clouddrove · clouddrove-ci · Jan 30, 2024 · Jan 29, 2024 · Jan 29, 2024 · Jan 29, 2024
@@ -36,7 +36,7 @@ jobs:
       - name: Generate TF Docs
         uses: terraform-docs/[email protected]
         with:
-          working-dir: addons/cluster-autoscaler,addons/cert-manager,addons/ingress-nginx,addons/keda,addons/reloader
+          working-dir: addons/cluster-autoscaler,addons/cert-manager,addons/ingress-nginx,addons/keda,addons/reloader,addons/kubeclarity
           git-push: true
           template: |-
             <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

@@ -197,4 +197,6 @@ module "addons" {
   ingress_nginx         = true
   certification_manager = true
   keda                  = true
+  kubeclarity           = true
+
 }
@@ -0,0 +1,22 @@
+
+kubeclarity:
+  resources:
+    limits:
+      memory: "500Mi"
+      cpu: "200m"
+    requests:
+      memory: "200Mi"
+      cpu: "100m"
+
+  podAnnotations:
+    co.elastic.logs/enabled: "true"
+
+
+# Be careful when using ingress. As there is no authentication on Kubeclarity yet, your instance may be accessible.
+# Make sure the ingress remains internal if you decide to enable it.
+  service:
+    type: LoadBalancer
+    port: 80
+    annotations: {}
+      # service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+      # service.beta.kubernetes.io/aws-load-balancer-name: "kubeclarity"
@@ -197,18 +197,23 @@ module "addons" {
   ingress_nginx         = false
   certification_manager = false
   keda                  = false
+  kubeclarity           = false
+
 
   # -- Path of override-values.yaml file
   cluster_autoscaler_helm_config    = { values = [file("./config/override-cluster-autoscaler.yaml")] }
   reloader_helm_config              = { values = [file("./config/reloader/override-reloader.yaml")] }
   ingress_nginx_helm_config         = { values = [file("./config/override-ingress-nginx.yaml")] }
   certification_manager_helm_config = { values = [file("./config/override-certification-manager.yaml")] }
   keda_helm_config                  = { values = [file("./config/keda/override-keda.yaml")] }
+  kubeclarity_helm_config           = { values = [file("./config/override-kubeclarity.yaml")] }
+
 
   # -- Override Helm Release attributes
   cluster_autoscaler_extra_configs    = var.cluster_autoscaler_extra_configs
   reloader_extra_configs              = var.reloader_extra_configs
   ingress_nginx_extra_configs         = var.ingress_nginx_extra_configs
   certification_manager_extra_configs = var.certification_manager_extra_configs
   keda_extra_configs                  = var.keda_extra_configs
+  kubeclarity_extra_configs           = var.kubeclarity_extra_configs
 }
@@ -31,3 +31,9 @@ variable "keda_extra_configs" {
   type    = any
   default = {}
 }
+
+#-------------------KUBECLARITY-------------------------------------------------
+variable "kubeclarity_extra_configs" {
+  type    = any
+  default = {}
+}
@@ -0,0 +1,65 @@
+# Kubeclarity Helm Chart
+
+KubeClarity is a tool for detecting and managing Software Bill of Materials (SBOM) and vulnerabilities of container images and filesystems. It scans runtime Kubernetes clusters and CI/CD pipelines to generate SBOM documents and vulnerability reports for enhanced software supply chain security. 
+
+## Installation
+Below terraform script shows how to use Reloader Terraform Addon, A complete example is also given [here](https://github.com/clouddrove/terraform-google-gke-addons/blob/master/_examples/complete/main.tf).
