From 90111a122f6e22f5b840b1098b2947c53641f49d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20T=C3=BCrkal?=
Date: Sun, 7 Apr 2024 01:04:10 +0300
Subject: [PATCH] add neuvector-prometheus-exporter (#2453)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Furkan Türkal
Co-authored-by: Batuahn
---
.../neuvector-prometheus-exporter/README.md | 53 ++++++++++
.../config/main.tf | 19 ++++
.../config/template.apko.yaml | 15 +++
images/neuvector-prometheus-exporter/main.tf | 39 ++++++++
.../metadata.yaml | 14 +++
.../tests/main.tf | 97 +++++++++++++++++++
main.tf | 5 +
7 files changed, 242 insertions(+)
create mode 100644 images/neuvector-prometheus-exporter/README.md
create mode 100644 images/neuvector-prometheus-exporter/config/main.tf
create mode 100644 images/neuvector-prometheus-exporter/config/template.apko.yaml
create mode 100644 images/neuvector-prometheus-exporter/main.tf
create mode 100644 images/neuvector-prometheus-exporter/metadata.yaml
create mode 100644 images/neuvector-prometheus-exporter/tests/main.tf
diff --git a/images/neuvector-prometheus-exporter/README.md b/images/neuvector-prometheus-exporter/README.md
new file mode 100644
index 0000000000..f86eb73bfc
--- /dev/null
+++ b/images/neuvector-prometheus-exporter/README.md
@@ -0,0 +1,53 @@
+
+# neuvector-prometheus-exporter
+| | |
+| - | - |
+| **OCI Reference** | `cgr.dev/chainguard/neuvector-prometheus-exporter` |
+
+
+* [View Image in Chainguard Academy](https://edu.chainguard.dev/chainguard/chainguard-images/reference/neuvector-prometheus-exporter/overview/)
+* [View Image Catalog](https://console.enforce.dev/images/catalog) for a full list of available tags.
+* [Contact Chainguard](https://www.chainguard.dev/chainguard-images) for enterprise support, SLAs, and access to older tags.*
+
+---
+
+
+
+Prometheus exporter and Grafana template for NeuVector container security platform.
+
+
+
+## Download this Image
+The image is available on `cgr.dev`:
+
+```
+docker pull cgr.dev/chainguard/neuvector-prometheus-exporter:latest
+```
+
+
+
+## Usage
+
+Add the NeuVector Helm repository to your repositories list:
+
+```shell
+helm repo add neuvector https://neuvector.github.io/neuvector-helm/
+helm repo update
+```
+
+Next, install the NeuVector Prometheus Exporter with the following command:
+
+```sh
+helm install neuvector-prometheus-exporter neuvector/monitor \
+ --namespace neuvector \
+ --create-namespace \
+ --set exporter.apiSvc=neuvector-svc-controller:10443 \
+ --set exporter.image.repository=cgr.dev/chainguard/neuvector-prometheus-exporter \
+ --set exporter.image.tag=
+```
+
+Jump to the official [Helm Chart](https://github.com/neuvector/neuvector-helm/blob/master/charts/monitor/README.md) for more detailed usage.
+
+P.S: The Exporter will not work without the NeuVector Core Service. Install the [neuvector/core](https://github.com/neuvector/neuvector-helm/tree/master/charts/core) first.
+
+
diff --git a/images/neuvector-prometheus-exporter/config/main.tf b/images/neuvector-prometheus-exporter/config/main.tf
new file mode 100644
index 0000000000..ada624af1d
--- /dev/null
+++ b/images/neuvector-prometheus-exporter/config/main.tf
@@ -0,0 +1,19 @@
+terraform {
+ required_providers {
+ apko = { source = "chainguard-dev/apko" }
+ }
+}
+
+variable "extra_packages" {
+ description = "The additional packages to install"
+ default = ["neuvector-prometheus-exporter"]
+}
+
+data "apko_config" "this" {
+ config_contents = file("${path.module}/template.apko.yaml")
+ extra_packages = var.extra_packages
+}
+
+output "config" {
+ value = jsonencode(data.apko_config.this.config)
+}
diff --git a/images/neuvector-prometheus-exporter/config/template.apko.yaml b/images/neuvector-prometheus-exporter/config/template.apko.yaml
new file mode 100644
index 0000000000..7f928818fd
--- /dev/null
+++ b/images/neuvector-prometheus-exporter/config/template.apko.yaml
@@ -0,0 +1,15 @@
+contents:
+ packages:
+
+accounts:
+ groups:
+ - groupname: nonroot
+ gid: 65532
+ users:
+ - username: nonroot
+ uid: 65532
+ gid: 65532
+ run-as: 65532
+
+entrypoint:
+ command: python3 /usr/bin/nv_exporter.py
diff --git a/images/neuvector-prometheus-exporter/main.tf b/images/neuvector-prometheus-exporter/main.tf
new file mode 100644
index 0000000000..38db5806fa
--- /dev/null
+++ b/images/neuvector-prometheus-exporter/main.tf
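Review bot: `variable "extra_packages"` in config/main.tf is declared without a `type`, so a wrongly shaped value is only caught inside the `apko_config` data source; adding `type = list(string)` beside the default would reject it at plan time. The template's `packages:` list is empty, so this variable alone decides what the image contains, and an override replaces the default rather than extending it. A comment on the variable such as `# overriding this replaces the default; callers must list neuvector-prometheus-exporter themselves` would keep a caller from publishing an image whose entrypoint script is missing.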
@@ -0,0 +1,39 @@
+terraform {
+ required_providers {
+ oci = { source = "chainguard-dev/oci" }
+ }
+}
+
+variable "target_repository" {
+ description = "The docker repo into which the image and attestations should be published."
+}
+
+module "config" { source = "./config" }
+
+module "neuvector-prometheus-exporter" {
+ source = "../../tflib/publisher"
+ name = basename(path.module)
+ target_repository = var.target_repository
+ config = module.config.config
+
+ build-dev = true
+
+}
+
+module "test" {
+ source = "./tests"
+ digest = module.neuvector-prometheus-exporter.image_ref
+}
+
+resource "oci_tag" "latest" {
+ depends_on = [module.test]
+ digest_ref = module.neuvector-prometheus-exporter.image_ref
+ tag = "latest"
+}
+
+resource "oci_tag" "latest-dev" {
+ depends_on = [module.test]
+ digest_ref = module.neuvector-prometheus-exporter.dev_ref
+ tag = "latest-dev"
+}
+
diff --git a/images/neuvector-prometheus-exporter/metadata.yaml b/images/neuvector-prometheus-exporter/metadata.yaml
new file mode 100644
index 0000000000..1ed2f865e9
--- /dev/null
+++ b/images/neuvector-prometheus-exporter/metadata.yaml
@@ -0,0 +1,14 @@
+name: neuvector-prometheus-exporter
+image: cgr.dev/chainguard/neuvector-prometheus-exporter
+logo: https://storage.googleapis.com/chainguard-academy/logos/neuvector-prometheus-exporter.svg
+endoflife: ""
+console_summary: ""
+short_description: Prometheus exporter and Grafana template for NeuVector container security platform.
+compatibility_notes: ""
+readme_file: README.md
+upstream_url: https://github.com/neuvector/prometheus-exporter
+keywords:
+ - application
+ - prometheus
+ - grafana
+ - neuvector
diff --git a/images/neuvector-prometheus-exporter/tests/main.tf b/images/neuvector-prometheus-exporter/tests/main.tf
new file mode 100644
index 0000000000..2e9340ad30
--- /dev/null
+++ b/images/neuvector-prometheus-exporter/tests/main.tf
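Review bot: In images/neuvector-prometheus-exporter/main.tf both `oci_tag` resources wait on `module.test`, but that module is only handed `module.neuvector-prometheus-exporter.image_ref`, so `latest-dev` is applied to `dev_ref` without the dev variant itself having been exercised. If that is the intended convention (the publisher module is not visible here, so how the dev image differs is unknown), a comment on the `latest-dev` resource such as `# dev variant is gated on the tests of the non-dev image only` would make the gap explicit to whoever consumes that tag. `variable "target_repository"` would also benefit from `type = string`, since it decides where the image and its attestations are pushed.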
@@ -0,0 +1,97 @@
+terraform {
+ required_providers {
+ oci = { source = "chainguard-dev/oci" }
+ imagetest = { source = "chainguard-dev/imagetest" }
+ }
+}
+
+variable "digest" {
+ description = "The image digest to run tests over."
+}
+
+data "oci_string" "ref" { input = var.digest }
+
+data "imagetest_inventory" "this" {}
+
+resource "random_pet" "suffix" {}
+
+module "helm-neuvector" {
+ source = "../../../tflib/imagetest/helm"
+
+ name = "neuvector-core-${random_pet.suffix.id}"
+ namespace = "neuvector"
+ repo = "https://neuvector.github.io/neuvector-helm"
+ chart = "core"
+}
+
+module "helm" {
+ source = "../../../tflib/imagetest/helm"
+
+ name = "neuvector-prometheus-exporter-${random_pet.suffix.id}"
+ namespace = "neuvector"
+ repo = "https://neuvector.github.io/neuvector-helm"
+ chart = "monitor"
+
+ values = {
+ exporter = {
+ apiSvc = "neuvector-svc-controller:10443"
+ }
+ }
+}
+
+resource "imagetest_harness_k3s" "this" {
+ name = "neuvector-prometheus-exporter"
+ inventory = data.imagetest_inventory.this
+}
+
+resource "imagetest_feature" "basic" {
+ harness = imagetest_harness_k3s.this
+ name = "Basic"
+ description = "Basic functionality of neuvector-prometheus-exporter."
+
+ steps = [
+ {
+ name = "Helm install neuvector dependency"
+ cmd = module.helm-neuvector.install_cmd
+ },
+ {
+ name = "Helm install"
+ cmd = module.helm.install_cmd
+ },
+
+ {
+ name = "Set image"
+ cmd = <