6 changes: 6 additions & 0 deletions hooks/cascading-scans/templates/cascading-scans-hook.yaml
Expand Up @@ -17,6 +17,8 @@ spec:
type: ReadOnly
image: "{{ .Values.hook.image.repository }}:{{ .Values.hook.image.tag | default .Chart.Version }}"
ttlSecondsAfterFinished: {{ .Values.hook.ttlSecondsAfterFinished }}
env:
{{- toYaml .Values.hook.env | nindent 4 }}
serviceAccountName: cascading-scans
affinity:
{{- toYaml .Values.hook.affinity | nindent 4 }}
Expand All @@ -30,3 +32,7 @@ spec:
resources:
{{- toYaml . | nindent 4 }}
{{- end }}
volumes:
{{- toYaml .Values.hook.extraVolumes | nindent 4 }}
volumeMounts:
{{- toYaml .Values.hook.extraVolumeMounts | nindent 4 }}
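Review bot: The `env:` stanza here is rendered unconditionally, while every other template in this change guards the same value with `{{ if .Values.hook.env }}`; the two styles should agree so that a user setting `hook.env: null` or overriding it in a parent chart gets the same rendering in every hook. With the shipped default `env: []` the unguarded form emits `env: []`, which is valid, so this is a consistency point rather than a rendering error. The `volumes:` and `volumeMounts:` stanzas at the end of the hunk are likewise unguarded in all templates of this change and will always appear in the rendered hook spec, even when empty, so it is worth confirming the hook CRD schema actually declares these fields; I cannot see the CRD here. A one-line comment such as `# hook.env/extraVolumes/extraVolumeMounts default to [] in values.yaml, so these stanzas are safe to render unconditionally` would record that reasoning for the next reader.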
9 changes: 9 additions & 0 deletions hooks/cascading-scans/values.yaml
Expand Up @@ -35,3 +35,12 @@ hook:
# -- Optional resources lets you control resource limits and requests for the hook container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
# @default -- { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }
resources: {}

# hook.extraVolumes -- Optional Volumes mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumes: []

# hook.extraVolumeMounts -- Optional VolumeMounts mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumeMounts: []

# hook.env -- Optional environment variables mapped into the hook (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
env: []
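Review bot: The three new value comments describe what the keys are for but not what shape is expected, which matters because the templates pass them straight through `toYaml` into the hook spec with no validation. I would extend the `hook.env` comment to say the entries are Kubernetes `EnvVar` objects and that credentials should be supplied via `valueFrom.secretKeyRef` rather than an inline `value`, and the `hook.extraVolumes`/`hook.extraVolumeMounts` comments to say the entries are `Volume` and `VolumeMount` objects whose `name` fields must match. Since the docs added in this change use `extraVolumeMounts` to overlay the hook's trust store, the mount comment could also note that a mount over a system path such as a CA bundle changes the hook's TLS verification and should normally be `readOnly: true`. The same comments are repeated in the other `values.yaml` files of this change (finding-post-processing, generic-webhook, notification, persistence-azure-monitor, persistence-defectdojo, persistence-elastic, update-field-hook), so the wording should be updated in all of them together.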
Expand Up @@ -19,6 +19,9 @@ spec:
env:
- name: RULES
value: {{ .Values.rules | toJson | quote }}
{{ if .Values.hook.env }}
{{- toYaml .Values.hook.env | nindent 4 }}
{{ end }}
affinity:
{{- toYaml .Values.hook.affinity | nindent 4 }}
tolerations:
Expand All @@ -31,3 +34,7 @@ spec:
resources:
{{- toYaml . | nindent 4 }}
{{- end }}
volumes:
{{- toYaml .Values.hook.extraVolumes | nindent 4 }}
volumeMounts:
{{- toYaml .Values.hook.extraVolumeMounts | nindent 4 }}
9 changes: 9 additions & 0 deletions hooks/finding-post-processing/values.yaml
Expand Up @@ -51,3 +51,12 @@ hook:
# -- Optional resources lets you control resource limits and requests for the hook container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
# @default -- { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }
resources: {}

# hook.extraVolumes -- Optional Volumes mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumes: []

# hook.extraVolumeMounts -- Optional VolumeMounts mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumeMounts: []

# hook.env -- Optional environment variables mapped into the hook (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
env: []
7 changes: 7 additions & 0 deletions hooks/generic-webhook/templates/webhook-hook.yaml
Expand Up @@ -43,6 +43,9 @@ spec:
name: {{ .Values.hook.authentication.apikey.userSecret }}
key: {{ .Values.hook.authentication.apikey.headerValueKey }}
optional: true
{{ if .Values.hook.env }}
{{- toYaml .Values.hook.env | nindent 4 }}
{{ end }}
affinity:
{{- toYaml .Values.hook.affinity | nindent 4 }}
tolerations:
Expand All @@ -55,3 +58,7 @@ spec:
resources:
{{- toYaml . | nindent 4 }}
{{- end }}
volumes:
{{- toYaml .Values.hook.extraVolumes | nindent 4 }}
volumeMounts:
{{- toYaml .Values.hook.extraVolumeMounts | nindent 4 }}
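Review bot: The `{{ if .Values.hook.env }}` / `{{ end }}` lines in the first hunk carry no whitespace trimming, so each render leaves a line of bare indentation (or an empty line) inside the `env:` list, and this differs from the `{{- with }}`/`{{- end }}` style already used for `imagePullSecrets` and `resources` in the same file. YAML tolerates the blank lines, so the rendered manifest is still valid, but `helm template` output becomes noisier and harder to diff. I would write the block as `{{- if .Values.hook.env }}` / `{{- toYaml .Values.hook.env | nindent 4 }}` / `{{- end }}`; the leading `-` on `if` trims the newline after the previous env entry and `nindent` restores it, and the `-` on `end` trims the trailing one. The same untrimmed pattern appears in the `update-field-hook.yaml`, `persistence-provider.yaml` (elastic) and `notification-hook.yaml` hunks of this change, and in the three template sections whose file headers are not shown on this page, so the fix applies to all of them.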
9 changes: 9 additions & 0 deletions hooks/generic-webhook/values.yaml
Expand Up @@ -55,3 +55,12 @@ hook:
# -- Optional resources lets you control resource limits and requests for the hook container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
# @default -- { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }
resources: {}

# hook.extraVolumes -- Optional Volumes mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumes: []

# hook.extraVolumeMounts -- Optional VolumeMounts mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumeMounts: []

# hook.env -- Optional environment variables mapped into the hook (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
env: []
2 changes: 1 addition & 1 deletion hooks/notification/.helm-docs.gotmpl
Expand Up @@ -35,7 +35,7 @@ You can customise the message templates on your behalf or use the already provid
Installing the Notification hook will add a ReadOnly Hook to your namespace.

```bash
helm upgrade --install nwh ./hooks/notification-hook/ --values /path/to/your/values"
helm upgrade --install notification ./hooks/notification/ --values /path/to/your/values"
```

The `values.yaml` you need depends on the notification type you want to use.
9 changes: 9 additions & 0 deletions hooks/notification/templates/notification-hook.yaml
Expand Up @@ -26,6 +26,9 @@ spec:
configMap:
name: {{ .Values.customTemplateMap.name }}
{{ end }}
{{ if .Values.hook.extraVolumes }}
{{- toYaml .Values.hook.extraVolumes | nindent 4 }}
{{ end }}
volumeMounts:
- name: {{ .Release.Name }}-config
mountPath: /home/app/config
Expand All @@ -34,8 +37,14 @@ spec:
- name: {{ .Release.Name }}-custom-templates
mountPath: /home/app/hook-wrapper/hook/notification-templates
{{ end }}
{{ if .Values.hook.extraVolumeMounts }}
{{- toYaml .Values.hook.extraVolumeMounts | nindent 4 }}
{{ end }}
env:
{{- toYaml .Values.env | nindent 4}}
{{ if .Values.hook.env }}
{{- toYaml .Values.hook.env | nindent 4 }}
{{ end }}
affinity:
{{- toYaml .Values.hook.affinity | nindent 4 }}
tolerations:
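Review bot: In the third hunk the `env:` list is now built from two separate `toYaml` calls, `.Values.env` followed by the guarded `.Values.hook.env`, and the result is only valid YAML if the first one produces list items. If `.Values.env` defaults to `[]` (its default is not visible on this page), a user who sets `hook.env` will get `[]` followed by `- name: ...` entries under the same key, which the YAML parser rejects; the `{{ if }}` guards added for `extraVolumes` and `extraVolumeMounts` avoid exactly this problem for the lists above, but the first `env` source has no guard. The simplest fix is to render one merged list, `{{- toYaml (concat .Values.env .Values.hook.env) | nindent 4 }}`, which also makes the precedence of duplicate variable names explicit (later entries win in the container). Whichever form is kept, the `values.yaml` comment for `hook.env` should state that it is appended to the chart's own `env` list rather than replacing it.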
9 changes: 9 additions & 0 deletions hooks/notification/values.yaml
Expand Up @@ -38,6 +38,15 @@ hook:
# @default -- { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }
resources: {}

# hook.extraVolumes -- Optional Volumes mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumes: []

# hook.extraVolumeMounts -- Optional VolumeMounts mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumeMounts: []

# hook.env -- Optional environment variables mapped into the hook (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
env: []

notificationChannels:
- name: slack
type: slack
Expand Up @@ -30,6 +30,9 @@ spec:
secretKeyRef:
name: {{ .Values.monitor.authentication.apiKeySecret }}
key: sharedkey
{{ if .Values.hook.env }}
{{- toYaml .Values.hook.env | nindent 4 }}
{{ end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 4 }}
Expand All @@ -38,3 +41,7 @@ spec:
resources:
{{- toYaml . | nindent 4 }}
{{- end }}
volumes:
{{- toYaml .Values.hook.extraVolumes | nindent 4 }}
volumeMounts:
{{- toYaml .Values.hook.extraVolumeMounts | nindent 4 }}
9 changes: 9 additions & 0 deletions hooks/persistence-azure-monitor/values.yaml
Expand Up @@ -38,6 +38,15 @@ hook:
# @default -- { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }
resources: {}

# hook.extraVolumes -- Optional Volumes mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumes: []

# hook.extraVolumeMounts -- Optional VolumeMounts mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumeMounts: []

# hook.env -- Optional environment variables mapped into the hook (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
env: []

monitor:
# monitor.logtype -- Configure the Logtype that the hook should use in Azure Monitor
logtypePrefix: "SCB"
11 changes: 10 additions & 1 deletion hooks/persistence-defectdojo/.helm-docs.gotmpl
Expand Up @@ -115,6 +115,15 @@ If the engagement doesn't exist the hook will create the engagement (CI/CD engag
(product & product type). The hook will then pull the imported information from DefectDojo and use them to replace the
findings inside secureCodeBox.

In case you use a DefectDojo instance with a self-signed root CA, upgrade the hook with:
```bash
helm upgrade --install dd secureCodeBox/persistence-defectdojo \
--set="defectdojo.url=https://defectdojo-django.default.svc" \
--set-json 'hook.extraVolumes=[{"name": "ca-dojo", "configMap": {"name": "ca-dojo"}}]' \
--set-json 'hook.extraVolumeMounts=[{"name": "ca-dojo", "mountPath": "/etc/ssl/certs/java/cacerts", "subPath": "cacerts", "readOnly": false}]'
```
After, you can update `/etc/ssl/certs/java/cacerts` with your certificate.

You don't need any configuration for that to work, the hook will infer engagement & product names from the scan name.
If you want more control over the names or add additional meta information like the version of the tested software you
can add these via annotation to the scan. See examples below.
Expand Down Expand Up @@ -215,7 +224,7 @@ The secureCodeBox DefectDojo Hook can be configured to run with such a token of
kubectl create secret generic defectdojo-credentials --from-literal="apikey=08b7..."

helm upgrade --install dd secureCodeBox/persistence-defectdojo \
--set="defectdojo.url=https://defectdojo-django.default.svc" \
--set="defectdojo.url=http://defectdojo-django.default.svc" \
--set="defectdojo.lowPrivilegedMode=true" \
--set="defectdojo.authentication.userId=42"
```
Expand Up @@ -42,6 +42,9 @@ spec:
key: {{ .Values.defectdojo.authentication.apiKeyKey }}
- name: DEFECTDOJO_LOW_PRIVILEGED_MODE
value: {{ .Values.defectdojo.lowPrivilegedMode | quote }}
{{ if .Values.hook.env }}
{{- toYaml .Values.hook.env | nindent 4 }}
{{ end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 4 }}
Expand All @@ -50,3 +53,7 @@ spec:
resources:
{{- toYaml . | nindent 4 }}
{{- end }}
volumes:
{{- toYaml .Values.hook.extraVolumes | nindent 4 }}
volumeMounts:
{{- toYaml .Values.hook.extraVolumeMounts | nindent 4 }}
9 changes: 9 additions & 0 deletions hooks/persistence-defectdojo/values.yaml
Expand Up @@ -38,6 +38,15 @@ hook:
# @default -- { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }
resources: {}

# hook.extraVolumes -- Optional Volumes mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumes: []

# hook.extraVolumeMounts -- Optional VolumeMounts mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumeMounts: []

# hook.env -- Optional environment variables mapped into the hook (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
env: []

defectdojo:
# -- Syncs back (two way sync) all imported findings from DefectDojo to SCB Findings Store. When set to false the hook will only import the findings to DefectDojo (one way sync).
syncFindingsBack: true
7 changes: 7 additions & 0 deletions hooks/persistence-elastic/templates/persistence-provider.yaml
Expand Up @@ -54,6 +54,9 @@ spec:
name: {{ .Values.authentication.apiKeySecret }}
key: id
{{- end }}
{{ if .Values.hook.env }}
{{- toYaml .Values.hook.env | nindent 4 }}
{{ end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 4 }}
Expand All @@ -62,3 +65,7 @@ spec:
resources:
{{- toYaml . | nindent 4 }}
{{- end }}
volumes:
{{- toYaml .Values.hook.extraVolumes | nindent 4 }}
volumeMounts:
{{- toYaml .Values.hook.extraVolumeMounts | nindent 4 }}
9 changes: 9 additions & 0 deletions hooks/persistence-elastic/values.yaml
Expand Up @@ -108,3 +108,12 @@ hook:
# -- Optional resources lets you control resource limits and requests for the hook container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
# @default -- { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }
resources: {}

# hook.extraVolumes -- Optional Volumes mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumes: []

# hook.extraVolumeMounts -- Optional VolumeMounts mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumeMounts: []

# hook.env -- Optional environment variables mapped into the hook (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
env: []
7 changes: 7 additions & 0 deletions hooks/update-field-hook/templates/update-field-hook.yaml
Expand Up @@ -21,6 +21,9 @@ spec:
value: {{ .Values.attribute.name | quote }}
- name: ATTRIBUTE_VALUE
value: {{ .Values.attribute.value | quote }}
{{ if .Values.hook.env }}
{{- toYaml .Values.hook.env | nindent 4 }}
{{ end }}
affinity:
{{- toYaml .Values.hook.affinity | nindent 4 }}
tolerations:
Expand All @@ -33,3 +36,7 @@ spec:
resources:
{{- toYaml . | nindent 4 }}
{{- end }}
volumes:
{{- toYaml .Values.hook.extraVolumes | nindent 4 }}
volumeMounts:
{{- toYaml .Values.hook.extraVolumeMounts | nindent 4 }}
9 changes: 9 additions & 0 deletions hooks/update-field-hook/values.yaml
Expand Up @@ -41,3 +41,12 @@ hook:
# -- Optional resources lets you control resource limits and requests for the hook container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
# @default -- { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }
resources: {}

# hook.extraVolumes -- Optional Volumes mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumes: []

# hook.extraVolumeMounts -- Optional VolumeMounts mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumeMounts: []

# hook.env -- Optional environment variables mapped into the hook (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
env: []