diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml index afe4624..4ffaf02 100644 --- a/.github/workflows/push-trigger.yml +++ b/.github/workflows/push-trigger.yml @@ -1,4 +1,4 @@ -name: Build databreach-detector +name: Building Security Tools on: release: @@ -30,12 +30,16 @@ jobs: SERVICE_NAME: 'databreachdetector' - SERVICE_LOCATION: 'certmanager' SERVICE_NAME: 'certmanager' + - SERVICE_LOCATION: 'auditsweeper' + SERVICE_NAME: 'auditsweeper' + ONLY_DOCKER: true fail-fast: false name: ${{ matrix.SERVICE_NAME }} uses: mosip/kattu/.github/workflows/docker-build.yml@master with: SERVICE_LOCATION: ${{ matrix.SERVICE_LOCATION }} SERVICE_NAME: ${{ matrix.SERVICE_NAME }} + ONLY_DOCKER: ${{ matrix.ONLY_DOCKER }} secrets: DEV_NAMESPACE_DOCKER_HUB: ${{ secrets.DEV_NAMESPACE_DOCKER_HUB }} ACTOR_DOCKER_HUB: ${{ secrets.ACTOR_DOCKER_HUB }} diff --git a/auditsweeper/Dockerfile b/auditsweeper/Dockerfile new file mode 100644 index 0000000..12dc8f3 --- /dev/null +++ b/auditsweeper/Dockerfile 
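Review bot: The new `ONLY_DOCKER: ${{ matrix.ONLY_DOCKER }}` input is only defined for the `auditsweeper` matrix entry, so for `databreachdetector` and `certmanager` the reusable workflow receives an empty value; give every entry an explicit `ONLY_DOCKER: false` (or default the input inside `docker-build.yml`) so the type is consistent across the matrix. Separately, `uses: mosip/kattu/.github/workflows/docker-build.yml@master` pulls the build logic from a mutable branch and hands it the Docker Hub secrets listed below; pinning to a commit (`@<sha>`) keeps a push to that branch from changing what runs with your publishing credentials.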
@@ -0,0 +1,39 @@ +FROM python:3.9 + +ARG SOURCE +ARG COMMIT_HASH +ARG COMMIT_ID +ARG BUILD_TIME +LABEL source=${SOURCE} +LABEL commit_hash=${COMMIT_HASH} +LABEL commit_id=${COMMIT_ID} +LABEL build_time=${BUILD_TIME} + +ARG container_user=mosip +ARG container_user_group=mosip +ARG container_user_uid=1001 +ARG container_user_gid=1001 + +# Create the user and set the working directory +RUN groupadd -r ${container_user_group} && useradd -u ${container_user_uid} -r -g ${container_user_group} -s /bin/bash -m -d /home/${container_user} ${container_user} + +WORKDIR /home/${container_user} + +# Add all files to the correct working directory +ADD . . + +# Install kubectl and Python dependencies +RUN apt-get -y update && apt-get install -y curl \ +&& curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.sio/release/stable.txt)/bin/linux/amd64/kubectl" \ +&& chmod +x ./kubectl && mv ./kubectl /usr/local/bin/kubectl \ +&& pip install --no-cache-dir -r requirements.txt \ +&& chown -R ${container_user}:${container_user_group} /home/${container_user} + +USER ${container_user} + +ENV db-server= +ENV db-port= +ENV db-su-user= +ENV postgres-password= + +CMD ["python", "auditsweeper.py"] \ No newline at end of file diff --git a/auditsweeper/auditsweeper.py b/auditsweeper/auditsweeper.py new file mode 100644 index 0000000..a249ead --- /dev/null +++ b/auditsweeper/auditsweeper.py 
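Review bot: The kubectl download at `curl -L -s https://dl.k8s.sio/release/stable.txt` has a typo in the host (`k8s.sio`), and because neither curl call uses `-f` the failed lookup yields an empty version, the second fetch saves whatever error document the server returns as `kubectl`, and the build still succeeds with a non-functional binary in `/usr/local/bin`. Even with the host fixed, fetching whatever `stable.txt` resolves to with no checksum makes the image non-reproducible and trusts the download path entirely; pin a version and verify the published `.sha256` as sketched below (and as far as this diff shows, `auditsweeper.py` never shells out to kubectl, so the install could be dropped altogether). `ADD . .` also copies everything in `auditsweeper/` into the image, which in this commit includes `local.properties` with a database password, so that file lands in a published image layer — `COPY` only `auditsweeper.py` and `requirements.txt`, or add a `.dockerignore`. The trailing `ENV db-server=`, `db-port=`, `db-su-user=`, `postgres-password=` lines do not match the names `auditsweeper.py` reads (`DB_HOST`, `DB_PORT`, `DB_SU_USER`, `POSTGRES_PASSWORD`, `LOG_AGE_DAYS`) and can be removed; `FROM python:3.9` should likewise be pinned to a patch tag or digest.
```dockerfile
# Copy only what the job needs; never the local credentials file.
COPY auditsweeper.py requirements.txt ./

# Pin kubectl and verify the published checksum instead of trusting whatever "stable" resolves to.
ARG KUBECTL_VERSION
RUN apt-get -y update && apt-get install -y --no-install-recommends curl ca-certificates \
 && curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \
 && curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" \
 && echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check \
 && install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl \
 && rm -f kubectl kubectl.sha256 && rm -rf /var/lib/apt/lists/* \
 && pip install --no-cache-dir -r requirements.txt \
 && chown -R ${container_user}:${container_user_group} /home/${container_user}
# … unchanged: USER, CMD …
```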
@@ -0,0 +1,87 @@ +import os +import sys +import configparser +import psycopg2 + +# This script performs a cleanup of old log entries from a PostgreSQL database. +# It is designed to be run as a Docker container via a cron job. + +def get_db_credentials(): + """ + Attempts to get database credentials from environment variables. + If not found, falls back to a local.properties file. + """ + # List of required variables + required_vars = [ + "db-host", "db-port", "db-su-user", + "postgres-password", "log-age-days" + ] + + env_vars = {var: os.getenv(var.upper().replace('-', '_')) for var in required_vars} + + # Check if all environment variables are set + if all(env_vars.values()): + print("Using credentials from environment variables.") + return env_vars + else: + print("One or more required environment variables are not set. Checking for local.properties...") + config = configparser.ConfigParser() + config_file = "local.properties" + + if not os.path.exists(config_file): + print(f"Error: Required variables not set and '{config_file}' not found.") + sys.exit(1) + + try: + # Read the properties file, assuming a single section + config.read_string(f"[DEFAULT]\n{open(config_file).read()}") + props = config['DEFAULT'] + + # Populate variables from the properties file + return {var: props.get(var) for var in required_vars} + except configparser.Error as e: + print(f"Error reading local.properties file: {e}") + sys.exit(1) + +def cleanup_db(config): + """ + Connects to the database and performs the cleanup operation. 
+ """ + db_name = "mosip_audit" + try: + conn = psycopg2.connect( + host=config["db-host"], + port=config["db-port"], + user=config["db-su-user"], + password=config["postgres-password"], + dbname=db_name + ) + cur = conn.cursor() + + print(f"Starting database cleanup for logs older than {config['log-age-days']} days...") + print(f"Connecting to DB: {config['db-su-user']}@{config['db-host']}:{config['db-port']}/{db_name}") + + # The core DELETE command + # Use a parameterized query for safety + delete_query = "DELETE FROM audit.app_audit_log WHERE log_dtimes < NOW() - INTERVAL %s" + interval_str = f"{config['log-age-days']} days" + + cur.execute(delete_query, (interval_str,)) + + # Get the number of rows deleted + rows_deleted = cur.rowcount + conn.commit() + + print(f"Successfully deleted {rows_deleted} rows.") + + except psycopg2.OperationalError as e: + print(f"Database connection or query failed: {e}") + sys.exit(1) + finally: + if 'conn' in locals() and conn: + conn.close() + +if __name__ == "__main__": + db_config = get_db_credentials() + cleanup_db(db_config) + print("Database cleanup script finished successfully.") \ No newline at end of file diff --git a/auditsweeper/local.properties b/auditsweeper/local.properties new file mode 100644 index 0000000..984fda7 --- /dev/null +++ b/auditsweeper/local.properties @@ -0,0 +1,5 @@ +db-host=postgres.dev1.mosip.net +db-port=5432 +db-su-user=postgres +postgres-password=HEdM***9ZXir7Tu2F +log-age-days=85 \ No newline at end of file diff --git a/auditsweeper/requirements.txt b/auditsweeper/requirements.txt new file mode 100644 index 0000000..ee92c0e --- /dev/null +++ b/auditsweeper/requirements.txt @@ -0,0 +1 @@ +psycopg2-binary==2.9.1 \ No newline at end of file diff --git a/deploy/auditsweeper/README.md b/deploy/auditsweeper/README.md new file mode 100644 index 0000000..8a6877c --- /dev/null +++ b/deploy/auditsweeper/README.md 
@@ -0,0 +1,18 @@ +# auditsweeper +Helm chart for installing auditsweeper + +## Introduction +It's a cronjob that goes through the audit table and cleans up the audit logs after a customisable no of days. + +## Install +* Review the `values.yaml` file and ensure that the database parameter values and log_age_days are set according to your environment +* RUN Install script +``` +./install.sh +``` + +# TL;DR +```console +$ helm repo add mosip https://mosip.github.io +$ helm install my-release mosip/auditsweeper +``` \ No newline at end of file diff --git a/deploy/auditsweeper/copy_cm.sh b/deploy/auditsweeper/copy_cm.sh new file mode 100644 index 0000000..e033860 --- /dev/null +++ b/deploy/auditsweeper/copy_cm.sh @@ -0,0 +1,26 @@ +#!/bin/bash +# Copy configmaps from other namespaces +# DST_NS: Destination (current) namespace + +function copying_cm() { + UTIL_URL=https://raw.githubusercontent.com/mosip/mosip-infra/master/deployment/v3/utils/copy_cm_func.sh + COPY_UTIL=./copy_cm_func.sh + + wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh + + DST_NS=auditsweeper + + $COPY_UTIL configmap global default $DST_NS + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +copying_cm # calling function + + + diff --git a/deploy/auditsweeper/copy_secrets.sh b/deploy/auditsweeper/copy_secrets.sh new file mode 100644 index 0000000..e1a4ddc --- /dev/null +++ b/deploy/auditsweeper/copy_secrets.sh 
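Review bot: `wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh` fetches an executable from the `master` branch of another repository at install time and runs it with the operator's kubeconfig, so whoever can change that branch (or intercept the download) runs code in your cluster. Pin `UTIL_URL` to a commit SHA rather than `master` and verify the file before executing it, e.g. `echo "<sha256>  copy_cm_func.sh" | sha256sum --check`, or vendor the helper into this repository. `set -e`/`set -o nounset` are enabled only after the function is defined, which works for the call order here, but `$UTIL_URL`, `$COPY_UTIL` and `$DST_NS` should still be quoted.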
@@ -0,0 +1,22 @@ +#!/bin/bash +# Copy secrets from other namespaces +# DST_NS: Destination namespace + +function copying_secrets() { + UTIL_URL=https://raw.githubusercontent.com/mosip/mosip-infra/master/deployment/v3/utils/copy_cm_func.sh + COPY_UTIL=./copy_cm_func.sh + + wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh + + DST_NS=auditsweeper + $COPY_UTIL secret postgres-postgresql postgres $DST_NS + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +copying_secrets # calling function diff --git a/deploy/auditsweeper/delete.sh b/deploy/auditsweeper/delete.sh new file mode 100644 index 0000000..c677338 --- /dev/null +++ b/deploy/auditsweeper/delete.sh @@ -0,0 +1,30 @@ +#!/bin/bash +# Uninstalls print service +## Usage: ./delete.sh [kubeconfig] + +if [ $# -ge 1 ] ; then + export KUBECONFIG=$1 +fi + +function deleting_auditsweeper() { + NS=auditsweeper + while true; do + read -p "Are you sure you want to delete print helm chart?(Y/n) " yn + if [ $yn = "Y" ] + then + helm -n $NS delete auditsweeper + break + else + break + fi + done + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +deleting_auditsweeper # calling function diff --git a/deploy/auditsweeper/install.sh b/deploy/auditsweeper/install.sh new file mode 100644 index 0000000..670f720 --- /dev/null +++ b/deploy/auditsweeper/install.sh 
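Review bot: `$COPY_UTIL secret postgres-postgresql postgres $DST_NS` copies the whole PostgreSQL chart secret — which holds the superuser password — into the `auditsweeper` namespace, so anyone who can read Secrets there, or exec into the cronjob pod, gets full control of the database. A retention job only needs `DELETE` on `audit.app_audit_log`; create a dedicated role for it and ship only that role's password in a secret scoped to this namespace. The same unpinned `wget … master` download as in `copy_cm.sh` is used here and should be pinned to a commit and checksummed.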
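Review bot: `if [ $yn = "Y" ]` leaves `$yn` unquoted, so with `set -e` active an empty answer (just pressing Enter) makes `[` fail on a missing operand and aborts the script with an error instead of cancelling cleanly; quote it as `if [ "$yn" = "Y" ]`. The header comment (`Uninstalls print service`) and the prompt (`delete print helm chart?`) were carried over from another chart and should name auditsweeper.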
@@ -0,0 +1,40 @@ +#!/bin/bash +# Installs sample print service +## Usage: ./restart.sh [kubeconfig] + +if [ $# -ge 1 ] ; then + export KUBECONFIG=$1 +fi + + +NS=auditsweeper +CHART_VERSION=0.0.1-develop + +echo Create $NS namespace +kubectl create ns $NS + +function installing_auditsweeper() { + echo Istio label + kubectl label ns $NS istio-injection=disabled --overwrite + helm repo update + + echo Copy configmaps + sed -i 's/\r$//' copy_cm.sh + ./copy_cm.sh + + echo Copy secrets + sed -i 's/\r$//' copy_secrets.sh + ./copy_secrets.sh + + echo Installing auditsweeper + helm -n $NS install auditsweeper mosip/auditsweeper -f values.yaml --wait --version $CHART_VERSION + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +installing_auditsweeper # calling function diff --git a/deploy/auditsweeper/values.yaml b/deploy/auditsweeper/values.yaml new file mode 100644 index 0000000..7d00ead --- /dev/null +++ b/deploy/auditsweeper/values.yaml @@ -0,0 +1,12 @@ + +crontime: "0 3 * * *" ## run cronjob every day at 3 AM (time hr: 0-23 ) + +auditsweeper: + configmaps: + db: + db-port: '5432' + db-su-user: 'postgres' + db-host: 'postgres.sandbox.mosip.net' + auditsweeper: + log-age-days: '90' + diff --git a/helm/auditsweeper/Chart.yaml b/helm/auditsweeper/Chart.yaml new file mode 100644 index 0000000..853618c --- /dev/null +++ b/helm/auditsweeper/Chart.yaml 
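Review bot: `db-su-user: 'postgres'` configures the retention cronjob to connect as the PostgreSQL superuser, while the script it drives only issues `DELETE FROM audit.app_audit_log`; pair this chart with a dedicated database role that has just `USAGE` on the `audit` schema and `DELETE` on that table, and put that role's name here, so a compromised job pod cannot read or alter anything else. `db-host: 'postgres.sandbox.mosip.net'` is an environment-specific default that already disagrees with the `dev1` host in `local.properties`; leaving it empty makes an unconfigured install fail fast instead of reaching the wrong database.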
@@ -0,0 +1,19 @@ +apiVersion: v2 +name: auditsweeper +description: A Helm chart to deploy auditsweeper +type: application +version: 0.0.1-develop +appVersion: "" +dependencies: + - name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x +home: https://mosip.io +keywords: + - mosip + - auditsweeper +maintainers: + - email: info@mosip.io + name: MOSIP diff --git a/helm/auditsweeper/README.md b/helm/auditsweeper/README.md new file mode 100644 index 0000000..4fd211b --- /dev/null +++ b/helm/auditsweeper/README.md @@ -0,0 +1,12 @@ +# mosipcertmanager +Helm chart for installing auditsweeper + +## Introduction +t's a cronjob that goes through the audit table and cleans up the audit logs after a customisable no of days. + +# TL;DR +```console +$ helm repo add mosip https://mosip.github.io +$ helm install my-release mosip/auditsweeper +``` + diff --git a/helm/auditsweeper/templates/NOTES.txt b/helm/auditsweeper/templates/NOTES.txt new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/helm/auditsweeper/templates/NOTES.txt @@ -0,0 +1 @@ + diff --git a/helm/auditsweeper/templates/_helpers.tpl b/helm/auditsweeper/templates/_helpers.tpl new file mode 100644 index 0000000..c7fab14 --- /dev/null +++ b/helm/auditsweeper/templates/_helpers.tpl 
@@ -0,0 +1,63 @@ +{{/* +Return the proper image name +*/}} +{{- define "auditsweeper.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "auditsweeper.volumePermissions.image" -}} +{{- include "common.images.image" ( dict "imageRoot" .Values.volumePermissions.image "global" .Values.global ) -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "auditsweeper.imagePullSecrets" -}} +{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.volumePermissions.image) "global" .Values.global) -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "auditsweeper.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (printf "%s-foo" (include "common.names.fullname" .)) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message. +*/}} +{{- define "auditsweeper.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "auditsweeper.validateValues.foo" .) -}} +{{- $messages := append $messages (include "auditsweeper.validateValues.bar" .) 
-}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message -}} +{{- end -}} +{{- end -}} + +{{/* +Return podAnnotations +*/}} +{{- define "auditsweeper.podAnnotations" -}} +{{- if .Values.podAnnotations }} +{{ include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) }} +{{- end }} +{{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} +{{ include "common.tplvalues.render" (dict "value" .Values.metrics.podAnnotations "context" $) }} +{{- end }} +{{- end -}} + +{{/* Create the name for restart cronjob */}} +{{- define "auditsweeper.cronjob" -}} +{{ default (printf "cronjob-%s" (include "common.names.fullname" .)) .Values.serviceAccount.name }} +{{- end -}} diff --git a/helm/auditsweeper/templates/clusterrole.yaml b/helm/auditsweeper/templates/clusterrole.yaml new file mode 100644 index 0000000..9a555c7 --- /dev/null +++ b/helm/auditsweeper/templates/clusterrole.yaml @@ -0,0 +1,8 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Release.Name }}-deployment-clusterrole +rules: + - apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "patch", "list", "watch"] \ No newline at end of file diff --git a/helm/auditsweeper/templates/clusterrolebinding.yaml b/helm/auditsweeper/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..742d997 --- /dev/null +++ b/helm/auditsweeper/templates/clusterrolebinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Name }}-deployment-clusterrolebinding +subjects: + - kind: ServiceAccount + name: {{ template "auditsweeper.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Release.Name }}-deployment-clusterrole + apiGroup: rbac.authorization.k8s.io \ No newline at end of file 
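Review bot: `auditsweeper.validateValues` includes `auditsweeper.validateValues.foo` and `auditsweeper.validateValues.bar`, which are defined nowhere in the chart, so the first template that calls it will fail to render; either add real validators (for example one that rejects an empty or non-numeric `log-age-days`) or delete the scaffold helper. `auditsweeper.serviceAccountName` defaults to `<fullname>-foo`, and `auditsweeper.cronjob` reuses `.Values.serviceAccount.name` as the CronJob name override, both leftovers from the template this was copied from; use `common.names.fullname` for the service account and a dedicated value (or the release fullname) for the CronJob name.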
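Review bot: This ClusterRole grants `get`, `patch`, `list` and `watch` on `deployments` in every namespace, and `clusterrolebinding.yaml` binds it to the job's service account, yet nothing in `auditsweeper.py` talks to the Kubernetes API — the job only runs a `DELETE` against PostgreSQL. The pair is copied from a restart-style cronjob and gives a pod that holds the database superuser password the ability to patch any Deployment in the cluster; drop both RBAC templates (or gate them on `rbac.create` with a namespace-scoped `Role`/`RoleBinding` only if a real need appears) and set `automountServiceAccountToken: false` on the pod.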
diff --git a/helm/auditsweeper/templates/configmaps.yaml b/helm/auditsweeper/templates/configmaps.yaml new file mode 100644 index 0000000..f7e85f8 --- /dev/null +++ b/helm/auditsweeper/templates/configmaps.yaml @@ -0,0 +1,21 @@ +{{- if .Values.auditsweeper.configmaps }} + {{- range $cm_name, $cm_value := .Values.auditsweeper.configmaps }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $cm_name }} + namespace: {{ $.Release.Namespace }} + labels: {{- include "common.labels.standard" $ | nindent 8 }} + {{- if $.Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 8 }} + {{- end }} +data: + {{- range $key, $value := $cm_value }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} \ No newline at end of file diff --git a/helm/auditsweeper/templates/cronjob.yaml b/helm/auditsweeper/templates/cronjob.yaml new file mode 100644 index 0000000..6d394c2 --- /dev/null +++ b/helm/auditsweeper/templates/cronjob.yaml 
@@ -0,0 +1,68 @@ +--- +apiVersion: {{ include "common.capabilities.cronjob.apiVersion" $ }} +kind: CronJob +metadata: + name: {{ template "auditsweeper.cronjob" $ }} + namespace: {{ .Release.Namespace }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + labels: {{- include "common.labels.standard" $ | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + +spec: + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 1 # remove jobs which are successfully executed + failedJobsHistoryLimit: 1 # except 1 recent failed job, remove jobs which are not successfully executed + #schedule: '*/3 * * * *' # cron spec of time + schedule: {{ .Values.crontime }} + jobTemplate: + spec: + backoffLimit: 0 # this has very low chance of failing, as all this does + # is prompt kubernetes to schedule new replica set for + # the deployment + # activeDeadlineSeconds: 600 # timeout, makes most sense with + # "waiting for rollout" variant specified below + template: + spec: + # account configured above + restartPolicy: Never + serviceAccountName: {{ template "auditsweeper.serviceAccountName" $ }} + containers: + - name: {{ template "auditsweeper.serviceAccountName" $ }} + image: {{ template "auditsweeper.image" $ }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tpvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.command }} + command: {{- include "common.tpvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.args 
}} + args: {{- include "common.tpvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: container_user + value: {{ .Values.containerSecurityContext.runAsUser }} + {{- if .Values.extraEnvVars }} + {{- include "common.tpvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + {{- range .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ . }} + {{- end }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + {{- range .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ . }} + {{- end }} + {{- end }} diff --git a/helm/auditsweeper/templates/extra-list.yaml b/helm/auditsweeper/templates/extra-list.yaml new file mode 100644 index 0000000..9ac65f9 --- /dev/null +++ b/helm/auditsweeper/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/helm/auditsweeper/templates/secrets.yaml b/helm/auditsweeper/templates/secrets.yaml new file mode 100644 index 0000000..83a2042 --- /dev/null +++ b/helm/auditsweeper/templates/secrets.yaml @@ -0,0 +1,21 @@ +{{- if .Values.auditsweeper.secrets }} +{{- range $secret_name, $secret_value := .Values.auditsweeper.secrets }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secret_name }} + namespace: {{ $.Release.Namespace }} + labels: {{- include "common.labels.standard" $ | nindent 8 }} + {{- if $.Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 8 }} + {{- end }} +type: Opaque +data: + {{- range $key, $value := $secret_value }} + {{ $key }}: {{ $value | b64enc | quote }} + {{- end }} +{{- end }} +{{- end }} 
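Review bot: The pod spec runs with the chart's `containerSecurityContext.enabled: false` default, no pod-level `securityContext`, and a mounted service-account token, so the container that holds the database superuser password gets no hardening beyond the image's `USER mosip`; enable the security context with an integer `runAsUser` (the values file currently sets the string `mosip`, which the API rejects), drop all capabilities and disable token automount as sketched below. Every optional block here calls `common.tpvalues.render` (missing `l`), which is not a helper in bitnami/common, so setting `lifecycleHooks`, `command`, `args` or `extraEnvVars` will break rendering — it should be `common.tplvalues.render` as used in `configmaps.yaml`. The comments on `backoffLimit` and `activeDeadlineSeconds` describe a deployment-restart job and no longer match this DELETE job; an `activeDeadlineSeconds` is worth setting so a hung DELETE does not hold a lock on the audit table indefinitely.
```yaml
        spec:
          restartPolicy: Never
          serviceAccountName: {{ template "auditsweeper.serviceAccountName" $ }}
          automountServiceAccountToken: false
          securityContext:
            runAsNonRoot: true
            runAsUser: 1001      # container_user_uid from the Dockerfile
            runAsGroup: 1001
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: {{ template "auditsweeper.serviceAccountName" $ }}
              image: {{ template "auditsweeper.image" $ }}
              imagePullPolicy: {{ .Values.image.pullPolicy }}
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop: ["ALL"]
              # … unchanged: lifecycle, command, args, env, envFrom …
```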
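Review bot: The `range` over `.Values.auditsweeper.secrets` emits one `apiVersion: v1` document per entry with no `---` separator (compare `configmaps.yaml`, which has one), so any values file that defines two secrets produces invalid YAML and the install fails; add `---` as the first line inside the range. The template also means database passwords would be supplied as plaintext in `values.yaml` and stored in the Helm release record; prefer referencing an existing Secret (as `extraEnvVarsSecret: postgres-postgresql` already does) and leave this template unused unless the value is deliberately sourced from an external secret manager.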
diff --git a/helm/auditsweeper/templates/service-account.yaml b/helm/auditsweeper/templates/service-account.yaml new file mode 100644 index 0000000..f3aa762 --- /dev/null +++ b/helm/auditsweeper/templates/service-account.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "auditsweeper.serviceAccountName" . }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} diff --git a/helm/auditsweeper/values.yaml b/helm/auditsweeper/values.yaml new file mode 100644 index 0000000..ededf2c --- /dev/null +++ b/helm/auditsweeper/values.yaml 
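Review bot: The ServiceAccount is created without `automountServiceAccountToken: false`, so every cronjob pod receives an API token, and with `clusterrolebinding.yaml` that token can patch Deployments cluster-wide even though the job never calls the Kubernetes API. Add `automountServiceAccountToken: false` at the top level of the ServiceAccount (beside `metadata`) so a token is only mounted if a future version explicitly opts in.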
@@ -0,0 +1,374 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +# global: +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Add labels to all the deployed resources +## +commonLabels: + app.kubernetes.io/component: mosip + +## Add annotations to all the deployed resources +## +commonAnnotations: {} + +## Kubernetes Cluster Domain +## +clusterDomain: cluster.local + +## Extra objects to deploy (value evaluated as a template) +## +extraDeploy: [] + +## Number of nodes +## +replicaCount: 1 + +service: + type: ClusterIP + port: 80 + ## loadBalancerIP for the SuiteCRM Service (optional, cloud specific) + ## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer + ## + ## loadBalancerIP: + ## + ## nodePorts: + ## http: + ## https: + ## + nodePorts: + http: "" + https: "" + ## Enable client source IP preservation + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + +image: + registry: docker.io + repository: mosipqa/auditsweeper + tag: develop + + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + +## Port on which this particular spring service module is running. 
+# springServicePort: 8083 + +## Configure extra options for liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## + +## +# existingConfigmap: + +## Command and args for running the container (set to default if not set). Use array form +## +command: [] +args: [] + +## Deployment pod host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] + +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +# resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + ## cpu: 1000m + ## memory: 3500Mi + # requests: + ## cpu: 1000m + # memory: 3500Mi + +additionalResources: + ## Specify any JAVA_OPTS string here. 
These typically will be specified in conjunction with above resources + ## Example: java_opts: "-Xms500M -Xmx500M" + javaOpts: "-Xms2600M -Xmx2600M" + +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## Clamav container already runs as 'mosip' user, so we may not need to enable this +containerSecurityContext: + enabled: false + runAsUser: mosip + runAsNonRoot: true + +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## +podSecurityContext: + enabled: false + fsGroup: 1001 + +## Pod affinity preset +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## Allowed values: soft, hard +## +podAffinityPreset: "" + +## Pod anti-affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## Allowed values: soft, hard +## +podAntiAffinityPreset: soft + +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## Allowed values: soft, hard +## +nodeAffinityPreset: + ## Node affinity type + ## Allowed values: soft, hard + ## + type: "" + ## Node label key to match + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## Node label values to match + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + +## Affinity for pod assignment. Evaluated as a template. +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} + +## Node labels for pod assignment. Evaluated as a template. +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## Tolerations for pod assignment. Evaluated as a template. 
+## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] + +## Pod extra labels +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} + +## Annotations for server pods. +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} + +## pods' priority. +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +# priorityClassName: "" + +## lifecycleHooks for the container to automate configuration before or after startup. +## +lifecycleHooks: {} + +## Custom Liveness probes for +## +customLivenessProbe: {} + +## Custom Rediness probes +## +customReadinessProbe: {} + +## Update strategy - only really applicable for deployments with RWO PVs attached +## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the +## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will +## terminate the single previous pod, so that the new, incoming pod can attach to the PV +## +updateStrategy: + type: RollingUpdate + +## Additional environment variables to set +## Example: +## extraEnvVars: +## - name: FOO +## value: "bar" +## +extraEnvVars: [] + +## ConfigMap with extra environment variables +## +extraEnvVarsCM: + - global + - db + - log-age-days +## Secret with extra environment variables +## +extraEnvVarsSecret: + - postgres-postgresql + +## Extra volumes to add to the deployment +## +extraVolumes: [] + +## Extra volume mounts to add to the container +## +extraVolumeMounts: [] + +## Add init containers to the pods. +## Example: +## initContainers: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## + +## Add sidecars to the pods. 
+## Example: +## sidecars: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +sidecars: {} + + +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: "10" + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + pullSecrets: [] + ## - myRegistryKeySecretName + ## Init containers' resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## + limits: {} + ## cpu: 100m + ## memory: 128Mi + ## + requests: {} + ## cpu: 100m + ## memory: 128Mi + ## + +## Specifies whether RBAC resources should be created +## +rbac: + create: true + +## Specifies whether a ServiceAccount should be created +## +serviceAccount: + create: true + ## The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the fullname template + ## + name: + +## Prometheus Metrics +## +metrics: + enabled: false + ## Prometheus pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: + prometheus.io/scrape: "true" + + endpointPath: + + ## Prometheus Service Monitor + ## ref: https://github.com/coreos/prometheus-operator + ## + serviceMonitor: + ## If the operator is installed in your cluster, set to true to create a Service Monitor Entry + ## + enabled: true + ## Specify the namespace in which the serviceMonitor resource will be created + ## + # namespace: "" + ## Specify the interval at which metrics should be scraped + ## + interval: 10s + ## Specify the timeout after which the scrape is ended + ## + # scrapeTimeout: 30s + ## Specify Metric Relabellings to add to the scrape endpoint + ## + # relabellings: + ## Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + ## + additionalLabels: {} + + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + enabled: false + additionalLabels: {} + namespace: '' + ## List of rules, used as template by Helm. + ## These are just examples rules inspired from https://awesome-prometheus-alerts.grep.to/rules.html + # rules: + # - alert: RabbitmqDown + # expr: rabbitmq_up{service="{{ template "rabbitmq.fullname" . }}"} == 0 + # for: 5m + # labels: + # severity: error + rules: [] + +## Admin swagger should have only internal access. 
Hence linked to internal gateway + +crontime: "0 3 * * *" ## run cronjob every day at 3 AM (time hr: 0-23 ) + +auditsweeper: + configmaps: + db: + db-port: '5432' + db-su-user: 'postgres' + db-host: 'postgres.sandbox.mosip.net' + auditsweeper: + log-age-days: '90' + +enable_insecure: false
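Review bot: `extraEnvVarsCM` lists `global`, `db` and `log-age-days`, but the ConfigMap that `auditsweeper.configmaps` creates for the retention setting is named `auditsweeper`, so the pod references a `log-age-days` ConfigMap that does not exist and the job cannot start (and if it were made optional, `LOG_AGE_DAYS` would simply never be set); make the two names agree. `containerSecurityContext.enabled: false` with `runAsUser: mosip` leaves the container unhardened and, once enabled, fails API validation because `runAsUser` must be an integer — set `enabled: true`, `runAsUser: 1001` (the UID the Dockerfile creates) and add `allowPrivilegeEscalation: false`. `image.tag: develop` with `pullPolicy: Always` means each nightly run pulls whatever that tag points to at 3 AM; an immutable tag or digest is the only way to know which code deleted audit rows. Most remaining keys (`service`, `replicaCount`, `updateStrategy`, `javaOpts`, the probes, `metrics.serviceMonitor.enabled: true`, `enable_insecure`) are not used by any template and the `Admin swagger` comment is a copy-paste leftover; trimming them removes misleading knobs.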