diff --git a/.gitignore b/.gitignore
index 810ec8ae..0f02a16e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
*.tgz
Chart.lock
-
+private.yaml
diff --git a/README.md b/README.md
index 5046491c..6b471026 100644
--- a/README.md
+++ b/README.md
@@ -43,3 +43,74 @@ Before committing changes execute the following commands:
# Review the updated files and add to the repository.
git add .
```
+
+## Running in a local cluster
+
+Follow this instructions to deploy vulcan in your local cluster.
+The service will be available at .
+We use but `Kind` should work, the requirement is to expose the ingress on 127.0.0.1:80/443 ports.
+
+- Start your cluster.
+
+ ```sh
+ # Start the cluster on standard ports
+ k3d cluster create --port 80:80@Loadbalancer --port 443:443@Loadbalancer
+ ```
+
+- Create your SAML application with this callback URL .
+- Set the configuration (i.e. in `private.yaml`).
+
+ ```yaml
+ api:
+ conf:
+ saml:
+ metadata: https://example.okta.com/app/myclientid/sso/saml/metadata
+ issuer: http://www.okta.com/myclientid
+ ````
+
+- Install the application.
+
+ ```sh
+ # Install vulcan.
+ helm upgrade --install vulcan stable/vulcan -f examples/local.yaml -f private.yaml
+
+ # Wait for the pods to be in a RUNNING state
+ kubectl get pods
+ ```
+
+- Access the UI
+ - Create your team/s.
+ - Add your asset/s.
+ - Generate your token in .
+
+- Load the checks.
+
+ ```sh
+ # Load the default checks from https://github.com/adevinta/vulcan-checks
+ tools/load-checks.sh
+ ```
+
+- Create a scan for your team.
+
+ ```sh
+ TOKEN=your-token
+
+ # Find your team_id and set $TEAM_ID
+ curl -H "Authorization: Bearer $TOKEN" -s https://www.localhost.direct/api/v1/teams
+
+ TEAM_ID=your-team_id
+
+ # Launch a scan
+ curl -H "Authorization: Bearer $TOKEN" -H 'Accept: scan' -H 'Content-Type: application/json' -s \
+ --data '{"program_id": "periodic-full-scan"}' \
+ https://www.localhost.direct/api/v1/teams/$TEAM_ID/scans
+ ```
+
+- Start the agent to process the checks
+
+ ```sh
+ # Start the agent
+ tools/agent.sh
+ ````
+
+- See the findings in --> `Security` --> `Live report`.
diff --git a/examples/local.yaml b/examples/local.yaml
index 84886ce9..681072de 100644
--- a/examples/local.yaml
+++ b/examples/local.yaml
@@ -1,124 +1,267 @@
+extraManifests:
+ # See https://get.localhost.direct/
+ tls: |
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: localhost-direct-tls
+ labels: {{- include "vulcan.labels" . | nindent 4 }}
+ type: kubernetes.io/tls
+ data:
+ tls.crt: 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
+ tls.key: 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
+
+postgresql:
+ enabled: true
+
+redis:
+ enabled: true
+
minio:
enabled: true
ingress:
enabled: true
- hostname: minio.vulcan.local
+ hostname: minio.localhost.direct
+ extraTls:
+ - secretName: localhost-direct-tls
+ apiIngress:
+ enabled: true
+ hostname: s3.localhost.direct
+ tls: true
+ extraTls:
+ - secretName: localhost-direct-tls
goaws:
enabled: true
ingress:
enabled: true
hosts:
- - host: goaws.vulcan.local
- paths: [/]
-
-postgresql:
- enabled: true
-
-redis:
- enabled: true
+ - host: goaws.localhost.direct
+ paths: [/]
+ tls:
+ - secretName: localhost-direct-tls
+ hosts:
+ - goaws.localhost.direct
results:
- conf:
- linkBase: https://results.vulcan.local
+ enabled: true
+ image:
+ tag: latest
+ proxy: &proxy
+ enabled: false
+ dogstatsd: &dogstatsd
+ enabled: false
ingress:
enabled: true
hosts:
- - host: results.vulcan.local
- paths: [/]
+ - host: results.localhost.direct
+ paths: [/]
+ tls:
+ - secretName: localhost-direct-tls
+ hosts:
+ - results.localhost.direct
stream:
+ enabled: true
+ image:
+ tag: latest
+ proxy: *proxy
+ dogstatsd: *dogstatsd
ingress:
- annotations:
- nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
- nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
enabled: true
hosts:
- - host: stream.vulcan.local
- paths: [/]
+ - host: stream.localhost.direct
+ paths: [/]
+ tls:
+ - secretName: localhost-direct-tls
+ hosts:
+ - stream.localhost.direct
persistence:
+ enabled: true
+ image:
+ tag: latest
+ proxy: *proxy
+ dogstatsd: *dogstatsd
ingress:
enabled: true
hosts:
- - host: persistence.vulcan.local
- paths: [/]
+ - host: persistence.localhost.direct
+ paths: [/]
+ tls:
+ - secretName: localhost-direct-tls
+ hosts:
+ - persistence.localhost.direct
api:
+ enabled: true
+ image:
+ tag: latest
conf:
+ cookieDomain: localhost.direct
+ secretKey: mysecretkey
saml:
- callback: https://www.vulcan.local/api/v1/login/callback
- trustedDomains: '["www.vulcan.local"]'
+ # Setup your SAML
+ # Okta format
+ metadata: https://example.okta.com/app/yourclientid/sso/saml/metadata
+ issuer: http://www.okta.com/yourclientid
+ # auth0 format
+ # metadata: https://example.eu.auth0.com/samlp/metadata/yourclientid
+ # issuer: urn:example.eu.auth0.com
+ callback: https://www.localhost.direct/api/v1/login/callback
+ trustedDomains: '["www.localhost.direct"]'
globalPolicies:
+ - name: default-global
+ allowedChecks:
+ # - vulcan-aws-alerts
+ # - vulcan-aws-trusted-advisor
+ # - vulcan-dmarc
+ # - vulcan-drupal
+ # - vulcan-exposed-bgp
+ # - vulcan-exposed-db
+ - vulcan-exposed-http
+ - vulcan-exposed-ssh
+ # - vulcan-github-alerts
+ # - vulcan-gitleaks
+ # - vulcan-heartbleed
+ # - vulcan-host-discovery
+ - vulcan-http-headers
+ # - vulcan-ipv6
+ # - vulcan-mx
+ # - vulcan-nessus
+ # - vulcan-prowler
+ - vulcan-retirejs
+ - vulcan-semgrep
+ - vulcan-smtp-open-relay
+ # - vulcan-spf
+ - vulcan-trivy
+ # - vulcan-vulners
+ # - vulcan-wpscan
+ # - vulcan-blast-radius
+ # - vulcan-nuclei
- name: web-scanning-global
- allowedAssettypes:
- blockedAssettypes:
allowedChecks:
- - vulcan-zap
- blockedChecks:
- excludingSuffixes:
- - experimental
+ # - vulcan-zap
+ # - vulcan-burp
+ proxy: *proxy
+ dogstatsd: *dogstatsd
ingress:
enabled: true
- annotations:
- nginx.ingress.kubernetes.io/enable-cors: "true"
- nginx.ingress.kubernetes.io/cors-allow-origin: "https://www.vulcan.local"
- nginx.ingress.kubernetes.io/proxy-body-size: 8m
hosts:
- - host: www.vulcan.local
- paths: [/api]
+ - host: www.localhost.direct
+ paths: [/api]
+ tls:
+ - secretName: localhost-direct-tls
+ hosts:
+ - www.localhost.direct
crontinuous:
- conf:
- teamsWhitelistScan: '["team1", "team2"]'
- teamsWhitelistReport: '["team3"]'
- ingress:
- enabled: false
+ enabled: true
+ image:
+ tag: latest
+ proxy: *proxy
scanengine:
+ enabled: true
+ image:
+ tag: latest
+ proxy: *proxy
+ dogstatsd: *dogstatsd
ingress:
- enabled: false
+ enabled: true
+ hosts:
+ - host: scanengine.localhost.direct
+ paths: [/]
+ tls:
+ - secretName: localhost-direct-tls
+ hosts:
+ - scanengine.localhost.direct
ui:
+ enabled: true
+ image:
+ tag: latest
+ proxy: *proxy
conf:
- apiUrl: https://www.vulcan.local/api/v1/
+ apiUrl: https://www.localhost.direct/api/v1/
+
ingress:
enabled: true
hosts:
- - host: www.vulcan.local
- paths: [/]
+ - host: www.localhost.direct
+ paths: [/]
+ tls:
+ - secretName: localhost-direct-tls
+ hosts:
+ - www.localhost.direct
insights:
+ enabled: true
+ image:
+ tag: latest
+ proxy:
+ enabled: true
+ conf:
+ log: true
ingress:
enabled: true
- annotations:
- nginx.ingress.kubernetes.io/configuration-snippet: |
- more_set_headers "X-Frame-Options: SAMEORIGIN";
- more_set_headers "X-Content-Type-Options: nosniff";
- more_set_headers "X-Frame-Options: DENY";
- more_set_headers "X-Xss-Protection: 1";
- more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains";
- more_set_headers "Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' https://insights.vulcan.local https://www.google-analytics.com; font-src 'self' https://insights.vulcan.local; connect-src 'self' https://insights.vulcan.local; img-src 'self' https://insights.vulcan.local https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://insights.vulcan.local; object-src 'none'";
hosts:
- - host: insights.vulcan.local
- paths: [/]
+ - host: insights.localhost.direct
+ paths: [/]
+ tls:
+ - secretName: localhost-direct-tls
+ hosts:
+ - insights.localhost.direct
+
+metrics:
+ enabled: false
reportsgenerator:
+ enabled: true
+ image:
+ tag: latest
+ proxy:
+ enabled: false
+ dogstatsd: *dogstatsd
+
conf:
generators:
scan:
- vulcanUi: http://www.vulcan.local/
- proxyEndpoint: http://insights.vulcan.local
- ses:
- cc: '["tbd@tbd.com"]'
- ingress:
- enabled: false
+ proxyEndpoint: https://insights.localhost.direct
+ vulcanUi: https://www.localhost.direct/
-vulndbapi:
ingress:
enabled: true
hosts:
- - host: vulndbapi.vulcan.local
- paths: [/]
+ - host: reportsgenerator.localhost.direct
+ paths: [/]
+ tls:
+ - secretName: localhost-direct-tls
+ hosts:
+ - reportsgenerator.localhost.direct
+
+vulndb:
+ enabled: true
+ image:
+ tag: latest
+
+vulndbapi:
+ enabled: true
+ image:
+ tag: latest
+ proxy: *proxy
+ dogstatsd: *dogstatsd
conf:
readReplicaHost:
+ ingress:
+ enabled: true
+ hosts:
+ - host: vulndbapi.localhost.direct
+ paths: [/]
+ tls:
+ - secretName: localhost-direct-tls
+ hosts:
+ - vulndbapi.localhost.direct
+
+sqsexporter:
+ enabled: false
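Review bot: `secretKey: mysecretkey` under `api.conf` is a fixed, guessable value committed to an example values file, and the README hunk only tells users to put the SAML settings in `private.yaml`, so this key will be deployed unchanged on every local cluster built from these instructions; add a comment above it such as `# Example value only: override secretKey in private.yaml before exposing the cluster` and list it next to the SAML keys in the README's `private.yaml` sample. Every component in this hunk also switches to `image: tag: latest` (results, stream, persistence, api, crontinuous, scanengine, ui, insights, reportsgenerator, vulndb, vulndbapi), which makes the local deployment non-reproducible and means a later image push silently changes what gets tested; if the intent is "track the newest build", a one-line comment saying so at the first occurrence would help, otherwise pin a tag as the previous rendered manifests did with `1.0`. The `extraManifests.tls` secret embeds a TLS private key in the repository; it appears to come from the public localhost.direct service referenced in the comment, so it provides no confidentiality, and the comment should state that this certificate is only for local testing and must not be reused elsewhere.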
diff --git a/examples/templates/local.yaml b/examples/templates/local.yaml
index 46d3d220..d6970d3c 100644
--- a/examples/templates/local.yaml
+++ b/examples/templates/local.yaml
@@ -46,7 +46,7 @@ metadata:
type: Opaque
data:
PG_PASSWORD: "c2VjcmV0"
- SECRET_KEY: "VEJEVEJE"
+ SECRET_KEY: "bXlzZWNyZXRrZXk="
AWSCATALOGUE_KEY: "a2V5"
---
# Source: vulcan/templates/crontinuous/secrets.yaml
@@ -79,21 +79,20 @@ type: Opaque
data:
DD_API_KEY: "VEJE"
---
-# Source: vulcan/templates/metrics/secrets.yaml
+# Source: vulcan/templates/extra-manifests.yaml
apiVersion: v1
kind: Secret
metadata:
- name: myrelease-vulcan-metrics
+ name: localhost-direct-tls
labels:
helm.sh/chart: vulcan-0.5.5
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: vulcan
app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: metrics
-type: Opaque
+type: kubernetes.io/tls
data:
- DEVHOSE_TOKEN: "dG9rZW4="
- VULCAN_API_TOKEN: "dG9rZW4="
+ tls.crt: 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
+ tls.key: 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
---
# Source: vulcan/templates/persistence/secrets.yaml
apiVersion: v1
@@ -372,94 +371,6 @@ data:
ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf")
exec redis-server "${ARGS[@]}"
---
-# Source: vulcan/templates/api/deployment.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: myrelease-vulcan-api-proxy
- labels:
- helm.sh/chart: vulcan-0.5.5
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: vulcan
- app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: api
-data:
- haproxy.cfg: |
- global
- daemon
- maxconn 64
- log stdout format raw daemon
-
- defaults
- mode http
- timeout connect 5s
- timeout client 25s
- timeout server 25s
- timeout tunnel 3600s
- option http-server-close
-
- frontend http
- bind *:9090
- log global
- option httplog clf
- http-request capture req.hdr(Host) len 50
- http-request capture req.hdr(User-Agent) len 100
-
- default_backend app
-
- backend app
- server app 127.0.0.1:8080
-
- frontend stats
- bind *:9101
- option http-use-htx
- http-request use-service prometheus-exporter if { path /metrics }
- monitor-uri /healthz
----
-# Source: vulcan/templates/crontinuous/deployment.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: myrelease-vulcan-crontinuous-proxy
- labels:
- helm.sh/chart: vulcan-0.5.5
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: vulcan
- app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: crontinuous
-data:
- haproxy.cfg: |
- global
- daemon
- maxconn 64
- log stdout format raw daemon
-
- defaults
- mode http
- timeout connect 5s
- timeout client 25s
- timeout server 25s
- timeout tunnel 3600s
- option http-server-close
-
- frontend http
- bind *:9090
- log global
- option httplog clf
- http-request capture req.hdr(Host) len 50
- http-request capture req.hdr(User-Agent) len 100
-
- default_backend app
-
- backend app
- server app 127.0.0.1:8080
-
- frontend stats
- bind *:9101
- option http-use-htx
- http-request use-service prometheus-exporter if { path /metrics }
- monitor-uri /healthz
----
# Source: vulcan/templates/goaws/config.yaml
apiVersion: v1
kind: ConfigMap
@@ -490,314 +401,42 @@ data:
- Name: VulcanK8SScanEngineCheckStatus
- Name: VulcanK8SV2ChecksGeneric
- Name: VulcanK8SVulnDBChecks
- Topics:
- - Name: VulcanK8SChecks
- Subscriptions:
- - QueueName: VulcanK8SMetricsChecks
- Raw: false
- - QueueName: VulcanK8SVulnDBChecks
- Raw: false
- - Name: VulcanK8SScans
- Subscriptions:
- - QueueName: VulcanK8SAPIScans
- Raw: false
- - QueueName: VulcanK8SMetricsScans
- Raw: false
- - Name: VulcanK8SReportsGen
- Subscriptions:
- - QueueName: VulcanK8SReportsGenerator
- Raw: false
- - Name: VulcanK8SVulnDBVulns
- Subscriptions:
- - QueueName: VulcanK8SMetricsFindings
- Raw: false
- RandomLatency:
- Min: 0
- Max: 0
----
-# Source: vulcan/templates/insights/config.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: myrelease-vulcan-insights-proxy
- labels:
- helm.sh/chart: vulcan-0.5.5
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: vulcan
- app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: insights
-data:
- haproxy.cfg: |
- global
- daemon
- maxconn 64
- log stdout format raw daemon
-
- defaults
- mode http
- timeout connect 5s
- timeout client 25s
- timeout server 25s
- timeout tunnel 3600s
- option http-server-close
- cache small
- total-max-size 64 # mb
- max-age 240 # seconds
-
- frontend http
- bind *:9090
- log global
- option httplog clf
- http-request cache-use small
- http-response cache-store small
- http-request capture req.hdr(Host) len 50
- http-request capture req.hdr(User-Agent) len 100
- default_backend private
- use_backend public if { path -i -m beg /public }
-
- backend private
- server app 127.0.0.1:8080
-
- backend public
- server app 127.0.0.1:8081
-
- frontend stats
- bind *:9101
- option http-use-htx
- http-request use-service prometheus-exporter if { path /metrics }
- monitor-uri /healthz
----
-# Source: vulcan/templates/persistence/deployment.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: myrelease-vulcan-persistence-proxy
- labels:
- helm.sh/chart: vulcan-0.5.5
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: vulcan
- app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: persistence
-data:
- haproxy.cfg: |
- global
- daemon
- maxconn 64
- log stdout format raw daemon
-
- defaults
- mode http
- timeout connect 5s
- timeout client 25s
- timeout server 25s
- timeout tunnel 3600s
- option http-server-close
-
- frontend http
- bind *:9090
- log global
- option httplog clf
- http-request capture req.hdr(Host) len 50
- http-request capture req.hdr(User-Agent) len 100
-
- default_backend app
-
- backend app
- server app 127.0.0.1:8080
-
- frontend stats
- bind *:9101
- option http-use-htx
- http-request use-service prometheus-exporter if { path /metrics }
- monitor-uri /healthz
----
-# Source: vulcan/templates/reportsgenerator/deployment.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: myrelease-vulcan-reportsgenerator-proxy
- labels:
- helm.sh/chart: vulcan-0.5.5
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: vulcan
- app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: reportsgenerator
-data:
- haproxy.cfg: |
- global
- daemon
- maxconn 64
- log stdout format raw daemon
-
- defaults
- mode http
- timeout connect 5s
- timeout client 25s
- timeout server 25s
- timeout tunnel 3600s
- option http-server-close
-
- frontend http
- bind *:9090
- log global
- option httplog clf
- http-request capture req.hdr(Host) len 50
- http-request capture req.hdr(User-Agent) len 100
-
- default_backend app
-
- backend app
- server app 127.0.0.1:8080
-
- frontend stats
- bind *:9101
- option http-use-htx
- http-request use-service prometheus-exporter if { path /metrics }
- monitor-uri /healthz
----
-# Source: vulcan/templates/results/deployment.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: myrelease-vulcan-results-proxy
- labels:
- helm.sh/chart: vulcan-0.5.5
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: vulcan
- app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: results
-data:
- haproxy.cfg: |
- global
- daemon
- maxconn 64
- log stdout format raw daemon
-
- defaults
- mode http
- timeout connect 5s
- timeout client 25s
- timeout server 25s
- timeout tunnel 3600s
- option http-server-close
-
- frontend http
- bind *:9090
- log global
- option httplog clf
- http-request capture req.hdr(Host) len 50
- http-request capture req.hdr(User-Agent) len 100
-
- default_backend app
-
- backend app
- server app 127.0.0.1:8080
-
- frontend stats
- bind *:9101
- option http-use-htx
- http-request use-service prometheus-exporter if { path /metrics }
- monitor-uri /healthz
----
-# Source: vulcan/templates/scanengine/deployment.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: myrelease-vulcan-scanengine-proxy
- labels:
- helm.sh/chart: vulcan-0.5.5
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: vulcan
- app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: scanengine
-data:
- haproxy.cfg: |
- global
- daemon
- maxconn 64
- log stdout format raw daemon
-
- defaults
- mode http
- timeout connect 5s
- timeout client 25s
- timeout server 25s
- timeout tunnel 3600s
- option http-server-close
-
- frontend http
- bind *:9090
- log global
- option httplog clf
- http-request capture req.hdr(Host) len 50
- http-request capture req.hdr(User-Agent) len 100
-
- default_backend app
-
- backend app
- server app 127.0.0.1:8080
-
- frontend stats
- bind *:9101
- option http-use-htx
- http-request use-service prometheus-exporter if { path /metrics }
- monitor-uri /healthz
----
-# Source: vulcan/templates/stream/deployment.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: myrelease-vulcan-stream-proxy
- labels:
- helm.sh/chart: vulcan-0.5.5
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: vulcan
- app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: stream
-data:
- haproxy.cfg: |
- global
- daemon
- maxconn 64
- log stdout format raw daemon
-
- defaults
- mode http
- timeout connect 5s
- timeout client 25s
- timeout server 25s
- timeout tunnel 3600s
- option http-server-close
-
- frontend http
- bind *:9090
- log global
- option httplog clf
- http-request capture req.hdr(Host) len 50
- http-request capture req.hdr(User-Agent) len 100
-
- default_backend app
-
- backend app
- server app 127.0.0.1:8080
-
- frontend stats
- bind *:9101
- option http-use-htx
- http-request use-service prometheus-exporter if { path /metrics }
- monitor-uri /healthz
+ Topics:
+ - Name: VulcanK8SChecks
+ Subscriptions:
+ - QueueName: VulcanK8SMetricsChecks
+ Raw: false
+ - QueueName: VulcanK8SVulnDBChecks
+ Raw: false
+ - Name: VulcanK8SScans
+ Subscriptions:
+ - QueueName: VulcanK8SAPIScans
+ Raw: false
+ - QueueName: VulcanK8SMetricsScans
+ Raw: false
+ - Name: VulcanK8SReportsGen
+ Subscriptions:
+ - QueueName: VulcanK8SReportsGenerator
+ Raw: false
+ - Name: VulcanK8SVulnDBVulns
+ Subscriptions:
+ - QueueName: VulcanK8SMetricsFindings
+ Raw: false
+ RandomLatency:
+ Min: 0
+ Max: 0
---
-# Source: vulcan/templates/ui/deployment.yaml
+# Source: vulcan/templates/insights/config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
- name: myrelease-vulcan-ui-proxy
+ name: myrelease-vulcan-insights-proxy
labels:
helm.sh/chart: vulcan-0.5.5
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: vulcan
app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: ui
+ app.kubernetes.io/name: insights
data:
haproxy.cfg: |
global
@@ -812,62 +451,26 @@ data:
timeout server 25s
timeout tunnel 3600s
option http-server-close
+ cache small
+ total-max-size 64 # mb
+ max-age 240 # seconds
frontend http
bind *:9090
log global
option httplog clf
+ http-request cache-use small
+ http-response cache-store small
http-request capture req.hdr(Host) len 50
http-request capture req.hdr(User-Agent) len 100
+ default_backend private
+ use_backend public if { path -i -m beg /public }
- default_backend app
-
- backend app
+ backend private
server app 127.0.0.1:8080
- frontend stats
- bind *:9101
- option http-use-htx
- http-request use-service prometheus-exporter if { path /metrics }
- monitor-uri /healthz
----
-# Source: vulcan/templates/vulndbapi/deployment.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: myrelease-vulcan-vulndbapi-proxy
- labels:
- helm.sh/chart: vulcan-0.5.5
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: vulcan
- app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: vulndbapi
-data:
- haproxy.cfg: |
- global
- daemon
- maxconn 64
- log stdout format raw daemon
-
- defaults
- mode http
- timeout connect 5s
- timeout client 25s
- timeout server 25s
- timeout tunnel 3600s
- option http-server-close
-
- frontend http
- bind *:9090
- log global
- option httplog clf
- http-request capture req.hdr(Host) len 50
- http-request capture req.hdr(User-Agent) len 100
-
- default_backend app
-
- backend app
- server app 127.0.0.1:8080
+ backend public
+ server app 127.0.0.1:8081
frontend stats
bind *:9101
@@ -1387,10 +990,8 @@ spec:
app.kubernetes.io/instance: vulcan
app.kubernetes.io/name: api
annotations:
- checksum/secrets: a610f1fa858d194f64e8e8fea63e882eb02c27a896372f9cd175f50deb00dc14
- checksum/config-proxy: 4ba45566a092b043208fcf6bf26a0d842fc23e0e10b03c5802c85c930bb6e1c9
- prometheus.io/scrape: 'true'
- prometheus.io/port: '9101'
+ checksum/secrets: abda7c176134f7cc20b378bba55157aab67aaf13fcc1255b3c73b7abc674b9b9
+
spec:
initContainers:
- name: waitfordb
@@ -1404,34 +1005,9 @@ spec:
value: "5432"
containers:
- - name: dogstatsd
- image: "datadog/dogstatsd:7.42.0"
- envFrom:
- - secretRef:
- name: myrelease-vulcan-dogstatsd
- ports:
- - containerPort: 8125
- name: dogstatsd
- protocol: UDP
- - name: proxy
- image: "haproxy:2.4.21-alpine"
- imagePullPolicy: Always
- ports:
- - name: http
- containerPort: 9090
- - name: metrics
- containerPort: 9101
- volumeMounts:
- - mountPath: /usr/local/etc/haproxy
- readOnly: true
- name: config-proxy
- lifecycle:
- preStop:
- exec:
- command: ["/bin/sh","-c","sleep 30;"]
- name: api
- image: "adevinta/vulcan-api:1.0"
+ image: "adevinta/vulcan-api:latest"
imagePullPolicy: Always
lifecycle:
preStop:
@@ -1473,15 +1049,15 @@ spec:
- name: LOG_LEVEL
value: "INFO"
- name: COOKIE_DOMAIN
- value: "vulcan.local"
+ value: "localhost.direct"
- name: SAML_MEATADATA
- value: "https://okta/app/TBD/sso/saml/metadata"
+ value: "https://example.okta.com/app/yourclientid/sso/saml/metadata"
- name: SAML_ISSUER
- value: "http://okta/TBD"
+ value: "http://www.okta.com/yourclientid"
- name: SAML_CALLBACK
- value: "https://www.vulcan.local/api/v1/login/callback"
+ value: "https://www.localhost.direct/api/v1/login/callback"
- name: SAML_TRUSTED_DOMAINS
- value: "[\"www.vulcan.local\"]"
+ value: "[\"www.localhost.direct\"]"
- name: DEFAULT_OWNERS
value: "[]"
- name: SCANENGINE_URL
@@ -1511,17 +1087,29 @@ spec:
- name: AWSCATALOGUE_RETRY_INTERVAL
value: "2"
- name: "GPC_1_NAME"
- value: "web-scanning-global"
+ value: "default-global"
- name: "GPC_1_ALLOWED_ASSETTYPES"
value: "[]"
- name: "GPC_1_BLOCKED_ASSETTYPES"
value: "[]"
- name: "GPC_1_ALLOWED_CHECKS"
- value: "[\"vulcan-zap\"]"
+ value: "[\"vulcan-exposed-http\",\"vulcan-exposed-ssh\",\"vulcan-http-headers\",\"vulcan-retirejs\",\"vulcan-semgrep\",\"vulcan-smtp-open-relay\",\"vulcan-trivy\"]"
- name: "GPC_1_BLOCKED_CHECKS"
value: "[]"
- name: "GPC_1_EXCLUDING_SUFFIXES"
- value: "[\"experimental\"]"
+ value: "[]"
+ - name: "GPC_2_NAME"
+ value: "web-scanning-global"
+ - name: "GPC_2_ALLOWED_ASSETTYPES"
+ value: "[]"
+ - name: "GPC_2_BLOCKED_ASSETTYPES"
+ value: "[]"
+ - name: "GPC_2_ALLOWED_CHECKS"
+ value: "[]"
+ - name: "GPC_2_BLOCKED_CHECKS"
+ value: "[]"
+ - name: "GPC_2_EXCLUDING_SUFFIXES"
+ value: "[]"
- name: KAFKA_BROKER
value:
- name: KAFKA_USER
@@ -1548,23 +1136,15 @@ spec:
secretKeyRef:
name: myrelease-vulcan-minio
key: root-password
- - name: DOGSTATSD_ENABLED
- value: "true"
- - name: DOGSTATSD_HOST
- value: "localhost"
- - name: DOGSTATSD_PORT
- value: "8125"
+
envFrom:
- secretRef:
name: myrelease-vulcan-api
ports:
- - name: app
+ - name: http
containerPort: 8080
protocol: TCP
volumes:
- - name: config-proxy
- configMap:
- name: myrelease-vulcan-api-proxy
---
# Source: vulcan/templates/crontinuous/deployment.yaml
apiVersion: apps/v1
@@ -1589,31 +1169,13 @@ spec:
app.kubernetes.io/name: crontinuous
annotations:
checksum/secrets: 4de1dea9168b8ae8633f4ef69b1960d7808615887e0b1218cdfd1b1d987c09d1
- checksum/config-proxy: 4ba45566a092b043208fcf6bf26a0d842fc23e0e10b03c5802c85c930bb6e1c9
- prometheus.io/scrape: 'true'
- prometheus.io/port: '9101'
+
spec:
containers:
- - name: proxy
- image: "haproxy:2.4.21-alpine"
- imagePullPolicy: Always
- ports:
- - name: http
- containerPort: 9090
- - name: metrics
- containerPort: 9101
- volumeMounts:
- - mountPath: /usr/local/etc/haproxy
- readOnly: true
- name: config-proxy
- lifecycle:
- preStop:
- exec:
- command: ["/bin/sh","-c","sleep 30;"]
- name: crontinuous
- image: "adevinta/vulcan-crontinuous:1.0"
+ image: "adevinta/vulcan-crontinuous:latest"
imagePullPolicy: Always
lifecycle:
preStop:
@@ -1651,11 +1213,11 @@ spec:
- name: ENABLE_TEAMS_WHITELIST_SCAN
value: "false"
- name: TEAMS_WHITELIST_SCAN
- value: "[\"team1\", \"team2\"]"
+ value: "[]"
- name: ENABLE_TEAMS_WHITELIST_REPORT
value: "false"
- name: TEAMS_WHITELIST_REPORT
- value: "[\"team3\"]"
+ value: "[]"
- name: AWS_S3_ENDPOINT
value: "http://myrelease-vulcan-minio"
@@ -1678,13 +1240,10 @@ spec:
- secretRef:
name: myrelease-vulcan-crontinuous
ports:
- - name: app
+ - name: http
containerPort: 8080
protocol: TCP
volumes:
- - name: config-proxy
- configMap:
- name: myrelease-vulcan-crontinuous-proxy
---
# Source: vulcan/templates/goaws/deployment.yaml
apiVersion: apps/v1
@@ -1773,7 +1332,7 @@ spec:
command: ["/bin/sh","-c","sleep 30;"]
- name: insights-private
- image: "pottava/s3-proxy:2.0"
+ image: "pottava/s3-proxy:latest"
imagePullPolicy: Always
lifecycle:
preStop:
@@ -1801,7 +1360,7 @@ spec:
- name: AWS_REGION
value: "local"
- name: ACCESS_LOG
- value: "false"
+ value: "true"
- name: AWS_S3_BUCKET
value: "insights"
- name: STRIP_PATH
@@ -1828,7 +1387,7 @@ spec:
protocol: TCP
- name: insights-public
- image: "pottava/s3-proxy:2.0"
+ image: "pottava/s3-proxy:latest"
imagePullPolicy: Always
lifecycle:
preStop:
@@ -1856,7 +1415,7 @@ spec:
- name: AWS_REGION
value: "local"
- name: ACCESS_LOG
- value: "false"
+ value: "true"
- name: AWS_S3_BUCKET
value: "public-insights"
- name: STRIP_PATH
@@ -1886,106 +1445,6 @@ spec:
configMap:
name: myrelease-vulcan-insights-proxy
---
-# Source: vulcan/templates/metrics/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: myrelease-vulcan-metrics
- labels:
- helm.sh/chart: vulcan-0.5.5
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: vulcan
- app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: metrics
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: metrics
- template:
- metadata:
- labels:
- app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: metrics
- annotations:
- checksum/secrets: b0d413a0b3902a84c0f51e59f152d29668f629dd011d9d8462b70fd2cbd5a1c3
-
- spec:
- containers:
-
- - name: dogstatsd
- image: "datadog/dogstatsd:7.42.0"
- envFrom:
- - secretRef:
- name: myrelease-vulcan-dogstatsd
- ports:
- - containerPort: 8125
- name: dogstatsd
- protocol: UDP
- - name: redis
- image: "bitnami/redis:6.2.10"
- env:
- - name: ALLOW_EMPTY_PASSWORD
- value: "yes"
- ports:
- - containerPort: 6379
- name: redis
- protocol: TCP
- - name: metrics
-
- image: "containers.mpi-internal.com/spt-security/vulcan-metrics:1.0"
- imagePullPolicy: Always
- lifecycle:
- preStop:
- exec:
- command: ["/bin/sh","-c","sleep 30;"]
- env:
- - name: LOG_LEVEL
- value: "warn"
- - name: SQS_POLLING_INTERVAL
- value: "10"
- - name: CHECKS_SQS_QUEUE_ARN
- value: "arn:aws:sqs:local:012345678900:VulcanK8SMetricsChecks"
- - name: SCANS_SQS_QUEUE_ARN
- value: "arn:aws:sqs:local:012345678900:VulcanK8SMetricsScans"
- - name: FINDINGS_SQS_QUEUE_ARN
- value: "arn:aws:sqs:local:012345678900:VulcanK8SMetricsFindings"
- - name: RESULTS_HOST
- value: "myrelease-vulcan-results"
- - name: RESULTS_SCHEME
- value: "http"
- - name: DEVHOSE_URL
- value: "http://devhose/devhose"
- - name: DEVHOSE_TENANT
- value: "tbd"
- - name: DEVHOSE_METRICS_SOURCE
- value: "tbd"
- - name: DEVHOSE_FINDINGS_SOURCE
- value: "tbd"
- - name: REDIS_ADDR
- value: "localhost:6379"
- - name: VULCAN_API
- value: http://myrelease-vulcan-api/api
- - name: VULCAN_API_EXTERNAL
- value:
-
- - name: AWS_SQS_ENDPOINT
- value: "http://myrelease-vulcan-goaws"
- - name: AWS_ACCESS_KEY_ID
- value: ANYVALUE
- - name: AWS_SECRET_ACCESS_KEY
- value: ANYVALUE
- - name: DOGSTATSD_ENABLED
- value: "true"
- - name: DOGSTATSD_HOST
- value: "localhost"
- - name: DOGSTATSD_PORT
- value: "8125"
- envFrom:
- - secretRef:
- name: myrelease-vulcan-metrics
- volumes:
----
# Source: vulcan/templates/persistence/deployment.yaml
apiVersion: apps/v1
kind: Deployment
@@ -2009,9 +1468,7 @@ spec:
app.kubernetes.io/name: persistence
annotations:
checksum/secrets: 64dfd3510554f471e7acf188272e139e6731696669825d65400e7e910fec49d3
- checksum/config-proxy: 4ba45566a092b043208fcf6bf26a0d842fc23e0e10b03c5802c85c930bb6e1c9
- prometheus.io/scrape: 'true'
- prometheus.io/port: '9101'
+
spec:
initContainers:
- name: waitfordb
@@ -2025,34 +1482,9 @@ spec:
value: "5432"
containers:
- - name: dogstatsd
- image: "datadog/dogstatsd:7.42.0"
- envFrom:
- - secretRef:
- name: myrelease-vulcan-dogstatsd
- ports:
- - containerPort: 8125
- name: dogstatsd
- protocol: UDP
- - name: proxy
- image: "haproxy:2.4.21-alpine"
- imagePullPolicy: Always
- ports:
- - name: http
- containerPort: 9090
- - name: metrics
- containerPort: 9101
- volumeMounts:
- - mountPath: /usr/local/etc/haproxy
- readOnly: true
- name: config-proxy
- lifecycle:
- preStop:
- exec:
- command: ["/bin/sh","-c","sleep 30;"]
- name: persistence
- image: "adevinta/vulcan-persistence:1.0"
+ image: "adevinta/vulcan-persistence:latest"
imagePullPolicy: Always
lifecycle:
preStop:
@@ -2115,23 +1547,15 @@ spec:
secretKeyRef:
name: myrelease-vulcan-minio
key: root-password
- - name: DOGSTATSD_ENABLED
- value: "true"
- - name: DOGSTATSD_HOST
- value: "localhost"
- - name: DOGSTATSD_PORT
- value: "8125"
+
envFrom:
- secretRef:
name: myrelease-vulcan-persistence
ports:
- - name: app
+ - name: http
containerPort: 8080
protocol: TCP
volumes:
- - name: config-proxy
- configMap:
- name: myrelease-vulcan-persistence-proxy
---
# Source: vulcan/templates/reportsgenerator/deployment.yaml
apiVersion: apps/v1
@@ -2154,52 +1578,25 @@ spec:
labels:
app.kubernetes.io/instance: vulcan
app.kubernetes.io/name: reportsgenerator
- annotations:
- checksum/secrets: d12b57422221bb25b6455164ae353b8e7ea795e4561384b61e4d158b67cad050
- checksum/config-proxy: 4ba45566a092b043208fcf6bf26a0d842fc23e0e10b03c5802c85c930bb6e1c9
- prometheus.io/scrape: 'true'
- prometheus.io/port: '9101'
- spec:
- initContainers:
- - name: waitfordb
- image: "busybox:1.35.0"
- imagePullPolicy: Always
- command: ['sh', '-c', 'until nc -z "$PGHOST" "$PGPORT"; do echo WaitingDB && sleep 5; done;']
- env:
- - name: PGHOST
- value: "myrelease-postgresql"
- - name: PGPORT
- value: "5432"
- containers:
-
- - name: dogstatsd
- image: "datadog/dogstatsd:7.42.0"
- envFrom:
- - secretRef:
- name: myrelease-vulcan-dogstatsd
- ports:
- - containerPort: 8125
- name: dogstatsd
- protocol: UDP
- - name: proxy
- image: "haproxy:2.4.21-alpine"
- imagePullPolicy: Always
- ports:
- - name: http
- containerPort: 9090
- - name: metrics
- containerPort: 9101
- volumeMounts:
- - mountPath: /usr/local/etc/haproxy
- readOnly: true
- name: config-proxy
- lifecycle:
- preStop:
- exec:
- command: ["/bin/sh","-c","sleep 30;"]
+ annotations:
+ checksum/secrets: d12b57422221bb25b6455164ae353b8e7ea795e4561384b61e4d158b67cad050
+
+ spec:
+ initContainers:
+ - name: waitfordb
+ image: "busybox:1.35.0"
+ imagePullPolicy: Always
+ command: ['sh', '-c', 'until nc -z "$PGHOST" "$PGPORT"; do echo WaitingDB && sleep 5; done;']
+ env:
+ - name: PGHOST
+ value: "myrelease-postgresql"
+ - name: PGPORT
+ value: "5432"
+ containers:
+
- name: reportsgenerator
- image: "adevinta/vulcan-reports-generator:1.0"
+ image: "adevinta/vulcan-reports-generator:latest"
imagePullPolicy: Always
lifecycle:
preStop:
@@ -2275,11 +1672,11 @@ spec:
- name: RESULTS_ENDPOINT
value: "http://myrelease-vulcan-results"
- name: SCAN_PROXY_ENDPOINT
- value: "http://insights.vulcan.local"
+ value: "https://insights.localhost.direct"
- name: VULCAN_UI
- value: "http://www.vulcan.local/"
+ value: "https://www.localhost.direct/"
- name: SCAN_VIEW_REPORT
- value: "http://www.vulcan.local/api/v1/report?team_id=%s&scan_id=%s"
+ value: "https://www.localhost.direct/api/v1/report?team_id=%s&scan_id=%s"
- name: LIVEREPORT_EMAIL_SUBJECT
value:
@@ -2301,23 +1698,15 @@ spec:
secretKeyRef:
name: myrelease-vulcan-minio
key: root-password
- - name: DOGSTATSD_ENABLED
- value: "true"
- - name: DOGSTATSD_HOST
- value: "localhost"
- - name: DOGSTATSD_PORT
- value: "8125"
+
envFrom:
- secretRef:
name: myrelease-vulcan-reportsgenerator
ports:
- - name: app
+ - name: http
containerPort: 8080
protocol: TCP
volumes:
- - name: config-proxy
- configMap:
- name: myrelease-vulcan-reportsgenerator-proxy
---
# Source: vulcan/templates/results/deployment.yaml
apiVersion: apps/v1
@@ -2341,40 +1730,13 @@ spec:
app.kubernetes.io/instance: vulcan
app.kubernetes.io/name: results
annotations:
- checksum/config-proxy: 4ba45566a092b043208fcf6bf26a0d842fc23e0e10b03c5802c85c930bb6e1c9
- prometheus.io/scrape: 'true'
- prometheus.io/port: '9101'
+
spec:
containers:
- - name: dogstatsd
- image: "datadog/dogstatsd:7.42.0"
- envFrom:
- - secretRef:
- name: myrelease-vulcan-dogstatsd
- ports:
- - containerPort: 8125
- name: dogstatsd
- protocol: UDP
- - name: proxy
- image: "haproxy:2.4.21-alpine"
- imagePullPolicy: Always
- ports:
- - name: http
- containerPort: 9090
- - name: metrics
- containerPort: 9101
- volumeMounts:
- - mountPath: /usr/local/etc/haproxy
- readOnly: true
- name: config-proxy
- lifecycle:
- preStop:
- exec:
- command: ["/bin/sh","-c","sleep 30;"]
- name: results
- image: "adevinta/vulcan-results:1.0"
+ image: "adevinta/vulcan-results:latest"
imagePullPolicy: Always
lifecycle:
preStop:
@@ -2410,7 +1772,7 @@ spec:
- name: BUCKET_LOGS
value: "logs"
- name: LINK_BASE
- value: "https://results.vulcan.local/v1"
+ value: "http://vulcan-results/v1"
- name: AWS_S3_ENDPOINT
value: "http://myrelease-vulcan-minio"
@@ -2428,20 +1790,12 @@ spec:
secretKeyRef:
name: myrelease-vulcan-minio
key: root-password
- - name: DOGSTATSD_ENABLED
- value: "true"
- - name: DOGSTATSD_HOST
- value: "localhost"
- - name: DOGSTATSD_PORT
- value: "8125"
+
ports:
- - name: app
+ - name: http
containerPort: 8080
protocol: TCP
volumes:
- - name: config-proxy
- configMap:
- name: myrelease-vulcan-results-proxy
---
# Source: vulcan/templates/scanengine/deployment.yaml
apiVersion: apps/v1
@@ -2466,9 +1820,7 @@ spec:
app.kubernetes.io/name: scanengine
annotations:
checksum/secrets: d12b57422221bb25b6455164ae353b8e7ea795e4561384b61e4d158b67cad050
- checksum/config-proxy: 4ba45566a092b043208fcf6bf26a0d842fc23e0e10b03c5802c85c930bb6e1c9
- prometheus.io/scrape: 'true'
- prometheus.io/port: '9101'
+
spec:
initContainers:
- name: waitfordb
@@ -2482,34 +1834,9 @@ spec:
value: "5432"
containers:
- - name: dogstatsd
- image: "datadog/dogstatsd:7.42.0"
- envFrom:
- - secretRef:
- name: myrelease-vulcan-dogstatsd
- ports:
- - containerPort: 8125
- name: dogstatsd
- protocol: UDP
- - name: proxy
- image: "haproxy:2.4.21-alpine"
- imagePullPolicy: Always
- ports:
- - name: http
- containerPort: 9090
- - name: metrics
- containerPort: 9101
- volumeMounts:
- - mountPath: /usr/local/etc/haproxy
- readOnly: true
- name: config-proxy
- lifecycle:
- preStop:
- exec:
- command: ["/bin/sh","-c","sleep 30;"]
- name: scanengine
- image: "adevinta/vulcan-scan-engine:1.0"
+ image: "adevinta/vulcan-scan-engine:latest"
imagePullPolicy: Always
lifecycle:
preStop:
@@ -2574,77 +1901,15 @@ spec:
value: ANYVALUE
- name: AWS_SECRET_ACCESS_KEY
value: ANYVALUE
- - name: DOGSTATSD_ENABLED
- value: "true"
- - name: DOGSTATSD_HOST
- value: "localhost"
- - name: DOGSTATSD_PORT
- value: "8125"
+
envFrom:
- secretRef:
name: myrelease-vulcan-scanengine
ports:
- - name: app
+ - name: http
containerPort: 8080
protocol: TCP
volumes:
- - name: config-proxy
- configMap:
- name: myrelease-vulcan-scanengine-proxy
----
-# Source: vulcan/templates/sqsexporter/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: myrelease-vulcan-sqsexporter
- labels:
- helm.sh/chart: vulcan-0.5.5
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: vulcan
- app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: sqsexporter
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: sqsexporter
- template:
- metadata:
- labels:
- app.kubernetes.io/instance: vulcan
- app.kubernetes.io/name: sqsexporter
- annotations:
- prometheus.io/scrape: 'true'
- prometheus.io/port: "8080"
- spec:
- containers:
- - name: sqsexporter
-
- image: "jesusfcr/sqs-prometheus-exporter:0.4.0"
- imagePullPolicy: Always
- lifecycle:
- preStop:
- exec:
- command: ["/bin/sh","-c","sleep 30;"]
- env:
- - name: PORT
- value: "8080"
- - name: SQS_QUEUE_NAME_PREFIX
- value: VulcanK8S
- - name: AWS_REGION
- value: "local"
-
- - name: AWS_SQS_ENDPOINT
- value: "http://myrelease-vulcan-goaws"
- - name: AWS_ACCESS_KEY_ID
- value: ANYVALUE
- - name: AWS_SECRET_ACCESS_KEY
- value: ANYVALUE
-
- ports:
- - name: metrics
- containerPort: 8080
- protocol: TCP
---
# Source: vulcan/templates/stream/deployment.yaml
apiVersion: apps/v1
@@ -2668,40 +1933,13 @@ spec:
app.kubernetes.io/instance: vulcan
app.kubernetes.io/name: stream
annotations:
- checksum/config-proxy: 4ba45566a092b043208fcf6bf26a0d842fc23e0e10b03c5802c85c930bb6e1c9
- prometheus.io/scrape: 'true'
- prometheus.io/port: '9101'
+
spec:
containers:
- - name: dogstatsd
- image: "datadog/dogstatsd:7.42.0"
- envFrom:
- - secretRef:
- name: myrelease-vulcan-dogstatsd
- ports:
- - containerPort: 8125
- name: dogstatsd
- protocol: UDP
- - name: proxy
- image: "haproxy:2.4.21-alpine"
- imagePullPolicy: Always
- ports:
- - name: http
- containerPort: 9090
- - name: metrics
- containerPort: 9101
- volumeMounts:
- - mountPath: /usr/local/etc/haproxy
- readOnly: true
- name: config-proxy
- lifecycle:
- preStop:
- exec:
- command: ["/bin/sh","-c","sleep 30;"]
- name: stream
- image: "adevinta/vulcan-stream:1.0"
+ image: "adevinta/vulcan-stream:latest"
imagePullPolicy: Always
lifecycle:
preStop:
@@ -2741,20 +1979,12 @@ spec:
- name: REDIS_TTL
value: "0"
- - name: DOGSTATSD_ENABLED
- value: "true"
- - name: DOGSTATSD_HOST
- value: "localhost"
- - name: DOGSTATSD_PORT
- value: "8125"
+
ports:
- - name: app
+ - name: http
containerPort: 8080
protocol: TCP
volumes:
- - name: config-proxy
- configMap:
- name: myrelease-vulcan-stream-proxy
---
# Source: vulcan/templates/ui/deployment.yaml
apiVersion: apps/v1
@@ -2778,31 +2008,13 @@ spec:
app.kubernetes.io/instance: vulcan
app.kubernetes.io/name: ui
annotations:
- checksum/config-proxy: 4ba45566a092b043208fcf6bf26a0d842fc23e0e10b03c5802c85c930bb6e1c9
- prometheus.io/scrape: 'true'
- prometheus.io/port: '9101'
+
spec:
containers:
- - name: proxy
- image: "haproxy:2.4.21-alpine"
- imagePullPolicy: Always
- ports:
- - name: http
- containerPort: 9090
- - name: metrics
- containerPort: 9101
- volumeMounts:
- - mountPath: /usr/local/etc/haproxy
- readOnly: true
- name: config-proxy
- lifecycle:
- preStop:
- exec:
- command: ["/bin/sh","-c","sleep 30;"]
- name: ui
- image: "adevinta/vulcan-ui:1.0"
+ image: "adevinta/vulcan-ui:latest"
imagePullPolicy: Always
lifecycle:
preStop:
@@ -2830,7 +2042,7 @@ spec:
- name: PORT
value: "8080"
- name: API_URL
- value: "https://www.vulcan.local/api/v1/"
+ value: "https://www.localhost.direct/api/v1/"
- name: UI_DOCS_API_LINK
value: "https://docs.example.com/vulcan/vulcan-api/"
- name: UI_DOCS_WHITELISTING_LINK
@@ -2848,13 +2060,10 @@ spec:
ports:
- - name: app
+ - name: http
containerPort: 8080
protocol: TCP
volumes:
- - name: config-proxy
- configMap:
- name: myrelease-vulcan-ui-proxy
---
# Source: vulcan/templates/vulndb/deployment.yaml
apiVersion: apps/v1
@@ -2895,7 +2104,7 @@ spec:
- name: vulndb
- image: "adevinta/vulnerability-db:1.0"
+ image: "adevinta/vulnerability-db:latest"
imagePullPolicy: Always
lifecycle:
preStop:
@@ -2975,9 +2184,7 @@ spec:
app.kubernetes.io/name: vulndbapi
annotations:
checksum/secrets: 9f980ebd3194bdfdb04a084378c12199e6711219ef2e2e5f5ed02571e749e01b
- checksum/config-proxy: 4ba45566a092b043208fcf6bf26a0d842fc23e0e10b03c5802c85c930bb6e1c9
- prometheus.io/scrape: 'true'
- prometheus.io/port: '9101'
+
spec:
initContainers:
- name: waitfordb
@@ -2991,25 +2198,9 @@ spec:
value: "5432"
containers:
- - name: proxy
- image: "haproxy:2.4.21-alpine"
- imagePullPolicy: Always
- ports:
- - name: http
- containerPort: 9090
- - name: metrics
- containerPort: 9101
- volumeMounts:
- - mountPath: /usr/local/etc/haproxy
- readOnly: true
- name: config-proxy
- lifecycle:
- preStop:
- exec:
- command: ["/bin/sh","-c","sleep 30;"]
- name: vulndbapi
- image: "adevinta/vulnerability-db-api:1.0"
+ image: "adevinta/vulnerability-db-api:latest"
imagePullPolicy: Always
lifecycle:
preStop:
@@ -3056,13 +2247,10 @@ spec:
- secretRef:
name: myrelease-vulcan-vulndbapi
ports:
- - name: app
+ - name: http
containerPort: 8080
protocol: TCP
volumes:
- - name: config-proxy
- configMap:
- name: myrelease-vulcan-vulndbapi-proxy
---
# Source: vulcan/charts/postgresql/templates/primary/statefulset.yaml
apiVersion: apps/v1
@@ -3355,6 +2543,33 @@ spec:
- name: redis-data
emptyDir: {}
---
+# Source: vulcan/charts/minio/templates/api-ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: myrelease-minio-api
+ namespace: "ns"
+ labels:
+ app.kubernetes.io/name: minio
+ helm.sh/chart: minio-12.6.2
+ app.kubernetes.io/instance: myrelease
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+spec:
+ rules:
+ - host: s3.localhost.direct
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: myrelease-minio
+ port:
+ name: minio-api
+ tls:
+ - secretName: localhost-direct-tls
+---
# Source: vulcan/charts/minio/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
@@ -3369,7 +2584,7 @@ metadata:
annotations:
spec:
rules:
- - host: minio.vulcan.local
+ - host: minio.localhost.direct
http:
paths:
- path: /
@@ -3379,6 +2594,8 @@ spec:
name: myrelease-minio
port:
name: minio-console
+ tls:
+ - secretName: localhost-direct-tls
---
# Source: vulcan/templates/api/ingress.yaml
apiVersion: networking.k8s.io/v1
@@ -3391,13 +2608,13 @@ metadata:
app.kubernetes.io/part-of: vulcan
app.kubernetes.io/instance: vulcan
app.kubernetes.io/name: api
- annotations:
- nginx.ingress.kubernetes.io/cors-allow-origin: https://www.vulcan.local
- nginx.ingress.kubernetes.io/enable-cors: "true"
- nginx.ingress.kubernetes.io/proxy-body-size: 8m
spec:
+ tls:
+ - hosts:
+ - "www.localhost.direct"
+ secretName: localhost-direct-tls
rules:
- - host: "www.vulcan.local"
+ - host: "www.localhost.direct"
http:
paths:
- path: /api
@@ -3420,8 +2637,12 @@ metadata:
app.kubernetes.io/instance: vulcan
app.kubernetes.io/name: goaws
spec:
+ tls:
+ - hosts:
+ - "goaws.localhost.direct"
+ secretName: localhost-direct-tls
rules:
- - host: "goaws.vulcan.local"
+ - host: "goaws.localhost.direct"
http:
paths:
- path: /
@@ -3443,17 +2664,13 @@ metadata:
app.kubernetes.io/part-of: vulcan
app.kubernetes.io/instance: vulcan
app.kubernetes.io/name: insights
- annotations:
- nginx.ingress.kubernetes.io/configuration-snippet: |
- more_set_headers "X-Frame-Options: SAMEORIGIN";
- more_set_headers "X-Content-Type-Options: nosniff";
- more_set_headers "X-Frame-Options: DENY";
- more_set_headers "X-Xss-Protection: 1";
- more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains";
- more_set_headers "Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' https://insights.vulcan.local https://www.google-analytics.com; font-src 'self' https://insights.vulcan.local; connect-src 'self' https://insights.vulcan.local; img-src 'self' https://insights.vulcan.local https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://insights.vulcan.local; object-src 'none'";
spec:
+ tls:
+ - hosts:
+ - "insights.localhost.direct"
+ secretName: localhost-direct-tls
rules:
- - host: "insights.vulcan.local"
+ - host: "insights.localhost.direct"
http:
paths:
- path: /
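Review bot: The removed `nginx.ingress.kubernetes.io/configuration-snippet` block carried the `X-Frame-Options`, `X-Content-Type-Options`, `Strict-Transport-Security` and `Content-Security-Policy` headers for the insights host, and nothing on the new side re-adds them; the CORS annotations on the api ingress and the proxy timeouts on the stream ingress are dropped in the same way in their hunks. If they go because the local cluster described in the README runs a non-nginx ingress, the headers are presumably still wanted wherever the chart targets nginx, so gating them on the ingress class in the template would be safer than removing them from the rendered default. This appears to be generated output, so the change belongs in the ingress templates or values rather than here.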
@@ -3476,8 +2693,12 @@ metadata:
app.kubernetes.io/instance: vulcan
app.kubernetes.io/name: persistence
spec:
+ tls:
+ - hosts:
+ - "persistence.localhost.direct"
+ secretName: localhost-direct-tls
rules:
- - host: "persistence.vulcan.local"
+ - host: "persistence.localhost.direct"
http:
paths:
- path: /
@@ -3488,6 +2709,34 @@ spec:
port:
number: 80
---
+# Source: vulcan/templates/reportsgenerator/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: myrelease-vulcan-reportsgenerator
+ labels:
+ helm.sh/chart: vulcan-0.5.5
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: vulcan
+ app.kubernetes.io/instance: vulcan
+ app.kubernetes.io/name: reportsgenerator
+spec:
+ tls:
+ - hosts:
+ - "reportsgenerator.localhost.direct"
+ secretName: localhost-direct-tls
+ rules:
+ - host: "reportsgenerator.localhost.direct"
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: myrelease-vulcan-reportsgenerator
+ port:
+ number: 80
+---
# Source: vulcan/templates/results/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
@@ -3500,8 +2749,12 @@ metadata:
app.kubernetes.io/instance: vulcan
app.kubernetes.io/name: results
spec:
+ tls:
+ - hosts:
+ - "results.localhost.direct"
+ secretName: localhost-direct-tls
rules:
- - host: "results.vulcan.local"
+ - host: "results.localhost.direct"
http:
paths:
- path: /
@@ -3512,6 +2765,34 @@ spec:
port:
number: 80
---
+# Source: vulcan/templates/scanengine/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: myrelease-vulcan-scanengine
+ labels:
+ helm.sh/chart: vulcan-0.5.5
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: vulcan
+ app.kubernetes.io/instance: vulcan
+ app.kubernetes.io/name: scanengine
+spec:
+ tls:
+ - hosts:
+ - "scanengine.localhost.direct"
+ secretName: localhost-direct-tls
+ rules:
+ - host: "scanengine.localhost.direct"
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: myrelease-vulcan-scanengine
+ port:
+ number: 80
+---
# Source: vulcan/templates/stream/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
@@ -3523,12 +2804,13 @@ metadata:
app.kubernetes.io/part-of: vulcan
app.kubernetes.io/instance: vulcan
app.kubernetes.io/name: stream
- annotations:
- nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
- nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
spec:
+ tls:
+ - hosts:
+ - "stream.localhost.direct"
+ secretName: localhost-direct-tls
rules:
- - host: "stream.vulcan.local"
+ - host: "stream.localhost.direct"
http:
paths:
- path: /
@@ -3551,8 +2833,12 @@ metadata:
app.kubernetes.io/instance: vulcan
app.kubernetes.io/name: ui
spec:
+ tls:
+ - hosts:
+ - "www.localhost.direct"
+ secretName: localhost-direct-tls
rules:
- - host: "www.vulcan.local"
+ - host: "www.localhost.direct"
http:
paths:
- path: /
@@ -3575,8 +2861,12 @@ metadata:
app.kubernetes.io/instance: vulcan
app.kubernetes.io/name: vulndbapi
spec:
+ tls:
+ - hosts:
+ - "vulndbapi.localhost.direct"
+ secretName: localhost-direct-tls
rules:
- - host: "vulndbapi.vulcan.local"
+ - host: "vulndbapi.localhost.direct"
http:
paths:
- path: /
diff --git a/tools/agent.sh b/tools/agent.sh
new file mode 100644
index 00000000..fbef1f95
--- /dev/null
+++ b/tools/agent.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+go install github.com/adevinta/vulcan-agent/cmd/vulcan-agent-docker@latest
+
+AWS_ACCESS_KEY_ID="$(kubectl get secrets/vulcan-minio --template='{{index .data "root-user"}}' | base64 -d)" \
+AWS_SECRET_ACCESS_KEY="$(kubectl get secrets/vulcan-minio --template='{{index .data "root-password"}}' | base64 -d)" \
+ vulcan-agent-docker agent/config.toml
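Review bot: The agent is launched with an empty credential pair when either `kubectl get` or `base64 -d` fails, because a failing command substitution in a prefix assignment does not abort the command it precedes and `set -e` has no `pipefail` here. Moving the two lookups into separate assignments under `set -euo pipefail` makes a missing or unreadable secret fail fast instead of producing a silently unauthenticated agent. The config path `agent/config.toml` also does not match the file this commit adds at `tools/agent.toml`, unless the former exists elsewhere in the repository. Pinning `go install ...@latest` to a released version would make the agent build reproducible rather than whatever is newest at run time.
```shell
set -euo pipefail

go install github.com/adevinta/vulcan-agent/cmd/vulcan-agent-docker@<PINNED_VERSION>

access_key=$(kubectl get secrets/vulcan-minio --template='{{index .data "root-user"}}' | base64 -d)
secret_key=$(kubectl get secrets/vulcan-minio --template='{{index .data "root-password"}}' | base64 -d)

AWS_ACCESS_KEY_ID="$access_key" AWS_SECRET_ACCESS_KEY="$secret_key" \
  vulcan-agent-docker tools/agent.toml
```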
diff --git a/tools/agent.toml b/tools/agent.toml
new file mode 100644
index 00000000..97e7d840
--- /dev/null
+++ b/tools/agent.toml
@@ -0,0 +1,77 @@
+[agent]
+log_level = "debug"
+log_file = ""
+concurrent_jobs = 5
+# Time in seconds the agent will remain active without received any message.
+max_no_msgs_interval = 30
+max_message_processed_times = 3
+timeout = 3600
+
+[uploader]
+endpoint = "https://results.localhost.direct/v1/"
+timeout = 10
+
+[s3_writer]
+endpoint = "https://s3.localhost.direct"
+path_style = true
+link_base = "http://vulcan-results/v1/"
+bucket_reports = "reports"
+bucket_logs = "logs"
+region = "local"
+s3_link = false
+
+[stream]
+endpoint = "wss://stream.localhost.direct/stream"
+query_endpoint = "https://stream.localhost.direct/checks"
+timeout = 60
+retries = 15
+# interval in seconds between connection retries.
+retry_interval = 5
+
+[sqs_reader]
+endpoint = "https://goaws.localhost.direct"
+arn = "arn:aws:sqs:local:012345678900:VulcanK8SV2ChecksGeneric"
+polling_interval = 5
+visibility_timeout = 120
+process_quantum = 45
+
+[sqs_writer]
+endpoint = "https://goaws.localhost.direct"
+arn = "arn:aws:sqs:local:012345678900:VulcanK8SScanEngineCheckStatus"
+
+[api]
+port = ":18080"
+iname = "en0"
+
+[check]
+abort_timeout = 60
+log_level = "info"
+
+[check.vars]
+NESSUS_ENDPOINT = "https://cloud.tenable.com"
+NESSUS_USERNAME = ""
+NESSUS_PASSWORD = ""
+NESSUS_POLICY_ID = "9"
+GITHUB_ENTERPRISE_ENDPOINT = "https://github.example.com/"
+GITHUB_ENTERPRISE_TOKEN = "a"
+VULCAN_ASSUME_ROLE_ENDPOINT = ""
+ROLE_NAME = "ExampleSecurityAuditRole"
+WPVULNDB_API_TOKEN = ""
+REGISTRY_DOMAIN = "docker.io"
+REGISTRY_USERNAME = "myuser"
+REGISTRY_PASSWORD = "mypwd"
+
+[runtime]
+[runtime.docker]
+[runtime.docker.registry]
+server = ""
+user = ""
+pass = ""
+backoff_interval = 5
+backoff_max_retries = 5
+backoff_jitter_factor = 0.5
+pull_policy = "Always"
+
+[datadog]
+metrics_enabled = false
+dogstatsd = "127.0.0.1:8125"
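Review bot: `REGISTRY_USERNAME = "myuser"`, `REGISTRY_PASSWORD = "mypwd"` and `GITHUB_ENTERPRISE_TOKEN = "a"` are credential-shaped placeholders in a tracked file, while the other secrets in `[check.vars]` are left as empty strings; anyone filling them in for a local run will commit real values, and this file is not covered by the `.gitignore` entry the commit adds for `private.yaml`. Leaving them empty and adding a header comment such as `# Secrets: leave these empty here and set them in an untracked copy of this file` would keep the sample safe to edit. `iname = "en0"` in `[api]` looks macOS-specific; a comment saying which interface name a Linux host should use would help the reader.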
diff --git a/tools/load-checks.sh b/tools/load-checks.sh
new file mode 100755
index 00000000..1fcf3c5d
--- /dev/null
+++ b/tools/load-checks.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+persistence=https://persistence.localhost.direct/
+checktypes=${1:-https://adevinta.github.io/vulcan-checks/checktypes/edge.json}
+
+if [[ "$checktypes" =~ ^https?://.+ ]]; then
+ checks=$(curl -s "$checktypes")
+elif [[ -f "$checktypes" ]]; then
+ checks=$(cat "$checktypes")
+else
+ echo "Error unknown $checktypes"
+ return
+fi
+
+echo "$checks" | jq -c '.checktypes[] | select(.options!=null).options=(.options | tostring) | { checktype: .}' \
+| while read -r check; do
+ echo "INSTALLING $(echo "$check" | jq '.checktype.name' -r)"
+ echo "$check" | \
+ curl -s -H "Content-type: application/json" -X POST "${persistence}/v1/checktypes" --data-binary @- \
+ | jq
+done
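Review bot: `return` on the line after `echo "Error unknown $checktypes"` is not valid at the top level of an executed script; bash reports an error there, and whether the script actually stops then depends on `set -e` catching that failure, so `exit 1` with the message sent to stderr is the reliable form. `curl -s` without `--fail` also treats an HTTP error page as a valid checktypes document and posts each entry silently, and `persistence` already ends in `/`, so `${persistence}/v1/checktypes` yields a `//` path. With `set -eo pipefail` plus `curl -sSf` in both calls, a failed download or a rejected POST aborts the run instead of being hidden behind `| jq`.
```shell
set -eo pipefail

persistence=https://persistence.localhost.direct
# … unchanged: checktypes default …

if [[ "$checktypes" =~ ^https?://.+ ]]; then
  checks=$(curl -sSf "$checktypes")
elif [[ -f "$checktypes" ]]; then
  checks=$(cat "$checktypes")
else
  echo "Error unknown $checktypes" >&2
  exit 1
fi

# … unchanged: jq pipeline and while loop header …
    curl -sSf -H "Content-type: application/json" -X POST "${persistence}/v1/checktypes" --data-binary @- \
# … unchanged: | jq; done …
```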