add kubeclarity

argocd/templates/kubeclarity.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kubeclarity
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: kubeclarity
+  destination:
+    namespace: kubeclarity
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 

kubeclarity/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: kubeclarity
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: kubeclarity
+  repository: https://openclarity.github.io/kubeclarity
+  version: 2.22.0

kubeclarity/values.yaml

@@ -0,0 +1,235 @@
+kubeclarity:
+  global:
+    databasePassword: kubeclarity
+    docker:
+      registry: "registry.durp.info/openclarity"
+      tag: "latest"
+      imagePullPolicy: Always
+
+  curl:
+    image:
+      registry: "registry.durp.info"
+      repository: curlimages/curl
+      tag: 7.87.0
+
+  kubeclarity:
+    docker:
+      imageName: ""
+
+    logLevel: warning
+
+    enableDBInfoLog: false
+
+    prometheus:
+      enabled: false
+
+    podAnnotations: {}
+
+    service:
+      type: ClusterIP
+      port: 8080
+      annotations: {}
+
+    ingress:
+      enabled: false
+
+    resources:
+      requests:
+        memory: "200Mi"
+        cpu: "100m"
+      limits:
+        memory: "1000Mi"
+        cpu: "1000m"
+
+    initContainers:
+      resources:
+        requests:
+          memory: "100Mi"
+          cpu: "100m"
+        limits:
+          memory: "200Mi"
+          cpu: "200m"
+
+  kubeclarity-runtime-scan:
+    httpsProxy: ""
+    httpProxy: ""
+    resultServicePort: 8888
+
+    labels:
+      app: kubeclarity-scanner
+      sidecar.istio.io/inject: "false"
+
+    namespace: ""
+
+    registry:
+      skipVerifyTlS: "false"
+      useHTTP: "false"
+
+    cis-docker-benchmark-scanner:
+      resources:
+        requests:
+          memory: "50Mi"
+          cpu: "50m"
+        limits:
+          memory: "1000Mi"
+          cpu: "1000m"
+
+    vulnerability-scanner:
+      resources:
+        requests:
+          memory: "50Mi"
+          cpu: "50m"
+        limits:
+          memory: "1000Mi"
+          cpu: "1000m"
+
+      analyzer:
+        analyzerList: "syft gomod trivy"
+        analyzerScope: "squashed"
+
+        trivy:
+          enabled: true
+          timeout: "300"
+
+      scanner:
+        scannerList: "grype trivy"
+
+        grype:
+          enabled: true
+          mode: "REMOTE"
+
+          remote-grype:
+            timeout: "2m"
+
+        dependency-track:
+          enabled: false
+          insecureSkipVerify: "true"
+          disableTls: "true"
+          apiserverAddress: "dependency-track-apiserver.dependency-track"
+          apiKey: ""
+
+        trivy:
+          enabled: true
+          timeout: "300"
+
+  kubeclarity-grype-server:
+    enabled: true
+
+    docker:
+      imageRepo: "registry.durp.info/openclarity"
+      imageTag: "v0.6.0"
+      imagePullPolicy: Always
+
+    logLevel: warning
+
+    servicePort: 9991
+
+    resources:
+      requests:
+        cpu: "200m"
+        memory: "200Mi"
+      limits:
+        cpu: "1000m"
+        memory: "1G"
+
+  kubeclarity-trivy-server:
+    enabled: true
+
+    ## Docker Image values.
+    image:
+      registry: registry.durp.info
+      repository: aquasec/trivy
+      tag: 0.44.1
+      pullPolicy: Always
+
+    persistence:
+      enabled: false
+
+    podSecurityContext:
+      runAsUser: 1001
+      runAsNonRoot: true
+      fsGroup: 1001
+
+    securityContext:
+      privileged: false
+      readOnlyRootFilesystem: true
+
+    trivy:
+      debugMode: false
+
+    service:
+      port: 9992
+
+    resources:
+      requests:
+        cpu: "200m"
+        memory: "200Mi"
+      limits:
+        cpu: "1000m"
+        memory: "1G"
+
+
+  kubeclarity-sbom-db:
+    docker:
+      imageName: ""
+    logLevel: warning
+
+    servicePort: 8080
+
+    resources:
+      requests:
+        memory: "20Mi"
+        cpu: "10m"
+      limits:
+        memory: "1Gi"
+        cpu: "200m"
+
+  kubeclarity-postgresql:
+    enabled: true
+
+    image:
+      registry: registry.durp.info
+      repository: bitnami/postgresql
+      tag: 14.6.0-debian-11-r31
+
+    auth:
+      existingSecret: kubeclarity-postgresql-secret
+      username: postgres
+      database: kubeclarity
+      sslMode: disable
+
+    service:
+      ports:
+        postgresql: 5432
+
+    serviceAccount:
+      enabled: true
+    securityContext:
+      enabled: true
+      fsGroup: 1001
+    containerSecurityContext:
+      enabled: true
+      runAsUser: 1001
+      runAsNonRoot: true
+    volumePermissions:
+      enabled: false
+      securityContext:
+        runAsUser: 1001
+    shmVolume:
+      chmod:
+        enabled: true
+
+    resources:
+      requests:
+        memory: "256Mi"
+        cpu: "250m"
+      limits:
+        memory: "1000Mi"
+        cpu: "1000m"
+
+  kubeclarity-postgresql-external:
+    enabled: false
+
+  kubeclarity-postgresql-secret:
+    create: true
+    secretKey: "postgres-password"