Replace Helm Install Instructions to use our OCI Based Helm Charts #2541

Merged: Weltraumschaf merged 2 commits into secureCodeBox:main from J12934:feature/oci-registry-instructions on Jun 27, 2024
J12934 (Member) commented Jun 26, 2024

Description

Replaces default install instructions across the repo with OCI install instructions

Checklist

  • Test your changes as thoroughly as possible before you commit them. Preferably, automate your test by unit/integration tests.
  • Make sure that all your commits are signed-off and that you are added to the Contributors file.
  • Make sure that all CI finish successfully.
  • Optional (but appreciated): Make sure that all commits are Verified.

Signed-off-by: Jannik Hollenbach <jannik.hollenbach@iteratec.com>
J12934 added the enhancement and documentation labels Jun 26, 2024
J12934 requested a review from Ilyesbdlala June 26, 2024 18:16
J12934 self-assigned this Jun 26, 2024
netlify bot commented Jun 26, 2024

Deploy Preview for docs-securecodebox ready!

Name Link
🔨 Latest commit 16a7c88
🔍 Latest deploy log https://app.netlify.com/sites/docs-securecodebox/deploys/667c669fa46aaa0008be8c14
😎 Deploy Preview https://deploy-preview-2541--docs-securecodebox.netlify.app

J12934 (Member, Author) commented Jun 26, 2024

With this I'd like to publish this Discussion / Announcement / Pinned Issue to communicate this with our users:

Let me know if this is clear / needs tweaks :)


With the secureCodeBox 4.6.0 release, we are transitioning our installation instructions from the old https://charts.securecodebox.io Helm registry to the new Helm registry infrastructure, which uses Open Container Initiative (OCI) images to store charts.

What Will Happen?

  • All 4.x secureCodeBox Helm charts are already published to our OCI registry.
  • https://charts.securecodebox.io will be deprecated with secureCodeBox 4.6.0 and will be shut down at the end of the year.
  • Until then, all 4.x releases of secureCodeBox will be published to both registries. Version 5.0.0 will be the first release to be exclusively published to the OCI registry.

What Steps Are Required by Users:

You'll need to switch the source of your Helm charts to point to the OCI registry. This process is straightforward.

When using Helm via the CLI / CI:

```bash
# Before
helm --namespace securecodebox-system install securecodebox-operator secureCodeBox/operator

# After
helm --namespace securecodebox-system install securecodebox-operator oci://ghcr.io/securecodebox/helm/operator
```

Existing releases that have been installed using the charts.securecodebox.io registry can be switched easily:

```bash
# Prior installation:
helm upgrade --install nmap secureCodeBox/nmap --version 4.5.0

# To switch the same Helm release to OCI, simply install the release with the same name from OCI:
helm upgrade --install nmap oci://ghcr.io/securecodebox/helm/nmap --version 4.5.0
```

Both ArgoCD and Flux also support OCI Helm charts.

Why Are We Doing This:

  • 🧱 Stability: The https://charts.securecodebox.io registry is the only component we need to self-host to provide secureCodeBox to the internet. There have been issues and downtime before, which we’d like to avoid in the future by having the charts hosted for us by the GitHub container registry.
  • 💰 Cost Efficiency: Hosting the charts requires a significant amount of bandwidth (about 4TB a month for the now quite large index.yaml file and the zipped Helm charts). We have migrated to a cheaper setup, but it has cost us some money in the past.
  • 🤹 Ease of Use: OCI-based charts don't require users to add the registry to their Helm installation beforehand. This will hopefully ease some friction for users who are not familiar with Helm.

Signed-off-by: Jannik Hollenbach <jannik.hollenbach@iteratec.com>
@Weltraumschaf Weltraumschaf merged commit b65dce5 into secureCodeBox:main Jun 27, 2024
Weltraumschaf (Member) commented Jun 27, 2024

@J12934 seems there are still some references to the old registry:

git g 'helm .* secureCodeBox/'

auto-discovery/cloud-aws/.helm-docs.gotmpl
132:helm upgrade --install {{ template "chart.name" . }} secureCodeBox/{{ template "chart.name" . }} --set="config.aws.queueUrl=${SQS_QUEUE_URL}" --set="config.aws.region=${AWS_REGION}"

auto-discovery/cloud-aws/README.md
152:helm upgrade --install auto-discovery-cloud-aws secureCodeBox/auto-discovery-cloud-aws --set="config.aws.queueUrl=${SQS_QUEUE_URL}" --set="config.aws.region=${AWS_REGION}"

auto-discovery/cloud-aws/docs/README.ArtifactHub.md
144:helm upgrade --install auto-discovery-cloud-aws secureCodeBox/auto-discovery-cloud-aws --set="config.aws.queueUrl=${SQS_QUEUE_URL}" --set="config.aws.region=${AWS_REGION}"

bin/install.sh
121:  if [[ $(helm -n "$SCB_SYSTEM_NAMESPACE" upgrade --install securecodebox-operator secureCodeBox/operator) ]]; then

documentation/blog/2022-01-18-log4shell.md
260:Most scanner helm charts in the secureCodeBox come with cascading rules by default. E.g. the [rule used to trigger the nmap port scans on amass findings](https://github.com/secureCodeBox/secureCodeBox/blob/main/scanners/nmap/cascading-rules/hostscan.yaml) is included by default in the nmap helm chart GitHub. With the nuclei cascading rule we wanted to have more control over the configuration of the automatically created cascaded scans so we disabled the cascading rules included by default in the helm chart (`helm install nuclei secureCodeBox/nuclei --set="cascadingRules.enabled=false"`) and created our own, incorporating our custom nuclei configuration described above. The rule then looked like the following (reusing the ConfigMap created in the example above):

documentation/docs/11-telemetry.md
28:helm install securecodebox-operator secureCodeBox/operator --set="telemetryEnabled=false"

documentation/docs/architecture/09_architecture_decisions/adr_0012.md
20:Currently all custom resources for the secureCodeBox are isolated into the namespace they are installed from. If you start a scan of type nmap in namespace `demo-one` you'll have to have the `ScanType` (and the corresponding `ParseDefinition`) nmap installed in `demo-one`. This is usually not a big issue as installing a `ScanType` is pretty easy (`helm install nmap secureCodeBox/nmap --namespace demo-one`).

documentation/docs/auto-discovery/installation.md
17:helm install --namespace securecodebox-system auto-discovery-kubernetes secureCodeBox/auto-discovery-kubernetes

documentation/docs/contributing/local-deployment.md
67:securecodebox$ helm --namespace securecodebox-system upgrade --install securecodebox-operator secureCodeBox/operator

documentation/docs/getting-started/first-scans.md
20:helm install nmap secureCodeBox/nmap

documentation/docs/getting-started/troubleshooting.md
27:helm upgrade --install nmap securecodebox/nmap
29:helm upgrade --install nmap secureCodeBox/nmap/
31:helm upgrade --install nmap secureCodeBox/nmap
48:helm upgrade --install nmap secureCodeBox/nmap

documentation/docs/getting-started/uninstallation.md
15:If you want to uninstall specific scanners or hooks you can delete them via `helm`. For example if you installed nmap using `helm install nmap secureCodeBox/nmap` you can delete nmap like this:

documentation/docs/how-tos/hooks.md
116:helm upgrade --install ufh2 secureCodeBox/update-field-hook --set hook.priority="1" --set attribute.name="category" --set attribute.value="second-hook"
213:helm upgrade --install ufh2 secureCodeBox/update-field-hook --set hook.labels.securecodebox="rocks" --set attribute.name="category" --set attribute.value="second-hook"

documentation/docs/how-tos/persistence-storage.md
281:helm --namespace securecodebox-system upgrade --install securecodebox-operator secureCodeBox/operator
288:helm --namespace elastic upgrade --install nmap secureCodeBox/nmap
289:helm --namespace elastic upgrade --install persistence-elastic secureCodeBox/persistence-elastic
364:  helm upgrade --install persistence-defectdojo secureCodeBox/persistence-defectdojo \

operator/.helm-docs.gotmpl
48:helm install securecodebox-operator secureCodeBox/operator

operator/README.md
69:helm install securecodebox-operator secureCodeBox/operator

operator/docs/README.ArtifactHub.md
74:helm install securecodebox-operator secureCodeBox/operator

resources/ascii/scb-first-start.cast
391:[30.15912299999992,"o","\u001b]2;helm install nmap secureCodeBox/nmap\u0007"]

resources/ascii/scb-first-start.svg
...

scanners/nikto/examples/demo-juice-shop/README.md
12:helm upgrade --install juice-shop secureCodeBox/juice-shop --wait

git g 'https://charts.securecodebox.io'

github/workflows/helm-charts-release.yaml
23:          HELM_REGISTRY: https://charts.securecodebox.io

auto-discovery/kubernetes/demo/juice-shop.yaml
68:    repository: https://charts.securecodebox.io

bin/install.sh
314:helm repo add secureCodeBox https://charts.securecodebox.io

documentation/docs/contributing/local-deployment.md
63:securecodebox$ helm repo add secureCodeBox https://charts.securecodebox.io

documentation/docs/getting-started/troubleshooting.md
22:helm repo add secureCodeBox https://charts.securecodebox.io

documentation/docs/how-tos/persistence-storage.md
153:helm repo add secureCodeBox https://charts.securecodebox.io

operator/.helm-docs.gotmpl
44:helm repo add secureCodeBox https://charts.securecodebox.io

operator/README.md
65:helm repo add secureCodeBox https://charts.securecodebox.io

operator/docs/README.ArtifactHub.md
70:helm repo add secureCodeBox https://charts.securecodebox.io

resources/ascii/scb-first-start.cast
105:[9.283162,"o","\u001b]2;helm repo add secureCodeBox https://charts.securecodebox.io\u0007"]

resources/ascii/scb-first-start.svg
...

J12934 (Member, Author) commented Jun 27, 2024

@Weltraumschaf good find. Used a simpler search which missed a bunch. Should be fixed with: #2543
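
The repository-wide search from this thread, written as a re-runnable check. This is an added example, not part of the PR or the secureCodeBox code base. It uses the two search patterns from the comment above, made case-insensitive (an assumption added here) so the lowercase `securecodebox/nmap` spelling is reported too; the function names and the sample tree are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not secureCodeBox project code: flag leftover references to
# the deprecated chart repository and show their OCI replacement.
OCI_PREFIX='oci://ghcr.io/securecodebox/helm'

# Print file:line:text for each line that still uses the old chart source.
# -i also catches the lowercase "securecodebox/<chart>" spelling; -I skips
# binary files. The leading [[:space:]] keeps oci://ghcr.io/securecodebox/...
# from matching, because there the name follows a slash.
find_old_refs() {
  grep -rnIiE --exclude-dir=.git \
    -e 'helm.*[[:space:]]securecodebox/[a-z0-9]' \
    -e 'https://charts\.securecodebox\.io' "$1" || true
}

count_old_refs() {
  find_old_refs "$1" | wc -l | tr -d ' '
}

# stdin filter: rewrite "<space>secureCodeBox/<chart>" to the OCI reference.
# Lines that already use oci:// pass through unchanged; "helm repo add" lines
# are not rewritten, they have to be deleted by hand.
to_oci() {
  sed -E "s#([[:space:]])[sS]ecure[cC]ode[bB]ox/([a-z0-9-]+)#\1${OCI_PREFIX}/\2#g"
}

# CI gate: return 0 when the tree is clean, 1 (listing the hits) otherwise.
check_repo() {
  scb_hits=$(count_old_refs "$1")
  [ "$scb_hits" -eq 0 ] && return 0
  find_old_refs "$1" >&2
  echo "$scb_hits reference(s) to the old chart source remain" >&2
  return 1
}

# Constructed sample tree (file names and contents made up for the demo).
make_sample() {
  scb_dir=$(mktemp -d)
  mkdir -p "$scb_dir/docs" "$scb_dir/bin"
  printf '%s\n' 'helm upgrade --install nmap securecodebox/nmap' \
    'helm install nmap oci://ghcr.io/securecodebox/helm/nmap' \
    > "$scb_dir/docs/troubleshooting.md"
  printf '%s\n' 'helm repo add secureCodeBox https://charts.securecodebox.io' \
    'helm upgrade --install securecodebox-operator secureCodeBox/operator' \
    > "$scb_dir/bin/install.sh"
  echo "$scb_dir"
}
# Usage in CI: source this file, then run: check_repo "$PWD"
```
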

Weltraumschaf (Member) commented
> With this I'd like to publish this Discussion / Announcement / Pinned Issue to communicate this with our users:
>
> Let me know if this is clear / needs tweaks :)
>
> With the secureCodeBox 4.6.0 release, we are transitioning our installation instructions from the old https://charts.securecodebox.io Helm registry to the new Helm registry infrastructure, which uses Open Container Initiative (OCI) images to store charts.
>
> What Will Happen?
>
> * All 4.x secureCodeBox Helm charts are already published to our [OCI registry](https://github.com/orgs/secureCodeBox/packages?tab=packages&q=helm).
> * `https://charts.securecodebox.io` will be deprecated with secureCodeBox 4.6.0 and will be shut down at the end of the year.
> * Until then, all 4.x releases of secureCodeBox will be published to both registries. Version 5.0.0 will be the first release to be exclusively published to the OCI registry.
>
> What Steps Are Required by Users:
>
> You'll need to switch the source of your Helm charts to point to the OCI registry. This process is straightforward.
>
> When using Helm via the CLI / CI:
>
> ```bash
> # Before
> helm --namespace securecodebox-system install securecodebox-operator secureCodeBox/operator
>
> # After
> helm --namespace securecodebox-system install securecodebox-operator oci://ghcr.io/securecodebox/helm/operator
> ```
>
> Existing releases that have been installed using the charts.securecodebox.io registry can be switched easily:
>
> ```bash
> # Prior installation:
> helm upgrade --install nmap secureCodeBox/nmap --version 4.5.0
>
> # To switch the same Helm release to OCI, simply install the release with the same name from OCI:
> helm upgrade --install nmap oci://ghcr.io/securecodebox/helm/nmap --version 4.5.0
> ```
>
> Both ArgoCD and Flux also support OCI Helm charts.
>
> Why Are We Doing This:
>
> * **🧱 Stability**: The `https://charts.securecodebox.io` registry is the only component we need to self-host to provide secureCodeBox to the internet. There have been issues and downtime before, which we’d like to avoid in the future by having the charts hosted for us by the GitHub container registry.
> * **💰 Cost Efficiency**: Hosting the charts requires a significant amount of bandwidth (about 4TB a month for the now quite large `index.yaml` file and the zipped Helm charts). We have migrated to a cheaper setup, but it has cost us some money in the past.
> * **🤹 Ease of Use**: OCI-based charts don't require users to add the registry to their Helm installation beforehand. This will hopefully ease some friction for users who are not familiar with Helm.

@J12934 Please make a new PR with a draft post.
