generated from hashicorp/packer-plugin-scaffolding
-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #3 from Prateeknandle/packer-provisioner
kubearmor packer provisioner
- Loading branch information
Showing
48 changed files
with
1,440 additions
and
2,299 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,46 +1,31 @@ | ||
| # This GitHub action can publish assets for release when a tag is created. | ||
| # Currently its setup to run on any tag that matches the pattern "v*" (ie. v0.1.0). | ||
| # | ||
| # This uses an action (hashicorp/ghaction-import-gpg) that assumes you set your | ||
| # private key in the `GPG_PRIVATE_KEY` secret and passphrase in the `GPG_PASSPHRASE` | ||
| # secret. If you would rather own your own GPG handling, please fork this action | ||
| # or use an alternative one for key handling. | ||
| # | ||
| # You will need to pass the `--batch` flag to `gpg` in your signing step | ||
| # in `goreleaser` to indicate this is being used in a non-interactive mode. | ||
| # | ||
| name: release | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - '!*' | ||
| tags: | ||
| - 'v*' | ||
| - v*.*.* | ||
|
|
||
| jobs: | ||
| goreleaser: | ||
| release: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | ||
| - name: Unshallow | ||
| run: git fetch --prune --unshallow | ||
| - name: Set up Go | ||
| uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 | ||
| with: | ||
| go-version: 1.17 | ||
| - name: Describe plugin | ||
| id: plugin_describe | ||
| run: echo "api_version=$(go run . describe | jq -r '.api_version')" >> $GITHUB_OUTPUT | ||
| - name: Import GPG key | ||
| id: import_gpg | ||
| uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5.2.0 | ||
| with: | ||
| gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | ||
| passphrase: ${{ secrets.GPG_PASSPHRASE }} | ||
| - name: Run GoReleaser | ||
| uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0 | ||
| with: | ||
| version: latest | ||
| args: release --rm-dist | ||
| env: | ||
| GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| API_VERSION: ${{ steps.plugin_describe.outputs.api_version }} | ||
| - name: Checkout | ||
| uses: actions/checkout@v3 | ||
| - name: Set up Go | ||
| uses: actions/setup-go@v4 | ||
| with: | ||
| go-version-file: 'go.mod' | ||
| cache: true | ||
| - name: Describe plugin | ||
| id: plugin_describe | ||
| run: echo "api_version=$(go run . describe | jq -r '.api_version')" >> $GITHUB_OUTPUT | ||
| - name: Run GoReleaser | ||
| uses: goreleaser/goreleaser-action@v4 | ||
| with: | ||
| version: latest | ||
| args: release --rm-dist | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| API_VERSION: ${{ steps.plugin_describe.outputs.api_version }} |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,9 +1,12 @@ | ||
| main | ||
| packer-plugin-scaffolding | ||
| packer-plugin-kubearmor | ||
| **/packer_log*.txt | ||
| **/git_*test.pkr.hcl | ||
| crash.log | ||
|
|
||
| dist/* | ||
| .docs/* | ||
| docs.zip | ||
|
|
||
| out | ||
| output-basic-example |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,90 +1,67 @@ | ||
| # Packer Plugin Scaffolding | ||
| # Packer Plugin KubeArmor | ||
|
|
||
| This repository is a template for a Packer multi-component plugin. It is intended as a starting point for creating Packer plugins, containing: | ||
| - A builder ([builder/scaffolding](builder/scaffolding)) | ||
| - A provisioner ([provisioner/scaffolding](provisioner/scaffolding)) | ||
| - A post-processor ([post-processor/scaffolding](post-processor/scaffolding)) | ||
| - A data source ([datasource/scaffolding](datasource/scaffolding)) | ||
| - Docs ([docs](docs)) | ||
| - A working example ([example](example)) | ||
| A plugin for Packer which provides [KubeArmor Hardening Host Security policies](https://docs.kubearmor.io/kubearmor/use-cases/hardening_guide) for the build workloads. | ||
