Merge pull request #100 from nautobot/develop

Release 1.1.0
nautobot · Dec 20, 2021 · 529b052 · 529b052
2 parents 4c84e95 + 9ebd710
commit 529b052
Show file tree

Hide file tree

Showing 29 changed files with 1,503 additions and 141 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,110 @@
+---
+name: "CI"
+
+on:  # yamllint disable-line rule:truthy
+  workflow_dispatch:  # yamllint disable-line rule:empty-values
+  pull_request:  # yamllint disable-line rule:empty-values
+
+concurrency:
+  group: "${{ github.head_ref }}-ci"
+  cancel-in-progress: true
+
+jobs:
+  pre-commit-check:
+    name: "Run pre-commit checks"
+    runs-on: "ubuntu-20.04"
+    steps:
+      - name: "Checkout"
+        uses: "actions/checkout@v2"
+        with:
+          fetch-depth: 0
+
+      - name: "Setup Go"
+        uses: "actions/setup-go@v2"
+
+      - name: "Install helm-docs"
+        run: "go get github.com/norwoodj/helm-docs/cmd/helm-docs"
+        env:
+          GO111MODULE: "on"
+
+      - run: "echo $HOME/go/bin >> $GITHUB_PATH"
+
+      - uses: "dorny/paths-filter@v2"
+        id: "filter"
+        with:
+          list-files: "shell"
+          filters: |
+            addedOrModified:
+              - added|modified: '**'
+
+      # run only if changed files were detected
+      - name: "Run against changes"
+        uses: "pre-commit/[email protected]"
+        if: "steps.filter.outputs.addedOrModified == 'true'"
+        with:
+          extra_args: "--files ${{ steps.filter.outputs.addedOrModified_files }}"
+
+      # run if no changed files were detected (e.g. workflow_dispatch on main branch)
+      - name: "Run against all files"
+        uses: "pre-commit/[email protected]"
+        if: "steps.filter.outputs.addedOrModified != 'true'"
+        with:
+          extra_args: "--all-files"
+
+  snyk-security-check:
+    name: "Snyk Security Scanning"
+    runs-on: "ubuntu-20.04"
+    steps:
+      - name: "Checkout"
+        uses: "actions/checkout@v2"
+      - uses: "azure/setup-helm@v1"
+      - run: "mkdir template_output"
+      - run: "helm template -f charts/nautobot/linter_values.yaml charts/nautobot --output-dir=./template_output/test-postgresql"
+      - run: "helm template -f charts/nautobot/linter_values_mysql.yaml charts/nautobot --output-dir=./template_output/test-mysql"
+      - run: "helm template -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot --output-dir=./template_output/test-postgresql-ha"
+      - name: "Run Snyk to check template files for security issues"
+        # Snyk can be used to break the build when it detects security issues.
+        # In this case we want to upload the issues to GitHub Code Scanning
+        continue-on-error: true
+        uses: "snyk/actions/iac@master"
+        env:
+          # In order to use the Snyk Action you will need to have a Snyk API token.
+          # More details in https://github.com/snyk/actions#getting-your-snyk-token
+          SNYK_TOKEN: "${{ secrets.SNYK_TOKEN }}"
+        with:
+          # Add the path to the configuration file that you would like to test.
+          # For example `deployment.yaml` for a Kubernetes deployment manifest
+          # or `main.tf` for a Terraform configuration file
+          file: "./template_output"
+      - name: "Upload result to GitHub Code Scanning"
+        uses: "github/codeql-action/upload-sarif@v1"
+        with:
+          sarif_file: "snyk.sarif"
+
+  kubescape-security-check:
+    name: "Kubescape Security Scanning"
+    runs-on: "ubuntu-20.04"
+    steps:
+      - name: "Checkout"
+        uses: "actions/checkout@v2"
+      - uses: "azure/setup-helm@v1"
+      - name: "Install Kubescape"
+        run: "curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash"
+      - name: "Kubescape NSA Scan - PostgreSQL"
+        run: "helm template -f charts/nautobot/linter_values.yaml charts/nautobot | kubescape scan framework nsa - --fail-threshold 100 --exceptions ./kubescape-exceptions.json"
+      - name: "Kubescape NSA Scan - MySQL"
+        run: "helm template -f charts/nautobot/linter_values_mysql.yaml charts/nautobot | kubescape scan framework nsa - --fail-threshold 100 --exceptions ./kubescape-exceptions.json"
+      - name: "Kubescape NSA Scan - PostgreSQL HA"
+        run: "helm template -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot | kubescape scan framework nsa - --fail-threshold 100 --exceptions ./kubescape-exceptions.json"
+      - name: "Kubescape MITRE Scan - PostgreSQL"
+        run: "helm template -f charts/nautobot/linter_values.yaml charts/nautobot | kubescape scan framework mitre - --fail-threshold 100 --exceptions ./kubescape-exceptions.json"
+      - name: "Kubescape MITRE Scan - MySQL"
+        run: "helm template -f charts/nautobot/linter_values_mysql.yaml charts/nautobot | kubescape scan framework mitre - --fail-threshold 100 --exceptions ./kubescape-exceptions.json"
+      - name: "Kubescape MITRE Scan - PostgreSQL HA"
+        run: "helm template -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot | kubescape scan framework mitre - --fail-threshold 100 --exceptions ./kubescape-exceptions.json"
+      - name: "Kubescape ARMOBest Scan - PostgreSQL"
+        run: "helm template -f charts/nautobot/linter_values.yaml charts/nautobot | kubescape scan framework armobest - --fail-threshold 100 --exceptions ./kubescape-exceptions.json"
+      - name: "Kubescape ARMOBest Scan - MySQL"
+        run: "helm template -f charts/nautobot/linter_values_mysql.yaml charts/nautobot | kubescape scan framework armobest - --fail-threshold 100 --exceptions ./kubescape-exceptions.json"
+      - name: "Kubescape ARMOBest Scan - PostgreSQL HA"
+        run: "helm template -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot | kubescape scan framework armobest - --fail-threshold 100 --exceptions ./kubescape-exceptions.json"
diff --git a/.github/workflows/pre-commit-check.yaml b/.github/workflows/pre-commit-check.yaml
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 <!--- Renovate --->
 
