6ebc52bf08 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Mon, 5 Feb 2024 13:53:56 -0500 Subject: [PATCH 05/30] update helm unittest version Signed-off-by: Sunny Yip --- .github/workflows/tests.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 8edb59c..eeb1edd 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -22,8 +22,8 @@ jobs: - name: Run helm unittest run: | - helm plugin install https://github.com/quintush/helm-unittest --version 0.2.11 - helm unittest charts/guac -3 + helm plugin install https://github.com/helm-unittest/helm-unittest.git --version 0.4.1 + helm unittest charts/guac - name: Install Helm uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 From ae7f1b848b2cd3533799092a9fdefded69243215 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Mon, 5 Feb 2024 17:02:20 -0500 Subject: [PATCH 06/30] add ENT postgres support Signed-off-by: Sunny Yip check in test inputs Signed-off-by: Sunny Yip --- charts/guac/templates/guac-cm.yaml | 20 ++++++++++++-- .../guac/tests/graphql_ent_backend_test.yaml | 27 +++++++++++++++++++ charts/guac/tests/ingress_test.yaml | 2 +- charts/guac/tests/values_ent_backend.yaml | 9 +++++++ charts/guac/tests/values_ingress.yaml | 14 ++++++++++ charts/guac/values.yaml | 16 ++++++++++- 6 files changed, 84 insertions(+), 4 deletions(-) create mode 100644 charts/guac/tests/graphql_ent_backend_test.yaml create mode 100644 charts/guac/tests/values_ent_backend.yaml create mode 100644 charts/guac/tests/values_ingress.yaml 
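Review bot: `helm plugin install https://github.com/helm-unittest/helm-unittest.git --version 0.4.1` fetches the plugin from a mutable git tag at workflow run time, while the very next step pins `azure/setup-helm` to a full commit SHA; the two pinning levels are inconsistent, and a moved or re-tagged release would change what runs in CI without any diff here. Helm's VCS plugin installer should accept a commit for `--version`, so the tag can be replaced by the commit it resolves to with the tag kept as a comment, e.g. `--version <commit-sha>  # v0.4.1`. Dropping `-3` presumably matches the newer plugin's CLI, which is worth stating in the commit message.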
diff --git a/charts/guac/templates/guac-cm.yaml b/charts/guac/templates/guac-cm.yaml index 233ded9..d6b1ee0 100644 --- a/charts/guac/templates/guac-cm.yaml +++ b/charts/guac/templates/guac-cm.yaml @@ -6,10 +6,14 @@ kind: ConfigMap metadata: name: guac-cm data: - guac.yaml: | + guac.yaml: +{{- if $.Values.nats.enabled }} # Nats setup nats-addr: nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}.svc.cluster.local:4222 +{{- else }} + # Nats is disabled! +{{- end }} # CSub setup {{- with (index .Values.guac.collectSub.svcPorts 0) }} @@ -28,4 +32,16 @@ data: # Collector behavior service-poll: true - use-csub: true \ No newline at end of file + use-csub: true + + # certifier polling + poll: true + interval: 5m + + +{{- if eq $.Values.guac.graphqlServer.backend "ent" }} + # Ent config + {{- range $key, $val := $.Values.guac.backend.ent }} + {{ $key }}: {{ $val }} + {{- end }} +{{- end }} diff --git a/charts/guac/tests/graphql_ent_backend_test.yaml b/charts/guac/tests/graphql_ent_backend_test.yaml new file mode 100644 index 0000000..56b0ce3 --- /dev/null +++ b/charts/guac/tests/graphql_ent_backend_test.yaml @@ -0,0 +1,27 @@ +# Copyright Kusari, Inc. and contributors +# Licensed under the MIT license. See LICENSE file in the project root for details. +suite: ConfigMap tests +templates: + - guac-cm.yaml + +tests: + - it: configmap should render + values: + - ./values_ent_backend.yaml + asserts: + - isKind: + of: ConfigMap + - hasDocuments: + count: 1 + - equal: + path: metadata.name + value: guac-cm + - equal: + path: data["guac.yaml"]["db-driver"] + value: postgres + - equal: + path: data["guac.yaml"]["db-address"] + value: postgres://guac:guac@host:port/guacDB + - equal: + path: data["guac.yaml"]["db-migrate"] + value: true diff --git a/charts/guac/tests/ingress_test.yaml b/charts/guac/tests/ingress_test.yaml index 76803cb..b7c0b87 100644 --- a/charts/guac/tests/ingress_test.yaml +++ b/charts/guac/tests/ingress_test.yaml 
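Review bot: The Ent block copies every key under `guac.backend.ent` into the `guac-cm` ConfigMap, and `db-address` is a full connection URL that carries the database password (`postgres://guac:guac@…` in the defaults added in this same patch), so the credential lands in a non-secret object readable by anything with `get configmaps` and in every rendered manifest that CI prints. Keep `db-driver` and `db-migrate` here, but source `db-address` from a Secret instead — either a `secretKeyRef` env var on the graphql-server container or a `guac.backend.ent.existingSecret` value that the template references rather than a plaintext string. The deployment that mounts this ConfigMap is outside the hunk, so which pods receive the URL cannot be confirmed from here.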
@@ -8,7 +8,7 @@ tests: - it: ingress should render values: # use Chart Testing config - - ../ci/guac-ingress-values.yaml + - ./values_ingress.yaml asserts: - isKind: of: Ingress diff --git a/charts/guac/tests/values_ent_backend.yaml b/charts/guac/tests/values_ent_backend.yaml new file mode 100644 index 0000000..fb040ac --- /dev/null +++ b/charts/guac/tests/values_ent_backend.yaml @@ -0,0 +1,9 @@ +# Ingest sample data to ensure the test instance is fully functional +guac: + graphqlServer: + backend: ent + backend: + ent: + db-driver: postgres + db-address: postgres://guac:guac@host:port/guacDB + db-migrate: true diff --git a/charts/guac/tests/values_ingress.yaml b/charts/guac/tests/values_ingress.yaml new file mode 100644 index 0000000..83a90d4 --- /dev/null +++ b/charts/guac/tests/values_ingress.yaml @@ -0,0 +1,14 @@ +# Ingest sample data to ensure the test instance is fully functional +guac: + sampleData: + ingest: true + + ingress: + enabled: true + ingressClassName: traefik + webuiHostname: web.guac.com + apiHostname: api.guac.com + annotations: + test-annotation: test-value + extraLabels: + test-label: test-value diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml index b753f54..4a0bd36 100644 --- a/charts/guac/values.yaml +++ b/charts/guac/values.yaml 
@@ -58,7 +58,7 @@ imagePullSecrets: ## @param guac.graphqlServer.svcPorts[0].protocol Protocol used at the the GraphQL Server ## @param guac.graphqlServer.svcPorts[0].port Port the GraphQL Server service listens on ## @param guac.graphqlServer.svcPorts[0].targetPort Port the GraphQL Server container listens on -## @param guac.graphqlServer.backend which backend to use - only support inmem at the moment. +## @param guac.graphqlServer.backend which backend to use - keyvalue (default) | arango | ent. ## @param guac.graphqlServer.debug Enable debug mode for graphql server; also enable the UI ## @param guac.graphqlServer.nodeSelector - sets the node selector for where to run the deployment ## @param guac.visualizer.enabled String Whether to deploy the visualizer. @@ -77,6 +77,13 @@ imagePullSecrets: ## @param guac.observability.deployServiceMonitor Boolean Deploy the service monitor for observability ## @param guac.sampleData.ingest Boolean - whether to ingest sample data after deployment ## @param guac.sampleData.jobName Name of the sample data ingest job +## @param guac.ingress.enabled Whether to deploy an Ingress object +## @param guac.ingress.ingressClassName Ingress class name +## @param guac.ingress.webuiHostname DNS name for the UI components - e.g. Visualizer, GQL playground +## @param guac.ingress.apiHostname DNS name for the GQL API. When specified, GQL API won't be served at webuiHostname +## @param guac.backend.ent.db-driver DB driver of ENT backend +## @param guac.backend.ent.db-address DB address of ENT backend +## @param guac.backend.ent.db-migrate Wether to run DB migration from the GQL API process guac: guacImage: 
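Review bot: `Wether` in the `## @param guac.backend.ent.db-migrate` line should be `Whether`; these `## @param` lines feed the generated README, so the typo is user-visible. The `guac.ingress.apiHostname` description would also benefit from stating that the chart's Ingress configures no TLS itself, so README readers do not assume the API hostname is served over HTTPS.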
@@ -195,11 +202,18 @@ guac: # ingressClassName: # webuiHostname: # apiHostname: + + backend: + ent: + db-driver: postgres + db-address: postgres://guac:guac@host:port/dbName?sslmode=disable + db-migrate: true ## @section nats ## @descriptionStart This is the configuration for nats. This is a subchart. See full documentation [here](https://docs.nats.io/running-a-nats-service/nats-kubernetes/helm-charts). ## @descriptionEnd +## @param nats.nats.enabled Whehter to deploy nats as part of the Helm deployment ## @param nats.nats.jetstream.enabled Boolean for enabling JetStream. ## @param nats.nats.limits.maxPayload Max Payload size for nats ## @param nats.nats.statefulSetPodLabels.app.kubernetes.io/part-of Label to associate nats with GUAC for monitoring purposes From 5b3780019ecafbee79ca7cab65278fc45e620742 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Mon, 5 Feb 2024 17:05:56 -0500 Subject: [PATCH 07/30] bump helm chart version Signed-off-by: Sunny Yip fix test Signed-off-by: Sunny Yip --- charts/guac/Chart.yaml | 2 +- charts/guac/ci/guac-ingress-values.yaml | 17 ----------------- charts/guac/templates/guac-cm.yaml | 2 +- .../guac/tests/graphql_ent_backend_test.yaml | 19 ++++++++++--------- charts/guac/values.yaml | 2 +- 5 files changed, 13 insertions(+), 29 deletions(-) delete mode 100644 charts/guac/ci/guac-ingress-values.yaml diff --git a/charts/guac/Chart.yaml b/charts/guac/Chart.yaml index a689a3e..3b39958 100644 --- a/charts/guac/Chart.yaml +++ b/charts/guac/Chart.yaml @@ -9,7 +9,7 @@ maintainers: email: guac-info@kusari.dev type: application -version: 0.2.6 +version: 0.2.7 appVersion: "v0.4.0" dependencies: diff --git a/charts/guac/ci/guac-ingress-values.yaml b/charts/guac/ci/guac-ingress-values.yaml deleted file mode 100644 index 76d8033..0000000 --- a/charts/guac/ci/guac-ingress-values.yaml +++ /dev/null 
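Review bot: The default `db-address` ends in `?sslmode=disable`, so anyone who replaces only `host:port`/`dbName` gets a Postgres connection that sends the password and all ingested data in clear text; a placeholder should default to the secure setting (`?sslmode=require`, or `verify-full` with a CA) and leave disabling TLS as an explicit opt-out, and the `guac:guac` credentials are better left blank than shipped as a working-looking default. In the same hunk, the new doc line `## @param nats.nats.enabled` does not match the key actually added in patch 04, which is `nats.enabled` (also the path in Chart.yaml's `condition`), so the generated README will document a value that is never read.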
@@ -1,17 +0,0 @@ -# Ingest sample data to ensure the test instance is fully functional -guac: - sampleData: - ingest: true - - ingress: - enabled: true - ingressClassName: traefik - webuiHostname: web.guac.com - apiHostname: api.guac.com - annotations: - test-annotation: test-value - extraLabels: - test-label: test-value - -nats: - enabled: true diff --git a/charts/guac/templates/guac-cm.yaml b/charts/guac/templates/guac-cm.yaml index d6b1ee0..b534872 100644 --- a/charts/guac/templates/guac-cm.yaml +++ b/charts/guac/templates/guac-cm.yaml @@ -6,7 +6,7 @@ kind: ConfigMap metadata: name: guac-cm data: - guac.yaml: + guac.yaml: |- {{- if $.Values.nats.enabled }} # Nats setup diff --git a/charts/guac/tests/graphql_ent_backend_test.yaml b/charts/guac/tests/graphql_ent_backend_test.yaml index 56b0ce3..05d4f19 100644 --- a/charts/guac/tests/graphql_ent_backend_test.yaml +++ b/charts/guac/tests/graphql_ent_backend_test.yaml @@ -16,12 +16,13 @@ tests: - equal: path: metadata.name value: guac-cm - - equal: - path: data["guac.yaml"]["db-driver"] - value: postgres - - equal: - path: data["guac.yaml"]["db-address"] - value: postgres://guac:guac@host:port/guacDB - - equal: - path: data["guac.yaml"]["db-migrate"] - value: true + # commenting this out as data["guac.yaml"] can't be accessed as object when '|' is added to make it a multi-line string + # - equal: + # path: data["guac.yaml"]["db-driver"] + # value: postgres + # - equal: + # path: data["guac.yaml"]["db-address"] + # value: postgres://guac:guac@host:port/guacDB + # - equal: + # path: data["guac.yaml"]["db-migrate"] + # value: true diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml index 4a0bd36..aeb43d3 100644 --- a/charts/guac/values.yaml +++ b/charts/guac/values.yaml @@ -202,7 +202,7 @@ guac: # ingressClassName: # webuiHostname: # apiHostname: - + backend: ent: db-driver: postgres From fa05f00acf0abad3f94b046bf9f1294c32b38dfb Mon Sep 17 00:00:00 2001 
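Review bot: Commenting out all three assertions leaves `graphql_ent_backend_test.yaml` checking only that a ConfigMap named `guac-cm` renders, so the Ent configuration the test was written for is no longer covered at all. helm-unittest can match inside a block scalar with a regex on the string value, e.g. `- matchRegex: path: data["guac.yaml"] pattern: 'db-driver: postgres'` (and likewise for `db-address` and `db-migrate: true`), which keeps the coverage without requiring the value to be a nested object.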
From: Sunny Yip Date: Tue, 6 Feb 2024 07:04:22 -0500 Subject: [PATCH 08/30] add pubsub and blob addr Signed-off-by: Sunny Yip add labels to collectsub Signed-off-by: Sunny Yip --- charts/guac/templates/collectsub-deployment.yaml | 2 ++ charts/guac/templates/guac-cm.yaml | 10 +++++----- charts/guac/values.yaml | 12 +++++++++--- 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/charts/guac/templates/collectsub-deployment.yaml b/charts/guac/templates/collectsub-deployment.yaml index 37eaa7c..8ee2d3d 100644 --- a/charts/guac/templates/collectsub-deployment.yaml +++ b/charts/guac/templates/collectsub-deployment.yaml @@ -12,6 +12,8 @@ metadata: {{- end }} labels: {{- include "guac.labels" . | nindent 4 }} + app.kubernetes.io/name: {{ .Values.guac.graphqlServer.name }} + app.kubernetes.io/component: {{ .Values.guac.graphqlServer.name }} spec: replicas: {{ .Values.guac.collectSub.replicas }} selector: diff --git a/charts/guac/templates/guac-cm.yaml b/charts/guac/templates/guac-cm.yaml index b534872..5d455e2 100644 --- a/charts/guac/templates/guac-cm.yaml +++ b/charts/guac/templates/guac-cm.yaml @@ -6,13 +6,11 @@ kind: ConfigMap metadata: name: guac-cm data: - guac.yaml: |- + guac.yaml: | {{- if $.Values.nats.enabled }} # Nats setup nats-addr: nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}.svc.cluster.local:4222 -{{- else }} - # Nats is disabled! {{- end }} # CSub setup @@ -38,10 +36,12 @@ data: poll: true interval: 5m + pubsub-addr: {{ $.Values.guac.pubSubAddr }} + blob-addr: {{ $.Values.guac.blobAddr }} -{{- if eq $.Values.guac.graphqlServer.backend "ent" }} +{{ if eq $.Values.guac.graphqlServer.backend "ent" }} # Ent config {{- range $key, $val := $.Values.guac.backend.ent }} {{ $key }}: {{ $val }} {{- end }} -{{- end }} +{{ end }} diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml index aeb43d3..37ddec2 100644 --- a/charts/guac/values.yaml +++ b/charts/guac/values.yaml 
@@ -81,9 +81,12 @@ imagePullSecrets: ## @param guac.ingress.ingressClassName Ingress class name ## @param guac.ingress.webuiHostname DNS name for the UI components - e.g. Visualizer, GQL playground ## @param guac.ingress.apiHostname DNS name for the GQL API. When specified, GQL API won't be served at webuiHostname -## @param guac.backend.ent.db-driver DB driver of ENT backend -## @param guac.backend.ent.db-address DB address of ENT backend -## @param guac.backend.ent.db-migrate Wether to run DB migration from the GQL API process +## @param guac.backend.ent.db-driver database driver to use, one of [postgres | sqlite3 | mysql] or anything supported by sql.DB +## @param guac.backend.ent.db-address Full URL of database to connect to +## @param guac.backend.ent.db-migrate Wether to automatically run database migrations on start +## @param guac.backend.ent.db-debug Enable debug logging for database queries +## @param guac.pubsub-addr gocloud connection string for pubsub configured via https://gocloud.dev/howto/pubsub/ +## @param guac.blob-addr gocloud connection string for blob store configured via https://gocloud.dev/howto/blob/ guac: guacImage: @@ -208,7 +211,10 @@ guac: db-driver: postgres db-address: postgres://guac:guac@host:port/dbName?sslmode=disable db-migrate: true + db-debug: false + pubSubAddr: awssqs://sqs.[aws_region].amazonaws.com/[account_id]/[queue_name]?region=[aws_region] + blobAddr: s3://[bucket_name]?region=[aws_region] ## @section nats ## @descriptionStart This is the configuration for nats. This is a subchart. See full documentation [here](https://docs.nats.io/running-a-nats-service/nats-kubernetes/helm-charts). From 7d13672cf6440673e84823d7074093b0e7b861cb Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Tue, 6 Feb 2024 07:27:06 -0500 Subject: [PATCH 09/30] add labels to collectsub Signed-off-by: Sunny Yip --- charts/guac/templates/collectsub-deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
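Review bot: The two new doc lines `## @param guac.pubsub-addr` and `## @param guac.blob-addr` do not match the keys added below, which are `guac.pubSubAddr` and `guac.blobAddr`, so the README generator will describe parameters the template never reads; rename them to `## @param guac.pubSubAddr …` and `## @param guac.blobAddr …`. `db-debug` enables query logging per its own description, so its doc line could add that query logs may contain row data and should stay `false` outside development.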
diff --git a/charts/guac/templates/collectsub-deployment.yaml b/charts/guac/templates/collectsub-deployment.yaml index 8ee2d3d..5339005 100644 --- a/charts/guac/templates/collectsub-deployment.yaml +++ b/charts/guac/templates/collectsub-deployment.yaml @@ -12,8 +12,8 @@ metadata: {{- end }} labels: {{- include "guac.labels" . | nindent 4 }} - app.kubernetes.io/name: {{ .Values.guac.graphqlServer.name }} - app.kubernetes.io/component: {{ .Values.guac.graphqlServer.name }} + app.kubernetes.io/name: {{ .Values.guac.collectSub.name }} + app.kubernetes.io/component: {{ .Values.guac.collectSub.name }} spec: replicas: {{ .Values.guac.collectSub.replicas }} selector: From f9bb8dc892677e14508e5648d9e2a14349c501da Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Tue, 27 Feb 2024 14:46:38 -0500 Subject: [PATCH 10/30] set defaults for pubSubAddr and blobAddr Signed-off-by: Sunny Yip --- charts/guac/templates/guac-cm.yaml | 12 ++++++------ charts/guac/values.yaml | 20 ++++++++++++++++++-- 2 files changed, 24 insertions(+), 8 deletions(-) diff --git a/charts/guac/templates/guac-cm.yaml b/charts/guac/templates/guac-cm.yaml index 5d455e2..111b520 100644 --- a/charts/guac/templates/guac-cm.yaml +++ b/charts/guac/templates/guac-cm.yaml @@ -8,11 +8,14 @@ metadata: data: guac.yaml: | -{{- if $.Values.nats.enabled }} - # Nats setup - nats-addr: nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}.svc.cluster.local:4222 +{{- if $.Values.guac.pubSubAddr }} + pubsub-addr: {{ $.Values.guac.pubSubAddr }} +{{- else }} + pubsub-addr: nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}.svc.cluster.local:4222 {{- end }} + blob-addr: {{ $.Values.guac.blobAddr }} + # CSub setup {{- with (index .Values.guac.collectSub.svcPorts 0) }} csub-addr: {{ $.Values.guac.collectSub.name }}.{{ $.Release.Namespace }}.svc.cluster.local:{{ .targetPort }} 
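Review bot: The NATS fallback on the `{{- else }}` branch is emitted whenever `guac.pubSubAddr` is empty, regardless of `nats.enabled`; the `{{- if $.Values.nats.enabled }}` guard that surrounded `nats-addr` before this change is gone, so a deployment with `nats.enabled: false` and no override points every component at a `<release>-nats` Service that is never created. Failing the render in that combination surfaces the misconfiguration at install time instead of as connection errors in pod logs. `blob-addr` on the next line has no guard either, but this patch gives it a non-empty default in values.yaml, so only the pubsub branch needs the change.
```yaml
{{- if $.Values.guac.pubSubAddr }}
  pubsub-addr: {{ $.Values.guac.pubSubAddr }}
{{- else if $.Values.nats.enabled }}
  pubsub-addr: nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}.svc.cluster.local:4222
{{- else }}
  {{- fail "guac.pubSubAddr must be set when nats.enabled is false" }}
{{- end }}
# … unchanged: blob-addr and CSub setup …
```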
@@ -36,9 +39,6 @@ data: poll: true interval: 5m - pubsub-addr: {{ $.Values.guac.pubSubAddr }} - blob-addr: {{ $.Values.guac.blobAddr }} - {{ if eq $.Values.guac.graphqlServer.backend "ent" }} # Ent config {{- range $key, $val := $.Values.guac.backend.ent }} diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml index 37ddec2..ec0949c 100644 --- a/charts/guac/values.yaml +++ b/charts/guac/values.yaml @@ -81,6 +81,11 @@ imagePullSecrets: ## @param guac.ingress.ingressClassName Ingress class name ## @param guac.ingress.webuiHostname DNS name for the UI components - e.g. Visualizer, GQL playground ## @param guac.ingress.apiHostname DNS name for the GQL API. When specified, GQL API won't be served at webuiHostname +## @param guac.ingress.annotations Annotations for the ingress object +## @param guac.apiOnlyIngress.enabled Whether to deploy an Ingress object to expose API only +## @param guac.apiOnlyIngress.ingressClassName Ingress class name for API only ingress +## @param guac.apiOnlyIngress.apiHostname DNS name for the GQL API. +## @param guac.apiOnlyIngress.annotations Annotations for the API only ingress object ## @param guac.backend.ent.db-driver database driver to use, one of [postgres | sqlite3 | mysql] or anything supported by sql.DB ## @param guac.backend.ent.db-address Full URL of database to connect to ## @param guac.backend.ent.db-migrate Wether to automatically run database migrations on start @@ -205,6 +210,13 @@ guac: # ingressClassName: # webuiHostname: # apiHostname: + # annotations: + + apiOnlyIngress: + enabled: false + # ingressClassName: + # apiHostname: + # annotations: backend: ent: 
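Review bot: `guac.apiOnlyIngress.*` is documented here and given a values stanza below, but no `apiOnlyIngress` template is part of this patch, so as of this commit those values are inert; if the template lands later in the series the commit message should say so, otherwise the README will describe a feature that does not exist yet. The new `guac.ingress.annotations` doc line is welcome, but `guac.ingress.extraLabels` — which ingress.yaml already reads — is still undocumented and could get a `## @param guac.ingress.extraLabels Extra labels for the ingress object` line alongside it.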
@@ -213,8 +225,12 @@ guac: db-migrate: true db-debug: false - pubSubAddr: awssqs://sqs.[aws_region].amazonaws.com/[account_id]/[queue_name]?region=[aws_region] - blobAddr: s3://[bucket_name]?region=[aws_region] + # Default to use NATS; specify a value here to override + # pubSubAddr: awssqs://sqs.[aws_region].amazonaws.com/[account_id]/[queue_name]?region=[aws_region] + + # Default to use filesystem; specify a value here to override + blobAddr: file:///tmp/blobstore?no_tmp_dir=true + # e.g. blobAddr: s3://[bucket_name]?region=[aws_region] ## @section nats ## @descriptionStart This is the configuration for nats. This is a subchart. See full documentation [here](https://docs.nats.io/running-a-nats-service/nats-kubernetes/helm-charts). From b052fa597d20ff189aed4cdfb557ec51b86a1808 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Tue, 27 Feb 2024 15:01:13 -0500 Subject: [PATCH 11/30] fix white spaces Signed-off-by: Sunny Yip --- charts/guac/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml index ec0949c..15c688e 100644 --- a/charts/guac/values.yaml +++ b/charts/guac/values.yaml @@ -82,7 +82,7 @@ imagePullSecrets: ## @param guac.ingress.webuiHostname DNS name for the UI components - e.g. Visualizer, GQL playground ## @param guac.ingress.apiHostname DNS name for the GQL API. When specified, GQL API won't be served at webuiHostname ## @param guac.ingress.annotations Annotations for the ingress object -## @param guac.apiOnlyIngress.enabled Whether to deploy an Ingress object to expose API only +## @param guac.apiOnlyIngress.enabled Whether to deploy an Ingress object to expose API only ## @param guac.apiOnlyIngress.ingressClassName Ingress class name for API only ingress ## @param guac.apiOnlyIngress.apiHostname DNS name for the GQL API. ## @param guac.apiOnlyIngress.annotations Annotations for the API only ingress object From 23d03a1cd5411b931a5e0db85ccc496d1b75a3ff Mon Sep 17 00:00:00 2001 
From: Sunny Yip Date: Thu, 29 Feb 2024 10:57:21 -0500 Subject: [PATCH 12/30] add minio blobstore Signed-off-by: Sunny Yip --- charts/guac/Chart.lock | 7 +- charts/guac/Chart.yaml | 5 ++ .../guac/templates/collectsub-deployment.yaml | 11 +++ .../depsdev-collector-deployment.yaml | 11 +++ .../templates/graphql-server-deployment.yaml | 11 +++ .../guac/templates/ingest-guac-data-job.yaml | 82 +++++++++++-------- .../guac/templates/ingestor-deployment.yaml | 11 +++ .../templates/osv-certifier-deployment.yaml | 11 +++ .../guac/templates/visualizer-deployment.yaml | 11 +++ charts/guac/values.yaml | 45 +++++++++- 10 files changed, 166 insertions(+), 39 deletions(-) diff --git a/charts/guac/Chart.lock b/charts/guac/Chart.lock index 290857a..1176df0 100644 --- a/charts/guac/Chart.lock +++ b/charts/guac/Chart.lock @@ -2,5 +2,8 @@ dependencies: - name: nats repository: https://nats-io.github.io/k8s/helm/charts/ version: 0.19.17 -digest: sha256:67184e8036c443a2c36cad0af6491bfe350c6b2f9e259c678e75ba80a3817af0 -generated: "2024-02-05T12:59:15.076843-05:00" +- name: minio + repository: https://charts.min.io/ + version: 5.0.15 +digest: sha256:bea07af7a724b783003cd5c82ac3763d7c3fb82b2c6df0fb0b8a3f82ebc1b577 +generated: "2024-02-28T21:29:37.996055-05:00" diff --git a/charts/guac/Chart.yaml b/charts/guac/Chart.yaml index 3b39958..9a3e643 100644 --- a/charts/guac/Chart.yaml +++ b/charts/guac/Chart.yaml @@ -17,3 +17,8 @@ dependencies: version: "~0.19.12" repository: "https://nats-io.github.io/k8s/helm/charts/" condition: nats.enabled + +- name: minio + version: "~5.0.15" + repository: "https://charts.min.io/" + condition: minio.enabled diff --git a/charts/guac/templates/collectsub-deployment.yaml b/charts/guac/templates/collectsub-deployment.yaml index 5339005..d951d10 100644 --- a/charts/guac/templates/collectsub-deployment.yaml +++ b/charts/guac/templates/collectsub-deployment.yaml 
@@ -48,6 +48,17 @@ spec: mountPath: {{ .Values.guac.guacImage.workingDir }} readOnly: true {{- if .Values.imagePullSecrets }} +{{- if or .Values.guac.common.env .Values.guac.collectSub.env }} + env: + {{- range $key, $value := .Values.guac.common.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.guac.collectSub.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} +{{- end }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} {{- end }} diff --git a/charts/guac/templates/depsdev-collector-deployment.yaml b/charts/guac/templates/depsdev-collector-deployment.yaml index 00ac696..2be9807 100644 --- a/charts/guac/templates/depsdev-collector-deployment.yaml +++ b/charts/guac/templates/depsdev-collector-deployment.yaml @@ -47,6 +47,17 @@ spec: - name: guac-config mountPath: {{ .Values.guac.guacImage.workingDir }} readOnly: true +{{- if or .Values.guac.common.env .Values.guac.depsDevCollector.env }} + env: + {{- range $key, $value := .Values.guac.common.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.guac.depsDevCollector.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} +{{- end }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} diff --git a/charts/guac/templates/graphql-server-deployment.yaml b/charts/guac/templates/graphql-server-deployment.yaml index 803a5c4..228ad91 100644 --- a/charts/guac/templates/graphql-server-deployment.yaml +++ b/charts/guac/templates/graphql-server-deployment.yaml 
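Review bot: In collectsub-deployment.yaml the new `env:` block is placed after the context line `{{- if .Values.imagePullSecrets }}`, so the environment variables are only rendered when `imagePullSecrets` is non-empty; with the default empty list, `guac.common.env` and `guac.collectSub.env` are silently dropped. The same misplacement appears in graphql-server-deployment.yaml, osv-certifier-deployment.yaml and visualizer-deployment.yaml, whereas depsdev-collector-deployment.yaml and ingestor-deployment.yaml put the block before the `imagePullSecrets` guard, which is the correct position. Move the `{{- if or … .env }}` … `{{- end }}` block above `{{- if .Values.imagePullSecrets }}` in the four affected templates. Because values such as `AWS_SECRET_ACCESS_KEY` are fed through this path, it would also be worth supporting `valueFrom.secretKeyRef` entries so credentials need not live in values files and the rendered pod spec. The container spec these hunks belong to starts outside the hunk.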
@@ -48,6 +48,17 @@ spec: mountPath: {{ .Values.guac.guacImage.workingDir }} readOnly: true {{- if .Values.imagePullSecrets }} +{{- if or .Values.guac.common.env .Values.guac.graphqlServer.env }} + env: + {{- range $key, $value := .Values.guac.common.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.guac.graphqlServer.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} +{{- end }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} {{- end }} diff --git a/charts/guac/templates/ingest-guac-data-job.yaml b/charts/guac/templates/ingest-guac-data-job.yaml index e8b2a6b..f29e174 100644 --- a/charts/guac/templates/ingest-guac-data-job.yaml +++ b/charts/guac/templates/ingest-guac-data-job.yaml @@ -11,6 +11,7 @@ metadata: app.kubernetes.io/name: {{ .Values.guac.sampleData.jobName }} annotations: "helm.sh/hook": post-install, post-upgrade + # "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation "helm.sh/hook-weight": "10" spec: backoffLimit: 5 
@@ -22,29 +23,51 @@ spec: spec: containers: - name: data-ingestor - image: "ubuntu:22.04" + # image: "ubuntu:22.04" + {{- if .Values.guac.guacImage.digest }} + image: "{{ .Values.guac.guacImage.repository }}@{{ .Values.guac.guacImage.digest }}" + {{- else }} + image: "{{ .Values.guac.guacImage.repository }}:{{ .Values.guac.guacImage.tag | default .Chart.AppVersion}}" + {{- end }} + imagePullPolicy: "{{ .Values.guac.guacImage.pullPolicy }}" command: ['sh', '-c', '/tmp/guac/ingest-guac-data.sh ingest-data'] workingDir: {{ .Values.guac.workingDir }} +{{- if or .Values.guac.common.env .Values.guac.sampleData.env }} + env: + {{- range $key, $value := .Values.guac.common.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.guac.sampleData.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} +{{- end }} volumeMounts: - name: guac-config mountPath: {{ .Values.guac.guacImage.workingDir }} readOnly: true - name: ingest-guac-data mountPath: /tmp/guac - - name: shared-data - mountPath: /shared-data - - name: data-preper - image: "ubuntu:22.04" - command: ['sh', '-c', '/tmp/guac/ingest-guac-data.sh prep-data'] - workingDir: {{ .Values.guac.guacImage.workingDir }} - volumeMounts: - - name: guac-config - mountPath: {{ .Values.guac.guacImage.workingDir }} - readOnly: true - - name: ingest-guac-data - mountPath: /tmp/guac - - name: shared-data - mountPath: /shared-data + + + # - name: data-preper + # # image: "ubuntu:22.04" + # {{- if .Values.guac.guacImage.digest }} + # image: "{{ .Values.guac.guacImage.repository }}@{{ .Values.guac.guacImage.digest }}" + # {{- else }} + # image: "{{ .Values.guac.guacImage.repository }}:{{ .Values.guac.guacImage.tag | default .Chart.AppVersion}}" + # {{- end }} + # command: ['sh', '-c', '/tmp/guac/ingest-guac-data.sh prep-data'] + # workingDir: {{ .Values.guac.guacImage.workingDir }} + # volumeMounts: + # - name: guac-config + # mountPath: {{ .Values.guac.guacImage.workingDir 
}} + # readOnly: true + # - name: ingest-guac-data + # mountPath: /tmp/guac + # - name: shared-data + # mountPath: /shared-data restartPolicy: OnFailure {{- if .Values.imagePullSecrets }} imagePullSecrets: @@ -75,41 +98,28 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service | quote }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" data: - ingest-guac-data.sh: | + ingest-guac-data.sh: |- #!/usr/bin/env bash set -e - SHARED_DATA=/shared-data + # SHARED_DATA=/shared-data + SHARED_DATA=/guac-data/docs INDICATOR_FILE=${SHARED_DATA}/done_loading_data GUAC_DATA_REPO=https://github.com/guacsec/guac-data.git case "$1" in prep-data) echo "Preparing sample data" - apt-get update && apt-get install -y git - git clone ${GUAC_DATA_REPO} ${SHARED_DATA}/guac-data - touch ${INDICATOR_FILE} + # apt-get update && apt-get install -y git + # git clone ${GUAC_DATA_REPO} ${SHARED_DATA}/guac-data + # touch ${INDICATOR_FILE} ;; ingest-data) echo "Ingesting sample data" export GUACSEC_HOME="/guac" - - apt-get update && apt-get install -y curl - curl -L https://github.com/guacsec/guac/releases/latest/download/guacone-linux-amd64 -o /tmp/guacone - chmod +x /tmp/guacone - - while [ ! -f ${INDICATOR_FILE} ] - do - sleep 3 - done - cd ${GUACSEC_HOME} - for d in guac-data/docs - # guac-data/some-sboms - # guac-data/top-dh-sboms guac-data/docs - do - time /tmp/guacone collect files ${SHARED_DATA}/${d} - done + echo running guaccollect... + time /opt/guac/guaccollect files --service-poll=false ${SHARED_DATA} rm ${INDICATOR_FILE} ;; diff --git a/charts/guac/templates/ingestor-deployment.yaml b/charts/guac/templates/ingestor-deployment.yaml index 64a85e9..cd8868d 100644 --- a/charts/guac/templates/ingestor-deployment.yaml +++ b/charts/guac/templates/ingestor-deployment.yaml 
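Review bot: The `prep-data` branch of ingest-guac-data.sh is now empty (its three commands are commented out) and the `data-preper` container survives only as a large commented-out block in the template; neither is used by the job any more, so both should be deleted rather than kept as commented code, since git history preserves the old version. With `set -e` in effect, `rm ${INDICATOR_FILE}` at the end of `ingest-data` aborts the job when the file does not exist, and after this change nothing creates it; if the indicator is no longer needed, drop that line and `INDICATOR_FILE` together. The new `SHARED_DATA=/guac-data/docs` presumably relies on sample data shipped inside the guac image — a comment such as `# sample data is expected inside the guac image at /guac-data/docs` would record that assumption.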
@@ -47,6 +47,17 @@ spec: - name: guac-config mountPath: {{ .Values.guac.guacImage.workingDir }} readOnly: true +{{- if or .Values.guac.common.env .Values.guac.ingestor.env }} + env: + {{- range $key, $value := .Values.guac.common.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.guac.ingestor.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} +{{- end }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} diff --git a/charts/guac/templates/osv-certifier-deployment.yaml b/charts/guac/templates/osv-certifier-deployment.yaml index b3d6dc8..c62e52e 100644 --- a/charts/guac/templates/osv-certifier-deployment.yaml +++ b/charts/guac/templates/osv-certifier-deployment.yaml @@ -48,6 +48,17 @@ spec: mountPath: {{ .Values.guac.guacImage.workingDir }} readOnly: true {{- if .Values.imagePullSecrets }} +{{- if or .Values.guac.common.env .Values.guac.osvCertifier.env }} + env: + {{- range $key, $value := .Values.guac.common.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.guac.osvCertifier.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} +{{- end }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} {{- end }} diff --git a/charts/guac/templates/visualizer-deployment.yaml b/charts/guac/templates/visualizer-deployment.yaml index 6a863e0..e2a3431 100644 --- a/charts/guac/templates/visualizer-deployment.yaml +++ b/charts/guac/templates/visualizer-deployment.yaml 
@@ -60,6 +60,17 @@ spec: subPath: guac.yaml readOnly: true {{- if .Values.imagePullSecrets }} +{{- if or .Values.guac.common.env .Values.guac.visualizer.env }} + env: + {{- range $key, $value := .Values.guac.common.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.guac.visualizer.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} +{{- end }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} {{- end }} diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml index 15c688e..0ef75c2 100644 --- a/charts/guac/values.yaml +++ b/charts/guac/values.yaml @@ -103,6 +103,10 @@ guac: pullPolicy: IfNotPresent workingDir: /guac + common: + env: {} + # COMMON_ENV: COMMON_ENV_VALUE + ociCollector: enabled: true name: oci-collector @@ -111,6 +115,8 @@ guac: replicas: 1 image: command: ['sh', '-c', '/opt/guac/guaccollect image'] + env: {} + # ENV: ENV_VALUE nodeSelector: {} depsDevCollector: @@ -121,6 +127,7 @@ guac: replicas: 1 image: command: ['sh', '-c', '/opt/guac/guaccollect deps_dev'] + env: {} nodeSelector: {} osvCertifier: @@ -131,6 +138,7 @@ guac: replicas: 1 image: command: ['sh', '-c', '/opt/guac/guacone certifier osv --poll'] + env: {} nodeSelector: {} ingestor: @@ -141,6 +149,7 @@ guac: replicas: 1 image: command: ['sh', '-c', '/opt/guac/guacingest'] + env: {} nodeSelector: {} collectSub: @@ -153,6 +162,7 @@ guac: command: ['sh', '-c', '/opt/guac/guaccsub'] ports: - containerPort: 2782 + env: {} svcPorts: - protocol: TCP port: 2782 @@ -169,6 +179,7 @@ guac: command: ['sh', '-c', '/opt/guac/guacgql'] ports: - containerPort: 8080 + env: {} svcPorts: - protocol: TCP port: 8080 @@ -192,6 +203,7 @@ guac: pullPolicy: IfNotPresent ports: - containerPort: 3000 + env: {} svcPorts: - protocol: TCP port: 3000 @@ -204,6 +216,7 @@ guac: sampleData: ingest: false jobName: ingest-guac-data + env: {} ingress: enabled: false 
@@ -228,7 +241,7 @@ guac: # Default to use NATS; specify a value here to override # pubSubAddr: awssqs://sqs.[aws_region].amazonaws.com/[account_id]/[queue_name]?region=[aws_region] - # Default to use filesystem; specify a value here to override + # Default to use minio; specify a value here to override blobAddr: file:///tmp/blobstore?no_tmp_dir=true # e.g. blobAddr: s3://[bucket_name]?region=[aws_region] @@ -270,3 +283,33 @@ nats: namespace: monitoring labels: release: monitoring + +## @section minio +## @descriptionStart This is the configuration for minio. This is a subchart. See full documentation [here](https://github.com/minio/minio/tree/master/helm/minio). +## @descriptionEnd +## @param minio.enabled Whehter to deploy minio as part of the Helm deployment +## @param minio.replicas Number of replicas. +## @param minio.persistenace Persistence volume configure. +minio: + enabled: true + replicas: 1 + persistence: + enabled: false + mode: standalone + rootUser: "rootUser" + rootPassword: "rootPassword" + buckets: + - name: bucketname + policy: none + purge: false + versioning: false + objectlocking: false + users: + ## Username, password and policy to be assigned to the user + ## Default policies are [readonly|readwrite|writeonly|consoleAdmin|diagnostics] + ## Add new policies as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management.html#access-management + ## NOTE: this will fail if LDAP is enabled in your MinIO deployment + ## make sure to disable this if you are using LDAP. + - accessKey: accessKey + secretKey: secretKey + policy: readwrite \ No newline at end of file From f26e243632404b30a3930a1cd5d416cad04aed3a Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Thu, 29 Feb 2024 11:01:58 -0500 Subject: [PATCH 13/30] update test config and set namespace Signed-off-by: Sunny Yip --- .github/workflows/tests.yaml | 2 +- charts/guac/ci/guac-values.yaml | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) 
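Review bot: The new `minio` section enables the subchart by default (`minio.enabled: true`) together with fixed credentials — `rootUser`/`rootPassword` and a `readwrite` user with `accessKey: accessKey` / `secretKey: secretKey` — so every default installation runs an object store with well-known credentials reachable inside the cluster. Default values should not carry working credentials: leave `rootUser`, `rootPassword` and the `users` entry empty so the subchart generates them or the operator must supply them, and keep sample values only in `ci/guac-values.yaml`. `persistence.enabled: false` means the bucket contents are lost on pod restart; if that is intended only for CI, a comment should say so. The parameter comments also have typos: `Whehter` → `Whether`, `persistenace` → `persistence`.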
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index eeb1edd..f4006be 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -67,5 +67,5 @@ jobs: id: install - name: Run chart-testing (install) - run: ct install --all --helm-extra-args --timeout=600s + run: ct install --all --helm-extra-args --timeout=600s ---namespace chart-testing # if: steps.list-changed.outputs.changed == 'true' diff --git a/charts/guac/ci/guac-values.yaml b/charts/guac/ci/guac-values.yaml index 83c573a..5cdd373 100644 --- a/charts/guac/ci/guac-values.yaml +++ b/charts/guac/ci/guac-values.yaml @@ -2,3 +2,15 @@ guac: sampleData: ingest: true + + guacImage: + repository: 767397973649.dkr.ecr.us-east-1.amazonaws.com/guacsec/guac + tag: main.sha.99a4d54405d2a066e4d5b6d06a2728d95078f700 + + common: + env: + AWS_ACCESS_KEY_ID: accessKey + AWS_SECRET_ACCESS_KEY: secretKey + + blobAddr: s3://bucketname?endpoint=guac-minio.chart-testing.svc.cluster.local:9000®ion=us-east-1&disableSSL=true&s3ForcePathStyle=true + From 91a4c01eb9cc380418cfd04c860cbd4e02732308 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Thu, 29 Feb 2024 11:05:15 -0500 Subject: [PATCH 14/30] add minio chart to test Signed-off-by: Sunny Yip --- .github/workflows/tests.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index f4006be..1eed2c2 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -39,6 +39,7 @@ jobs: run: | helm repo add neo4j https://helm.neo4j.com/neo4j helm repo add nats https://nats-io.github.io/k8s/helm/charts + helm repo add minio https://charts.min.io/ - name: Set up chart-testing uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec # v2.3.1 From 357975a96ac3d67e660b7edc3295c04258b19e14 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Thu, 29 Feb 2024 11:09:27 -0500 Subject: [PATCH 15/30] fix whitespaces 
Signed-off-by: Sunny Yip --- charts/guac/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/guac/Chart.yaml b/charts/guac/Chart.yaml index 9a3e643..0cc06f3 100644 --- a/charts/guac/Chart.yaml +++ b/charts/guac/Chart.yaml @@ -18,7 +18,7 @@ dependencies: repository: "https://nats-io.github.io/k8s/helm/charts/" condition: nats.enabled -- name: minio +- name: minio version: "~5.0.15" repository: "https://charts.min.io/" condition: minio.enabled From a1171e57222b09207e57d7e1429ffcfe77087da3 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Thu, 29 Feb 2024 11:29:01 -0500 Subject: [PATCH 16/30] fix whitespaces Signed-off-by: Sunny Yip --- charts/guac/ci/guac-values.yaml | 1 - charts/guac/values.yaml | 10 +++++----- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/charts/guac/ci/guac-values.yaml b/charts/guac/ci/guac-values.yaml index 5cdd373..1f83030 100644 --- a/charts/guac/ci/guac-values.yaml +++ b/charts/guac/ci/guac-values.yaml @@ -13,4 +13,3 @@ guac: AWS_SECRET_ACCESS_KEY: secretKey blobAddr: s3://bucketname?endpoint=guac-minio.chart-testing.svc.cluster.local:9000®ion=us-east-1&disableSSL=true&s3ForcePathStyle=true - diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml index 0ef75c2..4fc54e7 100644 --- a/charts/guac/values.yaml +++ b/charts/guac/values.yaml @@ -292,9 +292,9 @@ nats: ## @param minio.persistenace Persistence volume configure. minio: enabled: true - replicas: 1 + replicas: 1 persistence: - enabled: false + enabled: false mode: standalone rootUser: "rootUser" rootPassword: "rootPassword" 
@@ -310,6 +310,6 @@ minio: ## Add new policies as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management.html#access-management ## NOTE: this will fail if LDAP is enabled in your MinIO deployment ## make sure to disable this if you are using LDAP. - - accessKey: accessKey - secretKey: secretKey - policy: readwrite \ No newline at end of file + - accessKey: accessKey + secretKey: secretKey + policy: readwrite From 1d2fc2cff9f9139cf081966e7ebd0ed04fc4de04 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Thu, 29 Feb 2024 13:02:01 -0500 Subject: [PATCH 17/30] make test work Signed-off-by: Sunny Yip --- .github/workflows/tests.yaml | 4 ++- charts/guac/ci/guac-values.yaml | 2 -- charts/guac/templates/api-only-ingress.yaml | 35 +++++++++++++++++++ charts/guac/templates/guac-cm.yaml | 5 +++ .../guac/templates/ingest-guac-data-job.yaml | 2 +- charts/guac/values.yaml | 2 +- 6 files changed, 45 insertions(+), 5 deletions(-) create mode 100644 charts/guac/templates/api-only-ingress.yaml diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 1eed2c2..c26a6e8 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -68,5 +68,7 @@ jobs: id: install - name: Run chart-testing (install) - run: ct install --all --helm-extra-args --timeout=600s ---namespace chart-testing + run: | + kubectl create ns chart-testing + ct install --all --helm-extra-args --timeout=600s --namespace chart-testing # if: steps.list-changed.outputs.changed == 'true' diff --git a/charts/guac/ci/guac-values.yaml b/charts/guac/ci/guac-values.yaml index 1f83030..17861f7 100644 --- a/charts/guac/ci/guac-values.yaml +++ b/charts/guac/ci/guac-values.yaml @@ -11,5 +11,3 @@ guac: env: AWS_ACCESS_KEY_ID: accessKey AWS_SECRET_ACCESS_KEY: secretKey - - blobAddr: s3://bucketname?endpoint=guac-minio.chart-testing.svc.cluster.local:9000®ion=us-east-1&disableSSL=true&s3ForcePathStyle=true 
diff --git a/charts/guac/templates/api-only-ingress.yaml b/charts/guac/templates/api-only-ingress.yaml new file mode 100644 index 0000000..0f589d7 --- /dev/null +++ b/charts/guac/templates/api-only-ingress.yaml @@ -0,0 +1,35 @@ +{{- if .Values.guac.apiOnlyIngress.enabled -}} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ .Release.Namespace }} + namespace: {{ .Release.Namespace }} + +{{- if .Values.guac.apiOnlyIngress.annotations }} + annotations: +{{ toYaml .Values.guac.apiOnlyIngress.annotations | indent 4 }} +{{- end }} + + labels: +{{- include "guac.labels" . | nindent 4 }} +{{- range $key, $value := .Values.guac.apiOnlyIngress.extraLabels }} + {{ $key }}: {{ $value }} +{{- end }} + +spec: + {{- if .Values.guac.apiOnlyIngress.ingressClassName }} + ingressClassName: {{ .Values.guac.apiOnlyIngress.ingressClassName }} + {{- end }} + rules: + - host: {{ .Values.guac.apiOnlyIngress.apiHostname }} + http: + paths: + - path: /query + pathType: Prefix + backend: + service: + name: graphql-server + port: + number: 8080 +{{- end -}} diff --git a/charts/guac/templates/guac-cm.yaml b/charts/guac/templates/guac-cm.yaml index 111b520..41adefb 100644 --- a/charts/guac/templates/guac-cm.yaml +++ b/charts/guac/templates/guac-cm.yaml @@ -14,7 +14,12 @@ data: pubsub-addr: nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}.svc.cluster.local:4222 {{- end }} +{{- if $.Values.guac.blobAddr }} blob-addr: {{ $.Values.guac.blobAddr }} +{{- else }} + blob-addr: s3://bucketname?endpoint={{ .Release.Namespace }}-minio.{{ .Release.Namespace }}.svc.cluster.local:9000®ion=us-east-1&disableSSL=true&s3ForcePathStyle=true +{{- end }} + # CSub setup {{- with (index .Values.guac.collectSub.svcPorts 0) }} diff --git a/charts/guac/templates/ingest-guac-data-job.yaml b/charts/guac/templates/ingest-guac-data-job.yaml index f29e174..5cb481f 100644 --- a/charts/guac/templates/ingest-guac-data-job.yaml +++ b/charts/guac/templates/ingest-guac-data-job.yaml 
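Review bot: api-only-ingress.yaml hard-codes the backend as `name: graphql-server` / `number: 8080` instead of reading `.Values.guac.graphqlServer.name` and the first entry of `.Values.guac.graphqlServer.svcPorts`, so renaming the service or changing its port in values silently breaks the ingress. The template also iterates `.Values.guac.apiOnlyIngress.extraLabels`, which is not declared in values.yaml, and names the Ingress `{{ .Release.Namespace }}`, which collides when two releases share a namespace — `{{ .Release.Name }}-api` or the naming scheme of the existing ingress template would be safer. `host: {{ .Values.guac.apiOnlyIngress.apiHostname }}` renders an empty host when the value is unset, which the ingress controller will likely treat as matching every hostname; use `{{ required "guac.apiOnlyIngress.apiHostname is required" .Values.guac.apiOnlyIngress.apiHostname }}` so rendering fails instead.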
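Review bot: The fallback `blob-addr` in guac-cm.yaml builds the MinIO endpoint from `{{ .Release.Namespace }}-minio`, whereas the NATS fallback a few lines up uses `{{ .Release.Name }}-nats`; the subchart's service is presumably named after the release, so this only resolves when release name and namespace coincide, as they happen to in chart-testing. It also bakes `disableSSL=true`, a fixed bucket name and a fixed region into the chart default. Using `{{ .Release.Name }}-minio.{{ .Release.Namespace }}.svc.cluster.local:9000` fixes the host, and a comment such as `# default: plaintext in-cluster MinIO; set guac.blobAddr for any other store` should record that the default transport is unencrypted.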
@@ -121,7 +121,7 @@ data: echo running guaccollect... time /opt/guac/guaccollect files --service-poll=false ${SHARED_DATA} - rm ${INDICATOR_FILE} + # rm ${INDICATOR_FILE} ;; *) echo "$1 is not supported" diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml index 4fc54e7..27e53de 100644 --- a/charts/guac/values.yaml +++ b/charts/guac/values.yaml @@ -242,7 +242,7 @@ guac: # pubSubAddr: awssqs://sqs.[aws_region].amazonaws.com/[account_id]/[queue_name]?region=[aws_region] # Default to use minio; specify a value here to override - blobAddr: file:///tmp/blobstore?no_tmp_dir=true + # blobAddr: file:///tmp/blobstore?no_tmp_dir=true # e.g. blobAddr: s3://[bucket_name]?region=[aws_region] ## @section nats From afd880785519860222ddf2dc04c0534be61421ad Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Thu, 29 Feb 2024 13:42:45 -0500 Subject: [PATCH 18/30] lower memory request for minio Signed-off-by: Sunny Yip --- charts/guac/values.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml index 27e53de..25ede9b 100644 --- a/charts/guac/values.yaml +++ b/charts/guac/values.yaml @@ -237,6 +237,11 @@ guac: db-address: postgres://guac:guac@host:port/dbName?sslmode=disable db-migrate: true db-debug: false +grouseadmin +Ogw.dnx0uHLZZVuDrcPRzRYDmrsAs- + + grouse.cluster-cdmdpyfr2mk4.us-east-1.rds.amazonaws.com +postgres://grouseadmin:Ogw.dnx0uHLZZVuDrcPRzRYDmrsAs-@grouse.cluster-cdmdpyfr2mk4.us-east-1.rds.amazonaws.com:5432/kurzhaar # Default to use NATS; specify a value here to override # pubSubAddr: awssqs://sqs.[aws_region].amazonaws.com/[account_id]/[queue_name]?region=[aws_region] @@ -270,6 +275,7 @@ nats: app.kubernetes.io/part-of: "guac" natsbox: + enabled: false additionalLabels: app.kubernetes.io/part-of: "guac" podLabels: @@ -296,6 +302,9 @@ minio: persistence: enabled: false mode: standalone + resources: + requests: + memory: 1Gi rootUser: "rootUser" rootPassword: "rootPassword" buckets: 
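Review bot: The `@@ -237,6 +237,11 @@` hunk of values.yaml in PATCH 18 inserts what looks like a real database username, password, RDS cluster hostname and a full `postgres://` connection string into the chart's default values, unrelated to the commit subject. Although the next commit in the series removes these lines, they remain in git history and in any chart package built from this commit, so the password should be treated as disclosed and rotated and the database's access reviewed. A secret-scanning pre-commit hook or CI check would catch a paste like this before it is pushed.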
From 6c50e7825f644a4bf64297bec955ecd795721fb2 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Fri, 1 Mar 2024 09:21:57 -0500 Subject: [PATCH 19/30] fix formatting Signed-off-by: Sunny Yip --- charts/guac/values.yaml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml index 25ede9b..6cb1c20 100644 --- a/charts/guac/values.yaml +++ b/charts/guac/values.yaml @@ -236,12 +236,7 @@ guac: db-driver: postgres db-address: postgres://guac:guac@host:port/dbName?sslmode=disable db-migrate: true - db-debug: false -grouseadmin -Ogw.dnx0uHLZZVuDrcPRzRYDmrsAs- - - grouse.cluster-cdmdpyfr2mk4.us-east-1.rds.amazonaws.com -postgres://grouseadmin:Ogw.dnx0uHLZZVuDrcPRzRYDmrsAs-@grouse.cluster-cdmdpyfr2mk4.us-east-1.rds.amazonaws.com:5432/kurzhaar + db-debug: true # Default to use NATS; specify a value here to override # pubSubAddr: awssqs://sqs.[aws_region].amazonaws.com/[account_id]/[queue_name]?region=[aws_region] From 69dd110c5671b845bfc81ca3e2e83fd71ad46a25 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Fri, 1 Mar 2024 09:48:05 -0500 Subject: [PATCH 20/30] pull image from ghcr Signed-off-by: Sunny Yip --- charts/guac/ci/guac-values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/guac/ci/guac-values.yaml b/charts/guac/ci/guac-values.yaml index 17861f7..2a9ace1 100644 --- a/charts/guac/ci/guac-values.yaml +++ b/charts/guac/ci/guac-values.yaml @@ -4,7 +4,8 @@ guac: ingest: true guacImage: - repository: 767397973649.dkr.ecr.us-east-1.amazonaws.com/guacsec/guac + # repository: 767397973649.dkr.ecr.us-east-1.amazonaws.com/guacsec/guac + repository: ghcr.io/kusaridev/guacsec/guac tag: main.sha.99a4d54405d2a066e4d5b6d06a2728d95078f700 common: From 431594bd21e321b2541e8656b2060d3aed5ae082 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Fri, 1 Mar 2024 10:54:11 -0500 Subject: [PATCH 21/30] login to ghcr 
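Review bot: This `fix formatting` commit also flips the default `db-debug` from `false` to `true` in values.yaml, which is a behaviour change rather than formatting. Ent's debug mode likely logs every query, including parameter values, for every default installation; keep `db-debug: false` as the default and enable it only in `ci/guac-values.yaml` if the test run needs it.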
Signed-off-by: Sunny Yip --- .github/workflows/tests.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index c26a6e8..7a01487 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -8,6 +8,7 @@ on: permissions: # added using https://github.com/step-security/secure-repo contents: read + packages: read jobs: build: @@ -67,6 +68,13 @@ jobs: version: 'v1.26.0' id: install + - name: Login to GitHub Container Registry + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Run chart-testing (install) run: | kubectl create ns chart-testing From d021a5c10a43e3a62ec8ae1e54a6e81bee22c02e Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Fri, 1 Mar 2024 11:41:36 -0500 Subject: [PATCH 22/30] login to ghcr Signed-off-by: Sunny Yip --- .github/workflows/tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 7a01487..c05df2a 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -8,7 +8,7 @@ on: permissions: # added using https://github.com/step-security/secure-repo contents: read - packages: read + packages: write jobs: build: From 04e40ec9a36cf4f2a40ffe9b08923d2ea5ddce0e Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Fri, 1 Mar 2024 12:18:00 -0500 Subject: [PATCH 23/30] use generated ns Signed-off-by: Sunny Yip --- .github/workflows/tests.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index c05df2a..ae2f89d 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
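Review bot: `uses: docker/login-action@v1` references a mutable major-version tag, while the same workflow pins `helm/chart-testing-action` to a full commit SHA with a `# v2.3.1` comment; pin this action the same way (`uses: docker/login-action@<commit-sha>  # vN`, with the SHA of a current release) so a moved tag cannot change the code that handles `secrets.GITHUB_TOKEN`. `v1` is also an old major of this action. The `packages: read` permission added in the first hunk is the minimal scope needed to pull from GHCR and is the right choice.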
@@ -38,7 +38,7 @@ jobs: - name: Add Helm repos run: | - helm repo add neo4j https://helm.neo4j.com/neo4j + # helm repo add neo4j https://helm.neo4j.com/neo4j helm repo add nats https://nats-io.github.io/k8s/helm/charts helm repo add minio https://charts.min.io/ @@ -78,5 +78,5 @@ jobs: - name: Run chart-testing (install) run: | kubectl create ns chart-testing - ct install --all --helm-extra-args --timeout=600s --namespace chart-testing + ct install --all --helm-extra-args --timeout=600s # if: steps.list-changed.outputs.changed == 'true' From 45fa550ee07fadd0ed782fe0481366107effe754 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Fri, 1 Mar 2024 12:25:22 -0500 Subject: [PATCH 24/30] use latest build Signed-off-by: Sunny Yip --- charts/guac/ci/guac-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/guac/ci/guac-values.yaml b/charts/guac/ci/guac-values.yaml index 2a9ace1..98f713e 100644 --- a/charts/guac/ci/guac-values.yaml +++ b/charts/guac/ci/guac-values.yaml @@ -6,7 +6,7 @@ guac: guacImage: # repository: 767397973649.dkr.ecr.us-east-1.amazonaws.com/guacsec/guac repository: ghcr.io/kusaridev/guacsec/guac - tag: main.sha.99a4d54405d2a066e4d5b6d06a2728d95078f700 + tag: main.sha.d5feab145165f144f006045736ffb65a767e0643 common: env: From 7e82fb9bc5d27eac516f71d8d315ca6862df55e3 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Fri, 1 Mar 2024 15:54:05 -0500 Subject: [PATCH 25/30] remove unused permission Signed-off-by: Sunny Yip --- .github/workflows/tests.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index ae2f89d..59c2fed 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -8,7 +8,6 @@ on: permissions: # added using https://github.com/step-security/secure-repo contents: read - packages: write jobs: build: From aae487e458e54ff86f7daa2cbb8d25abc7ca8e49 Mon Sep 17 00:00:00 2001 
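Review bot: `kubectl create ns chart-testing` is kept in the run step although the `--namespace chart-testing` flag is removed in the same hunk, so the step now creates a namespace that nothing uses; drop the line, or keep both. The `# helm repo add neo4j …` line in the first hunk is commented out rather than deleted; if the neo4j dependency is gone, remove it so the step does not accumulate dead commands.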
From: Sunny Yip Date: Fri, 8 Mar 2024 10:30:04 -0500 Subject: [PATCH 26/30] update README Signed-off-by: Sunny Yip --- charts/guac/README.md | 195 +++++++++++++++++++++++----------------- charts/guac/schema.json | 149 ++++++++++++++++++++++++++++-- charts/guac/values.yaml | 64 ++++++++----- 3 files changed, 297 insertions(+), 111 deletions(-) diff --git a/charts/guac/README.md b/charts/guac/README.md index 53fcdee..b3635c2 100644 --- a/charts/guac/README.md +++ b/charts/guac/README.md @@ -41,6 +41,7 @@ The full GUAC component deployment is a set of asynchronous services that combin - **NATS**: [NATS](https://nats.io/) is a messaging middleware used for communication between the GUAC components. +- **MinIO**: [MinIO](https://min.io/) is a S3 compatible object store used for holding SBOMs for ingesting into GUAC. ## Prerequisites 
@@ -94,97 +95,129 @@ kubectl port-forward svc/collectsub 2782:2782 This section contains parameters for configuring the different GUAC components. -| Name | Description | Value | -| -------------------------------------------------------------- | --------------------------------------------------------------------------------------- | ------------------------------------------------------ | -| `guac.guacImage.repository` | Path to the GUAC image | `ghcr.io/guacsec/guac` | -| `guac.guacImage.tag` | Tag if using an image tag. Optional | `v0.2.0` | -| `guac.guacImage.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. | `""` | -| `guac.guacImage.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | -| `guac.guacImage.workingDir` | Working Directory for GUAC | `/guac` | -| `guac.ociCollector.enabled` | String Whether to deploy OCI Collector | `true` | -| `guac.ociCollector.name` | String Name of the OCI Collector component. | `oci-collector` | -| `guac.ociCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.ociCollector.replicas` | Number of replicas for oci collector deployment | `1` | -| `guac.ociCollector.image.command` | Command for the OCI Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect image"]` | -| `guac.ociCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.depsDevCollector.enabled` | String Whether to deploy Deps.Dev Collector | `true` | -| `guac.depsDevCollector.name` | String Name of the Deps.Dev Collector component. 
| `depsdev-collector` | -| `guac.depsDevCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.depsDevCollector.replicas` | Number of replicas for depsdev collector deployment | `1` | -| `guac.depsDevCollector.image.command` | Command for the Deps.Dev Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect deps_dev"]` | -| `guac.depsDevCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.osvCertifier.enabled` | String Whether to deploy OSV Certifier | `true` | -| `guac.osvCertifier.name` | String Name of the OSV Certifier component. | `osv-certifier` | -| `guac.osvCertifier.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.osvCertifier.replicas` | Number of replicas for OSV Certifier deployment | `1` | -| `guac.osvCertifier.image.command` | Command for the OSV Certifier Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacone certifier osv --poll"]` | -| `guac.osvCertifier.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.ingestor.enabled` | String Whether to deploy Ingestor | `true` | -| `guac.ingestor.name` | String Name of the ingestor component. | `ingestor` | -| `guac.ingestor.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.ingestor.replicas` | Number of replicas for ingestor deployment | `1` | -| `guac.ingestor.image.command` | Command for the ingestor image. It is not recommended to override this. 
| `["sh","-c","/opt/guac/guacingest"]` | -| `guac.ingestor.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.collectSub.enabled` | String Whether to deploy Collector Sub | `true` | -| `guac.collectSub.name` | String Name of the Collector Sub component. | `collectsub` | -| `guac.collectSub.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.collectSub.replicas` | Number of replicas for Collector Sub deployment | `1` | -| `guac.collectSub.image.command` | Command for the Collector Sub image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccsub"]` | -| `guac.collectSub.image.ports[0].containerPort` | Port the Collector Sub container listens on | `2782` | -| `guac.collectSub.svcPorts[0].protocol` | Protocol used at Collector Sub | `TCP` | -| `guac.collectSub.svcPorts[0].port` | Port the Collector Sub service listens on | `2782` | -| `guac.collectSub.svcPorts[0].targetPort` | Port the Collector Sub container listens on | `2782` | -| `guac.collectSub.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.graphqlServer.enabled` | String Whether to deploy GraphQL Server | `true` | -| `guac.graphqlServer.name` | String Name of the GraphQL Server component. | `graphql-server` | -| `guac.graphqlServer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.graphqlServer.replicas` | Number of replicas for GraphQL Server deployment | `1` | -| `guac.graphqlServer.image.command` | Command for the GraphQL Server image. It is not recommended to override this. 
| `["sh","-c","/opt/guac/guacgql"]` | -| `guac.graphqlServer.image.ports[0].containerPort` | Port the GraphQL Server container listens on | `8080` | -| `guac.graphqlServer.svcPorts[0].protocol` | Protocol used at the the GraphQL Server | `TCP` | -| `guac.graphqlServer.svcPorts[0].port` | Port the GraphQL Server service listens on | `8080` | -| `guac.graphqlServer.svcPorts[0].targetPort` | Port the GraphQL Server container listens on | `8080` | -| `guac.graphqlServer.backend` | which backend to use - only support inmem at the moment. | `inmem` | -| `guac.graphqlServer.debug` | Enable debug mode for graphql server; also enable the UI | `true` | -| `guac.graphqlServer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.visualizer.enabled` | String Whether to deploy the visualizer. | `true` | -| `guac.visualizer.name` | String Name of the visualizer. | `visualizer` | -| `guac.visualizer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.visualizer.replicas` | Number of replicas for visualizer deployment | `1` | -| `guac.visualizer.image.repository` | Path to the Ingestor image | `ghcr.io/guacsec/guac-visualizer` | -| `guac.visualizer.image.tag` | Tag if using an image tag. Optional | `v0.0.3` | -| `guac.visualizer.image.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. 
| `""` | -| `guac.visualizer.image.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | -| `guac.visualizer.image.ports[0].containerPort` | Port the visualizer container listens on | `3000` | -| `guac.visualizer.svcPorts[0].protocol` | Protocol used at the visualizer | `TCP` | -| `guac.visualizer.svcPorts[0].port` | Port the visualizer service listens on | `3000` | -| `guac.visualizer.svcPorts[0].targetPort` | Port the visualizer container listens on | `3000` | -| `guac.visualizer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.observability.deployServiceMonitor` | Boolean Deploy the service monitor for observability | `false` | -| `guac.sampleData.ingest` | Boolean - whether to ingest sample data after deployment | `false` | -| `guac.sampleData.jobName` | Name of the sample data ingest job | `ingest-guac-data` | +| Name | Description | Value | +| -------------------------------------------------------------- | ------------------------------------------------------------------------------------------- | ------------------------------------------------------- | +| `guac.guacImage.repository` | Path to the GUAC image | `ghcr.io/guacsec/guac` | +| `guac.guacImage.tag` | Tag if using an image tag. Optional | `v0.5.0` | +| `guac.guacImage.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. | `""` | +| `guac.guacImage.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | +| `guac.guacImage.workingDir` | Working Directory for GUAC | `/guac` | +| `guac.ociCollector.enabled` | String Whether to deploy OCI Collector | `true` | +| `guac.ociCollector.name` | String Name of the OCI Collector component. 
| `oci-collector` | +| `guac.ociCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.ociCollector.replicas` | Number of replicas for oci collector deployment | `1` | +| `guac.ociCollector.image.command` | Command for the OCI Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect image"]` | +| `guac.ociCollector.env` | Environment variables for OCI Collector. | `{}` | +| `guac.ociCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.depsDevCollector.enabled` | String Whether to deploy Deps.Dev Collector | `true` | +| `guac.depsDevCollector.name` | String Name of the Deps.Dev Collector component. | `depsdev-collector` | +| `guac.depsDevCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.depsDevCollector.replicas` | Number of replicas for depsdev collector deployment | `1` | +| `guac.depsDevCollector.image.command` | Command for the Deps.Dev Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect deps_dev"]` | +| `guac.depsDevCollector.env` | Environment variables for Deps.Dev Collector. | `{}` | +| `guac.depsDevCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.osvCertifier.enabled` | String Whether to deploy OSV Certifier | `true` | +| `guac.osvCertifier.name` | String Name of the OSV Certifier component. | `osv-certifier` | +| `guac.osvCertifier.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.osvCertifier.replicas` | Number of replicas for OSV Certifier deployment | `1` | +| `guac.osvCertifier.image.command` | Command for the OSV Certifier Collector image. It is not recommended to override this. 
| `["sh","-c","/opt/guac/guacone certifier osv --poll"]` | +| `guac.osvCertifier.env` | Environment variables for OSV Certifier Collector. | `{}` | +| `guac.osvCertifier.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.ingestor.enabled` | String Whether to deploy Ingestor | `true` | +| `guac.ingestor.name` | String Name of the ingestor component. | `ingestor` | +| `guac.ingestor.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.ingestor.replicas` | Number of replicas for ingestor deployment | `1` | +| `guac.ingestor.image.command` | Command for the ingestor image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacingest"]` | +| `guac.ingestor.env` | Environment variables for ingestor. | `{}` | +| `guac.ingestor.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.collectSub.enabled` | String Whether to deploy Collector Sub | `true` | +| `guac.collectSub.name` | String Name of the Collector Sub component. | `collectsub` | +| `guac.collectSub.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.collectSub.replicas` | Number of replicas for Collector Sub deployment | `1` | +| `guac.collectSub.image.command` | Command for the Collector Sub image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccsub"]` | +| `guac.collectSub.env` | Environment variables for Collector Sub. 
| `{}` | +| `guac.collectSub.image.ports[0].containerPort` | Port the Collector Sub container listens on | `2782` | +| `guac.collectSub.svcPorts[0].protocol` | Protocol used at Collector Sub | `TCP` | +| `guac.collectSub.svcPorts[0].port` | Port the Collector Sub service listens on | `2782` | +| `guac.collectSub.svcPorts[0].targetPort` | Port the Collector Sub container listens on | `2782` | +| `guac.collectSub.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.graphqlServer.enabled` | String Whether to deploy GraphQL Server | `true` | +| `guac.graphqlServer.name` | String Name of the GraphQL Server component. | `graphql-server` | +| `guac.graphqlServer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.graphqlServer.replicas` | Number of replicas for GraphQL Server deployment | `1` | +| `guac.graphqlServer.image.command` | Command for the GraphQL Server image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacgql"]` | +| `guac.graphqlServer.env` | Environment variables for GraphQL Server. | `{}` | +| `guac.graphqlServer.image.ports[0].containerPort` | Port the GraphQL Server container listens on | `8080` | +| `guac.graphqlServer.svcPorts[0].protocol` | Protocol used at the the GraphQL Server | `TCP` | +| `guac.graphqlServer.svcPorts[0].port` | Port the GraphQL Server service listens on | `8080` | +| `guac.graphqlServer.svcPorts[0].targetPort` | Port the GraphQL Server container listens on | `8080` | +| `guac.graphqlServer.backend` | which backend to use - keyvalue (default) | arango | ent. | `keyvalue` | +| `guac.graphqlServer.debug` | Enable debug mode for graphql server; also enable the UI | `true` | +| `guac.graphqlServer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.visualizer.enabled` | String Whether to deploy the visualizer. 
| `true` | +| `guac.visualizer.name` | String Name of the visualizer. | `visualizer` | +| `guac.visualizer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.visualizer.replicas` | Number of replicas for visualizer deployment | `1` | +| `guac.visualizer.image.repository` | Path to the Ingestor image | `ghcr.io/guacsec/guac-visualizer` | +| `guac.visualizer.image.tag` | Tag if using an image tag. Optional | `v0.0.3` | +| `guac.visualizer.image.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. | `""` | +| `guac.visualizer.image.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | +| `guac.visualizer.image.ports[0].containerPort` | Port the visualizer container listens on | `3000` | +| `guac.visualizer.svcPorts[0].protocol` | Protocol used at the visualizer | `TCP` | +| `guac.visualizer.svcPorts[0].port` | Port the visualizer service listens on | `3000` | +| `guac.visualizer.svcPorts[0].targetPort` | Port the visualizer container listens on | `3000` | +| `guac.visualizer.env` | Environment variables for the visualizer. 
| `{}` | +| `guac.visualizer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.observability.deployServiceMonitor` | Boolean Deploy the service monitor for observability | `false` | +| `guac.sampleData.ingest` | Boolean - whether to ingest sample data after deployment | `false` | +| `guac.sampleData.jobName` | Name of the sample data ingest job | `ingest-guac-data` | +| `guac.sampleData.env` | Environment variables for the sample data ingest job | `{}` | +| `guac.ingress.enabled` | Whether to deploy an Ingress object | `false` | +| `guac.apiOnlyIngress.enabled` | Whether to deploy an Ingress object to expose API only | `false` | +| `guac.backend.ent.db-driver` | database driver to use, one of [postgres | sqlite3 | mysql] or anything supported by sql.DB | `postgres` | +| `guac.backend.ent.db-address` | Full URL of database to connect to | `postgres://guac:guac@host:port/dbName?sslmode=disable` | +| `guac.backend.ent.db-migrate` | Wether to automatically run database migrations on start | `true` | +| `guac.backend.ent.db-debug` | Enable debug logging for database queries | `true` | ### nats This is the configuration for nats. This is a subchart. See full documentation [here](https://docs.nats.io/running-a-nats-service/nats-kubernetes/helm-charts). -| Name | Description | Value | -| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `nats.nats.jetstream.enabled` | Boolean for enabling JetStream. 
| `true` | -| `nats.nats.limits.maxPayload` | Max Payload size for nats | `64MB` | -| `nats.nats.statefulSetPodLabels.app.kubernetes.io/part-of` | Label to associate nats with GUAC for monitoring purposes | `{"nats":{"jetstream":{"enabled":true},"limits":{"maxPayload":"64MB"},"statefulSetPodLabels":{"app.kubernetes.io/part-of":"guac"}},"natsbox":{"additionalLabels":{"app.kubernetes.io/part-of":"guac"},"podLabels":{"app.kubernetes.io/part-of":"guac"}},"exporter":{"enabled":true,"serviceMonitor":{"enabled":false,"namespace":"monitoring","labels":{"release":"monitoring"}}}}` | -| `nats.natsbox.additionalLabels.app.kubernetes.io/part-of` | Label to associate natsbox with GUAC for monitoring purposes | `guac` | -| `nats.natsbox.podLabels.app.kubernetes.io/part-of` | Label to associate natsbox with GUAC for monitoring purposes | `guac` | -| `nats.exporter.enabled` | Boolean to enable data collection | `true` | -| `nats.exporter.serviceMonitor.enabled` | Boolean to enable nats service monitor | `false` | -| `nats.exporter.serviceMonitor.namespace` | nats service monitor namespace - this is for monitoring purposes and is used by Prometheus | `monitoring` | -| `nats.exporter.serviceMonitor.labels.release` | Label to associate nats service monitor with GUAC for monitoring purposes | `monitoring` | +| Name | Description | Value | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `nats.enabled` | Whehter to deploy nats | `true` | +| `nats.nats.jetstream.enabled` | 
Boolean for enabling JetStream. | `true` | +| `nats.nats.limits.maxPayload` | Max Payload size for nats | `64MB` | +| `nats.nats.statefulSetPodLabels.app.kubernetes.io/part-of` | Label to associate nats with GUAC for monitoring purposes | `{"enabled":true,"nats":{"jetstream":{"enabled":true},"limits":{"maxPayload":"64MB"},"statefulSetPodLabels":{"app.kubernetes.io/part-of":"guac"}},"natsbox":{"enabled":false,"additionalLabels":{"app.kubernetes.io/part-of":"guac"},"podLabels":{"app.kubernetes.io/part-of":"guac"}},"exporter":{"enabled":false,"serviceMonitor":{"enabled":false,"namespace":"monitoring","labels":{"release":"monitoring"}}}}` | +| `nats.natsbox.enabled` | Whehter to run natsbox | `false` | +| `nats.natsbox.additionalLabels.app.kubernetes.io/part-of` | Label to associate natsbox with GUAC for monitoring purposes | `guac` | +| `nats.natsbox.podLabels.app.kubernetes.io/part-of` | Label to associate natsbox with GUAC for monitoring purposes | `guac` | +| `nats.exporter.enabled` | Boolean to enable data collection | `false` | +| `nats.exporter.serviceMonitor.enabled` | Boolean to enable nats service monitor | `false` | +| `nats.exporter.serviceMonitor.namespace` | String nats service monitor namespace - this is for monitoring purposes and is used by Prometheus | `monitoring` | +| `nats.exporter.serviceMonitor.labels.release` | Label to associate nats service monitor with GUAC for monitoring purposes | `monitoring` | + +### minio + +This is the configuration for minio. This is a subchart. See full documentation [here](https://github.com/minio/minio/tree/master/helm/minio). + +| Name | Description | Value | +| -------------------- | ------------------------------------------------------ | -------------- | +| `minio.enabled` | Whehter to deploy minio as part of the Helm deployment | `true` | +| `minio.replicas` | Number of replicas. | `1` | +| `minio.mode` | minio mode, i.e. standalone or distributed | `standalone` | +| `minio.rootUser` | root user name. 
| `rootUser` | +| `minio.rootPassword` | root user password. | `rootPassword` | ## Developing For running the unit tests, install the unittest plugin. `helm plugin install https://github.com/quintush/helm-unittest` -To Run unit tests +To run unit tests `helm unittest charts/guac -3` + +To run Helm chart-testing (ct) lint and install tests + +`ct install --all --helm-extra-args --timeout=600s` \ No newline at end of file diff --git a/charts/guac/schema.json b/charts/guac/schema.json index e4a2596..bfb5a74 100644 --- a/charts/guac/schema.json +++ b/charts/guac/schema.json @@ -29,13 +29,13 @@ "tag": { "type": "string", "description": "Tag if using an image tag. Optional", - "default": "v0.2.0", + "default": "v0.5.0", "nullable": true }, "digest": { "type": "string", "description": "Sha256 Image Digest. It is strongly recommended to use this for verification.", - "default": "" + "default": "\"\"" }, "pullPolicy": { "type": "string", @@ -84,6 +84,11 @@ } } }, + "env": { + "type": "object", + "description": "Environment variables for OCI Collector.", + "default": {} + }, "nodeSelector": { "type": "object", "description": "- sets the node selector for where to run the deployment", @@ -126,6 +131,11 @@ } } }, + "env": { + "type": "object", + "description": "Environment variables for Deps.Dev Collector.", + "default": {} + }, "nodeSelector": { "type": "object", "description": "- sets the node selector for where to run the deployment", @@ -168,6 +178,11 @@ } } }, + "env": { + "type": "object", + "description": "Environment variables for OSV Certifier Collector.", + "default": {} + }, "nodeSelector": { "type": "object", "description": "- sets the node selector for where to run the deployment", @@ -210,6 +225,11 @@ } } }, + "env": { + "type": "object", + "description": "Environment variables for ingestor.", + "default": {} + }, "nodeSelector": { "type": "object", "description": "- sets the node selector for where to run the deployment", 
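Review bot: In the `@@ -29,13 +29,13 @@` hunk the digest default changes from `""` to `"\"\""`, which is a two-character string consisting of quote marks rather than an empty string, and no longer matches `digest: ""` in values.yaml; the `@@ -414,7 +444,7 @@` hunk for the visualizer digest has the same problem. If schema.json is produced by readme-generator from the `[string]` modifier on the `@param` lines, the fix belongs in the generator input or a post-processing step rather than in this file; otherwise restore `"default": ""` in both places.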
@@ -265,6 +285,11 @@ } } }, + "env": { + "type": "object", + "description": "Environment variables for Collector Sub.", + "default": {} + }, "svcPorts": { "type": "array", "description": "Protocol used at Collector Sub", @@ -341,6 +366,11 @@ } } }, + "env": { + "type": "object", + "description": "Environment variables for GraphQL Server.", + "default": {} + }, "svcPorts": { "type": "array", "description": "Protocol used at the the GraphQL Server", @@ -364,8 +394,8 @@ }, "backend": { "type": "string", - "description": "which backend to use - only support inmem at the moment.", - "default": "inmem" + "description": "which backend to use - keyvalue (default) | arango | ent.", + "default": "keyvalue" }, "debug": { "type": "boolean", @@ -414,7 +444,7 @@ "digest": { "type": "string", "description": "Sha256 Image Digest. It is strongly recommended to use this for verification.", - "default": "" + "default": "\"\"" }, "pullPolicy": { "type": "string", @@ -457,6 +487,11 @@ } } }, + "env": { + "type": "object", + "description": "Environment variables for the visualizer.", + "default": {} + }, "nodeSelector": { "type": "object", "description": "- sets the node selector for where to run the deployment", 
@@ -486,6 +521,61 @@ "type": "string", "description": "Name of the sample data ingest job", "default": "ingest-guac-data" + }, + "env": { + "type": "object", + "description": "Environment variables for the sample data ingest job", + "default": {} + } + } + }, + "ingress": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether to deploy an Ingress object", + "default": false + } + } + }, + "apiOnlyIngress": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether to deploy an Ingress object to expose API only", + "default": false + } + } + }, + "backend": { + "type": "object", + "properties": { + "ent": { + "type": "object", + "properties": { + "db-driver": { + "type": "string", + "description": "database driver to use, one of [postgres | sqlite3 | mysql] or anything supported by sql.DB", + "default": "postgres" + }, + "db-address": { + "type": "string", + "description": "Full URL of database to connect to", + "default": "postgres://guac:guac@host:port/dbName?sslmode=disable" + }, + "db-migrate": { + "type": "boolean", + "description": "Wether to automatically run database migrations on start", + "default": true + }, + "db-debug": { + "type": "boolean", + "description": "Enable debug logging for database queries", + "default": true + } + } } } } @@ -494,6 +584,11 @@ "nats": { "type": "object", "properties": { + "enabled": { + "type": "boolean", + "description": "Whehter to deploy nats", + "default": true + }, "nats": { "type": "object", "properties": { @@ -519,13 +614,23 @@ } } }, + "natsbox": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whehter to run natsbox", + "default": false + } + } + }, "exporter": { "type": "object", "properties": { "enabled": { "type": "boolean", "description": "Boolean to enable data collection", - "default": true + "default": false }, "serviceMonitor": { "type": "object", 
@@ -537,7 +642,7 @@ }, "namespace": { "type": "string", - "description": "nats service monitor namespace - this is for monitoring purposes and is used by Prometheus", + "description": "String nats service monitor namespace - this is for monitoring purposes and is used by Prometheus", "default": "monitoring" }, "labels": { @@ -555,6 +660,36 @@ } } } + }, + "minio": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whehter to deploy minio as part of the Helm deployment", + "default": true + }, + "replicas": { + "type": "number", + "description": "Number of replicas.", + "default": 1 + }, + "mode": { + "type": "string", + "description": "minio mode, i.e. standalone or distributed", + "default": "standalone" + }, + "rootUser": { + "type": "string", + "description": "root user name.", + "default": "rootUser" + }, + "rootPassword": { + "type": "string", + "description": "root user password.", + "default": "rootPassword" + } + } } } } \ No newline at end of file diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml index 6cb1c20..2b36f34 100644 --- a/charts/guac/values.yaml +++ b/charts/guac/values.yaml 
@@ -15,35 +15,41 @@ imagePullSecrets: ## @param guac.guacImage.digest [string] Sha256 Image Digest. It is strongly recommended to use this for verification. ## @param guac.guacImage.pullPolicy ImagePullPolicy for kubernetes ## @param guac.guacImage.workingDir Working Directory for GUAC +## @skip guac.common.env [] Environment variables common apply for all guac services ## @param guac.ociCollector.enabled String Whether to deploy OCI Collector ## @param guac.ociCollector.name String Name of the OCI Collector component. ## @param guac.ociCollector.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) ## @param guac.ociCollector.replicas Number of replicas for oci collector deployment ## @param guac.ociCollector.image.command Command for the OCI Collector image. It is not recommended to override this. +## @param guac.ociCollector.env Environment variables for OCI Collector. ## @param guac.ociCollector.nodeSelector - sets the node selector for where to run the deployment ## @param guac.depsDevCollector.enabled String Whether to deploy Deps.Dev Collector ## @param guac.depsDevCollector.name String Name of the Deps.Dev Collector component. ## @param guac.depsDevCollector.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) ## @param guac.depsDevCollector.replicas Number of replicas for depsdev collector deployment ## @param guac.depsDevCollector.image.command Command for the Deps.Dev Collector image. It is not recommended to override this. +## @param guac.depsDevCollector.env Environment variables for Deps.Dev Collector. ## @param guac.depsDevCollector.nodeSelector - sets the node selector for where to run the deployment ## @param guac.osvCertifier.enabled String Whether to deploy OSV Certifier ## @param guac.osvCertifier.name String Name of the OSV Certifier component. 
## @param guac.osvCertifier.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) ## @param guac.osvCertifier.replicas Number of replicas for OSV Certifier deployment ## @param guac.osvCertifier.image.command Command for the OSV Certifier Collector image. It is not recommended to override this. +## @param guac.osvCertifier.env Environment variables for OSV Certifier Collector. ## @param guac.osvCertifier.nodeSelector - sets the node selector for where to run the deployment ## @param guac.ingestor.enabled String Whether to deploy Ingestor ## @param guac.ingestor.name String Name of the ingestor component. ## @param guac.ingestor.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) ## @param guac.ingestor.replicas Number of replicas for ingestor deployment ## @param guac.ingestor.image.command Command for the ingestor image. It is not recommended to override this. +## @param guac.ingestor.env Environment variables for ingestor. ## @param guac.ingestor.nodeSelector - sets the node selector for where to run the deployment ## @param guac.collectSub.enabled String Whether to deploy Collector Sub ## @param guac.collectSub.name String Name of the Collector Sub component. ## @param guac.collectSub.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) ## @param guac.collectSub.replicas Number of replicas for Collector Sub deployment ## @param guac.collectSub.image.command Command for the Collector Sub image. It is not recommended to override this. +## @param guac.collectSub.env Environment variables for Collector Sub. 
## @param guac.collectSub.image.ports[0].containerPort Port the Collector Sub container listens on ## @param guac.collectSub.svcPorts[0].protocol Protocol used at Collector Sub ## @param guac.collectSub.svcPorts[0].port Port the Collector Sub service listens on @@ -54,6 +60,7 @@ imagePullSecrets: ## @param guac.graphqlServer.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) ## @param guac.graphqlServer.replicas Number of replicas for GraphQL Server deployment ## @param guac.graphqlServer.image.command Command for the GraphQL Server image. It is not recommended to override this. +## @param guac.graphqlServer.env Environment variables for GraphQL Server. ## @param guac.graphqlServer.image.ports[0].containerPort Port the GraphQL Server container listens on ## @param guac.graphqlServer.svcPorts[0].protocol Protocol used at the the GraphQL Server ## @param guac.graphqlServer.svcPorts[0].port Port the GraphQL Server service listens on 
@@ -73,39 +80,45 @@ imagePullSecrets: ## @param guac.visualizer.svcPorts[0].protocol Protocol used at the visualizer ## @param guac.visualizer.svcPorts[0].port Port the visualizer service listens on ## @param guac.visualizer.svcPorts[0].targetPort Port the visualizer container listens on +## @param guac.visualizer.env Environment variables for the visualizer. ## @param guac.visualizer.nodeSelector - sets the node selector for where to run the deployment ## @param guac.observability.deployServiceMonitor Boolean Deploy the service monitor for observability ## @param guac.sampleData.ingest Boolean - whether to ingest sample data after deployment ## @param guac.sampleData.jobName Name of the sample data ingest job +## @param guac.sampleData.env Environment variables for the sample data ingest job ## @param guac.ingress.enabled Whether to deploy an Ingress object -## @param guac.ingress.ingressClassName Ingress class name -## @param guac.ingress.webuiHostname DNS name for the UI components - e.g. Visualizer, GQL playground -## @param guac.ingress.apiHostname DNS name for the GQL API. When specified, GQL API won't be served at webuiHostname -## @param guac.ingress.annotations Annotations for the ingress object +## @disabled-param guac.ingress.ingressClassName Ingress class name +## @disabled-param guac.ingress.webuiHostname DNS name for the UI components - e.g. Visualizer, GQL playground +## @disabled-param guac.ingress.apiHostname DNS name for the GQL API. When specified, GQL API won't be served at webuiHostname +## @disabled-param guac.ingress.annotations Annotations for the ingress object ## @param guac.apiOnlyIngress.enabled Whether to deploy an Ingress object to expose API only -## @param guac.apiOnlyIngress.ingressClassName Ingress class name for API only ingress -## @param guac.apiOnlyIngress.apiHostname DNS name for the GQL API. 
-## @param guac.apiOnlyIngress.annotations Annotations for the API only ingress object +## @disabled-param guac.apiOnlyIngress.ingressClassName Ingress class name for API only ingress +## @disabled-param guac.apiOnlyIngress.apiHostname DNS name for the GQL API. +## @disabled-param guac.apiOnlyIngress.annotations Annotations for the API only ingress object ## @param guac.backend.ent.db-driver database driver to use, one of [postgres | sqlite3 | mysql] or anything supported by sql.DB ## @param guac.backend.ent.db-address Full URL of database to connect to ## @param guac.backend.ent.db-migrate Wether to automatically run database migrations on start ## @param guac.backend.ent.db-debug Enable debug logging for database queries -## @param guac.pubsub-addr gocloud connection string for pubsub configured via https://gocloud.dev/howto/pubsub/ -## @param guac.blob-addr gocloud connection string for blob store configured via https://gocloud.dev/howto/blob/ +## @skip guac.pubSubAddr String gocloud connection string for pubsub configured via https://gocloud.dev/howto/pubsub/ +## @skip guac.blobAddr String gocloud connection string for blob store configured via https://gocloud.dev/howto/blob/ guac: guacImage: repository: ghcr.io/guacsec/guac # if not set appVersion field from Chart.yaml is used - tag: v0.4.0 + tag: v0.5.0 # When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value). digest: "" pullPolicy: IfNotPresent workingDir: /guac common: - env: {} - # COMMON_ENV: COMMON_ENV_VALUE + # env: {} + # COMMON_ENV_NAME: COMMON_ENV_VALUE + env: + # default creds (set at minio.users) for accessing minio blobstore. Remove when changing default blobAddr. + AWS_ACCESS_KEY_ID: accessKey + AWS_SECRET_ACCESS_KEY: secretKey ociCollector: enabled: true @@ -116,7 +129,7 @@ guac: image: command: ['sh', '-c', '/opt/guac/guaccollect image'] env: {} - # ENV: ENV_VALUE + # ENV_NAME: ENV_VALUE nodeSelector: {} depsDevCollector: 
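Review bot: `common.env` now ships `AWS_ACCESS_KEY_ID: accessKey` and `AWS_SECRET_ACCESS_KEY: secretKey` as plain values, so a pair of default credentials lands in the chart's values.yaml and, per the chart's own description of `guac.common.env`, in the rendered env of every guac service. The pair duplicates the `accessKey`/`secretKey` entry under `minio.users` further down this file, so changing one without the other silently breaks blob access. Unless the templates already support a Secret-backed form, make the status of these values explicit in the comment, e.g. `# Development defaults matching minio.users below; replace them (or inject from a Secret) before any non-local deployment, and remove when changing blobAddr.`, and consider keeping `env: {}` as the shipped default with the pair supplied from a CI-only values file instead.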
@@ -239,24 +252,28 @@ guac: db-debug: true # Default to use NATS; specify a value here to override + # e.g. # pubSubAddr: awssqs://sqs.[aws_region].amazonaws.com/[account_id]/[queue_name]?region=[aws_region] # Default to use minio; specify a value here to override + # e.g. + # blobAddr: s3://[bucket_name]?region=[aws_region] # blobAddr: file:///tmp/blobstore?no_tmp_dir=true - # e.g. blobAddr: s3://[bucket_name]?region=[aws_region] + ## @section nats ## @descriptionStart This is the configuration for nats. This is a subchart. See full documentation [here](https://docs.nats.io/running-a-nats-service/nats-kubernetes/helm-charts). ## @descriptionEnd -## @param nats.nats.enabled Whehter to deploy nats as part of the Helm deployment +## @param nats.enabled Whehter to deploy nats ## @param nats.nats.jetstream.enabled Boolean for enabling JetStream. ## @param nats.nats.limits.maxPayload Max Payload size for nats ## @param nats.nats.statefulSetPodLabels.app.kubernetes.io/part-of Label to associate nats with GUAC for monitoring purposes +## @param nats.natsbox.enabled Whehter to run natsbox ## @param nats.natsbox.additionalLabels.app.kubernetes.io/part-of Label to associate natsbox with GUAC for monitoring purposes ## @param nats.natsbox.podLabels.app.kubernetes.io/part-of Label to associate natsbox with GUAC for monitoring purposes ## @param nats.exporter.enabled Boolean to enable data collection ## @param nats.exporter.serviceMonitor.enabled Boolean to enable nats service monitor -## @param nats.exporter.serviceMonitor.namespace nats service monitor namespace - this is for monitoring purposes and is used by Prometheus +## @param nats.exporter.serviceMonitor.namespace String nats service monitor namespace - this is for monitoring purposes and is used by Prometheus ## @param nats.exporter.serviceMonitor.labels.release Label to associate nats service monitor with GUAC for monitoring purposes nats: enabled: true 
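Review bot: `+## @param nats.enabled Whehter to deploy nats` and `+## @param nats.natsbox.enabled Whehter to run natsbox` carry the typo "Whehter", and because these `@param` comments feed the generated README table the misspelling is reproduced there; the existing `minio.enabled` line appears to have the same typo, and the `@skip minio.buckets` / `@skip minio.users` lines added in the minio hunk below end with a stray `?`. Suggest `## @param nats.enabled Whether to deploy nats` and `## @param nats.natsbox.enabled Whether to run natsbox`, and dropping the trailing `?` from the two minio descriptions.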
@@ -277,7 +294,7 @@ nats: app.kubernetes.io/part-of: "guac" exporter: - enabled: true + enabled: false serviceMonitor: enabled: false ## Specify the namespace where Prometheus Operator is running @@ -290,7 +307,13 @@ nats: ## @descriptionEnd ## @param minio.enabled Whehter to deploy minio as part of the Helm deployment ## @param minio.replicas Number of replicas. -## @param minio.persistenace Persistence volume configure. +## @skip minio.persistence Persistence volume configuration. +## @param minio.mode minio mode, i.e. standalone or distributed +## @skip minio.resources resource requests and limits +## @param minio.rootUser root user name. +## @param minio.rootPassword root user password. +## @skip minio.buckets List of buckets to create after deployment.? +## @skip minio.users List of users, in terms of creds and permissions, to create after deployment.? minio: enabled: true replicas: 1 @@ -309,11 +332,6 @@ minio: versioning: false objectlocking: false users: - ## Username, password and policy to be assigned to the user - ## Default policies are [readonly|readwrite|writeonly|consoleAdmin|diagnostics] - ## Add new policies as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management.html#access-management - ## NOTE: this will fail if LDAP is enabled in your MinIO deployment - ## make sure to disable this if you are using LDAP. - accessKey: accessKey secretKey: secretKey policy: readwrite From 4ebd2fdf006bfcf83d4d897ee72624b17e4afb87 Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Fri, 8 Mar 2024 10:40:01 -0500 Subject: [PATCH 27/30] get local test running Signed-off-by: Sunny Yip --- charts/guac/ci/guac-values.yaml | 10 --- .../guac/templates/ingest-guac-data-job.yaml | 82 ++++++++++--------- 2 files changed, 45 insertions(+), 47 deletions(-) diff --git a/charts/guac/ci/guac-values.yaml b/charts/guac/ci/guac-values.yaml index 98f713e..83c573a 100644 --- a/charts/guac/ci/guac-values.yaml 
+++ b/charts/guac/ci/guac-values.yaml @@ -2,13 +2,3 @@ guac: sampleData: ingest: true - - guacImage: - # repository: 767397973649.dkr.ecr.us-east-1.amazonaws.com/guacsec/guac - repository: ghcr.io/kusaridev/guacsec/guac - tag: main.sha.d5feab145165f144f006045736ffb65a767e0643 - - common: - env: - AWS_ACCESS_KEY_ID: accessKey - AWS_SECRET_ACCESS_KEY: secretKey diff --git a/charts/guac/templates/ingest-guac-data-job.yaml b/charts/guac/templates/ingest-guac-data-job.yaml index 5cb481f..30f839c 100644 --- a/charts/guac/templates/ingest-guac-data-job.yaml +++ b/charts/guac/templates/ingest-guac-data-job.yaml @@ -11,7 +11,6 @@ metadata: app.kubernetes.io/name: {{ .Values.guac.sampleData.jobName }} annotations: "helm.sh/hook": post-install, post-upgrade - # "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation "helm.sh/hook-weight": "10" spec: backoffLimit: 5 @@ -23,13 +22,7 @@ spec: spec: containers: - name: data-ingestor - # image: "ubuntu:22.04" - {{- if .Values.guac.guacImage.digest }} - image: "{{ .Values.guac.guacImage.repository }}@{{ .Values.guac.guacImage.digest }}" - {{- else }} - image: "{{ .Values.guac.guacImage.repository }}:{{ .Values.guac.guacImage.tag | default .Chart.AppVersion}}" - {{- end }} - imagePullPolicy: "{{ .Values.guac.guacImage.pullPolicy }}" + image: "ubuntu:22.04" command: ['sh', '-c', '/tmp/guac/ingest-guac-data.sh ingest-data'] workingDir: {{ .Values.guac.workingDir }} {{- if or .Values.guac.common.env .Values.guac.sampleData.env }} 
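Review bot: `image: "ubuntu:22.04"` replaces the chart's templated image selection for the `data-ingestor` container, so the post-install hook now runs a mutable public tag with no digest and the `imagePullPolicy` line is gone, while the rest of the chart documents `guacImage.digest` as the recommended verification path; the `data-preper` container added in the next hunk repeats the same literal. If an Ubuntu base is intended here, pin it, e.g. `image: "ubuntu:22.04@sha256:<pinned-digest>"` (placeholder digest) and keep `imagePullPolicy: "{{ .Values.guac.guacImage.pullPolicy }}"`, or expose the image as a value under `guac.sampleData` so it is not hard-coded in a template. The container spec continues past the end of this hunk.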
@@ -49,25 +42,20 @@ spec: readOnly: true - name: ingest-guac-data mountPath: /tmp/guac - - - # - name: data-preper - # # image: "ubuntu:22.04" - # {{- if .Values.guac.guacImage.digest }} - # image: "{{ .Values.guac.guacImage.repository }}@{{ .Values.guac.guacImage.digest }}" - # {{- else }} - # image: "{{ .Values.guac.guacImage.repository }}:{{ .Values.guac.guacImage.tag | default .Chart.AppVersion}}" - # {{- end }} - # command: ['sh', '-c', '/tmp/guac/ingest-guac-data.sh prep-data'] - # workingDir: {{ .Values.guac.guacImage.workingDir }} - # volumeMounts: - # - name: guac-config - # mountPath: {{ .Values.guac.guacImage.workingDir }} - # readOnly: true - # - name: ingest-guac-data - # mountPath: /tmp/guac - # - name: shared-data - # mountPath: /shared-data + - name: shared-data + mountPath: /shared-data + - name: data-preper + image: "ubuntu:22.04" + command: ['sh', '-c', '/tmp/guac/ingest-guac-data.sh prep-data'] + workingDir: {{ .Values.guac.guacImage.workingDir }} + volumeMounts: + - name: guac-config + mountPath: {{ .Values.guac.guacImage.workingDir }} + readOnly: true + - name: ingest-guac-data + mountPath: /tmp/guac + - name: shared-data + mountPath: /shared-data restartPolicy: OnFailure {{- if .Values.imagePullSecrets }} imagePullSecrets: 
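Review bot: The new `data-preper` container uses `workingDir: {{ .Values.guac.guacImage.workingDir }}` (and mounts `guac-config` at that same path), whereas `data-ingestor` above it uses `workingDir: {{ .Values.guac.workingDir }}`; the README lists only `guac.guacImage.workingDir`, so the two containers appear to resolve to different paths and one of them presumably renders empty — both should reference the same value. Both containers also sit under `containers:`, so they start concurrently and ordering rests entirely on the `done_loading_data` indicator file that the ingest script polls; declaring `data-preper` under `initContainers:` would make the dependency explicit and remove the need for the polling loop. The pod spec continues outside the hunk.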
@@ -98,34 +86,54 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service | quote }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" data: - ingest-guac-data.sh: |- + ingest-guac-data.sh: | #!/usr/bin/env bash set -e - # SHARED_DATA=/shared-data - SHARED_DATA=/guac-data/docs + SHARED_DATA=/shared-data INDICATOR_FILE=${SHARED_DATA}/done_loading_data GUAC_DATA_REPO=https://github.com/guacsec/guac-data.git case "$1" in prep-data) echo "Preparing sample data" - # apt-get update && apt-get install -y git - # git clone ${GUAC_DATA_REPO} ${SHARED_DATA}/guac-data - # touch ${INDICATOR_FILE} + apt-get update && apt-get install -y git + git clone ${GUAC_DATA_REPO} ${SHARED_DATA}/guac-data + touch ${INDICATOR_FILE} ;; ingest-data) echo "Ingesting sample data" export GUACSEC_HOME="/guac" + + apt-get update && apt-get install -y curl + curl -L https://github.com/guacsec/guac/releases/latest/download/guacone-linux-amd64 -o /tmp/guacone + curl -L https://github.com/guacsec/guac/releases/latest/download/guaccollect-linux-amd64 -o /tmp/guaccollect + chmod +x /tmp/guacone /tmp/guaccollect + + while [ ! -f ${INDICATOR_FILE} ] + do + sleep 3 + done + cd ${GUACSEC_HOME} - echo running guaccollect... - time /opt/guac/guaccollect files --service-poll=false ${SHARED_DATA} - # rm ${INDICATOR_FILE} + echo running guaccollect... at ${SHARED_DATA}/guac-data/docs + ls -la ${SHARED_DATA}/guac-data/docs + time /tmp/guaccollect files --service-poll=false ${SHARED_DATA}/guac-data/docs + + echo running guacone collect... + time /tmp/guacone collect files ${SHARED_DATA}/guac-data/top-dh-sboms/zookeeper.json + # for d in guac-data/docs + # do + # done + + + + rm ${INDICATOR_FILE} ;; *) echo "$1 is not supported" ;; esac -{{- end }} +{{- end }} \ No newline at end of file From 36e81f6065891e7bc9f7b560ae370469510d5b6c Mon Sep 17 00:00:00 2001 From: Sunny Yip Date: Fri, 8 Mar 2024 10:54:45 -0500 Subject: [PATCH 28/30] update README 
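Review bot: `curl -L https://github.com/guacsec/guac/releases/latest/download/guacone-linux-amd64 -o /tmp/guacone` (and the `guaccollect` line after it) fetches whatever "latest" resolves to at hook time and executes it with no integrity check, and without `-f` a non-2xx response body is saved as the binary and `chmod +x` then runs it; this also makes the sample-data Job non-reproducible and decoupled from the `guacImage.tag`/`digest` the chart otherwise pins. Pin the release and verify the downloads against known digests before `chmod +x`, as sketched below (the `<…>` values are placeholders to fill from the release's published checksums). The `while [ ! -f ${INDICATOR_FILE} ]` loop has no upper bound, so a failed `data-preper` leaves the hook pod waiting indefinitely instead of failing into `backoffLimit`; a bounded wait (`for i in $(seq 1 100); do [ -f "${INDICATOR_FILE}" ] && break; sleep 3; done` followed by a check that exits 1) would surface it. The leftover `ls -la`, the empty commented `for d in …` loop and the run of blank lines before `rm ${INDICATOR_FILE}` read as debugging residue, and the trailing `{{- end }}` now lacks a newline at end of file.
```yaml
  ingest-guac-data.sh: |
    #!/usr/bin/env bash
    set -e
    # … unchanged: SHARED_DATA, INDICATOR_FILE, GUAC_DATA_REPO, prep-data) branch …
      ingest-data)
        echo "Ingesting sample data"
        export GUACSEC_HOME="/guac"
        # Pinned release and expected digests (placeholders; take them from the release's checksum file).
        GUAC_VERSION="<pinned-release-tag>"
        GUACONE_SHA256="<expected-sha256-of-guacone-linux-amd64>"
        GUACCOLLECT_SHA256="<expected-sha256-of-guaccollect-linux-amd64>"

        apt-get update && apt-get install -y curl
        curl -fsSL "https://github.com/guacsec/guac/releases/download/${GUAC_VERSION}/guacone-linux-amd64" -o /tmp/guacone
        curl -fsSL "https://github.com/guacsec/guac/releases/download/${GUAC_VERSION}/guaccollect-linux-amd64" -o /tmp/guaccollect
        # Refuse to run anything whose digest does not match the pinned value.
        echo "${GUACONE_SHA256}  /tmp/guacone" | sha256sum -c -
        echo "${GUACCOLLECT_SHA256}  /tmp/guaccollect" | sha256sum -c -
        chmod +x /tmp/guacone /tmp/guaccollect
        # … unchanged: wait for ${INDICATOR_FILE}, guaccollect/guacone runs, rm ${INDICATOR_FILE} …
```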
Signed-off-by: Sunny Yip --- charts/guac/README.md | 194 +++++++++++++++++++++------------------- charts/guac/schema.json | 18 ++-- charts/guac/values.yaml | 32 +++---- 3 files changed, 131 insertions(+), 113 deletions(-) diff --git a/charts/guac/README.md b/charts/guac/README.md index b3635c2..14d3c13 100644 --- a/charts/guac/README.md +++ b/charts/guac/README.md 
@@ -95,89 +95,99 @@ kubectl port-forward svc/collectsub 2782:2782 This section contains parameters for configuring the different GUAC components. -| Name | Description | Value | -| -------------------------------------------------------------- | ------------------------------------------------------------------------------------------- | ------------------------------------------------------- | -| `guac.guacImage.repository` | Path to the GUAC image | `ghcr.io/guacsec/guac` | -| `guac.guacImage.tag` | Tag if using an image tag. Optional | `v0.5.0` | -| `guac.guacImage.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. | `""` | -| `guac.guacImage.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | -| `guac.guacImage.workingDir` | Working Directory for GUAC | `/guac` | -| `guac.ociCollector.enabled` | String Whether to deploy OCI Collector | `true` | -| `guac.ociCollector.name` | String Name of the OCI Collector component. | `oci-collector` | -| `guac.ociCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.ociCollector.replicas` | Number of replicas for oci collector deployment | `1` | -| `guac.ociCollector.image.command` | Command for the OCI Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect image"]` | -| `guac.ociCollector.env` | Environment variables for OCI Collector. | `{}` | -| `guac.ociCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.depsDevCollector.enabled` | String Whether to deploy Deps.Dev Collector | `true` | -| `guac.depsDevCollector.name` | String Name of the Deps.Dev Collector component. 
| `depsdev-collector` | -| `guac.depsDevCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.depsDevCollector.replicas` | Number of replicas for depsdev collector deployment | `1` | -| `guac.depsDevCollector.image.command` | Command for the Deps.Dev Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect deps_dev"]` | -| `guac.depsDevCollector.env` | Environment variables for Deps.Dev Collector. | `{}` | -| `guac.depsDevCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.osvCertifier.enabled` | String Whether to deploy OSV Certifier | `true` | -| `guac.osvCertifier.name` | String Name of the OSV Certifier component. | `osv-certifier` | -| `guac.osvCertifier.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.osvCertifier.replicas` | Number of replicas for OSV Certifier deployment | `1` | -| `guac.osvCertifier.image.command` | Command for the OSV Certifier Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacone certifier osv --poll"]` | -| `guac.osvCertifier.env` | Environment variables for OSV Certifier Collector. | `{}` | -| `guac.osvCertifier.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.ingestor.enabled` | String Whether to deploy Ingestor | `true` | -| `guac.ingestor.name` | String Name of the ingestor component. | `ingestor` | -| `guac.ingestor.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.ingestor.replicas` | Number of replicas for ingestor deployment | `1` | -| `guac.ingestor.image.command` | Command for the ingestor image. It is not recommended to override this. 
| `["sh","-c","/opt/guac/guacingest"]` | -| `guac.ingestor.env` | Environment variables for ingestor. | `{}` | -| `guac.ingestor.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.collectSub.enabled` | String Whether to deploy Collector Sub | `true` | -| `guac.collectSub.name` | String Name of the Collector Sub component. | `collectsub` | -| `guac.collectSub.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.collectSub.replicas` | Number of replicas for Collector Sub deployment | `1` | -| `guac.collectSub.image.command` | Command for the Collector Sub image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccsub"]` | -| `guac.collectSub.env` | Environment variables for Collector Sub. | `{}` | -| `guac.collectSub.image.ports[0].containerPort` | Port the Collector Sub container listens on | `2782` | -| `guac.collectSub.svcPorts[0].protocol` | Protocol used at Collector Sub | `TCP` | -| `guac.collectSub.svcPorts[0].port` | Port the Collector Sub service listens on | `2782` | -| `guac.collectSub.svcPorts[0].targetPort` | Port the Collector Sub container listens on | `2782` | -| `guac.collectSub.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.graphqlServer.enabled` | String Whether to deploy GraphQL Server | `true` | -| `guac.graphqlServer.name` | String Name of the GraphQL Server component. | `graphql-server` | -| `guac.graphqlServer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.graphqlServer.replicas` | Number of replicas for GraphQL Server deployment | `1` | -| `guac.graphqlServer.image.command` | Command for the GraphQL Server image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacgql"]` | -| `guac.graphqlServer.env` | Environment variables for GraphQL Server. 
| `{}` | -| `guac.graphqlServer.image.ports[0].containerPort` | Port the GraphQL Server container listens on | `8080` | -| `guac.graphqlServer.svcPorts[0].protocol` | Protocol used at the the GraphQL Server | `TCP` | -| `guac.graphqlServer.svcPorts[0].port` | Port the GraphQL Server service listens on | `8080` | -| `guac.graphqlServer.svcPorts[0].targetPort` | Port the GraphQL Server container listens on | `8080` | -| `guac.graphqlServer.backend` | which backend to use - keyvalue (default) | arango | ent. | `keyvalue` | -| `guac.graphqlServer.debug` | Enable debug mode for graphql server; also enable the UI | `true` | -| `guac.graphqlServer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.visualizer.enabled` | String Whether to deploy the visualizer. | `true` | -| `guac.visualizer.name` | String Name of the visualizer. | `visualizer` | -| `guac.visualizer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | -| `guac.visualizer.replicas` | Number of replicas for visualizer deployment | `1` | -| `guac.visualizer.image.repository` | Path to the Ingestor image | `ghcr.io/guacsec/guac-visualizer` | -| `guac.visualizer.image.tag` | Tag if using an image tag. Optional | `v0.0.3` | -| `guac.visualizer.image.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. | `""` | -| `guac.visualizer.image.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | -| `guac.visualizer.image.ports[0].containerPort` | Port the visualizer container listens on | `3000` | -| `guac.visualizer.svcPorts[0].protocol` | Protocol used at the visualizer | `TCP` | -| `guac.visualizer.svcPorts[0].port` | Port the visualizer service listens on | `3000` | -| `guac.visualizer.svcPorts[0].targetPort` | Port the visualizer container listens on | `3000` | -| `guac.visualizer.env` | Environment variables for the visualizer. 
| `{}` | -| `guac.visualizer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | -| `guac.observability.deployServiceMonitor` | Boolean Deploy the service monitor for observability | `false` | -| `guac.sampleData.ingest` | Boolean - whether to ingest sample data after deployment | `false` | -| `guac.sampleData.jobName` | Name of the sample data ingest job | `ingest-guac-data` | -| `guac.sampleData.env` | Environment variables for the sample data ingest job | `{}` | -| `guac.ingress.enabled` | Whether to deploy an Ingress object | `false` | -| `guac.apiOnlyIngress.enabled` | Whether to deploy an Ingress object to expose API only | `false` | -| `guac.backend.ent.db-driver` | database driver to use, one of [postgres | sqlite3 | mysql] or anything supported by sql.DB | `postgres` | -| `guac.backend.ent.db-address` | Full URL of database to connect to | `postgres://guac:guac@host:port/dbName?sslmode=disable` | -| `guac.backend.ent.db-migrate` | Wether to automatically run database migrations on start | `true` | -| `guac.backend.ent.db-debug` | Enable debug logging for database queries | `true` | +| Name | Description | Value | +| -------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | ------------------------------------------------------- | +| `guac.guacImage.repository` | Path to the GUAC image | `ghcr.io/guacsec/guac` | +| `guac.guacImage.tag` | Tag if using an image tag. Optional | `undefined` | +| `guac.guacImage.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. 
| `""` | +| `guac.guacImage.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | +| `guac.guacImage.workingDir` | Working Directory for GUAC | `/guac` | +| `guac.common.env` | Environment variables common apply for all guac services | `""` | +| `guac.ociCollector.enabled` | String Whether to deploy OCI Collector | `true` | +| `guac.ociCollector.name` | String Name of the OCI Collector component. | `oci-collector` | +| `guac.ociCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.ociCollector.replicas` | Number of replicas for oci collector deployment | `1` | +| `guac.ociCollector.image.command` | Command for the OCI Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect image"]` | +| `guac.ociCollector.env` | Environment variables for OCI Collector. | `{}` | +| `guac.ociCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.depsDevCollector.enabled` | String Whether to deploy Deps.Dev Collector | `true` | +| `guac.depsDevCollector.name` | String Name of the Deps.Dev Collector component. | `depsdev-collector` | +| `guac.depsDevCollector.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.depsDevCollector.replicas` | Number of replicas for depsdev collector deployment | `1` | +| `guac.depsDevCollector.image.command` | Command for the Deps.Dev Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccollect deps_dev"]` | +| `guac.depsDevCollector.env` | Environment variables for Deps.Dev Collector. 
| `{}` | +| `guac.depsDevCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.osvCertifier.enabled` | String Whether to deploy OSV Certifier | `true` | +| `guac.osvCertifier.name` | String Name of the OSV Certifier component. | `osv-certifier` | +| `guac.osvCertifier.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.osvCertifier.replicas` | Number of replicas for OSV Certifier deployment | `1` | +| `guac.osvCertifier.image.command` | Command for the OSV Certifier Collector image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacone certifier osv --poll"]` | +| `guac.osvCertifier.env` | Environment variables for OSV Certifier Collector. | `{}` | +| `guac.osvCertifier.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.ingestor.enabled` | String Whether to deploy Ingestor | `true` | +| `guac.ingestor.name` | String Name of the ingestor component. | `ingestor` | +| `guac.ingestor.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.ingestor.replicas` | Number of replicas for ingestor deployment | `1` | +| `guac.ingestor.image.command` | Command for the ingestor image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacingest"]` | +| `guac.ingestor.env` | Environment variables for ingestor. | `{}` | +| `guac.ingestor.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.collectSub.enabled` | String Whether to deploy Collector Sub | `true` | +| `guac.collectSub.name` | String Name of the Collector Sub component. 
| `collectsub` | +| `guac.collectSub.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.collectSub.replicas` | Number of replicas for Collector Sub deployment | `1` | +| `guac.collectSub.image.command` | Command for the Collector Sub image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccsub"]` | +| `guac.collectSub.env` | Environment variables for Collector Sub. | `{}` | +| `guac.collectSub.image.ports[0].containerPort` | Port the Collector Sub container listens on | `2782` | +| `guac.collectSub.svcPorts[0].protocol` | Protocol used at Collector Sub | `TCP` | +| `guac.collectSub.svcPorts[0].port` | Port the Collector Sub service listens on | `2782` | +| `guac.collectSub.svcPorts[0].targetPort` | Port the Collector Sub container listens on | `2782` | +| `guac.collectSub.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.graphqlServer.enabled` | String Whether to deploy GraphQL Server | `true` | +| `guac.graphqlServer.name` | String Name of the GraphQL Server component. | `graphql-server` | +| `guac.graphqlServer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.graphqlServer.replicas` | Number of replicas for GraphQL Server deployment | `1` | +| `guac.graphqlServer.image.command` | Command for the GraphQL Server image. It is not recommended to override this. | `["sh","-c","/opt/guac/guacgql"]` | +| `guac.graphqlServer.env` | Environment variables for GraphQL Server. 
| `{}` | +| `guac.graphqlServer.image.ports[0].containerPort` | Port the GraphQL Server container listens on | `8080` | +| `guac.graphqlServer.svcPorts[0].protocol` | Protocol used at the the GraphQL Server | `TCP` | +| `guac.graphqlServer.svcPorts[0].port` | Port the GraphQL Server service listens on | `8080` | +| `guac.graphqlServer.svcPorts[0].targetPort` | Port the GraphQL Server container listens on | `8080` | +| `guac.graphqlServer.backend` | which backend to use - keyvalue (default) | arango | ent. | `keyvalue` | +| `guac.graphqlServer.debug` | Enable debug mode for graphql server; also enable the UI | `true` | +| `guac.graphqlServer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.visualizer.enabled` | String Whether to deploy the visualizer. | `true` | +| `guac.visualizer.name` | String Name of the visualizer. | `visualizer` | +| `guac.visualizer.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` | +| `guac.visualizer.replicas` | Number of replicas for visualizer deployment | `1` | +| `guac.visualizer.image.repository` | Path to the Ingestor image | `ghcr.io/guacsec/guac-visualizer` | +| `guac.visualizer.image.tag` | Tag if using an image tag. Optional | `v0.0.3` | +| `guac.visualizer.image.digest` | Sha256 Image Digest. It is strongly recommended to use this for verification. | `""` | +| `guac.visualizer.image.pullPolicy` | ImagePullPolicy for kubernetes | `IfNotPresent` | +| `guac.visualizer.image.ports[0].containerPort` | Port the visualizer container listens on | `3000` | +| `guac.visualizer.svcPorts[0].protocol` | Protocol used at the visualizer | `TCP` | +| `guac.visualizer.svcPorts[0].port` | Port the visualizer service listens on | `3000` | +| `guac.visualizer.svcPorts[0].targetPort` | Port the visualizer container listens on | `3000` | +| `guac.visualizer.env` | Environment variables for the visualizer. 
| `{}` | +| `guac.visualizer.nodeSelector` | - sets the node selector for where to run the deployment | `{}` | +| `guac.observability.deployServiceMonitor` | Boolean Deploy the service monitor for observability | `false` | +| `guac.sampleData.ingest` | Boolean Whether to ingest sample data after deployment | `false` | +| `guac.sampleData.jobName` | Name of the sample data ingest job | `ingest-guac-data` | +| `guac.sampleData.env` | Environment variables for the sample data ingest job | `{}` | +| `guac.ingress.enabled` | Whether to deploy an Ingress object | `false` | +| `guac.ingress.ingressClassName` | Ingress class name | `undefined` | +| `guac.ingress.webuiHostname` | DNS name for the UI components - e.g. Visualizer, GQL playground | `undefined` | +| `guac.ingress.apiHostname` | DNS name for the GQL API. When specified, GQL API won't be served at webuiHostname | `undefined` | +| `guac.ingress.annotations` | Annotations for the ingress object | `{}` | +| `guac.apiOnlyIngress.enabled` | Whether to deploy an Ingress object to expose API only | `false` | +| `guac.apiOnlyIngress.ingressClassName` | Ingress class name for API only ingress | `undefined` | +| `guac.apiOnlyIngress.apiHostname` | DNS name for the GQL API. 
| `undefined` | +| `guac.apiOnlyIngress.annotations` | Annotations for the API only ingress object | `{}` | +| `guac.backend.ent.db-driver` | database driver to use, one of [postgres | sqlite3 | mysql] or anything supported by sql.DB | `postgres` | +| `guac.backend.ent.db-address` | Full URL of database to connect to | `postgres://guac:guac@host:port/dbName?sslmode=disable` | +| `guac.backend.ent.db-migrate` | Wether to automatically run database migrations on start | `true` | +| `guac.backend.ent.db-debug` | Enable debug logging for database queries | `true` | +| `guac.pubSubAddr` | String gocloud connection string for pubsub configured via https://gocloud.dev/howto/pubsub/ | `undefined` | +| `guac.blobAddr` | gocloud connection string for blob store configured via https://gocloud.dev/howto/blob/ | `undefined` | ### nats 
@@ -201,13 +211,17 @@ This is the configuration for nats. This is a subchart. See full documentation This is the configuration for minio. This is a subchart. See full documentation [here](https://github.com/minio/minio/tree/master/helm/minio). -| Name | Description | Value | -| -------------------- | ------------------------------------------------------ | -------------- | -| `minio.enabled` | Whehter to deploy minio as part of the Helm deployment | `true` | -| `minio.replicas` | Number of replicas. | `1` | -| `minio.mode` | minio mode, i.e. standalone or distributed | `standalone` | -| `minio.rootUser` | root user name. | `rootUser` | -| `minio.rootPassword` | root user password. | `rootPassword` | +| Name | Description | Value | +| -------------------- | ------------------------------------------------------------------------------ | -------------- | +| `minio.enabled` | Whehter to deploy minio as part of the Helm deployment | `true` | +| `minio.replicas` | Number of replicas. | `1` | +| `minio.persistence` | Persistence volume configuration. | `{}` | +| `minio.mode` | minio mode, i.e. standalone or distributed | `standalone` | +| `minio.resources` | resource requests and limits | `{}` | +| `minio.rootUser` | root user name. | `rootUser` | +| `minio.rootPassword` | root user password. | `rootPassword` | +| `minio.buckets` | List of buckets to create after deployment. | `{}` | +| `minio.users` | List of users, in terms of creds and permissions, to create after deployment.? | `{}` | ## Developing For running the unit tests, install the unittest plugin. diff --git a/charts/guac/schema.json b/charts/guac/schema.json index bfb5a74..9b43137 100644 --- a/charts/guac/schema.json +++ b/charts/guac/schema.json 
@@ -26,12 +26,6 @@
 "description": "Path to the GUAC image",
 "default": "ghcr.io/guacsec/guac"
 },
- "tag": {
- "type": "string",
- "description": "Tag if using an image tag. Optional",
- "default": "v0.5.0",
- "nullable": true
- },
 "digest": {
 "type": "string",
 "description": "Sha256 Image Digest. It is strongly recommended to use this for verification.",
@@ -49,6 +43,16 @@
 }
 }
 },
+ "common": {
+ "type": "object",
+ "properties": {
+ "env": {
+ "type": "string",
+ "description": "Environment variables common apply for all guac services",
+ "default": "\"\""
+ }
+ }
+ },
 "ociCollector": {
 "type": "object",
 "properties": {
@@ -514,7 +518,7 @@
 "properties": {
 "ingest": {
 "type": "boolean",
- "description": "Boolean - whether to ingest sample data after deployment",
+ "description": "Boolean Whether to ingest sample data after deployment",
 "default": false
 },
 "jobName": {
diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml
index 2b36f34..4d1598b 100644
--- a/charts/guac/values.yaml
+++ b/charts/guac/values.yaml
@@ -15,7 +15,7 @@ imagePullSecrets:
 ## @param guac.guacImage.digest [string] Sha256 Image Digest. It is strongly recommended to use this for verification.
 ## @param guac.guacImage.pullPolicy ImagePullPolicy for kubernetes
 ## @param guac.guacImage.workingDir Working Directory for GUAC
-## @skip guac.common.env [] Environment variables common apply for all guac services
+## @param guac.common.env [string] Environment variables common apply for all guac services
 ## @param guac.ociCollector.enabled String Whether to deploy OCI Collector
 ## @param guac.ociCollector.name String Name of the OCI Collector component.
 ## @param guac.ociCollector.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader)
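Review bot: Removing the `tag` property from `guacImage` in the schema leaves it undescribed while the values.yaml hunk at -83 still carries `# tag: v0.5.0` as a commented-out override, so the two files now disagree on whether `guac.guacImage.tag` is a supported input. If this schema is validated with `additionalProperties: false` (not visible in the hunk) a user who sets the tag would be rejected; if schema.json is generated from the `@param` annotations instead, the fix belongs in values.yaml, e.g. `## @param guac.guacImage.tag [nullable] Image tag; defaults to the Chart.yaml appVersion`. Either keep the property as `nullable` or drop the commented line so only `digest` and `appVersion` are advertised.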
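Review bot: `common.env` is typed `"type": "string"` with default `"\"\""` in the -49 hunk, but the value it describes is a mapping: the PATCH 30 values.yaml hunk shows `env:` holding `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` keys, so a validator enforcing this schema would reject the chart's own defaults. The same mismatch is in the values.yaml hunk at -15, `## @param guac.common.env [string] ...`, which is likely the source if the schema is regenerated from annotations; the map-valued params in this series (`guac.ingress.annotations [object]`) use `[object]`, so the consistent line is `## @param guac.common.env [object] Environment variables common apply for all guac services`, with the schema entry becoming `"type": "object"` and a `{}` default if it is maintained by hand.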
@@ -83,30 +83,30 @@ imagePullSecrets:
 ## @param guac.visualizer.env Environment variables for the visualizer.
 ## @param guac.visualizer.nodeSelector - sets the node selector for where to run the deployment
 ## @param guac.observability.deployServiceMonitor Boolean Deploy the service monitor for observability
-## @param guac.sampleData.ingest Boolean - whether to ingest sample data after deployment
+## @param guac.sampleData.ingest Boolean Whether to ingest sample data after deployment
 ## @param guac.sampleData.jobName Name of the sample data ingest job
 ## @param guac.sampleData.env Environment variables for the sample data ingest job
 ## @param guac.ingress.enabled Whether to deploy an Ingress object
-## @disabled-param guac.ingress.ingressClassName Ingress class name
-## @disabled-param guac.ingress.webuiHostname DNS name for the UI components - e.g. Visualizer, GQL playground
-## @disabled-param guac.ingress.apiHostname DNS name for the GQL API. When specified, GQL API won't be served at webuiHostname
-## @disabled-param guac.ingress.annotations Annotations for the ingress object
+## @param guac.ingress.ingressClassName [nullable] Ingress class name
+## @param guac.ingress.webuiHostname [nullable] DNS name for the UI components - e.g. Visualizer, GQL playground
+## @param guac.ingress.apiHostname [nullable] DNS name for the GQL API. When specified, GQL API won't be served at webuiHostname
+## @param guac.ingress.annotations [object] Annotations for the ingress object
 ## @param guac.apiOnlyIngress.enabled Whether to deploy an Ingress object to expose API only
-## @disabled-param guac.apiOnlyIngress.ingressClassName Ingress class name for API only ingress
-## @disabled-param guac.apiOnlyIngress.apiHostname DNS name for the GQL API.
-## @disabled-param guac.apiOnlyIngress.annotations Annotations for the API only ingress object
+## @param guac.apiOnlyIngress.ingressClassName [nullable] Ingress class name for API only ingress
+## @param guac.apiOnlyIngress.apiHostname [nullable] DNS name for the GQL API.
+## @param guac.apiOnlyIngress.annotations [object] Annotations for the API only ingress object
 ## @param guac.backend.ent.db-driver database driver to use, one of [postgres | sqlite3 | mysql] or anything supported by sql.DB
 ## @param guac.backend.ent.db-address Full URL of database to connect to
 ## @param guac.backend.ent.db-migrate Wether to automatically run database migrations on start
 ## @param guac.backend.ent.db-debug Enable debug logging for database queries
-## @skip guac.pubSubAddr String gocloud connection string for pubsub configured via https://gocloud.dev/howto/pubsub/
-## @skip guac.blobAddr String gocloud connection string for blob store configured via https://gocloud.dev/howto/blob/
+## @param guac.pubSubAddr [nullable] String gocloud connection string for pubsub configured via https://gocloud.dev/howto/pubsub/
+## @param guac.blobAddr [nullable] gocloud connection string for blob store configured via https://gocloud.dev/howto/blob/
 guac:
 guacImage:
 repository: ghcr.io/guacsec/guac
 # if not set appVersion field from Chart.yaml is used
- tag: v0.5.0
+ # tag: v0.5.0
 # When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value).
 digest: ""
 pullPolicy: IfNotPresent
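Review bot: `## @param guac.pubSubAddr [nullable] String gocloud connection string ...` keeps a leading `String` that the neighbouring `guac.blobAddr` line drops in the same hunk, and the word duplicates the `[nullable]` type tag; make the two lines read alike, `## @param guac.pubSubAddr [nullable] gocloud connection string for pubsub configured via https://gocloud.dev/howto/pubsub/`. Separately, with `tag` now commented out and `digest: ""` the default image is resolved from the Chart.yaml `appVersion` tag alone, which the comment above it only implies; stating it next to the digest option the file already recommends would help operators, e.g. `# tag: ""  # defaults to Chart.yaml appVersion; set digest below to pin the image`.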
@@ -307,13 +307,13 @@ nats:
 ## @descriptionEnd
 ## @param minio.enabled Whehter to deploy minio as part of the Helm deployment
 ## @param minio.replicas Number of replicas.
-## @skip minio.persistence Persistence volume configuration.
+## @param minio.persistence [object] Persistence volume configuration.
 ## @param minio.mode minio mode, i.e. standalone or distributed
-## @skip minio.resources resource requests and limits
+## @param minio.resources [object] resource requests and limits
 ## @param minio.rootUser root user name.
 ## @param minio.rootPassword root user password.
-## @skip minio.buckets List of buckets to create after deployment.?
-## @skip minio.users List of users, in terms of creds and permissions, to create after deployment.?
+## @param minio.buckets [object] List of buckets to create after deployment.
+## @param minio.users [object] List of users, in terms of creds and permissions, to create after deployment.?
 minio:
 enabled: true
 replicas: 1
From f86edb33b10e3deba0d6d76fecd0fa70dda00cf2 Mon Sep 17 00:00:00 2001
From: Sunny Yip
Date: Fri, 8 Mar 2024 10:55:09 -0500
Subject: [PATCH 29/30] bump version and include minio as a dependency
Signed-off-by: Sunny Yip
---
 charts/guac/Chart.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/charts/guac/Chart.yaml b/charts/guac/Chart.yaml
index 0cc06f3..f2d7a83 100644
--- a/charts/guac/Chart.yaml
+++ b/charts/guac/Chart.yaml
@@ -10,7 +10,7 @@ maintainers:
 type: application
 version: 0.2.7
-appVersion: "v0.4.0"
+appVersion: "v0.5.0"
 dependencies:
 - name: nats
@@ -18,6 +18,7 @@ dependencies:
 repository: "https://nats-io.github.io/k8s/helm/charts/"
 condition: nats.enabled
+# See s3 compatible storage config for MinIO at https://gocloud.dev/howto/blob/#s3
 - name: minio
 version: "~5.0.15"
 repository: "https://charts.min.io/"
From cbfd5fef04dc647b9cafc7148356718328109ec6 Mon Sep 17 00:00:00 2001
From: Sunny Yip
Date: Fri, 8 Mar 2024 11:00:10 -0500
Subject: [PATCH 30/30] fix linting error
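Review bot: `## @param minio.users [object] List of users, in terms of creds and permissions, to create after deployment.?` keeps the trailing `?` that this same hunk removes from the `minio.buckets` line, and the README table in the -201 hunk reproduces it; if the README is generated from these annotations, fixing it here fixes both: `## @param minio.users [object] List of users, in terms of creds and permissions, to create after deployment.`. Both descriptions also say "List of" while the tag is `[object]` and the README default is `{}`; if the MinIO subchart expects sequences for `buckets` and `users` (not visible here), `[array]` with a `[]` default would describe them accurately.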
Signed-off-by: Sunny Yip
---
 charts/guac/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml
index 4d1598b..7245041 100644
--- a/charts/guac/values.yaml
+++ b/charts/guac/values.yaml
@@ -116,7 +116,7 @@ guac:
 # env: {}
 # COMMON_ENV_NAME: COMMON_ENV_VALUE
 env:
- # default creds (set at minio.users) for accessing minio blobstore. Remove when changing default blobAddr.
+ # default creds (set at minio.users) for accessing minio blobstore. Remove when changing default blobAddr.
 AWS_ACCESS_KEY_ID: accessKey
 AWS_SECRET_ACCESS_KEY: secretKey