Skip to content

Kubernetes-native package for OWASP Dependency Track, a continuous SBOM Analysis Platform for managing software supply chain security risks.

License

Notifications You must be signed in to change notification settings

kadras-io/package-for-dependency-track

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Dependency Track

Test Workflow Release Workflow The SLSA Level 3 badge The Apache 2.0 license badge Follow us on Twitter

A Carvel package for Dependency Track, a continuous SBOM Analysis Platform for managing software supply chain security risks.

🚀  Getting Started

Prerequisites

  • Kubernetes 1.29+

  • Carvel kctrl CLI.

  • Carvel kapp-controller deployed in your Kubernetes cluster. You can install it with Carvel kapp (recommended choice) or kubectl.

    kapp deploy -a kapp-controller -y \
      -f https://github.com/carvel-dev/kapp-controller/releases/latest/download/release.yml

Dependencies

Dependency Track requires the following packages included in the Kadras Engineering Platform and available to install from the Kadras package repository:

Installation

Add the Kadras package repository to your Kubernetes cluster:

kctrl package repository add -r kadras-packages \
  --url ghcr.io/kadras-io/kadras-packages \
  -n kadras-system --create-namespace
Installation without package repository The recommended way of installing the Dependency Track package is via the Kadras package repository. If you prefer not using the repository, you can add the package definition directly using kapp or kubectl.
kubectl create namespace kadras-system
kapp deploy -a dependency-track-package -n kadras-system -y \
  -f https://github.com/kadras-io/package-for-dependency-track/releases/latest/download/metadata.yml \
  -f https://github.com/kadras-io/package-for-dependency-track/releases/latest/download/package.yml

Install the Dependency Track package:

kctrl package install -i dependency-track \
  -p dependency-track.packages.kadras.io \
  -v ${VERSION} \
  -n kadras-system

Note You can find the ${VERSION} value by retrieving the list of package versions available in the Kadras package repository installed on your cluster.

kctrl package available list -p dependency-track.packages.kadras.io -n kadras-system

Verify the installed packages and their status:

kctrl package installed list -n kadras-system

📙  Documentation

Documentation, tutorials and examples for this package are available in the docs folder. For documentation specific to Dependency Track, check out dependencytrack.org.

🎯  Configuration

The Dependency Track package can be customized via a values.yml file.

domain_name: "dependency-track.kadras.io"
ingress_issuer: "kadras-ca-issuer"
postgresql:
  instances: 3

Reference the values.yml file from the kctrl command when installing or upgrading the package.

kctrl package install -i dependency-track \
  -p dependency-track.packages.kadras.io \
  -v ${VERSION} \
  -n kadras-system \
  --values-file values.yml

Values

The Dependency Track package has the following configurable properties.

Configurable properties
Config Default Description
system_requirement_check true Whether Dependency Track will check for memory and CPU requirements at startup time.
domain_name "" Domain name for Dependency Track. It must be a valid DNS name.
ingress_issuer "" A reference to the ClusterIssuer to use for enabling TLS in Dependency Track.

Settings for the API Server component.

Config Default Description
api_server.logging.level info Log verbosity level. Options: trace, debug, info, warn, error.
api_server.logging.format console Log encoding format. Options: console, json.
api_server.metrics.enabled true Whether to enable the generation of Prometheus metrics.
api_server.resources.cpu 0.5 CPU requests configuration for the API Server component.
api_server.resources.memory 5Gi Memory requests configuration for the API Server component.
api_server.limits.cpu 4 CPU limits configuration for the API Server component.
api_server.limits.memory 5Gi Memory limits configuration for the API Server component.
api_server.storage.class_name "" Class name for the PersistenceVolume to create.
api_server.storage.size 500Mi Size of the PersistenceVolume to create.

Settings for the Frontend component.

Config Default Description
frontend.replicas 1 The number of Frontend replicas. In order to enable high availability, it should be greater than 1.
frontend.resources.cpu 0.5 CPU requests configuration for the Frontend component.
frontend.resources.memory 5Gi Memory requests configuration for the Frontend component.
frontend.limits.cpu 4 CPU limits configuration for the Frontend component.
frontend.limits.memory 5Gi Memory limits configuration for the Frontend component.

Settings for the corporate proxy.

Config Default Description
proxy.https_proxy "" The HTTPS proxy to use for network traffic.
proxy.http_proxy "" The HTTP proxy to use for network traffic.
proxy.no_proxy "" A comma-separated list of hostnames, IP addresses, or IP ranges in CIDR format that should not use the proxy.

Settings for the PostgreSQL database.

Config Default Description
postgresql.instances 1 Number of instances for the PostgreSQL database cluster. Define at least 3 for production scenarios.
postgresql.storage.size 500Mi Size of the PersistenceVolume to create for each PostgreSQL instance.

🛡️  Security

The security process for reporting vulnerabilities is described in SECURITY.md.

🖊️  License

This project is licensed under the Apache License 2.0. See LICENSE for more information.

About

Kubernetes-native package for OWASP Dependency Track, a continuous SBOM Analysis Platform for managing software supply chain security risks.

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages