wip: updated the chart/template

Signed-off-by: Rahul Vishwakarma <[email protected]>

Author: manzil-infinity180

chart/templates/cert-manager.yaml

@@ -0,0 +1,24 @@
+# for running this you need to have cert-manager install on your cluster
+# Installation: https://cert-manager.io/docs/installation/
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned
+  namespace: {{ .Values.image.namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: webhook1-certificate
+  namespace: {{ .Values.image.namespace }}
+spec:
+  secretName: "{{ .Chart.Name }}-tls"            # Secret mounted in deployment
+  dnsNames:
+    - "{{ include "chart.fullname" . }}.{{ .Values.image.namespace }}.svc"
+    - "{{ include "chart.fullname" . }}.{{ .Values.image.namespace }}.svc.cluster.local"
+  issuerRef:
+    name: selfsigned
+---

chart/templates/clusterrole.yaml

@@ -5,10 +5,16 @@ metadata:
 rules:
   - apiGroups: ["apps"]
     resources: ["deployments"]
-    verbs: ["get", "list", "watch"]
+    verbs: [ "get", "list", "watch", "create", "update", "patch" ]
   - apiGroups: [""]
     resources: ["services"]
     verbs: ["get", "list", "watch", "create", "update"]
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses"]
     verbs: ["get", "list", "watch", "create", "update"]
+  - apiGroups: [ "admissionregistration.k8s.io" ]
+    resources: [ "validatingwebhookconfigurations" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch" ]

chart/templates/clusterrolebinding.yaml

@@ -4,9 +4,9 @@ metadata:
   name: {{ include "chart.fullname" . }}
 subjects:
   - kind: ServiceAccount
-    name: {{ include "chart.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    name: default
+    namespace: {{ .Values.image.namespace }}
 roleRef:
   kind: ClusterRole
   name: {{ include "chart.fullname" . }}
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io

chart/templates/deployment.yaml

@@ -2,72 +2,32 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "chart.fullname" . }}
-  labels:
-    {{- include "chart.labels" . | nindent 4 }}
+  namespace: {{ .Values.image.namespace }}
 spec:
-  {{- if not .Values.autoscaling.enabled }}
-  replicas: {{ .Values.replicaCount }}
-  {{- end }}
+  replicas: 1
   selector:
     matchLabels:
-      {{- include "chart.selectorLabels" . | nindent 6 }}
+      k8s.custom.controller: k8s-custom-controller
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
       labels:
-        {{- include "chart.labels" . | nindent 8 }}
-        {{- with .Values.podLabels }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
+        k8s.custom.controller: k8s-custom-controller
     spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "chart.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
-          {{- with .Values.securityContext }}
-          securityContext:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          volumeMounts:
+            - name: {{ .Values.webhook.volumeMounts }}
+              mountPath: /certs
+              readOnly: true
           env:
+            - name: TLS_CERT_FILE
+              value: "/certs/tls.crt"
+            - name: TLS_KEY_FILE
+              value: "/certs/tls.key"
             - name: CONTEXT
-              value: {{ .Values.context | quote }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          ports:
-            - name: http
-              containerPort: {{ .Values.service.port }}
-              protocol: TCP
-          {{- with .Values.resources }}
-          resources:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          {{- with .Values.volumeMounts }}
-          volumeMounts:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-      {{- with .Values.volumes }}
+              value: "kind-practice"
       volumes:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
+        - name: {{ .Values.webhook.volumeMounts }}
+          secret:
+            secretName: "{{ .Chart.Name }}-tls"

chart/templates/ingress.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.image.namespace }}

chart/templates/namespace.yaml

@@ -2,14 +2,12 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "chart.fullname" . }}
-  labels:
-    {{- include "chart.labels" . | nindent 4 }}
+  namespace: {{ .Values.image.namespace }}
 spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: 8000 #http
-      protocol: TCP
-      name: http
   selector:
-    {{- include "chart.selectorLabels" . | nindent 4 }}
+    k8s.custom.controller: k8s-custom-controller
+  ports:
+    - protocol: TCP
+      port: {{ .Values.service.port }}
+      targetPort: 8000
+  type: ClusterIP

chart/templates/service.yaml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.trivy.name }}
+  labels:
+    app: {{ .Values.trivy.name }}
+spec:
+  replicas: 1 # You can adjust the number of replicas for high availability
+  selector:
+    matchLabels:
+      app: {{ .Values.trivy.name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.trivy.name }}
+    spec:
+      containers:
+        - name: {{ .Values.trivy.name }}
+          image: "{{ .Values.trivy.image }}:{{ .Values.trivy.tag }}"# aquasec/trivy:latest # Use a specific version instead of latest in production
+          args: ["server", "--listen", "0.0.0.0:8080"] # Listen on all interfaces
+          ports:
+            - containerPort: 8080
+              name: http
+#          volumeMounts:
+#            - name: trivy-cache
+#              mountPath: /root/.cache/trivy
+#      volumes:
+#        - name: trivy-cache
+#          persistentVolumeClaim:
+#            claimName: trivy-cache-pvc

chart/templates/trivy-deployment.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Values.trivy.name }}-service"
+  labels:
+    app: {{ .Values.trivy.name }}
+spec:
+  selector:
+    app: {{ .Values.trivy.name }}
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 8080
+  type: ClusterIP

chart/templates/trivy-service.yaml

@@ -0,0 +1,24 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: {{ .Values.webhook.name }}
+  annotations:
+    cert-manager.io/inject-ca-from: "{{ .Values.image.namespace }}/{{ .Values.webhook.name }}-certificate"
+webhooks:
+  - name: "{{ include "chart.fullname" . }}.{{ .Values.image.namespace }}.svc"
+    admissionReviewVersions:
+      - v1
+    sideEffects: None
+    timeoutSeconds: 30
+    clientConfig:
+      service:
+        name: {{ include "chart.fullname" . }}
+        namespace: {{ .Values.image.namespace }}
+        path: /validate
+        port: {{ .Values.service.port }}
+    rules:
+      - apiGroups: [ "apps" ]
+        apiVersions: [ "v1" ]
+        operations: [ "CREATE" ]
+        resources: [ "deployments" ]
+    failurePolicy: Fail