Add vulcan-tracker component (#113)

.gitignore

@@ -1,3 +1,5 @@
 *.tgz
 Chart.lock
-
+*.swp
+*.swo
+.idea

examples/aws.yaml

@@ -76,6 +76,7 @@ api:
       username: kafka-user
       password: kafka-pwd
       topics: '{assets = "assets"}'
+    vulcantrackerTeams: "team1,team2"
   db:
     <<: *db
     host: api.postgres.host
@@ -448,3 +449,23 @@ vulndbapi:
     cache:
       enabled: true
       maxAge: 600
+tracker:
+  enabled: true
+  name: tracker
+  image:
+    repository: adevinta/vulcan-tracker
+    tag: tag-tracker
+    pullPolicy: Always
+  healthcheckPath: /healthcheck
+  conf:
+    logLevel: "error"
+    awsServerCredentialKey: "/path/to/credentials/"
+  # -- postgres database settings
+  db:
+    <<: *db
+    host: vultrackerdb.postgres.host
+    name: vultrackerdb
+    password: xxxxxxxxxx
+    user: vultrackerdb
+  imagePullSecrets:
+    - name: pullsecretname

examples/local.yaml

@@ -58,6 +58,7 @@ api:
         blockedChecks:
         excludingSuffixes:
           - experimental
+    vulcantrackerTeams: "team1,team2"
   ingress:
     enabled: true
     annotations:
@@ -122,3 +123,13 @@ vulndbapi:
         paths: [/]
   conf:
     readReplicaHost:
+
+tracker:
+  ingress:
+    enabled: true
+    hosts:
+      - host: tracker.vulcan.local
+        paths: [/]
+  conf:
+    logLevel: "error"
+    awsServerCredentialKey: "/path/to/credentials/"

