Merge branch 'master' into feat/externaldns

.github/workflows/readme.yml

@@ -35,8 +35,7 @@ jobs:
 
       - name: Generate TF Docs
         uses: terraform-docs/[email protected]
-        with:
-          working-dir: addons/cluster-autoscaler,addons/cert-manager,addons/ingress-nginx,addons/keda,addons/reloader,addons/external-dns
+          working-dir: addons/cluster-autoscaler,addons/cert-manager,addons/ingress-nginx,addons/keda,addons/reloader,addons/kubeclarity,addons/external-dns
           git-push: true
           template: |-
             <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

README.md

@@ -140,6 +140,9 @@ Here are some examples of how you can use this module in your inventory structur
 | keda | Enable Keda add-on | `bool` | `false` | no |
 | keda\_extra\_configs | Override attributes of helm\_release terraform resource | `any` | `{}` | no |
 | keda\_helm\_config | Path to override-values.yaml for Keda Helm Chart | `any` | `null` | no |
+| kubeclarity | Enable Kubeclarity add-on | `bool` | `false` | no |
+| kubeclarity\_extra\_configs | Override attributes of helm\_release terraform resource | `any` | `{}` | no |
+| kubeclarity\_helm\_config | Path to override-values.yaml for Kubeclarity Helm Chart | `any` | `null` | no |
 | project\_id | GCP project ID | `string` | n/a | yes |
 | region | cluster region | `string` | `""` | no |
 | reloader | Enable Reloader add-on | `bool` | `false` | no |
@@ -153,6 +156,7 @@ Here are some examples of how you can use this module in your inventory structur
 | certification\_manager\_chart\_version | Chart version of the certification-manager Helm Chart. |
 | certification\_manager\_namespace | The namespace where certification-manager is deployed. |
 | certification\_manager\_repository | Helm chart repository of the certification-manager. |
+| chart\_version | n/a |
 | cluster\_autoscaler\_chart\_version | chart version used for cluster-autoscaler helmchart |
 | cluster\_autoscaler\_namespace | Namespace where cluster-autoscaler is installed |
 | cluster\_autoscaler\_repository | helm repository url of cluster-autoscaler |
@@ -162,9 +166,11 @@ Here are some examples of how you can use this module in your inventory structur
 | keda\_chart\_version | chart version used for keda helmchart |
 | keda\_namespace | Namespace where keda is installed |
 | keda\_repository | helm repository url of keda |
+| namespace | -----------Kubeclarity------------------- |
 | reloader\_chart\_version | Chart version of the reloader Helm Chart. |
 | reloader\_namespace | The namespace where reloader is deployed. |
 | reloader\_repository | Helm chart repository of the reloader. |
+| repository | n/a |
 
 
 

_examples/basic/main.tf

@@ -192,10 +192,11 @@ module "addons" {
   project_id       = local.gcp_project_id
   region           = local.region
 
-  cluster_autoscaler    = false
-  reloader              = false
-  ingress_nginx         = false
-  certification_manager = false
-  keda                  = false
+  cluster_autoscaler    = true
+  reloader              = true
+  ingress_nginx         = true
+  certification_manager = true
+  keda                  = true
+  kubeclarity           = true
   external_dns          = true
 }

_examples/complete/config/override-kubeclarity.yaml

@@ -0,0 +1,22 @@
+
+kubeclarity:
+  resources:
+    limits:
+      memory: "500Mi"
+      cpu: "200m"
+    requests:
+      memory: "200Mi"
+      cpu: "100m"
+
+  podAnnotations:
+    co.elastic.logs/enabled: "true"
+
+
+# Be careful when using ingress. As there is no authentication on Kubeclarity yet, your instance may be accessible.
+# Make sure the ingress remains internal if you decide to enable it.
+  service:
+    type: LoadBalancer
+    port: 80
+    annotations: {}
+      # service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+      # service.beta.kubernetes.io/aws-load-balancer-name: "kubeclarity"

_examples/complete/main.tf

@@ -197,7 +197,8 @@ module "addons" {
   ingress_nginx         = false
   certification_manager = false
   keda                  = false
-  external_dns          = true
+  external_dns          = false
+  kubeclarity           = false
 
   # -- Path of override-values.yaml file
   cluster_autoscaler_helm_config    = { values = [file("./config/override-cluster-autoscaler.yaml")] }
@@ -206,6 +207,7 @@ module "addons" {
   certification_manager_helm_config = { values = [file("./config/override-certification-manager.yaml")] }
   keda_helm_config                  = { values = [file("./config/keda/override-keda.yaml")] }
   external_dns_helm_config          = { values = [file("./config/override-external-dns.yaml")] }
+  kubeclarity_helm_config           = { values = [file("./config/override-kubeclarity.yaml")] }
 
   # -- Override Helm Release attributes
   cluster_autoscaler_extra_configs    = var.cluster_autoscaler_extra_configs
@@ -214,4 +216,5 @@ module "addons" {
   certification_manager_extra_configs = var.certification_manager_extra_configs
   keda_extra_configs                  = var.keda_extra_configs
   external_dns_extra_configs          = var.external_dns_extra_configs
+  kubeclarity_extra_configs           = var.kubeclarity_extra_configs
 }

