update zora chart

undistro · Sep 26, 2024 · 1f35df9 · 1f35df9
1 parent b15595b
commit 1f35df9
Show file tree

Hide file tree

Showing 11 changed files with 284 additions and 14 deletions.
diff --git a/charts/zora/Chart.yaml b/charts/zora/Chart.yaml
@@ -17,7 +17,7 @@ name: zora
 description: A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times.
 icon: https://zora-docs.undistro.io/v0.7/assets/logo.svg
 type: application
-version: 0.9.3
-appVersion: "v0.9.3"
+version: 0.10.0-rc1
+appVersion: "v0.10.0-rc1"
 sources:
   - https://github.com/undistro/zora
diff --git a/charts/zora/README.md b/charts/zora/README.md
@@ -114,7 +114,7 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.marvin.envFrom | list | `[]` | List of sources to populate environment variables in marvin container. |
 | scan.plugins.trivy.ignoreUnfixed | bool | `false` | Specifies whether only fixed vulnerabilities should be reported |
 | scan.plugins.trivy.ignoreDescriptions | bool | `false` | Specifies whether vulnerability descriptions should be ignored |
-| scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container |
+| scan.plugins.trivy.resources | object | `{"limits":{"cpu":"1500m","memory":"4096Mi"},"requests":{"cpu":"500m","memory":"2048Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container |
 | scan.plugins.trivy.podAnnotations | object | `{}` | Annotations added to the trivy pods |
 | scan.plugins.trivy.image.repository | string | `"ghcr.io/undistro/trivy"` | trivy plugin image repository |
 | scan.plugins.trivy.image.tag | float | `0.53` | trivy plugin image tag |
@@ -124,7 +124,6 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.trivy.timeout | string | `"10m"` | Trivy timeout |
 | scan.plugins.trivy.insecure | bool | `false` | Allow insecure server connections for Trivy |
 | scan.plugins.trivy.persistence.enabled | bool | `true` | Specifies whether Trivy vulnerabilities database should be persisted between the scans, using PersistentVolumeClaim |
-| scan.plugins.trivy.persistence.fsGroup | int | `0` | Specifies the fsGroup to use when mounting the persistent volume |
 | scan.plugins.trivy.persistence.accessMode | string | `"ReadWriteOnce"` | [Persistence access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) |
 | scan.plugins.trivy.persistence.storageClass | string | `""` | [Persistence storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). Set to empty for default storage class |
 | scan.plugins.trivy.persistence.storageRequest | string | `"2Gi"` | Persistence storage size |
@@ -144,6 +143,26 @@ The following table lists the configurable parameters of the Zora chart and thei
 | httpsProxy | string | `""` | HTTPS proxy URL |
 | noProxy | string | `"kubernetes.default.svc.*,127.0.0.1,localhost"` | Comma-separated list of URL patterns to be excluded from going through the proxy |
 | updateCRDs | bool | `true` for upgrades | Specifies whether CRDs should be updated by operator at startup |
+| tokenRefresh.image.repository | string | `"ghcr.io/undistro/zora/tokenrefresh"` | tokenrefresh image repository |
+| tokenRefresh.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
+| tokenRefresh.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| tokenRefresh.rbac.create | bool | `true` | Specifies whether Roles and RoleBindings should be created |
+| tokenRefresh.rbac.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| tokenRefresh.rbac.serviceAccount.annotations | object | `{}` | Annotations to be added to service account |
+| tokenRefresh.rbac.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| tokenRefresh.minRefreshTime | string | `"1m"` | Minimum time to wait before checking for token refresh |
+| tokenRefresh.refreshThreshold | string | `"2h"` | Threshold relative to the token expiry timestamp, after which a token can be refreshed. |
+| tokenRefresh.nodeSelector | object | `{}` | [Node selection](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node) to constrain a Pod to only be able to run on particular Node(s) |
+| tokenRefresh.tolerations | list | `[]` | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration) for pod assignment |
+| tokenRefresh.affinity | object | `{}` | Map of node/pod [affinities](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration) |
+| tokenRefresh.podAnnotations | object | `{"kubectl.kubernetes.io/default-container":"manager"}` | Annotations to be added to pods |
+| tokenRefresh.podSecurityContext | object | `{"runAsNonRoot":true}` | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context) to add to the pod |
+| tokenRefresh.securityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true}` | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context) to add to `manager` container |
+| zoraauth.domain | string | `""` | The domain associated with the tokens |
+| zoraauth.clientId | string | `""` | The client id associated with the tokens |
+| zoraauth.accessToken | string | `""` | The access token authorizing access to the SaaS API server |
+| zoraauth.tokenType | string | `"Bearer"` | The type of the access token |
+| zoraauth.refreshToken | string | `""` | The refresh token for obtaining a new access token |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 

