Merge pull request #27 from ScienceSoft-Inc/refactor_helm

Changes in helm charts for database and demo-app
ScienceSoft-Inc · Aug 11, 2022 · 9d37b9c · 9d37b9c
2 parents 7546437 + fc4a091
commit 9d37b9c
Show file tree

Hide file tree

Showing 8 changed files with 85 additions and 115 deletions.
diff --git a/README.md b/README.md
@@ -1,8 +1,8 @@
-![GitHub contributors](https://img.shields.io/github/contributors/ScienceSoft-Inc/k8s-container-integrity-monitor)
-![GitHub last commit](https://img.shields.io/github/last-commit/ScienceSoft-Inc/k8s-container-integrity-monitor)
-![GitHub](https://img.shields.io/github/license/ScienceSoft-Inc/k8s-container-integrity-monitor)
-![GitHub issues](https://img.shields.io/github/issues/ScienceSoft-Inc/k8s-container-integrity-monitor)
-![GitHub forks](https://img.shields.io/github/forks/ScienceSoft-Inc/k8s-container-integrity-monitor)
+[![GitHub contributors](https://img.shields.io/github/contributors/ScienceSoft-Inc/k8s-container-integrity-monitor)](https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor)
+[![GitHub last commit](https://img.shields.io/github/last-commit/ScienceSoft-Inc/k8s-container-integrity-monitor)](https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor)
+[![GitHub](https://img.shields.io/github/license/ScienceSoft-Inc/k8s-container-integrity-monitor)](https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor/blob/main/LICENSE)
+[![GitHub issues](https://img.shields.io/github/issues/ScienceSoft-Inc/k8s-container-integrity-monitor)](https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor/issues)
+[![GitHub forks](https://img.shields.io/github/forks/ScienceSoft-Inc/k8s-container-integrity-monitor)](https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor/network/members)
 
 ![Go](https://img.shields.io/badge/go-%2300ADD8.svg?style=for-the-badge&logo=go&logoColor=white)
 ![Kubernetes](https://img.shields.io/badge/kubernetes-%23326ce5.svg?style=for-the-badge&logo=kubernetes&logoColor=white)
@@ -41,131 +41,95 @@ k8s-container-integrity-monitor injects a `hasher-webhook-injector-sidecar` to y
 $ git clone https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor.git
 $ cd path/to/install
 ```
+Download the named modules into the module cache
+```
+go mod download
+```
+
+## :hammer: Installing components
 ### Running locally
-The code only works running inside a pod in Kubernetes
+The code only works running inside a pod in Kubernetes.
 You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster.
 If you do not already have a cluster, you can create one by using `minikube`.  
 Example https://minikube.sigs.k8s.io/docs/start/
 
+### Install Helm
+Before using helm charts you need to install helm on your local machine.  
+You can find the necessary installation information at this link https://helm.sh/docs/intro/install/
+
 ### Configuration
 To work properly, you first need to set the configuration files:
-+ environmental variables in the `.env` file
-+ config in file `manifests/hasher/configMap.yaml`
-+ secret for database `manifests/database/postgres-secret.yaml`
++ values in the file `helm-charts/database-to-integrity-sum/values.yaml`
++ values in the file `helm-charts/demo-apps-to-monitor/values.yaml`
++ values in the file `helm-charts/mutator/values.yaml`
 
-
-## :hammer: Installing components
-
-### Installation DATABASE
-Apply all annotations in directory "manifests/database/..":
+## Manual start
++ Minikube start
 ```
-kubectl apply -f manifests/database/postgres-db-pv.yaml
-kubectl apply -f manifests/database/postgres-db-pvc.yaml
-kubectl apply -f manifests/database/postgres-secret.yaml
-kubectl apply -f manifests/database/postgres-db-deployment.yaml
-kubectl apply -f manifests/database/postgres-db-service.yaml
+minikube start
 ```
+1) You should go to the `README.md` in the `./k8s-container-integrity-mutator` project and set all the settings and certificates.
 
-### Installation WEBHOOK
-Generate CA in /tmp :
+Build docker images mutator:
 ```
-cfssl gencert -initca ./webhook/tls/ca-csr.json | cfssljson -bare /tmp/ca
+eval $(minikube docker-env)
+cd k8s-container-integrity-mutator
+docker build -t mutator
 ```
-
-Generate private key and certificate for SSL connection:
+or 
 ```
-cfssl gencert \
--ca=/tmp/ca.pem \
--ca-key=/tmp/ca-key.pem \
--config=./webhook/tls/ca-config.json \
--hostname="k8s-webhook-injector,k8s-webhook-injector.default.svc.cluster.local,k8s-webhook-injector.default.svc,localhost,127.0.0.1" \
--profile=default \
-./webhook/tls/ca-csr.json | cfssljson -bare /tmp/k8s-webhook-injector
+eval $(minikube docker-env)
+docker build -t mutator -f k8s-container-integrity-mutator/Dockerfile .
 ```
-
-Move your SSL key and certificate to the ssl directory:
+Install helm chart:
+for example
 ```
-mkdir webhook/ssl
-mv /tmp/k8s-webhook-injector.pem ./webhook/ssl/k8s-webhook-injector.pem
-mv /tmp/k8s-webhook-injector-key.pem ./webhook/ssl/k8s-webhook-injector.key
+helm install mutator helm-charts/mutator
 ```
-
-Update configuration data in the manifests/webhook/webhook-configMap.yaml file with your key in the appropriate field `data:server.key` and certificate in the appropriate field `data:server.crt:`:
+2) You need to install the database using helm charts.  
+Update the on-disk dependencies to mirror Chart.yaml.
 ```
-cat ./webhook/ssl/k8s-webhook-injector.key | base64 | tr -d '\n'
-cat ./webhook/ssl/k8s-webhook-injector.pem | base64 | tr -d '\n'
+helm dependency update helm-charts/database-to-integrity-sum
 ```
-
-Update field `caBundle` value in the manifests/webhook/webhook-configuration.yaml file with your base64 encoded CA certificate:
+Install helm chart:
+for example
 ```
-cat /tmp/ca.pem | base64 | tr -d '\n'
+helm install db helm-charts/database-to-integrity-sum
 ```
 
-## Quick start
-Build docker images webhook and hasher:
+3) You should go to the `README.md` in the `./integrity-sum` project and set all the settings.
+   Build docker images mutator:
 ```
 eval $(minikube docker-env)
-docker build -t webhook -f webhook/Dockerfile .
-docker build -t hasher .
-```
-Apply webhook annotation:
+cd integrity-sum
+docker build -t hasher
 ```
-kubectl apply -f manifests/webhook/webhook-configMap.yaml
-kubectl apply -f manifests/webhook/webhook-deployment.yaml
-kubectl apply -f manifests/webhook/webhook-service.yaml
-kubectl apply -f manifests/webhook/webhook-configuration.yaml
+or
 ```
-Apply hasher annotation:
-```
-kubectl apply -f manifests/hasher/service-account-hasher.yaml
-kubectl apply -f manifests/hasher/configMap.yaml
+eval $(minikube docker-env)
+docker build -t hasher -f integrity-sum/Dockerfile .
 ```
-
-See examples in manifests/hasher directory for how to add the `hasher-webhook` sidecar-container to any pod, and the service account needed.
-For example there is manifests/hasher/test-nginx-deploy.yaml DEPLOYMENT files:
+Install helm chart:
+for example
 ```
-kubectl apply -f manifests/hasher/test-nginx-deploy.yaml
+helm install app helm-charts/demo-apps-to-monitor
 ```
 
-##Pay attention!
-If you want to use a hasher-webhook-injector-sidecar, then you need to specify the following data in your deployment:
-+ `spec:template:metadata:labels:hasher-webhook-injector-sidecar: "true"`
-+ `hasher-webhook-process-name: "your main process name"`
+## Quick start
+### Using Makefile
 
 ## Troubleshooting
 Sometimes you may find that pod is injected with sidecar container as expected, check the following items:
 
 1) The pod is in running state with `hasher-sidecar` sidecar container injected and no error logs.
-2) Check if the application pod has he correct labels `hasher-webhook-injector-sidecar: "true"` and installed `hasher-webhook-process-name`.
+2) Check if the application demo-pod has he correct labels `hasher-certificates-injector-sidecar: "true"` and installed `main-process-name`.
 ___________________________
-### :notebook_with_decorative_cover: Godoc extracts and generates documentation for Go programs
-#### Presents the documentation as a web page.
-```go
-godoc -http=:6060/sha256sum
-go doc packge.function_name
-```
-for example
-```go
-go doc pkg/api.Result
-```
-
 ### :mag: Running tests
 
 You need to go to the folder where the file is located *_test.go and run the following command:
 ```go
-go test -v
-```
-
-for example
-```go
-cd ../pkg/api
-go test -v
-```
-
-### :mag: Running linter "golangci-lint"
-```
-golangci-lint run
+go test -v ./..
