
Commit e6f29b9

Updating helm with config and updated image
Signed-off-by: Steve Springett <steve@springett.us>
1 parent 5d189fe commit e6f29b9

5 files changed

+309
-22
lines changed


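--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -275,7 +275,7 @@ jobs:
         id: meta
         uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
         with:
-          images: cyclonedx/assessors-studio
+          images: cyclonedx/cyclonedx-assessors-studio
           tags: |
             type=raw,value=${{ needs.validate.outputs.version }}
             type=raw,value=latest,enable=${{ inputs.prerelease == false }}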

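--- a/deploy/helm/assessors-studio/Chart.yaml
+++ b/deploy/helm/assessors-studio/Chart.yaml
@@ -9,7 +9,6 @@ keywords:
   - assessment
   - attestation
   - compliance
-  - sbom
 maintainers:
   - name: Steve Springett
-    email: steve@springett.us
+    email: steve.springett@owasp.org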

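--- a/deploy/helm/assessors-studio/templates/deployment.yaml
+++ b/deploy/helm/assessors-studio/templates/deployment.yaml
@@ -28,6 +28,7 @@ spec:
               containerPort: {{ .Values.service.port }}
               protocol: TCP
           env:
+            # ---- Core ------------------------------------------------------
             - name: NODE_ENV
               value: {{ .Values.config.nodeEnv | quote }}
             - name: PORT
@@ -38,8 +39,18 @@ spec:
               value: {{ .Values.config.corsOrigin | quote }}
             - name: JWT_EXPIRY
               value: {{ .Values.config.jwtExpiry | quote }}
+            {{- if .Values.config.appUrl }}
+            - name: APP_URL
+              value: {{ .Values.config.appUrl | quote }}
+            {{- end }}
+
+            # ---- Database --------------------------------------------------
             - name: DATABASE_PROVIDER
               value: {{ .Values.database.provider | quote }}
+            {{- if eq .Values.database.provider "pglite" }}
+            - name: PGLITE_DATA_DIR
+              value: {{ .Values.config.pgliteDataDir | quote }}
+            {{- end }}
             {{- if eq .Values.database.provider "postgres" }}
             {{- if .Values.database.bundled.enabled }}
             - name: DATABASE_URL
@@ -54,11 +65,134 @@ spec:
                   name: {{ .Values.database.external.existingSecret | default (printf "%s-db" (include "assessors-studio.fullname" .)) }}
                   key: {{ .Values.database.external.existingSecretPasswordKey }}
             {{- end }}
+
+            # ---- Auth (JWT) ------------------------------------------------
             - name: JWT_SECRET
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.secrets.jwtSecretName | default (printf "%s-secrets" (include "assessors-studio.fullname" .)) }}
                   key: {{ .Values.secrets.jwtSecretKey }}
+
+            # ---- Initial admin user ---------------------------------------
+            - name: ADMIN_USERNAME
+              value: {{ .Values.admin.username | quote }}
+            - name: ADMIN_EMAIL
+              value: {{ .Values.admin.email | quote }}
+            {{- if .Values.admin.displayName }}
+            - name: ADMIN_DISPLAY_NAME
+              value: {{ .Values.admin.displayName | quote }}
+            {{- end }}
+            - name: ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.admin.existingSecret | default (printf "%s-secrets" (include "assessors-studio.fullname" .)) }}
+                  key: {{ .Values.admin.existingSecretPasswordKey }}
+
+            # ---- Evidence storage -----------------------------------------
+            - name: STORAGE_PROVIDER
+              value: {{ .Values.storage.provider | quote }}
+            - name: UPLOAD_MAX_FILE_SIZE
+              value: {{ .Values.storage.uploadMaxFileSize | quote }}
+            {{- if eq .Values.storage.provider "s3" }}
+            - name: S3_BUCKET
+              value: {{ .Values.storage.s3.bucket | quote }}
+            - name: S3_REGION
+              value: {{ .Values.storage.s3.region | quote }}
+            {{- if .Values.storage.s3.endpoint }}
+            - name: S3_ENDPOINT
+              value: {{ .Values.storage.s3.endpoint | quote }}
+            {{- end }}
+            - name: S3_FORCE_PATH_STYLE
+              value: {{ .Values.storage.s3.forcePathStyle | quote }}
+            - name: S3_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.storage.s3.existingSecret | default (printf "%s-secrets" (include "assessors-studio.fullname" .)) }}
+                  key: {{ .Values.storage.s3.existingSecretAccessKeyIdKey }}
+            - name: S3_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.storage.s3.existingSecret | default (printf "%s-secrets" (include "assessors-studio.fullname" .)) }}
+                  key: {{ .Values.storage.s3.existingSecretSecretAccessKeyKey }}
+            {{- end }}
+
+            # ---- Webhook channel ------------------------------------------
+            - name: WEBHOOK_ENABLED
+              value: {{ .Values.notifications.webhook.enabled | quote }}
+            - name: WEBHOOK_TIMEOUT
+              value: {{ .Values.notifications.webhook.timeout | quote }}
+            - name: WEBHOOK_MAX_RETRIES
+              value: {{ .Values.notifications.webhook.maxRetries | quote }}
+            - name: WEBHOOK_DELIVERY_RETENTION_DAYS
+              value: {{ .Values.notifications.webhook.deliveryRetentionDays | quote }}
+
+            # ---- SMTP channel ---------------------------------------------
+            - name: SMTP_ENABLED
+              value: {{ .Values.notifications.smtp.enabled | quote }}
+            {{- if .Values.notifications.smtp.enabled }}
+            - name: SMTP_HOST
+              value: {{ .Values.notifications.smtp.host | quote }}
+            - name: SMTP_PORT
+              value: {{ .Values.notifications.smtp.port | quote }}
+            - name: SMTP_SECURE
+              value: {{ .Values.notifications.smtp.secure | quote }}
+            {{- if .Values.notifications.smtp.user }}
+            - name: SMTP_USER
+              value: {{ .Values.notifications.smtp.user | quote }}
+            - name: SMTP_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.notifications.smtp.existingSecret | default (printf "%s-secrets" (include "assessors-studio.fullname" .)) }}
+                  key: {{ .Values.notifications.smtp.existingSecretPasswordKey }}
+            {{- end }}
+            {{- if .Values.notifications.smtp.from }}
+            - name: SMTP_FROM
+              value: {{ .Values.notifications.smtp.from | quote }}
+            {{- end }}
+            - name: SMTP_TLS_REJECT_UNAUTHORIZED
+              value: {{ .Values.notifications.smtp.tlsRejectUnauthorized | quote }}
+            {{- end }}
+
+            # ---- Chat channels --------------------------------------------
+            - name: SLACK_ENABLED
+              value: {{ .Values.notifications.chat.slackEnabled | quote }}
+            - name: TEAMS_ENABLED
+              value: {{ .Values.notifications.chat.teamsEnabled | quote }}
+            - name: MATTERMOST_ENABLED
+              value: {{ .Values.notifications.chat.mattermostEnabled | quote }}
+            - name: CHAT_TIMEOUT
+              value: {{ .Values.notifications.chat.timeout | quote }}
+            - name: CHAT_DELIVERY_RETENTION_DAYS
+              value: {{ .Values.notifications.chat.deliveryRetentionDays | quote }}
+
+            # ---- Prometheus metrics ---------------------------------------
+            - name: METRICS_ENABLED
+              value: {{ .Values.metrics.enabled | quote }}
+            {{- if .Values.metrics.enabled }}
+            - name: METRICS_PREFIX
+              value: {{ .Values.metrics.prefix | quote }}
+            - name: METRICS_DOMAIN_REFRESH_INTERVAL
+              value: {{ .Values.metrics.domainRefreshInterval | quote }}
+            {{- if or .Values.metrics.existingSecret .Values.metrics.token }}
+            - name: METRICS_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.metrics.existingSecret | default (printf "%s-secrets" (include "assessors-studio.fullname" .)) }}
+                  key: {{ .Values.metrics.existingSecretTokenKey }}
+            {{- end }}
+            {{- end }}
+
+            # ---- Encryption at rest ---------------------------------------
+            - name: REQUIRE_ENCRYPTION
+              value: {{ .Values.encryption.require | quote }}
+            {{- if or .Values.encryption.existingSecret .Values.encryption.masterKey }}
+            - name: MASTER_ENCRYPTION_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.encryption.existingSecret | default (printf "%s-secrets" (include "assessors-studio.fullname" .)) }}
+                  key: {{ .Values.encryption.existingSecretMasterKeyKey }}
+            {{- end }}
+
           {{- with .Values.securityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}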
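Review bot: `REQUIRE_ENCRYPTION` (new line 186) is injected unconditionally, but `MASTER_ENCRYPTION_KEY` (new lines 188-194) is only injected when `encryption.existingSecret` or `encryption.masterKey` is set, so a release with `encryption.require: true` and no key renders cleanly and only fails — or, depending on how the application treats a missing key, runs without encryption — once the pod starts. Fail at template time instead, ahead of the `REQUIRE_ENCRYPTION` entry: `{{- if and .Values.encryption.require (not (or .Values.encryption.existingSecret .Values.encryption.masterKey)) }}{{- fail "encryption.require is true but neither encryption.masterKey nor encryption.existingSecret is set" }}{{- end }}`. The same shape applies to `METRICS_TOKEN` (new lines 176-182): with `metrics.enabled: true` and no token the variable is silently omitted, and whether the metrics endpoint is then served unauthenticated is not visible from the chart, so a one-line comment above line 176 stating the intended behaviour (e.g. `# METRICS_TOKEN is optional; without it the application decides whether /metrics is open`) would help operators. The container spec this `env` block belongs to starts before the first hunk.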
Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
{{/*
2+
Generate the default chart-managed secret when the operator has not supplied
3+
pre-existing Kubernetes secrets for these values. Production deployments should
4+
reference externally-managed secrets via the *.existingSecret values instead.
5+
*/}}
6+
{{- $fullname := include "assessors-studio.fullname" . -}}
7+
{{- $defaultSecretName := printf "%s-secrets" $fullname -}}
8+
9+
{{- $needsJwt := not .Values.secrets.jwtSecretName -}}
10+
{{- $needsAdmin := not .Values.admin.existingSecret -}}
11+
{{- $needsSmtp := and .Values.notifications.smtp.enabled .Values.notifications.smtp.user (not .Values.notifications.smtp.existingSecret) -}}
12+
{{- $needsMetrics := and .Values.metrics.enabled .Values.metrics.token (not .Values.metrics.existingSecret) -}}
13+
{{- $needsEncryption := and .Values.encryption.masterKey (not .Values.encryption.existingSecret) -}}
14+
{{- $needsS3 := and (eq .Values.storage.provider "s3") (not .Values.storage.s3.existingSecret) -}}
15+
16+
{{- if or $needsJwt $needsAdmin $needsSmtp $needsMetrics $needsEncryption $needsS3 }}
17+
apiVersion: v1
18+
kind: Secret
19+
metadata:
20+
name: {{ $defaultSecretName }}
21+
labels:
22+
{{- include "assessors-studio.labels" . | nindent 4 }}
23+
type: Opaque
24+
stringData:
25+
{{- if $needsJwt }}
26+
{{- if not .Values.secrets.jwtSecret }}
27+
{{- fail "secrets.jwtSecret must be set (>= 32 chars) or provide secrets.jwtSecretName pointing to an existing secret" }}
28+
{{- end }}
29+
{{ .Values.secrets.jwtSecretKey }}: {{ .Values.secrets.jwtSecret | quote }}
30+
{{- end }}
31+
{{- if $needsAdmin }}
32+
{{- if not .Values.admin.password }}
33+
{{- fail "admin.password must be set (>= 8 chars) or provide admin.existingSecret pointing to an existing secret" }}
34+
{{- end }}
35+
{{ .Values.admin.existingSecretPasswordKey }}: {{ .Values.admin.password | quote }}
36+
{{- end }}
37+
{{- if $needsSmtp }}
38+
{{- if not .Values.notifications.smtp.password }}
39+
{{- fail "notifications.smtp.password must be set or provide notifications.smtp.existingSecret" }}
40+
{{- end }}
41+
{{ .Values.notifications.smtp.existingSecretPasswordKey }}: {{ .Values.notifications.smtp.password | quote }}
42+
{{- end }}
43+
{{- if $needsMetrics }}
44+
{{ .Values.metrics.existingSecretTokenKey }}: {{ .Values.metrics.token | quote }}
45+
{{- end }}
46+
{{- if $needsEncryption }}
47+
{{ .Values.encryption.existingSecretMasterKeyKey }}: {{ .Values.encryption.masterKey | quote }}
48+
{{- end }}
49+
{{- if $needsS3 }}
50+
{{- if or (not .Values.storage.s3.accessKeyId) (not .Values.storage.s3.secretAccessKey) }}
51+
{{- fail "storage.s3.accessKeyId and storage.s3.secretAccessKey must be set or provide storage.s3.existingSecret" }}
52+
{{- end }}
53+
{{ .Values.storage.s3.existingSecretAccessKeyIdKey }}: {{ .Values.storage.s3.accessKeyId | quote }}
54+
{{ .Values.storage.s3.existingSecretSecretAccessKeyKey }}: {{ .Values.storage.s3.secretAccessKey | quote }}
55+
{{- end }}
56+
{{- end }}
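Review bot: The `fail` messages at new lines 27 and 33 promise minimum lengths (>= 32 chars for `secrets.jwtSecret`, >= 8 for `admin.password`) that the guards do not enforce — both only test for presence, so a one-character JWT signing secret or admin password renders cleanly and is then persisted in the chart-managed Secret. Check the length rather than truthiness, e.g. `{{- if lt (len (.Values.secrets.jwtSecret | default "")) 32 }}` and `{{- if lt (len (.Values.admin.password | default "")) 8 }}`; an unset value has length 0, so the existing messages still fire. Separately, `$needsS3` at new line 14 hard-fails unless static `accessKeyId`/`secretAccessKey` are supplied, which rules out pod- or node-identity credentials for S3 backends that support them; consider gating the static-credential entries on an explicit value so they become optional. The file header for this section is not shown on the page, so the template path is inferred from its content.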
