clamav-network-policy (#58)

Co-authored-by: Julien Bouquillon <julien.bouquillon@sg.social.gouv.fr>
SocialGouv · Nov 21, 2023 · 38ebb32 · 38ebb32
1 parent c45ec90
commit 38ebb32
Show file tree

Hide file tree

Showing 7 changed files with 310 additions and 1 deletion.
diff --git a/charts/clamav/templates/network-policy.yaml b/charts/clamav/templates/network-policy.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.netpol.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: clamav
+  namespace: {{ .Values.namespace }}
+spec:
+  ingress:
+  - from:
+    - podSelector: {}
+  - from:
+    - namespaceSelector:
+        matchExpressions:
+        - key: network-policy/source
+          operator: In
+          values:
+          - monitoring
+          - ingress-controller
+  - from:
+    - namespaceSelector:
+        matchExpressions:
+        - key: application
+          operator: Exists
+  podSelector: {}
+  policyTypes:
+  - Ingress
+{{- end }}
diff --git a/charts/clamav/tests/__snapshot__/clamav_test.yaml.snap b/charts/clamav/tests/__snapshot__/clamav_test.yaml.snap
@@ -0,0 +1,240 @@
+should render:
+  1: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      labels:
+        app: clamav-rest
+      name: clamav-rest
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          app: clamav-rest
+      template:
+        metadata:
+          labels:
+            app: clamav-rest
+        spec:
+          containers:
+            - env:
+                - name: NODE_ENV
+                  valueFrom:
+                    configMapKeyRef:
+                      key: node-env
+                      name: clamav-rest-configmap
+                - name: CLAMD_IP
+                  valueFrom:
+                    configMapKeyRef:
+                      key: clamd-ip
+                      name: clamav-rest-configmap
+                - name: APP_FORM_KEY
+                  valueFrom:
+                    configMapKeyRef:
+                      key: app-form-key
+                      name: clamav-rest-configmap
+                - name: APP_MAX_FILE_SIZE
+                  valueFrom:
+                    configMapKeyRef:
+                      key: app-max-file-size
+                      name: clamav-rest-configmap
+              image: benzino77/clamav-rest-api:1.2.2
+              name: clamav-rest-api
+              ports:
+                - containerPort: 3000
+                  name: clamav-rest
+                  protocol: TCP
+              securityContext:
+                runAsUser: 1000
+  2: |
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: clamav-rest
+    spec:
+      ports:
+        - name: clamav-rest-port
+          port: 80
+          protocol: TCP
+          targetPort: clamav-rest
+      selector:
+        app: clamav-rest
+  3: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      labels:
+        app: clamavd
+      name: clamavd
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          app: clamavd
+      template:
+        metadata:
+          labels:
+            app: clamavd
+        spec:
+          containers:
+            - image: clamav/clamav:1.2.1
+              name: clamavd
+              ports:
+                - containerPort: 3310
+                  name: clamavd-port
+                  protocol: TCP
+              volumeMounts:
+                - mountPath: /etc/clamav/clamd.conf
+                  name: clamavd-conf
+                  subPath: clamd.conf
+          securityContext:
+            runAsNonRoot: false
+          volumes:
+            - configMap:
+                name: clamavd-configmap
+              name: clamavd-conf
+  4: |
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: clamavd-service
+    spec:
+      ports:
+        - port: 3310
+          protocol: TCP
+          targetPort: 3310
+      selector:
+        app: clamavd
+  5: |
+    apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: clamav
+      namespace: null
+    spec:
+      ingress:
+        - from:
+            - podSelector: {}
+        - from:
+            - namespaceSelector:
+                matchExpressions:
+                  - key: network-policy/source
+                    operator: In
+                    values:
+                      - monitoring
+                      - ingress-controller
+        - from:
+            - namespaceSelector:
+                matchExpressions:
+                  - key: application
+                    operator: Exists
+      podSelector: {}
+      policyTypes:
+        - Ingress
+should use custom image:
+  1: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      labels:
+        app: clamav-rest
