RELEASE_27 (#38)

OPSWAT · Apr 5, 2024 · 465d4fb · 465d4fb
1 parent 2014676
commit 465d4fb
Show file tree

Hide file tree

Showing 20 changed files with 241 additions and 157 deletions.
diff --git a/helm_charts/icap/Chart.yaml b/helm_charts/icap/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 name: MetaDefender_ICAP_Server
 type: application
-version: 5.4.0
-appVersion: 5.4.0
+version: 5.5.0
+appVersion: 5.5.0
 home: https://docs.opswat.com/mdicap/installation
 keywords:
   - mdicapsrv
@@ -34,4 +34,4 @@ long_description: |
   - Sensitive values (like credentials and keys) are saved in the Kubernetes cluster as secrets and are not deleted when the chart is removed and they can be reused for future deployments
   - Credentials that are not explicitly set (passwords and the api key) and do not already exist as k8s secrets will be randomly generated, if they are set, the respective k8s secret will be updated or created if it doesn't exist
   - **The license key value is mandatory**, if it's left unset or if it's invalid, the MD ICAP Server instance will report as "unhealthy" and it will be restarted
-  - The configured license should have a sufficient number of activations for all pod running MD ICAP Server, each pod counts as 1 activation. Terminating pods will also deactivate the respective MD ICAP Server instance.
+  - The configured license should have a sufficient number of activations for all pod running MD ICAP Server, each pod counts as 1 activation. Terminating pods will also deactivate the respective MD ICAP Server instance.
diff --git a/helm_charts/icap/templates/config-template.yml b/helm_charts/icap/templates/config-template.yml
@@ -26,9 +26,11 @@ data:
   DB_HOST: {{ .Values.icap_components.md_icapsrv.database.db_host | quote }}
   DB_PORT: {{ .Values.icap_components.md_icapsrv.database.db_port | quote }}
   ACCEPT_EULA: {{ .Values.ACCEPT_EULA | quote }}
+  MDICAPSRV_DB_NAME: {{ .Values.db_name | quote }}
 {{- if .Values.olms.enabled }}
 #Integration OLMS
   OLMS_HOST_URL: {{ .Values.olms.olms_host_url | quote }}
+  OLMS_TOKEN: {{ .Values.olms.olms_token | quote }}
   OLMS_REST_PORT: {{ .Values.olms.olms_rest_port | quote }}
   OLMS_SOCKET_PORT: {{ .Values.olms.olms_socket_port | quote }}
   OLMS_RULE: {{ .Values.olms.olms_rule | quote }}
@@ -41,6 +43,10 @@ data:
 {{- end }}
   ENABLE_HEALTHCHECK: {{ .Values.healthcheck.enabled | quote }}
   LOG_LEVEL: info
+  CUSTOM_SECRET: {{ .Values.icap_components.md_icapsrv.custom_secret | quote }}
+# Support customize privavte user
+  IGNITION_JSON: |
+    {"dbserver/private_username":"{{ .Values.mdicapsrv_private_user }}","dbserver/private_password":"{{ .Values.mdicapsrv_private_password }}"}
 # # Uncomment for make ConfigMap for import configuration
 ---
 {{- if .Values.icap_components.md_icapsrv.import_configuration.enabled }}

diff --git a/helm_charts/icap/templates/deployments-template.yml b/helm_charts/icap/templates/deployments-template.yml
@@ -33,6 +33,7 @@ spec:
           {{- toYaml $component.extra_labels | nindent 8 }}
         {{- end }}
     spec:
+      serviceAccountName: {{ .Values.icap_components.md_icapsrv.service_account_name }}
       {{- if $.Values.nodeSelector }}
       nodeSelector:
         {{- toYaml $.Values.nodeSelector | nindent 8 }}

