Merge remote-tracking branch 'upstream/main' into pr/hungran-ISSUE-17…

…78/helm-operator-metrics
cilium · Dec 1, 2023 · 036efef · 036efef
2 parents a2eb0f9 + e4f9863
commit 036efef
Show file tree

Hide file tree

Showing 15 changed files with 46 additions and 45 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -25,7 +25,7 @@ COPY . .
 RUN make VERSION=$TETRAGON_VERSION TARGET_ARCH=$TARGETARCH tetragon tetra
 
 # Third builder (cross-)compile a stripped gops
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.21.4-alpine@sha256:110b07af87238fbdc5f1df52b00927cf58ce3de358eeeb1854f10a8b5e5e1411 as gops
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.21.4-alpine@sha256:8a1526350d5e9d67c86b9a376421458309f8398b0bcc838a771ea4d71c381bf9 as gops
 ARG TARGETARCH
 RUN apk add --no-cache git \
 # renovate: datasource=github-releases depName=google/gops
@@ -68,7 +68,7 @@ RUN curl -L https://github.com/libbpf/bpftool/releases/download/${BPFTOOL_TAG}/b
 
 # Almost final step runs on target platform (might need emulation) and
 # retrieves (cross-)compiled binaries from builders
-FROM docker.io/library/alpine:3.18.4@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978 as base-build
+FROM docker.io/library/alpine:3.18.5@sha256:34871e7290500828b39e22294660bee86d966bc0017544e848dd9a255cdf59e0 as base-build
 RUN apk add iproute2
 RUN mkdir /var/lib/tetragon/ && \
     mkdir -p /etc/tetragon/tetragon.conf.d/ && \

diff --git a/Dockerfile.operator b/Dockerfile.operator
@@ -5,7 +5,7 @@
 
 ARG BASE_IMAGE=scratch
 ARG GOLANG_IMAGE=docker.io/library/golang:1.21.4@sha256:9baee0edab4139ae9b108fffabb8e2e98a67f0b259fd25283c2a084bd74fea0d
-ARG ALPINE_IMAGE=docker.io/library/alpine:3.18.4@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978
+ARG ALPINE_IMAGE=docker.io/library/alpine:3.18.5@sha256:34871e7290500828b39e22294660bee86d966bc0017544e848dd9a255cdf59e0
 
 # BUILDPLATFORM is an automatic platform ARG enabled by Docker BuildKit.
 # Represents the plataform where the build is happening, do not mix with

diff --git a/Makefile.cli b/Makefile.cli
@@ -3,7 +3,7 @@
 
 CLI_GO_BUILD = CGO_ENABLED=0 $(GO) build
 # renovate: datasource=docker
-GO_IMAGE = docker.io/library/golang:1.21.4-alpine@sha256:110b07af87238fbdc5f1df52b00927cf58ce3de358eeeb1854f10a8b5e5e1411
+GO_IMAGE = docker.io/library/golang:1.21.4-alpine@sha256:8a1526350d5e9d67c86b9a376421458309f8398b0bcc838a771ea4d71c381bf9
 TARGET=tetra
 
 RELEASE_UID ?= $(shell id -u)