diff --git a/charts/zora/templates/_helpers.tpl b/charts/zora/templates/_helpers.tpl
@@ -77,6 +77,25 @@ Create the name of the service account to use in Operator
 {{- end }}
 {{- end }}
 
+{{/*
+TokenRefresh selector labels
+*/}}
+{{- define "zora.tokenRefreshSelectorLabels" -}}
+{{ include "zora.selectorLabels" . }}
+app.kubernetes.io/component: token-refresh
+{{- end }}
+
+{{/*
+Create the name of the service account to use in TokenRefresh
+*/}}
+{{- define "zora.tokenRefreshServiceAccountName" -}}
+{{- if .Values.tokenRefresh.rbac.serviceAccount.create }}
+{{- default (printf "%s-%s" (include "zora.fullname" .) "token-refresh") .Values.tokenRefresh.rbac.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.tokenRefresh.rbac.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
 {{- define "zora.imagePullSecret" }}
 {{- with .Values.imageCredentials }}
 {{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }}
@@ -149,3 +168,7 @@ Truncate a name to a specific length
 {{- $isHourBad := not (mustRegexMatch "^(?:\\d|[0-5]\\d)$" $hour) -}}
 {{- or $isMinuteBad $isHourBad -}}
 {{- end -}}
+
+{{- define "zora.saasTokenSecretName" -}}
+{{- printf "%s-saas-tokens" (include "zora.fullname" .) -}}
+{{- end }}
diff --git a/charts/zora/templates/hooks/delete.yaml b/charts/zora/templates/hooks/delete.yaml
@@ -66,5 +66,10 @@ spec:
         - --ignore-not-found=true
       securityContext:
         allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - ALL
         readOnlyRootFilesystem: true
+        seccompProfile:
+          type: "RuntimeDefault"
   restartPolicy: Never
diff --git a/charts/zora/templates/hooks/install.yaml b/charts/zora/templates/hooks/install.yaml
@@ -37,6 +37,7 @@ spec:
         - |
           curl -kfsS -X POST '{{ tpl .Values.saas.installURL . }}' \
             -H 'content-type: application/json' \
+            -H 'Authorization: {{ .Values.zoraauth.tokenType }} {{ .Values.zoraauth.accessToken }}' \
           {{- if .Values.httpsProxy }}
             -x '{{ .Values.httpsProxy}}' \
           {{- end }}
@@ -49,6 +50,11 @@ spec:
               "revision" .Release.Revision) }}'
       securityContext:
         allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - ALL
         readOnlyRootFilesystem: true
+        seccompProfile:
+          type: "RuntimeDefault"
   restartPolicy: Never
 {{- end }}
diff --git a/charts/zora/templates/operator/deployment.yaml b/charts/zora/templates/operator/deployment.yaml
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 {{ $secretName := printf "%s-serving-cert" (include "zora.fullname" .) -}}
+{{ $saasTokensSecretName := (include "zora.saasTokenSecretName" .) -}}
 {{- $serviceName := printf "%s-webhook" (include "zora.fullname" .) -}}
 {{- if .Values.operator.webhook.enabled -}}
 {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace $secretName -}}
@@ -103,8 +104,7 @@ spec:
             - --worker-image={{ printf "%s:%s" .Values.scan.worker.image.repository (.Values.scan.worker.image.tag | default .Chart.AppVersion) }}
             - --cronjob-clusterrolebinding-name=zora-plugins-rolebinding
             - --cronjob-serviceaccount-name=zora-plugins
-            - --trivy-db-pvc={{- if .Values.scan.plugins.trivy.persistence.enabled }}trivy-db-pvc{{- end }}
-            - --trivy-db-fsgroup={{ .Values.scan.plugins.trivy.persistence.fsGroup }}
+            - --trivy-db-pvc={{- if .Values.scan.plugins.trivy.persistence.enabled }}trivy-db-volume{{- end }}
 {{- if .Values.scan.plugins.annotations}}
             - --cronjob-serviceaccount-annotations={{ $first := true }}{{- range $key, $value := .Values.scan.plugins.annotations }}{{if not $first}},{{else}}{{$first = false}}{{end}}{{ $key }}={{$value}}{{- end }}
 {{- end }}
@@ -119,6 +119,7 @@ spec:
             - --inject-conversion={{ .Values.operator.webhook.enabled }}
             - --webhook-service-name={{ $serviceName }}
             - --webhook-service-namespace={{ .Release.Namespace }}
+            - --token-path=/tmp/jwt-tokens/token
           image: "{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
           ports:
@@ -132,11 +133,16 @@ spec:
             - containerPort: 9443
               name: webhook-server
               protocol: TCP
+          {{- end }}
           volumeMounts:
+          {{- if .Values.operator.webhook.enabled }}
             - mountPath: /tmp/k8s-webhook-server/serving-certs
               name: cert
               readOnly: true
           {{- end }}
+            - mountPath: /tmp/jwt-tokens
+              name: jwt-tokens
+              readOnly: true
           livenessProbe:
             httpGet:
               path: /healthz
@@ -153,14 +159,19 @@ spec:
             {{- toYaml .Values.operator.resources | nindent 12 }}
           securityContext:
             {{- toYaml .Values.operator.securityContext | nindent 12 }}
-      {{- if .Values.operator.webhook.enabled }}
       volumes:
+      {{- if .Values.operator.webhook.enabled }}
         - name: cert
           secret:
             defaultMode: 420
             secretName: {{ $secretName }}
             optional: true
       {{- end }}
+        - name: jwt-tokens
+          secret:
+            defaultMode: 420
+            secretName: {{ $saasTokensSecretName }}
+            optional: true
       securityContext:
         {{- toYaml .Values.operator.podSecurityContext | nindent 8 }}
       serviceAccountName: {{ include "zora.operatorServiceAccountName" . }}

