Tools to create a curated private Helm chart repository in Artifact Registry and to keep it synchronized with its public sources.
Reference:
This repository contains:
- A Python application that pulls Helm charts from multiple sources and pushes them to Artifact Registry.
- A Dockerfile to containerize the application, which includes SAST tools to analyze the charts before they are pushed to Artifact Registry.
- An additional Dockerfile to containerize the application without the SAST tools.
- A Helm chart to deploy a Kubernetes Cronjob that would run the containerized application on a schedule.
- A bootstrapping shell script to create the GCP resources necessary to build, install and test the application.
- A build script that simplifies the process of building the container images locally.
The default Dockerfile includes two SAST tools, Checkov and Trivy, which will be executed on every pulled Helm chart before these are uploaded to Artifact Registry.
They both generate reports that will be saved and uploaded to a GCS bucket which is configurable via the provided Helm chart. These reports are useful to assess the Security Posture of your organization, and they can also be a requirement for compliance and audit purposes.
Checkov is an open source Static Code Analysis Tool (SAST) for scanning Infrastructure as Code (IaC) files for security or compliance problems. It is also called a Policy-as-Code tool.
It supports many IaC formats, including Helm, and comes pre-packaged with hundreds of policies.
Warning: Some charts which are or contain library charts may display a warning when scanned by Checkov, displaying the error: Error: library charts are not installable. This is standard Helm behaviour as library charts should not be templated.
Trivy is an open source Security Scanning tool which supports a wide range of languages, packages and configuration files including Helm templates.
Warning: Trivy versions before v0.51.0 contain a bug in trivy config that makes it fail to render helm charts which set a minKubeVersion.
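The scan-before-upload gate described above, together with the two warnings (the Checkov "library charts are not installable" message and the Trivy minKubeVersion bug before v0.51.0), as an added example that is not part of the project's own code. It parses the JSON reports the two SAST tools produce, blocks the push when a finding of HIGH or CRITICAL severity is present (an assumed policy), treats the library-chart message as a non-fatal warning, and flags a Trivy binary too old to render charts that set minKubeVersion. The sample reports are constructed for the example; the exact fields the tools emit may differ between versions.

```python
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Assumed policy for this example: findings at these severities block the push.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
# Message surfaced when Checkov tries to template a library chart; Helm refuses by design.
LIBRARY_CHART_MARKER = "library charts are not installable"
# First Trivy release whose `trivy config` renders charts that set minKubeVersion (see warning above).
MIN_TRIVY_VERSION = (0, 51, 0)


@dataclass
class GateResult:
    allowed: bool
    findings: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def parse_version(text: str) -> tuple:
    """Turn 'v0.50.4' or '0.51.0' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.lstrip("v").split(".")[:3])


def trivy_version_ok(version: str) -> bool:
    """True when this Trivy release is not affected by the minKubeVersion rendering bug."""
    return parse_version(version) >= MIN_TRIVY_VERSION


def checkov_findings(report: Any, blocking: set) -> List[str]:
    """Collect blocking failed checks from a Checkov JSON report.

    Checkov emits one object, or a list of objects when several frameworks ran.
    The open source build often leaves 'severity' null; those are reported as UNKNOWN
    and therefore do not block unless UNKNOWN is added to the blocking set."""
    docs = report if isinstance(report, list) else [report]
    out = []
    for doc in docs:
        for check in doc.get("results", {}).get("failed_checks", []):
            severity = (check.get("severity") or "UNKNOWN").upper()
            if severity in blocking:
                out.append(f"checkov {check['check_id']} {severity}: {check.get('resource', '?')}")
    return out


def trivy_findings(report: Dict[str, Any], blocking: set) -> List[str]:
    """Collect blocking misconfigurations from a Trivy JSON report (config scan)."""
    out = []
    for result in report.get("Results", []):
        for mis in result.get("Misconfigurations", []):
            severity = (mis.get("Severity") or "UNKNOWN").upper()
            if severity in blocking:
                out.append(f"trivy {mis['ID']} {severity}: {result.get('Target', '?')}")
    return out


def evaluate_chart(checkov_report: Any, trivy_report: Dict[str, Any], scanner_stderr: str = "",
                   trivy_version: str = "0.51.0", blocking: set = BLOCKING_SEVERITIES) -> GateResult:
    """Decide whether a pulled chart may be pushed to Artifact Registry."""
    result = GateResult(allowed=True)
    if not trivy_version_ok(trivy_version):
        result.warnings.append(f"trivy {trivy_version} may fail to render charts that set minKubeVersion")
    if LIBRARY_CHART_MARKER in scanner_stderr:
        # Library charts cannot be templated; this is expected Helm behaviour, not a finding.
        result.warnings.append("library chart: Checkov could not template it; not treated as a failure")
    result.findings = checkov_findings(checkov_report, blocking) + trivy_findings(trivy_report, blocking)
    result.allowed = not result.findings
    return result


# Constructed sample reports shaped like the tools' JSON output (not captured from a real run).
CHECKOV_SAMPLE = {
    "check_type": "helm",
    "results": {
        "passed_checks": [{"check_id": "CKV_K8S_21", "severity": None}],
        "failed_checks": [
            {"check_id": "CKV_K8S_8", "check_name": "Liveness Probe Should be Configured",
             "resource": "Deployment.default.example-app", "severity": "LOW"},
            {"check_id": "CKV_K8S_16", "check_name": "Container should not be privileged",
             "resource": "Deployment.default.example-app", "severity": "HIGH"},
        ],
    },
    "summary": {"passed": 1, "failed": 2, "skipped": 0, "parsing_errors": 0},
}

TRIVY_SAMPLE = {
    "SchemaVersion": 2,
    "Results": [{
        "Target": "example-app/templates/deployment.yaml", "Class": "config", "Type": "helm",
        "Misconfigurations": [
            {"ID": "KSV017", "Title": "Privileged container", "Severity": "HIGH"},
            {"ID": "KSV014", "Title": "Root file system is not read-only", "Severity": "LOW"},
        ],
    }],
}

if __name__ == "__main__":
    gate = evaluate_chart(CHECKOV_SAMPLE, TRIVY_SAMPLE, "Error: library charts are not installable")
    print(json.dumps({"allowed": gate.allowed, "findings": gate.findings, "warnings": gate.warnings}, indent=2))
```

In the real synchronizer the two reports would be read from the files the scanners write (and then uploaded to the GCS bucket as described above); the decision logic stays the same, and the blocking set is the knob an organization tunes to its own policy.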
The repository includes a few helper scripts to deploy a Proof-of-Concept environment to test the application.
These are better run from a Google Cloud Shell session since it contains all the required tools.
- bootstrap.sh - Will set everything up, and may also build and push the container image to the Artifact Registry repository.
- build.sh - Builds the container image without running the whole bootstrapping process.
Once the environment is up and running, and the image has been built, you may deploy the application using the provided Helm chart.
This script will bootstrap a Proof of Concept environment that allows testing this solution with minimal cost. In detail, it:
- Creates a GCP project.
- Enables Billing for the project.
- Enables the necessary GCP Services (GKE, Artifact Registry, GCS).
- Creates a GCP Service Account (GSA).
- Grants permissions to the GSA.
- Creates an Artifact Registry repository.
- Creates a GKE Cluster with Workload Identity enabled and 4 node pools:
  - default-pool, for system workloads.
  - spot-pool, where the helm-chart-synchronizer cronjob will run.
- Creates a Kubernetes Service Account (KSA) in the application namespace.
- Binds the GSA and KSA to leverage Workload Identity.
- Grants permissions to the GSA on Artifact Registry.
- Creates a Cloud Storage bucket to store the compliance reports generated by the SAST tools.
- Optionally builds and pushes the container image for the node-pool scaler application.
Usage:
./bootstrap.sh PROJECT_ID ZONE BILLING_ACCOUNT CLUSTER_NAME APP_NAME REPO_NAME [ --build-and-push-image [TAG] ]
Example:
./bootstrap.sh test-project us-east1-b A11BB-123ABCD-BCD321 cluster-1 helm-chart-synchronizer testrepo --build-and-push-image 1.0.0
If docker is installed on your workspace, this script will build and push the container image for the node-pool scaler application.
Usage:
./build.sh REPOSITORY_PATH IMAGE_NAME TAG
Example:
./build.sh us-east1-docker.pkg.dev/test-project/testrepo helm-chart-synchronizer 1.0.0