diff --git a/library/ix-dev/community/clamav/Chart.lock b/library/ix-dev/community/clamav/Chart.lock new file mode 100644 index 00000000000..38f0629cf7b --- /dev/null +++ b/library/ix-dev/community/clamav/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: file://../../../common + version: 1.0.6 +digest: sha256:2f1f31c15fb7f92db141a66adbb8d23a8598727730050a3883a211763a4e5472 +generated: "2023-04-28T16:05:12.034666174+03:00" diff --git a/library/ix-dev/community/clamav/Chart.yaml b/library/ix-dev/community/clamav/Chart.yaml new file mode 100644 index 00000000000..55761cbc538 --- /dev/null +++ b/library/ix-dev/community/clamav/Chart.yaml @@ -0,0 +1,26 @@ +name: clamav +description: ClamAV is an open source (GPLv2) anti-virus toolkit. +annotations: + title: Clam AV +type: application +version: 1.0.0 +apiVersion: v2 +appVersion: '1.0.1' +kubeVersion: '>=1.16.0-0' +maintainers: + - name: truenas + url: https://www.truenas.com/ + email: dev@ixsystems.com +dependencies: + - name: common + repository: file://../../../common + version: 1.0.6 +home: https://www.clamav.net/ +icon: https://raw.githubusercontent.com/micahsnyder/clamav-documentation/main/src/images/logo.png +sources: + - https://docs.clamav.net/ + - https://github.com/truenas/charts/tree/master/community/clamav + - https://www.clamav.net/ +keywords: + - anti-virus + - clamav diff --git a/library/ix-dev/community/clamav/README.md b/library/ix-dev/community/clamav/README.md new file mode 100644 index 00000000000..3c4d7460a45 --- /dev/null +++ b/library/ix-dev/community/clamav/README.md @@ -0,0 +1,5 @@ +# ClamAV + +[ClamAV](https://www.clamav.net/) - ClamAV® is an open-source antivirus engine for detecting trojans, viruses, malware & other malicious threats. + +- App runs as `root` user diff --git a/library/ix-dev/community/clamav/app-readme.md b/library/ix-dev/community/clamav/app-readme.md new file mode 100644 index 00000000000..3c4d7460a45 --- /dev/null +++ b/library/ix-dev/community/clamav/app-readme.md @@ -0,0 +1,5 @@ +# ClamAV + +[ClamAV](https://www.clamav.net/) - ClamAV® is an open-source antivirus engine for detecting trojans, viruses, malware & other malicious threats. + +- App runs as `root` user diff --git a/library/ix-dev/community/clamav/charts/common-1.0.6.tgz b/library/ix-dev/community/clamav/charts/common-1.0.6.tgz new file mode 100644 index 00000000000..3f42ea345d3 Binary files /dev/null and b/library/ix-dev/community/clamav/charts/common-1.0.6.tgz differ diff --git a/library/ix-dev/community/clamav/ci/basic-values.yaml b/library/ix-dev/community/clamav/ci/basic-values.yaml new file mode 100644 index 00000000000..d43e4076036 --- /dev/null +++ b/library/ix-dev/community/clamav/ci/basic-values.yaml @@ -0,0 +1,7 @@ +clamavStorage: + sigdb: + type: hostPath + hostPath: /mnt/{{ .Release.Name }}/sig-db + scandir: + type: hostPath + hostPath: /mnt/{{ .Release.Name }}/scan-dir diff --git a/library/ix-dev/community/clamav/ci/milterd-values.yaml b/library/ix-dev/community/clamav/ci/milterd-values.yaml new file mode 100644 index 00000000000..82e77114cb2 --- /dev/null +++ b/library/ix-dev/community/clamav/ci/milterd-values.yaml @@ -0,0 +1,10 @@ +clamavStorage: + sigdb: + type: hostPath + hostPath: /mnt/{{ .Release.Name }}/sig-db + scandir: + type: hostPath + hostPath: /mnt/{{ .Release.Name }}/scan-dir + +clamavConfig: + disableMilterd: false diff --git a/library/ix-dev/community/clamav/ci/no-clamd-values.yaml b/library/ix-dev/community/clamav/ci/no-clamd-values.yaml new file mode 100644 index 00000000000..948c16d1f95 --- /dev/null +++ b/library/ix-dev/community/clamav/ci/no-clamd-values.yaml @@ -0,0 +1,10 @@ +clamavStorage: + sigdb: + type: hostPath + hostPath: /mnt/{{ .Release.Name }}/sig-db + scandir: + type: hostPath + hostPath: /mnt/{{ .Release.Name }}/scan-dir + +clamavConfig: + disableClamd: true diff --git a/library/ix-dev/community/clamav/ci/no-freshclamd-values.yaml b/library/ix-dev/community/clamav/ci/no-freshclamd-values.yaml