Add chart for SignalSciences agent (helm#8249)
* Add incubator chart for SignalSciences agent

Signed-off-by: Marc Campbell <[email protected]>

* Linting updates for the proposed SignalSciences incubator chart

Signed-off-by: Marc Campbell <[email protected]>

* Move from incubator -> stable

Signed-off-by: Marc Campbell <[email protected]>
marccampbell authored and k8s-ci-robot committed Oct 15, 2018
1 parent 382e147 commit 5dee285
Showing 9 changed files with 337 additions and 0 deletions.
21 changes: 21 additions & 0 deletions stable/signalsciences/.helmignore
@@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
15 changes: 15 additions & 0 deletions stable/signalsciences/Chart.yaml
@@ -0,0 +1,15 @@
name: signalsciences
home: https://signalsciences.com
icon: https://dashboard.signalsciences.net/static/images/logo-icon-color.svg
version: 0.0.1
appVersion: 3.12.1
description: SignalSciences is a web application firewall. This chart is the installable agent.
keywords:
- signalsciences
- signal-sciences
- sigsci
- agent
- firewall
- waf
sources:
- https://github.com/marccampbell/docker-sigsci
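Review bot: Chart.yaml has no `maintainers` list, so a chart that deploys a credential-holding agent to every node has no named owner to contact; add at least one entry with a name and email. The only `sources` entry is the repository for the image build, so it would also help to say in the README how that image relates to the vendor's agent release named in `appVersion`.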
79 changes: 79 additions & 0 deletions stable/signalsciences/README.md
@@ -0,0 +1,79 @@
# SignalSciences

[SignalSciences](https://www.signalsciences.com/) is a hosted web application firewall.

## Introduction

This chart adds the SignalSciences agent to all nodes in your cluster via a DaemonSet. This chart exposes a shared unix socket file on every node for your application code to connect to the agent with.

## Prerequisites

Kubernetes 1.4+.

## Installing the Chart

To install the chart with the release name `my-release`, retrieve your SignalSciences accessKeyId and secretAccessKey from your [Agent Installation Instructions](https://dashboard.signalsciences.net) and run:

```bash
$ helm install --name my-release \
--set signalsciences.accessKeyId=YOUR-ACCESS-KEY-ID \
--set signalsciences.secretAccessKey=YOUR-SECRET-ACCESS-KEY \
stable/signalsciences
```

After a few minutes, you should see the agent in your SignalSciences dashboard.

**Tip**: List all releases using `helm list`

## Uninstalling the Chart

To uninstall/delete the `my-release` deployment:

```bash
$ helm delete my-release
```

The command removes all the Kubernetes components associated with the chart and deletes the release.

## Configuration

The following table lists the configurable parameters of the SignalSciences chart and their default values.

| Parameter | Description | Default |
|------------------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------|
| `signalsciences.accessKeyId` | Your SignalSciences accessKeyId | `Nil` You must provide your own accessKeyId |
| `signalsciences.accessKeyIdExistingSecret` | If set, use the secret with a provided name instead of creating a new one | `nil` |
| `signalsciences.secretAccessKey` | Your SignalSciences secretAccessKey | `Nil` You must provide your own secretAccessKey |
| `signalsciences.secretAccessKeyExistingSecret` | If set, use the secret with a provided name instead of creating a new one | `nil` |
| `image.repository` | The image repository to pull from | `marc/sigsci-agent` |
| `image.tag` | The image tag to pull | `3.12.1` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `signalsciences.resources.requests.cpu` | CPU resource requests | `200m` |
| `signalsciences.resources.limits.cpu` | CPU resource limits | `200m` |
| `signalsciences.resources.requests.memory` | Memory resource requests | `256Mi` |
| `signalsciences.resources.limits.memory` | Memory resource limits | `256Mi` |
| `daemonset.podAnnotations` | Annotations to add to the DaemonSet's Pods | `nil` |
| `daemonset.tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `nil` |
| `daemonset.nodeSelector` | Node selectors | `nil` |
| `daemonset.affinity` | Node affinities | `nil` |
| `daemonset.updateStrategy` | Node affinities | `nil` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

```bash
$ helm install --name my-release \
--set signalsciences.accessKeyId=YOUR-ACCESS-KEY-ID,signalsciences.secretAccessKey=YOUR-SECRET-ACCESS-KEY \
stable/signalsciences
```

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

```bash
$ helm install --name my-release -f my-values.yaml stable/signalsciences
```

**Tip**: You can copy and customize the default [values.yaml](values.yaml)

### Secret

By default, this Chart creates two Secrets and puts the accessKeyId and secretAccessKey in those Secrets.
However, you can use manually created secret by setting the `sginalsciences.accessKeyIdExistingSecret` and `signalsciences.secretAccessKeyExistingSecret` values.
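Review bot: In the Secret section the value is misspelled as `sginalsciences.accessKeyIdExistingSecret`; a user who copies it sets a key the templates never read, so the chart still creates its own Secret instead of using the existing one. In the parameter table, the `daemonset.updateStrategy` row repeats the description "Node affinities" and gives `nil` as the default while daemonset.yaml falls back to `OnDelete`, and `daemonset.enabled`, `signalsciences.socketDir` and `signalsciences.socketFile` are used by the templates but not listed. A blank line is needed between the last table row and the "Specify each parameter" paragraph. Since both install examples pass `signalsciences.secretAccessKey` with `--set`, which puts the key on the command line, consider showing the existing-Secret route as the recommended one.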
24 changes: 24 additions & 0 deletions stable/signalsciences/templates/NOTES.txt
@@ -0,0 +1,24 @@
{{- if and ((or (.Values.signalsciences.accessKeyIdExistingSecret) (.Values.signalsciences.accessKeyId)) (or (.Values.signalsciences.accessKeyIdExistingSecret) (.Values.signalsciences.secretAccessKey))) }}
Signalsciences agents are spinning up on each node in your cluster. After a few
minutes, you should see your agents on the dashboard:

https://dashboard.signalsciences.net

{{- else }}
##############################################################################
#### ERROR: You did not set a signalsciences.accessKeyId or ####
##### signalsciences.secretAccessKey. ####
##############################################################################

This deployment will not be complete until you get your accessKeyId and your
secretAccessKey from https://dashboard.signalsciences.net.

Then run:

helm upgrade {{ .Release.Name }} \
--set signalsciences.accessKeyId=YOUR-ACCESSKEYID \
--set signalsciences.secretAccessKey=YOUR-SECRETACCESSKEY \
stable/signalsciences
{{- end }}


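Review bot: The second `or` in the opening `if` tests `.Values.signalsciences.accessKeyIdExistingSecret` again where `.Values.signalsciences.secretAccessKeyExistingSecret` is meant, so a release that supplies the secret key through an existing Secret and no inline `secretAccessKey` is judged on the wrong value. The doubled parentheses also group both `or` expressions into one operand for `and`; write it as `and (or <idExisting> <id>) (or <secretExisting> <secret>)`. The error banner should mention the two `...ExistingSecret` values as an alternative to the `--set` command it prints.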
39 changes: 39 additions & 0 deletions stable/signalsciences/templates/_helpers.tpl
@@ -0,0 +1,39 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "signalsciences.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "signalsciences.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Return secret name to be used based on provided values.
*/}}
{{- define "signalsciences.secretAccessKeySecretName" -}}
{{- $fullName := printf "%s-secretaccesskey" (include "signalsciences.fullname" .) -}}
{{- default $fullName .Values.signalsciences.secretAccessKeyExistingSecret | quote -}}
{{- end -}}

{{/*
Return secret name to be used based on provided values.
*/}}
{{- define "signalsciences.accessKeyIdSecretName" -}}
{{- $fullName := printf "%s-accesskeyid" (include "signalsciences.fullname" .) -}}
{{- default $fullName .Values.signalsciences.accessKeyIdExistingSecret | quote -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "signalsciences.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
16 changes: 16 additions & 0 deletions stable/signalsciences/templates/accesskeyid-secret.yaml
@@ -0,0 +1,16 @@
{{- if not .Values.signalsciences.accessKeyIdExistingSecret }}

apiVersion: v1
kind: Secret
metadata:
name: {{ template "signalsciences.accessKeyIdSecretName" . }}
labels:
app: "{{ template "signalsciences.fullname" . }}"
chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
type: Opaque
data:
accessKeyId: {{ default "MISSING" .Values.signalsciences.accessKeyId | b64enc | quote }}

{{- end }}
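Review bot: The labels on this Secret do not match the DaemonSet's: `app` is taken from `signalsciences.fullname` where daemonset.yaml uses `signalsciences.name`, and `chart` is assembled inline instead of through the `signalsciences.chart` helper that _helpers.tpl defines. Use the same helpers in every manifest so that one label selector on `app` and `release` finds the Secrets together with the pods when auditing or cleaning up a release.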
67 changes: 67 additions & 0 deletions stable/signalsciences/templates/daemonset.yaml
@@ -0,0 +1,67 @@
{{- if .Values.daemonset.enabled }}
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: {{ template "signalsciences.fullname" . }}
labels:
app: {{ template "signalsciences.name" . }}
chart: {{ template "signalsciences.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
template:
metadata:
labels:
app: {{ template "signalsciences.name" . }}
release: {{ .Release.Name }}
{{- if .Values.daemonset.podAnnotations }}
annotations:
{{ toYaml .Values.daemonset.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- if .Values.daemonset.tolerations }}
tolerations:
{{ toYaml .Values.daemonset.tolerations | indent 8 }}
{{- end }}
{{- if .Values.daemonset.affinity }}
affinity:
{{ toYaml .Values.daemonset.affinity | indent 8 }}
{{- end }}
{{- if .Values.daemonset.nodeSelector }}
nodeSelector:
{{ toYaml .Values.daemonset.nodeSelector | indent 8 }}
{{- end }}
volumes:
- name: var-run
hostPath:
path: {{ .Values.signalsciences.socketDir }}
containers:
- name: sigsci-agent
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- mountPath: {{ .Values.signalsciences.socketDir }}
name: var-run
readOnly: false
env:
- name: SIGSCI_RPC_ADDRESS
value: unix:{{ .Values.signalsciences.socketDir }}/{{ .Values.signalsciences.socketFile }}
- name: SIGSCI_HOSTNAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: SIGSCI_SECRETACCESSKEY
valueFrom:
secretKeyRef:
name: {{ template "signalsciences.secretAccessKeySecretName" . }}
key: secretAccessKey
- name: SIGSCI_ACCESSKEYID
valueFrom:
secretKeyRef:
name: {{ template "signalsciences.accessKeyIdSecretName" . }}
key: accessKeyId
resources:
{{ toYaml .Values.signalsciences.resources | indent 12 }}
updateStrategy:
type: {{ default "OnDelete" .Values.daemonset.updateStrategy | quote }}
{{- end }}
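Review bot: The whole manifest is guarded by `{{- if .Values.daemonset.enabled }}`, but values.yaml in this commit declares `daemonset: {}` and never sets `enabled`, so a default install renders no DaemonSet. Add `enabled: true` to the defaults or drop the guard. Separately, the `var-run` volume is a `hostPath` mounted with `readOnly: false` and the container declares no `securityContext`; since every node gets this pod, consider a restrictive `securityContext` (non-root if the image allows it) and document that `signalsciences.socketDir` is a writable directory on the host shared with application pods.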
16 changes: 16 additions & 0 deletions stable/signalsciences/templates/secretaccesskey-secret.yaml
@@ -0,0 +1,16 @@
{{- if not .Values.signalsciences.secretAccessKeyExistingSecret }}

apiVersion: v1
kind: Secret
metadata:
name: {{ template "signalsciences.secretAccessKeySecretName" . }}
labels:
app: "{{ template "signalsciences.fullname" . }}"
chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
type: Opaque
data:
secretAccessKey: {{ default "MISSING" .Values.signalsciences.secretAccessKey | b64enc | quote }}

{{- end }}
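Review bot: `default "MISSING"` on the `secretAccessKey` line means an install without the key still creates a Secret, and the DaemonSet then hands the literal string MISSING to the agent as `SIGSCI_SECRETACCESSKEY`. Failing at render time is clearer than a pod running with a placeholder credential: use Helm's `required` function with a message that names both `signalsciences.secretAccessKey` and `signalsciences.secretAccessKeyExistingSecret`. The same applies to the `accessKeyId` line in accesskeyid-secret.yaml.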
60 changes: 60 additions & 0 deletions stable/signalsciences/values.yaml
@@ -0,0 +1,60 @@
# Default values for signalsciences.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1

image:
repository: marc/sigsci-agent
tag: 3.12.1
pullPolicy: IfNotPresent

daemonset: {}
## Annotations to add to the DaemonSet's Pods
# podAnnotations:
# scheduler.alpha.kubernetes.io/tolerations: '[{"key": "example", "value": "foo"}]'

## Allow the DaemonSet to schedule on tainted nodes (requires Kubernetes >= 1.6)
# tolerations: []

## Allow the DaemonSet to schedule on selected nodes
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
# nodeSelector: {}

## Allow the DaemonSet to schedule ussing affinity rules
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# affinity: {}

## Allow the DaemonSet to perform a rolling update on helm update
## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
# updateStrategy: RollingUpdate

signalsciences:
## You'll need to set this to your agent accessKeyId before the agent will run
## ref: https://docs.signalsciences.net/install-guides/#step-1-agent-installation
##
# accessKeyId:

## Use existing Secret which stores accessKeyId instead of creating a new one
# accessKeyIdExistingSecret:

## You'll need to set this to your agent secretAccessKey before the agent will run
## ref: https://docs.signalsciences.net/install-guides/#step-1-agent-installation
# secretAccessKey:

## Use existing Secret which stores the secretAccessKey instead of creating a new one
# secretAccessKeyExistingSecret:

## Directory to mount and create the shared unix socket file for mdule installation
socketDir: /var/run/sigsci

## Filename of the shared socket file
socketFile: sigsci.sock

resources:
requests:
cpu: 200m
memory: 256Mi
limits:
cpu: 200m
memory: 256Mi
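Review bot: `image.repository: marc/sigsci-agent` is a personal registry namespace (Chart.yaml lists github.com/marccampbell/docker-sigsci as its source), and the container built from it receives both SignalSciences keys and a writable host directory on every node. Please document who builds and publishes the image and how a user can point `image.repository` at their own build. Smaller points: `replicaCount: 1` is not referenced by any template in this commit and can be removed, `daemonset: {}` lacks the `enabled` key that daemonset.yaml checks, and the comments contain the typos "ussing" and "mdule".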
