diff --git a/.gitignore b/.gitignore
index 87752ac85..ec2db762a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -37,6 +37,7 @@ mysqldata/
 # test helm charts
 helm-temp
+charts/fleet/charts
 #editors
 .idea
diff --git a/charts/example-skaffold.yaml b/charts/example-skaffold.yaml
new file mode 100644
index 000000000..465164861
--- /dev/null
+++ b/charts/example-skaffold.yaml
@@ -0,0 +1,35 @@
+apiVersion: skaffold/v2beta28
+kind: Config
+deploy:
+ helm:
+ releases:
+ - name: fleet
+ imageStrategy:
+ helm: {}
+ chartPath: ./fleet
+ valuesFiles:
+ - ./fleet/values.yaml
+ recreatePods: false
+ setValues:
+ image.pullPolicy: Never
+ imageTag: main
+ replicas: 1
+ hostName: fleet.example.com
+ database.secretName: fleet-mysql
+ database.address: fleet-mysql:3306
+ cache.secretName: fleet-redis
+ cache.address: fleet-redis-master:6379
+ ingress.enabled: true
+ ingress.hosts[0].host: fleet.example.com
+ ingress.tls[0].secretName: fleet-web-tls
+ ingress.tls[0].hosts: ["fleet.example.com"]
+ fleet.tls.enabled: false
+ mysql.enabled: true
+ mysql.auth.username: fleet
+ mysql.auth.database: fleet
+ mysql.primary.livenessProbe.enabled: false
+ mysql.primary.readinessProbe.enabled: false
+ mysql.primary.startupProbe.enabled: false
+ redis.enabled: true
+ redis.architecture: standalone
+ redis.auth.enabled: false
diff --git a/charts/fleet/Chart.yaml b/charts/fleet/Chart.yaml
index 7166517e0..f4e370895 100644
--- a/charts/fleet/Chart.yaml
+++ b/charts/fleet/Chart.yaml
@@ -4,8 +4,17 @@ name: fleet
 keywords:
 - fleet
 - osquery
-version: v5.0.1
+version: v6.0.1
 home: https://github.com/fleetdm/fleet
 sources:
 - https://github.com/fleetdm/fleet.git
 appVersion: v4.40.0
+dependencies:
+- name: mysql
+ condition: mysql.enabled
+ version: 9.12.5
+ repository: https://charts.bitnami.com/bitnami
+- name: redis
+ condition: redis.enabled
+ version: 18.1.6
+ repository: https://charts.bitnami.com/bitnami
\ No newline at end of file
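Review bot: The new `charts/fleet/charts` ignore rule covers the very directory in which this same commit checks in `mysql-9.12.5.tgz` and `redis-18.1.6.tgz`; Git keeps tracking the archives that are already added, but the next `helm dependency update` that drops a newer version into that directory will be silently skipped by `git add`, so the vendored archives and the `digest:` in the lock file can drift apart without anyone noticing. Pick one model: either un-ignore the archives (`!charts/fleet/charts/*.tgz`) and keep vendoring them, or stop committing them and have CI run `helm dependency build` from the lock file. If the ignore is intentional, a comment next to it, `# subchart archives are committed on purpose; run helm dependency update and git add -f after bumping Chart.yaml`, would save the next person a confused bisect.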
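Review bot: The new example disables every safeguard it could have left on — `redis.auth.enabled: false`, `fleet.tls.enabled: false`, `image.pullPolicy: Never`, a floating `imageTag: main`, and all three MySQL probes — but carries no comment saying this is a local-development profile, so it reads like a reference deployment. Add a header at the top of the file such as `# Local development profile only: Redis runs without auth, Fleet serves plain HTTP behind the ingress, the image is never pulled, and MySQL probes are off. Do not reuse these setValues in a cluster reachable by anyone else; pin imageTag to a release for real deployments.` Whether the skaffold file is also consumed by CI is not visible here, so the comment should say who is expected to run it.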
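Review bot: The `dependencies:` block is added to `Chart.yaml`, yet the lock file committed with it is named `requirements.lock`; Helm 3 writes `Chart.lock` for charts that declare dependencies in `Chart.yaml` and only honours `requirements.lock` for the legacy `requirements.yaml` layout, so unless this chart is still `apiVersion: v1` (the `apiVersion` line is outside the hunk) the `digest:` in the lock file will not be verified by `helm dependency build` and the two `version:` pins here are the only thing holding the supply chain. Please confirm which lock file `helm dependency update` actually produces for this chart and commit that one. The file also now ends without a trailing newline (`\ No newline at end of file`), which yamllint flags; terminating the last `repository:` line fixes it.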
diff --git a/charts/fleet/charts/mysql-9.12.5.tgz b/charts/fleet/charts/mysql-9.12.5.tgz
new file mode 100644
index 000000000..0aa4a2f28
Binary files /dev/null and b/charts/fleet/charts/mysql-9.12.5.tgz differ
diff --git a/charts/fleet/charts/redis-18.1.6.tgz b/charts/fleet/charts/redis-18.1.6.tgz
new file mode 100644
index 000000000..592718114
Binary files /dev/null and b/charts/fleet/charts/redis-18.1.6.tgz differ
diff --git a/charts/fleet/requirements.lock b/charts/fleet/requirements.lock
new file mode 100644
index 000000000..ae29fe7f2
--- /dev/null
+++ b/charts/fleet/requirements.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: mysql
+ repository: https://charts.bitnami.com/bitnami
+ version: 9.12.5
+- name: redis
+ repository: https://charts.bitnami.com/bitnami
+ version: 18.1.6
+digest: sha256:f0b4e3397c22afafde5a56c3a78beecf72c2604ae5bdcad83c5ce9920fd2ea9a
+generated: "2023-10-20T12:53:32.721448425-05:00"
diff --git a/charts/fleet/templates/deployment.yaml b/charts/fleet/templates/deployment.yaml
index 0706930c8..9ad00c5a0 100644
--- a/charts/fleet/templates/deployment.yaml
+++ b/charts/fleet/templates/deployment.yaml
@@ -99,52 +99,52 @@ spec:
 ## END FLEET SECTION
 ## BEGIN MYSQL SECTION
 - name: FLEET_MYSQL_ADDRESS
- value: "{{ .Values.mysql.address }}"
+ value: "{{ .Values.database.address }}"
 - name: FLEET_MYSQL_DATABASE
- value: "{{ .Values.mysql.database }}"
+ value: "{{ .Values.database.database }}"
 - name: FLEET_MYSQL_USERNAME
- value: "{{ .Values.mysql.username }}"
+ value: "{{ .Values.database.username }}"
 - name: FLEET_MYSQL_PASSWORD
 valueFrom:
 secretKeyRef:
- name: {{ .Values.mysql.secretName }}
- key: {{ .Values.mysql.passwordKey }}
+ name: {{ .Values.database.secretName }}
+ key: {{ .Values.database.passwordKey }}
 - name: FLEET_MYSQL_MAX_OPEN_CONNS
- value: "{{ .Values.mysql.maxOpenConns }}"
+ value: "{{ .Values.database.maxOpenConns }}"
 - name: FLEET_MYSQL_MAX_IDLE_CONNS
- value: "{{ .Values.mysql.maxIdleConns }}"
+ value: "{{ .Values.database.maxIdleConns }}"
 - name: FLEET_MYSQL_CONN_MAX_LIFETIME
- value: "{{ .Values.mysql.connMaxLifetime }}"
- {{- if .Values.mysql.tls.enabled }}
- {{- if .Values.mysql.tls.caCertKey }}
+ value: "{{ .Values.database.connMaxLifetime }}"
+ {{- if .Values.database.tls.enabled }}
+ {{- if .Values.database.tls.caCertKey }}
 - name: FLEET_MYSQL_TLS_CA
- value: "/secrets/mysql/{{ .Values.mysql.tls.caCertKey }}"
+ value: "/secrets/mysql/{{ .Values.database.tls.caCertKey }}"
 {{- end }}
- {{- if .Values.mysql.tls.certKey }}
+ {{- if .Values.database.tls.certKey }}
 - name: FLEET_MYSQL_TLS_CERT
- value: "/secrets/mysql/{{ .Values.mysql.tls.certKey }}"
+ value: "/secrets/mysql/{{ .Values.database.tls.certKey }}"
 {{- end }}
- {{- if .Values.mysql.tls.keyKey }}
+ {{- if .Values.database.tls.keyKey }}
 - name: FLEET_MYSQL_TLS_KEY
- value: "/secrets/mysql/{{ .Values.mysql.tls.keyKey }}"
+ value: "/secrets/mysql/{{ .Values.database.tls.keyKey }}"
 {{- end }}
 - name: FLEET_MYSQL_TLS_CONFIG
- value: "{{ .Values.mysql.tls.config }}"
+ value: "{{ .Values.database.tls.config }}"
 - name: FLEET_MYSQL_TLS_SERVER_NAME
- value: "{{ .Values.mysql.tls.serverName }}"
+ value: "{{ .Values.database.tls.serverName }}"
 {{- end }}
 ## END MYSQL SECTION
 ## BEGIN REDIS SECTION
 - name: FLEET_REDIS_ADDRESS
- value: "{{ .Values.redis.address }}"
+ value: "{{ .Values.cache.address }}"
 - name: FLEET_REDIS_DATABASE
- value: "{{ .Values.redis.database }}"
- {{- if .Values.redis.usePassword }}
+ value: "{{ .Values.cache.database }}"
+ {{- if .Values.cache.usePassword }}
 - name: FLEET_REDIS_PASSWORD
 valueFrom:
 secretKeyRef:
- name: "{{ .Values.redis.secretName }}"
- key: "{{ .Values.redis.passwordKey }}"
+ name: "{{ .Values.cache.secretName }}"
+ key: "{{ .Values.cache.passwordKey }}"
 {{- end }}
 ## END REDIS SECTION
 ## BEGIN OSQUERY SECTION
@@ -290,7 +290,7 @@ spec:
 {{- if .Values.fleet.tls.enabled }}
 scheme: HTTPS
 {{- end }}
- {{- if or (.Values.fleet.tls.enabled) (.Values.mysql.tls.enabled) (eq .Values.osquery.logging.statusPlugin "filesystem") (eq .Values.osquery.logging.resultPlugin "filesystem") }}
+ {{- if or (.Values.fleet.tls.enabled) (.Values.database.tls.enabled) (eq .Values.osquery.logging.statusPlugin "filesystem") (eq .Values.osquery.logging.resultPlugin "filesystem") }}
 volumeMounts:
 - name: tmp
 mountPath: /tmp
@@ -299,7 +299,7 @@ spec:
 readOnly: true
 mountPath: /secrets/tls
 {{- end }}
- {{- if .Values.mysql.tls.enabled }}
+ {{- if .Values.database.tls.enabled }}
 - name: mysql-tls
 readOnly: true
 mountPath: /secrets/mysql
@@ -340,7 +340,7 @@ spec:
 hostNetwork: false
 hostIPC: false
 serviceAccountName: fleet
- {{- if or (.Values.fleet.tls.enabled) (.Values.mysql.tls.enabled) (eq .Values.osquery.logging.statusPlugin "filesystem") (eq .Values.osquery.logging.resultPlugin "filesystem") }}
+ {{- if or (.Values.fleet.tls.enabled) (.Values.database.tls.enabled) (eq .Values.osquery.logging.statusPlugin "filesystem") (eq .Values.osquery.logging.resultPlugin "filesystem") }}
 volumes:
 - name: tmp
 emptyDir:
@@ -353,10 +353,10 @@ spec:
 secretName: "{{ .Values.fleet.secretName }}"
 {{- end }}
 {{- end }}
- {{- if .Values.mysql.tls.enabled }}
+ {{- if .Values.database.tls.enabled }}
 - name: mysql-tls
 secret:
- secretName: "{{ .Values.mysql.secretName }}"
+ secretName: "{{ .Values.database.secretName }}"
 {{- end }}
 {{- if or (eq .Values.osquery.logging.statusPlugin "filesystem") (eq .Values.osquery.logging.resultPlugin "filesystem") }}
 - name: osquery-logs
diff --git a/charts/fleet/templates/job-migration.yaml b/charts/fleet/templates/job-migration.yaml
index bd9444c8c..afb2346a3 100644
--- a/charts/fleet/templates/job-migration.yaml
+++ b/charts/fleet/templates/job-migration.yaml
@@ -10,9 +10,13 @@ metadata:
 name: fleet-migration
 namespace: {{ .Release.Namespace }}
 annotations:
+ {{- if .Values.mysql.enabled }}
+ {}
+ {{- else }}
 "helm.sh/hook": pre-install,pre-upgrade
 "helm.sh/hook-weight": "1"
 "helm.sh/hook-delete-policy": hook-succeeded
+ {{- end }}
 spec:
 template:
 metadata:
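Review bot: When `mysql.enabled` is true the migration Job loses its hook annotations and becomes an ordinary release resource, so it runs once at install and is never re-run: on the next `helm upgrade` Helm will try to patch the existing Job, a Job's `spec.template` is immutable, so an image tag change is likely to fail the upgrade, and a Fleet version that needs a schema migration will otherwise start against an unmigrated database. If the hooks were dropped because `pre-install` fires before the subchart's MySQL exists, keep them and only move the install phase: `"helm.sh/hook": {{ ternary "post-install,pre-upgrade" "pre-install,pre-upgrade" .Values.mysql.enabled | quote }}` together with `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` so a failed run does not block the retry. That also removes the `{}` placeholder under `annotations:`, which only renders as valid YAML because of the `{{-` whitespace trim on the line above it.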
@@ -73,39 +77,39 @@ spec:
 ## END FLEET SECTION
 ## BEGIN MYSQL SECTION
 - name: FLEET_MYSQL_ADDRESS
- value: "{{ .Values.mysql.address }}"
+ value: "{{ .Values.database.address }}"
 - name: FLEET_MYSQL_DATABASE
- value: "{{ .Values.mysql.database }}"
+ value: "{{ .Values.database.database }}"
 - name: FLEET_MYSQL_USERNAME
- value: "{{ .Values.mysql.username }}"
+ value: "{{ .Values.database.username }}"
 - name: FLEET_MYSQL_PASSWORD
 valueFrom:
 secretKeyRef:
- name: {{ .Values.mysql.secretName }}
- key: {{ .Values.mysql.passwordKey }}
+ name: {{ .Values.database.secretName }}
+ key: {{ .Values.database.passwordKey }}
 - name: FLEET_MYSQL_MAX_OPEN_CONNS
- value: "{{ .Values.mysql.maxOpenConns }}"
+ value: "{{ .Values.database.maxOpenConns }}"
 - name: FLEET_MYSQL_MAX_IDLE_CONNS
- value: "{{ .Values.mysql.maxIdleConns }}"
+ value: "{{ .Values.database.maxIdleConns }}"
 - name: FLEET_MYSQL_CONN_MAX_LIFETIME
- value: "{{ .Values.mysql.connMaxLifetime }}"
- {{- if .Values.mysql.tls.enabled }}
- {{- if .Values.mysql.tls.caCertKey }}
+ value: "{{ .Values.database.connMaxLifetime }}"
+ {{- if .Values.database.tls.enabled }}
+ {{- if .Values.database.tls.caCertKey }}
 - name: FLEET_MYSQL_TLS_CA
- value: "/secrets/mysql/{{ .Values.mysql.tls.caCertKey }}"
+ value: "/secrets/mysql/{{ .Values.database.tls.caCertKey }}"
 {{- end }}
- {{- if .Values.mysql.tls.certKey }}
+ {{- if .Values.database.tls.certKey }}
 - name: FLEET_MYSQL_TLS_CERT
- value: "/secrets/mysql/{{ .Values.mysql.tls.certKey }}"
+ value: "/secrets/mysql/{{ .Values.database.tls.certKey }}"
 {{- end }}
- {{- if .Values.mysql.tls.keyKey }}
+ {{- if .Values.database.tls.keyKey }}
 - name: FLEET_MYSQL_TLS_KEY
- value: "/secrets/mysql/{{ .Values.mysql.tls.keyKey }}"
+ value: "/secrets/mysql/{{ .Values.database.tls.keyKey }}"
 {{- end }}
 - name: FLEET_MYSQL_TLS_CONFIG
- value: "{{ .Values.mysql.tls.config }}"
+ value: "{{ .Values.database.tls.config }}"
 - name: FLEET_MYSQL_TLS_SERVER_NAME
- value: "{{ .Values.mysql.tls.serverName }}"
+ value: "{{ .Values.database.tls.serverName }}"
 {{- end }}
 ## END MYSQL SECTION
 securityContext:
@@ -118,16 +122,16 @@ spec:
 runAsUser: 3333
 runAsNonRoot: true
 volumeMounts:
- {{- if .Values.mysql.tls.enabled }}
+ {{- if .Values.database.tls.enabled }}
 - name: mysql-tls
 readOnly: true
 mountPath: /secrets/mysql
 {{- end }}
 volumes:
- {{- if .Values.mysql.tls.enabled }}
+ {{- if .Values.database.tls.enabled }}
 - name: mysql-tls
 secret:
- secretName: "{{ .Values.mysql.secretName }}"
+ secretName: "{{ .Values.database.secretName }}"
 {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
diff --git a/charts/fleet/templates/rbac.yaml b/charts/fleet/templates/rbac.yaml
index 2f2510bee..fc689d1a2 100644
--- a/charts/fleet/templates/rbac.yaml
+++ b/charts/fleet/templates/rbac.yaml
@@ -14,8 +14,8 @@ rules:
 resources:
 - secrets
 resourceNames:
- - {{ .Values.mysql.secretName }}
- - {{ .Values.redis.secretName }}
+ - {{ .Values.database.secretName }}
+ - {{ .Values.cache.secretName }}
 - {{ .Values.fleet.secretName }}
 - {{ .Values.osquery.secretName }}
 verbs:
diff --git a/charts/fleet/values.yaml b/charts/fleet/values.yaml
index f557b75f9..757f1828b 100644
--- a/charts/fleet/values.yaml
+++ b/charts/fleet/values.yaml
@@ -39,17 +39,19 @@ ingress:
 enabled: false
 className: ""
 annotations: {}
- # kubernetes.io/ingress.class: nginx
 # kubernetes.io/tls-acme: "true"
+ # nginx.ingress.kubernetes.io/proxy-body-size: 10m
+ # kubernetes.io/ingress.class: nginx
+ # cert-manager.io/cluster-issuer: letsencrypt
 hosts:
 - host: chart-example.local
 paths:
 - path: /
 pathType: ImplementationSpecific
- tls: []
- # - secretName: chart-example-tls
- # hosts:
- # - chart-example.local
+ tls:
+ - secretName: chart-example-tls
+ hosts:
+ - chart-example.local
 ## Section: Fleet
 # All of the settings relating to configuring the Fleet server
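Review bot: `ingress.tls` now defaults to a live entry for `chart-example-tls` / `chart-example.local` instead of the commented example it replaces, so anyone who sets `ingress.enabled: true` and overrides only `ingress.hosts` gets an Ingress that references a Secret that does not exist and a TLS host that matches nothing; ingress-nginx, for one, then answers with its self-signed fallback certificate, and that is easy to mistake for a cert-manager delay rather than a wrong values file. Revert to `tls: []` and keep the example as the three commented lines it was, or at minimum add `# must be overridden together with ingress.hosts when ingress.enabled is true` above the key. The fact that `charts/example-skaffold.yaml` has to override both `ingress.tls[0].secretName` and `ingress.tls[0].hosts` explicitly suggests the default was never meant to be used as-is.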
@@ -146,9 +148,9 @@ osquery:
 statusTopic: ""
 resultTopic: ""
-## Section: MySQL
+## Section: database
 # All of the connection settings for MySQL
-mysql:
+database:
 # Name of the Secret resource containing MySQL password and TLS secrets
 secretName: mysql
 address: 127.0.0.1:3306
@@ -168,9 +170,9 @@ mysql:
 config: ""
 serverName: ""
-## Section: Redis
+## Section: cache
 # All of the connection settings for Redis
-redis:
+cache:
 address: 127.0.0.1:6379
 database: "0"
 usePassword: false
@@ -204,3 +206,9 @@ environments:
 FLEET_MDM_APPLE_APNS_KEY_BYTES: ""
 FLEET_MDM_APPLE_SCEP_CERT_BYTES: ""
 FLEET_MDM_APPLE_SCEP_KEY_BYTES: ""
+
+mysql:
+ enabled: false
+
+redis:
+ enabled: false
diff --git a/tools/ci/helm-values/custom-annotations.yaml b/tools/ci/helm-values/custom-annotations.yaml
index 80c134c68..1ebb02ab2 100644
--- a/tools/ci/helm-values/custom-annotations.yaml
+++ b/tools/ci/helm-values/custom-annotations.yaml
@@ -100,7 +100,7 @@ osquery:
 ## Section: MySQL
 # All of the connection settings for MySQL
-mysql:
+database:
 # Name of the Secret resource containing MySQL password and TLS secrets
 secretName: mysql
 address: 127.0.0.1:3306
@@ -120,7 +120,7 @@ mysql:
 ## Section: Redis
 # All of the connection settings for Redis
-redis:
+cache:
 address: 127.0.0.1:6379
 database: "0"
 usePassword: false
diff --git a/tools/ci/helm-values/disable-fleet-tls.yaml b/tools/ci/helm-values/disable-fleet-tls.yaml
index a67d1a117..c2c44171d 100644
--- a/tools/ci/helm-values/disable-fleet-tls.yaml
+++ b/tools/ci/helm-values/disable-fleet-tls.yaml
@@ -97,7 +97,7 @@ osquery:
 ## Section: MySQL
 # All of the connection settings for MySQL
-mysql:
+database:
 # Name of the Secret resource containing MySQL password and TLS secrets
 secretName: mysql
 address: 127.0.0.1:3306
@@ -117,7 +117,7 @@ mysql:
 ## Section: Redis
 # All of the connection settings for Redis
-redis:
+cache:
 address: 127.0.0.1:6379
 database: "0"
 usePassword: false
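Review bot: Renaming the values key from `mysql` to `database` has no guard, so an existing values file that still sets `mysql.address` / `mysql.secretName` renders without error and Fleet silently falls back to the defaults shown here — `127.0.0.1:3306` and a Secret named `mysql` — while the stale `mysql:` block is now interpreted as subchart configuration. Since `.Values.mysql` still exists as a map in the new layout, a one-line check in `templates/deployment.yaml` (or a `_helpers.tpl`) catches this at render time: `{{- if hasKey .Values.mysql "address" }}{{ fail "values key 'mysql' was renamed to 'database' in chart v6; move the MySQL connection settings under 'database'" }}{{- end }}`. The `## Section: database` header is also the natural place to note the chart version that introduced the rename, since the `version: v6.0.1` bump is the only signal of the breaking change.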
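Review bot: `mysql.enabled` / `redis.enabled` switch the Bitnami subcharts on, but nothing in the chart wires their generated Secret and Service back into `database.*` / `cache.*`: the caller has to set `database.secretName`, `database.address`, `cache.address` and the subchart's own `auth.username` / `auth.database` by hand (as `charts/example-skaffold.yaml` does), and `database.passwordKey` has to equal the key name the subchart writes into its Secret or the Fleet pod fails on `FLEET_MYSQL_PASSWORD`. A comment above these two keys should say so, e.g. `# Deploy MySQL/Redis from the bundled Bitnami subcharts. Enabling them does not configure Fleet: set database.secretName/address, database.passwordKey and cache.address to the subchart's Secret and Service (see charts/example-skaffold.yaml).` Whether the current `passwordKey` default matches the subchart's Secret key is not visible in this hunk, so please verify it before pointing users at the example.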
diff --git a/tools/ci/helm-values/enable-cloudsql-proxy.yaml b/tools/ci/helm-values/enable-cloudsql-proxy.yaml
index b1525c244..807a4cb39 100644
--- a/tools/ci/helm-values/enable-cloudsql-proxy.yaml
+++ b/tools/ci/helm-values/enable-cloudsql-proxy.yaml
@@ -97,7 +97,7 @@ osquery:
 ## Section: MySQL
 # All of the connection settings for MySQL
-mysql:
+database:
 # Name of the Secret resource containing MySQL password and TLS secrets
 secretName: mysql
 address: 127.0.0.1:3306
@@ -117,7 +117,7 @@ mysql:
 ## Section: Redis
 # All of the connection settings for Redis
-redis:
+cache:
 address: 127.0.0.1:6379
 database: "0"
 usePassword: false
diff --git a/tools/ci/helm-values/enable-mysql-tls.yaml b/tools/ci/helm-values/enable-mysql-tls.yaml
index d8b4875e9..73aadcceb 100644
--- a/tools/ci/helm-values/enable-mysql-tls.yaml
+++ b/tools/ci/helm-values/enable-mysql-tls.yaml
@@ -97,7 +97,7 @@ osquery:
 ## Section: MySQL
 # All of the connection settings for MySQL
-mysql:
+database:
 # Name of the Secret resource containing MySQL password and TLS secrets
 secretName: mysql
 address: 127.0.0.1:3306
@@ -117,7 +117,7 @@ mysql:
 ## Section: Redis
 # All of the connection settings for Redis
-redis:
+cache:
 address: 127.0.0.1:6379
 database: "0"
 usePassword: false
diff --git a/tools/ci/helm-values/logger-firehose-accesssid.yaml b/tools/ci/helm-values/logger-firehose-accesssid.yaml
index ec693da01..329c9492f 100644
--- a/tools/ci/helm-values/logger-firehose-accesssid.yaml
+++ b/tools/ci/helm-values/logger-firehose-accesssid.yaml
@@ -97,7 +97,7 @@ osquery:
 ## Section: MySQL
 # All of the connection settings for MySQL
-mysql:
+database:
 # Name of the Secret resource containing MySQL password and TLS secrets
 secretName: mysql
 address: 127.0.0.1:3306
@@ -117,7 +117,7 @@ mysql:
 ## Section: Redis
 # All of the connection settings for Redis
-redis:
+cache:
 address: 127.0.0.1:6379
 database: "0"
 usePassword: false
diff --git a/tools/ci/helm-values/logger-firehose-sts.yaml b/tools/ci/helm-values/logger-firehose-sts.yaml
index d3ecda471..352592824 100644
--- a/tools/ci/helm-values/logger-firehose-sts.yaml
+++ b/tools/ci/helm-values/logger-firehose-sts.yaml
@@ -97,7 +97,7 @@ osquery:
 ## Section: MySQL
 # All of the connection settings for MySQL
-mysql:
+database:
 # Name of the Secret resource containing MySQL password and TLS secrets
 secretName: mysql
 address: 127.0.0.1:3306
@@ -117,7 +117,7 @@ mysql:
 ## Section: Redis
 # All of the connection settings for Redis
-redis:
+cache:
 address: 127.0.0.1:6379
 database: "0"
 usePassword: false
diff --git a/tools/ci/helm-values/logger-pubsub.yaml b/tools/ci/helm-values/logger-pubsub.yaml
index ccaea7cd1..2b54c16f1 100644
--- a/tools/ci/helm-values/logger-pubsub.yaml
+++ b/tools/ci/helm-values/logger-pubsub.yaml
@@ -97,7 +97,7 @@ osquery:
 ## Section: MySQL
 # All of the connection settings for MySQL
-mysql:
+database:
 # Name of the Secret resource containing MySQL password and TLS secrets
 secretName: mysql
 address: 127.0.0.1:3306
@@ -117,7 +117,7 @@ mysql:
 ## Section: Redis
 # All of the connection settings for Redis
-redis:
+cache:
 address: 127.0.0.1:6379
 database: "0"
 usePassword: false