Add Konnector Charts

.github/workflows/lint-test.yaml

@@ -0,0 +1,45 @@
+name: Lint and Test Charts
+
+on: pull_request
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: v3.13.0
+
+      # Python is required because `ct lint` runs Yamale (https://github.com/23andMe/Yamale) and
+      # yamllint (https://github.com/adrienverge/yamllint) which require Python
+      - name: Set up Python
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        with:
+          python-version: 3.x
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --config ct.yaml)
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yaml
+
+      - name: Create kind cluster
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install)
+        run: ct install --config ct.yaml

.github/workflows/release.yaml

@@ -0,0 +1,37 @@
+name: Release Charts
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Install Helm
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: v3.13.0
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
+        with:
+          charts_dir: charts
+          config: cr.yaml
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.gitignore

@@ -0,0 +1,2 @@
+.DS_Store
+*.tgz

charts/konnector/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: konnector
+description: Deploys Palo Alto Networks' Cortex KSPM connector for advanced Kubernetes security posture management.
+type: application
+version: 1.0.0
+appVersion: "1.0.0"
+maintainers:
+  - name: Palo Alto Networks - Cortex KSPM team
+    url: https://www.paloaltonetworks.com

charts/konnector/templates/_helpers.tpl

@@ -0,0 +1,58 @@
+{{- define "common.validateImage" -}}
+  {{- if or (not .Values.image.name) (eq .Values.image.name "") -}}
+    {{- fail (print "Error: 'image.name' is missing or empty. Provided value: '" .Values.image.name "'") -}}
+  {{- end -}}
+
+  {{- if or (not .Values.image.registry) (eq .Values.image.registry "") -}}
+    {{- fail (print "Error: 'image.registry' is missing or empty. Provided value: '" .Values.image.registry "'") -}}
+  {{- end -}}
+
+  {{- if and (not .Values.image.tag) (not .Values.image.digest) -}}
+    {{- fail "Error: Either 'image.tag' or 'image.digest' must be provided for the image." -}}
+  {{- end -}}
+
+  {{- if and (eq (.Values.image.tag | toString) "") (eq (.Values.image.digest | toString) "") -}}
+    {{- fail (print "Error: Both 'image.tag' and 'image.digest' cannot be empty.") -}}
+  {{- end -}}
+
+{{- end -}}
+
+
+{{- define "common.labels" -}}
+app.kubernetes.io/name: {{ .Chart.Name }}
+app.kubernetes.io/author: {{ .Values.namespace.name }}
+{{- end -}}
+
+{{- define "common.jobTemplate" -}}
+spec:
+  backoffLimit: {{ .Values.system.batch.backoffLimit }}
+  template:
+    metadata:
+      labels:
+        {{- include "common.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ .Release.Name }}
+    spec:
+      volumes:
+        - name: {{ .Values.system.secrets.backendAuth.name }}
+          secret:
+            secretName: {{ .Values.system.secrets.backendAuth.name }}
+      serviceAccountName: {{ .Values.system.serviceAccount.name }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.registry }}/{{ .Values.image.name }}{{- if .Values.image.tag }}:{{ .Values.image.tag }}{{- end }}{{- if .Values.image.digest }}@{{ .Values.image.digest }}{{- end }}"
+          command: [/{{ .Chart.Name }}]
+          env:
+            - name: DISTRIBUTION_ID
+              valueFrom:
+                secretKeyRef:
+                  name: distribution-id
+                  key: distribution-id
+          envFrom:
+            - configMapRef:
+                name: {{ .Values.system.configMap.global.name }}
+          volumeMounts:
+            - mountPath: "/secret"
+              name: {{ .Values.system.secrets.backendAuth.name }}
+              readOnly: true
+      restartPolicy: Never
+{{- end -}}

charts/konnector/templates/batch.yaml

@@ -0,0 +1,23 @@
+{{- include "common.validateImage" . }}
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Chart.Name }}
+  namespace: {{ .Values.namespace.name }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+{{- include "common.jobTemplate" . | nindent 0 }}
+---
+
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ .Chart.Name }}
+  namespace: {{ .Values.namespace.name }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+spec:
+  schedule: {{ .Values.system.batch.schedule }}
+  jobTemplate:
+    {{- include "common.jobTemplate" . | nindent 4 }}

charts/konnector/templates/configmap.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.system.configMap.global.name }}
+  namespace: {{ .Values.namespace.name }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+data:
+  NAMESPACE: {{ .Values.namespace.name | quote }}
+  DISTRIBUTION_URL: {{ .Values.distribution.url | quote }}
+  RELEASE_NAME: {{.Release.Name | quote }}
+  CHART_NAME: {{ .Chart.Name | quote }}
+  CHART_VERSION: {{ .Values.image.tag | quote }}
+  {{- if .Values.optionalValues }}
+  {{- range $key, $value := .Values.optionalValues }}
+  {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}

charts/konnector/templates/namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.namespace.name }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+  annotations: {"helm.sh/hook": pre-install}
+---

charts/konnector/templates/rbac.yaml

@@ -0,0 +1,66 @@
+{{- $namespace := .Values.namespace.name }}
+{{- $sa := .Values.system.serviceAccount.name }}
+
+{{- range $roleName, $roleInfo := .Values.system.roles }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $roleName }}
+  namespace: {{ $namespace }}
+  labels:
+    {{- include "common.labels" $ | nindent 4 }}
+rules:
+{{- range $roleInfo.rules }}
+  - apiGroups: {{ .apiGroups | toJson }}
+    resources: {{ .resources | toJson }}
+    verbs: {{ .verbs | toJson }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $roleName }}-binding
+  namespace: {{ $namespace }}
+  labels:
+    {{- include "common.labels" $ | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $sa }}
+    namespace: {{ $namespace }}
+roleRef:
+  kind: Role
+  name: {{ $roleName }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+
+{{- range $roleName, $roleInfo := .Values.system.clusterRoles }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $roleName }}
+  labels:
+    {{- include "common.labels" $ | nindent 4 }}
+rules:
+{{- range $roleInfo.rules }}
+  - apiGroups: {{ .apiGroups | toJson }}
+    resources: {{ .resources | toJson }}
+    verbs: {{ .verbs | toJson }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $roleName }}-binding
+  labels:
+    {{- include "common.labels" $ | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $sa}}
+    namespace: {{ $namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ $roleName }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

charts/konnector/templates/secret.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.system.secrets.backendAuth.name }}
+  namespace: {{ .Values.namespace.name }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  token: "--set-by-konnnector-at-runtime--"
+  chapi: "--set-by-konnnector-at-runtime--"
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+  name: {{ .Values.system.secrets.dockerSecret.name }}
+  namespace: {{ .Values.namespace.name }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+data:
+  .dockerconfigjson: {{ .Values.dockerPullSecret | default ( "{}" | b64enc ) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: distribution-id
+  namespace: {{ .Values.namespace.name }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  distribution-id: {{ .Values.distribution.id | required "The distribution.id value is required!" | quote }}

charts/konnector/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.system.serviceAccount.name }}
+  namespace: {{ .Values.namespace.name }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+automountServiceAccountToken: true
+secrets:
+ - name: {{ .Values.system.secrets.backendAuth.name }}
+imagePullSecrets:
+ - name: {{ .Values.system.secrets.dockerSecret.name }}