GRR Chart enhancements (#142)

* Incorporate GRR updates

* Incorporate GRR updates

* Incorporate GRR updates

* Incorporate GRR updates

* Adds executable signing changes for minikube

* Adds executable signing changes for minikube

* Updates prometheus labels on deployments

* Fix README typo

* Fix README typo

* Fix README typo

* Bumps the GRR Chart to version 1.0.1

* Update README.md with readme-generator-for-helm

Signed-off-by: daschwanden <[email protected]>

* Adjust prometheus label to match PodMontioring selectors

---------

Signed-off-by: daschwanden <[email protected]>
Co-authored-by: daschwanden <[email protected]>

charts/grr/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: grr
-version: 1.0.0
+version: 1.0.1
 description: A Helm chart for GRR/Fleetspeak Kubernetes deployments.
 keywords:
 - grr

charts/grr/certs/executable-signing.crt

@@ -0,0 +1 @@
+Replace with your executable signing certificate in case needed.

charts/grr/certs/executable-signing.key

@@ -0,0 +1 @@
+Replace with your executable signing key in case needed.

charts/grr/containers/grr-daemon/Dockerfile

@@ -11,34 +11,24 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM ghcr.io/google/fleetspeak:cl-601420666 AS fleetspeak
 FROM ghcr.io/google/grr:latest AS grr
 COPY config /config
 COPY grr-client-config.yaml /config/grr.client.yaml
+COPY executable-signing.key /config/
 
-WORKDIR /
-
-# Create a dummy Client.executable_signing_public_key if none is provided in the config file
-# Reasoning: This ensures that the repackaging runs through (see below)
-RUN if [ $(grep -ic "Client.executable_signing_public_key:" /config/grr.client.yaml) -eq 0 ]; \
-    then \
-      grr_config_updater generate_keys; \
-      grep -oz "Client.executable_signing_public_key: '-----BEGIN PUBLIC KEY-----.*-----END PUBLIC KEY-----" \
-        /usr/src/grr/grr/core/install_data/etc/server.local.yaml | tr '\0' "'" >> /config/grr.client.yaml; \
-    fi
+RUN mkdir /client_installers && \
+    grr_config_updater repack_clients \
+      --secondary_configs /config/grr.yaml \
+      --noupload
 
-RUN grr_client_build repack_multiple \
-            --templates /client_templates/ubuntu-installers/grr_*_amd64.deb.zip \
-            --repack_configs /config/grr.client.yaml \
-            --output_dir /
+WORKDIR /
 
 FROM ubuntu:22.04
 WORKDIR /
 
 COPY config /config
 COPY --from=grr /config/grr.client.yaml /config/grr.client.yaml
 
-COPY --from=fleetspeak /fleetspeak/bin/client /usr/local/bin/fleetspeak-client
-COPY --from=grr /grr.client/grr_*_amd64.deb .
+COPY --from=grr /client_installers/grr_*_amd64.deb .
 RUN dpkg -i grr_*_amd64.deb && rm grr_*_amd64.deb
 ENTRYPOINT ["fleetspeak-client", "-config" , "/config/config.textproto", "-alsologtostderr"]

charts/grr/containers/grr-daemon/config/grr.yaml

@@ -0,0 +1,14 @@
+PrivateKeys.executable_signing_private_key: "%(/config/executable-signing.key|file)"
+Client.executable_signing_public_key: "%(/config/executable-signing.pub|file)"
+# Configuration for repacking client templates:
+Client.fleetspeak_enabled: true
+ClientBuilder.fleetspeak_bundled: true
+ClientBuilder.template_dir: /client_templates
+ClientBuilder.executables_dir: /client_installers
+
+Target:Linux:
+  ClientBuilder.fleetspeak_client_config: /config/config.textproto
+Target:Windows:
+  ClientBuilder.fleetspeak_client_config: /config/config.textproto
+Target:Darwin:
+  ClientBuilder.fleetspeak_client_config: /config/config.textproto