+## 1.1.0 - 2021-12-20
+### Added
+- Security scanning provided by Snyk and Kubescan to CI process
+- Security remediations for most findings from security scanners, notably:
+
+```yaml
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+```
+
+was added to nearly all containers.
+- PostgreSQL High Availability support
+- Redis Sentinel Support
+- MySQL Support
+- Support for scheduled jobs with Nautobot 1.2
+
+### Changed
+- Updated to Nautobot 1.2.1
+- Improved Redis TLS documentation
+- Upgraded sub-chart dependencies
+
 ## 1.0.4 - 2021-12-10
 ### Changed
 - Update ghcr.io/nautobot/nautobot Docker tag to v1.1.6

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -1,10 +1,10 @@
 # Contributing
 
-This section describes how to install Nautobot *helm-charts* for development, how to run tests, and make sure you are a good contributor.
+This section describes how to install Nautobot *helm-charts* for development, how to run tests and make sure you are a good contributor.
 
 ## Branches
 
-- `main` - Reserved for current release
+- `main` - Reserved for the current release
 - `develop` - Ready to release code, bases for new PRs
 - `gh-pages` - Reserved to host the chart repository using GitHub Pages
 - `<feature>` - Individual feature branches, should be PR'd to `develop`.
@@ -30,27 +30,27 @@ The following dependencies are required for development, their installation is o
 $ pre-commit run -av
 ```
 
-In some cases, such as documentation updates pre-commit will actually make the docs changes for you so it's possible to run the command above 1 time, it will fail because an update was necessary, but on subsequent runs it will succeed.
+In some cases, such as documentation updates pre-commit will actually make the docs changes for you so it's possible to run the command above 1 time, it will fail because an update was necessary, but on subsequent runs, it will succeed.
 
 Before pushing any code the pre-commit tests should all pass locally, these tests will again be run by the CI process and will prevent CI from succeeding.
 
 ### Linting
 
-Pre-commit runs several [built-in hooks](https://pre-commit.com/hooks.html) for linting linting tasks such as:
+Pre-commit runs several [built-in hooks](https://pre-commit.com/hooks.html) for linting tasks such as:
 
 * `check-case-conflict` - Check for files that would conflict in case-insensitive filesystems.
 * `check-json` - This hook checks json files for parseable syntax.
 * `check-yaml` - This hook checks yaml files for parseable syntax.
 * `check-merge-conflict` - Check for files that contain merge conflict strings.
-* `end-of-file-fixer` - Ensures that a file is either empty, or ends with one newline.
+* `end-of-file-fixer` - Ensures that a file is either empty or ends with one newline.
 * `fix-byte-order-marker` - removes UTF-8 byte order marker.
 * `mixed-line-ending` - Replaces or checks mixed line ending.
 * `pretty-format-json` - This hook sets a standard for formatting JSON files.
 * `trailing-whitespace` - This hook trims trailing whitespace.
 
 Some other [generic linting from Lucas-C](https://github.com/Lucas-C/pre-commit-hooks):
 
-* `remove-crlf` - Removes carriage return followed by line feed to keep all files in Unix style format.
+* `remove-crlf` - Removes carriage return followed by a line feed to keep all files in Unix style format.
 * `remove-tabs` - Removes tabs to keep all spacing using standard spaces.
 
 Project specific linting includes:
@@ -64,6 +64,15 @@ To run a single check from the above list run:
 $ pre-commit run -av {check name}
 ```
 
