diff --git a/nessus/Chart.yaml b/nessus/Chart.yaml
index 4f0df00d..d78393a4 100644
--- a/nessus/Chart.yaml
+++ b/nessus/Chart.yaml
@@ -1,8 +1,8 @@
+apiVersion: v2
 name: nessus
-apiVersion: v1
-version: 0.4.2
-appVersion: 7.1.2
 description: Nessus Vulnerability Scanner
+type: application
+version: 1.0.0
 keywords:
 - nessus
 - security
@@ -10,6 +10,13 @@ home: https://www.tenable.com/products/nessus-vulnerability-scanner
 icon: https://static.tenable.com/press/logos/products/Nessus-FullColor-RGB-logo.png
 sources:
 - https://github.com/CenterForOpenScience/docker-library/tree/master/nessus
+dependencies:
+ - name: cos-common
+ version: 1.0.0
+ repository: https://centerforopenscience.github.io/helm-charts/
+ # - name: cos-common
+ # version: 1.0.0
+ # repository: file://../cos-common
 maintainers:
 - name: Matt Frazier
 email: matt@cos.io
@@ -17,4 +24,3 @@ maintainers:
 - name: Matt Clark
 email: mattclark@cos.io
 url: https://github.com/mattclark
-engine: gotpl
diff --git a/nessus/README.md b/nessus/README.md
deleted file mode 100644
index 45f96e4d..00000000
--- a/nessus/README.md
+++ /dev/null
@@ -1 +0,0 @@
-# Nessus
\ No newline at end of file
diff --git a/nessus/templates/NOTES.txt b/nessus/templates/NOTES.txt
index 90a1d60a..bf45c6fe 100644
--- a/nessus/templates/NOTES.txt
+++ b/nessus/templates/NOTES.txt
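Review bot: `appVersion` is removed in the first hunk (`-appVersion: 7.1.2`) and not re-added after the move to `apiVersion: v2`, so the chart no longer declares which Nessus release it packages; the only remaining trace is `scanner.image.tag: 7.1.2` in values.yaml. Restore it as a quoted string next to the chart version, `appVersion: "7.1.2"`, so `helm list` and the version label keep reporting it. In the `dependencies` hunk a one-line comment above the entry would save the next reader a search, e.g. `# cos-common is a library chart; every object in templates/main.yaml is rendered by it`, and the commented-out `file://../cos-common` block should state that it is the local-development alternative rather than sit unexplained. Both hunks are in nessus/Chart.yaml.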
@@ -1 +1,24 @@
-...
\ No newline at end of file
+Component fullname: {{ include "cos-common.fullname" (dict "root" . "name" "" "values" .Values.main) }}
+
+{{- if and .Values.main.ingress.enabled (.Values.main.ingress.hosts) }}
+Ingress hosts:
+{{- $hosts := list }}
+{{- if and (kindIs "map" .Values.main.ingress.hosts) (or (hasKey .Values.main.ingress.hosts "primary") (hasKey .Values.main.ingress.hosts "additional")) }}
+ {{- range $h := (default (list) .Values.main.ingress.hosts.primary) }}
+ {{- $hosts = append $hosts $h }}
+ {{- end }}
+ {{- range $h := (default (list) .Values.main.ingress.hosts.additional) }}
+ {{- $hosts = append $hosts $h }}
+ {{- end }}
+{{- else }}
+ {{- range $h := .Values.main.ingress.hosts }}
+ {{- $hosts = append $hosts $h.host }}
+ {{- end }}
+{{- end }}
+{{- range $hosts }}
+ - {{ . }}
+{{- end }}
+{{- else }}
+Port-forward example:
+kubectl -n {{ .Release.Namespace }} port-forward svc/{{ include "cos-common.fullname" (dict "root" . "name" "" "values" .Values.main) }} 8080:{{ ( .Values.main.http.containers.nessus.internalPort ) }}
+{{- end }}
diff --git a/nessus/templates/_helpers.tpl b/nessus/templates/_helpers.tpl
deleted file mode 100644
index 54ed3a93..00000000
--- a/nessus/templates/_helpers.tpl
+++ /dev/null
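Review bot: The port-forward example in the final `else` branch never says that the forwarded port speaks TLS, yet values.yaml names the container port `https` and probes it with `scheme: HTTPS`, so a reader who follows the example and opens http://localhost:8080 gets a failed handshake. Add a line after the kubectl command such as `Then open https://localhost:8080 (Nessus terminates TLS itself on this port).` As a point of style, the `cos-common.fullname` include is evaluated twice in this file; assigning it once at the top, `{{- $fullname := include "cos-common.fullname" (dict "root" . "name" "" "values" .Values.main) }}`, and using `$fullname` in both places keeps the two in step, and the parentheses around `.Values.main.http.containers.nessus.internalPort` are redundant.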
@@ -1,32 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "nessus.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "nessus.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified certificate name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "nessus.certificate.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s-%s" .Release.Name $name .Values.certificate.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Image pull secrets are essentially a combination of registry, username, and password. -*/}} -{{- define "nessus.docker.imagePullSecret" }} -{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.docker.imageCredentials.registry (printf "%s:%s" .Values.docker.imageCredentials.username .Values.docker.imageCredentials.password | b64enc) | b64enc }} -{{- end }} diff --git a/nessus/templates/certificate.yaml b/nessus/templates/certificate.yaml deleted file mode 100644 index 3532b3c1..00000000 --- a/nessus/templates/certificate.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{- if .Values.certificate.enabled -}} -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: "{{ template "nessus.certificate.fullname" . }}" - labels: - app: {{ template "nessus.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - secretName: "{{ template "nessus.certificate.fullname" . }}" - issuerRef: - name: {{ .Values.certificate.issuerRef.name }} - kind: {{ .Values.certificate.issuerRef.kind }} - commonName: {{ .Values.certificate.commonName }} - dnsNames: - {{- range .Values.certificate.dnsNames }} - - {{ . }} - {{- end }} - acme: - config: - - http01: - {{- if hasKey .Values.certificate.acmeConfig.http01 "ingress" }} - ingress: {{ .Values.certificate.acmeConfig.http01.ingress }} - {{- else }} - ingress: {{ template "nessus.fullname" . }} - {{- end }} - domains: - {{- range .Values.certificate.acmeConfig.domains }} - - {{ . }} - {{- end }} -{{- end -}} diff --git a/nessus/templates/ingress.yaml b/nessus/templates/ingress.yaml deleted file mode 100644 index 8d6f1450..00000000 --- a/nessus/templates/ingress.yaml +++ /dev/null 
@@ -1,47 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-{{- $serviceName := include "nessus.fullname" . -}}
-{{- $servicePort := .Values.service.externalPort -}}
-{{- $ingressPaths := .Values.ingress.paths -}}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ template "nessus.fullname" . }}
- labels:
- app: {{ template "nessus.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- annotations:
- {{- range $key, $value := .Values.ingress.annotations }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
-spec:
- rules:
- {{- range .Values.ingress.hosts }}
- - host: {{ . }}
- http:
- paths:
- {{- range $ingressPaths }}
- - path: {{ . }}
- pathType: ImplementationSpecific
- backend:
- service:
- name: {{ $serviceName }}
- port:
- number: {{ $servicePort }}
- {{- end -}}
- {{- end -}}
- {{- if (or .Values.ingress.tls (and .Values.certificate.enabled .Values.certificate.tls)) }}
- tls:
- {{- if .Values.ingress.tls }}
- {{- toYaml .Values.ingress.tls | nindent 4 }}
- {{- end -}}
- {{- if (and .Values.certificate.enabled .Values.certificate.tls) }}
- - secretName: "{{ template "nessus.certificate.fullname" . }}"
- hosts:
- {{- range .Values.certificate.acmeConfig.domains }}
- - {{ . }}
- {{- end }}
- {{- end -}}
- {{- end -}}
-{{- end -}}
diff --git a/nessus/templates/main.yaml b/nessus/templates/main.yaml
new file mode 100644
index 00000000..37d07656
--- /dev/null
+++ b/nessus/templates/main.yaml
@@ -0,0 +1,5 @@
+{{- include "cos-common.secret" (dict "root" . "name" "" "values" .Values.main) }}
+{{- include "cos-common.statefulset" (dict "root" . "name" "" "values" .Values.main) }}
+{{- include "cos-common.service" (dict "root" . "name" "" "values" .Values.main) }}
+{{- include "cos-common.ingress" (dict "root" . "name" "" "values" .Values.main) }}
+{{- include "cos-common.certificate" (dict "root" . "name" "" "values" .Values.main) }}
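Review bot: main.yaml carries no comment explaining that every template this chart used to ship (statefulset, service, ingress, certificate, secret) is now rendered by the cos-common library chart, so a reader looking for the StatefulSet definition in templates/ has nothing to go on. Add a leading template comment such as `{{/* All Kubernetes objects for the "main" component are rendered by the cos-common library chart; each include reads its configuration from .Values.main */}}`. values.yaml defines per-resource flags (`main.secret.enabled`, `main.service.enabled`, `main.ingress.enabled`, `main.certificate.enabled`), so presumably each include checks its own flag and renders nothing when it is false; that is worth stating in the same comment once confirmed against cos-common.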
diff --git a/nessus/templates/secret.yaml b/nessus/templates/secret.yaml
deleted file mode 100644
index 2a2cb23b..00000000
--- a/nessus/templates/secret.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "nessus.fullname" . }}
- labels:
- app: {{ template "nessus.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-type: Opaque
-data:
- {{- if .Values.docker.imageCredentials.enabled }}
- .dockerconfigjson: {{ template "nessus.docker.imagePullSecret" . }}
- {{- end }}
- {{- range $key, $value := .Values.tls.files }}
- tls-{{ $key }}: {{ $value | b64enc | quote }}
- {{- end }}
diff --git a/nessus/templates/service.yaml b/nessus/templates/service.yaml
deleted file mode 100644
index a5234dfd..00000000
--- a/nessus/templates/service.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "nessus.fullname" . }}
- labels:
- app: {{ template "nessus.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- annotations:
- {{- range $key, $value := .Values.service.annotations }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- protocol: TCP
- name: {{ .Values.service.name }}
- selector:
- app: {{ template "nessus.name" . }}
- release: {{ .Release.Name }}
diff --git a/nessus/templates/statefulset.yaml b/nessus/templates/statefulset.yaml
deleted file mode 100644
index e03eaf50..00000000
--- a/nessus/templates/statefulset.yaml
+++ /dev/null
@@ -1,139 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "nessus.fullname" . }} - labels: - app: {{ template "nessus.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - matchLabels: - app: {{ template "nessus.name" . }} - release: {{ .Release.Name }} - serviceName: {{ template "nessus.fullname" . }} - replicas: 1 - updateStrategy: - type: RollingUpdate - rollingUpdate: - partition: 0 - template: - metadata: - labels: - app: {{ template "nessus.name" . }} - release: {{ .Release.Name }} - annotations: - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} - spec: - initContainers: - - name: bootstrap - image: "{{ .Values.bootstrap.image.repository }}:{{ .Values.bootstrap.image.tag }}" - imagePullPolicy: {{ .Values.bootstrap.image.pullPolicy }} - command: - - /bin/sh - - -c - - |- - if [ ! -d /data/nessus ]; then - cp -R /opt/nessus /data/nessus - fi - volumeMounts: - - mountPath: /data - name: data - containers: - - name: docker - image: "{{ .Values.docker.image.repository }}:{{ .Values.docker.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - docker - - run - - --rm - - --interactive - - --mac-address - - "{{ .Values.macAddress }}" - - --publish - - "{{ .Values.service.internalPort }}:{{ .Values.service.internalPort }}" - - --volume - - /opt/nessus:/opt/nessus - - --name - - nessus - - "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - ## Sleep the container for upgrades, copy and place file in /opt/nessus, exec into container and perform upgrade - #- /bin/bash - #- -c - #- "sleep 9999999999999" - env: - - name: DOCKER_HOST - value: tcp://localhost:2375 - ports: - - name: https - containerPort: {{ .Values.service.internalPort }} - readinessProbe: - httpGet: - path: / - port: {{ .Values.service.internalPort }} - scheme: HTTPS - volumeMounts: - - mountPath: 
/opt/nessus - name: data - subPath: nessus - {{- if .Values.tls.eanbled }} - - name: secret - subPath: tls-servercert.pem - mountPath: /opt/nessus/com/nessus/CA/servercert.pem - readOnly: true - - name: secret - subPath: tls-serverkey.pem - mountPath: /opt/nessus/var/nessus/CA/serverkey.pem - readOnly: true - {{- end }} - {{- if .Values.docker.imageCredentials.enabled }} - - name: secret - subPath: .dockerconfigjson - mountPath: /root/.docker/config.json - readOnly: true - {{- end }} - resources: - {{- toYaml .Values.docker.resources | nindent 12 }} - - name: dind - image: "{{ .Values.dind.image.repository }}:{{ .Values.dind.image.tag }}" - imagePullPolicy: {{ .Values.dind.image.pullPolicy }} - args: - - --storage-driver=overlay - ports: - - name: dind - containerPort: 2375 - volumeMounts: - - mountPath: /opt/nessus - name: data - subPath: nessus - securityContext: - privileged: true - resources: - {{- toYaml .Values.dind.resources | nindent 12 }} - volumes: - {{- if not .Values.persistence.enabled }} - - name: data - emptyDir: {} - {{- end }} - - name: secret - secret: - secretName: {{ template "nessus.fullname" . }} - {{- if .Values.nodeSelector }} - nodeSelector: - {{- toYaml .Values.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: data - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - {{- if .Values.persistence.storageClass }} - storageClassName: {{ .Values.persistence.storageClass | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{- end }} diff --git a/nessus/values.yaml b/nessus/values.yaml index 454f6748..baf89f6d 100644 --- a/nessus/values.yaml +++ b/nessus/values.yaml 
@@ -1,111 +1,259 @@
-## Nessus
-##
-image:
- repository: us.gcr.io/cos-containers/nessus
- tag: 7.1.2
- pullPolicy: IfNotPresent
-
-persistence:
+### ------- Global or Reusable parts across values.yaml -------
+scanner:
+ image:
+ repository: us.gcr.io/cos-containers/nessus
+ tag: 7.1.2
+ pullPolicy: IfNotPresent
+
+docker:
+ imageCredentials:
+ registry: https://gcr.io
+ username: _json_key
+ password: secret
+
+## Remember that full name for all objects is '{{ include "cos-common.fullname" (dict "root" . "name" "") | trim }}'
+## or in other form current naming is Release.Name-Chart.Name
+
+## =============== MAIN Component ===============
+main:
 enabled: true
- # storageClass:
- accessMode: ReadWriteOnce
- size: 10Gi
-## Node labels for component pod assignment
-## Ref: https://kubernetes.io/docs/user-guide/node-selection/
-##
-nodeSelector: {}
+ replicas: 1
-# Nessus license is tied to the MAC address
-macAddress: 12-34-56-78-90-01
+ http:
+ containers:
+ nessus:
+ internalPort: 8834
+ externalPort: 443
+ serviceType: ClusterIP
-bootstrap:
- image:
- repository: busybox
- tag: latest
- pullPolicy: Always
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 0
-docker:
- image:
- repository: docker
- tag: '17.06'
- pullPolicy: Always
- imageCredentials:
- enabled: false
- #registry: https://gcr.io
- #username: _json_key
- #password: secret
- resources: {}
- #limits:
- # cpu: "1"
- # memory: 512Mi
- #requests:
- # cpu: 100m
- # memory: 256Mi
-
-dind:
+ macAddress: 12-34-56-78-90-01
+
+# ------- Configuration follows for containerName: docker -------
 image:
 repository: docker
- tag: 17.06-dind
- pullPolicy: Always
+ tag: "17.06"
+ pullPolicy: IfNotPresent
+
+ containerName: docker
+
+ command:
+ - docker
+ - run
+ - --rm
+ - --interactive
+ - --mac-address
+ - "{{ .Values.main.macAddress }}"
+ - --publish
+ - "{{ .Values.main.http.containers.nessus.internalPort }}:{{ .Values.main.http.containers.nessus.internalPort }}"
+ - --volume
+ - /opt/nessus:/opt/nessus
+ - --name
+ - nessus
+ - "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag }}"
+
+ env:
+ - name: DOCKER_HOST
+ value: tcp://localhost:2375
+
+ ports:
+ - name: https
+ containerPort: "{{ .Values.main.http.containers.nessus.internalPort }}"
+ protocol: TCP
+
+ probes:
+ readiness:
+ httpGet:
+ path: /
+ port: "{{ .Values.main.http.containers.nessus.internalPort }}"
+ scheme: HTTPS
+
+ volumeMounts:
+ - name: data
+ mountPath: /opt/nessus
+ subPath: nessus
+ - name: secret
+ mountPath: /root/.docker/config.json
+ subPath: .dockerconfigjson
+ readOnly: true
+
+ additionalVolumeMounts: []
+ ## If TLS enabled
+ #
+ # - name: secret
+ # subPath: tls-servercert.pem
+ # mountPath: /opt/nessus/com/nessus/CA/servercert.pem
+ # readOnly: true
+ # - name: secret
+ # subPath: tls-serverkey.pem
+ # mountPath: /opt/nessus/var/nessus/CA/serverkey.pem
+ # readOnly: true
+
 resources: {}
- #limits:
- # cpu: "1"
- # memory: 512Mi
- #requests:
- # cpu: 100m
- # memory: 256Mi
-
-service:
- name: https
- type: ClusterIP
- externalPort: 443
- internalPort: 8834
- annotations: {}
- # service.alpha.kubernetes.io/app-protocols: '{"https":"HTTPS"}'
-
-tls:
- enabled: false
- files:
- # https://docs.tenable.com/nessus/Content/CustomSSLCertificates.htm
- servercert.pem: |-
- ...
- serverkey.pem: |-
- ...
-
-ingress:
- enabled: false
- # Used to create Ingress record (should used with service.type: ClusterIP).
- annotations:
- # kubernetes.io/ingress.class: nginx
- # kubernetes.io/tls-acme: "true"
- hosts:
- - chart-example.local
- paths:
- - /
- tls:
- # Secrets must be manually created in the namespace.
- # - secretName: chart-example-tls
- # hosts:
- # - chart-example.local
-
-certificate:
- enabled: false
- name: cert
- # WORKAROUND: Ingress deploy blocked to GLBC due to race condition w/ missing TLS certificate
- # - Issue: https://github.com/jetstack/cert-manager/issues/606
- # - PR: https://github.com/kubernetes/ingress-gce/pull/388
- tls: true
- # issuerRef:
- # name: letsencrypt-prod
- # kind: ClusterIssuer
- # commonName: example.org
- # dnsNames:
- # - example.org
- # - subdomain.example.org
- # acmeConfig:
- # http01: {}
- # # ingress: ''
- # domains:
- # - example.org
- # - subdomain.example.org
+
+
+# ------- Init containers -------
+ bootstrap:
+ image:
+ repository: busybox
+ tag: latest
+ pullPolicy: Always
+
+ initContainers:
+ - name: bootstrap
+ image: "{{ .Values.main.bootstrap.image.repository }}:{{ .Values.main.bootstrap.image.tag }}"
+ imagePullPolicy: "{{ .Values.main.bootstrap.image.pullPolicy }}"
+ command:
+ - /bin/sh
+ - -c
+ - |-
+ set -e
+ if [ ! -d /data/nessus ]; then
+ cp -R /opt/nessus /data/nessus
+ fi
+ volumeMounts:
+ - name: data
+ mountPath: /data
+
+
+# ------- Additional containers -------
+ dind:
+ image:
+ repository: docker
+ tag: 17.06-dind
+ pullPolicy: Always
+ volumeMounts:
+ - name: data
+ mountPath: /opt/nessus
+ subPath: nessus
+ resources: {}
+
+ additionalContainers:
+ - name: dind
+ inheritVolumeMountsFrom: dind
+ inheritResourcesFrom: dind
+ image: "{{ .Values.main.dind.image.repository }}:{{ .Values.main.dind.image.tag }}"
+ imagePullPolicy: "{{ .Values.main.dind.image.pullPolicy }}"
+ args:
+ - --storage-driver=overlay
+ ports:
+ - name: dind
+ containerPort: 2375
+ securityContext:
+ privileged: true
+
+
+# ------- Volumes configuration for the pod -------
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "10Gi"
+ # storageClassName: "default"
+
+ volumes:
+ - name: secret
+ secret:
+ # main secret name
+ secretName: '{{ include "cos-common.fullname" (dict "root" . "name" "" "values" .Values.main) | trim }}'
+
+
+# ------- Affinity configuration -------
+ affinity: {}
+
+ additionalAffinities: []
+
+
+# ------- Pod Annotations -------
+ podAnnotations:
+ checksum/main-secret: '{{ include "cos-common.componentChecksum" (dict "root" . "name" "" "values" .Values.main "resource" "secret") }}'
+
+
+# ------- Service configuration -------
+# service name: '{{ include "cos-common.fullname" (dict "root" . "name" "") | trim }}'
+ service:
+ enabled: true
+ type: "{{ .Values.main.http.containers.nessus.serviceType }}"
+ annotations: {}
+ ports:
+ - name: https
+ port: "{{ .Values.main.http.containers.nessus.externalPort }}"
+ targetPort: "{{ .Values.main.http.containers.nessus.internalPort }}"
+
+
+# ------- Ingress configuration -------
+# ingress name: '{{ include "cos-common.fullname" (dict "root" . "name" "") | trim }}'
+ ingress:
+ enabled: false
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ primary:
+ - chart-example.local
+ # additional:
+ # - chart-example-2.local
+ rules:
+ - name: main
+ includeForPrimaryHost: true
+ includeForAdditionalHost: false
+ pathType: ImplementationSpecific
+ service:
+ name: '{{ include "cos-common.fullname" (dict "root" . "name" "") | trim }}'
+ port: "{{ .Values.main.http.containers.nessus.externalPort }}"
+ paths:
+ - /
+ tls: []
+ # - secretName: secret_name
+ # hosts:
+ # - chart-example.local
+
+
+# ------- Certificate configuration ------- (if we want to create Certificate object)
+# certificate name: '{{ include "cos-common.fullname" (dict "root" . "name" "cert") | trim }}'
+ certificate:
+ enabled: false
+ # secretName: secret-with-cert # default secret name is certificate name
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
+ commonName: example.org
+ dnsNames:
+ - example.org
+ acmeConfig:
+ http01: {}
+ # ingress: ''
+ domains:
+ - example.org
+
+
+# ------- Secrets configuration -------
+# Secret name: '{{ include "cos-common.fullname" (dict "root" . "name" "") | trim }}'
+ secret:
+ enabled: true
+ data:
+ .dockerconfigjson: |-
+ {{- $creds := .Values.docker.imageCredentials -}}
+ {{ printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" $creds.registry (printf "%s:%s" $creds.username $creds.password | b64enc) }}
+ #
+ ## If TLS enabled
+ #
+ # tls-servercert.pem: |-
+ # ...
+ # tls-serverkey.pem: |-
+ # ...
+
+
+# ------- Selectors and etc. -------
+ nodeSelector: {}
+
+ tolerations: []
\ No newline at end of file