examples/templates/aws.yaml

@@ -124,6 +124,21 @@ type: Opaque
 data:
   REDIS_PWD: "bXllbGFzdGljcHdk"
 ---
+# Source: vulcan/templates/tracker/secrets.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: myrelease-vulcan-tracker
+  labels:
+    helm.sh/chart: vulcan-0.5.6
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: vulcan
+    app.kubernetes.io/instance: vulcan
+    app.kubernetes.io/name: tracker
+type: Opaque
+data:
+  PG_PASSWORD: "eHh4eHh4eHh4eA=="
+---
 # Source: vulcan/templates/vulndb/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -529,6 +544,50 @@ data:
       http-request use-service prometheus-exporter if { path /metrics }
       monitor-uri /healthz
 ---
+# Source: vulcan/templates/tracker/deployment.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: myrelease-vulcan-tracker-proxy
+  labels:
+    helm.sh/chart: vulcan-0.5.6
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: vulcan
+    app.kubernetes.io/instance: vulcan
+    app.kubernetes.io/name: tracker
+data:
+  haproxy.cfg: |
+    global
+      daemon
+      maxconn 64
+      log stdout format raw daemon
+  
+    defaults
+      mode http
+      timeout connect 5s
+      timeout client 25s
+      timeout server 25s
+      timeout tunnel 3600s
+      option  http-server-close
+  
+    frontend http
+      bind *:9090
+      log global
+      option httplog clf
+      http-request capture req.hdr(Host) len 50
+      http-request capture req.hdr(User-Agent) len 100
+  
+      default_backend app
+  
+    backend app
+      server app 127.0.0.1:8080
+  
+    frontend stats
+      bind *:9101
+      option http-use-htx
+      http-request use-service prometheus-exporter if { path /metrics }
+      monitor-uri /healthz
+---
 # Source: vulcan/templates/ui/deployment.yaml
 apiVersion: v1
 kind: ConfigMap
@@ -798,6 +857,28 @@ spec:
     app.kubernetes.io/instance: vulcan
     app.kubernetes.io/name: stream
 ---
+# Source: vulcan/templates/tracker/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: myrelease-vulcan-tracker
+  labels:
+    helm.sh/chart: vulcan-0.5.6
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: vulcan
+    app.kubernetes.io/instance: vulcan
+    app.kubernetes.io/name: tracker
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/instance: vulcan
+    app.kubernetes.io/name: tracker
+---
 # Source: vulcan/templates/ui/service.yaml
 apiVersion: v1
 kind: Service
@@ -983,6 +1064,10 @@ spec:
             value: "myrelease-vulcan-persistence"
           - name: VULNERABILITYDB_URL
             value: "http://myrelease-vulcan-vulndbapi/"
+          - name: VULCANTRACKER_URL
+            value: "http://myrelease-vulcan-tracker/"
+          - name: VULCANTRACKER_TEAMS
+            value: "team1,team2"
           - name: AWSCATALOGUE_KIND
             value: "CloudGovernance"
           - name: AWSCATALOGUE_URL
@@ -2160,6 +2245,141 @@ spec:
       imagePullSecrets:
         - name: pullsecretname
 ---
+# Source: vulcan/templates/tracker/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: myrelease-vulcan-tracker
+  labels:
+    helm.sh/chart: vulcan-0.5.6
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: vulcan
+    app.kubernetes.io/instance: vulcan
+    app.kubernetes.io/name: tracker
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: vulcan
+      app.kubernetes.io/name: tracker
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: vulcan
+        global-label: foo
+        global-namespace: 'ns'
+        app.kubernetes.io/name: tracker
+      annotations:
+        checksum/secrets: 766e2200ecd1fedbf5bc59975fada3271dfbfbba21a6b4538d3646195d3fda04
+        checksum/config-proxy: 4ba45566a092b043208fcf6bf26a0d842fc23e0e10b03c5802c85c930bb6e1c9
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '9101'
+    spec:
+      initContainers:
+        - name: waitfordb
+          image: "busybox:1.35.0"
+          imagePullPolicy: Always
+          command: ['sh', '-c', 'until nc -z "$PGHOST" "$PGPORT"; do echo WaitingDB && sleep 5; done;']
+          env:
+          - name: PGHOST
+            value: "vultrackerdb.postgres.host"
+          - name: PGPORT
+            value: "5432"
+      containers:
+
+        - name: dogstatsd
+          image: "datadog/dogstatsd:7.42.2"
+          envFrom:
+          - secretRef:
+              name: myrelease-vulcan-dogstatsd
+          ports:
+            - containerPort: 8125
+              name: dogstatsd
+              protocol: UDP
+        - name: proxy
+          image: "haproxy:2.4.23-alpine"
+          imagePullPolicy: Always
+          ports:
+            - name: http
+              containerPort: 9090
+            - name: metrics
+              containerPort: 9101
+          volumeMounts:
+          - mountPath: /usr/local/etc/haproxy
+            readOnly: true
+            name: config-proxy
+          lifecycle:
+            preStop:
+              exec:
+                command: ["/bin/sh","-c","sleep 30;"]
+        - name: tracker
+
+          image: "adevinta/vulcan-tracker:tag-tracker"
+          imagePullPolicy: Always
+          lifecycle:
+            preStop:
+              exec:
+                command: ["/bin/sh","-c","sleep 30;"]
+          livenessProbe:
+            httpGet:
+              path: /healthcheck
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 3
+            successThreshold: 1
+            failureThreshold: 10
+          readinessProbe:
+            httpGet:
+              path: /healthcheck
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 3
+            successThreshold: 1
+            failureThreshold: 5
+          env:
+          - name: PORT
+            value: "8080"
+          - name: PG_HOST
+            value: "vultrackerdb.postgres.host"
+          - name: PG_NAME
+            value: "vultrackerdb"
+          - name: PG_USER
+            value: "vultrackerdb"
+          - name: PG_PORT
+            value: "5432"
+          - name: PG_SSLMODE
+            value: "verify-full"
+          - name: PG_CA_B64
+            value: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVCakNDQXU2Z0F3SUJBZ0lKQU1jMFp6YVNVSzUxTUEwR0NTcUdTSWIzRFFFQkN3VUFNSUdQTVFzd0NRWUQKVlFRR0V3SlZVekVRTUE0R0ExVUVCd3dIVTJWaGRIUnNaVEVUTUJFR0ExVUVDQXdLVjJGemFHbHVaM1J2YmpFaQpNQ0FHQTFVRUNnd1pRVzFoZW05dUlGZGxZaUJUWlhKMmFXTmxjeXdnU1c1akxqRVRNQkVHQTFVRUN3d0tRVzFoCmVtOXVJRkpFVXpFZ01CNEdBMVVFQXd3WFFXMWhlbTl1SUZKRVV5QlNiMjkwSURJd01Ua2dRMEV3SGhjTk1Ua3cKT0RJeU1UY3dPRFV3V2hjTk1qUXdPREl5TVRjd09EVXdXakNCanpFTE1Ba0dBMVVFQmhNQ1ZWTXhFREFPQmdOVgpCQWNNQjFObFlYUjBiR1V4RXpBUkJnTlZCQWdNQ2xkaGMyaHBibWQwYjI0eElqQWdCZ05WQkFvTUdVRnRZWHB2CmJpQlhaV0lnVTJWeWRtbGpaWE1zSUVsdVl5NHhFekFSQmdOVkJBc01Da0Z0WVhwdmJpQlNSRk14SURBZUJnTlYKQkFNTUYwRnRZWHB2YmlCU1JGTWdVbTl2ZENBeU1ERTVJRU5CTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQwpBUThBTUlJQkNnS0NBUUVBclhuRi9FNi9RaCtrdTNoUVRTS1BNaFFRbENwb1d2bkl0aHpYNk1LM3A1YTBlWEtaCm9XSWpZY05ORzZVd0pqcDRmVVhsNmdscDUzSm9ibit0V05YODhkTkgybjhEVmJwcFN3U2NWRTJMcHVMKzk0dlkKMEVZRS9YeE43c3ZLZWE4WXZscnFrVUJLeXhMeFRqaCtVL0tyR09hSHh6OXYwbDZaTmxEYnVhWnczcUlXZEQvSQo2YU5iR2VSVVZ0cE02UCtiV0lveFZsL2NhUXlsUVM2Q0VZVWsrQ3BWeUpTa29wd0pselhUMDd0TW9ETDVXZ1g5Ck8wOEtWZ0ROejlxUC9JR3RBY1JkdVJjTmlvSDNFOXY5ODFRTzF6dC9HcGIyZjhOcUFqVVVDVVp6T25pajZteDkKTWNaKzljV1g4OENSelIwdlFPRFd1WnNjZ0kwOE52TTY5Rm4yU1FJREFRQUJvMk13WVRBT0JnTlZIUThCQWY4RQpCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVWMxOWcyTHpMQTVqMEt4YzBMalphCnBtRC92Qjh3SHdZRFZSMGpCQmd3Rm9BVWMxOWcyTHpMQTVqMEt4YzBMalphcG1EL3ZCOHdEUVlKS29aSWh2Y04KQVFFTEJRQURnZ0VCQUhBRzdXVG15anpQUklNODVyVmorZldIc0xJdnFwdzZET2JJak1Xb2twbGlDZU1JTlpGVgp5bmZnQktzZjFFeHdidkpOellGWFc2ZGlobmd1REc5Vk1QcGkydXAvY3RRVE44dG05bkRLT3kwOHVOWm9vZk1jCk5VWnhLQ0VrVktaditJTDRvSG9lYXl0OGVndHYzdWpKTTZWMTRBc3RNUTZTd3Z3dkE5M0VQL1VnMmU0V0FYSHUKY2JJMU5BYlVnVkRxcCtEUmRmdlprZ1lLcnlqVFdkLzArMWZTOFgxYkJaVld6bDdlaXJOVm5IYlNIMlpEcE51WQowU0JkOGRqNUY2bGQzdDU4eWRaYnJUSHplN0pKT2Q4aWp5U0FwNC9raXU5VWZaV3VUUEFCekRhL0RTZHo5RGsvCnpQVzRDWFh2aExtRTAyVEE5L0hlQ3czS0VISXdpY051RWZ3PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
+          - name: LOG_LEVEL
+            value: "error"
+          - name: AWSSERVERCREDENTIALS_KEY
+            value: "/path/to/credentials/"
+          - name: AWS_REGION
+            value: "eu-west-1"
+
+          - name: DOGSTATSD_ENABLED
+            value: "true"
+          - name: DOGSTATSD_HOST
+            value: "localhost"
+          - name: DOGSTATSD_PORT
+            value: "8125"
+          envFrom:
+          - secretRef:
+              name: myrelease-vulcan-tracker
+          ports:
+            - name: app
+              containerPort: 8080
+              protocol: TCP
+      volumes:
+      - name: config-proxy
+        configMap:
+          name: myrelease-vulcan-tracker-proxy
+
+      imagePullSecrets:
+        - name: pullsecretname
+---
 # Source: vulcan/templates/ui/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment

examples/templates/local.yaml

@@ -204,6 +204,7 @@ data:
     CREATE DATABASE scanengine;
     CREATE DATABASE reportsgenerator;
     CREATE DATABASE vulnerabilitydb;
+    CREATE DATABASE tracker;
 ---
 # Source: vulcan/charts/redis/templates/configmap.yaml
 apiVersion: v1