+### Security Scanning
+
+For security scanning we utilize both:
+
+* [Kubescape](https://github.com/armosec/kubescape)
+* [Snyk](https://snyk.io/)
+
+These tools can be run locally and are also run as part of the CI pipeline to validate the security posture of the helm charts.
+
 ### Helm tests
 
 Coming soon...

diff --git a/README.md b/README.md
@@ -4,10 +4,10 @@
 <!-- ALL-CONTRIBUTORS-BADGE:END -->
 
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white&style=for-the-badge)](https://github.com/pre-commit/pre-commit)
-[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/nautobot&style=for-the-badge)](https://artifacthub.io/packages/search?repo=nautobot)
-<!-- [![renovate](https://img.shields.io/badge/renovate-enabled-brightgreen?style=for-the-badge&logo=data:image/svg+xml;base64,)](https://github.com/renovatebot/renovate) -->
+[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/nautobot&style=for-the-badge)](https://artifacthub.io/packages/helm/nautobot/nautobot)
+[![renovate](https://img.shields.io/badge/renovate-enabled-brightgreen?style=for-the-badge&logo=data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjUgNSAzNzAgMzcwIj48Y2lyY2xlIGN4PSIxODkiIGN5PSIxOTAiIHI9IjE4NCIgZmlsbD0iI2ZlMiIvPjxwYXRoIGZpbGw9IiM4YmIiIGQ9Ik0yNTEgMjU2bC0zOC0zOGExNyAxNyAwIDAxMC0yNGw1Ni01NmMyLTIgMi02IDAtN2wtMjAtMjFhNSA1IDAgMDAtNyAwbC0xMyAxMi05LTggMTMtMTNhMTcgMTcgMCAwMTI0IDBsMjEgMjFjNyA3IDcgMTcgMCAyNGwtNTYgNTdhNSA1IDAgMDAwIDdsMzggMzh6Ii8+PHBhdGggZmlsbD0iI2Q1MSIgZD0iTTMwMCAyODhsLTggOGMtNCA0LTExIDQtMTYgMGwtNDYtNDZjLTUtNS01LTEyIDAtMTZsOC04YzQtNCAxMS00IDE1IDBsNDcgNDdjNCA0IDQgMTEgMCAxNXoiLz48cGF0aCBmaWxsPSIjYjMwIiBkPSJNMjg1IDI1OGw3IDdjNCA0IDQgMTEgMCAxNWwtOCA4Yy00IDQtMTEgNC0xNiAwbC02LTdjNCA1IDExIDUgMTUgMGw4LTdjNC01IDQtMTIgMC0xNnoiLz48cGF0aCBmaWxsPSIjYTMwIiBkPSJNMjkxIDI2NGw4IDhjNCA0IDQgMTEgMCAxNmwtOCA3Yy00IDUtMTEgNS0xNSAwbC05LThjNSA1IDEyIDUgMTYgMGw4LThjNC00IDQtMTEgMC0xNXoiLz48cGF0aCBmaWxsPSIjZTYyIiBkPSJNMjYwIDIzM2wtNC00Yy02LTYtMTctNi0yMyAwLTcgNy03IDE3IDAgMjRsNCA0Yy00LTUtNC0xMSAwLTE2bDgtOGM0LTQgMTEtNCAxNSAweiIvPjxwYXRoIGZpbGw9IiNiNDAiIGQ9Ik0yODQgMzA0Yy00IDAtOC0xLTExLTRsLTQ3LTQ3Yy02LTYtNi0xNiAwLTIybDgtOGM2LTYgMTYtNiAyMiAwbDQ3IDQ2YzYgNyA2IDE3IDAgMjNsLTggOGMtMyAzLTcgNC0xMSA0em0tMzktNzZjLTEgMC0zIDAtNCAybC04IDdjLTIgMy0yIDcgMCA5bDQ3IDQ3YTYgNiAwIDAwOSAwbDctOGMzLTIgMy02IDAtOWwtNDYtNDZjLTItMi0zLTItNS0yeiIvPjxwYXRoIGZpbGw9IiMxY2MiIGQ9Ik0xNTIgMTEzbDE4LTE4IDE4IDE4LTE4IDE4em0xLTM1bDE4LTE4IDE4IDE4LTE4IDE4em0tOTAgODlsMTgtMTggMTggMTgtMTggMTh6bTM1LTM2bDE4LTE4IDE4IDE4LTE4IDE4eiIvPjxwYXRoIGZpbGw9IiMxZGQiIGQ9Ik0xMzQgMTMxbDE4LTE4IDE4IDE4LTE4IDE4em0tMzUgMzZsMTgtMTggMTggMTgtMTggMTh6Ii8+PHBhdGggZmlsbD0iIzJiYiIgZD0iTTExNiAxNDlsMTgtMTggMTggMTgtMTggMTh6bTU0LTU0bDE4LTE4IDE4IDE4LTE4IDE4em0tODkgOTBsMTgtMTggMTggMTgtMTggMTh6bTEzOS04NWwyMyAyM2M0IDQgNCAxMSAwIDE2TDE0MiAyNDBjLTQgNC0xMSA0LTE1IDBsLTI0LTI0Yy00LTQtNC0xMSAwLTE1bDEwMS0xMDFjNS01IDEyLTUgMTYgMHoiLz48cGF0aCBmaWxsPSIjM2VlIiBkPSJNMTM0IDk1bDE4LTE4IDE4IDE4LTE4IDE4em0tNTQgMThsMTgtMTcgMTggMTctMTggMTh6bTU1LTUzbDE4LTE4IDE4IDE4LTE4IDE4em05MyA0OGwtOC04Yy00LTUtMTEtNS0xNiAwTDEwMyAyMDFjLTQgNC00IDExIDAgMTVsOCA4Yy00LTQtNC0xMSAwLTE1bDEwMS0xMDFjNS00IDEyLTQgMTYgMHoiLz48cGF0aCBmaWxsPSIjOWVlIiBkPSJNMjcgMTMxbDE4LTE4IDE4IDE4LTE4IDE4em01NC01M2wxOC0xOCAxOCAxOC0xOCAxOHoiLz48cGF0aCBmaWxsPSIjMGFhIiBkPSJNMjMwIDExMGwxMyAxM2M0IDQgNCAxMSAwIDE2TDE0MiAyNDBjLTQgNC0xMSA0LTE1IDBsLTEzLTEzYzQgNCAxMSA0IDE1IDBsMTAxLTEwMWM1LTUgNS0xMSAwLTE2eiIvPjxwYXRoIGZpbGw9IiMxYWIiIGQ9Ik0xMzQgMjQ4Yy00IDAtOC0yLTExLTVsLTIzLTIzYTE2IDE2IDAgMDEwLTIzTDIwMSA5NmExNiAxNiAwIDAxMjIgMGwyNCAyNGM2IDYgNiAxNiAwIDIyTDE0NiAyNDNjLTMgMy03IDUtMTIgNXptNzgtMTQ3bC00IDItMTAxIDEwMWE2IDYgMCAwMDAgOWwyMyAyM2E2IDYgMCAwMDkgMGwxMDEtMTAxYTYgNiAwIDAwMC05bC0yNC0yMy00LTJ6Ii8+PC9zdmc+)](https://github.com/renovatebot/renovate)
 
-This repo is intented to house [Helm](https://helm.sh/) charts for the Nautobot project, today there is one Nautobot chart but we are ready for more if the need arises.  Helm is the unofficial package manager for Kubernetes, it provides a simple way for users to deploy applications to Kubernetes without defining custom Kubernetes manifests.  This allows users of all experience levels to deploy applications the way the developers intend for them to be deployed.  Helm is capable of also providing restrictions and tests to validate the deployment configuration.
+This repo is intended to house [Helm](https://helm.sh/) charts for the Nautobot project, today there is one Nautobot chart but we are ready for more if the need arises.  Helm is the unofficial package manager for Kubernetes, it provides a simple way for users to deploy applications to Kubernetes without defining custom Kubernetes manifests.  This allows users of all experience levels to deploy applications the way the developers intend for them to be deployed.  Helm is capable of also providing restrictions and tests to validate the deployment configuration.
 
 ## Usage
 

diff --git a/charts/nautobot/Chart.lock b/charts/nautobot/Chart.lock
@@ -1,12 +1,18 @@
 dependencies:
 - name: redis
   repository: https://charts.bitnami.com/bitnami
-  version: 14.8.11
+  version: 15.6.7
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
-  version: 10.9.5
+  version: 10.13.14
+- name: postgresql-ha
+  repository: https://charts.bitnami.com/bitnami
+  version: 8.1.2
+- name: mariadb
+  repository: https://charts.bitnami.com/bitnami
+  version: 10.1.1
 - name: common
   repository: https://charts.bitnami.com/bitnami
-  version: 1.8.0
-digest: sha256:0f4815616bc7c2d4770708133b646a5e83a797d3e1f3888a91ddf01b0a4ee2f4
-generated: "2021-09-10T07:24:13.246116-06:00"
+  version: 1.10.3
+digest: sha256:113aa6347e7c54f40f07641f76e032397d434f72a8997022725a34d5abc25ce5
+generated: "2021-12-16T11:01:22.510851-07:00"
diff --git a/charts/nautobot/Chart.yaml b/charts/nautobot/Chart.yaml
@@ -6,7 +6,7 @@ annotations:
   artifacthub.io/prerelease: "false"
   artifacthub.io/images: |
     - name: nautobot
-      image: ghcr.io/nautobot/nautobot:1.1.6
+      image: ghcr.io/nautobot/nautobot:1.2.1
   artifacthub.io/links: |
     - name: Nautobot Documentation
       url: https://nautobot.readthedocs.io/en/stable/
@@ -20,34 +20,47 @@ annotations:
     - title: Prefix hierarchy
       url: https://raw.githubusercontent.com/nautobot/nautobot/develop/nautobot/docs/media/screenshot3.png
   artifacthub.io/changes: |
-    - kind: changed
-      description: Update ghcr.io/nautobot/nautobot Docker tag to v1.1.6
     - kind: added
-      description: Added backup and restore procedures
+      description: Security Scanning & Remediations for medium/high findings
       links:
         - name: Github Issue
-          url: https://github.com/nautobot/helm-charts/issues/16
+          url: https://github.com/nautobot/helm-charts/issues/87
     - kind: added
-      description: Added documentation to enable PostgreSQL and Redis TLS
+      description: PostgreSQL High Availability Support
       links:
         - name: Github Issue
-          url: https://github.com/nautobot/helm-charts/issues/46
+          url: https://github.com/nautobot/helm-charts/issues/35
+    - kind: changed
+      description: Update ghcr.io/nautobot/nautobot Docker tag to v1.2.1
     - kind: added
-      description: Added annotations for the serviceaccount
+      description: Redis Sentinel Documentation
+      links:
+        - name: Github Issue
+          url: https://github.com/nautobot/helm-charts/issues/35
+    - kind: added
+      description: MySQL Support
+      links:
+        - name: Github Issue
+          url: https://github.com/nautobot/helm-charts/issues/15
+    - kind: changed
+      description: Updated Redis with TLS documentation
       links:
         - name: Github Issue
-          url: https://github.com/nautobot/helm-charts/issues/58
+          url: https://github.com/nautobot/helm-charts/issues/57
+    - kind: changed
+      description: Bumping sub-chart dependencies
     - kind: changed
-      description: Update ghcr.io/nautobot/nautobot Docker tag to v1.1.5
+      description: Upgraded Nautobot to 1.2.1
+      links:
+        - name: Github Issue
+          url: https://github.com/nautobot/helm-charts/issues/47
     - kind: added
-      description: Added Artifact Hub images annotation for security scanning.
+      description: Added Celery Beat for Nautobot 1.2 support
       links:
-        - name: Artifact Hub documentation
-          url: https://artifacthub.io/docs/topics/annotations/helm/
         - name: Github Issue
-          url: https://github.com/nautobot/helm-charts/issues/56
+          url: https://github.com/nautobot/helm-charts/issues/47
 apiVersion: "v2"
-appVersion: "1.1.6"
+appVersion: "1.2.1"
 dependencies:
   - condition: "redis.enabled"
     name: "redis"
@@ -57,6 +70,15 @@ dependencies:
     name: "postgresql"
     repository: "https://charts.bitnami.com/bitnami"
     version: "10.x.x"
+  - condition: "postgresqlha.enabled"
+    name: "postgresql-ha"
+    repository: "https://charts.bitnami.com/bitnami"
+    version: "8.x.x"
+    alias: "postgresqlha"
+  - condition: "mariadb.enabled"
+    name: "mariadb"
+    repository: "https://charts.bitnami.com/bitnami"
+    version: "10.x.x"
   - name: "common"
     repository: "https://charts.bitnami.com/bitnami"
     tags:
@@ -78,4 +100,4 @@ name: "nautobot"
 sources:
   - "https://github.com/nautobot/nautobot"
   - "https://github.com/nautobot/helm-charts"
-version: "1.0.4"
+version: "1.1.0"