charts/grr/containers/grr-daemon/config/textservices/grr.service

@@ -1,16 +1,9 @@
 name: "GRR"
 factory: "Daemon"
-required_labels {
-  service_name: "client"
-  label: "linux"
-}
 config {
   [type.googleapis.com/fleetspeak.daemonservice.Config] {
     argv: "/usr/sbin/grrd"
-    argv: "--config=/config/grr.client.yaml"
-
-    monitor_heartbeats: true
-    heartbeat_unresponsive_grace_period_seconds: 600  # 10 minutes.
-    heartbeat_unresponsive_kill_period_seconds: 120  # 2 minutes.
+    argv: "--config"
+    argv: "/config/grr.client.yaml"
   }
 }

charts/grr/containers/grr-daemon/grr-client-config.yaml

@@ -7,3 +7,5 @@ Logging.path: /
 Logging.filename: /grr-client.log
 
 Config.writeback: /config/grr-client.local.yaml
+
+Client.executable_signing_public_key: "%(/config/executable-signing.pub|file)"

charts/grr/templates/daemonset/dst-grr.yaml

@@ -36,6 +36,12 @@ spec:
       containers:
       - name: grr
         image: {{ .Values.grr.daemon.image }}
+        {{- if .Values.global.useResourceRequests }}
+        resources:
+          requests:
+            memory: "150Mi"
+            cpu: "150m"
+        {{- end }}
         imagePullPolicy: {{ .Values.grr.daemon.imagePullPolicy }}
         # Making it a privileged container. This way the processes within
         # the container get almost the same privileges as those outside the

charts/grr/templates/deployment/dpl-fleetspeak-admin.yaml

@@ -16,7 +16,7 @@ spec:
     metadata:
       labels:
         app.kubernetes.io/name: fleetspeak-admin
-        prometheus: enabled
+        prometheus: fleetspeak-admin
     spec:
       affinity:
         nodeAffinity:
@@ -31,6 +31,12 @@ spec:
       containers:
       - name: fleetspeak-admin
         image: {{ .Values.fleetspeak.admin.image }}
+        {{- if .Values.global.useResourceRequests }}
+        resources:
+          requests:
+            memory: "2Gi"
+            cpu: "1000m"
+        {{- end }}
         ports:
         - containerPort: {{ .Values.fleetspeak.admin.listenPort }}
           name: admin

charts/grr/templates/deployment/dpl-fleetspeak-frontend.yaml

@@ -16,7 +16,7 @@ spec:
     metadata:
       labels:
         app.kubernetes.io/name: fleetspeak-frontend
-        prometheus: enabled
+        prometheus: fleetspeak-frontend
     spec:
       affinity:
         nodeAffinity:
@@ -49,6 +49,12 @@ spec:
       containers:
       - name: fleetspeak-frontend
         image: {{ .Values.fleetspeak.frontend.image }}
+        {{- if .Values.global.useResourceRequests }}
+        resources:
+          requests:
+            memory: "2Gi"
+            cpu: "1000m"
+        {{- end }}
         ports:
         - containerPort: {{ .Values.fleetspeak.frontend.listenPort }}
           name: frontend

charts/grr/templates/deployment/dpl-grr-admin.yaml

@@ -16,7 +16,7 @@ spec:
     metadata:
       labels:
         app.kubernetes.io/name: grr-admin
-        prometheus: enabled
+        prometheus: grr-admin
     spec:
       affinity:
         nodeAffinity:
@@ -31,6 +31,12 @@ spec:
       containers:
       - name: grr-admin
         image: {{ .Values.grr.admin.image }}
+        {{- if .Values.global.useResourceRequests }}
+        resources:
+          requests:
+            memory: "2Gi"
+            cpu: "1000m"
+        {{- end }}
         ports:
         - containerPort: {{ .Values.grr.admin.listenPort }}
           name: admin
@@ -53,4 +59,4 @@ spec:
             path: server.local.yaml
       - name: cert-volume
         secret:
-          secretName: sec-grr-frontend-cert
+          secretName: sec-grr-executable-signing-cert

