feat: add helm support (#5)

Author: sreya

go.mod

@@ -1,4 +1,4 @@
-module github.com/coder/xray
+module github.com/coder/coder-xray
 
 go 1.21
 

helm/Chart.yaml

@@ -0,0 +1,28 @@
+apiVersion: v2
+name: coder-xray
+description: Query XRay results for Coder workspace pods and push them to Coder
+home: https://github.com/coder/coder-xray
+
+# version and appVersion are injected at release and will always be shown as
+# 0.1.0 in the repository.
+#
+# If you're installing the Helm chart directly from git it will have this
+# version, which means the auto-generated image URI will be invalid. You can set
+# "image.tag" to the desired tag manually.
+type: application
+version: "0.1.0"
+appVersion: "0.1.0"
+
+# This matches the required version from Coder.
+kubeVersion: ">= 1.19.0-0"
+
+keywords:
+  - coder
+  - terraform
+sources:
+  - https://github.com/coder/coder-xray/tree/main
+icon: https://helm.coder.com/coder_logo_black.png
+maintainers:
+  - name: Coder Technologies, Inc.
+    email: [email protected]
+    url: https://coder.com/contact

helm/templates/service.yaml

@@ -0,0 +1,98 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: coder-xray-kube-role
+rules:
+- apiGroups: [""]
+  resources: ["pods", "events"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+  resources: ["replicasets", "events"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name | quote }}
+  annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
+  labels: {{ toYaml .Values.serviceAccount.labels | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: coder-xray-kube-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: coder-xray-kube-role
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.serviceAccount.name | quote }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coder-xray-kube
+spec:
+  # This must remain at 1 otherwise duplicate logs can occur!
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount.name | quote }}
+      restartPolicy: Always
+      {{- with .Values.image.pullSecrets }}
+      imagePullSecrets:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: coder-xray-kube
+          image: "{{ .Values.image.repo }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - /coder-xray scan
+          env:
+            - name: CODER_URL
+              value: {{ .Values.coder.url }}
+            - name: CODER_NAMESPACE
+              value: {{  .Values.namespace | default .Release.Namespace }}
+            - name: CODER_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.coder.secretName }}
+                  key: coder-token
+            {{- if .Values.image.sslCertFile }}
+            - name: SSL_CERT_FILE
+              value: {{ .Values.image.sslCertFile }}
+            {{- end }}
+            {{- if .Values.image.sslCertDir }}
+            - name: SSL_CERT_DIR
+              value: {{ .Values.image.sslCertDir }}
+            {{- end }}
+            - name: CODER_ARTIFACTORY_URL
+              value: {{ .Values.artifactory.url }}
+            - name: CODER_ARTIFACTORY_USER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.artifactory.secretName }}
+                  key: user
+            - name: CODER_ARTIFACTORY_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.artifactory.secretName }}
+                  key: token
+          {{- if .Values.volumeMounts }}
+          volumeMounts: {{- toYaml .Values.volumeMounts | nindent 12 }}
+          {{- end }}
+      {{- if .Values.volumes }}
+      volumes: {{- toYaml .Values.volumes | nindent 8 }}
+      {{- end }}

helm/values.yaml

@@ -0,0 +1,71 @@
+# artifactory -- Arguments related to the JFrog Artifactory instance
+coder:
+  # url -- The URL of your Coder deployment. Must prefix with http or https
+  url: ""
+  # secretName -- The secret to use to reference the Coder API token used
+  # when pushing scan results to a deployment. Must have template admin privileges.
+  # The key should be 'coder-token'.
+  #
+  # Create the secret by running `kubectl create secret generic coder-xray --from-literal=coder-token='<token>'` 
+  secretName: ""
+
+# namespace -- The namespace to searching for Pods within.
+# If unspecified, this defaults to the Helm namespace.
+namespace: ""
+
+# artifactory -- Arguments related to the JFrog Artifactory instance
+# to interface with.
+artifactory:
+  # url -- The base url of the Artifactory instance. Must prefix with http or https.
+  url: ""
+  # secretName -- The secret to use to reference the user and token for querying
+  # the Artifactory API. The key for the user should be 'user' and
+  # the key for the token should be 'token'. The secret should be
+  # managed separately.
+  # 
+  # Create the secret by running `kubectl create secret generic artifactory --from-literal=user='<user>' --from-literal=token='<token>'`
+  secretName: ""
+
+# volumes -- A list of extra volumes to add to the coder-xray pod.
+volumes:
+  #   emptyDir: {}
+  # - name: "my-volume"
+
+# volumeMounts -- A list of extra volume mounts to add to the coder-xray pod.
+volumeMounts:
+  # - name: "my-volume"
+  #   mountPath: "/mnt/my-volume"
+
+# image -- The image to use.
+image:
+  # image.repo -- The repository of the image.
+  repo: "ghcr.io/coder/coder-xray"
+  # image.tag -- The tag of the image, defaults to {{.Chart.AppVersion}}
+  # if not set. If you're using the chart directly from git, the default
+  # app version will not work and you'll need to set this value. The helm
+  # chart helpfully fails quickly in this case.
+  tag: ""
+  # image.pullPolicy -- The pull policy to use for the image. See:
+  # https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+  pullPolicy: IfNotPresent
+  # image.pullSecrets -- The secrets used for pulling the Coder image from
+  # a private registry.
+  pullSecrets: []
+  #  - name: "pull-secret"
+  # image.sslCertFile -- Location of the SSL certificate file. Sets the $SSL_CERT_FILE
+  # variable inside of the container.
+  sslCertFile: ""
+  # image.sslCertDir -- Directory to check for SSL certificate files. Sets the $SSL_CERT_DIR
+  # variable inside of the container.
+  sslCertDir: ""
+
+serviceAccount:
+  # serviceAccount.annotations -- The service account annotations.
+  annotations: {}
+  # serviceAccount.labels -- The service account labels.
+  labels: {}
+  # coder.serviceAccount.name -- The service account name
+  name: coder-xray
+
+# nodeSelector -- Node labels for constraining the coder-xray pod to specific nodes.
+nodeSelector: {}

reporter/reporter.go

@@ -8,8 +8,8 @@ import (
 
 	"github.com/google/uuid"
 
+	"github.com/coder/coder-xray/jfrog"
 	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/xray/jfrog"
 
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"

reporter/reporter_test.go

@@ -14,10 +14,10 @@ import (
 
 	"cdr.dev/slog/sloggers/slogtest"
 
+	"github.com/coder/coder-xray/jfrog"
+	"github.com/coder/coder-xray/reporter"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/agentsdk"
-	"github.com/coder/xray/jfrog"
-	"github.com/coder/xray/reporter"
 )
 
 func TestK8SReporter(t *testing.T) {

root.go

@@ -13,8 +13,8 @@ import (
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/sloghuman"
 
-	"github.com/coder/xray/jfrog"
-	"github.com/coder/xray/reporter"
+	"github.com/coder/coder-xray/jfrog"
+	"github.com/coder/coder-xray/reporter"
 )
 
 func root() *cobra.Command {
@@ -101,9 +101,9 @@ func root() *cobra.Command {
 	}
 	cmd.Flags().StringVarP(&coderURL, "coder-url", "", os.Getenv("CODER_URL"), "URL of the Coder instance")
 	cmd.Flags().StringVarP(&coderToken, "coder-token", "", os.Getenv("CODER_TOKEN"), "Access Token for the Coder instance. Requires Template Admin privileges.")
-	cmd.Flags().StringVarP(&artifactoryURL, "artifactory-url", "", os.Getenv("ARTIFACTORY_URL"), "URL of the JFrog Artifactory instance")
-	cmd.Flags().StringVarP(&artifactoryToken, "artifactory-token", "", os.Getenv("ARTIFACTORY_TOKEN"), "Access Token for JFrog Artifactory instance")
-	cmd.Flags().StringVarP(&artifactoryUser, "artifactory-user", "", os.Getenv("ARTIFACTORY_USER"), "User to interface with JFrog Artifactory instance")
+	cmd.Flags().StringVarP(&artifactoryURL, "artifactory-url", "", os.Getenv("CODER_ARTIFACTORY_URL"), "URL of the JFrog Artifactory instance")
+	cmd.Flags().StringVarP(&artifactoryToken, "artifactory-token", "", os.Getenv("CODER_ARTIFACTORY_TOKEN"), "Access Token for JFrog Artifactory instance")
+	cmd.Flags().StringVarP(&artifactoryUser, "artifactory-user", "", os.Getenv("CODER_ARTIFACTORY_USER"), "User to interface with JFrog Artifactory instance")
 	cmd.Flags().StringVarP(&kubeConfig, "kubeconfig", "k", "/home/coder/.kube/config", "Path to the kubeconfig file")
 	cmd.Flags().StringVarP(&namespace, "namespace", "n", os.Getenv("CODER_NAMESPACE"), "Namespace to use when listing pods")
 	cmd.Flags().StringVarP(&fieldSelector, "field-selector", "f", "", "Field selector to use when listing pods")