diff --git a/helm_charts/icap/templates/role-binding-template.yml b/helm_charts/icap/templates/role-binding-template.yml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: mdicapsrv-worker-global
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.icap_components.md_icapsrv.service_account_name }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: mdicapsrv-worker-role
diff --git a/helm_charts/icap/templates/role-template.yml b/helm_charts/icap/templates/role-template.yml
@@ -0,0 +1,8 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mdicapsrv-worker-role
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources: ["pods","secrets"]
+  verbs: ["create","update","get","list","patch"]
diff --git a/helm_charts/icap/templates/secret-template.yml b/helm_charts/icap/templates/secret-template.yml
@@ -1,54 +1,9 @@
-# apiVersion: v1
-# kind: Secret
-# metadata:
-#   name: {{ .Values.icap_components.md_icapsrv.tls.https.certSecret }}
-#   namespace: {{ .Release.Namespace }}
-# type: Opaque
-# data:
-#   {{ .Values.icap_components.md_icapsrv.tls.https.certSecretSubPath }}: ""
-# ---
-# apiVersion: v1
-# kind: Secret
-# metadata:
-#   name: {{ .Values.icap_components.md_icapsrv.tls.https.certKeySecret }}
-#   namespace: {{ .Release.Namespace }}
-# type: Opaque
-# data:
-#   {{ .Values.icap_components.md_icapsrv.tls.https.certKeySecretSubPath }}: ""
-# ---
-# apiVersion: v1
-# kind: Secret
-# metadata:
-#   name: {{ .Values.icap_components.md_icapsrv.tls.icaps.certSecret }}
-#   namespace: {{ .Release.Namespace }}
-# type: Opaque
-# data:
-#   {{ .Values.icap_components.md_icapsrv.tls.icaps.certSecretSubPath }}: ""
-# ---
-# apiVersion: v1
-# kind: Secret
-# metadata:
-#   name: {{ .Values.icap_components.md_icapsrv.tls.icaps.certKeySecret }}
-#   namespace: {{ .Release.Namespace }}
-# type: Opaque
-# data:
-#   {{ .Values.icap_components.md_icapsrv.tls.icaps.certKeySecretSubPath }}: ""
-# ---
-# apiVersion: v1
-# kind: Secret
-# metadata:
-#   name: {{ .Values.icap_components.md_icapsrv.tls.nginxs.certSecret }}
-#   namespace: {{ .Release.Namespace }}
-# type: Opaque
-# data:
-#   {{ .Values.icap_components.md_icapsrv.tls.nginxs.certSecretSubPath }}: ""
-# ---
-# apiVersion: v1
-# kind: Secret
-# metadata:
-#   name: {{ .Values.icap_components.md_icapsrv.tls.nginxs.certKeySecret }}
-#   namespace: {{ .Release.Namespace }}
-# type: Opaque
-# data:
-#   {{ .Values.icap_components.md_icapsrv.tls.nginxs.certKeySecretSubPath }}: ""
-# ---
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.icap_components.md_icapsrv.custom_secret }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/resource-policy": keep
+type: Opaque
diff --git a/helm_charts/icap/templates/service-account-template.yml b/helm_charts/icap/templates/service-account-template.yml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.icap_components.md_icapsrv.service_account_name }}
+  namespace: {{ .Release.Namespace }}
diff --git a/helm_charts/icap/values.yaml b/helm_charts/icap/values.yaml
@@ -27,13 +27,19 @@ mdicapsrv_license_key: <SET_LICENSE_KEY_HERE>    # A valid license key, **this v
 ## - if the "mdicapsrv-postgres-cred" secret exists, the values from the secret are used as credentials
 db_user: postgres                      # PostgreSQL database username 
 db_password: postgres                  # PostgreSQL database password, if not set it will be randomly generated
-
+# Support customize the database name. Default is `metadefender_icapsrv`
+db_name: metadefender_icapsrv
+# Support customize privavte user, if not set it will be randomly generated as prefix usr_***
+# mdicapsrv_private_user: postgres
+# mdicapsrv_private_password: postgres
 ## Integration OLMS
+# Required environment variables when enabled set is true: olms_host_url, olms_token, olms_rest_port, olms_socket_port
 olms:
   enabled: false
   olms_host_url: "olms"
-  olms_rest_port: 8040
-  olms_socket_port: 3316 # 3316 is the port default of the socket. If you enabled socket secure connection please change it to 13316
+  olms_token: ""
+  olms_rest_port: ""
+  olms_socket_port: ""
   olms_rule: "Default_Rule"
   olms_comment: ""
 
