From 2df3a8feba625e73edc710d3a9759fbb2ed9d07a Mon Sep 17 00:00:00 2001
From: Dan Manners
Date: Fri, 10 Nov 2023 16:06:12 -0600
Subject: [PATCH] Functional
---
 .../workloads/kubeclarity/db-root-creds.yaml | 9 +++++
 manifests/workloads/kubeclarity/initdb.yaml | 35 +++++++++++++++++++
 .../workloads/kubeclarity/kustomization.yaml | 1 +
 .../workloads/kubeclarity/postgresSecret.yaml | 2 +-
 manifests/workloads/kubeclarity/values.yaml | 6 ++--
 5 files changed, 49 insertions(+), 4 deletions(-)
 create mode 100644 manifests/workloads/kubeclarity/db-root-creds.yaml
 create mode 100644 manifests/workloads/kubeclarity/initdb.yaml
diff --git a/manifests/workloads/kubeclarity/db-root-creds.yaml b/manifests/workloads/kubeclarity/db-root-creds.yaml
new file mode 100644
index 00000000..e701317e
--- /dev/null
+++ b/manifests/workloads/kubeclarity/db-root-creds.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+ password: dUJnenFVMWU3N3dQeEpKc29CZzRoQmpwR09keHMx
+ username: cG9zdGdyZXM=
+kind: Secret
+metadata:
+ name: postgres-superuser
+ namespace: kubeclarity
+type: kubernetes.io/basic-auth
diff --git a/manifests/workloads/kubeclarity/initdb.yaml b/manifests/workloads/kubeclarity/initdb.yaml
new file mode 100644
index 00000000..9b51229d
--- /dev/null
+++ b/manifests/workloads/kubeclarity/initdb.yaml
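Review bot: `db-root-creds.yaml` commits the Postgres superuser credential as a plain `kind: Secret` whose `data` values are only base64-encoded, which is reversible encoding rather than encryption, so the password is readable by anyone with access to this repository or its history. The sibling `postgresSecret.yaml` touched in this same commit keeps its value under `encryptedData` (it appears to be a SealedSecret); this file should follow the same pattern, with the `postgres-superuser` password sealed rather than base64-encoded, before `kustomization.yaml` lists it in `resources`. Because the value already sits in git history, the credential should be treated as disclosed and rotated once the sealed replacement is in place. `username: cG9zdGdyZXM=` decodes to `postgres`, i.e. the cluster superuser; if the `initdb` Job in this commit only needs to create a database and role, a dedicated bootstrap role with just those grants would limit what this secret can do if it leaks again.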
@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kubeclarity-initdb
+ namespace: kubeclarity
+ labels:
+ app: kubeclarity
+spec:
+ backoffLimit: 4
+ template:
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: kubeclarity-initdb
+ image: core.harbor.homelab.danmanners.com/ghcr.io/onedr0p/postgres-initdb:14.8
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: POSTGRES_HOST
+ value: "primary-rw.postgres.svc.cluster.local"
+ - name: POSTGRES_DB
+ value: kubeclarity
+ - name: POSTGRES_SUPER_PASS
+ valueFrom:
+ secretKeyRef:
+ name: postgres-superuser
+ key: password
+ - name: POSTGRES_USER
+ value: kubeclarity
+ - name: POSTGRES_PASS
+ valueFrom:
+ secretKeyRef:
+ name: kubeclarity-postgresql-secret
+ key: secretKey
+ - name: POSTGRES_PORT
+ value: "5432"
diff --git a/manifests/workloads/kubeclarity/kustomization.yaml b/manifests/workloads/kubeclarity/kustomization.yaml
index f2e1a4bb..47b0fb78 100644
--- a/manifests/workloads/kubeclarity/kustomization.yaml
+++ b/manifests/workloads/kubeclarity/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 namespace: kubeclarity
 resources:
+- db-root-creds.yaml
 - external-dns.yaml
 - ingress-basicAuth.yaml
 - postgresSecret.yaml
diff --git a/manifests/workloads/kubeclarity/postgresSecret.yaml b/manifests/workloads/kubeclarity/postgresSecret.yaml
index 5717404c..acbdd540 100644
--- a/manifests/workloads/kubeclarity/postgresSecret.yaml
+++ b/manifests/workloads/kubeclarity/postgresSecret.yaml
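Review bot: The `kubeclarity-initdb` container in `initdb.yaml` declares no `securityContext`, so the Job runs as whatever user the image defaults to, with privilege escalation allowed and the default capability set, and a namespace enforcing the Pod Security `restricted` profile would reject it. A container-level `securityContext` as below closes that gap; if the `postgres-initdb` image runs as root by default, `runAsNonRoot: true` will need an accompanying `runAsUser` or the pod will fail to start. The image is pinned only by the mutable tag `14.8` on a pull-through mirror, so pinning by `@sha256:` digest would make this one-shot bootstrap job reproducible and tamper-evident. The `secretKeyRef` to `kubeclarity-postgresql-secret`/`secretKey` cannot be checked from this patch, because the `postgresSecret.yaml` hunk shows only the `encryptedData.secretKey` field and not the object's `metadata.name`; worth confirming they line up, since a mismatch only surfaces as a failed pod at runtime.
```yaml
        - name: kubeclarity-initdb
          # … unchanged: image, imagePullPolicy, env …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
```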
@@ -6,7 +6,7 @@ metadata:
 namespace: kubeclarity
 spec:
 encryptedData:
- secretKey: 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
+ secretKey: AgBPP/TI3HUni5Cy5nFvEDPS/zvo8rZqx+vWRNNgajuq/nUEJFxoJ6CkcvZKBZTfiJnjYsqduwQ+bEbCN0RsKitMWhJGMCVBPdvPTF6qqfrXurck7+DIacShz53ZUQ81Q0ngns7PaDZnzHSqNyJe9+Nb8hMjfM6WzNTR8KBAbbpFg7Aj0oINhqCoqbMa+CTNJp0MdTGb5aOC5om6KHudWg4r195MsQ4MyA5NZgKMtBDSDK/NeJA055D47alcSFzVA5ukyFmeREJl4TepCXjKmJYNEzYoNPM1JR5wGLru2MvsRznYdwXpDuvEMzABKKxhAFyUkdZXiGge4uTt+G7bamy+wmRkQNqSAp2/sZnh988n7yOujey0vrVBBrf/pgU5iIPi1AvZJ715zwopfwRe3opMcMqsDic1FpBp7Qgg8xy22bROvBCip7NflxJthy73XY5adClesU4it6GWK/c8pQnW/K+1LgyX9nHVb53d1T3+u4kh3uFm+PH3YfVTFNhkbeUFgmAPCrKHPIWNZLxV3vu7Fne0R6vwTY5gxni9SFDxWeON3OlNNL4a5f58D7jODTSC2baeq5X/7w9BrqfL/tQ1A5S9TvA1Z1W4mDFGnyLDFvsk1FyIdQ/PDyj3U5e6I7EzRu1XVQe+C0vpjt14PI6iIoj6o/0dCB0W7K/F+QcPNEH2syYvcjhVCOeR2p1D1olN1fNoxdmW1RbKebeZSZP588d6bL0q4oP0v5tIGfoBJ9p1aDeF9kbl5qdZE1Un4gj1Xv1Who99HnugUSA=
 template:
 metadata:
 creationTimestamp: null
diff --git a/manifests/workloads/kubeclarity/values.yaml b/manifests/workloads/kubeclarity/values.yaml
index 581cfe21..e0e996a1 100644
--- a/manifests/workloads/kubeclarity/values.yaml
+++ b/manifests/workloads/kubeclarity/values.yaml
@@ -171,7 +171,7 @@ kubeclarity-runtime-scan:
 ## Scanner config.
 scanner:
 ## Space seperated list of scanners. (grype dependency-track)
- scannerList: "grype"
+ scannerList: "grype dependency-track trivy"
 grype:
 ## Enable grype scanner, if true make sure to add it to scannerList above
@@ -187,7 +187,7 @@ kubeclarity-runtime-scan:
 dependency-track:
 ## Enable dependency-track scanner, if true make sure to add it to scannerList above
 ##
- enabled: false
+ enabled: true
 insecureSkipVerify: "true"
 disableTls: "true"
 apiserverAddress: "dependency-track-apiserver.dependency-track"
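Review bot: Flipping `dependency-track.enabled` to `true` in `values.yaml` makes the pre-existing `disableTls: "true"` and `insecureSkipVerify: "true"` two lines below live, so the runtime scanner now ships its results to `dependency-track-apiserver.dependency-track` over a plaintext in-cluster connection, and any API credential it presents (not visible in this hunk) travels in the clear; verification would also be off if TLS were later re-enabled without touching the second flag. If the apiserver can present a cluster-trusted certificate, this change should be paired with `disableTls: "false"` and `insecureSkipVerify: "false"`. If plaintext in-cluster traffic is an accepted trade-off, a comment such as `## TLS intentionally disabled: in-cluster hop only, accepted <date/owner>` next to `disableTls` would keep the next reader from treating it as an oversight.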
@@ -197,7 +197,7 @@ kubeclarity-runtime-scan:
 ## Enable trivy scanner, if true make sure to add it to scannerList above.
 ## To guarentee reliable scans, also ensure that the trivy analyzer is enabled.
 ##
- enabled: false
+ enabled: true
 timeout: "300"