This chart deploys Runecast Analyzer with an nginx frontend proxy and a PostgreSQL backend. For more information about Runecast Analyzer, please visit the Runecast website.
To install Runecast Analyzer with the default settings, follow these steps:
Add Runecast Helm repository to Helm repository list:
helm repo add runecast https://helm.runecast.com/charts
Install Runecast Analyzer:
helm upgrade --install runecast-analyzer runecast/runecast-analyzer
OS analysis in Runecast Analyzer requires additional components to be installed. If they were installed by default, they would waste resources for users who do not use this feature.
Therefore, in a K8s deployment, additional steps are needed besides the standard OS analysis configuration process. To deploy the application:
Prepare a hostname (FQDN or IP address) that the OS agents will use to reach the OS analysis service. The hostname should lead to the OS analysis service, which can be exposed on the nodes as a NodePort, or as a LoadBalancer if an external load balancer is used.
Deploy the application using the Helm chart with the value global.osanalysis.enabled set to true and the hostname specified in global.osanalysis.hostname.
To configure the OS analysis, continue in the application. Use the hostname from the previous step in the Runecast Address field.
Please see the Examples below for more information.
To modify the deployment, please use a values.yaml file with the required changes or set the individual values directly on the command line. The list of values can be found in the section List of values or displayed by running the following command:
helm show values runecast/runecast-analyzer
To find more information about changing deployment values, please see the Values Files section of the Helm User Guide.
Using ingress with SSL termination
The following example shows how to deploy the application and expose it via an Nginx ingress with SSL termination.
Create the secret runecast-analyzer-ingress-tls from the key and the certificate:
kubectl create secret tls runecast-analyzer-ingress-tls --key </path/to/key_file> --cert </path/to/cert_file>
To create a self-signed certificate for testing, you can use the following command:
openssl req -x509 -nodes -newkey rsa:4096 -days 365 -keyout </path/to/key_file> -out </path/to/cert_file> -subj "/CN=localhost"
Create the my-values.yaml file with the following content:
nginx:
  ingress:
    enabled: true
    hosts:
      - host: rca.local.domain
        paths:
          - /
    tls:
      - secretName: runecast-analyzer-ingress-tls
        hosts:
          - rca.local.domain
Install the application providing the custom my-values.yaml file:
helm upgrade --install runecast-analyzer runecast/runecast-analyzer -f my-values.yaml
Running without persistent data
By default, the application is installed with Persistent Volumes. If you would like to test the application without persisting data, you can simply disable persistent storage by setting the respective values:
helm upgrade --install runecast-analyzer runecast/runecast-analyzer --set persistence.enabled=false --set postgresql.persistence.enabled=false --set imagescanning.persistence.enabled=false
Exposing the application via a LoadBalancer service on a secure port with a custom certificate
Create the secret runecast-analyzer-certificate from the key and the certificate:
kubectl create secret tls runecast-analyzer-certificate --key </path/to/key_file> --cert </path/to/cert_file>
Install the application providing the custom values on the command line:
helm upgrade --install runecast-analyzer runecast/runecast-analyzer --set nginx.service.type="LoadBalancer" --set nginx.service.tls.enabled=true --set nginx.service.tls.existingSecretName="runecast-analyzer-certificate"
Installing with OS analysis enabled
Prepare a hostname that will point to the OS analysis service. The service can be exposed via NodePort on the nodes or via LoadBalancer if an external load balancer is used. The default is a service of type NodePort with the port set to 31443. To change it, please see the fleet.service values.
Deploy the application with OS analysis enabled:
helm upgrade --install runecast-analyzer runecast/runecast-analyzer --set global.osanalysis.enabled=true --set global.osanalysis.hostname="example.cluster.k8s"
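The ingress, LoadBalancer TLS and OS analysis examples above each depend on values that must be set together (a TLS secret for the ingress hosts, loadBalancerIP for a LoadBalancer fleet service, a hostname whenever OS analysis is enabled). The following Python script is an added example, not part of the chart or its README: it lints a values dict plus `--set` strings against those rules before `helm upgrade --install` is run. Its `--set` parser is a simplified, hypothetical one and the sample values are constructed from the ingress example.

```python
"""Pre-flight linter for runecast-analyzer values: an added example, not the chart's own code.
Input is a nested dict (a parsed values.yaml) plus `--set` strings; the parser is simplified."""

def apply_set(values, arg):
    """Apply one `--set a.b.c=value` string in place, with Helm-like typing of the value."""
    key, _, raw = arg.partition("=")
    raw = raw.strip('"')
    if raw.lower() in ("true", "false"):
        val = raw.lower() == "true"
    else:
        val = int(raw) if raw.isdigit() else raw
    parts, node = key.split("."), values
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = val
    return values

def get(values, path, default=None):
    # Look up a dotted path such as "nginx.service.tls.enabled"; missing keys give the default.
    node = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def lint(values):
    """Return a list of (severity, message); an empty list means ready to install."""
    findings = []
    # OS analysis: the agents reach the fleet service only through this hostname.
    if get(values, "global.osanalysis.enabled") and not get(values, "global.osanalysis.hostname"):
        findings.append(("error", "global.osanalysis.hostname is required when global.osanalysis.enabled=true"))
    if get(values, "fleet.service.type") == "LoadBalancer" and not get(values, "fleet.service.loadBalancerIP"):
        findings.append(("error", "fleet.service.loadBalancerIP must be set when fleet.service.type=LoadBalancer"))
    # Ingress TLS: every entry needs a secret and may only cover hosts the ingress serves.
    if get(values, "nginx.ingress.enabled"):
        served = {h.get("host") for h in get(values, "nginx.ingress.hosts", [])}
        if not served:
            findings.append(("error", "nginx.ingress.enabled=true but nginx.ingress.hosts is empty"))
        for entry in get(values, "nginx.ingress.tls", []):
            if not entry.get("secretName"):
                findings.append(("error", "nginx.ingress.tls entry has no secretName"))
            findings += [("error", f"TLS host {h} is not in nginx.ingress.hosts")
                         for h in entry.get("hosts", []) if h not in served]
    # Service TLS: reject protocol versions older than TLS 1.2 (deprecated by RFC 8996).
    if get(values, "nginx.service.tls.enabled"):
        protocols = get(values, "nginx.service.tls.ssl_protocols", "TLSv1.3 TLSv1.2;").rstrip(";").split()
        weak = [p for p in protocols if p in ("SSLv3", "TLSv1", "TLSv1.1")]
        if weak:
            findings.append(("error", f"nginx.service.tls.ssl_protocols allows deprecated {' '.join(weak)}"))
    # Persistence off is meant for testing only; flag it so it does not reach production by accident.
    for sub in ("persistence", "postgresql.persistence", "imagescanning.persistence"):
        if get(values, f"{sub}.enabled") is False:
            findings.append(("warning", f"{sub}.enabled=false: data will not survive pod restarts"))
    return findings

def sample_values():
    """Constructed sample: the README's ingress my-values.yaml plus two incomplete --set flags."""
    values = {"nginx": {"ingress": {"enabled": True,
        "hosts": [{"host": "rca.local.domain", "paths": ["/"]}],
        "tls": [{"secretName": "runecast-analyzer-ingress-tls", "hosts": ["rca.local.domain"]}]}}}
    for arg in ("global.osanalysis.enabled=true", "fleet.service.type=LoadBalancer"):
        apply_set(values, arg)
    return values
```

Calling `lint(sample_values())` reports two errors (missing global.osanalysis.hostname and missing fleet.service.loadBalancerIP); adding both values makes the list empty.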
Global values and Runecast
| Value | Default | Description |
|---|---|---|
| global.imageRepository | public.ecr.aws/runecast | The repository to pull the images from, applicable to all subcharts. |
| global.runecastAnalyzerServiceName | runecast-analyzer | Runecast Analyzer app service name, which cannot be overridden by the nameOverride and fullnameOverride values. The value is required in the nginx subchart and, because of a Helm limitation, a global value is used. |
| global.osanalysis.enabled | false | Deploy the OS analysis components. |
| global.osanalysis.hostname | | Specify a hostname that can be used to reach the K8s nodes where the OS analysis service is running. |
| global.imagescanning.enabled | true | Enable the image scanning/validation webhook functionality. |
| global.proxy | "" | Set a proxy server to use for connections to ecosystems, knowledge definition updates and container image registries, in the form of ‘http:// |
| global.podLabels | {} | Set additional labels to attach to all pods. |
| image.repository | "" | The repository to pull the application and busybox images from, overrides the global value. |
| image.tag | "" | The application image tag whose default is the chart appVersion. |
| image.busyboxTag | "1.35.0" | Sets the busybox image tag. |
| imagePullPolicy | Always | Kubelet image pull policy. |
| imagePullSecrets | [] | List of secrets to use when pulling the image. |
| nameOverride | "" | Override the objects’ names, using the release name as a prefix. |
| fullnameOverride | "" | Override the whole objects’ names (release name not used as a prefix). |
| serviceAccount.annotations | {} | Annotations to add to the service account. |
| serviceAccount.name | "" | The name of the service account to use. If not set and create is true, a name is generated using the name template. |
| podAnnotations | {} | Annotations to add to the pod. |
| podLabels | {} | Additional labels to attach to the pod, overrides the global.podLabels value. |
| service.type | ClusterIP | Kubernetes service type. |
| service.port | 8080 | Kubernetes service port. |
| resources.requests.cpu | "1" | CPU requests. |
| resources.requests.memory | 2Gi | Memory requests. |
| resources.limits.cpu | "2" | CPU limits. |
| resources.limits.memory | 3Gi | Memory limits. |
| persistence.enabled | true | Specifies whether to enable data persistence. |
| persistence.annotations | {} | Specifies the persistent volume objects’ annotations. |
| persistence.size | 10Gi | The size of the persistent volume. |
| persistence.storageClass | "" | Use a specific storage class. If not specified, the default is used. |
| persistence.accessModes | [ReadWriteOnce] | Specifies the storage access modes, storage provider dependent. |
| nodeSelector | {} | Allows scheduling the pod on specific nodes. |
| affinity | {} | Allows more control over scheduling the pod on specific nodes. |
| tolerations | [] | Another way of controlling where the pod will be scheduled. |
Database backend (PostgreSQL)
| Value | Default | Description |
|---|---|---|
| postgresql.image.repository | "" | The repository to pull the PostgreSQL and busybox images from, overrides the global value. |
| postgresql.image.tag | "" | Overrides the PostgreSQL image tag whose default is the subchart appVersion. |
| postgresql.image.busyboxTag | "1.35.0" | Sets the busybox image tag. |
| postgresql.imagePullPolicy | Always | Kubelet image pull policy. |
| postgresql.imagePullSecrets | [] | List of secrets to use when pulling the image. |
| postgresql.nameOverride | "" | Override the objects’ names, using the release name as a prefix. |
| postgresql.fullnameOverride | "" | Override the whole objects’ names (release name not used as a prefix). |
| postgresql.serviceAccount.create | true | Specifies whether a service account should be created (the namespace default account is used if set to false). |
| postgresql.serviceAccount.annotations | {} | Annotations to add to the service account. |
| postgresql.serviceAccount.name | "" | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| postgresql.podAnnotations | {} | Annotations to add to the pod. |
| postgresql.podLabels | {} | Additional labels to attach to the pod, overrides the global.podLabels value. |
| postgresql.service.type | ClusterIP | Kubernetes service type. |
| postgresql.service.port | 5432 | Kubernetes service port. |
| postgresql.resources.requests.cpu | 100m | CPU requests. |
| postgresql.resources.requests.memory | 150M | Memory requests. |
| postgresql.resources.limits.cpu | "1" | CPU limits. |
| postgresql.resources.limits.memory | 500M | Memory limits. |
| postgresql.persistence.enabled | true | Specifies whether to enable data persistence. |
| postgresql.persistence.annotations | {} | Specifies the persistent volume objects’ annotations. |
| postgresql.persistence.size | 10G | The size of the persistent volume. |
| postgresql.persistence.storageClass | "" | Use a specific storage class. If not specified, the default is used. |
| postgresql.persistence.accessModes | [ReadWriteOnce] | Specifies the storage access modes, storage provider dependent. |
| postgresql.nodeSelector | {} | Allows scheduling the pod on specific nodes. |
| postgresql.affinity | {} | Allows more control over scheduling the pod on specific nodes. |
| postgresql.tolerations | [] | Another way of controlling where the pod will be scheduled. |
Reverse proxy frontend (nginx)
| Value | Default | Description |
|---|---|---|
| nginx.image.repository | "" | The repository to pull the nginx image from, overrides the global value. |
| nginx.image.tag | "" | Overrides the image tag whose default is the subchart appVersion. |
| nginx.imagePullPolicy | Always | Kubelet image pull policy. |
| nginx.imagePullSecrets | [] | List of secrets to use when pulling the image. |
| nginx.nameOverride | "" | Override the objects’ names, using the release name as a prefix. |
| nginx.fullnameOverride | "" | Override the whole objects’ names (release name not used as a prefix). |
| nginx.serviceAccount.create | true | Specifies whether a service account should be created (the namespace default account is used if set to false). |
| nginx.serviceAccount.annotations | {} | Annotations to add to the service account. |
| nginx.serviceAccount.name | "" | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| nginx.podAnnotations | {} | Annotations to add to the pod. |
| nginx.podLabels | {} | Additional labels to attach to the pod, overrides the global.podLabels value. |
| nginx.service.type | ClusterIP | Kubernetes service type. |
| nginx.service.port | 9080 | Kubernetes service port. |
| nginx.service.tls.enabled | false | Enables a secure connection to the service. |
| nginx.service.tls.existingSecretName | | The name of the existing secret where the certificate and key are stored. If not defined, a certificate will be generated automatically. |
| nginx.service.tls.ssl_protocols | TLSv1.3 TLSv1.2; | Nginx SSL protocols setting. |
| nginx.service.tls.ssl_ciphers | HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384; | Nginx SSL ciphers setting. |
| nginx.ingress.enabled | false | Specifies whether to enable an ingress for accessing the application. |
| nginx.ingress.annotations | {} | Specifies the ingress object annotations. |
| nginx.ingress.hosts | [] | Array of host and paths objects. |
| nginx.ingress.hosts.host | "" | Host name string. |
| nginx.ingress.hosts.paths | [] | Array of paths to publish (typically ‘/’; pathType ‘Prefix’ is set automatically). |
| nginx.ingress.tls | [] | Specifies whether to use a secure connection to the ingress. |
| nginx.ingress.tls.secretName | "" | The name of the secret where the certificate and key are stored. |
| nginx.ingress.tls.hosts | [] | List of host names. |
| nginx.resources.requests.cpu | 100m | CPU requests. |
| nginx.resources.requests.memory | 100M | Memory requests. |
| nginx.resources.limits.cpu | 500m | CPU limits. |
| nginx.resources.limits.memory | 500M | Memory limits. |
| nginx.nodeSelector | {} | Allows scheduling the pod on specific nodes. |
| nginx.affinity | {} | Allows more control over scheduling the pod on specific nodes. |
| nginx.tolerations | [] | Another way of controlling where the pod will be scheduled. |
OS analysis
| Value | Default | Description |
|---|---|---|
| fleet.image.repository | "" | The repository to pull the fleet image from, overrides the global value. |
| fleet.image.tag | "" | Overrides the image tag whose default is the subchart appVersion. |
| fleet.imagePullPolicy | Always | Kubelet image pull policy. |
| fleet.imagePullSecrets | [] | List of secrets to use when pulling the image. |
| fleet.nameOverride | "" | Override the objects’ names, using the release name as a prefix. |
| fleet.fullnameOverride | "" | Override the whole objects’ names (release name not used as a prefix). |
| fleet.serviceAccount.create | true | Specifies whether a service account should be created (the namespace default account is used if set to false). |
| fleet.serviceAccount.annotations | {} | Annotations to add to the service account. |
| fleet.serviceAccount.name | "" | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| fleet.podAnnotations | {} | Annotations to add to the pod. |
| fleet.podLabels | {} | Additional labels to attach to the pod, overrides the global.podLabels value. |
| fleet.service.type | NodePort | NodePort or LoadBalancer, to access the OS analysis service from outside the cluster. See the Kubernetes service type docs. |
| fleet.service.loadBalancerIP | | If LoadBalancer is used as the type, loadBalancerIP needs to be set and global.osanalysis.hostname should point to it. |
| fleet.service.port | 8443 | Kubernetes service port. |
| fleet.service.nodePort | 31443 | Kubernetes service port to access on the nodes. |
| fleet.resources.requests.cpu | 100m | CPU requests. |
| fleet.resources.requests.memory | 100M | Memory requests. |
| fleet.resources.limits.cpu | "1" | CPU limits. |
| fleet.resources.limits.memory | 4G | Memory limits. |
| fleet.nodeSelector | {} | Allows scheduling the pod on specific nodes. |
| fleet.affinity | {} | Allows more control over scheduling the pod on specific nodes. |
| fleet.tolerations | [] | Another way of controlling where the pod will be scheduled. |
| fleet.mysql.image.repository | "" | The repository to pull the mysql and busybox images from, overrides the global value. |
| fleet.mysql.image.tag | "" | Overrides the mysql image tag whose default is the subchart appVersion. |
| fleet.mysql.image.busyboxTag | "1.35.0" | Sets the busybox image tag. |
| fleet.mysql.imagePullPolicy | Always | Kubelet image pull policy. |
| fleet.mysql.imagePullSecrets | [] | List of secrets to use when pulling the image. |
| fleet.mysql.nameOverride | "" | Override the objects’ names, using the release name as a prefix. |
| fleet.mysql.fullnameOverride | "" | Override the whole objects’ names (release name not used as a prefix). |
| fleet.mysql.serviceAccount.create | true | Specifies whether a service account should be created (the namespace default account is used if set to false). |
| fleet.mysql.serviceAccount.annotations | {} | Annotations to add to the service account. |
| fleet.mysql.serviceAccount.name | "" | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| fleet.mysql.podAnnotations | {} | Annotations to add to the pod. |
| fleet.mysql.podLabels | {} | Additional labels to attach to the pod, overrides the global.podLabels value. |
| fleet.mysql.service.type | ClusterIP | Kubernetes service type. |
| fleet.mysql.service.port | 3306 | Kubernetes service port. |
| fleet.mysql.resources.requests.cpu | 100m | CPU requests. |
| fleet.mysql.resources.requests.memory | 256Mi | Memory requests. |
| fleet.mysql.resources.limits.cpu | 500m | CPU limits. |
| fleet.mysql.resources.limits.memory | 500M | Memory limits. |
| fleet.mysql.persistence.enabled | true | Specifies whether to enable data persistence. |
| fleet.mysql.persistence.annotations | {} | Specifies the persistent volume objects’ annotations. |
| fleet.mysql.persistence.size | 10G | The size of the persistent volume. |
| fleet.mysql.persistence.storageClass | "" | Use a specific storage class. If not specified, the default is used. |
| fleet.mysql.persistence.accessModes | [ReadWriteOnce] | Specifies the storage access modes, storage provider dependent. |
| fleet.mysql.nodeSelector | {} | Allows scheduling the pod on specific nodes. |
| fleet.mysql.affinity | {} | Allows more control over scheduling the pod on specific nodes. |
| fleet.mysql.tolerations | [] | Another way of controlling where the pod will be scheduled. |
| fleet.redis.image.repository | "" | The repository to pull the redis image from, overrides the global value. |
| fleet.redis.image.tag | "" | Overrides the image tag whose default is the subchart appVersion. |
| fleet.redis.imagePullPolicy | Always | Kubelet image pull policy. |
| fleet.redis.imagePullSecrets | [] | List of secrets to use when pulling the image. |
| fleet.redis.nameOverride | "" | Override the objects’ names, using the release name as a prefix. |
| fleet.redis.fullnameOverride | "" | Override the whole objects’ names (release name not used as a prefix). |
| fleet.redis.serviceAccount.create | true | Specifies whether a service account should be created (the namespace default account is used if set to false). |
| fleet.redis.serviceAccount.annotations | {} | Annotations to add to the service account. |
| fleet.redis.serviceAccount.name | "" | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| fleet.redis.podAnnotations | {} | Annotations to add to the pod. |
| fleet.redis.podLabels | {} | Additional labels to attach to the pod, overrides the global.podLabels value. |
| fleet.redis.service.type | ClusterIP | Kubernetes service type. |
| fleet.redis.service.port | 6379 | Kubernetes service port. |
| fleet.redis.resources.requests.cpu | 100m | CPU requests. |
| fleet.redis.resources.requests.memory | 256Mi | Memory requests. |
| fleet.redis.resources.limits.cpu | 500m | CPU limits. |
| fleet.redis.resources.limits.memory | 500M | Memory limits. |
| fleet.redis.nodeSelector | {} | Allows scheduling the pod on specific nodes. |
| fleet.redis.affinity | {} | Allows more control over scheduling the pod on specific nodes. |
| fleet.redis.tolerations | [] | Another way of controlling where the pod will be scheduled. |
Image Scanning
| Value | Default | Description |
|---|---|---|
| imagescanning.image.repository | "" | The repository to pull the imagescanning image from, overrides the global value. |
| imagescanning.image.tag | "" | Overrides the image tag whose default is the subchart appVersion. |
| imagescanning.imagePullPolicy | Always | Kubelet image pull policy. |
| imagescanning.imagePullSecrets | [] | List of secrets to use when pulling the image. |
| imagescanning.nameOverride | "" | Override the objects’ names, using the release name as a prefix. |
| imagescanning.fullnameOverride | "" | Override the whole objects’ names (release name not used as a prefix). |
| imagescanning.serviceAccount.create | true | Specifies whether a service account should be created (the namespace default account is used if set to false). |
| imagescanning.serviceAccount.annotations | {} | Annotations to add to the service account. |
| imagescanning.serviceAccount.name | "" | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| imagescanning.podAnnotations | {} | Annotations to add to the pod. |
| imagescanning.podLabels | {} | Additional labels to attach to the pod, overrides the global.podLabels value. |
| imagescanning.resources.requests.cpu | 100m | CPU requests. |
| imagescanning.resources.requests.memory | 500M | Memory requests. |
| imagescanning.resources.limits.cpu | 1 | CPU limits. |
| imagescanning.resources.limits.memory | 2Gi | Memory limits. |
| imagescanning.persistence.enabled | true | Specifies whether to enable data persistence (persists the imagescanning cache across pod restarts). |
| imagescanning.persistence.annotations | {} | Specifies the persistent volume objects’ annotations. |
| imagescanning.persistence.size | 500M | The size of the persistent volume. |
| imagescanning.persistence.storageClass | "" | Use a specific storage class. If not specified, the default is used. |
| imagescanning.persistence.accessModes | [ReadWriteOnce] | Specifies the storage access modes, storage provider dependent. |
| imagescanning.nodeSelector | {} | Allows scheduling the pod on specific nodes. |
| imagescanning.affinity | {} | Allows more control over scheduling the pod on specific nodes. |
| imagescanning.tolerations | [] | Another way of controlling where the pod will be scheduled. |
To find out how to configure and use the product, including the required permissions for scanning a Kubernetes cluster, please follow the official documentation available at https://docs.runecast.com/.