feat(app): Helm chart for deploying prowler in k8s (#9835)

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
Utwo
2026-02-09 17:43:12 +02:00
committed by GitHub
parent afe2e0a09e
commit dd730eec94
33 changed files with 1833 additions and 0 deletions

@@ -0,0 +1,24 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
examples
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

@@ -0,0 +1,12 @@
dependencies:
- name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts
version: 18.2.0
- name: valkey
repository: https://valkey.io/valkey-helm/
version: 0.9.3
- name: neo4j
repository: https://helm.neo4j.com/neo4j
version: 2025.12.1
digest: sha256:da19233c6832727345fcdb314d683d30aa347d349f270023f3a67149bffb009b
generated: "2026-01-26T12:00:06.798702+02:00"

@@ -0,0 +1,33 @@
apiVersion: v2
name: prowler
description: Prowler is an Open Cloud Security tool for AWS, Azure, GCP and Kubernetes. It helps for continuous monitoring, security assessments and audits, incident response, compliance, hardening and forensics readiness.
type: application
version: 0.0.1
appVersion: "5.17.0"
home: https://prowler.com
icon: https://cdn.prod.website-files.com/68c4ec3f9fb7b154fbcb6e36/68c5e0fea5d0059b9e05834b_Link.png
keywords:
- security
- aws
- azure
- gcp
- kubernetes
maintainers:
- name: Mihai
email: mihai.legat@gmail.com
dependencies:
# https://artifacthub.io/packages/helm/bitnami/postgresql
- name: postgresql
version: 18.2.0
repository: oci://registry-1.docker.io/bitnamicharts
condition: postgresql.enabled
# https://valkey.io/valkey-helm/
- name: valkey
version: 0.9.3
repository: https://valkey.io/valkey-helm/
condition: valkey.enabled
# https://helm.neo4j.com/neo4j
- name: neo4j
version: 2025.12.1
repository: https://helm.neo4j.com/neo4j
condition: neo4j.enabled

@@ -0,0 +1,143 @@
<!--
This README is the one shown on Artifact Hub.
Images should use absolute URLs.
-->
# Prowler App Helm Chart
![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square)
![AppVersion: 5.17.0](https://img.shields.io/badge/AppVersion-5.17.0-informational?style=flat-square)
Prowler is an Open Cloud Security tool for AWS, Azure, GCP and Kubernetes. It helps for continuous monitoring, security assessments and audits, incident response, compliance, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more.
## Architecture
The Prowler App consists of three main components:
- **Prowler UI**: A user-friendly web interface for running Prowler and viewing results, powered by Next.js.
- **Prowler API**: The backend API that executes Prowler scans and stores the results, built with Django REST Framework.
- **Prowler SDK**: A Python SDK that integrates with the Prowler CLI for advanced functionality.
The app leverages the following supporting infrastructure:
- **PostgreSQL**: Used for persistent storage of scan results.
- **Celery Workers**: Facilitate asynchronous execution of Prowler scans.
- **Valkey**: An in-memory database serving as a message broker for the Celery workers.
- **Neo4j**: Graph Database
- **Keda**: Kubernetes Event-driven Autoscaling (Keda) automatically scales the number of Celery worker pods based on the workload, ensuring efficient resource utilization and responsiveness.
## Setup
This guide walks you through installing Prowler App using Helm. For a minimal installation example, see the [minimal installation example](./examples/minimal-installation/).
### Prerequisites
- Kubernetes cluster (1.24+)
- Helm 3.x installed
- `kubectl` configured to access your cluster
- Access to the Prowler Helm chart repository (or local chart)
### Step 1: Create Required Secrets
Before installing the Helm chart, you must create a Kubernetes Secret containing the required authentication keys and secrets.
1. **Generate the required keys and secrets:**
```bash
# Generate Django token signing key (private key)
openssl genrsa -out private.pem 2048
# Generate Django token verifying key (public key)
openssl rsa -in private.pem -pubout -out public.pem
# Generate Django secrets encryption key
openssl rand -base64 32
# Generate Auth secret
openssl rand -base64 32
```
2. **Create the secret file:**
Create a file named `secrets.yaml` with the following structure:
```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: prowler-secret
stringData:
DJANGO_TOKEN_SIGNING_KEY: |
-----BEGIN PRIVATE KEY-----
[paste your private key here]
-----END PRIVATE KEY-----
DJANGO_TOKEN_VERIFYING_KEY: |
-----BEGIN PUBLIC KEY-----
[paste your public key here]
-----END PUBLIC KEY-----
DJANGO_SECRETS_ENCRYPTION_KEY: "[paste your encryption key here]"
AUTH_SECRET: "[paste your auth secret here]"
NEO4J_PASSWORD: "[prowler-password]"
NEO4J_AUTH: "neo4j/[prowler-password]"
```
> **Note:** You can use the [example secrets file](./examples/minimal-installation/secrets.yaml) as a template, but **always replace the placeholder values with your own secure keys** before applying.
3. **Apply the secret to your cluster:**
```bash
kubectl apply -f secrets.yaml
```
### Step 2: Configure Values
Create a `values.yaml` file to customize your installation. At minimum, you need to configure the UI access method.
**Option A: Using Ingress (Recommended for production)**
```yaml
ui:
ingress:
enabled: true
hosts:
- host: prowler.example.com
paths:
- path: /
pathType: ImplementationSpecific
```
**Option B: Using authUrl (For proxy setups)**
```yaml
ui:
authUrl: prowler.example.com
```
> **Note:** See the [minimal installation example](./examples/minimal-installation/values.yaml) for a complete reference.
### Step 3: Install the Chart
Install Prowler App using Helm:
```bash
helm dependency update
helm install prowler prowler/prowler-app -f values.yaml
```
### Using Existing PostgreSQL and Valkey Instances
By default, this Chart uses Bitnami's Charts to deploy [PostgreSQL](https://artifacthub.io/packages/helm/bitnami/postgresql), [Neo4j](https://helm.neo4j.com/neo4j) and [Valkey official helm chart](https://valkey.io/valkey-helm/). **Note:** This default setup is not production-ready.
To connect to existing PostgreSQL, Neo4j and Valkey instances:
1. Create a `Secret` containing the correct database and message broker credentials
2. Reference the secret in the [values.yaml](values.yaml) file api->secrets list
## Contributing
Feel free to contact the maintainer of this repository for any questions or concerns. Contributions are encouraged and appreciated.
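Review bot: The install command in Step 3 does not match this chart. `helm install prowler prowler/prowler-app -f values.yaml` installs a chart called `prowler-app` from a repository alias `prowler`, but Chart.yaml names the chart `prowler` and no `helm repo add` appears anywhere in the guide; the preceding `helm dependency update` with no argument operates on the current directory, i.e. it assumes the reader is inside the chart source, which contradicts installing from a repository on the next line. Either document the repository URL and the real chart name, or show a local install against the chart directory. Three smaller points: the "Using Existing PostgreSQL and Valkey Instances" section says all three dependencies come from Bitnami charts, while Chart.yaml pulls Valkey from https://valkey.io/valkey-helm/ and Neo4j from https://helm.neo4j.com/neo4j; step 2 of that section tells the user to list a credentials Secret under `api.secrets` but never names the variables it must contain, and since the helpers emit nothing for the database when the bundled charts are disabled the user needs the full set (`POSTGRES_HOST`, `POSTGRES_PORT`, `POSTGRES_USER`, `POSTGRES_PASSWORD`, `POSTGRES_DB`, `POSTGRES_ADMIN_USER`, `POSTGRES_ADMIN_PASSWORD`, `NEO4J_HOST`, `NEO4J_PORT`, `NEO4J_USER`, `NEO4J_PASSWORD`, `VALKEY_HOST`, `VALKEY_PORT`, `VALKEY_DB`); and the secret file is called `secrets.yaml` here but `secret.yaml` in the example directory.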

@@ -0,0 +1,46 @@
# Minimal Installation Example
This example demonstrates a minimal installation of Prowler in a Kubernetes cluster.
## Installation
To install Prowler using this example:
1. First, create the required secret:
```bash
# Edit secret.yaml and set secure values before applying
kubectl apply -f secret.yaml
```
1. Install the chart using the base values file:
```bash
# Basic installation
helm install prowler prowler/prowler-app -f values.yaml
```
## Configuration
The example contains the following configuration files:
### `secret.yaml`
Contains all required secrets for the Prowler installation. **Must be applied before installing the Helm chart**. Make sure to replace all placeholder values with secure values before applying.
### `values.yaml`
```yaml
ui:
# Note: You should set either `authUrl` if you use prowler behind a proxy or enable `ingress`.
# Example with authUrl:
# authUrl: example.prowler.com
# Example with ingress:
ingress:
enabled: true
hosts:
- host: example.prowler.com
paths:
- path: /
pathType: ImplementationSpecific
```
Make sure to adjust the hostname in the values file to match your environment before installing.
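Review bot: The snippet under `### values.yaml` is not the file that ships in this directory: the committed example uses host `127.0.0.1.nip.io`, while the snippet shows `example.prowler.com` plus extra commentary, so the two will drift. Paste the actual file contents or just point at the file. The install line repeats the top-level README's `helm install prowler prowler/prowler-app -f values.yaml` with no `helm repo add`, so a reader working from a checkout gets a chart-not-found error; show the local chart path here since this example lives inside the chart source.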

@@ -0,0 +1,58 @@
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: prowler-secret
stringData:
# openssl genrsa -out private.pem 2048
DJANGO_TOKEN_SIGNING_KEY: |
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
# openssl rsa -in private.pem -pubout -out public.pem
DJANGO_TOKEN_VERIFYING_KEY: |
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiK6NEIiwMcO6xRjtDYAF
iX5KWBOcrDBgwmyHdOx1K7/v0gqEY6ilcxiVSL5jT+aAcs0noT4LMFvb993antq/
bAktScjGvlzt6n2QkdLkQ3DwsGYyMq9EEC6VgMpnQWvG2nh7FNf9zq43G1a6/pTc
eB0CTokp9PeIlz0Xlv9uYWHqv0l7O/VdgkfOzxnaGQIW/CJZQMSYHX5Hgf4lqIWP
9b30U5iLjMHlhl5NGisz7AXbxPw6huB44jVRD4dfBt74ndGE2TZpu7vLzgrnt8fT
UFhhwOELcTbS7cZR3DhK8qmfQoTtpwvnsNF5f7+9OlxTcixYnI4rCCjUKKnZGjEt
9wIDAQAB
-----END PUBLIC KEY-----
# openssl rand -base64 32
DJANGO_SECRETS_ENCRYPTION_KEY: "qYAIWnRK52aBT5YQkBoMEw08j7j3+QIPZXS6+A8Su44="
# openssl rand -base64 32
AUTH_SECRET: "CM9w3Nco2P1RdHaYmD+fmy2nJmSofusdHd4g7Z4KDG4="
# Unfortunatelly, we need to duplicate the password in two different keys because the Neo4j Helm Chart expects the password in the NEO4J_AUTH key and the application expects it in the NEO4J_PASSWORD key.
NEO4J_PASSWORD: "prowler-password-fake"
NEO4J_AUTH: "neo4j/prowler-password-fake"
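Review bot: This example ships a complete RSA key pair and concrete 32-byte random values for `DJANGO_SECRETS_ENCRYPTION_KEY` and `AUTH_SECRET` rather than placeholders, while both READMEs only warn the reader to "replace the placeholder values". A key that is public in the repository is not a secret: anyone who applies this file unchanged has a token signing key and an encryption key that every other such deployment, and anyone who reads this commit, already holds. Use obvious placeholders as the top-level README does (`[paste your private key here]`), or have the instructions generate the file with the `openssl` commands shown in the comments. Two smaller points: "Unfortunatelly" is a typo, and since the Neo4j chart reads `NEO4J_AUTH` and the app reads `NEO4J_PASSWORD`, the comment should say that both keys must be updated together on rotation.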

@@ -0,0 +1,11 @@
ui:
ingress:
enabled: true
hosts:
- host: 127.0.0.1.nip.io
paths:
- path: /
pathType: ImplementationSpecific
# or use authUrl if you use prowler behind a proxy
# authUrl: 127.0.0.1.nip.io

@@ -0,0 +1,134 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "prowler.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "prowler.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "prowler.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "prowler.labels" -}}
helm.sh/chart: {{ include "prowler.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Django environment variables for api, worker, and worker_beat.
*/}}
{{- define "prowler.django.env" -}}
- name: DJANGO_TOKEN_SIGNING_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.djangoTokenSigningKey.secretKeyRef.name }}
key: {{ .Values.djangoTokenSigningKey.secretKeyRef.key }}
- name: DJANGO_TOKEN_VERIFYING_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.djangoTokenVerifyingKey.secretKeyRef.name }}
key: {{ .Values.djangoTokenVerifyingKey.secretKeyRef.key }}
- name: DJANGO_SECRETS_ENCRYPTION_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.djangoSecretsEncryptionKey.secretKeyRef.name }}
key: {{ .Values.djangoSecretsEncryptionKey.secretKeyRef.key }}
{{- end }}
{{/*
PostgreSQL environment variables for api, worker, and worker_beat.
Outputs nothing when postgresql.enabled is false.
*/}}
{{- define "prowler.postgresql.env" -}}
{{- if .Values.postgresql.enabled }}
{{- if .Values.postgresql.auth.username }}
- name: POSTGRES_USER
value: {{ .Values.postgresql.auth.username | quote }}
{{- end }}
- name: POSTGRES_PASSWORD
{{- if .Values.postgresql.auth.existingSecret }}
valueFrom:
secretKeyRef:
name: {{ .Values.postgresql.auth.existingSecret }}
key: {{ required "postgresql.auth.secretKeys.userPasswordKey is required when using an existing secret" .Values.postgresql.auth.secretKeys.userPasswordKey }}
{{- else if .Values.postgresql.auth.password }}
value: {{ .Values.postgresql.auth.password | quote }}
{{- else }}
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-postgresql
key: password
{{- end }}
- name: POSTGRES_DB
value: {{ .Values.postgresql.auth.database | quote }}
- name: POSTGRES_HOST
value: {{ .Release.Name }}-postgresql
- name: POSTGRES_PORT
value: "5432"
- name: POSTGRES_ADMIN_USER
value: postgres
- name: POSTGRES_ADMIN_PASSWORD
{{- if .Values.postgresql.auth.existingSecret }}
valueFrom:
secretKeyRef:
name: {{ .Values.postgresql.auth.existingSecret }}
key: {{ required "postgresql.auth.secretKeys.adminPasswordKey is required when using an existing secret" .Values.postgresql.auth.secretKeys.adminPasswordKey }}
{{- else if .Values.postgresql.auth.postgresPassword }}
value: {{ .Values.postgresql.auth.postgresPassword | quote }}
{{- else }}
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-postgresql
key: postgres-password
{{- end }}
{{- end }}
{{- end }}
{{/*
Neo4j environment variables for api, worker, and worker_beat.
Outputs nothing when neo4j.enabled is false.
*/}}
{{- define "prowler.neo4j.env" -}}
{{- if .Values.neo4j.enabled }}
- name: NEO4J_HOST
value: {{ .Release.Name }}
- name: NEO4J_PORT
value: "7687"
- name: NEO4J_USER
value: "neo4j"
- name: NEO4J_PASSWORD
valueFrom:
secretKeyRef:
name: {{ required "neo4j.neo4j.passwordFromSecret is required" .Values.neo4j.neo4j.passwordFromSecret }}
key: NEO4J_PASSWORD
{{- end }}
{{- end }}
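Review bot: In `prowler.postgresql.env`, when `postgresql.auth.password` or `postgresql.auth.postgresPassword` is set the password is rendered inline as `value:` in the Deployment spec, so anyone with `get deployments` or `get pods` can read it rather than only principals with access to Secrets. The fallback branch already reads `password` and `postgres-password` from `{{ .Release.Name }}-postgresql`; since the bundled chart populates that Secret from the same values, the `secretKeyRef` path can be used unconditionally and the two plaintext branches dropped. Two related points: `POSTGRES_PORT` is hardcoded to `"5432"` here while the KEDA ScaledObject reads `.Values.postgresql.port`, so the two can disagree; and api, worker and worker_beat all receive `POSTGRES_ADMIN_PASSWORD` for the `postgres` superuser, which is broader than the runtime path should need. If only migrations require it, document that and consider scoping it to the component that runs them.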

@@ -0,0 +1,10 @@
{{/*
Create the name of the service account to use
*/}}
{{- define "prowler.api.serviceAccountName" -}}
{{- if .Values.api.serviceAccount.create }}
{{- default (printf "%s-%s" (include "prowler.fullname" .) "api") .Values.api.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.api.serviceAccount.name }}
{{- end }}
{{- end }}

@@ -0,0 +1,10 @@
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ include "prowler.fullname" . }}-api
labels:
{{- include "prowler.labels" . | nindent 4 }}
data:
{{- range $key, $value := .Values.api.djangoConfig }}
{{ $key }}: {{ $value | quote }}
{{- end }}

@@ -0,0 +1,105 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "prowler.fullname" . }}-api
labels:
{{- include "prowler.labels" . | nindent 4 }}
spec:
{{- if not .Values.api.autoscaling.enabled }}
replicas: {{ .Values.api.replicaCount }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "prowler.fullname" . }}-api
template:
metadata:
annotations:
secret-hash: "{{ printf "%s%s%s" (.Files.Get "templates/api/configmap.yaml" | sha256sum) (.Files.Get "templates/api/secret-valkey.yaml" | sha256sum) | sha256sum }}"
{{- with .Values.api.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "prowler.labels" . | nindent 8 }}
app.kubernetes.io/name: {{ include "prowler.fullname" . }}-api
{{- with .Values.api.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.api.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "prowler.api.serviceAccountName" . }}
{{- with .Values.api.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: api
{{- with .Values.api.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.api.image.repository }}:{{ .Values.api.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.api.image.pullPolicy }}
{{- with .Values.api.command }}
command:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.api.args }}
args:
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.api.service.port }}
protocol: TCP
envFrom:
- configMapRef:
name: {{ include "prowler.fullname" . }}-api
{{- if .Values.valkey.enabled }}
- secretRef:
name: {{ include "prowler.fullname" . }}-api-valkey
{{- end }}
{{- with .Values.api.secrets }}
{{- range $index, $secret := . }}
- secretRef:
name: {{ $secret }}
{{- end }}
{{- end }}
env:
{{- include "prowler.django.env" . | nindent 12 }}
{{- include "prowler.postgresql.env" . | nindent 12 }}
{{- include "prowler.neo4j.env" . | nindent 12 }}
{{- with .Values.api.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.api.readinessProbe }}
readinessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.api.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.api.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.api.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.api.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.api.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.api.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
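Review bot: The `secret-hash` annotation will not trigger rollouts. `.Files.Get` cannot read anything under `templates/` (Helm does not expose that directory through `.Files`), so both reads return empty strings; even if they did not, hashing the template source rather than the rendered output means a change to `api.djangoConfig` would leave the hash unchanged. On top of that, `printf "%s%s%s"` is given only two arguments, so the rendered string contains `%!s(MISSING)`. Hash the rendered templates instead, e.g. `checksum/config: {{ include (print $.Template.BasePath "/api/configmap.yaml") . | sha256sum }}` and the same for `secret-valkey.yaml`. The identical construction appears in the worker, worker-beat and ui Deployments.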

@@ -0,0 +1,32 @@
{{- if .Values.api.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "prowler.fullname" . }}-api
labels:
{{- include "prowler.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "prowler.fullname" . }}-api
minReplicas: {{ .Values.api.autoscaling.minReplicas }}
maxReplicas: {{ .Values.api.autoscaling.maxReplicas }}
metrics:
{{- if .Values.api.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.api.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.api.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.api.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}

@@ -0,0 +1,43 @@
{{- if .Values.api.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "prowler.fullname" . }}-api
labels:
{{- include "prowler.labels" . | nindent 4 }}
{{- with .Values.api.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with .Values.api.ingress.className }}
ingressClassName: {{ . }}
{{- end }}
{{- if .Values.api.ingress.tls }}
tls:
{{- range .Values.api.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.api.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- with .pathType }}
pathType: {{ . }}
{{- end }}
backend:
service:
name: {{ include "prowler.fullname" $ }}-api
port:
number: {{ $.Values.api.service.port }}
{{- end }}
{{- end }}
{{- end }}

@@ -0,0 +1,29 @@
# https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/prowler-app/#step-44-kubernetes-credentials
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "prowler.fullname" . }}-api
labels:
{{- include "prowler.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["pods", "configmaps", "nodes", "namespaces"]
verbs: ["get", "list", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["clusterrolebindings", "rolebindings", "clusterroles", "roles"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "prowler.fullname" . }}-api
labels:
{{- include "prowler.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "prowler.fullname" . }}-api
subjects:
- kind: ServiceAccount
name: {{ include "prowler.api.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
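Review bot: The ClusterRole and ClusterRoleBinding are rendered unconditionally, and the binding subject is whatever `prowler.api.serviceAccountName` resolves to, which is the namespace's `default` ServiceAccount when `api.serviceAccount.create` is false and no name is given. That hands cluster-wide read on pods, configmaps (which routinely hold sensitive configuration), nodes, namespaces and every RBAC object to any pod in the namespace that runs as `default`. Gate these two resources behind a value such as `api.rbac.create` (off by default for users who do not scan the hosting cluster) and `fail` the render when the resolved subject is `default`. Also confirm which component actually needs the grant: the chart README describes scans as executed by the Celery workers, yet only the API ServiceAccount is bound here and the worker ServiceAccount gets nothing.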

@@ -0,0 +1,13 @@
{{- if .Values.valkey.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "prowler.fullname" . }}-api-valkey
labels:
{{- include "prowler.labels" . | nindent 4 }}
type: Opaque
stringData:
VALKEY_HOST: "{{ include "prowler.fullname" . }}-valkey"
VALKEY_PORT: "6379"
VALKEY_DB: "0"
{{- end -}}
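Review bot: Nothing in this Secret is sensitive (host, port, database index) and no credential is passed at all, so the API and workers connect to the broker unauthenticated; the broker carries scan tasks and results, so either wire a password key here from the Valkey chart's auth settings or state in the README that a NetworkPolicy restricting access to the Valkey Service is required. Separately, the host is built from `prowler.fullname` while the PostgreSQL and Neo4j helpers use `.Release.Name`; the Valkey subchart names its Service from the release, not from this chart's `nameOverride`/`fullnameOverride`, so setting either override breaks the Valkey hostname but not the others. Use one convention for all three.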

@@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "prowler.fullname" . }}-api
labels:
{{- include "prowler.labels" . | nindent 4 }}
spec:
type: {{ .Values.api.service.type }}
ports:
- port: {{ .Values.api.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: {{ include "prowler.fullname" . }}-api

@@ -0,0 +1,13 @@
{{- if .Values.api.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "prowler.api.serviceAccountName" . }}
labels:
{{- include "prowler.labels" . | nindent 4 }}
{{- with .Values.api.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.api.serviceAccount.automount }}
{{- end }}

@@ -0,0 +1,10 @@
{{/*
Create the name of the service account to use
*/}}
{{- define "prowler.ui.serviceAccountName" -}}
{{- if .Values.ui.serviceAccount.create }}
{{- default (printf "%s-%s" (include "prowler.fullname" .) "ui") .Values.ui.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.ui.serviceAccount.name }}
{{- end }}
{{- end }}

@@ -0,0 +1,18 @@
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ include "prowler.fullname" . }}-ui
data:
PROWLER_UI_VERSION: "stable"
{{- if .Values.ui.ingress.enabled }}
{{- with (first .Values.ui.ingress.hosts) }}
AUTH_URL: "https://{{ .host }}"
{{- end }}
{{- else }}
AUTH_URL: {{ .Values.ui.authUrl | quote }}
{{- end }}
API_BASE_URL: "http://{{ include "prowler.fullname" . }}-api:{{ .Values.api.service.port }}/api/v1"
NEXT_PUBLIC_API_BASE_URL: "http://{{ include "prowler.fullname" . }}-api:{{ .Values.api.service.port }}/api/v1"
NEXT_PUBLIC_API_DOCS_URL: "http://{{ include "prowler.fullname" . }}-api:{{ .Values.api.service.port }}/api/v1/docs"
AUTH_TRUST_HOST: "true"
UI_PORT: {{ .Values.ui.service.port | quote }}
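Review bot: `AUTH_URL` is forced to `https://<first ingress host>` whenever the UI ingress is enabled, but nothing requires `ui.ingress.tls` to be set (the minimal example enables the ingress with no TLS), so the auth callback URL will carry a scheme the ingress does not serve; derive the scheme from whether `tls` is configured, or require TLS when the ingress is enabled. In the `else` branch `.Values.ui.authUrl` is emitted verbatim, and both READMEs show it without any scheme (`authUrl: prowler.example.com`), so the two paths produce differently shaped values. Two further points: `NEXT_PUBLIC_API_BASE_URL` and `NEXT_PUBLIC_API_DOCS_URL` are set to the cluster-internal Service name `<fullname>-api:<port>`; the `NEXT_PUBLIC_` prefix is the Next.js convention for values exposed to the browser, which cannot resolve that name, so if the UI uses them client-side they must point at the externally reachable API. And this ConfigMap is the only resource in the chart without the `prowler.labels` block on its metadata.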

@@ -0,0 +1,95 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "prowler.fullname" . }}-ui
labels:
{{- include "prowler.labels" . | nindent 4 }}
spec:
{{- if not .Values.ui.autoscaling.enabled }}
replicas: {{ .Values.ui.replicaCount }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "prowler.fullname" . }}-ui
template:
metadata:
annotations:
secret-hash: {{ .Files.Get "templates/ui/configmap.yaml" | sha256sum }}
{{- with .Values.ui.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "prowler.labels" . | nindent 8 }}
app.kubernetes.io/name: {{ include "prowler.fullname" . }}-ui
{{- with .Values.ui.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.ui.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "prowler.ui.serviceAccountName" . }}
{{- with .Values.ui.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: ui
{{- with .Values.ui.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.ui.image.repository }}:{{ .Values.ui.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.ui.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.ui.service.port }}
protocol: TCP
env:
- name: AUTH_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.ui.authSecret.secretKeyRef.name }}
key: {{ .Values.ui.authSecret.secretKeyRef.key }}
envFrom:
- configMapRef:
name: {{ include "prowler.fullname" . }}-ui
{{- with .Values.ui.secrets }}
{{- range $index, $secret := . }}
- secretRef:
name: {{ $secret }}
{{- end }}
{{- end }}
{{- with .Values.ui.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.ui.readinessProbe }}
readinessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.ui.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.ui.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.ui.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ui.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ui.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ui.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
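Review bot: The `secret-hash` annotation has the same defect as in the API Deployment: `.Files.Get "templates/ui/configmap.yaml"` returns an empty string because Helm does not expose `templates/` through `.Files`, so the hash is constant and a changed `AUTH_URL` or `ui.authUrl` never triggers a rollout. Render and hash the template instead: `checksum/config: {{ include (print $.Template.BasePath "/ui/configmap.yaml") . | sha256sum }}`.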

@@ -0,0 +1,32 @@
{{- if .Values.ui.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "prowler.fullname" . }}-ui
labels:
{{- include "prowler.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "prowler.fullname" . }}-ui
minReplicas: {{ .Values.ui.autoscaling.minReplicas }}
maxReplicas: {{ .Values.ui.autoscaling.maxReplicas }}
metrics:
{{- if .Values.ui.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.ui.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.ui.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.ui.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}

@@ -0,0 +1,43 @@
{{- if .Values.ui.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "prowler.fullname" . }}-ui
labels:
{{- include "prowler.labels" . | nindent 4 }}
{{- with .Values.ui.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with .Values.ui.ingress.className }}
ingressClassName: {{ . }}
{{- end }}
{{- if .Values.ui.ingress.tls }}
tls:
{{- range .Values.ui.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ui.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- with .pathType }}
pathType: {{ . }}
{{- end }}
backend:
service:
name: {{ include "prowler.fullname" $ }}-ui
port:
number: {{ $.Values.ui.service.port }}
{{- end }}
{{- end }}
{{- end }}

@@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "prowler.fullname" . }}-ui
labels:
{{- include "prowler.labels" . | nindent 4 }}
spec:
type: {{ .Values.ui.service.type }}
ports:
- port: {{ .Values.ui.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: {{ include "prowler.fullname" . }}-ui

@@ -0,0 +1,13 @@
{{- if .Values.ui.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "prowler.ui.serviceAccountName" . }}
labels:
{{- include "prowler.labels" . | nindent 4 }}
{{- with .Values.ui.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.ui.serviceAccount.automount }}
{{- end }}

@@ -0,0 +1,10 @@
{{/*
Create the name of the service account to use
*/}}
{{- define "prowler.worker.serviceAccountName" -}}
{{- if .Values.worker.serviceAccount.create }}
{{- default (printf "%s-%s" (include "prowler.fullname" .) "worker") .Values.worker.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.worker.serviceAccount.name }}
{{- end }}
{{- end }}

@@ -0,0 +1,101 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "prowler.fullname" . }}-worker
labels:
{{- include "prowler.labels" . | nindent 4 }}
spec:
{{- if not .Values.worker.autoscaling.enabled }}
replicas: {{ .Values.worker.replicaCount }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "prowler.fullname" . }}-worker
template:
metadata:
annotations:
secret-hash: "{{ printf "%s%s%s" (.Files.Get "templates/api/configmap.yaml" | sha256sum) (.Files.Get "templates/api/secret-valkey.yaml" | sha256sum) | sha256sum }}"
{{- with .Values.worker.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "prowler.labels" . | nindent 8 }}
app.kubernetes.io/name: {{ include "prowler.fullname" . }}-worker
{{- with .Values.worker.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.worker.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "prowler.worker.serviceAccountName" . }}
{{- with .Values.worker.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: worker
{{- with .Values.worker.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.worker.image.repository }}:{{ .Values.worker.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.worker.image.pullPolicy }}
{{- with .Values.worker.command }}
command:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.worker.args }}
args:
{{- toYaml . | nindent 12 }}
{{- end }}
envFrom:
- configMapRef:
name: {{ include "prowler.fullname" . }}-api
{{- if .Values.valkey.enabled }}
- secretRef:
name: {{ include "prowler.fullname" . }}-api-valkey
{{- end }}
{{- with .Values.api.secrets }}
{{- range $index, $secret := . }}
- secretRef:
name: {{ $secret }}
{{- end }}
{{- end }}
env:
{{- include "prowler.django.env" . | nindent 12 }}
{{- include "prowler.postgresql.env" . | nindent 12 }}
{{- include "prowler.neo4j.env" . | nindent 12 }}
{{- with .Values.worker.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.worker.readinessProbe }}
readinessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.worker.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.worker.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.worker.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.worker.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.worker.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.worker.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
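Review bot: `{{- with .Values.api.secrets }}` in the worker's `envFrom` reads the API's secret list rather than a worker-scoped key such as `.Values.worker.secrets`, so there is no way to give workers a different or additional set of Secrets (for instance cloud provider credentials that the API pod should not hold). If sharing the API's list is intentional, say so in a comment and in values.yaml; otherwise switch to the worker key. The `secret-hash` annotation has the same problem as in the API Deployment: `.Files.Get` on `templates/` returns nothing and `printf "%s%s%s"` receives only two arguments.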

@@ -0,0 +1,32 @@
{{- if .Values.worker.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "prowler.fullname" . }}-worker
labels:
{{- include "prowler.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "prowler.fullname" . }}-worker
minReplicas: {{ .Values.worker.autoscaling.minReplicas }}
maxReplicas: {{ .Values.worker.autoscaling.maxReplicas }}
metrics:
{{- if .Values.worker.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.worker.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.worker.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.worker.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}

@@ -0,0 +1,32 @@
{{- if .Values.worker.keda.enabled }}
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
name: {{ include "prowler.fullname" . }}-worker
namespace: {{ $.Release.Namespace }}
labels:
{{- include "prowler.labels" . | nindent 4 }}
spec:
scaleTargetRef:
name: {{ include "prowler.fullname" . }}-worker
envSourceContainerName: worker
kind: Deployment
minReplicaCount: {{ .Values.worker.keda.minReplicas }}
maxReplicaCount: {{ .Values.worker.keda.maxReplicas }}
pollingInterval: {{ .Values.worker.keda.pollingInterval }}
cooldownPeriod: {{ .Values.worker.keda.cooldownPeriod }}
triggers:
- type: {{ .Values.worker.keda.triggerType }}
metadata:
userName: "postgres"
passwordFromEnv: POSTGRES_ADMIN_PASSWORD
host: {{ .Release.Name }}-postgresql
port: {{ .Values.postgresql.port | quote }}
dbName: {{ .Values.postgresql.auth.database | quote }}
sslmode: disable
# Query for KEDA to count the number of scans that are in executing, available, or scheduled states,
# where the scheduled time is within the last 2 hours and is before NOW(). Used for scaling workers.
query: >-
SELECT COUNT(*) FROM scans WHERE ((state='executing' OR state='available' OR state='scheduled') and scheduled_at < NOW() and scheduled_at > NOW() - INTERVAL '2 hours')
targetQueryValue: "1"
{{- end }}
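Review bot: the trigger metadata hardcodes `userName: "postgres"`, `sslmode: disable` and `host: {{ .Release.Name }}-postgresql`, which ties the scaler to the bundled Bitnami instance and to the superuser account over an unencrypted connection. values.yaml documents an external-database path (`postgresql.enabled: false`, with `POSTGRES_HOST` and `POSTGRES_ADMIN_USER` supplied through a Secret) and this template ignores it: the host is wrong in that case and the user is not necessarily `postgres`. Make host, user and sslmode values-driven (for instance `.Values.worker.keda.postgresql.host`, `.user`, `.sslmode`; names suggested here, not in the chart) with `sslmode` defaulting to `require`, or pass the connection through a KEDA `TriggerAuthentication` so credentials stay out of the ScaledObject. The query only needs `SELECT` on `scans`, so a dedicated read-only role is sufficient and the admin password does not have to be exposed to KEDA. Two smaller points: `triggerType` is configurable while the metadata is PostgreSQL-specific, so any other type fails validation; and `targetQueryValue: "1"` is hardcoded while `worker.keda.value` in values.yaml is never read.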


@@ -0,0 +1,13 @@
{{- if .Values.worker.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "prowler.worker.serviceAccountName" . }}
labels:
{{- include "prowler.labels" . | nindent 4 }}
{{- with .Values.worker.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.worker.serviceAccount.automount }}
{{- end }}


@@ -0,0 +1,10 @@
{{/*
Create the name of the service account to use
*/}}
{{- define "prowler.worker_beat.serviceAccountName" -}}
{{- if .Values.worker_beat.serviceAccount.create }}
{{- default (printf "%s-%s" (include "prowler.fullname" .) "worker-beat") .Values.worker_beat.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.worker_beat.serviceAccount.name }}
{{- end }}
{{- end }}


@@ -0,0 +1,99 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "prowler.fullname" . }}-worker-beat
labels:
{{- include "prowler.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.worker_beat.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "prowler.fullname" . }}-worker-beat
template:
metadata:
annotations:
secret-hash: "{{ printf "%s%s%s" (.Files.Get "templates/api/configmap.yaml" | sha256sum) (.Files.Get "templates/api/secret-valkey.yaml" | sha256sum) | sha256sum }}"
{{- with .Values.worker.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "prowler.labels" . | nindent 8 }}
app.kubernetes.io/name: {{ include "prowler.fullname" . }}-worker-beat
{{- with .Values.worker_beat.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.worker_beat.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "prowler.worker_beat.serviceAccountName" . }}
{{- with .Values.worker_beat.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: worker-beat
{{- with .Values.worker_beat.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.worker_beat.image.repository }}:{{ .Values.worker_beat.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.worker_beat.image.pullPolicy }}
{{- with .Values.worker_beat.command }}
command:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.worker_beat.args }}
args:
{{- toYaml . | nindent 12 }}
{{- end }}
envFrom:
- configMapRef:
name: {{ include "prowler.fullname" . }}-api
{{- if .Values.valkey.enabled }}
- secretRef:
name: {{ include "prowler.fullname" . }}-api-valkey
{{- end }}
{{- with .Values.api.secrets }}
{{- range $index, $secret := . }}
- secretRef:
name: {{ $secret }}
{{- end }}
{{- end }}
env:
{{- include "prowler.django.env" . | nindent 12 }}
{{- include "prowler.postgresql.env" . | nindent 12 }}
{{- include "prowler.neo4j.env" . | nindent 12 }}
{{- with .Values.worker_beat.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.worker_beat.readinessProbe }}
readinessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.worker_beat.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.worker_beat.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.worker_beat.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.worker_beat.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.worker_beat.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.worker_beat.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
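Review bot: the `secret-hash` annotation reads `templates/api/configmap.yaml` and `templates/api/secret-valkey.yaml` with `.Files.Get`, but Helm does not expose anything under `templates/` through `.Files`, so both reads return an empty string and the hash is a constant: the pod will not roll when the ConfigMap or Secret content changes, which is the only reason the annotation exists (hashing the template source would not react to value changes anyway, and the `printf "%s%s%s"` is given only two arguments). Render the templates instead, e.g. `{{ include (print $.Template.BasePath "/api/configmap.yaml") . | sha256sum }}`. Second, `{{- with .Values.worker.podAnnotations }}` should be `.Values.worker_beat.podAnnotations`; every other key in this file is read from `worker_beat`. Third, `replicas:` comes from `worker_beat.replicaCount` with no guard; Celery beat is a scheduler, and more than one replica fires every periodic task once per replica, so either pin it to 1 in the template or state in values.yaml that it must stay at 1.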


@@ -0,0 +1,13 @@
{{- if .Values.worker_beat.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "prowler.worker_beat.serviceAccountName" . }}
labels:
{{- include "prowler.labels" . | nindent 4 }}
{{- with .Values.worker_beat.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.worker_beat.serviceAccount.automount }}
{{- end }}


@@ -0,0 +1,566 @@
# This is to override the chart name.
nameOverride: ""
fullnameOverride: ""
# Reference to the secret containing the API authentication secret.
# Used to inject the environment variable for the API container.
djangoTokenSigningKey:
secretKeyRef:
name: prowler-secret
key: DJANGO_TOKEN_SIGNING_KEY
djangoTokenVerifyingKey:
secretKeyRef:
name: prowler-secret
key: DJANGO_TOKEN_VERIFYING_KEY
djangoSecretsEncryptionKey:
secretKeyRef:
name: prowler-secret
key: DJANGO_SECRETS_ENCRYPTION_KEY
ui:
# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
replicaCount: 1
# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
image:
repository: prowlercloud/prowler-ui
# This sets the pull policy for images.
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# Reference to the secret containing the UI authentication secret.
# Used to inject the environment variable for the UI container.
# By default, expects a Secret named 'prowler-secret' with a key 'AUTH_SECRET'.
authSecret:
secretKeyRef:
name: prowler-secret
key: AUTH_SECRET
# Secret names to be used as env vars.
secrets: []
# - "prowler-ui-secret"
# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# This is for setting Kubernetes Annotations to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# This is for setting Kubernetes Labels to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
# This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
service:
# This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
type: ClusterIP
# This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
port: 3000
# The URL of the UI. This is only set if ingress is disabled.
authUrl: ""
# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
targetMemoryUtilizationPercentage: 80
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
# secret:
# secretName: mysecret
# optional: false
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
# mountPath: "/etc/foo"
# readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}
api:
# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
replicaCount: 1
# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
image:
repository: prowlercloud/prowler-api
# This sets the pull policy for images.
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
# Shared with celery-worker and celery-beat
djangoConfig:
# API scan settings
# The path to the directory where scan output should be stored
DJANGO_TMP_OUTPUT_DIRECTORY: "/tmp/prowler_api_output"
# The maximum number of findings to process in a single batch
DJANGO_FINDINGS_BATCH_SIZE: "1000"
# Django settings
DJANGO_ALLOWED_HOSTS: "*"
DJANGO_BIND_ADDRESS: "0.0.0.0"
DJANGO_PORT: "8080"
DJANGO_DEBUG: "False"
DJANGO_SETTINGS_MODULE: "config.django.production"
# Select one of [ndjson|human_readable]
DJANGO_LOGGING_FORMATTER: "ndjson"
# Select one of [DEBUG|INFO|WARNING|ERROR|CRITICAL]
# Applies to both Django and Celery Workers
DJANGO_LOGGING_LEVEL: "INFO"
# Defaults to the maximum available based on CPU cores if not set.
DJANGO_WORKERS: "4"
# Token lifetime is in minutes
DJANGO_ACCESS_TOKEN_LIFETIME: "30"
# Token lifetime is in minutes
DJANGO_REFRESH_TOKEN_LIFETIME: "1440"
DJANGO_CACHE_MAX_AGE: "3600"
DJANGO_STALE_WHILE_REVALIDATE: "60"
DJANGO_MANAGE_DB_PARTITIONS: "True"
DJANGO_BROKER_VISIBILITY_TIMEOUT: "86400"
# Secret names to be used as env vars for api, worker, and worker_beat.
secrets: []
# - "prowler-api-keys"
command:
- /home/prowler/docker-entrypoint.sh
args:
- prod
# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# This is for setting Kubernetes Annotations to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# This is for setting Kubernetes Labels to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
# This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
service:
# This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
type: ClusterIP
# This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
port: 8080
# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# 3m30s to setup DB
# startupProbe:
# httpGet:
# path: /api/v1/docs
# port: http
# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
livenessProbe:
failureThreshold: 10
httpGet:
path: /api/v1/docs
port: http
periodSeconds: 20
readinessProbe:
failureThreshold: 10
httpGet:
path: /api/v1/docs
port: http
periodSeconds: 20
# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
targetMemoryUtilizationPercentage: 80
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
# secret:
# secretName: mysecret
# optional: false
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
# mountPath: "/etc/foo"
# readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}
worker:
# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
replicaCount: 1
# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
image:
repository: prowlercloud/prowler-api
# This sets the pull policy for images.
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
command:
- /home/prowler/docker-entrypoint.sh
args:
- worker
# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# This is for setting Kubernetes Annotations to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# This is for setting Kubernetes Labels to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
livenessProbe: {}
readinessProbe: {}
# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 10
targetCPUUtilizationPercentage: 80
targetMemoryUtilizationPercentage: 80
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
# secret:
# secretName: mysecret
# optional: false
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
# mountPath: "/etc/foo"
# readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}
# KEDA ScaledObject configuration
keda:
# -- Set to `true` to enable KEDA for the worker pods
# Note: When both KEDA and HPA are enabled, the deployment will fail.
enabled: false
# -- The minimum number of replicas to use for the worker pods
minReplicas: 1
# -- The maximum number of replicas to use for the worker pods
maxReplicas: 2
# -- The polling interval in seconds for checking metrics
pollingInterval: 30
# -- The cooldown period in seconds for scaling
cooldownPeriod: 120
# -- The trigger type for scaling (cpu or memory)
triggerType: "postgresql"
# -- The target utilization percentage for the worker pods
value: "50"
worker_beat:
# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
replicaCount: 1
# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
image:
repository: prowlercloud/prowler-api
# This sets the pull policy for images.
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
command:
- ../docker-entrypoint.sh
args:
- beat
# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# This is for setting Kubernetes Annotations to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# This is for setting Kubernetes Labels to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
livenessProbe: {}
readinessProbe: {}
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
# secret:
# secretName: mysecret
# optional: false
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
# mountPath: "/etc/foo"
# readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}
postgresql:
# -- Enable PostgreSQL deployment (via Bitnami Helm Chart). If you want to use an external Postgres server (or a managed one), set this to false
# If enabled, it will create a Secret with the credentials.
# Otherwise, create a secret with the following and add it to the api deployment:
# - POSTGRES_HOST
# - POSTGRES_PORT
# - POSTGRES_ADMIN_USER - Existing user in charge of migrations, tables, permissions, RLS
# - POSTGRES_ADMIN_PASSWORD
# - POSTGRES_USER - Will be created by ADMIN_USER
# - POSTGRES_PASSWORD
# - POSTGRES_DB - Existing DB
enabled: true
image:
repository: "bitnami/postgresql"
auth:
database: prowler_db
username: prowler
valkey:
# If enabled, it will create a Secret with the following.
# Otherwise, create a secret with
# - VALKEY_HOST
# - VALKEY_PORT
# - VALKEY_DB
enabled: true
neo4j:
enabled: true
neo4j:
name: prowler-neo4j
edition: community
# The name of the secret containing the Neo4j password with the key NEO4J_PASSWORD
passwordFromSecret: prowler-secret
# Disable lookups during helm template rendering (required for ArgoCD)
disableLookups: true
volumes:
data:
mode: defaultStorageClass
services:
neo4j:
enabled: false
# Neo4j Configuration (yaml format)
config:
dbms_security_procedures_allowlist: "apoc.*"
dbms_security_procedures_unrestricted: "apoc.*"
apoc_config:
apoc.export.file.enabled: "true"
apoc.import.file.enabled: "true"
apoc.import.file.use_neo4j_config: "true"
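Review bot: `worker_beat.command` uses the relative `../docker-entrypoint.sh` while `api` and `worker` use `/home/prowler/docker-entrypoint.sh`; a relative path only resolves if the image WORKDIR happens to sit one level below the script, so use the absolute path for all three. The `worker.keda` block does not match the ScaledObject template: the `triggerType` comment says "(cpu or memory)" while the template's trigger metadata is PostgreSQL-specific, and `value: "50"` ("target utilization percentage") is never read because the template hardcodes `targetQueryValue: "1"`; fix the comments and either wire `value` through or drop it. On defaults: `DJANGO_ALLOWED_HOSTS: "*"` turns off Django's Host header validation, which is tolerable behind an ingress that pins the host but should be noted in the comment so operators override it with the real hostname; `securityContext` is empty for all four workloads, so consider shipping the commented `runAsNonRoot`/`readOnlyRootFilesystem`/drop `ALL` block enabled if the images support it. In `neo4j.config`, `dbms_security_procedures_unrestricted: "apoc.*"` lifts the procedure sandbox for every APOC procedure, and `apoc.import.file.enabled`/`apoc.export.file.enabled` let any database user read and write files on the Neo4j pod's filesystem; document which APOC procedures the API actually needs, narrow the allowlist and unrestricted patterns to those, and leave the file import/export switches off unless they are required.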