diff --git a/charts/zora/templates/plugins/trivy-job.yaml b/charts/zora/templates/plugins/trivy-job.yaml
@@ -21,12 +21,10 @@ spec:
   ttlSecondsAfterFinished: 0
   template:
     spec:
-      securityContext:
-        fsGroup: 0
       volumes:
         - name: trivy-db
           persistentVolumeClaim:
-            claimName: trivy-db-pvc
+            claimName: trivy-db-volume
       containers:
         - name: trivy-download-db
           image: "{{ .Values.scan.plugins.trivy.image.repository }}:{{ .Values.scan.plugins.trivy.image.tag }}"
@@ -35,7 +33,13 @@ spec:
           {{- end }}
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
             privileged: false
+            runAsNonRoot: true
+            seccompProfile:
+              type: "RuntimeDefault"
           volumeMounts:
             - mountPath: /tmp/trivy-cache
               name: trivy-db
@@ -70,4 +74,5 @@ spec:
               value: {{ .Values.noProxy | quote }}
             {{- end }}
       restartPolicy: OnFailure
+      serviceAccountName: zora-plugins
 {{- end }}
diff --git a/charts/zora/templates/plugins/trivy-pvc.yaml b/charts/zora/templates/plugins/trivy-pvc.yaml
@@ -16,7 +16,7 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: trivy-db-pvc
+  name: trivy-db-volume
 spec:
   {{- if .Values.scan.plugins.trivy.persistence.storageClass }}
   storageClassName: {{ .Values.scan.plugins.trivy.persistence.storageClass | quote }}