charts/grr/templates/deployment/dpl-grr-frontend.yaml

@@ -16,7 +16,7 @@ spec:
     metadata:
       labels:
         app.kubernetes.io/name: grr-frontend
-        prometheus: enabled
+        prometheus: grr-frontend
     spec:
       affinity:
         nodeAffinity:
@@ -31,6 +31,12 @@ spec:
       containers:
       - name: grr-frontend
         image: {{ .Values.grr.frontend.image }}
+        {{- if .Values.global.useResourceRequests }}
+        resources:
+          requests:
+            memory: "2Gi"
+            cpu: "1000m"
+        {{- end }}
         ports:
         - containerPort: {{ .Values.grr.frontend.listenPort }}
           name: frontend
@@ -53,4 +59,4 @@ spec:
             path: server.local.yaml
       - name: cert-volume
         secret:
-          secretName: sec-grr-frontend-cert
+          secretName: sec-grr-executable-signing-cert

charts/grr/templates/deployment/dpl-grr-worker.yaml

@@ -16,7 +16,7 @@ spec:
     metadata:
       labels:
         app.kubernetes.io/name: grr-worker
-        prometheus: enabled
+        prometheus: grr-worker
     spec:
       affinity:
         nodeAffinity:
@@ -31,6 +31,12 @@ spec:
       containers:
       - name: grr-worker
         image: {{ .Values.grr.worker.image }}
+        {{- if .Values.global.useResourceRequests }}
+        resources:
+          requests:
+            memory: "2Gi"
+            cpu: "1000m"
+        {{- end }}
         ports:
         - containerPort: {{ .Values.prometheus.metricsPort }}
           name: metrics
@@ -51,4 +57,4 @@ spec:
             path: server.local.yaml
       - name: cert-volume
         secret:
-          secretName: sec-grr-frontend-cert
+          secretName: sec-grr-executable-signing-cert

charts/grr/templates/secret/sec-grr-executable-cert.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sec-grr-executable-signing-cert
+  {{- if .Values.grr.namespace }}
+  namespace: {{ .Values.grr.namespace }}
+  {{- end }}
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  {{- if .Values.grr.generateExecutableSigningCert }}
+    {{- $cert := genSelfSignedCert "grr-response.com" nil nil 3650 }}
+    executable-signing.crt: {{ b64enc $cert.Cert }}
+    executable-signing.key: {{ b64enc $cert.Key }}
+  {{- else }}
+    executable-signing.crt: {{ .Files.Get "certs/executable-signing.crt" | b64enc }}
+    executable-signing.key: {{ .Files.Get "certs/executable-signing.key" | b64enc }}
+  {{- end }}

charts/grr/templates/secret/sec-grr-server-local.yaml

@@ -15,8 +15,6 @@ stringData:
     Mysql.username: {{ .Values.grr.mysqlDb.userName }}
     Mysql.password: {{ .Values.grr.mysqlDb.userPassword }}
     Mysql.flow_processing_threads_max: 20
-    Client.server_urls:
-    - http://localhost:8080/
     AdminUI.csrf_secret_key: KPK,_0a_xY&DTeiaokEdsH1uXGobNIhfrr67BTSLlPPv64_UE0nyn8QsD6
     AdminUI.url: http://localhost:{{ .Values.grr.admin.listenPort }}
     AdminUI.bind: 0.0.0.0
@@ -33,7 +31,8 @@ stringData:
     Monitoring.http_address: 0.0.0.0
     Monitoring.http_port: {{ .Values.prometheus.metricsPort }}
 
-    Frontend.certificate: "%(/grr/certs/grr-frontend.crt|file)"
+    Client.executable_signing_public_key: "%(/grr/certs/executable-signing.pub|file)"
+    PrivateKeys.executable_signing_private_key: "%(/grr/certs/executable-signing.key|file)"
 
     Server.initialized: true
     Server.fleetspeak_enabled: true

charts/grr/values-gcp.yaml

@@ -7,6 +7,9 @@ global:
   ## @param global.selfManagedMysql Enables a mySQL DB containter to be deployed into the cluster.
   ##
   selfManagedMysql: false
+  ## @param global.useResourceRequests Allocates resources to the pods.
+  ##
+  useResourceRequests: true
 