@@ -114,7 +120,7 @@ icap_components:
   # Init container to check database system is ready to accept connections
     initContainers:
       - name: check-db-ready
-        image: postgres:12.14
+        image: postgres:12.18
         envFrom:
           - configMapRef:
               name: mdicapsrv-env
@@ -130,7 +136,7 @@ icap_components:
             cpu: "100m"       # Maximum cpu limit
     name: md-icapsrv
     # Overrides the default docker image for the MD ICAP Server service, this value can be changed if you want to set a different version of MD ICAP Server
-    image: opswat/metadefendericapsrv-debian:5.4.0
+    image: opswat/metadefendericapsrv-debian:5.5.0
     # Warning: When to use this feature!
     # Sets the number of replicas if you want to have multiple MD ICAP Server instances
     replicas: 1
@@ -169,15 +175,26 @@ icap_components:
           secretKeyRef:
             name: mdicapsrv-postgres-cred
             key: password
+      - name: LICENSING_CLEANUP
+        value: "true"
+      - name: MY_POD_NAME
+        valueFrom:
+          fieldRef:
+            fieldPath: metadata.name
+      - name: MY_POD_NAMESPACE
+        valueFrom:
+          fieldRef:
+            fieldPath: metadata.namespace
+    service_account_name: mdicapsrv-service-account
+    custom_secret: mdicap-licensing
     ## Support set data retention
     data_retention:
       config_history: 168
       processing_history: 168
     import_configuration:
       enabled: false
       targets: 
-        - schema
-        - servers
+        - settings
       ## Support password to encrypt/decrypt exported JSON
       importConfigMap: mdicapsrv-import-configuration
       importConfigPath: /opt/opswat
@@ -270,58 +287,7 @@ icap_components:
       type: RollingUpdate
       rollingUpdate:
         maxSurge: 0
-    sidecars:                  # Configuration for the activation-manager sidecar
-      - name: activation-manager
-        image: alpine
-        resources:
-          requests:
-            memory: "128Mi"    # Minimum reserved memory
-            cpu: "100m"        # Minimum reserved cpu
-          limits:              
-            memory: "128Mi"    # Maximum memory limit
-            cpu: "100m"        # Maximum cpu limit
-        envFrom:
-          - configMapRef:
-              name: mdicapsrv-env
-        env:
-          - name: APIKEY
-            valueFrom:
-              secretKeyRef:
-                name: mdicapsrv-api-key
-                key: value
-          - name: LICENSE_KEY
-            valueFrom:
-              secretKeyRef:
-                name: mdicapsrv-license-key
-                key: value
-        command: ["/bin/sh", "-c"]
-        args:
-          - | 
-            apk add curl jq openssl
-            stop() {
-              echo 'Deactivating using the MD ICAP Server API'
-              curl -H "apikey: $APIKEY" -X POST "https://localhost:$REST_PORT/admin/license/deactivation"
-              echo 'Deactivating using activation server API'
-              curl -X GET "https://$ACTIVATION_SERVER/deactivation?key=$LICENSE_KEY&deployment=$DEPLOYMENT"
-              exit 0
-            }
-            trap stop SIGTERM SIGINT SIGQUIT
 
-            until [ -n $DEPLOYMENT ] && [ $DEPLOYMENT != null ]; do
-              if openssl s_client -connect $MD_BASE_URL:$REST_PORT < /dev/null &> /dev/null; then
-                export PROTOCOL="https"
-              else
-                export PROTOCOL="http"
-              fi
-              echo 'Checking...'
-              export DEPLOYMENT=$(curl --insecure --silent -H "apikey: $APIKEY" "$PROTOCOL://localhost:$REST_PORT/admin/license" | jq -r ".deployment")
-              echo "Deployment ID: $DEPLOYMENT"
-              sleep 1
-            done
-            echo "Waiting for termination signal..."
-            while true; do sleep 1; done
-            echo "MD ICAP Server pod finished, exiting"
-            exit 0
 # nodeSelector is the simplest recommended form of node selection constraint. 
 # You can add the nodeSelector field to your Pod specification and specify the node labels you want the target node to have.
 # Kubernetes only schedules the Pod onto nodes that have each of the labels you specify.

