clair helm chart MVP

.github/workflows/cd-helm-release.yml

@@ -0,0 +1,29 @@
+name: Release Chart
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  release:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@v1.5.0
+        with:
+          config: charts/cr.yaml
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/ci-helm-lint-test.yml

@@ -0,0 +1,47 @@
+name: Lint and Test Chart
+
+on:
+  pull_request:
+    paths:
+      - 'charts/**'
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: "0"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3.5
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.6.0
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --config charts/ct.yaml)
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Run chart-testing (lint)
+        id: lint
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct lint --config charts/ct.yaml
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.8.0
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install)
+        id: install
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct install --config charts/ct.yaml

.gitignore

@@ -0,0 +1,2 @@
+readme-gen
+k8s.yaml

CONTRIBUTING.md

@@ -0,0 +1,10 @@
+
+# Contributing
+
+## Certificate of Origin
+
+By contributing to this project you agree to the Developer Certificate of Origin [DCO](../DCO).
+
+This document was created by the Linux Kernel community and is a simple statement that you, as a contributor, have the legal right to make the contribution.
+
+See the [DCO](../DCO) file for details.

Makefile

@@ -0,0 +1,8 @@
+
+lint:
+	ct lint --config charts/ct.yaml
+
+test:
+	ct install --config charts/ct.yaml
+
+.PHONY: lint test

README.md

@@ -1,2 +1,58 @@
-# helm-clair
-Helm chart for Clair
+
+# clair-helm
+
+[![MIT Licensed](https://img.shields.io/github/license/guerzon/clair-helm)](https://github.com/guerzon/clair-helm/blob/main/LICENSE)
+[![Helm Release](https://img.shields.io/github/v/release/guerzon/clair-helm)](https://github.com/guerzon/clair-helm/releases)
+
+Helm chart for [Clair](https://github.com/quay/clair).
+
+## Warning
+
+If you happen to stumble upon this repo, please be aware that this is a work in progress. Therefore, please assume version < 1.0.0 to be unstable. Or as long as you see this warning message.
+
+Also, it's a passion project, so please bear with me.
+
+## Features / TODO
+
+1. Supports running in `combo` mode (default).
+2. Supports running on a single instance with the DB split per mode.
+3. Supports running multiple instances.
+
+## Usage
+
+Add the repository:
+
+```bash
+helm repo add clair https://guerzon.github.io/clair
+```
+
+List the chart:
+
+```bash
+helm search repo clair
+```
+
+Please refer to the [detailed documentation](./charts/clair/README.md) to get started.
+
+## Testing
+
+If not using an ingresss:
+
+```bash
+kubectl -n clair port-forward service/clair 6060:6060
+
+## Test the vaultwarden/server image:
+clairctl report --host http://localhost:6060 vaultwarden/server
+```
+
+## References
+
+- <https://github.com/quay/clair/tree/main/local-dev>
+- <https://quay.github.io/clair/howto/deployment.html>
+- <https://quay.github.io/clair/reference/config.html>
+- <https://quay.io/repository/projectquay/clair?tab=info>
+- <https://github.com/quay/clair/issues/1152>
+
+## License
+
+See [LICENSE](./LICENSE).

chart-docs.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+echo "[+] Setting up ..."
+if [ ! -d "readme-gen" ]; then
+    git clone https://github.com/bitnami-labs/readme-generator-for-helm readme-gen
+fi
+cd readme-gen
+docker build -t readme-gen .
+cd ..
+
+echo "[+] Run the tool and mount the current project directory ..."
+docker run --rm -v $(pwd):/mnt -w /mnt readme-gen readme-generator -v charts/clair/values.yaml -r charts/clair/README.md 
+
+echo "Done"

charts/clair/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/clair/Chart.yaml

@@ -0,0 +1,41 @@
+apiVersion: v2
+name: clair
+description: Vulnerability Static Analysis for Containers
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.2
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "4.7.2"
+
+kubeVersion: ">=1.26.0-0"
+
+maintainers:
+  - name: guerzon
+    email: guerzon@proton.me
+    url: https://github.com/guerzon
+
+keywords:
+  - clair
+  - static-analysis
+  - containers
+  - vulnerabilities
+
+sources:
+  - https://github.com/guerzon/clair-helm
+  - https://github.com/quay/clair

charts/clair/README.md

@@ -0,0 +1,60 @@
+
+# clair
+
+Vulnerability Static Analysis for Containers
+
+## TL;DR
+
+```bash
+# install:
+helm install clair clair/clair \
+  --create-namespace \
+  --namespace clair \
+  --set "database.host=prod.contoso.org" \
+  --set "database.dbName=clairdb" \
+  --set "database.user=app" \
+  --set "database.user=Supers3cret"
+```
+
+Using a custom values in the file `demo.yaml`:
+
+```bash
+helm upgrade -i clair clair/clair \
+  --create-namespace \
+  --namespace clair \
+  -f demo.yaml
+```
+
+## Detailed guide
+
+### General configuration
+
+This chart deploys `clair` from pre-built images on [quay.io](https://quay.io/repository/projectquay/clair). The image can be defined by specifying the tag with `image.tag`.
+
+Here is an example that uses the nightly image build `nightly` and an existing secret that contains registry credentials:
+
+```yaml
+image:
+  tag: "nightly"
+  pullSecrets:
+    - myRegKey
+```
+
+### Database options
+
+Clair requires PostgreSQL for its data persistence. By default, it does migrations, so all you need is to point it to a database.
+
+To configure, set `database.type` to either `mysql` or `postgresql` and specify the datase connection information.
+
+Example for using an external MySQL database:
+
+```yaml
+database:
+  host: database.contoso.eu
+  username: appuser
+  password: apppassword
+  dbName: prodapp
+  sslMode: disable
+```
+
+## Parameters

charts/clair/templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "clair.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "clair.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "clair.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "clair.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

charts/clair/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "clair.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "clair.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "clair.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "clair.labels" -}}
+helm.sh/chart: {{ include "clair.chart" . }}
+{{ include "clair.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "clair.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "clair.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "clair.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "clair.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}