diff --git a/clusters/cl01tl/helm/blocky/values.yaml b/clusters/cl01tl/helm/blocky/values.yaml
index dced08dbb..d316ec069 100644
--- a/clusters/cl01tl/helm/blocky/values.yaml
+++ b/clusters/cl01tl/helm/blocky/values.yaml
@@ -109,6 +109,7 @@ blocky:
 bazarr IN CNAME traefik-cl01tl
 ceph IN CNAME traefik-cl01tl
 dawarich IN CNAME traefik-cl01tl
+ dependency-track IN CNAME traefik-cl01tl
 directus IN CNAME traefik-cl01tl
 excalidraw IN CNAME traefik-cl01tl
 feishin IN CNAME traefik-cl01tl
diff --git a/clusters/cl01tl/helm/dependency-track/Chart.lock b/clusters/cl01tl/helm/dependency-track/Chart.lock
new file mode 100644
index 000000000..0b50ae6c9
--- /dev/null
+++ b/clusters/cl01tl/helm/dependency-track/Chart.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: dependency-track
+ repository: https://dependencytrack.github.io/helm-charts
+ version: 0.44.0
+- name: postgres-cluster
+ repository: oci://harbor.alexlebens.net/helm-charts
+ version: 7.11.2
+digest: sha256:6ea7e8066cce675a02ce76393ee2b0e23300d2f5c72ae64946ae667fc12fde1f
+generated: "2026-04-05T17:32:11.221935-05:00"
diff --git a/clusters/cl01tl/helm/dependency-track/Chart.yaml b/clusters/cl01tl/helm/dependency-track/Chart.yaml
new file mode 100644
index 000000000..8cd599502
--- /dev/null
+++ b/clusters/cl01tl/helm/dependency-track/Chart.yaml
@@ -0,0 +1,26 @@
+apiVersion: v2
+name: dependency-track
+version: 1.0.0
+description: Dependency Track
+keywords:
+ - dependency-track
+ - vulnerability-scanner
+home: https://docs.alexlebens.dev/applications/dependency-track/
+sources:
+ - https://github.com/DependencyTrack/dependency-track
+ - https://hub.docker.com/r/dependencytrack/apiserver
+ - https://hub.docker.com/r/dependencytrack/frontend
+ - https://github.com/DependencyTrack/helm-charts/tree/main/charts/dependency-track
+maintainers:
+ - name: alexlebens
+dependencies:
+ - name: dependency-track
+ version: 0.44.0
+ repository: https://dependencytrack.github.io/helm-charts
+ - name: postgres-cluster
+ alias: postgres-18-cluster
+ version: 7.11.2
+ repository: oci://harbor.alexlebens.net/helm-charts
+icon: https://avatars.githubusercontent.com/u/40258585
+# renovate: datasource=github-releases depName=dependency-track
+appVersion: 4.14.1
diff --git a/clusters/cl01tl/helm/dependency-track/templates/external-secret.yaml b/clusters/cl01tl/helm/dependency-track/templates/external-secret.yaml
new file mode 100644
index 000000000..5bbbb407c
--- /dev/null
+++ b/clusters/cl01tl/helm/dependency-track/templates/external-secret.yaml
@@ -0,0 +1,42 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: dependency-track-key-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: dependency-track-key-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: secret.key
+ remoteRef:
+ key: /cl01tl/dependency-track/key
+ property: key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: dependency-track-oidc-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: dependency-track-oidc-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: client
+ remoteRef:
+ key: /authentik/oidc/dependency-track
+ property: client
+ - secretKey: secret
+ remoteRef:
+ key: /authentik/oidc/dependency-track
+ property: secret
diff --git a/clusters/cl01tl/helm/dependency-track/values.yaml b/clusters/cl01tl/helm/dependency-track/values.yaml
new file mode 100644
index 000000000..3c72a044c
--- /dev/null
+++ b/clusters/cl01tl/helm/dependency-track/values.yaml
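Review bot: The `dependency-track-oidc-secret` ExternalSecret syncs both `client` and `secret` from `/authentik/oidc/dependency-track`, but the values.yaml added in this same commit wires only `client` (as `ALPINE_OIDC_CLIENT_ID`) into the API server, so the `secret` entry materializes a credential in the namespace that nothing reads. As far as I know Dependency-Track's OIDC integration is a public-client flow that has no use for a client secret, so either drop the `- secretKey: secret` entry or name the consumer in a comment such as `# secret: consumed by <placeholder: which workload>`. Keeping synced Secrets to the keys actually mounted limits what a compromised pod or an overly broad RBAC grant in the namespace can read.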
@@ -0,0 +1,106 @@
+dependency-track:
+ common:
+ secretKey:
+ createSecret: false
+ existingSecretName: dependency-track-key-secret
+ apiServer:
+ image:
+ repository: dependencytrack/apiserver
+ tag: 4.14.1@sha256:2d8813e1ba4ada4aa23087d908c1b5a3ffce39261ead5555c397a1d67c7cbe9d
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ limits:
+ memory: null
+ persistentVolume:
+ enabled: true
+ className: ceph-block
+ size: 5Gi
+ extraEnv:
+ - name: ALPINE_DATABASE_MODE
+ value: external
+ - name: ALPINE_DATABASE_MODE
+ value: org.postgresql.Driver
+ - name: ALPINE_DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: dependency-track-postgresql-18-cluster-app
+ key: jdbc-uri
+ - name: ALPINE_DATABASE_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: dependency-track-postgresql-18-cluster-app
+ key: user
+ - name: ALPINE_DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: dependency-track-postgresql-18-cluster-app
+ key: password
+ - name: ALPINE_OIDC_ENABLED
+ value: true
+ - name: ALPINE_OIDC_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: dependency-track-oidc-secret
+ key: client
+ - name: ALPINE_OIDC_ISSUER
+ value: https://authentik.alexlebens.net/application/o/dependency-track/
+ - name: ALPINE_OIDC_USERNAME_CLAIM
+ value: preferred_username
+ - name: ALPINE_OIDC_TEAMS_CLAIM
+ value: groups
+ - name: ALPINE_OIDC_USER_PROVISIONING
+ value: true
+ - name: ALPINE_OIDC_TEAM_SYNCHRONIZATION
+ value: true
+ - name: ALPINE_CORS_ENABLED
+ value: true
+ - name: ALPINE_CORS_ALLOW_ORIGIN
+ value: dependency-track.alexlebens.net, dependency-track.dependency-track
+ serviceMonitor:
+ enabled: true
+ namespace: dependency-track
+ frontend:
+ image:
+ repository: dependencytrack/frontend
+ tag: 4.14.1@sha256:8217737050b26ea69a6ddd6fe2cb419531a0bae0b903a87a04077a2415fc9f35
+ resources:
+ requests:
+ cpu: 10m
+ memory: 60Mi
+ limits:
+ memory: null
+ apiBaseUrl: dependency-track.alexlebens.net
+ httpRoute:
+ enabled: true
+ hostnames:
+ - dependency-track.alexlebens.net
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: traefik-gateway
+ namespace: traefik
+postgres-18-cluster:
+ mode: standalone
+ cluster:
+ initdb:
+ postInitSQL:
+ - ALTER DATABASE app SET READ_COMMITTED_SNAPSHOT ON;
+ recovery:
+ method: objectStore
+ objectStore:
+ index: 1
+ backup:
+ objectStore:
+ - name: garage-local
+ index: 1
+ destinationBucket: postgres-backups
+ externalSecretCredentialPath: /garage/home-infra/postgres-backups
+ isWALArchiver: true
+ scheduledBackups:
+ - name: live-backup
+ suspend: false
+ immediate: true
+ schedule: "0 10 14 * * *"
+ backupName: garage-local
diff --git a/clusters/cl01tl/helm/gatus/values.yaml b/clusters/cl01tl/helm/gatus/values.yaml
index 7b27cad1f..8d04398c3 100644
--- a/clusters/cl01tl/helm/gatus/values.yaml
+++ b/clusters/cl01tl/helm/gatus/values.yaml
@@ -179,6 +179,9 @@ gatus:
 - name: komodo
 url: https://komodo.alexlebens.net
 <<: *defaults
+ - name: dependency-track
+ url: https://dependency-track.alexlebens.net
+ <<: *defaults
 - name: omni-tools
 url: https://omni-tools.alexlebens.net
 <<: *defaults
diff --git a/clusters/cl01tl/helm/homepage/values.yaml b/clusters/cl01tl/helm/homepage/values.yaml
index 063ed7015..15b386eeb 100644
--- a/clusters/cl01tl/helm/homepage/values.yaml
+++ b/clusters/cl01tl/helm/homepage/values.yaml
@@ -375,6 +375,12 @@ homepage:
 secret: {{ "{{HOMEPAGE_VAR_KOMODO_API_SECRET}}" }}
 showStacks: true
 fields: ["running", "down", "unhealthy", "unknown"]
+ - Vulnerability Scanning:
+ icon: https://avatars.githubusercontent.com/u/40258585
+ description: Dependency Track
+ href: https://dependency-track.alexlebens.net
+ siteMonitor: http://dependency-track.dependency-track:8080
+ statusStyle: dot
 - Uptime:
 icon: sh-gatus.webp
 description: Gatus
diff --git a/hosts/ps08rp/blocky/config.yml b/hosts/ps08rp/blocky/config.yml
index b0bf48691..4f92c22b0 100644
--- a/hosts/ps08rp/blocky/config.yml
+++ b/hosts/ps08rp/blocky/config.yml
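Review bot: `apiServer.extraEnv` declares `ALPINE_DATABASE_MODE` twice, once as `external` and once as `org.postgresql.Driver`; the second entry is the JDBC driver and belongs under `ALPINE_DATABASE_DRIVER`, so as written the driver is never configured and which of the two values the container ends up with depends on how the chart and the API server resolve a duplicate env name. The four boolean entries (`ALPINE_OIDC_ENABLED`, `ALPINE_OIDC_USER_PROVISIONING`, `ALPINE_OIDC_TEAM_SYNCHRONIZATION`, `ALPINE_CORS_ENABLED`) use an unquoted `true`, but a Kubernetes `EnvVar.value` must be a string, so the rendered manifest is likely to fail API validation — write them as `value: "true"`. `ALPINE_CORS_ALLOW_ORIGIN` lists two scheme-less hostnames separated by a comma, while browsers honor only a single `scheme://host` origin or `*` in `Access-Control-Allow-Origin`; confirm how Alpine applies a multi-valued setting before relying on it, and if CORS is not actually needed (frontend and API share the `dependency-track.alexlebens.net` route) leaving `ALPINE_CORS_ENABLED` off is the smaller attack surface. The `frontend` block sets `apiBaseUrl` without a scheme and carries no OIDC issuer or client-id settings, which the frontend presumably needs to offer the OIDC login — verify against the chart's frontend values.
```yaml
      extraEnv:
        - name: ALPINE_DATABASE_MODE
          value: external
        - name: ALPINE_DATABASE_DRIVER
          value: org.postgresql.Driver
        # … unchanged: ALPINE_DATABASE_URL / USERNAME / PASSWORD secretKeyRefs …
        - name: ALPINE_OIDC_ENABLED
          value: "true"
        # … unchanged: ALPINE_OIDC_CLIENT_ID / ISSUER / USERNAME_CLAIM / TEAMS_CLAIM …
        - name: ALPINE_OIDC_USER_PROVISIONING
          value: "true"
        - name: ALPINE_OIDC_TEAM_SYNCHRONIZATION
          value: "true"
        - name: ALPINE_CORS_ENABLED
          value: "true"
        # … unchanged: ALPINE_CORS_ALLOW_ORIGIN …
```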
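Review bot: `siteMonitor: http://dependency-track.dependency-track:8080` assumes a Service literally named `dependency-track` in the `dependency-track` namespace listening on 8080, but the Service names the Dependency-Track chart generates are not visible in this diff and release-derived names are usually longer than the bare chart name, so confirm the host resolves before trusting the status dot. The same in-cluster host is used as an origin in `ALPINE_CORS_ALLOW_ORIGIN` in the new values.yaml; if the Service name is wrong, both need the same correction.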
@@ -86,6 +86,7 @@ customDNS:
 bazarr IN CNAME traefik-cl01tl
 ceph IN CNAME traefik-cl01tl
 dawarich IN CNAME traefik-cl01tl
+ dependency-track IN CNAME traefik-cl01tl
 directus IN CNAME traefik-cl01tl
 excalidraw IN CNAME traefik-cl01tl
 feishin IN CNAME traefik-cl01tl
diff --git a/hosts/ps09rp/blocky/config.yml b/hosts/ps09rp/blocky/config.yml
index 6a7b35314..c10efe2ce 100644
--- a/hosts/ps09rp/blocky/config.yml
+++ b/hosts/ps09rp/blocky/config.yml
@@ -107,6 +107,7 @@ customDNS:
 bazarr IN CNAME traefik-cl01tl
 ceph IN CNAME traefik-cl01tl
 dawarich IN CNAME traefik-cl01tl
+ dependency-track IN CNAME traefik-cl01tl
 directus IN CNAME traefik-cl01tl
 excalidraw IN CNAME traefik-cl01tl
 feishin IN CNAME traefik-cl01tl