From ab6fb76f9e561b5ab09e5098a8ca0cbd0793e118 Mon Sep 17 00:00:00 2001 From: Bruno Willenborg Date: Thu, 7 Sep 2023 15:17:33 +0200 Subject: [PATCH 01/14] Add clamav --- charts/sddi-ckan/Chart.yaml | 4 ++++ charts/sddi-ckan/README.md | 7 +++++++ charts/sddi-ckan/values.yaml | 18 ++++++++++++++++++ 3 files changed, 29 insertions(+) diff --git a/charts/sddi-ckan/Chart.yaml b/charts/sddi-ckan/Chart.yaml index 9644e37..a6dc9d2 100644 --- a/charts/sddi-ckan/Chart.yaml +++ b/charts/sddi-ckan/Chart.yaml @@ -48,3 +48,7 @@ dependencies: condition: cert-manager.enabled version: "~1.11.0" repository: https://charts.jetstack.io + - name: clamav + condition: clamav.enabled + version: "~2.8.0" + repository: https://wiremind.github.io/wiremind-helm-charts diff --git a/charts/sddi-ckan/README.md b/charts/sddi-ckan/README.md index e06a4f8..3ea2e12 100644 --- a/charts/sddi-ckan/README.md +++ b/charts/sddi-ckan/README.md @@ -32,6 +32,7 @@ Kubernetes: `>= 1.23.0-0` | | solr | * | | https://charts.jetstack.io | cert-manager(cert-manager) | ~1.11.0 | | https://kubernetes.github.io/ingress-nginx | ingress-nginx(ingress-nginx) | ~4.4.0 | +| https://wiremind.github.io/wiremind-helm-charts | clamav | ~2.8.0 | ## Values 
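Review bot: The `clamav` entry added to `dependencies` pulls a chart from a third-party repository with a floating `~2.8.0` range, so a patch release published there is picked up on the next dependency update without review. Consider pinning it, `version: "2.8.0"`, and committing the resolved `Chart.lock` (not visible in this patch) so every build resolves the same chart. The values.yaml hunk of this patch sets `clamav.enabled: true`, so the dependency is installed by default; the image and pod security settings that chart ships should be reviewed before relying on that default.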
@@ -39,6 +40,12 @@ Kubernetes: `>= 1.23.0-0` |-----|------|---------|-------------| | cert-manager.enabled | bool | `false` | Enable/disable cert-manager. | | certIssuer.enabled | bool | `true` | Enable/disable namespace Issuers for cert-manager. | +| clamav.enabled | bool | `true` | Enable/disable [ClamAV](https://www.clamav.net/) virus scanning of uploaded files. | +| clamav.fullnameOverride | string | `"clamav"` | | +| clamav.resources.limits.cpu | string | `"1000m"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| clamav.resources.limits.memory | string | `"2Gi"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| clamav.resources.requests.cpu | string | `"500m"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| clamav.resources.requests.memory | string | `"1Gi"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | datapusher.enabled | bool | `true` | Enable/disable Datapusher | | fullnameOverride | string | `""` | Override fullname | | global.datapusher.db.auth.password | string | `"changeMe"` | Jobs database password. If set, this values will overwrite the value in the Datapusher chart. | diff --git a/charts/sddi-ckan/values.yaml b/charts/sddi-ckan/values.yaml index f1edb3e..ba2206a 100644 --- a/charts/sddi-ckan/values.yaml +++ b/charts/sddi-ckan/values.yaml 
@@ -144,3 +144,21 @@ cert-manager: certIssuer: # -- Enable/disable namespace Issuers for cert-manager. enabled: true + +clamav: + # -- Enable/disable [ClamAV](https://www.clamav.net/) virus scanning of uploaded files. + enabled: true + + fullnameOverride: clamav + + resources: + limits: + # -- [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) + cpu: 1000m + # -- [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) + memory: 2Gi + requests: + # -- [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) + cpu: 500m + # -- [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) + memory: 1Gi From 364c49d1b4b1981c2fa3590394e792026e9fc5d4 Mon Sep 17 00:00:00 2001 From: Bruno Willenborg Date: Thu, 14 Sep 2023 11:36:16 +0200 Subject: [PATCH 02/14] clamav testing for timeouts --- charts/sddi-ckan/README.md | 10 +- charts/sddi-ckan/charts/ckan/README.md | 5 + .../ckan/templates/ckan-configMap-env.yml | 8 ++ .../charts/ckan/templates/ckan-ingress.yml | 6 ++ charts/sddi-ckan/charts/ckan/values.yaml | 7 ++ charts/sddi-ckan/values.yaml | 95 ++++++++++++++++++- 6 files changed, 123 insertions(+), 8 deletions(-) diff --git a/charts/sddi-ckan/README.md b/charts/sddi-ckan/README.md index 3ea2e12..56f2b91 100644 --- a/charts/sddi-ckan/README.md +++ b/charts/sddi-ckan/README.md 
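Review bot: `fullnameOverride: clamav` has no `# --` comment, so its row in the README hunk of this patch has an empty description. The fixed name is what CKAN is later pointed at (`host: clamav` in the ckan subchart values of PATCH 02), so the comment should say so, e.g. `# -- Fixed name of the ClamAV service; keep in sync with the ckan subchart's clamav.host`. The four resource comments are the same link and could say which workload they size.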
@@ -40,12 +40,14 @@ Kubernetes: `>= 1.23.0-0` |-----|------|---------|-------------| | cert-manager.enabled | bool | `false` | Enable/disable cert-manager. | | certIssuer.enabled | bool | `true` | Enable/disable namespace Issuers for cert-manager. | +| clamav.clamdConfig | string | `"###############\n# General\n###############\n\nDatabaseDirectory /data\nTemporaryDirectory /tmp\nLogTime yes\n# CUSTOM: Use pid file in tmp\nPidFile /tmp/clamd.pid\nLocalSocket /tmp/clamd.sock\n# CUSTOM: Set local socket group to defined group id\nLocalSocketGroup 2000\nTCPSocket 3310\nForeground yes\nStreamMaxLength 4000M\nLogVerbose yes\n\n###############\n# Results\n###############\n\nDetectPUA yes\nExcludePUA NetTool\nExcludePUA PWTool\nHeuristicAlerts yes\nBytecode yes\n\n###############\n# Scan\n###############\n\nScanPE yes\nDisableCertCheck yes\nScanELF yes\nAlertBrokenExecutables yes\nScanOLE2 yes\nScanPDF yes\nScanSWF yes\nScanMail yes\nPhishingSignatures yes\nPhishingScanURLs yes\nScanHTML yes\nScanArchive yes\n\n###############\n# Scan\n###############\n\nMaxScanSize 150M\nMaxFileSize 30M\nMaxRecursion 10\nMaxFiles 15000\nMaxEmbeddedPE 10M\nMaxHTMLNormalize 10M\nMaxHTMLNoTags 2M\nMaxScriptNormalize 5M\nMaxZipTypeRcg 1M\nMaxPartitions 128\nMaxIconsPE 200\nPCREMatchLimit 10000\nPCRERecMatchLimit 10000\n"` | | | clamav.enabled | bool | `true` | Enable/disable [ClamAV](https://www.clamav.net/) virus scanning of uploaded files. 
| +| clamav.freshclamConfig | string | `"###############\n# General\n###############\n\nDatabaseDirectory /data\nUpdateLogFile /dev/stdout\nLogTime yes\n# CUSTOM: Use pid file in tmp\nPidFile /tmp/freshclam.pid\n# CUSTOM: Set defined user\nDatabaseOwner 2000\n\n###############\n# Updates\n###############\n\nDatabaseMirror database.clamav.net\nScriptedUpdates yes\nNotifyClamd /etc/clamav/clamd.conf\nBytecode yes\n"` | | | clamav.fullnameOverride | string | `"clamav"` | | -| clamav.resources.limits.cpu | string | `"1000m"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | -| clamav.resources.limits.memory | string | `"2Gi"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | -| clamav.resources.requests.cpu | string | `"500m"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | -| clamav.resources.requests.memory | string | `"1Gi"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| clamav.resources.limits.cpu | string | `"4000m"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| clamav.resources.limits.memory | string | `"8Gi"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| clamav.resources.requests.cpu | string | `"1500m"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| clamav.resources.requests.memory | string | `"2Gi"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | datapusher.enabled | bool | `true` | Enable/disable Datapusher | | fullnameOverride | string | `""` | Override fullname | | global.datapusher.db.auth.password | string | `"changeMe"` | Jobs database 
password. If set, this values will overwrite the value in the Datapusher chart. | diff --git a/charts/sddi-ckan/charts/ckan/README.md b/charts/sddi-ckan/charts/ckan/README.md index 3eafc07..c07ebd8 100644 --- a/charts/sddi-ckan/charts/ckan/README.md +++ b/charts/sddi-ckan/charts/ckan/README.md @@ -49,6 +49,11 @@ A Helm chart for SDDI enabled CKAN. | autoscaling.targetCPUUtilizationPercentage | string | `nil` | [HorizontalPodAutoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/). | | autoscaling.targetMemoryUtilizationPercentage | string | `nil` | [HorizontalPodAutoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/). | | backgroundImage | string | `"../base/images/hero.jpg"` | Set URL or path to [CKAN SDDI background image](https://github.com/tum-gis/ckanext-grouphierarchy-sddi#personalisation). | +| clamav.enabled | bool | `true` | | +| clamav.host | string | `"clamav"` | | +| clamav.port | int | `3310` | | +| clamav.timeout | int | `360` | | +| clamav.uploadUnscanned | string | `"False"` | | | component | string | `"ckan"` | Role of CKAN in this chart | | datapusher.apiToken | string | `nil` | Datapusher API token, see [CKAN Datapusher settings](https://docs.ckan.org/en/latest/maintaining/configuration.html#datapusher-settings) | | datapusher.callback_url_base | string | `"http://ckan:5000/"` | This should be set to cluster internal ckan service domain. [CKAN DataPusher settings](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-datapusher-callback-url-base) | diff --git a/charts/sddi-ckan/charts/ckan/templates/ckan-configMap-env.yml b/charts/sddi-ckan/charts/ckan/templates/ckan-configMap-env.yml index 4777cc9..1a517f3 100644 --- a/charts/sddi-ckan/charts/ckan/templates/ckan-configMap-env.yml +++ b/charts/sddi-ckan/charts/ckan/templates/ckan-configMap-env.yml 
@@ -75,6 +75,14 @@ data: {{- if .Values.webassets.path }} CKAN__WEBASSETS__PATH: {{ .Values.webassets.path | quote }} {{- end }} + {{- if .Values.clamav.enabled }} + # CKANEXT__CLAMAV__SOCKET_PATH: /your/path/to/socket.file + CKANEXT__CLAMAV__UPLOAD_UNSCANNED: {{ .Values.clamav.uploadUnscanned | quote }} + CKANEXT__CLAMAV__SOCKET_TYPE: tcp + CKANEXT__CLAMAV__TCP__HOST: {{ .Values.clamav.host | quote }} + CKANEXT__CLAMAV__TCP__PORT: {{ .Values.clamav.port | quote }} + CKANEXT__CLAMAV__TIMEOUT: {{ .Values.clamav.timeout | quote }} + {{- end }} # Additional env vars from values.yaml {{- with .Values.extraEnv }} {{- toYaml . | nindent 2 }} diff --git a/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml b/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml index acc577b..f4a335c 100644 --- a/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml +++ b/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml @@ -30,6 +30,12 @@ metadata: {{- end }} nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.maxUploadSizeMB }}m" nginx.org/client-max-body-size: "{{ .Values.maxUploadSizeMB }}m" + nginx.ingress.kubernetes.io/proxy-connect-timeout: "360" + nginx.ingress.kubernetes.io/proxy-send-timeout: "360" + nginx.ingress.kubernetes.io/proxy-read-timeout: "360" + nginx.org/proxy-connect-timeout: "360" + nginx.org/proxy-read-timeout: "360" + nginx.org/proxy-send-timeout: "360" {{- if .Values.ingress.stickySessions.enabled }} # https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/ nginx.ingress.kubernetes.io/affinity: "cookie" diff --git a/charts/sddi-ckan/charts/ckan/values.yaml b/charts/sddi-ckan/charts/ckan/values.yaml index 89d271e..08259d9 100644 --- a/charts/sddi-ckan/charts/ckan/values.yaml +++ b/charts/sddi-ckan/charts/ckan/values.yaml 
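Review bot: The `{{- if .Values.clamav.enabled }}` guard reads the ckan subchart's own `clamav.enabled` (default `true` in this patch's ckan values.yaml), while the ClamAV dependency itself is switched by the parent chart's `clamav.enabled` condition from PATCH 01. Nothing visible ties the two together, so disabling only the dependency leaves CKAN configured for a scanner host that does not exist; with `uploadUnscanned: "False"` uploads would then presumably be rejected rather than stored unscanned, but that depends on the extension. Consider a shared `global` switch, or at least a comment above the block such as `# Must be enabled together with the parent chart's clamav.enabled`. The connection to clamd is plain TCP on port 3310 and the clamd protocol has no authentication, so the clamav Service should be restricted to the CKAN pods with a NetworkPolicy.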
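Review bot: The six timeout annotations are hard-coded to `"360"` and rendered unconditionally, so they neither follow `clamav.timeout` nor disappear when scanning is disabled. Long read and send timeouts let a slow client hold a proxy connection for six minutes, so they should be no larger than the scan needs and only present when scanning is on. The connect timeout does not need raising for a slow scan, and nginx documents that `proxy_connect_timeout` usually cannot exceed 75 seconds, so the two `proxy-connect-timeout` lines can be dropped. The rest of the annotations block lies outside this hunk.

```yaml
    # … unchanged: proxy-body-size / client-max-body-size annotations …
    {{- if .Values.clamav.enabled }}
    nginx.ingress.kubernetes.io/proxy-send-timeout: {{ .Values.clamav.timeout | quote }}
    nginx.ingress.kubernetes.io/proxy-read-timeout: {{ .Values.clamav.timeout | quote }}
    nginx.org/proxy-read-timeout: {{ .Values.clamav.timeout | quote }}
    nginx.org/proxy-send-timeout: {{ .Values.clamav.timeout | quote }}
    {{- end }}
```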
@@ -421,6 +421,13 @@ activityStreams: # -- [CKAN config activity stream](https://docs.ckan.org/en/latest/maintaining/configuration.html#activity-streams-settings) emailNotifications: True +clamav: + enabled: true + uploadUnscanned: "False" + host: clamav + port: 3310 + timeout: 360 + resources: limits: # -- [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) diff --git a/charts/sddi-ckan/values.yaml b/charts/sddi-ckan/values.yaml index ba2206a..20da288 100644 --- a/charts/sddi-ckan/values.yaml +++ b/charts/sddi-ckan/values.yaml 
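Review bot: The new `clamav:` block has no `# --` comments, so all five rows in the ckan README hunk of this patch have empty descriptions. `uploadUnscanned` is the security-relevant one: it appears to decide whether a file is accepted when it could not be scanned, and the default `"False"` is the fail-closed choice, which deserves a comment such as `# -- Accept uploads that could not be scanned (scanner unreachable or timed out). Keep "False" to fail closed.` — wording to be confirmed against the ClamAV extension's documentation. `timeout` should state its unit, and `host`/`port` should say that they must match the ClamAV service name and the `TCPSocket` value set in the parent chart.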
@@ -154,11 +154,98 @@ clamav: resources: limits: # -- [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) - cpu: 1000m + cpu: 4000m # -- [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) - memory: 2Gi + memory: 8Gi requests: # -- [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) - cpu: 500m + cpu: 1500m # -- [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) - memory: 1Gi + memory: 2Gi + + clamdConfig: | + ############### + # General + ############### + + DatabaseDirectory /data + TemporaryDirectory /tmp + LogTime yes + # CUSTOM: Use pid file in tmp + PidFile /tmp/clamd.pid + LocalSocket /tmp/clamd.sock + # CUSTOM: Set local socket group to defined group id + LocalSocketGroup 2000 + TCPSocket 3310 + Foreground yes + StreamMaxLength 4000M + LogVerbose yes + + ############### + # Results + ############### + + DetectPUA yes + ExcludePUA NetTool + ExcludePUA PWTool + HeuristicAlerts yes + Bytecode yes + + ############### + # Scan + ############### + + ScanPE yes + DisableCertCheck yes + ScanELF yes + AlertBrokenExecutables yes + ScanOLE2 yes + ScanPDF yes + ScanSWF yes + ScanMail yes + PhishingSignatures yes + PhishingScanURLs yes + ScanHTML yes + ScanArchive yes + + ############### + # Scan + ############### + + MaxScanSize 150M + MaxFileSize 30M + MaxRecursion 10 + MaxFiles 15000 + MaxEmbeddedPE 10M + MaxHTMLNormalize 10M + MaxHTMLNoTags 2M + MaxScriptNormalize 5M + MaxZipTypeRcg 1M + MaxPartitions 128 + MaxIconsPE 200 + PCREMatchLimit 10000 + PCRERecMatchLimit 10000 + + ## Ref: https://linux.die.net/man/5/freshclam.conf + ## Note: will completely override default clamd.conf file at https://github.com/Mailu/Mailu/tree/master/optional/clamav/conf + freshclamConfig: | + ############### + # General + ############### + + DatabaseDirectory /data + 
UpdateLogFile /dev/stdout + LogTime yes + # CUSTOM: Use pid file in tmp + PidFile /tmp/freshclam.pid + # CUSTOM: Set defined user + DatabaseOwner 2000 + + ############### + # Updates + ############### + + DatabaseMirror database.clamav.net + ScriptedUpdates yes + NotifyClamd /etc/clamav/clamd.conf + Bytecode yes From 641d5ed0439e320f5f001046d4f90977ff35983d Mon Sep 17 00:00:00 2001 From: Bruno Willenborg Date: Wed, 11 Oct 2023 22:23:38 +0200 Subject: [PATCH 03/14] BytecodeTimeout --- charts/sddi-ckan/README.md | 2 +- charts/sddi-ckan/values.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/sddi-ckan/README.md b/charts/sddi-ckan/README.md index 56f2b91..9a93a2d 100644 --- a/charts/sddi-ckan/README.md +++ b/charts/sddi-ckan/README.md 
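Review bot: In `clamdConfig`, `StreamMaxLength 4000M` accepts streams far larger than `MaxFileSize 30M` and `MaxScanSize 150M` allow clamd to inspect, and by default clamd skips data beyond those limits and reports the file as clean. An upload between 30 MB and the ingress `maxUploadSizeMB` limit can therefore pass the scan without being examined. Either align the three limits with the upload limit or add `AlertExceedsMax yes` so that over-limit files are flagged instead of passed. `TCPSocket 3310` is set without `TCPAddr`, so the unauthenticated clamd port listens on every pod interface and relies entirely on cluster network policy. The `## Ref:` / `## Note:` comment above `freshclamConfig` speaks of overriding clamd.conf and should be corrected to refer to freshclam.conf.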
@@ -40,7 +40,7 @@ Kubernetes: `>= 1.23.0-0` |-----|------|---------|-------------| | cert-manager.enabled | bool | `false` | Enable/disable cert-manager. | | certIssuer.enabled | bool | `true` | Enable/disable namespace Issuers for cert-manager. | -| clamav.clamdConfig | string | `"###############\n# General\n###############\n\nDatabaseDirectory /data\nTemporaryDirectory /tmp\nLogTime yes\n# CUSTOM: Use pid file in tmp\nPidFile /tmp/clamd.pid\nLocalSocket /tmp/clamd.sock\n# CUSTOM: Set local socket group to defined group id\nLocalSocketGroup 2000\nTCPSocket 3310\nForeground yes\nStreamMaxLength 4000M\nLogVerbose yes\n\n###############\n# Results\n###############\n\nDetectPUA yes\nExcludePUA NetTool\nExcludePUA PWTool\nHeuristicAlerts yes\nBytecode yes\n\n###############\n# Scan\n###############\n\nScanPE yes\nDisableCertCheck yes\nScanELF yes\nAlertBrokenExecutables yes\nScanOLE2 yes\nScanPDF yes\nScanSWF yes\nScanMail yes\nPhishingSignatures yes\nPhishingScanURLs yes\nScanHTML yes\nScanArchive yes\n\n###############\n# Scan\n###############\n\nMaxScanSize 150M\nMaxFileSize 30M\nMaxRecursion 10\nMaxFiles 15000\nMaxEmbeddedPE 10M\nMaxHTMLNormalize 10M\nMaxHTMLNoTags 2M\nMaxScriptNormalize 5M\nMaxZipTypeRcg 1M\nMaxPartitions 128\nMaxIconsPE 200\nPCREMatchLimit 10000\nPCRERecMatchLimit 10000\n"` | | +| clamav.clamdConfig | string | `"###############\n# General\n###############\n\nDatabaseDirectory /data\nTemporaryDirectory /tmp\nLogTime yes\n# CUSTOM: Use pid file in tmp\nPidFile /tmp/clamd.pid\nLocalSocket /tmp/clamd.sock\n# CUSTOM: Set local socket group to defined group id\nLocalSocketGroup 2000\nTCPSocket 3310\nForeground yes\nStreamMaxLength 4000M\nLogVerbose yes\nBytecodeTimeout 1000\n\n###############\n# Results\n###############\n\nDetectPUA yes\nExcludePUA NetTool\nExcludePUA PWTool\nHeuristicAlerts yes\nBytecode yes\n\n###############\n# Scan\n###############\n\nScanPE yes\nDisableCertCheck yes\nScanELF yes\nAlertBrokenExecutables yes\nScanOLE2 yes\nScanPDF 
yes\nScanSWF yes\nScanMail yes\nPhishingSignatures yes\nPhishingScanURLs yes\nScanHTML yes\nScanArchive yes\n\n###############\n# Scan\n###############\n\nMaxScanSize 150M\nMaxFileSize 30M\nMaxRecursion 10\nMaxFiles 15000\nMaxEmbeddedPE 10M\nMaxHTMLNormalize 10M\nMaxHTMLNoTags 2M\nMaxScriptNormalize 5M\nMaxZipTypeRcg 1M\nMaxPartitions 128\nMaxIconsPE 200\nPCREMatchLimit 10000\nPCRERecMatchLimit 10000\n"` | | | clamav.enabled | bool | `true` | Enable/disable [ClamAV](https://www.clamav.net/) virus scanning of uploaded files. | | clamav.freshclamConfig | string | `"###############\n# General\n###############\n\nDatabaseDirectory /data\nUpdateLogFile /dev/stdout\nLogTime yes\n# CUSTOM: Use pid file in tmp\nPidFile /tmp/freshclam.pid\n# CUSTOM: Set defined user\nDatabaseOwner 2000\n\n###############\n# Updates\n###############\n\nDatabaseMirror database.clamav.net\nScriptedUpdates yes\nNotifyClamd /etc/clamav/clamd.conf\nBytecode yes\n"` | | | clamav.fullnameOverride | string | `"clamav"` | | diff --git a/charts/sddi-ckan/values.yaml b/charts/sddi-ckan/values.yaml index 20da288..970bd12 100644 --- a/charts/sddi-ckan/values.yaml +++ b/charts/sddi-ckan/values.yaml @@ -180,6 +180,7 @@ clamav: Foreground yes StreamMaxLength 4000M LogVerbose yes + BytecodeTimeout 1000 ############### # Results From 9d8f6fde5e950b992c073518e38729411249743b Mon Sep 17 00:00:00 2001 From: Ilche Bedelovski Date: Tue, 12 Mar 2024 08:48:20 +0100 Subject: [PATCH 04/14] Disable Ingress stickySession --- charts/sddi-ckan/charts/ckan/README.md | 2 +- charts/sddi-ckan/charts/ckan/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/sddi-ckan/charts/ckan/README.md b/charts/sddi-ckan/charts/ckan/README.md index c07ebd8..9cda0f6 100644 --- a/charts/sddi-ckan/charts/ckan/README.md +++ b/charts/sddi-ckan/charts/ckan/README.md 
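Review bot: `BytecodeTimeout 1000` is in milliseconds, so it gives each bytecode signature one second, which looks lower than the default documented for recent ClamAV releases (to be confirmed for the clamd version in the deployed image). Since PATCH 02 was raising timeouts, the intent was probably a larger budget; a bytecode run that hits the timeout is presumably aborted, so that signature no longer contributes to the verdict. If a longer budget is wanted, give it in milliseconds and say so above the line, e.g. `# Bytecode timeout in milliseconds`. The directive is added to the `General` section while `Bytecode yes` sits under `Results`, and the rest of `clamdConfig` lies outside this hunk.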
@@ -92,7 +92,7 @@ A Helm chart for SDDI enabled CKAN. | ingress.cors.enabled | bool | `true` | Enable/disable [CORS](https://de.wikipedia.org/wiki/Cross-Origin_Resource_Sharing). See [ingress-nginx cors settings](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#enable-cors) for details on CORS configuration and default settings. Use `ingress.annotations` to overwrite the default configuration annotations. | | ingress.domains | list | `[]` | List of [FQDNs](https://de.wikipedia.org/wiki/Fully-Qualified_Host_Name) for this Ingress. Note: All FQDNs will be used for Ingress hosts and TLS certificate. Note: Set `siteUrl` accordingly! | | ingress.enabled | bool | `true` | Enable/disable Ingress. | -| ingress.stickySessions.enabled | bool | `true` | Enable/disable sticks sessions, see [Nginx Ingress Controller Sticky sessions](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/). | +| ingress.stickySessions.enabled | bool | `false` | Enable/disable sticks sessions, see [Nginx Ingress Controller Sticky sessions](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/). | | ingress.stickySessions.sessionCookie.affinityMode | string | `"balanced"` | [Nginx Ingress Controller Sticky sessions](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/) | | ingress.stickySessions.sessionCookie.changeOnFailure | string | `"true"` | [Nginx Ingress Controller Sticky sessions](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/) | | ingress.stickySessions.sessionCookie.maxAge | string | `"172800"` | [Nginx Ingress Controller Sticky sessions](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/) | diff --git a/charts/sddi-ckan/charts/ckan/values.yaml b/charts/sddi-ckan/charts/ckan/values.yaml index 08259d9..f9b7fcb 100644 --- a/charts/sddi-ckan/charts/ckan/values.yaml +++ b/charts/sddi-ckan/charts/ckan/values.yaml 
@@ -98,7 +98,7 @@ ingress: stickySessions: # -- Enable/disable sticks sessions, see # [Nginx Ingress Controller Sticky sessions](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/). - enabled: true + enabled: false sessionCookie: # -- [Nginx Ingress Controller Sticky sessions](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/) affinityMode: "balanced" From c71f52f2b2de7159682546aafb65ae54f0fee8ff Mon Sep 17 00:00:00 2001 From: Ilche Bedelovski Date: Tue, 19 Mar 2024 08:20:49 +0100 Subject: [PATCH 05/14] Ingress configuration snippet headers --- charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml | 4 ++++ charts/sddi-ckan/charts/ckan/values.yaml | 3 +++ 2 files changed, 7 insertions(+) diff --git a/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml b/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml index acc577b..54f5a2a 100644 --- a/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml +++ b/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml @@ -30,6 +30,10 @@ metadata: {{- end }} nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.maxUploadSizeMB }}m" nginx.org/client-max-body-size: "{{ .Values.maxUploadSizeMB }}m" + {{- range .Values.ingress.configurationSnippet }} + nginx.ingress.kubernetes.io/configuration-snippet: | + {{ . | quote }} + {{- end }} {{- if .Values.ingress.stickySessions.enabled }} # https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/ nginx.ingress.kubernetes.io/affinity: "cookie" diff --git a/charts/sddi-ckan/charts/ckan/values.yaml b/charts/sddi-ckan/charts/ckan/values.yaml index ef8179b..c8fda07 100755 --- a/charts/sddi-ckan/charts/ckan/values.yaml +++ b/charts/sddi-ckan/charts/ckan/values.yaml 
@@ -132,6 +132,9 @@ ingress: tls: # -- Specify a custom tls secret name. This overwrites `global.ingress.tls.secretName`. secretName: + configurationSnippet: + - more_set_headers "X-Frame-Options: Deny"; + - more_set_headers "X-XSS-Protection: 1; mode=block"; # General settings # -- CKAN site url. This should match a domain name of CKAN specified in `ingress.domains`/`global.ingress.domains` From e33c0228ed42e3fd36fcba0f3a90db8af296307e Mon Sep 17 00:00:00 2001 From: Ilche Bedelovski Date: Mon, 25 Mar 2024 09:37:53 +0100 Subject: [PATCH 06/14] Ingress configure snippet annotations CSP --- charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml | 5 +---- charts/sddi-ckan/charts/ckan/values.yaml | 8 +++++--- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml b/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml index 54f5a2a..da0149e 100644 --- a/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml +++ b/charts/sddi-ckan/charts/ckan/templates/ckan-ingress.yml @@ -30,10 +30,7 @@ metadata: {{- end }} nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.maxUploadSizeMB }}m" nginx.org/client-max-body-size: "{{ .Values.maxUploadSizeMB }}m" - {{- range .Values.ingress.configurationSnippet }} - nginx.ingress.kubernetes.io/configuration-snippet: | - {{ . | quote }} - {{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: {{- .Values.ingress.configurationSnippet | toYaml | indent 4 }} {{- if .Values.ingress.stickySessions.enabled }} # https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/ nginx.ingress.kubernetes.io/affinity: "cookie" diff --git a/charts/sddi-ckan/charts/ckan/values.yaml b/charts/sddi-ckan/charts/ckan/values.yaml index c8fda07..d5babbe 100755 --- a/charts/sddi-ckan/charts/ckan/values.yaml +++ b/charts/sddi-ckan/charts/ckan/values.yaml 
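Review bot: The `configuration-snippet` annotation is now rendered unconditionally, so an empty or unset `ingress.configurationSnippet` still produces the annotation, and the Ingress only works on a controller that permits snippet annotations. Recent ingress-nginx releases turn `allow-snippet-annotations` off by default because snippets let any Ingress author inject raw nginx configuration, and `more_set_headers` additionally needs the headers-more module, so operators would have to re-enable a risky controller setting just to get these headers. Wrap the line in `{{- with .Values.ingress.configurationSnippet }}` … `{{- end }}` and document the controller requirement, or set the headers through the controller's own header configuration instead. The annotation is only read by the `nginx.ingress.kubernetes.io` controller; the `nginx.org` annotations next to it suggest a second controller is supported, which would get no security headers.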
@@ -132,9 +132,11 @@ ingress: tls: # -- Specify a custom tls secret name. This overwrites `global.ingress.tls.secretName`. secretName: - configurationSnippet: - - more_set_headers "X-Frame-Options: Deny"; - - more_set_headers "X-XSS-Protection: 1; mode=block"; + configurationSnippet: | + more_set_headers "X-Frame-Options: DENY"; + more_set_headers "X-Xss-Protection: 0"; + more_set_headers "X-Content-Type-Options: nosniff"; + more_set_headers "Content-Security-Policy: default-src 'self'; object-src 'none'; child-src 'self'; frame-ancestors 'none'; base-uri 'none'; upgrade-insecurerequests; blockall-mixed-content; require-trustedtypes-for 'script'"; # General settings # -- CKAN site url. This should match a domain name of CKAN specified in `ingress.domains`/`global.ingress.domains` From 1d39a07821902d291ae4591c9910a7c520606959 Mon Sep 17 00:00:00 2001 From: Ilche Bedelovski Date: Sat, 20 Apr 2024 20:47:20 +0200 Subject: [PATCH 07/14] Ingress configuration snippet CSP update --- charts/sddi-ckan/charts/ckan/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/sddi-ckan/charts/ckan/values.yaml b/charts/sddi-ckan/charts/ckan/values.yaml index d5babbe..9b7df36 100755 --- a/charts/sddi-ckan/charts/ckan/values.yaml +++ b/charts/sddi-ckan/charts/ckan/values.yaml 
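Review bot: Three directive names in the `Content-Security-Policy` value are misspelled — `upgrade-insecurerequests`, `blockall-mixed-content` and `require-trustedtypes-for` — and browsers ignore unknown directives, so none of the three takes effect. The intended names are `upgrade-insecure-requests`, `block-all-mixed-content` and `require-trusted-types-for`; the same misspellings are carried into the PATCH 07 hunk and into the README default added in PATCH 08. Correcting the last one starts enforcing Trusted Types, which is likely to break CKAN's existing scripts unless they were written for it, so it should be tested or left out deliberately. The new `configurationSnippet` value also has no `# --` comment, which is why its README row has no description.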
@@ -136,7 +136,7 @@ ingress: more_set_headers "X-Frame-Options: DENY"; more_set_headers "X-Xss-Protection: 0"; more_set_headers "X-Content-Type-Options: nosniff"; - more_set_headers "Content-Security-Policy: default-src 'self'; object-src 'none'; child-src 'self'; frame-ancestors 'none'; base-uri 'none'; upgrade-insecurerequests; blockall-mixed-content; require-trustedtypes-for 'script'"; + more_set_headers "Content-Security-Policy: object-src 'none'; child-src 'self'; frame-ancestors 'none'; base-uri 'none'; upgrade-insecurerequests; blockall-mixed-content; require-trustedtypes-for 'script'"; # General settings # -- CKAN site url. This should match a domain name of CKAN specified in `ingress.domains`/`global.ingress.domains` From ea436844c84adff187001823f2d6104e22396dc5 Mon Sep 17 00:00:00 2001 From: Ilche Bedelovski Date: Sun, 21 Apr 2024 18:57:25 +0200 Subject: [PATCH 08/14] Release 3.0.1 - 2.1.2 --- CHANGELOG.md | 13 +++++++++++++ charts/sddi-ckan/Chart.yaml | 4 ++-- charts/sddi-ckan/README.md | 6 ++++-- charts/sddi-ckan/charts/certIssuer/README.md | 2 ++ charts/sddi-ckan/charts/ckan/README.md | 7 +++++++ charts/sddi-ckan/charts/datapusher/README.md | 2 ++ charts/sddi-ckan/charts/postgis/README.md | 2 ++ charts/sddi-ckan/charts/redis/README.md | 2 ++ charts/sddi-ckan/charts/solr/README.md | 2 ++ 9 files changed, 36 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2997940..121b866 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
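Review bot: Dropping `default-src 'self'` leaves the policy with no `script-src`, no `style-src` and no fallback, so it no longer restricts where scripts are loaded from and gives no protection against injected script. If `default-src 'self'` broke pages that load assets from other origins, list those origins instead of removing the directive, e.g. `default-src 'self'; script-src 'self' CDN_ORIGIN_PLACEHOLDER;` with the placeholder replaced by the origins CKAN really uses. Sending the stricter policy in a `Content-Security-Policy-Report-Only` header first is a way to find those origins without breaking the site.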
@@ -8,6 +8,18 @@ Versions are prefixed with `sddi-ckan-` due to usage of [chart-releaser-action](https://github.com/helm/chart-releaser-action). For releases `< 1.0.0` minor version step indicate breaking changes. +## [sddi-ckan-3.0.1] - 2024-04-21 + +## Added + +- ClamAV service. tum-gis/sddi-ckan-k8s#38 +- Ingress security headers. tum-gis/sddi-ckan-k8s#37 + +### Changed + +- Limits and requests for the CKAN StatefulSet +- New Docker release 2.1.2 where the ClamAV extension is installed https://github.com/tum-gis/ckan-docker/pull/59 + ## [sddi-ckan-3.0.0] - 2024-03-22 ## Added @@ -375,6 +387,7 @@ is displayed when navigating to the _Datasets_ view of CKAN. [Unreleased]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-3.0.0...HEAD +[sddi-ckan-3.0.0]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-2.1.2...sddi-ckan-3.0.1 [sddi-ckan-3.0.0]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-2.0.0...sddi-ckan-3.0.0 [sddi-ckan-2.0.0]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-1.2.2...sddi-ckan-2.0.0 [sddi-ckan-1.2.2]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-1.2.1...sddi-ckan-1.2.2 diff --git a/charts/sddi-ckan/Chart.yaml b/charts/sddi-ckan/Chart.yaml index 213e34a..7eefc9a 100644 --- a/charts/sddi-ckan/Chart.yaml +++ b/charts/sddi-ckan/Chart.yaml @@ -10,8 +10,8 @@ sources: - https://www.asg.ed.tum.de/en/gis/projects/smart-district-data-infrastructure - https://github.com/tum-gis/ckan-docker -version: 3.0.0 -appVersion: "2.0.0" +version: 3.0.1 +appVersion: "2.1.2" kubeVersion: ">= 1.23.0-0" maintainers: diff --git a/charts/sddi-ckan/README.md b/charts/sddi-ckan/README.md index b06ba8a..ad89d28 100644 --- a/charts/sddi-ckan/README.md +++ b/charts/sddi-ckan/README.md 
@@ -30,8 +30,8 @@ Kubernetes: `>= 1.23.0-0` | | postgis | * | | | redis | * | | | solr | * | -| https://charts.jetstack.io | cert-manager(cert-manager) | ~1.11.0 | -| https://kubernetes.github.io/ingress-nginx | ingress-nginx(ingress-nginx) | ~4.4.0 | +| https://charts.jetstack.io | cert-manager(cert-manager) | ^1 | +| https://kubernetes.github.io/ingress-nginx | ingress-nginx(ingress-nginx) | ^4 | | https://wiremind.github.io/wiremind-helm-charts | clamav | ~2.8.0 | | oci://registry-1.docker.io/bitnamicharts | common | 2.x.x | @@ -84,3 +84,5 @@ Kubernetes: `>= 1.23.0-0` | redis.enabled | bool | `true` | Enable/disable Redis instance. Disable, if an external Redis instance is used. | | solr.enabled | bool | `true` | Enable/disable Apache Solr instance. Disable, if an external Solr instance is used. | +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/charts/sddi-ckan/charts/certIssuer/README.md b/charts/sddi-ckan/charts/certIssuer/README.md index 9a866b1..804e380 100644 --- a/charts/sddi-ckan/charts/certIssuer/README.md +++ b/charts/sddi-ckan/charts/certIssuer/README.md @@ -12,3 +12,5 @@ Namespace Issuers for CertManager. | enabled | bool | `true` | Enable/disable namespace [Issuers](https://cert-manager.io/docs/concepts/issuer/) for CertManager. | | issuerEmail | string | `"example@email.com"` | eMail address for registration with Let's Encrypt account. Note: This is overwritten by `global.ingress.certManager.issuerEmail`, if set. | +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/charts/sddi-ckan/charts/ckan/README.md b/charts/sddi-ckan/charts/ckan/README.md index f779915..ef8d779 100644 --- a/charts/sddi-ckan/charts/ckan/README.md +++ b/charts/sddi-ckan/charts/ckan/README.md 
@@ -92,6 +92,7 @@ A Helm chart for SDDI enabled CKAN. | ingress.certManager.issuerName | string | `"letsencrypt-staging"` | Name of the Issuer to use. For certManager.type = namespace `letsencrypt-staging`, `letsencrypt-prod` and `self-signed` are available. | | ingress.certManager.issuerType | string | `"namespace"` | Type of [cert-manager](https://cert-manager.io/docs/) Issuer: Use either "namespace" or "cluster". | | ingress.className | string | `"nginx"` | Name of the [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use in Ingress routes. | +| ingress.configurationSnippet | string | `"more_set_headers \"X-Frame-Options: DENY\";\nmore_set_headers \"X-Xss-Protection: 0\";\nmore_set_headers \"X-Content-Type-Options: nosniff\";\nmore_set_headers \"Content-Security-Policy: object-src 'none'; child-src 'self'; frame-ancestors 'none'; base-uri 'none'; upgrade-insecurerequests; blockall-mixed-content; require-trustedtypes-for 'script'\";\n"` | | | ingress.cors.enabled | bool | `true` | Enable/disable [CORS](https://de.wikipedia.org/wiki/Cross-Origin_Resource_Sharing). See [ingress-nginx cors settings](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#enable-cors) for details on CORS configuration and default settings. Use `ingress.annotations` to overwrite the default configuration annotations. | | ingress.domains | list | `[]` | List of [FQDNs](https://de.wikipedia.org/wiki/Fully-Qualified_Host_Name) for this Ingress. Note: All FQDNs will be used for Ingress hosts and TLS certificate. Note: Set `siteUrl` accordingly! | | ingress.enabled | bool | `true` | Enable/disable Ingress. | 
@@ -137,6 +138,10 @@ A Helm chart for SDDI enabled CKAN. | redis.url | string | `"redis://redis-hl:6379/0"` | Redis endpoint for CKAN. This should be set to cluster internal Redis service domain. [CKAN configuration Redis](https://docs.ckan.org/en/latest/maintaining/configuration.html#redis-settings) | | replicaCount | int | `1` | Number of replicas. Only used if `autoscaling.enabled = false`. **Note:** Running multiple replicas requires to enable persistent data storage (`persistence.enabled = true`) and, if Pods run on different nodes, a storage that supports RWX. | | resources | object | `{}` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| resources.limits.cpu | string | `"500m"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| resources.limits.memory | string | `"1Gi"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| resources.requests.cpu | string | `"250m"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| resources.requests.memory | string | `"256Mi"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | sddiInitDataJson | string | `"init_data.json"` | Local path or URL to File path or URL to [CKAN SDDI `init_data.json`](https://github.com/tum-gis/ckanext-grouphierarchy-sddi/blob/main/ckanext/grouphierarchy/init_data.json). This file allows to specify pre-defined set of SDDI CKAN main categories, topics, and organizations. | | securityContext | object | `{}` | [k8s: Security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | service.port | int | `5000` | Service port for http | 
@@ -184,3 +189,5 @@ A Helm chart for SDDI enabled CKAN. | volumes | list | See [`values.yml`](values.yml) for the list of default volumes. | Sets [`volumes`](https://kubernetes.io/docs/concepts/storage/volumes). Set to `[]` to disable the default volumes. Set to any list of volume definitions to overwrite the default volumes. Use `extraVolumes` to extend the default volumes. | | webassets.path | string | `nil` | Webassets storage path, see [CKAN webassets settings](https://docs.ckan.org/en/latest/maintaining/configuration.html#webassets-settings) This should point to the location of webassets in the CKAN image. The path may vary depending on the CKAN Docker image used. | +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/charts/sddi-ckan/charts/datapusher/README.md b/charts/sddi-ckan/charts/datapusher/README.md index dacaa0d..9402985 100644 --- a/charts/sddi-ckan/charts/datapusher/README.md +++ b/charts/sddi-ckan/charts/datapusher/README.md @@ -65,3 +65,5 @@ A Helm chart for CKAN Datapusher. | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | tolerations | list | `[]` | [k8S: Taints and tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/charts/sddi-ckan/charts/postgis/README.md b/charts/sddi-ckan/charts/postgis/README.md index a0e070f..e77f529 100644 --- a/charts/sddi-ckan/charts/postgis/README.md +++ b/charts/sddi-ckan/charts/postgis/README.md 
@@ -66,3 +66,5 @@ A Helm chart for sa simple PostGIS database pre-configured for CKAN. | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | tolerations | list | `[]` | [k8S: Taints and tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/charts/sddi-ckan/charts/redis/README.md b/charts/sddi-ckan/charts/redis/README.md index 5f38c49..f113c61 100644 --- a/charts/sddi-ckan/charts/redis/README.md +++ b/charts/sddi-ckan/charts/redis/README.md @@ -55,3 +55,5 @@ A Helm chart for basic Redis for use with CKAN. | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | tolerations | list | `[]` | [k8S: Taints and tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/charts/sddi-ckan/charts/solr/README.md b/charts/sddi-ckan/charts/solr/README.md index db0dbc3..beca0ac 100644 --- a/charts/sddi-ckan/charts/solr/README.md +++ b/charts/sddi-ckan/charts/solr/README.md 
@@ -50,3 +50,5 @@ A Helm chart for Solr pre-configured for CKAN and ckanext-spatial. | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | tolerations | list | `[]` | [k8S: Taints and tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) From fe4da8b7bce2cfae8eb43d74aad3cbe25e0dff0c Mon Sep 17 00:00:00 2001 From: Ilche Bedelovski Date: Mon, 22 Apr 2024 14:15:19 +0200 Subject: [PATCH 09/14] Prepare beta release helm chart for version 3.1.0 --- CHANGELOG.md | 4 ++-- charts/sddi-ckan/Chart.yaml | 2 +- charts/sddi-ckan/charts/ckan/Chart.yaml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 121b866..b591f04 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,7 +8,7 @@ Versions are prefixed with `sddi-ckan-` due to usage of [chart-releaser-action](https://github.com/helm/chart-releaser-action). For releases `< 1.0.0` minor version step indicate breaking changes. -## [sddi-ckan-3.0.1] - 2024-04-21 +## [sddi-ckan-3.1.0] - 2024-04-21 ## Added @@ -387,7 +387,7 @@ is displayed when navigating to the _Datasets_ view of CKAN. [Unreleased]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-3.0.0...HEAD -[sddi-ckan-3.0.0]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-2.1.2...sddi-ckan-3.0.1 +[sddi-ckan-3.0.0]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-2.1.2...sddi-ckan-3.1.0 [sddi-ckan-3.0.0]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-2.0.0...sddi-ckan-3.0.0 [sddi-ckan-2.0.0]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-1.2.2...sddi-ckan-2.0.0 [sddi-ckan-1.2.2]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-1.2.1...sddi-ckan-1.2.2 
diff --git a/charts/sddi-ckan/Chart.yaml b/charts/sddi-ckan/Chart.yaml index 7eefc9a..d067d10 100644 --- a/charts/sddi-ckan/Chart.yaml +++ b/charts/sddi-ckan/Chart.yaml @@ -10,7 +10,7 @@ sources: - https://www.asg.ed.tum.de/en/gis/projects/smart-district-data-infrastructure - https://github.com/tum-gis/ckan-docker -version: 3.0.1 +version: 3.1.0 appVersion: "2.1.2" kubeVersion: ">= 1.23.0-0" diff --git a/charts/sddi-ckan/charts/ckan/Chart.yaml b/charts/sddi-ckan/charts/ckan/Chart.yaml index 2e3b466..84457e8 100644 --- a/charts/sddi-ckan/charts/ckan/Chart.yaml +++ b/charts/sddi-ckan/charts/ckan/Chart.yaml @@ -9,8 +9,8 @@ sources: - https://github.com/tum-gis/ckan-docker - https://github.com/keitaroinc/docker-ckan -version: 3.0.1 -appVersion: "2.0.0" +version: 3.1.0 +appVersion: "2.1.2" maintainers: - email: b.willenborg@tum.de From aa14b695632ec4c5cdd08a4f704cb12e5f8086b4 Mon Sep 17 00:00:00 2001 From: Ilche Bedelovski Date: Mon, 22 Apr 2024 14:20:36 +0200 Subject: [PATCH 10/14] Prepare beta release helm chart for version 3.1.0-beta1 --- charts/sddi-ckan/Chart.yaml | 2 +- charts/sddi-ckan/charts/ckan/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/sddi-ckan/Chart.yaml b/charts/sddi-ckan/Chart.yaml index d067d10..00bcd45 100644 --- a/charts/sddi-ckan/Chart.yaml +++ b/charts/sddi-ckan/Chart.yaml @@ -10,7 +10,7 @@ sources: - https://www.asg.ed.tum.de/en/gis/projects/smart-district-data-infrastructure - https://github.com/tum-gis/ckan-docker -version: 3.1.0 +version: "3.1.0-beta1" appVersion: "2.1.2" kubeVersion: ">= 1.23.0-0" diff --git a/charts/sddi-ckan/charts/ckan/Chart.yaml b/charts/sddi-ckan/charts/ckan/Chart.yaml index 84457e8..47a20dd 100644 --- a/charts/sddi-ckan/charts/ckan/Chart.yaml +++ b/charts/sddi-ckan/charts/ckan/Chart.yaml @@ -9,7 +9,7 @@ sources: - https://github.com/tum-gis/ckan-docker - https://github.com/keitaroinc/docker-ckan -version: 3.1.0 +version: "3.1.0-beta1" appVersion: "2.1.2" maintainers: 
From 80ad5cfecebb907d8ddc71787a78ef84125bf0b3 Mon Sep 17 00:00:00 2001 From: Bruno Willenborg Date: Mon, 22 Apr 2024 15:15:12 +0200 Subject: [PATCH 11/14] Update docs --- charts/sddi-ckan/README.md | 2 +- charts/sddi-ckan/charts/ckan/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/sddi-ckan/README.md b/charts/sddi-ckan/README.md index ad89d28..89344fb 100644 --- a/charts/sddi-ckan/README.md +++ b/charts/sddi-ckan/README.md @@ -1,6 +1,6 @@ # sddi-ckan -![Version: 3.0.0](https://img.shields.io/badge/Version-3.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square) +![Version: 3.1.0-beta1](https://img.shields.io/badge/Version-3.1.0--beta1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.1.2](https://img.shields.io/badge/AppVersion-2.1.2-informational?style=flat-square) Helm Chart for a SDDI enabled CKAN catalog. See [CHANGELOG](https://github.com/tum-gis/sddi-ckan-k8s/blob/main/CHANGELOG.md) for changes. diff --git a/charts/sddi-ckan/charts/ckan/README.md b/charts/sddi-ckan/charts/ckan/README.md index ef8d779..5f17857 100644 --- a/charts/sddi-ckan/charts/ckan/README.md +++ b/charts/sddi-ckan/charts/ckan/README.md 
@@ -1,6 +1,6 @@ # ckan -![Version: 3.0.1](https://img.shields.io/badge/Version-3.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square) +![Version: 3.1.0-beta1](https://img.shields.io/badge/Version-3.1.0--beta1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.1.2](https://img.shields.io/badge/AppVersion-2.1.2-informational?style=flat-square) A Helm chart for SDDI enabled CKAN. From 9b86c252510d7f7a8872ed2dca52e265ced617bd Mon Sep 17 00:00:00 2001 From: Bruno Willenborg Date: Mon, 22 Apr 2024 15:22:40 +0200 Subject: [PATCH 12/14] Update changelog --- CHANGELOG.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b591f04..6e3b5ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,17 +8,19 @@ Versions are prefixed with `sddi-ckan-` due to usage of [chart-releaser-action](https://github.com/helm/chart-releaser-action). For releases `< 1.0.0` minor version step indicate breaking changes. -## [sddi-ckan-3.1.0] - 2024-04-21 +## [sddi-ckan-3.1.0-beta1] - 2024-04-22 ## Added -- ClamAV service. tum-gis/sddi-ckan-k8s#38 +- ClamAV service for virus scanning of uploaded files. tum-gis/sddi-ckan-k8s#38 - Ingress security headers. tum-gis/sddi-ckan-k8s#37 ### Changed -- Limits and requests for the CKAN StatefulSet -- New Docker release 2.1.2 where the ClamAV extension is installed https://github.com/tum-gis/ckan-docker/pull/59 +- Limits and requests for the CKAN StatefulSet. +- - Bump SDDI CKAN Image `2.0.0` --> `2.1.2`, see + [CHANGELOG](https://github.com/tum-gis/ckan-docker/blob/2.0.0/CHANGELOG.md) for more. + - Adds ClamAV extension. ## [sddi-ckan-3.0.0] - 2024-03-22 
@@ -387,7 +389,7 @@ is displayed when navigating to the _Datasets_ view of CKAN. [Unreleased]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-3.0.0...HEAD -[sddi-ckan-3.0.0]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-2.1.2...sddi-ckan-3.1.0 +[sddi-ckan-3.1.0-beta1]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-3.0.0...sddi-ckan-3.1.0-beta1 [sddi-ckan-3.0.0]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-2.0.0...sddi-ckan-3.0.0 [sddi-ckan-2.0.0]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-1.2.2...sddi-ckan-2.0.0 [sddi-ckan-1.2.2]: https://github.com/tum-gis/sddi-ckan-k8s/compare/sddi-ckan-1.2.1...sddi-ckan-1.2.2 From 519a60d9861f75d83947ec0d0465e0a636510e61 Mon Sep 17 00:00:00 2001 From: Bruno Willenborg Date: Mon, 22 Apr 2024 15:24:31 +0200 Subject: [PATCH 13/14] Re-add vs code settings --- .vscode/settings.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 .vscode/settings.json diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000..112e739 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,6 @@ +{ + "markdownlint.config": { + "default": true, + "MD024": false + } +} From e4a14ef36bbfcccfaaa1943b559fbd17832d2c2e Mon Sep 17 00:00:00 2001 From: Ilche Bedelovski Date: Mon, 22 Apr 2024 21:21:34 +0200 Subject: [PATCH 14/14] Document ClamAV chart settings --- charts/sddi-ckan/charts/ckan/README.md | 11 +++++------ charts/sddi-ckan/charts/ckan/values.yaml | 7 +++++-- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/charts/sddi-ckan/charts/ckan/README.md b/charts/sddi-ckan/charts/ckan/README.md index 5f17857..a792b6b 100644 --- a/charts/sddi-ckan/charts/ckan/README.md +++ b/charts/sddi-ckan/charts/ckan/README.md 
@@ -49,11 +49,11 @@ A Helm chart for SDDI enabled CKAN. | autoscaling.targetCPUUtilizationPercentage | string | `nil` | [HorizontalPodAutoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/). | | autoscaling.targetMemoryUtilizationPercentage | string | `nil` | [HorizontalPodAutoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/). | | backgroundImage | string | `"../base/images/hero.jpg"` | Set URL or path to [CKAN SDDI background image](https://github.com/tum-gis/ckanext-grouphierarchy-sddi#personalisation). | -| clamav.enabled | bool | `true` | | -| clamav.host | string | `"clamav"` | | -| clamav.port | int | `3310` | | -| clamav.timeout | int | `360` | | -| clamav.uploadUnscanned | string | `"False"` | | +| clamav.enabled | bool | `true` | [CKAN config enable ClamAV] | +| clamav.host | string | `"clamav"` | [CKAN config ClamAV host] | +| clamav.port | int | `3310` | [CKAN config ClamAV port] | +| clamav.timeout | int | `360` | [CKAN config ClamAV connection timeout] | +| clamav.uploadUnscanned | string | `"False"` | [CKAN config ClamAV upload unscanned files] | | component | string | `"ckan"` | Role of CKAN in this chart | | datapusher.apiToken | string | `nil` | Datapusher API token, see [CKAN Datapusher settings](https://docs.ckan.org/en/latest/maintaining/configuration.html#datapusher-settings) | | datapusher.callback_url_base | string | `"http://ckan:5000/"` | This should be set to cluster internal ckan service domain. [CKAN DataPusher settings](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-datapusher-callback-url-base) | 
@@ -137,7 +137,6 @@ A Helm chart for SDDI enabled CKAN. | readiness.timeoutSeconds | int | `10` | Timeout interval for the liveness probe | | redis.url | string | `"redis://redis-hl:6379/0"` | Redis endpoint for CKAN. This should be set to cluster internal Redis service domain. [CKAN configuration Redis](https://docs.ckan.org/en/latest/maintaining/configuration.html#redis-settings) | | replicaCount | int | `1` | Number of replicas. Only used if `autoscaling.enabled = false`. **Note:** Running multiple replicas requires to enable persistent data storage (`persistence.enabled = true`) and, if Pods run on different nodes, a storage that supports RWX. | -| resources | object | `{}` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | resources.limits.cpu | string | `"500m"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | resources.limits.memory | string | `"1Gi"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | resources.requests.cpu | string | `"250m"` | [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | diff --git a/charts/sddi-ckan/charts/ckan/values.yaml b/charts/sddi-ckan/charts/ckan/values.yaml index 74dcf92..b28d5a9 100755 --- a/charts/sddi-ckan/charts/ckan/values.yaml +++ b/charts/sddi-ckan/charts/ckan/values.yaml @@ -499,10 +499,15 @@ activityStreams: emailNotifications: True clamav: + # -- [CKAN config enable ClamAV] enabled: true + # -- [CKAN config ClamAV upload unscanned files] uploadUnscanned: "False" + # -- [CKAN config ClamAV host] host: clamav + # -- [CKAN config ClamAV port] port: 3310 + # -- [CKAN config ClamAV connection timeout] timeout: 360 resources: 
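Review bot: The helm-docs comments added to the `clamav:` block in `values.yaml` are bracketed labels such as `# -- [CKAN config ClamAV upload unscanned files]`, which render as unresolved Markdown reference links and do not tell an operator what each value does. `uploadUnscanned` is the security-relevant one: its comment should state what happens to an upload when the scanner is unreachable or the `timeout` expires, for example `# -- Accept uploads that could not be scanned (ClamAV unreachable or timed out). Keep "False" to reject them.`, with the wording checked against the extension's actual behaviour. The value is also a quoted string while `enabled` is a YAML boolean, so a short comment saying the string form is intended would stop someone passing an unquoted `false`.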
@@ -517,8 +522,6 @@ resources: # -- [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) memory: 256Mi -# -- [k8s: Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) -resources: {} # -- [k8s: Assign pods to nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) nodeSelector: {} # -- [k8S: Taints and tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)