From 06b3f4835457aa5ace9d308a40657a5e7f4897e6 Mon Sep 17 00:00:00 2001
From: Craig Aspinall
Date: Fri, 21 Jun 2024 15:59:11 +0100
Subject: [PATCH 1/3] Switch from H2 to PostgreSQL
---
charts/burpsuite/templates/_helpers.tpl | 51 ++++++++++++++++++-
charts/burpsuite/templates/_podtemplate.tpl | 9 +++-
.../_containertemplate.tpl} | 35 +++++++------
.../templates/database/env-secret.yaml | 13 +++++
.../templates/database/vol-secret.yaml | 12 +++++
charts/burpsuite/values.yaml | 9 +++-
6 files changed, 105 insertions(+), 24 deletions(-)
rename charts/burpsuite/templates/{h2/_containerstemplate.tpl => database/_containertemplate.tpl} (58%)
create mode 100644 charts/burpsuite/templates/database/env-secret.yaml
create mode 100644 charts/burpsuite/templates/database/vol-secret.yaml
diff --git a/charts/burpsuite/templates/_helpers.tpl b/charts/burpsuite/templates/_helpers.tpl
index c3c05d2..f58ad82 100644
--- a/charts/burpsuite/templates/_helpers.tpl
+++ b/charts/burpsuite/templates/_helpers.tpl
@@ -164,11 +164,58 @@ Fetch given field from existing web secret or generate a new random value
 {{- end -}}
 {{- end -}}
+{{/*
+Fetch given field from existing enterprise secret or generate a new random value
+*/}}
+{{- define "burpsuite.database.fetchOrCreateSecretField" -}}
+{{- $context := index . 0 -}}
+{{- $secretFieldName := index . 1 -}}
+
+{{- $secretObj := (lookup "v1" "Secret" $context.Release.Namespace "database-env") | default dict }}
+{{- $secretData := (get $secretObj "data") | default dict }}
+{{- $secretFieldValue := (get $secretData $secretFieldName) | default (randAlphaNum 30 | b64enc) }}
+{{- $secretFieldValue -}}
+{{- end -}}
+{{- define "burpsuite.database.secretValue" -}}
+{{- $context := index . 0 -}}
+{{- $suppliedValue := index . 1 -}}
+{{- $secretFieldName := index . 2 -}}
+{{- if $suppliedValue -}}
+{{ $suppliedValue | b64enc }}
+{{- else -}}
+{{ include "burpsuite.database.fetchOrCreateSecretField" (list $context $secretFieldName) }}
+{{- end -}}
+{{- end -}}
+
+{{- define "burpsuite.database.image" -}}
+{{- if .Values.database.image.sha256 -}}
+{{- printf "%s/%s:%s@sha256:%s" (.Values.database.image.registry | default .Values.global.image.registry) .Values.database.image.repository .Values.database.image.tag (trimPrefix "sha256:" .Values.database.image.sha256) }}
+{{- else -}}
+{{- printf "%s/%s:%s" (.Values.database.image.registry | default .Values.global.image.registry) .Values.database.image.repository .Values.database.image.tag }}
+{{- end -}}
+{{- end -}}
+
+{{- define "burpsuite.database.init" -}}
+{{- $enterpriseUserPassword := include "burpsuite.enterprise.secretValue" (list . .Values.database.users.enterprise.password "BSEE_ADMIN_REPOSITORY_PASSWORD") -}}
+{{- $scannerUserPassword := include "burpsuite.enterprise.secretValue" (list . 
.Values.database.users.scanner.password "BSEE_AGENT_REPOSITORY_PASSWORD") }}
+CREATE USER {{ .Values.database.users.enterprise.username }} PASSWORD '{{ $enterpriseUserPassword }}';
+CREATE USER {{ .Values.database.users.scanner.username }} PASSWORD '{{ $scannerUserPassword }}';
+
+CREATE DATABASE burp_enterprise;
+ALTER DATABASE burp_enterprise OWNER TO {{ .Values.database.users.enterprise.username }};
+GRANT ALL ON DATABASE burp_enterprise TO {{ .Values.database.users.enterprise.username }};
+
+\c burp_enterprise
+
+CREATE SCHEMA burp_enterprise AUTHORIZATION {{ .Values.database.users.enterprise.username }};
+GRANT USAGE ON SCHEMA burp_enterprise TO {{ .Values.database.users.scanner.username }};
+ALTER USER {{ .Values.database.users.scanner.username }} SET search_path = "burp_enterprise";
+{{- end -}}
 {{- define "burpsuite.database.url" -}}
-{{- if .Values.database.h2.enabled -}}
-jdbc:h2:tcp://localhost:9092/mem:bsee;DB_CLOSE_DELAY=-1
+{{- if .Values.database.useEmbedded -}}
+jdbc:postgresql://localhost:5432/burp_enterprise
 {{- else -}}
 {{ .Values.database.externalUrl }}
 {{- end -}}
diff --git a/charts/burpsuite/templates/_podtemplate.tpl b/charts/burpsuite/templates/_podtemplate.tpl
index 603bbdf..e81e4da 100644
--- a/charts/burpsuite/templates/_podtemplate.tpl
+++ b/charts/burpsuite/templates/_podtemplate.tpl
@@ -31,8 +31,8 @@ spec:
 {{- include "burpsuite.enterprise.initContainerTemplates" . | nindent 4 }}
 {{- include "burpsuite.web.initContainerTemplates" . | nindent 4 }}
 containers:
- {{- if .Values.database.h2.enabled -}}
- {{- include "burpsuite.h2db.containerTemplate" . | nindent 4 }}
+ {{- if .Values.database.useEmbedded -}}
+ {{- include "burpsuite.database.containerTemplate" . | nindent 4 }}
 {{- end -}}
 {{- include "burpsuite.enterprise.containerTemplate" . | nindent 4 }}
 {{- include "burpsuite.web.containerTemplate" . | nindent 4 }}
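Review bot: In `burpsuite.database.init` the operator-supplied passwords and usernames are spliced straight into SQL text, so a `database.users.*.password` containing a single quote corrupts or alters the script, and an unquoted `database.users.*.username` is case-folded by PostgreSQL (a mixed-case value would create a role the application can then not log in as); write `PASSWORD '{{ $enterpriseUserPassword | replace "'" "''" }}'` and quote the identifiers, e.g. `CREATE USER "{{ .Values.database.users.enterprise.username }}"`. Both passwords are obtained via `burpsuite.enterprise.secretValue`, which is not visible here; if it has the same contract as the `burpsuite.database.secretValue` defined in this hunk it returns the base64-encoded form, and the role would then be created with the base64 string as its password while the application decodes the Secret to plaintext — confirm, or pipe through `b64dec` before interpolating. The new `burpsuite.database.secretValue` helper is not referenced anywhere in the patch, and the comment above `fetchOrCreateSecretField` says "enterprise secret" although it looks up `database-env`.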
@@ -59,4 +59,9 @@ spec:
 - name: tmp
 emptyDir:
 sizeLimit: 1Gi
+ {{- if .Values.database.useEmbedded }}
+ - name: database-vol
+ secret:
+ secretName: database-vol
+ {{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/burpsuite/templates/h2/_containerstemplate.tpl b/charts/burpsuite/templates/database/_containertemplate.tpl
similarity index 58%
rename from charts/burpsuite/templates/h2/_containerstemplate.tpl
rename to charts/burpsuite/templates/database/_containertemplate.tpl
index fa3ade9..410a5c3 100644
--- a/charts/burpsuite/templates/h2/_containerstemplate.tpl
+++ b/charts/burpsuite/templates/database/_containertemplate.tpl
@@ -1,16 +1,7 @@
-{{- define "burpsuite.h2db.containerTemplate" -}}
-- image: {{ include "burpsuite.web.image" . }}
+{{- define "burpsuite.database.containerTemplate" -}}
+- image: {{ include "burpsuite.database.image" . }}
 imagePullPolicy: Always
- name: h2
- command:
- /usr/local/burpsuite_enterprise/jre/bin/java
- args:
- -cp
- /usr/local/burpsuite_enterprise/lib/h2-1.4.197.jar
- org.h2.tools.Server
- -tcp
- -tcpPort
- "9092"
+ name: database
 resources:
 requests:
 memory: 128Mi
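Review bot: No volume is declared for PostgreSQL's data directory, so with `useEmbedded` the database lives on the container's writable layer — which is what forces `readOnlyRootFilesystem: false` in the container template — and every container restart starts from an empty cluster and re-runs `init.sql`. Add at least `- name: database-data` / `emptyDir: {}` here (mounted at `/var/lib/postgresql/data` in the database container) so the root filesystem can stay read-only, and a PersistentVolumeClaim if scan data is expected to survive restarts; either way the ephemeral behaviour should be stated in values.yaml. The `init.sql` Secret carries two database passwords and is mounted with the default file mode; tightening `defaultMode` is only safe together with a pod-level `fsGroup` matching the container's `runAsGroup: 999`, which is not visible in this hunk. The enclosing `volumes:` list starts outside the hunk.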
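Review bot: The `resources` block is carried over unchanged from the H2 sidecar (`requests.memory: 128Mi` here, and the matching 128Mi limit in the next hunk), which is unlikely to be enough for PostgreSQL 16 — the stock image's `shared_buffers` default alone is 128MB — so the sidecar would probably be OOM-killed once scans generate load; size these for PostgreSQL or expose them as `database.resources` values. `imagePullPolicy: Always` together with the mutable `16` tag and an empty `sha256` default means the database image is re-resolved on every pod start, so a note that `database.image.sha256` should be pinned in production belongs next to those values. The `{{- define` header is in this hunk but the container spec continues into the next one.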
@@ -19,33 +10,41 @@
 limits:
 memory: 128Mi
 ports:
- - name: h2
- containerPort: 9092
+ - name: postgres
+ containerPort: 5432
 startupProbe:
 tcpSocket:
- port: h2
+ port: postgres
 failureThreshold: 60
 periodSeconds: 5
 timeoutSeconds: 2
 livenessProbe:
 tcpSocket:
- port: h2
+ port: postgres
 failureThreshold: 3
 periodSeconds: 10
 timeoutSeconds: 2
 successThreshold: 1
 readinessProbe:
 tcpSocket:
- port: h2
+ port: postgres
 failureThreshold: 1
 periodSeconds: 10
 timeoutSeconds: 2
 successThreshold: 1
+ envFrom:
+ - secretRef:
+ name: database-env
+ volumeMounts:
+ - name: database-vol
+ mountPath: /docker-entrypoint-initdb.d
 securityContext:
+ runAsUser: 999
+ runAsGroup: 999
 capabilities:
 drop:
 - ALL
- readOnlyRootFilesystem: true
+ readOnlyRootFilesystem: false
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 {{- end -}}
\ No newline at end of file
diff --git a/charts/burpsuite/templates/database/env-secret.yaml b/charts/burpsuite/templates/database/env-secret.yaml
new file mode 100644
index 0000000..be27781
--- /dev/null
+++ b/charts/burpsuite/templates/database/env-secret.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.database.useEmbedded -}}
+{{- $postgresPassword := include "burpsuite.database.fetchOrCreateSecretField" (list . "POSTGRES_PASSWORD") }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: database-env
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/component: database
+{{ include "burpsuite.labels" . | indent 4 }}
+data:
+ POSTGRES_PASSWORD: {{ $postgresPassword }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/burpsuite/templates/database/vol-secret.yaml b/charts/burpsuite/templates/database/vol-secret.yaml
new file mode 100644
index 0000000..7501cdf
--- /dev/null
+++ b/charts/burpsuite/templates/database/vol-secret.yaml
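Review bot: `readOnlyRootFilesystem` is flipped from `true` to `false` for the whole container, which gives up more than PostgreSQL needs: the official image only writes under `/var/lib/postgresql/data`, `/var/run/postgresql` and possibly `/tmp`, so mounting `emptyDir` volumes at those paths lets the root filesystem stay read-only; the rewritten mount list is below and needs matching `database-data`/`database-run` entries in the pod's `volumes`. The hard-coded `runAsUser: 999`/`runAsGroup: 999` is the `postgres` uid/gid of the official image; since `database.image.repository` is user-overridable that assumption deserves a comment such as `# uid/gid of the postgres user in the official image; adjust if using a different image`. The probes only test the TCP socket, and PostgreSQL answers the socket while still in crash recovery (replying "the database system is starting up"), so an `exec` readiness probe running `pg_isready -U postgres -h 127.0.0.1` would be a truer signal. The `{{- define` header for this container is outside the hunk.
```yaml
  volumeMounts:
    - name: database-vol
      mountPath: /docker-entrypoint-initdb.d
    - name: database-data
      mountPath: /var/lib/postgresql/data
    - name: database-run
      mountPath: /var/run/postgresql
  securityContext:
    # … unchanged: runAsUser, runAsGroup, capabilities …
    readOnlyRootFilesystem: true
    # … unchanged: allowPrivilegeEscalation, runAsNonRoot …
```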
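Review bot: `fetchOrCreateSecretField` keeps `POSTGRES_PASSWORD` stable only when `lookup` can see the existing Secret; under `helm template`, `--dry-run` and GitOps renderers such as Argo CD `lookup` returns an empty map, so every render produces a fresh `randAlphaNum 30` and the Secret is rewritten on each sync. Because the value is consumed only by `initdb` at first start, a running database keeps whatever password it was initialised with and the Secret silently diverges from it until the next container restart; state this next to `useEmbedded` in values.yaml, or accept an explicit override via the `burpsuite.database.secretValue` helper that this patch defines but never uses. The Secret also has a fixed `name: database-env` with no release prefix, so two releases in one namespace would collide and share a password — acceptable only if the chart's existing secrets already follow that naming.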
@@ -0,0 +1,12 @@
+{{- if .Values.database.useEmbedded -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: database-vol
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/component: database
+{{ include "burpsuite.labels" . | indent 4 }}
+data:
+ init.sql: {{ include "burpsuite.database.init" . | b64enc }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/burpsuite/values.yaml b/charts/burpsuite/values.yaml
index 6eab9ed..8771fb2 100644
--- a/charts/burpsuite/values.yaml
+++ b/charts/burpsuite/values.yaml
@@ -133,8 +133,13 @@ email:
 ## @section Database settings ##
 database:
- h2:
- enabled: false
+ useEmbedded: false
+
+ image:
+ registry: ""
+ repository: "docker/internal/postgres"
+ tag: "16"
+ sha256: ""
 externalUrl: "jdbc:postgresql://postgres-rw:5432/burp_enterprise"
 externalCredentials: false
From 8562307a8eb3a124396b5c39f79804961e0299c9 Mon Sep 17 00:00:00 2001
From: Craig Aspinall
Date: Tue, 25 Jun 2024 11:22:35 +0100
Subject: [PATCH 2/3] Correct database image repository name
---
charts/burpsuite/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/burpsuite/values.yaml b/charts/burpsuite/values.yaml
index 8771fb2..4aa4f36 100644
--- a/charts/burpsuite/values.yaml
+++ b/charts/burpsuite/values.yaml
@@ -137,7 +137,7 @@ database:
 image:
 registry: ""
- repository: "docker/internal/postgres"
+ repository: "docker/library/postgres"
 tag: "16"
 sha256: ""
From 871cea54e5359e257bb61d4cc2ff57637ac551d1 Mon Sep 17 00:00:00 2001
From: Craig Aspinall
Date: Tue, 25 Jun 2024 11:23:11 +0100
Subject: [PATCH 3/3] Bump chart version number
---
charts/burpsuite/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/burpsuite/Chart.yaml b/charts/burpsuite/Chart.yaml
index ebd1c82..4404363 100644
--- a/charts/burpsuite/Chart.yaml
+++ b/charts/burpsuite/Chart.yaml
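Review bot: The rendered `init.sql` is re-generated whenever one of the password inputs changes, but the image's entrypoint only executes `/docker-entrypoint-initdb.d` when the data directory is empty, so a later change to `database.users.*.password` or to the looked-up enterprise Secret updates this Secret without ever reaching an already-initialised database. A template comment above the `data:` block would save the next operator a confusing debugging session, e.g. `# Executed by the postgres entrypoint only on first initialisation; later password changes need a manual ALTER USER`. The same note belongs in values.yaml if persistent storage is ever added for the sidecar.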
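Review bot: The new `database.useEmbedded` and `database.image.*` keys carry no `## @param` lines even though this file uses the readme-generator `## @section` convention, so they will be missing from the generated README and nothing tells an operator that the embedded database runs as a sidecar with no persistent volume declared in this patch. Add entries such as `## @param database.useEmbedded Run PostgreSQL as a sidecar instead of using externalUrl (no persistence; for evaluation only)` and `## @param database.image.sha256 Image digest to pin the database image to (recommended in production)`. The helper added in `_helpers.tpl` reads `database.users.enterprise.{username,password}` and `database.users.scanner.{username,password}`, which this hunk does not add; if they are not already present in the file, rendering with `useEmbedded: true` fails on a nil map. Finally, renaming `h2.enabled` to `useEmbedded` means an upgrade with a values file that still sets `database.h2.enabled: true` silently falls back to `externalUrl`; a `{{ if .Values.database.h2 }}{{ fail "database.h2 was replaced by database.useEmbedded" }}{{ end }}` guard in a template would make that loud.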
@@ -2,7 +2,7 @@ apiVersion: v2
 name: burpsuite
 description: Scan it all. With the enterprise-enabled dynamic web vulnerability scanner.
 type: application
-version: 0.0.8
+version: 0.1.0
 kubeVersion: ">=1.24.0-0"
 keywords:
 - burpsuite