From 6acfd522a890af30d4c4f657cf70a57e25028633 Mon Sep 17 00:00:00 2001 From: Marius Bordeianu Date: Tue, 21 Dec 2021 11:50:11 +0100 Subject: [PATCH 01/11] EN-274: Helm chart for gremlin integrations agent --- README.md | 40 +++- gremlin-integrations/.helmignore | 23 ++ gremlin-integrations/Chart.yaml | 28 +++ gremlin-integrations/README.md | 196 ++++++++++++++++++ gremlin-integrations/templates/_helpers.tpl | 117 +++++++++++ .../templates/deployment.yaml | 117 +++++++++++ .../templates/secret-ssl-cert-file.yaml | 16 ++ gremlin-integrations/templates/secret.yaml | 25 +++ .../templates/serviceaccount.yaml | 12 ++ gremlin-integrations/values.yaml | 95 +++++++++ 10 files changed, 666 insertions(+), 3 deletions(-) create mode 100644 gremlin-integrations/.helmignore create mode 100644 gremlin-integrations/Chart.yaml create mode 100644 gremlin-integrations/README.md create mode 100644 gremlin-integrations/templates/_helpers.tpl create mode 100644 gremlin-integrations/templates/deployment.yaml create mode 100644 gremlin-integrations/templates/secret-ssl-cert-file.yaml create mode 100644 gremlin-integrations/templates/secret.yaml create mode 100644 gremlin-integrations/templates/serviceaccount.yaml create mode 100644 gremlin-integrations/values.yaml diff --git a/README.md b/README.md index f5d485e..559699c 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # Gremlin Helm Charts -This repository hosts the official **Gremlin Helm Charts** to deploy **Gremlin** products to [Kubernetes](https://kubernetes.io/) +This repository hosts the official **Gremlin Helm Charts** to deploy **Gremlin** products +to [Kubernetes](https://kubernetes.io/) ## Install Helm 
@@ -10,8 +11,13 @@ Get the latest [Helm release](https://github.com/kubernetes/helm#install). Add this Chart repo to Helm, and install: -```console +```shell helm repo add gremlin https://helm.gremlin.com/ +```` + +### Gremlin + +```shell helm install gremlin gremlin/gremlin \ --namespace gremlin \ --set gremlin.secret.managed=true \ @@ -21,7 +27,35 @@ helm install gremlin gremlin/gremlin \ --set gremlin.secret.teamSecret=YOUR-TEAM-SECRET ``` -For more detailed instructions, see the chart's documentation [here](https://github.com/gremlin/helm/blob/master/gremlin/README.md). +For more detailed instructions, see the chart's +documentation [here](https://github.com/gremlin/helm/blob/master/gremlin/README.md). + +### Gremlin Integration + +#### Secret Auth + +```shell +helm install gremlin gremlin/gremlin-integrations \ + --namespace gremlin \ + --set gremlin.secret.managed=true \ + --set gremlin.secret.type=secret \ + --set gremlin.secret.teamID=YOUR-TEAM-ID \ + --set gremlin.secret.teamSecret=YOUR-TEAM-SECRET +``` + +#### Certificate Auth + +```shell +helm install gremlin gremlin/gremlin-integrations \ + --namespace gremlin \ + --set gremlin.secret.managed=true \ + --set gremlin.secret.teamID=YOUR-TEAM-ID \ + --set-file gremlin.secret.certificate=PATH_TO_CERTIFICATE \ + --set-file gremlin.secret.key=PATH_TO_PRIVATE_KEY +``` + +For more detailed instructions, see the chart's +documentation [here](https://github.com/gremlin/helm/blob/master/gremlin-integrations/README.md). ## Reporting Issues diff --git a/gremlin-integrations/.helmignore b/gremlin-integrations/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/gremlin-integrations/.helmignore 
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/gremlin-integrations/Chart.yaml b/gremlin-integrations/Chart.yaml new file mode 100644 index 0000000..4d52e7c --- /dev/null +++ b/gremlin-integrations/Chart.yaml @@ -0,0 +1,28 @@ +apiVersion: v2 +name: gremlin-integrations +description: The Gremlin Inc integration agent application + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" +home: https://www.gremlin.com +maintainers: + - name: Gremlin Development + email: dev@gremlin.com diff --git a/gremlin-integrations/README.md b/gremlin-integrations/README.md new file mode 100644 index 0000000..0cabdfa 
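Review bot: `appVersion: "1.16.0"` in the Chart.yaml hunk is the value the `helm create` scaffold emits, not a released version of the integrations agent, and it is what the `gremlin-integrations.labels` helper will advertise as `app.kubernetes.io/version` on every object the chart renders. Set it to the agent version this chart is actually exercised against (a labelled placeholder such as `appVersion: "<AGENT_VERSION>"` until that is fixed) and keep it in step with the image tag in values.yaml, which the deployment falls back to only when `image.tag` is empty. The scaffold comments above `type` and `version` can be trimmed to the lines that apply to this chart.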
--- /dev/null
+++ b/gremlin-integrations/README.md
@@ -0,0 +1,196 @@ +# Gremlin Integrations Client Helm Chart + +## Prerequisites + +* Kubernetes with apps/v1 available + +## Configuration + +This chart will install the gremlin integrations client on the specified namespace. + +The following table lists common configurable parameters of the chart and their default values. See +values.yaml for all available options. + +| Parameter | Description | Default | +|----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------| +| `image.pullPolicy` | Container pull policy | `Always` | +| `image.pullSecret` | Pull secret for a private registry | `""` (When empty, no authentication is used) | +| `image.repository` | Container image to use | `gremlin/gremlin-integrations` | +| `image.tag` | Container image tag to deploy | `latest` | +| `nodeSelector` | Map of node labels for pod assignment for the `gremlin-integrations` container | `{}` | +| `tolerations` | List of node taints to tolerate for the `gremlin-integrations` container | `[]` | +| `affinity` | Map of node/pod affinities for the `gremlin-integrations` container | `{}` | +| `gremlin.serviceAccount.create` | Specifies whether Gremlin's kubernetes service account should be created by this helm chart | `true` | +| `gremlin.serviceUrl` | Specifies the Control Plane endpoint URL | `https://api.gremlin.com/v1` | +| `gremlin.allowList` | Whitelist URLs in order to allow access only to specific set of endpoints | `""` | +| `gremlin.secret.managed` | Specifies whether Gremlin should manage its secrets with Helm | `false` | +| `gremlin.secret.type` | The type of certificate to use, can be either `certificate` or `secret` | `certificate` | +| 
`gremlin.secret.name` | The name of certificate to use, like in the case of pointing to an eternally managed secret | `gremlin-team-cert` | +| `gremlin.secret.teamID` | Gremlin Team ID to authenticate with | `""` | +| `gremlin.secret.certificate` | Contents of the certificate. Required if using managed secrets of `type=certificate` | `""` | +| `gremlin.secret.key` | Contents of the private key. Required if using managed secrets of `type=certificate` | `""` | +| `gremlin.secret.teamSecret` | Gremlin's team secret. Required if using managed secrets of `type=secret` | `""` | +| `gremlin.resources` | Set resource requests and limits | `{}` +| `gremlin.client.tags` | Comma-separated list of custom tags to assign to this client | `""` | +| `gremlin.proxy.url` | Specifies the http proxy the agent should use to communicate with api.gremlin.com. | `""` (ignored) | | +| `ssl.certFile` | Add a certificate file to Gremlin's set of certificate authorities. This argument expects a file containing the certificate(s) you wish to add. When set, this chart creates secret (`integrations-ssl-cert-file`) with the file contents. This value is ignored when blank or absent. | `""` (ignored) | +| `ssl.certDir` | sets the SSL_CERT_DIR environment variable on the both agents. Unlike ssl.certFile, this value accepts only a path to an existing directory on the Kubernetes nodes. This value is ignored when blank or absent. | `""` (ignored) | + +Specify each parameter using the `--set[-file] key=value[,key=value]` argument to `helm install`. 
+ +**Example Usage** + +```shell +$ helm install gremlin gremlin/gremlin-integrations \ + --set gremlin.secret.managed=true \ + --set gremlin.secret.type=certificate \ + --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \ + --set-file gremlin.secret.certificate=/path/to/gremlin.cert \ + --set-file gremlin.secret.key=/path/to/gremlin.key \ + --set 'tolerations[0].effect=NoSchedule' \ + --set 'tolerations[0].key=node-role.kubernetes.io/master' \ + --set 'tolerations[0].operator=Exists' +``` + +_note_: Depending on your shell you may need different quoting around `tolerations[0]` + +## Installation + +All Gremlin Integrations installations require authentication with our Gremlin control plane. There +are two types of authentication available to Gremlin and Helm: `certificate`, and `secret`. You can +find out more about these authentication +types [here](https://www.gremlin.com/docs/infrastructure-layer/authentication/). + +For this Helm chart, you'll need to download your team certificate or team secret from the Gremlin +app. + +**Certificate** + +1. go to [Company Settings](https://app.gremlin.com/settings/teams), and select your team, and + then `Configuration` +2. Click on the button labeled `Download` next to `Certificates` (If you don't see a button + labelled `Download`, click on `Create New` to generate a new certificate) +3. When you unzip the downloaded file, you will see two files named `TEAM_NAME-client.priv_key.pem` + and `TEAM_NAME-client.pub_cert.pem`. Rename these to `gremlin.key` and `gremlin.cert` + respectively. These will be refered to as `/path/to/gremlin.cert` and `/path/to/gremlin.key` in + later instructions. + +**Secret** + +1. go to [Company Settings](https://app.gremlin.com/settings/teams), and select your team, and + then `Configuration` +2. Click on the button labeled `New` next to `Secret Key` (If you don't see a button labeled `New`, + it's already been created. 
Talk to your administrator who should have the key or click + the `Reset` button to create a new one) +3. You should see a value named `GREMLIN_TEAM_SECRET`, this will be refered to + as `$GREMLIN_TEAM_SECRET` in later instructions + +### With Managed Secrets + +Some find it preferable to have this chart manage Gremlin's secret values instead of administrating +them outside of Helm. + +#### For certificate auth + +```shell +helm install gremlin gremlin/gremlin-integrations \ + --namespace gremlin \ + --set gremlin.secret.managed=true \ + --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \ + --set-file gremlin.secret.certificate=/path/to/gremlin.cert \ + --set-file gremlin.secret.key=/path/to/gremlin.key +``` + +#### For secret auth + +```shell +helm install gremlin gremlin/gremlin-integrations \ + --namespace gremlin \ + --set gremlin.secret.managed=true \ + --set gremlin.secret.type=secret \ + --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \ + --set gremlin.secret.teamSecret=$GREMLIN_TEAM_SECRET +``` + +### Without Managed Secrets + +If you do not want this Chart to manage the kubernetes secrets for Gremlin, point this chart to your +external secret with `gremlin.secret.name` and `gremlin.secret.type` + +##### For secret auth + +Create the external secret + +```shell +kubectl create secret generic gremlin-team-secret \ + --namespace gremlin \ + --from-literal=GREMLIN_TEAM_ID=$GREMLIN_TEAM_ID \ + --from-literal=GREMLIN_TEAM_SECRET=$GREMLIN_TEAM_SECRET \ +``` + +Install the Helm chart + +```shell +helm install gremlin gremlin/gremlin-integrations \ + --namespace gremlin \ + --set gremlin.secret.name=gremlin-team-secret \ + --set gremlin.secret.type=secret # Default is gremlin.secret.type=certificate +``` + +#### For certificate auth + +Create the external secret + +```shell +kubectl create secret generic gremlin-team-cert \ + --namespace gremlin \ + --from-literal=GREMLIN_TEAM_ID=$GREMLIN_TEAM_ID \ + --from-file=gremlin.cert=/path/to/gremlin.cert \ + 
--from-file=gremlin.key=/path/to/gremlin.key +``` + +```shell +helm install gremlin gremlin/gremlin-integrations \ + --namespace gremlin \ + --set gremlin.secret.name=gremlin-team-cert +``` + +### With an HTTP_PROXY + +Gremlin can be configured to communicate with api.gremlin.com through an http_proxy. You can set +this proxy with `gremlin.proxy.url`. + +```shell +helm install gremlin gremlin/gremlin-integrations \ + --namespace gremlin \ + --set gremlin.secret.managed=true \ + --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \ + --set-file gremlin.secret.certificate=/path/to/gremlin.cert \ + --set-file gremlin.secret.key=/path/to/gremlin.key \ + --set gremlin.proxy.url=http://proxy.net:3128 +``` + +#### HTTPS_PROXY with custom certificate authority + +```shell +helm install gremlin gremlin/gremlin \ + --namespace gremlin \ + --set gremlin.secret.managed=true \ + --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \ + --set-file gremlin.secret.certificate=/path/to/gremlin.cert \ + --set-file gremlin.secret.key=/path/to/gremlin.key \ + --set gremlin.proxy.url=https://proxy.net:3128 \ + --set-file ssl.certFile=$HOME/Workspace/proxy/ca.pem +``` + +## Uninstallation + +```shell +helm delete gremlin-integrations +``` + +To delete the deployment and its history: + +```shell +helm delete --purge gremlin +``` \ No newline at end of file diff --git a/gremlin-integrations/templates/_helpers.tpl b/gremlin-integrations/templates/_helpers.tpl new file mode 100644 index 0000000..8768961 --- /dev/null +++ b/gremlin-integrations/templates/_helpers.tpl 
@@ -0,0 +1,117 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "gremlin-integrations.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "gremlin-integrations.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gremlin-integrations.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "gremlin-integrations.labels" -}} +helm.sh/chart: {{ include "gremlin-integrations.chart" . }} +{{ include "gremlin-integrations.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "gremlin-integrations.selectorLabels" -}} +app.kubernetes.io/name: {{ include "gremlin-integrations.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "gremlin-integrations.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "gremlin-integrations.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Because we've evolved the recommended way to pass the secret name over time, we hide the following order of operations behind this computed value: +In later versions of this chart, we will remove the use of `.Values.gremlin.client.secretName` and the fallback value of `gremlin-team-cert` +*/}} +{{- define "gremlin.secretName" -}} +{{- if .Values.gremlin.secret.managed -}} +{{- default .Values.gremlin.client.secretName .Values.gremlin.secret.name | default "gremlin-integrations-secret" -}} +{{- else -}} +{{- default .Values.gremlin.client.secretName .Values.gremlin.secret.name | default "gremlin-integrations-team-cert" -}} +{{- end -}} +{{- end -}} + +{{- define "gremlinServiceUrl" -}} +{{- if .Values.gremlin.serviceUrl -}} +{{- .Values.gremlin.serviceUrl -}} +{{- else -}} +{{- "https://api.gremlin.com/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Create a computed value for the intended Gremlin secret type which can either be `certificate` or `secret` +*/}} +{{- define "gremlin.secretType" -}} +{{- if .Values.gremlin.secret.type -}} +{{- .Values.gremlin.secret.type -}} +{{- else -}} +{{- if .Values.gremlin.client.certCreateSecret -}} +{{- "certificate" -}} +{{- else if .Values.gremlin.secret.managed -}} +{{- if .Values.gremlin.secret.teamSecret -}} +{{- "secret" -}} +{{- else -}} +{{- "certificate" -}} +{{- end -}} +{{- else -}} +{{- "certificate" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "gremlin.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gremlin.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} \ No newline at end of file 
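Review bot: The comment above `gremlin.secretName` says the fallback is `gremlin-team-cert`, but both branches fall back to `gremlin-integrations-secret` and `gremlin-integrations-team-cert`, and the chart README's table lists the default as `gremlin-team-cert`, so one of the three is wrong; the comment should name the fallback values as `gremlin-integrations-secret` (managed) and `gremlin-integrations-team-cert` (external). Both branches also read `.Values.gremlin.client.secretName`, which values.yaml in this patch does not declare; if it is kept only for parity with the `gremlin` chart, say so in the comment, otherwise drop it. `gremlinServiceUrl` has no header comment and reads `.Values.gremlin.serviceUrl`, which the README documents but values.yaml does not declare. `gremlin.name` and `gremlin.chart` duplicate `gremlin-integrations.name` and `gremlin-integrations.chart`; the secret templates could include the latter so a rename only has to happen once.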
diff --git a/gremlin-integrations/templates/deployment.yaml b/gremlin-integrations/templates/deployment.yaml
new file mode 100644
index 0000000..20a2b98
--- /dev/null
+++ b/gremlin-integrations/templates/deployment.yaml
@@ -0,0 +1,117 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "gremlin-integrations.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gremlin-integrations.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "gremlin-integrations.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gremlin-integrations.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gremlin-integrations.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: GREMLIN_TEAM_ID + {{- /* If we aren't managing this secret and a teamID was supplied, assume teamID is not in the external secret */}} + {{- if (and (not .Values.gremlin.secret.managed) (default .Values.gremlin.teamID .Values.gremlin.secret.teamID)) }} + value: {{ default .Values.gremlin.teamID .Values.gremlin.secret.teamID | quote }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ include "gremlin.secretName" . }} + key: GREMLIN_TEAM_ID + {{- end }} + - name: GREMLIN_SERVICE_URL + value: {{ include "gremlinServiceUrl" .}} + {{- if (eq (include "gremlin.secretType" .) "secret") }} + - name: GREMLIN_TEAM_SECRET + valueFrom: + secretKeyRef: + name: {{ include "gremlin.secretName" . 
}} + key: GREMLIN_TEAM_SECRET + {{- else }} + - name: GREMLIN_TEAM_CERTIFICATE_OR_FILE + value: file:///var/lib/gremlin/cert/gremlin.cert + - name: GREMLIN_TEAM_PRIVATE_KEY_OR_FILE + value: file:///var/lib/gremlin/cert/gremlin.key + {{- end }} + {{- if .Values.gremlin.allowList }} + - name: GREMLIN_INTEGRATION_AGENT_ALLOW_LIST + value: {{ .Values.gremlin.allowList }} + {{- end }} + {{- if .Values.gremlin.proxy.url }} + - name: https_proxy + value: {{ .Values.gremlin.proxy.url }} + - name: no_proxy + value: $(KUBERNETES_SERVICE_HOST):$(KUBERNETES_SERVICE_PORT) + {{- end }} + {{- if .Values.ssl.certFile }} + - name: SSL_CERT_FILE + value: /etc/gremlin/ssl/certfile.pem + {{- end }} + {{- if .Values.ssl.certDir }} + - name: SSL_CERT_DIR + value: {{ .Values.ssl.certDir }} + {{- end }} + volumeMounts: + {{- if (eq (include "gremlin.secretType" .) "certificate") }} + - name: gremlin-cert + mountPath: /var/lib/gremlin/cert + readOnly: true + {{- end }} + {{- if .Values.ssl.certFile }} + - name: integrations-ssl-cert-file + mountPath: /etc/gremlin/ssl + readOnly: true + {{- end }} + - name: gremlin-logs + mountPath: /var/log/gremlin + readOnly: false + volumes: + - name: gremlin-logs + hostPath: + path: /var/log/gremlin + {{- if (eq (include "gremlin.secretType" .) "certificate") }} + - name: gremlin-cert + secret: + secretName: {{ include "gremlin.secretName" . }} + {{- end }} + {{- if .Values.ssl.certFile }} + - name: integrations-ssl-cert-file + secret: + secretName: integrations-ssl-cert-file + {{ end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/gremlin-integrations/templates/secret-ssl-cert-file.yaml b/gremlin-integrations/templates/secret-ssl-cert-file.yaml new file mode 100644 index 0000000..d5faaf0 --- /dev/null 
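Review bot: Several env values are rendered as unquoted YAML scalars — `value: {{ .Values.gremlin.allowList }}`, `value: {{ .Values.gremlin.proxy.url }}`, `value: {{ .Values.ssl.certDir }}` and `value: {{ include "gremlinServiceUrl" .}}` — so a value containing `: ` or `#` breaks the manifest and a numeric-looking one is rejected because `EnvVar.value` must be a string; pipe each through `| quote`. `resources: { }` from values.yaml is never rendered into the container, so a `resources:` block with `{{- toYaml .Values.resources | nindent 12 }}` is missing next to `imagePullPolicy`. The ssl-cert-file volume references the fixed secret name `integrations-ssl-cert-file`, which two releases in one namespace would collide on; derive it from `gremlin-integrations.fullname` here and in the secret template. The trailing `{{ end }}` after that volume should be `{{- end }}` like its siblings so no whitespace-only line is emitted.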
+++ b/gremlin-integrations/templates/secret-ssl-cert-file.yaml @@ -0,0 +1,16 @@ +{{- if .Values.ssl.certFile }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: integrations-ssl-cert-file + labels: + app.kubernetes.io/name: {{ include "gremlin.name" . }} + helm.sh/chart: {{ include "gremlin.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + version: v1 +type: kubernetes.io/Opaque +data: + certfile.pem: {{ default .Values.ssl.certFile | toString | b64enc }} +{{- end }} diff --git a/gremlin-integrations/templates/secret.yaml b/gremlin-integrations/templates/secret.yaml new file mode 100644 index 0000000..465ac36 --- /dev/null +++ b/gremlin-integrations/templates/secret.yaml 
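Review bot: `default .Values.ssl.certFile | toString | b64enc` on the `certfile.pem` line calls `default` with a single argument, which just returns `.Values.ssl.certFile` and reads as though a fallback went missing; `{{ .Values.ssl.certFile | toString | b64enc }}` says what it does. `type: kubernetes.io/Opaque` is not one of the built-in Secret types (the built-in one is `Opaque`); the API server accepts custom type strings, so this works, but it should be `type: Opaque` unless something depends on that exact value. The label block hand-rolls `app.kubernetes.io/name`, `helm.sh/chart` and an unexplained `version: v1` while deployment.yaml uses the `gremlin-integrations.labels` helper; including the helper keeps labels consistent across the chart.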
@@ -0,0 +1,25 @@ +{{- if (default .Values.gremlin.client.certCreateSecret .Values.gremlin.secret.managed) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gremlin.secretName" . }} + labels: + app.kubernetes.io/name: {{ include "gremlin.name" . }} + helm.sh/chart: {{ include "gremlin.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + version: v1 +type: kubernetes.io/Opaque +stringData: + GREMLIN_TEAM_ID: {{ default .Values.gremlin.teamID .Values.gremlin.secret.teamID | required "required: .Values.gremlin.secret.teamID" | toString }} +{{- if (eq (include "gremlin.secretType" .) "secret") }} + GREMLIN_TEAM_SECRET: {{ .Values.gremlin.secret.teamSecret | required "required: .Values.gremlin.secret.teamSecret" | toString }} +{{- else if (eq (include "gremlin.secretType" .) "certificate") }} + GREMLIN_TEAM_CERTIFICATE_OR_FILE: file:///var/lib/gremlin/cert/gremlin.cert + GREMLIN_TEAM_PRIVATE_KEY_OR_FILE: file:///var/lib/gremlin/cert/gremlin.key +data: + gremlin.cert: {{ default .Values.gremlin.client.certContent .Values.gremlin.secret.certificate | required "required: .Values.gremlin.secret.certificate" | toString | b64enc }} + gremlin.key: {{ default .Values.gremlin.client.keyContent .Values.gremlin.secret.key | required "required: .Values.gremlin.secret.key" | toString | b64enc }} +{{- end }} +{{- end }} diff --git a/gremlin-integrations/templates/serviceaccount.yaml b/gremlin-integrations/templates/serviceaccount.yaml new file mode 100644 index 0000000..0fd08f3 --- /dev/null +++ b/gremlin-integrations/templates/serviceaccount.yaml 
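Review bot: The `stringData` values are rendered unquoted — `GREMLIN_TEAM_ID: {{ ... | toString }}` and `GREMLIN_TEAM_SECRET: {{ ... | toString }}` — so a team secret that YAML reads as a number or boolean, or that contains `: ` or `#`, is mangled or rejected; end each with `| quote` (the `data` lines are safe because of `b64enc`). The `GREMLIN_TEAM_CERTIFICATE_OR_FILE` and `GREMLIN_TEAM_PRIVATE_KEY_OR_FILE` keys are written into the Secret but the deployment sets both as literal env values and never reads them from the secret, so they can be dropped. Worth a line in the README's managed-secrets section: with `gremlin.secret.managed=true` the rendered Secret, private key included, is also persisted in the Helm release record in the namespace, so access to release records should be treated like access to the Secret itself.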
@@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gremlin-integrations.serviceAccountName" . }} + labels: + {{- include "gremlin-integrations.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/gremlin-integrations/values.yaml b/gremlin-integrations/values.yaml new file mode 100644 index 0000000..c6bd750 --- /dev/null +++ b/gremlin-integrations/values.yaml 
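Review bot: The ServiceAccount is created without `automountServiceAccountToken`, and this patch adds no Role or RoleBinding for it, so every pod gets an API token mounted that nothing in the chart grants permissions to. If the integrations agent does not talk to the Kubernetes API, add `automountServiceAccountToken: false` here (or expose it as a `serviceAccount.automountToken` value); if it does, the RBAC it needs belongs in the chart. `serviceAccount.name` defaults to `gremlin-integrations` in values.yaml, so the `default (include "gremlin-integrations.fullname" .)` branch of the helper only applies when a user blanks the value; the values.yaml comment saying a name is generated when unset is misleading for the shipped default.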
@@ -0,0 +1,95 @@ +# Default values for gremlin-integrations. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: gremlin/gremlin-integrations + pullPolicy: Always + # Overrides the image tag whose default is the chart appVersion. + tag: latest + +imagePullSecrets: [ ] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: { } + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "gremlin-integrations" + +podAnnotations: { } + +podSecurityContext: { } +# fsGroup: 2000 + +securityContext: { } +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# runAsUser: 1000 + +resources: { } +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# limits: +# cpu: 100m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi + +nodeSelector: { } + +tolerations: [ ] + +affinity: { } + +ssl: + # ssl.certFile - + # Add a certificate file to Gremlin's set of certificate authorities. This argument expects a file containing the + # certificate(s) you wish to add. When set, this chart creates secret (`ssl-cert-file`) with the contents and passes + # it to both agents. This value is ignored when blank or absent. + certFile: + # ssl.certDir - + # sets the SSL_CERT_DIR environment variable on the both agents. Unlike ssl.certFile, this value accepts only a + # path to an existing directory on the Kubernetes nodes. This value is ignored when blank or absent. 
+ certDir: + +gremlin: + secret: + # Gremlin supports both `certificate` and `secret` types + # To manage secrets with helm, set `managed=true` and fill in either the certificate auth or secret auth sections + type: certificate + managed: false + # team identifier (e.g. 11111111-1111-1111-1111-111111111111) + teamID: + + ## Certificate auth requires: `certificate` and `key` + # team certificate (e.g. -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----) + certificate: + # team private key (e.g. -----BEGIN EC PRIVATE KEY-----...-----END EC PRIVATE KEY-----) + key: + + ## Secret auth requires: `teamSecret` + # team secret (e.g. 00000000-0000-0000-0000-000000000000) + teamSecret: + allowList: "" + proxy: + # gremlin.proxy.url - + # Specifies the http proxy that the Gremlin Agent and Gremlin Kubernetes agent should use to communicate with + # api.gremlin.com. This value is ignored when blank or absent. + url: + client: + certCreateSecret: + + From 7aa838744f44d95964e773fe57af2e3ff3fc2d88 Mon Sep 17 00:00:00 2001 From: Marius Bordeianu Date: Tue, 4 Jan 2022 08:33:10 +0100 Subject: [PATCH 02/11] EN-274: Helm chart for gremlin integrations agent --- gremlin-integrations/templates/_helpers.tpl | 12 ++++++++++++ gremlin-integrations/templates/deployment.yaml | 10 ++++++---- .../templates/secret-ssl-cert-file.yaml | 1 + gremlin-integrations/templates/secret.yaml | 1 + gremlin-integrations/templates/serviceaccount.yaml | 1 + 5 files changed, 21 insertions(+), 4 deletions(-) diff --git a/gremlin-integrations/templates/_helpers.tpl b/gremlin-integrations/templates/_helpers.tpl index 8768961..c22ef1d 100644 --- a/gremlin-integrations/templates/_helpers.tpl +++ b/gremlin-integrations/templates/_helpers.tpl 
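Review bot: The README parameter table and this file disagree on several keys: the README documents `image.pullSecret`, `gremlin.serviceAccount.create`, `gremlin.serviceUrl`, `gremlin.resources` and `gremlin.client.tags`, while values.yaml declares `imagePullSecrets`, `serviceAccount.create`, a top-level `resources` and neither `gremlin.serviceUrl` nor `gremlin.client.tags`, so `--set` flags copied from the table are silently ignored. `image.tag: latest` with `pullPolicy: Always` means the image that runs changes on every pod restart and the `| default .Chart.AppVersion` fallback in deployment.yaml never applies; `tag: ""` would make the chart's tested `appVersion` the default while still allowing an override. The `ssl.certFile` comment is carried over from the `gremlin` chart — it names the secret `ssl-cert-file` and speaks of "both agents", whereas this chart creates `integrations-ssl-cert-file` for a single container. `securityContext: { }` ships the container with platform defaults; if the agent image supports it, the commented `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `capabilities.drop: [ALL]` should be the shipped default rather than a suggestion.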
@@ -61,6 +61,18 @@ Create the name of the service account to use {{- end }} {{- end }} +{{- /* GKE Container Optimized OS with Containerd cannot */ -}} +{{- /* mount the state/logs volumes, so detect that here */ -}} +{{- define "gkeCOSContainerd" -}} +{{- $output := false }} +{{- range $index, $node := (lookup "v1" "Node" "" "").items -}} + {{- $gkeRuntime := index $node.metadata.labels "cloud.google.com/gke-container-runtime" -}} + {{- $gkeOS := index $node.metadata.labels "cloud.google.com/gke-os-distribution" -}} + {{- $output = (or $output (and (eq $gkeRuntime "containerd") (eq $gkeOS "cos"))) -}} +{{- end -}} +{{ $output }} +{{- end -}} + {{/* Because we've evolved the recommended way to pass the secret name over time, we hide the following order of operations behind this computed value: In later versions of this chart, we will remove the use of `.Values.gremlin.client.secretName` and the fallback value of `gremlin-team-cert` diff --git a/gremlin-integrations/templates/deployment.yaml b/gremlin-integrations/templates/deployment.yaml index 20a2b98..3743710 100644 --- a/gremlin-integrations/templates/deployment.yaml +++ b/gremlin-integrations/templates/deployment.yaml @@ -76,19 +76,21 @@ spec: value: {{ .Values.ssl.certDir }} {{- end }} volumeMounts: - {{- if (eq (include "gremlin.secretType" .) "certificate") }} + {{- if (eq (include "gremlin.secretType" .) "certificate") }} - name: gremlin-cert mountPath: /var/lib/gremlin/cert readOnly: true - {{- end }} - {{- if .Values.ssl.certFile }} + {{- end }} + {{- if .Values.ssl.certFile }} - name: integrations-ssl-cert-file mountPath: /etc/gremlin/ssl readOnly: true - {{- end }} + {{- end }} + {{- if not (include "gkeCOSContainerd" .) }} - name: gremlin-logs mountPath: /var/log/gremlin readOnly: false + {{- end }} volumes: - name: gremlin-logs hostPath: diff --git a/gremlin-integrations/templates/secret-ssl-cert-file.yaml b/gremlin-integrations/templates/secret-ssl-cert-file.yaml index d5faaf0..88faa19 100644 
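Review bot: `gkeCOSContainerd` renders the string `true` or `false`, but its consumer in the deployment.yaml hunk of this patch tests `{{- if not (include "gkeCOSContainerd" .) }}`; `include` always returns a non-empty string, so `not` is always false and the `gremlin-logs` mount is never emitted whatever the node labels say. The check should be `{{- if ne (include "gkeCOSContainerd" .) "true" }}`. Separately, `lookup "v1" "Node" "" ""` returns an empty list under `helm template` and `--dry-run`, and at install time needs the caller to be allowed to list nodes, so the helper silently reports `false` in those cases; the header comment should say so. Later patches in this series remove the mount and volume this helper gates, which appears to leave the helper unused.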
--- a/gremlin-integrations/templates/secret-ssl-cert-file.yaml +++ b/gremlin-integrations/templates/secret-ssl-cert-file.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: Secret metadata: name: integrations-ssl-cert-file + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "gremlin.name" . }} helm.sh/chart: {{ include "gremlin.chart" . }} diff --git a/gremlin-integrations/templates/secret.yaml b/gremlin-integrations/templates/secret.yaml index 465ac36..8f992c2 100644 --- a/gremlin-integrations/templates/secret.yaml +++ b/gremlin-integrations/templates/secret.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "gremlin.secretName" . }} + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "gremlin.name" . }} helm.sh/chart: {{ include "gremlin.chart" . }} diff --git a/gremlin-integrations/templates/serviceaccount.yaml b/gremlin-integrations/templates/serviceaccount.yaml index 0fd08f3..7dfa95c 100644 --- a/gremlin-integrations/templates/serviceaccount.yaml +++ b/gremlin-integrations/templates/serviceaccount.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "gremlin-integrations.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} labels: {{- include "gremlin-integrations.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} From fbd640a7d0de6b06230f5054c8513e5c42e0feec Mon Sep 17 00:00:00 2001 From: Marius Bordeianu Date: Wed, 5 Jan 2022 09:25:52 +0100 Subject: [PATCH 03/11] EN-274: Helm chart for gremlin integrations agent --- gremlin-integrations/templates/deployment.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/gremlin-integrations/templates/deployment.yaml b/gremlin-integrations/templates/deployment.yaml index 3743710..a81c836 100644 --- a/gremlin-integrations/templates/deployment.yaml +++ b/gremlin-integrations/templates/deployment.yaml 
@@ -86,11 +86,6 @@ spec: mountPath: /etc/gremlin/ssl readOnly: true {{- end }} - {{- if not (include "gkeCOSContainerd" .) }} - - name: gremlin-logs - mountPath: /var/log/gremlin - readOnly: false - {{- end }} volumes: - name: gremlin-logs hostPath: From c74e3ad1e5dc88eeaf5901202ac2273d109e15e8 Mon Sep 17 00:00:00 2001 From: Marius Bordeianu Date: Wed, 5 Jan 2022 09:49:03 +0100 Subject: [PATCH 04/11] EN-274: Helm chart for gremlin integrations agent --- gremlin-integrations/templates/deployment.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/gremlin-integrations/templates/deployment.yaml b/gremlin-integrations/templates/deployment.yaml index a81c836..9bbdb9f 100644 --- a/gremlin-integrations/templates/deployment.yaml +++ b/gremlin-integrations/templates/deployment.yaml @@ -87,9 +87,6 @@ spec: readOnly: true {{- end }} volumes: - - name: gremlin-logs - hostPath: - path: /var/log/gremlin {{- if (eq (include "gremlin.secretType" .) "certificate") }} - name: gremlin-cert secret: From 78799f2fc669d86b52b5eecdcf797e26562193a7 Mon Sep 17 00:00:00 2001 From: Marius Bordeianu Date: Thu, 6 Jan 2022 13:32:03 +0100 Subject: [PATCH 05/11] EN-274: Helm chart for gremlin integrations agent --- README.md | 7 +++---- gremlin-integrations/README.md | 17 ++++++++--------- 2 files changed, 11 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 559699c..72a4907 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ helm repo add gremlin https://helm.gremlin.com/ ### Gremlin ```shell -helm install gremlin gremlin/gremlin \ +helm install gremlin-integrations gremlin/gremlin \ --namespace gremlin \ --set gremlin.secret.managed=true \ --set gremlin.secret.type=secret \ 
@@ -35,7 +35,7 @@ documentation [here](https://github.com/gremlin/helm/blob/master/gremlin/README. #### Secret Auth ```shell -helm install gremlin gremlin/gremlin-integrations \ +helm install gremlin-integrations gremlin/gremlin-integrations \ --namespace gremlin \ --set gremlin.secret.managed=true \ --set gremlin.secret.type=secret \ @@ -46,9 +46,8 @@ helm install gremlin gremlin/gremlin-integrations \ #### Certificate Auth ```shell -helm install gremlin gremlin/gremlin-integrations \ +helm install gremlin-integrations gremlin/gremlin-integrations \ --namespace gremlin \ - --set gremlin.secret.managed=true \ --set gremlin.secret.teamID=YOUR-TEAM-ID \ --set-file gremlin.secret.certificate=PATH_TO_CERTIFICATE \ --set-file gremlin.secret.key=PATH_TO_PRIVATE_KEY diff --git a/gremlin-integrations/README.md b/gremlin-integrations/README.md index 0cabdfa..0c89c94 100644 --- a/gremlin-integrations/README.md +++ b/gremlin-integrations/README.md @@ -41,7 +41,7 @@ Specify each parameter using the `--set[-file] key=value[,key=value]` argument t **Example Usage** ```shell -$ helm install gremlin gremlin/gremlin-integrations \ +$ helm install gremlin-integrations gremlin/gremlin-integrations \ --set gremlin.secret.managed=true \ --set gremlin.secret.type=certificate \ --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \ @@ -93,9 +93,8 @@ them outside of Helm. #### For certificate auth ```shell -helm install gremlin gremlin/gremlin-integrations \ +helm install gremlin-integrations gremlin/gremlin-integrations \ --namespace gremlin \ - --set gremlin.secret.managed=true \ --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \ --set-file gremlin.secret.certificate=/path/to/gremlin.cert \ --set-file gremlin.secret.key=/path/to/gremlin.key 
@@ -104,7 +103,7 @@ helm install gremlin gremlin/gremlin-integrations \ #### For secret auth ```shell -helm install gremlin gremlin/gremlin-integrations \ +helm install gremlin-integrations gremlin/gremlin-integrations \ --namespace gremlin \ --set gremlin.secret.managed=true \ --set gremlin.secret.type=secret \ @@ -131,7 +130,7 @@ kubectl create secret generic gremlin-team-secret \ Install the Helm chart ```shell -helm install gremlin gremlin/gremlin-integrations \ +helm install gremlin-integrations gremlin/gremlin-integrations \ --namespace gremlin \ --set gremlin.secret.name=gremlin-team-secret \ --set gremlin.secret.type=secret # Default is gremlin.secret.type=certificate @@ -150,7 +149,7 @@ kubectl create secret generic gremlin-team-cert \ ``` ```shell -helm install gremlin gremlin/gremlin-integrations \ +helm install gremlin-integrations gremlin/gremlin-integrations \ --namespace gremlin \ --set gremlin.secret.name=gremlin-team-cert ``` @@ -161,7 +160,7 @@ Gremlin can be configured to communicate with api.gremlin.com through an http_pr this proxy with `gremlin.proxy.url`. ```shell -helm install gremlin gremlin/gremlin-integrations \ +helm install gremlin-integrations gremlin/gremlin-integrations \ --namespace gremlin \ --set gremlin.secret.managed=true \ --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \ @@ -173,7 +172,7 @@ helm install gremlin gremlin/gremlin-integrations \ #### HTTPS_PROXY with custom certificate authority ```shell -helm install gremlin gremlin/gremlin \ +helm install gremlin-integrations gremlin/gremlin \ --namespace gremlin \ --set gremlin.secret.managed=true \ --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \ @@ -192,5 +191,5 @@ helm delete gremlin-integrations To delete the deployment and its history: ```shell -helm delete --purge gremlin +helm delete --purge gremlin-integrations ``` \ No newline at end of file From 0e80465748fa4d8b9c82a629cbcb04253dc75354 Mon Sep 17 00:00:00 2001 
From: Marius Bordeianu Date: Thu, 20 Jan 2022 09:18:12 +0100 Subject: [PATCH 06/11] Update gremlin-integrations/values.yaml Co-authored-by: Phil Gebhardt --- gremlin-integrations/values.yaml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/gremlin-integrations/values.yaml b/gremlin-integrations/values.yaml index c6bd750..da6b166 100644 --- a/gremlin-integrations/values.yaml +++ b/gremlin-integrations/values.yaml @@ -37,17 +37,6 @@ securityContext: { } # runAsUser: 1000 resources: { } -# We usually recommend not to specify default resources and to leave this as a conscious -# choice for the user. This also increases chances charts run on environments with little -# resources, such as Minikube. If you do want to specify resources, uncomment the following -# lines, adjust them as necessary, and remove the curly braces after 'resources:'. -# limits: -# cpu: 100m -# memory: 128Mi -# requests: -# cpu: 100m -# memory: 128Mi - nodeSelector: { } tolerations: [ ] From b2f58bf6a745ee7cf650444670789cb6fd114fda Mon Sep 17 00:00:00 2001 From: Marius Bordeianu Date: Thu, 20 Jan 2022 10:02:47 +0100 Subject: [PATCH 07/11] Update gremlin-integrations/values.yaml Co-authored-by: Phil Gebhardt --- gremlin-integrations/values.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/gremlin-integrations/values.yaml b/gremlin-integrations/values.yaml index da6b166..2630e44 100644 --- a/gremlin-integrations/values.yaml +++ b/gremlin-integrations/values.yaml @@ -29,12 +29,6 @@ podSecurityContext: { } # fsGroup: 2000 securityContext: { } -# capabilities: -# drop: -# - ALL -# readOnlyRootFilesystem: true -# runAsNonRoot: true -# runAsUser: 1000 resources: { } nodeSelector: { } From 38f8813a001557858b96d8a5fb94e84e48004180 Mon Sep 17 00:00:00 2001 
From: Marius Bordeianu Date: Thu, 20 Jan 2022 10:03:01 +0100 Subject: [PATCH 08/11] Update gremlin-integrations/templates/_helpers.tpl Co-authored-by: Phil Gebhardt --- gremlin-integrations/templates/_helpers.tpl | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/gremlin-integrations/templates/_helpers.tpl b/gremlin-integrations/templates/_helpers.tpl index c22ef1d..8768961 100644 --- a/gremlin-integrations/templates/_helpers.tpl +++ b/gremlin-integrations/templates/_helpers.tpl @@ -61,18 +61,6 @@ Create the name of the service account to use {{- end }} {{- end }} -{{- /* GKE Container Optimized OS with Containerd cannot */ -}} -{{- /* mount the state/logs volumes, so detect that here */ -}} -{{- define "gkeCOSContainerd" -}} -{{- $output := false }} -{{- range $index, $node := (lookup "v1" "Node" "" "").items -}} - {{- $gkeRuntime := index $node.metadata.labels "cloud.google.com/gke-container-runtime" -}} - {{- $gkeOS := index $node.metadata.labels "cloud.google.com/gke-os-distribution" -}} - {{- $output = (or $output (and (eq $gkeRuntime "containerd") (eq $gkeOS "cos"))) -}} -{{- end -}} -{{ $output }} -{{- end -}} - {{/* Because we've evolved the recommended way to pass the secret name over time, we hide the following order of operations behind this computed value: In later versions of this chart, we will remove the use of `.Values.gremlin.client.secretName` and the fallback value of `gremlin-team-cert` From 5a7335d6f88bd57ef82f2e5792ea66ed847a81c1 Mon Sep 17 00:00:00 2001 From: Marius Bordeianu Date: Thu, 20 Jan 2022 10:03:13 +0100 Subject: [PATCH 09/11] Update gremlin-integrations/README.md Co-authored-by: Phil Gebhardt --- gremlin-integrations/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/gremlin-integrations/README.md b/gremlin-integrations/README.md index 0c89c94..75c2a17 100644 --- a/gremlin-integrations/README.md +++ b/gremlin-integrations/README.md 
@@ -31,7 +31,6 @@ values.yaml for all available options. | `gremlin.secret.key` | Contents of the private key. Required if using managed secrets of `type=certificate` | `""` | | `gremlin.secret.teamSecret` | Gremlin's team secret. Required if using managed secrets of `type=secret` | `""` | | `gremlin.resources` | Set resource requests and limits | `{}` -| `gremlin.client.tags` | Comma-separated list of custom tags to assign to this client | `""` | | `gremlin.proxy.url` | Specifies the http proxy the agent should use to communicate with api.gremlin.com. | `""` (ignored) | | | `ssl.certFile` | Add a certificate file to Gremlin's set of certificate authorities. This argument expects a file containing the certificate(s) you wish to add. When set, this chart creates secret (`integrations-ssl-cert-file`) with the file contents. This value is ignored when blank or absent. | `""` (ignored) | | `ssl.certDir` | sets the SSL_CERT_DIR environment variable on the both agents. Unlike ssl.certFile, this value accepts only a path to an existing directory on the Kubernetes nodes. This value is ignored when blank or absent. | `""` (ignored) | From 65a7c005090cd41559b57cc1f311a936661cb81d Mon Sep 17 00:00:00 2001 From: Marius Bordeianu Date: Thu, 20 Jan 2022 10:03:22 +0100 Subject: [PATCH 10/11] Update gremlin-integrations/Chart.yaml Co-authored-by: Phil Gebhardt --- gremlin-integrations/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gremlin-integrations/Chart.yaml b/gremlin-integrations/Chart.yaml index 4d52e7c..3f60b1f 100644 --- a/gremlin-integrations/Chart.yaml +++ b/gremlin-integrations/Chart.yaml 
@@ -21,7 +21,7 @@ version: 0.1.0 # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "1.16.0" +appVersion: "0.0.2" home: https://www.gremlin.com maintainers: - name: Gremlin Development From f2348768d433380a7382263d18b2d2ceec0a2ea8 Mon Sep 17 00:00:00 2001 From: Marius Bordeianu Date: Thu, 20 Jan 2022 10:04:03 +0100 Subject: [PATCH 11/11] Update README.md Co-authored-by: Phil Gebhardt --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 72a4907..bee4f31 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ helm repo add gremlin https://helm.gremlin.com/ ### Gremlin ```shell -helm install gremlin-integrations gremlin/gremlin \ +helm install gremlin gremlin/gremlin \ --namespace gremlin \ --set gremlin.secret.managed=true \ --set gremlin.secret.type=secret \