From e3768f7dc727dc61444850a63d795484ed321a4a Mon Sep 17 00:00:00 2001 From: Dustin Decker Date: Thu, 12 Sep 2024 07:54:16 -0700 Subject: [PATCH] =?UTF-8?q?Add=20VerticalPodAutoscaler,=20resource=20reque?= =?UTF-8?q?sts=20and=20limits,=20and=20priority=E2=80=A6=20(#6)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit … class --- trufflehog-0.1.1.tgz | Bin 0 -> 2763 bytes trufflehog/Chart.yaml | 4 +-- trufflehog/README.md | 19 +++--------- trufflehog/templates/deployment.yaml | 24 +++++++++++++++ trufflehog/templates/priorityclass.yaml | 11 +++++++ .../templates/verticalpodautoscaler.yaml | 28 +++++++++++++++++ trufflehog/values.yaml | 29 ++++++++++++++++++ 7 files changed, 99 insertions(+), 16 deletions(-) create mode 100644 trufflehog-0.1.1.tgz create mode 100644 trufflehog/templates/priorityclass.yaml create mode 100644 trufflehog/templates/verticalpodautoscaler.yaml 
diff --git a/trufflehog-0.1.1.tgz b/trufflehog-0.1.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..62a3922571071392e0bd0d8daca7e4155f2bc5a4 GIT binary patch literal 2763 zcmV;+3N-Z}iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PGsua@#gG&-{ur^mf{2BZ{(RJHr`2cpdjL+q9lK?LKrmHAEhY z*nj{FfJ)RP|Goo&6hVrzoy2jvGscTVTn^3+=LTq5=Q+bdET?A$kvdwFl0CZH7RPaX zG@skwIF5(E@oawZXf{7Ojt`HI@Zb@|cZ|nqtCc45QT)++4T<|dX{4gR zqEuAy1XlY&hANe`()RllzC%_*YV-nfA>oBnmhZ$8&bdZeNvbg5q{IX|MG96ez&M&k zv*2@+_|UFt-uYh|epahXaB{Gm$ zF`5z;1)vw=}d}X;mi>&f_>PT?bYLmM96k)Iu6kA)Li-w!_4M zLQWP8Gi&;=4}AW#4}7-opa*+!3csS%G$rgpWT&+jDkTghyrPT&$^Kg_ylKfazoTg%1;>+uP{r-N#0^hNnZC>d>FB3g6DKu zOLQ9c?|OlfqecY^Q;8aMK{QlStZ3HEA(hoOoj{13V%<^&LJ78>jnEHEYJpea%ItdON6r^qq|M4~hAn3;2_3##C&#oE&N?8i$p z*PLKgVfyv;5p=qR!Sd{>#rw-CnK9YZ5)8)8Yqjdw>tOf4kOSZv_F` zBh}`f9UDz!J?uUnzYoC>pyl#LL|v@XOL(Ftv)F9c8~t%m1e{=3AnahlT$ji1Kh@7^Yiu8^Zr7j5d_wLf3Z`o=f>u# zK25h&Mbk>N{K9ddVYD}+S3C2&{VJLVtgQm|OmhPwYF9-~m8!2+uqhc`zc{Vxk(HY& z-9&B5bl1Zf*7df44$NN%!j=7^rU*6^s9zMkJ+KW+-ixEd#Y3)a8Liu*GYP} z85ScV`cSd&hImVCyY9~&qg+pXOFM2R_U^{Ri+&~F zyB;rk_fnx>2>RU8-fpAkf7RSjRU#vs8>$bt12^6O9v%+ff9%J{5BIgcS$`Knh&qAuR*ngb8A$)CF7_z7XNQ;{QLI*=kwEN z&(EVWyX!q}tpCQt`tSbnZ2!Uj-$&cq@tVfI{ImBfLGY{#d_d&zsvx?%`2}}b;2!Ew zt)Qx9B@{+Mu(t;n5>5I|71gMM;9r;viC~Q@GoHl4>0TK=fwicCqq~BwBvwSC>68Ag zZOUq;?UNZ@xGP#IY zQJB^?QZKZwR5G0o`lBV)MZGXy->jclO;iq6qp3by2CJt%j@_U?zG#EsMS<|!mG|uO z>i4g_udiEeX~F?{pyvg6ATmxqD90quEiJQE3!)-RgB? zTWqiKu3EH@;~diNVM7DQ?YkervsxPTn|&=#Nf1on@#9~t{#;Ea3iTCy!^raS<0J?G zTGau#Gl7HM1^gSTlYO_9+0lxm(OnSD6AbtG?aE(s)xPgisO{r1stp_VEsjXC_5n`A zjL0XHz?qeDpVbY?jU=puZ9yJVQLPQQ-fU-kJ{^;C*jN&SivRw&WtI`^K?J9{G4}(h zexDl(zFZ*?CXr<87A?#=uOeOGZk6{H;g*4Ar-*LL_f(O(T1t}PovX;f4i#zka~gu} zOTw12jSu1Y%F%P@iU34epN!dVmAD(G+(ISZi#eUwutKMpjo6;(?-`jtw1@W49@?jE R{|f*B|NpFb_4EKZ008SEXp{f| literal 0 HcmV?d00001 diff --git a/trufflehog/Chart.yaml b/trufflehog/Chart.yaml index 5c24f79..b53635e 100644 --- a/trufflehog/Chart.yaml +++ b/trufflehog/Chart.yaml 
@@ -1,4 +1,4 @@
 apiVersion: v2
 name: trufflehog
-description: A Helm chart for trufflehog secrets scanning
-version: 0.1.0
+description: A Helm chart for TruffleHog Enterprise
+version: 0.1.1
diff --git a/trufflehog/README.md b/trufflehog/README.md
index 1b40e13..dd0b058 100644
--- a/trufflehog/README.md
+++ b/trufflehog/README.md
@@ -1,4 +1,4 @@
-# Trufflehog Helm Chart
+# TruffleHog Enterprise Helm Chart
 Description of what the chart deploys and its purpose.
@@ -15,13 +15,15 @@ kubectl create namespace trufflehog
 ### Create the Configuration Secret:
 Ensure you have the config.yaml file prepared with the appropriate configuration. Then, create the secret in the trufflehog namespace:
+
 ```bash
-kubectl create secret generic config --namespace trufflehog --from-file=config.yaml=config.yaml
+kubectl create secret generic config --namespace trufflehog --from-file=config.yaml=/path/to/config.yaml
 ```
 ### Installing the Chart:
 Once the prerequisites are satisfied, you can deploy Trufflehog using the following command:
+
 ```bash
 helm repo add trufflesecurity https://trufflesecurity.github.io/helm-charts
 helm install trufflehog trufflesecurity/trufflehog --namespace trufflehog
@@ -29,17 +31,7 @@ helm install trufflehog trufflesecurity/trufflehog --namespace trufflehog ### Configuration -The `values.yaml` file provides configuration options for the Trufflehog Helm chart. This allows you to customize the deployment according to your environment and requirements. - -#### Key Configurations: - -- **replicaCount**: Sets the number of pod replicas. -- **image**: Defines the Docker image repository and tag. -- **config**: Configures the Kubernetes secret that provides the application's configuration data. -- **probe**: Specifies the health probe settings for the pod, including initial delay and check frequency. -- **nameOverride** and **fullnameOverride**: Allow for overriding the default naming of the deployment. - -To adjust these configurations: +The [`values.yaml`](values.yaml) file provides configuration options for the Trufflehog Helm chart. This allows you to customize the deployment according to your environment and requirements. ## Configuration @@ -86,4 +78,3 @@ If you've already installed the Helm release and want to modify the values: ``` This command upgrades the existing release using the modified `values.yaml` file. - diff --git a/trufflehog/templates/deployment.yaml b/trufflehog/templates/deployment.yaml index d3014cf..99fedc3 100644 --- a/trufflehog/templates/deployment.yaml +++ b/trufflehog/templates/deployment.yaml @@ -16,6 +16,13 @@ spec: app.kubernetes.io/name: {{ include "trufflehog.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} spec: + {{- if .Values.priorityClass.create }} + priorityClassName: trufflehog-enterprise + {{- else if .Values.priorityClass.name }} + priorityClassName: {{ .Values.priorityClass.name }} + {{- else }} + # no priority class, leave it up to the system + {{- end }} volumes: - name: config-secret-volume secret: 
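Review bot: The PriorityClass name `trufflehog-enterprise` is a literal in the `.Values.priorityClass.create` branch here and again in templates/priorityclass.yaml; if either copy is renamed the Deployment references a PriorityClass that does not exist and its pods are rejected at admission. Define it once, for example in a `trufflehog.priorityClassName` named template used by both files, or render `priorityClassName: {{ .Values.priorityClass.name | default "trufflehog-enterprise" }}` from a single value. The `{{- else }}` branch only writes a YAML comment into the rendered manifest and can be dropped without changing the object. The pod spec this belongs to starts and ends outside the hunk.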
@@ -34,3 +41,20 @@ spec:
 volumeMounts:
 - name: config-secret-volume
 mountPath: /secret/
+ resources:
+ requests:
+ memory: "{{ .Values.resources.requests.memory }}"
+ cpu: "{{ .Values.resources.requests.cpu }}"
+ ephemeral-storage: "{{ .Values.resources.requests.ephemeralStorage }}"
+ {{- if .Values.resources.limits.enabled }}
+ limits:
+ {{- if .Values.resources.limits.memory }}
+ memory: "{{ .Values.resources.limits.memory }}"
+ {{- end }}
+ {{- if .Values.resources.limits.cpu }}
+ cpu: "{{ .Values.resources.limits.cpu }}"
+ {{- end }}
+ {{- if .Values.resources.limits.ephemeralStorage }}
+ ephemeral-storage: "{{ .Values.resources.limits.ephemeralStorage }}"
+ {{- end }}
+ {{- end }}
\ No newline at end of file
diff --git a/trufflehog/templates/priorityclass.yaml b/trufflehog/templates/priorityclass.yaml
new file mode 100644
index 0000000..28fbf67
--- /dev/null
+++ b/trufflehog/templates/priorityclass.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.priorityClass.create }}
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+ name: "trufflehog-enterprise"
+ labels:
+ app.kubernetes.io/name: {{ include "trufflehog.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+value: {{ .Values.priorityClass.value }}
+description: "Priority class for Trufflehog Enterprise"
+{{- end }}
diff --git a/trufflehog/templates/verticalpodautoscaler.yaml b/trufflehog/templates/verticalpodautoscaler.yaml
new file mode 100644
index 0000000..899d6d7
--- /dev/null
+++ b/trufflehog/templates/verticalpodautoscaler.yaml
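Review bot: The `requests` block renders unconditionally with quoted values, so clearing `resources.requests.memory`, `.cpu` or `.ephemeralStorage` in values produces `memory: ""`, which the API server rejects as an invalid quantity, while the `limits` entries directly below are each guarded with `{{- if }}`. Guarding the requests the same way, e.g. `{{- with .Values.resources.requests.memory }}memory: {{ quote . }}{{- end }}`, keeps the two halves consistent. The file also ends without a trailing newline (`\ No newline at end of file`); add one. The container spec this extends starts outside the hunk.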
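Review bot: `PriorityClass` is cluster-scoped and this one carries the fixed name `"trufflehog-enterprise"` while `priorityClass.create` defaults to true, so a second release of the chart in another namespace fails because Helm refuses to adopt a resource owned by a different release, and installing at all needs cluster-level RBAC to create PriorityClasses. Deriving the name from the release, e.g. `name: {{ include "trufflehog.fullname" . }}` (with the same expression in deployment.yaml), avoids the collision; if a single shared class is intended, the values.yaml comment should state that only one release per cluster may set `create: true`. Rendering `value: {{ .Values.priorityClass.value }}` unquoted is correct here because the field is an integer.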
@@ -0,0 +1,28 @@
+{{- if .Values.vpa.enabled }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+ name: {{ include "trufflehog.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "trufflehog.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+ targetRef:
+ apiVersion: "apps/v1"
+ kind: "Deployment"
+ name: {{ include "trufflehog.fullname" . }}
+ updatePolicy:
+ updateMode: "Auto"
+ resourcePolicy:
+ containerPolicies:
+ - containerName: trufflehog
+ minAllowed:
+ cpu: {{ .Values.vpa.minAllowed.cpu }}
+ memory: {{ .Values.vpa.minAllowed.memory }}
+ {{- if .Values.vpa.maxAllowed.enabled }}
+ maxAllowed:
+ cpu: {{ .Values.vpa.maxAllowed.cpu }}
+ memory: {{ .Values.vpa.maxAllowed.memory }}
+ {{- end }}
+{{- end }}
diff --git a/trufflehog/values.yaml b/trufflehog/values.yaml
index 0b2cdf9..98f9c24 100644
--- a/trufflehog/values.yaml
+++ b/trufflehog/values.yaml
@@ -1,9 +1,33 @@
+# Sets the number of pod replicas.
 replicaCount: 1
 image:
 repository: us-docker.pkg.dev/thog-artifacts/public/scanner
 tag: latest
+# The resources requests and limits for the TruffleHog Enterprise container.
+resources:
+ requests:
+ memory: "16Gi"
+ cpu: "4000m"
+ ephemeralStorage: "10Gi"
+ limits:
+ enabled: true
+ memory: "48Gi"
+ cpu: "12000m"
+
+# A VerticalPodAutoscaler will adjust resource requests based on observed CPU and memory usage.
+vpa:
+ enabled: true
+ minAllowed:
+ cpu: "4000m"
+ memory: "16Gi"
+ maxAllowed:
+ enabled: true
+ memory: "48Gi"
+ cpu: "12000m"
+
+# Configures the Kubernetes secret that provides the application's configuration data.
 config:
 secretName: config
@@ -13,3 +37,8 @@ probe:
 nameOverride: ""
 fullnameOverride: ""
+
+priorityClass:
+ create: true
+ name: "" # Existing priority class to use if create is false
+ value: 1000 # Priority value, only used if create is true
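Review bot: `vpa.enabled` defaults to true in the values.yaml hunk of this same patch, so `helm install` fails on any cluster where the VerticalPodAutoscaler CRD is absent, which is the common case. Emit the manifest only when the API exists, e.g. `{{- if and .Values.vpa.enabled (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") }}`, or default `enabled` to false. `updateMode: "Auto"` is hard-coded; in that mode the VPA evicts running pods to apply a new recommendation, which interrupts in-progress scans, so consider exposing it as `.Values.vpa.updateMode` with `"Off"` or `"Initial"` documented as the non-disruptive choices. If I read the VPA semantics correctly, `maxAllowed` caps only requests and limits are rescaled to keep the Deployment's request-to-limit ratio, so with the shipped 16Gi/48Gi defaults a 48Gi recommendation would yield a 144Gi memory limit; that deserves a comment next to `maxAllowed` in values.yaml.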
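Review bot: The new `vpa:` comment does not mention that the object can only be installed when the VPA CRD is present on the cluster, even though `enabled: true` is the default; extend it to `# A VerticalPodAutoscaler will adjust resource requests based on observed CPU and memory usage. Requires the VPA CRD (autoscaling.k8s.io/v1) to be installed.`. `vpa.minAllowed` repeats `resources.requests` and `vpa.maxAllowed` repeats `resources.limits` value for value; a comment stating that the two are meant to track each other (or deriving one from the other in the template) would prevent silent drift when one side is tuned later. The `priorityClass` block added at the end of the file likewise gets no comment that `create: true` produces a cluster-scoped object shared by every release in the cluster.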