Add helm chart

Author: J12934

operator/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

operator/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: minio
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  version: 5.0.17
+digest: sha256:b35baf336cc13709979f3f0824963bfe658da479092085fafa61dd86f0ce6b89
+generated: "2020-03-19T17:36:50.79157+01:00"

operator/Chart.yaml

@@ -0,0 +1,19 @@
+apiVersion: v2
+name: operator
+description: secureCodeBox Operator to automate the execution of security scans on kubernetes
+
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: 1.16.0
+
+dependencies:
+  - name: minio
+    version: 5.0.17
+    repository: https://kubernetes-charts.storage.googleapis.com/
+    condition: minio.enabled

operator/charts/minio-5.0.17.tgz

@@ -18,29 +18,40 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:
   - serviceaccounts
   verbs:
   - create
   - get
+  - list
   - watch
 - apiGroups:
-  - rbac
+  - rbac.authorization.k8s.io
   resources:
   - rolebindings
   verbs:
   - create
   - get
+  - list
   - watch
 - apiGroups:
-  - rbac
+  - rbac.authorization.k8s.io
   resources:
   - roles
   verbs:
   - create
   - get
+  - list
   - watch
 - apiGroups:
   - scans.experimental.securecodebox.io

operator/config/rbac/role.yaml

@@ -60,9 +60,13 @@ type ScanReconciler struct {
 // +kubebuilder:rbac:groups=scans.experimental.securecodebox.io,resources=parsedefinitions,verbs=get;list;watch
 // +kubebuilder:rbac:groups=scans.experimental.securecodebox.io,resources=persistenceproviders,verbs=get;list;watch
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;watch;create
-// +kubebuilder:rbac:groups=rbac,resources=roles,verbs=get;watch;create
-// +kubebuilder:rbac:groups=rbac,resources=rolebindings,verbs=get;watch;create
+// Permissions needed to create service accounts for lurcher, parser and persistence providers
+
+// Pod permission are required to grant these permission to service accounts
+// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch
+// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;watch;list;create
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;watch;list;create
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;watch;list;create
 
 // Reconcile compares the scan object against the state of the cluster and updates both if needed
 func (r *ScanReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {

operator/controllers/scan_controller.go

@@ -0,0 +1,54 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  name: parsedefinitions.scans.experimental.securecodebox.io
+spec:
+  group: scans.experimental.securecodebox.io
+  names:
+    kind: ParseDefinition
+    plural: parsedefinitions
+  scope: ""
+  validation:
+    openAPIV3Schema:
+      description: ParseDefinition is the Schema for the parsedefinitions API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: ParseDefinitionSpec defines the desired state of ParseDefinition
+          properties:
+            handlesResultsType:
+              description: Foo is an example field of ParseDefinition. Edit ParseDefinition_types.go
+                to remove/update
+              type: string
+            image:
+              type: string
+          type: object
+        status:
+          description: ParseDefinitionStatus defines the observed state of ParseDefinition
+          type: object
+      type: object
+  version: v1
+  versions:
+  - name: v1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

