From d776fa753f146717a2690dc03e443cffe0cced22 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Wed, 27 Sep 2023 23:31:57 +0200
Subject: [PATCH] feat(sbom-operator): Deploy sbom operator for k8s01

---
 apps/k8s01/sbom-operator/kustomization.yaml |   9 ++
 apps/k8s01/sbom-operator/namespace.yaml     |  31 +++++
 apps/k8s01/sbom-operator/release.yaml       |  46 ++++++++
 apps/k8s01/sbom-operator/repository.yaml    |   8 ++
 apps/k8s01/sbom-operator/secret.yaml        | 119 ++++++++++++++++++++
 5 files changed, 213 insertions(+)
 create mode 100644 apps/k8s01/sbom-operator/kustomization.yaml
 create mode 100644 apps/k8s01/sbom-operator/namespace.yaml
 create mode 100644 apps/k8s01/sbom-operator/release.yaml
 create mode 100644 apps/k8s01/sbom-operator/repository.yaml
 create mode 100644 apps/k8s01/sbom-operator/secret.yaml

diff --git a/apps/k8s01/sbom-operator/kustomization.yaml b/apps/k8s01/sbom-operator/kustomization.yaml
new file mode 100644
index 000000000..d0043a65d
--- /dev/null
+++ b/apps/k8s01/sbom-operator/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: sbom-operator
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+  - secret.yaml
+  - ../../../shared/resourcequotas/default.yaml
diff --git a/apps/k8s01/sbom-operator/namespace.yaml b/apps/k8s01/sbom-operator/namespace.yaml
new file mode 100644
index 000000000..9c279c5ed
--- /dev/null
+++ b/apps/k8s01/sbom-operator/namespace.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sbom-operator
+  labels:
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: v1.27
+    pod-security.kubernetes.io/enforce-version: v1.26
+    pod-security.kubernetes.io/warn-version: v1.27
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: flux-reconciler
+  namespace: sbom-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: flux-reconciler
+  namespace: sbom-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+subjects:
+  - kind: ServiceAccount
+    name: flux-reconciler
+    namespace: sbom-operator
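Review bot: The RoleBinding at the end of this file grants `flux-reconciler` the built-in `admin` ClusterRole across the namespace, and nothing in the file says why a single HelmRelease needs that much. That role includes reading every Secret in the namespace and creating further Roles and RoleBindings. If this is the repository's standard per-namespace reconciler pattern, a comment above the binding such as `# namespace-scoped admin used by Flux impersonation; no cluster-scoped rights` would record the intent. Otherwise a dedicated Role limited to what the chart renders would be the least-privilege choice. The Pod Security labels also pin `enforce-version: v1.26` while audit and warn use `v1.27`; if that skew is deliberate, a one-line comment would keep someone from "correcting" it later.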
diff --git a/apps/k8s01/sbom-operator/release.yaml b/apps/k8s01/sbom-operator/release.yaml
new file mode 100644
index 000000000..862094c33
--- /dev/null
+++ b/apps/k8s01/sbom-operator/release.yaml
@@ -0,0 +1,46 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: sbom-operator
+  namespace: sbom-operator
+spec:
+  serviceAccountName: flux-reconciler
+  timeout: 5m
+  releaseName: sbom-operator
+  chart:
+    spec:
+      chart: sbom-operator
+      sourceRef:
+        kind: HelmRepository
+        name: sbom-operator
+      version: 0.29.0
+  interval: 5m
+  valuesFrom:
+    - kind: ConfigMap
+      name: sbom-operator-base-values
+      valuesKey: values.yaml
+    - kind: Secret
+      name: sbom-operator-override-values
+      valuesKey: values-overrides.yaml
+      optional: true
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: sbom-operator-base-values
+  namespace: sbom-operator
+data:
+  values.yaml: |
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        cpu: "1"
+        memory: "2Gi"
\ No newline at end of file
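Review bot: `optional: true` on the `sbom-operator-override-values` entry under `valuesFrom` lets the release install or upgrade with only the ConfigMap values whenever that Secret is absent at reconcile time. The same commit ships the Secret, so I would make it mandatory by dropping the line or setting `optional: false`; a missing override then fails the reconcile instead of deploying a differently configured operator. With `retries: -1` on both `install` and `upgrade`, a broken release is retried indefinitely, so such a failure is only noticed if something alerts on HelmRelease readiness. The file also ends without a trailing newline.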
diff --git a/apps/k8s01/sbom-operator/repository.yaml b/apps/k8s01/sbom-operator/repository.yaml
new file mode 100644
index 000000000..ef91c8d18
--- /dev/null
+++ b/apps/k8s01/sbom-operator/repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: sbom-operator
+  namespace: sbom-operator
+spec:
+  interval: 30m
+  url: https://ckotzbauer.github.io/helm-charts
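Review bot: The chart source is a third-party Helm repository fetched over HTTPS, with no integrity check beyond TLS. The `version: 0.29.0` pin in release.yaml selects a version but does not bind it to a digest, so as far as these manifests show, a chart re-published under the same version would be picked up on a later reconcile. If the chart is also published as an OCI artifact, an OCI-type source with signature verification would close that gap; otherwise the usual alternative is mirroring the chart into a registry you control. A comment here such as `# upstream chart repo of the sbom-operator maintainer, not mirrored` would at least record the trust decision.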
diff --git a/apps/k8s01/sbom-operator/secret.yaml b/apps/k8s01/sbom-operator/secret.yaml
new file mode 100644
index 000000000..5859b24ff
--- /dev/null
+++ b/apps/k8s01/sbom-operator/secret.yaml
@@ -0,0 +1,119 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: sbom-operator-override-values
+    namespace: sbom-operator
+stringData:
+    values-overrides.yaml: ENC[AES256_GCM,data:NPu4ju6yTsyT2MgW9mZ9Pn77nK/11s7X6xxUDXn0dJMkRyqUTIMNskvtNMMSzIO9aKNicg0iVkyF1tynO+DQm8k+h//cQL8/1N6hiBNt+4IP3ntjL40W05Rtxyv0iNTr9MG1Yw6/3EIFoYG8+aggDAIk5qpSCn9AZXVFtprAGD1I2rTUetT73RmxLrGVr1l2+J1SFxLmFClmdPUEPTHNbv3PEuSP2skKcK0d7toyFVkbLcD1EobiZx7qZIei4stwwX+xHPIPaa4M8mXMp0c187Ac4x1wUBSjRrKEibifGNNTdagbP1hQeRqzBPwy6njJ7EvBLULZb83xKqoieniQBQ+8PMkgWU6jEaslohUXuB/RNJrdkN8ZbX+IZA7ryKp7wmeInxsZt74oHurNicChKgCdtQux/xWrza7rGYN4zmeC84JUkYkmebZDCJPh3g+cLy156E0HiGx9EGWrzZY=,iv:QcpytjvO8uliZ5opQ4OqvSRDiSQwHLu5miQvgqyOJGU=,tag:YcrkBB/xinQc8n1aihzadA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-09-27T21:30:32Z"
+    mac: ENC[AES256_GCM,data:GfPIreF44vUI21nrQc1SA+6rIZ0LhJhL8rIV5JzDRpBnCaG2a8piKb/MJ0jJ4qsyqnkpnoDGlts70LDzuEcJAPOsvDQdmiFaJ4cRtklQD8cERH9yRZGbN4qL3FxZl2RcV4D+9s1Tow3l4gCxhIcf16F/p/WYV1DhpcwAtxC8hLA=,iv:miP7IoN40+NuDXAYvREd4NO/IGi8/0d6UIIyS9G3ZTI=,tag:PN8s6gYJhmGHz/tJ/EgnIg==,type:str]
+    pgp:
+        - created_at: "2023-09-27T21:30:31Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcARAAr5M5ibEfvKUkkpR1TMz77VXKlaMTaUHEQ25OK1Rpe4jV
+            xcRw3OAYN/WOJsAYYyu+DZTa5X0CMTX2vIUGzaDkuTH9VFdn67A6/FamzfvGqWFR
+            lcjh8PmbT9/DpJVKuNGs+0WyP6dBbvQDVprAo9rBjvEqqhTxXLXYGy/L4ky/+6Od
+            sZNpqKvQtvmbLpvkWDs16atFXupUnRYOD3dyvd74jS6CQj3t9a20hfZ244WLNqat
+            7dtefew1F93xgYvwLik1PggH9i1BXv4CR/Uj6f0vTJ84sD3wJX43JQLnmmeEYYMg
+            rH7p/CyrfVrD1zklf/kSb6R3SOJBR+tbv6i+DUG/f/DAxOQxKZwrvDMQZUumnVUY
+            iqOA1HGa1yBSRwmM6EybCiSsDXmrIL2OiBugHGjqzOA3AzV8vmsmkvYSZwh4cCWT
+            XJAYffWD730Z5ECeoGh+DngB6vy9fEF6NyZ5xrzqJk6ITkIYwnxlZv1ZiRfipeYj
+            mg9XZbm6mOk+cgrcPMOK3VOyKDmjk6pGEEGIy0qwaWO2rBA5gUbVTtEsNOQhdKWb
+            raVhgA4MnLtSkvBgsYoRO/xc0M3KYl1Q1A2ATv2z9SzJ8qJyzhPMF/+/uq7MgEbn
+            ogTpcgsDvGMR24XGNBv/4cvZO9NgIWgs8f+smJLqnxbaCZMS7IQ7XtwQhSsL6nLS
+            UQHiogW6CIeB+i8DgTooWXz5O4xf184jZodFuC5VNN6FvaDiFZ/cKV+4goPUthP7
+            C7faolE6ilirP5+YPj63zdhSW9y55ASDPdk/cE16ijZJ0w==
+            =LB59
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2023-09-27T21:30:31Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPAQ/9HgKJUBNTeNvwNFaH8sJYHLv4mNkQd6vrmI2ZGx0Qra4T
+            Ze1eaRdpCTQ/1l9IREQuQr0nenpAyb9AyYVAtNXmQlT05BqZjXP5rPWWtShGVZVz
+            932gRSJ56LoKKzcJiuEx5EzLOjBfgW2LtvWV2EzgFwz9+SquUJSdcvQM3ZfLWYsO
+            xnsdPGcxJieCv0Z4T+TXO1CF9RRSxinFgB5l/66F2S8y/WVWabBEcvRpLS6aDSpg
+            0OxPfQht8qkHkb1poFnZwr2oQYXpFYYBT7jGwfi/ShmREwW+fE9zjS26VEswsQ/u
+            hsm5jDooiitIrcbZ+H5vbKXirLPBK+Bs8spqt0XJGrfIAbvtE0XDHlWhO5k/HzzH
+            dBbOc2UQpoO0/kRoQbvdOjjfrpEo3T+qKYnlwu+U+Hai8xWZw3IM19KVAQ2YL0wn
+            xPN33f2n3k0KqX/MmmiYJIX/bzbkcuPOp5fPFZGw3MDCp1FbX5cKkW/6/QiNMnLU
+            Tm1OeDTYw1SEjb1J+5UBTbL2Ofbwb7VR2svn6oBV440hIIzsGcWkmFZ1w/uU7S66
+            BM9mDG8+bZK5u3G8Umtr0+vYNSxlYIl017Iyx20xTFq/OPZ3GnuddUON0FC1bufR
+            /kHH+Q+fdLQD2nDmUKneSwn7JG03RdzQA7XT76tUN1BCOyPpwRis66W9zsHhdWbU
+            aAEJAhA587Gfs0hbJYeivufwtlr+3wP9OffI8VpcbiqIileOTEP9ap6Fxnp8S05o
+            SFZxhFP4t86wJPaGhomu3gA2kVx6QauNVt0gZaz0HZmxO4Uk8RDuI36fCpAfrSrU
+            5/ePctR+K/bu
+            =WJnd
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName)$
+    version: 3.7.3
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: sbom-operator
+    namespace: sbom-operator
+stringData:
+    password: ENC[AES256_GCM,data:G95GN4ft1zp6zqSRzae9WrFXqIsfUDUVx9k=,iv:7Jt92nbroqOshzvE4yKTkDebA2cjAwi/DmQL1tmHZa4=,tag:yq9RQd8VEEwzU9ai8xlF6w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-09-27T21:30:32Z"
+    mac: ENC[AES256_GCM,data:GfPIreF44vUI21nrQc1SA+6rIZ0LhJhL8rIV5JzDRpBnCaG2a8piKb/MJ0jJ4qsyqnkpnoDGlts70LDzuEcJAPOsvDQdmiFaJ4cRtklQD8cERH9yRZGbN4qL3FxZl2RcV4D+9s1Tow3l4gCxhIcf16F/p/WYV1DhpcwAtxC8hLA=,iv:miP7IoN40+NuDXAYvREd4NO/IGi8/0d6UIIyS9G3ZTI=,tag:PN8s6gYJhmGHz/tJ/EgnIg==,type:str]
+    pgp:
+        - created_at: "2023-09-27T21:30:31Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcARAAr5M5ibEfvKUkkpR1TMz77VXKlaMTaUHEQ25OK1Rpe4jV
+            xcRw3OAYN/WOJsAYYyu+DZTa5X0CMTX2vIUGzaDkuTH9VFdn67A6/FamzfvGqWFR
+            lcjh8PmbT9/DpJVKuNGs+0WyP6dBbvQDVprAo9rBjvEqqhTxXLXYGy/L4ky/+6Od
+            sZNpqKvQtvmbLpvkWDs16atFXupUnRYOD3dyvd74jS6CQj3t9a20hfZ244WLNqat
+            7dtefew1F93xgYvwLik1PggH9i1BXv4CR/Uj6f0vTJ84sD3wJX43JQLnmmeEYYMg
+            rH7p/CyrfVrD1zklf/kSb6R3SOJBR+tbv6i+DUG/f/DAxOQxKZwrvDMQZUumnVUY
+            iqOA1HGa1yBSRwmM6EybCiSsDXmrIL2OiBugHGjqzOA3AzV8vmsmkvYSZwh4cCWT
+            XJAYffWD730Z5ECeoGh+DngB6vy9fEF6NyZ5xrzqJk6ITkIYwnxlZv1ZiRfipeYj
+            mg9XZbm6mOk+cgrcPMOK3VOyKDmjk6pGEEGIy0qwaWO2rBA5gUbVTtEsNOQhdKWb
+            raVhgA4MnLtSkvBgsYoRO/xc0M3KYl1Q1A2ATv2z9SzJ8qJyzhPMF/+/uq7MgEbn
+            ogTpcgsDvGMR24XGNBv/4cvZO9NgIWgs8f+smJLqnxbaCZMS7IQ7XtwQhSsL6nLS
+            UQHiogW6CIeB+i8DgTooWXz5O4xf184jZodFuC5VNN6FvaDiFZ/cKV+4goPUthP7
+            C7faolE6ilirP5+YPj63zdhSW9y55ASDPdk/cE16ijZJ0w==
+            =LB59
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2023-09-27T21:30:31Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPAQ/9HgKJUBNTeNvwNFaH8sJYHLv4mNkQd6vrmI2ZGx0Qra4T
+            Ze1eaRdpCTQ/1l9IREQuQr0nenpAyb9AyYVAtNXmQlT05BqZjXP5rPWWtShGVZVz
+            932gRSJ56LoKKzcJiuEx5EzLOjBfgW2LtvWV2EzgFwz9+SquUJSdcvQM3ZfLWYsO
+            xnsdPGcxJieCv0Z4T+TXO1CF9RRSxinFgB5l/66F2S8y/WVWabBEcvRpLS6aDSpg
+            0OxPfQht8qkHkb1poFnZwr2oQYXpFYYBT7jGwfi/ShmREwW+fE9zjS26VEswsQ/u
+            hsm5jDooiitIrcbZ+H5vbKXirLPBK+Bs8spqt0XJGrfIAbvtE0XDHlWhO5k/HzzH
+            dBbOc2UQpoO0/kRoQbvdOjjfrpEo3T+qKYnlwu+U+Hai8xWZw3IM19KVAQ2YL0wn
+            xPN33f2n3k0KqX/MmmiYJIX/bzbkcuPOp5fPFZGw3MDCp1FbX5cKkW/6/QiNMnLU
+            Tm1OeDTYw1SEjb1J+5UBTbL2Ofbwb7VR2svn6oBV440hIIzsGcWkmFZ1w/uU7S66
+            BM9mDG8+bZK5u3G8Umtr0+vYNSxlYIl017Iyx20xTFq/OPZ3GnuddUON0FC1bufR
+            /kHH+Q+fdLQD2nDmUKneSwn7JG03RdzQA7XT76tUN1BCOyPpwRis66W9zsHhdWbU
+            aAEJAhA587Gfs0hbJYeivufwtlr+3wP9OffI8VpcbiqIileOTEP9ap6Fxnp8S05o
+            SFZxhFP4t86wJPaGhomu3gA2kVx6QauNVt0gZaz0HZmxO4Uk8RDuI36fCpAfrSrU
+            5/ePctR+K/bu
+            =WJnd
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName)$
+    version: 3.7.3
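Review bot: The whole `values-overrides.yaml` payload is a single encrypted string, so the Helm values that actually configure the operator cannot be reviewed from this commit, and the second Secret `sbom-operator` with its `password` key has no visible consumer. Presumably the encrypted overrides reference that Secret, but this cannot be confirmed from the diff. I would keep only the credential itself under SOPS, move the non-sensitive overrides into the `sbom-operator-base-values` ConfigMap in release.yaml, and document there what the `password` is used for. Any such change has to go through `sops` rather than a hand edit, because the `mac` field covers the encrypted values.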
-- 
GitLab