Merge branch 'master' into admission-controller

charts/admission-controller/CHANGELOG.md

@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used
 exclusively to fix incorrect entries and not to add new ones.
 
 ## Change Log
+# v0.12.0
+### New Features
+* **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961))
 # v0.11.9
 ### New Features
 * **admission-controller** [3d4304d0](https://github.com/sysdiglabs/charts/commit/3d4304d03483f23371f74541102b4cf1036bdfc0): update README with latest CA certificate changes ([#1263](https://github.com/sysdiglabs/charts/issues/1263))

charts/admission-controller/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: admission-controller
 description: Sysdig Admission Controller using Sysdig Secure inline image scanner
 type: application
-version: 0.11.10
+version: 0.12.0
 appVersion: 3.9.26
 home: https://sysdiglabs.github.io/admission-controller/
 icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
@@ -21,4 +21,4 @@ dependencies:
   - name: common
     # repository: https://charts.sysdig.com
     repository: file://../common
-    version: ~1.0.1
+    version: ~1.1.0

charts/admission-controller/README.md

@@ -14,8 +14,10 @@ $ pre-commit run -a
 
 # Admission Controller
 
+
 This chart deploys the Sysdig Admission Controller on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
 
+
 ## Overview
 
 [Sysdig Admission Controller](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/admission-controller/) provides Audit Logging and optional Image Scanning capabilities to secure your Kubernetes environment.
@@ -41,6 +43,10 @@ For deployment instructions, including common deployment configurations related
 
 If you use the [Legacy Scanning Engine](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/) instead of the new Vulnerability Management engine in Sysdig Secure, you can deploy the `admission-controller` chart with old scanning options enabled and use [admission controller policies](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/admission-controller/) to reject container images that do not fulfill the policy requirements from the cluster before being scheduled.
 
+```console
+$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller -n sysdig-admission-controller --version=0.12.0
+```
+
 This option is enabled by default unless you specify  `--scanner.enabled=false` .
 
 
@@ -64,23 +70,21 @@ Specify each parameter using the `--set key=value[,key=value]` argument to the `
 
 For example:
 
-```bash
-helm upgrade --install admission-controller sysdig/admission-controller \
-    --create-namespace -n sysdig-admission-controller --version=0.9.0  \
+
+```console
+$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
+    --create-namespace -n sysdig-admission-controller --version=0.12.0 \
     --set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME
 ```
 
 ### Using values.yaml
 
 The `values.yaml` file specifies the values for the admission controller configuration parameters.  You can add the configuration to the `values.yaml` file, then use it in the `helm install` command.
 
-For example:
-
-```bash
-helm upgrade --install admission-controller sysdig/admission-controller \
-     --create-namespace -n sysdig-admission-controller --version=0.9.0  \
+```console
+$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
+    --create-namespace -n sysdig-admission-controller --version=0.12.0 \
     --values values.yaml
-
 ```
 See the default [`values.yaml`](./values.yaml) file for more information.
 

charts/admission-controller/RELEASE-NOTES.md

@@ -1,5 +1,5 @@
 # What's Changed
 
 ### New Features
-- **admission-controller** [3d4304d0](https://github.com/sysdiglabs/charts/commit/3d4304d03483f23371f74541102b4cf1036bdfc0): update README with latest CA certificate changes ([#1263](https://github.com/sysdiglabs/charts/issues/1263))
-#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.11.8...admission-controller-0.11.9
+- **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961))
+#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.11.9...admission-controller-0.12.0

