add podLogs and podMonitor

portswigger-cloud · Oct 11, 2023 · 6227ccf · 6227ccf
1 parent a825734
commit 6227ccf
Show file tree

Hide file tree

Showing 9 changed files with 107 additions and 16 deletions.
diff --git a/charts/scan-controller/Chart.yaml b/charts/scan-controller/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.0-alpha.1
+version: 0.0.0-alpha.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/scan-controller/templates/_helpers.tpl b/charts/scan-controller/templates/_helpers.tpl
@@ -50,6 +50,11 @@ app.kubernetes.io/name: {{ include "scan-controller.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{- define "scan-controller.scanner.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "scan-controller.name" . }}-scanner
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
 {{/*
 Renders a value that contains template.
 Usage:

diff --git a/charts/scan-controller/templates/controller-env-secret.yaml b/charts/scan-controller/templates/controller-env-secret.yaml
@@ -4,7 +4,7 @@ metadata:
   name: {{ include "scan-controller.fullname" . }}-env
 type: Opaque
 data:
-  BSEE_WEB_SERVER_URL: {{ .Values.configuration.apiKey | b64enc }}
+  BSEE_SERVER_URL: {{ .Values.configuration.enterpriseUrl | b64enc }}
   BSEE_HOSTED_SCANNING_MACHINE_API_KEY: {{ .Values.configuration.apiKey | b64enc }}
-  BSEE_HOSTED_SCAN_JOB_TEMPLATE: {{ include "scan-controller.tplvalues.render" ( dict "value" .Values.scanner.jobTemplate "context" $) | b64enc }}
+  BSEE_HOSTED_SCAN_JOB_TEMPLATE: {{ include "scan-controller.tplvalues.render" ( dict "value" .Values.scanner.jobTemplate "context" $) | b64enc | b64enc }}
   BSEE_MAX_SCAN_CONCURRENCY: {{ .Values.configuration.maxConcurrency | quote | b64enc }}
diff --git a/charts/scan-controller/templates/deployment.yaml b/charts/scan-controller/templates/deployment.yaml
@@ -69,10 +69,10 @@ spec:
             successThreshold: 1
           resources:
             limits:
-              memory: 128Mi
+              memory: 512Mi
             requests:
               cpu: 200m
-              memory: 128Mi
+              memory: 512Mi
       {{- with .Values.controller.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/scan-controller/templates/podlogs.yaml b/charts/scan-controller/templates/podlogs.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.controller.podLogs }}
+apiVersion: monitoring.grafana.com/v1alpha1
+kind: PodLogs
+metadata:
+  name: {{ include "scan-controller.fullname" . }}
+  labels:
+    {{- include "scan-controller.labels" . | nindent 4 }}
+spec:
+  pipelineStages:
+  - docker: {}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "scan-controller.selectorLabels" . | nindent 6 }}
+{{- end }}
+{{- if .Values.scanner.podLogs }}
+---
+apiVersion: monitoring.grafana.com/v1alpha1
+kind: PodLogs
+metadata:
+  name: {{ include "scan-controller.fullname" . }}-scanner
+  labels:
+    {{- include "scan-controller.labels" . | nindent 4 }}
+spec:
+  pipelineStages:
+  - docker: {}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "scan-controller.scanner.selectorLabels" . | nindent 8 }}
+{{- end }}
diff --git a/charts/scan-controller/templates/podmonitor.yaml b/charts/scan-controller/templates/podmonitor.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.controller.podMonitor }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ include "scan-controller.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "scan-controller.labels" . | nindent 4 }}
+spec:
+  jobLabel: {{ include "scan-controller.fullname" . }}
+  namespaceSelector:
+    matchNames:
+    -  {{ .Release.Namespace }}
+  podMetricsEndpoints:
+  - interval: 15s
+    path: /metrics
+    port: management
+  podTargetLabels:
+  - app.kubernetes.io/version
+  selector:
+    matchLabels:
+      {{- include "scan-controller.selectorLabels" . | nindent 6 }}
+{{- end }}
diff --git a/charts/scan-controller/templates/rbac.yaml b/charts/scan-controller/templates/rbac.yaml
@@ -8,7 +8,17 @@ rules:
     verbs: ["get", "watch", "list"]
   - apiGroups: ["batch"]
     resources: ["jobs"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+    verbs:
+      [
+        "get",
+        "list",
+        "watch",
+        "create",
+        "update",
+        "patch",
+        "delete",
+        "deletecollection",
+      ]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -17,7 +27,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: {{include "scan-controller.fullname" .}}
-    apiGroup: rbac.authorization.k8s.io
+    apiGroup: ""
 roleRef:
   kind: Role
   name: {{include "scan-controller.fullname" .}}

diff --git a/charts/scan-controller/templates/scanner-env-secret.yaml b/charts/scan-controller/templates/scanner-env-secret.yaml
@@ -4,5 +4,5 @@ metadata:
   name: {{ include "scan-controller.fullname" . }}-scanner-env
 type: Opaque
 data:
-  BSEE_WEB_SERVER_URL: {{ .Values.configuration.apiKey | b64enc }}
+  BSEE_WEB_SERVER_URL: {{ .Values.configuration.enterpriseUrl | b64enc }}
   BSEE_HOSTED_SCANNING_MACHINE_API_KEY: {{ .Values.configuration.apiKey | b64enc }}
diff --git a/charts/scan-controller/values.yaml b/charts/scan-controller/values.yaml
@@ -21,35 +21,41 @@ controller:
     repository: portswigger/scan-controller
     pullPolicy: Always
     tag: ""
-  nodeSelector: {}
+  nodeSelector:
+    kubernetes.io/arch: amd64
   tolerations: []
   affinity: {}
 
+  podLogs: false
+  podMonitor: false
+
 scanner:
   image:
     registry: ""
     repository: portswigger/portswigger-hosted-scan
     tag: ""
-  nodeSelector: {}
+  nodeSelector:
+    kubernetes.io/arch: amd64
   tolerations: []
   affinity: {}
 
+  podLogs: false
+  podMonitor: false
+
   jobTemplate: |
     apiVersion: batch/v1
     kind: Job
     metadata:
       name: scan
       labels:
-        app.kubernetes.io/component: scanner
-        app.kubernetes.io/part-of: bsee
+        {{- include "scan-controller.labels" . | nindent 8 }}
     spec:
       backoffLimit: 0
       ttlSecondsAfterFinished: 60
       template:
         metadata:
           labels:
-            app.kubernetes.io/component: scanner
-            app.kubernetes.io/part-of: bsee
+            {{- include "scan-controller.scanner.selectorLabels" . | nindent 8 }}
           annotations:
             cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
             karpenter.sh/do-not-evict: "true"
@@ -71,10 +77,10 @@ scanner:
               imagePullPolicy: Always
               resources:
                 limits:
-                  memory: 8Gi
+                  memory: 14Gi
                 requests:
                   cpu: 2
-                  memory: 8Gi
+                  memory: 14Gi
               securityContext:
                 runAsUser: 100000
                 readOnlyRootFilesystem: true
@@ -83,6 +89,18 @@ scanner:
                 capabilities:
                   drop:
                     - ALL
+              volumeMounts:
+                - mountPath: /home/burpsuite/
+                  name: home-burpsuite
+                - mountPath: /tmp
+                  name: tmp
+          volumes:
+            - name: home-burpsuite
+              emptyDir:
+                sizeLimit: 10Gi
+            - name: tmp
+              emptyDir:
+                sizeLimit: 512Mi
           restartPolicy: Never
           terminationGracePeriodSeconds: 30
           {{- with .Values.scanner.nodeSelector }}