+
+```bash
+module "addons" {
+  source = "git::https://github.dev/clouddrove/terraform-google-gke-addons"
+
+  depends_on       = [module.gke]
+  gke_cluster_name = module.gke.name
+  project_id       = local.gcp_project_id
+  region           = local.region
+
+  reloader = true
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | >= 5.10.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.10 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_helm_addon"></a> [helm\_addon](#module\_helm\_addon) | ../helm | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_helm_config"></a> [helm\_config](#input\_helm\_config) | Helm provider config for Cluster Autoscaler | `any` | `{}` | no |
+| <a name="input_reloader_extra_configs"></a> [kubeclarity\_extra\_configs](#input\_kubeclarity\_extra\_configs) | Override attributes of helm\_release terraform resource | `any` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_chart_version"></a> [chart\_version](#output\_chart\_version) | n/a |
+| <a name="output_namespace"></a> [namespace](#output\_namespace) | n/a |
+| <a name="output_repository"></a> [repository](#output\_repository) | n/a |
+| <a name="output_service_account"></a> [service\_account](#output\_service\_account) | n/a |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Note:
+
+- For check vulnerabilities of container images and filesystems using `kubeclarity` ``dashboard`` go on Runtime-scan on Dashboard and filter out as per namespace you want.
+
+![image](https://github.com/clouddrove/terraform-google-gke-addons/assets/116706588/f0354df3-cb7e-4db8-84ae-d8bd0116151e)
@@ -0,0 +1,22 @@
+## Using limits and requests
+kubeclarity:
+  resources:
+    limits:
+      memory: "500Mi"
+      cpu: "200m"
+    requests:
+      memory: "200Mi"
+      cpu: "100m"
+
+  podAnnotations:
+    co.elastic.logs/enabled: "true"
+
+
+# Be careful when using ingress. As there is no authentication on Kubeclarity yet, your instance may be accessible.
+# Make sure the ingress remains internal if you decide to enable it.
+  service:
+    type: LoadBalancer
+    port: 80
+    annotations: {}
+      # service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+      # service.beta.kubernetes.io/aws-load-balancer-name: "kubeclarity"
@@ -0,0 +1,41 @@
+locals {
+  name = "kubeclarity"
+
+  default_helm_config = {
+    name                       = try(var.kubeclarity_extra_configs.name, local.name)
+    chart                      = try(var.kubeclarity_extra_configs.chart, local.name)
+    repository                 = try(var.kubeclarity_extra_configs.repository, "https://openclarity.github.io/kubeclarity")
+    version                    = try(var.kubeclarity_extra_configs.version, "v2.23.0")
+    namespace                  = try(var.kubeclarity_extra_configs.namespace, "kubeclarity")
+    create_namespace           = try(var.kubeclarity_extra_configs.create_namespace, true)
+    description                = "Kubeclarity helm Chart deployment configuration"
+    timeout                    = try(var.kubeclarity_extra_configs.timeout, "600")
+    lint                       = try(var.kubeclarity_extra_configs.lint, "false")
+    repository_key_file        = try(var.kubeclarity_extra_configs.repository_key_file, "")
+    repository_cert_file       = try(var.kubeclarity_extra_configs.repository_cert_file, "")
+    repository_username        = try(var.kubeclarity_extra_configs.repository_username, "")
+    repository_password        = try(var.kubeclarity_extra_configs.repository_password, "")
+    verify                     = try(var.kubeclarity_extra_configs.verify, "false")
+    keyring                    = try(var.kubeclarity_extra_configs.keyring, "")
+    disable_webhooks           = try(var.kubeclarity_extra_configs.disable_webhooks, "false")
+    reuse_values               = try(var.kubeclarity_extra_configs.reuse_values, "false")
+    reset_values               = try(var.kubeclarity_extra_configs.reset_values, "false")
+    force_update               = try(var.kubeclarity_extra_configs.force_update, "false")
+    recreate_pods              = try(var.kubeclarity_extra_configs.recreate_pods, "false")
+    cleanup_on_fail            = try(var.kubeclarity_extra_configs.cleanup_on_fail, "false")
+    max_history                = try(var.kubeclarity_extra_configs.max_history, "0")
