From 56b251a396a330da158f0d44580ca9528950ca59 Mon Sep 17 00:00:00 2001 From: Max Brain Date: Wed, 28 Aug 2024 15:15:24 -0500 Subject: [PATCH] Adds Helm Module to install Rad through a Terraform Module Signed-off-by: Max Brain --- .github/auto_assign.yml | 3 + .github/workflows/assign-bot.yml | 10 ++ .github/workflows/pre-commit.yml | 17 ++ .github/workflows/release.yml | 33 ++++ .pre-commit-config.yaml | 22 +++ .releaserc.json | 45 +++++ CODEOWNERS | 1 + README.md | 148 +++++++++++++++- example/main.tf | 26 +++ example/values.yaml | 290 +++++++++++++++++++++++++++++++ local.tf | 3 + main.tf | 122 +++++++++++++ outputs.tf | 7 + renovate.json | 6 + variables.tf | 82 +++++++++ 15 files changed, 814 insertions(+), 1 deletion(-) create mode 100644 .github/auto_assign.yml create mode 100644 .github/workflows/assign-bot.yml create mode 100644 .github/workflows/pre-commit.yml create mode 100644 .github/workflows/release.yml create mode 100644 .pre-commit-config.yaml create mode 100644 .releaserc.json create mode 100644 CODEOWNERS create mode 100644 example/main.tf create mode 100644 example/values.yaml create mode 100644 local.tf create mode 100644 main.tf create mode 100644 outputs.tf create mode 100644 renovate.json create mode 100644 variables.tf diff --git a/.github/auto_assign.yml b/.github/auto_assign.yml new file mode 100644 index 0000000..3d823d7 --- /dev/null +++ b/.github/auto_assign.yml @@ -0,0 +1,3 @@ +addReviewers: true +reviewers: + - rad-security/engineering diff --git a/.github/workflows/assign-bot.yml b/.github/workflows/assign-bot.yml new file mode 100644 index 0000000..0f8d568 --- /dev/null +++ b/.github/workflows/assign-bot.yml @@ -0,0 +1,10 @@ +name: 'Auto Assign' +on: + pull_request: + types: [opened, ready_for_review] + +jobs: + add-reviews: + runs-on: ubuntu-latest + steps: + - uses: kentaro-m/auto-assign-action@v1.2.5 diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml new file mode 100644 index 0000000..195fc49 
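Review bot: `kentaro-m/auto-assign-action@v1.2.5` in assign-bot.yml is pinned by a mutable tag, as are `actions/checkout@v3` and `cycjimmy/semantic-release-action@v2` in pre-commit.yml and release.yml and the `ksoc/terraform-toolkit:1.0.8` job container; pinning each action to a full commit SHA (tag kept in a trailing comment) and the container to a digest removes the tag-retarget exposure, which matters most for release.yml since that job can push to `main` with `SEMANTIC_RELEASE_TOKEN`. assign-bot.yml and release.yml also declare no top-level `permissions:` block, so their job token inherits the repository default rather than the minimum; pre-commit.yml already does this with `contents: read`, and the other two should do the same, e.g. `permissions:` / `  pull-requests: write` for the assign job.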
--- /dev/null
+++ b/.github/workflows/pre-commit.yml
@@ -0,0 +1,17 @@
+name: checks
+
+on:
+ pull_request:
+
+jobs:
+
+ pre-commit:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ container: ksoc/terraform-toolkit:1.0.8
+ steps:
+ - name: clone repo
+ uses: actions/checkout@v3
+ - name: pre-commit checks
+ run: pre-commit-checks
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..a6dc2e3
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,33 @@
+name: Release
+
+on:
+ push:
+ branches:
+ - main
+ - master
+ paths:
+ - '**/*.tpl'
+ - '**/*.py'
+ - '**/*.tf'
+ - '.github/workflows/release.yml'
+
+jobs:
+ release:
+ name: Release
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ persist-credentials: false
+ fetch-depth: 0
+ - name: Release
+ uses: cycjimmy/semantic-release-action@v2
+ with:
+ semantic_version: 18.0.0
+ extra_plugins: |
+ @semantic-release/changelog@6.0.0
+ @semantic-release/git@10.0.0
+ conventional-changelog-conventionalcommits@4.6.3
+ env:
+ GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..69ed3af
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,22 @@
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.0.1
+ hooks:
+ - id: fix-byte-order-marker
+ - id: check-case-conflict
+ - id: check-merge-conflict
+ - id: detect-aws-credentials
+ args: ['--allow-missing-credentials']
+ - id: detect-private-key
+ - id: end-of-file-fixer
+ - id: mixed-line-ending
+ - id: trailing-whitespace
+ - repo: https://github.com/antonbabenko/pre-commit-terraform.git
+ rev: v1.52.0
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_docs
+ - repo: https://github.com/gruntwork-io/pre-commit
+ rev: v0.1.16
+ hooks:
+ - id: shellcheck
diff --git a/.releaserc.json b/.releaserc.json
new file mode 100644
index 0000000..66b3eef
--- /dev/null +++ b/.releaserc.json @@ -0,0 +1,45 @@ +{ + "branches": [ + "main", + "master" + ], + "ci": false, + "plugins": [ + [ + "@semantic-release/commit-analyzer", + { + "preset": "conventionalcommits" + } + ], + [ + "@semantic-release/release-notes-generator", + { + "preset": "conventionalcommits" + } + ], + [ + "@semantic-release/github", + { + "successComment": "This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:", + "labels": false, + "releasedLabels": false + } + ], + [ + "@semantic-release/changelog", + { + "changelogFile": "CHANGELOG.md", + "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file." + } + ], + [ + "@semantic-release/git", + { + "assets": [ + "CHANGELOG.md" + ], + "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" + } + ] + ] +} diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..b766d71 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ +* @rad-security/engineering diff --git a/README.md b/README.md index 59dc7d2..fc49f02 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,148 @@ # terraform-helm-rad-security-plugins -A terraform module for installing Rad Security plugins +A terraform module for installing Rad Security Plugins through Terraform. + +## Description + +This module provides a flexible way to deploy Rad Security plugins using Helm. It allows you to configure various components of the Rad Security suite, including Guard, SBOM, Sync, Watch, Node Agent, and K9. + +Rad Security currently requires Cert Manager to be installed prior to installing the plugins. This can be disabled by setting `install_cert_manager` to `false`. + +## Features + +- Automatic cluster API key generation +- Optional installation of cert-manager +- Installs Rad Security plugins using Helm +- Configurable components of the Rad Security plugins (Guard, SBOM, Sync, Watch, Node Agent, K9) + +## Usage +To use this module, two providers are required. The `rad-security` provider and the `helm` provider. + +To configure the `rad-security` provider, the cloud api keys must be provided. + +```hcl +provider "rad-security" { + access_key_id = "YOUR_ACCESS_KEY_ID" + secret_key = "YOUR_SECRET_KEY" +} +``` + +The second provider is the `helm` provider. This provider requires a kubernetes configuration. This can be provided in multiple ways. Here are two examples of configuring the helm provider. + +1. By using the `config_path` attribute to point to a local kubeconfig file. +2. By providing the kubernetes host, token, and cluster_ca_certificate. + +### Local Kubeconfig +```hcl +provider "helm" { + kubernetes { + config_path = "~/.kube/config" + } +} +``` + +### AWS EKS +```hcl +provider "helm" { + kubernetes { + host = module.eks_cluster.eks_cluster_endpoint + token = data.aws_eks_cluster_auth.kubernetes.token + cluster_ca_certificate = base64decode(module.eks_cluster.eks_cluster_certificate_authority_data) + } +} +``` + +## Additional Usecases + +The namespace and service account name for SBOM is exported as outputs. 
This allows for easy integration with IRSA or EKS Pod Identity. + +EKS Pod Identity: + +```hcl +resource "aws_eks_pod_identity_association" "rad_sbom" { + cluster_name = aws_eks_cluster.example.name + namespace = module.rad_plugin.rad_plugin_namespace + service_account = module.rad_plugin.sbom_service_account_name + role_arn = aws_iam_role.example.arn +} + +IRSA: +```hcl + +module "iam_assumable_role_example" { + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" + version = "3.6.0" + create_role = true + role_name = local.example_role_name + provider_url = replace(module.eks.cluster_oidc_issuer_url, "https://", "") + role_policy_arns = [aws_iam_policy.cluster_autoscaler.arn] + oidc_fully_qualified_subjects = ["system:serviceaccount:${module.rad_plugin.rad_plugin_namespace}:${module.rad_plugin.sbom_service_account_name}"] +} + + +module "rad_install" { + source = "../" + # version = "1.0.0" + + install_cert_manager = true + + cluster_name = "Example" + + helm_settings = [{ + name = "ksocSbom.serviceAccount.annotations.eks.amazonaws.com/role-arn" + value = module.iam_assumable_role_example.iam_role_arn + type = "string" + }] + + plugin_configuration_file = ["${file("./values.yaml")}"] +} +``` + + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [helm](#provider\_helm) | n/a | +| [rad-security](#provider\_rad-security) | n/a | + +## Modules + +No modules. 
+ +## Resources + +| Name | Type | +|------|------| +| [helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.plugins](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [rad-security_cluster_api_key.this](https://registry.terraform.io/providers/hashicorp/rad-security/latest/docs/resources/cluster_api_key) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cluster\_name](#input\_cluster\_name) | Cluster Name to use within the Rad Platform | `string` | `""` | no | +| [enable\_guard](#input\_enable\_guard) | Toggles the Guard component | `bool` | `true` | no | +| [enable\_k9](#input\_enable\_k9) | Toggles the K9 component | `bool` | `false` | no | +| [enable\_node\_agent](#input\_enable\_node\_agent) | Toggles the Node Agent component | `bool` | `false` | no | +| [enable\_openshift](#input\_enable\_openshift) | Toggles support for OpenShift | `bool` | `false` | no | +| [enable\_sbom](#input\_enable\_sbom) | Toggles the SBOM component | `bool` | `true` | no | +| [enable\_sync](#input\_enable\_sync) | Toggles the Sync component | `bool` | `true` | no | +| [enable\_watch](#input\_enable\_watch) | Toggles the Watch component | `bool` | `true` | no | +| [helm\_settings](#input\_helm\_settings) | List of Helm configuration values to set |
list(object({
name = string
value = string
type = string
}
))
| `[]` | no |
+| [install\_cert\_manager](#input\_install\_cert\_manager) | Set to toggle the installation of cert-manager before the installation of plugins | `bool` | `true` | no |
+| [plugin\_configuration\_file](#input\_plugin\_configuration\_file) | Location of the values.yaml file to use with rad plugins | `list(string)` | `[]` | no |
+| [rad\_plugin\_namespace](#input\_rad\_plugin\_namespace) | Namespace to install the Rad Platform plugins into | `string` | `"ksoc"` | no |
+| [rad\_plugin\_version](#input\_rad\_plugin\_version) | Helm chart version to use | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [rad\_plugin\_namespace](#output\_rad\_plugin\_namespace) | n/a |
+| [sbom\_service\_account\_name](#output\_sbom\_service\_account\_name) | n/a |
+
diff --git a/example/main.tf b/example/main.tf
new file mode 100644
index 0000000..c21dc29
--- /dev/null
+++ b/example/main.tf
@@ -0,0 +1,26 @@
+provider "rad-security" {
+ access_key_id = "YOUR_ACCESS_KEY_HERE"
+ secret_key = "YOUR_SECRET_KEY_HERE"
+}
+
+provider "helm" {
+
+}
+
+
+module "rad_install" {
+ source = "../"
+ # version = "1.0.0"
+
+ install_cert_manager = true
+
+ cluster_name = "Example Cluster"
+
+ helm_settings = [{
+ name = "ksocSync.resources.limits.cpu"
+ value = "500m"
+ type = "string"
+ }]
+
+ plugin_configuration_file = ["${file("./values.yaml")}"]
+}
diff --git a/example/values.yaml b/example/values.yaml
new file mode 100644
index 0000000..f0d0361
--- /dev/null
+++ b/example/values.yaml
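Review bot: The `rad-security` provider block at the top of example/main.tf carries the cloud credentials as string literals (`access_key_id = "YOUR_ACCESS_KEY_HERE"`), and since the README points users at this example, the copied file is the usual route for real keys to land in version control. Prefer `variable "rad_access_key_id" { type = string, sensitive = true }` (and the same for the secret key) referenced from the provider block, or whatever environment-variable source the provider supports, so the example never has a slot for a literal secret. `plugin_configuration_file = ["${file("./values.yaml")}"]` is an interpolation-only wrapper that Terraform warns about; `[file("./values.yaml")]` is equivalent.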
@@ -0,0 +1,290 @@ +# This is an example copied directly from the default values within the Helm Chart. + +ksoc: + # -- The combined API key to authenticate with KSOC + apiKey: "" + # -- The base URL for the KSOC API. + apiUrl: https://api.ksoc.com + # -- The ID of the Access Key used in this cluster (base64). + base64AccessKeyId: "" + # -- The secret key part of the Access Key used in this cluster (base64). + base64SecretKey: "" + # -- The name of the cluster you want displayed in KSOC. + clusterName: "" + # -- The name of the custom secret containing Access Key. + accessKeySecretNameOverride: "" + # -- Enable seccompProfile for all KSOC pods + seccompProfile: + enabled: true + +workloads: + # -- Whether to disable service mesh integration. + disableServiceMesh: true + # -- The image pull secret name to use to pull container images. + imagePullSecretName: "" + +priorityClass: + enabled: false + name: ksoc-priority + value: 1000000000 + globalDefault: false + description: "The priority class for KSOC components" + preemptionPolicy: PreemptLowerPriority + +ksocBootstrapper: + image: + # -- The image to use for the ksoc-bootstrapper deployment (located at https://console.cloud.google.com/gcr/images/ksoc-public/us/ksoc-bootstrapper). + repository: us.gcr.io/ksoc-public/ksoc-bootstrapper + tag: v1.1.6 + env: {} + resources: + limits: + cpu: 100m + memory: 64Mi + ephemeral-storage: 100Mi + requests: + cpu: 50m + memory: 32Mi + ephemeral-storage: 100Mi + podAnnotations: {} + nodeSelector: {} + tolerations: [] + +ksocGuard: + enabled: true + image: + # -- The image to use for the ksoc-guard deployment (located at https://console.cloud.google.com/gcr/images/ksoc-public/us/ksoc-guard). + repository: us.gcr.io/ksoc-public/ksoc-guard + tag: v1.1.10 + config: + # -- Whether to block on error. + BLOCK_ON_ERROR: false + # -- Whether to block on policy violation. + BLOCK_ON_POLICY_VIOLATION: false + # -- Whether to block on timeout. 
+ BLOCK_ON_TIMEOUT: false + # -- Whether to enable warning logs. + ENABLE_WARNING_LOGS: false + # -- The log level to use. + LOG_LEVEL: info + resources: + requests: + memory: 100Mi + cpu: 100m + ephemeral-storage: 100Mi + limits: + memory: 500Mi + cpu: 500m + ephemeral-storage: 1Gi + podAnnotations: {} + replicas: 1 + webhook: + objectSelector: {} + timeoutSeconds: 10 + nodeSelector: {} + tolerations: [] + +ksocSbom: + enabled: true + image: + # -- The image to use for the ksoc-sbom deployment (located at https://console.cloud.google.com/gcr/images/ksoc-public/us/ksoc-sbom). + repository: us.gcr.io/ksoc-public/ksoc-sbom + tag: v1.1.20 + env: + # -- Whether to mutate the image in pod spec by adding digest at the end. By default, digests are added to images to ensure + # that the image that runs in the cluster matches the digest of the build. Disable this if your continuous deployment + # reconciler requires a strict image tag match. + MUTATE_IMAGE: true + # -- Whether to mutate the annotations in pod spec by adding images digests. Annotations can be used to track image + # digests in addition to, or instead of the image tag mutation. + MUTATE_ANNOTATIONS: false + # -- The format of the generated SBOM. Currently we support: syft-json,cyclonedx-json,spdx-json + SBOM_FORMAT: cyclonedx-json + # -- The log level to use. Options are trace, debug, info, warn, error + LOG_LEVEL: info + resources: + requests: + cpu: 500m + memory: 1Gi + ephemeral-storage: 1Gi + limits: + cpu: 1000m + memory: 2Gi + # -- The ephemeral storage limit is set to 25Gi to cache and reuse image layers for the sbom generation. + ephemeral-storage: 25Gi + podAnnotations: {} + webhook: + timeoutSeconds: 10 + nodeSelector: {} + tolerations: [] + +ksocSync: + enabled: true + image: + # -- The image to use for the ksoc-sync deployment (located at https://console.cloud.google.com/gcr/images/ksoc-public/us/ksoc-sync). 
+ repository: us.gcr.io/ksoc-public/ksoc-sync + tag: v1.1.7 + env: {} + resources: + limits: + cpu: 200m + memory: 256Mi + ephemeral-storage: 1Gi + requests: + cpu: 100m + memory: 128Mi + ephemeral-storage: 100Mi + podAnnotations: {} + nodeSelector: {} + tolerations: [] + +ksocWatch: + enabled: true + image: + # -- The image to use for the ksoc-watch deployment (located at https://console.cloud.google.com/gcr/images/ksoc-public/us/ksoc-watch). + repository: us.gcr.io/ksoc-public/ksoc-watch + tag: v1.1.20 + env: + # -- Whether to trigger reconciliation at startup. + RECONCILIATION_AT_START: false + resources: + limits: + cpu: 250m + memory: 512Mi + ephemeral-storage: 1Gi + requests: + cpu: 100m + memory: 128Mi + ephemeral-storage: 100Mi + podAnnotations: {} + nodeSelector: {} + tolerations: [] + + # -- If set will allow ingesting Custom Resources specified in `customResourceRules` + ingestCustomResources: false + # -- Rules for Custom Resource ingestion containing allow- and denylists of rules specifying `apiGroups` and `resources`. + # E.g. `allowlist: apiGroups: ["custom.com"], resources: ["someResource", "otherResoure"]` + # Wildcards (`*`) can be used to match all. + # `customResourceRules.denylist` sets resources that should not be ingested. It has a priority over `customResourceRules.allowlist` to + # deny resources allowed using a wildcard (`*`) match. + # E.g. you can use `allowlist: apiGroups: ["custom.com"], resources: ["*"], denylist: apiGroups: ["custom.com"], resources: "excluded"` + # to ingest all resources within `custom.com` group but `excluded`. 
+ customResourceRules: + allowlist: [] + denylist: [] + +ksocNodeAgent: + enabled: false + reachableVulnerabilitiesEnabled: false + image: + repository: us.gcr.io/ksoc-public/ksoc-node-agent + tag: v0.0.18 + agent: + env: + AGENT_LOG_LEVEL: INFO + AGENT_TRACER_IGNORE_NAMESPACES: | + cert-manager, + ksoc, + kube-node-lease, + kube-public, + kube-system + resources: + limits: + cpu: 200m + memory: 1Gi + ephemeral-storage: 1Gi + requests: + cpu: 100m + memory: 128Mi + ephemeral-storage: 100Mi + hostPID: false + collectors: + # An absolute path to the runc binary executable. + runtimePath: "" + docker: + enabled: false + socket: /run/docker.sock + containerd: + enabled: true + socket: /run/containerd/containerd.sock + mounts: + # A list of volumes you want to add to the agent pods. + volumes: [] + # A list of volume mounts you want to add to the agent pods. + volumeMounts: [] + eventQueueSize: 20000 + grpcServerBatchSize: 2000 + exporter: + env: + EXPORTER_LOG_LEVEL: INFO + + # -- Allows to specify wildcard rules for filtering command arguments. + execFilters: [] + + resources: + limits: + cpu: 500m + memory: 1Gi + ephemeral-storage: 1Gi + requests: + cpu: 100m + memory: 128Mi + ephemeral-storage: 100Mi + nodeSelector: {} + nodeName: "" + tolerations: [] + updateStrategy: + type: RollingUpdate + rollingUpdate: + # -- The maximum number of pods that can be unavailable during the update. Can be an absolute number or percent, e.g. `5` or `"10%"` + maxUnavailable: 1 + # -- The maximum number of pods that can be scheduled above the desired number of pods. Can be an absolute number or percent, e.g. `5` or `"10%"` + maxSurge: 0 + + # -- K9 is an in-cluster response plugin. It will request any queued commands from + # -- the Rad Security backend, and execute them in the cluster. Each capability must + # -- be opted into individually. 
+k9:
+ enabled: false
+ replicas: 1
+ frontend:
+ image:
+ repository: us.gcr.io/ksoc-public/ksoc-frontend-agent
+ tag: v0.0.31
+ # -- The interval in which the agent polls the backend for new actions.
+ agentActionPollInterval: "5s"
+ backend:
+ image:
+ repository: us.gcr.io/ksoc-public/ksoc-backend-agent
+ tag: v0.0.31
+ resources:
+ limits:
+ cpu: 250m
+ memory: 512Mi
+ ephemeral-storage: 1Gi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ ephemeral-storage: 100Mi
+ capabilities:
+ enableTerminatePod: false
+ enableTerminateNamespace: false
+ enableQuarantine: false
+ enableGetLogs: false
+ enableLabelPod: false
+ tolerations: []
+ nodeSelector: {}
+
+# Toggles support for Openshift. Please note that functionality is limited at the moment.
+openshift:
+ enabled: false
+
+# @ignored
+# -- Configuration for the EKS Addon dummy deployment. This is needed to track the status of addon.
+# -- This is a known issue and this is the workaround for now. If you are not installing through the
+# -- EKS Addon Marketplace, you do not need to enable the addon.
+eksAddon:
+ enabled: false
+ image:
+ repository: public.ecr.aws/eks-distro/kubernetes/pause
+ tag: v1.29.1-eks-1-29-latest
diff --git a/local.tf b/local.tf
new file mode 100644
index 0000000..9e9f8dc
--- /dev/null
+++ b/local.tf
@@ -0,0 +1,3 @@
+locals {
+ cluster_name = var.cluster_name != "" ? var.cluster_name : "terraform-${uuid()}"
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..1904fe6
--- /dev/null
+++ b/main.tf
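Review bot: `ksoc.apiKey`, `ksoc.base64AccessKeyId` and `ksoc.base64SecretKey` near the top of example/values.yaml are credential fields in a file users are told to copy alongside their Terraform; main.tf injects the key pair through `set_sensitive`, which takes precedence over `values`, so anything typed into these fields is ignored by the release yet still ends up as plaintext in the repository. A comment above them such as `# Leave empty: the module injects these via set_sensitive; values here are overridden and would be committed in clear text` would prevent that. The file also carries image `repository`/`tag` pairs copied from the chart defaults (`v1.1.6` through `v0.0.31`), and because the whole file is passed as `values` those pins will shadow whatever a newer chart ships once `rad_plugin_version` moves; the header comment should say that the copy is a snapshot and that the image blocks can be dropped to follow the chart.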
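Review bot: `uuid()` in `local.cluster_name` is re-evaluated on every plan, so whenever `cluster_name` is left at its empty default the value changes each run, the `ksoc.clusterName` set in main.tf shows a perpetual diff, and the cluster is presumably re-registered under a new name in the platform on every apply. Generate the suffix once with a resource instead, e.g. `resource "random_id" "cluster" { byte_length = 4 }` and `cluster_name = var.cluster_name != "" ? var.cluster_name : "terraform-${random_id.cluster.hex}"`, or drop the fallback and reject the empty string with a `validation` block on the variable.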
@@ -0,0 +1,122 @@
+resource "rad-security_cluster_api_key" "this" {}
+
+resource "helm_release" "cert-manager" {
+ count = var.install_cert_manager ? 1 : 0
+ name = "certmanager"
+ repository = "https://charts.jetstack.io"
+
+ chart = "cert-manager"
+ version = "v1.15.0"
+
+ namespace = "cert-manager"
+ create_namespace = true
+
+ set {
+ name = "installCRDs"
+ value = "true"
+ }
+
+ set {
+ name = "enableCertificateOwnerRef"
+ value = "true"
+ }
+
+}
+
+resource "helm_release" "plugins" {
+ name = "ksoc"
+ repository = "https://charts.ksoc.com/stable"
+ chart = "ksoc-plugins"
+ version = var.rad_plugin_version != "" ? var.rad_plugin_version : null
+
+ namespace = var.rad_plugin_namespace
+ create_namespace = true
+
+ values = var.plugin_configuration_file
+
+ set_sensitive {
+ name = "ksoc.base64AccessKeyId"
+ value = base64encode(rad-security_cluster_api_key.this.access_key)
+ }
+
+ set_sensitive {
+ name = "ksoc.base64SecretKey"
+ value = base64encode(rad-security_cluster_api_key.this.secret_key)
+ }
+
+ set {
+ name = "ksoc.clusterName"
+ value = local.cluster_name
+ }
+
+ set {
+ name = "ksocGuard.enable"
+ value = var.enable_guard
+ }
+
+ set {
+ name = "ksocSbom.enable"
+ value = var.enable_sbom
+ }
+
+ set {
+ name = "ksocSync.enable"
+ value = var.enable_sync
+ }
+
+ set {
+ name = "ksocWatch.enable"
+ value = var.enable_watch
+ }
+
+
+ dynamic "set" {
+ for_each = var.enable_node_agent ? [1] : []
+
+ content {
+ name = "ksocNodeAgent.enable"
+ value = true
+ type = "bool"
+ }
+ }
+
+ dynamic "set" {
+ for_each = var.enable_k9 ? [1] : []
+
+ content {
+ name = "k9.enable"
+ value = true
+ type = "bool"
+ }
+ }
+
+ dynamic "set" {
+ for_each = var.enable_openshift ? [1] : []
+
+ content {
+ name = "openshift.enable"
+ value = true
+ type = "bool"
+ }
+ }
+
+ dynamic "set" {
+ for_each = var.helm_settings
+ content {
+ name = set.value.name
+ value = set.value.value
+ type = set.value.type
+ }
+ }
+
+ # This value does not do anything to the plugin helm chart.
+ # It creates an implict dependency on cert-manager if it is installed.
+ dynamic "set" {
+ for_each = var.install_cert_manager ? [1] : []
+
+ content {
+ name = "cert_manager_installed"
+ value = helm_release.cert-manager[0].name
+ }
+ }
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..0f955bd
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,7 @@
+output "rad_plugin_namespace" {
+ value = helm_release.rad_plugin.namespace
+}
+
+output "sbom_service_account_name" {
+ value = "ksoc-sbom"
+}
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..39a2b6e
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:base"
+ ]
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..ba170a1
--- /dev/null
+++ b/variables.tf
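Review bot: The component toggles in `helm_release.plugins` are written to keys the chart does not appear to read: every `set` block uses `<component>.enable` (`ksocGuard.enable`, `ksocSbom.enable`, `ksocSync.enable`, `ksocWatch.enable`, `ksocNodeAgent.enable`, `k9.enable`, `openshift.enable`), while the example values.yaml in this same commit keys each of them as `<component>.enabled`, so `enable_guard` through `enable_openshift` are silently ignored and the chart defaults win — notably `enable_node_agent = true` or `enable_k9 = true` would not turn those components on. Assuming the chart matches its own default values file, rename the seven `name` values, e.g. `name = "ksocGuard.enabled"`. Separately, the `cert_manager_installed` dummy set at the end of the hunk pushes a stray key into the release just to force ordering; `depends_on = [helm_release.cert-manager]` on the plugins release expresses the same dependency without it. The access key and secret key still land in Terraform state (`set_sensitive` only redacts plan and state display), which the README should mention next to the provider setup so operators plan for state encryption.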
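Review bot: `helm_release.rad_plugin` in the `rad_plugin_namespace` output does not exist — the release defined in main.tf is `helm_release.plugins` — so the module as committed fails `terraform validate`; change it to `value = helm_release.plugins.namespace`. `sbom_service_account_name` is a hard-coded `"ksoc-sbom"` that presumably mirrors the service account name the chart creates, and nothing ties the two together; a comment such as `# must match the SBOM serviceAccount name created by the ksoc-plugins chart` would tell the next maintainer where to look when an IRSA or Pod Identity binding built from this output stops matching.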
@@ -0,0 +1,82 @@
+variable "cluster_name" {
+ description = "Cluster Name to use within the Rad Platform"
+ type = string
+ default = ""
+}
+
+variable "enable_guard" {
+ description = "Toggles the Guard component"
+ type = bool
+ default = true
+}
+
+variable "enable_sbom" {
+ description = "Toggles the SBOM component"
+ type = bool
+ default = true
+}
+
+variable "enable_sync" {
+ description = "Toggles the Sync component"
+ type = bool
+ default = true
+}
+
+variable "enable_watch" {
+ description = "Toggles the Watch component"
+ type = bool
+ default = true
+}
+
+variable "enable_node_agent" {
+ description = "Toggles the Node Agent component"
+ type = bool
+ default = false
+}
+
+variable "enable_k9" {
+ description = "Toggles the K9 component"
+ type = bool
+ default = false
+}
+
+variable "enable_openshift" {
+ description = "Toggles support for OpenShift"
+ type = bool
+ default = false
+}
+
+variable "helm_settings" {
+ description = "List of Helm configuration values to set"
+ type = list(object({
+ name = string
+ value = string
+ type = string
+ }
+ ))
+ default = []
+}
+
+variable "install_cert_manager" {
+ description = "Set to toggle the installation of cert-manager before the installation of plugins"
+ type = bool
+ default = true
+}
+
+variable "rad_plugin_namespace" {
+ description = "Namespace to install the Rad Platform plugins into"
+ type = string
+ default = "ksoc"
+}
+
+variable "plugin_configuration_file" {
+ description = "Location of the values.yaml file to use with rad plugins"
+ type = list(string)
+ default = []
+}
+
+variable "rad_plugin_version" {
+ description = "Helm chart version to use"
+ type = string
+ default = ""
+}
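Review bot: The description of `plugin_configuration_file` says "Location of the values.yaml file", but the variable is a `list(string)` that main.tf hands straight to `helm_release.values`, which takes YAML contents rather than paths (the example passes `file("./values.yaml")`), so a user who follows the description will pass a path and get a Helm parse error; suggest `description = "List of YAML documents (e.g. file(\"values.yaml\")) merged into the plugins helm_release values"`. `rad_plugin_version` defaulting to `""` makes main.tf pass `version = null`, which presumably installs whatever the chart repository currently serves as latest, so the description should state that and recommend pinning outside of trials. `cluster_name` accepts the empty string by default and relies on the random fallback in local.tf; if that fallback is removed, a `validation` block rejecting `""` belongs here.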