feat: Hybrid platform helm charts

snyk · Feb 28, 2024 · fdc450d · fdc450d
1 parent 31b8df5
commit fdc450d
Show file tree

Hide file tree

Showing 15 changed files with 1,655 additions and 0 deletions.
diff --git a/hybrid-platform/charts/Chart.lock b/hybrid-platform/charts/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: Universal Broker
+  repository: file://./universal-broker
+  version: 2.5.2
+digest: sha256:dee511ee4cb20696b08ebd9d053250f5ac6c0f3ded55676e00453371b4e6f726
+generated: "2024-02-26T14:50:20.545853-05:00"
diff --git a/hybrid-platform/charts/Chart.yaml b/hybrid-platform/charts/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: snyk-broker-test
+version: 2.5.2
+description: A Helm chart for Kubernetes
+type: application
+dependencies:
+  - name: Universal Broker
+    version: 2.5.2
+    repository: "file://./universal-broker"
diff --git a/hybrid-platform/charts/charts/Universal Broker-2.5.2.tgz b/hybrid-platform/charts/charts/Universal Broker-2.5.2.tgz
diff --git a/hybrid-platform/charts/templates/_helpers.tpl b/hybrid-platform/charts/templates/_helpers.tpl
@@ -0,0 +1,124 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "snyk-broker.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "snyk-broker.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "snyk-broker.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "snyk-broker.labels" -}}
+helm.sh/chart: {{ include "snyk-broker.chart" . }}
+{{ include "snyk-broker.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "snyk-broker.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "snyk-broker.name" . }}{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "snyk-broker.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "snyk-broker.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Content of accept.json configuration file (either provided as literal value)
+*/}}
+{{- define "snyk-broker.acceptJson" -}}
+{{- with .Values.acceptJson}}{{.}}{{end}}
+{{- end}}
+
+{{/*
+Return the appropriate apiVersion for ingress.
+*/}}
+{{- define "snyk-broker.ingress.apiVersion" -}}
+  {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) -}}
+      {{- print "networking.k8s.io/v1" -}}
+  {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}}
+    {{- print "networking.k8s.io/v1beta1" -}}
+  {{- else -}}
+    {{- print "extensions/v1beta1" -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Return if ingress is stable.
+*/}}
+{{- define "snyk-broker.ingress.isStable" -}}
+  {{- eq (include "snyk-broker.ingress.apiVersion" .) "networking.k8s.io/v1" -}}
+{{- end -}}
+{{/*
+Return if ingress supports ingressClassName.
+*/}}
+{{- define "snyk-broker.ingress.supportsIngressClassName" -}}
+  {{- or (eq (include "snyk-broker.ingress.isStable" .) "true") (and (eq (include "snyk-broker.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}}
+{{- end -}}
+{{/*
+Return if ingress supports pathType.
+*/}}
+{{- define "snyk-broker.ingress.supportsPathType" -}}
+  {{- or (eq (include "snyk-broker.ingress.isStable" .) "true") (and (eq (include "snyk-broker.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}}
+{{- end -}}
+
+{{/*
+Create the name of the broker service to use
+*/}}
+{{- define "snyk-broker.brokerServiceName" -}}
+{{- if not .Values.disableSuffixes -}}
+{{- .Values.scmType }}-broker-service-{{ .Release.Name }}
+{{- else }}
+{{- .Values.scmType}}-broker-service
+{{- end -}}
+{{- end -}}
+
+{{- define "configMap" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "snyk-broker.fullname" . }}-{{ .name }}{{ if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "snyk-broker.labels" . | nindent 4 }}
+data:
+  {{ .Key }}: {{ .Value | nindent 2 }}
+{{- end }}
diff --git a/hybrid-platform/charts/templates/configmap.yaml b/hybrid-platform/charts/templates/configmap.yaml
@@ -0,0 +1,15 @@
+{{- define "configMap" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "snyk-broker.fullname" . }}-{{ .name }}{{ if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "snyk-broker.labels" . | nindent 4 }}
+data:
+  {{ .Key }}: {{ .Value | nindent 2 }}
+{{- end }}
+
+{{- if .Values.httpsCert }}
+{{- include "configMap" (dict "name" "httpscert-configmap" "Key" "" "Value" (.Files.Glob .Values.httpsCert).AsConfig) }}
+{{- end }}
diff --git a/hybrid-platform/charts/templates/egress.yaml b/hybrid-platform/charts/templates/egress.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-app1
+spec:
+  type: ExternalName
+  externalName: app.snyk.io
+  ports:
+    - name: https
+      protocol: TCP
+      port: 443
+      targetPort: 443
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}
+  annotations:
+      haproxy.org/server-ssl: "true"
+      haproxy.org/backend-config-snippet: |
+        # See this article for the deep reasons of both parameters: https://www.haproxy.com/fr/blog/http-keep-alive-pipelining-multiplexing-and-connection-pooling/
+        # enforce SNI with the Host string instead of the 'Host' header, because HAProxy cannot reuse connections with a non-fixed Host SNI value.
