RELEASE_31 (#43)

OPSWAT · Jul 3, 2024 · a22392a · a22392a
1 parent c754b50
commit a22392a
Show file tree

Hide file tree

Showing 10 changed files with 73 additions and 12 deletions.
diff --git a/example_scripts/core-worker-role-binding.yml b/example_scripts/core-worker-role-binding.yml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
+kind: RoleBinding
+metadata:
+  name: core-worker-global
+  namespace: default
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: default
+roleRef:
+  kind: Role
+  name: core-worker-role
+  apiGroup: rbac.authorization.k8s.io
diff --git a/example_scripts/core-worker-role.yml b/example_scripts/core-worker-role.yml
@@ -0,0 +1,12 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: default
+  name: core-worker-role
+rules:
+- apiGroups: [""] 
+  resources: ["secrets"]
+  verbs: ["create","update","get","list","patch"]
+- apiGroups: [""] 
+  resources: ["pods"]
+  verbs: ["get","list"]
diff --git a/helm_charts/mdcore-aws-eks-values.yml b/helm_charts/mdcore-aws-eks-values.yml
@@ -66,6 +66,11 @@ core_components:
 core_ingress:
   host: <APP_NAMESPACE>-mdcore.k8s
   enabled: false
+  spec_className: true
+  ingress_annotations:
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: ip
+
 
 # enable TLS
 # md-core:

diff --git a/helm_charts/mdcore-import-config-from-nfs-non-root.yml b/helm_charts/mdcore-import-config-from-nfs-non-root.yml
@@ -34,7 +34,7 @@ core_components:
           sizeLimit: 500Mi
     initContainers:
       - name: check-db-ready
-        image: opswat/metadefendercore-debian:5.10.0
+        image: opswat/metadefendercore-debian:5.10.1 
         imagePullPolicy: IfNotPresent
         envFrom:
           - configMapRef:
@@ -43,7 +43,7 @@ core_components:
           'until pg_isready -h $DB_HOST -p $DB_PORT; 
           do echo waiting for database; sleep 2; done;' ]
       - name: copy-config-zip-file
-        image: opswat/metadefendercore-debian:5.10.0
+        image: opswat/metadefendercore-debian:5.10.1 
         imagePullPolicy: IfNotPresent
         envFrom:
           - configMapRef:

diff --git a/helm_charts/mdcore-mdhub-module.yml b/helm_charts/mdcore-mdhub-module.yml
@@ -31,7 +31,7 @@ core_components:
           defaultMode: 0777
     initContainers:
       - name: check-db-ready
-        image: opswat/metadefendercore-debian:5.10.0
+        image: opswat/metadefendercore-debian:5.10.1 
         imagePullPolicy: IfNotPresent
         envFrom:
           - configMapRef:
@@ -40,7 +40,7 @@ core_components:
           'until pg_isready -h $DB_HOST -p $DB_PORT; 
           do echo waiting for database; sleep 2; done;']
       - name: wait-for-hub-services
-        image: opswat/metadefendercore-debian:5.10.0
+        image: opswat/metadefendercore-debian:5.10.1 
         imagePullPolicy: IfNotPresent
         command: [ '/wait-for-hub-services.sh' ]
         volumeMounts:

diff --git a/helm_charts/mdcore/Chart.yaml b/helm_charts/mdcore/Chart.yaml
@@ -1,6 +1,14 @@
 apiVersion: v2
 name: metadefender_core
-description: This is a Helm chart for deploying MetaDefender Core (https://www.opswat.com/products/metadefender/core) in a Kubernetes cluster
+description: | 
+  This is a Helm chart for deploying MetaDefender Core (https://www.opswat.com/products/metadefender/core) in a Kubernetes cluster. 
+
+  Release Notes
+  - MetaDefender Core version 5.10.1
+  - Environment variables to migrate processing history (Pre-steps needed)
+  - Environment variables to enable Licensing Cleanup and examples for Role/Rolebinding
+  - Fixed warning of kubernetes.io/ingress.class annotation for AWS and Azure. Added control flag to still use it for GCP
+
 
 long_description: |
   This chart can deploy the following depending on the provided values:
@@ -42,5 +50,5 @@ long_description: |
   
 type: application
 
-version: 0.0.29
-appVersion: 5.10.0
+version: 0.0.30
+appVersion: 5.10.1
diff --git a/helm_charts/mdcore/templates/ingress-template.yml b/helm_charts/mdcore/templates/ingress-template.yml
@@ -5,7 +5,9 @@ apiVersion: networking.k8s.io/v1
 metadata:
   name: core-ingress
   annotations:
+    {{ if not .Values.core_ingress.spec_className }}
     kubernetes.io/ingress.class: {{ .Values.core_ingress.class }}
+    {{ end }}
     ingress.kubernetes.io/rewrite-target: /
     {{- if .Values.core_ingress.ingress_annotations }}
       {{- toYaml .Values.core_ingress.ingress_annotations | nindent 4 }}
@@ -15,6 +17,9 @@ metadata:
     {{ end }}
 
