Merge pull request #2576 from jtyr/jtyr-snyk

[snyk-exporter] Adding new Helm chart
grafana · Aug 18, 2023 · e5f1e9c · e5f1e9c
2 parents c539d6a + 8a38fe0
commit e5f1e9c
Show file tree

Hide file tree

Showing 11 changed files with 493 additions and 0 deletions.
diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
@@ -67,5 +67,8 @@ jobs:
           if [[ "$changed" == "charts/enterprise-metrics" ]]; then
             # Do not run `ct install` for enterprise-metrics
             exit 0
+          elif [[ "$changed" == "charts/snyk-exporter" ]]; then
+            # Do not run `ct install` for snyk-exporter as it requires Snyk API token
+            exit 0
           fi
           ct install --config "${CT_CONFIGFILE}"
diff --git a/charts/snyk-exporter/Chart.yaml b/charts/snyk-exporter/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+name: snyk-exporter
+description: Prometheus exporter for Snyk.
+version: 0.1.0
+appVersion: v1.4.1
+home: https://github.com/grafana/snyk_exporter
+icon: https://res.cloudinary.com/snyk/image/upload/v1537346326/press-kit/brand/avatar.png
+maintainers:
+  - name: jtyr
+    email: [email protected]
diff --git a/charts/snyk-exporter/README.md b/charts/snyk-exporter/README.md
@@ -0,0 +1,80 @@
+# snyk-exporter
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: v1.4.1](https://img.shields.io/badge/AppVersion-v1.4.1-informational?style=flat-square)
+
+Prometheus exporter for Snyk.
+
+## Usage
+
+The Helm chart can be installed like this:
+
+```shell
+helm upgrade --install myrelease .
+```
+
+The Helm chart can be configured by providing an extra values:
+
+```shell
+cat <<END | helm upgrade --install --values - myrelease .
+# This is an example how to configure the Snyk exporter for kube-prometheus-stack
+exporter:
+  apiToken: 87654321-432104321-4321-210987654321
+  organizations:
+    - 12345678-1234-1234-1234-123456789012
+  origins:
+    - kubernetes
+  projectFilter: attributes.imageCluster=my-prod-cluster
+  timeout: 30
+END
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | Pod affinity |
+| exporter.apiToken | string | `nil` | Snyk API token. This must be provided if `secret.create: true`. |
+| exporter.apiURL | string | `nil` | Snyk API URL (legacy). If not specified, `https://snyk.io/api/v1` is used by default. |
+| exporter.argsFile | string | `nil` | Path to the file containing commandline arguments insude the container |
+| exporter.extraArgs | list | `[]` | List of extra command line arguments to pass to the exporter |
+| exporter.interval | string | `nil` | Polling interval for requesting data from Snyk API in seconds. If not specified, `600` is used by default. |
+| exporter.logFormat | string | `nil` | Log target and format |
+| exporter.logLevel | string | `nil` | Log level (`debug`, `info`, `warn`, `error` or `fatal`). If not set, `info` is used by default. |
+| exporter.organizations | list | `[]` | List of Snyk organization IDs. If not specified, all organizations will be scraped. |
+| exporter.origins | list | `[]` | List of Snyk project origins. If not specified, all origins will be scraped. |
+| exporter.port | int | `9532` | Metrics port number for the exporter |
+| exporter.projectFilter | string | `nil` | Project filter (e.g. `attributes.imageCluster=mycluster`) |
+| exporter.restAPIURL | string | `nil` | Snyk REST API URL. If not specified, `https://api.snyk.io/rest` is used by default. |
+| exporter.restAPIVersion | string | `nil` | Snyk REST API Version. If not set, `2023-06-22` is used by default. |
+| exporter.targets | list | `[]` | List of Snyk targets. If not specified, all targets will be scraped. |
+| exporter.timeout | string | `nil` | Timeout for requests against Snyk API in seconds. If not specified, `10` is used by default. |
+| fullnameOverride | string | `nil` | Helm chart full name override |
+| image.pullPolicy | string | `"IfNotPresent"` | Docker image pull policy |
+| image.repository | string | `"grafana/snyk_exporter"` | Docker image registry where the Docker image resides |
+| image.tag | string | `nil` | Docker image tag. If not specified, the chart `appVersion` is used by default. |
+| imagePullSecrets | list | `[]` | List of Docker image pull sercrets |
+| nameOverride | string | `nil` | Helm chart name override |
+| nodeSelector | object | `{}` | Node selector |
+| podAnnotations | object | `{}` | Pod annotations |
+| podSecurityContext | object | See the [`values.yaml`](values.yaml) file | Pod security context |
