
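---
# Source: clair/charts/postgresql/templates/networkpolicy.yaml
# Ingress policy for the PostgreSQL pod. As rendered, the single ingress rule
# carried only a `ports` entry and no `from` selector, which admits port 5432
# from any source; this version limits it to the Clair pods (labels taken
# from the Deployment's pod template) and to the PostgreSQL pods themselves.
kind: NetworkPolicy
apiVersion: "networking.k8s.io/v1"
metadata:
  name: clair-postgresql
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-10.0.0
    app.kubernetes.io/instance: clair
    app.kubernetes.io/managed-by: Helm
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: postgresql
      app.kubernetes.io/instance: clair
  # Only ingress is governed here; egress from the database pod is untouched.
  policyTypes:
    - Ingress
  ingress:
    # Allow inbound connections on the PostgreSQL port, but only from pods in
    # this namespace that are either the Clair Deployment or PostgreSQL itself.
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: clair
              app.kubernetes.io/instance: clair
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: postgresql
              app.kubernetes.io/instance: clair
      ports:
        - protocol: TCP
          port: 5432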
---
# Source: clair/charts/postgresql/templates/secrets.yaml
# Database credentials for the PostgreSQL StatefulSet, which reads key
# postgresql-password into POSTGRES_PASSWORD. The values under `data` are
# base64-encoded, not encrypted: whoever can read this file or the Secret
# object has the password. The decoded postgresql-password ("clair") is also
# embedded in clear text in the Clair ConfigMap's connection string, so
# rotating it means updating both objects.
apiVersion: v1
kind: Secret
metadata:
  name: clair-postgresql
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-10.0.0
    app.kubernetes.io/instance: clair
    app.kubernetes.io/managed-by: Helm
type: Opaque
data:
  # Not referenced by any workload in this file.
  postgresql-postgres-password: "YjBRQTI1QjdnRw=="
  # Consumed by the StatefulSet via secretKeyRef.
  postgresql-password: "Y2xhaXI="
---
# Source: clair/templates/configmap.yaml
# Clair configuration file. The Deployment mounts this ConfigMap as the
# clair-config volume at /etc/clair, so the container sees it at
# /etc/clair/config.yaml; CLAIR_CONF in the Deployment must point at that path.
# NOTE(review): the embedded file follows the Clair v2 layout
# (clair.database / api / worker / updater / notifier), while the Deployment
# runs quay.io/coreos/clair:v4.3.6 with CLAIR_MODE/CLAIR_CONF, which are v4
# settings; the v4 binary uses a different configuration schema, so confirm
# this file is actually consumed as intended.
# The connection string carries the database password in clear text and uses
# sslmode=disable, matching POSTGRESQL_ENABLE_TLS="no" on the StatefulSet:
# Clair-to-PostgreSQL traffic is unencrypted, and no TLS/CA material is set
# for the API or notifier either.
apiVersion: v1
kind: ConfigMap
metadata:
  name: clair-clair
  labels:
    app.kubernetes.io/name: clair
    helm.sh/chart: clair-0.2.9
    app.kubernetes.io/instance: clair
    app.kubernetes.io/managed-by: Helm
data:
  # Block scalar: everything below is the literal file content, including its
  # own comments.
  config.yaml: |
    clair:
      database:
        # Database driver
        type: pgsql
        options:
          # PostgreSQL Connection string
          # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
          # This should be done using secrets or Vault, but for now this will also work
          source: "postgres://postgres:clair@clair-postgresql:5432/postgres?sslmode=disable"
          # Number of elements kept in the cache
          # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
          cachesize: 16384
          # 32-bit URL-safe base64 key used to encrypt pagination tokens
          # If one is not provided, it will be generated.
          # Multiple clair instances in the same cluster need the same value.
          paginationkey: ""
      api:
        # v3 grpc/RESTful API server address
        addr: "0.0.0.0:6060"
        # Health server address
        # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server.
        healthaddr: "0.0.0.0:6061"
        # Deadline before an API request will respond with a 503
        timeout: 900s
        # Optional PKI configuration
        # If you want to easily generate client certificates and CAs, try the following projects:
        # https://github.com/coreos/etcd-ca
        # https://github.com/cloudflare/cfssl
        servername:
        cafile:
        keyfile:
        certfile:
      worker:
        namespace_detectors:
          - os-release
          - lsb-release
          - apt-sources
          - alpine-release
          - redhat-release
        feature_listers:
          - apk
          - dpkg
          - rpm
      updater:
        # Frequency the database will be updated with vulnerabilities from the default data sources
        # The value 0 disables the updater entirely.
        interval: "2h"
        enabledupdaters:
          - debian
          - ubuntu
          - rhel
          - alpine
      notifier:
        # Number of attempts before the notification is marked as failed to be sent
        attempts: 3
        # Duration before a failed notification is retried
        renotifyinterval: 2h
        http:
          # Optional endpoint that will receive notifications via POST requests
          endpoint: ""
          # Optional PKI configuration
          # If you want to easily generate client certificates and CAs, try the following projects:
          # https://github.com/cloudflare/cfssl
          # https://github.com/coreos/etcd-ca
          servername:
          cafile:
          keyfile:
          certfile:
          # Optional HTTP Proxy: must be a valid URL (including the scheme).
          proxy:
---
# Source: clair/charts/postgresql/templates/svc-headless.yaml
# Headless Service (clusterIP: None) that gives the StatefulSet's pods stable
# per-pod DNS names; the StatefulSet names it in serviceName. Clients (the
# Clair ConfigMap) use the clair-postgresql Service, not this one.
apiVersion: v1
kind: Service
metadata:
  name: clair-postgresql-headless
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-10.0.0
    app.kubernetes.io/instance: clair
    app.kubernetes.io/managed-by: Helm
  annotations:
    # Use this annotation in addition to the actual publishNotReadyAddresses
    # field below because the annotation will stop being respected soon but the
    # field is broken in some versions of Kubernetes:
    # https://github.com/kubernetes/kubernetes/issues/58662
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
  type: ClusterIP
  clusterIP: None
  # We want all pods in the StatefulSet to have their addresses published for
  # the sake of the other Postgresql pods even before they're ready, since they
  # have to be able to talk to each other in order to become ready.
  publishNotReadyAddresses: true
  ports:
    - name: tcp-postgresql
      port: 5432
      targetPort: tcp-postgresql
  selector:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: clair
---
# Source: clair/charts/postgresql/templates/svc.yaml
# Cluster-internal Service that the Clair ConfigMap's connection string
# targets (clair-postgresql:5432). It selects only the primary
# (role: primary), so it never routes to replicas.
apiVersion: v1
kind: Service
metadata:
  name: clair-postgresql
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-10.0.0
    app.kubernetes.io/instance: clair
    app.kubernetes.io/managed-by: Helm
  # Rendered empty by the chart; a bare key parses as null, which Kubernetes
  # treats as "no annotations".
  annotations:
spec:
  type: ClusterIP
  ports:
    - name: tcp-postgresql
      port: 5432
      targetPort: tcp-postgresql
  selector:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: clair
    role: primary
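---
# Source: clair/templates/service.yaml
# Exposes the Clair API (6060) and health endpoint (6061) as NodePorts
# 30060/30061 on every node. With the ConfigMap's api.cafile/certfile left
# empty there is no TLS or client-certificate check on this path, so anything
# that can reach a node on those ports can call the API directly; reachability
# of those node ports is the only control.
# Each port entry previously listed `name` twice (plain and quoted); duplicate
# keys are invalid in YAML 1.2 and silently last-wins in most parsers, so the
# duplicates were dropped (the surviving value is identical).
apiVersion: v1
kind: Service
metadata:
  name: clair-clair
  labels:
    app.kubernetes.io/name: clair
    helm.sh/chart: clair-0.2.9
    app.kubernetes.io/instance: clair
    app.kubernetes.io/managed-by: Helm
spec:
  type: NodePort
  ports:
    - name: clair-api
      port: 6060
      nodePort: 30060
      targetPort: 6060
      protocol: TCP
    - name: clair-health
      port: 6061
      nodePort: 30061
      targetPort: 6061
      protocol: TCP
  selector:
    app.kubernetes.io/name: clair
    app.kubernetes.io/instance: clair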
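---
# Source: clair/templates/deployment.yaml
# Single-replica Clair Deployment. Its configuration comes from the clair-clair
# ConfigMap, mounted at /etc/clair, so the file the container sees is
# /etc/clair/config.yaml. CLAIR_CONF previously pointed at /clair/config.yaml,
# where nothing is mounted; it now matches the volume mount.
# NOTE(review): the image is quay.io/coreos/clair:v4.3.6, while the probes
# hit /health on 6061 and the args use -log-level, both of which follow the
# v2 conventions of the ConfigMap — confirm against the v4 binary's flags and
# health endpoint before relying on the probes.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: clair-clair
  labels:
    app.kubernetes.io/name: clair
    helm.sh/chart: clair-0.2.9
    app.kubernetes.io/instance: clair
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: clair
      app.kubernetes.io/instance: clair
  template:
    metadata:
      labels:
        app.kubernetes.io/name: clair
        helm.sh/chart: clair-0.2.9
        app.kubernetes.io/instance: clair
        app.kubernetes.io/managed-by: Helm
    spec:
      volumes:
        - name: "clair-config"
          configMap:
            name: clair-clair
      nodeSelector:
        kubernetes.io/arch: amd64
      containers:
        - name: clair
          image: "quay.io/coreos/clair:v4.3.6"
          imagePullPolicy: IfNotPresent
          args:
            - "-log-level=debug"
          # Clair parses container image contents it fetches from registries;
          # keep the process unable to escalate privileges or use kernel
          # capabilities it has no need for.
          # NOTE(review): runAsNonRoot / readOnlyRootFilesystem are not set
          # because the image's runtime user and scratch-directory needs are
          # not visible here — confirm and tighten.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - name: clair-api
              containerPort: 6060
              protocol: TCP
            - name: clair-health
              containerPort: 6061
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /health
              port: 6061
          readinessProbe:
            httpGet:
              path: /health
              port: 6061
          volumeMounts:
            - name: "clair-config"
              mountPath: /etc/clair
          resources:
            limits:
              cpu: 2
              memory: 3000Mi
            requests:
              cpu: 50m
              memory: 2000Mi
          env:
            # Must equal the clair-config mountPath above plus the ConfigMap
            # key (config.yaml).
            - name: CLAIR_CONF
              value: "/etc/clair/config.yaml"
            - name: CLAIR_MODE
              value: "combo"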
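---
# Source: clair/charts/postgresql/templates/statefulset.yaml
# Single-replica PostgreSQL StatefulSet backing Clair. Data lives on the
# `data` PVC (1Gi, ReadWriteOnce); /dev/shm is a 1Gi in-memory emptyDir.
# The container already ran as UID 1001; this version also pins
# runAsNonRoot and disables privilege escalation so a future image change
# cannot silently move the database process to root.
# NOTE(review): TLS (POSTGRESQL_ENABLE_TLS="no"), connection logging
# (POSTGRESQL_LOG_CONNECTIONS/LOG_DISCONNECTIONS="false") and
# BITNAMI_DEBUG="true" are left as rendered; the first two reduce what an
# investigation can see, the last increases log verbosity — revisit
# deliberately rather than here.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: clair-postgresql
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-10.0.0
    app.kubernetes.io/instance: clair
    app.kubernetes.io/managed-by: Helm
  # Rendered empty by the chart; a bare key is null, i.e. no annotations.
  annotations:
spec:
  serviceName: clair-postgresql-headless
  replicas: 1
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/name: postgresql
      app.kubernetes.io/instance: clair
      role: primary
  template:
    metadata:
      name: clair-postgresql
      labels:
        app.kubernetes.io/name: postgresql
        helm.sh/chart: postgresql-10.0.0
        app.kubernetes.io/instance: clair
        app.kubernetes.io/managed-by: Helm
        role: primary
    spec:
      # Volumes mounted into the pod get group 1001 so the non-root
      # database user can write the data directory.
      securityContext:
        fsGroup: 1001
      nodeSelector:
        kubernetes.io/arch: amd64
      containers:
        - name: clair-postgresql
          image: docker.io/bitnami/postgresql:11.10.0-debian-10-r2
          imagePullPolicy: "IfNotPresent"
          resources:
            limits:
              cpu: 2
              memory: 512Mi
            requests:
              cpu: 50m
              memory: 512Mi
          securityContext:
            runAsUser: 1001
            # Satisfiable because runAsUser is fixed to 1001 above.
            runAsNonRoot: true
            allowPrivilegeEscalation: false
          env:
            - name: BITNAMI_DEBUG
              value: "true"
            - name: POSTGRESQL_PORT_NUMBER
              value: "5432"
            - name: POSTGRESQL_VOLUME_DIR
              value: "/bitnami/postgresql"
            - name: PGDATA
              value: "/bitnami/postgresql/data"
            - name: POSTGRES_USER
              value: "postgres"
            # Password comes from the clair-postgresql Secret (key
            # postgresql-password); the same value is embedded in the Clair
            # ConfigMap's connection string.
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: clair-postgresql
                  key: postgresql-password
            - name: POSTGRESQL_ENABLE_LDAP
              value: "no"
            - name: POSTGRESQL_ENABLE_TLS
              value: "no"
            - name: POSTGRESQL_LOG_HOSTNAME
              value: "false"
            - name: POSTGRESQL_LOG_CONNECTIONS
              value: "false"
            - name: POSTGRESQL_LOG_DISCONNECTIONS
              value: "false"
            - name: POSTGRESQL_PGAUDIT_LOG_CATALOG
              value: "off"
            - name: POSTGRESQL_CLIENT_MIN_MESSAGES
              value: "error"
            - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
              value: "pgaudit"
          ports:
            - name: tcp-postgresql
              containerPort: 5432
          livenessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - exec pg_isready -U "postgres" -h 127.0.0.1 -p 5432
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
          readinessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - -e
                # NOTE(review): kept as rendered by the chart. The first line
                # uses `exec`, which replaces the shell, so the .initialized
                # check on the second line is never reached; the probe is
                # effectively pg_isready only.
                - |
                  exec pg_isready -U "postgres" -h 127.0.0.1 -p 5432
                  [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
          volumeMounts:
            - name: dshm
              mountPath: /dev/shm
            - name: data
              mountPath: /bitnami/postgresql
              # Rendered empty; null subPath mounts the whole volume.
              subPath:
      volumes:
        - name: dshm
          emptyDir:
            medium: Memory
            sizeLimit: 1Gi
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: "1Gi"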