Helm chart

charts/clamav/Chart.yaml

@@ -14,8 +14,8 @@ type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.1.1
+version: 0.1.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 0.1.1
+appVersion: 0.1.2

charts/clamav/templates/clamav-notify-config.yaml

@@ -11,6 +11,18 @@ data:
     DatabaseMirror {{ . }}
     {{- end }}
     TestDatabases yes
-    OnUpdateExecute python /clam/notify.py {{ .Release.Namespace }} {{ include "clamav.fullname" . }}
+    OnUpdateExecute python /clam/notify.py -n {{ .Release.Namespace }} -d {{ include "clamav.fullname" . }} --test -f /var/lib/clamav -t /var/lib/clamav/mirror
     LogVerbose yes
     NotifyClamd no
+  lighttpd.conf: |
+    server.document-root = "/var/lib/clamav/mirror/" 
+
+    server.port = 8080
+
+    mimetype.assign = (
+      ".htm" => "text/html", 
+    )
+
+    dir-listing.activate = "enable" 
+    dir-listing.encoding = "utf-8"
+

charts/clamav/templates/clamav-notify-deployment.yaml

@@ -34,11 +34,18 @@ spec:
           httpGet:
             path: /
             port: http
+        env:
+        - name: LIGHTTPD_CONFIG
+          value: /etc/config/lighttpd.conf
         volumeMounts:
         - name: clamav-notify-storage
           mountPath: /var/lib/clamav
         - name: config-volume
-          mountPath: /etc/clamav
+          mountPath: /etc/clamav/freshclam.conf
+          subPath: freshclam.conf
+        - name: config-volume
+          mountPath: /etc/config/lighttpd.conf
+          subPath: lighttpd.conf
       volumes:
       - name: clamav-notify-storage
         persistentVolumeClaim:

clamav-notify/Dockerfile

@@ -10,10 +10,14 @@ RUN apk add --no-cache bash wget shadow lighttpd \
 RUN adduser -S -g clamav -u 1000 clam \
     && chown -R clam:clamav /clam /var/log/clamav
 
-RUN pip install kubernetes
+COPY requirements.txt ./
+
+RUN pip install -r requirements.txt
 
 COPY notify.py start.sh lighttpd.conf ./
 
+COPY files/ ./files/
+
 USER 1000
 
 EXPOSE 8080

clamav-notify/files/eicar.txt

@@ -0,0 +1 @@
+X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

clamav-notify/files/safe.txt

@@ -0,0 +1 @@
+ABCDEFGHIJKLMNOPQRSTUVWXYZ

clamav-notify/lighttpd.conf

@@ -1,9 +1,10 @@
-server.document-root = "/var/lib/clamav" 
+server.document-root = "/var/lib/clamav/" 
 
 server.port = 8080
 
 mimetype.assign = (
   ".htm" => "text/html", 
 )
 
-index-file.names = ( "index.htm" )
+dir-listing.activate = "enable" 
+dir-listing.encoding = "utf-8" 

clamav-notify/notify.py

@@ -1,19 +1,58 @@
-import sys, time, os
+import sys, time, os, subprocess
+import click
+
+from shutil import copytree, rmtree
+
 from kubernetes import client, config
 
 
-if os.getenv('KUBERNETES_SERVICE_HOST'):
-	config.load_incluster_config()
-else:
-	config.load_kube_config()
+def notify(namespace, deployment):
+	if os.getenv('KUBERNETES_SERVICE_HOST'):
+		config.load_incluster_config()
+	else:
+		config.load_kube_config()
+
+
+	apps_v1 = client.AppsV1Api()
+
+	api_response = apps_v1.patch_namespaced_deployment(
+	    name=deployment, namespace=namespace,
+	    body={"spec": {"template": {"metadata": {"annotations": {"clamavSignatureUpdateTime": str(time.time())}}}}}   
+	)
+
+
+def scan_file(definitions, filepath):
+	command = ["clamscan", "-d", definitions, filepath]
+	result = subprocess.call(command)
+	return result
+
+
+def test_definitions(definitions):
+	if scan_file(definitions, "files/eicar.txt") == 1:
+		if scan_file(definitions, "files/safe.txt") == 0:
+			return True
+	return False
+
+
+def copy_signatures(from_location, to_location):
+	rmtree(to_location)
+	copytree(from_location, to_location)
 
 
-apps_v1 = client.AppsV1Api()
+@click.command()
+@click.option('-n', '--namespace', default="default", help='The namespace of the clamav deployment')
+@click.option('-d', '--deployment', default="clamav", help='The name of the clamav deployment')
+@click.option('--test', is_flag=True, help='Should we test the virus definitions')
+@click.option('-f', '--movefrom', default="", help='The directory to move signatures from after testing')
+@click.option('-t', '--moveto', default="", help='The directory to move signatures to after testing')
+def main(namespace, deployment, test, movefrom, moveto):
+	if test:
+		if test_definitions(movefrom):
+			copy_signatures(movefrom, moveto)
+		else:
+			sys.exit(1)
+	notify(namespace, deployment)
 
-if len(sys.argv) < 3:
-	sys.exit()
 
-api_response = apps_v1.patch_namespaced_deployment(
-    name=sys.argv[2], namespace=sys.argv[1],
-    body={"spec": {"template": {"metadata": {"annotations": {"clamavSignatureUpdateTime": str(time.time())}}}}}   
-)
+if __name__ == "__main__":
+	main()

clamav-notify/requirements.txt

@@ -0,0 +1,18 @@
+cachetools==4.1.0
+certifi==2020.4.5.1
+chardet==3.0.4
+click==7.1.2
+google-auth==1.14.1
+idna==2.9
+kubernetes==11.0.0
+oauthlib==3.1.0
+pyasn1==0.4.8
+pyasn1-modules==0.2.8
+python-dateutil==2.8.1
+PyYAML==5.3.1
+requests==2.23.0
+requests-oauthlib==1.3.0
+rsa==4.0
+six==1.14.0
+urllib3==1.25.9
+websocket-client==0.57.0

clamav-notify/start.sh

@@ -1,7 +1,9 @@
 #!/bin/bash
 
-touch /var/lib/clamav/index.htm
+touch /var/lib/clamav/
+
+LIGHTTPD_CONFIG="${LIGHTTPD_CONFIG:-lighttpd.conf}"
 
 freshclam -d
-lighttpd -t -f lighttpd.conf
-lighttpd -D -f lighttpd.conf
+lighttpd -t -f $LIGHTTPD_CONFIG
+lighttpd -D -f $LIGHTTPD_CONFIG