+| replicas | int | `1` | Number of replicas to run |
+| resources | object | `{}` | Pod resources |
+| secret.annotations | object | `{}` |  |
+| secret.asEnv | bool | `true` | Whether the Snyk API token from the secret should be used as environment variable |
+| secret.create | bool | `true` | Whether the secret holding the Snyk API key will be created or not |
+| secret.key | string | `"snykApiToken"` | Key under which the Snyk API key will be stored in the Secret |
+| secret.labels | object | `{}` | Labels for the secret |
+| secret.name | string | `""` | Name of the secret. Automatically generated if not set. |
+| securityContext | object | See the [`values.yaml`](values.yaml) file | Container security context |
+| service.port | string | `nil` | Service port. If not specified, the `exporter.port` is used by default. |
+| service.type | string | `"ClusterIP"` | Service type |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `nil` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| serviceMonitor.create | bool | `false` | Whether the Prometheus `ServiceMonitor` will be created or not |
+| serviceMonitor.interval | string | `nil` | Metrics scrape interval |
+| serviceMonitor.labels | object | `{}` | Labels applied to the `ServiceMonitor` resource |
+| serviceMonitor.metricRelabelings | list | `[]` | List of metric relabelings |
+| serviceMonitor.relabelings | list | `[]` | List of relabelings |
+| serviceMonitor.scrapeTimeout | string | `nil` | Metrics scrape timeout |
+| tolerations | list | `[]` | Pod tolerations |
diff --git a/charts/snyk-exporter/README.md.gotmpl b/charts/snyk-exporter/README.md.gotmpl
@@ -0,0 +1,31 @@
+{{ template "chart.header" . }}
+
+{{ template "chart.badgesSection" . }}
+
+{{ template "chart.description" . }}
+
+## Usage
+
+The Helm chart can be installed like this:
+
+```shell
+helm upgrade --install myrelease .
+```
+
+The Helm chart can be configured by providing an extra values:
+
+```shell
+cat <<END | helm upgrade --install --values - myrelease .
+# This is an example how to configure the Snyk exporter for kube-prometheus-stack
+exporter:
+  apiToken: 87654321-432104321-4321-210987654321
+  organizations:
+    - 12345678-1234-1234-1234-123456789012
+  origins:
+    - kubernetes
+  projectFilter: attributes.imageCluster=my-prod-cluster
+  timeout: 30
+END
+```
+
+{{ template "chart.valuesSection" . }}
diff --git a/charts/snyk-exporter/templates/_helpers.tpl b/charts/snyk-exporter/templates/_helpers.tpl
@@ -0,0 +1,69 @@
+{{/*
+Expand the name of the chart
+*/}}
+{{- define "this.name" }}
+  {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "this.fullname" }}
+  {{- if .Values.fullnameOverride }}
+    {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- $name := default .Chart.Name .Values.nameOverride }}
+    {{- if contains $name .Release.Name }}
+      {{- .Release.Name | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+      {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label
+*/}}
+{{- define "this.chart" }}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "this.labels" -}}
+helm.sh/chart: {{ include "this.chart" . }}
+{{ include "this.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "this.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "this.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "this.serviceAccountName" }}
+  {{- if .Values.serviceAccount.create }}
+    {{- default (include "this.fullname" .) .Values.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.serviceAccount.name }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Secret name
+*/}}
+{{- define "this.secretName" }}
+  {{- default (include "this.fullname" .) .Values.secret.name }}
+{{- end }}
diff --git a/charts/snyk-exporter/templates/deployment.yaml b/charts/snyk-exporter/templates/deployment.yaml
@@ -0,0 +1,107 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "this.fullname" . }}
+  labels: {{- include "this.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicas }}
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+      maxSurge: 1
+  selector:
+    matchLabels: {{- include "this.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels: {{- include "this.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ template "this.serviceAccountName" . }}
+      {{- with .Values.podSecurityContext }}
+      securityContext: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          {{- with .Values.securityContext }}