 ## @section Fleetspeak parameters
 ##
@@ -27,7 +30,7 @@ fleetspeak:
   admin:
     ## @param fleetspeak.admin.image Sets the Fleetspeak admin container image to use.
     ##
-    image: "ghcr.io/google/fleetspeak:cl-616106372"
+    image: "ghcr.io/google/fleetspeak:latest"
     ## @param fleetspeak.admin.listenPort Sets the Fleetspeak admin listen port to use.
     ##
     listenPort: 4444
@@ -41,7 +44,7 @@ fleetspeak:
     healthCheckPort: 8080
     ## @param fleetspeak.frontend.image Sets the Fleetspeak fronend container image to use.
     ##
-    image: "ghcr.io/google/fleetspeak:cl-616106372"
+    image: "ghcr.io/google/fleetspeak:latest"
     ## @param fleetspeak.frontend.listenPort Sets the Fleetspeak frontend listen port to use.
     ##
     listenPort: 4443
@@ -76,20 +79,16 @@ fleetspeak:
 ## @section GRR parameters
 ##
 grr:
-  ## @param grr.generateCert Enables the generation of self-signed GRR x509 certificate.
+  ## @param grr.generateExecutableSigningCert Enables the generation of self-signed executable signging certificate.
   ## ref https://helm.sh/docs/chart_template_guide/function_list/#genselfsignedcert
   ##
-  generateCert: true
+  generateExecutableSigningCert: true
   ## @param grr.namespace Sets the GRR namespace.
   ##
   namespace: "grr"
   ## @param grr.namespaceClient Sets the GRR client namespace.
   ##
   namespaceClient: "grr-client"
-  ## @param grr.subjectCommonName Sets the GRR x509 certificate subject common name.
-  ## ref https://helm.sh/docs/chart_template_guide/function_list/#genselfsignedcert
-  ##
-  subjectCommonName: "grr-frontend"
 
   admin:
     ## @param grr.admin.image Sets the GRR admin container image to use.

charts/grr/values.yaml

@@ -7,6 +7,9 @@ global:
   ## @param global.selfManagedMysql Enables a mySQL DB containter to be deployed into the cluster.
   ##
   selfManagedMysql: true
+  ## @param global.useResourceRequests Allocates resources to the pods.
+  ##
+  useResourceRequests: false
 
 ## @section Fleetspeak parameters
 ##
@@ -27,7 +30,7 @@ fleetspeak:
   admin:
     ## @param fleetspeak.admin.image Sets the Fleetspeak admin container image to use.
     ##
-    image: "ghcr.io/google/fleetspeak:cl-616106372"
+    image: "ghcr.io/google/fleetspeak:latest"
     ## @param fleetspeak.admin.listenPort Sets the Fleetspeak admin listen port to use.
     ##
     listenPort: 4444
@@ -41,7 +44,7 @@ fleetspeak:
     healthCheckPort: 8080
     ## @param fleetspeak.frontend.image Sets the Fleetspeak fronend container image to use.
     ##
-    image: "ghcr.io/google/fleetspeak:cl-616106372"
+    image: "ghcr.io/google/fleetspeak:latest"
     ## @param fleetspeak.frontend.listenPort Sets the Fleetspeak frontend listen port to use.
     ##
     listenPort: 4443
@@ -76,14 +79,10 @@ fleetspeak:
 ## @section GRR parameters
 ##
 grr:
-  ## @param grr.generateCert Enables the generation of self-signed GRR x509 certificate.
-  ## ref https://helm.sh/docs/chart_template_guide/function_list/#genselfsignedcert
-  ##
-  generateCert: true
-  ## @param grr.subjectCommonName Sets the GRR x509 certificate subject common name.
+  ## @param grr.generateExecutableSigningCert Enables the generation of self-signed executable signging certificate.
   ## ref https://helm.sh/docs/chart_template_guide/function_list/#genselfsignedcert
   ##
-  subjectCommonName: "grr-frontend"
+  generateExecutableSigningCert: true
 
   admin:
     ## @param grr.admin.image Sets the GRR admin container image to use.