diff --git a/helm_charts/mdcore-import-config-from-nfs-non-root.yml b/helm_charts/mdcore-import-config-from-nfs-non-root.yml
@@ -0,0 +1,65 @@
+CONFIG_IMPORT_FILE: settings_export_package.zip  # config/import_file in IGNITION_JSON
+CONFIG_IMPORT_PASSWORD: <CONFIG_IMPORT_PASSWORD> # config/import_password  in IGNITION_JSON
+
+
+# For using a non-peristent local database uncomment the following variables and change the deploy_with_core_db to false
+#MDCORE_DB_MODE: "1"                 # Database mode
+#MDCORE_DB_TYPE: local              # Database type
+#MDCORE_DB_HOST: localhost       # Hostname / entrypoint of the database, this value should be changed any if using an external database service
+
+# Set to true if the respective database engine should also be deployed
+deploy_with_core_db: true           # Enable or disable the local in-cluster PostgreSQL database
+
+core_components:
+  postgres-core:
+    is_db: true
+#   persistentDir: /var/lib/postgresql/data
+    persistentDir: null
+  md-core:
+    persistentDir: /home/metascan
+    extraVolumeMounts:
+      - name: md-core-store-config
+        mountPath: /opt/ometascan/system/export_config
+    extraVolumes:
+      - nfsShare:
+          name: nfs-store-volume
+          nfs:
+            server: <NFS_SERVER_IP>    # A central NFS server IP to store the configuration zip file
+            path: /
+            readOnly: yes
+      - name: md-core-store-config
+        emptyDir:
+          sizeLimit: 500Mi
+    initContainers:
+      - name: check-db-ready
+        image: opswat/metadefendercore-debian:5.9.0
+        imagePullPolicy: IfNotPresent
+        envFrom:
+          - configMapRef:
+              name: mdcore-env
+        command: [ 'sh', '-c',
+          'until pg_isready -h $DB_HOST -p $DB_PORT; 
+          do echo waiting for database; sleep 2; done;' ]
+      - name: copy-config-zip-file
+        image: opswat/metadefendercore-debian:5.9.0
+        imagePullPolicy: IfNotPresent
+        envFrom:
+          - configMapRef:
+              name: mdcore-import-zip-config
+        command:
+          - /bin/bash
+          - -exc
+          - |
+            cp -f /nfs-store-volume/${CONFIG_IMPORT_FILE} /opt/ometascan/system/export_config/${CONFIG_IMPORT_FILE}
+            ls -la /opt/ometascan/system/export_config
+        volumeMounts:
+          - name: nfs-store-volume
+            mountPath: /nfs-store-volume
+          - name: md-core-store-config
+            mountPath: /opt/ometascan/system/export_config
+      - name: md-core-set-permission
+        image: busybox:latest
+        command: [ "sh","-c","chmod 777 /home/metascan" ]
+        volumeMounts:
+          - name: md-core
+            mountPath: /home/metascan
diff --git a/helm_charts/mdcore-mdhub-module.yml b/helm_charts/mdcore-mdhub-module.yml
@@ -22,6 +22,31 @@ CERT: |                           # Certificate contents (as text) for the MD Na
 ENABLED_MODULES: "mdhub"          # Enabling the MD Hub module will configure and start the redis, rabbitmq, md hub and md nas pods
 
 core_components:
+  md-core:
+    extraVolumes:
+      waitForServicesScript:
+        name: wait-for-hub-services
+        configMap:
+          name:  wait-for-hub-services
+          defaultMode: 0777
+    initContainers:
+      - name: check-db-ready
+        image: opswat/metadefendercore-debian:5.9.0
+        imagePullPolicy: IfNotPresent
+        envFrom:
+          - configMapRef:
+              name: mdcore-env
+        command: ['sh', '-c', 
+          'until pg_isready -h $DB_HOST -p $DB_PORT; 
+          do echo waiting for database; sleep 2; done;']
+      - name: wait-for-hub-services
+        image: opswat/metadefendercore-debian:5.9.0
+        imagePullPolicy: IfNotPresent
+        command: [ '/wait-for-hub-services.sh' ]
+        volumeMounts:
+          - name:  wait-for-hub-services
+            mountPath: /wait-for-hub-services.sh
+            subPath: wait-for-hub-services.sh
   md-hub:
     ports:
       - port: 8889

diff --git a/helm_charts/mdcore/Chart.yaml b/helm_charts/mdcore/Chart.yaml
@@ -42,4 +42,4 @@ long_description: |
   
 type: application
 
-version: 5.8.0
+version: 5.9.0
Original file line number	Diff line number	Diff line change
Expand Up		@@ -42,4 +42,4 @@ long_description: \|

		type: application

		version: 5.8.0
		version: 5.9.0