+          securityContext: {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            {{- with .Values.exporter.apiURL }}
+            - --snyk.api-url={{ . }}
+            {{- end }}
+            {{- with .Values.exporter.restAPIURL }}
+            - --snyk.rest-api-url={{ . }}
+            {{- end }}
+            {{- with .Values.exporter.restAPIVersion }}
+            - --snyk.rest-api-version={{ . }}
+            {{- end }}
+            {{- with .Values.exporter.interval }}
+            - --snyk.interval={{ . }}
+            {{- end }}
+            {{- range .Values.exporter.organizations }}
+            - --snyk.organization={{ . }}
+            {{- end }}
+            {{- range .Values.exporter.targets }}
+            - --snyk.target={{ . }}
+            {{- end }}
+            {{- range .Values.exporter.origins }}
+            - --snyk.origin={{ . }}
+            {{- end }}
+            {{- with .Values.exporter.projectFilter }}
+            - --snyk.project-filter={{ . }}
+            {{- end }}
+            {{- with .Values.exporter.timeout }}
+            - --snyk.timeout={{ . }}
+            {{- end }}
+            - --web.listen-address=:{{ .Values.exporter.port }}
+            {{- with .Values.exporter.logLevel }}
+            - --log.level={{ . }}
+            {{- end }}
+            {{- with .Values.exporter.logFormat }}
+            - --log.format={{ . }}
+            {{- end }}
+            {{- with .Values.exporter.argsFile }}
+            - {{ printf "@%s" . | quote }}
+            {{- end }}
+            {{- range .Values.exporter.extraArgs }}
+            - {{ . }}
+            {{- end }}
+          {{- if or (and .Values.secret.asEnv .Values.secret.create .Values.exporter.apiToken) (and .Values.secret.asEnv (not .Values.secret.create)) }}
+          env:
+            - name: SNYK_API_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "this.secretName" . }}
+                  key: {{ .Values.secret.key }}
+          {{- end }}
+          ports:
+            - name: metrics
+              containerPort: {{ .Values.exporter.port }}
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: metrics
+          {{- with .Values.resources }}
+          resources: {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations: {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/charts/snyk-exporter/templates/secret.yaml b/charts/snyk-exporter/templates/secret.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.secret.create .Values.exporter.apiToken }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "this.secretName" . }}
+  labels: {{- (mergeOverwrite (include "this.labels" . | fromYaml) .Values.secret.labels) | toYaml | nindent 4 }}
+  {{- with .Values.secret.annotations }}
+  annotations: {{- . | nindent 4 }}
+  {{- end }}
+data:
+  {{ .Values.secret.key }}: {{ .Values.exporter.apiToken | toString | b64enc }}
+{{- end }}
diff --git a/charts/snyk-exporter/templates/service.yaml b/charts/snyk-exporter/templates/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "this.fullname" . }}
+  labels: {{- include "this.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ default .Values.exporter.port .Values.service.port }}
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+  selector: {{- include "this.selectorLabels" . | nindent 4 }}
diff --git a/charts/snyk-exporter/templates/serviceaccount.yaml b/charts/snyk-exporter/templates/serviceaccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "this.serviceAccountName" . }}
+  labels: {{- include "this.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/snyk-exporter/templates/servicemonitor.yaml b/charts/snyk-exporter/templates/servicemonitor.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.serviceMonitor.create }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "this.fullname" . }}
+  labels: {{- (merge (include "this.labels" . | fromYaml) .Values.serviceMonitor.labels) | toYaml | nindent 4 }}
+spec:
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels: {{- include "this.selectorLabels" . | nindent 4 }}
+  endpoints:
+    - port: metrics
+      {{- with .Values.serviceMonitor.interval }}
+      interval: {{ . | quote }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . | quote }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.relabelings }}
+      relabelings: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.metricRelabelings }}
+      metricRelabelings: {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}