From 8a32a2aa577681d37b7cbc5d6a9e9fe07157b3ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Thu, 29 Aug 2024 13:58:16 +0000
Subject: [PATCH] Security vulnerability scanner - Deepfence ThreadMapper agent
 deployment

---
 .../playbooks/security-scanner.yaml           |  1 +
 .../templates/deepfence-agent.yaml.j2         |  1 +
 common/playbooks/security-scanner.yaml        | 46 +++++++++++++++++++
 .../templates/deepfence-agent.yaml.j2         |  8 ++++
 staging1/deploy.sh                            |  1 +
 staging1/playbooks/security-scanner.yaml      |  1 +
 .../templates/deepfence-agent.yaml.j2         |  1 +
 7 files changed, 59 insertions(+)
 create mode 120000 cesnet-central/playbooks/security-scanner.yaml
 create mode 120000 cesnet-central/playbooks/templates/deepfence-agent.yaml.j2
 create mode 100644 common/playbooks/security-scanner.yaml
 create mode 100644 common/playbooks/templates/deepfence-agent.yaml.j2
 create mode 120000 staging1/playbooks/security-scanner.yaml
 create mode 120000 staging1/playbooks/templates/deepfence-agent.yaml.j2

diff --git a/cesnet-central/playbooks/security-scanner.yaml b/cesnet-central/playbooks/security-scanner.yaml
new file mode 120000
index 0000000..186bdc1
--- /dev/null
+++ b/cesnet-central/playbooks/security-scanner.yaml
@@ -0,0 +1 @@
+../../common/playbooks/security-scanner.yaml
\ No newline at end of file
diff --git a/cesnet-central/playbooks/templates/deepfence-agent.yaml.j2 b/cesnet-central/playbooks/templates/deepfence-agent.yaml.j2
new file mode 120000
index 0000000..faf3956
--- /dev/null
+++ b/cesnet-central/playbooks/templates/deepfence-agent.yaml.j2
@@ -0,0 +1 @@
+../../../common/playbooks/templates/deepfence-agent.yaml.j2
\ No newline at end of file
diff --git a/common/playbooks/security-scanner.yaml b/common/playbooks/security-scanner.yaml
new file mode 100644
index 0000000..623c9b8
--- /dev/null
+++ b/common/playbooks/security-scanner.yaml
@@ -0,0 +1,46 @@
+---
+# Secrets in "/{{ site_name }}":
+#
+# * deepfence_host (required) - management console host
+# * deepfence_key (required)
+#
+- name: Deepfence ThreadManager Agent Deployment
+  hosts: master
+  become: true
+  vars:
+    namespace: deepfence
+    version: 2.3.0  # app 2.3.0
+  tasks:
+    - name: Configure Helm Repo
+      shell: |-
+        helm repo add deepfence https://deepfence-helm-charts.s3.amazonaws.com/threatmapper
+        helm repo update
+      when: "'deepfence' not in ansible_local.helm_repos | map(attribute='name') | list"
+    - name: Get Secrets From Vault
+      set_fact:
+        secret: "{{ lookup('community.hashi_vault.hashi_vault', [ vault_mount_point,  'site-' + site_name] | join('/'), token_validate=false) }}"
+    - name: Debug Secrets
+      debug:
+        msg: "{{ item.key }} = {{ item.value }}"
+      loop: "{{ secret | dict2items }}"
+    - name: Deepfence ThreadManager Agent Configuration
+      template:
+        src: templates/deepfence-agent.yaml.j2
+        dest: /tmp/deepfence-agent.yaml
+        mode: 0600
+    - name: Deploy/upgrade Deepfence ThreadManager Agent
+      shell: |-
+        helm status --namespace {{ namespace }} deepfence-agent
+        if [ $? -ne 0 ]; then
+            helm install --create-namespace --namespace {{ namespace }} \
+                -f /tmp/deepfence-agent.yaml --version {{ version }} \
+                deepfence-agent deepfence/deepfence-agent
+        else
+            helm upgrade --namespace {{ namespace }} \
+                -f /tmp/deepfence-agent.yaml --version {{ version }}  \
+                deepfence-agent deepfence/deepfence-agent
+        fi
+      environment:
+        KUBECONFIG: /etc/kubernetes/admin.conf
+        PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
+      when: true
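Review bot: The `Debug Secrets` task (the `debug:` block looping over `secret | dict2items`) prints every value fetched from Vault, including `deepfence_key`, into the play output and whatever collects it, and the preceding `set_fact` task is not shielded either, so the key also appears in verbose runs. Drop the debug task or, at minimum, add `no_log: true` to both it and the `Get Secrets From Vault` task. The rendered `/tmp/deepfence-agent.yaml` keeps the key on disk after the helm run; a final `file: {path: /tmp/deepfence-agent.yaml, state: absent}` task would clean it up. Quoting the mode as `mode: "0600"` avoids the YAML 1.1 octal parse that Ansible warns about, and `when: true` on the last task is a no-op that can be removed.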
diff --git a/common/playbooks/templates/deepfence-agent.yaml.j2 b/common/playbooks/templates/deepfence-agent.yaml.j2
new file mode 100644
index 0000000..bf13c80
--- /dev/null
+++ b/common/playbooks/templates/deepfence-agent.yaml.j2
@@ -0,0 +1,8 @@
+managementConsoleUrl: "{{ secret['deepfence_host'] | default('') }}"
+deepfenceKey: "{{ secret['deepfence_key'] | default('') }}"
+clusterName: "jupyter-{{ site_name }}"
+mountContainerRuntimeSocket:
+  containerSock: true
+  crioSock: false
+  dockerSock: false
+  podmanSock: false
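Review bot: `default('')` on the first two lines contradicts the playbook header, which lists `deepfence_host` and `deepfence_key` as required: a missing Vault entry renders an empty `managementConsoleUrl`/`deepfenceKey`, and the chart presumably installs an agent that cannot reach the console, with the failure only visible later in the pod logs. Using `{{ secret['deepfence_host'] | mandatory }}` and `{{ secret['deepfence_key'] | mandatory }}` fails the template task with a clear message instead. The socket selection (only `containerSock` enabled) looks cluster-specific and would read better with a comment naming the runtime it targets, e.g. `# containerd-based nodes; adjust crioSock/dockerSock if the runtime changes`.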
diff --git a/staging1/deploy.sh b/staging1/deploy.sh
index d509ed3..2487b4b 100755
--- a/staging1/deploy.sh
+++ b/staging1/deploy.sh
@@ -56,3 +56,4 @@ while ansible -m command -a 'kubectl get pods --all-namespaces' master | tail -n
 
 ansible-playbook playbooks/security-assets.yaml
 ansible-playbook playbooks/security-logs.yaml
+ansible-playbook playbooks/security-scanner.yaml
diff --git a/staging1/playbooks/security-scanner.yaml b/staging1/playbooks/security-scanner.yaml
new file mode 120000
index 0000000..186bdc1
--- /dev/null
+++ b/staging1/playbooks/security-scanner.yaml
@@ -0,0 +1 @@
+../../common/playbooks/security-scanner.yaml
\ No newline at end of file
diff --git a/staging1/playbooks/templates/deepfence-agent.yaml.j2 b/staging1/playbooks/templates/deepfence-agent.yaml.j2
new file mode 120000
index 0000000..faf3956
--- /dev/null
+++ b/staging1/playbooks/templates/deepfence-agent.yaml.j2
@@ -0,0 +1 @@
+../../../common/playbooks/templates/deepfence-agent.yaml.j2
\ No newline at end of file
-- 
GitLab