 ```
 
-##License
-This project uses the MIT software license. See [full license file](https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor/blob/main/LICENSE)
+## License
+This project uses the MIT software license. See [full license file](https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor/blob/main/LICENSE)
diff --git a/helm-charts/database-to-integrity-sum/templates/secrets.yaml b/helm-charts/database-to-integrity-sum/templates/secrets.yaml
@@ -4,14 +4,14 @@ metadata:
   name: {{.Release.Name}}-{{ .Values.secretName}}
   namespace: {{ .Release.Namespace }}
 type: Opaque
-stringData:  # We dont need to worry about converting to base64
+stringData:  # We don't need to worry about converting to base64
   POSTGRES_USER: {{ .Values.postgresql.auth.username }}
   POSTGRES_PASSWORD: "{{ .Values.postgresql.auth.password }}"
   POSTGRES_DB: {{ .Values.postgresql.auth.database }}
 
   DB_HOST: {{.Release.Name}}-postgresql
-  DB_DRIVER: postgres
+  DB_DRIVER: {{ .Values.databaseDriver }}
   DB_USER: {{ .Values.postgresql.auth.username }}
   DB_PASSWORD: "{{ .Values.postgresql.auth.postgresPassword }}"
   DB_NAME: {{ .Values.postgresql.auth.database }}
-  DB_PORT: "5432"
+  DB_PORT: "{{ .Values.postgresql.primary.service.port}}"
diff --git a/helm-charts/database-to-integrity-sum/values.yaml b/helm-charts/database-to-integrity-sum/values.yaml
@@ -1,5 +1,7 @@
 # Dependency to database "postgresql"
-secretName: secret-database-to-integrety-sum # Set the unique name for secret for database
+# Set the unique name for secret for database
+secretName: secret-database-to-integrity-sum
+databaseDriver: postgres
 
 postgresql:
   auth:
@@ -16,10 +18,10 @@ postgresql:
         # Set by the initdb script during initial container startup
         00_init_extensions.sh: |
           #!/bin/sh
-          export PGPASSWORD=$POSTGRES_PASSWORD 
+          export PGPASSWORD=$POSTGRES_PASSWORD
           psql -w -d $POSTGRES_DB -U $POSTGRES_USER -c "
-          CREATE TABLE IF NOT EXISTS hashfiles 
-          ( 
+          CREATE TABLE IF NOT EXISTS hashfiles
+          (
           id                BIGSERIAL PRIMARY KEY,
           file_name         VARCHAR NOT NULL,
           full_file_path    TEXT    NOT NULL,
@@ -28,8 +30,7 @@ postgresql:
           name_deployment   TEXT,
           name_pod          TEXT,
           time_of_creation  VARCHAR (50),
-          image_tag         TEXT,
-          CONSTRAINT files_unique UNIQUE (full_file_path, algorithm)
+          image_tag         TEXT
           );"
 
     # Enable security context

diff --git a/helm-charts/demo-apps-to-monitor/Chart.yaml b/helm-charts/demo-apps-to-monitor/Chart.yaml
@@ -3,4 +3,4 @@ name       : NginxDemo-HelmChart
 description: Helm Chart for demonstration Container Monitor App work
 type       : application
 version    : 0.1.0
-
+appVersion: "1.0.0"
diff --git a/helm-charts/demo-apps-to-monitor/templates/configMap.yaml b/helm-charts/demo-apps-to-monitor/templates/configMap.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
-  kind: ConfigMap
-  metadata:
-    name: hasher-config
+kind: ConfigMap
+metadata:
+  name: {{.Release.Name}}-{{ .Values.configMap.name }}
   data:
     {{ .Values.container.name }}: |
       PID_NAME={{ .Values.configMap.processName }}
-      MOUNT_PATH={{ .Values.configMap.mountPath }}
+      MOUNT_PATH={{ .Values.configMap.mountPath }}
diff --git a/helm-charts/demo-apps-to-monitor/templates/deployment.yaml b/helm-charts/demo-apps-to-monitor/templates/deployment.yaml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ .Values.metadata.deploymentName }}
+  name: {{ .Release.Name}}-{{ .Values.metadata.deploymentName }}
   labels:
     app: {{ .Values.metadata.appName }}
 spec:
@@ -18,13 +18,13 @@ spec:
     metadata:
       labels:
         app: {{ .Values.metadata.appName }}
-        hasher-webhook-process-name: "{{ .Values.processName }}"
-        hasher-webhook-injector-sidecar: "true"
+        main-process-name: "{{ .Values.configMap.processName }}"
+        hasher-certificates-injector-sidecar: "true"
     spec:
-      serviceAccountName: {{ .Values.serviceAccount }}
+      serviceAccountName: {{ .Release.Name}}-{{ .Values.serviceAccount }}
       shareProcessNamespace: true
       containers:
         - name: {{ .Values.container.name }}
           image: {{ .Values.container.image }}
           stdin: true
-          tty: true
+          tty: true
diff --git a/helm-charts/demo-apps-to-monitor/templates/serviceAccount.yaml b/helm-charts/demo-apps-to-monitor/templates/serviceAccount.yaml
@@ -1,13 +1,13 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Values.serviceAccount }}
+  name: {{.Release.Name}}-{{ .Values.serviceAccount }}
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ .Values.serviceAccount }}
+  name: {{.Release.Name}}-{{ .Values.serviceAccount }}
 rules:
   - apiGroups: ["apps"]
     verbs: ["patch", "get", "list"]
@@ -23,11 +23,11 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ .Values.serviceAccount }}
+  name: {{.Release.Name}}-{{ .Values.serviceAccount }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ .Values.serviceAccount }}
+  name: {{.Release.Name}}-{{ .Values.serviceAccount }}
 subjects:
   - kind: ServiceAccount
-    name: {{ .Values.serviceAccount }}
+    name: {{.Release.Name}}-{{ .Values.serviceAccount }}
diff --git a/helm-charts/demo-apps-to-monitor/values.yaml b/helm-charts/demo-apps-to-monitor/values.yaml
@@ -21,5 +21,10 @@ replicaCount: 1
 
 # Configuration file variables
 configMap:
+  name: integrity-sum-config
   processName: nginx # Container process name
   mountPath: etc/nginx # Tracked folder path
+
+# Data secrets in the database
+secretNameDB: secret-database-to-integrity-sum
+releaseNameDB: db