_examples/complete/variables.tf

@@ -37,3 +37,8 @@ variable "external_dns_extra_configs" {
   type    = any
   default = {}
 }
+#-------------------KUBECLARITY-------------------------------------------------
+variable "kubeclarity_extra_configs" {
+  type    = any
+  default = {}
+}

addons/kubeclarity/README.md

@@ -0,0 +1,64 @@
+# Kubeclarity Helm Chart
+
+KubeClarity is a tool for detecting and managing Software Bill of Materials (SBOM) and vulnerabilities of container images and filesystems. It scans runtime Kubernetes clusters and CI/CD pipelines to generate SBOM documents and vulnerability reports for enhanced software supply chain security. 
+
+## Installation
+Below terraform script shows how to use Reloader Terraform Addon, A complete example is also given [here](https://github.com/clouddrove/terraform-google-gke-addons/blob/master/_examples/complete/main.tf).
+
+```bash
+module "addons" {
+  source = "git::https://github.dev/clouddrove/terraform-google-gke-addons"
+
+  depends_on       = [module.gke]
+  gke_cluster_name = module.gke.name
+  project_id       = local.gcp_project_id
+  region           = local.region
+
+  reloader = true
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | >= 5.10.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.10 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_helm_addon"></a> [helm\_addon](#module\_helm\_addon) | ../helm | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_helm_config"></a> [helm\_config](#input\_helm\_config) | Helm provider config for Metrics Server | `any` | `{}` | no |
+| <a name="input_kubeclarity_extra_configs"></a> [kubeclarity\_extra\_configs](#input\_kubeclarity\_extra\_configs) | Override attributes of helm\_release terraform resource | `any` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_chart_version"></a> [chart\_version](#output\_chart\_version) | n/a |
+| <a name="output_namespace"></a> [namespace](#output\_namespace) | n/a |
+| <a name="output_repository"></a> [repository](#output\_repository) | n/a |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Note:
+
+- For check vulnerabilities of container images and filesystems using `kubeclarity` ``dashboard`` go on Runtime-scan on Dashboard and filter out as per namespace you want.
+
+![image](https://github.com/clouddrove/terraform-google-gke-addons/assets/116706588/f0354df3-cb7e-4db8-84ae-d8bd0116151e)

addons/kubeclarity/config/kubeclarity.yaml

@@ -0,0 +1,22 @@
+## Using limits and requests
+kubeclarity:
+  resources:
+    limits:
+      memory: "500Mi"
+      cpu: "200m"
+    requests:
+      memory: "200Mi"
+      cpu: "100m"
+
+  podAnnotations:
+    co.elastic.logs/enabled: "true"
+
+
+# Be careful when using ingress. As there is no authentication on Kubeclarity yet, your instance may be accessible.
+# Make sure the ingress remains internal if you decide to enable it.
+  service:
+    type: LoadBalancer
+    port: 80
+    annotations: {}
+      # service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+      # service.beta.kubernetes.io/aws-load-balancer-name: "kubeclarity"

addons/kubeclarity/locals.tf

@@ -0,0 +1,41 @@
+locals {
+  name = "kubeclarity"
+
+  default_helm_config = {
+    name                       = try(var.kubeclarity_extra_configs.name, local.name)
+    chart                      = try(var.kubeclarity_extra_configs.chart, local.name)
+    repository                 = try(var.kubeclarity_extra_configs.repository, "https://openclarity.github.io/kubeclarity")
+    version                    = try(var.kubeclarity_extra_configs.version, "v2.23.0")
+    namespace                  = try(var.kubeclarity_extra_configs.namespace, "kubeclarity")
+    create_namespace           = try(var.kubeclarity_extra_configs.create_namespace, true)
+    description                = "Kubeclarity helm Chart deployment configuration"
+    timeout                    = try(var.kubeclarity_extra_configs.timeout, "600")
+    lint                       = try(var.kubeclarity_extra_configs.lint, "false")
+    repository_key_file        = try(var.kubeclarity_extra_configs.repository_key_file, "")
+    repository_cert_file       = try(var.kubeclarity_extra_configs.repository_cert_file, "")
+    repository_username        = try(var.kubeclarity_extra_configs.repository_username, "")
+    repository_password        = try(var.kubeclarity_extra_configs.repository_password, "")
+    verify                     = try(var.kubeclarity_extra_configs.verify, "false")
+    keyring                    = try(var.kubeclarity_extra_configs.keyring, "")
+    disable_webhooks           = try(var.kubeclarity_extra_configs.disable_webhooks, "false")
+    reuse_values               = try(var.kubeclarity_extra_configs.reuse_values, "false")
+    reset_values               = try(var.kubeclarity_extra_configs.reset_values, "false")
+    force_update               = try(var.kubeclarity_extra_configs.force_update, "false")
+    recreate_pods              = try(var.kubeclarity_extra_configs.recreate_pods, "false")
+    cleanup_on_fail            = try(var.kubeclarity_extra_configs.cleanup_on_fail, "false")
+    max_history                = try(var.kubeclarity_extra_configs.max_history, "0")
+    atomic                     = try(var.kubeclarity_extra_configs.atomic, "false")
+    skip_crds                  = try(var.kubeclarity_extra_configs.skip_crds, "false")
+    render_subchart_notes      = try(var.kubeclarity_extra_configs.render_subchart_notes, "true")
+    disable_openapi_validation = try(var.kubeclarity_extra_configs.disable_openapi_validation, "false")
+    wait                       = try(var.kubeclarity_extra_configs.wait, "true")
+    wait_for_jobs              = try(var.kubeclarity_extra_configs.wait_for_jobs, "false")
+    dependency_update          = try(var.kubeclarity_extra_configs.dependency_update, "false")
+    replace                    = try(var.kubeclarity_extra_configs.replace, "false")
+  }
+
+  helm_config = merge(
+    local.default_helm_config,
+    var.helm_config,
+  )
+}

addons/kubeclarity/main.tf

@@ -0,0 +1,4 @@
+module "helm_addon" {
+  source      = "../helm"
+  helm_config = local.helm_config
+}

addons/kubeclarity/outputs.tf

@@ -0,0 +1,11 @@
+output "namespace" {
+  value = local.default_helm_config.namespace
+}
+
+output "chart_version" {
+  value = local.default_helm_config.version
+}
+
+output "repository" {
+  value = local.default_helm_config.repository
+}

addons/kubeclarity/variables.tf

@@ -0,0 +1,11 @@
+variable "helm_config" {
+  description = "Helm provider config for Metrics Server"
+  type        = any
+  default     = {}
+}
+
+variable "kubeclarity_extra_configs" {
+  description = "Override attributes of helm_release terraform resource"
+  type        = any
+  default     = {}
+}

addons/kubeclarity/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 5.10.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.10"
+    }
+  }
+}

main.tf

@@ -41,4 +41,10 @@ module "external_dns" {
   project_id                 = var.project_id
   external_dns_extra_configs = var.external_dns_extra_configs
   helm_config                = var.external_dns_helm_config != null ? var.external_dns_helm_config : { values = [local_file.external_dns_helm_config[count.index].content] }
+
+module "kubeclarity" {
+  source                    = "./addons/kubeclarity"
+  count                     = var.kubeclarity ? 1 : 0
+  helm_config               = var.kubeclarity_helm_config != null ? var.kubeclarity_helm_config : { values = [local_file.kubeclarity_helm_config[count.index].content] }
+  kubeclarity_extra_configs = var.kubeclarity_extra_configs
 }

outputs.tf

@@ -67,3 +67,17 @@ output "keda_repository" {
   value       = module.keda[*].repository
   description = "helm repository url of keda"
 }
+
+#-----------Kubeclarity-------------------
+output "namespace" {
+  value = module.kubeclarity[*].namespace
+}
+
+output "chart_version" {
+  value = module.kubeclarity[*].chart_version
+}
+
+output "repository" {
+  value = module.kubeclarity[*].repository
+}
+

override_values.tf

@@ -198,4 +198,34 @@ affinity:
           - "critical"
   EOT
   filename = "${path.module}/override_values/external_dns.yaml"
+
+#----------------------- KUBECLARITY ------------------------------
+resource "local_file" "kubeclarity_helm_config" {
+  count    = var.kubeclarity && (var.kubeclarity_helm_config == null) ? 1 : 0
+  content  = <<EOT
+## Using limits and requests
+kubeclarity:
+  resources:
+    limits:
+      memory: "500Mi"
+      cpu: "200m"
+    requests:
+      memory: "200Mi"
+      cpu: "100m"
+
+  podAnnotations:
+    co.elastic.logs/enabled: "true"
+
+
+# Be careful when using ingress. As there is no authentication on Kubeclarity yet, your instance may be accessible.
+# Make sure the ingress remains internal if you decide to enable it.
+  service:
+    type: LoadBalancer
+    port: 80
+    annotations: {}
+      # service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+      # service.beta.kubernetes.io/aws-load-balancer-name: "kubeclarity"
+
+  EOT
+  filename = "${path.module}/override_values/kubeclarity.yaml"
 }

variables.tf

@@ -129,4 +129,23 @@ variable "external_dns_extra_configs" {
   description = "Override attributes of helm_release terraform resource"
   type        = any
   default     = {}
+}
+
+#-----------KUBECLARITY---------------------------
+variable "kubeclarity" {
+  description = "Enable Kubeclarity add-on"
+  type        = bool
+  default     = false
+}
+
+variable "kubeclarity_helm_config" {
+  description = "Path to override-values.yaml for Kubeclarity Helm Chart"
+  type        = any
+  default     = null
+}
+
+variable "kubeclarity_extra_configs" {
+  description = "Override attributes of helm_release terraform resource"
+  type        = any
+  default     = {}
 }