diff --git a/charts/zora/templates/tokenrefresh/deployment.yaml b/charts/zora/templates/tokenrefresh/deployment.yaml
@@ -0,0 +1,93 @@
+# Copyright 2022 Undistro Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.saas.workspaceID -}}
+{{ $secretName := (include "zora.saasTokenSecretName" .) -}}
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: undistro.io/jwtTokens
+data:
+{{- if $existingSecret }}
+  {{- toYaml $existingSecret.data | nindent 2 }}
+{{- else }}
+  token: {{ printf "{ \"access_token\": \"%s\", \"refresh_token\": \"%s\", \"token_type\": \"%s\" }" .Values.zoraauth.accessToken .Values.zoraauth.refreshToken .Values.zoraauth.tokenType | b64enc }}
+{{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "zora.fullname" . }}-tokenrefresh
+  labels:
+    {{- include "zora.tokenRefreshSelectorLabels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "zora.tokenRefreshSelectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.tokenRefresh.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "zora.tokenRefreshSelectorLabels" . | nindent 8 }}
+    spec:
+      containers:
+        - name: tokenrefresh
+          {{- if .Values.httpsProxy }}
+          env:
+            - name: HTTPS_PROXY
+              value: {{ .Values.httpsProxy | quote }}
+            - name: NO_PROXY
+              value: {{ .Values.noProxy | quote }}
+          {{- end }}
+          command:
+            - /tokenrefresh
+          args:
+            - --secret-name={{ $secretName }}
+            - --namespace={{ .Release.Namespace }}
+            - --domain={{ .Values.zoraauth.domain }}
+            - --client-id={{ .Values.zoraauth.clientId }}
+            - --min-refresh-time={{ .Values.tokenRefresh.minRefreshTime }}
+            - --refresh-threshold={{ .Values.tokenRefresh.refreshThreshold }}
+          image: "{{ .Values.tokenRefresh.image.repository }}:{{ .Values.tokenRefresh.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.tokenRefresh.image.pullPolicy }}
+          resources:
+            {{- toYaml .Values.tokenRefresh.resources | nindent 12 }}
+          securityContext:
+            {{- toYaml .Values.tokenRefresh.securityContext | nindent 12 }}
+      volumes:
+        - name: jwt-tokens
+          secret:
+            defaultMode: 420
+            secretName: {{ $secretName }}
+      securityContext:
+        {{- toYaml .Values.tokenRefresh.podSecurityContext | nindent 8 }}
+      serviceAccountName: {{ include "zora.tokenRefreshServiceAccountName" . }}
+      terminationGracePeriodSeconds: 10
+      {{- with .Values.tokenRefresh.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tokenRefresh.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tokenRefresh.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end -}}
diff --git a/charts/zora/templates/tokenrefresh/rbac.yaml b/charts/zora/templates/tokenrefresh/rbac.yaml
@@ -0,0 +1,53 @@
+# Copyright 2023 Undistro Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.saas.workspaceID -}}
+{{ if .Values.tokenRefresh.rbac.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "zora.tokenRefreshServiceAccountName" . }}
+  labels:
+  {{- include "zora.tokenRefreshSelectorLabels" . | nindent 4 }}
+  {{- with .Values.tokenRefresh.rbac.serviceAccount.annotations }}
+  annotations:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{ end }}
+{{- if .Values.tokenRefresh.rbac.create -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "zora.tokenRefreshServiceAccountName" . }}-secret-access
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "zora.tokenRefreshServiceAccountName" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "zora.tokenRefreshServiceAccountName" . }}-secret-access
+subjects:
+- kind: ServiceAccount
+  name: {{ include "zora.tokenRefreshServiceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end -}}
+---