From 6aa80dfbb9599eb86c114587db599cab4294edbe Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Wed, 27 Apr 2022 02:27:30 +0200
Subject: [PATCH] feat(starboard): Add starboard operator

This patch adds the starboard operator along with a trivy-server
deployment to the cluster, which should provide insights into the
current state of vulnerabilities and CVEs in the cluster.

References:
https://aquasecurity.github.io/starboard/v0.15.4/
https://aquasecurity.github.io/trivy/v0.25.4/
---
 infrastructure/kustomization.yaml           |  1 +
 infrastructure/starboard/README.md          | 18 ++++++++
 infrastructure/starboard/kustomization.yaml | 19 +++++++++
 infrastructure/starboard/monitoring.yaml    | 25 +++++++++++
 infrastructure/starboard/namespace.yaml     |  7 ++++
 infrastructure/starboard/networkpolicy.yaml | 12 ++++++
 infrastructure/starboard/release.yaml       | 46 +++++++++++++++++++++
 infrastructure/starboard/repository.yaml    |  8 ++++
 8 files changed, 136 insertions(+)
 create mode 100644 infrastructure/starboard/README.md
 create mode 100644 infrastructure/starboard/kustomization.yaml
 create mode 100644 infrastructure/starboard/monitoring.yaml
 create mode 100644 infrastructure/starboard/namespace.yaml
 create mode 100644 infrastructure/starboard/networkpolicy.yaml
 create mode 100644 infrastructure/starboard/release.yaml
 create mode 100644 infrastructure/starboard/repository.yaml

diff --git a/infrastructure/kustomization.yaml b/infrastructure/kustomization.yaml
index 4090e3baa..59ab3cb80 100644
--- a/infrastructure/kustomization.yaml
+++ b/infrastructure/kustomization.yaml
@@ -14,3 +14,4 @@ resources:
   - k8up
   - postgres
   - kubenav
+  - starboard
diff --git a/infrastructure/starboard/README.md b/infrastructure/starboard/README.md
new file mode 100644
index 000000000..a63484575
--- /dev/null
+++ b/infrastructure/starboard/README.md
@@ -0,0 +1,18 @@
+Starboard
+===
+
+Operator to create and manage automated container image scans for all containers deployed in the cluster, this helps to provide visibility for potential security issues and makes it easy to identify containers and deployments affected by CVEs.
+
+This particular installation utilises a trivy-server setup, that reduces the times to download the vulnerability database, making it API limit friendlier.
+
+Links
+---
+
+- [Starboard Docs](https://aquasecurity.github.io/starboard/v0.15.4/)
+- [Starboard Helm Chart](https://github.com/aquasecurity/starboard/tree/main/deploy/helm)
+- [Starboard Source Code](https://github.com/aquasecurity/starboard/)
+- [Starboard Help Forum](https://github.com/aquasecurity/starboard//discussions)
+- [Trivy Docs](https://aquasecurity.github.io/trivy/v0.25.4/)
+- [Trivy Helm Chart](https://github.com/aquasecurity/trivy/tree/main/helm/trivy)
+- [Trivy Source Code](https://github.com/aquasecurity/trivy/)
+- [Trivy Help Forum](https://github.com/aquasecurity/trivy/discussions)
diff --git a/infrastructure/starboard/kustomization.yaml b/infrastructure/starboard/kustomization.yaml
new file mode 100644
index 000000000..56dc182cd
--- /dev/null
+++ b/infrastructure/starboard/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: longhorn-system
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+  - monitoring.yaml
+  - ../../shared/networkpolicies/allow-from-ingress.yaml
+  - ../../shared/networkpolicies/allow-from-monitoring.yaml
+patchesStrategicMerge:
+  - networkpolicy.yaml
+configMapGenerator:
+  - name: longhorn-grafana-dashboards
+    files:
+      - ./dashboards/longhorn.json
+    options:
+      labels:
+        grafana_dashboard: longhorn-system
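Review bot: `namespace: longhorn-system` on this Kustomization is a copy-paste leftover and breaks the deployment: kustomize's namespace transformer rewrites every namespaced resource in the directory, so the HelmRepository and HelmRelease objects that declare `namespace: starboard-system` land in `longhorn-system` instead, the `starboard-system` Namespace from namespace.yaml stays empty, and the `sourceRef.namespace` fields inside the HelmRelease specs (which kustomize does not rewrite for a CRD without extra configuration) then point at objects that do not exist there. Change it to `namespace: starboard-system`. The `configMapGenerator` stanza is the same leftover: it references `./dashboards/longhorn.json` and labels it `grafana_dashboard: longhorn-system`, and no such file appears in this patch's diffstat, so `kustomize build` will fail on the missing file; drop the stanza unless a starboard dashboard is actually added.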
diff --git a/infrastructure/starboard/monitoring.yaml b/infrastructure/starboard/monitoring.yaml
new file mode 100644
index 000000000..2dbb497b6
--- /dev/null
+++ b/infrastructure/starboard/monitoring.yaml
@@ -0,0 +1,25 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: giantswarm
+  namespace: starboard-system
+spec:
+  interval: 30m
+  url: https://giantswarm.github.io/giantswarm-catalog
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: starboard-exporter
+  namespace: starboard-system
+spec:
+  releaseName: starboard-exporter
+  chart:
+    spec:
+      chart: starboard-exporter
+      sourceRef:
+        kind: HelmRepository
+        name: giantswarm
+        namespace: starboard-system
+      version: 0.3.3
+  interval: 5m
diff --git a/infrastructure/starboard/namespace.yaml b/infrastructure/starboard/namespace.yaml
new file mode 100644
index 000000000..b8e0b9013
--- /dev/null
+++ b/infrastructure/starboard/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: starboard-system
+  labels:
+    name: starboard-system
+    kyverno.shivering-isles.com/class: "system"
diff --git a/infrastructure/starboard/networkpolicy.yaml b/infrastructure/starboard/networkpolicy.yaml
new file mode 100644
index 000000000..a268d31e2
--- /dev/null
+++ b/infrastructure/starboard/networkpolicy.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-ingress
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+          - starboard-exporter
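Review bot: Narrowing `allow-from-ingress` to the `starboard-exporter` pods is the right direction, but keep in mind what that endpoint serves: the exporter turns VulnerabilityReports into metrics, i.e. a per-image CVE inventory of the whole cluster, so anything that reaches it through the ingress controller should sit behind authentication (no Ingress object is part of this patch, so this may already be handled elsewhere). The shared policy is included from outside this directory, so I cannot see whether it scopes ports; if it does not, adding a `ports:` entry limited to the exporter's metrics port in this patch would keep the allowance minimal. Nothing in this patch selects the `trivy` server pods, so unless the `kyverno.shivering-isles.com/class: "system"` label brings a default-deny with it, any pod in the cluster can submit scan requests to `trivy:4954`; a policy allowing ingress only from the operator's scan-job pods would be worth adding.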
diff --git a/infrastructure/starboard/release.yaml b/infrastructure/starboard/release.yaml
new file mode 100644
index 000000000..7005502d3
--- /dev/null
+++ b/infrastructure/starboard/release.yaml
@@ -0,0 +1,46 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: starboard-operator
+  namespace: starboard-system
+spec:
+  releaseName: starboard-operator
+  chart:
+    spec:
+      chart: starboard-operator
+      sourceRef:
+        kind: HelmRepository
+        name: aqua
+        namespace: starboard-system
+      version: 0.10.4
+  interval: 5m
+  install:
+    crds: CreateReplace
+  upgrade:
+    crds: CreateReplace
+  values:
+    operator:
+      vulnerabilityScannerScanOnlyCurrentRevisions: true
+      clusterComplianceEnabled: false
+      kubernetesBenchmarkEnabled: false
+    trivy:
+      mode: ClientServer
+      ignoreUnfixed: false
+      serverURL: "http://trivy:4954"
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: trivy
+  namespace: starboard-system
+spec:
+  releaseName: trivy
+  chart:
+    spec:
+      chart: trivy
+      sourceRef:
+        kind: HelmRepository
+        name: aqua
+        namespace: starboard-system
+      version: 0.4.13
+  interval: 5m
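Review bot: Both releases point `sourceRef` at a HelmRepository named `aqua` in `starboard-system`, but the only repository with the Aqua charts URL in this patch (repository.yaml) is named `longhorn` in `longhorn-system`, so Flux will fail reconciliation of both releases with a source-not-found error until the repository object is renamed or these references are changed to match. `serverURL: "http://trivy:4954"` is plaintext and unauthenticated; inside the cluster that is tolerable, but the operator's trivy configuration supports a server token (`trivy.serverToken`, as far as I recall the chart values — verify against the 0.10.4 chart) and the trivy chart accepts one as well, so pairing them would stop arbitrary in-cluster pods from using the server. The `trivy` release carries no `values` at all, so the server runs entirely on chart defaults; a one-line comment such as `# chart defaults are intentional: single in-cluster server, DB cached by trivy itself` would tell the next reader that this is deliberate.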
diff --git a/infrastructure/starboard/repository.yaml b/infrastructure/starboard/repository.yaml
new file mode 100644
index 000000000..b27deccb2
--- /dev/null
+++ b/infrastructure/starboard/repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: longhorn
+  namespace: longhorn-system
+spec:
+  interval: 30m
+  url: https://aquasecurity.github.io/helm-charts/
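Review bot: The HelmRepository's `name: longhorn` and `namespace: longhorn-system` are copy-paste leftovers; release.yaml looks the source up as `kind: HelmRepository, name: aqua, namespace: starboard-system`, so as written neither HelmRelease can resolve its chart. Change the two metadata lines to `name: aqua` and `namespace: starboard-system`. The name then also matches the convention used for the other repository in this patch (`giantswarm` in monitoring.yaml), which is named after the vendor rather than a consumer.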
-- 
GitLab