|
|
||
| These folders contain boilerplate code that you will need to edit to create your own Packer multi-component plugin. | ||
| A full guide to creating Packer plugins can be found at [Extending Packer](https://www.packer.io/docs/plugins/creation). | ||
| > [KubeArmor](https://docs.kubearmor.io/kubearmor/) is a security solution for the Kubernetes and cloud native platforms that helps protect your workloads from attacks and threats. It does this by providing a set of hardening policies that are based on industry-leading compliance and attack frameworks such as CIS, MITRE, NIST-800-53, and STIGs. These policies are designed to help you secure your workloads in a way that is compliant with these frameworks and recommended best practices. | ||
| In this repository you will also find a pre-defined GitHub Action configuration for the release workflow | ||
| (`.goreleaser.yml` and `.github/workflows/release.yml`). The release workflow configuration makes sure the GitHub | ||
| release artifacts are created with the correct binaries and naming conventions. | ||
| ## Installation | ||
|
|
||
| Please see the [GitHub template repository documentation](https://docs.github.com/en/free-pro-team@latest/github/creating-cloning-and-archiving-repositories/creating-a-repository-from-a-template) | ||
| for how to create a new repository from this template on GitHub. | ||
| Since we do not have a release currently so we have to build the provisioner and use it. | ||
| 1. Clone the repo. | ||
| 2. Run `make build`. | ||
| 3. Configure the Packer_PLUGIN_PATH - `export PACKER_PLUGIN_PATH=~/go/src/github.com/packer-plugin-kubearmor`. | ||
| 4. Run `packer init .` | ||
| 5. Run `packer build <file>.hcl`. | ||
|
|
||
| ## Packer plugin projects | ||
| ## Requirements | ||
|
|
||
| Here's a non exaustive list of Packer plugins that you can checkout: | ||
| In order to use the provided KubeArmor Host Security Policies by the provisioner the build also needs to have KubeArmor and other tools and dependencies required. For installing KubeArmor and ensuring all the dependencies are met we are providing an ansible playbook which could be used with ansible provisioner. | ||
|
|
||
| * [github.com/hashicorp/packer-plugin-docker](https://github.com/hashicorp/packer-plugin-docker) | ||
| * [github.com/exoscale/packer-plugin-exoscale](https://github.com/exoscale/packer-plugin-exoscale) | ||
| * [github.com/sylviamoss/packer-plugin-comment](https://github.com/sylviamoss/packer-plugin-comment) | ||
| * [github.com/hashicorp/packer-plugin-hashicups](https://github.com/hashicorp/packer-plugin-hashicups) | ||
| > NOTE : Please ensure that the user which executes the ansible playbook doesn't require password. | ||
| Looking at their code will give you good examples. | ||
| ## Example | ||
|
|
||
| ## Running Acceptance Tests | ||
|
|
||
| Make sure to install the plugin with `go build .` and to have Packer installed locally. | ||
| Then source the built binary to the plugin path with `cp packer-plugin-scaffolding ~/.packer.d/plugins/packer-plugin-scaffolding` | ||
| Once everything needed is set up, run: | ||
| ``` | ||
| PACKER_ACC=1 go test -count 1 -v ./... -timeout=120m | ||
| packer { | ||
| required_plugins { | ||
| virtualbox-ovf = { | ||
| source = "github.com/hashicorp/virtualbox" | ||
| version = "~> 1" | ||
| } | ||
| ansible = { | ||
| source = "github.com/hashicorp/ansible" | ||
| version = "~> 1" | ||
| } | ||
| } | ||
| } | ||
| source "virtualbox-ovf" "basic-example" { | ||
| source_path = "ubuntu20.ova" | ||
| ssh_username = "" | ||
| ssh_password = "" | ||
| shutdown_command = "echo 'packer' | sudo -S shutdown -P now" | ||
| } | ||
| build { | ||
| name = "learn-packer" | ||
| sources = ["sources.virtualbox-ovf.basic-example"] | ||
| provisioner "ansible" { | ||
| playbook_file = "./ansible/conf.yml" | ||
| } | ||
| provisioner "kubearmor" { | ||
| policyPath = "/home/prateek/policies" | ||
| } | ||
| } | ||
| ``` | ||
| In order to get an `.ova` file first create a Virtual Machine on VirtualBox and then export it in OVF Version 2 format. Exporting will generate an `.ova` file. | ||
|
|
||
| ## Using the Policies in the build | ||
|
|
||
| This will run the acceptance tests for all plugins in this set. | ||
|
|
||
| ## Test Plugin Example Action | ||
|
|
||
| This scaffolding configures a [manually triggered plugin test action](/.github/workflows/test-plugin-example.yml). | ||
| By default, the action will run Packer at the latest version to init, validate, and build the example configuration | ||
| within the [example](example) folder. This is useful to quickly test a basic template of your plugin against Packer. | ||
|
|
||
| The example must contain the `required_plugins` block and require your plugin at the latest or any other released version. | ||
| This will help test and validate plugin releases. | ||
|
|
||
| ## Registering Documentation on Packer.io | ||
|
|
||
| Documentation for a plugin is maintained within the `docs` directory and served on GitHub. | ||
| To include plugin docs on Packer.io a global pre-hook has been added to the main scaffolding .goreleaser.yml file, that if uncommented will generate and include a docs.zip file as part of the plugin release. | ||
|
|
||
| The `docs.zip` file will contain all of the `.mdx` files under the plugins root `docs/` directory that can be consumed remotely by Packer.io. | ||
|
|
||
| Once the first `docs.zip` file has been included into a release you will need to open a one time pull-request against [hashicorp/packer](https://github.com/hashicorp/packer) to register the plugin docs. | ||
| This is done by adding the block below for the respective plugin to the file [website/data/docs-remote-navigation.js](https://github.com/hashicorp/packer/blob/master/website/data/docs-remote-plugins.json). | ||
|
|
||
| ```json | ||
| { | ||
| "title": "Scaffolding", | ||
| "path": "scaffolding", | ||
| "repo": "hashicorp/packer-plugin-scaffolding", | ||
| "version": "latest", | ||
| "sourceBranch": "main" | ||
| } | ||
| ``` | ||
|
|
||
| If a plugin maintainer wishes to only include a specific version of released docs then the `"version"` key in the above configuration should be set to a released version of the plugin. Otherwise it should be set to `"latest"`. | ||
|
|
||
| The `"sourceBranch"` key in the above configuration ensures potential contributors can link back to source files in the plugin repository from the Packer docs site. If a `"sourceBranch"` value is not present, it will default to `"main"`. | ||
|
|
||
| The documentation structure needed for Packer.io can be generated manually, by creating a simple zip file called `docs.zip` of the docs directory and included in the plugin release. | ||
|
|
||
| ```/bin/bash | ||
| [[ -d docs/ ]] && zip -r docs.zip docs/ | ||
| ``` | ||
|
|
||
| Once the first `docs.zip` file has been included into a release you will need to open a one time pull-request against [hashicorp/packer](https://github.com/hashicorp/packer) to register the plugin docs. | ||
|
|
||
| # Requirements | ||
| In order to apply the policies please go thorugh the [guide](https://github.com/kubearmor/KubeArmor/blob/main/getting-started/kubearmor_vm.md). | ||
| > Since KubeArmor is already installed so we don't have to install it. | ||
| - [packer-plugin-sdk](https://github.com/hashicorp/packer-plugin-sdk) >= v0.2.9 | ||
| - [Go](https://golang.org/doc/install) >= 1.17 | ||
| Ensure KubeArmor service is running inside the build `sudo systemctl status kubearmor` and use `karmor vm policy` to apply the policies. | ||
|
|
||
| ## Packer Compatibility | ||
| This scaffolding template is compatible with Packer >= v1.7.0 |
Oops, something went wrong.