Installation of cdviz-collector
CLI
cdviz-collector is a command-line tool that can be downloaded from its GitHub releases page:
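Install prebuilt binaries via shell script (the script is piped straight into sh; to review it first, download it to a file and read it before running it)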
bash
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cdviz-dev/cdviz-collector/releases/download/{{ $params.version }}/cdviz-collector-installer.sh | sh
Install prebuilt binaries via Homebrew
bash
brew install cdviz-dev/tap/cdviz-collector
Install prebuilt binaries via mise (and .mise.toml):
toml
[tools]
"ubi:cdviz-dev/cdviz-collector" = "latest"
Install prebuilt binaries via cargo-binstall:
bash
cargo binstall cdviz-collector
Install from source via cargo:
bash
cargo install cdviz-collector
Docker / OCI Images
bash
docker pull ghcr.io/cdviz-dev/cdviz-collector:latest
Kubernetes
Install via Helm chart:
(browse versions on github)
bash
helm install cdviz-collector oci://ghcr.io/cdviz-dev/charts/cdviz-collector
Values.yaml
Look at the default values.yaml file in the GitHub repository.
yaml
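# Default values for the cdviz-collector chart.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1

image:
  repository: ghcr.io/cdviz-dev/cdviz-collector
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  tag: "0.19.0"

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

deploymentAnnotations: {}
  # reloader.stakater.com/auto: "true"

podAnnotations: {}

# Pod-level hardening: refuse to start as root and apply the container
# runtime's default seccomp profile.
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
  # fsGroup: 2000

# Additional arguments to pass to the collector
podExtraArgs: []

# Container-level hardening: no privilege escalation, all Linux capabilities
# dropped, read-only root filesystem, fixed non-root uid/gid.
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsUser: 65532
  runAsGroup: 65532

# With ClusterIP and the ingress disabled below, the collector's HTTP port
# is only reachable from inside the cluster by default.
service:
  type: ClusterIP
  port: 8080

ingress:
  enabled: false
  className: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: cdviz-collector.local
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 3
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

nodeSelector: {}

tolerations: []

affinity: {}

# List of config files to provide as a configMap mounted on the /mnt/config folder.
# cdviz-collector is launched with `--directory /mnt/config`.
# The container of cdviz-collector includes some configuration files in the /etc/cdviz-collector folder.
#
# Adding & overriding files provided as part of the chart is allowed.
# Content can be set by overriding the values
# or via `helm ... --set-file 'configFiles.config\.toml'=custom-config.toml`
#
# Secrets: these files end up in a ConfigMap, so keep real tokens out of them.
# The GitHub webhook source ships disabled with the placeholder signature
# token "changeme"; before enabling it, supply the real token through the
# CDVIZ_COLLECTOR__SOURCES__GITHUB_WEBHOOK__EXTRACTOR__HEADERS__X-HUB-SIGNATURE-256__TOKEN
# environment variable backed by a Secret (see the commented example under `env`).
#
# Webhook exposure: `argocd_webhook` is enabled and `kubewatch_webhook` follows
# `kubewatch.enabled`; neither declares a signature header in this default, so
# check what can reach their endpoints before routing external traffic to them.
#
# NOTE(review): `enabled = {{ $.Values.kubewatch.enabled }}` is a Helm expression,
# so the file content is presumably rendered as a template by the chart - confirm.
# NOTE(review): the `"""` line and the second definition of
# `transformers.github_events` (as a table, then again as an inline table under
# `[transformers]`) look like leftovers - confirm that the resulting TOML parses.
configFiles:
  "cdviz-collector.toml": |-
    [sinks.debug]
    enabled = true
    [sinks.database]
    enabled = false
    [sources.cdevents_webhook]
    enabled = false
    [sources.cdevents_webhook.extractor]
    type = "webhook"
    id = "000-cdevents"
    [sources.github_webhook]
    enabled = false
    transformer_refs = [ "github_events" ]
    [sources.github_webhook.extractor]
    type = "webhook"
    id = "000-github"
    headers_to_keep = []
    [sources.github_webhook.extractor.headers]
    "x-hub-signature-256" = { type = "signature", signature_encoding = "hex", signature_on = "body", signature_prefix = "sha256=", token = "changeme" }
    [transformers.github_events]
    type = "vrl"
    template_rfile = "transformers-community:///github_events/transformer.vrl"
    [sources.kubewatch_webhook]
    enabled = {{ $.Values.kubewatch.enabled }}
    # transformer_refs = [ "log", "kubewatch_cloudevents" ]
    transformer_refs = [ "kubewatch_cloudevents" ]
    [sources.kubewatch_webhook.extractor]
    type = "webhook"
    id = "000-kubewatch"
    metadata.environment_id = "cluster/A-dev"
    [sources.argocd_webhook]
    enabled = true
    transformer_refs = [ "argocd_notifications" ]
    [sources.argocd_webhook.extractor]
    type = "webhook"
    id = "000-argocd"
    metadata.environment_id = "cluster/A-dev"
    """
    [remote.transformers-community]
    type = "github"
    owner = "cdviz-dev"
    repo = "transformers-community"
    # token = "gh...." # Optional: github token
    [transformers]
    github_events = { type = "vrl", template_rfile = "transformers-community:///github_events/transformer.vrl" }
    kubewatch_cloudevents = { type = "vrl", template_rfile = "transformers-community:///kubewatch_cloudevents/transformer.vrl" }
    argocd_notifications = { type = "vrl", template_rfile = "transformers-community:///argocd_notifications/transformer.vrl" }

log:
  level: info  # debug, info, warn, error

# Environment variables of the collector container. Each entry takes either a
# literal `value` or a `valueFrom` reference; use `valueFrom.secretKeyRef` for
# anything sensitive so it stays out of the values file and the ConfigMap.
env:
  CDVIZ_COLLECTOR__HTTP__PORT:
    value: "{{ .Values.service.port }}"
  # Enable sinks (uncomment and configure as needed)
  # CDVIZ_COLLECTOR__SINKS__DEBUG__ENABLED:
  #   value: "true"
  # CDVIZ_COLLECTOR__SINKS__DATABASE__ENABLED:
  #   value: "true"
  # CDVIZ_COLLECTOR__SINKS__DATABASE__URL:
  #   valueFrom:
  #     secretKeyRef:
  #       name: "cdviz-collector-secret"
  #       key: DATABASE_URL
  # GitHub webhook signature token (for validating GitHub webhooks)
  # CDVIZ_COLLECTOR__SOURCES__GITHUB_WEBHOOK__EXTRACTOR__HEADERS__X-HUB-SIGNATURE-256__TOKEN:
  #   valueFrom:
  #     secretKeyRef:
  #       name: "cdviz-collector-secret"
  #       key: GITHUB_WEBHOOK_SIGNATURE_TOKEN

# Additional kubernetes resources to create. Helm templates can be used.
# You can use it to create secrets, external secrets,
# configmaps, gateways (http-route, filter, ...), volumes, keda, ...
# - the name/key of the resource is only used to access the definition more easily than an array index
# - the 'enabled' field is used to enable/disable the resource (removed when the resource is templated)
# - users can add any other resource definition as a child node of extraObjects
# The manifests can be defined as a string or as a dictionary. But the string doesn't use the 'enabled' field.
extraObjects: {}
  # externalSecrets:
  #   enabled: true
  #   apiVersion: "kubernetes-client.io/v1"
  #   kind: ExternalSecret
  #   metadata:
  #     name: cdviz-collector-secrets
  #   spec:
  #     backendType: gcpSecretsManager
  #     data:
  #       - key: api-token
  #         name: api-token
  # http-route:
  #   enabled: true
  #   apiVersion: gateway.networking.k8s.io/v1
  #   kind: HTTPRoute
  #   metadata:
  #     name: cdviz-collector
  #     labels:
  #       app.kubernetes.io/instance: cdviz-collector
  #       app.kubernetes.io/name: cdviz-collector
  #   spec:
  #     parentRefs:
  #       - group: gateway.networking.k8s.io
  #         kind: Gateway
  #         name: traefik-gateway
  #         namespace: traefik
  #     rules:
  #       - backendRefs:
  #           - group: ""
  #             kind: Service
  #             name: cdviz-collector
  #             port: 8080 # see service.port
  #             weight: 1
  #         matches:
  #           # no strip, bind the gateway's `/webhook/*` to some of cdviz-collector's `/webhook/...` (and hide other endpoints)
  #           # Before allowing a wildcard (e.g. with just `/webhook/`), check that every endpoint has
  #           # some kind of authentication/security (before (or via) the gateway or via the collector)
  #           - path:
  #               type: PathPrefix
  #               value: /webhook/000-github

# Values for the kubewatch sub-chart, which watches cluster resources and
# posts change events to the collector's kubewatch webhook.
kubewatch:
  enabled: true
  rbac:
    create: true
  # Only deployments, daemonsets and statefulsets are watched by default.
  # The cloudevent handler below sends the manifest of the watched resource,
  # so turning on `secret` or `configmap` would presumably forward their
  # content to the collector over the plain-HTTP url - confirm before enabling.
  resourcesToWatch:
    deployment: true
    daemonset: true
    statefulset: true
    replicationcontroller: false
    replicaset: false
    services: false
    pod: false
    job: false
    node: false
    clusterrole: false
    clusterrolebinding: false
    serviceaccount: false
    persistentvolume: false
    namespace: false
    secret: false
    configmap: false
    ingress: false
    coreevent: false
    event: false
  ## Seems like only one handler could be enabled at a time
  slack:
    enabled: false  # true by default
  # The cloudevent includes the webhook's data + the manifest of the resource + ...; used by the template
  cloudevent:
    enabled: true
    # update the name to match the name of the service (if not cdviz-collector)
    url: "http://cdviz-collector:8080/webhook/000-kubewatch"
  podSecurityContext:
    enabled: true
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
    fsGroup: 1000
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    runAsUser: 1000
    runAsGroup: 1000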
    runAsNonRoot: true
Example with Helmwave
yaml
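# Helmwave project file that deploys the cdviz-collector chart from ghcr.io.
project: k8s-apps
version: "0.41.1"

registries:
  - host: ghcr.io

# Shared release options, merged into a release with `<<: *options`.
# The merge is shallow, and keys written explicitly in the release win over
# the merged ones.
.options: &options
  create_namespace: true
  atomic: true
  force: true
  # resetValues: true
  timeout: 1m
  wait: true
  max_history: 3

releases:
  # ...
  - name: cdviz-collector
    namespace: cdviz-dev
    chart:
      name: oci://ghcr.io/cdviz-dev/charts/cdviz-collector
      # Quoted so the chart version is always read as a string.
      version: "0.2.0-4-g62e72d1"
    <<: *options
    # Overrides the `create_namespace: true` coming from the shared options.
    create_namespace: false
    values:
      # Secret values live in their own file and go through the sops renderer,
      # so the file is presumably stored encrypted in the repository.
      - src: values/secret.yaml
        renderer: sops
        strict: true
      # Non-secret values are used as-is.
      - src: values/cdviz-collector.yaml
        renderer: copy
        strict: true
    tags:
      - cdviz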