Security vulnerability scanner - Deepfence ThreadMapper agent deployment

cesnet-central/playbooks/security-scanner.yaml

+../../common/playbooks/security-scanner.yaml
\ No newline at end of file

cesnet-central/playbooks/templates/deepfence-agent.yaml.j2

+../../../common/playbooks/templates/deepfence-agent.yaml.j2
\ No newline at end of file

common/playbooks/security-scanner.yaml

+---
+# Secrets in "/{{ site_name }}":
+#
+# * deepfence_host (required) - management console host
+# * deepfence_key (required)
+#
+- name: Deepfence ThreadManager Agent Deployment
+  hosts: master
+  become: true
+  vars:
+    namespace: deepfence
+    version: 2.3.0  # app 2.3.0
+  tasks:
+    - name: Configure Helm Repo
+      shell: |-
+        helm repo add deepfence https://deepfence-helm-charts.s3.amazonaws.com/threatmapper
+        helm repo update
+      when: "'deepfence' not in ansible_local.helm_repos | map(attribute='name') | list"
+    - name: Get Secrets From Vault
+      set_fact:
+        secret: "{{ lookup('community.hashi_vault.hashi_vault', [ vault_mount_point,  'site-' + site_name] | join('/'), token_validate=false) }}"
+    - name: Debug Secrets
+      debug:
+        msg: "{{ item.key }} = {{ item.value }}"
+      loop: "{{ secret | dict2items }}"
+    - name: Deepfence ThreadManager Agent Configuration
+      template:
+        src: templates/deepfence-agent.yaml.j2
+        dest: /tmp/deepfence-agent.yaml
+        mode: 0600
+    - name: Deploy/upgrade Deepfence ThreadManager Agent
+      shell: |-
+        helm status --namespace {{ namespace }} deepfence-agent
+        if [ $? -ne 0 ]; then
+            helm install --create-namespace --namespace {{ namespace }} \
+                -f /tmp/deepfence-agent.yaml --version {{ version }} \
+                deepfence-agent deepfence/deepfence-agent
+        else
+            helm upgrade --namespace {{ namespace }} \
+                -f /tmp/deepfence-agent.yaml --version {{ version }}  \
+                deepfence-agent deepfence/deepfence-agent
+        fi
+      environment:
+        KUBECONFIG: /etc/kubernetes/admin.conf
+        PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
+      when: true

common/playbooks/templates/deepfence-agent.yaml.j2

+managementConsoleUrl: "{{ secret['deepfence_host'] | default('') }}"
+deepfenceKey: "{{ secret['deepfence_key'] | default('') }}"
+clusterName: "jupyter-{{ site_name }}"
+mountContainerRuntimeSocket:
+  containerSock: true
+  crioSock: false
+  dockerSock: false
+  podmanSock: false

staging1/deploy.sh

@@ -56,3 +56,4 @@ while ansible -m command -a 'kubectl get pods --all-namespaces' master | tail -n
 
 ansible-playbook playbooks/security-assets.yaml
 ansible-playbook playbooks/security-logs.yaml
+ansible-playbook playbooks/security-scanner.yaml

staging1/playbooks/security-scanner.yaml

+../../common/playbooks/security-scanner.yaml
\ No newline at end of file

staging1/playbooks/templates/deepfence-agent.yaml.j2

+../../../common/playbooks/templates/deepfence-agent.yaml.j2
\ No newline at end of file