diff --git a/docs/content/en/docs/reference/helm-chart.md b/docs/content/en/docs/reference/helm-chart.md
@@ -53,8 +53,10 @@ To use [the values available](#values), with `helm install` or `helm upgrade`, u
 | imagePullSecrets | list | `[]` |  |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
+| podLabels | object | `{}` |  |
 | podLabelsOverride | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
+| priorityClassName | string | `""` |  |
 | selectorLabelsOverride | object | `{}` |  |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
@@ -64,9 +66,9 @@ To use [the values available](#values), with `helm install` or `helm upgrade`, u
 | tetragon.btf | string | `""` |  |
 | tetragon.commandOverride | list | `[]` |  |
 | tetragon.enableK8sAPI | bool | `true` |  |
-| tetragon.enableMsgHandlingLatency | bool | `false` |  |
-| tetragon.enablePolicyFilter | bool | `true` |  |
-| tetragon.enablePolicyFilterDebug | bool | `false` |  |
+| tetragon.enableMsgHandlingLatency | bool | `false` | Enable latency monitoring in message handling |
+| tetragon.enablePolicyFilter | bool | `true` | Enable policy filter. This is required for K8s namespace and pod-label filtering. |
+| tetragon.enablePolicyFilterDebug | bool | `false` | Enable policy filter debug messages. |
 | tetragon.enableProcessCred | bool | `false` |  |
 | tetragon.enableProcessNs | bool | `false` |  |
 | tetragon.enabled | bool | `true` |  |
@@ -95,12 +97,12 @@ To use [the values available](#values), with `helm install` or `helm upgrade`, u
 | tetragon.prometheus.enabled | bool | `true` | Whether to enable exposing Tetragon metrics. |
 | tetragon.prometheus.metricsLabelFilter | string | `"namespace,workload,pod,binary"` | The labels to include with supporting metrics. The possible values are "namespace", "workload", "pod" and "binary". |
 | tetragon.prometheus.port | int | `2112` | The port at which to expose metrics. |
-| tetragon.prometheus.serviceMonitor.enabled | bool | `false` | Whether to create a 'ServiceMonitor' resource targeting the 'tetragon' pods. |
+| tetragon.prometheus.serviceMonitor.enabled | bool | `false` | Whether to create a 'ServiceMonitor' resource targeting the tetragon pods. |
 | tetragon.prometheus.serviceMonitor.labelsOverride | object | `{}` | The set of labels to place on the 'ServiceMonitor' resource. |
 | tetragon.prometheus.serviceMonitor.scrapeInterval | string | `"10s"` | Interval at which metrics should be scraped. If not specified, Prometheus' global scrape interval is used. |
 | tetragon.resources | object | `{}` |  |
 | tetragon.securityContext.privileged | bool | `true` |  |
-| tetragonOperator.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","suffix":"","tag":"v1.0.0"}` | tetragon-operator image. |
+| tetragonOperator.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","tag":"v1.0.0"}` | tetragon-operator image. |
 | tetragonOperator.podInfo.enabled | bool | `false` | Enables the PodInfo CRD and the controller that reconciles PodInfo custom resources. |
 | tetragonOperator.skipCRDCreation | bool | `false` |  |
 | tolerations[0].operator | string | `"Exists"` |  |

diff --git a/install/kubernetes/.helmignore b/install/kubernetes/.helmignore
@@ -4,6 +4,7 @@
 .DS_Store
 # Common VCS dirs
 .git/
+.github/
 .gitignore
 .bzr/
 .bzrignore

diff --git a/install/kubernetes/Chart.yaml b/install/kubernetes/Chart.yaml
@@ -1,18 +1,7 @@
 apiVersion: v2
 name: tetragon
 description: Helm chart for Tetragon
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
 version: 1.0.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/install/kubernetes/README.md b/install/kubernetes/README.md
@@ -36,8 +36,10 @@ Helm chart for Tetragon
 | imagePullSecrets | list | `[]` |  |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
+| podLabels | object | `{}` |  |
 | podLabelsOverride | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
+| priorityClassName | string | `""` |  |
 | selectorLabelsOverride | object | `{}` |  |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
@@ -47,9 +49,9 @@ Helm chart for Tetragon
 | tetragon.btf | string | `""` |  |
 | tetragon.commandOverride | list | `[]` |  |
 | tetragon.enableK8sAPI | bool | `true` |  |
-| tetragon.enableMsgHandlingLatency | bool | `false` |  |
-| tetragon.enablePolicyFilter | bool | `true` |  |
-| tetragon.enablePolicyFilterDebug | bool | `false` |  |
+| tetragon.enableMsgHandlingLatency | bool | `false` | Enable latency monitoring in message handling |
+| tetragon.enablePolicyFilter | bool | `true` | Enable policy filter. This is required for K8s namespace and pod-label filtering. |
+| tetragon.enablePolicyFilterDebug | bool | `false` | Enable policy filter debug messages. |
 | tetragon.enableProcessCred | bool | `false` |  |
 | tetragon.enableProcessNs | bool | `false` |  |
 | tetragon.enabled | bool | `true` |  |
@@ -78,12 +80,12 @@ Helm chart for Tetragon
 | tetragon.prometheus.enabled | bool | `true` | Whether to enable exposing Tetragon metrics. |
 | tetragon.prometheus.metricsLabelFilter | string | `"namespace,workload,pod,binary"` | The labels to include with supporting metrics. The possible values are "namespace", "workload", "pod" and "binary". |
 | tetragon.prometheus.port | int | `2112` | The port at which to expose metrics. |
-| tetragon.prometheus.serviceMonitor.enabled | bool | `false` | Whether to create a 'ServiceMonitor' resource targeting the 'tetragon' pods. |
+| tetragon.prometheus.serviceMonitor.enabled | bool | `false` | Whether to create a 'ServiceMonitor' resource targeting the tetragon pods. |
 | tetragon.prometheus.serviceMonitor.labelsOverride | object | `{}` | The set of labels to place on the 'ServiceMonitor' resource. |
 | tetragon.prometheus.serviceMonitor.scrapeInterval | string | `"10s"` | Interval at which metrics should be scraped. If not specified, Prometheus' global scrape interval is used. |
 | tetragon.resources | object | `{}` |  |
 | tetragon.securityContext.privileged | bool | `true` |  |
-| tetragonOperator.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","suffix":"","tag":"v1.0.0"}` | tetragon-operator image. |
+| tetragonOperator.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","tag":"v1.0.0"}` | tetragon-operator image. |
 | tetragonOperator.podInfo.enabled | bool | `false` | Enables the PodInfo CRD and the controller that reconciles PodInfo custom resources. |
 | tetragonOperator.prometheus | object | `{"address":"","enabled":true,"port":2113}` | Enables the Tetragon Operator metrics. |
 | tetragonOperator.prometheus.address | string | `""` | The address at which to expose metrics. Set it to "" to expose on all available interfaces. |

diff --git a/install/kubernetes/templates/_container_export_stdout.tpl b/install/kubernetes/templates/_container_export_stdout.tpl
@@ -2,6 +2,7 @@
 - name: {{include "container.export.stdout.name" .}}
   image: "{{ if .Values.export.stdout.image.override }}{{ .Values.export.stdout.image.override }}{{ else }}{{ .Values.export.stdout.image.repository }}:{{ .Values.export.stdout.image.tag }}{{ end }}"
   imagePullPolicy: {{ .Values.imagePullPolicy }}
+  terminationMessagePolicy: FallbackToLogsOnError
   env: {{- toYaml .Values.export.stdout.extraEnv | nindent 4 }}
   securityContext:
     {{- toYaml .Values.export.securityContext | nindent 4 }}

diff --git a/install/kubernetes/templates/_container_tetragon.tpl b/install/kubernetes/templates/_container_tetragon.tpl
@@ -4,6 +4,7 @@
     {{- toYaml .Values.tetragon.securityContext | nindent 4 }}
   image: "{{ if .Values.tetragon.image.override }}{{ .Values.tetragon.image.override }}{{ else }}{{ .Values.tetragon.image.repository }}:{{ .Values.tetragon.image.tag | default .Chart.AppVersion }}{{ end }}"
   imagePullPolicy: {{ .Values.imagePullPolicy }}
+  terminationMessagePolicy: FallbackToLogsOnError
 {{- with .Values.tetragon.commandOverride }}
   command:
   {{- toYaml . | nindent 2 }}
@@ -25,10 +26,6 @@
     {{- with .Values.tetragon.extraVolumeMounts }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
-    {{- if not .Values.tetragon.btf }}
-    - mountPath: /var/lib/tetragon/metadata
-      name: metadata-files
-    {{- end }}
     - mountPath: /etc/tetragon/tetragon.conf.d/
       name: tetragon-config
       readOnly: true

diff --git a/install/kubernetes/templates/_helpers.tpl b/install/kubernetes/templates/_helpers.tpl
@@ -14,11 +14,17 @@ Common labels
 {{- define "tetragon.labels" -}}
 helm.sh/chart: {{ include "tetragon.chart" . }}
 {{ include "tetragon.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 {{- define "tetragon-operator.labels" -}}
 helm.sh/chart: {{ include "tetragon-operator.chart" . }}
 {{ include "tetragon-operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 

diff --git a/install/kubernetes/templates/clusterrole.yaml b/install/kubernetes/templates/clusterrole.yaml
@@ -18,6 +18,7 @@ rules:
   - apiGroups:
       - cilium.io
     resources:
+      - podinfo
       - tracingpolicies
       - tracingpoliciesnamespaced
     verbs:

diff --git a/install/kubernetes/templates/daemonset.yaml b/install/kubernetes/templates/daemonset.yaml
@@ -34,7 +34,13 @@ spec:
       {{- else }}
         {{- include "tetragon.labels" . | nindent 8 }}
       {{- end }}
+      {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
     spec:
+      {{- with .Values.priorityClassName }}
+      priorityClassName: "{{ . }}"
+      {{- end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -87,10 +93,6 @@ spec:
         hostPath:
           path: {{ .Values.tetragon.hostProcPath }}
           type: Directory
-{{- if not .Values.tetragon.btf }}
-      - emptyDir: {}
-        name: metadata-files
-{{- end }}
 {{- end }}
       {{- with .Values.extraVolumes }}
         {{- toYaml . | nindent 6 }}

diff --git a/install/kubernetes/templates/operator_deployment.yaml b/install/kubernetes/templates/operator_deployment.yaml
@@ -22,7 +22,7 @@ spec:
         args:
           - serve
           - --config-dir=/etc/tetragon/operator.conf.d/
-        image: "{{ if .Values.tetragonOperator.image.override }}{{ .Values.tetragonOperator.image.override }}{{ else }}{{ .Values.tetragonOperator.image.repository }}{{ .Values.tetragonOperator.image.suffix }}:{{ .Values.tetragonOperator.image.tag }}{{ end }}"
+        image: "{{ if .Values.tetragonOperator.image.override }}{{ .Values.tetragonOperator.image.override }}{{ else }}{{ .Values.tetragonOperator.image.repository }}:{{ .Values.tetragonOperator.image.tag }}{{ end }}"
         imagePullPolicy: {{ .Values.tetragonOperator.image.pullPolicy }}
         volumeMounts:
           - mountPath: /etc/tetragon/operator.conf.d/

diff --git a/install/kubernetes/templates/servicemonitor.yaml b/install/kubernetes/templates/servicemonitor.yaml
@@ -9,7 +9,7 @@ metadata:
     {{- else }}
     {{- include "tetragon.labels" . | nindent 4 }}
     {{- end }}
-  name: tetragon
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
 spec:
   endpoints:

diff --git a/install/kubernetes/values.yaml b/install/kubernetes/values.yaml
@@ -1,5 +1,6 @@
 enabled: true
 imagePullPolicy: IfNotPresent
+priorityClassName: ""
 imagePullSecrets: []
 serviceAccount:
   create: true
@@ -16,6 +17,7 @@ extraConfigmapMounts: []
 daemonSetAnnotations: {}
 extraVolumes: []
 updateStrategy: {}
+podLabels: {}
 daemonSetLabelsOverride: {}
 selectorLabelsOverride: {}
 podLabelsOverride: {}
@@ -33,7 +35,7 @@ serviceLabelsOverride: {}
 #
 # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
 dnsPolicy: Default
-# exportDirectory specifies directory to put Hubble and FGS JSON export files.
+# exportDirectory specifies directory to put Tetragon JSON export files.
 exportDirectory: "/var/run/cilium/tetragon"
 # exportFileRotationInterval specifies file creation interval for hubble-export-s3.
 exportFileCreationInterval: "120s"
@@ -59,12 +61,12 @@ tetragon:
   extraVolumeMounts: []
   securityContext:
     privileged: true
-  # Tetragon puts processes in an LRU cache. The cache is used to find ancestors for subsequently exec'ed
-  # processes.
+  # Tetragon puts processes in an LRU cache. The cache is used to find ancestors
+  # for subsequently exec'ed processes.
   processCacheSize: 65536
   # JSON export filename. Set it to an empty string to disable JSON export altogether.
   exportFilename: tetragon.log
-  # JSON export file permissions as a string
+  # JSON export file permissions as a string. Set it to "600" to restrict access to owner.
   exportFilePerm: "600"
   # Size in megabytes at which to rotate JSON export files.
   exportFileMaxSizeMB: 10
@@ -130,7 +132,7 @@ tetragon:
     # The possible values are "namespace", "workload", "pod" and "binary".
     metricsLabelFilter: "namespace,workload,pod,binary"
     serviceMonitor:
-      # -- Whether to create a 'ServiceMonitor' resource targeting the 'tetragon' pods.
+      # -- Whether to create a 'ServiceMonitor' resource targeting the tetragon pods.
       enabled: false
       # -- The set of labels to place on the 'ServiceMonitor' resource.
       labelsOverride: {}
@@ -146,11 +148,11 @@ tetragon:
     address: "localhost"
     # -- The port at which to expose gops.
     port: 8118
-  # Enable policy filter. This is required for K8s namespace filtering and pod label filters.
+  # -- Enable policy filter. This is required for K8s namespace and pod-label filtering.
   enablePolicyFilter: True
-  # Enable policy filter debug messages.
+  # -- Enable policy filter debug messages.
   enablePolicyFilterDebug: false
-  # Enable latency monitoring in message handling
+  # -- Enable latency monitoring in message handling
   enableMsgHandlingLatency: false
   # -- Location of the host proc filesystem in the runtime environment. If the runtime runs in the
   # host, the path is /proc. Exceptions to this are environments like kind, where the runtime itself
@@ -162,8 +164,6 @@ tetragonOperator:
     override: ~
     repository: quay.io/cilium/tetragon-operator
     tag: v1.0.0
-    # tetragon-operator image-digest
-    suffix: ""
     pullPolicy: IfNotPresent
   # Skip CRD creation.
   skipCRDCreation: false