operator/crds/scans.experimental.securecodebox.io_parsedefinitions.yaml

@@ -0,0 +1,151 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  name: persistenceproviders.scans.experimental.securecodebox.io
+spec:
+  group: scans.experimental.securecodebox.io
+  names:
+    kind: PersistenceProvider
+    plural: persistenceproviders
+  scope: ""
+  validation:
+    openAPIV3Schema:
+      description: PersistenceProvider is the Schema for the persistenceproviders
+        API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: PersistenceProviderSpec defines the desired state of PersistenceProvider
+          properties:
+            env:
+              items:
+                description: EnvVar represents an environment variable present in
+                  a Container.
+                properties:
+                  name:
+                    description: Name of the environment variable. Must be a C_IDENTIFIER.
+                    type: string
+                  value:
+                    description: 'Variable references $(VAR_NAME) are expanded using
+                      the previous defined environment variables in the container
+                      and any service environment variables. If a variable cannot
+                      be resolved, the reference in the input string will be unchanged.
+                      The $(VAR_NAME) syntax can be escaped with a double $$, ie:
+                      $$(VAR_NAME). Escaped references will never be expanded, regardless
+                      of whether the variable exists or not. Defaults to "".'
+                    type: string
+                  valueFrom:
+                    description: Source for the environment variable's value. Cannot
+                      be used if value is not empty.
+                    properties:
+                      configMapKeyRef:
+                        description: Selects a key of a ConfigMap.
+                        properties:
+                          key:
+                            description: The key to select.
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              TODO: Add other useful fields. apiVersion, kind, uid?'
+                            type: string
+                          optional:
+                            description: Specify whether the ConfigMap or its key
+                              must be defined
+                            type: boolean
+                        required:
+                        - key
+                        type: object
+                      fieldRef:
+                        description: 'Selects a field of the pod: supports metadata.name,
+                          metadata.namespace, metadata.labels, metadata.annotations,
+                          spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP,
+                          status.podIPs.'
+                        properties:
+                          apiVersion:
+                            description: Version of the schema the FieldPath is written
+                              in terms of, defaults to "v1".
+                            type: string
+                          fieldPath:
+                            description: Path of the field to select in the specified
+                              API version.
+                            type: string
+                        required:
+                        - fieldPath
+                        type: object
+                      resourceFieldRef:
+                        description: 'Selects a resource of the container: only resources
+                          limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage,
+                          requests.cpu, requests.memory and requests.ephemeral-storage)
+                          are currently supported.'
+                        properties:
+                          containerName:
+                            description: 'Container name: required for volumes, optional
+                              for env vars'
+                            type: string
+                          divisor:
+                            description: Specifies the output format of the exposed
+                              resources, defaults to "1"
+                            type: string
+                          resource:
+                            description: 'Required: resource to select'
+                            type: string
+                        required:
+                        - resource
+                        type: object
+                      secretKeyRef:
+                        description: Selects a key of a secret in the pod's namespace
+                        properties:
+                          key:
+                            description: The key of the secret to select from.  Must
+                              be a valid secret key.
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              TODO: Add other useful fields. apiVersion, kind, uid?'
+                            type: string
+                          optional:
+                            description: Specify whether the Secret or its key must
+                              be defined
+                            type: boolean
+                        required:
+                        - key
+                        type: object
+                    type: object
+                required:
+                - name
+                type: object
+              type: array
+            image:
+              description: Foo is an example field of PersistenceProvider. Edit PersistenceProvider_types.go
+                to remove/update
+              type: string
+          type: object
+        status:
+          description: PersistenceProviderStatus defines the observed state of PersistenceProvider
+          type: object
+      type: object
+  version: v1
+  versions:
+  - name: v1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

operator/crds/scans.experimental.securecodebox.io_persistenceproviders.yaml

@@ -0,0 +1,72 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  name: scans.scans.experimental.securecodebox.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.state
+    description: Scan State
+    name: State
+    type: string
+  group: scans.experimental.securecodebox.io
+  names:
+    kind: Scan
+    plural: scans
+  scope: ""
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: Scan is the Schema for the scans API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: ScanSpec defines the desired state of Scan
+          properties:
+            parameters:
+              items:
+                type: string
+              type: array
+            scanType:
+              type: string
+          type: object
+        status:
+          description: ScanStatus defines the observed state of Scan
+          properties:
+            rawResultFile:
+              description: RawResultFile Filename of the result file of the scanner.
+                e.g. `nmap-result.xml`
+              type: string
+            rawResultType:
+              description: RawResultType determines which kind of ParseDefinition
+                will be used to turn the raw results of the scanner into findings
+              type: string
+            state:
+              type: string
+          type: object
+      type: object
+  version: v1
+  versions:
+  - name: v1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []