local-dev folder, makefile

Makefile

@@ -0,0 +1,12 @@
+.PHONY: local-deploy
+local-deploy:
+	./local-dev/build.sh
+	-helm install --name clair-pg ./local-dev/helm/clair-pg
+	-helm delete --purge clair
+	helm install --name clair ./local-dev/helm/clair
+
+.PHONY: local-teardown
+local-teardown:
+	-helm delete --purge clair
+	-helm delete --purge clair-pg
+

contrib/helm/clair/requirements.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: postgresql
+  repository: https://kubernetes-charts.storage.googleapis.com
+  version: 5.1.2
+digest: sha256:4ec53b9ffeec273775737834f3c288a6d1b11451ea75457451e1ac8ce710a1b0
+generated: "2019-05-30T19:33:38.456423-04:00"

local-dev/build.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+# if minikube is running configure docker
+# env vars to push to minikube
+if [ -x "$(command -v minikube)" ] && minikube status; then
+    eval $(minikube docker-env)
+fi
+docker build -t clair-local:latest .

local-dev/helm/clair-pg/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

local-dev/helm/clair-pg/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A postgres database for use in clair local dev
+name: clair-pg
+version: 0.1.0

local-dev/helm/clair-pg/requirements.yaml

@@ -0,0 +1,5 @@
+dependencies:
+  - name: postgresql
+    version: "5.1.2"
+    condition: postgresql.enabled
+    repository: "alias:stable"

local-dev/helm/clair-pg/values.yaml

@@ -0,0 +1,20 @@
+postgresql:
+  postgresqlUsername: clair
+  postgresqlPassword: clair
+  postgresqlDatabase: clair
+
+  replication:
+    enabled: false
+
+  resources:
+    requests:
+      memory: 256Mi
+      cpu: 250m
+
+  persistence:
+    enabled: true
+    size: 10Gi
+
+  metrics:
+    enabled: false
+

local-dev/helm/clair/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

local-dev/helm/clair/Chart.yaml

@@ -0,0 +1,11 @@
+name: clair
+home: https://coreos.com/clair
+version: 0.1.1
+appVersion: 3.0.0-pre
+description: Clair is an open source project for the static analysis of vulnerabilities in application containers.
+icon: https://cloud.githubusercontent.com/assets/343539/21630811/c5081e5c-d202-11e6-92eb-919d5999c77a.png
+sources:
+  - https://github.com/coreos/clair
+maintainers:
+  - name: Jimmy Zelinskie
+    email: [email protected]

local-dev/helm/clair/templates/_config.yaml.tpl

@@ -0,0 +1,83 @@
+clair:
+  database:
+    # Database driver.
+    type: pgsql
+    options:
+      # PostgreSQL Connection string.
+      # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
+      {{- if .Values.config.postgresURI }}
+      source: "{{ .Values.config.postgresURI }}"
+      {{ else }}
+      source: "host={{ template "postgresql.fullname" . }} port=5432 user={{ .Values.postgresql.postgresqlUsername }} password={{ .Values.postgresql.postgresqlPassword }} dbname={{ .Values.postgresql.postgresqlDatabase }} sslmode=disable statement_timeout=60000"
+      {{ end }}
+
+      # Number of elements kept in the cache.
+      # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
+      cachesize: 16384
+
+      # 32-bit URL-safe base64 key used to encrypt pagination tokens.
+      # If one is not provided, it will be generated.
+      # Multiple clair instances in the same cluster need the same value.
+      paginationkey: "{{ .Values.config.paginationKey }}"
+  api:
+    # v3 grpc/RESTful API server address.
+    addr: "0.0.0.0:{{ .Values.service.internalApiPort }}"
+
+    # Health server address.
+    # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server.
+    healthaddr: "0.0.0.0:{{ .Values.service.internalHealthPort }}"
+
+    # Deadline before an API request will respond with a 503.
+    timeout: 900s
+
+    # Optional PKI configuration.
+    # If you want to easily generate client certificates and CAs, try the following projects:
+    # https://github.com/coreos/etcd-ca
+    # https://github.com/cloudflare/cfssl
+    servername:
+    cafile:
+    keyfile:
+    certfile:
+
+  worker:
+    namespace_detectors:
+    {{- range $key, $value := .Values.config.enabledNamespaceDetectors }}
+    - {{ $value }}
+    {{- end }}
+
+    feature_listers:
+    {{- range $key, $value := .Values.config.enabledFeatureListers }}
+    - {{ $value }}
+    {{- end }}
+
+  updater:
+    # Frequency the database will be updated with vulnerabilities from the default data sources.
+    # The value 0 disables the updater entirely.
+    interval: "{{ .Values.config.updateInterval }}"
+    enabledupdaters:
+    {{- range $key, $value := .Values.config.enabledUpdaters }}
+    - {{ $value }}
+    {{- end }}
+
+  notifier:
+    # Number of attempts before the notification is marked as failed to be sent.
+    attempts: 3
+
+    # Duration before a failed notification is retried.
+    renotifyinterval: 2h
+
+    http:
+      # Optional endpoint that will receive notifications via POST requests.
+      endpoint: "{{ .Values.config.notificationWebhookEndpoint }}"
+
+      # Optional PKI configuration.
+      # If you want to easily generate client certificates and CAs, try the following projects:
+      # https://github.com/cloudflare/cfssl
+      # https://github.com/coreos/etcd-ca
+      servername:
+      cafile:
+      keyfile:
+      certfile:
+
+      # Optional HTTP Proxy: must be a valid URL (including the scheme).
+      proxy:

