From de557cb06b9893bf2424f2cf96ab5d1ad9abf369 Mon Sep 17 00:00:00 2001 From: Wajih Yassine <54372074+wajihyassine@users.noreply.github.com> Date: Tue, 16 Jan 2024 17:02:22 -0800 Subject: [PATCH] Fix config override, service port origination, bump to v1 (#107) * Fix config override, service port origination, bump to v1 * Fix yeti values.yaml * Update README.md with readme-generator-for-helm Signed-off-by: wajihyassine --------- 
Signed-off-by: wajihyassine Co-authored-by: wajihyassine --- charts/osdfir-infrastructure/CHANGELOG.md | 51 --------------- charts/timesketch/CHANGELOG.md | 62 ------------------- charts/timesketch/Chart.yaml | 16 ++--- charts/timesketch/README.md | 10 +-- .../timesketch/templates/_initContainer.tpl | 3 - .../templates/gcp/backendconfig.yaml | 2 +- .../timesketch/templates/init-configmap.yaml | 24 +++---- charts/timesketch/templates/service.yaml | 3 +- .../timesketch/templates/web-deployment.yaml | 6 +- .../templates/worker-deployment.yaml | 6 +- charts/timesketch/values.yaml | 8 +-- charts/turbinia/CHANGELOG.md | 49 --------------- charts/turbinia/Chart.yaml | 16 +++-- charts/turbinia/README.md | 10 +-- charts/turbinia/templates/_initContainer.tpl | 3 - charts/turbinia/templates/api-deployment.yaml | 6 +- .../turbinia/templates/gcp/backendconfig.yaml | 2 +- charts/turbinia/templates/ingress.yaml | 4 +- charts/turbinia/templates/init-configmap.yaml | 23 ++++--- .../turbinia/templates/server-deployment.yaml | 4 +- charts/turbinia/templates/service.yaml | 3 +- .../turbinia/templates/worker-deployment.yaml | 4 +- charts/turbinia/values.yaml | 8 +-- charts/yeti/Chart.yaml | 6 +- charts/yeti/README.md | 14 ++--- charts/yeti/templates/NOTES.txt | 4 +- charts/yeti/templates/api-deployment.yaml | 2 +- charts/yeti/templates/api-service.yaml | 3 +- .../yeti/templates/frontend-deployment.yaml | 2 +- charts/yeti/templates/frontend-service.yaml | 3 +- charts/yeti/templates/gcp/backendconfig.yaml | 2 +- charts/yeti/templates/ingress.yaml | 8 +-- charts/yeti/templates/nginx-configmap.yaml | 4 +- charts/yeti/values.yaml | 35 ++++------- 34 files changed, 110 insertions(+), 296 deletions(-) delete mode 100644 charts/osdfir-infrastructure/CHANGELOG.md delete mode 100644 charts/timesketch/CHANGELOG.md delete mode 100644 charts/turbinia/CHANGELOG.md 
diff --git a/charts/osdfir-infrastructure/CHANGELOG.md b/charts/osdfir-infrastructure/CHANGELOG.md deleted file mode 100644 index 4a1efa7b..00000000 --- a/charts/osdfir-infrastructure/CHANGELOG.md +++ /dev/null @@ -1,51 +0,0 @@ - -# Changelog - -All notable changes to this project will be documented in this file. - -The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), -and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). - ---- -## [Unreleased] -### Added -### Changed -### Deprecated -### Removed -### Fixed -### Security ---- -## [0.3.3] -### Added -### Changed - -* Update dependency charts (timesketch-0.3.4, turbinia-0.3.3) - -### Deprecated -### Removed -### Fixed - ---- -## [0.3.0] -### Added -### Changed -### Deprecated -### Removed -### Fixed - -* Adds logic to prevent password regen for Timesketch on Helm upgrades -* Adds missing plaso_formatters.yaml config for Timesketch -* Keep PVC on helm uninstall as an additional safeguard for data retention - -### Security ---- -## [0.2.0] -### Added - -* dfTimewolf integration instructions through post install NOTES.txt -* Updated values.yaml with the Turbinia Oauth2 Proxy configuration values - -### Changed -### Deprecated -### Removed -### Fixed diff --git a/charts/timesketch/CHANGELOG.md b/charts/timesketch/CHANGELOG.md deleted file mode 100644 index 70f308b0..00000000 --- a/charts/timesketch/CHANGELOG.md +++ /dev/null 
@@ -1,62 +0,0 @@ - -# Changelog - -All notable changes to this project will be documented in this file. - -The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), -and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). - ---- -## [Unreleased] -### Added -### Changed -### Deprecated -### Removed -### Fixed -### Security - ---- -## [0.3.4] -### Added -### Changed - -* Update docs to point to new Helm chart repo - -### Deprecated -### Removed -### Fixed - ---- -## [0.3.3] -### Added -### Changed - -* Update Timesketch configs download logic to pull git repo instead and copy out -configs from data folder - -### Deprecated -### Removed -### Fixed - ---- -## [0.3.0] -### Added -### Changed -### Deprecated -### Removed -### Fixed - -* Adds logic to prevent password regen for Timesketch on Helm upgrades -* Adds missing plaso_formatters.yaml config for Timesketch -* Keep PVC on helm uninstall as an additional safeguard for data retention - ---- -## [0.2.0] -### Added - -* dfTimewolf integration instructions through post install NOTES.txt - -### Changed -### Deprecated -### Removed -### Fixed diff --git a/charts/timesketch/Chart.yaml b/charts/timesketch/Chart.yaml index 9506a774..bdf5e579 100644 --- a/charts/timesketch/Chart.yaml +++ b/charts/timesketch/Chart.yaml @@ -1,12 +1,13 @@ apiVersion: v2 name: timesketch -version: 0.3.5 +version: 1.0.0 description: A Helm chart for Timesketch Kubernetes deployments. keywords: - timesketch - dfir - analysis -home: "https://github.com/google/timesketch" +- security +home: "https://timesketch.org/" dependencies: - condition: postgresql.enabled name: postgresql 
@@ -21,15 +22,14 @@ dependencies: version: 2.14.1 repository: https://opensearch-project.github.io/helm-charts/ maintainers: - - name: Wajih Yassine - url: https://github.com/wajihyassine - - name: Johan Berggren - url: https://github.com/berggren + - name: Open Source DFIR + email: osdfir-maintainers@googlegroups.com + url: https://github.com/google/osdfir-infrastructure sources: - https://github.com/google/timesketch -- https://timesketch.org/ +- https://github.com/google/osdfir-infrastructure icon: https://raw.githubusercontent.com/google/timesketch/master/timesketch/frontend-ng/dist/timesketch-color.png -appVersion: "20230913" +appVersion: "latest" annotations: category: Security licenses: Apache-2.0 diff --git a/charts/timesketch/README.md b/charts/timesketch/README.md index 94834cb6..c5c5ab81 100644 --- a/charts/timesketch/README.md +++ b/charts/timesketch/README.md 
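Review bot: `appVersion: "latest"` replaces the dated, pinned `"20230913"`, and since the component image tags default to the chart appVersion (as the README tables for these charts describe), a pod restart may now pull a different Timesketch build than the one the release was validated with; for an evidence-processing deployment that makes the running version unknowable from the Helm release alone. Keep `appVersion` pinned to the build the chart was tested against and let users opt into `latest` through the per-component `image.tag` values, or at minimum document in Chart.yaml why a floating tag is the intended default. The same change is made in charts/turbinia/Chart.yaml.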
@@ -100,12 +100,12 @@ kubectl delete pvc -l release=my-release | Name | Description | Value | | ------------------------------- | -------------------------------------------------------------------------------------------- | ------- | -| `global.timesketch.enabled` | Enables the Timesketch deployment (only used in the main OSDFIR Infrastructure Helm chart) | `true` | -| `global.timesketch.servicePort` | Timesketch service port (overrides `timesketch.service.port`) | `5000` | +| `global.timesketch.enabled` | Enables the Timesketch deployment (only used in the main OSDFIR Infrastructure Helm chart) | `false` | +| `global.timesketch.servicePort` | Timesketch service port (overrides `timesketch.service.port`) | `nil` | | `global.turbinia.enabled` | Enables the Turbinia deployment (only used within the main OSDFIR Infrastructure Helm chart) | `false` | -| `global.turbinia.servicePort` | Turbinia API service port (overrides `turbinia.service.port`) | `8080` | +| `global.turbinia.servicePort` | Turbinia API service port (overrides `turbinia.service.port`) | `nil` | | `global.yeti.enabled` | Enables the Yeti deployment (only used in the main OSDFIR Infrastructure Helm chart) | `false` | -| `global.yeti.servicePort` | Yeti API service port (overrides `yeti.api.service.port`) | `8000` | +| `global.yeti.servicePort` | Yeti API service port (overrides `yeti.api.service.port`) | `nil` | | `global.existingPVC` | Existing claim for Timesketch persistent volume (overrides `persistent.name`) | `""` | | `global.storageClass` | StorageClass for the Timesketch persistent volume (overrides `persistent.storageClass`) | `""` | @@ -293,7 +293,7 @@ for more details. ## License -Copyright © 2023 Timesketch +Copyright © 2023 OSDFIR Infrastructure Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
diff --git a/charts/timesketch/templates/_initContainer.tpl b/charts/timesketch/templates/_initContainer.tpl index 9de95dfa..f1008847 100644 --- a/charts/timesketch/templates/_initContainer.tpl +++ b/charts/timesketch/templates/_initContainer.tpl @@ -4,7 +4,6 @@ this file has been created which then applies to both the Timesketch Web and Worker pod upon startup. */}} {{- define "timesketch.initContainer" -}} -{{- $userconfigs := .Files.Glob .Values.config.override }} - name: init-timesketch image: alpine/git command: ['sh', '-c', '/init/init-timesketch.sh'] @@ -42,8 +41,6 @@ Worker pod upon startup. name: init-timesketch - mountPath: /etc/timesketch name: timesketch-configs - {{- if $userconfigs }} - mountPath: /tmp/timesketch name: uploaded-configs - {{- end }} {{- end }} diff --git a/charts/timesketch/templates/gcp/backendconfig.yaml b/charts/timesketch/templates/gcp/backendconfig.yaml index 9772fb53..12b12f53 100644 --- a/charts/timesketch/templates/gcp/backendconfig.yaml +++ b/charts/timesketch/templates/gcp/backendconfig.yaml @@ -13,5 +13,5 @@ spec: unhealthyThreshold: 2 type: HTTP requestPath: /login/ - port: {{ include "timesketch.service.port" . }} + port: 5000 {{- end }} \ No newline at end of file diff --git a/charts/timesketch/templates/init-configmap.yaml b/charts/timesketch/templates/init-configmap.yaml index fcb6c7d5..7aabd1db 100644 --- a/charts/timesketch/templates/init-configmap.yaml +++ b/charts/timesketch/templates/init-configmap.yaml 
@@ -14,18 +14,18 @@ data:
 mkdir -p /etc/timesketch
 cd /etc/timesketch
- {{- $userconfigs := .Files.Glob .Values.config.override }}
- {{- if $userconfigs }}
- cp /tmp/timesketch/* /etc/timesketch/
- {{- else }}
- echo -n "* Fetching configuration files.."
- GITHUB_BASE_URL="https://raw.githubusercontent.com/google/timesketch/master"
- # Fetch default Timesketch config files
- git clone https://github.com/google/timesketch.git
- cp -r timesketch/data/* /etc/timesketch/
- rm -rf timesketch
- echo "OK"
- {{- end}}
+ if [ $(ls /tmp/timesketch/ | wc -l) -gt 0 ]; then
+ echo "Using existing configuration files provided."
+ cp /tmp/timesketch/* /etc/timesketch/
+ else
+ echo -n "* Fetching configuration files.."
+ GITHUB_BASE_URL="https://raw.githubusercontent.com/google/timesketch/master"
+ # Fetch default Timesketch config files
+ git clone https://github.com/google/timesketch.git
+ cp -r timesketch/data/* /etc/timesketch/
+ rm -rf timesketch
+ echo "OK"
+ fi
 # Set up the Redis connection
 sed -i 's#^CELERY_BROKER_URL =.*#CELERY_BROKER_URL = {{ (include "timesketch.redis.url" .) | quote }}#' timesketch.conf
diff --git a/charts/timesketch/templates/service.yaml b/charts/timesketch/templates/service.yaml
index 6bedd759..bd0f44e0 100644
--- a/charts/timesketch/templates/service.yaml
+++ b/charts/timesketch/templates/service.yaml
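Review bot: The fallback in the new `else` branch clones `master` of google/timesketch at pod start, so the configuration a pod runs with depends on whatever upstream HEAD is at that moment rather than on the chart version, and with `appVersion` moved to `"latest"` the image and its config can now drift independently of each other. Pin the fetch (`git clone --depth 1 --branch <PINNED_TAG_PLACEHOLDER> https://github.com/google/timesketch.git`) or ship the defaults inside the chart, and make a failed clone abort the init rather than fall through to the `cp`/`sed` lines (a `set -e` at the top of the script would do; the script header is outside this hunk so I cannot tell whether one exists). The `if [ $(ls /tmp/timesketch/ | wc -l) -gt 0 ]` test also treats any file in the mount as a complete config set, so a user who overrides only `timesketch.conf` is left without the other files the clone would have provided; copying the overrides on top of the fetched defaults would avoid that. The same fallback shape appears in charts/turbinia/templates/init-configmap.yaml.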
@@ -8,13 +8,14 @@ metadata:
 {{- if and (.Values.ingress.enabled) ( eq .Values.ingress.className "gce") }}
 annotations:
 cloud.google.com/neg: '{"ingress": true}'
- cloud.google.com/backend-config: '{"ports": {"{{ include "timesketch.service.port" . }}":"{{ include "timesketch.fullname" . }}-backend-config"}}'
+ cloud.google.com/backend-config: '{"ports": {"5000":"{{ include "timesketch.fullname" . }}-backend-config"}}'
 {{- end }}
 spec:
 type: {{ .Values.service.type }}
 ports:
 - port: {{ include "timesketch.service.port" . }}
 protocol: TCP
+ targetPort: 5000
 selector:
 app.kubernetes.io/component: frontend
 {{- include "timesketch.selectorLabels" . | nindent 4 }}
\ No newline at end of file
diff --git a/charts/timesketch/templates/web-deployment.yaml b/charts/timesketch/templates/web-deployment.yaml
index 1ad2a085..785913a7 100644
--- a/charts/timesketch/templates/web-deployment.yaml
+++ b/charts/timesketch/templates/web-deployment.yaml
@@ -1,4 +1,3 @@
-{{- $userconfigs := .Files.Glob .Values.config.override }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -70,7 +69,7 @@ spec:
 {{- if .Values.metrics.enabled }}
 - containerPort: {{ .Values.metrics.port }}
 {{- end }}
- - containerPort: {{ include "timesketch.service.port" . }}
+ - containerPort: 5000
 resources:
 {{- toYaml .Values.frontend.resources | nindent 12 }}
 volumes:
@@ -84,11 +83,10 @@ spec:
 defaultMode: 0744
 - name: timesketch-configs
 emptyDir: {}
- {{- if $userconfigs }}
 - name: uploaded-configs
 configMap:
 name: {{ include "timesketch.fullname" . }}-configmap
- {{- end }}
+ optional: true
 {{- with .Values.frontend.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/timesketch/templates/worker-deployment.yaml b/charts/timesketch/templates/worker-deployment.yaml
index 3dcb5a66..56a57dc6 100644
--- a/charts/timesketch/templates/worker-deployment.yaml
+++ b/charts/timesketch/templates/worker-deployment.yaml
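Review bot: As far as I can tell from the GKE BackendConfig semantics, the `ports` key in `cloud.google.com/backend-config` refers to the Service's own port (name or number), not to the pod port, so hard-coding `"5000"` stops matching as soon as `service.port` or `global.timesketch.servicePort` is set to another value — which is exactly the case the new `targetPort: 5000` exists to support — and the Service then gets no BackendConfig and no custom health check attached. Keep the annotation keyed on the Service port, `cloud.google.com/backend-config: '{"ports": {"{{ include "timesketch.service.port" . }}":"{{ include "timesketch.fullname" . }}-backend-config"}}'`, or give the port a `name: http` and key the annotation on that name. The charts/turbinia/templates/service.yaml hunk makes the same change with `"8000"`.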
@@ -1,4 +1,3 @@ -{{- $userconfigs := .Files.Glob .Values.config.override }} apiVersion: apps/v1 kind: Deployment metadata: @@ -59,7 +58,7 @@ spec: {{- if .Values.metrics.enabled }} - containerPort: {{ .Values.metrics.port }} {{- end }} - - containerPort: {{ include "timesketch.service.port" . }} + - containerPort: 5000 resources: {{- toYaml .Values.worker.resources | nindent 12 }} volumes: @@ -73,11 +72,10 @@ spec: defaultMode: 0744 - name: timesketch-configs emptyDir: {} - {{- if $userconfigs }} - name: uploaded-configs configMap: name: {{ include "timesketch.fullname" . }}-configmap - {{- end }} + optional: true {{- with .Values.worker.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/timesketch/values.yaml b/charts/timesketch/values.yaml index 35047748..79f05b31 100644 --- a/charts/timesketch/values.yaml +++ b/charts/timesketch/values.yaml @@ -10,24 +10,24 @@ global: timesketch: ## @param global.timesketch.enabled Enables the Timesketch deployment (only used in the main OSDFIR Infrastructure Helm chart) ## - enabled: true + enabled: false ## @param global.timesketch.servicePort Timesketch service port (overrides `timesketch.service.port`) ## - servicePort: 5000 + servicePort: turbinia: ## @param global.turbinia.enabled Enables the Turbinia deployment (only used within the main OSDFIR Infrastructure Helm chart) ## enabled: false ## @param global.turbinia.servicePort Turbinia API service port (overrides `turbinia.service.port`) ## - servicePort: 8080 + servicePort: yeti: ## @param global.yeti.enabled Enables the Yeti deployment (only used in the main OSDFIR Infrastructure Helm chart) ## enabled: false ## @param global.yeti.servicePort Yeti API service port (overrides `yeti.api.service.port`) ## - servicePort: 8000 + servicePort: ## @param global.existingPVC Existing claim for Timesketch persistent volume (overrides `persistent.name`) ## existingPVC: "" 
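Review bot: The three `servicePort:` keys in the values.yaml hunk are now bare, which YAML reads as null; that appears intentional so the port helper falls back to the chart's own `service.port`, but an explicit `servicePort: null` states the intent and keeps yamllint's `empty-values` check quiet. The `## @param` line above each could also say what an empty value means, e.g. `## @param global.timesketch.servicePort Timesketch service port (overrides timesketch.service.port; leave unset to use the chart default)`. The same applies to the charts/turbinia/values.yaml hunk.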
diff --git a/charts/turbinia/CHANGELOG.md b/charts/turbinia/CHANGELOG.md deleted file mode 100644 index 913c6257..00000000 --- a/charts/turbinia/CHANGELOG.md +++ /dev/null @@ -1,49 +0,0 @@ - -# Changelog - -All notable changes to this project will be documented in this file. - -The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), -and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). - ---- -## [Unreleased] -### Added -### Changed -### Deprecated -### Removed -### Fixed -### Security - ---- -## [0.3.3] -### Added -### Changed - -* Update docs to point to new Helm chart repo - -### Deprecated -### Removed -### Fixed - ---- -## [0.3.0] -### Added -### Changed -### Deprecated -### Removed -### Fixed - -* Keep PVC on helm uninstall as an additional safeguard for data retention - ---- -## [0.2.0] -### Added - -* dfTimewolf integration instructions through post install NOTES.txt -* A secret to store the Turbinia Oauth2 Proxy config for dfTimewolf - -### Changed -### Deprecated -### Removed -### Fixed diff --git a/charts/turbinia/Chart.yaml b/charts/turbinia/Chart.yaml index cea8b75c..fa296b86 100644 --- a/charts/turbinia/Chart.yaml +++ b/charts/turbinia/Chart.yaml @@ -1,12 +1,13 @@ apiVersion: v2 name: turbinia -version: 0.3.4 +version: 1.0.0 description: A Helm chart for Turbinia Kubernetes deployments. keywords: - turbinia - dfir - processing - scaling +- security home: "https://github.com/google/turbinia" dependencies: - condition: redis.enabled 
@@ -19,16 +20,13 @@ dependencies: version: 4.1.3 repository: https://charts.bitnami.com/bitnami maintainers: - - name: Wajih Yassine - url: https://github.com/wajihyassine - - name: Aaron Peterson - url: https://github.com/aarontp - - name: hacktobeer - url: https://github.com/hacktobeer + - name: Open Source DFIR + email: osdfir-maintainers@googlegroups.com + url: https://github.com/google/osdfir-infrastructure sources: -- https://github.com/google/turbinia +- https://github.com/google/osdfir-infrastructure icon: https://raw.githubusercontent.com/google/turbinia/master/web/src/assets/turbinia-logo-mark.png -appVersion: "20230808" +appVersion: "latest" annotations: category: Security licenses: Apache-2.0 diff --git a/charts/turbinia/README.md b/charts/turbinia/README.md index 0bb058c9..fda4b7cb 100644 --- a/charts/turbinia/README.md +++ b/charts/turbinia/README.md 
@@ -125,11 +125,11 @@ kubectl delete pvc -l release=my-release | Name | Description | Value | | ------------------------------- | -------------------------------------------------------------------------------------------- | ------- | | `global.timesketch.enabled` | Enables the Timesketch deployment (only used in the main OSDFIR Infrastructure Helm chart) | `false` | -| `global.timesketch.servicePort` | Timesketch service port (overrides `timesketch.service.port`) | `5000` | -| `global.turbinia.enabled` | Enables the Turbinia deployment (only used within the main OSDFIR Infrastructure Helm chart) | `true` | -| `global.turbinia.servicePort` | Turbinia API service port (overrides `turbinia.service.port`) | `8080` | +| `global.timesketch.servicePort` | Timesketch service port (overrides `timesketch.service.port`) | `nil` | +| `global.turbinia.enabled` | Enables the Turbinia deployment (only used within the main OSDFIR Infrastructure Helm chart) | `false` | +| `global.turbinia.servicePort` | Turbinia API service port (overrides `turbinia.service.port`) | `nil` | | `global.yeti.enabled` | Enables the Yeti deployment (only used in the main OSDFIR Infrastructure Helm chart) | `false` | -| `global.yeti.servicePort` | Yeti API service port (overrides `yeti.api.service.port`) | `8000` | +| `global.yeti.servicePort` | Yeti API service port (overrides `yeti.api.service.port`) | `nil` | | `global.existingPVC` | Existing claim for Turbinia persistent volume (overrides `persistent.name`) | `""` | | `global.storageClass` | StorageClass for the Turbinia persistent volume (overrides `persistent.storageClass`) | `""` | @@ -333,7 +333,7 @@ of the volume that backs the underlying PersistentVolume. See [here](https://kub ## License -Copyright © 2023 Turbinia +Copyright © 2023 OSDFIR Infrastructure Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
diff --git a/charts/turbinia/templates/_initContainer.tpl b/charts/turbinia/templates/_initContainer.tpl index 911920be..52bdae13 100644 --- a/charts/turbinia/templates/_initContainer.tpl +++ b/charts/turbinia/templates/_initContainer.tpl @@ -4,7 +4,6 @@ this file has been created which then applies to both the Turbinia Server, API, and Worker pod upon startup. */}} {{- define "turbinia.initContainer" -}} -{{- $userconfigs := .Files.Get .Values.config.override -}} - name: init-turbinia image: busybox command: ['sh', '-c', '/init/init-turbinia.sh'] @@ -24,8 +23,6 @@ and Worker pod upon startup. name: init-turbinia - mountPath: /etc/turbinia name: turbinia-configs - {{- if $userconfigs }} - mountPath: /tmp/turbinia name: user-configs - {{- end }} {{- end }} diff --git a/charts/turbinia/templates/api-deployment.yaml b/charts/turbinia/templates/api-deployment.yaml index 2fbc64b9..406655b1 100644 --- a/charts/turbinia/templates/api-deployment.yaml +++ b/charts/turbinia/templates/api-deployment.yaml @@ -1,4 +1,3 @@ -{{- $userconfigs := .Files.Get .Values.config.override }} apiVersion: apps/v1 kind: Deployment metadata: @@ -60,7 +59,7 @@ spec: {{- if .Values.metrics.enabled }} - containerPort: {{ .Values.metrics.port }} {{- end }} - - containerPort: {{ include "turbinia.service.port" . }} + - containerPort: 8000 resources: {{- toYaml .Values.api.resources | nindent 12 }} volumes: @@ -76,11 +75,10 @@ spec: defaultMode: 0777 - name: turbinia-configs emptyDir: {} - {{- if $userconfigs }} - name: user-configs configMap: name: {{ include "turbinia.fullname" . }}-configmap - {{- end }} + optional: true {{- with .Values.api.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/turbinia/templates/gcp/backendconfig.yaml b/charts/turbinia/templates/gcp/backendconfig.yaml index 3638aea1..e2e3d4ef 100644 --- a/charts/turbinia/templates/gcp/backendconfig.yaml +++ b/charts/turbinia/templates/gcp/backendconfig.yaml 
@@ -19,6 +19,6 @@ spec:
 port: 4180
 {{- else }}
 requestPath: /web
- port: {{ include "turbinia.service.port" . }}
+ port: 8000
 {{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/turbinia/templates/ingress.yaml b/charts/turbinia/templates/ingress.yaml
index 61f4249a..7e180d95 100644
--- a/charts/turbinia/templates/ingress.yaml
+++ b/charts/turbinia/templates/ingress.yaml
@@ -7,7 +7,7 @@ metadata:
 labels:
 {{- include "turbinia.labels" . | nindent 4 }}
 annotations:
- kubernetes.io/ingress.class: {{ .Values.ingress.className }}
+ kubernetes.io/ingressClassName: {{ .Values.ingress.className }}
 {{- if .Values.ingress.gcp.managedCertificates }}
 networking.gke.io/managed-certificates: {{ include "turbinia.fullname" . }}-managed-ssl
 {{- end }}
@@ -59,7 +59,7 @@ metadata:
 labels:
 {{- include "turbinia.labels" . | nindent 4 }}
 annotations:
- kubernetes.io/ingress.class: {{ .Values.ingress.className }}
+ kubernetes.io/ingressClassName: {{ .Values.ingress.className }}
 {{- if .Values.ingress.gcp.managedCertificates }}
 networking.gke.io/managed-certificates: {{ include "turbinia.fullname" . }}-managed-ssl
 {{- end }}
diff --git a/charts/turbinia/templates/init-configmap.yaml b/charts/turbinia/templates/init-configmap.yaml
index dd29afff..8274230a 100644
--- a/charts/turbinia/templates/init-configmap.yaml
+++ b/charts/turbinia/templates/init-configmap.yaml
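Review bot: `kubernetes.io/ingressClassName` is not an annotation Kubernetes or the GKE ingress controller recognises — the (deprecated) annotation is `kubernetes.io/ingress.class` and its replacement is the `spec.ingressClassName` field — so after this hunk the value of `ingress.className` is silently ignored and the Ingress is picked up by whichever controller claims unclassed Ingresses. Either restore `kubernetes.io/ingress.class: {{ .Values.ingress.className }}` under `annotations:` or move it to `spec:` as `ingressClassName: {{ .Values.ingress.className }}`, checking first that GKE's controller honours the field for the `gce`/`gce-internal` classes (my recollection is that it still expects the annotation). The second ingress.yaml hunk at old line 59 has the same change.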
@@ -16,18 +16,17 @@ data:
 # Create turbinia config directory
 mkdir -p /etc/turbinia
 cd /etc/turbinia
-
- # Pull default config if one is not already provided
- {{- $userconfigs := .Files.Get .Values.config.override }}
- {{- if $userconfigs }}
- ls -lh /tmp/turbinia
- cp /tmp/turbinia/* /etc/turbinia/
- {{- else }}
- echo -n "* Fetching configuration files.."
- # Fetch default Turbinia config file
- wget "https://raw.githubusercontent.com/google/turbinia/master/turbinia/config/turbinia_config_tmpl.py" -O turbinia.conf
- echo "OK"
- {{- end }}
+
+ if [ $(ls /tmp/turbinia/ | wc -l) -gt 0 ]; then
+ echo "Using exisiting configuration file provided."
+ cp /tmp/turbinia/* /etc/turbinia/
+ else
+ # Pull default config if one is not already provided
+ echo -n "* Fetching configuration files.."
+ # Fetch default Turbinia config file
+ wget "https://raw.githubusercontent.com/google/turbinia/master/turbinia/config/turbinia_config_tmpl.py" -O turbinia.conf
+ echo "OK"
+ fi
 # Set up the Redis connection
 sed -i -e "s/^TASK_MANAGER = .*$/TASK_MANAGER = 'Celery'/g" turbinia.conf
diff --git a/charts/turbinia/templates/server-deployment.yaml b/charts/turbinia/templates/server-deployment.yaml
index f14cd0a0..021c42d7 100644
--- a/charts/turbinia/templates/server-deployment.yaml
+++ b/charts/turbinia/templates/server-deployment.yaml
@@ -1,4 +1,3 @@
-{{- $userconfigs := .Files.Get .Values.config.override }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -66,11 +65,10 @@ spec:
 defaultMode: 0744
 - name: turbinia-configs
 emptyDir: {}
- {{- if $userconfigs }}
 - name: user-configs
 configMap:
 name: {{ include "turbinia.fullname" . }}-configmap
- {{- end }}
+ optional: true
 {{- with .Values.server.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/turbinia/templates/service.yaml b/charts/turbinia/templates/service.yaml
index e6bdb0ef..372ca504 100644
--- a/charts/turbinia/templates/service.yaml
+++ b/charts/turbinia/templates/service.yaml
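Review bot: `echo "Using exisiting configuration file provided."` misspells a user-visible log line; `echo "Using existing configuration file provided."`. In the `else` branch the `wget ... -O turbinia.conf` result is not checked, so a failed download can leave an empty or missing `turbinia.conf` for the following `sed` lines to edit silently unless the script sets `-e` above the hunk (not visible here); `wget "https://raw.githubusercontent.com/google/turbinia/master/turbinia/config/turbinia_config_tmpl.py" -O turbinia.conf || exit 1` makes the init container fail visibly instead.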
@@ -5,7 +5,7 @@ metadata:
 {{- if and (.Values.ingress.enabled) (not .Values.oauth2proxy.enabled) }}
 annotations:
 cloud.google.com/neg: '{"ingress": true}'
- cloud.google.com/backend-config: '{"ports": {"{{ include "turbinia.service.port" . }}": "{{ .Release.Name }}-backend-config"}}'
+ cloud.google.com/backend-config: '{"ports": {"8000": "{{ .Release.Name }}-backend-config"}}'
 {{- end }}
 labels:
 {{- include "turbinia.labels" . | nindent 4 }}
@@ -14,6 +14,7 @@ spec:
 ports:
 - port: {{ include "turbinia.service.port" . }}
 protocol: TCP
+ targetPort: 8000
 selector:
 app.kubernetes.io/component: api
 {{- include "turbinia.selectorLabels" . | nindent 4 }}
diff --git a/charts/turbinia/templates/worker-deployment.yaml b/charts/turbinia/templates/worker-deployment.yaml
index 0235c2f3..82e49e1b 100644
--- a/charts/turbinia/templates/worker-deployment.yaml
+++ b/charts/turbinia/templates/worker-deployment.yaml
@@ -1,4 +1,3 @@
-{{- $userconfigs := .Files.Get .Values.config.override }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -94,11 +93,10 @@ spec:
 defaultMode: 0744
 - name: turbinia-configs
 emptyDir: {}
- {{- if $userconfigs }}
 - name: user-configs
 configMap:
 name: {{ include "turbinia.fullname" . }}-configmap
- {{- end }}
+ optional: true
 {{- with .Values.worker.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/turbinia/values.yaml b/charts/turbinia/values.yaml
index 2c8b53d0..c57aae59 100644
--- a/charts/turbinia/values.yaml
+++ b/charts/turbinia/values.yaml
@@ -13,21 +13,21 @@ global: enabled: false ## @param global.timesketch.servicePort Timesketch service port (overrides `timesketch.service.port`) ## - servicePort: 5000 + servicePort: turbinia: ## @param global.turbinia.enabled Enables the Turbinia deployment (only used within the main OSDFIR Infrastructure Helm chart) ## - enabled: true + enabled: false ## @param global.turbinia.servicePort Turbinia API service port (overrides `turbinia.service.port`) ## - servicePort: 8080 + servicePort: yeti: ## @param global.yeti.enabled Enables the Yeti deployment (only used in the main OSDFIR Infrastructure Helm chart) ## enabled: false ## @param global.yeti.servicePort Yeti API service port (overrides `yeti.api.service.port`) ## - servicePort: 8000 + servicePort: ## @param global.existingPVC Existing claim for Turbinia persistent volume (overrides `persistent.name`) ## existingPVC: "" diff --git a/charts/yeti/Chart.yaml b/charts/yeti/Chart.yaml index 0378794a..d8f401a5 100644 --- a/charts/yeti/Chart.yaml +++ b/charts/yeti/Chart.yaml @@ -1,12 +1,13 @@ apiVersion: v2 name: yeti -version: 0.1.0 +version: 1.0.0 description: A Helm chart for Yeti Kubernetes deployments. keywords: - yeti - dfir - threatintel - threat-hunting +- security home: "https://yeti-platform.io/" dependencies: - condition: redis.enabled @@ -15,10 +16,11 @@ dependencies: repository: https://charts.bitnami.com/bitnami maintainers: - name: Open Source DFIR + email: osdfir-maintainers@googlegroups.com url: https://github.com/google/osdfir-infrastructure sources: - https://github.com/yeti-platform/yeti -- https://yeti-platform.io/ +- https://github.com/google/osdfir-infrastructure appVersion: "latest" annotations: category: Security diff --git a/charts/yeti/README.md b/charts/yeti/README.md index b7342ce2..5f01c707 100644 --- a/charts/yeti/README.md +++ b/charts/yeti/README.md 
@@ -71,11 +71,11 @@ kubectl delete pvc -l release=my-release | Name | Description | Value | | ------------------------------- | -------------------------------------------------------------------------------------------- | ------- | | `global.timesketch.enabled` | Enables the Timesketch deployment (only used in the main OSDFIR Infrastructure Helm chart) | `false` | -| `global.timesketch.servicePort` | Timesketch service port (overrides `timesketch.service.port`) | `5000` | +| `global.timesketch.servicePort` | Timesketch service port (overrides `timesketch.service.port`) | `nil` | | `global.turbinia.enabled` | Enables the Turbinia deployment (only used within the main OSDFIR Infrastructure Helm chart) | `false` | -| `global.turbinia.servicePort` | Turbinia API service port (overrides `turbinia.service.port`) | `8080` | -| `global.yeti.enabled` | Enables the Yeti deployment (only used in the main OSDFIR Infrastructure Helm chart) | `true` | -| `global.yeti.servicePort` | Yeti API service port (overrides `yeti.api.service.port`) | `8000` | +| `global.turbinia.servicePort` | Turbinia API service port (overrides `turbinia.service.port`) | `nil` | +| `global.yeti.enabled` | Enables the Yeti deployment (only used in the main OSDFIR Infrastructure Helm chart) | `false` | +| `global.yeti.servicePort` | Yeti API service port (overrides `yeti.api.service.port`) | `nil` | | `global.existingPVC` | Existing claim for Yeti persistent volume (overrides `persistent.name`) | `""` | | `global.storageClass` | StorageClass for the Yeti persistent volume (overrides `persistent.storageClass`) | `""` | 
@@ -90,8 +90,6 @@ kubectl delete pvc -l release=my-release | `frontend.image.pullPolicy` | Yeti image pull policy | `Always` | | `frontend.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest` | | `frontend.image.imagePullSecrets` | Specify secrets if pulling from a private repository | `[]` | -| `frontend.service.type` | Yeti service type | `ClusterIP` | -| `frontend.service.port` | Yeti service port | `80` | | `frontend.podSecurityContext` | Holds pod-level security attributes and common server container settings | `{}` | | `frontend.securityContext` | Holds security configuration that will be applied to the server container | `{}` | | `frontend.resources.limits` | Resource limits for the frontend container | `{}` | @@ -108,8 +106,6 @@ kubectl delete pvc -l release=my-release | `api.image.pullPolicy` | Yeti image pull policy | `Always` | | `api.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest` | | `api.image.imagePullSecrets` | Specify secrets if pulling from a private repository | `[]` | -| `api.service.type` | Yeti service type | `ClusterIP` | -| `api.service.port` | Yeti service port | `8000` | | `api.podSecurityContext` | Holds pod-level security attributes and common API container settings | `{}` | | `api.securityContext` | Holds security configuration that will be applied to the API container | `{}` | | `api.resources.limits` | Resource limits for the API container | `{}` | 
@@ -141,6 +137,8 @@ kubectl delete pvc -l release=my-release | `serviceAccount.create` | Specifies whether a service account should be created | `true` | | `serviceAccount.annotations` | Annotations to add to the service account | `{}` | | `serviceAccount.name` | The name of the service account to use | `yeti` | +| `service.type` | Yeti service type | `ClusterIP` | +| `service.port` | Yeti service port | `9000` | | `metrics.enabled` | Enables metrics scraping | `true` | | `metrics.port` | Port to scrape metrics from | `9200` | | `persistence.name` | Yeti persistent volume name | `yetivolume` | diff --git a/charts/yeti/templates/NOTES.txt b/charts/yeti/templates/NOTES.txt index d09058d4..2ca9a237 100644 --- a/charts/yeti/templates/NOTES.txt +++ b/charts/yeti/templates/NOTES.txt @@ -9,8 +9,8 @@ To learn more about the release, try: To connect to the Yeti URL, run: - $ kubectl --namespace {{ .Release.Namespace }} port-forward service/{{ include "yeti.fullname" . }} 8000:{{ .Values.frontend.service.port }} - $ echo "Visit http://127.0.0.1:8000 to access Yeti" + $ kubectl --namespace {{ .Release.Namespace }} port-forward service/{{ include "yeti.fullname" . }} {{ include "yeti.service.port" . }}:{{ include "yeti.service.port" . }} + $ echo "Visit http://127.0.0.1:{{ include "yeti.service.port" . }} to access Yeti" Login to Yeti with the User `yeti`. To get your password run: $ kubectl get secret --namespace {{ .Release.Namespace }} {{ include "yeti.fullname" . }}-secret -o jsonpath="{.data.yeti-user}" | base64 -d \ No newline at end of file diff --git a/charts/yeti/templates/api-deployment.yaml b/charts/yeti/templates/api-deployment.yaml index 30489d8a..0ad9a160 100644 --- a/charts/yeti/templates/api-deployment.yaml +++ b/charts/yeti/templates/api-deployment.yaml 
@@ -74,7 +74,7 @@ spec:
 {{- if .Values.metrics.enabled }}
 - containerPort: {{ .Values.metrics.port }}
 {{- end }}
- - containerPort: {{ include "yeti.service.port" . }}
+ - containerPort: 8000
 resources:
 {{- toYaml .Values.api.resources | nindent 12 }}
 volumes:
diff --git a/charts/yeti/templates/api-service.yaml b/charts/yeti/templates/api-service.yaml
index 7723aff9..faad3d45 100644
--- a/charts/yeti/templates/api-service.yaml
+++ b/charts/yeti/templates/api-service.yaml
@@ -8,8 +8,9 @@ metadata:
 spec:
 type: ClusterIP
 ports:
- - port: {{ include "yeti.service.port" . }}
+ - port: 8000
 protocol: TCP
+ targetPort: 8000
 selector:
 app.kubernetes.io/component: api
 {{- include "yeti.selectorLabels" . | nindent 4 }}
\ No newline at end of file
diff --git a/charts/yeti/templates/frontend-deployment.yaml b/charts/yeti/templates/frontend-deployment.yaml
index fb0e0e23..c837b6c7 100644
--- a/charts/yeti/templates/frontend-deployment.yaml
+++ b/charts/yeti/templates/frontend-deployment.yaml
@@ -45,7 +45,7 @@ spec:
 {{- if .Values.metrics.enabled }}
 - containerPort: {{ .Values.metrics.port }}
 {{- end }}
- - containerPort: {{ .Values.frontend.service.port }}
+ - containerPort: 80
 resources:
 {{- toYaml .Values.frontend.resources | nindent 12 }}
 volumes:
diff --git a/charts/yeti/templates/frontend-service.yaml b/charts/yeti/templates/frontend-service.yaml
index f2d3c26b..9c73fafd 100644
--- a/charts/yeti/templates/frontend-service.yaml
+++ b/charts/yeti/templates/frontend-service.yaml
@@ -8,8 +8,9 @@ metadata:
 spec:
 type: ClusterIP
 ports:
- - port: {{ .Values.frontend.service.port }}
+ - port: {{ include "yeti.service.port" . }}
 protocol: TCP
+ targetPort: 80
 selector:
 app.kubernetes.io/component: frontend
 {{- include "yeti.selectorLabels" . | nindent 4 }}
\ No newline at end of file
diff --git a/charts/yeti/templates/gcp/backendconfig.yaml b/charts/yeti/templates/gcp/backendconfig.yaml
index 4010bd31..5aa5acec 100644
--- a/charts/yeti/templates/gcp/backendconfig.yaml
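Review bot: The API container port 8000 is now written as a bare literal in four places — `containerPort: 8000` here, `port: 8000` and `targetPort: 8000` in the api-service.yaml hunk, and twice in the nginx-configmap.yaml hunk — with nothing tying them together once `yeti.service.port` is no longer used for the API. Naming the container port (`- name: http` followed by `containerPort: 8000`) and pointing the Service at `targetPort: http`, or adding a small named template next to `yeti.service.port` for the API port, would keep the Deployment, Service and nginx proxy from drifting apart. The frontend side has the same shape with 80 repeated in frontend-deployment.yaml, frontend-service.yaml and gcp/backendconfig.yaml. The enclosing container spec starts and ends outside the hunk.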
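Review bot: In the frontend-service.yaml hunk the `type: ClusterIP` context line stays a literal, while the values.yaml hunk further down introduces `service.type` with exactly that default, so the new parameter appears to have no consumer in the templates visible here; `type: {{ .Values.service.type }}` on that line would wire it up. api-service.yaml keeps its own literal `type: ClusterIP`, which reads as intentional since the API is reached only through the nginx proxy, but the README now documents `service.type` as if it controlled the exposed Service. The enclosing `spec:` mapping continues outside the hunk.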
+++ b/charts/yeti/templates/gcp/backendconfig.yaml
@@ -13,5 +13,5 @@ spec:
 unhealthyThreshold: 2
 type: HTTP
 requestPath: /login/
- port: {{ .Values.frontend.service.port }}
+ port: 80
 {{- end }}
\ No newline at end of file
diff --git a/charts/yeti/templates/ingress.yaml b/charts/yeti/templates/ingress.yaml
index c3c27ce9..827f1210 100644
--- a/charts/yeti/templates/ingress.yaml
+++ b/charts/yeti/templates/ingress.yaml
@@ -30,12 +30,12 @@ spec:
 service:
 name: {{ include "yeti.fullname" . }}
 port:
- number: {{ .Values.frontend.service.port }}
+ number: {{ include "yeti.service.port" . }}
 defaultBackend:
 service:
 name: {{ include "yeti.fullname" . }} # Name of the Service targeted by the Ingress
 port:
- number: {{ .Values.frontend.service.port }} # Should match the port used by the Service
+ number: {{ include "yeti.service.port" . }} # Should match the port used by the Service
 {{- end }}
 {{- if and .Values.ingress.enabled .Values.ingress.gcp.staticIPV6Name }}
 ---
@@ -66,10 +66,10 @@ spec:
 service:
 name: {{ include "yeti.fullname" . }}
 port:
- number: {{ .Values.frontend.service.port }}
+ number: {{ include "yeti.service.port" . }}
 defaultBackend:
 service:
 name: {{ include "yeti.fullname" . }} # Name of the Service targeted by the Ingress
 port:
- number: {{ .Values.frontend.service.port }} # Should match the port used by the Service
+ number: {{ include "yeti.service.port" . }} # Should match the port used by the Service
 {{- end }}
\ No newline at end of file
diff --git a/charts/yeti/templates/nginx-configmap.yaml b/charts/yeti/templates/nginx-configmap.yaml
index 8a9a7407..a4f753b2 100644
--- a/charts/yeti/templates/nginx-configmap.yaml
+++ b/charts/yeti/templates/nginx-configmap.yaml
@@ -12,11 +12,11 @@ data:
 root /www;
 location /api/v2 {
- proxy_pass http://{{ include "yeti.fullname" . }}-api:{{ include "yeti.service.port" . }};
+ proxy_pass http://{{ include "yeti.fullname" . }}-api:8000;
 }
 location ~(^/docs|^/openapi.json) {
- proxy_pass http://{{ include "yeti.fullname" . }}-api:{{ include "yeti.service.port" . }};
+ proxy_pass http://{{ include "yeti.fullname" . }}-api:8000;
 }
 location / {
diff --git a/charts/yeti/values.yaml b/charts/yeti/values.yaml
index 304dbf37..f9f0ded7 100644
--- a/charts/yeti/values.yaml
+++ b/charts/yeti/values.yaml
@@ -13,21 +13,21 @@ global:
 enabled: false
 ## @param global.timesketch.servicePort Timesketch service port (overrides `timesketch.service.port`)
 ##
- servicePort: 5000
+ servicePort:
 turbinia:
 ## @param global.turbinia.enabled Enables the Turbinia deployment (only used within the main OSDFIR Infrastructure Helm chart)
 ##
 enabled: false
 ## @param global.turbinia.servicePort Turbinia API service port (overrides `turbinia.service.port`)
 ##
- servicePort: 8080
+ servicePort:
 yeti:
 ## @param global.yeti.enabled Enables the Yeti deployment (only used in the main OSDFIR Infrastructure Helm chart)
 ##
- enabled: true
+ enabled: false
 ## @param global.yeti.servicePort Yeti API service port (overrides `yeti.api.service.port`)
 ##
- servicePort: 8000
+ servicePort:
 ## @param global.existingPVC Existing claim for Yeti persistent volume (overrides `persistent.name`)
 ##
 existingPVC: ""
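Review bot: The `## @param global.yeti.servicePort` comment in the values.yaml hunk still says it overrides `yeti.api.service.port`, but that key is deleted by this same commit (the `api.service` block is removed further down in values.yaml and the API Service is now fixed at 8000), so the README generated from these annotations will point readers at a value that no longer exists. The parenthetical should name the key the commit actually introduces, `yeti.service.port`, and "Yeti API service port" should probably just read "Yeti service port" now that the override lands on the frontend Service. The three `servicePort:` lines are left bare, which a YAML loader reads as `null`; that works for a Helm `default`/`if` check, but an explicit `""` or a short `# empty: the chart's own service.port applies` comment would make the intent visible instead of tripping yamllint's empty-values rule.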
@@ -58,15 +58,6 @@ frontend:
 ## - myRegistryKeySecretName
 ##
 imagePullSecrets: []
- ## Service Parameters
- ##
- service:
- ## @param frontend.service.type Yeti service type
- ##
- type: ClusterIP
- ## @param frontend.service.port Yeti service port
- ##
- port: 80
 ## @param frontend.podSecurityContext Holds pod-level security attributes and common server container settings
 ## Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext
 ## ref https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#podsecuritycontext-v1-core
@@ -138,15 +129,6 @@ api:
 ## - myRegistryKeySecretName
 ##
 imagePullSecrets: []
- ## Service Parameters
- ##
- service:
- ## @param api.service.type Yeti service type
- ##
- type: ClusterIP
- ## @param api.service.port Yeti service port
- ##
- port: 8000
 ## @param api.podSecurityContext Holds pod-level security attributes and common API container settings
 ## Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext
 ## ref https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#podsecuritycontext-v1-core
@@ -283,6 +265,15 @@ serviceAccount:
 ## If not set and create is true, a name is generated using the fullname template
 ##
 name: "yeti"
+## Service Parameters
+##
+service:
+ ## @param service.type Yeti service type
+ ##
+ type: ClusterIP
+ ## @param service.port Yeti service port
+ ##
+ port: 9000
 ## Metrics Parameters
 ## IMPORTANT: Yeti utilizes Prometheus to scrape metrics through annotations
 ## Please ensure the Prometheus server is also installed to the cluster for metrics to scrape properly