+        default-server check-sni app1.example.com sni str(app1.example.com) resolvers mydns resolve-prefer ipv4
+        # make HAProxy reuse connections, because the default safe mode reuses connections only for the same source.ip
+        http-reuse always
+
+spec:
+  rules:
+  - host: app1.example.com
+    http:
+      paths:
+      - backend:
+          serviceName: {{ .Release.Name }}
+          servicePort: 443
diff --git a/hybrid-platform/charts/templates/ingress.yaml b/hybrid-platform/charts/templates/ingress.yaml
@@ -0,0 +1,81 @@
+{{- if .Values.brokerIngress.enabled -}}
+{{- $ingressApiIsStable := eq (include "snyk-broker.ingress.isStable" .) "true" -}}
+{{- $ingressSupportsIngressClassName := eq (include "snyk-broker.ingress.supportsIngressClassName" .) "true" -}}
+{{- $ingressSupportsPathType := eq (include "snyk-broker.ingress.supportsPathType" .) "true" -}}
+{{- $fullName := include "snyk-broker.fullname" . -}}
+{{- $servicePort := .Values.service.port -}}
+{{- $scmType := .Values.scmType -}}
+{{- $ingressPath := .Values.brokerIngress.path -}}
+{{- $ingressPathType := .Values.brokerIngress.pathType -}}
+{{- $extraPaths := .Values.brokerIngress.extraPaths -}}
+{{- $releaseName := .Release.Name -}}
+{{- $disableSuffixes := .Values.disableSuffixes }}
+apiVersion: {{ include "snyk-broker.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}{{ if not $disableSuffixes}}-{{ .Release.Name }}{{ end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "snyk-broker.labels" . | nindent 4 }}
+    {{- with .Values.brokerIngress.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- if .Values.brokerIngress.annotations }}
+  annotations:
+    {{- range $key, $value := .Values.brokerIngress.annotations }}
+    {{ $key }}: {{ tpl $value $ | quote }}
+    {{- end }}
+  {{- end }}
+spec:
+  {{- if and $ingressSupportsIngressClassName .Values.brokerIngress.ingressClassName }}
+  ingressClassName: {{ .Values.brokerIngress.ingressClassName }}
+  {{- end -}}
+{{- if .Values.brokerIngress.tls }}
+  tls:
+{{ tpl (toYaml .Values.brokerIngress.tls) $ | indent 4 }}
+{{- end }}
+  rules:
+  {{- if .Values.brokerIngress.hosts  }}
+  {{- range .Values.brokerIngress.hosts }}
+    - host: {{ tpl . $}}
+      http:
+        paths:
+{{- if $extraPaths }}
+{{ toYaml $extraPaths | indent 10 }}
+{{- end }}
+          - path: {{ $ingressPath }}
+            {{- if $ingressSupportsPathType }}
+            pathType: {{ $ingressPathType }}
+            {{- end }}
+            backend:
+              {{- if $ingressApiIsStable }}
+              service:
+                name: {{ include "snyk-broker.brokerServiceName" $ }}
+                port:
+                  number: {{ $servicePort }}
+              {{- else }}
+              serviceName: {{ $scmType }}-broker-service{{ if not $disableSuffixes}}-{{ $releaseName }}{{ end }}
+              servicePort: {{ $servicePort }}
+              {{- end }}
+  {{- end }}
+  {{- else }}
+    - http:
+        paths:
+          - backend:
+              {{- if $ingressApiIsStable }}
+              service:
+                name: {{ include "snyk-broker.brokerServiceName" . }}
+                port:
+                  number: {{ $servicePort }}
+              {{- else }}
+              serviceName: {{ include "snyk-broker.brokerServiceName" . }}
+              servicePort: {{ $servicePort }}
+              {{- end }}
+            {{- if $ingressPath }}
+            path: {{ $ingressPath }}
+            {{- end }}
+            {{- if $ingressSupportsPathType }}
+            pathType: {{ $ingressPathType }}
+            {{- end }}
+  {{- end -}}
+{{- end }}
diff --git a/hybrid-platform/charts/templates/secrets.yaml b/hybrid-platform/charts/templates/secrets.yaml
@@ -0,0 +1,119 @@
+{{- if .Values.brokerToken }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+type: Opaque
+data:
+  "{{ .Values.scmType}}-broker-token-key": {{ .Values.brokerToken | b64enc | quote }}
+---
+{{- end }}
+{{- if .Values.scmToken }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+type: Opaque
+data:
+  "{{ .Values.scmType}}-token-key": {{ .Values.scmToken | b64enc | quote }}
+{{- end }}
+---
+{{- if .Values.scmTokenPool }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.scmType }}-token-pool{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+type: Opaque
+data:
+  "{{ .Values.scmType }}-token-key-pool": {{ .Values.scmTokenPool | b64enc | quote }}
+{{- end }}
+---
+{{- if .Values.bitbucketPassword }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+type: Opaque
+data:
+  "{{ .Values.scmType}}-token-key": {{ .Values.bitbucketPassword | b64enc | quote }}
+---
+{{- end }}
+{{- if .Values.azureReposToken }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+type: Opaque
+data:
+  "{{ .Values.scmType}}-token-key": {{ .Values.azureReposToken | b64enc | quote }}
+---
+{{- end }}
+{{- if .Values.jiraPassword }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+type: Opaque
+data:
+  "{{ .Values.scmType}}-token-key": {{ .Values.jiraPassword | b64enc | quote }}
+---
+{{- end }}
+{{- if .Values.jiraPat }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+type: Opaque
+data:
+  "{{ .Values.scmType}}-token-key": {{ .Values.jiraPat | b64enc | quote }}
+---
+{{- end }}
+{{- if .Values.crPassword }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+type: Opaque
+data:
+  "{{ .Values.scmType}}-token-key": {{ .Values.crPassword | b64enc | quote }}
+---
+{{- end }}
+{{- if .Values.crToken }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+type: Opaque
+data:
+  "{{ .Values.scmType}}-token-key": {{ .Values.crToken | b64enc | quote }}
+---
+{{- end }}
+{{- if .Values.snykToken }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: snyk-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+type: Opaque
+data:
+  "snyk-token-key": {{ .Values.snykToken | b64enc | quote }}
+---
+{{- end }}
+{{- if .Values.baseNexusUrl }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nexus-base-nexus-url{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+type: Opaque
+data:
+  "nexus-base-nexus-url": {{ .Values.baseNexusUrl | b64enc | quote }}
+---
+{{- end}}
+{{- if .Values.nexusUrl }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nexus-nexus-url{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+type: Opaque
+data:
+  "nexus-nexus-url": {{ .Values.nexusUrl | b64enc | quote }}
+{{- end}}