feat: add Helm chart to install Tracee with Postee (aquasecurity#1812)

This patch adds basic Helm chart templates to install Tracee
as a DaemonSet in a Kubernetes cluster.

You can install tracee Helm release with the following command:

    git clone https://github.com/aquasecurity/tracee.git
    cd tracee
    helm repo add aqua-charts https://aquasecurity.github.io/helm-charts
    helm dependency update ./deploy/helm/tracee
    helm install tracee ./deploy/helm/tracee \
      --namespace tracee-system --create-namespace

When you want to test the template rendering, but not actually
installing anything, you can use:

    helm install --debug --dry-run tracee ./deploy/helm/tracee \
      --namespace tracee-system --create-namespace

By default, Tracee is installed with Postee. You can disable Postee
with the `postee.enabled=false` value:

    helm install tracee ./deploy/helm/tracee \
      --namespace tracee-system --create-namespace \
      --set postee.enabled=false

To see the entire generated YAML run the following command:

    helm get manifest tracee --namespace tracee-system

To uninstall Tracee run:

    helm uninstall tracee -n tracee-system

.github/workflows/publish-helm.yaml

@@ -0,0 +1,73 @@
+---
+# This is a manually triggered workflow to package and upload the Helm chart
+# from the specified Git revision (e.g., main branch or v0.7.0 tag) to Helm
+# repository on https://github.com/aquasecurity/helm-charts.
+name: Publish Helm
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: The branch, tag or SHA to publish, e.g. v0.0.1
+        required: true
+
+env:
+  HELM_REP: helm-charts
+  GH_OWNER: aquasecurity
+  CHART_DIR: deploy/helm/tracee
+
+jobs:
+  publish:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+        with:
+          ref: ${{ github.event.inputs.ref }}
+          fetch-depth: 0
+      - name: Install Helm
+        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab
+        with:
+          version: v3.5.0
+      - name: Set up python
+        uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6
+        with:
+          python-version: 3.7
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a
+      - name: Run chart-testing
+        run: ct lint-and-install --validate-maintainers=false --charts deploy/helm
+      - name: Install chart-releaser
+        run: |
+          wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
+          echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37  chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
+          tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
+      - name: Package helm chart
+        run: |
+          ./cr package --package-path .cr-release-packages ${{ env.CHART_DIR }}
+      - name: Upload helm chart
+        # Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101
+        continue-on-error: true
+        run: |
+          ./cr upload --owner ${{ env.GH_OWNER }} \
+            --git-repo ${{ env.HELM_REP }} \
+            --package-path .cr-release-packages \
+            --token ${{ secrets.ORG_REPO_TOKEN }}
+      - name: Index helm chart
+        run: |
+          ./cr index --owner ${{ env.GH_OWNER }} \
+            --git-repo ${{ env.HELM_REP }} \
+            --charts-repo https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ \
+            --index-path index.yaml
+      - name: Push index file
+        uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37
+        env:
+          API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
+        with:
+          source_file: 'index.yaml'
+          destination_repo: '${{ env.GH_OWNER }}/${{ env.HELM_REP }}'
+          destination_folder: '.'
+          destination_branch: 'gh-pages'
+          user_email: [email protected]
+          user_name: 'aqua-bot'

.gitignore

@@ -15,3 +15,6 @@ coverage.txt
 # ignore local and temporary packaging files
 debian
 .ubuntu*
+
+# ignore Helm subcharts
+deploy/helm/tracee/charts/

RELEASING.md

@@ -16,10 +16,11 @@
    ```
 1. Prepare release by creating the PR with the following changes
    1. Update the libbpfgo module
-   1. Update the types module
-   1. Update the container image tag in the following files:
+   2. Update the types module
+   3. Update the container image tag in the following files:
       1. `deploy/kubernetes/tracee-falcosidekick/falcosidekick.yaml`
-      1. `deploy/kubernetes/tracee-postee/tracee.yaml`
+      2. `deploy/kubernetes/tracee-postee/tracee.yaml`
+   4. Update `home`, `version` and `appVersion` properties in `deploy/helm/tracee/Chart.yaml`
 1. Run tests and checks
    1. Check that there are no verifier issues when choosing all events in tracee-ebpf (using `--trace e=*`)
    1. Check both CO-RE and non CO-RE builds
@@ -46,4 +47,4 @@
 1. Verify that the `release` workflow has built and published the following artifacts
    1. Tracee binaries (tracee-ebpf, tracee-rules, rules) in the form of a tar archive `tracee.<VERSION>.tar.gz`
    1. Source code zip and tar files
-   1. Docker images pushed to the aquasec/tracee repository (`docker.io/aquasec/tracee:<VERSION>` and `docker.io/aquasec/tracee:full-<VERSION>`)
+   1. Docker images pushed to the aquasec/tracee repository (`docker.io/aquasec/tracee:<VERSION>` and `docker.io/aquasec/tracee:full-<VERSION>`)