local-dev/helm/clair/templates/_helpers.tpl

@@ -0,0 +1,33 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "clair.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "clair.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified postgresql name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "postgresql.fullname" -}}
+{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

local-dev/helm/clair/templates/deployment.yaml

@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "clair.fullname" . }}
+  labels:
+    heritage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    app: {{ template "clair.fullname" . }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ template "clair.fullname" . }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "clair.fullname" . }}
+    spec:
+      volumes:
+      - name: "{{ .Chart.Name }}-config"
+        secret:
+          secretName: {{ template "clair.fullname" . }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+      {{- end }}
+      {{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+      {{- end }}
+      initContainers:
+      - name: pg-ready-wait
+        image: postgres:11.3
+        command: [ "sh", "-c",
+          "until pg_isready -h {{ .Values.config.postgresServiceName }} -p 5432;
+          do echo waiting for database; sleep 1; done;"]
+      containers:
+      - name: {{ .Chart.Name }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+        - "-log-level={{ .Values.logLevel }}"
+        {{ if .Values.insecureTls }}- "--insecure-tls" {{end}}
+        ports:
+        - name: "{{ .Chart.Name }}-api"
+          containerPort: {{ .Values.service.internalApiPort }}
+          protocol: TCP
+        - name: "{{ .Chart.Name }}-health"
+          containerPort: {{ .Values.service.internalHealthPort }}
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: {{ .Values.service.internalHealthPort }}
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: {{ .Values.service.internalHealthPort }}
+        volumeMounts:
+        - name: "{{ .Chart.Name }}-config"
+          mountPath: /etc/clair
+          readOnly: true
+        resources:
+{{ toYaml .Values.resources | indent 10 }}

local-dev/helm/clair/templates/ingress.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.ingress.enabled -}}
+{{- $serviceName := include "clair.fullname" . -}}
+{{- $servicePort := .Values.service.externalApiPort -}}
+{{- $path := .Values.ingress.path | default "/" -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: {{ template "clair.fullname" . }}
+  labels:
+    heritage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    app: {{ template "clair.fullname" . }}
+  annotations:
+    {{- range $key, $value := .Values.ingress.annotations }}
+      {{ $key }}: {{ $value | quote }}
+    {{- end }}
+spec:
+  rules:
+    {{- range $host := .Values.ingress.hosts }}
+    - host: {{ $host }}
+      http:
+        paths:
+          - path: {{ $path }}
+            backend:
+              serviceName: {{ $serviceName }}
+              servicePort: {{ $servicePort }}
+    {{- end -}}
+  {{- if .Values.ingress.tls }}
+  tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+  {{- end -}}
+{{- end -}}

local-dev/helm/clair/templates/secret.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "clair.fullname" . }}
+  labels:
+    heritage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    app: {{ template "clair.fullname" . }}
+type: Opaque
+data:
+  config.yaml: |-
+{{ include (print .Template.BasePath "/_config.yaml.tpl") . | b64enc | indent 4 }}

local-dev/helm/clair/templates/service.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "clair.fullname" . }}
+  labels:
+    heritage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    app: {{ template "clair.fullname" . }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+  - name: "{{ .Chart.Name }}-api"
+    port: {{ .Values.service.externalApiPort }}
+    targetPort: {{ .Values.service.internalApiPort }}
+    protocol: TCP
+{{- if and (.Values.service.apiNodePort) (eq .Values.service.type "NodePort") }}
+    nodePort: {{ .Values.service.apiNodePort }}
+{{- end }}
+  - name: "{{ .Chart.Name }}-health"
+    port: {{ .Values.service.externalHealthPort }}
+    targetPort: {{ .Values.service.internalHealthPort }}
+    protocol: TCP
+{{- if and (.Values.service.healthNodePort) (eq .Values.service.type "NodePort") }}
+    nodePort: {{ .Values.service.healthNodePort }}
+{{- end }}
+  selector:
+    app: {{ template "clair.fullname" . }}