
Certs #9

Open
wants to merge 7 commits into
base: main
4 changes: 4 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -5,3 +5,7 @@ updates:
directory: "/"
schedule:
interval: "weekly"
groups:
github-actions:
patterns:
- "*"
10 changes: 5 additions & 5 deletions .github/workflows/build-container.yml
Expand Up @@ -27,7 +27,7 @@ jobs:
uses: actions/checkout@v4
- name: Setup container meta information
id: meta
uses: docker/metadata-action@v4
uses: docker/metadata-action@v5
with:
images: ${{ github.repository }}-build
labels: |
Expand All @@ -46,17 +46,17 @@ jobs:
type=raw,value=unstable,enable={{is_default_branch}}
- name: Login to DockerHub
if: github.event_name != 'pull_request'
uses: docker/login-action@v2
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- run: echo "Build and push ${{ steps.meta.outputs.tags }}"
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@v3
- name: Build and push
uses: docker/build-push-action@v4
uses: docker/build-push-action@v5
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
18 changes: 9 additions & 9 deletions .github/workflows/container.yml
Expand Up @@ -46,7 +46,7 @@ jobs:
fi
- name: "Setup meta information (IS_VERSION_TAG: ${{ env.IS_VERSION_TAG }}, IS_LATEST_TAG: ${{ env.IS_LATEST_TAG }} )"
id: meta
uses: docker/metadata-action@v4
uses: docker/metadata-action@v5
with:
images: ${{ github.repository }}
labels: |
Expand All @@ -69,7 +69,7 @@ jobs:
type=ref,event=pr
- name: Login to DockerHub
if: github.event_name != 'pull_request'
uses: docker/login-action@v2
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
Expand All @@ -85,11 +85,11 @@ jobs:
- run: mv assets/nasl-cli-aarch64-unknown-linux-gnu assets/linux/arm64/nasl-cli
- run: mv assets/nasl-cli-x86_64-unknown-linux-gnu assets/linux/amd64/nasl-cli
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@v3
- name: Build and push
uses: docker/build-push-action@v4
uses: docker/build-push-action@v5
with:
context: .
push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }}
Expand All @@ -102,7 +102,7 @@ jobs:

- name: "Setup meta information debian:oldstable"
id: old_stable_meta
uses: docker/metadata-action@v4
uses: docker/metadata-action@v5
with:
images: ${{ github.repository }}
labels: |
Expand All @@ -118,7 +118,7 @@ jobs:
type=raw,value=oldstable-{{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }}
type=ref,event=pr
- name: Build and push Container image
uses: docker/build-push-action@v4
uses: docker/build-push-action@v5
with:
context: .
push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }}
Expand All @@ -129,7 +129,7 @@ jobs:

- name: "Setup meta information debian:testing"
id: test_meta
uses: docker/metadata-action@v4
uses: docker/metadata-action@v5
with:
images: ${{ github.repository }}
labels: |
Expand All @@ -145,7 +145,7 @@ jobs:
type=raw,value=testing-{{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }}
type=ref,event=pr
- name: Build and push Container image
uses: docker/build-push-action@v4
uses: docker/build-push-action@v5
with:
context: .
push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }}
18 changes: 10 additions & 8 deletions .github/workflows/helm-build-chart.yml
Expand Up @@ -18,25 +18,27 @@ jobs:
metrics-enabled: false
- name: deploy openvasd
run: |
helm uninstall openvasd || true
helm install openvasd charts/openvasd/ --values charts/openvasd/values.yaml
kubectl rollout status --watch --timeout 600s deployment/openvasd
helm uninstall openvasd --namespace openvasd|| true
helm install --namespace openvasd --create-namespace openvasd charts/openvasd/ --values charts/openvasd/values.yaml
kubectl rollout status --watch --timeout 600s deployment/openvasd --namespace openvasd
sleep 5
- id: smoketest
run: echo "POD_NAME=$(kubectl get pods |grep openvasd | awk '{print $1;}')" >> $GITHUB_OUTPUT
run: echo "POD_NAME=$(kubectl get pods --namespace openvasd |grep openvasd | awk '{print $1;}')" >> $GITHUB_OUTPUT
- name: forward port
run: |
echo "POD_NAME: ${{ steps.smoketest.outputs.POD_NAME }}"
echo "$(kubectl get pods)"
kubectl --namespace default port-forward ${{ steps.smoketest.outputs.POD_NAME }} 8080:3000 &
kubectl --namespace openvasd port-forward ${{ steps.smoketest.outputs.POD_NAME }} 8080:3000 &
- name: smoketest
working-directory: rust/smoketest
env:
API_KEY: changeme
OPENVASD: http://127.0.0.1:8080
SCAN_CONFIG: simple_scan_ssh_only.json
OPENVASD_SERVER: https://127.0.0.1:8080
SCAN_CONFIG: configs/simple_scan_ssh_only.json
CLIENT_KEY: configs/client_sample.key
CLIENT_CERT: configs/client_sample.cert
run: |
make build run
make build run-with-certs
- uses: greenbone/actions/helm-build-push@v3
if: github.event_name == 'workflow_dispatch'
with:
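Review bot: The debug line `echo "$(kubectl get pods)"` in the "forward port" step was left without a namespace, so after this change it lists the default namespace and no longer shows the openvasd pod that the port-forward on the next line targets; it should read `kubectl get pods --namespace openvasd`. The pod name is also still selected with `grep openvasd` and expanded into the script text as `${{ steps.smoketest.outputs.POD_NAME }}`, so if more than one pod matches, the port-forward receives several names. Passing the value through an `env:` entry and using a quoted `"$POD_NAME"` would keep workflow expressions out of the shell text. The job's earlier and later steps lie outside this hunk.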
4 changes: 0 additions & 4 deletions .gitignore
Expand Up @@ -10,7 +10,3 @@ testsuiterun.nasl
assets/
*.rsa
*.pem
rust/nasl-c-lib/include
rust/nasl-c-lib/bin
rust/nasl-c-lib/share
rust/nasl-c-lib/lib
52 changes: 44 additions & 8 deletions charts/openvasd/README.md
Expand Up @@ -4,13 +4,13 @@ Contains the helm chart to deploy openvasd.

To install openvasd helm chart from a local path execute

```
helm install openvasd ./openvasd/ -f openvasd/values.yaml
```
helm install openvasd ./openvasd/ -f openvasd/values.yaml --namespace openvasd --create-namespace openvasd
```

You can also provide override the initial values within `openvasd/values.yaml` by providing an additional `-f` flag.

As an example imagine you want to override the openvas image to your forked one you can create `~/openvasd.yaml` file containing:
As an example imagine you want to override the openvas image to your forked one you can create `~/openvasd.yaml` file containing:

```
# Contains openvasd
Expand All @@ -20,26 +20,62 @@ openvas:
tag: "edge"
```

if you then execute:
```
if you then execute:
```
helm install openvasd ./openvasd/ -f openvasd/values.yaml -f ~/openvasd.yaml
```

it will use `nichtsfrei/openvas-scanner` instead of `greenbone/openvas-scanner`.

## TLS configuration

This chart is provided with server certificate and private key for example purposes and they should not be used in production systems. Certificate and key where created with [this scripts](../../rust/examples/tls/Self-Signed mTLS Method)

If you want to use your own key/cert pair, you have to base64 encode them and replace the ones in [server-private-key.yaml](templates/server-private-key.yaml).

If you want to enable Self-signed mTLS for client authentication replace the certificate in [client-cets.yaml](templates/client-certs). You can add as many certificates as you have authenticated clients.

For encoding the certificates use the following command
```
echo -n "$(cat certs.pem)" | base64
echo -n "$(cat key.pem)" | base64
```

You can verify that the secrets where mounted with the following command:

`kubectl describe secrets --namespace openvasd`


## Accessing the service

Once you installed the containers, run the following commands to rollout the pods and forward the por to access the service

`kubectl rollout status --watch --timeout 600s deployment/openvasd`

Get the pod name
`export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=openvasd,app.kubernetes.io/instance=openvasd" -o jsonpath="{.items[0].metadata.name}")`

Forward the port
`kubectl --namespace default port-forward $POD_NAME 8080:3000`

For testing, you can use the following command:

`curl --verbose --key $CLIENT_KEY --cert $CLIENT_CERT --insecure --request HEAD https://127.0.0.1:8080 -H "X-API-KEY: changeme"`


# Design decisions

## OSPD and Redis via unix socket

Although it is possible to start OSPD with TLS, it is used in unix socket mode to prevent a user to bypass openvasd and interfere with those scans.

Unfortunately the redis instance is shared between ospd and openvas without any clear separation. It is crucial that the redis instance used by them cannot be modified elsewhere.
Unfortunately the redis instance is shared between ospd and openvas without any clear separation. It is crucial that the redis instance used by them cannot be modified elsewhere.
To ensure redis is not used by another container, it is also started in unix socket mode.

## No scaling

Due to the current architectural limitation replica count and auto-scaling is completely disabled.
Due to the current architectural limitation replica count and auto-scaling is completely disabled.

The reason for that is that openvasd requires ospd which has no cluster capabilities nor a database setup that allows sharing via multiple instances.
The reason for that is that openvasd requires ospd which has no cluster capabilities nor a database setup that allows sharing via multiple instances.

That means that each replica would have a completely own state and reqires vertical scaling via deployment so that a customer can choose which openvasd to use.
95 changes: 95 additions & 0 deletions charts/openvasd/templates/client-certs.yaml
@@ -0,0 +1,95 @@
apiVersion: v1
kind: Secret
metadata:
name: client-certs
namespace: openvasd
data:
client1.pem: |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20 changes: 19 additions & 1 deletion charts/openvasd/templates/deployment.yaml
Expand Up @@ -42,6 +42,12 @@ spec:
emptyDir: {}
- name: ospd-logs
emptyDir: {}
- name: server-private-key
secret:
secretName: server-private-key
- name: client-certs
secret:
secretName: client-certs
initContainers:
- name: nasl
image: "{{ .Values.vulnerabilitytests.repository }}:{{ .Values.vulnerabilitytests.tag }}"
Expand Down Expand Up @@ -140,6 +146,12 @@ spec:
mountPath: /etc/openvas
- name: ospd-socket
mountPath: /run/ospd/
- mountPath: "/etc/openvasd/tls/"
name: server-private-key
readOnly: true
- mountPath: "/etc/openvasd/clientcerts"
name: client-certs
readOnly: true
securityContext:
capabilities:
add:
Expand All @@ -156,7 +168,13 @@ spec:
- name: OPENVASD_LOG
value: {{ .Values.openvasd.loglevel | default "INFO" }}
- name: API_KEY
value: {{ .Values.openvasd.apikey }}
value: {{ .Values.openvasd.apikey }}
- name: TLS_CERTS
value: "/etc/openvasd/tls/certs.pem"
- name: TLS_KEY
value: "/etc/openvasd/tls/key.pem"
- name: TLS_CLIENT_CERTS
value: "/etc/openvasd/clientcerts/"
- name: ospd
image: "{{ .Values.ospd.repository }}:{{ .Values.ospd.tag }}"
imagePullPolicy: Always
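Review bot: The two new volumes hard-code `secretName: server-private-key` and `secretName: client-certs`, so every install mounts the key material that ships inside the chart unless the operator edits the templates, and the README in this pull request says that material is for example purposes only. Because the client-certs Secret is mounted and `TLS_CLIENT_CERTS` is set unconditionally, a deployment left at defaults trusts whatever client certificate the chart ships (presumably the counterpart of the sample client key the smoketest workflow uses; confirm). Consider taking the secret names from values, for example `secretName: {{ .Values.openvasd.tls.serverSecret | default "server-private-key" }}` (the values key is a proposed name, not one the chart has today), and rendering the bundled Secrets only when no external one is supplied. The private-key volume also sets no `defaultMode`, so the key file gets the Kubernetes default of 0644; `defaultMode: 0400` would be tighter, provided the openvasd container user can still read it. The container spec these hunks belong to starts and ends outside the visible lines.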