Vagrantfile

@@ -50,17 +50,22 @@ Vagrant.configure("2") do |config|
     snap install microk8s --classic
     microk8s status --wait-ready
     usermod -a -G microk8s vagrant
-    microk8s enable dashboard
+    microk8s enable hostpath-storage dns dashboard
 
-    mkdir -p /home/vagrant/.kube/
+    mkdir -p $VAGRANT_HOME/.kube/
     microk8s kubectl config view --raw > $VAGRANT_HOME/.kube/config
+    chmod 600 $VAGRANT_HOME/.kube/config
+    chown vagrant:vagrant $VAGRANT_HOME/.kube/config
 
     apt-get install --yes apt-transport-https ca-certificates curl
     curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
     echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list
     apt-get update
     apt-get install --yes kubectl
-    echo 'source <(kubectl completion bash)' >> $VAGRANT_HOME/.bashrc
+    echo 'source <(kubectl completion bash)' >> $VAGRANT_HOME/.profile
+
+    snap install helm --classic
+    echo 'source <(helm completion bash)' >> $VAGRANT_HOME/.profile
 
     apt-get install --yes linux-tools-$(uname -r)
 

deploy/helm/tracee/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deploy/helm/tracee/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: postee
+  repository: https://aquasecurity.github.io/helm-charts
+  version: v2.6.0
+digest: sha256:6b5654cf403b9b1423ae9b40d885c7514beba526a45807204005441fae574e14
+generated: "2022-06-08T22:16:16.71+02:00"

deploy/helm/tracee/Chart.yaml

@@ -0,0 +1,34 @@
+apiVersion: v2
+name: tracee
+description: Linux Runtime Security and Forensics using eBPF
+home: https://aquasecurity.github.io/tracee/v0.7.0/
+sources:
+  - https://github.com/aquasecurity/tracee
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: "0.7.0"
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.7.0"
+
+dependencies:
+  - name: postee
+    version: "~2.6.0"
+    # helm repo add aqua-charts https://aquasecurity.github.io/helm-charts
+    repository: "@aqua-charts"
+    condition: postee.enabled

deploy/helm/tracee/templates/NOTES.txt

@@ -0,0 +1,24 @@
+Tracee has been successfully installed as a set of pods scheduled on each Kubernetes cluster
+node controlled by the `{{ include "tracee.fullname" . }}` DaemonSet in the `{{ .Release.Namespace}}` namespace.
+By default, threat detections are printed to the standard output of each pod:
+
+$ kubectl logs -f daemonset/{{ include "tracee.fullname" . }} -n {{ .Release.Namespace }}
+
+*** Detection ***
+Time: 2022-06-08T13:59:01Z
+Signature ID: TRC-9
+Signature: New Executable Was Dropped During Runtime
+Data: map[file path:/bin/apache]
+Command: cp
+Hostname: attacker
+
+{{- if .Values.postee.enabled }}
+
+Detections are also sent to the webhook endpoint exposed by Postee:
+
+$ kubectl logs -f statefulset/{{ include "tracee.fullname" . }}-postee -n {{ .Release.Namespace }}
+
+You can integrate Postee with email server, Slack channel, and any other supported
+data sink to forward threat alerts for forensic auditing. For more details on Postee,
+see its documentation on https://aquasecurity.github.io/postee/latest.
+{{- end }}

deploy/helm/tracee/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "tracee.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "tracee.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "tracee.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "tracee.labels" -}}
+helm.sh/chart: {{ include "tracee.chart" . }}
+{{ include "tracee.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "tracee.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "tracee.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "tracee.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "tracee.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

deploy/helm/tracee/templates/daemonset.yaml

@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "tracee.fullname" . }}
+  labels:
+    {{- include "tracee.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "tracee.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "tracee.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "tracee.serviceAccountName" . }}
+      hostPID: {{ .Values.hostPID }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: tracee
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.postee.enabled }}
+          args:
+            - --webhook=http://{{ include "tracee.fullname" . }}-postee:8082
+            - --webhook-template=./templates/rawjson.tmpl
+            - --webhook-content-type=application/json
+          {{- end }}
+          env:
+            - name: LIBBPFGO_OSRELEASE_FILE
+              value: /etc/os-release-host
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          volumeMounts:
+            - name: tmp-tracee
+              mountPath: /tmp/tracee
+            - name: etc-os-release
+              mountPath: /etc/os-release-host
+              readOnly: true
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - hostPath:
+            path: /tmp/tracee
+          name: tmp-tracee
+        - hostPath:
+            path: /etc/os-release
+          name: etc-os-release

deploy/helm/tracee/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "tracee.serviceAccountName" . }}
+  labels:
+    {{- include "tracee.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}