charts/admission-controller/templates/scanner/deployment.yaml

@@ -41,10 +41,18 @@ spec:
             defaultMode: 420
             secretName: {{ .Values.scanner.dockerCfgSecretName }}
         {{- end }}
-        {{- if .Values.scanner.ssl.ca.cert }}
+        {{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
         - name: ca-cert
           secret:
             secretName: {{ include "admissionController.scanner.fullname" . }}-ca
+        {{- else if eq (include "sysdig.custom_ca.useExistingSecret"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
+        - name: ca-cert
+          secret:
+            secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}
+        {{- else if eq (include "sysdig.custom_ca.useExistingConfigMap" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
+        - name: ca-cert
+          configMap:
+            name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}
         {{- end }}
       containers:
         - name: inline-scanner
@@ -59,9 +67,9 @@ spec:
               name: dockercfg
               readOnly: true
             {{- end }}
-            {{- if .Values.scanner.ssl.ca.cert }}
+            {{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
             - name: ca-cert
-              mountPath: /ca-cert
+              mountPath: /ca-certs
               readOnly: true
             {{- end }}
           {{- if .Values.scanner.customEntryPoint }}
@@ -83,9 +91,9 @@ spec:
             - name: NO_PROXY
               value: {{ include "scanner.noProxy" . }}
             {{- end }}
-            {{- if .Values.scanner.ssl.ca.cert }}
-            - name: SSL_CERT_FILE
-              value: /ca-cert/root_ca_file.crt # mounted from the secret
+            {{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
+            - name: SSL_CERT_DIR
+              value: /ca-certs
             {{- end }}
           envFrom:
             - configMapRef:

charts/admission-controller/templates/scanner/secret.yaml

@@ -19,14 +19,19 @@ stringData:
   AUTH_BEARER_TOKEN: {{ include "sysdig.secureAPIToken" . }}
 {{- end }}
 ---
-{{- if .Values.scanner.ssl.ca.cert }}
+{{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "admissionController.scanner.fullname" . }}-ca
   namespace: {{ include "admissionController.namespace" . }}
   labels: {{- include "admissionController.scanner.labels" . | nindent 4 }}
 data:
+  {{- if eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
+  {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
+  {{- end }}
+  {{- if or .Values.scanner.ssl.ca.cert }}
   root_ca_file.crt: {{ .Values.scanner.ssl.ca.cert | b64enc | quote }}
+  {{- end }}
 {{- end }}
 {{- end }}

charts/admission-controller/templates/webhook/deployment.yaml

@@ -84,9 +84,9 @@ spec:
             - name: NO_PROXY
               value: {{ include "webhook.noProxy" . }},{{ include "admissionController.scanner.fullname" . }}
             {{- end }}
-            {{- if .Values.webhook.ssl.ca.cert }}
-            - name: SSL_CERT_FILE
-              value: /ca-cert/root_ca_file.crt # mounted from the secret
+            {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
+            - name: SSL_CERT_DIR
+              value: /ca-certs
             {{- end }}
           ports:
             - name: http
@@ -117,9 +117,9 @@ spec:
             - name: cert
               mountPath: /cert
               readOnly: true
-            {{- if .Values.webhook.ssl.ca.cert }}
+            {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
             - name: ca-cert
-              mountPath: /ca-cert
+              mountPath: /ca-certs
               readOnly: true
             {{- end }}
           resources:
@@ -128,11 +128,19 @@ spec:
         - name: cert
           secret:
             secretName: {{ include "admissionController.webhook.fullname" . }}-tls
-      {{- if .Values.webhook.ssl.ca.cert }}
+        {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
         - name: ca-cert
           secret:
             secretName: {{ include "admissionController.webhook.fullname" . }}-ca
-      {{- end }}
+        {{- else if eq (include "sysdig.custom_ca.useExistingSecret"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
+        - name: ca-cert
+          secret:
+            secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}
+        {{- else if eq (include "sysdig.custom_ca.useExistingConfigMap"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
+        - name: ca-cert
+          configMap:
+            name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}
+        {{- end }}
     {{- with .Values.webhook.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/admission-controller/templates/webhook/secret.yaml

@@ -10,7 +10,7 @@ stringData:
   SECURE_API_TOKEN: {{ include "sysdig.secureAPIToken" . }}
 {{- end }}
 ---
-{{- if .Values.webhook.ssl.ca.cert }}
+{{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -19,5 +19,10 @@ metadata:
   labels:
     {{ include "admissionController.webhook.labels" . | nindent 4 }}
 data:
+  {{- if or .Values.webhook.ssl.ca.cert }}
   root_ca_file.crt: {{ .Values.webhook.ssl.ca.cert | b64enc | quote }}
+  {{- end }}
+  {{- if eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
+  {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
+  {{- end }}
 {{- end }}