chore: kafka and falco affinity (#74)

* chore: kafka and falco affinity

* falco: lint

* fix: test

charts/datalayer-falco/values-any.yaml

@@ -1,79 +1,97 @@
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: role.datalayer.io/system
+          operator: In
+          values:
+          - "true"
 collectors:
-    kubernetes:
-        enabled: true
+  kubernetes:
+    enabled: true
+k8s-metacollector:
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: role.datalayer.io/system
+            operator: In
+            values:
+            - "true"
 customRules:
-    rules-override-default.yaml: |-
-        # Whitelist strimzi operator for Kafka to connect to k8s API
-        - macro: user_known_contact_k8s_api_server_activities
-          condition: (container.image.repository=quay.io/strimzi/operator)
-          override:
-            condition: replace
-        # Enable cryptomining related rules
-        # See https://falco.org/blog/falco-detect-cryptomining
-        # Tested with https://github.com/n1g3ld0ugla5/Falco-Cryptomining-CNCF
-        - rule: Detect outbound connections to common miner pool ports
-          enabled: true
-          override:
-            enabled: replace
-        - rule: Set Setuid or Setgid bit
-          enabled: true
-          override:
-            enabled: replace
+  rules-override-default.yaml: |-
+    # Whitelist strimzi operator for Kafka to connect to k8s API
+    - macro: user_known_contact_k8s_api_server_activities
+      condition: (container.image.repository=quay.io/strimzi/operator)
+      override:
+        condition: replace
+    # Enable cryptomining related rules
+    # See https://falco.org/blog/falco-detect-cryptomining
+    # Tested with https://github.com/n1g3ld0ugla5/Falco-Cryptomining-CNCF
+    - rule: Detect outbound connections to common miner pool ports
+      enabled: true
+      override:
+        enabled: replace
+    - rule: Set Setuid or Setgid bit
+      enabled: true
+      override:
+        enabled: replace
 falco:
-    rules_files:
-        # Order matters to apply override the rule should
-        # be loaded first
-        - /etc/falco/falco_rules.yaml
-        - /etc/falco/falco-incubating_rules.yaml
-        - /etc/falco/falco-sandbox_rules.yaml
-        - /etc/falco/rules.d
+  rules_files:
+    # Order matters to apply override the rule should be loaded first.
+    - /etc/falco/falco_rules.yaml
+    - /etc/falco/falco-incubating_rules.yaml
+    - /etc/falco/falco-sandbox_rules.yaml
+    - /etc/falco/rules.d
 falcoctl:
-    config:
-        artifact:
-            install:
-                refs:
-                    - falco-rules:3
-                    - falco-incubating-rules:4
-                    - falco-sandbox-rules:4
-                    - ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.1
-            follow:
-                refs:
-                    - falco-rules:3
-                    - falco-incubating-rules:4
-                    - falco-sandbox-rules:4
+  config:
+    artifact:
+      install:
+        refs:
+          - falco-rules:3
+          - falco-incubating-rules:4
+          - falco-sandbox-rules:4
+          - ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.1
+      follow:
+        refs:
+          - falco-rules:3
+          - falco-incubating-rules:4
+          - falco-sandbox-rules:4
 falcosidekick:
+  enabled: true
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: role.datalayer.io/system
+            operator: In
+            values:
+            - "true"
+  # See https://github.com/falcosecurity/falcosidekick/blob/master/config_example.yaml
+  config:
+    # debug: true
+    # Not working ??
+    # templatedfields: "Dkey:{{ or (index .OutputFields \"k8s.ns.name\") \"bar\" }},k8s_labels:{{ printf \"%q\" (or (index .OutputFields \"k8s.pod.labels\") \"error\") }}"
+    kafka:
+      hostport: datalayer-kafka-kafka-bootstrap.datalayer-kafka.svc.cluster.local:9092
+      topic: falco-events
+  serviceMonitor:
+    enabled: true
+    additionalLabels:
+      monitoring.datalayer.io/enabled: "true"
+      monitoring.datalayer.io/instance: "observer"
+  prometheusRules:
     enabled: true
-    affinity:
-      nodeAffinity:
-        requiredDuringSchedulingIgnoredDuringExecution:
-          nodeSelectorTerms:
-          - matchExpressions:
-            - key: role.datalayer.io/system
-              operator: In
-              values:
-              - "true"
-    # See https://github.com/falcosecurity/falcosidekick/blob/master/config_example.yaml
-    config:
-        # debug: true
-        # Not working ??
-        # templatedfields: "Dkey:{{ or (index .OutputFields \"k8s.ns.name\") \"bar\" }},k8s_labels:{{ printf \"%q\" (or (index .OutputFields \"k8s.pod.labels\") \"error\") }}"
-        kafka:
-            hostport: datalayer-kafka-kafka-bootstrap.datalayer-kafka.svc.cluster.local:9092
-            topic: falco-events
-    serviceMonitor:
-        enabled: true
-        additionalLabels:
-            monitoring.datalayer.io/enabled: "true"
-            monitoring.datalayer.io/instance: "observer"
-    prometheusRules:
-        enabled: true
 # metrics:
-#     enable: true
+#   enable: true
 # serviceMonitor:
-#     create: true
-#     labels:
-#         monitoring.datalayer.io/enabled: "true"
-#         monitoring.datalayer.io/instance: "observer"
+#   create: true
+#   labels:
+#     monitoring.datalayer.io/enabled: "true"
+#     monitoring.datalayer.io/instance: "observer"
 grafana:
   dashboards:
     enabled: true

charts/datalayer-kafka/templates/kafka.yaml

@@ -7,6 +7,17 @@ spec:
   kafka:
     version: 3.8.0
     replicas: 3
+    template:
+      pod:
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+                - matchExpressions:
+                  - key: role.datalayer.io/system
+                    operator: In
+                    values:
+                    - "true"
     listeners:
       - name: plain
         port: 9092
@@ -36,7 +47,29 @@ spec:
       type: persistent-claim
       size: 8Gi
       deleteClaim: false
+    template:
+      pod:
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+                - matchExpressions:
+                  - key: role.datalayer.io/system
+                    operator: In
+                    values:
+                    - "true"
   entityOperator:
+    template:
+      pod:
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+                - matchExpressions:
+                  - key: role.datalayer.io/system
+                    operator: In
+                    values:
+                    - "true"
     topicOperator: {}
     userOperator: {}
   kafkaExporter:

charts/datalayer-operator/tests/deployment_test.yaml

@@ -46,6 +46,8 @@ tests:
                 value: ""
               - name: DATALAYER_AUTHZ_ENGINE
                 value: openfga
+              - name: DATALAYER_AVAILABLE_KERNELS_MAX_LIFE_SEC
+                value: "3600"
               - name: DATALAYER_CERT_ISSUER
                 value: letsencrypt
               - name: DATALAYER_DOCKER_REGISTRY
@@ -56,6 +58,8 @@ tests:
                 value: datalayer-iam-svc.datalayer-api.svc.cluster.local:9700
               - name: DATALAYER_INGRESS_CLASS_NAME
                 value: datalayer-traefik
+              - name: DATALAYER_KERNELS_RUN_HOOKS
+                value: "false"
               - name: DATALAYER_OPERATOR_API_KEY
                 value: ""
               - name: DATALAYER_PUB_SUB_ENGINE