+    atomic                     = try(var.kubeclarity_extra_configs.atomic, "false")
+    skip_crds                  = try(var.kubeclarity_extra_configs.skip_crds, "false")
+    render_subchart_notes      = try(var.kubeclarity_extra_configs.render_subchart_notes, "true")
+    disable_openapi_validation = try(var.kubeclarity_extra_configs.disable_openapi_validation, "false")
+    wait                       = try(var.kubeclarity_extra_configs.wait, "true")
+    wait_for_jobs              = try(var.kubeclarity_extra_configs.wait_for_jobs, "false")
+    dependency_update          = try(var.kubeclarity_extra_configs.dependency_update, "false")
+    replace                    = try(var.kubeclarity_extra_configs.replace, "false")
+  }
+
+  helm_config = merge(
+    local.default_helm_config,
+    var.helm_config,
+  )
+}
@@ -0,0 +1,4 @@
+module "helm_addon" {
+  source      = "../helm"
+  helm_config = local.helm_config
+}
@@ -0,0 +1,11 @@
+output "namespace" {
+  value = local.default_helm_config.namespace
+}
+
+output "chart_version" {
+  value = local.default_helm_config.version
+}
+
+output "repository" {
+  value = local.default_helm_config.repository
+}
@@ -0,0 +1,11 @@
+variable "helm_config" {
+  description = "Helm provider config for Metrics Server"
+  type        = any
+  default     = {}
+}
+
+variable "kubeclarity_extra_configs" {
+  description = "Override attributes of helm_release terraform resource"
+  type        = any
+  default     = {}
+}
@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 5.10.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.10"
+    }
+  }
+}
@@ -35,3 +35,10 @@ module "keda" {
   keda_extra_configs = var.keda_extra_configs
   helm_config        = var.keda_helm_config != null ? var.keda_helm_config : { values = [local_file.keda_helm_config[count.index].content] }
 }
+
+module "kubeclarity" {
+  source                    = "./addons/kubeclarity"
+  count                     = var.kubeclarity ? 1 : 0
+  helm_config               = var.kubeclarity_helm_config != null ? var.kubeclarity_helm_config : { values = [local_file.kubeclarity_helm_config[count.index].content] }
+  kubeclarity_extra_configs = var.kubeclarity_extra_configs
+}
@@ -67,3 +67,17 @@ output "keda_repository" {
   value       = module.keda[*].repository
   description = "helm repository url of keda"
 }
+
+#-----------Kubeclarity-------------------
+output "namespace" {
+  value = module.kubeclarity[*].namespace
+}
+
+output "chart_version" {
+  value = module.kubeclarity[*].chart_version
+}
+
+output "repository" {
+  value = module.kubeclarity[*].repository
+}
+
@@ -162,4 +162,35 @@ resourc_helm_configes:
     memory: 128Mi
   EOT
   filename = "${path.module}/override_values/keda.yaml"
-}
+}
+
+#----------------------- KUBECLARITY ------------------------------
+resource "local_file" "kubeclarity_helm_config" {
+  count    = var.kubeclarity && (var.kubeclarity_helm_config == null) ? 1 : 0
+  content  = <<EOT
+## Using limits and requests
+kubeclarity:
+  resources:
+    limits:
+      memory: "500Mi"
+      cpu: "200m"
+    requests:
+      memory: "200Mi"
+      cpu: "100m"
+
+  podAnnotations:
+    co.elastic.logs/enabled: "true"
+
+
+# Be careful when using ingress. As there is no authentication on Kubeclarity yet, your instance may be accessible.
+# Make sure the ingress remains internal if you decide to enable it.
+  service:
+    type: LoadBalancer
+    port: 80
+    annotations: {}
+      # service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+      # service.beta.kubernetes.io/aws-load-balancer-name: "kubeclarity"
+
+  EOT
+  filename = "${path.module}/override_values/kubeclarity.yaml"
+}
@@ -110,4 +110,23 @@ variable "keda_extra_configs" {
   description = "Override attributes of helm_release terraform resource"
   type        = any
   default     = {}
+}
+
+#-----------KUBECLARITY---------------------------
+variable "kubeclarity" {
+  description = "Enable Kubeclarity add-on"
+  type        = bool
+  default     = false
+}
+
+variable "kubeclarity_helm_config" {
+  description = "Path to override-values.yaml for Kubeclarity Helm Chart"
+  type        = any
+  default     = null
+}
+
+variable "kubeclarity_extra_configs" {
+  description = "Override attributes of helm_release terraform resource"
+  type        = any
+  default     = {}
 }