From fc4a0917880e81dbcfa734f91a2221e4aee9863c Mon Sep 17 00:00:00 2001
From: Irina-Kaborda
Date: Fri, 5 Aug 2022 13:50:37 +0300
Subject: [PATCH] changed helm charts for database and demo-app, README

---
 README.md | 146 +++++++-----
 .../templates/secrets.yaml | 6 +-
 .../database-to-integrity-sum/values.yaml | 13 +-
 helm-charts/demo-apps-to-monitor/Chart.yaml | 2 +-
 .../templates/configMap.yaml | 8 +-
 .../templates/deployment.yaml | 10 +-
 .../templates/serviceAccount.yaml | 10 +-
 helm-charts/demo-apps-to-monitor/values.yaml | 5 +
 8 files changed, 85 insertions(+), 115 deletions(-)

diff --git a/README.md b/README.md
index 14d97f2..cd04517 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,8 @@ -![GitHub contributors](https://img.shields.io/github/contributors/ScienceSoft-Inc/k8s-container-integrity-monitor) -![GitHub last commit](https://img.shields.io/github/last-commit/ScienceSoft-Inc/k8s-container-integrity-monitor) -![GitHub](https://img.shields.io/github/license/ScienceSoft-Inc/k8s-container-integrity-monitor) -![GitHub issues](https://img.shields.io/github/issues/ScienceSoft-Inc/k8s-container-integrity-monitor) -![GitHub forks](https://img.shields.io/github/forks/ScienceSoft-Inc/k8s-container-integrity-monitor) +[![GitHub contributors](https://img.shields.io/github/contributors/ScienceSoft-Inc/k8s-container-integrity-monitor)](https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor) +[![GitHub last commit](https://img.shields.io/github/last-commit/ScienceSoft-Inc/k8s-container-integrity-monitor)](https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor) +[![GitHub](https://img.shields.io/github/license/ScienceSoft-Inc/k8s-container-integrity-monitor)](https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor/blob/main/LICENSE) +[![GitHub issues](https://img.shields.io/github/issues/ScienceSoft-Inc/k8s-container-integrity-monitor)](https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor/issues) +[![GitHub forks](https://img.shields.io/github/forks/ScienceSoft-Inc/k8s-container-integrity-monitor)](https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor/network/members) ![Go](https://img.shields.io/badge/go-%2300ADD8.svg?style=for-the-badge&logo=go&logoColor=white) ![Kubernetes](https://img.shields.io/badge/kubernetes-%23326ce5.svg?style=for-the-badge&logo=kubernetes&logoColor=white) 
@@ -41,131 +41,95 @@ k8s-container-integrity-monitor injects a `hasher-webhook-injector-sidecar` to y $ git clone https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor.git $ cd path/to/install ``` +Download the named modules into the module cache +``` +go mod download +``` + +## :hammer: Installing components ### Running locally -The code only works running inside a pod in Kubernetes +The code only works running inside a pod in Kubernetes. You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using `minikube`. Example https://minikube.sigs.k8s.io/docs/start/ +### Install Helm +Before using helm charts you need to install helm on your local machine. +You can find the necessary installation information at this link https://helm.sh/docs/intro/install/ + ### Configuration To work properly, you first need to set the configuration files: -+ environmental variables in the `.env` file -+ config in file `manifests/hasher/configMap.yaml` -+ secret for database `manifests/database/postgres-secret.yaml` ++ values in the file `helm-charts/database-to-integrity-sum/values.yaml` ++ values in the file `helm-charts/demo-apps-to-monitor/values.yaml` ++ values in the file `helm-charts/mutator/values.yaml` - -## :hammer: Installing components - -### Installation DATABASE -Apply all annotations in directory "manifests/database/..": +## Manual start ++ Minikube start ``` -kubectl apply -f manifests/database/postgres-db-pv.yaml -kubectl apply -f manifests/database/postgres-db-pvc.yaml -kubectl apply -f manifests/database/postgres-secret.yaml -kubectl apply -f manifests/database/postgres-db-deployment.yaml -kubectl apply -f manifests/database/postgres-db-service.yaml +minikube start ``` +1) You should go to the `README.md` in the `./k8s-container-integrity-mutator` project and set all the settings and certificates. 
-### Installation WEBHOOK -Generate CA in /tmp : +Build docker images mutator: ``` -cfssl gencert -initca ./webhook/tls/ca-csr.json | cfssljson -bare /tmp/ca +eval $(minikube docker-env) +cd k8s-container-integrity-mutator +docker build -t mutator ``` - -Generate private key and certificate for SSL connection: +or ``` -cfssl gencert \ --ca=/tmp/ca.pem \ --ca-key=/tmp/ca-key.pem \ --config=./webhook/tls/ca-config.json \ --hostname="k8s-webhook-injector,k8s-webhook-injector.default.svc.cluster.local,k8s-webhook-injector.default.svc,localhost,127.0.0.1" \ --profile=default \ -./webhook/tls/ca-csr.json | cfssljson -bare /tmp/k8s-webhook-injector +eval $(minikube docker-env) +docker build -t mutator -f k8s-container-integrity-mutator/Dockerfile . ``` - -Move your SSL key and certificate to the ssl directory: +Install helm chart: +for example ``` -mkdir webhook/ssl -mv /tmp/k8s-webhook-injector.pem ./webhook/ssl/k8s-webhook-injector.pem -mv /tmp/k8s-webhook-injector-key.pem ./webhook/ssl/k8s-webhook-injector.key +helm install mutator helm-charts/mutator ``` - -Update configuration data in the manifests/webhook/webhook-configMap.yaml file with your key in the appropriate field `data:server.key` and certificate in the appropriate field `data:server.crt:`: +2) You need to install the database using helm charts. +Update the on-disk dependencies to mirror Chart.yaml. 
``` -cat ./webhook/ssl/k8s-webhook-injector.key | base64 | tr -d '\n' -cat ./webhook/ssl/k8s-webhook-injector.pem | base64 | tr -d '\n' +helm dependency update helm-charts/database-to-integrity-sum ``` - -Update field `caBundle` value in the manifests/webhook/webhook-configuration.yaml file with your base64 encoded CA certificate: +Install helm chart: +for example ``` -cat /tmp/ca.pem | base64 | tr -d '\n' +helm install db helm-charts/database-to-integrity-sum ``` -## Quick start -Build docker images webhook and hasher: +3) You should go to the `README.md` in the `./integrity-sum` project and set all the settings. + Build docker images mutator: ``` eval $(minikube docker-env) -docker build -t webhook -f webhook/Dockerfile . -docker build -t hasher . -``` -Apply webhook annotation: +cd integrity-sum +docker build -t hasher ``` -kubectl apply -f manifests/webhook/webhook-configMap.yaml -kubectl apply -f manifests/webhook/webhook-deployment.yaml -kubectl apply -f manifests/webhook/webhook-service.yaml -kubectl apply -f manifests/webhook/webhook-configuration.yaml +or ``` -Apply hasher annotation: -``` -kubectl apply -f manifests/hasher/service-account-hasher.yaml -kubectl apply -f manifests/hasher/configMap.yaml +eval $(minikube docker-env) +docker build -t hasher -f integrity-sum/Dockerfile . ``` - -See examples in manifests/hasher directory for how to add the `hasher-webhook` sidecar-container to any pod, and the service account needed. -For example there is manifests/hasher/test-nginx-deploy.yaml DEPLOYMENT files: +Install helm chart: +for example ``` -kubectl apply -f manifests/hasher/test-nginx-deploy.yaml +helm install app helm-charts/demo-apps-to-monitor ``` -##Pay attention! 
-If you want to use a hasher-webhook-injector-sidecar, then you need to specify the following data in your deployment: -+ `spec:template:metadata:labels:hasher-webhook-injector-sidecar: "true"` -+ `hasher-webhook-process-name: "your main process name"` +## Quick start +### Using Makefile ## Troubleshooting Sometimes you may find that pod is injected with sidecar container as expected, check the following items: 1) The pod is in running state with `hasher-sidecar` sidecar container injected and no error logs. -2) Check if the application pod has he correct labels `hasher-webhook-injector-sidecar: "true"` and installed `hasher-webhook-process-name`. +2) Check if the application demo-pod has he correct labels `hasher-certificates-injector-sidecar: "true"` and installed `main-process-name`. ___________________________ -### :notebook_with_decorative_cover: Godoc extracts and generates documentation for Go programs -#### Presents the documentation as a web page. -```go -godoc -http=:6060/sha256sum -go doc packge.function_name -``` -for example -```go -go doc pkg/api.Result -``` - ### :mag: Running tests You need to go to the folder where the file is located *_test.go and run the following command: ```go -go test -v -``` - -for example -```go -cd ../pkg/api -go test -v -``` - -### :mag: Running linter "golangci-lint" -``` -golangci-lint run +go test -v ./.. ``` -##License -This project uses the MIT software license. See [full license file](https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor/blob/main/LICENSE) \ No newline at end of file +## License +This project uses the MIT software license. See [full license file](https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor/blob/main/LICENSE) diff --git a/helm-charts/database-to-integrity-sum/templates/secrets.yaml b/helm-charts/database-to-integrity-sum/templates/secrets.yaml index 1d79e15..80390da 100644 --- a/helm-charts/database-to-integrity-sum/templates/secrets.yaml 
+++ b/helm-charts/database-to-integrity-sum/templates/secrets.yaml
@@ -4,14 +4,14 @@ metadata:
 name: {{.Release.Name}}-{{ .Values.secretName}}
 namespace: {{ .Release.Namespace }}
 type: Opaque
-stringData: # We dont need to worry about converting to base64
+stringData: # We don't need to worry about converting to base64
 POSTGRES_USER: {{ .Values.postgresql.auth.username }}
 POSTGRES_PASSWORD: "{{ .Values.postgresql.auth.password }}"
 POSTGRES_DB: {{ .Values.postgresql.auth.database }}
 DB_HOST: {{.Release.Name}}-postgresql
- DB_DRIVER: postgres
+ DB_DRIVER: {{ .Values.databaseDriver }}
 DB_USER: {{ .Values.postgresql.auth.username }}
 DB_PASSWORD: "{{ .Values.postgresql.auth.postgresPassword }}"
 DB_NAME: {{ .Values.postgresql.auth.database }}
- DB_PORT: "5432"
+ DB_PORT: "{{ .Values.postgresql.primary.service.port}}"
diff --git a/helm-charts/database-to-integrity-sum/values.yaml b/helm-charts/database-to-integrity-sum/values.yaml
index f38e102..aa47383 100644
--- a/helm-charts/database-to-integrity-sum/values.yaml
+++ b/helm-charts/database-to-integrity-sum/values.yaml
@@ -1,5 +1,7 @@
 # Dependency to database "postgresql"
-secretName: secret-database-to-integrety-sum # Set the unique name for secret for database
+# Set the unique name for secret for database
+secretName: secret-database-to-integrity-sum
+databaseDriver: postgres
 postgresql:
 auth:
@@ -16,10 +18,10 @@ postgresql:
 # Set by the initdb script during initial container startup
 00_init_extensions.sh: |
 #!/bin/sh
- export PGPASSWORD=$POSTGRES_PASSWORD
+ export PGPASSWORD=$POSTGRES_PASSWORD
 psql -w -d $POSTGRES_DB -U $POSTGRES_USER -c "
- CREATE TABLE IF NOT EXISTS hashfiles
- (
+ CREATE TABLE IF NOT EXISTS hashfiles
+ (
 id BIGSERIAL PRIMARY KEY,
 file_name VARCHAR NOT NULL,
 full_file_path TEXT NOT NULL,
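Review bot: `DB_PASSWORD` is filled from `.Values.postgresql.auth.postgresPassword` while `DB_USER` two lines above it is `.Values.postgresql.auth.username`, and `POSTGRES_PASSWORD` in the same Secret uses `auth.password`. In the Bitnami postgresql subchart this file appears to wrap, `auth.postgresPassword` is the password of the `postgres` superuser and `auth.password` the one for `auth.username`, so the `DB_*` pair either fails to authenticate or, if the username is set to `postgres`, gives the application superuser rights on the database. Unless the application genuinely needs the superuser, the line should read `DB_PASSWORD: "{{ .Values.postgresql.auth.password }}"`. The new `DB_PORT` also assumes the subchart exposes `postgresql.primary.service.port`; if that key is not set, the Secret renders an empty port string, and neither `values.yaml` hunk in this patch pins it, so it is worth adding it there explicitly.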
@@ -28,8 +30,7 @@ postgresql:
 name_deployment TEXT,
 name_pod TEXT,
 time_of_creation VARCHAR (50),
- image_tag TEXT,
- CONSTRAINT files_unique UNIQUE (full_file_path, algorithm)
+ image_tag TEXT
 );"
 # Enable security context
diff --git a/helm-charts/demo-apps-to-monitor/Chart.yaml b/helm-charts/demo-apps-to-monitor/Chart.yaml
index 8f96123..39d3feb 100644
--- a/helm-charts/demo-apps-to-monitor/Chart.yaml
+++ b/helm-charts/demo-apps-to-monitor/Chart.yaml
@@ -3,4 +3,4 @@ name : NginxDemo-HelmChart
 description: Helm Chart for demonstration Container Monitor App work
 type : application
 version : 0.1.0
-
+appVersion: "1.0.0"
diff --git a/helm-charts/demo-apps-to-monitor/templates/configMap.yaml b/helm-charts/demo-apps-to-monitor/templates/configMap.yaml
index 759b2d3..cbb3b8b 100644
--- a/helm-charts/demo-apps-to-monitor/templates/configMap.yaml
+++ b/helm-charts/demo-apps-to-monitor/templates/configMap.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
- kind: ConfigMap
- metadata:
- name: hasher-config
+kind: ConfigMap
+metadata:
+ name: {{.Release.Name}}-{{ .Values.configMap.name }}
 data:
 {{ .Values.container.name }}: |
 PID_NAME={{ .Values.configMap.processName }}
- MOUNT_PATH={{ .Values.configMap.mountPath }}
\ No newline at end of file
+ MOUNT_PATH={{ .Values.configMap.mountPath }}
diff --git a/helm-charts/demo-apps-to-monitor/templates/deployment.yaml b/helm-charts/demo-apps-to-monitor/templates/deployment.yaml
index 5c5ef57..1f37b96 100644
--- a/helm-charts/demo-apps-to-monitor/templates/deployment.yaml
+++ b/helm-charts/demo-apps-to-monitor/templates/deployment.yaml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: {{ .Values.metadata.deploymentName }}
+ name: {{ .Release.Name}}-{{ .Values.metadata.deploymentName }}
 labels:
 app: {{ .Values.metadata.appName }}
 spec:
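Review bot: Dropping `CONSTRAINT files_unique UNIQUE (full_file_path, algorithm)` from the `hashfiles` table removes the only guard against two stored hashes for the same file and algorithm, which is exactly the lookup an integrity check performs; with duplicates the comparison becomes ambiguous (which row is the reference?) and a stale or extra row could mask a real mismatch. If the constraint was removed because the same path legitimately appears in several pods or deployments (the table carries `name_pod` and `name_deployment` columns), widen the key rather than delete it, for example `CONSTRAINT files_unique UNIQUE (full_file_path, algorithm, name_pod)`. The `CREATE TABLE` statement starts in the previous hunk, outside this one.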
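Review bot: The ConfigMap's name moves from the fixed `hasher-config` to `{{.Release.Name}}-{{ .Values.configMap.name }}`, but nothing else in this patch references the new name: the deployment hunks only rename the Deployment and ServiceAccount, and the new default `integrity-sum-config` appears nowhere but in values.yaml. If the mutator injects the sidecar's environment from a ConfigMap it looks up by name, that lookup now has to know the release prefix, so either make it configurable on the mutator side or state the dependency here with a comment above `name:` such as `# Must match the ConfigMap name the mutator mounts into the sidecar (release-prefixed)`. The `data` key is `{{ .Values.container.name }}`, so the file name the sidecar reads also changes with the container name; worth a comment on that line too if it is a contract with the mutator.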
@@ -18,13 +18,13 @@ spec:
 metadata:
 labels:
 app: {{ .Values.metadata.appName }}
- hasher-webhook-process-name: "{{ .Values.processName }}"
- hasher-webhook-injector-sidecar: "true"
+ main-process-name: "{{ .Values.configMap.processName }}"
+ hasher-certificates-injector-sidecar: "true"
 spec:
- serviceAccountName: {{ .Values.serviceAccount }}
+ serviceAccountName: {{ .Release.Name}}-{{ .Values.serviceAccount }}
 shareProcessNamespace: true
 containers:
 - name: {{ .Values.container.name }}
 image: {{ .Values.container.image }}
 stdin: true
- tty: true
\ No newline at end of file
+ tty: true
diff --git a/helm-charts/demo-apps-to-monitor/templates/serviceAccount.yaml b/helm-charts/demo-apps-to-monitor/templates/serviceAccount.yaml
index 5c9917a..a1c3900 100644
--- a/helm-charts/demo-apps-to-monitor/templates/serviceAccount.yaml
+++ b/helm-charts/demo-apps-to-monitor/templates/serviceAccount.yaml
@@ -1,13 +1,13 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: {{ .Values.serviceAccount }}
+ name: {{.Release.Name}}-{{ .Values.serviceAccount }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: {{ .Values.serviceAccount }}
+ name: {{.Release.Name}}-{{ .Values.serviceAccount }}
 rules:
 - apiGroups: ["apps"]
 verbs: ["patch", "get", "list"]
@@ -23,11 +23,11 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: {{ .Values.serviceAccount }}
+ name: {{.Release.Name}}-{{ .Values.serviceAccount }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: {{ .Values.serviceAccount }}
+ name: {{.Release.Name}}-{{ .Values.serviceAccount }}
 subjects:
 - kind: ServiceAccount
- name: {{ .Values.serviceAccount }}
\ No newline at end of file
+ name: {{.Release.Name}}-{{ .Values.serviceAccount }}
diff --git a/helm-charts/demo-apps-to-monitor/values.yaml b/helm-charts/demo-apps-to-monitor/values.yaml
index c9672bc..1725b57 100644
--- a/helm-charts/demo-apps-to-monitor/values.yaml
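Review bot: The two renamed pod labels are the contract with the mutating webhook (the README in this same patch tells users to check for `hasher-certificates-injector-sidecar: "true"` and `main-process-name` when no sidecar appears), yet nothing in the template says so, and a third part of that contract, `shareProcessNamespace: true`, sits unexplained two lines below. A comment above the labels such as `# Read by the mutator: the hasher sidecar is injected only when hasher-certificates-injector-sidecar is "true"; main-process-name is the process it tracks` and one on `shareProcessNamespace` noting that the sidecar appears to rely on seeing the main container's PID would make the dependency visible to whoever copies this chart for a real workload. Note that a shared PID namespace also lets every container in the pod see and signal the others' processes, so it is worth recording as a deliberate choice rather than a default.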
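Review bot: With the ServiceAccount now release-prefixed, this is the moment to revisit what the Role bound to it grants: `verbs: ["patch", "get", "list"]` on the `apps` group (the `resources:` line is outside the hunk), and `patch` is a write permission. By default the SA token is mounted into every container of the pod, so the monitored nginx container gets the same right to modify workload objects as the sidecar. If the sidecar only reads its own Deployment, reduce the rule to `verbs: ["get", "list"]`; if it genuinely needs to patch (for example to restart on a hash mismatch), narrow it with `resourceNames: ["{{ .Release.Name }}-{{ .Values.metadata.deploymentName }}"]` and consider `automountServiceAccountToken: false` on the workload container.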
+++ b/helm-charts/demo-apps-to-monitor/values.yaml
@@ -21,5 +21,10 @@ replicaCount: 1
 # Configuration file variables
 configMap:
+ name: integrity-sum-config
 processName: nginx # Container process name
 mountPath: etc/nginx # Tracked folder path
+
+# Data secrets in the database
+secretNameDB: secret-database-to-integrity-sum
+releaseNameDB: db
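Review bot: `secretNameDB` and `releaseNameDB` are introduced here but no template in this patch consumes them, and they restate by hand two values that live elsewhere: the database chart's `secretName` and the release name the README tells the user to pick at `helm install db ...`. The database Secret is rendered as `{{.Release.Name}}-{{ .Values.secretName}}`, so any drift between these copies produces a reference to a Secret that does not exist and fails only when the pod starts. Replace the comment `# Data secrets in the database` with one that states the coupling, e.g. `# Release name and Secret name of helm-charts/database-to-integrity-sum; the Secret the sidecar reads is <releaseNameDB>-<secretNameDB>`, and if these keys are meant for the mutator rather than this chart, say so there too.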