new file mode 100644 index 00000000000..bf7a2dbb4b8 --- /dev/null +++ b/library/ix-dev/community/clamav/ci/no-freshclamd-values.yaml @@ -0,0 +1,10 @@ +clamavStorage: + sigdb: + type: hostPath + hostPath: /mnt/{{ .Release.Name }}/sig-db + scandir: + type: hostPath + hostPath: /mnt/{{ .Release.Name }}/scan-dir + +clamavConfig: + disableFreshClamd: true diff --git a/library/ix-dev/community/clamav/item.yaml b/library/ix-dev/community/clamav/item.yaml new file mode 100644 index 00000000000..07ba36c343d --- /dev/null +++ b/library/ix-dev/community/clamav/item.yaml @@ -0,0 +1,4 @@ +icon_url: https://raw.githubusercontent.com/micahsnyder/clamav-documentation/main/src/images/logo.png +categories: + - anti-virus + - clamav diff --git a/library/ix-dev/community/clamav/metadata.yaml b/library/ix-dev/community/clamav/metadata.yaml new file mode 100644 index 00000000000..27f2cf9ca2e --- /dev/null +++ b/library/ix-dev/community/clamav/metadata.yaml @@ -0,0 +1,18 @@ +runAsContext: + - userName: root + groupName: root + gid: 0 + uid: 0 + description: ClamAV runs as root user. +capabilities: + - name: CHOWN + description: ClamAV is able to chown files. + - name: FOWNER + description: ClamAV is able bypass permission checks for it's sub-processes. + - name: DAC_OVERRIDE + description: ClamAV is able to bypass permission checks. + - name: SETGID + description: ClamAV is able to set group ID for it's sub-processes. + - name: SETUID + description: ClamAV is able to set user ID for it's sub-processes. +hostMounts: [] diff --git a/library/ix-dev/community/clamav/questions.yaml b/library/ix-dev/community/clamav/questions.yaml new file mode 100644 index 00000000000..f5a1a952cb7 --- /dev/null +++ b/library/ix-dev/community/clamav/questions.yaml @@ -0,0 +1,208 @@ +groups: + - name: ClamAV Configuration + description: Configure ClamAV + - name: Network Configuration + description: Configure Network for ClamAV + - name: Storage Configuration + description: Configure Storage for ClamAV + - name: Resources Configuration + description: Configure Resources for ClamAV + +questions: + + - variable: clamavConfig + label: "" + group: ClamAV Configuration + schema: + type: dict + attrs: + - variable: disableClamd + label: Disable ClamD + description: Do not start Clam daemon + schema: + type: boolean + default: false + - variable: disableFreshClamd + label: Disable FreshClamD + description: Do not start the FreshClam daemon + schema: + type: boolean + default: false + - variable: disableMilterd + label: Disable MilterD + description: Do not start the ClamAV-Milter daemon + schema: + type: boolean + default: true + - variable: clamdStartupTimeout + label: ClamD Startup Timeout + description: Seconds to wait for ClamD to start + schema: + type: int + default: 1800 + required: true + - variable: freshclamChecks + label: Fresh Clam Checks + description: Times to check per day for a new database. + schema: + type: int + default: 1 + min: 1 + max: 50 + required: true + - variable: additionalEnvs + label: Additional Environment Variables + description: Configure additional environment variables for ClamAV. + schema: + type: list + default: [] + items: + - variable: env + label: Environment Variable + schema: + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: value + label: Value + schema: + type: string + required: true + + - variable: clamavNetwork + label: "" + group: Network Configuration + schema: + type: dict + attrs: + - variable: clamdPort + label: ClamD Port + description: The port for the ClamAV ClamD + schema: + type: int + default: 30000 + min: 9000 + max: 65535 + required: true + - variable: milterdPort + label: MilterD Port + description: The port for the ClamAV MilterD + schema: + type: int + default: 30001 + min: 9000 + max: 65535 + required: true + + - variable: clamavStorage + label: "" + group: Storage Configuration + schema: + type: dict + attrs: + - variable: sigdb + label: ClamAV Signature Database Storage + description: The path to store ClamAV Signature Database. + schema: + type: dict + attrs: + - variable: type + label: Type + description: | + ixVolume: Is dataset created automatically by the system.