+      name: clamav-rest
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          app: clamav-rest
+      template:
+        metadata:
+          labels:
+            app: clamav-rest
+        spec:
+          containers:
+            - env:
+                - name: NODE_ENV
+                  valueFrom:
+                    configMapKeyRef:
+                      key: node-env
+                      name: clamav-rest-configmap
+                - name: CLAMD_IP
+                  valueFrom:
+                    configMapKeyRef:
+                      key: clamd-ip
+                      name: clamav-rest-configmap
+                - name: APP_FORM_KEY
+                  valueFrom:
+                    configMapKeyRef:
+                      key: app-form-key
+                      name: clamav-rest-configmap
+                - name: APP_MAX_FILE_SIZE
+                  valueFrom:
+                    configMapKeyRef:
+                      key: app-max-file-size
+                      name: clamav-rest-configmap
+              image: clamav-rest/clamav:43.1.2
+              name: clamav-rest-api
+              ports:
+                - containerPort: 3000
+                  name: clamav-rest
+                  protocol: TCP
+              securityContext:
+                runAsUser: 1000
+  2: |
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: clamav-rest
+    spec:
+      ports:
+        - name: clamav-rest-port
+          port: 80
+          protocol: TCP
+          targetPort: clamav-rest
+      selector:
+        app: clamav-rest
+  3: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      labels:
+        app: clamavd
+      name: clamavd
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          app: clamavd
+      template:
+        metadata:
+          labels:
+            app: clamavd
+        spec:
+          containers:
+            - image: clamav-d/clamav:42.1.2
+              name: clamavd
+              ports:
+                - containerPort: 3310
+                  name: clamavd-port
+                  protocol: TCP
+              volumeMounts:
+                - mountPath: /etc/clamav/clamd.conf
+                  name: clamavd-conf
+                  subPath: clamd.conf
+          securityContext:
+            runAsNonRoot: false
+          volumes:
+            - configMap:
+                name: clamavd-configmap
+              name: clamavd-conf
+  4: |
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: clamavd-service
+    spec:
+      ports:
+        - port: 3310
+          protocol: TCP
+          targetPort: 3310
+      selector:
+        app: clamavd
diff --git a/charts/clamav/tests/clamav_test.yaml b/charts/clamav/tests/clamav_test.yaml
@@ -0,0 +1,28 @@
+suite: test cnpg-cluster
+tests:
+  - it: should render
+    asserts:
+      - template: clamav-rest.yaml
+        matchSnapshot: {}
+      - template: clamavd.yaml
+        matchSnapshot: {}
+      - template: network-policy.yaml
+        matchSnapshot: {}
+      - template: network-policy.yaml
+        hasDocuments:
+          count: 1
+  - it: should not render netpol
+    values:
+      - ./values/no-netpol.yaml
+    asserts:
+      - template: network-policy.yaml
+        hasDocuments:
+          count: 0
+  - it: should use custom image
+    values:
+      - ./values/image.yaml
+    asserts:
+      - template: clamav-rest.yaml
+        matchSnapshot: {}
+      - template: clamavd.yaml
+        matchSnapshot: {}
diff --git a/charts/clamav/tests/values/image.yaml b/charts/clamav/tests/values/image.yaml
@@ -0,0 +1,9 @@
+clamavd:
+  image:
+    name: clamav-d/clamav
+    version: 42.1.2
+
+clamavRest:
+  image:
+    name: clamav-rest/clamav
+    version: 43.1.2
diff --git a/charts/clamav/tests/values/no-netpol.yaml b/charts/clamav/tests/values/no-netpol.yaml
@@ -0,0 +1,2 @@
+netpol:
+  enabled: false
diff --git a/charts/clamav/values.yaml b/charts/clamav/values.yaml
@@ -10,3 +10,6 @@ clamavRest:
   app:
     maxFileSize: "26214400"
     formKey: "FILES"
+
+netpol:
+  enabled: true
diff --git a/charts/cnpg-cluster/tests/__snapshot__/cnpg-cluster_test.yaml.snap b/charts/cnpg-cluster/tests/__snapshot__/cnpg-cluster_test.yaml.snap
@@ -118,7 +118,7 @@ cluster with enabled backup and recovery:
                     value: RELEASE-NAME-cnpg-cluster-r
                   - name: RETENTION_DAYS
                     value: "30"
-                image: ghcr.io/socialgouv/docker/s3-client:1.2.0
+                image: ghcr.io/socialgouv/docker/s3-client:1.2.1
                 imagePullPolicy: IfNotPresent
                 name: s3-client
                 securityContext: