diff --git a/charts/clamav/.helmignore b/charts/clamav/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/clamav/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/clamav/Chart.yaml b/charts/clamav/Chart.yaml
new file mode 100644
index 00000000..6cea2189
--- /dev/null
+++ b/charts/clamav/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: clamav
+description: Chart for deploying a ClamavD on kubernetes as statfulSet
+type: application
+version: 0.1.0
+appVersion: 0.104.0
+home: https://kubezero.com
+icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
+keywords:
+  - kubezero
+  - clamav
+maintainers:
+  - name: Quarky9
+dependencies:
+  - name: kubezero-lib
+    version: ">= 0.1.4"
+    repository: https://zero-down-time.github.io/kubezero/
+kubeVersion: ">= 1.18.0"
diff --git a/charts/clamav/README.md b/charts/clamav/README.md
new file mode 100644
index 00000000..5eb4f030
--- /dev/null
+++ b/charts/clamav/README.md
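Review bot: The `description:` value in Chart.yaml misspells both the component and the workload kind ("ClamavD", "statfulSet"), and this string is what chart repositories and `helm search` display; suggest `description: Chart for deploying clamd on Kubernetes as a StatefulSet`. The README added in this same commit carries a different sentence ("A Helm chart for deploying a Clamav on kubernetes") under a helm-docs footer, which suggests it was generated before the description was last edited and should be regenerated together with this fix.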
@@ -0,0 +1,42 @@
+# clamav
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.104.0](https://img.shields.io/badge/AppVersion-0.104.0-informational?style=flat-square)
+
+A Helm chart for deploying a Clamav on kubernetes
+
+**Homepage:**
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Quarky9 | | |
+
+## Requirements
+
+Kubernetes: `>= 1.18.0`
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.4 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| clamav.freshclam.mirrors | string | `"database.clamav.net"` | A list of clamav mirrors to be used by the clamav service |
+| clamav.image | string | `"clamav/clamav"` | The clamav docker image |
+| clamav.limits.connectionQueueLength | int | `100` | Maximum length the queue of pending connections may grow to |
+| clamav.limits.fileSize | int | `20` | The largest file size scanable by clamav, in MB |
+| clamav.limits.maxThreads | int | `4` | Maximum number of threads running at the same time. |
+| clamav.limits.scanSize | int | `100` | The largest scan size permitted in clamav, in MB |
+| clamav.limits.sendBufTimeout | int | `500` | |
+| clamav.replicaCount | int | `1` | |
+| clamav.resources | object | `{"limits":{"cpu":"1500m","ephemeral-storage":"1000M","memory":"2000M"},"requests":{"cpu":"300m","ephemeral-storage":"500M","memory":"1300M"}}` | The resource requests and limits for the clamav service |
+| clamav.version | string | `"unstable"` | The clamav docker image version - defaults to .Chart.appVersion |
+| fullnameOverride | string | `""` | override the full name of the clamav chart |
+| nameOverride | string | `""` | override the name of the clamav chart |
+| service.port | int | `3310` | The port to be used by the clamav service |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)
diff --git a/charts/clamav/clamav.yaml b/charts/clamav/clamav.yaml
new file mode 100644
index 00000000..b573d82d
--- /dev/null
+++ b/charts/clamav/clamav.yaml
@@ -0,0 +1,167 @@
+---
+# Source: clamav/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: clamav
+  namespace: clamav
+  labels:
+    helm.sh/chart: clamav-0.1.0
+    app.kubernetes.io/name: clamav
+    app.kubernetes.io/instance: clamav
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: kubezero
+data:
+  clamd.conf: |
+    LogTime yes
+    LogClean yes
+    LogSyslog no
+    LogVerbose no
+    LogFileMaxSize 0
+    LogFile /dev/stdout
+    DatabaseDirectory /var/lib/clamav
+    TCPSocket 3310
+    LocalSocket /run/clamav/clamd.sock
+    User clamav
+    ExitOnOOM yes
+    Foreground yes
+    MaxScanSize 100M
+    MaxFileSize 20M
+
+    # Close the connection when the data size limit is exceeded.
+    # The value should match your MTA's limit for a maximum attachment size.
+    # Default: 25M
+    StreamMaxLength 100M
+
+    # Maximum length the queue of pending connections may grow to.
+    # Default: 200
+    MaxConnectionQueueLength 100
+
+    # Maximum number of threads running at the same time.
+    # Default: 10
+    MaxThreads 4
+
+    # This option specifies how long to wait (in milliseconds) if the send buffer
+    # is full.
+    # Keep this value low to prevent clamd hanging.
+  #
+  # Default: 500
+  SendBufTimeout 500
+
+  freshclam.conf: |
+    LogTime yes
+    LogVerbose yes
+    NotifyClamd /etc/clamav/clamd.conf
+    Checks 24
+    LogSyslog no
+    DatabaseOwner root
+    DatabaseMirror database.clamav.net
+---
+# Source: clamav/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: clamav
+  namespace: clamav
+  labels:
+    helm.sh/chart: clamav-0.1.0
+    app.kubernetes.io/name: clamav
+    app.kubernetes.io/instance: clamav
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: kubezero
+spec:
+  ports:
+  - port: 3310
+    targetPort: 3310
+    protocol: TCP
+    name: clamav
+  selector:
+    app.kubernetes.io/name: clamav
+    app.kubernetes.io/instance: clamav
+---
+# Source: clamav/templates/clamav.yaml
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: clamav
+  namespace: clamav
+  labels:
+    helm.sh/chart: clamav-0.1.0
+    app.kubernetes.io/name: clamav
+    app.kubernetes.io/instance: clamav
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: kubezero
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: clamav
+      app.kubernetes.io/instance: clamav
+  serviceName: clamav
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: clamav
+        app.kubernetes.io/instance: clamav
+      annotations:
+        checksum/config: 461412fe732118123a89af8c9a06380a9547b63aa117fa7b338e347aa4b3d8e9
+    spec:
+      containers:
+      - name: clamav
+        image: "clamav/clamav:unstable_base"
+        ports:
+        - containerPort: 3310
+          name: clamav
+          protocol: TCP
+        # Give clamav up to 300s to get CVDs in place etc.
+  startupProbe:
+          exec:
+            command:
+            - /usr/local/bin/clamdcheck.sh
+          failureThreshold: 30
+          periodSeconds: 10
+        livenessProbe:
+          exec:
+            command:
+            - /usr/local/bin/clamdcheck.sh
+          failureThreshold: 2
+          periodSeconds: 30
+          successThreshold: 1
+          timeoutSeconds: 3
+        readinessProbe:
+          exec:
+            command:
+            - /usr/local/bin/clamdcheck.sh
+          initialDelaySeconds: 90
+          failureThreshold: 2
+          periodSeconds: 30
+          successThreshold: 1
+          timeoutSeconds: 3
+        resources:
+          limits:
+            cpu: 1500m
+            ephemeral-storage: 1000M
+            memory: 2000M
+          requests:
+            cpu: 300m
+            ephemeral-storage: 500M
+            memory: 1300M
+        volumeMounts:
+        - mountPath: /var/lib/clamav
+          name: signatures
+        - mountPath: /etc/clamav
+          name: config-volume
+        #securityContext:
+        #  runAsNonRoot: true
+      volumes:
+      - name: config-volume
+        configMap:
+          name: clamav
+  volumeClaimTemplates:
+  - metadata:
+      name: signatures
+    spec:
+      accessModes: [ "ReadWriteOnce" ]
+      resources:
+        requests:
+          storage: 2Gi
diff --git a/charts/clamav/deploy.sh b/charts/clamav/deploy.sh
new file mode 100755
index 00000000..dc8c8a59
--- /dev/null
+++ b/charts/clamav/deploy.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+release=clamav
+namespace=clamav
+
+helm template . --namespace $namespace --name-template $release > clamav.yaml
+kubectl apply --namespace $namespace -f clamav.yaml
diff --git a/charts/clamav/templates/clamav.yaml b/charts/clamav/templates/clamav.yaml
new file mode 100644
index 00000000..c6adda21
--- /dev/null
+++ b/charts/clamav/templates/clamav.yaml
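Review bot: Nothing stops `kubectl apply --namespace $namespace -f clamav.yaml` from running after `helm template` has failed, because deploy.sh has no error handling and the `>` redirection truncates clamav.yaml before helm even starts; a failed render leaves an empty (or, if helm emitted partial output, a partial) manifest that the next line applies to the cluster as-is. Add `set -euo pipefail` directly after the shebang so a render error aborts before anything reaches the API server. Chart.yaml declares the `kubezero-lib` dependency, so `helm template .` also presumes the dependency has already been fetched into `charts/`; the script could make that explicit with `helm dependency update .` or a comment. The rendered clamav.yaml is committed alongside the templates in this change; if it is only a deploy artifact, ignoring it would keep it from drifting from the templates it was generated from.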
@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "kubezero-lib.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.clamav.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "kubezero-lib.selectorLabels" . | nindent 6 }}
+  serviceName: {{ include "kubezero-lib.fullname" . }}
+  template:
+    metadata:
+      labels:
+        {{- include "kubezero-lib.selectorLabels" . | nindent 8 }}
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+    spec:
+      containers:
+      - name: clamav
+        image: "{{ .Values.clamav.image }}:{{ default .Chart.AppVersion .Values.clamav.version }}_base"
+        ports:
+        - containerPort: 3310
+          name: clamav
+          protocol: TCP
+        # Give clamav up to 300s to get CVDs in place etc.
+        startupProbe:
+          exec:
+            command:
+            - /usr/local/bin/clamdcheck.sh
+          failureThreshold: 30
+          periodSeconds: 10
+        livenessProbe:
+          exec:
+            command:
+            - /usr/local/bin/clamdcheck.sh
+          failureThreshold: 2
+          periodSeconds: 30
+          successThreshold: 1
+          timeoutSeconds: 3
+        readinessProbe:
+          exec:
+            command:
+            - /usr/local/bin/clamdcheck.sh
+          initialDelaySeconds: 90
+          failureThreshold: 2
+          periodSeconds: 30
+          successThreshold: 1
+          timeoutSeconds: 3
+        resources:
+          {{- toYaml .Values.clamav.resources | nindent 10 }}
+        volumeMounts:
+        - mountPath: /var/lib/clamav
+          name: signatures
+        - mountPath: /etc/clamav
+          name: config-volume
+        #securityContext:
+        #  runAsNonRoot: true
+      volumes:
+      - name: config-volume
+        configMap:
+          name: {{ include "kubezero-lib.fullname" . }}
+      {{- with .Values.clamav.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.clamav.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.clamav.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+  volumeClaimTemplates:
+  - metadata:
+      name: signatures
+    spec:
+      accessModes: [ "ReadWriteOnce" ]
+      {{- with .Values.clamav.storageClassName }}
+      storageClassName: {{ . }}
+      {{- end }}
+      resources:
+        requests:
+          storage: 2Gi
diff --git a/charts/clamav/templates/configmap.yaml b/charts/clamav/templates/configmap.yaml
new file mode 100644
index 00000000..9ebdc6e7
--- /dev/null
+++ b/charts/clamav/templates/configmap.yaml
@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "kubezero-lib.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
+data:
+  clamd.conf: |
+    LogTime yes
+    LogClean yes
+    LogSyslog no
+    LogVerbose no
+    LogFileMaxSize 0
+    LogFile /dev/stdout
+    DatabaseDirectory /var/lib/clamav
+    TCPSocket 3310
+    LocalSocket /run/clamav/clamd.sock
+    User clamav
+    ExitOnOOM yes
+    Foreground yes
+    MaxScanSize {{.Values.clamav.limits.scanSize}}M
+    MaxFileSize {{.Values.clamav.limits.fileSize}}M
+
+    # Close the connection when the data size limit is exceeded.
+    # The value should match your MTA's limit for a maximum attachment size.
+    # Default: 25M
+    StreamMaxLength {{.Values.clamav.limits.scanSize}}M
+
+    # Maximum length the queue of pending connections may grow to.
+    # Default: 200
+    MaxConnectionQueueLength {{.Values.clamav.limits.connectionQueueLength}}
+
+    # Maximum number of threads running at the same time.
+    # Default: 10
+    MaxThreads {{.Values.clamav.limits.maxThreads}}
+
+    # This option specifies how long to wait (in milliseconds) if the send buffer
+    # is full.
+    # Keep this value low to prevent clamd hanging.
+    #
+    # Default: 500
+    SendBufTimeout {{.Values.clamav.limits.sendBufTimeout}}
+
+  freshclam.conf: |
+    LogTime yes
+    LogVerbose yes
+    NotifyClamd /etc/clamav/clamd.conf
+    Checks 24
+    LogSyslog no
+    DatabaseOwner root
+    DatabaseMirror {{ .Values.clamav.freshclam.mirrors }}
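Review bot: The container `securityContext` in templates/clamav.yaml is left as dead config (`#securityContext:` / `#  runAsNonRoot: true` after `volumeMounts`), so the pod runs with whatever user and capabilities the `clamav/clamav:..._base` image defaults to and nothing limits privilege escalation. clamd.conf in the configmap drops the daemon to `User clamav` while freshclam.conf uses `DatabaseOwner root`, which suggests the image entrypoint starts as root and is probably why `runAsNonRoot: true` was disabled; that reason belongs in a comment next to the block rather than being left to guess. Independently of the user question, `securityContext:` with `allowPrivilegeEscalation: false` can be set on the container now, and since none of the templates use the Kubernetes API, `automountServiceAccountToken: false` on the pod spec would remove an unneeded token mount. The same commented-out block is carried into the rendered clamav.yaml hunk earlier in this diff.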
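Review bot: `DatabaseMirror {{ .Values.clamav.freshclam.mirrors }}` in templates/configmap.yaml renders the value as one scalar, but values.yaml and the README document `clamav.freshclam.mirrors` as "A list of clamav mirrors"; a YAML list supplied there would be rendered as `[a b]` and produce an invalid freshclam.conf. Either document the value as a single mirror hostname, or iterate with `{{- range .Values.clamav.freshclam.mirrors }}` / `DatabaseMirror {{ . }}` / `{{- end }}` and change the default to a list (a breaking change for anyone who already sets a string). Separately, `StreamMaxLength {{.Values.clamav.limits.scanSize}}M` is tied to `limits.scanSize` although the comment above it says the value should match the MTA's attachment limit; if the coupling is intended, the comment should say so, otherwise it needs its own value.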
diff --git a/charts/clamav/templates/service.yaml b/charts/clamav/templates/service.yaml
new file mode 100644
index 00000000..d572fddc
--- /dev/null
+++ b/charts/clamav/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "kubezero-lib.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: {{ .Values.service.port }}
+    targetPort: 3310
+    protocol: TCP
+    name: clamav
+  selector:
+    {{- include "kubezero-lib.selectorLabels" . | nindent 4 }}
diff --git a/charts/clamav/values.yaml b/charts/clamav/values.yaml
new file mode 100644
index 00000000..4b899d65
--- /dev/null
+++ b/charts/clamav/values.yaml
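Review bot: The Service publishes the clamd TCP socket (`port: {{ .Values.service.port }}` → `targetPort: 3310`, matching `TCPSocket 3310` in clamd.conf) to every pod in the cluster, and clamd does not authenticate clients on that socket, so who may submit scans rests entirely on network policy. The chart ships no NetworkPolicy and the README does not mention the expectation; consider an optional `templates/networkpolicy.yaml` that limits ingress on that port to the namespaces or pod selectors that actually use the scanner, or at minimum a README note stating that the deployer is expected to restrict it. `targetPort: 3310` is hard-coded while `port` is configurable, which is consistent with the fixed `containerPort: 3310` in the StatefulSet, so that part needs no change.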
@@ -0,0 +1,48 @@
+# Default values for clamav.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# nameOverride -- override the name of the clamav chart
+nameOverride: ""
+
+# fullnameOverride -- override the full name of the clamav chart
+fullnameOverride: ""
+
+service:
+  # service.port -- The port to be used by the clamav service
+  port: 3310
+
+clamav:
+  # clamav.image -- The clamav docker image
+  image: clamav/clamav
+  # clamav.version -- The clamav docker image version - defaults to .Chart.appVersion
+  version: "unstable"
+
+  replicaCount: 1
+
+  freshclam:
+    # clamav.freshclam.mirrors -- A list of clamav mirrors to be used by the clamav service
+    mirrors: database.clamav.net
+  limits:
+    # clamav.limits.fileSize -- The largest file size scanable by clamav, in MB
+    fileSize: 20
+    # clamav.limits.scanSize -- The largest scan size permitted in clamav, in MB
+    scanSize: 100
+    # clamav.limits.connectionQueueLength -- Maximum length the queue of pending connections may grow to
+    connectionQueueLength: 100
+    # clamav.limits.maxThreads --Maximum number of threads running at the same time.
+    maxThreads: 4
+    # clamav.sendBufTimeout -- This option specifies how long to wait (in milliseconds) if the send buffer is full, keep low to avoid clamd hanging
+    sendBufTimeout: 500
+
+
+  resources:
+    # clamav.resources -- The resource requests and limits for the clamav service
+    requests:
+      cpu: 300m
+      memory: 1300M
+      ephemeral-storage: "500M"
+    limits:
+      cpu: 1500m
+      memory: 2000M
+      ephemeral-storage: "1000M"
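Review bot: `version: "unstable"` as the shipped default means the template's `default .Chart.AppVersion .Values.clamav.version` never falls back to `appVersion: 0.104.0`, contrary to the comment "defaults to .Chart.appVersion" and the README; set `version: ""` (or omit the key) so the fallback applies, or reword the comment. Beyond the documentation mismatch, a floating `unstable` tag means every pod restart may pull a different image, so pinning the default to the released version (or an image digest) is the safer choice for a scanner that sits on the data path. The helm-docs comment above `sendBufTimeout` uses the key `clamav.sendBufTimeout` instead of `clamav.limits.sendBufTimeout`, which is why the README row for `clamav.limits.sendBufTimeout` has an empty description, and `replicaCount` has no helm-docs comment at all and shows up undocumented as well. `# clamav.limits.maxThreads --Maximum` is also missing the space after `--`.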