+ Host Path: Is a path that already exists on the system. + schema: + type: string + required: true + default: ixVolume + enum: + - value: hostPath + description: Host Path (Path that already exists on the system) + - value: ixVolume + description: ixVolume (Dataset created automatically by the system) + - variable: datasetName + label: Dataset Name + schema: + type: string + show_if: [["type", "=", "ixVolume"]] + required: true + hidden: true + immutable: true + default: sig-db + $ref: + - "normalize/ixVolume" + - variable: hostPath + label: Host Path + schema: + type: hostpath + show_if: [["type", "=", "hostPath"]] + immutable: true + required: true + - variable: scandir + label: ClamAV Scan Storage + description: The path to store ClamAV Scan storage. + schema: + type: dict + attrs: + - variable: type + label: Type + description: | + ixVolume: Is dataset created automatically by the system.
+ Host Path: Is a path that already exists on the system. + schema: + type: string + required: true + default: ixVolume + enum: + - value: hostPath + description: Host Path (Path that already exists on the system) + - value: ixVolume + description: ixVolume (Dataset created automatically by the system) + - variable: datasetName + label: Dataset Name + schema: + type: string + show_if: [["type", "=", "ixVolume"]] + required: true + hidden: true + immutable: true + default: scan-dir + $ref: + - "normalize/ixVolume" + - variable: hostPath + label: Host Path + schema: + type: hostpath + show_if: [["type", "=", "hostPath"]] + immutable: true + required: true + + - variable: resources + label: "" + group: Resources Configuration + schema: + type: dict + attrs: + - variable: limits + label: Limits + schema: + type: dict + attrs: + - variable: cpu + label: CPU + description: CPU limit for ClamAV. + schema: + type: string + default: 4000m + required: true + - variable: memory + label: Memory + description: Memory limit for ClamAV. + schema: + type: string + default: 8Gi + required: true diff --git a/library/ix-dev/community/clamav/templates/NOTES.txt b/library/ix-dev/community/clamav/templates/NOTES.txt new file mode 100644 index 00000000000..ba4e01146c0 --- /dev/null +++ b/library/ix-dev/community/clamav/templates/NOTES.txt @@ -0,0 +1 @@ +{{ include "ix.v1.common.lib.chart.notes" $ }} diff --git a/library/ix-dev/community/clamav/templates/_clamav.tpl b/library/ix-dev/community/clamav/templates/_clamav.tpl new file mode 100644 index 00000000000..3224c567ec1 --- /dev/null +++ b/library/ix-dev/community/clamav/templates/_clamav.tpl @@ -0,0 +1,99 @@ +{{- define "clamav.workload" -}} +workload: + clamav: + enabled: true + primary: true + type: Deployment + podSpec: + hostNetwork: false + containers: + clamav: + enabled: true + primary: true + tty: true + stdin: true + imageSelector: image + securityContext: + # FIXME: https://github.com/Cisco-Talos/clamav/issues/478 + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + capabilities: + add: + - CHOWN + - DAC_OVERRIDE + - FOWNER + - SETUID + - SETGID + env: + CLAMAV_NO_CLAMD: {{ .Values.clamavConfig.disableClamd | quote }} + CLAMAV_NO_FRESHCLAMD: {{ .Values.clamavConfig.disableFreshClamd | quote }} + CLAMAV_NO_MILTERD: {{ .Values.clamavConfig.disableMilterd | quote }} + CLAMD_STARTUP_TIMEOUT: {{ .Values.clamavConfig.clamdStartupTimeout | quote }} + FRESHCLAM_CHECKS: {{ .Values.clamavConfig.freshclamChecks | quote }} + {{ with .Values.clamavConfig.additionalEnvs }} + envList: + {{ range $env := . }} + - name: {{ $env.name }} + value: {{ $env.value }} + {{ end }} + {{ end }} + probes: + liveness: + enabled: {{ not .Values.clamavConfig.disableClamd }} + type: exec + command: clamdcheck.sh + readiness: + enabled: {{ not .Values.clamavConfig.disableClamd }} + type: exec + command: clamdcheck.sh + startup: + enabled: {{ not .Values.clamavConfig.disableClamd }} + type: exec + command: clamdcheck.sh + +{{/* Service */}} +service: + clamav: + enabled: {{ or (not .Values.clamavConfig.disableClamd) (not .Values.clamavConfig.disableMilterd) }} + primary: true + type: NodePort + targetSelector: clamav + ports: + clamd: + enabled: {{ not .Values.clamavConfig.disableClamd }} + primary: true + port: {{ .Values.clamavNetwork.clamdPort }} + nodePort: {{ .Values.clamavNetwork.clamdPort }} + targetPort: 3310 + targetSelector: clamav + milted: + enabled: {{ not .Values.clamavConfig.disableMilterd }} + primary: {{ .Values.clamavConfig.disableClamd }} + port: {{ .Values.clamavNetwork.milterdPort }} + nodePort: {{ .Values.clamavNetwork.milterdPort }} + targetPort: 7357 + targetSelector: clamav + +{{/* Persistence */}} +persistence: + data: + enabled: true + type: {{ .Values.clamavStorage.sigdb.type }} + datasetName: {{ .Values.clamavStorage.sigdb.datasetName | default "" }} + hostPath: {{ .Values.clamavStorage.sigdb.hostPath | default "" }} + targetSelector: + clamav: + clamav: + mountPath: /var/lib/clamav + scan-dir: + enabled: true + type: {{ .Values.clamavStorage.scandir.type }} + datasetName: {{ .Values.clamavStorage.scandir.datasetName | default "" }} + hostPath: {{ .Values.clamavStorage.scandir.hostPath | default "" }} + targetSelector: + clamav: + clamav: + mountPath: /scandir +{{- end -}} diff --git a/library/ix-dev/community/clamav/templates/common.yaml b/library/ix-dev/community/clamav/templates/common.yaml new file mode 100644 index 00000000000..cb90f891d93 --- /dev/null +++ b/library/ix-dev/community/clamav/templates/common.yaml @@ -0,0 +1,6 @@ +{{- include "ix.v1.common.loader.init" . -}} + +{{/* Merge the templates with Values */}} +{{- $_ := mustMergeOverwrite .Values (include "clamav.workload" $ | fromYaml) -}} + +{{- include "ix.v1.common.loader.apply" . -}} diff --git a/library/ix-dev/community/clamav/upgrade_info.json b/library/ix-dev/community/clamav/upgrade_info.json new file mode 100644 index 00000000000..767388094ad --- /dev/null +++ b/library/ix-dev/community/clamav/upgrade_info.json @@ -0,0 +1 @@ +{"filename": "values.yaml", "keys": ["image"]} diff --git a/library/ix-dev/community/clamav/upgrade_strategy b/library/ix-dev/community/clamav/upgrade_strategy new file mode 100755 index 00000000000..7e4b5ffae04 --- /dev/null +++ b/library/ix-dev/community/clamav/upgrade_strategy @@ -0,0 +1,31 @@ +#!/usr/bin/python3 +import json +import re +import sys + +from catalog_update.upgrade_strategy import semantic_versioning + + +RE_STABLE_VERSION = re.compile(r'^[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?$') + + +def newer_mapping(image_tags): + key = list(image_tags.keys())[0] + tags = {t: t for t in image_tags[key] if RE_STABLE_VERSION.fullmatch(t)} + version = semantic_versioning(list(tags)) + if not version: + return {} + + return { + 'tags': {key: tags[version]}, + 'app_version': version, + } + + +if __name__ == '__main__': + try: + versions_json = json.loads(sys.stdin.read()) + except ValueError: + raise ValueError('Invalid json specified') + + print(json.dumps(newer_mapping(versions_json))) diff --git a/library/ix-dev/community/clamav/values.yaml b/library/ix-dev/community/clamav/values.yaml new file mode 100644 index 00000000000..5a9f740cef6 --- /dev/null +++ b/library/ix-dev/community/clamav/values.yaml @@ -0,0 +1,31 @@ +image: + repository: clamav/clamav + pullPolicy: IfNotPresent + tag: '1.0.1-2' + +resources: + limits: + cpu: 4000m + memory: 8Gi + +clamavConfig: + disableClamd: false + disableFreshClamd: false + disableMilterd: true + clamdStartupTimeout: 1800 + freshclamChecks: 1 + additionalEnvs: [] + +clamavNetwork: + clamdPort: 30000 + milterdPort: 30001 + +clamavStorage: + sigdb: + type: ixVolume + hostPath: '' + datasetName: sig-db + scandir: + type: ixVolume + hostPath: '' + datasetName: scan-dir