 spec:
+  {{ if .Values.core_ingress.spec_className }}
+  ingressClassName: {{ .Values.core_ingress.class }}
+  {{ end }}
   {{ if .Values.core_ingress.rules }}
   rules: {{ .Values.core_ingress.rules }}
   {{ else }}

diff --git a/helm_charts/mdcore/values.yaml b/helm_charts/mdcore/values.yaml
@@ -90,7 +90,8 @@ core_ingress:
   service: md-core                  # Service name where the ingress should route to, this should be left unchanged
   port: 8008                        # Port where the ingress should route to
   enabled: false                    # Enable or disable the ingress creation
-  class: nginx                      # Sets the ingress class
+  spec_className: true              # true -> for adding class as spec || false -> for adding class as annotation. false for GKE as it needs to be as annotation.
+  class: ngnix                      # Sets the ingress class (For AWS alb, for GKE gce)
   tls: false                        # Flag for set up tls section in ingress
   secret: mdcore-tls                # SecretName of the tls secret created to be used for ingress
   ingress_annotations: 
@@ -121,6 +122,12 @@ env:                                                            # Set additional
   PROXY_USER: ""            # (optional) Username for proxy authentication
   PROXY_PWD: ""             # (optional) Password for proxy authentication
   PROXY_EXCLUSION: ""       # Not use the proxy server for the addresses starting with the following entries
+  # Licensing CleanUp
+  LICENSING_CLEANUP: "false"
+  # Upgrade Database Flags
+  MDCORE_UPGRADE_FROM_DB_NAME: "metadefender_core"
+  UPGRADE_DB: "false"
+  MIGRATE_HISTORY: "false"  # Only from version 5.10.1 See Pre-steps in docs.opswat.com 
 
 core_components:
   postgres-core:
@@ -146,7 +153,7 @@ core_components:
 
   md-core:
     name: md-core
-    image: opswat/metadefendercore-debian:5.10.0         # Overrides the default docker image for the MD Core service, this value can be changed if you want to set a different version of MD Core
+    image: opswat/metadefendercore-debian:5.10.1         # Overrides the default docker image for the MD Core service, this value can be changed if you want to set a different version of MD Core
     replicas: 1                                         # Sets the number of replicas if you want to have multiple MD Core instances
     env:
       - name: MD_USER
@@ -163,6 +170,14 @@ core_components:
         valueFrom:
           fieldRef:
             fieldPath: metadata.name
+      - name: MY_POD_NAME
+        valueFrom:
+          fieldRef:
+            fieldPath: metadata.name
+      - name: MY_POD_NAMESPACE
+        valueFrom:
+          fieldRef:
+            fieldPath: metadata.namespace
       - name: APIKEY
         valueFrom:
           secretKeyRef:
@@ -235,7 +250,7 @@ core_components:
         maxSurge: 0
     initContainers:
       - name: check-db-ready
-        image: opswat/metadefendercore-debian:5.10.0
+        image: opswat/metadefendercore-debian:5.10.1 
         imagePullPolicy: IfNotPresent
         envFrom:
           - configMapRef:
@@ -267,7 +282,7 @@ core_components:
           defaultMode: 0777
     initContainers:
       - name: wait-for-hub-services
-        image: opswat/metadefendercore-debian:5.10.0
+        image: opswat/metadefendercore-debian:5.10.1 
         imagePullPolicy: IfNotPresent
         command: [ '/wait-for-hub-services.sh' ]
         volumeMounts:

diff --git a/helm_charts/mdss/Chart.yaml b/helm_charts/mdss/Chart.yaml
@@ -32,5 +32,5 @@ long_description: |
 
 type: application
 
-version: 0.0.30
+version: 0.0.31
 appVersion: 3.4.1
diff --git a/terraform/gcloud/main.tf b/terraform/gcloud/main.tf
@@ -33,6 +33,7 @@ resource "google_container_cluster" "primary-autopilot" {
   count    = var.AUTOPILOT_GKE ? 1 : 0
   name     = "mdk8s-${var.cluster_name}-gke"
   location = var.cluster_location
+  deletion_protection = false
 
   network    = google_compute_network.vpc_network.name
   subnetwork = google_compute_subnetwork.subnet.name
@@ -45,6 +46,7 @@ resource "google_container_cluster" "primary" {
   count    = var.AUTOPILOT_GKE ? 0 : 1
   name     = "mdk8s-${var.cluster_name}-gke"
   location = var.cluster_location
+  deletion_protection = false
 
   remove_default_node_pool = true
   initial_node_count       = 1